Re: [security-onion] Reading pcap and Snort Log Files


Liam Randall

Jan 28, 2013, 12:48:47 PM
to securit...@googlegroups.com
sudo tcpreplay -t -i eth1 test.pcap

where eth1 is your sniffing interface.  This will replay your pcaps at the "now" time.

You will need to setup your toolset first; did you run the wizard?

sudo nsm_sensor_ps-status  ?

Liam


On Mon, Jan 28, 2013 at 12:39 PM, Chris Simpson <ch...@brightmoonsecurity.com> wrote:
I'm using Security Onion to teach a class on network defense. I would like to use some of the Honeynet Project challenges as lab assignments. What is the best way to import the Snort log files and pcap files so all of the tools (Snorby, Sguil etc.) can see them? I tried snort -r for one of the Snort log files but didn't see any data in any of the tools. I also tried tcpreplay for a pcap file but didn't see any data in any of the tools. Thanks for the assistance.

Best Regards,

Chris

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To post to this group, send email to securit...@googlegroups.com.
To unsubscribe from this group, send email to security-onio...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.



Scott Runnels

Jan 28, 2013, 12:55:52 PM
to securit...@googlegroups.com
Just a note that TCPReplay will clobber the timestamps in the output as it uses the current time.

Scott Runnels

Doug Burks

Jan 28, 2013, 7:10:33 PM
to securit...@googlegroups.com
Hi Chris,

Here's a blog post I did a few years ago about replaying a Honeynet pcap:

Assuming you've already run through the Setup wizard and you replay to the correct interface, it should work fine.

If you still need help, please send the output of the following (redacting sensitive info as necessary):
sudo sostat

Thanks,
Doug

On Monday, January 28, 2013, Chris Simpson wrote:
I'm using Security Onion to teach a class on network defense. I would like to use some of the Honeynet Project challenges as lab assignments. What is the best way to import the Snort log files and pcap files so all of the tools (Snorby, Sguil etc.) can see them? I tried snort -r for one of the Snort log files but didn't see any data in any of the tools. I also tried tcpreplay for a pcap file but didn't see any data in any of the tools. Thanks for the assistance.

Best Regards,

Chris





--
Doug Burks
http://securityonion.blogspot.com

bamm.v...@gmail.com

Jan 30, 2013, 8:38:42 AM
to securit...@googlegroups.com
Oftentimes it's a checksum issue. Try running Snort with "-k none".

Bamm

-----Original Message-----
From: Chris Simpson <ch...@brightmoonsecurity.com>
Sender: securit...@googlegroups.com
Date: Mon, 28 Jan 2013 16:02:33
To: <securit...@googlegroups.com>
Reply-To: securit...@googlegroups.com
Subject: Re: [security-onion] Reading pcap and Snort Log Files

Liam,

Thanks for the quick response. I initially executed tcpreplay incorrectly but even when I do it the right way I'm not getting any alerts in sguil or Snorby. I started tcpdump and then tcpreplay and captured the replay to verify it was replaying the traffic. It's an older capture so it might not trigger any alerts. I'm going to try a custom alert to see if that works.

Everything is running when I run sudo nsm_sensor_ps-status.

Best Regards,

Chris
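The two things raised in this thread that silently break a replay lab are bad checksums (Bamm's "-k none" suggestion: captures taken with NIC checksum offload carry TCP checksums Snort rejects) and timestamps (Scott's note that tcpreplay writes packets at the current time, so the capture's original timeline is lost on the wire). The script below is an added example, not code from the thread or from Security Onion: it parses a classic pcap, verifies the IPv4 and TCP checksums of each packet and reports the capture's original time span, so you know before replaying whether Snort needs "-k none" and what date range the Honeynet traffic really comes from. The pcap bytes, addresses and timestamps are constructed inline so it runs offline.

```python
"""Audit a pcap before replaying it into a sensor (constructed example).

Reports (1) packets whose IPv4 or TCP checksum does not verify, the
symptom of checksum offload that makes Snort drop traffic unless it is
run with "-k none", and (2) the capture's original time span, which
"tcpreplay -t" discards because it sends at the current time.
"""
import struct
import socket
from datetime import datetime, timezone

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_frame(src_ip, dst_ip, sport, dport, payload, corrupt_tcp_csum=False):
    """Ethernet/IPv4/TCP frame. With corrupt_tcp_csum the TCP checksum is
    deliberately wrong (correct value + 1), standing in for the placeholder an
    offloading NIC leaves in the captured header."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    csum = checksum(pseudo + tcp)
    if corrupt_tcp_csum:
        csum = (csum + 1) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def build_pcap(frames_with_ts):
    """Classic little-endian pcap (magic 0xa1b2c3d4, link type Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, frame in frames_with_ts:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Yield (timestamp, frame) for each record of a classic pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type is handled here")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def check_frame(frame: bytes):
    """Return (ip_ok, tcp_ok); None where the check does not apply."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None, None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    # A header whose checksum is right sums to 0xFFFF with the field included.
    ip_ok = ones_complement_sum(ip[:ihl]) == 0xFFFF
    if ip[9] != IPPROTO_TCP:
        return ip_ok, None
    tcp = ip[ihl:total_len]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return ip_ok, ones_complement_sum(pseudo + tcp) == 0xFFFF


def audit_pcap(data: bytes):
    packets = []
    for idx, (ts, frame) in enumerate(parse_pcap(data), start=1):
        ip_ok, tcp_ok = check_frame(frame)
        packets.append({"index": idx, "ts": ts, "ip_ok": ip_ok, "tcp_ok": tcp_ok})
    bad = [p["index"] for p in packets if p["ip_ok"] is False or p["tcp_ok"] is False]
    span = (min(p["ts"] for p in packets), max(p["ts"] for p in packets)) if packets else None
    return {"packets": packets, "bad_checksum_indices": bad, "time_span": span}


def needs_k_none(report) -> bool:
    """True when Snort should be run with "-k none" for this capture."""
    return bool(report["bad_checksum_indices"])


# Constructed sample: a clean request, a reply with an offload-style bad TCP
# checksum, and an ARP frame (no IP checks apply). Timestamps are Jan 2010.
SAMPLE_PCAP = build_pcap([
    (1264924800, build_frame("10.0.0.5", "10.0.0.9", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (1264924801, build_frame("10.0.0.9", "10.0.0.5", 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n", True)),
    (1264924802, b"\xff" * 6 + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", 0x0806) + b"\x00" * 28),
])

if __name__ == "__main__":
    report = audit_pcap(SAMPLE_PCAP)
    first, last = (datetime.fromtimestamp(t, tz=timezone.utc) for t in report["time_span"])
    print("capture spans %s to %s (tcpreplay -t will not preserve this)" % (first, last))
    print("packets with bad checksums:", report["bad_checksum_indices"])
    print("run Snort with -k none:", needs_k_none(report))
```

Run it against a real capture by replacing SAMPLE_PCAP with the bytes of the Honeynet pcap; any index listed under bad checksums is a packet Snort would discard without "-k none", and the reported span is the timeline that Sguil and Snorby will not see once tcpreplay has stamped the traffic with the current time.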

Chris Simpson

Feb 11, 2013, 7:08:11 PM
to securit...@googlegroups.com
All,

Sorry for the late follow up. Thanks for all of the help. I have it up and running in our lab. The first file I used didn't trip any alerts but some other pcap files I tried worked.

Best Regards,

Chris

