Analyze Pcap File by Suricata Selks

fadi abusafat

Jun 21, 2019, 10:30:18 AM
to SELKS
Hi everyone. 

I would like to analyze a pcap file through Suricata in SELKS, but it does not work. Every time I run it, it gives me an error that says: The custom type "workers" does not exist for this runmode type "PCAP_FILE". Please use --list-runmodes to see available custom types for this runmode.

I run the following command to analyse pcap file : 

suricata -c /etc/suricata/suricata.yaml -r Desktop/Pcap\ file/wrcc.pcap

This is an image of my works. 

Could anyone please help me with how to analyse a pcap file through Suricata in SELKS.

Thank you so much. 

Many Thanks. 

Fadi !!!!
Pcap_File by Selks.PNG

Peter Manev

Jun 21, 2019, 10:44:16 AM
to fadi abusafat, SELKS
On Fri, Jun 21, 2019 at 5:30 PM fadi abusafat <fabusa...@gmail.com> wrote:
>
> Hi everyone.
>
> I would like to analyze a pcap file through Suricata in SELKS, but it does not work. Every time I run it, it gives me an error that says: The custom type "workers" does not exist for this runmode type "PCAP_FILE". Please use --list-runmodes to see available custom types for this runmode.
>
> I run the following command to analyse pcap file :
>
> suricata -c /etc/suricata/suricata.yaml -r Desktop/Pcap\ file/wrcc.pcap
>

You should probably try
suricata -c /etc/suricata/suricata.yaml -r Desktop/Pcap\ file/wrcc.pcap --runmode=autofp


Then be careful as to the time span of the dashboards you are using to
look at the pcap, as the pcap timestamp may be different from
today/now :)

> This is an image of my works.
>
> Could anyone please help me with how to analyse a pcap file through Suricata in SELKS.
>
> Thank you so much.
>
> Many Thanks.
>
> Fadi !!!!
>
> --
> IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
> Wiki: https://github.com/StamusNetworks/SELKS/wiki
> GitHub: https://github.com/StamusNetworks/SELKS
> Blog: https://www.stamus-networks.com/theblog/
> Twitter: @StamusN
> g+: Stamus Networks



--
Regards,
Peter Manev

fadi abusafat

Jun 25, 2019, 6:15:19 AM
to Peter Manev, SELKS
Good morning. 

Thank you so much. It works, but I would like to ask you how we can get the details of the analysed pcap file into Kibana. I already logged in through the IP address after analysing the pcap file, but there are no results such as attacks, DNS, ports, etc.

Please, could you help me with this issue.


Thank you so much. 

Many Thanks. 

Fadi !!!!

Peter Manev

Jun 25, 2019, 6:45:06 AM
to fadi abusafat, SELKS
On Tue, Jun 25, 2019 at 12:15 PM fadi abusafat <fabusa...@gmail.com> wrote:
>
> Good morning.
>
> Thank you so much. It works, but I would like to ask you how we can get the details of the analysed pcap file into Kibana. I already logged in through the IP address after analysing the pcap file, but there are no results such as attacks, DNS, ports, etc.
>
> Please, could you help me with this issue.
>

You should probably adjust the time span in Kibana to reflect the
time span of the pcap (the timestamps of the packets).
Thank you
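As an added example (not from this thread or the SELKS project): Suricata run with `-r` stamps its events with the packet timestamps, so Kibana shows nothing until its time picker covers the capture's time span. The Python below parses a libpcap file's record headers directly (both byte orders, microsecond and nanosecond variants; pcapng is rejected) and returns the absolute start/end to set in Kibana. The two-packet capture it builds is constructed for the demonstration, not a real capture.

```python
import math
import struct
from datetime import datetime, timezone

# libpcap magic numbers: 0xA1B2C3D4 = microsecond, 0xA1B23C4D = nanosecond timestamps.
_MAGIC_DIVISOR = {0xA1B2C3D4: 1_000_000, 0xA1B23C4D: 1_000_000_000}

def pcap_time_span(data: bytes):
    """Return (first_ts, last_ts, packet_count) for raw libpcap bytes, as epoch seconds."""
    if len(data) < 24:
        raise ValueError("too short to hold a pcap global header")
    for endian in ("<", ">"):  # the magic number reveals the file's byte order
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in _MAGIC_DIVISOR:
            divisor = _MAGIC_DIVISOR[magic]
            break
    else:
        raise ValueError("not a libpcap file (pcapng or unknown magic)")
    offset, count, first, last = 24, 0, None, None
    while offset + 16 <= len(data):  # each record: 16-byte header + incl_len bytes
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16 + incl_len
        if offset > len(data):
            raise ValueError("truncated packet record at end of file")
        ts = ts_sec + ts_frac / divisor
        first = ts if first is None else min(first, ts)  # records need not be in time order
        last = ts if last is None else max(last, ts)
        count += 1
    if count == 0:
        raise ValueError("pcap holds no packets")
    return first, last, count

def kibana_absolute_range(data: bytes, pad_seconds: int = 60):
    """ISO-8601 UTC start/end for Kibana's absolute time picker, padded on both sides."""
    first, last, _ = pcap_time_span(data)
    def to_iso(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return to_iso(math.floor(first) - pad_seconds), to_iso(math.ceil(last) + pad_seconds)

def build_sample_pcap(endian: str = "<") -> bytes:
    """Constructed two-packet capture timestamped June 2019 (not a real capture)."""
    header = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    records = b""
    for sec, usec, size in ((1560000000, 250, 60), (1560000005, 500000, 42)):
        records += struct.pack(endian + "IIII", sec, usec, size, size) + b"\x00" * size
    return header + records
```

To use it on a real file, pass `open("wrcc.pcap", "rb").read()` to `kibana_absolute_range` and enter the two values as the absolute range in Kibana before opening the SELKS dashboards.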