Re: [Sguil-users] Sguil vs packet captures, not live traffic
From: Voth, B. (GE Corporate) <Bra...@ge...> - 2013-01-17 22:50:24
In thinking about this more, it would not be too complex:

- run snort against the pcaps
- put the merge.log where barnyard expects them
- run sancp/cxtracker against the pcaps
- put the sancp logs where the sancp agent expects them
- properly name the pcaps and put them where the pcap agent expects them
- start sguild and the agents

Sent from my iPhone

On Jan 17, 2013, at 17:28, "Richard Bejtlich" <tao...@gm...> wrote:

> And that's the problem. If you want to use Sguil as a "forensic" tool,
> or have students read a pcap and have the result look just like the
> data when it was collected live, Tcpreplay doesn't work because
> timestamps are set to the time of the replay.
>
> Sincerely,
>
> Richard
>
> On Thu, Jan 17, 2013 at 5:23 PM, Guy Bruneau <se...@wh...> wrote:
>> You are correct. The timestamps will be the timestamps of the replay time,
>> not the original time.
>>
>> Guy
>>
>> From: Richard Bejtlich <tao...@gm...>
>> To: sgu...@li...
>> Sent: Thursday, January 17, 2013 9:53:55 AM
>>
>> Subject: Re: [Sguil-users] Sguil vs packet captures, not live traffic
>>
>> My concern with tools like Tcpreplay is that you lose the original
>> timestamps.
>>
>> Sincerely,
>>
>> Richard
>
> _______________________________________________
> Sguil-users mailing list
> Sgu...@li...
> https://lists.sourceforge.net/lists/listinfo/sguil-users
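The staging procedure in the message above, as an added example that is not code from Sguil or from the message author. It reads the capture start time out of the pcap file itself (global header, then the first record header, handling both byte orders and the nanosecond variant), derives the file name the pcap agent would have produced for a live capture, and returns the snort/sancp invocations and the copy step as argv lists. The assumed layout `<sensor>/dailylogs/<YYYY-MM-DD>/snort.log.<epoch>` with the date taken in UTC, the config and log directory paths, and the sample capture are assumptions or constructed input, not taken from the thread; check the layout against your own pcap_agent.conf before using it.

```python
"""Stage an existing pcap for Sguil's pcap agent using the capture's own
first-packet time, so the replayed data keeps its original timestamps.

Added example, not code from Sguil or from the message author.
Assumption: the pcap agent expects <sensor>/dailylogs/<YYYY-MM-DD>/snort.log.<epoch>,
with <epoch> the capture start time in UTC; confirm against your pcap_agent.conf.
"""
import os
import struct
from datetime import datetime, timezone

# Magic as read with "<I": value -> (struct byte order, ticks per second)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microsecond ticks
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microsecond ticks
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanosecond ticks
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanosecond ticks
}
GLOBAL_HDR_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16   # ts_sec, ts_frac, incl_len, orig_len


def first_packet_time(data: bytes) -> tuple[int, float]:
    """Return (ts_sec, fractional seconds) of the first record in the file."""
    if len(data) < GLOBAL_HDR_LEN + RECORD_HDR_LEN:
        raise ValueError("not a pcap with at least one packet")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in PCAP_MAGICS:
        raise ValueError(f"unknown pcap magic {magic:#010x}")
    order, ticks = PCAP_MAGICS[magic]
    ts_sec, ts_frac, incl_len, _ = struct.unpack(
        order + "IIII", data[GLOBAL_HDR_LEN:GLOBAL_HDR_LEN + RECORD_HDR_LEN])
    if len(data) < GLOBAL_HDR_LEN + RECORD_HDR_LEN + incl_len:
        raise ValueError("first packet record is truncated")
    return ts_sec, ts_frac / ticks


def pcap_agent_path(sensor_root: str, data: bytes) -> str:
    """Destination path named by the capture start time (assumed layout, UTC date)."""
    ts_sec, _ = first_packet_time(data)
    day = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d")
    return f"{sensor_root}/dailylogs/{day}/snort.log.{ts_sec}"


def replay_plan(pcap_file: str, data: bytes, sensor_root: str,
                snort_conf: str = "/etc/snort/snort.conf",
                sancp_conf: str = "/etc/sancp/sancp.conf") -> list[list[str]]:
    """Ordered argv lists for the steps in the message above.

    Config and log directory paths are placeholders (assumption).  snort -U
    (UTC timestamps), -c, -r, -l and sancp -c, -r, -d are the documented flags.
    Both tools take timestamps from the packet records when reading a file,
    which is what keeps the original times.
    """
    dest = pcap_agent_path(sensor_root, data)
    return [
        ["snort", "-U", "-c", snort_conf, "-r", pcap_file, "-l", f"{sensor_root}/snort_logs"],
        ["sancp", "-c", sancp_conf, "-r", pcap_file, "-d", f"{sensor_root}/sancp"],
        ["mkdir", "-p", os.path.dirname(dest)],
        ["cp", pcap_file, dest],
    ]


def build_sample_pcap(ts_sec: int, ts_frac: int, variant: str = "le-micro") -> bytes:
    """Constructed test input: a one-packet pcap in the requested variant."""
    magic, order = {
        "le-micro": (0xA1B2C3D4, "<"), "be-micro": (0xA1B2C3D4, ">"),
        "le-nano": (0xA1B23C4D, "<"), "be-nano": (0xA1B23C4D, ">"),
    }[variant]
    hdr = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    payload = b"\x00" * 42  # constructed, content irrelevant here
    rec = struct.pack(order + "IIII", ts_sec, ts_frac, len(payload), len(payload))
    return hdr + rec + payload


# Constructed sample: one packet captured 2013-01-17 22:50:24.5 UTC
SAMPLE_PCAP = build_sample_pcap(1358463024, 500_000)

if __name__ == "__main__":
    for argv in replay_plan("capture.pcap", SAMPLE_PCAP, "/nsm/sensor1"):
        print(" ".join(argv))
```

The name is taken from the first record rather than the file's mtime because a copied or downloaded pcap has lost its original mtime but not its packet timestamps, and the nanosecond magic is handled because captures from newer libpcap builds use it and would otherwise be rejected by the magic check.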