Re: [Sguil-users] Sguil vs packet captures, not live traffic
From: Richard B. <tao...@gm...> - 2013-01-18 01:34:02
This sounds like a scriptable process... I wouldn't expect a student to
run this process, but if given a script and a trace file, they could make do?

Thank you,

Richard

On Thu, Jan 17, 2013 at 5:50 PM, Voth, Brad (GE Corporate) <Bra...@ge...> wrote:
> In thinking about this more it would not be too complex:
>
> run snort against the pcaps
> put the merge.log where barnyard expects them
> run sancp/cxtracker against the pcaps
> put the sancp logs where the sancp agent expects them
> properly name the pcaps and put them where the pcap agent expects them
> start sguild and the agents
>
> Sent from my iPhone
>
> On Jan 17, 2013, at 17:28, "Richard Bejtlich" <tao...@gm...> wrote:
>
>> And that's the problem. If you want to use Sguil as a "forensic" tool,
>> or have students read a pcap and have the result look just like the
>> data when it was collected live, Tcpreplay doesn't work because
>> timestamps are set to the time of the replay.
>>
>> Sincerely,
>>
>> Richard
>>
>> On Thu, Jan 17, 2013 at 5:23 PM, Guy Bruneau <se...@wh...> wrote:
>>> You are correct. The timestamps will be the timestamps of the replay time,
>>> not the original time.
>>>
>>> Guy
>>>
>>> From: Richard Bejtlich <tao...@gm...>
>>> To: sgu...@li...
>>> Sent: Thursday, January 17, 2013 9:53:55 AM
>>>
>>> Subject: Re: [Sguil-users] Sguil vs packet captures, not live traffic
>>>
>>> My concern with tools like Tcpreplay is that you lose the original
>>> timestamps.
>>>
>>> Sincerely,
>>>
>>> Richard
>>
>> _______________________________________________
>> Sguil-users mailing list
>> Sgu...@li...
>> https://lists.sourceforge.net/lists/listinfo/sguil-users
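Brad's step list and Richard's remark that it is scriptable invite a script. The following is an added example, not code from this thread or from the Sguil project: it covers the "properly name the pcaps" step by reading each capture's first original timestamp (the value Tcpreplay would have lost) and copying the file to where a pcap agent would look for it. The `/nsm` root, sensor name and `dailylogs/YYYY-MM-DD/snort.log.<epoch>` layout are assumptions to check against your own sensor configuration.

```shell
#!/bin/sh
# Added example, not from the thread: stage historical pcaps for Sguil's pcap
# agent while preserving their original capture time, so the files line up with
# the timestamps carried by events from Snort/SANCP run over the same pcaps.
# Assumed layout (verify against your sensor): <nsm_root>/<sensor>/dailylogs/YYYY-MM-DD/snort.log.<epoch>

# Print ts_sec of the first record in a libpcap file (little- or big-endian).
pcap_first_ts() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|4d3cb2a1) endian=little ;;   # magic stored little-endian (usec / nsec variants)
        a1b2c3d4|a1b23c4d) endian=big ;;
        *) echo "not a libpcap file: $f" >&2; return 1 ;;
    esac
    # The 24-byte global header is followed by the first record header, which starts with ts_sec.
    set -- $(od -An -tu1 -j24 -N4 "$f")
    [ $# -eq 4 ] || { echo "no packets in $f" >&2; return 1; }
    if [ "$endian" = little ]; then
        echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
    else
        echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
    fi
}

# Destination path for a pcap whose first packet was captured at <epoch>.
# The day is taken in UTC here; use whatever your sensor's logging uses so agent and files agree.
sguil_pcap_path() {   # sguil_pcap_path <nsm_root> <sensor> <epoch>
    day=$(date -u -d "@$3" +%Y-%m-%d 2>/dev/null || date -u -r "$3" +%Y-%m-%d)
    echo "$1/$2/dailylogs/$day/snort.log.$3"
}

# Copy every *.pcap in <src_dir> into the dailylogs tree, named by original timestamp.
stage_pcaps() {       # stage_pcaps <src_dir> <nsm_root> <sensor>
    for f in "$1"/*.pcap; do
        ts=$(pcap_first_ts "$f") || continue
        dest=$(sguil_pcap_path "$2" "$3" "$ts")
        mkdir -p "$(dirname "$dest")" && cp "$f" "$dest" && echo "$f -> $dest"
    done
}

# Constructed sample: a minimal little-endian pcap with one 4-byte packet whose
# ts_sec is 1358445000 (2013-01-17 17:50:00 UTC, about when this thread was written).
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
    printf '\310\071\370\120\000\000\000\000\004\000\000\000\004\000\000\000\336\255\276\357' >> "$1"
}
```

Run Snort and SANCP/cxtracker over the same source pcaps (Brad's first steps) before pointing the agents at the tree, so alert, session and packet data all refer to the same original timestamps.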