Re: [Sguil-users] Sguil vs packet captures, not live traffic
From: Jeremy H. <jt...@gm...> - 2013-01-18 01:38:23
Sure.. pass the name of the pcap file, then have the script start doing all the checks and copying based on the config of the agents. The one goofy thing might be the timestamp on the pcap, but I bet that could be determined via tcpdump or tshark, exported and then appended as required.

On Fri, Jan 18, 2013 at 1:33 AM, Richard Bejtlich <tao...@gm...> wrote:
> This sounds like a scriptable process... I wouldn't expect a student
> to run this process, but if given a script and a trace file, they
> could make do?
>
> Thank you,
>
> Richard
>
> On Thu, Jan 17, 2013 at 5:50 PM, Voth, Brad (GE Corporate)
> <Bra...@ge...> wrote:
>> In thinking about this more it would not be too complex:
>>
>> run snort against the pcaps
>> put the merge.log where barnyard expects them
>> run sancp/cxtracker against the pcaps
>> put the sancp logs where the sancp agent expects them
>> properly name the pcaps and put them where the pcap agent expects them
>> start sguild and the agents
>>
>> Sent from my iPhone
>>
>> On Jan 17, 2013, at 17:28, "Richard Bejtlich" <tao...@gm...> wrote:
>>
>>> And that's the problem. If you want to use Sguil as a "forensic" tool,
>>> or have students read a pcap and have the result look just like the
>>> data when it was collected live, Tcpreplay doesn't work because
>>> timestamps are set to the time of the replay.
>>>
>>> Sincerely,
>>>
>>> Richard
>>>
>>> On Thu, Jan 17, 2013 at 5:23 PM, Guy Bruneau <se...@wh...> wrote:
>>>> You are correct. The timestamps will be the timestamps of the replay time,
>>>> not the original time.
>>>>
>>>> Guy
>>>>
>>>> From: Richard Bejtlich <tao...@gm...>
>>>> To: sgu...@li...
>>>> Sent: Thursday, January 17, 2013 9:53:55 AM
>>>>
>>>> Subject: Re: [Sguil-users] Sguil vs packet captures, not live traffic
>>>>
>>>> My concern with tools like Tcpreplay is that you lose the original
>>>> timestamps.
>>>>
>>>> Sincerely,
>>>>
>>>> Richard
>>> _______________________________________________
>>> Sguil-users mailing list
>>> Sgu...@li...
>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
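The staging procedure Brad sketches and Jeremy proposes scripting, written out as an added example (this is not code from the thread or from the Sguil project). The script takes a saved pcap, reads the first packet's timestamp straight from the pcap record header instead of shelling out to tcpdump or tshark (so it needs no capture tools), copies the file under the name the pcap agent will search for, and runs snort over the staged copy. The `<rawdir>/dailylogs/YYYY-MM-DD/snort.log.<epoch>` layout, the UTC date directory, the snort options, and the placeholder for the sancp/cxtracker pass are assumptions to check against your own agent configs; the sample pcap is constructed inline and is not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread or the Sguil project): stage a saved pcap so
# the Sguil agents can serve it with its original timestamps.
# Assumptions, to check against your own agent configs:
#   - pcap_agent searches <rawdir>/dailylogs/YYYY-MM-DD/snort.log.<epoch>,
#     with the date directory in UTC
#   - snort runs in read-back mode and snort.conf already configures the
#     unified2 output that barnyard2 reads
set -eu

# Epoch seconds of the first packet, read from the classic pcap record header
# (bytes 24-27) in the byte order implied by the magic number. pcapng files
# are rejected: their first block is a Section Header Block, not a packet.
pcap_first_epoch() {
    f=$1
    magic=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    raw=$(od -An -tx1 -j24 -N4 "$f" | tr -d ' \n')
    [ "${#raw}" -eq 8 ] || { echo "$f: no packet record" >&2; return 1; }
    b0=$(printf %s "$raw" | cut -c1-2); b1=$(printf %s "$raw" | cut -c3-4)
    b2=$(printf %s "$raw" | cut -c5-6); b3=$(printf %s "$raw" | cut -c7-8)
    case "$magic" in
        d4c3b2a1|4d3cb2a1) echo $((0x$b3$b2$b1$b0)) ;;   # little-endian (usec/nsec)
        a1b2c3d4|a1b23c4d) echo $((0x$b0$b1$b2$b3)) ;;   # big-endian (usec/nsec)
        *) echo "$f: not a classic pcap (magic $magic)" >&2; return 1 ;;
    esac
}

# Path the pcap agent is assumed to look up for a packet stamped <epoch>.
sguil_pcap_path() {
    rawdir=$1; epoch=$2
    day=$(date -u -d "@$epoch" +%Y-%m-%d 2>/dev/null || date -u -r "$epoch" +%Y-%m-%d)
    printf '%s/dailylogs/%s/snort.log.%s\n' "$rawdir" "$day" "$epoch"
}

# Copy the pcap into place and run the offline analysers over the staged copy.
stage_pcap() {
    pcap=$1; rawdir=$2; snortconf=$3; snortlog=$4
    epoch=$(pcap_first_epoch "$pcap")
    dest=$(sguil_pcap_path "$rawdir" "$epoch")
    mkdir -p "$(dirname "$dest")" "$snortlog"
    cp "$pcap" "$dest"
    # Alerts: snort reads the staged file; barnyard2 picks them up from $snortlog.
    if command -v snort >/dev/null 2>&1; then
        snort -q -c "$snortconf" -r "$dest" -l "$snortlog"
    else
        echo "snort not found; skipped alert generation for $dest" >&2
    fi
    # Session data: run sancp or cxtracker here with its read-from-file option,
    # writing where the sancp agent expects (flags differ by build, so not shown).
    echo "$dest"
}

# Constructed sample (not a real capture): a one-packet little-endian pcap whose
# first record is stamped 1358470800, i.e. 2013-01-18 01:00:00 UTC.
make_sample_pcap() {
    printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000' > "$1"
    printf '\220\236\370\120\000\000\000\000\001\000\000\000\001\000\000\000\000' >> "$1"
}

# Usage: sh stage_pcap.sh <pcap> <rawdir> <snort.conf> <snort-log-dir>
if [ $# -eq 4 ]; then stage_pcap "$@"; fi
```

Two things to confirm on a real sensor before relying on this: whether your pcap_agent builds the daily directory from UTC or local time (the date directory must match, or the agent will not find the file), and that captures saved as pcapng are converted to classic pcap first, since only the classic header is parsed here.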