Re: [Sguil-users] Sguil vs packet captures, not live traffic
From: Voth, B. (GE Corporate) <Bra...@ge...> - 2013-01-18 01:49:23
yeah, I would expect an experienced scripter could have a v1 for you in a pretty short timeframe.

Sent from my iPhone

On Jan 17, 2013, at 20:38, "Jeremy Hoel" <jt...@gm...> wrote:

> sure.. pass the name of the pcap file, then have the script start doing
> all the checks and copying based on the config of the agents. The one
> goofy thing might be the timestamp on the pcap, but I bet that could
> be determined via tcpdump or tshark, export and then appended as
> required.
>
> On Fri, Jan 18, 2013 at 1:33 AM, Richard Bejtlich <tao...@gm...> wrote:
>> This sounds like a scriptable process... I wouldn't expect a student
>> to run this process, but if given a script and a trace file, they
>> could make do?
>>
>> Thank you,
>>
>> Richard
>>
>> On Thu, Jan 17, 2013 at 5:50 PM, Voth, Brad (GE Corporate)
>> <Bra...@ge...> wrote:
>>> In thinking about this more it would not be too complex:
>>>
>>> run snort against the pcaps
>>> put the merge.log where barnyard expects them
>>> run sancp/cxtracker against the pcaps
>>> put the sancp logs where the sancp agent expects them
>>> properly name the pcaps and put them where the pcap agent expects them
>>> start sguild and the agents
>>>
>>> Sent from my iPhone
>>>
>>> On Jan 17, 2013, at 17:28, "Richard Bejtlich" <tao...@gm...> wrote:
>>>
>>>> And that's the problem. If you want to use Sguil as a "forensic" tool,
>>>> or have students read a pcap and have the result look just like the
>>>> data when it was collected live, Tcpreplay doesn't work because
>>>> timestamps are set to the time of the replay.
>>>>
>>>> Sincerely,
>>>>
>>>> Richard
>>>>
>>>> On Thu, Jan 17, 2013 at 5:23 PM, Guy Bruneau <se...@wh...> wrote:
>>>>> You are correct. The timestamps will be the timestamps of the replay time,
>>>>> not the original time.
>>>>>
>>>>> Guy
>>>>>
>>>>> From: Richard Bejtlich <tao...@gm...>
>>>>> To: sgu...@li...
>>>>> Sent: Thursday, January 17, 2013 9:53:55 AM
>>>>>
>>>>> Subject: Re: [Sguil-users] Sguil vs packet captures, not live traffic
>>>>>
>>>>> My concern with tools like Tcpreplay is that you lose the original
>>>>> timestamps.
>>>>>
>>>>> Sincerely,
>>>>>
>>>>> Richard
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
>>>> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
>>>> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
>>>> MVPs and experts. ON SALE this month only -- learn more at:
>>>> http://p.sf.net/sfu/learnmore_122712
>>>> _______________________________________________
>>>> Sguil-users mailing list
>>>> Sgu...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/sguil-users
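The staging script the thread sketches, written out as an added example (not code from the Sguil project or from anyone in this thread). It covers the two points the posters raise: Brad's step "properly name the pcaps and put them where the pcap agent expects them", and Jeremy's "goofy" part, the original timestamp. Instead of shelling out to tcpdump or tshark, it reads the first packet's timestamp straight from the libpcap file header, so the sensor sees the capture time rather than a replay time. Assumptions: Sguil's pcap agent looks for files named snort.log.<epoch-seconds> under <nsm_root>/<sensor>/dailylogs/YYYY-MM-DD/ (the day directory is computed in UTC here, matching sensors that run on UTC); the Snort flags -c, -r and -l are real, but /etc/snort/snort.conf, sensor1 and the scratch nsm root are placeholders; the sancp/cxtracker and barnyard steps follow the same copy-into-the-agent's-directory pattern and are not repeated. The one-packet capture in constructed_pcap is a constructed sample, not real traffic.

```python
"""Stage a saved pcap so Sguil's agents see it with its original timestamps."""
import datetime
import os
import shutil
import struct
import subprocess
import tempfile

# pcap magic number, as read little-endian from the first 4 bytes, mapped to
# (struct byte-order prefix for the rest of the file, timestamp fraction divisor)
PCAP_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),      # little-endian, microsecond timestamps
    0xD4C3B2A1: (">", 1_000_000),      # big-endian, microsecond timestamps
    0xA1B23C4D: ("<", 1_000_000_000),  # little-endian, nanosecond timestamps
    0x4D3CB2A1: (">", 1_000_000_000),  # big-endian, nanosecond timestamps
}
GLOBAL_HEADER_LEN = 24  # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16  # ts_sec, ts_frac, incl_len, orig_len


def first_packet_time(pcap_path):
    """Return the capture time of the first packet as epoch seconds (float).

    The value comes from the file itself, so it survives the import; a
    tcpreplay-based import would stamp every packet with the replay time.
    Raises ValueError for non-pcap files and for captures with no packets.
    """
    with open(pcap_path, "rb") as f:
        header = f.read(GLOBAL_HEADER_LEN)
        if len(header) < GLOBAL_HEADER_LEN:
            raise ValueError(f"{pcap_path}: truncated pcap global header")
        magic = struct.unpack("<I", header[:4])[0]
        if magic not in PCAP_MAGICS:
            raise ValueError(f"{pcap_path}: not a libpcap file (magic {magic:#x})")
        order, divisor = PCAP_MAGICS[magic]
        record = f.read(RECORD_HEADER_LEN)
    if len(record) < RECORD_HEADER_LEN:
        raise ValueError(f"{pcap_path}: capture contains no packets")
    ts_sec, ts_frac, _incl_len, _orig_len = struct.unpack(order + "IIII", record)
    return ts_sec + ts_frac / divisor


def staged_pcap_path(nsm_root, sensor, epoch):
    """Path the pcap agent scans (assumed layout):
    <nsm_root>/<sensor>/dailylogs/YYYY-MM-DD/snort.log.<epoch seconds>."""
    day = datetime.datetime.fromtimestamp(epoch, datetime.timezone.utc)
    return os.path.join(nsm_root, sensor, "dailylogs",
                        day.strftime("%Y-%m-%d"), f"snort.log.{int(epoch)}")


def stage_pcap(pcap_path, nsm_root, sensor):
    """Copy the capture into the pcap agent's tree under its original-time name."""
    dest = staged_pcap_path(nsm_root, sensor, first_packet_time(pcap_path))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copy2(pcap_path, dest)  # copy2 keeps the file's mtime as well
    return dest


def snort_command(pcap_path, snort_conf, log_dir):
    """Snort invocation that reads the pcap instead of an interface and writes
    its output under log_dir, the directory barnyard is configured to read."""
    return ["snort", "-c", snort_conf, "-r", pcap_path, "-l", log_dir]


def run_if_installed(cmd):
    """Run a sensor tool when it is on PATH; return None otherwise so the staging
    logic can be exercised on a machine without the sensor software."""
    if shutil.which(cmd[0]) is None:
        return None
    return subprocess.run(cmd, check=True).returncode


def constructed_pcap(path, ts_sec, ts_usec):
    """Write a minimal one-packet little-endian pcap (constructed sample)."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    payload = bytes(60)  # zero bytes standing in for an Ethernet frame
    record = struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload))
    with open(path, "wb") as f:
        f.write(global_header + record + payload)
    return path


def demo():
    """Stage a constructed capture in a scratch tree; report what the agent would see."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = constructed_pcap(os.path.join(tmp, "class.pcap"), 1358443680, 250000)
        dest = stage_pcap(sample, os.path.join(tmp, "nsm"), "sensor1")
        return {
            "epoch": first_packet_time(sample),
            "relative": os.path.relpath(dest, tmp),
            "copied": os.path.getsize(dest) == os.path.getsize(sample),
            "snort": snort_command(dest, "/etc/snort/snort.conf",
                                   os.path.join(tmp, "snort_logs")),
        }


if __name__ == "__main__":
    result = demo()
    print("staged as", result["relative"], "first packet at", result["epoch"])
    print("snort:", " ".join(result["snort"]))
```

For a real sensor, call stage_pcap on the student's trace with the sensor's nsm root, pass snort_command's result to run_if_installed, and only then start sguild and the agents so the pcap agent picks up the day directory that matches the capture's own date.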