I run the following in a local folder for several ingest types (PREDICT,
malware-traffic-analysis, etc...). Logstash, etc... does the rest. Hope it
helps.
Additionally, I have a watcher process written in Python to watch for pcaps
that are dropped into a directory.
## Replay all pcaps in bro
## Patrick Kelley
# Glob expansion is already sorted; quoting "$i" keeps file names with spaces intact.
for i in *; do
    bro -r "$i"
done
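The loop above replays one file per bro process; the quoted reply below passes many -r flags to a single process but warns that enough files will exceed ARG_MAX. An added example (not code from the thread or from Zeek) that splits a sorted pcap list into batches kept under an argument-size budget; the function names are hypothetical:

```python
import glob
import os
import subprocess


def batch_commands(pcaps, max_bytes, tool="bro"):
    """Group pcaps (sorted) into 'bro -r a -r b ...' command lists, each kept
    under max_bytes counted the way execve sees argv: every entry NUL-terminated."""
    batches, current, size = [], [tool], len(tool) + 1
    for f in sorted(pcaps):
        extra = len("-r") + 1 + len(f) + 1
        # Start a new batch when this file would push the argv size over budget.
        # A batch always holds at least one file, even if that file alone exceeds it.
        if len(current) > 1 and size + extra > max_bytes:
            batches.append(current)
            current, size = [tool], len(tool) + 1
        current.extend(["-r", f])
        size += extra
    if len(current) > 1:
        batches.append(current)
    return batches


def arg_budget(fraction=0.5):
    """A fraction of the kernel's ARG_MAX, leaving headroom for the environment
    block, which counts against the same limit. Falls back to 64 KiB off POSIX."""
    try:
        return int(os.sysconf("SC_ARG_MAX") * fraction)
    except (AttributeError, OSError, ValueError):
        return 64 * 1024


def replay_directory(directory=".", pattern="*.pcap", max_bytes=None, dry_run=False):
    """Replay every matching pcap in the directory, batch by batch.
    A non-zero exit from one batch (e.g. a truncated capture) does not stop the rest."""
    pcaps = glob.glob(os.path.join(directory, pattern))
    cmds = batch_commands(pcaps, max_bytes or arg_budget())
    for cmd in cmds:
        if not dry_run:
            subprocess.call(cmd)
    return cmds


if __name__ == "__main__":
    for cmd in replay_directory(dry_run=True):
        print(" ".join(cmd))
```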
On Mon, Apr 29, 2019 at 6:18 PM Justin Azoff <justin(a)corelight.com> wrote:
You can specify -r multiple times. Something like
import subprocess
import glob

cmd = ["bro"]
for f in glob.glob("*.pcap"):
    cmd.extend(["-r", f])
subprocess.call(cmd)
will work to a point. Eventually you will hit ARG_MAX with enough
files, but for a few dozen this works fine. For more, something like
https://github.com/assafmo/joincap could be better.
I outlined a good way to do this as an input plugin a while back as
well:
http://mailman.icsi.berkeley.edu/pipermail/zeek/2017-July/012355.html
On Mon, Apr 29, 2019 at 5:06 PM David Decker <x.faith(a)gmail.com> wrote:
Looking to see if anyone has created a script, or if this is an argument
to process multiple PCAPs using the bro -r argument.
I have it set up to output to JSON currently and change from EPOCH time
to normal date/time output, but that is one at a time, and will have
multiple.
Looking at either a batch script or maybe python but wanted to see if
anyone has done this before.
(Reingest multiple old PCAP files) to get re-ingested.
Dave
_______________________________________________
Zeek mailing list
zeek(a)zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Justin
--
Patrick Kelley
Hyperion Avenue Labs
http://www.hyperionavenue.com
951.291.8310
*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*