29 Apr
2019
29 Apr
'19
1:57 p.m.
Looking to see if anyone has created a script, or if this is an argument to
process multiple PCAPS using the bro -r argument.
I have it setup to output to JSON currently and change from EPOCH time to
normal date/time output, but that is one at a time, and will have
multiple.
Looking at either a batch script of maybe python but wanted to see if
anyone has done this bfore.
(Reingest multiple old PCAP files) to get re-ingested.
Dave
29 Apr
29 Apr
3:15 p.m.
You can specify -r multiple times. Something like
import subprocess
import glob
cmd = ["bro"]
for f in glob.glob("*.pcap"):
cmd.extend(["-r", f])
subprocess.call(cmd)
will work to a point. Eventually you will hit ARG_MAX with enough
files. but for a few dozen this works fine. For more, something like
https://github.com/assafmo/joincap could be better.
I outlined a good way to do this as an input plugin a while back as
well: http://mailman.icsi.berkeley.edu/pipermail/zeek/2017-July/012355.html
On Mon, Apr 29, 2019 at 5:06 PM David Decker <x.faith(a)gmail.com> wrote:
Looking to see if anyone has created a script, or if this is an argument to process
multiple PCAPS using the bro -r argument.
I have it setup to output to JSON currently and change from EPOCH time to normal
date/time output, but that is one at a time, and will have multiple.
Looking at either a batch script of maybe python but wanted to see if anyone has done
this bfore.
(Reingest multiple old PCAP files) to get re-ingested.
Dave
_______________________________________________
Zeek mailing list
zeek(a)zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Justin
30 Apr
30 Apr
7:31 p.m.
I run the following in a local folder for several ingest types (PREDICT,
malware-traffic-analysis, etc...). Logstash, etc... does the rest. Hope it
helps.
Additionally, I have a watcher process written in Python to watch for pcaps
that are dropped into a directory.
## Replay all pcaps in bro
## Patrick Kelley
for i in `ls |
sort`;
do bro -r $i
done
On Mon, Apr 29, 2019 at 6:18 PM Justin Azoff <justin(a)corelight.com> wrote:
You can specify -r multiple times. Something like
import subprocess
import glob
cmd = ["bro"]
for f in glob.glob("*.pcap"):
cmd.extend(["-r", f])
subprocess.call(cmd)
will work to a point. Eventually you will hit ARG_MAX with enough
files. but for a few dozen this works fine. For more, something like
https://github.com/assafmo/joincap could be better.
I outlined a good way to do this as an input plugin a while back as
well:
http://mailman.icsi.berkeley.edu/pipermail/zeek/2017-July/012355.html
On Mon, Apr 29, 2019 at 5:06 PM David Decker <x.faith(a)gmail.com> wrote:
--
Patrick Kelley
Hyperion Avenue Labs
http://www.hyperionavenue.com
951.291.8310
*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*
[image: hal_logo]
Looking to see if anyone has created a script, or if this is an argument
to
process multiple PCAPS using the bro -r argument.
I have it setup to output to JSON currently and change from EPOCH time
to normal
date/time output, but that is one at a time, and will have
multiple.
Looking at either a batch script of maybe python but wanted to see if
anyone has
done this bfore.
(Reingest multiple old PCAP files) to get
re-ingested.
Dave
_______________________________________________
Zeek mailing list
zeek(a)zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
--
Justin
_______________________________________________
Zeek mailing list
zeek(a)zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
9:30 p.m.
Update on the Bro -r using multiple scripts.
I guess I should add that I am needing to break out the logs (either by
PCAP or by say day) not sure what is the easiest.
Thanks everyone so far.
Still working out the kinks i guess.
New to this.
On Mon, Apr 29, 2019 at 1:57 PM David Decker <x.faith(a)gmail.com> wrote:
Looking to see if anyone has created a script, or if
this is an argument
to process multiple PCAPS using the bro -r argument.
I have it setup to output to JSON currently and change from EPOCH time to
normal date/time output, but that is one at a time, and will have
multiple.
Looking at either a batch script of maybe python but wanted to see if
anyone has done this bfore.
(Reingest multiple old PCAP files) to get re-ingested.
Dave
2 May
2 May
6:34 a.m.
I made a quick github project with the script I had sent David.
https://github.com/ottobackwards/run-bro-pcap-directory
if anyone is interested.
On May 1, 2019 at 00:33:06, David Decker (x.faith(a)gmail.com) wrote:
Update on the Bro -r using multiple scripts.
I guess I should add that I am needing to break out the logs (either by
PCAP or by say day) not sure what is the easiest.
Thanks everyone so far.
Still working out the kinks i guess.
New to this.
On Mon, Apr 29, 2019 at 1:57 PM David Decker <x.faith(a)gmail.com> wrote:
Looking to see if anyone has created a script, or if
this is an argument
to process multiple PCAPS using the bro -r argument.
I have it setup to output to JSON currently and change from EPOCH time to
normal date/time output, but that is one at a time, and will have multiple.
Looking at either a batch script of maybe python but wanted to see if
anyone has done this bfore.
(Reingest multiple old PCAP files) to get re-ingested.
Dave
_______________________________________________
Zeek mailing list
zeek(a)zeek.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
949
days inactive
952
days old
4 comments
4 participants
participants (4)
-
David Decker -
Justin Azoff -
Otto Fowler -
Patrick Kelley