[Zeek] Bro -r using multiple PCAP

Patrick Kelley pkelley at hyperionavenue.com
Tue Apr 30 19:31:57 PDT 2019


I run the following in a local folder for several ingest types (PREDICT,
malware-traffic-analysis, etc...). Logstash, etc... does the rest. Hope it
helps.

Additionally, I have a watcher process written in Python to watch for pcaps
that are dropped into a directory.

## Replay all pcaps in bro
## Patrick Kelley
# The glob expands in sorted order, so no ls | sort pipeline is needed,
# and quoting "$i" keeps filenames with spaces intact.
for i in *.pcap; do
    bro -r "$i"
done

On Mon, Apr 29, 2019 at 6:18 PM Justin Azoff <justin at corelight.com> wrote:

> You can specify -r multiple times.  Something like
>
> import subprocess
> import glob
>
> cmd = ["bro"]
>
> for f in glob.glob("*.pcap"):
>     cmd.extend(["-r", f])
>
> subprocess.call(cmd)
>
>
> will work to a point.  Eventually you will hit ARG_MAX with enough
> files. but for a few dozen this works fine.  For more, something like
> https://github.com/assafmo/joincap could be better.
>
> I outlined a good way to do this as an input plugin a while back as
> well:
> http://mailman.icsi.berkeley.edu/pipermail/zeek/2017-July/012355.html
>
> On Mon, Apr 29, 2019 at 5:06 PM David Decker <x.faith at gmail.com> wrote:
> >
> > Looking to see if anyone has created a script, or if this is an argument
> > to process multiple PCAPS using the bro -r argument.
> >
> > I have it setup to output to JSON currently and change from EPOCH time
> > to normal date/time output, but that is one at a time, and will have
> > multiple.
> >
> > Looking at either a batch script or maybe python but wanted to see if
> > anyone has done this before.
> > (Reingest multiple old PCAP files) to get re-ingested.
> >
> > Dave
> > _______________________________________________
> > Zeek mailing list
> > zeek at zeek.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>
>
>
> --
> Justin
>


-- 

Patrick Kelley
Hyperion Avenue Labs
http://www.hyperionavenue.com
951.291.8310

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*
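The batching approach below is an added example, not code from this thread or from the Zeek project. It takes Justin's multiple -r idea and splits the pcap list into batches whose argument list stays under a conservative byte budget (the budget, the "bro-logs" output root and the sample paths are my assumptions), and runs each batch in its own working directory so one run's conn.log and friends do not overwrite the previous batch's.

```python
import glob
import os
import subprocess

# Conservative per-invocation budget for the argument list (assumed value).
# The real limit is `getconf ARG_MAX`, and the environment counts against
# it too, so staying far below it avoids E2BIG without querying the exact value.
ARG_BYTES_BUDGET = 64 * 1024


def batch_pcaps(paths, budget=ARG_BYTES_BUDGET):
    """Split pcap paths into ordered batches whose "-r <path>" pairs fit budget.

    Each path costs its UTF-8 length plus a NUL, plus 3 bytes for "-r" and
    its NUL. Paths are sorted so the replay order is deterministic."""
    batches, current, size = [], [], 0
    for path in sorted(paths):
        cost = len(path.encode("utf-8")) + 1 + 3
        if current and size + cost > budget:
            batches.append(current)
            current, size = [], 0
        current.append(path)
        size += cost
    if current:
        batches.append(current)
    return batches


def build_commands(paths, binary="bro", budget=ARG_BYTES_BUDGET):
    """Return one argv list per batch, e.g. ["bro", "-r", a, "-r", b]."""
    commands = []
    for batch in batch_pcaps(paths, budget):
        argv = [binary]
        for path in batch:
            argv.extend(["-r", path])
        commands.append(argv)
    return commands


def replay_directory(pcap_dir, out_root="bro-logs", binary="bro", dry_run=False):
    """Replay every *.pcap under pcap_dir, one batch per bro run. Each batch
    gets its own working directory because bro -r writes its logs into the
    cwd, and a second run there would overwrite the first batch's logs."""
    paths = [os.path.abspath(p) for p in glob.glob(os.path.join(pcap_dir, "*.pcap"))]
    commands = build_commands(paths, binary)
    for index, argv in enumerate(commands):
        out_dir = os.path.join(out_root, "batch-%03d" % index)
        if not dry_run:
            os.makedirs(out_dir, exist_ok=True)
            subprocess.run(argv, cwd=out_dir, check=True)
    return commands
```

Call replay_directory("/path/to/pcaps", dry_run=True) to inspect the generated argv lists before letting it run bro.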
