so-import-pcap is a quick and dirty EXPERIMENTAL script that will import one or more pcaps into Security Onion and preserve original timestamps.
It will do the following:
- stop and disable Curator to avoid closing old indices
- stop and disable all active sniffing processes (Bro, Snort, Suricata, and netsniff-ng)
- stop and disable ossec_agent
- reconfigure and restart sguild, syslog-ng, and Logstash where necessary
- generate IDS alerts using Snort or Suricata
- generate Bro logs
- store IDS alerts and Bro logs with original timestamps
- split traffic into separate daily pcaps and store them where sguil’s pcap_agent can find them
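The daily-split step in the list above is the part worth seeing in code: every packet keeps the timestamp recorded in its pcap record header and is simply sorted into a per-day file. The script below is an added illustration written for this page, not so-import-pcap's own code (which uses its own tooling and Security Onion's directory layout); the `daily/<YYYY-MM-DD>/` output layout and the constructed three-packet sample pcap are assumptions for the example. It also validates the pcap magic number and rejects truncated files, which is the check you want before handing anything to an importer.

```python
"""Split a pcap into per-day pcaps while preserving each packet's original timestamp."""
import struct
import sys
from collections import OrderedDict
from datetime import datetime, timezone
from pathlib import Path

# pcap global-header magic numbers: microsecond and nanosecond variants, either byte order
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}
GLOBAL_HDR_LEN = 24  # magic(4) version(2+2) thiszone(4) sigfigs(4) snaplen(4) linktype(4)
PKT_HDR_LEN = 16     # ts_sec(4) ts_frac(4) incl_len(4) orig_len(4)


def pcap_endianness(data: bytes) -> str:
    """Return the struct byte-order prefix for this pcap, or raise ValueError if it is not a pcap."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("file too short to be a pcap")
    magic = data[:4]
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap file (unknown magic %s)" % magic.hex())
    return PCAP_MAGICS[magic]


def iter_records(data: bytes):
    """Yield (ts_sec, record_bytes) for every packet; record_bytes is the untouched header+payload."""
    endian = pcap_endianness(data)
    off = GLOBAL_HDR_LEN
    while off < len(data):
        if off + PKT_HDR_LEN > len(data):
            raise ValueError("truncated packet header at offset %d" % off)
        ts_sec, _ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[off:off + PKT_HDR_LEN])
        end = off + PKT_HDR_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        yield ts_sec, data[off:end]
        off = end


def split_by_day(data: bytes) -> "OrderedDict[str, bytes]":
    """Group packets by UTC calendar day; each value is a complete pcap reusing the input's global header."""
    header = data[:GLOBAL_HDR_LEN]
    days = OrderedDict()
    for ts_sec, record in iter_records(data):
        day = datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%d")
        days.setdefault(day, [header]).append(record)
    return OrderedDict((day, b"".join(parts)) for day, parts in days.items())


def packet_count(data: bytes) -> int:
    """Number of packet records in a pcap (raises ValueError on malformed input)."""
    return sum(1 for _ in iter_records(data))


def write_daily_pcaps(src: Path, out_dir: Path) -> list:
    """Write <out_dir>/<day>/<src stem>.pcap for each day found in src; return the written paths.
    The per-day directory layout is an assumption of this example, not Security Onion's."""
    written = []
    for day, blob in split_by_day(src.read_bytes()).items():
        dest = out_dir / day / (src.stem + ".pcap")
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(blob)
        written.append(dest)
    return written


# Constructed sample (not a real capture): little-endian microsecond pcap, linktype 1 (Ethernet),
# three 4-byte dummy frames at 2018-02-07 10:40:00, 2018-02-07 23:59:59 and 2018-02-08 10:40:00 UTC.
def _record(ts_sec: int, payload: bytes) -> bytes:
    return struct.pack("<IIII", ts_sec, 0, len(payload), len(payload)) + payload


SAMPLE_PCAP = (
    b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    + _record(1518000000, b"\x01\x02\x03\x04")
    + _record(1518047999, b"\x05\x06\x07\x08")
    + _record(1518086400, b"\x09\x0a\x0b\x0c")
)

if __name__ == "__main__":
    # Usage: python split_daily.py capture1.pcap capture2.pcap ...
    for name in sys.argv[1:]:
        for path in write_daily_pcaps(Path(name), Path("daily")):
            print(path)
```

Because records are copied byte-for-byte, the output files carry exactly the timestamps of the input, which is the property the importer relies on when it later stores IDS alerts and Bro logs under those times. The day boundary is computed in UTC; a packet at 23:59:59 and one at 00:00:00 the next day land in different files, so look for the event in the right daily file when checking results.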
Warnings and Caveats:
- You must be running at least Security Onion 16.04.
- Do NOT run this on a production deployment. It is designed for standalone systems designated for so-import-pcap.
- If you’re running in a VM with snapshot capability, you might want to take a snapshot before this program makes changes.
Reverting System Changes:
- If you take a VM snapshot before this program makes changes, then just revert to snapshot.
- Otherwise, you can re-run Setup and it should overwrite all modified files to revert the system to normal operation.
Please supply at least one pcap file.
For example, to import a single pcap named
To import multiple pcaps:
so-import-pcap import1.pcap import2.pcap
For a detailed walk-through with screenshots, please see https://taosecurity.blogspot.com/2018/02/importing-pcap-into-security-onion.html.
Please note that so-import-pcap will make changes to your system! It will warn you before doing so and will prompt you to press Enter to continue or Ctrl-c to cancel.
If you want to bypass the “Press Enter to continue” prompt, you can do something like this:
echo | sudo so-import-pcap /opt/samples/markofu/ie*