I have been testing the SELKS Docker setup. Is there a way to ingest pcap files? I was at the Defcon workshop over the weekend and there was a nice script (suri.sh) in the workshop OVA that pulled in pcap files. I am working on an automated lab environment for college students.
Via reading a pcap from the command line: suricata -l /var/log/suricata/ -r file.pcap -k none --runmode=autofp
This is what the script from the workshop does above; it just makes sure any and all data and logs are cleared before ingestion, so that we are sure it is only that particular pcap’s data in any visualization/dashboard.
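A small POSIX shell script that does the two steps described in the replies above (clear the previous run's logs, then replay one pcap with the command given), plus a quick alert count to confirm the ingestion produced events. This is an added example, not the workshop's suri.sh or anything from the SELKS project; the log directory and file names are assumed Suricata defaults.

```shell
#!/bin/sh
# Added example, not the workshop's suri.sh. Assumes Suricata writes
# eve.json / fast.log / stats.log / suricata.log under $LOGDIR (default paths).
LOGDIR="${LOGDIR:-/var/log/suricata}"

# Truncate the previous run's logs so dashboards only reflect this pcap.
# Truncating (instead of deleting) keeps file ownership and permissions intact.
clear_suricata_logs() {
    dir="$1"
    [ -d "$dir" ] || mkdir -p "$dir"
    for f in eve.json fast.log stats.log suricata.log; do
        : > "$dir/$f"
    done
}

# Count alert events in an EVE JSON log (one JSON object per line).
# Prints 0 when there are none instead of failing.
count_alerts() {
    grep -c '"event_type": *"alert"' "$1" || true
}

# Replay a single pcap: reset logs, then run the command from the answer above.
# -k none disables checksum validation (captures with offloaded checksums would
# otherwise be dropped); --runmode=autofp is the multi-threaded pcap mode.
replay_pcap() {
    pcap="$1"
    [ -r "$pcap" ] || { echo "pcap not readable: $pcap" >&2; return 1; }
    clear_suricata_logs "$LOGDIR"
    suricata -l "$LOGDIR" -r "$pcap" -k none --runmode=autofp || return 1
    echo "alerts in $LOGDIR/eve.json: $(count_alerts "$LOGDIR/eve.json")"
}

# Usage: LOGDIR=/var/log/suricata ./replay.sh capture.pcap
if [ "$#" -ge 1 ]; then
    replay_pcap "$1"
fi
```

Run it once per pcap in the lab; if the alert count is 0, check suricata.log in the same directory before blaming the rules.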