Ingesting PCAPS in SELKS Docker

I have been testing the SELKS Docker set up. Is there a way to ingest pcap files? I was at the Defcon workshop over the weekend and there was a nice script (suri.sh) in the workshop ova that pulled in pcap files. I am working on an automated lab environment for college students.

Thanks for the assistance.

Best Regards,

Chris

1 Like

Thank you for attending the workshop. I hope it was useful.

There are a couple of ways to ingest pcaps:

Via unix socket:
https://suricata.readthedocs.io/en/suricata-6.0.3/unix-socket.html?#pcap-processing-mode

Via reading a pcap from the command line:
suricata -l /var/log/suricata/ -r file.pcap -k none --runmode=autofp
This is what the script from the workshop (mentioned above) does; it just makes sure any and all data and logs are cleared before ingestion so that we are sure it is only that particular pcap’s data in any visualization/dashboard.

Via pointing to a folder with pcaps or specifying other options like “continuous”:
https://suricata.readthedocs.io/en/suricata-6.0.3/command-line-options.html?#cmdoption-r

Via simply replaying the pcap on the sniffing interface of suricata
tcpreplay -i eth0 --pps=50 /path/to/file.pcap

2 Likes