suri-ingest-pcap.sh
source link: https://gist.github.com/jstrosch/d9e31d364a80714856eb70fcf6f9b13f
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
suri-ingest-pcap.sh · GitHub
Instantly share code, notes, and snippets.
#!/usr/bin/env bash
PCAPFILE=$1 LOG_LOCATION='/tmp/suricata/'
if [ -z $PCAPFILE ] || [ ! -f $PCAPFILE ]; then echo "File ${PCAPFILE} doesnt seem to be there - please supply a pcap file." exit 1; fi
if [ ! -d "$LOG_LOCATION" ]; then echo "Attempting to create Suricata log directory..." mkdir "$LOG_LOCATION" else echo "Log location exists, removing previous content..." rm -rf "$LOG_LOCATION/*" fi
# Run Suricata in offline mode (i.e. PCAP processing) suricata -c /etc/suricata/suricata.yaml -k none -r $1 --runmode=autofp -l /tmp/suricata/
#print out alerts echo -e "\nAlerts:\n" grep '"event_type":"alert"' /tmp/suricata/eve.json |jq '"\(.timestamp) | \(.alert.gid):\(.alert.signature_id):\(.alert.rev) | \(.alert.signature) | \(.alert.category) | \(.src_ip):\(.src_port) -> \(.dest_ip):\(.dest_port)"'
# If you have Evebox installed, you can comment out this line to launch it in oneshot mode # evebox oneshot "$LOG_LOCATION/eve.json"
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK