Showing posts from February, 2018

Importing Pcap into Security Onion

Within the last week, Doug Burks of Security Onion  (SO) added a new script that revolutionizes the use case for his amazing open source network security monitoring platform. I have always used SO in a live production mode, meaning I deploy a SO sensor sniffing a live network interface. As the multitude of SO components observe network traffic, they generate, store, and display various forms of NSM data for use by analysts. The problem with this model is that it could not be used for processing stored network traffic. If one simply replayed the traffic from a .pcap file, the new traffic would be assigned contemporary timestamps by the various tools observing the traffic. While all of the NSM tools in SO have the independent capability to read stored .pcap files, there was no unified way to integrate their output into the SO platform. Therefore, for years, there has not been a way to import .pcap files into SO -- until last week! Here is how I tested the new so-import-pcap s