so-import-pcap will import one or more pcaps into Security Onion and preserve original timestamps. It will do the following:
- generate IDS alerts using Suricata
- generate network metadata using Zeek
- store IDS alerts and network metadata in Elasticsearch with original timestamps
- store pcaps where Security Onion Console (SOC) can find them
so-import-pcap works differently on Security Onion 2 than it did in previous versions!
This new version of so-import-pcap requires you to run through Setup and choose a configuration that supports so-import-pcap. This includes Import Node and other nodes that include sensor services like Eval and Standalone. The quickest and easiest option is to choose Import Node which gives you the minimal services necessary to import a pcap. so-import-pcap then provides a hyperlink for you to view all alerts and logs in Hunt. You can also find NIDS alerts in Alerts and all logs in Kibana.
Once Setup completes, you can then run
sudo so-import-pcap and supply the full path to at least one pcap file. For example, to import a single pcap named
sudo so-import-pcap /full/path/to/import.pcap
To import multiple pcaps:
sudo so-import-pcap /full/path/to/import1.pcap /full/path/to/import2.pcap
Please note that if you import multiple pcaps at one time, so-import-pcap currently only provides a hyperlink for the last pcap in the list. If you need a hyperlink for each pcap, then you can run one pcap file per so-import-pcap and use a for-loop to iterate over your collection of pcap files.
If you don’t already have some pcap files to import, see PCAPs for Testing for a list of sites where you can download sample pcaps.
Our Quick Malware Analysis series at https://blog.securityonion.net/search/label/quick%20malware%20analysis uses so-import-pcap to import pcaps from https://www.malware-traffic-analysis.net/ and other sites. Following along with these blog posts in your own so-import-pcap VM is a great way to practice your skills!