so-import-pcap

so-import-pcap will import one or more pcaps into Security Onion and preserve original timestamps.

It will do the following:

• generate IDS alerts using Suricata
• generate network metadata using Zeek
• store IDS alerts and network metadata in Elasticsearch with original timestamps
• store pcaps where Security Onion Console (SOC) can find them

Usage

Warning

so-import-pcap works differently on Security Onion 2 than it did in previous versions!

This new version of so-import-pcap requires you to run through Setup and choose a configuration that supports so-import-pcap. This includes Import Node and other nodes that include sensor services like Eval and Standalone. The quickest and easiest option is to choose Import Node which gives you the minimal services necessary to import a pcap. so-import-pcap then provides a hyperlink for you to view all alerts and logs in Hunt. You can also find NIDS alerts in Alerts and all logs in Kibana.

Once Setup completes, you can then run sudo so-import-pcap and supply the full path to at least one pcap file. For example, to import a single pcap named import.pcap:

sudo so-import-pcap /full/path/to/import.pcap

To import multiple pcaps:

sudo so-import-pcap /full/path/to/import1.pcap /full/path/to/import2.pcap

If you don’t already have some pcap files to import, see PCAPs for Testing for a list of sites where you can download sample pcaps.