I have uploaded a new version of PcapParser for all 3 of you who are probably using it ;-). It has small fixes.
1. The last pcap file in the array wasn't being added to the search list when using Argus data and the last connection time was > the pcap file timestamp.
2. I set the default linktype to be Ethernet in the bpfcompile PHP extension so that we could match on MAC addresses. If you need it to be something else you will have to modify it.
http://doc.emergingthreats.net/pub/Main/PcapParser/pcapp-0.1.tar.bz2
md5sum:e6d71d9a4dd0c5ee7ed033c17150d785
Additionally, there was recently a question on the Snort mailing list about automating extraction of sessions etc. I have uploaded the script that I use to automate this. Essentially it tails a Barnyard-generated CSV file, and then runs parsep4 based on matched SIDs.
I have uploaded this to the pcap parser page as well just in case you are looking for a crappy script to do this for you ;-)....
http://doc.emergingthreats.net/pub/Main/PcapParser/sentinal.tar.bz2
md5sum:0be132cd3ac15b184af3e4b39ece4f1a
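For readers who want to see the shape of that loop before downloading the tarball, here is an added example of the same idea written from scratch for this page; it is not the sentinal script above and not code from the PcapParser project. It follows a Barnyard alert CSV the way `tail -f` does (reopening on rotation or truncation), parses each line with a configurable field order, and runs an extractor for alerts whose SID is on a watch list. The field order, the watched SIDs, the sample alert lines and the `parsep4` argument template are all assumptions: parsep4's real command-line options are not given on this page, so the template is a placeholder to adapt to whatever extractor you call.

```python
"""Tail a Barnyard alert CSV and run a session extractor for matching SIDs.

Added example, not the sentinal script from the PcapParser page. Everything
below the imports that names a field, SID or command-line flag is assumed.
"""
import csv
import os
import subprocess
import sys
import time
from typing import Callable, Dict, Iterable, Iterator, List, Optional

# Assumed field order of the Barnyard CSV output. Set it to match the field
# list on the 'output alert_csv' line of your barnyard.conf.
FIELDS = ["timestamp", "sig_generator", "sig_id", "sig_rev", "msg",
          "proto", "src", "srcport", "dst", "dstport"]

# SIDs whose sessions should be pulled (constructed values in the local range).
WATCHED_SIDS = {1000001, 1000003}

# Hypothetical extractor invocation. parsep4's real options are not documented
# here; each element is a str.format template filled from the alert fields.
COMMAND_TEMPLATE = ["parsep4", "-s", "{src}", "-d", "{dst}",
                    "-p", "{dstport}", "-t", "{timestamp}"]

# Constructed sample alerts: a watched SID, an unwatched one, and a watched one
# whose msg carries shell metacharacters to show they never reach a shell.
SAMPLE_CSV = (
    '04/08-13:05:22.123456,1,1000001,1,"constructed rule one",TCP,'
    '10.1.2.3,49152,192.0.2.10,80\n'
    '04/08-13:05:23.000001,1,1000002,1,"constructed rule, with comma",UDP,'
    '10.1.2.4,5353,224.0.0.251,5353\n'
    '04/08-13:05:24.500000,1,1000003,2,"constructed rule; $(touch /tmp/pwn)",TCP,'
    '10.1.2.5,51000,198.51.100.7,443\n'
)


def parse_alert(line: str, fields: List[str] = FIELDS) -> Optional[Dict[str, str]]:
    """Parse one CSV alert line into a dict; None for blank or truncated lines."""
    line = line.strip()
    if not line:
        return None
    row = next(csv.reader([line]))  # csv handles the quoted, comma-bearing msg field
    if len(row) < len(fields):
        return None
    return dict(zip(fields, row))


def matches(alert: Dict[str, str], sids=WATCHED_SIDS) -> bool:
    """True when the alert's sig_id is on the watch list."""
    try:
        return int(alert["sig_id"]) in sids
    except (KeyError, ValueError):
        return False


def build_command(alert: Dict[str, str], template=COMMAND_TEMPLATE) -> List[str]:
    """Fill the template into an argv list. It is deliberately a list, not a
    shell string: msg, src and dst are attacker-influenced wire data."""
    return [part.format(**alert) for part in template]


def follow(path: str, poll: float = 0.5) -> Iterator[str]:
    """tail -f in binary mode, reopening when the file is rotated or truncated."""
    fh = open(path, "rb")
    fh.seek(0, os.SEEK_END)
    inode = os.fstat(fh.fileno()).st_ino
    while True:
        line = fh.readline()
        if line:
            if line.endswith(b"\n"):
                yield line.decode("utf-8", "replace")
            else:  # partial line still being written: rewind and retry
                fh.seek(fh.tell() - len(line))
                time.sleep(poll)
            continue
        try:
            st = os.stat(path)
        except FileNotFoundError:
            time.sleep(poll)
            continue
        if st.st_ino != inode or st.st_size < fh.tell():  # rotated or truncated
            fh.close()
            fh = open(path, "rb")
            inode = os.fstat(fh.fileno()).st_ino
        else:
            time.sleep(poll)


def process_alerts(lines: Iterable[str], sids=WATCHED_SIDS,
                   run: Callable = subprocess.run) -> List[List[str]]:
    """Run the extractor for each matching alert; return the argv lists issued."""
    issued = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None or not matches(alert, sids):
            continue
        argv = build_command(alert)
        run(argv, check=False)  # no shell=True, so "$(...)" in msg stays inert
        issued.append(argv)
    return issued


if __name__ == "__main__":
    csv_path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/barnyard/alert.csv"
    process_alerts(follow(csv_path))
```

The one design point worth keeping if you write your own: pass the extractor an argv list and never build a shell command string from alert fields. The `msg` column is rule text you control, but `src`, `dst` and the ports are copied from packets, and a future CSV layout could put any field next to a shell.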
Wednesday, April 8, 2009