Bro -r using multiple PCAP

Looking to see if anyone has created a script, or if there is an argument, to process multiple PCAPs using the bro -r argument.

I have it set up to output to JSON currently and change from epoch time to normal date/time output, but that is one at a time, and I will have multiple.

Looking at either a batch script or maybe Python, but wanted to see if anyone has done this before.
(Re-ingest multiple old PCAP files.)

Dave

You can specify -r multiple times. Something like

import subprocess
import glob

# bro reads every -r file it is given, so build one command line
cmd = ["bro"]

# add "-r <file>" for each capture in the current directory
for f in glob.glob("*.pcap"):
    cmd.extend(["-r", f])

# run bro once over all of them; logs land in the current directory
subprocess.call(cmd)

will work to a point. Eventually you will hit ARG_MAX with enough
files, but for a few dozen this works fine. For more, something like
https://github.com/assafmo/joincap could be better.

I outlined a good way to do this as an input plugin a while back as
well: http://mailman.icsi.berkeley.edu/pipermail/zeek/2017-July/012355.html

I run the following in a local folder for several ingest types (PREDICT, malware-traffic-analysis, etc…). Logstash, etc… does the rest. Hope it helps.

Additionally, I have a watcher process written in Python to watch for pcaps that are dropped into a directory.


Update on the Bro -r using multiple scripts.

I guess I should add that I need to break out the logs (either by PCAP or by, say, day); not sure which is the easiest.
Thanks, everyone, so far.
Still working out the kinks, I guess.
New to this.
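An added example, not any poster's script, that covers both points raised above: it keeps merged `bro -r` runs under an ARG_MAX-style byte budget, and it runs bro once per capture with a separate working directory per PCAP so each capture's logs are already broken out. The `runner` parameter is assumed to behave like `subprocess.call(cmd, cwd=...)` and exists only so the logic can be exercised without bro installed.

```python
# Added example (not from the thread): batch bro -r calls under a byte budget,
# or run one bro process per pcap so its logs land in their own directory.
import glob
import os
import subprocess


def build_batches(pcaps, exe="bro", arg_budget=100_000):
    """Group pcap paths into bro command lines that each stay under arg_budget.

    Each file costs len("-r") + len(path) plus two NUL separators. This is a
    rough model of ARG_MAX accounting (the real limit also counts environment).
    """
    batches, cur, size = [], [exe], len(exe) + 1
    for p in pcaps:
        cost = 3 + len(p) + 1
        if len(cur) > 1 and size + cost > arg_budget:
            batches.append(cur)
            cur, size = [exe], len(exe) + 1
        cur.extend(["-r", p])
        size += cost
    if len(cur) > 1:
        batches.append(cur)
    return batches


def run_per_pcap(pcaps, out_root, exe="bro", runner=subprocess.call):
    """Run `exe -r <pcap>` with cwd = out_root/<pcap stem>/ for each capture.

    bro writes conn.log, dns.log, ... to its working directory, so this yields
    one log set per pcap. Returns {pcap: exit status}. `runner` is assumed to
    accept (cmd, cwd=...) like subprocess.call; injectable for testing.
    """
    results = {}
    for p in pcaps:
        stem = os.path.splitext(os.path.basename(p))[0]
        dest = os.path.join(out_root, stem)
        os.makedirs(dest, exist_ok=True)
        results[p] = runner([exe, "-r", os.path.abspath(p)], cwd=dest)
    return results


if __name__ == "__main__":
    # one directory of logs per capture found in the current folder
    run_per_pcap(sorted(glob.glob("*.pcap")), "bro-logs")
```

To split by day instead of by PCAP, group the pcap list by capture date before calling `run_per_pcap` and pass one merged batch from `build_batches` per group.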

I made a quick github project with the script I had sent David.

https://github.com/ottobackwards/run-bro-pcap-directory

if anyone is interested.