Wednesday, June 1, 2022

SecurityOnion@Home - Mass Export PCAP?

Another day, another task to try. I have a requirement to store PCAP offline, and in 16.04 there were folders for PCAP under /nsm/*/dailylogs which I could rsync over to another storage device. In 2.3 there is a folder path for PCAP, /NSM/PCAP, but the files in it are not true PCAP data files.

The files are created by Stenographer and can be converted back to PCAP (that's my understanding at least). That is how the SOC interface pulls PCAP based off of alerts. But what if you wanted to copy all of the PCAP data?

Going through the SecurityOnion documentation and the discussion forums, I found mention of a  script created by the SecurityOnion team called so-pcap-export.   From the documentation:

I tested it with sudo so-pcap-export 'after 30m ago' output (leave off the .pcap, as it is added in the script).

This created the file inside of the /nsm/pcapout folder. So this works for exporting, but it looks to only create one file at the moment. It would be nice to have the ability to create PCAP on set intervals from the files created by Stenographer.

More searching led me to this script on the discussion forums for SecurityOnion.  

https://github.com/Security-Onion-Solutions/securityonion/discussions/4038

It's a Python script created by Rob Hackworth that I am still trying to get working at the moment, but it looks like it uses the same Stenographer query, and just adds the ability to break up the PCAP by intervals. So far when I have tried it, it does create multiple PCAPs based off of intervals. The only issue is that this version looks to only work by dates, and does not accept something like 24h, which would let me copy days' worth of PCAP.

One item of note from the script: 

The time interval is critical as Steno will only let you export ~76G before it fails

Now I am not sure where that information comes from, maybe from the user's testing. The next set of testing would be to see how CPU intensive the converting of the files to PCAP is on the system, and then the addition of a possible rsync to this.

Currently trying to think of better ways, different ways, to accomplish the task. I was thinking maybe using an NFS share and having the script copy the files directly to the shared folder (this might be resource intensive, especially in the current build-out of our SecurityOnion).

I wonder if it's also possible to set a marker on the last set of Stenographer files that you converted back to PCAP, so you are not recreating the same PCAP files.
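As an added example (not Security Onion's code and not the forum script), here is a small Python wrapper that does the two things discussed above: it splits a time range into fixed windows and calls so-pcap-export once per window, and it keeps a watermark file so a rerun skips windows already exported. It assumes so-pcap-export takes a Stenographer query plus an output name as in the command used earlier, that Stenographer accepts 'after <RFC3339> and before <RFC3339>' queries, and that /nsm/pcapout/export-state.json is a usable location for the watermark.

```python
"""Export Stenographer data to PCAP in fixed time windows, one file per window.
Added example, not Security Onion's code or the forum script. Assumes
so-pcap-export takes a Stenographer query plus an output name (as used above),
Stenographer accepts 'after <RFC3339> and before <RFC3339>', and a JSON watermark
file in /nsm/pcapout records the last exported window so reruns skip it."""
import json
import subprocess
from datetime import datetime, timedelta, timezone
from pathlib import Path

STATE_FILE = Path("/nsm/pcapout/export-state.json")  # assumed location
FMT = "%Y-%m-%dT%H:%M:%SZ"  # RFC3339 in UTC, as used in Stenographer queries

def utc(s):
    """Parse '2022-06-01T00:00:00Z' into an aware UTC datetime."""
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

def plan_exports(start, end, step_hours, watermark=None):
    """Return (win_start, win_end, query, outname) per window of [start, end) that
    ends after the watermark; the last window may be shorter than step_hours."""
    plan, cur, step = [], start, timedelta(hours=step_hours)
    while cur < end:
        nxt = min(cur + step, end)
        if watermark is None or nxt > watermark:  # skip windows already exported
            query = f"after {cur.strftime(FMT)} and before {nxt.strftime(FMT)}"
            name = f"pcap_{cur.strftime('%Y%m%dT%H%M%SZ')}_{nxt.strftime('%Y%m%dT%H%M%SZ')}"
            plan.append((cur, nxt, query, name))
        cur = nxt
    return plan

def load_watermark(state_file=STATE_FILE):
    """End of the last exported window, or None on the first run."""
    return utc(json.loads(state_file.read_text())["last_end"]) if state_file.exists() else None

def run_exports(plan, state_file=STATE_FILE, dry_run=True):
    """Run so-pcap-export per window (output lands in /nsm/pcapout); the watermark
    advances only after a success, so a failed window is retried on the next run."""
    for _, win_end, query, name in plan:
        cmd = ["sudo", "so-pcap-export", query, name]  # .pcap is appended by the script
        if dry_run:
            print(" ".join(cmd))
            continue
        subprocess.run(cmd, check=True)  # raises on failure, watermark stays put
        state_file.write_text(json.dumps({"last_end": win_end.strftime(FMT)}))

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(minute=0, second=0, microsecond=0)
    run_exports(plan_exports(now - timedelta(hours=24), now, 1, load_watermark()))
```

Keeping the windows small also keeps each export well under the ~76G limit quoted from the forum script; set dry_run=False once the printed commands look right.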
