Do you need to start bro for so-import-pcap to work? Or does zeek suffice? #10612
Replies: 1 comment 1 reply
- That video is from an old version of Security Onion. Zeek is the new name for Bro - they're the same software.
- Hi,
I am asking because I sent Wireshark pcap files through WinSCP to a folder in my VM. I am not seeing any pcap data when I go to Kibana etc.
Do I need to put my pcaps in a certain folder (pcap store) for pcaps to be retrieved? I know the MD5s are kept in nsm/import. Are the MD5s the ones that get pulled into Kibana?
I followed this video: https://www.youtube.com/watch?v=SVT2QGEmjd8. When Doug ran the import command, I saw "Checking /opt/samples/bro/cve".
Doug's so-import-pcap processing - shows the bro/cve folder (ignore magnifying section)

My so-import-pcap processing does not

After looking around, I found this: `sudo nsm_sensor_ps-restart --only-brog`. Do I need to run this before I run the import command, after the import command, or do I even need this "only-brog"? Or does zeek suffice?
Or is there something else I need to do?
Thanks for your suggestions and advice.