Zeek Import Pcap

[solftclone]

Hi, I have one pcap captured in last month . I want that pcap packets to be processed by so-zeek container and generate notice logs on kibana dashboard whenever I will import that pcap.

I have tried tcpreplay and changing timestamp of pcap packets to current timestamp of Security onion But no notice logs were generated.

I have my custom zeek script placed at proper location. Whenever I have imported pcap using so-import-pcap. Able to to notice logs on hunt dashboard for that particular timestamp when that pcap was captured.

But i want the notice logs to be generated on kibana dashboard like logs will generate for live network traffic.

Can someone please help me with that as soon as possible.

[robbiemarshall]

What version of SO are you running?

[solftclone]

HI, Thanks for replying. We are using Security Onion 2.3.170 version. Please help me with this. I need to do this as soon as possible.

[robbiemarshall]

so-import-pcap will generate logs in both SOC and Kibana: https://docs.securityonion.net/en/2.3/so-import-pcap.html#so-import-pcap

[solftclone]

Hi, I am not able to see logs in kibana from the imported pcap. When we import pcap then It will give hunt URL right? There that pcap timerange is applied and all logs will appear in categories like dns or conn or notice.
Within that URL I am able to see notice logs for the packets from the imported pcap.

My requirement is when I import pcap then those packets from pcap should be processed lively like live network traffic and as soon as that packet is processed based on condition notice log should be generated in kibana based on that notice log I have written elastalert rule which should be hit.

Now that pcap was not lively processed so no notice log will be generated in todays date when we import the pcap so not able to see hit for the elastalert rule.

I have tried changing timestamp of packets from pcap to current timestamp of SO 170 but then may be that pcap behaviour is changing hence I am not able to see the notice logs.

[robbiemarshall]

so-pcap-import will maintain the time of the packet capture, so it's not possible to do what you're asking. The only possible option would be to use a tool like scapy to directly manipulate the packets and timestamps and then ingest them.