CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-08 18:22:47 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9711 from Security-Onion-Solutions/fix/so_import_pcap_suricata_metadata_disable_zeek

Browse Source 
Only run Zeek if it is defined as the metadata engine
This commit is contained in:
weslambert
2023-02-02 13:27:35 -05:00
committed by GitHub
parent 395cbf330a bc082dff99
commit bee5a1e9e8
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
salt/common/tools/sbin/so-import-pcap
View File

@@ -148,11 +148,12 @@ for PCAP in "$@"; do
# generate IDS alerts and write them to standard pipeline # generate IDS alerts and write them to standard pipeline
echo "- analyzing traffic with Suricata" echo "- analyzing traffic with Suricata"
suricata "${PCAP}" $HASH suricata "${PCAP}" $HASH
{% if salt['pillar.get']('global:mdengine') == 'ZEEK' %}
# generate Zeek logs and write them to a unique subdirectory in /nsm/import/bro/ # generate Zeek logs and write them to a unique subdirectory in /nsm/import/zeek/
# since each run writes to a unique subdirectory, there is no need for a lock file # since each run writes to a unique subdirectory, there is no need for a lock file
echo "- analyzing traffic with Zeek" echo "- analyzing traffic with Zeek"
zeek "${PCAP}" $HASH zeek "${PCAP}" $HASH
{% endif %}
START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}') START=$(pcapinfo "${PCAP}" -a |grep "First packet time:" | awk '{print $4}')
END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}') END=$(pcapinfo "${PCAP}" -e |grep "Last packet time:" | awk '{print $4}')