Import now requires execution on a sensor node due to the need for zeek and suricata; Automatically stop curator if curator is installed

Jason Ertel
2020-07-02 12:07:24 -04:00
parent c7a3cc9c17
commit cf6a229f51


@@ -21,18 +21,9 @@
function usage { function usage {
cat << EOF cat << EOF
Usage: $0 [options] <pcap-file-1> [pcap-file-2] [pcap-file-N] Usage: $0 <pcap-file-1> [pcap-file-2] [pcap-file-N]
Imports one or more PCAP files for analysis. Imports one or more PCAP files for analysis. If available, curator will be automatically stopped.
Options:
--stop-curator Use this option when importing PCAPs with older traffic,
otherwise the data will not be available for analysis.
CAUTION: Curator will remain disabled! If this is a
production installation then curator should be
re-enabled once analysis of the imported PCAP
data is completed. Use the 'so-curator-start'
command to re-enable curator.
EOF EOF
} }
@@ -98,35 +89,16 @@ function zeek() {
-C -r /input.pcap local > $NSM_PATH/logs/console.log 2>&1 -C -r /input.pcap local > $NSM_PATH/logs/console.log 2>&1
} }
MORE_OPTIONS=1
while [[ $# -gt 0 && $MORE_OPTIONS -eq 1 ]]; do
arg="$1"
case "$arg" in
"--stop-curator" )
STOP_CURATOR=1
shift
;;
* )
if [[ "$arg" == "--"* ]]; then
echo "Invalid option"
usage
exit 1
else
MORE_OPTIONS=0
fi
esac
done
# if no parameters supplied, display usage # if no parameters supplied, display usage
if [ $# -eq 0 ]; then if [ $# -eq 0 ]; then
usage usage
exit 1 exit 1
fi fi
# ensure this is a manager node # ensure this is a sensor node
if [ ! -d /opt/so/conf/soc ]; then if [ ! -d /opt/so/conf/suricata ]; then
echo "This procedure must be run on a manager node." echo "This command must be run on a sensor node."
exit 2 exit 3
fi fi
# verify that all parameters are files # verify that all parameters are files
@@ -134,11 +106,13 @@ for i in "$@"; do
if ! [ -f "$i" ]; then if ! [ -f "$i" ]; then
usage usage
echo "\"$i\" is not a valid file!" echo "\"$i\" is not a valid file!"
exit 3 exit 2
fi fi
done done
if [[ $STOP_CURATOR -eq 1 ]]; then if ! [ -d /opt/so/conf/curator ]; then
echo "Curator is not installed on this node and cannot be stopped automatically."
else
echo -n "Stopping curator..." echo -n "Stopping curator..."
so-curator-stop > /dev/null 2>&1 so-curator-stop > /dev/null 2>&1
echo "Done" echo "Done"
@@ -246,8 +220,3 @@ From: $START_OLDEST To: $END_NEWEST
Please note that it may take 30 seconds or more for events to appear in Kibana. Please note that it may take 30 seconds or more for events to appear in Kibana.
EOF EOF
fi fi
if [[ $STOP_CURATOR -eq 1 ]]; then
echo ""
echo "CAUTION: Curator has been stopped. Use `so-curator-start` to start curator once the imported PCAP data is no longer needed.
fi
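Review bot: In the curator hunk, the new `else` branch discards both the output and the exit status of `so-curator-stop` and then unconditionally prints "Done", so a failed stop goes unnoticed even though the removed usage text itself states that imported older traffic will not be available for analysis while curator runs; the call should be checked, e.g. `so-curator-stop > /dev/null 2>&1 || { echo "Failed to stop curator; stop it manually before importing older traffic." >&2; exit 4; }` (4 chosen as a code the script does not already use). The `fi` closing this if/else lies outside the hunk. The last hunk drops the end-of-run CAUTION that curator remains stopped, while the new usage line only says it "will be automatically stopped"; since the script now stops curator on every run where it is installed, the reminder to run `so-curator-start` once the imported PCAP data is no longer needed should be kept in the final summary or added to the usage text so a production sensor is not left with curator disabled indefinitely. Note also that the sensor-node check and the invalid-file check now exit with swapped codes (3 and 2); if anything wraps this command, the usage text should document the exit codes it returns.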