Automating PCAP Parsing with Linux CLI, Bash & Security Onion

Source: https://dribbble.com/shots/11988083-Server-Icons

Introduction

Zeek — Formally Bro

CLI Aliases

ParseFiles — Simply parses out all files

SuspUA — This will parse out User Agents so you can spot anomalous ones

Bash scripts

Note: CD to the directory where your PCAP is first...
REM@remnux: so-import-pcap incident123.pcap
REM@remnux: bro -Cr incident123.pcap
REM@remnux: chmod +x quick.sh
REM@remnux: ./quick.sh
#!/usr/bin/env bash#Gives you a quick view of user agents to potentially spot something anomalous
SuspUA(){
cat http.log | bro-cut user_agent | sort -u > UniqueUserAgents.txt
}#This is the file parser, it simply gives you a list of files, along with source, destination etc. You will only get a filename if it was available. SourceIP is the first column!
ParseFiles() {
cat files.log | bro-cut tx_hosts rx_hosts mime_type filename | grep -E -v 'application/x-x509-user-cert|application/x-x509-ca-cert|application/ocsp-response|application/font-woff2' > FileList.txt
}#ExtInbIPAddr will give you a list of unique external source (inbound) IP's and Ports
ExtInbIPAddr() {
cat conn.log | bro-cut id.orig_h proto service | grep -E -v '10.*.|192.168.*.|172.16.*.' | sort -u > ExtInbIPAddrs.txt
}#ExtOutbIPAddr will give you a list of unique external destination (outbound) IP's and Ports
ExtOutbIPAddr() {
cat conn.log | bro-cut id.resp_h id.resp_p proto service | grep -E -v '10.*.|192.168.*.|172.16.*.' | sort -u >ExtOutbIPAddrs.txt
}SuspUA
ParseFiles
ExtInbIPAddr
ExtOutbIPAddr

Make your own Bro Aliases and Scripts

Twitter: @mikecybersec