pcap_iterator.sh
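#!/bin/bash
# (C)2020 Lewes Technology Consulting, LLC
# This script will traverse a directory tree full of pcap files and run a set
# of commands against each pcap file.
# As distributed, it's designed to handle the capstone data in FOR572, but you
# can adjust it as needed for other situations.
#
# Usage: pcap_iterator.sh
#   SOURCE_PCAPS and DEST_DIR_ROOT may be exported in the environment to
#   override the defaults assigned below.
#
# -e is deliberately NOT set: one tool failing on one pcap should not abort the
# whole batch. -u turns a forgotten variable assignment (e.g. TRAFFIC_TYPE) into
# an error instead of silently producing a malformed output path.
set -uo pipefail

# Set these two variables as needed (or export them before running). Be
# mindful of the space available in $DEST_DIR_ROOT, as the commands below may
# require a LOT of disk space.
SOURCE_PCAPS=${SOURCE_PCAPS:-/path/to/source/pcaps/}
DEST_DIR_ROOT=${DEST_DIR_ROOT:-/cases/for572/capstone/}

#######################################
# Run the enabled processing commands against one pcap file.
# Uncomment one or more of the annotated sections in the body, then run the
# script.
# Globals:   SOURCE_PCAPS (read), DEST_DIR_ROOT (read)
# Arguments: $1 - path of a pcap file below $SOURCE_PCAPS, as printed by find
# Outputs:   a progress line on stdout; tool output under $DEST_DIR_ROOT
# Returns:   0 on success, 1 if the per-file output directory cannot be
#            created (or, once enabled, entered for Zeek)
#######################################
process_pcap() {
  local src_file=$1
  local rel directory filename dest_dir

  echo
  printf '%s\n' "- processing ${src_file}"

  # Path of the pcap relative to the source root. The prefix is quoted so a
  # root containing glob characters is matched literally, and a leading slash
  # is dropped so the result is the same whether or not $SOURCE_PCAPS ends
  # in '/'.
  rel=${src_file#"${SOURCE_PCAPS}"}
  rel=${rel#/}
  directory=$(dirname -- "${rel}")
  filename=$(basename -- "${src_file}")
  dest_dir=${DEST_DIR_ROOT}/${directory}

  # mkdir -p is a no-op on an existing directory, so no -d test is needed;
  # skip this file if its output location cannot be created.
  if ! mkdir -p -- "${dest_dir}"; then
    printf 'cannot create %s, skipping %s\n' "${dest_dir}" "${src_file}" >&2
    return 1
  fi

  # NOTE(review): the rendered source showed "$(unknown)" where the per-file
  # name belongs in the templates below; ${filename} (assigned above and
  # otherwise unused) is the evident intent — confirm against the original.

  ###### TCPDUMP ######
  # Uncomment the following four commands.
  # Change the following two variable assignments to reflect the pcap
  # reduction you require
  # $TRAFFIC_TYPE is a cosmetic label that will be prepended to the output
  # filenames
  # $BPF is the filter to apply. Be careful, as this could result in a LOT
  # of space. tcpdump joins its trailing arguments into one expression, so the
  # filter is passed as a single quoted argument.
  # After running this sequence, you will likely want to use mergecap or
  # something similar to unify the resulting files.
  #TRAFFIC_TYPE=NFURY_MYSQL
  #BPF='host 172.16.7.15 and tcp and port 3306'
  #mkdir -p -- "${dest_dir}/tcpdump_reduced"
  #tcpdump -n -s 0 -r "${src_file}" -w "${dest_dir}/tcpdump_reduced/${TRAFFIC_TYPE}_${filename}" "${BPF}"

  ###### ZEEK ######
  # Uncomment the following two commands to create an output directory for
  # each input pcap file, as required for Zeek processing. The cd is checked
  # so that Zeek never writes its logs into whatever directory the script
  # happens to be in when the mkdir failed.
  #mkdir -p -- "${dest_dir}/zeek_output/${filename}"
  #cd -- "${dest_dir}/zeek_output/${filename}" || return 1
  # Uncomment this command to process with Zeek, using the for572 policy
  #zeek for572 -r "${src_file}"
  # Uncomment this command to process with Zeek, using the for572-allfiles
  # policy
  # This will take a LONG time and require a LOT of disk space! You probably
  # DO NOT want to do this to ALL the capstone pcaps!!
  #zeek for572-allfiles -r "${src_file}"

  ###### PASSIVEDNS ######
  # Uncomment this one command to process with passivedns
  # This is a pretty manageable process
  #passivedns -r "${src_file}" -l "${dest_dir}/passivedns.txt" -L "${dest_dir}/passivedns_nxdomain.txt"

  ###### NFCAPD ######
  # Uncomment these two commands to process with nfpcapd
  # This is not needed for the FOR572 capstone, as you've been provided with
  # NetFlow that covers well beyond the pcap data, but the command is here
  # for your reference and future use as needed
  #mkdir -p -- "${dest_dir}/netflow/${filename}"
  #nfpcapd -r "${src_file}" -S 1 -z -l "${dest_dir}/netflow/${filename}"

  return 0
}

#######################################
# Walk $SOURCE_PCAPS and hand every regular file to process_pcap.
# Paths are NUL-delimited so names containing whitespace, quotes or glob
# characters are passed through intact rather than word-split. find -L follows
# symbolic links, so a link inside the tree pulls in whatever it points at.
# Globals:   SOURCE_PCAPS (read)
# Arguments: none (positional parameters are ignored)
# Returns:   status of the last process_pcap call, 0 if no files were found
#######################################
main() {
  local src_file
  while IFS= read -r -d '' src_file; do
    process_pcap "${src_file}"
  done < <(find -L "${SOURCE_PCAPS}" -type f -print0)
}

main "$@"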