Package label, v0.6.11

This package is not in the latest version of its module.

Published: Jan 30, 2022 License: BSD-3-Clause, GPL-3.0 Imports: 6 Imported by: 0

README

NET.LABEL

net label is a command-line tool that applies classification labels to netcap audit records.

Description

The alerts come from Suricata: the input pcap file is scanned with Suricata, and netcap parses the Suricata output and maps each alert to the previously generated netcap audit records. A labeled comma-separated values (CSV) file is generated for each audit record type.

Read more about this tool in the documentation: https://docs.netcap.io

Usage examples

Scan the input pcap and create labeled CSV files by mapping the audit records in the current directory:

$ net label -read traffic.pcap

Scan the input pcap and create labeled CSV files by mapping the audit records in the output directory:

$ net label -read traffic.pcap -out output_dir

Abort if there is more than one alert for the same timestamp:

$ net label -read traffic.pcap -strict

Display a progress bar while processing the input (experimental):

$ net label -read traffic.pcap -progress

Append the classifications of alerts with duplicate timestamps to the generated label:

$ net label -read traffic.pcap -collect

Help

$ net label -h
                       / |
 _______    ______   _10 |_     _______   ______    ______
/     / \  /    / \ / 01/  |   /     / | /    / \  /    / \
0010100 /|/011010 /|101010/   /0101010/  001010  |/100110  |
01 |  00 |00    00 |  10 | __ 00 |       /    10 |00 |  01 |
10 |  01 |01001010/   00 |/  |01 \_____ /0101000 |00 |__10/|
10 |  00 |00/    / |  10  00/ 00/    / |00    00 |00/   00/
00/   10/  0101000/    0010/   0010010/  0010100/ 1010100/
                                                  00 |
Network Protocol Analysis Framework               00 |
created by Philipp Mieden, 2018                   00/
v0.5

label tool usage examples:
        $ net label -read traffic.pcap
        $ net label -read traffic.pcap -out output_dir
        $ net label -read taffic.pcap -progress
        $ net label -read taffic.pcap -collect

  -collect=false: append classifications from alert with duplicate timestamps to the generated label
  -config="": read configuration from file at path
  -custom="": use custom mappings at path
  -debug=false: toggle debug mode
  -description=false: use attack description instead of classification for labels
  -disable-layers=false: do not map layer types by timestamp
  -exclude="": specify a comma separated list of suricata classifications that shall be excluded from the generated labeled csv
  -gen-config=false: generate config
  -out="": specify output directory, will be created if it does not exist
  -progress=false: use progress bars
  -read="": use specified pcap file to scan with suricata
  -sep=",": set separator string for csv output
  -strict=false: fail when there is more than one alert for the same timestamp
  -suricata-config="/usr/local/etc/suricata/suricata.yaml": set the path to the suricata config file
  -version=false: print netcap package version and exit
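The mapping step described above, with the -strict, -collect, -description and -exclude semantics from the flag list, as an added illustration that is not netcap's own code. It assumes Suricata's EVE JSON output (one event per line) with alert.category as the classification and alert.signature as the attack description; the result maps each alert timestamp to the label an audit record with that timestamp would receive.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// eveAlert is the subset of a Suricata EVE JSON alert event used here (assumed layout).
type eveAlert struct {
	Timestamp string `json:"timestamp"`
	EventType string `json:"event_type"`
	Alert     struct {
		Signature string `json:"signature"` // label used with -description
		Category  string `json:"category"`  // the classification, the default label
	} `json:"alert"`
}

// Options models the -strict, -collect, -description and -exclude flags.
type Options struct {
	Strict, Collect, Description bool
	Exclude                      map[string]bool // classifications to drop
}

// LabelsByTimestamp maps each alert timestamp to the label for audit records at that time.
func LabelsByTimestamp(eve string, opt Options) (map[string]string, error) {
	labels := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(eve), "\n") {
		var a eveAlert
		if err := json.Unmarshal([]byte(line), &a); err != nil {
			return nil, fmt.Errorf("parse EVE line: %w", err)
		}
		if a.EventType != "alert" || opt.Exclude[a.Alert.Category] {
			continue // not an alert, or an excluded classification
		}
		label := a.Alert.Category
		if opt.Description {
			label = a.Alert.Signature
		}
		if prev, dup := labels[a.Timestamp]; dup && opt.Strict {
			return nil, fmt.Errorf("strict: more than one alert at %s", a.Timestamp)
		} else if dup && opt.Collect {
			label = prev + " | " + label // -collect: append classifications
		} else if dup {
			label = prev // default: keep the first alert's label
		}
		labels[a.Timestamp] = label
	}
	return labels, nil
}
```

The block is a package body without a main; call LabelsByTimestamp from a test or a main of your own with the EVE JSON text as input.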

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Flags

func Flags() (flags []string)

Flags returns all flags.

func Run

func Run()

Run parses the subcommand flags and handles the arguments.

Types

This section is empty.
