QRadar

Expand all | Collapse all

Command to push flow /pcap files into QRadar

  • 1.  Command to push flow /pcap files into QRadar

    Posted 13 days ago
    Hi All,
    Did anyone try pushing flow data or Pcap files into QRadar?

    I understood we can use "tcpreplay" command to do so ,Looks like the command is not avaliable in  7.2.8,7.3.1,7.3.2 ,When i tried installing tcpreplay directly through SSH , its asking me to install some dependent files, but i was not successful in doing so.

    Can someone help me with the steps to configure tcpreplay on my QRadar ,if you have?

    ------------------------------
    Jabez Daniel
    ------------------------------


  • 2.  RE: Command to push flow /pcap files into QRadar

    Posted 10 days ago
    Edited by Pascal Weber 10 days ago
    Hello @Jabez Daniel,

    Yes.

    Don't install it on a production environment, but on a separate Linux VM to do your tests.

    On your QRadar Community Edition or Linux CentOS distro you can get tcpreplay from the EPEL repo.

    Just do :

    [root@qradarCE ~] yum --enablerepo=extras install epel-release
    [root@qradarCE ~]# yum install tcpreplay


    This will install tcpdump and tcpreplay on your Linux Centos Qradar CE.

    For information EPEL (Extra Packages for Enterprise Linux) is open source and free community based repository project from Fedora team. This is for RHEL, CentOS, and Scientific Linux.

    Epel project is not a part of RHEL/Cent OS but it is designed for these Linux distributions by providing lots of open source packages like networking, sys admin, programming, monitoring and so on.

    Most of the epel packages are maintained by Fedora repo.


    I have published some complementary notes (data bank etc..) about it a few time ago about tcpreplay, look at the answer :

    https://developer.ibm.com/answers/questions/446240/replay-network-flows-on-qradar-devtest-instance/

    Hope this help,
    Regards,

    @zoldax​​

    Original Message:
    Sent: Wed November 06, 2019 08:28 AM
    From: Jabez Daniel
    Subject: Command to push flow /pcap files into QRadar

    Hi All,
    Did anyone try pushing flow data or Pcap files into QRadar?

    I understood we can use "tcpreplay" command to do so ,Looks like the command is not avaliable in  7.2.8,7.3.1,7.3.2 ,When i tried installing tcpreplay directly through SSH , its asking me to install some dependent files, but i was not successful in doing so.

    Can someone help me with the steps to configure tcpreplay on my QRadar ,if you have?

    ------------------------------
    Jabez Daniel
    ------------------------------