Import pcap files into Qradar

View Only

Expand all | Collapse all

Jump to Best Answer

1. Import pcap files into Qradar

0 Like
Davide Salardi
Posted Fri November 24, 2023 11:58 AM

Reply
Hello,

one of our customers asked if it is possible to ingest traffic data from a pcap file into Qradar.

We have an event\flow processor so he is expecting to see this data in the flow activity; is it possible to import this kind of data into Qradar without Network Packet Capture or Qradar Incident Forensics? We are running Qradar 7.5.0.3 (soon we will update to 7.5.0.7).

B Regards,

Davide

------------------------------
Davide Salardi
------------------------------
2. RE: Import pcap files into Qradar

0 Like
Comghall Morgan
Posted Mon November 27, 2023 07:51 AM

Reply
Hello,

My undersatnding is that you will need to use a QIF to accomplish this requirement.

Regards,

------------------------------
Comghall Morgan
QRadar Support Architect
IBM
------------------------------

Original Message
3. RE: Import pcap files into Qradar

0 Like
Davide Salardi
Posted Mon November 27, 2023 09:15 AM

Reply
Thanks for your reply, we are discussing it also with our pre-sale specialists.

Is QIF a separated appliance (like QNI) or is an app extension that could be installed on an existing deployment?

B Regards,

Davide

------------------------------
Davide Salardi
------------------------------

Original Message
4. RE: Import pcap files into Qradar

1 Like
Comghall Morgan
Posted Mon November 27, 2023 10:33 AM

Reply
It is a separate appliance.

Please review the Install guide link below:

https://www.ibm.com/docs/en/SS42VS_7.5/pdf/b_forensics_ig.pdf

------------------------------
Comghall Morgan
QRadar Support Architect
IBM
------------------------------

Original Message
5. RE: Import pcap files into Qradar

1 Like
IBM Champion

Karl Jaeger
Posted Tue November 28, 2023 11:35 AM

Reply
Davide,

ingesting pcap is very easy and part of our bootcamp. No extra appliance needed at all.

You may have to install tcpreplay on your testmachine. An AIO may do the trick, just configure a monitor flow source. Here is a sample output from one of our labs:

------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
------------------------------

Original Message
6. RE: Import pcap files into Qradar
Best Answer

0 Like
Comghall Morgan
Posted Wed November 29, 2023 05:48 AM

Reply
Hello,

My understanding was that tis was to ingest for a production enviornment.

As Karl has stated and thank you Karl, you can utilise tcpreplay to ingest pcaps as a test or within test environments.

Though my issue was that the tcpreplay rpm is not installed by deafult on a QRadar sysyem and why I stated the only supported method is using the additonal appliance for a production environnment.

Though if this is for a test or proof of concept then yes I see this as a valid method.

Regards,

------------------------------
Comghall Morgan
QRadar Support Architect
IBM
------------------------------

Original Message
7. RE: Import pcap files into Qradar

0 Like
Davide Salardi
Posted Tue December 05, 2023 10:29 AM

Reply
Hello,

thanks for your explanation.

We already have a flow source configured on the target machine, it is still not so clear to us what our customer wants to achieve with this..we will be discussing the topic in detail with him.

We have not deployed a QNI or QIF but only an event\flow processor, so I suppose the source .pcap file should already contain netflow\sFlow traffic because this is the only type of traffic that a flow processor can ingest.

B Regards,

Davide

------------------------------
Davide Salardi
------------------------------

Original Message
8. RE: Import pcap files into Qradar

0 Like
Davide Salardi
Posted Fri May 31, 2024 08:57 AM

Reply
Hello,

after a while we are again evaluating this option..the point that I do not get completely is how the data contained in the .pcap file will be replayed: If we install and run tcpreplay, this will provide the output as a flow data (from an external .pcap that the customer will provide us from his PaloAlto firewalls) in "flow search" tab?

We would like to run tcpreplay on a event\flow processor, we do not have any QNI or QIF additional appliance.

Thanks,

------------------------------
Davide Salardi
------------------------------

Original Message

IBM Security

Join our 16,000+ members as we work together to overcome the toughest challenges of cybersecurity.

IBM Security QRadar

Import pcap files into Qradar

Davide SalardiFri November 24, 2023 11:58 AM

Comghall MorganMon November 27, 2023 07:51 AM

Davide SalardiMon November 27, 2023 09:15 AM

Comghall MorganMon November 27, 2023 10:33 AM

Karl JaegerTue November 28, 2023 11:35 AM

Comghall MorganWed November 29, 2023 05:48 AMBest Answer

Davide SalardiTue December 05, 2023 10:29 AM

Davide SalardiFri May 31, 2024 08:57 AM

1. Import pcap files into Qradar

2. RE: Import pcap files into Qradar

3. RE: Import pcap files into Qradar

4. RE: Import pcap files into Qradar

5. RE: Import pcap files into Qradar

6. RE: Import pcap files into Qradar Best Answer

7. RE: Import pcap files into Qradar

8. RE: Import pcap files into Qradar

Join our 16,000+ members as we work together to
overcome the toughest challenges of cybersecurity.

6. RE: Import pcap files into Qradar
Best Answer