How to analyze captured network traffic?


I have some network traffic in the following format:

Timestamp | Source | Destination | Protocol | Port | Payload | Payload Size

I am trying to determine if there are any known attacks in this traffic. For this, I was looking at some intrusion detection systems. It looks like both Snort and Bro require the dump to be a pcap file for further offline analysis. I looked up the documentation of both systems in detail but could not find any options for handling the data that I have.

Any suggestions on how to perform this analysis? Specifically, I am looking for one of the following:

  • Some pointers on how to directly use the systems to analyze this data in plain text
  • Tool to convert this data into a PCAP file that I can later use with the systems

There are 2 best solutions below

0
On

Have you looked into Security Onion? This does exactly what you are looking for (the flow data you are looking for, with Argus or Bro) and lets you pivot to the pcaps from those flows.

0
On

Bro provides a framework called Input Framework to "input data into bro".

You can specify which values should be read, what separator should be used and so on (options-reference). The input framework gives you the ability to read such ASCII files or use different readers (benchmark, binary, raw, sqlite).

You can for example use the RawReader to execute shell commands to convert the file or to send the result (stdout) to an event.
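As an added example (not code from the question or either answer), the stdlib-only Python script below takes rows in the question's pipe-delimited format and writes a libpcap file, wrapping each payload in synthetic Ethernet/IPv4/UDP-or-TCP headers so Snort or Bro can read it offline. It assumes the Payload column is plain text, invents a source port and zero MAC addresses (the rows carry neither), and uses constructed sample rows.

```python
import struct
import ipaddress
from datetime import datetime, timezone

# Constructed sample rows in the question's pipe-delimited format (not real traffic).
SAMPLE = """2015-03-01 12:00:00 | 10.0.0.5 | 10.0.0.9 | UDP | 53 | example | 7
2015-03-01 12:00:01 | 10.0.0.5 | 10.0.0.9 | TCP | 80 | GET / HTTP/1.0 | 14
"""
PROTO = {"TCP": 6, "UDP": 17}
SRC_PORT = 40000  # assumed: the rows carry one port, so the source port is invented

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def build_packet(src: str, dst: str, proto: str, port: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/{UDP,TCP} frame (zero MACs) carrying one row's payload, checksums valid."""
    sp, dp = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    if proto == "UDP":
        seg, off = struct.pack("!HHHH", SRC_PORT, port, 8 + len(payload), 0) + payload, 6
    else:  # minimal TCP: seq/ack 0, data offset 5, PSH|ACK, window 65535
        seg, off = struct.pack("!HHIIBBHHH", SRC_PORT, port, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload, 16
    pseudo = sp + dp + struct.pack("!BBH", 0, PROTO[proto], len(seg))
    csum = checksum(pseudo + seg) or 0xFFFF  # 0 means "no checksum" for UDP; send all-ones instead
    seg = seg[:off] + struct.pack("!H", csum) + seg[off + 2:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0, 0, 64, PROTO[proto], 0, sp, dp)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\x00" * 12 + b"\x08\x00" + ip + seg  # zero MACs, EtherType 0x0800 (IPv4)

def to_pcap(text: str) -> bytes:
    """Convert the pipe-delimited log to libpcap bytes (LINKTYPE_ETHERNET, microsecond timestamps)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for line in filter(str.strip, text.splitlines()):
        ts, src, dst, proto, port, rest = [f.strip() for f in line.split("|", 5)]
        payload, size = rest.rsplit("|", 1)  # rsplit keeps any '|' inside the payload intact
        payload = payload.strip().encode()  # assumed: the Payload column is plain text
        if len(payload) != int(size):
            raise ValueError("Payload Size column disagrees with payload: %r" % line)
        pkt = build_packet(src, dst, proto.upper(), int(port), payload)
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        out.append(struct.pack("<IIII", int(t.timestamp()), t.microsecond, len(pkt), len(pkt)) + pkt)
    return b"".join(out)
```

Write `to_pcap(open("traffic.txt").read())` to a `.pcap` file and pass it to `snort -r` or `bro -r`; because the TCP rows become lone segments with no handshake, stream-reassembly rules will not fire on them, only packet-level ones.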