This repository has been archived by the owner on Apr 19, 2021. It is now read-only.
/
Issue-916:-CapMe:-Check-for-gzip-encoding-and-automatically-switch-to-Bro-transcript
79 lines (72 loc) · 3.64 KB
/
Issue-916:-CapMe:-Check-for-gzip-encoding-and-automatically-switch-to-Bro-transcript
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
Description: <short summary of the patch>
TODO: Put a short summary on the line above and replace this paragraph
with a longer explanation of this change. Complete the meta-information
with other relevant fields (see below for details). To make it easier, the
information below has been extracted from the changelog. Adjust it or drop
it.
.
securityonion-capme (20121213-0ubuntu0securityonion39) trusty; urgency=medium
.
* Issue 916: CapMe: Check for gzip encoding and automatically switch to Bro transcript
Author: Doug Burks <doug.burks@gmail.com>
---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:
Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>
--- securityonion-capme-20121213.orig/capme/.inc/callback.php
+++ securityonion-capme-20121213/capme/.inc/callback.php
@@ -274,10 +274,33 @@ if ($err == 1) {
}
$cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
- // The first time the pcap is requested, there is a race condition where DEBUG output may be inconsistent.
- // The second time the pcap is requested, the pcap is cached by sguild and DEBUG output is consistent.
+ // Request pcap/transcript.
exec("../.scripts/$cmd",$raw);
+
+ // If user requested the standard tcpflow transcript, check output
+ // for signs of gzip encoding. If found, resubmit using Bro.
+ $foundgzip=0;
+ if ($xscript == "tcpflow") {
+ foreach ($raw as $line) {
+ if (preg_match("/^DST: Content-Encoding: gzip/i", $line)) {
+ $foundgzip=1;
+ }
+ }
+ }
+
+ // Initialize $raw before requesting pcap again.
$raw="";
+
+ // If we found gzip encoding, then request Bro transcript.
+ if ($foundgzip==1) {
+ $script = "cliscriptbro.tcl";
+ $cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
+ $fmtd .= "<span class=txtext_hdr>CAPME: Detected gzip encoding.</span>";
+ $fmtd .= "<span class=txtext_hdr>CAPME: Automatically switched to Bro transcript.</span>";
+ }
+
+ // Request pcap/transcript.
+ // Always request pcap a second time to ensure consistent DEBUG output.
exec("../.scripts/$cmd",$raw);
// To handle large pcaps more gracefully, we now only render 1000 lines of output by default.
@@ -307,11 +330,11 @@ if ($err == 1) {
// If we exceeded $maxoutputlines, notify the user and recommend downloading the pcap.
if ($outputlines >= $maxoutputlines) {
- $fmtd .= "===========================================================<br>";
- $fmtd .= "CAPME: Only showing the first $maxoutputlines lines.<br>";
- $fmtd .= "CAPME: This pcap has a total of $outputlines lines.<br>";
+ $fmtd .= "=================================================================<br>";
+ $fmtd .= "CAPME: Only showing the first $maxoutputlines lines of transcript output.<br>";
+ $fmtd .= "CAPME: This transcript has a total of $outputlines lines.<br>";
$fmtd .= "CAPME: To see the entire stream, you can download the pcap using the link below.<br>";
- $fmtd .= "===========================================================<br>";
+ $fmtd .= "=================================================================<br>";
}
// default to sending transcript