Issue-916:-CapMe:-Check-for-gzip-encoding-and-automatically-switch-to-Bro-transcript

Description: <short summary of the patch>
 TODO: Put a short summary on the line above and replace this paragraph
 with a longer explanation of this change. Complete the meta-information
 with other relevant fields (see below for details). To make it easier, the
 information below has been extracted from the changelog. Adjust it or drop
 it.
 .
 securityonion-capme (20121213-0ubuntu0securityonion39) trusty; urgency=medium
 .
   * Issue 916: CapMe: Check for gzip encoding and automatically switch to Bro transcript
Author: Doug Burks <doug.burks@gmail.com>

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>

--- securityonion-capme-20121213.orig/capme/.inc/callback.php
+++ securityonion-capme-20121213/capme/.inc/callback.php
@@ -274,10 +274,33 @@ if ($err == 1) {
     }
     $cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
 
-    // The first time the pcap is requested, there is a race condition where DEBUG output may be inconsistent.
-    // The second time the pcap is requested, the pcap is cached by sguild and DEBUG output is consistent.
+    // Request pcap/transcript.
     exec("../.scripts/$cmd",$raw);
+
+    // If user requested the standard tcpflow transcript, check output
+    // for signs of gzip encoding.  If found, resubmit using Bro.
+    $foundgzip=0;
+    if ($xscript == "tcpflow") {
+	foreach ($raw as $line) {
+		if (preg_match("/^DST: Content-Encoding: gzip/i", $line)) {
+			$foundgzip=1;
+		}
+	}
+    }
+
+    // Initialize $raw before requesting pcap again.
     $raw="";
+
+    // If we found gzip encoding, then request Bro transcript.
+    if ($foundgzip==1) {
+	$script = "cliscriptbro.tcl";
+	$cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
+	$fmtd .= "<span class=txtext_hdr>CAPME: Detected gzip encoding.</span>";
+	$fmtd .= "<span class=txtext_hdr>CAPME: Automatically switched to Bro transcript.</span>";
+    }
+
+    // Request pcap/transcript.
+    // Always request pcap a second time to ensure consistent DEBUG output.
     exec("../.scripts/$cmd",$raw);
 
     // To handle large pcaps more gracefully, we now only render 1000 lines of output by default.
@@ -307,11 +330,11 @@ if ($err == 1) {
 
     // If we exceeded $maxoutputlines, notify the user and recommend downloading the pcap.
     if ($outputlines >= $maxoutputlines) {
-	$fmtd .= "===========================================================<br>";
-	$fmtd .= "CAPME: Only showing the first $maxoutputlines lines.<br>";
-	$fmtd .= "CAPME: This pcap has a total of $outputlines lines.<br>";
+	$fmtd .= "=================================================================<br>";
+	$fmtd .= "CAPME: Only showing the first $maxoutputlines lines of transcript output.<br>";
+	$fmtd .= "CAPME: This transcript has a total of $outputlines lines.<br>";
 	$fmtd .= "CAPME: To see the entire stream, you can download the pcap using the link below.<br>";
-	$fmtd .= "===========================================================<br>";
+	$fmtd .= "=================================================================<br>";
     }
 
     // default to sending transcript