diff --git a/capme/.inc/callback.php b/capme/.inc/callback.php
index 199cee3..f7f9c78 100644
--- a/capme/.inc/callback.php
+++ b/capme/.inc/callback.php
@@ -274,10 +274,33 @@ function invalid($string) {
}
$cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
- // The first time the pcap is requested, there is a race condition where DEBUG output may be inconsistent.
- // The second time the pcap is requested, the pcap is cached by sguild and DEBUG output is consistent.
+ // Request pcap/transcript.
exec("../.scripts/$cmd",$raw);
+
+ // If user requested the standard tcpflow transcript, check output
+ // for signs of gzip encoding. If found, resubmit using Bro.
+ $foundgzip=0;
+ if ($xscript == "tcpflow") {
+ foreach ($raw as $line) {
+ if (preg_match("/^DST: Content-Encoding: gzip/i", $line)) {
+ $foundgzip=1;
+ }
+ }
+ }
+
+ // Initialize $raw before requesting pcap again.
$raw="";
+
+ // If we found gzip encoding, then request Bro transcript.
+ if ($foundgzip==1) {
+ $script = "cliscriptbro.tcl";
+ $cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
+ $fmtd .= "CAPME: Detected gzip encoding.";
+ $fmtd .= "CAPME: Automatically switched to Bro transcript.";
+ }
+
+ // Request pcap/transcript.
+ // Always request pcap a second time to ensure consistent DEBUG output.
exec("../.scripts/$cmd",$raw);
// To handle large pcaps more gracefully, we now only render 1000 lines of output by default.
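Review bot: The two lines appended in the gzip branch, `$fmtd .= "CAPME: Detected gzip encoding.";` and `$fmtd .= "CAPME: Automatically switched to Bro transcript.";`, carry no trailing newline, unlike every other `CAPME:` message in this file (the second hunk embeds a literal newline in each string), so the two notices will run together on one line and straight into the transcript that follows; end each with `\n`. The rebuilt `$cmd` in that same branch repeats the context-line construction above the first `exec()`, interpolating `$sensor`, `$usr`, `$pwd` and the other values into a single-quoted shell string, so the shell command is only as safe as whatever `invalid()` checked earlier (outside this hunk); building the argument string once with `escapeshellarg()` per value and reusing it in both places removes the duplication and that dependency, and the fallback then only has to swap `$script` (passing the sguild password via `-pw` on the command line also leaves it readable in the process list, which this change inherits rather than introduces). The `$raw=""` reset between the two calls relies on `exec()` re-initialising a non-array output argument rather than appending; `$raw = [];` states the intent directly. The identical hunk is carried in the new quilt patch under debian/patches and needs the same fixes.
```php
// Build the argument list once, quoting each value, so the Bro fallback only swaps the script.
$args = implode(' ', [
    '-sid', escapeshellarg($sid), '-sensor', escapeshellarg($sensor), '-timestamp', escapeshellarg($st),
    '-u', escapeshellarg($usr), '-pw', escapeshellarg($pwd),
    '-sip', escapeshellarg($sip), '-spt', escapeshellarg($spt), '-dip', escapeshellarg($dip), '-dpt', escapeshellarg($dpt),
]);
$cmd = "$script $args";
// … unchanged: first exec, gzip detection, $raw reset …
if ($foundgzip==1) {
    $script = "cliscriptbro.tcl";
    $cmd = "$script $args";
    $fmtd .= "CAPME: Detected gzip encoding.\n";
    $fmtd .= "CAPME: Automatically switched to Bro transcript.\n";
}
```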
@@ -307,11 +330,11 @@ function invalid($string) {
// If we exceeded $maxoutputlines, notify the user and recommend downloading the pcap.
if ($outputlines >= $maxoutputlines) {
- $fmtd .= "===========================================================
";
- $fmtd .= "CAPME: Only showing the first $maxoutputlines lines.
";
- $fmtd .= "CAPME: This pcap has a total of $outputlines lines.
";
+ $fmtd .= "=================================================================
";
+ $fmtd .= "CAPME: Only showing the first $maxoutputlines lines of transcript output.
";
+ $fmtd .= "CAPME: This transcript has a total of $outputlines lines.
";
$fmtd .= "CAPME: To see the entire stream, you can download the pcap using the link below.
";
- $fmtd .= "===========================================================
";
+ $fmtd .= "=================================================================
";
}
// default to sending transcript
diff --git a/debian/changelog b/debian/changelog
index c364dbf..c181048 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+securityonion-capme (20121213-0ubuntu0securityonion39) trusty; urgency=medium
+
+ * Issue 916: CapMe: Check for gzip encoding and automatically switch to Bro transcript
+
+ -- Doug Burks Sat, 14 May 2016 07:54:51 -0400
+
securityonion-capme (20121213-0ubuntu0securityonion38) trusty; urgency=medium
* issues 736 and 738
diff --git a/debian/patches/Issue-916:-CapMe:-Check-for-gzip-encoding-and-automatically-switch-to-Bro-transcript b/debian/patches/Issue-916:-CapMe:-Check-for-gzip-encoding-and-automatically-switch-to-Bro-transcript
new file mode 100644
index 0000000..7ddd317
--- /dev/null
+++ b/debian/patches/Issue-916:-CapMe:-Check-for-gzip-encoding-and-automatically-switch-to-Bro-transcript
@@ -0,0 +1,79 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-capme (20121213-0ubuntu0securityonion39) trusty; urgency=medium
+ .
+ * Issue 916: CapMe: Check for gzip encoding and automatically switch to Bro transcript
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-capme-20121213.orig/capme/.inc/callback.php
++++ securityonion-capme-20121213/capme/.inc/callback.php
+@@ -274,10 +274,33 @@ if ($err == 1) {
+ }
+ $cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
+
+- // The first time the pcap is requested, there is a race condition where DEBUG output may be inconsistent.
+- // The second time the pcap is requested, the pcap is cached by sguild and DEBUG output is consistent.
++ // Request pcap/transcript.
+ exec("../.scripts/$cmd",$raw);
++
++ // If user requested the standard tcpflow transcript, check output
++ // for signs of gzip encoding. If found, resubmit using Bro.
++ $foundgzip=0;
++ if ($xscript == "tcpflow") {
++ foreach ($raw as $line) {
++ if (preg_match("/^DST: Content-Encoding: gzip/i", $line)) {
++ $foundgzip=1;
++ }
++ }
++ }
++
++ // Initialize $raw before requesting pcap again.
+ $raw="";
++
++ // If we found gzip encoding, then request Bro transcript.
++ if ($foundgzip==1) {
++ $script = "cliscriptbro.tcl";
++ $cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
++ $fmtd .= "CAPME: Detected gzip encoding.";
++ $fmtd .= "CAPME: Automatically switched to Bro transcript.";
++ }
++
++ // Request pcap/transcript.
++ // Always request pcap a second time to ensure consistent DEBUG output.
+ exec("../.scripts/$cmd",$raw);
+
+ // To handle large pcaps more gracefully, we now only render 1000 lines of output by default.
+@@ -307,11 +330,11 @@ if ($err == 1) {
+
+ // If we exceeded $maxoutputlines, notify the user and recommend downloading the pcap.
+ if ($outputlines >= $maxoutputlines) {
+- $fmtd .= "===========================================================
";
+- $fmtd .= "CAPME: Only showing the first $maxoutputlines lines.
";
+- $fmtd .= "CAPME: This pcap has a total of $outputlines lines.
";
++ $fmtd .= "=================================================================
";
++ $fmtd .= "CAPME: Only showing the first $maxoutputlines lines of transcript output.
";
++ $fmtd .= "CAPME: This transcript has a total of $outputlines lines.
";
+ $fmtd .= "CAPME: To see the entire stream, you can download the pcap using the link below.
";
+- $fmtd .= "===========================================================
";
++ $fmtd .= "=================================================================
";
+ }
+
+ // default to sending transcript
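Review bot: The DEP-3 header of this new patch file is still the unfilled template: `Description:` is empty, the paragraph beneath it is the `TODO: Put a short summary on the line above…` placeholder, and `Origin: ,`, `Bug:`, `Forwarded:`, `Reviewed-By:` and `Last-Update:` after the `---` separator are blank. Put a one-line summary on the `Description:` line, e.g. `Description: CapMe: check tcpflow output for gzip encoding and fall back to the Bro transcript`, keep the changelog excerpt if it is useful, and drop the template instructions and empty fields, since text after `---` is free-form and not parsed. The embedded hunk is the same change made to capme/.inc/callback.php in this commit, so any fix applied there has to be carried into this patch as well.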
diff --git a/debian/patches/series b/debian/patches/series
index 737f236..4594d88 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,3 +26,4 @@ package-PR-#13
-Issue-736:-CapMe:-Debug-information-occasionally-gets-rendered-inside-the-transcript
previous-fix-didn't-work,-try-pingpong
issues-736-and-738
+Issue-916:-CapMe:-Check-for-gzip-encoding-and-automatically-switch-to-Bro-transcript