I'm experimenting with your latest code from github and am especially excited about being able to get transcripts for TCP streams that span multiple pcap files (23e40a8)!
However, if I take a fresh database and immediately generate some alerts and then pivot to transcript, I get an error like this:
$start_secs is the timestamp of the alert minus 120 seconds and I don't have any pcap files with a timestamp less than that:
I think this is somewhat of a corner case and should really only happen within the first 2 minutes of starting Sguil. I suppose I could shorten $BACK_SECONDS to something smaller like 60 to decrease the likelihood of a user running into this. But I'm wondering if it might be better to add some code here: https://github.com/bammv/sguil/blob/master/sensor/pcap_agent.tcl#L349
to check and see if $start_file is null and, if so, set it to the earliest pcap available.
Any thoughts?
Thanks!
There is also an issue with pulling pcap/transcript for alerts that come in at 0000. The $start_file error will also occur in a scenario where the back occurs in the previous day. I haven't had a chance to mock up anything to address the previous day issue but would be curious what you have in mind for this @dougburks or @bammv
Hi Bamm,
If I'm reading the code correctly:
https://github.com/bammv/sguil/blob/master/sensor/pcap_agent.tcl#L354
https://github.com/bammv/sguil/blob/master/sensor/pcap_agent.tcl#L341-L346
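The fallback proposed in this issue, combined with the previous-day case raised in the comment, as an added example that is not Sguil's own code. It assumes each pcap file name ends in the epoch second at which the capture file was opened; the proc names, the sample paths and the 120-second look-ahead are hypothetical.

```tcl
# Added example, not Sguil code. Assumption: pcap names end in ".<epoch>".

# Return the epoch suffix of a pcap file name, or "" if it has none.
proc PcapEpoch { path } {
    if { [regexp {\.([1-9]\d*)$} [file tail $path] -> epoch] } {
        return $epoch
    }
    return ""
}

# Return the files needed to cover startSecs..endSecs, oldest first.
# files may come from several daily directories: ordering uses the epoch
# suffix only, so a look-back that crosses midnight still finds its file.
proc SelectPcaps { files startSecs endSecs } {
    set pairs {}
    foreach f $files {
        set e [PcapEpoch $f]
        if { $e ne "" } { lappend pairs [list $e $f] }
    }
    if { [llength $pairs] == 0 } { return {} }
    set pairs [lsort -integer -index 0 $pairs]

    # Index of the last file opened at or before startSecs.
    set startIdx -1
    set i 0
    foreach p $pairs {
        if { [lindex $p 0] <= $startSecs } { set startIdx $i }
        incr i
    }
    # Corner case from the issue: no file predates startSecs (fresh
    # sensor), so start from the earliest capture instead of failing.
    if { $startIdx < 0 } { set startIdx 0 }

    set out {}
    foreach p [lrange $pairs $startIdx end] {
        if { [lindex $p 0] > $endSecs } { break }
        lappend out [lindex $p 1]
    }
    return $out
}

# Constructed sample: an alert 30 seconds after midnight UTC.
set files {/pcap/2024-01-02/snort.log.1704153600 /pcap/2024-01-01/snort.log.1704150000}
set alert 1704153630
puts [SelectPcaps $files [expr {$alert - 120}] [expr {$alert + 120}]]
# Constructed sample: fresh sensor whose only file is newer than the look-back.
puts [SelectPcaps [lrange $files 0 0] [expr {$alert - 120}] [expr {$alert + 120}]]
```

An empty result means no capture overlaps the requested window, which a caller can report to the analyst rather than passing an empty file name downstream.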