can't read "start_file": no such variable

[dougburks]

Hi Bamm,

I'm experimenting with your latest code from github and am especially excited about being able to get transcripts for TCP streams that span multiple pcap files (23e40a8)!

However, if I take a fresh database and immediately generate some alerts and then pivot to transcript, I get an error like this:

If I'm reading the code correctly:

• Looks like the error is happening here:
  https://github.com/bammv/sguil/blob/master/sensor/pcap_agent.tcl#L354
• based on the fact that start_file never got set here:
  https://github.com/bammv/sguil/blob/master/sensor/pcap_agent.tcl#L341-L346
• $start_secs is the timestamp of the alert minus 120 seconds and I don't have any pcap files with a timestamp less than that:
  

I think this is somewhat of a corner case and should really only happen within the first 2 minutes of starting Sguil. I suppose I could shorten $BACK_SECONDS to something smaller like 60 to decrease the likelihood of a user running into this. But I'm wondering if it might be better to add some code here:
https://github.com/bammv/sguil/blob/master/sensor/pcap_agent.tcl#L349

to check and see if $start_file is null and, if so, set it to the earliest pcap available.

Any thoughts?

Thanks!

[jmtaylor90]

There is also an issue with pulling pcap/transcript for alerts that come in at 0000. The $start_file error will also occur in a scenario where the back occurs in the previous day. I haven't had a chance to mock up anything to address the previous day issue but would be curious what you have in mind for this @dougburks or @bammv

[bammv]

I uploaded an update to pcap_agent.tcl to day. Please let me know if it corrected the issues.