Issue 916: CapMe: Check for gzip encoding and automatically switch to…

… Bro transcript
Security-Onion-Solutions · May 14, 2016 · d67a16f · d67a16f
1 parent 5ef0b55
commit d67a16f
Show file tree

Hide file tree

Showing 4 changed files with 115 additions and 6 deletions.
diff --git a/capme/.inc/callback.php b/capme/.inc/callback.php
@@ -274,10 +274,33 @@ function invalid($string) {
     }
     $cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
 
-    // The first time the pcap is requested, there is a race condition where DEBUG output may be inconsistent.
-    // The second time the pcap is requested, the pcap is cached by sguild and DEBUG output is consistent.
+    // Request pcap/transcript.
     exec("../.scripts/$cmd",$raw);
+
+    // If user requested the standard tcpflow transcript, check output
+    // for signs of gzip encoding.  If found, resubmit using Bro.
+    $foundgzip=0;
+    if ($xscript == "tcpflow") {
+	foreach ($raw as $line) {
+		if (preg_match("/^DST: Content-Encoding: gzip/i", $line)) {
+			$foundgzip=1;
+		}
+	}
+    }
+
+    // Initialize $raw before requesting pcap again.
     $raw="";
+
+    // If we found gzip encoding, then request Bro transcript.
+    if ($foundgzip==1) {
+	$script = "cliscriptbro.tcl";
+	$cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
+	$fmtd .= "<span class=txtext_hdr>CAPME: Detected gzip encoding.</span>";
+	$fmtd .= "<span class=txtext_hdr>CAPME: Automatically switched to Bro transcript.</span>";
+    }
+
+    // Request pcap/transcript.
+    // Always request pcap a second time to ensure consistent DEBUG output.
     exec("../.scripts/$cmd",$raw);
 
     // To handle large pcaps more gracefully, we now only render 1000 lines of output by default.
@@ -307,11 +330,11 @@ function invalid($string) {
 
     // If we exceeded $maxoutputlines, notify the user and recommend downloading the pcap.
     if ($outputlines >= $maxoutputlines) {
-	$fmtd .= "===========================================================<br>";
-	$fmtd .= "CAPME: Only showing the first $maxoutputlines lines.<br>";
-	$fmtd .= "CAPME: This pcap has a total of $outputlines lines.<br>";
+	$fmtd .= "=================================================================<br>";
+	$fmtd .= "CAPME: Only showing the first $maxoutputlines lines of transcript output.<br>";
+	$fmtd .= "CAPME: This transcript has a total of $outputlines lines.<br>";
 	$fmtd .= "CAPME: To see the entire stream, you can download the pcap using the link below.<br>";
-	$fmtd .= "===========================================================<br>";
+	$fmtd .= "=================================================================<br>";
     }
 
     // default to sending transcript

diff --git a/debian/changelog b/debian/changelog
@@ -1,3 +1,9 @@
+securityonion-capme (20121213-0ubuntu0securityonion39) trusty; urgency=medium
+
+  * Issue 916: CapMe: Check for gzip encoding and automatically switch to Bro transcript
+
+ -- Doug Burks <[email protected]>  Sat, 14 May 2016 07:54:51 -0400
+
 securityonion-capme (20121213-0ubuntu0securityonion38) trusty; urgency=medium
 
   * issues 736 and 738 

diff --git a/...ches/Issue-916:-CapMe:-Check-for-gzip-encoding-and-automatically-switch-to-Bro-transcript b/...ches/Issue-916:-CapMe:-Check-for-gzip-encoding-and-automatically-switch-to-Bro-transcript
@@ -0,0 +1,79 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-capme (20121213-0ubuntu0securityonion39) trusty; urgency=medium
+ .
+   * Issue 916: CapMe: Check for gzip encoding and automatically switch to Bro transcript
+Author: Doug Burks <[email protected]>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-capme-20121213.orig/capme/.inc/callback.php
++++ securityonion-capme-20121213/capme/.inc/callback.php
+@@ -274,10 +274,33 @@ if ($err == 1) {
+     }
+     $cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
+
+-    // The first time the pcap is requested, there is a race condition where DEBUG output may be inconsistent.
+-    // The second time the pcap is requested, the pcap is cached by sguild and DEBUG output is consistent.
++    // Request pcap/transcript.
+     exec("../.scripts/$cmd",$raw);
++
++    // If user requested the standard tcpflow transcript, check output
++    // for signs of gzip encoding.  If found, resubmit using Bro.
++    $foundgzip=0;
++    if ($xscript == "tcpflow") {
++	foreach ($raw as $line) {
++		if (preg_match("/^DST: Content-Encoding: gzip/i", $line)) {
++			$foundgzip=1;
++		}
++	}
++    }
++
++    // Initialize $raw before requesting pcap again.
+     $raw="";
++
++    // If we found gzip encoding, then request Bro transcript.
++    if ($foundgzip==1) {
++	$script = "cliscriptbro.tcl";
++	$cmd = "$script -sid $sid -sensor '$sensor' -timestamp '$st' -u '$usr' -pw '$pwd' -sip $sip -spt $spt -dip $dip -dpt $dpt";
++	$fmtd .= "<span class=txtext_hdr>CAPME: Detected gzip encoding.</span>";
++	$fmtd .= "<span class=txtext_hdr>CAPME: Automatically switched to Bro transcript.</span>";
++    }
++
++    // Request pcap/transcript.
++    // Always request pcap a second time to ensure consistent DEBUG output.
+     exec("../.scripts/$cmd",$raw);
+
+     // To handle large pcaps more gracefully, we now only render 1000 lines of output by default.
+@@ -307,11 +330,11 @@ if ($err == 1) {
+
+     // If we exceeded $maxoutputlines, notify the user and recommend downloading the pcap.
+     if ($outputlines >= $maxoutputlines) {
+-	$fmtd .= "===========================================================<br>";
+-	$fmtd .= "CAPME: Only showing the first $maxoutputlines lines.<br>";
+-	$fmtd .= "CAPME: This pcap has a total of $outputlines lines.<br>";
++	$fmtd .= "=================================================================<br>";
++	$fmtd .= "CAPME: Only showing the first $maxoutputlines lines of transcript output.<br>";
++	$fmtd .= "CAPME: This transcript has a total of $outputlines lines.<br>";
+ 	$fmtd .= "CAPME: To see the entire stream, you can download the pcap using the link below.<br>";
+-	$fmtd .= "===========================================================<br>";
++	$fmtd .= "=================================================================<br>";
+     }
+
+     // default to sending transcript
diff --git a/debian/patches/series b/debian/patches/series
@@ -26,3 +26,4 @@ package-PR-#13
 -Issue-736:-CapMe:-Debug-information-occasionally-gets-rendered-inside-the-transcript
 previous-fix-didn't-work,-try-pingpong
 issues-736-and-738
+Issue-916:-CapMe:-Check-for-gzip-encoding-and-automatically-switch-to-Bro-transcript