"Fix failed to find a matching sid..." error in CAPME - in cases where ELSA is returning a warning


Ryan

Jul 31, 2014, 1:11:33 PM
to securit...@googlegroups.com
https://github.com/Security-Onion/capme/pull/1

When ELSA's /opt/elsa/web/cli.pl returns a warning, it prints to
STDOUT. This throws off the position in the array of the response data,
which causes the $sensor variable never to be populated and CAPME to fail
with the "Failed to find a matching sid..." error message because
the $sensor variable is empty.

This patch will iterate through the response until we find the header
line for the response, and take the next line as the response_data.

------

I found while stepping through CAPME that ELSA was in fact returning the expected results when I ran /opt/elsa/web/cli.pl manually, but it was printing a warning to STDOUT, throwing off the CAPME ELSA script. This patch should address this specific problem. Not a PHP guy, so let me know if you notice anything wrong.

Ryan Peck
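The parsing problem described in this post, as an added example that is not CAPME's own code: a positional parser that breaks when a stray line precedes the result, beside a header-anchored parser that scans for the header line and takes the next line as the data. The header is recognised here by a hypothetical marker column name (`sid`), and the sample cli.pl output, including the leaked `HASH(0x...)` line, is constructed for the example.

```php
<?php
// Added example, not CAPME's own code. Assumption: cli.pl prints a
// tab-separated header line followed by one tab-separated data line, and
// the header can be recognised by a column named "sid" (hypothetical marker).
const HEADER_MARKER = 'sid';

// Constructed sample output: a Perl reference leaked to STDOUT by a warning,
// followed by the real header and data lines.
$elsaOutput = "HASH(0x68390b8)\n"
            . "sid\tsensor\tstart_time\n"
            . "1234\tsensor-eth1\t1406825493\n";

/** Fragile: assumes line 0 is the header and line 1 is the data. */
function parsePositional(string $output): array {
    $lines  = explode("\n", rtrim($output, "\n"));
    $header = explode("\t", $lines[0]);
    $values = isset($lines[1]) ? explode("\t", $lines[1]) : [];
    if (count($header) !== count($values)) {
        // Header/value mismatch: the caller ends up with an empty $sensor.
        return [];
    }
    return array_combine($header, $values);
}

/** Robust: locate the header line, then take the following line as data. */
function parseAnchored(string $output): array {
    $lines = explode("\n", rtrim($output, "\n"));
    foreach ($lines as $i => $line) {
        $cols = explode("\t", $line);
        if (in_array(HEADER_MARKER, $cols, true) && isset($lines[$i + 1])) {
            $values = explode("\t", $lines[$i + 1]);
            if (count($cols) === count($values)) {
                return array_combine($cols, $values);
            }
        }
    }
    // Fail loudly instead of silently continuing with an empty sensor name.
    throw new RuntimeException('ELSA response header not found; cannot determine sensor');
}

$row = parsePositional($elsaOutput);
echo "positional sensor: '" . ($row['sensor'] ?? '') . "'\n";
$row = parseAnchored($elsaOutput);
echo "anchored sensor:   '" . $row['sensor'] . "'\n";
```

The anchored parser also tolerates any number of stray lines before the header, which matches the "print as many new lines as you want" test suggested later in the thread.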

Doug Burks

Jul 31, 2014, 1:34:21 PM
to securit...@googlegroups.com
Hi Ryan,

What was the warning being printed to STDOUT?
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Karolis

Jul 31, 2014, 3:34:47 PM
to securit...@googlegroups.com
I have seen this error. I have also run the cli.pl script manually, and one of the sensors returns an extra line to STDOUT.
Cannot remember what it was exactly, but something like this: ARRAY(4718742740) or HASH(23429ulkj23i4j).
Will try your patch tomorrow. (I hope)

Ryan John Peck

Jul 31, 2014, 4:16:02 PM
to securit...@googlegroups.com
Same thing as Karolis. For me it was "HASH(0x68390b8)"; the hexadecimal number changes every run, probably a reference to a Perl hash, since it changes every time I run the cli.pl query manually. It's printed to STDOUT in the foreach loop starting at line 36.

For testing you could simulate this by just printing as many new lines as you want. The patch should still work.

Doug Burks

Jul 31, 2014, 4:53:09 PM
to securit...@googlegroups.com
Thanks, Ryan! I've created Issue 570 for this:
https://code.google.com/p/security-onion/issues/detail?id=570

Karolis

Aug 1, 2014, 6:23:19 AM
to securit...@googlegroups.com
Thanks Ryan for the patch. Pcaps are reassembled as expected now.

Karolis

Doug Burks

Aug 1, 2014, 11:41:01 AM
to securit...@googlegroups.com

Doug Burks

Aug 12, 2014, 1:10:38 PM
to securit...@googlegroups.com