drill-user mailing list archives

From Bob Rudis <...@rud.is>
Subject Re: Drill fails to query pcap files
Date Sat, 09 Feb 2019 22:25:10 GMT
Agreed. The reason we have some malformed PCAPs from the global honeypot network is those pesky
attackers trying to be clever as they "scapy" their way into breaking their attacks due to
shoddy code (more incompetence in this case than capable maliciousness).

And, I did indeed find a few and am just waiting for a formal review so I can submit them
for the Drill dev & tests.

-Bob

> On Feb 9, 2019, at 15:55, Ted Dunning <ted.dunning@gmail.com> wrote:
> 
> I think that returning any usable information from the corrupt packet
> (notably including the package content itself) is important because a
> primary use case of the pcap query is in network forensics where you are
> often looking for malware that is purposely corrupting packets.
> 
> 
> 
> On Thu, Feb 7, 2019 at 9:00 AM Charles Givre <cgivre@gmail.com> wrote:
> 
>> Hey Ted
>> What do you think the desired behavior should be for corrupt packets?
>> Should Drill just ignore, or should we maybe create a Boolean field like
>> isCorrupt or something and  mark corrupt packets as such?
>> 
>> Sent from my iPhone
>> 
>>> On Feb 7, 2019, at 11:45, Ted Dunning <ted.dunning@gmail.com> wrote:
>>> 
>>> Giovanni,
>>> 
>>> A critical thing to help progress here is sample corrupted data. Even just
>>> information about what kind of corruption you are seeing is important.
>>> 
>>> Packet corruption is a key technique of malware so handling bad records
>>> well is of great importance.
>>> 
>>> 
>>> 
>>>> On Thu, Feb 7, 2019 at 3:54 PM GiovanniC <gio.cnt@gmail.com> wrote:
>>>> 
>>>> Unfortunately I don’t have more of them at the moment.
>>>> 
>>>>> On 7 Feb 2019, at 14:33, Charles Givre <cgivre@gmail.com> wrote:
>>>>> 
>>>>> Hi Giovanni,
>>>>> Can you post additional PCAP files that don’t work? Basically, I’m going
>>>>> to add some code that will let you set a tolerance level of how many
>>>>> errors Drill will tolerate before throwing an exception.
>>>>> — C
>>>>> 
>>>>>> On Feb 7, 2019, at 07:33, GiovanniC <gio.cnt@gmail.com> wrote:
>>>>>> 
>>>>>> I can help you by doing some test.
>>>>>> 
>>>>>>> On 6 Feb 2019, at 18:46, Charles Givre <cgivre@gmail.com> wrote:
>>>>>>> 
>>>>>>> Just create a ticket and I will work on it.
>>>>>>> 
>>>>>>> Sent from my iPhone
>>>>>>> 
>>>>>>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gio.cnt@gmail.com> wrote:
>>>>>>>> 
>>>>>>>> I would like to, but I am not a java dev :(
>>>>>>>> 
>>>>>>>> On Wed, 6 Feb 2019 at 18:31 Arina Yelchiyeva <arina.yelchiyeva@gmail.com> wrote:
>>>>>>>> 
>>>>>>>>> Contributions are always welcome :)
>>>>>>>>> 
>>>>>>>>> Kind regards,
>>>>>>>>> Arina
>>>>>>>>> 
>>>>>>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cgivre@gmail.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi Giovanni
>>>>>>>>>> I think it would be useful for Drill to have some ability to ignore
>>>>>>>>>> corrupt rows in a PCAP file.  Can you open a JIRA ticket for this?
>>>>>>>>>> 
>>>>>>>>>> Sent from my iPhone
>>>>>>>>>> 
>>>>>>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <arina.yelchiyeva@gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi Giovanni,
>>>>>>>>>>> 
>>>>>>>>>>> I don't think Drill pcap format reader has such functionality.
>>>>>>>>>>> 
>>>>>>>>>>> Kind regards,
>>>>>>>>>>> Arina
>>>>>>>>>>> 
>>>>>>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <gio.cnt@gmail.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> I'm trying to query a pcap file and I know that there are corrupted
>>>>>>>>>>>> rows (precisely line 6407),
>>>>>>>>>>>> I need a command to skip these rows to avoid the following error:
>>>>>>>>>>>> 
>>>>>>>>>>>> Error: INTERNAL_ERROR ERROR: null
>>>>>>>>>>>> Fragment 0:0
>>>>>>>>>>>> Please, refer to logs for more information.
>>>>>>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
>>>>>>>>>>>> (state=,code=0)
>>>>>>>>>>>> 
>>>>>>>>>>>> [...]
>>>>>>>>>>>> 
>>>>>>>>>>>> the complete error is attached in the txt file () for java exceptions,
>>>>>>>>>>>> along with the pcap file used for testing this issue. I would like to
>>>>>>>>>>>> avoid a pre-parsing of the pcap when a corrupted row is found.
>>>>>>>>>>>> Is there a way to avoid this problem?
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> 
>>>>>>>>>>>> Giovanni
>>>>>>>>>>>> 
>>>>>>>>>>>> OS: Ubuntu 18.4
>>>>>>>>>>>> Drill version: 1.15.0
>>>>>>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>>>>>>>>>>>> 

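The skip-or-flag behaviour the thread converges on (a tolerance count for bad records, and an isCorrupt-style flag that still keeps the packet bytes for forensic use), written out as an added stand-alone Python sketch; this is not Drill's code. The record-sanity checks and the resync heuristic (never consume more than snaplen or the remaining bytes) are my assumptions, and the input file is constructed inline.

```python
import struct
from dataclasses import dataclass

@dataclass
class Record:
    ts_sec: int
    ts_usec: int
    orig_len: int
    data: bytes               # captured bytes are kept even for a bad record
    is_corrupt: bool = False  # the "isCorrupt" flag discussed in the thread
    reason: str = ""

class TooManyCorruptRecords(Exception):
    pass

def read_pcap(buf: bytes, tolerance: int = 0):
    """Walk classic (non-pcapng) records, flagging implausible ones instead
    of aborting; raise once more than `tolerance` corrupt records are seen."""
    magic = struct.unpack_from("<I", buf, 0)[0]
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file (unexpected magic)")
    snaplen = struct.unpack_from(end + "I", buf, 16)[0]
    off, bad = 24, 0
    while off < len(buf):
        hdr = buf[off:off + 16]
        if len(hdr) < 16:
            ts_sec = ts_usec = incl_len = orig_len = 0
            reason = "truncated record header at offset %d" % off
        else:
            ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", hdr)
            reason = ""
            if incl_len > snaplen or incl_len > orig_len:
                reason = "incl_len %d exceeds snaplen %d / orig_len %d" % (incl_len, snaplen, orig_len)
            elif incl_len > len(buf) - off - 16:
                reason = "record claims %d bytes past end of file" % incl_len
        if reason:
            bad += 1
            if bad > tolerance:
                raise TooManyCorruptRecords("%d corrupt record(s); last: %s" % (bad, reason))
        # Assumed resync heuristic: never read past snaplen or the end of the buffer.
        take = min(incl_len, snaplen, max(len(buf) - off - 16, 0))
        yield Record(ts_sec, ts_usec, orig_len, buf[off + 16:off + 16 + take], bool(reason), reason)
        off += 16 + take

def build_sample() -> bytes:
    """Constructed input: snaplen 64, a sane record, a record whose incl_len far exceeds snaplen, a sane one."""
    gh = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1)
    good = struct.pack("<IIII", 1549500000, 0, 4, 4) + b"\xde\xad\xbe\xef"
    bad = struct.pack("<IIII", 1549500001, 0, 0xFFFF, 0xFFFF) + b"\x00" * 64
    return gh + good + bad + good
```

With `tolerance=1` the sample yields three records, the middle one flagged with its 64 consumed bytes attached; with `tolerance=0` the same file raises on that record, which is the behaviour a query engine would surface as an error.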
