danielguerra69 / bro-debian-elasticsearch

bro on debian with elasticsearch support

Ignore CRC on bro input #8

Closed oflebbe closed 8 years ago

oflebbe commented 8 years ago

I am reading network dumps with

docker exec othercontainer tcpdump -i eth0 -s -w - | nc localhost 1969

However, the tcpdumps from containers lack correct CRC sums. I had to add -C to the bro command line to get these ethernet traces accepted by bro.

danielguerra69 commented 8 years ago

Yes, it should be changed.

On 22 Oct 2016, at 21:52, Olaf Flebbe notifications@github.com wrote:

I am reading network dumps with

docker exec othercontainer tcpdump -i eth0 -s -w - | nc localhost 1969

However, the tcpdumps from containers lack correct CRC sums. I had to add -C to bro commandline to get these ethernet traces accepted by bro.


oflebbe commented 8 years ago

I will feature your docker container setup at ApacheCon Bigdata Europe tomorrow. http://events.linuxfoundation.org/sites/events/files/slides/AttackingBigDataDeveloper.pdf Thanks for this project!

It would be great if this change can go upstream asap.

danielguerra69 commented 8 years ago

-C is not good for all scenarios. You can edit the script in your own container. I will make an extra role for off-site capturing.


oflebbe commented 8 years ago

Could you please elaborate on the problems introduced by -C ?

Olaf


danielguerra69 commented 8 years ago

I didn't elaborate because I didn't like it. I prefer not to use -C with bro. Instead I have made a new role for you, xinetd-forensic-crc. Maybe you should use this command to dump your containers:

docker run --rm --net=container: crccheck/tcpdump -i eth0 -w - | nc 1969 &

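Bro's -C switch makes it ignore IP and transport-layer checksums (the "CRC sums" discussed above are those checksums, since the Ethernet FCS is not normally present in a capture), and the thread never says how to tell a harmless case from a harmful one. The audit below is an added example, not code from this repository or from either participant: it reads a classic pcap and counts IPv4/TCP packets whose IP-header or TCP checksum fails, so a capture where every packet fails (the pattern a tcpdump inside a container sees when checksum offload has not yet filled the fields in, which -C or the maintainer's crc role papers over) can be told apart from one with scattered failures that -C would silently hide. The frames, MAC and IP addresses it builds are constructed test data.

```python
import struct
def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: fold the 16-bit words and complement (0 when data verifies)."""
    data += b"\x00" * (len(data) % 2)                      # pad odd length with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    return ones_complement_sum(src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment)

def build_frame(payload: bytes, good: bool = True) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; good=False leaves both checksums zero (offload look)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"          # constructed MACs, EtherType IPv4
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    if good:
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    if good:
        ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return eth + ip + tcp

def write_pcap(frames) -> bytes:
    """Classic little-endian pcap (magic 0xA1B2C3D4, link type 1 = Ethernet) holding the frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out
def checksum_report(pcap: bytes) -> dict:
    """Count IPv4/TCP packets whose IP header or TCP checksum fails to verify."""
    report = {"tcp_packets": 0, "bad_ip": 0, "bad_tcp": 0}
    off = 24                                               # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                    # IPv4 over Ethernet only
            continue
        ip = frame[14:14 + (frame[14] & 0x0F) * 4]         # header length from the IHL nibble
        if ip[9] != 6:                                     # TCP only
            continue
        segment = frame[14 + len(ip):14 + struct.unpack("!H", ip[2:4])[0]]
        report["tcp_packets"] += 1
        report["bad_ip"] += ones_complement_sum(ip) != 0   # a valid header sums to zero
        report["bad_tcp"] += tcp_checksum(ip[12:16], ip[16:20], segment) != 0
    return report
```

To audit a real capture, pass `open(path, "rb").read()` to `checksum_report`; the parser assumes the little-endian classic pcap format written above, not pcapng or a big-endian file.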