Misnamed attack report, missing pcap capture
rufoa opened this issue · 3 comments
I'm having a couple of issues - not sure if they are due to HoneyBadger or one of its dependencies - hoping you can help me out.
I'm running golang 1.5.1 on Debian Jessie and using the libpcap DAQ. I've run the HB tests and they all pass.
When I follow the 'manual test' instructions, I see the injected stream in nc as expected.
However when I look in my archive directory, I only have one file, called []:[]-[]:[].attackreport.json, so it looks like a .String() call has potentially gone wrong somewhere. (The actual contents of the file look correct.)
There also doesn't seem to be a pcap capture - but nor do I see any error messages - currently unsure what is causing this.
Please let me know what further info would be helpful to debug - I'm quite new to golang.
Many thanks
Ah yes, that's an old bug that sometimes shows up. I hope I get to fix it soon. Maybe later today... I don't have time right this minute.
thanks for that - no rush
I recently discovered that gopacket flows must be constructed using endpoints, otherwise their String() method receiver breaks.
// Build the flow from typed gopacket endpoints; a flow built any other way
// comes back with empty endpoints and String() renders as "[]:[]-[]:[]".
localIP, localPort, remoteIP, remotePort := t.getTCP4Tuple(t.conn)
srcIPEndpoint := layers.NewIPEndpoint(localIP)
dstIPEndpoint := layers.NewIPEndpoint(remoteIP)
srcTCPEndpoint := layers.NewTCPPortEndpoint(layers.TCPPort(localPort))
dstTCPEndpoint := layers.NewTCPPortEndpoint(layers.TCPPort(remotePort))
netFlow, err := gopacket.FlowFromEndpoints(srcIPEndpoint, dstIPEndpoint)
if err != nil {
	return err // assumes the enclosing function returns an error
}
tcpFlow, err := gopacket.FlowFromEndpoints(srcTCPEndpoint, dstTCPEndpoint)
if err != nil {
	return err
}
flow := types.NewTcpIpFlowFromFlows(netFlow, tcpFlow)