Agreed. The reason we have some malformed PCAPs from the global honeypot 
network is those pesky attackers trying to be clever as they "scapy" their way 
into breaking their attacks due to shoddy code (more incompetence in this case 
than capable maliciousness).

And, I did indeed find a few and am just waiting for a formal review so I can 
submit them for the Drill dev & tests.

-Bob

> On Feb 9, 2019, at 15:55, Ted Dunning <ted.dunn...@gmail.com> wrote:
> 
> I think that returning any usable information from the corrupt packet
> (notably including the package content itself) is important because a
> primary use case of the pcap query is in network forensics where you are
> often looking for malware that is purposely corrupting packets.
> 
> 
> 
> On Thu, Feb 7, 2019 at 9:00 AM Charles Givre <cgi...@gmail.com> wrote:
> 
>> Hey Ted
>> What do you think the desired behavior should be for corrupt packets?
>> Should Drill just ignore, or should we maybe create a Boolean field like
>> isCorrupt or something and mark corrupt packets as such?
>> 
>> Sent from my iPhone
>> 
>>> On Feb 7, 2019, at 11:45, Ted Dunning <ted.dunn...@gmail.com> wrote:
>>> 
>>> Giovanni,
>>> 
>>> A critical thing to help progress here is sample corrupted data. Even
>> just
>>> information about what kind of corruption you are seeing is important.
>>> 
>>> Packet corruption is a key technique of malware so handling bad records
>>> well is of great importance.
>>> 
>>> 
>>> 
>>>> On Thu, Feb 7, 2019 at 3:54 PM GiovanniC <gio....@gmail.com> wrote:
>>>> 
>>>> Unfortunately I don’t have more of them at the moment.
>>>> 
>>>>> On Feb 7, 2019, at 14:33, Charles Givre <cgi...@gmail.com>
>>>> wrote:
>>>>> 
>>>>> Hi Giovanni,
>>>>> Can you post additional PCAP files that don’t work?  Basically, I’m
>>>> going to add some code that will let you set a tolerance level of how
>> many
>>>> errors Drill will tolerate before throwing an exception.
>>>>> — C
>>>>> 
>>>>>> On Feb 7, 2019, at 07:33, GiovanniC <gio....@gmail.com> wrote:
>>>>>> 
>>>>>> I can help you by doing some tests.
>>>>>> 
>>>>>>> On Feb 6, 2019, at 18:46, Charles Givre <
>> cgi...@gmail.com>
>>>> wrote:
>>>>>>> 
>>>>>>> Just create a ticket and I will work on it.
>>>>>>> 
>>>>>>> Sent from my iPhone
>>>>>>> 
>>>>>>>> On Feb 6, 2019, at 12:35, Giovanni Conte <gio....@gmail.com> wrote:
>>>>>>>> 
>>>>>>>> I would like to, but I am not a java dev :(
>>>>>>>> 
>>>>>>>> On Wed, Feb 6, 2019 at 18:31 Arina Yelchiyeva <
>>>>>>>> arina.yelchiy...@gmail.com> wrote:
>>>>>>>> 
>>>>>>>>> Contributions are always welcome :)
>>>>>>>>> 
>>>>>>>>> Kind regards,
>>>>>>>>> Arina
>>>>>>>>> 
>>>>>>>>>> On Wed, Feb 6, 2019 at 7:19 PM Charles Givre <cgi...@gmail.com>
>>>> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hi Giovanni
>>>>>>>>>> I think it would be useful for Drill to have some ability to
>> ignore
>>>>>>>>>> corrupt rows in a PCAP file.  Can you open a JIRA ticket for this?
>>>>>>>>>> 
>>>>>>>>>> Sent from my iPhone
>>>>>>>>>> 
>>>>>>>>>>> On Feb 6, 2019, at 12:15, Arina Yelchiyeva <
>>>> arina.yelchiy...@gmail.com
>>>>>>>>>> 
>>>>>>>>>> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Hi Giovanni,
>>>>>>>>>>> 
>>>>>>>>>>> I don't think Drill pcap format reader has such functionality.
>>>>>>>>>>> 
>>>>>>>>>>> Kind regards,
>>>>>>>>>>> Arina
>>>>>>>>>>> 
>>>>>>>>>>>> On Wed, Feb 6, 2019 at 6:39 PM Giovanni Conte <
>> gio....@gmail.com>
>>>>>>>>>> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Hi,
>>>>>>>>>>>> I'm trying to query a pcap file and I know that there are
>>>> corrupted
>>>>>>>>> rows
>>>>>>>>>>>> (precisely line 6407),
>>>>>>>>>>>> I need a command to skip these rows to avoid the following error:
>>>>>>>>>>>> 
>>>>>>>>>>>> Error: INTERNAL_ERROR ERROR: null
>>>>>>>>>>>> Fragment 0:0
>>>>>>>>>>>> Please, refer to logs for more information.
>>>>>>>>>>>> [Error Id: fe17f64d-4ac8-453f-b442-9bcf68c69c61 on ubuntu:31010]
>>>>>>>>>>>> (state=,code=0)
>>>>>>>>>>>> 
>>>>>>>>>>>> [...]
>>>>>>>>>>>> 
>>>>>>>>>>>> the complete error is attached in the txt file (for java
>>>> exceptions),
>>>>>>>>>>>> along with the pcap file used for testing this issue. I would
>>>> like to
>>>>>>>>>> avoid
>>>>>>>>>>>> a pre-parsing of the pcap when a corrupted row is found.
>>>>>>>>>>>> Is there a way to avoid this problem?
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> 
>>>>>>>>>>>> Giovanni
>>>>>>>>>>>> 
>>>>>>>>>>>> OS: Ubuntu 18.4
>>>>>>>>>>>> Drill version: 1.15.0
>>>>>>>>>>>> Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
>>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>> 
>>>> 
>> 
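The thread converges on two behaviours for a tolerant PCAP reader: flag a bad record (Charles's isCorrupt field) while still surfacing whatever bytes it carries (Ted's forensic point), and count flagged records against a tolerance before giving up. The following parser is an added example written for this page; it is not Drill's pcap reader and makes no assumption about Drill's internals. It reads the classic pcap format (24-byte global header, 16-byte record headers), treats three header inconsistencies as corruption, keeps the record's available bytes in every case, and raises only once more than `max_corrupt` records have been flagged. The sample capture it parses is constructed inline, not a real capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

GLOBAL_HEADER_LEN = 24   # magic, version, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len

# pcap magic numbers as they appear in the file, mapped to the struct byte-order prefix
_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}


@dataclass
class PcapRecord:
    index: int                   # 1-based record number (the "row" a user would report)
    ts_sec: int
    ts_usec: int
    incl_len: int                # bytes the header claims are stored in the file
    orig_len: int                # bytes the header claims were on the wire
    data: bytes                  # whatever bytes were actually available, corrupt or not
    is_corrupt: bool = False     # the isCorrupt flag proposed in the thread
    reason: Optional[str] = None


class TooManyCorruptRecords(Exception):
    """Raised once more than max_corrupt records have been flagged."""


def parse_pcap(blob: bytes, max_corrupt: int = 0) -> List[PcapRecord]:
    """Parse a classic pcap byte string, flagging rather than dropping bad records."""
    if len(blob) < GLOBAL_HEADER_LEN:
        raise ValueError("shorter than a pcap global header")
    if blob[:4] not in _MAGIC:
        raise ValueError("not a classic pcap file: magic %r" % blob[:4])
    endian = _MAGIC[blob[:4]]
    _, _, _, _, snaplen, _ = struct.unpack(endian + "HHiIII", blob[4:GLOBAL_HEADER_LEN])

    records: List[PcapRecord] = []
    corrupt_seen = 0
    offset = GLOBAL_HEADER_LEN
    index = 0

    def flag(rec: PcapRecord) -> None:
        nonlocal corrupt_seen
        corrupt_seen += 1
        if corrupt_seen > max_corrupt:
            raise TooManyCorruptRecords(
                "record %d: %s (limit %d)" % (rec.index, rec.reason, max_corrupt))

    while offset < len(blob):
        index += 1
        header = blob[offset:offset + RECORD_HEADER_LEN]
        if len(header) < RECORD_HEADER_LEN:
            # Trailing bytes too short to be a header: keep them, flag, and stop.
            rec = PcapRecord(index, 0, 0, 0, 0, header, True, "truncated record header")
            records.append(rec)
            flag(rec)
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", header)
        body_start = offset + RECORD_HEADER_LEN
        available = len(blob) - body_start
        reason = None
        if incl_len > snaplen:
            # The length field cannot be trusted, so the next record cannot be located:
            # surface the remainder of the file as this record's content and stop.
            reason = "incl_len %d exceeds snaplen %d" % (incl_len, snaplen)
            take = available
        elif incl_len > orig_len:
            # Forbidden by the format (stored bytes > wire bytes), but the bytes are
            # still in the file, so keep them for the analyst.
            reason = "incl_len %d exceeds orig_len %d" % (incl_len, orig_len)
            take = min(incl_len, available)
        elif incl_len > available:
            reason = "truncated: header wants %d bytes, %d remain" % (incl_len, available)
            take = available
        else:
            take = incl_len
        data = blob[body_start:body_start + take]
        rec = PcapRecord(index, ts_sec, ts_usec, incl_len, orig_len, data,
                         reason is not None, reason)
        records.append(rec)
        if reason is not None:
            flag(rec)
        offset = body_start + take
    return records


def _record(ts_sec: int, payload: bytes, orig_len: Optional[int] = None) -> bytes:
    orig = len(payload) if orig_len is None else orig_len
    return struct.pack("<IIII", ts_sec, 0, len(payload), orig) + payload


def build_sample_pcap() -> bytes:
    """Constructed sample (not a real capture): little-endian, snaplen 65535, Ethernet."""
    global_header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    good1 = _record(1549497600, b"\xaa" * 60)
    # Record 2 claims 60 stored bytes but only 40 on the wire: invalid, yet the
    # 60 bytes are present in the file and worth surfacing rather than dropping.
    bad = _record(1549497601, b"\xbb" * 60, orig_len=40)
    good2 = _record(1549497602, b"\xcc" * 54)
    return global_header + good1 + bad + good2


if __name__ == "__main__":
    for r in parse_pcap(build_sample_pcap(), max_corrupt=1):
        print(r.index, r.is_corrupt, r.reason, len(r.data))
```

With `max_corrupt=0` the parser behaves like a strict reader and stops at record 2 with an error that names the record and the reason, which is already more useful than the opaque `INTERNAL_ERROR ERROR: null` in the original report; with a positive tolerance the bad record is returned alongside the good ones, marked `is_corrupt`, so a query can filter on the flag or inspect the bytes. Only the snaplen case aborts early, because a length beyond the capture limit leaves no reliable way to find the next record boundary.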
