diff --git a/capme/.inc/callback.php b/capme/.inc/callback.php index 2eeec2e..46fcd1c 100644 --- a/capme/.inc/callback.php +++ b/capme/.inc/callback.php @@ -132,16 +132,23 @@ function cliscript($cmd, $pwd) { invalid("Connection Failed."); } +// Validate user input - maxtxbytes +// must be an integer between 1000 and 100000000 +$maxtranscriptbytes = h2s($d[8]); +if (filter_var($maxtranscriptbytes, FILTER_VALIDATE_INT, array("options" => array("min_range"=>1000, "max_range"=>100000000))) === false) { + invalid("Invalid maximum transcript bytes."); +} + // Validate user input - sidsrc // valid values are: sancp, event, and elsa -$sidsrc = h2s($d[8]); +$sidsrc = h2s($d[9]); if (!( $sidsrc == 'sancp' || $sidsrc == 'event' || $sidsrc == 'elsa' )) { invalid("Invalid sidsrc."); } // Validate user input - xscript // valid values are: auto, tcpflow, bro, and pcap -$xscript = h2s($d[9]); +$xscript = h2s($d[10]); if (!( $xscript == 'auto' || $xscript == 'tcpflow' || $xscript == 'bro' || $xscript == 'pcap' )) { invalid("Invalid xscript."); } @@ -324,15 +331,15 @@ function cliscript($cmd, $pwd) { $raw = cliscript($cmd, $pwd); $time4 = microtime(true); - // To handle large pcaps more gracefully, we only render the first $maxtranscriptbytes. + // Initialize $transcriptbytes so we can count the number of bytes in the transcript $transcriptbytes=0; - $maxtranscriptbytes=500000; // Check for errors and format as necessary. foreach ($raw as $line) { if (preg_match("/^ERROR: Connection failed$/", $line)) { invalid("ERROR: Connection to sguild failed!"); } + // To handle large pcaps more gracefully, we only render the first $maxtranscriptbytes. $transcriptbytes += strlen($line); if ($transcriptbytes <= $maxtranscriptbytes) { $line = htmlspecialchars($line); @@ -412,7 +419,10 @@ function cliscript($cmd, $pwd) { if ($transcriptbytes > $maxtranscriptbytes) { $debug .= "CAPME: Only showing the first " . number_format($maxtranscriptbytes) . " bytes of transcript output.
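Review bot: The validated integer produced by filter_var() is discarded and `$maxtranscriptbytes` keeps the raw h2s() string; since FILTER_VALIDATE_INT also accepts a leading sign and surrounding whitespace, the value reused in the `$transcriptbytes <= $maxtranscriptbytes` comparison (hunk @@ -324) and in `number_format($maxtranscriptbytes)` (hunk @@ -412) is a loosely-typed string rather than a clean int. Keep the sanitised result instead: `$maxtranscriptbytes = filter_var(h2s($d[8]), FILTER_VALIDATE_INT, array("options" => array("min_range"=>1000, "max_range"=>100000000)));` followed by `if ($maxtranscriptbytes === false) { invalid("Invalid maximum transcript bytes."); }`. The same 1000..100000000 range is repeated in index.php and capme.js, and the upper bound now lets a single request ask for up to 100 MB of escaped transcript in one response, so a comment such as `// Bounds must match index.php and capme.js; this server-side check is authoritative and caps response size` would help keep the three in sync. `$d` is populated outside this hunk, and existing 10-field URLs will now fail the sidsrc check at `$d[9]`, which is presumably intended but worth stating.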
"; $debug .= "CAPME: This transcript has a total of " . number_format($transcriptbytes) . " bytes.
"; - $debug .= "CAPME: To see the entire stream, you can download the pcap using the link below.
"; + $debug .= "CAPME: To see the entire stream, you can either:
"; + $debug .= "CAPME: - click the 'close' button, increase Max Xscript Bytes, and resubmit (may take a while)
"; + $debug .= "CAPME: OR
"; + $debug .= "CAPME: - you can download the pcap using the link below.
"; } // if we found the pcap, create a symlink in /var/www/so/capme/pcap/ diff --git a/capme/.js/capme.js b/capme/.js/capme.js index 78ae5fe..dd42a26 100644 --- a/capme/.js/capme.js +++ b/capme/.js/capme.js @@ -159,7 +159,7 @@ $(document).ready(function(){ } frmArgs = $('input[value!=""]').length; - if (frmArgs == 18) { + if (frmArgs == 19) { reqCap("usefrm"); } else { theMsg("Please complete all form fields"); @@ -186,6 +186,9 @@ $(document).ready(function(){ var dip = s2h(chkIP($("#dip").val())); var dpt = s2h(chkPort($("#dpt").val())); + // Max TX + var maxtx = s2h(chkMaxTX($("#maxtx").val())); + // Timestamps if ($("#stime").val().length > 0) { var st = chkDate($("#stime").val()); @@ -214,7 +217,7 @@ $(document).ready(function(){ // Continue if no errors if (err == 0) { - var urArgs = "d=" + sip + "-" + spt + "-" + dip + "-" + dpt + "-" + st + "-" + et + "-" + usr + "-" + pwd + "-" + sidsrc + "-" + xscript; + var urArgs = "d=" + sip + "-" + spt + "-" + dip + "-" + dpt + "-" + st + "-" + et + "-" + usr + "-" + pwd + "-" + maxtx + "-" + sidsrc + "-" + xscript; $(function(){ $.get(".inc/callback.php?" + urArgs, function(data){cbtx(data)}); @@ -296,6 +299,18 @@ $(document).ready(function(){ } } + // maxtx validation + function chkMaxTX(maxtx) { + var valid = /^[0-9]+$\b/; + if (!valid.test(maxtx) || maxtx < 1000 || maxtx > 100000000 || maxtx.charAt(0) == 0) { + theMsg("Error: Bad MaxTX"); + bON('.capme_submit'); + err = 1; + } else { + return maxtx; + } + } + // port validation function chkPort(port) { var valid = /^[0-9]+$\b/; diff --git a/capme/index.php b/capme/index.php index 793f03b..b86a777 100644 --- a/capme/index.php +++ b/capme/index.php 
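Review bot: `if (frmArgs == 19)` is a bare magic number whose only link to the new maxtx field is the +1; nothing in the hunk says what 19 counts. A comment such as `// 19 = number of non-empty inputs once every form field (incl. maxtx) is filled; keep in sync with the form in index.php` would make the next field addition less error-prone. The context line `$('input[value!=""]').length` counts any input element with a non-empty value attribute, so whether hidden or submit inputs are part of that 19 cannot be confirmed from this hunk and should be checked against index.php.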
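Review bot: The new `maxtx` segment of `urArgs` is inserted positionally between `pwd` and `sidsrc`, and callback.php parses it as `$d[8]` with `sidsrc`/`xscript` shifted to `$d[9]`/`$d[10]`, but nothing in either file documents this coupling. A comment above the line, e.g. `// Field order is positional and must match the $d[n] indexes in .inc/callback.php`, would prevent silent misparsing when the next field is added. The enclosing submit handler starts and ends outside this hunk.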
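Review bot: chkMaxTX compares the raw string with numbers (`maxtx < 1000`, `maxtx > 100000000`) and uses loose equality in `maxtx.charAt(0) == 0`, relying on implicit coercion in three places, while the `$\b` in `/^[0-9]+$\b/` is redundant after the end anchor (copied from chkPort). Parsing once is clearer and makes the leading-zero rule explicit: `var n = parseInt(maxtx, 10);` then `if (!/^[1-9][0-9]*$/.test(maxtx) || n < 1000 || n > 100000000) {`. Like chkPort, the function returns undefined on failure and signals through the shared `err` flag defined outside the hunk, so a short comment stating that this is a client-side pre-check and the range check in callback.php is authoritative would be useful.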
@@ -10,7 +10,7 @@ function invalid($string) { } // Argument defaults -$sip = $spt = $dip = $dpt = $stime = $etime = $usr = $pwd = $sancp = $event = $elsa = $bro = $tcpflow = $pcap = ''; +$sip = $spt = $dip = $dpt = $stime = $etime = $usr = $pwd = $sancp = $event = $elsa = $bro = $tcpflow = $pcap = $maxtx = ''; // Validate user input - source IP address - sip if (isset($_REQUEST['sip'])) { @@ -114,6 +114,19 @@ function invalid($string) { } } +// Validate user input - max transcript bytes - maxtx +// must be an integer between 1000 and 100000000 (100MB) +if (isset($_REQUEST['maxtx'])) { + if (filter_var($_REQUEST['maxtx'], FILTER_VALIDATE_INT, array("options" => array("min_range"=>1000, "max_range"=>100000000))) === false) { + invalid("Invalid max transcript bytes."); + } else { + $maxtx = $_REQUEST['maxtx']; $s++; + } +} else { + // Default to Max Xscript Bytes of 500,000 + $maxtx = 500000; +} + // If we see a filename parameter, we know the request came from Snorby // and if so we can just query the event table since Snorby just has NIDS alerts // If the referer contains "elsa-query", then it's most likely a Security Onion user @@ -193,6 +206,12 @@ function invalid($string) { + +Max Xscript Bytes: + + + + Sid Source: diff --git a/debian/changelog b/debian/changelog index e146144..ea2db86 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-capme (20121213-0ubuntu0securityonion47) trusty; urgency=medium + + * add Max Transcript Bytes to submission form + + -- Doug Burks Mon, 23 May 2016 15:59:05 -0400 + securityonion-capme (20121213-0ubuntu0securityonion46) trusty; urgency=medium * remove unnecessary delay diff --git a/debian/patches/add-Max-Transcript-Bytes-to-submission-form b/debian/patches/add-Max-Transcript-Bytes-to-submission-form new file mode 100644 index 0000000..57a6721 --- /dev/null +++ b/debian/patches/add-Max-Transcript-Bytes-to-submission-form 
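Review bot: `$maxtx = $_REQUEST['maxtx']; $s++;` stores the raw request string even though filter_var() has already produced a clean int, and FILTER_VALIDATE_INT accepts a leading sign and surrounding whitespace, so `$maxtx` is not guaranteed to be plain digits if it is later echoed into the form. Assign the validated value instead: `$maxtx = filter_var($_REQUEST['maxtx'], FILTER_VALIDATE_INT, array("options" => array("min_range"=>1000, "max_range"=>100000000)));` and `if ($maxtx === false) { invalid("Invalid max transcript bytes."); }`, with `$s++;` on its own line. The else branch applies the 500000 default without incrementing `$s`; if `$s` counts caller-supplied arguments that is presumably intended, but a one-line comment saying so would help since `$s` is defined outside the hunk. The form markup in hunk @@ -193 did not survive extraction, so how `$maxtx` is emitted there could not be reviewed.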
@@ -0,0 +1,176 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-capme (20121213-0ubuntu0securityonion47) trusty; urgency=medium + . + * add Max Transcript Bytes to submission form +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-capme-20121213.orig/capme/.inc/callback.php ++++ securityonion-capme-20121213/capme/.inc/callback.php +@@ -132,16 +132,23 @@ if ($link) { + invalid("Connection Failed."); + } + ++// Validate user input - maxtxbytes ++// must be an integer between 1000 and 100000000 ++$maxtranscriptbytes = h2s($d[8]); ++if (filter_var($maxtranscriptbytes, FILTER_VALIDATE_INT, array("options" => array("min_range"=>1000, "max_range"=>100000000))) === false) { ++ invalid("Invalid maximum transcript bytes."); ++} ++ + // Validate user input - sidsrc + // valid values are: sancp, event, and elsa +-$sidsrc = h2s($d[8]); ++$sidsrc = h2s($d[9]); + if (!( $sidsrc == 'sancp' || $sidsrc == 'event' || $sidsrc == 'elsa' )) { + invalid("Invalid sidsrc."); + } + + // Validate user input - xscript + // valid values are: auto, tcpflow, bro, and pcap +-$xscript = h2s($d[9]); ++$xscript = h2s($d[10]); + if (!( $xscript == 'auto' || $xscript == 'tcpflow' || $xscript == 'bro' || $xscript == 'pcap' )) { + invalid("Invalid xscript."); + } +@@ -324,15 +331,15 @@ if ($err == 1) { + $raw = cliscript($cmd, $pwd); + $time4 = microtime(true); + +- // 
To handle large pcaps more gracefully, we only render the first $maxtranscriptbytes. ++ // Initialize $transcriptbytes so we can count the number of bytes in the transcript + $transcriptbytes=0; +- $maxtranscriptbytes=500000; + + // Check for errors and format as necessary. + foreach ($raw as $line) { + if (preg_match("/^ERROR: Connection failed$/", $line)) { + invalid("ERROR: Connection to sguild failed!"); + } ++ // To handle large pcaps more gracefully, we only render the first $maxtranscriptbytes. + $transcriptbytes += strlen($line); + if ($transcriptbytes <= $maxtranscriptbytes) { + $line = htmlspecialchars($line); +@@ -412,7 +419,10 @@ if ($err == 1) { + if ($transcriptbytes > $maxtranscriptbytes) { + $debug .= "CAPME: Only showing the first " . number_format($maxtranscriptbytes) . " bytes of transcript output.
"; + $debug .= "CAPME: This transcript has a total of " . number_format($transcriptbytes) . " bytes.
"; +- $debug .= "CAPME: To see the entire stream, you can download the pcap using the link below.
"; ++ $debug .= "CAPME: To see the entire stream, you can either:
"; ++ $debug .= "CAPME: - click the 'close' button, increase Max Xscript Bytes, and resubmit (may take a while)
"; ++ $debug .= "CAPME: OR
"; ++ $debug .= "CAPME: - you can download the pcap using the link below.
"; + } + + // if we found the pcap, create a symlink in /var/www/so/capme/pcap/ +--- securityonion-capme-20121213.orig/capme/.js/capme.js ++++ securityonion-capme-20121213/capme/.js/capme.js +@@ -159,7 +159,7 @@ $(document).ready(function(){ + } + + frmArgs = $('input[value!=""]').length; +- if (frmArgs == 18) { ++ if (frmArgs == 19) { + reqCap("usefrm"); + } else { + theMsg("Please complete all form fields"); +@@ -186,6 +186,9 @@ $(document).ready(function(){ + var dip = s2h(chkIP($("#dip").val())); + var dpt = s2h(chkPort($("#dpt").val())); + ++ // Max TX ++ var maxtx = s2h(chkMaxTX($("#maxtx").val())); ++ + // Timestamps + if ($("#stime").val().length > 0) { + var st = chkDate($("#stime").val()); +@@ -214,7 +217,7 @@ $(document).ready(function(){ + // Continue if no errors + if (err == 0) { + +- var urArgs = "d=" + sip + "-" + spt + "-" + dip + "-" + dpt + "-" + st + "-" + et + "-" + usr + "-" + pwd + "-" + sidsrc + "-" + xscript; ++ var urArgs = "d=" + sip + "-" + spt + "-" + dip + "-" + dpt + "-" + st + "-" + et + "-" + usr + "-" + pwd + "-" + maxtx + "-" + sidsrc + "-" + xscript; + + $(function(){ + $.get(".inc/callback.php?" 
+ urArgs, function(data){cbtx(data)}); +@@ -296,6 +299,18 @@ $(document).ready(function(){ + } + } + ++ // maxtx validation ++ function chkMaxTX(maxtx) { ++ var valid = /^[0-9]+$\b/; ++ if (!valid.test(maxtx) || maxtx < 1000 || maxtx > 100000000 || maxtx.charAt(0) == 0) { ++ theMsg("Error: Bad MaxTX"); ++ bON('.capme_submit'); ++ err = 1; ++ } else { ++ return maxtx; ++ } ++ } ++ + // port validation + function chkPort(port) { + var valid = /^[0-9]+$\b/; +--- securityonion-capme-20121213.orig/capme/index.php ++++ securityonion-capme-20121213/capme/index.php +@@ -10,7 +10,7 @@ function invalid($string) { + } + + // Argument defaults +-$sip = $spt = $dip = $dpt = $stime = $etime = $usr = $pwd = $sancp = $event = $elsa = $bro = $tcpflow = $pcap = ''; ++$sip = $spt = $dip = $dpt = $stime = $etime = $usr = $pwd = $sancp = $event = $elsa = $bro = $tcpflow = $pcap = $maxtx = ''; + + // Validate user input - source IP address - sip + if (isset($_REQUEST['sip'])) { +@@ -114,6 +114,19 @@ if ( isset($_REQUEST['user']) && isset($ + } + } + ++// Validate user input - max transcript bytes - maxtx ++// must be an integer between 1000 and 100000000 (100MB) ++if (isset($_REQUEST['maxtx'])) { ++ if (filter_var($_REQUEST['maxtx'], FILTER_VALIDATE_INT, array("options" => array("min_range"=>1000, "max_range"=>100000000))) === false) { ++ invalid("Invalid max transcript bytes."); ++ } else { ++ $maxtx = $_REQUEST['maxtx']; $s++; ++ } ++} else { ++ // Default to Max Xscript Bytes of 500,000 ++ $maxtx = 500000; ++} ++ + // If we see a filename parameter, we know the request came from Snorby + // and if so we can just query the event table since Snorby just has NIDS alerts + // If the referer contains "elsa-query", then it's most likely a Security Onion user +@@ -193,6 +206,12 @@ capME! + + + ++ ++Max Xscript Bytes: ++ ++ ++ ++ + + Sid Source: + diff --git a/debian/patches/series b/debian/patches/series index d00c2f2..fd831ce 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -34,3 +34,4 @@ check-for-sguild-failure-needs-to-be-more-strict -Issue-493:-CapMe:-send-credentials-interactively-to-avoid-exposing-on-command-line clean-up remove-unnecessary-delay +add-Max-Transcript-Bytes-to-submission-form