eciavatta / caronte

A tool to analyze the network flow during attack/defence Capture the Flag competitions

License: GNU General Public License v3.0

Languages: Dockerfile 0.26%, Go 42.98%, Shell 0.63%, Python 0.37%, HTML 0.16%, JavaScript 49.14%, SCSS 6.46%
Topics: attack-defense, network-analysis, capture-the-flag, tcp-reassembly, ctf-tools, traffic-analyzer

caronte's People

Contributors

dependabot[bot], eciavatta, lorenzo9uerra, md-levitan, thelillo, therealbobo, xkrishguptaa


caronte's Issues

add ability to see which pcap file a stream is from and download pcap

One thing we have noticed while using Caronte is that it's hard to find out
which pcap file a specific stream is from. If you want to manually look at packets/streams
before and after the stream you have found in Caronte, we had to basically download
all pcaps and just open all of them to find the correct stream.

  1. Would be awesome if there was some info about which pcap file a stream/packet is from.
  2. Possibility to download the entire pcap the specific stream/packet is from.

The DELETE method doesn't work as it should

When I try to delete a session by using the DELETE method it doesn't remove any session: the return status is 202 (accepted) but the sessions remain unchanged. I think there is some trouble with the cancelFunc() method (caronte/pcap_importer.go:161)

Crash when receiving PCAPs

As I try to send PCAP files (captured with tcpdump -i ens18 -w out.pcap) to caronte via API, either via POST to /api/pcap/upload or via POST to /api/pcap/file, I get the following error and the docker container crashes:

caronte_1  | panic: interface conversion: interface is nil, not hyperscan.database
caronte_1  | 
caronte_1  | goroutine 117 [running]:
caronte_1  | github.com/flier/gohs/hyperscan.NewScratch(0x0, 0x0, 0x0, 0x0, 0x0)
caronte_1  |    /root/go/pkg/mod/github.com/flier/[email protected]/hyperscan/runtime.go:22 +0x45
caronte_1  | main.(*BiDirectionalStreamFactory).takeScanner(0xc00031adc0, 0x0, 0x0, 0x0)
caronte_1  |    /caronte/connection_handler.go:117 +0x163
caronte_1  | main.(*BiDirectionalStreamFactory).New(0xc00031adc0, 0x1, 0x4, 0x4, 0x440f77a8, 0x0, 0xdb612e5d, 0x0, 0x4, 0x2, ...)
caronte_1  |    /caronte/connection_handler.go:175 +0xeec
caronte_1  | github.com/google/gopacket/tcpassembly.(*StreamPool).getConnection(0xc00012e380, 0x1, 0x4, 0x4, 0x440f77a8, 0x0, 0xdb612e5d, 0x0, 0x4, 0x2, ...)
caronte_1  |    /root/go/pkg/mod/github.com/google/[email protected]/tcpassembly/assembly.go:502 +0x1ea
caronte_1  | github.com/google/gopacket/tcpassembly.(*Assembler).AssembleWithTimestamp(0xc0000acb80, 0x1, 0x4, 0x4, 0x440f77a8, 0x0, 0xdb612e5d, 0x0, 0xc0001ae000, 0xdff7f00, ...)
caronte_1  |    /root/go/pkg/mod/github.com/google/[email protected]/tcpassembly/assembly.go:550 +0x27f
caronte_1  | main.(*PcapImporter).parsePcap(0xc000482700, 0xc000316b80, 0x40, 0xc0284a8bbad061e8, 0x363bcb01f2, 0x1580e20, 0x87b2, 0x0, 0x0, 0x0, ...)
caronte_1  |    /caronte/pcap_importer.go:249 +0xb8c
caronte_1  | created by main.(*PcapImporter).ImportPcap
caronte_1  |    /caronte/pcap_importer.go:132 +0x57e

Ability to download connection content

From the frontend it must be possible to download the contents of a connection in the selected format

  • it is necessary to add a new API such as /api/streams/{id}/format/download
  • it is necessary to find a way to split client content from server content
    • using newline chars to divide the messages
    • create two separate files, one with the client content, the other with the server content

Ability to create and update rules from GUI

Rules are used to highlight and filter connections based on network properties or based on content (regular expressions are used to search). The rules system is already implemented in the backend, but not yet present in the frontend

  • it is necessary to add a window showing all the rules already created
    • and for each rule it must be possible to view and modify the details
    • the API to use to get the list of rules entered is GET /api/rules
    • the API to use to get the details of a single rule is GET /api/rules/{id}
  • it must be possible to add a new rule or modify an existing one, inserting all the consistency checks
  • the list of connections must be modified to include the matched rules for each connection
    • the API only provides the id of the matched rule. To get to the name of the rule it is necessary to perform a join operation from the frontend
      • the list of rules, however, must be downloaded only once, and updated each time a new rule is added or an existing rule modified
        • for optimization reasons and to save the number of requests to the server
    • a color is associated with each rule, then display them as labels

Add a pipeline to build Docker image

At each commit on a stable branch (master) the tool image must be automatically created and pushed to the DockerHub public repository

  • the full name of the repository will be eciavatta/caronte

Implement configuration via GUI

At the first start the tool must be configured (with POST /setup)

  • when the user opens the GUI without having configured the tool, all requests give an error (Error 503 - ServiceUnavailable)
  • the frontend must therefore understand that the tool has not been configured, and must show the configuration window
    • warnings should be shown that once the configuration is complete it cannot be changed
    • once the configuration is complete, the tool must automatically reload and start working
    • the configuration parameters must be those present in the API specification

Ability to process or upload pcaps from GUI

The possibility to process or load pcap directly from the frontend must be added

  • it must be possible to select files with the extension pcap|pcapng in the browser file upload window
    • and upload them with /api/pcap/upload api
  • it must be possible to choose to process a pcap / pcapng file present on the filesystem where Caronte is running with /api/pcap/file api

CIDR Address doesn't work

CIDR address specified in the server ip during setup doesn't work properly. Flag stolen doesn't work on CIDR.
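The issue above is about the "server ip" setup value being a CIDR range rather than a single address. The block below is an added example, not caronte's own code: it accepts either form, stores both as a prefix, and answers "does this address belong to our servers?" with one check. The ServerRange type, the Direction helper and its labels, and the sample addresses are assumptions for this example; how caronte itself defines "flag stolen" is not stated on this page, but any such rule needs to know which side of a connection is the server, which is what Direction shows.

```go
package main

// Added example (not caronte's code): parse the configured server address as
// either a single IP or a CIDR range and classify connections against it.

import (
	"fmt"
	"net/netip"
	"strings"
)

// ServerRange is the set of addresses that belong to our own services.
// A single IP is stored as a /32 (IPv4) or /128 (IPv6) prefix so that the
// Contains check is the same code path for both forms.
type ServerRange struct {
	Prefix netip.Prefix
}

// ParseServerRange accepts "10.10.3.1" or "10.10.3.0/24" (IPv4 or IPv6).
func ParseServerRange(spec string) (ServerRange, error) {
	spec = strings.TrimSpace(spec)
	if strings.Contains(spec, "/") {
		p, err := netip.ParsePrefix(spec)
		if err != nil {
			return ServerRange{}, fmt.Errorf("invalid CIDR %q: %w", spec, err)
		}
		// Masked() normalises 10.10.3.7/24 to 10.10.3.0/24 so the stored
		// prefix prints and compares consistently.
		return ServerRange{Prefix: p.Masked()}, nil
	}
	a, err := netip.ParseAddr(spec)
	if err != nil {
		return ServerRange{}, fmt.Errorf("invalid IP %q: %w", spec, err)
	}
	a = a.Unmap()
	return ServerRange{Prefix: netip.PrefixFrom(a, a.BitLen())}, nil
}

// Contains reports whether ip falls inside the configured range. Addresses
// are unmapped first because netip treats ::ffff:10.10.3.7 and 10.10.3.7 as
// different, and packet decoders can yield either representation.
func (r ServerRange) Contains(ip string) bool {
	a, err := netip.ParseAddr(ip)
	if err != nil {
		return false // unparsable addresses never match
	}
	return r.Prefix.Contains(a.Unmap())
}

// Direction classifies a connection relative to the server range. The label
// names are an assumption for this example; "server-to-outside" is the side
// a flag-exfiltration rule would look at.
func Direction(r ServerRange, src, dst string) string {
	srcIn, dstIn := r.Contains(src), r.Contains(dst)
	switch {
	case srcIn && !dstIn:
		return "server-to-outside"
	case !srcIn && dstIn:
		return "outside-to-server"
	case srcIn && dstIn:
		return "internal"
	default:
		return "unrelated"
	}
}

func main() {
	// Constructed sample values, not from any real competition.
	for _, spec := range []string{"10.10.3.0/24", "10.10.3.1"} {
		r, err := ParseServerRange(spec)
		if err != nil {
			fmt.Println("setup error:", err)
			continue
		}
		fmt.Printf("%-14s contains 10.10.3.7? %v; 203.0.113.9 -> 10.10.3.7 is %s\n",
			spec, r.Contains("10.10.3.7"), Direction(r, "203.0.113.9", "10.10.3.7"))
	}
}
```

The single-IP and CIDR cases share one representation, so any later check (rule matching, timeline filters, flag detection) only ever calls Contains and cannot regress for one form while working for the other.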

Add the timeline to select time intervals

At the bottom of the page, in the frontend, there is the space reserved for a timeline

  • which starts at the time of the oldest connection and ends at the time of the most recent connection
    • it is necessary to create new APIs to get this information
  • for each chosen time interval (for example every minute) display the number of connections per service using a line graph
    • each line represents a service; the color of the line is the color of the service label
    • it is necessary to create new APIs that contain the statistics of each service for time intervals
  • there will be a sliding window that can be resized in width to select the time interval for viewing connections
    • at each movement of the sliding window the list of connections must be updated with the new time filters
  • moving the mouse on the timeline it will expand showing more details
    • to be defined later
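The statistics API described in the list above (oldest and newest connection time, then one line per service with connection counts per fixed interval) is the part worth seeing in code. The block below is an added example, not caronte's code: it buckets connections by destination port and interval, fills empty buckets with zero so every line shares the same x-axis, and routes ports that match no service into an "unknown" line rather than dropping them. The Connection, Service, Series types, the port-to-service mapping and the sample timestamps are assumptions for this example.

```go
package main

// Added example (not caronte's code): per-service connection counts per
// interval, the series a timeline line graph would draw.

import (
	"fmt"
	"sort"
	"time"
)

// Connection is the minimum a timeline needs; the real record has more fields.
type Connection struct {
	StartedAt time.Time
	DstPort   uint16
}

// Service maps a port to a name and the label colour used for its line.
type Service struct {
	Port  uint16
	Name  string
	Color string
}

// Point is one graph sample: the interval start and the connection count.
type Point struct {
	Bucket time.Time
	Count  int
}

// Series is the line for one service.
type Series struct {
	Service Service
	Points  []Point
}

// TimeRange returns the oldest and newest connection start (the timeline's
// ends). ok is false when there are no connections.
func TimeRange(conns []Connection) (oldest, newest time.Time, ok bool) {
	if len(conns) == 0 {
		return
	}
	oldest, newest = conns[0].StartedAt, conns[0].StartedAt
	for _, c := range conns[1:] {
		if c.StartedAt.Before(oldest) {
			oldest = c.StartedAt
		}
		if c.StartedAt.After(newest) {
			newest = c.StartedAt
		}
	}
	return oldest, newest, true
}

// TimelineStats counts connections per service per interval. Every series
// covers the same buckets, from the oldest to the newest connection, with
// zeros where a service saw nothing; series are sorted by service name.
func TimelineStats(conns []Connection, services []Service, interval time.Duration) []Series {
	oldest, newest, ok := TimeRange(conns)
	if !ok {
		return nil
	}
	byPort := make(map[uint16]Service, len(services))
	for _, s := range services {
		byPort[s.Port] = s
	}
	unknown := Service{Name: "unknown", Color: "#999999"} // assumed fallback colour

	counts := map[string]map[time.Time]int{}
	seen := map[string]Service{}
	for _, c := range conns {
		svc, found := byPort[c.DstPort]
		if !found {
			svc = unknown
		}
		b := c.StartedAt.UTC().Truncate(interval)
		if counts[svc.Name] == nil {
			counts[svc.Name] = map[time.Time]int{}
		}
		counts[svc.Name][b]++
		seen[svc.Name] = svc
	}

	names := make([]string, 0, len(seen))
	for n := range seen {
		names = append(names, n)
	}
	sort.Strings(names)

	first := oldest.UTC().Truncate(interval)
	last := newest.UTC().Truncate(interval)
	out := make([]Series, 0, len(names))
	for _, n := range names {
		s := Series{Service: seen[n]}
		for b := first; !b.After(last); b = b.Add(interval) {
			s.Points = append(s.Points, Point{Bucket: b, Count: counts[n][b]})
		}
		out = append(out, s)
	}
	return out
}

func main() {
	// Constructed sample: five connections over three minutes.
	base := time.Date(2020, 11, 7, 10, 0, 0, 0, time.UTC)
	conns := []Connection{
		{StartedAt: base.Add(10 * time.Second), DstPort: 80},
		{StartedAt: base.Add(50 * time.Second), DstPort: 80},
		{StartedAt: base.Add(65 * time.Second), DstPort: 1337},
		{StartedAt: base.Add(119 * time.Second), DstPort: 80},
		{StartedAt: base.Add(150 * time.Second), DstPort: 9999},
	}
	services := []Service{{80, "web", "#1f77b4"}, {1337, "flagstore", "#d62728"}}
	for _, s := range TimelineStats(conns, services, time.Minute) {
		fmt.Printf("%-10s %s:", s.Service.Name, s.Service.Color)
		for _, p := range s.Points {
			fmt.Printf(" %s=%d", p.Bucket.Format("15:04"), p.Count)
		}
		fmt.Println()
	}
}
```

Filling the zero buckets server-side keeps the frontend simple: it receives equal-length series and can draw them directly, and the sliding window can be mapped to bucket indices without re-querying for gaps.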

Packets which match the flag regex won't highlight

First things first: thanks for the wonderful project!

Reading your README.md I saw that one of the features mentions the highlight of the packets matching the regex, but in my experience this doesn't happen.

For example:
[image]

I tried it with Firefox and Chrome on Linux. Is caronte supposed to highlight the flags or did I get it wrong?

Decode gzip body in HTTP connections

The tool must be able to recognize if one or more HTTP requests are compressed using gzip or deflate, and provide the body of the decompressed response.
Decompression should be done from the backend, and the APIs should be updated to provide both the original and the decompressed version to the frontend
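The decoding step described above has two details a backend implementation has to get right: "deflate" bodies on the wire are sometimes zlib-wrapped (RFC 1950, as the HTTP spec intends) and sometimes raw DEFLATE (RFC 1951), and a tiny compressed body can expand to a size that exhausts the analyzer. The block below is an added example, not caronte's code: it decodes gzip and both deflate variants from the standard library, keeps the original bytes next to the decoded ones as the issue asks, and caps the decompressed size. The DecodedBody type, the 8 MiB limit and the sample flag string are assumptions for this example.

```go
package main

// Added example (not caronte's code): decode a compressed HTTP body while
// keeping both the original and the decompressed version.

import (
	"bytes"
	"compress/flate"
	"compress/gzip"
	"compress/zlib"
	"errors"
	"fmt"
	"io"
	"strings"
)

// maxDecoded caps the decompressed size so a small, highly compressible body
// inside a capture cannot exhaust memory. 8 MiB is an assumed limit.
const maxDecoded = 8 << 20

// DecodedBody carries both versions, as the issue asks the API to expose.
type DecodedBody struct {
	Encoding string
	Original []byte
	Decoded  []byte
}

// DecodeHTTPBody decompresses body according to the Content-Encoding value
// (assumed already parsed out of the headers by the caller).
func DecodeHTTPBody(encoding string, body []byte) (DecodedBody, error) {
	enc := strings.ToLower(strings.TrimSpace(encoding))
	out := DecodedBody{Encoding: enc, Original: body}

	var r io.Reader
	switch enc {
	case "", "identity":
		out.Decoded = body
		return out, nil
	case "gzip", "x-gzip":
		gr, err := gzip.NewReader(bytes.NewReader(body))
		if err != nil {
			return out, fmt.Errorf("gzip header: %w", err)
		}
		defer gr.Close()
		r = gr
	case "deflate":
		// Try the zlib-wrapped form first; zlib.NewReader validates the
		// two-byte header, so a raw DEFLATE stream fails here and we retry.
		zr, err := zlib.NewReader(bytes.NewReader(body))
		if err == nil {
			defer zr.Close()
			r = zr
		} else {
			fr := flate.NewReader(bytes.NewReader(body))
			defer fr.Close()
			r = fr
		}
	default:
		return out, fmt.Errorf("unsupported Content-Encoding %q", enc)
	}

	// Read one byte past the limit so an exactly-at-limit body is accepted
	// and anything larger is rejected without being fully inflated.
	decoded, err := io.ReadAll(io.LimitReader(r, maxDecoded+1))
	if err != nil {
		return out, fmt.Errorf("decompress %s: %w", enc, err)
	}
	if len(decoded) > maxDecoded {
		return out, errors.New("decompressed body exceeds size limit")
	}
	out.Decoded = decoded
	return out, nil
}

// The three helpers below build constructed sample bodies for the demo;
// write errors are ignored because the destination is an in-memory buffer.
func gzipBytes(s string) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write([]byte(s))
	w.Close()
	return buf.Bytes()
}

func zlibBytes(s string) []byte {
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	w.Write([]byte(s))
	w.Close()
	return buf.Bytes()
}

func rawDeflateBytes(s string) []byte {
	var buf bytes.Buffer
	w, _ := flate.NewWriter(&buf, flate.DefaultCompression)
	w.Write([]byte(s))
	w.Close()
	return buf.Bytes()
}

func main() {
	const flag = "CTF{constructed_sample_flag}" // constructed, not a real flag
	samples := []struct {
		enc  string
		body []byte
	}{
		{"gzip", gzipBytes(flag)},
		{"deflate", zlibBytes(flag)},
		{"deflate", rawDeflateBytes(flag)},
		{"identity", []byte(flag)},
		{"br", []byte(flag)},
	}
	for _, s := range samples {
		d, err := DecodeHTTPBody(s.enc, s.body)
		fmt.Printf("%-8s original=%2d bytes decoded=%q err=%v\n", s.enc, len(d.Original), d.Decoded, err)
	}
}
```

Returning the original alongside the decoded bytes lets the API serve both views without re-reading the pcap, and the size cap is what keeps a deliberately hostile capture from turning the analyzer into the first casualty of the match.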
