Merge pull request #162 from CybercentreCanada/AL-3337

Attempt to convert all input files to PCAP format
CybercentreCanada · Sep 4, 2024 · a693d4c · a693d4c
2 parents 17e060e + 20dbad6
commit a693d4c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -14,6 +14,7 @@ RUN apt-get update && apt-get install -y wget curl\
   libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
   rustc cargo autoconf libpcre2-dev\
   libtool jq git-core automake liblz4-dev\
+  wireshark-common \
   && rm -rf /var/lib/apt/lists/*
 
 FROM base AS build

diff --git a/suricata_/suricata_.py b/suricata_/suricata_.py
@@ -218,12 +218,18 @@ def launch_or_load_suricata(self):
             raise Exception("Suricata could not be started.")
 
     def execute(self, request):
-        file_path = request.file_path
+        file_path = os.path.join(self.working_directory, f"{request.sha256}.pcap")
         result = Result()
 
         # Report the version of suricata as the service context
         request.set_service_context(f"Suricata version: {self.get_suricata_version()}")
 
+        # Try conversion of input file to PCAP format (on failure, return empty result)
+        proc = subprocess.run(["editcap", "-F", "pcap", request.file_path, file_path], capture_output=True)
+        if proc.stderr:
+            request.result = result
+            return
+
         # restart Suricata if we need to
         self.start_suricata_if_necessary()