Description
Repro is with Zui commit e1da723.
I recently went to update the Custom Brimcap Config article and found something had stopped working since I last ran through the steps. In that doc, logs for a pcap are loaded using Zeek & Suricata that are not the ones bundled with Brimcap, since the doc wants to show users the a la carte steps for working with customized analyzers. What I found was that the Packets button (the shark fin icon) was not becoming active when I clicked on normally eligible Zeek records that I'd loaded.
@jameskerr helped me find the root cause. The problem relates to this chunk of code, which gets called when the user clicks on a record.
zui/src/plugins/brimcap/zeek/queries.ts
Lines 21 to 35 in e1da723

```ts
export function findConnLog(pool: string, uid: string) {
  return (
    zedScript`
from ${pool}
| (` +
    uidFilter(uid) +
    `)
| is(ts, <time>)
| is(community_id, <string>)
| is(duration, <duration>)
| is(uid, <string>)
| head 1
`
  )
}
```
The community_id field is present in all the logs generated by the Zeek that we bundle with Brimcap since it includes a non-default Community ID package. However, an out-of-the-box Zeek does not have Community ID enabled by default, so that is(community_id, <string>) check fails 100% of the time on such Zeek logs and the fin never lights up.
I show the effect in the attached video where I have two conn logs generated from the same pcap using out-of-the-box Zeek v6.0.0. The first log is with Zeek in its default config such that the community_id field is not present, and in the second I've uncommented the necessary line in my local.zeek config so that community_id is present. As it shows, in the latter case the Packets fin does indeed become active. It shows "no packets found" when clicked because I didn't happen to have the Brimcap packet index populated, but that's a separate topic.
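To make the root cause concrete, here is an added TypeScript model of the pipeline in findConnLog run over constructed Zeek conn records. It is example code written for this issue, not code from Zui or Brimcap. It assumes that uidFilter(uid) reduces to an equality match on the uid field, that Zed's is() on a missing field evaluates to false (the missing-field error is not of the requested type), and the requireCommunityId switch is a hypothetical knob added only to contrast the two Zeek configurations, not a proposed change to the plugin.

```typescript
// Added example, not Zui/Brimcap code: a TypeScript model of the Zed pipeline
// in findConnLog, run over constructed Zeek conn records, showing why
// `is(community_id, <string>)` drops every record from a default Zeek build.
// Assumptions: uidFilter(uid) is modelled as an equality match on uid, and
// Zed's is() on a missing field is modelled as returning false.

type ZedType = "time" | "duration" | "string";
interface ZedValue { type: ZedType; value: string | number }
type ZedRecord = { [field: string]: ZedValue };

// Constructed records modelled on Zeek conn.log rows for one pcap.
// A default Zeek build emits no community_id field at all.
const defaultZeekConn: ZedRecord[] = [
  {
    ts: { type: "time", value: "2023-07-01T12:00:00Z" },
    uid: { type: "string", value: "CHhAvVGS1DHFjwGM9" },
    duration: { type: "duration", value: 1.5 },
  },
  {
    ts: { type: "time", value: "2023-07-01T12:00:01Z" },
    uid: { type: "string", value: "C5xQ4m3x1LQhjk9Zlb" },
    duration: { type: "duration", value: 0.2 },
  },
];

// The same rows as a Zeek with the Community ID package loaded would emit them
// (community_id values are constructed placeholders, not real hashes).
const communityIdZeekConn: ZedRecord[] = defaultZeekConn.map((r, i) => ({
  ...r,
  community_id: { type: "string", value: `1:constructed-community-id-${i}` },
}));

// Model of Zed's is(field, <type>): a missing field never matches a type.
function isType(rec: ZedRecord, field: string, type: ZedType): boolean {
  const v = rec[field];
  return v !== undefined && v.type === type;
}

// Model of the stages in findConnLog. `requireCommunityId` is hypothetical,
// added here only to contrast the bundled-Zeek assumption with a default Zeek.
function findConnLog(
  records: ZedRecord[],
  uid: string,
  requireCommunityId = true,
): ZedRecord | null {
  const matches = records
    .filter((r) => isType(r, "uid", "string") && r.uid?.value === uid) // uidFilter(uid)
    .filter((r) => isType(r, "ts", "time"))
    .filter((r) => !requireCommunityId || isType(r, "community_id", "string"))
    .filter((r) => isType(r, "duration", "duration"))
    .filter((r) => isType(r, "uid", "string"));
  return matches.length > 0 ? matches[0] : null; // head 1
}

// The Packets button only becomes active when the query returns a record.
function packetsButtonActive(
  records: ZedRecord[],
  uid: string,
  requireCommunityId = true,
): boolean {
  return findConnLog(records, uid, requireCommunityId) !== null;
}

const clickedUid = "CHhAvVGS1DHFjwGM9";
console.log("default Zeek:", packetsButtonActive(defaultZeekConn, clickedUid)); // false
console.log("Community ID Zeek:", packetsButtonActive(communityIdZeekConn, clickedUid)); // true
console.log("default Zeek, check relaxed:", packetsButtonActive(defaultZeekConn, clickedUid, false)); // true
```

Running it reproduces the symptom from the video: the same uid yields no record, and so no active fin, against the default-Zeek records, and a record against the Community ID ones. The relaxed call is there only to confirm that the community_id type check, and nothing else in the pipeline, is what rejects the default-Zeek rows.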