Merge pull request #4 from CERT-Polska/feature/max-pcap-size

Add config option to specify the maximum PCAP file size to be analyzed
CERT-Polska · Jan 15, 2024 · 5197c97 · 5197c97
2 parents 2160cc0 + b8cc936
commit 5197c97
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -44,6 +44,10 @@ Set the `vm_ip_range` value to specify the range of IP addresses used by VMs. Th
 
 Some samples may purposely generate a huge number of TCP/DNS connections. The `max_results` configures the maximum number of results reported for a given analyzer. If The number exceeds the configured value, no values are reported at all. Set to `-1` to always report all results.
 
+### Max PCAP size
+
+Processing huge (>100MB) PCAP files can take a considerable amount of time. Use the `max_pcap_size` option to specify the maximum PCAP file size to be analyzed (in bytes).
+
 ### Indicator ignorelist
 
 In some cases you don't really want to report some of the indicators that come up in almost all PCAPs. Things like OCSP, UPNP, telemetry appears very frequently and doesn't provide any analytic value per se.

diff --git a/karton/pcap_miner/pcap_miner.py b/karton/pcap_miner/pcap_miner.py
@@ -87,6 +87,9 @@ def __init__(self, *args, **kwargs) -> None:
         # do not report artifacts if number of results exceeds max_results
         self.max_results = self.config.getint("pcap-miner", "max_results", fallback=24)
 
+        # do not analyze PCAP files exceeding this size
+        self.max_pcap_size = self.config.getint("pcap-miner", "max_pcap_size")
+
         self.ignorelist = {}
         ignore_path = self.config.get("pcap-miner", "ignore_list")
         if ignore_path:
@@ -173,7 +176,15 @@ def process(self, task: Task) -> None:
             tlsmon_log = task.get_payload("tlsmon.log")
 
             if not pcap_file:
-                self.log.info("No pcap file, nothing to do...")
+                self.log.info("No PCAP file, nothing to do...")
+                return
+
+            if self.max_pcap_size and pcap_file.size > self.max_pcap_size:
+                self.log.info(
+                    "PCAP file size (%s) exceeds the configured limit (%s)",
+                    pcap_file.size,
+                    self.max_pcap_size,
+                )
                 return
 
             pcap_file.download_to_file(temp_dir / "dump.pcap")