Import incorrectly flags a mismatch between filename and path field for open_http, open_ssl, and open_conn logs. #69

@krooth

Re-importing the sample database in ACH 7.0.1 resulted in the following errors:
FTL Encountered an unrecoverable issue when trying to write to the database, exiting error="write: write tcp 172.18.0.4:49298->172.18.0.3:9000: write: broken pipe" batch_size=100000 database=openconn_tmp stage=send

Errors from AC-Hunter Logs:

2025-07-22T11:26:02.000+00:00 {"level":"error","path":"/tmp/zeek_logs/dnscat2/dnscat2/open_conn.log","error":"TSV 'path' field does not match file pathname prefix","time":1753183562}
2025-07-22T11:26:03.000+00:00 {"level":"error","path":"/tmp/zeek_logs/dnscat2/dnscat2/open_http.log","error":"TSV 'path' field does not match file pathname prefix","time":1753183563}
2025-07-22T11:26:04.000+00:00 {"level":"error","path":"/tmp/zeek_logs/dnscat2/dnscat2/open_ssl.log","error":"TSV 'path' field does not match file pathname prefix","time":1753183564}
2025-07-22T11:33:21.000+00:00 {"level":"fatal","error":"write: write tcp 172.18.0.4:49298->172.18.0.3:9000: write: broken pipe","database":"openconn_tmp","stage":"send","batch_size":100000,"time":1753184001,"message":"Encountered an unrecoverable issue when trying to write to the database, exiting"}

Here are the relevant lines for "#path" in those three files:

wstearns@ro94 dnscat2]$ grep '^#path' open_*
open_conn.log:#path	conn
open_http.log:#path	http
open_ssl.log:#path	ssl

That error appears to come from:
./rita-main/importer/parser.go:var errMismatchedPathField = errors.New("TSV 'path' field does not match file pathname prefix")

That file appears to be the only file that uses that variable.

// validatePathPrefix returns an error if the TSV header path field does not match the prefix of the file's path name
func (header *ZeekHeader[Z]) validatePathPrefix() (err error) {
        switch {
        case strings.HasPrefix(filepath.Base(header.fsPath), ConnPrefix) && !strings.HasPrefix(filepath.Base(header.fsPath), ConnSummaryPrefixUnderscore) && !strings.HasPrefix(filepath.Base(header.fsPath), ConnSummaryPrefixHyphen):
                if header.path != ConnPrefix {
                        return errMismatchedPathField
                }
        case strings.HasPrefix(filepath.Base(header.fsPath), OpenConnPrefix):
                if header.path != OpenConnPrefix {
                        return errMismatchedPathField
                }
        case strings.HasPrefix(filepath.Base(header.fsPath), DNSPrefix):
                if header.path != DNSPrefix {
                        return errMismatchedPathField
                }
        case strings.HasPrefix(filepath.Base(header.fsPath), HTTPPrefix):
                if header.path != HTTPPrefix {
                        return errMismatchedPathField
                }
        case strings.HasPrefix(filepath.Base(header.fsPath), OpenHTTPPrefix):
                if header.path != OpenHTTPPrefix {
                        return errMismatchedPathField
                }
        case strings.HasPrefix(filepath.Base(header.fsPath), SSLPrefix):
                if header.path != SSLPrefix {
                        return errMismatchedPathField
                }
        case strings.HasPrefix(filepath.Base(header.fsPath), OpenSSLPrefix):
                if header.path != OpenSSLPrefix {
                        return errMismatchedPathField
                }
        }
        return nil
}
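
The check quoted above, reduced to a stand-alone program and run against the three file names and `#path` values from the grep output (an added example, not part of the original issue or of the RITA code base). The prefix string values, the conn summary file names, and the `lenientCheck` relaxation are assumptions made for illustration; the issue shows only the constant names and proposes no fix.

```go
package main
import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)
var errMismatchedPathField = errors.New("TSV 'path' field does not match file pathname prefix")
// Prefixes in the order of the quoted switch; string values are assumed, not from the issue.
var prefixes = []string{"conn", "open_conn", "dns", "http", "open_http", "ssl", "open_ssl"}

// filePrefix returns the prefix whose case would fire for fsPath, or "".
func filePrefix(fsPath string) string {
	base := filepath.Base(fsPath)
	for _, p := range prefixes {
		if !strings.HasPrefix(base, p) {
			continue
		}
		// conn summary files are excluded from the conn case (assumed names).
		if p == "conn" && (strings.HasPrefix(base, "conn_summary") || strings.HasPrefix(base, "conn-summary")) {
			continue
		}
		return p
	}
	return ""
}

// strictCheck mirrors the quoted logic: header path must equal the file prefix.
func strictCheck(fsPath, headerPath string) error {
	if p := filePrefix(fsPath); p != "" && headerPath != p {
		return errMismatchedPathField
	}
	return nil
}

// lenientCheck (hypothetical) also accepts the base type for open_* files.
func lenientCheck(fsPath, headerPath string) error {
	p := filePrefix(fsPath)
	if p == "" || headerPath == p || headerPath == strings.TrimPrefix(p, "open_") {
		return nil
	}
	return errMismatchedPathField
}

func main() {
	for f, h := range map[string]string{"open_conn.log": "conn", "open_http.log": "http", "open_ssl.log": "ssl"} {
		fmt.Println(f, "strict:", strictCheck(f, h), "lenient:", lenientCheck(f, h))
	}
}
```

With these inputs the strict check rejects all three open_* files, while the relaxed variant accepts them and still rejects a header of a different log type.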
