From 2a3192142d9341dd074f1067809ab8beaea75561 Mon Sep 17 00:00:00 2001 From: Christian Wiese Date: Sun, 5 Aug 2007 21:32:02 +0000 Subject: [PATCH] * fixed nepenthes prelude log support git-svn-id: svn://svn.opensde.net/opensde/package/trunk@21960 10447126-35f2-4685-b0cf-6dd780d3921f --- network/nepenthes/libprelude.patch | 27 - network/nepenthes/nepenthes.conf | 10 +- network/nepenthes/prelude-hotfix.patch | 1107 ++++++++++++++++++++++++ 3 files changed, 1114 insertions(+), 30 deletions(-) delete mode 100644 network/nepenthes/libprelude.patch create mode 100644 network/nepenthes/prelude-hotfix.patch diff --git a/network/nepenthes/libprelude.patch b/network/nepenthes/libprelude.patch deleted file mode 100644 index 003fb4850..000000000 --- a/network/nepenthes/libprelude.patch +++ /dev/null @@ -1,27 +0,0 @@ -# --- SDE-COPYRIGHT-NOTE-BEGIN --- -# This copyright note is auto-generated by ./scripts/Create-CopyPatch. -# -# Filename: package/.../nepenthes/libprelude.patch -# Copyright (C) 2006 The OpenSDE Project -# -# More information can be found in the files COPYING and README. -# -# This patch file is dual-licensed. It is available under the license the -# patched project is licensed under, as long as it is an OpenSource license -# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms -# of the GNU General Public License as published by the Free Software -# Foundation; either version 2 of the License, or (at your option) any later -# version. -# --- SDE-COPYRIGHT-NOTE-END --- - ---- nepenthes-0.1.7/modules/log-prelude/log-prelude.hpp.orig 2006-10-16 02:45:08.000000000 +0200 -+++ nepenthes-0.1.7/modules/log-prelude/log-prelude.hpp 2006-10-16 02:45:25.000000000 +0200 -@@ -30,7 +30,7 @@ - #include "config.h" - - #ifdef HAVE_LIBPRELUDE --#include -+#include - #endif - - #include diff --git a/network/nepenthes/nepenthes.conf b/network/nepenthes/nepenthes.conf index 86bcf8ea4..eb1b9ad08 100644 --- a/network/nepenthes/nepenthes.conf 
+++ b/network/nepenthes/nepenthes.conf @@ -2,7 +2,7 @@ # This copyright note is auto-generated by ./scripts/Create-CopyPatch. # # Filename: package/.../nepenthes/nepenthes.conf -# Copyright (C) 2006 The OpenSDE Project +# Copyright (C) 2006 - 2007 The OpenSDE Project # # More information can be found in the files COPYING and README. # @@ -13,5 +13,9 @@ # --- SDE-COPYRIGHT-NOTE-END --- # Prelude-IDS support -pkginstalled libprelude && var_append confopt " " "--enable-prelude" - +if pkginstalled libprelude ; then + pkgprefix -t libprelude + var_append confopt " " "--enable-prelude" + var_append CXXFLAGS ' ' "-I$root$( pkgprefix includedir libprelude )" + export CXXFLAGS +fi diff --git a/network/nepenthes/prelude-hotfix.patch b/network/nepenthes/prelude-hotfix.patch new file mode 100644 index 000000000..046446201 --- /dev/null +++ b/network/nepenthes/prelude-hotfix.patch 
@@ -0,0 +1,1107 @@ +# --- SDE-COPYRIGHT-NOTE-BEGIN --- +# This copyright note is auto-generated by ./scripts/Create-CopyPatch. +# +# Filename: package/.../nepenthes/prelude-hotfix.patch +# Copyright (C) 2007 The OpenSDE Project +# +# More information can be found in the files COPYING and README. +# +# This patch file is dual-licensed. It is available under the license the +# patched project is licensed under, as long as it is an OpenSource license +# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms +# of the GNU General Public License as published by the Free Software +# Foundation; either version 2 of the License, or (at your option) any later +# version. +# --- SDE-COPYRIGHT-NOTE-END --- + +This patch includes several bugfixes that were fixed in the +upstream svn repository and rediffed against nepenthes 0.2.0. + +it includes following changesets: +http://svn.mwcollect.org/changeset/1266 +http://svn.mwcollect.org/changeset/1274 +http://svn.mwcollect.org/changeset/1278 + +diff -ruN nepenthes-0.2.0/modules/log-prelude/Makefile.am nepenthes-0.2.0-prelude/modules/log-prelude/Makefile.am +--- nepenthes-0.2.0/modules/log-prelude/Makefile.am 2006-11-13 20:40:08.000000000 +0100 ++++ nepenthes-0.2.0-prelude/modules/log-prelude/Makefile.am 2007-08-05 22:40:44.000000000 +0200 +@@ -4,7 +4,7 @@ + + AUTOMAKE_OPTIONS = foreign + +-AM_CPPFLAGS = -I/usr/include/libprelude -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE $(CPPFLAG_PRELUDE) ++AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE + AM_CXXFLAGS = -Wall + AM_LDFLAGS = $(LDFLAG_PRELUDE) ${LIB_PRELUDE} + +diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.conf.dist +--- nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist 2006-11-13 20:40:08.000000000 +0100 ++++ 
nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.conf.dist 2007-08-05 22:52:16.000000000 +0200 +@@ -1,7 +1,9 @@ + log-prelude + { +- analyzerClass "NIDS"; +- analyzerModel "nepenthes"; +- analyzerName "nepenthes"; +- ++ ++ // Name of the Prelude analyzer to use (default is nepenthes). ++ // analyzerName "nepenthes"; ++ ++ // Name of the Prelude profile to use (default is nepenthes). ++ // analyzerProfile "nepenthes"; + }; +diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.cpp +--- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp 2006-11-13 20:40:08.000000000 +0100 ++++ nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.cpp 2007-08-05 22:52:51.000000000 +0200 +@@ -27,14 +27,6 @@ + + /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */ + +-#ifdef HAVE_LIBPRELUDE +-#include +-#include +-#include +-#include +-#include +-#endif +- + #include + #include "log-prelude.hpp" + #include "Nepenthes.hpp" +@@ -62,8 +54,12 @@ + #endif + + #define STDTAGS l_mod | l_ev | l_hlr +-#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net" + #define NEPENTHES_VERSION "$Rev: 550 $" ++#define DEFAULT_ANALYZER_NAME "nepenthes" ++#define DEFAULT_ANALYZER_PROFILE "nepenthes" ++#define ANALYZER_MODEL "Nepenthes" ++#define ANALYZER_CLASS "Honeypot" ++#define ANALYZER_MANUFACTURER "http://nepenthes.mwcollect.org/" + + + +@@ -132,28 +128,21 @@ + + #ifdef HAVE_LIBPRELUDE + +- if ( m_Config == NULL ) +- { +- logCrit("I need a config\n"); +- return false; +- } +- +- string analyzerClass; +- string analyzerModel; + string analyzerName; +- +- try +- { +- analyzerClass = (m_Config->getValString("log-prelude.analyzerClass")); +- analyzerModel = m_Config->getValString("log-prelude.analyzerModel"); +- analyzerName = m_Config->getValString("log-prelude.analyzerName"); +- +- } catch ( ... 
) +- { +- logCrit("Error setting needed vars, check your config\n"); +- return false; +- } +- ++ string analyzerProfile; ++ ++ try { ++ analyzerName = m_Config->getValString("log-prelude.analyzerName"); ++ } catch ( ... ) { ++ analyzerName = DEFAULT_ANALYZER_NAME; ++ } ++ ++ try { ++ analyzerProfile = m_Config->getValString("log-prelude.analyzerProfile"); ++ } catch ( ... ) { ++ analyzerProfile = DEFAULT_ANALYZER_PROFILE; ++ } ++ + m_ModuleManager = m_Nepenthes->getModuleMgr(); + m_Events.set(EV_SOCK_TCP_ACCEPT); + m_Events.set(EV_SOCK_TCP_CLOSE); +@@ -163,44 +152,39 @@ + m_Events.set(EV_DOWNLOAD); + m_Events.set(EV_SUBMISSION); + +- +- const char *profile, *config; +- +- config = NULL; +- profile = analyzerName.c_str(); +- +- +- +- + int32_t ret; + // Initialize Prelude Library + ret = prelude_init(NULL, NULL); +- if ( ret < 0 ) ++ if ( ret < 0 ) { + logCrit("%s: Unable to initialize the Prelude library: %s.\n", + prelude_strsource(ret), + prelude_strerror(ret)); ++ return false; ++ } + + // generate a new Prelude client +- ret = prelude_client_new(&m_PreludeClient, profile); ++ ret = prelude_client_new(&m_PreludeClient, analyzerProfile.c_str()); + +- if ( ret < 0 ) ++ if ( ret < 0 ) { + logCrit("%s: Unable to create a prelude client object: %s.\n", + prelude_strsource(ret), + prelude_strerror(ret)); ++ return false; ++ } + +- ++ + // set options in the analyzer-part of the client + prelude_string_t *string; + +- ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); ++ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); + if ( ret < 0 ) + return false; +- prelude_string_set_constant(string, analyzerModel.c_str()); +- +- ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); ++ prelude_string_set_constant(string, ANALYZER_CLASS); ++ ++ ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); + if ( ret < 0 ) + return false; +- 
prelude_string_set_constant(string, analyzerClass.c_str()); ++ prelude_string_set_constant(string, ANALYZER_MODEL); + + ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string); + if ( ret < 0 ) +@@ -209,28 +193,31 @@ + + ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string); + if ( ret < 0 ) +- return false; +- +- prelude_string_set_constant(string, NEPENTHES_VERSION); ++ return false; ++ prelude_string_set_constant(string, VERSION); + +-// start the Prelude Client ++ ret = idmef_analyzer_new_name(prelude_client_get_analyzer(m_PreludeClient), &string); ++ if ( ret < 0 ) ++ return false; ++ prelude_string_set_dup(string, analyzerName.c_str()); ++ ++ // start the Prelude Client + ret = prelude_client_start(m_PreludeClient); + if ( ret < 0 ) + { +- if ( prelude_client_is_setup_needed(ret) ) +- prelude_client_print_setup_error(m_PreludeClient); +- + logCrit("%s: Unable to initialize prelude client: %s.\n", + prelude_strsource(ret), prelude_strerror(ret)); ++ return false; + } + +-// set async Prelude Flags for the client, makes the application multithreaded +- ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); +- if ( ret < 0 ) ++ // set async Prelude Flags for the client, makes the application multithreaded ++ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); ++ if ( ret < 0 ) { + logCrit("%s: Unable to set asynchronous send and timer: %s.\n", + prelude_strsource(ret), + prelude_strerror(ret)); +- ++ return false; ++ } + + REG_EVENT_HANDLER(this); + return true; +@@ -274,7 +261,7 @@ + idmef_value_t *val; + idmef_path_t *path; + +- ret = idmef_path_new(&path, object); ++ ret = idmef_path_new_fast(&path, object); + if ( ret < 0 ) + { + logWarn("imdef error 
#1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); +diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.cpp~ +--- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.cpp~ 2007-08-05 22:51:33.000000000 +0200 +@@ -0,0 +1,853 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++ /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */ ++ ++#include ++#include "log-prelude.hpp" ++#include "Nepenthes.hpp" ++#include "LogManager.hpp" ++#include "EventManager.hpp" ++#include "SubmitEvent.hpp" ++ ++#include "Download.hpp" ++#include "DownloadUrl.hpp" ++#include "DownloadBuffer.hpp" ++ ++#include "Socket.hpp" ++#include "SocketEvent.hpp" ++ ++#include "Message.hpp" ++#include "Utilities.hpp" ++#include "Config.hpp" ++#include "ShellcodeHandler.hpp" ++ ++ ++using namespace nepenthes; ++ ++#ifdef STDTAGS ++#undef STDTAGS ++#endif ++ ++#define STDTAGS l_mod | l_ev | l_hlr ++#define NEPENTHES_VERSION "$Rev: 550 $" ++#define DEFAULT_ANALYZER_NAME "nepenthes" ++#define DEFAULT_ANALYZER_PROFILE "nepenthes" ++#define ANALYZER_MODEL "Nepenthes" ++#define ANALYZER_CLASS "Honeypot" ++#define ANALYZER_MANUFACTURER "http://nepenthes.mwcollect.org/" ++ ++ ++ ++/** ++ * as we may need a global pointer to our Nepenthes in our modules, ++ * and cant access the cores global pointer to nepenthes ++ * we have to use a own global pointer to nepenthes per module ++ * we need this pointer for logInfo() etc ++ */ ++Nepenthes *g_Nepenthes; ++ ++/** ++ * Constructor ++ * creates a new LogPrelude Module, where x% is public Module, public EventHandler ++ * - sets the ModuleName ++ * - sets the ModuleDescription ++ * - sets the EventHandlerName ++ * - sets the EventHandlerDescription ++ * - sets the EventHandlers Timeout ++ * - sets the Modules global pointer to the Nepenthes ++ * ++ * @param nepenthes pointer to our nepenthes master class ++ */ ++LogPrelude::LogPrelude(Nepenthes *nepenthes) ++{ ++ m_ModuleName = "log-prelude"; ++ m_ModuleDescription = "event based prelude logger"; ++ m_ModuleRevision = "$Rev: 550 $"; ++ m_Nepenthes = nepenthes; ++ ++ m_EventHandlerName = "LogPreludeEventHandler"; ++ 
m_EventHandlerDescription = "log events to a prelude database"; ++ ++// m_Timeout = time(NULL) + rand()%23; ++ ++ g_Nepenthes = nepenthes; ++ ++#ifdef HAVE_LIBPRELUDE ++ m_PreludeClient = NULL; ++#endif ++} ++ ++ ++/** ++ * exerything important happens in ::Exit() as we have a return value there ++ */ ++LogPrelude::~LogPrelude() ++{ ++ ++} ++ ++ ++ ++/** ++ * bool Module::Init() ++ * setup Module specific values ++ * here: ++ * - register as EventHandler ++ * - set wanted events ++ * ++ * @return returns true if everything was fine, else false ++ * returning false will showup errors in warning a module ++ */ ++bool LogPrelude::Init() ++{ ++ ++#ifdef HAVE_LIBPRELUDE ++ ++ if ( m_Config == NULL ) ++ { ++ logCrit("I need a config\n"); ++ return false; ++ } ++ ++ string analyzerClass; ++ string analyzerModel; ++ string analyzerName; ++ ++ try ++ { ++ analyzerClass = (m_Config->getValString("log-prelude.analyzerClass")); ++ analyzerModel = m_Config->getValString("log-prelude.analyzerModel"); ++ analyzerName = m_Config->getValString("log-prelude.analyzerName"); ++ ++ } catch ( ... 
) ++ { ++ logCrit("Error setting needed vars, check your config\n"); ++ return false; ++ } ++ ++ m_ModuleManager = m_Nepenthes->getModuleMgr(); ++ m_Events.set(EV_SOCK_TCP_ACCEPT); ++ m_Events.set(EV_SOCK_TCP_CLOSE); ++ m_Events.set(EV_DIALOGUE_ASSIGN_AND_DONE); ++ m_Events.set(EV_SHELLCODE_DONE); ++ ++ m_Events.set(EV_DOWNLOAD); ++ m_Events.set(EV_SUBMISSION); ++ ++ ++ const char *profile, *config; ++ ++ config = NULL; ++ profile = analyzerName.c_str(); ++ ++ ++ ++ ++ int32_t ret; ++// Initialize Prelude Library ++ ret = prelude_init(NULL, NULL); ++ if ( ret < 0 ) ++ logCrit("%s: Unable to initialize the Prelude library: %s.\n", ++ prelude_strsource(ret), ++ prelude_strerror(ret)); ++ ++// generate a new Prelude client ++ ret = prelude_client_new(&m_PreludeClient, profile); ++ ++ if ( ret < 0 ) ++ logCrit("%s: Unable to create a prelude client object: %s.\n", ++ prelude_strsource(ret), ++ prelude_strerror(ret)); ++ ++ ++ // set options in the analyzer-part of the client ++ prelude_string_t *string; ++ ++ ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); ++ if ( ret < 0 ) ++ return false; ++ prelude_string_set_ref(string, analyzerModel.c_str()); ++ ++ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); ++ if ( ret < 0 ) ++ return false; ++ prelude_string_set_ref(string, analyzerClass.c_str()); ++ ++ ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string); ++ if ( ret < 0 ) ++ return false; ++ prelude_string_set_constant(string, ANALYZER_MANUFACTURER); ++ ++ ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string); ++ if ( ret < 0 ) ++ return false; ++ ++ prelude_string_set_constant(string, NEPENTHES_VERSION); ++ ++// start the Prelude Client ++ ret = prelude_client_start(m_PreludeClient); ++ if ( ret < 0 ) ++ { ++ if ( prelude_client_is_setup_needed(ret) ) ++ prelude_client_print_setup_error(m_PreludeClient); ++ ++ logCrit("%s: 
Unable to initialize prelude client: %s.\n", ++ prelude_strsource(ret), prelude_strerror(ret)); ++ } ++ ++// set async Prelude Flags for the client, makes the application multithreaded ++ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); ++ if ( ret < 0 ) ++ logCrit("%s: Unable to set asynchronous send and timer: %s.\n", ++ prelude_strsource(ret), ++ prelude_strerror(ret)); ++ ++ ++ REG_EVENT_HANDLER(this); ++ return true; ++#else ++ logCrit("Module log-prelude is compiled without libprelude, this wont work, reconfigure the whole source and recompile"); ++ return false; ++#endif ++ ++} ++ ++ ++/** ++ * unregister as EventHandler, destroy the Prelude Client ++ * ++ * @return returns true if everything was fine ++ */ ++bool LogPrelude::Exit() ++{ ++#ifdef HAVE_LIBPRELUDE ++ if( m_PreludeClient != NULL) ++ { ++ prelude_client_destroy(m_PreludeClient, (prelude_client_exit_status_t)(PRELUDE_CLIENT_EXIT_STATUS_SUCCESS)); ++ prelude_deinit(); ++ } ++ // disabled by harald due to segfaults ++ //UNREG_EVENT_HANDLER(this); ++#endif ++ return true; ++} ++ ++ ++ ++/** ++ * This function adds char * idmef values into an idmef message ++ * ++ */ ++#ifdef HAVE_LIBPRELUDE ++int32_t add_idmef_object(idmef_message_t *message, const char *object, const char *value) ++{ ++ int32_t ret=0; ++ idmef_value_t *val; ++ idmef_path_t *path; ++ ++ ret = idmef_path_new(&path, object); ++ if ( ret < 0 ) ++ { ++ logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); ++ return -1; ++ } ++ ++ ret = idmef_value_new_from_path(&val, path, value); ++ if ( ret < 0 ) ++ { ++ idmef_path_destroy(path); ++ logWarn("imdef error #2 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); ++ return -1; ++ } ++ ++ ret = idmef_path_set(path, message, val); ++ ++ idmef_value_destroy(val); ++ idmef_path_destroy(path); ++ return ret; ++} ++ ++ ++/** ++ * 
++ * This function adds int32_t idmef values into an idmef message ++ */ ++int32_t add_idmef_object(idmef_message_t *message, const char *object, int32_t i) ++{ ++ char value[20]; ++ memset(value,0,20); ++ snprintf(value,19,"%i",i); ++ return add_idmef_object(message,object,value); ++} ++ ++#endif ++ ++ ++/** ++ * the handleEvent method is called whenever an event occurs ++ * the EventHandler wanted to have. ++ * ++ * @param event the Event ++ * ++ * @return return 0 ++ */ ++uint32_t LogPrelude::handleEvent(Event *event) ++{ ++// logPF(); ++// logInfo("Event %i\n",event->getType()); ++ switch(event->getType()) ++ { ++ ++ case EV_SOCK_TCP_ACCEPT: ++ handleTCPaccept(event); ++ break; ++ ++ case EV_SOCK_TCP_CLOSE: ++ handleTCPclose(event); ++ break; ++ ++ case EV_SUBMISSION: ++ handleSubmission(event); ++ break; ++ ++ case EV_DIALOGUE_ASSIGN_AND_DONE: ++ handleDialogueAssignAndDone(event); ++ break; ++ ++ case EV_SHELLCODE_DONE: ++ handleShellcodeDone(event); ++ break; ++ ++ ++ case EV_DOWNLOAD: ++ handleDownload(event); ++ break; ++ ++ default: ++ logWarn("this should not happen\n"); ++ } ++ return 0; ++} ++ ++ ++void LogPrelude::handleTCPaccept(Event *event) ++{ ++ ++ ++ logInfo("LogPrelude EVENT EV_SOCK_TCP_ACCEPT\n"); ++ ++#ifdef HAVE_LIBPRELUDE ++ Socket *socket = ((SocketEvent *)event)->getSocket(); ++ ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ ++ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established"); ++ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT); ++// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ ++ ++ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); ++ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); ++ ++ uint32_t addr = socket->getRemoteHost(); ++ string address = 
inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes"); ++ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); ++ ++ addr = socket->getLocalHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ ++ ++ idmef_time_t *time; ++ ++ ret = idmef_time_new_from_gettimeofday(&time); ++ idmef_alert_set_create_time(idmef_message_get_alert(idmef), ++ time); ++ ++ ++ // analyzer id ++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), ++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), ++ IDMEF_LIST_PREPEND); ++ ++ ++ prelude_client_send_idmef(m_PreludeClient, idmef); ++ ++ //prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); ++ //const char *msgid = prelude_string_get_string(field); ++ ++ //logInfo("PreludeMessageID = %s \n",msgid); ++ ++ idmef_message_destroy(idmef); ++#endif ++} ++ ++ ++ ++ ++void LogPrelude::handleTCPclose(Event *event) ++{ ++ ++ Socket *socket = ((SocketEvent *)event)->getSocket(); ++ ++ if (! 
socket->isAccept()) ++ { ++ return; ++ } ++ ++ logInfo("LogPrelude EVENT EV_SOCK_TCP_CLOSE\n"); ++ ++#ifdef HAVE_LIBPRELUDE ++ ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ ++ ++ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed"); ++ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE); ++// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ ++ ++ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); ++ ++ uint32_t addr = socket->getRemoteHost(); ++ string address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); ++ ++ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); ++ ++ addr = socket->getLocalHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",address.c_str()); ++ ++ idmef_time_t *time; ++ ++ ret = idmef_time_new_from_gettimeofday(&time); ++ idmef_alert_set_create_time(idmef_message_get_alert(idmef), ++ time); ++ ++ ++ // analyzer id ++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), ++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), ++ IDMEF_LIST_PREPEND); ++ ++ ++ prelude_client_send_idmef(m_PreludeClient, idmef); ++ ++// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); ++// const char *msgid = prelude_string_get_string(field); ++ ++// logInfo("CloseMessageID = %s \n",msgid); ++ ++ idmef_message_destroy(idmef); ++ ++#endif ++} ++ ++ ++/** ++ * Send idmef message when finished with the Shellcode ++ * ++ */ ++void LogPrelude::handleShellcodeDone(Event *event) ++{ ++ logInfo("LogPrelude EVENT EV_SHELLCODE_DONE\n"); ++ 
++#ifdef HAVE_LIBPRELUDE ++ ++ ShellcodeHandler *handler = ((ShellcodeEvent *)event)->getShellcodeHandler(); ++ Socket *socket = ((ShellcodeEvent *)event)->getSocket(); ++ ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ string shellcodeText = "Shellcode detected: " + handler->getShellcodeHandlerName(); ++ add_idmef_object(idmef, "alert.classification.text", shellcodeText.c_str()); ++ // hl: added ident ++ add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE); ++ ++ // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ ++ ++ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); ++ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); ++ ++ uint32_t addr = socket->getRemoteHost(); ++ string address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes"); ++ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); ++ ++ addr = socket->getLocalHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Shellcode has been detected."); ++ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium"); ++// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); ++ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); ++ ++ ++ // hl: added for additional information ++ add_idmef_object(idmef, "alert.additional_data(0).type", "string"); ++ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Shellcode"); ++ add_idmef_object(idmef, 
"alert.additional_data(0).data", handler->getShellcodeHandlerName().c_str()); ++ ++ ++ idmef_time_t *time; ++ ++ ret = idmef_time_new_from_gettimeofday(&time); ++ idmef_alert_set_create_time(idmef_message_get_alert(idmef), ++ time); ++ ++ ++ // analyzer id ++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), ++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), ++ IDMEF_LIST_PREPEND); ++ ++ ++ prelude_client_send_idmef(m_PreludeClient, idmef); ++ ++// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); ++// const char *msgid = prelude_string_get_string(field); ++// logInfo("RecvMessageID = %s \n",msgid); ++ ++ idmef_message_destroy(idmef); ++#endif ++} ++ ++ ++/** ++ * ++ * handle submitted files ++ */ ++void LogPrelude::handleSubmission(Event *event) ++{ ++ SubmitEvent *se = (SubmitEvent *)event; ++ Download *down = se->getDownload(); ++ ++ logInfo("LogPrelude EVENT EV_SUBMISSION %s %s %i \n",down->getUrl().c_str(), ++ down->getMD5Sum().c_str(), ++ down->getDownloadBuffer()->getSize()); ++ ++#ifdef HAVE_LIBPRELUDE ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ ++ // generic information ++ // hl: changed submited to submitted, added ident ++ add_idmef_object(idmef, "alert.classification.text" ,"Malware submitted"); ++ add_idmef_object(idmef, "alert.classification.ident", EV_SUBMISSION); ++ ++ string url = "http://nepenthes.sf.net/wiki/submission/" + down->getMD5Sum(); ++ add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ add_idmef_object(idmef, "alert.classification.reference(0).url" ,url.c_str() ); ++ ++ ++ // file name and info ++ // hl: changed file tags because of DTD violation ++ add_idmef_object(idmef, "alert.target(0).file(0).name" ,down->getDownloadUrl()->getFile().c_str()); ++ add_idmef_object(idmef, "alert.target(0).file(0).path" ,down->getUrl().c_str()); ++ add_idmef_object(idmef, 
"alert.target(0).file(0).category" ,"current"); ++ add_idmef_object(idmef, "alert.target(0).file(0).ident" ,down->getMD5Sum().c_str()); ++ add_idmef_object(idmef, "alert.target(0).file(0).data_size" ,down->getDownloadBuffer()->getSize()); ++ ++ //hl: some debug stuff, prelude-manager doesnt write the checksums into xml ++ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5"); ++ //logInfo("LogPrelude DEBUG MD5 %i\n", ret); ++ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).value" ,down->getMD5Sum().c_str()); ++ //logInfo("LogPrelude DEBUG Hash %i\n", ret); ++ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).algorithm" ,"SHA2-512"); ++ //logInfo("LogPrelude DEBUG SHA %i\n", ret); ++ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).value" ,down->getSHA512Sum().c_str()); ++ //logInfo("LogPrelude DEBUG Hash %i\n", ret); ++ ++ uint32_t addr = down->getLocalHost(); ++ string address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ ++ // infection host ++ addr = down->getRemoteHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ // download source ++ add_idmef_object(idmef, "alert.source(0).Service.port", down->getDownloadUrl()->getPort()); ++ ++ /* hl: previous dirty workaround -> commented ++ string protocol; ++ if (down->getDownloadUrl()->getProtocol() == "tftp" ) ++ protocol = "UDP"; ++ else ++ protocol = "TCP"; ++ ++ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); ++ */ ++ ++ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); ++ // hl: not needed ++ //add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); ++ ++ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Malware stored for further 
analysis"); ++ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"high"); ++// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); ++ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); ++ ++ // time ++ idmef_time_t *time; ++ ret = idmef_time_new_from_gettimeofday(&time); ++ idmef_alert_set_create_time(idmef_message_get_alert(idmef), ++ time); ++ ++ ++ // analyzer id ++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), ++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), ++ IDMEF_LIST_PREPEND); ++ ++ ++ prelude_client_send_idmef(m_PreludeClient, idmef); ++ idmef_message_destroy(idmef); ++ ++#endif ++} ++ ++ ++ ++/** ++ * ++ * ++ * ++ */ ++void LogPrelude::handleDialogueAssignAndDone(Event *event) ++{ ++ logInfo("LogPrelude EVENT EV_ASSIGN_AND_DONE\n"); ++ ++#ifdef HAVE_LIBPRELUDE ++ ++ Dialogue *dia = ((DialogueEvent *)event)->getDialogue(); ++ Socket *socket = ((DialogueEvent *)event)->getSocket(); ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ ++ string attack = "Exploit attempt: " + dia->getDialogueName(); ++ ++ // generic information ++ add_idmef_object(idmef, "alert.classification.text", attack.c_str()); ++ // hl: added ident field ++ add_idmef_object(idmef, "alert.classification.ident", EV_DIALOGUE_ASSIGN_AND_DONE); ++ ++// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ ++ ++ // attacker ++ uint32_t addr = socket->getRemoteHost(); ++ string address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", address.c_str()); ++ ++ // target ++ addr = socket->getLocalHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", address.c_str()); ++ ++// string protocol; ++// if (down->getDownloadUrl()->getProtocol() == "tftp" ) ++// protocol = "UDP"; ++// else ++// protocol = "TCP"; ++// 
++// add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
++// add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
++// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
++
++ add_idmef_object(idmef, "alert.assessment.impact.description" ,"An exploit attempt is getting handled.");
++ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"low");
++// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
++ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
++
++
++ // hl: added
++ add_idmef_object(idmef, "alert.additional_data(0).type", "string");
++ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Dialogue");
++ add_idmef_object(idmef, "alert.additional_data(0).data", dia->getDialogueName().c_str());
++
++ // time
++ idmef_time_t *time;
++ ret = idmef_time_new_from_gettimeofday(&time);
++ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
++ time);
++
++
++ // analyzer id
++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
++ IDMEF_LIST_PREPEND);
++
++
++ prelude_client_send_idmef(m_PreludeClient, idmef);
++
++
++ idmef_message_destroy(idmef);
++
++#endif
++}
++
++
++
++
++
++
++/**
++ *
++ *
++ */
++void LogPrelude::handleDownload(Event *event)
++{
++ SubmitEvent *se = (SubmitEvent *)event;
++ Download *down = se->getDownload();
++ string url = se->getDownload()->getUrl();
++
++ se->getType();
++ logInfo("LogPrelude EVENT EV_DOWNLOAD %s %s %i \n",down->getUrl().c_str(),
++ down->getMD5Sum().c_str(),
++ down->getDownloadBuffer()->getSize());
++
++#ifdef HAVE_LIBPRELUDE
++
++ idmef_message_t *idmef;
++
++ int32_t ret = idmef_message_new(&idmef);
++ if ( ret < 0 )
++ return;
++
++ // generic information
++ // hl: changed message
++ string message = "possible Malware offered: " + down->getUrl();
++
++ add_idmef_object(idmef, "alert.classification.text", message.c_str());
++ // hl: changed to ident number
++ add_idmef_object(idmef, "alert.classification.ident", EV_DOWNLOAD);
++
++// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
++
++
++ // infection host
++ uint32_t addr = down->getRemoteHost();
++ string address = inet_ntoa(*(in_addr *)&addr);
++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
++ //target host
++ addr = down->getLocalHost();
++ address = inet_ntoa(*(in_addr *)&addr);
++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
++
++
++ // download source
++ // hl: removed protocol, added url
++ /*
++ string protocol;
++ if (down->getDownloadUrl()->getProtocol() == "tftp" )
++ protocol = "UDP";
++ else
++ protocol = "TCP";
++ */
++ add_idmef_object(idmef, "alert.source(0).Service.port" ,down->getDownloadUrl()->getPort());
++ //add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
++ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
++// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
++ add_idmef_object(idmef, "alert.assessment.impact.description" ,"Parsing the Shellcode has unrevealed a URL.");
++ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium");
++// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
++ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
++
++ // time
++ idmef_time_t *time;
++ ret = idmef_time_new_from_gettimeofday(&time);
++ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
++ time);
++
++
++ // analyzer id
++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
++ IDMEF_LIST_PREPEND);
++
++
++ prelude_client_send_idmef(m_PreludeClient, idmef);
++
++
++ idmef_message_destroy(idmef);
++#endif
++
++}
++
++
++
++extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
++{
++ if (version == MODULE_IFACE_VERSION) {
++ *module = new LogPrelude(nepenthes);
++ return 1;
++ } else {
++ return 0;
++ }
++}
+diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.hpp
+--- nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp 2006-11-13 20:40:08.000000000 +0100
++++ nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.hpp 2007-08-05 22:40:44.000000000 +0200
+@@ -30,7 +30,7 @@
+ #include "config.h"
+ 
+ #ifdef HAVE_LIBPRELUDE
+-#include
++#include
+ #endif
+ 
+ #include
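Review bot: The result of `idmef_time_new_from_gettimeofday(&time)` is assigned to `ret` but never tested in handleDialogueAssignAndDone and handleDownload (and in the tail of the preceding handler), so when it fails an uninitialized `idmef_time_t *` is handed to `idmef_alert_set_create_time` and the alert is still sent. Mirror the `idmef_message_new` guard already used a few lines above: `if ( idmef_time_new_from_gettimeofday(&time) < 0 ) { idmef_message_destroy(idmef); return; }`. The `add_idmef_object` return values are likewise discarded everywhere, so a failed path lookup silently yields an alert missing that field; the `ret =` assignments at the checksum lines capture it only to feed commented-out debug output, and at least the `alert.classification.*` results deserve a real check. In handleDownload, `string url = se->getDownload()->getUrl();` is unused and `se->getType();` has no effect, so both should go. This hunk begins before the visible chunk, and the `add_idmef_object` overload that accepts an integer (`EV_DOWNLOAD`, `getPort()`, `getSize()`) is not visible here, so I am assuming such an overload exists rather than an implicit int-to-pointer conversion.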