diff --git a/network/nepenthes/nepenthes-0.2.0-update-r1345.patch b/network/nepenthes/nepenthes-0.2.0-update-r1345.patch
new file mode 100644
index 000000000..87b321536
--- /dev/null
+++ b/network/nepenthes/nepenthes-0.2.0-update-r1345.patch
@@ -0,0 +1,4595 @@
+# --- SDE-COPYRIGHT-NOTE-BEGIN ---
+# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
+#
+# Filename: package/.../nepenthes/nepenthes-0.2.0-update-r1345.patch
+# Copyright (C) 2007 The OpenSDE Project
+#
+# More information can be found in the files COPYING and README.
+#
+# This patch file is dual-licensed. It is available under the license the
+# patched project is licensed under, as long as it is an OpenSource license
+# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
+# of the GNU General Public License as published by the Free Software
+# Foundation; either version 2 of the License, or (at your option) any later
+# version.
+# --- SDE-COPYRIGHT-NOTE-END ---
+
+diff -ruN nepenthes-0.2.0/conf/nepenthes.conf.dist nepenthes-0.2.0-r1345/conf/nepenthes.conf.dist
+--- nepenthes-0.2.0/conf/nepenthes.conf.dist 2006-11-13 20:40:03.000000000 +0100
++++ nepenthes-0.2.0-r1345/conf/nepenthes.conf.dist 2007-08-06 00:46:15.000000000 +0200
+@@ -35,10 +35,12 @@
+ // "submitnorman.so", "submit-norman.conf", ""
+ // "submitnepenthes.so", "submit-nepenthes.conf", "" // send to download-nepenthes in other nepenthes instances
+ // "submitxmlrpc.so", "submit-xmlrpc.conf", "" // submit files to a xmlrpc server
++// "submithttp.so", "submit-http.conf", "" // submit files to a web server
+ 
+ // logging
+ "logdownload.so", "log-download.conf", ""
+ // "logirc.so", "log-irc.conf", "" // needs configuration
++// "logprelude.so", "log-prelude.conf", ""
+ 
+ 
+ // dumping and logging
+diff -ruN nepenthes-0.2.0/configure.ac nepenthes-0.2.0-r1345/configure.ac
+--- nepenthes-0.2.0/configure.ac 2006-11-13 20:50:47.000000000 +0100
++++ nepenthes-0.2.0-r1345/configure.ac 2007-08-06 00:46:15.000000000 +0200
+@@ -201,6 +201,9 @@
+ # libdl
+ AC_SUBST([LIB_DL])
+ 
++# libssh
++AC_SUBST([LIB_SSH])
++
+ dnl **************************************************
+ dnl * libdl linking flag *
+ dnl 
**************************************************
+@@ -788,12 +791,11 @@
+ AC_DEFINE(HAVE_LIBPRELUDE, 1,[Define if you want to use libprelude])
+ PRELUDE_LDFLAGS=`$LIBPRELUDE_CONFIG --ldflags`
+ PRELUDE_LIBS=`$LIBPRELUDE_CONFIG --libs`
+- PRELUDE_CPPFLAGS=`$LIBPRELUDE_CONFIG --cflags`
++ PRELUDE_CPPFLAGS=`$LIBPRELUDE_CONFIG --pthread-cflags`
+ 
+ LIB_PRELUDE="$PRELUDE_LIBS"
+ LDFLAG_PRELUDE="$PRELUDE_LDFLAGS"
+- CPPFLAG="$PRELUDE_CPPFLAGS"
+-
++ CPPFLAGS="$CPPFLAGS $PRELUDE_CPPFLAGS"
+ fi
+ fi
+ 
+@@ -913,6 +915,8 @@
+ modules/submit-gotek/Makefile
+ modules/submit-norman/Makefile
+ modules/submit-postgres/Makefile
++ modules/submit-http/Makefile
++ modules/submit-mwserv/Makefile
+ modules/vuln-asn1/Makefile
+ modules/vuln-bagle/Makefile
+ modules/vuln-dameware/Makefile
+@@ -931,6 +935,7 @@
+ modules/vuln-pnp/Makefile
+ modules/vuln-realvnc/Makefile
+ modules/vuln-sasserftpd/Makefile
++ modules/vuln-sav/Makefile
+ modules/vuln-ssh/Makefile
+ modules/vuln-sub7/Makefile
+ modules/vuln-upnp/Makefile
+diff -ruN nepenthes-0.2.0/modules/Makefile.am nepenthes-0.2.0-r1345/modules/Makefile.am
+--- nepenthes-0.2.0/modules/Makefile.am 2006-11-13 20:40:11.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/Makefile.am 2007-08-06 00:46:15.000000000 +0200
+@@ -4,11 +4,11 @@
+ 
+ SUBDIRS = download-creceive download-csend download-curl download-ftp download-http download-link download-tftp download-rcp\
+ log-download log-irc \
+- submit-file submit-gotek submit-norman submit-postgres\
++ submit-file submit-gotek submit-norman submit-postgres submit-http submit-mwserv \
+ shellcode-generic shellemu-winnt \
+ vuln-asn1 vuln-bagle vuln-dcom vuln-iis vuln-kuang2 vuln-lsass \
+ vuln-msdtc vuln-msmq vuln-mssql vuln-mydoom \
+- vuln-netbiosname vuln-netdde vuln-optix vuln-pnp vuln-sasserftpd \
++ vuln-netbiosname vuln-netdde vuln-optix vuln-pnp vuln-sasserftpd vuln-sav \
+ vuln-sub7 vuln-upnp vuln-veritas vuln-wins vuln-dameware vuln-ssh vuln-realvnc \
+ module-portwatch module-honeytrap 
module-bridge module-peiros\
+ dnsresolve-adns \
+diff -ruN nepenthes-0.2.0/modules/dnsresolve-adns/Makefile.am nepenthes-0.2.0-r1345/modules/dnsresolve-adns/Makefile.am
+--- nepenthes-0.2.0/modules/dnsresolve-adns/Makefile.am 2006-11-13 20:40:10.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/dnsresolve-adns/Makefile.am 2007-08-06 00:46:15.000000000 +0200
+@@ -12,4 +12,4 @@
+ 
+ dnsresolveadns_la_SOURCES = dnsresolve-adns.cpp dnsresolve-adns.hpp
+ 
+-dnsresolveadns_la_LDFLAGS = -module -no-undefined -avoid-version
++dnsresolveadns_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
+diff -ruN nepenthes-0.2.0/modules/dnsresolve-adns/dnsresolve-adns.cpp nepenthes-0.2.0-r1345/modules/dnsresolve-adns/dnsresolve-adns.cpp
+--- nepenthes-0.2.0/modules/dnsresolve-adns/dnsresolve-adns.cpp 2006-11-13 20:40:10.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/dnsresolve-adns/dnsresolve-adns.cpp 2007-08-06 00:46:15.000000000 +0200
+@@ -47,6 +47,7 @@
+ 
+ 
+ #include "EventManager.hpp"
++#include "Nepenthes.hpp"
+ 
+ using namespace std;
+ 
+diff -ruN nepenthes-0.2.0/modules/download-creceive/CReceiveDialogue.cpp nepenthes-0.2.0-r1345/modules/download-creceive/CReceiveDialogue.cpp
+--- nepenthes-0.2.0/modules/download-creceive/CReceiveDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/download-creceive/CReceiveDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
+@@ -87,7 +87,7 @@
+ 
+ CReceiveDialogue::~CReceiveDialogue()
+ {
+-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
++// HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+ // delete m_Buffer;
+ delete m_Download;
+ }
+diff -ruN nepenthes-0.2.0/modules/download-curl/Makefile.am nepenthes-0.2.0-r1345/modules/download-curl/Makefile.am
+--- nepenthes-0.2.0/modules/download-curl/Makefile.am 2006-11-13 20:40:06.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/download-curl/Makefile.am 2007-08-06 00:46:15.000000000 
+0200
+@@ -12,4 +12,4 @@
+ 
+ downloadcurl_la_SOURCES = download-curl.conf.dist download-curl.hpp download-curl.cpp
+ 
+-downloadcurl_la_LDFLAGS = -module -no-undefined -avoid-version
++downloadcurl_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
+diff -ruN nepenthes-0.2.0/modules/download-curl/download-curl.cpp nepenthes-0.2.0-r1345/modules/download-curl/download-curl.cpp
+--- nepenthes-0.2.0/modules/download-curl/download-curl.cpp 2006-11-13 20:40:06.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/download-curl/download-curl.cpp 2007-08-06 00:46:15.000000000 +0200
+@@ -230,7 +230,9 @@
+ down->getDownloadUrl()->getPort(),
+ down->getDownloadUrl()->getPath().c_str());
+ // string auth = down->getDownloadUrl()->getUser() + ":" + down->getDownloadUrl()->getPass();
++#if LIBCURL_VERSION_NUM < 0x071000
+ curl_easy_setopt(pCurlHandle, CURLOPT_SOURCE_USERPWD,(char *)down->getDownloadUrl()->getAuth().c_str());
++#endif
+ curl_easy_setopt(pCurlHandle, CURLOPT_USERPWD,(char *)down->getDownloadUrl()->getAuth().c_str());
+ curl_easy_setopt(pCurlHandle, CURLOPT_URL , url);
+ curl_easy_setopt(pCurlHandle, CURLOPT_FTP_RESPONSE_TIMEOUT, 120); // 2 min ftp timeout
+diff -ruN nepenthes-0.2.0/modules/download-http/HTTPDialogue.cpp nepenthes-0.2.0-r1345/modules/download-http/HTTPDialogue.cpp
+--- nepenthes-0.2.0/modules/download-http/HTTPDialogue.cpp 2006-11-13 20:40:04.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/download-http/HTTPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
+@@ -178,7 +178,7 @@
+ if ( end == NULL )
+ {
+ logWarn("HTTP ERROR header found %i\n", size);
+- g_Nepenthes->getUtilities()->hexdump((byte *)start,size);
++// g_Nepenthes->getUtilities()->hexdump((byte *)start,size);
+ return CL_DROP;
+ }else
+ if ( end != NULL )
+diff -ruN nepenthes-0.2.0/modules/download-link/LinkDialogue.cpp nepenthes-0.2.0-r1345/modules/download-link/LinkDialogue.cpp
+--- nepenthes-0.2.0/modules/download-link/LinkDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/download-link/LinkDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
+@@ -122,7 +122,7 @@
+ case LINK_NULL:
+ {
+ m_Buffer->add(msg->getMsg(),msg->getSize());
+-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
++// HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+ msg->getResponder()->doRespond((char *)&m_Challenge,4);
+ 
+ m_State = LINK_FILE;
+diff -ruN nepenthes-0.2.0/modules/log-irc/log-irc.cpp nepenthes-0.2.0-r1345/modules/log-irc/log-irc.cpp
+--- nepenthes-0.2.0/modules/log-irc/log-irc.cpp 2006-11-13 20:40:09.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/log-irc/log-irc.cpp 2007-08-06 00:46:15.000000000 +0200
+@@ -171,7 +171,7 @@
+ }
+ // m_Nepenthes->getSocketMgr()->bindTCPSocket(0,10002,0,45,this);
+ 
+- g_Nepenthes->getLogMgr()->addLogger(this,l_dl|l_sub);
++ g_Nepenthes->getLogMgr()->addLogger(this,l_all);
+ return true;
+ }
+ 
+diff -ruN nepenthes-0.2.0/modules/log-prelude/Makefile.am nepenthes-0.2.0-r1345/modules/log-prelude/Makefile.am
+--- nepenthes-0.2.0/modules/log-prelude/Makefile.am 2006-11-13 20:40:08.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/log-prelude/Makefile.am 2007-08-06 00:46:15.000000000 +0200
+@@ -4,7 +4,7 @@
+ 
+ AUTOMAKE_OPTIONS = foreign
+ 
+-AM_CPPFLAGS = -I/usr/include/libprelude -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE $(CPPFLAG_PRELUDE)
++AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
+ AM_CXXFLAGS = -Wall
+ AM_LDFLAGS = $(LDFLAG_PRELUDE) ${LIB_PRELUDE}
+ 
+@@ -12,5 +12,5 @@
+ 
+ logprelude_la_SOURCES = log-prelude.cpp log-prelude.hpp log-prelude.conf.dist
+ 
+-logprelude_la_LDFLAGS = -module -no-undefined -avoid-version
++logprelude_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
+ 
+diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist 
nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.conf.dist
+--- nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist 2006-11-13 20:40:08.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.conf.dist 2007-08-06 00:46:15.000000000 +0200
+@@ -1,7 +1,9 @@
+ log-prelude
+ {
+- analyzerClass "NIDS";
+- analyzerModel "nepenthes";
+- analyzerName "nepenthes";
+-
++
++ // Name of the Prelude analyzer to use (default is nepenthes).
++ // analyzerName "nepenthes";
++
++ // Name of the Prelude profile to use (default is nepenthes).
++ // analyzerProfile "nepenthes";
+ };
+diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp
+--- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp 2006-11-13 20:40:08.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp 2007-08-06 00:48:07.000000000 +0200
+@@ -27,14 +27,6 @@
+ 
+ /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */
+ 
+-#ifdef HAVE_LIBPRELUDE
+-#include
+-#include
+-#include
+-#include
+-#include
+-#endif
+-
+ #include
+ #include "log-prelude.hpp"
+ #include "Nepenthes.hpp"
+@@ -63,7 +55,11 @@
+ 
+ #define STDTAGS l_mod | l_ev | l_hlr
+ #define ANALYZER_MANUFACTURER "http://nepenthes.sf.net"
+-#define NEPENTHES_VERSION "$Rev: 550 $"
++#define DEFAULT_ANALYZER_NAME "nepenthes"
++#define DEFAULT_ANALYZER_PROFILE "nepenthes"
++#define ANALYZER_MODEL "Nepenthes"
++#define ANALYZER_CLASS "Honeypot"
++#define ANALYZER_MANUFACTURER "http://nepenthes.mwcollect.org/"
+ 
+ 
+ 
+@@ -132,28 +128,21 @@
+ 
+ #ifdef HAVE_LIBPRELUDE
+ 
+- if ( m_Config == NULL )
+- {
+- logCrit("I need a config\n");
+- return false;
+- }
+-
+- string analyzerClass;
+- string analyzerModel;
+ string analyzerName;
+-
+- try
+- {
+- analyzerClass = (m_Config->getValString("log-prelude.analyzerClass"));
+- analyzerModel = m_Config->getValString("log-prelude.analyzerModel");
+- analyzerName = 
m_Config->getValString("log-prelude.analyzerName");
+-
+- } catch ( ... )
+- {
+- logCrit("Error setting needed vars, check your config\n");
+- return false;
+- }
+-
++ string analyzerProfile;
++
++ try {
++ analyzerName = m_Config->getValString("log-prelude.analyzerName");
++ } catch ( ... ) {
++ analyzerName = DEFAULT_ANALYZER_NAME;
++ }
++
++ try {
++ analyzerProfile = m_Config->getValString("log-prelude.analyzerProfile");
++ } catch ( ... ) {
++ analyzerProfile = DEFAULT_ANALYZER_PROFILE;
++ }
++
+ m_ModuleManager = m_Nepenthes->getModuleMgr();
+ m_Events.set(EV_SOCK_TCP_ACCEPT);
+ m_Events.set(EV_SOCK_TCP_CLOSE);
+@@ -163,44 +152,39 @@
+ m_Events.set(EV_DOWNLOAD);
+ m_Events.set(EV_SUBMISSION);
+ 
+-
+- const char *profile, *config;
+-
+- config = NULL;
+- profile = analyzerName.c_str();
+-
+-
+-
+-
+ int32_t ret;
+ // Initialize Prelude Library
+ ret = prelude_init(NULL, NULL);
+- if ( ret < 0 )
++ if ( ret < 0 ) {
+ logCrit("%s: Unable to initialize the Prelude library: %s.\n",
+ prelude_strsource(ret),
+ prelude_strerror(ret));
++ return false;
++ }
+ 
+ // generate a new Prelude client
+- ret = prelude_client_new(&m_PreludeClient, profile);
++ ret = prelude_client_new(&m_PreludeClient, analyzerProfile.c_str());
+ 
+- if ( ret < 0 )
++ if ( ret < 0 ) {
+ logCrit("%s: Unable to create a prelude client object: %s.\n",
+ prelude_strsource(ret),
+ prelude_strerror(ret));
++ return false;
++ }
+ 
+-
++ 
+ // set options in the analyzer-part of the client
+ prelude_string_t *string;
+ 
+- ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string);
++ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string);
+ if ( ret < 0 )
+ return false;
+- prelude_string_set_constant(string, analyzerModel.c_str());
+-
++ prelude_string_set_constant(string, ANALYZER_CLASS);
++
++ ret = 
idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string);
+ if ( ret < 0 )
+ return false;
+- prelude_string_set_constant(string, analyzerClass.c_str());
++ prelude_string_set_constant(string, ANALYZER_MODEL);
+ 
+ ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string);
+ if ( ret < 0 )
+@@ -209,28 +193,31 @@
+ 
+ ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string);
+ if ( ret < 0 )
+- return false;
+-
+- prelude_string_set_constant(string, NEPENTHES_VERSION);
++ return false;
++ prelude_string_set_constant(string, VERSION);
+ 
+-// start the Prelude Client
++ ret = idmef_analyzer_new_name(prelude_client_get_analyzer(m_PreludeClient), &string);
++ if ( ret < 0 )
++ return false;
++ prelude_string_set_dup(string, analyzerName.c_str());
++
++ // start the Prelude Client
+ ret = prelude_client_start(m_PreludeClient);
+ if ( ret < 0 )
+ {
+- if ( prelude_client_is_setup_needed(ret) )
+- prelude_client_print_setup_error(m_PreludeClient);
+-
+ logCrit("%s: Unable to initialize prelude client: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
++ return false;
+ }
+ 
+-// set async Prelude Flags for the client, makes the application multithreaded
+- ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
+- if ( ret < 0 )
++ // set async Prelude Flags for the client, makes the application multithreaded
++ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
++ if ( ret < 0 ) {
+ logCrit("%s: Unable to set asynchronous send and timer: %s.\n",
+ prelude_strsource(ret),
+ prelude_strerror(ret));
+-
++ return false;
++ }
+ 
+ REG_EVENT_HANDLER(this);
+ return true;
+@@ -274,7 +261,7 @@
+ idmef_value_t *val;
+ idmef_path_t *path;
+ 
+- ret = 
idmef_path_new(&path, object);
++ ret = idmef_path_new_fast(&path, object);
+ if ( ret < 0 )
+ {
+ logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret));
+@@ -376,7 +363,6 @@
+ 
+ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established");
+ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT);
+-// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
+ 
+ 
+ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
+@@ -449,7 +435,6 @@
+ 
+ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed");
+ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE);
+-// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
+ 
+ 
+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
+@@ -515,7 +500,6 @@
+ // hl: added ident
+ add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE);
+ 
+- // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
+ 
+ 
+ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
+diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp~
+--- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ 1970-01-01 01:00:00.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp~ 2006-11-13 20:40:08.000000000 +0100
+@@ -0,0 +1,857 @@
++/********************************************************************************
++ * Nepenthes
++ * - finest collection -
++ *
++ *
++ *
++ * Copyright (C) 2005 Paul Baecher & Markus Koetter
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License
++ * as published by the Free Software Foundation; either version 2
++ * of the License, or (at your option) any later version. 
++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++ /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */ ++ ++#ifdef HAVE_LIBPRELUDE ++#include ++#include ++#include ++#include ++#include ++#endif ++ ++#include ++#include "log-prelude.hpp" ++#include "Nepenthes.hpp" ++#include "LogManager.hpp" ++#include "EventManager.hpp" ++#include "SubmitEvent.hpp" ++ ++#include "Download.hpp" ++#include "DownloadUrl.hpp" ++#include "DownloadBuffer.hpp" ++ ++#include "Socket.hpp" ++#include "SocketEvent.hpp" ++ ++#include "Message.hpp" ++#include "Utilities.hpp" ++#include "Config.hpp" ++#include "ShellcodeHandler.hpp" ++ ++ ++using namespace nepenthes; ++ ++#ifdef STDTAGS ++#undef STDTAGS ++#endif ++ ++#define STDTAGS l_mod | l_ev | l_hlr ++#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net" ++#define NEPENTHES_VERSION "$Rev: 550 $" ++ ++ ++ ++/** ++ * as we may need a global pointer to our Nepenthes in our modules, ++ * and cant access the cores global pointer to nepenthes ++ * we have to use a own global pointer to nepenthes per module ++ * we need this pointer for logInfo() etc ++ */ ++Nepenthes *g_Nepenthes; ++ ++/** ++ * Constructor ++ * creates a new LogPrelude Module, where x% is public Module, public EventHandler ++ * - sets the ModuleName ++ * - sets the ModuleDescription ++ * - sets the EventHandlerName ++ * - sets the EventHandlerDescription ++ * - sets the EventHandlers Timeout ++ 
* - sets the Modules global pointer to the Nepenthes ++ * ++ * @param nepenthes pointer to our nepenthes master class ++ */ ++LogPrelude::LogPrelude(Nepenthes *nepenthes) ++{ ++ m_ModuleName = "log-prelude"; ++ m_ModuleDescription = "event based prelude logger"; ++ m_ModuleRevision = "$Rev: 550 $"; ++ m_Nepenthes = nepenthes; ++ ++ m_EventHandlerName = "LogPreludeEventHandler"; ++ m_EventHandlerDescription = "log events to a prelude database"; ++ ++// m_Timeout = time(NULL) + rand()%23; ++ ++ g_Nepenthes = nepenthes; ++ ++#ifdef HAVE_LIBPRELUDE ++ m_PreludeClient = NULL; ++#endif ++} ++ ++ ++/** ++ * exerything important happens in ::Exit() as we have a return value there ++ */ ++LogPrelude::~LogPrelude() ++{ ++ ++} ++ ++ ++ ++/** ++ * bool Module::Init() ++ * setup Module specific values ++ * here: ++ * - register as EventHandler ++ * - set wanted events ++ * ++ * @return returns true if everything was fine, else false ++ * returning false will showup errors in warning a module ++ */ ++bool LogPrelude::Init() ++{ ++ ++#ifdef HAVE_LIBPRELUDE ++ ++ if ( m_Config == NULL ) ++ { ++ logCrit("I need a config\n"); ++ return false; ++ } ++ ++ string analyzerClass; ++ string analyzerModel; ++ string analyzerName; ++ ++ try ++ { ++ analyzerClass = (m_Config->getValString("log-prelude.analyzerClass")); ++ analyzerModel = m_Config->getValString("log-prelude.analyzerModel"); ++ analyzerName = m_Config->getValString("log-prelude.analyzerName"); ++ ++ } catch ( ... 
) ++ { ++ logCrit("Error setting needed vars, check your config\n"); ++ return false; ++ } ++ ++ m_ModuleManager = m_Nepenthes->getModuleMgr(); ++ m_Events.set(EV_SOCK_TCP_ACCEPT); ++ m_Events.set(EV_SOCK_TCP_CLOSE); ++ m_Events.set(EV_DIALOGUE_ASSIGN_AND_DONE); ++ m_Events.set(EV_SHELLCODE_DONE); ++ ++ m_Events.set(EV_DOWNLOAD); ++ m_Events.set(EV_SUBMISSION); ++ ++ ++ const char *profile, *config; ++ ++ config = NULL; ++ profile = analyzerName.c_str(); ++ ++ ++ ++ ++ int32_t ret; ++// Initialize Prelude Library ++ ret = prelude_init(NULL, NULL); ++ if ( ret < 0 ) ++ logCrit("%s: Unable to initialize the Prelude library: %s.\n", ++ prelude_strsource(ret), ++ prelude_strerror(ret)); ++ ++// generate a new Prelude client ++ ret = prelude_client_new(&m_PreludeClient, profile); ++ ++ if ( ret < 0 ) ++ logCrit("%s: Unable to create a prelude client object: %s.\n", ++ prelude_strsource(ret), ++ prelude_strerror(ret)); ++ ++ ++ // set options in the analyzer-part of the client ++ prelude_string_t *string; ++ ++ ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); ++ if ( ret < 0 ) ++ return false; ++ prelude_string_set_constant(string, analyzerModel.c_str()); ++ ++ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); ++ if ( ret < 0 ) ++ return false; ++ prelude_string_set_constant(string, analyzerClass.c_str()); ++ ++ ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string); ++ if ( ret < 0 ) ++ return false; ++ prelude_string_set_constant(string, ANALYZER_MANUFACTURER); ++ ++ ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string); ++ if ( ret < 0 ) ++ return false; ++ ++ prelude_string_set_constant(string, NEPENTHES_VERSION); ++ ++// start the Prelude Client ++ ret = prelude_client_start(m_PreludeClient); ++ if ( ret < 0 ) ++ { ++ if ( prelude_client_is_setup_needed(ret) ) ++ prelude_client_print_setup_error(m_PreludeClient); ++ ++ 
logCrit("%s: Unable to initialize prelude client: %s.\n", ++ prelude_strsource(ret), prelude_strerror(ret)); ++ } ++ ++// set async Prelude Flags for the client, makes the application multithreaded ++ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); ++ if ( ret < 0 ) ++ logCrit("%s: Unable to set asynchronous send and timer: %s.\n", ++ prelude_strsource(ret), ++ prelude_strerror(ret)); ++ ++ ++ REG_EVENT_HANDLER(this); ++ return true; ++#else ++ logCrit("Module log-prelude is compiled without libprelude, this wont work, reconfigure the whole source and recompile"); ++ return false; ++#endif ++ ++} ++ ++ ++/** ++ * unregister as EventHandler, destroy the Prelude Client ++ * ++ * @return returns true if everything was fine ++ */ ++bool LogPrelude::Exit() ++{ ++#ifdef HAVE_LIBPRELUDE ++ if( m_PreludeClient != NULL) ++ { ++ prelude_client_destroy(m_PreludeClient, (prelude_client_exit_status_t)(PRELUDE_CLIENT_EXIT_STATUS_SUCCESS)); ++ prelude_deinit(); ++ } ++ // disabled by harald due to segfaults ++ //UNREG_EVENT_HANDLER(this); ++#endif ++ return true; ++} ++ ++ ++ ++/** ++ * This function adds char * idmef values into an idmef message ++ * ++ */ ++#ifdef HAVE_LIBPRELUDE ++int32_t add_idmef_object(idmef_message_t *message, const char *object, const char *value) ++{ ++ int32_t ret=0; ++ idmef_value_t *val; ++ idmef_path_t *path; ++ ++ ret = idmef_path_new(&path, object); ++ if ( ret < 0 ) ++ { ++ logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); ++ return -1; ++ } ++ ++ ret = idmef_value_new_from_path(&val, path, value); ++ if ( ret < 0 ) ++ { ++ idmef_path_destroy(path); ++ logWarn("imdef error #2 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); ++ return -1; ++ } ++ ++ ret = idmef_path_set(path, message, val); ++ ++ idmef_value_destroy(val); ++ idmef_path_destroy(path); ++ return ret; ++} ++ 
++ ++/** ++ * ++ * This function adds int32_t idmef values into an idmef message ++ */ ++int32_t add_idmef_object(idmef_message_t *message, const char *object, int32_t i) ++{ ++ char value[20]; ++ memset(value,0,20); ++ snprintf(value,19,"%i",i); ++ return add_idmef_object(message,object,value); ++} ++ ++#endif ++ ++ ++/** ++ * the handleEvent method is called whenever an event occurs ++ * the EventHandler wanted to have. ++ * ++ * @param event the Event ++ * ++ * @return return 0 ++ */ ++uint32_t LogPrelude::handleEvent(Event *event) ++{ ++// logPF(); ++// logInfo("Event %i\n",event->getType()); ++ switch(event->getType()) ++ { ++ ++ case EV_SOCK_TCP_ACCEPT: ++ handleTCPaccept(event); ++ break; ++ ++ case EV_SOCK_TCP_CLOSE: ++ handleTCPclose(event); ++ break; ++ ++ case EV_SUBMISSION: ++ handleSubmission(event); ++ break; ++ ++ case EV_DIALOGUE_ASSIGN_AND_DONE: ++ handleDialogueAssignAndDone(event); ++ break; ++ ++ case EV_SHELLCODE_DONE: ++ handleShellcodeDone(event); ++ break; ++ ++ ++ case EV_DOWNLOAD: ++ handleDownload(event); ++ break; ++ ++ default: ++ logWarn("this should not happen\n"); ++ } ++ return 0; ++} ++ ++ ++void LogPrelude::handleTCPaccept(Event *event) ++{ ++ ++ ++ logInfo("LogPrelude EVENT EV_SOCK_TCP_ACCEPT\n"); ++ ++#ifdef HAVE_LIBPRELUDE ++ Socket *socket = ((SocketEvent *)event)->getSocket(); ++ ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ ++ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established"); ++ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT); ++// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ ++ ++ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); ++ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); ++ ++ uint32_t addr = socket->getRemoteHost(); ++ string address = 
inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes"); ++ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); ++ ++ addr = socket->getLocalHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ ++ ++ idmef_time_t *time; ++ ++ ret = idmef_time_new_from_gettimeofday(&time); ++ idmef_alert_set_create_time(idmef_message_get_alert(idmef), ++ time); ++ ++ ++ // analyzer id ++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), ++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), ++ IDMEF_LIST_PREPEND); ++ ++ ++ prelude_client_send_idmef(m_PreludeClient, idmef); ++ ++ //prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); ++ //const char *msgid = prelude_string_get_string(field); ++ ++ //logInfo("PreludeMessageID = %s \n",msgid); ++ ++ idmef_message_destroy(idmef); ++#endif ++} ++ ++ ++ ++ ++void LogPrelude::handleTCPclose(Event *event) ++{ ++ ++ Socket *socket = ((SocketEvent *)event)->getSocket(); ++ ++ if (! 
socket->isAccept()) ++ { ++ return; ++ } ++ ++ logInfo("LogPrelude EVENT EV_SOCK_TCP_CLOSE\n"); ++ ++#ifdef HAVE_LIBPRELUDE ++ ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ ++ ++ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed"); ++ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE); ++// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ ++ ++ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); ++ ++ uint32_t addr = socket->getRemoteHost(); ++ string address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); ++ ++ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); ++ ++ addr = socket->getLocalHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",address.c_str()); ++ ++ idmef_time_t *time; ++ ++ ret = idmef_time_new_from_gettimeofday(&time); ++ idmef_alert_set_create_time(idmef_message_get_alert(idmef), ++ time); ++ ++ ++ // analyzer id ++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), ++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), ++ IDMEF_LIST_PREPEND); ++ ++ ++ prelude_client_send_idmef(m_PreludeClient, idmef); ++ ++// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); ++// const char *msgid = prelude_string_get_string(field); ++ ++// logInfo("CloseMessageID = %s \n",msgid); ++ ++ idmef_message_destroy(idmef); ++ ++#endif ++} ++ ++ ++/** ++ * Send idmef message when finished with the Shellcode ++ * ++ */ ++void LogPrelude::handleShellcodeDone(Event *event) ++{ ++ logInfo("LogPrelude EVENT EV_SHELLCODE_DONE\n"); ++ 
++#ifdef HAVE_LIBPRELUDE ++ ++ ShellcodeHandler *handler = ((ShellcodeEvent *)event)->getShellcodeHandler(); ++ Socket *socket = ((ShellcodeEvent *)event)->getSocket(); ++ ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ string shellcodeText = "Shellcode detected: " + handler->getShellcodeHandlerName(); ++ add_idmef_object(idmef, "alert.classification.text", shellcodeText.c_str()); ++ // hl: added ident ++ add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE); ++ ++ // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ ++ ++ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); ++ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); ++ ++ uint32_t addr = socket->getRemoteHost(); ++ string address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes"); ++ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); ++ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); ++ ++ addr = socket->getLocalHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Shellcode has been detected."); ++ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium"); ++// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); ++ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); ++ ++ ++ // hl: added for additional information ++ add_idmef_object(idmef, "alert.additional_data(0).type", "string"); ++ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Shellcode"); ++ add_idmef_object(idmef, 
"alert.additional_data(0).data", handler->getShellcodeHandlerName().c_str()); ++ ++ ++ idmef_time_t *time; ++ ++ ret = idmef_time_new_from_gettimeofday(&time); ++ idmef_alert_set_create_time(idmef_message_get_alert(idmef), ++ time); ++ ++ ++ // analyzer id ++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), ++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), ++ IDMEF_LIST_PREPEND); ++ ++ ++ prelude_client_send_idmef(m_PreludeClient, idmef); ++ ++// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); ++// const char *msgid = prelude_string_get_string(field); ++// logInfo("RecvMessageID = %s \n",msgid); ++ ++ idmef_message_destroy(idmef); ++#endif ++} ++ ++ ++/** ++ * ++ * handle submitted files ++ */ ++void LogPrelude::handleSubmission(Event *event) ++{ ++ SubmitEvent *se = (SubmitEvent *)event; ++ Download *down = se->getDownload(); ++ ++ logInfo("LogPrelude EVENT EV_SUBMISSION %s %s %i \n",down->getUrl().c_str(), ++ down->getMD5Sum().c_str(), ++ down->getDownloadBuffer()->getSize()); ++ ++#ifdef HAVE_LIBPRELUDE ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ ++ // generic information ++ // hl: changed submited to submitted, added ident ++ add_idmef_object(idmef, "alert.classification.text" ,"Malware submitted"); ++ add_idmef_object(idmef, "alert.classification.ident", EV_SUBMISSION); ++ ++ string url = "http://nepenthes.sf.net/wiki/submission/" + down->getMD5Sum(); ++ add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ add_idmef_object(idmef, "alert.classification.reference(0).url" ,url.c_str() ); ++ ++ ++ // file name and info ++ // hl: changed file tags because of DTD violation ++ add_idmef_object(idmef, "alert.target(0).file(0).name" ,down->getDownloadUrl()->getFile().c_str()); ++ add_idmef_object(idmef, "alert.target(0).file(0).path" ,down->getUrl().c_str()); ++ add_idmef_object(idmef, 
"alert.target(0).file(0).category" ,"current"); ++ add_idmef_object(idmef, "alert.target(0).file(0).ident" ,down->getMD5Sum().c_str()); ++ add_idmef_object(idmef, "alert.target(0).file(0).data_size" ,down->getDownloadBuffer()->getSize()); ++ ++ //hl: some debug stuff, prelude-manager doesnt write the checksums into xml ++ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5"); ++ //logInfo("LogPrelude DEBUG MD5 %i\n", ret); ++ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).value" ,down->getMD5Sum().c_str()); ++ //logInfo("LogPrelude DEBUG Hash %i\n", ret); ++ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).algorithm" ,"SHA2-512"); ++ //logInfo("LogPrelude DEBUG SHA %i\n", ret); ++ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).value" ,down->getSHA512Sum().c_str()); ++ //logInfo("LogPrelude DEBUG Hash %i\n", ret); ++ ++ uint32_t addr = down->getLocalHost(); ++ string address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ ++ // infection host ++ addr = down->getRemoteHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ // download source ++ add_idmef_object(idmef, "alert.source(0).Service.port", down->getDownloadUrl()->getPort()); ++ ++ /* hl: previous dirty workaround -> commented ++ string protocol; ++ if (down->getDownloadUrl()->getProtocol() == "tftp" ) ++ protocol = "UDP"; ++ else ++ protocol = "TCP"; ++ ++ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); ++ */ ++ ++ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); ++ // hl: not needed ++ //add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); ++ ++ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Malware stored for further 
analysis"); ++ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"high"); ++// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); ++ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); ++ ++ // time ++ idmef_time_t *time; ++ ret = idmef_time_new_from_gettimeofday(&time); ++ idmef_alert_set_create_time(idmef_message_get_alert(idmef), ++ time); ++ ++ ++ // analyzer id ++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), ++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), ++ IDMEF_LIST_PREPEND); ++ ++ ++ prelude_client_send_idmef(m_PreludeClient, idmef); ++ idmef_message_destroy(idmef); ++ ++#endif ++} ++ ++ ++ ++/** ++ * ++ * ++ * ++ */ ++void LogPrelude::handleDialogueAssignAndDone(Event *event) ++{ ++ logInfo("LogPrelude EVENT EV_ASSIGN_AND_DONE\n"); ++ ++#ifdef HAVE_LIBPRELUDE ++ ++ Dialogue *dia = ((DialogueEvent *)event)->getDialogue(); ++ Socket *socket = ((DialogueEvent *)event)->getSocket(); ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ ++ string attack = "Exploit attempt: " + dia->getDialogueName(); ++ ++ // generic information ++ add_idmef_object(idmef, "alert.classification.text", attack.c_str()); ++ // hl: added ident field ++ add_idmef_object(idmef, "alert.classification.ident", EV_DIALOGUE_ASSIGN_AND_DONE); ++ ++// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ ++ ++ // attacker ++ uint32_t addr = socket->getRemoteHost(); ++ string address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", address.c_str()); ++ ++ // target ++ addr = socket->getLocalHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", address.c_str()); ++ ++// string protocol; ++// if (down->getDownloadUrl()->getProtocol() == "tftp" ) ++// protocol = "UDP"; ++// else ++// protocol = "TCP"; ++// 
++// add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); ++// add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); ++// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); ++ ++ add_idmef_object(idmef, "alert.assessment.impact.description" ,"An exploit attempt is getting handled."); ++ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"low"); ++// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); ++ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); ++ ++ ++ // hl: added ++ add_idmef_object(idmef, "alert.additional_data(0).type", "string"); ++ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Dialogue"); ++ add_idmef_object(idmef, "alert.additional_data(0).data", dia->getDialogueName().c_str()); ++ ++ // time ++ idmef_time_t *time; ++ ret = idmef_time_new_from_gettimeofday(&time); ++ idmef_alert_set_create_time(idmef_message_get_alert(idmef), ++ time); ++ ++ ++ // analyzer id ++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), ++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), ++ IDMEF_LIST_PREPEND); ++ ++ ++ prelude_client_send_idmef(m_PreludeClient, idmef); ++ ++ ++ idmef_message_destroy(idmef); ++ ++#endif ++} ++ ++ ++ ++ ++ ++ ++/** ++ * ++ * ++ */ ++void LogPrelude::handleDownload(Event *event) ++{ ++ SubmitEvent *se = (SubmitEvent *)event; ++ Download *down = se->getDownload(); ++ string url = se->getDownload()->getUrl(); ++ ++ se->getType(); ++ logInfo("LogPrelude EVENT EV_DOWNLOAD %s %s %i \n",down->getUrl().c_str(), ++ down->getMD5Sum().c_str(), ++ down->getDownloadBuffer()->getSize()); ++ ++#ifdef HAVE_LIBPRELUDE ++ ++ idmef_message_t *idmef; ++ ++ int32_t ret = idmef_message_new(&idmef); ++ if ( ret < 0 ) ++ return; ++ ++ // generic information ++ // hl: changed message ++ string message = "possible Malware offered: " + down->getUrl(); ++ ++ add_idmef_object(idmef, 
"alert.classification.text", message.c_str()); ++ // hl: changed to ident number ++ add_idmef_object(idmef, "alert.classification.ident", EV_DOWNLOAD); ++ ++// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); ++ ++ ++ // infection host ++ uint32_t addr = down->getRemoteHost(); ++ string address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); ++ //target host ++ addr = down->getLocalHost(); ++ address = inet_ntoa(*(in_addr *)&addr); ++ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); ++ ++ ++ // download source ++ // hl: removed protocol, added url ++ /* ++ string protocol; ++ if (down->getDownloadUrl()->getProtocol() == "tftp" ) ++ protocol = "UDP"; ++ else ++ protocol = "TCP"; ++ */ ++ add_idmef_object(idmef, "alert.source(0).Service.port" ,down->getDownloadUrl()->getPort()); ++ //add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); ++ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); ++// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); ++ add_idmef_object(idmef, "alert.assessment.impact.description" ,"Parsing the Shellcode has unrevealed a URL."); ++ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium"); ++// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); ++ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); ++ ++ // time ++ idmef_time_t *time; ++ ret = idmef_time_new_from_gettimeofday(&time); ++ idmef_alert_set_create_time(idmef_message_get_alert(idmef), ++ time); ++ ++ ++ // analyzer id ++ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), ++ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), ++ IDMEF_LIST_PREPEND); ++ ++ ++ prelude_client_send_idmef(m_PreludeClient, idmef); ++ ++ ++ idmef_message_destroy(idmef); ++#endif ++ ++} ++ ++ 
++ ++extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) ++{ ++ if (version == MODULE_IFACE_VERSION) { ++ *module = new LogPrelude(nepenthes); ++ return 1; ++ } else { ++ return 0; ++ } ++} +diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.hpp +--- nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp 2006-11-13 20:40:08.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -30,7 +30,7 @@ + #include "config.h" + + #ifdef HAVE_LIBPRELUDE +-#include ++#include + #endif + + #include +diff -ruN nepenthes-0.2.0/modules/log-surfnet/Makefile.am nepenthes-0.2.0-r1345/modules/log-surfnet/Makefile.am +--- nepenthes-0.2.0/modules/log-surfnet/Makefile.am 2006-11-13 20:40:10.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/log-surfnet/Makefile.am 2007-08-06 00:46:15.000000000 +0200 +@@ -6,7 +6,6 @@ + + AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -I/usr/include/postgresql -pipe -D _GNU_SOURCE + AM_CXXFLAGS = -Wall -Werror +-AM_LDFLAGS = ${LIB_POSTGRES} + + pkglib_LTLIBRARIES = logsurfnet.la + +diff -ruN nepenthes-0.2.0/modules/log-surfnet/log-surfnet.conf.dist nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.conf.dist +--- nepenthes-0.2.0/modules/log-surfnet/log-surfnet.conf.dist 2006-11-13 20:40:10.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.conf.dist 2007-08-06 00:46:15.000000000 +0200 +@@ -49,175 +49,3 @@ + + }; + +- +-/* +- +-don't forget to create these fn's in your surfnet ids database. 
+- +- +-CREATE PROCEDURAL LANGUAGE plpgsql; +- +-CREATE FUNCTION surfnet_attack_add(integer, inet, integer, inet, integer, macaddr, inet) RETURNS integer +- AS $_$DECLARE +- p_severity ALIAS FOR $1; +- p_attackerip ALIAS FOR $2; +- p_attackerport ALIAS FOR $3; +- p_decoyip ALIAS FOR $4; +- p_decoyport ALIAS FOR $5; +- p_hwa ALIAS FOR $6; +- p_localhost ALIAS FOR $7; +- m_attackid INTEGER; +- m_sensorid INTEGER; +-BEGIN +- +- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); +- SELECT INTO m_attackid surfnet_attack_add_by_id(p_severity, +- p_attackerip, p_attackerport, p_decoyip, +- p_decoyport, p_hwa, m_sensorid); +- +- return m_attackid; +-END$_$ +- LANGUAGE plpgsql; +- +- +-CREATE FUNCTION surfnet_attack_add_by_id(integer, inet, integer, inet, integer, macaddr, integer) RETURNS integer +- AS $_$DECLARE +- p_severity ALIAS FOR $1; +- p_attackerip ALIAS FOR $2; +- p_attackerport ALIAS FOR $3; +- p_decoyip ALIAS FOR $4; +- p_decoyport ALIAS FOR $5; +- p_hwa ALIAS FOR $6; +- p_sensorid ALIAS FOR $7; +- m_attackid INTEGER; +-BEGIN +- INSERT INTO attacks +- (severity, +- timestamp, +- dest, +- dport, +- source, +- sport, +- sensorid, +- src_mac) +- VALUES +- (p_severity, +- extract(epoch from current_timestamp(0))::integer, +- p_attackerip, +- p_attackerport, +- p_decoyip, +- p_decoyport, +- p_sensorid, +- p_hwa); +- +- SELECT INTO m_attackid currval('attacks_id_seq'); +- return m_attackid; +-END$_$ +- LANGUAGE plpgsql; +- +- +- +-CREATE FUNCTION surfnet_attack_update_severity(integer, integer) RETURNS void +- AS $_$DECLARE +- p_attackid ALIAS FOR $1; +- p_severity ALIAS FOR $2; +-BEGIN +- UPDATE attacks SET severity = p_severity WHERE id = p_attackid; +- return; +-END;$_$ +- LANGUAGE plpgsql; +- +- +-CREATE FUNCTION surfnet_detail_add(integer, inet, integer, character varying) RETURNS void +- AS $_$DECLARE +- p_attackid ALIAS FOR $1; +- p_localhost ALIAS FOR $2; +- p_type ALIAS FOR $3; +- p_data ALIAS FOR $4; +- +- m_sensorid INTEGER; +-BEGIN +- SELECT INTO 
m_sensorid surfnet_sensorid_get(p_localhost); +- +- INSERT INTO details +- (attackid,sensorid,type,text) +- VALUES +- (p_attackid,m_sensorid,p_type,p_data); +-END$_$ +- LANGUAGE plpgsql; +- +- +-CREATE FUNCTION surfnet_detail_add_by_id(integer, integer, integer, character varying) RETURNS void +- AS $_$DECLARE +- p_attackid ALIAS FOR $1; +- m_sensorid ALIAS FOR $2; +- p_type ALIAS FOR $3; +- p_data ALIAS FOR $4; +-BEGIN +- INSERT INTO details +- (attackid,sensorid,type,text) +- VALUES +- (p_attackid,m_sensorid,p_type,p_data); +-END$_$ +- LANGUAGE plpgsql; +- +- +-CREATE FUNCTION surfnet_detail_add_download(inet, inet, character varying, character varying) RETURNS void +- AS $_$DECLARE +- p_remotehost ALIAS FOR $1; +- p_localhost ALIAS FOR $2; +- p_url ALIAS FOR $3; +- p_hash ALIAS FOR $4; +- +- m_sensorid INTEGER; +- m_attackid INTEGER; +-BEGIN +- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); +- SELECT INTO m_attackid surfnet_attack_add_by_id(32,p_remotehost, 0, +- p_localhost, 0, +- NULL,m_sensorid); +- +- PERFORM surfnet_detail_add_by_id(m_attackid, +- m_sensorid,4,p_url); +- PERFORM surfnet_detail_add_by_id(m_attackid, +- m_sensorid,8,p_hash); +- +- return; +-END; $_$ +- LANGUAGE plpgsql; +- +- +-CREATE FUNCTION surfnet_detail_add_offer(inet, inet, character varying) RETURNS void +- AS $_$DECLARE +- p_remotehost ALIAS FOR $1; +- p_localhost ALIAS FOR $2; +- p_url ALIAS FOR $3; +- +- m_sensorid INTEGER; +- m_attackid INTEGER; +-BEGIN +- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); +- SELECT INTO m_attackid surfnet_attack_add_by_id(16,p_remotehost, 0, +- p_localhost, 0, +- NULL,m_sensorid); +- +- PERFORM surfnet_detail_add_by_id(m_attackid, +- m_sensorid,4,p_url); +- return; +-END; $_$ +- LANGUAGE plpgsql; +- +- +-CREATE FUNCTION surfnet_sensorid_get(inet) RETURNS integer +- AS $_$DECLARE +- p_localhost ALIAS FOR $1; +- m_sensorid INTEGER; +-BEGIN +- SELECT INTO m_sensorid id FROM sensors WHERE tapip = p_localhost; +- return m_sensorid; 
+-END +-$_$ +- LANGUAGE plpgsql; +- +- +-*/ +diff -ruN nepenthes-0.2.0/modules/log-surfnet/log-surfnet.cpp nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.cpp +--- nepenthes-0.2.0/modules/log-surfnet/log-surfnet.cpp 2006-11-13 20:40:10.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -76,7 +76,7 @@ + m_attackID = 0; + m_closed = false; + +- m_severity = 0; ++ m_severity = -1; + } + + +@@ -471,7 +471,13 @@ + (uint32_t) ((intptr_t)socket), + attackid); + +- m_SocketTracker[(uintptr_t) socket].m_closed = true; ++ if (m_SocketTracker[(uintptr_t) socket].m_Details.size() > 0) ++ { ++ m_SocketTracker[(uintptr_t) socket].m_closed = true; ++ }else ++ { ++ m_SocketTracker.erase((uintptr_t)socket); ++ } + } + + void LogSurfNET::handleDialogueAssignAndDone(Socket *socket, Dialogue *dia, uint32_t attackid) +@@ -649,6 +655,19 @@ + m_SocketTracker[(uintptr_t)s].m_Details.pop_front(); + } + ++ if (m_SocketTracker[(uintptr_t)s].m_severity != -1) ++ { ++ string query; ++ ++ query = "SELECT surfnet_attack_update_severity('"; ++ query += itos(m_SocketTracker[(uintptr_t)s].m_attackID); ++ query += "','"; ++ query += itos(m_SocketTracker[(uintptr_t)s].m_severity); ++ query += "');"; ++ ++ m_SQLHandler->addQuery(&query,NULL,NULL); ++ } ++ + if (m_SocketTracker[(uintptr_t)s].m_closed == true) + { + m_SocketTracker.erase((uintptr_t)s); +@@ -660,6 +679,11 @@ + bool LogSurfNET::sqlFailure(SQLResult *result) + { + logPF(); ++ ++ Socket *s; ++ s = (Socket *)result->getObject(); ++ logCrit("Getting attackid for socket %x failed, dropping the whole attack, forgetting all details\n",(uintptr_t)s); ++ m_SocketTracker.erase((uintptr_t)s); + return true; + } + +diff -ruN nepenthes-0.2.0/modules/module-honeytrap/Makefile.am nepenthes-0.2.0-r1345/modules/module-honeytrap/Makefile.am +--- nepenthes-0.2.0/modules/module-honeytrap/Makefile.am 2006-11-13 20:40:09.000000000 +0100 ++++ 
nepenthes-0.2.0-r1345/modules/module-honeytrap/Makefile.am 2007-08-06 00:46:15.000000000 +0200
+@@ -15,4 +15,4 @@
+ modulehoneytrap_la_SOURCES += TrapSocket.cpp TrapSocket.hpp
+ modulehoneytrap_la_SOURCES += module-honeytrap.conf.dist
+ 
+-modulehoneytrap_la_LDFLAGS = -module -no-undefined -avoid-version
++modulehoneytrap_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
+diff -ruN nepenthes-0.2.0/modules/module-honeytrap/TrapSocket.cpp nepenthes-0.2.0-r1345/modules/module-honeytrap/TrapSocket.cpp
+--- nepenthes-0.2.0/modules/module-honeytrap/TrapSocket.cpp 2006-11-13 20:40:09.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/module-honeytrap/TrapSocket.cpp 2007-08-06 00:46:15.000000000 +0200
+@@ -782,11 +782,18 @@
+ {
+ printIPpacket(data,size);
+ 
++ uint16_t port;
++ 
++ if ( tcp->th_flags & TH_SYN && !(tcp->th_flags & TH_ACK) )
++ port = ntohs(tcp->th_dport); // inline mode
++ else
++ port = ntohs(tcp->th_sport); // pcap mode
++ 
+ if (1)// isPortListening(ntohs(tcp->th_dport),*(uint32_t *)&(ip->ip_dst)) == false )
+ {
+- logInfo("Connection to unbound port %i requested, binding port\n",ntohs(tcp->th_dport));
++ logInfo("Connection to unbound port %i requested, binding port\n",port);
+ 
+- Socket *sock = g_Nepenthes->getSocketMgr()->bindTCPSocket(INADDR_ANY,ntohs(tcp->th_dport),60,60);
++ Socket *sock = g_Nepenthes->getSocketMgr()->bindTCPSocket(INADDR_ANY,port,60,60);
+ if ( sock != NULL && (sock->getDialogst()->size() == 0 && sock->getFactories()->size() == 0) )
+ {
+ 
+diff -ruN nepenthes-0.2.0/modules/module-peiros/module-peiros.cpp nepenthes-0.2.0-r1345/modules/module-peiros/module-peiros.cpp
+--- nepenthes-0.2.0/modules/module-peiros/module-peiros.cpp 2006-11-13 20:40:08.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/module-peiros/module-peiros.cpp 2007-08-06 00:46:15.000000000 +0200
+@@ -29,6 +29,7 @@
+ 
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+diff -ruN nepenthes-0.2.0/modules/module-portwatch/WatchDialogue.cpp 
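Review bot: The new else branch takes the bind port from `th_sport` of every packet that is not a pure SYN, and the `if (1)` below still bypasses the `isPortListening` check, so in pcap mode the honeypot will bind ports copied from attacker-controlled headers (the source port of a stray ACK, FIN or RST from a remote host) rather than only from the local stack's replies. Unless the capture filter outside this hunk already restricts delivery to those replies — I cannot see it from here — the branch should say which packets it trusts, e.g. `else if (tcp->th_flags & TH_RST) port = ntohs(tcp->th_sport); else` drop the packet, and ideally check that `ip->ip_src` is a local address. Parenthesising `(tcp->th_flags & TH_SYN)` in the new condition would also make the precedence obvious to the next reader. The enclosing function starts and ends outside the hunk.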
nepenthes-0.2.0-r1345/modules/module-portwatch/WatchDialogue.cpp +--- nepenthes-0.2.0/modules/module-portwatch/WatchDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/module-portwatch/WatchDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -47,6 +47,9 @@ + + #include "Utilities.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" ++ + #ifdef STDTAGS + #undef STDTAGS + #endif +@@ -77,7 +80,7 @@ + WatchDialogue::~WatchDialogue() + { + logWarn("Unknown WatchDialogue %i bytes, port %i\n",m_Buffer->getSize(), m_Socket->getLocalPort()); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + delete m_Buffer; + } + +diff -ruN nepenthes-0.2.0/modules/shellcode-generic/Makefile.am nepenthes-0.2.0-r1345/modules/shellcode-generic/Makefile.am +--- nepenthes-0.2.0/modules/shellcode-generic/Makefile.am 2006-11-13 20:40:07.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/shellcode-generic/Makefile.am 2007-08-06 00:46:15.000000000 +0200 +@@ -32,4 +32,4 @@ + shellcodegeneric_la_SOURCES += sch_generic_leimbach_url_xor.cpp sch_generic_leimbach_url_xor.hpp + shellcodegeneric_la_SOURCES += sch_generic_wget.cpp sch_generic_wget.hpp + +-shellcodegeneric_la_LDFLAGS = -module -no-undefined -avoid-version ++shellcodegeneric_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) +diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_cmd.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_cmd.cpp +--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_cmd.cpp 2006-11-13 20:40:07.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_cmd.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -95,7 +95,7 @@ + if((iResult = pcre_exec(m_pcre, 0, (char *) shellcode, len, 0, 0, (int *)piOutput, sizeof(piOutput)/sizeof(int32_t))) > 0) + { + // logDebug("GenricCMD (improve pcre debug) 
(%i bytes)\n",(*msg)->getSize()); +-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)(*msg)->getMsg(),(*msg)->getSize()); ++// HEXDUMP(m_Socket,(byte *)(*msg)->getMsg(),(*msg)->getSize()); + + const char * pRemoteCommand; + +diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp +--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp 2006-11-13 20:40:07.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -203,7 +203,7 @@ + pcre_free_substring(preload); + pcre_free_substring(xordecoder); + +- g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len); ++// g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len); + + Message *newMessage = new Message((char *)newshellcode, len, (*msg)->getLocalPort(), (*msg)->getRemotePort(), + (*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket()); +diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_url.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_url.cpp +--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_url.cpp 2006-11-13 20:40:07.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_url.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -119,7 +119,7 @@ + + if((iResult = pcre_exec(m_pcre, 0, (char *) shellcode, len, 0, 0, (int *)piOutput, sizeof(piOutput)/sizeof(int32_t))) > 0) + { +-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,shellcode,len); ++// HEXDUMP(m_Socket,shellcode,len); + const char * pUrl; + + pcre_get_substring((char *) shellcode, (int *)piOutput, (int)iResult, 1, &pUrl); +diff -ruN nepenthes-0.2.0/modules/shellcode-signatures/Makefile.am nepenthes-0.2.0-r1345/modules/shellcode-signatures/Makefile.am +--- nepenthes-0.2.0/modules/shellcode-signatures/Makefile.am 
2006-11-13 20:40:04.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/shellcode-signatures/Makefile.am 2007-08-06 00:46:15.000000000 +0200
+@@ -33,5 +33,5 @@
+ shellcodesignatures_la_SOURCES += sch_namespace_konstanzxor.cpp sch_namespace_konstanzxor.hpp
+ shellcodesignatures_la_SOURCES += sch_namespace_alphanumericxor.cpp sch_namespace_alphanumericxor.hpp
+ 
+-shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version
++shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
+ 
+diff -ruN nepenthes-0.2.0/modules/shellcode-signatures/shellcode-signatures.sc nepenthes-0.2.0-r1345/modules/shellcode-signatures/shellcode-signatures.sc
+--- nepenthes-0.2.0/modules/shellcode-signatures/shellcode-signatures.sc 2006-11-13 20:40:04.000000000 +0100
++++ nepenthes-0.2.0-r1345/modules/shellcode-signatures/shellcode-signatures.sc 2007-08-06 00:46:15.000000000 +0200
+@@ -178,6 +178,13 @@
+ mapping (none,pre,decoder,size,key,post);
+ };
+ 
++xor::marburganderlahn
++{
++ pattern
++ "(.*)(\\xEB\\x0E\\x5A\\x4A\\x31\\xC9\\xB1(.)\\x80\\x34\\x11(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xED\xFF\xFF\xFF)(.*)$";
++ mapping (none,pre,decoder,size,key,post);
++};
++ 
+ /*
+ * too inaccurate
+ *
+@@ -944,8 +951,8 @@
+ pattern
+ "\\xeb\\x02\\xeb\\x6b"
+ "\\xe8\\xf9\\xff\\xff\\xff\\x53\\x55\\x56\\x57\\x8b\\x6c\\x24\\x18\\x8b\\x45\\x3c"
+- "\\x8b\\x54\\x05\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32"
+- "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac\\x3a\\xc4\\x74\\x07"
++ "\\x8b\\x54.\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32"
++ "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac..\\x74\\x07"
+ "\\xc1\\xcf\\x0d\\x03\\xf8\\xeb\\xf2\\x3b\\x7c\\x24\\x14\\x75\\xe1\\x8b\\x5a\\x24"
+ "\\x03\\xdd\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x03\\xdd\\x8b\\x04\\x8b\\x03\\xc5"
+ "\\xeb\\x02\\x33\\xc0\\x5f\\x5e\\x5d\\x5b\\x89\\x44\\x24\\x04\\x8b\\x04\\x24\\x89"
+diff -ruN 
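Review bot: The new `xor::marburganderlahn` pattern ends in `\\xE8\\xED\xFF\xFF\xFF`, where the last three bytes are written with a single backslash while every other byte in this pattern and in the neighbouring signatures uses `\\x..`; whichever layer unescapes these strings (the .sc reader or PCRE) will therefore treat those three bytes differently from the rest, and the decoder stub is unlikely to match the bytes it is meant to. Write the tail as `\\xE8\\xED\\xFF\\xFF\\xFF` so it follows the file's convention. A short comment naming the decoder family and the byte positions captured by the two `(.)` groups (size and key, per the mapping) would also help the next person who has to tune it.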
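Review bot: The two new `.` wildcards (`\\x8b\\x54.\\x78` and `\\xac..\\x74`) will not match a 0x0a byte unless these signatures are compiled with PCRE_DOTALL, which I cannot confirm from this hunk; the widened positions hold an arbitrary displacement byte and an arbitrary compare encoding, so 0x0a is plausible in real samples. An explicit byte class, `[\\x00-\\xff]`, or a leading `(?s)` removes the dependence on the compile flags; the `(.*)` groups used throughout the file share the same question, so if DOTALL is already set a one-line comment at the top of the file saying so would close it for everyone.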
nepenthes-0.2.0/modules/shellemu-winnt/VFSCommandFTP.cpp nepenthes-0.2.0-r1345/modules/shellemu-winnt/VFSCommandFTP.cpp +--- nepenthes-0.2.0/modules/shellemu-winnt/VFSCommandFTP.cpp 2006-11-13 20:40:06.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/shellemu-winnt/VFSCommandFTP.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -425,7 +425,6 @@ + logSpam("VFSCommandFTP Setting Hosts %i %i\n",remotehost,localhost); + remotehost = m_VFS->getDialogue()->getSocket()->getRemoteHost(); + localhost = m_VFS->getDialogue()->getSocket()->getLocalHost(); +- + } + + logSpam("VFSCommandFTP LocalHost %s\n",inet_ntoa(*(in_addr *)&localhost)); +diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/Makefile.am nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/Makefile.am +--- nepenthes-0.2.0/modules/sqlhandler-postgres/Makefile.am 2006-11-13 20:40:05.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/Makefile.am 2007-08-06 00:46:15.000000000 +0200 +@@ -12,4 +12,4 @@ + + sqlhandlerpostgres_la_SOURCES = sqlhandler-postgres.cpp sqlhandler-postgres.hpp + +-sqlhandlerpostgres_la_LDFLAGS = -module -no-undefined -avoid-version ++sqlhandlerpostgres_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) +diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.cpp nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.cpp +--- nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.cpp 2006-11-13 20:40:05.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -145,6 +145,7 @@ + m_PGTable = table; + m_PGUser = user; + m_PGPass = passwd; ++ m_PGOptions = options; + + m_Callback = cb; + } +@@ -760,6 +761,10 @@ + "' user = '" + m_PGUser + + "' password = '" + m_PGPass +"'"; + ++ if ( m_PGOptions.size() > 0 ) ++ ConnectString += m_PGOptions; ++ ++ + if (m_PGConnection != NULL) + PQfinish(m_PGConnection); + else +diff -ruN 
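Review bot: `ConnectString += m_PGOptions;` appends the option text directly after the closing quote of the password (`... password = 'xxx'` followed immediately by, say, `sslmode=require`), and libpq's conninfo parser rejects `'xxx'sslmode=require`. Separate the two with a space, `ConnectString += " " + m_PGOptions;`, or document that the config value must begin with one. While here, none of the conninfo values — the password included — are escaped for libpq's quoting rules, so a password containing `'` or `\` only fails at connect time; that is pre-existing, but a comment above the string build saying `// values are single-quoted but not escaped; ' and \ in the password are not supported` would save the next person a debugging session. The enclosing function starts and ends outside the hunk.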
nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.hpp nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.hpp +--- nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.hpp 2006-11-13 20:40:05.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -141,6 +141,7 @@ + string m_PGTable; + string m_PGUser; + string m_PGPass; ++ string m_PGOptions; + + }; + +diff -ruN nepenthes-0.2.0/modules/submit-gotek/gotekCTRLDialogue.cpp nepenthes-0.2.0-r1345/modules/submit-gotek/gotekCTRLDialogue.cpp +--- nepenthes-0.2.0/modules/submit-gotek/gotekCTRLDialogue.cpp 2006-11-13 20:40:11.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-gotek/gotekCTRLDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -112,7 +112,7 @@ + + unsigned char sessionkey[8]; + memcpy((char *)sessionkey,(char *)m_Buffer->getData(),8); +- g_Nepenthes->getUtilities()->hexdump(sessionkey,8); ++// g_Nepenthes->getUtilities()->hexdump(sessionkey,8); + + + +@@ -128,13 +128,13 @@ + byte hashme[1032]; + memset(hashme,0,1032); + +- g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024); ++// g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024); + memcpy(hashme,g_GotekSubmitHandler->getCommunityKey(),1024); + memcpy(hashme+1024,sessionkey,8); +- g_Nepenthes->getUtilities()->hexdump(hashme, 1032); ++// g_Nepenthes->getUtilities()->hexdump(hashme, 1032); + + g_Nepenthes->getUtilities()->sha512(hashme, 1032, hash); +- g_Nepenthes->getUtilities()->hexdump(hash,64); ++// g_Nepenthes->getUtilities()->hexdump(hash,64); + + m_Socket->doRespond((char *)hash,64); + +diff -ruN nepenthes-0.2.0/modules/submit-gotek/gotekDATADialogue.cpp nepenthes-0.2.0-r1345/modules/submit-gotek/gotekDATADialogue.cpp +--- nepenthes-0.2.0/modules/submit-gotek/gotekDATADialogue.cpp 2006-11-13 20:40:11.000000000 +0100 ++++ 
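Review bot: Commenting out the hexdumps of `getCommunityKey()`, `hashme` and the resulting `hash` is the right call — they were writing the 1024-byte community key, which this code appears to use as the shared secret for the challenge/response (`sha512(communitykey || sessionkey)`), to the log — but leaving them in as comments invites someone to switch them back on during the next debugging session. Delete the four commented lines outright and put a `// never dump the community key or the derived response: it is the secret behind this submission channel` comment above the `memcpy(hashme, ...)`. The enclosing function starts outside the hunk.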
nepenthes-0.2.0-r1345/modules/submit-gotek/gotekDATADialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -173,7 +173,7 @@ + byte hashme[1032]; + memset(hashme,0,1032); + +- g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024); ++// g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024); + memcpy(hashme,g_GotekSubmitHandler->getCommunityKey(),1024); + memcpy(hashme+1024,&sessionkey,8); + g_Nepenthes->getUtilities()->sha512(hashme, 1032, hash); +diff -ruN nepenthes-0.2.0/modules/submit-http/HTTPSession.cpp nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.cpp +--- nepenthes-0.2.0/modules/submit-http/HTTPSession.cpp 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,187 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2006 Niklas Schiffler ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++ ++#include ++#include /* new for v7 */ ++#include /* new for v7 */ ++#include ++#include ++ ++#include "HTTPSession.hpp" ++#include "submit-http.hpp" ++#include "DownloadBuffer.hpp" ++#include "DownloadUrl.hpp" ++ ++using namespace nepenthes; ++ ++HTTPSession::HTTPSession(string &url, string &email, string &user, string &password, Download* down) ++{ ++ state = S_ERROR; ++ postInfo = NULL; ++ postFile = NULL; ++ curlInfoHandle = NULL; ++ curlFileHandle = NULL; ++ ++ submitURL = url; ++ ++ if ( user.length() > 0 && password.length() > 0 ) ++ submitAuthStr = user + ":" + password; ++ ++ md5 = down->getMD5Sum(); ++ sha512 = down->getSHA512Sum(); ++ fileSize = down->getDownloadBuffer()->getSize(); ++ fileName = down->getDownloadUrl()->getFile(); ++ fileSourceURL = down->getUrl(); ++ ++ fileBuffer = new uint8_t[fileSize]; ++ fileBuffer = (uint8_t*)memcpy(fileBuffer, down->getDownloadBuffer()->getData(), fileSize); ++ ++ curlInfoHandle = curl_easy_init(); ++ if ( curlInfoHandle ) ++ { ++ struct curl_httppost* last = NULL; ++ ++ if ( email.length() > 0 ) ++ curl_formadd(&postInfo, &last, CURLFORM_COPYNAME, "email", CURLFORM_COPYCONTENTS, email.c_str(), CURLFORM_END); ++ ++ stringstream sSourceHost; sSourceHost << htonl(down->getRemoteHost()); ++ stringstream sTargetHost; sTargetHost << htonl(down->getLocalHost()); ++ ++ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "url", CURLFORM_COPYCONTENTS, fileSourceURL.c_str(), CURLFORM_END); ++ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "trigger", CURLFORM_COPYCONTENTS, down->getTriggerLine().c_str(), CURLFORM_END); ++ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "md5", CURLFORM_COPYCONTENTS, md5.c_str(), CURLFORM_END); ++ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "sha512", CURLFORM_COPYCONTENTS, sha512.c_str(), CURLFORM_END); ++ curl_formadd(&postInfo, &last, 
CURLFORM_PTRNAME, "filetype", CURLFORM_COPYCONTENTS, down->getFileType().c_str(), CURLFORM_END); ++ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "source_host", CURLFORM_COPYCONTENTS, sSourceHost.str().c_str(), CURLFORM_END); ++ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "target_host", CURLFORM_COPYCONTENTS, sTargetHost.str().c_str(), CURLFORM_END); ++ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "filename", CURLFORM_COPYCONTENTS, down->getDownloadUrl()->getFile().c_str(), CURLFORM_END); ++ ++ setCURLOpts(curlInfoHandle, postInfo); ++ } ++} ++ ++HTTPSession::~HTTPSession() ++{ ++ delete [] fileBuffer; ++ curl_formfree(postInfo); ++ if ( postFile ) ++ curl_formfree(postFile); ++ curl_easy_cleanup(curlInfoHandle); ++ if ( curlFileHandle ) ++ curl_easy_cleanup(curlFileHandle); ++} ++ ++CURL* HTTPSession::getSubmitInfoHandle() ++{ ++ return curlInfoHandle; ++} ++ ++CURL* HTTPSession::getSubmitFileHandle() ++{ ++ curlFileHandle = curl_easy_init(); ++ if ( curlFileHandle ) ++ { ++ postFile = NULL; ++ struct curl_httppost* last = NULL; ++ ++ curl_formadd(&postFile, &last, CURLFORM_PTRNAME, "md5", CURLFORM_COPYCONTENTS, md5.c_str(), CURLFORM_END); ++ curl_formadd(&postFile, &last, CURLFORM_PTRNAME, "sha512", CURLFORM_COPYCONTENTS, sha512.c_str(), CURLFORM_END); ++ ++ curl_formadd(&postFile, &last, ++ CURLFORM_COPYNAME, "file", ++ CURLFORM_BUFFER, fileName.c_str(), ++ CURLFORM_BUFFERPTR, fileBuffer, ++ CURLFORM_BUFFERLENGTH, fileSize, ++ CURLFORM_END); ++ ++ setCURLOpts(curlFileHandle, postFile); ++ } ++ return curlFileHandle; ++} ++ ++string HTTPSession::getMD5() ++{ ++ return md5; ++} ++ ++string HTTPSession::getSHA512() ++{ ++ return sha512; ++} ++ ++void HTTPSession::setCURLOpts(CURL* c, curl_httppost* post) ++{ ++ curl_easy_setopt(c, CURLOPT_HTTPPOST, post); ++ curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, false); ++ curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, false); ++ curl_easy_setopt(c, CURLOPT_URL, submitURL.c_str()); ++ curl_easy_setopt(c, 
CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; nepenthes; Linux)"); ++ curl_easy_setopt(c, CURLOPT_PRIVATE, (char*) this); ++ curl_easy_setopt(c, CURLOPT_WRITEDATA, this); ++ curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, HTTPSession::WriteCallback); ++ ++ if ( submitAuthStr.length() > 0 ) ++ curl_easy_setopt(c, CURLOPT_USERPWD, submitAuthStr.c_str()); ++} ++ ++size_t HTTPSession::WriteCallback(char *buffer, size_t size, size_t nitems, void *p) ++{ ++ HTTPSession* s = (HTTPSession*)p; ++ int32_t iSize = size * nitems; ++ ++ string res(buffer, iSize); ++ if ( res.find("S_FILEREQUEST") != string::npos ) ++ s->setState(S_FILEREQUEST); ++ else ++ if ( res.find("S_FILEKNOWN") != string::npos ) ++ s->setState(S_FILEKNOWN); ++ else ++ if ( res.find("S_FILEOK") != string::npos ) ++ s->setState(S_FILEOK); ++ else ++ s->setState(S_ERROR); ++ ++// delete(strBuf); ++ return iSize; ++} ++ ++uint8_t HTTPSession::getState() ++{ ++ return state; ++} ++ ++void HTTPSession::setState(uint8_t s) ++{ ++ this->state = s; ++} ++ ++string HTTPSession::getFileSourceURL() ++{ ++ return fileSourceURL; ++} +diff -ruN nepenthes-0.2.0/modules/submit-http/HTTPSession.hpp nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.hpp +--- nepenthes-0.2.0/modules/submit-http/HTTPSession.hpp 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,82 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2006 Niklas Schiffler ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. 
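Review bot: setCURLOpts in HTTPSession.cpp disables certificate checking by passing `false` for `CURLOPT_SSL_VERIFYHOST` and `CURLOPT_SSL_VERIFYPEER`, so the `user:password` handed to `CURLOPT_USERPWD` and the sample itself go to whoever answers for the configured host even when an https URL is used; verification should stay on by default, with an explicit config switch if a self-signed deployment needs it. Those two options are also passed as `bool` through curl_easy_setopt's varargs, where libcurl reads a `long`; write `curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, 2L);` and `curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, 1L);`. TransferSession::initializeHandle in submit-mwserv/TransferSession.cpp has the identical pair of calls. In WriteCallback, `int32_t iSize = size * nitems;` narrows the product that is then returned as the consumed byte count; declare it `size_t iSize = size * nitems;`.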
++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++ /* $Id$ */ ++ ++#include ++#include ++ ++#include "Download.hpp" ++ ++using namespace std; ++ ++namespace nepenthes ++{ ++ ++ ++ class HTTPSession ++ { ++ public: ++ static const uint8_t S_FILEKNOWN = 0; ++ static const uint8_t S_FILEREQUEST = 1; ++ static const uint8_t S_FILEOK = 2; ++ static const uint8_t S_FILEPENDING = 3; ++ static const uint8_t S_ERROR = 4; ++ ++ HTTPSession(string &url, string &email, string &user, string &password, Download* down); ++ ~HTTPSession(); ++ CURL* getSubmitInfoHandle(); ++ CURL* getSubmitFileHandle(); ++ string getMD5(); ++ string getSHA512(); ++ void setCURLOpts(CURL* c, curl_httppost* post); ++ uint8_t getState(); ++ void setState(uint8_t s); ++ string getFileSourceURL(); ++ ++ static size_t WriteCallback(char *buffer, size_t size, size_t nitems, void *userp); ++ ++ protected: ++ CURL* curlInfoHandle; ++ CURL* curlFileHandle; ++ uint8_t* fileBuffer; ++ size_t fileSize; ++ struct curl_httppost* postInfo; ++ struct curl_httppost* postFile; ++ string fileName; ++ string fileSourceURL; ++ string md5; ++ string sha512; ++ string submitURL; ++ string submitAuthStr; ++ uint8_t state; ++ ++ }; ++ ++} ++ +diff -ruN nepenthes-0.2.0/modules/submit-http/Makefile.am nepenthes-0.2.0-r1345/modules/submit-http/Makefile.am +--- nepenthes-0.2.0/modules/submit-http/Makefile.am 1970-01-01 01:00:00.000000000 +0100 ++++ 
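Review bot: HTTPSession.hpp has no include guard and no `#pragma once`, and it places `using namespace std;` at header scope, which every translation unit including it inherits. Add `#pragma once` (or a guard pair such as `NEPENTHES_SUBMIT_HTTP_HTTPSESSION_HPP`) at the top and qualify `std::string` in the declarations instead of relying on the directive. submit-http.hpp and submit-mwserv/TransferSession.hpp in this patch have the same two issues.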
nepenthes-0.2.0-r1345/modules/submit-http/Makefile.am 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,14 @@ ++AUTOMAKE_OPTIONS = foreign ++ ++AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE ++AM_CXXFLAGS = -Wall -Werror ++ ++AM_LDFLAGS = $(LIB_CURL) ++ ++pkglib_LTLIBRARIES = submithttp.la ++ ++submithttp_la_SOURCES = submit-http.cpp submit-http.hpp ++submithttp_la_SOURCES += HTTPSession.hpp HTTPSession.cpp ++submithttp_la_SOURCES += submit-http.conf.dist ++ ++submithttp_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) +diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.conf.dist nepenthes-0.2.0-r1345/modules/submit-http/submit-http.conf.dist +--- nepenthes-0.2.0/modules/submit-http/submit-http.conf.dist 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.conf.dist 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,8 @@ ++submit-http ++{ ++ url "http://somehost.de/submit.php"; ++ email "your@email"; // optional ++ user "httpuser"; // optional ++ pass "httppass"; // optional ++}; ++ +diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.cpp nepenthes-0.2.0-r1345/modules/submit-http/submit-http.cpp +--- nepenthes-0.2.0/modules/submit-http/submit-http.cpp 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,231 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2006 Niklas Schiffler ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. 
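Review bot: The example `url` in submit-http.conf.dist is a plain `http://` address while the optional `user`/`pass` entries are sent as HTTP authentication on that same URL, so a deployment that copies the template as-is transmits its credentials and the collected samples in clear text. Change the example to `url "https://somehost.de/submit.php";` and add a comment next to `user`/`pass` noting that they are only protected when the URL is https. The key/value syntax here (`url "..."`) differs from submit-mwserv.conf.dist in the same patch (`url = "";`); presumably the config parser accepts both, but that is worth confirming.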
++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++ /* $Id$ */ ++ ++#include "submit-http.hpp" ++#include "Download.hpp" ++#include "Utilities.hpp" ++#include "SubmitManager.hpp" ++#include "LogManager.hpp" ++#include "Event.hpp" ++#include "EventManager.hpp" ++#include "EventHandler.cpp" // das ist Mist! ++#include "Config.hpp" ++#include "ModuleManager.hpp" ++ ++#include "HTTPSession.hpp" ++ ++using namespace nepenthes; ++ ++ ++Nepenthes *g_Nepenthes; ++ ++ ++HTTPSubmitHandler::HTTPSubmitHandler(Nepenthes *nepenthes) ++{ ++ m_ModuleName = "submit-http"; ++ m_ModuleDescription = "HTTP submit handler"; ++ m_ModuleRevision = "$Rev$"; ++ m_Nepenthes = nepenthes; ++ m_SubmitterName = "submit-http"; ++ m_SubmitterDescription = "submit binary file via HTTP POST request"; ++ g_Nepenthes = nepenthes; ++ ++ m_Queued = 0; ++ m_Timeout = time(NULL); ++ m_Events.reset(); ++} ++ ++ ++HTTPSubmitHandler::~HTTPSubmitHandler() ++{ ++} ++ ++bool HTTPSubmitHandler::Init() ++{ ++ logPF(); ++ ++ if ( m_Config == NULL ) ++ { ++ logCrit("I need a config\n"); ++ return false; ++ } ++ ++ try ++ { ++ m_URL = m_Config->getValString("submit-http.url"); ++ } ++ catch ( ... 
) ++ { ++ logCrit("Error: Config property \"url\" missing\n"); ++ return false; ++ } ++ ++ try ++ { ++ m_Email = m_Config->getValString("submit-http.email"); ++ m_User = m_Config->getValString("submit-http.user"); ++ m_Password = m_Config->getValString("submit-http.pass"); ++ } ++ catch ( ... ) ++ { ++ } ++ ++ m_ModuleManager = m_Nepenthes->getModuleMgr(); ++ ++ if ( (m_CurlStack = curl_multi_init()) == NULL ) ++ { ++ logCrit("Could not init Curl Multi Perform Stack %s\n",strerror(errno)); ++ return false; ++ } ++ ++ REG_SUBMIT_HANDLER(this); ++ REG_EVENT_HANDLER(this); ++ return true; ++} ++ ++bool HTTPSubmitHandler::Exit() ++{ ++ curl_multi_cleanup(m_CurlStack); ++ return true; ++} ++ ++ ++void HTTPSubmitHandler::Submit(Download *down) ++{ ++ logPF(); ++ ++ if ( m_Events.test(EV_TIMEOUT) == false ) ++ m_Events.set(EV_TIMEOUT); ++ ++ HTTPSession* session = new HTTPSession(m_URL, m_Email, m_User, m_Password, down); ++ curl_multi_add_handle(m_CurlStack, session->getSubmitInfoHandle()); ++ m_Queued++; ++} ++ ++void HTTPSubmitHandler::Hit(Download *down) ++{ ++ Submit(down); ++} ++ ++ ++uint32_t HTTPSubmitHandler::handleEvent(Event *event) ++{ ++ logPF(); ++ if ( event->getType() != EV_TIMEOUT ) ++ { ++ logCrit("Unwanted event %i\n",event->getType()); ++ return 1; ++ } ++ ++ // do file info submits ++ int32_t iQueue = 0; ++ while ( curl_multi_perform(m_CurlStack, (int *)&iQueue) == CURLM_CALL_MULTI_PERFORM ); ++ ++ if ( m_Queued > iQueue ) ++ { ++ logSpam("m_Queued (%i) > (%i) iQueue\n", m_Queued, iQueue); ++ CURLMsg * pMessage; ++ ++ while ( (pMessage = curl_multi_info_read(m_CurlStack, (int *)&iQueue)) ) ++ { ++ if ( pMessage->msg == CURLMSG_DONE ) ++ { ++ HTTPSession *session; ++ char *cSession; ++ ++ curl_easy_getinfo(pMessage->easy_handle, CURLINFO_PRIVATE, (char**)&cSession); ++ session = (HTTPSession *)cSession; ++ ++ uint8_t sessionState = session->getState(); ++ ++ if ( sessionState == HTTPSession::S_FILEKNOWN || sessionState == HTTPSession::S_FILEREQUEST ) 
++ { ++ if ( pMessage->data.result ) ++ { ++ logInfo("Error: Submitting file info (%s, %s) failed: %s\n", session->getMD5().c_str(), session->getFileSourceURL().c_str(), curl_easy_strerror(pMessage->data.result)); ++ delete session; ++ curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle); ++ --m_Queued; ++ continue; ++ } ++ logInfo("File info submitted (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); ++ } ++ ++ switch ( sessionState ) ++ { ++ case HTTPSession::S_FILEKNOWN: ++ logInfo("File already known (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); ++ break; ++ case HTTPSession::S_FILEREQUEST: ++ logInfo("File upload requested (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); ++ session->setState(HTTPSession::S_FILEPENDING); ++ curl_multi_add_handle(m_CurlStack, session->getSubmitFileHandle()); ++ break; ++ case HTTPSession::S_FILEOK: ++ logInfo("File uploaded (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); ++ break; ++ case HTTPSession::S_ERROR: ++ logInfo("Error handling file (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); ++ break; ++ } ++ ++ curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle); ++ ++ if ( sessionState == HTTPSession::S_FILEKNOWN || ++ sessionState == HTTPSession::S_FILEOK || ++ sessionState == HTTPSession::S_ERROR ) ++ { ++ delete session; ++ --m_Queued; ++ } ++ } ++ } ++ } ++ ++ if ( m_Queued == 0 ) ++ m_Events.reset(EV_TIMEOUT); ++ ++ m_Timeout = time(NULL) + 1; ++ return 0; ++} ++ ++ ++extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) ++{ ++ if ( version == MODULE_IFACE_VERSION ) ++ { ++ *module = new HTTPSubmitHandler(nepenthes); ++ return 1; ++ } ++ else ++ { ++ return 0; ++ } ++} +diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.hpp nepenthes-0.2.0-r1345/modules/submit-http/submit-http.hpp +--- 
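Review bot: In HTTPSubmitHandler::handleEvent in submit-http.cpp, the error branch runs `delete session;` before `curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle);`, but ~HTTPSession calls curl_easy_cleanup on that very handle while it is still attached to the multi stack; swap the two statements so the handle is removed first. A session whose file upload completes without a recognisable reply keeps state S_FILEPENDING, which matches no case of the switch and neither side of the final delete condition, so the session object and its copied file buffer leak and `m_Queued` is never decremented, leaving the timeout event permanently armed; adding `sessionState == HTTPSession::S_FILEPENDING` to that last condition closes the gap. `#include "EventHandler.cpp"`, already flagged by the author's own comment, compiles a whole translation unit into the module and should be the header instead. Init also reads the three optional keys inside one try block, so when `submit-http.email` is absent `user` and `pass` are never read even if present; each optional key needs its own try/catch.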
nepenthes-0.2.0/modules/submit-http/submit-http.hpp 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,72 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2006 Niklas Schiffler ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++ /* $Id$ */ ++ ++#include ++#include /* new for v7 */ ++#include /* new for v7 */ ++ ++#include "Nepenthes.hpp" ++#include "Module.hpp" ++#include "SubmitHandler.hpp" ++#include "EventHandler.hpp" ++#include "Download.hpp" ++ ++ ++using namespace std; ++ ++namespace nepenthes ++{ ++ ++ class HTTPSubmitHandler : public Module , public SubmitHandler, public EventHandler ++ { ++ public: ++ HTTPSubmitHandler(Nepenthes *nep); ++ ~HTTPSubmitHandler(); ++ bool Init(); ++ bool Exit(); ++ ++ void Submit(Download *down); ++ void Hit(Download *down); ++ ++ uint32_t handleEvent(Event *event); ++ ++ protected: ++ CURLM* m_CurlStack; ++ int32_t m_Queued; ++ string m_URL; ++ string m_Email; ++ string m_User; ++ string m_Password; ++ ++ }; ++ ++} ++ ++extern nepenthes::Nepenthes *g_Nepenthes; +diff -ruN nepenthes-0.2.0/modules/submit-mwserv/Makefile.am nepenthes-0.2.0-r1345/modules/submit-mwserv/Makefile.am +--- nepenthes-0.2.0/modules/submit-mwserv/Makefile.am 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-mwserv/Makefile.am 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,19 @@ ++# nepenthes module Makefile ++# Paul Baecher, Maximillian Dornseif, Markus Koetter ++# $Id: Makefile.am 718 2006-12-28 23:29:59Z common $ ++ ++AUTOMAKE_OPTIONS = foreign ++ ++AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE ++AM_CXXFLAGS = -Wall -Werror ++ ++AM_LDFLAGS = $(LIB_CURL) ++ ++pkglib_LTLIBRARIES = submitmwserv.la ++ ++submitmwserv_la_SOURCES = submit-mwserv.cpp submit-mwserv.hpp ++submitmwserv_la_SOURCES += TransferSession.cpp TransferSession.hpp ++submitmwserv_la_SOURCES += submit-mwserv.conf.dist ++ ++submitmwserv_la_CXXFLAGS = -fno-strict-aliasing ++submitmwserv_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) +diff -ruN 
nepenthes-0.2.0/modules/submit-mwserv/TransferSession.cpp nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.cpp +--- nepenthes-0.2.0/modules/submit-mwserv/TransferSession.cpp 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,402 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2007 Georg Wicherski ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++#include "submit-mwserv.hpp" ++ ++#include "LogManager.hpp" ++#include "EventManager.hpp" ++ ++#include "POLLSocket.cpp" ++#include "Socket.cpp" ++ ++ ++ ++#if defined(__GNUG__) ++ #define MY_COMPILER "g++" ++#elif defined(__CYGWIN__) ++ #define MY_COMPILER "cygwin" ++#else ++ #define MY_COMPILER "unknown Compiler" ++#endif ++ ++#if defined(__FreeBSD__) ++# define MY_OS "FreeBSD" ++#elif defined(linux) || defined (__linux) ++# define MY_OS "Linux" ++#elif defined (__MACOSX__) || defined (__APPLE__) ++# define MY_OS "Mac OS X" ++#elif defined(__NetBSD__) ++# define MY_OS "NetBSD" ++#elif defined(__OpenBSD__) ++# define MY_OS "OpenBSD" ++#elif defined(_WIN32) || defined(__WIN32__) || defined(__TOS_WIN__) ++# define MY_OS "Windows" ++#elif defined(CYGWIN) ++# define MY_OS "Cygwin\Windows" ++#else ++# define MY_OS "Unknown OS" ++#endif ++ ++#if defined(__alpha__) || defined(__alpha) || defined(_M_ALPHA) ++# define MY_ARCH "Alpha" ++#elif defined(__arm__) ++# if defined(__ARMEB__) ++# define MY_ARCH "ARMeb" ++# else ++# define MY_ARCH "ARM" ++# endif ++#elif defined(i386) || defined(__i386__) || defined(__i386) || defined(_M_IX86) || defined(_X86_) || defined(__THW_INTEL) ++# define MY_ARCH "x86" ++#elif defined(__x86_64__) || defined(__amd64__) ++# define MY_ARCH "x86_64" ++#elif defined(__ia64__) || defined(_IA64) || defined(__IA64__) || defined(_M_IA64) ++# define MY_ARCH "Intel Architecture-64" ++#elif defined(__mips__) || defined(__mips) || defined(__MIPS__) ++# if defined(__mips32__) || defined(__mips32) ++# define MY_ARCH "MIPS32" ++# else ++# define MY_ARCH "MIPS" ++# endif ++#elif defined(__hppa__) || defined(__hppa) ++# define MY_ARCH "PA RISC" ++#elif defined(__powerpc) || defined(__powerpc__) || defined(__POWERPC__) || defined(__ppc__) || defined(_M_PPC) || defined(__PPC) || defined(__PPC__) ++# define 
MY_ARCH "PowerPC" ++#elif defined(__THW_RS6000) || defined(_IBMR2) || defined(_POWER) || defined(_ARCH_PWR) || defined(_ARCH_PWR2) ++# define MY_ARCH "RS/6000" ++#elif defined(__sparc__) || defined(sparc) || defined(__sparc) ++# define MY_ARCH "SPARC" ++#else ++# define MY_ARCH "Unknown Architecture" ++#endif ++ ++ ++ ++namespace nepenthes ++{ ++ ++ ++TransferSession::TransferSession(Type type, SubmitMwservModule * parent) ++{ ++ m_type = type; ++ m_parent = parent; ++ ++ m_sample.binary = 0; ++ m_multiHandle = 0; ++ m_postInfo = m_postInfoLast = 0; ++ m_curlHandle = 0; ++ ++ m_Type |= ST_NODEL; ++} ++ ++void TransferSession::transfer(TransferSample& sample, string url) ++{ ++ m_sample = sample; ++ ++ if(!(m_curlHandle = curl_easy_init()) || !(m_multiHandle = ++ curl_multi_init())) ++ { ++ logCrit("%s failed!\n", __PRETTY_FUNCTION__); ++ return; ++ } ++ ++ m_targetUrl = url; ++ m_sample = sample; ++ ++ initializeHandle(); ++} ++ ++TransferSession::~TransferSession() ++{ ++ Exit(); ++} ++ ++void TransferSession::initializeHandle() ++{ ++ m_postInfo = m_postInfoLast = 0; ++ ++ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "guid", ++ CURLFORM_COPYCONTENTS, m_sample.guid.c_str(), CURLFORM_END); ++ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, ++ "maintainer", CURLFORM_COPYCONTENTS, m_sample.maintainer.c_str(), ++ CURLFORM_END); ++ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "secret", ++ CURLFORM_COPYCONTENTS, m_sample.secret.c_str(), CURLFORM_END); ++ ++ if(m_type != TST_HEARTBEAT) ++ { ++ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "url", ++ CURLFORM_COPYCONTENTS, m_sample.url.c_str(), CURLFORM_END); ++ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "sha512", ++ CURLFORM_COPYCONTENTS, m_sample.sha512.c_str(), CURLFORM_END); ++ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "saddr", ++ CURLFORM_COPYCONTENTS, m_sample.saddr.c_str(), CURLFORM_END); ++ curl_formadd(&m_postInfo, 
&m_postInfoLast, CURLFORM_PTRNAME, "daddr", ++ CURLFORM_COPYCONTENTS, m_sample.daddr.c_str(), CURLFORM_END); ++ ++ if(m_type == TST_SAMPLE) ++ { ++ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "data", ++ CURLFORM_PTRCONTENTS, m_sample.binary, CURLFORM_CONTENTSLENGTH, ++ m_sample.binarySize, CURLFORM_END); ++ } ++ } ++ else ++ { ++ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "software", ++ CURLFORM_COPYCONTENTS, "nepenthes " VERSION " (" MY_OS ", " MY_ARCH ++ ", " MY_COMPILER ")", CURLFORM_END); ++ } ++ ++ curl_easy_setopt(m_curlHandle, CURLOPT_HTTPPOST, m_postInfo); ++ curl_easy_setopt(m_curlHandle, CURLOPT_FORBID_REUSE, 1); ++ curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYHOST, false); ++ curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYPEER, false); ++ curl_easy_setopt(m_curlHandle, CURLOPT_URL, m_targetUrl.c_str()); ++ curl_easy_setopt(m_curlHandle, CURLOPT_USERAGENT, ++ "nepenthes " VERSION " (" MY_OS ", " MY_ARCH ", " MY_COMPILER ")"); ++ curl_easy_setopt(m_curlHandle, CURLOPT_WRITEDATA, this); ++ curl_easy_setopt(m_curlHandle, CURLOPT_WRITEFUNCTION, ++ TransferSession::readData); ++ ++ CURLMcode error; ++ ++ if((error = curl_multi_add_handle(m_multiHandle, m_curlHandle))) ++ logCrit("Error adding easy to multi: %s\n", curl_multi_strerror(error)); ++ ++ int handles = 0; ++ ++ while(curl_multi_perform(m_multiHandle, &handles) == ++ CURLM_CALL_MULTI_PERFORM && handles); ++} ++ ++//size_t function( void *ptr, size_t size, size_t nmemb, void *stream); ++size_t TransferSession::readData(void *buffer, size_t s, size_t n, void *data) ++{ ++ ((TransferSession *) data)->m_buffer.append((const char *)buffer, s * n); ++ return s * n; ++} ++ ++TransferSession::Status TransferSession::getTransferStatus() ++{ ++ if(m_type != TST_HEARTBEAT) ++ { ++ if(m_buffer == "OK") ++ return TSS_OK; ++ else if(m_buffer == "UNKNOWN") ++ return TSS_UNKNOWN; ++ else ++ return TSS_ERROR; ++ } ++ else ++ { ++ if(m_buffer.substr(0, 4) == "OK: ") ++ return 
TSS_HEARTBEAT; ++ else ++ return TSS_ERROR; ++ } ++} ++ ++bool TransferSession::Init() ++{ ++ return true; ++} ++ ++bool TransferSession::Exit() ++{ ++ if(m_multiHandle) ++ curl_multi_remove_handle(m_multiHandle, m_curlHandle); ++ ++ if(m_postInfo) ++ curl_formfree(m_postInfo); ++ ++ if(m_curlHandle) ++ curl_easy_cleanup(m_curlHandle); ++ ++ if(m_multiHandle) ++ { ++ curl_multi_cleanup(m_multiHandle); ++ m_multiHandle = 0; ++ } ++ ++ if(m_sample.binary) ++ { ++ delete [] m_sample.binary; ++ m_sample.binary = 0; ++ } ++ ++ return true; ++} ++ ++bool TransferSession::wantSend() ++{ ++ fd_set readSet, writeSet, errorSet; ++ int maxFd = 0; ++ CURLMcode error; ++ FD_ZERO(&readSet); FD_ZERO(&writeSet); FD_ZERO(&errorSet); ++ ++ if((error = curl_multi_fdset(m_multiHandle, &readSet, &writeSet, &errorSet, ++ &maxFd))) ++ { ++ logCrit("Obtaining write socket failed: %s\n", ++ curl_multi_strerror(error)); ++ return false; ++ } ++ ++ return FD_ISSET(maxFd, &writeSet); ++} ++ ++int32_t TransferSession::doSend() ++{ ++ return doRecv(); ++} ++ ++int32_t TransferSession::doRecv() ++{ ++ int handles = 0, queued = 0; ++ ++ while(curl_multi_perform(m_multiHandle, &handles) == ++ CURLM_CALL_MULTI_PERFORM && handles); ++ ++ CURLMsg * message; ++ ++ while((message = curl_multi_info_read(m_multiHandle, &queued))) ++ { ++ if(message->msg == CURLMSG_DONE) ++ { ++ if(message->data.result) ++ { ++ logCrit("Connection to %s failed: %s [\"%s\"]\n", ++ m_targetUrl.c_str(), curl_easy_strerror(message-> ++ data.result), m_buffer.c_str()); ++ ++ if(m_type == TST_HEARTBEAT) ++ m_parent->scheduleHeartbeat(DEFAULT_HEARTBEAT_DELTA); ++ else ++ { ++ m_parent->retrySample(m_sample); ++ m_sample.binary = 0; ++ } ++ } ++ else ++ { ++ switch(getTransferStatus()) ++ { ++ case TransferSession::TSS_OK: ++ logInfo("Transmitted %s to %s.\n", m_sample.url.c_str(), ++ m_targetUrl.c_str()); ++ ++ break; ++ ++ case TransferSession::TSS_UNKNOWN: ++ logInfo("submit-mwserv: uploading data for %s\n", ++ 
m_sample.url.c_str()); ++ ++ m_parent->submitSample(m_sample); ++ m_sample.binary = 0; ++ ++ break; ++ ++ case TransferSession::TSS_HEARTBEAT: ++ { ++ unsigned long delta = strtoul(m_buffer.substr(4). ++ c_str(), 0, 0); ++ logDebug("Next heartbeat in %u seconds.\n", delta); ++ ++ m_parent->scheduleHeartbeat(delta); ++ ++ break; ++ } ++ ++ case TransferSession::TSS_ERROR: ++ if(m_type == TST_HEARTBEAT) ++ m_parent->scheduleHeartbeat(DEFAULT_HEARTBEAT_DELTA); ++ ++ logCrit("%s reported \"%s\"\n", m_targetUrl.c_str(), ++ m_buffer.c_str()); ++ ++ break; ++ } ++ } ++ ++ m_Type |= ~ST_NODEL; ++ m_Status = SS_CLOSED; ++ } ++ } ++ ++ return 0; ++} ++ ++int32_t TransferSession::getSocket() ++{ ++ if(!m_multiHandle) ++ return -1; ++ ++ fd_set readSet, writeSet, errorSet; ++ int maxFd = 0; ++ CURLMcode error; ++ FD_ZERO(&readSet); FD_ZERO(&writeSet); FD_ZERO(&errorSet); ++ ++ if((error = curl_multi_fdset(m_multiHandle, &readSet, &writeSet, &errorSet, ++ &maxFd))) ++ { ++ logCrit("Obtaining read socket failed: %s\n", ++ curl_multi_strerror(error)); ++ return -1; ++ } ++ ++ if(maxFd == -1) ++ return -1; ++ ++ if(!FD_ISSET(maxFd, &readSet) && !FD_ISSET(maxFd, &writeSet) && ++ !FD_ISSET(maxFd, &errorSet)) ++ { ++ logCrit("maxFd not in set: %i!\n", maxFd); ++ return -1; ++ } ++ ++ return maxFd; ++} ++ ++int32_t TransferSession::getsockOpt(int32_t level, int32_t optname, ++ void *optval, socklen_t *optlen) ++{ ++ return getsockopt(getSocket(), level, optname, optval, optlen); ++} ++ ++ ++} ++ ++ ++bool TransferSession::checkTimeout() ++{ ++ // if the connection is bad, give curl a chance to take care, so we can get rid of the connection ++ if (getSocket() == -1) ++ doRecv(); ++ ++ return false; ++} +diff -ruN nepenthes-0.2.0/modules/submit-mwserv/TransferSession.hpp nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.hpp +--- nepenthes-0.2.0/modules/submit-mwserv/TransferSession.hpp 1970-01-01 01:00:00.000000000 +0100 ++++ 
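Review bot: `m_Type |= ~ST_NODEL;` near the end of TransferSession::doRecv in TransferSession.cpp sets every bit except ST_NODEL instead of clearing it; the constructor sets the flag with `m_Type |= ST_NODEL;`, so the intended inverse is `m_Type &= ~ST_NODEL;`. The `MY_OS` literal `"Cygwin\Windows"` contains the unknown escape `\W`, which under the module's `-Wall -Werror` breaks the build whenever that branch is selected; use `"Cygwin\\Windows"`. In the TSS_HEARTBEAT case `delta` is an `unsigned long` printed with `%u`, and `m_sample.binarySize` (an `unsigned int`) is passed for `CURLFORM_CONTENTSLENGTH`, which libcurl reads as a `long`; both are silent mismatches on LP64, so use `%lu` and pass `(long)m_sample.binarySize`. wantSend calls `FD_ISSET(maxFd, &writeSet)` without the `maxFd == -1` check that getSocket performs. TransferSession::checkTimeout is defined after the closing brace of `namespace nepenthes`; unless a using-directive elsewhere brings the class into scope this will not compile, and moving the definition inside the namespace is the safe fix.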
nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,129 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2007 Georg Wicherski ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++#include ++#include ++#include ++ ++#include ++using namespace std; ++ ++#include "Nepenthes.hpp" ++#include "Module.hpp" ++#include "SubmitHandler.hpp" ++#include "Download.hpp" ++ ++#include "POLLSocket.hpp" ++ ++ ++namespace nepenthes ++{ ++ ++ ++struct TransferSample ++{ ++ string guid; ++ string maintainer; ++ string secret; ++ ++ string url; ++ string saddr, daddr; ++ string sha512; ++ ++ char * binary; ++ unsigned int binarySize; ++}; ++ ++ ++class SubmitMwservModule; ++ ++class TransferSession : public POLLSocket ++{ ++public: ++ enum Type ++ { ++ TST_INSTANCE, ++ TST_SAMPLE, ++ TST_HEARTBEAT, ++ }; ++ ++ TransferSession(Type type, SubmitMwservModule * parent); ++ virtual ~TransferSession(); ++ ++ enum Status ++ { ++ TSS_OK, ++ TSS_UNKNOWN, ++ TSS_HEARTBEAT, ++ TSS_ERROR, ++ }; ++ ++ TransferSession::Status getTransferStatus(); ++ ++ void transfer(TransferSample& sample, string url); ++ ++ // POLLSocket ++ bool Init(); ++ bool Exit(); ++ ++ bool wantSend(); ++ ++ int32_t doSend(); ++ int32_t doRecv(); ++ int32_t getSocket(); ++ int32_t getsockOpt(int32_t level, int32_t optname, ++ void *optval, socklen_t *optlen); ++ bool checkTimeout(); ++ ++protected: ++ string m_targetUrl; ++ TransferSample m_sample; ++ ++ CURL * m_curlHandle; ++ CURLM * m_multiHandle; ++ curl_httppost * m_postInfo, * m_postInfoLast; ++ ++ char * m_dataCopy; ++ unsigned int m_dataSize; ++ ++ void initializeHandle(); ++ void recreateWithSampleData(); ++ ++ string m_buffer; ++ ++ Type m_type; ++ SubmitMwservModule * m_parent; ++ ++ unsigned long m_heartbeatDelta; ++ ++private: ++ static size_t readData(void *buffer, size_t size, size_t n, void *data); ++}; ++ ++ ++} +diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.conf.dist nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.conf.dist +--- 
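Review bot: `TransferSession::Status getTransferStatus();` inside the class body in TransferSession.hpp carries an extra qualification on a member declaration, which g++ 4.1 and later rejects; declare it as `Status getTransferStatus();`. TransferSample's `char * binary` is an owning pointer that changes hands by convention — the session `delete []`s it in Exit, and doRecv nulls its copy after `retrySample`/`submitSample` — so a field comment such as `// heap buffer owned by whichever TransferSession currently holds the sample; freed in TransferSession::Exit` would document the contract until the field becomes a vector or shared_ptr. `m_dataCopy`, `m_dataSize`, `m_heartbeatDelta` and `recreateWithSampleData` are declared here but never referenced in TransferSession.cpp and can be dropped.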
nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.conf.dist 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.conf.dist 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,18 @@ ++// lightweight libcurl based module for file submission via HTTP to the mwserv ++// python script suite (typically running on an apache2 with mod_python) ++// This is primarily used by the mwcollect Alliance - alliance.mwcollect.org ++ ++submit-mwserv ++{ ++ // the url to send the submission requests to ++ url = ""; ++ ++ // username of the maintainer of this sensor ++ maintainer = ""; ++ ++ // guid of this sensor, as generated serverside; typically 8 chars ++ guid = ""; ++ ++ // shared secret used for authentication aka `password'; typically 48 chars ++ secret = ""; ++}; +diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.cpp nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.cpp +--- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.cpp 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,224 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2007 Georg Wicherski ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. 
++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++#include "Download.hpp" ++#include "Utilities.hpp" ++#include "SubmitManager.hpp" ++#include "LogManager.hpp" ++#include "Event.hpp" ++#include "EventManager.hpp" ++#include "EventHandler.cpp" ++#include "Config.hpp" ++#include "ModuleManager.hpp" ++#include "SocketManager.hpp" ++ ++#include "DownloadBuffer.hpp" ++#include "DownloadUrl.hpp" ++ ++#include "submit-mwserv.hpp" ++ ++#include ++#include ++#include ++#include ++ ++ ++#define SUBMIT_URI "nepenthes/submit" ++#define HEARTBEAT_URI "heartbeat" ++ ++ ++namespace nepenthes ++{ ++ ++ ++SubmitMwservModule::SubmitMwservModule(Nepenthes * nepenthes) ++{ ++ m_ModuleName = "submit-mwserv"; ++ m_ModuleDescription = "mwserv.py HTTP Post Submission"; ++ m_ModuleRevision = "$Rev: 921 $"; ++ m_Nepenthes = nepenthes; ++ m_SubmitterName = "submit-mwserv"; ++ m_SubmitterDescription = "mwserv.py HTTP Post Submission"; ++ ++ m_Timeout = 0; ++ m_TimeoutIntervall = 0; ++} ++ ++bool SubmitMwservModule::Init() ++{ ++ if(!m_Config) ++ { ++ logCrit("No configuration for submit-mwserv provided.\n"); ++ return false; ++ } ++ ++ try ++ { ++ m_url = m_Config->getValString("submit-mwserv.url"); ++ m_guid = m_Config->getValString("submit-mwserv.guid"); ++ m_maintainer = m_Config->getValString("submit-mwserv.maintainer"); ++ m_secret = m_Config->getValString("submit-mwserv.secret"); ++ } ++ catch(...) 
++ { ++ logCrit("Missing configuration option for submit-mwserv.\n"); ++ return false; ++ } ++ ++ if(m_guid.find(":") != string::npos || m_maintainer.find(":") ++ != string::npos || m_secret.find(":") != string::npos || ++ m_guid.find("+") != string::npos || m_maintainer.find("+") ++ != string::npos || m_secret.find("+") != string::npos) ++ { ++ logCrit("submit-mwserv: guid, maintainer or secret from configuration" ++ "contained ':' or '+'; this is not allowed.\n"); ++ return false; ++ } ++ ++ if(* m_url.rbegin() != '/') ++ m_url += "/"; ++ ++ REG_SUBMIT_HANDLER(this); ++ REG_EVENT_HANDLER(this); ++ ++ handleEvent(0); ++ ++ return true; ++} ++ ++bool SubmitMwservModule::Exit() ++{ ++ return true; ++} ++ ++void SubmitMwservModule::Submit(Download * download) ++{ ++ Hit(download); ++} ++ ++void SubmitMwservModule::Hit(Download * download) ++{ ++ TransferSample sample; ++ TransferSession * session = new TransferSession(TransferSession:: ++ TST_INSTANCE, this); ++ ++ { ++ struct in_addr saddr, daddr; ++ ++ saddr.s_addr = download->getRemoteHost(); ++ daddr.s_addr = download->getLocalHost(); ++ ++ sample.saddr = inet_ntoa(saddr); ++ sample.daddr = inet_ntoa(daddr); ++ ++ sample.guid = m_guid; ++ sample.maintainer = m_maintainer; ++ sample.secret = m_secret; ++ ++ sample.url = download->getUrl(); ++ sample.sha512 = download->getSHA512Sum(); ++ ++ sample.binarySize = download->getDownloadBuffer()->getSize(); ++ sample.binary = new char[sample.binarySize]; ++ memcpy(sample.binary, download->getDownloadBuffer()->getData(), ++ sample.binarySize); ++ } ++ ++ session->transfer(sample, m_url + SUBMIT_URI); ++ g_Nepenthes->getSocketMgr()->addPOLLSocket(session); ++} ++ ++void SubmitMwservModule::retrySample(TransferSample& sample) ++{ ++ TransferSession * session = new TransferSession(TransferSession:: ++ TST_INSTANCE, this); ++ ++ session->transfer(sample, m_url + SUBMIT_URI); ++ g_Nepenthes->getSocketMgr()->addPOLLSocket(session); ++} ++ ++void 
SubmitMwservModule::submitSample(TransferSample& sample) ++{ ++ TransferSession * session = new TransferSession(TransferSession:: ++ TST_SAMPLE, this); ++ ++ session->transfer(sample, m_url + SUBMIT_URI); ++ g_Nepenthes->getSocketMgr()->addPOLLSocket(session); ++} ++ ++uint32_t SubmitMwservModule::handleEvent(Event * ev) ++{ ++ m_Events.reset(EV_TIMEOUT); ++ ++ TransferSample sample; ++ TransferSession * session = new TransferSession(TransferSession:: ++ TST_HEARTBEAT, this); ++ ++ sample.guid = m_guid; ++ sample.maintainer = m_maintainer; ++ sample.secret = m_secret; ++ sample.binary = 0; ++ ++ session->transfer(sample, m_url + HEARTBEAT_URI); ++ g_Nepenthes->getSocketMgr()->addPOLLSocket(session); ++ ++ return 0; ++} ++ ++void SubmitMwservModule::scheduleHeartbeat(unsigned long delta) ++{ ++ if(delta > MAX_HEARTBEAT_DELTA) ++ { ++ logInfo("Capping server heartbeat delta of %u sec to %u sec.\n", delta, ++ MAX_HEARTBEAT_DELTA); ++ ++ delta = MAX_HEARTBEAT_DELTA; ++ } ++ ++ m_Events.set(EV_TIMEOUT); ++ m_Timeout = time(0) + delta; ++} ++ ++ ++extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) ++{ ++ g_Nepenthes = nepenthes; ++ ++ if(version == MODULE_IFACE_VERSION) ++ { ++ * module = new SubmitMwservModule(nepenthes); ++ return 1; ++ } ++ ++ return 0; ++} ++ ++ ++} ++ ++Nepenthes * g_Nepenthes; +diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.hpp nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.hpp +--- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.hpp 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,78 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2007 Georg Wicherski ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it 
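Review bot: `if(* m_url.rbegin() != '/')` in `Init()` dereferences the reverse iterator of an empty string when `url` is left at the shipped default `""`, which is undefined behaviour; reject the empty value first, `if(m_url.empty()) { logCrit("submit-mwserv: url must not be empty.\n"); return false; }`. In the same function the ':'/'+' rejection message is built from two adjacent literals with no separating space, so it logs "configurationcontained"; add the space. `scheduleHeartbeat` formats the `unsigned long` `delta` with `%u`; use `%lu` for that argument. `handleEvent` sets `sample.binary = 0` but leaves `sample.binarySize` uninitialised, and `m_inTransfer` from the header is never initialised in the constructor.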
and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. ++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++#include ++#include ++#include ++ ++#include "Nepenthes.hpp" ++#include "Module.hpp" ++#include "SubmitHandler.hpp" ++#include "EventHandler.hpp" ++#include "Download.hpp" ++ ++#include "TransferSession.hpp" ++ ++ ++#define DEFAULT_HEARTBEAT_DELTA 30 ++#define MAX_HEARTBEAT_DELTA 300 ++ ++ ++using namespace std; ++ ++namespace nepenthes ++{ ++ ++ ++class SubmitMwservModule : public Module , public SubmitHandler, ++ public EventHandler ++{ ++public: ++ SubmitMwservModule(Nepenthes * nepenthes); ++ ++ bool Init(); ++ bool Exit(); ++ ++ void Submit(Download * download); ++ void Hit(Download * download); ++ ++ uint32_t handleEvent(Event *event); ++ ++ void submitSample(TransferSample& sample); ++ void retrySample(TransferSample& sample); ++ void scheduleHeartbeat(unsigned long delta); ++ ++protected: ++ string m_url, m_guid, m_maintainer, m_secret; ++ uint32_t m_inTransfer; ++}; ++ ++ ++} ++ ++extern nepenthes::Nepenthes *g_Nepenthes; +diff -ruN nepenthes-0.2.0/modules/submit-norman/Makefile.am nepenthes-0.2.0-r1345/modules/submit-norman/Makefile.am +--- nepenthes-0.2.0/modules/submit-norman/Makefile.am 2006-11-13 20:40:09.000000000 +0100 ++++ 
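Review bot: submit-mwserv.hpp has no include guard, and neither does vuln-sav.hpp further down in this patch; wrap each header in `#ifndef`/`#define`/`#endif` with a guard name derived from the file name so a second inclusion does not redefine the classes. `using namespace std;` at file scope in both headers pulls the std namespace into every translation unit that includes them; qualify `std::string` in the member declarations instead. `m_inTransfer` is declared here but is not initialised by the constructor in submit-mwserv.cpp.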
nepenthes-0.2.0-r1345/modules/submit-norman/Makefile.am 2007-08-06 00:46:15.000000000 +0200 +@@ -12,4 +12,4 @@ + + submitnorman_la_SOURCES = submit-norman.conf.dist submit-norman.hpp submit-norman.cpp + +-submitnorman_la_LDFLAGS = -module -no-undefined -avoid-version ++submitnorman_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) +diff -ruN nepenthes-0.2.0/modules/submit-norman/submit-norman.conf.dist nepenthes-0.2.0-r1345/modules/submit-norman/submit-norman.conf.dist +--- nepenthes-0.2.0/modules/submit-norman/submit-norman.conf.dist 2006-11-13 20:40:09.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-norman/submit-norman.conf.dist 2007-08-06 00:46:15.000000000 +0200 +@@ -1,8 +1,8 @@ + submit-norman + { + // this is the adress where norman sandbox reports will be sent +- email "malware@mac.com"; +- urls ("http://sandbox.norman.no/live_4.html", ++ email "nsbx@mwcollect.org"; ++ urls ("http://www.norman.com/microsites/nsic/Submit/Special/45773/", + "http://luigi.informatik.uni-mannheim.de/submit.php?action=verify"); + + }; +diff -ruN nepenthes-0.2.0/modules/submit-postgres/Makefile.am nepenthes-0.2.0-r1345/modules/submit-postgres/Makefile.am +--- nepenthes-0.2.0/modules/submit-postgres/Makefile.am 2006-11-13 20:40:05.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/submit-postgres/Makefile.am 2007-08-06 00:46:15.000000000 +0200 +@@ -13,5 +13,6 @@ + submitpostgres_la_SOURCES = submit-postgres.cpp submit-postgres.hpp + submitpostgres_la_SOURCES += PGDownloadContext.cpp PGDownloadContext.hpp + submitpostgres_la_SOURCES += bencoding.c bencoding.h ++submitpostgres_la_SOURCES += submit-postgres.conf.dist + + submitpostgres_la_LDFLAGS = -module -no-undefined -avoid-version +diff -ruN nepenthes-0.2.0/modules/vuln-asn1/IISDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-asn1/IISDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-asn1/IISDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-asn1/IISDialogue.cpp 2007-08-06 
00:46:15.000000000 +0200 +@@ -43,6 +43,9 @@ + + #include "Socket.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" ++ + #ifdef STDTAGS + #undef STDTAGS + #endif +@@ -79,7 +82,7 @@ + case IIS_POST: + case IIS_GET: + logWarn("Unknown IIS %i bytes State %i\n",m_Buffer->getSize(), m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + break; + + case IIS_SEARCH: +@@ -102,7 +105,7 @@ + ConsumeLevel IISDialogue::incomingData(Message *msg) + { + m_Buffer->add(msg->getMsg(),msg->getSize()); +-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++// HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + + // FIXME this can only recognize urldownloadtofile foobar + +diff -ruN nepenthes-0.2.0/modules/vuln-asn1/SMBDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-asn1/SMBDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-asn1/SMBDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-asn1/SMBDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -43,8 +43,13 @@ + #include "Utilities.hpp" + #include "ShellcodeManager.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" ++ + #include "vuln-asn1.hpp" + ++ ++ + #ifdef STDTAGS + #undef STDTAGS + #endif +@@ -227,5 +232,5 @@ + void SMBDialogue::dump() + { + logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","ASN1_SMB",m_Buffer->getSize(),m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + } +diff -ruN nepenthes-0.2.0/modules/vuln-bagle/BagleDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-bagle/BagleDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-bagle/BagleDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 ++++ 
nepenthes-0.2.0-r1345/modules/vuln-bagle/BagleDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -124,7 +124,7 @@ + } + + logCrit("Unknown Bagle Auth (%i)\n",m_Buffer->getSize()); +- g_Nepenthes->getUtilities()->hexdump(l_crit | STDTAGS ,(byte *)m_Buffer->getData(),m_Buffer->getSize()); ++// g_Nepenthes->getUtilities()->hexdump(l_crit | STDTAGS ,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + if (m_Buffer->getSize() > 128 ) + return CL_DROP; + +diff -ruN nepenthes-0.2.0/modules/vuln-bagle/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-bagle/Makefile.am +--- nepenthes-0.2.0/modules/vuln-bagle/Makefile.am 2006-11-13 20:40:09.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-bagle/Makefile.am 2007-08-06 00:46:15.000000000 +0200 +@@ -6,7 +6,6 @@ + + AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE + AM_CXXFLAGS = -Wall -Werror +-AM_LDFLAGS = -lpcre + + pkglib_LTLIBRARIES = vulnbagle.la + +diff -ruN nepenthes-0.2.0/modules/vuln-dameware/DWDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-dameware/DWDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-dameware/DWDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-dameware/DWDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -48,6 +48,9 @@ + + #include "Utilities.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" ++ + #ifdef STDTAGS + #undef STDTAGS + #endif +@@ -209,5 +212,5 @@ + void DWDialogue::dump() + { + logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","DameWare",m_Buffer->getSize(),m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + } +diff -ruN nepenthes-0.2.0/modules/vuln-dcom/DCOMDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-dcom/DCOMDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-dcom/DCOMDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 ++++ 
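Review bot: The hexdump of an unrecognised Bagle auth payload is commented out rather than migrated to `HEXDUMP(m_Socket, ...)` as the sibling `dump()` hunks in vuln-asn1, vuln-dameware, vuln-dcom and the other dialogue modules do, so the data behind the `logCrit("Unknown Bagle Auth ...")` line is no longer recorded anywhere. If the intent is to keep capturing unknown payloads, replace the commented line with `HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());` and add the `EventManager.hpp`/`SocketEvent.hpp` includes the other dialogues gained in this patch; if the dump is deliberately dropped, a one-line comment saying so would help the next reader. The enclosing function starts outside the hunk.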
nepenthes-0.2.0-r1345/modules/vuln-dcom/DCOMDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -39,6 +39,10 @@ + #include "Utilities.hpp" + + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" ++ ++ + #ifdef STDTAGS + #undef STDTAGS + #endif +@@ -234,5 +238,5 @@ + void DCOMDialogue::dump() + { + logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","DCOM",m_Buffer->getSize(),m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + } +diff -ruN nepenthes-0.2.0/modules/vuln-ftpd/vuln-ftpd.cpp nepenthes-0.2.0-r1345/modules/vuln-ftpd/vuln-ftpd.cpp +--- nepenthes-0.2.0/modules/vuln-ftpd/vuln-ftpd.cpp 2006-11-13 20:40:03.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-ftpd/vuln-ftpd.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -55,6 +55,9 @@ + + #include "Utilities.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" ++ + #ifdef STDTAGS + #undef STDTAGS + #endif +@@ -220,7 +223,7 @@ + uint32_t i = 0; + bool buffercut=false; + +- g_Nepenthes->getUtilities()->hexdump((byte *) m_Buffer->getData(),m_Buffer->getSize()); ++// g_Nepenthes->getUtilities()->hexdump((byte *) m_Buffer->getData(),m_Buffer->getSize()); + while ( i < m_Buffer->getSize() ) + { + buffercut = false; +@@ -418,7 +421,7 @@ + void FTPdDialogue::dump() + { + logWarn("Unknown exploit %i bytes \n",m_Shellcode->getSize()); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Shellcode->getData(), m_Shellcode->getSize()); ++ HEXDUMP(m_Socket,(byte *) m_Shellcode->getData(), m_Shellcode->getSize()); + } + + ftp_exploit FTPdDialogue::identExploit(string line) +diff -ruN nepenthes-0.2.0/modules/vuln-iis/IISDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-iis/IISDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-iis/IISDialogue.cpp 2006-11-13 20:40:10.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-iis/IISDialogue.cpp 2007-08-06 00:46:15.000000000 
+0200 +@@ -49,6 +49,9 @@ + #include "Message.hpp" + #include "Message.cpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" ++ + #ifdef STDTAGS + #undef STDTAGS + #endif +@@ -85,7 +88,7 @@ + case IIS_NULL: + case IIS_SSL: + logWarn("Unknown IIS SSL exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + break; + + case IIS_DONE: +diff -ruN nepenthes-0.2.0/modules/vuln-lsass/LSASSDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-lsass/LSASSDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-lsass/LSASSDialogue.cpp 2006-11-13 20:40:11.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-lsass/LSASSDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -46,6 +46,8 @@ + #include "Buffer.hpp" + #include "Buffer.cpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" + + #ifdef STDTAGS + #undef STDTAGS +@@ -281,6 +283,6 @@ + void LSASSDialogue::dump() + { + logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","LSASS",m_Buffer->getSize(),m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + } + +diff -ruN nepenthes-0.2.0/modules/vuln-msdtc/MSDTCDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-msdtc/MSDTCDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-msdtc/MSDTCDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-msdtc/MSDTCDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -38,6 +38,8 @@ + #include "ShellcodeManager.hpp" + #include "Utilities.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" + + #ifdef STDTAGS + #undef STDTAGS +@@ -181,5 +183,5 @@ + void MSDTCDialogue::dump() + { + logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","MSDTC",m_Buffer->getSize(),m_State); +- 
g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + } +diff -ruN nepenthes-0.2.0/modules/vuln-msmq/MSMQDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-msmq/MSMQDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-msmq/MSMQDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-msmq/MSMQDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -43,6 +43,8 @@ + #include "Nepenthes.hpp" + #include "LogManager.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" + + using namespace nepenthes; + +@@ -73,7 +75,7 @@ + case MSMQ_NULL: + case MSMQ_SHELLCODE: + logWarn("Unknown MSMQ exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + break; + + case MSMQ_DONE: +diff -ruN nepenthes-0.2.0/modules/vuln-mssql/MSSQLDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-mssql/MSSQLDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-mssql/MSSQLDialogue.cpp 2006-11-13 20:40:03.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-mssql/MSSQLDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -41,6 +41,9 @@ + + #include "Utilities.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" ++ + #ifdef STDTAGS + #undef STDTAGS + #endif +@@ -115,7 +118,7 @@ + } + else + { // hexdump it +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte*)msg->getMsg(),msg->getSize()); ++ HEXDUMP(m_Socket,(byte*)msg->getMsg(),msg->getSize()); + + } + +diff -ruN nepenthes-0.2.0/modules/vuln-netbiosname/SMBNameDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-netbiosname/SMBNameDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-netbiosname/SMBNameDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-netbiosname/SMBNameDialogue.cpp 2007-08-06 
00:46:15.000000000 +0200 +@@ -49,6 +49,8 @@ + + #include "Utilities.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" + + #ifdef STDTAGS + #undef STDTAGS +@@ -146,7 +148,7 @@ + case SMBName_NEGOTIATE: + case SMBName_NULL: + logWarn("Unknown SMBName exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); +-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++// HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + break; + + +diff -ruN nepenthes-0.2.0/modules/vuln-netdde/NETDDEDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-netdde/NETDDEDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-netdde/NETDDEDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-netdde/NETDDEDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -49,6 +49,8 @@ + + #include "Utilities.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" + + #ifdef STDTAGS + #undef STDTAGS +@@ -201,5 +203,5 @@ + void NETDDEDialogue::dump() + { + logWarn("Unknown NETDDE exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + } +diff -ruN nepenthes-0.2.0/modules/vuln-optix/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-optix/Makefile.am +--- nepenthes-0.2.0/modules/vuln-optix/Makefile.am 2006-11-13 20:40:08.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-optix/Makefile.am 2007-08-06 00:46:15.000000000 +0200 +@@ -12,4 +12,4 @@ + + vulnoptix_la_SOURCES = vuln-optix.conf.dist OPTIXBindDialogue.hpp OPTIXDownloadDialogue.hpp OPTIXDownloadHandler.hpp OPTIXShellDialogue.hpp vuln-optix.hpp OPTIXBindDialogue.cpp OPTIXDownloadDialogue.cpp OPTIXDownloadHandler.cpp OPTIXShellDialogue.cpp vuln-optix.cpp + +-vulnoptix_la_LDFLAGS = -module -no-undefined -avoid-version ++vulnoptix_la_LDFLAGS = -module -no-undefined 
-avoid-version $(AM_LDFLAGS) +diff -ruN nepenthes-0.2.0/modules/vuln-optix/OPTIXShellDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-optix/OPTIXShellDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-optix/OPTIXShellDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-optix/OPTIXShellDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -107,7 +107,7 @@ + case OPTIX_AUTHED: + if (m_Buffer->getSize() >= 6) + { +- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); ++// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); + // we could do this with pcre ... + if (memcmp(m_Buffer->getData(),"019¬\r\n",6) == 0) + { +diff -ruN nepenthes-0.2.0/modules/vuln-pnp/PNPDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-pnp/PNPDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-pnp/PNPDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-pnp/PNPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -47,6 +47,8 @@ + #include "Buffer.hpp" + #include "Buffer.cpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" + + #ifdef STDTAGS + #undef STDTAGS +@@ -276,5 +278,5 @@ + void PNPDialogue::dump() + { + logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","PNP",m_Buffer->getSize(),m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + } +diff -ruN nepenthes-0.2.0/modules/vuln-realvnc/vuln-realvnc.cpp nepenthes-0.2.0-r1345/modules/vuln-realvnc/vuln-realvnc.cpp +--- nepenthes-0.2.0/modules/vuln-realvnc/vuln-realvnc.cpp 2006-11-13 20:40:07.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-realvnc/vuln-realvnc.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -246,7 +246,7 @@ + { + + logSpam("VNC_HANDSHAKE\n"); +- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); ++// 
g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); + if (m_Buffer->getSize() >= strlen(rfb_version_003_008) && + memcmp(m_Buffer->getData(),rfb_version_003_008,strlen(rfb_version_003_008)) == 0) + { +@@ -262,7 +262,7 @@ + if ( m_State == VNC_AUTH) + { + logSpam("VNC_AUTH\n"); +- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); ++// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); + if (m_Buffer->getSize() >= 1 ) + { + if (1)// *(char *) (m_Buffer->getData()) == 1) +@@ -546,7 +546,7 @@ + + case 6: + logSpam("ClientReq: CutEvent\n"); +- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); ++// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); + if (m_Buffer->getSize() >= 8 ) + { + uint32_t cpbytes; +diff -ruN nepenthes-0.2.0/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -49,6 +49,8 @@ + + #include "Utilities.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" + + #ifdef STDTAGS + #undef STDTAGS +@@ -219,5 +221,5 @@ + void SasserFTPDDialogue::dump() + { + logWarn("Unknown SasserFTPD exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + } +diff -ruN nepenthes-0.2.0/modules/vuln-sav/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-sav/Makefile.am +--- nepenthes-0.2.0/modules/vuln-sav/Makefile.am 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-sav/Makefile.am 2007-08-06 00:46:15.000000000 
+0200 +@@ -0,0 +1,14 @@ ++# nepenthes module Makefile ++# Paul Baecher, Maximillian Dornseif, Markus Koetter ++# $Id$ ++ ++AUTOMAKE_OPTIONS = foreign ++ ++AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE ++AM_CXXFLAGS = -Wall -Werror ++ ++pkglib_LTLIBRARIES = vulnsav.la ++ ++vulnsav_la_SOURCES = vuln-sav.cpp vuln-sav.hpp ++ ++vulnsav_la_LDFLAGS = -module -no-undefined -avoid-version +diff -ruN nepenthes-0.2.0/modules/vuln-sav/vuln-sav.cpp nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.cpp +--- nepenthes-0.2.0/modules/vuln-sav/vuln-sav.cpp 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,278 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++ /* $Id$ */ ++ ++#include ++ ++#include "vuln-sav.hpp" ++ ++#include "SocketManager.hpp" ++ ++#include "DownloadManager.hpp" ++#include "LogManager.hpp" ++#include "DialogueFactoryManager.hpp" ++ ++ ++#include "Buffer.hpp" ++#include "Buffer.cpp" ++ ++#include "Message.hpp" ++#include "Message.cpp" ++ ++#include "ShellcodeManager.hpp" ++ ++#include "Config.hpp" ++ ++#include "Download.hpp" ++ ++#ifdef STDTAGS ++#undef STDTAGS ++#endif ++#define STDTAGS l_mod ++ ++using namespace nepenthes; ++ ++ ++/** ++ * as we may need a global pointer to our Nepenthes in our modules, ++ * and cant access the cores global pointer to nepenthes ++ * we have to use a own global pointer to nepenthes per module ++ * we need this pointer for logInfo() etc ++ */ ++Nepenthes *g_Nepenthes; ++ ++/** ++ * The Constructor ++ * creates a new VulnSAV Module, ++ * VulnSAV is an example for binding a socket & setting up the Dialogue & DialogueFactory ++ * ++ * ++ * it can be used as a shell emu to allow trigger commands ++ * ++ * ++ * sets the following values: ++ * - m_DialogueFactoryName ++ * - m_DialogueFactoryDescription ++ * ++ * @param nepenthes the pointer to our Nepenthes ++ */ ++VulnSAV::VulnSAV(Nepenthes *nepenthes) ++{ ++ m_ModuleName = "vuln-sav"; ++ m_ModuleDescription = "emulate the bug in symantec antivirus product"; ++ m_ModuleRevision = "$Rev$"; ++ m_Nepenthes = nepenthes; ++ ++ m_DialogueFactoryName = "SAV Factory"; ++ m_DialogueFactoryDescription = "Symantec Antivirus Client Dialogue Factory"; ++ ++ g_Nepenthes = nepenthes; ++} ++ ++VulnSAV::~VulnSAV() ++{ ++ ++} ++ ++ ++/** ++ * Module::Init() ++ * ++ * binds the port, adds the DialogueFactory to the Socket ++ * ++ * @return returns true if everything was fine, else false ++ * false indicates a fatal error ++ */ ++bool VulnSAV::Init() ++{ ++/* if ( m_Config == NULL ) ++ { ++ 
logCrit("I need a config\n"); ++ return false; ++ } ++*/ ++ m_Nepenthes->getSocketMgr()->bindTCPSocket(0,2967,0,30,this); ++ return true; ++} ++ ++bool VulnSAV::Exit() ++{ ++ return true; ++} ++ ++/** ++ * DialogueFactory::createDialogue(Socket *) ++ * ++ * creates a new SAVDialogue ++ * ++ * @param socket the socket the DIalogue has to use, can be NULL if the Dialogue can handle it ++ * ++ * @return returns the new created dialogue ++ */ ++Dialogue *VulnSAV::createDialogue(Socket *socket) ++{ ++ return new SAVDialogue(socket); ++// return g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory")->createDialogue(socket); ++} ++ ++ ++ ++ ++ ++ ++ ++/** ++ * Dialogue::Dialogue(Socket *) ++ * construktor for the SAVDialogue, creates a new SAVDialogue ++ * ++ * replies some crap to the socket ++ * ++ * @param socket the Socket the Dialogue has to use ++ */ ++SAVDialogue::SAVDialogue(Socket *socket) ++{ ++ m_Socket = socket; ++ m_DialogueName = "SAVDialogue"; ++ m_DialogueDescription = "Symantec Antivirus Dialogue"; ++ ++ m_ConsumeLevel = CL_ASSIGN; ++ ++ m_Buffer = new Buffer(512); ++} ++ ++SAVDialogue::~SAVDialogue() ++{ ++ delete m_Buffer; ++} ++ ++/** ++ * Dialogue::incomingData(Message *) ++ * ++ * a small and ugly shell where we can use ++ * "download protocol://localction:port/path/to/file ++ * to trigger a download ++ * ++ * @param msg the Message the Socker received. 
++ * ++ * ++ * @return CL_ASSIGN ++ */ ++ConsumeLevel SAVDialogue::incomingData(Message *msg) ++{ ++ ++ m_Buffer->add(msg->getMsg(),msg->getSize()); ++ ++ if ( m_Buffer->getSize() > 0xcd0 ) ++ { ++ Message *Msg = new Message((char *)m_Buffer->getData(), m_Buffer->getSize(),m_Socket->getLocalPort(), m_Socket->getRemotePort(), ++ m_Socket->getLocalHost(), m_Socket->getRemoteHost(), m_Socket, m_Socket); ++ sch_result sch; ++ sch = g_Nepenthes->getShellcodeMgr()->handleShellcode(&Msg); ++ delete Msg; ++ ++ if ( sch == SCH_DONE ) ++ { ++ m_Buffer->clear(); ++ return CL_ASSIGN_AND_DONE; ++ } ++ ++ } ++ ++ return CL_ASSIGN; ++} ++ ++/** ++ * Dialogue::outgoingData(Message *) ++ * as we are not interested in these socket actions ++ * we simply return CL_DROP to show the socket ++ * ++ * @param msg ++ * ++ * @return CL_DROP ++ */ ++ConsumeLevel SAVDialogue::outgoingData(Message *msg) ++{ ++ return CL_ASSIGN; ++} ++ ++/** ++ * Dialogue::handleTimeout(Message *) ++ * as we are not interested in these socket actions ++ * we simply return CL_DROP to show the socket ++ * ++ * @param msg ++ * ++ * @return CL_DROP ++ */ ++ConsumeLevel SAVDialogue::handleTimeout(Message *msg) ++{ ++ return CL_DROP; ++} ++ ++/** ++ * Dialogue::connectionLost(Message *) ++ * as we are not interested in these socket actions ++ * we simply return CL_DROP to show the socket ++ * ++ * @param msg ++ * ++ * @return CL_DROP ++ */ ++ConsumeLevel SAVDialogue::connectionLost(Message *msg) ++{ ++ return CL_DROP; ++} ++ ++/** ++ * Dialogue::connectionShutdown(Message *) ++ * as we are not interested in these socket actions ++ * we simply return CL_DROP to show the socket ++ * ++ * @param msg ++ * ++ * @return CL_DROP ++ */ ++ConsumeLevel SAVDialogue::connectionShutdown(Message *msg) ++{ ++ return CL_DROP; ++} ++ ++ ++ ++ ++extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) ++{ ++ if ( version == MODULE_IFACE_VERSION ) ++ { ++ *module = new VulnSAV(nepenthes); ++ return (1); ++ 
} else ++ { ++ return (0); ++ } ++} +diff -ruN nepenthes-0.2.0/modules/vuln-sav/vuln-sav.hpp nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.hpp +--- nepenthes-0.2.0/modules/vuln-sav/vuln-sav.hpp 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,72 @@ ++/******************************************************************************** ++ * Nepenthes ++ * - finest collection - ++ * ++ * ++ * ++ * Copyright (C) 2005 Paul Baecher & Markus Koetter ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License ++ * as published by the Free Software Foundation; either version 2 ++ * of the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
++ * ++ * ++ * contact nepenthesdev@users.sourceforge.net ++ * ++ *******************************************************************************/ ++ ++ /* $Id$ */ ++ ++#include "DialogueFactory.hpp" ++#include "Module.hpp" ++#include "ModuleManager.hpp" ++#include "SocketManager.hpp" ++#include "Nepenthes.hpp" ++#include "Dialogue.hpp" ++#include "Socket.hpp" ++ ++using namespace std; ++ ++namespace nepenthes ++{ ++ ++ class Buffer; ++ ++ class VulnSAV : public Module , public DialogueFactory ++ { ++ public: ++ VulnSAV(Nepenthes *); ++ ~VulnSAV(); ++ Dialogue *createDialogue(Socket *socket); ++ bool Init(); ++ bool Exit(); ++ }; ++ ++ class SAVDialogue : public Dialogue ++ { ++ public: ++ SAVDialogue(Socket *socket); ++ ~SAVDialogue(); ++ ConsumeLevel incomingData(Message *msg); ++ ConsumeLevel outgoingData(Message *msg); ++ ConsumeLevel handleTimeout(Message *msg); ++ ConsumeLevel connectionLost(Message *msg); ++ ConsumeLevel connectionShutdown(Message *msg); ++ ++ protected: ++ Buffer *m_Buffer; ++ ++ }; ++ ++} ++extern nepenthes::Nepenthes *g_Nepenthes; +diff -ruN nepenthes-0.2.0/modules/vuln-sav/x-2.conf.dist nepenthes-0.2.0-r1345/modules/vuln-sav/x-2.conf.dist +--- nepenthes-0.2.0/modules/vuln-sav/x-2.conf.dist 1970-01-01 01:00:00.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-sav/x-2.conf.dist 2007-08-06 00:46:15.000000000 +0200 +@@ -0,0 +1,5 @@ ++x-2 ++{ ++ ports ("10002"); ++ accepttimeout "45"; ++}; +diff -ruN nepenthes-0.2.0/modules/vuln-ssh/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-ssh/Makefile.am +--- nepenthes-0.2.0/modules/vuln-ssh/Makefile.am 2006-11-13 20:40:03.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-ssh/Makefile.am 2007-08-06 00:46:15.000000000 +0200 +@@ -10,6 +10,6 @@ + + pkglib_LTLIBRARIES = vulnssh.la + +-vulnssh_la_SOURCES = vuln-ssh.cpp vuln-ssh.hpp SSHSocket.cpp SSHSocket.hpp SSHDialogue.cpp SSHDialogue.hpp vuln-ssh.conf.dist ++vulnssh_la_SOURCES = vuln-ssh.cpp vuln-ssh.hpp SSHSocket.cpp SSHSocket.hpp 
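Review bot: The new vuln-sav.hpp has no include guard and places `using namespace std;` at file scope, so a second inclusion in one translation unit redefines VulnSAV and SAVDialogue, and every includer silently inherits the std namespace. Wrap the file in `#ifndef VULN_SAV_HPP` / `#define VULN_SAV_HPP` … `#endif` and drop the using-directive, since nothing in the header itself names a std type. Whether `~SAVDialogue()` needs to be virtual depends on the Dialogue base, which is not on this page; if Dialogue's destructor is non-virtual, deleting through a `Dialogue *` would skip the `m_Buffer` cleanup, so confirm.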
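Review bot: The config shipped with modules/vuln-sav is named x-2.conf.dist and its top-level section is `x-2`, while the module class created in module_init is VulnSAV; the other config on this page (log-prelude.conf.dist) keys its section on the module name. If VulnSAV::Init, which lies outside this hunk, looks up `vuln-sav.ports`, the port list here is never found and no listener is bound. Confirm which key Init reads and either rename the file and section to `vuln-sav` or add a line such as `// section name must match the key read by VulnSAV::Init` so the mismatch is visibly deliberate.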
SSHDialogue.cpp SSHDialogue.hpp + +-vulnssh_la_LDFLAGS = -module -no-undefined -avoid-version ++vulnssh_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) +diff -ruN nepenthes-0.2.0/modules/vuln-upnp/UPNPDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-upnp/UPNPDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-upnp/UPNPDialogue.cpp 2006-11-13 20:40:10.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-upnp/UPNPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -49,6 +49,8 @@ + + #include "Utilities.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" + + #ifdef STDTAGS + #undef STDTAGS +@@ -190,5 +192,5 @@ + void UPNPDialogue::dump() + { + logWarn("Unknown UPNP exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + } +diff -ruN nepenthes-0.2.0/modules/vuln-veritas/VERITASDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-veritas/VERITASDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-veritas/VERITASDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-veritas/VERITASDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -49,6 +49,8 @@ + + #include "Utilities.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" + + #ifdef STDTAGS + #undef STDTAGS +@@ -98,7 +100,7 @@ + m_Buffer->add(msg->getMsg(),msg->getSize()); + + logInfo("Traffic for VERITAS (%i bytes)\n",msg->getSize()); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS|l_warn,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++// g_Nepenthes->getUtilities()->hexdump(STDTAGS|l_warn,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + + /* + switch (m_State) +@@ -189,5 +191,5 @@ + void VERITASDialogue::dump() + { + logWarn("Unknown VERITAS exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) 
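Review bot: The `HEXDUMP` macro this call now uses is gated on `HAVE_DEBUG_LOGGING` (SocketEvent.hpp on this page), so in a release build UPNPDialogue::dump emits only the byte count and state in the warning and the bytes in `m_Buffer` are never recorded. Unrecognised exploit traffic is the most valuable thing a honeypot can capture, so consider raising the event unconditionally and letting the EV_HEXDUMP handler decide what to keep, or at minimum note the trade-off above the call: `// payload bytes are only emitted in HAVE_DEBUG_LOGGING builds`. The same applies to the VERITASDialogue::dump and WINSDialogue::dump changes further down.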
m_Buffer->getData(), m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + } +diff -ruN nepenthes-0.2.0/modules/vuln-wins/WINSDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-wins/WINSDialogue.cpp +--- nepenthes-0.2.0/modules/vuln-wins/WINSDialogue.cpp 2006-11-13 20:40:10.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/vuln-wins/WINSDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -41,6 +41,9 @@ + + #include "Socket.hpp" + ++#include "EventManager.hpp" ++#include "SocketEvent.hpp" ++ + #ifdef STDTAGS + #undef STDTAGS + #endif +@@ -123,5 +126,5 @@ + { + + logWarn("WINS unknown shellcode %i bytes State 0\n",m_Buffer->getSize()); +- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); ++ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + } +diff -ruN nepenthes-0.2.0/modules/x-4/x-4.cpp nepenthes-0.2.0-r1345/modules/x-4/x-4.cpp +--- nepenthes-0.2.0/modules/x-4/x-4.cpp 2006-11-13 20:40:11.000000000 +0100 ++++ nepenthes-0.2.0-r1345/modules/x-4/x-4.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -118,7 +118,7 @@ + */ + void X4::Submit(Download *down) + { +- m_Nepenthes->getUtilities()->hexdump((byte *)down->getDownloadBuffer()->getData(),down->getDownloadBuffer()->getSize()); ++// m_Nepenthes->getUtilities()->hexdump((byte *)down->getDownloadBuffer()->getData(),down->getDownloadBuffer()->getSize()); + } + + /** +diff -ruN nepenthes-0.2.0/nepenthes-core/include/DNSQuery.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/DNSQuery.hpp +--- nepenthes-0.2.0/nepenthes-core/include/DNSQuery.hpp 2006-11-13 20:40:01.000000000 +0100 ++++ nepenthes-0.2.0-r1345/nepenthes-core/include/DNSQuery.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -56,6 +56,7 @@ + virtual ~DNSQuery(); + + virtual DNSCallback *getCallback(); ++ virtual void cancelCallback(); + virtual string getDNS(); + virtual uint16_t getQueryType(); + virtual void *getObject(); +diff -ruN 
nepenthes-0.2.0/nepenthes-core/include/Event.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/Event.hpp +--- nepenthes-0.2.0/nepenthes-core/include/Event.hpp 2006-11-13 20:40:01.000000000 +0100 ++++ nepenthes-0.2.0-r1345/nepenthes-core/include/Event.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -71,6 +71,8 @@ + + #define EV_SHELLCODE_DONE 24 + ++#define EV_HEXDUMP 25 ++ + class Event + { + public: +diff -ruN nepenthes-0.2.0/nepenthes-core/include/SocketEvent.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/SocketEvent.hpp +--- nepenthes-0.2.0/nepenthes-core/include/SocketEvent.hpp 2006-11-13 20:40:01.000000000 +0100 ++++ nepenthes-0.2.0-r1345/nepenthes-core/include/SocketEvent.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -137,5 +137,50 @@ + Dialogue *m_Dialogue; + }; + ++#ifdef HAVE_DEBUG_LOGGING ++#define HEXDUMP(socket,data,size) \ ++{ \ ++ HexdumpEvent *he = new HexdumpEvent(socket,data,size); \ ++ g_Nepenthes->getEventMgr()->handleEvent(he); \ ++ delete he; \ ++} ++#else // HAVE_DEBUG_LOGGING ++#define HEXDUMP(socket,data,size) ++#endif // HAVE_DEBUG_LOGGING ++ ++ ++ ++ class HexdumpEvent : public Event ++ { ++ public: ++ HexdumpEvent(Socket *s, void *data, uint32_t size) ++ { ++ m_EventType = EV_HEXDUMP; ++ m_Socket = s; ++ m_Size = size; ++ m_Data = data; ++ } ++ ++ virtual Socket *getSocket() ++ { ++ return m_Socket; ++ } ++ ++ virtual void *getData() ++ { ++ return m_Data; ++ } ++ ++ virtual uint32_t getSize() ++ { ++ return m_Size; ++ } ++ ++ private: ++ Socket *m_Socket; ++ void *m_Data; ++ uint32_t m_Size; ++ }; ++ + + } +diff -ruN nepenthes-0.2.0/nepenthes-core/include/Utilities.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/Utilities.hpp +--- nepenthes-0.2.0/nepenthes-core/include/Utilities.hpp 2006-11-13 20:40:01.000000000 +0100 ++++ nepenthes-0.2.0-r1345/nepenthes-core/include/Utilities.hpp 2007-08-06 00:46:15.000000000 +0200 +@@ -130,10 +130,10 @@ + void MD5Init(struct MD5Context *context); + void MD5Update(struct MD5Context *context, unsigned char 
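Review bot: `HEXDUMP` expands to a bare brace block in debug builds and to nothing otherwise, so `if (cond) HEXDUMP(s, d, n); else …` is a syntax error in the first configuration and binds the `else` to the wrong `if` in the second, and the heap allocation is pointless for an event deleted on the very next line. Wrap both definitions in `do { … } while (0)` and construct the event on the stack, as below. HexdumpEvent only borrows `socket` and `data` for the duration of handleEvent — the immediate delete makes that explicit — so any EV_HEXDUMP handler (not on this page) must copy the bytes rather than retain the pointer; a one-line comment on `m_Data` saying so would be worth adding.
```cpp
#ifdef HAVE_DEBUG_LOGGING
#define HEXDUMP(socket,data,size) \
    do { \
        HexdumpEvent he((socket), (data), (size)); \
        g_Nepenthes->getEventMgr()->handleEvent(&he); \
    } while (0)
#else // HAVE_DEBUG_LOGGING
#define HEXDUMP(socket,data,size) do { } while (0)
#endif // HAVE_DEBUG_LOGGING
// … unchanged: HexdumpEvent class …
```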
const *buf,unsigned len); + void MD5Final(unsigned char digest[16], struct MD5Context *context); +- ++/* + virtual void hexdump(byte *data, uint32_t len); + virtual void hexdump(uint32_t mask, byte *data, uint32_t len); +- ++*/ + virtual unsigned char *b64encode_alloc(unsigned char *in); + virtual unsigned char *b64encode_alloc(unsigned char *in, int32_t inlen); + virtual unsigned char *b64decode_alloc(unsigned char *in); +diff -ruN nepenthes-0.2.0/nepenthes-core/src/DNSQuery.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/DNSQuery.cpp +--- nepenthes-0.2.0/nepenthes-core/src/DNSQuery.cpp 2006-11-13 20:40:03.000000000 +0100 ++++ nepenthes-0.2.0-r1345/nepenthes-core/src/DNSQuery.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -54,6 +54,15 @@ + return m_Callback; + } + ++ ++/** ++ * chancel the callback ++ */ ++void DNSQuery::cancelCallback() ++{ ++ m_Callback = NULL; ++} ++ + /** + * get the dns to resolve + * +diff -ruN nepenthes-0.2.0/nepenthes-core/src/DNSResult.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/DNSResult.cpp +--- nepenthes-0.2.0/nepenthes-core/src/DNSResult.cpp 2006-11-13 20:40:03.000000000 +0100 ++++ nepenthes-0.2.0-r1345/nepenthes-core/src/DNSResult.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -89,7 +89,7 @@ + while ( test->i != -1 ) + { + m_TXT.append(test->str,test->i); +- g_Nepenthes->getUtilities()->hexdump((byte *)test->str,test->i); ++// g_Nepenthes->getUtilities()->hexdump((byte *)test->str,test->i); + test++; + } + } +diff -ruN nepenthes-0.2.0/nepenthes-core/src/LogManager.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/LogManager.cpp +--- nepenthes-0.2.0/nepenthes-core/src/LogManager.cpp 2006-11-13 20:40:02.000000000 +0100 ++++ nepenthes-0.2.0-r1345/nepenthes-core/src/LogManager.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -146,7 +146,7 @@ + { + if ( m_Loggers.size() == 0) + { +- printf("%s",message); ++// printf("%s",message); + return; + } + +diff -ruN nepenthes-0.2.0/nepenthes-core/src/Nepenthes.cpp 
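Review bot: `cancelCallback` nulls `m_Callback`, but nothing on this page shows the code that delivers the DNS result checking `getCallback()` for NULL; if that dispatcher (not visible here) calls through the pointer unconditionally, cancelling a query turns the eventual reply into a NULL dereference. Confirm the dispatch site skips queries whose callback is NULL, and say so in the doc comment, which also misspells the verb: `/** cancel the callback: the query stays queued, so the result dispatcher must skip it when getCallback() returns NULL */`.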
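Review bot: Commenting out the `printf` means any message logged while no logger is attached is discarded, logCrit output included, and with the Nepenthes.cpp change on this page that is the normal state in filecheck mode and during startup before addLogger runs. If the aim is a quiet filecheck run, route the fallback to stderr rather than dropping it, `fputs(message, stderr);`, or document the decision in place: `// no logger attached yet (or filecheck mode): output is intentionally dropped`. The enclosing function starts outside the hunk, so I cannot tell whether the level mask is in scope to keep only crit-level messages.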
nepenthes-0.2.0-r1345/nepenthes-core/src/Nepenthes.cpp +--- nepenthes-0.2.0/nepenthes-core/src/Nepenthes.cpp 2006-11-13 20:40:03.000000000 +0100 ++++ nepenthes-0.2.0-r1345/nepenthes-core/src/Nepenthes.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -43,6 +43,8 @@ + #include + #include + #include ++#include ++#include + + #ifdef HAVE_LIBCAP + #undef _POSIX_SOURCE +@@ -211,7 +213,7 @@ + { "user", 1, 0, 'u' }, + { "version", 0, 0, 'V' }, + { "verbose", 0, 0, 'v' }, +- { "workingdir", 0, 0, 'w' }, ++ { "workingdir", 1, 0, 'w' }, + { 0, 0, 0, 0 } + }; + +@@ -370,26 +372,27 @@ + + + ++ m_LogManager->registerTag(l_crit, "crit"); ++ m_LogManager->registerTag(l_warn, "warn"); ++ m_LogManager->registerTag(l_debug, "debug"); ++ m_LogManager->registerTag(l_info, "info"); ++ m_LogManager->registerTag(l_spam, "spam"); ++ m_LogManager->registerTag(l_net, "net"); ++ m_LogManager->registerTag(l_script, "script"); ++ m_LogManager->registerTag(l_shell, "shell"); ++ m_LogManager->registerTag(l_mem, "mem"); ++ m_LogManager->registerTag(l_sc, "sc"); ++ m_LogManager->registerTag(l_dl, "down"); ++ m_LogManager->registerTag(l_mgr, "mgr"); ++ m_LogManager->registerTag(l_hlr, "handler"); ++ m_LogManager->registerTag(l_dia, "dia"); ++ m_LogManager->registerTag(l_sub, "submit"); ++ m_LogManager->registerTag(l_ev, "event"); ++ m_LogManager->registerTag(l_mod, "module"); ++ m_LogManager->registerTag(l_stdtag, "fixme"); ++ + if ( opt.m_runMode != runFileCheck || opt.m_verbose ) + { +- m_LogManager->registerTag(l_crit, "crit"); +- m_LogManager->registerTag(l_warn, "warn"); +- m_LogManager->registerTag(l_debug, "debug"); +- m_LogManager->registerTag(l_info, "info"); +- m_LogManager->registerTag(l_spam, "spam"); +- m_LogManager->registerTag(l_net, "net"); +- m_LogManager->registerTag(l_script, "script"); +- m_LogManager->registerTag(l_shell, "shell"); +- m_LogManager->registerTag(l_mem, "mem"); +- m_LogManager->registerTag(l_sc, "sc"); +- m_LogManager->registerTag(l_dl, "down"); +- 
m_LogManager->registerTag(l_mgr, "mgr"); +- m_LogManager->registerTag(l_hlr, "handler"); +- m_LogManager->registerTag(l_dia, "dia"); +- m_LogManager->registerTag(l_sub, "submit"); +- m_LogManager->registerTag(l_ev, "event"); +- m_LogManager->registerTag(l_mod, "module"); +- m_LogManager->registerTag(l_stdtag, "fixme"); + + if ( opt.m_consoleTags ) + m_LogManager->addLogger(new ConsoleLogger(m_LogManager), m_LogManager->parseTagString(opt.m_consoleTags)); +@@ -460,52 +463,53 @@ + return 0; + + +- if ( opt.m_ringLogger == true ) ++ if ( opt.m_runMode != runFileCheck || opt.m_verbose ) + { +- string rlpath; +- try +- { +- rlpath = m_Config->getValString("nepenthes.logmanager.ring_logging_file"); +- } +- catch ( ... ) ++ ++ if ( opt.m_ringLogger == true ) + { +- logCrit("Could not find nepenthes.logmanager.ring_logging_file in Config\n"); +- return false; +- } ++ string rlpath; ++ try ++ { ++ rlpath = m_Config->getValString("nepenthes.logmanager.ring_logging_file"); ++ } catch ( ... ) ++ { ++ logCrit("Could not find nepenthes.logmanager.ring_logging_file in Config\n"); ++ return (false); ++ } + + +- RingFileLogger *fl = new RingFileLogger(m_LogManager); ++ RingFileLogger *fl = new RingFileLogger(m_LogManager); + +- fl->setLogFileFormat((char *)rlpath.c_str()); +- fl->setMaxFiles(5); +- fl->setMaxSize(1024 * 1024); ++ fl->setLogFileFormat((char *)rlpath.c_str()); ++ fl->setMaxFiles(5); ++ fl->setMaxSize(1024 * 1024); + +- if ( opt.m_diskTags ) +- m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags)); +- else +- m_LogManager->addLogger(fl, l_all); ++ if ( opt.m_diskTags ) ++ m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags)); ++ else ++ m_LogManager->addLogger(fl, l_all); + +- } +- else +- { +- string flpath; +- try +- { +- flpath = m_Config->getValString("nepenthes.logmanager.file_logging_file"); +- } +- catch ( ... 
) ++ } else + { +- logCrit("Could not find nepenthes.logmanager.file_logging_file in Config\n"); +- return false; +- } ++ string flpath; ++ try ++ { ++ flpath = m_Config->getValString("nepenthes.logmanager.file_logging_file"); ++ } catch ( ... ) ++ { ++ logCrit("Could not find nepenthes.logmanager.file_logging_file in Config\n"); ++ return (false); ++ } + +- FileLogger *fl = new FileLogger(m_LogManager); +- fl->setLogFile(flpath.c_str()); +- if ( opt.m_diskTags ) +- m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags)); +- else +- m_LogManager->addLogger(fl, l_all); ++ FileLogger *fl = new FileLogger(m_LogManager); ++ fl->setLogFile(flpath.c_str()); ++ if ( opt.m_diskTags ) ++ m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags)); ++ else ++ m_LogManager->addLogger(fl, l_all); + ++ } + } + + if (opt.m_daemonize == true) +@@ -665,7 +669,7 @@ + struct stat fileinfo; + if ( stat((const char*)argv[opti],&fileinfo) != 0 ) + { +- printf("failed\n"); ++ printf("Could not stat %s: %s", (const char*)argv[opti], strerror(errno)); + return -1; + } + +@@ -680,7 +684,10 @@ + ) + + { +- unlink(argv[opti]); ++ if (unlink(argv[opti]) != 0) ++ { ++ printf("could not remove file %s (%s)\n",argv[opti],strerror(errno)); ++ } + } + + }else +@@ -693,7 +700,7 @@ + while ( (dirnode = readdir(bindir)) != NULL && m_running == true ) + { + +-#if !defined(CYGWIN) && !defined(CYGWIN32) &&!defined(__CYGWIN__) || !defined(__CYGWIN32__) ++#if defined(d_type_IS_NOT_A_POSIX_SPEC) + if ( dirnode->d_type == 8 ) + #else + if (1) +@@ -708,7 +715,10 @@ + ) + + { +- unlink(filepath.c_str()); ++ if (unlink(filepath.c_str()) != 0) ++ { ++ printf("could not remove file %s (%s)\n",filepath.c_str(),strerror(errno)); ++ } + } + } + } +diff -ruN nepenthes-0.2.0/nepenthes-core/src/SocketManager.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/SocketManager.cpp +--- nepenthes-0.2.0/nepenthes-core/src/SocketManager.cpp 2006-11-13 20:40:03.000000000 +0100 ++++ 
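Review bot: The new `printf("Could not stat %s: %s", …)` has no trailing newline, unlike the two `could not remove file` messages added in the same function, so the error runs into whatever is printed next. Change it to `printf("Could not stat %s: %s\n", (const char*)argv[opti], strerror(errno));`.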
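Review bot: `#if defined(d_type_IS_NOT_A_POSIX_SPEC)` names a macro nothing on this page defines, so the `d_type == 8` branch is dead and the `if (1)` path is taken on every platform, meaning `.`/`..`, subdirectories and symlinks in the binaries directory now reach the age/size check and the unlink below (the newly reported unlink failures on directories are the symptom). `d_type` is indeed not POSIX, but the portable replacement is a `stat()` on the entry rather than no filter at all, and the file already uses `stat()` for the single-file case a few lines up. Something like the lines below, placed after `filepath` is built (that line is in the elided part of the hunk); the magic 8 is DT_REG, for reference.
```cpp
// d_type is a BSD/glibc extension (and may be DT_UNKNOWN); filter with stat() instead
struct stat entryinfo;
if ( stat(filepath.c_str(), &entryinfo) != 0 || !S_ISREG(entryinfo.st_mode) )
    continue;
// … unchanged: age/size condition and unlink …
```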
nepenthes-0.2.0-r1345/nepenthes-core/src/SocketManager.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -273,13 +273,17 @@ + } + } + ++ int32_t socketcounter, socketmax; ++ socketcounter=0; ++ socketmax = m_Sockets.size(); ++ + int32_t iPollRet = poll(polls,i,50); + + if (iPollRet != 0) + { + // read sockets + i=0; +- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++) ++ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax ; itSocket++, socketcounter++) + { + if ( (*itSocket)->isPolled() == true ) + { +@@ -303,7 +307,8 @@ + + // write sockets + i=0; +- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++) ++ socketcounter=0; ++ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax; itSocket++, socketcounter++) + { + if ( (*itSocket)->isPolled() == true ) + { +@@ -331,7 +336,8 @@ + + // accept new, non udp clients as udp does not accept() + i=0; +- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++) ++ socketcounter=0; ++ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax; itSocket++, socketcounter++) + { + + +diff -ruN nepenthes-0.2.0/nepenthes-core/src/Utilities.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/Utilities.cpp +--- nepenthes-0.2.0/nepenthes-core/src/Utilities.cpp 2006-11-13 20:40:02.000000000 +0100 ++++ nepenthes-0.2.0-r1345/nepenthes-core/src/Utilities.cpp 2007-08-06 00:46:15.000000000 +0200 +@@ -339,7 +339,7 @@ + + // ENDOF MD5Sum + +- ++/* + + void Utilities::hexdump(byte *data, uint32_t len) + { +@@ -430,7 +430,7 @@ + + } + +- ++*/ + + + diff --git a/network/nepenthes/nepenthes.conf b/network/nepenthes/nepenthes.conf index eb1b9ad08..fd5ec1642 100644 --- a/network/nepenthes/nepenthes.conf +++ b/network/nepenthes/nepenthes.conf 
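Review bot: The new loop conditions use the comma operator, `itSocket != m_Sockets.end(), socketcounter < socketmax`, so the iterator comparison is evaluated and discarded and only the counter is tested; if anything called from inside the loop removes a socket from `m_Sockets`, the stale `socketmax` lets the loop increment past end(), which is undefined behaviour, whereas the old code at least stopped at end(). Use `&&` in all three loops: `itSocket != m_Sockets.end() && socketcounter < socketmax`. Capping at the pre-poll size is presumably meant to keep sockets accepted during this pass out of the same pass — a comment next to `socketmax = m_Sockets.size();` saying so would help.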
@@ -12,6 +12,9 @@ # GNU General Public License can be found in the file COPYING. # --- SDE-COPYRIGHT-NOTE-END --- +# we patch configure.ac +hook_add preconf 5 "aclocal ; autoconf ; automake --add-missing" + # Prelude-IDS support if pkginstalled libprelude ; then pkgprefix -t libprelude @@ -19,3 +22,9 @@ if pkginstalled libprelude ; then var_append CXXFLAGS ' ' "-I$root$( pkgprefix includedir libprelude )" export CXXFLAGS fi + +# libssh support +if pkginstalled libssh ; then + pkgprefix -t libssh + var_append confopt ' ' "--with-ssh-include=$root$( pkgprefix includedir libssh )/libssh" +fi diff --git a/network/nepenthes/nepenthes.desc b/network/nepenthes/nepenthes.desc index 586b1fb16..8b52a143b 100644 --- a/network/nepenthes/nepenthes.desc +++ b/network/nepenthes/nepenthes.desc @@ -31,7 +31,7 @@ [L] OpenSource [S] Beta -[V] 0.2.0 +[V] 0.2.0-1 [P] X -----5---9 300.000 [D] 2264113893 nepenthes-0.2.0.tar.bz2 http://dl.sourceforge.net/sourceforge/nepenthes/ diff --git a/network/nepenthes/prelude-hotfix.patch b/network/nepenthes/prelude-hotfix.patch deleted file mode 100644 index 046446201..000000000 --- a/network/nepenthes/prelude-hotfix.patch +++ /dev/null 
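Review bot: The preconf hook chains the autotools steps with `;`, so if `aclocal` or `autoconf` fails the build carries on into configure with whatever stale script is in the tarball. Use `hook_add preconf 5 "aclocal && autoconf && automake --add-missing"` so the first failure stops the build. If configure.ac uses AC_CONFIG_HEADERS (not visible on this page), `autoheader` belongs in the chain as well.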
@@ -1,1107 +0,0 @@ -# --- SDE-COPYRIGHT-NOTE-BEGIN --- -# This copyright note is auto-generated by ./scripts/Create-CopyPatch. -# -# Filename: package/.../nepenthes/prelude-hotfix.patch -# Copyright (C) 2007 The OpenSDE Project -# -# More information can be found in the files COPYING and README. -# -# This patch file is dual-licensed. It is available under the license the -# patched project is licensed under, as long as it is an OpenSource license -# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms -# of the GNU General Public License as published by the Free Software -# Foundation; either version 2 of the License, or (at your option) any later -# version. -# --- SDE-COPYRIGHT-NOTE-END --- - -This patch includes several bugfixes that were fixed in the -upstream svn repository and rediffed against nepenthes 0.2.0. - -it includes following changesets: -http://svn.mwcollect.org/changeset/1266 -http://svn.mwcollect.org/changeset/1274 -http://svn.mwcollect.org/changeset/1278 - -diff -ruN nepenthes-0.2.0/modules/log-prelude/Makefile.am nepenthes-0.2.0-prelude/modules/log-prelude/Makefile.am ---- nepenthes-0.2.0/modules/log-prelude/Makefile.am 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-prelude/modules/log-prelude/Makefile.am 2007-08-05 22:40:44.000000000 +0200 -@@ -4,7 +4,7 @@ - - AUTOMAKE_OPTIONS = foreign - --AM_CPPFLAGS = -I/usr/include/libprelude -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE $(CPPFLAG_PRELUDE) -+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE - AM_CXXFLAGS = -Wall - AM_LDFLAGS = $(LDFLAG_PRELUDE) ${LIB_PRELUDE} - -diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.conf.dist ---- nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist 2006-11-13 20:40:08.000000000 +0100 -+++ 
nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.conf.dist 2007-08-05 22:52:16.000000000 +0200 -@@ -1,7 +1,9 @@ - log-prelude - { -- analyzerClass "NIDS"; -- analyzerModel "nepenthes"; -- analyzerName "nepenthes"; -- -+ -+ // Name of the Prelude analyzer to use (default is nepenthes). -+ // analyzerName "nepenthes"; -+ -+ // Name of the Prelude profile to use (default is nepenthes). -+ // analyzerProfile "nepenthes"; - }; -diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.cpp ---- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.cpp 2007-08-05 22:52:51.000000000 +0200 -@@ -27,14 +27,6 @@ - - /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */ - --#ifdef HAVE_LIBPRELUDE --#include --#include --#include --#include --#include --#endif -- - #include - #include "log-prelude.hpp" - #include "Nepenthes.hpp" -@@ -62,8 +54,12 @@ - #endif - - #define STDTAGS l_mod | l_ev | l_hlr --#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net" - #define NEPENTHES_VERSION "$Rev: 550 $" -+#define DEFAULT_ANALYZER_NAME "nepenthes" -+#define DEFAULT_ANALYZER_PROFILE "nepenthes" -+#define ANALYZER_MODEL "Nepenthes" -+#define ANALYZER_CLASS "Honeypot" -+#define ANALYZER_MANUFACTURER "http://nepenthes.mwcollect.org/" - - - -@@ -132,28 +128,21 @@ - - #ifdef HAVE_LIBPRELUDE - -- if ( m_Config == NULL ) -- { -- logCrit("I need a config\n"); -- return false; -- } -- -- string analyzerClass; -- string analyzerModel; - string analyzerName; -- -- try -- { -- analyzerClass = (m_Config->getValString("log-prelude.analyzerClass")); -- analyzerModel = m_Config->getValString("log-prelude.analyzerModel"); -- analyzerName = m_Config->getValString("log-prelude.analyzerName"); -- -- } catch ( ... 
) -- { -- logCrit("Error setting needed vars, check your config\n"); -- return false; -- } -- -+ string analyzerProfile; -+ -+ try { -+ analyzerName = m_Config->getValString("log-prelude.analyzerName"); -+ } catch ( ... ) { -+ analyzerName = DEFAULT_ANALYZER_NAME; -+ } -+ -+ try { -+ analyzerProfile = m_Config->getValString("log-prelude.analyzerProfile"); -+ } catch ( ... ) { -+ analyzerProfile = DEFAULT_ANALYZER_PROFILE; -+ } -+ - m_ModuleManager = m_Nepenthes->getModuleMgr(); - m_Events.set(EV_SOCK_TCP_ACCEPT); - m_Events.set(EV_SOCK_TCP_CLOSE); -@@ -163,44 +152,39 @@ - m_Events.set(EV_DOWNLOAD); - m_Events.set(EV_SUBMISSION); - -- -- const char *profile, *config; -- -- config = NULL; -- profile = analyzerName.c_str(); -- -- -- -- - int32_t ret; - // Initialize Prelude Library - ret = prelude_init(NULL, NULL); -- if ( ret < 0 ) -+ if ( ret < 0 ) { - logCrit("%s: Unable to initialize the Prelude library: %s.\n", - prelude_strsource(ret), - prelude_strerror(ret)); -+ return false; -+ } - - // generate a new Prelude client -- ret = prelude_client_new(&m_PreludeClient, profile); -+ ret = prelude_client_new(&m_PreludeClient, analyzerProfile.c_str()); - -- if ( ret < 0 ) -+ if ( ret < 0 ) { - logCrit("%s: Unable to create a prelude client object: %s.\n", - prelude_strsource(ret), - prelude_strerror(ret)); -+ return false; -+ } - -- -+ - // set options in the analyzer-part of the client - prelude_string_t *string; - -- ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); -+ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); - if ( ret < 0 ) - return false; -- prelude_string_set_constant(string, analyzerModel.c_str()); -- -- ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); -+ prelude_string_set_constant(string, ANALYZER_CLASS); -+ -+ ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); - if ( ret < 0 ) - return false; -- 
prelude_string_set_constant(string, analyzerClass.c_str()); -+ prelude_string_set_constant(string, ANALYZER_MODEL); - - ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string); - if ( ret < 0 ) -@@ -209,28 +193,31 @@ - - ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string); - if ( ret < 0 ) -- return false; -- -- prelude_string_set_constant(string, NEPENTHES_VERSION); -+ return false; -+ prelude_string_set_constant(string, VERSION); - --// start the Prelude Client -+ ret = idmef_analyzer_new_name(prelude_client_get_analyzer(m_PreludeClient), &string); -+ if ( ret < 0 ) -+ return false; -+ prelude_string_set_dup(string, analyzerName.c_str()); -+ -+ // start the Prelude Client - ret = prelude_client_start(m_PreludeClient); - if ( ret < 0 ) - { -- if ( prelude_client_is_setup_needed(ret) ) -- prelude_client_print_setup_error(m_PreludeClient); -- - logCrit("%s: Unable to initialize prelude client: %s.\n", - prelude_strsource(ret), prelude_strerror(ret)); -+ return false; - } - --// set async Prelude Flags for the client, makes the application multithreaded -- ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); -- if ( ret < 0 ) -+ // set async Prelude Flags for the client, makes the application multithreaded -+ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); -+ if ( ret < 0 ) { - logCrit("%s: Unable to set asynchronous send and timer: %s.\n", - prelude_strsource(ret), - prelude_strerror(ret)); -- -+ return false; -+ } - - REG_EVENT_HANDLER(this); - return true; -@@ -274,7 +261,7 @@ - idmef_value_t *val; - idmef_path_t *path; - -- ret = idmef_path_new(&path, object); -+ ret = idmef_path_new_fast(&path, object); - if ( ret < 0 ) - { - logWarn("imdef error 
#1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret));
-diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.cpp~
---- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ 1970-01-01 01:00:00.000000000 +0100
-+++ nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.cpp~ 2007-08-05 22:51:33.000000000 +0200
-@@ -0,0 +1,853 @@
-+/********************************************************************************
-+ * Nepenthes
-+ * - finest collection -
-+ *
-+ *
-+ *
-+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License
-+ * as published by the Free Software Foundation; either version 2
-+ * of the License, or (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-+ *
-+ *
-+ * contact nepenthesdev@users.sourceforge.net
-+ *
-+ *******************************************************************************/
-+
-+ /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */
-+
-+#include
-+#include "log-prelude.hpp"
-+#include "Nepenthes.hpp"
-+#include "LogManager.hpp"
-+#include "EventManager.hpp"
-+#include "SubmitEvent.hpp"
-+
-+#include "Download.hpp"
-+#include "DownloadUrl.hpp"
-+#include "DownloadBuffer.hpp"
-+
-+#include "Socket.hpp"
-+#include "SocketEvent.hpp"
-+
-+#include "Message.hpp"
-+#include "Utilities.hpp"
-+#include "Config.hpp"
-+#include "ShellcodeHandler.hpp"
-+
-+
-+using namespace nepenthes;
-+
-+#ifdef STDTAGS
-+#undef STDTAGS
-+#endif
-+
-+#define STDTAGS l_mod | l_ev | l_hlr
-+#define NEPENTHES_VERSION "$Rev: 550 $"
-+#define DEFAULT_ANALYZER_NAME "nepenthes"
-+#define DEFAULT_ANALYZER_PROFILE "nepenthes"
-+#define ANALYZER_MODEL "Nepenthes"
-+#define ANALYZER_CLASS "Honeypot"
-+#define ANALYZER_MANUFACTURER "http://nepenthes.mwcollect.org/"
-+
-+
-+
-+/**
-+ * as we may need a global pointer to our Nepenthes in our modules,
-+ * and cant access the cores global pointer to nepenthes
-+ * we have to use a own global pointer to nepenthes per module
-+ * we need this pointer for logInfo() etc
-+ */
-+Nepenthes *g_Nepenthes;
-+
-+/**
-+ * Constructor
-+ * creates a new LogPrelude Module, where x% is public Module, public EventHandler
-+ * - sets the ModuleName
-+ * - sets the ModuleDescription
-+ * - sets the EventHandlerName
-+ * - sets the EventHandlerDescription
-+ * - sets the EventHandlers Timeout
-+ * - sets the Modules global pointer to the Nepenthes
-+ *
-+ * @param nepenthes pointer to our nepenthes master class
-+ */
-+LogPrelude::LogPrelude(Nepenthes *nepenthes)
-+{
-+ m_ModuleName = "log-prelude";
-+ m_ModuleDescription = "event based prelude logger";
-+ m_ModuleRevision = "$Rev: 550 $";
-+ m_Nepenthes = nepenthes;
-+
-+ m_EventHandlerName = "LogPreludeEventHandler";
-+ m_EventHandlerDescription = "log events to a prelude database";
-+
-+// m_Timeout = time(NULL) + rand()%23;
-+
-+ g_Nepenthes = nepenthes;
-+
-+#ifdef HAVE_LIBPRELUDE
-+ m_PreludeClient = NULL;
-+#endif
-+}
-+
-+
-+/**
-+ * exerything important happens in ::Exit() as we have a return value there
-+ */
-+LogPrelude::~LogPrelude()
-+{
-+
-+}
-+
-+
-+
-+/**
-+ * bool Module::Init()
-+ * setup Module specific values
-+ * here:
-+ * - register as EventHandler
-+ * - set wanted events
-+ *
-+ * @return returns true if everything was fine, else false
-+ * returning false will showup errors in warning a module
-+ */
-+bool LogPrelude::Init()
-+{
-+
-+#ifdef HAVE_LIBPRELUDE
-+
-+ if ( m_Config == NULL )
-+ {
-+ logCrit("I need a config\n");
-+ return false;
-+ }
-+
-+ string analyzerClass;
-+ string analyzerModel;
-+ string analyzerName;
-+
-+ try
-+ {
-+ analyzerClass = (m_Config->getValString("log-prelude.analyzerClass"));
-+ analyzerModel = m_Config->getValString("log-prelude.analyzerModel");
-+ analyzerName = m_Config->getValString("log-prelude.analyzerName");
-+
-+ } catch ( ... )
-+ {
-+ logCrit("Error setting needed vars, check your config\n");
-+ return false;
-+ }
-+
-+ m_ModuleManager = m_Nepenthes->getModuleMgr();
-+ m_Events.set(EV_SOCK_TCP_ACCEPT);
-+ m_Events.set(EV_SOCK_TCP_CLOSE);
-+ m_Events.set(EV_DIALOGUE_ASSIGN_AND_DONE);
-+ m_Events.set(EV_SHELLCODE_DONE);
-+
-+ m_Events.set(EV_DOWNLOAD);
-+ m_Events.set(EV_SUBMISSION);
-+
-+
-+ const char *profile, *config;
-+
-+ config = NULL;
-+ profile = analyzerName.c_str();
-+
-+
-+
-+
-+ int32_t ret;
-+// Initialize Prelude Library
-+ ret = prelude_init(NULL, NULL);
-+ if ( ret < 0 )
-+ logCrit("%s: Unable to initialize the Prelude library: %s.\n",
-+ prelude_strsource(ret),
-+ prelude_strerror(ret));
-+
-+// generate a new Prelude client
-+ ret = prelude_client_new(&m_PreludeClient, profile);
-+
-+ if ( ret < 0 )
-+ logCrit("%s: Unable to create a prelude client object: %s.\n",
-+ prelude_strsource(ret),
-+ prelude_strerror(ret));
-+
-+
-+ // set options in the analyzer-part of the client
-+ prelude_string_t *string;
-+
-+ ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string);
-+ if ( ret < 0 )
-+ return false;
-+ prelude_string_set_ref(string, analyzerModel.c_str());
-+
-+ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string);
-+ if ( ret < 0 )
-+ return false;
-+ prelude_string_set_ref(string, analyzerClass.c_str());
-+
-+ ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string);
-+ if ( ret < 0 )
-+ return false;
-+ prelude_string_set_constant(string, ANALYZER_MANUFACTURER);
-+
-+ ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string);
-+ if ( ret < 0 )
-+ return false;
-+
-+ prelude_string_set_constant(string, NEPENTHES_VERSION);
-+
-+// start the Prelude Client
-+ ret = prelude_client_start(m_PreludeClient);
-+ if ( ret < 0 )
-+ {
-+ if ( prelude_client_is_setup_needed(ret) )
-+ prelude_client_print_setup_error(m_PreludeClient);
-+
-+ logCrit("%s: Unable to initialize prelude client: %s.\n",
-+ prelude_strsource(ret), prelude_strerror(ret));
-+ }
-+
-+// set async Prelude Flags for the client, makes the application multithreaded
-+ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
-+ if ( ret < 0 )
-+ logCrit("%s: Unable to set asynchronous send and timer: %s.\n",
-+ prelude_strsource(ret),
-+ prelude_strerror(ret));
-+
-+
-+ REG_EVENT_HANDLER(this);
-+ return true;
-+#else
-+ logCrit("Module log-prelude is compiled without libprelude, this wont work, reconfigure the whole source and recompile");
-+ return false;
-+#endif
-+
-+}
-+
-+
-+/**
-+ * unregister as EventHandler, destroy the Prelude Client
-+ *
-+ * @return returns true if everything was fine
-+ */
-+bool LogPrelude::Exit()
-+{
-+#ifdef HAVE_LIBPRELUDE
-+ if( m_PreludeClient != NULL)
-+ {
-+ prelude_client_destroy(m_PreludeClient, (prelude_client_exit_status_t)(PRELUDE_CLIENT_EXIT_STATUS_SUCCESS));
-+ prelude_deinit();
-+ }
-+ // disabled by harald due to segfaults
-+ //UNREG_EVENT_HANDLER(this);
-+#endif
-+ return true;
-+}
-+
-+
-+
-+/**
-+ * This function adds char * idmef values into an idmef message
-+ *
-+ */
-+#ifdef HAVE_LIBPRELUDE
-+int32_t add_idmef_object(idmef_message_t *message, const char *object, const char *value)
-+{
-+ int32_t ret=0;
-+ idmef_value_t *val;
-+ idmef_path_t *path;
-+
-+ ret = idmef_path_new(&path, object);
-+ if ( ret < 0 )
-+ {
-+ logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret));
-+ return -1;
-+ }
-+
-+ ret = idmef_value_new_from_path(&val, path, value);
-+ if ( ret < 0 )
-+ {
-+ idmef_path_destroy(path);
-+ logWarn("imdef error #2 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret));
-+ return -1;
-+ }
-+
-+ ret = idmef_path_set(path, message, val);
-+
-+ idmef_value_destroy(val);
-+ idmef_path_destroy(path);
-+ return ret;
-+}
-+
-+
-+/**
-+ *
-+ * This function adds int32_t idmef values into an idmef message
-+ */
-+int32_t add_idmef_object(idmef_message_t *message, const char *object, int32_t i)
-+{
-+ char value[20];
-+ memset(value,0,20);
-+ snprintf(value,19,"%i",i);
-+ return add_idmef_object(message,object,value);
-+}
-+
-+#endif
-+
-+
-+/**
-+ * the handleEvent method is called whenever an event occurs
-+ * the EventHandler wanted to have.
-+ *
-+ * @param event the Event
-+ *
-+ * @return return 0
-+ */
-+uint32_t LogPrelude::handleEvent(Event *event)
-+{
-+// logPF();
-+// logInfo("Event %i\n",event->getType());
-+ switch(event->getType())
-+ {
-+
-+ case EV_SOCK_TCP_ACCEPT:
-+ handleTCPaccept(event);
-+ break;
-+
-+ case EV_SOCK_TCP_CLOSE:
-+ handleTCPclose(event);
-+ break;
-+
-+ case EV_SUBMISSION:
-+ handleSubmission(event);
-+ break;
-+
-+ case EV_DIALOGUE_ASSIGN_AND_DONE:
-+ handleDialogueAssignAndDone(event);
-+ break;
-+
-+ case EV_SHELLCODE_DONE:
-+ handleShellcodeDone(event);
-+ break;
-+
-+
-+ case EV_DOWNLOAD:
-+ handleDownload(event);
-+ break;
-+
-+ default:
-+ logWarn("this should not happen\n");
-+ }
-+ return 0;
-+}
-+
-+
-+void LogPrelude::handleTCPaccept(Event *event)
-+{
-+
-+
-+ logInfo("LogPrelude EVENT EV_SOCK_TCP_ACCEPT\n");
-+
-+#ifdef HAVE_LIBPRELUDE
-+ Socket *socket = ((SocketEvent *)event)->getSocket();
-+
-+ idmef_message_t *idmef;
-+
-+ int32_t ret = idmef_message_new(&idmef);
-+ if ( ret < 0 )
-+ return;
-+
-+ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established");
-+ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT);
-+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
-+
-+
-+ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
-+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
-+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort());
-+
-+ uint32_t addr = socket->getRemoteHost();
-+ string address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
-+
-+
-+ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes");
-+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP");
-+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort());
-+
-+ addr = socket->getLocalHost();
-+ address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
-+
-+
-+
-+
-+ idmef_time_t *time;
-+
-+ ret = idmef_time_new_from_gettimeofday(&time);
-+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
-+ time);
-+
-+
-+ // analyzer id
-+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
-+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
-+ IDMEF_LIST_PREPEND);
-+
-+
-+ prelude_client_send_idmef(m_PreludeClient, idmef);
-+
-+ //prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef));
-+ //const char *msgid = prelude_string_get_string(field);
-+
-+ //logInfo("PreludeMessageID = %s \n",msgid);
-+
-+ idmef_message_destroy(idmef);
-+#endif
-+}
-+
-+
-+
-+
-+void LogPrelude::handleTCPclose(Event *event)
-+{
-+
-+ Socket *socket = ((SocketEvent *)event)->getSocket();
-+
-+ if (! socket->isAccept())
-+ {
-+ return;
-+ }
-+
-+ logInfo("LogPrelude EVENT EV_SOCK_TCP_CLOSE\n");
-+
-+#ifdef HAVE_LIBPRELUDE
-+
-+ idmef_message_t *idmef;
-+
-+ int32_t ret = idmef_message_new(&idmef);
-+ if ( ret < 0 )
-+ return;
-+
-+
-+ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed");
-+ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE);
-+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
-+
-+
-+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
-+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort());
-+
-+ uint32_t addr = socket->getRemoteHost();
-+ string address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
-+
-+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP");
-+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort());
-+
-+ addr = socket->getLocalHost();
-+ address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",address.c_str());
-+
-+ idmef_time_t *time;
-+
-+ ret = idmef_time_new_from_gettimeofday(&time);
-+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
-+ time);
-+
-+
-+ // analyzer id
-+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
-+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
-+ IDMEF_LIST_PREPEND);
-+
-+
-+ prelude_client_send_idmef(m_PreludeClient, idmef);
-+
-+// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef));
-+// const char *msgid = prelude_string_get_string(field);
-+
-+// logInfo("CloseMessageID = %s \n",msgid);
-+
-+ idmef_message_destroy(idmef);
-+
-+#endif
-+}
-+
-+
-+/**
-+ * Send idmef message when finished with the Shellcode
-+ *
-+ */
-+void LogPrelude::handleShellcodeDone(Event *event)
-+{
-+ logInfo("LogPrelude EVENT EV_SHELLCODE_DONE\n");
-+
-+#ifdef HAVE_LIBPRELUDE
-+
-+ ShellcodeHandler *handler = ((ShellcodeEvent *)event)->getShellcodeHandler();
-+ Socket *socket = ((ShellcodeEvent *)event)->getSocket();
-+
-+ idmef_message_t *idmef;
-+
-+ int32_t ret = idmef_message_new(&idmef);
-+ if ( ret < 0 )
-+ return;
-+ string shellcodeText = "Shellcode detected: " + handler->getShellcodeHandlerName();
-+ add_idmef_object(idmef, "alert.classification.text", shellcodeText.c_str());
-+ // hl: added ident
-+ add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE);
-+
-+ // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
-+
-+
-+ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
-+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
-+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort());
-+
-+ uint32_t addr = socket->getRemoteHost();
-+ string address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
-+
-+
-+ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes");
-+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP");
-+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort());
-+
-+ addr = socket->getLocalHost();
-+ address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
-+
-+
-+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Shellcode has been detected.");
-+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium");
-+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
-+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
-+
-+
-+ // hl: added for additional information
-+ add_idmef_object(idmef, "alert.additional_data(0).type", "string");
-+ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Shellcode");
-+ add_idmef_object(idmef, "alert.additional_data(0).data", handler->getShellcodeHandlerName().c_str());
-+
-+
-+ idmef_time_t *time;
-+
-+ ret = idmef_time_new_from_gettimeofday(&time);
-+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
-+ time);
-+
-+
-+ // analyzer id
-+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
-+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
-+ IDMEF_LIST_PREPEND);
-+
-+
-+ prelude_client_send_idmef(m_PreludeClient, idmef);
-+
-+// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef));
-+// const char *msgid = prelude_string_get_string(field);
-+// logInfo("RecvMessageID = %s \n",msgid);
-+
-+ idmef_message_destroy(idmef);
-+#endif
-+}
-+
-+
-+/**
-+ *
-+ * handle submitted files
-+ */
-+void LogPrelude::handleSubmission(Event *event)
-+{
-+ SubmitEvent *se = (SubmitEvent *)event;
-+ Download *down = se->getDownload();
-+
-+ logInfo("LogPrelude EVENT EV_SUBMISSION %s %s %i \n",down->getUrl().c_str(),
-+ down->getMD5Sum().c_str(),
-+ down->getDownloadBuffer()->getSize());
-+
-+#ifdef HAVE_LIBPRELUDE
-+ idmef_message_t *idmef;
-+
-+ int32_t ret = idmef_message_new(&idmef);
-+ if ( ret < 0 )
-+ return;
-+
-+ // generic information
-+ // hl: changed submited to submitted, added ident
-+ add_idmef_object(idmef, "alert.classification.text" ,"Malware submitted");
-+ add_idmef_object(idmef, "alert.classification.ident", EV_SUBMISSION);
-+
-+ string url = "http://nepenthes.sf.net/wiki/submission/" + down->getMD5Sum();
-+ add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
-+ add_idmef_object(idmef, "alert.classification.reference(0).url" ,url.c_str() );
-+
-+
-+ // file name and info
-+ // hl: changed file tags because of DTD violation
-+ add_idmef_object(idmef, "alert.target(0).file(0).name" ,down->getDownloadUrl()->getFile().c_str());
-+ add_idmef_object(idmef, "alert.target(0).file(0).path" ,down->getUrl().c_str());
-+ add_idmef_object(idmef, "alert.target(0).file(0).category" ,"current");
-+ add_idmef_object(idmef, "alert.target(0).file(0).ident" ,down->getMD5Sum().c_str());
-+ add_idmef_object(idmef, "alert.target(0).file(0).data_size" ,down->getDownloadBuffer()->getSize());
-+
-+ //hl: some debug stuff, prelude-manager doesnt write the checksums into xml
-+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5");
-+ //logInfo("LogPrelude DEBUG MD5 %i\n", ret);
-+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).value" ,down->getMD5Sum().c_str());
-+ //logInfo("LogPrelude DEBUG Hash %i\n", ret);
-+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).algorithm" ,"SHA2-512");
-+ //logInfo("LogPrelude DEBUG SHA %i\n", ret);
-+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).value" ,down->getSHA512Sum().c_str());
-+ //logInfo("LogPrelude DEBUG Hash %i\n", ret);
-+
-+ uint32_t addr = down->getLocalHost();
-+ string address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
-+
-+
-+
-+ // infection host
-+ addr = down->getRemoteHost();
-+ address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
-+
-+
-+ // download source
-+ add_idmef_object(idmef, "alert.source(0).Service.port", down->getDownloadUrl()->getPort());
-+
-+ /* hl: previous dirty workaround -> commented
-+ string protocol;
-+ if (down->getDownloadUrl()->getProtocol() == "tftp" )
-+ protocol = "UDP";
-+ else
-+ protocol = "TCP";
-+
-+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
-+ */
-+
-+ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
-+ // hl: not needed
-+ //add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
-+
-+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Malware stored for further analysis");
-+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"high");
-+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
-+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
-+
-+ // time
-+ idmef_time_t *time;
-+ ret = idmef_time_new_from_gettimeofday(&time);
-+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
-+ time);
-+
-+
-+ // analyzer id
-+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
-+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
-+ IDMEF_LIST_PREPEND);
-+
-+
-+ prelude_client_send_idmef(m_PreludeClient, idmef);
-+ idmef_message_destroy(idmef);
-+
-+#endif
-+}
-+
-+
-+
-+/**
-+ *
-+ *
-+ *
-+ */
-+void LogPrelude::handleDialogueAssignAndDone(Event *event)
-+{
-+ logInfo("LogPrelude EVENT EV_ASSIGN_AND_DONE\n");
-+
-+#ifdef HAVE_LIBPRELUDE
-+
-+ Dialogue *dia = ((DialogueEvent *)event)->getDialogue();
-+ Socket *socket = ((DialogueEvent *)event)->getSocket();
-+ idmef_message_t *idmef;
-+
-+ int32_t ret = idmef_message_new(&idmef);
-+ if ( ret < 0 )
-+ return;
-+
-+ string attack = "Exploit attempt: " + dia->getDialogueName();
-+
-+ // generic information
-+ add_idmef_object(idmef, "alert.classification.text", attack.c_str());
-+ // hl: added ident field
-+ add_idmef_object(idmef, "alert.classification.ident", EV_DIALOGUE_ASSIGN_AND_DONE);
-+
-+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
-+
-+
-+ // attacker
-+ uint32_t addr = socket->getRemoteHost();
-+ string address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", address.c_str());
-+
-+ // target
-+ addr = socket->getLocalHost();
-+ address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", address.c_str());
-+
-+// string protocol;
-+// if (down->getDownloadUrl()->getProtocol() == "tftp" )
-+// protocol = "UDP";
-+// else
-+// protocol = "TCP";
-+//
-+// add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
-+// add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
-+// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
-+
-+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"An exploit attempt is getting handled.");
-+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"low");
-+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
-+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
-+
-+
-+ // hl: added
-+ add_idmef_object(idmef, "alert.additional_data(0).type", "string");
-+ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Dialogue");
-+ add_idmef_object(idmef, "alert.additional_data(0).data", dia->getDialogueName().c_str());
-+
-+ // time
-+ idmef_time_t *time;
-+ ret = idmef_time_new_from_gettimeofday(&time);
-+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
-+ time);
-+
-+
-+ // analyzer id
-+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
-+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
-+ IDMEF_LIST_PREPEND);
-+
-+
-+ prelude_client_send_idmef(m_PreludeClient, idmef);
-+
-+
-+ idmef_message_destroy(idmef);
-+
-+#endif
-+}
-+
-+
-+
-+
-+
-+
-+/**
-+ *
-+ *
-+ */
-+void LogPrelude::handleDownload(Event *event)
-+{
-+ SubmitEvent *se = (SubmitEvent *)event;
-+ Download *down = se->getDownload();
-+ string url = se->getDownload()->getUrl();
-+
-+ se->getType();
-+ logInfo("LogPrelude EVENT EV_DOWNLOAD %s %s %i \n",down->getUrl().c_str(),
-+ down->getMD5Sum().c_str(),
-+ down->getDownloadBuffer()->getSize());
-+
-+#ifdef HAVE_LIBPRELUDE
-+
-+ idmef_message_t *idmef;
-+
-+ int32_t ret = idmef_message_new(&idmef);
-+ if ( ret < 0 )
-+ return;
-+
-+ // generic information
-+ // hl: changed message
-+ string message = "possible Malware offered: " + down->getUrl();
-+
-+ add_idmef_object(idmef, "alert.classification.text", message.c_str());
-+ // hl: changed to ident number
-+ add_idmef_object(idmef, "alert.classification.ident", EV_DOWNLOAD);
-+
-+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
-+
-+
-+ // infection host
-+ uint32_t addr = down->getRemoteHost();
-+ string address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
-+ //target host
-+ addr = down->getLocalHost();
-+ address = inet_ntoa(*(in_addr *)&addr);
-+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
-+
-+
-+ // download source
-+ // hl: removed protocol, added url
-+ /*
-+ string protocol;
-+ if (down->getDownloadUrl()->getProtocol() == "tftp" )
-+ protocol = "UDP";
-+ else
-+ protocol = "TCP";
-+ */
-+ add_idmef_object(idmef, "alert.source(0).Service.port" ,down->getDownloadUrl()->getPort());
-+ //add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
-+ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
-+// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
-+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"Parsing the Shellcode has unrevealed a URL.");
-+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium");
-+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
-+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
-+
-+ // time
-+ idmef_time_t *time;
-+ ret = idmef_time_new_from_gettimeofday(&time);
-+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
-+ time);
-+
-+
-+ // analyzer id
-+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
-+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
-+ IDMEF_LIST_PREPEND);
-+
-+
-+ prelude_client_send_idmef(m_PreludeClient, idmef);
-+
-+
-+ idmef_message_destroy(idmef);
-+#endif
-+
-+}
-+
-+
-+
-+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
-+{
-+ if (version == MODULE_IFACE_VERSION) {
-+ *module = new LogPrelude(nepenthes);
-+ return 1;
-+ } else {
-+ return 0;
-+ }
-+}
-diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.hpp
---- nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp 2006-11-13 20:40:08.000000000 +0100
-+++ nepenthes-0.2.0-prelude/modules/log-prelude/log-prelude.hpp 2007-08-05 22:40:44.000000000 +0200
-@@ -30,7 +30,7 @@
- #include "config.h"
-
- #ifdef HAVE_LIBPRELUDE
--#include
-+#include
- #endif
-
- #include