|
# --- SDE-COPYRIGHT-NOTE-BEGIN ---
|
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
|
|
#
|
|
# Filename: package/.../nepenthes/nepenthes-0.2.0-update-r1345.patch
|
|
# Copyright (C) 2007 The OpenSDE Project
|
|
#
|
|
# More information can be found in the files COPYING and README.
|
|
#
|
|
# This patch file is dual-licensed. It is available under the license the
|
|
# patched project is licensed under, as long as it is an OpenSource license
|
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
|
|
# of the GNU General Public License as published by the Free Software
|
|
# Foundation; either version 2 of the License, or (at your option) any later
|
|
# version.
|
|
# --- SDE-COPYRIGHT-NOTE-END ---
|
|
|
|
diff -ruN nepenthes-0.2.0/conf/nepenthes.conf.dist nepenthes-0.2.0-r1345/conf/nepenthes.conf.dist
|
|
--- nepenthes-0.2.0/conf/nepenthes.conf.dist 2006-11-13 20:40:03.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/conf/nepenthes.conf.dist 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -35,10 +35,12 @@
|
|
// "submitnorman.so", "submit-norman.conf", ""
|
|
// "submitnepenthes.so", "submit-nepenthes.conf", "" // send to download-nepenthes in other nepenthes instances
|
|
// "submitxmlrpc.so", "submit-xmlrpc.conf", "" // submit files to a xmlrpc server
|
|
+// "submithttp.so", "submit-http.conf", "" // submit files to a web server
|
|
|
|
// logging
|
|
"logdownload.so", "log-download.conf", ""
|
|
// "logirc.so", "log-irc.conf", "" // needs configuration
|
|
+// "logprelude.so", "log-prelude.conf", ""
|
|
|
|
|
|
// dumping and logging
|
|
diff -ruN nepenthes-0.2.0/configure.ac nepenthes-0.2.0-r1345/configure.ac
|
|
--- nepenthes-0.2.0/configure.ac 2006-11-13 20:50:47.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/configure.ac 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -201,6 +201,9 @@
|
|
# libdl
|
|
AC_SUBST([LIB_DL])
|
|
|
|
+# libssh
|
|
+AC_SUBST([LIB_SSH])
|
|
+
|
|
dnl **************************************************
|
|
dnl * libdl linking flag *
|
|
dnl **************************************************
|
|
@@ -788,12 +791,11 @@
|
|
AC_DEFINE(HAVE_LIBPRELUDE, 1,[Define if you want to use libprelude])
|
|
PRELUDE_LDFLAGS=`$LIBPRELUDE_CONFIG --ldflags`
|
|
PRELUDE_LIBS=`$LIBPRELUDE_CONFIG --libs`
|
|
- PRELUDE_CPPFLAGS=`$LIBPRELUDE_CONFIG --cflags`
|
|
+ PRELUDE_CPPFLAGS=`$LIBPRELUDE_CONFIG --pthread-cflags`
|
|
|
|
LIB_PRELUDE="$PRELUDE_LIBS"
|
|
LDFLAG_PRELUDE="$PRELUDE_LDFLAGS"
|
|
- CPPFLAG="$PRELUDE_CPPFLAGS"
|
|
-
|
|
+ CPPFLAGS="$CPPFLAGS $PRELUDE_CPPFLAGS"
|
|
fi
|
|
fi
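Review bot: Replacing `--cflags` with `--pthread-cflags` drops the libprelude include directory from the build: if libprelude-config's `--pthread-cflags` prints only the threading flags, as its name suggests, nothing collects the header path any more, and the log-prelude Makefile.am in this same patch also removes its hard-coded `-I/usr/include/libprelude`. The module then compiles only where libprelude's headers sit on the default include path; under a non-default prefix the compile fails with a missing-header error. Keep both outputs by assigning the concatenation of the `--cflags` and `--pthread-cflags` outputs to `PRELUDE_CPPFLAGS` on the changed line. The change from the dead `CPPFLAG=` assignment to `CPPFLAGS="$CPPFLAGS $PRELUDE_CPPFLAGS"` is correct and is what makes these flags reach the compiler at all.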
|
|
|
|
@@ -913,6 +915,8 @@
|
|
modules/submit-gotek/Makefile
|
|
modules/submit-norman/Makefile
|
|
modules/submit-postgres/Makefile
|
|
+ modules/submit-http/Makefile
|
|
+ modules/submit-mwserv/Makefile
|
|
modules/vuln-asn1/Makefile
|
|
modules/vuln-bagle/Makefile
|
|
modules/vuln-dameware/Makefile
|
|
@@ -931,6 +935,7 @@
|
|
modules/vuln-pnp/Makefile
|
|
modules/vuln-realvnc/Makefile
|
|
modules/vuln-sasserftpd/Makefile
|
|
+ modules/vuln-sav/Makefile
|
|
modules/vuln-ssh/Makefile
|
|
modules/vuln-sub7/Makefile
|
|
modules/vuln-upnp/Makefile
|
|
diff -ruN nepenthes-0.2.0/modules/Makefile.am nepenthes-0.2.0-r1345/modules/Makefile.am
|
|
--- nepenthes-0.2.0/modules/Makefile.am 2006-11-13 20:40:11.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -4,11 +4,11 @@
|
|
|
|
SUBDIRS = download-creceive download-csend download-curl download-ftp download-http download-link download-tftp download-rcp\
|
|
log-download log-irc \
|
|
- submit-file submit-gotek submit-norman submit-postgres\
|
|
+ submit-file submit-gotek submit-norman submit-postgres submit-http submit-mwserv \
|
|
shellcode-generic shellemu-winnt \
|
|
vuln-asn1 vuln-bagle vuln-dcom vuln-iis vuln-kuang2 vuln-lsass \
|
|
vuln-msdtc vuln-msmq vuln-mssql vuln-mydoom \
|
|
- vuln-netbiosname vuln-netdde vuln-optix vuln-pnp vuln-sasserftpd \
|
|
+ vuln-netbiosname vuln-netdde vuln-optix vuln-pnp vuln-sasserftpd vuln-sav \
|
|
vuln-sub7 vuln-upnp vuln-veritas vuln-wins vuln-dameware vuln-ssh vuln-realvnc \
|
|
module-portwatch module-honeytrap module-bridge module-peiros\
|
|
dnsresolve-adns \
|
|
diff -ruN nepenthes-0.2.0/modules/dnsresolve-adns/Makefile.am nepenthes-0.2.0-r1345/modules/dnsresolve-adns/Makefile.am
|
|
--- nepenthes-0.2.0/modules/dnsresolve-adns/Makefile.am 2006-11-13 20:40:10.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/dnsresolve-adns/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -12,4 +12,4 @@
|
|
|
|
dnsresolveadns_la_SOURCES = dnsresolve-adns.cpp dnsresolve-adns.hpp
|
|
|
|
-dnsresolveadns_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
+dnsresolveadns_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
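Review bot: Appending `$(AM_LDFLAGS)` to the per-target `_la_LDFLAGS` is the usual workaround for automake's rule that a per-target `_LDFLAGS` replaces `AM_LDFLAGS` instead of adding to it; the same pattern is applied in download-curl/Makefile.am and log-prelude/Makefile.am further down. It is only correct while `AM_LDFLAGS` holds linker flags: in log-prelude/Makefile.am it also carries `${LIB_PRELUDE}`, i.e. `-l` libraries, which then land before the object files on the link line and are discarded by toolchains that default to `--as-needed`, producing a module with unresolved symbols at load time. Libraries belong in `logprelude_la_LIBADD = $(LIB_PRELUDE)` with only `$(LDFLAG_PRELUDE)` left in `AM_LDFLAGS`; whether the adns and curl modules have the same mix is not visible in this patch.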
|
|
diff -ruN nepenthes-0.2.0/modules/dnsresolve-adns/dnsresolve-adns.cpp nepenthes-0.2.0-r1345/modules/dnsresolve-adns/dnsresolve-adns.cpp
|
|
--- nepenthes-0.2.0/modules/dnsresolve-adns/dnsresolve-adns.cpp 2006-11-13 20:40:10.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/dnsresolve-adns/dnsresolve-adns.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -47,6 +47,7 @@
|
|
|
|
|
|
#include "EventManager.hpp"
|
|
+#include "Nepenthes.hpp"
|
|
|
|
using namespace std;
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/download-creceive/CReceiveDialogue.cpp nepenthes-0.2.0-r1345/modules/download-creceive/CReceiveDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/download-creceive/CReceiveDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/download-creceive/CReceiveDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -87,7 +87,7 @@
|
|
|
|
CReceiveDialogue::~CReceiveDialogue()
|
|
{
|
|
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+// HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
// delete m_Buffer;
|
|
delete m_Download;
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/download-curl/Makefile.am nepenthes-0.2.0-r1345/modules/download-curl/Makefile.am
|
|
--- nepenthes-0.2.0/modules/download-curl/Makefile.am 2006-11-13 20:40:06.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/download-curl/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -12,4 +12,4 @@
|
|
|
|
downloadcurl_la_SOURCES = download-curl.conf.dist download-curl.hpp download-curl.cpp
|
|
|
|
-downloadcurl_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
+downloadcurl_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
|
|
diff -ruN nepenthes-0.2.0/modules/download-curl/download-curl.cpp nepenthes-0.2.0-r1345/modules/download-curl/download-curl.cpp
|
|
--- nepenthes-0.2.0/modules/download-curl/download-curl.cpp 2006-11-13 20:40:06.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/download-curl/download-curl.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -230,7 +230,9 @@
|
|
down->getDownloadUrl()->getPort(),
|
|
down->getDownloadUrl()->getPath().c_str());
|
|
// string auth = down->getDownloadUrl()->getUser() + ":" + down->getDownloadUrl()->getPass();
|
|
+#if LIBCURL_VERSION_NUM < 0x071000
|
|
curl_easy_setopt(pCurlHandle, CURLOPT_SOURCE_USERPWD,(char *)down->getDownloadUrl()->getAuth().c_str());
|
|
+#endif
|
|
curl_easy_setopt(pCurlHandle, CURLOPT_USERPWD,(char *)down->getDownloadUrl()->getAuth().c_str());
|
|
curl_easy_setopt(pCurlHandle, CURLOPT_URL , url);
|
|
curl_easy_setopt(pCurlHandle, CURLOPT_FTP_RESPONSE_TIMEOUT, 120); // 2 min ftp timeout
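Review bot: The `#if LIBCURL_VERSION_NUM < 0x071000` guard correctly limits `CURLOPT_SOURCE_USERPWD` to the releases that still had it, but the value it passes, like the unguarded `CURLOPT_USERPWD` line below it, is `getAuth().c_str()` cast to `char *`. libcurl copies string options only since 7.17.0; on the older versions this guard targets the pointer has to stay valid until the transfer runs, so if `getAuth()` returns a `std::string` by value (its declaration is not visible here) the temporary dies at the end of the statement and curl later reads freed memory. Keep the credentials in a local that outlives `curl_easy_perform`, e.g. `string auth = down->getDownloadUrl()->getAuth();`, and pass `auth.c_str()` to both options; the `(char *)` cast then becomes unnecessary as well. The enclosing function starts before this hunk.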
|
|
diff -ruN nepenthes-0.2.0/modules/download-http/HTTPDialogue.cpp nepenthes-0.2.0-r1345/modules/download-http/HTTPDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/download-http/HTTPDialogue.cpp 2006-11-13 20:40:04.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/download-http/HTTPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -178,7 +178,7 @@
|
|
if ( end == NULL )
|
|
{
|
|
logWarn("HTTP ERROR header found %i\n", size);
|
|
- g_Nepenthes->getUtilities()->hexdump((byte *)start,size);
|
|
+// g_Nepenthes->getUtilities()->hexdump((byte *)start,size);
|
|
return CL_DROP;
|
|
}else
|
|
if ( end != NULL )
|
|
diff -ruN nepenthes-0.2.0/modules/download-link/LinkDialogue.cpp nepenthes-0.2.0-r1345/modules/download-link/LinkDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/download-link/LinkDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/download-link/LinkDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -122,7 +122,7 @@
|
|
case LINK_NULL:
|
|
{
|
|
m_Buffer->add(msg->getMsg(),msg->getSize());
|
|
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+// HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
msg->getResponder()->doRespond((char *)&m_Challenge,4);
|
|
|
|
m_State = LINK_FILE;
|
|
diff -ruN nepenthes-0.2.0/modules/log-irc/log-irc.cpp nepenthes-0.2.0-r1345/modules/log-irc/log-irc.cpp
|
|
--- nepenthes-0.2.0/modules/log-irc/log-irc.cpp 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/log-irc/log-irc.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -171,7 +171,7 @@
|
|
}
|
|
// m_Nepenthes->getSocketMgr()->bindTCPSocket(0,10002,0,45,this);
|
|
|
|
- g_Nepenthes->getLogMgr()->addLogger(this,l_dl|l_sub);
|
|
+ g_Nepenthes->getLogMgr()->addLogger(this,l_all);
|
|
return true;
|
|
}
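Review bot: Widening the logger mask from `l_dl|l_sub` to `l_all` makes this module receive every log line the core emits, not only download and submission events, and whatever it receives is presumably relayed to the configured IRC channel. That floods the channel and sends diagnostic output to a remote party that previously only saw the two summary event classes; for a honeypot that output can include details of captured payloads, so the narrower mask was the safer default. If the wide mask is meant for debugging, keep `l_dl|l_sub` as the default and read the tag set from the module's config section (key name to be chosen) instead. The enclosing function starts before this hunk, so how log-irc formats non-download messages is not visible here.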
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/log-prelude/Makefile.am nepenthes-0.2.0-r1345/modules/log-prelude/Makefile.am
|
|
--- nepenthes-0.2.0/modules/log-prelude/Makefile.am 2006-11-13 20:40:08.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/log-prelude/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -4,7 +4,7 @@
|
|
|
|
AUTOMAKE_OPTIONS = foreign
|
|
|
|
-AM_CPPFLAGS = -I/usr/include/libprelude -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE $(CPPFLAG_PRELUDE)
|
|
+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
|
|
AM_CXXFLAGS = -Wall
|
|
AM_LDFLAGS = $(LDFLAG_PRELUDE) ${LIB_PRELUDE}
|
|
|
|
@@ -12,5 +12,5 @@
|
|
|
|
logprelude_la_SOURCES = log-prelude.cpp log-prelude.hpp log-prelude.conf.dist
|
|
|
|
-logprelude_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
+logprelude_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.conf.dist
|
|
--- nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist 2006-11-13 20:40:08.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.conf.dist 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -1,7 +1,9 @@
|
|
log-prelude
|
|
{
|
|
- analyzerClass "NIDS";
|
|
- analyzerModel "nepenthes";
|
|
- analyzerName "nepenthes";
|
|
-
|
|
+
|
|
+ // Name of the Prelude analyzer to use (default is nepenthes).
|
|
+ // analyzerName "nepenthes";
|
|
+
|
|
+ // Name of the Prelude profile to use (default is nepenthes).
|
|
+ // analyzerProfile "nepenthes";
|
|
};
|
|
diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp
|
|
--- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp 2006-11-13 20:40:08.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp 2007-08-06 00:48:07.000000000 +0200
|
|
@@ -27,14 +27,6 @@
|
|
|
|
/* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */
|
|
|
|
-#ifdef HAVE_LIBPRELUDE
|
|
-#include <prelude.h>
|
|
-#include <libprelude/prelude-log.h>
|
|
-#include <idmef-message-print.h>
|
|
-#include <prelude-io.h>
|
|
-#include <libprelude/prelude-timer.h>
|
|
-#endif
|
|
-
|
|
#include <arpa/inet.h>
|
|
#include "log-prelude.hpp"
|
|
#include "Nepenthes.hpp"
|
|
@@ -63,7 +55,11 @@
|
|
|
|
#define STDTAGS l_mod | l_ev | l_hlr
|
|
#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net"
|
|
-#define NEPENTHES_VERSION "$Rev: 550 $"
|
|
+#define DEFAULT_ANALYZER_NAME "nepenthes"
|
|
+#define DEFAULT_ANALYZER_PROFILE "nepenthes"
|
|
+#define ANALYZER_MODEL "Nepenthes"
|
|
+#define ANALYZER_CLASS "Honeypot"
|
|
+#define ANALYZER_MANUFACTURER "http://nepenthes.mwcollect.org/"
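Review bot: `ANALYZER_MANUFACTURER` is now defined twice: the old `#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net"` survives as a context line at the top of the hunk and the new definition with the mwcollect URL is added below it. Redefining an object-like macro with a different replacement list is ill-formed; GCC only warns and continues with the second value, but the warning is emitted on every compile of this file. Turn the old line into a removal, `-#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net"`, so only the new definition remains.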
|
|
|
|
|
|
|
|
@@ -132,28 +128,21 @@
|
|
|
|
#ifdef HAVE_LIBPRELUDE
|
|
|
|
- if ( m_Config == NULL )
|
|
- {
|
|
- logCrit("I need a config\n");
|
|
- return false;
|
|
- }
|
|
-
|
|
- string analyzerClass;
|
|
- string analyzerModel;
|
|
string analyzerName;
|
|
-
|
|
- try
|
|
- {
|
|
- analyzerClass = (m_Config->getValString("log-prelude.analyzerClass"));
|
|
- analyzerModel = m_Config->getValString("log-prelude.analyzerModel");
|
|
- analyzerName = m_Config->getValString("log-prelude.analyzerName");
|
|
-
|
|
- } catch ( ... )
|
|
- {
|
|
- logCrit("Error setting needed vars, check your config\n");
|
|
- return false;
|
|
- }
|
|
-
|
|
+ string analyzerProfile;
|
|
+
|
|
+ try {
|
|
+ analyzerName = m_Config->getValString("log-prelude.analyzerName");
|
|
+ } catch ( ... ) {
|
|
+ analyzerName = DEFAULT_ANALYZER_NAME;
|
|
+ }
|
|
+
|
|
+ try {
|
|
+ analyzerProfile = m_Config->getValString("log-prelude.analyzerProfile");
|
|
+ } catch ( ... ) {
|
|
+ analyzerProfile = DEFAULT_ANALYZER_PROFILE;
|
|
+ }
|
|
+
|
|
m_ModuleManager = m_Nepenthes->getModuleMgr();
|
|
m_Events.set(EV_SOCK_TCP_ACCEPT);
|
|
m_Events.set(EV_SOCK_TCP_CLOSE);
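Review bot: The `m_Config == NULL` guard removed at the top of this hunk is still needed: the new code calls `m_Config->getValString(...)` inside `try { } catch ( ... )`, and a null dereference is not a C++ exception, so a module loaded without a config section now crashes instead of logging "I need a config". Restore the check before the first `try`, e.g. `if ( m_Config == NULL ) { logCrit("I need a config\n"); return false; }`, or, if a missing config should simply mean "use both defaults", test for NULL once and skip both `try` blocks. The enclosing `LogPrelude::Init()` starts outside the hunk.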
|
|
@@ -163,44 +152,39 @@
|
|
m_Events.set(EV_DOWNLOAD);
|
|
m_Events.set(EV_SUBMISSION);
|
|
|
|
-
|
|
- const char *profile, *config;
|
|
-
|
|
- config = NULL;
|
|
- profile = analyzerName.c_str();
|
|
-
|
|
-
|
|
-
|
|
-
|
|
int32_t ret;
|
|
// Initialize Prelude Library
|
|
ret = prelude_init(NULL, NULL);
|
|
- if ( ret < 0 )
|
|
+ if ( ret < 0 ) {
|
|
logCrit("%s: Unable to initialize the Prelude library: %s.\n",
|
|
prelude_strsource(ret),
|
|
prelude_strerror(ret));
|
|
+ return false;
|
|
+ }
|
|
|
|
// generate a new Prelude client
|
|
- ret = prelude_client_new(&m_PreludeClient, profile);
|
|
+ ret = prelude_client_new(&m_PreludeClient, analyzerProfile.c_str());
|
|
|
|
- if ( ret < 0 )
|
|
+ if ( ret < 0 ) {
|
|
logCrit("%s: Unable to create a prelude client object: %s.\n",
|
|
prelude_strsource(ret),
|
|
prelude_strerror(ret));
|
|
+ return false;
|
|
+ }
|
|
|
|
-
|
|
+
|
|
// set options in the analyzer-part of the client
|
|
prelude_string_t *string;
|
|
|
|
- ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
+ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
if ( ret < 0 )
|
|
return false;
|
|
- prelude_string_set_constant(string, analyzerModel.c_str());
|
|
-
|
|
- ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
+ prelude_string_set_constant(string, ANALYZER_CLASS);
|
|
+
|
|
+ ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
if ( ret < 0 )
|
|
return false;
|
|
- prelude_string_set_constant(string, analyzerClass.c_str());
|
|
+ prelude_string_set_constant(string, ANALYZER_MODEL);
|
|
|
|
ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
if ( ret < 0 )
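Review bot: The added `return false` paths are an improvement over the old fall-through, but the ones taken after `prelude_client_new` has succeeded — each `if ( ret < 0 ) return false;` following an `idmef_analyzer_new_*` call, and the new blocks later in Init() — leave a half-constructed client in `m_PreludeClient` with libprelude initialised. Whether the module manager still calls `Exit()` after a failed `Init()` is not visible here; if it does not, release the client on each of these paths with `prelude_client_destroy(m_PreludeClient, PRELUDE_CLIENT_EXIT_STATUS_FAILURE); m_PreludeClient = NULL;` (a single cleanup label or helper keeps that in one place). Passing the `ANALYZER_CLASS` and `ANALYZER_MODEL` literals to `prelude_string_set_constant` is fine, since string literals have static storage. Init() continues outside this hunk.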
|
|
@@ -209,28 +193,31 @@
|
|
|
|
ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
if ( ret < 0 )
|
|
- return false;
|
|
-
|
|
- prelude_string_set_constant(string, NEPENTHES_VERSION);
|
|
+ return false;
|
|
+ prelude_string_set_constant(string, VERSION);
|
|
|
|
-// start the Prelude Client
|
|
+ ret = idmef_analyzer_new_name(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
+ if ( ret < 0 )
|
|
+ return false;
|
|
+ prelude_string_set_dup(string, analyzerName.c_str());
|
|
+
|
|
+ // start the Prelude Client
|
|
ret = prelude_client_start(m_PreludeClient);
|
|
if ( ret < 0 )
|
|
{
|
|
- if ( prelude_client_is_setup_needed(ret) )
|
|
- prelude_client_print_setup_error(m_PreludeClient);
|
|
-
|
|
logCrit("%s: Unable to initialize prelude client: %s.\n",
|
|
prelude_strsource(ret), prelude_strerror(ret));
|
|
+ return false;
|
|
}
|
|
|
|
-// set async Prelude Flags for the client, makes the application multithreaded
|
|
- ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
|
|
- if ( ret < 0 )
|
|
+ // set async Prelude Flags for the client, makes the application multithreaded
|
|
+ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
|
|
+ if ( ret < 0 ) {
|
|
logCrit("%s: Unable to set asynchronous send and timer: %s.\n",
|
|
prelude_strsource(ret),
|
|
prelude_strerror(ret));
|
|
-
|
|
+ return false;
|
|
+ }
|
|
|
|
REG_EVENT_HANDLER(this);
|
|
return true;
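Review bot: Dropping the `prelude_client_is_setup_needed(ret)` / `prelude_client_print_setup_error(m_PreludeClient)` pair from the `prelude_client_start` failure branch removes the one message that tells an operator the analyzer profile has not been registered with the Prelude manager; what remains is the generic "Unable to initialize prelude client" line, which is not actionable. Keep the two lines in front of the `logCrit` call now that the branch returns `false`. The switch to `prelude_string_set_dup` for `analyzerName` is right, since the string is a local of Init() that would dangle once the function returns if it were set as a constant. `VERSION` is assumed to come from the build's config header; it is not declared in this hunk.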
|
|
@@ -274,7 +261,7 @@
|
|
idmef_value_t *val;
|
|
idmef_path_t *path;
|
|
|
|
- ret = idmef_path_new(&path, object);
|
|
+ ret = idmef_path_new_fast(&path, object);
|
|
if ( ret < 0 )
|
|
{
|
|
logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret));
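Review bot: Switching to `idmef_path_new_fast` changes the contract of `add_idmef_object`: as far as libprelude's API goes, `idmef_path_new` takes a printf-style format plus variadic arguments, while the `_fast` variant takes the path verbatim, so `object` is no longer interpreted even if it contains `%` — the safer choice for a helper whose callers pass IDMEF path strings. Record that in the helper's header comment, e.g. `// object is used verbatim (not a format string); pass a literal IDMEF path`; the function's signature lies before this hunk. Separately, the patch also adds `modules/log-prelude/log-prelude.cpp~`, an editor backup of the pre-patch source, as a new 857-line file in the section that follows; it should be removed from the patch before it is applied.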
|
|
@@ -376,7 +363,6 @@
|
|
|
|
add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established");
|
|
add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT);
|
|
-// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
|
|
|
|
|
|
add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
|
|
@@ -449,7 +435,6 @@
|
|
|
|
add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed");
|
|
add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE);
|
|
-// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
|
|
|
|
|
|
add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
|
|
@@ -515,7 +500,6 @@
|
|
// hl: added ident
|
|
add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE);
|
|
|
|
- // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
|
|
|
|
|
|
add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
|
|
diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp~
|
|
--- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp~ 2006-11-13 20:40:08.000000000 +0100
|
|
@@ -0,0 +1,857 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+ /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */
|
|
+
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+#include <prelude.h>
|
|
+#include <libprelude/prelude-log.h>
|
|
+#include <idmef-message-print.h>
|
|
+#include <prelude-io.h>
|
|
+#include <libprelude/prelude-timer.h>
|
|
+#endif
|
|
+
|
|
+#include <arpa/inet.h>
|
|
+#include "log-prelude.hpp"
|
|
+#include "Nepenthes.hpp"
|
|
+#include "LogManager.hpp"
|
|
+#include "EventManager.hpp"
|
|
+#include "SubmitEvent.hpp"
|
|
+
|
|
+#include "Download.hpp"
|
|
+#include "DownloadUrl.hpp"
|
|
+#include "DownloadBuffer.hpp"
|
|
+
|
|
+#include "Socket.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
+
|
|
+#include "Message.hpp"
|
|
+#include "Utilities.hpp"
|
|
+#include "Config.hpp"
|
|
+#include "ShellcodeHandler.hpp"
|
|
+
|
|
+
|
|
+using namespace nepenthes;
|
|
+
|
|
+#ifdef STDTAGS
|
|
+#undef STDTAGS
|
|
+#endif
|
|
+
|
|
+#define STDTAGS l_mod | l_ev | l_hlr
|
|
+#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net"
|
|
+#define NEPENTHES_VERSION "$Rev: 550 $"
|
|
+
|
|
+
|
|
+
|
|
+/**
|
|
+ * as we may need a global pointer to our Nepenthes in our modules,
|
|
+ * and cant access the cores global pointer to nepenthes
|
|
+ * we have to use a own global pointer to nepenthes per module
|
|
+ * we need this pointer for logInfo() etc
|
|
+ */
|
|
+Nepenthes *g_Nepenthes;
|
|
+
|
|
+/**
|
|
+ * Constructor
|
|
+ * creates a new LogPrelude Module, where x% is public Module, public EventHandler
|
|
+ * - sets the ModuleName
|
|
+ * - sets the ModuleDescription
|
|
+ * - sets the EventHandlerName
|
|
+ * - sets the EventHandlerDescription
|
|
+ * - sets the EventHandlers Timeout
|
|
+ * - sets the Modules global pointer to the Nepenthes
|
|
+ *
|
|
+ * @param nepenthes pointer to our nepenthes master class
|
|
+ */
|
|
+LogPrelude::LogPrelude(Nepenthes *nepenthes)
|
|
+{
|
|
+ m_ModuleName = "log-prelude";
|
|
+ m_ModuleDescription = "event based prelude logger";
|
|
+ m_ModuleRevision = "$Rev: 550 $";
|
|
+ m_Nepenthes = nepenthes;
|
|
+
|
|
+ m_EventHandlerName = "LogPreludeEventHandler";
|
|
+ m_EventHandlerDescription = "log events to a prelude database";
|
|
+
|
|
+// m_Timeout = time(NULL) + rand()%23;
|
|
+
|
|
+ g_Nepenthes = nepenthes;
|
|
+
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+ m_PreludeClient = NULL;
|
|
+#endif
|
|
+}
|
|
+
|
|
+
|
|
+/**
|
|
+ * exerything important happens in ::Exit() as we have a return value there
|
|
+ */
|
|
+LogPrelude::~LogPrelude()
|
|
+{
|
|
+
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+/**
|
|
+ * bool Module::Init()
|
|
+ * setup Module specific values
|
|
+ * here:
|
|
+ * - register as EventHandler
|
|
+ * - set wanted events
|
|
+ *
|
|
+ * @return returns true if everything was fine, else false
|
|
+ * returning false will showup errors in warning a module
|
|
+ */
|
|
+bool LogPrelude::Init()
|
|
+{
|
|
+
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+
|
|
+ if ( m_Config == NULL )
|
|
+ {
|
|
+ logCrit("I need a config\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ string analyzerClass;
|
|
+ string analyzerModel;
|
|
+ string analyzerName;
|
|
+
|
|
+ try
|
|
+ {
|
|
+ analyzerClass = (m_Config->getValString("log-prelude.analyzerClass"));
|
|
+ analyzerModel = m_Config->getValString("log-prelude.analyzerModel");
|
|
+ analyzerName = m_Config->getValString("log-prelude.analyzerName");
|
|
+
|
|
+ } catch ( ... )
|
|
+ {
|
|
+ logCrit("Error setting needed vars, check your config\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ m_ModuleManager = m_Nepenthes->getModuleMgr();
|
|
+ m_Events.set(EV_SOCK_TCP_ACCEPT);
|
|
+ m_Events.set(EV_SOCK_TCP_CLOSE);
|
|
+ m_Events.set(EV_DIALOGUE_ASSIGN_AND_DONE);
|
|
+ m_Events.set(EV_SHELLCODE_DONE);
|
|
+
|
|
+ m_Events.set(EV_DOWNLOAD);
|
|
+ m_Events.set(EV_SUBMISSION);
|
|
+
|
|
+
|
|
+ const char *profile, *config;
|
|
+
|
|
+ config = NULL;
|
|
+ profile = analyzerName.c_str();
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+ int32_t ret;
|
|
+// Initialize Prelude Library
|
|
+ ret = prelude_init(NULL, NULL);
|
|
+ if ( ret < 0 )
|
|
+ logCrit("%s: Unable to initialize the Prelude library: %s.\n",
|
|
+ prelude_strsource(ret),
|
|
+ prelude_strerror(ret));
|
|
+
|
|
+// generate a new Prelude client
|
|
+ ret = prelude_client_new(&m_PreludeClient, profile);
|
|
+
|
|
+ if ( ret < 0 )
|
|
+ logCrit("%s: Unable to create a prelude client object: %s.\n",
|
|
+ prelude_strsource(ret),
|
|
+ prelude_strerror(ret));
|
|
+
|
|
+
|
|
+ // set options in the analyzer-part of the client
|
|
+ prelude_string_t *string;
|
|
+
|
|
+ ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
+ if ( ret < 0 )
|
|
+ return false;
|
|
+ prelude_string_set_constant(string, analyzerModel.c_str());
|
|
+
|
|
+ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
+ if ( ret < 0 )
|
|
+ return false;
|
|
+ prelude_string_set_constant(string, analyzerClass.c_str());
|
|
+
|
|
+ ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
+ if ( ret < 0 )
|
|
+ return false;
|
|
+ prelude_string_set_constant(string, ANALYZER_MANUFACTURER);
|
|
+
|
|
+ ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string);
|
|
+ if ( ret < 0 )
|
|
+ return false;
|
|
+
|
|
+ prelude_string_set_constant(string, NEPENTHES_VERSION);
|
|
+
|
|
+// start the Prelude Client
|
|
+ ret = prelude_client_start(m_PreludeClient);
|
|
+ if ( ret < 0 )
|
|
+ {
|
|
+ if ( prelude_client_is_setup_needed(ret) )
|
|
+ prelude_client_print_setup_error(m_PreludeClient);
|
|
+
|
|
+ logCrit("%s: Unable to initialize prelude client: %s.\n",
|
|
+ prelude_strsource(ret), prelude_strerror(ret));
|
|
+ }
|
|
+
|
|
+// set async Prelude Flags for the client, makes the application multithreaded
|
|
+ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
|
|
+ if ( ret < 0 )
|
|
+ logCrit("%s: Unable to set asynchronous send and timer: %s.\n",
|
|
+ prelude_strsource(ret),
|
|
+ prelude_strerror(ret));
|
|
+
|
|
+
|
|
+ REG_EVENT_HANDLER(this);
|
|
+ return true;
|
|
+#else
|
|
+ logCrit("Module log-prelude is compiled without libprelude, this wont work, reconfigure the whole source and recompile");
|
|
+ return false;
|
|
+#endif
|
|
+
|
|
+}
|
|
+
|
|
+
|
|
+/**
|
|
+ * unregister as EventHandler, destroy the Prelude Client
|
|
+ *
|
|
+ * @return returns true if everything was fine
|
|
+ */
|
|
+bool LogPrelude::Exit()
|
|
+{
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+ if( m_PreludeClient != NULL)
|
|
+ {
|
|
+ prelude_client_destroy(m_PreludeClient, (prelude_client_exit_status_t)(PRELUDE_CLIENT_EXIT_STATUS_SUCCESS));
|
|
+ prelude_deinit();
|
|
+ }
|
|
+ // disabled by harald due to segfaults
|
|
+ //UNREG_EVENT_HANDLER(this);
|
|
+#endif
|
|
+ return true;
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+/**
|
|
+ * This function adds char * idmef values into an idmef message
|
|
+ *
|
|
+ */
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+int32_t add_idmef_object(idmef_message_t *message, const char *object, const char *value)
|
|
+{
|
|
+ int32_t ret=0;
|
|
+ idmef_value_t *val;
|
|
+ idmef_path_t *path;
|
|
+
|
|
+ ret = idmef_path_new(&path, object);
|
|
+ if ( ret < 0 )
|
|
+ {
|
|
+ logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret));
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ ret = idmef_value_new_from_path(&val, path, value);
|
|
+ if ( ret < 0 )
|
|
+ {
|
|
+ idmef_path_destroy(path);
|
|
+ logWarn("imdef error #2 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret));
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ ret = idmef_path_set(path, message, val);
|
|
+
|
|
+ idmef_value_destroy(val);
|
|
+ idmef_path_destroy(path);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+
|
|
+/**
|
|
+ *
|
|
+ * This function adds int32_t idmef values into an idmef message
|
|
+ */
|
|
+int32_t add_idmef_object(idmef_message_t *message, const char *object, int32_t i)
|
|
+{
|
|
+ char value[20];
|
|
+ memset(value,0,20);
|
|
+ snprintf(value,19,"%i",i);
|
|
+ return add_idmef_object(message,object,value);
|
|
+}
|
|
+
|
|
+#endif
|
|
+
|
|
+
|
|
+/**
|
|
+ * the handleEvent method is called whenever an event occurs
|
|
+ * the EventHandler wanted to have.
|
|
+ *
|
|
+ * @param event the Event
|
|
+ *
|
|
+ * @return return 0
|
|
+ */
|
|
+uint32_t LogPrelude::handleEvent(Event *event)
|
|
+{
|
|
+// logPF();
|
|
+// logInfo("Event %i\n",event->getType());
|
|
+ switch(event->getType())
|
|
+ {
|
|
+
|
|
+ case EV_SOCK_TCP_ACCEPT:
|
|
+ handleTCPaccept(event);
|
|
+ break;
|
|
+
|
|
+ case EV_SOCK_TCP_CLOSE:
|
|
+ handleTCPclose(event);
|
|
+ break;
|
|
+
|
|
+ case EV_SUBMISSION:
|
|
+ handleSubmission(event);
|
|
+ break;
|
|
+
|
|
+ case EV_DIALOGUE_ASSIGN_AND_DONE:
|
|
+ handleDialogueAssignAndDone(event);
|
|
+ break;
|
|
+
|
|
+ case EV_SHELLCODE_DONE:
|
|
+ handleShellcodeDone(event);
|
|
+ break;
|
|
+
|
|
+
|
|
+ case EV_DOWNLOAD:
|
|
+ handleDownload(event);
|
|
+ break;
|
|
+
|
|
+ default:
|
|
+ logWarn("this should not happen\n");
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+
|
|
+void LogPrelude::handleTCPaccept(Event *event)
|
|
+{
|
|
+
|
|
+
|
|
+ logInfo("LogPrelude EVENT EV_SOCK_TCP_ACCEPT\n");
|
|
+
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+ Socket *socket = ((SocketEvent *)event)->getSocket();
|
|
+
|
|
+ idmef_message_t *idmef;
|
|
+
|
|
+ int32_t ret = idmef_message_new(&idmef);
|
|
+ if ( ret < 0 )
|
|
+ return;
|
|
+
|
|
+ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established");
|
|
+ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT);
|
|
+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
|
|
+
|
|
+
|
|
+ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort());
|
|
+
|
|
+ uint32_t addr = socket->getRemoteHost();
|
|
+ string address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
|
|
+
|
|
+
|
|
+ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes");
|
|
+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP");
|
|
+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort());
|
|
+
|
|
+ addr = socket->getLocalHost();
|
|
+ address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+ idmef_time_t *time;
|
|
+
|
|
+ ret = idmef_time_new_from_gettimeofday(&time);
|
|
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
|
|
+ time);
|
|
+
|
|
+
|
|
+ // analyzer id
|
|
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
|
|
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
|
|
+ IDMEF_LIST_PREPEND);
|
|
+
|
|
+
|
|
+ prelude_client_send_idmef(m_PreludeClient, idmef);
|
|
+
|
|
+ //prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef));
|
|
+ //const char *msgid = prelude_string_get_string(field);
|
|
+
|
|
+ //logInfo("PreludeMessageID = %s \n",msgid);
|
|
+
|
|
+ idmef_message_destroy(idmef);
|
|
+#endif
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+void LogPrelude::handleTCPclose(Event *event)
|
|
+{
|
|
+
|
|
+ Socket *socket = ((SocketEvent *)event)->getSocket();
|
|
+
|
|
+ if (! socket->isAccept())
|
|
+ {
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ logInfo("LogPrelude EVENT EV_SOCK_TCP_CLOSE\n");
|
|
+
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+
|
|
+ idmef_message_t *idmef;
|
|
+
|
|
+ int32_t ret = idmef_message_new(&idmef);
|
|
+ if ( ret < 0 )
|
|
+ return;
|
|
+
|
|
+
|
|
+ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed");
|
|
+ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE);
|
|
+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
|
|
+
|
|
+
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort());
|
|
+
|
|
+ uint32_t addr = socket->getRemoteHost();
|
|
+ string address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
|
|
+
|
|
+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP");
|
|
+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort());
|
|
+
|
|
+ addr = socket->getLocalHost();
|
|
+ address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",address.c_str());
|
|
+
|
|
+ idmef_time_t *time;
|
|
+
|
|
+ ret = idmef_time_new_from_gettimeofday(&time);
|
|
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
|
|
+ time);
|
|
+
|
|
+
|
|
+ // analyzer id
|
|
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
|
|
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
|
|
+ IDMEF_LIST_PREPEND);
|
|
+
|
|
+
|
|
+ prelude_client_send_idmef(m_PreludeClient, idmef);
|
|
+
|
|
+// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef));
|
|
+// const char *msgid = prelude_string_get_string(field);
|
|
+
|
|
+// logInfo("CloseMessageID = %s \n",msgid);
|
|
+
|
|
+ idmef_message_destroy(idmef);
|
|
+
|
|
+#endif
|
|
+}
|
|
+
|
|
+
|
|
+/**
|
|
+ * Send idmef message when finished with the Shellcode
|
|
+ *
|
|
+ */
|
|
+void LogPrelude::handleShellcodeDone(Event *event)
|
|
+{
|
|
+ logInfo("LogPrelude EVENT EV_SHELLCODE_DONE\n");
|
|
+
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+
|
|
+ ShellcodeHandler *handler = ((ShellcodeEvent *)event)->getShellcodeHandler();
|
|
+ Socket *socket = ((ShellcodeEvent *)event)->getSocket();
|
|
+
|
|
+ idmef_message_t *idmef;
|
|
+
|
|
+ int32_t ret = idmef_message_new(&idmef);
|
|
+ if ( ret < 0 )
|
|
+ return;
|
|
+ string shellcodeText = "Shellcode detected: " + handler->getShellcodeHandlerName();
|
|
+ add_idmef_object(idmef, "alert.classification.text", shellcodeText.c_str());
|
|
+ // hl: added ident
|
|
+ add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE);
|
|
+
|
|
+ // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
|
|
+
|
|
+
|
|
+ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort());
|
|
+
|
|
+ uint32_t addr = socket->getRemoteHost();
|
|
+ string address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
|
|
+
|
|
+
|
|
+ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes");
|
|
+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP");
|
|
+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort());
|
|
+
|
|
+ addr = socket->getLocalHost();
|
|
+ address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
|
|
+
|
|
+
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Shellcode has been detected.");
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium");
|
|
+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
|
|
+
|
|
+
|
|
+ // hl: added for additional information
|
|
+ add_idmef_object(idmef, "alert.additional_data(0).type", "string");
|
|
+ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Shellcode");
|
|
+ add_idmef_object(idmef, "alert.additional_data(0).data", handler->getShellcodeHandlerName().c_str());
|
|
+
|
|
+
|
|
+ idmef_time_t *time;
|
|
+
|
|
+ ret = idmef_time_new_from_gettimeofday(&time);
|
|
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
|
|
+ time);
|
|
+
|
|
+
|
|
+ // analyzer id
|
|
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
|
|
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
|
|
+ IDMEF_LIST_PREPEND);
|
|
+
|
|
+
|
|
+ prelude_client_send_idmef(m_PreludeClient, idmef);
|
|
+
|
|
+// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef));
|
|
+// const char *msgid = prelude_string_get_string(field);
|
|
+// logInfo("RecvMessageID = %s \n",msgid);
|
|
+
|
|
+ idmef_message_destroy(idmef);
|
|
+#endif
|
|
+}
|
|
+
|
|
+
|
|
+/**
|
|
+ *
|
|
+ * handle submitted files
|
|
+ */
|
|
+void LogPrelude::handleSubmission(Event *event)
|
|
+{
|
|
+ SubmitEvent *se = (SubmitEvent *)event;
|
|
+ Download *down = se->getDownload();
|
|
+
|
|
+ logInfo("LogPrelude EVENT EV_SUBMISSION %s %s %i \n",down->getUrl().c_str(),
|
|
+ down->getMD5Sum().c_str(),
|
|
+ down->getDownloadBuffer()->getSize());
|
|
+
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+ idmef_message_t *idmef;
|
|
+
|
|
+ int32_t ret = idmef_message_new(&idmef);
|
|
+ if ( ret < 0 )
|
|
+ return;
|
|
+
|
|
+ // generic information
|
|
+ // hl: changed submited to submitted, added ident
|
|
+ add_idmef_object(idmef, "alert.classification.text" ,"Malware submitted");
|
|
+ add_idmef_object(idmef, "alert.classification.ident", EV_SUBMISSION);
|
|
+
|
|
+ string url = "http://nepenthes.sf.net/wiki/submission/" + down->getMD5Sum();
|
|
+ add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
|
|
+ add_idmef_object(idmef, "alert.classification.reference(0).url" ,url.c_str() );
|
|
+
|
|
+
|
|
+ // file name and info
|
|
+ // hl: changed file tags because of DTD violation
|
|
+ add_idmef_object(idmef, "alert.target(0).file(0).name" ,down->getDownloadUrl()->getFile().c_str());
|
|
+ add_idmef_object(idmef, "alert.target(0).file(0).path" ,down->getUrl().c_str());
|
|
+ add_idmef_object(idmef, "alert.target(0).file(0).category" ,"current");
|
|
+ add_idmef_object(idmef, "alert.target(0).file(0).ident" ,down->getMD5Sum().c_str());
|
|
+ add_idmef_object(idmef, "alert.target(0).file(0).data_size" ,down->getDownloadBuffer()->getSize());
|
|
+
|
|
+ //hl: some debug stuff, prelude-manager doesnt write the checksums into xml
|
|
+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5");
|
|
+ //logInfo("LogPrelude DEBUG MD5 %i\n", ret);
|
|
+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).value" ,down->getMD5Sum().c_str());
|
|
+ //logInfo("LogPrelude DEBUG Hash %i\n", ret);
|
|
+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).algorithm" ,"SHA2-512");
|
|
+ //logInfo("LogPrelude DEBUG SHA %i\n", ret);
|
|
+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).value" ,down->getSHA512Sum().c_str());
|
|
+ //logInfo("LogPrelude DEBUG Hash %i\n", ret);
|
|
+
|
|
+ uint32_t addr = down->getLocalHost();
|
|
+ string address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
|
|
+
|
|
+
|
|
+
|
|
+ // infection host
|
|
+ addr = down->getRemoteHost();
|
|
+ address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
|
|
+
|
|
+
|
|
+ // download source
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.port", down->getDownloadUrl()->getPort());
|
|
+
|
|
+ /* hl: previous dirty workaround -> commented
|
|
+ string protocol;
|
|
+ if (down->getDownloadUrl()->getProtocol() == "tftp" )
|
|
+ protocol = "UDP";
|
|
+ else
|
|
+ protocol = "TCP";
|
|
+
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
|
|
+ */
|
|
+
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
|
|
+ // hl: not needed
|
|
+ //add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
|
|
+
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Malware stored for further analysis");
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"high");
|
|
+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
|
|
+
|
|
+ // time
|
|
+ idmef_time_t *time;
|
|
+ ret = idmef_time_new_from_gettimeofday(&time);
|
|
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
|
|
+ time);
|
|
+
|
|
+
|
|
+ // analyzer id
|
|
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
|
|
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
|
|
+ IDMEF_LIST_PREPEND);
|
|
+
|
|
+
|
|
+ prelude_client_send_idmef(m_PreludeClient, idmef);
|
|
+ idmef_message_destroy(idmef);
|
|
+
|
|
+#endif
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+/**
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ */
|
|
+void LogPrelude::handleDialogueAssignAndDone(Event *event)
|
|
+{
|
|
+ logInfo("LogPrelude EVENT EV_ASSIGN_AND_DONE\n");
|
|
+
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+
|
|
+ Dialogue *dia = ((DialogueEvent *)event)->getDialogue();
|
|
+ Socket *socket = ((DialogueEvent *)event)->getSocket();
|
|
+ idmef_message_t *idmef;
|
|
+
|
|
+ int32_t ret = idmef_message_new(&idmef);
|
|
+ if ( ret < 0 )
|
|
+ return;
|
|
+
|
|
+ string attack = "Exploit attempt: " + dia->getDialogueName();
|
|
+
|
|
+ // generic information
|
|
+ add_idmef_object(idmef, "alert.classification.text", attack.c_str());
|
|
+ // hl: added ident field
|
|
+ add_idmef_object(idmef, "alert.classification.ident", EV_DIALOGUE_ASSIGN_AND_DONE);
|
|
+
|
|
+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
|
|
+
|
|
+
|
|
+ // attacker
|
|
+ uint32_t addr = socket->getRemoteHost();
|
|
+ string address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", address.c_str());
|
|
+
|
|
+ // target
|
|
+ addr = socket->getLocalHost();
|
|
+ address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", address.c_str());
|
|
+
|
|
+// string protocol;
|
|
+// if (down->getDownloadUrl()->getProtocol() == "tftp" )
|
|
+// protocol = "UDP";
|
|
+// else
|
|
+// protocol = "TCP";
|
|
+//
|
|
+// add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
|
|
+// add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
|
|
+// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
|
|
+
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"An exploit attempt is getting handled.");
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"low");
|
|
+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
|
|
+
|
|
+
|
|
+ // hl: added
|
|
+ add_idmef_object(idmef, "alert.additional_data(0).type", "string");
|
|
+ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Dialogue");
|
|
+ add_idmef_object(idmef, "alert.additional_data(0).data", dia->getDialogueName().c_str());
|
|
+
|
|
+ // time
|
|
+ idmef_time_t *time;
|
|
+ ret = idmef_time_new_from_gettimeofday(&time);
|
|
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
|
|
+ time);
|
|
+
|
|
+
|
|
+ // analyzer id
|
|
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
|
|
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
|
|
+ IDMEF_LIST_PREPEND);
|
|
+
|
|
+
|
|
+ prelude_client_send_idmef(m_PreludeClient, idmef);
|
|
+
|
|
+
|
|
+ idmef_message_destroy(idmef);
|
|
+
|
|
+#endif
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+/**
|
|
+ *
|
|
+ *
|
|
+ */
|
|
+void LogPrelude::handleDownload(Event *event)
|
|
+{
|
|
+ SubmitEvent *se = (SubmitEvent *)event;
|
|
+ Download *down = se->getDownload();
|
|
+ string url = se->getDownload()->getUrl();
|
|
+
|
|
+ se->getType();
|
|
+ logInfo("LogPrelude EVENT EV_DOWNLOAD %s %s %i \n",down->getUrl().c_str(),
|
|
+ down->getMD5Sum().c_str(),
|
|
+ down->getDownloadBuffer()->getSize());
|
|
+
|
|
+#ifdef HAVE_LIBPRELUDE
|
|
+
|
|
+ idmef_message_t *idmef;
|
|
+
|
|
+ int32_t ret = idmef_message_new(&idmef);
|
|
+ if ( ret < 0 )
|
|
+ return;
|
|
+
|
|
+ // generic information
|
|
+ // hl: changed message
|
|
+ string message = "possible Malware offered: " + down->getUrl();
|
|
+
|
|
+ add_idmef_object(idmef, "alert.classification.text", message.c_str());
|
|
+ // hl: changed to ident number
|
|
+ add_idmef_object(idmef, "alert.classification.ident", EV_DOWNLOAD);
|
|
+
|
|
+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
|
|
+
|
|
+
|
|
+ // infection host
|
|
+ uint32_t addr = down->getRemoteHost();
|
|
+ string address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
|
|
+ //target host
|
|
+ addr = down->getLocalHost();
|
|
+ address = inet_ntoa(*(in_addr *)&addr);
|
|
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
|
|
+
|
|
+
|
|
+ // download source
|
|
+ // hl: removed protocol, added url
|
|
+ /*
|
|
+ string protocol;
|
|
+ if (down->getDownloadUrl()->getProtocol() == "tftp" )
|
|
+ protocol = "UDP";
|
|
+ else
|
|
+ protocol = "TCP";
|
|
+ */
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.port" ,down->getDownloadUrl()->getPort());
|
|
+ //add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
|
|
+ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
|
|
+// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"Parsing the Shellcode has unrevealed a URL.");
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium");
|
|
+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
|
|
+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
|
|
+
|
|
+ // time
|
|
+ idmef_time_t *time;
|
|
+ ret = idmef_time_new_from_gettimeofday(&time);
|
|
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
|
|
+ time);
|
|
+
|
|
+
|
|
+ // analyzer id
|
|
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
|
|
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
|
|
+ IDMEF_LIST_PREPEND);
|
|
+
|
|
+
|
|
+ prelude_client_send_idmef(m_PreludeClient, idmef);
|
|
+
|
|
+
|
|
+ idmef_message_destroy(idmef);
|
|
+#endif
|
|
+
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
|
|
+{
|
|
+ if (version == MODULE_IFACE_VERSION) {
|
|
+ *module = new LogPrelude(nepenthes);
|
|
+ return 1;
|
|
+ } else {
|
|
+ return 0;
|
|
+ }
|
|
+}
|
|
diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.hpp
|
|
--- nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp 2006-11-13 20:40:08.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -30,7 +30,7 @@
|
|
#include "config.h"
|
|
|
|
#ifdef HAVE_LIBPRELUDE
|
|
-#include <prelude.h>
|
|
+#include <libprelude/prelude.h>
|
|
#endif
|
|
|
|
#include <string>
|
|
diff -ruN nepenthes-0.2.0/modules/log-surfnet/Makefile.am nepenthes-0.2.0-r1345/modules/log-surfnet/Makefile.am
|
|
--- nepenthes-0.2.0/modules/log-surfnet/Makefile.am 2006-11-13 20:40:10.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/log-surfnet/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -6,7 +6,6 @@
|
|
|
|
AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -I/usr/include/postgresql -pipe -D _GNU_SOURCE
|
|
AM_CXXFLAGS = -Wall -Werror
|
|
-AM_LDFLAGS = ${LIB_POSTGRES}
|
|
|
|
pkglib_LTLIBRARIES = logsurfnet.la
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/log-surfnet/log-surfnet.conf.dist nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.conf.dist
|
|
--- nepenthes-0.2.0/modules/log-surfnet/log-surfnet.conf.dist 2006-11-13 20:40:10.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.conf.dist 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -49,175 +49,3 @@
|
|
|
|
};
|
|
|
|
-
|
|
-/*
|
|
-
|
|
-don't forget to create these fn's in your surfnet ids database.
|
|
-
|
|
-
|
|
-CREATE PROCEDURAL LANGUAGE plpgsql;
|
|
-
|
|
-CREATE FUNCTION surfnet_attack_add(integer, inet, integer, inet, integer, macaddr, inet) RETURNS integer
|
|
- AS $_$DECLARE
|
|
- p_severity ALIAS FOR $1;
|
|
- p_attackerip ALIAS FOR $2;
|
|
- p_attackerport ALIAS FOR $3;
|
|
- p_decoyip ALIAS FOR $4;
|
|
- p_decoyport ALIAS FOR $5;
|
|
- p_hwa ALIAS FOR $6;
|
|
- p_localhost ALIAS FOR $7;
|
|
- m_attackid INTEGER;
|
|
- m_sensorid INTEGER;
|
|
-BEGIN
|
|
-
|
|
- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost);
|
|
- SELECT INTO m_attackid surfnet_attack_add_by_id(p_severity,
|
|
- p_attackerip, p_attackerport, p_decoyip,
|
|
- p_decoyport, p_hwa, m_sensorid);
|
|
-
|
|
- return m_attackid;
|
|
-END$_$
|
|
- LANGUAGE plpgsql;
|
|
-
|
|
-
|
|
-CREATE FUNCTION surfnet_attack_add_by_id(integer, inet, integer, inet, integer, macaddr, integer) RETURNS integer
|
|
- AS $_$DECLARE
|
|
- p_severity ALIAS FOR $1;
|
|
- p_attackerip ALIAS FOR $2;
|
|
- p_attackerport ALIAS FOR $3;
|
|
- p_decoyip ALIAS FOR $4;
|
|
- p_decoyport ALIAS FOR $5;
|
|
- p_hwa ALIAS FOR $6;
|
|
- p_sensorid ALIAS FOR $7;
|
|
- m_attackid INTEGER;
|
|
-BEGIN
|
|
- INSERT INTO attacks
|
|
- (severity,
|
|
- timestamp,
|
|
- dest,
|
|
- dport,
|
|
- source,
|
|
- sport,
|
|
- sensorid,
|
|
- src_mac)
|
|
- VALUES
|
|
- (p_severity,
|
|
- extract(epoch from current_timestamp(0))::integer,
|
|
- p_attackerip,
|
|
- p_attackerport,
|
|
- p_decoyip,
|
|
- p_decoyport,
|
|
- p_sensorid,
|
|
- p_hwa);
|
|
-
|
|
- SELECT INTO m_attackid currval('attacks_id_seq');
|
|
- return m_attackid;
|
|
-END$_$
|
|
- LANGUAGE plpgsql;
|
|
-
|
|
-
|
|
-
|
|
-CREATE FUNCTION surfnet_attack_update_severity(integer, integer) RETURNS void
|
|
- AS $_$DECLARE
|
|
- p_attackid ALIAS FOR $1;
|
|
- p_severity ALIAS FOR $2;
|
|
-BEGIN
|
|
- UPDATE attacks SET severity = p_severity WHERE id = p_attackid;
|
|
- return;
|
|
-END;$_$
|
|
- LANGUAGE plpgsql;
|
|
-
|
|
-
|
|
-CREATE FUNCTION surfnet_detail_add(integer, inet, integer, character varying) RETURNS void
|
|
- AS $_$DECLARE
|
|
- p_attackid ALIAS FOR $1;
|
|
- p_localhost ALIAS FOR $2;
|
|
- p_type ALIAS FOR $3;
|
|
- p_data ALIAS FOR $4;
|
|
-
|
|
- m_sensorid INTEGER;
|
|
-BEGIN
|
|
- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost);
|
|
-
|
|
- INSERT INTO details
|
|
- (attackid,sensorid,type,text)
|
|
- VALUES
|
|
- (p_attackid,m_sensorid,p_type,p_data);
|
|
-END$_$
|
|
- LANGUAGE plpgsql;
|
|
-
|
|
-
|
|
-CREATE FUNCTION surfnet_detail_add_by_id(integer, integer, integer, character varying) RETURNS void
|
|
- AS $_$DECLARE
|
|
- p_attackid ALIAS FOR $1;
|
|
- m_sensorid ALIAS FOR $2;
|
|
- p_type ALIAS FOR $3;
|
|
- p_data ALIAS FOR $4;
|
|
-BEGIN
|
|
- INSERT INTO details
|
|
- (attackid,sensorid,type,text)
|
|
- VALUES
|
|
- (p_attackid,m_sensorid,p_type,p_data);
|
|
-END$_$
|
|
- LANGUAGE plpgsql;
|
|
-
|
|
-
|
|
-CREATE FUNCTION surfnet_detail_add_download(inet, inet, character varying, character varying) RETURNS void
|
|
- AS $_$DECLARE
|
|
- p_remotehost ALIAS FOR $1;
|
|
- p_localhost ALIAS FOR $2;
|
|
- p_url ALIAS FOR $3;
|
|
- p_hash ALIAS FOR $4;
|
|
-
|
|
- m_sensorid INTEGER;
|
|
- m_attackid INTEGER;
|
|
-BEGIN
|
|
- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost);
|
|
- SELECT INTO m_attackid surfnet_attack_add_by_id(32,p_remotehost, 0,
|
|
- p_localhost, 0,
|
|
- NULL,m_sensorid);
|
|
-
|
|
- PERFORM surfnet_detail_add_by_id(m_attackid,
|
|
- m_sensorid,4,p_url);
|
|
- PERFORM surfnet_detail_add_by_id(m_attackid,
|
|
- m_sensorid,8,p_hash);
|
|
-
|
|
- return;
|
|
-END; $_$
|
|
- LANGUAGE plpgsql;
|
|
-
|
|
-
|
|
-CREATE FUNCTION surfnet_detail_add_offer(inet, inet, character varying) RETURNS void
|
|
- AS $_$DECLARE
|
|
- p_remotehost ALIAS FOR $1;
|
|
- p_localhost ALIAS FOR $2;
|
|
- p_url ALIAS FOR $3;
|
|
-
|
|
- m_sensorid INTEGER;
|
|
- m_attackid INTEGER;
|
|
-BEGIN
|
|
- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost);
|
|
- SELECT INTO m_attackid surfnet_attack_add_by_id(16,p_remotehost, 0,
|
|
- p_localhost, 0,
|
|
- NULL,m_sensorid);
|
|
-
|
|
- PERFORM surfnet_detail_add_by_id(m_attackid,
|
|
- m_sensorid,4,p_url);
|
|
- return;
|
|
-END; $_$
|
|
- LANGUAGE plpgsql;
|
|
-
|
|
-
|
|
-CREATE FUNCTION surfnet_sensorid_get(inet) RETURNS integer
|
|
- AS $_$DECLARE
|
|
- p_localhost ALIAS FOR $1;
|
|
- m_sensorid INTEGER;
|
|
-BEGIN
|
|
- SELECT INTO m_sensorid id FROM sensors WHERE tapip = p_localhost;
|
|
- return m_sensorid;
|
|
-END
|
|
-$_$
|
|
- LANGUAGE plpgsql;
|
|
-
|
|
-
|
|
-*/
|
|
diff -ruN nepenthes-0.2.0/modules/log-surfnet/log-surfnet.cpp nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.cpp
|
|
--- nepenthes-0.2.0/modules/log-surfnet/log-surfnet.cpp 2006-11-13 20:40:10.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -76,7 +76,7 @@
|
|
m_attackID = 0;
|
|
m_closed = false;
|
|
|
|
- m_severity = 0;
|
|
+ m_severity = -1;
|
|
}
|
|
|
|
|
|
@@ -471,7 +471,13 @@
|
|
(uint32_t) ((intptr_t)socket),
|
|
attackid);
|
|
|
|
- m_SocketTracker[(uintptr_t) socket].m_closed = true;
|
|
+ if (m_SocketTracker[(uintptr_t) socket].m_Details.size() > 0)
|
|
+ {
|
|
+ m_SocketTracker[(uintptr_t) socket].m_closed = true;
|
|
+ }else
|
|
+ {
|
|
+ m_SocketTracker.erase((uintptr_t)socket);
|
|
+ }
|
|
}
|
|
|
|
void LogSurfNET::handleDialogueAssignAndDone(Socket *socket, Dialogue *dia, uint32_t attackid)
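Review bot: The added branch looks the tracker entry up three times through `operator[]`, which also default-inserts an entry when the socket key is missing; binding the entry once keeps the code shorter and avoids that spurious insert. The same `m_SocketTracker[(uintptr_t)s]` repetition appears five times in the severity-update hunk at `@@ -649,6 +655,19 @@`. For the test itself, `!m_SocketTracker[(uintptr_t) socket].m_Details.empty()` reads more directly than `.size() > 0`, and a comment such as `// keep the entry while queued details still reference it; otherwise drop it now` would record why the close is deferred in one case and immediate in the other.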
|
|
@@ -649,6 +655,19 @@
|
|
m_SocketTracker[(uintptr_t)s].m_Details.pop_front();
|
|
}
|
|
|
|
+ if (m_SocketTracker[(uintptr_t)s].m_severity != -1)
|
|
+ {
|
|
+ string query;
|
|
+
|
|
+ query = "SELECT surfnet_attack_update_severity('";
|
|
+ query += itos(m_SocketTracker[(uintptr_t)s].m_attackID);
|
|
+ query += "','";
|
|
+ query += itos(m_SocketTracker[(uintptr_t)s].m_severity);
|
|
+ query += "');";
|
|
+
|
|
+ m_SQLHandler->addQuery(&query,NULL,NULL);
|
|
+ }
|
|
+
|
|
if (m_SocketTracker[(uintptr_t)s].m_closed == true)
|
|
{
|
|
m_SocketTracker.erase((uintptr_t)s);
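Review bot: The severity UPDATE is queued with `m_SQLHandler->addQuery(&query,NULL,NULL);`, so if those two arguments are the result callback and its object, as the `sqlFailure` hunk below suggests, a failed update is silently dropped; whether that is acceptable, or the query should report back the way the attack-id lookup does, deserves a sentence in a comment. Building the statement from `itos()` of two integers keeps it free of injection risk, and a comment `// both values are integers from the tracker, never user data` would make that invariant explicit for whoever extends the query next. The enclosing function begins outside this hunk.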
|
|
@@ -660,6 +679,11 @@
|
|
bool LogSurfNET::sqlFailure(SQLResult *result)
|
|
{
|
|
logPF();
|
|
+
|
|
+ Socket *s;
|
|
+ s = (Socket *)result->getObject();
|
|
+ logCrit("Getting attackid for socket %x failed, dropping the whole attack, forgetting all details\n",(uintptr_t)s);
|
|
+ m_SocketTracker.erase((uintptr_t)s);
|
|
return true;
|
|
}
|
|
|
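Review bot: The `%x` conversion on the added logCrit line is passed a `uintptr_t`, which is 64 bits wide on LP64 builds, so the argument does not match the specifier; if logCrit carries a printf format attribute, the module's `-Wall -Werror` flags turn that into a build failure, and otherwise the value printed is truncated or garbage. The earlier context in this file already narrows the pointer for logging with `(uint32_t) ((intptr_t)socket)`, so the same cast keeps the output consistent: `logCrit("Getting attackid for socket %x failed, dropping the whole attack, forgetting all details\n",(uint32_t)(intptr_t)s);`. A null check on `result->getObject()` before the erase would also be cheap, since a result queued without an object would otherwise erase whatever entry sits at key 0 — whether that can happen depends on callers outside this hunk.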
|
diff -ruN nepenthes-0.2.0/modules/module-honeytrap/Makefile.am nepenthes-0.2.0-r1345/modules/module-honeytrap/Makefile.am
|
|
--- nepenthes-0.2.0/modules/module-honeytrap/Makefile.am 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/module-honeytrap/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -15,4 +15,4 @@
|
|
modulehoneytrap_la_SOURCES += TrapSocket.cpp TrapSocket.hpp
|
|
modulehoneytrap_la_SOURCES += module-honeytrap.conf.dist
|
|
|
|
-modulehoneytrap_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
+modulehoneytrap_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
|
|
diff -ruN nepenthes-0.2.0/modules/module-honeytrap/TrapSocket.cpp nepenthes-0.2.0-r1345/modules/module-honeytrap/TrapSocket.cpp
|
|
--- nepenthes-0.2.0/modules/module-honeytrap/TrapSocket.cpp 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/module-honeytrap/TrapSocket.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -782,11 +782,18 @@
|
|
{
|
|
printIPpacket(data,size);
|
|
|
|
+ uint16_t port;
|
|
+
|
|
+ if ( tcp->th_flags & TH_SYN && !(tcp->th_flags & TH_ACK) )
|
|
+ port = ntohs(tcp->th_dport); // inline mode
|
|
+ else
|
|
+ port = ntohs(tcp->th_sport); // pcap mode
|
|
+
|
|
if (1)// isPortListening(ntohs(tcp->th_dport),*(uint32_t *)&(ip->ip_dst)) == false )
|
|
{
|
|
- logInfo("Connection to unbound port %i requested, binding port\n",ntohs(tcp->th_dport));
|
|
+ logInfo("Connection to unbound port %i requested, binding port\n",port);
|
|
|
|
- Socket *sock = g_Nepenthes->getSocketMgr()->bindTCPSocket(INADDR_ANY,ntohs(tcp->th_dport),60,60);
|
|
+ Socket *sock = g_Nepenthes->getSocketMgr()->bindTCPSocket(INADDR_ANY,port,60,60);
|
|
if ( sock != NULL && (sock->getDialogst()->size() == 0 && sock->getFactories()->size() == 0) )
|
|
{
|
|
|
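Review bot: The two comments `// inline mode` and `// pcap mode` on the new port selection say which mode each branch serves but not why the port comes from a different TCP header field in each, which is the non-obvious part. A short explanation above the `if` would save the next reader a trip through the capture code, e.g. `// A bare SYN is the client's own connection attempt (inline mode), so the unbound service is its destination port; anything else is the reply seen on the wire (pcap mode), where the unbound port is the source.` — the pcap-side reasoning is inferred from the branch and should be confirmed against how packets reach this function. The enclosing function starts outside this hunk, and the `if (1)` with the commented-out isPortListening check on the following line is left as it was.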
|
diff -ruN nepenthes-0.2.0/modules/module-peiros/module-peiros.cpp nepenthes-0.2.0-r1345/modules/module-peiros/module-peiros.cpp
|
|
--- nepenthes-0.2.0/modules/module-peiros/module-peiros.cpp 2006-11-13 20:40:08.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/module-peiros/module-peiros.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -29,6 +29,7 @@
|
|
|
|
#include <ctype.h>
|
|
#include <string.h>
|
|
+#include <sys/types.h>
|
|
#include <sys/socket.h>
|
|
#include <netinet/in.h>
|
|
#include <arpa/inet.h>
|
|
diff -ruN nepenthes-0.2.0/modules/module-portwatch/WatchDialogue.cpp nepenthes-0.2.0-r1345/modules/module-portwatch/WatchDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/module-portwatch/WatchDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/module-portwatch/WatchDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -47,6 +47,9 @@
|
|
|
|
#include "Utilities.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
+
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
#endif
|
|
@@ -77,7 +80,7 @@
|
|
WatchDialogue::~WatchDialogue()
|
|
{
|
|
logWarn("Unknown WatchDialogue %i bytes, port %i\n",m_Buffer->getSize(), m_Socket->getLocalPort());
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
delete m_Buffer;
|
|
}
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/Makefile.am nepenthes-0.2.0-r1345/modules/shellcode-generic/Makefile.am
|
|
--- nepenthes-0.2.0/modules/shellcode-generic/Makefile.am 2006-11-13 20:40:07.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -32,4 +32,4 @@
|
|
shellcodegeneric_la_SOURCES += sch_generic_leimbach_url_xor.cpp sch_generic_leimbach_url_xor.hpp
|
|
shellcodegeneric_la_SOURCES += sch_generic_wget.cpp sch_generic_wget.hpp
|
|
|
|
-shellcodegeneric_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
+shellcodegeneric_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
|
|
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_cmd.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_cmd.cpp
|
|
--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_cmd.cpp 2006-11-13 20:40:07.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_cmd.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -95,7 +95,7 @@
|
|
if((iResult = pcre_exec(m_pcre, 0, (char *) shellcode, len, 0, 0, (int *)piOutput, sizeof(piOutput)/sizeof(int32_t))) > 0)
|
|
{
|
|
// logDebug("GenricCMD (improve pcre debug) (%i bytes)\n",(*msg)->getSize());
|
|
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)(*msg)->getMsg(),(*msg)->getSize());
|
|
+// HEXDUMP(m_Socket,(byte *)(*msg)->getMsg(),(*msg)->getSize());
|
|
|
|
const char * pRemoteCommand;
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp
|
|
--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp 2006-11-13 20:40:07.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -203,7 +203,7 @@
|
|
pcre_free_substring(preload);
|
|
pcre_free_substring(xordecoder);
|
|
|
|
- g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len);
|
|
+// g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len);
|
|
|
|
Message *newMessage = new Message((char *)newshellcode, len, (*msg)->getLocalPort(), (*msg)->getRemotePort(),
|
|
(*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket());
|
|
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_url.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_url.cpp
|
|
--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_url.cpp 2006-11-13 20:40:07.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_url.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -119,7 +119,7 @@
|
|
|
|
if((iResult = pcre_exec(m_pcre, 0, (char *) shellcode, len, 0, 0, (int *)piOutput, sizeof(piOutput)/sizeof(int32_t))) > 0)
|
|
{
|
|
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,shellcode,len);
|
|
+// HEXDUMP(m_Socket,shellcode,len);
|
|
const char * pUrl;
|
|
|
|
pcre_get_substring((char *) shellcode, (int *)piOutput, (int)iResult, 1, &pUrl);
|
|
diff -ruN nepenthes-0.2.0/modules/shellcode-signatures/Makefile.am nepenthes-0.2.0-r1345/modules/shellcode-signatures/Makefile.am
|
|
--- nepenthes-0.2.0/modules/shellcode-signatures/Makefile.am 2006-11-13 20:40:04.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/shellcode-signatures/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -33,5 +33,5 @@
|
|
shellcodesignatures_la_SOURCES += sch_namespace_konstanzxor.cpp sch_namespace_konstanzxor.hpp
|
|
shellcodesignatures_la_SOURCES += sch_namespace_alphanumericxor.cpp sch_namespace_alphanumericxor.hpp
|
|
|
|
-shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
+shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/shellcode-signatures/shellcode-signatures.sc nepenthes-0.2.0-r1345/modules/shellcode-signatures/shellcode-signatures.sc
|
|
--- nepenthes-0.2.0/modules/shellcode-signatures/shellcode-signatures.sc 2006-11-13 20:40:04.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/shellcode-signatures/shellcode-signatures.sc 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -178,6 +178,13 @@
|
|
mapping (none,pre,decoder,size,key,post);
|
|
};
|
|
|
|
+xor::marburganderlahn
|
|
+{
|
|
+ pattern
|
|
+ "(.*)(\\xEB\\x0E\\x5A\\x4A\\x31\\xC9\\xB1(.)\\x80\\x34\\x11(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xED\xFF\xFF\xFF)(.*)$";
|
|
+ mapping (none,pre,decoder,size,key,post);
|
|
+};
|
|
+
|
|
/*
|
|
* too inaccurate
|
|
*
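Review bot: The new `xor::marburganderlahn` pattern ends with `\xFF\xFF\xFF` written with single backslashes, while every other byte in this pattern and in the rest of the file uses the doubled form `\\xFF`. Unless the signature lexer itself expands `\x` escapes, those three bytes reach the regex engine as something other than the intended `\xFF\xFF\xFF` and the signature never matches the trailing call; the consistent spelling is `...\\xE8\\xED\\xFF\\xFF\\xFF)(.*)$`. Worth confirming against a known sample that the decoder is actually detected before this signature ships.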
|
|
@@ -944,8 +951,8 @@
|
|
pattern
|
|
"\\xeb\\x02\\xeb\\x6b"
|
|
"\\xe8\\xf9\\xff\\xff\\xff\\x53\\x55\\x56\\x57\\x8b\\x6c\\x24\\x18\\x8b\\x45\\x3c"
|
|
- "\\x8b\\x54\\x05\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32"
|
|
- "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac\\x3a\\xc4\\x74\\x07"
|
|
+ "\\x8b\\x54.\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32"
|
|
+ "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac..\\x74\\x07"
|
|
"\\xc1\\xcf\\x0d\\x03\\xf8\\xeb\\xf2\\x3b\\x7c\\x24\\x14\\x75\\xe1\\x8b\\x5a\\x24"
|
|
"\\x03\\xdd\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x03\\xdd\\x8b\\x04\\x8b\\x03\\xc5"
|
|
"\\xeb\\x02\\x33\\xc0\\x5f\\x5e\\x5d\\x5b\\x89\\x44\\x24\\x04\\x8b\\x04\\x24\\x89"
|
|
diff -ruN nepenthes-0.2.0/modules/shellemu-winnt/VFSCommandFTP.cpp nepenthes-0.2.0-r1345/modules/shellemu-winnt/VFSCommandFTP.cpp
|
|
--- nepenthes-0.2.0/modules/shellemu-winnt/VFSCommandFTP.cpp 2006-11-13 20:40:06.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/shellemu-winnt/VFSCommandFTP.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -425,7 +425,6 @@
|
|
logSpam("VFSCommandFTP Setting Hosts %i %i\n",remotehost,localhost);
|
|
remotehost = m_VFS->getDialogue()->getSocket()->getRemoteHost();
|
|
localhost = m_VFS->getDialogue()->getSocket()->getLocalHost();
|
|
-
|
|
}
|
|
|
|
logSpam("VFSCommandFTP LocalHost %s\n",inet_ntoa(*(in_addr *)&localhost));
|
|
diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/Makefile.am nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/Makefile.am
|
|
--- nepenthes-0.2.0/modules/sqlhandler-postgres/Makefile.am 2006-11-13 20:40:05.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -12,4 +12,4 @@
|
|
|
|
sqlhandlerpostgres_la_SOURCES = sqlhandler-postgres.cpp sqlhandler-postgres.hpp
|
|
|
|
-sqlhandlerpostgres_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
+sqlhandlerpostgres_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
|
|
diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.cpp nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.cpp
|
|
--- nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.cpp 2006-11-13 20:40:05.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -145,6 +145,7 @@
|
|
m_PGTable = table;
|
|
m_PGUser = user;
|
|
m_PGPass = passwd;
|
|
+ m_PGOptions = options;
|
|
|
|
m_Callback = cb;
|
|
}
|
|
@@ -760,6 +761,10 @@
|
|
"' user = '" + m_PGUser +
|
|
"' password = '" + m_PGPass +"'";
|
|
|
|
+ if ( m_PGOptions.size() > 0 )
|
|
+ ConnectString += m_PGOptions;
|
|
+
|
|
+
|
|
if (m_PGConnection != NULL)
|
|
PQfinish(m_PGConnection);
|
|
else
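Review bot: `ConnectString += m_PGOptions;` appends the options directly after the closing quote of the password, so a value such as `sslmode=require` produces `password = 'x'sslmode=require`; unless callers are required to pass a leading space, `ConnectString += " " + m_PGOptions;` is safer than relying on libpq's conninfo parser tolerating the missing separator. The options are also spliced unescaped into a conninfo string whose other values are single-quoted; as far as this hunk shows they come from the module's own configuration, so this is a robustness rather than a trust-boundary concern, but a comment stating that `options` is a raw libpq conninfo fragment would make that explicit. The first hunk (`m_PGOptions = options;`) needs nothing further. The enclosing functions of both hunks start and end outside the hunks.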
|
|
diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.hpp nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.hpp
|
|
--- nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.hpp 2006-11-13 20:40:05.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -141,6 +141,7 @@
|
|
string m_PGTable;
|
|
string m_PGUser;
|
|
string m_PGPass;
|
|
+ string m_PGOptions;
|
|
|
|
};
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/submit-gotek/gotekCTRLDialogue.cpp nepenthes-0.2.0-r1345/modules/submit-gotek/gotekCTRLDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/submit-gotek/gotekCTRLDialogue.cpp 2006-11-13 20:40:11.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-gotek/gotekCTRLDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -112,7 +112,7 @@
|
|
|
|
unsigned char sessionkey[8];
|
|
memcpy((char *)sessionkey,(char *)m_Buffer->getData(),8);
|
|
- g_Nepenthes->getUtilities()->hexdump(sessionkey,8);
|
|
+// g_Nepenthes->getUtilities()->hexdump(sessionkey,8);
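Review bot: The hexdump calls are commented out rather than removed, which leaves the session key, the community key and the derived hash one uncommented character away from the log again; the same pattern is in the second hunk of this file and in the gotekDATADialogue.cpp hunk. Deleting these lines, or wrapping them in a compile-time debug guard, keeps key material out of the log without leaving dead code behind. The enclosing functions start and end outside the hunks.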
|
|
|
|
|
|
|
|
@@ -128,13 +128,13 @@
|
|
byte hashme[1032];
|
|
memset(hashme,0,1032);
|
|
|
|
- g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
|
|
+// g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
|
|
memcpy(hashme,g_GotekSubmitHandler->getCommunityKey(),1024);
|
|
memcpy(hashme+1024,sessionkey,8);
|
|
- g_Nepenthes->getUtilities()->hexdump(hashme, 1032);
|
|
+// g_Nepenthes->getUtilities()->hexdump(hashme, 1032);
|
|
|
|
g_Nepenthes->getUtilities()->sha512(hashme, 1032, hash);
|
|
- g_Nepenthes->getUtilities()->hexdump(hash,64);
|
|
+// g_Nepenthes->getUtilities()->hexdump(hash,64);
|
|
|
|
m_Socket->doRespond((char *)hash,64);
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/submit-gotek/gotekDATADialogue.cpp nepenthes-0.2.0-r1345/modules/submit-gotek/gotekDATADialogue.cpp
|
|
--- nepenthes-0.2.0/modules/submit-gotek/gotekDATADialogue.cpp 2006-11-13 20:40:11.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-gotek/gotekDATADialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -173,7 +173,7 @@
|
|
byte hashme[1032];
|
|
memset(hashme,0,1032);
|
|
|
|
- g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
|
|
+// g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
|
|
memcpy(hashme,g_GotekSubmitHandler->getCommunityKey(),1024);
|
|
memcpy(hashme+1024,&sessionkey,8);
|
|
g_Nepenthes->getUtilities()->sha512(hashme, 1032, hash);
|
|
diff -ruN nepenthes-0.2.0/modules/submit-http/HTTPSession.cpp nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.cpp
|
|
--- nepenthes-0.2.0/modules/submit-http/HTTPSession.cpp 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,187 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2006 Niklas Schiffler <nick@digitician.eu>
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+
|
|
+#include <curl/curl.h>
|
|
+#include <curl/types.h> /* new for v7 */
|
|
+#include <curl/easy.h> /* new for v7 */
|
|
+#include <sstream>
|
|
+#include <netinet/in.h>
|
|
+
|
|
+#include "HTTPSession.hpp"
|
|
+#include "submit-http.hpp"
|
|
+#include "DownloadBuffer.hpp"
|
|
+#include "DownloadUrl.hpp"
|
|
+
|
|
+using namespace nepenthes;
|
|
+
|
|
+HTTPSession::HTTPSession(string &url, string &email, string &user, string &password, Download* down)
|
|
+{
|
|
+ state = S_ERROR;
|
|
+ postInfo = NULL;
|
|
+ postFile = NULL;
|
|
+ curlInfoHandle = NULL;
|
|
+ curlFileHandle = NULL;
|
|
+
|
|
+ submitURL = url;
|
|
+
|
|
+ if ( user.length() > 0 && password.length() > 0 )
|
|
+ submitAuthStr = user + ":" + password;
|
|
+
|
|
+ md5 = down->getMD5Sum();
|
|
+ sha512 = down->getSHA512Sum();
|
|
+ fileSize = down->getDownloadBuffer()->getSize();
|
|
+ fileName = down->getDownloadUrl()->getFile();
|
|
+ fileSourceURL = down->getUrl();
|
|
+
|
|
+ fileBuffer = new uint8_t[fileSize];
|
|
+ fileBuffer = (uint8_t*)memcpy(fileBuffer, down->getDownloadBuffer()->getData(), fileSize);
|
|
+
|
|
+ curlInfoHandle = curl_easy_init();
|
|
+ if ( curlInfoHandle )
|
|
+ {
|
|
+ struct curl_httppost* last = NULL;
|
|
+
|
|
+ if ( email.length() > 0 )
|
|
+ curl_formadd(&postInfo, &last, CURLFORM_COPYNAME, "email", CURLFORM_COPYCONTENTS, email.c_str(), CURLFORM_END);
|
|
+
|
|
+ stringstream sSourceHost; sSourceHost << htonl(down->getRemoteHost());
|
|
+ stringstream sTargetHost; sTargetHost << htonl(down->getLocalHost());
|
|
+
|
|
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "url", CURLFORM_COPYCONTENTS, fileSourceURL.c_str(), CURLFORM_END);
|
|
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "trigger", CURLFORM_COPYCONTENTS, down->getTriggerLine().c_str(), CURLFORM_END);
|
|
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "md5", CURLFORM_COPYCONTENTS, md5.c_str(), CURLFORM_END);
|
|
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "sha512", CURLFORM_COPYCONTENTS, sha512.c_str(), CURLFORM_END);
|
|
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "filetype", CURLFORM_COPYCONTENTS, down->getFileType().c_str(), CURLFORM_END);
|
|
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "source_host", CURLFORM_COPYCONTENTS, sSourceHost.str().c_str(), CURLFORM_END);
|
|
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "target_host", CURLFORM_COPYCONTENTS, sTargetHost.str().c_str(), CURLFORM_END);
|
|
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "filename", CURLFORM_COPYCONTENTS, down->getDownloadUrl()->getFile().c_str(), CURLFORM_END);
|
|
+
|
|
+ setCURLOpts(curlInfoHandle, postInfo);
|
|
+ }
|
|
+}
|
|
+
|
|
+HTTPSession::~HTTPSession()
|
|
+{
|
|
+ delete [] fileBuffer;
|
|
+ curl_formfree(postInfo);
|
|
+ if ( postFile )
|
|
+ curl_formfree(postFile);
|
|
+ curl_easy_cleanup(curlInfoHandle);
|
|
+ if ( curlFileHandle )
|
|
+ curl_easy_cleanup(curlFileHandle);
|
|
+}
|
|
+
|
|
+CURL* HTTPSession::getSubmitInfoHandle()
|
|
+{
|
|
+ return curlInfoHandle;
|
|
+}
|
|
+
|
|
+CURL* HTTPSession::getSubmitFileHandle()
|
|
+{
|
|
+ curlFileHandle = curl_easy_init();
|
|
+ if ( curlFileHandle )
|
|
+ {
|
|
+ postFile = NULL;
|
|
+ struct curl_httppost* last = NULL;
|
|
+
|
|
+ curl_formadd(&postFile, &last, CURLFORM_PTRNAME, "md5", CURLFORM_COPYCONTENTS, md5.c_str(), CURLFORM_END);
|
|
+ curl_formadd(&postFile, &last, CURLFORM_PTRNAME, "sha512", CURLFORM_COPYCONTENTS, sha512.c_str(), CURLFORM_END);
|
|
+
|
|
+ curl_formadd(&postFile, &last,
|
|
+ CURLFORM_COPYNAME, "file",
|
|
+ CURLFORM_BUFFER, fileName.c_str(),
|
|
+ CURLFORM_BUFFERPTR, fileBuffer,
|
|
+ CURLFORM_BUFFERLENGTH, fileSize,
|
|
+ CURLFORM_END);
|
|
+
|
|
+ setCURLOpts(curlFileHandle, postFile);
|
|
+ }
|
|
+ return curlFileHandle;
|
|
+}
|
|
+
|
|
+string HTTPSession::getMD5()
|
|
+{
|
|
+ return md5;
|
|
+}
|
|
+
|
|
+string HTTPSession::getSHA512()
|
|
+{
|
|
+ return sha512;
|
|
+}
|
|
+
|
|
+void HTTPSession::setCURLOpts(CURL* c, curl_httppost* post)
|
|
+{
|
|
+ curl_easy_setopt(c, CURLOPT_HTTPPOST, post);
|
|
+ curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, false);
|
|
+ curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, false);
|
|
+ curl_easy_setopt(c, CURLOPT_URL, submitURL.c_str());
|
|
+ curl_easy_setopt(c, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; nepenthes; Linux)");
|
|
+ curl_easy_setopt(c, CURLOPT_PRIVATE, (char*) this);
|
|
+ curl_easy_setopt(c, CURLOPT_WRITEDATA, this);
|
|
+ curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, HTTPSession::WriteCallback);
|
|
+
|
|
+ if ( submitAuthStr.length() > 0 )
|
|
+ curl_easy_setopt(c, CURLOPT_USERPWD, submitAuthStr.c_str());
|
|
+}
|
|
+
|
|
+size_t HTTPSession::WriteCallback(char *buffer, size_t size, size_t nitems, void *p)
|
|
+{
|
|
+ HTTPSession* s = (HTTPSession*)p;
|
|
+ int32_t iSize = size * nitems;
|
|
+
|
|
+ string res(buffer, iSize);
|
|
+ if ( res.find("S_FILEREQUEST") != string::npos )
|
|
+ s->setState(S_FILEREQUEST);
|
|
+ else
|
|
+ if ( res.find("S_FILEKNOWN") != string::npos )
|
|
+ s->setState(S_FILEKNOWN);
|
|
+ else
|
|
+ if ( res.find("S_FILEOK") != string::npos )
|
|
+ s->setState(S_FILEOK);
|
|
+ else
|
|
+ s->setState(S_ERROR);
|
|
+
|
|
+// delete(strBuf);
|
|
+ return iSize;
|
|
+}
|
|
+
|
|
+uint8_t HTTPSession::getState()
|
|
+{
|
|
+ return state;
|
|
+}
|
|
+
|
|
+void HTTPSession::setState(uint8_t s)
|
|
+{
|
|
+ this->state = s;
|
|
+}
|
|
+
|
|
+string HTTPSession::getFileSourceURL()
|
|
+{
|
|
+ return fileSourceURL;
|
|
+}
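Review bot: `setCURLOpts` turns off TLS certificate checking by setting `CURLOPT_SSL_VERIFYHOST` and `CURLOPT_SSL_VERIFYPEER` to false, so when `submitURL` is an https URL the basic-auth credentials in `submitAuthStr` (`CURLOPT_USERPWD`) and the submitted sample go to whoever answers for that host. Verification should stay on by default, `curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, 1L); curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, 2L);`, with an explicit config switch if a self-signed submission server must be supported; per the libcurl docs these options take a `long`, so the `false` literal passed through the variadic call is also the wrong type. Separately, `WriteCallback` re-derives the state from every chunk it receives, so a status token split across two chunks, or a trailing chunk without one, ends in `S_ERROR`; accumulating the response body in the session and classifying it once on completion would be more robust.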
|
|
diff -ruN nepenthes-0.2.0/modules/submit-http/HTTPSession.hpp nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.hpp
|
|
--- nepenthes-0.2.0/modules/submit-http/HTTPSession.hpp 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,82 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2006 Niklas Schiffler <nick@digitician.eu>
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+ /* $Id$ */
|
|
+
|
|
+#include <curl/curl.h>
|
|
+#include <curl/types.h>
|
|
+
|
|
+#include "Download.hpp"
|
|
+
|
|
+using namespace std;
|
|
+
|
|
+namespace nepenthes
|
|
+{
|
|
+
|
|
+
|
|
+ class HTTPSession
|
|
+ {
|
|
+ public:
|
|
+ static const uint8_t S_FILEKNOWN = 0;
|
|
+ static const uint8_t S_FILEREQUEST = 1;
|
|
+ static const uint8_t S_FILEOK = 2;
|
|
+ static const uint8_t S_FILEPENDING = 3;
|
|
+ static const uint8_t S_ERROR = 4;
|
|
+
|
|
+ HTTPSession(string &url, string &email, string &user, string &password, Download* down);
|
|
+ ~HTTPSession();
|
|
+ CURL* getSubmitInfoHandle();
|
|
+ CURL* getSubmitFileHandle();
|
|
+ string getMD5();
|
|
+ string getSHA512();
|
|
+ void setCURLOpts(CURL* c, curl_httppost* post);
|
|
+ uint8_t getState();
|
|
+ void setState(uint8_t s);
|
|
+ string getFileSourceURL();
|
|
+
|
|
+ static size_t WriteCallback(char *buffer, size_t size, size_t nitems, void *userp);
|
|
+
|
|
+ protected:
|
|
+ CURL* curlInfoHandle;
|
|
+ CURL* curlFileHandle;
|
|
+ uint8_t* fileBuffer;
|
|
+ size_t fileSize;
|
|
+ struct curl_httppost* postInfo;
|
|
+ struct curl_httppost* postFile;
|
|
+ string fileName;
|
|
+ string fileSourceURL;
|
|
+ string md5;
|
|
+ string sha512;
|
|
+ string submitURL;
|
|
+ string submitAuthStr;
|
|
+ uint8_t state;
|
|
+
|
|
+ };
|
|
+
|
|
+}
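Review bot: The header has no include guard, so any translation unit that pulls it in twice will redefine `HTTPSession`; the same omission is in submit-http.hpp. Add a guard such as `#ifndef HTTPSESSION_HPP` / `#define HTTPSESSION_HPP` at the top and `#endif` at the end (or `#pragma once`). `using namespace std;` at header scope also leaks into every includer; qualifying `std::string` in the declarations avoids that.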
|
|
+
|
|
diff -ruN nepenthes-0.2.0/modules/submit-http/Makefile.am nepenthes-0.2.0-r1345/modules/submit-http/Makefile.am
|
|
--- nepenthes-0.2.0/modules/submit-http/Makefile.am 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-http/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,14 @@
|
|
+AUTOMAKE_OPTIONS = foreign
|
|
+
|
|
+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
|
|
+AM_CXXFLAGS = -Wall -Werror
|
|
+
|
|
+AM_LDFLAGS = $(LIB_CURL)
|
|
+
|
|
+pkglib_LTLIBRARIES = submithttp.la
|
|
+
|
|
+submithttp_la_SOURCES = submit-http.cpp submit-http.hpp
|
|
+submithttp_la_SOURCES += HTTPSession.hpp HTTPSession.cpp
|
|
+submithttp_la_SOURCES += submit-http.conf.dist
|
|
+
|
|
+submithttp_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
|
|
diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.conf.dist nepenthes-0.2.0-r1345/modules/submit-http/submit-http.conf.dist
|
|
--- nepenthes-0.2.0/modules/submit-http/submit-http.conf.dist 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.conf.dist 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,8 @@
|
|
+submit-http
|
|
+{
|
|
+ url "http://somehost.de/submit.php";
|
|
+ email "your@email"; // optional
|
|
+ user "httpuser"; // optional
|
|
+ pass "httppass"; // optional
|
|
+};
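Review bot: The sample `url` is a plain `http://` address, and the module sends `user`/`pass` as HTTP basic auth on that URL, so anyone who follows the template ships credentials and collected samples in cleartext; an `https://` example would set the right default. A comment noting that `pass` is stored in cleartext in this file would also help operators restrict its permissions.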
|
|
+
|
|
diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.cpp nepenthes-0.2.0-r1345/modules/submit-http/submit-http.cpp
|
|
--- nepenthes-0.2.0/modules/submit-http/submit-http.cpp 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,231 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2006 Niklas Schiffler <nick@digitician.eu>
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+ /* $Id$ */
|
|
+
|
|
+#include "submit-http.hpp"
|
|
+#include "Download.hpp"
|
|
+#include "Utilities.hpp"
|
|
+#include "SubmitManager.hpp"
|
|
+#include "LogManager.hpp"
|
|
+#include "Event.hpp"
|
|
+#include "EventManager.hpp"
|
|
+#include "EventHandler.cpp" // das ist Mist!
|
|
+#include "Config.hpp"
|
|
+#include "ModuleManager.hpp"
|
|
+
|
|
+#include "HTTPSession.hpp"
|
|
+
|
|
+using namespace nepenthes;
|
|
+
|
|
+
|
|
+Nepenthes *g_Nepenthes;
|
|
+
|
|
+
|
|
+HTTPSubmitHandler::HTTPSubmitHandler(Nepenthes *nepenthes)
|
|
+{
|
|
+ m_ModuleName = "submit-http";
|
|
+ m_ModuleDescription = "HTTP submit handler";
|
|
+ m_ModuleRevision = "$Rev$";
|
|
+ m_Nepenthes = nepenthes;
|
|
+ m_SubmitterName = "submit-http";
|
|
+ m_SubmitterDescription = "submit binary file via HTTP POST request";
|
|
+ g_Nepenthes = nepenthes;
|
|
+
|
|
+ m_Queued = 0;
|
|
+ m_Timeout = time(NULL);
|
|
+ m_Events.reset();
|
|
+}
|
|
+
|
|
+
|
|
+HTTPSubmitHandler::~HTTPSubmitHandler()
|
|
+{
|
|
+}
|
|
+
|
|
+bool HTTPSubmitHandler::Init()
|
|
+{
|
|
+ logPF();
|
|
+
|
|
+ if ( m_Config == NULL )
|
|
+ {
|
|
+ logCrit("I need a config\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ try
|
|
+ {
|
|
+ m_URL = m_Config->getValString("submit-http.url");
|
|
+ }
|
|
+ catch ( ... )
|
|
+ {
|
|
+ logCrit("Error: Config property \"url\" missing\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ try
|
|
+ {
|
|
+ m_Email = m_Config->getValString("submit-http.email");
|
|
+ m_User = m_Config->getValString("submit-http.user");
|
|
+ m_Password = m_Config->getValString("submit-http.pass");
|
|
+ }
|
|
+ catch ( ... )
|
|
+ {
|
|
+ }
|
|
+
|
|
+ m_ModuleManager = m_Nepenthes->getModuleMgr();
|
|
+
|
|
+ if ( (m_CurlStack = curl_multi_init()) == NULL )
|
|
+ {
|
|
+ logCrit("Could not init Curl Multi Perform Stack %s\n",strerror(errno));
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ REG_SUBMIT_HANDLER(this);
|
|
+ REG_EVENT_HANDLER(this);
|
|
+ return true;
|
|
+}
|
|
+
|
|
+bool HTTPSubmitHandler::Exit()
|
|
+{
|
|
+ curl_multi_cleanup(m_CurlStack);
|
|
+ return true;
|
|
+}
|
|
+
|
|
+
|
|
+void HTTPSubmitHandler::Submit(Download *down)
|
|
+{
|
|
+ logPF();
|
|
+
|
|
+ if ( m_Events.test(EV_TIMEOUT) == false )
|
|
+ m_Events.set(EV_TIMEOUT);
|
|
+
|
|
+ HTTPSession* session = new HTTPSession(m_URL, m_Email, m_User, m_Password, down);
|
|
+ curl_multi_add_handle(m_CurlStack, session->getSubmitInfoHandle());
|
|
+ m_Queued++;
|
|
+}
|
|
+
|
|
+void HTTPSubmitHandler::Hit(Download *down)
|
|
+{
|
|
+ Submit(down);
|
|
+}
|
|
+
|
|
+
|
|
+uint32_t HTTPSubmitHandler::handleEvent(Event *event)
|
|
+{
|
|
+ logPF();
|
|
+ if ( event->getType() != EV_TIMEOUT )
|
|
+ {
|
|
+ logCrit("Unwanted event %i\n",event->getType());
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
+ // do file info submits
|
|
+ int32_t iQueue = 0;
|
|
+ while ( curl_multi_perform(m_CurlStack, (int *)&iQueue) == CURLM_CALL_MULTI_PERFORM );
|
|
+
|
|
+ if ( m_Queued > iQueue )
|
|
+ {
|
|
+ logSpam("m_Queued (%i) > (%i) iQueue\n", m_Queued, iQueue);
|
|
+ CURLMsg * pMessage;
|
|
+
|
|
+ while ( (pMessage = curl_multi_info_read(m_CurlStack, (int *)&iQueue)) )
|
|
+ {
|
|
+ if ( pMessage->msg == CURLMSG_DONE )
|
|
+ {
|
|
+ HTTPSession *session;
|
|
+ char *cSession;
|
|
+
|
|
+ curl_easy_getinfo(pMessage->easy_handle, CURLINFO_PRIVATE, (char**)&cSession);
|
|
+ session = (HTTPSession *)cSession;
|
|
+
|
|
+ uint8_t sessionState = session->getState();
|
|
+
|
|
+ if ( sessionState == HTTPSession::S_FILEKNOWN || sessionState == HTTPSession::S_FILEREQUEST )
|
|
+ {
|
|
+ if ( pMessage->data.result )
|
|
+ {
|
|
+ logInfo("Error: Submitting file info (%s, %s) failed: %s\n", session->getMD5().c_str(), session->getFileSourceURL().c_str(), curl_easy_strerror(pMessage->data.result));
|
|
+ delete session;
|
|
+ curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle);
|
|
+ --m_Queued;
|
|
+ continue;
|
|
+ }
|
|
+ logInfo("File info submitted (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str());
|
|
+ }
|
|
+
|
|
+ switch ( sessionState )
|
|
+ {
|
|
+ case HTTPSession::S_FILEKNOWN:
|
|
+ logInfo("File already known (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str());
|
|
+ break;
|
|
+ case HTTPSession::S_FILEREQUEST:
|
|
+ logInfo("File upload requested (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str());
|
|
+ session->setState(HTTPSession::S_FILEPENDING);
|
|
+ curl_multi_add_handle(m_CurlStack, session->getSubmitFileHandle());
|
|
+ break;
|
|
+ case HTTPSession::S_FILEOK:
|
|
+ logInfo("File uploaded (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str());
|
|
+ break;
|
|
+ case HTTPSession::S_ERROR:
|
|
+ logInfo("Error handling file (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str());
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle);
|
|
+
|
|
+ if ( sessionState == HTTPSession::S_FILEKNOWN ||
|
|
+ sessionState == HTTPSession::S_FILEOK ||
|
|
+ sessionState == HTTPSession::S_ERROR )
|
|
+ {
|
|
+ delete session;
|
|
+ --m_Queued;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if ( m_Queued == 0 )
|
|
+ m_Events.reset(EV_TIMEOUT);
|
|
+
|
|
+ m_Timeout = time(NULL) + 1;
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+
|
|
+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
|
|
+{
|
|
+ if ( version == MODULE_IFACE_VERSION )
|
|
+ {
|
|
+ *module = new HTTPSubmitHandler(nepenthes);
|
|
+ return 1;
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ return 0;
|
|
+ }
|
|
+}
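Review bot: In the failure branch of `handleEvent` the session is deleted before its easy handle is removed from the multi stack (`delete session;` then `curl_multi_remove_handle(...)`), so `~HTTPSession` calls `curl_easy_cleanup` on a handle still registered with `m_CurlStack`; swap the two lines so the remove happens first, as the success path further down already does. `getSubmitFileHandle()` returns NULL when `curl_easy_init` fails, and that NULL is passed straight to `curl_multi_add_handle` while the session stays alive and `m_Queued` is never decremented, so that case needs a check that logs, deletes the session and decrements the counter. `#include "EventHandler.cpp" // das ist Mist!` compiles an implementation file into this module, which the author's own comment flags; linking against the core object instead avoids duplicate definitions.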
|
|
diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.hpp nepenthes-0.2.0-r1345/modules/submit-http/submit-http.hpp
|
|
--- nepenthes-0.2.0/modules/submit-http/submit-http.hpp 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,72 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2006 Niklas Schiffler <nick@digitician.eu>
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+ /* $Id$ */
|
|
+
|
|
+#include <curl/curl.h>
|
|
+#include <curl/types.h> /* new for v7 */
|
|
+#include <curl/easy.h> /* new for v7 */
|
|
+
|
|
+#include "Nepenthes.hpp"
|
|
+#include "Module.hpp"
|
|
+#include "SubmitHandler.hpp"
|
|
+#include "EventHandler.hpp"
|
|
+#include "Download.hpp"
|
|
+
|
|
+
|
|
+using namespace std;
|
|
+
|
|
+namespace nepenthes
|
|
+{
|
|
+
|
|
+ class HTTPSubmitHandler : public Module , public SubmitHandler, public EventHandler
|
|
+ {
|
|
+ public:
|
|
+ HTTPSubmitHandler(Nepenthes *nep);
|
|
+ ~HTTPSubmitHandler();
|
|
+ bool Init();
|
|
+ bool Exit();
|
|
+
|
|
+ void Submit(Download *down);
|
|
+ void Hit(Download *down);
|
|
+
|
|
+ uint32_t handleEvent(Event *event);
|
|
+
|
|
+ protected:
|
|
+ CURLM* m_CurlStack;
|
|
+ int32_t m_Queued;
|
|
+ string m_URL;
|
|
+ string m_Email;
|
|
+ string m_User;
|
|
+ string m_Password;
|
|
+
|
|
+ };
|
|
+
|
|
+}
|
|
+
|
|
+extern nepenthes::Nepenthes *g_Nepenthes;
|
|
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/Makefile.am nepenthes-0.2.0-r1345/modules/submit-mwserv/Makefile.am
|
|
--- nepenthes-0.2.0/modules/submit-mwserv/Makefile.am 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,19 @@
|
|
+# nepenthes module Makefile
|
|
+# Paul Baecher, Maximillian Dornseif, Markus Koetter
|
|
+# $Id: Makefile.am 718 2006-12-28 23:29:59Z common $
|
|
+
|
|
+AUTOMAKE_OPTIONS = foreign
|
|
+
|
|
+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
|
|
+AM_CXXFLAGS = -Wall -Werror
|
|
+
|
|
+AM_LDFLAGS = $(LIB_CURL)
|
|
+
|
|
+pkglib_LTLIBRARIES = submitmwserv.la
|
|
+
|
|
+submitmwserv_la_SOURCES = submit-mwserv.cpp submit-mwserv.hpp
|
|
+submitmwserv_la_SOURCES += TransferSession.cpp TransferSession.hpp
|
|
+submitmwserv_la_SOURCES += submit-mwserv.conf.dist
|
|
+
|
|
+submitmwserv_la_CXXFLAGS = -fno-strict-aliasing
|
|
+submitmwserv_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
|
|
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/TransferSession.cpp nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.cpp
|
|
--- nepenthes-0.2.0/modules/submit-mwserv/TransferSession.cpp 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,402 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2007 Georg Wicherski <gw@mwcollect.org>
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+#include "submit-mwserv.hpp"
|
|
+
|
|
+#include "LogManager.hpp"
|
|
+#include "EventManager.hpp"
|
|
+
|
|
+#include "POLLSocket.cpp"
|
|
+#include "Socket.cpp"
|
|
+
|
|
+
|
|
+
|
|
+#if defined(__GNUG__)
|
|
+ #define MY_COMPILER "g++"
|
|
+#elif defined(__CYGWIN__)
|
|
+ #define MY_COMPILER "cygwin"
|
|
+#else
|
|
+ #define MY_COMPILER "unknown Compiler"
|
|
+#endif
|
|
+
|
|
+#if defined(__FreeBSD__)
|
|
+# define MY_OS "FreeBSD"
|
|
+#elif defined(linux) || defined (__linux)
|
|
+# define MY_OS "Linux"
|
|
+#elif defined (__MACOSX__) || defined (__APPLE__)
|
|
+# define MY_OS "Mac OS X"
|
|
+#elif defined(__NetBSD__)
|
|
+# define MY_OS "NetBSD"
|
|
+#elif defined(__OpenBSD__)
|
|
+# define MY_OS "OpenBSD"
|
|
+#elif defined(_WIN32) || defined(__WIN32__) || defined(__TOS_WIN__)
|
|
+# define MY_OS "Windows"
|
|
+#elif defined(CYGWIN)
|
|
+# define MY_OS "Cygwin\Windows"
|
|
+#else
|
|
+# define MY_OS "Unknown OS"
|
|
+#endif
|
|
+
|
|
+#if defined(__alpha__) || defined(__alpha) || defined(_M_ALPHA)
|
|
+# define MY_ARCH "Alpha"
|
|
+#elif defined(__arm__)
|
|
+# if defined(__ARMEB__)
|
|
+# define MY_ARCH "ARMeb"
|
|
+# else
|
|
+# define MY_ARCH "ARM"
|
|
+# endif
|
|
+#elif defined(i386) || defined(__i386__) || defined(__i386) || defined(_M_IX86) || defined(_X86_) || defined(__THW_INTEL)
|
|
+# define MY_ARCH "x86"
|
|
+#elif defined(__x86_64__) || defined(__amd64__)
|
|
+# define MY_ARCH "x86_64"
|
|
+#elif defined(__ia64__) || defined(_IA64) || defined(__IA64__) || defined(_M_IA64)
|
|
+# define MY_ARCH "Intel Architecture-64"
|
|
+#elif defined(__mips__) || defined(__mips) || defined(__MIPS__)
|
|
+# if defined(__mips32__) || defined(__mips32)
|
|
+# define MY_ARCH "MIPS32"
|
|
+# else
|
|
+# define MY_ARCH "MIPS"
|
|
+# endif
|
|
+#elif defined(__hppa__) || defined(__hppa)
|
|
+# define MY_ARCH "PA RISC"
|
|
+#elif defined(__powerpc) || defined(__powerpc__) || defined(__POWERPC__) || defined(__ppc__) || defined(_M_PPC) || defined(__PPC) || defined(__PPC__)
|
|
+# define MY_ARCH "PowerPC"
|
|
+#elif defined(__THW_RS6000) || defined(_IBMR2) || defined(_POWER) || defined(_ARCH_PWR) || defined(_ARCH_PWR2)
|
|
+# define MY_ARCH "RS/6000"
|
|
+#elif defined(__sparc__) || defined(sparc) || defined(__sparc)
|
|
+# define MY_ARCH "SPARC"
|
|
+#else
|
|
+# define MY_ARCH "Unknown Architecture"
|
|
+#endif
|
|
+
|
|
+
|
|
+
|
|
+namespace nepenthes
|
|
+{
|
|
+
|
|
+
|
|
+TransferSession::TransferSession(Type type, SubmitMwservModule * parent)
|
|
+{
|
|
+ m_type = type;
|
|
+ m_parent = parent;
|
|
+
|
|
+ m_sample.binary = 0;
|
|
+ m_multiHandle = 0;
|
|
+ m_postInfo = m_postInfoLast = 0;
|
|
+ m_curlHandle = 0;
|
|
+
|
|
+ m_Type |= ST_NODEL;
|
|
+}
|
|
+
|
|
+void TransferSession::transfer(TransferSample& sample, string url)
|
|
+{
|
|
+ m_sample = sample;
|
|
+
|
|
+ if(!(m_curlHandle = curl_easy_init()) || !(m_multiHandle =
|
|
+ curl_multi_init()))
|
|
+ {
|
|
+ logCrit("%s failed!\n", __PRETTY_FUNCTION__);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ m_targetUrl = url;
|
|
+ m_sample = sample;
|
|
+
|
|
+ initializeHandle();
|
|
+}
|
|
+
|
|
+TransferSession::~TransferSession()
|
|
+{
|
|
+ Exit();
|
|
+}
|
|
+
|
|
+void TransferSession::initializeHandle()
|
|
+{
|
|
+ m_postInfo = m_postInfoLast = 0;
|
|
+
|
|
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "guid",
|
|
+ CURLFORM_COPYCONTENTS, m_sample.guid.c_str(), CURLFORM_END);
|
|
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME,
|
|
+ "maintainer", CURLFORM_COPYCONTENTS, m_sample.maintainer.c_str(),
|
|
+ CURLFORM_END);
|
|
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "secret",
|
|
+ CURLFORM_COPYCONTENTS, m_sample.secret.c_str(), CURLFORM_END);
|
|
+
|
|
+ if(m_type != TST_HEARTBEAT)
|
|
+ {
|
|
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "url",
|
|
+ CURLFORM_COPYCONTENTS, m_sample.url.c_str(), CURLFORM_END);
|
|
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "sha512",
|
|
+ CURLFORM_COPYCONTENTS, m_sample.sha512.c_str(), CURLFORM_END);
|
|
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "saddr",
|
|
+ CURLFORM_COPYCONTENTS, m_sample.saddr.c_str(), CURLFORM_END);
|
|
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "daddr",
|
|
+ CURLFORM_COPYCONTENTS, m_sample.daddr.c_str(), CURLFORM_END);
|
|
+
|
|
+ if(m_type == TST_SAMPLE)
|
|
+ {
|
|
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "data",
|
|
+ CURLFORM_PTRCONTENTS, m_sample.binary, CURLFORM_CONTENTSLENGTH,
|
|
+ m_sample.binarySize, CURLFORM_END);
|
|
+ }
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "software",
|
|
+ CURLFORM_COPYCONTENTS, "nepenthes " VERSION " (" MY_OS ", " MY_ARCH
|
|
+ ", " MY_COMPILER ")", CURLFORM_END);
|
|
+ }
|
|
+
|
|
+ curl_easy_setopt(m_curlHandle, CURLOPT_HTTPPOST, m_postInfo);
|
|
+ curl_easy_setopt(m_curlHandle, CURLOPT_FORBID_REUSE, 1);
|
|
+ curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYHOST, false);
|
|
+ curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYPEER, false);
|
|
+ curl_easy_setopt(m_curlHandle, CURLOPT_URL, m_targetUrl.c_str());
|
|
+ curl_easy_setopt(m_curlHandle, CURLOPT_USERAGENT,
|
|
+ "nepenthes " VERSION " (" MY_OS ", " MY_ARCH ", " MY_COMPILER ")");
|
|
+ curl_easy_setopt(m_curlHandle, CURLOPT_WRITEDATA, this);
|
|
+ curl_easy_setopt(m_curlHandle, CURLOPT_WRITEFUNCTION,
|
|
+ TransferSession::readData);
|
|
+
|
|
+ CURLMcode error;
|
|
+
|
|
+ if((error = curl_multi_add_handle(m_multiHandle, m_curlHandle)))
|
|
+ logCrit("Error adding easy to multi: %s\n", curl_multi_strerror(error));
|
|
+
|
|
+ int handles = 0;
|
|
+
|
|
+ while(curl_multi_perform(m_multiHandle, &handles) ==
|
|
+ CURLM_CALL_MULTI_PERFORM && handles);
|
|
+}
|
|
+
|
|
+//size_t function( void *ptr, size_t size, size_t nmemb, void *stream);
|
|
+size_t TransferSession::readData(void *buffer, size_t s, size_t n, void *data)
|
|
+{
|
|
+ ((TransferSession *) data)->m_buffer.append((const char *)buffer, s * n);
|
|
+ return s * n;
|
|
+}
|
|
+
|
|
+TransferSession::Status TransferSession::getTransferStatus()
|
|
+{
|
|
+ if(m_type != TST_HEARTBEAT)
|
|
+ {
|
|
+ if(m_buffer == "OK")
|
|
+ return TSS_OK;
|
|
+ else if(m_buffer == "UNKNOWN")
|
|
+ return TSS_UNKNOWN;
|
|
+ else
|
|
+ return TSS_ERROR;
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ if(m_buffer.substr(0, 4) == "OK: ")
|
|
+ return TSS_HEARTBEAT;
|
|
+ else
|
|
+ return TSS_ERROR;
|
|
+ }
|
|
+}
|
|
+
|
|
+bool TransferSession::Init()
|
|
+{
|
|
+ return true;
|
|
+}
|
|
+
|
|
+bool TransferSession::Exit()
|
|
+{
|
|
+ if(m_multiHandle)
|
|
+ curl_multi_remove_handle(m_multiHandle, m_curlHandle);
|
|
+
|
|
+ if(m_postInfo)
|
|
+ curl_formfree(m_postInfo);
|
|
+
|
|
+ if(m_curlHandle)
|
|
+ curl_easy_cleanup(m_curlHandle);
|
|
+
|
|
+ if(m_multiHandle)
|
|
+ {
|
|
+ curl_multi_cleanup(m_multiHandle);
|
|
+ m_multiHandle = 0;
|
|
+ }
|
|
+
|
|
+ if(m_sample.binary)
|
|
+ {
|
|
+ delete [] m_sample.binary;
|
|
+ m_sample.binary = 0;
|
|
+ }
|
|
+
|
|
+ return true;
|
|
+}
|
|
+
|
|
+bool TransferSession::wantSend()
|
|
+{
|
|
+ fd_set readSet, writeSet, errorSet;
|
|
+ int maxFd = 0;
|
|
+ CURLMcode error;
|
|
+ FD_ZERO(&readSet); FD_ZERO(&writeSet); FD_ZERO(&errorSet);
|
|
+
|
|
+ if((error = curl_multi_fdset(m_multiHandle, &readSet, &writeSet, &errorSet,
|
|
+ &maxFd)))
|
|
+ {
|
|
+ logCrit("Obtaining write socket failed: %s\n",
|
|
+ curl_multi_strerror(error));
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ return FD_ISSET(maxFd, &writeSet);
|
|
+}
|
|
+
|
|
+int32_t TransferSession::doSend()
|
|
+{
|
|
+ return doRecv();
|
|
+}
|
|
+
|
|
+int32_t TransferSession::doRecv()
|
|
+{
|
|
+ int handles = 0, queued = 0;
|
|
+
|
|
+ while(curl_multi_perform(m_multiHandle, &handles) ==
|
|
+ CURLM_CALL_MULTI_PERFORM && handles);
|
|
+
|
|
+ CURLMsg * message;
|
|
+
|
|
+ while((message = curl_multi_info_read(m_multiHandle, &queued)))
|
|
+ {
|
|
+ if(message->msg == CURLMSG_DONE)
|
|
+ {
|
|
+ if(message->data.result)
|
|
+ {
|
|
+ logCrit("Connection to %s failed: %s [\"%s\"]\n",
|
|
+ m_targetUrl.c_str(), curl_easy_strerror(message->
|
|
+ data.result), m_buffer.c_str());
|
|
+
|
|
+ if(m_type == TST_HEARTBEAT)
|
|
+ m_parent->scheduleHeartbeat(DEFAULT_HEARTBEAT_DELTA);
|
|
+ else
|
|
+ {
|
|
+ m_parent->retrySample(m_sample);
|
|
+ m_sample.binary = 0;
|
|
+ }
|
|
+ }
|
|
+ else
|
|
+ {
|
|
+ switch(getTransferStatus())
|
|
+ {
|
|
+ case TransferSession::TSS_OK:
|
|
+ logInfo("Transmitted %s to %s.\n", m_sample.url.c_str(),
|
|
+ m_targetUrl.c_str());
|
|
+
|
|
+ break;
|
|
+
|
|
+ case TransferSession::TSS_UNKNOWN:
|
|
+ logInfo("submit-mwserv: uploading data for %s\n",
|
|
+ m_sample.url.c_str());
|
|
+
|
|
+ m_parent->submitSample(m_sample);
|
|
+ m_sample.binary = 0;
|
|
+
|
|
+ break;
|
|
+
|
|
+ case TransferSession::TSS_HEARTBEAT:
|
|
+ {
|
|
+ unsigned long delta = strtoul(m_buffer.substr(4).
|
|
+ c_str(), 0, 0);
|
|
+ logDebug("Next heartbeat in %u seconds.\n", delta);
|
|
+
|
|
+ m_parent->scheduleHeartbeat(delta);
|
|
+
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ case TransferSession::TSS_ERROR:
|
|
+ if(m_type == TST_HEARTBEAT)
|
|
+ m_parent->scheduleHeartbeat(DEFAULT_HEARTBEAT_DELTA);
|
|
+
|
|
+ logCrit("%s reported \"%s\"\n", m_targetUrl.c_str(),
|
|
+ m_buffer.c_str());
|
|
+
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ m_Type |= ~ST_NODEL;
|
|
+ m_Status = SS_CLOSED;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+int32_t TransferSession::getSocket()
|
|
+{
|
|
+ if(!m_multiHandle)
|
|
+ return -1;
|
|
+
|
|
+ fd_set readSet, writeSet, errorSet;
|
|
+ int maxFd = 0;
|
|
+ CURLMcode error;
|
|
+ FD_ZERO(&readSet); FD_ZERO(&writeSet); FD_ZERO(&errorSet);
|
|
+
|
|
+ if((error = curl_multi_fdset(m_multiHandle, &readSet, &writeSet, &errorSet,
|
|
+ &maxFd)))
|
|
+ {
|
|
+ logCrit("Obtaining read socket failed: %s\n",
|
|
+ curl_multi_strerror(error));
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ if(maxFd == -1)
|
|
+ return -1;
|
|
+
|
|
+ if(!FD_ISSET(maxFd, &readSet) && !FD_ISSET(maxFd, &writeSet) &&
|
|
+ !FD_ISSET(maxFd, &errorSet))
|
|
+ {
|
|
+ logCrit("maxFd not in set: %i!\n", maxFd);
|
|
+ return -1;
|
|
+ }
|
|
+
|
|
+ return maxFd;
|
|
+}
|
|
+
|
|
+int32_t TransferSession::getsockOpt(int32_t level, int32_t optname,
|
|
+ void *optval, socklen_t *optlen)
|
|
+{
|
|
+ return getsockopt(getSocket(), level, optname, optval, optlen);
|
|
+}
|
|
+
|
|
+
|
|
+}
|
|
+
|
|
+
|
|
+bool TransferSession::checkTimeout()
|
|
+{
|
|
+ // if the connection is bad, give curl a chance to take care, so we can get rid of the connection
|
|
+ if (getSocket() == -1)
|
|
+ doRecv();
|
|
+
|
|
+ return false;
|
|
+}
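Review bot: `curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYPEER, false);` and the `CURLOPT_SSL_VERIFYHOST` line before it in initializeHandle() switch off certificate verification, so when the configured url is https the form fields built a few lines earlier — including the `secret` shared credential and the collected sample — go to whoever answers for that host; unless self-signed servers must be tolerated, drop both lines (libcurl's defaults verify) or make it a config option that logWarn()s when disabled, and in any case pass `long` values (`0L`/`2L`) rather than `bool`, since curl_easy_setopt reads these options through varargs. Separately, `m_Type |= ~ST_NODEL;` near the end of doRecv() sets every bit except ST_NODEL instead of clearing it; given the constructor's `m_Type |= ST_NODEL;` the intent is presumably `m_Type &= ~ST_NODEL;`. wantSend() evaluates `FD_ISSET(maxFd, &writeSet)` without the `maxFd == -1` guard that getSocket() has, so an fdset with no descriptors indexes the set with -1. Finally, checkTimeout() is defined after the closing `}` of `namespace nepenthes`, unlike every other member; unless a using-directive from a core header makes the unqualified `TransferSession` visible at global scope that will not compile, and either way it belongs inside the namespace block.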
|
|
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/TransferSession.hpp nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.hpp
|
|
--- nepenthes-0.2.0/modules/submit-mwserv/TransferSession.hpp 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,129 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2007 Georg Wicherski <gw@mwcollect.org>
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+#include <curl/curl.h>
|
|
+#include <curl/types.h>
|
|
+#include <curl/easy.h>
|
|
+
|
|
+#include <string>
|
|
+using namespace std;
|
|
+
|
|
+#include "Nepenthes.hpp"
|
|
+#include "Module.hpp"
|
|
+#include "SubmitHandler.hpp"
|
|
+#include "Download.hpp"
|
|
+
|
|
+#include "POLLSocket.hpp"
|
|
+
|
|
+
|
|
+namespace nepenthes
|
|
+{
|
|
+
|
|
+
|
|
+struct TransferSample
|
|
+{
|
|
+ string guid;
|
|
+ string maintainer;
|
|
+ string secret;
|
|
+
|
|
+ string url;
|
|
+ string saddr, daddr;
|
|
+ string sha512;
|
|
+
|
|
+ char * binary;
|
|
+ unsigned int binarySize;
|
|
+};
|
|
+
|
|
+
|
|
+class SubmitMwservModule;
|
|
+
|
|
+class TransferSession : public POLLSocket
|
|
+{
|
|
+public:
|
|
+ enum Type
|
|
+ {
|
|
+ TST_INSTANCE,
|
|
+ TST_SAMPLE,
|
|
+ TST_HEARTBEAT,
|
|
+ };
|
|
+
|
|
+ TransferSession(Type type, SubmitMwservModule * parent);
|
|
+ virtual ~TransferSession();
|
|
+
|
|
+ enum Status
|
|
+ {
|
|
+ TSS_OK,
|
|
+ TSS_UNKNOWN,
|
|
+ TSS_HEARTBEAT,
|
|
+ TSS_ERROR,
|
|
+ };
|
|
+
|
|
+ TransferSession::Status getTransferStatus();
|
|
+
|
|
+ void transfer(TransferSample& sample, string url);
|
|
+
|
|
+ // POLLSocket
|
|
+ bool Init();
|
|
+ bool Exit();
|
|
+
|
|
+ bool wantSend();
|
|
+
|
|
+ int32_t doSend();
|
|
+ int32_t doRecv();
|
|
+ int32_t getSocket();
|
|
+ int32_t getsockOpt(int32_t level, int32_t optname,
|
|
+ void *optval, socklen_t *optlen);
|
|
+ bool checkTimeout();
|
|
+
|
|
+protected:
|
|
+ string m_targetUrl;
|
|
+ TransferSample m_sample;
|
|
+
|
|
+ CURL * m_curlHandle;
|
|
+ CURLM * m_multiHandle;
|
|
+ curl_httppost * m_postInfo, * m_postInfoLast;
|
|
+
|
|
+ char * m_dataCopy;
|
|
+ unsigned int m_dataSize;
|
|
+
|
|
+ void initializeHandle();
|
|
+ void recreateWithSampleData();
|
|
+
|
|
+ string m_buffer;
|
|
+
|
|
+ Type m_type;
|
|
+ SubmitMwservModule * m_parent;
|
|
+
|
|
+ unsigned long m_heartbeatDelta;
|
|
+
|
|
+private:
|
|
+ static size_t readData(void *buffer, size_t size, size_t n, void *data);
|
|
+};
|
|
+
|
|
+
|
|
+}
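Review bot: The header has no include guard or `#pragma once`, and it places `using namespace std;` at file scope, which leaks into every translation unit that includes it (submit-mwserv.hpp in this patch has the same two issues). `m_dataCopy`, `m_dataSize`, `m_heartbeatDelta` and `recreateWithSampleData()` are declared here but have no definition or use in TransferSession.cpp, so they look like leftovers and could be dropped. `TransferSample::binary` is a raw owning pointer whose ownership is passed along by zeroing it in doRecv(); a comment on the struct such as `// owned by the TransferSession holding this sample; released in Exit()` would make that contract visible, and since the struct has no constructor, `binary`/`binarySize` stay uninitialized unless every creator assigns them.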
|
|
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.conf.dist nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.conf.dist
|
|
--- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.conf.dist 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.conf.dist 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,18 @@
|
|
+// lightweight libcurl based module for file submission via HTTP to the mwserv
|
|
+// python script suite (typically running on an apache2 with mod_python)
|
|
+// This is primarily used by the mwcollect Alliance - alliance.mwcollect.org
|
|
+
|
|
+submit-mwserv
|
|
+{
|
|
+ // the url to send the submission requests to
|
|
+ url = "";
|
|
+
|
|
+ // username of the maintainer of this sensor
|
|
+ maintainer = "";
|
|
+
|
|
+ // guid of this sensor, as generated serverside; typically 8 chars
|
|
+ guid = "";
|
|
+
|
|
+ // shared secret used for authentication aka `password'; typically 48 chars
|
|
+ secret = "";
|
|
+};
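Review bot: `secret` is the credential that authenticates this sensor to the server and it is posted as a plain form field by TransferSession.cpp, but the comment above it only describes its length. Adding `// this is a password: keep this file readable only by the user nepenthes runs as` would tell operators how to protect it, and the `url` comment could state that an https:// URL is expected if the transport is meant to protect the secret.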
|
|
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.cpp nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.cpp
|
|
--- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.cpp 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,224 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2007 Georg Wicherski <gw@mwcollect.org>
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+#include "Download.hpp"
|
|
+#include "Utilities.hpp"
|
|
+#include "SubmitManager.hpp"
|
|
+#include "LogManager.hpp"
|
|
+#include "Event.hpp"
|
|
+#include "EventManager.hpp"
|
|
+#include "EventHandler.cpp"
|
|
+#include "Config.hpp"
|
|
+#include "ModuleManager.hpp"
|
|
+#include "SocketManager.hpp"
|
|
+
|
|
+#include "DownloadBuffer.hpp"
|
|
+#include "DownloadUrl.hpp"
|
|
+
|
|
+#include "submit-mwserv.hpp"
|
|
+
|
|
+#include <unistd.h>
|
|
+#include <sys/socket.h>
|
|
+#include <netinet/in.h>
|
|
+#include <arpa/inet.h>
|
|
+
|
|
+
|
|
+#define SUBMIT_URI "nepenthes/submit"
|
|
+#define HEARTBEAT_URI "heartbeat"
|
|
+
|
|
+
|
|
+namespace nepenthes
|
|
+{
|
|
+
|
|
+
|
|
+SubmitMwservModule::SubmitMwservModule(Nepenthes * nepenthes)
|
|
+{
|
|
+ m_ModuleName = "submit-mwserv";
|
|
+ m_ModuleDescription = "mwserv.py HTTP Post Submission";
|
|
+ m_ModuleRevision = "$Rev: 921 $";
|
|
+ m_Nepenthes = nepenthes;
|
|
+ m_SubmitterName = "submit-mwserv";
|
|
+ m_SubmitterDescription = "mwserv.py HTTP Post Submission";
|
|
+
|
|
+ m_Timeout = 0;
|
|
+ m_TimeoutIntervall = 0;
|
|
+}
|
|
+
|
|
+bool SubmitMwservModule::Init()
|
|
+{
|
|
+ if(!m_Config)
|
|
+ {
|
|
+ logCrit("No configuration for submit-mwserv provided.\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ try
|
|
+ {
|
|
+ m_url = m_Config->getValString("submit-mwserv.url");
|
|
+ m_guid = m_Config->getValString("submit-mwserv.guid");
|
|
+ m_maintainer = m_Config->getValString("submit-mwserv.maintainer");
|
|
+ m_secret = m_Config->getValString("submit-mwserv.secret");
|
|
+ }
|
|
+ catch(...)
|
|
+ {
|
|
+ logCrit("Missing configuration option for submit-mwserv.\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ if(m_guid.find(":") != string::npos || m_maintainer.find(":")
|
|
+ != string::npos || m_secret.find(":") != string::npos ||
|
|
+ m_guid.find("+") != string::npos || m_maintainer.find("+")
|
|
+ != string::npos || m_secret.find("+") != string::npos)
|
|
+ {
|
|
+ logCrit("submit-mwserv: guid, maintainer or secret from configuration"
|
|
+ "contained ':' or '+'; this is not allowed.\n");
|
|
+ return false;
|
|
+ }
|
|
+
|
|
+ if(* m_url.rbegin() != '/')
|
|
+ m_url += "/";
|
|
+
|
|
+ REG_SUBMIT_HANDLER(this);
|
|
+ REG_EVENT_HANDLER(this);
|
|
+
|
|
+ handleEvent(0);
|
|
+
|
|
+ return true;
|
|
+}
|
|
+
|
|
+bool SubmitMwservModule::Exit()
|
|
+{
|
|
+ return true;
|
|
+}
|
|
+
|
|
+void SubmitMwservModule::Submit(Download * download)
|
|
+{
|
|
+ Hit(download);
|
|
+}
|
|
+
|
|
+void SubmitMwservModule::Hit(Download * download)
|
|
+{
|
|
+ TransferSample sample;
|
|
+ TransferSession * session = new TransferSession(TransferSession::
|
|
+ TST_INSTANCE, this);
|
|
+
|
|
+ {
|
|
+ struct in_addr saddr, daddr;
|
|
+
|
|
+ saddr.s_addr = download->getRemoteHost();
|
|
+ daddr.s_addr = download->getLocalHost();
|
|
+
|
|
+ sample.saddr = inet_ntoa(saddr);
|
|
+ sample.daddr = inet_ntoa(daddr);
|
|
+
|
|
+ sample.guid = m_guid;
|
|
+ sample.maintainer = m_maintainer;
|
|
+ sample.secret = m_secret;
|
|
+
|
|
+ sample.url = download->getUrl();
|
|
+ sample.sha512 = download->getSHA512Sum();
|
|
+
|
|
+ sample.binarySize = download->getDownloadBuffer()->getSize();
|
|
+ sample.binary = new char[sample.binarySize];
|
|
+ memcpy(sample.binary, download->getDownloadBuffer()->getData(),
|
|
+ sample.binarySize);
|
|
+ }
|
|
+
|
|
+ session->transfer(sample, m_url + SUBMIT_URI);
|
|
+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session);
|
|
+}
|
|
+
|
|
+void SubmitMwservModule::retrySample(TransferSample& sample)
|
|
+{
|
|
+ TransferSession * session = new TransferSession(TransferSession::
|
|
+ TST_INSTANCE, this);
|
|
+
|
|
+ session->transfer(sample, m_url + SUBMIT_URI);
|
|
+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session);
|
|
+}
|
|
+
|
|
+void SubmitMwservModule::submitSample(TransferSample& sample)
|
|
+{
|
|
+ TransferSession * session = new TransferSession(TransferSession::
|
|
+ TST_SAMPLE, this);
|
|
+
|
|
+ session->transfer(sample, m_url + SUBMIT_URI);
|
|
+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session);
|
|
+}
|
|
+
|
|
+uint32_t SubmitMwservModule::handleEvent(Event * ev)
|
|
+{
|
|
+ m_Events.reset(EV_TIMEOUT);
|
|
+
|
|
+ TransferSample sample;
|
|
+ TransferSession * session = new TransferSession(TransferSession::
|
|
+ TST_HEARTBEAT, this);
|
|
+
|
|
+ sample.guid = m_guid;
|
|
+ sample.maintainer = m_maintainer;
|
|
+ sample.secret = m_secret;
|
|
+ sample.binary = 0;
|
|
+
|
|
+ session->transfer(sample, m_url + HEARTBEAT_URI);
|
|
+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session);
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+void SubmitMwservModule::scheduleHeartbeat(unsigned long delta)
|
|
+{
|
|
+ if(delta > MAX_HEARTBEAT_DELTA)
|
|
+ {
|
|
+ logInfo("Capping server heartbeat delta of %u sec to %u sec.\n", delta,
|
|
+ MAX_HEARTBEAT_DELTA);
|
|
+
|
|
+ delta = MAX_HEARTBEAT_DELTA;
|
|
+ }
|
|
+
|
|
+ m_Events.set(EV_TIMEOUT);
|
|
+ m_Timeout = time(0) + delta;
|
|
+}
|
|
+
|
|
+
|
|
+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
|
|
+{
|
|
+ g_Nepenthes = nepenthes;
|
|
+
|
|
+ if(version == MODULE_IFACE_VERSION)
|
|
+ {
|
|
+ * module = new SubmitMwservModule(nepenthes);
|
|
+ return 1;
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+
|
|
+}
|
|
+
|
|
+Nepenthes * g_Nepenthes;
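Review bot: `if(* m_url.rbegin() != '/')` in Init() dereferences the reverse iterator of an empty string when `submit-mwserv.url` is left at the shipped default `""`, which is undefined behaviour; reject the empty value first: `if(m_url.empty()) { logCrit("submit-mwserv: url is empty.\n"); return false; }`. That check is also the natural place to require an `http://`/`https://` prefix, since m_url is concatenated with SUBMIT_URI and handed to libcurl as-is. In Hit(), retrySample() and submitSample() the `new TransferSession` is registered with the socket manager even when transfer() bailed out because a curl handle could not be created, leaving a session with no handles that presumably never reaches SS_CLOSED and is never deleted. The `':'`/`'+'` scan in Init() would read better as `find(':')` and `find('+')`, and logInfo in scheduleHeartbeat() prints an `unsigned long` with `%u`, which should be `%lu`.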
|
|
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.hpp nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.hpp
|
|
--- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.hpp 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,78 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2007 Georg Wicherski <gw@mwcollect.org>
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+#include <curl/curl.h>
|
|
+#include <curl/types.h>
|
|
+#include <curl/easy.h>
|
|
+
|
|
+#include "Nepenthes.hpp"
|
|
+#include "Module.hpp"
|
|
+#include "SubmitHandler.hpp"
|
|
+#include "EventHandler.hpp"
|
|
+#include "Download.hpp"
|
|
+
|
|
+#include "TransferSession.hpp"
|
|
+
|
|
+
|
|
+#define DEFAULT_HEARTBEAT_DELTA 30
|
|
+#define MAX_HEARTBEAT_DELTA 300
|
|
+
|
|
+
|
|
+using namespace std;
|
|
+
|
|
+namespace nepenthes
|
|
+{
|
|
+
|
|
+
|
|
+class SubmitMwservModule : public Module , public SubmitHandler,
|
|
+ public EventHandler
|
|
+{
|
|
+public:
|
|
+ SubmitMwservModule(Nepenthes * nepenthes);
|
|
+
|
|
+ bool Init();
|
|
+ bool Exit();
|
|
+
|
|
+ void Submit(Download * download);
|
|
+ void Hit(Download * download);
|
|
+
|
|
+ uint32_t handleEvent(Event *event);
|
|
+
|
|
+ void submitSample(TransferSample& sample);
|
|
+ void retrySample(TransferSample& sample);
|
|
+ void scheduleHeartbeat(unsigned long delta);
|
|
+
|
|
+protected:
|
|
+ string m_url, m_guid, m_maintainer, m_secret;
|
|
+ uint32_t m_inTransfer;
|
|
+};
|
|
+
|
|
+
|
|
+}
|
|
+
|
|
+extern nepenthes::Nepenthes *g_Nepenthes;
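Review bot: `uint32_t m_inTransfer;` is declared here but is neither initialized in SubmitMwservModule's constructor nor referenced anywhere in submit-mwserv.cpp in this patch, so it reads as dead state. Either remove it or initialize it alongside `m_Timeout = 0;` if a transfer counter is still planned.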
|
|
diff -ruN nepenthes-0.2.0/modules/submit-norman/Makefile.am nepenthes-0.2.0-r1345/modules/submit-norman/Makefile.am
|
|
--- nepenthes-0.2.0/modules/submit-norman/Makefile.am 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-norman/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -12,4 +12,4 @@
|
|
|
|
submitnorman_la_SOURCES = submit-norman.conf.dist submit-norman.hpp submit-norman.cpp
|
|
|
|
-submitnorman_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
+submitnorman_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
|
|
diff -ruN nepenthes-0.2.0/modules/submit-norman/submit-norman.conf.dist nepenthes-0.2.0-r1345/modules/submit-norman/submit-norman.conf.dist
|
|
--- nepenthes-0.2.0/modules/submit-norman/submit-norman.conf.dist 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-norman/submit-norman.conf.dist 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -1,8 +1,8 @@
|
|
submit-norman
|
|
{
|
|
// this is the adress where norman sandbox reports will be sent
|
|
- email "malware@mac.com";
|
|
- urls ("http://sandbox.norman.no/live_4.html",
|
|
+ email "nsbx@mwcollect.org";
|
|
+ urls ("http://www.norman.com/microsites/nsic/Submit/Special/45773/",
|
|
"http://luigi.informatik.uni-mannheim.de/submit.php?action=verify");
|
|
|
|
};
|
|
diff -ruN nepenthes-0.2.0/modules/submit-postgres/Makefile.am nepenthes-0.2.0-r1345/modules/submit-postgres/Makefile.am
|
|
--- nepenthes-0.2.0/modules/submit-postgres/Makefile.am 2006-11-13 20:40:05.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/submit-postgres/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -13,5 +13,6 @@
|
|
submitpostgres_la_SOURCES = submit-postgres.cpp submit-postgres.hpp
|
|
submitpostgres_la_SOURCES += PGDownloadContext.cpp PGDownloadContext.hpp
|
|
submitpostgres_la_SOURCES += bencoding.c bencoding.h
|
|
+submitpostgres_la_SOURCES += submit-postgres.conf.dist
|
|
|
|
submitpostgres_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-asn1/IISDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-asn1/IISDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-asn1/IISDialogue.cpp 2006-11-13 20:40:08.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-asn1/IISDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -43,6 +43,9 @@
|
|
|
|
#include "Socket.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
+
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
#endif
|
|
@@ -79,7 +82,7 @@
|
|
case IIS_POST:
|
|
case IIS_GET:
|
|
logWarn("Unknown IIS %i bytes State %i\n",m_Buffer->getSize(), m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
break;
|
|
|
|
case IIS_SEARCH:
|
|
@@ -102,7 +105,7 @@
|
|
ConsumeLevel IISDialogue::incomingData(Message *msg)
|
|
{
|
|
m_Buffer->add(msg->getMsg(),msg->getSize());
|
|
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+// HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
|
|
// FIXME this can only recognize urldownloadtofile foobar
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-asn1/SMBDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-asn1/SMBDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-asn1/SMBDialogue.cpp 2006-11-13 20:40:08.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-asn1/SMBDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -43,8 +43,13 @@
|
|
#include "Utilities.hpp"
|
|
#include "ShellcodeManager.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
+
|
|
#include "vuln-asn1.hpp"
|
|
|
|
+
|
|
+
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
#endif
|
|
@@ -227,5 +232,5 @@
|
|
void SMBDialogue::dump()
|
|
{
|
|
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","ASN1_SMB",m_Buffer->getSize(),m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-bagle/BagleDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-bagle/BagleDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-bagle/BagleDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-bagle/BagleDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -124,7 +124,7 @@
|
|
}
|
|
|
|
logCrit("Unknown Bagle Auth (%i)\n",m_Buffer->getSize());
|
|
- g_Nepenthes->getUtilities()->hexdump(l_crit | STDTAGS ,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+// g_Nepenthes->getUtilities()->hexdump(l_crit | STDTAGS ,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
if (m_Buffer->getSize() > 128 )
|
|
return CL_DROP;
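Review bot: Unlike IISDialogue, SMBDialogue, DWDialogue and DCOMDialogue in this patch, the hexdump here is commented out rather than replaced with the new `HEXDUMP` macro, so unknown Bagle authentication attempts lose their dump while the other dialogues keep theirs. If that is intentional, a one-line comment saying why would avoid the question; otherwise `HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());` keeps the behaviour consistent. The enclosing function starts outside the hunk.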
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-bagle/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-bagle/Makefile.am
|
|
--- nepenthes-0.2.0/modules/vuln-bagle/Makefile.am 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-bagle/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -6,7 +6,6 @@
|
|
|
|
AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
|
|
AM_CXXFLAGS = -Wall -Werror
|
|
-AM_LDFLAGS = -lpcre
|
|
|
|
pkglib_LTLIBRARIES = vulnbagle.la
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-dameware/DWDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-dameware/DWDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-dameware/DWDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-dameware/DWDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -48,6 +48,9 @@
|
|
|
|
#include "Utilities.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
+
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
#endif
|
|
@@ -209,5 +212,5 @@
|
|
void DWDialogue::dump()
|
|
{
|
|
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","DameWare",m_Buffer->getSize(),m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-dcom/DCOMDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-dcom/DCOMDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-dcom/DCOMDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-dcom/DCOMDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -39,6 +39,10 @@
|
|
#include "Utilities.hpp"
|
|
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
+
|
|
+
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
#endif
|
|
@@ -234,5 +238,5 @@
|
|
void DCOMDialogue::dump()
|
|
{
|
|
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","DCOM",m_Buffer->getSize(),m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-ftpd/vuln-ftpd.cpp nepenthes-0.2.0-r1345/modules/vuln-ftpd/vuln-ftpd.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-ftpd/vuln-ftpd.cpp 2006-11-13 20:40:03.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-ftpd/vuln-ftpd.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -55,6 +55,9 @@
|
|
|
|
#include "Utilities.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
+
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
#endif
|
|
@@ -220,7 +223,7 @@
|
|
uint32_t i = 0;
|
|
bool buffercut=false;
|
|
|
|
- g_Nepenthes->getUtilities()->hexdump((byte *) m_Buffer->getData(),m_Buffer->getSize());
|
|
+// g_Nepenthes->getUtilities()->hexdump((byte *) m_Buffer->getData(),m_Buffer->getSize());
|
|
while ( i < m_Buffer->getSize() )
|
|
{
|
|
buffercut = false;
|
|
@@ -418,7 +421,7 @@
|
|
void FTPdDialogue::dump()
|
|
{
|
|
logWarn("Unknown exploit %i bytes \n",m_Shellcode->getSize());
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Shellcode->getData(), m_Shellcode->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *) m_Shellcode->getData(), m_Shellcode->getSize());
|
|
}
|
|
|
|
ftp_exploit FTPdDialogue::identExploit(string line)
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-iis/IISDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-iis/IISDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-iis/IISDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-iis/IISDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -49,6 +49,9 @@
|
|
#include "Message.hpp"
|
|
#include "Message.cpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
+
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
#endif
|
|
@@ -85,7 +88,7 @@
|
|
case IIS_NULL:
|
|
case IIS_SSL:
|
|
logWarn("Unknown IIS SSL exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
break;
|
|
|
|
case IIS_DONE:
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-lsass/LSASSDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-lsass/LSASSDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-lsass/LSASSDialogue.cpp 2006-11-13 20:40:11.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-lsass/LSASSDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -46,6 +46,8 @@
|
|
#include "Buffer.hpp"
|
|
#include "Buffer.cpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
@@ -281,6 +283,6 @@
|
|
void LSASSDialogue::dump()
|
|
{
|
|
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","LSASS",m_Buffer->getSize(),m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
}
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-msdtc/MSDTCDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-msdtc/MSDTCDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-msdtc/MSDTCDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-msdtc/MSDTCDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -38,6 +38,8 @@
|
|
#include "ShellcodeManager.hpp"
|
|
#include "Utilities.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
@@ -181,5 +183,5 @@
|
|
void MSDTCDialogue::dump()
|
|
{
|
|
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","MSDTC",m_Buffer->getSize(),m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-msmq/MSMQDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-msmq/MSMQDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-msmq/MSMQDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-msmq/MSMQDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -43,6 +43,8 @@
|
|
#include "Nepenthes.hpp"
|
|
#include "LogManager.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
|
|
using namespace nepenthes;
|
|
|
|
@@ -73,7 +75,7 @@
|
|
case MSMQ_NULL:
|
|
case MSMQ_SHELLCODE:
|
|
logWarn("Unknown MSMQ exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
break;
|
|
|
|
case MSMQ_DONE:
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-mssql/MSSQLDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-mssql/MSSQLDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-mssql/MSSQLDialogue.cpp 2006-11-13 20:40:03.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-mssql/MSSQLDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -41,6 +41,9 @@
|
|
|
|
#include "Utilities.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
+
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
#endif
|
|
@@ -115,7 +118,7 @@
|
|
}
|
|
else
|
|
{ // hexdump it
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte*)msg->getMsg(),msg->getSize());
|
|
+ HEXDUMP(m_Socket,(byte*)msg->getMsg(),msg->getSize());
|
|
|
|
}
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-netbiosname/SMBNameDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-netbiosname/SMBNameDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-netbiosname/SMBNameDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-netbiosname/SMBNameDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -49,6 +49,8 @@
|
|
|
|
#include "Utilities.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
@@ -146,7 +148,7 @@
|
|
case SMBName_NEGOTIATE:
|
|
case SMBName_NULL:
|
|
logWarn("Unknown SMBName exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
|
|
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+// HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
break;
|
|
|
|
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-netdde/NETDDEDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-netdde/NETDDEDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-netdde/NETDDEDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-netdde/NETDDEDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -49,6 +49,8 @@
|
|
|
|
#include "Utilities.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
@@ -201,5 +203,5 @@
|
|
void NETDDEDialogue::dump()
|
|
{
|
|
logWarn("Unknown NETDDE exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-optix/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-optix/Makefile.am
|
|
--- nepenthes-0.2.0/modules/vuln-optix/Makefile.am 2006-11-13 20:40:08.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-optix/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -12,4 +12,4 @@
|
|
|
|
vulnoptix_la_SOURCES = vuln-optix.conf.dist OPTIXBindDialogue.hpp OPTIXDownloadDialogue.hpp OPTIXDownloadHandler.hpp OPTIXShellDialogue.hpp vuln-optix.hpp OPTIXBindDialogue.cpp OPTIXDownloadDialogue.cpp OPTIXDownloadHandler.cpp OPTIXShellDialogue.cpp vuln-optix.cpp
|
|
|
|
-vulnoptix_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
+vulnoptix_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-optix/OPTIXShellDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-optix/OPTIXShellDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-optix/OPTIXShellDialogue.cpp 2006-11-13 20:40:08.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-optix/OPTIXShellDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -107,7 +107,7 @@
|
|
case OPTIX_AUTHED:
|
|
if (m_Buffer->getSize() >= 6)
|
|
{
|
|
- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
// we could do this with pcre ...
|
|
if (memcmp(m_Buffer->getData(),"019¬\r\n",6) == 0)
|
|
{
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-pnp/PNPDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-pnp/PNPDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-pnp/PNPDialogue.cpp 2006-11-13 20:40:08.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-pnp/PNPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -47,6 +47,8 @@
|
|
#include "Buffer.hpp"
|
|
#include "Buffer.cpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
@@ -276,5 +278,5 @@
|
|
void PNPDialogue::dump()
|
|
{
|
|
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","PNP",m_Buffer->getSize(),m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-realvnc/vuln-realvnc.cpp nepenthes-0.2.0-r1345/modules/vuln-realvnc/vuln-realvnc.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-realvnc/vuln-realvnc.cpp 2006-11-13 20:40:07.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-realvnc/vuln-realvnc.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -246,7 +246,7 @@
|
|
{
|
|
|
|
logSpam("VNC_HANDSHAKE\n");
|
|
- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
if (m_Buffer->getSize() >= strlen(rfb_version_003_008) &&
|
|
memcmp(m_Buffer->getData(),rfb_version_003_008,strlen(rfb_version_003_008)) == 0)
|
|
{
|
|
@@ -262,7 +262,7 @@
|
|
if ( m_State == VNC_AUTH)
|
|
{
|
|
logSpam("VNC_AUTH\n");
|
|
- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
if (m_Buffer->getSize() >= 1 )
|
|
{
|
|
if (1)// *(char *) (m_Buffer->getData()) == 1)
|
|
@@ -546,7 +546,7 @@
|
|
|
|
case 6:
|
|
logSpam("ClientReq: CutEvent\n");
|
|
- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
|
|
if (m_Buffer->getSize() >= 8 )
|
|
{
|
|
uint32_t cpbytes;
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -49,6 +49,8 @@
|
|
|
|
#include "Utilities.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
@@ -219,5 +221,5 @@
|
|
void SasserFTPDDialogue::dump()
|
|
{
|
|
logWarn("Unknown SasserFTPD exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-sav/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-sav/Makefile.am
|
|
--- nepenthes-0.2.0/modules/vuln-sav/Makefile.am 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-sav/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,14 @@
|
|
+# nepenthes module Makefile
|
|
+# Paul Baecher, Maximillian Dornseif, Markus Koetter
|
|
+# $Id$
|
|
+
|
|
+AUTOMAKE_OPTIONS = foreign
|
|
+
|
|
+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
|
|
+AM_CXXFLAGS = -Wall -Werror
|
|
+
|
|
+pkglib_LTLIBRARIES = vulnsav.la
|
|
+
|
|
+vulnsav_la_SOURCES = vuln-sav.cpp vuln-sav.hpp
|
|
+
|
|
+vulnsav_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-sav/vuln-sav.cpp nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-sav/vuln-sav.cpp 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,278 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+ /* $Id$ */
|
|
+
|
|
+#include <ctype.h>
|
|
+
|
|
+#include "vuln-sav.hpp"
|
|
+
|
|
+#include "SocketManager.hpp"
|
|
+
|
|
+#include "DownloadManager.hpp"
|
|
+#include "LogManager.hpp"
|
|
+#include "DialogueFactoryManager.hpp"
|
|
+
|
|
+
|
|
+#include "Buffer.hpp"
|
|
+#include "Buffer.cpp"
|
|
+
|
|
+#include "Message.hpp"
|
|
+#include "Message.cpp"
|
|
+
|
|
+#include "ShellcodeManager.hpp"
|
|
+
|
|
+#include "Config.hpp"
|
|
+
|
|
+#include "Download.hpp"
|
|
+
|
|
+#ifdef STDTAGS
|
|
+#undef STDTAGS
|
|
+#endif
|
|
+#define STDTAGS l_mod
|
|
+
|
|
+using namespace nepenthes;
|
|
+
|
|
+
|
|
+/**
|
|
+ * as we may need a global pointer to our Nepenthes in our modules,
|
|
+ * and cant access the cores global pointer to nepenthes
|
|
+ * we have to use a own global pointer to nepenthes per module
|
|
+ * we need this pointer for logInfo() etc
|
|
+ */
|
|
+Nepenthes *g_Nepenthes;
|
|
+
|
|
+/**
|
|
+ * The Constructor
|
|
+ * creates a new VulnSAV Module,
|
|
+ * VulnSAV is an example for binding a socket & setting up the Dialogue & DialogueFactory
|
|
+ *
|
|
+ *
|
|
+ * it can be used as a shell emu to allow trigger commands
|
|
+ *
|
|
+ *
|
|
+ * sets the following values:
|
|
+ * - m_DialogueFactoryName
|
|
+ * - m_DialogueFactoryDescription
|
|
+ *
|
|
+ * @param nepenthes the pointer to our Nepenthes
|
|
+ */
|
|
+VulnSAV::VulnSAV(Nepenthes *nepenthes)
|
|
+{
|
|
+ m_ModuleName = "vuln-sav";
|
|
+ m_ModuleDescription = "emulate the bug in symantec antivirus product";
|
|
+ m_ModuleRevision = "$Rev$";
|
|
+ m_Nepenthes = nepenthes;
|
|
+
|
|
+ m_DialogueFactoryName = "SAV Factory";
|
|
+ m_DialogueFactoryDescription = "Symantec Antivirus Client Dialogue Factory";
|
|
+
|
|
+ g_Nepenthes = nepenthes;
|
|
+}
|
|
+
|
|
+VulnSAV::~VulnSAV()
|
|
+{
|
|
+
|
|
+}
|
|
+
|
|
+
|
|
+/**
|
|
+ * Module::Init()
|
|
+ *
|
|
+ * binds the port, adds the DialogueFactory to the Socket
|
|
+ *
|
|
+ * @return returns true if everything was fine, else false
|
|
+ * false indicates a fatal error
|
|
+ */
|
|
+bool VulnSAV::Init()
|
|
+{
|
|
+/* if ( m_Config == NULL )
|
|
+ {
|
|
+ logCrit("I need a config\n");
|
|
+ return false;
|
|
+ }
|
|
+*/
|
|
+ m_Nepenthes->getSocketMgr()->bindTCPSocket(0,2967,0,30,this);
|
|
+ return true;
|
|
+}
|
|
+
|
|
+bool VulnSAV::Exit()
|
|
+{
|
|
+ return true;
|
|
+}
|
|
+
|
|
+/**
|
|
+ * DialogueFactory::createDialogue(Socket *)
|
|
+ *
|
|
+ * creates a new SAVDialogue
|
|
+ *
|
|
+ * @param socket the socket the DIalogue has to use, can be NULL if the Dialogue can handle it
|
|
+ *
|
|
+ * @return returns the new created dialogue
|
|
+ */
|
|
+Dialogue *VulnSAV::createDialogue(Socket *socket)
|
|
+{
|
|
+ return new SAVDialogue(socket);
|
|
+// return g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory")->createDialogue(socket);
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+/**
|
|
+ * Dialogue::Dialogue(Socket *)
|
|
+ * construktor for the SAVDialogue, creates a new SAVDialogue
|
|
+ *
|
|
+ * replies some crap to the socket
|
|
+ *
|
|
+ * @param socket the Socket the Dialogue has to use
|
|
+ */
|
|
+SAVDialogue::SAVDialogue(Socket *socket)
|
|
+{
|
|
+ m_Socket = socket;
|
|
+ m_DialogueName = "SAVDialogue";
|
|
+ m_DialogueDescription = "Symantec Antivirus Dialogue";
|
|
+
|
|
+ m_ConsumeLevel = CL_ASSIGN;
|
|
+
|
|
+ m_Buffer = new Buffer(512);
|
|
+}
|
|
+
|
|
+SAVDialogue::~SAVDialogue()
|
|
+{
|
|
+ delete m_Buffer;
|
|
+}
|
|
+
|
|
+/**
|
|
+ * Dialogue::incomingData(Message *)
|
|
+ *
|
|
+ * a small and ugly shell where we can use
|
|
+ * "download protocol://localction:port/path/to/file
|
|
+ * to trigger a download
|
|
+ *
|
|
+ * @param msg the Message the Socker received.
|
|
+ *
|
|
+ *
|
|
+ * @return CL_ASSIGN
|
|
+ */
|
|
+ConsumeLevel SAVDialogue::incomingData(Message *msg)
|
|
+{
|
|
+
|
|
+ m_Buffer->add(msg->getMsg(),msg->getSize());
|
|
+
|
|
+ if ( m_Buffer->getSize() > 0xcd0 )
|
|
+ {
|
|
+ Message *Msg = new Message((char *)m_Buffer->getData(), m_Buffer->getSize(),m_Socket->getLocalPort(), m_Socket->getRemotePort(),
|
|
+ m_Socket->getLocalHost(), m_Socket->getRemoteHost(), m_Socket, m_Socket);
|
|
+ sch_result sch;
|
|
+ sch = g_Nepenthes->getShellcodeMgr()->handleShellcode(&Msg);
|
|
+ delete Msg;
|
|
+
|
|
+ if ( sch == SCH_DONE )
|
|
+ {
|
|
+ m_Buffer->clear();
|
|
+ return CL_ASSIGN_AND_DONE;
|
|
+ }
|
|
+
|
|
+ }
|
|
+
|
|
+ return CL_ASSIGN;
|
|
+}
|
|
+
|
|
+/**
|
|
+ * Dialogue::outgoingData(Message *)
|
|
+ * as we are not interested in these socket actions
|
|
+ * we simply return CL_DROP to show the socket
|
|
+ *
|
|
+ * @param msg
|
|
+ *
|
|
+ * @return CL_DROP
|
|
+ */
|
|
+ConsumeLevel SAVDialogue::outgoingData(Message *msg)
|
|
+{
|
|
+ return CL_ASSIGN;
|
|
+}
|
|
+
|
|
+/**
|
|
+ * Dialogue::handleTimeout(Message *)
|
|
+ * as we are not interested in these socket actions
|
|
+ * we simply return CL_DROP to show the socket
|
|
+ *
|
|
+ * @param msg
|
|
+ *
|
|
+ * @return CL_DROP
|
|
+ */
|
|
+ConsumeLevel SAVDialogue::handleTimeout(Message *msg)
|
|
+{
|
|
+ return CL_DROP;
|
|
+}
|
|
+
|
|
+/**
|
|
+ * Dialogue::connectionLost(Message *)
|
|
+ * as we are not interested in these socket actions
|
|
+ * we simply return CL_DROP to show the socket
|
|
+ *
|
|
+ * @param msg
|
|
+ *
|
|
+ * @return CL_DROP
|
|
+ */
|
|
+ConsumeLevel SAVDialogue::connectionLost(Message *msg)
|
|
+{
|
|
+ return CL_DROP;
|
|
+}
|
|
+
|
|
+/**
|
|
+ * Dialogue::connectionShutdown(Message *)
|
|
+ * as we are not interested in these socket actions
|
|
+ * we simply return CL_DROP to show the socket
|
|
+ *
|
|
+ * @param msg
|
|
+ *
|
|
+ * @return CL_DROP
|
|
+ */
|
|
+ConsumeLevel SAVDialogue::connectionShutdown(Message *msg)
|
|
+{
|
|
+ return CL_DROP;
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+
|
|
+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
|
|
+{
|
|
+ if ( version == MODULE_IFACE_VERSION )
|
|
+ {
|
|
+ *module = new VulnSAV(nepenthes);
|
|
+ return (1);
|
|
+ } else
|
|
+ {
|
|
+ return (0);
|
|
+ }
|
|
+}
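Review bot: `SAVDialogue::incomingData` appends every received message to `m_Buffer` and only clears it when `handleShellcode` returns `SCH_DONE`, so a peer that sends more than 0xcd0 bytes of anything unrecognised keeps this dialogue buffering without bound for the life of the connection, whereas the other dialogues in this patch drop oversized input (vuln-bagle returns `CL_DROP` above 128 bytes). Add an upper bound before the `add`, e.g. `if ( m_Buffer->getSize() + msg->getSize() > SAV_MAX_BUFFER ) { m_Buffer->clear(); return CL_DROP; }`, where `SAV_MAX_BUFFER` is a placeholder name for a module constant sized for the overflow being emulated. The doc comment on `outgoingData` says it returns `CL_DROP` while the body returns `CL_ASSIGN`; one of the two should change. The `bindTCPSocket(0,2967,0,30,this)` call in `Init` deserves a comment naming its positional arguments (`2967` and `30` are presumably the port and a timeout, but the SocketManager signature is not in the patch), and the commented-out `m_Config` check plus the commented-out `WinNTShell` line in `createDialogue` should either be restored or removed.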
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-sav/vuln-sav.hpp nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.hpp
|
|
--- nepenthes-0.2.0/modules/vuln-sav/vuln-sav.hpp 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,72 @@
|
|
+/********************************************************************************
|
|
+ * Nepenthes
|
|
+ * - finest collection -
|
|
+ *
|
|
+ *
|
|
+ *
|
|
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License
|
|
+ * as published by the Free Software Foundation; either version 2
|
|
+ * of the License, or (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program; if not, write to the Free Software
|
|
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
+ *
|
|
+ *
|
|
+ * contact nepenthesdev@users.sourceforge.net
|
|
+ *
|
|
+ *******************************************************************************/
|
|
+
|
|
+ /* $Id$ */
|
|
+
|
|
+#include "DialogueFactory.hpp"
|
|
+#include "Module.hpp"
|
|
+#include "ModuleManager.hpp"
|
|
+#include "SocketManager.hpp"
|
|
+#include "Nepenthes.hpp"
|
|
+#include "Dialogue.hpp"
|
|
+#include "Socket.hpp"
|
|
+
|
|
+using namespace std;
|
|
+
|
|
+namespace nepenthes
|
|
+{
|
|
+
|
|
+ class Buffer;
|
|
+
|
|
+ class VulnSAV : public Module , public DialogueFactory
|
|
+ {
|
|
+ public:
|
|
+ VulnSAV(Nepenthes *);
|
|
+ ~VulnSAV();
|
|
+ Dialogue *createDialogue(Socket *socket);
|
|
+ bool Init();
|
|
+ bool Exit();
|
|
+ };
|
|
+
|
|
+ class SAVDialogue : public Dialogue
|
|
+ {
|
|
+ public:
|
|
+ SAVDialogue(Socket *socket);
|
|
+ ~SAVDialogue();
|
|
+ ConsumeLevel incomingData(Message *msg);
|
|
+ ConsumeLevel outgoingData(Message *msg);
|
|
+ ConsumeLevel handleTimeout(Message *msg);
|
|
+ ConsumeLevel connectionLost(Message *msg);
|
|
+ ConsumeLevel connectionShutdown(Message *msg);
|
|
+
|
|
+ protected:
|
|
+ Buffer *m_Buffer;
|
|
+
|
|
+ };
|
|
+
|
|
+}
|
|
+extern nepenthes::Nepenthes *g_Nepenthes;
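Review bot: The new header has no include guard — it goes straight from the licence block into `#include` lines — so a translation unit that pulls it in twice gets duplicate class definitions; add an `#ifndef`/`#define`/`#endif` pair named for the file. `using namespace std;` at header scope is imported into every includer; prefer `std::` qualification or move the directive into `vuln-sav.cpp`. `SAVDialogue` owns `m_Buffer` (allocated in its constructor, deleted in its destructor) but declares no copy constructor or assignment operator, so a copy would double-free; declaring `SAVDialogue(const SAVDialogue &); SAVDialogue &operator=(const SAVDialogue &);` private, in the C++03 style of the rest of the file, closes that. Whether `~SAVDialogue()` and `~VulnSAV()` run through a base pointer depends on `Dialogue` and `Module` declaring virtual destructors, which is outside the patch.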
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-sav/x-2.conf.dist nepenthes-0.2.0-r1345/modules/vuln-sav/x-2.conf.dist
|
|
--- nepenthes-0.2.0/modules/vuln-sav/x-2.conf.dist 1970-01-01 01:00:00.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-sav/x-2.conf.dist 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -0,0 +1,5 @@
|
|
+x-2
|
|
+{
|
|
+ ports ("10002");
|
|
+ accepttimeout "45";
|
|
+};
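Review bot: This file is named `x-2`, configures port 10002, and is neither listed in `vulnsav_la_SOURCES` in the new Makefile.am nor read by `VulnSAV::Init`, which has its `m_Config` check commented out and binds port 2967 unconditionally — it looks like a copy left over from another module. Either drop it or wire it in as a `vuln-sav.conf.dist` carrying the port the module actually binds, so the operator-facing configuration matches what the code does. The new Makefile.am also omits the `$(AM_LDFLAGS)` suffix on `vulnsav_la_LDFLAGS` that this same patch adds to the vuln-optix and vuln-ssh link lines; presumably an oversight rather than intent.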
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-ssh/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-ssh/Makefile.am
|
|
--- nepenthes-0.2.0/modules/vuln-ssh/Makefile.am 2006-11-13 20:40:03.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-ssh/Makefile.am 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -10,6 +10,6 @@
|
|
|
|
pkglib_LTLIBRARIES = vulnssh.la
|
|
|
|
-vulnssh_la_SOURCES = vuln-ssh.cpp vuln-ssh.hpp SSHSocket.cpp SSHSocket.hpp SSHDialogue.cpp SSHDialogue.hpp vuln-ssh.conf.dist
|
|
+vulnssh_la_SOURCES = vuln-ssh.cpp vuln-ssh.hpp SSHSocket.cpp SSHSocket.hpp SSHDialogue.cpp SSHDialogue.hpp
|
|
|
|
-vulnssh_la_LDFLAGS = -module -no-undefined -avoid-version
|
|
+vulnssh_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
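Review bot: Removing `vuln-ssh.conf.dist` from `vulnssh_la_SOURCES` means automake no longer ships or installs it; if the vuln-ssh module still loads a `vuln-ssh.conf` (not visible in this hunk), an installed tree will be missing the template. If the file was deleted on purpose, the commit should say so; if it still exists, keep it in `SOURCES` or list it under `EXTRA_DIST`.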
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-upnp/UPNPDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-upnp/UPNPDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-upnp/UPNPDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-upnp/UPNPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -49,6 +49,8 @@
|
|
|
|
#include "Utilities.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
@@ -190,5 +192,5 @@
|
|
void UPNPDialogue::dump()
|
|
{
|
|
logWarn("Unknown UPNP exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-veritas/VERITASDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-veritas/VERITASDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-veritas/VERITASDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-veritas/VERITASDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -49,6 +49,8 @@
|
|
|
|
#include "Utilities.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
@@ -98,7 +100,7 @@
|
|
m_Buffer->add(msg->getMsg(),msg->getSize());
|
|
|
|
logInfo("Traffic for VERITAS (%i bytes)\n",msg->getSize());
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS|l_warn,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+// g_Nepenthes->getUtilities()->hexdump(STDTAGS|l_warn,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
|
|
/*
|
|
switch (m_State)
|
|
@@ -189,5 +191,5 @@
|
|
void VERITASDialogue::dump()
|
|
{
|
|
logWarn("Unknown VERITAS exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/vuln-wins/WINSDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-wins/WINSDialogue.cpp
|
|
--- nepenthes-0.2.0/modules/vuln-wins/WINSDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/vuln-wins/WINSDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -41,6 +41,9 @@
|
|
|
|
#include "Socket.hpp"
|
|
|
|
+#include "EventManager.hpp"
|
|
+#include "SocketEvent.hpp"
|
|
+
|
|
#ifdef STDTAGS
|
|
#undef STDTAGS
|
|
#endif
|
|
@@ -123,5 +126,5 @@
|
|
{
|
|
|
|
logWarn("WINS unknown shellcode %i bytes State 0\n",m_Buffer->getSize());
|
|
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
|
|
}
|
|
diff -ruN nepenthes-0.2.0/modules/x-4/x-4.cpp nepenthes-0.2.0-r1345/modules/x-4/x-4.cpp
|
|
--- nepenthes-0.2.0/modules/x-4/x-4.cpp 2006-11-13 20:40:11.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/modules/x-4/x-4.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -118,7 +118,7 @@
|
|
*/
|
|
void X4::Submit(Download *down)
|
|
{
|
|
- m_Nepenthes->getUtilities()->hexdump((byte *)down->getDownloadBuffer()->getData(),down->getDownloadBuffer()->getSize());
|
|
+// m_Nepenthes->getUtilities()->hexdump((byte *)down->getDownloadBuffer()->getData(),down->getDownloadBuffer()->getSize());
|
|
}
|
|
|
|
/**
|
|
diff -ruN nepenthes-0.2.0/nepenthes-core/include/DNSQuery.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/DNSQuery.hpp
|
|
--- nepenthes-0.2.0/nepenthes-core/include/DNSQuery.hpp 2006-11-13 20:40:01.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/nepenthes-core/include/DNSQuery.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -56,6 +56,7 @@
|
|
virtual ~DNSQuery();
|
|
|
|
virtual DNSCallback *getCallback();
|
|
+ virtual void cancelCallback();
|
|
virtual string getDNS();
|
|
virtual uint16_t getQueryType();
|
|
virtual void *getObject();
|
|
diff -ruN nepenthes-0.2.0/nepenthes-core/include/Event.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/Event.hpp
|
|
--- nepenthes-0.2.0/nepenthes-core/include/Event.hpp 2006-11-13 20:40:01.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/nepenthes-core/include/Event.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -71,6 +71,8 @@
|
|
|
|
#define EV_SHELLCODE_DONE 24
|
|
|
|
+#define EV_HEXDUMP 25
|
|
+
|
|
class Event
|
|
{
|
|
public:
|
|
diff -ruN nepenthes-0.2.0/nepenthes-core/include/SocketEvent.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/SocketEvent.hpp
|
|
--- nepenthes-0.2.0/nepenthes-core/include/SocketEvent.hpp 2006-11-13 20:40:01.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/nepenthes-core/include/SocketEvent.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -137,5 +137,50 @@
|
|
Dialogue *m_Dialogue;
|
|
};
|
|
|
|
+#ifdef HAVE_DEBUG_LOGGING
|
|
+#define HEXDUMP(socket,data,size) \
|
|
+{ \
|
|
+ HexdumpEvent *he = new HexdumpEvent(socket,data,size); \
|
|
+ g_Nepenthes->getEventMgr()->handleEvent(he); \
|
|
+ delete he; \
|
|
+}
|
|
+#else // HAVE_DEBUG_LOGGING
|
|
+#define HEXDUMP(socket,data,size)
|
|
+#endif // HAVE_DEBUG_LOGGING
|
|
+
|
|
+
|
|
+
|
|
+ class HexdumpEvent : public Event
|
|
+ {
|
|
+ public:
|
|
+ HexdumpEvent(Socket *s, void *data, uint32_t size)
|
|
+ {
|
|
+ m_EventType = EV_HEXDUMP;
|
|
+ m_Socket = s;
|
|
+ m_Size = size;
|
|
+ m_Data = data;
|
|
+ }
|
|
+
|
|
+ virtual Socket *getSocket()
|
|
+ {
|
|
+ return m_Socket;
|
|
+ }
|
|
+
|
|
+ virtual void *getData()
|
|
+ {
|
|
+ return m_Data;
|
|
+ }
|
|
+
|
|
+ virtual uint32_t getSize()
|
|
+ {
|
|
+ return m_Size;
|
|
+ }
|
|
+
|
|
+ private:
|
|
+ Socket *m_Socket;
|
|
+ void *m_Data;
|
|
+ uint32_t m_Size;
|
|
+ };
|
|
+
|
|
|
|
}
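Review bot: The `HEXDUMP` macro body is a bare brace block, so `if (cond) HEXDUMP(s,d,n); else ...` fails to compile (the `;` after the closing brace terminates the `if`), while in the `#else` branch the same statement expands to `if (cond) ; else` and compiles — the two builds accept different call sites. It also heap-allocates an event only to pass its address and free it two lines later, and if `handleEvent` throws the `delete` is skipped; a `do { ... } while (0)` wrapper around a stack-allocated `HexdumpEvent` fixes both. `HexdumpEvent::m_Data` is a non-owning `void *` into the caller's buffer that is valid only while `handleEvent` runs, which deserves a comment on the member, `// non-owning; valid only during handleEvent(), handlers must not retain it`, so `EV_HEXDUMP` handlers do not have to guess. The macro also relies on a `g_Nepenthes` symbol this header never declares (each module defines its own), which is worth a note next to the definition.
```cpp
#ifdef HAVE_DEBUG_LOGGING
#define HEXDUMP(socket,data,size) \
	do { \
		HexdumpEvent he((socket),(data),(size)); \
		g_Nepenthes->getEventMgr()->handleEvent(&he); \
	} while (0)
#else // HAVE_DEBUG_LOGGING
#define HEXDUMP(socket,data,size) do { } while (0)
#endif // HAVE_DEBUG_LOGGING
// … unchanged: class HexdumpEvent …
```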
|
|
diff -ruN nepenthes-0.2.0/nepenthes-core/include/Utilities.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/Utilities.hpp
|
|
--- nepenthes-0.2.0/nepenthes-core/include/Utilities.hpp 2006-11-13 20:40:01.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/nepenthes-core/include/Utilities.hpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -130,10 +130,10 @@
|
|
void MD5Init(struct MD5Context *context);
|
|
void MD5Update(struct MD5Context *context, unsigned char const *buf,unsigned len);
|
|
void MD5Final(unsigned char digest[16], struct MD5Context *context);
|
|
-
|
|
+/*
|
|
virtual void hexdump(byte *data, uint32_t len);
|
|
virtual void hexdump(uint32_t mask, byte *data, uint32_t len);
|
|
-
|
|
+*/
|
|
virtual unsigned char *b64encode_alloc(unsigned char *in);
|
|
virtual unsigned char *b64encode_alloc(unsigned char *in, int32_t inlen);
|
|
virtual unsigned char *b64decode_alloc(unsigned char *in);
|
|
diff -ruN nepenthes-0.2.0/nepenthes-core/src/DNSQuery.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/DNSQuery.cpp
|
|
--- nepenthes-0.2.0/nepenthes-core/src/DNSQuery.cpp 2006-11-13 20:40:03.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/DNSQuery.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -54,6 +54,15 @@
|
|
return m_Callback;
|
|
}
|
|
|
|
+
|
|
+/**
|
|
+ * chancel the callback
|
|
+ */
|
|
+void DNSQuery::cancelCallback()
|
|
+{
|
|
+ m_Callback = NULL;
|
|
+}
|
|
+
|
|
/**
|
|
* get the dns to resolve
|
|
*
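Review bot: The doc comment on the new `cancelCallback` is misspelled ("chancel") and omits the one thing a caller needs to know: after cancellation `getCallback()`, visible just above returning `m_Callback`, yields NULL, so whoever delivers the DNS result must null-check before calling through it. Suggest `/** cancel the callback: clears m_Callback so the result is delivered to nobody; the dispatcher must check getCallback() for NULL before invoking it */`. Whether the dispatcher already performs that check is outside this hunk.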
|
|
diff -ruN nepenthes-0.2.0/nepenthes-core/src/DNSResult.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/DNSResult.cpp
|
|
--- nepenthes-0.2.0/nepenthes-core/src/DNSResult.cpp 2006-11-13 20:40:03.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/DNSResult.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -89,7 +89,7 @@
|
|
while ( test->i != -1 )
|
|
{
|
|
m_TXT.append(test->str,test->i);
|
|
- g_Nepenthes->getUtilities()->hexdump((byte *)test->str,test->i);
|
|
+// g_Nepenthes->getUtilities()->hexdump((byte *)test->str,test->i);
|
|
test++;
|
|
}
|
|
}
|
|
diff -ruN nepenthes-0.2.0/nepenthes-core/src/LogManager.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/LogManager.cpp
|
|
--- nepenthes-0.2.0/nepenthes-core/src/LogManager.cpp 2006-11-13 20:40:02.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/LogManager.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -146,7 +146,7 @@
|
|
{
|
|
if ( m_Loggers.size() == 0)
|
|
{
|
|
- printf("%s",message);
|
|
+// printf("%s",message);
|
|
return;
|
|
}
|
|
|
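Review bot: Commenting out the `printf` fallback means any message logged while `m_Loggers` is empty is dropped without a trace, and the messages that arrive before loggers are registered are typically the startup `logCrit` ones a honeypot operator most needs to see; elsewhere in this patch the file-check run mode adds no logger at all unless verbose is set, so those runs now log nothing. If the goal is only to keep stdout clean, write the fallback to stderr instead, `fprintf(stderr, "%s", message);`, or at least leave a comment stating that messages with no logger attached are intentionally discarded. The enclosing function starts and ends outside the hunk.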
|
diff -ruN nepenthes-0.2.0/nepenthes-core/src/Nepenthes.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/Nepenthes.cpp
|
|
--- nepenthes-0.2.0/nepenthes-core/src/Nepenthes.cpp 2006-11-13 20:40:03.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/Nepenthes.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -43,6 +43,8 @@
|
|
#include <dirent.h>
|
|
#include <sys/utsname.h>
|
|
#include <ctype.h>
|
|
+#include <errno.h>
|
|
+#include <string.h>
|
|
|
|
#ifdef HAVE_LIBCAP
|
|
#undef _POSIX_SOURCE
|
|
@@ -211,7 +213,7 @@
|
|
{ "user", 1, 0, 'u' },
|
|
{ "version", 0, 0, 'V' },
|
|
{ "verbose", 0, 0, 'v' },
|
|
- { "workingdir", 0, 0, 'w' },
|
|
+ { "workingdir", 1, 0, 'w' },
|
|
{ 0, 0, 0, 0 }
|
|
};
|
|
|
|
@@ -370,26 +372,27 @@
|
|
|
|
|
|
|
|
+ m_LogManager->registerTag(l_crit, "crit");
|
|
+ m_LogManager->registerTag(l_warn, "warn");
|
|
+ m_LogManager->registerTag(l_debug, "debug");
|
|
+ m_LogManager->registerTag(l_info, "info");
|
|
+ m_LogManager->registerTag(l_spam, "spam");
|
|
+ m_LogManager->registerTag(l_net, "net");
|
|
+ m_LogManager->registerTag(l_script, "script");
|
|
+ m_LogManager->registerTag(l_shell, "shell");
|
|
+ m_LogManager->registerTag(l_mem, "mem");
|
|
+ m_LogManager->registerTag(l_sc, "sc");
|
|
+ m_LogManager->registerTag(l_dl, "down");
|
|
+ m_LogManager->registerTag(l_mgr, "mgr");
|
|
+ m_LogManager->registerTag(l_hlr, "handler");
|
|
+ m_LogManager->registerTag(l_dia, "dia");
|
|
+ m_LogManager->registerTag(l_sub, "submit");
|
|
+ m_LogManager->registerTag(l_ev, "event");
|
|
+ m_LogManager->registerTag(l_mod, "module");
|
|
+ m_LogManager->registerTag(l_stdtag, "fixme");
|
|
+
|
|
if ( opt.m_runMode != runFileCheck || opt.m_verbose )
|
|
{
|
|
- m_LogManager->registerTag(l_crit, "crit");
|
|
- m_LogManager->registerTag(l_warn, "warn");
|
|
- m_LogManager->registerTag(l_debug, "debug");
|
|
- m_LogManager->registerTag(l_info, "info");
|
|
- m_LogManager->registerTag(l_spam, "spam");
|
|
- m_LogManager->registerTag(l_net, "net");
|
|
- m_LogManager->registerTag(l_script, "script");
|
|
- m_LogManager->registerTag(l_shell, "shell");
|
|
- m_LogManager->registerTag(l_mem, "mem");
|
|
- m_LogManager->registerTag(l_sc, "sc");
|
|
- m_LogManager->registerTag(l_dl, "down");
|
|
- m_LogManager->registerTag(l_mgr, "mgr");
|
|
- m_LogManager->registerTag(l_hlr, "handler");
|
|
- m_LogManager->registerTag(l_dia, "dia");
|
|
- m_LogManager->registerTag(l_sub, "submit");
|
|
- m_LogManager->registerTag(l_ev, "event");
|
|
- m_LogManager->registerTag(l_mod, "module");
|
|
- m_LogManager->registerTag(l_stdtag, "fixme");
|
|
|
|
if ( opt.m_consoleTags )
|
|
m_LogManager->addLogger(new ConsoleLogger(m_LogManager), m_LogManager->parseTagString(opt.m_consoleTags));
|
|
@@ -460,52 +463,53 @@
|
|
return 0;
|
|
|
|
|
|
- if ( opt.m_ringLogger == true )
|
|
+ if ( opt.m_runMode != runFileCheck || opt.m_verbose )
|
|
{
|
|
- string rlpath;
|
|
- try
|
|
- {
|
|
- rlpath = m_Config->getValString("nepenthes.logmanager.ring_logging_file");
|
|
- }
|
|
- catch ( ... )
|
|
+
|
|
+ if ( opt.m_ringLogger == true )
|
|
{
|
|
- logCrit("Could not find nepenthes.logmanager.ring_logging_file in Config\n");
|
|
- return false;
|
|
- }
|
|
+ string rlpath;
|
|
+ try
|
|
+ {
|
|
+ rlpath = m_Config->getValString("nepenthes.logmanager.ring_logging_file");
|
|
+ } catch ( ... )
|
|
+ {
|
|
+ logCrit("Could not find nepenthes.logmanager.ring_logging_file in Config\n");
|
|
+ return (false);
|
|
+ }
|
|
|
|
|
|
- RingFileLogger *fl = new RingFileLogger(m_LogManager);
|
|
+ RingFileLogger *fl = new RingFileLogger(m_LogManager);
|
|
|
|
- fl->setLogFileFormat((char *)rlpath.c_str());
|
|
- fl->setMaxFiles(5);
|
|
- fl->setMaxSize(1024 * 1024);
|
|
+ fl->setLogFileFormat((char *)rlpath.c_str());
|
|
+ fl->setMaxFiles(5);
|
|
+ fl->setMaxSize(1024 * 1024);
|
|
|
|
- if ( opt.m_diskTags )
|
|
- m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
|
|
- else
|
|
- m_LogManager->addLogger(fl, l_all);
|
|
+ if ( opt.m_diskTags )
|
|
+ m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
|
|
+ else
|
|
+ m_LogManager->addLogger(fl, l_all);
|
|
|
|
- }
|
|
- else
|
|
- {
|
|
- string flpath;
|
|
- try
|
|
- {
|
|
- flpath = m_Config->getValString("nepenthes.logmanager.file_logging_file");
|
|
- }
|
|
- catch ( ... )
|
|
+ } else
|
|
{
|
|
- logCrit("Could not find nepenthes.logmanager.file_logging_file in Config\n");
|
|
- return false;
|
|
- }
|
|
+ string flpath;
|
|
+ try
|
|
+ {
|
|
+ flpath = m_Config->getValString("nepenthes.logmanager.file_logging_file");
|
|
+ } catch ( ... )
|
|
+ {
|
|
+ logCrit("Could not find nepenthes.logmanager.file_logging_file in Config\n");
|
|
+ return (false);
|
|
+ }
|
|
|
|
- FileLogger *fl = new FileLogger(m_LogManager);
|
|
- fl->setLogFile(flpath.c_str());
|
|
- if ( opt.m_diskTags )
|
|
- m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
|
|
- else
|
|
- m_LogManager->addLogger(fl, l_all);
|
|
+ FileLogger *fl = new FileLogger(m_LogManager);
|
|
+ fl->setLogFile(flpath.c_str());
|
|
+ if ( opt.m_diskTags )
|
|
+ m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
|
|
+ else
|
|
+ m_LogManager->addLogger(fl, l_all);
|
|
|
|
+ }
|
|
}
|
|
|
|
if (opt.m_daemonize == true)
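Review bot: Both `return (false)` statements on the config-lookup failure paths yield the same value as the `return 0` success path visible at the top of the hunk (false converts to 0), so a missing `ring_logging_file` or `file_logging_file` entry is reported to the caller exactly like a normal exit; if this function returns an integer status, as the `return 0` suggests, `return -1;` would distinguish the failure (the signature is not visible from here). Separately, the ring logger is pinned to `setMaxFiles(5)` and `setMaxSize(1024 * 1024)`, i.e. 5 MiB of rotating log in total, which a single flood of attacker connections can cycle through and overwrite; reading these two limits from the config next to `ring_logging_file` would let operators size the evidence window. The enclosing function starts and ends outside the hunk.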
|
|
@@ -665,7 +669,7 @@
|
|
struct stat fileinfo;
|
|
if ( stat((const char*)argv[opti],&fileinfo) != 0 )
|
|
{
|
|
- printf("failed\n");
|
|
+ printf("Could not stat %s: %s", (const char*)argv[opti], strerror(errno));
|
|
return -1;
|
|
}
|
|
|
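Review bot: The new `printf` message lacks the trailing newline that the other diagnostics added in this patch carry (`could not remove file %s (%s)\n`), so whatever is printed next is glued onto the end of the stat error; use `printf("Could not stat %s: %s\n", (const char*)argv[opti], strerror(errno));`. Since this path returns -1, it may also be worth sending the message to stderr rather than stdout. The enclosing function starts and ends outside the hunk.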
|
@@ -680,7 +684,10 @@
|
|
)
|
|
|
|
{
|
|
- unlink(argv[opti]);
|
|
+ if (unlink(argv[opti]) != 0)
|
|
+ {
|
|
+ printf("could not remove file %s (%s)\n",argv[opti],strerror(errno));
|
|
+ }
|
|
}
|
|
|
|
}else
|
|
@@ -693,7 +700,7 @@
|
|
while ( (dirnode = readdir(bindir)) != NULL && m_running == true )
|
|
{
|
|
|
|
-#if !defined(CYGWIN) && !defined(CYGWIN32) &&!defined(__CYGWIN__) || !defined(__CYGWIN32__)
|
|
+#if defined(d_type_IS_NOT_A_POSIX_SPEC)
|
|
if ( dirnode->d_type == 8 )
|
|
#else
|
|
if (1)
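Review bot: `d_type_IS_NOT_A_POSIX_SPEC` is not defined anywhere visible, so the `dirnode->d_type == 8` branch becomes dead code and the `if (1)` path is taken for every directory entry on every platform, including `.`, `..`, subdirectories and symlinks. If the intent is to drop the non-portable `d_type` test (8 is `DT_REG`), the portable replacement is a `stat()` on the entry followed by `S_ISREG(fileinfo.st_mode)` before the file is processed; the file-argument path earlier in this patch already calls `stat()`, so presumably a similar call exists below this hunk and should gate on `S_ISREG` (not visible here). At minimum the `#if` deserves a comment, `// d_type is not POSIX; entry type is checked via stat() below`, so the next reader does not take it for a typo. The loop body continues outside the hunk.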
|
|
@@ -708,7 +715,10 @@
|
|
)
|
|
|
|
{
|
|
- unlink(filepath.c_str());
|
|
+ if (unlink(filepath.c_str()) != 0)
|
|
+ {
|
|
+ printf("could not remove file %s (%s)\n",filepath.c_str(),strerror(errno));
|
|
+ }
|
|
}
|
|
}
|
|
}
|
|
diff -ruN nepenthes-0.2.0/nepenthes-core/src/SocketManager.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/SocketManager.cpp
|
|
--- nepenthes-0.2.0/nepenthes-core/src/SocketManager.cpp 2006-11-13 20:40:03.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/SocketManager.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -273,13 +273,17 @@
|
|
}
|
|
}
|
|
|
|
+ int32_t socketcounter, socketmax;
|
|
+ socketcounter=0;
|
|
+ socketmax = m_Sockets.size();
|
|
+
|
|
int32_t iPollRet = poll(polls,i,50);
|
|
|
|
if (iPollRet != 0)
|
|
{
|
|
// read sockets
|
|
i=0;
|
|
- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++)
|
|
+ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax ; itSocket++, socketcounter++)
|
|
{
|
|
if ( (*itSocket)->isPolled() == true )
|
|
{
|
|
@@ -303,7 +307,8 @@
|
|
|
|
// write sockets
|
|
i=0;
|
|
- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++)
|
|
+ socketcounter=0;
|
|
+ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax; itSocket++, socketcounter++)
|
|
{
|
|
if ( (*itSocket)->isPolled() == true )
|
|
{
|
|
@@ -331,7 +336,8 @@
|
|
|
|
// accept new, non udp clients as udp does not accept()
|
|
i=0;
|
|
- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++)
|
|
+ socketcounter=0;
|
|
+ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax; itSocket++, socketcounter++)
|
|
{
|
|
|
|
|
|
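Review bot: The accept loop has the same comma-operator condition as the two loops above, `itSocket != m_Sockets.end(), socketcounter < socketmax`, so the `end()` comparison is a no-op and the loop is bounded only by the counter captured before `poll()`; if the list has shrunk in the meantime the iterator runs off the end. Use `itSocket != m_Sockets.end() && socketcounter < socketmax`. The enclosing method starts and ends outside the hunk.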
diff -ruN nepenthes-0.2.0/nepenthes-core/src/Utilities.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/Utilities.cpp
|
|
--- nepenthes-0.2.0/nepenthes-core/src/Utilities.cpp 2006-11-13 20:40:02.000000000 +0100
|
|
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/Utilities.cpp 2007-08-06 00:46:15.000000000 +0200
|
|
@@ -339,7 +339,7 @@
|
|
|
|
// ENDOF MD5Sum
|
|
|
|
-
|
|
+/*
|
|
|
|
void Utilities::hexdump(byte *data, uint32_t len)
|
|
{
|
|
@@ -430,7 +430,7 @@
|
|
|
|
}
|
|
|
|
-
|
|
+*/
|
|
|
|
|
|
|