ipqmon.c

Revision 1690, 6.4 kB (checked in by till, 4 months ago)
honeytrap - submitMWserv plugin fixed, curl handle gets only initialized in child process and first heartbeat is sent after honeytrap finished its self-setup

Line
1	/ ipqmon.c*
2	* Copyright (C) 2006-2007 Tillmann Werner <tillmann.werner@gmx.de>
3	*
4	* This file is free software; as a special exception the author gives
5	* unlimited permission to copy and/or distribute it, with or without
6	* modifications, as long as this notice is preserved.
7	*
8	* This program is distributed in the hope that it will be useful, but
9	* WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
10	* implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
11	*/
12
13	#include "honeytrap.h"
14	#ifdef USE_IPQ_MON
15
16	#include <arpa/inet.h>
17	#include <errno.h>
18	#include <libipq.h>
19	#include <linux/netfilter.h>
20	#include <string.h>
21	#include <stdlib.h>
22
23	#include "ctrl.h"
24	#include "dynsrv.h"
25	#include "event.h"
26	#include "ipqmon.h"
27	#include "logging.h"
28	#include "readconf.h"
29	#include "signals.h"
30
31	/ Set BUFSIZE to 1500 (ethernet frame size) to prevent*
32	* errors with ipq_read due to truncated messages.
33	* This is only necessary for UDP. A buffer size of
34	* 256 seems to be enough to hanlde TCP when there is
35	* no data on the SYNs */
36	#define BUFSIZE 1500
37
38
39	int start_ipq_mon(void) {
40	int status, process;
41	u_int8_t port_mode;
42	uint16_t sport, dport;
43	fd_set rfds;
44	struct timeval mainloop_timeout;
45	char srcip, dstip;
46	unsigned char buf[BUFSIZE];
47	struct ip_header *ip;
48	struct tcp_header *tcp;
49	struct udp_header *udp;
50
51	sport = 0;
52	dport = 0;
53	packet = NULL;
54	ip = NULL;
55	tcp = NULL;
56	udp = NULL;
57	port_mode = PORTCONF_IGNORE;
58
59	logmsg(LOG_DEBUG, 1, "Creating ipq connection monitor.\n");
60	if ((h = ipq_create_handle(0, PF_INET)) == NULL) {
61	logmsg(LOG_ERR, 1, "Error - Could not create IPQ handle: %s.\n", ipq_errstr());
62	clean_exit(EXIT_FAILURE);
63	}
64
65	if ((status = ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE)) < 0) {
66	logmsg(LOG_ERR, 1, "Error - Could not set IPQ mode: %s.\n", ipq_errstr());
67	ipq_destroy_handle(h);
68	clean_exit(EXIT_FAILURE);
69	}
70
71	logmsg(LOG_NOTICE, 1, "---- Trapping attacks via IPQ. ----\n");
72
73	running = 1;
74
75	// receive packets
76	mainloop_timeout.tv_sec = 0;
77	mainloop_timeout.tv_usec = 0;
78
79	for (;;) {
80	FD_ZERO(&rfds);
81	FD_SET(sigpipe[0], &rfds);
82	FD_SET(h->fd, &rfds);
83
84	switch (select(MAX(h->fd, sigpipe[0]) + 1, &rfds, NULL, NULL, &mainloop_timeout)) {
85	case -1:
86	if (errno == EINTR) {
87	if (check_sigpipe() == -1) exit(EXIT_FAILURE);
88	break;
89	}
90	/ error /
91	logmsg(LOG_ERR, 1, "Error - select() call failed in main loop: %m.\n");
92	exit(EXIT_FAILURE);
93	case 0:
94	// select timed out, handle events
95	mainloop_timeout.tv_sec = event_execute();
96	mainloop_timeout.tv_usec = 0;
97
98	break;
99	default:
100	if (FD_ISSET(sigpipe[0], &rfds) && (check_sigpipe() == -1))
101	exit(EXIT_FAILURE);
102	if (FD_ISSET(h->fd, &rfds)) {
103	/ incoming connection request /
104	process = 1;
105	if ((status = ipq_read(h, buf, BUFSIZE, 0)) < 0) {
106	logmsg(LOG_ERR, 1, "Error - Could not read queued packet: %s.\n", ipq_errstr());
107	ipq_destroy_handle(h);
108	clean_exit(EXIT_FAILURE);
109	}
110	switch (ipq_message_type(buf)) {
111	case NLMSG_ERROR:
112	logmsg(LOG_WARN, 1, "IPQ Warning - ipq_read() returned status NLMSG_ERROR: %s\n",
113	strerror(ipq_get_msgerr(buf)));
114	break;
115	case IPQM_PACKET:
116	packet = ipq_get_packet(buf);
117	ip = (struct ip_header*) packet->payload;
118	if (ip->ip_p == TCP) {
119	tcp = (struct tcp_header) (packet->payload + (4 ip->ip_hlen));
120	sport = ntohs(tcp->th_sport);
121	dport = ntohs(tcp->th_dport);
122	port_mode = port_flags_tcp[dport] ? port_flags_tcp[dport]->mode : 0;
123	} else if (ip->ip_p == UDP) {
124	udp = (struct udp_header) (packet->payload + (4 ip->ip_hlen));
125	sport = ntohs(udp->uh_sport);
126	dport = ntohs(udp->uh_dport);
127	port_mode = port_flags_udp[dport] ? port_flags_udp[dport]->mode : 0;
128	} else {
129	logmsg(LOG_ERR, 1, "Error - Protocol %u is not supported.\n", ip->ip_p);
130	if ((status = ipq_set_verdict(h, packet->packet_id, NF_ACCEPT, 0, NULL)) < 0) {
131	logmsg(LOG_ERR, 1, "Error - Could not set verdict on packet: %s.\n", ipq_errstr());
132	ipq_destroy_handle(h);
133	clean_exit(EXIT_FAILURE);
134	}
135	break;
136	}
137
138	/ Got a connection request, start dynamic server and pass packet processing back to the kernel /
139	if ((srcip = strdup(inet_ntoa(ip->ip_src))) == NULL) {
140	logmsg(LOG_ERR, 1, "Error - Unable to allocate memory: %m.\n");
141	exit(EXIT_FAILURE);
142	}
143	if ((dstip = strdup(inet_ntoa(ip->ip_dst))) == NULL) {
144	logmsg(LOG_ERR, 1, "Error - Unable to allocate memory: %m.\n");
145	exit(EXIT_FAILURE);
146	}
147	logmsg(LOG_NOISY, 1, "%s:%d requesting %s connection on %s:%d.\n",
148	srcip, sport, PROTO(ip->ip_p), dstip, dport);
149	free(srcip);
150	free(dstip);
151
152	switch (port_mode) {
153	case PORTCONF_NONE:
154	logmsg(LOG_DEBUG, 1, "Port %u/%s has no explicit configuration.\n",
155	dport, PROTO(ip->ip_p));
156	break;
157	case PORTCONF_IGNORE:
158	logmsg(LOG_DEBUG, 1, "Port %u/%s is configured to be ignored.\n",
159	dport, PROTO(ip->ip_p));
160	if ((status = ipq_set_verdict(h, packet->packet_id, NF_ACCEPT, 0, NULL)) < 0) {
161	logmsg(LOG_ERR, 1, "Error - Could not set verdict on packet: %s.\n", ipq_errstr());
162	ipq_destroy_handle(h);
163	clean_exit(EXIT_FAILURE);
164	}
165	process = 0;
166	break;
167	case PORTCONF_NORMAL:
168	logmsg(LOG_DEBUG, 1, "Port %u/%s is configured to be handled in normal mode.\n",
169	dport, PROTO(ip->ip_p));
170	break;
171	case PORTCONF_MIRROR:
172	logmsg(LOG_DEBUG, 1, "Port %u/%s is configured to be handled in mirror mode.\n",
173	dport, PROTO(ip->ip_p));
174	break;
175	case PORTCONF_PROXY:
176	logmsg(LOG_DEBUG, 1, "Port %u/%s is configured to be handled in proxy mode\n",
177	dport, PROTO(ip->ip_p));
178	break;
179	default:
180	logmsg(LOG_ERR, 1, "Error - Invalid explicit configuration for port %u/%s.\n",
181	dport, PROTO(ip->ip_p));
182	if ((status = ipq_set_verdict(h, packet->packet_id, NF_ACCEPT, 0, NULL)) < 0) {
183	logmsg(LOG_ERR, 1, "Error - Could not set verdict on packet: %s.\n", ipq_errstr());
184	ipq_destroy_handle(h);
185	clean_exit(EXIT_FAILURE);
186	}
187	process = 0;
188	break;
189	}
190
191	if (process == 0) break;
192
193	start_dynamic_server(ip->ip_src, htons(sport), ip->ip_dst, htons(dport), ip->ip_p);
194	break;
195	default:
196	logmsg(LOG_DEBUG, 1, "IPQ Warning - Unknown message type.\n");
197	break;
198	}
199	}
200	}
201	}
202
203	ipq_destroy_handle(h);
204	return(1);
205	}
206
207	#endif

Note: See TracBrowser for help on using the browser.

root/honeytrap/trunk/src/ipqmon.c

Download in other formats: