Changeset 1226
- Timestamp:
- 04/21/07 00:46:03 (1 year ago)
- Files:
-
- honeytrap/trunk/src/attack.c (modified) (6 diffs)
- honeytrap/trunk/src/attack.h (modified) (1 diff)
- honeytrap/trunk/src/modules/Makefile.am (modified) (3 diffs)
- honeytrap/trunk/src/modules/htm_aSavePostgres.c (modified) (8 diffs)
- honeytrap/trunk/src/modules/htm_ftpDownload.c (modified) (2 diffs)
- honeytrap/trunk/src/plughook.c (modified) (3 diffs)
- honeytrap/trunk/src/plughook.h (modified) (1 diff)
honeytrap/trunk/src/attack.c
r1221 r1226 48 48 a->a_conn.protocol = proto; 49 49 a->dl_count = 0; 50 // memset(a->download, 0, sizeof(struct s_download));51 50 a->download = NULL; 52 51 if (time(&(a->start_time)) == ((time_t)-1)) … … 79 78 memcpy(a->a_conn.payload.sha512sum, mem_sha512sum(a->a_conn.payload.data, a->a_conn.payload.size), 129); 80 79 memcpy(a->a_conn.payload.md5sum, mem_md5sum(a->a_conn.payload.data, a->a_conn.payload.size), 33); 80 81 81 /* mirror string */ 82 82 a->p_conn.payload.size = p_size; … … 101 101 /* call plugins */ 102 102 /* do calls even if no data received, i.e. to update connection statistics */ 103 plughook_process_attack(funclist_attack_preproc, *a);104 plughook_process_attack(funclist_attack_analyze, *a);105 plughook_process_attack(funclist_attack_savedata, *a);106 plughook_process_attack(funclist_attack_postproc, *a);103 plughook_process_attack(funclist_attack_preproc, a); 104 plughook_process_attack(funclist_attack_analyze, a); 105 plughook_process_attack(funclist_attack_savedata, a); 106 plughook_process_attack(funclist_attack_postproc, a); 107 107 108 108 return(1); … … 110 110 111 111 /* add a downloaded file to the attack instance */ 112 int add_download(const char *dl_type, const uint32_t r_addr, const uint16_t r_port, const char *user, const char *pass, const char *filename, const u_char *data, const u_int32_t size, Attack *a) {112 int add_download(const char *dl_type, u_int16_t proto, const uint32_t r_addr, const uint16_t r_port, const char *user, const char *pass, const char *filename, const u_char *data, const u_int32_t size, Attack *a) { 113 113 if ((data == NULL) || (!size)) return(0); 114 114 … … 118 118 } 119 119 120 if ((a->download = realloc(a->download, a->dl_count + 1)) == NULL) {120 if ((a->download = realloc(a->download, sizeof(struct s_download) * (a->dl_count + 1))) == NULL) { 121 121 logmsg(LOG_ERR, 1, "Error - Unable to allocate memory: %s.\n", strerror(errno)); 122 122 return(-1); … … 140 140 
memcpy(a->download[a->dl_count].dl_payload.sha512sum, mem_sha512sum(a->download->dl_payload.data, size), 129); 141 141 142 a->download[a->dl_count].protocol = proto; 142 143 a->download[a->dl_count].dl_payload.size = size; 143 144 a->download[a->dl_count].r_addr = r_addr; honeytrap/trunk/src/attack.h
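Review bot: The realloc() on attack.c line 120 still assigns its result straight into a->download, so on allocation failure the old array is leaked and the downloads it held become unreachable while dl_count still counts them; use a temporary: `struct s_download *tmp = realloc(a->download, sizeof *tmp * (a->dl_count + 1));` / `if (tmp == NULL) { logmsg(LOG_ERR, 1, "Error - Unable to allocate memory: %s.\n", strerror(errno)); return(-1); }` / `a->download = tmp;`. The context line at 140 hashes `a->download->dl_payload.data`, which is element 0, while the neighbouring lines fill `a->download[a->dl_count]`, so for any download after the first the stored sha512sum belongs to another file; it should read `mem_sha512sum(a->download[a->dl_count].dl_payload.data, size)`. The new `proto` parameter is declared `u_int16_t` here and in the attack.h prototype while the adjacent parameters use `uint16_t`; `uint16_t` keeps the signature consistent. add_download() continues past the end of the section.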
r1201 r1226 57 57 Attack *new_attack(struct in_addr l_addr, struct in_addr r_addr, uint16_t l_port, uint16_t r_port, uint16_t proto); 58 58 int process_data(u_char *a_data, uint32_t a_size, u_char *p_data, uint32_t p_size, uint16_t port, Attack *a); 59 int add_download(const char *dl_type, const uint32_t r_addr, const uint16_t r_port, const char *user, const char *pass, const char *filename, const u_char *data, const u_int32_t size, Attack *a);59 int add_download(const char *dl_type, u_int16_t proto, const uint32_t r_addr, const uint16_t r_port, const char *user, const char *pass, const char *filename, const u_char *data, const u_int32_t size, Attack *a); 60 60 61 61 #endif honeytrap/trunk/src/modules/Makefile.am
r1142 r1226 2 2 3 3 AM_YFLAGS = -d 4 5 AM_CFLAGS=-Wall -Werror 4 6 5 7 INCLUDES = -I../ … … 7 9 libdir=$(DESTDIR)/$(sysconfdir)/honeytrap/plugins 8 10 9 lib_LTLIBRARIES = htm_aSaveFile.la htm_ftpDownload.la htm_tftpDownload.la htm_vncDownload.la htm_b64Decode.la htm_SpamSum.la 11 lib_LTLIBRARIES = htm_aSaveFile.la htm_ftpDownload.la htm_tftpDownload.la htm_vncDownload.la htm_b64Decode.la htm_SpamSum.la htm_aSavePostgres.la 10 12 11 13 htm_aSaveFile_la_SOURCES = htm_aSaveFile.c htm_aSaveFile.h … … 27 29 htm_SpamSum_la_LDFLAGS = -module -no-undefined -avoid-version 28 30 31 htm_aSavePostgres_la_SOURCES = htm_aSavePostgres.c htm_aSavePostgres.h 32 htm_aSavePostgres_la_LDFLAGS = -module -no-undefined -avoid-version -lpq 33 29 34 install-exec-am: 30 35 $(mkinstalldirs) $(DESTDIR)/$(sysconfdir)/honeytrap/plugins honeytrap/trunk/src/modules/htm_aSavePostgres.c
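Review bot: `-lpq` on Makefile.am line 32 is passed through `htm_aSavePostgres_la_LDFLAGS`; the automake convention for a libtool module's library dependency is `htm_aSavePostgres_la_LIBADD = -lpq`, which lets libtool record the dependency so `-no-undefined` is satisfied consistently. Line 5 adds `-Werror` to every module in this directory; combined with `-Wall` any compiler-specific warning becomes a build failure for all plugins, which is worth stating as deliberate in a comment beside it, e.g. `# warnings are errors for all plugins on purpose`.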
r1221 r1226 34 34 #include <plughook.h> 35 35 #include <md5.h> 36 #include <sha512.h> 36 37 37 38 #include "htm_aSavePostgres.h" … … 100 101 } 101 102 logmsg(LOG_DEBUG, 1, "(Build URL): Typ: %s.\n",download->dl_type); 102 snprintf(url + strlen(url), strlen(download->dl_type) + 3, "%s://", download->dl_type);103 snprintf(url + strlen(url), strlen(download->dl_type) + 4, "%s://", download->dl_type); 103 104 104 105 if(strlen(download->user)) { 105 106 logmsg(LOG_NOISY,1,"(Build URL): User: %s Pass: %s.\n", download->user, download->pass); 106 snprintf(url + strlen(url), strlen(download->user) + strlen(download->pass) + 2, "%s:%s@", download->user, download->pass);107 snprintf(url + strlen(url), strlen(download->user) + strlen(download->pass) + 3, "%s:%s@", download->user, download->pass); 107 108 } 108 109 … … 112 113 if (download->r_port) { 113 114 logmsg(LOG_NOISY, 1, "(Build URL): Port: %d.\n", download->r_port); 114 snprintf(url + strlen(url), 6, ":%d/", download->r_port);115 snprintf(url + strlen(url), 7, ":%d/", download->r_port); 115 116 strcat(url + strlen(url), PROTO(download->protocol)); 116 117 } … … 118 119 if (download->filename) { 119 120 logmsg(LOG_NOISY, 1, "(Build URL): Filename: %s.\n", download->filename); 120 snprintf(url + strlen(url), strlen(download->filename) + 1, "/%s", download->filename);121 snprintf(url + strlen(url), strlen(download->filename) + 2, "/%s", download->filename); 121 122 } 122 123 … … 178 179 return(-1); 179 180 } 180 if (snprintf(query, MAX_SQL_BUFFER, "SELECT malware.sensor_honeytrap_add_sample('%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s')", 181 mem_md5sum(attack->download->dl_payload.data, attack->download->dl_payload.size), 182 "mysensor", "malware", url, inet_ntoa(*(struct in_addr*)&(attack->a_conn.l_addr)), 183 inet_ntoa(*(struct in_addr*)&(attack->a_conn.r_addr)), attack->a_conn.l_port, 184 attack->download->r_port, esc_bytea) >= MAX_SQL_BUFFER) { 181 if (snprintf(query, MAX_SQL_BUFFER, "SELECT 
attacks.sensor_honeytrap_add_sample('%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s')", 182 mem_sha512sum(attack->download->dl_payload.data, attack->download->dl_payload.size), 183 "honeytrap-default", 184 "dynamic-generic", 185 url, 186 inet_ntoa(*(struct in_addr*)&(attack->a_conn.l_addr)), 187 inet_ntoa(*(struct in_addr*)&(attack->a_conn.r_addr)), 188 attack->a_conn.l_port, 189 attack->download->r_port, 190 esc_bytea) >= MAX_SQL_BUFFER) { 185 191 logmsg(LOG_ERR, 1, "Error - Could not save attack: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n"); 186 192 free(url); … … 229 235 strftime(endtime, 40, "%Y-%m-%d %T %Z", localtime(&attack->end_time)); 230 236 237 238 /* FIXME: link samples to attacks */ 239 /* 231 240 if(attack->dl_count) { 232 241 if (snprintf(query, MAX_SQL_BUFFER, … … 252 261 } 253 262 } else { 263 */ 254 264 if (snprintf(query, MAX_SQL_BUFFER, 255 265 "SELECT attacks.honeytrap_add_attack_string('%s'::varchar, %d::integer, '%s'::timestamptz, '%s'::timestamptz, " \ … … 273 283 return(-1); 274 284 } 275 }285 // } 276 286 277 287 if (PQresultStatus(res = PQexec(db_connection, query)) != PGRES_TUPLES_OK) { honeytrap/trunk/src/modules/htm_ftpDownload.c
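Review bot: `url` is interpolated into the query on lines 181-190 with a plain '%s' while only `esc_bytea` has been escaped; the URL is assembled on lines 101-121 from download->user, download->pass and download->filename, which the FTP module takes from the attacker's session, so a single quote in any of them breaks or alters the statement. The string should go through PQescapeStringConn() on db_connection before formatting, the same way the bytea payload does. On lines 186-187 both inet_ntoa() calls return the same static buffer, so once both arguments are evaluated the query carries one address twice; copy each result into its own buffer first. The snprintf() size fixes on lines 103-121 bound each piece by its own length rather than by the space left in `url`; unless `url` was sized from those same lengths (its allocation is not visible here) the running total needs checking against the buffer. The enclosing function starts outside the section.
```c
/* inet_ntoa() hands back one static buffer: copy each address before the next call */
char l_ip[INET_ADDRSTRLEN], r_ip[INET_ADDRSTRLEN];
snprintf(l_ip, sizeof l_ip, "%s", inet_ntoa(*(struct in_addr*)&(attack->a_conn.l_addr)));
snprintf(r_ip, sizeof r_ip, "%s", inet_ntoa(*(struct in_addr*)&(attack->a_conn.r_addr)));

/* url carries attacker-supplied user, pass and filename: escape it like the bytea payload */
char *esc_url = malloc(2 * strlen(url) + 1);
/* … NULL check and error logging as done for esc_bytea above … */
PQescapeStringConn(db_connection, esc_url, url, strlen(url), NULL);

if (snprintf(query, MAX_SQL_BUFFER, "SELECT attacks.sensor_honeytrap_add_sample('%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s')",
        mem_sha512sum(attack->download->dl_payload.data, attack->download->dl_payload.size),
        "honeytrap-default", "dynamic-generic", esc_url, l_ip, r_ip,
        attack->a_conn.l_port, attack->download->r_port, esc_bytea) >= MAX_SQL_BUFFER) {
    /* … unchanged: size error logging, free(url) … free(esc_url) must be added to every exit path … */
```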
r1222 r1226 71 71 addr = (struct in_addr *) &(attack->a_conn.l_addr); 72 72 get_ftpcmd(string_for_processing, attack->a_conn.payload.size, *addr,attack); 73 return(0); 73 74 } 74 75 } … … 587 588 } 588 589 close(dumpfile_fd); 590 591 /* add download struct to attack struct*/ 592 logmsg(LOG_DEBUG, 1, "(htm_ftp) Adding download to attack struct.\n"); 593 add_download("ftp", 6, rhost->s_addr, port, user, pass, (const char *) save_file, binary_stream, total_bytes, attack); 594 589 595 logmsg(LOG_NOTICE, 1, "FTP download - %s saved.\n", save_file); 590 596 } else logmsg(LOG_NOISY, 1, "FTP download - No data received.\n"); 591 597 592 /* add download struct to attack struct*/593 logmsg(LOG_DEBUG, 1, "(htm_ftp) Adding download to attack struct.\n");594 add_download("ftp", rhost->s_addr, port, user, pass, (const char *) save_file, binary_stream, total_bytes, attack);595 // return(0);596 598 close(data_sock_fd); 599 printf("---> returning.\n"); 600 return(0); 597 601 } else logmsg(LOG_DEBUG, 1, "FTP download - Select on FTP data channel returned but socket is not set: %s\n", strerror(errno)); 598 602 honeytrap/trunk/src/plughook.c
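Review bot: Line 599 writes `printf("---> returning.\n");` straight to stdout, bypassing the logmsg() levels every other line in this module uses, and reads like a debug leftover; drop it or make it `logmsg(LOG_DEBUG, 1, "(htm_ftp) Data channel handled, returning.\n");`. The `6` on line 593 is the IP protocol number for TCP passed as the new proto argument; `IPPROTO_TCP` says that without a lookup. Moving add_download() inside the data-received branch (lines 590-594) means a transfer that delivered no bytes is no longer recorded on the attack, which looks intended but deserves a word in the comment on line 591, e.g. `/* add download struct to attack struct (only when data was received) */`. The enclosing function starts and ends outside the section.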
r1221 r1226 93 93 94 94 95 void plughook_process_attack(PlugFuncList *func_list, Attack attack) {95 void plughook_process_attack(PlugFuncList *func_list, Attack *attack) { 96 96 PlugFuncList *func_tmp = NULL; 97 97 … … 107 107 if (func_tmp->func) { 108 108 logmsg(LOG_DEBUG, 1, "Calling %s::%s().\n", func_tmp->plugnam, func_tmp->funcnam); 109 func_tmp->func((void *) &attack);109 func_tmp->func((void *)attack); 110 110 } else logmsg(LOG_ERR, 1, "Error - Function %s::%s is not registered.\n", 111 111 func_tmp->plugnam, func_tmp->funcnam); … … 146 146 147 147 logmsg(LOG_DEBUG, 1, "Calling plugins for hook 'unload_plugins'.\n"); 148 149 /*150 if (funclist_process_attack == NULL) {151 logmsg(LOG_DEBUG, 1, "No plugins registered for hook 'unload_plugins'.\n");152 return;153 }154 */155 148 156 149 func_tmp = funclist_unload_plugins; honeytrap/trunk/src/plughook.h
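Review bot: plughook_process_attack() now hands every plugin the caller's live Attack instead of a copy (line 109), so a hook that modifies it, such as add_download() in the FTP module, changes what later hooks and the caller see; that is the point of the change but nothing in the function says so. Suggested header comment above line 95: `/* Runs every registered hook on the live Attack; changes a plugin makes (e.g. add_download()) are visible to later hooks and to the caller. */`. A NULL `attack` would now be forwarded to the plugins unchanged, so either a guard such as `if (attack == NULL) return;` before the loop or a note that callers guarantee a non-NULL pointer would make the contract explicit. The loop body between lines 97 and 107 is outside the visible lines.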
r1221 r1226 41 41 42 42 PlugFuncList *add_attack_func_to_list(const func_prio priority, const char *plugname, const char *funcname, int (*func)(struct s_attack)); 43 void plughook_process_attack(PlugFuncList *func_list, Attack attack);43 void plughook_process_attack(PlugFuncList *func_list, Attack *attack); 44 44 45 45 PlugFuncList *add_unload_func_to_list(const char *plugname, const char *funcname, void (*func)(void));
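Review bot: The dispatcher prototype on line 43 now takes `Attack *`, but the callback type accepted by add_attack_func_to_list() on the unchanged line 42 is still `int (*func)(struct s_attack)`, a by-value signature, while plughook.c invokes the stored pointer with `(void *)attack`; if the list member has the same type, the cast only hides the mismatch and a plugin written to that prototype would read a pointer as a struct. Declaring the callback as `int (*func)(Attack *)` in this prototype and in the stored member would let the compiler check what plugins actually receive. The PlugFuncList definition is not visible here, so the stored member's type is inferred.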
