Changeset 1238
- Timestamp:
- 04/25/07 23:08:54 (1 year ago)
- Files:
-
- honeytrap/trunk/src/modules/htm_aSaveFile.c (modified) (3 diffs)
- honeytrap/trunk/src/modules/htm_aSavePostgres.c (modified) (17 diffs)
- honeytrap/trunk/src/modules/htm_aSavePostgres.h (modified) (1 diff)
- honeytrap/trunk/src/modules/htm_b64Decode.c (modified) (1 diff)
- honeytrap/trunk/src/modules/htm_ftpDownload.c (modified) (1 diff)
- honeytrap/trunk/src/modules/htm_ftpDownload.h (modified) (1 diff)
- honeytrap/trunk/src/pcapmon.c (modified) (2 diffs)
- honeytrap/trunk/src/readconf.c (modified) (1 diff)
honeytrap/trunk/src/modules/htm_aSaveFile.c
r1221 r1238 28 28 #include <logging.h> 29 29 #include <honeytrap.h> 30 #include <md5.h> 30 31 #include <attack.h> 31 32 #include <plughook.h> … … 53 54 struct tm *file_time; 54 55 time_t loc_time; 55 char *filename = NULL, *proto_str = NULL; 56 int dumpfile_fd; 56 char *filename, *mwfilename, *proto_str; 57 int i, dumpfile_fd; 58 59 filename = NULL; 60 mwfilename = NULL; 61 proto_str = NULL; 57 62 58 63 logmsg(LOG_DEBUG, 1, "Dumping attack string into file.\n"); … … 105 110 close(dumpfile_fd); 106 111 logmsg(LOG_DEBUG, 1, "Plugin aSaveFile: Attack string saved as %s.\n", filename); 112 113 /* save malware */ 114 for (i=1; i<=attack->dl_count; i++) { 115 /* save file */ 116 /* we need the length of directory + "/" + filename plus md5 checksum */ 117 mwfilename = (char *) malloc(strlen(dlsave_dir)+strlen(filename)+35); 118 snprintf(mwfilename, strlen(dlsave_dir)+strlen(mwfilename) + 35, "%s/%s-%s", 119 dlsave_dir, mem_md5sum(attack->download[i].dl_payload.data, attack->download[i].dl_payload.size), mwfilename); 120 logmsg(LOG_DEBUG, 1, "Malware sample dump - File name is %s\n", mwfilename); 121 if (((dumpfile_fd = open(mwfilename, O_WRONLY | O_CREAT | O_EXCL)) < 0) || 122 (fchmod(dumpfile_fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) != 0)) { 123 logmsg(LOG_WARN, 1, "Malware sample dump - Unable to save %s: %s.\n", mwfilename, 124 strerror(errno)); 125 close(dumpfile_fd); 126 return(-1); 127 } 128 if (write(dumpfile_fd, attack->download[i].dl_payload.data, attack->download[i].dl_payload.size) != attack->download[i].dl_payload.size) { 129 logmsg(LOG_ERR, 1, "Malware sample dump error - Unable to write data to file: %s\n", 130 strerror(errno)); 131 close(dumpfile_fd); 132 return(-1); 133 } 134 close(dumpfile_fd); 135 logmsg(LOG_NOTICE, 1, "Malware sample dump - %s saved.\n", attack->download[i].filename); 136 } 137 107 138 return(0); 108 139 } honeytrap/trunk/src/modules/htm_aSavePostgres.c
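Review bot: The malware-save loop added at lines 114-136 builds the file name from uninitialized memory and formats the destination buffer into itself: the snprintf size uses `strlen(mwfilename)` on the buffer that was just malloc'd, and the last `%s` argument is `mwfilename` (the output buffer) rather than the sample name, which is undefined behaviour and yields a garbage path. The loop also runs `i=1..dl_count`, which skips element 0 and reads one past the end if `download[]` is zero-based (its declaration is outside this changeset), `open()` is called with `O_CREAT` but no mode argument so the file briefly exists with an unspecified mode before the `fchmod`, and `mwfilename` (plus the `mem_md5sum` result, if that helper allocates) is never freed. Because the sample name presumably originates in the attacker's download request, it should be reduced to its basename before being joined onto `dlsave_dir`; otherwise a name containing `/` or `..` escapes the save directory. The rewrite below assumes a zero-based `download[]` and leaves the `mem_md5sum` ownership question open; confirm both against attack.h and md5.h.
```c
/* … unchanged: attack-string dump up to "Attack string saved as %s" … */

/* save malware samples as <dlsave_dir>/<md5>-<basename of sample name> */
for (i = 0; i < attack->dl_count; i++) {
	const char *md5 = mem_md5sum(attack->download[i].dl_payload.data, attack->download[i].dl_payload.size);
	const char *name = attack->download[i].filename ? attack->download[i].filename : "unnamed";
	const char *base = strrchr(name, '/');
	size_t len;

	base = base ? base + 1 : name;	/* attacker-supplied name: keep only the last path component */
	len = strlen(dlsave_dir) + 1 + strlen(md5) + 1 + strlen(base) + 1;
	if ((mwfilename = malloc(len)) == NULL) {
		logmsg(LOG_ERR, 1, "Malware sample dump - Unable to allocate memory: %s.\n", strerror(errno));
		return(-1);
	}
	snprintf(mwfilename, len, "%s/%s-%s", dlsave_dir, md5, base);
	logmsg(LOG_DEBUG, 1, "Malware sample dump - File name is %s\n", mwfilename);
	/* O_CREAT requires the mode argument; relying on fchmod() afterwards leaves a window with an unspecified mode */
	if ((dumpfile_fd = open(mwfilename, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH)) < 0) {
		logmsg(LOG_WARN, 1, "Malware sample dump - Unable to save %s: %s.\n", mwfilename, strerror(errno));
		free(mwfilename);
		return(-1);
	}
	/* … unchanged: write() of dl_payload, close(), LOG_NOTICE (free mwfilename on the error path there too) … */
	free(mwfilename);
}
```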
r1226 r1238 62 62 /* connect to database */ 63 63 if (PQstatus(db_connection = PQconnectdb(db_info)) != CONNECTION_OK) { 64 logmsg(LOG_ERR, 1, " Error - Could not connect to database: %s.\n", PQerrorMessage(db_connection));64 logmsg(LOG_ERR, 1, "Postgres client error - Could not connect to database: %s.\n", PQerrorMessage(db_connection)); 65 65 PQfinish(db_connection); 66 66 return(-1); 67 67 } 68 logmsg(LOG_NOISY, 1, " Attack database (Postgres) - Connection established.\n");68 logmsg(LOG_NOISY, 1, "Postgres client - Database connection established.\n"); 69 69 if (PQsetClientEncoding(db_connection, "UTF8") != 0) { 70 logmsg(LOG_ERR, 1, " Error - Could not set database character encoding to UTF8: %s.\n", PQerrorMessage(db_connection));70 logmsg(LOG_ERR, 1, "Postgres client error - Could not set database character encoding to UTF8: %s.\n", PQerrorMessage(db_connection)); 71 71 PQfinish(db_connection); 72 72 return(-1); … … 79 79 /* disconnect from database */ 80 80 PQfinish(db_connection); 81 logmsg(LOG_NOISY, 1, " Attack database (Postgres)- Connection closed.\n");81 logmsg(LOG_NOISY, 1, "Postgres client - Connection closed.\n"); 82 82 return; 83 83 } 84 84 85 85 86 char *build_ur l(struct s_download *download) {87 char *ur l; // generic malware URLformat 'type://user:pass@path/to/file:port/protocol'88 89 if ((ur l = malloc(MAX_URL_SIZE + 1)) == NULL) {90 logmsg(LOG_ERR, 1, " Error - Unable to allocate memory: %s.\n", strerror(errno));86 char *build_uri(struct s_download *download) { 87 char *uri; // generic malware URI format 'type://user:pass@path/to/file:port/protocol' 88 89 if ((uri = malloc(MAX_URI_SIZE + 1)) == NULL) { 90 logmsg(LOG_ERR, 1, "Postgres client error - Unable to allocate memory: %s.\n", strerror(errno)); 91 91 return(NULL); 92 92 } 93 memset(ur l, 0, MAX_URL_SIZE+1);94 95 logmsg(LOG_DEBUG, 1, " Building generic malware resource URL.\n");93 memset(uri, 0, MAX_URI_SIZE+1); 94 95 logmsg(LOG_DEBUG, 1, "Postgres client - Building generic malware 
resource URI.\n"); 96 96 97 97 /* should check for supported protocol types */ 98 98 if (!strlen(download->dl_type)) { 99 logmsg(LOG_WARN, 1, " Database warning - Could not build URL: Unknown protocol type.\n");99 logmsg(LOG_WARN, 1, "Postgres client - Warning: Could not build URI: Unknown protocol type.\n"); 100 100 return(NULL); 101 101 } 102 logmsg(LOG_DEBUG, 1, " (Build URL): Typ: %s.\n",download->dl_type);103 snprintf(ur l + strlen(url), strlen(download->dl_type) + 4, "%s://", download->dl_type);102 logmsg(LOG_DEBUG, 1, "Postgres client - Adding Type to URI: %s\n",download->dl_type); 103 snprintf(uri + strlen(uri), strlen(download->dl_type) + 4, "%s://", download->dl_type); 104 104 105 105 if(strlen(download->user)) { 106 logmsg(LOG_NOISY,1,"(Build URL): User: %s Pass: %s.\n", download->user, download->pass); 107 snprintf(url + strlen(url), strlen(download->user) + strlen(download->pass) + 3, "%s:%s@", download->user, download->pass); 108 } 109 110 logmsg(LOG_NOISY, 1, "(Build URL): URL: %s.\n", inet_ntoa(*(struct in_addr*)&download->r_addr)); 111 strncat(url, inet_ntoa(*(struct in_addr*)&download->r_addr), strlen(inet_ntoa(*(struct in_addr*)&download->r_addr))); 106 logmsg(LOG_NOISY,1,"Postgres client - Adding user and pass to URI: %s:%s\n", download->user, download->pass); 107 snprintf(uri + strlen(uri), strlen(download->user) + strlen(download->pass) + 3, "%s:%s@", download->user, download->pass); 108 } 109 110 logmsg(LOG_NOISY, 1, "Postgres client - Adding host to URI: %s\n", inet_ntoa(*(struct in_addr*)&download->r_addr)); 111 strncat(uri, inet_ntoa(*(struct in_addr*)&download->r_addr), strlen(inet_ntoa(*(struct in_addr*)&download->r_addr))); 112 113 if (download->filename) { 114 logmsg(LOG_NOISY, 1, "Postgres client - Adding filename to URI: %s\n", download->filename); 115 snprintf(uri + strlen(uri), strlen(download->filename) + 2, "/%s", download->filename); 116 } 112 117 113 118 if (download->r_port) { 114 logmsg(LOG_NOISY, 1, "(Build URL): Port: 
%d.\n", download->r_port); 115 snprintf(url + strlen(url), 7, ":%d/", download->r_port); 116 strcat(url + strlen(url), PROTO(download->protocol)); 117 } 118 119 if (download->filename) { 120 logmsg(LOG_NOISY, 1, "(Build URL): Filename: %s.\n", download->filename); 121 snprintf(url + strlen(url), strlen(download->filename) + 2, "/%s", download->filename); 122 } 123 124 return(url); 119 logmsg(LOG_NOISY, 1, "Postgres client - Adding port to URI: %d\n", download->r_port); 120 snprintf(uri + strlen(uri), 7, ":%d/", download->r_port); 121 strcat(uri + strlen(uri), PROTO(download->protocol)); 122 } 123 124 125 return(uri); 125 126 } 126 127 … … 128 129 int db_submit(Attack *attack) { 129 130 PGresult *res; 130 char *query, *starttime, *endtime, *ur l, *l_ip, *r_ip;131 char *query, *starttime, *endtime, *uri, *l_ip, *r_ip; 131 132 u_char *esc_bytea; 132 133 int mw_inst = -1; … … 136 137 if ((!attack->a_conn.payload.size) && (!attack->dl_count)) return(0); 137 138 138 logmsg(LOG_DEBUG, 1, " Attack database (Postgres)- Connecting to database.\n");139 logmsg(LOG_DEBUG, 1, "Postgres client - Connecting to database.\n"); 139 140 if (db_connect() != 0) return(-1); 140 141 141 142 /* Start a transaction block */ 142 143 if (PQresultStatus(res = PQexec(db_connection, "BEGIN")) != PGRES_COMMAND_OK) { 143 logmsg(LOG_ERR, 1, " Databaseerror - BEGIN command failed: %s.\n", PQerrorMessage(db_connection));144 logmsg(LOG_ERR, 1, "Postgres client error - BEGIN command failed: %s.\n", PQerrorMessage(db_connection)); 144 145 PQclear(res); 145 146 db_disconnect(); … … 152 153 if (attack->dl_count) { 153 154 if ((query = malloc(MAX_SQL_BUFFER + 1)) == NULL) { 154 logmsg(LOG_ERR, 1, " Error - Unable to allocate memory: %s.\n", strerror(errno));155 logmsg(LOG_ERR, 1, "Postgres client error - Unable to allocate memory: %s.\n", strerror(errno)); 155 156 return(-1); 156 157 } … … 159 160 /* escape byte data to prevent sql injection */ 160 161 if ((esc_bytea = PQescapeByteaConn(db_connection, 
attack->download->dl_payload.data, attack->download->dl_payload.size, &length)) == NULL) { 161 logmsg(LOG_ERR, 1, " Databaseerror - Could not escape attack string: %s.\n", PQerrorMessage(db_connection));162 logmsg(LOG_ERR, 1, "Postgres client error - Could not escape attack string: %s.\n", PQerrorMessage(db_connection)); 162 163 PQclear(res); 163 164 db_disconnect(); … … 168 169 mem_md5sum(attack->download->dl_payload.data,attack->download->dl_payload.size); 169 170 170 if ((ur l = build_url(attack->download)) == NULL) {171 logmsg(LOG_WARN, 1, " Warning - Unable to build generic malware URL.\n");172 free(ur l);173 } else logmsg(LOG_NOISY, 1, " Generic malware URL assembled: %s\n", url);171 if ((uri = build_uri(attack->download)) == NULL) { 172 logmsg(LOG_WARN, 1, "Postgres client warning - Unable to build generic malware URI.\n"); 173 free(uri); 174 } else logmsg(LOG_NOISY, 1, "Postgres client - Generic malware URI assembled: %s\n", uri); 174 175 175 176 if (((l_ip = strdup(inet_ntoa(*(struct in_addr*)&(attack->a_conn.l_addr)))) == NULL) || 176 177 ((r_ip = strdup(inet_ntoa(*(struct in_addr*)&(attack->a_conn.r_addr)))) == NULL)) { 177 logmsg(LOG_ERR, 1, " Error - Unable to allocate memory: %s.\n", strerror(errno));178 free(ur l);178 logmsg(LOG_ERR, 1, "Postgres client error - Unable to allocate memory: %s.\n", strerror(errno)); 179 free(uri); 179 180 return(-1); 180 181 } … … 183 184 "honeytrap-default", 184 185 "dynamic-generic", 185 ur l,186 uri, 186 187 inet_ntoa(*(struct in_addr*)&(attack->a_conn.l_addr)), 187 188 inet_ntoa(*(struct in_addr*)&(attack->a_conn.r_addr)), … … 189 190 attack->download->r_port, 190 191 esc_bytea) >= MAX_SQL_BUFFER) { 191 logmsg(LOG_ERR, 1, " Error - Could not save attack: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n");192 free(ur l);192 logmsg(LOG_ERR, 1, "Postgres client error - Could not save attack: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n"); 193 free(uri); 193 194 
free(query); 194 195 return(-1); 195 196 } 196 free(ur l);197 free(uri); 197 198 198 199 if (PQresultStatus(res = PQexec(db_connection, query)) != PGRES_TUPLES_OK) { 199 logmsg(LOG_ERR, 1, " Databaseerror - Malware submission failed: %s.\n", PQerrorMessage(db_connection));200 logmsg(LOG_ERR, 1, "Postgres client error - Malware submission failed: %s.\n", PQerrorMessage(db_connection)); 200 201 PQclear(res); 201 202 db_disconnect(); … … 205 206 free(query); 206 207 PQfreemem(esc_bytea); 207 logmsg(LOG_NOISY, 1, " Attack database (Postgres)- Malware saved.\n");208 logmsg(LOG_NOISY, 1, "Postgres client - Malware saved.\n"); 208 209 209 210 /* get instance number for reference within attack_string record */ … … 217 218 if (attack->a_conn.payload.size > 0) { 218 219 if ((query = malloc(MAX_SQL_BUFFER + 1)) == NULL) { 219 logmsg(LOG_ERR, 1, " Error - Unable to allocate memory: %s.\n", strerror(errno));220 logmsg(LOG_ERR, 1, "Postgres client error - Unable to allocate memory: %s.\n", strerror(errno)); 220 221 return(-1); 221 222 } … … 224 225 /* escape byte data to prevent sql injection */ 225 226 if ((esc_bytea = PQescapeByteaConn(db_connection, attack->a_conn.payload.data, attack->a_conn.payload.size, &length)) == NULL) { 226 logmsg(LOG_ERR, 1, " Databaseerror - Could not escape malware binary string: %s.\n", PQerrorMessage(db_connection));227 logmsg(LOG_ERR, 1, "Postgres client error - Could not escape malware binary string: %s.\n", PQerrorMessage(db_connection)); 227 228 db_disconnect(); 228 229 free(query); … … 256 257 attack->p_conn.r_port, 257 258 esc_bytea) >= MAX_SQL_BUFFER) { 258 logmsg(LOG_ERR, 1, " Error - Could not save attack: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n");259 logmsg(LOG_ERR, 1, "Postgres client error - Could not save attack: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n"); 259 260 free(query); 260 261 return(-1); … … 279 280 attack->p_conn.r_port, 280 281 esc_bytea) >= MAX_SQL_BUFFER) 
{ 281 logmsg(LOG_ERR, 1, " Error - Could not save attack: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n");282 logmsg(LOG_ERR, 1, "Postgres client error - Could not save attack: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n"); 282 283 free(query); 283 284 return(-1); … … 286 287 287 288 if (PQresultStatus(res = PQexec(db_connection, query)) != PGRES_TUPLES_OK) { 288 logmsg(LOG_ERR, 1, " Databaseerror - Attack submission failed: %s.\n", PQerrorMessage(db_connection));289 logmsg(LOG_ERR, 1, "Postgres client error - Attack submission failed: %s.\n", PQerrorMessage(db_connection)); 289 290 PQclear(res); 290 291 db_disconnect(); … … 293 294 } 294 295 295 logmsg(LOG_NOISY, 1, " Attack database (Postgres)- Attack saved.\n");296 logmsg(LOG_NOISY, 1, "Postgres client - Attack saved.\n"); 296 297 free(starttime); 297 298 free(endtime); … … 304 305 /* end transaction and disconnect */ 305 306 if (PQresultStatus(res = PQexec(db_connection, "END")) != PGRES_COMMAND_OK) { 306 logmsg(LOG_ERR, 1, " Databaseerror - END command failed: %s.\n", PQerrorMessage(db_connection));307 logmsg(LOG_ERR, 1, "Postgres client error - END command failed: %s.\n", PQerrorMessage(db_connection)); 307 308 PQclear(res); 308 309 db_disconnect(); honeytrap/trunk/src/modules/htm_aSavePostgres.h
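Review bot: The snprintf calls in build_uri at lines 103, 107, 115 and 120 and the `strcat` at 121 bound each write by the length of the piece being appended, not by the space left in the 2049-byte `uri` buffer, so they behave like sprintf; `dl_type`, `user`, `pass` and `filename` come from the attacker's download request, and a long enough credential or filename overruns the heap buffer. Line 120 has the opposite problem as well: `snprintf(..., 7, ":%d/", r_port)` truncates the trailing `/` for any five-digit port, so the following `strcat` produces `:12345tcp` instead of `:12345/tcp`. Every append should be bounded by `MAX_URI_SIZE - strlen(uri)` and fail the build on truncation, which a small vsnprintf helper (needs `<stdarg.h>`) does; the sketch below also frees `uri` on the "Unknown protocol type" path at 99-100, which currently leaks it. Separately, db_submit at 171-174 frees `uri` when build_uri returned NULL and then still passes it to the `%s` in the INSERT query; that path should return early rather than continue with a NULL argument.
```c
/* Append printf-style text to uri, bounded by MAX_URI_SIZE; returns -1 if it would not fit. */
static int uri_append(char *uri, const char *fmt, ...) {
	va_list ap;
	size_t used = strlen(uri), left = MAX_URI_SIZE - used;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(uri + used, left + 1, fmt, ap);
	va_end(ap);
	return (n < 0 || (size_t) n > left) ? -1 : 0;
}

char *build_uri(struct s_download *download) {
	/* … unchanged: allocation and memset of uri … */
	if (!strlen(download->dl_type)) {
		logmsg(LOG_WARN, 1, "Postgres client - Warning: Could not build URI: Unknown protocol type.\n");
		free(uri);
		return(NULL);
	}
	/* per-step LOG_NOISY/LOG_DEBUG messages omitted here for brevity */
	if (uri_append(uri, "%s://", download->dl_type) < 0) goto too_long;
	if (strlen(download->user) && uri_append(uri, "%s:%s@", download->user, download->pass) < 0) goto too_long;
	if (uri_append(uri, "%s", inet_ntoa(*(struct in_addr*)&download->r_addr)) < 0) goto too_long;
	if (download->filename && uri_append(uri, "/%s", download->filename) < 0) goto too_long;
	if (download->r_port && uri_append(uri, ":%d/%s", download->r_port, PROTO(download->protocol)) < 0) goto too_long;
	return(uri);

too_long:
	logmsg(LOG_WARN, 1, "Postgres client - Warning: Could not build URI: result exceeds MAX_URI_SIZE.\n");
	free(uri);
	return(NULL);
}
```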
r1201 r1238 22 22 23 23 #define MAX_SQL_BUFFER 10485760 // 10 MB 24 #define MAX_UR L_SIZE 204824 #define MAX_URI_SIZE 2048 25 25 26 26 const char module_name[] = "htm_aSavePostgres"; 27 const char module_version[] = "0. 1";27 const char module_version[] = "0.2"; 28 28 29 29 struct pg_conn *db_connection; honeytrap/trunk/src/modules/htm_b64Decode.c
r1221 r1238 135 135 dec_attack.a_conn.payload.data = decoded->str; 136 136 dec_attack.a_conn.payload.size = decoded->len; 137 // plughook_process_attack(funclist_attack_preproc, dec_attack);138 plughook_process_attack(funclist_attack_analyze, dec_attack);139 plughook_process_attack(funclist_attack_savedata, dec_attack);140 plughook_process_attack(funclist_attack_postproc, dec_attack);137 // plughook_process_attack(funclist_attack_preproc, &dec_attack); 138 plughook_process_attack(funclist_attack_analyze, &dec_attack); 139 plughook_process_attack(funclist_attack_savedata, &dec_attack); 140 plughook_process_attack(funclist_attack_postproc, &dec_attack); 141 141 142 142 honeytrap/trunk/src/modules/htm_ftpDownload.c
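Review bot: The preproc hook call at line 137 is kept as commented-out code, now edited to the corrected `&dec_attack` argument, so it reads as a change that was half-applied rather than a deliberate omission; either delete the line or replace it with a comment stating why the decoded attack skips the preprocessing stage, e.g. `/* preproc hooks are deliberately not re-run on the decoded payload */` if that is the intent. Re-dispatching through funclist_attack_analyze from inside an analysis plugin can also recurse back into this decoder if the decoded data is itself base64-like; I cannot see from this hunk whether a guard exists, so that is worth confirming. The enclosing function starts and ends outside the hunk.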
r1226 r1238 597 597 598 598 close(data_sock_fd); 599 printf("---> returning.\n");600 599 return(0); 601 600 } else logmsg(LOG_DEBUG, 1, "FTP download - Select on FTP data channel returned but socket is not set: %s\n", strerror(errno)); honeytrap/trunk/src/modules/htm_ftpDownload.h
r1201 r1238 19 19 20 20 const char module_name[]="htm_ftpDownload"; 21 const char module_version[]="0. 3.1";21 const char module_version[]="0.4.0"; 22 22 23 23 void plugin_init(void); honeytrap/trunk/src/pcapmon.c
r1117 r1238 88 88 ip_hdr = (struct ip_header *) ip; 89 89 udp = (struct udp_header *) (ip + (4 * ip_hdr->ip_hlen)); 90 sport = ntohs(udp->uh_ dport);91 dport = ntohs(udp->uh_ sport);90 sport = ntohs(udp->uh_sport); 91 dport = ntohs(udp->uh_dport); 92 92 port_mode = port_flags[dport].udp; 93 93 } else { … … 119 119 } 120 120 121 logmsg(LOG_INFO, 1, "Connection request on port %d/%s.\n", sport, PROTO(ip_hdr->ip_p)); 122 start_dynamic_server(ip_hdr->ip_dst, htons(dport), ip_hdr->ip_src, htons(sport), ip_hdr->ip_p); 121 if (ip_hdr->ip_p == UDP) { 122 logmsg(LOG_INFO, 1, "Connection request on port %d/udp.\n", dport); 123 start_dynamic_server(ip_hdr->ip_src, htons(sport), ip_hdr->ip_dst, htons(dport), ip_hdr->ip_p); 124 } else if (ip_hdr->ip_p == TCP) { 125 logmsg(LOG_INFO, 1, "Connection request on port %d/tcp.\n", sport); 126 start_dynamic_server(ip_hdr->ip_dst, htons(dport), ip_hdr->ip_src, htons(sport), ip_hdr->ip_p); 127 } 123 128 return; 124 129 } honeytrap/trunk/src/readconf.c
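Review bot: The two new branches at lines 121-127 call start_dynamic_server with opposite argument orders — UDP passes `(ip_src, sport, ip_dst, dport)` and logs `dport`, TCP passes `(ip_dst, dport, ip_src, sport)` and logs `sport` — so either the TCP path still carries the local/remote swap this commit fixes for UDP, or the TCP header parsing above the hunk assigns sport/dport the other way round; the code cannot be read correctly without knowing which. Whichever it is, each call should say so, e.g. `/* TCP: sport/dport were read as (remote, local) above, so the local side is passed first */`, or better, the variables should be named for the side they represent so both branches can share one call. Packets that are neither TCP nor UDP now fall through silently where the old code always logged and started a server; if anything else can reach this point, an `else` with a LOG_DEBUG line would make the drop explicit. The enclosing function starts and ends outside the hunk.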
r1201 r1238 293 293 " %s%c", my_argv[optind], 0); 294 294 } 295 my_argv[optind++];295 optind++; 296 296 } 297 297 DEBUG_FPRINTF(stdout, " Command line bpf expression is '%s'\n", bpf_cmd_ext);
