Changeset 1241
- Timestamp:
- 04/26/07 17:37:01 (1 year ago)
- Files:
-
- honeytrap/trunk/configure.in (modified) (1 diff)
- honeytrap/trunk/src/modules/htm_aSaveFile.c (modified) (3 diffs)
- honeytrap/trunk/src/modules/htm_aSaveFile.h (modified) (1 diff)
- honeytrap/trunk/src/modules/htm_aSavePostgres.c (modified) (3 diffs)
- honeytrap/trunk/src/modules/htm_ftpDownload.c (modified) (2 diffs)
honeytrap/trunk/configure.in
r1201 r1241 447 447 if test $with_ipq_mon != "yes" -a $with_nfq_mon != "yes" -a $with_ipfw_mon != "yes" -a $with_pcap_mon != "yes"; then 448 448 echo 449 echo " ERROR! No connection monitor selected. Please reconfigure with --with-pcap-mon or --with-ipq-mon."449 echo " ERROR! No connection monitor selected. Please reconfigure with --with-pcap-mon, --with-nfq-mon or --with-ipq-mon." 450 450 echo 451 451 exit 1 honeytrap/trunk/src/modules/htm_aSaveFile.c
r1238 r1241 1 1 /* htm_aSaveFile.c 2 * Copyright (C) 2006 Tillmann Werner <tillmann.werner@gmx.de>2 * Copyright (C) 2006-2007 Tillmann Werner <tillmann.werner@gmx.de> 3 3 * 4 4 * This file is free software; as a special exception the author gives … … 14 14 * This honeytrap module dumps incoming traffic from incoming 15 15 * connections to a file. 16 * Also, all malware/sample entries attached to an attack record 17 * are dumped into a download directory. 16 18 */ 17 19 … … 112 114 113 115 /* save malware */ 114 for (i= 1; i<=attack->dl_count; i++) {116 for (i=0; i<attack->dl_count; i++) { 115 117 /* save file */ 116 118 /* we need the length of directory + "/" + filename plus md5 checksum */ 117 119 mwfilename = (char *) malloc(strlen(dlsave_dir)+strlen(filename)+35); 118 snprintf(mwfilename, strlen(dlsave_dir)+strlen( mwfilename) +35, "%s/%s-%s",119 dlsave_dir, mem_md5sum(attack->download[i].dl_payload.data, attack->download[i].dl_payload.size), mwfilename);120 snprintf(mwfilename, strlen(dlsave_dir)+strlen(filename)+35, "%s/%s-%s", 121 dlsave_dir, mem_md5sum(attack->download[i].dl_payload.data, attack->download[i].dl_payload.size), attack->download[i].filename); 120 122 logmsg(LOG_DEBUG, 1, "Malware sample dump - File name is %s\n", mwfilename); 121 123 if (((dumpfile_fd = open(mwfilename, O_WRONLY | O_CREAT | O_EXCL)) < 0) || honeytrap/trunk/src/modules/htm_aSaveFile.h
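Review bot: The dump-path buffer at new line 119 is sized from `filename` while the name formatted into it at line 121 is `attack->download[i].filename`, so the snprintf truncates silently whenever the sample name is longer than `filename`, and the malloc result is used without a NULL check. Both should refer to the same string with the length computed once; the per-download name appears to be whatever the remote side supplied (the ftpDownload hunk passes `save_file` straight into `add_download`), so a name containing `/` would let the path leave `dlsave_dir` and should be refused before the `open()`. The loop header change to `i < attack->dl_count` is correct for a zero-based array. The enclosing function starts and ends outside the hunk, so `continue` below is an assumption about how one bad sample should be skipped; adjust to the function's own error convention if it returns a status.
```c
/* … unchanged: loop header over attack->download[] … */
const char *dlname = attack->download[i].filename;
/* the sample name comes from the remote side; a '/' would let the dump path escape dlsave_dir */
if (strchr(dlname, '/') != NULL) {
    logmsg(LOG_WARN, 1, "Malware sample dump - Refusing to save sample with unsafe name %s.\n", dlname);
    continue;
}
/* directory + "/" + 32 hex md5 chars + "-" + name + NUL */
size_t mwlen = strlen(dlsave_dir) + strlen(dlname) + 35;
if ((mwfilename = malloc(mwlen)) == NULL) {
    logmsg(LOG_ERR, 1, "Malware sample dump - Out of memory, skipping sample.\n");
    continue;
}
snprintf(mwfilename, mwlen, "%s/%s-%s", dlsave_dir,
         mem_md5sum(attack->download[i].dl_payload.data, attack->download[i].dl_payload.size), dlname);
/* … unchanged: debug log, open() with O_EXCL, write … */
```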
r1117 r1241 19 19 20 20 const char module_name[]="htm_aSaveFile"; 21 const char module_version[]="0. 1.2";21 const char module_version[]="0.2.0"; 22 22 23 23 void plugin_init(void); honeytrap/trunk/src/modules/htm_aSavePostgres.c
r1238 r1241 156 156 return(-1); 157 157 } 158 159 /* check if sample already exists */ 158 160 memset(query, 0, MAX_SQL_BUFFER + 1); 161 if (snprintf(query, MAX_SQL_BUFFER, "SELECT malware.sensor_exists_sample('%s')", 162 mem_sha512sum(attack->download->dl_payload.data, attack->download->dl_payload.size)) >= MAX_SQL_BUFFER) { 163 logmsg(LOG_ERR, 1, "Postgres client error - Could not check if sample exists: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n"); 164 free(query); 165 return(-1); 166 } 167 168 /* 169 if (PQresultStatus(res = PQexec(db_connection, query)) != PGRES_TUPLES_OK) { 170 printf("---> malware exists.\n"); 171 } else printf("---> malware does not exist.\n"); 172 logmsg(LOG_ERR, 1, "Postgres client error - Malware submission failed: %s.\n", PQerrorMessage(db_connection)); 173 PQclear(res); 174 db_disconnect(); 175 free(query); 176 return(-1); 177 } 178 */ 159 179 160 180 /* escape byte data to prevent sql injection */ … … 180 200 return(-1); 181 201 } 202 memset(query, 0, MAX_SQL_BUFFER + 1); 182 203 if (snprintf(query, MAX_SQL_BUFFER, "SELECT attacks.sensor_honeytrap_add_sample('%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s')", 183 204 mem_sha512sum(attack->download->dl_payload.data, attack->download->dl_payload.size), … … 190 211 attack->download->r_port, 191 212 esc_bytea) >= MAX_SQL_BUFFER) { 192 logmsg(LOG_ERR, 1, "Postgres client error - Could not save attack: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n");193 free(uri);194 free(query);195 return(-1);196 }213 logmsg(LOG_ERR, 1, "Postgres client error - Could not save malware: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n"); 214 free(uri); 215 free(query); 216 return(-1); 217 } 197 218 free(uri); 198 219 honeytrap/trunk/src/modules/htm_ftpDownload.c
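Review bot: The new existence check at line 161 builds the `SELECT malware.sensor_exists_sample('%s')` query but never executes it: the PQexec block that would consume it is commented out at lines 168-178, and the new `memset` at line 202 clears the buffer before the add_sample query is formatted, so the SHA-512 is computed and the result discarded. Either run the query and skip the insert when it reports the sample as present, or remove both the query and the commented-out block rather than leave dead code in the function; if the block is revived, note that its error message (`Malware submission failed`) belongs to the insert path, not to the existence check. The check also hashes only `attack->download->dl_payload`, i.e. the first entry, whereas htm_aSaveFile.c in this changeset now iterates over all `dl_count` entries, so additional samples attached to one attack are silently ignored by this module. The enclosing function starts and ends outside the hunk.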
r1238 r1241 259 259 uint16_t first_half:8, second_half:8; 260 260 } ftp_port; 261 char rline[MAX_LINE], rbuf[READ_SIZE], *ftp_command , *dumpfile_name;261 char rline[MAX_LINE], rbuf[READ_SIZE], *ftp_command; 262 262 struct timeval r_timeout; 263 263 fd_set rfds; … … 568 568 logmsg(LOG_NOISY, 1, "FTP download - Successfully downloaded %s.\n", save_file); 569 569 ftp_quit(control_sock_fd, data_sock_fd, dumpfile_fd); 570 /* save file */ 570 571 /* add download to attack record */ 571 572 if(total_bytes) { 572 /* we need the length of directory + "/" + filename plus md5 checksum */ 573 dumpfile_name = (char *) malloc(strlen(dlsave_dir)+strlen(save_file)+35); 574 snprintf(dumpfile_name, strlen(dlsave_dir)+strlen(save_file) + 35, "%s/%s-%s", 575 dlsave_dir, mem_md5sum(binary_stream, total_bytes), save_file); 576 logmsg(LOG_DEBUG, 1, "FTP download - Dumpfile name is %s\n", dumpfile_name); 577 if (((dumpfile_fd = open(dumpfile_name, O_WRONLY | O_CREAT | O_EXCL)) < 0) || 578 (fchmod(dumpfile_fd, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH) != 0)) { 579 logmsg(LOG_WARN, 1, "FTP download - Unable to save %s: %s.\n", save_file, 580 strerror(errno)); 581 return(-1); 582 } 583 if (write(dumpfile_fd, binary_stream, total_bytes) != total_bytes) { 584 logmsg(LOG_ERR, 1, "FTP download error - Unable to write data to file: %s\n", 585 strerror(errno)); 586 close(dumpfile_fd); 587 return(-1); 588 } 589 close(dumpfile_fd); 590 591 /* add download struct to attack struct*/ 592 logmsg(LOG_DEBUG, 1, "(htm_ftp) Adding download to attack struct.\n"); 573 logmsg(LOG_DEBUG, 1, "FTP download - Adding download to attack record.\n"); 593 574 add_download("ftp", 6, rhost->s_addr, port, user, pass, (const char *) save_file, binary_stream, total_bytes, attack); 594 575 595 logmsg(LOG_NOTICE, 1, "FTP download - %s saved.\n", save_file);576 logmsg(LOG_NOTICE, 1, "FTP download - %s attached to attack record.\n", save_file); 596 577 } else logmsg(LOG_NOISY, 1, "FTP download - No data received.\n"); 597 578
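Review bot: With the `open()`/`write()` path removed, nothing in the remaining block says where the downloaded bytes are persisted, and the only thing still recorded about the file is the name `save_file` handed to `add_download` at line 574; a reader of this module will look for the missing write. Add a comment above the `add_download` call, e.g. `/* not written to disk here: storage is left to the action module that consumes attack->download[] (htm_aSaveFile); save_file is the name reported by the remote side and must be validated by that consumer */`. The O_EXCL create and `fchmod` that used to constrain the dump here are gone with this hunk, so the comment should make explicit that the consumer now owns those checks. The enclosing function starts before and ends after the hunk.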
