Changeset 1249
- Timestamp:
- 05/02/07 21:50:56 (1 year ago)
- Files:
-
- honeytrap/trunk/ChangeLog (modified) (2 diffs)
- honeytrap/trunk/INSTALL (modified) (1 diff)
- honeytrap/trunk/configure.in (modified) (3 diffs)
- honeytrap/trunk/src/modules/Makefile.am (modified) (2 diffs)
- honeytrap/trunk/src/modules/htm_aSavePostgres.c (modified) (8 diffs)
- honeytrap/trunk/src/modules/htm_aSavePostgres.h (modified) (3 diffs)
- honeytrap/trunk/src/modules/htm_ftpDownload.c (modified) (16 diffs)
- honeytrap/trunk/src/modules/htm_ftpDownload.h (modified) (3 diffs)
honeytrap/trunk/ChangeLog
r1221 r1249 1 1 Version 0.7.0 2 - Plugins can be prio tizized2 - Plugins can be prioritized 3 3 - PostgreSQL module for commits into mwcollect database 4 4 - SHA512 hash support … … 6 6 - Improved connection request handling in the nfq stream monitor 7 7 - FTP download plugin is now source-based routing safe 8 - Changed autotools process to make module builts optional 8 9 Version 0.6.5 9 10 - Introduced an nfnetlink_queue-based connection monitor honeytrap/trunk/INSTALL
r1081 r1249 10 10 The `configure' shell script must be told which connection monitor 11 11 should be used by honeytrap to monitor network interfaces for incoming 12 connection requests. Possible values are currently 13 14 --with-pcap-mon monitoring with a PCAP-based sniffer 12 connection requests. Currently the following options are possible: 13 14 --with-nfq-mon monitoring via libnetfilter_queue 15 (Linux only, recommended) 15 16 16 17 --with-ipq-mon monitoring via netfilter/iptables ip_queue 17 18 (Linux only) 19 20 --with-pcap-mon monitoring with a PCAP-based sniffer 21 22 To build additional plugins use the --with-[pluginname] options. 18 23 19 24 Please refer to the generic installation instructions below for further honeytrap/trunk/configure.in
r1241 r1249 267 267 fi 268 268 269 #----------------------- network stream monitors --------------------------- 269 270 270 271 AC_ARG_WITH(pcap-mon, … … 377 378 else with_ipfw_mon="no" 378 379 fi 380 381 382 #----------------------- optional plugins --------------------------- 383 384 385 AC_ARG_WITH(spamsum, 386 [ --with-spamsum Perform SpamSum similarity analysis for recorded attacks]) 387 AM_CONDITIONAL(BUILD_SPAMSUM_PLUGIN, test x$with_spamsum = xyes) 388 if test "$with_spamsum" != "yes"; then 389 with_spamsum="no" 390 fi 391 392 393 394 AC_ARG_WITH(postgres, 395 [ --with-postgres Store attack data in PostgreSQL database]) 396 AM_CONDITIONAL(BUILD_POSTGRES_PLUGIN, test x$with_postgres = xyes) 397 if test "$with_postgres" = "yes"; then 398 AC_ARG_WITH(libpq_includes, 399 [ --with-libpq-includes=DIR libpq include directory], 400 [with_libpq_includes="$withval"],[with_libpq_includes=no]) 401 402 AC_ARG_WITH(libpq_libraries, 403 [ --with-libpq-libraries=DIR libpq library directory], 404 [with_libpq_libraries="$withval"],[with_libpq_libraries=no]) 405 406 if test "$with_libpq_includes" != "no"; then 407 CPPFLAGS="${CPPFLAGS} -I${with_libpq_includes}" 408 fi 409 AC_CHECK_HEADER(postgresql/libpq-fe.h,,[AC_ERROR(libpq-fe.h not found.)]) 410 411 if test "$with_libpq_libraries" != "no"; then 412 LDFLAGS="${LDFLAGS} -L${with_libpq_libraries}" 413 fi 414 LIPQ="" 415 AC_CHECK_LIB(pq, PQconnectdb,, LPQ="no") 416 417 if test "$LPQ" = "no"; then 418 echo 419 echo " ERROR! Libpq library/headers not found. Install it or use the" 420 echo " --with-libpq-* options, if you have it installed in unusual place." 
421 echo 422 exit 423 fi 424 425 AC_DEFINE([USE_POSTGRES_DB], [], [Define to store attacks in PostgreSQL database]) 426 else with_postgres="no" 427 fi 428 429 #------------------------------------------------------------- 430 431 379 432 380 433 default_directory="/usr /usr/local" … … 463 516 echo 464 517 echo "--- honeytrap configuration ---" 465 echo "Debugging options: $enable_debug"466 echo "Profiling options: $enable_profile"467 echo "Electric Fence: $with_efence"518 echo "Debugging options: $enable_debug" 519 echo "Profiling options: $enable_profile" 520 echo "Electric Fence: $with_efence" 468 521 echo 469 522 echo "Connection monitor" 470 echo " Linux ip_queue (ipq): $with_ipq_mon" 471 echo " Linux nfnetlink_queue (nfq): $with_nfq_mon" 472 echo " FreeBSD ipfw (ipfw): $with_ipfw_mon" 473 echo " Libpcap (pcap): $with_pcap_mon" 523 echo " Linux ip_queue (ipq): $with_ipq_mon" 524 echo " Linux libnetfilter_queue (nfq): $with_nfq_mon" 525 echo " FreeBSD ipfw (ipfw): $with_ipfw_mon" 526 echo " Libpcap (pcap): $with_pcap_mon" 527 echo 528 echo "Optional plugins" 529 echo " PostgeSQL: $with_postgres" 530 echo " SpamSum: $with_spamsum" honeytrap/trunk/src/modules/Makefile.am
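Review bot: The preprocessor symbol defined here does not match the one the module sources test: configure.in adds `AC_DEFINE([USE_POSTGRES_DB], [], ...)` while htm_aSavePostgres.c and htm_aSavePostgres.h in this changeset wrap their whole contents in `#ifdef USE_POSTGRES`, so unless USE_POSTGRES is defined somewhere outside this changeset a --with-postgres build compiles the module to an empty translation unit; one of the two names has to change. In the libpq check the variable initialised as `LIPQ=""` is not the `LPQ` that the AC_CHECK_LIB failure branch sets and the following `if test "$LPQ" = "no"` reads, so the initialisation is a typo with no effect. The failure branch ends with a bare `exit`, which leaves configure's status 0 and lets a scripted build continue past a missing libpq; use `exit 1`. The summary also misspells the product name: `echo " PostgeSQL: $with_postgres"`.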
r1226 r1249 9 9 libdir=$(DESTDIR)/$(sysconfdir)/honeytrap/plugins 10 10 11 lib_LTLIBRARIES = htm_aSaveFile.la htm_ftpDownload.la htm_tftpDownload.la htm_vncDownload.la htm_b64Decode.la htm_SpamSum.la htm_aSavePostgres.la 11 lib_LTLIBRARIES = \ 12 htm_aSaveFile.la \ 13 htm_ftpDownload.la \ 14 htm_tftpDownload.la \ 15 htm_vncDownload.la \ 16 htm_b64Decode.la 17 18 if BUILD_SPAMSUM_PLUGIN 19 lib_LTLIBRARIES += htm_SpamSum.la 20 endif 21 22 if BUILD_POSTGRES_PLUGIN 23 lib_LTLIBRARIES += htm_aSavePostgres.la 24 endif 12 25 13 26 htm_aSaveFile_la_SOURCES = htm_aSaveFile.c htm_aSaveFile.h … … 26 39 htm_b64Decode_la_LDFLAGS = -module -no-undefined -avoid-version 27 40 41 if BUILD_SPAMSUM_PLUGIN 28 42 htm_SpamSum_la_SOURCES = htm_SpamSum.c htm_SpamSum.h 29 43 htm_SpamSum_la_LDFLAGS = -module -no-undefined -avoid-version 44 endif 30 45 46 if BUILD_POSTGRES_PLUGIN 31 47 htm_aSavePostgres_la_SOURCES = htm_aSavePostgres.c htm_aSavePostgres.h 32 48 htm_aSavePostgres_la_LDFLAGS = -module -no-undefined -avoid-version -lpq 49 endif 33 50 34 51 install-exec-am: 35 52 $(mkinstalldirs) $(DESTDIR)/$(sysconfdir)/honeytrap/plugins 36 for module in `find .libs -name htm_*.so | grep -v SpamSum`; do \53 for module in `find .libs -name htm_*.so`; do \ 37 54 [ -h $$module ] || $(INSTALL_DATA) "$$module" $(DESTDIR)/$(sysconfdir)/honeytrap/plugins/ ; \ 38 55 done 39 for module in `find . -name htm_*.*a | grep -v SpamSum`; do \56 for module in `find . -name htm_*.*a`; do \ 40 57 rm -f $(DESTDIR)/$(sysconfdir)/honeytrap/plugins/`basename "$$module"` ; \ 41 58 done honeytrap/trunk/src/modules/htm_aSavePostgres.c
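Review bot: The patterns in the install loop are unquoted, `find .libs -name htm_*.so` and `find . -name htm_*.*a`, so if the module directory itself contains a matching file the shell expands the glob before find sees it and the wrong file set is installed or removed; quote them as `-name 'htm_*.so'` and `-name 'htm_*.*a'`. The `-lpq` in `htm_aSavePostgres_la_LDFLAGS` is a library dependency and belongs in `htm_aSavePostgres_la_LIBADD` so libtool records it correctly for the module.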
r1248 r1249 13 13 * 14 14 * Description: 15 * This honeytrap module submits a recorded attackto a PostgreSQL database.15 * This honeytrap module submits recorded attacks to a PostgreSQL database. 16 16 * 17 17 */ 18 19 #ifdef USE_POSTGRES 18 20 19 21 #include <stdio.h> … … 159 161 /* check if sample already exists */ 160 162 memset(query, 0, MAX_SQL_BUFFER + 1); 161 if (snprintf(query, MAX_SQL_BUFFER, "SELECT m alware.sensor_exists_sample('%s', '%s');",163 if (snprintf(query, MAX_SQL_BUFFER, "SELECT mwcollect.sensor_exists_sample('%s', '%s');", 162 164 mem_sha512sum(attack->download->dl_payload.data, attack->download->dl_payload.size), 163 165 mem_md5sum(attack->download->dl_payload.data, attack->download->dl_payload.size)) >= MAX_SQL_BUFFER) { … … 177 179 } else { 178 180 /* escape byte data to prevent sql injection */ 181 logmsg(LOG_DEBUG, 1, "payload is %s.\n", attack->download->dl_payload.data); 179 182 if ((esc_bytea = PQescapeByteaConn(db_connection, attack->download->dl_payload.data, 180 183 attack->download->dl_payload.size, &length)) == NULL) { … … 185 188 return(-1); 186 189 } 190 logmsg(LOG_DEBUG, 1, "esc_bytea is %s.\n", esc_bytea); 187 191 188 192 if ((uri = build_uri(attack->download)) == NULL) { … … 198 202 } 199 203 memset(query, 0, MAX_SQL_BUFFER + 1); 200 if (snprintf(query, MAX_SQL_BUFFER, "SELECT attacks.sensor_honeytrap_add_sample('%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s')", 204 // if (snprintf(query, MAX_SQL_BUFFER, "SELECT attacks.sensor_honeytrap_add_sample('%s', '%s', '%s', '%s', '%s', '%s', %d, %d, '%s')", 205 logmsg(LOG_DEBUG, 1, "esc_bytea is %s.\n", esc_bytea); 206 if (snprintf(query, MAX_SQL_BUFFER, "SELECT mwcollect.sensor_add_sample('%s', '%s', '%s', '%s', '%s', '%s')", 207 mem_md5sum(attack->download->dl_payload.data, attack->download->dl_payload.size), 201 208 mem_sha512sum(attack->download->dl_payload.data, attack->download->dl_payload.size), 202 "honeytrap-default",203 "dynamic-generic",204 uri,209 esc_bytea, 210 // 
"honeytrap-default", 211 // "dynamic-generic", 205 212 inet_ntoa(*(struct in_addr*)&(attack->a_conn.l_addr)), 206 213 inet_ntoa(*(struct in_addr*)&(attack->a_conn.r_addr)), 207 attack->a_conn.l_port, 208 attack->download->r_port, 209 esc_bytea) >= MAX_SQL_BUFFER) { 214 uri 215 // attack->a_conn.l_port, 216 // attack->download->r_port, 217 ) >= MAX_SQL_BUFFER) { 210 218 logmsg(LOG_ERR, 1, "Postgres client error - Could not save malware: SQL query exceeds maximum size (increase MAX_SQL_BUFFER and recompile).\n"); 211 219 free(uri); … … 213 221 return(-1); 214 222 } 223 logmsg(LOG_DEBUG, 1, "Postgres client - Query is: %s.\n", query); 215 224 free(uri); 216 225 217 226 if (PQresultStatus(res = PQexec(db_connection, query)) != PGRES_TUPLES_OK) { 218 227 logmsg(LOG_ERR, 1, "Postgres client error - Malware submission failed: %s.\n", PQerrorMessage(db_connection)); 228 logmsg(LOG_DEBUG, 1, "Postgres client - Query was: %s.\n", query); 219 229 PQclear(res); 220 230 db_disconnect(); … … 227 237 228 238 /* get instance number for reference within attack_string record */ 229 mw_inst = atoi(PQgetvalue(res, 0, PQfnumber(res, "sensor_honeytrap_add_sample"))); 239 // mw_inst = atoi(PQgetvalue(res, 0, PQfnumber(res, "sensor_honeytrap_add_sample"))); 240 mw_inst = atoi(PQgetvalue(res, 0, PQfnumber(res, "sensor_add_sample"))); 230 241 231 242 PQclear(res); … … 334 345 return(0); 335 346 } 347 348 #endif honeytrap/trunk/src/modules/htm_aSavePostgres.h
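Review bot: The new debug line `logmsg(LOG_DEBUG, 1, "payload is %s.\n", attack->download->dl_payload.data);` prints the captured sample with %s, but the very next statement hands the same buffer to PQescapeByteaConn with an explicit dl_payload.size, so it is binary data with no guaranteed NUL terminator; the read can run past the buffer and copies arbitrary captured bytes into the log. Drop the line or log only the length: `logmsg(LOG_DEBUG, 1, "payload is %lu bytes.\n", (unsigned long) attack->download->dl_payload.size);`. The `"esc_bytea is %s.\n"` message is emitted twice (after the escape call and again before the snprintf), and the commented-out query and arguments at lines 204, 210-211, 215-216 and 239 should be removed rather than kept in the source. The statement still interpolates `uri` with '%s' while only the payload is escaped; unless build_uri (outside the hunk) escapes its output, that value is presumably derived from the recorded download and should pass through PQescapeStringConn, or the call should use PQexecParams. The enclosing function starts and ends outside these hunks.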
r1238 r1249 11 11 * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 12 12 */ 13 14 #ifdef USE_POSTGRES 13 15 14 16 #ifndef __HT_MODULE_ASAVEPOSTGRES_H … … 30 32 31 33 /* use static values for now. should be taken from configuration file */ 32 const char *db_info = "port=5432 host=127.0.0.1 user=mwcollect password=mwcollect dbname=mwcollect ";34 const char *db_info = "port=5432 host=127.0.0.1 user=mwcollect password=mwcollect dbname=mwcollect2"; 33 35 34 36 void plugin_init(void); … … 42 44 43 45 #endif 46 47 #endif honeytrap/trunk/src/modules/htm_ftpDownload.c
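Review bot: The changed line `const char *db_info = "port=5432 host=127.0.0.1 user=mwcollect password=mwcollect dbname=mwcollect2";` keeps a database password committed in a header, and as a non-static definition in a header it would also cause a duplicate-symbol link error should a second translation unit include the file. The comment above it already marks the values as provisional; until they are read from the configuration file, at least make it `static const char *db_info = ...;` and keep the credential out of the committed source.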
r1241 r1249 1 1 /* htm_ftpDownload.c 2 * Copyright (C) 2006 Tillmann Werner <tillmann.werner@gmx.de>2 * Copyright (C) 2006-2007 Tillmann Werner <tillmann.werner@gmx.de> 3 3 * 4 4 * This file is free software; as a special exception the author gives … … 227 227 228 228 229 int ftp_quit(int control_sock_fd, int data_sock_fd , int dumpfile_fd) {229 int ftp_quit(int control_sock_fd, int data_sock_fd) { 230 230 char rline[MAX_LINE+1]; /* MAX_LINE plus one char for \0 */ 231 231 int timeout = 60; … … 233 233 234 234 close(data_sock_fd); 235 close(dumpfile_fd);236 235 237 236 logmsg(LOG_NOISY, 1, "FTP download - Sending 'QUIT'.\n"); … … 252 251 int get_ftp_resource(const char *user, const char* pass, struct in_addr *lhost, struct in_addr *rhost, const int port, const char *save_file, Attack *attack) { 253 252 struct sockaddr_in control_socket, local_data_socket, remote_data_socket; 254 int control_sock_fd, data_sock_listen_fd, data_sock_fd, dumpfile_fd,253 int control_sock_fd, data_sock_listen_fd, data_sock_fd, 255 254 local_data_port, bytes_read, total_bytes, addr_len, select_return, timeout, retval; 256 255 uint8_t ip_octet[4], *binary_stream; … … 269 268 timeout = 60; 270 269 data_sock_fd = -1; 271 dumpfile_fd = -1;272 270 273 271 logmsg(LOG_NOTICE, 1, "FTP download - Requesting '%s' from %s:%u.\n", save_file, inet_ntoa(*rhost), port); … … 341 339 /* wait for 200 */ 342 340 while (strstr(rline, "200") != rline) { 343 341 /* read multi-line banner */ 342 while ((strlen(rline) > 3) && (rline[3] == '-')) { 343 if (read_ftp_line(control_sock_fd, rline, timeout) <= 0) return(0); 344 } 344 345 /* wait for 230 and send SYST and TYPE */ 345 346 if(strstr(rline, "230") == rline) { 347 346 348 /* Send SYST and switch to binary mode */ 347 349 /* Some buggy servers cannot handle a TYPE after SYST, so check for return value */ … … 431 433 sizeof(local_data_socket))) < 0) && (local_data_port < 65535)) { 432 434 logmsg(LOG_DEBUG, 1, 433 "FTP download - Port %d is already in use. 
Trying to bind onport %d.\n",435 "FTP download - Unable to bind port %d. Trying port %d.\n", 434 436 ntohs(local_data_socket.sin_port), ntohs(local_data_socket.sin_port)+1); 435 437 /* check if integer was overflowed to 0 */ … … 451 453 strerror(errno)); 452 454 close(data_sock_listen_fd); 453 ftp_quit(control_sock_fd, data_sock_fd , dumpfile_fd);455 ftp_quit(control_sock_fd, data_sock_fd); 454 456 return(-1); 455 457 } else logmsg(LOG_DEBUG, 1, "FTP download - Initialized FTP data channel on port %u/tcp.\n", … … 478 480 if(strstr(rline, "4") == rline) { 479 481 logmsg(LOG_WARN, 1, "FTP download - FTP error code received: %s", rline); 480 ftp_quit(control_sock_fd, data_sock_fd , dumpfile_fd);482 ftp_quit(control_sock_fd, data_sock_fd); 481 483 return(-1); 482 484 } … … 503 505 if(strstr(rline, "4") == rline) { 504 506 logmsg(LOG_WARN, 1, "FTP download - FTP error code received: %s", rline); 505 ftp_quit(control_sock_fd, data_sock_fd , dumpfile_fd);507 ftp_quit(control_sock_fd, data_sock_fd); 506 508 return(-1); 507 509 } … … 521 523 if (errno != EINTR) { 522 524 logmsg(LOG_ERR, 1, "FTP download error - Select on FTP data channel failed: %s.\n", strerror(errno)); 523 ftp_quit(control_sock_fd, data_sock_fd , dumpfile_fd);525 ftp_quit(control_sock_fd, data_sock_fd); 524 526 return(-1); 525 527 } … … 527 529 logmsg(LOG_WARN, 1, "FTP download - Transfer timeout, no incoming data connection for %d seconds.\n", 528 530 timeout); 529 ftp_quit(control_sock_fd, data_sock_fd , dumpfile_fd);531 ftp_quit(control_sock_fd, data_sock_fd); 530 532 return(-1); 531 533 } else if (FD_ISSET(data_sock_listen_fd, &rfds)) { … … 533 535 logmsg(LOG_ERR, 1, "FTP download error - Unable to accept FTP data connection: %s\n", 534 536 strerror(errno)); 535 ftp_quit(control_sock_fd, data_sock_fd , dumpfile_fd);537 ftp_quit(control_sock_fd, data_sock_fd); 536 538 return(-1); 537 539 } else logmsg(LOG_DEBUG, 1, "FTP download - Incoming data connection from %s:%u.\n", … … 550 552 if (errno != EINTR) 
{ 551 553 logmsg(LOG_ERR, 1, "FTP download error - Select on FTP data channel failed: %s.\n", strerror(errno)); 552 ftp_quit(control_sock_fd, data_sock_listen_fd , dumpfile_fd);554 ftp_quit(control_sock_fd, data_sock_listen_fd); 553 555 return(-1); 554 556 } 555 557 } else if (select_return == 0) { 556 558 logmsg(LOG_WARN, 1, "FTP download - Transfer timeout, no data to read for 10 seconds.\n"); 557 ftp_quit(control_sock_fd, data_sock_listen_fd , dumpfile_fd);558 return(-1); 559 } else if (FD_ISSET(data_sock_fd, &rfds)) { 559 ftp_quit(control_sock_fd, data_sock_listen_fd); 560 return(-1); 561 } else if (FD_ISSET(data_sock_fd, &rfds)) { 560 562 logmsg(LOG_DEBUG, 1, "FTP download - Data available, retrieving file.\n"); 561 563 /* receive file */ … … 566 568 total_bytes += bytes_read; 567 569 } 570 if (bytes_read < 0) { 571 logmsg(LOG_ERR, 1, "FTP download error - Unable to read from data channel: %s.\n", strerror(errno)); 572 ftp_quit(control_sock_fd, data_sock_listen_fd); 573 return(-1); 574 } 568 575 logmsg(LOG_NOISY, 1, "FTP download - Successfully downloaded %s.\n", save_file); 569 ftp_quit(control_sock_fd, data_sock_fd , dumpfile_fd);576 ftp_quit(control_sock_fd, data_sock_fd); 570 577 571 578 /* add download to attack record */ 572 if (total_bytes) {579 if (total_bytes) { 573 580 logmsg(LOG_DEBUG, 1, "FTP download - Adding download to attack record.\n"); 574 581 add_download("ftp", 6, rhost->s_addr, port, user, pass, (const char *) save_file, binary_stream, total_bytes, attack); … … 583 590 /* close open descriptors and return */ 584 591 while((read_ftp_line(control_sock_fd, rline, 5) && strstr(rline, "226") != rline)); 585 ftp_quit(control_sock_fd, data_sock_fd , dumpfile_fd);592 ftp_quit(control_sock_fd, data_sock_fd); 586 593 return(0); 587 594 } honeytrap/trunk/src/modules/htm_ftpDownload.h
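Review bot: The new read-error branch, `if (bytes_read < 0)` after the receive loop, calls `ftp_quit(control_sock_fd, data_sock_listen_fd);` while the accepted connection being read is data_sock_fd, so the socket that failed stays open on that path; the select-failure and timeout branches just above it (lines 554 and 559) have the same mismatch, and if binary_stream was allocated during the receive (its allocation is outside the hunk) it is not freed there either. In the new multi-line banner loop, `if (read_ftp_line(control_sock_fd, rline, timeout) <= 0) return(0);` leaves control_sock_fd open and returns 0 where every other failure in get_ftp_resource goes through ftp_quit and returns -1. That loop also assumes each continuation line carries the reply code followed by '-', which RFC 959 does not require for intermediate lines, so a free-form banner line can end the loop before the terminating "code space" line. get_ftp_resource's signature is in an earlier hunk and its body spans several hunks.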
r1238 r1249 1 1 /* htm_ftpDownload.h 2 * Copyright (C) 2006 Tillmann Werner <tillmann.werner@gmx.de>2 * Copyright (C) 2006-2007 Tillmann Werner <tillmann.werner@gmx.de> 3 3 * 4 4 * This file is free software; as a special exception the author gives … … 19 19 20 20 const char module_name[]="htm_ftpDownload"; 21 const char module_version[]="0.4. 0";21 const char module_version[]="0.4.1"; 22 22 23 23 void plugin_init(void); … … 26 26 int cmd_parse_for_ftp(Attack *attack); 27 27 int read_ftp_line(int control_sock_fd, char *rline, int timeout); 28 int ftp_quit(int control_sock_fd, int data_sock_fd , int dumpfile_fd);28 int ftp_quit(int control_sock_fd, int data_sock_fd); 29 29 int get_ftp_resource(const char *user, const char* pass, struct in_addr *lhost, struct in_addr *rhost, const int port, const char *save_file, Attack *attack); 30 30 int get_ftpcmd(char *attack_string, uint32_t string_size, struct in_addr lhost, Attack *attack);
