Changeset 1582
- Timestamp:
- 02/29/08 20:03:17 (6 months ago)
- Files:
-
- nebula/trunk/src/classify.c (modified) (7 diffs)
- nebula/trunk/src/nebula.c (modified) (4 diffs)
- nebula/trunk/src/session.c (modified) (18 diffs)
- nebula/trunk/src/signals.c (modified) (4 diffs)
- nebula/trunk/src/signals.h (modified) (1 diff)
- nebula/trunk/src/util.c (modified) (1 diff)
nebula/trunk/src/classify.c
r1581 r1582 83 83 ((hash*)t->data)->cnt++; 84 84 85 if (verbose ) printf(" md5sumis %s (%u instances)\n", ((hash*)t->data)->md5sum, ((hash*)t->data)->cnt);86 if (verbose) printf(" absolutematch found.\n");85 if (verbose > 1) printf(" MD5 hash is %s (%u instances)\n", ((hash*)t->data)->md5sum, ((hash*)t->data)->cnt); 86 if (verbose) printf(" Absolute MD5 match found.\n"); 87 87 return(0); 88 88 } else { … … 111 111 exit(EXIT_FAILURE); 112 112 } 113 if (verbose) printf(" md5sumis %s (%u instances)\n", ((hash*)t->data)->md5sum, ((hash*)t->data)->cnt);113 if (verbose) printf(" MD5 hash is %s (%u instances)\n", ((hash*)t->data)->md5sum, ((hash*)t->data)->cnt); 114 114 115 115 … … 122 122 if (!((hash*)t->data)->cl) { 123 123 add_entry_to_cluster((cluster *)cur_cqelem->data, (hash*)t->data); 124 if (verbose) printf(" cluster has now %u elements.\n", ((hash*)t->data)->cl->cnt); 124 if (verbose) printf(" Cluster has now %u elements (threshold is %lu).\n", 125 ((hash*)t->data)->cl->cnt, ((hash*)t->data)->cl->threshold); 125 126 break; 126 127 } else { … … 159 160 160 161 161 } else if (verbose) printf(" cluster has now %u elements.\n", ((hash*)t->data)->cl->cnt); 162 } else if (verbose) printf(" Cluster has now %u elements (threshold is %lu).\n", 163 ((hash*)t->data)->cl->cnt, ((hash*)t->data)->cl->threshold); 162 164 } else { 163 165 // create new cluster of two outliers … … 186 188 ((cluster *) clusterq->head->data)->parent = clusterq->head; 187 189 188 if (verbose) printf(" cluster created.\n");190 if (verbose) printf(" New Cluster created.\n"); 189 191 } 190 192 } … … 197 199 198 200 199 if (verbose ) printf(" spamsum is %s (%u instances)\n", ((hash*)t->data)->spamsum, ((hash*)t->data)->cnt);201 if (verbose > 1) printf(" Spamsum is %s (%u instances)\n", ((hash*)t->data)->spamsum, ((hash*)t->data)->cnt); 200 202 201 203 if (!((hash*)t->data)->cl) { … … 216 218 queue_ins(outlierq, t->data, outlierq_max); 217 219 218 if (verbose) printf(" input added to outlier 
queue.\n");219 } 220 } 221 222 // check for signature generation criteri ahere220 if (verbose) printf(" Input added to outlier queue (queue size: %lu).\n", outlierq->size); 221 } 222 } 223 224 // check for signature generation criterion here 223 225 if ((((hash*)t->data)->cl) && ((hash*)t->data)->cl->cnt >= ((hash*)t->data)->cl->threshold) { 224 printf("[=] cluster size (%u) hit threshold (%lu), generating signature.\n",226 printf("[=] Cluster size (%u) hit threshold (%lu), generating signature.\n", 225 227 ((hash*)t->data)->cl->cnt, ((hash*)t->data)->cl->threshold); 226 228 nebula/trunk/src/nebula.c
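Review bot: The MD5-hash trace at line 85 is now gated on `verbose > 1`, but the identical " MD5 hash is %s (%u instances)" line at 113 still prints at plain `verbose`, so the two branches of the same lookup log at different levels; line 113 should read `if (verbose > 1) printf(" MD5 hash is %s (%u instances)\n", ((hash*)t->data)->md5sum, ((hash*)t->data)->cnt);` to match. The new messages also print `cl->threshold` and `outlierq->size` with `%lu`; their declarations are outside the hunk, so this is inferred, but if those fields are `size_t` rather than `unsigned long` the correct specifier is `%zu`. The enclosing function begins and ends outside the shown hunks.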
r1570 r1582 55 55 " -a <filename>\t append new snort signatures to this file\n" 56 56 "\t\t -C <size>\t cluster queue size\n" 57 "\t\t -c <similarity> cluster criteri a(a similarity measure in percent)\n"57 "\t\t -c <similarity> cluster criterion (a similarity measure in percent)\n" 58 58 "\t\t -d\t\t daemonize\n" 59 59 "\t\t -h\t\t this help\n" … … 100 100 rules_file = NULL; // a: NULL 101 101 clusterq_max = 5000; // C 102 cluster_radius = 95.0; // c: 95% similarity as cluster criteri a102 cluster_radius = 95.0; // c: 95% similarity as cluster criterion 103 103 daemonize = 0; // d: 0 104 104 clusterhashq_max = 500000; // E … … 236 236 237 237 if (verbose) { 238 printf(" Initial snort signature ID: %u\n\n", global_sid); 239 printf(" Initial cluster size threshold: %lu\n\n", initial_threshold); 240 } 238 printf(" Initial snort signature ID: %u\n", global_sid); 239 printf(" Initial cluster size threshold: %lu\n", initial_threshold); 240 printf(" Cluster criterion (minimal similarity): %.1f percent\n", cluster_radius); 241 } 242 printf("\n"); 241 243 242 244 … … 283 285 pthread_mutex_unlock(&sessions_mutex); 284 286 285 if (verbose ) printf("[>] Connection accepted.\n");287 if (verbose > 1) printf("[>] Connection accepted.\n"); 286 288 break; 287 289 } nebula/trunk/src/session.c
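Review bot: The `-c` usage text at line 57 describes the cluster criterion as a fixed start-up value, but this same changeset (signals.c) makes it adjustable at runtime in 5-percent steps via `SIGRTMIN+5`/`SIGRTMIN+6`, and the verbosity level via `SIGRTMIN+3`/`SIGRTMIN+4`; the help output is the only place an operator would learn that, so add a short paragraph to the usage string listing the four control signals and their effect. The new `printf("\n");` at line 242 sits outside the `if (verbose)` block and therefore emits a blank line on every start; if that is intended it deserves a one-line comment, otherwise it belongs inside the block. The enclosing function starts and ends outside the shown hunks.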
r1568 r1582 49 49 if (pfd) { 50 50 if (pfd->fd >= 0) close(pfd->fd); 51 if (verbose ) printf("[<] Connection terminated.\n");51 if (verbose > 1) printf("[<] Connection terminated.\n"); 52 52 53 53 memset(pfd, 0, sizeof(struct pollfd)); … … 99 99 100 100 if ((bytes_read = read(fd, buf + s->bytes_read, len - s->bytes_read)) == -1) { 101 fprintf(stderr, "Error while readingfrom socket: %s.\n", strerror(errno));101 fprintf(stderr, "Error - Unable to read from socket: %s.\n", strerror(errno)); 102 102 return(-1); 103 103 } … … 160 160 161 161 if (!strncmp(sha512sum, s->secret_hash, 128)) { 162 if (verbose > 1) printf(" valid secret hash read, session authenticated.\n");162 if (verbose > 1) printf(" Valid secret hash read, session authenticated.\n"); 163 163 s->state = AUTHENTICATED; 164 164 s->bytes_read = 0; … … 168 168 169 169 if (s->state != AUTHENTICATED) { 170 if (verbose > 1) printf(" secret mismatch, dropping session.\n");170 if (verbose > 1) printf(" Secret mismatch, dropping session.\n"); 171 171 return(0); 172 172 } … … 185 185 } else if (rv == 32) { 186 186 s->md5sum[32] = 0; 187 if (verbose > 1) printf(" attack md5sum: %s\n", s->md5sum);187 if (verbose > 1) printf(" Attack MD5 hash: %s\n", s->md5sum); 188 188 189 189 pthread_rwlock_rdlock(&md5sum_trie_lock); … … 197 197 return(-1); 198 198 } 199 printf("[x] Rejecting known attack\n"); 200 199 200 // increase instance counter 201 ((hash*)t->data)->cnt++; 202 if (verbose > 1) printf(" MD5 hash is %s (%u instances)\n", ((hash*)t->data)->md5sum, ((hash*)t->data)->cnt); 203 204 if (verbose) printf("[x] Absolute MD5 match found, Rejecting known attack\n"); 201 205 return(0); 202 206 } else { … … 208 212 } 209 213 210 if (verbose > 1) printf(" unknown attack, submission requested.\n");214 if (verbose > 1) printf(" Unknown attack, submission requested.\n"); 211 215 s->state = REQUEST_SENT; 212 216 s->bytes_read = 0; … … 220 224 switch (s->protocol) { 221 225 case 6: 222 if (verbose > 1) printf(" protocol: 
TCP\n");226 if (verbose > 1) printf(" Protocol: TCP\n"); 223 227 break; 224 228 case 17: 225 if (verbose > 1) printf(" protocol: UDP\n");229 if (verbose > 1) printf(" Protocol: UDP\n"); 226 230 break; 227 231 default: 228 if (verbose > 1) printf(" protocol: unknown\n");232 if (verbose > 1) printf(" Protocol: unknown\n"); 229 233 return(0); 230 234 break; … … 240 244 } else if (rv == 2) { 241 245 s->port = ntohs(s->port); 242 if (verbose > 1) printf(" port: %u\n", s->port);246 if (verbose > 1) printf(" Port: %u\n", s->port); 243 247 s->state = PORT_READ; 244 248 s->bytes_read = 0; … … 251 255 } else if (rv == 4) { 252 256 s->attack_len = ntohl(s->attack_len); 253 if (verbose > 1) printf(" bytes of attacks: %lu\n", s->attack_len);257 if (verbose > 1) printf(" Bytes of attack string: %lu\n", s->attack_len); 254 258 s->state = ATTACK_LEN_READ; 255 259 s->bytes_read = 0; … … 262 266 } else if (rv == 4) { 263 267 s->cattack_len = ntohl(s->cattack_len); 264 if (verbose > 1) printf(" bytes of compressed attacks: %u\n", s->cattack_len);268 if (verbose > 1) printf(" Bytes of compressed attack string: %u\n", s->cattack_len); 265 269 s->state = CATTACK_LEN_READ; 266 270 s->bytes_read = 0; … … 276 280 return(-1); 277 281 } else if (rv == s->cattack_len) { 278 if (verbose > 1) printf(" attack read.\n");282 if (verbose > 1) printf(" Attack read.\n"); 279 283 s->state = CATTACK_READ; 280 284 s->bytes_read = 0; … … 287 291 } else if (rv == 2) { 288 292 s->hmac_len = ntohs(s->hmac_len); 289 if (verbose > 1) printf(" length of HMAC: %u\n", s->hmac_len);293 if (verbose > 1) printf(" Length of HMAC: %u\n", s->hmac_len); 290 294 s->state = HMAC_LEN_READ; 291 295 s->bytes_read = 0; … … 300 304 return(-1); 301 305 } else if (rv == s->hmac_len) { 302 if (verbose > 1) printf(" HMAC read: %s\n", s->hmac);306 if (verbose > 1) printf(" HMAC read: %s\n", s->hmac); 303 307 hmac_port = htons(s->port); 304 308 … … 308 312 return(-1); 309 313 } 310 if (verbose > 1) printf(" response sent.\n");314 
if (verbose > 1) printf(" Response sent.\n"); 311 315 312 316 … … 338 342 339 343 free(sha512sum); 340 if (verbose > 1) printf(" receivedHMAC is valid.\n");344 if (verbose > 1) printf(" HMAC is valid.\n"); 341 345 342 346 … … 361 365 exit(EXIT_FAILURE); 362 366 } 363 if (verbose > 1) printf(" successfully uncompressed %lu bytes.\n", s->attack_len);367 if (verbose > 1) printf(" Successfully uncompressed %lu bytes.\n", s->attack_len); 364 368 365 369 if (s->protocol == 6) … … 371 375 md5sum = mem_md5sum(s->attack, s->attack_len); 372 376 if (md5sum && strncmp(md5sum, s->md5sum, 32)) { 373 fprintf(stderr, " Attack checksum does not match, discarding submission.\n");377 fprintf(stderr, "[x] Attack checksum does not match, discarding submission.\n"); 374 378 return(-1); 375 379 } nebula/trunk/src/signals.c
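Review bot: The new `((hash*)t->data)->cnt++` at line 201 is a read-modify-write on a shared trie entry, and at line 189 the surrounding lookup takes only `pthread_rwlock_rdlock(&md5sum_trie_lock)`; if that read lock is still what is held here (the lines between 189 and 197 are not in the hunk) concurrent sessions reporting the same attack can race on the counter and lose increments, so the increment needs the write lock or an atomic such as `__sync_fetch_and_add(&((hash*)t->data)->cnt, 1);`. The duplicate-attack rejection at line 204 is now logged only when `verbose` is set, whereas the removed line 199 printed it unconditionally; a rejected submission is an operational event rather than a trace, so consider keeping it unconditional as `printf("[x] Absolute MD5 match found, rejecting known attack.\n");`. The enclosing function starts and ends outside the shown hunks.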
r1566 r1582 31 31 32 32 33 void handle_usr_signal(int sig) { 34 switch (sig) { 35 case SIGUSR1: 33 // SIGRTMIN+[0..2] are used for thread control 34 #define SIGINCV (SIGRTMIN+3) // signal to increase verbosity level 35 #define SIGDECV (SIGRTMIN+4) // signal to decrease verbosity level 36 #define SIGINCC (SIGRTMIN+5) // signal to increase similarity threshold by 5 37 #define SIGDECC (SIGRTMIN+6) // signal to decrease similarity threshold by 5 38 39 40 void handle_ctrl_signal(int sig) { 41 if (sig == SIGINCV) { 36 42 verbose++; 37 printf("Verbosity level increased to %u.\n", verbose); 38 break; 39 case SIGUSR2: 40 if (!verbose) break; 43 write(STDOUT_FILENO, "[*] Verbosity level increased.\n", 31); 44 return; 45 } 46 if (sig == SIGDECV) { 47 if (!verbose) return; 41 48 verbose--; 42 printf("Verbosity level decreased to %u.\n", verbose); 43 break; 44 default: 45 break; 49 write(STDOUT_FILENO, "[*] Verbosity level decreased.\n", 31); 50 return; 51 } 52 if (sig == SIGINCC) { 53 if (cluster_radius == 100.0) return; 54 if (cluster_radius < 95.0) { 55 cluster_radius += 5.0; 56 write(STDOUT_FILENO, "[*] Cluster criterion increased by 5 percent\n", 44); 57 } else { 58 cluster_radius = 100.0; 59 write(STDOUT_FILENO, "[*] Cluster criterion increased to 100 percent\n", 46); 60 } 61 return; 62 } 63 if (sig == SIGDECC) { 64 if (cluster_radius == 0.0) return; 65 if (cluster_radius > 5.0) { 66 cluster_radius -= 5.0; 67 write(STDOUT_FILENO, "[*] Cluster criterion decreased by 5 percent\n", 44); 68 } else { 69 cluster_radius = 0.0; 70 write(STDOUT_FILENO, "[*] Cluster criterion decreased to 0 percent\n", 44); 71 } 72 return; 46 73 } 47 74 return; … … 49 76 50 77 void handle_term_signal(int sig) { 51 if (verbose) printf("\nPremature termination forced (signal %d caught).\n", sig); 78 if (sig == SIGINT) { 79 // free memory and quit 80 if (verbose) write(STDOUT_FILENO, "[*] Termination forced, cleaning up.\n", 37); 81 cleanup(); 82 write(STDOUT_FILENO, "[*] Done.\n", 10); 83 
exit(EXIT_SUCCESS); 84 } 52 85 53 cleanup(); 54 55 printf("[*] Done.\n"); 56 exit(EXIT_SUCCESS); 57 return; 86 // signal indicates an error 87 write(STDOUT_FILENO, "\n[*] Premature termination forced.\n", 35); 88 exit(EXIT_FAILURE); 58 89 } 59 60 61 #ifdef PROFILE62 void handle_alarm_signal(int sig) {63 if (show_progress) printf("\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b\n");64 printf("%*u | files: %*u\tcluster: %*u\toutlier: %*u\tduplicates: %*u \tfiles/second: %*.0f\tbytes/second: %*u\n",65 6, checkpoint,66 8, (unsigned int) num_of_files,67 5, (unsigned int) clusterq->size,68 7, (unsigned int) outlierq->size,69 7, num_of_duplicates,70 6, files_in_interval/alarm_time,71 9, (unsigned int) bytes_in_interval/alarm_time);72 fflush(stdout);73 74 checkpoint++;75 files_in_interval = 0;76 bytes_in_interval = 0;77 alarm(alarm_time);78 79 return;80 }81 #endif82 90 83 91 … … 96 104 SIGTERM 97 105 }; 98 // install handler for signals to toggle verbosity 106 107 108 // install handler for control realtime signals 99 109 memset(&s_action, 0, sizeof(struct sigaction)); 100 s_action.sa_handler = handle_ usr_signal;110 s_action.sa_handler = handle_ctrl_signal; 101 111 #ifdef SA_RESTART 102 112 s_action.sa_flags |= SA_RESTART; 103 113 #endif 104 if (sigaction(SIGUSR1, &s_action, NULL) == -1) { 105 fprintf(stdout, " Error - Unable to install handler for signal %d: %m.\n", SIGUSR1); 106 exit(EXIT_FAILURE); 114 for (i = 3; i < 8; i++) { 115 if (sigaction(SIGRTMIN+i, &s_action, NULL) == -1) { 116 fprintf(stdout, " Error - Unable to install handler for signal %d: %m.\n", SIGRTMIN+i); 117 exit(EXIT_FAILURE); 118 } 107 119 } 108 if (sigaction(SIGUSR2, &s_action, NULL) == -1) { 109 fprintf(stdout, " Error - Unable to install handler for signal %d: %m.\n", SIGUSR2); 110 exit(EXIT_FAILURE); 111 } 120 112 121 113 122 // install handler for signals which terminate the process … … 124 133 } 125 134 126 #ifdef PROFILE127 // install handler for SIGALARM128 memset(&s_action, 0, sizeof(struct 
sigaction));129 s_action.sa_handler = handle_alarm_signal;130 #ifdef SA_RESTART131 s_action.sa_flags |= SA_RESTART;132 #endif133 if (sigaction(SIGALRM, &s_action, NULL) == -1) {134 fprintf(stdout, " Error - Unable to install handler for signal %d: %m.\n", SIGALRM);135 exit(EXIT_FAILURE);136 }137 #endif138 139 135 return; 140 136 } nebula/trunk/src/signals.h
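Review bot: Four of the hard-coded byte counts passed to `write()` in `handle_ctrl_signal` are one short, so the trailing newline is dropped: "[*] Cluster criterion increased by 5 percent\n" and its "decreased" twin are 45 bytes (lines 56 and 67 pass 44), "[*] Cluster criterion increased to 100 percent\n" is 47 (line 59 passes 46) and "[*] Cluster criterion decreased to 0 percent\n" is 45 (line 70 passes 44); derive the length from the literal instead, e.g. `#define SIG_PUTS(s) ((void)write(STDOUT_FILENO, (s), sizeof(s) - 1))` and `SIG_PUTS("[*] Cluster criterion increased by 5 percent\n");`. The handler also modifies `verbose` and the `double` `cluster_radius` from signal context; their declarations are not in the hunk, but unless `verbose` is `volatile sig_atomic_t` the worker threads reading it may see stale values, and a `double` update is not async-signal-safe in any case, so a better shape is to record the request in a `volatile sig_atomic_t` flag and apply it from the main loop. The installation loop at line 114 runs `i` from 3 to 7 while only `SIGRTMIN+3..+6` are defined at lines 34-37, and it never checks `SIGRTMIN+i <= SIGRTMAX`. `handle_term_signal` now runs `cleanup()` only for `SIGINT`, so `SIGTERM` (which appears in the terminating-signal array at line 97) exits with `EXIT_FAILURE` and no cleanup, and `cleanup()`/`exit()` are themselves not async-signal-safe; `set_signal_handlers` begins outside the hunk. signals.h (r1582, line 29) still declares `void handle_usr_signal(int sig);`, which no longer exists, and no prototype for `handle_ctrl_signal` is visible in its shown hunk.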
r1566 r1582 29 29 void handle_usr_signal(int sig); 30 30 void handle_term_signal(int sig); 31 #ifdef PROFILE32 void handle_alarm_signal(int sig);33 #endif34 31 void set_signal_handlers(void); 35 32 nebula/trunk/src/util.c
r1566 r1582 108 108 lock_mutex = 0; 109 109 110 printf("[*] Cleaning up...\n");111 110 // close all open sessions 112 111 for (i = 0; i+1 < POLLFD_SET_SIZE; i++)
