Changeset 354
- Timestamp:
- 02/23/06 15:43:23 (3 years ago)
- Files:
nepenthes/trunk/modules/log-prelude/log-prelude.cpp
r343 r354 28 28 /* $Id$ */ 29 29 30 #ifdef HAVE_LIBPRELUDE 30 31 #include <prelude.h> 32 #include <libprelude/prelude-log.h> 31 33 #include <idmef-message-print.h> 32 34 #include <prelude-io.h> 35 #include <libprelude/prelude-timer.h> 36 #endif 37 33 38 #include <arpa/inet.h> 34 35 39 #include "log-prelude.hpp" 36 40 #include "Nepenthes.hpp" … … 48 52 #include "Message.hpp" 49 53 #include "Utilities.hpp" 54 #include "Config.hpp" 55 #include "ShellcodeHandler.hpp" 56 50 57 51 58 using namespace nepenthes; … … 54 61 #undef STDTAGS 55 62 #endif 63 56 64 #define STDTAGS l_mod | l_ev | l_hlr 65 #define ANALYZER_MANUFACTURER "http://nepenthes.sf.net" 66 #define NEPENTHES_VERSION "$Rev$" 67 57 68 58 69 … … 87 98 m_EventHandlerDescription = "log events to a prelude database"; 88 99 89 m_Timeout = time(NULL) + rand()%23;100 // m_Timeout = time(NULL) + rand()%23; 90 101 91 102 g_Nepenthes = nepenthes; 92 103 104 #ifdef HAVE_LIBPRELUDE 93 105 m_PreludeClient = NULL; 106 #endif 94 107 } 95 108 … … 103 116 } 104 117 105 #define ANALYZER_CLASS "NIDS"106 #define ANALYZER_MODEL "Nepenthes"107 #define ANALYZER_MANUFACTURER "http://nepenthes.sf.net"108 #define DEFAULT_ANALYZER_NAME "markus.koetter"109 #define VERSION "$Rev$"110 111 112 static int32_t setup_analyzer(idmef_analyzer_t *analyzer)113 {114 int32_t ret;115 prelude_string_t *string;116 117 ret = idmef_analyzer_new_model(analyzer, &string);118 if ( ret < 0 )119 return ret;120 prelude_string_set_constant(string, ANALYZER_MODEL);121 122 ret = idmef_analyzer_new_class(analyzer, &string);123 if ( ret < 0 )124 return ret;125 prelude_string_set_constant(string, ANALYZER_CLASS);126 127 ret = idmef_analyzer_new_manufacturer(analyzer, &string);128 if ( ret < 0 )129 return ret;130 prelude_string_set_constant(string, ANALYZER_MANUFACTURER);131 132 ret = idmef_analyzer_new_version(analyzer, &string);133 if ( ret < 0 )134 return ret;135 prelude_string_set_constant(string, VERSION);136 137 return 0;138 }139 118 140 119 … … 143 122 * setup 
Module specific values 144 123 * here: 145 * - register a ls EventHandler124 * - register as EventHandler 146 125 * - set wanted events 147 126 * … … 151 130 bool LogPrelude::Init() 152 131 { 132 133 if ( m_Config == NULL ) 134 { 135 logCrit("%s","I need a config\n"); 136 return false; 137 } 138 139 string analyzerClass; 140 string analyzerModel; 141 string analyzerName; 142 143 try 144 { 145 analyzerClass = (m_Config->getValString("log-prelude.analyzerClass")); 146 analyzerModel = m_Config->getValString("log-prelude.analyzerModel"); 147 analyzerName = m_Config->getValString("log-prelude.analyzerName"); 148 149 } catch ( ... ) 150 { 151 logCrit("%s","Error setting needed vars, check your config\n"); 152 return false; 153 } 154 153 155 m_ModuleManager = m_Nepenthes->getModuleMgr(); 154 m_Events.set(EV_SUBMISSION);155 156 156 m_Events.set(EV_SOCK_TCP_ACCEPT); 157 157 m_Events.set(EV_SOCK_TCP_CLOSE); 158 m_Events.set(EV_SOCK_TCP_RX); 159 160 m_Events.set(EV_TIMEOUT); 161 158 m_Events.set(EV_DIALOGUE_ASSIGN_AND_DONE); 159 m_Events.set(EV_SHELLCODE_DONE); 160 161 m_Events.set(EV_DOWNLOAD); 162 m_Events.set(EV_SUBMISSION); 163 164 165 const char *profile, *config; 166 167 config = NULL; 168 profile = analyzerName.c_str(); 169 170 171 #ifdef HAVE_LIBPRELUDE 162 172 163 173 int32_t ret; 164 const char *profile, *config; 165 166 config = NULL; 167 profile = DEFAULT_ANALYZER_NAME; 168 169 // parse_args(args, &profile, &config); 170 174 // Initialize Prelude Library 171 175 ret = prelude_init(NULL, NULL); 172 176 if ( ret < 0 ) … … 175 179 prelude_strerror(ret)); 176 180 181 // generate a new Prelude client 177 182 ret = prelude_client_new(&m_PreludeClient, profile); 178 183 … … 182 187 prelude_strerror(ret)); 183 188 184 // ret = prelude_client_set_flags(m_PreludeClient, 185 // (prelude_client_flags_t) 186 // (prelude_client_get_flags(m_PreludeClient) | PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); 187 // ret = 
prelude_client_set_flags(m_PreludeClient,prelude_client_get_flags(m_PreludeClient) | PRELUDE_CLIENT_FLAGS_ASYNC_SEND|PRELUDE_CLIENT_FLAGS_ASYNC_TIMER); 189 190 // set options in the analyzer-part of the client 191 prelude_string_t *string; 192 193 ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); 194 if ( ret < 0 ) 195 return false; 196 prelude_string_set_constant(string, analyzerModel.c_str()); 197 198 ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); 199 if ( ret < 0 ) 200 return false; 201 prelude_string_set_constant(string, analyzerClass.c_str()); 202 203 ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string); 204 if ( ret < 0 ) 205 return false; 206 prelude_string_set_constant(string, ANALYZER_MANUFACTURER); 207 208 ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string); 209 if ( ret < 0 ) 210 return false; 211 212 prelude_string_set_constant(string, NEPENTHES_VERSION); 213 214 // start the Prelude Client 215 ret = prelude_client_start(m_PreludeClient); 216 if ( ret < 0 ) 217 { 218 if ( prelude_client_is_setup_needed(ret) ) 219 prelude_client_print_setup_error(m_PreludeClient); 220 221 logCrit("%s: Unable to initialize prelude client: %s.\n", 222 prelude_strsource(ret), prelude_strerror(ret)); 223 } 224 225 // set async Prelude Flags for the client, makes the application multithreaded 226 ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); 188 227 if ( ret < 0 ) 189 228 logCrit("%s: Unable to set asynchronous send and timer: %s.\n", 190 229 prelude_strsource(ret), 191 230 prelude_strerror(ret)); 192 193 setup_analyzer(prelude_client_get_analyzer(m_PreludeClient)); 194 195 ret = prelude_client_start(m_PreludeClient); 196 if ( ret < 0 ) 197 { 198 if ( prelude_client_is_setup_needed(ret) ) 199 
prelude_client_print_setup_error(m_PreludeClient); 200 201 logCrit("%s: Unable to initialize prelude client: %s.\n", 202 prelude_strsource(ret), prelude_strerror(ret)); 203 } 204 205 231 232 #endif 206 233 REG_EVENT_HANDLER(this); 207 234 return true; … … 210 237 211 238 /** 212 * unregister as EventHandler 239 * unregister as EventHandler, destroy the Prelude Client 213 240 * 214 241 * @return returns true if everything was fine … … 216 243 bool LogPrelude::Exit() 217 244 { 245 #ifdef HAVE_LIBPRELUDE 218 246 if( m_PreludeClient != NULL) 219 prelude_client_destroy(m_PreludeClient, PRELUDE_CLIENT_EXIT_STATUS_SUCCESS); 220 221 // UNREG_EVENT_HANDLER(this); 247 { 248 prelude_client_destroy(m_PreludeClient, (prelude_client_exit_status_t)(PRELUDE_CLIENT_EXIT_STATUS_SUCCESS)); 249 prelude_deinit(); 250 } 251 #endif 252 253 UNREG_EVENT_HANDLER(this); 222 254 return true; 223 255 } 224 256 257 258 259 /** 260 * This function adds char * idmef values into an idmef message 261 * 262 */ 263 #ifdef HAVE_LIBPRELUDE 225 264 int32_t add_idmef_object(idmef_message_t *message, const char *object, const char *value) 226 265 { … … 252 291 253 292 293 /** 294 * 295 * This function adds int32_t idmef values into an idmef message 296 */ 254 297 int32_t add_idmef_object(idmef_message_t *message, const char *object, int32_t i) 255 298 { … … 260 303 } 261 304 305 #endif 262 306 263 307 … … 272 316 uint32_t LogPrelude::handleEvent(Event *event) 273 317 { 274 logPF();318 // logPF(); 275 319 // logInfo("Event %i\n",event->getType()); 276 320 switch(event->getType()) … … 288 332 handleSubmission(event); 289 333 break; 290 291 case EV_ SOCK_TCP_RX:292 handle TCPrecv(event);334 335 case EV_DIALOGUE_ASSIGN_AND_DONE: 336 handleDialogueAssignAndDone(event); 293 337 break; 294 295 case EV_TIMEOUT: 296 m_Timeout = time(NULL) + 1; 297 // prelude_timer_wakeup(); 338 339 case EV_SHELLCODE_DONE: 340 handleShellcodeDone(event); 341 break; 342 343 344 case EV_DOWNLOAD: 345 handleDownload(event); 298 346 
break; 299 347 … … 307 355 void LogPrelude::handleTCPaccept(Event *event) 308 356 { 309 Socket *socket = ((SocketEvent *)event)->getSocket(); 310 311 SocketContext *ctx = new SocketContext(socket); 312 logInfo("Adding Socket 0x%x to Contexts\n",socket); 313 m_Contexts.push_back(ctx); 314 357 358 359 logInfo("%s","LogPrelude EVENT EV_SOCK_TCP_ACCEPT\n"); 360 361 #ifdef HAVE_LIBPRELUDE 362 Socket *socket = ((SocketEvent *)event)->getSocket(); 363 315 364 idmef_message_t *idmef; 316 365 … … 319 368 return; 320 369 321 add_idmef_object(idmef, "alert.classification.text" ," nepenthes::TCPSocket::acceptConnection");322 add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );370 add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established"); 371 // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); 323 372 324 373 … … 338 387 addr = socket->getLocalHost(); 339 388 address = inet_ntoa(*(in_addr *)&addr); 340 // add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); 341 342 add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible malicious connection established"); 343 add_idmef_object(idmef, "alert.assessment.impact.severity" ,"low"); 344 add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); 345 add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); 389 add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); 390 391 346 392 347 393 … … 361 407 prelude_client_send_idmef(m_PreludeClient, idmef); 362 408 363 // prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); 364 // logInfo("PreludeMessageID = %s \n",prelude_string_get_string(field)); 365 366 prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); 367 const char *msgid = prelude_string_get_string(field); 368 logInfo("PreludeMessageID = %s \n",msgid); 369 
addIDtoSocketContext(socket,(char *)msgid); 370 409 //prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); 410 //const char *msgid = prelude_string_get_string(field); 411 412 //logInfo("PreludeMessageID = %s \n",msgid); 371 413 372 414 idmef_message_destroy(idmef); 373 } 415 #endif 416 } 417 418 419 374 420 375 421 void LogPrelude::handleTCPclose(Event *event) … … 383 429 } 384 430 385 SocketContext *ctx = *findSocketContext(socket); 386 if (ctx == NULL) 387 { 388 logCrit("ctx is %x\n",ctx); 389 } 390 391 431 logInfo("%s","LogPrelude EVENT EV_SOCK_TCP_CLOSE\n"); 432 433 #ifdef HAVE_LIBPRELUDE 434 392 435 idmef_message_t *idmef; 393 436 … … 397 440 398 441 399 add_idmef_object(idmef, "alert.classification.text" ," nepenthes::TCPSocket::~TCPSocket");400 add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );442 add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed"); 443 // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); 401 444 402 445 … … 430 473 prelude_client_send_idmef(m_PreludeClient, idmef); 431 474 432 prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); 433 const char *msgid = prelude_string_get_string(field); 434 logInfo("CloseMessageID = %s \n",msgid); 435 addIDtoSocketContext(socket,(char *)msgid); 436 475 // prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); 476 // const char *msgid = prelude_string_get_string(field); 477 478 // logInfo("CloseMessageID = %s \n",msgid); 437 479 438 480 idmef_message_destroy(idmef); 439 440 // return; 441 442 ret = idmef_message_new(&idmef); 481 482 #endif 483 } 484 485 486 /** 487 * Send idmef message when finished with the Shellcode 488 * 489 */ 490 void LogPrelude::handleShellcodeDone(Event *event) 491 { 492 logInfo("%s", "LogPrelude EVENT EV_SHELLCODE_DONE\n"); 493 494 #ifdef HAVE_LIBPRELUDE 495 496 ShellcodeHandler *handler = 
((ShellcodeEvent *)event)->getShellcodeHandler(); 497 Socket *socket = ((ShellcodeEvent *)event)->getSocket(); 498 499 idmef_message_t *idmef; 500 501 int32_t ret = idmef_message_new(&idmef); 443 502 if ( ret < 0 ) 444 503 return; 445 add_idmef_object(idmef, "alert.correlation_alert.name" ,"TCP Session"); 446 447 char path[128]; 448 449 list<string>::iterator it; 450 uint32_t i=0; 451 452 for (it=ctx->m_Collection.begin();it!=ctx->m_Collection.end();it++,i++) 453 { 454 memset(path,0,128); 455 snprintf(path,127,"alert.correlation_alert.alertident(%i).alertident",i); 456 add_idmef_object(idmef,path,it->c_str() ); 457 } 458 504 string shellcodeText = "Shellcode detected " + handler->getShellcodeHandlerName(); 505 add_idmef_object(idmef, "alert.classification.text" ,shellcodeText.c_str()); 506 // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); 507 508 509 add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); 510 add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); 511 add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); 512 513 uint32_t addr = socket->getRemoteHost(); 514 string address = inet_ntoa(*(in_addr *)&addr); 515 add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); 516 517 518 add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes"); 519 add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); 520 add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); 521 522 addr = socket->getLocalHost(); 523 address = inet_ntoa(*(in_addr *)&addr); 524 add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); 525 526 527 add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Shellcode has been detected."); 528 add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium"); 529 // add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); 530 
add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); 531 532 533 idmef_time_t *time; 459 534 460 535 ret = idmef_time_new_from_gettimeofday(&time); … … 471 546 prelude_client_send_idmef(m_PreludeClient, idmef); 472 547 473 field = idmef_alert_get_messageid(idmef_message_get_alert(idmef));474 msgid = prelude_string_get_string(field);475 logInfo("CorrelationMsgID = %s \n",msgid);548 // prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); 549 // const char *msgid = prelude_string_get_string(field); 550 // logInfo("RecvMessageID = %s \n",msgid); 476 551 477 552 idmef_message_destroy(idmef); 478 479 } 480 481 482 void LogPrelude::handleTCPrecv(Event *event) 483 { 484 Message *msg = ((MessageEvent *)event)->getMessage(); 485 Socket *socket = ((MessageEvent *)event)->getMessage()->getSocket(); 486 487 SocketContext *ctx = new SocketContext(socket); 488 logInfo("Adding Socket 0x%x to Contexts\n",socket); 489 m_Contexts.push_back(ctx); 490 491 idmef_message_t *idmef; 492 493 int32_t ret = idmef_message_new(&idmef); 494 if ( ret < 0 ) 495 return; 496 497 add_idmef_object(idmef, "alert.classification.text" ,"nepenthes::TCPSocket::doRecv"); 498 add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); 499 500 501 add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); 502 add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); 503 add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); 504 505 uint32_t addr = socket->getRemoteHost(); 506 string address = inet_ntoa(*(in_addr *)&addr); 507 add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); 508 509 510 add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes"); 511 add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); 512 add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); 513 514 addr = socket->getLocalHost(); 515 address = 
inet_ntoa(*(in_addr *)&addr); 516 add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); 517 518 add_idmef_object(idmef, "alert.additional_data(0).type" ,"byte-string"); 519 520 521 unsigned char *payload = g_Nepenthes->getUtilities()->b64encode_alloc((unsigned char *)msg->getMsg(),msg->getSize()); 522 add_idmef_object(idmef, "alert.additional_data(0).data" ,(char *)payload); 523 free(payload); 524 525 add_idmef_object(idmef, "alert.additional_data(0).meaning" ,"the payload"); 526 527 idmef_time_t *time; 528 529 ret = idmef_time_new_from_gettimeofday(&time); 530 idmef_alert_set_create_time(idmef_message_get_alert(idmef), 531 time); 532 533 534 // analyzer id 535 idmef_alert_set_analyzer(idmef_message_get_alert(idmef), 536 idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), 537 0); 538 539 540 prelude_client_send_idmef(m_PreludeClient, idmef); 541 542 prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); 543 const char *msgid = prelude_string_get_string(field); 544 logInfo("RecvMessageID = %s \n",msgid); 545 addIDtoSocketContext(socket,(char *)msgid); 546 547 idmef_message_destroy(idmef); 548 } 549 553 #endif 554 } 555 556 557 /** 558 * 559 * handle submitted files 560 */ 550 561 void LogPrelude::handleSubmission(Event *event) 551 562 { 552 SubmitEvent *se = (SubmitEvent *)event;563 SubmitEvent *se = (SubmitEvent *)event; 553 564 Download *down = se->getDownload(); 554 565 555 se->getType();556 566 logInfo("LogPrelude EVENT EV_SUBMISSION %s %s %i \n",down->getUrl().c_str(), 557 567 down->getMD5Sum().c_str(), 558 568 down->getDownloadBuffer()->getSize()); 559 569 570 #ifdef HAVE_LIBPRELUDE 560 571 idmef_message_t *idmef; 561 572 … … 565 576 566 577 // generic information 567 add_idmef_object(idmef, "alert.classification.text" ," nepenthes::SubmitManager::Submit");578 add_idmef_object(idmef, "alert.classification.text" ,"Malware submited"); 568 579 569 580 string url = 
"http://nepenthes.sf.net/wiki/submission/" + down->getMD5Sum(); … … 581 592 add_idmef_object(idmef, "alert.target(0).file(0).Checksum(1).value" ,down->getSHA512Sum().c_str()); 582 593 594 uint32_t addr = down->getLocalHost(); 595 string address = inet_ntoa(*(in_addr *)&addr); 596 add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); 597 598 583 599 584 600 // infection host 585 uint32_t addr = down->getAddress();586 stringaddress = inet_ntoa(*(in_addr *)&addr);587 add_idmef_object(idmef, "alert.source( 1).Node.Address(0).address" ,address.c_str());601 addr = down->getRemoteHost(); 602 address = inet_ntoa(*(in_addr *)&addr); 603 add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); 588 604 589 605 590 606 // download source 591 607 add_idmef_object(idmef, "alert.source(0).Service.port" ,down->getDownloadUrl()->getPort()); 592 608 609 593 610 string protocol; 594 611 if (down->getDownloadUrl()->getProtocol() == "tftp" ) … … 601 618 add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); 602 619 620 add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Malware stored for further analysis"); 621 add_idmef_object(idmef, "alert.assessment.impact.severity" ,"high"); 622 // add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); 623 add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); 603 624 604 625 // time … … 617 638 prelude_client_send_idmef(m_PreludeClient, idmef); 618 639 idmef_message_destroy(idmef); 619 } 620 621 622 623 624 625 list<SocketContext *>::iterator LogPrelude::findSocketContext(Socket *socket) 626 { 627 list<SocketContext *>::iterator it; 628 for (it=m_Contexts.begin();it!=m_Contexts.end();it++) 629 { 630 if ((*it)->getSocket() == socket) 631 { 632 return it; 633 } 634 } 635 return NULL; 636 } 637 638 bool LogPrelude::addIDtoSocketContext(Socket *s,char *msgid) 639 { 640 list<SocketContext *>::iterator ctx; 641 if 
(( ctx = findSocketContext(s)) == NULL ) 642 { 643 return false; 644 } 645 646 (*ctx)->m_Collection.push_back(msgid); 647 // printf("Context %x\n\t %s \n",(uint32_t)(*ctx),(*ctx)->m_Collection.c_str()); 648 return true; 649 } 650 640 641 #endif 642 } 643 644 645 646 /** 647 * 648 * 649 * 650 */ 651 void LogPrelude::handleDialogueAssignAndDone(Event *event) 652 { 653 logInfo("%s", "LogPrelude EVENT EV_ASSIGN_AND_DONE\n"); 654 655 #ifdef HAVE_LIBPRELUDE 656 657 Dialogue *dia = ((DialogueEvent *)event)->getDialogue(); 658 Socket *socket = ((DialogueEvent *)event)->getSocket(); 659 idmef_message_t *idmef; 660 661 int32_t ret = idmef_message_new(&idmef); 662 if ( ret < 0 ) 663 return; 664 665 string attack = "Exploit attempt: " + dia->getDialogueName(); 666 667 // generic information 668 add_idmef_object(idmef, "alert.classification.text", attack.c_str()); 669 // add_idmef_object(idmef, "alert.classification.ident", attack.c_str()); 670 671 add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); 672 673 674 // // file name and info 675 // add_idmef_object(idmef, "alert.target(0).file(0).name" ,down->getDownloadUrl()->getFile().c_str()); 676 // add_idmef_object(idmef, "alert.target(0).file(0).data_size" ,down->getDownloadBuffer()->getSize()); 677 // add_idmef_object(idmef, "alert.target(0).file(0).Checksum(0).algorithm" ,"MD5"); 678 // add_idmef_object(idmef, "alert.target(0).file(0).Checksum(0).value" ,down->getMD5Sum().c_str()); 679 //// add_idmef_object(idmef, "alert.target(0).file(0).Checksum(0).category","current"); 680 // add_idmef_object(idmef, "alert.target(0).file(0).Checksum(1).algorithm" ,"SHA2-512"); 681 // add_idmef_object(idmef, "alert.target(0).file(0).Checksum(1).value" ,down->getSHA512Sum().c_str()); 682 683 684 // attacker 685 uint32_t addr = socket->getRemoteHost(); 686 string address = inet_ntoa(*(in_addr *)&addr); 687 add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", address.c_str()); 688 689 // 
target 690 addr = socket->getLocalHost(); 691 address = inet_ntoa(*(in_addr *)&addr); 692 add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", address.c_str()); 693 694 // string protocol; 695 // if (down->getDownloadUrl()->getProtocol() == "tftp" ) 696 // protocol = "UDP"; 697 // else 698 // protocol = "TCP"; 699 // 700 // add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); 701 // add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); 702 // add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); 703 704 add_idmef_object(idmef, "alert.assessment.impact.description" ,"An exploit attempt is getting handled."); 705 add_idmef_object(idmef, "alert.assessment.impact.severity" ,"low"); 706 // add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); 707 add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); 708 709 710 // time 711 idmef_time_t *time; 712 ret = idmef_time_new_from_gettimeofday(&time); 713 idmef_alert_set_create_time(idmef_message_get_alert(idmef), 714 time); 715 716 717 // analyzer id 718 idmef_alert_set_analyzer(idmef_message_get_alert(idmef), 719 idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), 720 0); 721 722 723 prelude_client_send_idmef(m_PreludeClient, idmef); 724 725 726 idmef_message_destroy(idmef); 727 728 #endif 729 } 730 731 732 733 734 735 736 /** 737 * 738 * 739 */ 740 void LogPrelude::handleDownload(Event *event) 741 { 742 SubmitEvent *se = (SubmitEvent *)event; 743 Download *down = se->getDownload(); 744 string url = se->getDownload()->getUrl(); 745 746 se->getType(); 747 logInfo("LogPrelude EVENT EV_DOWNLOAD %s %s %i \n",down->getUrl().c_str(), 748 down->getMD5Sum().c_str(), 749 down->getDownloadBuffer()->getSize()); 750 751 #ifdef HAVE_LIBPRELUDE 752 753 idmef_message_t *idmef; 754 755 int32_t ret = idmef_message_new(&idmef); 756 if ( ret < 0 ) 757 return; 758 759 // generic information 760 
add_idmef_object(idmef, "alert.classification.text" ,"possible Malware offered"); 761 add_idmef_object(idmef, "alert.classification.ident", url.c_str()); 762 763 // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); 764 765 766 // infection host 767 uint32_t addr = down->getRemoteHost(); 768 string address = inet_ntoa(*(in_addr *)&addr); 769 add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); 770 //target host 771 addr = down->getLocalHost(); 772 address = inet_ntoa(*(in_addr *)&addr); 773 add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); 774 775 776 // download source 777 string protocol; 778 if (down->getDownloadUrl()->getProtocol() == "tftp" ) 779 protocol = "UDP"; 780 else 781 protocol = "TCP"; 782 783 add_idmef_object(idmef, "alert.source(0).Service.port" ,down->getDownloadUrl()->getPort()); 784 add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); 785 // add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); 786 // add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); 787 add_idmef_object(idmef, "alert.assessment.impact.description" ,"Parsing the Shellcode has unrevealed a URL."); 788 add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium"); 789 // add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); 790 add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); 791 792 // time 793 idmef_time_t *time; 794 ret = idmef_time_new_from_gettimeofday(&time); 795 idmef_alert_set_create_time(idmef_message_get_alert(idmef), 796 time); 797 798 799 // analyzer id 800 idmef_alert_set_analyzer(idmef_message_get_alert(idmef), 801 idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), 802 0); 803 804 805 prelude_client_send_idmef(m_PreludeClient, idmef); 806 807 808 idmef_message_destroy(idmef); 809 #endif 810 811 } 651 812 652 
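Review bot: Init() still returns true and registers the event handler when prelude_client_start() fails (new lines 215–223): the failure is only logged, control falls through to prelude_client_set_flags() and REG_EVENT_HANDLER(), and every handler afterwards calls prelude_client_get_analyzer() / prelude_client_send_idmef() on a client that never started. The same gap exists one step earlier, where a failed prelude_client_new() leaves m_PreludeClient NULL but the newly inlined analyzer setup immediately passes it to prelude_client_get_analyzer(). After the logCrit in the start-failure block I would add `prelude_client_destroy(m_PreludeClient, PRELUDE_CLIENT_EXIT_STATUS_FAILURE); m_PreludeClient = NULL; return false;`, and add `if ( ret < 0 ) return false;` after the prelude_client_new() error log so the module is never registered with a half-initialised client. The early `return false;` exits in the idmef_analyzer_new_* checks leak the already-created client for the same reason and should destroy it too; none of the handlers check m_PreludeClient for NULL, so Init() is the only place this can be made safe.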
813 nepenthes/trunk/modules/log-prelude/log-prelude.hpp
r343 r354 28 28 /* $Id$ */ 29 29 30 #ifdef HAVE_LIBPRELUDE 30 31 #include <prelude.h> 32 #endif 33 31 34 #include <string> 32 35 … … 40 43 using namespace std; 41 44 45 #ifdef HAVE_LIBPRELUDE 42 46 int32_t add_idmef_object(idmef_message_t *message, const char *object, const char *value); 43 47 int32_t add_idmef_object(idmef_message_t *message, const char *object, int32_t i); 48 #endif 44 49 45 50 namespace nepenthes 46 51 { 47 48 class SocketContext49 {50 51 public:52 SocketContext(Socket *s)53 {54 m_Socket = s;55 }56 ~SocketContext()57 {58 m_Collection.clear();59 }60 61 Socket *getSocket()62 {63 return m_Socket;64 }65 66 list<string> m_Collection;67 protected:68 69 Socket *m_Socket;70 71 };72 73 52 74 53 class LogPrelude : public Module , public EventHandler … … 84 63 void handleTCPaccept(Event *event); 85 64 void handleTCPclose(Event *event); 86 void handle TCPrecv(Event *event);65 void handleDownload(Event *event); 87 66 void handleSubmission(Event *event); 67 void handleShellcodeDone(Event *event); 68 void handleDialogueAssignAndDone(Event *event); 69 88 70 protected: 89 71 uint64_t generateID() … … 92 74 } 93 75 94 list<SocketContext *>::iterator findSocketContext(Socket *s); 95 bool addIDtoSocketContext(Socket *s,char *msgid); 96 76 #ifdef HAVE_LIBPRELUDE 97 77 prelude_client_t *m_PreludeClient; 98 99 list <SocketContext *> m_Contexts; 100 78 #endif 101 79 }; 102 80
