Changeset 573
- Timestamp:
- 06/24/06 16:32:16 (3 years ago)
nepenthes/trunk/modules/module-honeytrap/module-honeytrap.conf.dist
r569 r573 1 1 module-honeytrap 2 2 { 3 listen_mode "ipq"; // valid values are ipq and pcap 3 listen_mode "ipq"; // valid values are ipq pcap and divert 4 5 6 pcap 7 { 8 device "any"; // any should be valid always 9 }; 10 11 divert 12 { 13 port "4711"; 14 }; 15 16 4 17 }; nepenthes/trunk/modules/module-honeytrap/module-honeytrap.cpp
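Review bot: The updated `listen_mode` comment advertises `divert` as a valid value, but the mode parsing added to module-honeytrap.cpp in this same changeset compares against "ipfw" (`if (mode == "ipfw")`) and the capability string is built with "ipfw", so a user who follows the sample gets "Invalid mode". Either the comment should read `// valid values are ipq, pcap and ipfw` or the parser should accept "divert" as well. The new `divert { port "4711"; }` block is also not read anywhere in this changeset — Init_IPFW hard-codes 4711 with a FIXME — so presumably it should be fetched the way `pcap.device` is (`m_Config->getValString("module-honeytrap.divert.port")`, key path inferred from the block layout) or the sample should say the value is not yet honored.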
r572 r573 28 28 /* $Id$ */ 29 29 30 #include <ctype.h> 30 #include <sys/types.h> 31 #include <sys/socket.h> 32 #include <arpa/inet.h> 33 #include <netpacket/packet.h> 34 #include <net/ethernet.h> /* the L2 protocols */ 31 35 #include <netinet/in.h> 36 37 32 38 33 39 #include "module-honeytrap.hpp" … … 38 44 #include "LogManager.hpp" 39 45 #include "DialogueFactoryManager.hpp" 40 46 #include "Utilities.hpp" 41 47 42 48 #include "Buffer.hpp" … … 102 108 #endif 103 109 104 m_HTType = HT_IPQ; 110 #ifdef HAVE_IPFW 111 m_DivertSocket = -1; 112 #endif 113 114 m_HTType = HT_NONE; 105 115 } 106 116 … … 127 137 128 138 #ifdef HAVE_IPQ 129 isupport += "ipq"; 139 isupport += "ipq,"; 140 #endif 141 142 #ifdef HAVE_IPFW 143 isupport += "ipfw"; 130 144 #endif 131 145 … … 149 163 } 150 164 165 #ifdef HAVE_PCAP 151 166 if (mode == "pcap") 152 167 { 153 168 m_HTType = HT_PCAP; 154 155 }else 169 } 170 #endif 171 172 #ifdef HAVE_IPQ 156 173 if (mode == "ipq") 157 174 { 158 175 m_HTType = HT_IPQ; 159 }else 176 } 177 #endif 178 179 #ifdef HAVE_IPFW 180 if (mode == "ipfw") 181 { 182 m_HTType = HT_IPFW; 183 } 184 #endif 185 186 187 if (m_HTType == HT_NONE) 160 188 { 161 189 logCrit("Invalid mode %s for module-honeytrap\n",mode.c_str()); … … 175 203 retval = Init_IPQ(); 176 204 break; 205 206 case HT_IPFW: 207 retval = Init_IPFW(); 208 break; 209 210 default: 211 logCrit("Invalid mode for module-honeytrap\n"); 212 177 213 } 178 214 … … 210 246 } 211 247 248 bool ModuleHoneyTrap::Init_IPFW() 249 { 250 #ifdef HAVE_IPFW 251 if ((m_DivertSocket = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)) == -1) 252 { 253 logCrit("Could not create divert socket for ipfw %s\n",strerror(errno)); 254 return false; 255 } 256 bzero(&m_DivertSin, sizeof(m_DivertSin)); 257 m_DivertSin.sin_port = htons(4711); // FIXME 258 m_DivertSin.sin_family = PF_INET; 259 m_DivertSin.sin_addr.s_addr = INADDR_ANY; 260 261 if (bind(m_DivertSocket, (struct sockaddr *)&m_DivertSin, sizeof(m_DivertSin)) == -1) 262 { 263 logCrit("Could 
not bind divert socket %s\n",strerror(errno)); 264 return false; 265 } 266 logInfo("Bound divert socket on port %i\n",4711); //FIXME 267 return true; 268 #else 269 logCrit("IPFW not supported, check your plattform\n"); 270 return false; 271 #endif // HAVE_IPFW 272 273 } 274 275 212 276 bool ModuleHoneyTrap::Init_PCAP() 213 277 { … … 217 281 218 282 logInfo("Using pcap %s\n",pcap_lib_version()); 219 220 if ( (m_RawListener = pcap_open_live("any", 1500, 1, 0, errbuf)) == NULL ) 221 { 222 logCrit("Could not open raw listener '%s'\n",errbuf); 223 return false; 224 } 225 226 283 m_PcapDevice = m_Config->getValString("module-honeytrap.pcap.device"); 284 285 286 287 if ( (m_RawListener = pcap_open_live(m_PcapDevice.c_str(), 1500, 1, 0, errbuf)) == NULL ) 288 { 289 logCrit("Could not open raw listener on device %s '%s'\n",m_PcapDevice.c_str(),errbuf); 290 return false; 291 } 292 293 string bpf_filter_string = "tcp[tcpflags] & tcp-rst != 0 "; 294 295 pcap_if_t *alldevsp = NULL; 296 297 if( pcap_findalldevs(&alldevsp,errbuf) == -1) 298 { 299 logCrit("pcap_findalldevs failed %s\n",errbuf); 300 return false; 301 302 } 303 304 string bpf_filter_string_addition; 305 306 for(pcap_if_t *alldev = alldevsp;alldev != NULL;alldev = alldev->next) 307 { 308 if (m_PcapDevice != "any" && alldev->name != m_PcapDevice) 309 continue; 310 311 if (alldev->name) 312 logSpam("name %s\n",alldev->name); 313 if (alldev->description) 314 logSpam("\tdescription %s\n",alldev->description); 315 316 logSpam("\tflags %i\n",alldev->flags); 317 318 319 // char inet6addr[64]; 320 321 for (pcap_addr_t *addr = alldev->addresses; addr != NULL; addr = addr->next) 322 { 323 switch(addr->addr->sa_family) 324 { 325 case AF_INET: 326 logSpam("\t\tAF_INET\n"); 327 if (addr->addr) 328 logSpam("\t\t\taddr %s\n",inet_ntoa(*(struct in_addr*) &(((struct sockaddr_in *)addr->addr)->sin_addr))); 329 if (addr->netmask) 330 logSpam("\t\t\tnetmask %s\n",inet_ntoa(*(struct in_addr*) &(((struct sockaddr_in 
*)addr->netmask)->sin_addr))); 331 if (addr->broadaddr) 332 logSpam("\t\t\tbcast %s\n",inet_ntoa(*(struct in_addr*) &(((struct sockaddr_in *)addr->broadaddr)->sin_addr))); 333 if (addr->dstaddr ) 334 logSpam("\t\t\tdstaddr %s\n",inet_ntoa(*(struct in_addr*) &(((struct sockaddr_in *)addr->dstaddr)->sin_addr))); 335 336 if (bpf_filter_string_addition == "") 337 { 338 bpf_filter_string_addition += string("src host ") + 339 string(inet_ntoa(*(struct in_addr*) &(((struct sockaddr_in *)addr->addr)->sin_addr))) + 340 string(" "); 341 }else 342 { 343 bpf_filter_string_addition += string("or src host ") + 344 string(inet_ntoa(*(struct in_addr*) &(((struct sockaddr_in *)addr->addr)->sin_addr))) + 345 string(" "); 346 } 347 348 break; 349 350 case AF_INET6: 351 /* logSpam("\t\tAF_INET6\n"); 352 const char *inet_ntop(int af, const void *src,char *dst, socklen_t cnt); 353 logSpam("\t\t\taddr %s\n",inet_ntop(AF_INET6, (const void *) &((struct sockaddr_in6 *)addr->addr)->sin6_addr,(char *)&inet6addr,64)); 354 */ 355 break; 356 357 case AF_PACKET: 358 /* logSpam("\t\tAF_PACKET\n"); 359 logSpam("\t\t\ttype %i %i\n",((struct sockaddr_ll*)addr->addr)->sll_family,AF_PACKET); 360 { 361 unsigned char *hwa = ((struct sockaddr_ll*)addr->addr)->sll_addr; 362 char hexbyte[8]; 363 string mac_rep; 364 for (int i=0;i<8;i++) 365 { 366 if (i>0) 367 mac_rep += ":"; 368 snprintf(hexbyte,8,"%02x",hwa[i]); 369 mac_rep += hexbyte; 370 } 371 logSpam("\t\t\taddr %s\n",mac_rep.c_str()); 372 } 373 374 375 */ 376 break; 377 378 379 default: 380 logSpam("\t\tAF_UNKNOWN %i\n",addr->addr->sa_family); 381 382 } 383 logSpam("\n"); 384 385 386 } 387 } 388 389 pcap_freealldevs(alldevsp); 390 391 if (bpf_filter_string_addition != "") 392 { 393 bpf_filter_string += "and (" + bpf_filter_string_addition + ")"; 394 } 227 395 228 396 struct bpf_program filter; 229 397 398 logInfo("BPF Filter is %s\n",bpf_filter_string.c_str()); 230 399 // int pcap_compile(pcap_t *p, struct bpf_program *fp, char *str, int optimize, 
bpf_u_int32 netmask) 231 if ( pcap_compile(m_RawListener, &filter, "tcp[tcpflags] & tcp-rst != 0", 0, 0) == -1 )400 if ( pcap_compile(m_RawListener, &filter, (char *)bpf_filter_string.c_str(), 0, 0) == -1 ) 232 401 // if ( pcap_compile(m_RawListener, &filter, "host 192.168.53.20", 0, 0) == -1 ) 233 402 { … … 262 431 } 263 432 433 int dll = pcap_datalink(m_RawListener); 434 switch( dll ) 435 { 436 case DLT_LINUX_SLL: 437 logInfo("DataLinkLayer %s %s\n",pcap_datalink_val_to_name(dll),pcap_datalink_val_to_description(dll)); 438 m_LinkLayerHeaderLength = 16; 439 break; 440 441 442 case DLT_EN10MB: 443 logInfo("DataLinkLayer %s %s\n",pcap_datalink_val_to_name(dll),pcap_datalink_val_to_description(dll)); 444 m_LinkLayerHeaderLength = 14; 445 break; 446 447 default: 448 logCrit("DataLink %i %s %s unknown, please file a bug\n",dll,pcap_datalink_val_to_name(dll),pcap_datalink_val_to_description(dll)); 449 return false; 450 } 451 452 return true; 453 #else 454 logCrit("pcap not supported, hit the docs\n"); 455 return false; 264 456 #endif // HAVE_PCAP 265 return true;457 266 458 } 267 459 … … 278 470 retval = Exit_IPQ(); 279 471 break; 472 473 case HT_IPFW: 474 retval = Exit_IPFW(); 475 break; 476 477 default: 478 logCrit("Invalid mode for module-honeytrap\n"); 280 479 } 281 480 return retval; … … 321 520 } 322 521 522 bool ModuleHoneyTrap::Exit_IPFW() 523 { 524 #ifdef HAVE_IPFW 525 if (m_DivertSocket != -1) 526 { 527 close(m_DivertSocket); 528 } 529 #endif 530 return true; 531 } 323 532 324 533 … … 349 558 retval = doRecv_IPQ(); 350 559 break; 560 561 case HT_IPFW: 562 retval = doRecv_IPFW(); 563 break; 564 565 566 default: 567 logCrit("Invalid mode for module-honeytrap\n"); 351 568 } 352 569 return retval; … … 367 584 if ( retval == 1 ) 368 585 { 369 370 struct ip_header *ip = (struct ip_header *) (pkt_data + ETHER_HDRLEN); 371 struct tcp_header *tcp = (struct tcp_header *) (pkt_data + ETHER_HDRLEN + ip->ip_hl * 4); 586 // g_Nepenthes->getUtilities()->hexdump((byte 
*)pkt_data,52); 587 588 589 struct libnet_ipv4_hdr *ip = (struct libnet_ipv4_hdr *) (pkt_data + m_LinkLayerHeaderLength); 590 struct libnet_tcp_hdr *tcp = (struct libnet_tcp_hdr *) (pkt_data + m_LinkLayerHeaderLength + ip->ip_hl * 4); 372 591 373 592 /* new connections are welcome */ 374 if ( ntohl(tcp->th_seq no) != 0 )593 if ( ntohl(tcp->th_seq) != 0 ) 375 594 return 0; 376 595 logInfo("Got RST packet from localhost:%i %i\n",ntohs(tcp->th_sport),tcp->th_sport); … … 433 652 { 434 653 435 436 logSpam("-- IP v%d, ID = %d, Header Length = %d, Total Length = %d\n", 437 ip->ip_v, 438 ip->ip_id, 439 ip->ip_hl * 4, 440 ntohs(ip->ip_len) ); 441 442 logSpam(" | %s --> " , 443 inet_ntoa(ip->ip_src) ); 444 445 logSpam("%s \n" , 446 inet_ntoa(ip->ip_dst) ); 447 448 logSpam(" |- Bits: %s %s, Offset : %d, checksum = %.4x, TTL = %d\n", 449 ntohs(ip->ip_off) & IP_DF? "DF":"", 450 ntohs(ip->ip_off) & IP_MF? "MF":"", 451 ntohs(ip->ip_off) & IP_OFFMASK, 452 ntohs(ip->ip_sum), 453 ip->ip_ttl); 454 455 logSpam(" |- proto = %d : \n", 456 ip->ip_p ); 457 458 459 logSpam(" `-- TCP, Header Length = %d Payload Length = %d\n", 460 tcp->th_off *4, 461 m->data_len); // <- this number is wrong 462 463 logSpam(" |- port Source = %d --> port Destination = %d\n", 464 ntohs(tcp->th_sport), 465 ntohs(tcp->th_dport)); 466 467 logSpam(" |- Seq nb = %.4x ,Acknowledgement nb:%.4x\n", 468 ntohs(tcp->th_seq), 469 ntohs(tcp->th_ack)); 470 471 logSpam(" |- bits %s %s %s %s %s %s %s %s\n", 472 (tcp->th_flags) & TH_FIN?"FIN":"", 473 (tcp->th_flags) & TH_SYN?"SYN":"", 474 (tcp->th_flags) & TH_RST?"RST":"", 475 (tcp->th_flags) & TH_PUSH?"PUSH":"", 476 (tcp->th_flags) & TH_ACK?"ACK":"", 477 (tcp->th_flags) & TH_URG?"URG":"", 478 (tcp->th_flags) & TH_ECE?"ECE":"", 479 (tcp->th_flags) & TH_CWR?"CWR":"" 480 ); 481 482 logSpam(" `- checksum = %.4x, windows = %.4x, urgent = %.4x\n", 483 ntohs(tcp->th_sum), 484 ntohs(tcp->th_win), 485 ntohs(tcp->th_urp) ); 486 654 printIPpacket(m->payload,m->data_len); 487 655 488 
656 if ( isPortListening(ntohs(tcp->th_dport),*(uint32_t *)&(ip->ip_dst)) == false ) … … 522 690 } 523 691 692 int32_t ModuleHoneyTrap::doRecv_IPFW() 693 { 694 logPF(); 695 #ifdef HAVE_IPFW 696 int len; 697 char buf[2024]; 698 699 if ( (len = recvfrom(m_DivertSocket, buf, sizeof(buf), 0,(struct sockaddr *)&m_DivertSin, &m_DivertSinLen)) == -1 ) 700 { 701 logWarn("recvfrom() on divert socket failed %s\n",strerror(errno)); 702 return 1; 703 } 704 705 // I'll add processing once i have access on a fbsd box with divert sockets enabled 706 logWarn("You are too early, the processing logic for data from divert sockets is a todo"); 707 708 709 if ( sendto(m_DivertSocket, buf, len, 0,(struct sockaddr *)&m_DivertSin, m_DivertSinLen) == -1 ) 710 { 711 logWarn("Writing packet back to divert socket failed %s\n",strerror(errno)); 712 } 713 714 715 #endif 716 return 1; 717 } 718 719 524 720 int32_t ModuleHoneyTrap::getSocket() 525 721 { … … 536 732 return m_IPQHandle->fd; 537 733 #endif 538 break; 734 735 case HT_IPFW: 736 #ifdef HAVE_IPFW 737 return m_DivertSocket; 738 #endif 739 break; 740 741 742 default: 743 logCrit("Invalid mode for module-honeytrap\n"); 539 744 } 540 745 return -1; … … 609 814 } 610 815 816 void ModuleHoneyTrap::printIPpacket(unsigned char *buf, uint32_t len) 817 { 818 const struct libnet_ipv4_hdr* ip; 819 820 ip = (struct libnet_ipv4_hdr*)(buf); 821 822 int hlen = ip->ip_hl * 4; 823 824 const struct libnet_tcp_hdr* tcp; 825 tcp = (struct libnet_tcp_hdr*) ((u_char *)buf+hlen); 826 827 828 logSpam("-- IP v%d, ID = %d, Header Length = %d, Total Length = %d\n", 829 ip->ip_v, 830 ip->ip_id, 831 ip->ip_hl * 4, 832 ntohs(ip->ip_len) ); 833 834 logSpam(" | %s --> " , 835 inet_ntoa(ip->ip_src) ); 836 837 logSpam("%s \n" , 838 inet_ntoa(ip->ip_dst) ); 839 840 logSpam(" |- Bits: %s %s, Offset : %d, checksum = %.4x, TTL = %d\n", 841 ntohs(ip->ip_off) & IP_DF? "DF":"", 842 ntohs(ip->ip_off) & IP_MF? 
"MF":"", 843 ntohs(ip->ip_off) & IP_OFFMASK, 844 ntohs(ip->ip_sum), 845 ip->ip_ttl); 846 847 logSpam(" |- proto = %d : \n", 848 ip->ip_p ); 849 850 851 logSpam(" `-- TCP, Header Length = %d Payload Length = %d\n", 852 tcp->th_off *4, 853 len); // <- this number is wrong 854 855 logSpam(" |- port Source = %d --> port Destination = %d\n", 856 ntohs(tcp->th_sport), 857 ntohs(tcp->th_dport)); 858 859 logSpam(" |- Seq nb = %.4x ,Acknowledgement nb:%.4x\n", 860 ntohs(tcp->th_seq), 861 ntohs(tcp->th_ack)); 862 863 logSpam(" |- bits %s %s %s %s %s %s %s %s\n", 864 (tcp->th_flags) & TH_FIN?"FIN":"", 865 (tcp->th_flags) & TH_SYN?"SYN":"", 866 (tcp->th_flags) & TH_RST?"RST":"", 867 (tcp->th_flags) & TH_PUSH?"PUSH":"", 868 (tcp->th_flags) & TH_ACK?"ACK":"", 869 (tcp->th_flags) & TH_URG?"URG":"", 870 (tcp->th_flags) & TH_ECE?"ECE":"", 871 (tcp->th_flags) & TH_CWR?"CWR":"" 872 ); 873 874 logSpam(" `- checksum = %.4x, windows = %.4x, urgent = %.4x\n", 875 ntohs(tcp->th_sum), 876 ntohs(tcp->th_win), 877 ntohs(tcp->th_urp) ); 878 } 879 611 880 extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) 612 881 { nepenthes/trunk/modules/module-honeytrap/module-honeytrap.hpp
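Review bot: In the new doRecv_IPFW, `m_DivertSinLen` is passed to recvfrom() as the in/out address length but is never initialized in this changeset — the constructor only sets m_DivertSocket and Init_IPFW does not touch it — so recvfrom reads an indeterminate length and either fails (EINVAL) or truncates the returned address depending on the garbage value; Init_IPFW should set `m_DivertSinLen = sizeof(m_DivertSin);` right after the bzero(), and the port should come from the new divert config block instead of the hard-coded 4711 marked FIXME. The new printIPpacket() casts `buf` to libnet_ipv4_hdr and then to libnet_tcp_hdr at `buf + hlen` without ever consulting `len`, so a short or malformed packet (ip_hl larger than the data) is read past the buffer; check `len >= sizeof(struct libnet_ipv4_hdr)` before reading ip_hl and `len >= hlen + sizeof(struct libnet_tcp_hdr)` before touching `tcp`, returning early otherwise. The same absence of a captured-length check applies to the reworked casts at `pkt_data + m_LinkLayerHeaderLength` in doRecv_PCAP, whose enclosing function starts outside the hunk. Minor: `char buf[2024]` in doRecv_IPFW looks like a typo for the IPQ_PACKET_BUFSIZE of 2048, and the "You are too early" logWarn lacks the trailing `\n` every other log call has.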
r572 r573 31 31 #define HAVE_IPQ 32 32 33 #ifdef HAVE_PCAP 33 34 #include <pcap.h> 34 35 #endif 35 36 36 37 37 38 extern "C" 38 39 { 40 #ifdef HAVE_IPQ 39 41 #include <linux/netfilter.h> 40 42 #include <libipq.h> 41 #include <libnet.h> 43 #endif 44 // #include <libnet.h> 45 #include <sys/types.h> 46 #include <netinet/in.h> 47 42 48 } 43 49 44 #include <sys/types.h> 45 #include <netinet/in.h> 50 46 51 47 52 … … 66 71 #define ETHER_HDRLEN 16 67 72 #define IPQ_PACKET_BUFSIZE 2048 68 69 /* IP header */ 70 struct ip_header 71 { 72 #if BYTE_ORDER == LITTLE_ENDIAN 73 u_int ip_hl:4, /* header length */ 74 ip_v:4; /* version */ 75 #if BYTE_ORDER == BIG_ENDIAN 76 u_int ip_v:4, /* version */ 77 ip_hl:4; /* header length */ 78 #endif 79 #endif /* not _IP_VHL */ 80 u_char ip_tos; /* type of service */ 81 u_short ip_len; /* total length */ 82 u_short ip_id; /* identification */ 83 u_short ip_off; /* fragment offset field */ 84 #define IP_RF 0x8000 /* reserved fragment flag */ 85 #define IP_DF 0x4000 /* dont fragment flag */ 86 #define IP_MF 0x2000 /* more fragments flag */ 87 #define IP_OFFMASK 0x1fff /* mask for fragmenting bits */ 88 u_char ip_ttl; /* time to live */ 89 u_char ip_p; /* protocol */ 90 u_short ip_sum; /* checksum */ 91 struct in_addr ip_src,ip_dst; /* source and dest address */ 92 }; 93 94 /* tcp header */ 95 struct tcp_header 96 { 97 u_int16_t th_sport; /* tcp source port */ 98 u_int16_t th_dport; /* tcp dest port */ 99 u_int32_t th_seqno; /* tcp sequence number,identifies the byte in the stream of data */ 100 u_int32_t th_ackno; /* contains the next seq num that the sender expects to recieve */ 101 u_int8_t th_res:4, /* 4 reserved bits */ 102 th_doff:4; /* data offset */ 103 u_int8_t th_flags; 104 #define FIN 0x01 105 #define SYN 0x02 106 #define RST 0x04 107 #define PUSH 0x08 108 #define ACK 0x10 109 #define URG 0x20 110 #define ECE 0x40 111 #define CWR 0x80 112 #define FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR) 113 u_int16_t th_window; /* 
maxinum number of bytes able to recieve*/ 114 u_int16_t th_sum; /* checksum to cover the tcp header and data portion of the packet*/ 115 u_int16_t th_urp; /* vaild only if the urgent flag is set, used to transmit emergency data */ 116 }; 117 118 119 /* These enums are used by IPX too. :-( */ 73 #define LIBNET_LIL_ENDIAN 1 74 75 76 77 78 79 80 /* 81 * IPv4 header 82 * Internet Protocol, version 4 83 * Static header size: 20 bytes 84 * 85 * taken from libnet 1.1 86 * 87 */ 88 struct libnet_ipv4_hdr 89 { 90 #if (LIBNET_LIL_ENDIAN) 91 u_int8_t ip_hl:4, /* header length */ 92 ip_v:4; /* version */ 93 #endif 94 #if (LIBNET_BIG_ENDIAN) 95 u_int8_t ip_v:4, /* version */ 96 ip_hl:4; /* header length */ 97 #endif 98 u_int8_t ip_tos; /* type of service */ 99 #ifndef IPTOS_LOWDELAY 100 #define IPTOS_LOWDELAY 0x10 101 #endif 102 #ifndef IPTOS_THROUGHPUT 103 #define IPTOS_THROUGHPUT 0x08 104 #endif 105 #ifndef IPTOS_RELIABILITY 106 #define IPTOS_RELIABILITY 0x04 107 #endif 108 #ifndef IPTOS_LOWCOST 109 #define IPTOS_LOWCOST 0x02 110 #endif 111 u_int16_t ip_len; /* total length */ 112 u_int16_t ip_id; /* identification */ 113 u_int16_t ip_off; 114 #ifndef IP_RF 115 #define IP_RF 0x8000 /* reserved fragment flag */ 116 #endif 117 #ifndef IP_DF 118 #define IP_DF 0x4000 /* dont fragment flag */ 119 #endif 120 #ifndef IP_MF 121 #define IP_MF 0x2000 /* more fragments flag */ 122 #endif 123 #ifndef IP_OFFMASK 124 #define IP_OFFMASK 0x1fff /* mask for fragmenting bits */ 125 #endif 126 u_int8_t ip_ttl; /* time to live */ 127 u_int8_t ip_p; /* protocol */ 128 u_int16_t ip_sum; /* checksum */ 129 struct in_addr ip_src, ip_dst; /* source and dest address */ 130 }; 131 132 /* 133 * TCP header 134 * Transmission Control Protocol 135 * Static header size: 20 bytes 136 * 137 * taken from libnet 1.1 138 * 139 */ 140 struct libnet_tcp_hdr 141 { 142 u_int16_t th_sport; /* source port */ 143 u_int16_t th_dport; /* destination port */ 144 u_int32_t th_seq; /* sequence number */ 145 u_int32_t 
th_ack; /* acknowledgement number */ 146 #if (LIBNET_LIL_ENDIAN) 147 u_int8_t th_x2:4, /* (unused) */ 148 th_off:4; /* data offset */ 149 #endif 150 #if (LIBNET_BIG_ENDIAN) 151 u_int8_t th_off:4, /* data offset */ 152 th_x2:4; /* (unused) */ 153 #endif 154 u_int8_t th_flags; /* control flags */ 155 #ifndef TH_FIN 156 #define TH_FIN 0x01 /* finished send data */ 157 #endif 158 #ifndef TH_SYN 159 #define TH_SYN 0x02 /* synchronize sequence numbers */ 160 #endif 161 #ifndef TH_RST 162 #define TH_RST 0x04 /* reset the connection */ 163 #endif 164 #ifndef TH_PUSH 165 #define TH_PUSH 0x08 /* push data to the app layer */ 166 #endif 167 #ifndef TH_ACK 168 #define TH_ACK 0x10 /* acknowledge */ 169 #endif 170 #ifndef TH_URG 171 #define TH_URG 0x20 /* urgent! */ 172 #endif 173 #ifndef TH_ECE 174 #define TH_ECE 0x40 175 #endif 176 #ifndef TH_CWR 177 #define TH_CWR 0x80 178 #endif 179 u_int16_t th_win; /* window */ 180 u_int16_t th_sum; /* checksum */ 181 u_int16_t th_urp; /* urgent pointer */ 182 }; 183 184 185 186 /* These enums are used by IPX too. 
:-( 187 * 188 * mappings to determine the state of a tcp connection in /proc/net/tcp 189 * 190 * taken from net-tools 191 * 192 */ 120 193 enum 121 194 { … … 138 211 typedef enum 139 212 { 213 HT_NONE, 140 214 HT_PCAP, 141 HT_IPQ 215 HT_IPQ, 216 HT_IPFW 142 217 } honeytrap_type; 143 218 … … 151 226 bool Init_PCAP(); 152 227 bool Init_IPQ(); 228 bool Init_IPFW(); 153 229 154 230 bool Exit(); 155 231 bool Exit_PCAP(); 156 232 bool Exit_IPQ(); 233 bool Exit_IPFW(); 157 234 158 235 bool wantSend(); … … 163 240 int32_t doRecv_PCAP(); 164 241 int32_t doRecv_IPQ(); 242 int32_t doRecv_IPFW(); 165 243 166 244 int32_t getSocket(); … … 168 246 169 247 bool isPortListening(uint16_t localport, uint32_t localhost); 248 249 void printIPpacket(unsigned char *buf, uint32_t len); 170 250 171 251 protected: 172 252 #ifdef HAVE_PCAP 173 253 pcap_t *m_RawListener; 254 int m_LinkLayerHeaderLength; 255 string m_PcapDevice; 174 256 #endif 175 257 … … 178 260 #endif 179 261 262 #ifdef HAVE_IPFW 263 uint16_t m_DivertPort; 264 int m_DivertSocket; 265 struct sockaddr_in m_DivertSin; 266 socklen_t m_DivertSinLen; 267 #endif 268 180 269 Nepenthes *m_Nepenthes; 181 270 honeytrap_type m_HTType;
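Review bot: `#define LIBNET_LIL_ENDIAN 1` is hard-coded, so the `#if (LIBNET_BIG_ENDIAN)` branches of the new libnet_ipv4_hdr and libnet_tcp_hdr structs are dead and on a big-endian host ip_v/ip_hl and th_off/th_x2 come out swapped, which feeds a wrong header length into every consumer (doRecv_PCAP, printIPpacket). The removed ip_header struct chose the bitfield order from BYTE_ORDER; the replacement should do the same rather than fix one endianness, as below. The new members `m_DivertPort` and `m_DivertSinLen` are declared but in this changeset's .cpp hunks the former is never assigned or read and the latter is consumed by recvfrom() without initialization, so either wire both up in Init_IPFW or drop them. Note also that the unconditional `#define HAVE_IPQ` a few lines above (context, not new) makes the new `#ifdef HAVE_IPQ` include guard a no-op on every platform, which defeats the portability this changeset is after.
```cpp
/* select bitfield order from the host byte order, as the removed ip_header did */
#if BYTE_ORDER == BIG_ENDIAN
#define LIBNET_BIG_ENDIAN 1
#else
#define LIBNET_LIL_ENDIAN 1
#endif
// … unchanged: libnet_ipv4_hdr / libnet_tcp_hdr definitions …
```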
