Changeset 673
- Timestamp:
- 10/22/06 22:56:08 (2 years ago)
- Files:
-
- nepenthes/trunk/modules/log-surfnet/DatabaseConnection.cpp (deleted)
- nepenthes/trunk/modules/log-surfnet/DatabaseConnection.hpp (deleted)
- nepenthes/trunk/modules/log-surfnet/Makefile.am (modified) (1 diff)
- nepenthes/trunk/modules/log-surfnet/log-surfnet.conf.dist (modified) (2 diffs)
- nepenthes/trunk/modules/log-surfnet/log-surfnet.cpp (modified) (18 diffs)
- nepenthes/trunk/modules/log-surfnet/log-surfnet.hpp (modified) (5 diffs)
nepenthes/trunk/modules/log-surfnet/Makefile.am
r556 r673 11 11 pkglib_LTLIBRARIES = logsurfnet.la 12 12 13 logsurfnet_la_SOURCES = log-surfnet.cpp log-surfnet.hpp DatabaseConnection.cpp DatabaseConnection.hpplog-surfnet.conf.dist13 logsurfnet_la_SOURCES = log-surfnet.cpp log-surfnet.hpp log-surfnet.conf.dist 14 14 15 15 logsurfnet_la_LDFLAGS = -module -no-undefined -avoid-version nepenthes/trunk/modules/log-surfnet/log-surfnet.conf.dist
r497 r673 1 1 log-surfnet 2 2 { 3 server "127.0.0.1"; // must be ip 4 user "user"; 5 pass "pass"; 6 db "idsserver"; 7 8 options ""; // sslmode=required for example if you want to use ssl 9 10 11 12 /* mode: 13 * * any means log accepted connections on _all_ ports 14 * * list means, use the port list 15 */ 16 17 mode "any"; 18 19 3 20 ports ( 4 21 "21", … … 31 48 "27347"); 32 49 33 server "127.0.0.1"; // must be ip34 user "user";35 pass "pass";36 db "idsserver";37 50 }; 51 52 53 /* 54 55 don't forget to create these fn's in your surfnet ids database. 56 57 58 CREATE PROCEDURAL LANGUAGE plpgsql; 59 60 CREATE FUNCTION surfnet_attack_add(integer, inet, integer, inet, integer, macaddr, inet) RETURNS integer 61 AS $_$DECLARE 62 p_severity ALIAS FOR $1; 63 p_attackerip ALIAS FOR $2; 64 p_attackerport ALIAS FOR $3; 65 p_decoyip ALIAS FOR $4; 66 p_decoyport ALIAS FOR $5; 67 p_hwa ALIAS FOR $6; 68 p_localhost ALIAS FOR $7; 69 m_attackid INTEGER; 70 m_sensorid INTEGER; 71 BEGIN 72 73 SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); 74 SELECT INTO m_attackid surfnet_attack_add_by_id(p_severity, 75 p_attackerip, p_attackerport, p_decoyip, 76 p_decoyport, p_hwa, m_sensorid); 77 78 return m_attackid; 79 END$_$ 80 LANGUAGE plpgsql; 81 82 83 CREATE FUNCTION surfnet_attack_add_by_id(integer, inet, integer, inet, integer, macaddr, integer) RETURNS integer 84 AS $_$DECLARE 85 p_severity ALIAS FOR $1; 86 p_attackerip ALIAS FOR $2; 87 p_attackerport ALIAS FOR $3; 88 p_decoyip ALIAS FOR $4; 89 p_decoyport ALIAS FOR $5; 90 p_hwa ALIAS FOR $6; 91 p_sensorid ALIAS FOR $7; 92 m_attackid INTEGER; 93 BEGIN 94 INSERT INTO attacks 95 (severity, 96 timestamp, 97 dest, 98 dport, 99 source, 100 sport, 101 sensorid, 102 src_mac) 103 VALUES 104 (p_severity, 105 extract(epoch from current_timestamp(0))::integer, 106 p_attackerip, 107 p_attackerport, 108 p_decoyip, 109 p_decoyport, 110 p_sensorid, 111 p_hwa); 112 113 SELECT INTO m_attackid currval('attacks_id_seq'); 114 return m_attackid; 115 
END$_$ 116 LANGUAGE plpgsql; 117 118 119 120 CREATE FUNCTION surfnet_attack_update_severity(integer, integer) RETURNS void 121 AS $_$DECLARE 122 p_attackid ALIAS FOR $1; 123 p_severity ALIAS FOR $2; 124 BEGIN 125 UPDATE attacks SET severity = p_severity WHERE id = p_attackid; 126 return; 127 END;$_$ 128 LANGUAGE plpgsql; 129 130 131 CREATE FUNCTION surfnet_detail_add(integer, inet, integer, character varying) RETURNS void 132 AS $_$DECLARE 133 p_attackid ALIAS FOR $1; 134 p_localhost ALIAS FOR $2; 135 p_type ALIAS FOR $3; 136 p_data ALIAS FOR $4; 137 138 m_sensorid INTEGER; 139 BEGIN 140 SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); 141 142 INSERT INTO details 143 (attackid,sensorid,type,text) 144 VALUES 145 (p_attackid,m_sensorid,p_type,p_data); 146 END$_$ 147 LANGUAGE plpgsql; 148 149 150 CREATE FUNCTION surfnet_detail_add_by_id(integer, integer, integer, character varying) RETURNS void 151 AS $_$DECLARE 152 p_attackid ALIAS FOR $1; 153 m_sensorid ALIAS FOR $2; 154 p_type ALIAS FOR $3; 155 p_data ALIAS FOR $4; 156 BEGIN 157 INSERT INTO details 158 (attackid,sensorid,type,text) 159 VALUES 160 (p_attackid,m_sensorid,p_type,p_data); 161 END$_$ 162 LANGUAGE plpgsql; 163 164 165 CREATE FUNCTION surfnet_detail_add_download(inet, inet, character varying, character varying) RETURNS void 166 AS $_$DECLARE 167 p_remotehost ALIAS FOR $1; 168 p_localhost ALIAS FOR $2; 169 p_url ALIAS FOR $3; 170 p_hash ALIAS FOR $4; 171 172 m_sensorid INTEGER; 173 m_attackid INTEGER; 174 BEGIN 175 SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); 176 SELECT INTO m_attackid surfnet_attack_add_by_id(32,p_remotehost, 0, 177 p_localhost, 0, 178 NULL,m_sensorid); 179 180 PERFORM surfnet_detail_add_by_id(m_attackid, 181 m_sensorid,4,p_url); 182 PERFORM surfnet_detail_add_by_id(m_attackid, 183 m_sensorid,8,p_hash); 184 185 return; 186 END; $_$ 187 LANGUAGE plpgsql; 188 189 190 CREATE FUNCTION surfnet_detail_add_offer(inet, inet, character varying) RETURNS void 191 AS $_$DECLARE 
192 p_remotehost ALIAS FOR $1; 193 p_localhost ALIAS FOR $2; 194 p_url ALIAS FOR $3; 195 196 m_sensorid INTEGER; 197 m_attackid INTEGER; 198 BEGIN 199 SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); 200 SELECT INTO m_attackid surfnet_attack_add_by_id(16,p_remotehost, 0, 201 p_localhost, 0, 202 NULL,m_sensorid); 203 204 PERFORM surfnet_detail_add_by_id(m_attackid, 205 m_sensorid,4,p_url); 206 return; 207 END; $_$ 208 LANGUAGE plpgsql; 209 210 211 CREATE FUNCTION surfnet_sensorid_get(inet) RETURNS integer 212 AS $_$DECLARE 213 p_localhost ALIAS FOR $1; 214 m_sensorid INTEGER; 215 BEGIN 216 SELECT INTO m_sensorid id FROM sensors WHERE tapip = p_localhost; 217 return m_sensorid; 218 END 219 $_$ 220 LANGUAGE plpgsql; 221 222 223 */ nepenthes/trunk/modules/log-surfnet/log-surfnet.cpp
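Review bot: The comment on the new `options "";` line spells the libpq setting as `sslmode=required`, but the value libpq accepts is `sslmode=require` (alongside `disable`/`allow`/`prefer`/`verify-ca`/`verify-full`), so an operator copying the comment verbatim gets a connection-string error instead of a TLS-protected link to the database; suggest `options ""; // libpq connection options, e.g. "sslmode=require" to force TLS to the database`. Since the same file carries the database password in clear text, it is also worth a one-line note above `pass "pass";` reminding that log-surfnet.conf must not be world-readable. In the appended plpgsql reference, `surfnet_sensorid_get` returns NULL when no `sensors` row matches `tapip`, and `surfnet_attack_add_by_id` then inserts that NULL as `sensorid` without complaint; if the schema allows it, a `RAISE EXCEPTION 'unknown sensor %', p_localhost;` in the getter would make a misconfigured sensor address visible instead of producing orphaned attack rows.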
r567 r673 26 26 *******************************************************************************/ 27 27 28 /* $Id$ */ 28 /* $Id$ */ 29 30 #include <sstream> 31 #include <sys/types.h> 32 #include <sys/socket.h> 33 #include <netinet/in.h> 34 #include <arpa/inet.h> 29 35 30 36 #include "log-surfnet.hpp" 31 #include "DatabaseConnection.hpp" 37 32 38 33 39 #include "LogManager.hpp" … … 43 49 #include "Config.hpp" 44 50 51 #include "SQLHandler.hpp" 52 #include "SQLResult.hpp" 53 #include "SQLManager.hpp" 54 45 55 using namespace nepenthes; 46 56 47 57 #ifdef STDTAGS 48 #undef STDTAGS58 #undef STDTAGS 49 59 #endif 50 60 #define STDTAGS l_mod | l_ev | l_hlr 61 62 63 64 65 LSDetail::LSDetail(uint32_t host, int type, string data) 66 { 67 68 m_host = inet_ntoa(*(in_addr *)&host); 69 m_type = type; 70 m_data = data; 71 } 72 73 74 LSContext::LSContext() 75 { 76 m_attackID = 0; 77 m_closed = false; 78 79 m_severity = 0; 80 } 81 82 83 51 84 52 85 … … 83 116 84 117 g_Nepenthes = nepenthes; 118 119 m_RunningMode = LS_MODE_LIST; 85 120 } 86 121 … … 121 156 string pass; 122 157 string db; 158 string options; 159 string mode; 123 160 try 124 161 { 125 162 sList = *m_Config->getValStringList("log-surfnet.ports"); 126 server = m_Config->getValString("log-surfnet.server"); 127 user = m_Config->getValString("log-surfnet.user"); 128 pass = m_Config->getValString("log-surfnet.pass"); 129 db = m_Config->getValString("log-surfnet.db"); 130 } catch ( ... ) 163 server = m_Config->getValString("log-surfnet.server"); 164 user = m_Config->getValString("log-surfnet.user"); 165 pass = m_Config->getValString("log-surfnet.pass"); 166 db = m_Config->getValString("log-surfnet.db"); 167 options = m_Config->getValString("log-surfnet.options"); 168 mode = m_Config->getValString("log-surfnet.mode"); 169 } 170 catch ( ... 
) 131 171 { 132 172 logCrit("Error setting needed vars, check your config\n"); … … 137 177 m_MaxPorts = sList.size(); 138 178 139 uint32_t i = 0; 140 while (i < sList.size()) 141 { 142 m_Ports[i] = (uint16_t)atoi(sList[i]); 143 i++; 144 } 145 146 147 m_DB = new DatabaseConnection(server.c_str(),user.c_str(),pass.c_str(),db.c_str()); 148 149 if ( m_DB->Init() == false ) 150 { 151 return false; 179 try 180 { 181 mode = m_Config->getValString("log-surfnet.mode"); 182 if (mode == "list") 183 { 184 m_RunningMode = LS_MODE_LIST; 185 } 186 else 187 if ( mode == "any" ) 188 { 189 m_RunningMode = LS_MODE_ANY; 190 } 191 192 } 193 catch ( ... ) 194 { 195 logWarn("No 'mode' value found in config, using 'any'\n"); 196 } 197 198 199 if ( m_RunningMode == LS_MODE_LIST ) 200 { 201 uint32_t i = 0; 202 while ( i < sList.size() ) 203 { 204 m_Ports[i] = (uint16_t)atoi(sList[i]); 205 i++; 206 } 207 } 208 209 switch (m_RunningMode) 210 { 211 case nepenthes::LS_MODE_ANY: 212 logInfo("Running mode is any port\n"); 213 break; 214 215 case nepenthes::LS_MODE_LIST: 216 logInfo("Running mode is port list\n"); 217 break; 218 219 } 220 221 m_SQLHandler = g_Nepenthes->getSQLMgr()->createSQLHandler("postgres",server,user,pass,db,options,this); 222 223 224 if ( m_SQLHandler == NULL ) 225 { 226 logCrit("Could not create sqlhandler for the postgres database connection\n"); 227 return false; 152 228 } 153 229 … … 192 268 logInfo("Event %i\n",event->getType()); 193 269 194 Socket *socket=NULL;270 Socket *socket=NULL; 195 271 Dialogue *dia=NULL; 196 272 ShellcodeHandler *handler=NULL; … … 200 276 string md5sum = ""; 201 277 202 203 switch (event->getType())278 279 switch ( event->getType() ) 204 280 { 205 281 case EV_SOCK_TCP_ACCEPT: … … 242 318 243 319 bool process=false; 244 map <uint32_t, uint32_t, ltint>::iterator attackit;320 map <uint32_t, LSContext, ltint>::iterator attackit; 245 321 uint32_t attackid=0; 246 322 247 switch (event->getType())323 switch ( event->getType() ) 248 324 { 249 325 case 
EV_SOCK_TCP_ACCEPT: 250 326 { 251 uint16_t localport = socket->getLocalPort(); 252 uint16_t i=0; 253 while (i < m_MaxPorts) 327 if (m_RunningMode == LS_MODE_ANY) 254 328 { 255 if (m_Ports[i] == localport) 329 process = true; 330 } 331 else 332 { 333 uint16_t localport = socket->getLocalPort(); 334 uint16_t i=0; 335 while ( i < m_MaxPorts ) 256 336 { 257 process=true; 337 if ( m_Ports[i] == localport ) 338 { 339 process=true; 340 } 341 i++; 258 342 } 259 i++;260 343 } 261 344 } … … 266 349 case EV_SHELLCODE_DONE: 267 350 { 268 if ( m_SocketTracker.count((uintptr_t) socket) == 0)351 if ( m_SocketTracker.count((uintptr_t) socket) == 0 ) 269 352 { 270 process=false; 271 }else 353 logCrit("Could not find attackid for %x\n",(uintptr_t) socket); 354 process=false; 355 } 356 else 272 357 { 273 358 process=true; 274 359 attackit = m_SocketTracker.find((uintptr_t) socket); 275 attackid = attackit->second ;360 attackid = attackit->second.m_attackID; 276 361 } 277 362 } … … 288 373 289 374 290 if ( process == true)291 { 292 switch (event->getType())375 if ( process == true ) 376 { 377 switch ( event->getType() ) 293 378 { 294 379 case EV_SOCK_TCP_ACCEPT: … … 320 405 logWarn("this should not happen\n"); 321 406 } 322 } 407 }else 408 logInfo("not processed\n"); 323 409 324 410 return 0; 325 411 } 326 412 413 string itos( long i ) 414 { 415 std::ostringstream s; 416 s << i; 417 return s.str(); 418 } 419 327 420 328 421 void LogSurfNET::handleTCPAccept(Socket *socket) 329 422 { 330 logCrit("handleTCPAccept()\n" 423 logPF(); 424 logSpam("handleTCPAccept()\n" 331 425 "\tSocket 0x%x\n", 332 426 (uint32_t) ((intptr_t)socket)); … … 335 429 socket->getRemoteHWA(&hwa); 336 430 337 int32_t sensorid = m_DB->getSensorID(socket->getLocalHost()); 338 int32_t attackid = m_DB->addAttack(AS_POSSIBLE_MALICIOUS_CONNECTION, socket->getRemoteHost(), socket->getRemotePort(), socket->getLocalHost(), socket->getLocalPort(),hwa,sensorid); 339 340 m_SocketTracker[(uintptr_t)socket] = attackid; 341 431 
uint32_t attackerip = socket->getRemoteHost(); 432 uint32_t decoyip = socket->getLocalHost(); 433 434 string attackerhost = inet_ntoa(*(in_addr *)&attackerip); 435 string decoyhost = inet_ntoa(*(in_addr *)&decoyip); 436 437 438 string query; 439 query = "SELECT surfnet_attack_add('"; 440 query += itos(AS_POSSIBLE_MALICIOUS_CONNECTION); 441 query += "','"; 442 query += attackerhost; 443 query += "','"; 444 query += itos(socket->getRemotePort()); 445 query += "','"; 446 query += decoyhost; 447 query += "','"; 448 query += itos(socket->getLocalPort()); 449 if (hwa != "") 450 { 451 query += "','"; 452 query += hwa; 453 query += "','"; 454 }else 455 { 456 query += "',NULL,'"; 457 } 458 query += decoyhost; 459 query += "');"; 460 461 m_SQLHandler->addQuery(&query,this,socket); 462 m_SocketTracker[(uintptr_t) socket].m_attackID = 0; 342 463 } 343 464 344 465 void LogSurfNET::handleTCPclose(Socket *socket, uint32_t attackid) 345 466 { 346 logCrit("handleTCPclose()\n" 467 logPF(); 468 logSpam("handleTCPclose()\n" 347 469 "\tSocket 0x%x\n" 348 470 "\tattackID %i\n", … … 350 472 attackid); 351 473 352 m_SocketTracker .erase((uintptr_t) socket);474 m_SocketTracker[(uintptr_t) socket].m_closed = true; 353 475 } 354 476 355 477 void LogSurfNET::handleDialogueAssignAndDone(Socket *socket, Dialogue *dia, uint32_t attackid) 356 478 { 357 logCrit("handleDialogueAssignAndDone()\n" 479 logPF(); 480 logSpam("handleDialogueAssignAndDone()\n" 358 481 "\tSocket 0x%x\n" 359 482 "\tDialogue %s\n" … … 363 486 attackid); 364 487 365 int32_t sensorid = m_DB->getSensorID(socket->getLocalHost()); 366 367 m_DB->addDetail(attackid, sensorid, DT_DIALOGUE_NAME, dia->getDialogueName().c_str()); 368 m_DB->updateAttackSeverity(attackid,AS_DEFINITLY_MALICIOUS_CONNECTION); 369 488 if ( attackid > 0 ) 489 { 490 491 uint32_t decoyip = socket->getLocalHost(); 492 string decoyhost = inet_ntoa(*(in_addr *)&decoyip); 493 494 string query; 495 query = "SELECT surfnet_detail_add('"; 496 query += itos(attackid); 
497 query += "','"; 498 query += decoyhost; 499 query += "','"; 500 query += itos(DT_DIALOGUE_NAME); 501 query += "','"; 502 query += dia->getDialogueName(); 503 query += "');"; 504 505 m_SQLHandler->addQuery(&query,NULL,NULL); 506 507 508 query = "SELECT surfnet_attack_update_severity("; 509 query += itos(attackid); 510 query += "','"; 511 query += itos(AS_DEFINITLY_MALICIOUS_CONNECTION); 512 query += "');"; 513 514 m_SQLHandler->addQuery(&query,NULL,NULL); 515 } 516 else 517 { 518 LSDetail *d = new LSDetail(socket->getLocalHost(),DT_DIALOGUE_NAME,dia->getDialogueName()); 519 m_SocketTracker[(uintptr_t) socket].m_Details.push_back(d); 520 m_SocketTracker[(uintptr_t) socket].m_severity = AS_DEFINITLY_MALICIOUS_CONNECTION; 521 } 370 522 371 523 } … … 374 526 void LogSurfNET::handleShellcodeDone(Socket *socket, ShellcodeHandler *handler, uint32_t attackid) 375 527 { 376 log Crit("handleShellcodeDone()\n"528 logSpam("handleShellcodeDone()\n" 377 529 "\tSocket 0x%x\n" 378 530 "\tShellcodeHandler %s\n" … … 382 534 attackid); 383 535 384 // m_DB->addDetail(int32_t attackid, char *text); 385 int32_t sensorid = m_DB->getSensorID(socket->getLocalHost()); 386 m_DB->addDetail(attackid, sensorid, DT_SHELLCODEHANDLER_NAME ,handler->getShellcodeHandlerName().c_str()); 536 if ( attackid > 0 ) 537 { 538 uint32_t decoyip = socket->getLocalHost(); 539 string decoyhost = inet_ntoa(*(in_addr *)&decoyip); 540 541 string query; 542 query = "SELECT surfnet_detail_add('"; 543 query += itos(attackid); 544 query += "','"; 545 query += decoyhost; 546 query += "','"; 547 query += itos(DT_SHELLCODEHANDLER_NAME); 548 query += "','"; 549 query += handler->getShellcodeHandlerName(); 550 query += "');"; 551 552 m_SQLHandler->addQuery(&query,NULL,NULL); 553 }else 554 { 555 LSDetail *d = new LSDetail(socket->getLocalHost(),DT_SHELLCODEHANDLER_NAME,handler->getShellcodeHandlerName()); 556 m_SocketTracker[(uintptr_t) socket].m_Details.push_back(d); 557 } 387 558 } 388 559 … … 391 562 void 
LogSurfNET::handleDownloadOffer(uint32_t localhost, uint32_t remotehost,const char *url) 392 563 { 564 logPF(); 393 565 string hwa = ""; 394 566 395 int32_t sensorid = m_DB->getSensorID(localhost); 396 int32_t attackid = m_DB->addAttack(AS_DOWNLOAD_OFFER, remotehost, 0, localhost, 0,hwa,sensorid); 397 m_DB->addDetail(attackid, sensorid, DT_DOWNLOAD_URL, url); 567 string attackerhost = inet_ntoa(*(in_addr *)&remotehost); 568 string decoyhost = inet_ntoa(*(in_addr *)&localhost); 569 570 string surl = url; 571 572 string query; 573 query = "SELECT surfnet_detail_add_offer('"; 574 query += attackerhost; 575 query += "','"; 576 query += decoyhost; 577 query += "','"; 578 query += m_SQLHandler->escapeString(&surl); 579 query += "');"; 580 581 m_SQLHandler->addQuery(&query,NULL,NULL); 582 398 583 } 399 584 400 585 void LogSurfNET::handleDownloadSuccess(uint32_t localhost, uint32_t remotehost, const char *url, const char *md5hash) 401 586 { 402 string hwa = ""; 403 404 int32_t sensorid = m_DB->getSensorID(localhost); 405 int32_t attackid = m_DB->addAttack(AS_DOWNLOAD_SUCCESS, remotehost, 0, localhost, 0, hwa, sensorid); 406 407 m_DB->addDetail(attackid, sensorid, DT_DOWNLOAD_URL, url); 408 m_DB->addDetail(attackid, sensorid, DT_DOWNLOAD_HASH, md5hash); 587 logPF(); 588 589 string attackerhost = inet_ntoa(*(in_addr *)&remotehost); 590 string decoyhost = inet_ntoa(*(in_addr *)&localhost); 591 592 string surl = url; 593 string smd5hash = md5hash; 594 595 string query; 596 query = "SELECT surfnet_detail_add_download('"; 597 query += attackerhost; 598 query += "','"; 599 query += decoyhost; 600 query += "','"; 601 query += m_SQLHandler->escapeString(&surl); 602 query += "','"; 603 query += m_SQLHandler->escapeString(&smd5hash); 604 query += "');"; 605 606 m_SQLHandler->addQuery(&query,NULL,NULL); 607 } 608 609 610 bool LogSurfNET::sqlSuccess(SQLResult *result) 611 { 612 logPF(); 613 Socket *s; 614 vector< map<string,string> > resvec = *result->getResult(); 615 s = (Socket 
*)result->getObject(); 616 617 logCrit("Socket %x has cookie %s \n",(uintptr_t)s, 618 resvec[0]["surfnet_attack_add"].c_str()); 619 m_SocketTracker[(uintptr_t)s].m_attackID = atoi(resvec[0]["surfnet_attack_add"].c_str()); 620 621 622 if (m_SocketTracker[(uintptr_t)s].m_Details.size() > 0) 623 { 624 logDebug("Processing Event Backlog for this connection\n"); 625 } 626 627 while (m_SocketTracker[(uintptr_t)s].m_Details.size() > 0) 628 { 629 /* logSpam("WOOOOHOOOOO %s %s %i \n", 630 m_SocketTracker[(uintptr_t)s].m_Details.front()->m_host.c_str(), 631 m_SocketTracker[(uintptr_t)s].m_Details.front()->m_data.c_str(), 632 m_SocketTracker[(uintptr_t)s].m_Details.front()->m_type); 633 */ 634 635 string query; 636 query = "SELECT surfnet_detail_add('"; 637 query += itos(m_SocketTracker[(uintptr_t)s].m_attackID); 638 query += "','"; 639 query += m_SocketTracker[(uintptr_t)s].m_Details.front()->m_host; 640 query += "','"; 641 query += itos(m_SocketTracker[(uintptr_t)s].m_Details.front()->m_type); 642 query += "','"; 643 query += m_SocketTracker[(uintptr_t)s].m_Details.front()->m_data.c_str(); 644 query += "');"; 645 646 m_SQLHandler->addQuery(&query,NULL,NULL); 647 648 delete m_SocketTracker[(uintptr_t)s].m_Details.front(); 649 m_SocketTracker[(uintptr_t)s].m_Details.pop_front(); 650 } 651 652 if (m_SocketTracker[(uintptr_t)s].m_closed == true) 653 { 654 m_SocketTracker.erase((uintptr_t)s); 655 } 656 657 return true; 658 } 659 660 bool LogSurfNET::sqlFailure(SQLResult *result) 661 { 662 logPF(); 663 return true; 664 } 665 666 void LogSurfNET::sqlConnected() 667 { 668 logPF(); 669 } 670 671 void LogSurfNET::sqlDisconnected() 672 { 673 logPF(); 409 674 } 410 675 … … 412 677 extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) 413 678 { 414 if (version == MODULE_IFACE_VERSION) { 415 *module = new LogSurfNET(nepenthes); 416 return 1; 417 } else { 418 return 0; 419 } 420 } 679 if ( version == MODULE_IFACE_VERSION ) 680 { 681 *module = new 
LogSurfNET(nepenthes); 682 return 1; 683 } 684 else 685 { 686 return 0; 687 } 688 } 689 nepenthes/trunk/modules/log-surfnet/log-surfnet.hpp
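Review bot: The severity update built in handleDialogueAssignAndDone is malformed SQL: `query = "SELECT surfnet_attack_update_severity(";` has no opening quote, so the appended `"','"` and `"');"` produce `surfnet_attack_update_severity(123','2');`, which the server rejects and the no-op sqlFailure silently drops — the first line should read `query = "SELECT surfnet_attack_update_severity('";`. The deferred path loses the same update from the other side: when attackid is still 0, `m_severity` is recorded in the LSContext, but sqlSuccess only replays `m_Details` and never issues the severity update, so a dialogue assigned before the attack row comes back stays at the "possible" severity. sqlFailure also returns without touching m_SocketTracker, so a failed `surfnet_attack_add` leaves the context and its heap-allocated LSDetail entries in the map forever; it should free them and erase the entry for the socket the result carries (assuming getObject() is populated on failure as it is on success — confirm in SQLHandler). Two smaller points: sqlSuccess indexes `resvec[0]` without checking that the result has a row, and the backlog replay appends `m_data` without `escapeString()`, unlike the download paths — dialogue and handler names look internal today, but routing every detail through the same helper keeps a future attacker-supplied detail type from becoming string-concatenation injection.
```cpp
// handleDialogueAssignAndDone(): fix the opening quote
query = "SELECT surfnet_attack_update_severity('";
// … unchanged: itos(attackid), "','", itos(AS_DEFINITLY_MALICIOUS_CONNECTION), "');", addQuery …

// sqlSuccess(): guard the result row, then after the m_Details backlog is drained
if (resvec.empty())
{
    logCrit("surfnet_attack_add returned no row for socket %x\n", (uintptr_t)s);
    return false;
}
// … unchanged: m_attackID assignment, backlog replay loop …
if (m_SocketTracker[(uintptr_t)s].m_severity > 0)
{
    string query;
    query = "SELECT surfnet_attack_update_severity('";
    query += itos(m_SocketTracker[(uintptr_t)s].m_attackID);
    query += "','";
    query += itos(m_SocketTracker[(uintptr_t)s].m_severity);
    query += "');";
    m_SQLHandler->addQuery(&query,NULL,NULL);
}
// … unchanged: m_closed check / erase …

bool LogSurfNET::sqlFailure(SQLResult *result)
{
    logPF();
    Socket *s = (Socket *)result->getObject();
    if (s != NULL && m_SocketTracker.count((uintptr_t)s) > 0)
    {
        // no attack id will ever arrive; free the queued details and drop the context
        while (m_SocketTracker[(uintptr_t)s].m_Details.size() > 0)
        {
            delete m_SocketTracker[(uintptr_t)s].m_Details.front();
            m_SocketTracker[(uintptr_t)s].m_Details.pop_front();
        }
        m_SocketTracker.erase((uintptr_t)s);
    }
    return true;
}
```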
r332 r673 35 35 #include "Nepenthes.hpp" 36 36 #include "EventHandler.hpp" 37 #include "SQLCallback.hpp" 38 37 39 38 40 using namespace std; … … 62 64 }; 63 65 64 66 class LSDetail 67 { 68 public: 69 LSDetail(uint32_t host, int type, string data); 70 string m_host; 71 int m_type; 72 string m_data; 73 }; 74 75 class LSContext 76 { 77 public: 78 LSContext(); 79 uint32_t m_attackID; 80 list <LSDetail *> m_Details; 81 bool m_closed; 82 int m_severity; 83 }; 84 85 86 typedef enum 87 { 88 LS_MODE_ANY, 89 LS_MODE_LIST, 90 } log_surfnet_mode; 91 65 92 66 93 class ShellcodeHandler; 67 class DatabaseConnection; 94 95 class SQLHandler; 68 96 69 97 /** … … 72 100 * 73 101 */ 74 class LogSurfNET : public Module , public EventHandler 102 class LogSurfNET : public Module , public EventHandler, public SQLCallback 75 103 { 76 104 public: … … 82 110 uint32_t handleEvent(Event *event); 83 111 112 bool sqlSuccess(SQLResult *result); 113 bool sqlFailure(SQLResult *result); 114 void sqlConnected(); 115 void sqlDisconnected(); 116 117 84 118 private: 85 map <uint32_t, uint32_t, ltint> m_SocketTracker;119 map <uint32_t, LSContext, ltint> m_SocketTracker; 86 120 87 121 uint16_t *m_Ports; … … 100 134 void handleDownloadSuccess(uint32_t localhost, uint32_t remotehost,const char *url, const char *md5hash); 101 135 102 DatabaseConnection *m_DB;103 //136 SQLHandler *m_SQLHandler; 137 log_surfnet_mode m_RunningMode; 104 138 }; 139 105 140 106 141 }
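Review bot: LSContext owns the LSDetail objects behind `list <LSDetail *> m_Details;` through raw pointers yet declares no destructor, copy constructor or assignment operator, while it is stored by value in `map <uint32_t, LSContext, ltint> m_SocketTracker` and therefore copied on every `operator[]` insert — a naive destructor would double-free, and without one every erase of a context that still holds details leaks them. Because LSDetail is just three copyable members, the cleanest fix is to hold them by value, `list <LSDetail> m_Details;`, and `push_back(LSDetail(...))` in the .cpp, which removes the manual deletes in sqlSuccess altogether; the .cpp side of that change is outside this header. A brief class comment would also help the next reader: `// Per-connection state while the surfnet_attack_add round-trip is outstanding: m_attackID is 0 until sqlSuccess() fills it, m_Details/m_severity queue events that arrived before then, m_closed marks a socket closed before the id came back.` The trailing comma in `LS_MODE_LIST,` is accepted by gcc but is not C++03; drop it if the module is ever built with -pedantic or another compiler.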
