Changeset 679
- Timestamp:
- 10/26/06 16:56:08 (2 years ago)
- Files:
-
- nepenthes/trunk/modules/module-honeytrap/PCAPSocket.cpp (modified) (4 diffs)
- nepenthes/trunk/modules/module-honeytrap/TrapSocket.cpp (modified) (3 diffs)
- nepenthes/trunk/modules/module-honeytrap/module-honeytrap.cpp (modified) (6 diffs)
- nepenthes/trunk/modules/module-honeytrap/module-honeytrap.hpp (modified) (1 diff)
nepenthes/trunk/modules/module-honeytrap/PCAPSocket.cpp
r678 r679 58 58 { 59 59 logPF(); 60 logDebug("connectionlogger logged %i packets\n", m_PacketCount); 61 pcap_dump_close(m_PcapDumper); 62 pcap_close(m_PcapSniffer); 60 63 g_ModuleHoneytrap->socketDel(this); 61 64 } … … 179 182 } 180 183 181 /* create the path for logging */ 184 /* free the filter */ 185 pcap_freecode(&filter); 186 187 188 /* create the path for logging 189 this path is uniq, and there is no danger in overwriting existing files, 190 as 191 - we use the timestamp and the connection details remotehost remoteport localhost localport 192 and the ModuleHoneyTrap socket tracker makes sure there is only _one_ pcap listener per 193 connection 194 - this listener has a 10 seconds timeout if the connection is not established 195 so either you wait 10 seconds, change the timestamp, or use a different host/port 196 which will result in a different filename 197 */ 198 182 199 char *pcap_file_path; 183 200 … … 190 207 191 208 192 /* create the buddy who will write the pcap file, the pcap_dumper_t */ 209 /* create the buddy who will write the pcap file, the pcap_dumper_t 210 */ 193 211 if ( (m_PcapDumper = pcap_dump_open(m_PcapSniffer,pcap_file_path)) == NULL ) 194 212 { … … 222 240 bool PCAPSocket::Exit() 223 241 { 224 logDebug("connectionlogger logged %i packets\n", m_PacketCount);225 pcap_dump_close(m_PcapDumper);226 pcap_close(m_PcapSniffer);227 242 setStatus(SS_CLOSED); 228 243 return true; nepenthes/trunk/modules/module-honeytrap/TrapSocket.cpp
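Review bot: The destructor now calls `pcap_dump_close(m_PcapDumper)` and `pcap_close(m_PcapSniffer)` unconditionally, but the Init() path visible further down in this same file can fail after `pcap_dump_open` returns NULL, so deleting an object whose Init() failed hands a null handle to libpcap. Guard both calls, `if (m_PcapDumper) pcap_dump_close(m_PcapDumper);` and `if (m_PcapSniffer) pcap_close(m_PcapSniffer);`, and make sure the constructor (outside this hunk) initialises both members to NULL — that initialisation is not visible here and the guard is only safe if it exists. The new comment justifying why the pcap file name cannot collide is good, but it should also say where `pcap_file_path` is freed, since the hunk shows it allocated as a `char *` and the release is outside the shown lines. The destructor and Init() bodies both start before this hunk.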
r677 r679 188 188 } 189 189 bzero(&m_DivertSin, sizeof(m_DivertSin)); 190 m_DivertSin.sin_port = htons( 4711); // FIXME190 m_DivertSin.sin_port = htons(m_DivertPort); // FIXME 191 191 m_DivertSin.sin_family = PF_INET; 192 192 m_DivertSin.sin_addr.s_addr = INADDR_ANY; … … 197 197 return false; 198 198 } 199 logInfo("Bound divert socket on port %i\n", 4711); //FIXME199 logInfo("Bound divert socket on port %i\n",m_DivertPort); //FIXME 200 200 return true; 201 201 #else … … 792 792 } 793 793 794 795 if (g_ModuleHoneytrap->socketExists((uint32_t)ip->ip_src.s_addr, ntohs(tcp->th_sport), 796 (uint32_t)ip->ip_dst.s_addr,ntohs(tcp->th_dport)) == false) 794 if ( m_HTType != HT_PCAP ) 797 795 { 798 POLLSocket *ps = new PCAPSocket((uint32_t)ip->ip_src.s_addr, ntohs(tcp->th_sport) , 799 (uint32_t)ip->ip_dst.s_addr,ntohs(tcp->th_dport)); 800 if ( ps->Init() == true ) 796 if ( g_ModuleHoneytrap->socketExists((uint32_t)ip->ip_src.s_addr, ntohs(tcp->th_sport), 797 (uint32_t)ip->ip_dst.s_addr,ntohs(tcp->th_dport)) == false ) 801 798 { 802 g_Nepenthes->getSocketMgr()->addPOLLSocket(ps); 803 g_ModuleHoneytrap->socketAdd((uint32_t)ip->ip_src.s_addr, ntohs(tcp->th_sport), 804 (uint32_t)ip->ip_dst.s_addr,ntohs(tcp->th_dport), 805 ps); 799 POLLSocket *ps = new PCAPSocket((uint32_t)ip->ip_src.s_addr, ntohs(tcp->th_sport) , 800 (uint32_t)ip->ip_dst.s_addr,ntohs(tcp->th_dport)); 801 if ( ps->Init() == true ) 802 { 803 g_Nepenthes->getSocketMgr()->addPOLLSocket(ps); 804 g_ModuleHoneytrap->socketAdd((uint32_t)ip->ip_src.s_addr, ntohs(tcp->th_sport), 805 (uint32_t)ip->ip_dst.s_addr,ntohs(tcp->th_dport), 806 ps); 807 } 808 } else 809 { 810 logWarn("Already listening for this buddy\n"); 806 811 } 807 }else808 {809 logWarn("Already listening for this buddy\n");810 812 } 811 813 } nepenthes/trunk/modules/module-honeytrap/module-honeytrap.cpp
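Review bot: When `ps->Init()` returns false the freshly allocated PCAPSocket is neither added to the socket manager nor deleted, so every failed per-connection listener leaks — and since this code runs for each new inbound SYN that is not yet tracked, a remote peer can drive that allocation rate. Add `else { delete ps; }` after the `if ( ps->Init() == true )` block (this presumes the PCAPSocket destructor tolerates a half-initialised object, which should be confirmed alongside the destructor change in this changeset). The two `// FIXME` markers on the `htons(m_DivertPort)` and `logInfo(... m_DivertPort)` lines are now stale, since the hard-coded 4711 they flagged is gone; drop them or say what remains to fix. Both enclosing functions start and end outside this hunk.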
r677 r679 237 237 { 238 238 logPF(); 239 logSpam("connection tracking has %i entries\n",m_Sockets.size()); 239 240 connection_t c; 241 memset(&c,0,sizeof(connection_t)); 240 242 c.m_RemoteHost = s->getRemoteHost(); 241 243 c.m_RemotePort = s->getRemotePort(); … … 245 247 if (m_Sockets.count(c) == 0) 246 248 { 249 logWarn("Can not delete untracked socket\n"); 247 250 return false; 248 251 } 249 252 253 logSpam("erasing socket from tracker\n"); 250 254 m_Sockets.erase(c); 251 255 return true; … … 256 260 { 257 261 logPF(); 258 connection_t c; 259 c.m_RemoteHost = remotehost; 260 c.m_RemotePort = remoteport; 261 c.m_LocalHost = localhost; 262 c.m_LocalPort = localport; 263 264 if (m_Sockets.count(c) > 0) 265 return true; 266 267 return false; 268 } 269 270 bool ModuleHoneyTrap::socketAdd(uint32_t remotehost, uint16_t remoteport, uint32_t localhost, uint16_t localport, Socket *s) 271 { 272 logPF(); 273 274 262 logSpam("connection tracking has %i entries\n",m_Sockets.size()); 275 263 connection_t c; 276 264 memset(&c,0,sizeof(connection_t)); … … 280 268 c.m_LocalPort = localport; 281 269 282 // if (m_Sockets.count(c) > 0) 283 // return false; 270 if (m_Sockets.count(c) > 0) 271 { 272 logSpam("Socket exists\n"); 273 return true; 274 } 275 276 logSpam("Socket does not exist\n"); 277 return false; 278 } 279 280 bool ModuleHoneyTrap::socketAdd(uint32_t remotehost, uint16_t remoteport, uint32_t localhost, uint16_t localport, Socket *s) 281 { 282 logPF(); 283 284 285 connection_t c; 286 memset(&c,0,sizeof(connection_t)); 287 c.m_RemoteHost = remotehost; 288 c.m_RemotePort = remoteport; 289 c.m_LocalHost = localhost; 290 c.m_LocalPort = localport; 291 292 if (m_Sockets.count(c) > 0) 293 { 294 logCrit("duplicate socket in tracker\n"); 295 return false; 296 } 284 297 285 298 m_Sockets[c] = s; … … 293 306 logPF(); 294 307 295 308 309 310 if (!(((SocketEvent *)event)->getSocket()->getType() & ST_ACCEPT) ) 311 { 312 logSpam("Not a accept socket, dropping\n"); 313 return 0; 314 315 
} 296 316 297 317 connection_t c; … … 303 323 if (m_Sockets.count(c) == 0) 304 324 { 305 logInfo("Socket unknown, dropping\n"); 325 string rhost = inet_ntoa(*(in_addr *)&c.m_RemoteHost); 326 string lhost = inet_ntoa(*(in_addr *)&c.m_LocalHost); 327 328 logInfo("Connection %s:%i %s:%i unknown, dropping\n", rhost.c_str(),c.m_RemotePort, 329 lhost.c_str(),c.m_LocalPort); 306 330 return 0; 307 331 } 332 333 334 308 335 309 336 switch(event->getType()) nepenthes/trunk/modules/module-honeytrap/module-honeytrap.hpp
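Review bot: The two new `logSpam("connection tracking has %i entries\n", m_Sockets.size())` lines pass a `size_t` to a `%i` conversion, which is a type mismatch in the varargs call and will print garbage or worse on LP64 targets; cast explicitly, `(int)m_Sockets.size()`, or use `%zu` if the logger's format handling supports it. In the event handler, `event` is cast to `SocketEvent *` and dereferenced before `event->getType()` is examined in the switch below, so the new ST_ACCEPT check assumes every event reaching this handler is a SocketEvent — if that is guaranteed by the registration elsewhere, a one-line comment saying so would help; if not, check the event type first. The functions in this section start and end outside the shown lines.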
r677 r679 67 67 bool operator()(connection_t s1, connection_t s2) const 68 68 { 69 if (s1.m_RemoteHost < s2.m_RemoteHost) 70 return true; 71 if (s1.m_RemotePort < s2.m_RemotePort) 72 return true; 73 if (s1.m_LocalHost < s2.m_LocalHost) 74 return true; 75 if (s1.m_LocalPort < s2.m_LocalPort) 76 return true; 69 // printf("the comparator\n"); 70 if ( s1.m_RemoteHost < s2.m_RemoteHost ) 71 { 72 return(true); 73 } else 74 if ( s1.m_RemoteHost == s2.m_RemoteHost ) 75 { 77 76 78 return false; 77 if ( s1.m_RemotePort < s2.m_RemotePort ) 78 { 79 return(true); 80 } else 81 if ( s1.m_RemotePort == s2.m_RemotePort ) 82 { 83 if ( s1.m_LocalHost < s2.m_LocalHost ) 84 { 85 return(true); 86 } else 87 if ( s1.m_LocalHost == s2.m_LocalHost ) 88 { 89 if ( s1.m_LocalPort < s2.m_LocalPort ) 90 return(true); 91 else 92 return(false); 93 } 94 } else 95 { 96 return(false); 97 } 98 } 99 return(false); 79 100 } 80 101 };
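Review bot: The rewritten comparator is now a correct lexicographic strict weak ordering (the old version returned true whenever any single field compared less, which breaks `std::map` lookups — the tracker misses reported elsewhere in this changeset are consistent with that), but the four-level nested if/else chain is hard to audit and the stray `// printf("the comparator\n");` should go. The same ordering reads as a flat chain of "if unequal, decide; otherwise fall through", and the parameters should be `const connection_t &` rather than by-value copies since the comparator runs on every map operation. The enclosing struct and `connection_t` definition are outside this hunk.
```cpp
bool operator()(const connection_t &s1, const connection_t &s2) const
{
    // lexicographic order: remote host, remote port, local host, local port
    if (s1.m_RemoteHost != s2.m_RemoteHost) return s1.m_RemoteHost < s2.m_RemoteHost;
    if (s1.m_RemotePort != s2.m_RemotePort) return s1.m_RemotePort < s2.m_RemotePort;
    if (s1.m_LocalHost  != s2.m_LocalHost)  return s1.m_LocalHost  < s2.m_LocalHost;
    return s1.m_LocalPort < s2.m_LocalPort;
}
```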
