karasz
/
package-update
1
0
Fork 0
Code Issues Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3298 Commits
46 Branches
0 Tags
0 B
Tree: d1f92ec21d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'd1f92ec21d'
${ noResults }
package-update/network/nepenthes/nepenthes-0.2.0-update-r134...

4596 lines
148 KiB
Raw Normal View History Unescape

* updated nepenthes (0.2.0 -> 0.2.0-1) * added update patch that incorporates all changes from upstream svn up to r1345 * removed prelude-hotfix.patch (obsolete - included in update patch) * fixed nepenthes to find libssh if available git-svn-id: svn://svn.opensde.net/opensde/package/trunk@21963 10447126-35f2-4685-b0cf-6dd780d3921f
17 years ago
# --- SDE-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
Regenerated copyright notes broadly, without renewing them.
17 years ago
#
* updated nepenthes (0.2.0 -> 0.2.0-1) * added update patch that incorporates all changes from upstream svn up to r1345 * removed prelude-hotfix.patch (obsolete - included in update patch) * fixed nepenthes to find libssh if available git-svn-id: svn://svn.opensde.net/opensde/package/trunk@21963 10447126-35f2-4685-b0cf-6dd780d3921f
17 years ago
# Filename: package/.../nepenthes/nepenthes-0.2.0-update-r1345.patch
# Copyright (C) 2007 The OpenSDE Project
Regenerated copyright notes broadly, without renewing them.
17 years ago
#
* updated nepenthes (0.2.0 -> 0.2.0-1) * added update patch that incorporates all changes from upstream svn up to r1345 * removed prelude-hotfix.patch (obsolete - included in update patch) * fixed nepenthes to find libssh if available git-svn-id: svn://svn.opensde.net/opensde/package/trunk@21963 10447126-35f2-4685-b0cf-6dd780d3921f
17 years ago
# More information can be found in the files COPYING and README.
Regenerated copyright notes broadly, without renewing them.
17 years ago
#
* updated nepenthes (0.2.0 -> 0.2.0-1) * added update patch that incorporates all changes from upstream svn up to r1345 * removed prelude-hotfix.patch (obsolete - included in update patch) * fixed nepenthes to find libssh if available git-svn-id: svn://svn.opensde.net/opensde/package/trunk@21963 10447126-35f2-4685-b0cf-6dd780d3921f
17 years ago
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- SDE-COPYRIGHT-NOTE-END ---
diff -ruN nepenthes-0.2.0/conf/nepenthes.conf.dist nepenthes-0.2.0-r1345/conf/nepenthes.conf.dist
--- nepenthes-0.2.0/conf/nepenthes.conf.dist 2006-11-13 20:40:03.000000000 +0100
+++ nepenthes-0.2.0-r1345/conf/nepenthes.conf.dist 2007-08-06 00:46:15.000000000 +0200
@@ -35,10 +35,12 @@
// "submitnorman.so", "submit-norman.conf", ""
// "submitnepenthes.so", "submit-nepenthes.conf", "" // send to download-nepenthes in other nepenthes instances
// "submitxmlrpc.so", "submit-xmlrpc.conf", "" // submit files to a xmlrpc server
+// "submithttp.so", "submit-http.conf", "" // submit files to a web server
// logging
"logdownload.so", "log-download.conf", ""
// "logirc.so", "log-irc.conf", "" // needs configuration
+// "logprelude.so", "log-prelude.conf", ""
// dumping and logging
diff -ruN nepenthes-0.2.0/configure.ac nepenthes-0.2.0-r1345/configure.ac
--- nepenthes-0.2.0/configure.ac 2006-11-13 20:50:47.000000000 +0100
+++ nepenthes-0.2.0-r1345/configure.ac 2007-08-06 00:46:15.000000000 +0200
@@ -201,6 +201,9 @@
# libdl
AC_SUBST([LIB_DL])
+# libssh
+AC_SUBST([LIB_SSH])
+
dnl **************************************************
dnl * libdl linking flag *
dnl **************************************************
@@ -788,12 +791,11 @@
AC_DEFINE(HAVE_LIBPRELUDE, 1,[Define if you want to use libprelude])
PRELUDE_LDFLAGS=`$LIBPRELUDE_CONFIG --ldflags`
PRELUDE_LIBS=`$LIBPRELUDE_CONFIG --libs`
- PRELUDE_CPPFLAGS=`$LIBPRELUDE_CONFIG --cflags`
+ PRELUDE_CPPFLAGS=`$LIBPRELUDE_CONFIG --pthread-cflags`
LIB_PRELUDE="$PRELUDE_LIBS"
LDFLAG_PRELUDE="$PRELUDE_LDFLAGS"
- CPPFLAG="$PRELUDE_CPPFLAGS"
-
+ CPPFLAGS="$CPPFLAGS $PRELUDE_CPPFLAGS"
fi
fi
@@ -913,6 +915,8 @@
modules/submit-gotek/Makefile
modules/submit-norman/Makefile
modules/submit-postgres/Makefile
+ modules/submit-http/Makefile
+ modules/submit-mwserv/Makefile
modules/vuln-asn1/Makefile
modules/vuln-bagle/Makefile
modules/vuln-dameware/Makefile
@@ -931,6 +935,7 @@
modules/vuln-pnp/Makefile
modules/vuln-realvnc/Makefile
modules/vuln-sasserftpd/Makefile
+ modules/vuln-sav/Makefile
modules/vuln-ssh/Makefile
modules/vuln-sub7/Makefile
modules/vuln-upnp/Makefile
diff -ruN nepenthes-0.2.0/modules/Makefile.am nepenthes-0.2.0-r1345/modules/Makefile.am
--- nepenthes-0.2.0/modules/Makefile.am 2006-11-13 20:40:11.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -4,11 +4,11 @@
SUBDIRS = download-creceive download-csend download-curl download-ftp download-http download-link download-tftp download-rcp\
log-download log-irc \
- submit-file submit-gotek submit-norman submit-postgres\
+ submit-file submit-gotek submit-norman submit-postgres submit-http submit-mwserv \
shellcode-generic shellemu-winnt \
vuln-asn1 vuln-bagle vuln-dcom vuln-iis vuln-kuang2 vuln-lsass \
vuln-msdtc vuln-msmq vuln-mssql vuln-mydoom \
- vuln-netbiosname vuln-netdde vuln-optix vuln-pnp vuln-sasserftpd \
+ vuln-netbiosname vuln-netdde vuln-optix vuln-pnp vuln-sasserftpd vuln-sav \
vuln-sub7 vuln-upnp vuln-veritas vuln-wins vuln-dameware vuln-ssh vuln-realvnc \
module-portwatch module-honeytrap module-bridge module-peiros\
dnsresolve-adns \
diff -ruN nepenthes-0.2.0/modules/dnsresolve-adns/Makefile.am nepenthes-0.2.0-r1345/modules/dnsresolve-adns/Makefile.am
--- nepenthes-0.2.0/modules/dnsresolve-adns/Makefile.am 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/dnsresolve-adns/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -12,4 +12,4 @@
dnsresolveadns_la_SOURCES = dnsresolve-adns.cpp dnsresolve-adns.hpp
-dnsresolveadns_la_LDFLAGS = -module -no-undefined -avoid-version
+dnsresolveadns_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/dnsresolve-adns/dnsresolve-adns.cpp nepenthes-0.2.0-r1345/modules/dnsresolve-adns/dnsresolve-adns.cpp
--- nepenthes-0.2.0/modules/dnsresolve-adns/dnsresolve-adns.cpp 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/dnsresolve-adns/dnsresolve-adns.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -47,6 +47,7 @@
#include "EventManager.hpp"
+#include "Nepenthes.hpp"
using namespace std;
diff -ruN nepenthes-0.2.0/modules/download-creceive/CReceiveDialogue.cpp nepenthes-0.2.0-r1345/modules/download-creceive/CReceiveDialogue.cpp
--- nepenthes-0.2.0/modules/download-creceive/CReceiveDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/download-creceive/CReceiveDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -87,7 +87,7 @@
CReceiveDialogue::~CReceiveDialogue()
{
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+// HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
// delete m_Buffer;
delete m_Download;
}
diff -ruN nepenthes-0.2.0/modules/download-curl/Makefile.am nepenthes-0.2.0-r1345/modules/download-curl/Makefile.am
--- nepenthes-0.2.0/modules/download-curl/Makefile.am 2006-11-13 20:40:06.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/download-curl/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -12,4 +12,4 @@
downloadcurl_la_SOURCES = download-curl.conf.dist download-curl.hpp download-curl.cpp
-downloadcurl_la_LDFLAGS = -module -no-undefined -avoid-version
+downloadcurl_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/download-curl/download-curl.cpp nepenthes-0.2.0-r1345/modules/download-curl/download-curl.cpp
--- nepenthes-0.2.0/modules/download-curl/download-curl.cpp 2006-11-13 20:40:06.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/download-curl/download-curl.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -230,7 +230,9 @@
down->getDownloadUrl()->getPort(),
down->getDownloadUrl()->getPath().c_str());
// string auth = down->getDownloadUrl()->getUser() + ":" + down->getDownloadUrl()->getPass();
+#if LIBCURL_VERSION_NUM < 0x071000
curl_easy_setopt(pCurlHandle, CURLOPT_SOURCE_USERPWD,(char *)down->getDownloadUrl()->getAuth().c_str());
+#endif
curl_easy_setopt(pCurlHandle, CURLOPT_USERPWD,(char *)down->getDownloadUrl()->getAuth().c_str());
curl_easy_setopt(pCurlHandle, CURLOPT_URL , url);
curl_easy_setopt(pCurlHandle, CURLOPT_FTP_RESPONSE_TIMEOUT, 120); // 2 min ftp timeout
diff -ruN nepenthes-0.2.0/modules/download-http/HTTPDialogue.cpp nepenthes-0.2.0-r1345/modules/download-http/HTTPDialogue.cpp
--- nepenthes-0.2.0/modules/download-http/HTTPDialogue.cpp 2006-11-13 20:40:04.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/download-http/HTTPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -178,7 +178,7 @@
if ( end == NULL )
{
logWarn("HTTP ERROR header found %i\n", size);
- g_Nepenthes->getUtilities()->hexdump((byte *)start,size);
+// g_Nepenthes->getUtilities()->hexdump((byte *)start,size);
return CL_DROP;
}else
if ( end != NULL )
diff -ruN nepenthes-0.2.0/modules/download-link/LinkDialogue.cpp nepenthes-0.2.0-r1345/modules/download-link/LinkDialogue.cpp
--- nepenthes-0.2.0/modules/download-link/LinkDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/download-link/LinkDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -122,7 +122,7 @@
case LINK_NULL:
{
m_Buffer->add(msg->getMsg(),msg->getSize());
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+// HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
msg->getResponder()->doRespond((char *)&m_Challenge,4);
m_State = LINK_FILE;
diff -ruN nepenthes-0.2.0/modules/log-irc/log-irc.cpp nepenthes-0.2.0-r1345/modules/log-irc/log-irc.cpp
--- nepenthes-0.2.0/modules/log-irc/log-irc.cpp 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-irc/log-irc.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -171,7 +171,7 @@
}
// m_Nepenthes->getSocketMgr()->bindTCPSocket(0,10002,0,45,this);
- g_Nepenthes->getLogMgr()->addLogger(this,l_dl|l_sub);
+ g_Nepenthes->getLogMgr()->addLogger(this,l_all);
return true;
}
diff -ruN nepenthes-0.2.0/modules/log-prelude/Makefile.am nepenthes-0.2.0-r1345/modules/log-prelude/Makefile.am
--- nepenthes-0.2.0/modules/log-prelude/Makefile.am 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-prelude/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -4,7 +4,7 @@
AUTOMAKE_OPTIONS = foreign
-AM_CPPFLAGS = -I/usr/include/libprelude -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE $(CPPFLAG_PRELUDE)
+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
AM_CXXFLAGS = -Wall
AM_LDFLAGS = $(LDFLAG_PRELUDE) ${LIB_PRELUDE}
@@ -12,5 +12,5 @@
logprelude_la_SOURCES = log-prelude.cpp log-prelude.hpp log-prelude.conf.dist
-logprelude_la_LDFLAGS = -module -no-undefined -avoid-version
+logprelude_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.conf.dist
--- nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.conf.dist 2007-08-06 00:46:15.000000000 +0200
@@ -1,7 +1,9 @@
log-prelude
{
- analyzerClass "NIDS";
- analyzerModel "nepenthes";
- analyzerName "nepenthes";
-
+
+ // Name of the Prelude analyzer to use (default is nepenthes).
+ // analyzerName "nepenthes";
+
+ // Name of the Prelude profile to use (default is nepenthes).
+ // analyzerProfile "nepenthes";
};
diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp
--- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp 2007-08-06 00:48:07.000000000 +0200
@@ -27,14 +27,6 @@
/* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */
-#ifdef HAVE_LIBPRELUDE
-#include <prelude.h>
-#include <libprelude/prelude-log.h>
-#include <idmef-message-print.h>
-#include <prelude-io.h>
-#include <libprelude/prelude-timer.h>
-#endif
-
#include <arpa/inet.h>
#include "log-prelude.hpp"
#include "Nepenthes.hpp"
@@ -63,7 +55,11 @@
#define STDTAGS l_mod | l_ev | l_hlr
#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net"
-#define NEPENTHES_VERSION "$Rev: 550 $"
+#define DEFAULT_ANALYZER_NAME "nepenthes"
+#define DEFAULT_ANALYZER_PROFILE "nepenthes"
+#define ANALYZER_MODEL "Nepenthes"
+#define ANALYZER_CLASS "Honeypot"
+#define ANALYZER_MANUFACTURER "http://nepenthes.mwcollect.org/"
@@ -132,28 +128,21 @@
#ifdef HAVE_LIBPRELUDE
- if ( m_Config == NULL )
- {
- logCrit("I need a config\n");
- return false;
- }
-
- string analyzerClass;
- string analyzerModel;
string analyzerName;
-
- try
- {
- analyzerClass = (m_Config->getValString("log-prelude.analyzerClass"));
- analyzerModel = m_Config->getValString("log-prelude.analyzerModel");
- analyzerName = m_Config->getValString("log-prelude.analyzerName");
-
- } catch ( ... )
- {
- logCrit("Error setting needed vars, check your config\n");
- return false;
- }
-
+ string analyzerProfile;
+
+ try {
+ analyzerName = m_Config->getValString("log-prelude.analyzerName");
+ } catch ( ... ) {
+ analyzerName = DEFAULT_ANALYZER_NAME;
+ }
+
+ try {
+ analyzerProfile = m_Config->getValString("log-prelude.analyzerProfile");
+ } catch ( ... ) {
+ analyzerProfile = DEFAULT_ANALYZER_PROFILE;
+ }
+
m_ModuleManager = m_Nepenthes->getModuleMgr();
m_Events.set(EV_SOCK_TCP_ACCEPT);
m_Events.set(EV_SOCK_TCP_CLOSE);
@@ -163,44 +152,39 @@
m_Events.set(EV_DOWNLOAD);
m_Events.set(EV_SUBMISSION);
-
- const char *profile, *config;
-
- config = NULL;
- profile = analyzerName.c_str();
-
-
-
-
int32_t ret;
// Initialize Prelude Library
ret = prelude_init(NULL, NULL);
- if ( ret < 0 )
+ if ( ret < 0 ) {
logCrit("%s: Unable to initialize the Prelude library: %s.\n",
prelude_strsource(ret),
prelude_strerror(ret));
+ return false;
+ }
// generate a new Prelude client
- ret = prelude_client_new(&m_PreludeClient, profile);
+ ret = prelude_client_new(&m_PreludeClient, analyzerProfile.c_str());
- if ( ret < 0 )
+ if ( ret < 0 ) {
logCrit("%s: Unable to create a prelude client object: %s.\n",
prelude_strsource(ret),
prelude_strerror(ret));
+ return false;
+ }
-
+
// set options in the analyzer-part of the client
prelude_string_t *string;
- ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string);
+ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string);
if ( ret < 0 )
return false;
- prelude_string_set_constant(string, analyzerModel.c_str());
-
- ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string);
+ prelude_string_set_constant(string, ANALYZER_CLASS);
+
+ ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string);
if ( ret < 0 )
return false;
- prelude_string_set_constant(string, analyzerClass.c_str());
+ prelude_string_set_constant(string, ANALYZER_MODEL);
ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string);
if ( ret < 0 )
@@ -209,28 +193,31 @@
ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string);
if ( ret < 0 )
- return false;
-
- prelude_string_set_constant(string, NEPENTHES_VERSION);
+ return false;
+ prelude_string_set_constant(string, VERSION);
-// start the Prelude Client
+ ret = idmef_analyzer_new_name(prelude_client_get_analyzer(m_PreludeClient), &string);
+ if ( ret < 0 )
+ return false;
+ prelude_string_set_dup(string, analyzerName.c_str());
+
+ // start the Prelude Client
ret = prelude_client_start(m_PreludeClient);
if ( ret < 0 )
{
- if ( prelude_client_is_setup_needed(ret) )
- prelude_client_print_setup_error(m_PreludeClient);
-
logCrit("%s: Unable to initialize prelude client: %s.\n",
prelude_strsource(ret), prelude_strerror(ret));
+ return false;
}
-// set async Prelude Flags for the client, makes the application multithreaded
- ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
- if ( ret < 0 )
+ // set async Prelude Flags for the client, makes the application multithreaded
+ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
+ if ( ret < 0 ) {
logCrit("%s: Unable to set asynchronous send and timer: %s.\n",
prelude_strsource(ret),
prelude_strerror(ret));
-
+ return false;
+ }
REG_EVENT_HANDLER(this);
return true;
@@ -274,7 +261,7 @@
idmef_value_t *val;
idmef_path_t *path;
- ret = idmef_path_new(&path, object);
+ ret = idmef_path_new_fast(&path, object);
if ( ret < 0 )
{
logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret));
@@ -376,7 +363,6 @@
add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established");
add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT);
-// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
@@ -449,7 +435,6 @@
add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed");
add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE);
-// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
@@ -515,7 +500,6 @@
// hl: added ident
add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE);
- // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp~
--- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp~ 2006-11-13 20:40:08.000000000 +0100
@@ -0,0 +1,857 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+ /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */
+
+#ifdef HAVE_LIBPRELUDE
+#include <prelude.h>
+#include <libprelude/prelude-log.h>
+#include <idmef-message-print.h>
+#include <prelude-io.h>
+#include <libprelude/prelude-timer.h>
+#endif
+
+#include <arpa/inet.h>
+#include "log-prelude.hpp"
+#include "Nepenthes.hpp"
+#include "LogManager.hpp"
+#include "EventManager.hpp"
+#include "SubmitEvent.hpp"
+
+#include "Download.hpp"
+#include "DownloadUrl.hpp"
+#include "DownloadBuffer.hpp"
+
+#include "Socket.hpp"
+#include "SocketEvent.hpp"
+
+#include "Message.hpp"
+#include "Utilities.hpp"
+#include "Config.hpp"
+#include "ShellcodeHandler.hpp"
+
+
+using namespace nepenthes;
+
+#ifdef STDTAGS
+#undef STDTAGS
+#endif
+
+#define STDTAGS l_mod | l_ev | l_hlr
+#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net"
+#define NEPENTHES_VERSION "$Rev: 550 $"
+
+
+
+/**
+ * as we may need a global pointer to our Nepenthes in our modules,
+ * and cant access the cores global pointer to nepenthes
+ * we have to use a own global pointer to nepenthes per module
+ * we need this pointer for logInfo() etc
+ */
+Nepenthes *g_Nepenthes;
+
+/**
+ * Constructor
+ * creates a new LogPrelude Module, where x% is public Module, public EventHandler
+ * - sets the ModuleName
+ * - sets the ModuleDescription
+ * - sets the EventHandlerName
+ * - sets the EventHandlerDescription
+ * - sets the EventHandlers Timeout
+ * - sets the Modules global pointer to the Nepenthes
+ *
+ * @param nepenthes pointer to our nepenthes master class
+ */
+LogPrelude::LogPrelude(Nepenthes *nepenthes)
+{
+ m_ModuleName = "log-prelude";
+ m_ModuleDescription = "event based prelude logger";
+ m_ModuleRevision = "$Rev: 550 $";
+ m_Nepenthes = nepenthes;
+
+ m_EventHandlerName = "LogPreludeEventHandler";
+ m_EventHandlerDescription = "log events to a prelude database";
+
+// m_Timeout = time(NULL) + rand()%23;
+
+ g_Nepenthes = nepenthes;
+
+#ifdef HAVE_LIBPRELUDE
+ m_PreludeClient = NULL;
+#endif
+}
+
+
+/**
+ * exerything important happens in ::Exit() as we have a return value there
+ */
+LogPrelude::~LogPrelude()
+{
+
+}
+
+
+
+/**
+ * bool Module::Init()
+ * setup Module specific values
+ * here:
+ * - register as EventHandler
+ * - set wanted events
+ *
+ * @return returns true if everything was fine, else false
+ * returning false will showup errors in warning a module
+ */
+bool LogPrelude::Init()
+{
+
+#ifdef HAVE_LIBPRELUDE
+
+ if ( m_Config == NULL )
+ {
+ logCrit("I need a config\n");
+ return false;
+ }
+
+ string analyzerClass;
+ string analyzerModel;
+ string analyzerName;
+
+ try
+ {
+ analyzerClass = (m_Config->getValString("log-prelude.analyzerClass"));
+ analyzerModel = m_Config->getValString("log-prelude.analyzerModel");
+ analyzerName = m_Config->getValString("log-prelude.analyzerName");
+
+ } catch ( ... )
+ {
+ logCrit("Error setting needed vars, check your config\n");
+ return false;
+ }
+
+ m_ModuleManager = m_Nepenthes->getModuleMgr();
+ m_Events.set(EV_SOCK_TCP_ACCEPT);
+ m_Events.set(EV_SOCK_TCP_CLOSE);
+ m_Events.set(EV_DIALOGUE_ASSIGN_AND_DONE);
+ m_Events.set(EV_SHELLCODE_DONE);
+
+ m_Events.set(EV_DOWNLOAD);
+ m_Events.set(EV_SUBMISSION);
+
+
+ const char *profile, *config;
+
+ config = NULL;
+ profile = analyzerName.c_str();
+
+
+
+
+ int32_t ret;
+// Initialize Prelude Library
+ ret = prelude_init(NULL, NULL);
+ if ( ret < 0 )
+ logCrit("%s: Unable to initialize the Prelude library: %s.\n",
+ prelude_strsource(ret),
+ prelude_strerror(ret));
+
+// generate a new Prelude client
+ ret = prelude_client_new(&m_PreludeClient, profile);
+
+ if ( ret < 0 )
+ logCrit("%s: Unable to create a prelude client object: %s.\n",
+ prelude_strsource(ret),
+ prelude_strerror(ret));
+
+
+ // set options in the analyzer-part of the client
+ prelude_string_t *string;
+
+ ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string);
+ if ( ret < 0 )
+ return false;
+ prelude_string_set_constant(string, analyzerModel.c_str());
+
+ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string);
+ if ( ret < 0 )
+ return false;
+ prelude_string_set_constant(string, analyzerClass.c_str());
+
+ ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string);
+ if ( ret < 0 )
+ return false;
+ prelude_string_set_constant(string, ANALYZER_MANUFACTURER);
+
+ ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string);
+ if ( ret < 0 )
+ return false;
+
+ prelude_string_set_constant(string, NEPENTHES_VERSION);
+
+// start the Prelude Client
+ ret = prelude_client_start(m_PreludeClient);
+ if ( ret < 0 )
+ {
+ if ( prelude_client_is_setup_needed(ret) )
+ prelude_client_print_setup_error(m_PreludeClient);
+
+ logCrit("%s: Unable to initialize prelude client: %s.\n",
+ prelude_strsource(ret), prelude_strerror(ret));
+ }
+
+// set async Prelude Flags for the client, makes the application multithreaded
+ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER));
+ if ( ret < 0 )
+ logCrit("%s: Unable to set asynchronous send and timer: %s.\n",
+ prelude_strsource(ret),
+ prelude_strerror(ret));
+
+
+ REG_EVENT_HANDLER(this);
+ return true;
+#else
+ logCrit("Module log-prelude is compiled without libprelude, this wont work, reconfigure the whole source and recompile");
+ return false;
+#endif
+
+}
+
+
+/**
+ * unregister as EventHandler, destroy the Prelude Client
+ *
+ * @return returns true if everything was fine
+ */
+bool LogPrelude::Exit()
+{
+#ifdef HAVE_LIBPRELUDE
+ if( m_PreludeClient != NULL)
+ {
+ prelude_client_destroy(m_PreludeClient, (prelude_client_exit_status_t)(PRELUDE_CLIENT_EXIT_STATUS_SUCCESS));
+ prelude_deinit();
+ }
+ // disabled by harald due to segfaults
+ //UNREG_EVENT_HANDLER(this);
+#endif
+ return true;
+}
+
+
+
+/**
+ * This function adds char * idmef values into an idmef message
+ *
+ */
+#ifdef HAVE_LIBPRELUDE
+int32_t add_idmef_object(idmef_message_t *message, const char *object, const char *value)
+{
+ int32_t ret=0;
+ idmef_value_t *val;
+ idmef_path_t *path;
+
+ ret = idmef_path_new(&path, object);
+ if ( ret < 0 )
+ {
+ logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = idmef_value_new_from_path(&val, path, value);
+ if ( ret < 0 )
+ {
+ idmef_path_destroy(path);
+ logWarn("imdef error #2 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret));
+ return -1;
+ }
+
+ ret = idmef_path_set(path, message, val);
+
+ idmef_value_destroy(val);
+ idmef_path_destroy(path);
+ return ret;
+}
+
+
+/**
+ *
+ * This function adds int32_t idmef values into an idmef message
+ */
+int32_t add_idmef_object(idmef_message_t *message, const char *object, int32_t i)
+{
+ char value[20];
+ memset(value,0,20);
+ snprintf(value,19,"%i",i);
+ return add_idmef_object(message,object,value);
+}
+
+#endif
+
+
+/**
+ * the handleEvent method is called whenever an event occurs
+ * the EventHandler wanted to have.
+ *
+ * @param event the Event
+ *
+ * @return return 0
+ */
+uint32_t LogPrelude::handleEvent(Event *event)
+{
+// logPF();
+// logInfo("Event %i\n",event->getType());
+ switch(event->getType())
+ {
+
+ case EV_SOCK_TCP_ACCEPT:
+ handleTCPaccept(event);
+ break;
+
+ case EV_SOCK_TCP_CLOSE:
+ handleTCPclose(event);
+ break;
+
+ case EV_SUBMISSION:
+ handleSubmission(event);
+ break;
+
+ case EV_DIALOGUE_ASSIGN_AND_DONE:
+ handleDialogueAssignAndDone(event);
+ break;
+
+ case EV_SHELLCODE_DONE:
+ handleShellcodeDone(event);
+ break;
+
+
+ case EV_DOWNLOAD:
+ handleDownload(event);
+ break;
+
+ default:
+ logWarn("this should not happen\n");
+ }
+ return 0;
+}
+
+
+void LogPrelude::handleTCPaccept(Event *event)
+{
+
+
+ logInfo("LogPrelude EVENT EV_SOCK_TCP_ACCEPT\n");
+
+#ifdef HAVE_LIBPRELUDE
+ Socket *socket = ((SocketEvent *)event)->getSocket();
+
+ idmef_message_t *idmef;
+
+ int32_t ret = idmef_message_new(&idmef);
+ if ( ret < 0 )
+ return;
+
+ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established");
+ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT);
+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
+
+
+ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort());
+
+ uint32_t addr = socket->getRemoteHost();
+ string address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
+
+
+ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes");
+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP");
+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort());
+
+ addr = socket->getLocalHost();
+ address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
+
+
+
+
+ idmef_time_t *time;
+
+ ret = idmef_time_new_from_gettimeofday(&time);
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
+ time);
+
+
+ // analyzer id
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
+ IDMEF_LIST_PREPEND);
+
+
+ prelude_client_send_idmef(m_PreludeClient, idmef);
+
+ //prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef));
+ //const char *msgid = prelude_string_get_string(field);
+
+ //logInfo("PreludeMessageID = %s \n",msgid);
+
+ idmef_message_destroy(idmef);
+#endif
+}
+
+
+
+
+void LogPrelude::handleTCPclose(Event *event)
+{
+
+ Socket *socket = ((SocketEvent *)event)->getSocket();
+
+ if (! socket->isAccept())
+ {
+ return;
+ }
+
+ logInfo("LogPrelude EVENT EV_SOCK_TCP_CLOSE\n");
+
+#ifdef HAVE_LIBPRELUDE
+
+ idmef_message_t *idmef;
+
+ int32_t ret = idmef_message_new(&idmef);
+ if ( ret < 0 )
+ return;
+
+
+ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed");
+ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE);
+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
+
+
+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort());
+
+ uint32_t addr = socket->getRemoteHost();
+ string address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
+
+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP");
+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort());
+
+ addr = socket->getLocalHost();
+ address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",address.c_str());
+
+ idmef_time_t *time;
+
+ ret = idmef_time_new_from_gettimeofday(&time);
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
+ time);
+
+
+ // analyzer id
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
+ IDMEF_LIST_PREPEND);
+
+
+ prelude_client_send_idmef(m_PreludeClient, idmef);
+
+// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef));
+// const char *msgid = prelude_string_get_string(field);
+
+// logInfo("CloseMessageID = %s \n",msgid);
+
+ idmef_message_destroy(idmef);
+
+#endif
+}
+
+
+/**
+ * Send idmef message when finished with the Shellcode
+ *
+ */
+void LogPrelude::handleShellcodeDone(Event *event)
+{
+ logInfo("LogPrelude EVENT EV_SHELLCODE_DONE\n");
+
+#ifdef HAVE_LIBPRELUDE
+
+ ShellcodeHandler *handler = ((ShellcodeEvent *)event)->getShellcodeHandler();
+ Socket *socket = ((ShellcodeEvent *)event)->getSocket();
+
+ idmef_message_t *idmef;
+
+ int32_t ret = idmef_message_new(&idmef);
+ if ( ret < 0 )
+ return;
+ string shellcodeText = "Shellcode detected: " + handler->getShellcodeHandlerName();
+ add_idmef_object(idmef, "alert.classification.text", shellcodeText.c_str());
+ // hl: added ident
+ add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE);
+
+ // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
+
+
+ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no");
+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP");
+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort());
+
+ uint32_t addr = socket->getRemoteHost();
+ string address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
+
+
+ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes");
+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP");
+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort());
+
+ addr = socket->getLocalHost();
+ address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
+
+
+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Shellcode has been detected.");
+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium");
+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
+
+
+ // hl: added for additional information
+ add_idmef_object(idmef, "alert.additional_data(0).type", "string");
+ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Shellcode");
+ add_idmef_object(idmef, "alert.additional_data(0).data", handler->getShellcodeHandlerName().c_str());
+
+
+ idmef_time_t *time;
+
+ ret = idmef_time_new_from_gettimeofday(&time);
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
+ time);
+
+
+ // analyzer id
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
+ IDMEF_LIST_PREPEND);
+
+
+ prelude_client_send_idmef(m_PreludeClient, idmef);
+
+// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef));
+// const char *msgid = prelude_string_get_string(field);
+// logInfo("RecvMessageID = %s \n",msgid);
+
+ idmef_message_destroy(idmef);
+#endif
+}
+
+
+/**
+ *
+ * handle submitted files
+ */
+void LogPrelude::handleSubmission(Event *event)
+{
+ SubmitEvent *se = (SubmitEvent *)event;
+ Download *down = se->getDownload();
+
+ logInfo("LogPrelude EVENT EV_SUBMISSION %s %s %i \n",down->getUrl().c_str(),
+ down->getMD5Sum().c_str(),
+ down->getDownloadBuffer()->getSize());
+
+#ifdef HAVE_LIBPRELUDE
+ idmef_message_t *idmef;
+
+ int32_t ret = idmef_message_new(&idmef);
+ if ( ret < 0 )
+ return;
+
+ // generic information
+ // hl: changed submited to submitted, added ident
+ add_idmef_object(idmef, "alert.classification.text" ,"Malware submitted");
+ add_idmef_object(idmef, "alert.classification.ident", EV_SUBMISSION);
+
+ string url = "http://nepenthes.sf.net/wiki/submission/" + down->getMD5Sum();
+ add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
+ add_idmef_object(idmef, "alert.classification.reference(0).url" ,url.c_str() );
+
+
+ // file name and info
+ // hl: changed file tags because of DTD violation
+ add_idmef_object(idmef, "alert.target(0).file(0).name" ,down->getDownloadUrl()->getFile().c_str());
+ add_idmef_object(idmef, "alert.target(0).file(0).path" ,down->getUrl().c_str());
+ add_idmef_object(idmef, "alert.target(0).file(0).category" ,"current");
+ add_idmef_object(idmef, "alert.target(0).file(0).ident" ,down->getMD5Sum().c_str());
+ add_idmef_object(idmef, "alert.target(0).file(0).data_size" ,down->getDownloadBuffer()->getSize());
+
+ //hl: some debug stuff, prelude-manager doesnt write the checksums into xml
+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5");
+ //logInfo("LogPrelude DEBUG MD5 %i\n", ret);
+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).value" ,down->getMD5Sum().c_str());
+ //logInfo("LogPrelude DEBUG Hash %i\n", ret);
+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).algorithm" ,"SHA2-512");
+ //logInfo("LogPrelude DEBUG SHA %i\n", ret);
+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).value" ,down->getSHA512Sum().c_str());
+ //logInfo("LogPrelude DEBUG Hash %i\n", ret);
+
+ uint32_t addr = down->getLocalHost();
+ string address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
+
+
+
+ // infection host
+ addr = down->getRemoteHost();
+ address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
+
+
+ // download source
+ add_idmef_object(idmef, "alert.source(0).Service.port", down->getDownloadUrl()->getPort());
+
+ /* hl: previous dirty workaround -> commented
+ string protocol;
+ if (down->getDownloadUrl()->getProtocol() == "tftp" )
+ protocol = "UDP";
+ else
+ protocol = "TCP";
+
+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
+ */
+
+ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
+ // hl: not needed
+ //add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
+
+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Malware stored for further analysis");
+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"high");
+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
+
+ // time
+ idmef_time_t *time;
+ ret = idmef_time_new_from_gettimeofday(&time);
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
+ time);
+
+
+ // analyzer id
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
+ IDMEF_LIST_PREPEND);
+
+
+ prelude_client_send_idmef(m_PreludeClient, idmef);
+ idmef_message_destroy(idmef);
+
+#endif
+}
+
+
+
+/**
+ *
+ *
+ *
+ */
+void LogPrelude::handleDialogueAssignAndDone(Event *event)
+{
+ logInfo("LogPrelude EVENT EV_ASSIGN_AND_DONE\n");
+
+#ifdef HAVE_LIBPRELUDE
+
+ Dialogue *dia = ((DialogueEvent *)event)->getDialogue();
+ Socket *socket = ((DialogueEvent *)event)->getSocket();
+ idmef_message_t *idmef;
+
+ int32_t ret = idmef_message_new(&idmef);
+ if ( ret < 0 )
+ return;
+
+ string attack = "Exploit attempt: " + dia->getDialogueName();
+
+ // generic information
+ add_idmef_object(idmef, "alert.classification.text", attack.c_str());
+ // hl: added ident field
+ add_idmef_object(idmef, "alert.classification.ident", EV_DIALOGUE_ASSIGN_AND_DONE);
+
+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
+
+
+ // attacker
+ uint32_t addr = socket->getRemoteHost();
+ string address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", address.c_str());
+
+ // target
+ addr = socket->getLocalHost();
+ address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", address.c_str());
+
+// string protocol;
+// if (down->getDownloadUrl()->getProtocol() == "tftp" )
+// protocol = "UDP";
+// else
+// protocol = "TCP";
+//
+// add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
+// add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
+// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
+
+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"An exploit attempt is getting handled.");
+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"low");
+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
+
+
+ // hl: added
+ add_idmef_object(idmef, "alert.additional_data(0).type", "string");
+ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Dialogue");
+ add_idmef_object(idmef, "alert.additional_data(0).data", dia->getDialogueName().c_str());
+
+ // time
+ idmef_time_t *time;
+ ret = idmef_time_new_from_gettimeofday(&time);
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
+ time);
+
+
+ // analyzer id
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
+ IDMEF_LIST_PREPEND);
+
+
+ prelude_client_send_idmef(m_PreludeClient, idmef);
+
+
+ idmef_message_destroy(idmef);
+
+#endif
+}
+
+
+
+
+
+
+/**
+ *
+ *
+ */
+void LogPrelude::handleDownload(Event *event)
+{
+ SubmitEvent *se = (SubmitEvent *)event;
+ Download *down = se->getDownload();
+ string url = se->getDownload()->getUrl();
+
+ se->getType();
+ logInfo("LogPrelude EVENT EV_DOWNLOAD %s %s %i \n",down->getUrl().c_str(),
+ down->getMD5Sum().c_str(),
+ down->getDownloadBuffer()->getSize());
+
+#ifdef HAVE_LIBPRELUDE
+
+ idmef_message_t *idmef;
+
+ int32_t ret = idmef_message_new(&idmef);
+ if ( ret < 0 )
+ return;
+
+ // generic information
+ // hl: changed message
+ string message = "possible Malware offered: " + down->getUrl();
+
+ add_idmef_object(idmef, "alert.classification.text", message.c_str());
+ // hl: changed to ident number
+ add_idmef_object(idmef, "alert.classification.ident", EV_DOWNLOAD);
+
+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" );
+
+
+ // infection host
+ uint32_t addr = down->getRemoteHost();
+ string address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str());
+ //target host
+ addr = down->getLocalHost();
+ address = inet_ntoa(*(in_addr *)&addr);
+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str());
+
+
+ // download source
+ // hl: removed protocol, added url
+ /*
+ string protocol;
+ if (down->getDownloadUrl()->getProtocol() == "tftp" )
+ protocol = "UDP";
+ else
+ protocol = "TCP";
+ */
+ add_idmef_object(idmef, "alert.source(0).Service.port" ,down->getDownloadUrl()->getPort());
+ //add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str());
+ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str());
+// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get");
+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"Parsing the Shellcode has unrevealed a URL.");
+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium");
+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded");
+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other");
+
+ // time
+ idmef_time_t *time;
+ ret = idmef_time_new_from_gettimeofday(&time);
+ idmef_alert_set_create_time(idmef_message_get_alert(idmef),
+ time);
+
+
+ // analyzer id
+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef),
+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)),
+ IDMEF_LIST_PREPEND);
+
+
+ prelude_client_send_idmef(m_PreludeClient, idmef);
+
+
+ idmef_message_destroy(idmef);
+#endif
+
+}
+
+
+
+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
+{
+ if (version == MODULE_IFACE_VERSION) {
+ *module = new LogPrelude(nepenthes);
+ return 1;
+ } else {
+ return 0;
+ }
+}
diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.hpp
--- nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -30,7 +30,7 @@
#include "config.h"
#ifdef HAVE_LIBPRELUDE
-#include <prelude.h>
+#include <libprelude/prelude.h>
#endif
#include <string>
diff -ruN nepenthes-0.2.0/modules/log-surfnet/Makefile.am nepenthes-0.2.0-r1345/modules/log-surfnet/Makefile.am
--- nepenthes-0.2.0/modules/log-surfnet/Makefile.am 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-surfnet/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -6,7 +6,6 @@
AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -I/usr/include/postgresql -pipe -D _GNU_SOURCE
AM_CXXFLAGS = -Wall -Werror
-AM_LDFLAGS = ${LIB_POSTGRES}
pkglib_LTLIBRARIES = logsurfnet.la
diff -ruN nepenthes-0.2.0/modules/log-surfnet/log-surfnet.conf.dist nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.conf.dist
--- nepenthes-0.2.0/modules/log-surfnet/log-surfnet.conf.dist 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.conf.dist 2007-08-06 00:46:15.000000000 +0200
@@ -49,175 +49,3 @@
};
-
-/*
-
-don't forget to create these fn's in your surfnet ids database.
-
-
-CREATE PROCEDURAL LANGUAGE plpgsql;
-
-CREATE FUNCTION surfnet_attack_add(integer, inet, integer, inet, integer, macaddr, inet) RETURNS integer
- AS $_$DECLARE
- p_severity ALIAS FOR $1;
- p_attackerip ALIAS FOR $2;
- p_attackerport ALIAS FOR $3;
- p_decoyip ALIAS FOR $4;
- p_decoyport ALIAS FOR $5;
- p_hwa ALIAS FOR $6;
- p_localhost ALIAS FOR $7;
- m_attackid INTEGER;
- m_sensorid INTEGER;
-BEGIN
-
- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost);
- SELECT INTO m_attackid surfnet_attack_add_by_id(p_severity,
- p_attackerip, p_attackerport, p_decoyip,
- p_decoyport, p_hwa, m_sensorid);
-
- return m_attackid;
-END$_$
- LANGUAGE plpgsql;
-
-
-CREATE FUNCTION surfnet_attack_add_by_id(integer, inet, integer, inet, integer, macaddr, integer) RETURNS integer
- AS $_$DECLARE
- p_severity ALIAS FOR $1;
- p_attackerip ALIAS FOR $2;
- p_attackerport ALIAS FOR $3;
- p_decoyip ALIAS FOR $4;
- p_decoyport ALIAS FOR $5;
- p_hwa ALIAS FOR $6;
- p_sensorid ALIAS FOR $7;
- m_attackid INTEGER;
-BEGIN
- INSERT INTO attacks
- (severity,
- timestamp,
- dest,
- dport,
- source,
- sport,
- sensorid,
- src_mac)
- VALUES
- (p_severity,
- extract(epoch from current_timestamp(0))::integer,
- p_attackerip,
- p_attackerport,
- p_decoyip,
- p_decoyport,
- p_sensorid,
- p_hwa);
-
- SELECT INTO m_attackid currval('attacks_id_seq');
- return m_attackid;
-END$_$
- LANGUAGE plpgsql;
-
-
-
-CREATE FUNCTION surfnet_attack_update_severity(integer, integer) RETURNS void
- AS $_$DECLARE
- p_attackid ALIAS FOR $1;
- p_severity ALIAS FOR $2;
-BEGIN
- UPDATE attacks SET severity = p_severity WHERE id = p_attackid;
- return;
-END;$_$
- LANGUAGE plpgsql;
-
-
-CREATE FUNCTION surfnet_detail_add(integer, inet, integer, character varying) RETURNS void
- AS $_$DECLARE
- p_attackid ALIAS FOR $1;
- p_localhost ALIAS FOR $2;
- p_type ALIAS FOR $3;
- p_data ALIAS FOR $4;
-
- m_sensorid INTEGER;
-BEGIN
- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost);
-
- INSERT INTO details
- (attackid,sensorid,type,text)
- VALUES
- (p_attackid,m_sensorid,p_type,p_data);
-END$_$
- LANGUAGE plpgsql;
-
-
-CREATE FUNCTION surfnet_detail_add_by_id(integer, integer, integer, character varying) RETURNS void
- AS $_$DECLARE
- p_attackid ALIAS FOR $1;
- m_sensorid ALIAS FOR $2;
- p_type ALIAS FOR $3;
- p_data ALIAS FOR $4;
-BEGIN
- INSERT INTO details
- (attackid,sensorid,type,text)
- VALUES
- (p_attackid,m_sensorid,p_type,p_data);
-END$_$
- LANGUAGE plpgsql;
-
-
-CREATE FUNCTION surfnet_detail_add_download(inet, inet, character varying, character varying) RETURNS void
- AS $_$DECLARE
- p_remotehost ALIAS FOR $1;
- p_localhost ALIAS FOR $2;
- p_url ALIAS FOR $3;
- p_hash ALIAS FOR $4;
-
- m_sensorid INTEGER;
- m_attackid INTEGER;
-BEGIN
- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost);
- SELECT INTO m_attackid surfnet_attack_add_by_id(32,p_remotehost, 0,
- p_localhost, 0,
- NULL,m_sensorid);
-
- PERFORM surfnet_detail_add_by_id(m_attackid,
- m_sensorid,4,p_url);
- PERFORM surfnet_detail_add_by_id(m_attackid,
- m_sensorid,8,p_hash);
-
- return;
-END; $_$
- LANGUAGE plpgsql;
-
-
-CREATE FUNCTION surfnet_detail_add_offer(inet, inet, character varying) RETURNS void
- AS $_$DECLARE
- p_remotehost ALIAS FOR $1;
- p_localhost ALIAS FOR $2;
- p_url ALIAS FOR $3;
-
- m_sensorid INTEGER;
- m_attackid INTEGER;
-BEGIN
- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost);
- SELECT INTO m_attackid surfnet_attack_add_by_id(16,p_remotehost, 0,
- p_localhost, 0,
- NULL,m_sensorid);
-
- PERFORM surfnet_detail_add_by_id(m_attackid,
- m_sensorid,4,p_url);
- return;
-END; $_$
- LANGUAGE plpgsql;
-
-
-CREATE FUNCTION surfnet_sensorid_get(inet) RETURNS integer
- AS $_$DECLARE
- p_localhost ALIAS FOR $1;
- m_sensorid INTEGER;
-BEGIN
- SELECT INTO m_sensorid id FROM sensors WHERE tapip = p_localhost;
- return m_sensorid;
-END
-$_$
- LANGUAGE plpgsql;
-
-
-*/
diff -ruN nepenthes-0.2.0/modules/log-surfnet/log-surfnet.cpp nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.cpp
--- nepenthes-0.2.0/modules/log-surfnet/log-surfnet.cpp 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -76,7 +76,7 @@
m_attackID = 0;
m_closed = false;
- m_severity = 0;
+ m_severity = -1;
}
@@ -471,7 +471,13 @@
(uint32_t) ((intptr_t)socket),
attackid);
- m_SocketTracker[(uintptr_t) socket].m_closed = true;
+ if (m_SocketTracker[(uintptr_t) socket].m_Details.size() > 0)
+ {
+ m_SocketTracker[(uintptr_t) socket].m_closed = true;
+ }else
+ {
+ m_SocketTracker.erase((uintptr_t)socket);
+ }
}
void LogSurfNET::handleDialogueAssignAndDone(Socket *socket, Dialogue *dia, uint32_t attackid)
@@ -649,6 +655,19 @@
m_SocketTracker[(uintptr_t)s].m_Details.pop_front();
}
+ if (m_SocketTracker[(uintptr_t)s].m_severity != -1)
+ {
+ string query;
+
+ query = "SELECT surfnet_attack_update_severity('";
+ query += itos(m_SocketTracker[(uintptr_t)s].m_attackID);
+ query += "','";
+ query += itos(m_SocketTracker[(uintptr_t)s].m_severity);
+ query += "');";
+
+ m_SQLHandler->addQuery(&query,NULL,NULL);
+ }
+
if (m_SocketTracker[(uintptr_t)s].m_closed == true)
{
m_SocketTracker.erase((uintptr_t)s);
@@ -660,6 +679,11 @@
bool LogSurfNET::sqlFailure(SQLResult *result)
{
logPF();
+
+ Socket *s;
+ s = (Socket *)result->getObject();
+ logCrit("Getting attackid for socket %x failed, dropping the whole attack, forgetting all details\n",(uintptr_t)s);
+ m_SocketTracker.erase((uintptr_t)s);
return true;
}
diff -ruN nepenthes-0.2.0/modules/module-honeytrap/Makefile.am nepenthes-0.2.0-r1345/modules/module-honeytrap/Makefile.am
--- nepenthes-0.2.0/modules/module-honeytrap/Makefile.am 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/module-honeytrap/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -15,4 +15,4 @@
modulehoneytrap_la_SOURCES += TrapSocket.cpp TrapSocket.hpp
modulehoneytrap_la_SOURCES += module-honeytrap.conf.dist
-modulehoneytrap_la_LDFLAGS = -module -no-undefined -avoid-version
+modulehoneytrap_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/module-honeytrap/TrapSocket.cpp nepenthes-0.2.0-r1345/modules/module-honeytrap/TrapSocket.cpp
--- nepenthes-0.2.0/modules/module-honeytrap/TrapSocket.cpp 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/module-honeytrap/TrapSocket.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -782,11 +782,18 @@
{
printIPpacket(data,size);
+ uint16_t port;
+
+ if ( tcp->th_flags & TH_SYN && !(tcp->th_flags & TH_ACK) )
+ port = ntohs(tcp->th_dport); // inline mode
+ else
+ port = ntohs(tcp->th_sport); // pcap mode
+
if (1)// isPortListening(ntohs(tcp->th_dport),*(uint32_t *)&(ip->ip_dst)) == false )
{
- logInfo("Connection to unbound port %i requested, binding port\n",ntohs(tcp->th_dport));
+ logInfo("Connection to unbound port %i requested, binding port\n",port);
- Socket *sock = g_Nepenthes->getSocketMgr()->bindTCPSocket(INADDR_ANY,ntohs(tcp->th_dport),60,60);
+ Socket *sock = g_Nepenthes->getSocketMgr()->bindTCPSocket(INADDR_ANY,port,60,60);
if ( sock != NULL && (sock->getDialogst()->size() == 0 && sock->getFactories()->size() == 0) )
{
diff -ruN nepenthes-0.2.0/modules/module-peiros/module-peiros.cpp nepenthes-0.2.0-r1345/modules/module-peiros/module-peiros.cpp
--- nepenthes-0.2.0/modules/module-peiros/module-peiros.cpp 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/module-peiros/module-peiros.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -29,6 +29,7 @@
#include <ctype.h>
#include <string.h>
+#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
diff -ruN nepenthes-0.2.0/modules/module-portwatch/WatchDialogue.cpp nepenthes-0.2.0-r1345/modules/module-portwatch/WatchDialogue.cpp
--- nepenthes-0.2.0/modules/module-portwatch/WatchDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/module-portwatch/WatchDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -47,6 +47,9 @@
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
+
#ifdef STDTAGS
#undef STDTAGS
#endif
@@ -77,7 +80,7 @@
WatchDialogue::~WatchDialogue()
{
logWarn("Unknown WatchDialogue %i bytes, port %i\n",m_Buffer->getSize(), m_Socket->getLocalPort());
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
delete m_Buffer;
}
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/Makefile.am nepenthes-0.2.0-r1345/modules/shellcode-generic/Makefile.am
--- nepenthes-0.2.0/modules/shellcode-generic/Makefile.am 2006-11-13 20:40:07.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -32,4 +32,4 @@
shellcodegeneric_la_SOURCES += sch_generic_leimbach_url_xor.cpp sch_generic_leimbach_url_xor.hpp
shellcodegeneric_la_SOURCES += sch_generic_wget.cpp sch_generic_wget.hpp
-shellcodegeneric_la_LDFLAGS = -module -no-undefined -avoid-version
+shellcodegeneric_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_cmd.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_cmd.cpp
--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_cmd.cpp 2006-11-13 20:40:07.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_cmd.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -95,7 +95,7 @@
if((iResult = pcre_exec(m_pcre, 0, (char *) shellcode, len, 0, 0, (int *)piOutput, sizeof(piOutput)/sizeof(int32_t))) > 0)
{
// logDebug("GenricCMD (improve pcre debug) (%i bytes)\n",(*msg)->getSize());
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)(*msg)->getMsg(),(*msg)->getSize());
+// HEXDUMP(m_Socket,(byte *)(*msg)->getMsg(),(*msg)->getSize());
const char * pRemoteCommand;
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp
--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp 2006-11-13 20:40:07.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -203,7 +203,7 @@
pcre_free_substring(preload);
pcre_free_substring(xordecoder);
- g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len);
+// g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len);
Message *newMessage = new Message((char *)newshellcode, len, (*msg)->getLocalPort(), (*msg)->getRemotePort(),
(*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket());
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_url.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_url.cpp
--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_url.cpp 2006-11-13 20:40:07.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_url.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -119,7 +119,7 @@
if((iResult = pcre_exec(m_pcre, 0, (char *) shellcode, len, 0, 0, (int *)piOutput, sizeof(piOutput)/sizeof(int32_t))) > 0)
{
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,shellcode,len);
+// HEXDUMP(m_Socket,shellcode,len);
const char * pUrl;
pcre_get_substring((char *) shellcode, (int *)piOutput, (int)iResult, 1, &pUrl);
diff -ruN nepenthes-0.2.0/modules/shellcode-signatures/Makefile.am nepenthes-0.2.0-r1345/modules/shellcode-signatures/Makefile.am
--- nepenthes-0.2.0/modules/shellcode-signatures/Makefile.am 2006-11-13 20:40:04.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-signatures/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -33,5 +33,5 @@
shellcodesignatures_la_SOURCES += sch_namespace_konstanzxor.cpp sch_namespace_konstanzxor.hpp
shellcodesignatures_la_SOURCES += sch_namespace_alphanumericxor.cpp sch_namespace_alphanumericxor.hpp
-shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version
+shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/shellcode-signatures/shellcode-signatures.sc nepenthes-0.2.0-r1345/modules/shellcode-signatures/shellcode-signatures.sc
--- nepenthes-0.2.0/modules/shellcode-signatures/shellcode-signatures.sc 2006-11-13 20:40:04.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-signatures/shellcode-signatures.sc 2007-08-06 00:46:15.000000000 +0200
@@ -178,6 +178,13 @@
mapping (none,pre,decoder,size,key,post);
};
+xor::marburganderlahn
+{
+ pattern
+ "(.*)(\\xEB\\x0E\\x5A\\x4A\\x31\\xC9\\xB1(.)\\x80\\x34\\x11(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xED\xFF\xFF\xFF)(.*)$";
+ mapping (none,pre,decoder,size,key,post);
+};
+
/*
* too inaccurate
*
@@ -944,8 +951,8 @@
pattern
"\\xeb\\x02\\xeb\\x6b"
"\\xe8\\xf9\\xff\\xff\\xff\\x53\\x55\\x56\\x57\\x8b\\x6c\\x24\\x18\\x8b\\x45\\x3c"
- "\\x8b\\x54\\x05\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32"
- "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac\\x3a\\xc4\\x74\\x07"
+ "\\x8b\\x54.\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32"
+ "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac..\\x74\\x07"
"\\xc1\\xcf\\x0d\\x03\\xf8\\xeb\\xf2\\x3b\\x7c\\x24\\x14\\x75\\xe1\\x8b\\x5a\\x24"
"\\x03\\xdd\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x03\\xdd\\x8b\\x04\\x8b\\x03\\xc5"
"\\xeb\\x02\\x33\\xc0\\x5f\\x5e\\x5d\\x5b\\x89\\x44\\x24\\x04\\x8b\\x04\\x24\\x89"
diff -ruN nepenthes-0.2.0/modules/shellemu-winnt/VFSCommandFTP.cpp nepenthes-0.2.0-r1345/modules/shellemu-winnt/VFSCommandFTP.cpp
--- nepenthes-0.2.0/modules/shellemu-winnt/VFSCommandFTP.cpp 2006-11-13 20:40:06.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellemu-winnt/VFSCommandFTP.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -425,7 +425,6 @@
logSpam("VFSCommandFTP Setting Hosts %i %i\n",remotehost,localhost);
remotehost = m_VFS->getDialogue()->getSocket()->getRemoteHost();
localhost = m_VFS->getDialogue()->getSocket()->getLocalHost();
-
}
logSpam("VFSCommandFTP LocalHost %s\n",inet_ntoa(*(in_addr *)&localhost));
diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/Makefile.am nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/Makefile.am
--- nepenthes-0.2.0/modules/sqlhandler-postgres/Makefile.am 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -12,4 +12,4 @@
sqlhandlerpostgres_la_SOURCES = sqlhandler-postgres.cpp sqlhandler-postgres.hpp
-sqlhandlerpostgres_la_LDFLAGS = -module -no-undefined -avoid-version
+sqlhandlerpostgres_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.cpp nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.cpp
--- nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.cpp 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -145,6 +145,7 @@
m_PGTable = table;
m_PGUser = user;
m_PGPass = passwd;
+ m_PGOptions = options;
m_Callback = cb;
}
@@ -760,6 +761,10 @@
"' user = '" + m_PGUser +
"' password = '" + m_PGPass +"'";
+ if ( m_PGOptions.size() > 0 )
+ ConnectString += m_PGOptions;
+
+
if (m_PGConnection != NULL)
PQfinish(m_PGConnection);
else
diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.hpp nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.hpp
--- nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.hpp 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -141,6 +141,7 @@
string m_PGTable;
string m_PGUser;
string m_PGPass;
+ string m_PGOptions;
};
diff -ruN nepenthes-0.2.0/modules/submit-gotek/gotekCTRLDialogue.cpp nepenthes-0.2.0-r1345/modules/submit-gotek/gotekCTRLDialogue.cpp
--- nepenthes-0.2.0/modules/submit-gotek/gotekCTRLDialogue.cpp 2006-11-13 20:40:11.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-gotek/gotekCTRLDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -112,7 +112,7 @@
unsigned char sessionkey[8];
memcpy((char *)sessionkey,(char *)m_Buffer->getData(),8);
- g_Nepenthes->getUtilities()->hexdump(sessionkey,8);
+// g_Nepenthes->getUtilities()->hexdump(sessionkey,8);
@@ -128,13 +128,13 @@
byte hashme[1032];
memset(hashme,0,1032);
- g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
+// g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
memcpy(hashme,g_GotekSubmitHandler->getCommunityKey(),1024);
memcpy(hashme+1024,sessionkey,8);
- g_Nepenthes->getUtilities()->hexdump(hashme, 1032);
+// g_Nepenthes->getUtilities()->hexdump(hashme, 1032);
g_Nepenthes->getUtilities()->sha512(hashme, 1032, hash);
- g_Nepenthes->getUtilities()->hexdump(hash,64);
+// g_Nepenthes->getUtilities()->hexdump(hash,64);
m_Socket->doRespond((char *)hash,64);
diff -ruN nepenthes-0.2.0/modules/submit-gotek/gotekDATADialogue.cpp nepenthes-0.2.0-r1345/modules/submit-gotek/gotekDATADialogue.cpp
--- nepenthes-0.2.0/modules/submit-gotek/gotekDATADialogue.cpp 2006-11-13 20:40:11.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-gotek/gotekDATADialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -173,7 +173,7 @@
byte hashme[1032];
memset(hashme,0,1032);
- g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
+// g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
memcpy(hashme,g_GotekSubmitHandler->getCommunityKey(),1024);
memcpy(hashme+1024,&sessionkey,8);
g_Nepenthes->getUtilities()->sha512(hashme, 1032, hash);
diff -ruN nepenthes-0.2.0/modules/submit-http/HTTPSession.cpp nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.cpp
--- nepenthes-0.2.0/modules/submit-http/HTTPSession.cpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,187 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2006 Niklas Schiffler <nick@digitician.eu>
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+
+#include <curl/curl.h>
+#include <curl/types.h> /* new for v7 */
+#include <curl/easy.h> /* new for v7 */
+#include <sstream>
+#include <netinet/in.h>
+
+#include "HTTPSession.hpp"
+#include "submit-http.hpp"
+#include "DownloadBuffer.hpp"
+#include "DownloadUrl.hpp"
+
+using namespace nepenthes;
+
+HTTPSession::HTTPSession(string &url, string &email, string &user, string &password, Download* down)
+{
+ state = S_ERROR;
+ postInfo = NULL;
+ postFile = NULL;
+ curlInfoHandle = NULL;
+ curlFileHandle = NULL;
+
+ submitURL = url;
+
+ if ( user.length() > 0 && password.length() > 0 )
+ submitAuthStr = user + ":" + password;
+
+ md5 = down->getMD5Sum();
+ sha512 = down->getSHA512Sum();
+ fileSize = down->getDownloadBuffer()->getSize();
+ fileName = down->getDownloadUrl()->getFile();
+ fileSourceURL = down->getUrl();
+
+ fileBuffer = new uint8_t[fileSize];
+ fileBuffer = (uint8_t*)memcpy(fileBuffer, down->getDownloadBuffer()->getData(), fileSize);
+
+ curlInfoHandle = curl_easy_init();
+ if ( curlInfoHandle )
+ {
+ struct curl_httppost* last = NULL;
+
+ if ( email.length() > 0 )
+ curl_formadd(&postInfo, &last, CURLFORM_COPYNAME, "email", CURLFORM_COPYCONTENTS, email.c_str(), CURLFORM_END);
+
+ stringstream sSourceHost; sSourceHost << htonl(down->getRemoteHost());
+ stringstream sTargetHost; sTargetHost << htonl(down->getLocalHost());
+
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "url", CURLFORM_COPYCONTENTS, fileSourceURL.c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "trigger", CURLFORM_COPYCONTENTS, down->getTriggerLine().c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "md5", CURLFORM_COPYCONTENTS, md5.c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "sha512", CURLFORM_COPYCONTENTS, sha512.c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "filetype", CURLFORM_COPYCONTENTS, down->getFileType().c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "source_host", CURLFORM_COPYCONTENTS, sSourceHost.str().c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "target_host", CURLFORM_COPYCONTENTS, sTargetHost.str().c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "filename", CURLFORM_COPYCONTENTS, down->getDownloadUrl()->getFile().c_str(), CURLFORM_END);
+
+ setCURLOpts(curlInfoHandle, postInfo);
+ }
+}
+
+HTTPSession::~HTTPSession()
+{
+ delete [] fileBuffer;
+ curl_formfree(postInfo);
+ if ( postFile )
+ curl_formfree(postFile);
+ curl_easy_cleanup(curlInfoHandle);
+ if ( curlFileHandle )
+ curl_easy_cleanup(curlFileHandle);
+}
+
+CURL* HTTPSession::getSubmitInfoHandle()
+{
+ return curlInfoHandle;
+}
+
+CURL* HTTPSession::getSubmitFileHandle()
+{
+ curlFileHandle = curl_easy_init();
+ if ( curlFileHandle )
+ {
+ postFile = NULL;
+ struct curl_httppost* last = NULL;
+
+ curl_formadd(&postFile, &last, CURLFORM_PTRNAME, "md5", CURLFORM_COPYCONTENTS, md5.c_str(), CURLFORM_END);
+ curl_formadd(&postFile, &last, CURLFORM_PTRNAME, "sha512", CURLFORM_COPYCONTENTS, sha512.c_str(), CURLFORM_END);
+
+ curl_formadd(&postFile, &last,
+ CURLFORM_COPYNAME, "file",
+ CURLFORM_BUFFER, fileName.c_str(),
+ CURLFORM_BUFFERPTR, fileBuffer,
+ CURLFORM_BUFFERLENGTH, fileSize,
+ CURLFORM_END);
+
+ setCURLOpts(curlFileHandle, postFile);
+ }
+ return curlFileHandle;
+}
+
+string HTTPSession::getMD5()
+{
+ return md5;
+}
+
+string HTTPSession::getSHA512()
+{
+ return sha512;
+}
+
+void HTTPSession::setCURLOpts(CURL* c, curl_httppost* post)
+{
+ curl_easy_setopt(c, CURLOPT_HTTPPOST, post);
+ curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, false);
+ curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, false);
+ curl_easy_setopt(c, CURLOPT_URL, submitURL.c_str());
+ curl_easy_setopt(c, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; nepenthes; Linux)");
+ curl_easy_setopt(c, CURLOPT_PRIVATE, (char*) this);
+ curl_easy_setopt(c, CURLOPT_WRITEDATA, this);
+ curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, HTTPSession::WriteCallback);
+
+ if ( submitAuthStr.length() > 0 )
+ curl_easy_setopt(c, CURLOPT_USERPWD, submitAuthStr.c_str());
+}
+
+size_t HTTPSession::WriteCallback(char *buffer, size_t size, size_t nitems, void *p)
+{
+ HTTPSession* s = (HTTPSession*)p;
+ int32_t iSize = size * nitems;
+
+ string res(buffer, iSize);
+ if ( res.find("S_FILEREQUEST") != string::npos )
+ s->setState(S_FILEREQUEST);
+ else
+ if ( res.find("S_FILEKNOWN") != string::npos )
+ s->setState(S_FILEKNOWN);
+ else
+ if ( res.find("S_FILEOK") != string::npos )
+ s->setState(S_FILEOK);
+ else
+ s->setState(S_ERROR);
+
+// delete(strBuf);
+ return iSize;
+}
+
+uint8_t HTTPSession::getState()
+{
+ return state;
+}
+
+void HTTPSession::setState(uint8_t s)
+{
+ this->state = s;
+}
+
+string HTTPSession::getFileSourceURL()
+{
+ return fileSourceURL;
+}
diff -ruN nepenthes-0.2.0/modules/submit-http/HTTPSession.hpp nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.hpp
--- nepenthes-0.2.0/modules/submit-http/HTTPSession.hpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,82 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2006 Niklas Schiffler <nick@digitician.eu>
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+ /* $Id$ */
+
+#include <curl/curl.h>
+#include <curl/types.h>
+
+#include "Download.hpp"
+
+using namespace std;
+
+namespace nepenthes
+{
+
+
+ class HTTPSession
+ {
+ public:
+ static const uint8_t S_FILEKNOWN = 0;
+ static const uint8_t S_FILEREQUEST = 1;
+ static const uint8_t S_FILEOK = 2;
+ static const uint8_t S_FILEPENDING = 3;
+ static const uint8_t S_ERROR = 4;
+
+ HTTPSession(string &url, string &email, string &user, string &password, Download* down);
+ ~HTTPSession();
+ CURL* getSubmitInfoHandle();
+ CURL* getSubmitFileHandle();
+ string getMD5();
+ string getSHA512();
+ void setCURLOpts(CURL* c, curl_httppost* post);
+ uint8_t getState();
+ void setState(uint8_t s);
+ string getFileSourceURL();
+
+ static size_t WriteCallback(char *buffer, size_t size, size_t nitems, void *userp);
+
+ protected:
+ CURL* curlInfoHandle;
+ CURL* curlFileHandle;
+ uint8_t* fileBuffer;
+ size_t fileSize;
+ struct curl_httppost* postInfo;
+ struct curl_httppost* postFile;
+ string fileName;
+ string fileSourceURL;
+ string md5;
+ string sha512;
+ string submitURL;
+ string submitAuthStr;
+ uint8_t state;
+
+ };
+
+}
+
diff -ruN nepenthes-0.2.0/modules/submit-http/Makefile.am nepenthes-0.2.0-r1345/modules/submit-http/Makefile.am
--- nepenthes-0.2.0/modules/submit-http/Makefile.am 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-http/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,14 @@
+AUTOMAKE_OPTIONS = foreign
+
+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
+AM_CXXFLAGS = -Wall -Werror
+
+AM_LDFLAGS = $(LIB_CURL)
+
+pkglib_LTLIBRARIES = submithttp.la
+
+submithttp_la_SOURCES = submit-http.cpp submit-http.hpp
+submithttp_la_SOURCES += HTTPSession.hpp HTTPSession.cpp
+submithttp_la_SOURCES += submit-http.conf.dist
+
+submithttp_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.conf.dist nepenthes-0.2.0-r1345/modules/submit-http/submit-http.conf.dist
--- nepenthes-0.2.0/modules/submit-http/submit-http.conf.dist 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.conf.dist 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,8 @@
+submit-http
+{
+ url "http://somehost.de/submit.php";
+ email "your@email"; // optional
+ user "httpuser"; // optional
+ pass "httppass"; // optional
+};
+
diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.cpp nepenthes-0.2.0-r1345/modules/submit-http/submit-http.cpp
--- nepenthes-0.2.0/modules/submit-http/submit-http.cpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,231 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2006 Niklas Schiffler <nick@digitician.eu>
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+ /* $Id$ */
+
+#include "submit-http.hpp"
+#include "Download.hpp"
+#include "Utilities.hpp"
+#include "SubmitManager.hpp"
+#include "LogManager.hpp"
+#include "Event.hpp"
+#include "EventManager.hpp"
+#include "EventHandler.cpp" // das ist Mist!
+#include "Config.hpp"
+#include "ModuleManager.hpp"
+
+#include "HTTPSession.hpp"
+
+using namespace nepenthes;
+
+
+Nepenthes *g_Nepenthes;
+
+
+HTTPSubmitHandler::HTTPSubmitHandler(Nepenthes *nepenthes)
+{
+ m_ModuleName = "submit-http";
+ m_ModuleDescription = "HTTP submit handler";
+ m_ModuleRevision = "$Rev$";
+ m_Nepenthes = nepenthes;
+ m_SubmitterName = "submit-http";
+ m_SubmitterDescription = "submit binary file via HTTP POST request";
+ g_Nepenthes = nepenthes;
+
+ m_Queued = 0;
+ m_Timeout = time(NULL);
+ m_Events.reset();
+}
+
+
+HTTPSubmitHandler::~HTTPSubmitHandler()
+{
+}
+
+bool HTTPSubmitHandler::Init()
+{
+ logPF();
+
+ if ( m_Config == NULL )
+ {
+ logCrit("I need a config\n");
+ return false;
+ }
+
+ try
+ {
+ m_URL = m_Config->getValString("submit-http.url");
+ }
+ catch ( ... )
+ {
+ logCrit("Error: Config property \"url\" missing\n");
+ return false;
+ }
+
+ try
+ {
+ m_Email = m_Config->getValString("submit-http.email");
+ m_User = m_Config->getValString("submit-http.user");
+ m_Password = m_Config->getValString("submit-http.pass");
+ }
+ catch ( ... )
+ {
+ }
+
+ m_ModuleManager = m_Nepenthes->getModuleMgr();
+
+ if ( (m_CurlStack = curl_multi_init()) == NULL )
+ {
+ logCrit("Could not init Curl Multi Perform Stack %s\n",strerror(errno));
+ return false;
+ }
+
+ REG_SUBMIT_HANDLER(this);
+ REG_EVENT_HANDLER(this);
+ return true;
+}
+
+bool HTTPSubmitHandler::Exit()
+{
+ curl_multi_cleanup(m_CurlStack);
+ return true;
+}
+
+
+void HTTPSubmitHandler::Submit(Download *down)
+{
+ logPF();
+
+ if ( m_Events.test(EV_TIMEOUT) == false )
+ m_Events.set(EV_TIMEOUT);
+
+ HTTPSession* session = new HTTPSession(m_URL, m_Email, m_User, m_Password, down);
+ curl_multi_add_handle(m_CurlStack, session->getSubmitInfoHandle());
+ m_Queued++;
+}
+
+void HTTPSubmitHandler::Hit(Download *down)
+{
+ Submit(down);
+}
+
+
+uint32_t HTTPSubmitHandler::handleEvent(Event *event)
+{
+ logPF();
+ if ( event->getType() != EV_TIMEOUT )
+ {
+ logCrit("Unwanted event %i\n",event->getType());
+ return 1;
+ }
+
+ // do file info submits
+ int32_t iQueue = 0;
+ while ( curl_multi_perform(m_CurlStack, (int *)&iQueue) == CURLM_CALL_MULTI_PERFORM );
+
+ if ( m_Queued > iQueue )
+ {
+ logSpam("m_Queued (%i) > (%i) iQueue\n", m_Queued, iQueue);
+ CURLMsg * pMessage;
+
+ while ( (pMessage = curl_multi_info_read(m_CurlStack, (int *)&iQueue)) )
+ {
+ if ( pMessage->msg == CURLMSG_DONE )
+ {
+ HTTPSession *session;
+ char *cSession;
+
+ curl_easy_getinfo(pMessage->easy_handle, CURLINFO_PRIVATE, (char**)&cSession);
+ session = (HTTPSession *)cSession;
+
+ uint8_t sessionState = session->getState();
+
+ if ( sessionState == HTTPSession::S_FILEKNOWN || sessionState == HTTPSession::S_FILEREQUEST )
+ {
+ if ( pMessage->data.result )
+ {
+ logInfo("Error: Submitting file info (%s, %s) failed: %s\n", session->getMD5().c_str(), session->getFileSourceURL().c_str(), curl_easy_strerror(pMessage->data.result));
+ delete session;
+ curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle);
+ --m_Queued;
+ continue;
+ }
+ logInfo("File info submitted (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str());
+ }
+
+ switch ( sessionState )
+ {
+ case HTTPSession::S_FILEKNOWN:
+ logInfo("File already known (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str());
+ break;
+ case HTTPSession::S_FILEREQUEST:
+ logInfo("File upload requested (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str());
+ session->setState(HTTPSession::S_FILEPENDING);
+ curl_multi_add_handle(m_CurlStack, session->getSubmitFileHandle());
+ break;
+ case HTTPSession::S_FILEOK:
+ logInfo("File uploaded (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str());
+ break;
+ case HTTPSession::S_ERROR:
+ logInfo("Error handling file (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str());
+ break;
+ }
+
+ curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle);
+
+ if ( sessionState == HTTPSession::S_FILEKNOWN ||
+ sessionState == HTTPSession::S_FILEOK ||
+ sessionState == HTTPSession::S_ERROR )
+ {
+ delete session;
+ --m_Queued;
+ }
+ }
+ }
+ }
+
+ if ( m_Queued == 0 )
+ m_Events.reset(EV_TIMEOUT);
+
+ m_Timeout = time(NULL) + 1;
+ return 0;
+}
+
+
+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
+{
+ if ( version == MODULE_IFACE_VERSION )
+ {
+ *module = new HTTPSubmitHandler(nepenthes);
+ return 1;
+ }
+ else
+ {
+ return 0;
+ }
+}
diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.hpp nepenthes-0.2.0-r1345/modules/submit-http/submit-http.hpp
--- nepenthes-0.2.0/modules/submit-http/submit-http.hpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,72 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2006 Niklas Schiffler <nick@digitician.eu>
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+ /* $Id$ */
+
+#include <curl/curl.h>
+#include <curl/types.h> /* new for v7 */
+#include <curl/easy.h> /* new for v7 */
+
+#include "Nepenthes.hpp"
+#include "Module.hpp"
+#include "SubmitHandler.hpp"
+#include "EventHandler.hpp"
+#include "Download.hpp"
+
+
+using namespace std;
+
+namespace nepenthes
+{
+
+ class HTTPSubmitHandler : public Module , public SubmitHandler, public EventHandler
+ {
+ public:
+ HTTPSubmitHandler(Nepenthes *nep);
+ ~HTTPSubmitHandler();
+ bool Init();
+ bool Exit();
+
+ void Submit(Download *down);
+ void Hit(Download *down);
+
+ uint32_t handleEvent(Event *event);
+
+ protected:
+ CURLM* m_CurlStack;
+ int32_t m_Queued;
+ string m_URL;
+ string m_Email;
+ string m_User;
+ string m_Password;
+
+ };
+
+}
+
+extern nepenthes::Nepenthes *g_Nepenthes;
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/Makefile.am nepenthes-0.2.0-r1345/modules/submit-mwserv/Makefile.am
--- nepenthes-0.2.0/modules/submit-mwserv/Makefile.am 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,19 @@
+# nepenthes module Makefile
+# Paul Baecher, Maximillian Dornseif, Markus Koetter
+# $Id: Makefile.am 718 2006-12-28 23:29:59Z common $
+
+AUTOMAKE_OPTIONS = foreign
+
+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
+AM_CXXFLAGS = -Wall -Werror
+
+AM_LDFLAGS = $(LIB_CURL)
+
+pkglib_LTLIBRARIES = submitmwserv.la
+
+submitmwserv_la_SOURCES = submit-mwserv.cpp submit-mwserv.hpp
+submitmwserv_la_SOURCES += TransferSession.cpp TransferSession.hpp
+submitmwserv_la_SOURCES += submit-mwserv.conf.dist
+
+submitmwserv_la_CXXFLAGS = -fno-strict-aliasing
+submitmwserv_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/TransferSession.cpp nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.cpp
--- nepenthes-0.2.0/modules/submit-mwserv/TransferSession.cpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,402 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2007 Georg Wicherski <gw@mwcollect.org>
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+#include "submit-mwserv.hpp"
+
+#include "LogManager.hpp"
+#include "EventManager.hpp"
+
+#include "POLLSocket.cpp"
+#include "Socket.cpp"
+
+
+
+#if defined(__GNUG__)
+ #define MY_COMPILER "g++"
+#elif defined(__CYGWIN__)
+ #define MY_COMPILER "cygwin"
+#else
+ #define MY_COMPILER "unknown Compiler"
+#endif
+
+#if defined(__FreeBSD__)
+# define MY_OS "FreeBSD"
+#elif defined(linux) || defined (__linux)
+# define MY_OS "Linux"
+#elif defined (__MACOSX__) || defined (__APPLE__)
+# define MY_OS "Mac OS X"
+#elif defined(__NetBSD__)
+# define MY_OS "NetBSD"
+#elif defined(__OpenBSD__)
+# define MY_OS "OpenBSD"
+#elif defined(_WIN32) || defined(__WIN32__) || defined(__TOS_WIN__)
+# define MY_OS "Windows"
+#elif defined(CYGWIN)
+# define MY_OS "Cygwin\Windows"
+#else
+# define MY_OS "Unknown OS"
+#endif
+
+#if defined(__alpha__) || defined(__alpha) || defined(_M_ALPHA)
+# define MY_ARCH "Alpha"
+#elif defined(__arm__)
+# if defined(__ARMEB__)
+# define MY_ARCH "ARMeb"
+# else
+# define MY_ARCH "ARM"
+# endif
+#elif defined(i386) || defined(__i386__) || defined(__i386) || defined(_M_IX86) || defined(_X86_) || defined(__THW_INTEL)
+# define MY_ARCH "x86"
+#elif defined(__x86_64__) || defined(__amd64__)
+# define MY_ARCH "x86_64"
+#elif defined(__ia64__) || defined(_IA64) || defined(__IA64__) || defined(_M_IA64)
+# define MY_ARCH "Intel Architecture-64"
+#elif defined(__mips__) || defined(__mips) || defined(__MIPS__)
+# if defined(__mips32__) || defined(__mips32)
+# define MY_ARCH "MIPS32"
+# else
+# define MY_ARCH "MIPS"
+# endif
+#elif defined(__hppa__) || defined(__hppa)
+# define MY_ARCH "PA RISC"
+#elif defined(__powerpc) || defined(__powerpc__) || defined(__POWERPC__) || defined(__ppc__) || defined(_M_PPC) || defined(__PPC) || defined(__PPC__)
+# define MY_ARCH "PowerPC"
+#elif defined(__THW_RS6000) || defined(_IBMR2) || defined(_POWER) || defined(_ARCH_PWR) || defined(_ARCH_PWR2)
+# define MY_ARCH "RS/6000"
+#elif defined(__sparc__) || defined(sparc) || defined(__sparc)
+# define MY_ARCH "SPARC"
+#else
+# define MY_ARCH "Unknown Architecture"
+#endif
+
+
+
+namespace nepenthes
+{
+
+
+TransferSession::TransferSession(Type type, SubmitMwservModule * parent)
+{
+ m_type = type;
+ m_parent = parent;
+
+ m_sample.binary = 0;
+ m_multiHandle = 0;
+ m_postInfo = m_postInfoLast = 0;
+ m_curlHandle = 0;
+
+ m_Type |= ST_NODEL;
+}
+
+void TransferSession::transfer(TransferSample& sample, string url)
+{
+ m_sample = sample;
+
+ if(!(m_curlHandle = curl_easy_init()) || !(m_multiHandle =
+ curl_multi_init()))
+ {
+ logCrit("%s failed!\n", __PRETTY_FUNCTION__);
+ return;
+ }
+
+ m_targetUrl = url;
+ m_sample = sample;
+
+ initializeHandle();
+}
+
+TransferSession::~TransferSession()
+{
+ Exit();
+}
+
+void TransferSession::initializeHandle()
+{
+ m_postInfo = m_postInfoLast = 0;
+
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "guid",
+ CURLFORM_COPYCONTENTS, m_sample.guid.c_str(), CURLFORM_END);
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME,
+ "maintainer", CURLFORM_COPYCONTENTS, m_sample.maintainer.c_str(),
+ CURLFORM_END);
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "secret",
+ CURLFORM_COPYCONTENTS, m_sample.secret.c_str(), CURLFORM_END);
+
+ if(m_type != TST_HEARTBEAT)
+ {
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "url",
+ CURLFORM_COPYCONTENTS, m_sample.url.c_str(), CURLFORM_END);
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "sha512",
+ CURLFORM_COPYCONTENTS, m_sample.sha512.c_str(), CURLFORM_END);
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "saddr",
+ CURLFORM_COPYCONTENTS, m_sample.saddr.c_str(), CURLFORM_END);
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "daddr",
+ CURLFORM_COPYCONTENTS, m_sample.daddr.c_str(), CURLFORM_END);
+
+ if(m_type == TST_SAMPLE)
+ {
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "data",
+ CURLFORM_PTRCONTENTS, m_sample.binary, CURLFORM_CONTENTSLENGTH,
+ m_sample.binarySize, CURLFORM_END);
+ }
+ }
+ else
+ {
+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "software",
+ CURLFORM_COPYCONTENTS, "nepenthes " VERSION " (" MY_OS ", " MY_ARCH
+ ", " MY_COMPILER ")", CURLFORM_END);
+ }
+
+ curl_easy_setopt(m_curlHandle, CURLOPT_HTTPPOST, m_postInfo);
+ curl_easy_setopt(m_curlHandle, CURLOPT_FORBID_REUSE, 1);
+ curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYHOST, false);
+ curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYPEER, false);
+ curl_easy_setopt(m_curlHandle, CURLOPT_URL, m_targetUrl.c_str());
+ curl_easy_setopt(m_curlHandle, CURLOPT_USERAGENT,
+ "nepenthes " VERSION " (" MY_OS ", " MY_ARCH ", " MY_COMPILER ")");
+ curl_easy_setopt(m_curlHandle, CURLOPT_WRITEDATA, this);
+ curl_easy_setopt(m_curlHandle, CURLOPT_WRITEFUNCTION,
+ TransferSession::readData);
+
+ CURLMcode error;
+
+ if((error = curl_multi_add_handle(m_multiHandle, m_curlHandle)))
+ logCrit("Error adding easy to multi: %s\n", curl_multi_strerror(error));
+
+ int handles = 0;
+
+ while(curl_multi_perform(m_multiHandle, &handles) ==
+ CURLM_CALL_MULTI_PERFORM && handles);
+}
+
+//size_t function( void *ptr, size_t size, size_t nmemb, void *stream);
+size_t TransferSession::readData(void *buffer, size_t s, size_t n, void *data)
+{
+ ((TransferSession *) data)->m_buffer.append((const char *)buffer, s * n);
+ return s * n;
+}
+
+TransferSession::Status TransferSession::getTransferStatus()
+{
+ if(m_type != TST_HEARTBEAT)
+ {
+ if(m_buffer == "OK")
+ return TSS_OK;
+ else if(m_buffer == "UNKNOWN")
+ return TSS_UNKNOWN;
+ else
+ return TSS_ERROR;
+ }
+ else
+ {
+ if(m_buffer.substr(0, 4) == "OK: ")
+ return TSS_HEARTBEAT;
+ else
+ return TSS_ERROR;
+ }
+}
+
+bool TransferSession::Init()
+{
+ return true;
+}
+
+bool TransferSession::Exit()
+{
+ if(m_multiHandle)
+ curl_multi_remove_handle(m_multiHandle, m_curlHandle);
+
+ if(m_postInfo)
+ curl_formfree(m_postInfo);
+
+ if(m_curlHandle)
+ curl_easy_cleanup(m_curlHandle);
+
+ if(m_multiHandle)
+ {
+ curl_multi_cleanup(m_multiHandle);
+ m_multiHandle = 0;
+ }
+
+ if(m_sample.binary)
+ {
+ delete [] m_sample.binary;
+ m_sample.binary = 0;
+ }
+
+ return true;
+}
+
+bool TransferSession::wantSend()
+{
+ fd_set readSet, writeSet, errorSet;
+ int maxFd = 0;
+ CURLMcode error;
+ FD_ZERO(&readSet); FD_ZERO(&writeSet); FD_ZERO(&errorSet);
+
+ if((error = curl_multi_fdset(m_multiHandle, &readSet, &writeSet, &errorSet,
+ &maxFd)))
+ {
+ logCrit("Obtaining write socket failed: %s\n",
+ curl_multi_strerror(error));
+ return false;
+ }
+
+ return FD_ISSET(maxFd, &writeSet);
+}
+
+int32_t TransferSession::doSend()
+{
+ return doRecv();
+}
+
+int32_t TransferSession::doRecv()
+{
+ int handles = 0, queued = 0;
+
+ while(curl_multi_perform(m_multiHandle, &handles) ==
+ CURLM_CALL_MULTI_PERFORM && handles);
+
+ CURLMsg * message;
+
+ while((message = curl_multi_info_read(m_multiHandle, &queued)))
+ {
+ if(message->msg == CURLMSG_DONE)
+ {
+ if(message->data.result)
+ {
+ logCrit("Connection to %s failed: %s [\"%s\"]\n",
+ m_targetUrl.c_str(), curl_easy_strerror(message->
+ data.result), m_buffer.c_str());
+
+ if(m_type == TST_HEARTBEAT)
+ m_parent->scheduleHeartbeat(DEFAULT_HEARTBEAT_DELTA);
+ else
+ {
+ m_parent->retrySample(m_sample);
+ m_sample.binary = 0;
+ }
+ }
+ else
+ {
+ switch(getTransferStatus())
+ {
+ case TransferSession::TSS_OK:
+ logInfo("Transmitted %s to %s.\n", m_sample.url.c_str(),
+ m_targetUrl.c_str());
+
+ break;
+
+ case TransferSession::TSS_UNKNOWN:
+ logInfo("submit-mwserv: uploading data for %s\n",
+ m_sample.url.c_str());
+
+ m_parent->submitSample(m_sample);
+ m_sample.binary = 0;
+
+ break;
+
+ case TransferSession::TSS_HEARTBEAT:
+ {
+ unsigned long delta = strtoul(m_buffer.substr(4).
+ c_str(), 0, 0);
+ logDebug("Next heartbeat in %u seconds.\n", delta);
+
+ m_parent->scheduleHeartbeat(delta);
+
+ break;
+ }
+
+ case TransferSession::TSS_ERROR:
+ if(m_type == TST_HEARTBEAT)
+ m_parent->scheduleHeartbeat(DEFAULT_HEARTBEAT_DELTA);
+
+ logCrit("%s reported \"%s\"\n", m_targetUrl.c_str(),
+ m_buffer.c_str());
+
+ break;
+ }
+ }
+
+ m_Type |= ~ST_NODEL;
+ m_Status = SS_CLOSED;
+ }
+ }
+
+ return 0;
+}
+
+int32_t TransferSession::getSocket()
+{
+ if(!m_multiHandle)
+ return -1;
+
+ fd_set readSet, writeSet, errorSet;
+ int maxFd = 0;
+ CURLMcode error;
+ FD_ZERO(&readSet); FD_ZERO(&writeSet); FD_ZERO(&errorSet);
+
+ if((error = curl_multi_fdset(m_multiHandle, &readSet, &writeSet, &errorSet,
+ &maxFd)))
+ {
+ logCrit("Obtaining read socket failed: %s\n",
+ curl_multi_strerror(error));
+ return -1;
+ }
+
+ if(maxFd == -1)
+ return -1;
+
+ if(!FD_ISSET(maxFd, &readSet) && !FD_ISSET(maxFd, &writeSet) &&
+ !FD_ISSET(maxFd, &errorSet))
+ {
+ logCrit("maxFd not in set: %i!\n", maxFd);
+ return -1;
+ }
+
+ return maxFd;
+}
+
+int32_t TransferSession::getsockOpt(int32_t level, int32_t optname,
+ void *optval, socklen_t *optlen)
+{
+ return getsockopt(getSocket(), level, optname, optval, optlen);
+}
+
+
+}
+
+
+bool TransferSession::checkTimeout()
+{
+ // if the connection is bad, give curl a chance to take care, so we can get rid of the connection
+ if (getSocket() == -1)
+ doRecv();
+
+ return false;
+}
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/TransferSession.hpp nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.hpp
--- nepenthes-0.2.0/modules/submit-mwserv/TransferSession.hpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,129 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2007 Georg Wicherski <gw@mwcollect.org>
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+#include <curl/curl.h>
+#include <curl/types.h>
+#include <curl/easy.h>
+
+#include <string>
+using namespace std;
+
+#include "Nepenthes.hpp"
+#include "Module.hpp"
+#include "SubmitHandler.hpp"
+#include "Download.hpp"
+
+#include "POLLSocket.hpp"
+
+
+namespace nepenthes
+{
+
+
+struct TransferSample
+{
+ string guid;
+ string maintainer;
+ string secret;
+
+ string url;
+ string saddr, daddr;
+ string sha512;
+
+ char * binary;
+ unsigned int binarySize;
+};
+
+
+class SubmitMwservModule;
+
+class TransferSession : public POLLSocket
+{
+public:
+ enum Type
+ {
+ TST_INSTANCE,
+ TST_SAMPLE,
+ TST_HEARTBEAT,
+ };
+
+ TransferSession(Type type, SubmitMwservModule * parent);
+ virtual ~TransferSession();
+
+ enum Status
+ {
+ TSS_OK,
+ TSS_UNKNOWN,
+ TSS_HEARTBEAT,
+ TSS_ERROR,
+ };
+
+ TransferSession::Status getTransferStatus();
+
+ void transfer(TransferSample& sample, string url);
+
+ // POLLSocket
+ bool Init();
+ bool Exit();
+
+ bool wantSend();
+
+ int32_t doSend();
+ int32_t doRecv();
+ int32_t getSocket();
+ int32_t getsockOpt(int32_t level, int32_t optname,
+ void *optval, socklen_t *optlen);
+ bool checkTimeout();
+
+protected:
+ string m_targetUrl;
+ TransferSample m_sample;
+
+ CURL * m_curlHandle;
+ CURLM * m_multiHandle;
+ curl_httppost * m_postInfo, * m_postInfoLast;
+
+ char * m_dataCopy;
+ unsigned int m_dataSize;
+
+ void initializeHandle();
+ void recreateWithSampleData();
+
+ string m_buffer;
+
+ Type m_type;
+ SubmitMwservModule * m_parent;
+
+ unsigned long m_heartbeatDelta;
+
+private:
+ static size_t readData(void *buffer, size_t size, size_t n, void *data);
+};
+
+
+}
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.conf.dist nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.conf.dist
--- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.conf.dist 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.conf.dist 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,18 @@
+// lightweight libcurl based module for file submission via HTTP to the mwserv
+// python script suite (typically running on an apache2 with mod_python)
+// This is primarily used by the mwcollect Alliance - alliance.mwcollect.org
+
+submit-mwserv
+{
+ // the url to send the submission requests to
+ url = "";
+
+ // username of the maintainer of this sensor
+ maintainer = "";
+
+ // guid of this sensor, as generated serverside; typically 8 chars
+ guid = "";
+
+ // shared secret used for authentication aka `password'; typically 48 chars
+ secret = "";
+};
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.cpp nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.cpp
--- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.cpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,224 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2007 Georg Wicherski <gw@mwcollect.org>
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+#include "Download.hpp"
+#include "Utilities.hpp"
+#include "SubmitManager.hpp"
+#include "LogManager.hpp"
+#include "Event.hpp"
+#include "EventManager.hpp"
+#include "EventHandler.cpp"
+#include "Config.hpp"
+#include "ModuleManager.hpp"
+#include "SocketManager.hpp"
+
+#include "DownloadBuffer.hpp"
+#include "DownloadUrl.hpp"
+
+#include "submit-mwserv.hpp"
+
+#include <unistd.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+
+#define SUBMIT_URI "nepenthes/submit"
+#define HEARTBEAT_URI "heartbeat"
+
+
+namespace nepenthes
+{
+
+
+SubmitMwservModule::SubmitMwservModule(Nepenthes * nepenthes)
+{
+ m_ModuleName = "submit-mwserv";
+ m_ModuleDescription = "mwserv.py HTTP Post Submission";
+ m_ModuleRevision = "$Rev: 921 $";
+ m_Nepenthes = nepenthes;
+ m_SubmitterName = "submit-mwserv";
+ m_SubmitterDescription = "mwserv.py HTTP Post Submission";
+
+ m_Timeout = 0;
+ m_TimeoutIntervall = 0;
+}
+
+bool SubmitMwservModule::Init()
+{
+ if(!m_Config)
+ {
+ logCrit("No configuration for submit-mwserv provided.\n");
+ return false;
+ }
+
+ try
+ {
+ m_url = m_Config->getValString("submit-mwserv.url");
+ m_guid = m_Config->getValString("submit-mwserv.guid");
+ m_maintainer = m_Config->getValString("submit-mwserv.maintainer");
+ m_secret = m_Config->getValString("submit-mwserv.secret");
+ }
+ catch(...)
+ {
+ logCrit("Missing configuration option for submit-mwserv.\n");
+ return false;
+ }
+
+ if(m_guid.find(":") != string::npos || m_maintainer.find(":")
+ != string::npos || m_secret.find(":") != string::npos ||
+ m_guid.find("+") != string::npos || m_maintainer.find("+")
+ != string::npos || m_secret.find("+") != string::npos)
+ {
+ logCrit("submit-mwserv: guid, maintainer or secret from configuration"
+ "contained ':' or '+'; this is not allowed.\n");
+ return false;
+ }
+
+ if(* m_url.rbegin() != '/')
+ m_url += "/";
+
+ REG_SUBMIT_HANDLER(this);
+ REG_EVENT_HANDLER(this);
+
+ handleEvent(0);
+
+ return true;
+}
+
+bool SubmitMwservModule::Exit()
+{
+ return true;
+}
+
+void SubmitMwservModule::Submit(Download * download)
+{
+ Hit(download);
+}
+
+void SubmitMwservModule::Hit(Download * download)
+{
+ TransferSample sample;
+ TransferSession * session = new TransferSession(TransferSession::
+ TST_INSTANCE, this);
+
+ {
+ struct in_addr saddr, daddr;
+
+ saddr.s_addr = download->getRemoteHost();
+ daddr.s_addr = download->getLocalHost();
+
+ sample.saddr = inet_ntoa(saddr);
+ sample.daddr = inet_ntoa(daddr);
+
+ sample.guid = m_guid;
+ sample.maintainer = m_maintainer;
+ sample.secret = m_secret;
+
+ sample.url = download->getUrl();
+ sample.sha512 = download->getSHA512Sum();
+
+ sample.binarySize = download->getDownloadBuffer()->getSize();
+ sample.binary = new char[sample.binarySize];
+ memcpy(sample.binary, download->getDownloadBuffer()->getData(),
+ sample.binarySize);
+ }
+
+ session->transfer(sample, m_url + SUBMIT_URI);
+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session);
+}
+
+void SubmitMwservModule::retrySample(TransferSample& sample)
+{
+ TransferSession * session = new TransferSession(TransferSession::
+ TST_INSTANCE, this);
+
+ session->transfer(sample, m_url + SUBMIT_URI);
+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session);
+}
+
+void SubmitMwservModule::submitSample(TransferSample& sample)
+{
+ TransferSession * session = new TransferSession(TransferSession::
+ TST_SAMPLE, this);
+
+ session->transfer(sample, m_url + SUBMIT_URI);
+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session);
+}
+
+uint32_t SubmitMwservModule::handleEvent(Event * ev)
+{
+ m_Events.reset(EV_TIMEOUT);
+
+ TransferSample sample;
+ TransferSession * session = new TransferSession(TransferSession::
+ TST_HEARTBEAT, this);
+
+ sample.guid = m_guid;
+ sample.maintainer = m_maintainer;
+ sample.secret = m_secret;
+ sample.binary = 0;
+
+ session->transfer(sample, m_url + HEARTBEAT_URI);
+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session);
+
+ return 0;
+}
+
+void SubmitMwservModule::scheduleHeartbeat(unsigned long delta)
+{
+ if(delta > MAX_HEARTBEAT_DELTA)
+ {
+ logInfo("Capping server heartbeat delta of %u sec to %u sec.\n", delta,
+ MAX_HEARTBEAT_DELTA);
+
+ delta = MAX_HEARTBEAT_DELTA;
+ }
+
+ m_Events.set(EV_TIMEOUT);
+ m_Timeout = time(0) + delta;
+}
+
+
+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
+{
+ g_Nepenthes = nepenthes;
+
+ if(version == MODULE_IFACE_VERSION)
+ {
+ * module = new SubmitMwservModule(nepenthes);
+ return 1;
+ }
+
+ return 0;
+}
+
+
+}
+
+Nepenthes * g_Nepenthes;
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.hpp nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.hpp
--- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.hpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,78 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2007 Georg Wicherski <gw@mwcollect.org>
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+#include <curl/curl.h>
+#include <curl/types.h>
+#include <curl/easy.h>
+
+#include "Nepenthes.hpp"
+#include "Module.hpp"
+#include "SubmitHandler.hpp"
+#include "EventHandler.hpp"
+#include "Download.hpp"
+
+#include "TransferSession.hpp"
+
+
+#define DEFAULT_HEARTBEAT_DELTA 30
+#define MAX_HEARTBEAT_DELTA 300
+
+
+using namespace std;
+
+namespace nepenthes
+{
+
+
+class SubmitMwservModule : public Module , public SubmitHandler,
+ public EventHandler
+{
+public:
+ SubmitMwservModule(Nepenthes * nepenthes);
+
+ bool Init();
+ bool Exit();
+
+ void Submit(Download * download);
+ void Hit(Download * download);
+
+ uint32_t handleEvent(Event *event);
+
+ void submitSample(TransferSample& sample);
+ void retrySample(TransferSample& sample);
+ void scheduleHeartbeat(unsigned long delta);
+
+protected:
+ string m_url, m_guid, m_maintainer, m_secret;
+ uint32_t m_inTransfer;
+};
+
+
+}
+
+extern nepenthes::Nepenthes *g_Nepenthes;
diff -ruN nepenthes-0.2.0/modules/submit-norman/Makefile.am nepenthes-0.2.0-r1345/modules/submit-norman/Makefile.am
--- nepenthes-0.2.0/modules/submit-norman/Makefile.am 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-norman/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -12,4 +12,4 @@
submitnorman_la_SOURCES = submit-norman.conf.dist submit-norman.hpp submit-norman.cpp
-submitnorman_la_LDFLAGS = -module -no-undefined -avoid-version
+submitnorman_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/submit-norman/submit-norman.conf.dist nepenthes-0.2.0-r1345/modules/submit-norman/submit-norman.conf.dist
--- nepenthes-0.2.0/modules/submit-norman/submit-norman.conf.dist 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-norman/submit-norman.conf.dist 2007-08-06 00:46:15.000000000 +0200
@@ -1,8 +1,8 @@
submit-norman
{
// this is the adress where norman sandbox reports will be sent
- email "malware@mac.com";
- urls ("http://sandbox.norman.no/live_4.html",
+ email "nsbx@mwcollect.org";
+ urls ("http://www.norman.com/microsites/nsic/Submit/Special/45773/",
"http://luigi.informatik.uni-mannheim.de/submit.php?action=verify");
};
diff -ruN nepenthes-0.2.0/modules/submit-postgres/Makefile.am nepenthes-0.2.0-r1345/modules/submit-postgres/Makefile.am
--- nepenthes-0.2.0/modules/submit-postgres/Makefile.am 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-postgres/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -13,5 +13,6 @@
submitpostgres_la_SOURCES = submit-postgres.cpp submit-postgres.hpp
submitpostgres_la_SOURCES += PGDownloadContext.cpp PGDownloadContext.hpp
submitpostgres_la_SOURCES += bencoding.c bencoding.h
+submitpostgres_la_SOURCES += submit-postgres.conf.dist
submitpostgres_la_LDFLAGS = -module -no-undefined -avoid-version
diff -ruN nepenthes-0.2.0/modules/vuln-asn1/IISDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-asn1/IISDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-asn1/IISDialogue.cpp 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-asn1/IISDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -43,6 +43,9 @@
#include "Socket.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
+
#ifdef STDTAGS
#undef STDTAGS
#endif
@@ -79,7 +82,7 @@
case IIS_POST:
case IIS_GET:
logWarn("Unknown IIS %i bytes State %i\n",m_Buffer->getSize(), m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
break;
case IIS_SEARCH:
@@ -102,7 +105,7 @@
ConsumeLevel IISDialogue::incomingData(Message *msg)
{
m_Buffer->add(msg->getMsg(),msg->getSize());
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+// HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
// FIXME this can only recognize urldownloadtofile foobar
diff -ruN nepenthes-0.2.0/modules/vuln-asn1/SMBDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-asn1/SMBDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-asn1/SMBDialogue.cpp 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-asn1/SMBDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -43,8 +43,13 @@
#include "Utilities.hpp"
#include "ShellcodeManager.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
+
#include "vuln-asn1.hpp"
+
+
#ifdef STDTAGS
#undef STDTAGS
#endif
@@ -227,5 +232,5 @@
void SMBDialogue::dump()
{
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","ASN1_SMB",m_Buffer->getSize(),m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-bagle/BagleDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-bagle/BagleDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-bagle/BagleDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-bagle/BagleDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -124,7 +124,7 @@
}
logCrit("Unknown Bagle Auth (%i)\n",m_Buffer->getSize());
- g_Nepenthes->getUtilities()->hexdump(l_crit | STDTAGS ,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+// g_Nepenthes->getUtilities()->hexdump(l_crit | STDTAGS ,(byte *)m_Buffer->getData(),m_Buffer->getSize());
if (m_Buffer->getSize() > 128 )
return CL_DROP;
diff -ruN nepenthes-0.2.0/modules/vuln-bagle/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-bagle/Makefile.am
--- nepenthes-0.2.0/modules/vuln-bagle/Makefile.am 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-bagle/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -6,7 +6,6 @@
AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
AM_CXXFLAGS = -Wall -Werror
-AM_LDFLAGS = -lpcre
pkglib_LTLIBRARIES = vulnbagle.la
diff -ruN nepenthes-0.2.0/modules/vuln-dameware/DWDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-dameware/DWDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-dameware/DWDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-dameware/DWDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -48,6 +48,9 @@
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
+
#ifdef STDTAGS
#undef STDTAGS
#endif
@@ -209,5 +212,5 @@
void DWDialogue::dump()
{
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","DameWare",m_Buffer->getSize(),m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-dcom/DCOMDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-dcom/DCOMDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-dcom/DCOMDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-dcom/DCOMDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -39,6 +39,10 @@
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
+
+
#ifdef STDTAGS
#undef STDTAGS
#endif
@@ -234,5 +238,5 @@
void DCOMDialogue::dump()
{
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","DCOM",m_Buffer->getSize(),m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-ftpd/vuln-ftpd.cpp nepenthes-0.2.0-r1345/modules/vuln-ftpd/vuln-ftpd.cpp
--- nepenthes-0.2.0/modules/vuln-ftpd/vuln-ftpd.cpp 2006-11-13 20:40:03.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-ftpd/vuln-ftpd.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -55,6 +55,9 @@
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
+
#ifdef STDTAGS
#undef STDTAGS
#endif
@@ -220,7 +223,7 @@
uint32_t i = 0;
bool buffercut=false;
- g_Nepenthes->getUtilities()->hexdump((byte *) m_Buffer->getData(),m_Buffer->getSize());
+// g_Nepenthes->getUtilities()->hexdump((byte *) m_Buffer->getData(),m_Buffer->getSize());
while ( i < m_Buffer->getSize() )
{
buffercut = false;
@@ -418,7 +421,7 @@
void FTPdDialogue::dump()
{
logWarn("Unknown exploit %i bytes \n",m_Shellcode->getSize());
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Shellcode->getData(), m_Shellcode->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Shellcode->getData(), m_Shellcode->getSize());
}
ftp_exploit FTPdDialogue::identExploit(string line)
diff -ruN nepenthes-0.2.0/modules/vuln-iis/IISDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-iis/IISDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-iis/IISDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-iis/IISDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -49,6 +49,9 @@
#include "Message.hpp"
#include "Message.cpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
+
#ifdef STDTAGS
#undef STDTAGS
#endif
@@ -85,7 +88,7 @@
case IIS_NULL:
case IIS_SSL:
logWarn("Unknown IIS SSL exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
break;
case IIS_DONE:
diff -ruN nepenthes-0.2.0/modules/vuln-lsass/LSASSDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-lsass/LSASSDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-lsass/LSASSDialogue.cpp 2006-11-13 20:40:11.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-lsass/LSASSDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -46,6 +46,8 @@
#include "Buffer.hpp"
#include "Buffer.cpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
#ifdef STDTAGS
#undef STDTAGS
@@ -281,6 +283,6 @@
void LSASSDialogue::dump()
{
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","LSASS",m_Buffer->getSize(),m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-msdtc/MSDTCDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-msdtc/MSDTCDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-msdtc/MSDTCDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-msdtc/MSDTCDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -38,6 +38,8 @@
#include "ShellcodeManager.hpp"
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
#ifdef STDTAGS
#undef STDTAGS
@@ -181,5 +183,5 @@
void MSDTCDialogue::dump()
{
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","MSDTC",m_Buffer->getSize(),m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-msmq/MSMQDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-msmq/MSMQDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-msmq/MSMQDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-msmq/MSMQDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -43,6 +43,8 @@
#include "Nepenthes.hpp"
#include "LogManager.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
using namespace nepenthes;
@@ -73,7 +75,7 @@
case MSMQ_NULL:
case MSMQ_SHELLCODE:
logWarn("Unknown MSMQ exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
break;
case MSMQ_DONE:
diff -ruN nepenthes-0.2.0/modules/vuln-mssql/MSSQLDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-mssql/MSSQLDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-mssql/MSSQLDialogue.cpp 2006-11-13 20:40:03.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-mssql/MSSQLDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -41,6 +41,9 @@
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
+
#ifdef STDTAGS
#undef STDTAGS
#endif
@@ -115,7 +118,7 @@
}
else
{ // hexdump it
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte*)msg->getMsg(),msg->getSize());
+ HEXDUMP(m_Socket,(byte*)msg->getMsg(),msg->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-netbiosname/SMBNameDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-netbiosname/SMBNameDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-netbiosname/SMBNameDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-netbiosname/SMBNameDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -49,6 +49,8 @@
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
#ifdef STDTAGS
#undef STDTAGS
@@ -146,7 +148,7 @@
case SMBName_NEGOTIATE:
case SMBName_NULL:
logWarn("Unknown SMBName exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+// HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
break;
diff -ruN nepenthes-0.2.0/modules/vuln-netdde/NETDDEDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-netdde/NETDDEDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-netdde/NETDDEDialogue.cpp 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-netdde/NETDDEDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -49,6 +49,8 @@
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
#ifdef STDTAGS
#undef STDTAGS
@@ -201,5 +203,5 @@
void NETDDEDialogue::dump()
{
logWarn("Unknown NETDDE exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-optix/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-optix/Makefile.am
--- nepenthes-0.2.0/modules/vuln-optix/Makefile.am 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-optix/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -12,4 +12,4 @@
vulnoptix_la_SOURCES = vuln-optix.conf.dist OPTIXBindDialogue.hpp OPTIXDownloadDialogue.hpp OPTIXDownloadHandler.hpp OPTIXShellDialogue.hpp vuln-optix.hpp OPTIXBindDialogue.cpp OPTIXDownloadDialogue.cpp OPTIXDownloadHandler.cpp OPTIXShellDialogue.cpp vuln-optix.cpp
-vulnoptix_la_LDFLAGS = -module -no-undefined -avoid-version
+vulnoptix_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/vuln-optix/OPTIXShellDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-optix/OPTIXShellDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-optix/OPTIXShellDialogue.cpp 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-optix/OPTIXShellDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -107,7 +107,7 @@
case OPTIX_AUTHED:
if (m_Buffer->getSize() >= 6)
{
- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
// we could do this with pcre ...
if (memcmp(m_Buffer->getData(),"019<EFBFBD>\r\n",6) == 0)
{
diff -ruN nepenthes-0.2.0/modules/vuln-pnp/PNPDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-pnp/PNPDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-pnp/PNPDialogue.cpp 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-pnp/PNPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -47,6 +47,8 @@
#include "Buffer.hpp"
#include "Buffer.cpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
#ifdef STDTAGS
#undef STDTAGS
@@ -276,5 +278,5 @@
void PNPDialogue::dump()
{
logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","PNP",m_Buffer->getSize(),m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-realvnc/vuln-realvnc.cpp nepenthes-0.2.0-r1345/modules/vuln-realvnc/vuln-realvnc.cpp
--- nepenthes-0.2.0/modules/vuln-realvnc/vuln-realvnc.cpp 2006-11-13 20:40:07.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-realvnc/vuln-realvnc.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -246,7 +246,7 @@
{
logSpam("VNC_HANDSHAKE\n");
- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
if (m_Buffer->getSize() >= strlen(rfb_version_003_008) &&
memcmp(m_Buffer->getData(),rfb_version_003_008,strlen(rfb_version_003_008)) == 0)
{
@@ -262,7 +262,7 @@
if ( m_State == VNC_AUTH)
{
logSpam("VNC_AUTH\n");
- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
if (m_Buffer->getSize() >= 1 )
{
if (1)// *(char *) (m_Buffer->getData()) == 1)
@@ -546,7 +546,7 @@
case 6:
logSpam("ClientReq: CutEvent\n");
- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize());
if (m_Buffer->getSize() >= 8 )
{
uint32_t cpbytes;
diff -ruN nepenthes-0.2.0/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -49,6 +49,8 @@
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
#ifdef STDTAGS
#undef STDTAGS
@@ -219,5 +221,5 @@
void SasserFTPDDialogue::dump()
{
logWarn("Unknown SasserFTPD exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-sav/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-sav/Makefile.am
--- nepenthes-0.2.0/modules/vuln-sav/Makefile.am 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-sav/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,14 @@
+# nepenthes module Makefile
+# Paul Baecher, Maximillian Dornseif, Markus Koetter
+# $Id$
+
+AUTOMAKE_OPTIONS = foreign
+
+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
+AM_CXXFLAGS = -Wall -Werror
+
+pkglib_LTLIBRARIES = vulnsav.la
+
+vulnsav_la_SOURCES = vuln-sav.cpp vuln-sav.hpp
+
+vulnsav_la_LDFLAGS = -module -no-undefined -avoid-version
diff -ruN nepenthes-0.2.0/modules/vuln-sav/vuln-sav.cpp nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.cpp
--- nepenthes-0.2.0/modules/vuln-sav/vuln-sav.cpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,278 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+ /* $Id$ */
+
+#include <ctype.h>
+
+#include "vuln-sav.hpp"
+
+#include "SocketManager.hpp"
+
+#include "DownloadManager.hpp"
+#include "LogManager.hpp"
+#include "DialogueFactoryManager.hpp"
+
+
+#include "Buffer.hpp"
+#include "Buffer.cpp"
+
+#include "Message.hpp"
+#include "Message.cpp"
+
+#include "ShellcodeManager.hpp"
+
+#include "Config.hpp"
+
+#include "Download.hpp"
+
+#ifdef STDTAGS
+#undef STDTAGS
+#endif
+#define STDTAGS l_mod
+
+using namespace nepenthes;
+
+
+/**
+ * as we may need a global pointer to our Nepenthes in our modules,
+ * and cant access the cores global pointer to nepenthes
+ * we have to use a own global pointer to nepenthes per module
+ * we need this pointer for logInfo() etc
+ */
+Nepenthes *g_Nepenthes;
+
+/**
+ * The Constructor
+ * creates a new VulnSAV Module,
+ * VulnSAV is an example for binding a socket & setting up the Dialogue & DialogueFactory
+ *
+ *
+ * it can be used as a shell emu to allow trigger commands
+ *
+ *
+ * sets the following values:
+ * - m_DialogueFactoryName
+ * - m_DialogueFactoryDescription
+ *
+ * @param nepenthes the pointer to our Nepenthes
+ */
+VulnSAV::VulnSAV(Nepenthes *nepenthes)
+{
+ m_ModuleName = "vuln-sav";
+ m_ModuleDescription = "emulate the bug in symantec antivirus product";
+ m_ModuleRevision = "$Rev$";
+ m_Nepenthes = nepenthes;
+
+ m_DialogueFactoryName = "SAV Factory";
+ m_DialogueFactoryDescription = "Symantec Antivirus Client Dialogue Factory";
+
+ g_Nepenthes = nepenthes;
+}
+
+VulnSAV::~VulnSAV()
+{
+
+}
+
+
+/**
+ * Module::Init()
+ *
+ * binds the port, adds the DialogueFactory to the Socket
+ *
+ * @return returns true if everything was fine, else false
+ * false indicates a fatal error
+ */
+bool VulnSAV::Init()
+{
+/* if ( m_Config == NULL )
+ {
+ logCrit("I need a config\n");
+ return false;
+ }
+*/
+ m_Nepenthes->getSocketMgr()->bindTCPSocket(0,2967,0,30,this);
+ return true;
+}
+
+bool VulnSAV::Exit()
+{
+ return true;
+}
+
+/**
+ * DialogueFactory::createDialogue(Socket *)
+ *
+ * creates a new SAVDialogue
+ *
+ * @param socket the socket the DIalogue has to use, can be NULL if the Dialogue can handle it
+ *
+ * @return returns the new created dialogue
+ */
+Dialogue *VulnSAV::createDialogue(Socket *socket)
+{
+ return new SAVDialogue(socket);
+// return g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory")->createDialogue(socket);
+}
+
+
+
+
+
+
+
+/**
+ * Dialogue::Dialogue(Socket *)
+ * construktor for the SAVDialogue, creates a new SAVDialogue
+ *
+ * replies some crap to the socket
+ *
+ * @param socket the Socket the Dialogue has to use
+ */
+SAVDialogue::SAVDialogue(Socket *socket)
+{
+ m_Socket = socket;
+ m_DialogueName = "SAVDialogue";
+ m_DialogueDescription = "Symantec Antivirus Dialogue";
+
+ m_ConsumeLevel = CL_ASSIGN;
+
+ m_Buffer = new Buffer(512);
+}
+
+SAVDialogue::~SAVDialogue()
+{
+ delete m_Buffer;
+}
+
+/**
+ * Dialogue::incomingData(Message *)
+ *
+ * a small and ugly shell where we can use
+ * "download protocol://localction:port/path/to/file
+ * to trigger a download
+ *
+ * @param msg the Message the Socker received.
+ *
+ *
+ * @return CL_ASSIGN
+ */
+ConsumeLevel SAVDialogue::incomingData(Message *msg)
+{
+
+ m_Buffer->add(msg->getMsg(),msg->getSize());
+
+ if ( m_Buffer->getSize() > 0xcd0 )
+ {
+ Message *Msg = new Message((char *)m_Buffer->getData(), m_Buffer->getSize(),m_Socket->getLocalPort(), m_Socket->getRemotePort(),
+ m_Socket->getLocalHost(), m_Socket->getRemoteHost(), m_Socket, m_Socket);
+ sch_result sch;
+ sch = g_Nepenthes->getShellcodeMgr()->handleShellcode(&Msg);
+ delete Msg;
+
+ if ( sch == SCH_DONE )
+ {
+ m_Buffer->clear();
+ return CL_ASSIGN_AND_DONE;
+ }
+
+ }
+
+ return CL_ASSIGN;
+}
+
+/**
+ * Dialogue::outgoingData(Message *)
+ * as we are not interested in these socket actions
+ * we simply return CL_DROP to show the socket
+ *
+ * @param msg
+ *
+ * @return CL_DROP
+ */
+ConsumeLevel SAVDialogue::outgoingData(Message *msg)
+{
+ return CL_ASSIGN;
+}
+
+/**
+ * Dialogue::handleTimeout(Message *)
+ * as we are not interested in these socket actions
+ * we simply return CL_DROP to show the socket
+ *
+ * @param msg
+ *
+ * @return CL_DROP
+ */
+ConsumeLevel SAVDialogue::handleTimeout(Message *msg)
+{
+ return CL_DROP;
+}
+
+/**
+ * Dialogue::connectionLost(Message *)
+ * as we are not interested in these socket actions
+ * we simply return CL_DROP to show the socket
+ *
+ * @param msg
+ *
+ * @return CL_DROP
+ */
+ConsumeLevel SAVDialogue::connectionLost(Message *msg)
+{
+ return CL_DROP;
+}
+
+/**
+ * Dialogue::connectionShutdown(Message *)
+ * as we are not interested in these socket actions
+ * we simply return CL_DROP to show the socket
+ *
+ * @param msg
+ *
+ * @return CL_DROP
+ */
+ConsumeLevel SAVDialogue::connectionShutdown(Message *msg)
+{
+ return CL_DROP;
+}
+
+
+
+
+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
+{
+ if ( version == MODULE_IFACE_VERSION )
+ {
+ *module = new VulnSAV(nepenthes);
+ return (1);
+ } else
+ {
+ return (0);
+ }
+}
diff -ruN nepenthes-0.2.0/modules/vuln-sav/vuln-sav.hpp nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.hpp
--- nepenthes-0.2.0/modules/vuln-sav/vuln-sav.hpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,72 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+ /* $Id$ */
+
+#include "DialogueFactory.hpp"
+#include "Module.hpp"
+#include "ModuleManager.hpp"
+#include "SocketManager.hpp"
+#include "Nepenthes.hpp"
+#include "Dialogue.hpp"
+#include "Socket.hpp"
+
+using namespace std;
+
+namespace nepenthes
+{
+
+ class Buffer;
+
+ class VulnSAV : public Module , public DialogueFactory
+ {
+ public:
+ VulnSAV(Nepenthes *);
+ ~VulnSAV();
+ Dialogue *createDialogue(Socket *socket);
+ bool Init();
+ bool Exit();
+ };
+
+ class SAVDialogue : public Dialogue
+ {
+ public:
+ SAVDialogue(Socket *socket);
+ ~SAVDialogue();
+ ConsumeLevel incomingData(Message *msg);
+ ConsumeLevel outgoingData(Message *msg);
+ ConsumeLevel handleTimeout(Message *msg);
+ ConsumeLevel connectionLost(Message *msg);
+ ConsumeLevel connectionShutdown(Message *msg);
+
+ protected:
+ Buffer *m_Buffer;
+
+ };
+
+}
+extern nepenthes::Nepenthes *g_Nepenthes;
diff -ruN nepenthes-0.2.0/modules/vuln-sav/x-2.conf.dist nepenthes-0.2.0-r1345/modules/vuln-sav/x-2.conf.dist
--- nepenthes-0.2.0/modules/vuln-sav/x-2.conf.dist 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-sav/x-2.conf.dist 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,5 @@
+x-2
+{
+ ports ("10002");
+ accepttimeout "45";
+};
diff -ruN nepenthes-0.2.0/modules/vuln-ssh/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-ssh/Makefile.am
--- nepenthes-0.2.0/modules/vuln-ssh/Makefile.am 2006-11-13 20:40:03.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-ssh/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -10,6 +10,6 @@
pkglib_LTLIBRARIES = vulnssh.la
-vulnssh_la_SOURCES = vuln-ssh.cpp vuln-ssh.hpp SSHSocket.cpp SSHSocket.hpp SSHDialogue.cpp SSHDialogue.hpp vuln-ssh.conf.dist
+vulnssh_la_SOURCES = vuln-ssh.cpp vuln-ssh.hpp SSHSocket.cpp SSHSocket.hpp SSHDialogue.cpp SSHDialogue.hpp
-vulnssh_la_LDFLAGS = -module -no-undefined -avoid-version
+vulnssh_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/vuln-upnp/UPNPDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-upnp/UPNPDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-upnp/UPNPDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-upnp/UPNPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -49,6 +49,8 @@
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
#ifdef STDTAGS
#undef STDTAGS
@@ -190,5 +192,5 @@
void UPNPDialogue::dump()
{
logWarn("Unknown UPNP exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-veritas/VERITASDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-veritas/VERITASDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-veritas/VERITASDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-veritas/VERITASDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -49,6 +49,8 @@
#include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
#ifdef STDTAGS
#undef STDTAGS
@@ -98,7 +100,7 @@
m_Buffer->add(msg->getMsg(),msg->getSize());
logInfo("Traffic for VERITAS (%i bytes)\n",msg->getSize());
- g_Nepenthes->getUtilities()->hexdump(STDTAGS|l_warn,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+// g_Nepenthes->getUtilities()->hexdump(STDTAGS|l_warn,(byte *) m_Buffer->getData(), m_Buffer->getSize());
/*
switch (m_State)
@@ -189,5 +191,5 @@
void VERITASDialogue::dump()
{
logWarn("Unknown VERITAS exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/vuln-wins/WINSDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-wins/WINSDialogue.cpp
--- nepenthes-0.2.0/modules/vuln-wins/WINSDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/vuln-wins/WINSDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -41,6 +41,9 @@
#include "Socket.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
+
#ifdef STDTAGS
#undef STDTAGS
#endif
@@ -123,5 +126,5 @@
{
logWarn("WINS unknown shellcode %i bytes State 0\n",m_Buffer->getSize());
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
}
diff -ruN nepenthes-0.2.0/modules/x-4/x-4.cpp nepenthes-0.2.0-r1345/modules/x-4/x-4.cpp
--- nepenthes-0.2.0/modules/x-4/x-4.cpp 2006-11-13 20:40:11.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/x-4/x-4.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -118,7 +118,7 @@
*/
void X4::Submit(Download *down)
{
- m_Nepenthes->getUtilities()->hexdump((byte *)down->getDownloadBuffer()->getData(),down->getDownloadBuffer()->getSize());
+// m_Nepenthes->getUtilities()->hexdump((byte *)down->getDownloadBuffer()->getData(),down->getDownloadBuffer()->getSize());
}
/**
diff -ruN nepenthes-0.2.0/nepenthes-core/include/DNSQuery.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/DNSQuery.hpp
--- nepenthes-0.2.0/nepenthes-core/include/DNSQuery.hpp 2006-11-13 20:40:01.000000000 +0100
+++ nepenthes-0.2.0-r1345/nepenthes-core/include/DNSQuery.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -56,6 +56,7 @@
virtual ~DNSQuery();
virtual DNSCallback *getCallback();
+ virtual void cancelCallback();
virtual string getDNS();
virtual uint16_t getQueryType();
virtual void *getObject();
diff -ruN nepenthes-0.2.0/nepenthes-core/include/Event.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/Event.hpp
--- nepenthes-0.2.0/nepenthes-core/include/Event.hpp 2006-11-13 20:40:01.000000000 +0100
+++ nepenthes-0.2.0-r1345/nepenthes-core/include/Event.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -71,6 +71,8 @@
#define EV_SHELLCODE_DONE 24
+#define EV_HEXDUMP 25
+
class Event
{
public:
diff -ruN nepenthes-0.2.0/nepenthes-core/include/SocketEvent.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/SocketEvent.hpp
--- nepenthes-0.2.0/nepenthes-core/include/SocketEvent.hpp 2006-11-13 20:40:01.000000000 +0100
+++ nepenthes-0.2.0-r1345/nepenthes-core/include/SocketEvent.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -137,5 +137,50 @@
Dialogue *m_Dialogue;
};
+#ifdef HAVE_DEBUG_LOGGING
+#define HEXDUMP(socket,data,size) \
+{ \
+ HexdumpEvent *he = new HexdumpEvent(socket,data,size); \
+ g_Nepenthes->getEventMgr()->handleEvent(he); \
+ delete he; \
+}
+#else // HAVE_DEBUG_LOGGING
+#define HEXDUMP(socket,data,size)
+#endif // HAVE_DEBUG_LOGGING
+
+
+
+ class HexdumpEvent : public Event
+ {
+ public:
+ HexdumpEvent(Socket *s, void *data, uint32_t size)
+ {
+ m_EventType = EV_HEXDUMP;
+ m_Socket = s;
+ m_Size = size;
+ m_Data = data;
+ }
+
+ virtual Socket *getSocket()
+ {
+ return m_Socket;
+ }
+
+ virtual void *getData()
+ {
+ return m_Data;
+ }
+
+ virtual uint32_t getSize()
+ {
+ return m_Size;
+ }
+
+ private:
+ Socket *m_Socket;
+ void *m_Data;
+ uint32_t m_Size;
+ };
+
}
diff -ruN nepenthes-0.2.0/nepenthes-core/include/Utilities.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/Utilities.hpp
--- nepenthes-0.2.0/nepenthes-core/include/Utilities.hpp 2006-11-13 20:40:01.000000000 +0100
+++ nepenthes-0.2.0-r1345/nepenthes-core/include/Utilities.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -130,10 +130,10 @@
void MD5Init(struct MD5Context *context);
void MD5Update(struct MD5Context *context, unsigned char const *buf,unsigned len);
void MD5Final(unsigned char digest[16], struct MD5Context *context);
-
+/*
virtual void hexdump(byte *data, uint32_t len);
virtual void hexdump(uint32_t mask, byte *data, uint32_t len);
-
+*/
virtual unsigned char *b64encode_alloc(unsigned char *in);
virtual unsigned char *b64encode_alloc(unsigned char *in, int32_t inlen);
virtual unsigned char *b64decode_alloc(unsigned char *in);
diff -ruN nepenthes-0.2.0/nepenthes-core/src/DNSQuery.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/DNSQuery.cpp
--- nepenthes-0.2.0/nepenthes-core/src/DNSQuery.cpp 2006-11-13 20:40:03.000000000 +0100
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/DNSQuery.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -54,6 +54,15 @@
return m_Callback;
}
+
+/**
+ * chancel the callback
+ */
+void DNSQuery::cancelCallback()
+{
+ m_Callback = NULL;
+}
+
/**
* get the dns to resolve
*
diff -ruN nepenthes-0.2.0/nepenthes-core/src/DNSResult.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/DNSResult.cpp
--- nepenthes-0.2.0/nepenthes-core/src/DNSResult.cpp 2006-11-13 20:40:03.000000000 +0100
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/DNSResult.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -89,7 +89,7 @@
while ( test->i != -1 )
{
m_TXT.append(test->str,test->i);
- g_Nepenthes->getUtilities()->hexdump((byte *)test->str,test->i);
+// g_Nepenthes->getUtilities()->hexdump((byte *)test->str,test->i);
test++;
}
}
diff -ruN nepenthes-0.2.0/nepenthes-core/src/LogManager.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/LogManager.cpp
--- nepenthes-0.2.0/nepenthes-core/src/LogManager.cpp 2006-11-13 20:40:02.000000000 +0100
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/LogManager.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -146,7 +146,7 @@
{
if ( m_Loggers.size() == 0)
{
- printf("%s",message);
+// printf("%s",message);
return;
}
diff -ruN nepenthes-0.2.0/nepenthes-core/src/Nepenthes.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/Nepenthes.cpp
--- nepenthes-0.2.0/nepenthes-core/src/Nepenthes.cpp 2006-11-13 20:40:03.000000000 +0100
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/Nepenthes.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -43,6 +43,8 @@
#include <dirent.h>
#include <sys/utsname.h>
#include <ctype.h>
+#include <errno.h>
+#include <string.h>
#ifdef HAVE_LIBCAP
#undef _POSIX_SOURCE
@@ -211,7 +213,7 @@
{ "user", 1, 0, 'u' },
{ "version", 0, 0, 'V' },
{ "verbose", 0, 0, 'v' },
- { "workingdir", 0, 0, 'w' },
+ { "workingdir", 1, 0, 'w' },
{ 0, 0, 0, 0 }
};
@@ -370,26 +372,27 @@
+ m_LogManager->registerTag(l_crit, "crit");
+ m_LogManager->registerTag(l_warn, "warn");
+ m_LogManager->registerTag(l_debug, "debug");
+ m_LogManager->registerTag(l_info, "info");
+ m_LogManager->registerTag(l_spam, "spam");
+ m_LogManager->registerTag(l_net, "net");
+ m_LogManager->registerTag(l_script, "script");
+ m_LogManager->registerTag(l_shell, "shell");
+ m_LogManager->registerTag(l_mem, "mem");
+ m_LogManager->registerTag(l_sc, "sc");
+ m_LogManager->registerTag(l_dl, "down");
+ m_LogManager->registerTag(l_mgr, "mgr");
+ m_LogManager->registerTag(l_hlr, "handler");
+ m_LogManager->registerTag(l_dia, "dia");
+ m_LogManager->registerTag(l_sub, "submit");
+ m_LogManager->registerTag(l_ev, "event");
+ m_LogManager->registerTag(l_mod, "module");
+ m_LogManager->registerTag(l_stdtag, "fixme");
+
if ( opt.m_runMode != runFileCheck || opt.m_verbose )
{
- m_LogManager->registerTag(l_crit, "crit");
- m_LogManager->registerTag(l_warn, "warn");
- m_LogManager->registerTag(l_debug, "debug");
- m_LogManager->registerTag(l_info, "info");
- m_LogManager->registerTag(l_spam, "spam");
- m_LogManager->registerTag(l_net, "net");
- m_LogManager->registerTag(l_script, "script");
- m_LogManager->registerTag(l_shell, "shell");
- m_LogManager->registerTag(l_mem, "mem");
- m_LogManager->registerTag(l_sc, "sc");
- m_LogManager->registerTag(l_dl, "down");
- m_LogManager->registerTag(l_mgr, "mgr");
- m_LogManager->registerTag(l_hlr, "handler");
- m_LogManager->registerTag(l_dia, "dia");
- m_LogManager->registerTag(l_sub, "submit");
- m_LogManager->registerTag(l_ev, "event");
- m_LogManager->registerTag(l_mod, "module");
- m_LogManager->registerTag(l_stdtag, "fixme");
if ( opt.m_consoleTags )
m_LogManager->addLogger(new ConsoleLogger(m_LogManager), m_LogManager->parseTagString(opt.m_consoleTags));
@@ -460,52 +463,53 @@
return 0;
- if ( opt.m_ringLogger == true )
+ if ( opt.m_runMode != runFileCheck || opt.m_verbose )
{
- string rlpath;
- try
- {
- rlpath = m_Config->getValString("nepenthes.logmanager.ring_logging_file");
- }
- catch ( ... )
+
+ if ( opt.m_ringLogger == true )
{
- logCrit("Could not find nepenthes.logmanager.ring_logging_file in Config\n");
- return false;
- }
+ string rlpath;
+ try
+ {
+ rlpath = m_Config->getValString("nepenthes.logmanager.ring_logging_file");
+ } catch ( ... )
+ {
+ logCrit("Could not find nepenthes.logmanager.ring_logging_file in Config\n");
+ return (false);
+ }
- RingFileLogger *fl = new RingFileLogger(m_LogManager);
+ RingFileLogger *fl = new RingFileLogger(m_LogManager);
- fl->setLogFileFormat((char *)rlpath.c_str());
- fl->setMaxFiles(5);
- fl->setMaxSize(1024 * 1024);
+ fl->setLogFileFormat((char *)rlpath.c_str());
+ fl->setMaxFiles(5);
+ fl->setMaxSize(1024 * 1024);
- if ( opt.m_diskTags )
- m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
- else
- m_LogManager->addLogger(fl, l_all);
+ if ( opt.m_diskTags )
+ m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
+ else
+ m_LogManager->addLogger(fl, l_all);
- }
- else
- {
- string flpath;
- try
- {
- flpath = m_Config->getValString("nepenthes.logmanager.file_logging_file");
- }
- catch ( ... )
+ } else
{
- logCrit("Could not find nepenthes.logmanager.file_logging_file in Config\n");
- return false;
- }
+ string flpath;
+ try
+ {
+ flpath = m_Config->getValString("nepenthes.logmanager.file_logging_file");
+ } catch ( ... )
+ {
+ logCrit("Could not find nepenthes.logmanager.file_logging_file in Config\n");
+ return (false);
+ }
- FileLogger *fl = new FileLogger(m_LogManager);
- fl->setLogFile(flpath.c_str());
- if ( opt.m_diskTags )
- m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
- else
- m_LogManager->addLogger(fl, l_all);
+ FileLogger *fl = new FileLogger(m_LogManager);
+ fl->setLogFile(flpath.c_str());
+ if ( opt.m_diskTags )
+ m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
+ else
+ m_LogManager->addLogger(fl, l_all);
+ }
}
if (opt.m_daemonize == true)
@@ -665,7 +669,7 @@
struct stat fileinfo;
if ( stat((const char*)argv[opti],&fileinfo) != 0 )
{
- printf("failed\n");
+ printf("Could not stat %s: %s", (const char*)argv[opti], strerror(errno));
return -1;
}
@@ -680,7 +684,10 @@
)
{
- unlink(argv[opti]);
+ if (unlink(argv[opti]) != 0)
+ {
+ printf("could not remove file %s (%s)\n",argv[opti],strerror(errno));
+ }
}
}else
@@ -693,7 +700,7 @@
while ( (dirnode = readdir(bindir)) != NULL && m_running == true )
{
-#if !defined(CYGWIN) && !defined(CYGWIN32) &&!defined(__CYGWIN__) || !defined(__CYGWIN32__)
+#if defined(d_type_IS_NOT_A_POSIX_SPEC)
if ( dirnode->d_type == 8 )
#else
if (1)
@@ -708,7 +715,10 @@
)
{
- unlink(filepath.c_str());
+ if (unlink(filepath.c_str()) != 0)
+ {
+ printf("could not remove file %s (%s)\n",filepath.c_str(),strerror(errno));
+ }
}
}
}
diff -ruN nepenthes-0.2.0/nepenthes-core/src/SocketManager.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/SocketManager.cpp
--- nepenthes-0.2.0/nepenthes-core/src/SocketManager.cpp 2006-11-13 20:40:03.000000000 +0100
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/SocketManager.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -273,13 +273,17 @@
}
}
+ int32_t socketcounter, socketmax;
+ socketcounter=0;
+ socketmax = m_Sockets.size();
+
int32_t iPollRet = poll(polls,i,50);
if (iPollRet != 0)
{
// read sockets
i=0;
- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++)
+ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax ; itSocket++, socketcounter++)
{
if ( (*itSocket)->isPolled() == true )
{
@@ -303,7 +307,8 @@
// write sockets
i=0;
- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++)
+ socketcounter=0;
+ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax; itSocket++, socketcounter++)
{
if ( (*itSocket)->isPolled() == true )
{
@@ -331,7 +336,8 @@
// accept new, non udp clients as udp does not accept()
i=0;
- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++)
+ socketcounter=0;
+ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax; itSocket++, socketcounter++)
{
diff -ruN nepenthes-0.2.0/nepenthes-core/src/Utilities.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/Utilities.cpp
--- nepenthes-0.2.0/nepenthes-core/src/Utilities.cpp 2006-11-13 20:40:02.000000000 +0100
+++ nepenthes-0.2.0-r1345/nepenthes-core/src/Utilities.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -339,7 +339,7 @@
// ENDOF MD5Sum
-
+/*
void Utilities::hexdump(byte *data, uint32_t len)
{
@@ -430,7 +430,7 @@
}
-
+*/