diff --git a/network/nepenthes/nepenthes-0.2.0-update-r1345.patch b/network/nepenthes/nepenthes-0.2.0-update-r1345.patch
deleted file mode 100644
index 715a2eee1..000000000
--- a/network/nepenthes/nepenthes-0.2.0-update-r1345.patch
+++ /dev/null
@@ -1,4595 +0,0 @@ -# --- SDE-COPYRIGHT-NOTE-BEGIN --- -# This copyright note is auto-generated by ./scripts/Create-CopyPatch. -# -# Filename: package/.../nepenthes/nepenthes-0.2.0-update-r1345.patch -# Copyright (C) 2007 The OpenSDE Project -# -# More information can be found in the files COPYING and README. -# -# This patch file is dual-licensed. It is available under the license the -# patched project is licensed under, as long as it is an OpenSource license -# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms -# of the GNU General Public License as published by the Free Software -# Foundation; either version 2 of the License, or (at your option) any later -# version. -# --- SDE-COPYRIGHT-NOTE-END --- - -diff -ruN nepenthes-0.2.0/conf/nepenthes.conf.dist nepenthes-0.2.0-r1345/conf/nepenthes.conf.dist ---- nepenthes-0.2.0/conf/nepenthes.conf.dist 2006-11-13 20:40:03.000000000 +0100 -+++ nepenthes-0.2.0-r1345/conf/nepenthes.conf.dist 2007-08-06 00:46:15.000000000 +0200 -@@ -35,10 +35,12 @@ - // "submitnorman.so", "submit-norman.conf", "" - // "submitnepenthes.so", "submit-nepenthes.conf", "" // send to download-nepenthes in other nepenthes instances - // "submitxmlrpc.so", "submit-xmlrpc.conf", "" // submit files to a xmlrpc server -+// "submithttp.so", "submit-http.conf", "" // submit files to a web server - - // logging - "logdownload.so", "log-download.conf", "" - // "logirc.so", "log-irc.conf", "" // needs configuration -+// "logprelude.so", "log-prelude.conf", "" - - - // dumping and logging -diff -ruN nepenthes-0.2.0/configure.ac nepenthes-0.2.0-r1345/configure.ac ---- nepenthes-0.2.0/configure.ac 2006-11-13 20:50:47.000000000 +0100 -+++ nepenthes-0.2.0-r1345/configure.ac 2007-08-06 00:46:15.000000000 +0200 -@@ -201,6 +201,9 @@ - # libdl - AC_SUBST([LIB_DL]) - -+# libssh -+AC_SUBST([LIB_SSH]) -+ - dnl ************************************************** - dnl * libdl linking flag * - dnl 
************************************************** -@@ -788,12 +791,11 @@ - AC_DEFINE(HAVE_LIBPRELUDE, 1,[Define if you want to use libprelude]) - PRELUDE_LDFLAGS=`$LIBPRELUDE_CONFIG --ldflags` - PRELUDE_LIBS=`$LIBPRELUDE_CONFIG --libs` -- PRELUDE_CPPFLAGS=`$LIBPRELUDE_CONFIG --cflags` -+ PRELUDE_CPPFLAGS=`$LIBPRELUDE_CONFIG --pthread-cflags` - - LIB_PRELUDE="$PRELUDE_LIBS" - LDFLAG_PRELUDE="$PRELUDE_LDFLAGS" -- CPPFLAG="$PRELUDE_CPPFLAGS" -- -+ CPPFLAGS="$CPPFLAGS $PRELUDE_CPPFLAGS" - fi - fi - -@@ -913,6 +915,8 @@ - modules/submit-gotek/Makefile - modules/submit-norman/Makefile - modules/submit-postgres/Makefile -+ modules/submit-http/Makefile -+ modules/submit-mwserv/Makefile - modules/vuln-asn1/Makefile - modules/vuln-bagle/Makefile - modules/vuln-dameware/Makefile -@@ -931,6 +935,7 @@ - modules/vuln-pnp/Makefile - modules/vuln-realvnc/Makefile - modules/vuln-sasserftpd/Makefile -+ modules/vuln-sav/Makefile - modules/vuln-ssh/Makefile - modules/vuln-sub7/Makefile - modules/vuln-upnp/Makefile -diff -ruN nepenthes-0.2.0/modules/Makefile.am nepenthes-0.2.0-r1345/modules/Makefile.am ---- nepenthes-0.2.0/modules/Makefile.am 2006-11-13 20:40:11.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -4,11 +4,11 @@ - - SUBDIRS = download-creceive download-csend download-curl download-ftp download-http download-link download-tftp download-rcp\ - log-download log-irc \ -- submit-file submit-gotek submit-norman submit-postgres\ -+ submit-file submit-gotek submit-norman submit-postgres submit-http submit-mwserv \ - shellcode-generic shellemu-winnt \ - vuln-asn1 vuln-bagle vuln-dcom vuln-iis vuln-kuang2 vuln-lsass \ - vuln-msdtc vuln-msmq vuln-mssql vuln-mydoom \ -- vuln-netbiosname vuln-netdde vuln-optix vuln-pnp vuln-sasserftpd \ -+ vuln-netbiosname vuln-netdde vuln-optix vuln-pnp vuln-sasserftpd vuln-sav \ - vuln-sub7 vuln-upnp vuln-veritas vuln-wins vuln-dameware vuln-ssh vuln-realvnc \ - module-portwatch module-honeytrap 
module-bridge module-peiros\ - dnsresolve-adns \ -diff -ruN nepenthes-0.2.0/modules/dnsresolve-adns/Makefile.am nepenthes-0.2.0-r1345/modules/dnsresolve-adns/Makefile.am ---- nepenthes-0.2.0/modules/dnsresolve-adns/Makefile.am 2006-11-13 20:40:10.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/dnsresolve-adns/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -12,4 +12,4 @@ - - dnsresolveadns_la_SOURCES = dnsresolve-adns.cpp dnsresolve-adns.hpp - --dnsresolveadns_la_LDFLAGS = -module -no-undefined -avoid-version -+dnsresolveadns_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) -diff -ruN nepenthes-0.2.0/modules/dnsresolve-adns/dnsresolve-adns.cpp nepenthes-0.2.0-r1345/modules/dnsresolve-adns/dnsresolve-adns.cpp ---- nepenthes-0.2.0/modules/dnsresolve-adns/dnsresolve-adns.cpp 2006-11-13 20:40:10.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/dnsresolve-adns/dnsresolve-adns.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -47,6 +47,7 @@ - - - #include "EventManager.hpp" -+#include "Nepenthes.hpp" - - using namespace std; - -diff -ruN nepenthes-0.2.0/modules/download-creceive/CReceiveDialogue.cpp nepenthes-0.2.0-r1345/modules/download-creceive/CReceiveDialogue.cpp ---- nepenthes-0.2.0/modules/download-creceive/CReceiveDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/download-creceive/CReceiveDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -87,7 +87,7 @@ - - CReceiveDialogue::~CReceiveDialogue() - { --// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); -+// HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); - // delete m_Buffer; - delete m_Download; - } -diff -ruN nepenthes-0.2.0/modules/download-curl/Makefile.am nepenthes-0.2.0-r1345/modules/download-curl/Makefile.am ---- nepenthes-0.2.0/modules/download-curl/Makefile.am 2006-11-13 20:40:06.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/download-curl/Makefile.am 2007-08-06 00:46:15.000000000 
+0200 -@@ -12,4 +12,4 @@ - - downloadcurl_la_SOURCES = download-curl.conf.dist download-curl.hpp download-curl.cpp - --downloadcurl_la_LDFLAGS = -module -no-undefined -avoid-version -+downloadcurl_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) -diff -ruN nepenthes-0.2.0/modules/download-curl/download-curl.cpp nepenthes-0.2.0-r1345/modules/download-curl/download-curl.cpp ---- nepenthes-0.2.0/modules/download-curl/download-curl.cpp 2006-11-13 20:40:06.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/download-curl/download-curl.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -230,7 +230,9 @@ - down->getDownloadUrl()->getPort(), - down->getDownloadUrl()->getPath().c_str()); - // string auth = down->getDownloadUrl()->getUser() + ":" + down->getDownloadUrl()->getPass(); -+#if LIBCURL_VERSION_NUM < 0x071000 - curl_easy_setopt(pCurlHandle, CURLOPT_SOURCE_USERPWD,(char *)down->getDownloadUrl()->getAuth().c_str()); -+#endif - curl_easy_setopt(pCurlHandle, CURLOPT_USERPWD,(char *)down->getDownloadUrl()->getAuth().c_str()); - curl_easy_setopt(pCurlHandle, CURLOPT_URL , url); - curl_easy_setopt(pCurlHandle, CURLOPT_FTP_RESPONSE_TIMEOUT, 120); // 2 min ftp timeout -diff -ruN nepenthes-0.2.0/modules/download-http/HTTPDialogue.cpp nepenthes-0.2.0-r1345/modules/download-http/HTTPDialogue.cpp ---- nepenthes-0.2.0/modules/download-http/HTTPDialogue.cpp 2006-11-13 20:40:04.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/download-http/HTTPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -178,7 +178,7 @@ - if ( end == NULL ) - { - logWarn("HTTP ERROR header found %i\n", size); -- g_Nepenthes->getUtilities()->hexdump((byte *)start,size); -+// g_Nepenthes->getUtilities()->hexdump((byte *)start,size); - return CL_DROP; - }else - if ( end != NULL ) -diff -ruN nepenthes-0.2.0/modules/download-link/LinkDialogue.cpp nepenthes-0.2.0-r1345/modules/download-link/LinkDialogue.cpp ---- nepenthes-0.2.0/modules/download-link/LinkDialogue.cpp 2006-11-13 20:40:10.000000000 +0100 
-+++ nepenthes-0.2.0-r1345/modules/download-link/LinkDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -122,7 +122,7 @@ - case LINK_NULL: - { - m_Buffer->add(msg->getMsg(),msg->getSize()); --// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); -+// HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); - msg->getResponder()->doRespond((char *)&m_Challenge,4); - - m_State = LINK_FILE; -diff -ruN nepenthes-0.2.0/modules/log-irc/log-irc.cpp nepenthes-0.2.0-r1345/modules/log-irc/log-irc.cpp ---- nepenthes-0.2.0/modules/log-irc/log-irc.cpp 2006-11-13 20:40:09.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/log-irc/log-irc.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -171,7 +171,7 @@ - } - // m_Nepenthes->getSocketMgr()->bindTCPSocket(0,10002,0,45,this); - -- g_Nepenthes->getLogMgr()->addLogger(this,l_dl|l_sub); -+ g_Nepenthes->getLogMgr()->addLogger(this,l_all); - return true; - } - -diff -ruN nepenthes-0.2.0/modules/log-prelude/Makefile.am nepenthes-0.2.0-r1345/modules/log-prelude/Makefile.am ---- nepenthes-0.2.0/modules/log-prelude/Makefile.am 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/log-prelude/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -4,7 +4,7 @@ - - AUTOMAKE_OPTIONS = foreign - --AM_CPPFLAGS = -I/usr/include/libprelude -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE $(CPPFLAG_PRELUDE) -+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE - AM_CXXFLAGS = -Wall - AM_LDFLAGS = $(LDFLAG_PRELUDE) ${LIB_PRELUDE} - -@@ -12,5 +12,5 @@ - - logprelude_la_SOURCES = log-prelude.cpp log-prelude.hpp log-prelude.conf.dist - --logprelude_la_LDFLAGS = -module -no-undefined -avoid-version -+logprelude_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) - -diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist 
nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.conf.dist ---- nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.conf.dist 2007-08-06 00:46:15.000000000 +0200 -@@ -1,7 +1,9 @@ - log-prelude - { -- analyzerClass "NIDS"; -- analyzerModel "nepenthes"; -- analyzerName "nepenthes"; -- -+ -+ // Name of the Prelude analyzer to use (default is nepenthes). -+ // analyzerName "nepenthes"; -+ -+ // Name of the Prelude profile to use (default is nepenthes). -+ // analyzerProfile "nepenthes"; - }; -diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp ---- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp 2007-08-06 00:48:07.000000000 +0200 -@@ -27,14 +27,6 @@ - - /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */ - --#ifdef HAVE_LIBPRELUDE --#include --#include --#include --#include --#include --#endif -- - #include - #include "log-prelude.hpp" - #include "Nepenthes.hpp" -@@ -63,7 +55,11 @@ - - #define STDTAGS l_mod | l_ev | l_hlr - #define ANALYZER_MANUFACTURER "http://nepenthes.sf.net" --#define NEPENTHES_VERSION "$Rev: 550 $" -+#define DEFAULT_ANALYZER_NAME "nepenthes" -+#define DEFAULT_ANALYZER_PROFILE "nepenthes" -+#define ANALYZER_MODEL "Nepenthes" -+#define ANALYZER_CLASS "Honeypot" -+#define ANALYZER_MANUFACTURER "http://nepenthes.mwcollect.org/" - - - -@@ -132,28 +128,21 @@ - - #ifdef HAVE_LIBPRELUDE - -- if ( m_Config == NULL ) -- { -- logCrit("I need a config\n"); -- return false; -- } -- -- string analyzerClass; -- string analyzerModel; - string analyzerName; -- -- try -- { -- analyzerClass = (m_Config->getValString("log-prelude.analyzerClass")); -- analyzerModel = m_Config->getValString("log-prelude.analyzerModel"); -- analyzerName = 
m_Config->getValString("log-prelude.analyzerName"); -- -- } catch ( ... ) -- { -- logCrit("Error setting needed vars, check your config\n"); -- return false; -- } -- -+ string analyzerProfile; -+ -+ try { -+ analyzerName = m_Config->getValString("log-prelude.analyzerName"); -+ } catch ( ... ) { -+ analyzerName = DEFAULT_ANALYZER_NAME; -+ } -+ -+ try { -+ analyzerProfile = m_Config->getValString("log-prelude.analyzerProfile"); -+ } catch ( ... ) { -+ analyzerProfile = DEFAULT_ANALYZER_PROFILE; -+ } -+ - m_ModuleManager = m_Nepenthes->getModuleMgr(); - m_Events.set(EV_SOCK_TCP_ACCEPT); - m_Events.set(EV_SOCK_TCP_CLOSE); -@@ -163,44 +152,39 @@ - m_Events.set(EV_DOWNLOAD); - m_Events.set(EV_SUBMISSION); - -- -- const char *profile, *config; -- -- config = NULL; -- profile = analyzerName.c_str(); -- -- -- -- - int32_t ret; - // Initialize Prelude Library - ret = prelude_init(NULL, NULL); -- if ( ret < 0 ) -+ if ( ret < 0 ) { - logCrit("%s: Unable to initialize the Prelude library: %s.\n", - prelude_strsource(ret), - prelude_strerror(ret)); -+ return false; -+ } - - // generate a new Prelude client -- ret = prelude_client_new(&m_PreludeClient, profile); -+ ret = prelude_client_new(&m_PreludeClient, analyzerProfile.c_str()); - -- if ( ret < 0 ) -+ if ( ret < 0 ) { - logCrit("%s: Unable to create a prelude client object: %s.\n", - prelude_strsource(ret), - prelude_strerror(ret)); -+ return false; -+ } - -- -+ - // set options in the analyzer-part of the client - prelude_string_t *string; - -- ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); -+ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); - if ( ret < 0 ) - return false; -- prelude_string_set_constant(string, analyzerModel.c_str()); -- -- ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); -+ prelude_string_set_constant(string, ANALYZER_CLASS); -+ -+ ret = 
idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); - if ( ret < 0 ) - return false; -- prelude_string_set_constant(string, analyzerClass.c_str()); -+ prelude_string_set_constant(string, ANALYZER_MODEL); - - ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string); - if ( ret < 0 ) -@@ -209,28 +193,31 @@ - - ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string); - if ( ret < 0 ) -- return false; -- -- prelude_string_set_constant(string, NEPENTHES_VERSION); -+ return false; -+ prelude_string_set_constant(string, VERSION); - --// start the Prelude Client -+ ret = idmef_analyzer_new_name(prelude_client_get_analyzer(m_PreludeClient), &string); -+ if ( ret < 0 ) -+ return false; -+ prelude_string_set_dup(string, analyzerName.c_str()); -+ -+ // start the Prelude Client - ret = prelude_client_start(m_PreludeClient); - if ( ret < 0 ) - { -- if ( prelude_client_is_setup_needed(ret) ) -- prelude_client_print_setup_error(m_PreludeClient); -- - logCrit("%s: Unable to initialize prelude client: %s.\n", - prelude_strsource(ret), prelude_strerror(ret)); -+ return false; - } - --// set async Prelude Flags for the client, makes the application multithreaded -- ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); -- if ( ret < 0 ) -+ // set async Prelude Flags for the client, makes the application multithreaded -+ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); -+ if ( ret < 0 ) { - logCrit("%s: Unable to set asynchronous send and timer: %s.\n", - prelude_strsource(ret), - prelude_strerror(ret)); -- -+ return false; -+ } - - REG_EVENT_HANDLER(this); - return true; -@@ -274,7 +261,7 @@ - idmef_value_t *val; - idmef_path_t *path; - -- ret = 
idmef_path_new(&path, object); -+ ret = idmef_path_new_fast(&path, object); - if ( ret < 0 ) - { - logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); -@@ -376,7 +363,6 @@ - - add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established"); - add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT); --// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); - - - add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); -@@ -449,7 +435,6 @@ - - add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed"); - add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE); --// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); - - - add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); -@@ -515,7 +500,6 @@ - // hl: added ident - add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE); - -- // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); - - - add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); -diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp~ ---- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp~ 2006-11-13 20:40:08.000000000 +0100 -@@ -0,0 +1,857 @@ -+/******************************************************************************** -+ * Nepenthes -+ * - finest collection - -+ * -+ * -+ * -+ * Copyright (C) 2005 Paul Baecher & Markus Koetter -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. 
-+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ * -+ * -+ * contact nepenthesdev@users.sourceforge.net -+ * -+ *******************************************************************************/ -+ -+ /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */ -+ -+#ifdef HAVE_LIBPRELUDE -+#include -+#include -+#include -+#include -+#include -+#endif -+ -+#include -+#include "log-prelude.hpp" -+#include "Nepenthes.hpp" -+#include "LogManager.hpp" -+#include "EventManager.hpp" -+#include "SubmitEvent.hpp" -+ -+#include "Download.hpp" -+#include "DownloadUrl.hpp" -+#include "DownloadBuffer.hpp" -+ -+#include "Socket.hpp" -+#include "SocketEvent.hpp" -+ -+#include "Message.hpp" -+#include "Utilities.hpp" -+#include "Config.hpp" -+#include "ShellcodeHandler.hpp" -+ -+ -+using namespace nepenthes; -+ -+#ifdef STDTAGS -+#undef STDTAGS -+#endif -+ -+#define STDTAGS l_mod | l_ev | l_hlr -+#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net" -+#define NEPENTHES_VERSION "$Rev: 550 $" -+ -+ -+ -+/** -+ * as we may need a global pointer to our Nepenthes in our modules, -+ * and cant access the cores global pointer to nepenthes -+ * we have to use a own global pointer to nepenthes per module -+ * we need this pointer for logInfo() etc -+ */ -+Nepenthes *g_Nepenthes; -+ -+/** -+ * Constructor -+ * creates a new LogPrelude Module, where x% is public Module, public EventHandler -+ * - sets the ModuleName -+ * - sets the ModuleDescription -+ * - sets the EventHandlerName -+ * - sets the EventHandlerDescription -+ * - sets the EventHandlers Timeout -+ 
* - sets the Modules global pointer to the Nepenthes -+ * -+ * @param nepenthes pointer to our nepenthes master class -+ */ -+LogPrelude::LogPrelude(Nepenthes *nepenthes) -+{ -+ m_ModuleName = "log-prelude"; -+ m_ModuleDescription = "event based prelude logger"; -+ m_ModuleRevision = "$Rev: 550 $"; -+ m_Nepenthes = nepenthes; -+ -+ m_EventHandlerName = "LogPreludeEventHandler"; -+ m_EventHandlerDescription = "log events to a prelude database"; -+ -+// m_Timeout = time(NULL) + rand()%23; -+ -+ g_Nepenthes = nepenthes; -+ -+#ifdef HAVE_LIBPRELUDE -+ m_PreludeClient = NULL; -+#endif -+} -+ -+ -+/** -+ * exerything important happens in ::Exit() as we have a return value there -+ */ -+LogPrelude::~LogPrelude() -+{ -+ -+} -+ -+ -+ -+/** -+ * bool Module::Init() -+ * setup Module specific values -+ * here: -+ * - register as EventHandler -+ * - set wanted events -+ * -+ * @return returns true if everything was fine, else false -+ * returning false will showup errors in warning a module -+ */ -+bool LogPrelude::Init() -+{ -+ -+#ifdef HAVE_LIBPRELUDE -+ -+ if ( m_Config == NULL ) -+ { -+ logCrit("I need a config\n"); -+ return false; -+ } -+ -+ string analyzerClass; -+ string analyzerModel; -+ string analyzerName; -+ -+ try -+ { -+ analyzerClass = (m_Config->getValString("log-prelude.analyzerClass")); -+ analyzerModel = m_Config->getValString("log-prelude.analyzerModel"); -+ analyzerName = m_Config->getValString("log-prelude.analyzerName"); -+ -+ } catch ( ... 
) -+ { -+ logCrit("Error setting needed vars, check your config\n"); -+ return false; -+ } -+ -+ m_ModuleManager = m_Nepenthes->getModuleMgr(); -+ m_Events.set(EV_SOCK_TCP_ACCEPT); -+ m_Events.set(EV_SOCK_TCP_CLOSE); -+ m_Events.set(EV_DIALOGUE_ASSIGN_AND_DONE); -+ m_Events.set(EV_SHELLCODE_DONE); -+ -+ m_Events.set(EV_DOWNLOAD); -+ m_Events.set(EV_SUBMISSION); -+ -+ -+ const char *profile, *config; -+ -+ config = NULL; -+ profile = analyzerName.c_str(); -+ -+ -+ -+ -+ int32_t ret; -+// Initialize Prelude Library -+ ret = prelude_init(NULL, NULL); -+ if ( ret < 0 ) -+ logCrit("%s: Unable to initialize the Prelude library: %s.\n", -+ prelude_strsource(ret), -+ prelude_strerror(ret)); -+ -+// generate a new Prelude client -+ ret = prelude_client_new(&m_PreludeClient, profile); -+ -+ if ( ret < 0 ) -+ logCrit("%s: Unable to create a prelude client object: %s.\n", -+ prelude_strsource(ret), -+ prelude_strerror(ret)); -+ -+ -+ // set options in the analyzer-part of the client -+ prelude_string_t *string; -+ -+ ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); -+ if ( ret < 0 ) -+ return false; -+ prelude_string_set_constant(string, analyzerModel.c_str()); -+ -+ ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); -+ if ( ret < 0 ) -+ return false; -+ prelude_string_set_constant(string, analyzerClass.c_str()); -+ -+ ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string); -+ if ( ret < 0 ) -+ return false; -+ prelude_string_set_constant(string, ANALYZER_MANUFACTURER); -+ -+ ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string); -+ if ( ret < 0 ) -+ return false; -+ -+ prelude_string_set_constant(string, NEPENTHES_VERSION); -+ -+// start the Prelude Client -+ ret = prelude_client_start(m_PreludeClient); -+ if ( ret < 0 ) -+ { -+ if ( prelude_client_is_setup_needed(ret) ) -+ prelude_client_print_setup_error(m_PreludeClient); -+ -+ 
logCrit("%s: Unable to initialize prelude client: %s.\n", -+ prelude_strsource(ret), prelude_strerror(ret)); -+ } -+ -+// set async Prelude Flags for the client, makes the application multithreaded -+ ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); -+ if ( ret < 0 ) -+ logCrit("%s: Unable to set asynchronous send and timer: %s.\n", -+ prelude_strsource(ret), -+ prelude_strerror(ret)); -+ -+ -+ REG_EVENT_HANDLER(this); -+ return true; -+#else -+ logCrit("Module log-prelude is compiled without libprelude, this wont work, reconfigure the whole source and recompile"); -+ return false; -+#endif -+ -+} -+ -+ -+/** -+ * unregister as EventHandler, destroy the Prelude Client -+ * -+ * @return returns true if everything was fine -+ */ -+bool LogPrelude::Exit() -+{ -+#ifdef HAVE_LIBPRELUDE -+ if( m_PreludeClient != NULL) -+ { -+ prelude_client_destroy(m_PreludeClient, (prelude_client_exit_status_t)(PRELUDE_CLIENT_EXIT_STATUS_SUCCESS)); -+ prelude_deinit(); -+ } -+ // disabled by harald due to segfaults -+ //UNREG_EVENT_HANDLER(this); -+#endif -+ return true; -+} -+ -+ -+ -+/** -+ * This function adds char * idmef values into an idmef message -+ * -+ */ -+#ifdef HAVE_LIBPRELUDE -+int32_t add_idmef_object(idmef_message_t *message, const char *object, const char *value) -+{ -+ int32_t ret=0; -+ idmef_value_t *val; -+ idmef_path_t *path; -+ -+ ret = idmef_path_new(&path, object); -+ if ( ret < 0 ) -+ { -+ logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); -+ return -1; -+ } -+ -+ ret = idmef_value_new_from_path(&val, path, value); -+ if ( ret < 0 ) -+ { -+ idmef_path_destroy(path); -+ logWarn("imdef error #2 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); -+ return -1; -+ } -+ -+ ret = idmef_path_set(path, message, val); -+ -+ idmef_value_destroy(val); -+ idmef_path_destroy(path); -+ return ret; -+} -+ 
-+ -+/** -+ * -+ * This function adds int32_t idmef values into an idmef message -+ */ -+int32_t add_idmef_object(idmef_message_t *message, const char *object, int32_t i) -+{ -+ char value[20]; -+ memset(value,0,20); -+ snprintf(value,19,"%i",i); -+ return add_idmef_object(message,object,value); -+} -+ -+#endif -+ -+ -+/** -+ * the handleEvent method is called whenever an event occurs -+ * the EventHandler wanted to have. -+ * -+ * @param event the Event -+ * -+ * @return return 0 -+ */ -+uint32_t LogPrelude::handleEvent(Event *event) -+{ -+// logPF(); -+// logInfo("Event %i\n",event->getType()); -+ switch(event->getType()) -+ { -+ -+ case EV_SOCK_TCP_ACCEPT: -+ handleTCPaccept(event); -+ break; -+ -+ case EV_SOCK_TCP_CLOSE: -+ handleTCPclose(event); -+ break; -+ -+ case EV_SUBMISSION: -+ handleSubmission(event); -+ break; -+ -+ case EV_DIALOGUE_ASSIGN_AND_DONE: -+ handleDialogueAssignAndDone(event); -+ break; -+ -+ case EV_SHELLCODE_DONE: -+ handleShellcodeDone(event); -+ break; -+ -+ -+ case EV_DOWNLOAD: -+ handleDownload(event); -+ break; -+ -+ default: -+ logWarn("this should not happen\n"); -+ } -+ return 0; -+} -+ -+ -+void LogPrelude::handleTCPaccept(Event *event) -+{ -+ -+ -+ logInfo("LogPrelude EVENT EV_SOCK_TCP_ACCEPT\n"); -+ -+#ifdef HAVE_LIBPRELUDE -+ Socket *socket = ((SocketEvent *)event)->getSocket(); -+ -+ idmef_message_t *idmef; -+ -+ int32_t ret = idmef_message_new(&idmef); -+ if ( ret < 0 ) -+ return; -+ -+ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established"); -+ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT); -+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); -+ -+ -+ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); -+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); -+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); -+ -+ uint32_t addr = socket->getRemoteHost(); -+ string address = 
inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); -+ -+ -+ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes"); -+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); -+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); -+ -+ addr = socket->getLocalHost(); -+ address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); -+ -+ -+ -+ -+ idmef_time_t *time; -+ -+ ret = idmef_time_new_from_gettimeofday(&time); -+ idmef_alert_set_create_time(idmef_message_get_alert(idmef), -+ time); -+ -+ -+ // analyzer id -+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), -+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), -+ IDMEF_LIST_PREPEND); -+ -+ -+ prelude_client_send_idmef(m_PreludeClient, idmef); -+ -+ //prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); -+ //const char *msgid = prelude_string_get_string(field); -+ -+ //logInfo("PreludeMessageID = %s \n",msgid); -+ -+ idmef_message_destroy(idmef); -+#endif -+} -+ -+ -+ -+ -+void LogPrelude::handleTCPclose(Event *event) -+{ -+ -+ Socket *socket = ((SocketEvent *)event)->getSocket(); -+ -+ if (! 
socket->isAccept()) -+ { -+ return; -+ } -+ -+ logInfo("LogPrelude EVENT EV_SOCK_TCP_CLOSE\n"); -+ -+#ifdef HAVE_LIBPRELUDE -+ -+ idmef_message_t *idmef; -+ -+ int32_t ret = idmef_message_new(&idmef); -+ if ( ret < 0 ) -+ return; -+ -+ -+ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed"); -+ add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE); -+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); -+ -+ -+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); -+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); -+ -+ uint32_t addr = socket->getRemoteHost(); -+ string address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); -+ -+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); -+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); -+ -+ addr = socket->getLocalHost(); -+ address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",address.c_str()); -+ -+ idmef_time_t *time; -+ -+ ret = idmef_time_new_from_gettimeofday(&time); -+ idmef_alert_set_create_time(idmef_message_get_alert(idmef), -+ time); -+ -+ -+ // analyzer id -+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), -+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), -+ IDMEF_LIST_PREPEND); -+ -+ -+ prelude_client_send_idmef(m_PreludeClient, idmef); -+ -+// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); -+// const char *msgid = prelude_string_get_string(field); -+ -+// logInfo("CloseMessageID = %s \n",msgid); -+ -+ idmef_message_destroy(idmef); -+ -+#endif -+} -+ -+ -+/** -+ * Send idmef message when finished with the Shellcode -+ * -+ */ -+void LogPrelude::handleShellcodeDone(Event *event) -+{ -+ logInfo("LogPrelude EVENT EV_SHELLCODE_DONE\n"); -+ 
-+#ifdef HAVE_LIBPRELUDE -+ -+ ShellcodeHandler *handler = ((ShellcodeEvent *)event)->getShellcodeHandler(); -+ Socket *socket = ((ShellcodeEvent *)event)->getSocket(); -+ -+ idmef_message_t *idmef; -+ -+ int32_t ret = idmef_message_new(&idmef); -+ if ( ret < 0 ) -+ return; -+ string shellcodeText = "Shellcode detected: " + handler->getShellcodeHandlerName(); -+ add_idmef_object(idmef, "alert.classification.text", shellcodeText.c_str()); -+ // hl: added ident -+ add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE); -+ -+ // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); -+ -+ -+ add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); -+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); -+ add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); -+ -+ uint32_t addr = socket->getRemoteHost(); -+ string address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); -+ -+ -+ add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes"); -+ add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); -+ add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); -+ -+ addr = socket->getLocalHost(); -+ address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); -+ -+ -+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Shellcode has been detected."); -+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium"); -+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); -+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); -+ -+ -+ // hl: added for additional information -+ add_idmef_object(idmef, "alert.additional_data(0).type", "string"); -+ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Shellcode"); -+ add_idmef_object(idmef, 
"alert.additional_data(0).data", handler->getShellcodeHandlerName().c_str()); -+ -+ -+ idmef_time_t *time; -+ -+ ret = idmef_time_new_from_gettimeofday(&time); -+ idmef_alert_set_create_time(idmef_message_get_alert(idmef), -+ time); -+ -+ -+ // analyzer id -+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), -+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), -+ IDMEF_LIST_PREPEND); -+ -+ -+ prelude_client_send_idmef(m_PreludeClient, idmef); -+ -+// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); -+// const char *msgid = prelude_string_get_string(field); -+// logInfo("RecvMessageID = %s \n",msgid); -+ -+ idmef_message_destroy(idmef); -+#endif -+} -+ -+ -+/** -+ * -+ * handle submitted files -+ */ -+void LogPrelude::handleSubmission(Event *event) -+{ -+ SubmitEvent *se = (SubmitEvent *)event; -+ Download *down = se->getDownload(); -+ -+ logInfo("LogPrelude EVENT EV_SUBMISSION %s %s %i \n",down->getUrl().c_str(), -+ down->getMD5Sum().c_str(), -+ down->getDownloadBuffer()->getSize()); -+ -+#ifdef HAVE_LIBPRELUDE -+ idmef_message_t *idmef; -+ -+ int32_t ret = idmef_message_new(&idmef); -+ if ( ret < 0 ) -+ return; -+ -+ // generic information -+ // hl: changed submited to submitted, added ident -+ add_idmef_object(idmef, "alert.classification.text" ,"Malware submitted"); -+ add_idmef_object(idmef, "alert.classification.ident", EV_SUBMISSION); -+ -+ string url = "http://nepenthes.sf.net/wiki/submission/" + down->getMD5Sum(); -+ add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); -+ add_idmef_object(idmef, "alert.classification.reference(0).url" ,url.c_str() ); -+ -+ -+ // file name and info -+ // hl: changed file tags because of DTD violation -+ add_idmef_object(idmef, "alert.target(0).file(0).name" ,down->getDownloadUrl()->getFile().c_str()); -+ add_idmef_object(idmef, "alert.target(0).file(0).path" ,down->getUrl().c_str()); -+ add_idmef_object(idmef, 
"alert.target(0).file(0).category" ,"current"); -+ add_idmef_object(idmef, "alert.target(0).file(0).ident" ,down->getMD5Sum().c_str()); -+ add_idmef_object(idmef, "alert.target(0).file(0).data_size" ,down->getDownloadBuffer()->getSize()); -+ -+ //hl: some debug stuff, prelude-manager doesnt write the checksums into xml -+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5"); -+ //logInfo("LogPrelude DEBUG MD5 %i\n", ret); -+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).value" ,down->getMD5Sum().c_str()); -+ //logInfo("LogPrelude DEBUG Hash %i\n", ret); -+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).algorithm" ,"SHA2-512"); -+ //logInfo("LogPrelude DEBUG SHA %i\n", ret); -+ ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).value" ,down->getSHA512Sum().c_str()); -+ //logInfo("LogPrelude DEBUG Hash %i\n", ret); -+ -+ uint32_t addr = down->getLocalHost(); -+ string address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); -+ -+ -+ -+ // infection host -+ addr = down->getRemoteHost(); -+ address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); -+ -+ -+ // download source -+ add_idmef_object(idmef, "alert.source(0).Service.port", down->getDownloadUrl()->getPort()); -+ -+ /* hl: previous dirty workaround -> commented -+ string protocol; -+ if (down->getDownloadUrl()->getProtocol() == "tftp" ) -+ protocol = "UDP"; -+ else -+ protocol = "TCP"; -+ -+ add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); -+ */ -+ -+ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); -+ // hl: not needed -+ //add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); -+ -+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Malware stored for further 
analysis"); -+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"high"); -+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); -+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); -+ -+ // time -+ idmef_time_t *time; -+ ret = idmef_time_new_from_gettimeofday(&time); -+ idmef_alert_set_create_time(idmef_message_get_alert(idmef), -+ time); -+ -+ -+ // analyzer id -+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), -+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), -+ IDMEF_LIST_PREPEND); -+ -+ -+ prelude_client_send_idmef(m_PreludeClient, idmef); -+ idmef_message_destroy(idmef); -+ -+#endif -+} -+ -+ -+ -+/** -+ * -+ * -+ * -+ */ -+void LogPrelude::handleDialogueAssignAndDone(Event *event) -+{ -+ logInfo("LogPrelude EVENT EV_ASSIGN_AND_DONE\n"); -+ -+#ifdef HAVE_LIBPRELUDE -+ -+ Dialogue *dia = ((DialogueEvent *)event)->getDialogue(); -+ Socket *socket = ((DialogueEvent *)event)->getSocket(); -+ idmef_message_t *idmef; -+ -+ int32_t ret = idmef_message_new(&idmef); -+ if ( ret < 0 ) -+ return; -+ -+ string attack = "Exploit attempt: " + dia->getDialogueName(); -+ -+ // generic information -+ add_idmef_object(idmef, "alert.classification.text", attack.c_str()); -+ // hl: added ident field -+ add_idmef_object(idmef, "alert.classification.ident", EV_DIALOGUE_ASSIGN_AND_DONE); -+ -+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); -+ -+ -+ // attacker -+ uint32_t addr = socket->getRemoteHost(); -+ string address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", address.c_str()); -+ -+ // target -+ addr = socket->getLocalHost(); -+ address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", address.c_str()); -+ -+// string protocol; -+// if (down->getDownloadUrl()->getProtocol() == "tftp" ) -+// protocol = "UDP"; -+// else -+// protocol = "TCP"; -+// 
-+// add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); -+// add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); -+// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); -+ -+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"An exploit attempt is getting handled."); -+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"low"); -+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); -+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); -+ -+ -+ // hl: added -+ add_idmef_object(idmef, "alert.additional_data(0).type", "string"); -+ add_idmef_object(idmef, "alert.additional_data(0).meaning", "Dialogue"); -+ add_idmef_object(idmef, "alert.additional_data(0).data", dia->getDialogueName().c_str()); -+ -+ // time -+ idmef_time_t *time; -+ ret = idmef_time_new_from_gettimeofday(&time); -+ idmef_alert_set_create_time(idmef_message_get_alert(idmef), -+ time); -+ -+ -+ // analyzer id -+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), -+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), -+ IDMEF_LIST_PREPEND); -+ -+ -+ prelude_client_send_idmef(m_PreludeClient, idmef); -+ -+ -+ idmef_message_destroy(idmef); -+ -+#endif -+} -+ -+ -+ -+ -+ -+ -+/** -+ * -+ * -+ */ -+void LogPrelude::handleDownload(Event *event) -+{ -+ SubmitEvent *se = (SubmitEvent *)event; -+ Download *down = se->getDownload(); -+ string url = se->getDownload()->getUrl(); -+ -+ se->getType(); -+ logInfo("LogPrelude EVENT EV_DOWNLOAD %s %s %i \n",down->getUrl().c_str(), -+ down->getMD5Sum().c_str(), -+ down->getDownloadBuffer()->getSize()); -+ -+#ifdef HAVE_LIBPRELUDE -+ -+ idmef_message_t *idmef; -+ -+ int32_t ret = idmef_message_new(&idmef); -+ if ( ret < 0 ) -+ return; -+ -+ // generic information -+ // hl: changed message -+ string message = "possible Malware offered: " + down->getUrl(); -+ -+ add_idmef_object(idmef, 
"alert.classification.text", message.c_str()); -+ // hl: changed to ident number -+ add_idmef_object(idmef, "alert.classification.ident", EV_DOWNLOAD); -+ -+// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); -+ -+ -+ // infection host -+ uint32_t addr = down->getRemoteHost(); -+ string address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); -+ //target host -+ addr = down->getLocalHost(); -+ address = inet_ntoa(*(in_addr *)&addr); -+ add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); -+ -+ -+ // download source -+ // hl: removed protocol, added url -+ /* -+ string protocol; -+ if (down->getDownloadUrl()->getProtocol() == "tftp" ) -+ protocol = "UDP"; -+ else -+ protocol = "TCP"; -+ */ -+ add_idmef_object(idmef, "alert.source(0).Service.port" ,down->getDownloadUrl()->getPort()); -+ //add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); -+ add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); -+// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); -+ add_idmef_object(idmef, "alert.assessment.impact.description" ,"Parsing the Shellcode has unrevealed a URL."); -+ add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium"); -+// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); -+ add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); -+ -+ // time -+ idmef_time_t *time; -+ ret = idmef_time_new_from_gettimeofday(&time); -+ idmef_alert_set_create_time(idmef_message_get_alert(idmef), -+ time); -+ -+ -+ // analyzer id -+ idmef_alert_set_analyzer(idmef_message_get_alert(idmef), -+ idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), -+ IDMEF_LIST_PREPEND); -+ -+ -+ prelude_client_send_idmef(m_PreludeClient, idmef); -+ -+ -+ idmef_message_destroy(idmef); -+#endif -+ -+} -+ -+ 
-+ -+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) -+{ -+ if (version == MODULE_IFACE_VERSION) { -+ *module = new LogPrelude(nepenthes); -+ return 1; -+ } else { -+ return 0; -+ } -+} -diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.hpp ---- nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.hpp 2007-08-06 00:46:15.000000000 +0200 -@@ -30,7 +30,7 @@ - #include "config.h" - - #ifdef HAVE_LIBPRELUDE --#include -+#include - #endif - - #include -diff -ruN nepenthes-0.2.0/modules/log-surfnet/Makefile.am nepenthes-0.2.0-r1345/modules/log-surfnet/Makefile.am ---- nepenthes-0.2.0/modules/log-surfnet/Makefile.am 2006-11-13 20:40:10.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/log-surfnet/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -6,7 +6,6 @@ - - AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -I/usr/include/postgresql -pipe -D _GNU_SOURCE - AM_CXXFLAGS = -Wall -Werror --AM_LDFLAGS = ${LIB_POSTGRES} - - pkglib_LTLIBRARIES = logsurfnet.la - -diff -ruN nepenthes-0.2.0/modules/log-surfnet/log-surfnet.conf.dist nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.conf.dist ---- nepenthes-0.2.0/modules/log-surfnet/log-surfnet.conf.dist 2006-11-13 20:40:10.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.conf.dist 2007-08-06 00:46:15.000000000 +0200 -@@ -49,175 +49,3 @@ - - }; - -- --/* -- --don't forget to create these fn's in your surfnet ids database. 
-- -- --CREATE PROCEDURAL LANGUAGE plpgsql; -- --CREATE FUNCTION surfnet_attack_add(integer, inet, integer, inet, integer, macaddr, inet) RETURNS integer -- AS $_$DECLARE -- p_severity ALIAS FOR $1; -- p_attackerip ALIAS FOR $2; -- p_attackerport ALIAS FOR $3; -- p_decoyip ALIAS FOR $4; -- p_decoyport ALIAS FOR $5; -- p_hwa ALIAS FOR $6; -- p_localhost ALIAS FOR $7; -- m_attackid INTEGER; -- m_sensorid INTEGER; --BEGIN -- -- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); -- SELECT INTO m_attackid surfnet_attack_add_by_id(p_severity, -- p_attackerip, p_attackerport, p_decoyip, -- p_decoyport, p_hwa, m_sensorid); -- -- return m_attackid; --END$_$ -- LANGUAGE plpgsql; -- -- --CREATE FUNCTION surfnet_attack_add_by_id(integer, inet, integer, inet, integer, macaddr, integer) RETURNS integer -- AS $_$DECLARE -- p_severity ALIAS FOR $1; -- p_attackerip ALIAS FOR $2; -- p_attackerport ALIAS FOR $3; -- p_decoyip ALIAS FOR $4; -- p_decoyport ALIAS FOR $5; -- p_hwa ALIAS FOR $6; -- p_sensorid ALIAS FOR $7; -- m_attackid INTEGER; --BEGIN -- INSERT INTO attacks -- (severity, -- timestamp, -- dest, -- dport, -- source, -- sport, -- sensorid, -- src_mac) -- VALUES -- (p_severity, -- extract(epoch from current_timestamp(0))::integer, -- p_attackerip, -- p_attackerport, -- p_decoyip, -- p_decoyport, -- p_sensorid, -- p_hwa); -- -- SELECT INTO m_attackid currval('attacks_id_seq'); -- return m_attackid; --END$_$ -- LANGUAGE plpgsql; -- -- -- --CREATE FUNCTION surfnet_attack_update_severity(integer, integer) RETURNS void -- AS $_$DECLARE -- p_attackid ALIAS FOR $1; -- p_severity ALIAS FOR $2; --BEGIN -- UPDATE attacks SET severity = p_severity WHERE id = p_attackid; -- return; --END;$_$ -- LANGUAGE plpgsql; -- -- --CREATE FUNCTION surfnet_detail_add(integer, inet, integer, character varying) RETURNS void -- AS $_$DECLARE -- p_attackid ALIAS FOR $1; -- p_localhost ALIAS FOR $2; -- p_type ALIAS FOR $3; -- p_data ALIAS FOR $4; -- -- m_sensorid INTEGER; --BEGIN -- SELECT INTO 
m_sensorid surfnet_sensorid_get(p_localhost); -- -- INSERT INTO details -- (attackid,sensorid,type,text) -- VALUES -- (p_attackid,m_sensorid,p_type,p_data); --END$_$ -- LANGUAGE plpgsql; -- -- --CREATE FUNCTION surfnet_detail_add_by_id(integer, integer, integer, character varying) RETURNS void -- AS $_$DECLARE -- p_attackid ALIAS FOR $1; -- m_sensorid ALIAS FOR $2; -- p_type ALIAS FOR $3; -- p_data ALIAS FOR $4; --BEGIN -- INSERT INTO details -- (attackid,sensorid,type,text) -- VALUES -- (p_attackid,m_sensorid,p_type,p_data); --END$_$ -- LANGUAGE plpgsql; -- -- --CREATE FUNCTION surfnet_detail_add_download(inet, inet, character varying, character varying) RETURNS void -- AS $_$DECLARE -- p_remotehost ALIAS FOR $1; -- p_localhost ALIAS FOR $2; -- p_url ALIAS FOR $3; -- p_hash ALIAS FOR $4; -- -- m_sensorid INTEGER; -- m_attackid INTEGER; --BEGIN -- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); -- SELECT INTO m_attackid surfnet_attack_add_by_id(32,p_remotehost, 0, -- p_localhost, 0, -- NULL,m_sensorid); -- -- PERFORM surfnet_detail_add_by_id(m_attackid, -- m_sensorid,4,p_url); -- PERFORM surfnet_detail_add_by_id(m_attackid, -- m_sensorid,8,p_hash); -- -- return; --END; $_$ -- LANGUAGE plpgsql; -- -- --CREATE FUNCTION surfnet_detail_add_offer(inet, inet, character varying) RETURNS void -- AS $_$DECLARE -- p_remotehost ALIAS FOR $1; -- p_localhost ALIAS FOR $2; -- p_url ALIAS FOR $3; -- -- m_sensorid INTEGER; -- m_attackid INTEGER; --BEGIN -- SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); -- SELECT INTO m_attackid surfnet_attack_add_by_id(16,p_remotehost, 0, -- p_localhost, 0, -- NULL,m_sensorid); -- -- PERFORM surfnet_detail_add_by_id(m_attackid, -- m_sensorid,4,p_url); -- return; --END; $_$ -- LANGUAGE plpgsql; -- -- --CREATE FUNCTION surfnet_sensorid_get(inet) RETURNS integer -- AS $_$DECLARE -- p_localhost ALIAS FOR $1; -- m_sensorid INTEGER; --BEGIN -- SELECT INTO m_sensorid id FROM sensors WHERE tapip = p_localhost; -- return m_sensorid; 
--END --$_$ -- LANGUAGE plpgsql; -- -- --*/ -diff -ruN nepenthes-0.2.0/modules/log-surfnet/log-surfnet.cpp nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.cpp ---- nepenthes-0.2.0/modules/log-surfnet/log-surfnet.cpp 2006-11-13 20:40:10.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -76,7 +76,7 @@ - m_attackID = 0; - m_closed = false; - -- m_severity = 0; -+ m_severity = -1; - } - - -@@ -471,7 +471,13 @@ - (uint32_t) ((intptr_t)socket), - attackid); - -- m_SocketTracker[(uintptr_t) socket].m_closed = true; -+ if (m_SocketTracker[(uintptr_t) socket].m_Details.size() > 0) -+ { -+ m_SocketTracker[(uintptr_t) socket].m_closed = true; -+ }else -+ { -+ m_SocketTracker.erase((uintptr_t)socket); -+ } - } - - void LogSurfNET::handleDialogueAssignAndDone(Socket *socket, Dialogue *dia, uint32_t attackid) -@@ -649,6 +655,19 @@ - m_SocketTracker[(uintptr_t)s].m_Details.pop_front(); - } - -+ if (m_SocketTracker[(uintptr_t)s].m_severity != -1) -+ { -+ string query; -+ -+ query = "SELECT surfnet_attack_update_severity('"; -+ query += itos(m_SocketTracker[(uintptr_t)s].m_attackID); -+ query += "','"; -+ query += itos(m_SocketTracker[(uintptr_t)s].m_severity); -+ query += "');"; -+ -+ m_SQLHandler->addQuery(&query,NULL,NULL); -+ } -+ - if (m_SocketTracker[(uintptr_t)s].m_closed == true) - { - m_SocketTracker.erase((uintptr_t)s); -@@ -660,6 +679,11 @@ - bool LogSurfNET::sqlFailure(SQLResult *result) - { - logPF(); -+ -+ Socket *s; -+ s = (Socket *)result->getObject(); -+ logCrit("Getting attackid for socket %x failed, dropping the whole attack, forgetting all details\n",(uintptr_t)s); -+ m_SocketTracker.erase((uintptr_t)s); - return true; - } - -diff -ruN nepenthes-0.2.0/modules/module-honeytrap/Makefile.am nepenthes-0.2.0-r1345/modules/module-honeytrap/Makefile.am ---- nepenthes-0.2.0/modules/module-honeytrap/Makefile.am 2006-11-13 20:40:09.000000000 +0100 -+++ 
nepenthes-0.2.0-r1345/modules/module-honeytrap/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -15,4 +15,4 @@ - modulehoneytrap_la_SOURCES += TrapSocket.cpp TrapSocket.hpp - modulehoneytrap_la_SOURCES += module-honeytrap.conf.dist - --modulehoneytrap_la_LDFLAGS = -module -no-undefined -avoid-version -+modulehoneytrap_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) -diff -ruN nepenthes-0.2.0/modules/module-honeytrap/TrapSocket.cpp nepenthes-0.2.0-r1345/modules/module-honeytrap/TrapSocket.cpp ---- nepenthes-0.2.0/modules/module-honeytrap/TrapSocket.cpp 2006-11-13 20:40:09.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/module-honeytrap/TrapSocket.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -782,11 +782,18 @@ - { - printIPpacket(data,size); - -+ uint16_t port; -+ -+ if ( tcp->th_flags & TH_SYN && !(tcp->th_flags & TH_ACK) ) -+ port = ntohs(tcp->th_dport); // inline mode -+ else -+ port = ntohs(tcp->th_sport); // pcap mode -+ - if (1)// isPortListening(ntohs(tcp->th_dport),*(uint32_t *)&(ip->ip_dst)) == false ) - { -- logInfo("Connection to unbound port %i requested, binding port\n",ntohs(tcp->th_dport)); -+ logInfo("Connection to unbound port %i requested, binding port\n",port); - -- Socket *sock = g_Nepenthes->getSocketMgr()->bindTCPSocket(INADDR_ANY,ntohs(tcp->th_dport),60,60); -+ Socket *sock = g_Nepenthes->getSocketMgr()->bindTCPSocket(INADDR_ANY,port,60,60); - if ( sock != NULL && (sock->getDialogst()->size() == 0 && sock->getFactories()->size() == 0) ) - { - -diff -ruN nepenthes-0.2.0/modules/module-peiros/module-peiros.cpp nepenthes-0.2.0-r1345/modules/module-peiros/module-peiros.cpp ---- nepenthes-0.2.0/modules/module-peiros/module-peiros.cpp 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/module-peiros/module-peiros.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -29,6 +29,7 @@ - - #include - #include -+#include - #include - #include - #include -diff -ruN nepenthes-0.2.0/modules/module-portwatch/WatchDialogue.cpp 
nepenthes-0.2.0-r1345/modules/module-portwatch/WatchDialogue.cpp ---- nepenthes-0.2.0/modules/module-portwatch/WatchDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/module-portwatch/WatchDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -47,6 +47,9 @@ - - #include "Utilities.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" -+ - #ifdef STDTAGS - #undef STDTAGS - #endif -@@ -77,7 +80,7 @@ - WatchDialogue::~WatchDialogue() - { - logWarn("Unknown WatchDialogue %i bytes, port %i\n",m_Buffer->getSize(), m_Socket->getLocalPort()); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); - delete m_Buffer; - } - -diff -ruN nepenthes-0.2.0/modules/shellcode-generic/Makefile.am nepenthes-0.2.0-r1345/modules/shellcode-generic/Makefile.am ---- nepenthes-0.2.0/modules/shellcode-generic/Makefile.am 2006-11-13 20:40:07.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -32,4 +32,4 @@ - shellcodegeneric_la_SOURCES += sch_generic_leimbach_url_xor.cpp sch_generic_leimbach_url_xor.hpp - shellcodegeneric_la_SOURCES += sch_generic_wget.cpp sch_generic_wget.hpp - --shellcodegeneric_la_LDFLAGS = -module -no-undefined -avoid-version -+shellcodegeneric_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) -diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_cmd.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_cmd.cpp ---- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_cmd.cpp 2006-11-13 20:40:07.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_cmd.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -95,7 +95,7 @@ - if((iResult = pcre_exec(m_pcre, 0, (char *) shellcode, len, 0, 0, (int *)piOutput, sizeof(piOutput)/sizeof(int32_t))) > 0) - { - // logDebug("GenricCMD (improve pcre debug) 
(%i bytes)\n",(*msg)->getSize()); --// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)(*msg)->getMsg(),(*msg)->getSize()); -+// HEXDUMP(m_Socket,(byte *)(*msg)->getMsg(),(*msg)->getSize()); - - const char * pRemoteCommand; - -diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp ---- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp 2006-11-13 20:40:07.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -203,7 +203,7 @@ - pcre_free_substring(preload); - pcre_free_substring(xordecoder); - -- g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len); -+// g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len); - - Message *newMessage = new Message((char *)newshellcode, len, (*msg)->getLocalPort(), (*msg)->getRemotePort(), - (*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket()); -diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_url.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_url.cpp ---- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_url.cpp 2006-11-13 20:40:07.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_url.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -119,7 +119,7 @@ - - if((iResult = pcre_exec(m_pcre, 0, (char *) shellcode, len, 0, 0, (int *)piOutput, sizeof(piOutput)/sizeof(int32_t))) > 0) - { --// g_Nepenthes->getUtilities()->hexdump(STDTAGS,shellcode,len); -+// HEXDUMP(m_Socket,shellcode,len); - const char * pUrl; - - pcre_get_substring((char *) shellcode, (int *)piOutput, (int)iResult, 1, &pUrl); -diff -ruN nepenthes-0.2.0/modules/shellcode-signatures/Makefile.am nepenthes-0.2.0-r1345/modules/shellcode-signatures/Makefile.am ---- nepenthes-0.2.0/modules/shellcode-signatures/Makefile.am 
2006-11-13 20:40:04.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/shellcode-signatures/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -33,5 +33,5 @@ - shellcodesignatures_la_SOURCES += sch_namespace_konstanzxor.cpp sch_namespace_konstanzxor.hpp - shellcodesignatures_la_SOURCES += sch_namespace_alphanumericxor.cpp sch_namespace_alphanumericxor.hpp - --shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version -+shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) - -diff -ruN nepenthes-0.2.0/modules/shellcode-signatures/shellcode-signatures.sc nepenthes-0.2.0-r1345/modules/shellcode-signatures/shellcode-signatures.sc ---- nepenthes-0.2.0/modules/shellcode-signatures/shellcode-signatures.sc 2006-11-13 20:40:04.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/shellcode-signatures/shellcode-signatures.sc 2007-08-06 00:46:15.000000000 +0200 -@@ -178,6 +178,13 @@ - mapping (none,pre,decoder,size,key,post); - }; - -+xor::marburganderlahn -+{ -+ pattern -+ "(.*)(\\xEB\\x0E\\x5A\\x4A\\x31\\xC9\\xB1(.)\\x80\\x34\\x11(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xED\xFF\xFF\xFF)(.*)$"; -+ mapping (none,pre,decoder,size,key,post); -+}; -+ - /* - * too inaccurate - * -@@ -944,8 +951,8 @@ - pattern - "\\xeb\\x02\\xeb\\x6b" - "\\xe8\\xf9\\xff\\xff\\xff\\x53\\x55\\x56\\x57\\x8b\\x6c\\x24\\x18\\x8b\\x45\\x3c" -- "\\x8b\\x54\\x05\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32" -- "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac\\x3a\\xc4\\x74\\x07" -+ "\\x8b\\x54.\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32" -+ "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac..\\x74\\x07" - "\\xc1\\xcf\\x0d\\x03\\xf8\\xeb\\xf2\\x3b\\x7c\\x24\\x14\\x75\\xe1\\x8b\\x5a\\x24" - "\\x03\\xdd\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x03\\xdd\\x8b\\x04\\x8b\\x03\\xc5" - "\\xeb\\x02\\x33\\xc0\\x5f\\x5e\\x5d\\x5b\\x89\\x44\\x24\\x04\\x8b\\x04\\x24\\x89" -diff -ruN 
nepenthes-0.2.0/modules/shellemu-winnt/VFSCommandFTP.cpp nepenthes-0.2.0-r1345/modules/shellemu-winnt/VFSCommandFTP.cpp ---- nepenthes-0.2.0/modules/shellemu-winnt/VFSCommandFTP.cpp 2006-11-13 20:40:06.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/shellemu-winnt/VFSCommandFTP.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -425,7 +425,6 @@ - logSpam("VFSCommandFTP Setting Hosts %i %i\n",remotehost,localhost); - remotehost = m_VFS->getDialogue()->getSocket()->getRemoteHost(); - localhost = m_VFS->getDialogue()->getSocket()->getLocalHost(); -- - } - - logSpam("VFSCommandFTP LocalHost %s\n",inet_ntoa(*(in_addr *)&localhost)); -diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/Makefile.am nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/Makefile.am ---- nepenthes-0.2.0/modules/sqlhandler-postgres/Makefile.am 2006-11-13 20:40:05.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -12,4 +12,4 @@ - - sqlhandlerpostgres_la_SOURCES = sqlhandler-postgres.cpp sqlhandler-postgres.hpp - --sqlhandlerpostgres_la_LDFLAGS = -module -no-undefined -avoid-version -+sqlhandlerpostgres_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) -diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.cpp nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.cpp ---- nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.cpp 2006-11-13 20:40:05.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -145,6 +145,7 @@ - m_PGTable = table; - m_PGUser = user; - m_PGPass = passwd; -+ m_PGOptions = options; - - m_Callback = cb; - } -@@ -760,6 +761,10 @@ - "' user = '" + m_PGUser + - "' password = '" + m_PGPass +"'"; - -+ if ( m_PGOptions.size() > 0 ) -+ ConnectString += m_PGOptions; -+ -+ - if (m_PGConnection != NULL) - PQfinish(m_PGConnection); - else -diff -ruN 
nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.hpp nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.hpp ---- nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.hpp 2006-11-13 20:40:05.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.hpp 2007-08-06 00:46:15.000000000 +0200 -@@ -141,6 +141,7 @@ - string m_PGTable; - string m_PGUser; - string m_PGPass; -+ string m_PGOptions; - - }; - -diff -ruN nepenthes-0.2.0/modules/submit-gotek/gotekCTRLDialogue.cpp nepenthes-0.2.0-r1345/modules/submit-gotek/gotekCTRLDialogue.cpp ---- nepenthes-0.2.0/modules/submit-gotek/gotekCTRLDialogue.cpp 2006-11-13 20:40:11.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-gotek/gotekCTRLDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -112,7 +112,7 @@ - - unsigned char sessionkey[8]; - memcpy((char *)sessionkey,(char *)m_Buffer->getData(),8); -- g_Nepenthes->getUtilities()->hexdump(sessionkey,8); -+// g_Nepenthes->getUtilities()->hexdump(sessionkey,8); - - - -@@ -128,13 +128,13 @@ - byte hashme[1032]; - memset(hashme,0,1032); - -- g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024); -+// g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024); - memcpy(hashme,g_GotekSubmitHandler->getCommunityKey(),1024); - memcpy(hashme+1024,sessionkey,8); -- g_Nepenthes->getUtilities()->hexdump(hashme, 1032); -+// g_Nepenthes->getUtilities()->hexdump(hashme, 1032); - - g_Nepenthes->getUtilities()->sha512(hashme, 1032, hash); -- g_Nepenthes->getUtilities()->hexdump(hash,64); -+// g_Nepenthes->getUtilities()->hexdump(hash,64); - - m_Socket->doRespond((char *)hash,64); - -diff -ruN nepenthes-0.2.0/modules/submit-gotek/gotekDATADialogue.cpp nepenthes-0.2.0-r1345/modules/submit-gotek/gotekDATADialogue.cpp ---- nepenthes-0.2.0/modules/submit-gotek/gotekDATADialogue.cpp 2006-11-13 20:40:11.000000000 +0100 -+++ 
nepenthes-0.2.0-r1345/modules/submit-gotek/gotekDATADialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -173,7 +173,7 @@ - byte hashme[1032]; - memset(hashme,0,1032); - -- g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024); -+// g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024); - memcpy(hashme,g_GotekSubmitHandler->getCommunityKey(),1024); - memcpy(hashme+1024,&sessionkey,8); - g_Nepenthes->getUtilities()->sha512(hashme, 1032, hash); -diff -ruN nepenthes-0.2.0/modules/submit-http/HTTPSession.cpp nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.cpp ---- nepenthes-0.2.0/modules/submit-http/HTTPSession.cpp 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,187 @@ -+/******************************************************************************** -+ * Nepenthes -+ * - finest collection - -+ * -+ * -+ * -+ * Copyright (C) 2006 Niklas Schiffler -+ * Copyright (C) 2005 Paul Baecher & Markus Koetter -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
-+ * -+ * -+ * contact nepenthesdev@users.sourceforge.net -+ * -+ *******************************************************************************/ -+ -+ -+#include -+#include /* new for v7 */ -+#include /* new for v7 */ -+#include -+#include -+ -+#include "HTTPSession.hpp" -+#include "submit-http.hpp" -+#include "DownloadBuffer.hpp" -+#include "DownloadUrl.hpp" -+ -+using namespace nepenthes; -+ -+HTTPSession::HTTPSession(string &url, string &email, string &user, string &password, Download* down) -+{ -+ state = S_ERROR; -+ postInfo = NULL; -+ postFile = NULL; -+ curlInfoHandle = NULL; -+ curlFileHandle = NULL; -+ -+ submitURL = url; -+ -+ if ( user.length() > 0 && password.length() > 0 ) -+ submitAuthStr = user + ":" + password; -+ -+ md5 = down->getMD5Sum(); -+ sha512 = down->getSHA512Sum(); -+ fileSize = down->getDownloadBuffer()->getSize(); -+ fileName = down->getDownloadUrl()->getFile(); -+ fileSourceURL = down->getUrl(); -+ -+ fileBuffer = new uint8_t[fileSize]; -+ fileBuffer = (uint8_t*)memcpy(fileBuffer, down->getDownloadBuffer()->getData(), fileSize); -+ -+ curlInfoHandle = curl_easy_init(); -+ if ( curlInfoHandle ) -+ { -+ struct curl_httppost* last = NULL; -+ -+ if ( email.length() > 0 ) -+ curl_formadd(&postInfo, &last, CURLFORM_COPYNAME, "email", CURLFORM_COPYCONTENTS, email.c_str(), CURLFORM_END); -+ -+ stringstream sSourceHost; sSourceHost << htonl(down->getRemoteHost()); -+ stringstream sTargetHost; sTargetHost << htonl(down->getLocalHost()); -+ -+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "url", CURLFORM_COPYCONTENTS, fileSourceURL.c_str(), CURLFORM_END); -+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "trigger", CURLFORM_COPYCONTENTS, down->getTriggerLine().c_str(), CURLFORM_END); -+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "md5", CURLFORM_COPYCONTENTS, md5.c_str(), CURLFORM_END); -+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "sha512", CURLFORM_COPYCONTENTS, sha512.c_str(), CURLFORM_END); -+ curl_formadd(&postInfo, &last, 
CURLFORM_PTRNAME, "filetype", CURLFORM_COPYCONTENTS, down->getFileType().c_str(), CURLFORM_END); -+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "source_host", CURLFORM_COPYCONTENTS, sSourceHost.str().c_str(), CURLFORM_END); -+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "target_host", CURLFORM_COPYCONTENTS, sTargetHost.str().c_str(), CURLFORM_END); -+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "filename", CURLFORM_COPYCONTENTS, down->getDownloadUrl()->getFile().c_str(), CURLFORM_END); -+ -+ setCURLOpts(curlInfoHandle, postInfo); -+ } -+} -+ -+HTTPSession::~HTTPSession() -+{ -+ delete [] fileBuffer; -+ curl_formfree(postInfo); -+ if ( postFile ) -+ curl_formfree(postFile); -+ curl_easy_cleanup(curlInfoHandle); -+ if ( curlFileHandle ) -+ curl_easy_cleanup(curlFileHandle); -+} -+ -+CURL* HTTPSession::getSubmitInfoHandle() -+{ -+ return curlInfoHandle; -+} -+ -+CURL* HTTPSession::getSubmitFileHandle() -+{ -+ curlFileHandle = curl_easy_init(); -+ if ( curlFileHandle ) -+ { -+ postFile = NULL; -+ struct curl_httppost* last = NULL; -+ -+ curl_formadd(&postFile, &last, CURLFORM_PTRNAME, "md5", CURLFORM_COPYCONTENTS, md5.c_str(), CURLFORM_END); -+ curl_formadd(&postFile, &last, CURLFORM_PTRNAME, "sha512", CURLFORM_COPYCONTENTS, sha512.c_str(), CURLFORM_END); -+ -+ curl_formadd(&postFile, &last, -+ CURLFORM_COPYNAME, "file", -+ CURLFORM_BUFFER, fileName.c_str(), -+ CURLFORM_BUFFERPTR, fileBuffer, -+ CURLFORM_BUFFERLENGTH, fileSize, -+ CURLFORM_END); -+ -+ setCURLOpts(curlFileHandle, postFile); -+ } -+ return curlFileHandle; -+} -+ -+string HTTPSession::getMD5() -+{ -+ return md5; -+} -+ -+string HTTPSession::getSHA512() -+{ -+ return sha512; -+} -+ -+void HTTPSession::setCURLOpts(CURL* c, curl_httppost* post) -+{ -+ curl_easy_setopt(c, CURLOPT_HTTPPOST, post); -+ curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, false); -+ curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, false); -+ curl_easy_setopt(c, CURLOPT_URL, submitURL.c_str()); -+ curl_easy_setopt(c, 
CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; nepenthes; Linux)"); -+ curl_easy_setopt(c, CURLOPT_PRIVATE, (char*) this); -+ curl_easy_setopt(c, CURLOPT_WRITEDATA, this); -+ curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, HTTPSession::WriteCallback); -+ -+ if ( submitAuthStr.length() > 0 ) -+ curl_easy_setopt(c, CURLOPT_USERPWD, submitAuthStr.c_str()); -+} -+ -+size_t HTTPSession::WriteCallback(char *buffer, size_t size, size_t nitems, void *p) -+{ -+ HTTPSession* s = (HTTPSession*)p; -+ int32_t iSize = size * nitems; -+ -+ string res(buffer, iSize); -+ if ( res.find("S_FILEREQUEST") != string::npos ) -+ s->setState(S_FILEREQUEST); -+ else -+ if ( res.find("S_FILEKNOWN") != string::npos ) -+ s->setState(S_FILEKNOWN); -+ else -+ if ( res.find("S_FILEOK") != string::npos ) -+ s->setState(S_FILEOK); -+ else -+ s->setState(S_ERROR); -+ -+// delete(strBuf); -+ return iSize; -+} -+ -+uint8_t HTTPSession::getState() -+{ -+ return state; -+} -+ -+void HTTPSession::setState(uint8_t s) -+{ -+ this->state = s; -+} -+ -+string HTTPSession::getFileSourceURL() -+{ -+ return fileSourceURL; -+} -diff -ruN nepenthes-0.2.0/modules/submit-http/HTTPSession.hpp nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.hpp ---- nepenthes-0.2.0/modules/submit-http/HTTPSession.hpp 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.hpp 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,82 @@ -+/******************************************************************************** -+ * Nepenthes -+ * - finest collection - -+ * -+ * -+ * -+ * Copyright (C) 2006 Niklas Schiffler -+ * Copyright (C) 2005 Paul Baecher & Markus Koetter -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. 
-+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ * -+ * -+ * contact nepenthesdev@users.sourceforge.net -+ * -+ *******************************************************************************/ -+ -+ /* $Id$ */ -+ -+#include -+#include -+ -+#include "Download.hpp" -+ -+using namespace std; -+ -+namespace nepenthes -+{ -+ -+ -+ class HTTPSession -+ { -+ public: -+ static const uint8_t S_FILEKNOWN = 0; -+ static const uint8_t S_FILEREQUEST = 1; -+ static const uint8_t S_FILEOK = 2; -+ static const uint8_t S_FILEPENDING = 3; -+ static const uint8_t S_ERROR = 4; -+ -+ HTTPSession(string &url, string &email, string &user, string &password, Download* down); -+ ~HTTPSession(); -+ CURL* getSubmitInfoHandle(); -+ CURL* getSubmitFileHandle(); -+ string getMD5(); -+ string getSHA512(); -+ void setCURLOpts(CURL* c, curl_httppost* post); -+ uint8_t getState(); -+ void setState(uint8_t s); -+ string getFileSourceURL(); -+ -+ static size_t WriteCallback(char *buffer, size_t size, size_t nitems, void *userp); -+ -+ protected: -+ CURL* curlInfoHandle; -+ CURL* curlFileHandle; -+ uint8_t* fileBuffer; -+ size_t fileSize; -+ struct curl_httppost* postInfo; -+ struct curl_httppost* postFile; -+ string fileName; -+ string fileSourceURL; -+ string md5; -+ string sha512; -+ string submitURL; -+ string submitAuthStr; -+ uint8_t state; -+ -+ }; -+ -+} -+ -diff -ruN nepenthes-0.2.0/modules/submit-http/Makefile.am nepenthes-0.2.0-r1345/modules/submit-http/Makefile.am ---- nepenthes-0.2.0/modules/submit-http/Makefile.am 1970-01-01 01:00:00.000000000 +0100 -+++ 
nepenthes-0.2.0-r1345/modules/submit-http/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,14 @@ -+AUTOMAKE_OPTIONS = foreign -+ -+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE -+AM_CXXFLAGS = -Wall -Werror -+ -+AM_LDFLAGS = $(LIB_CURL) -+ -+pkglib_LTLIBRARIES = submithttp.la -+ -+submithttp_la_SOURCES = submit-http.cpp submit-http.hpp -+submithttp_la_SOURCES += HTTPSession.hpp HTTPSession.cpp -+submithttp_la_SOURCES += submit-http.conf.dist -+ -+submithttp_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) -diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.conf.dist nepenthes-0.2.0-r1345/modules/submit-http/submit-http.conf.dist ---- nepenthes-0.2.0/modules/submit-http/submit-http.conf.dist 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.conf.dist 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,8 @@ -+submit-http -+{ -+ url "http://somehost.de/submit.php"; -+ email "your@email"; // optional -+ user "httpuser"; // optional -+ pass "httppass"; // optional -+}; -+ -diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.cpp nepenthes-0.2.0-r1345/modules/submit-http/submit-http.cpp ---- nepenthes-0.2.0/modules/submit-http/submit-http.cpp 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,231 @@ -+/******************************************************************************** -+ * Nepenthes -+ * - finest collection - -+ * -+ * -+ * -+ * Copyright (C) 2006 Niklas Schiffler -+ * Copyright (C) 2005 Paul Baecher & Markus Koetter -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. 
-+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ * -+ * -+ * contact nepenthesdev@users.sourceforge.net -+ * -+ *******************************************************************************/ -+ -+ /* $Id$ */ -+ -+#include "submit-http.hpp" -+#include "Download.hpp" -+#include "Utilities.hpp" -+#include "SubmitManager.hpp" -+#include "LogManager.hpp" -+#include "Event.hpp" -+#include "EventManager.hpp" -+#include "EventHandler.cpp" // das ist Mist! -+#include "Config.hpp" -+#include "ModuleManager.hpp" -+ -+#include "HTTPSession.hpp" -+ -+using namespace nepenthes; -+ -+ -+Nepenthes *g_Nepenthes; -+ -+ -+HTTPSubmitHandler::HTTPSubmitHandler(Nepenthes *nepenthes) -+{ -+ m_ModuleName = "submit-http"; -+ m_ModuleDescription = "HTTP submit handler"; -+ m_ModuleRevision = "$Rev$"; -+ m_Nepenthes = nepenthes; -+ m_SubmitterName = "submit-http"; -+ m_SubmitterDescription = "submit binary file via HTTP POST request"; -+ g_Nepenthes = nepenthes; -+ -+ m_Queued = 0; -+ m_Timeout = time(NULL); -+ m_Events.reset(); -+} -+ -+ -+HTTPSubmitHandler::~HTTPSubmitHandler() -+{ -+} -+ -+bool HTTPSubmitHandler::Init() -+{ -+ logPF(); -+ -+ if ( m_Config == NULL ) -+ { -+ logCrit("I need a config\n"); -+ return false; -+ } -+ -+ try -+ { -+ m_URL = m_Config->getValString("submit-http.url"); -+ } -+ catch ( ... 
) -+ { -+ logCrit("Error: Config property \"url\" missing\n"); -+ return false; -+ } -+ -+ try -+ { -+ m_Email = m_Config->getValString("submit-http.email"); -+ m_User = m_Config->getValString("submit-http.user"); -+ m_Password = m_Config->getValString("submit-http.pass"); -+ } -+ catch ( ... ) -+ { -+ } -+ -+ m_ModuleManager = m_Nepenthes->getModuleMgr(); -+ -+ if ( (m_CurlStack = curl_multi_init()) == NULL ) -+ { -+ logCrit("Could not init Curl Multi Perform Stack %s\n",strerror(errno)); -+ return false; -+ } -+ -+ REG_SUBMIT_HANDLER(this); -+ REG_EVENT_HANDLER(this); -+ return true; -+} -+ -+bool HTTPSubmitHandler::Exit() -+{ -+ curl_multi_cleanup(m_CurlStack); -+ return true; -+} -+ -+ -+void HTTPSubmitHandler::Submit(Download *down) -+{ -+ logPF(); -+ -+ if ( m_Events.test(EV_TIMEOUT) == false ) -+ m_Events.set(EV_TIMEOUT); -+ -+ HTTPSession* session = new HTTPSession(m_URL, m_Email, m_User, m_Password, down); -+ curl_multi_add_handle(m_CurlStack, session->getSubmitInfoHandle()); -+ m_Queued++; -+} -+ -+void HTTPSubmitHandler::Hit(Download *down) -+{ -+ Submit(down); -+} -+ -+ -+uint32_t HTTPSubmitHandler::handleEvent(Event *event) -+{ -+ logPF(); -+ if ( event->getType() != EV_TIMEOUT ) -+ { -+ logCrit("Unwanted event %i\n",event->getType()); -+ return 1; -+ } -+ -+ // do file info submits -+ int32_t iQueue = 0; -+ while ( curl_multi_perform(m_CurlStack, (int *)&iQueue) == CURLM_CALL_MULTI_PERFORM ); -+ -+ if ( m_Queued > iQueue ) -+ { -+ logSpam("m_Queued (%i) > (%i) iQueue\n", m_Queued, iQueue); -+ CURLMsg * pMessage; -+ -+ while ( (pMessage = curl_multi_info_read(m_CurlStack, (int *)&iQueue)) ) -+ { -+ if ( pMessage->msg == CURLMSG_DONE ) -+ { -+ HTTPSession *session; -+ char *cSession; -+ -+ curl_easy_getinfo(pMessage->easy_handle, CURLINFO_PRIVATE, (char**)&cSession); -+ session = (HTTPSession *)cSession; -+ -+ uint8_t sessionState = session->getState(); -+ -+ if ( sessionState == HTTPSession::S_FILEKNOWN || sessionState == HTTPSession::S_FILEREQUEST ) 
-+ { -+ if ( pMessage->data.result ) -+ { -+ logInfo("Error: Submitting file info (%s, %s) failed: %s\n", session->getMD5().c_str(), session->getFileSourceURL().c_str(), curl_easy_strerror(pMessage->data.result)); -+ delete session; -+ curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle); -+ --m_Queued; -+ continue; -+ } -+ logInfo("File info submitted (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); -+ } -+ -+ switch ( sessionState ) -+ { -+ case HTTPSession::S_FILEKNOWN: -+ logInfo("File already known (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); -+ break; -+ case HTTPSession::S_FILEREQUEST: -+ logInfo("File upload requested (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); -+ session->setState(HTTPSession::S_FILEPENDING); -+ curl_multi_add_handle(m_CurlStack, session->getSubmitFileHandle()); -+ break; -+ case HTTPSession::S_FILEOK: -+ logInfo("File uploaded (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); -+ break; -+ case HTTPSession::S_ERROR: -+ logInfo("Error handling file (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); -+ break; -+ } -+ -+ curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle); -+ -+ if ( sessionState == HTTPSession::S_FILEKNOWN || -+ sessionState == HTTPSession::S_FILEOK || -+ sessionState == HTTPSession::S_ERROR ) -+ { -+ delete session; -+ --m_Queued; -+ } -+ } -+ } -+ } -+ -+ if ( m_Queued == 0 ) -+ m_Events.reset(EV_TIMEOUT); -+ -+ m_Timeout = time(NULL) + 1; -+ return 0; -+} -+ -+ -+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) -+{ -+ if ( version == MODULE_IFACE_VERSION ) -+ { -+ *module = new HTTPSubmitHandler(nepenthes); -+ return 1; -+ } -+ else -+ { -+ return 0; -+ } -+} -diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.hpp nepenthes-0.2.0-r1345/modules/submit-http/submit-http.hpp ---- 
nepenthes-0.2.0/modules/submit-http/submit-http.hpp 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.hpp 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,72 @@ -+/******************************************************************************** -+ * Nepenthes -+ * - finest collection - -+ * -+ * -+ * -+ * Copyright (C) 2006 Niklas Schiffler -+ * Copyright (C) 2005 Paul Baecher & Markus Koetter -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
-+ * -+ * -+ * contact nepenthesdev@users.sourceforge.net -+ * -+ *******************************************************************************/ -+ -+ /* $Id$ */ -+ -+#include -+#include /* new for v7 */ -+#include /* new for v7 */ -+ -+#include "Nepenthes.hpp" -+#include "Module.hpp" -+#include "SubmitHandler.hpp" -+#include "EventHandler.hpp" -+#include "Download.hpp" -+ -+ -+using namespace std; -+ -+namespace nepenthes -+{ -+ -+ class HTTPSubmitHandler : public Module , public SubmitHandler, public EventHandler -+ { -+ public: -+ HTTPSubmitHandler(Nepenthes *nep); -+ ~HTTPSubmitHandler(); -+ bool Init(); -+ bool Exit(); -+ -+ void Submit(Download *down); -+ void Hit(Download *down); -+ -+ uint32_t handleEvent(Event *event); -+ -+ protected: -+ CURLM* m_CurlStack; -+ int32_t m_Queued; -+ string m_URL; -+ string m_Email; -+ string m_User; -+ string m_Password; -+ -+ }; -+ -+} -+ -+extern nepenthes::Nepenthes *g_Nepenthes; -diff -ruN nepenthes-0.2.0/modules/submit-mwserv/Makefile.am nepenthes-0.2.0-r1345/modules/submit-mwserv/Makefile.am ---- nepenthes-0.2.0/modules/submit-mwserv/Makefile.am 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,19 @@ -+# nepenthes module Makefile -+# Paul Baecher, Maximillian Dornseif, Markus Koetter -+# $Id: Makefile.am 718 2006-12-28 23:29:59Z common $ -+ -+AUTOMAKE_OPTIONS = foreign -+ -+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE -+AM_CXXFLAGS = -Wall -Werror -+ -+AM_LDFLAGS = $(LIB_CURL) -+ -+pkglib_LTLIBRARIES = submitmwserv.la -+ -+submitmwserv_la_SOURCES = submit-mwserv.cpp submit-mwserv.hpp -+submitmwserv_la_SOURCES += TransferSession.cpp TransferSession.hpp -+submitmwserv_la_SOURCES += submit-mwserv.conf.dist -+ -+submitmwserv_la_CXXFLAGS = -fno-strict-aliasing -+submitmwserv_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) -diff -ruN 
nepenthes-0.2.0/modules/submit-mwserv/TransferSession.cpp nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.cpp ---- nepenthes-0.2.0/modules/submit-mwserv/TransferSession.cpp 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,402 @@ -+/******************************************************************************** -+ * Nepenthes -+ * - finest collection - -+ * -+ * -+ * -+ * Copyright (C) 2007 Georg Wicherski -+ * Copyright (C) 2005 Paul Baecher & Markus Koetter -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
-+ * -+ * -+ * contact nepenthesdev@users.sourceforge.net -+ * -+ *******************************************************************************/ -+ -+#include "submit-mwserv.hpp" -+ -+#include "LogManager.hpp" -+#include "EventManager.hpp" -+ -+#include "POLLSocket.cpp" -+#include "Socket.cpp" -+ -+ -+ -+#if defined(__GNUG__) -+ #define MY_COMPILER "g++" -+#elif defined(__CYGWIN__) -+ #define MY_COMPILER "cygwin" -+#else -+ #define MY_COMPILER "unknown Compiler" -+#endif -+ -+#if defined(__FreeBSD__) -+# define MY_OS "FreeBSD" -+#elif defined(linux) || defined (__linux) -+# define MY_OS "Linux" -+#elif defined (__MACOSX__) || defined (__APPLE__) -+# define MY_OS "Mac OS X" -+#elif defined(__NetBSD__) -+# define MY_OS "NetBSD" -+#elif defined(__OpenBSD__) -+# define MY_OS "OpenBSD" -+#elif defined(_WIN32) || defined(__WIN32__) || defined(__TOS_WIN__) -+# define MY_OS "Windows" -+#elif defined(CYGWIN) -+# define MY_OS "Cygwin\Windows" -+#else -+# define MY_OS "Unknown OS" -+#endif -+ -+#if defined(__alpha__) || defined(__alpha) || defined(_M_ALPHA) -+# define MY_ARCH "Alpha" -+#elif defined(__arm__) -+# if defined(__ARMEB__) -+# define MY_ARCH "ARMeb" -+# else -+# define MY_ARCH "ARM" -+# endif -+#elif defined(i386) || defined(__i386__) || defined(__i386) || defined(_M_IX86) || defined(_X86_) || defined(__THW_INTEL) -+# define MY_ARCH "x86" -+#elif defined(__x86_64__) || defined(__amd64__) -+# define MY_ARCH "x86_64" -+#elif defined(__ia64__) || defined(_IA64) || defined(__IA64__) || defined(_M_IA64) -+# define MY_ARCH "Intel Architecture-64" -+#elif defined(__mips__) || defined(__mips) || defined(__MIPS__) -+# if defined(__mips32__) || defined(__mips32) -+# define MY_ARCH "MIPS32" -+# else -+# define MY_ARCH "MIPS" -+# endif -+#elif defined(__hppa__) || defined(__hppa) -+# define MY_ARCH "PA RISC" -+#elif defined(__powerpc) || defined(__powerpc__) || defined(__POWERPC__) || defined(__ppc__) || defined(_M_PPC) || defined(__PPC) || defined(__PPC__) -+# define 
MY_ARCH "PowerPC" -+#elif defined(__THW_RS6000) || defined(_IBMR2) || defined(_POWER) || defined(_ARCH_PWR) || defined(_ARCH_PWR2) -+# define MY_ARCH "RS/6000" -+#elif defined(__sparc__) || defined(sparc) || defined(__sparc) -+# define MY_ARCH "SPARC" -+#else -+# define MY_ARCH "Unknown Architecture" -+#endif -+ -+ -+ -+namespace nepenthes -+{ -+ -+ -+TransferSession::TransferSession(Type type, SubmitMwservModule * parent) -+{ -+ m_type = type; -+ m_parent = parent; -+ -+ m_sample.binary = 0; -+ m_multiHandle = 0; -+ m_postInfo = m_postInfoLast = 0; -+ m_curlHandle = 0; -+ -+ m_Type |= ST_NODEL; -+} -+ -+void TransferSession::transfer(TransferSample& sample, string url) -+{ -+ m_sample = sample; -+ -+ if(!(m_curlHandle = curl_easy_init()) || !(m_multiHandle = -+ curl_multi_init())) -+ { -+ logCrit("%s failed!\n", __PRETTY_FUNCTION__); -+ return; -+ } -+ -+ m_targetUrl = url; -+ m_sample = sample; -+ -+ initializeHandle(); -+} -+ -+TransferSession::~TransferSession() -+{ -+ Exit(); -+} -+ -+void TransferSession::initializeHandle() -+{ -+ m_postInfo = m_postInfoLast = 0; -+ -+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "guid", -+ CURLFORM_COPYCONTENTS, m_sample.guid.c_str(), CURLFORM_END); -+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, -+ "maintainer", CURLFORM_COPYCONTENTS, m_sample.maintainer.c_str(), -+ CURLFORM_END); -+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "secret", -+ CURLFORM_COPYCONTENTS, m_sample.secret.c_str(), CURLFORM_END); -+ -+ if(m_type != TST_HEARTBEAT) -+ { -+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "url", -+ CURLFORM_COPYCONTENTS, m_sample.url.c_str(), CURLFORM_END); -+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "sha512", -+ CURLFORM_COPYCONTENTS, m_sample.sha512.c_str(), CURLFORM_END); -+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "saddr", -+ CURLFORM_COPYCONTENTS, m_sample.saddr.c_str(), CURLFORM_END); -+ curl_formadd(&m_postInfo, 
&m_postInfoLast, CURLFORM_PTRNAME, "daddr", -+ CURLFORM_COPYCONTENTS, m_sample.daddr.c_str(), CURLFORM_END); -+ -+ if(m_type == TST_SAMPLE) -+ { -+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "data", -+ CURLFORM_PTRCONTENTS, m_sample.binary, CURLFORM_CONTENTSLENGTH, -+ m_sample.binarySize, CURLFORM_END); -+ } -+ } -+ else -+ { -+ curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "software", -+ CURLFORM_COPYCONTENTS, "nepenthes " VERSION " (" MY_OS ", " MY_ARCH -+ ", " MY_COMPILER ")", CURLFORM_END); -+ } -+ -+ curl_easy_setopt(m_curlHandle, CURLOPT_HTTPPOST, m_postInfo); -+ curl_easy_setopt(m_curlHandle, CURLOPT_FORBID_REUSE, 1); -+ curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYHOST, false); -+ curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYPEER, false); -+ curl_easy_setopt(m_curlHandle, CURLOPT_URL, m_targetUrl.c_str()); -+ curl_easy_setopt(m_curlHandle, CURLOPT_USERAGENT, -+ "nepenthes " VERSION " (" MY_OS ", " MY_ARCH ", " MY_COMPILER ")"); -+ curl_easy_setopt(m_curlHandle, CURLOPT_WRITEDATA, this); -+ curl_easy_setopt(m_curlHandle, CURLOPT_WRITEFUNCTION, -+ TransferSession::readData); -+ -+ CURLMcode error; -+ -+ if((error = curl_multi_add_handle(m_multiHandle, m_curlHandle))) -+ logCrit("Error adding easy to multi: %s\n", curl_multi_strerror(error)); -+ -+ int handles = 0; -+ -+ while(curl_multi_perform(m_multiHandle, &handles) == -+ CURLM_CALL_MULTI_PERFORM && handles); -+} -+ -+//size_t function( void *ptr, size_t size, size_t nmemb, void *stream); -+size_t TransferSession::readData(void *buffer, size_t s, size_t n, void *data) -+{ -+ ((TransferSession *) data)->m_buffer.append((const char *)buffer, s * n); -+ return s * n; -+} -+ -+TransferSession::Status TransferSession::getTransferStatus() -+{ -+ if(m_type != TST_HEARTBEAT) -+ { -+ if(m_buffer == "OK") -+ return TSS_OK; -+ else if(m_buffer == "UNKNOWN") -+ return TSS_UNKNOWN; -+ else -+ return TSS_ERROR; -+ } -+ else -+ { -+ if(m_buffer.substr(0, 4) == "OK: ") -+ return 
TSS_HEARTBEAT; -+ else -+ return TSS_ERROR; -+ } -+} -+ -+bool TransferSession::Init() -+{ -+ return true; -+} -+ -+bool TransferSession::Exit() -+{ -+ if(m_multiHandle) -+ curl_multi_remove_handle(m_multiHandle, m_curlHandle); -+ -+ if(m_postInfo) -+ curl_formfree(m_postInfo); -+ -+ if(m_curlHandle) -+ curl_easy_cleanup(m_curlHandle); -+ -+ if(m_multiHandle) -+ { -+ curl_multi_cleanup(m_multiHandle); -+ m_multiHandle = 0; -+ } -+ -+ if(m_sample.binary) -+ { -+ delete [] m_sample.binary; -+ m_sample.binary = 0; -+ } -+ -+ return true; -+} -+ -+bool TransferSession::wantSend() -+{ -+ fd_set readSet, writeSet, errorSet; -+ int maxFd = 0; -+ CURLMcode error; -+ FD_ZERO(&readSet); FD_ZERO(&writeSet); FD_ZERO(&errorSet); -+ -+ if((error = curl_multi_fdset(m_multiHandle, &readSet, &writeSet, &errorSet, -+ &maxFd))) -+ { -+ logCrit("Obtaining write socket failed: %s\n", -+ curl_multi_strerror(error)); -+ return false; -+ } -+ -+ return FD_ISSET(maxFd, &writeSet); -+} -+ -+int32_t TransferSession::doSend() -+{ -+ return doRecv(); -+} -+ -+int32_t TransferSession::doRecv() -+{ -+ int handles = 0, queued = 0; -+ -+ while(curl_multi_perform(m_multiHandle, &handles) == -+ CURLM_CALL_MULTI_PERFORM && handles); -+ -+ CURLMsg * message; -+ -+ while((message = curl_multi_info_read(m_multiHandle, &queued))) -+ { -+ if(message->msg == CURLMSG_DONE) -+ { -+ if(message->data.result) -+ { -+ logCrit("Connection to %s failed: %s [\"%s\"]\n", -+ m_targetUrl.c_str(), curl_easy_strerror(message-> -+ data.result), m_buffer.c_str()); -+ -+ if(m_type == TST_HEARTBEAT) -+ m_parent->scheduleHeartbeat(DEFAULT_HEARTBEAT_DELTA); -+ else -+ { -+ m_parent->retrySample(m_sample); -+ m_sample.binary = 0; -+ } -+ } -+ else -+ { -+ switch(getTransferStatus()) -+ { -+ case TransferSession::TSS_OK: -+ logInfo("Transmitted %s to %s.\n", m_sample.url.c_str(), -+ m_targetUrl.c_str()); -+ -+ break; -+ -+ case TransferSession::TSS_UNKNOWN: -+ logInfo("submit-mwserv: uploading data for %s\n", -+ 
m_sample.url.c_str()); -+ -+ m_parent->submitSample(m_sample); -+ m_sample.binary = 0; -+ -+ break; -+ -+ case TransferSession::TSS_HEARTBEAT: -+ { -+ unsigned long delta = strtoul(m_buffer.substr(4). -+ c_str(), 0, 0); -+ logDebug("Next heartbeat in %u seconds.\n", delta); -+ -+ m_parent->scheduleHeartbeat(delta); -+ -+ break; -+ } -+ -+ case TransferSession::TSS_ERROR: -+ if(m_type == TST_HEARTBEAT) -+ m_parent->scheduleHeartbeat(DEFAULT_HEARTBEAT_DELTA); -+ -+ logCrit("%s reported \"%s\"\n", m_targetUrl.c_str(), -+ m_buffer.c_str()); -+ -+ break; -+ } -+ } -+ -+ m_Type |= ~ST_NODEL; -+ m_Status = SS_CLOSED; -+ } -+ } -+ -+ return 0; -+} -+ -+int32_t TransferSession::getSocket() -+{ -+ if(!m_multiHandle) -+ return -1; -+ -+ fd_set readSet, writeSet, errorSet; -+ int maxFd = 0; -+ CURLMcode error; -+ FD_ZERO(&readSet); FD_ZERO(&writeSet); FD_ZERO(&errorSet); -+ -+ if((error = curl_multi_fdset(m_multiHandle, &readSet, &writeSet, &errorSet, -+ &maxFd))) -+ { -+ logCrit("Obtaining read socket failed: %s\n", -+ curl_multi_strerror(error)); -+ return -1; -+ } -+ -+ if(maxFd == -1) -+ return -1; -+ -+ if(!FD_ISSET(maxFd, &readSet) && !FD_ISSET(maxFd, &writeSet) && -+ !FD_ISSET(maxFd, &errorSet)) -+ { -+ logCrit("maxFd not in set: %i!\n", maxFd); -+ return -1; -+ } -+ -+ return maxFd; -+} -+ -+int32_t TransferSession::getsockOpt(int32_t level, int32_t optname, -+ void *optval, socklen_t *optlen) -+{ -+ return getsockopt(getSocket(), level, optname, optval, optlen); -+} -+ -+ -+} -+ -+ -+bool TransferSession::checkTimeout() -+{ -+ // if the connection is bad, give curl a chance to take care, so we can get rid of the connection -+ if (getSocket() == -1) -+ doRecv(); -+ -+ return false; -+} -diff -ruN nepenthes-0.2.0/modules/submit-mwserv/TransferSession.hpp nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.hpp ---- nepenthes-0.2.0/modules/submit-mwserv/TransferSession.hpp 1970-01-01 01:00:00.000000000 +0100 -+++ 
nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.hpp 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,129 @@ -+/******************************************************************************** -+ * Nepenthes -+ * - finest collection - -+ * -+ * -+ * -+ * Copyright (C) 2007 Georg Wicherski -+ * Copyright (C) 2005 Paul Baecher & Markus Koetter -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
-+ * -+ * -+ * contact nepenthesdev@users.sourceforge.net -+ * -+ *******************************************************************************/ -+ -+#include -+#include -+#include -+ -+#include -+using namespace std; -+ -+#include "Nepenthes.hpp" -+#include "Module.hpp" -+#include "SubmitHandler.hpp" -+#include "Download.hpp" -+ -+#include "POLLSocket.hpp" -+ -+ -+namespace nepenthes -+{ -+ -+ -+struct TransferSample -+{ -+ string guid; -+ string maintainer; -+ string secret; -+ -+ string url; -+ string saddr, daddr; -+ string sha512; -+ -+ char * binary; -+ unsigned int binarySize; -+}; -+ -+ -+class SubmitMwservModule; -+ -+class TransferSession : public POLLSocket -+{ -+public: -+ enum Type -+ { -+ TST_INSTANCE, -+ TST_SAMPLE, -+ TST_HEARTBEAT, -+ }; -+ -+ TransferSession(Type type, SubmitMwservModule * parent); -+ virtual ~TransferSession(); -+ -+ enum Status -+ { -+ TSS_OK, -+ TSS_UNKNOWN, -+ TSS_HEARTBEAT, -+ TSS_ERROR, -+ }; -+ -+ TransferSession::Status getTransferStatus(); -+ -+ void transfer(TransferSample& sample, string url); -+ -+ // POLLSocket -+ bool Init(); -+ bool Exit(); -+ -+ bool wantSend(); -+ -+ int32_t doSend(); -+ int32_t doRecv(); -+ int32_t getSocket(); -+ int32_t getsockOpt(int32_t level, int32_t optname, -+ void *optval, socklen_t *optlen); -+ bool checkTimeout(); -+ -+protected: -+ string m_targetUrl; -+ TransferSample m_sample; -+ -+ CURL * m_curlHandle; -+ CURLM * m_multiHandle; -+ curl_httppost * m_postInfo, * m_postInfoLast; -+ -+ char * m_dataCopy; -+ unsigned int m_dataSize; -+ -+ void initializeHandle(); -+ void recreateWithSampleData(); -+ -+ string m_buffer; -+ -+ Type m_type; -+ SubmitMwservModule * m_parent; -+ -+ unsigned long m_heartbeatDelta; -+ -+private: -+ static size_t readData(void *buffer, size_t size, size_t n, void *data); -+}; -+ -+ -+} -diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.conf.dist nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.conf.dist ---- 
nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.conf.dist 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.conf.dist 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,18 @@ -+// lightweight libcurl based module for file submission via HTTP to the mwserv -+// python script suite (typically running on an apache2 with mod_python) -+// This is primarily used by the mwcollect Alliance - alliance.mwcollect.org -+ -+submit-mwserv -+{ -+ // the url to send the submission requests to -+ url = ""; -+ -+ // username of the maintainer of this sensor -+ maintainer = ""; -+ -+ // guid of this sensor, as generated serverside; typically 8 chars -+ guid = ""; -+ -+ // shared secret used for authentication aka `password'; typically 48 chars -+ secret = ""; -+}; -diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.cpp nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.cpp ---- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.cpp 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,224 @@ -+/******************************************************************************** -+ * Nepenthes -+ * - finest collection - -+ * -+ * -+ * -+ * Copyright (C) 2007 Georg Wicherski -+ * Copyright (C) 2005 Paul Baecher & Markus Koetter -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. 
-+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ * -+ * -+ * contact nepenthesdev@users.sourceforge.net -+ * -+ *******************************************************************************/ -+ -+#include "Download.hpp" -+#include "Utilities.hpp" -+#include "SubmitManager.hpp" -+#include "LogManager.hpp" -+#include "Event.hpp" -+#include "EventManager.hpp" -+#include "EventHandler.cpp" -+#include "Config.hpp" -+#include "ModuleManager.hpp" -+#include "SocketManager.hpp" -+ -+#include "DownloadBuffer.hpp" -+#include "DownloadUrl.hpp" -+ -+#include "submit-mwserv.hpp" -+ -+#include -+#include -+#include -+#include -+ -+ -+#define SUBMIT_URI "nepenthes/submit" -+#define HEARTBEAT_URI "heartbeat" -+ -+ -+namespace nepenthes -+{ -+ -+ -+SubmitMwservModule::SubmitMwservModule(Nepenthes * nepenthes) -+{ -+ m_ModuleName = "submit-mwserv"; -+ m_ModuleDescription = "mwserv.py HTTP Post Submission"; -+ m_ModuleRevision = "$Rev: 921 $"; -+ m_Nepenthes = nepenthes; -+ m_SubmitterName = "submit-mwserv"; -+ m_SubmitterDescription = "mwserv.py HTTP Post Submission"; -+ -+ m_Timeout = 0; -+ m_TimeoutIntervall = 0; -+} -+ -+bool SubmitMwservModule::Init() -+{ -+ if(!m_Config) -+ { -+ logCrit("No configuration for submit-mwserv provided.\n"); -+ return false; -+ } -+ -+ try -+ { -+ m_url = m_Config->getValString("submit-mwserv.url"); -+ m_guid = m_Config->getValString("submit-mwserv.guid"); -+ m_maintainer = m_Config->getValString("submit-mwserv.maintainer"); -+ m_secret = m_Config->getValString("submit-mwserv.secret"); -+ } -+ catch(...) 
-+ { -+ logCrit("Missing configuration option for submit-mwserv.\n"); -+ return false; -+ } -+ -+ if(m_guid.find(":") != string::npos || m_maintainer.find(":") -+ != string::npos || m_secret.find(":") != string::npos || -+ m_guid.find("+") != string::npos || m_maintainer.find("+") -+ != string::npos || m_secret.find("+") != string::npos) -+ { -+ logCrit("submit-mwserv: guid, maintainer or secret from configuration" -+ "contained ':' or '+'; this is not allowed.\n"); -+ return false; -+ } -+ -+ if(* m_url.rbegin() != '/') -+ m_url += "/"; -+ -+ REG_SUBMIT_HANDLER(this); -+ REG_EVENT_HANDLER(this); -+ -+ handleEvent(0); -+ -+ return true; -+} -+ -+bool SubmitMwservModule::Exit() -+{ -+ return true; -+} -+ -+void SubmitMwservModule::Submit(Download * download) -+{ -+ Hit(download); -+} -+ -+void SubmitMwservModule::Hit(Download * download) -+{ -+ TransferSample sample; -+ TransferSession * session = new TransferSession(TransferSession:: -+ TST_INSTANCE, this); -+ -+ { -+ struct in_addr saddr, daddr; -+ -+ saddr.s_addr = download->getRemoteHost(); -+ daddr.s_addr = download->getLocalHost(); -+ -+ sample.saddr = inet_ntoa(saddr); -+ sample.daddr = inet_ntoa(daddr); -+ -+ sample.guid = m_guid; -+ sample.maintainer = m_maintainer; -+ sample.secret = m_secret; -+ -+ sample.url = download->getUrl(); -+ sample.sha512 = download->getSHA512Sum(); -+ -+ sample.binarySize = download->getDownloadBuffer()->getSize(); -+ sample.binary = new char[sample.binarySize]; -+ memcpy(sample.binary, download->getDownloadBuffer()->getData(), -+ sample.binarySize); -+ } -+ -+ session->transfer(sample, m_url + SUBMIT_URI); -+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session); -+} -+ -+void SubmitMwservModule::retrySample(TransferSample& sample) -+{ -+ TransferSession * session = new TransferSession(TransferSession:: -+ TST_INSTANCE, this); -+ -+ session->transfer(sample, m_url + SUBMIT_URI); -+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session); -+} -+ -+void 
SubmitMwservModule::submitSample(TransferSample& sample) -+{ -+ TransferSession * session = new TransferSession(TransferSession:: -+ TST_SAMPLE, this); -+ -+ session->transfer(sample, m_url + SUBMIT_URI); -+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session); -+} -+ -+uint32_t SubmitMwservModule::handleEvent(Event * ev) -+{ -+ m_Events.reset(EV_TIMEOUT); -+ -+ TransferSample sample; -+ TransferSession * session = new TransferSession(TransferSession:: -+ TST_HEARTBEAT, this); -+ -+ sample.guid = m_guid; -+ sample.maintainer = m_maintainer; -+ sample.secret = m_secret; -+ sample.binary = 0; -+ -+ session->transfer(sample, m_url + HEARTBEAT_URI); -+ g_Nepenthes->getSocketMgr()->addPOLLSocket(session); -+ -+ return 0; -+} -+ -+void SubmitMwservModule::scheduleHeartbeat(unsigned long delta) -+{ -+ if(delta > MAX_HEARTBEAT_DELTA) -+ { -+ logInfo("Capping server heartbeat delta of %u sec to %u sec.\n", delta, -+ MAX_HEARTBEAT_DELTA); -+ -+ delta = MAX_HEARTBEAT_DELTA; -+ } -+ -+ m_Events.set(EV_TIMEOUT); -+ m_Timeout = time(0) + delta; -+} -+ -+ -+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) -+{ -+ g_Nepenthes = nepenthes; -+ -+ if(version == MODULE_IFACE_VERSION) -+ { -+ * module = new SubmitMwservModule(nepenthes); -+ return 1; -+ } -+ -+ return 0; -+} -+ -+ -+} -+ -+Nepenthes * g_Nepenthes; -diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.hpp nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.hpp ---- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.hpp 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.hpp 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,78 @@ -+/******************************************************************************** -+ * Nepenthes -+ * - finest collection - -+ * -+ * -+ * -+ * Copyright (C) 2007 Georg Wicherski -+ * Copyright (C) 2005 Paul Baecher & Markus Koetter -+ * -+ * This program is free software; you can redistribute it 
and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. -+ * -+ * -+ * contact nepenthesdev@users.sourceforge.net -+ * -+ *******************************************************************************/ -+ -+#include -+#include -+#include -+ -+#include "Nepenthes.hpp" -+#include "Module.hpp" -+#include "SubmitHandler.hpp" -+#include "EventHandler.hpp" -+#include "Download.hpp" -+ -+#include "TransferSession.hpp" -+ -+ -+#define DEFAULT_HEARTBEAT_DELTA 30 -+#define MAX_HEARTBEAT_DELTA 300 -+ -+ -+using namespace std; -+ -+namespace nepenthes -+{ -+ -+ -+class SubmitMwservModule : public Module , public SubmitHandler, -+ public EventHandler -+{ -+public: -+ SubmitMwservModule(Nepenthes * nepenthes); -+ -+ bool Init(); -+ bool Exit(); -+ -+ void Submit(Download * download); -+ void Hit(Download * download); -+ -+ uint32_t handleEvent(Event *event); -+ -+ void submitSample(TransferSample& sample); -+ void retrySample(TransferSample& sample); -+ void scheduleHeartbeat(unsigned long delta); -+ -+protected: -+ string m_url, m_guid, m_maintainer, m_secret; -+ uint32_t m_inTransfer; -+}; -+ -+ -+} -+ -+extern nepenthes::Nepenthes *g_Nepenthes; -diff -ruN nepenthes-0.2.0/modules/submit-norman/Makefile.am nepenthes-0.2.0-r1345/modules/submit-norman/Makefile.am ---- nepenthes-0.2.0/modules/submit-norman/Makefile.am 2006-11-13 20:40:09.000000000 +0100 -+++ 
nepenthes-0.2.0-r1345/modules/submit-norman/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -12,4 +12,4 @@ - - submitnorman_la_SOURCES = submit-norman.conf.dist submit-norman.hpp submit-norman.cpp - --submitnorman_la_LDFLAGS = -module -no-undefined -avoid-version -+submitnorman_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) -diff -ruN nepenthes-0.2.0/modules/submit-norman/submit-norman.conf.dist nepenthes-0.2.0-r1345/modules/submit-norman/submit-norman.conf.dist ---- nepenthes-0.2.0/modules/submit-norman/submit-norman.conf.dist 2006-11-13 20:40:09.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-norman/submit-norman.conf.dist 2007-08-06 00:46:15.000000000 +0200 -@@ -1,8 +1,8 @@ - submit-norman - { - // this is the adress where norman sandbox reports will be sent -- email "malware@mac.com"; -- urls ("http://sandbox.norman.no/live_4.html", -+ email "nsbx@mwcollect.org"; -+ urls ("http://www.norman.com/microsites/nsic/Submit/Special/45773/", - "http://luigi.informatik.uni-mannheim.de/submit.php?action=verify"); - - }; -diff -ruN nepenthes-0.2.0/modules/submit-postgres/Makefile.am nepenthes-0.2.0-r1345/modules/submit-postgres/Makefile.am ---- nepenthes-0.2.0/modules/submit-postgres/Makefile.am 2006-11-13 20:40:05.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/submit-postgres/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -13,5 +13,6 @@ - submitpostgres_la_SOURCES = submit-postgres.cpp submit-postgres.hpp - submitpostgres_la_SOURCES += PGDownloadContext.cpp PGDownloadContext.hpp - submitpostgres_la_SOURCES += bencoding.c bencoding.h -+submitpostgres_la_SOURCES += submit-postgres.conf.dist - - submitpostgres_la_LDFLAGS = -module -no-undefined -avoid-version -diff -ruN nepenthes-0.2.0/modules/vuln-asn1/IISDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-asn1/IISDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-asn1/IISDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-asn1/IISDialogue.cpp 2007-08-06 
00:46:15.000000000 +0200 -@@ -43,6 +43,9 @@ - - #include "Socket.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" -+ - #ifdef STDTAGS - #undef STDTAGS - #endif -@@ -79,7 +82,7 @@ - case IIS_POST: - case IIS_GET: - logWarn("Unknown IIS %i bytes State %i\n",m_Buffer->getSize(), m_State); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); - break; - - case IIS_SEARCH: -@@ -102,7 +105,7 @@ - ConsumeLevel IISDialogue::incomingData(Message *msg) - { - m_Buffer->add(msg->getMsg(),msg->getSize()); --// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); -+// HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); - - // FIXME this can only recognize urldownloadtofile foobar - -diff -ruN nepenthes-0.2.0/modules/vuln-asn1/SMBDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-asn1/SMBDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-asn1/SMBDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-asn1/SMBDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -43,8 +43,13 @@ - #include "Utilities.hpp" - #include "ShellcodeManager.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" -+ - #include "vuln-asn1.hpp" - -+ -+ - #ifdef STDTAGS - #undef STDTAGS - #endif -@@ -227,5 +232,5 @@ - void SMBDialogue::dump() - { - logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","ASN1_SMB",m_Buffer->getSize(),m_State); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); - } -diff -ruN nepenthes-0.2.0/modules/vuln-bagle/BagleDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-bagle/BagleDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-bagle/BagleDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 -+++ 
nepenthes-0.2.0-r1345/modules/vuln-bagle/BagleDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -124,7 +124,7 @@ - } - - logCrit("Unknown Bagle Auth (%i)\n",m_Buffer->getSize()); -- g_Nepenthes->getUtilities()->hexdump(l_crit | STDTAGS ,(byte *)m_Buffer->getData(),m_Buffer->getSize()); -+// g_Nepenthes->getUtilities()->hexdump(l_crit | STDTAGS ,(byte *)m_Buffer->getData(),m_Buffer->getSize()); - if (m_Buffer->getSize() > 128 ) - return CL_DROP; - -diff -ruN nepenthes-0.2.0/modules/vuln-bagle/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-bagle/Makefile.am ---- nepenthes-0.2.0/modules/vuln-bagle/Makefile.am 2006-11-13 20:40:09.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-bagle/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -6,7 +6,6 @@ - - AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE - AM_CXXFLAGS = -Wall -Werror --AM_LDFLAGS = -lpcre - - pkglib_LTLIBRARIES = vulnbagle.la - -diff -ruN nepenthes-0.2.0/modules/vuln-dameware/DWDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-dameware/DWDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-dameware/DWDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-dameware/DWDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -48,6 +48,9 @@ - - #include "Utilities.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" -+ - #ifdef STDTAGS - #undef STDTAGS - #endif -@@ -209,5 +212,5 @@ - void DWDialogue::dump() - { - logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","DameWare",m_Buffer->getSize(),m_State); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); - } -diff -ruN nepenthes-0.2.0/modules/vuln-dcom/DCOMDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-dcom/DCOMDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-dcom/DCOMDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 -+++ 
nepenthes-0.2.0-r1345/modules/vuln-dcom/DCOMDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -39,6 +39,10 @@ - #include "Utilities.hpp" - - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" -+ -+ - #ifdef STDTAGS - #undef STDTAGS - #endif -@@ -234,5 +238,5 @@ - void DCOMDialogue::dump() - { - logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","DCOM",m_Buffer->getSize(),m_State); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); - } -diff -ruN nepenthes-0.2.0/modules/vuln-ftpd/vuln-ftpd.cpp nepenthes-0.2.0-r1345/modules/vuln-ftpd/vuln-ftpd.cpp ---- nepenthes-0.2.0/modules/vuln-ftpd/vuln-ftpd.cpp 2006-11-13 20:40:03.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-ftpd/vuln-ftpd.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -55,6 +55,9 @@ - - #include "Utilities.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" -+ - #ifdef STDTAGS - #undef STDTAGS - #endif -@@ -220,7 +223,7 @@ - uint32_t i = 0; - bool buffercut=false; - -- g_Nepenthes->getUtilities()->hexdump((byte *) m_Buffer->getData(),m_Buffer->getSize()); -+// g_Nepenthes->getUtilities()->hexdump((byte *) m_Buffer->getData(),m_Buffer->getSize()); - while ( i < m_Buffer->getSize() ) - { - buffercut = false; -@@ -418,7 +421,7 @@ - void FTPdDialogue::dump() - { - logWarn("Unknown exploit %i bytes \n",m_Shellcode->getSize()); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Shellcode->getData(), m_Shellcode->getSize()); -+ HEXDUMP(m_Socket,(byte *) m_Shellcode->getData(), m_Shellcode->getSize()); - } - - ftp_exploit FTPdDialogue::identExploit(string line) -diff -ruN nepenthes-0.2.0/modules/vuln-iis/IISDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-iis/IISDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-iis/IISDialogue.cpp 2006-11-13 20:40:10.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-iis/IISDialogue.cpp 2007-08-06 00:46:15.000000000 
+0200 -@@ -49,6 +49,9 @@ - #include "Message.hpp" - #include "Message.cpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" -+ - #ifdef STDTAGS - #undef STDTAGS - #endif -@@ -85,7 +88,7 @@ - case IIS_NULL: - case IIS_SSL: - logWarn("Unknown IIS SSL exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); - break; - - case IIS_DONE: -diff -ruN nepenthes-0.2.0/modules/vuln-lsass/LSASSDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-lsass/LSASSDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-lsass/LSASSDialogue.cpp 2006-11-13 20:40:11.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-lsass/LSASSDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -46,6 +46,8 @@ - #include "Buffer.hpp" - #include "Buffer.cpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" - - #ifdef STDTAGS - #undef STDTAGS -@@ -281,6 +283,6 @@ - void LSASSDialogue::dump() - { - logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","LSASS",m_Buffer->getSize(),m_State); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); - } - -diff -ruN nepenthes-0.2.0/modules/vuln-msdtc/MSDTCDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-msdtc/MSDTCDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-msdtc/MSDTCDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-msdtc/MSDTCDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -38,6 +38,8 @@ - #include "ShellcodeManager.hpp" - #include "Utilities.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" - - #ifdef STDTAGS - #undef STDTAGS -@@ -181,5 +183,5 @@ - void MSDTCDialogue::dump() - { - logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","MSDTC",m_Buffer->getSize(),m_State); -- 
g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); - } -diff -ruN nepenthes-0.2.0/modules/vuln-msmq/MSMQDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-msmq/MSMQDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-msmq/MSMQDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-msmq/MSMQDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -43,6 +43,8 @@ - #include "Nepenthes.hpp" - #include "LogManager.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" - - using namespace nepenthes; - -@@ -73,7 +75,7 @@ - case MSMQ_NULL: - case MSMQ_SHELLCODE: - logWarn("Unknown MSMQ exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); - break; - - case MSMQ_DONE: -diff -ruN nepenthes-0.2.0/modules/vuln-mssql/MSSQLDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-mssql/MSSQLDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-mssql/MSSQLDialogue.cpp 2006-11-13 20:40:03.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-mssql/MSSQLDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -41,6 +41,9 @@ - - #include "Utilities.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" -+ - #ifdef STDTAGS - #undef STDTAGS - #endif -@@ -115,7 +118,7 @@ - } - else - { // hexdump it -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte*)msg->getMsg(),msg->getSize()); -+ HEXDUMP(m_Socket,(byte*)msg->getMsg(),msg->getSize()); - - } - -diff -ruN nepenthes-0.2.0/modules/vuln-netbiosname/SMBNameDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-netbiosname/SMBNameDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-netbiosname/SMBNameDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-netbiosname/SMBNameDialogue.cpp 2007-08-06 
00:46:15.000000000 +0200 -@@ -49,6 +49,8 @@ - - #include "Utilities.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" - - #ifdef STDTAGS - #undef STDTAGS -@@ -146,7 +148,7 @@ - case SMBName_NEGOTIATE: - case SMBName_NULL: - logWarn("Unknown SMBName exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); --// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); -+// HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); - break; - - -diff -ruN nepenthes-0.2.0/modules/vuln-netdde/NETDDEDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-netdde/NETDDEDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-netdde/NETDDEDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-netdde/NETDDEDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -49,6 +49,8 @@ - - #include "Utilities.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" - - #ifdef STDTAGS - #undef STDTAGS -@@ -201,5 +203,5 @@ - void NETDDEDialogue::dump() - { - logWarn("Unknown NETDDE exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); - } -diff -ruN nepenthes-0.2.0/modules/vuln-optix/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-optix/Makefile.am ---- nepenthes-0.2.0/modules/vuln-optix/Makefile.am 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-optix/Makefile.am 2007-08-06 00:46:15.000000000 +0200 -@@ -12,4 +12,4 @@ - - vulnoptix_la_SOURCES = vuln-optix.conf.dist OPTIXBindDialogue.hpp OPTIXDownloadDialogue.hpp OPTIXDownloadHandler.hpp OPTIXShellDialogue.hpp vuln-optix.hpp OPTIXBindDialogue.cpp OPTIXDownloadDialogue.cpp OPTIXDownloadHandler.cpp OPTIXShellDialogue.cpp vuln-optix.cpp - --vulnoptix_la_LDFLAGS = -module -no-undefined -avoid-version -+vulnoptix_la_LDFLAGS = -module -no-undefined 
-avoid-version $(AM_LDFLAGS) -diff -ruN nepenthes-0.2.0/modules/vuln-optix/OPTIXShellDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-optix/OPTIXShellDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-optix/OPTIXShellDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-optix/OPTIXShellDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -107,7 +107,7 @@ - case OPTIX_AUTHED: - if (m_Buffer->getSize() >= 6) - { -- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); -+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); - // we could do this with pcre ... - if (memcmp(m_Buffer->getData(),"019¬\r\n",6) == 0) - { -diff -ruN nepenthes-0.2.0/modules/vuln-pnp/PNPDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-pnp/PNPDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-pnp/PNPDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-pnp/PNPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -47,6 +47,8 @@ - #include "Buffer.hpp" - #include "Buffer.cpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" - - #ifdef STDTAGS - #undef STDTAGS -@@ -276,5 +278,5 @@ - void PNPDialogue::dump() - { - logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","PNP",m_Buffer->getSize(),m_State); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); - } -diff -ruN nepenthes-0.2.0/modules/vuln-realvnc/vuln-realvnc.cpp nepenthes-0.2.0-r1345/modules/vuln-realvnc/vuln-realvnc.cpp ---- nepenthes-0.2.0/modules/vuln-realvnc/vuln-realvnc.cpp 2006-11-13 20:40:07.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-realvnc/vuln-realvnc.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -246,7 +246,7 @@ - { - - logSpam("VNC_HANDSHAKE\n"); -- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); -+// 
g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); - if (m_Buffer->getSize() >= strlen(rfb_version_003_008) && - memcmp(m_Buffer->getData(),rfb_version_003_008,strlen(rfb_version_003_008)) == 0) - { -@@ -262,7 +262,7 @@ - if ( m_State == VNC_AUTH) - { - logSpam("VNC_AUTH\n"); -- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); -+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); - if (m_Buffer->getSize() >= 1 ) - { - if (1)// *(char *) (m_Buffer->getData()) == 1) -@@ -546,7 +546,7 @@ - - case 6: - logSpam("ClientReq: CutEvent\n"); -- g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); -+// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); - if (m_Buffer->getSize() >= 8 ) - { - uint32_t cpbytes; -diff -ruN nepenthes-0.2.0/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp ---- nepenthes-0.2.0/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -49,6 +49,8 @@ - - #include "Utilities.hpp" - -+#include "EventManager.hpp" -+#include "SocketEvent.hpp" - - #ifdef STDTAGS - #undef STDTAGS -@@ -219,5 +221,5 @@ - void SasserFTPDDialogue::dump() - { - logWarn("Unknown SasserFTPD exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); -- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); -+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); - } -diff -ruN nepenthes-0.2.0/modules/vuln-sav/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-sav/Makefile.am ---- nepenthes-0.2.0/modules/vuln-sav/Makefile.am 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-sav/Makefile.am 2007-08-06 00:46:15.000000000 
+0200 -@@ -0,0 +1,14 @@ -+# nepenthes module Makefile -+# Paul Baecher, Maximillian Dornseif, Markus Koetter -+# $Id$ -+ -+AUTOMAKE_OPTIONS = foreign -+ -+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE -+AM_CXXFLAGS = -Wall -Werror -+ -+pkglib_LTLIBRARIES = vulnsav.la -+ -+vulnsav_la_SOURCES = vuln-sav.cpp vuln-sav.hpp -+ -+vulnsav_la_LDFLAGS = -module -no-undefined -avoid-version -diff -ruN nepenthes-0.2.0/modules/vuln-sav/vuln-sav.cpp nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.cpp ---- nepenthes-0.2.0/modules/vuln-sav/vuln-sav.cpp 1970-01-01 01:00:00.000000000 +0100 -+++ nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.cpp 2007-08-06 00:46:15.000000000 +0200 -@@ -0,0 +1,278 @@ -+/******************************************************************************** -+ * Nepenthes -+ * - finest collection - -+ * -+ * -+ * -+ * Copyright (C) 2005 Paul Baecher & Markus Koetter -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public License -+ * as published by the Free Software Foundation; either version 2 -+ * of the License, or (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. 
-+ * -+ * -+ * contact nepenthesdev@users.sourceforge.net -+ * -+ *******************************************************************************/ -+ -+ /* $Id$ */ -+ -+#include -+ -+#include "vuln-sav.hpp" -+ -+#include "SocketManager.hpp" -+ -+#include "DownloadManager.hpp" -+#include "LogManager.hpp" -+#include "DialogueFactoryManager.hpp" -+ -+ -+#include "Buffer.hpp" -+#include "Buffer.cpp" -+ -+#include "Message.hpp" -+#include "Message.cpp" -+ -+#include "ShellcodeManager.hpp" -+ -+#include "Config.hpp" -+ -+#include "Download.hpp" -+ -+#ifdef STDTAGS -+#undef STDTAGS -+#endif -+#define STDTAGS l_mod -+ -+using namespace nepenthes; -+ -+ -+/** -+ * as we may need a global pointer to our Nepenthes in our modules, -+ * and cant access the cores global pointer to nepenthes -+ * we have to use a own global pointer to nepenthes per module -+ * we need this pointer for logInfo() etc -+ */ -+Nepenthes *g_Nepenthes; -+ -+/** -+ * The Constructor -+ * creates a new VulnSAV Module, -+ * VulnSAV is an example for binding a socket & setting up the Dialogue & DialogueFactory -+ * -+ * -+ * it can be used as a shell emu to allow trigger commands -+ * -+ * -+ * sets the following values: -+ * - m_DialogueFactoryName -+ * - m_DialogueFactoryDescription -+ * -+ * @param nepenthes the pointer to our Nepenthes -+ */ -+VulnSAV::VulnSAV(Nepenthes *nepenthes) -+{ -+ m_ModuleName = "vuln-sav"; -+ m_ModuleDescription = "emulate the bug in symantec antivirus product"; -+ m_ModuleRevision = "$Rev$"; -+ m_Nepenthes = nepenthes; -+ -+ m_DialogueFactoryName = "SAV Factory"; -+ m_DialogueFactoryDescription = "Symantec Antivirus Client Dialogue Factory"; -+ -+ g_Nepenthes = nepenthes; -+} -+ -+VulnSAV::~VulnSAV() -+{ -+ -+} -+ -+ -+/** -+ * Module::Init() -+ * -+ * binds the port, adds the DialogueFactory to the Socket -+ * -+ * @return returns true if everything was fine, else false -+ * false indicates a fatal error -+ */ -+bool VulnSAV::Init() -+{ -+/* if ( m_Config == NULL ) -+ { -+ 
logCrit("I need a config\n"); -+ return false; -+ } -+*/ -+ m_Nepenthes->getSocketMgr()->bindTCPSocket(0,2967,0,30,this); -+ return true; -+} -+ -+bool VulnSAV::Exit() -+{ -+ return true; -+} -+ -+/** -+ * DialogueFactory::createDialogue(Socket *) -+ * -+ * creates a new SAVDialogue -+ * -+ * @param socket the socket the DIalogue has to use, can be NULL if the Dialogue can handle it -+ * -+ * @return returns the new created dialogue -+ */ -+Dialogue *VulnSAV::createDialogue(Socket *socket) -+{ -+ return new SAVDialogue(socket); -+// return g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory")->createDialogue(socket); -+} -+ -+ -+ -+ -+ -+ -+ -+/** -+ * Dialogue::Dialogue(Socket *) -+ * construktor for the SAVDialogue, creates a new SAVDialogue -+ * -+ * replies some crap to the socket -+ * -+ * @param socket the Socket the Dialogue has to use -+ */ -+SAVDialogue::SAVDialogue(Socket *socket) -+{ -+ m_Socket = socket; -+ m_DialogueName = "SAVDialogue"; -+ m_DialogueDescription = "Symantec Antivirus Dialogue"; -+ -+ m_ConsumeLevel = CL_ASSIGN; -+ -+ m_Buffer = new Buffer(512); -+} -+ -+SAVDialogue::~SAVDialogue() -+{ -+ delete m_Buffer; -+} -+ -+/** -+ * Dialogue::incomingData(Message *) -+ * -+ * a small and ugly shell where we can use -+ * "download protocol://localction:port/path/to/file -+ * to trigger a download -+ * -+ * @param msg the Message the Socker received. 
-+ *
-+ *
-+ * @return CL_ASSIGN
-+ */
-+ConsumeLevel SAVDialogue::incomingData(Message *msg)
-+{
-+
-+ m_Buffer->add(msg->getMsg(),msg->getSize());
-+
-+ if ( m_Buffer->getSize() > 0xcd0 )
-+ {
-+ Message *Msg = new Message((char *)m_Buffer->getData(), m_Buffer->getSize(),m_Socket->getLocalPort(), m_Socket->getRemotePort(),
-+ m_Socket->getLocalHost(), m_Socket->getRemoteHost(), m_Socket, m_Socket);
-+ sch_result sch;
-+ sch = g_Nepenthes->getShellcodeMgr()->handleShellcode(&Msg);
-+ delete Msg;
-+
-+ if ( sch == SCH_DONE )
-+ {
-+ m_Buffer->clear();
-+ return CL_ASSIGN_AND_DONE;
-+ }
-+
-+ }
-+
-+ return CL_ASSIGN;
-+}
-+
-+/**
-+ * Dialogue::outgoingData(Message *)
-+ * as we are not interested in these socket actions
-+ * we simply return CL_DROP to show the socket
-+ *
-+ * @param msg
-+ *
-+ * @return CL_DROP
-+ */
-+ConsumeLevel SAVDialogue::outgoingData(Message *msg)
-+{
-+ return CL_ASSIGN;
-+}
-+
-+/**
-+ * Dialogue::handleTimeout(Message *)
-+ * as we are not interested in these socket actions
-+ * we simply return CL_DROP to show the socket
-+ *
-+ * @param msg
-+ *
-+ * @return CL_DROP
-+ */
-+ConsumeLevel SAVDialogue::handleTimeout(Message *msg)
-+{
-+ return CL_DROP;
-+}
-+
-+/**
-+ * Dialogue::connectionLost(Message *)
-+ * as we are not interested in these socket actions
-+ * we simply return CL_DROP to show the socket
-+ *
-+ * @param msg
-+ *
-+ * @return CL_DROP
-+ */
-+ConsumeLevel SAVDialogue::connectionLost(Message *msg)
-+{
-+ return CL_DROP;
-+}
-+
-+/**
-+ * Dialogue::connectionShutdown(Message *)
-+ * as we are not interested in these socket actions
-+ * we simply return CL_DROP to show the socket
-+ *
-+ * @param msg
-+ *
-+ * @return CL_DROP
-+ */
-+ConsumeLevel SAVDialogue::connectionShutdown(Message *msg)
-+{
-+ return CL_DROP;
-+}
-+
-+
-+
-+
-+extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes)
-+{
-+ if ( version == MODULE_IFACE_VERSION )
-+ {
-+ *module = new VulnSAV(nepenthes);
-+ return (1);
-+ } else
-+ {
-+ return (0);
-+ }
-+}
-diff -ruN nepenthes-0.2.0/modules/vuln-sav/vuln-sav.hpp nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.hpp
---- nepenthes-0.2.0/modules/vuln-sav/vuln-sav.hpp 1970-01-01 01:00:00.000000000 +0100
-+++ nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.hpp 2007-08-06 00:46:15.000000000 +0200
-@@ -0,0 +1,72 @@
-+/********************************************************************************
-+ * Nepenthes
-+ * - finest collection -
-+ *
-+ *
-+ *
-+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License
-+ * as published by the Free Software Foundation; either version 2
-+ * of the License, or (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-+ * GNU General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU General Public License
-+ * along with this program; if not, write to the Free Software
-+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-+ *
-+ *
-+ * contact nepenthesdev@users.sourceforge.net
-+ *
-+ *******************************************************************************/
-+
-+ /* $Id$ */
-+
-+#include "DialogueFactory.hpp"
-+#include "Module.hpp"
-+#include "ModuleManager.hpp"
-+#include "SocketManager.hpp"
-+#include "Nepenthes.hpp"
-+#include "Dialogue.hpp"
-+#include "Socket.hpp"
-+
-+using namespace std;
-+
-+namespace nepenthes
-+{
-+
-+ class Buffer;
-+
-+ class VulnSAV : public Module , public DialogueFactory
-+ {
-+ public:
-+ VulnSAV(Nepenthes *);
-+ ~VulnSAV();
-+ Dialogue *createDialogue(Socket *socket);
-+ bool Init();
-+ bool Exit();
-+ };
-+
-+ class SAVDialogue : public Dialogue
-+ {
-+ public:
-+ SAVDialogue(Socket *socket);
-+ ~SAVDialogue();
-+ ConsumeLevel incomingData(Message *msg);
-+ ConsumeLevel outgoingData(Message *msg);
-+ ConsumeLevel handleTimeout(Message *msg);
-+ ConsumeLevel connectionLost(Message *msg);
-+ ConsumeLevel connectionShutdown(Message *msg);
-+
-+ protected:
-+ Buffer *m_Buffer;
-+
-+ };
-+
-+}
-+extern nepenthes::Nepenthes *g_Nepenthes;
-diff -ruN nepenthes-0.2.0/modules/vuln-sav/x-2.conf.dist nepenthes-0.2.0-r1345/modules/vuln-sav/x-2.conf.dist
---- nepenthes-0.2.0/modules/vuln-sav/x-2.conf.dist 1970-01-01 01:00:00.000000000 +0100
-+++ nepenthes-0.2.0-r1345/modules/vuln-sav/x-2.conf.dist 2007-08-06 00:46:15.000000000 +0200
-@@ -0,0 +1,5 @@
-+x-2
-+{
-+ ports ("10002");
-+ accepttimeout "45";
-+};
-diff -ruN nepenthes-0.2.0/modules/vuln-ssh/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-ssh/Makefile.am
---- nepenthes-0.2.0/modules/vuln-ssh/Makefile.am 2006-11-13 20:40:03.000000000 +0100
-+++ nepenthes-0.2.0-r1345/modules/vuln-ssh/Makefile.am 2007-08-06 00:46:15.000000000 +0200
-@@ -10,6 +10,6 @@
- 
- pkglib_LTLIBRARIES = vulnssh.la
- 
--vulnssh_la_SOURCES = vuln-ssh.cpp vuln-ssh.hpp SSHSocket.cpp SSHSocket.hpp SSHDialogue.cpp SSHDialogue.hpp vuln-ssh.conf.dist
-+vulnssh_la_SOURCES = vuln-ssh.cpp vuln-ssh.hpp SSHSocket.cpp SSHSocket.hpp SSHDialogue.cpp SSHDialogue.hpp
- 
--vulnssh_la_LDFLAGS = -module -no-undefined -avoid-version
-+vulnssh_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
-diff -ruN nepenthes-0.2.0/modules/vuln-upnp/UPNPDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-upnp/UPNPDialogue.cpp
---- nepenthes-0.2.0/modules/vuln-upnp/UPNPDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
-+++ nepenthes-0.2.0-r1345/modules/vuln-upnp/UPNPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
-@@ -49,6 +49,8 @@
- 
- #include "Utilities.hpp"
- 
-+#include "EventManager.hpp"
-+#include "SocketEvent.hpp"
- 
- #ifdef STDTAGS
- #undef STDTAGS
-@@ -190,5 +192,5 @@
- void UPNPDialogue::dump()
- {
- logWarn("Unknown UPNP exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
-- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
-+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
- }
-diff -ruN nepenthes-0.2.0/modules/vuln-veritas/VERITASDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-veritas/VERITASDialogue.cpp
---- nepenthes-0.2.0/modules/vuln-veritas/VERITASDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
-+++ nepenthes-0.2.0-r1345/modules/vuln-veritas/VERITASDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
-@@ -49,6 +49,8 @@
- 
- #include "Utilities.hpp"
- 
-+#include "EventManager.hpp"
-+#include "SocketEvent.hpp"
- 
- #ifdef STDTAGS
- #undef STDTAGS
-@@ -98,7 +100,7 @@
- m_Buffer->add(msg->getMsg(),msg->getSize());
- 
- logInfo("Traffic for VERITAS (%i bytes)\n",msg->getSize());
-- g_Nepenthes->getUtilities()->hexdump(STDTAGS|l_warn,(byte *) m_Buffer->getData(), m_Buffer->getSize());
-+// g_Nepenthes->getUtilities()->hexdump(STDTAGS|l_warn,(byte *) m_Buffer->getData(), m_Buffer->getSize());
- 
- /*
- switch (m_State)
-@@ -189,5 +191,5 @@
- void VERITASDialogue::dump()
- {
- logWarn("Unknown VERITAS exploit %i bytes State %i\n",m_Buffer->getSize(), m_State);
-- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
-+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
- }
-diff -ruN nepenthes-0.2.0/modules/vuln-wins/WINSDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-wins/WINSDialogue.cpp
---- nepenthes-0.2.0/modules/vuln-wins/WINSDialogue.cpp 2006-11-13 20:40:10.000000000 +0100
-+++ nepenthes-0.2.0-r1345/modules/vuln-wins/WINSDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
-@@ -41,6 +41,9 @@
- 
- #include "Socket.hpp"
- 
-+#include "EventManager.hpp"
-+#include "SocketEvent.hpp"
-+
- #ifdef STDTAGS
- #undef STDTAGS
- #endif
-@@ -123,5 +126,5 @@
- {
- 
- logWarn("WINS unknown shellcode %i bytes State 0\n",m_Buffer->getSize());
-- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
-+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
- }
-diff -ruN nepenthes-0.2.0/modules/x-4/x-4.cpp nepenthes-0.2.0-r1345/modules/x-4/x-4.cpp
---- nepenthes-0.2.0/modules/x-4/x-4.cpp 2006-11-13 20:40:11.000000000 +0100
-+++ nepenthes-0.2.0-r1345/modules/x-4/x-4.cpp 2007-08-06 00:46:15.000000000 +0200
-@@ -118,7 +118,7 @@
- */
- void X4::Submit(Download *down)
- {
-- m_Nepenthes->getUtilities()->hexdump((byte *)down->getDownloadBuffer()->getData(),down->getDownloadBuffer()->getSize());
-+// m_Nepenthes->getUtilities()->hexdump((byte *)down->getDownloadBuffer()->getData(),down->getDownloadBuffer()->getSize());
- }
- 
- /**
-diff -ruN nepenthes-0.2.0/nepenthes-core/include/DNSQuery.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/DNSQuery.hpp
---- nepenthes-0.2.0/nepenthes-core/include/DNSQuery.hpp 2006-11-13 20:40:01.000000000 +0100
-+++ nepenthes-0.2.0-r1345/nepenthes-core/include/DNSQuery.hpp 2007-08-06 00:46:15.000000000 +0200
-@@ -56,6 +56,7 @@
- virtual ~DNSQuery();
- 
- virtual DNSCallback *getCallback();
-+ virtual void cancelCallback();
- virtual string getDNS();
- virtual uint16_t getQueryType();
- virtual void *getObject();
-diff -ruN nepenthes-0.2.0/nepenthes-core/include/Event.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/Event.hpp
---- nepenthes-0.2.0/nepenthes-core/include/Event.hpp 2006-11-13 20:40:01.000000000 +0100
-+++ nepenthes-0.2.0-r1345/nepenthes-core/include/Event.hpp 2007-08-06 00:46:15.000000000 +0200
-@@ -71,6 +71,8 @@
- 
- #define EV_SHELLCODE_DONE 24
- 
-+#define EV_HEXDUMP 25
-+
- class Event
- {
- public:
-diff -ruN nepenthes-0.2.0/nepenthes-core/include/SocketEvent.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/SocketEvent.hpp
---- nepenthes-0.2.0/nepenthes-core/include/SocketEvent.hpp 2006-11-13 20:40:01.000000000 +0100
-+++ nepenthes-0.2.0-r1345/nepenthes-core/include/SocketEvent.hpp 2007-08-06 00:46:15.000000000 +0200
-@@ -137,5 +137,50 @@
- Dialogue *m_Dialogue;
- };
- 
-+#ifdef HAVE_DEBUG_LOGGING
-+#define HEXDUMP(socket,data,size) \
-+{ \
-+ HexdumpEvent *he = new HexdumpEvent(socket,data,size); \
-+ g_Nepenthes->getEventMgr()->handleEvent(he); \
-+ delete he; \
-+}
-+#else // HAVE_DEBUG_LOGGING
-+#define HEXDUMP(socket,data,size)
-+#endif // HAVE_DEBUG_LOGGING
-+
-+
-+
-+ class HexdumpEvent : public Event
-+ {
-+ public:
-+ HexdumpEvent(Socket *s, void *data, uint32_t size)
-+ {
-+ m_EventType = EV_HEXDUMP;
-+ m_Socket = s;
-+ m_Size = size;
-+ m_Data = data;
-+ }
-+
-+ virtual Socket *getSocket()
-+ {
-+ return m_Socket;
-+ }
-+
-+ virtual void *getData()
-+ {
-+ return m_Data;
-+ }
-+
-+ virtual uint32_t getSize()
-+ {
-+ return m_Size;
-+ }
-+
-+ private:
-+ Socket *m_Socket;
-+ void *m_Data;
-+ uint32_t m_Size;
-+ };
-+
- 
- }
-diff -ruN nepenthes-0.2.0/nepenthes-core/include/Utilities.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/Utilities.hpp
---- nepenthes-0.2.0/nepenthes-core/include/Utilities.hpp 2006-11-13 20:40:01.000000000 +0100
-+++ nepenthes-0.2.0-r1345/nepenthes-core/include/Utilities.hpp 2007-08-06 00:46:15.000000000 +0200
-@@ -130,10 +130,10 @@
- void MD5Init(struct MD5Context *context);
- void MD5Update(struct MD5Context *context, unsigned char const *buf,unsigned len);
- void MD5Final(unsigned char digest[16], struct MD5Context *context);
--
-+/*
- virtual void hexdump(byte *data, uint32_t len);
- virtual void hexdump(uint32_t mask, byte *data, uint32_t len);
--
-+*/
- virtual unsigned char *b64encode_alloc(unsigned char *in);
- virtual unsigned char *b64encode_alloc(unsigned char *in, int32_t inlen);
- virtual unsigned char *b64decode_alloc(unsigned char *in);
-diff -ruN nepenthes-0.2.0/nepenthes-core/src/DNSQuery.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/DNSQuery.cpp
---- nepenthes-0.2.0/nepenthes-core/src/DNSQuery.cpp 2006-11-13 20:40:03.000000000 +0100
-+++ nepenthes-0.2.0-r1345/nepenthes-core/src/DNSQuery.cpp 2007-08-06 00:46:15.000000000 +0200
-@@ -54,6 +54,15 @@
- return m_Callback;
- }
- 
-+
-+/**
-+ * chancel the callback
-+ */
-+void DNSQuery::cancelCallback()
-+{
-+ m_Callback = NULL;
-+}
-+
- /**
- * get the dns to resolve
- *
-diff -ruN nepenthes-0.2.0/nepenthes-core/src/DNSResult.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/DNSResult.cpp
---- nepenthes-0.2.0/nepenthes-core/src/DNSResult.cpp 2006-11-13 20:40:03.000000000 +0100
-+++ nepenthes-0.2.0-r1345/nepenthes-core/src/DNSResult.cpp 2007-08-06 00:46:15.000000000 +0200
-@@ -89,7 +89,7 @@
- while ( test->i != -1 )
- {
- m_TXT.append(test->str,test->i);
-- g_Nepenthes->getUtilities()->hexdump((byte *)test->str,test->i);
-+// g_Nepenthes->getUtilities()->hexdump((byte *)test->str,test->i);
- test++;
- }
- }
-diff -ruN nepenthes-0.2.0/nepenthes-core/src/LogManager.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/LogManager.cpp
---- nepenthes-0.2.0/nepenthes-core/src/LogManager.cpp 2006-11-13 20:40:02.000000000 +0100
-+++ nepenthes-0.2.0-r1345/nepenthes-core/src/LogManager.cpp 2007-08-06 00:46:15.000000000 +0200
-@@ -146,7 +146,7 @@
- {
- if ( m_Loggers.size() == 0)
- {
-- printf("%s",message);
-+// printf("%s",message);
- return;
- }
- 
-diff -ruN nepenthes-0.2.0/nepenthes-core/src/Nepenthes.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/Nepenthes.cpp
---- nepenthes-0.2.0/nepenthes-core/src/Nepenthes.cpp 2006-11-13 20:40:03.000000000 +0100
-+++ nepenthes-0.2.0-r1345/nepenthes-core/src/Nepenthes.cpp 2007-08-06 00:46:15.000000000 +0200
-@@ -43,6 +43,8 @@
- #include
- #include
- #include
-+#include
-+#include
- 
- #ifdef HAVE_LIBCAP
- #undef _POSIX_SOURCE
-@@ -211,7 +213,7 @@
- { "user", 1, 0, 'u' },
- { "version", 0, 0, 'V' },
- { "verbose", 0, 0, 'v' },
-- { "workingdir", 0, 0, 'w' },
-+ { "workingdir", 1, 0, 'w' },
- { 0, 0, 0, 0 }
- };
- 
-@@ -370,26 +372,27 @@
- 
- 
- 
-+ m_LogManager->registerTag(l_crit, "crit");
-+ m_LogManager->registerTag(l_warn, "warn");
-+ m_LogManager->registerTag(l_debug, "debug");
-+ m_LogManager->registerTag(l_info, "info");
-+ m_LogManager->registerTag(l_spam, "spam");
-+ m_LogManager->registerTag(l_net, "net");
-+ m_LogManager->registerTag(l_script, "script");
-+ m_LogManager->registerTag(l_shell, "shell");
-+ m_LogManager->registerTag(l_mem, "mem");
-+ m_LogManager->registerTag(l_sc, "sc");
-+ m_LogManager->registerTag(l_dl, "down");
-+ m_LogManager->registerTag(l_mgr, "mgr");
-+ m_LogManager->registerTag(l_hlr, "handler");
-+ m_LogManager->registerTag(l_dia, "dia");
-+ m_LogManager->registerTag(l_sub, "submit");
-+ m_LogManager->registerTag(l_ev, "event");
-+ m_LogManager->registerTag(l_mod, "module");
-+ m_LogManager->registerTag(l_stdtag, "fixme");
-+
- if ( opt.m_runMode != runFileCheck || opt.m_verbose )
- {
-- m_LogManager->registerTag(l_crit, "crit");
-- m_LogManager->registerTag(l_warn, "warn");
-- m_LogManager->registerTag(l_debug, "debug");
-- m_LogManager->registerTag(l_info, "info");
-- m_LogManager->registerTag(l_spam, "spam");
-- m_LogManager->registerTag(l_net, "net");
-- m_LogManager->registerTag(l_script, "script");
-- m_LogManager->registerTag(l_shell, "shell");
-- m_LogManager->registerTag(l_mem, "mem");
-- m_LogManager->registerTag(l_sc, "sc");
-- m_LogManager->registerTag(l_dl, "down");
-- m_LogManager->registerTag(l_mgr, "mgr");
-- m_LogManager->registerTag(l_hlr, "handler");
-- m_LogManager->registerTag(l_dia, "dia");
-- m_LogManager->registerTag(l_sub, "submit");
-- m_LogManager->registerTag(l_ev, "event");
-- m_LogManager->registerTag(l_mod, "module");
-- m_LogManager->registerTag(l_stdtag, "fixme");
- 
- if ( opt.m_consoleTags )
- m_LogManager->addLogger(new ConsoleLogger(m_LogManager), m_LogManager->parseTagString(opt.m_consoleTags));
-@@ -460,52 +463,53 @@
- return 0;
- 
- 
-- if ( opt.m_ringLogger == true )
-+ if ( opt.m_runMode != runFileCheck || opt.m_verbose )
- {
-- string rlpath;
-- try
-- {
-- rlpath = m_Config->getValString("nepenthes.logmanager.ring_logging_file");
-- }
-- catch ( ... )
-+
-+ if ( opt.m_ringLogger == true )
- {
-- logCrit("Could not find nepenthes.logmanager.ring_logging_file in Config\n");
-- return false;
-- }
-+ string rlpath;
-+ try
-+ {
-+ rlpath = m_Config->getValString("nepenthes.logmanager.ring_logging_file");
-+ } catch ( ... )
-+ {
-+ logCrit("Could not find nepenthes.logmanager.ring_logging_file in Config\n");
-+ return (false);
-+ }
- 
- 
-- RingFileLogger *fl = new RingFileLogger(m_LogManager);
-+ RingFileLogger *fl = new RingFileLogger(m_LogManager);
- 
-- fl->setLogFileFormat((char *)rlpath.c_str());
-- fl->setMaxFiles(5);
-- fl->setMaxSize(1024 * 1024);
-+ fl->setLogFileFormat((char *)rlpath.c_str());
-+ fl->setMaxFiles(5);
-+ fl->setMaxSize(1024 * 1024);
- 
-- if ( opt.m_diskTags )
-- m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
-- else
-- m_LogManager->addLogger(fl, l_all);
-+ if ( opt.m_diskTags )
-+ m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
-+ else
-+ m_LogManager->addLogger(fl, l_all);
- 
-- }
-- else
-- {
-- string flpath;
-- try
-- {
-- flpath = m_Config->getValString("nepenthes.logmanager.file_logging_file");
-- }
-- catch ( ... )
-+ } else
- {
-- logCrit("Could not find nepenthes.logmanager.file_logging_file in Config\n");
-- return false;
-- }
-+ string flpath;
-+ try
-+ {
-+ flpath = m_Config->getValString("nepenthes.logmanager.file_logging_file");
-+ } catch ( ... )
-+ {
-+ logCrit("Could not find nepenthes.logmanager.file_logging_file in Config\n");
-+ return (false);
-+ }
- 
-- FileLogger *fl = new FileLogger(m_LogManager);
-- fl->setLogFile(flpath.c_str());
-- if ( opt.m_diskTags )
-- m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
-- else
-- m_LogManager->addLogger(fl, l_all);
-+ FileLogger *fl = new FileLogger(m_LogManager);
-+ fl->setLogFile(flpath.c_str());
-+ if ( opt.m_diskTags )
-+ m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags));
-+ else
-+ m_LogManager->addLogger(fl, l_all);
- 
-+ }
- }
- 
- if (opt.m_daemonize == true)
-@@ -665,7 +669,7 @@
- struct stat fileinfo;
- if ( stat((const char*)argv[opti],&fileinfo) != 0 )
- {
-- printf("failed\n");
-+ printf("Could not stat %s: %s", (const char*)argv[opti], strerror(errno));
- return -1;
- }
- 
-@@ -680,7 +684,10 @@
- )
- 
- {
-- unlink(argv[opti]);
-+ if (unlink(argv[opti]) != 0)
-+ {
-+ printf("could not remove file %s (%s)\n",argv[opti],strerror(errno));
-+ }
- }
- 
- }else
-@@ -693,7 +700,7 @@
- while ( (dirnode = readdir(bindir)) != NULL && m_running == true )
- {
- 
--#if !defined(CYGWIN) && !defined(CYGWIN32) &&!defined(__CYGWIN__) || !defined(__CYGWIN32__)
-+#if defined(d_type_IS_NOT_A_POSIX_SPEC)
- if ( dirnode->d_type == 8 )
- #else
- if (1)
-@@ -708,7 +715,10 @@
- )
- 
- {
-- unlink(filepath.c_str());
-+ if (unlink(filepath.c_str()) != 0)
-+ {
-+ printf("could not remove file %s (%s)\n",filepath.c_str(),strerror(errno));
-+ }
- }
- }
- }
-diff -ruN nepenthes-0.2.0/nepenthes-core/src/SocketManager.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/SocketManager.cpp
---- nepenthes-0.2.0/nepenthes-core/src/SocketManager.cpp 2006-11-13 20:40:03.000000000 +0100
-+++ nepenthes-0.2.0-r1345/nepenthes-core/src/SocketManager.cpp 2007-08-06 00:46:15.000000000 +0200
-@@ -273,13 +273,17 @@
- }
- }
- 
-+ int32_t socketcounter, socketmax;
-+ socketcounter=0;
-+ socketmax = m_Sockets.size();
-+
- int32_t iPollRet = poll(polls,i,50);
- 
- if (iPollRet != 0)
- {
- // read sockets
- i=0;
-- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++)
-+ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax ; itSocket++, socketcounter++)
- {
- if ( (*itSocket)->isPolled() == true )
- {
-@@ -303,7 +307,8 @@
- 
- // write sockets
- i=0;
-- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++)
-+ socketcounter=0;
-+ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax; itSocket++, socketcounter++)
- {
- if ( (*itSocket)->isPolled() == true )
- {
-@@ -331,7 +336,8 @@
- 
- // accept new, non udp clients as udp does not accept()
- i=0;
-- for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++)
-+ socketcounter=0;
-+ for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax; itSocket++, socketcounter++)
- {
- 
- 
-diff -ruN nepenthes-0.2.0/nepenthes-core/src/Utilities.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/Utilities.cpp
---- nepenthes-0.2.0/nepenthes-core/src/Utilities.cpp 2006-11-13 20:40:02.000000000 +0100
-+++ nepenthes-0.2.0-r1345/nepenthes-core/src/Utilities.cpp 2007-08-06 00:46:15.000000000 +0200
-@@ -339,7 +339,7 @@
- 
- // ENDOF MD5Sum
- 
--
-+/*
- 
- void Utilities::hexdump(byte *data, uint32_t len)
- {
-@@ -430,7 +430,7 @@
- 
- }
- 
--
-+*/
- 
- 
- 
diff --git a/network/nepenthes/nepenthes.conf b/network/nepenthes/nepenthes.conf
index 29353e0c7..8a930ae26 100644
--- a/network/nepenthes/nepenthes.conf
+++ b/network/nepenthes/nepenthes.conf
@@ -2,7 +2,7 @@ # This copyright note is auto-generated by ./scripts/Create-CopyPatch. # # Filename: package/.../nepenthes/nepenthes.conf -# Copyright (C) 2006 - 2007 The OpenSDE Project +# Copyright (C) 2006 - 2009 The OpenSDE Project # # More information can be found in the files COPYING and README. # @@ -17,9 +17,6 @@ if [ $prefix_auto = 1 ] ; then set_confopt fi -# we patch configure.ac -hook_add preconf 5 "aclocal ; autoconf ; automake --add-missing" - # Prelude-IDS support if pkginstalled libprelude ; then pkgprefix -t libprelude diff --git a/network/nepenthes/nepenthes.desc b/network/nepenthes/nepenthes.desc index 96d945875..12b52a2ce 100644 --- a/network/nepenthes/nepenthes.desc +++ b/network/nepenthes/nepenthes.desc @@ -2,7 +2,7 @@ [COPY] This copyright note is auto-generated by ./scripts/Create-CopyPatch. [COPY] [COPY] Filename: package/.../nepenthes/nepenthes.desc -[COPY] Copyright (C) 2006 - 2007 The OpenSDE Project +[COPY] Copyright (C) 2006 - 2009 The OpenSDE Project [COPY] [COPY] More information can be found in the files COPYING and README. [COPY] @@ -31,7 +31,7 @@ [L] OpenSource [S] Beta -[V] 0.2.0-1 +[V] 0.2.2 [P] X -----5---9 300.000 -[D] 2264113893 nepenthes-0.2.0.tar.bz2 http://dl.sourceforge.net/sourceforge/nepenthes/ +[D] 1901284442 nepenthes-0.2.2.tar.bz2 http://dl.sourceforge.net/sourceforge/nepenthes/