# --- SDE-COPYRIGHT-NOTE-BEGIN --- # This copyright note is auto-generated by ./scripts/Create-CopyPatch. # # Filename: package/.../nepenthes/nepenthes-0.2.0-update-r1345.patch # Copyright (C) 2007 The OpenSDE Project # # More information can be found in the files COPYING and README. # # This patch file is dual-licensed. It is available under the license the # patched project is licensed under, as long as it is an OpenSource license # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms # of the GNU General Public License as published by the Free Software # Foundation; either version 2 of the License, or (at your option) any later # version. # --- SDE-COPYRIGHT-NOTE-END --- diff -ruN nepenthes-0.2.0/conf/nepenthes.conf.dist nepenthes-0.2.0-r1345/conf/nepenthes.conf.dist --- nepenthes-0.2.0/conf/nepenthes.conf.dist 2006-11-13 20:40:03.000000000 +0100 +++ nepenthes-0.2.0-r1345/conf/nepenthes.conf.dist 2007-08-06 00:46:15.000000000 +0200 @@ -35,10 +35,12 @@ // "submitnorman.so", "submit-norman.conf", "" // "submitnepenthes.so", "submit-nepenthes.conf", "" // send to download-nepenthes in other nepenthes instances // "submitxmlrpc.so", "submit-xmlrpc.conf", "" // submit files to a xmlrpc server +// "submithttp.so", "submit-http.conf", "" // submit files to a web server // logging "logdownload.so", "log-download.conf", "" // "logirc.so", "log-irc.conf", "" // needs configuration +// "logprelude.so", "log-prelude.conf", "" // dumping and logging diff -ruN nepenthes-0.2.0/configure.ac nepenthes-0.2.0-r1345/configure.ac --- nepenthes-0.2.0/configure.ac 2006-11-13 20:50:47.000000000 +0100 +++ nepenthes-0.2.0-r1345/configure.ac 2007-08-06 00:46:15.000000000 +0200 @@ -201,6 +201,9 @@ # libdl AC_SUBST([LIB_DL]) +# libssh +AC_SUBST([LIB_SSH]) + dnl ************************************************** dnl * libdl linking flag * dnl ************************************************** 
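Review bot: `AC_SUBST([LIB_SSH])` exports a variable that nothing in this hunk assigns, so unless a later test in configure.ac (not visible here) sets LIB_SSH, every `$(LIB_SSH)` reference in a module Makefile expands to nothing and the problem surfaces only as unresolved symbols at link time under `-no-undefined`. Pairing the substitution with the AC_CHECK_LIB/pkg-config test that detects libssh and assigns LIB_SSH, or at least initialising it with `LIB_SSH=""` and a comment saying where it is filled in, makes the contract explicit.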
@@ -788,12 +791,11 @@ AC_DEFINE(HAVE_LIBPRELUDE, 1,[Define if you want to use libprelude]) PRELUDE_LDFLAGS=`$LIBPRELUDE_CONFIG --ldflags` PRELUDE_LIBS=`$LIBPRELUDE_CONFIG --libs` - PRELUDE_CPPFLAGS=`$LIBPRELUDE_CONFIG --cflags` + PRELUDE_CPPFLAGS=`$LIBPRELUDE_CONFIG --pthread-cflags` LIB_PRELUDE="$PRELUDE_LIBS" LDFLAG_PRELUDE="$PRELUDE_LDFLAGS" - CPPFLAG="$PRELUDE_CPPFLAGS" - + CPPFLAGS="$CPPFLAGS $PRELUDE_CPPFLAGS" fi fi @@ -913,6 +915,8 @@ modules/submit-gotek/Makefile modules/submit-norman/Makefile modules/submit-postgres/Makefile + modules/submit-http/Makefile + modules/submit-mwserv/Makefile modules/vuln-asn1/Makefile modules/vuln-bagle/Makefile modules/vuln-dameware/Makefile @@ -931,6 +935,7 @@ modules/vuln-pnp/Makefile modules/vuln-realvnc/Makefile modules/vuln-sasserftpd/Makefile + modules/vuln-sav/Makefile modules/vuln-ssh/Makefile modules/vuln-sub7/Makefile modules/vuln-upnp/Makefile diff -ruN nepenthes-0.2.0/modules/Makefile.am nepenthes-0.2.0-r1345/modules/Makefile.am --- nepenthes-0.2.0/modules/Makefile.am 2006-11-13 20:40:11.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/Makefile.am 2007-08-06 00:46:15.000000000 +0200 
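Review bot: `CPPFLAGS="$CPPFLAGS $PRELUDE_CPPFLAGS"` appends the libprelude (and pthread) preprocessor flags to the global CPPFLAGS, so the core and every module are now compiled with them rather than only log-prelude, which is what the `$(CPPFLAG_PRELUDE)` reference removed from modules/log-prelude/Makefile.am further down used to scope them to. The old `CPPFLAG=` line was a typo nothing consumed, so fixing it is right; assigning to the per-module variable the old Makefile.am already referenced, `CPPFLAG_PRELUDE="$PRELUDE_CPPFLAGS"`, and keeping `$(CPPFLAG_PRELUDE)` in that module's AM_CPPFLAGS avoids leaking the flags everywhere. The switch from `--cflags` to `--pthread-cflags` should also be checked against the installed libprelude-config: since the Makefile.am hunk drops the hard-coded `-I/usr/include/libprelude`, the include path must now come entirely from this variable.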
@@ -4,11 +4,11 @@ SUBDIRS = download-creceive download-csend download-curl download-ftp download-http download-link download-tftp download-rcp\ log-download log-irc \ - submit-file submit-gotek submit-norman submit-postgres\ + submit-file submit-gotek submit-norman submit-postgres submit-http submit-mwserv \ shellcode-generic shellemu-winnt \ vuln-asn1 vuln-bagle vuln-dcom vuln-iis vuln-kuang2 vuln-lsass \ vuln-msdtc vuln-msmq vuln-mssql vuln-mydoom \ - vuln-netbiosname vuln-netdde vuln-optix vuln-pnp vuln-sasserftpd \ + vuln-netbiosname vuln-netdde vuln-optix vuln-pnp vuln-sasserftpd vuln-sav \ vuln-sub7 vuln-upnp vuln-veritas vuln-wins vuln-dameware vuln-ssh vuln-realvnc \ module-portwatch module-honeytrap module-bridge module-peiros\ dnsresolve-adns \ diff -ruN nepenthes-0.2.0/modules/dnsresolve-adns/Makefile.am nepenthes-0.2.0-r1345/modules/dnsresolve-adns/Makefile.am --- nepenthes-0.2.0/modules/dnsresolve-adns/Makefile.am 2006-11-13 20:40:10.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/dnsresolve-adns/Makefile.am 2007-08-06 00:46:15.000000000 +0200 @@ -12,4 +12,4 @@ dnsresolveadns_la_SOURCES = dnsresolve-adns.cpp dnsresolve-adns.hpp -dnsresolveadns_la_LDFLAGS = -module -no-undefined -avoid-version +dnsresolveadns_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) diff -ruN nepenthes-0.2.0/modules/dnsresolve-adns/dnsresolve-adns.cpp nepenthes-0.2.0-r1345/modules/dnsresolve-adns/dnsresolve-adns.cpp --- nepenthes-0.2.0/modules/dnsresolve-adns/dnsresolve-adns.cpp 2006-11-13 20:40:10.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/dnsresolve-adns/dnsresolve-adns.cpp 2007-08-06 00:46:15.000000000 +0200 
@@ -47,6 +47,7 @@ #include "EventManager.hpp" +#include "Nepenthes.hpp" using namespace std; diff -ruN nepenthes-0.2.0/modules/download-creceive/CReceiveDialogue.cpp nepenthes-0.2.0-r1345/modules/download-creceive/CReceiveDialogue.cpp --- nepenthes-0.2.0/modules/download-creceive/CReceiveDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/download-creceive/CReceiveDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -87,7 +87,7 @@ CReceiveDialogue::~CReceiveDialogue() { -// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); +// HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); // delete m_Buffer; delete m_Download; } diff -ruN nepenthes-0.2.0/modules/download-curl/Makefile.am nepenthes-0.2.0-r1345/modules/download-curl/Makefile.am --- nepenthes-0.2.0/modules/download-curl/Makefile.am 2006-11-13 20:40:06.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/download-curl/Makefile.am 2007-08-06 00:46:15.000000000 +0200 @@ -12,4 +12,4 @@ downloadcurl_la_SOURCES = download-curl.conf.dist download-curl.hpp download-curl.cpp -downloadcurl_la_LDFLAGS = -module -no-undefined -avoid-version +downloadcurl_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) diff -ruN nepenthes-0.2.0/modules/download-curl/download-curl.cpp nepenthes-0.2.0-r1345/modules/download-curl/download-curl.cpp --- nepenthes-0.2.0/modules/download-curl/download-curl.cpp 2006-11-13 20:40:06.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/download-curl/download-curl.cpp 2007-08-06 00:46:15.000000000 +0200 
@@ -230,7 +230,9 @@ down->getDownloadUrl()->getPort(), down->getDownloadUrl()->getPath().c_str()); // string auth = down->getDownloadUrl()->getUser() + ":" + down->getDownloadUrl()->getPass(); +#if LIBCURL_VERSION_NUM < 0x071000 curl_easy_setopt(pCurlHandle, CURLOPT_SOURCE_USERPWD,(char *)down->getDownloadUrl()->getAuth().c_str()); +#endif curl_easy_setopt(pCurlHandle, CURLOPT_USERPWD,(char *)down->getDownloadUrl()->getAuth().c_str()); curl_easy_setopt(pCurlHandle, CURLOPT_URL , url); curl_easy_setopt(pCurlHandle, CURLOPT_FTP_RESPONSE_TIMEOUT, 120); // 2 min ftp timeout diff -ruN nepenthes-0.2.0/modules/download-http/HTTPDialogue.cpp nepenthes-0.2.0-r1345/modules/download-http/HTTPDialogue.cpp --- nepenthes-0.2.0/modules/download-http/HTTPDialogue.cpp 2006-11-13 20:40:04.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/download-http/HTTPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -178,7 +178,7 @@ if ( end == NULL ) { logWarn("HTTP ERROR header found %i\n", size); - g_Nepenthes->getUtilities()->hexdump((byte *)start,size); +// g_Nepenthes->getUtilities()->hexdump((byte *)start,size); return CL_DROP; }else if ( end != NULL ) diff -ruN nepenthes-0.2.0/modules/download-link/LinkDialogue.cpp nepenthes-0.2.0-r1345/modules/download-link/LinkDialogue.cpp --- nepenthes-0.2.0/modules/download-link/LinkDialogue.cpp 2006-11-13 20:40:10.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/download-link/LinkDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 
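Review bot: Both `curl_easy_setopt` calls pass `down->getDownloadUrl()->getAuth().c_str()`; if getAuth() returns a std::string by value (its declaration is not in this hunk), that pointer dangles as soon as the statement ends, and libcurl releases before 7.17.0 store string options by pointer rather than copying them, so the credentials can be read from freed memory when the transfer runs. Holding the value in a local that lives as long as the handle, `string auth = down->getDownloadUrl()->getAuth();` and passing `auth.c_str()`, removes the dependence on the libcurl version; the `(char *)` cast is unnecessary since curl_easy_setopt is variadic. The `LIBCURL_VERSION_NUM < 0x071000` guard itself is correct, CURLOPT_SOURCE_USERPWD went away with the third-party-transfer options in 7.16.0. The enclosing function starts before and continues past this hunk.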
@@ -122,7 +122,7 @@ case LINK_NULL: { m_Buffer->add(msg->getMsg(),msg->getSize()); -// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); +// HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); msg->getResponder()->doRespond((char *)&m_Challenge,4); m_State = LINK_FILE; diff -ruN nepenthes-0.2.0/modules/log-irc/log-irc.cpp nepenthes-0.2.0-r1345/modules/log-irc/log-irc.cpp --- nepenthes-0.2.0/modules/log-irc/log-irc.cpp 2006-11-13 20:40:09.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/log-irc/log-irc.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -171,7 +171,7 @@ } // m_Nepenthes->getSocketMgr()->bindTCPSocket(0,10002,0,45,this); - g_Nepenthes->getLogMgr()->addLogger(this,l_dl|l_sub); + g_Nepenthes->getLogMgr()->addLogger(this,l_all); return true; } diff -ruN nepenthes-0.2.0/modules/log-prelude/Makefile.am nepenthes-0.2.0-r1345/modules/log-prelude/Makefile.am --- nepenthes-0.2.0/modules/log-prelude/Makefile.am 2006-11-13 20:40:08.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/log-prelude/Makefile.am 2007-08-06 00:46:15.000000000 +0200 @@ -4,7 +4,7 @@ AUTOMAKE_OPTIONS = foreign -AM_CPPFLAGS = -I/usr/include/libprelude -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE $(CPPFLAG_PRELUDE) +AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE AM_CXXFLAGS = -Wall AM_LDFLAGS = $(LDFLAG_PRELUDE) ${LIB_PRELUDE} 
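Review bot: `addLogger(this,l_all)` subscribes the IRC logger to every log tag instead of the download and submission events it was limited to, so all module, event and debug output is now relayed to the IRC channel. Besides the traffic on a single IRC connection, that exposes internal details (hostnames, module state, error text) to anyone who can read the channel; if the wider set is intended, it should be a mask read from the module's configuration with `l_dl|l_sub` as the default rather than a compile-time constant. The enclosing function starts before this hunk.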
@@ -12,5 +12,5 @@ logprelude_la_SOURCES = log-prelude.cpp log-prelude.hpp log-prelude.conf.dist -logprelude_la_LDFLAGS = -module -no-undefined -avoid-version +logprelude_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.conf.dist --- nepenthes-0.2.0/modules/log-prelude/log-prelude.conf.dist 2006-11-13 20:40:08.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.conf.dist 2007-08-06 00:46:15.000000000 +0200 @@ -1,7 +1,9 @@ log-prelude { - analyzerClass "NIDS"; - analyzerModel "nepenthes"; - analyzerName "nepenthes"; - + + // Name of the Prelude analyzer to use (default is nepenthes). + // analyzerName "nepenthes"; + + // Name of the Prelude profile to use (default is nepenthes). + // analyzerProfile "nepenthes"; }; diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp --- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp 2006-11-13 20:40:08.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp 2007-08-06 00:48:07.000000000 +0200 @@ -27,14 +27,6 @@ /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */ -#ifdef HAVE_LIBPRELUDE -#include -#include -#include -#include -#include -#endif - #include #include "log-prelude.hpp" #include "Nepenthes.hpp" @@ -63,7 +55,11 @@ #define STDTAGS l_mod | l_ev | l_hlr #define ANALYZER_MANUFACTURER "http://nepenthes.sf.net" -#define NEPENTHES_VERSION "$Rev: 550 $" +#define DEFAULT_ANALYZER_NAME "nepenthes" +#define DEFAULT_ANALYZER_PROFILE "nepenthes" +#define ANALYZER_MODEL "Nepenthes" +#define ANALYZER_CLASS "Honeypot" +#define ANALYZER_MANUFACTURER "http://nepenthes.mwcollect.org/" 
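Review bot: `$(AM_LDFLAGS)` appended to `logprelude_la_LDFLAGS` carries `${LIB_PRELUDE}` (see the AM_LDFLAGS context line in the previous hunk), so the prelude libraries are passed as linker flags ahead of the object files; with linkers that default to `--as-needed` they are discarded before any object references them, and `-no-undefined` then turns that into a link failure. Libraries belong in `logprelude_la_LIBADD = $(LIB_PRELUDE)` with only `$(LDFLAG_PRELUDE)` left in AM_LDFLAGS. The same `$(AM_LDFLAGS)` addition appears in modules/dnsresolve-adns/Makefile.am and modules/download-curl/Makefile.am, where it is harmless as long as their AM_LDFLAGS hold no libraries.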
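Review bot: `#define ANALYZER_MANUFACTURER "http://nepenthes.mwcollect.org/"` is added while the context line above still defines ANALYZER_MANUFACTURER as `"http://nepenthes.sf.net"`, so the preprocessor sees a redefinition with a different body; the compiler warns and the second value silently wins, which leaves it unclear which URL the analyzer reports. Remove the old line in this hunk, `-#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net"`. NEPENTHES_VERSION is dropped here and the later hunk uses `VERSION` in its place; that macro presumably comes from config.h, so an include of it (guarded by HAVE_CONFIG_H) needs to precede its first use, and the earlier hunk that removes the libprelude includes from this file only works if log-prelude.hpp now pulls those headers in.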
@@ -132,28 +128,21 @@ #ifdef HAVE_LIBPRELUDE - if ( m_Config == NULL ) - { - logCrit("I need a config\n"); - return false; - } - - string analyzerClass; - string analyzerModel; string analyzerName; - - try - { - analyzerClass = (m_Config->getValString("log-prelude.analyzerClass")); - analyzerModel = m_Config->getValString("log-prelude.analyzerModel"); - analyzerName = m_Config->getValString("log-prelude.analyzerName"); - - } catch ( ... ) - { - logCrit("Error setting needed vars, check your config\n"); - return false; - } - + string analyzerProfile; + + try { + analyzerName = m_Config->getValString("log-prelude.analyzerName"); + } catch ( ... ) { + analyzerName = DEFAULT_ANALYZER_NAME; + } + + try { + analyzerProfile = m_Config->getValString("log-prelude.analyzerProfile"); + } catch ( ... ) { + analyzerProfile = DEFAULT_ANALYZER_PROFILE; + } + m_ModuleManager = m_Nepenthes->getModuleMgr(); m_Events.set(EV_SOCK_TCP_ACCEPT); m_Events.set(EV_SOCK_TCP_CLOSE); 
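Review bot: The removed `if ( m_Config == NULL )` guard is not replaced, and both new `try` blocks dereference `m_Config->getValString(...)` directly; a null pointer there is a crash, not an exception, so the `catch ( ... )` fallbacks to the defaults never run in exactly the case the old code handled. Initialise the locals with the defaults, `string analyzerName = DEFAULT_ANALYZER_NAME;` and `string analyzerProfile = DEFAULT_ANALYZER_PROFILE;`, and wrap the two try blocks in `if ( m_Config != NULL )`, which also removes the duplicated catch bodies. `catch ( ... )` additionally hides unrelated failures from the config layer; catching the specific type getValString throws, if it has one, would be tighter. LogPrelude::Init() starts before this hunk and continues past it.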
@@ -163,44 +152,39 @@ m_Events.set(EV_DOWNLOAD); m_Events.set(EV_SUBMISSION); - - const char *profile, *config; - - config = NULL; - profile = analyzerName.c_str(); - - - - int32_t ret; // Initialize Prelude Library ret = prelude_init(NULL, NULL); - if ( ret < 0 ) + if ( ret < 0 ) { logCrit("%s: Unable to initialize the Prelude library: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); + return false; + } // generate a new Prelude client - ret = prelude_client_new(&m_PreludeClient, profile); + ret = prelude_client_new(&m_PreludeClient, analyzerProfile.c_str()); - if ( ret < 0 ) + if ( ret < 0 ) { logCrit("%s: Unable to create a prelude client object: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); + return false; + } - + // set options in the analyzer-part of the client prelude_string_t *string; - ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); + ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); if ( ret < 0 ) return false; - prelude_string_set_constant(string, analyzerModel.c_str()); - - ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); + prelude_string_set_constant(string, ANALYZER_CLASS); + + ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); if ( ret < 0 ) return false; - prelude_string_set_constant(string, analyzerClass.c_str()); + prelude_string_set_constant(string, ANALYZER_MODEL); ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string); if ( ret < 0 ) 
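Review bot: The new `return false` after `prelude_client_new` fails leaves the library initialised by the successful `prelude_init` call without a matching `prelude_deinit()`, and the unchanged `return false` lines after each `idmef_analyzer_new_*` failure additionally return without any logCrit, so the operator sees the module fail to load with no reason given. If Exit() still matches the copy in the backup file appended further down, it calls prelude_deinit only when m_PreludeClient is non-NULL, which is presumably not the case on the prelude_client_new path, so that cleanup never happens. Adding `prelude_deinit();` before the early return in the prelude_client_new branch and logging `prelude_strerror(ret)` before the analyzer-field returns closes both gaps. LogPrelude::Init() starts before this hunk and continues past it.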
@@ -209,28 +193,31 @@ ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string); if ( ret < 0 ) - return false; - - prelude_string_set_constant(string, NEPENTHES_VERSION); + return false; + prelude_string_set_constant(string, VERSION); -// start the Prelude Client + ret = idmef_analyzer_new_name(prelude_client_get_analyzer(m_PreludeClient), &string); + if ( ret < 0 ) + return false; + prelude_string_set_dup(string, analyzerName.c_str()); + + // start the Prelude Client ret = prelude_client_start(m_PreludeClient); if ( ret < 0 ) { - if ( prelude_client_is_setup_needed(ret) ) - prelude_client_print_setup_error(m_PreludeClient); - logCrit("%s: Unable to initialize prelude client: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); + return false; } -// set async Prelude Flags for the client, makes the application multithreaded - ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); - if ( ret < 0 ) + // set async Prelude Flags for the client, makes the application multithreaded + ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); + if ( ret < 0 ) { logCrit("%s: Unable to set asynchronous send and timer: %s.\n", prelude_strsource(ret), prelude_strerror(ret)); - + return false; + } REG_EVENT_HANDLER(this); return true; @@ -274,7 +261,7 @@ idmef_value_t *val; idmef_path_t *path; - ret = idmef_path_new(&path, object); + ret = idmef_path_new_fast(&path, object); if ( ret < 0 ) { logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); 
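Review bot: The `prelude_client_start` failure branch now returns false, which is right, but the removed `prelude_client_is_setup_needed(ret)` / `prelude_client_print_setup_error(m_PreludeClient)` pair was the only message telling an operator that the analyzer profile (analyzerProfile, default nepenthes) has not been registered on the Prelude side; with it gone the log shows only the generic strerror text. Keeping those two lines inside the `if ( ret < 0 ) {` block preserves the diagnostic at no cost. `prelude_string_set_constant(string, VERSION)` relies on VERSION being a string-literal macro with static lifetime, while the new analyzer-name code correctly uses `prelude_string_set_dup` because analyzerName is a local that dies when Init() returns. The function starts before this hunk.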
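Review bot: Switching to `idmef_path_new_fast` changes more than speed: in libprelude's API `idmef_path_new` takes a printf-style format, so a `%` in `object` would have been interpreted, while the `_fast` variant uses the argument verbatim; since `object` is a parameter of add_idmef_object, this is the safer call for any caller-supplied value. A short comment above the call, `// _fast: object is used verbatim, not as a format string`, would record why the plain variant is preferred. add_idmef_object continues outside the hunk.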
@@ -376,7 +363,6 @@ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established"); add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT); -// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); @@ -449,7 +435,6 @@ add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed"); add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE); -// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); @@ -515,7 +500,6 @@ // hl: added ident add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE); - // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp~ --- nepenthes-0.2.0/modules/log-prelude/log-prelude.cpp~ 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.cpp~ 2006-11-13 20:40:08.000000000 +0100 
@@ -0,0 +1,857 @@ +/******************************************************************************** + * Nepenthes + * - finest collection - + * + * + * + * Copyright (C) 2005 Paul Baecher & Markus Koetter + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * + * contact nepenthesdev@users.sourceforge.net + * + *******************************************************************************/ + + /* $Id: log-prelude.cpp 550 2006-05-04 10:25:35Z common $ */ + +#ifdef HAVE_LIBPRELUDE +#include +#include +#include +#include +#include +#endif + +#include +#include "log-prelude.hpp" +#include "Nepenthes.hpp" +#include "LogManager.hpp" +#include "EventManager.hpp" +#include "SubmitEvent.hpp" + +#include "Download.hpp" +#include "DownloadUrl.hpp" +#include "DownloadBuffer.hpp" + +#include "Socket.hpp" +#include "SocketEvent.hpp" + +#include "Message.hpp" +#include "Utilities.hpp" +#include "Config.hpp" +#include "ShellcodeHandler.hpp" + + +using namespace nepenthes; + +#ifdef STDTAGS +#undef STDTAGS +#endif + +#define STDTAGS l_mod | l_ev | l_hlr +#define ANALYZER_MANUFACTURER "http://nepenthes.sf.net" +#define NEPENTHES_VERSION "$Rev: 550 $" + + + +/** + * as we may need a global pointer to our Nepenthes in our modules, + * and cant access the cores global pointer to nepenthes + * we have to use a 
own global pointer to nepenthes per module + * we need this pointer for logInfo() etc + */ +Nepenthes *g_Nepenthes; + +/** + * Constructor + * creates a new LogPrelude Module, where x% is public Module, public EventHandler + * - sets the ModuleName + * - sets the ModuleDescription + * - sets the EventHandlerName + * - sets the EventHandlerDescription + * - sets the EventHandlers Timeout + * - sets the Modules global pointer to the Nepenthes + * + * @param nepenthes pointer to our nepenthes master class + */ +LogPrelude::LogPrelude(Nepenthes *nepenthes) +{ + m_ModuleName = "log-prelude"; + m_ModuleDescription = "event based prelude logger"; + m_ModuleRevision = "$Rev: 550 $"; + m_Nepenthes = nepenthes; + + m_EventHandlerName = "LogPreludeEventHandler"; + m_EventHandlerDescription = "log events to a prelude database"; + +// m_Timeout = time(NULL) + rand()%23; + + g_Nepenthes = nepenthes; + +#ifdef HAVE_LIBPRELUDE + m_PreludeClient = NULL; +#endif +} + + +/** + * exerything important happens in ::Exit() as we have a return value there + */ +LogPrelude::~LogPrelude() +{ + +} + + + +/** + * bool Module::Init() + * setup Module specific values + * here: + * - register as EventHandler + * - set wanted events + * + * @return returns true if everything was fine, else false + * returning false will showup errors in warning a module + */ +bool LogPrelude::Init() +{ + +#ifdef HAVE_LIBPRELUDE + + if ( m_Config == NULL ) + { + logCrit("I need a config\n"); + return false; + } + + string analyzerClass; + string analyzerModel; + string analyzerName; + + try + { + analyzerClass = (m_Config->getValString("log-prelude.analyzerClass")); + analyzerModel = m_Config->getValString("log-prelude.analyzerModel"); + analyzerName = m_Config->getValString("log-prelude.analyzerName"); + + } catch ( ... 
) + { + logCrit("Error setting needed vars, check your config\n"); + return false; + } + + m_ModuleManager = m_Nepenthes->getModuleMgr(); + m_Events.set(EV_SOCK_TCP_ACCEPT); + m_Events.set(EV_SOCK_TCP_CLOSE); + m_Events.set(EV_DIALOGUE_ASSIGN_AND_DONE); + m_Events.set(EV_SHELLCODE_DONE); + + m_Events.set(EV_DOWNLOAD); + m_Events.set(EV_SUBMISSION); + + + const char *profile, *config; + + config = NULL; + profile = analyzerName.c_str(); + + + + + int32_t ret; +// Initialize Prelude Library + ret = prelude_init(NULL, NULL); + if ( ret < 0 ) + logCrit("%s: Unable to initialize the Prelude library: %s.\n", + prelude_strsource(ret), + prelude_strerror(ret)); + +// generate a new Prelude client + ret = prelude_client_new(&m_PreludeClient, profile); + + if ( ret < 0 ) + logCrit("%s: Unable to create a prelude client object: %s.\n", + prelude_strsource(ret), + prelude_strerror(ret)); + + + // set options in the analyzer-part of the client + prelude_string_t *string; + + ret = idmef_analyzer_new_model(prelude_client_get_analyzer(m_PreludeClient), &string); + if ( ret < 0 ) + return false; + prelude_string_set_constant(string, analyzerModel.c_str()); + + ret = idmef_analyzer_new_class(prelude_client_get_analyzer(m_PreludeClient), &string); + if ( ret < 0 ) + return false; + prelude_string_set_constant(string, analyzerClass.c_str()); + + ret = idmef_analyzer_new_manufacturer(prelude_client_get_analyzer(m_PreludeClient), &string); + if ( ret < 0 ) + return false; + prelude_string_set_constant(string, ANALYZER_MANUFACTURER); + + ret = idmef_analyzer_new_version(prelude_client_get_analyzer(m_PreludeClient), &string); + if ( ret < 0 ) + return false; + + prelude_string_set_constant(string, NEPENTHES_VERSION); + +// start the Prelude Client + ret = prelude_client_start(m_PreludeClient); + if ( ret < 0 ) + { + if ( prelude_client_is_setup_needed(ret) ) + prelude_client_print_setup_error(m_PreludeClient); + + logCrit("%s: Unable to initialize prelude client: %s.\n", + 
prelude_strsource(ret), prelude_strerror(ret)); + } + +// set async Prelude Flags for the client, makes the application multithreaded + ret = prelude_client_set_flags(m_PreludeClient, (prelude_client_flags_t) (PRELUDE_CLIENT_FLAGS_CONNECT | PRELUDE_CLIENT_FLAGS_ASYNC_SEND | PRELUDE_CLIENT_FLAGS_ASYNC_TIMER)); + if ( ret < 0 ) + logCrit("%s: Unable to set asynchronous send and timer: %s.\n", + prelude_strsource(ret), + prelude_strerror(ret)); + + + REG_EVENT_HANDLER(this); + return true; +#else + logCrit("Module log-prelude is compiled without libprelude, this wont work, reconfigure the whole source and recompile"); + return false; +#endif + +} + + +/** + * unregister as EventHandler, destroy the Prelude Client + * + * @return returns true if everything was fine + */ +bool LogPrelude::Exit() +{ +#ifdef HAVE_LIBPRELUDE + if( m_PreludeClient != NULL) + { + prelude_client_destroy(m_PreludeClient, (prelude_client_exit_status_t)(PRELUDE_CLIENT_EXIT_STATUS_SUCCESS)); + prelude_deinit(); + } + // disabled by harald due to segfaults + //UNREG_EVENT_HANDLER(this); +#endif + return true; +} + + + +/** + * This function adds char * idmef values into an idmef message + * + */ +#ifdef HAVE_LIBPRELUDE +int32_t add_idmef_object(idmef_message_t *message, const char *object, const char *value) +{ + int32_t ret=0; + idmef_value_t *val; + idmef_path_t *path; + + ret = idmef_path_new(&path, object); + if ( ret < 0 ) + { + logWarn("imdef error #1 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); + return -1; + } + + ret = idmef_value_new_from_path(&val, path, value); + if ( ret < 0 ) + { + idmef_path_destroy(path); + logWarn("imdef error #2 %s -> %s %i (%s) \n",object,value,ret, prelude_strerror(ret)); + return -1; + } + + ret = idmef_path_set(path, message, val); + + idmef_value_destroy(val); + idmef_path_destroy(path); + return ret; +} + + +/** + * + * This function adds int32_t idmef values into an idmef message + */ +int32_t add_idmef_object(idmef_message_t *message, 
const char *object, int32_t i) +{ + char value[20]; + memset(value,0,20); + snprintf(value,19,"%i",i); + return add_idmef_object(message,object,value); +} + +#endif + + +/** + * the handleEvent method is called whenever an event occurs + * the EventHandler wanted to have. + * + * @param event the Event + * + * @return return 0 + */ +uint32_t LogPrelude::handleEvent(Event *event) +{ +// logPF(); +// logInfo("Event %i\n",event->getType()); + switch(event->getType()) + { + + case EV_SOCK_TCP_ACCEPT: + handleTCPaccept(event); + break; + + case EV_SOCK_TCP_CLOSE: + handleTCPclose(event); + break; + + case EV_SUBMISSION: + handleSubmission(event); + break; + + case EV_DIALOGUE_ASSIGN_AND_DONE: + handleDialogueAssignAndDone(event); + break; + + case EV_SHELLCODE_DONE: + handleShellcodeDone(event); + break; + + + case EV_DOWNLOAD: + handleDownload(event); + break; + + default: + logWarn("this should not happen\n"); + } + return 0; +} + + +void LogPrelude::handleTCPaccept(Event *event) +{ + + + logInfo("LogPrelude EVENT EV_SOCK_TCP_ACCEPT\n"); + +#ifdef HAVE_LIBPRELUDE + Socket *socket = ((SocketEvent *)event)->getSocket(); + + idmef_message_t *idmef; + + int32_t ret = idmef_message_new(&idmef); + if ( ret < 0 ) + return; + + add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection established"); + add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_ACCEPT); +// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); + + + add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); + add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); + add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); + + uint32_t addr = socket->getRemoteHost(); + string address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); + + + add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes"); + add_idmef_object(idmef, 
"alert.target(0).Service.protocol" ,"TCP"); + add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); + + addr = socket->getLocalHost(); + address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); + + + + + idmef_time_t *time; + + ret = idmef_time_new_from_gettimeofday(&time); + idmef_alert_set_create_time(idmef_message_get_alert(idmef), + time); + + + // analyzer id + idmef_alert_set_analyzer(idmef_message_get_alert(idmef), + idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), + IDMEF_LIST_PREPEND); + + + prelude_client_send_idmef(m_PreludeClient, idmef); + + //prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); + //const char *msgid = prelude_string_get_string(field); + + //logInfo("PreludeMessageID = %s \n",msgid); + + idmef_message_destroy(idmef); +#endif +} + + + + +void LogPrelude::handleTCPclose(Event *event) +{ + + Socket *socket = ((SocketEvent *)event)->getSocket(); + + if (! 
socket->isAccept()) + { + return; + } + + logInfo("LogPrelude EVENT EV_SOCK_TCP_CLOSE\n"); + +#ifdef HAVE_LIBPRELUDE + + idmef_message_t *idmef; + + int32_t ret = idmef_message_new(&idmef); + if ( ret < 0 ) + return; + + + add_idmef_object(idmef, "alert.classification.text" ,"TCP Connection closed"); + add_idmef_object(idmef, "alert.classification.ident", EV_SOCK_TCP_CLOSE); +// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); + + + add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); + add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); + + uint32_t addr = socket->getRemoteHost(); + string address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); + + add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); + add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); + + addr = socket->getLocalHost(); + address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.target(0).Node.Address(0).address",address.c_str()); + + idmef_time_t *time; + + ret = idmef_time_new_from_gettimeofday(&time); + idmef_alert_set_create_time(idmef_message_get_alert(idmef), + time); + + + // analyzer id + idmef_alert_set_analyzer(idmef_message_get_alert(idmef), + idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), + IDMEF_LIST_PREPEND); + + + prelude_client_send_idmef(m_PreludeClient, idmef); + +// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); +// const char *msgid = prelude_string_get_string(field); + +// logInfo("CloseMessageID = %s \n",msgid); + + idmef_message_destroy(idmef); + +#endif +} + + +/** + * Send idmef message when finished with the Shellcode + * + */ +void LogPrelude::handleShellcodeDone(Event *event) +{ + logInfo("LogPrelude EVENT EV_SHELLCODE_DONE\n"); + +#ifdef HAVE_LIBPRELUDE + + ShellcodeHandler *handler = ((ShellcodeEvent 
*)event)->getShellcodeHandler(); + Socket *socket = ((ShellcodeEvent *)event)->getSocket(); + + idmef_message_t *idmef; + + int32_t ret = idmef_message_new(&idmef); + if ( ret < 0 ) + return; + string shellcodeText = "Shellcode detected: " + handler->getShellcodeHandlerName(); + add_idmef_object(idmef, "alert.classification.text", shellcodeText.c_str()); + // hl: added ident + add_idmef_object(idmef, "alert.classification.ident", EV_SHELLCODE_DONE); + + // add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); + + + add_idmef_object(idmef, "alert.source(0).Spoofed" ,"no"); + add_idmef_object(idmef, "alert.source(0).Service.protocol" ,"TCP"); + add_idmef_object(idmef, "alert.source(0).Service.port" ,socket->getRemotePort()); + + uint32_t addr = socket->getRemoteHost(); + string address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); + + + add_idmef_object(idmef, "alert.target(0).Decoy" ,"yes"); + add_idmef_object(idmef, "alert.target(0).Service.protocol" ,"TCP"); + add_idmef_object(idmef, "alert.target(0).Service.port" ,socket->getLocalPort()); + + addr = socket->getLocalHost(); + address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); + + + add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Shellcode has been detected."); + add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium"); +// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); + add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); + + + // hl: added for additional information + add_idmef_object(idmef, "alert.additional_data(0).type", "string"); + add_idmef_object(idmef, "alert.additional_data(0).meaning", "Shellcode"); + add_idmef_object(idmef, "alert.additional_data(0).data", handler->getShellcodeHandlerName().c_str()); + + + idmef_time_t *time; + + ret = 
idmef_time_new_from_gettimeofday(&time); + idmef_alert_set_create_time(idmef_message_get_alert(idmef), + time); + + + // analyzer id + idmef_alert_set_analyzer(idmef_message_get_alert(idmef), + idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), + IDMEF_LIST_PREPEND); + + + prelude_client_send_idmef(m_PreludeClient, idmef); + +// prelude_string_t *field = idmef_alert_get_messageid(idmef_message_get_alert(idmef)); +// const char *msgid = prelude_string_get_string(field); +// logInfo("RecvMessageID = %s \n",msgid); + + idmef_message_destroy(idmef); +#endif +} + + +/** + * + * handle submitted files + */ +void LogPrelude::handleSubmission(Event *event) +{ + SubmitEvent *se = (SubmitEvent *)event; + Download *down = se->getDownload(); + + logInfo("LogPrelude EVENT EV_SUBMISSION %s %s %i \n",down->getUrl().c_str(), + down->getMD5Sum().c_str(), + down->getDownloadBuffer()->getSize()); + +#ifdef HAVE_LIBPRELUDE + idmef_message_t *idmef; + + int32_t ret = idmef_message_new(&idmef); + if ( ret < 0 ) + return; + + // generic information + // hl: changed submited to submitted, added ident + add_idmef_object(idmef, "alert.classification.text" ,"Malware submitted"); + add_idmef_object(idmef, "alert.classification.ident", EV_SUBMISSION); + + string url = "http://nepenthes.sf.net/wiki/submission/" + down->getMD5Sum(); + add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); + add_idmef_object(idmef, "alert.classification.reference(0).url" ,url.c_str() ); + + + // file name and info + // hl: changed file tags because of DTD violation + add_idmef_object(idmef, "alert.target(0).file(0).name" ,down->getDownloadUrl()->getFile().c_str()); + add_idmef_object(idmef, "alert.target(0).file(0).path" ,down->getUrl().c_str()); + add_idmef_object(idmef, "alert.target(0).file(0).category" ,"current"); + add_idmef_object(idmef, "alert.target(0).file(0).ident" ,down->getMD5Sum().c_str()); + add_idmef_object(idmef, "alert.target(0).file(0).data_size" 
,down->getDownloadBuffer()->getSize()); + + //hl: some debug stuff, prelude-manager doesnt write the checksums into xml + ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5"); + //logInfo("LogPrelude DEBUG MD5 %i\n", ret); + ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).value" ,down->getMD5Sum().c_str()); + //logInfo("LogPrelude DEBUG Hash %i\n", ret); + ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).algorithm" ,"SHA2-512"); + //logInfo("LogPrelude DEBUG SHA %i\n", ret); + ret = add_idmef_object(idmef, "alert.target(0).file(0).checksum(1).value" ,down->getSHA512Sum().c_str()); + //logInfo("LogPrelude DEBUG Hash %i\n", ret); + + uint32_t addr = down->getLocalHost(); + string address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); + + + + // infection host + addr = down->getRemoteHost(); + address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); + + + // download source + add_idmef_object(idmef, "alert.source(0).Service.port", down->getDownloadUrl()->getPort()); + + /* hl: previous dirty workaround -> commented + string protocol; + if (down->getDownloadUrl()->getProtocol() == "tftp" ) + protocol = "UDP"; + else + protocol = "TCP"; + + add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); + */ + + add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); + // hl: not needed + //add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); + + add_idmef_object(idmef, "alert.assessment.impact.description" ,"possible Malware stored for further analysis"); + add_idmef_object(idmef, "alert.assessment.impact.severity" ,"high"); +// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); + add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); + + // time 
+ idmef_time_t *time; + ret = idmef_time_new_from_gettimeofday(&time); + idmef_alert_set_create_time(idmef_message_get_alert(idmef), + time); + + + // analyzer id + idmef_alert_set_analyzer(idmef_message_get_alert(idmef), + idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), + IDMEF_LIST_PREPEND); + + + prelude_client_send_idmef(m_PreludeClient, idmef); + idmef_message_destroy(idmef); + +#endif +} + + + +/** + * + * + * + */ +void LogPrelude::handleDialogueAssignAndDone(Event *event) +{ + logInfo("LogPrelude EVENT EV_ASSIGN_AND_DONE\n"); + +#ifdef HAVE_LIBPRELUDE + + Dialogue *dia = ((DialogueEvent *)event)->getDialogue(); + Socket *socket = ((DialogueEvent *)event)->getSocket(); + idmef_message_t *idmef; + + int32_t ret = idmef_message_new(&idmef); + if ( ret < 0 ) + return; + + string attack = "Exploit attempt: " + dia->getDialogueName(); + + // generic information + add_idmef_object(idmef, "alert.classification.text", attack.c_str()); + // hl: added ident field + add_idmef_object(idmef, "alert.classification.ident", EV_DIALOGUE_ASSIGN_AND_DONE); + +// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); + + + // attacker + uint32_t addr = socket->getRemoteHost(); + string address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.source(0).Node.Address(0).address", address.c_str()); + + // target + addr = socket->getLocalHost(); + address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.target(0).Node.Address(0).address", address.c_str()); + +// string protocol; +// if (down->getDownloadUrl()->getProtocol() == "tftp" ) +// protocol = "UDP"; +// else +// protocol = "TCP"; +// +// add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); +// add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); +// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); + + add_idmef_object(idmef, 
"alert.assessment.impact.description" ,"An exploit attempt is getting handled."); + add_idmef_object(idmef, "alert.assessment.impact.severity" ,"low"); +// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); + add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); + + + // hl: added + add_idmef_object(idmef, "alert.additional_data(0).type", "string"); + add_idmef_object(idmef, "alert.additional_data(0).meaning", "Dialogue"); + add_idmef_object(idmef, "alert.additional_data(0).data", dia->getDialogueName().c_str()); + + // time + idmef_time_t *time; + ret = idmef_time_new_from_gettimeofday(&time); + idmef_alert_set_create_time(idmef_message_get_alert(idmef), + time); + + + // analyzer id + idmef_alert_set_analyzer(idmef_message_get_alert(idmef), + idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), + IDMEF_LIST_PREPEND); + + + prelude_client_send_idmef(m_PreludeClient, idmef); + + + idmef_message_destroy(idmef); + +#endif +} + + + + + + +/** + * + * + */ +void LogPrelude::handleDownload(Event *event) +{ + SubmitEvent *se = (SubmitEvent *)event; + Download *down = se->getDownload(); + string url = se->getDownload()->getUrl(); + + se->getType(); + logInfo("LogPrelude EVENT EV_DOWNLOAD %s %s %i \n",down->getUrl().c_str(), + down->getMD5Sum().c_str(), + down->getDownloadBuffer()->getSize()); + +#ifdef HAVE_LIBPRELUDE + + idmef_message_t *idmef; + + int32_t ret = idmef_message_new(&idmef); + if ( ret < 0 ) + return; + + // generic information + // hl: changed message + string message = "possible Malware offered: " + down->getUrl(); + + add_idmef_object(idmef, "alert.classification.text", message.c_str()); + // hl: changed to ident number + add_idmef_object(idmef, "alert.classification.ident", EV_DOWNLOAD); + +// add_idmef_object(idmef, "alert.classification.reference(0).origin" ,"vendor-specific" ); + + + // infection host + uint32_t addr = down->getRemoteHost(); + string address = inet_ntoa(*(in_addr *)&addr); + 
add_idmef_object(idmef, "alert.source(0).Node.Address(0).address" ,address.c_str()); + //target host + addr = down->getLocalHost(); + address = inet_ntoa(*(in_addr *)&addr); + add_idmef_object(idmef, "alert.target(0).Node.Address(0).address" ,address.c_str()); + + + // download source + // hl: removed protocol, added url + /* + string protocol; + if (down->getDownloadUrl()->getProtocol() == "tftp" ) + protocol = "UDP"; + else + protocol = "TCP"; + */ + add_idmef_object(idmef, "alert.source(0).Service.port" ,down->getDownloadUrl()->getPort()); + //add_idmef_object(idmef, "alert.source(0).Service.protocol" ,protocol.c_str()); + add_idmef_object(idmef, "alert.source(0).Service.web_service.url" ,down->getUrl().c_str()); +// add_idmef_object(idmef, "alert.source(0).Service.web_service.http_method" ,"get"); + add_idmef_object(idmef, "alert.assessment.impact.description" ,"Parsing the Shellcode has unrevealed a URL."); + add_idmef_object(idmef, "alert.assessment.impact.severity" ,"medium"); +// add_idmef_object(idmef, "alert.assessment.impact.completion" ,"succeeded"); + add_idmef_object(idmef, "alert.assessment.impact.type" ,"other"); + + // time + idmef_time_t *time; + ret = idmef_time_new_from_gettimeofday(&time); + idmef_alert_set_create_time(idmef_message_get_alert(idmef), + time); + + + // analyzer id + idmef_alert_set_analyzer(idmef_message_get_alert(idmef), + idmef_analyzer_ref(prelude_client_get_analyzer(m_PreludeClient)), + IDMEF_LIST_PREPEND); + + + prelude_client_send_idmef(m_PreludeClient, idmef); + + + idmef_message_destroy(idmef); +#endif + +} + + + +extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) +{ + if (version == MODULE_IFACE_VERSION) { + *module = new LogPrelude(nepenthes); + return 1; + } else { + return 0; + } +} diff -ruN nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.hpp --- nepenthes-0.2.0/modules/log-prelude/log-prelude.hpp 2006-11-13 
20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-prelude/log-prelude.hpp 2007-08-06 00:46:15.000000000 +0200
@@ -30,7 +30,7 @@
 #include "config.h"
 #ifdef HAVE_LIBPRELUDE
-#include
+#include
 #endif
 #include
diff -ruN nepenthes-0.2.0/modules/log-surfnet/Makefile.am nepenthes-0.2.0-r1345/modules/log-surfnet/Makefile.am
--- nepenthes-0.2.0/modules/log-surfnet/Makefile.am 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-surfnet/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -6,7 +6,6 @@
 AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -I/usr/include/postgresql -pipe -D _GNU_SOURCE
 AM_CXXFLAGS = -Wall -Werror
-AM_LDFLAGS = ${LIB_POSTGRES}
 pkglib_LTLIBRARIES = logsurfnet.la
diff -ruN nepenthes-0.2.0/modules/log-surfnet/log-surfnet.conf.dist nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.conf.dist
--- nepenthes-0.2.0/modules/log-surfnet/log-surfnet.conf.dist 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.conf.dist 2007-08-06 00:46:15.000000000 +0200
@@ -49,175 +49,3 @@ }; - -/* - -don't forget to create these fn's in your surfnet ids database. - - -CREATE PROCEDURAL LANGUAGE plpgsql; - -CREATE FUNCTION surfnet_attack_add(integer, inet, integer, inet, integer, macaddr, inet) RETURNS integer - AS $_$DECLARE - p_severity ALIAS FOR $1; - p_attackerip ALIAS FOR $2; - p_attackerport ALIAS FOR $3; - p_decoyip ALIAS FOR $4; - p_decoyport ALIAS FOR $5; - p_hwa ALIAS FOR $6; - p_localhost ALIAS FOR $7; - m_attackid INTEGER; - m_sensorid INTEGER; -BEGIN - - SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); - SELECT INTO m_attackid surfnet_attack_add_by_id(p_severity, - p_attackerip, p_attackerport, p_decoyip, - p_decoyport, p_hwa, m_sensorid); - - return m_attackid; -END$_$ - LANGUAGE plpgsql; - - -CREATE FUNCTION surfnet_attack_add_by_id(integer, inet, integer, inet, integer, macaddr, integer) RETURNS integer - AS $_$DECLARE - p_severity ALIAS FOR $1; - p_attackerip ALIAS FOR $2; - p_attackerport ALIAS FOR $3; - p_decoyip ALIAS FOR $4; - p_decoyport ALIAS FOR $5; - p_hwa ALIAS FOR $6; - p_sensorid ALIAS FOR $7; - m_attackid INTEGER; -BEGIN - INSERT INTO attacks - (severity, - timestamp, - dest, - dport, - source, - sport, - sensorid, - src_mac) - VALUES - (p_severity, - extract(epoch from current_timestamp(0))::integer, - p_attackerip, - p_attackerport, - p_decoyip, - p_decoyport, - p_sensorid, - p_hwa); - - SELECT INTO m_attackid currval('attacks_id_seq'); - return m_attackid; -END$_$ - LANGUAGE plpgsql; - - - -CREATE FUNCTION surfnet_attack_update_severity(integer, integer) RETURNS void - AS $_$DECLARE - p_attackid ALIAS FOR $1; - p_severity ALIAS FOR $2; -BEGIN - UPDATE attacks SET severity = p_severity WHERE id = p_attackid; - return; -END;$_$ - LANGUAGE plpgsql; - - -CREATE FUNCTION surfnet_detail_add(integer, inet, integer, character varying) RETURNS void - AS $_$DECLARE - p_attackid ALIAS FOR $1; - p_localhost ALIAS FOR $2; - p_type ALIAS FOR $3; - p_data ALIAS FOR $4; - - m_sensorid INTEGER; -BEGIN - 
SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); - - INSERT INTO details - (attackid,sensorid,type,text) - VALUES - (p_attackid,m_sensorid,p_type,p_data); -END$_$ - LANGUAGE plpgsql; - - -CREATE FUNCTION surfnet_detail_add_by_id(integer, integer, integer, character varying) RETURNS void - AS $_$DECLARE - p_attackid ALIAS FOR $1; - m_sensorid ALIAS FOR $2; - p_type ALIAS FOR $3; - p_data ALIAS FOR $4; -BEGIN - INSERT INTO details - (attackid,sensorid,type,text) - VALUES - (p_attackid,m_sensorid,p_type,p_data); -END$_$ - LANGUAGE plpgsql; - - -CREATE FUNCTION surfnet_detail_add_download(inet, inet, character varying, character varying) RETURNS void - AS $_$DECLARE - p_remotehost ALIAS FOR $1; - p_localhost ALIAS FOR $2; - p_url ALIAS FOR $3; - p_hash ALIAS FOR $4; - - m_sensorid INTEGER; - m_attackid INTEGER; -BEGIN - SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); - SELECT INTO m_attackid surfnet_attack_add_by_id(32,p_remotehost, 0, - p_localhost, 0, - NULL,m_sensorid); - - PERFORM surfnet_detail_add_by_id(m_attackid, - m_sensorid,4,p_url); - PERFORM surfnet_detail_add_by_id(m_attackid, - m_sensorid,8,p_hash); - - return; -END; $_$ - LANGUAGE plpgsql; - - -CREATE FUNCTION surfnet_detail_add_offer(inet, inet, character varying) RETURNS void - AS $_$DECLARE - p_remotehost ALIAS FOR $1; - p_localhost ALIAS FOR $2; - p_url ALIAS FOR $3; - - m_sensorid INTEGER; - m_attackid INTEGER; -BEGIN - SELECT INTO m_sensorid surfnet_sensorid_get(p_localhost); - SELECT INTO m_attackid surfnet_attack_add_by_id(16,p_remotehost, 0, - p_localhost, 0, - NULL,m_sensorid); - - PERFORM surfnet_detail_add_by_id(m_attackid, - m_sensorid,4,p_url); - return; -END; $_$ - LANGUAGE plpgsql; - - -CREATE FUNCTION surfnet_sensorid_get(inet) RETURNS integer - AS $_$DECLARE - p_localhost ALIAS FOR $1; - m_sensorid INTEGER; -BEGIN - SELECT INTO m_sensorid id FROM sensors WHERE tapip = p_localhost; - return m_sensorid; -END -$_$ - LANGUAGE plpgsql; - - -*/ diff -ruN 
nepenthes-0.2.0/modules/log-surfnet/log-surfnet.cpp nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.cpp
--- nepenthes-0.2.0/modules/log-surfnet/log-surfnet.cpp 2006-11-13 20:40:10.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/log-surfnet/log-surfnet.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -76,7 +76,7 @@
 m_attackID = 0;
 m_closed = false;
- m_severity = 0;
+ m_severity = -1;
 }
@@ -471,7 +471,13 @@
 (uint32_t) ((intptr_t)socket), attackid);
- m_SocketTracker[(uintptr_t) socket].m_closed = true;
+ if (m_SocketTracker[(uintptr_t) socket].m_Details.size() > 0)
+ {
+ m_SocketTracker[(uintptr_t) socket].m_closed = true;
+ }else
+ {
+ m_SocketTracker.erase((uintptr_t)socket);
+ }
 }
 void LogSurfNET::handleDialogueAssignAndDone(Socket *socket, Dialogue *dia, uint32_t attackid)
@@ -649,6 +655,19 @@
 m_SocketTracker[(uintptr_t)s].m_Details.pop_front();
 }
+ if (m_SocketTracker[(uintptr_t)s].m_severity != -1)
+ {
+ string query;
+
+ query = "SELECT surfnet_attack_update_severity('";
+ query += itos(m_SocketTracker[(uintptr_t)s].m_attackID);
+ query += "','";
+ query += itos(m_SocketTracker[(uintptr_t)s].m_severity);
+ query += "');";
+
+ m_SQLHandler->addQuery(&query,NULL,NULL);
+ }
+
 if (m_SocketTracker[(uintptr_t)s].m_closed == true)
 {
 m_SocketTracker.erase((uintptr_t)s);
@@ -660,6 +679,11 @@
 bool LogSurfNET::sqlFailure(SQLResult *result)
 {
 logPF();
+
+ Socket *s;
+ s = (Socket *)result->getObject();
+ logCrit("Getting attackid for socket %x failed, dropping the whole attack, forgetting all details\n",(uintptr_t)s);
+ m_SocketTracker.erase((uintptr_t)s);
 return true;
 }
diff -ruN nepenthes-0.2.0/modules/module-honeytrap/Makefile.am nepenthes-0.2.0-r1345/modules/module-honeytrap/Makefile.am
--- nepenthes-0.2.0/modules/module-honeytrap/Makefile.am 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/module-honeytrap/Makefile.am 2007-08-06 00:46:15.000000000 +0200
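Review bot: The severity UPDATE is queued whenever `m_severity != -1`, but nothing checks that the entry's `m_attackID` has been filled in yet; the constructor hunk in this file initialises it to 0, so if the attack-id lookup for this socket is still outstanding the update would presumably be addressed to attack 0 (how and when `m_attackID` is assigned is outside the hunk). Adding `&& m_SocketTracker[(uintptr_t)s].m_attackID != 0` to the condition, or deferring the update until the id has arrived, would close that window. The tracker is also looked up five times through `operator[]` in this block; taking one reference to the entry first would make the intent clearer and avoid accidental default-insertion. The enclosing function starts outside the hunk.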
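Review bot: `logCrit("... socket %x ...",(uintptr_t)s)` hands a `uintptr_t` to a `%x` conversion, which expects `unsigned int`; on 64-bit targets that is a width mismatch (undefined behaviour, and if `logCrit` is format-checked the `-Wall -Werror` this module builds with will reject it). Log the pointer with `%p` and pass `(void *)s`, or cast to `unsigned long` and use `%lx`. `result->getObject()` is also used without a NULL check; erasing key 0 is harmless, but the log line would then blame socket 0, so `if ( s == NULL ) return true;` before the `logCrit` keeps the message accurate.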
@@ -15,4 +15,4 @@
 modulehoneytrap_la_SOURCES += TrapSocket.cpp TrapSocket.hpp
 modulehoneytrap_la_SOURCES += module-honeytrap.conf.dist
-modulehoneytrap_la_LDFLAGS = -module -no-undefined -avoid-version
+modulehoneytrap_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/module-honeytrap/TrapSocket.cpp nepenthes-0.2.0-r1345/modules/module-honeytrap/TrapSocket.cpp
--- nepenthes-0.2.0/modules/module-honeytrap/TrapSocket.cpp 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/module-honeytrap/TrapSocket.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -782,11 +782,18 @@
 {
 printIPpacket(data,size);
+ uint16_t port;
+
+ if ( tcp->th_flags & TH_SYN && !(tcp->th_flags & TH_ACK) )
+ port = ntohs(tcp->th_dport); // inline mode
+ else
+ port = ntohs(tcp->th_sport); // pcap mode
+
 if (1)// isPortListening(ntohs(tcp->th_dport),*(uint32_t *)&(ip->ip_dst)) == false )
 {
- logInfo("Connection to unbound port %i requested, binding port\n",ntohs(tcp->th_dport));
+ logInfo("Connection to unbound port %i requested, binding port\n",port);
- Socket *sock = g_Nepenthes->getSocketMgr()->bindTCPSocket(INADDR_ANY,ntohs(tcp->th_dport),60,60);
+ Socket *sock = g_Nepenthes->getSocketMgr()->bindTCPSocket(INADDR_ANY,port,60,60);
 if ( sock != NULL && (sock->getDialogst()->size() == 0 && sock->getFactories()->size() == 0) )
 {
diff -ruN nepenthes-0.2.0/modules/module-peiros/module-peiros.cpp nepenthes-0.2.0-r1345/modules/module-peiros/module-peiros.cpp
--- nepenthes-0.2.0/modules/module-peiros/module-peiros.cpp 2006-11-13 20:40:08.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/module-peiros/module-peiros.cpp 2007-08-06 00:46:15.000000000 +0200
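Review bot: `port` is copied straight from the observed packet's TCP header and handed to `bindTCPSocket(INADDR_ANY,port,60,60)` with no sanity check, so a header whose selected port field is 0 makes the trap bind an OS-chosen ephemeral port rather than the one the peer addressed; skipping the bind when `port == 0` avoids that. The SYN test also reads more safely with explicit grouping, `if ( (tcp->th_flags & TH_SYN) && !(tcp->th_flags & TH_ACK) )`, since it currently relies on `&` binding tighter than `&&`. A short comment on why the source port is used in pcap mode (the observed segment is presumably the peer's reply, so its source is the port that was probed) would help the next reader; the enclosing function starts before and ends after this hunk.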
@@ -29,6 +29,7 @@
 #include
 #include
+#include
 #include
 #include
 #include
diff -ruN nepenthes-0.2.0/modules/module-portwatch/WatchDialogue.cpp nepenthes-0.2.0-r1345/modules/module-portwatch/WatchDialogue.cpp
--- nepenthes-0.2.0/modules/module-portwatch/WatchDialogue.cpp 2006-11-13 20:40:09.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/module-portwatch/WatchDialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -47,6 +47,9 @@
 #include "Utilities.hpp"
+#include "EventManager.hpp"
+#include "SocketEvent.hpp"
+
 #ifdef STDTAGS
 #undef STDTAGS
 #endif
@@ -77,7 +80,7 @@
 WatchDialogue::~WatchDialogue()
 {
 logWarn("Unknown WatchDialogue %i bytes, port %i\n",m_Buffer->getSize(), m_Socket->getLocalPort());
- g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize());
+ HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize());
 delete m_Buffer;
 }
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/Makefile.am nepenthes-0.2.0-r1345/modules/shellcode-generic/Makefile.am
--- nepenthes-0.2.0/modules/shellcode-generic/Makefile.am 2006-11-13 20:40:07.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -32,4 +32,4 @@
 shellcodegeneric_la_SOURCES += sch_generic_leimbach_url_xor.cpp sch_generic_leimbach_url_xor.hpp
 shellcodegeneric_la_SOURCES += sch_generic_wget.cpp sch_generic_wget.hpp
-shellcodegeneric_la_LDFLAGS = -module -no-undefined -avoid-version
+shellcodegeneric_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_cmd.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_cmd.cpp
--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_cmd.cpp 2006-11-13 20:40:07.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_cmd.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -95,7 +95,7 @@
 if((iResult = pcre_exec(m_pcre, 0, (char *) shellcode, len, 0, 0, (int *)piOutput, sizeof(piOutput)/sizeof(int32_t))) > 0)
 {
 // logDebug("GenricCMD (improve pcre debug) (%i bytes)\n",(*msg)->getSize());
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)(*msg)->getMsg(),(*msg)->getSize());
+// HEXDUMP(m_Socket,(byte *)(*msg)->getMsg(),(*msg)->getSize());
 const char * pRemoteCommand;
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp
--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp 2006-11-13 20:40:07.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_leimbach_url_xor.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -203,7 +203,7 @@
 pcre_free_substring(preload);
 pcre_free_substring(xordecoder);
- g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len);
+// g_Nepenthes->getUtilities()->hexdump(l_crit,(byte *)newshellcode, len);
 Message *newMessage = new Message((char *)newshellcode, len, (*msg)->getLocalPort(), (*msg)->getRemotePort(), (*msg)->getLocalHost(), (*msg)->getRemoteHost(), (*msg)->getResponder(), (*msg)->getSocket());
diff -ruN nepenthes-0.2.0/modules/shellcode-generic/sch_generic_url.cpp nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_url.cpp
--- nepenthes-0.2.0/modules/shellcode-generic/sch_generic_url.cpp 2006-11-13 20:40:07.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-generic/sch_generic_url.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -119,7 +119,7 @@
 if((iResult = pcre_exec(m_pcre, 0, (char *) shellcode, len, 0, 0, (int *)piOutput, sizeof(piOutput)/sizeof(int32_t))) > 0)
 {
-// g_Nepenthes->getUtilities()->hexdump(STDTAGS,shellcode,len);
+// HEXDUMP(m_Socket,shellcode,len);
 const char * pUrl;
 pcre_get_substring((char *) shellcode, (int *)piOutput, (int)iResult, 1, &pUrl);
diff -ruN nepenthes-0.2.0/modules/shellcode-signatures/Makefile.am nepenthes-0.2.0-r1345/modules/shellcode-signatures/Makefile.am
--- nepenthes-0.2.0/modules/shellcode-signatures/Makefile.am 2006-11-13 20:40:04.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-signatures/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -33,5 +33,5 @@
 shellcodesignatures_la_SOURCES += sch_namespace_konstanzxor.cpp sch_namespace_konstanzxor.hpp
 shellcodesignatures_la_SOURCES += sch_namespace_alphanumericxor.cpp sch_namespace_alphanumericxor.hpp
-shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version
+shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/shellcode-signatures/shellcode-signatures.sc nepenthes-0.2.0-r1345/modules/shellcode-signatures/shellcode-signatures.sc
--- nepenthes-0.2.0/modules/shellcode-signatures/shellcode-signatures.sc 2006-11-13 20:40:04.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellcode-signatures/shellcode-signatures.sc 2007-08-06 00:46:15.000000000 +0200
@@ -178,6 +178,13 @@
 mapping (none,pre,decoder,size,key,post);
 };
+xor::marburganderlahn
+{
+ pattern
+ "(.*)(\\xEB\\x0E\\x5A\\x4A\\x31\\xC9\\xB1(.)\\x80\\x34\\x11(.)\\xE2\\xFA\\xEB\\x05\\xE8\\xED\xFF\xFF\xFF)(.*)$";
+ mapping (none,pre,decoder,size,key,post);
+};
+
 /*
 * too inaccurate
 *
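Review bot: The new `xor::marburganderlahn` pattern ends with `\\xE8\\xED\xFF\xFF\xFF`, mixing double-escaped bytes with three single-escaped ones; every other byte in this pattern and in the `@@ -944` hunk below is written as `\\x..`, so the trailing `\xFF\xFF\xFF` will most likely be consumed by the signature-file parser rather than reach PCRE as the intended bytes, and the decoder suffix will not match. Change the tail to `\\xE8\\xED\\xFF\\xFF\\xFF` for consistency with the rest of the file. A one-line comment above the block naming what the two `(.)` captures are (the loop count and the XOR key, going by the `size,key` mapping) would also help anyone maintaining the signature later.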
@@ -944,8 +951,8 @@
 pattern
 "\\xeb\\x02\\xeb\\x6b"
 "\\xe8\\xf9\\xff\\xff\\xff\\x53\\x55\\x56\\x57\\x8b\\x6c\\x24\\x18\\x8b\\x45\\x3c"
- "\\x8b\\x54\\x05\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32"
- "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac\\x3a\\xc4\\x74\\x07"
+ "\\x8b\\x54.\\x78\\x03\\xd5\\x8b\\x4a\\x18\\x8b\\x5a\\x20\\x03\\xdd\\xe3\\x32"
+ "\\x49\\x8b\\x34\\x8b\\x03\\xf5\\x33\\xff\\xfc\\x33\\xc0\\xac..\\x74\\x07"
 "\\xc1\\xcf\\x0d\\x03\\xf8\\xeb\\xf2\\x3b\\x7c\\x24\\x14\\x75\\xe1\\x8b\\x5a\\x24"
 "\\x03\\xdd\\x66\\x8b\\x0c\\x4b\\x8b\\x5a\\x1c\\x03\\xdd\\x8b\\x04\\x8b\\x03\\xc5"
 "\\xeb\\x02\\x33\\xc0\\x5f\\x5e\\x5d\\x5b\\x89\\x44\\x24\\x04\\x8b\\x04\\x24\\x89"
diff -ruN nepenthes-0.2.0/modules/shellemu-winnt/VFSCommandFTP.cpp nepenthes-0.2.0-r1345/modules/shellemu-winnt/VFSCommandFTP.cpp
--- nepenthes-0.2.0/modules/shellemu-winnt/VFSCommandFTP.cpp 2006-11-13 20:40:06.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/shellemu-winnt/VFSCommandFTP.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -425,7 +425,6 @@
 logSpam("VFSCommandFTP Setting Hosts %i %i\n",remotehost,localhost);
 remotehost = m_VFS->getDialogue()->getSocket()->getRemoteHost();
 localhost = m_VFS->getDialogue()->getSocket()->getLocalHost();
- }
 logSpam("VFSCommandFTP LocalHost %s\n",inet_ntoa(*(in_addr *)&localhost));
diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/Makefile.am nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/Makefile.am
--- nepenthes-0.2.0/modules/sqlhandler-postgres/Makefile.am 2006-11-13 20:40:05.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/Makefile.am 2007-08-06 00:46:15.000000000 +0200
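Review bot: The `.` wildcards that replace `\\x05` and `\\x3a\\xc4` will not match a 0x0a byte unless the pattern is compiled with PCRE_DOTALL, because `.` excludes newline by default; if the signature engine does not set that option, a sample whose displacement or compare bytes happen to be 0x0a silently misses the signature. An explicit byte class such as `[\\x00-\\xff]` (or a leading `(?s)`) removes the dependency on compile flags. The same caveat applies to the `(.)` captures in the new `xor::marburganderlahn` block in the `@@ -178` hunk above.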
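Review bot: This hunk deletes a closing brace and it is the only hunk for VFSCommandFTP.cpp on this page, so unless the matching opening brace was already unbalanced in the original (for instance inside a preprocessor branch), the file's brace count changes and it will not compile; worth confirming against the full file. If the intent was to lift the two host assignments out of a conditional, the `if (...)` / `{` lines that opened that block should appear as removed lines in the same hunk. The enclosing function starts and ends outside the hunk.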
@@ -12,4 +12,4 @@ sqlhandlerpostgres_la_SOURCES = sqlhandler-postgres.cpp sqlhandler-postgres.hpp -sqlhandlerpostgres_la_LDFLAGS = -module -no-undefined -avoid-version +sqlhandlerpostgres_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.cpp nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.cpp --- nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.cpp 2006-11-13 20:40:05.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -145,6 +145,7 @@ m_PGTable = table; m_PGUser = user; m_PGPass = passwd; + m_PGOptions = options; m_Callback = cb; } @@ -760,6 +761,10 @@ "' user = '" + m_PGUser + "' password = '" + m_PGPass +"'"; + if ( m_PGOptions.size() > 0 ) + ConnectString += m_PGOptions; + + if (m_PGConnection != NULL) PQfinish(m_PGConnection); else diff -ruN nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.hpp nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.hpp --- nepenthes-0.2.0/modules/sqlhandler-postgres/sqlhandler-postgres.hpp 2006-11-13 20:40:05.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/sqlhandler-postgres/sqlhandler-postgres.hpp 2007-08-06 00:46:15.000000000 +0200 @@ -141,6 +141,7 @@ string m_PGTable; string m_PGUser; string m_PGPass; + string m_PGOptions; }; diff -ruN nepenthes-0.2.0/modules/submit-gotek/gotekCTRLDialogue.cpp nepenthes-0.2.0-r1345/modules/submit-gotek/gotekCTRLDialogue.cpp --- nepenthes-0.2.0/modules/submit-gotek/gotekCTRLDialogue.cpp 2006-11-13 20:40:11.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-gotek/gotekCTRLDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -112,7 +112,7 @@ unsigned char sessionkey[8]; memcpy((char *)sessionkey,(char *)m_Buffer->getData(),8); - g_Nepenthes->getUtilities()->hexdump(sessionkey,8); +// g_Nepenthes->getUtilities()->hexdump(sessionkey,8); 
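Review bot: `ConnectString += m_PGOptions;` appends the options directly after the closing quote of the password value with no separating whitespace, so a value such as `sslmode=require` yields `password = 'x'sslmode=require`, which libpq rejects; use `ConnectString += " " + m_PGOptions;` or document that the option string must begin with a space. The same conninfo is built by plain concatenation of `m_PGUser` and `m_PGPass`; libpq requires a backslash before `'` and `\` inside a quoted value, so a password containing either character breaks the connection string — escaping those two characters when the string is assembled would make the configuration robust. The enclosing function starts outside the hunk.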
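Review bot: Commenting out the hexdumps of `sessionkey`, the 1024-byte community key and the derived hash is the right call — they wrote key material into the log — but leaving the calls in place as comments invites someone to re-enable them; delete the lines here, in the `@@ -128` hunk of this file and in the gotekDATADialogue.cpp hunk instead. If a debugging aid is still wanted, logging only the length or a truncated fingerprint of the hash, never the community key, is the safer shape. The enclosing function starts outside the hunk.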
@@ -128,13 +128,13 @@
 byte hashme[1032];
 memset(hashme,0,1032);
- g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
+// g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
 memcpy(hashme,g_GotekSubmitHandler->getCommunityKey(),1024);
 memcpy(hashme+1024,sessionkey,8);
- g_Nepenthes->getUtilities()->hexdump(hashme, 1032);
+// g_Nepenthes->getUtilities()->hexdump(hashme, 1032);
 g_Nepenthes->getUtilities()->sha512(hashme, 1032, hash);
- g_Nepenthes->getUtilities()->hexdump(hash,64);
+// g_Nepenthes->getUtilities()->hexdump(hash,64);
 m_Socket->doRespond((char *)hash,64);
diff -ruN nepenthes-0.2.0/modules/submit-gotek/gotekDATADialogue.cpp nepenthes-0.2.0-r1345/modules/submit-gotek/gotekDATADialogue.cpp
--- nepenthes-0.2.0/modules/submit-gotek/gotekDATADialogue.cpp 2006-11-13 20:40:11.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-gotek/gotekDATADialogue.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -173,7 +173,7 @@
 byte hashme[1032];
 memset(hashme,0,1032);
- g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
+// g_Nepenthes->getUtilities()->hexdump(g_GotekSubmitHandler->getCommunityKey(),1024);
 memcpy(hashme,g_GotekSubmitHandler->getCommunityKey(),1024);
 memcpy(hashme+1024,&sessionkey,8);
 g_Nepenthes->getUtilities()->sha512(hashme, 1032, hash);
diff -ruN nepenthes-0.2.0/modules/submit-http/HTTPSession.cpp nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.cpp
--- nepenthes-0.2.0/modules/submit-http/HTTPSession.cpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,187 @@
+/********************************************************************************
+ * Nepenthes
+ * - finest collection -
+ *
+ *
+ *
+ * Copyright (C) 2006 Niklas Schiffler
+ * Copyright (C) 2005 Paul Baecher & Markus Koetter
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version 2
+ * of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ *
+ * contact nepenthesdev@users.sourceforge.net
+ *
+ *******************************************************************************/
+
+
+#include
+#include /* new for v7 */
+#include /* new for v7 */
+#include
+#include
+
+#include "HTTPSession.hpp"
+#include "submit-http.hpp"
+#include "DownloadBuffer.hpp"
+#include "DownloadUrl.hpp"
+
+using namespace nepenthes;
+
+HTTPSession::HTTPSession(string &url, string &email, string &user, string &password, Download* down)
+{
+ state = S_ERROR;
+ postInfo = NULL;
+ postFile = NULL;
+ curlInfoHandle = NULL;
+ curlFileHandle = NULL;
+
+ submitURL = url;
+
+ if ( user.length() > 0 && password.length() > 0 )
+ submitAuthStr = user + ":" + password;
+
+ md5 = down->getMD5Sum();
+ sha512 = down->getSHA512Sum();
+ fileSize = down->getDownloadBuffer()->getSize();
+ fileName = down->getDownloadUrl()->getFile();
+ fileSourceURL = down->getUrl();
+
+ fileBuffer = new uint8_t[fileSize];
+ fileBuffer = (uint8_t*)memcpy(fileBuffer, 
down->getDownloadBuffer()->getData(), fileSize);
+
+ curlInfoHandle = curl_easy_init();
+ if ( curlInfoHandle )
+ {
+ struct curl_httppost* last = NULL;
+
+ if ( email.length() > 0 )
+ curl_formadd(&postInfo, &last, CURLFORM_COPYNAME, "email", CURLFORM_COPYCONTENTS, email.c_str(), CURLFORM_END);
+
+ stringstream sSourceHost; sSourceHost << htonl(down->getRemoteHost());
+ stringstream sTargetHost; sTargetHost << htonl(down->getLocalHost());
+
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "url", CURLFORM_COPYCONTENTS, fileSourceURL.c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "trigger", CURLFORM_COPYCONTENTS, down->getTriggerLine().c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "md5", CURLFORM_COPYCONTENTS, md5.c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "sha512", CURLFORM_COPYCONTENTS, sha512.c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "filetype", CURLFORM_COPYCONTENTS, down->getFileType().c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "source_host", CURLFORM_COPYCONTENTS, sSourceHost.str().c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "target_host", CURLFORM_COPYCONTENTS, sTargetHost.str().c_str(), CURLFORM_END);
+ curl_formadd(&postInfo, &last, CURLFORM_PTRNAME, "filename", CURLFORM_COPYCONTENTS, down->getDownloadUrl()->getFile().c_str(), CURLFORM_END);
+
+ setCURLOpts(curlInfoHandle, postInfo);
+ }
+}
+
+HTTPSession::~HTTPSession()
+{
+ delete [] fileBuffer;
+ curl_formfree(postInfo);
+ if ( postFile )
+ curl_formfree(postFile);
+ curl_easy_cleanup(curlInfoHandle);
+ if ( curlFileHandle )
+ curl_easy_cleanup(curlFileHandle);
+}
+
+CURL* HTTPSession::getSubmitInfoHandle()
+{
+ return curlInfoHandle;
+}
+
+CURL* HTTPSession::getSubmitFileHandle()
+{
+ curlFileHandle = curl_easy_init();
+ if ( curlFileHandle )
+ {
+ postFile = NULL;
+ struct curl_httppost* last = NULL;
+
+ 
curl_formadd(&postFile, &last, CURLFORM_PTRNAME, "md5", CURLFORM_COPYCONTENTS, md5.c_str(), CURLFORM_END);
+ curl_formadd(&postFile, &last, CURLFORM_PTRNAME, "sha512", CURLFORM_COPYCONTENTS, sha512.c_str(), CURLFORM_END);
+
+ curl_formadd(&postFile, &last,
+ CURLFORM_COPYNAME, "file",
+ CURLFORM_BUFFER, fileName.c_str(),
+ CURLFORM_BUFFERPTR, fileBuffer,
+ CURLFORM_BUFFERLENGTH, fileSize,
+ CURLFORM_END);
+
+ setCURLOpts(curlFileHandle, postFile);
+ }
+ return curlFileHandle;
+}
+
+string HTTPSession::getMD5()
+{
+ return md5;
+}
+
+string HTTPSession::getSHA512()
+{
+ return sha512;
+}
+
+void HTTPSession::setCURLOpts(CURL* c, curl_httppost* post)
+{
+ curl_easy_setopt(c, CURLOPT_HTTPPOST, post);
+ curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, false);
+ curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, false);
+ curl_easy_setopt(c, CURLOPT_URL, submitURL.c_str());
+ curl_easy_setopt(c, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; nepenthes; Linux)");
+ curl_easy_setopt(c, CURLOPT_PRIVATE, (char*) this);
+ curl_easy_setopt(c, CURLOPT_WRITEDATA, this);
+ curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, HTTPSession::WriteCallback);
+
+ if ( submitAuthStr.length() > 0 )
+ curl_easy_setopt(c, CURLOPT_USERPWD, submitAuthStr.c_str());
+}
+
+size_t HTTPSession::WriteCallback(char *buffer, size_t size, size_t nitems, void *p)
+{
+ HTTPSession* s = (HTTPSession*)p;
+ int32_t iSize = size * nitems;
+
+ string res(buffer, iSize);
+ if ( res.find("S_FILEREQUEST") != string::npos )
+ s->setState(S_FILEREQUEST);
+ else
+ if ( res.find("S_FILEKNOWN") != string::npos )
+ s->setState(S_FILEKNOWN);
+ else
+ if ( res.find("S_FILEOK") != string::npos )
+ s->setState(S_FILEOK);
+ else
+ s->setState(S_ERROR);
+
+// delete(strBuf);
+ return iSize;
+}
+
+uint8_t HTTPSession::getState()
+{
+ return state;
+}
+
+void HTTPSession::setState(uint8_t s)
+{
+ this->state = s;
+}
+
+string HTTPSession::getFileSourceURL()
+{
+ return fileSourceURL;
+}
diff -ruN 
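Review bot: `setCURLOpts` turns off `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` on the same handle that carries `CURLOPT_USERPWD`, the captured sample, its hashes and the source/target hosts, so an `https://` submit URL gives no assurance about who receives the credentials and the malware; set `curl_easy_setopt(c, CURLOPT_SSL_VERIFYPEER, 1L);` and `curl_easy_setopt(c, CURLOPT_SSL_VERIFYHOST, 2L);` (pointing `CURLOPT_CAINFO` at a bundle where the default store is not enough). Passing `false` to the variadic `curl_easy_setopt` is also wrong for a `long` option — the argument is promoted to `int`, not `long` — so the values should be written as `0L`/`1L`/`2L` in any case. The class owns `fileBuffer`, `postInfo`, `postFile` and two easy handles through raw pointers but declares no copy constructor or assignment operator, so an accidental copy double-frees in `~HTTPSession`; declare both private and unimplemented. In `WriteCallback`, `int32_t iSize = size * nitems;` narrows a `size_t` product before it is returned as `size_t` (keep it `size_t`), and because the state is reassigned on every chunk a response delivered in several pieces ends in `S_ERROR` when the last piece lacks the marker — accumulating the body and classifying once would be more robust.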
nepenthes-0.2.0/modules/submit-http/HTTPSession.hpp nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.hpp --- nepenthes-0.2.0/modules/submit-http/HTTPSession.hpp 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-http/HTTPSession.hpp 2007-08-06 00:46:15.000000000 +0200 
@@ -0,0 +1,82 @@ +/******************************************************************************** + * Nepenthes + * - finest collection - + * + * + * + * Copyright (C) 2006 Niklas Schiffler + * Copyright (C) 2005 Paul Baecher & Markus Koetter + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * + * contact nepenthesdev@users.sourceforge.net + * + *******************************************************************************/ + + /* $Id$ */ + +#include +#include + +#include "Download.hpp" + +using namespace std; + +namespace nepenthes +{ + + + class HTTPSession + { + public: + static const uint8_t S_FILEKNOWN = 0; + static const uint8_t S_FILEREQUEST = 1; + static const uint8_t S_FILEOK = 2; + static const uint8_t S_FILEPENDING = 3; + static const uint8_t S_ERROR = 4; + + HTTPSession(string &url, string &email, string &user, string &password, Download* down); + ~HTTPSession(); + CURL* getSubmitInfoHandle(); + CURL* getSubmitFileHandle(); + string getMD5(); + string getSHA512(); + void setCURLOpts(CURL* c, curl_httppost* post); + uint8_t getState(); + void setState(uint8_t s); + string getFileSourceURL(); + + static size_t WriteCallback(char *buffer, size_t size, size_t nitems, void *userp); + + protected: + CURL* curlInfoHandle; + CURL* curlFileHandle; + uint8_t* fileBuffer; + size_t 
fileSize; + struct curl_httppost* postInfo; + struct curl_httppost* postFile; + string fileName; + string fileSourceURL; + string md5; + string sha512; + string submitURL; + string submitAuthStr; + uint8_t state; + + }; + +} + diff -ruN nepenthes-0.2.0/modules/submit-http/Makefile.am nepenthes-0.2.0-r1345/modules/submit-http/Makefile.am --- nepenthes-0.2.0/modules/submit-http/Makefile.am 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-http/Makefile.am 2007-08-06 00:46:15.000000000 +0200 @@ -0,0 +1,14 @@ +AUTOMAKE_OPTIONS = foreign + +AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE +AM_CXXFLAGS = -Wall -Werror + +AM_LDFLAGS = $(LIB_CURL) + +pkglib_LTLIBRARIES = submithttp.la + +submithttp_la_SOURCES = submit-http.cpp submit-http.hpp +submithttp_la_SOURCES += HTTPSession.hpp HTTPSession.cpp +submithttp_la_SOURCES += submit-http.conf.dist + +submithttp_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.conf.dist nepenthes-0.2.0-r1345/modules/submit-http/submit-http.conf.dist --- nepenthes-0.2.0/modules/submit-http/submit-http.conf.dist 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.conf.dist 2007-08-06 00:46:15.000000000 +0200 @@ -0,0 +1,8 @@ +submit-http +{ + url "http://somehost.de/submit.php"; + email "your@email"; // optional + user "httpuser"; // optional + pass "httppass"; // optional +}; + diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.cpp nepenthes-0.2.0-r1345/modules/submit-http/submit-http.cpp --- nepenthes-0.2.0/modules/submit-http/submit-http.cpp 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.cpp 2007-08-06 00:46:15.000000000 +0200 
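Review bot: HTTPSession.hpp has no include guard, and neither do submit-http.hpp, TransferSession.hpp and submit-mwserv.hpp in the later hunks; each should open with `#ifndef HAVE_HTTPSESSION_HPP` / `#define HAVE_HTTPSESSION_HPP` (name adapted per header, this one is a constructed example) and close with `#endif`, so that a second inclusion does not redefine the class. Separately, the class owns raw `CURL*`, `curl_httppost*` and `fileBuffer` pointers but declares no copy constructor or copy assignment, so an accidental copy would leave two objects releasing the same handles in `~HTTPSession()` (its body is in the HTTPSession.cpp hunk that starts before this view, so the cleanup is inferred); declaring `HTTPSession(const HTTPSession&);` and `HTTPSession& operator=(const HTTPSession&);` as private and undefined turns such a copy into a link-time error. The ownership of `fileBuffer` (who allocates it, who frees it) is also undocumented here; a one-line comment next to the member, e.g. `// owned by this session, released in ~HTTPSession()` if that is the case, would save the next reader a trip into the .cpp.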
@@ -0,0 +1,231 @@ +/******************************************************************************** + * Nepenthes + * - finest collection - + * + * + * + * Copyright (C) 2006 Niklas Schiffler + * Copyright (C) 2005 Paul Baecher & Markus Koetter + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * + * contact nepenthesdev@users.sourceforge.net + * + *******************************************************************************/ + + /* $Id$ */ + +#include "submit-http.hpp" +#include "Download.hpp" +#include "Utilities.hpp" +#include "SubmitManager.hpp" +#include "LogManager.hpp" +#include "Event.hpp" +#include "EventManager.hpp" +#include "EventHandler.cpp" // das ist Mist! 
+#include "Config.hpp" +#include "ModuleManager.hpp" + +#include "HTTPSession.hpp" + +using namespace nepenthes; + + +Nepenthes *g_Nepenthes; + + +HTTPSubmitHandler::HTTPSubmitHandler(Nepenthes *nepenthes) +{ + m_ModuleName = "submit-http"; + m_ModuleDescription = "HTTP submit handler"; + m_ModuleRevision = "$Rev$"; + m_Nepenthes = nepenthes; + m_SubmitterName = "submit-http"; + m_SubmitterDescription = "submit binary file via HTTP POST request"; + g_Nepenthes = nepenthes; + + m_Queued = 0; + m_Timeout = time(NULL); + m_Events.reset(); +} + + +HTTPSubmitHandler::~HTTPSubmitHandler() +{ +} + +bool HTTPSubmitHandler::Init() +{ + logPF(); + + if ( m_Config == NULL ) + { + logCrit("I need a config\n"); + return false; + } + + try + { + m_URL = m_Config->getValString("submit-http.url"); + } + catch ( ... ) + { + logCrit("Error: Config property \"url\" missing\n"); + return false; + } + + try + { + m_Email = m_Config->getValString("submit-http.email"); + m_User = m_Config->getValString("submit-http.user"); + m_Password = m_Config->getValString("submit-http.pass"); + } + catch ( ... 
) + { + } + + m_ModuleManager = m_Nepenthes->getModuleMgr(); + + if ( (m_CurlStack = curl_multi_init()) == NULL ) + { + logCrit("Could not init Curl Multi Perform Stack %s\n",strerror(errno)); + return false; + } + + REG_SUBMIT_HANDLER(this); + REG_EVENT_HANDLER(this); + return true; +} + +bool HTTPSubmitHandler::Exit() +{ + curl_multi_cleanup(m_CurlStack); + return true; +} + + +void HTTPSubmitHandler::Submit(Download *down) +{ + logPF(); + + if ( m_Events.test(EV_TIMEOUT) == false ) + m_Events.set(EV_TIMEOUT); + + HTTPSession* session = new HTTPSession(m_URL, m_Email, m_User, m_Password, down); + curl_multi_add_handle(m_CurlStack, session->getSubmitInfoHandle()); + m_Queued++; +} + +void HTTPSubmitHandler::Hit(Download *down) +{ + Submit(down); +} + + +uint32_t HTTPSubmitHandler::handleEvent(Event *event) +{ + logPF(); + if ( event->getType() != EV_TIMEOUT ) + { + logCrit("Unwanted event %i\n",event->getType()); + return 1; + } + + // do file info submits + int32_t iQueue = 0; + while ( curl_multi_perform(m_CurlStack, (int *)&iQueue) == CURLM_CALL_MULTI_PERFORM ); + + if ( m_Queued > iQueue ) + { + logSpam("m_Queued (%i) > (%i) iQueue\n", m_Queued, iQueue); + CURLMsg * pMessage; + + while ( (pMessage = curl_multi_info_read(m_CurlStack, (int *)&iQueue)) ) + { + if ( pMessage->msg == CURLMSG_DONE ) + { + HTTPSession *session; + char *cSession; + + curl_easy_getinfo(pMessage->easy_handle, CURLINFO_PRIVATE, (char**)&cSession); + session = (HTTPSession *)cSession; + + uint8_t sessionState = session->getState(); + + if ( sessionState == HTTPSession::S_FILEKNOWN || sessionState == HTTPSession::S_FILEREQUEST ) + { + if ( pMessage->data.result ) + { + logInfo("Error: Submitting file info (%s, %s) failed: %s\n", session->getMD5().c_str(), session->getFileSourceURL().c_str(), curl_easy_strerror(pMessage->data.result)); + delete session; + curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle); + --m_Queued; + continue; + } + logInfo("File info submitted (%s, %s)\n", 
session->getMD5().c_str(), session->getFileSourceURL().c_str()); + } + + switch ( sessionState ) + { + case HTTPSession::S_FILEKNOWN: + logInfo("File already known (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); + break; + case HTTPSession::S_FILEREQUEST: + logInfo("File upload requested (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); + session->setState(HTTPSession::S_FILEPENDING); + curl_multi_add_handle(m_CurlStack, session->getSubmitFileHandle()); + break; + case HTTPSession::S_FILEOK: + logInfo("File uploaded (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); + break; + case HTTPSession::S_ERROR: + logInfo("Error handling file (%s, %s)\n", session->getMD5().c_str(), session->getFileSourceURL().c_str()); + break; + } + + curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle); + + if ( sessionState == HTTPSession::S_FILEKNOWN || + sessionState == HTTPSession::S_FILEOK || + sessionState == HTTPSession::S_ERROR ) + { + delete session; + --m_Queued; + } + } + } + } + + if ( m_Queued == 0 ) + m_Events.reset(EV_TIMEOUT); + + m_Timeout = time(NULL) + 1; + return 0; +} + + +extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) +{ + if ( version == MODULE_IFACE_VERSION ) + { + *module = new HTTPSubmitHandler(nepenthes); + return 1; + } + else + { + return 0; + } +} diff -ruN nepenthes-0.2.0/modules/submit-http/submit-http.hpp nepenthes-0.2.0-r1345/modules/submit-http/submit-http.hpp --- nepenthes-0.2.0/modules/submit-http/submit-http.hpp 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-http/submit-http.hpp 2007-08-06 00:46:15.000000000 +0200 
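Review bot: handleEvent() never handles a session whose state is still `HTTPSession::S_FILEPENDING` when its file transfer completes: the state is set in the S_FILEREQUEST branch before the file handle is queued, and if that upload fails before WriteCallback sees a response body the switch has no case for it, the easy handle is removed, but `delete session` and `--m_Queued` are skipped, so the session leaks and m_Queued never returns to 0, which keeps EV_TIMEOUT armed indefinitely. Add `sessionState == HTTPSession::S_FILEPENDING` to the final delete condition (with a matching `case` that logs the failed upload) and check `pMessage->data.result` for that state too, not only for S_FILEKNOWN/S_FILEREQUEST. In the S_FILEKNOWN/S_FILEREQUEST error path the order `delete session; curl_multi_remove_handle(m_CurlStack, pMessage->easy_handle);` is the reverse of the one used further down; if ~HTTPSession() calls curl_easy_cleanup (its body is in the HTTPSession.cpp hunk outside this view) the handle is cleaned up while still attached to the multi stack, so remove first and delete second as the later code does. Exit() calls curl_multi_cleanup with whatever is still queued and never frees those sessions, and in Init() the single try block around email/user/pass means a missing `submit-http.email` also skips reading user and pass although the shipped conf marks each as independently optional; one try per key fixes that.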
@@ -0,0 +1,72 @@ +/******************************************************************************** + * Nepenthes + * - finest collection - + * + * + * + * Copyright (C) 2006 Niklas Schiffler + * Copyright (C) 2005 Paul Baecher & Markus Koetter + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * + * contact nepenthesdev@users.sourceforge.net + * + *******************************************************************************/ + + /* $Id$ */ + +#include +#include /* new for v7 */ +#include /* new for v7 */ + +#include "Nepenthes.hpp" +#include "Module.hpp" +#include "SubmitHandler.hpp" +#include "EventHandler.hpp" +#include "Download.hpp" + + +using namespace std; + +namespace nepenthes +{ + + class HTTPSubmitHandler : public Module , public SubmitHandler, public EventHandler + { + public: + HTTPSubmitHandler(Nepenthes *nep); + ~HTTPSubmitHandler(); + bool Init(); + bool Exit(); + + void Submit(Download *down); + void Hit(Download *down); + + uint32_t handleEvent(Event *event); + + protected: + CURLM* m_CurlStack; + int32_t m_Queued; + string m_URL; + string m_Email; + string m_User; + string m_Password; + + }; + +} + +extern nepenthes::Nepenthes *g_Nepenthes; diff -ruN nepenthes-0.2.0/modules/submit-mwserv/Makefile.am nepenthes-0.2.0-r1345/modules/submit-mwserv/Makefile.am --- 
nepenthes-0.2.0/modules/submit-mwserv/Makefile.am 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/Makefile.am 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,19 @@
+# nepenthes module Makefile
+# Paul Baecher, Maximillian Dornseif, Markus Koetter
+# $Id: Makefile.am 718 2006-12-28 23:29:59Z common $
+
+AUTOMAKE_OPTIONS = foreign
+
+AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE
+AM_CXXFLAGS = -Wall -Werror
+
+AM_LDFLAGS = $(LIB_CURL)
+
+pkglib_LTLIBRARIES = submitmwserv.la
+
+submitmwserv_la_SOURCES = submit-mwserv.cpp submit-mwserv.hpp
+submitmwserv_la_SOURCES += TransferSession.cpp TransferSession.hpp
+submitmwserv_la_SOURCES += submit-mwserv.conf.dist
+
+submitmwserv_la_CXXFLAGS = -fno-strict-aliasing
+submitmwserv_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS)
diff -ruN nepenthes-0.2.0/modules/submit-mwserv/TransferSession.cpp nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.cpp
--- nepenthes-0.2.0/modules/submit-mwserv/TransferSession.cpp 1970-01-01 01:00:00.000000000 +0100
+++ nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.cpp 2007-08-06 00:46:15.000000000 +0200
@@ -0,0 +1,402 @@ +/******************************************************************************** + * Nepenthes + * - finest collection - + * + * + * + * Copyright (C) 2007 Georg Wicherski + * Copyright (C) 2005 Paul Baecher & Markus Koetter + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * + * contact nepenthesdev@users.sourceforge.net + * + *******************************************************************************/ + +#include "submit-mwserv.hpp" + +#include "LogManager.hpp" +#include "EventManager.hpp" + +#include "POLLSocket.cpp" +#include "Socket.cpp" + + + +#if defined(__GNUG__) + #define MY_COMPILER "g++" +#elif defined(__CYGWIN__) + #define MY_COMPILER "cygwin" +#else + #define MY_COMPILER "unknown Compiler" +#endif + +#if defined(__FreeBSD__) +# define MY_OS "FreeBSD" +#elif defined(linux) || defined (__linux) +# define MY_OS "Linux" +#elif defined (__MACOSX__) || defined (__APPLE__) +# define MY_OS "Mac OS X" +#elif defined(__NetBSD__) +# define MY_OS "NetBSD" +#elif defined(__OpenBSD__) +# define MY_OS "OpenBSD" +#elif defined(_WIN32) || defined(__WIN32__) || defined(__TOS_WIN__) +# define MY_OS "Windows" +#elif defined(CYGWIN) +# define MY_OS "Cygwin\Windows" +#else +# define MY_OS "Unknown OS" +#endif + +#if defined(__alpha__) || defined(__alpha) || 
defined(_M_ALPHA) +# define MY_ARCH "Alpha" +#elif defined(__arm__) +# if defined(__ARMEB__) +# define MY_ARCH "ARMeb" +# else +# define MY_ARCH "ARM" +# endif +#elif defined(i386) || defined(__i386__) || defined(__i386) || defined(_M_IX86) || defined(_X86_) || defined(__THW_INTEL) +# define MY_ARCH "x86" +#elif defined(__x86_64__) || defined(__amd64__) +# define MY_ARCH "x86_64" +#elif defined(__ia64__) || defined(_IA64) || defined(__IA64__) || defined(_M_IA64) +# define MY_ARCH "Intel Architecture-64" +#elif defined(__mips__) || defined(__mips) || defined(__MIPS__) +# if defined(__mips32__) || defined(__mips32) +# define MY_ARCH "MIPS32" +# else +# define MY_ARCH "MIPS" +# endif +#elif defined(__hppa__) || defined(__hppa) +# define MY_ARCH "PA RISC" +#elif defined(__powerpc) || defined(__powerpc__) || defined(__POWERPC__) || defined(__ppc__) || defined(_M_PPC) || defined(__PPC) || defined(__PPC__) +# define MY_ARCH "PowerPC" +#elif defined(__THW_RS6000) || defined(_IBMR2) || defined(_POWER) || defined(_ARCH_PWR) || defined(_ARCH_PWR2) +# define MY_ARCH "RS/6000" +#elif defined(__sparc__) || defined(sparc) || defined(__sparc) +# define MY_ARCH "SPARC" +#else +# define MY_ARCH "Unknown Architecture" +#endif + + + +namespace nepenthes +{ + + +TransferSession::TransferSession(Type type, SubmitMwservModule * parent) +{ + m_type = type; + m_parent = parent; + + m_sample.binary = 0; + m_multiHandle = 0; + m_postInfo = m_postInfoLast = 0; + m_curlHandle = 0; + + m_Type |= ST_NODEL; +} + +void TransferSession::transfer(TransferSample& sample, string url) +{ + m_sample = sample; + + if(!(m_curlHandle = curl_easy_init()) || !(m_multiHandle = + curl_multi_init())) + { + logCrit("%s failed!\n", __PRETTY_FUNCTION__); + return; + } + + m_targetUrl = url; + m_sample = sample; + + initializeHandle(); +} + +TransferSession::~TransferSession() +{ + Exit(); +} + +void TransferSession::initializeHandle() +{ + m_postInfo = m_postInfoLast = 0; + + curl_formadd(&m_postInfo, 
&m_postInfoLast, CURLFORM_PTRNAME, "guid", + CURLFORM_COPYCONTENTS, m_sample.guid.c_str(), CURLFORM_END); + curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, + "maintainer", CURLFORM_COPYCONTENTS, m_sample.maintainer.c_str(), + CURLFORM_END); + curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "secret", + CURLFORM_COPYCONTENTS, m_sample.secret.c_str(), CURLFORM_END); + + if(m_type != TST_HEARTBEAT) + { + curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "url", + CURLFORM_COPYCONTENTS, m_sample.url.c_str(), CURLFORM_END); + curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "sha512", + CURLFORM_COPYCONTENTS, m_sample.sha512.c_str(), CURLFORM_END); + curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "saddr", + CURLFORM_COPYCONTENTS, m_sample.saddr.c_str(), CURLFORM_END); + curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "daddr", + CURLFORM_COPYCONTENTS, m_sample.daddr.c_str(), CURLFORM_END); + + if(m_type == TST_SAMPLE) + { + curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "data", + CURLFORM_PTRCONTENTS, m_sample.binary, CURLFORM_CONTENTSLENGTH, + m_sample.binarySize, CURLFORM_END); + } + } + else + { + curl_formadd(&m_postInfo, &m_postInfoLast, CURLFORM_PTRNAME, "software", + CURLFORM_COPYCONTENTS, "nepenthes " VERSION " (" MY_OS ", " MY_ARCH + ", " MY_COMPILER ")", CURLFORM_END); + } + + curl_easy_setopt(m_curlHandle, CURLOPT_HTTPPOST, m_postInfo); + curl_easy_setopt(m_curlHandle, CURLOPT_FORBID_REUSE, 1); + curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYHOST, false); + curl_easy_setopt(m_curlHandle, CURLOPT_SSL_VERIFYPEER, false); + curl_easy_setopt(m_curlHandle, CURLOPT_URL, m_targetUrl.c_str()); + curl_easy_setopt(m_curlHandle, CURLOPT_USERAGENT, + "nepenthes " VERSION " (" MY_OS ", " MY_ARCH ", " MY_COMPILER ")"); + curl_easy_setopt(m_curlHandle, CURLOPT_WRITEDATA, this); + curl_easy_setopt(m_curlHandle, CURLOPT_WRITEFUNCTION, + TransferSession::readData); + + CURLMcode error; + + 
if((error = curl_multi_add_handle(m_multiHandle, m_curlHandle))) + logCrit("Error adding easy to multi: %s\n", curl_multi_strerror(error)); + + int handles = 0; + + while(curl_multi_perform(m_multiHandle, &handles) == + CURLM_CALL_MULTI_PERFORM && handles); +} + +//size_t function( void *ptr, size_t size, size_t nmemb, void *stream); +size_t TransferSession::readData(void *buffer, size_t s, size_t n, void *data) +{ + ((TransferSession *) data)->m_buffer.append((const char *)buffer, s * n); + return s * n; +} + +TransferSession::Status TransferSession::getTransferStatus() +{ + if(m_type != TST_HEARTBEAT) + { + if(m_buffer == "OK") + return TSS_OK; + else if(m_buffer == "UNKNOWN") + return TSS_UNKNOWN; + else + return TSS_ERROR; + } + else + { + if(m_buffer.substr(0, 4) == "OK: ") + return TSS_HEARTBEAT; + else + return TSS_ERROR; + } +} + +bool TransferSession::Init() +{ + return true; +} + +bool TransferSession::Exit() +{ + if(m_multiHandle) + curl_multi_remove_handle(m_multiHandle, m_curlHandle); + + if(m_postInfo) + curl_formfree(m_postInfo); + + if(m_curlHandle) + curl_easy_cleanup(m_curlHandle); + + if(m_multiHandle) + { + curl_multi_cleanup(m_multiHandle); + m_multiHandle = 0; + } + + if(m_sample.binary) + { + delete [] m_sample.binary; + m_sample.binary = 0; + } + + return true; +} + +bool TransferSession::wantSend() +{ + fd_set readSet, writeSet, errorSet; + int maxFd = 0; + CURLMcode error; + FD_ZERO(&readSet); FD_ZERO(&writeSet); FD_ZERO(&errorSet); + + if((error = curl_multi_fdset(m_multiHandle, &readSet, &writeSet, &errorSet, + &maxFd))) + { + logCrit("Obtaining write socket failed: %s\n", + curl_multi_strerror(error)); + return false; + } + + return FD_ISSET(maxFd, &writeSet); +} + +int32_t TransferSession::doSend() +{ + return doRecv(); +} + +int32_t TransferSession::doRecv() +{ + int handles = 0, queued = 0; + + while(curl_multi_perform(m_multiHandle, &handles) == + CURLM_CALL_MULTI_PERFORM && handles); + + CURLMsg * message; + + while((message = 
curl_multi_info_read(m_multiHandle, &queued))) + { + if(message->msg == CURLMSG_DONE) + { + if(message->data.result) + { + logCrit("Connection to %s failed: %s [\"%s\"]\n", + m_targetUrl.c_str(), curl_easy_strerror(message-> + data.result), m_buffer.c_str()); + + if(m_type == TST_HEARTBEAT) + m_parent->scheduleHeartbeat(DEFAULT_HEARTBEAT_DELTA); + else + { + m_parent->retrySample(m_sample); + m_sample.binary = 0; + } + } + else + { + switch(getTransferStatus()) + { + case TransferSession::TSS_OK: + logInfo("Transmitted %s to %s.\n", m_sample.url.c_str(), + m_targetUrl.c_str()); + + break; + + case TransferSession::TSS_UNKNOWN: + logInfo("submit-mwserv: uploading data for %s\n", + m_sample.url.c_str()); + + m_parent->submitSample(m_sample); + m_sample.binary = 0; + + break; + + case TransferSession::TSS_HEARTBEAT: + { + unsigned long delta = strtoul(m_buffer.substr(4). + c_str(), 0, 0); + logDebug("Next heartbeat in %u seconds.\n", delta); + + m_parent->scheduleHeartbeat(delta); + + break; + } + + case TransferSession::TSS_ERROR: + if(m_type == TST_HEARTBEAT) + m_parent->scheduleHeartbeat(DEFAULT_HEARTBEAT_DELTA); + + logCrit("%s reported \"%s\"\n", m_targetUrl.c_str(), + m_buffer.c_str()); + + break; + } + } + + m_Type |= ~ST_NODEL; + m_Status = SS_CLOSED; + } + } + + return 0; +} + +int32_t TransferSession::getSocket() +{ + if(!m_multiHandle) + return -1; + + fd_set readSet, writeSet, errorSet; + int maxFd = 0; + CURLMcode error; + FD_ZERO(&readSet); FD_ZERO(&writeSet); FD_ZERO(&errorSet); + + if((error = curl_multi_fdset(m_multiHandle, &readSet, &writeSet, &errorSet, + &maxFd))) + { + logCrit("Obtaining read socket failed: %s\n", + curl_multi_strerror(error)); + return -1; + } + + if(maxFd == -1) + return -1; + + if(!FD_ISSET(maxFd, &readSet) && !FD_ISSET(maxFd, &writeSet) && + !FD_ISSET(maxFd, &errorSet)) + { + logCrit("maxFd not in set: %i!\n", maxFd); + return -1; + } + + return maxFd; +} + +int32_t TransferSession::getsockOpt(int32_t level, int32_t optname, + 
void *optval, socklen_t *optlen) +{ + return getsockopt(getSocket(), level, optname, optval, optlen); +} + + +} + + +bool TransferSession::checkTimeout() +{ + // if the connection is bad, give curl a chance to take care, so we can get rid of the connection + if (getSocket() == -1) + doRecv(); + + return false; +} diff -ruN nepenthes-0.2.0/modules/submit-mwserv/TransferSession.hpp nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.hpp --- nepenthes-0.2.0/modules/submit-mwserv/TransferSession.hpp 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-mwserv/TransferSession.hpp 2007-08-06 00:46:15.000000000 +0200 
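Review bot: `m_Type |= ~ST_NODEL;` near the end of doRecv() sets every bit except ST_NODEL instead of clearing it; the constructor arms the flag with `m_Type |= ST_NODEL;`, so the disarm must be `m_Type &= ~ST_NODEL;`, otherwise the ST_NODEL bit stays set and the closed session is presumably never deleted by the socket manager. wantSend() evaluates `FD_ISSET(maxFd, &writeSet)` without the `maxFd == -1` guard that getSocket() has, and -1 is out of range for FD_ISSET when curl reports no descriptors; return false in that case. initializeHandle() sets CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST to false while the form carries the sensor's `secret`, so over an https URL the shared secret and every submitted sample are readable and forgeable by any on-path party; HTTPSession::setCURLOpts in the submit-http hunk does the same, and both should keep verification on by default, with an explicit config switch if an unverified target must be supported. `logDebug("Next heartbeat in %u seconds.\n", delta)` passes an `unsigned long` for `%u`; use `%lu`. checkTimeout() is defined after the closing brace of `namespace nepenthes`, which only compiles if one of the included .cpp files happens to open the namespace at global scope; move it inside the namespace with the other member definitions.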
@@ -0,0 +1,129 @@ +/******************************************************************************** + * Nepenthes + * - finest collection - + * + * + * + * Copyright (C) 2007 Georg Wicherski + * Copyright (C) 2005 Paul Baecher & Markus Koetter + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * + * contact nepenthesdev@users.sourceforge.net + * + *******************************************************************************/ + +#include +#include +#include + +#include +using namespace std; + +#include "Nepenthes.hpp" +#include "Module.hpp" +#include "SubmitHandler.hpp" +#include "Download.hpp" + +#include "POLLSocket.hpp" + + +namespace nepenthes +{ + + +struct TransferSample +{ + string guid; + string maintainer; + string secret; + + string url; + string saddr, daddr; + string sha512; + + char * binary; + unsigned int binarySize; +}; + + +class SubmitMwservModule; + +class TransferSession : public POLLSocket +{ +public: + enum Type + { + TST_INSTANCE, + TST_SAMPLE, + TST_HEARTBEAT, + }; + + TransferSession(Type type, SubmitMwservModule * parent); + virtual ~TransferSession(); + + enum Status + { + TSS_OK, + TSS_UNKNOWN, + TSS_HEARTBEAT, + TSS_ERROR, + }; + + TransferSession::Status getTransferStatus(); + + void transfer(TransferSample& sample, string url); + + // POLLSocket + bool 
Init(); + bool Exit(); + + bool wantSend(); + + int32_t doSend(); + int32_t doRecv(); + int32_t getSocket(); + int32_t getsockOpt(int32_t level, int32_t optname, + void *optval, socklen_t *optlen); + bool checkTimeout(); + +protected: + string m_targetUrl; + TransferSample m_sample; + + CURL * m_curlHandle; + CURLM * m_multiHandle; + curl_httppost * m_postInfo, * m_postInfoLast; + + char * m_dataCopy; + unsigned int m_dataSize; + + void initializeHandle(); + void recreateWithSampleData(); + + string m_buffer; + + Type m_type; + SubmitMwservModule * m_parent; + + unsigned long m_heartbeatDelta; + +private: + static size_t readData(void *buffer, size_t size, size_t n, void *data); +}; + + +} diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.conf.dist nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.conf.dist --- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.conf.dist 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.conf.dist 2007-08-06 00:46:15.000000000 +0200 @@ -0,0 +1,18 @@ +// lightweight libcurl based module for file submission via HTTP to the mwserv +// python script suite (typically running on an apache2 with mod_python) +// This is primarily used by the mwcollect Alliance - alliance.mwcollect.org + +submit-mwserv +{ + // the url to send the submission requests to + url = ""; + + // username of the maintainer of this sensor + maintainer = ""; + + // guid of this sensor, as generated serverside; typically 8 chars + guid = ""; + + // shared secret used for authentication aka `password'; typically 48 chars + secret = ""; +}; diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.cpp nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.cpp --- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.cpp 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.cpp 2007-08-06 00:46:15.000000000 +0200 
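Review bot: `recreateWithSampleData()`, `m_dataCopy`, `m_dataSize` and `m_heartbeatDelta` are declared here but the TransferSession.cpp hunk never defines or touches them, and the constructor leaves `m_dataCopy`/`m_dataSize` uninitialized; drop them or wire them up (submit-mwserv.hpp's `m_inTransfer` is likewise never used in submit-mwserv.cpp). `using namespace std;` at file scope in a header leaks into every translation unit that includes it; qualify the members as `std::string` instead. The destructor is `virtual`, which is right if the session is deleted through the POLLSocket base as the addPOLLSocket() calls suggest, but the overriding methods (`Init`, `Exit`, `wantSend`, `doSend`, `doRecv`, `getSocket`, `getsockOpt`, `checkTimeout`) carry no `virtual` keyword here, so a reader of this header cannot tell they override; repeating `virtual` on them (the codebase predates `override`) documents that.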
@@ -0,0 +1,224 @@ +/******************************************************************************** + * Nepenthes + * - finest collection - + * + * + * + * Copyright (C) 2007 Georg Wicherski + * Copyright (C) 2005 Paul Baecher & Markus Koetter + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * + * contact nepenthesdev@users.sourceforge.net + * + *******************************************************************************/ + +#include "Download.hpp" +#include "Utilities.hpp" +#include "SubmitManager.hpp" +#include "LogManager.hpp" +#include "Event.hpp" +#include "EventManager.hpp" +#include "EventHandler.cpp" +#include "Config.hpp" +#include "ModuleManager.hpp" +#include "SocketManager.hpp" + +#include "DownloadBuffer.hpp" +#include "DownloadUrl.hpp" + +#include "submit-mwserv.hpp" + +#include +#include +#include +#include + + +#define SUBMIT_URI "nepenthes/submit" +#define HEARTBEAT_URI "heartbeat" + + +namespace nepenthes +{ + + +SubmitMwservModule::SubmitMwservModule(Nepenthes * nepenthes) +{ + m_ModuleName = "submit-mwserv"; + m_ModuleDescription = "mwserv.py HTTP Post Submission"; + m_ModuleRevision = "$Rev: 921 $"; + m_Nepenthes = nepenthes; + m_SubmitterName = "submit-mwserv"; + m_SubmitterDescription = "mwserv.py HTTP Post Submission"; + + m_Timeout = 0; + m_TimeoutIntervall = 
0; +} + +bool SubmitMwservModule::Init() +{ + if(!m_Config) + { + logCrit("No configuration for submit-mwserv provided.\n"); + return false; + } + + try + { + m_url = m_Config->getValString("submit-mwserv.url"); + m_guid = m_Config->getValString("submit-mwserv.guid"); + m_maintainer = m_Config->getValString("submit-mwserv.maintainer"); + m_secret = m_Config->getValString("submit-mwserv.secret"); + } + catch(...) + { + logCrit("Missing configuration option for submit-mwserv.\n"); + return false; + } + + if(m_guid.find(":") != string::npos || m_maintainer.find(":") + != string::npos || m_secret.find(":") != string::npos || + m_guid.find("+") != string::npos || m_maintainer.find("+") + != string::npos || m_secret.find("+") != string::npos) + { + logCrit("submit-mwserv: guid, maintainer or secret from configuration" + "contained ':' or '+'; this is not allowed.\n"); + return false; + } + + if(* m_url.rbegin() != '/') + m_url += "/"; + + REG_SUBMIT_HANDLER(this); + REG_EVENT_HANDLER(this); + + handleEvent(0); + + return true; +} + +bool SubmitMwservModule::Exit() +{ + return true; +} + +void SubmitMwservModule::Submit(Download * download) +{ + Hit(download); +} + +void SubmitMwservModule::Hit(Download * download) +{ + TransferSample sample; + TransferSession * session = new TransferSession(TransferSession:: + TST_INSTANCE, this); + + { + struct in_addr saddr, daddr; + + saddr.s_addr = download->getRemoteHost(); + daddr.s_addr = download->getLocalHost(); + + sample.saddr = inet_ntoa(saddr); + sample.daddr = inet_ntoa(daddr); + + sample.guid = m_guid; + sample.maintainer = m_maintainer; + sample.secret = m_secret; + + sample.url = download->getUrl(); + sample.sha512 = download->getSHA512Sum(); + + sample.binarySize = download->getDownloadBuffer()->getSize(); + sample.binary = new char[sample.binarySize]; + memcpy(sample.binary, download->getDownloadBuffer()->getData(), + sample.binarySize); + } + + session->transfer(sample, m_url + SUBMIT_URI); + 
g_Nepenthes->getSocketMgr()->addPOLLSocket(session); +} + +void SubmitMwservModule::retrySample(TransferSample& sample) +{ + TransferSession * session = new TransferSession(TransferSession:: + TST_INSTANCE, this); + + session->transfer(sample, m_url + SUBMIT_URI); + g_Nepenthes->getSocketMgr()->addPOLLSocket(session); +} + +void SubmitMwservModule::submitSample(TransferSample& sample) +{ + TransferSession * session = new TransferSession(TransferSession:: + TST_SAMPLE, this); + + session->transfer(sample, m_url + SUBMIT_URI); + g_Nepenthes->getSocketMgr()->addPOLLSocket(session); +} + +uint32_t SubmitMwservModule::handleEvent(Event * ev) +{ + m_Events.reset(EV_TIMEOUT); + + TransferSample sample; + TransferSession * session = new TransferSession(TransferSession:: + TST_HEARTBEAT, this); + + sample.guid = m_guid; + sample.maintainer = m_maintainer; + sample.secret = m_secret; + sample.binary = 0; + + session->transfer(sample, m_url + HEARTBEAT_URI); + g_Nepenthes->getSocketMgr()->addPOLLSocket(session); + + return 0; +} + +void SubmitMwservModule::scheduleHeartbeat(unsigned long delta) +{ + if(delta > MAX_HEARTBEAT_DELTA) + { + logInfo("Capping server heartbeat delta of %u sec to %u sec.\n", delta, + MAX_HEARTBEAT_DELTA); + + delta = MAX_HEARTBEAT_DELTA; + } + + m_Events.set(EV_TIMEOUT); + m_Timeout = time(0) + delta; +} + + +extern "C" int32_t module_init(int32_t version, Module **module, Nepenthes *nepenthes) +{ + g_Nepenthes = nepenthes; + + if(version == MODULE_IFACE_VERSION) + { + * module = new SubmitMwservModule(nepenthes); + return 1; + } + + return 0; +} + + +} + +Nepenthes * g_Nepenthes; diff -ruN nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.hpp nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.hpp --- nepenthes-0.2.0/modules/submit-mwserv/submit-mwserv.hpp 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-mwserv/submit-mwserv.hpp 2007-08-06 00:46:15.000000000 +0200 
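Review bot: `if(* m_url.rbegin() != '/')` in Init() dereferences the reverse-begin iterator of an empty string, which is undefined behaviour, and the shipped submit-mwserv.conf.dist sets `url = ""`; reject an empty url up front with a logCrit and `return false`, or at minimum write `if(m_url.empty() || *m_url.rbegin() != '/')`. The two adjacent literals in the logCrit just above it concatenate to `...from configurationcontained ':' or '+'...`; add the missing space at the end of the first literal. retrySample() is called from TransferSession::doRecv() on every connection failure and immediately opens a new session with no delay or attempt limit, so an unreachable server makes each queued sample reconnect in a tight loop for as long as the process runs; an attempt counter in TransferSample, with a delay via the existing EV_TIMEOUT mechanism and a drop after a few tries, would bound that. scheduleHeartbeat() logs the `unsigned long` delta with `%u`; use `%lu` for that argument.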
@@ -0,0 +1,78 @@ +/******************************************************************************** + * Nepenthes + * - finest collection - + * + * + * + * Copyright (C) 2007 Georg Wicherski + * Copyright (C) 2005 Paul Baecher & Markus Koetter + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * + * contact nepenthesdev@users.sourceforge.net + * + *******************************************************************************/ + +#include +#include +#include + +#include "Nepenthes.hpp" +#include "Module.hpp" +#include "SubmitHandler.hpp" +#include "EventHandler.hpp" +#include "Download.hpp" + +#include "TransferSession.hpp" + + +#define DEFAULT_HEARTBEAT_DELTA 30 +#define MAX_HEARTBEAT_DELTA 300 + + +using namespace std; + +namespace nepenthes +{ + + +class SubmitMwservModule : public Module , public SubmitHandler, + public EventHandler +{ +public: + SubmitMwservModule(Nepenthes * nepenthes); + + bool Init(); + bool Exit(); + + void Submit(Download * download); + void Hit(Download * download); + + uint32_t handleEvent(Event *event); + + void submitSample(TransferSample& sample); + void retrySample(TransferSample& sample); + void scheduleHeartbeat(unsigned long delta); + +protected: + string m_url, m_guid, m_maintainer, m_secret; + uint32_t m_inTransfer; +}; + + +} + +extern 
nepenthes::Nepenthes *g_Nepenthes; diff -ruN nepenthes-0.2.0/modules/submit-norman/Makefile.am nepenthes-0.2.0-r1345/modules/submit-norman/Makefile.am --- nepenthes-0.2.0/modules/submit-norman/Makefile.am 2006-11-13 20:40:09.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-norman/Makefile.am 2007-08-06 00:46:15.000000000 +0200 @@ -12,4 +12,4 @@ submitnorman_la_SOURCES = submit-norman.conf.dist submit-norman.hpp submit-norman.cpp -submitnorman_la_LDFLAGS = -module -no-undefined -avoid-version +submitnorman_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) diff -ruN nepenthes-0.2.0/modules/submit-norman/submit-norman.conf.dist nepenthes-0.2.0-r1345/modules/submit-norman/submit-norman.conf.dist --- nepenthes-0.2.0/modules/submit-norman/submit-norman.conf.dist 2006-11-13 20:40:09.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-norman/submit-norman.conf.dist 2007-08-06 00:46:15.000000000 +0200 @@ -1,8 +1,8 @@ submit-norman { // this is the adress where norman sandbox reports will be sent - email "malware@mac.com"; - urls ("http://sandbox.norman.no/live_4.html", + email "nsbx@mwcollect.org"; + urls ("http://www.norman.com/microsites/nsic/Submit/Special/45773/", "http://luigi.informatik.uni-mannheim.de/submit.php?action=verify"); }; diff -ruN nepenthes-0.2.0/modules/submit-postgres/Makefile.am nepenthes-0.2.0-r1345/modules/submit-postgres/Makefile.am --- nepenthes-0.2.0/modules/submit-postgres/Makefile.am 2006-11-13 20:40:05.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/submit-postgres/Makefile.am 2007-08-06 00:46:15.000000000 +0200 
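Review bot: submit-mwserv.hpp has no include guard and places `using namespace std;` at header scope, so every translation unit that pulls it in (directly or through another header) inherits the whole std namespace and a second inclusion redefines SubmitMwservModule; the new vuln-sav.hpp in this patch has the same two problems. Wrap the file in `#ifndef SUBMIT_MWSERV_HPP` / `#define SUBMIT_MWSERV_HPP` … `#endif` and write `std::string m_url, m_guid, m_maintainer, m_secret;` instead of relying on the using-directive. `m_inTransfer` is declared but nothing in the visible part of submit-mwserv.cpp reads or writes it; if it is unused drop it, otherwise a one-line comment saying what it counts belongs next to it. `m_secret` is a shared credential that the module copies into every sample it transfers, so a comment such as `// shared secret for the mwserv server; never write it to the log` would keep it out of future logInfo() calls.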
@@ -13,5 +13,6 @@ submitpostgres_la_SOURCES = submit-postgres.cpp submit-postgres.hpp submitpostgres_la_SOURCES += PGDownloadContext.cpp PGDownloadContext.hpp submitpostgres_la_SOURCES += bencoding.c bencoding.h +submitpostgres_la_SOURCES += submit-postgres.conf.dist submitpostgres_la_LDFLAGS = -module -no-undefined -avoid-version diff -ruN nepenthes-0.2.0/modules/vuln-asn1/IISDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-asn1/IISDialogue.cpp --- nepenthes-0.2.0/modules/vuln-asn1/IISDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-asn1/IISDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -43,6 +43,9 @@ #include "Socket.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" + #ifdef STDTAGS #undef STDTAGS #endif @@ -79,7 +82,7 @@ case IIS_POST: case IIS_GET: logWarn("Unknown IIS %i bytes State %i\n",m_Buffer->getSize(), m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); break; case IIS_SEARCH: @@ -102,7 +105,7 @@ ConsumeLevel IISDialogue::incomingData(Message *msg) { m_Buffer->add(msg->getMsg(),msg->getSize()); -// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); +// HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); // FIXME this can only recognize urldownloadtofile foobar diff -ruN nepenthes-0.2.0/modules/vuln-asn1/SMBDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-asn1/SMBDialogue.cpp --- nepenthes-0.2.0/modules/vuln-asn1/SMBDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-asn1/SMBDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -43,8 +43,13 @@ #include "Utilities.hpp" #include "ShellcodeManager.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" + #include "vuln-asn1.hpp" + + #ifdef STDTAGS #undef STDTAGS #endif 
@@ -227,5 +232,5 @@ void SMBDialogue::dump() { logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","ASN1_SMB",m_Buffer->getSize(),m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-bagle/BagleDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-bagle/BagleDialogue.cpp --- nepenthes-0.2.0/modules/vuln-bagle/BagleDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-bagle/BagleDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -124,7 +124,7 @@ } logCrit("Unknown Bagle Auth (%i)\n",m_Buffer->getSize()); - g_Nepenthes->getUtilities()->hexdump(l_crit | STDTAGS ,(byte *)m_Buffer->getData(),m_Buffer->getSize()); +// g_Nepenthes->getUtilities()->hexdump(l_crit | STDTAGS ,(byte *)m_Buffer->getData(),m_Buffer->getSize()); if (m_Buffer->getSize() > 128 ) return CL_DROP; diff -ruN nepenthes-0.2.0/modules/vuln-bagle/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-bagle/Makefile.am --- nepenthes-0.2.0/modules/vuln-bagle/Makefile.am 2006-11-13 20:40:09.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-bagle/Makefile.am 2007-08-06 00:46:15.000000000 +0200 @@ -6,7 +6,6 @@ AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE AM_CXXFLAGS = -Wall -Werror -AM_LDFLAGS = -lpcre pkglib_LTLIBRARIES = vulnbagle.la diff -ruN nepenthes-0.2.0/modules/vuln-dameware/DWDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-dameware/DWDialogue.cpp --- nepenthes-0.2.0/modules/vuln-dameware/DWDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-dameware/DWDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -48,6 +48,9 @@ #include "Utilities.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" + #ifdef STDTAGS #undef STDTAGS #endif 
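Review bot: In BagleDialogue.cpp the hexdump call is left behind as commented-out code instead of being switched to the new `HEXDUMP(m_Socket, …)` macro as the dump() paths of the other dialogues in this patch are, so this diagnostic disappears even from HAVE_DEBUG_LOGGING builds and the dead line will rot; the same pattern appears in vuln-ftpd.cpp, OPTIXShellDialogue.cpp, vuln-realvnc.cpp, VERITASDialogue.cpp (incomingData), x-4.cpp and DNSResult.cpp. Either use `HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize());` so the dump is still raised as an EV_HEXDUMP event in debug builds, or delete the line outright. Where no socket is at hand at the call site (apparently DNSResult.cpp and X4::Submit, which only has a Download) deleting is the cleaner choice. The enclosing incomingData in BagleDialogue starts outside the hunk.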
@@ -209,5 +212,5 @@ void DWDialogue::dump() { logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","DameWare",m_Buffer->getSize(),m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-dcom/DCOMDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-dcom/DCOMDialogue.cpp --- nepenthes-0.2.0/modules/vuln-dcom/DCOMDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-dcom/DCOMDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -39,6 +39,10 @@ #include "Utilities.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" + + #ifdef STDTAGS #undef STDTAGS #endif @@ -234,5 +238,5 @@ void DCOMDialogue::dump() { logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","DCOM",m_Buffer->getSize(),m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-ftpd/vuln-ftpd.cpp nepenthes-0.2.0-r1345/modules/vuln-ftpd/vuln-ftpd.cpp --- nepenthes-0.2.0/modules/vuln-ftpd/vuln-ftpd.cpp 2006-11-13 20:40:03.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-ftpd/vuln-ftpd.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -55,6 +55,9 @@ #include "Utilities.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" + #ifdef STDTAGS #undef STDTAGS #endif @@ -220,7 +223,7 @@ uint32_t i = 0; bool buffercut=false; - g_Nepenthes->getUtilities()->hexdump((byte *) m_Buffer->getData(),m_Buffer->getSize()); +// g_Nepenthes->getUtilities()->hexdump((byte *) m_Buffer->getData(),m_Buffer->getSize()); while ( i < m_Buffer->getSize() ) { buffercut = false; 
@@ -418,7 +421,7 @@ void FTPdDialogue::dump() { logWarn("Unknown exploit %i bytes \n",m_Shellcode->getSize()); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Shellcode->getData(), m_Shellcode->getSize()); + HEXDUMP(m_Socket,(byte *) m_Shellcode->getData(), m_Shellcode->getSize()); } ftp_exploit FTPdDialogue::identExploit(string line) diff -ruN nepenthes-0.2.0/modules/vuln-iis/IISDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-iis/IISDialogue.cpp --- nepenthes-0.2.0/modules/vuln-iis/IISDialogue.cpp 2006-11-13 20:40:10.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-iis/IISDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -49,6 +49,9 @@ #include "Message.hpp" #include "Message.cpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" + #ifdef STDTAGS #undef STDTAGS #endif @@ -85,7 +88,7 @@ case IIS_NULL: case IIS_SSL: logWarn("Unknown IIS SSL exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); break; case IIS_DONE: diff -ruN nepenthes-0.2.0/modules/vuln-lsass/LSASSDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-lsass/LSASSDialogue.cpp --- nepenthes-0.2.0/modules/vuln-lsass/LSASSDialogue.cpp 2006-11-13 20:40:11.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-lsass/LSASSDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -46,6 +46,8 @@ #include "Buffer.hpp" #include "Buffer.cpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" #ifdef STDTAGS #undef STDTAGS 
@@ -281,6 +283,6 @@ void LSASSDialogue::dump() { logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","LSASS",m_Buffer->getSize(),m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-msdtc/MSDTCDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-msdtc/MSDTCDialogue.cpp --- nepenthes-0.2.0/modules/vuln-msdtc/MSDTCDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-msdtc/MSDTCDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -38,6 +38,8 @@ #include "ShellcodeManager.hpp" #include "Utilities.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" #ifdef STDTAGS #undef STDTAGS @@ -181,5 +183,5 @@ void MSDTCDialogue::dump() { logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","MSDTC",m_Buffer->getSize(),m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-msmq/MSMQDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-msmq/MSMQDialogue.cpp --- nepenthes-0.2.0/modules/vuln-msmq/MSMQDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-msmq/MSMQDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -43,6 +43,8 @@ #include "Nepenthes.hpp" #include "LogManager.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" using namespace nepenthes; 
@@ -73,7 +75,7 @@ case MSMQ_NULL: case MSMQ_SHELLCODE: logWarn("Unknown MSMQ exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); break; case MSMQ_DONE: diff -ruN nepenthes-0.2.0/modules/vuln-mssql/MSSQLDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-mssql/MSSQLDialogue.cpp --- nepenthes-0.2.0/modules/vuln-mssql/MSSQLDialogue.cpp 2006-11-13 20:40:03.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-mssql/MSSQLDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -41,6 +41,9 @@ #include "Utilities.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" + #ifdef STDTAGS #undef STDTAGS #endif @@ -115,7 +118,7 @@ } else { // hexdump it - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte*)msg->getMsg(),msg->getSize()); + HEXDUMP(m_Socket,(byte*)msg->getMsg(),msg->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-netbiosname/SMBNameDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-netbiosname/SMBNameDialogue.cpp --- nepenthes-0.2.0/modules/vuln-netbiosname/SMBNameDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-netbiosname/SMBNameDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -49,6 +49,8 @@ #include "Utilities.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" #ifdef STDTAGS #undef STDTAGS 
@@ -146,7 +148,7 @@ case SMBName_NEGOTIATE: case SMBName_NULL: logWarn("Unknown SMBName exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); -// g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); +// HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); break; diff -ruN nepenthes-0.2.0/modules/vuln-netdde/NETDDEDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-netdde/NETDDEDialogue.cpp --- nepenthes-0.2.0/modules/vuln-netdde/NETDDEDialogue.cpp 2006-11-13 20:40:05.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-netdde/NETDDEDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -49,6 +49,8 @@ #include "Utilities.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" #ifdef STDTAGS #undef STDTAGS @@ -201,5 +203,5 @@ void NETDDEDialogue::dump() { logWarn("Unknown NETDDE exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-optix/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-optix/Makefile.am --- nepenthes-0.2.0/modules/vuln-optix/Makefile.am 2006-11-13 20:40:08.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-optix/Makefile.am 2007-08-06 00:46:15.000000000 +0200 
@@ -12,4 +12,4 @@ vulnoptix_la_SOURCES = vuln-optix.conf.dist OPTIXBindDialogue.hpp OPTIXDownloadDialogue.hpp OPTIXDownloadHandler.hpp OPTIXShellDialogue.hpp vuln-optix.hpp OPTIXBindDialogue.cpp OPTIXDownloadDialogue.cpp OPTIXDownloadHandler.cpp OPTIXShellDialogue.cpp vuln-optix.cpp -vulnoptix_la_LDFLAGS = -module -no-undefined -avoid-version +vulnoptix_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) diff -ruN nepenthes-0.2.0/modules/vuln-optix/OPTIXShellDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-optix/OPTIXShellDialogue.cpp --- nepenthes-0.2.0/modules/vuln-optix/OPTIXShellDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-optix/OPTIXShellDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -107,7 +107,7 @@ case OPTIX_AUTHED: if (m_Buffer->getSize() >= 6) { - g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); +// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); // we could do this with pcre ... if (memcmp(m_Buffer->getData(),"019¬\r\n",6) == 0) { diff -ruN nepenthes-0.2.0/modules/vuln-pnp/PNPDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-pnp/PNPDialogue.cpp --- nepenthes-0.2.0/modules/vuln-pnp/PNPDialogue.cpp 2006-11-13 20:40:08.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-pnp/PNPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -47,6 +47,8 @@ #include "Buffer.hpp" #include "Buffer.cpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" #ifdef STDTAGS #undef STDTAGS 
@@ -276,5 +278,5 @@ void PNPDialogue::dump() { logWarn("Unknown %s Shellcode (Buffer %i bytes) (State %i)\n","PNP",m_Buffer->getSize(),m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *)m_Buffer->getData(),m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *)m_Buffer->getData(),m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-realvnc/vuln-realvnc.cpp nepenthes-0.2.0-r1345/modules/vuln-realvnc/vuln-realvnc.cpp --- nepenthes-0.2.0/modules/vuln-realvnc/vuln-realvnc.cpp 2006-11-13 20:40:07.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-realvnc/vuln-realvnc.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -246,7 +246,7 @@ { logSpam("VNC_HANDSHAKE\n"); - g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); +// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); if (m_Buffer->getSize() >= strlen(rfb_version_003_008) && memcmp(m_Buffer->getData(),rfb_version_003_008,strlen(rfb_version_003_008)) == 0) { @@ -262,7 +262,7 @@ if ( m_State == VNC_AUTH) { logSpam("VNC_AUTH\n"); - g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); +// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); if (m_Buffer->getSize() >= 1 ) { if (1)// *(char *) (m_Buffer->getData()) == 1) @@ -546,7 +546,7 @@ case 6: logSpam("ClientReq: CutEvent\n"); - g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); +// g_Nepenthes->getUtilities()->hexdump((byte *)m_Buffer->getData(),m_Buffer->getSize()); if (m_Buffer->getSize() >= 8 ) { uint32_t cpbytes; diff -ruN nepenthes-0.2.0/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp --- nepenthes-0.2.0/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-sasserftpd/SasserFTPDDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 
@@ -49,6 +49,8 @@ #include "Utilities.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" #ifdef STDTAGS #undef STDTAGS @@ -219,5 +221,5 @@ void SasserFTPDDialogue::dump() { logWarn("Unknown SasserFTPD exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-sav/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-sav/Makefile.am --- nepenthes-0.2.0/modules/vuln-sav/Makefile.am 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-sav/Makefile.am 2007-08-06 00:46:15.000000000 +0200 @@ -0,0 +1,14 @@ +# nepenthes module Makefile +# Paul Baecher, Maximillian Dornseif, Markus Koetter +# $Id$ + +AUTOMAKE_OPTIONS = foreign + +AM_CPPFLAGS = -I$(top_srcdir)/nepenthes-core/include -I$(top_srcdir)/nepenthes-core/src -pipe -D _GNU_SOURCE +AM_CXXFLAGS = -Wall -Werror + +pkglib_LTLIBRARIES = vulnsav.la + +vulnsav_la_SOURCES = vuln-sav.cpp vuln-sav.hpp + +vulnsav_la_LDFLAGS = -module -no-undefined -avoid-version diff -ruN nepenthes-0.2.0/modules/vuln-sav/vuln-sav.cpp nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.cpp --- nepenthes-0.2.0/modules/vuln-sav/vuln-sav.cpp 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.cpp 2007-08-06 00:46:15.000000000 +0200 
@@ -0,0 +1,278 @@ +/******************************************************************************** + * Nepenthes + * - finest collection - + * + * + * + * Copyright (C) 2005 Paul Baecher & Markus Koetter + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * + * contact nepenthesdev@users.sourceforge.net + * + *******************************************************************************/ + + /* $Id$ */ + +#include + +#include "vuln-sav.hpp" + +#include "SocketManager.hpp" + +#include "DownloadManager.hpp" +#include "LogManager.hpp" +#include "DialogueFactoryManager.hpp" + + +#include "Buffer.hpp" +#include "Buffer.cpp" + +#include "Message.hpp" +#include "Message.cpp" + +#include "ShellcodeManager.hpp" + +#include "Config.hpp" + +#include "Download.hpp" + +#ifdef STDTAGS +#undef STDTAGS +#endif +#define STDTAGS l_mod + +using namespace nepenthes; + + +/** + * as we may need a global pointer to our Nepenthes in our modules, + * and cant access the cores global pointer to nepenthes + * we have to use a own global pointer to nepenthes per module + * we need this pointer for logInfo() etc + */ +Nepenthes *g_Nepenthes; + +/** + * The Constructor + * creates a new VulnSAV Module, + * VulnSAV is an example for binding a socket & setting up the Dialogue & DialogueFactory + * + * + * it can be 
used as a shell emu to allow trigger commands + * + * + * sets the following values: + * - m_DialogueFactoryName + * - m_DialogueFactoryDescription + * + * @param nepenthes the pointer to our Nepenthes + */ +VulnSAV::VulnSAV(Nepenthes *nepenthes) +{ + m_ModuleName = "vuln-sav"; + m_ModuleDescription = "emulate the bug in symantec antivirus product"; + m_ModuleRevision = "$Rev$"; + m_Nepenthes = nepenthes; + + m_DialogueFactoryName = "SAV Factory"; + m_DialogueFactoryDescription = "Symantec Antivirus Client Dialogue Factory"; + + g_Nepenthes = nepenthes; +} + +VulnSAV::~VulnSAV() +{ + +} + + +/** + * Module::Init() + * + * binds the port, adds the DialogueFactory to the Socket + * + * @return returns true if everything was fine, else false + * false indicates a fatal error + */ +bool VulnSAV::Init() +{ +/* if ( m_Config == NULL ) + { + logCrit("I need a config\n"); + return false; + } +*/ + m_Nepenthes->getSocketMgr()->bindTCPSocket(0,2967,0,30,this); + return true; +} + +bool VulnSAV::Exit() +{ + return true; +} + +/** + * DialogueFactory::createDialogue(Socket *) + * + * creates a new SAVDialogue + * + * @param socket the socket the DIalogue has to use, can be NULL if the Dialogue can handle it + * + * @return returns the new created dialogue + */ +Dialogue *VulnSAV::createDialogue(Socket *socket) +{ + return new SAVDialogue(socket); +// return g_Nepenthes->getFactoryMgr()->getFactory("WinNTShell DialogueFactory")->createDialogue(socket); +} + + + + + + + +/** + * Dialogue::Dialogue(Socket *) + * construktor for the SAVDialogue, creates a new SAVDialogue + * + * replies some crap to the socket + * + * @param socket the Socket the Dialogue has to use + */ +SAVDialogue::SAVDialogue(Socket *socket) +{ + m_Socket = socket; + m_DialogueName = "SAVDialogue"; + m_DialogueDescription = "Symantec Antivirus Dialogue"; + + m_ConsumeLevel = CL_ASSIGN; + + m_Buffer = new Buffer(512); +} + +SAVDialogue::~SAVDialogue() +{ + delete m_Buffer; +} + +/** + * 
Dialogue::incomingData(Message *) + * + * a small and ugly shell where we can use + * "download protocol://localction:port/path/to/file + * to trigger a download + * + * @param msg the Message the Socker received. + * + * + * @return CL_ASSIGN + */ +ConsumeLevel SAVDialogue::incomingData(Message *msg) +{ + + m_Buffer->add(msg->getMsg(),msg->getSize()); + + if ( m_Buffer->getSize() > 0xcd0 ) + { + Message *Msg = new Message((char *)m_Buffer->getData(), m_Buffer->getSize(),m_Socket->getLocalPort(), m_Socket->getRemotePort(), + m_Socket->getLocalHost(), m_Socket->getRemoteHost(), m_Socket, m_Socket); + sch_result sch; + sch = g_Nepenthes->getShellcodeMgr()->handleShellcode(&Msg); + delete Msg; + + if ( sch == SCH_DONE ) + { + m_Buffer->clear(); + return CL_ASSIGN_AND_DONE; + } + + } + + return CL_ASSIGN; +} + +/** + * Dialogue::outgoingData(Message *) + * as we are not interested in these socket actions + * we simply return CL_DROP to show the socket + * + * @param msg + * + * @return CL_DROP + */ +ConsumeLevel SAVDialogue::outgoingData(Message *msg) +{ + return CL_ASSIGN; +} + +/** + * Dialogue::handleTimeout(Message *) + * as we are not interested in these socket actions + * we simply return CL_DROP to show the socket + * + * @param msg + * + * @return CL_DROP + */ +ConsumeLevel SAVDialogue::handleTimeout(Message *msg) +{ + return CL_DROP; +} + +/** + * Dialogue::connectionLost(Message *) + * as we are not interested in these socket actions + * we simply return CL_DROP to show the socket + * + * @param msg + * + * @return CL_DROP + */ +ConsumeLevel SAVDialogue::connectionLost(Message *msg) +{ + return CL_DROP; +} + +/** + * Dialogue::connectionShutdown(Message *) + * as we are not interested in these socket actions + * we simply return CL_DROP to show the socket + * + * @param msg + * + * @return CL_DROP + */ +ConsumeLevel SAVDialogue::connectionShutdown(Message *msg) +{ + return CL_DROP; +} + + + + +extern "C" int32_t module_init(int32_t version, Module **module, 
Nepenthes *nepenthes) +{ + if ( version == MODULE_IFACE_VERSION ) + { + *module = new VulnSAV(nepenthes); + return (1); + } else + { + return (0); + } +} diff -ruN nepenthes-0.2.0/modules/vuln-sav/vuln-sav.hpp nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.hpp --- nepenthes-0.2.0/modules/vuln-sav/vuln-sav.hpp 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-sav/vuln-sav.hpp 2007-08-06 00:46:15.000000000 +0200 
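Review bot: SAVDialogue::incomingData appends every received message to m_Buffer with no upper bound and only clears it when the shellcode handler returns SCH_DONE, so a peer that keeps sending data the handler does not recognise grows the buffer for the lifetime of the connection, whereas the other dialogues cap this (BagleDialogue drops at 128 bytes). Add a ceiling right after the add, e.g. `if ( m_Buffer->getSize() > 0x10000 ) return CL_DROP;` (limit chosen for illustration; derive it from the 0xcd0 threshold the handler expects) with a comment explaining where the number comes from. Init() hard-codes `bindTCPSocket(0,2967,0,30,this)` with the m_Config check commented out, while the only config file the patch adds for this module is x-2.conf.dist with an `x-2` section and port 10002 that nothing here reads — either read the port from a vuln-sav.conf.dist or drop the stray file. The doc comments are copy-paste leftovers that now mislead: outgoingData's header says `@return CL_DROP` but the body returns CL_ASSIGN, the constructor comment claims it "replies some crap to the socket" although it sends nothing, and incomingData's comment describes a download shell rather than the shellcode hand-off it performs.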
@@ -0,0 +1,72 @@ +/******************************************************************************** + * Nepenthes + * - finest collection - + * + * + * + * Copyright (C) 2005 Paul Baecher & Markus Koetter + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + * + * + * contact nepenthesdev@users.sourceforge.net + * + *******************************************************************************/ + + /* $Id$ */ + +#include "DialogueFactory.hpp" +#include "Module.hpp" +#include "ModuleManager.hpp" +#include "SocketManager.hpp" +#include "Nepenthes.hpp" +#include "Dialogue.hpp" +#include "Socket.hpp" + +using namespace std; + +namespace nepenthes +{ + + class Buffer; + + class VulnSAV : public Module , public DialogueFactory + { + public: + VulnSAV(Nepenthes *); + ~VulnSAV(); + Dialogue *createDialogue(Socket *socket); + bool Init(); + bool Exit(); + }; + + class SAVDialogue : public Dialogue + { + public: + SAVDialogue(Socket *socket); + ~SAVDialogue(); + ConsumeLevel incomingData(Message *msg); + ConsumeLevel outgoingData(Message *msg); + ConsumeLevel handleTimeout(Message *msg); + ConsumeLevel connectionLost(Message *msg); + ConsumeLevel connectionShutdown(Message *msg); + + protected: + Buffer *m_Buffer; + + }; + +} +extern nepenthes::Nepenthes *g_Nepenthes; diff -ruN 
nepenthes-0.2.0/modules/vuln-sav/x-2.conf.dist nepenthes-0.2.0-r1345/modules/vuln-sav/x-2.conf.dist --- nepenthes-0.2.0/modules/vuln-sav/x-2.conf.dist 1970-01-01 01:00:00.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-sav/x-2.conf.dist 2007-08-06 00:46:15.000000000 +0200 @@ -0,0 +1,5 @@ +x-2 +{ + ports ("10002"); + accepttimeout "45"; +}; diff -ruN nepenthes-0.2.0/modules/vuln-ssh/Makefile.am nepenthes-0.2.0-r1345/modules/vuln-ssh/Makefile.am --- nepenthes-0.2.0/modules/vuln-ssh/Makefile.am 2006-11-13 20:40:03.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-ssh/Makefile.am 2007-08-06 00:46:15.000000000 +0200 @@ -10,6 +10,6 @@ pkglib_LTLIBRARIES = vulnssh.la -vulnssh_la_SOURCES = vuln-ssh.cpp vuln-ssh.hpp SSHSocket.cpp SSHSocket.hpp SSHDialogue.cpp SSHDialogue.hpp vuln-ssh.conf.dist +vulnssh_la_SOURCES = vuln-ssh.cpp vuln-ssh.hpp SSHSocket.cpp SSHSocket.hpp SSHDialogue.cpp SSHDialogue.hpp -vulnssh_la_LDFLAGS = -module -no-undefined -avoid-version +vulnssh_la_LDFLAGS = -module -no-undefined -avoid-version $(AM_LDFLAGS) diff -ruN nepenthes-0.2.0/modules/vuln-upnp/UPNPDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-upnp/UPNPDialogue.cpp --- nepenthes-0.2.0/modules/vuln-upnp/UPNPDialogue.cpp 2006-11-13 20:40:10.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-upnp/UPNPDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -49,6 +49,8 @@ #include "Utilities.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" #ifdef STDTAGS #undef STDTAGS 
@@ -190,5 +192,5 @@ void UPNPDialogue::dump() { logWarn("Unknown UPNP exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-veritas/VERITASDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-veritas/VERITASDialogue.cpp --- nepenthes-0.2.0/modules/vuln-veritas/VERITASDialogue.cpp 2006-11-13 20:40:09.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-veritas/VERITASDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -49,6 +49,8 @@ #include "Utilities.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" #ifdef STDTAGS #undef STDTAGS @@ -98,7 +100,7 @@ m_Buffer->add(msg->getMsg(),msg->getSize()); logInfo("Traffic for VERITAS (%i bytes)\n",msg->getSize()); - g_Nepenthes->getUtilities()->hexdump(STDTAGS|l_warn,(byte *) m_Buffer->getData(), m_Buffer->getSize()); +// g_Nepenthes->getUtilities()->hexdump(STDTAGS|l_warn,(byte *) m_Buffer->getData(), m_Buffer->getSize()); /* switch (m_State) @@ -189,5 +191,5 @@ void VERITASDialogue::dump() { logWarn("Unknown VERITAS exploit %i bytes State %i\n",m_Buffer->getSize(), m_State); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/vuln-wins/WINSDialogue.cpp nepenthes-0.2.0-r1345/modules/vuln-wins/WINSDialogue.cpp --- nepenthes-0.2.0/modules/vuln-wins/WINSDialogue.cpp 2006-11-13 20:40:10.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/vuln-wins/WINSDialogue.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -41,6 +41,9 @@ #include "Socket.hpp" +#include "EventManager.hpp" +#include "SocketEvent.hpp" + #ifdef STDTAGS #undef STDTAGS #endif 
@@ -123,5 +126,5 @@ { logWarn("WINS unknown shellcode %i bytes State 0\n",m_Buffer->getSize()); - g_Nepenthes->getUtilities()->hexdump(STDTAGS,(byte *) m_Buffer->getData(), m_Buffer->getSize()); + HEXDUMP(m_Socket,(byte *) m_Buffer->getData(), m_Buffer->getSize()); } diff -ruN nepenthes-0.2.0/modules/x-4/x-4.cpp nepenthes-0.2.0-r1345/modules/x-4/x-4.cpp --- nepenthes-0.2.0/modules/x-4/x-4.cpp 2006-11-13 20:40:11.000000000 +0100 +++ nepenthes-0.2.0-r1345/modules/x-4/x-4.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -118,7 +118,7 @@ */ void X4::Submit(Download *down) { - m_Nepenthes->getUtilities()->hexdump((byte *)down->getDownloadBuffer()->getData(),down->getDownloadBuffer()->getSize()); +// m_Nepenthes->getUtilities()->hexdump((byte *)down->getDownloadBuffer()->getData(),down->getDownloadBuffer()->getSize()); } /** diff -ruN nepenthes-0.2.0/nepenthes-core/include/DNSQuery.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/DNSQuery.hpp --- nepenthes-0.2.0/nepenthes-core/include/DNSQuery.hpp 2006-11-13 20:40:01.000000000 +0100 +++ nepenthes-0.2.0-r1345/nepenthes-core/include/DNSQuery.hpp 2007-08-06 00:46:15.000000000 +0200 @@ -56,6 +56,7 @@ virtual ~DNSQuery(); virtual DNSCallback *getCallback(); + virtual void cancelCallback(); virtual string getDNS(); virtual uint16_t getQueryType(); virtual void *getObject(); diff -ruN nepenthes-0.2.0/nepenthes-core/include/Event.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/Event.hpp --- nepenthes-0.2.0/nepenthes-core/include/Event.hpp 2006-11-13 20:40:01.000000000 +0100 +++ nepenthes-0.2.0-r1345/nepenthes-core/include/Event.hpp 2007-08-06 00:46:15.000000000 +0200 
@@ -71,6 +71,8 @@ #define EV_SHELLCODE_DONE 24 +#define EV_HEXDUMP 25 + class Event { public: diff -ruN nepenthes-0.2.0/nepenthes-core/include/SocketEvent.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/SocketEvent.hpp --- nepenthes-0.2.0/nepenthes-core/include/SocketEvent.hpp 2006-11-13 20:40:01.000000000 +0100 +++ nepenthes-0.2.0-r1345/nepenthes-core/include/SocketEvent.hpp 2007-08-06 00:46:15.000000000 +0200 @@ -137,5 +137,50 @@ Dialogue *m_Dialogue; }; +#ifdef HAVE_DEBUG_LOGGING +#define HEXDUMP(socket,data,size) \ +{ \ + HexdumpEvent *he = new HexdumpEvent(socket,data,size); \ + g_Nepenthes->getEventMgr()->handleEvent(he); \ + delete he; \ +} +#else // HAVE_DEBUG_LOGGING +#define HEXDUMP(socket,data,size) +#endif // HAVE_DEBUG_LOGGING + + + + class HexdumpEvent : public Event + { + public: + HexdumpEvent(Socket *s, void *data, uint32_t size) + { + m_EventType = EV_HEXDUMP; + m_Socket = s; + m_Size = size; + m_Data = data; + } + + virtual Socket *getSocket() + { + return m_Socket; + } + + virtual void *getData() + { + return m_Data; + } + + virtual uint32_t getSize() + { + return m_Size; + } + + private: + Socket *m_Socket; + void *m_Data; + uint32_t m_Size; + }; + } diff -ruN nepenthes-0.2.0/nepenthes-core/include/Utilities.hpp nepenthes-0.2.0-r1345/nepenthes-core/include/Utilities.hpp --- nepenthes-0.2.0/nepenthes-core/include/Utilities.hpp 2006-11-13 20:40:01.000000000 +0100 +++ nepenthes-0.2.0-r1345/nepenthes-core/include/Utilities.hpp 2007-08-06 00:46:15.000000000 +0200 
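Review bot: `HEXDUMP` expands to a bare `{ ... }` block, so `if (cond) HEXDUMP(...); else ...` fails to compile once HAVE_DEBUG_LOGGING is on, and the event is created with `new` and released by a manual `delete` that is skipped if `handleEvent` throws; a `do { ... } while (0)` body holding a stack-allocated `HexdumpEvent` fixes both and needs no `delete`. `HexdumpEvent` stores the caller's `data` pointer without owning it, and at the call sites (`UPNPDialogue::dump`, `VERITASDialogue::dump`, `WINSDialogue::dump`) that pointer is the peer's raw traffic in `m_Buffer`, so the members deserve a comment such as `// non-owning: valid only for the duration of handleEvent(); the bytes are untrusted peer traffic and handlers must treat them as opaque`. The `#else` branch expanding to nothing also leaves a stray `;` at every call site, which `do { } while (0)` avoids.
```cpp
#ifdef HAVE_DEBUG_LOGGING
#define HEXDUMP(socket,data,size) \
	do { \
		HexdumpEvent he((socket), (data), (size)); \
		g_Nepenthes->getEventMgr()->handleEvent(&he); \
	} while (0)
#else // HAVE_DEBUG_LOGGING
#define HEXDUMP(socket,data,size) do { } while (0)
#endif // HAVE_DEBUG_LOGGING

// … unchanged: class HexdumpEvent …
```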
@@ -130,10 +130,10 @@ void MD5Init(struct MD5Context *context); void MD5Update(struct MD5Context *context, unsigned char const *buf,unsigned len); void MD5Final(unsigned char digest[16], struct MD5Context *context); - +/* virtual void hexdump(byte *data, uint32_t len); virtual void hexdump(uint32_t mask, byte *data, uint32_t len); - +*/ virtual unsigned char *b64encode_alloc(unsigned char *in); virtual unsigned char *b64encode_alloc(unsigned char *in, int32_t inlen); virtual unsigned char *b64decode_alloc(unsigned char *in); diff -ruN nepenthes-0.2.0/nepenthes-core/src/DNSQuery.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/DNSQuery.cpp --- nepenthes-0.2.0/nepenthes-core/src/DNSQuery.cpp 2006-11-13 20:40:03.000000000 +0100 +++ nepenthes-0.2.0-r1345/nepenthes-core/src/DNSQuery.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -54,6 +54,15 @@ return m_Callback; } + +/** + * chancel the callback + */ +void DNSQuery::cancelCallback() +{ + m_Callback = NULL; +} + /** * get the dns to resolve * diff -ruN nepenthes-0.2.0/nepenthes-core/src/DNSResult.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/DNSResult.cpp --- nepenthes-0.2.0/nepenthes-core/src/DNSResult.cpp 2006-11-13 20:40:03.000000000 +0100 +++ nepenthes-0.2.0-r1345/nepenthes-core/src/DNSResult.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -89,7 +89,7 @@ while ( test->i != -1 ) { m_TXT.append(test->str,test->i); - g_Nepenthes->getUtilities()->hexdump((byte *)test->str,test->i); +// g_Nepenthes->getUtilities()->hexdump((byte *)test->str,test->i); test++; } } diff -ruN nepenthes-0.2.0/nepenthes-core/src/LogManager.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/LogManager.cpp --- nepenthes-0.2.0/nepenthes-core/src/LogManager.cpp 2006-11-13 20:40:02.000000000 +0100 +++ nepenthes-0.2.0-r1345/nepenthes-core/src/LogManager.cpp 2007-08-06 00:46:15.000000000 +0200 
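Review bot: The doc comment on the new `DNSQuery::cancelCallback` misspells its only word of content — `chancel` should be `cancel` — and says nothing about the consequence, which is that `getCallback()` returns `NULL` from then on. Every consumer that delivers a DNS result through the pointer returned by `getCallback()` must now test it for `NULL` first, or a cancelled query turns into a null dereference when the answer arrives; none of those consumers is in this diff's visible hunks, so confirm they were updated. Suggested comment: `/** Cancel the callback: getCallback() returns NULL afterwards, so a result arriving later is dropped instead of delivered; code that dispatches results must check for NULL. */`.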
@@ -146,7 +146,7 @@ { if ( m_Loggers.size() == 0) { - printf("%s",message); +// printf("%s",message); return; } diff -ruN nepenthes-0.2.0/nepenthes-core/src/Nepenthes.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/Nepenthes.cpp --- nepenthes-0.2.0/nepenthes-core/src/Nepenthes.cpp 2006-11-13 20:40:03.000000000 +0100 +++ nepenthes-0.2.0-r1345/nepenthes-core/src/Nepenthes.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -43,6 +43,8 @@ #include #include #include +#include +#include #ifdef HAVE_LIBCAP #undef _POSIX_SOURCE @@ -211,7 +213,7 @@ { "user", 1, 0, 'u' }, { "version", 0, 0, 'V' }, { "verbose", 0, 0, 'v' }, - { "workingdir", 0, 0, 'w' }, + { "workingdir", 1, 0, 'w' }, { 0, 0, 0, 0 } }; 
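Review bot: With the `printf` fallback commented out, every message logged while `m_Loggers` is empty is silently discarded, and the loggers are now only registered under `opt.m_runMode != runFileCheck || opt.m_verbose` (Nepenthes.cpp hunks below), so a `logCrit` emitted before or without a registered logger — the missing-config-key case in the ring-logger hunk, for instance — leaves the user with no output and a failed start. If quiet file-check mode is the intent, replace the dead line with a comment saying so, e.g. `// no logger registered (file-check mode without -v): message is dropped on purpose`; otherwise keep a stderr fallback for at least the `l_crit` messages. The enclosing function starts and ends outside the hunk.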
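Review bot: Changing `has_arg` for `workingdir` from 0 to 1 only tells getopt_long that the long form takes a value; the short-option string passed to `getopt_long` and the `case 'w':` handler (neither is in this hunk) must use `w:` and read `optarg`, otherwise `-w <dir>` is still parsed as a flag. Worth confirming both, since the option-parsing code starts outside the hunk.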
@@ -370,26 +372,27 @@ + m_LogManager->registerTag(l_crit, "crit"); + m_LogManager->registerTag(l_warn, "warn"); + m_LogManager->registerTag(l_debug, "debug"); + m_LogManager->registerTag(l_info, "info"); + m_LogManager->registerTag(l_spam, "spam"); + m_LogManager->registerTag(l_net, "net"); + m_LogManager->registerTag(l_script, "script"); + m_LogManager->registerTag(l_shell, "shell"); + m_LogManager->registerTag(l_mem, "mem"); + m_LogManager->registerTag(l_sc, "sc"); + m_LogManager->registerTag(l_dl, "down"); + m_LogManager->registerTag(l_mgr, "mgr"); + m_LogManager->registerTag(l_hlr, "handler"); + m_LogManager->registerTag(l_dia, "dia"); + m_LogManager->registerTag(l_sub, "submit"); + m_LogManager->registerTag(l_ev, "event"); + m_LogManager->registerTag(l_mod, "module"); + m_LogManager->registerTag(l_stdtag, "fixme"); + if ( opt.m_runMode != runFileCheck || opt.m_verbose ) { - m_LogManager->registerTag(l_crit, "crit"); - m_LogManager->registerTag(l_warn, "warn"); - m_LogManager->registerTag(l_debug, "debug"); - m_LogManager->registerTag(l_info, "info"); - m_LogManager->registerTag(l_spam, "spam"); - m_LogManager->registerTag(l_net, "net"); - m_LogManager->registerTag(l_script, "script"); - m_LogManager->registerTag(l_shell, "shell"); - m_LogManager->registerTag(l_mem, "mem"); - m_LogManager->registerTag(l_sc, "sc"); - m_LogManager->registerTag(l_dl, "down"); - m_LogManager->registerTag(l_mgr, "mgr"); - m_LogManager->registerTag(l_hlr, "handler"); - m_LogManager->registerTag(l_dia, "dia"); - m_LogManager->registerTag(l_sub, "submit"); - m_LogManager->registerTag(l_ev, "event"); - m_LogManager->registerTag(l_mod, "module"); - m_LogManager->registerTag(l_stdtag, "fixme"); if ( opt.m_consoleTags ) m_LogManager->addLogger(new ConsoleLogger(m_LogManager), m_LogManager->parseTagString(opt.m_consoleTags)); 
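Review bot: `opt.m_runMode != runFileCheck || opt.m_verbose` is now spelled out twice in the same function — here to gate the console logger and again about ninety lines below to gate the ring/file logger (the `@@ -460` hunk). A named local such as `const bool wantLogging = opt.m_runMode != runFileCheck || opt.m_verbose;` evaluated once next to the `registerTag` calls keeps the two gates from drifting apart and documents what the condition means. The function containing these lines starts and ends outside the hunk.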
@@ -460,52 +463,53 @@ return 0; - if ( opt.m_ringLogger == true ) + if ( opt.m_runMode != runFileCheck || opt.m_verbose ) { - string rlpath; - try - { - rlpath = m_Config->getValString("nepenthes.logmanager.ring_logging_file"); - } - catch ( ... ) + + if ( opt.m_ringLogger == true ) { - logCrit("Could not find nepenthes.logmanager.ring_logging_file in Config\n"); - return false; - } + string rlpath; + try + { + rlpath = m_Config->getValString("nepenthes.logmanager.ring_logging_file"); + } catch ( ... ) + { + logCrit("Could not find nepenthes.logmanager.ring_logging_file in Config\n"); + return (false); + } - RingFileLogger *fl = new RingFileLogger(m_LogManager); + RingFileLogger *fl = new RingFileLogger(m_LogManager); - fl->setLogFileFormat((char *)rlpath.c_str()); - fl->setMaxFiles(5); - fl->setMaxSize(1024 * 1024); + fl->setLogFileFormat((char *)rlpath.c_str()); + fl->setMaxFiles(5); + fl->setMaxSize(1024 * 1024); - if ( opt.m_diskTags ) - m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags)); - else - m_LogManager->addLogger(fl, l_all); + if ( opt.m_diskTags ) + m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags)); + else + m_LogManager->addLogger(fl, l_all); - } - else - { - string flpath; - try - { - flpath = m_Config->getValString("nepenthes.logmanager.file_logging_file"); - } - catch ( ... ) + } else { - logCrit("Could not find nepenthes.logmanager.file_logging_file in Config\n"); - return false; - } + string flpath; + try + { + flpath = m_Config->getValString("nepenthes.logmanager.file_logging_file"); + } catch ( ... 
) + { + logCrit("Could not find nepenthes.logmanager.file_logging_file in Config\n"); + return (false); + } - FileLogger *fl = new FileLogger(m_LogManager); - fl->setLogFile(flpath.c_str()); - if ( opt.m_diskTags ) - m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags)); - else - m_LogManager->addLogger(fl, l_all); + FileLogger *fl = new FileLogger(m_LogManager); + fl->setLogFile(flpath.c_str()); + if ( opt.m_diskTags ) + m_LogManager->addLogger(fl, m_LogManager->parseTagString(opt.m_diskTags)); + else + m_LogManager->addLogger(fl, l_all); + } } if (opt.m_daemonize == true) @@ -665,7 +669,7 @@ struct stat fileinfo; if ( stat((const char*)argv[opti],&fileinfo) != 0 ) { - printf("failed\n"); + printf("Could not stat %s: %s", (const char*)argv[opti], strerror(errno)); return -1; } @@ -680,7 +684,10 @@ ) { - unlink(argv[opti]); + if (unlink(argv[opti]) != 0) + { + printf("could not remove file %s (%s)\n",argv[opti],strerror(errno)); + } } }else @@ -693,7 +700,7 @@ while ( (dirnode = readdir(bindir)) != NULL && m_running == true ) { -#if !defined(CYGWIN) && !defined(CYGWIN32) &&!defined(__CYGWIN__) || !defined(__CYGWIN32__) +#if defined(d_type_IS_NOT_A_POSIX_SPEC) if ( dirnode->d_type == 8 ) #else if (1) @@ -708,7 +715,10 @@ ) { - unlink(filepath.c_str()); + if (unlink(filepath.c_str()) != 0) + { + printf("could not remove file %s (%s)\n",filepath.c_str(),strerror(errno)); + } } } } diff -ruN nepenthes-0.2.0/nepenthes-core/src/SocketManager.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/SocketManager.cpp --- nepenthes-0.2.0/nepenthes-core/src/SocketManager.cpp 2006-11-13 20:40:03.000000000 +0100 +++ nepenthes-0.2.0-r1345/nepenthes-core/src/SocketManager.cpp 2007-08-06 00:46:15.000000000 +0200 
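Review bot: Besides wrapping the block in the new condition, the hunk rewrites `return false;` as `return (false);` and pulls `catch` onto the closing-brace line of each `try`, which are unrelated to the change and turn a re-indent into a fifty-line diff that hides the one functional line. Keeping the original statements and adding only the surrounding `if`, or moving the ring/file-logger setup into a helper called from it, would make the intent reviewable. The enclosing function starts and ends outside the hunk.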
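Review bot: The new `printf("Could not stat %s: %s", ...)` has no trailing newline, unlike the `"failed\n"` it replaces and the two `"could not remove file %s (%s)\n"` messages added further down, so the next line of output runs onto the same line; use `printf("Could not stat %s: %s\n", argv[opti], strerror(errno));`. The `(const char*)` cast on `argv[opti]` is redundant, since `char *` converts implicitly. `strerror` and `errno` need `<cstring>` and `<cerrno>`; the two headers added at the top of this file are not legible in this rendering, so verify they are these.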
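Review bot: `#if defined(d_type_IS_NOT_A_POSIX_SPEC)` tests a macro that nothing defines, so the `dirnode->d_type == 8` branch is now dead on every platform and the `if (1)` path lets directories, symlinks and other non-regular entries through to the `unlink` in the `@@ -708` hunk, which presumably sits in the same loop. If the goal was to drop the non-portable `d_type` field, the portable replacement is `stat()` on `filepath` plus `S_ISREG(st.st_mode)`; where the field is kept, the magic `8` should read `DT_REG` under `#ifdef _DIRENT_HAVE_D_TYPE`. A one-line comment above the `#if` saying why the field is avoided would stop the next reader from re-enabling it. What sits between this check and the unlink is outside the hunk, so the exact effect on non-regular entries should be confirmed.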
@@ -273,13 +273,17 @@ } } + int32_t socketcounter, socketmax; + socketcounter=0; + socketmax = m_Sockets.size(); + int32_t iPollRet = poll(polls,i,50); if (iPollRet != 0) { // read sockets i=0; - for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++) + for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax ; itSocket++, socketcounter++) { if ( (*itSocket)->isPolled() == true ) { @@ -303,7 +307,8 @@ // write sockets i=0; - for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++) + socketcounter=0; + for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax; itSocket++, socketcounter++) { if ( (*itSocket)->isPolled() == true ) { @@ -331,7 +336,8 @@ // accept new, non udp clients as udp does not accept() i=0; - for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(); itSocket++) + socketcounter=0; + for (itSocket = m_Sockets.begin();itSocket != m_Sockets.end(), socketcounter < socketmax; itSocket++, socketcounter++) { diff -ruN nepenthes-0.2.0/nepenthes-core/src/Utilities.cpp nepenthes-0.2.0-r1345/nepenthes-core/src/Utilities.cpp --- nepenthes-0.2.0/nepenthes-core/src/Utilities.cpp 2006-11-13 20:40:02.000000000 +0100 +++ nepenthes-0.2.0-r1345/nepenthes-core/src/Utilities.cpp 2007-08-06 00:46:15.000000000 +0200 @@ -339,7 +339,7 @@ // ENDOF MD5Sum - +/* void Utilities::hexdump(byte *data, uint32_t len) { @@ -430,7 +430,7 @@ } - +*/
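Review bot: The conditions of all three rewritten `for` loops use the comma operator, `itSocket != m_Sockets.end(), socketcounter < socketmax`, so the `end()` test is evaluated and discarded and only the counter bounds the loop; if any per-socket handler removes an entry from `m_Sockets` during the pass, `itSocket` is advanced past `end()`, which is undefined behaviour in code that is driven by remote connections. The intended guard in each of the read, write and accept loops is `itSocket != m_Sockets.end() && socketcounter < socketmax`. The counter presumably exists so that sockets appended during the pass (accept adds entries) are not visited until the next one; a comment on the declaration such as `// bound by the size at poll() time: sockets added during this pass are handled on the next` would say so, and `m_Sockets.size()` is narrowed into an `int32_t` where a `size_t` counter avoids the signed/unsigned comparison. The enclosing function starts and ends outside these hunks.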