sguil-cvs Mailing List for Sguil
From: Bamm V. <ba...@us...> - 2013-09-05 00:38:48
Update of /cvsroot/sguil/sguil/server/lib In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv10867/server/lib Modified Files: SguildAutoCat.tcl SguildClientCmdRcvd.tcl SguildEvent.tcl SguildSensorCmdRcvd.tcl SguildTranscript.tcl Log Message: Merged sguil_0_8 into HEAD. Index: SguildClientCmdRcvd.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildClientCmdRcvd.tcl,v retrieving revision 1.48 retrieving revision 1.49 diff -C2 -d -r1.48 -r1.49 *** SguildClientCmdRcvd.tcl 17 Mar 2011 02:39:29 -0000 1.48 --- SguildClientCmdRcvd.tcl 5 Sep 2013 00:38:45 -0000 1.49 *************** *** 8,15 **** global clientList validSockets GLOBAL_QRY_LIST REPORT_QRY_LIST ! if { [eof $socketID] || [catch {gets $socketID data}] } { # Socket closed ! close $socketID ClientExitClose $socketID LogMessage "Socket $socketID closed" --- 8,22 ---- global clientList validSockets GLOBAL_QRY_LIST REPORT_QRY_LIST ! if { [eof $socketID] || [catch {gets $socketID data}] || [catch {llength $data} tmpLen] } { ! ! if { [info exists tmpLen] } { ! ! LogMessage "Error: Received poorly formatted message from $socketID: \n$data: \n$tmpLen" ! SendSocket $socketID [list ErrorMessage "Error: Your client sent improperly formatted data to sguild."] ! ! } # Socket closed ! catch {close $socketID} ClientExitClose $socketID LogMessage "Socket $socketID closed" *************** *** 19,23 **** --- 26,32 ---- # Don't display the user passwds if { [regexp ^ValidateUser $data] } { + InfoMessage "Client Command Received: [lrange $data 0 1] ********" + } elseif { [lindex $data 0] == "ChangePass" } { *************** *** 120,123 **** --- 129,134 ---- ChangePass { $clientCmd $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3] } + AutoCatRequest { $clientCmd $socketID [lrange $data 1 end] } + default { InfoMessage "Unrecognized command from $socketID: $data" } *************** *** 163,167 **** global socketInfo clientList ! 
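Review bot: The new error branch in ClientCmdRcvd writes the raw, unparseable client bytes verbatim into the log (`LogMessage "Error: Received poorly formatted message from $socketID: \n$data: \n$tmpLen"`), so a client can push text of any length, with embedded newlines, into the sguild log; bounding it, e.g. `LogMessage "Error: Received poorly formatted message from $socketID: [string range $data 0 255]: $tmpLen"`, keeps the entry on one line and of known size. The `SendSocket` reply in the same branch is not wrapped in `catch`, unlike every SendSocket this commit touches in SguildTranscript.tcl, so a client that sends garbage and then drops the connection can still raise out of this handler before `ClientExitClose` runs. A one-line comment that `tmpLen` exists only when `llength` failed (the `||` chain short-circuits on eof and on a failed `gets`) would make the `info exists tmpLen` test self-explanatory. The enclosing proc starts above the hunk.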
set userMsg [lindex $userMsg 0] # Simple command stuff. --- 174,178 ---- global socketInfo clientList ! #set userMsg [lindex $userMsg 0] # Simple command stuff. Index: SguildAutoCat.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildAutoCat.tcl,v retrieving revision 1.5 retrieving revision 1.6 diff -C2 -d -r1.5 -r1.6 *** SguildAutoCat.tcl 6 Mar 2006 23:18:24 -0000 1.5 --- SguildAutoCat.tcl 5 Sep 2013 00:38:45 -0000 1.6 *************** *** 2,76 **** # Format for the autocat file is: ! # <erase time>||<sensorName>||<src_ip>||<src_port>||<dst_ip>||<dst_port>||<proto>||<sig msg>||<cat value> ! proc LoadAutoCatFile { filename } { ! set i 0 ! for_file line $filename { ! if ![regexp ^# $line] { ! set cTime [ctoken line "||"] ! if { $cTime != "none" && $cTime != "NONE" } { ! set cTimeSecs [clock scan "$cTime" -gmt true] ! if { $cTimeSecs > [clock seconds] } { ! # Set up the removal ! set DELAY [expr ($cTimeSecs - [clock seconds]) * 1000] ! after $DELAY RemoveAutoCatRule $i ! AddAutoCatRule $line $i ! incr i } ! } else { ! AddAutoCatRule $line $i ! incr i ! } } ! } } proc RemoveAutoCatRule { rid } { ! global acRules acCat ! LogMessage "Removing Rule: $acRules($rid)" ! unset acRules($rid) ! unset acCat($rid) } ! proc AddAutoCatRule { line rid } { global acRules acCat ! InfoMessage "Adding AutoCat Rule: $line" # dIndex are the indexes within each data line # that we want to look at. foreach dIndex [list 3 8 11 9 12 10 7] { # Next field in the rule ! set tmpVar [ctoken line "||"] ! # All the fields have the option of being 'any'. ! # If one is, then we basically ignore that field. ! if { $tmpVar == "ANY" || $tmpVar == "any" } { continue } # Need to test the regexp if we are looking at the sig index ! 
if { $dIndex == 7 } { if [regsub "^%%REGEXP%%" $tmpVar "" regVar] { if [catch {regexp $regVar "XXTESTINGXX"} tmpError] { LogMessage "Bad regexp in autocat rule $rid Error: $tmpError dropping rule" # Rm any parts from the rule if { [info exists acRules($rid)] } { unset acRules($rid) } return } } ! } elseif { ($dIndex == 8 || $dIndex == 9) && ($tmpVar != "ANY" || $tmpVar != "any") } { # test the ip address field for CIDR and convert the IP to decimal set ipList [ValidateIPAddress $tmpVar] if { $ipList == 0 } { LogMessage "Bad IP address in autocat rule $rid dropping rule" if { [info exists acRules($rid)] } { unset acRules($rid) } return } # IP is valid and now we have a list with our ip range (net number - bcast address) # if it was a single address and not a net, these numbers will be the same set tmpVar [list [InetAtoN [lindex $ipList 2]] [InetAtoN [lindex $ipList 3]]] } # add the match var to the rule list lappend acRules($rid) [list $dIndex $tmpVar] ! } ! set acCat($rid) [ctoken line "||"] } --- 2,133 ---- # Format for the autocat file is: ! # +------------+----------------------+------+-----+---------+----------------+ ! # | Field | Type | Null | Key | Default | Extra | ! # +------------+----------------------+------+-----+---------+----------------+ ! # | autoid | int(10) unsigned | NO | PRI | NULL | auto_increment | ! # | erase | datetime | YES | | NULL | | ! # | sensorname | varchar(255) | YES | | NULL | | ! # | src_ip | int(10) unsigned | YES | | NULL | | ! # | src_port | int(10) unsigned | YES | | NULL | | ! # | dst_ip | int(10) unsigned | YES | | NULL | | ! # | dst_port | int(10) unsigned | YES | | NULL | | ! # | ip_proto | tinyint(3) unsigned | YES | | NULL | | ! # | signature | varchar(255) | YES | | NULL | | ! # | status | smallint(5) unsigned | NO | | NULL | | ! # | active | enum('Y','N') | YES | | Y | | ! # | uid | int(10) unsigned | NO | | NULL | | ! # | timestamp | datetime | NO | | NULL | | ! 
# +------------+----------------------+------+-----+---------+----------------+ ! ! proc LoadAutoCats {} { ! ! set aquery \ ! "SELECT \ ! autoid, erase, sensorname, src_ip, src_port, \ ! dst_ip, dst_port, ip_proto, signature, status \ ! FROM autocat \ ! WHERE active='Y'" ! ! foreach line [MysqlSelect $aquery list] { ! ! puts "DEBUG #### $line" ! ! set clearTime [lindex $line 1] ! if { $clearTime != "" } { ! ! set cTimeSecs [clock scan "$clearTime" -gmt true] ! ! if { $cTimeSecs > [clock seconds] } { ! ! # Set up the removal ! set DELAY [expr ($cTimeSecs - [clock seconds]) * 1000] ! after $DELAY RemoveAutoCatRule [lindex $line 0] ! ! } ! } ! ! AddAutoCatRule [lindex $line 0] [lrange $line 2 end] ! } ! } proc RemoveAutoCatRule { rid } { ! ! global acRules acCat ! LogMessage "Removing Rule: $acRules($rid)" ! unset acRules($rid) ! unset acCat($rid) ! } ! proc AddAutoCatRule { rid rList } { ! global acRules acCat ! ! InfoMessage "Adding AutoCat Rule: $rid $rList" ! ! # Counter for moving through rList indexes ! set i 0 ! # dIndex are the indexes within each data line # that we want to look at. foreach dIndex [list 3 8 11 9 12 10 7] { + # Next field in the rule ! set tmpVar [lindex $rList $i ] ! # All the fields have the option of being empty except status. ! if { $tmpVar == "" || $tmpVar == "any" || $tmpVar == "ANY" || $tmpVar == "none" || $tmpVar == "NONE" } { incr i; continue } # Need to test the regexp if we are looking at the sig index ! if { $dIndex == "7" } { ! if [regsub "^%%REGEXP%%" $tmpVar "" regVar] { + if [catch {regexp $regVar "XXTESTINGXX"} tmpError] { + LogMessage "Bad regexp in autocat rule $rid Error: $tmpError dropping rule" + # Rm any parts from the rule if { [info exists acRules($rid)] } { unset acRules($rid) } + return + } + } ! ! ! } elseif { ($dIndex == 8 || $dIndex == 9) && $tmpVar != "" } { ! 
# test the ip address field for CIDR and convert the IP to decimal set ipList [ValidateIPAddress $tmpVar] + if { $ipList == 0 } { + LogMessage "Bad IP address in autocat rule $rid dropping rule" if { [info exists acRules($rid)] } { unset acRules($rid) } return + } + # IP is valid and now we have a list with our ip range (net number - bcast address) # if it was a single address and not a net, these numbers will be the same set tmpVar [list [InetAtoN [lindex $ipList 2]] [InetAtoN [lindex $ipList 3]]] + } # add the match var to the rule list lappend acRules($rid) [list $dIndex $tmpVar] + + incr i ! } ! ! # Define the status matches are updated to ! set acCat($rid) [lindex $rList $i] ! } *************** *** 125,126 **** --- 182,248 ---- } + proc AutoCatRequest { clientSocketID ruleList } { + + global userIDArray MAIN_DB_SOCKETID + + if { [llength $ruleList] != 9 } { + + SendSocket $clientSocketID [list ErrorMessage "Invalid number of values in autocat list: $ruleList"] + return + + } + + set i 0 + foreach t [list erase sensorname src_ip src_port dst_ip dst_port ip_proto signature status] { + + set v [lindex $ruleList $i] + + lappend tables $t + + if { $v != "none" && $v != "NONE" && $v != "any" && $v != "ANY" } { + + lappend values "\'$v\'" + + } else { + + lappend values NULL + + } + + incr i + + } + + lappend tables active timestamp uid + lappend values "\'Y\'" "\'[GetCurrentTimeStamp]\'" "\'$userIDArray($clientSocketID)\'" + + # Build INSERT query + set q "INSERT INTO autocat ([join $tables ,]) VALUES ([join $values ,])" + puts "DEBUG #### $q" + + # INSERT + if { [catch {::mysql::exec $MAIN_DB_SOCKETID $q} tmpError] } { + + SendSocket $clientSocketID [list ErrorMessage "Error inserting autocat rule into the DB: $tmpError"] + return + + } + + if { [catch {::mysql::insertid $MAIN_DB_SOCKETID} rid] || $rid == "" } { + + SendSocket $clientSocketID [list ErrorMessage "Error retrieving new autocat rule id: $rid"] + return + + } + + if { [catch {AddAutoCatRule $rid [lrange 
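Review bot: LoadAutoCats calls `AddAutoCatRule` unconditionally, whereas the removed `LoadAutoCatFile` only added a rule whose erase time was still in the future; with the new code a row whose `erase` is already past is loaded as a live rule and no `RemoveAutoCatRule` is ever scheduled, so expired autocats keep being applied until the next restart. Adding `} else { continue }` to the `$cTimeSecs > [clock seconds]` test restores the previous behavior. `puts "DEBUG #### $line"` prints every rule to stdout at load time and should be removed or routed through `InfoMessage` before this ships. In AddAutoCatRule the `&& $tmpVar != ""` on the IP branch is now redundant, since the check at the top of the loop already does `continue` for empty, any and none values.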
$ruleList 1 end]} tmpError] } { + + SendSocket $clientSocketID [list ErrorMessage "Error inserting autocat rule: $rid"] + + } else { + + SendSocket $clientSocketID [list InfoMessage "AutoCat rule $rid successfully implemented."] + + } + + } Index: SguildEvent.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildEvent.tcl,v retrieving revision 1.23 retrieving revision 1.24 diff -C2 -d -r1.23 -r1.24 *** SguildEvent.tcl 9 Apr 2008 04:20:52 -0000 1.23 --- SguildEvent.tcl 5 Sep 2013 00:38:45 -0000 1.24 *************** *** 43,47 **** && [lsearch -exact $EMAIL_DISABLE_SIDS $sigID] < 0)\ || [lsearch -exact $EMAIL_ENABLE_SIDS $sigID] >= 0 } { ! EmailEvent $eventDataList } } --- 43,50 ---- && [lsearch -exact $EMAIL_DISABLE_SIDS $sigID] < 0)\ || [lsearch -exact $EMAIL_ENABLE_SIDS $sigID] >= 0 } { ! if { [catch {EmailEvent $eventDataList} tmpError] } { ! # Email failed ! LogMessage "Error: Failed to send notification email: $eventDataList" ! } } } Index: SguildTranscript.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildTranscript.tcl,v retrieving revision 1.21 retrieving revision 1.22 diff -C2 -d -r1.21 -r1.22 *** SguildTranscript.tcl 10 Mar 2011 22:03:33 -0000 1.21 --- SguildTranscript.tcl 5 Sep 2013 00:38:45 -0000 1.22 *************** *** 48,52 **** if [catch { InitRawFileArchive $date $sensor $srcIP $dstIP $srcPort $dstPort $ipProto }\ rawDataFileNameInfo] { ! SendSocket $socketID [list ErrorMessage "Error getting pcap: $rawDataFileNameInfo"] return } --- 48,52 ---- if [catch { InitRawFileArchive $date $sensor $srcIP $dstIP $srcPort $dstPort $ipProto }\ rawDataFileNameInfo] { ! 
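Review bot: AutoCatRequest builds its INSERT by interpolating the nine client-supplied values into SQL text (`lappend values "\'$v\'"` feeding `set q "INSERT INTO autocat ([join $tables ,]) VALUES ([join $values ,])"`), so any connected client can alter the statement through a rule field; the values should pass through `::mysql::escape`, and the columns the schema comment lists as integers (src_port, dst_port, ip_proto, status) should be checked with `string is integer -strict` before they are accepted. The `erase` value is stored but, unlike LoadAutoCats, no `after ... RemoveAutoCatRule` is scheduled here, so a rule created at runtime with an expiry stays active in memory until restart. `AddAutoCatRule` rejects a bad regexp or bad IP by logging and returning normally, so the `catch` around it never fires: the client is told the rule was "successfully implemented" while the row remains `active='Y'` and will be reloaded on the next start. `puts "DEBUG #### $q"` writes the full statement, client data included, to stdout and should go.
```tcl
set i 0
foreach t [list erase sensorname src_ip src_port dst_ip dst_port ip_proto signature status] {

    set v [lindex $ruleList $i]
    lappend tables $t

    if { $v == "none" || $v == "NONE" || $v == "any" || $v == "ANY" } {
        lappend values NULL
    } elseif { [lsearch -exact [list src_port dst_port ip_proto status] $t] >= 0 && ![string is integer -strict $v] } {
        SendSocket $clientSocketID [list ErrorMessage "Invalid value for $t in autocat list: $v"]
        return
    } else {
        # Client-supplied text never goes into SQL unescaped.
        lappend values "'[::mysql::escape $MAIN_DB_SOCKETID $v]'"
    }

    incr i
}
# … unchanged: active/timestamp/uid columns, INSERT, insertid, AddAutoCatRule …
```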
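Review bot: The new `catch` around `EmailEvent` stores the failure reason in `tmpError` but the log line never uses it, so operators see only the event data and not why delivery failed; use `LogMessage "Error: Failed to send notification email ($tmpError): $eventDataList"`. Logging `$::errorInfo` as well would show whether the failure came from inside EmailEvent or from the mail transport. The enclosing proc starts above the hunk.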
catch {SendSocket $socketID [list ErrorMessage "Error getting pcap: $rawDataFileNameInfo"]} return } *************** *** 59,64 **** if { ![GetRawDataFromSensor $TRANS_ID $sensor $sensorID $timestamp $srcIP $srcPort $dstIP $dstPort $ipProto $rawDataFileName wireshark] } { # This means the sensor_agent for this sensor isn't connected. ! SendSocket $socketID [list ErrorMessage "ERROR: Unable to request rawdata at this time.\ ! The sensor $sensor is NOT connected."] } } else { --- 59,64 ---- if { ![GetRawDataFromSensor $TRANS_ID $sensor $sensorID $timestamp $srcIP $srcPort $dstIP $dstPort $ipProto $rawDataFileName wireshark] } { # This means the sensor_agent for this sensor isn't connected. ! catch {SendSocket $socketID [list ErrorMessage "ERROR: Unable to request rawdata at this time.\ ! The sensor $sensor is NOT connected."]} } } else { *************** *** 79,83 **** # Send the client a session key and file name to download set clientSocketID [lindex $transInfoArray($TRANS_ID) 0] ! SendSocket $clientSocketID [list PcapAvailable $sKey [file tail $fileName]] set pcapKeys(fileName,$sKey) $fileName --- 79,83 ---- # Send the client a session key and file name to download set clientSocketID [lindex $transInfoArray($TRANS_ID) 0] ! catch {SendSocket $clientSocketID [list PcapAvailable $sKey [file tail $fileName]]} set pcapKeys(fileName,$sKey) $fileName *************** *** 94,98 **** # Failed to open file ! SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to open ${fileName}: ${fileID}"] unset pcapKeys(socketID,$sKey) unset pcapKeys(fileName,$sKey) --- 94,98 ---- # Failed to open file ! catch {SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to open ${fileName}: ${fileID}"]} unset pcapKeys(socketID,$sKey) unset pcapKeys(fileName,$sKey) *************** *** 108,112 **** # fcopy failed ! 
SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to copy ${fileName}: ${tmpError}"] catch {close $socketID} unset pcapKeys(socketID,$sKey) --- 108,112 ---- # fcopy failed ! catch {SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to copy ${fileName}: ${tmpError}"]} catch {close $socketID} unset pcapKeys(socketID,$sKey) *************** *** 129,133 **** # Error during copy set fileName $pcapKeys(fileName,$sKey) ! SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to copy file ${fileName}: ${error}"] } --- 129,133 ---- # Error during copy set fileName $pcapKeys(fileName,$sKey) ! catch {SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to copy file ${fileName}: ${error}"]} } *************** *** 175,180 **** # If we don't have TCPFLOW then error to the user and return if { ![info exists TCPFLOW] || ![file exists $TCPFLOW] || ![file executable $TCPFLOW] } { ! SendSocket $socketID [list ErrorMessage "ERROR: tcpflow is not installed on the server."] ! SendSocket $socketID [list XscriptDebugMsg $winID "ERROR: tcpflow is not installed on the server."] return } --- 175,180 ---- # If we don't have TCPFLOW then error to the user and return if { ![info exists TCPFLOW] || ![file exists $TCPFLOW] || ![file executable $TCPFLOW] } { ! catch {SendSocket $socketID [list ErrorMessage "ERROR: tcpflow is not installed on the server."]} ! catch {SendSocket $socketID [list XscriptDebugMsg $winID "ERROR: tcpflow is not installed on the server."]} return } *************** *** 186,196 **** if [catch { InitRawFileArchive $date $sensor $srcIP $dstIP $srcPort $dstPort 6 }\ rawDataFileNameInfo] { ! SendSocket $socketID\ [list ErrorMessage "Please pass the following to your sguild administrator:\ ! Error from sguild while getting pcap: $rawDataFileNameInfo"] ! SendSocket $socketID [list XscriptDebugMsg $winID\ "ErrorMessage Please pass the following to your sguild administrator:\ ! 
Error from sguild while getting pcap: $rawDataFileNameInfo"] ! SendSocket $socketID [list XscriptMainMsg $winID DONE] return } --- 186,196 ---- if [catch { InitRawFileArchive $date $sensor $srcIP $dstIP $srcPort $dstPort 6 }\ rawDataFileNameInfo] { ! catch {SendSocket $socketID\ [list ErrorMessage "Please pass the following to your sguild administrator:\ ! Error from sguild while getting pcap: $rawDataFileNameInfo"]} ! catch {SendSocket $socketID [list XscriptDebugMsg $winID\ "ErrorMessage Please pass the following to your sguild administrator:\ ! Error from sguild while getting pcap: $rawDataFileNameInfo"]} ! catch {SendSocket $socketID [list XscriptMainMsg $winID DONE]} return } *************** *** 203,215 **** if { ![GetRawDataFromSensor $TRANS_ID $sensor $sensorID $timestamp $srcIP $srcPort $dstIP $dstPort 6 $rawDataFileName xscript] } { # This means the sensor_agent for this sensor isn't connected. ! SendSocket $socketID [list ErrorMessage "ERROR: Unable to request xscript at this time.\ ! The sensor $sensor is NOT connected."] ! SendSocket $socketID [list XscriptDebugMsg $winID "ERROR: Unable to request xscript at this time.\ ! The sensor $sensor is NOT connected."] ! SendSocket $socketID [list XscriptMainMsg $winID DONE] } } else { # The data is archive locally. ! SendSocket $socketID [list XscriptDebugMsg $winID "Using archived data: $sensorDir/$rawDataFileName"] GenerateXscript $sensorDir/$rawDataFileName $socketID $winID $TRANS_ID } --- 203,215 ---- if { ![GetRawDataFromSensor $TRANS_ID $sensor $sensorID $timestamp $srcIP $srcPort $dstIP $dstPort 6 $rawDataFileName xscript] } { # This means the sensor_agent for this sensor isn't connected. ! catch {SendSocket $socketID [list ErrorMessage "ERROR: Unable to request xscript at this time.\ ! The sensor $sensor is NOT connected."]} ! catch {SendSocket $socketID [list XscriptDebugMsg $winID "ERROR: Unable to request xscript at this time.\ ! The sensor $sensor is NOT connected."]} ! 
catch {SendSocket $socketID [list XscriptMainMsg $winID DONE]} } } else { # The data is archive locally. ! catch {SendSocket $socketID [list XscriptDebugMsg $winID "Using archived data: $sensorDir/$rawDataFileName"]} GenerateXscript $sensorDir/$rawDataFileName $socketID $winID $TRANS_ID } *************** *** 237,242 **** flush $pcapSocketID if { $type == "xscript" } { ! SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] "Raw data request sent to $sensor."] } } else { --- 237,242 ---- flush $pcapSocketID if { $type == "xscript" } { ! catch {SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] "Raw data request sent to $sensor."]} } } else { *************** *** 255,260 **** InfoMessage "Receiving rawdata file $fileName." if { $type == "xscript" } { ! SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] "Receiving raw file from sensor."] } --- 255,260 ---- InfoMessage "Receiving rawdata file $fileName." if { $type == "xscript" } { ! catch {SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] "Receiving raw file from sensor."]} } *************** *** 281,286 **** if [info exists transInfoArray($TRANS_ID)] { ! SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] $msg] } } --- 281,286 ---- if [info exists transInfoArray($TRANS_ID)] { ! catch {SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] $msg]} } } *************** *** 297,324 **** set srcMask [TcpFlowFormat $srcIP $srcPort $dstIP $dstPort] set dstMask [TcpFlowFormat $dstIP $dstPort $srcIP $srcPort] ! SendSocket $clientSocketID [list XscriptMainMsg $winName HDR] ! 
SendSocket $clientSocketID [list XscriptMainMsg $winName "Sensor Name:\t[lindex $transInfoArray($TRANS_ID) 4]"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Timestamp:\t[lindex $transInfoArray($TRANS_ID) 5]"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Connection ID:\t$winName"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Src IP:\t\t$srcIP\t([GetHostbyAddr $srcIP])"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Dst IP:\t\t$dstIP\t([GetHostbyAddr $dstIP])"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Src Port:\t\t$srcPort"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Dst Port:\t\t$dstPort"] if {$P0F} { if { ![file exists $P0F_PATH] || ![file executable $P0F_PATH] } { ! SendSocket $clientSocketID [list XscriptDebugMsg $winName "Cannot find p0f in: $P0F_PATH"] ! SendSocket $clientSocketID [list XscriptDebugMsg $winName "OS fingerprint has been disabled"] } else { set p0fID [open "| $P0F_PATH -q -s $fileName"] while { [gets $p0fID data] >= 0 } { ! SendSocket $clientSocketID [list XscriptMainMsg $winName "OS Fingerprint:\t$data"] } catch {close $p0fID} closeError } } ! SendSocket $clientSocketID [list XscriptMainMsg $winName " "] if [catch {open "| $TCPFLOW -c -r $fileName"} tcpflowID] { LogMessage "ERROR: tcpflow: $tcpflowID" ! SendSocket $clientSocketID [list XscriptDebugMsg $winName "ERROR: tcpflow: $tcpflowID"] catch {close $tcpflowID} return --- 297,324 ---- set srcMask [TcpFlowFormat $srcIP $srcPort $dstIP $dstPort] set dstMask [TcpFlowFormat $dstIP $dstPort $srcIP $srcPort] ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName HDR]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Sensor Name:\t[lindex $transInfoArray($TRANS_ID) 4]"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Timestamp:\t[lindex $transInfoArray($TRANS_ID) 5]"]} ! 
catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Connection ID:\t$winName"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Src IP:\t\t$srcIP\t([GetHostbyAddr $srcIP])"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Dst IP:\t\t$dstIP\t([GetHostbyAddr $dstIP])"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Src Port:\t\t$srcPort"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Dst Port:\t\t$dstPort"]} if {$P0F} { if { ![file exists $P0F_PATH] || ![file executable $P0F_PATH] } { ! catch {SendSocket $clientSocketID [list XscriptDebugMsg $winName "Cannot find p0f in: $P0F_PATH"]} ! catch {SendSocket $clientSocketID [list XscriptDebugMsg $winName "OS fingerprint has been disabled"]} } else { set p0fID [open "| $P0F_PATH -q -s $fileName"] while { [gets $p0fID data] >= 0 } { ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "OS Fingerprint:\t$data"]} } catch {close $p0fID} closeError } } ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName " "]} if [catch {open "| $TCPFLOW -c -r $fileName"} tcpflowID] { LogMessage "ERROR: tcpflow: $tcpflowID" ! catch {SendSocket $clientSocketID [list XscriptDebugMsg $winName "ERROR: tcpflow: $tcpflowID"]} catch {close $tcpflowID} return *************** *** 332,336 **** set state DST } ! SendSocket $clientSocketID [list XscriptMainMsg $winName $state] SendSocket $clientSocketID [list XscriptMainMsg $winName $data] update --- 332,336 ---- set state DST } ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName $state]} SendSocket $clientSocketID [list XscriptMainMsg $winName $data] update *************** *** 338,347 **** } if [catch {close $tcpflowID} closeError] { ! SendSocket $clientSocketID [list XscriptDebugMsg $winName "ERROR: tcpflow: $closeError"] } if {$NODATAFLAG} { ! SendSocket $clientSocketID [list XscriptMainMsg $winName "No Data Sent."] } ! 
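Review bot: In the `*** 332,336` hunk only the `$state` send is wrapped, while `SendSocket $clientSocketID [list XscriptMainMsg $winName $data]` on the next line stays bare; that is the call made once per tcpflow output line, so a client that disconnects mid-transcript still raises out of the loop and skips the `close $tcpflowID` and `unset transInfoArray($TRANS_ID)` cleanup in the following hunk — wrap it too: `catch {SendSocket $clientSocketID [list XscriptMainMsg $winName $data]}`. Across all the SguildTranscript.tcl hunks the bare `catch {SendSocket ...}` discards the error, so a dead client leaves no trace in the log; capturing the result once, e.g. `if { [catch {SendSocket ...} err] } { InfoMessage "Client $clientSocketID gone: $err" }`, on the first failure would keep the disconnect visible. Whether SendSocket already tolerates a closed channel is not visible here; if it does, the wrappers are redundant rather than wrong. The enclosing procs start and end outside these hunks.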
SendSocket $clientSocketID [list XscriptMainMsg $winName DONE] unset transInfoArray($TRANS_ID) --- 338,347 ---- } if [catch {close $tcpflowID} closeError] { ! catch {SendSocket $clientSocketID [list XscriptDebugMsg $winName "ERROR: tcpflow: $closeError"]} } if {$NODATAFLAG} { ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "No Data Sent."]} } ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName DONE]} unset transInfoArray($TRANS_ID) *************** *** 376,381 **** } else { ! SendSocket $clientSocketID [list XscriptMainMsg foo "Unable to find alert $alertID in RealTime array"] ! SendSocket $clientSocketID [list XscriptMainMsg foo DONE] } --- 376,381 ---- } else { ! catch {SendSocket $clientSocketID [list XscriptMainMsg foo "Unable to find alert $alertID in RealTime array"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg foo DONE]} } Index: SguildSensorCmdRcvd.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildSensorCmdRcvd.tcl,v retrieving revision 1.31 retrieving revision 1.32 diff -C2 -d -r1.31 -r1.32 *** SguildSensorCmdRcvd.tcl 16 Mar 2011 22:00:30 -0000 1.31 --- SguildSensorCmdRcvd.tcl 5 Sep 2013 00:38:45 -0000 1.32 *************** *** 31,56 **** switch -exact -- $sensorCmd { ! LastPcapTime { UpdateLastPcapTime $socketID [lindex $data 1] } ! RegisterAgent { RegisterAgent $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3] } ! GenericEvent { GenericEvent $socketID [lrange $data 1 end] } ! PadsAsset { ProcessPadsAsset [lindex $data 1] } ! SancpFile { RcvSancpFile $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3] } ! AgentInit { AgentInit $socketID [lindex $data 1] [lindex $data 2] } ! BarnyardInit { BarnyardInit $socketID [lindex $data 1] [lindex $data 2] } ! AgentLastCidReq { AgentLastCidReq $socketID [lindex $data 1] [lindex $data 2] } ! BYEventRcvd { eval BYEventRcvd $socketID [lrange $data 1 end] } ! 
DiskReport { $sensorCmd $socketID [lindex $data 1] [lindex $data 2] } ! PING { SendSensorAgent $socketID "PONG" } ! PONG { SensorAgentPongRcvd $socketID } ! XscriptDebugMsg { $sensorCmd [lindex $data 1] [lindex $data 2] } ! RawDataFile { $sensorCmd $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3] } ! SystemMessage { SystemMsgRcvd $socketID [lindex $data 1] } ! SnortStats { SnortStatsRcvd $socketID [lindex $data 1] } ! BarnyardConnect { BarnyardConnect $socketID [lindex $data 1] } ! BarnyardDisConnect { BarnyardDisConnect $socketID [lindex $data 1] } ! PadsSensorIDReq { GetPadsID $socketID [lindex $data 1] } ! VersionInfo { AgentVersionCheck $socketID [lindex $data 1] } default { if {$sensorCmd != ""} { LogMessage "Sensor Cmd Unknown ($socketID): $sensorCmd" } } } } } --- 31,64 ---- switch -exact -- $sensorCmd { ! LastPcapTime { set cmd [list UpdateLastPcapTime $socketID [lindex $data 1]] } ! RegisterAgent { set cmd [list RegisterAgent $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3]] } ! GenericEvent { set cmd [list GenericEvent $socketID [lrange $data 1 end]] } ! PadsAsset { set cmd [list ProcessPadsAsset [lindex $data 1]] } ! SancpFile { set cmd [list RcvSancpFile $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3]] } ! AgentInit { set cmd [list AgentInit $socketID [lindex $data 1] [lindex $data 2]] } ! BarnyardInit { set cmd [list BarnyardInit $socketID [lindex $data 1] [lindex $data 2]] } ! AgentLastCidReq { set cmd [list AgentLastCidReq $socketID [lindex $data 1] [lindex $data 2]] } ! BYEventRcvd { set cmd "BYEventRcvd $socketID [lrange $data 1 end]" } ! DiskReport { set cmd [list DiskReport $socketID [lindex $data 1] [lindex $data 2]] } ! PING { set cmd [list SendSensorAgent $socketID "PONG"] } ! PONG { set cmd [list SensorAgentPongRcvd $socketID] } ! XscriptDebugMsg { set cmd [list XscriptDebugMsg [lindex $data 1] [lindex $data 2]] } ! 
RawDataFile { set cmd [list RawDataFile $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3]] } ! SystemMessage { set cmd [list SystemMsgRcvd $socketID [lindex $data 1]] } ! SnortStats { set cmd [list SnortStatsRcvd $socketID [lindex $data 1]] } ! BarnyardConnect { set cmd [list BarnyardConnect $socketID [lindex $data 1]] } ! BarnyardDisConnect { set cmd [list BarnyardDisConnect $socketID [lindex $data 1]] } ! PadsSensorIDReq { set cmd [list GetPadsID $socketID [lindex $data 1]] } ! VersionInfo { set cmd [list AgentVersionCheck $socketID [lindex $data 1]] } default { if {$sensorCmd != ""} { LogMessage "Sensor Cmd Unknown ($socketID): $sensorCmd" } } } + + # Catch poorly formatted cmds + if { $sensorCmd != "" } { + if { [catch {eval $cmd} tmpError] } { + LogMessage "Error: Improper sensor cmd received: $data: $tmpError" + } + } + } } |
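Review bot: For an unknown but non-empty command the `default` arm never sets `cmd`, yet the guard below only tests `$sensorCmd != ""`, so `eval $cmd` fails with "can't read cmd" and a second, misleading `Error: Improper sensor cmd received` line follows the `Sensor Cmd Unknown` one; either add `set cmd {}` to the default arm or test `[info exists cmd]` instead. `BYEventRcvd` is the one arm still assembled as a string (`set cmd "BYEventRcvd $socketID [lrange $data 1 end]"`) and then re-parsed by `eval`, unlike the `list` form used everywhere else; `set cmd [concat [list BYEventRcvd $socketID] [lrange $data 1 end]]` keeps the sensor-supplied fields as list elements. The new `catch` also swallows errors raised inside the handlers themselves (a DB failure in GenericEvent, say) and reports them as an improper command, so logging `$::errorInfo` alongside `$tmpError` would keep those diagnosable. The same hunk appears again in the sguil_0_8 branch commit below (the `1.31.2.1` diff) and needs the same fixes. The enclosing proc starts above the hunk.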
From: Bamm V. <ba...@us...> - 2013-09-05 00:38:47
Update of /cvsroot/sguil/sguil/client In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv10867/client Modified Files: sguil.tk Log Message: Merged sguil_0_8 into HEAD. Index: sguil.tk =================================================================== RCS file: /cvsroot/sguil/sguil/client/sguil.tk,v retrieving revision 1.263 retrieving revision 1.264 diff -C2 -d -r1.263 -r1.264 *** sguil.tk 9 Mar 2011 05:00:04 -0000 1.263 --- sguil.tk 5 Sep 2013 00:38:45 -0000 1.264 *************** *** 2145,2148 **** --- 2145,2149 ---- #source $SGUILLIB/SguilToolTip.tcl source $SGUILLIB/SguilUtil.tcl + source $SGUILLIB/SguilAutoCat.tcl # Load TableList *************** *** 2204,2207 **** --- 2205,2209 ---- } set fileList [menu $fileMenu.menu -tearoff 0] + $fileList add command -label "AutoCat" -command { AutoCatBldr none any any any any any any any 1 } $fileList add command -label "Display Incident Categories" -command DisplayIncidentCats $fileList add command -label "Change Password" -command LaunchPassChange *************** *** 2998,3001 **** --- 3000,3004 ---- set statusMenu [ menu .statusMenu -background $SELECTBACKGROUND -foreground $SELECTFOREGROUND\ -activeforeground $SELECTBACKGROUND -activebackground $SELECTFOREGROUND -tearoff 0 ] + $statusMenu add command -label "Create AutoCat From Event" -command "AutoCatFromEvent" $statusMenu add command -label "Expire Event As NA (F8)" -command "ValidateEvent 1" $statusMenu add command -label "Expire Event As NA With Comment" -command "ValidateEvent 1 1" |
From: Bamm V. <ba...@us...> - 2013-01-16 03:13:20
Update of /cvsroot/sguil/sguil/server/lib In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv25437 Modified Files: Tag: sguil_0_8 SguildSensorCmdRcvd.tcl Log Message: Improved sensor cmd error handling. Reports to LogMessage. Index: SguildSensorCmdRcvd.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildSensorCmdRcvd.tcl,v retrieving revision 1.31 retrieving revision 1.31.2.1 diff -C2 -d -r1.31 -r1.31.2.1 *** SguildSensorCmdRcvd.tcl 16 Mar 2011 22:00:30 -0000 1.31 --- SguildSensorCmdRcvd.tcl 16 Jan 2013 03:13:18 -0000 1.31.2.1 *************** *** 31,56 **** switch -exact -- $sensorCmd { ! LastPcapTime { UpdateLastPcapTime $socketID [lindex $data 1] } ! RegisterAgent { RegisterAgent $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3] } ! GenericEvent { GenericEvent $socketID [lrange $data 1 end] } ! PadsAsset { ProcessPadsAsset [lindex $data 1] } ! SancpFile { RcvSancpFile $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3] } ! AgentInit { AgentInit $socketID [lindex $data 1] [lindex $data 2] } ! BarnyardInit { BarnyardInit $socketID [lindex $data 1] [lindex $data 2] } ! AgentLastCidReq { AgentLastCidReq $socketID [lindex $data 1] [lindex $data 2] } ! BYEventRcvd { eval BYEventRcvd $socketID [lrange $data 1 end] } ! DiskReport { $sensorCmd $socketID [lindex $data 1] [lindex $data 2] } ! PING { SendSensorAgent $socketID "PONG" } ! PONG { SensorAgentPongRcvd $socketID } ! XscriptDebugMsg { $sensorCmd [lindex $data 1] [lindex $data 2] } ! RawDataFile { $sensorCmd $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3] } ! SystemMessage { SystemMsgRcvd $socketID [lindex $data 1] } ! SnortStats { SnortStatsRcvd $socketID [lindex $data 1] } ! BarnyardConnect { BarnyardConnect $socketID [lindex $data 1] } ! BarnyardDisConnect { BarnyardDisConnect $socketID [lindex $data 1] } ! PadsSensorIDReq { GetPadsID $socketID [lindex $data 1] } ! 
VersionInfo { AgentVersionCheck $socketID [lindex $data 1] } default { if {$sensorCmd != ""} { LogMessage "Sensor Cmd Unknown ($socketID): $sensorCmd" } } } } } --- 31,64 ---- switch -exact -- $sensorCmd { ! LastPcapTime { set cmd [list UpdateLastPcapTime $socketID [lindex $data 1]] } ! RegisterAgent { set cmd [list RegisterAgent $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3]] } ! GenericEvent { set cmd [list GenericEvent $socketID [lrange $data 1 end]] } ! PadsAsset { set cmd [list ProcessPadsAsset [lindex $data 1]] } ! SancpFile { set cmd [list RcvSancpFile $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3]] } ! AgentInit { set cmd [list AgentInit $socketID [lindex $data 1] [lindex $data 2]] } ! BarnyardInit { set cmd [list BarnyardInit $socketID [lindex $data 1] [lindex $data 2]] } ! AgentLastCidReq { set cmd [list AgentLastCidReq $socketID [lindex $data 1] [lindex $data 2]] } ! BYEventRcvd { set cmd "BYEventRcvd $socketID [lrange $data 1 end]" } ! DiskReport { set cmd [list DiskReport $socketID [lindex $data 1] [lindex $data 2]] } ! PING { set cmd [list SendSensorAgent $socketID "PONG"] } ! PONG { set cmd [list SensorAgentPongRcvd $socketID] } ! XscriptDebugMsg { set cmd [list XscriptDebugMsg [lindex $data 1] [lindex $data 2]] } ! RawDataFile { set cmd [list RawDataFile $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3]] } ! SystemMessage { set cmd [list SystemMsgRcvd $socketID [lindex $data 1]] } ! SnortStats { set cmd [list SnortStatsRcvd $socketID [lindex $data 1]] } ! BarnyardConnect { set cmd [list BarnyardConnect $socketID [lindex $data 1]] } ! BarnyardDisConnect { set cmd [list BarnyardDisConnect $socketID [lindex $data 1]] } ! PadsSensorIDReq { set cmd [list GetPadsID $socketID [lindex $data 1]] } ! 
VersionInfo { set cmd [list AgentVersionCheck $socketID [lindex $data 1]] } default { if {$sensorCmd != ""} { LogMessage "Sensor Cmd Unknown ($socketID): $sensorCmd" } } } + + # Catch poorly formatted cmds + if { $sensorCmd != "" } { + if { [catch {eval $cmd} tmpError] } { + LogMessage "Error: Improper sensor cmd received: $data: $tmpError" + } + } + } } |
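Review bot: The `default` branch never assigns `cmd`, so for an unrecognized but non-empty `sensorCmd` the new guard still runs `eval $cmd`, which fails on the missing variable and logs a second, misleading "Improper sensor cmd received" line right after "Sensor Cmd Unknown"; testing the variable rather than the name avoids that: `if { [info exists cmd] } {`. `BYEventRcvd` is also the only entry built as a string instead of a list, so its eval depends on `[lrange $data 1 end]` being list-quoted; `set cmd [linsert [lrange $data 1 end] 0 BYEventRcvd $socketID]` gives it the same shape as the other entries. The `catch` folds every error raised inside a handler into the same "Improper sensor cmd" message, so a genuine bug in a handler now reads like a malformed sensor message — logging `$sensorCmd` and `$tmpError` separately from the raw `$data` would keep the two cases distinguishable. The enclosing proc begins before the hunk.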
From: Bamm V. <ba...@us...> - 2013-01-16 02:33:32
Update of /cvsroot/sguil/sguil/server/lib
In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv21607
Modified Files:
Tag: sguil_0_8
SguildEvent.tcl
Log Message:
Catch email failures and report via LogMessage.
Index: SguildEvent.tcl
===================================================================
RCS file: /cvsroot/sguil/sguil/server/lib/SguildEvent.tcl,v
retrieving revision 1.23
retrieving revision 1.23.2.1
diff -C2 -d -r1.23 -r1.23.2.1
*** SguildEvent.tcl 9 Apr 2008 04:20:52 -0000 1.23
--- SguildEvent.tcl 16 Jan 2013 02:33:29 -0000 1.23.2.1
***************
*** 43,47 ****
&& [lsearch -exact $EMAIL_DISABLE_SIDS $sigID] < 0)\
|| [lsearch -exact $EMAIL_ENABLE_SIDS $sigID] >= 0 } {
! EmailEvent $eventDataList
}
}
--- 43,50 ----
&& [lsearch -exact $EMAIL_DISABLE_SIDS $sigID] < 0)\
|| [lsearch -exact $EMAIL_ENABLE_SIDS $sigID] >= 0 } {
! if { [catch {EmailEvent $eventDataList} tmpError] } {
! # Email failed
! LogMessage "Error: Failed to send notification email: $eventDataList"
! }
}
}
|
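Review bot: The `catch` captures the failure reason in `tmpError` but the log line drops it, so an operator sees only the event that failed and not why (SMTP refused, bad address, missing package); `LogMessage "Error: Failed to send notification email: $eventDataList: $tmpError"` keeps the diagnostic. The enclosing proc begins before the hunk.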
From: Bamm V. <ba...@us...> - 2012-12-21 04:43:29
Update of /cvsroot/sguil/sguil/client/lib In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv3811/lib Modified Files: Tag: sguil_0_8 SguilAutoCat.tcl Log Message: Prepopulate autocat wizard via right-click status menu. Index: SguilAutoCat.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/client/lib/Attic/SguilAutoCat.tcl,v retrieving revision 1.1.2.1 retrieving revision 1.1.2.2 diff -C2 -d -r1.1.2.1 -r1.1.2.2 *** SguilAutoCat.tcl 13 Dec 2012 21:23:04 -0000 1.1.2.1 --- SguilAutoCat.tcl 21 Dec 2012 04:43:27 -0000 1.1.2.2 *************** *** 166,169 **** --- 166,190 ---- } + proc AutoCatFromEvent {} { + + global ACTIVE_EVENT MULTI_SELECT CUR_SEL_PANE + + if { $ACTIVE_EVENT && !$MULTI_SELECT } { + + set selectedIndex [$CUR_SEL_PANE(name) curselection] + set sensor [$CUR_SEL_PANE(name) getcells $selectedIndex,sensor] + set sip [$CUR_SEL_PANE(name) getcells $selectedIndex,srcip] + set sport [$CUR_SEL_PANE(name) getcells $selectedIndex,srcport] + set dip [$CUR_SEL_PANE(name) getcells $selectedIndex,dstip] + set dport [$CUR_SEL_PANE(name) getcells $selectedIndex,dstport] + set proto [$CUR_SEL_PANE(name) getcells $selectedIndex,ipproto] + set sig [$CUR_SEL_PANE(name) getcells $selectedIndex,event] + + AutoCatBldr {1 day} $sensor $sip $sport $dip $dport $proto $sig 1 + + } + + + } proc UpdateACText { name } { *************** *** 175,179 **** switch -exact -- $name { ! erase { set msgtxt "Time (YYYY-MM-DD HH:MM:SS) this autocat rule expires.\nStrings like '2 days' or '48 hours' will be converted." } sip { set msgtxt "Source IP address or CIDR (192.168.1.2 or 192.168.1.0/24 or 127/8) or any" } sport { set msgtxt "Source port or any" } --- 196,200 ---- switch -exact -- $name { ! erase { set msgtxt "Time (YYYY-MM-DD HH:MM:SS) this autocat rule expires or \"none\".\nStrings like '2 days' or '48 hours' will be converted." 
} sip { set msgtxt "Source IP address or CIDR (192.168.1.2 or 192.168.1.0/24 or 127/8) or any" } sport { set msgtxt "Source port or any" } *************** *** 264,269 **** } ! if { $proto != "any" && $proto != "ANY" && ($proto < 0 || $dport > 255) } { ! return -code error "IP Protocol is invalid." } --- 285,290 ---- } ! if { $proto != "any" && $proto != "ANY" && ($proto < 0 || $proto > 255) } { ! return -code error "IP Protocol \"$proto\" is invalid." } |
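Review bot: The corrected protocol check in the 264,269 hunk still hands a non-numeric value such as `tcp` to `expr`, so the user gets a Tcl operand error instead of the intended message; `if { $proto != "any" && $proto != "ANY" && (![string is integer -strict $proto] || $proto < 0 || $proto > 255) } {` keeps the error text meaningful. In `AutoCatFromEvent` the port and `ipproto` cells are copied straight from the selected row into the rule; that is acceptable only because `AutoCatBldr` re-validates on submit, which deserves a one-line comment above the `AutoCatBldr` call. The procs touched here belong to a file whose other definitions are outside this diff.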
From: Bamm V. <ba...@us...> - 2012-12-13 21:23:08
Update of /cvsroot/sguil/sguil/client
In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv320
Modified Files:
Tag: sguil_0_8
sguil.tk
Log Message:
Generic autocat builder.
Index: sguil.tk
===================================================================
RCS file: /cvsroot/sguil/sguil/client/sguil.tk,v
retrieving revision 1.263
retrieving revision 1.263.2.1
diff -C2 -d -r1.263 -r1.263.2.1
*** sguil.tk 9 Mar 2011 05:00:04 -0000 1.263
--- sguil.tk 13 Dec 2012 21:23:04 -0000 1.263.2.1
***************
*** 2145,2148 ****
--- 2145,2149 ----
#source $SGUILLIB/SguilToolTip.tcl
source $SGUILLIB/SguilUtil.tcl
+ source $SGUILLIB/SguilAutoCat.tcl
# Load TableList
***************
*** 2204,2207 ****
--- 2205,2209 ----
}
set fileList [menu $fileMenu.menu -tearoff 0]
+ $fileList add command -label "AutoCat" -command { AutoCatBldr none any any any any any any any 1 }
$fileList add command -label "Display Incident Categories" -command DisplayIncidentCats
$fileList add command -label "Change Password" -command LaunchPassChange
|
From: Bamm V. <ba...@us...> - 2012-12-13 21:23:07
Update of /cvsroot/sguil/sguil/client/lib In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv320/lib Added Files: Tag: sguil_0_8 SguilAutoCat.tcl Log Message: Generic autocat builder. --- NEW FILE: SguilAutoCat.tcl --- # $Id: SguilAutoCat.tcl,v 1.1.2.1 2012/12/13 21:23:04 bamm Exp $ proc AutoCatBldr { erase sensor sip sport dip dport proto sig status } { global autocat USERNAME # Grab the current pointer locations set xy [winfo pointerxy .] # Create the window set autoBldWin .autoBldWin if { [winfo exists $autoBldWin] } { wm withdraw $autoBldWin wm deiconify $autoBldWin return } toplevel $autoBldWin wm title $autoBldWin "AutoCat Rule Builder" set height [winfo height .] set width [winfo width .] set y [expr ( ( $height / 2 ) - 250)] if { $y < 0 } { set y 0 } set x [expr ( ( $width / 2 ) - 350)] if { $x < 0 } { set x 0 } wm geometry $autoBldWin +$x+$y set bf [frame $autoBldWin.bf -background #dcdcec -borderwidth 1] set eraseEntry [ iwidgets::entryfield $bf.time \ -labeltext "Expire Time" \ -labelpos n \ -width 18 \ -focuscommand { UpdateACText erase } \ -command "ACConvertTime $bf.time" \ ] set sensorEntry [ iwidgets::entryfield $bf.sensor \ -labeltext "Sensor Name" \ -labelpos n \ -width 18 \ -focuscommand { UpdateACText erase } \ ] set sipEntry [ iwidgets::entryfield $bf.sip \ -labeltext "Src IP" \ -labelpos n \ -width 16 \ -focuscommand { UpdateACText sip } \ -command "ACIPNormalize $bf.sip" \ ] set sportEntry [ iwidgets::entryfield $bf.sport \ -labeltext "Src Port" \ -labelpos n \ -width 6 \ -focuscommand { UpdateACText sport } \ ] set dipEntry [ iwidgets::entryfield $bf.dip \ -labeltext "Dst IP" \ -labelpos n \ -width 16 \ -focuscommand { UpdateACText dip } \ -command "ACIPNormalize $bf.dip" \ ] set dportEntry [ iwidgets::entryfield $bf.dport \ -labeltext "Dst Port" \ -labelpos n \ -width 6 \ -focuscommand { UpdateACText dport } \ ] set protoEntry [ iwidgets::entryfield $bf.proto \ -labeltext "Pr" \ -labelpos n \ -width 3 \ -focuscommand { UpdateACText 
proto } \ ] set sigEntry [ iwidgets::entryfield $bf.sig\ -labeltext "Signature" \ -labelpos n \ -width 30 \ -focuscommand { UpdateACText sig } \ ] set statusEntry [ iwidgets::entryfield $bf.status\ -labeltext "St" \ -labelpos n \ -width 3 \ -focuscommand { UpdateACText status } \ ] pack $eraseEntry $sensorEntry $sipEntry $sportEntry $dipEntry $dportEntry $protoEntry \ -side left \ -expand false pack $sigEntry \ -side left \ -fill x \ -expand true pack $statusEntry \ -side left \ -expand false set h [message $autoBldWin.h \ -justify left \ -width 800 \ -text "Modify auto cat rule above." \ ] set bb [buttonbox $autoBldWin.bb] $bb add cancel -text "Cancel" -command "set autocat(state) cancel" $bb add submit -text "Submit" -command "set autocat(state) submit" pack $bf -side top -fill x pack $h -side top -fill both -expand true pack $bb -side top foreach value [list erase sensor sip sport dip dport proto sig status] { eval $${value}Entry insert 0 $$value } vwait autocat(state) if { $autocat(state) == "submit" } { ACConvertTime $eraseEntry ACIPNormalize $sipEntry ACIPNormalize $dipEntry foreach value [list erase sensor sip sport dip dport proto sig status] { set $value [eval $${value}Entry get] } destroy $autoBldWin if { [catch {ValidateAutoCat $erase $sensor $sip $sport $dip $dport $proto $sig $status} tmpError] } { ErrorMessage "You have an error with your rule syntax:\n $tmpError" AutoCatBldr $erase $sensor $sip $sport $dip $dport $proto $sig $status } else { puts "DEBUG #### good -> $erase $sensor $sip $sport $dip $dport $proto $sig $status" SendToSguild [list AutoCatRequest $erase $sensor $sip $sport $dip $dport $proto $sig $status] InfoMessage "Autocat rule sent to server." } } else { destroy $autoBldWin } } proc UpdateACText { name } { # Update help text based on entry w/focus set winName .autoBldWin.h switch -exact -- $name { erase { set msgtxt "Time (YYYY-MM-DD HH:MM:SS) this autocat rule expires.\nStrings like '2 days' or '48 hours' will be converted." 
} sip { set msgtxt "Source IP address or CIDR (192.168.1.2 or 192.168.1.0/24 or 127/8) or any" } sport { set msgtxt "Source port or any" } dip { set msgtxt "Destination IP address or CIDR (192.168.1.2 or 192.168.1.0/24 or 127/8) or any" } dport { set msgtxt "Destination port or any" } proto { set msgtxt "IP protocol in decimal (ICMP = 0, TCP = 6, UDP = 17)" } sig { set msgtxt "Sig msg can use TCL regexp format. To make a sig msg a regexp begin the rule with %%REGEXP%%\n\ Matching is case sensitive unless the string is preceded by a (?i).\n\ Use ^ to match the beginning of the line and $ for the end.\n\ Examples:\n\n\ '%%REGEXP%%Testing' would match '123Testing123' but not '123testing123'\n\ '%%REGEXP%%(?i)testing' would match both '123Testing123' and '123testing123'\n\ '%%REGEXP%%^Testing' would match 'Testing' but not '123Testing' and not 'testing'\n\ '%%REGEXP%%(?i)^testing would match 'Testing' and 'testing' but not '123testing'\n\n\ If you don't use %%REGEXP%% the string you type in the sig must EXACTLY match the rule." } status { set msgtxt "Status the alert matches will be automatically categorized to (NA=1, Cat I-VII = 11-17)" } default { return } } $winName configure -text $msgtxt } proc ACConvertTime { winName } { set erase [$winName get] if { $erase != "none" && $erase != "NONE" } { if { [catch {clock scan $erase} secs] } { ErrorMessage {Timestamp is not formatted correctly. Use the format YYYY-MM-DD HH:MM:SS or a descriptor like "24 hours".} } else { set timestamp [clock format $secs -gmt true -f "%Y-%m-%d %T"] $winName clear $winName insert 0 $timestamp } } } proc ACIPNormalize { winName } { set ip [$winName get] if { $ip != "any" && $ip != "ANY" } { if { [catch {ip::normalize $ip} ip] } { ErrorMessage "The IP address is not formatted correctly. \ Please use dotted notation or a CIDR. 
(192.168.8.8 or 127/8 or 192.168.8.0/24)" } else { $winName clear $winName insert 0 $ip } } } proc ValidateAutoCat { erase sensor sip sport dip dport proto sig status } { if { $erase != "none" && $erase != "NONE" && [catch {clock scan $erase} tmpError] } { return -code error "Timestamp is not formatted correctly." } if { $sip != "any" && $sip != "ANY" && [ip::version $sip] != 4 } { return -code error "Source IP is invalid." } if { $sensor == "" } { return -code error "Sensor cannot be left blank" } if { $sport != "any" && $sport != "ANY" && [string is integer $sport] && ($sport < 0 || $sport > 65535) } { return -code error "Source Port is invalid." } if { $dip != "any" && $dip != "ANY" && [ip::version $sip] != 4 } { return -code error "Destination IP is invalid." } if { $dport != "any" && $dport != "ANY" && ($dport < 0 || $dport > 65535) } { return -code error "Destination Port is invalid." } if { $proto != "any" && $proto != "ANY" && ($proto < 0 || $dport > 255) } { return -code error "IP Protocol is invalid." } if { ![string is integer -strict $status] || $status < 1 } { return -code error "An invalid status was provided" } } |
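Review bot: In `ValidateAutoCat` the destination-address test calls `[ip::version $sip]` instead of `$dip`, so an invalid destination IP passes client-side validation; it should read `if { $dip != "any" && $dip != "ANY" && [ip::version $dip] != 4 } {`. The source-port test has the inverse problem: `[string is integer $sport] && (...)` lets a non-integer port skip the range check entirely, where `(![string is integer -strict $sport] || $sport < 0 || $sport > 65535)` would reject it, matching how `status` is checked. The `puts "DEBUG #### good -> ..."` in `AutoCatBldr` dumps the rule to the client's stdout and should not ship. These checks run only in the client, so the server-side `AutoCatRequest` handler has to enforce the same constraints on what it receives.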
From: Bamm V. <ba...@us...> - 2012-12-13 21:21:28
Update of /cvsroot/sguil/sguil/server/lib In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv32686/lib Modified Files: Tag: sguil_0_8 SguildAutoCat.tcl SguildClientCmdRcvd.tcl Log Message: Support for Sguil client created auto cat rules. Index: SguildAutoCat.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildAutoCat.tcl,v retrieving revision 1.5.6.3 retrieving revision 1.5.6.4 diff -C2 -d -r1.5.6.3 -r1.5.6.4 *** SguildAutoCat.tcl 29 Nov 2012 02:39:51 -0000 1.5.6.3 --- SguildAutoCat.tcl 13 Dec 2012 21:21:25 -0000 1.5.6.4 *************** *** 15,18 **** --- 15,21 ---- # | signature | varchar(255) | YES | | NULL | | # | status | smallint(5) unsigned | NO | | NULL | | + # | active | enum('Y','N') | YES | | Y | | + # | uid | int(10) unsigned | NO | | NULL | | + # | timestamp | datetime | NO | | NULL | | # +------------+----------------------+------+-----+---------+----------------+ *************** *** 21,26 **** set aquery \ "SELECT \ ! autoid, erase, sensorname, INET_NTOA(src_ip), src_port, \ ! INET_NTOA(dst_ip), dst_port, ip_proto, signature, status \ FROM autocat \ WHERE active='Y'" --- 24,29 ---- set aquery \ "SELECT \ ! autoid, erase, sensorname, src_ip, src_port, \ ! dst_ip, dst_port, ip_proto, signature, status \ FROM autocat \ WHERE active='Y'" *************** *** 28,32 **** foreach line [MysqlSelect $aquery list] { ! set clearTime [lindex $line 0] if { $clearTime != "" } { --- 31,37 ---- foreach line [MysqlSelect $aquery list] { ! puts "DEBUG #### $line" ! ! set clearTime [lindex $line 1] if { $clearTime != "" } { *************** *** 37,41 **** # Set up the removal set DELAY [expr ($cTimeSecs - [clock seconds]) * 1000] ! after $DELAY RemoveAutoCatRule $i } --- 42,46 ---- # Set up the removal set DELAY [expr ($cTimeSecs - [clock seconds]) * 1000] ! 
after $DELAY RemoveAutoCatRule [lindex $line 0] } *************** *** 75,79 **** # All the fields have the option of being empty except status. ! if { $tmpVar == "" } { incr i; continue } # Need to test the regexp if we are looking at the sig index --- 80,84 ---- # All the fields have the option of being empty except status. ! if { $tmpVar == "" || $tmpVar == "any" || $tmpVar == "ANY" || $tmpVar == "none" || $tmpVar == "NONE" } { incr i; continue } # Need to test the regexp if we are looking at the sig index *************** *** 177,178 **** --- 182,248 ---- } + proc AutoCatRequest { clientSocketID ruleList } { + + global userIDArray MAIN_DB_SOCKETID + + if { [llength $ruleList] != 9 } { + + SendSocket $clientSocketID [list ErrorMessage "Invalid number of values in autocat list: $ruleList"] + return + + } + + set i 0 + foreach t [list erase sensorname src_ip src_port dst_ip dst_port ip_proto signature status] { + + set v [lindex $ruleList $i] + + lappend tables $t + + if { $v != "none" && $v != "NONE" && $v != "any" && $v != "ANY" } { + + lappend values "\'$v\'" + + } else { + + lappend values NULL + + } + + incr i + + } + + lappend tables active timestamp uid + lappend values "\'Y\'" "\'[GetCurrentTimeStamp]\'" "\'$userIDArray($clientSocketID)\'" + + # Build INSERT query + set q "INSERT INTO autocat ([join $tables ,]) VALUES ([join $values ,])" + puts "DEBUG #### $q" + + # INSERT + if { [catch {::mysql::exec $MAIN_DB_SOCKETID $q} tmpError] } { + + SendSocket $clientSocketID [list ErrorMessage "Error inserting autocat rule into the DB: $tmpError"] + return + + } + + if { [catch {::mysql::insertid $MAIN_DB_SOCKETID} rid] || $rid == "" } { + + SendSocket $clientSocketID [list ErrorMessage "Error retrieving new autocat rule id: $rid"] + return + + } + + if { [catch {AddAutoCatRule $rid [lrange $ruleList 1 end]} tmpError] } { + + SendSocket $clientSocketID [list ErrorMessage "Error inserting autocat rule: $rid"] + + } else { + + SendSocket $clientSocketID [list 
InfoMessage "AutoCat rule $rid successfully implemented."] + + } + + } Index: SguildClientCmdRcvd.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildClientCmdRcvd.tcl,v retrieving revision 1.48.2.1 retrieving revision 1.48.2.2 diff -C2 -d -r1.48.2.1 -r1.48.2.2 *** SguildClientCmdRcvd.tcl 26 Nov 2012 04:33:29 -0000 1.48.2.1 --- SguildClientCmdRcvd.tcl 13 Dec 2012 21:21:25 -0000 1.48.2.2 *************** *** 8,15 **** global clientList validSockets GLOBAL_QRY_LIST REPORT_QRY_LIST ! if { [eof $socketID] || [catch {gets $socketID data}] } { # Socket closed ! close $socketID ClientExitClose $socketID LogMessage "Socket $socketID closed" --- 8,22 ---- global clientList validSockets GLOBAL_QRY_LIST REPORT_QRY_LIST ! if { [eof $socketID] || [catch {gets $socketID data}] || [catch {llength $data} tmpLen] } { ! ! if { [info exists tmpLen] } { ! ! LogMessage "Error: Received poorly formatted message from $socketID: \n$data: \n$tmpLen" ! SendSocket $socketID [list ErrorMessage "Error: Your client sent improperly formatted data to sguild."] ! ! } # Socket closed ! catch {close $socketID} ClientExitClose $socketID LogMessage "Socket $socketID closed" *************** *** 19,23 **** --- 26,32 ---- # Don't display the user passwds if { [regexp ^ValidateUser $data] } { + InfoMessage "Client Command Received: [lrange $data 0 1] ********" + } elseif { [lindex $data 0] == "ChangePass" } { *************** *** 120,123 **** --- 129,134 ---- ChangePass { $clientCmd $socketID [lindex $data 1] [lindex $data 2] [lindex $data 3] } + AutoCatRequest { $clientCmd $socketID [lrange $data 1 end] } + default { InfoMessage "Unrecognized command from $socketID: $data" } |
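Review bot: `AutoCatRequest` splices each client-supplied field straight into the INSERT with `lappend values "\'$v\'"`, so a value containing a quote breaks the statement and lets any connected client shape the SQL; quote through the driver instead, `lappend values "'[::mysql::escape $MAIN_DB_SOCKETID $v]'"`, and have the server apply its own type and range checks (IPv4/CIDR, ports 0–65535, protocol 0–255, integer status) rather than rely on the client's `ValidateAutoCat`. When `AddAutoCatRule` fails the row has already been committed as `active='Y'` and the error sent to the client reports `$rid` instead of `$tmpError`, so the message should carry `$tmpError` and the row should be deactivated or deleted to keep the DB and the in-memory rules consistent. The two `puts "DEBUG #### ..."` lines (the `$line` dump in the load loop and the `$q` dump here) print every rule and the full query to sguild's stdout.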
From: Bamm V. <ba...@us...> - 2012-12-01 00:15:00
Update of /cvsroot/sguil/sguil/server/lib In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv13788 Modified Files: Tag: sguil_0_8 SguildTranscript.tcl Log Message: Wrapped SendSocket{} statements inside [catch] in case clients disconnect abruptly. Index: SguildTranscript.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildTranscript.tcl,v retrieving revision 1.21 retrieving revision 1.21.2.1 diff -C2 -d -r1.21 -r1.21.2.1 *** SguildTranscript.tcl 10 Mar 2011 22:03:33 -0000 1.21 --- SguildTranscript.tcl 1 Dec 2012 00:14:58 -0000 1.21.2.1 *************** *** 48,52 **** if [catch { InitRawFileArchive $date $sensor $srcIP $dstIP $srcPort $dstPort $ipProto }\ rawDataFileNameInfo] { ! SendSocket $socketID [list ErrorMessage "Error getting pcap: $rawDataFileNameInfo"] return } --- 48,52 ---- if [catch { InitRawFileArchive $date $sensor $srcIP $dstIP $srcPort $dstPort $ipProto }\ rawDataFileNameInfo] { ! catch {SendSocket $socketID [list ErrorMessage "Error getting pcap: $rawDataFileNameInfo"]} return } *************** *** 59,64 **** if { ![GetRawDataFromSensor $TRANS_ID $sensor $sensorID $timestamp $srcIP $srcPort $dstIP $dstPort $ipProto $rawDataFileName wireshark] } { # This means the sensor_agent for this sensor isn't connected. ! SendSocket $socketID [list ErrorMessage "ERROR: Unable to request rawdata at this time.\ ! The sensor $sensor is NOT connected."] } } else { --- 59,64 ---- if { ![GetRawDataFromSensor $TRANS_ID $sensor $sensorID $timestamp $srcIP $srcPort $dstIP $dstPort $ipProto $rawDataFileName wireshark] } { # This means the sensor_agent for this sensor isn't connected. ! catch {SendSocket $socketID [list ErrorMessage "ERROR: Unable to request rawdata at this time.\ ! The sensor $sensor is NOT connected."]} } } else { *************** *** 79,83 **** # Send the client a session key and file name to download set clientSocketID [lindex $transInfoArray($TRANS_ID) 0] ! 
SendSocket $clientSocketID [list PcapAvailable $sKey [file tail $fileName]] set pcapKeys(fileName,$sKey) $fileName --- 79,83 ---- # Send the client a session key and file name to download set clientSocketID [lindex $transInfoArray($TRANS_ID) 0] ! catch {SendSocket $clientSocketID [list PcapAvailable $sKey [file tail $fileName]]} set pcapKeys(fileName,$sKey) $fileName *************** *** 94,98 **** # Failed to open file ! SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to open ${fileName}: ${fileID}"] unset pcapKeys(socketID,$sKey) unset pcapKeys(fileName,$sKey) --- 94,98 ---- # Failed to open file ! catch {SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to open ${fileName}: ${fileID}"]} unset pcapKeys(socketID,$sKey) unset pcapKeys(fileName,$sKey) *************** *** 108,112 **** # fcopy failed ! SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to copy ${fileName}: ${tmpError}"] catch {close $socketID} unset pcapKeys(socketID,$sKey) --- 108,112 ---- # fcopy failed ! catch {SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to copy ${fileName}: ${tmpError}"]} catch {close $socketID} unset pcapKeys(socketID,$sKey) *************** *** 129,133 **** # Error during copy set fileName $pcapKeys(fileName,$sKey) ! SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to copy file ${fileName}: ${error}"] } --- 129,133 ---- # Error during copy set fileName $pcapKeys(fileName,$sKey) ! catch {SendSocket $pcapKeys(socketID,$sKey) [list ErrorMessage "Failed to copy file ${fileName}: ${error}"]} } *************** *** 175,180 **** # If we don't have TCPFLOW then error to the user and return if { ![info exists TCPFLOW] || ![file exists $TCPFLOW] || ![file executable $TCPFLOW] } { ! SendSocket $socketID [list ErrorMessage "ERROR: tcpflow is not installed on the server."] ! 
SendSocket $socketID [list XscriptDebugMsg $winID "ERROR: tcpflow is not installed on the server."] return } --- 175,180 ---- # If we don't have TCPFLOW then error to the user and return if { ![info exists TCPFLOW] || ![file exists $TCPFLOW] || ![file executable $TCPFLOW] } { ! catch {SendSocket $socketID [list ErrorMessage "ERROR: tcpflow is not installed on the server."]} ! catch {SendSocket $socketID [list XscriptDebugMsg $winID "ERROR: tcpflow is not installed on the server."]} return } *************** *** 186,196 **** if [catch { InitRawFileArchive $date $sensor $srcIP $dstIP $srcPort $dstPort 6 }\ rawDataFileNameInfo] { ! SendSocket $socketID\ [list ErrorMessage "Please pass the following to your sguild administrator:\ ! Error from sguild while getting pcap: $rawDataFileNameInfo"] ! SendSocket $socketID [list XscriptDebugMsg $winID\ "ErrorMessage Please pass the following to your sguild administrator:\ ! Error from sguild while getting pcap: $rawDataFileNameInfo"] ! SendSocket $socketID [list XscriptMainMsg $winID DONE] return } --- 186,196 ---- if [catch { InitRawFileArchive $date $sensor $srcIP $dstIP $srcPort $dstPort 6 }\ rawDataFileNameInfo] { ! catch {SendSocket $socketID\ [list ErrorMessage "Please pass the following to your sguild administrator:\ ! Error from sguild while getting pcap: $rawDataFileNameInfo"]} ! catch {SendSocket $socketID [list XscriptDebugMsg $winID\ "ErrorMessage Please pass the following to your sguild administrator:\ ! Error from sguild while getting pcap: $rawDataFileNameInfo"]} ! catch {SendSocket $socketID [list XscriptMainMsg $winID DONE]} return } *************** *** 203,215 **** if { ![GetRawDataFromSensor $TRANS_ID $sensor $sensorID $timestamp $srcIP $srcPort $dstIP $dstPort 6 $rawDataFileName xscript] } { # This means the sensor_agent for this sensor isn't connected. ! SendSocket $socketID [list ErrorMessage "ERROR: Unable to request xscript at this time.\ ! The sensor $sensor is NOT connected."] ! 
SendSocket $socketID [list XscriptDebugMsg $winID "ERROR: Unable to request xscript at this time.\ ! The sensor $sensor is NOT connected."] ! SendSocket $socketID [list XscriptMainMsg $winID DONE] } } else { # The data is archive locally. ! SendSocket $socketID [list XscriptDebugMsg $winID "Using archived data: $sensorDir/$rawDataFileName"] GenerateXscript $sensorDir/$rawDataFileName $socketID $winID $TRANS_ID } --- 203,215 ---- if { ![GetRawDataFromSensor $TRANS_ID $sensor $sensorID $timestamp $srcIP $srcPort $dstIP $dstPort 6 $rawDataFileName xscript] } { # This means the sensor_agent for this sensor isn't connected. ! catch {SendSocket $socketID [list ErrorMessage "ERROR: Unable to request xscript at this time.\ ! The sensor $sensor is NOT connected."]} ! catch {SendSocket $socketID [list XscriptDebugMsg $winID "ERROR: Unable to request xscript at this time.\ ! The sensor $sensor is NOT connected."]} ! catch {SendSocket $socketID [list XscriptMainMsg $winID DONE]} } } else { # The data is archive locally. ! catch {SendSocket $socketID [list XscriptDebugMsg $winID "Using archived data: $sensorDir/$rawDataFileName"]} GenerateXscript $sensorDir/$rawDataFileName $socketID $winID $TRANS_ID } *************** *** 237,242 **** flush $pcapSocketID if { $type == "xscript" } { ! SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] "Raw data request sent to $sensor."] } } else { --- 237,242 ---- flush $pcapSocketID if { $type == "xscript" } { ! catch {SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] "Raw data request sent to $sensor."]} } } else { *************** *** 255,260 **** InfoMessage "Receiving rawdata file $fileName." if { $type == "xscript" } { ! SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! 
[list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] "Receiving raw file from sensor."] } --- 255,260 ---- InfoMessage "Receiving rawdata file $fileName." if { $type == "xscript" } { ! catch {SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] "Receiving raw file from sensor."]} } *************** *** 281,286 **** if [info exists transInfoArray($TRANS_ID)] { ! SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] $msg] } } --- 281,286 ---- if [info exists transInfoArray($TRANS_ID)] { ! catch {SendSocket [lindex $transInfoArray($TRANS_ID) 0]\ ! [list XscriptDebugMsg [lindex $transInfoArray($TRANS_ID) 1] $msg]} } } *************** *** 297,324 **** set srcMask [TcpFlowFormat $srcIP $srcPort $dstIP $dstPort] set dstMask [TcpFlowFormat $dstIP $dstPort $srcIP $srcPort] ! SendSocket $clientSocketID [list XscriptMainMsg $winName HDR] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Sensor Name:\t[lindex $transInfoArray($TRANS_ID) 4]"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Timestamp:\t[lindex $transInfoArray($TRANS_ID) 5]"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Connection ID:\t$winName"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Src IP:\t\t$srcIP\t([GetHostbyAddr $srcIP])"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Dst IP:\t\t$dstIP\t([GetHostbyAddr $dstIP])"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Src Port:\t\t$srcPort"] ! SendSocket $clientSocketID [list XscriptMainMsg $winName "Dst Port:\t\t$dstPort"] if {$P0F} { if { ![file exists $P0F_PATH] || ![file executable $P0F_PATH] } { ! SendSocket $clientSocketID [list XscriptDebugMsg $winName "Cannot find p0f in: $P0F_PATH"] ! 
SendSocket $clientSocketID [list XscriptDebugMsg $winName "OS fingerprint has been disabled"] } else { set p0fID [open "| $P0F_PATH -q -s $fileName"] while { [gets $p0fID data] >= 0 } { ! SendSocket $clientSocketID [list XscriptMainMsg $winName "OS Fingerprint:\t$data"] } catch {close $p0fID} closeError } } ! SendSocket $clientSocketID [list XscriptMainMsg $winName " "] if [catch {open "| $TCPFLOW -c -r $fileName"} tcpflowID] { LogMessage "ERROR: tcpflow: $tcpflowID" ! SendSocket $clientSocketID [list XscriptDebugMsg $winName "ERROR: tcpflow: $tcpflowID"] catch {close $tcpflowID} return --- 297,324 ---- set srcMask [TcpFlowFormat $srcIP $srcPort $dstIP $dstPort] set dstMask [TcpFlowFormat $dstIP $dstPort $srcIP $srcPort] ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName HDR]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Sensor Name:\t[lindex $transInfoArray($TRANS_ID) 4]"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Timestamp:\t[lindex $transInfoArray($TRANS_ID) 5]"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Connection ID:\t$winName"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Src IP:\t\t$srcIP\t([GetHostbyAddr $srcIP])"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Dst IP:\t\t$dstIP\t([GetHostbyAddr $dstIP])"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Src Port:\t\t$srcPort"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "Dst Port:\t\t$dstPort"]} if {$P0F} { if { ![file exists $P0F_PATH] || ![file executable $P0F_PATH] } { ! catch {SendSocket $clientSocketID [list XscriptDebugMsg $winName "Cannot find p0f in: $P0F_PATH"]} ! catch {SendSocket $clientSocketID [list XscriptDebugMsg $winName "OS fingerprint has been disabled"]} } else { set p0fID [open "| $P0F_PATH -q -s $fileName"] while { [gets $p0fID data] >= 0 } { ! 
catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "OS Fingerprint:\t$data"]} } catch {close $p0fID} closeError } } ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName " "]} if [catch {open "| $TCPFLOW -c -r $fileName"} tcpflowID] { LogMessage "ERROR: tcpflow: $tcpflowID" ! catch {SendSocket $clientSocketID [list XscriptDebugMsg $winName "ERROR: tcpflow: $tcpflowID"]} catch {close $tcpflowID} return *************** *** 332,336 **** set state DST } ! SendSocket $clientSocketID [list XscriptMainMsg $winName $state] SendSocket $clientSocketID [list XscriptMainMsg $winName $data] update --- 332,336 ---- set state DST } ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName $state]} SendSocket $clientSocketID [list XscriptMainMsg $winName $data] update *************** *** 338,347 **** } if [catch {close $tcpflowID} closeError] { ! SendSocket $clientSocketID [list XscriptDebugMsg $winName "ERROR: tcpflow: $closeError"] } if {$NODATAFLAG} { ! SendSocket $clientSocketID [list XscriptMainMsg $winName "No Data Sent."] } ! SendSocket $clientSocketID [list XscriptMainMsg $winName DONE] unset transInfoArray($TRANS_ID) --- 338,347 ---- } if [catch {close $tcpflowID} closeError] { ! catch {SendSocket $clientSocketID [list XscriptDebugMsg $winName "ERROR: tcpflow: $closeError"]} } if {$NODATAFLAG} { ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName "No Data Sent."]} } ! catch {SendSocket $clientSocketID [list XscriptMainMsg $winName DONE]} unset transInfoArray($TRANS_ID) *************** *** 376,381 **** } else { ! SendSocket $clientSocketID [list XscriptMainMsg foo "Unable to find alert $alertID in RealTime array"] ! SendSocket $clientSocketID [list XscriptMainMsg foo DONE] } --- 376,381 ---- } else { ! catch {SendSocket $clientSocketID [list XscriptMainMsg foo "Unable to find alert $alertID in RealTime array"]} ! catch {SendSocket $clientSocketID [list XscriptMainMsg foo DONE]} } |
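Review bot: In the 332,336 hunk only the `$state` send is wrapped; the `SendSocket $clientSocketID [list XscriptMainMsg $winName $data]` on the next line is still bare, so a client that drops mid-transcript raises out of the tcpflow read loop and the existing `close $tcpflowID` and `unset transInfoArray($TRANS_ID)` never run. Wrapping it the same way, or better `if { [catch {SendSocket $clientSocketID [list XscriptMainMsg $winName $data]}] } { break }`, lets the loop fall through to that cleanup. More generally every `catch {SendSocket ...}` here discards the error without a `LogMessage`, so a disconnected client is indistinguishable from a successful send and the loop keeps streaming the whole transcript to a dead socket. The enclosing procs begin before their hunks.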
From: Bamm V. <ba...@us...> - 2012-11-29 04:28:32
Update of /cvsroot/sguil/sguil/server/sql_scripts In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv29050 Modified Files: Tag: sguil_0_8 autocat2mysql.tcl create_sguildb.sql update_sguildb_v13-v14.sql Log Message: Added columns for the user id (uid) and timestamp. Index: autocat2mysql.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/sql_scripts/Attic/autocat2mysql.tcl,v retrieving revision 1.1.2.1 retrieving revision 1.1.2.2 diff -C2 -d -r1.1.2.1 -r1.1.2.2 *** autocat2mysql.tcl 29 Nov 2012 03:50:07 -0000 1.1.2.1 --- autocat2mysql.tcl 29 Nov 2012 04:28:27 -0000 1.1.2.2 *************** *** 16,20 **** puts "Usage: $cmd \[--dbuser <username>\] \[--dbhost <hostname>\]\ \[--dbport <port>\] \[--dbname <dbname>\]\ ! --file </path/to/autocat.conf>" exit } --- 16,21 ---- puts "Usage: $cmd \[--dbuser <username>\] \[--dbhost <hostname>\]\ \[--dbport <port>\] \[--dbname <dbname>\]\ ! --file </path/to/autocat.conf>\ ! --user <sguil user>" exit } *************** *** 54,57 **** --- 55,59 ---- --dbname { set STATE dbname } --file { set STATE fileName } + --user { set STATE user } default { DisplayUsage $argv0 } } *************** *** 62,65 **** --- 64,68 ---- dbname { set DBNAME $arg; set STATE flag } fileName { set fileName $arg; set STATE flag } + user { set user $arg; set STATE flag } default { DisplayUsage $argv0 } } *************** *** 126,129 **** --- 129,154 ---- } + puts -nonewline "Available Sguil usernames: " + puts [FlatDBQuery $dbSocketID "SELECT username FROM user_info"] + puts "" + + if { ![info exists user] } { + + puts -nonewline "Please enter your sguil login username: " + flush stdout + set user [gets stdin] + + } + + set uid [FlatDBQuery $dbSocketID "SELECT uid FROM user_info WHERE username='$user'"] + + if { $uid == "" } { + + puts "Error: Failed to get a uid for the user $user." + puts "Please check the user_info table and ensure the user exists." 
+ exit + + } + for_file line $fileName { *************** *** 134,139 **** puts "Processing line: $line" ! set TABLES "" ! set VALUES "" foreach t [list erase sensorname src_ip src_port dst_ip dst_port ip_proto signature status] { --- 159,164 ---- puts "Processing line: $line" ! set TABLES [list uid timestamp] ! set VALUES [list \'$uid\' "now()"] foreach t [list erase sensorname src_ip src_port dst_ip dst_port ip_proto signature status] { Index: update_sguildb_v13-v14.sql =================================================================== RCS file: /cvsroot/sguil/sguil/server/sql_scripts/Attic/update_sguildb_v13-v14.sql,v retrieving revision 1.1.2.2 retrieving revision 1.1.2.3 diff -C2 -d -r1.1.2.2 -r1.1.2.3 *** update_sguildb_v13-v14.sql 29 Nov 2012 02:39:00 -0000 1.1.2.2 --- update_sguildb_v13-v14.sql 29 Nov 2012 04:28:28 -0000 1.1.2.3 *************** *** 12,15 **** --- 12,17 ---- status SMALLINT UNSIGNED NOT NULL, active ENUM('Y','N') DEFAULT 'Y', + timestamp DATETIME NOT NULL, + uid INT UNSIGNED NOT NULL, PRIMARY KEY (autoid) ) ENGINE = MYISAM; Index: create_sguildb.sql =================================================================== RCS file: /cvsroot/sguil/sguil/server/sql_scripts/create_sguildb.sql,v retrieving revision 1.21.2.2 retrieving revision 1.21.2.3 diff -C2 -d -r1.21.2.2 -r1.21.2.3 *** create_sguildb.sql 29 Nov 2012 02:39:00 -0000 1.21.2.2 --- create_sguildb.sql 29 Nov 2012 04:28:28 -0000 1.21.2.3 *************** *** 166,169 **** --- 166,171 ---- status SMALLINT UNSIGNED NOT NULL, active ENUM('Y','N') DEFAULT 'Y', + timestamp DATETIME NOT NULL, + uid INT UNSIGNED NOT NULL, PRIMARY KEY (autoid) ) ENGINE = MYISAM; |
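Review bot: `SELECT uid FROM user_info WHERE username='$user'` splices the `--user` argument, or the value read from stdin, straight into the query, and the 159,164 hunk continues the pattern by seeding `VALUES` with `\'$uid\'` and no escaping. Any value containing a single quote changes the statement rather than the data, so the import runs whatever the rule file or command line says with the database credentials it was given. Running each value through `mysqlescape` from the mysqltcl package the script already loads, e.g. `set user [mysqlescape $dbSocketID $user]`, before quoting it closes that; the `\'$v\'` quoting of the autocat.conf fields in the loop that follows is outside the hunk but needs the same treatment.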
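Review bot: The two new columns are added inside `CREATE TABLE IF NOT EXISTS \`autocat\``, so a database that already ran the earlier revision of this upgrade script keeps an autocat table without `timestamp` and `uid` while its version row already reads 0.14, and the loader and autocat2mysql.tcl then hit missing columns. An explicit `ALTER TABLE autocat ADD COLUMN timestamp DATETIME NOT NULL, ADD COLUMN uid INT UNSIGNED NOT NULL;` for that case, or at least a comment in the script saying it must not be re-run on a table created by the previous revision, would cover installs that upgraded between the two revisions.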
From: Bamm V. <ba...@us...> - 2012-11-29 03:50:10
Update of /cvsroot/sguil/sguil/server/sql_scripts In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv25115 Added Files: Tag: sguil_0_8 autocat2mysql.tcl Log Message: Script imports autocat.conf files into the DB. --- NEW FILE: autocat2mysql.tcl --- #!/bin/sh # Run tcl from users PATH \ exec tclsh "$0" "$@" # $Id: autocat2mysql.tcl,v 1.1.2.1 2012/11/29 03:50:07 bamm Exp $ # # Default vars set DBHOST localhost set DBPORT 3306 set DBUSER root set DBNAME sguildb set DB_VERSION "0.14" proc DisplayUsage { cmd } { puts "Usage: $cmd \[--dbuser <username>\] \[--dbhost <hostname>\]\ \[--dbport <port>\] \[--dbname <dbname>\]\ --file </path/to/autocat.conf>" exit } proc FlatDBQuery { dbSocketID query } { set queryResults [mysqlsel $dbSocketID $query -flatlist] return $queryResults } # Load mysql support. if [catch {package require mysqltcl} mysqltclVersion] { puts "ERROR: The mysqltcl extension does NOT appear to be installed on this sysem." puts "Download it at http://www.xdobry.de/mysqltcl/" exit } # Load extended tcl if [catch {package require Tclx} tclxVersion] { puts "ERROR: The tclx extension does NOT appear to be installed on this sysem." puts "Extended tcl (tclx) is available as a port/package for most linux and BSD systems." exit } # Get db stuff set STATE flag foreach arg $argv { switch -- $STATE { flag { switch -glob -- $arg { --dbuser { set STATE dbuser } --dbhost { set STATE dbhost } --dbport { set STATE dbport } --dbname { set STATE dbname } --file { set STATE fileName } default { DisplayUsage $argv0 } } } dbuser { set DBUSER $arg; set STATE flag } dbhost { set DBHOST $arg; set STATE flag } dbport { set DBPORT $arg; set STATE flag } dbname { set DBNAME $arg; set STATE flag } fileName { set fileName $arg; set STATE flag } default { DisplayUsage $argv0 } } } if { ![info exists fileName] || ![file exists $fileName] } { puts "Error opening autocat file." DisplayUsage } puts "Use this script at your own risk. 
Be sure to back" puts "up your data before proceeding!!" puts -nonewline "Do you want to continue? (y/N) " flush stdout set ans [gets stdin] if { $ans != "Y" && $ans != "y" } { puts "You answered no. Goodbye" exit } # Get the DB pass puts -nonewline "Database password: " flush stdout exec stty -echo set DBPASS [gets stdin] exec stty echo puts "" if { $DBPASS == "" } { set dbConnectCmd "-host $DBHOST -user $DBUSER -port $DBPORT" } else { set dbConnectCmd "-host $DBHOST -user $DBUSER -port $DBPORT -password $DBPASS" } puts -nonewline "Connecting to database..." flush stdout # Connect to mysqld if [catch {eval mysqlconnect $dbConnectCmd} dbSocketID] { puts "ERROR: Unable to connect to $DBHOST on $DBPORT: Make sure mysql is running." puts "$dbSocketID" exit } puts "Success" # See if the DB we want to use exists if { [catch {mysqluse $dbSocketID $DBNAME} noDBError] } { puts "Error: $noDBError" exit } # Make sure we have a compatible DB version set currentDBVer [FlatDBQuery $dbSocketID "SELECT version FROM version"] puts "SguilDB Version: $currentDBVer" if { [lsearch $DB_VERSION $currentDBVer] < 0 } { puts "ERROR: Incompatable DB schema. Required Version: $DB_VERSION \ Installed Version: $currentDBVer Check the server/sql_scripts directory of \ the src that came with sguild for scripts to help you upgrade" exit } for_file line $fileName { set tmpLine $line if ![regexp ^# $line] { puts "Processing line: $line" set TABLES "" set VALUES "" foreach t [list erase sensorname src_ip src_port dst_ip dst_port ip_proto signature status] { set v [ctoken line "||"] if { $v != "none" && $v != "NONE" && $v != "any" && $v != "ANY" } { lappend TABLES $t lappend VALUES \'$v\' } } set q "INSERT INTO autocat ([join $TABLES ,]) VALUES ([join $VALUES ,])" puts "Inserting autocat rule to the DB: $q" if { [catch {mysqlexec $dbSocketID $q} tmpError] } { puts "Error: Failed to add $tmpLine to the DB.\n$tmpError" } } } |
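Review bot: `DisplayUsage` is declared as `proc DisplayUsage { cmd }` but the file-existence check calls it with no argument (`puts "Error opening autocat file." DisplayUsage`), so a missing or wrong `--file` ends in a Tcl wrong-number-of-arguments error instead of the usage text; it should be `DisplayUsage $argv0` like the other call sites. The insert built from each autocat.conf line quotes every field as `\'$v\'` without escaping, so a rule containing a single quote alters the statement rather than the stored value; `mysqlescape`, provided by the mysqltcl package the script already requires, should be applied to `$v` before it is quoted. `exec stty -echo` is also not paired with a `catch`, so a failure between the two stty calls leaves the terminal with echo disabled.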
From: Bamm V. <ba...@us...> - 2012-11-29 02:39:53
Update of /cvsroot/sguil/sguil/server/lib In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv16189/lib Modified Files: Tag: sguil_0_8 SguildAutoCat.tcl Log Message: Removed DEBUG #### messages. Index: SguildAutoCat.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildAutoCat.tcl,v retrieving revision 1.5.6.2 retrieving revision 1.5.6.3 diff -C2 -d -r1.5.6.2 -r1.5.6.3 *** SguildAutoCat.tcl 29 Nov 2012 02:38:59 -0000 1.5.6.2 --- SguildAutoCat.tcl 29 Nov 2012 02:39:51 -0000 1.5.6.3 *************** *** 71,76 **** foreach dIndex [list 3 8 11 9 12 10 7] { - puts "DEBUG #### $dIndex -> $i" - # Next field in the rule set tmpVar [lindex $rList $i ] --- 71,74 ---- *************** *** 82,87 **** if { $dIndex == "7" } { - puts "DEBUG #### sig -> $tmpVar" - if [regsub "^%%REGEXP%%" $tmpVar "" regVar] { --- 80,83 ---- *************** *** 109,113 **** LogMessage "Bad IP address in autocat rule $rid dropping rule" if { [info exists acRules($rid)] } { unset acRules($rid) } - puts "DEBUG #### FAIL" return --- 105,108 ---- *************** *** 130,135 **** set acCat($rid) [lindex $rList $i] - puts "DEBUG #### $acCat($rid) -> $acRules($rid)" - } --- 125,128 ---- |
From: Bamm V. <ba...@us...> - 2012-11-29 02:39:02
Update of /cvsroot/sguil/sguil/server/lib
In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv16129/lib
Modified Files:
Tag: sguil_0_8
SguildAutoCat.tcl
Log Message:
Added column "active" to status table. Only active=Y autocat rules are loaded.
Index: SguildAutoCat.tcl
===================================================================
RCS file: /cvsroot/sguil/sguil/server/lib/SguildAutoCat.tcl,v
retrieving revision 1.5.6.1
retrieving revision 1.5.6.2
diff -C2 -d -r1.5.6.1 -r1.5.6.2
*** SguildAutoCat.tcl 29 Nov 2012 02:02:25 -0000 1.5.6.1
--- SguildAutoCat.tcl 29 Nov 2012 02:38:59 -0000 1.5.6.2
***************
*** 23,27 ****
  autoid, erase, sensorname, INET_NTOA(src_ip), src_port, \
  INET_NTOA(dst_ip), dst_port, ip_proto, signature, status \
! FROM autocat"
  foreach line [MysqlSelect $aquery list] {
--- 23,28 ----
  autoid, erase, sensorname, INET_NTOA(src_ip), src_port, \
  INET_NTOA(dst_ip), dst_port, ip_proto, signature, status \
! FROM autocat \
! WHERE active='Y'"
  foreach line [MysqlSelect $aquery list] {
|
From: Bamm V. <ba...@us...> - 2012-11-29 02:02:28
Update of /cvsroot/sguil/sguil/server/sql_scripts In directory sfp-cvs-1.v30.ch3.sourceforge.com:/tmp/cvs-serv13304/sql_scripts Modified Files: Tag: sguil_0_8 create_sguildb.sql Added Files: Tag: sguil_0_8 update_sguildb_v13-v14.sql Log Message: Moved autocat rules the DB. --- NEW FILE: update_sguildb_v13-v14.sql --- CREATE TABLE IF NOT EXISTS `autocat` ( autoid INT UNSIGNED NOT NULL AUTO_INCREMENT, erase DATETIME, sensorname VARCHAR(255), src_ip INT UNSIGNED, src_port INT UNSIGNED, dst_ip INT UNSIGNED, dst_port INT UNSIGNED, ip_proto TINYINT UNSIGNED, signature VARCHAR(255), status SMALLINT UNSIGNED NOT NULL, PRIMARY KEY (autoid) ) ENGINE = MYISAM; UPDATE version SET version="0.14", installed = now(); Index: create_sguildb.sql =================================================================== RCS file: /cvsroot/sguil/sguil/server/sql_scripts/create_sguildb.sql,v retrieving revision 1.21 retrieving revision 1.21.2.1 diff -C2 -d -r1.21 -r1.21.2.1 *** create_sguildb.sql 15 Sep 2010 23:39:49 -0000 1.21 --- create_sguildb.sql 29 Nov 2012 02:02:25 -0000 1.21.2.1 *************** *** 108,112 **** PRIMARY KEY (sid), INDEX hostname_idx (hostname) ! ); CREATE TABLE portscan --- 108,112 ---- PRIMARY KEY (sid), INDEX hostname_idx (hostname) ! ) ENGINE = MYISAM; CREATE TABLE portscan *************** *** 120,124 **** data TEXT, INDEX ps_src_ip (src_ip), ! INDEX ps_timestamp (timestamp)); -- Depreciated --- 120,124 ---- data TEXT, INDEX ps_src_ip (src_ip), ! INDEX ps_timestamp (timestamp)) ENGINE = MYISAM; -- Depreciated *************** *** 151,155 **** long_desc VARCHAR(255), PRIMARY KEY (status_id) ! ); CREATE TABLE history --- 151,170 ---- long_desc VARCHAR(255), PRIMARY KEY (status_id) ! ) ENGINE = MYISAM; ! ! CREATE TABLE autocat ! ( ! autoid INT UNSIGNED NOT NULL AUTO_INCREMENT, ! erase DATETIME, ! sensorname VARCHAR(255), ! src_ip INT UNSIGNED, ! src_port INT UNSIGNED, ! dst_ip INT UNSIGNED, ! dst_port INT UNSIGNED, ! ip_proto TINYINT UNSIGNED, ! signature VARCHAR(255), ! 
status SMALLINT UNSIGNED NOT NULL, ! PRIMARY KEY (autoid) ! ) ENGINE = MYISAM; CREATE TABLE history *************** *** 162,166 **** comment VARCHAR(255), INDEX log_time (timestamp) ! ); CREATE TABLE user_info --- 177,181 ---- comment VARCHAR(255), INDEX log_time (timestamp) ! ) ENGINE = MYISAM; CREATE TABLE user_info *************** *** 171,175 **** password VARCHAR(42), PRIMARY KEY (uid) ! ); CREATE TABLE nessus_data --- 186,190 ---- password VARCHAR(42), PRIMARY KEY (uid) ! ) ENGINE = MYISAM; CREATE TABLE nessus_data *************** *** 180,184 **** level VARCHAR(20), description TEXT, ! INDEX rid (rid)); CREATE TABLE nessus --- 195,199 ---- level VARCHAR(20), description TEXT, ! INDEX rid (rid)) ENGINE = MYISAM; CREATE TABLE nessus *************** *** 190,194 **** timeend DATETIME, PRIMARY KEY (rid), ! INDEX ip (ip)); CREATE TABLE IF NOT EXISTS `pads` --- 205,209 ---- timeend DATETIME, PRIMARY KEY (rid), ! INDEX ip (ip)) ENGINE = MYISAM; CREATE TABLE IF NOT EXISTS `pads` *************** *** 205,209 **** hex_payload VARCHAR(255), PRIMARY KEY (sid,asset_id) ! ); -- --- 220,224 ---- hex_payload VARCHAR(255), PRIMARY KEY (sid,asset_id) ! ) ENGINE = MYISAM; -- *************** *** 252,257 **** version VARCHAR(32), installed DATETIME ! ); ! INSERT INTO version (version, installed) VALUES ("0.13", now()); --- 267,272 ---- version VARCHAR(32), installed DATETIME ! ) ENGINE = MYISAM; ! INSERT INTO version (version, installed) VALUES ("0.14", now()); |
From: Bamm V. <ba...@us...> - 2012-11-26 04:33:32
Update of /cvsroot/sguil/sguil/server/lib
In directory vz-cvs-3.sog:/tmp/cvs-serv11505
Modified Files:
Tag: sguil_0_8
SguildClientCmdRcvd.tcl
Log Message:
Removed index parsing of userMsg in UserMsgRcvd to fix first word bug.
Index: SguildClientCmdRcvd.tcl
===================================================================
RCS file: /cvsroot/sguil/sguil/server/lib/SguildClientCmdRcvd.tcl,v
retrieving revision 1.48
retrieving revision 1.48.2.1
diff -C2 -d -r1.48 -r1.48.2.1
*** SguildClientCmdRcvd.tcl 17 Mar 2011 02:39:29 -0000 1.48
--- SguildClientCmdRcvd.tcl 26 Nov 2012 04:33:29 -0000 1.48.2.1
***************
*** 163,167 ****
  global socketInfo clientList
! set userMsg [lindex $userMsg 0]
  # Simple command stuff.
--- 163,167 ----
  global socketInfo clientList
! #set userMsg [lindex $userMsg 0]
  # Simple command stuff.
|
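Review bot: The disabled `set userMsg [lindex $userMsg 0]` is kept as a comment instead of being deleted; the log message already records why it went, and commented-out code tends to be resurrected. Remove the line, or if the history matters replace it with `# userMsg is the whole message list; taking only its first element dropped everything after the first word`. UserMsgRcvd's body continues outside the hunk.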
From: Bamm V. <ba...@us...> - 2012-03-19 21:28:20
Update of /cvsroot/sguil/sguil/contrib In directory vz-cvs-3.sog:/tmp/cvs-serv7449 Modified Files: quickscript.tcl Log Message: Made 0.8.0 compatible. Index: quickscript.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/contrib/quickscript.tcl,v retrieving revision 1.3 retrieving revision 1.4 diff -C2 -d -r1.3 -r1.4 *** quickscript.tcl 2 Apr 2008 16:33:52 -0000 1.3 --- quickscript.tcl 19 Mar 2012 21:28:17 -0000 1.4 *************** *** 16,20 **** ########################## GLOBALS ################################## ! set VERSION "SGUIL-0.7.0 OPENSSL ENABLED" set SERVER localhost --- 16,20 ---- ########################## GLOBALS ################################## ! set VERSION "SGUIL-0.8.0 OPENSSL ENABLED" set SERVER localhost *************** *** 171,175 **** # Send the server our version info ! SendToSguild $socketID "VersionInfo $VERSION" # SSL-ify the socket --- 171,175 ---- # Send the server our version info ! SendToSguild $socketID [list VersionInfo $VERSION] # SSL-ify the socket |
From: Bamm V. <ba...@us...> - 2012-03-19 21:13:32
Update of /cvsroot/sguil/sguil/server/lib
In directory vz-cvs-3.sog:/tmp/cvs-serv5941
Modified Files:
SguildConnect.tcl
Log Message:
Removed duplicate close client socket in ClientVersionCheck.
Index: SguildConnect.tcl
===================================================================
RCS file: /cvsroot/sguil/sguil/server/lib/SguildConnect.tcl,v
retrieving revision 1.26
retrieving revision 1.27
diff -C2 -d -r1.26 -r1.27
*** SguildConnect.tcl 29 May 2011 15:41:16 -0000 1.26
--- SguildConnect.tcl 19 Mar 2012 21:13:29 -0000 1.27
***************
*** 75,79 ****
  LogMessage "CLIENT VERSION: $clientVersion"
  LogMessage "SERVER VERSION: $VERSION"
- close $socketID
  ClientExitClose $socketID
  return
--- 75,78 ----
|
From: Bamm V. <ba...@us...> - 2011-06-29 03:07:28
Update of /cvsroot/sguil/sguil/client/lib
In directory vz-cvs-3.sog:/tmp/cvs-serv7524/lib
Modified Files:
extdata.tcl
Log Message:
Change saved pcap filenames from : to _.
Index: extdata.tcl
===================================================================
RCS file: /cvsroot/sguil/sguil/client/lib/extdata.tcl,v
retrieving revision 1.69
retrieving revision 1.70
diff -C2 -d -r1.69 -r1.70
*** extdata.tcl 9 Mar 2011 05:00:05 -0000 1.69
--- extdata.tcl 29 Jun 2011 03:07:26 -0000 1.70
***************
*** 631,634 ****
--- 631,637 ----
  global WIRESHARK_STORE_DIR WIRESHARK_PATH
+ # Windows doesn't like colons
+ regsub -all {:} [file tail $fileName] {_} fileName
+ set fileName $WIRESHARK_STORE_DIR/$fileName
  if { [catch {open $fileName w} outfileID] } {
|
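Review bot: The new comment explains only the colon replacement, while the `[file tail $fileName]` on the same line is the part that matters for safety: it drops any directory component, so whatever name was passed in, the saved file lands inside `$WIRESHARK_STORE_DIR`. That is worth stating so nobody later "simplifies" it away, e.g. `# file tail keeps just the basename so the path stays under WIRESHARK_STORE_DIR; Windows also doesn't like colons`. `[file join $WIRESHARK_STORE_DIR $fileName]` would also build the path portably instead of `$WIRESHARK_STORE_DIR/$fileName`. The enclosing proc starts outside the hunk.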
From: Bamm V. <ba...@us...> - 2011-05-29 15:41:18
Update of /cvsroot/sguil/sguil/server In directory vz-cvs-3.sog:/tmp/cvs-serv26559 Modified Files: sguild Log Message: Log agent connections to file. Index: sguild =================================================================== RCS file: /cvsroot/sguil/sguil/server/sguild,v retrieving revision 1.192 retrieving revision 1.193 diff -C2 -d -r1.192 -r1.193 *** sguild 29 May 2011 15:17:32 -0000 1.192 --- sguild 29 May 2011 15:41:16 -0000 1.193 *************** *** 244,250 **** --- 244,261 ---- catch {close $CLIENT_LOG} + # Create agent access log + set AGENT_LOG "$LOG_PATH/agent.log" + if { [catch {open $AGENT_LOG a} createError] } { + + puts "ERROR: Unable to create $AGENT_LOG : $createError" + CleanExit 1 + + } + catch {close $AGENT_LOG} + # Change perms if { [info exists USER] } { + # User log if { [catch {chown $USER $CLIENT_LOG} tmpError] } { *************** *** 254,260 **** --- 265,281 ---- } + # Agent log + if { [catch {chown $USER $AGENT_LOG} tmpError] } { + + puts "ERROR: Unable change owner to $USER for $AGENT_LOG : $tmpError" + CleanExit 1 + + } + } + if { [info exists GROUP] } { + # User log if { [catch {chgrp $GROUP $CLIENT_LOG} tmpError] } { *************** *** 264,267 **** --- 285,296 ---- } + # Agent log + if { [catch {chgrp $GROUP $AGENT_LOG} tmpError] } { + + puts "ERROR: Unable change group to $USER for $AGENT_LOG : $tmpError" + CleanExit 1 + + } + } |
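Review bot: The chgrp error message in the last hunk reports the wrong variable: `puts "ERROR: Unable change group to $USER for $AGENT_LOG : $tmpError"` names the user where the group was being set, so it should read `puts "ERROR: Unable change group to $GROUP for $AGENT_LOG : $tmpError"`. The matching message for `$CLIENT_LOG` sits just above in lines the hunk does not show and may carry the same slip. Since this block runs before the privilege drop added earlier in this file, `open $AGENT_LOG a` creates the log under the starting account's umask; `open $AGENT_LOG {WRONLY CREAT APPEND} 0640` would pin the mode so the agent log is not left world-readable.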
From: Bamm V. <ba...@us...> - 2011-05-29 15:17:34
Update of /cvsroot/sguil/sguil/server/lib In directory vz-cvs-3.sog:/tmp/cvs-serv23561/lib Modified Files: SguildUtils.tcl Log Message: Arg -L to define sguild log path. Index: SguildUtils.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildUtils.tcl,v retrieving revision 1.14 retrieving revision 1.15 diff -C2 -d -r1.14 -r1.15 *** SguildUtils.tcl 9 Mar 2011 04:59:12 -0000 1.14 --- SguildUtils.tcl 29 May 2011 15:17:32 -0000 1.15 *************** *** 282,286 **** Syslog $msg err } else { ! puts $msg } CleanExit 1 --- 282,286 ---- Syslog $msg err } else { ! puts "[GetCurrentTimeStamp] $msg" } CleanExit 1 *************** *** 296,300 **** Syslog $msg info } else { ! puts "pid([pid]) $msg" } } --- 296,300 ---- Syslog $msg info } else { ! puts "[GetCurrentTimeStamp] pid([pid]) $msg" } } *************** *** 310,314 **** Syslog $msg notice } else { ! puts "pid([pid]) $msg" } } --- 310,314 ---- Syslog $msg notice } else { ! puts "[GetCurrentTimeStamp] pid([pid]) $msg" } } |
From: Bamm V. <ba...@us...> - 2011-03-17 02:39:31
Update of /cvsroot/sguil/sguil/server/lib In directory vz-cvs-3.sog:/tmp/cvs-serv22206/lib Modified Files: SguildAccess.tcl SguildClientCmdRcvd.tcl Log Message: Added user logging to /var/log/sguild/user.log. Index: SguildAccess.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildAccess.tcl,v retrieving revision 1.10 retrieving revision 1.11 diff -C2 -d -r1.10 -r1.11 *** SguildAccess.tcl 17 Feb 2011 04:26:20 -0000 1.10 --- SguildAccess.tcl 17 Mar 2011 02:39:29 -0000 1.11 *************** *** 313,316 **** --- 313,333 ---- } + proc LogClientAccess { message } { + + global CLIENT_LOG + + if { [catch {open $CLIENT_LOG a} fileID] } { + + puts "ERROR: Unable to log access -> $message" + puts "ERROR: $fileID" + return + + } + + puts $fileID $message + catch {close $fileID} + + } + proc ValidateUser { socketID username password } { *************** *** 330,333 **** --- 347,353 ---- "UPDATE user_info SET last_login='[GetCurrentTimeStamp]' WHERE uid=$userIDArray($socketID)" + # Log the access + LogClientAccess "[GetCurrentTimeStamp]: $socketID - $username logged in from $socketInfo($socketID)" + # Mark the socket as valid lappend validSockets $socketID Index: SguildClientCmdRcvd.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildClientCmdRcvd.tcl,v retrieving revision 1.47 retrieving revision 1.48 diff -C2 -d -r1.47 -r1.48 *** SguildClientCmdRcvd.tcl 9 Mar 2011 04:59:12 -0000 1.47 --- SguildClientCmdRcvd.tcl 17 Mar 2011 02:39:29 -0000 1.48 *************** *** 134,137 **** --- 134,139 ---- set userName [lindex $socketInfo($socketID) 2] + LogClientAccess "[GetCurrentTimeStamp]: $socketID - $userName logged out" + if { [info exists clientList] } { set clientList [ldelete $clientList $socketID] *************** *** 155,158 **** --- 157,161 ---- SendSystemInfoMsg sguild "User $tmpUserName has disconnected." } + } |
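Review bot: `LogClientAccess` is called only on the success path of `ValidateUser`, after the `last_login` update; if the failure branch, which lies outside the hunk, does not also log, user.log records logins and logouts but not rejected attempts, which is the event an access log is most needed for. A line such as `LogClientAccess "[GetCurrentTimeStamp]: $socketID - $username login FAILED from $socketInfo($socketID)"` in that branch would close the gap. On an open failure `LogClientAccess` itself reports with `puts` rather than `LogMessage`, so the error is lost whenever stdout is not captured.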
From: Bamm V. <ba...@us...> - 2011-03-16 23:31:29
Update of /cvsroot/sguil/sguil/server In directory vz-cvs-3.sog:/tmp/cvs-serv28000 Modified Files: sguild sguild.conf Log Message: Added set uid and group id Index: sguild =================================================================== RCS file: /cvsroot/sguil/sguil/server/sguild,v retrieving revision 1.189 retrieving revision 1.190 diff -C2 -d -r1.189 -r1.190 *** sguild 17 Feb 2011 04:26:20 -0000 1.189 --- sguild 16 Mar 2011 23:31:26 -0000 1.190 *************** *** 190,193 **** --- 190,196 ---- -l { set state sguild_lib } -d { set state debug_level } + -U { set state user } + -G { set state group } + -L { set state log_dir } -adduser { set state adduser } -changepasswd { set state changepasswd } *************** *** 206,213 **** --- 209,225 ---- accessfile { set ACCESS_FILE $arg; set state flag } debug_level { set DEBUG_OVERRIDE 1; set DEBUG_LEVEL $arg; set DEBUG $arg; set state flag } + user { set USER $arg; set state flag } + group { set GROUP $arg; set state flag } + log_dir { set LOG_DIR $arg; set state flag } default { DisplayUsage $argv0 } } } + ################################## + + # Do all priv account actions here. + # Open log files/etc. Privs will be dropped after. 
+ + # OpenSSL is a requirement set VERSION "$VERSION OPENSSL ENABLED" *************** *** 296,299 **** --- 308,340 ---- } + ################################## + # Drop privs + + # Group first + if { [info exists GROUP] } { + + if { [catch {id group $GROUP} tmpError] } { + + # Failed + puts "ERROR: Unable to change group privs to $GROUP : $tmpError" + CleanExit 1 + + } + + } + + # Then user + if { [info exists USER] } { + + if { [catch {id user $USER} tmpError] } { + + # Failed + puts "ERROR: Unable to change user privs to $USER : $tmpError" + CleanExit 1 + + } + + } + # Set sensor aggregation to 1 if not specified if { ![info exists SENSOR_AGGREGATION_ON] } { set SENSOR_AGGREGATION_ON 1 } Index: sguild.conf =================================================================== RCS file: /cvsroot/sguil/sguil/server/sguild.conf,v retrieving revision 1.29 retrieving revision 1.30 diff -C2 -d -r1.29 -r1.30 *** sguild.conf 2 Jun 2006 20:40:57 -0000 1.29 --- sguild.conf 16 Mar 2011 23:31:26 -0000 1.30 *************** *** 1,4 **** --- 1,8 ---- # $Id$ # + # Set user and group to run as. + #set USER sguil + #set GROUP sguil + # Path the sguild libs set SGUILD_LIB_PATH ./lib |
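Review bot: The privilege drop switches the primary group and user with Tclx `id group`/`id user` but, as far as I can tell, nothing clears the supplementary group list inherited from the account that started sguild, so when it is launched as root those extra memberships survive the switch. Verifying the result afterwards, e.g. refusing to continue if `[id userid]` still reports 0 when USER was requested, would turn a silent partial drop into a hard failure. `-L` stores its argument in LOG_DIR, but nothing in these hunks consumes it yet, so a comment on where it is read would help.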
From: Bamm V. <ba...@us...> - 2011-03-16 22:00:32
Update of /cvsroot/sguil/sguil/server/lib In directory vz-cvs-3.sog:/tmp/cvs-serv31898 Modified Files: SguildSensorAgentComms.tcl SguildSensorCmdRcvd.tcl Log Message: Fixed close/wait bug Index: SguildSensorCmdRcvd.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildSensorCmdRcvd.tcl,v retrieving revision 1.30 retrieving revision 1.31 diff -C2 -d -r1.30 -r1.31 *** SguildSensorCmdRcvd.tcl 10 Mar 2011 22:03:33 -0000 1.30 --- SguildSensorCmdRcvd.tcl 16 Mar 2011 22:00:30 -0000 1.31 *************** *** 75,82 **** proc BinCopyFinished { socketID outFileID outFile callback bytes {error {}} } { ! if { $error != "" } { LogMessage "Error during background copy: $error" } catch {close $outFileID} ! CleanUpDisconnectedAgent $socketID # Callback is what we do after the copy is finished. --- 75,90 ---- proc BinCopyFinished { socketID outFileID outFile callback bytes {error {}} } { ! global validSensorSockets ! ! # Remove the agent socket from the valid (registered) list. ! if [info exists validSensorSockets] { ! set validSensorSockets [ldelete $validSensorSockets $socketID] ! } catch {close $outFileID} ! catch {close $socketID} ! ! if { $error != "" } { LogMessage "Error during background copy: $error" } ! # Callback is what we do after the copy is finished. Index: SguildSensorAgentComms.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildSensorAgentComms.tcl,v retrieving revision 1.31 retrieving revision 1.32 diff -C2 -d -r1.31 -r1.32 *** SguildSensorAgentComms.tcl 18 Feb 2011 23:30:55 -0000 1.31 --- SguildSensorAgentComms.tcl 16 Mar 2011 22:00:30 -0000 1.32 *************** *** 13,28 **** lappend validSensorSockets $socketID ! if { $type != "data" } { ! ! set sensorID [GetSensorID $sensorName $type $netName] ! set maxCid [GetMaxCid $sensorID] ! # Send agent id to the agent ! 
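Review bot: When fcopy reports an error, the new `BinCopyFinished` logs it, leaves `$outFile` in place and, going by the comment that closes the hunk, still runs the callback, so a truncated pcap or sancp file is handed on as if the transfer had completed. Treating the error as terminal, `if { $error != "" } { LogMessage "Error during background copy: $error"; catch {file delete $outFile}; return }`, keeps a partial file from being consumed. The callback invocation itself is outside the hunk, and the `bytes` argument is accepted but not used.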
SendSensorAgent $socketID [list AgentInfo $sensorName $type $netName $sensorID $maxCid] ! # Sid NetName Map ! set sidNetNameMap($sensorID) $netName ! } # SensorName to SocketID mapping --- 13,27 ---- lappend validSensorSockets $socketID ! # Data cnx stop here ! if { $type == "data" } { return } ! set sensorID [GetSensorID $sensorName $type $netName] ! set maxCid [GetMaxCid $sensorID] ! # Send agent id to the agent ! SendSensorAgent $socketID [list AgentInfo $sensorName $type $netName $sensorID $maxCid] ! # Sid NetName Map ! set sidNetNameMap($sensorID) $netName # SensorName to SocketID mapping *************** *** 41,46 **** } - # Data cnx stop here - if { $type == "data" } { return } set agentSocketInfo($socketID) [list $sensorID $sensorName $netName $type] --- 40,43 ---- |
From: Bamm V. <ba...@us...> - 2011-03-10 22:03:35
Update of /cvsroot/sguil/sguil/server/lib In directory vz-cvs-3.sog:/tmp/cvs-serv29881/server/lib Modified Files: SguildSensorCmdRcvd.tcl SguildTranscript.tcl Log Message: Fix for too many openfiles sancp and pcap bug. fileevent. Index: SguildTranscript.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildTranscript.tcl,v retrieving revision 1.20 retrieving revision 1.21 diff -C2 -d -r1.20 -r1.21 *** SguildTranscript.tcl 9 Mar 2011 04:59:12 -0000 1.20 --- SguildTranscript.tcl 10 Mar 2011 22:03:33 -0000 1.21 *************** *** 271,274 **** --- 271,276 ---- } + puts "DEBUG #### callback -> $callback" + RcvBinCopy $socketID $outfile $bytes $callback Index: SguildSensorCmdRcvd.tcl =================================================================== RCS file: /cvsroot/sguil/sguil/server/lib/SguildSensorCmdRcvd.tcl,v retrieving revision 1.29 retrieving revision 1.30 diff -C2 -d -r1.29 -r1.30 *** SguildSensorCmdRcvd.tcl 17 Feb 2011 03:53:00 -0000 1.29 --- SguildSensorCmdRcvd.tcl 10 Mar 2011 22:03:33 -0000 1.30 *************** *** 3,9 **** proc SensorCmdRcvd { socketID } { global agentSensorNameArray validSensorSockets ! if { [eof $socketID] || [catch {gets $socketID data}] } { # Socket closed catch { close $socketID } closeError InfoMessage "Socket $socketID closed" if { [info exists agentSensorNameArray($socketID)] } { --- 3,10 ---- proc SensorCmdRcvd { socketID } { global agentSensorNameArray validSensorSockets ! 
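Review bot: `puts "DEBUG #### callback -> $callback"` is a leftover debugging print: it writes to stdout instead of going through LogMessage/InfoMessage like the rest of the server, so it bypasses the normal logging path and echoes the callback string on every pcap transfer. Either drop it or make it `InfoMessage "RcvBinCopy callback: $callback"` so it follows the same path as other messages. The enclosing proc starts outside the hunk.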
if { [eof $socketID] || [catch {gets $socketID data} getsError] } { # Socket closed catch { close $socketID } closeError + if { [info exists getsError] } { LogMessage "Error from $socketID: $getsError" } InfoMessage "Socket $socketID closed" if { [info exists agentSensorNameArray($socketID)] } { *************** *** 57,72 **** proc RcvBinCopy { socketID outFile bytes {callback {}} } { set outFileID [open $outFile w] - fconfigure $outFileID -translation binary - fconfigure $socketID -translation binary ! fcopy $socketID $outFileID -command [list BinCopyFinished $socketID $outFileID $outFile $callback] } ! proc BinCopyFinished { socketID outFileID outFile {callback {}} {error {}} } { catch {close $outFileID} CleanUpDisconnectedAgent $socketID if { $callback != ""} { eval $callback } --- 58,84 ---- proc RcvBinCopy { socketID outFile bytes {callback {}} } { + # Turn off the fileevent handler + fileevent $socketID readable {} + + # Open the output file for writing set outFileID [open $outFile w] ! # Binary transfer ! fconfigure $outFileID -translation binary -encoding binary ! fconfigure $socketID -translation binary -encoding binary ! ! # Copy in the background ! fcopy $socketID $outFileID -size $bytes -command [list BinCopyFinished $socketID $outFileID $outFile $callback] } ! proc BinCopyFinished { socketID outFileID outFile callback bytes {error {}} } { ! ! if { $error != "" } { LogMessage "Error during background copy: $error" } catch {close $outFileID} CleanUpDisconnectedAgent $socketID + + # Callback is what we do after the copy is finished. if { $callback != ""} { eval $callback } |
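Review bot: `set outFileID [open $outFile w]` runs right after the readable handler on `$socketID` has been cleared, so if the open fails (permissions, full disk, missing directory) the error propagates out of the caller and the agent socket is left with no handler and no close while the bytes the agent is about to send are never drained. Guard it: `if { [catch {open $outFile w} outFileID] } { LogMessage "Error opening $outFile: $outFileID"; catch {close $socketID}; return }`. With the copy now bounded by `-size $bytes`, presumably a count taken from the agent's message, a short or wrong count either leaves fcopy waiting or truncates the file; a sanity check on `$bytes` before starting would make that failure visible.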
From: Bamm V. <ba...@us...> - 2011-03-09 05:00:07
Update of /cvsroot/sguil/sguil/client
In directory vz-cvs-3.sog:/tmp/cvs-serv22313
Modified Files:
sguil.tk
Log Message:
Added pcap data transfer channel for client and server.
Index: sguil.tk
===================================================================
RCS file: /cvsroot/sguil/sguil/client/sguil.tk,v
retrieving revision 1.262
retrieving revision 1.263
diff -C2 -d -r1.262 -r1.263
*** sguil.tk 21 Feb 2011 22:48:36 -0000 1.262
--- sguil.tk 9 Mar 2011 05:00:04 -0000 1.263
***************
*** 207,210 ****
--- 207,211 ----
  WiresharkDataBase64 { $serverCmd [lindex $data 1] [lindex $data 2] }
  WiresharkDataPcap { $serverCmd $socketID [lindex $data 1] [lindex $data 2] }
+ PcapAvailable { $serverCmd $socketID [lindex $data 1] [lindex $data 2] }
  PassChange { $serverCmd [lindex $data 1] [lindex $data 2] }
  default { puts "Unrecognized command from $socketID: $data" }
|