From: Nigel H. <nho...@so...> - 2011-04-07 17:39:57
All,

A great deal of work has been going on with Razorback, if you have been watching the SVN commits on razorback-devel you will have seen all the nuggets being imported and included in the Razorback SVN repository. A detailed blog post on the recent shenanigans is here: http://vrt-blog.snort.org/2011/03/razorback-whats-going-on.html

Since we have moved the Nuggets into the main Razorback source, the Nugget Farm Devel and Users lists have become superfluous. We will be closing these lists in the near future. The Nugget Farm SVN, mailing list archives and project pages will remain for archival purposes, but will not be updated. All Nugget related issues will now be handled on the main Razorback mailing lists and project sites instead. At some point in the future, we may well open the Nugget Farm once more if it makes sense to do so.

Moving forward, if you want to keep up with Nugget and Razorback development and you are not subscribed to the mailing lists, please visit the following links to subscribe:

https://lists.sourceforge.net/lists/listinfo/razorbacktm-users
https://lists.sourceforge.net/lists/listinfo/razorbacktm-devel

The Razorback project Trac can be found here: http://sourceforge.net/apps/trac/razorbacktm/

Thanks.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-blog.snort.org/ && http://labs.snort.org/
From: <lin...@us...> - 2011-02-28 00:37:35
Revision: 42 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=42&view=rev Author: linuxgeek247 Date: 2011-02-28 00:37:29 +0000 (Mon, 28 Feb 2011) Log Message: ----------- Initial commit of yara detection nugget Added Paths: ----------- trunk/detection-nuggets/yara/ trunk/detection-nuggets/yara/Makefile trunk/detection-nuggets/yara/README.txt trunk/detection-nuggets/yara/yara.c Added: trunk/detection-nuggets/yara/Makefile =================================================================== --- trunk/detection-nuggets/yara/Makefile (rev 0) +++ trunk/detection-nuggets/yara/Makefile 2011-02-28 00:37:29 UTC (rev 42) @@ -0,0 +1,15 @@ +CC = gcc -ggdb +INCLUDES = `pkg-config --cflags razorback` +RZBLIBS = `pkg-config --libs razorback` + +LIBS = -lm -lyara +LIBS += $(RZBLIBS) + +all: yara + +yara: + $(CC) $(INCLUDES) $(LIBS) -Wall -fPIC -g -c yara.c + $(CC) $(INCLUDES) $(LIBS) -shared -Wall -o yara.so.1 yara.o -lc + +clean: + rm -f *.o *.so.1 Added: trunk/detection-nuggets/yara/README.txt =================================================================== --- trunk/detection-nuggets/yara/README.txt (rev 0) +++ trunk/detection-nuggets/yara/README.txt 2011-02-28 00:37:29 UTC (rev 42) 
@@ -0,0 +1,11 @@ +This detection uses libyara from the yara project. +http://code.google.com/p/yara-project/ + +Installation: + 1. Download and install the latest version of yara. + 2. Update RULE_PATH in yara.c to point to the directory holding your yara rules files. + 3. Make sure all other razorback requirements are installed. + 4. make + 5. Copy the yara.so.1 file to your razorback library directory with the rest of the nuggets. + (Default: /usr/local/lib/razorback) + 6. If everything compiled correctly, you should now be able to start the nugget handler (rzbNugget). Added: trunk/detection-nuggets/yara/yara.c =================================================================== --- trunk/detection-nuggets/yara/yara.c (rev 0) +++ trunk/detection-nuggets/yara/yara.c 2011-02-28 00:37:29 UTC (rev 42) 
@@ -0,0 +1,136 @@ +#include <stdio.h> +#include <string.h> +#include <dirent.h> +#include <yara.h> +#include <uuid/uuid.h> +#include <rzb_detection_api.h> +#include <arpa/inet.h> + +// Update RULE_PATH with the location of your custom rules +#define RULE_PATH "/tmp/rules" +#define MAX_RULE_PATH 1024 + +int detection_callback(RULE* rule, unsigned char* buffer, unsigned int buffer_size, void* data); +void yara_handler(BLOCK_META_DATA *metaData); +int load_rules(); +void report_error(const char* file_name, int line_number, const char* error_message); + +// The yara context that will hold all loaded files +YARA_CONTEXT *context = NULL; + +// Razorback detection +static const DetectionAPI *detection = NULL; + +// We just need to start the scan for detection and let the callback do the alerting +void yara_handler(BLOCK_META_DATA *metaData) { + yr_scan_mem(metaData->data, metaData->size, context, detection_callback, (void *)metaData); +} + +// Add all rule files in te RULE_PATH to the yara context +int load_rules() { + DIR *dp = NULL; + struct dirent *ep = NULL; + char rule_file_path[MAX_RULE_PATH]; + FILE *rule_file = NULL; + + if((dp = opendir(RULE_PATH)) == NULL) { + return -1; + } + + while((ep = readdir(dp))) { + + // Make sure we filter any rule files in the directory + if(strncmp(ep->d_name, ".", 1) && strncmp(ep->d_name, "..", 2)) { + snprintf(rule_file_path, MAX_RULE_PATH, "%s/%s", RULE_PATH, ep->d_name); + + if((rule_file = fopen(rule_file_path, "r")) == NULL) { + fprintf(stderr, "Error opening rule file: %s\n", rule_file_path); + } + + yr_push_file_name(context, rule_file_path); + + if(yr_compile_file(rule_file, context)) { + fprintf(stderr, "Error compiling rule file"); + } + } + } + + closedir(dp); + + return 0; +} + +// This call back is called once there is a successful detection +int detection_callback(RULE* rule, unsigned char* buffer, unsigned int buffer_size, void* data) { + ALERT alert; + char msg[MAX_MSG_SIZE]; + unsigned char tmp_md5[RZB_HASH_SIZE]; 
+ BLOCK_META_DATA *metaData = (BLOCK_META_DATA *)data; + + memset(&alert, 0, sizeof(alert)); + alert.msg = msg; + + if(rule->flags & RULE_FLAGS_MATCH) { + + // Add our message + snprintf(msg, sizeof(msg), "Yara signature detected: %s\n", rule->identifier); + alert.msg_size = strlen(msg); + + // Copy the rest of the fields + alert.event_id = metaData->eventid; + inet_ntop(AF_INET, &metaData->src_ip, alert.src_ip, sizeof(alert.src_ip)); + inet_ntop(AF_INET, &metaData->dst_ip, alert.dst_ip, sizeof(alert.dst_ip)); + alert.ip_proto = metaData->ip_proto; + alert.src_port = metaData->src_port; + alert.dst_port = metaData->dst_port; + alert.priority = 1; + uuid_copy(alert.dataType, metaData->datatype); + detection->hashData(metaData->data, metaData->size, tmp_md5); + alert.main_hash = tmp_md5; + alert.data_block = metaData->data; + alert.db_size = metaData->size; + + // Finally, send our alert + detection->sendAlert(&alert); + + } + + return 0; +} + +void report_error(const char* file_name, int line_number, const char* error_message) +{ + fprintf(stderr, "%s:%d: %s\n", file_name, line_number, error_message); +} + +// 2f631118-42cf-11e0-83c8-000c298fbda4 +UUID_DEFINE(YARA_NUGGET, 0x2f, 0x63, 0x11, 0x18, 0x42, 0xcf, 0x11, 0xe0, 0x83, 0xc8, 0x00, 0x0c, 0x29, 0x8f, 0xbd, 0xa4); + +HRESULT initNug(DetectionAPI *detectionObj) +{ + uuid_t list1[2]; + uuid_copy(list1[0], PDF_FILE); + uuid_copy(list1[1], PE_FILE); + + detection = detectionObj; + + yr_init(); + + if((context = yr_create_context()) == NULL) { + fprintf(stderr, "Error creating yara context\n"); + return R_FAIL; + } + + context->error_report_function = report_error; + + if(load_rules()) { + fprintf(stderr, "Error loading rules\n"); + yr_destroy_context(context); + return R_FAIL; + } + + detection->registerHandler(&yara_handler, (const uuid_t *)&list1, 2, YARA_NUGGET); + + return R_SUCCESS; +} + This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
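Review bot: in the Makefile's `yara:` target, `$(LIBS)` comes before the sources on both lines; on the `-c yara.c` line the `-l` flags do nothing, and on the link line a linker that resolves libraries in order (or runs with `--as-needed`) drops `-lyara` and the razorback libs because no object referencing them has been seen yet. Drop `$(LIBS)` from the compile line and move it after the object on the link line, e.g. `$(CC) $(INCLUDES) -shared -Wall -o yara.so.1 yara.o $(LIBS)`.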
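Review bot: README step 2 ("Update RULE_PATH in yara.c") makes the rules directory a compile-time constant, so moving the rules means rebuilding the nugget; reading the path from rzb.conf or an environment variable at `initNug()` time would avoid that and would also let the default `/tmp/rules` be dropped.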
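Review bot: in `load_rules()`, when `fopen()` fails the code prints an error and then continues into `yr_push_file_name()` and `yr_compile_file(rule_file, context)` with `rule_file == NULL`; add `continue;` (or `return -1;`) after the fprintf. The opened file is never `fclose()`d, and a compile error is reported without the file name or a newline and does not alter the return value, so `initNug()` registers the handler even when no rule compiled; return non-zero on any failure so the nugget refuses to start with a broken rule set. The `strncmp(ep->d_name, ".", 1)` filter also skips every dotfile rather than just `.` and `..`, and nothing checks that the entry is a regular file. Two further points: `yara_handler()` scans through the single global `context`, and `detection_callback()` reads the result from `rule->flags & RULE_FLAGS_MATCH`, i.e. per-scan state kept in shared objects; Matt O.'s reply elsewhere on this page says the bundled loader runs nuggets in threads, so two blocks scanned concurrently would race on that state unless calls to `yr_scan_mem()` are serialized with a mutex. And the default `RULE_PATH "/tmp/rules"` sits inside a world-writable directory, so any local user could add or replace rule files that this nugget then compiles and acts on; default to a directory writable only by the razorback user.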
From: Matt O. <mo...@so...> - 2011-02-20 17:38:20
The dispatcher doesn't execute the threads. If you are using the nugget loader provided with the tarball, that does spawn your nuggets with threads. If you have built a stand-alone nugget using the API, then any threading issues are your own.

matt

On Sat, Feb 19, 2011 at 11:44 PM, Mannix, Frank - 0668 - MITLL <fra...@ll...> wrote:
> Hi guys,
>
> I've been seeing some weird behavior from a nugget I created by cobbling some legacy C code together. The original C code came from a program meant to run as a single, heavyweight process. I am getting segmentation violations when the nugget is called a couple of times quickly in succession by the dispatcher. I isolated the problem to a free() system call to release memory that had already been released.
> Then it dawned on me what was happening. The dispatcher must be executing the nuggets as lightweight threads. If that's the case, is there anything I can do short of rewriting the nugget to be thread safe that will allow me to keep as much of the legacy code intact?
>
> Frank
From: Mannix, F. - 0. - M. <fra...@ll...> - 2011-02-20 04:44:53
Hi guys,

I've been seeing some weird behavior from a nugget I created by cobbling some legacy C code together. The original C code came from a program meant to run as a single, heavyweight process. I am getting segmentation violations when the nugget is called a couple of times quickly in succession by the dispatcher. I isolated the problem to a free() system call to release memory that had already been released.

Then it dawned on me what was happening. The dispatcher must be executing the nuggets as lightweight threads. If that's the case, is there anything I can do short of rewriting the nugget to be thread safe that will allow me to keep as much of the legacy code intact?

Frank
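The exchange above (a nugget built from single-process legacy C code that double-frees a static buffer once the threaded loader calls it concurrently) can be addressed without rewriting the legacy body. The following is an added example, not code from the Nugget Farm project or from either poster: `legacy_scan()` is a hypothetical stand-in for Frank's legacy routine, `safe_scan()` is the wrapper a nugget handler would call instead, and the "MARKER" string and the counters are constructed for the demonstration. The wrapper serializes every entry into the legacy code with one mutex, and the one-line change inside the legacy routine (null the pointer after `free()`, never free a NULL) turns a double free into a no-op should serialization ever be bypassed.

```c
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical legacy routine, constructed for this example. Written for a
 * single heavyweight process, it parks its working buffer in a static pointer
 * and frees it on the way out: two threads inside it at once can both free
 * the same pointer, which is the crash described in the thread above. */
static char  *legacy_buf   = NULL;
static size_t legacy_calls = 0;

static int legacy_scan(const unsigned char *data, size_t len)
{
    legacy_buf = malloc(len + 1);
    if (legacy_buf == NULL)
        return -1;
    memcpy(legacy_buf, data, len);
    legacy_buf[len] = '\0';

    /* Stand-in for the real detection logic: flag blocks containing a marker. */
    int hit = (strstr(legacy_buf, "MARKER") != NULL);

    /* Cheap defensive edit to the legacy code: free once, then null the
     * pointer, so a second free of the same static becomes a no-op. */
    if (legacy_buf != NULL) {
        free(legacy_buf);
        legacy_buf = NULL;
    }
    legacy_calls++;
    return hit;
}

/* One lock serializes every entry into the legacy code. Throughput drops to
 * that of a single thread, but the legacy body stays intact. */
static pthread_mutex_t legacy_lock = PTHREAD_MUTEX_INITIALIZER;

int safe_scan(const unsigned char *data, size_t len)
{
    pthread_mutex_lock(&legacy_lock);
    int r = legacy_scan(data, len);
    pthread_mutex_unlock(&legacy_lock);
    return r;
}

size_t legacy_call_count(void) { return legacy_calls; }

/* Worker: alternates between a benign block and one carrying the marker,
 * the way a loader would hand successive blocks to a nugget handler. */
struct worker_arg { int iters; int hits; };

static void *worker(void *p)
{
    struct worker_arg *a = p;
    static const unsigned char benign[]  = "plain data block";
    static const unsigned char flagged[] = "data with MARKER inside";
    for (int i = 0; i < a->iters; i++) {
        const unsigned char *d = (i % 2) ? flagged : benign;
        size_t n = (i % 2) ? sizeof flagged - 1 : sizeof benign - 1;
        if (safe_scan(d, n) == 1)
            a->hits++;
    }
    return NULL;
}

/* Run nthreads workers of iters calls each and return the total hit count.
 * With an even iters, exactly half of all calls carry the marker. */
int run_concurrent(int nthreads, int iters)
{
    pthread_t *tids = calloc(nthreads, sizeof *tids);
    struct worker_arg *args = calloc(nthreads, sizeof *args);
    if (tids == NULL || args == NULL) {
        free(tids);
        free(args);
        return -1;
    }

    legacy_calls = 0;
    for (int i = 0; i < nthreads; i++) {
        args[i].iters = iters;
        if (pthread_create(&tids[i], NULL, worker, &args[i]) != 0) {
            for (int j = 0; j < i; j++)   /* reap what was started */
                pthread_join(tids[j], NULL);
            free(tids);
            free(args);
            return -1;
        }
    }
    int total = 0;
    for (int i = 0; i < nthreads; i++) {
        pthread_join(tids[i], NULL);
        total += args[i].hits;
    }
    free(tids);
    free(args);
    return total;
}

int main(void)
{
    int hits = run_concurrent(4, 100);
    printf("hits=%d calls=%zu\n", hits, legacy_call_count());
    return (hits == 200 && legacy_call_count() == 400) ? 0 : 1;
}
```

Build with `cc -pthread` on toolchains older than glibc 2.34. The lock is the part that answers the question as asked: the legacy code stays as it was, and the nugget handler is the only place that changes. The pointer-nulling is worth doing regardless, because it converts a silent heap corruption into nothing, and it costs one line.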
From: <pho...@us...> - 2011-02-04 16:04:17
Revision: 41 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=41&view=rev Author: phoogazi Date: 2011-02-04 16:04:11 +0000 (Fri, 04 Feb 2011) Log Message: ----------- fixed command for enabling razorback in configure Modified Paths: -------------- trunk/collection-nuggets/saac/README Modified: trunk/collection-nuggets/saac/README =================================================================== --- trunk/collection-nuggets/saac/README 2011-02-03 19:01:17 UTC (rev 40) +++ trunk/collection-nuggets/saac/README 2011-02-04 16:04:11 UTC (rev 41) @@ -11,7 +11,7 @@ http://sourceforge.net/projects/razorbacktm/files/razorback-0.1.3.tar.gz/download -Configure snort using --enable-razorback and --enable-pthread at a minimum. +Configure snort using --enable-rzb-saac and --enable-pthread at a minimum. CONFIGURATION ============= This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <lin...@us...> - 2011-02-03 19:01:23
Revision: 40 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=40&view=rev Author: linuxgeek247 Date: 2011-02-03 19:01:17 +0000 (Thu, 03 Feb 2011) Log Message: ----------- Fixed path issue with javascript emulator js file Modified Paths: -------------- trunk/detection-nuggets/pdf-dissector/dissector.py trunk/detection-nuggets/pdf-dissector/modules/utils.py Modified: trunk/detection-nuggets/pdf-dissector/dissector.py =================================================================== --- trunk/detection-nuggets/pdf-dissector/dissector.py 2011-01-10 19:27:27 UTC (rev 39) +++ trunk/detection-nuggets/pdf-dissector/dissector.py 2011-02-03 19:01:17 UTC (rev 40) @@ -3,12 +3,11 @@ import sys import os - # Update this to point to your installed pdf-dissector directory -zynamics_path = '/usr/src/path/to/zynamics' +zynamics_path = '/opt/zynamics' # This needs to point to where the python pieces are installed (the directory this file is installed) -base_path = '/usr/src/path/to/pdf-dissector' +base_path = '/home/hal/Projects/nuggetfarm/trunk/detection-nuggets/pdf-dissector' os.chdir(base_path) @@ -41,7 +40,7 @@ decodedData = convertToUchar(obj.stream.decodedData) if len(obj.stream.decodedData) > 0: - result = getJavaScript(pdf, obj) + result = getJavaScript(pdf, obj, zynamics_path) # This should be javascript if result: Modified: trunk/detection-nuggets/pdf-dissector/modules/utils.py =================================================================== --- trunk/detection-nuggets/pdf-dissector/modules/utils.py 2011-01-10 19:27:27 UTC (rev 39) +++ trunk/detection-nuggets/pdf-dissector/modules/utils.py 2011-02-03 19:01:17 UTC (rev 40) 
@@ -28,11 +28,11 @@ else: print "Alert has no data" -def getJavaScript(pdf, obj): +def getJavaScript(pdf, obj, zynamics_path): result = None try: - result = Interpreter.interpret(pdf, String(obj.stream.decodedData), getEmulatorScript()) + result = Interpreter.interpret(pdf, String(obj.stream.decodedData), getEmulatorScript(zynamics_path)) except: pass @@ -41,9 +41,11 @@ def unescape(data): return ''.join([(chr(int(chunk[0:2], 16)) + chr(int(chunk[2:4], 16))) for chunk in data.split('%u')[1:]]) -def getEmulatorScript(): - return open('emulator/emulator.js', "r").read() +def getEmulatorScript(zynamics_path): + script_path = ("%s/emulator/emulator.js" % zynamics_path) + return open(script_path, "r").read() + def convertUnicodeToUchar(data): try: return ''.join([struct.pack('H', ord(i)) for i in data]) This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
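Review bot: in the first dissector.py hunk, `base_path` goes from the `/usr/src/path/to/...` placeholder to `/home/hal/Projects/nuggetfarm/trunk/detection-nuggets/pdf-dissector`, one developer's own checkout, and `zynamics_path` to `/opt/zynamics`; as committed, everyone else must edit the source before the `os.chdir(base_path)` that follows will work. Derive `base_path` from the script's own location with `os.path.dirname(os.path.abspath(__file__))` and take `zynamics_path` from configuration or an environment variable, so the file never carries a machine-specific path.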
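Review bot: in the first utils.py hunk, `getJavaScript()` now calls `getEmulatorScript(zynamics_path)` inside the existing bare `except: pass`, so a wrong `zynamics_path` (the very problem this revision's log message says it fixes) raises an IOError that is swallowed and `result` stays `None`, indistinguishable from "no JavaScript found". Read the emulator script outside the `try`, or catch only the interpreter's exception type and log everything else.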
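Review bot: in the second utils.py hunk, `open(script_path, "r").read()` in the new `getEmulatorScript()` never closes the file handle; use `with open(script_path, "r") as f: return f.read()`. The script is constant for the life of the process, so reading it once rather than once per PDF object would also save a disk read per call.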
From: Patrick M. <pm...@so...> - 2011-01-18 21:23:55
Chris,

I'll put together a more complete answer for you tomorrow (unless Ron steps in with a complete answer), but librazorback_api.so probably should not have been put into the snort_dynamicpreprocessor directory. The architecture has changed a bit since I last worked on it, but librazorback_api.so should be loaded by the SaaC preprocessor SO, and it's this SaaC preprocessor SO that should be located in the dynamic preprocessor directory. This is why there is no LibVersion() information -- the razorback API shared object is not a snort preprocessor object.

Hopefully, this points you in the right direction. Let me know if this gets you any further and if not I'll get the latest version running tomorrow and post my results. I'm still setting up my new computer so it'll be good to get that all working again.

Thanks,
~Patrick

2011/1/18 c.willie <c.w...@gm...>:
> "ERROR: Failed to find LibVersion() function in
> /usr/local/lib/snort_dynamicpreprocessor/librazorback_api.so: \
> /usr/local/lib/snort_dynamicpreprocessor/librazorback_api.so: undefined
> symbol: LibVersion
> Fatal Error, Quitting.."
From: c.willie <c.w...@gm...> - 2011-01-18 14:21:45
All-

I downloaded and installed snort-2.9.0.3 with the SaaC integration. Everything compiled and installed without a problem but when I run `snort -c /usr/local/src/snort-2.9.0.3/etc/snort.saac.conf -A cmg -q -i eth0` or `snort -c /usr/local/src/snort-2.9.0.3/etc/snort.saac.conf -A cmg -q -r ~/tmp.pcap` I get the error:

"ERROR: Failed to find LibVersion() function in /usr/local/lib/snort_dynamicpreprocessor/librazorback_api.so: \
/usr/local/lib/snort_dynamicpreprocessor/librazorback_api.so: undefined symbol: LibVersion
Fatal Error, Quitting.."

I did try the oracle of our modern times (google) and the only thing I could find that was similar was a problem with the example .so rules. The solution there was to delete them, but I don't think deleting will work in this instance.

user@Snort:/usr/local/src$ sudo uname -a
Linux Snort 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:09:38 UTC 2010 x86_64 GNU/Linux
user@Snort:/usr/local/src$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 10.04.1 LTS
Release: 10.04
Codename: lucid

The box is running in a VM. I know that shouldn't make any difference.

Cheers,
Chris
From: <lin...@us...> - 2011-01-10 19:27:33
Revision: 39 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=39&view=rev Author: linuxgeek247 Date: 2011-01-10 19:27:27 +0000 (Mon, 10 Jan 2011) Log Message: ----------- Fixed issue if no report is returned from virustotal Modified Paths: -------------- trunk/detection-nuggets/virustotal/virustotal.c Modified: trunk/detection-nuggets/virustotal/virustotal.c =================================================================== --- trunk/detection-nuggets/virustotal/virustotal.c 2011-01-10 19:23:58 UTC (rev 38) +++ trunk/detection-nuggets/virustotal/virustotal.c 2011-01-10 19:27:27 UTC (rev 39) @@ -12,7 +12,7 @@ #include <rzb_detection_api.h> #define VIRUSTOTAL_URL "https://www.virustotal.com/api/get_file_report.json" -#define VIRUSTOTAL_KEY "3394e0d7d9dd7e8b3ed636e675c977d10a0a48c017976dca0432e064135f74a0" +#define VIRUSTOTAL_KEY "your-virus-total-api-key" #define VIRUSTOTAL_DATA_FORMAT "resource=%s&key=%s" #define VIRUSTOTAL_DATA_LENGTH 4096 #define VIRUSTOTAL_MAX_RESULT_SIZE 8192 This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
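Review bot: reverting the hard-coded key is right, but rev 38 already published it in this public repository's history, so the value beginning `3394e0d7...` must be treated as disclosed and revoked or regenerated on the VirusTotal side; this commit alone does not undo the exposure. Longer term, read the key from rzb.conf or an environment variable at start-up instead of a `#define`, so the placeholder never has to be edited in source. The log message also repeats rev 38's ("Fixed issue if no report is returned from virustotal") and does not say what this revision actually changes.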
From: <lin...@us...> - 2011-01-10 19:24:07
Revision: 38 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=38&view=rev Author: linuxgeek247 Date: 2011-01-10 19:23:58 +0000 (Mon, 10 Jan 2011) Log Message: ----------- Fixed issue if no report is returned from virustotal Modified Paths: -------------- trunk/detection-nuggets/virustotal/virustotal.c Modified: trunk/detection-nuggets/virustotal/virustotal.c =================================================================== --- trunk/detection-nuggets/virustotal/virustotal.c 2011-01-07 19:05:17 UTC (rev 37) +++ trunk/detection-nuggets/virustotal/virustotal.c 2011-01-10 19:23:58 UTC (rev 38) @@ -12,7 +12,7 @@ #include <rzb_detection_api.h> #define VIRUSTOTAL_URL "https://www.virustotal.com/api/get_file_report.json" -#define VIRUSTOTAL_KEY "yourvirustotalkey" +#define VIRUSTOTAL_KEY "3394e0d7d9dd7e8b3ed636e675c977d10a0a48c017976dca0432e064135f74a0" #define VIRUSTOTAL_DATA_FORMAT "resource=%s&key=%s" #define VIRUSTOTAL_DATA_LENGTH 4096 #define VIRUSTOTAL_MAX_RESULT_SIZE 8192 @@ -87,14 +87,13 @@ res = curl_easy_perform(curl); // Hopefully we got everything - if(!res) { + if(!res && ((result.data != NULL) && (strlen(result.data) >= 4) && (strncmp(result.data, "None", 4)))) { // Start by parsing the json doc = json_tokener_parse(result.data); // Make sure the md5 was found - if(json_object_get_int(json_object_object_get(doc, "result")) == 1) { - printf("Found\n"); + if((doc != NULL) && json_object_get_int(json_object_object_get(doc, "result")) == 1) { // Save this for later report = json_object_object_get(doc, "report"); This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
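Review bot: the first hunk replaces the `"yourvirustotalkey"` placeholder with what looks like a live 64-hex-character VirusTotal API key, committed to a public SVN repository. Secrets must not be checked in: keep the placeholder in source and load the real key at runtime from a configuration file or environment variable outside version control. Once pushed, the key is in history for good and should be rotated.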
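Review bot: in the second hunk, the guard `strncmp(result.data, "None", 4)` treats a body beginning with the literal text "None" as the no-report case; that is a fragile contract with an HTTP API, and any other unexpected body (an HTML error page, a rate-limit message) still reaches `json_tokener_parse()`. The new `doc != NULL` check covers a parse failure, but `json_object_object_get(doc, "report")` just below is still assigned to `report` without a NULL check, and `strlen(result.data)` assumes the curl write callback NUL-terminates the buffer, which this hunk does not show. Checking the HTTP status with `curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, ...)` and validating each JSON field before use would make the no-report path explicit. Removing the stray `printf("Found\n")` is good.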
From: <rde...@us...> - 2011-01-07 19:05:27
Revision: 37 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=37&view=rev Author: rdempster Date: 2011-01-07 19:05:17 +0000 (Fri, 07 Jan 2011) Log Message: ----------- Added snort-2.9.0.3.tar.gz with the SaaC integrated. Modified Paths: -------------- trunk/collection-nuggets/saac/README Added Paths: ----------- trunk/collection-nuggets/saac/snort-2.9.0.3.tar.gz Removed Paths: ------------- trunk/collection-nuggets/saac/install.sh trunk/collection-nuggets/saac/rzb_debug.c trunk/collection-nuggets/saac/rzb_debug.h trunk/collection-nuggets/saac/rzb_http-client.c trunk/collection-nuggets/saac/rzb_http-client.h trunk/collection-nuggets/saac/rzb_http-fileinfo.c trunk/collection-nuggets/saac/rzb_http-fileinfo.h trunk/collection-nuggets/saac/rzb_http-server.c trunk/collection-nuggets/saac/rzb_http-server.h trunk/collection-nuggets/saac/rzb_smtp-collector.c trunk/collection-nuggets/saac/rzb_smtp-collector.h trunk/collection-nuggets/saac/snort-2.8.6-saac.diff trunk/collection-nuggets/saac/spp_rzb-collector-dispatch.c trunk/collection-nuggets/saac/spp_rzb-collector-dispatch.h Modified: trunk/collection-nuggets/saac/README =================================================================== --- trunk/collection-nuggets/saac/README 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/README 2011-01-07 19:05:17 UTC (rev 37) 
@@ -4,28 +4,23 @@ INSTALLATION ============ -Obtain the Snort 2.8.6 tarball: - -http://sourceforge.net/projects/nuggetfarm/files/Nuggets/SaaC/snort-2.8.6.tar.gz/download - Untar the Snort tarball. In order to use the SAAC, you must have compiled the API, which is available in the core razorback tarball: -http://sourceforge.net/projects/razorbacktm/files/razorback-0.1.tar.gz/download +http://sourceforge.net/projects/razorbacktm/files/razorback-0.1.3.tar.gz/download -run the ./install.sh [path_to_untared_snort] script +Configure snort using --enable-razorback and --enable-pthread at a minimum. - CONFIGURATION ============= -Once installed, copy the snort.saac.conf file to your prefered config directory: +Once installed, create a snort.conf file containing at least the following line: -src/etc/snort.saac.conf +preprocessor rzb: rzb_conf <path of rzb.conf file> -You will need to edit the rzb.conf file in the src directory. The required items -for the SAAC collector are: +You will need to create an rzb.conf file. The required items for the SAAC collector +are the following: GLOBAL: MAXTHREADS 100 @@ -63,7 +58,7 @@ If you see the following: -vrt@blumpkin:~/rzb/nuggetfarm/snort-2.8.6/src$ ./snort -c etc/snort.saac.conf -A cmg -q -i eth0 +vrt@blumpkin:~/rzb/nuggetfarm/snort-2.9.0.3/src$ ./snort -c etc/snort.saac.conf -A cmg -q -i eth0 Razorback Snort Data Collector Initializing. ERROR: Failed to initialize dynamic preprocessor: SF_Dynamic_Example_Preprocessor version 1.0.1 Fatal Error, Quitting.. Deleted: trunk/collection-nuggets/saac/install.sh =================================================================== --- trunk/collection-nuggets/saac/install.sh 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/install.sh 2011-01-07 19:05:17 UTC (rev 37) 
@@ -1,56 +0,0 @@ -#!/bin/sh -if [ $# != 1 ] -then - echo "You must supply one and only one argument, the path to the snort 2.8.6.0 package" - echo - echo "Usage: ./install.sh /home/user/snort-2.8.6/" - exit -fi - -echo -echo "This script patches and installs the saac with some assumptions." -echo "If these assumptions are incorrect please run patch.sh and handle" -echo "the differences via the configuation." -echo -echo "You may choose to only install the patch by exiting after the patch" -echo "is applied with ctrl-c at the \"Press enter to run configure\" prompt" -echo - -read -p "Press enter to apply patch to source" nothing -cp rzb.conf $1 -cp *.c $1/src/preprocessors/ -cp *.h $1/src/preprocessors/ -cp snort-2.8.6-saac.diff $1 -cd $1 -patch -p 1 < snort-2.8.6-saac.diff - -read -p "Press enter to run configure (./configure --enable-razorback --enable-pthread)" nothing -./configure --enable-razorback --enable-pthread -if [ $? != 0] -then - echo "Configuration failed" - exit ${1} -fi - -read -p "Press enter to run make" nothing -make -if [ $? != 0] -then - echo "make failed" - exit ${1} -fi - -read -p "Press enter to run sudo make install" nothing -sudo make install -if [ $? != 0] -then - echo "Sudo make install failed" - exit ${1} -fi - -echo "The rzb.conf file is in ${1}, you should edit the" -echo "IP and PORT fields under "DISPATCHSRV" in rzb.conf" -echo "to point to your dispatch server" -echo -echo "From the ${1} directory you should now be able to run snort as:" -echo "snort -c src/etc/snort.saac.conf -A cmg -q -i eth1" Deleted: trunk/collection-nuggets/saac/rzb_debug.c =================================================================== --- trunk/collection-nuggets/saac/rzb_debug.c 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/rzb_debug.c 2011-01-07 19:05:17 UTC (rev 37) 
@@ -1,35 +0,0 @@ -#include "rzb_debug.h" - -#include <stdio.h> -#include <string.h> - -void prettyprint(const unsigned char *data, unsigned int size) { - unsigned int i; - const unsigned char *dataptr = data; - unsigned char asciigraph[17]; - - memset(asciigraph, '\x00', 17); - - //printf("Datasize: %d\n", size); - -#ifdef PACKETDUMPSIZE - size = (size > PACKETDUMPSIZE) ? PACKETDUMPSIZE : size; -#endif - - for(i=0; i < size; i++, dataptr++) { - printf("%02x ", *dataptr); - asciigraph[i % 16] = (isgraph(*dataptr) || (*dataptr == ' ')) ? *dataptr : '.'; - - if(i % 16 == 15) { - printf("%s\n", asciigraph); - memset(asciigraph, '\x00', 17); - } - } - - // Dump any remaining data - if(i % 16) { - printf("%*s", (16 - (i%16)) * 3, " "); - printf("%s\n", asciigraph); - } -} - Deleted: trunk/collection-nuggets/saac/rzb_debug.h =================================================================== --- trunk/collection-nuggets/saac/rzb_debug.h 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/rzb_debug.h 2011-01-07 19:05:17 UTC (rev 37) 
@@ -1,37 +0,0 @@ -#ifndef NRT_DEBUG_H -#define NRT_DEBUG_H - -#define D_CRITICAL 0xFFFF - -#define D_EMERG 0x0001 -#define D_WARN 0x0002 -#define D_DEBUG 0x0004 -#define D_INFO 0x0008 -#define D_ALLLVL 0x00FF -#define D_CRIT 0x0080 - -#define D_CLIENT 0x0100 -#define D_SERVER 0X0200 -#define D_DETECT 0x0400 -#define D_PACKET 0x0800 -#define D_FILE 0x1000 -#define D_ALERT 0x2000 -#define D_ALLCOMP 0xFF00 - -#define D_ALLDEBUG 0xFFFF - -//#define DEBUG -#ifdef DEBUG -#define DEBUGLEVEL ((D_ALLCOMP & ~D_PACKET) | D_CRIT)// (D_ALLDEBUG & ~D_PACKET) -#define DEBUGOUT(flag, code) if((flag & DEBUGLEVEL & 0xFF00) && (flag & DEBUGLEVEL & 0x00FF)) code -#else -#define DEBUGOUT(flag, code) -#endif - -#define PACKETDUMPSIZE 256 - -void prettyprint(const unsigned char *, unsigned int); - - -#endif - Deleted: trunk/collection-nuggets/saac/rzb_http-client.c =================================================================== --- trunk/collection-nuggets/saac/rzb_http-client.c 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/rzb_http-client.c 2011-01-07 19:05:17 UTC (rev 37) 
@@ -1,238 +0,0 @@ -#include "rzb_http-client.h" -#include "rzb_debug.h" -#include "rzb_http-fileinfo.h" -#include "rzb_global.h" -#include "rzb_http-server.h" -#include "spp_rzb-collector-dispatch.h" -#include "rzb_intel_global.h" -#include "rzb_intel_api.h" - -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <pcre.h> - -typedef struct { - pcre *re; - pcre_extra *pe; -} pcrestruct; - -// Ensure the pcre enum lines up with the pcre strings array -enum { PCRE_EOH, PCRE_URL, PCRE_HOST, PCRE_COOKIE, PCRE_UA } http_pcre_enum; -#define NUM_HTTP_PCRES PCRE_UA+1 -pcrestruct http_pcre_structs[NUM_HTTP_PCRES]; -char *http_pcre_strings[] = { - "\\n\\r?\\n", - "^(GET|POST)\\s+([^\\s]+)\\s+HTTP/1\\.[01]\\s*$", - "^Host:\\s*([^\\r\\n]+)", - "^Cookie:\\s*([^\\r\\n]+)", - "^User-Agent:\\s*([^\\r\\n]+)" - }; - -int init_HTTP_PCREs(void) { - const char *error; - int erroffset; - - int i; - - for(i = 0; i < NUM_HTTP_PCRES; i++) { -// /*DEBUGOUT((D_CLIENT | D_INFO),*/printf("Initializing PCRE %d: %s\n", i, http_pcre_strings[i]);//); - - http_pcre_structs[i].re = pcre_compile(http_pcre_strings[i], PCRE_CASELESS | PCRE_DOTALL | PCRE_MULTILINE, &error, &erroffset, NULL); - - if(http_pcre_structs[i].re == NULL) { - printf("Failed to compile pcre regex %d (%s): %s\n", i, http_pcre_strings[i], error); - return(-1); - } - - http_pcre_structs[i].pe = pcre_study(http_pcre_structs[i].re, 0, &error); - - if(error != NULL) { - printf("Failed to study pcre regex %d /%s/: %s\n", i, http_pcre_strings[i], error); - return(-1); - } - } - - return 1; -} - -// < 0 for error. 
>= 0 for len of extracted string -int extractHTTPClientHeaderVal(const u_int8_t *buf, u_int32_t size, int pcreidx, int substringnum, char *valuebuf, int valuelen) { - int result; - int ovector[9]; - int ovecsize = 9; - const char *tmpstring; - -// printf("Searching for pcre %d (%s)\n", pcreidx, http_pcre_strings[pcreidx]); - - result = pcre_exec(http_pcre_structs[pcreidx].re, http_pcre_structs[pcreidx].pe, - (const char *)buf, size, 0, 0, ovector, ovecsize); - - if(result < 0 || result == PCRE_ERROR_NOMATCH) { -// printf("pcre not found\n"); - return(-1); // We need to find the URL or this isn't a valid request - } - - if(valuebuf) { - result = pcre_get_substring((const char *)buf, ovector, result, substringnum, &tmpstring); - if(result < 0) { -// printf("unable to extract substring\n"); - return(-2); - } - - strncpy(valuebuf, tmpstring, valuelen); - valuebuf[valuelen-1] = '\0'; - - pcre_free_substring(tmpstring); - return(strlen(valuebuf)); - } - - return(0); -} - - -int ParseClientRequest(const u_int8_t *payload, u_int32_t payload_size, WEB_ENTRY* webentry) { - - u_int32_t offset_eoh = 0; - int result; - - DEBUGOUT((D_CLIENT | D_INFO), printf("ParseClientRequest enter\n")); - - if(payload == NULL) { - DEBUGOUT(D_CRITICAL, printf("ParseClientRequest payload is NULL. wtf.\n")); - return(-1); - } - - if(payload_size < 15) { - return(-1); - } - - // I get the sneaking suspicion that eventually I'm going to realize that I still - // need to keep track of HEAD, OPTION, etc because some jackass is going to desynch me by - // injecting such requests into the stream so when I receive file data it won't line up - // correctly. I really should just rob the code from http_inspect here. - - // Find the end of the HTTP headers - // XXX This code is pretty useless here unless I get an offset for the end of headers - result = extractHTTPClientHeaderVal(payload, payload_size, PCRE_EOH, 0, NULL, 0); - offset_eoh = /*(result >= 0) ? 
result :*/ payload_size; - - // Get the URL - result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_URL, 2, webentry->url, sizeof(webentry->url)); - - // We need a URL (also validates this is a valid request) - if(result < 0) { -// printf("Unable to extract URL\n"); - return(-1); - } - - // The remaining headers are optional (PCRE_HOST, PCRE_COOKIE, PCRE_UA) - result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_HOST, 1, webentry->host, sizeof(webentry->host)); - if(result < 0) { -// printf("Unable to extract Host header\n"); - webentry->host[0] = '\0'; - } - - result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_COOKIE, 1, webentry->cookie, sizeof(webentry->cookie)); - if(result < 0) { -// printf("Unable to extract Cookie header\n"); - webentry->cookie[0] = '\0'; - } - - result = extractHTTPClientHeaderVal(payload, offset_eoh, PCRE_UA, 1, webentry->user_agent, sizeof(webentry->user_agent)); - if(result < 0) { -// printf("Unable to extract User-Agent header\n"); - webentry->user_agent[0] = '\0'; - } - - return(1); -} - -int ProcessFromClient(Packet *sp, RZBConfig *config) { - RULEDATA *ruledata; - - WEB_ENTRY webentry; - - int result; - FILEINFO *fileinfo; - - DEBUGOUT((D_CLIENT | D_INFO), printf("ProcessFromClient enter\n")); - DEBUGOUT((D_PACKET | D_WARN), prettyprint(sp->data, sp->dsize)); - - ruledata = (RULEDATA*)getRuleData(sp); - - if(!ruledata) { - DEBUGOUT((D_CLIENT | D_DEBUG), printf("ProcessFromClient: adding new rule data\n")); - ruledata = calloc(1, sizeof(RULEDATA)); - if(!ruledata) { - DEBUGOUT(D_CRITICAL, printf("ProcessFromClient: ruledata malloc failed\n")); - return(-1); - } - - storeRuleData(sp, (void*)ruledata, &free); // Since we have the capability, we should do something cooler on stream destruction - ruledata->sid = NRTSID; - ruledata->streaminfoidx = INVALIDSTREAMIDX; - ruledata->state = WAITINGFORRESPONSEHEADER; - - } else if(ruledata->sid != NRTSID) { - DEBUGOUT(D_CRITICAL, printf("ProcessFromClient: Not our 
data! (sid %d/0x%08x)\n", ruledata->sid, ruledata->sid)); - return(-1); - } else if(IsStreamIgnored(ruledata)) { - DEBUGOUT((D_SERVER | D_WARN), printf("ProcessFromClient: stream is ignored\n")); - return(-1); - } - - fileinfo = calloc(1, sizeof(FILEINFO)); - - // Set all counts and sizes to 0, all strings to empty, and pointers to NULL - // memset(fileinfo, '\0', sizeof(FILEINFO)); - - result = ParseClientRequest(sp->data, sp->dsize, &webentry); - DEBUGOUT((D_CLIENT | D_INFO), printf("return from ParseClientRequest() was %d\n", result)); - - if(result <= 0) { - free(fileinfo); - return(-1); - } - - // Copy URL and Host header out of webentry into fileinfo - snprintf(fileinfo->url, sizeof(fileinfo->url), "%s", webentry.url); - fileinfo->url[sizeof(fileinfo->url) - 1] = 0; - snprintf(fileinfo->hostname, sizeof(fileinfo->hostname), "%s", webentry.host); - fileinfo->hostname[sizeof(fileinfo->hostname) - 1] = 0; - - // Now store what we know about this request - fileinfo->saddr = sp->iph->ip_src; - fileinfo->daddr = sp->iph->ip_dst; - - // Add address info to webentry - webentry.src_ip = sp->iph->ip_src; - webentry.dst_ip = sp->iph->ip_dst; - - // Now send our webentry as an Intel Nugget! 
- if(sendWebTrack(&webentry) == R_FAIL) { - printf("Failed to send web track info!\n"); - // Not making this fatal error - } - - DEBUGOUT((D_CLIENT | D_DEBUG), DumpFileInfo(fileinfo)); - - result = AddFileInfoListElem(ruledata, fileinfo); - - DEBUGOUT((D_CLIENT | D_INFO), printf("return from StoreFileData() was %d\n", result)); - - if(result < 0) { - DEBUGOUT(D_CRITICAL, printf("AddFileInfoListElem failed!\n")); - free(fileinfo); - return(-1); - } - - DEBUGOUT((D_CLIENT | D_WARN), DumpFileInfoList(ruledata)); - -// _dpd.alertAdd(GENERATOR_NRT, DST_PORT_MATCH, -// 1, 0, 3, DST_PORT_MATCH_STR, 0); - - return(0); -} - - Deleted: trunk/collection-nuggets/saac/rzb_http-client.h =================================================================== --- trunk/collection-nuggets/saac/rzb_http-client.h 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/rzb_http-client.h 2011-01-07 19:05:17 UTC (rev 37) @@ -1,20 +0,0 @@ -#ifndef NRT_CLIENT_H -#define NRT_CLIENT_H - -//#include "nrt_client.h" -//#include "nrt_debug.h" -//#include "nrt_fileinfo.h" -#include "rzb_global.h" -//#include "nrt_server.h" -//#include "spp_nrt.h" - -#include "decode.h" -//#include "stream_api.h" - -#include "rzb_intel_global.h" - -int ParseClientRequest(const u_int8_t *, u_int32_t, WEB_ENTRY*); -int ProcessFromClient(Packet *, RZBConfig *); -int init_HTTP_PCREs(void); - -#endif Deleted: trunk/collection-nuggets/saac/rzb_http-fileinfo.c =================================================================== --- trunk/collection-nuggets/saac/rzb_http-fileinfo.c 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/rzb_http-fileinfo.c 2011-01-07 19:05:17 UTC (rev 37) 
@@ -1,247 +0,0 @@ -#include "rzb_http-client.h" -#include "rzb_debug.h" -#include "rzb_http-fileinfo.h" -#include "rzb_global.h" -#include "rzb_http-server.h" -#include "spp_rzb-collector-dispatch.h" - -#include <stdio.h> -#include <stdlib.h> - -int numfileinfostructsinuse = 0; - -u_int32_t nextfreestreaminfoidx = 0; -FILEINFOLISTELEM *fileinfolist[NUMSTREAMSTOTRACK]; - -void DumpFileInfo(FILEINFO *fileinfo) { - - if(fileinfo == NULL) { - DEBUGOUT(D_CRITICAL, printf("DumpFileInfo fileinfo is NULL!\n")); - return; - } - - printf("/--- fileinfo start ---\n"); - printf("| url: %s\n", fileinfo->url); - printf("| hostname: %s\n", fileinfo->hostname); - printf("| saddr: %s\n", inet_ntoa(fileinfo->saddr)); // OMG not threadsafe! - printf("| daddr: %s\n", inet_ntoa(fileinfo->daddr)); // OMG not threadsafe! - printf("| filesize: %d\n", fileinfo->filesize); - printf("| amountstored: %d\n", fileinfo->amountstored); - printf("| bufferindex: %d\n", fileinfo->bufferindex); - printf("| filedata = %p\n", fileinfo->filedata); - - if(fileinfo->filedata != NULL) { - DEBUGOUT((D_FILE | D_WARN), prettyprint(fileinfo->filedata, fileinfo->filesize)); -#ifndef DEBUG - prettyprint(fileinfo->filedata, (fileinfo->filesize > 256) ? 
256 : fileinfo->filesize); -#endif - } - - printf("\\--- fileinfo end ---\n"); -} - - -int DumpFileInfoList(RULEDATA *ruledata) { - FILEINFOLISTELEM *tmp; - - printf("DumpFileInfoList, index %d\n", ruledata->streaminfoidx); - if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { - printf("Invalid stream index!\n"); - return(-1); - } - - tmp = fileinfolist[ruledata->streaminfoidx]; - - if(tmp == NULL) { - printf("Head node is NULL!\n"); - return(-1); - } - - do { - DumpFileInfo(tmp->fileinfo); - } while((tmp = tmp->next)); - - return(1); -} - - -void FreeFileInfo(FILEINFO *fileinfo) { - if(fileinfo) { - if(fileinfo->filedata) { - //printf("Freeing file data 0x%08x\n", fileinfo->filedata); - free(fileinfo->filedata); - //fileinfo->filedata = NULL; - } - - free(fileinfo); - numfileinfostructsinuse--; - } - -// printf("FreeFileInfo numfileinfostructsinuse=%d\n", numfileinfostructsinuse); -} - -void FreeNRTStreamData(void *inptr) { - RULEDATA *ruledata = (RULEDATA *)inptr; - - printf("Freeing NRT stream data. Be afraid. 
Be very afraid.\n"); - - DEBUGOUT((D_CLIENT|D_SERVER|D_DEBUG), printf("FreeNRTStreamData enter\n")); - - if(!ruledata) { - DEBUGOUT((D_SERVER|D_CLIENT|D_DEBUG), printf(" inptr is NULL, exiting\n")); - return; - } - - FreeFileInfoList(ruledata); - - free(ruledata); -} - - -void FreeFileInfoList(RULEDATA *ruledata) { - - DEBUGOUT((D_CLIENT|D_SERVER|D_DEBUG), printf("FreeFileInfoList enter\n")); - - if(!ruledata) { - DEBUGOUT((D_SERVER|D_CLIENT|D_DEBUG), printf(" inptr is NULL, exiting\n")); - return; - } - - if(ruledata->streaminfoidx != INVALIDSTREAMIDX) { - while(fileinfolist[ruledata->streaminfoidx]) { - DEBUGOUT((D_DEBUG | D_SERVER), printf(" deleting %s\n", (fileinfolist[ruledata->streaminfoidx])->fileinfo->url)); - - DeleteFileInfoListHead(ruledata); - } - } - - ruledata->streaminfoidx = INVALIDSTREAMIDX; -} - -int AddFileInfoListElem(RULEDATA *ruledata, FILEINFO *fileinfo) { - FILEINFOLISTELEM *tmp, *addme; - - int i; - - DEBUGOUT((D_FILE | D_INFO), printf("AddFileInfoListElem enter\n")); - - if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { - if(nextfreestreaminfoidx == OUTOFSTREAMINFOSTORAGE) { - DEBUGOUT(D_CRITICAL, printf("out of stream storage!\n")); - return(-1); - } - - ruledata->streaminfoidx = nextfreestreaminfoidx; - DEBUGOUT((D_FILE | D_DEBUG), printf("Using next open slot, at index %d\n", nextfreestreaminfoidx)); - - // Now let's find the next open index - i = nextfreestreaminfoidx + 1; - while(i < NUMSTREAMSTOTRACK) { - if(fileinfolist[i] == NULL) - break; - else - i++; - } - - if(i == NUMSTREAMSTOTRACK) { - i = 0; - while(i < nextfreestreaminfoidx) { - if(fileinfolist[i] == NULL) - break; - else - i++; - } - } - - // Out of additional storage - if(i == ruledata->streaminfoidx) - { - printf("Out of streaminfo storage\n"); - nextfreestreaminfoidx = OUTOFSTREAMINFOSTORAGE; - }else - nextfreestreaminfoidx = i; - - DEBUGOUT((D_FILE | D_DEBUG), printf("nextfreestreaminfoidx = %d\n", nextfreestreaminfoidx)); - } - - DEBUGOUT((D_FILE | D_DEBUG), 
printf("adding fileinfo at index %d\n", ruledata->streaminfoidx)); - - addme = calloc(1, sizeof(*addme)); - - if(addme == NULL) { - DEBUGOUT(D_CRITICAL, printf("Unable to allocate fileinfolistelem!\n")); - return(-1); - } - - addme->fileinfo = fileinfo; - addme->next = '\0'; - - tmp = fileinfolist[ruledata->streaminfoidx]; - - if(tmp) { - while(tmp->next) { - tmp = tmp->next; - } - - tmp->next = addme; - } else { - fileinfolist[ruledata->streaminfoidx] = addme; - } - - numfileinfostructsinuse++; -// printf("AddFileInfoListElem numfileinfostructsinuse=%d\n", numfileinfostructsinuse); - - return(1); -} - - -FILEINFO *PopFileInfo(RULEDATA *ruledata) { - FILEINFOLISTELEM *tmp; - FILEINFO *fileinfo; - - DEBUGOUT((D_FILE | D_INFO), printf("PopFileInfo enter\n")); - - if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { - DEBUGOUT(D_CRITICAL, printf("PopFileInfo streaminfoidx is INVALIDSTREAMIDX!\n")); - return(NULL); - } - - tmp = fileinfolist[ruledata->streaminfoidx]; - - if(tmp == NULL) { - DEBUGOUT(D_CRITICAL, printf("PopFileInfo fileinfolist entry is NULL!\n")); - return(NULL); - } - - // Change the head - fileinfolist[ruledata->streaminfoidx] = tmp->next; - - // Grab the fileinfo and free the container - fileinfo = tmp->fileinfo; - free(tmp); - - DEBUGOUT((D_CLIENT | D_SERVER | D_INFO), printf("PopFileInfo freed fileinfo container at %p\n", tmp)); - - return(fileinfo); -} - - -int DeleteFileInfoListHead(RULEDATA *ruledata) { - FILEINFO *fileinfo; - - DEBUGOUT((D_FILE | D_INFO), printf("DeleteFileInfoListHead enter\n")); - - fileinfo = PopFileInfo(ruledata); - - DEBUGOUT((D_CLIENT | D_SERVER | D_INFO), printf("freeing fileinfo at %p\n", fileinfo)); - - if(fileinfo == NULL) - return(-1); - - FreeFileInfo(fileinfo); - - return(1); -} - - - Deleted: trunk/collection-nuggets/saac/rzb_http-fileinfo.h =================================================================== --- trunk/collection-nuggets/saac/rzb_http-fileinfo.h 2010-12-08 22:13:21 UTC (rev 36) +++ 
trunk/collection-nuggets/saac/rzb_http-fileinfo.h 2011-01-07 19:05:17 UTC (rev 37) @@ -1,29 +0,0 @@ -#ifndef NRT_FILEINFO_H -#define NRT_FILEINFO_H - -//#include "nrt_client.h" -//#include "nrt_debug.h" -//#include "nrt_fileinfo.h" -#include "rzb_global.h" -//#include "nrt_server.h" -//#include "spp_nrt.h" - -//#include "stream_api.h" -//#include "decode.h" -#include "rzb_http-server.h" - -int AddFileInfoListElem(RULEDATA *, FILEINFO *); -void DumpFileInfo(FILEINFO *); -int DumpFileInfoList(RULEDATA *); -void FreeFileInfo(FILEINFO *); - -int DeleteFileInfoListHead(RULEDATA *); -FILEINFO *PopFileInfo(RULEDATA *); -void FreeFileInfoList(RULEDATA *); -void FreeNRTStreamData(void *); - -extern FILEINFOLISTELEM *fileinfolist[]; -extern int numfileinfostructsinuse; - -#endif - Deleted: trunk/collection-nuggets/saac/rzb_http-server.c =================================================================== --- trunk/collection-nuggets/saac/rzb_http-server.c 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/rzb_http-server.c 2011-01-07 19:05:17 UTC (rev 37) 
@@ -1,423 +0,0 @@ -#include "rzb_api.h" -#include "rzb_http-client.h" -#include "rzb_debug.h" -#include "rzb_http-fileinfo.h" -#include "rzb_global.h" -#include "rzb_alert_util.h" -#include "rzb_http-server.h" -#include "spp_rzb-collector-dispatch.h" - -#include <stdio.h> -#include <stdlib.h> -#include <pthread.h> - -int SkipToEndOfHTTPHeader(const u_int8_t **in_cursor, const u_int8_t *end_of_data) { - const u_int8_t *cursor = *in_cursor; - - while(cursor < end_of_data) { - while(cursor < end_of_data && *cursor++ != '\n'); - - if(cursor[0] == '\r' && cursor[1] == '\n') { - cursor += 2; - *in_cursor = cursor; - return(1); - } else if(cursor[0] == '\n') { - cursor++; - *in_cursor = cursor; - return(1); - } - } - - return(-1); -} - - -enum filereadstatus ReadFileData(const u_int8_t **in_cursor, const u_int8_t *end_of_data, FILEINFO *fileinfo) { - const u_int8_t *cursor = *in_cursor; - - u_int32_t amounttoalloc; - u_int32_t bytesavailable; - - const u_int8_t *end_of_file; - u_int8_t *filedataptr; - - if(cursor >= end_of_data) - return(ERROR); - - // Make sure we have somewhere to store our data - if((fileinfo->filedata) == NULL) { - // ZDNOTE Need to limit the amount of memory that will be allocated at a time. This may involve some - // ZDNOTE changes to the FILEINFO struct. - // ZDNOTE amounttoalloc = (fileinfo->filesize < MAXFILEALLOCCHUNK) ? fileinfo->filesize : MAXFILEALLOCCHUNK; - if(fileinfo->filesize > 100000000 /*ULONG_MAX*/) { - // ZDNOTE this will also trip on files for which we don't have a Content-Length header - DEBUGOUT((D_FILE | D_DEBUG), printf("ReadFileData filesize is >100M! 
Bailing!\n")); - return(ERROR); - } - - amounttoalloc = fileinfo->filesize; - - fileinfo->filedata = calloc(amounttoalloc, 1); - - if((fileinfo->filedata) == NULL) { - printf("ReadFileData unable to allocate file contents buffer!\n"); - return(ERROR); - } - - fileinfo->amountstored = 0; - fileinfo->bufferindex = 0; - } - - end_of_file = cursor + (fileinfo->filesize - fileinfo->amountstored); - if(end_of_file > end_of_data) { - end_of_file = end_of_data; - } - - bytesavailable = end_of_file - cursor; - - // ZDNOTE Need to verify there is enough space left in the buffer before copy - - filedataptr = &((fileinfo->filedata)[fileinfo->bufferindex]); - - while(cursor < end_of_file) { - *filedataptr++ = *cursor++; - } - - *in_cursor = cursor; - fileinfo->amountstored += bytesavailable; - fileinfo->bufferindex += bytesavailable; // ZDNOTE again, check buffer size - - DEBUGOUT((D_FILE | D_DEBUG), printf("Saved %d bytes. (%d/%d total)\n", bytesavailable, fileinfo->amountstored, fileinfo->filesize)); - - if(fileinfo->amountstored == fileinfo->filesize) - return(WAITINGFORRESPONSEHEADER); - else if(fileinfo->amountstored < fileinfo->filesize) - return(WAITINGFORDATA); - else - return(ERROR); -} - - -int CallDetectionFunction(FILEINFO *fileinfo) { - - BLOCK_META_DATA *mdata = NULL; - const unsigned char *tmp; - - // Init the metadata structure - if((mdata = calloc(1, sizeof(*mdata))) == NULL) { - perror("Error allocating mdata\n"); - return -1; - } - - // Fill in the required fields - mdata->timestamp = (unsigned int)time(NULL); - mdata->data = fileinfo->filedata; - mdata->size = fileinfo->filesize; - mdata->src_ip.s_addr = 0x01010101; - mdata->dst_ip.s_addr = 0x02020202; - mdata->ip_proto = 6; - mdata->src_port = 25; - mdata->dst_port = 8000; - tmp = file_type_lookup(fileinfo->filedata, fileinfo->filesize); - uuid_copy(mdata->datatype, tmp); - -// DEBUGOUT((D_DETECT | D_INFO), printf("CallDetectionFunction enter\n")); - - // ZDNOTE Dunno what to do, so we're just going to... 
- printf("Calling detection function with following file information:\n"); - DumpFileInfo(fileinfo); - - rzb_collection.sendData(mdata); - - fileinfo->filedata = NULL; - fileinfo->filesize = 0; - - return(0); -} - - -enum filereadstatus ProcessServerHeader(const u_int8_t **in_cursor, const u_int8_t *end_of_data, FILEINFO *fileinfo) { - const u_int8_t *cursor = *in_cursor; - - if(cursor + 15 >= end_of_data) { - DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader not enough data!\n")); - return(ERROR); - } - - // Check for HTTP/1.[01] header - if( (strncasecmp((const char *)cursor, "http/1.", 7) != 0) || (cursor[7] != '0' && cursor[7] != '1')) -// (*cursor++ | 0x20) != 'h' || -// (*cursor++ | 0x20) != 't' || -// (*cursor++ | 0x20) != 't' || -// (*cursor++ | 0x20) != 'p' || -// *cursor++ != '/' || -// *cursor++ != '1' || -// *cursor++ != '.' || -// (*cursor != '0' && *cursor != '1')) - { - DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader not a valid HTTP version\n")); - return(ERROR); - } - - cursor += 8; -// cursor++; - - while(cursor < end_of_data && *cursor == ' ') - cursor++; - - if(cursor + 6 >= end_of_data) { - DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader not enough data 2!\n")); - return(ERROR); - } - - if( memcmp(cursor, "200", 3) != 0) -// *cursor++ != '2' || -// *cursor++ != '0' || -// *cursor++ != '0') - { -// DEBUGOUT((D_FILE | D_DEBUG), printf("Unhandled response code: %c%c%c%c%c\n", cursor[-2], cursor[-1], cursor[0], cursor[1], cursor[2])); -// DEBUGOUT((D_SERVER | D_WARN), printf("ProcessServerHeader not 200 response (is %c%c%d)\n", *(cursor-3), *(cursor-2), *(cursor-1))); - DEBUGOUT((D_SERVER | D_WARN), printf("ProcessServerHeader not 200 response (is %c%c%d)\n", *cursor, *(cursor+1), *(cursor+2))); - *in_cursor = cursor; - return(SERVERRETURNNOT200); // ZDNOTE We really need to handle other codes to skip over data - } - - cursor += 3; - // ZDNOTE Don't know if it matters, but we're not caring about the response message - - // Now, we're going to see 
if we can find a Content-Length header. - // By definition, it has to be at the start of a line. So, we're just going - // To look for newlines and every time we find one, see if we're now looking - // at Content-Length: - while(cursor < end_of_data) { - while(cursor < end_of_data && *cursor++ != '\n'); // Find next newline - - // No Content-Length: header. - if(cursor + 16 >= end_of_data) { - DEBUGOUT((D_SERVER | D_EMERG), printf("No content-length header\n")); - //SkipToEndOfHTTPHeader(&cursor, end_of_data); - fileinfo->filesize = ULONG_MAX; - break; //return(WAITINGFORDATA); // ZDNOTE bug if header spans packets. INHTTPHEADERS state?? - } - if( strncasecmp((const char *)cursor, "content-length:", 15) == 0 ) -// (cursor[0] | 0x20) == 'c' && -// (cursor[1] | 0x20) == 'o' && -// (cursor[2] | 0x20) == 'n' && -// (cursor[3] | 0x20) == 't' && -// (cursor[4] | 0x20) == 'e' && -// (cursor[5] | 0x20) == 'n' && -// (cursor[6] | 0x20) == 't' && -// cursor[7] == '-' && -// (cursor[8] | 0x20) == 'l' && -// (cursor[9] | 0x20) == 'e' && -// (cursor[10] | 0x20) == 'n' && -// (cursor[11] | 0x20) == 'g' && -// (cursor[12] | 0x20) == 't' && -// (cursor[13] | 0x20) == 'h' && -// cursor[14] == ':') - { - cursor += 15; - if(cursor + 10 <= end_of_data) { - fileinfo->filesize = strtoul((char *)cursor, (char**)(&cursor), 10); // ignores preceeding whitespace - } - - DEBUGOUT((D_SERVER | D_DEBUG), printf("Found content-length. 
Filesize = %d\n", fileinfo->filesize)); - - SkipToEndOfHTTPHeader(&cursor, end_of_data); - break; - - } else if(cursor[0] == '\r' && cursor[1] == '\n') { - cursor += 2; - break; - } else if(cursor[0] == '\n') { - cursor++; - break; - } - } - - *in_cursor = cursor; - - return(WAITINGFORDATA); -} - - -int ProcessFromServer(Packet *sp, RZBConfig *config) { - RULEDATA *ruledata; - - int result; - - const u_int8_t *cursor = sp->data; - const u_int8_t *end_of_data; - - FILEINFO *currentfile; - -// u_int32_t remaining_data = 0; - - DEBUGOUT((D_SERVER | D_INFO), printf("ProcessFromServer enter\n")); - DEBUGOUT((D_PACKET | D_WARN), prettyprint(sp->data, sp->dsize)); - - ruledata = (RULEDATA*)getRuleData(sp); - - if(!ruledata) { - DEBUGOUT((D_SERVER | D_DEBUG), printf("ProcessFromServer: no rule data!\n")); - return(-1); - } else if(ruledata->sid != NRTSID) { - DEBUGOUT((D_SERVER | D_WARN), printf("Not our data! (sid %d/0x%08x)\n", ruledata->sid, ruledata->sid)); - return(-1); - } else if(IsStreamIgnored(ruledata)) { - DEBUGOUT((D_SERVER | D_WARN), printf("ProcessFromServer: stream is ignored\n")); - return(-1); - } - - - if(fileinfolist[ruledata->streaminfoidx] == NULL) { - printf("Craptacular, the fileinfolist is NULL, ruledata->streaminfoidx = %d\n", ruledata->streaminfoidx); - DEBUGOUT(D_CRITICAL, printf("ProcessFromServer fileinfolist[ruledata->streaminfoidx] is NULL!\n")); - return(-1); - } - - currentfile = (fileinfolist[ruledata->streaminfoidx])->fileinfo; - - if(currentfile == NULL) { - DEBUGOUT(D_CRITICAL, printf("ProcessFromServer head fileinfo is NULL!\n")); - return(-1); - } - - cursor = sp->data; -// dataremaining = sp->dsize; - end_of_data = sp->data + sp->dsize; - - while(cursor < end_of_data && !IsStreamIgnored(ruledata)) { - switch(ruledata->state) { - case WAITINGFORRESPONSEHEADER: - // We're currently waiting for the server to answer our request - // ProcessServerHeader moves the cursor to the beginning of the response body - // ...unless the header 
bridges packets. This will be a bug. ZDNOTE - result = ProcessServerHeader(&cursor, end_of_data, currentfile); - - DEBUGOUT((D_SERVER | D_INFO), printf("return from ProcessServerResponse() was %d\n", result)); - DEBUGOUT((D_SERVER | D_WARN), DumpFileInfo(currentfile)); - - switch(result) { - case WAITINGFORDATA: - // Successfully processed header, now waiting for data - ruledata->state = WAITINGFORDATA; - break; - - case SERVERRETURNNOT200: - case IGNORESTREAM: - case ERROR: - default: - DEBUGOUT(D_CRITICAL, printf("ProcessServerHeader() unhandled response code (%d)\n", result)); - IgnoreStream(ruledata); - //cursor = end_of_data; - break; - } - break; - - case WAITINGFORDATA: - result = ReadFileData(&cursor, end_of_data, currentfile); - - switch(result) { - case WAITINGFORDATA: - // Nothing's changed regarding state - break; - - case WAITINGFORRESPONSEHEADER: - - DEBUGOUT((D_DEBUG | D_SERVER), printf("WE HAVE A COMPLETE FILE! ruledata=%p, streaminfoidx=%d\n", ruledata, ruledata->streaminfoidx)); - DEBUGOUT((D_DEBUG | D_SERVER), DumpFileInfoList(ruledata)); - - // This means we got all of our data. Call the detection function. - CallDetectionFunction(currentfile); - - // Get the current file off of the stack - PopFileInfo(ruledata); - - // And grab the next file on the list - if(fileinfolist[ruledata->streaminfoidx]) - currentfile = (fileinfolist[ruledata->streaminfoidx])->fileinfo; - else - currentfile = NULL; // ZDNOTE hm.... - - IgnoreStream(ruledata); // POC1 for now we're ignoring pipelining - - //cursor = end_of_data; - //ruledata->state = IGNORESTREAM; - break; - - default: - DEBUGOUT(D_CRITICAL, printf("ProcessFromServer Unhandled response from ReadFileData (%d)\n", result)); - IgnoreStream(ruledata); - //cursor = end_of_data; - break; - } - - break; - - case SKIPTONEXTRESPONSE: - // Read data, skipping until we find a server response. - // We can totally cheat if we know a content length. 
-// break; - - default: - DEBUGOUT(D_CRITICAL, printf("ProcessFromServer Unhandled ruledate state (%d). Bailing.\n", ruledata->state)); - IgnoreStream(ruledata); - //cursor = end_of_data; - break; - } - } - -// _dpd.alertAdd(GENERATOR_NRT, DST_PORT_MATCH, -// 1, 0, 3, DST_PORT_MATCH_STR, 0); - - if(IsStreamIgnored(ruledata)) - return(-1); - else - return(0); -} - - -// Partially debug / hackery, partially something we'll probably want to keep -void IgnoreStream(RULEDATA *ruledata) { - - if(ruledata == NULL) - return; - - DEBUGOUT((D_DEBUG | D_SERVER), printf("Clearing streaminfoidx %d (%p)\n", ruledata->streaminfoidx, ruledata)); - DEBUGOUT((D_DEBUG | D_SERVER), DumpFileInfoList(ruledata)); - - // Set state to ignore and clear out the list - ruledata->state = IGNORESTREAM; - - FreeFileInfoList(ruledata); - -// if(ruledata->streaminfoidx == INVALIDSTREAMIDX) { -// DEBUGOUT((D_DEBUG | D_SERVER), printf(" INVALIDSTREAMIDX, exiting\n")); -// return; -// } -// -// while(fileinfolist[ruledata->streaminfoidx]) { -// DEBUGOUT((D_DEBUG | D_SERVER), printf(" popping %s\n", (fileinfolist[ruledata->streaminfoidx])->fileinfo->url)); -// -// DeleteFileInfoListHead(ruledata); -//// printf("ZDNOTE MEMORY LEAK! Setting pointer to NULL.\n"); -//// fileinfolist[ruledata->streaminfoidx] = NULL; -// } -// -// ruledata->streaminfoidx = INVALIDSTREAMIDX; -} - -int IsStreamIgnored(RULEDATA *ruledata) { - if(ruledata == NULL || ruledata->state == IGNORESTREAM || ruledata->streaminfoidx == INVALIDSTREAMIDX) - return(1); - - return(0); -} - - - - - - - Deleted: trunk/collection-nuggets/saac/rzb_http-server.h =================================================================== --- trunk/collection-nuggets/saac/rzb_http-server.h 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/rzb_http-server.h 2011-01-07 19:05:17 UTC (rev 37) 
@@ -1,52 +0,0 @@ -#ifndef NRT_SERVER_H -#define NRT_SERVER_H - -//#include "stream_api.h" -//#include "decode.h" - -//#include "nrt_client.h" -//#include "nrt_debug.h" -//#include "nrt_fileinfo.h" -#include "rzb_global.h" -//#include "nrt_server.h" -//#include "spp_nrt.h" - -typedef struct _FILEINFO -{ - char url[URLLEN]; - char hostname[HOSTNAMELEN]; - struct in_addr saddr; - struct in_addr daddr; - unsigned int filesize; - unsigned int amountstored; - unsigned int bufferindex; - unsigned char *filedata; - unsigned char md5[RZB_HASH_SIZE]; - int alert; -} FILEINFO; - -typedef struct _FILEINFOLISTELEM -{ - FILEINFO *fileinfo; - struct _FILEINFOLISTELEM *next; -} FILEINFOLISTELEM; - -enum filereadstatus { ERROR = -1, WAITINGFORRESPONSEHEADER = 1, SERVERRETURNNOT200, SKIPTONEXTRESPONSE, WAITINGFORDATA, IGNORESTREAM }; - -typedef struct _RULEDATA -{ - u_int32_t sid; - u_int32_t streaminfoidx; - enum filereadstatus state; -} RULEDATA; - -int ProcessFromServer(Packet *, RZBConfig *); -enum filereadstatus ProcessServerHeader(const u_int8_t **, const u_int8_t *, FILEINFO *); -enum filereadstatus ReadFileData(const u_int8_t **, const u_int8_t *, FILEINFO *); -int SkipToEndOfHTTPHeader(const u_int8_t **, const u_int8_t *); -int CallDetectionFunction(FILEINFO *); - -int IsStreamIgnored(RULEDATA *); -void IgnoreStream(RULEDATA *); - -#endif Deleted: trunk/collection-nuggets/saac/rzb_smtp-collector.c =================================================================== --- trunk/collection-nuggets/saac/rzb_smtp-collector.c 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/rzb_smtp-collector.c 2011-01-07 19:05:17 UTC (rev 37) 
@@ -1,259 +0,0 @@ -//#include "sf_snort_plugin_api.h" -//#include "sf_snort_packet.h" - -#include <errno.h> -#include <string.h> -#include <ctype.h> - -#include "rzb_global.h" -#include "rzb_api.h" -#include "stream_api.h" -#include "decode.h" -#include "rzb_smtp-collector.h" -#include "spp_rzb-collector-dispatch.h" - -#ifndef RULE_MATCH - #define RULE_MATCH 1 -#endif - -#ifndef RULE_NOMATCH - #define RULE_NOMATCH -1 -#endif - -#define SMTPDUMPERID 2525 - -#define DISPLAY_DEMO_OUTPUT - -void prettyprint(const unsigned char *data, unsigned int size) { - unsigned int i; - const unsigned char *dataptr = data; - unsigned char asciigraph[17]; - - memset(asciigraph, '\x00', 17); - - //printf("Datasize: %d\n", size); - -#ifdef PACKETDUMPSIZE - size = (size > PACKETDUMPSIZE) ? PACKETDUMPSIZE : size; -#endif - - for(i=0; i < size; i++, dataptr++) { - printf("%02x ", *dataptr); - asciigraph[i % 16] = (isgraph(*dataptr) || (*dataptr == ' ')) ? *dataptr : '.'; - - if(i % 16 == 15) { - printf("%s\n", asciigraph); - memset(asciigraph, '\x00', 17); - } - } - - // Dump any remaining data - if(i % 16) { - printf("%*s", (16 - (i%16)) * 3, " "); - printf("%s\n", asciigraph); - } -} - - -#define SMTPCAP_INITSIZE 30000 -#define SMTPCAP_MAXSIZE 15000000 - - -typedef struct { - u_int32_t sid; - u_int32_t totalsize; - u_int32_t storedsize; - u_int8_t *clientdata; -} smtpcapture; - - -void smtpdumper_freedata(smtpcapture *sessiondata) { - - //printf("SMTPDUMP smtpdumper_freedata enter\n"); - - if(!sessiondata) { - //printf("SMTPDUMP sessiondata is NULL!\n"); - return; - } - - if(sessiondata->clientdata) { - free(sessiondata->clientdata); - } else { - //printf("SMTPDUMP sessiondata->clientdata is NULL!\n"); - } - - free(sessiondata); -} - -void smtpdumper_calldetection(void *dataptr) { - - BLOCK_META_DATA *mdata = NULL; - - uuid_t myuuid; - - smtpcapture *smtpcapturedata = (smtpcapture*)dataptr; - - //printf("SMTPDUMP smtpdumper_calldetection enter\n"); - - if(!dataptr) { - 
//printf("SMTPDUMP dataptr is NULL!\n"); - return; - } - - if(smtpcapturedata->clientdata) { - -// printf("SMTPDUMP Calling sendData() with the following data (%d bytes):\n\n", ((smtpcapture*)(dataptr))->storedsize); -#ifdef DISPLAY_DEMO_OUTPUT - prettyprint(((smtpcapture*)(dataptr))->clientdata, ((smtpcapture*)(dataptr))->storedsize); - printf("\n\n"); -#endif - - if ((mdata = calloc(1, sizeof(BLOCK_META_DATA))) == NULL) - return; - - // Fill in the required fields - mdata->timestamp = (unsigned int)time(NULL); - mdata->data = ((smtpcapture*)(dataptr))->clientdata; - mdata->size = ((smtpcapture*)(dataptr))->storedsize; - mdata->src_ip.s_addr = 0x01010101; - mdata->dst_ip.s_addr = 0x02020202; - mdata->ip_proto = 6; - mdata->src_port = 25; - mdata->dst_port = 8000; - - uuid_copy(mdata->datatype, MAIL_CAPTURE); - - rzb_collection.sendData(mdata); //0/*eventid*/, ((smtpcapture*)(dataptr))->clientdata, ((smtpcapture*)(dataptr))->storedsize, MAIL_CAPTURE); - - } else { - //printf("SMTPDUMP dataptr->clientdata is NULL!\n"); - } - - //printf("SMTPDUMP Freeing session data\n"); - // Data is freed by sendData; we just need to clear out the rest of the structure. 
- // We can accomplish this by setting clientdata to NULL so we don't do the doublefree - ((smtpcapture*)(dataptr))->clientdata = NULL; - smtpdumper_freedata((smtpcapture*)dataptr); - -} - - -/* detection functions */ -int smtpdumpereval(void *p, RZBConfig *config) { - const u_int8_t *cursor_normal, *end_of_payload = 0; - Packet *sp = (Packet *) p; - - smtpcapture *sessiondata = NULL; - u_int8_t *tmpdataptr; // For realloc()s - - u_int32_t incoming_data_size = 0; - - //printf("SMTPDUMP smtpdumpereval enter\n"); - - if(sp == NULL) - return RULE_NOMATCH; - - if(sp->data == NULL) - return RULE_NOMATCH; - - // flow:established, to_server; -// if(checkFlow(p, smtpdumperoptions[0]->option_u.flowFlags) <= 0 ) -// return RULE_NOMATCH; - - sessiondata = (smtpcapture*)getRuleData(p); - - //printf("SMTPDUMP sessiondata = %p\n", sessiondata); - - if(sessiondata) { - if(sessiondata->sid != SMTPDUMPERID) { - printf("SMTPDUMP Someone else's data!\n"); - return RULE_NOMATCH; - } - - if(sessiondata->storedsize >= SMTPCAP_MAXSIZE) { - printf("SMTPDUMP Already have SMTPCAP_MAXSIZE(%d) bytes of data\n", SMTPCAP_MAXSIZE); - return RULE_NOMATCH; - } - } else { - - sessiondata = (smtpcapture*)calloc(1, sizeof(smtpcapture)); - - if(!sessiondata) { - printf("SMTPDUMP sessiondata malloc failed!\n"); - return RULE_NOMATCH; - } - - sessiondata->sid = SMTPDUMPERID; - sessiondata->clientdata = (u_int8_t*)malloc(SMTPCAP_INITSIZE); - - if(!sessiondata->clientdata) { - printf("SMTPDUMP sessiondata->clientdata malloc failed!\n"); - smtpdumper_freedata(sessiondata); - return RULE_NOMATCH; - } - - sessiondata->totalsize = SMTPCAP_INITSIZE; - sessiondata->storedsize = 0; - - //printf("SMTPDUMP storing rule data\n"); - - storeRuleData(p, sessiondata, &smtpdumper_calldetection); - //printf("SMTPDUMP stored rule data\n"); - } - -// if(getBuffer(p, CONTENT_BUF_NORMALIZED, &cursor_normal, &end_of_payload) <= 0) { -// printf("SMTPDUMP getBuffer() failed!!\n"); -// -// smtpdumper_freedata(sessiondata); -// 
return RULE_NOMATCH; -// } - - cursor_normal = sp->data; - end_of_payload = sp->data + sp->dsize; - - incoming_data_size = sp->dsize; //end_of_payload - cursor_normal; - - //printf("SMTPDUMP incoming_data_size = %d\n", incoming_data_size); - - // Check if we have enough room for the incoming data - if(incoming_data_size > (sessiondata->totalsize - sessiondata->storedsize)) { - // We've previously ensured we are not already overcapped on data - - //printf("SMTPDUMP reallocating to %d bytes\n", sessiondata->totalsize * 2); - - // Double our amount of storage - tmpdataptr = realloc(sessiondata->clientdata, sessiondata->totalsize * 2); - - if(!tmpdataptr) { - // If there is not enough available memory, realloc() returns a null pointer and sets errno to [ENOMEM]. - if(errno == ENOMEM) { - smtpdumper_freedata(sessiondata); - return(RULE_NOMATCH); - } else { - printf("SMTPDUMP realloc() failed but I dunno wtf\n"); - smtpdumper_freedata(sessiondata); - return(RULE_NOMATCH); - } - } - - sessiondata->clientdata = tmpdataptr; - sessiondata->totalsize *= 2; - - //printf("SMTPDUMP totalsize is now %d\n", sessiondata->totalsize); - } - - // We have enough room, so store the data - //printf("SMTPDUMP storing %d bytes at %p\n", incoming_data_size, &((sessiondata->clientdata)[sessiondata->storedsize])); - memcpy(&((sessiondata->clientdata)[sessiondata->storedsize]), cursor_normal, incoming_data_size); - sessiondata->storedsize += incoming_data_size; - //printf("SMTPDUMP stored size is now %d\n", sessiondata->storedsize); - - return RULE_NOMATCH; -} - -/* -Rule *rules[] = { - &smtpdumper, - NULL -}; -*/ Deleted: trunk/collection-nuggets/saac/rzb_smtp-collector.h =================================================================== --- trunk/collection-nuggets/saac/rzb_smtp-collector.h 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/rzb_smtp-collector.h 2011-01-07 19:05:17 UTC (rev 37) 
@@ -1,9 +0,0 @@ - -#ifndef __RZB_SMTP_DUMP_H__ -#define __RZB_SMTP_DUMP_H__ - -#include "spp_rzb-collector-dispatch.h" - -int smtpdumpereval(void *, RZBConfig *); - -#endif // __RZB_SMTP_DUMP_H__ Deleted: trunk/collection-nuggets/saac/snort-2.8.6-saac.diff =================================================================== --- trunk/collection-nuggets/saac/snort-2.8.6-saac.diff 2010-12-08 22:13:21 UTC (rev 36) +++ trunk/collection-nuggets/saac/snort-2.8.6-saac.diff 2011-01-07 19:05:17 UTC (rev 37) 
@@ -1,37349 +0,0 @@ -diff -urN snort-2.8.6/aclocal.m4 snort-2.8.6-saac/aclocal.m4 ---- snort-2.8.6/aclocal.m4 2010-03-19 14:57:54.000000000 -0400 -+++ snort-2.8.6-saac/aclocal.m4 2010-09-01 15:03:41.731379000 -0400 -@@ -13,8 +13,8 @@ - - m4_ifndef([AC_AUTOCONF_VERSION], - [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl --m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.63],, --[m4_warning([this file was generated for autoconf 2.63. -+m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.64],, -+[m4_warning([this file was generated for autoconf 2.64. - You have another version of autoconf. It may work, but is not guaranteed to. - If you have problems, you may need to regenerate the build system entirely. - To do so, use the procedure documented by the package, typically `autoreconf'.])]) -@@ -2485,13 +2485,10 @@ - # before this can be enabled. - hardcode_into_libs=yes - -- # Add ABI-specific directories to the system library path. -- sys_lib_dlsearch_path_spec="/lib64 /usr/lib64 /lib /usr/lib" -- - # Append ld.so.conf contents to the search path - if test -f /etc/ld.so.conf; then - lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;/^$/d' | tr '\n' ' '` -- sys_lib_dlsearch_path_spec="$sys_lib_dlsearch_path_spec $lt_ld_extra" -+ sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" - fi - - # We used to test for /lib/ld.so.1 and disable shared libraries on -@@ -2503,6 +2500,18 @@ - dynamic_linker='GNU/Linux ld.so' - ;; - -+netbsdelf*-gnu) -+ version_type=linux -+ need_lib_prefix=no -+ need_version=no -+ library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' -+ soname_spec='${libname}${release}${shared_ext}$major' -+ shlibpath_var=LD_LIBRARY_PATH -+ shlibpath_overrides_runpath=no -+ hardcode_into_libs=yes -+ 
dynamic_linker='NetBSD ld.elf_so' -+ ;; -+ - netbsd*) - version_type=sunos - need_lib_prefix=no -@@ -3094,7 +3103,7 @@ - lt_cv_deplibs_check_method=pass_all - ;; - --netbsd*) -+netbsd* | netbsdelf*-gnu) - if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then - lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' - else -@@ -3775,7 +3784,7 @@ - ;; - esac - ;; -- netbsd*) -+ netbsd* | netbsdelf*-gnu) - ;; - *qnx* | *nto*) - # QNX uses GNU C++, but need to define -shared option too, otherwise -@@ -4200,6 +4209,9 @@ - cygwin* | mingw* | cegcc*) - _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;/^.*[[ ]]__nm__/s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols' - ;; -+ linux* | k*bsd*-gnu) -+ _LT_TAGVAR(link_all_deplibs, $1)=no -+ ;; - *) - _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' - ;; -@@ -4264,6 +4276,9 @@ - openbsd*) - with_gnu_ld=no - ;; -+ linux* | k*bsd*-gnu) -+ _LT_TAGVAR(link_all_deplibs, $1)=no -+ ;; - esac - - _LT_TAGVAR(ld_shlibs, $1)=yes -@@ -4446,7 +4461,7 @@ - fi - ;; - -- netbsd*) -+ netbsd* | netbsdelf*-gnu) - if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then - _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' - wlarc= -@@ -4621,6 +4636,7 @@ - if test "$aix_use_runtimelinking" = yes; then - shared_flag="$shared_flag "'${wl}-G' - fi -+ _LT_TAGVAR(link_all_deplibs, $1)=no - else - # not using gcc - if test "$host_cpu" = ia64; then -@@ -4859,7 +4875,7 @@ - _LT_TAGVAR(link_all_deplibs, $1)=yes - ;; - -- netbsd*) -+ netbsd* | netbsdelf*-gnu) - if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then - _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out - else 
-@@ -7968,6 +7984,164 @@ - m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])]) - m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])]) - -+# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -+# -+# Copyright © 2004 Scott James Remnant <sc...@ne...>. -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation; either version 2 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, but -+# WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+# General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program; if not, write to the Free Software -+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -+# -+# As a special exception to the GNU General Public License, if you -+# distribute this file as part of a program that contains a -+# configuration script generated by Autoconf, you may include it under -+# the same distribution terms that you use for the rest of that program. 
-+ -+# PKG_PROG_PKG_CONFIG([MIN-VERSION]) -+# ---------------------------------- -+AC_DEFUN([PKG_PROG_PKG_CONFIG], -+[m4_pattern_forbid([^_?PKG_[A-Z_]+$]) -+m4_pattern_allow([^PKG_CONFIG(_PATH)?$]) -+AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility])dnl -+if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then -+ AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) -+fi -+if test -n "$PKG_CONFIG"; then -+ _pkg_min_version=m4_default([$1], [0.9.0]) -+ AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) -+ if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then -+ AC_MSG_RESULT([yes]) -+ else -+ AC_MSG_RESULT([no]) -+ PKG_CONFIG="" -+ fi -+ -+fi[]dnl -+])# PKG_PROG_PKG_CONFIG -+ -+# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) -+# -+# Check to see whether a particular set of modules exists. Similar -+# to PKG_CHECK_MODULES(), but does not set variables or print errors. -+# -+# -+# Similar to PKG_CHECK_MODULES, make sure that the first instance of -+# this or PKG_CHECK_MODULES is called, or make sure to call -+# PKG_CHECK_EXISTS manually -+# -------------------------------------------------------------- -+AC_DEFUN([PKG_CHECK_EXISTS], -+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl -+if test -n "$PKG_CONFIG" && \ -+ AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then -+ m4_ifval([$2], [$2], [:]) -+m4_ifvaln([$3], [else -+ $3])dnl -+fi]) -+ -+ -+# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) -+# --------------------------------------------- -+m4_define([_PKG_CONFIG], -+[if test -n "$PKG_CONFIG"; then -+ if test -n "$$1"; then -+ pkg_cv_[]$1="$$1" -+ else -+ PKG_CHECK_EXISTS([$3], -+ [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null`], -+ [pkg_failed=yes]) -+ fi -+else -+ pkg_failed=untried -+fi[]dnl -+])# _PKG_CONFIG -+ -+# _PKG_SHORT_ERRORS_SUPPORTED -+# ----------------------------- -+AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], -+[AC_REQUIRE([PKG_PROG_PKG_CONFIG]) -+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then -+ 
_pkg_short_errors_supported=yes -+else -+ _pkg_short_errors_supported=no -+fi[]dnl -+])# _PKG_SHORT_ERRORS_SUPPORTED -+ -+ -+# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], -+# [ACTION-IF-NOT-FOUND]) -+# -+# -+# Note that if there is a possibility the first call to -+# PKG_CHECK_MODULES might not happen, you should be sure to include an -+# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac -+# -+# -+# -------------------------------------------------------------- -+AC_DEFUN([PKG_CHECK_MODULES], -+[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl -+AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl -+AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl -+ -+pkg_failed=no -+AC_MSG_CHECKING([for $1]) -+ -+_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) -+_PKG_CONFIG([$1][_LIBS], [libs], [$2]) -+ -+m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS -+and $1[]_LIBS to avoid the need to call pkg-config. -+See the pkg-config man page for more details.]) -+ -+if test $pkg_failed = yes; then -+ _PKG_SHORT_ERRORS_SUPPORTED -+ if test $_pkg_short_errors_supported = yes; then -+ $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --errors-to-stdout --print-errors "$2"` -+ else -+ $1[]_PKG_ERRORS=`$PKG_CONFIG --errors-to-stdout --print-errors "$2"` -+ fi -+ # Put the nasty error message in config.log where it belongs -+ echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD -+ -+ ifelse([$4], , [AC_MSG_ERROR(dnl -+[Package requirements ($2) were not met: -+ -+$$1_PKG_ERRORS -+ -+Consider adjusting the PKG_CONFIG_PATH environment variable if you -+installed software in a non-standard prefix. -+ -+_PKG_TEXT -+])], -+ [AC_MSG_RESULT([no]) -+ $4]) -+elif test $pkg_failed = untried; then -+ ifelse([$4], , [AC_MSG_FAILURE(dnl -+[The pkg-config script could not be found or is too old. Make sure it -+is in your PATH or set the PKG_CONFIG environment variable to the full -+path to pkg-config. 
-+ -+_PKG_TEXT -+ -+To get pkg-config, see <http://pkg-config.freedesktop.org/>.])], -+ [$4]) -+else -+ $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS -+ $1[]_LIBS=$pkg_cv_[]$1[]_LIBS -+ AC_MSG_RESULT([yes]) -+ ifelse([$3], , :, [$3]) -+fi[]dnl -+])# PKG_CHECK_MODULES -+ - # Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. - # - # This file is free software; the Free Software Foundation -diff -urN snort-2.8.6/config.h.in snort-2.8.6-saac/config.h.in ---- snort-2.8.6/config.h.in 2010-03-19 14:57:57.000000000 -0400 -+++ snort-2.8.6-saac/config.h.in 2010-09-01 14:40:52.000000000 -0400 -@@ -257,6 +257,9 @@ - /* Define to the one symbol short name of this package. */ - #undef PACKAGE_TARNAME - -+/* Define to the home page for this package. */ -+#undef PACKAGE_URL -+ - /* Define to the version of this package. */ - #undef PACKAGE_VERSION - -diff -urN snort-2.8.6/configure snort-2.8.6-saac/configure ---- snort-2.8.6/configure 2010-03-19 14:58:11.000000000 -0400 -+++ snort-2.8.6-saac/configure 2010-09-01 15:04:03.167553000 -0400 -@@ -1,18 +1,20 @@ - #! /bin/sh - # Guess values for system-dependent variables and create Makefiles. --# Generated by GNU Autoconf 2.63. -+# Generated by GNU Autoconf 2.64. - # - # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, --# 2002, 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. -+# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software -+# Foundation, Inc. -+# - # This configure script is free software; the Free Software Foundation - # gives unlimited permission to copy, distribute and modify it. --## --------------------- ## --## M4sh Initialization. ## --## --------------------- ## -+## -------------------- ## -+## M4sh Initialization. 
## -+## -------------------- ## - - # Be more Bourne compatible - DUALCASE=1; export DUALCASE # for MKS sh --if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then -+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : - emulate sh - NULLCMD=: - # Pre-4.2 versions of ... [truncated message content] |
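Review bot: deleting snort-2.8.6-saac.diff removes 37349 lines, and the visible hunks show that most of it was regenerated build-system output rather than SaaC preprocessor code: aclocal.m4 and configure moving from autoconf 2.63 to 2.64, libtool search-path and netbsdelf tweaks, and the whole pkg.m4 macro set appended to aclocal.m4. If the Snort integration patch is ever republished, keep it to the source changes and leave generated files to autoreconf, so reviewers can see what actually changed.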
From: Nigel H. <nho...@so...> - 2010-12-08 22:39:48
All,

The tar-balls for Razorback 0.1.3, the API for 0.1.3 and the NuggetFarm for 0.1.3 are now available for download from Sourceforge. You can get them all from https://sourceforge.net/projects/razorbacktm/files/

Thanks for using Razorback.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
From: <rde...@us...> - 2010-12-08 22:13:30
Revision: 36 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=36&view=rev Author: rdempster Date: 2010-12-08 22:13:21 +0000 (Wed, 08 Dec 2010) Log Message: ----------- The SaaC code is not compatible with the latest API. The SaaC is being integrated into snort. Added Paths: ----------- trunk/collection-nuggets/saac/OBSOLETE Added: trunk/collection-nuggets/saac/OBSOLETE =================================================================== --- trunk/collection-nuggets/saac/OBSOLETE (rev 0) +++ trunk/collection-nuggets/saac/OBSOLETE 2010-12-08 22:13:21 UTC (rev 36) @@ -0,0 +1,2 @@ +This code is no longer maintained. The Razorback SaaC is being integrated into +the Snort 2.9 code base. Please monitor http://www.snort.org for the release. This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <rde...@us...> - 2010-12-06 16:08:23
Revision: 35 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=35&view=rev Author: rdempster Date: 2010-12-06 16:08:14 +0000 (Mon, 06 Dec 2010) Log Message: ----------- Sync with latest API. Modified Paths: -------------- trunk/collection-nuggets/fsmonitor/fsmonitor.c trunk/collection-nuggets/fswalk/fswalk.c trunk/collection-nuggets/saac/rzb_http-client.c trunk/collection-nuggets/saac/rzb_http-client.h trunk/collection-nuggets/saac/rzb_http-server.c trunk/collection-nuggets/saac/rzb_http-server.h trunk/collection-nuggets/saac/rzb_smtp-collector.c trunk/collection-nuggets/saac/rzb_smtp-collector.h trunk/collection-nuggets/saac/spp_rzb-collector-dispatch.c trunk/collection-nuggets/saac/spp_rzb-collector-dispatch.h trunk/detection-nuggets/clamav/ClamAVNugget.c trunk/detection-nuggets/libemu/libemu.c trunk/detection-nuggets/officecat/OfficeCatNugget.c trunk/detection-nuggets/smtp/buildit.sh trunk/detection-nuggets/smtp/smtp_parser.c trunk/detection-nuggets/swf/swf_scanner.c trunk/detection-nuggets/swf/swf_scanner.h trunk/detection-nuggets/virustotal/virustotal.c Removed Paths: ------------- trunk/detection-nuggets/smtp/smtpTestStub.c Modified: trunk/collection-nuggets/fsmonitor/fsmonitor.c =================================================================== --- trunk/collection-nuggets/fsmonitor/fsmonitor.c 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/collection-nuggets/fsmonitor/fsmonitor.c 2010-12-06 16:08:14 UTC (rev 35) @@ -7,13 +7,13 @@ #include <inotifytools/inotifytools.h> #include <inotifytools/inotify.h> #include <uuid/uuid.h> -#include <rzb_global.h> -#include <rzb_alert_util.h> -#include <rzb_conf.h> -#include <rzb_client.h> -#include <rzb_network.h> -#include <rzb_api.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> +#include <errno.h> +#include <rzb_collection_api.h> + #define MAX_FILE_NAME 1024 static volatile sig_atomic_t halt_processing = 0; 
@@ -67,7 +67,10 @@ } -int main(int argc, char *argv[]) { +UUID_DEFINE(FSMONITOR_NUGGET, 0xb1, 0x85, 0x6e, 0x90, 0xaf, 0xb1, 0x11, 0xdf, 0xa7, 0xb9, 0xdb, 0x6c, 0xe9, 0x2e, 0x17, 0xa0); + +int main(int argc, char *argv[]) +{ int i; struct inotify_event *event; char filename[MAX_FILE_NAME]; @@ -100,13 +103,13 @@ signal(SIGQUIT, cleanup); // Read in the config - readConfig(&nrtconfig, "rzb.conf"); + rzb_collection.initRZB("rzb.conf"); // We'll need this later to randomize our port //srand(time(NULL)); // Register ourselves as a nugget - //registerNugget(COLLECTOR, TESTCOLLECT, NO_DATA_TYPE, ((rand() % 30000) + 30000), 1, 0, "file-monitor-collector"); + //registerNugget(COLLECTOR, FSMONITOR_NUGGET, NO_DATA_TYPE, ((rand() % 30000) + 30000), 1, 0, "file-monitor-collector"); // Read all of the events and send any files being written to while(!halt_processing && (event = inotifytools_next_event(-1))) { @@ -133,7 +136,7 @@ metaData->timestamp = time(NULL); metaData->data = data; metaData->size = (unsigned)size; - uuid_copy(metaData->datatype, file_type_lookup(data, size)); + uuid_copy(metaData->datatype, rzb_collection.file_type_lookup(data, size)); // Required for now metaData->ip_proto = 6; @@ -144,7 +147,7 @@ // Finally, send the data (sendData will free) if(uuid_compare(metaData->datatype, NO_DATA_TYPE) != 0) { - sendData(metaData); + rzb_collection.sendData(metaData); } else { free(metaData->data); @@ -154,6 +157,7 @@ } printf("\nCleaning up and shutting down\n"); + rzb_collection.finiRZB(30); inotifytools_cleanup(); return 0; Modified: trunk/collection-nuggets/fswalk/fswalk.c =================================================================== --- trunk/collection-nuggets/fswalk/fswalk.c 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/collection-nuggets/fswalk/fswalk.c 2010-12-06 16:08:14 UTC (rev 35) 
@@ -13,20 +13,20 @@ 2010 - Ted Bedwell - tbe...@so... */ -#include "rzb_api.h" -#include "rzb_global.h" -#include "rzb_conf.h" -#include "rzb_client.h" -#include "rzb_network.h" #include <uuid/uuid.h> #include <time.h> #include <ftw.h> #include <string.h> #include <stdio.h> #include <stdlib.h> +#include <sys/types.h> #include <sys/stat.h> +#include <unistd.h> #include <arpa/inet.h> +#include <errno.h> +#include "rzb_collection_api.h" + #define MAX_FILE_SIZE (100*1024*1024) int processNode(const char *name, const struct stat *status, int type); @@ -38,6 +38,7 @@ int ext_len=0; uuid_t nugType; +UUID_DEFINE(FSWALK_NUGGET, 0xfb, 0xd7, 0x3e, 0x9a, 0xb5, 0x21, 0x11, 0xdf, 0x98, 0x21, 0x00, 0x1c, 0x23, 0x09, 0xdb, 0xa9); int main(int argc, char *argv[]) { @@ -78,13 +79,15 @@ } // Setup the RZB connection - readConfig(&nrtconfig, "rzb.conf"); + rzb_collection.initRZB("rzb.conf"); srand(time(NULL)); //registerNugget(COLLECTOR, FSWALK_NUGGET, nugType, ((rand() % 30000) + 30000), 1, 0, "rzb-fswalk", &nuggetid); // I go walkin' after midnight out in the moonlight.... ftw(argv[1], processNode, 1); + rzb_collection.finiRZB(30); + exit(EXIT_SUCCESS); } @@ -92,7 +95,7 @@ // ftw callback that looks for files with the provided extension int processNode(const char *name, const struct stat *status, int type) { int name_len, offset; - + if (type == FTW_F) { name_len = strlen(name); @@ -102,7 +105,7 @@ if (!strncasecmp(file_ext, (name + offset), ext_len)) { - printf("Found - %s\n",name); + printf("Found - %s\n",name); fireToDispatcher(name); } } 
@@ -163,8 +166,8 @@ uuid_copy(metaData->datatype, nugType); inet_pton(AF_INET, "127.0.0.1", &metaData->dst_ip); inet_pton(AF_INET, "127.0.0.1", &metaData->src_ip); - - sendData(metaData); + + rzb_collection.sendData(metaData); sleep(1); } Modified: trunk/collection-nuggets/saac/rzb_http-client.c =================================================================== --- trunk/collection-nuggets/saac/rzb_http-client.c 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/collection-nuggets/saac/rzb_http-client.c 2010-12-06 16:08:14 UTC (rev 35) @@ -37,7 +37,7 @@ for(i = 0; i < NUM_HTTP_PCRES; i++) { // /*DEBUGOUT((D_CLIENT | D_INFO),*/printf("Initializing PCRE %d: %s\n", i, http_pcre_strings[i]);//); - + http_pcre_structs[i].re = pcre_compile(http_pcre_strings[i], PCRE_CASELESS | PCRE_DOTALL | PCRE_MULTILINE, &error, &erroffset, NULL); if(http_pcre_structs[i].re == NULL) { @@ -71,26 +71,26 @@ if(result < 0 || result == PCRE_ERROR_NOMATCH) { // printf("pcre not found\n"); return(-1); // We need to find the URL or this isn't a valid request - } + } if(valuebuf) { result = pcre_get_substring((const char *)buf, ovector, result, substringnum, &tmpstring); if(result < 0) { // printf("unable to extract substring\n"); return(-2); - } + } strncpy(valuebuf, tmpstring, valuelen); valuebuf[valuelen-1] = '\0'; pcre_free_substring(tmpstring); - return(strlen(valuebuf)); + return(strlen(valuebuf)); } return(0); } - + int ParseClientRequest(const u_int8_t *payload, u_int32_t payload_size, WEB_ENTRY* webentry) { u_int32_t offset_eoh = 0; @@ -148,7 +148,7 @@ return(1); } -int ProcessFromClient(Packet *sp, NRTConfig *config) { +int ProcessFromClient(Packet *sp, RZBConfig *config) { RULEDATA *ruledata; WEB_ENTRY webentry; 
@@ -230,7 +230,7 @@ DEBUGOUT((D_CLIENT | D_WARN), DumpFileInfoList(ruledata)); // _dpd.alertAdd(GENERATOR_NRT, DST_PORT_MATCH, -// 1, 0, 3, DST_PORT_MATCH_STR, 0); +// 1, 0, 3, DST_PORT_MATCH_STR, 0); return(0); } Modified: trunk/collection-nuggets/saac/rzb_http-client.h =================================================================== --- trunk/collection-nuggets/saac/rzb_http-client.h 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/collection-nuggets/saac/rzb_http-client.h 2010-12-06 16:08:14 UTC (rev 35) @@ -14,7 +14,7 @@ #include "rzb_intel_global.h" int ParseClientRequest(const u_int8_t *, u_int32_t, WEB_ENTRY*); -int ProcessFromClient(Packet *, NRTConfig *); +int ProcessFromClient(Packet *, RZBConfig *); int init_HTTP_PCREs(void); #endif Modified: trunk/collection-nuggets/saac/rzb_http-server.c =================================================================== --- trunk/collection-nuggets/saac/rzb_http-server.c 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/collection-nuggets/saac/rzb_http-server.c 2010-12-06 16:08:14 UTC (rev 35) @@ -104,25 +104,21 @@ const unsigned char *tmp; // Init the metadata structure - if((mdata = malloc(sizeof(BLOCK_META_DATA))) == NULL) { + if((mdata = calloc(1, sizeof(*mdata))) == NULL) { perror("Error allocating mdata\n"); return -1; } - // Zero out the structure - memset(mdata, 0, sizeof(BLOCK_META_DATA)); - // Fill in the required fields mdata->timestamp = (unsigned int)time(NULL); mdata->data = fileinfo->filedata; mdata->size = fileinfo->filesize; - mdata->parent_data = NULL; mdata->src_ip.s_addr = 0x01010101; mdata->dst_ip.s_addr = 0x02020202; mdata->ip_proto = 6; mdata->src_port = 25; mdata->dst_port = 8000; - tmp = file_type_lookup(fileinfo->filedata, sizeof(fileinfo->filedata)); + tmp = file_type_lookup(fileinfo->filedata, fileinfo->filesize); uuid_copy(mdata->datatype, tmp); // DEBUGOUT((D_DETECT | D_INFO), printf("CallDetectionFunction enter\n")); 
@@ -131,41 +127,11 @@ printf("Calling detection function with following file information:\n"); DumpFileInfo(fileinfo); - rzb_collector.sendData(mdata); + rzb_collection.sendData(mdata); fileinfo->filedata = NULL; fileinfo->filesize = 0; -// (*httpcollector->sendData)(0/*eventid*/, fileinfo->filedata, fileinfo->filesize, NO_DATA_TYPE); -// unsigned int retval; -// -// if (numthreads < maxthreads) { -// THREADARGS *threadargs = (THREADARGS *)malloc(sizeof(THREADARGS)); -// threadargs->fileinfo = fileinfo; -// DEBUGOUT((D_FILE | D_DEBUG), printf("Opening thread for: %s\n", fileinfo->url)); -// DEBUGOUT((D_FILE | D_DEBUG), printf("%d threads open\n", numthreads)); -// -// pthread_mutex_lock(&trackingmutex); -// threadargs->threadindex = freethreads[nextfreethread]; -// retval = pthread_create(&thread[freethreads[nextfreethread--]], &attr, (void *)&threadme, (void *)threadargs); -// if(!retval) -// numthreads++; -// else { -// printf("pthread_create() failed! (retval=%d) ", retval); -// printf(" numfileinfostructsinuse=%d\n", numfileinfostructsinuse); -// free(threadargs); -// FreeFileInfo(fileinfo); -// } -// pthread_mutex_unlock(&trackingmutex); -// } -// else { -// printf("\nThread dropped!\n"); -// FreeFileInfo(fileinfo); -// } - - // Remember to not free file data if successfully call sendData() -// ZDNOTE HUGE FUCKING MEMORY LEAK RIGHT HERE FO SHIZZLE FreeFileInfo(fileinfo); - return(0); } @@ -275,7 +241,7 @@ } -int ProcessFromServer(Packet *sp, NRTConfig *config) { +int ProcessFromServer(Packet *sp, RZBConfig *config) { RULEDATA *ruledata; int result; Modified: trunk/collection-nuggets/saac/rzb_http-server.h =================================================================== --- trunk/collection-nuggets/saac/rzb_http-server.h 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/collection-nuggets/saac/rzb_http-server.h 2010-12-06 16:08:14 UTC (rev 35) 
@@ -21,7 +21,7 @@ unsigned int amountstored; unsigned int bufferindex; unsigned char *filedata; - unsigned char md5[MD5_SIZE]; + unsigned char md5[RZB_HASH_SIZE]; int alert; } FILEINFO; @@ -40,7 +40,7 @@ enum filereadstatus state; } RULEDATA; -int ProcessFromServer(Packet *, NRTConfig *); +int ProcessFromServer(Packet *, RZBConfig *); enum filereadstatus ProcessServerHeader(const u_int8_t **, const u_int8_t *, FILEINFO *); enum filereadstatus ReadFileData(const u_int8_t **, const u_int8_t *, FILEINFO *); int SkipToEndOfHTTPHeader(const u_int8_t **, const u_int8_t *); Modified: trunk/collection-nuggets/saac/rzb_smtp-collector.c =================================================================== --- trunk/collection-nuggets/saac/rzb_smtp-collector.c 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/collection-nuggets/saac/rzb_smtp-collector.c 2010-12-06 16:08:14 UTC (rev 35) 
@@ -108,31 +108,23 @@ printf("\n\n"); #endif - mdata = calloc(1, sizeof(BLOCK_META_DATA)); - // Zero out the structure - //memset(mdata, 0, sizeof(BLOCK_META_DATA)); + if ((mdata = calloc(1, sizeof(BLOCK_META_DATA))) == NULL) + return; // Fill in the required fields mdata->timestamp = (unsigned int)time(NULL); mdata->data = ((smtpcapture*)(dataptr))->clientdata; mdata->size = ((smtpcapture*)(dataptr))->storedsize; - mdata->parent_data = NULL; mdata->src_ip.s_addr = 0x01010101; mdata->dst_ip.s_addr = 0x02020202; mdata->ip_proto = 6; mdata->src_port = 25; mdata->dst_port = 8000; -// if(uuid_parse(MAIL_CAP_API, myuuid) == -1) { -// printf("failed to parse UUID string\n"); -// return R_FAIL; -// } + uuid_copy(mdata->datatype, MAIL_CAPTURE); - uuid_parse("d147f215-128e-4746-a1e2-b6c978bb1869", myuuid); - uuid_copy(mdata->datatype, myuuid); + rzb_collection.sendData(mdata); //0/*eventid*/, ((smtpcapture*)(dataptr))->clientdata, ((smtpcapture*)(dataptr))->storedsize, MAIL_CAPTURE); - rzb_collector.sendData(mdata); //0/*eventid*/, ((smtpcapture*)(dataptr))->clientdata, ((smtpcapture*)(dataptr))->storedsize, MAIL_CAPTURE); - } else { //printf("SMTPDUMP dataptr->clientdata is NULL!\n"); } @@ -147,7 +139,7 @@ /* detection functions */ -int smtpdumpereval(void *p, NRTConfig *config) { +int smtpdumpereval(void *p, RZBConfig *config) { const u_int8_t *cursor_normal, *end_of_payload = 0; Packet *sp = (Packet *) p; Modified: trunk/collection-nuggets/saac/rzb_smtp-collector.h =================================================================== --- trunk/collection-nuggets/saac/rzb_smtp-collector.h 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/collection-nuggets/saac/rzb_smtp-collector.h 2010-12-06 16:08:14 UTC (rev 35) 
@@ -4,6 +4,6 @@ #include "spp_rzb-collector-dispatch.h" -int smtpdumpereval(void *, NRTConfig *); +int smtpdumpereval(void *, RZBConfig *); #endif // __RZB_SMTP_DUMP_H__ Modified: trunk/collection-nuggets/saac/spp_rzb-collector-dispatch.c =================================================================== --- trunk/collection-nuggets/saac/spp_rzb-collector-dispatch.c 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/collection-nuggets/saac/spp_rzb-collector-dispatch.c 2010-12-06 16:08:14 UTC (rev 35) @@ -76,15 +76,10 @@ void * dlHandle = NULL; // For the API library static void RZBCleanExit(int, void *); -static void ProcessArgs(NRTConfig *, char *); +static void ProcessArgs(RZBConfig *, char *); static void RZBProcess(Packet *, void *); -static void PrintConfig(NRTConfig *); +static void PrintConfig(RZBConfig *); -//ZDNOTE_API HRESULT (*registerCollector)(CollectorInfo *); -//ZDNOTE_API HRESULT (*checkResource)(uuid_t *, unsigned char *, uuid_t *); -//ZDNOTE_API HRESULT (*sendData)(uuid_t *, unsigned char *, unsigned int, uuid_t *); -//ZDNOTE_API HRESULT (*sendMetaData)(uuid_t *, unsigned char *, unsigned int, uuid_t *); - static tSfPolicyUserContextId rzb_config = NULL; /* list of function prototypes for this preprocessor */ @@ -101,8 +96,8 @@ printf("Razorback Snort Data Collector Initializing.\n"); - init_HTTP_PCREs(); - + init_HTTP_PCREs(); + } void __attribute__((destructor)) detect_fini() { 
@@ -121,21 +116,21 @@ void storeRuleData(void *p, void *data, RuleFreeFunc destructor) { Packet *pkt = (Packet *)p; if (stream_api && pkt) - stream_api->set_application_data(pkt->ssnptr, PP_RULES, data, destructor); + stream_api->set_application_data(pkt->ssnptr, PP_RULES, data, destructor); } -static void ProcessArgs(NRTConfig *rzb, char *args) +static void ProcessArgs(RZBConfig *rzb, char *args) { // char *arg; // printf("RZB ProcessArgs: There are no args. Goodbye.\n"); - + // if ((args == NULL) || (rzb == NULL)) // return; // // arg = strtok(args, " "); -// +// // while ( arg != NULL ) { // if ( !strncasecmp(arg, "configpath", sizeof("configpath")) ) { // arg = strtok(NULL, " "); @@ -145,7 +140,7 @@ //// printConfig(rzb); // } // else -// FatalError("%s(%d) => Unknown rzb option %s.\n", +// FatalError("%s(%d) => Unknown rzb option %s.\n", // file_name, file_line, arg); // // arg = strtok(NULL, " "); @@ -155,16 +150,16 @@ } -static void PrintConfig(NRTConfig *rzb) { +static void PrintConfig(RZBConfig *rzb) { // printf("RZB Configuration:\n"); // if (rzb == NULL) // return; } -static int RZBFreeConfigPolicy( tSfPolicyUserContextId rzb, +static int RZBFreeConfigPolicy( tSfPolicyUserContextId rzb, tSfPolicyId policyId, void* pData) { - NRTConfig *pPolicyConfig = (NRTConfig *)pData; + RZBConfig *pPolicyConfig = (RZBConfig *)pData; sfPolicyUserDataClear (rzb, policyId); free(pPolicyConfig); 
@@ -187,19 +182,19 @@ #ifdef SNORT_RELOAD static void RZBReload(char *args) { int policy_id = (int)getParserPolicy(); - NRTConfig *pPolicyConfig = NULL; + RZBConfig *pPolicyConfig = NULL; if (rzb_swap_config == NULL) rzb_swap_config = sfPolicyConfigCreate(); sfPolicyUserPolicySet (rzb_swap_config, policy_id); - pPolicyConfig = (NRTConfig *)sfPolicyUserDataGetCurrent(rzb_swap_config); - if (pPolicyConfig) + pPolicyConfig = (RZBConfig *)sfPolicyUserDataGetCurrent(rzb_swap_config); + if (pPolicyConfig) ParseError("RZB preprocessor can only be configured once.\n"); - pPolicyConfig = (NRTConfig *)SnortAlloc(sizeof(NRTConfig)); - if (!pPolicyConfig) + pPolicyConfig = (RZBConfig *)SnortAlloc(sizeof(RZBConfig)); + if (!pPolicyConfig) ParseError("RZB preprocessor: memory allocate failed.\n"); sfPolicyUserDataSetCurrent(rzb_swap_config, pPolicyConfig); @@ -230,22 +225,24 @@ +#define TESTCOLLECT (const unsigned char *)"\xec\x4a\x83\xcc\x7e\x92\x4d\xbf\xa3\x64\xb9\x0f\xf9\xf6\x05\x87" /* SF - Test Collector v.1 */ + void RZBProcess(Packet *p, void *context) { Packet *sp = (Packet *)p; - NRTConfig *config; + RZBConfig *config; // Get our configuration information // _dpd.alertAdd(GENERATOR_RZB, SRC_PORT_MATCH, // 1, 0, 3, SRC_PORT_MATCH_STR, 0); - + //printf("RZBProcess enter\n"); //if (!sp->iph || !(sp->proto_bits & PROTO_BIT__TCP)) if (sp->iph == NULL) - { + { /* Not for me, return */ //printf("Not for RZB\n"); return; @@ -253,7 +250,7 @@ // Only rebuilt packets from server if (sp->sp == 80 && !(sp->packet_flags & PKT_REBUILT_STREAM) && sp->dsize != 0) - { + { /* Source port matched, log alert */ // _dpd.alertAdd(GENERATOR_RZB, SRC_PORT_MATCH, // 1, 0, 3, SRC_PORT_MATCH_STR, 0); @@ -276,7 +273,7 @@ //EXAMPLE if(sp->dp == 25 && (sp->packet_flags & PKT_REBUILT_STREAM) && sp->dsize != 0) //EXAMPLE { //EXAMPLE printf("Processing rebuilt packet going to smtp server\n"); -//EXAMPLE +//EXAMPLE //EXAMPLE smtpdumpereval(sp, config); //EXAMPLE return; //EXAMPLE } 
@@ -284,7 +281,7 @@ if(sp->dp == 25 && (sp->packet_flags & PKT_REBUILT_STREAM) && sp->dsize != 0) { //printf("Processing rebuilt packet going to smtp server\n"); - + smtpdumpereval(sp, config); return; } @@ -294,7 +291,7 @@ static void RZBInit(char *args) { int policy_id = (int)getParserPolicy(); - NRTConfig *pPolicyConfig = NULL; + RZBConfig *pPolicyConfig = NULL; unsigned int nuggetid; //printf("RZBInit enter\n"); @@ -314,11 +311,11 @@ } sfPolicyUserPolicySet (rzb_config, policy_id); - pPolicyConfig = (NRTConfig *)sfPolicyUserDataGetCurrent(rzb_config); + pPolicyConfig = (RZBConfig *)sfPolicyUserDataGetCurrent(rzb_config); if (pPolicyConfig) ParseError("RZB preprocessor can only be configured once.\n"); - pPolicyConfig = (NRTConfig *)SnortAlloc(sizeof(NRTConfig)); + pPolicyConfig = (RZBConfig *)SnortAlloc(sizeof(RZBConfig)); if (!pPolicyConfig) ParseError("RZB preprocessor: memory allocate failed.\n"); 
@@ -326,34 +323,18 @@ ProcessArgs(pPolicyConfig, args); //printf("Adding RZBProcess to preproc list...\n"); - // Open the Collector API lib and set the global function pointers + // Open the Collector API lib and set the global function pointers AddFuncToPreprocList(RZBProcess, PRIORITY_TUNNEL, PP_SAAC, PROTO_BIT__TCP); -//printf("about to register\n"); - // Register with the Dispatcher (Should this be registerCollector() now? I think this API is not done, yet. -// (*collector->registerNugget)(DSRVADDR, DSRVPORT, COLLECTOR, TESTCOLLECT, MAIL_CAPTURE, /*3037*/3068, 1, 0, "dc-nf-68"); - readConfig(&nrtconfig, "rzb.conf"); + readConfig("rzb.conf"); registerNugget(COLLECTOR, TESTCOLLECT, MAIL_CAPTURE, /*3037*/3068, 1, 0, "Snort Collector", &nuggetid); - - - -//printf("registered\n"); - // Now tell all of our processors how to talk to the collector - -// printf("Contents of CollectionAPI:\n"); -// printf("\tcheckResource=%p\n", rzb_collector.checkResource); -// printf("\tsendData=%p\n", rzb_collector.sendData); -// printf("\tsendMetaData=%p\n", rzb_collector.sendMetaData); -// printf("\tregisterNugget=%p\n", rzb_collector.registerNugget); -// printf("\n"); - } void SetupRZB(void) { - /* link the preprocessor keyword to the init function in + /* link the preprocessor keyword to the init function in the preproc list */ #ifndef SNORT_RELOAD RegisterPreprocessor("rzb", RZBInit); Modified: trunk/collection-nuggets/saac/spp_rzb-collector-dispatch.h =================================================================== --- trunk/collection-nuggets/saac/spp_rzb-collector-dispatch.h 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/collection-nuggets/saac/spp_rzb-collector-dispatch.h 2010-12-06 16:08:14 UTC (rev 35) 
@@ -25,22 +25,14 @@ #include <uuid/uuid.h> -#include "rzb_global.h" // Fix path +#include "rzb_global.h" // Fix path #include "sf_dynamic_engine.h" void SetupRZB(void); -//typedef char * NRTConfig; - // Note the pointer to the destructor, ala 2.9.0.0 // Set to &free if you want default behavior void *getRuleData(void *); void storeRuleData(void *, void *, RuleFreeFunc); -// Function pointers to make collectors' lives easier -//extern HRESULT (*registerCollector)(CollectorInfo *); -//extern HRESULT (*checkResource)(uuid_t *, unsigned char *, uuid_t *); -//extern HRESULT (*sendData)(uuid_t *, unsigned char *, unsigned int, uuid_t *); -//extern HRESULT (*sendMetaData)(uuid_t *, unsigned char *, unsigned int, uuid_t *); - #endif /* __SPP_RZB_COLLECTOR_DISPATCH_H__ */ Modified: trunk/detection-nuggets/clamav/ClamAVNugget.c =================================================================== --- trunk/detection-nuggets/clamav/ClamAVNugget.c 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/detection-nuggets/clamav/ClamAVNugget.c 2010-12-06 16:08:14 UTC (rev 35) @@ -3,15 +3,11 @@ #include <stdint.h> #include <sys/mount.h> #include <string.h> -#include "clamav.h" -//#include "others.h" -#include "rzb_global.h" -#include "rzb_alert_api.h" -#include "rzb_alert_util.h" -#include "rzb_alert_global.h" #include <uuid/uuid.h> #include <arpa/inet.h> #include <errno.h> +#include <clamav.h> +#include <rzb_detection_api.h> static struct cl_engine * RZB_start_clamav(const char *db_dir); static int RZB_scan_buffer(struct cl_engine * engine, const uint8_t * buffer, int buffer_size, const char ** virname); @@ -19,7 +15,7 @@ static void RZB_CLAMAV_Detection_Nugget(BLOCK_META_DATA *metaData); //static int RZB_clamav_md5sig(const char *hdb_filename, char * buffer, int buffer_size); -DetectionAPI *detection; // Provides pointers to API functions +static const DetectionAPI *detection; // Provides pointers to API functions static struct cl_engine *engine = NULL; //#define DEBUG 
@@ -286,10 +282,10 @@ return ret; } -HRESULT initNug(DetectionAPI *detectionObj) +UUID_DEFINE(CLAMAV_NUGGET, 0xba, 0x9b, 0xeb, 0x5f, 0x06, 0x53, 0x4b, 0x04, 0x95, 0x52, 0x3b, 0xfb, 0x63, 0x4c, 0xa7, 0xfc); + +HRESULT initNug(const DetectionAPI *detectionObj) { - uuid_t myuuid; - detection = detectionObj; uuid_t list[2]; uuid_copy(list[0], PE_FILE); uuid_copy(list[1], PDF_FILE); @@ -300,13 +296,9 @@ return R_FAIL; } - if(uuid_parse("ba9beb5f-0653-4b04-9552-3bfb634ca7fc", myuuid) == -1) - { - printf("Failed to parse uuid string\n"); - return R_FAIL; - } + detection = detectionObj; - detection->registerHandler(&RZB_CLAMAV_Detection_Nugget, (const uuid_t *)&list, 2, myuuid); + detection->registerHandler(&RZB_CLAMAV_Detection_Nugget, (const uuid_t *)&list, 2, CLAMAV_NUGGET); return R_SUCCESS; } @@ -315,7 +307,7 @@ { const char * virname; char message[1024]; - unsigned char tmp_md5[MD5_SIZE]; + unsigned char tmp_md5[RZB_HASH_SIZE]; ALERT alert; uint8_t *data = metaData->data; @@ -336,8 +328,8 @@ alert.short_data = NULL; alert.sd_size = 0; uuid_copy(alert.dataType, metaData->datatype); - md5sum(data, data_len, tmp_md5); - alert.main_md5 = tmp_md5; + detection->hashData(data, data_len, tmp_md5); + alert.main_hash = tmp_md5; alert.long_data = NULL; alert.ld_size = 0; alert.data_block = data; @@ -346,7 +338,7 @@ alert.norm_size= 0; DEBUG_RZB(printf("ALERT! %s\n", message);); - sendAlert(&alert); + detection->sendAlert(&alert); } } Modified: trunk/detection-nuggets/libemu/libemu.c =================================================================== --- trunk/detection-nuggets/libemu/libemu.c 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/detection-nuggets/libemu/libemu.c 2010-12-06 16:08:14 UTC (rev 35) 
@@ -12,20 +12,17 @@ #include <emu/emu_cpu_instruction.h> #include <emu/emu_instruction.h> -#include "rzb_global.h" -#include "rzb_client.h" -#include "rzb_network.h" -#include "rzb_alert_api.h" -#include "rzb_alert_global.h" -#include "rzb_alert_util.h" +#include <rzb_detection_api.h> #define MAX_INSTRUCTION_SIZE 1024 +static const DetectionAPI *detection; + void shellcode_handler(BLOCK_META_DATA *metaData) { struct emu *emu = emu_new(); struct emu_cpu *cpu = NULL; char instruction[MAX_INSTRUCTION_SIZE]; - char tmp_md5[MD5_SIZE]; + char tmp_md5[RZB_HASH_SIZE]; int shellcode_start = 0; ALERT alert; char msg[MAX_MSG_SIZE]; @@ -55,8 +52,8 @@ alert.dst_port = metaData->dst_port; alert.priority = 1; uuid_copy(alert.dataType, metaData->datatype); - md5sum(metaData->data, metaData->size, tmp_md5); - alert.main_md5 = tmp_md5; + detection->hashData(metaData->data, metaData->size, tmp_md5); + alert.main_hash = tmp_md5; alert.data_block = metaData->data; alert.db_size = metaData->size; 
@@ -77,24 +74,21 @@ // Finally, send the alert - sendAlert(&alert); + detection->sendAlert(&alert); } emu_free(emu); } -HRESULT initNug(DetectionAPI *detectionObj) { - uuid_t myuuid; +UUID_DEFINE(LIBEMU_NUGGET, 0x36, 0xeb, 0xbb, 0xd8, 0x40, 0x9a, 0x49, 0x5d, 0xa0, 0x49, 0xd7, 0x2d, 0xdf, 0xeb, 0xc0, 0x6e); +HRESULT initNug(const DetectionAPI *detectionObj) +{ uuid_t list1; uuid_copy(list1, SHELLCODE); - if(uuid_parse("36ebbbd8-409a-495d-a049-d72ddfebc06e", myuuid) == -1) - { - printf("Failed to parse uuid string\n"); - return R_FAIL; - } + detection = detectionObj; - detectionObj->registerHandler(&shellcode_handler, (const uuid_t *)&list1, 1, myuuid); + detection->registerHandler(&shellcode_handler, (const uuid_t *)&list1, 1, LIBEMU_NUGGET); return R_SUCCESS; } Modified: trunk/detection-nuggets/officecat/OfficeCatNugget.c =================================================================== --- trunk/detection-nuggets/officecat/OfficeCatNugget.c 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/detection-nuggets/officecat/OfficeCatNugget.c 2010-12-06 16:08:14 UTC (rev 35) @@ -6,10 +6,7 @@ #include <errno.h> #include <arpa/inet.h> -#include "rzb_global.h" -#include "rzb_alert_global.h" -#include "rzb_alert_api.h" -#include "rzb_alert_util.h" +#include <rzb_detection_api.h> #define MAX_ALERT_SIZE 512 @@ -22,6 +19,8 @@ #define DEBUG_RZB(code) #endif +static const DetectionAPI *detection; + /*********************************************************** * Title: RZB_scan_officecat 
@@ -165,20 +164,18 @@ return ret; } -HRESULT initNug(DetectionAPI *detectionObj) +UUID_DEFINE(OFFICECAT_NUGGET, 0x06, 0xe0, 0xc1, 0xdb, 0x89, 0x15, 0x4b, 0x96, 0x9d, 0x7e, 0xd7, 0x2f, 0x43, 0xba, 0x07, 0xcf); + +HRESULT initNug(const DetectionAPI *detectionObj) { - uuid_t myuuid; uuid_t list; uuid_copy(list, OLE_DOC); - if(uuid_parse("06e0c1db-8915-4b96-9d7e-d72f43ba07cf", myuuid) == -1) - { - printf("Failed to parse uuid string\n"); - return R_FAIL; - } - detectionObj->registerHandler(&RZB_officecat_Detection_Nugget, (const uuid_t *)&list, 1, myuuid); + detection = detectionObj; + detection->registerHandler(&RZB_officecat_Detection_Nugget, (const uuid_t *)&list, 1, OFFICECAT_NUGGET); + return R_SUCCESS; } @@ -190,7 +187,7 @@ uint8_t *data = metaData->data; size_t data_len = metaData->size; char vuln_name[1024]; - unsigned char tmp_md5[MD5_SIZE]; + unsigned char tmp_md5[RZB_HASH_SIZE]; if ((ret = RZB_scan_officecat(data, data_len, vuln_name, sizeof(vuln_name))) == R_FOUND) { @@ -207,8 +204,8 @@ alert.short_data = NULL; alert.sd_size = 0; uuid_copy(alert.dataType, metaData->datatype); - md5sum(data, data_len, tmp_md5); - alert.main_md5 = tmp_md5; + detection->hashData(data, data_len, tmp_md5); + alert.main_hash = tmp_md5; alert.long_data = NULL; alert.ld_size = 0; alert.data_block = data; @@ -217,8 +214,9 @@ alert.norm_size= 0; printf("%s\n", message); - sendAlert(&alert); + detection->sendAlert(&alert); } else if (ret == R_NOT_FOUND) printf("%s\n", "OFFICECAT DID NOT FIND ANYTHING"); } + Modified: trunk/detection-nuggets/smtp/buildit.sh =================================================================== --- trunk/detection-nuggets/smtp/buildit.sh 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/detection-nuggets/smtp/buildit.sh 2010-12-06 16:08:14 UTC (rev 35) 
@@ -5,7 +5,5 @@ gcc -Wall -fPIC ${RZBINC} -g -c smtp_parser.c echo "gcc -shared -Wl -o smtp_parser.so.1 smtp_parser.o -lc -lpcre ${RZBLIB}" gcc -shared -Wl -o smtp_parser.so.1 smtp_parser.o -lc -lpcre ${RZBLIB} -#gcc smtpTestStub.c -luuid -ldl -o smtpTestStub -#echo "To run: ./smtpTestStub ./smtp_parser.so.1 <inputFile>" echo "copy smtp_parser.so.1 to your nuggets directory to be run by rzbNugget" Deleted: trunk/detection-nuggets/smtp/smtpTestStub.c =================================================================== --- trunk/detection-nuggets/smtp/smtpTestStub.c 2010-10-29 21:26:34 UTC (rev 34) +++ trunk/detection-nuggets/smtp/smtpTestStub.c 2010-12-06 16:08:14 UTC (rev 35) 
@@ -1,183 +0,0 @@ -#include "rzb_global.h" // should point to the copy in SVN -#include "rzb_api.h" // should point to the copy in SVN -//#include "detection.h" -//#include "testStub.h" -#include <dlfcn.h> -#include <stdio.h> -#include <stdlib.h> -#include <sys/stat.h> -#include <fcntl.h> -#include <fcntl.h> - -unsigned handlerCount = 0; -handlerNode *head = NULL; -DetectionAPI detection; - -void usage(char *progName) { - printf("Not enough arguments:\n"); - printf("Usage: %s <libPath> <inputData>", progName); -} - -HRESULT addHandler(void (*fp)()) { - handlerNode *newNode; - - newNode = (handlerNode *) malloc(sizeof (handlerNode)); - if (newNode == NULL) - return R_FAIL; - - newNode->fp = fp; - newNode->next = head; - head = newNode; - - return R_SUCCESS; -} - -HRESULT registerHandler( - void (*fp)(unsigned char *data, size_t length, uuid_t *type, uuid_t *id), - NUGTYPE *acceptedTypes, - size_t numTypes, - uuid_t *libId - ) { - unsigned i; - - handlerCount++; - - // The stub will ignore types, but list what you attempted to register... - printf("Handler %d accepts the following types:\n", handlerCount); - for (i = 0; i < numTypes; i++) { - printf("\t%d\n", acceptedTypes[i]); - } - - return (addHandler(fp)); - -} - -HRESULT sendAlert( - uuid_t *id, - unsigned int alertid, - char *alertmsg, - unsigned int metacode, - unsigned int metasize, - void *metadata - ) { - - printf("\tALERT - %d: %s\n", alertid, alertmsg); - - return R_SUCCESS; -} - - -void prettyprint(const unsigned char *data, unsigned int size) { - unsigned int i; - const unsigned char *dataptr = data; - unsigned char asciigraph[17]; - - memset(asciigraph, '\x00', 17); - - //printf("Datasize: %d\n", size); - -#ifdef PACKETDUMPSIZE - size = (size > PACKETDUMPSIZE) ? PACKETDUMPSIZE : size; -#endif - - for(i=0; i < size; i++, dataptr++) { - printf("%02x ", *dataptr); - asciigraph[i % 16] = (isgraph(*dataptr) || (*dataptr == ' ')) ? 
*dataptr : '.'; - - if(i % 16 == 15) { - printf("%s\n", asciigraph); - memset(asciigraph, '\x00', 17); - } - } - - // Dump any remaining data - if(i % 16) { - printf("%*s", (16 - (i%16)) * 3, " "); - printf("%s\n", asciigraph); - } -} - - -HRESULT sendData( - uuid_t *id, - unsigned char *data, - unsigned int size, - uuid_t *type - ) { - printf("\tsendData - %d bytes -\n", size); - prettyprint(data, size); -} - -HRESULT sendMetaData( - uuid_t *id, - unsigned char *mdData, - unsigned int size, - uuid_t *type - ) { - printf("\tsendMetaData - %d bytes -\n", size); - prettyprint(mdData, size); -} - - - - - - - - -int main(int argc, char **argv) { - void *dlHandle; - HRESULT (*init)(); - int result, fd; - struct stat fStats; - struct handlerNode *node; - unsigned char *buf; - - if (argc < 3) { - usage(argv[0]); - return (-1); - } - - // Load the library - dlHandle = dlopen(argv[1], RTLD_LOCAL | RTLD_LAZY); - if (dlHandle == NULL) { - printf("Failed to open %s\n", argv[1]); - exit(-1); - } - init = dlsym(dlHandle, "initNug"); - if (init == NULL) { - printf("Failed to resolve init() for %s.\n", argv[1]); - fputs(dlerror(), stderr); - exit(-1); - } - - detection.sendAlert = &sendAlert; - detection.registerHandler = ®isterHandler; - detection.sendData = &sendData; - detection.sendMetaData = &sendMetaData; - - (*init)(&detection); - - fd = open(argv[2], O_RDONLY); - if (fd < 0) { - printf("Failed to open %s.\n", argv[2]); - exit(-1); - } - - result = fstat(fd, &fStats); - if (result == -1) { - printf("Failed to stat %s.\n", argv[2]); - exit(-1); - } - - buf = (unsigned char *) malloc(fStats.st_size); - - read(fd, buf, fStats.st_size); - - node = head; - while (node != NULL) { - printf("Handler %d:\n", handlerCount--); - (*(node->fp))(buf, fStats.st_size, 0); - node = node->next; - } -} Modified: trunk/detection-nuggets/smtp/smtp_parser.c =================================================================== --- trunk/detection-nuggets/smtp/smtp_parser.c 2010-10-29 21:26:34 UTC 
(rev 34) +++ trunk/detection-nuggets/smtp/smtp_parser.c 2010-12-06 16:08:14 UTC (rev 35) @@ -5,13 +5,10 @@ #include <string.h> #include <stdint.h> #include <ctype.h> - -#include "rzb_global.h" // This should link to the svn copy -#include "rzb_api.h" -#include "rzb_alert_api.h" -#include "rzb_alert_util.h" #include <uuid/uuid.h> +#include <rzb_detection_api.h> + #define MAX_BOUNDARY_LEN 70 /* Max length of boundary string, defined in RFC 2046 */ #define SAFEMEM_ERROR 0 @@ -33,13 +30,13 @@ #define SMTP_NOHEADER -4 -DetectionAPI *detection; // Provides pointers to API functions +static const DetectionAPI *detection; //#define SMTP_DEBUG #ifdef SMTP_DEBUG -#define DEBUG_RZB(code) code +# define DEBUG_RZB(code) code #else -#define DEBUG_RZB(code) +# define DEBUG_RZB(code) #endif unsigned char *data_start = NULL; 
@@ -48,233 +45,239 @@ int id; int index; int length; - } SMTPSearchInfo; typedef struct _SMTPMimeBoundary { char boundary[2 + MAX_BOUNDARY_LEN + 1]; /* '--' + MIME boundary string + '\0' */ int boundary_len; - } SMTPMimeBoundary; typedef struct _SMTPPcre { pcre *re; pcre_extra *pe; - } SMTPPcre; SMTPPcre mime_boundary_pcre; SMTPPcre mime_base64_pcre; #define PP_COLS 16 -static void prettyprint(const unsigned char *data, unsigned int size) { - unsigned int i; - const unsigned char *dataptr = data; - unsigned char asciigraph[PP_COLS + 1]; +static void prettyprint(const unsigned char *data, unsigned size) +{ + unsigned i; + const unsigned char *dataptr = data; + char asciigraph[PP_COLS + 1]; - memset(asciigraph, '\x00', PP_COLS + 1); + memset(asciigraph, '\x00', sizeof(asciigraph)); - //printf("Datasize: %d\n", size); + //printf("Datasize: %d\n", size); #ifdef PACKETDUMPSIZE - size = (size > PACKETDUMPSIZE) ? PACKETDUMPSIZE : size; + size = (size > PACKETDUMPSIZE) ? PACKETDUMPSIZE : size; #endif - for(i=0; i < size; i++, dataptr++) { - printf("%02x ", *dataptr); - asciigraph[i % PP_COLS] = (isgraph(*dataptr) || (*dataptr == ' ')) ? *dataptr : '.'; + for (i=0; i < size; i++, dataptr++) + { + printf("%02x ", *dataptr); + asciigraph[i % PP_COLS] = (char)((isgraph(*dataptr) || (*dataptr == ' ')) ? 
*dataptr : '.'); - if(i % PP_COLS == (PP_COLS - 1)) { - printf("%s\n", asciigraph); - memset(asciigraph, '\x00', PP_COLS + 1); - } - } + if (i % PP_COLS == (PP_COLS - 1)) + { + printf("%s\n", asciigraph); + memset(asciigraph, '\x00', sizeof(asciigraph)); + } + } - // Dump any remaining data - if(i % PP_COLS) { - printf("%*s", (PP_COLS - (i%PP_COLS)) * 3, " "); - printf("%s\n", asciigraph); - } + // Dump any remaining data + if (i % PP_COLS) + { + printf("%*s", (int)(PP_COLS - (i%PP_COLS)) * 3, " "); + printf("%s\n", asciigraph); + } } #ifdef SMTP_DEBUG -static void PrintSMTPProcessMessageReturnCode(int code) { - switch(code) { - case SMTP_DONE: - printf("SMTP_DONE\n"); - break; - case SMTP_ENDOFPARTS: - printf("SMTP_ENDOFPARTS\n"); - break; - case SMTP_OUTOFDATA: - printf("SMTP_OUTOFDATA\n"); - break; - case SMTP_NOBOUNDARY: - printf("SMTP_NOBOUNDARY\n"); - break; - case SMTP_NOHEADER: - printf("SMTP_NOHEADER\n"); - break; - default: - printf("Unknown ProcessMessage return (%d)\n", code); - break; - } +static void PrintSMTPProcessMessageReturnCode(int code) +{ + switch (code) + { + case SMTP_DONE: + printf("SMTP_DONE\n"); + break; + case SMTP_ENDOFPARTS: + printf("SMTP_ENDOFPARTS\n"); + break; + case SMTP_OUTOFDATA: + printf("SMTP_OUTOFDATA\n"); + break; + case SMTP_NOBOUNDARY: + printf("SMTP_NOBOUNDARY\n"); + break; + case SMTP_NOHEADER: + printf("SMTP_NOHEADER\n"); + break; + default: + printf("Unknown ProcessMessage return (%d)\n", code); + break; + } } -static void PrintPartStats(unsigned char *bufferstart, unsigned char *part_start, unsigned char *part_end) { - printf("global offsets -- start:%ld end:%ld ", (long)(part_start - data_start), (long)(part_end - data_start)); - printf("part_start=%p(%ld) part_end=%p(%ld) length=%ld\n", part_start, (long)(part_start-bufferstart), part_end, (long)(part_end - bufferstart), (long)(part_end - part_start)); +static void PrintPartStats(unsigned char *bufferstart, unsigned char *part_start, unsigned char *part_end) +{ + 
printf("global offsets -- start:%lu end:%lu ", (unsigned long)(part_start - data_start), + (unsigned long)(part_end - data_start)); + printf("part_start=%p(%lu) part_end=%p(%lu) length=%lu\n", part_start, (unsigned long)(part_start-bufferstart), + part_end, (unsigned long)(part_end - bufferstart), (unsigned long)(part_end - part_start)); } #endif -static void compute_prefix(const char* str, size_t size, int *result) { - size_t q; - int k; - result[0] = 0; +static void compute_prefix(const char *str, size_t size, int *result) +{ + size_t q; + int k; + result[0] = 0; - k = 0; - for (q = 1; q < size; q++) { - while (k > 0 && str[k] != str[q]) - k = result[k-1]; + k = 0; + for (q = 1; q < size; q++) + { + while (k > 0 && str[k] != str[q]) + k = result[k-1]; - if (str[k] == str[q]) - k++; - result[q] = k; - } + if (str[k] == str[q]) + k++; + result[q] = k; + } } -static void prepare_badcharacter_heuristic(const char *str, size_t size, - int *result) { +static void prepare_badcharacter_heuristic(const char *str, size_t size, int *result) +{ + size_t i; - size_t i; + for (i = 0; i < ALPHABET_SIZE; i++) + result[i] = -1; - for (i = 0; i < ALPHABET_SIZE; i++) - result[i] = -1; - - for (i = 0; i < size; i++) - result[(size_t) str[i]] = i; + for (i = 0; i < size; i++) + result[(size_t) str[i]] = i; } -static void prepare_goodsuffix_heuristic(const char *normal, size_t size, - int *result) { +static void prepare_goodsuffix_heuristic(const char *normal, size_t size, int *result) +{ + const char *left = normal; + const char *right = left + size; + char *reversed; + char *tmp; + size_t i; - const char *left = normal; - const char *right = left + size; - char *reversed; - char *tmp; - size_t i; + int j, k; // originally "const int" within loop below - int j, k; // originally "const int" within loop below + int *prefix_normal; + int *prefix_reversed; - int *prefix_normal; - int *prefix_reversed; + /* reverse string */ + reversed = malloc(size+1); + tmp = reversed + size; - /* 
reverse string */ - reversed = malloc(size+1); - tmp = reversed + size; + *tmp = 0; + while (left < right) + *(--tmp) = *(left++); - *tmp = 0; - while (left < right) - *(--tmp) = *(left++); + prefix_normal = malloc(size * sizeof(int)); + prefix_reversed = malloc(size * sizeof(int)); - prefix_normal = malloc(size * sizeof(int)); - prefix_reversed = malloc(size * sizeof(int)); + compute_prefix(normal, size, prefix_normal); + compute_prefix(reversed, size, prefix_reversed); - compute_prefix(normal, size, prefix_normal); - compute_prefix(reversed, size, prefix_reversed); + for (i = 0; i <= size; i++) + { + result[i] = size - prefix_normal[size-1]; + } - for (i = 0; i <= size; i++) { - result[i] = size - prefix_normal[size-1]; - } + for (i = 0; i < size; i++) + { + j = size - prefix_reversed[i]; + k = i - prefix_reversed[i]+1; - for (i = 0; i < size; i++) { - j = size - prefix_reversed[i]; - k = i - prefix_reversed[i]+1; - - if (result[j] > k) - result[j] = k; - } - free(reversed); - free(prefix_normal); - free(prefix_reversed); + if (result[j] > k) + result[j] = k; + } + free(reversed); + free(prefix_normal); + free(prefix_reversed); } /* * Boyer-Moore search algorithm */ -static unsigned char *boyermoore_search(unsigned char *haystack, size_t haystack_len, SMTPMimeBoundary *mime_boundary_info) { - /* - * Calc string sizes - */ +static unsigned char *boyermoore_search(unsigned char *haystack, size_t haystack_len, SMTPMimeBoundary *mime_boundary_info) +{ + /* + * Calc string sizes + */ char *needle = mime_boundary_info->boundary; size_t needle_len = mime_boundary_info->boundary_len; int badcharacter[ALPHABET_SIZE]; int *goodsuffix; size_t s; - size_t j; - int k; - int m; + size_t j; + int k; + int m; - DEBUG_RZB(printf("boyermoore_search(%p, %d, %s, %d)\n", haystack, haystack_len, needle, needle_len)); + DEBUG_RZB(printf("boyermoore_search(%p, %ld, %s, %ld)\n", haystack, haystack_len, needle, needle_len)); - if(haystack_len < needle_len) { - DEBUG_RZB(printf("not a big 
enough haystack to support that needle, son.\n")); - return NULL; - } + if (haystack_len < needle_len) + { + DEBUG_RZB(printf("not a big enough haystack to support that needle, son.\n")); + return NULL; + } - /* - * Simple checks - */ - if(haystack_len == 0) - return NULL; - if(needle_len == 0) - return haystack; + /* + * Simple checks + */ + if (haystack_len == 0) + return NULL; + if (needle_len == 0) + return haystack; - /* - * Initialize heuristics - */ - goodsuffix = malloc((needle_len+1) * sizeof(int)); + /* + * Initialize heuristics + */ + goodsuffix = malloc((needle_len+1) * sizeof(int)); - prepare_badcharacter_heuristic(needle, needle_len, badcharacter); - prepare_goodsuffix_heuristic(needle, needle_len, goodsuffix); + prepare_badcharacter_heuristic(needle, needle_len, badcharacter); + prepare_goodsuffix_heuristic(needle, needle_len, goodsuffix); - /* - * Boyer-Moore search - */ - s = 0; - while(s <= (haystack_len - needle_len)) - { - j = needle_len; - while(j > 0 && needle[j-1] == haystack[s+j-1]) - j--; + /* + * Boyer-Moore search + */ + s = 0; + while (s <= (haystack_len - needle_len)) + { + j = needle_len; + while (j > 0 && needle[j-1] == haystack[s+j-1]) + j--; - if(j > 0) - { - k = badcharacter[(size_t) haystack[s+j-1]]; + if (j > 0) + { + k = badcharacter[(size_t) haystack[s+j-1]]; - if(k < (int)j && (m = j-k-1) > goodsuffix[j]) - s+= m; - else - s+= goodsuffix[j]; - } - else - { - return haystack + s; - } - } + if (k < (int)j && (m = j-k-1) > goodsuffix[j]) + s+= m; + else + s+= goodsuffix[j]; + } + else + { + return haystack + s; + } + } - free(goodsuffix); + free(goodsuffix); - return NULL; // not found + return NULL; // not found } - - - - static int inBounds(const uint8_t *start, const uint8_t *end, const uint8_t *p) { if ((p >= start) && (p < end)) 
@@ -282,8 +285,7 @@ return 0; } -static int SafeMemCheck(void *dst, size_t n, - const void *start, const void *end) +static int SafeMemCheck(void *dst, size_t n, const void *start, const void *end) { void *tmp; @@ -329,19 +331,19 @@ // */ static int SMTP_BoundarySearchInit(void) { - const char *error; - int erroffset; + const char *error; + int erroffset; - /* create regex for finding boundary string - since it can be cut across multiple - * lines, a straight search won't do. Shouldn't be too slow since it will most - * likely only be acting on a small portion of data */ + /* create regex for finding boundary string - since it can be cut across multiple + * lines, a straight search won't do. Shouldn't be too slow since it will most + * likely only be acting on a small portion of data */ mime_boundary_pcre.re = pcre_compile("^Content-Type\\s*:\\s*multipart[^\\n]*boundary\\s*=\\s*\"?([^\\s\"]+)\"?", //"^Content-Type\\s*:\\s*multipart[^\\n]*boundary\\s*=\\s*\"?([^\\s\"]+)\"?", - PCRE_CASELESS | PCRE_DOTALL | PCRE_MULTILINE, - &error, &erroffset, NULL); + PCRE_CASELESS | PCRE_DOTALL | PCRE_MULTILINE, + &error, &erroffset, NULL); if (mime_boundary_pcre.re == NULL) { printf("Failed to compile pcre regex for getting boundary " - "in a multipart SMTP message: %s\n", error); + "in a multipart SMTP message: %s\n", error); return(-1); } @@ -350,7 +352,7 @@ if (error != NULL) { printf("Failed to study pcre regex for getting boundary " - "in a multipart SMTP message: %s\n", error); + "in a multipart SMTP message: %s\n", error); return(-1); } 
@@ -362,19 +364,19 @@ // */ static int SMTP_Base64SearchInit(void) { - const char *error; - int erroffset; + const char *error; + int erroffset; - /* create regex for finding boundary string - since it can be cut across multiple - * lines, a straight search won't do. Shouldn't be too slow since it will most - * likely only be acting on a small portion of data */ + /* create regex for finding boundary string - since it can be cut across multiple + * lines, a straight search won't do. Shouldn't be too slow since it will most + * likely only be acting on a small portion of data */ mime_base64_pcre.re = pcre_compile("^Content-Transfer-Encoding\\s*:\\s*base64\\s*$", - PCRE_CASELESS | PCRE_DOTALL | PCRE_MULTILINE, - &error, &erroffset, NULL); + PCRE_CASELESS | PCRE_DOTALL | PCRE_MULTILINE, + &error, &erroffset, NULL); if (mime_base64_pcre.re == NULL) { printf("Failed to compile pcre regex for finding base64 encoding " - "in a multipart SMTP message: %s\n", error); + "in a multipart SMTP message: %s\n", error); return(-1); } @@ -383,7 +385,7 @@ if (error != NULL) { printf("Failed to study pcre regex for finding base64 encoding " - "in a multipart SMTP message: %s\n", error); + "in a multipart SMTP message: %s\n", error); return(-1); } @@ -408,7 +410,8 @@ /* result will be the number of matches (including submatches) */ result = pcre_exec(mime_boundary_pcre.re, mime_boundary_pcre.pe, (const char *)data, data_len, 0, 0, ovector, ovecsize); - if (result < 0) { + if (result < 0) + { DEBUG_RZB(printf("pcre not found\n")); return -1; } @@ -446,7 +449,8 @@ return(ovector[1]); // offset of byte AFTER the boundary string } -static int ContentIsBase64(const u_int8_t *data, int data_len) { +static int ContentIsBase64(const uint8_t *data, int data_len) +{ int result; int ovector[9]; int ovecsize = 9; 
@@ -457,109 +461,116 @@ } +static int SMTP_FindMessageData(uint8_t *buffer, int length, uint8_t **beginning) +{ + int i; + const char begofdata[] = "DATA"; -static int SMTP_FindMessageData(uint8_t *buffer, int length, uint8_t **beginning) { - int i; + length -= sizeof(begofdata) - 1; // Optimization so later we don't have to worry about if we have room for search text - char begofdata[] = "DATA"; + for (i=0; i < length; i++) + { - length -= strlen(begofdata); // Optimization so later we don't have to worry about if we have room for search text + // See if this is the start of the data block + if (strncmp(begofdata, (const char *)&(buffer[i]), sizeof(begofdata) - 1) == 0) + { + i += strlen(begofdata); - for(i=0; i < length; i++) { + // Jump over "\r?\n" + // This is pretty fast and loose. Do we/how do we handle if there is "DATA" at the + // beginning of the line but it's not actually followed with "\r?\n"? + if (i + 1 < length && buffer[i] == '\r') i++; + if (i + 1 < length && buffer[i] == '\n') i++; - // See if this is the start of the data block - if (strncmp(begofdata, (const char *)&(buffer[i]), sizeof(begofdata) - 1) == 0) { - i += strlen(begofdata); + // Note it's up to the calling function to determine we haven't just stepped + // off the end of the incoming data! + *beginning = &(buffer[i]); + return 1; + } - // Jump over "\r?\n" - // This is pretty fast and loose. Do we/how do we handle if there is "DATA" at the - // beginning of the line but it's not actually followed with "\r?\n"? - if(i + 1 < length && buffer[i] == '\r') i++; - if(i + 1 < length && buffer[i] == '\n') i++; + // No match. Look for the end of line so we can try again + while ((i < length) && (buffer[i] != '\n')) + { + i++; // Skip! + } + } - // Note it's up to the calling function to determine we haven't just stepped - // off the end of the incoming data! - *beginning = &(buffer[i]); - return 1; - } - - // No match. 
Look for the end of line so we can try again - while((i < length) && (buffer[i] != '\n')) { - i++; // Skip! - } - } - - return 0; + return 0; } -static int SMTP_FindEndOfHeader(uint8_t *buffer, int length, uint8_t **end) { - int i = 0; +static int SMTP_FindEndOfHeader(uint8_t *buffer, int length, uint8_t **end) +{ + int i = 0; - if(length < 2) - return 0; + if (length < 2) + return 0; - if(buffer[i] == '\n' && buffer[i+1] == '\n') { - *end = &(buffer[i+1]); - return 1; - } + if (buffer[i] == '\n' && buffer[i+1] == '\n') + { + *end = &(buffer[i+1]); + return 1; + } - for(i=2; i < length; i++) { - if(buffer[i] == '\n' && ((buffer[i-1] == '\n') || ((buffer[i-1] == '\r') && (buffer[i-2] == '\n')))) { - *end = &(buffer[i+1]); - return 1; - } - } + for (i=2; i < length; i++) + { + if (buffer[i] == '\n' && ((buffer[i-1] == '\n') || ((buffer[i-1] == '\r') && (buffer[i-2] == '\n')))) + { + *end = &(buffer[i+1]); + return 1; + } + } - return 0; + return 0; } -static int SendToDispatcher(uint8_t *data, int len, unsigned int eventID) +static int SendToDispatcher(uint8_t *data, int len, unsigned eventID) { - BLOCK_META_DATA *mdata = NULL; - uint8_t *data_copy; + BLOCK_META_DATA *mdata = NULL; + uint8_t *data_copy; - // Init the metadata structure - if((mdata = calloc(1, sizeof(BLOCK_META_DATA))) == NULL) { - perror("Error allocating mdata\n"); - return R_MALLOC_FAIL; - } + // Init the metadata structure + if((mdata = calloc(1, sizeof(BLOCK_META_DATA))) == NULL) { + perror("Error allocating mdata\n"); + return R_MALLOC_FAIL; + } - // Fill in the required fields - mdata->timestamp = (unsigned int)time(NULL); - if (data && len) - { - if ((data_copy = malloc(len)) == NULL) - { - perror("Error allocating data copy\n"); - free(mdata); - return R_MALLOC_FAIL; - } - memcpy(data_copy, data, len); - } - else - data_copy = NULL; - mdata->data = data_copy; - mdata->size = len; - mdata->parent_data = NULL; - mdata->src_ip.s_addr = 0x01010101; - mdata->dst_ip.s_addr = 0x02020202; - 
mdata->ip_proto = 6; - mdata->src_port = 25; - mdata->dst_port = 8000; - uuid_copy(mdata->datatype, file_type_lookup(data_copy, len)); + // Fill in the required fields + mdata->timestamp = (unsigned)time(NULL); + if (data && len) + { + if ((data_copy = malloc(len)) == NULL) + { + perror("Error allocating data copy\n"); + free(mdata); + return R_MALLOC_FAIL; + } + memcpy(data_copy, data, len); + } + else + data_copy = NULL; + mdata->data = data_copy; + mdata->size = len; + mdata->src_ip.family = AF_INET; + mdata->src_ip.ip.ipv4.s_addr = htonl(0x01010101); + mdata->dst_ip.family = AF_INET; + mdata->dst_ip.ip.ipv4.s_addr = htonl(0x02020202); + mdata->ip_proto = 6; + mdata->src_port = 25; + mdata->dst_port = 8000; + uuid_copy(mdata->datatype, detection->file_type_lookup(data_copy, len)); - printf("\n\n\nVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\n"); - printf("*************************** SendToDispatcher() ***************************\n"); - prettyprint(data_copy, len); - printf("*************************** SendToDispatcher() ***************************\n"); - printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n\n\n"); + printf("\n\n\nVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\n"); + printf("*********************** Sample SendToDispatcher() ************************\n"); + prettyprint(data_copy, len); + printf("*********************** Sample SendToDispatcher() ************************\n"); + printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n\n\n"); - // Finally, send our data (sendData will free mdata) - sendData(mdata); + // Finally, send our data (sendData will free mdata) + detection->sendData(mdata); - return(1); + return(1); } 
@@ -577,7 +588,8 @@ * On return, *bytes_written contains the number of valid bytes in the output buffer. */ -static int base64_decode(unsigned char *inbuf, int inbuf_size, unsigned char **outbuf, int *bytes_written) { +static int base64_decode(unsigned char *inbuf, int inbuf_size, unsigned char **outbuf, int *bytes_written) +{ /* Our lookup table for decoding base64 */ static const unsigned int decode64tab[256] = { @@ -598,287 +610,331 @@ 100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100, 100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100}; - const unsigned char *cursor, *endofinbuf; - unsigned char *outbuf_ptr, *end_of_outbuf; - unsigned char base64data[4], *base64data_ptr; /* temporary holder for current base64 chunk */ - unsigned char tableval_a, tableval_b, tableval_c, tableval_d; + const unsigned char *cursor, *endofinbuf; + unsigned char *outbuf_ptr, *end_of_outbuf; + unsigned char base64data[4], *base64data_ptr; /* temporary holder for current base64 chunk */ + unsigned char tableval_a, tableval_b, tableval_c, tableval_d; - u_int32_t n; + uint32_t n; - int outbuf_size = 0; + int outbuf_size = 0; - int error = 0; + int error = 0; - // Allocate space for the data - outbuf_size = inbuf_size * 4 / 3; + // Allocate space for the data + outbuf_size = inbuf_size * 4 / 3; - if(outbuf_size % 4) - outbuf_size += 4 - (outbuf_size % 4); + if (outbuf_size % 4) + outbuf_size += 4 - (outbuf_size % 4); - DEBUG_RZB(printf("inbuf_size = %d, outbuf_size = %d\n", inbuf_size, outbuf_size)); + DEBUG_RZB(printf("i... [truncated message content] |
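Review bot: the return values of `readConfig("rzb.conf")` and `registerNugget(COLLECTOR, TESTCOLLECT, MAIL_CAPTURE, /*3037*/3068, 1, 0, "Snort Collector", &nuggetid)` in the RZBInit hunk of spp_rzb-collector-dispatch.c (@@ -326) are discarded, so a missing config file or a failed Dispatcher registration still leaves RZBProcess on the preproc list, possibly with `nuggetid` never set. Check both results and fail preprocessor init when either does not succeed, and consider taking the config path from the preprocessor arguments instead of the relative literal "rzb.conf", which resolves against whatever working directory Snort was started in. The comment "Open the Collector API lib and set the global function pointers" also no longer describes the AddFuncToPreprocList call beneath it and should be updated or dropped while the line is being touched.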
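Review bot: in the ClamAVNugget.c initNug hunk (@@ -286 / @@ -300), `uuid_t list[2]` is a stack array whose address is handed to `detection->registerHandler(..., (const uuid_t *)&list, 2, CLAMAV_NUGGET)` and goes out of scope on return; if the API stores the pointer rather than copying the UUIDs, the registered type list dangles. Either document in rzb_detection_api.h that registerHandler copies its accepted-types array, or make the list `static const`. Separately, `&list` is a pointer to the whole two-element array and the cast hides that type mismatch; passing `list` (which decays to `uuid_t *`) is the correct expression. The same pattern appears in libemu.c and OfficeCatNugget.c, so fix it in all three. Moving `detection = detectionObj;` after the engine-failure return is fine, but the new `detection->hashData(data, data_len, tmp_md5)` in the alert path (@@ -336) has no result check; if hashData can fail, the alert would carry an uninitialised hash.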
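Review bot: `tmp_md5` in libemu.c's shellcode_handler (@@ -12) is declared `char tmp_md5[RZB_HASH_SIZE]` while the same buffer in ClamAVNugget.c and OfficeCatNugget.c is `unsigned char`; pick one type for the buffer assigned to `alert.main_hash` across the nuggets so the assignment does not rely on an implicit pointer conversion that gcc -Wall flags, and rename the variable now that it is no longer an MD5. The context line `struct emu *emu = emu_new();` is also never NULL-checked before the handler goes on to use it and `emu_free(emu)`; bail out early if emu_new() fails.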
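Review bot: the OfficeCatNugget.c detection hunks (@@ -190 / @@ -217) still write `printf("%s\n", message);` and `printf("%s\n", "OFFICECAT DID NOT FIND ANYTHING");` to stdout on every block scanned, whereas ClamAVNugget.c wraps the equivalent message in `DEBUG_RZB(...)`; wrap these the same way so a loaded nugget does not spam the host process's stdout in production. The trailing blank line added after the closing brace at the end of the file (the lone `+`) is a stray whitespace change.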
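Review bot: deleting smtpTestStub.c removes the only stand-alone harness for exercising smtp_parser.so.1 against a file, and the buildit.sh hunk drops the commented-out build and "To run:" lines with it; a replacement stub that implements the new `DetectionAPI` (hashData, sendAlert, sendData, file_type_lookup) would keep the parser testable without a running Dispatcher. In the remaining link line `gcc -shared -Wl -o smtp_parser.so.1 smtp_parser.o -lc -lpcre ${RZBLIB}`, the bare `-Wl` carries no linker option at all; either remove it or give it one, for example `-Wl,-soname,smtp_parser.so.1`.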
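Review bot: in the reindented `prepare_badcharacter_heuristic` in smtp_parser.c (@@ -48), `result[(size_t) str[i]] = i;` indexes the `ALPHABET_SIZE`-entry table with a plain `char`; where char is signed, any boundary byte above 0x7f (the boundary is captured from the message by the `[^\s"]+` regex, so message content decides it) becomes a negative index and writes outside `badcharacter[]`. Cast through `unsigned char` first: `result[(unsigned char) str[i]] = i;`. In `boyermoore_search`, the successful-match path `return haystack + s;` skips the `free(goodsuffix);` at the bottom, leaking the heuristic table on every boundary found; free it before returning. The `malloc` calls in `prepare_goodsuffix_heuristic` and for `goodsuffix` are unchecked, and the `%ld` conversions for `size_t` in the DEBUG_RZB line should be `%zu`. Since this hunk is meant to be whitespace-only, these can go in a follow-up commit, but they should be tracked.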
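Review bot: `SendToDispatcher` in smtp_parser.c (@@ -457) still fills the outgoing block with constructed values (`src_ip` 1.1.1.1, `dst_ip` 2.2.2.2, ports 25/8000, the current time as `timestamp`) that the Dispatcher and downstream nuggets cannot distinguish from real observations, and the "Sample SendToDispatcher()" banner suggests this is known; since the parser is itself handed a BLOCK_META_DATA for the message it is splitting, pass that block (or its addresses and ports) into SendToDispatcher and copy them, or leave the fields zeroed and documented as unknown. `detection->file_type_lookup(data_copy, len)` is also reached with `data_copy == NULL` whenever `len` is 0, which the lookup may not expect; return early for empty parts. `perror("Error allocating mdata\n")` prints the strerror text after the newline, so drop the `\n`. In `SMTP_FindMessageData`, the `strncmp(begofdata, ..., sizeof(begofdata) - 1)` test matches any line that merely begins with the four bytes "DATA", which the "fast and loose" comment already concedes; requiring the following byte to be `\r` or `\n` would close that gap cheaply.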
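Review bot: under the comment "Allocate space for the data" in the base64_decode hunk (@@ -577 / @@ -598), `outbuf_size = inbuf_size * 4 / 3;` sizes the output as if encoding; decoding yields at most three output bytes per four input bytes, so this over-allocates (safe, but the comment and the rounding to a multiple of 4 suggest the two directions were mixed up). `inbuf_size * 3 / 4`, rounded up to a multiple of 3, is the tight bound. The message is truncated after this point, so the rest of the decoder could not be reviewed here.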
From: Nigel H. <nho...@so...> - 2010-11-15 18:53:02
On Mon, 15 Nov 2010 13:38:41 -0500, Joel Esler wrote:
> I have several projects in mind already, but the first thing is I
> want to hear from you. Suggestions, ideas, complaints, and
> compliments.
> ∙ How we can make things better.
> ∙ Problems with Snort, ClamAV, DaemonLogger, or Razorback
> ∙ Features you'd like to see with these projects
> ∙ What isn't working now?
> ∙ What is working now!
> ∙ How can we make bug tracking more efficient?
> ∙ How can we make False positive submissions better?
> ∙ What can we put out (in terms of training and whitepapers) for
> better understanding and results?
> ∙ ???
> Let me hear it. Email me directly at je...@so.... I want
> to be able to track your ideas so I can write you back when we make
> movement.
>
> I'll summarize your submissions in a blog post in the future and let
> everyone know where we are at with the progress of these great ideas.

For Razorback(tm) please continue to submit feature requests and any other
Razorback items to the Razorback Trac at:

http://sourceforge.net/apps/trac/razorbacktm/

And for Nugget-related items please use:

http://sourceforge.net/apps/trac/nuggetfarm/

You can, of course, also use the mailing lists for Razorback and the Nugget Farm.

Thanks.

--
Nigel Houghton
Head Mentalist
SF VRT Department of Intelligence Excellence
http://vrt-sourcefire.blogspot.com && http://labs.snort.org/
From: <rde...@us...> - 2010-10-29 21:26:41
|
Revision: 34 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=34&view=rev Author: rdempster Date: 2010-10-29 21:26:34 +0000 (Fri, 29 Oct 2010) Log Message: ----------- Updates to work with API 0.1.2. Modified Paths: -------------- trunk/collection-nuggets/saac/rzb_http-server.c trunk/detection-nuggets/officecat/OfficeCatNugget.c trunk/detection-nuggets/smtp/buildit.sh trunk/detection-nuggets/smtp/smtp_parser.c trunk/detection-nuggets/swf/Makefile trunk/detection-nuggets/swf/swf_scanner.c Added Paths: ----------- trunk/detection-nuggets/officecat/Makefile Modified: trunk/collection-nuggets/saac/rzb_http-server.c =================================================================== --- trunk/collection-nuggets/saac/rzb_http-server.c 2010-10-29 14:38:24 UTC (rev 33) +++ trunk/collection-nuggets/saac/rzb_http-server.c 2010-10-29 21:26:34 UTC (rev 34) @@ -47,9 +47,9 @@ // Make sure we have somewhere to store our data if((fileinfo->filedata) == NULL) { // ZDNOTE Need to limit the amount of memory that will be allocated at a time. This may involve some - // ZDNOTE changes to the FILEINFO struct. + // ZDNOTE changes to the FILEINFO struct. // ZDNOTE amounttoalloc = (fileinfo->filesize < MAXFILEALLOCCHUNK) ? fileinfo->filesize : MAXFILEALLOCCHUNK; - if(fileinfo->filesize > 100000000 /*ULONG_MAX*/) { + if(fileinfo->filesize > 100000000 /*ULONG_MAX*/) { // ZDNOTE this will also trip on files for which we don't have a Content-Length header DEBUGOUT((D_FILE | D_DEBUG), printf("ReadFileData filesize is >100M! Bailing!\n")); return(ERROR); @@ -75,7 +75,7 @@ bytesavailable = end_of_file - cursor; - // ZDNOTE Need to verify there is enough space left in the buffer before copy + // ZDNOTE Need to verify there is enough space left in the buffer before copy filedataptr = &((fileinfo->filedata)[fileinfo->bufferindex]); 
@@ -125,15 +125,17 @@ tmp = file_type_lookup(fileinfo->filedata, sizeof(fileinfo->filedata)); uuid_copy(mdata->datatype, tmp); - // DEBUGOUT((D_DETECT | D_INFO), printf("CallDetectionFunction enter\n")); // ZDNOTE Dunno what to do, so we're just going to... printf("Calling detection function with following file information:\n"); DumpFileInfo(fileinfo); - rzb_collector.sendData(mdata); + rzb_collector.sendData(mdata); + fileinfo->filedata = NULL; + fileinfo->filesize = 0; + // (*httpcollector->sendData)(0/*eventid*/, fileinfo->filedata, fileinfo->filesize, NO_DATA_TYPE); // unsigned int retval; // @@ -366,7 +368,7 @@ // Get the current file off of the stack PopFileInfo(ruledata); - // And grab the next file on the list + // And grab the next file on the list if(fileinfolist[ruledata->streaminfoidx]) currentfile = (fileinfolist[ruledata->streaminfoidx])->fileinfo; else @@ -412,7 +414,7 @@ // Partially debug / hackery, partially something we'll probably want to keep void IgnoreStream(RULEDATA *ruledata) { - + if(ruledata == NULL) return; @@ -439,7 +441,7 @@ // // ruledata->streaminfoidx = INVALIDSTREAMIDX; } - + int IsStreamIgnored(RULEDATA *ruledata) { if(ruledata == NULL || ruledata->state == IGNORESTREAM || ruledata->streaminfoidx == INVALIDSTREAMIDX) return(1); Added: trunk/detection-nuggets/officecat/Makefile =================================================================== --- trunk/detection-nuggets/officecat/Makefile (rev 0) +++ trunk/detection-nuggets/officecat/Makefile 2010-10-29 21:26:34 UTC (rev 34) 
@@ -0,0 +1,14 @@ +INCLUDES = $(shell pkg-config --cflags razorback) + +LIBS = -lm -lmagic -lssl -ldl -lpcre +LIBS += $(shell pkg-config --libs razorback) +CFLAGS+=-Wall -fPIC -DPIC -ggdb $(INCLUDES) + +all: OfficeCatNugget.so.1 + +%.so.1: %.o + $(CC) $(LIBS) -shared -Wl -o $@ $^ -lc + @echo "copy $@ to your nuggets directory to be run by rzbNugget" + +clean: + rm -f *.o *.so.1 Modified: trunk/detection-nuggets/officecat/OfficeCatNugget.c =================================================================== --- trunk/detection-nuggets/officecat/OfficeCatNugget.c 2010-10-29 14:38:24 UTC (rev 33) +++ trunk/detection-nuggets/officecat/OfficeCatNugget.c 2010-10-29 21:26:34 UTC (rev 34) @@ -3,19 +3,18 @@ #include <stdint.h> #include <string.h> #include <uuid/uuid.h> +#include <errno.h> +#include <arpa/inet.h> #include "rzb_global.h" -#include "alert/rzb_alert_global.h" +#include "rzb_alert_global.h" +#include "rzb_alert_api.h" +#include "rzb_alert_util.h" #define MAX_ALERT_SIZE 512 +static void RZB_officecat_Detection_Nugget(BLOCK_META_DATA *metaData); -DetectionAPI *detection; // Provides pointers to API functions - - -int RZB_scan_officecat(char * buffer, size_t buffer_size, char **vuln_name); -void RZB_officecat_Detection_Nugget(BLOCK_META_DATA *metaData); - //#define DEBUG #ifdef DEBUG #define DEBUG_RZB(code) code 
@@ -48,330 +47,126 @@ initialized with RZB_start_clamav. ***********************************************************/ -int RZB_scan_officecat(char * buffer, size_t buffer_size, char **vuln_name) +static int RZB_scan_officecat(const uint8_t *buffer, size_t buffer_size, char *vuln_name, size_t vuln_len) { - FILE *out_file = NULL; /* Output stream to create a temporary file on tmpfs */ - FILE *pf = NULL; - int ret, i; /* Return value for the function RZB_scan_officecat */ - const char *virus_name; /* Virus name, as returned by cl_scanfile */ - char tmp_string[strlen("/mnt/RZB_Officecat/tmpfile") + 4]; /* Temporary string to use for path to tmpfile */ + FILE *out_file; /* Output stream to create a temporary file on tmpfs */ + FILE *pf; + int ret; /* Return value for the function RZB_scan_officecat */ + char tmp_string[L_tmpnam]; /* Temporary string to use for path to tmpfile */ char cmd [512]; - char *officecat_path = "/usr/local/bin/officecat.exe"; - ALERT *alert; - char *line = (char *)malloc(MAX_ALERT_SIZE); - size_t len = MAX_ALERT_SIZE; - char *p=NULL; - char *output_str =(char *)malloc(MAX_ALERT_SIZE); - char tmp_str[512]; - int second_to_last_line = 0; + static const char *officecat_path = "/usr/local/bin/officecat.exe"; + char *p; + char output_str[MAX_ALERT_SIZE]; + unsigned offset; + int second_to_last_line = 0; +#if 0 + ALERT alert; + char tmp_str[512]; +#endif DEBUG_RZB(printf("BUFFER SIZE: %d\n", (int)buffer_size);); DEBUG_RZB(printf("MOUNT DIR: %s\n", mount_dir);); - /* Create string to use for path to tmpfile */ - strcpy(tmp_string, "/mnt/RZB_Officecat/tmpfile"); + ret = R_NOT_FOUND; - /* Create at most 999 different tmpfiles at the same time */ - for (i=0; i < 1000; i ++) - { - sprintf(tmp_string,"/mnt/RZB_Officecat/tmpfile%d",i); + tmp_string[0] = 0; + if (tmpnam_r(tmp_string) == NULL) + { + fprintf(stderr, "Cannot create temporary file name: (%d) %s\n", errno, strerror(errno)); + return R_FAIL; + } - DEBUG_RZB(printf ("%s\n", tmp_string);); + /* 
Create tmpfile */ + if ((out_file = fopen(tmp_string, "w")) == NULL) + { + fprintf(stderr, "Cannot create temporary file %s: (%d) %s\n", tmp_string, errno, strerror(errno)); + return R_FAIL; + } - /* Create tmpfile */ - if ((out_file = fopen(tmp_string, "w")) != NULL) - break; - else - { - if (i == 999) - { - fprintf(stderr, "Cannot create temporary file in: /mnt/RZB_Officecat\n"); - return 1; - } - else - continue; - } - } - /* Read from buffer and write to out_file */ if(fwrite (buffer, 1, buffer_size, out_file) != buffer_size) - perror("Error writing tempfile file to tmpfs"); + { + fprintf(stderr, "Error writing file %s: (%d) %s\n", tmp_string, errno, strerror(errno)); + fclose(out_file); + return R_FAIL; + } - /* Close file associated with stream */ - if (out_file !=NULL) - fclose(out_file); + fclose(out_file); // Build our cmd to run - snprintf(cmd, sizeof(cmd) - 1, "%s %s", officecat_path, tmp_string); + snprintf(cmd, sizeof(cmd), "%s %s", officecat_path, tmp_string); // Create our dissector - if((pf = popen(cmd, "r")) == NULL) + if((pf = popen(cmd, "r")) == NULL) { - printf("Error while running officecat\n"); - } - else + fprintf(stderr, "Error while running '%s': (%d) %s\n", cmd, errno, strerror(errno)); + } + else { + offset = 0; while(!feof(pf)) { int c; c = getc(pf); if (c !='\x0D' || c !='\x0A' || c !='\x0C' || c !='\x09') - output_str[strlen(output_str)]=c; + { + if (offset < sizeof(output_str) - 1) + output_str[offset++]=c; + } - if (c =='\x0D' || /*c =='\x0A' || c =='\x0C' ||*/ c =='\x09') + else if (c =='\x0D' || /*c =='\x0A' || c =='\x0C' ||*/ c =='\x09') { - puts (output_str); + output_str[offset] = 0; + puts(output_str); + offset = 0;; - if ((p=strstr(output_str, "CORRUPTED:"))!=NULL) - { -#if 0 - alert = (ALERT *)malloc(sizeof(ALERT)); - memset(alert, 0, sizeof(ALERT)); + if ((p = strstr(output_str, "CORRUPTED:")) != NULL) + { + } - // Set up our static fields - alert->priority = 1; - alert->src_ip = SRCIP; - alert->dst_ip = DSTIP; - 
alert->ip_proto = 6; - alert->src_port = 80; - alert->dst_port = 2437; + else if ((p = strstr(output_str, "VULNERABLE:")) != NULL) + { + } - sprintf(tmp_str, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s", p); - - alert->msg = (char *)malloc(strlen(tmp_str)); - memset(alert->msg, 0, strlen(tmp_str)); - memcpy(alert->msg, tmp_str, strlen(tmp_str)-1); - sendAlert(DSTIP, SRCIP, alert); - - if(alert->msg != NULL) - free(alert->msg); - free(alert); -#endif - } - - if ((p=strstr(output_str, "VULNERABLE:"))!=NULL) - { -#if 0 - alert = (ALERT *)malloc(sizeof(ALERT)); - memset(alert, 0, sizeof(ALERT)); - - // Set up our static fields - alert->priority = 1; - alert->src_ip = SRCIP; - alert->dst_ip = DSTIP; - alert->ip_proto = 6; - alert->src_port = 80; - alert->dst_port = 2437; - - sprintf(tmp_str, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s", p); - - alert->msg = (char *)malloc(strlen(tmp_str)); - memset(alert->msg, 0, strlen(tmp_str)); - memcpy(alert->msg, tmp_str, strlen(tmp_str)-1); - sendAlert(DSTIP, SRCIP, alert); - - if(alert->msg != NULL) - free(alert->msg); - free(alert); -#endif - } - - if ((p=strstr(output_str, "CVE"))!=NULL) + else if ((p = strstr(output_str, "CVE")) != NULL) { - vuln_name = p; - ret = R_FOUND; -#if 0 - // puts("FOUND CVE!!!!!!\n"); - alert = (ALERT *)malloc(sizeof(ALERT)); - memset(alert, 0, sizeof(ALERT)); - - // Set up our static fields - alert->priority = 1; - alert->src_ip = SRCIP; - alert->dst_ip = DSTIP; - alert->ip_proto = 6; - alert->src_port = 80; - alert->dst_port = 2437; - - sprintf(tmp_str, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s", p); - - alert->msg = (char *)malloc(strlen(tmp_str)); - memset(alert->msg, 0, strlen(tmp_str)); - // strncpy(tmp_str, p, strlen(p)-1); - // strcpy(tmp_str, p); -// snprintf(tmp_str, sizeof(tmp_str) - 1, "%s HAS BEEN FOUND BY OFFICECAT", p); -// strcat(tmp_str, " HAS BEEN FOUND BY OFFICECAT"); -//puts(tmp_str); - memcpy(alert->msg, tmp_str, strlen(tmp_str)-1); - alert->msg_size = 
strlen(alert->msg); - - sendAlert(DSTIP, SRCIP, alert); - - if(alert->msg != NULL) - free(alert->msg); - - free(alert); -#endif + snprintf(vuln_name, vuln_len, "%s", p); + ret = R_FOUND; + break; } - if ((p=strstr(output_str, "MS"))!=NULL) + else if ((p = strstr(output_str, "MS")) != NULL) { -#if 0 - alert = (ALERT *)malloc(sizeof(ALERT)); - memset(alert, 0, sizeof(ALERT)); - - // Set up our static fields - alert->priority = 1; - alert->src_ip = SRCIP; - alert->dst_ip = DSTIP; - alert->ip_proto = 6; - alert->src_port = 80; - alert->dst_port = 2437; - - sprintf(tmp_str, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s", p); - - alert->msg = (char *)malloc(strlen(tmp_str)); - memset(alert->msg, 0, strlen(tmp_str)); - memcpy(alert->msg, tmp_str, strlen(tmp_str)-1); - sendAlert(DSTIP, SRCIP, alert); - - if(alert->msg != NULL) - free(alert->msg); - free(alert); -#endif } - if ((p=strstr(output_str, "embedded ActiveX"))!=NULL) - { -#if 0 - alert = (ALERT *)malloc(sizeof(ALERT)); - memset(alert, 0, sizeof(ALERT)); + else if ((p = strstr(output_str, "embedded ActiveX")) != NULL) + { + } - // Set up our static fields - alert->priority = 1; - alert->src_ip = SRCIP; - alert->dst_ip = DSTIP; - alert->ip_proto = 6; - alert->src_port = 80; - alert->dst_port = 2437; + else if ((p = strstr(output_str, "SAFE")) != NULL) + { + } - sprintf(tmp_str, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s", p); + else if ((p = strstr(output_str, "Type: ")) != NULL) + { + } - alert->msg = (char *)malloc(strlen(tmp_str)); - memset(alert->msg, 0, strlen(tmp_str)); - memcpy(alert->msg, tmp_str, strlen(tmp_str)-1); - sendAlert(DSTIP, SRCIP, alert); - - if(alert->msg != NULL) - free(alert->msg); - free(alert); -#endif - } - - if ((p=strstr(output_str, "SAFE"))!=NULL) - { -#if 0 - alert = (ALERT *)malloc(sizeof(ALERT)); - memset(alert, 0, sizeof(ALERT)); - - // Set up our static fields - alert->priority = 1; - alert->src_ip = SRCIP; - alert->dst_ip = DSTIP; - alert->ip_proto = 6; - alert->src_port = 80; 
- alert->dst_port = 2437; - - sprintf(tmp_str, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s", p); - - alert->msg = (char *)malloc(strlen(tmp_str)); - memset(alert->msg, 0, strlen(tmp_str)); - memcpy(alert->msg, tmp_str, strlen(tmp_str)-1); - sendAlert(DSTIP, SRCIP, alert); - - if(alert->msg != NULL) - free(alert->msg); - free(alert); -#endif - - } - - if ((p=strstr(output_str, "Type: "))!=NULL) - { -#if 0 - alert = (ALERT *)malloc(sizeof(ALERT)); - memset(alert, 0, sizeof(ALERT)); - - // Set up our static fields - alert->priority = 1; - alert->src_ip = SRCIP; - alert->dst_ip = DSTIP; - alert->ip_proto = 6; - alert->src_port = 80; - alert->dst_port = 2437; - - sprintf(tmp_str, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s", p); - - alert->msg = (char *)malloc(strlen(tmp_str)); - memset(alert->msg, 0, strlen(tmp_str)); - memcpy(alert->msg, tmp_str, strlen(tmp_str)-1); - sendAlert(DSTIP, SRCIP, alert); - - if(alert->msg != NULL) - free(alert->msg); - free(alert); - - /*Set a flag to know that we read the second to last line */ - second_to_last_line = 1; - - memset(output_str, 0, MAX_ALERT_SIZE); -#endif - } - - if ((strlen (output_str) > 5) && (second_to_last_line == 1)) - { -#if 0 - alert = (ALERT *)malloc(sizeof(ALERT)); - memset(alert, 0, sizeof(ALERT)); - - // Set up our static fields - alert->priority = 1; - alert->src_ip = SRCIP; - alert->dst_ip = DSTIP; - alert->ip_proto = 6; - alert->src_port = 80; - alert->dst_port = 2437; - - sprintf(tmp_str, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s", output_str); - - alert->msg = (char *)malloc(strlen(tmp_str)); - memset(alert->msg, 0, strlen(tmp_str)); - memcpy(alert->msg, tmp_str, strlen(tmp_str)-1); - sendAlert(DSTIP, SRCIP, alert); - - if(alert->msg != NULL) - free(alert->msg); - free(alert); -#endif - } - - memset(output_str, 0, MAX_ALERT_SIZE); - //*output_str=""; + else if ((strlen (output_str) > 5) && (second_to_last_line == 1)) + { + } } } } /* Remove file */ if (remove(tmp_string) != 0) - 
fprintf(stderr,"Error in deleting tmpfile\n"); - ret = R_NOT_FOUND; + fprintf(stderr,"Error in deleting tmpfile\n"); return ret; } HRESULT initNug(DetectionAPI *detectionObj) { - int ret; uuid_t myuuid; uuid_t list; 
@@ -387,42 +182,43 @@ return R_SUCCESS; } -void RZB_officecat_Detection_Nugget(BLOCK_META_DATA *metaData) +static void RZB_officecat_Detection_Nugget(BLOCK_META_DATA *metaData) { int ret; - char message[1024]; + char message[2048]; ALERT alert; - unsigned char *data = metaData->data; + uint8_t *data = metaData->data; size_t data_len = metaData->size; char vuln_name[1024]; unsigned char tmp_md5[MD5_SIZE]; - if(ret = RZB_scan_officecat(data, data_len, &vuln_name) == R_FOUND) + if ((ret = RZB_scan_officecat(data, data_len, vuln_name, sizeof(vuln_name))) == R_FOUND) { - sprintf(message, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s\n", vuln_name); + snprintf(message, sizeof(message), "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s\n", vuln_name); - alert.event_id = metaData->eventid; - inet_ntop(AF_INET, metaData->src_ip, alert.src_ip, sizeof(alert.src_ip)); - inet_ntop(AF_INET, metaData->dst_ip, alert.dst_ip, sizeof(alert.dst_ip)); + alert.event_id = metaData->eventid; + inet_ntop(AF_INET, &metaData->src_ip, alert.src_ip, sizeof(alert.src_ip)); + inet_ntop(AF_INET, &metaData->dst_ip, alert.dst_ip, sizeof(alert.dst_ip)); alert.ip_proto = metaData->ip_proto; - alert.src_port = metaData->src_port; - alert.dst_port = metaData->dst_port; - alert.msg = message; - alert.msg_size = strlen(message); - alert.short_data = NULL; - alert.sd_size = 0; - uuid_copy(alert.dataType, metaData->datatype); - md5sum(data, data_len, tmp_md5); - alert.main_md5 = tmp_md5; - alert.long_data = NULL; - alert.ld_size = 0; - alert.data_block = data; - alert.db_size = data_len; - alert.norm_block = NULL; - alert.norm_size= 0; + alert.src_port = metaData->src_port; + alert.dst_port = metaData->dst_port; + alert.msg = message; + alert.msg_size = strlen(message); + alert.short_data = NULL; + alert.sd_size = 0; + uuid_copy(alert.dataType, metaData->datatype); + md5sum(data, data_len, tmp_md5); + alert.main_md5 = tmp_md5; + alert.long_data = NULL; + alert.ld_size = 0; + alert.data_block = data; + 
alert.db_size = data_len; + alert.norm_block = NULL; + alert.norm_size= 0; - DEBUG_RZB(printf("ALERT! %s\n", message);); - sendAlert(&alert); + printf("%s\n", message); + sendAlert(&alert); } - + else if (ret == R_NOT_FOUND) + printf("%s\n", "OFFICECAT DID NOT FIND ANYTHING"); } Modified: trunk/detection-nuggets/smtp/buildit.sh =================================================================== --- trunk/detection-nuggets/smtp/buildit.sh 2010-10-29 14:38:24 UTC (rev 33) +++ trunk/detection-nuggets/smtp/buildit.sh 2010-10-29 21:26:34 UTC (rev 34) @@ -2,7 +2,10 @@ RZBINC=`pkg-config --cflags razorback` RZBLIB=`pkg-config --libs razorback` echo "gcc -fPIC ${RZBINC} -g -c smtp_parser.c" -gcc -fPIC ${RZBINC} -g -c smtp_parser.c +gcc -Wall -fPIC ${RZBINC} -g -c smtp_parser.c +echo "gcc -shared -Wl -o smtp_parser.so.1 smtp_parser.o -lc -lpcre ${RZBLIB}" gcc -shared -Wl -o smtp_parser.so.1 smtp_parser.o -lc -lpcre ${RZBLIB} -gcc smtpTestStub.c -luuid -ldl -o smtpTestStub -echo "To run: ./smtpTestStub ./smtp_parser.so.1 <inputFile>" +#gcc smtpTestStub.c -luuid -ldl -o smtpTestStub +#echo "To run: ./smtpTestStub ./smtp_parser.so.1 <inputFile>" +echo "copy smtp_parser.so.1 to your nuggets directory to be run by rzbNugget" + Modified: trunk/detection-nuggets/smtp/smtp_parser.c =================================================================== --- trunk/detection-nuggets/smtp/smtp_parser.c 2010-10-29 14:38:24 UTC (rev 33) +++ trunk/detection-nuggets/smtp/smtp_parser.c 2010-10-29 21:26:34 UTC (rev 34) @@ -4,8 +4,12 @@ #include <pcre.h> #include <string.h> #include <stdint.h> +#include <ctype.h> #include "rzb_global.h" // This should link to the svn copy +#include "rzb_api.h" +#include "rzb_alert_api.h" +#include "rzb_alert_util.h" #include <uuid/uuid.h> #define MAX_BOUNDARY_LEN 70 /* Max length of boundary string, defined in RFC 2046 */ 
@@ -65,7 +69,7 @@ SMTPPcre mime_base64_pcre; #define PP_COLS 16 -void prettyprint(const unsigned char *data, unsigned int size) { +static void prettyprint(const unsigned char *data, unsigned int size) { unsigned int i; const unsigned char *dataptr = data; unsigned char asciigraph[PP_COLS + 1]; @@ -95,7 +99,8 @@ } } -void PrintSMTPProcessMessageReturnCode(int code) { +#ifdef SMTP_DEBUG +static void PrintSMTPProcessMessageReturnCode(int code) { switch(code) { case SMTP_DONE: printf("SMTP_DONE\n"); @@ -118,12 +123,13 @@ } } -void PrintPartStats(unsigned char *bufferstart, unsigned char *part_start, unsigned char *part_end) { +static void PrintPartStats(unsigned char *bufferstart, unsigned char *part_start, unsigned char *part_end) { printf("global offsets -- start:%ld end:%ld ", (long)(part_start - data_start), (long)(part_end - data_start)); printf("part_start=%p(%ld) part_end=%p(%ld) length=%ld\n", part_start, (long)(part_start-bufferstart), part_end, (long)(part_end - bufferstart), (long)(part_end - part_start)); } +#endif -static void compute_prefix(unsigned char* str, size_t size, int *result) { +static void compute_prefix(const char* str, size_t size, int *result) { size_t q; int k; result[0] = 0; @@ -139,7 +145,7 @@ } } -static void prepare_badcharacter_heuristic(unsigned char *str, size_t size, +static void prepare_badcharacter_heuristic(const char *str, size_t size, int *result) { size_t i; @@ -151,11 +157,11 @@ result[(size_t) str[i]] = i; } -void prepare_goodsuffix_heuristic(unsigned char *normal, size_t size, +static void prepare_goodsuffix_heuristic(const char *normal, size_t size, int *result) { - char *left = (char *) normal; - char *right = left + size; + const char *left = normal; + const char *right = left + size; char *reversed; char *tmp; size_t i; 
@@ -198,16 +204,16 @@ /* * Boyer-Moore search algorithm */ -unsigned char *boyermoore_search(unsigned char *haystack, size_t haystack_len, SMTPMimeBoundary *mime_boundary_info) { +static unsigned char *boyermoore_search(unsigned char *haystack, size_t haystack_len, SMTPMimeBoundary *mime_boundary_info) { /* * Calc string sizes */ - unsigned char *needle = mime_boundary_info->boundary; - size_t needle_len = mime_boundary_info->boundary_len; - int badcharacter[ALPHABET_SIZE]; - int *goodsuffix; + char *needle = mime_boundary_info->boundary; + size_t needle_len = mime_boundary_info->boundary_len; + int badcharacter[ALPHABET_SIZE]; + int *goodsuffix; - size_t s; + size_t s; size_t j; int k; int m; @@ -269,13 +275,34 @@ -int inBounds(const uint8_t *start, const uint8_t *end, const uint8_t *p) +static int inBounds(const uint8_t *start, const uint8_t *end, const uint8_t *p) { if ((p >= start) && (p < end)) return 1; return 0; } +static int SafeMemCheck(void *dst, size_t n, + const void *start, const void *end) +{ + void *tmp; + + if (n < 1) + return SAFEMEM_ERROR; + + if ((dst == NULL) || (start == NULL) || (end == NULL)) + return SAFEMEM_ERROR; + + tmp = ((uint8_t *)dst) + (n - 1); + if (tmp < dst) + return SAFEMEM_ERROR; + + if (!inBounds(start, end, dst) || !inBounds(start, end, tmp)) + return SAFEMEM_ERROR; + + return SAFEMEM_SUCCESS; +} + /** * A Safer Memcpy * @@ -287,7 +314,7 @@ * * @return SAFEMEM_ERROR on failure, SAFEMEM_SUCCESS on success */ -int SafeMemcpy(void *dst, const void *src, size_t n, const void *start, const void *end) +static int SafeMemcpy(void *dst, const void *src, size_t n, const void *start, const void *end) { if (SafeMemCheck(dst, n, start, end) != SAFEMEM_SUCCESS) ERRORRET; 
@@ -297,27 +324,6 @@ return SAFEMEM_SUCCESS; } -int SafeMemCheck(void *dst, size_t n, - const void *start, const void *end) -{ - void *tmp; - - if (n < 1) - return SAFEMEM_ERROR; - - if ((dst == NULL) || (start == NULL) || (end == NULL)) - return SAFEMEM_ERROR; - - tmp = ((uint8_t *)dst) + (n - 1); - if (tmp < dst) - return SAFEMEM_ERROR; - - if (!inBounds(start, end, dst) || !inBounds(start, end, tmp)) - return SAFEMEM_ERROR; - - return SAFEMEM_SUCCESS; -} - ///* // * Initialize run-time boundary search // */ @@ -385,7 +391,7 @@ } -static int SMTP_GetBoundary(unsigned char *data, int data_len, SMTPMimeBoundary *mime_boundary_info) +static int SMTP_GetBoundary(const uint8_t *data, int data_len, SMTPMimeBoundary *mime_boundary_info) { int result; int ovector[9]; @@ -401,13 +407,13 @@ /* result will be the number of matches (including submatches) */ result = pcre_exec(mime_boundary_pcre.re, mime_boundary_pcre.pe, - data, data_len, 0, 0, ovector, ovecsize); + (const char *)data, data_len, 0, 0, ovector, ovecsize); if (result < 0) { DEBUG_RZB(printf("pcre not found\n")); return -1; } - result = pcre_get_substring(data, ovector, result, 1/*2*/, &boundary); + result = pcre_get_substring((const char *)data, ovector, result, 1/*2*/, &boundary); if (result < 0) return -1; @@ -440,20 +446,20 @@ return(ovector[1]); // offset of byte AFTER the boundary string } -static int ContentIsBase64(unsigned char *data, int data_len) { +static int ContentIsBase64(const u_int8_t *data, int data_len) { int result; int ovector[9]; int ovecsize = 9; result = pcre_exec(mime_base64_pcre.re, mime_base64_pcre.pe, - data, data_len, 0, 0, ovector, ovecsize); + (const char *)data, data_len, 0, 0, ovector, ovecsize); return(result); } -int SMTP_FindMessageData(unsigned char *buffer, int length, unsigned char **beginning) { +static int SMTP_FindMessageData(uint8_t *buffer, int length, uint8_t **beginning) { int i; char begofdata[] = "DATA"; 
@@ -463,7 +469,7 @@ for(i=0; i < length; i++) { // See if this is the start of the data block - if(strncmp(begofdata, &(buffer[i]), strlen(begofdata)) == 0) { + if (strncmp(begofdata, (const char *)&(buffer[i]), sizeof(begofdata) - 1) == 0) { i += strlen(begofdata); // Jump over "\r?\n" @@ -488,7 +494,7 @@ } -int SMTP_FindEndOfHeader(unsigned char *buffer, int length, unsigned char **end) { +static int SMTP_FindEndOfHeader(uint8_t *buffer, int length, uint8_t **end) { int i = 0; if(length < 2) @@ -500,7 +506,7 @@ } for(i=2; i < length; i++) { - if(buffer[i] == '\n' && ((buffer[i-1] == '\n')) || ((buffer[i-1] == '\r') && (buffer[i-2] == '\n'))) { + if(buffer[i] == '\n' && ((buffer[i-1] == '\n') || ((buffer[i-1] == '\r') && (buffer[i-2] == '\n')))) { *end = &(buffer[i+1]); return 1; } @@ -509,22 +515,32 @@ return 0; } -int SendToDispatcher(unsigned char *data, int len, unsigned int eventID) { - +static int SendToDispatcher(uint8_t *data, int len, unsigned int eventID) +{ BLOCK_META_DATA *mdata = NULL; + uint8_t *data_copy; // Init the metadata structure - if((mdata = malloc(sizeof(BLOCK_META_DATA))) == NULL) { + if((mdata = calloc(1, sizeof(BLOCK_META_DATA))) == NULL) { perror("Error allocating mdata\n"); - return; + return R_MALLOC_FAIL; } - // Zero out the structure - memset(mdata, 0, sizeof(BLOCK_META_DATA)); - // Fill in the required fields mdata->timestamp = (unsigned int)time(NULL); - mdata->data = data; + if (data && len) + { + if ((data_copy = malloc(len)) == NULL) + { + perror("Error allocating data copy\n"); + free(mdata); + return R_MALLOC_FAIL; + } + memcpy(data_copy, data, len); + } + else + data_copy = NULL; + mdata->data = data_copy; mdata->size = len; mdata->parent_data = NULL; mdata->src_ip.s_addr = 0x01010101; 
@@ -532,11 +548,11 @@ mdata->ip_proto = 6; mdata->src_port = 25; mdata->dst_port = 8000; - file_type_lookup(data, len, (unsigned char *)&mdata->datatype); + uuid_copy(mdata->datatype, file_type_lookup(data_copy, len)); printf("\n\n\nVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\n"); printf("*************************** SendToDispatcher() ***************************\n"); - prettyprint(data,len); + prettyprint(data_copy, len); printf("*************************** SendToDispatcher() ***************************\n"); printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n\n\n"); @@ -561,10 +577,10 @@ * On return, *bytes_written contains the number of valid bytes in the output buffer. */ -int base64_decode(unsigned char *inbuf, int inbuf_size, unsigned char **outbuf, int *bytes_written) { +static int base64_decode(unsigned char *inbuf, int inbuf_size, unsigned char **outbuf, int *bytes_written) { /* Our lookup table for decoding base64 */ -unsigned int decode64tab[256] = { +static const unsigned int decode64tab[256] = { 100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100, 100,100,100,100,100,100,100,100,100,100,100,100,100,100,100,100, 100,100,100,100,100,100,100,100,100,100,100,62 ,100,100,100, 63, @@ -701,12 +717,12 @@ } -int ProcessMessage(unsigned char *data, int data_len, unsigned int eventID) { +static int ProcessMessage(uint8_t *data, int data_len, unsigned int eventID) { int retval = SMTP_NOBOUNDARY; unsigned char *end_of_header; - unsigned char *part_start, *part_end, *loop_part_start, *loop_part_end; + unsigned char *part_start, *part_end; unsigned char *base64_decoded_data = NULL; int base64_decoded_size = 0; @@ -814,9 +830,9 @@ } -void RZB_SMTP_Detection_Nugget(BLOCK_META_DATA *metaData) { +static void RZB_SMTP_Detection_Nugget(BLOCK_META_DATA *metaData) { - unsigned char *beg_of_message; + uint8_t *beg_of_message; int retval; 
@@ -830,7 +846,7 @@ beg_of_message = metaData->data; } - retval = ProcessMessage(beg_of_message, (unsigned char *)metaData->data + metaData->size - beg_of_message, metaData->eventid); + retval = ProcessMessage(beg_of_message, metaData->data + metaData->size - beg_of_message, metaData->eventid); DEBUG_RZB(printf("main: ProcessMessage() = ", retval)); DEBUG_RZB(PrintSMTPProcessMessageReturnCode(retval)); } Modified: trunk/detection-nuggets/swf/Makefile =================================================================== --- trunk/detection-nuggets/swf/Makefile 2010-10-29 14:38:24 UTC (rev 33) +++ trunk/detection-nuggets/swf/Makefile 2010-10-29 21:26:34 UTC (rev 34) @@ -1,18 +1,14 @@ -CC = gcc -RZBAPI=/usr/local/razorback -# Uncomment the following to enable debug -#CC = gcc -ggdb -# Going to have to change some paths below.... -INCLUDES = -I${PWD}/.. -I${PWD} -I$(RZBAPI)/include -LIBS = -lm -lmagic -luuid -lssl -ldl -lpcre -L$(RZBAPI)/lib -lrazorback_api +INCLUDES = $(shell pkg-config --cflags razorback) -all: swf-scanner +LIBS = -lm -lmagic -lssl -ldl -lpcre +LIBS += $(shell pkg-config --libs razorback) +CFLAGS+=-Wall -fPIC -DPIC -ggdb $(INCLUDES) -swf-scanner: - $(CC) $(INCLUDES) $(LIBS) -fPIC -g -Wall -c swf_scanner.c - $(CC) $(INCLUDES) $(LIBS) -shared -Wall -o swf_scanner.so.1 swf_scanner.o -lc +all: swf_scanner.so.1 +%.so.1: %.o + $(CC) $(LIBS) -shared -Wl -o $@ $^ -lc + @echo "copy $@ to your nuggets directory to be run by rzbNugget" + clean: - rm -f *.o - rm -f swf_scanner - rm -f *.so.1 + rm -f *.o *.so.1 Modified: trunk/detection-nuggets/swf/swf_scanner.c =================================================================== --- trunk/detection-nuggets/swf/swf_scanner.c 2010-10-29 14:38:24 UTC (rev 33) +++ trunk/detection-nuggets/swf/swf_scanner.c 2010-10-29 21:26:34 UTC (rev 34) 
@@ -1,6 +1,7 @@ #include "swf_scanner.h" static void sendWarnings(ALERT *alert, ErrorCode errCode); +#define TEST 1 #ifdef VERBOSE This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
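Review bot: the `rzb_http-server.c` hunk that follows `rzb_collector.sendData(mdata);` clears `fileinfo->filedata` and `fileinfo->filesize` but leaves `fileinfo->bufferindex` alone, and the earlier hunk uses that index to place the next write (`filedataptr = &((fileinfo->filedata)[fileinfo->bufferindex]);`). If the struct is reused for the next file, the first write after a fresh allocation lands at the stale offset and can run off the end of the new buffer; reset `bufferindex` in the same place. A one-line comment that ownership of `filedata` passes to the dispatcher on `sendData()` would also explain why the pointer is dropped without a `free()`.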
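Review bot: the new `officecat/Makefile` link rule `$(CC) $(LIBS) -shared -Wl -o $@ $^ -lc` passes a bare `-Wl` with no comma-separated linker option, which does nothing useful and some toolchains reject; drop it or give it an argument such as `-Wl,-soname,$@`. Placing `$(LIBS)` before the object also breaks with linkers that honour `--as-needed`, so move it after `$^`. The same bare `-Wl` appears in the `smtp/buildit.sh` link line and in the `swf/Makefile` rule added by this revision.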
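Review bot: `RZB_scan_officecat()` replaces the fixed `/mnt/RZB_Officecat/tmpfileN` scheme with `tmpnam_r()` followed by `fopen(tmp_string, "w")`, which is a temp-file race: the name is predictable and nothing prevents another local user from pre-creating it, or a symlink to it, between the two calls, after which the content handed to `officecat.exe` (or the file clobbered via the symlink) is under that user's control. Use `mkstemp()` on a template and `fdopen()` the descriptor instead. Separately, the byte filter `if (c !='\x0D' || c !='\x0A' || c !='\x0C' || c !='\x09')` is true for every value of `c`, so now that the terminator check has become an `else if`, that branch and every `strstr()` behind it are unreachable and `ret` can never become `R_FOUND`; the condition needs `&&`, and a `getc()` result of `EOF` should end the loop rather than be stored. Finally, no `pclose(pf)` appears in the visible lines after the read loop, so the child process and pipe leak on every scan.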
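Review bot: in the `RZB_officecat_Detection_Nugget()` hunk the corrected assignment precedence `if ((ret = RZB_scan_officecat(...)) == R_FOUND)` is right, but the new `else if (ret == R_NOT_FOUND)` means an `R_FAIL` from the temp-file or `popen()` path is silently swallowed; log it. Also `printf("%s\n", message)` replaced the `DEBUG_RZB` wrapper and `message` already ends in `\n`, so every hit now prints a double newline to stdout unconditionally; keep it behind `DEBUG_RZB` or send it to stderr.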
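Review bot: changing `prepare_badcharacter_heuristic()` to take `const char *str` turns `result[(size_t) str[i]] = i;` into an out-of-bounds write: `char` is signed on x86, so any boundary byte at or above 0x80 becomes a negative index into the `badcharacter[ALPHABET_SIZE]` array in `boyermoore_search()`. The boundary is pulled out of the scanned message by `SMTP_GetBoundary()`, so this is reachable from input. Index with `(unsigned char) str[i]`, and check the other lookups in `boyermoore_search()` now that `needle` is typed `char *` as well.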
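Review bot: in `SMTP_FindMessageData()` the loop `for(i=0; i < length; i++)` compares `sizeof(begofdata) - 1` (4) bytes at `&buffer[i]` on every iteration, so for the last three positions the `strncmp` reads past the end of the buffer. Bound the loop with `i + sizeof(begofdata) - 1 <= length`, or use `memcmp` guarded by an explicit remaining-length check.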
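Review bot: `SendToDispatcher()` now copies the block into `data_copy`, which is the right fix since the caller's base64-decoded buffer is freed after the call, but `file_type_lookup(data_copy, len)` is still invoked on the `data_copy == NULL` path (the `else` branch for an empty block); guard it or reject zero-length blocks up front. Also `perror("Error allocating mdata\n")` and `perror("Error allocating data copy\n")` embed a newline even though `perror` appends `: strerror` and its own newline, so the messages print broken; drop the `\n`.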
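Review bot: `+#define TEST 1` at the top of `swf_scanner.c` unconditionally enables whatever `TEST` guards for every build of the nugget; if it is a debug switch it belongs in `CFLAGS` as `-DTEST` (or behind `#ifndef TEST`), not committed into the source.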
From: <rde...@us...> - 2010-10-29 14:38:30
Revision: 33 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=33&view=rev Author: rdempster Date: 2010-10-29 14:38:24 +0000 (Fri, 29 Oct 2010) Log Message: ----------- Now compatible with api 0.1.2 Modified Paths: -------------- trunk/detection-nuggets/clamav/ClamAVNugget.c trunk/detection-nuggets/clamav/buildit.sh Modified: trunk/detection-nuggets/clamav/ClamAVNugget.c =================================================================== --- trunk/detection-nuggets/clamav/ClamAVNugget.c 2010-10-25 14:48:02 UTC (rev 32) +++ trunk/detection-nuggets/clamav/ClamAVNugget.c 2010-10-29 14:38:24 UTC (rev 33) @@ -3,17 +3,21 @@ #include <stdint.h> #include <sys/mount.h> #include <string.h> -#include "libclamav/clamav.h" -#include "libclamav/others.h" +#include "clamav.h" +//#include "others.h" #include "rzb_global.h" +#include "rzb_alert_api.h" +#include "rzb_alert_util.h" #include "rzb_alert_global.h" #include <uuid/uuid.h> +#include <arpa/inet.h> +#include <errno.h> -struct cl_engine * RZB_start_clamav(const char *db_dir); -int RZB_scan_buffer(struct cl_engine * engine, char * buffer, int buffer_size, const char ** virname); -int RZB_stop_clamav(struct cl_engine * engine); -void RZB_CLAMAV_Detection_Nugget(BLOCK_META_DATA *metaData); -int RZB_clamav_md5sig(const char *hdb_filename, char * buffer, int buffer_size); +static struct cl_engine * RZB_start_clamav(const char *db_dir); +static int RZB_scan_buffer(struct cl_engine * engine, const uint8_t * buffer, int buffer_size, const char ** virname); +static int RZB_stop_clamav(struct cl_engine * engine); +static void RZB_CLAMAV_Detection_Nugget(BLOCK_META_DATA *metaData); +//static int RZB_clamav_md5sig(const char *hdb_filename, char * buffer, int buffer_size); DetectionAPI *detection; // Provides pointers to API functions static struct cl_engine *engine = NULL; 
@@ -46,7 +50,7 @@ Linux kernel 2.4 or up required (for tmpfs) ***********************************************************/ -struct cl_engine * RZB_start_clamav(const char *db_dir) +static struct cl_engine * RZB_start_clamav(const char *db_dir) { int ret; /* Return value for the function RZB_scan_buffer */ struct cl_engine *engine = NULL; /* Pointer to ClamAV engine */ 
@@ -107,68 +111,53 @@ initialized with RZB_start_clamav. ***********************************************************/ -int RZB_scan_buffer(struct cl_engine * engine, char * buffer, int buffer_size, const char ** virname) +static int RZB_scan_buffer(struct cl_engine * engine, const uint8_t * buffer, int buffer_size, const char ** virname) { - FILE *out_file; /* Output stream to create a temporary file on tmpfs */ - int ret, i; /* Return value for the function RZB_scan_buffer */ - const char *virus_name; /* Virus name, as returned by cl_scanfile */ - char tmp_string[strlen("/mnt/RZB_ClamAV/tmpfile") + 4]; /* Temporary string to use for path to tmpfile */ + FILE *out_file; /* Output stream to create a temporary file on tmpfs */ + int ret; /* Return value for the function RZB_scan_buffer */ + const char *virus_name; /* Virus name, as returned by cl_scanfile */ + char tmp_string[L_tmpnam]; /* Temporary string to use for path to tmpfile */ - /* Create string to use for path to tmpfile */ - strcpy(tmp_string, "/mnt/RZB_ClamAV/tmpfile"); - - /* Create at most 999 different tmpfiles at the same time */ - for (i=0; i < 1000; i ++) + tmp_string[0] = 0; + if (tmpnam_r(tmp_string) == NULL) { - sprintf(tmp_string,"/mnt/RZB_ClamAV/tmpfile%d",i); + fprintf(stderr, "Cannot create temporary file name: (%d) %s\n", errno, strerror(errno)); + return 1; + } - DEBUG_RZB(printf ("%s\n", tmp_string);); - - /* Create tmpfile */ - if ((out_file = fopen(tmp_string, "w")) != NULL) - break; - else - { - if (i == 999) - { - fprintf(stderr, "Cannot create temporary file in: /mnt/RZB_ClamAV\n"); - return 1; - } - else - continue; - } + /* Create tmpfile */ + if ((out_file = fopen(tmp_string, "w")) == NULL) + { + fprintf(stderr, "Cannot create temporary file %s: (%d) %s\n", tmp_string, errno, strerror(errno)); + return 1; } /* Read from buffer and write to out_file */ if(fwrite (buffer, 1, buffer_size, out_file) != buffer_size) - { perror("Error writing tempfile file to tmpfs"); - } - /* Close file 
associated with stream */ - if (out_file !=NULL) - fclose(out_file); + fclose(out_file); /* Scan the file with standard scan options */ - if((ret = cl_scanfile(tmp_string, &virus_name, NULL, engine, CL_SCAN_STDOPT)) == CL_VIRUS) - { - printf("Virus %s detected in %s\n", virus_name, "tmpfile"); + if((ret = cl_scanfile(tmp_string, &virus_name, NULL, engine, CL_SCAN_STDOPT)) == CL_VIRUS) + { + printf("Virus %s detected in %s\n", virus_name, "tmpfile"); *virname = virus_name; - ret = R_FOUND; - } - else - { + ret = R_FOUND; + } + else + { *virname = "No virus detected\n"; /* If no virus was detected */ - printf("No virus detected.\n"); + printf("No virus detected.\n"); /* If no virus was detected...and the file isn't clean */ - if(ret != CL_CLEAN) - { - fprintf(stderr, "Error: %s\n", cl_strerror(ret)); - return ret; - } - ret = R_NOT_FOUND; + if(ret != CL_CLEAN) + { + fprintf(stderr, "Error: %s\n", cl_strerror(ret)); + return ret; + } + ret = R_NOT_FOUND; } /* Delete the file from tmpfs */ @@ -178,7 +167,8 @@ return ret; } -int RZB_clamav_md5sig(const char *hdb_filename, char * buffer, int buffer_size) +#if 0 +static int RZB_clamav_md5sig(const char *hdb_filename, char * buffer, int buffer_size) { char *md5=NULL; struct stat sb; @@ -263,6 +253,7 @@ return 0; } +#endif /*********************************************************** @@ -281,7 +272,7 @@ done using the ClamAV engine. ***********************************************************/ -int RZB_stop_clamav(struct cl_engine * engine) +static int RZB_stop_clamav(struct cl_engine * engine) { int ret; /* Return value for the function RZB_scan_buffer */ 
@@ -320,16 +311,14 @@ return R_SUCCESS; } -void RZB_CLAMAV_Detection_Nugget(BLOCK_META_DATA *metaData) -//unsigned char *data, size_t data_len, uuid_t *type, uuid_t *eventID) +static void RZB_CLAMAV_Detection_Nugget(BLOCK_META_DATA *metaData) { - int ret; const char * virname; char message[1024]; unsigned char tmp_md5[MD5_SIZE]; ALERT alert; - unsigned char *data = metaData->data; + uint8_t *data = metaData->data; size_t data_len = metaData->size; if(RZB_scan_buffer(engine, data, data_len, &virname) == R_FOUND) { @@ -337,8 +326,8 @@ sprintf(message, "MALWARE: %s found\n", virname); alert.event_id = metaData->eventid; - inet_ntop(AF_INET, metaData->src_ip, alert.src_ip, sizeof(alert.src_ip)); - inet_ntop(AF_INET, metaData->dst_ip, alert.dst_ip, sizeof(alert.dst_ip)); + inet_ntop(AF_INET, &metaData->src_ip, alert.src_ip, sizeof(alert.src_ip)); + inet_ntop(AF_INET, &metaData->dst_ip, alert.dst_ip, sizeof(alert.dst_ip)); alert.ip_proto = metaData->ip_proto; alert.src_port = metaData->src_port; alert.dst_port = metaData->dst_port; @@ -366,3 +355,4 @@ { RZB_stop_clamav(engine); } + Modified: trunk/detection-nuggets/clamav/buildit.sh =================================================================== --- trunk/detection-nuggets/clamav/buildit.sh 2010-10-25 14:48:02 UTC (rev 32) +++ trunk/detection-nuggets/clamav/buildit.sh 2010-10-29 14:38:24 UTC (rev 33) 
@@ -1,10 +1,10 @@ #!/bin/bash -CLAMSRCDIR="/path/to/source/files/for/clamav-0.96.1/" -CLAMLIBDIR="/path/where/libclamav/is/installed--/usr/local/lib/" +CLAMCFLAGS=`pkg-config --cflags libclamav` +CLAMLIBS=`pkg-config --libs libclamav` API=`pkg-config --cflags razorback` APILIBS=`pkg-config --libs razorback` -echo "gcc -fPIC -g -c -I$CLAMSRCDIR ${API} ClamAVNugget.c" -gcc -fPIC -g -c -I$CLAMSRCDIR ${API} ClamAVNugget.c -echo "gcc -shared -Wl -I$CLAMSRCDIR -L$CLAMLIBDIR -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre -lclamav ${APILIBS}" -gcc -shared -Wl -I$CLAMSRCDIR -L$CLAMLIBDIR -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre -lclamav ${APILIBS} +echo "gcc -Wall -fPIC -g -c ${CLAMCFLAGS} ${API} ClamAVNugget.c" +gcc -Wall -fPIC -g -c ${CLAMCFLAGS} ${API} ClamAVNugget.c +echo "gcc -shared -Wl -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre ${APILIBS} ${CLAMLIBS}" +gcc -shared -Wl -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre ${APILIBS} ${CLAMLIBS} echo "copy ClamAVNugget.so.1 to your nuggets directory to be run by rzbNugget" This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
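Review bot: the tmpnam_r() change in the RZB_scan_buffer hunk (@@ -107,68 +111,53 @@) replaces the fixed /mnt/RZB_ClamAV/tmpfileN names but keeps the same two-step pattern: the name is generated, then fopen(tmp_string, "w") creates the file separately. Between those steps another local process can create that path, or place a symlink there, and fopen "w" will follow it and truncate the target; glibc also warns at link time that tmpnam_r is dangerous and suggests mkstemp. mkstemp() creates and opens the file atomically with mode 0600 (so the scanned sample is not left world-readable under the default umask), the descriptor can be wrapped with fdopen() for the fwrite, and libclamav's cl_scandesc() takes that descriptor in place of cl_scanfile()'s path, so the name is never re-opened; unlink() the same name afterwards.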
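Review bot: in the same RZB_scan_buffer hunk a short fwrite() is only reported with perror(); the function then closes the file and scans it anyway, so a truncated sample is scanned and reported R_NOT_FOUND as though it were clean. Treat the short write as a failure: fclose(), remove the temp file and return an error code, as the tmpnam_r and fopen failures just above it already do.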
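Review bot: the RZB_CLAMAV_Detection_Nugget hunks (@@ -320 and @@ -337) still build the alert text with sprintf(message, "MALWARE: %s found\n", virname) into a fixed char message[1024]; use snprintf(message, sizeof(message), ...) so an unexpectedly long signature name cannot overrun the buffer. The inet_ntop() change to pass &metaData->src_ip and &metaData->dst_ip is correct: inet_ntop takes a pointer to the address, and the old code passed the value itself.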
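Review bot: RZB_clamav_md5sig is disabled with #if 0 and its prototype commented out (@@ -178 and @@ -263) rather than deleted; the old version is in the repository history, so removing the dead code avoids carrying an unbuilt path that will drift from the alert API.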
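Review bot: the buildit.sh hunk keeps a bare -Wl on the link line; without a comma-separated option it passes nothing to the linker, so either drop it or spell out the intended option. The script also has no error handling: add set -e (or check each gcc exit status) so a failed compile does not continue into the link step and the closing "copy ClamAVNugget.so.1 to your nuggets directory" message. With libclamav's flags now coming from pkg-config --libs libclamav, the hand-listed -lc -lpcre deserve a second look; nothing in ClamAVNugget.c shown in this patch calls pcre directly.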
From: Ron D. <rde...@so...> - 2010-10-25 21:48:58
This is due to a bug in the dispatcher/API. The routing table forwards a copy of the data to every type of nugget that is registered to receive data of that type. The rzbNugget software receives the data and passes it to all nuggets interested in the data type. The following is what happens on my system:

Dispatcher routing table follows (3 different types of nuggets interested in PDF_FILE all from the same rzbNugget at 127.0.0.1:10003):

Defense Routing Table
=====================
Data Type: Alert Output Data (9bfc666d-c3d8-55cc-a2a5-4d66d5a50c59)
  App Type: Output Nugget (a3d0d1f9-c049-474e-bf01-2128ea00a751)
    Nugget ID: 5 Name: ringstinger2 Socket: 127.0.0.1:10003 Nugget Mem Loc: 0x8cec40
Data Type: Adobe Flash (7ab45fff-7c73-412c-8b86-c07619c8fc7d)
  App Type: SF - TEST Detector v.2 (90ad2ed4-69ba-11df-8425-33609fdc1302)
    Nugget ID: 5 Name: ringstinger2 Socket: 127.0.0.1:10003 Nugget Mem Loc: 0x8cec40
    Nugget ID: 5 Name: ringstinger2 Socket: 127.0.0.1:10003 Nugget Mem Loc: 0x8cec40
Data Type: PDF Document (005d5464-7a44-4907-af57-4db08a61e13c)
  App Type: Unknown (31d751b9-a79a-01eb-1b69-8c681bde593d)
    Nugget ID: 5 Name: ringstinger2 Socket: 127.0.0.1:10003 Nugget Mem Loc: 0x8cec40
  App Type: SF - TEST Detector v.2 (90ad2ed4-69ba-11df-8425-33609fdc1302)
    Nugget ID: 5 Name: ringstinger2 Socket: 127.0.0.1:10003 Nugget Mem Loc: 0x8cec40
  App Type: Unknown (e05c5801-0000-0000-3c99-984cb87f0000)
    Nugget ID: 5 Name: ringstinger2 Socket: 127.0.0.1:10003 Nugget Mem Loc: 0x8cec40
Data Type: Suspected Shellcode (4e72c8ec-ff88-4371-a0f0-dfe2b4c733dc)
  App Type: Unknown (36ebbbd8-409a-495d-a049-d72ddfebc06e)
    Nugget ID: 5 Name: ringstinger2 Socket: 127.0.0.1:10003 Nugget Mem Loc: 0x8cec40
Data Type: SMTP Mail Capture (d147f215-128e-4746-a1e2-b6c978bb1869)
  App Type: SF - TEST Detector v.2 (90ad2ed4-69ba-11df-8425-33609fdc1302)
    Nugget ID: 5 Name: ringstinger2 Socket: 127.0.0.1:10003 Nugget Mem Loc: 0x8cec40
Data Type: PE Executable (ba9beb5f-0653-4b04-9552-3bfb634ca7fc)
  App Type: Unknown (e05c5801-0000-0000-3c99-984cb87f0000)
    Nugget ID: 5 Name: ringstinger2 Socket: 127.0.0.1:10003 Nugget Mem Loc: 0x8cec40

The rzbNugget output when I use the collector nugget to send a 2 byte file (0x61 0x0A) is as follows:

Searching for 60b725f10c9c85c70d97880dfe8191b3:
Searching for 60b725f10c9c85c70d97880dfe8191b3:
Searching for 60b725f10c9c85c70d97880dfe8191b3:
Not found
pdf_nugget received 2 bytes of data
sh: /usr/src/nrt/detection/pdf-dissector/dissector.py: not found
Event id: 1 Size: 2 File: a
Not found
pdf_nugget received 2 bytes of data
Not found
pdf_nugget received 2 bytes of data
sh: /usr/src/nrt/detection/pdf-dissector/dissector.py: not found
Event id: 1 Size: 2 File: a
sh: /usr/src/nrt/detection/pdf-dissector/dissector.py: not found
Event id: 1 Size: 2 File: a

The dispatcher sends the data to be inspected by the pdf_dissector nugget and rzbNugget calls the pdf_dissector, simple, and virustotal nuggets. The dispatcher sends the data to be inspected by the simple nugget and rzbNugget calls the pdf_dissector, simple, and virustotal nuggets. The dispatcher sends the data to be inspected by the virustotal nugget and rzbNugget calls the pdf_dissector, simple, and virustotal nuggets. Thus, the file is inspected by all 3 nuggets, 3 times.

This bug will be addressed in the next release.

Ron

On Mon, Oct 25, 2010 at 5:14 PM, Jonathan Blount <jj...@ms...> wrote:
> I was misinterpreting how nuggets connect to the dispatcher and the rzbNugget Server, and I was also confused about the location of the nugget directory.
> I built a Ubuntu 10.10 VM and, after dropping virustotal.so.1 in the correct place, /usr/local/lib/razorback/, and restarting rzbNugget, everything works now. Thanks for the help, Christopher and Ron.
>
> Another issue I have is when I use the collector nugget to send files to the dispatcher, and the file type is PDF_FILE, the output is now printed twice in the rzbNugget window.
> I assume this is because two nuggets have registered to dispatcher to take PDF type data, but I haven't figured out why it's printing output from the nuggets (virustotal, simple, and output_nugget) twice.
> When I rerun collector using PE_FILE it only prints once.
> Any thoughts?
>
>
> On Mon, Oct 25, 2010 at 1:18 PM, Christopher McBee <chr...@so...> wrote:
>
>> I tested with http://oss.metaparadigm.com/json-c/json-c-0.9.tar.gz which is the version shipping with 10.10 currently and it works without issue. That should fix the library dependency issue. As for the segfault, is this on 64-bit or 32-bit ubuntu 9.10?
>>
>> 2010/10/24 Jonathan Blount <jj...@ms...>:
>> > I'm trying to run Christopher McBee's virustotal nugget from the SVN. I'm using a fresh install of Ubuntu 9.10 and got razorback running.
>> > The problem is with the json library required for virustotal, libjson0-dev is in lucid but not karmic, I tried libjson-glib-dev, but couldn't get it to work.
>> > So I found and built json-c from here: http://oss.metaparadigm.com/json-c/ . I added my API key to the source and ran make, but when I run it, it seg faults.
>> >
>> > After a lot of searching, this thread http://stackoverflow.com/questions/1691014/qt-application-crashing-immediately-without-debugging-info-how-do-i-track-down leads me to believe there's a static initializers problem in the library.
>> > So I'm back to trying to find a json library, what one should I use in Ubuntu 9.10? Or should I start over in 10.4/10.10?
>> >
>> > Thanks,
>> > Jon
>> >
>> > ------------------------------------------------------------------------------
>> > Nokia and AT&T present the 2010 Calling All Innovators-North America contest
>> > Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
>> > $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
>> > Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
>> > http://p.sf.net/sfu/nokia-dev2dev
>> > _______________________________________________
>> > Nuggetfarm-devel mailing list
>> > Nug...@li...
>> > https://lists.sourceforge.net/lists/listinfo/nuggetfarm-devel
>> >
>> >
>>
>
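The fan-out Ron describes, modelled as an added example that is not part of the original thread: a dispatcher that sends one copy of a block per routing-table entry, beside one that sends one copy per distinct rzbNugget socket and lets the receiving rzbNugget fan the block out to its local nuggets. The struct names, routing entries and nugget names below are constructed for this illustration and are not the project's own API.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the dispatch path discussed in the thread.  The
 * dispatcher's routing table maps (data type, app type) -> rzbNugget socket;
 * each rzbNugget hands a received block to every local nugget registered for
 * that data type.  Names and structures are assumptions for this example. */

#define MAX_SOCKETS 16

enum data_type { PDF_FILE, PE_FILE };

struct route {
    enum data_type type;   /* data type the registration covers */
    const char *app_type;  /* registering nugget's app type */
    const char *socket;    /* rzbNugget hosting that nugget */
};

struct nugget {
    const char *name;
    enum data_type type;   /* data type the nugget handles */
    const char *socket;    /* rzbNugget it is loaded into */
    int calls;             /* handler invocations in the last dispatch */
};

/* Constructed routing table: three PDF handlers behind one rzbNugget, the
 * situation in the routing dump above (same socket listed three times). */
static struct route routes[] = {
    { PDF_FILE, "pdf_dissector", "127.0.0.1:10003" },
    { PDF_FILE, "simple",        "127.0.0.1:10003" },
    { PDF_FILE, "virustotal",    "127.0.0.1:10003" },
    { PE_FILE,  "clamav",        "127.0.0.1:10003" },
};
#define NROUTES ((int)(sizeof routes / sizeof routes[0]))

static struct nugget nuggets[] = {
    { "pdf_dissector", PDF_FILE, "127.0.0.1:10003", 0 },
    { "simple",        PDF_FILE, "127.0.0.1:10003", 0 },
    { "virustotal",    PDF_FILE, "127.0.0.1:10003", 0 },
    { "clamav",        PE_FILE,  "127.0.0.1:10003", 0 },
};
#define NNUGGETS ((int)(sizeof nuggets / sizeof nuggets[0]))

/* rzbNugget side: one incoming block runs every local nugget registered for
 * its data type.  Returns the number of handlers that ran. */
static int rzbnugget_receive(const char *socket, enum data_type type)
{
    int ran = 0;
    for (int i = 0; i < NNUGGETS; i++) {
        if (strcmp(nuggets[i].socket, socket) == 0 && nuggets[i].type == type) {
            nuggets[i].calls++;
            ran++;
        }
    }
    return ran;
}

static void reset_calls(void)
{
    for (int i = 0; i < NNUGGETS; i++)
        nuggets[i].calls = 0;
}

/* Dispatcher as described in the thread: one copy per routing-table entry.
 * A socket hosting N interested nuggets gets N copies and runs N*N handlers. */
int deliveries_buggy(enum data_type type)
{
    int total = 0;
    reset_calls();
    for (int i = 0; i < NROUTES; i++)
        if (routes[i].type == type)
            total += rzbnugget_receive(routes[i].socket, type);
    return total;
}

/* Corrected dispatcher: at most one copy per distinct socket, because the
 * receiving rzbNugget already fans the block out to its local nuggets. */
int deliveries_fixed(enum data_type type)
{
    const char *sent[MAX_SOCKETS];
    int nsent = 0, total = 0;
    reset_calls();
    for (int i = 0; i < NROUTES; i++) {
        if (routes[i].type != type)
            continue;
        int seen = 0;
        for (int j = 0; j < nsent; j++)
            if (strcmp(sent[j], routes[i].socket) == 0) { seen = 1; break; }
        if (seen)
            continue;
        if (nsent < MAX_SOCKETS)
            sent[nsent++] = routes[i].socket;
        total += rzbnugget_receive(routes[i].socket, type);
    }
    return total;
}

/* Handler invocations for a named nugget in the last dispatch (-1: unknown). */
int calls_for(const char *name)
{
    for (int i = 0; i < NNUGGETS; i++)
        if (strcmp(nuggets[i].name, name) == 0)
            return nuggets[i].calls;
    return -1;
}

int main(void)
{
    printf("PDF_FILE, per-entry dispatch:  %d handler runs\n", deliveries_buggy(PDF_FILE));
    printf("  virustotal ran %d times\n", calls_for("virustotal"));
    printf("PDF_FILE, per-socket dispatch: %d handler runs\n", deliveries_fixed(PDF_FILE));
    printf("PE_FILE,  per-entry dispatch:  %d handler runs\n", deliveries_buggy(PE_FILE));
    return 0;
}
```

With three PDF registrations from one socket the per-entry dispatcher runs nine handlers (each nugget three times), which matches the three "pdf_nugget received 2 bytes of data" lines above; the per-socket variant runs three. PE_FILE, with a single registration, runs once either way, which is why that case printed only once.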
From: Jonathan B. <jj...@ms...> - 2010-10-25 21:14:38
I was misinterpreting how nuggets connect to the dispatcher and the rzbNugget Server, and I was also confused about the location of the nugget directory.
I built a Ubuntu 10.10 VM and, after dropping virustotal.so.1 in the correct place, /usr/local/lib/razorback/, and restarting rzbNugget, everything works now. Thanks for the help, Christopher and Ron.

Another issue I have is when I use the collector nugget to send files to the dispatcher, and the file type is PDF_FILE, the output is now printed twice in the rzbNugget window.
I assume this is because two nuggets have registered to dispatcher to take PDF type data, but I haven't figured out why it's printing output from the nuggets (virustotal, simple, and output_nugget) twice.
When I rerun collector using PE_FILE it only prints once.
Any thoughts?

On Mon, Oct 25, 2010 at 1:18 PM, Christopher McBee <chr...@so...> wrote:

> I tested with http://oss.metaparadigm.com/json-c/json-c-0.9.tar.gz which is the version shipping with 10.10 currently and it works without issue. That should fix the library dependency issue. As for the segfault, is this on 64-bit or 32-bit ubuntu 9.10?
>
> 2010/10/24 Jonathan Blount <jj...@ms...>:
> > I'm trying to run Christopher McBee's virustotal nugget from the SVN. I'm using a fresh install of Ubuntu 9.10 and got razorback running.
> > The problem is with the json library required for virustotal, libjson0-dev is in lucid but not karmic, I tried libjson-glib-dev, but couldn't get it to work.
> > So I found and built json-c from here: http://oss.metaparadigm.com/json-c/ . I added my API key to the source and ran make, but when I run it, it seg faults.
> >
> > After a lot of searching, this thread http://stackoverflow.com/questions/1691014/qt-application-crashing-immediately-without-debugging-info-how-do-i-track-down leads me to believe there's a static initializers problem in the library.
> > So I'm back to trying to find a json library, what one should I use in Ubuntu 9.10? Or should I start over in 10.4/10.10?
> >
> > Thanks,
> > Jon
> >
> > ------------------------------------------------------------------------------
> > Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> > Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
> > $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> > Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> > http://p.sf.net/sfu/nokia-dev2dev
> > _______________________________________________
> > Nuggetfarm-devel mailing list
> > Nug...@li...
> > https://lists.sourceforge.net/lists/listinfo/nuggetfarm-devel
> >
> >
>
From: Christopher M. <chr...@so...> - 2010-10-25 18:18:27
I tested with http://oss.metaparadigm.com/json-c/json-c-0.9.tar.gz which is the version shipping with 10.10 currently and it works without issue. That should fix the library dependency issue. As for the segfault, is this on 64-bit or 32-bit ubuntu 9.10?

2010/10/24 Jonathan Blount <jj...@ms...>:
> I'm trying to run Christopher McBee's virustotal nugget from the SVN. I'm using a fresh install of Ubuntu 9.10 and got razorback running.
> The problem is with the json library required for virustotal, libjson0-dev is in lucid but not karmic, I tried libjson-glib-dev, but couldn't get it to work.
> So I found and built json-c from here: http://oss.metaparadigm.com/json-c/ . I added my API key to the source and ran make, but when I run it, it seg faults.
>
> After a lot of searching, this thread http://stackoverflow.com/questions/1691014/qt-application-crashing-immediately-without-debugging-info-how-do-i-track-down leads me to believe there's a static initializers problem in the library.
> So I'm back to trying to find a json library, what one should I use in Ubuntu 9.10? Or should I start over in 10.4/10.10?
>
> Thanks,
> Jon
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
> _______________________________________________
> Nuggetfarm-devel mailing list
> Nug...@li...
> https://lists.sourceforge.net/lists/listinfo/nuggetfarm-devel
>
>
From: Ron D. <rde...@so...> - 2010-10-25 15:00:38
Check out the latest versions of the Makefile and virustotal.c files at http://nuggetfarm.svn.sourceforge.net/viewvc/nuggetfarm/trunk/detection-nuggets/virustotal/

Also, you will need to patch and rebuild the API (assuming you are starting from version 0.1.2 of the API). The files rzb_alert_util.h and rzb_alert_util.c are found at http://razorbacktm.svn.sourceforge.net/viewvc/razorbacktm/trunk/src/api/src/

I had to install the libjson0-dev and libcurl4-openssl-dev packages, but I am running Ubuntu 10.10, so I am not sure if the packages for 9.10 are the same.

Let me know if you still have issues.

Ron

On Mon, Oct 25, 2010 at 1:27 AM, Christopher McBee <chr...@so...> wrote:

> Jonathan,
> I'll build a Ubuntu 9.10 VM tomorrow and see if I can figure out what's broken or how to make it work and let you know.
>
> Christopher
>
> 2010/10/24 Jonathan Blount <jj...@ms...>:
> > I'm trying to run Christopher McBee's virustotal nugget from the SVN. I'm using a fresh install of Ubuntu 9.10 and got razorback running.
> > The problem is with the json library required for virustotal, libjson0-dev is in lucid but not karmic, I tried libjson-glib-dev, but couldn't get it to work.
> > So I found and built json-c from here: http://oss.metaparadigm.com/json-c/ . I added my API key to the source and ran make, but when I run it, it seg faults.
> >
> > After a lot of searching, this thread http://stackoverflow.com/questions/1691014/qt-application-crashing-immediately-without-debugging-info-how-do-i-track-down leads me to believe there's a static initializers problem in the library.
> > So I'm back to trying to find a json library, what one should I use in Ubuntu 9.10? Or should I start over in 10.4/10.10?
> >
> > Thanks,
> > Jon
> >
> > ------------------------------------------------------------------------------
> > Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> > Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
> > $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> > Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> > http://p.sf.net/sfu/nokia-dev2dev
> > _______________________________________________
> > Nuggetfarm-devel mailing list
> > Nug...@li...
> > https://lists.sourceforge.net/lists/listinfo/nuggetfarm-devel
> >
> >
>
> ------------------------------------------------------------------------------
> Nokia and AT&T present the 2010 Calling All Innovators-North America contest
> Create new apps & games for the Nokia N8 for consumers in U.S. and Canada
> $10 million total in prizes - $4M cash, 500 devices, nearly $6M in marketing
> Develop with Nokia Qt SDK, Web Runtime, or Java and Publish to Ovi Store
> http://p.sf.net/sfu/nokia-dev2dev
> _______________________________________________
> Nuggetfarm-devel mailing list
> Nug...@li...
> https://lists.sourceforge.net/lists/listinfo/nuggetfarm-devel
>
From: <rde...@us...> - 2010-10-25 14:48:09
Revision: 32 http://nuggetfarm.svn.sourceforge.net/nuggetfarm/?rev=32&view=rev Author: rdempster Date: 2010-10-25 14:48:02 +0000 (Mon, 25 Oct 2010) Log Message: ----------- Updates to be more compatible with version 0.1.2 of the API. Modified Paths: -------------- trunk/collection-nuggets/saac/rzb_smtp-collector.c trunk/detection-nuggets/clamav/ClamAVNugget.c trunk/detection-nuggets/clamav/buildit.sh trunk/detection-nuggets/libemu/Makefile trunk/detection-nuggets/libemu/libemu.c trunk/detection-nuggets/officecat/OfficeCatNugget.c trunk/detection-nuggets/smtp/buildit.sh trunk/detection-nuggets/smtp/smtpTestStub.c trunk/detection-nuggets/smtp/smtp_parser.c trunk/detection-nuggets/swf/swf_scanner.c trunk/detection-nuggets/virustotal/Makefile trunk/detection-nuggets/virustotal/virustotal.c Modified: trunk/collection-nuggets/saac/rzb_smtp-collector.c =================================================================== --- trunk/collection-nuggets/saac/rzb_smtp-collector.c 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/collection-nuggets/saac/rzb_smtp-collector.c 2010-10-25 14:48:02 UTC (rev 32) @@ -77,7 +77,7 @@ } if(sessiondata->clientdata) { - free(sessiondata->clientdata); + free(sessiondata->clientdata); } else { //printf("SMTPDUMP sessiondata->clientdata is NULL!\n"); } @@ -111,7 +111,7 @@ mdata = calloc(1, sizeof(BLOCK_META_DATA)); // Zero out the structure //memset(mdata, 0, sizeof(BLOCK_META_DATA)); - + // Fill in the required fields mdata->timestamp = (unsigned int)time(NULL); mdata->data = ((smtpcapture*)(dataptr))->clientdata; @@ -125,7 +125,7 @@ // if(uuid_parse(MAIL_CAP_API, myuuid) == -1) { // printf("failed to parse UUID string\n"); -// return(S_FAIL); +// return R_FAIL; // } uuid_parse("d147f215-128e-4746-a1e2-b6c978bb1869", myuuid); 
@@ -141,7 +141,7 @@ // Data is freed by sendData; we just need to clear out the rest of the structure. // We can accomplish this by setting clientdata to NULL so we don't do the doublefree ((smtpcapture*)(dataptr))->clientdata = NULL; - smtpdumper_freedata((smtpcapture*)dataptr); + smtpdumper_freedata((smtpcapture*)dataptr); } @@ -163,7 +163,7 @@ if(sp->data == NULL) return RULE_NOMATCH; - + // flow:established, to_server; // if(checkFlow(p, smtpdumperoptions[0]->option_u.flowFlags) <= 0 ) // return RULE_NOMATCH; @@ -214,7 +214,7 @@ // // smtpdumper_freedata(sessiondata); // return RULE_NOMATCH; -// } +// } cursor_normal = sp->data; end_of_payload = sp->data + sp->dsize; @@ -229,7 +229,7 @@ //printf("SMTPDUMP reallocating to %d bytes\n", sessiondata->totalsize * 2); - // Double our amount of storage + // Double our amount of storage tmpdataptr = realloc(sessiondata->clientdata, sessiondata->totalsize * 2); if(!tmpdataptr) { @@ -239,7 +239,7 @@ return(RULE_NOMATCH); } else { printf("SMTPDUMP realloc() failed but I dunno wtf\n"); - smtpdumper_freedata(sessiondata); + smtpdumper_freedata(sessiondata); return(RULE_NOMATCH); } } @@ -249,7 +249,7 @@ //printf("SMTPDUMP totalsize is now %d\n", sessiondata->totalsize); } - + // We have enough room, so store the data //printf("SMTPDUMP storing %d bytes at %p\n", incoming_data_size, &((sessiondata->clientdata)[sessiondata->storedsize])); memcpy(&((sessiondata->clientdata)[sessiondata->storedsize]), cursor_normal, incoming_data_size); Modified: trunk/detection-nuggets/clamav/ClamAVNugget.c =================================================================== --- trunk/detection-nuggets/clamav/ClamAVNugget.c 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/clamav/ClamAVNugget.c 2010-10-25 14:48:02 UTC (rev 32) 
@@ -9,9 +9,6 @@ #include "rzb_alert_global.h" #include <uuid/uuid.h> -#define S_OK 0x1 -#define S_FAIL 0xFFFFFFFF - struct cl_engine * RZB_start_clamav(const char *db_dir); int RZB_scan_buffer(struct cl_engine * engine, char * buffer, int buffer_size, const char ** virname); int RZB_stop_clamav(struct cl_engine * engine); @@ -34,21 +31,21 @@ * Authors: Alain Zidouemba, Sourcefire, Inc. -* Inputs: +* Inputs: const char *db_dir: path to the directory with ClamAV databases. You can pass - const char *cl_retdbdir(void); - as a parameter. It returns the default - path to the directory with ClamAV + const char *cl_retdbdir(void); + as a parameter. It returns the default + path to the directory with ClamAV databases. * Output: struct *cl_engine -* Description: Initialization function for ClamAV for NRT. - Needs to be run under a user account that can create /mnt/tmp. - Linux kernel 2.4 or up required (for tmpfs) +* Description: Initialization function for ClamAV for NRT. + Needs to be run under a user account that can create /mnt/tmp. + Linux kernel 2.4 or up required (for tmpfs) -***********************************************************/ +***********************************************************/ struct cl_engine * RZB_start_clamav(const char *db_dir) { int ret; /* Return value for the function RZB_scan_buffer */ @@ -83,7 +80,7 @@ cl_engine_free(engine); return NULL; } - + return engine; } @@ -91,13 +88,13 @@ * Title: RZB_scan_buffer -* Authors: Alain Zidouemba, Sourcefire, Inc. +* Authors: Alain Zidouemba, Sourcefire, Inc. * Inputs: struct cl_engine * engine: pointer to scan engine char * buffer: buffer you want to scan int buffer_size: size of the buffer to scan - + * Output: int: 0 if successful !0 if unsuccessful 
@@ -109,7 +106,7 @@ Scan a buffer with a ClamAV engine that has been initialized with RZB_start_clamav. -***********************************************************/ +***********************************************************/ int RZB_scan_buffer(struct cl_engine * engine, char * buffer, int buffer_size, const char ** virname) { FILE *out_file; /* Output stream to create a temporary file on tmpfs */ @@ -119,12 +116,12 @@ /* Create string to use for path to tmpfile */ strcpy(tmp_string, "/mnt/RZB_ClamAV/tmpfile"); - + /* Create at most 999 different tmpfiles at the same time */ for (i=0; i < 1000; i ++) { sprintf(tmp_string,"/mnt/RZB_ClamAV/tmpfile%d",i); - + DEBUG_RZB(printf ("%s\n", tmp_string);); /* Create tmpfile */ @@ -141,13 +138,13 @@ continue; } } - - /* Read from buffer and write to out_file */ + + /* Read from buffer and write to out_file */ if(fwrite (buffer, 1, buffer_size, out_file) != buffer_size) { perror("Error writing tempfile file to tmpfs"); } - + /* Close file associated with stream */ if (out_file !=NULL) fclose(out_file); @@ -165,7 +162,7 @@ /* If no virus was detected */ printf("No virus detected.\n"); - /* If no virus was detected...and the file isn't clean */ + /* If no virus was detected...and the file isn't clean */ if(ret != CL_CLEAN) { fprintf(stderr, "Error: %s\n", cl_strerror(ret)); @@ -173,7 +170,7 @@ } ret = R_NOT_FOUND; } - + /* Delete the file from tmpfs */ if (remove(tmp_string) != 0) fprintf(stderr,"Error in deleting tmpfile\n"); @@ -271,7 +268,7 @@ * Title: RZB_stop_clamav -* Authors: Alain Zidouemba, Sourcefire, Inc. +* Authors: Alain Zidouemba, Sourcefire, Inc. * Inputs: struct cl_engine * engine: pointer to scan engine @@ -280,7 +277,7 @@ int: 0 if successful !0 if unsuccessful -* Description: This function needs to be called after you are +* Description: This function needs to be called after you are done using the ClamAV engine. ***********************************************************/ 
@@ -298,7 +295,7 @@ return ret; } -HRESULT initNug(DetectionAPI *detectionObj) +HRESULT initNug(DetectionAPI *detectionObj) { uuid_t myuuid; detection = detectionObj; @@ -309,18 +306,18 @@ if((engine = RZB_start_clamav(cl_retdbdir())) == NULL) { printf("Failed to start ClamAV engine\n"); - return(S_FAIL); + return R_FAIL; } if(uuid_parse("ba9beb5f-0653-4b04-9552-3bfb634ca7fc", myuuid) == -1) { printf("Failed to parse uuid string\n"); - return(S_FAIL); + return R_FAIL; } - + detection->registerHandler(&RZB_CLAMAV_Detection_Nugget, (const uuid_t *)&list, 2, myuuid); - return(S_OK); + return R_SUCCESS; } void RZB_CLAMAV_Detection_Nugget(BLOCK_META_DATA *metaData) @@ -329,14 +326,14 @@ int ret; const char * virname; char message[1024]; - unsigned char tmp_md5[MD5_SIZE]; + unsigned char tmp_md5[MD5_SIZE]; ALERT alert; unsigned char *data = metaData->data; size_t data_len = metaData->size; - if(RZB_scan_buffer(engine, data, data_len, &virname) == R_FOUND) { - + if(RZB_scan_buffer(engine, data, data_len, &virname) == R_FOUND) { + sprintf(message, "MALWARE: %s found\n", virname); alert.event_id = metaData->eventid; Modified: trunk/detection-nuggets/clamav/buildit.sh =================================================================== --- trunk/detection-nuggets/clamav/buildit.sh 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/clamav/buildit.sh 2010-10-25 14:48:02 UTC (rev 32) 
@@ -1,8 +1,10 @@ #!/bin/bash CLAMSRCDIR="/path/to/source/files/for/clamav-0.96.1/" CLAMLIBDIR="/path/where/libclamav/is/installed--/usr/local/lib/" -APIDIR="/usr/local/razorback/" - -gcc -fPIC -g -c -I$CLAMSRCDIR -I$APIDIR/include -L$CLAMLIBDIR ClamAVNugget.c -gcc -shared -Wl -I$CLAMSRCDIR -L$APIDIR/lib -L$CLAMLIBDIR -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre -lclamav +API=`pkg-config --cflags razorback` +APILIBS=`pkg-config --libs razorback` +echo "gcc -fPIC -g -c -I$CLAMSRCDIR ${API} ClamAVNugget.c" +gcc -fPIC -g -c -I$CLAMSRCDIR ${API} ClamAVNugget.c +echo "gcc -shared -Wl -I$CLAMSRCDIR -L$CLAMLIBDIR -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre -lclamav ${APILIBS}" +gcc -shared -Wl -I$CLAMSRCDIR -L$CLAMLIBDIR -o ClamAVNugget.so.1 ClamAVNugget.o -lc -lpcre -lclamav ${APILIBS} echo "copy ClamAVNugget.so.1 to your nuggets directory to be run by rzbNugget" Modified: trunk/detection-nuggets/libemu/Makefile =================================================================== --- trunk/detection-nuggets/libemu/Makefile 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/libemu/Makefile 2010-10-25 14:48:02 UTC (rev 32) @@ -1,12 +1,11 @@ CC = gcc -ggdb -RZB_API_PATH = /usr/local/razorback -INCLUDES = -I$(RZB_API_PATH)/include +INCLUDES = $(shell pkg-config --cflags razorback) INCLUDES += $(shell pkg-config --cflags libemu) LIBS = -lm -lmagic -lssl -ldl -lpcre LIBS += $(shell pkg-config --libs libemu) -LIBS += -L$(RZB_API_PATH)/lib -lrazorback_api +LIBS += $(shell pkg-config --libs razorback) all: libemu Modified: trunk/detection-nuggets/libemu/libemu.c =================================================================== --- trunk/detection-nuggets/libemu/libemu.c 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/libemu/libemu.c 2010-10-25 14:48:02 UTC (rev 32) 
@@ -19,9 +19,6 @@ #include "rzb_alert_global.h" #include "rzb_alert_util.h" -#define S_OK 0x1 -#define S_FAIL 0xFFFFFFFF - #define MAX_INSTRUCTION_SIZE 1024 void shellcode_handler(BLOCK_META_DATA *metaData) { @@ -33,7 +30,7 @@ ALERT alert; char msg[MAX_MSG_SIZE]; char long_data[MAX_LONG_SIZE]; - + memset(&alert, 0, sizeof(alert)); memset(msg, 0, sizeof(msg)); memset(long_data, 0, sizeof(long_data)); @@ -91,8 +88,14 @@ uuid_t list1; uuid_copy(list1, SHELLCODE); + if(uuid_parse("36ebbbd8-409a-495d-a049-d72ddfebc06e", myuuid) == -1) + { + printf("Failed to parse uuid string\n"); + return R_FAIL; + } + detectionObj->registerHandler(&shellcode_handler, (const uuid_t *)&list1, 1, myuuid); - return (S_OK); + return R_SUCCESS; } Modified: trunk/detection-nuggets/officecat/OfficeCatNugget.c =================================================================== --- trunk/detection-nuggets/officecat/OfficeCatNugget.c 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/officecat/OfficeCatNugget.c 2010-10-25 14:48:02 UTC (rev 32) @@ -7,8 +7,6 @@ #include "rzb_global.h" #include "alert/rzb_alert_global.h" -#define S_OK 0x1 -#define S_FAIL 0xFFFFFFFF #define MAX_ALERT_SIZE 512 @@ -29,15 +27,15 @@ * Title: RZB_scan_officecat -* Authors: Alain Zidouemba, Sourcefire, Inc. +* Authors: Alain Zidouemba, Sourcefire, Inc. * Inputs: struct cl_engine * engine: pointer to scan engine - const char * mount_dir: path to the directory + const char * mount_dir: path to the directory used to mount tmpfs char * buffer: buffer you want to scan int buffer_size: size of the buffer to scan - + * Output: int: 0 if successful !0 if unsuccessful 
@@ -49,7 +47,7 @@ Scan a buffer with a ClamAV engine that has been initialized with RZB_start_clamav. -***********************************************************/ +***********************************************************/ int RZB_scan_officecat(char * buffer, size_t buffer_size, char **vuln_name) { FILE *out_file = NULL; /* Output stream to create a temporary file on tmpfs */ @@ -61,7 +59,7 @@ char *officecat_path = "/usr/local/bin/officecat.exe"; ALERT *alert; char *line = (char *)malloc(MAX_ALERT_SIZE); - size_t len = MAX_ALERT_SIZE; + size_t len = MAX_ALERT_SIZE; char *p=NULL; char *output_str =(char *)malloc(MAX_ALERT_SIZE); char tmp_str[512]; @@ -69,7 +67,7 @@ DEBUG_RZB(printf("BUFFER SIZE: %d\n", (int)buffer_size);); DEBUG_RZB(printf("MOUNT DIR: %s\n", mount_dir);); - + /* Create string to use for path to tmpfile */ strcpy(tmp_string, "/mnt/RZB_Officecat/tmpfile"); @@ -77,7 +75,7 @@ for (i=0; i < 1000; i ++) { sprintf(tmp_string,"/mnt/RZB_Officecat/tmpfile%d",i); - + DEBUG_RZB(printf ("%s\n", tmp_string);); /* Create tmpfile */ @@ -94,24 +92,24 @@ continue; } } - - /* Read from buffer and write to out_file */ + + /* Read from buffer and write to out_file */ if(fwrite (buffer, 1, buffer_size, out_file) != buffer_size) perror("Error writing tempfile file to tmpfs"); - + /* Close file associated with stream */ if (out_file !=NULL) fclose(out_file); // Build our cmd to run snprintf(cmd, sizeof(cmd) - 1, "%s %s", officecat_path, tmp_string); - - // Create our dissector + + // Create our dissector if((pf = popen(cmd, "r")) == NULL) { printf("Error while running officecat\n"); } - else + else { while(!feof(pf)) { @@ -124,7 +122,7 @@ if (c =='\x0D' || /*c =='\x0A' || c =='\x0C' ||*/ c =='\x09') { puts (output_str); - + if ((p=strstr(output_str, "CORRUPTED:"))!=NULL) { #if 0 
@@ -187,7 +185,7 @@ // puts("FOUND CVE!!!!!!\n"); alert = (ALERT *)malloc(sizeof(ALERT)); memset(alert, 0, sizeof(ALERT)); - + // Set up our static fields alert->priority = 1; alert->src_ip = SRCIP; @@ -212,7 +210,7 @@ if(alert->msg != NULL) free(alert->msg); - + free(alert); #endif } @@ -230,7 +228,7 @@ alert->ip_proto = 6; alert->src_port = 80; alert->dst_port = 2437; - + sprintf(tmp_str, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s", p); alert->msg = (char *)malloc(strlen(tmp_str)); @@ -243,7 +241,7 @@ free(alert); #endif } - + if ((p=strstr(output_str, "embedded ActiveX"))!=NULL) { #if 0 @@ -326,11 +324,11 @@ /*Set a flag to know that we read the second to last line */ second_to_last_line = 1; - + memset(output_str, 0, MAX_ALERT_SIZE); #endif } - + if ((strlen (output_str) > 5) && (second_to_last_line == 1)) { #if 0 @@ -355,7 +353,7 @@ if(alert->msg != NULL) free(alert->msg); free(alert); -#endif +#endif } memset(output_str, 0, MAX_ALERT_SIZE); @@ -371,21 +369,22 @@ return ret; } -HRESULT initNug(DetectionAPI *detectionObj) +HRESULT initNug(DetectionAPI *detectionObj) { int ret; uuid_t myuuid; - uuid_t list = {OLE_DOC}; - uuid_copy(list, OLE_DOC); + uuid_t list; - if(uuid_parse("ba9beb5f-0653-4b04-9552-3bfb634ca7fc", myuuid) == -1) + uuid_copy(list, OLE_DOC); + + if(uuid_parse("06e0c1db-8915-4b96-9d7e-d72f43ba07cf", myuuid) == -1) { printf("Failed to parse uuid string\n"); - return(S_FAIL); + return R_FAIL; } detectionObj->registerHandler(&RZB_officecat_Detection_Nugget, (const uuid_t *)&list, 1, myuuid); - return(S_OK); + return R_SUCCESS; } void RZB_officecat_Detection_Nugget(BLOCK_META_DATA *metaData) @@ -397,7 +396,7 @@ size_t data_len = metaData->size; char vuln_name[1024]; unsigned char tmp_md5[MD5_SIZE]; - + if(ret = RZB_scan_officecat(data, data_len, &vuln_name) == R_FOUND) { sprintf(message, "THE FOLLOWING HAS BEEN FOUND BY OFFICECAT: %s\n", vuln_name); 
@@ -423,7 +422,7 @@ alert.norm_size= 0; DEBUG_RZB(printf("ALERT! %s\n", message);); - sendAlert(&alert); + sendAlert(&alert); } } Modified: trunk/detection-nuggets/smtp/buildit.sh =================================================================== --- trunk/detection-nuggets/smtp/buildit.sh 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/smtp/buildit.sh 2010-10-25 14:48:02 UTC (rev 32) @@ -1,6 +1,8 @@ #!/bin/bash -RZBAPI=/usr/local/razorback -gcc -fPIC -I${RZBAPI}/include -g -c smtp_parser.c -gcc -shared -Wl -o smtp_parser.so.1 smtp_parser.o -lc -lpcre +RZBINC=`pkg-config --cflags razorback` +RZBLIB=`pkg-config --libs razorback` +echo "gcc -fPIC ${RZBINC} -g -c smtp_parser.c" +gcc -fPIC ${RZBINC} -g -c smtp_parser.c +gcc -shared -Wl -o smtp_parser.so.1 smtp_parser.o -lc -lpcre ${RZBLIB} gcc smtpTestStub.c -luuid -ldl -o smtpTestStub echo "To run: ./smtpTestStub ./smtp_parser.so.1 <inputFile>" Modified: trunk/detection-nuggets/smtp/smtpTestStub.c =================================================================== --- trunk/detection-nuggets/smtp/smtpTestStub.c 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/smtp/smtpTestStub.c 2010-10-25 14:48:02 UTC (rev 32) @@ -1,16 +1,15 @@ -#include "nrt_global.h" // should point to the copy in SVN -#include "detection.h" -#include "testStub.h" +#include "rzb_global.h" // should point to the copy in SVN +#include "rzb_api.h" // should point to the copy in SVN +//#include "detection.h" +//#include "testStub.h" #include <dlfcn.h> #include <stdio.h> #include <stdlib.h> #include <sys/stat.h> #include <fcntl.h> +#include <fcntl.h> -#define S_OK 0x1 -#define S_FAIL 0xFFFFFFFF - -DWORD handlerCount = 0; +unsigned handlerCount = 0; handlerNode *head = NULL; DetectionAPI detection; 
@@ -24,13 +23,13 @@ newNode = (handlerNode *) malloc(sizeof (handlerNode)); if (newNode == NULL) - return (S_FAIL); + return R_FAIL; newNode->fp = fp; newNode->next = head; head = newNode; - return (S_OK); + return R_SUCCESS; } HRESULT registerHandler( @@ -39,7 +38,7 @@ size_t numTypes, uuid_t *libId ) { - DWORD i; + unsigned i; handlerCount++; @@ -48,7 +47,7 @@ for (i = 0; i < numTypes; i++) { printf("\t%d\n", acceptedTypes[i]); } - + return (addHandler(fp)); } @@ -61,10 +60,10 @@ unsigned int metasize, void *metadata ) { - + printf("\tALERT - %d: %s\n", alertid, alertmsg); - return (S_OK); + return R_SUCCESS; } @@ -132,13 +131,13 @@ int result, fd; struct stat fStats; struct handlerNode *node; - unsigned char *buf; + unsigned char *buf; if (argc < 3) { usage(argv[0]); return (-1); } - + // Load the library dlHandle = dlopen(argv[1], RTLD_LOCAL | RTLD_LAZY); if (dlHandle == NULL) { @@ -165,7 +164,7 @@ exit(-1); } - result = fstat(fd, &fStats); + result = fstat(fd, &fStats); if (result == -1) { printf("Failed to stat %s.\n", argv[2]); exit(-1); Modified: trunk/detection-nuggets/smtp/smtp_parser.c =================================================================== --- trunk/detection-nuggets/smtp/smtp_parser.c 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/smtp/smtp_parser.c 2010-10-25 14:48:02 UTC (rev 32) @@ -17,7 +17,7 @@ #include <limits.h> #include <string.h> -// CHAR_BIT is 8 +// CHAR_BIT is 8 #define ALPHABET_SIZE (1 << CHAR_BIT) // Return values for ProcessMessage() @@ -29,9 +29,6 @@ #define SMTP_NOHEADER -4 -#define S_OK 0x1 -#define S_FAIL 0xFFFFFFFF - DetectionAPI *detection; // Provides pointers to API functions //#define SMTP_DEBUG 
@@ -125,38 +122,38 @@ printf("global offsets -- start:%ld end:%ld ", (long)(part_start - data_start), (long)(part_end - data_start)); printf("part_start=%p(%ld) part_end=%p(%ld) length=%ld\n", part_start, (long)(part_start-bufferstart), part_end, (long)(part_end - bufferstart), (long)(part_end - part_start)); } - + static void compute_prefix(unsigned char* str, size_t size, int *result) { size_t q; int k; result[0] = 0; - + k = 0; for (q = 1; q < size; q++) { while (k > 0 && str[k] != str[q]) k = result[k-1]; - + if (str[k] == str[q]) k++; result[q] = k; } } - + static void prepare_badcharacter_heuristic(unsigned char *str, size_t size, int *result) { - + size_t i; - + for (i = 0; i < ALPHABET_SIZE; i++) result[i] = -1; - + for (i = 0; i < size; i++) result[(size_t) str[i]] = i; } - + void prepare_goodsuffix_heuristic(unsigned char *normal, size_t size, int *result) { - + char *left = (char *) normal; char *right = left + size; char *reversed; @@ -168,7 +165,7 @@ int *prefix_normal; int *prefix_reversed; - + /* reverse string */ reversed = malloc(size+1); tmp = reversed + size; @@ -176,21 +173,21 @@ *tmp = 0; while (left < right) *(--tmp) = *(left++); - + prefix_normal = malloc(size * sizeof(int)); prefix_reversed = malloc(size * sizeof(int)); - + compute_prefix(normal, size, prefix_normal); compute_prefix(reversed, size, prefix_reversed); - + for (i = 0; i <= size; i++) { result[i] = size - prefix_normal[size-1]; } - + for (i = 0; i < size; i++) { j = size - prefix_reversed[i]; k = i - prefix_reversed[i]+1; - + if (result[j] > k) result[j] = k; } @@ -207,7 +204,7 @@ */ unsigned char *needle = mime_boundary_info->boundary; size_t needle_len = mime_boundary_info->boundary_len; - int badcharacter[ALPHABET_SIZE]; + int badcharacter[ALPHABET_SIZE]; int *goodsuffix; size_t s; 
@@ -229,15 +226,15 @@ return NULL; if(needle_len == 0) return haystack; - + /* * Initialize heuristics */ goodsuffix = malloc((needle_len+1) * sizeof(int)); - + prepare_badcharacter_heuristic(needle, needle_len, badcharacter); prepare_goodsuffix_heuristic(needle, needle_len, goodsuffix); - + /* * Boyer-Moore search */ @@ -247,7 +244,7 @@ j = needle_len; while(j > 0 && needle[j-1] == haystack[s+j-1]) j--; - + if(j > 0) { k = badcharacter[(size_t) haystack[s+j-1]]; @@ -264,7 +261,7 @@ } free(goodsuffix); - + return NULL; // not found } @@ -279,15 +276,15 @@ return 0; } -/** +/** * A Safer Memcpy - * + * * @param dst where to copy to * @param src where to copy from * @param n number of bytes to copy * @param start start of the dest buffer * @param end end of the dst buffer - * + * * @return SAFEMEM_ERROR on failure, SAFEMEM_SUCCESS on success */ int SafeMemcpy(void *dst, const void *src, size_t n, const void *start, const void *end) @@ -321,7 +318,7 @@ return SAFEMEM_SUCCESS; } -///* +///* // * Initialize run-time boundary search // */ static int SMTP_BoundarySearchInit(void) @@ -333,7 +330,7 @@ * lines, a straight search won't do. Shouldn't be too slow since it will most * likely only be acting on a small portion of data */ mime_boundary_pcre.re = pcre_compile("^Content-Type\\s*:\\s*multipart[^\\n]*boundary\\s*=\\s*\"?([^\\s\"]+)\"?", //"^Content-Type\\s*:\\s*multipart[^\\n]*boundary\\s*=\\s*\"?([^\\s\"]+)\"?", - PCRE_CASELESS | PCRE_DOTALL | PCRE_MULTILINE, + PCRE_CASELESS | PCRE_DOTALL | PCRE_MULTILINE, &error, &erroffset, NULL); if (mime_boundary_pcre.re == NULL) { @@ -354,7 +351,7 @@ return 1; } -///* +///* // * Initialize run-time boundary search // */ static int SMTP_Base64SearchInit(void) @@ -452,7 +449,7 @@ data, data_len, 0, 0, ovector, ovecsize); return(result); -} +} 
@@ -537,17 +534,17 @@ mdata->dst_port = 8000; file_type_lookup(data, len, (unsigned char *)&mdata->datatype); - printf("\n\n\nVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\n"); - printf("*************************** SendToDispatcher() ***************************\n"); - prettyprint(data,len); - printf("*************************** SendToDispatcher() ***************************\n"); - printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n\n\n"); + printf("\n\n\nVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\n"); + printf("*************************** SendToDispatcher() ***************************\n"); + prettyprint(data,len); + printf("*************************** SendToDispatcher() ***************************\n"); + printf("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n\n\n\n"); // Finally, send our data (sendData will free mdata) sendData(mdata); return(1); -} +} /* base64decode assumes the input data terminates with '=' and/or at the end of the input buffer @@ -702,8 +699,8 @@ else return(0); } - - + + int ProcessMessage(unsigned char *data, int data_len, unsigned int eventID) { int retval = SMTP_NOBOUNDARY; @@ -744,7 +741,7 @@ // Get the SMTP boundary string if(SMTP_GetBoundary(data, end_of_header - data/*data_len*/, &mime_boundary_info) <= 0) { DEBUG_RZB(printf("SMTP_GetBoundary() <= 0\n")); - + if(!base64_encoded) { SendToDispatcher(/*data*/ end_of_header, data + data_len - end_of_header, eventID); // build_and_send_data(end_of_header, data + data_len - end_of_header, eventID); @@ -756,7 +753,7 @@ // build_and_send_data(base64_decoded_data, base64_decoded_size, eventID); free(base64_decoded_data); } - + DEBUG_RZB(printf("returning SMTP_DONE\n")); return SMTP_NOBOUNDARY; // Means no MIME components } 
@@ -772,7 +769,7 @@ if(!part_start) { DEBUG_RZB(printf("No parts!\n")); - SendToDispatcher(data, data_len, eventID); + SendToDispatcher(data, data_len, eventID); return(SMTP_NOSUBCOMPONENTS); } @@ -809,7 +806,7 @@ part_start = part_end;// + mime_boundary_info->boundary_len; // Add is at top of loop plus bounds check part_start += mime_boundary_info.boundary_len; DEBUG_RZB(printf("looping. Moved part_start, finding part_end\n")); - } + } DEBUG_RZB(printf("returning from ProcessMessage()\n")); // PrintSMTPProcessMessageReturnCode(retval); @@ -848,18 +845,24 @@ uuid_t list; uuid_copy(list, MAIL_CAPTURE); + if(uuid_parse("2605c284-e417-462a-b99e-a80a817daa28", myuuid) == -1) + { + printf("Failed to parse uuid string\n"); + return R_FAIL; + } + if(SMTP_BoundarySearchInit() <= 0) { printf("Failed to init pcre search structure for boundary\n"); - return(S_FAIL); + return R_FAIL; } if(SMTP_Base64SearchInit() <= 0) { printf("Failed to init pcre search structure for base64\n"); - return(S_FAIL); + return R_FAIL; } detection->registerHandler(&RZB_SMTP_Detection_Nugget, (const uuid_t *)&list, 1, myuuid); - - return(S_OK); + + return R_SUCCESS; } Modified: trunk/detection-nuggets/swf/swf_scanner.c =================================================================== --- trunk/detection-nuggets/swf/swf_scanner.c 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/swf/swf_scanner.c 2010-10-25 14:48:02 UTC (rev 32) @@ -714,7 +714,7 @@ /* gDetectionAPI.sendData == NULL || */ /* gDetectionAPI.sendMetaData == NULL */) { - return -1; + return R_FAIL; } #endif @@ -723,8 +723,8 @@ else { printf("registerHandler is not valid\n"); - return -1; + return R_FAIL; } - return 1; + return R_SUCCESS; } Modified: trunk/detection-nuggets/virustotal/Makefile =================================================================== --- trunk/detection-nuggets/virustotal/Makefile 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/virustotal/Makefile 2010-10-25 14:48:02 UTC (rev 32) 
@@ -1,20 +1,19 @@ CC = gcc -ggdb -RZB_LIBS = /opt/razorback/lib -RZB_INCLUDES = /opt/razorback/include +INCLUDES = `pkg-config --cflags razorback` +RZBLIBS = `pkg-config --libs razorback` -INCLUDES = -I$(RZB_INCLUDES) INCLUDES += -I$(shell pkg-config --cflags json) INCLUDES += -I$(shell curl-config --cflags) -LIBS = -lm -lmagic -lssl -ldl -lpcre -LIBS += -L$(shell pkg-config --libs json) -LIBS += -L$(shell curl-config --libs) -LIBS += -L$(RZB_LIBS) +LIBS = -lm -lmagic -luuid -lssl -ldl -lpcre +LIBS += $(shell pkg-config --libs json) +LIBS += $(shell curl-config --libs) +LIBS += $(RZBLIBS) all: virustotal virustotal: - $(CC) $(INCLUDES) $(LIBS) -fPIC -g -c virustotal.c + $(CC) $(INCLUDES) $(LIBS) -Wall -fPIC -g -c virustotal.c $(CC) $(INCLUDES) $(LIBS) -shared -Wall -o virustotal.so.1 virustotal.o -lc clean: Modified: trunk/detection-nuggets/virustotal/virustotal.c =================================================================== --- trunk/detection-nuggets/virustotal/virustotal.c 2010-09-22 15:16:52 UTC (rev 31) +++ trunk/detection-nuggets/virustotal/virustotal.c 2010-10-25 14:48:02 UTC (rev 32) @@ -7,6 +7,7 @@ #include <curl/curl.h> #include <curl/easy.h> #include <json/json.h> +#include <arpa/inet.h> #include "rzb_global.h" #include "rzb_client.h" @@ -15,9 +16,6 @@ #include "rzb_alert_global.h" #include "rzb_alert_util.h" -#define S_OK 0x1 -#define S_FAIL 0xFFFFFFFF - #define VIRUSTOTAL_URL "https://www.virustotal.com/api/get_file_report.json" #define VIRUSTOTAL_KEY "yourvirustotalkey" #define VIRUSTOTAL_DATA_FORMAT "resource=%s&key=%s" @@ -31,7 +29,6 @@ } page_result; size_t result_handler(void *buffer, size_t size, size_t nmemb, void *userp) { - int i = 0; // Make sure we have something to work with if((buffer != NULL) || (nmemb > 0)) { 
@@ -74,7 +71,7 @@ curl_easy_setopt(curl, CURLOPT_URL, VIRUSTOTAL_URL); // Make sure we have md5 to request - if((md5 = md5sum_string(metaData->data, metaData->size)) != NULL) { + if((md5 = md5sum_string(metaData->data, metaData->size)) != NULL) { printf("Searching for %s: ", md5); // Create our data @@ -91,7 +88,7 @@ // Send the request res = curl_easy_perform(curl); - + // Hopefully we got everything if(!res) { @@ -107,16 +104,16 @@ // Make sure the report is in the proper format if(json_object_array_length(report) == 2) { - + // Begin converting our report with the submission date - snprintf(short_data, sizeof(short_data), - "First submitted: %s\n", + snprintf(short_data, sizeof(short_data), + "First submitted: %s\n", json_object_get_string(json_object_array_get_idx(report, 0)) ); // We'll need this list a few times tmp = json_object_array_get_idx(report, 1); - + // Get the AV vender list and results entry = json_object_get_object(tmp)->head; @@ -145,8 +142,8 @@ // Copy the rest of the fields alert.event_id = metaData->eventid; - inet_ntop(AF_INET, metaData->src_ip, alert.src_ip, sizeof(alert.src_ip)); - inet_ntop(AF_INET, metaData->dst_ip, alert.dst_ip, sizeof(alert.dst_ip)); + inet_ntop(AF_INET, &metaData->src_ip, alert.src_ip, sizeof(alert.src_ip)); + inet_ntop(AF_INET, &metaData->dst_ip, alert.dst_ip, sizeof(alert.dst_ip)); alert.ip_proto = metaData->ip_proto; alert.src_port = metaData->src_port; alert.dst_port = metaData->dst_port; @@ -156,7 +153,7 @@ alert.main_md5 = tmp_md5; alert.data_block = metaData->data; alert.db_size = metaData->size; - + // Finally, send our alert sendAlert(&alert); @@ -170,7 +167,7 @@ } } } - + // Cleanup curl_easy_cleanup(curl); 
@@ -204,7 +201,13 @@ uuid_copy(list1[0], PDF_FILE); uuid_copy(list1[1], PE_FILE); + if(uuid_parse("d4273ed7-5976-44fd-b307-bbdd350bf0c5", myuuid) == -1) + { + printf("Failed to parse uuid string\n"); + return R_FAIL; + } + detectionObj->registerHandler(&file_handler, (const uuid_t *)&list1, 2, myuuid); - return (S_OK); + return R_SUCCESS; } This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
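Review bot: in the ClamAVNugget buildit.sh hunk (@@ -1,8 +1,10 @@), the bare `-Wl` on the `-shared` link line carries no `,option` suffix, so it passes nothing to the linker; either drop it or give it the intended linker argument. The `-I$CLAMSRCDIR` on that same link line is also a no-op, since include paths only matter at compile time. The same bare `-Wl` appears on the link line of the smtp/buildit.sh hunk.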
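Review bot: in the OfficeCatNugget.c hunk at @@ -77,7 +75,7 @@, the scratch file is created at a fixed, predictable path (`sprintf(tmp_string,"/mnt/RZB_Officecat/tmpfile%d",i)` probed for i in 0..999) and that path is then handed to `popen(cmd)` in the @@ -94 hunk. A predictable name in a shared mount is the classic temp-file race; creating it with `mkstemp()` on a template under the same directory, and unlinking it once officecat has finished, removes the guesswork. Also, when `fwrite` comes up short the code only calls `perror` and still runs the scanner on a partial file; returning early there would avoid a misleading result.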
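Review bot: in the OfficeCatNugget.c hunk at @@ -230,7 +228,7 @@, `alert->msg = (char *)malloc(strlen(tmp_str));` allocates one byte too few for the terminating NUL of `tmp_str`. The block sits inside `#if 0` so it is dead today, but it will overflow by one the moment it is re-enabled; use `strlen(tmp_str) + 1` (or `strdup`).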
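Review bot: in the OfficeCatNugget.c `initNug` hunk at @@ -371,21 +369,22 @@, the literal passed to `uuid_parse` changes from `ba9beb5f-0653-4b04-9552-3bfb634ca7fc` to `06e0c1db-8915-4b96-9d7e-d72f43ba07cf`, i.e. the identifier this nugget registers itself under is swapped with no comment explaining why. That is a visible behaviour change for anything keyed on the old id, so it deserves a line in the log or a comment next to the literal. The switch from `S_FAIL`/`S_OK` to `R_FAIL`/`R_SUCCESS` itself looks right.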
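Review bot: in the OfficeCatNugget.c hunk at @@ -397,7 +396,7 @@, the context line `if(ret = RZB_scan_officecat(data, data_len, &vuln_name) == R_FOUND)` has a precedence bug: `==` binds tighter than `=`, so `ret` receives the 0/1 result of the comparison rather than the scan's return code. Parenthesise the assignment: `if((ret = RZB_scan_officecat(data, data_len, &vuln_name)) == R_FOUND)`. Separately, `vuln_name` is declared `char vuln_name[1024]`, so `&vuln_name` is a `char (*)[1024]`, while the prototype shown in the @@ -49 hunk declares the third parameter as `char **vuln_name`; the two do not match and the compiler warning is worth honouring.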
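Review bot: in the smtpTestStub.c hunk at @@ -1,16 +1,15 @@, the added `+#include <fcntl.h>` duplicates the `#include <fcntl.h>` on the line immediately above it; drop the second copy. The commented-out `//#include "detection.h"` and `//#include "testStub.h"` lines should either be deleted or explained, since leaving dead includes in place invites someone to re-enable them.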
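Review bot: in the smtp_parser.c hunk at @@ -176,21 +173,21 @@, `reversed`, `prefix_normal` and `prefix_reversed` are all results of `malloc` that are used without a NULL check, and in the @@ -229 hunk the same goes for `goodsuffix`. Since the search runs on attacker-supplied mail bodies, a failed allocation here turns into a NULL dereference; check each result and return the "not found" path on failure.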
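Review bot: in the virustotal/Makefile hunk (@@ -1,20 +1,19 @@), the `-L` prefixes on the LIBS lines are correctly removed because pkg-config and curl-config already emit `-L`/`-l` flags, but the matching INCLUDES lines are left as `INCLUDES += -I$(shell pkg-config --cflags json)` and `INCLUDES += -I$(shell curl-config --cflags)`, which prepends `-I` to output that already starts with `-I`. Drop the extra `-I` on both lines for the same reason.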
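Review bot: in the virustotal.c hunk at @@ -15,9 +16,6 @@, the API credential is still a compile-time constant (`#define VIRUSTOTAL_KEY "yourvirustotalkey"`), which means every user has to edit the source and risks committing a live key. Reading the key from a configuration file or environment variable in `initNug` would keep secrets out of the tree.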
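Review bot: in the virustotal.c hunk at @@ -31,7 +29,6 @@, removing the unused `i` is fine, but the guard on the context line `if((buffer != NULL) || (nmemb > 0))` uses `||`, so a NULL `buffer` with a non-zero `nmemb` still enters the body. The intent is clearly both conditions, so this should be `&&`.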
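Review bot: in the virustotal.c hunk at @@ -145,8 +142,8 @@, passing `&metaData->src_ip` / `&metaData->dst_ip` to `inet_ntop` is the right fix, but the return value is still ignored; on failure `alert.src_ip`/`alert.dst_ip` keep whatever they held before and the alert is sent anyway. Check for NULL and skip or flag the alert so a bad address is not reported as real.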
From: Christopher M. <chr...@so...> - 2010-10-25 05:27:20
Jonathan,

I'll build an Ubuntu 9.10 VM tomorrow and see if I can figure out what's broken or how to make it work and let you know.

Christopher

2010/10/24 Jonathan Blount <jj...@ms...>:
> I'm trying to run Christopher McBee's virustotal nugget from the SVN. I'm
> using a fresh install of Ubuntu 9.10 and got razorback running.
> The problem is with the json library required for virustotal, libjson0-dev
> is in lucid but not karmic, I tried libjson-glib-dev, but couldn't get it to
> work.
> So I found and built json-c from here: http://oss.metaparadigm.com/json-c/
> . I added my API key to the source and ran make, but when I run it, it seg
> faults.
>
> After a lot of searching, this thread
> http://stackoverflow.com/questions/1691014/qt-application-crashing-immediately-without-debugging-info-how-do-i-track-down
> leads me to believe there's a static initializers problem in the library.
> So I'm back to trying to find a json library, what one should I use in
> Ubuntu 9.10? Or should I start over in 10.4/10.10?
>
> Thanks,
> Jon
From: Jonathan B. <jj...@ms...> - 2010-10-25 04:08:21
I'm trying to run Christopher McBee's virustotal nugget from the SVN. I'm using a fresh install of Ubuntu 9.10 and got razorback running.

The problem is with the json library required for virustotal, libjson0-dev is in lucid but not karmic, I tried libjson-glib-dev, but couldn't get it to work.

So I found and built json-c from here: http://oss.metaparadigm.com/json-c/. I added my API key to the source and ran make, but when I run it, it seg faults.

After a lot of searching, this thread http://stackoverflow.com/questions/1691014/qt-application-crashing-immediately-without-debugging-info-how-do-i-track-down leads me to believe there's a static initializers problem in the library.

So I'm back to trying to find a json library, what one should I use in Ubuntu 9.10? Or should I start over in 10.4/10.10?

Thanks,
Jon
From: Matt O. <mo...@so...> - 2010-09-22 22:41:31
Razorback 0.1.1 Release

With the help of Sourcefire's core development group (especially the incredible Dempster), today we released 0.1.1 of the Razorback dispatcher and the API. A lot of annoying bugs fixed, including a revamp of the mySQL connections, a build system a normal UNIX user will recognize, and improved documentation. Keep up your feedback, we're still grinding!

A number of more critical bugs were knocked out as well, especially if you haven't been keeping up on SVN. Find them all here:

https://sourceforge.net/projects/razorbacktm/files/razorback-0.1.1.tar.gz/download
https://sourceforge.net/projects/razorbacktm/files/razorback_api-0.1.1.tar.gz/download

Matt
/kpyke