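// Thread body (pthread-style signature; `ptr` is unused): waits on the inotify descriptor
// for the whitelist file and, on every change, reloads the whitelisted addresses/ranges and
// re-installs the capture filter on each registered packet capture. Never returns normally.
void *UpdateWhitelistIPFilter(void *ptr)
{
	MaskKillSignals();

	// Room for a batch of inotify_event records. A constant-sized array rather than the
	// previous VLA, which is not standard C++; hoisted so it is not re-created per iteration.
	const size_t kBufLen = 1024 * sizeof(struct inotify_event) + 16;
	char buf[kBufLen];

	while(true)
	{
		if(whitelistWatch > 0)
		{
			// Blocking call, only moves on when the kernel notifies it that the file has been changed
			int readLen = read(whitelistNotifyFd, buf, kBufLen);
			if(readLen <= 0)
			{
				// A failed or interrupted read used to retry immediately, which busy-spins
				// if the descriptor is unusable. Back off briefly before trying again.
				sleep(1);
				continue;
			}

			// Re-arm the watch first: IN_DELETE / IN_MOVED_TO may have invalidated the old one.
			// If inotify_add_watch() fails it returns -1, which sends the next iteration to the
			// wait-for-file branch below.
			whitelistWatch = inotify_add_watch(whitelistNotifyFd, Config::Inst()->GetPathWhitelistFile().c_str(),
					IN_CLOSE_WRITE | IN_MOVED_TO | IN_MODIFY | IN_DELETE);
			// NOTE(review): these globals are rewritten without holding packetCapturesLock —
			// confirm their readers tolerate that.
			whitelistIpAddresses = WhitelistConfiguration::GetIps();
			whitelistIpRanges = WhitelistConfiguration::GetIpRanges();

			{
				Lock lock(&packetCapturesLock);
				for(uint i = 0; i < packetCaptures.size(); i++)
				{
					try
					{
						string captureFilterString = ConstructFilterString(packetCaptures.at(i)->GetIdentifier());
						packetCaptures.at(i)->SetFilter(captureFilterString);
					}
					catch (Nova::PacketCaptureException &e)
					{
						// One capture rejecting the filter must not stop the others from being updated.
						LOG(ERROR, string("Unable to update capture filter: ") + e.what(), "");
					}
				}
			}
		}
		else
		{
			// This is the case when there's no file to watch, just sleep and wait for it to
			// be created by honeyd when it starts up.
			sleep(3);
			whitelistWatch = inotify_add_watch(whitelistNotifyFd, Config::Inst()->GetPathWhitelistFile().c_str(),
					IN_CLOSE_WRITE | IN_MOVED_TO | IN_MODIFY | IN_DELETE);
		}
	}

	return NULL;
}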
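// Thread body (pthread-style signature; `ptr` is unused): waits on the inotify descriptor
// for the whitelist file and, on every change, reloads the whitelisted addresses/ranges,
// recompiles and installs the pcap filter on every capture handle, and clears suspects that
// are now whitelisted. Never returns normally.
void *UpdateWhitelistIPFilter(void *ptr)
{
	MaskKillSignals();

	// Room for a batch of inotify_event records. A constant-sized array rather than the
	// previous VLA, which is not standard C++; hoisted so it is not re-created per iteration.
	const size_t kBufLen = 1024 * sizeof(struct inotify_event) + 16;
	char buf[kBufLen];
	char errbuf[PCAP_ERRBUF_SIZE];

	bpf_u_int32 maskp;
	bpf_u_int32 netp;

	while(true)
	{
		if(whitelistWatch > 0)
		{
			// Blocking call, only moves on when the kernel notifies it that the file has been changed
			int readLen = read(whitelistNotifyFd, buf, kBufLen);
			if(readLen <= 0)
			{
				// A failed or interrupted read used to retry immediately, which busy-spins
				// if the descriptor is unusable. Back off briefly before trying again.
				sleep(1);
				continue;
			}

			// Re-arm the watch first: IN_DELETE / IN_MOVED_TO may have invalidated the old one.
			whitelistWatch = inotify_add_watch(whitelistNotifyFd, Config::Inst()->GetPathWhitelistFile().c_str(),
					IN_CLOSE_WRITE | IN_MOVED_TO | IN_MODIFY | IN_DELETE);
			whitelistIpAddresses = WhitelistConfiguration::GetIps();
			whitelistIpRanges = WhitelistConfiguration::GetIpRanges();
			string filterString = ConstructFilterString();

			for(uint i = 0; i < handles.size(); i++)
			{
				/* ask pcap for the network address and mask of the device */
				int ret = pcap_lookupnet(Config::Inst()->GetInterface(i).c_str(), &netp, &maskp, errbuf);
				if(ret == -1)
				{
					// NOTE(review): this exits the whole daemon from a background thread because one
					// interface lookup failed during a filter *update* — confirm that is intended.
					LOG(ERROR, "Unable to start packet capture.",
						"Unable to get the network address and mask: "+string(strerror(errno)));
					exit(EXIT_FAILURE);
				}

				// Value-initialised so pcap_freecode() never sees an uninitialised program.
				struct bpf_program fp = bpf_program();
				// c_str() guarantees NUL termination; data() does not.
				if(pcap_compile(handles[i], &fp, filterString.c_str(), 0, maskp) == -1)
				{
					// Log the filter that was actually compiled (the old code logged an
					// uninitialised local buffer instead).
					LOG(ERROR, "Unable to enable packet capture.",
						"Couldn't parse pcap filter: " + filterString + " " + pcap_geterr(handles[i]));
					// Nothing was compiled, so there is nothing to install or free.
					continue;
				}
				if(pcap_setfilter(handles[i], &fp) == -1)
				{
					LOG(ERROR, "Unable to enable packet capture.",
						"Couldn't install pcap filter: " + filterString + " " + pcap_geterr(handles[i]));
				}
				// The compiled program is no longer needed once it has been handed to the handle.
				pcap_freecode(&fp);
			}

			// Clear any suspects that were whitelisted from the GUIs. Done once per reload
			// rather than once per capture handle, as the previous nesting did.
			for(uint j = 0; j < whitelistIpAddresses.size(); j++)
			{
				in_addr_t address = inet_addr(whitelistIpAddresses.at(j).c_str());
				if(suspects.Erase(address))
				{
					// NOTE(review): ownership of msg is assumed to pass to NotifyUIs() — confirm.
					UpdateMessage *msg = new UpdateMessage(UPDATE_SUSPECT_CLEARED, DIRECTION_TO_UI);
					msg->m_IPAddress = address;
					NotifyUIs(msg,UPDATE_SUSPECT_CLEARED_ACK, -1);
				}
			}

			/*
			// TODO: Should we clear IP range whitelisted suspects? Could be a huge number of clears...
			// This doesn't work yet.
			for(uint i = 0; i < whitelistIpRanges.size(); i++)
			{
				uint32_t ip = htonl(inet_addr(WhitelistConfiguration::GetIp(whitelistIpRanges.at(i)).c_str()));

				string netmask = WhitelistConfiguration::GetSubnet(whitelistIpRanges.at(i));
				uint32_t mask;
				if(netmask != "")
				{
					mask = htonl(inet_addr(netmask.c_str()));
				}

				while(mask != ~0)
				{
					if(suspects.Erase(ip))
					{
						UpdateMessage *msg = new UpdateMessage(UPDATE_SUSPECT_CLEARED, DIRECTION_TO_UI);
						msg->m_IPAddress = ip;
						NotifyUIs(msg,UPDATE_SUSPECT_CLEARED_ACK, -1);

					}

					in_addr foo;
					foo.s_addr = ntohl(ip);

					ip++;
					mask++;
				}

			}
			*/
		}
		else
		{
			// This is the case when there's no file to watch, just sleep and wait for it to
			// be created by honeyd when it starts up.
			sleep(3);
			whitelistWatch = inotify_add_watch(whitelistNotifyFd, Config::Inst()->GetPathWhitelistFile().c_str(),
					IN_CLOSE_WRITE | IN_MOVED_TO | IN_MODIFY | IN_DELETE);
		}
	}

	return NULL;
}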
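// Thread body (pthread-style signature; `ptr` is unused): waits on the inotify descriptor
// for the honeyd DHCP list file and, on every change, reloads the haystack addresses,
// refreshes the haystack features and recompiles/installs the pcap filter on every capture
// handle. Never returns normally.
void *UpdateIPFilter(void *ptr)
{
	MaskKillSignals();

	// Room for a batch of inotify_event records. A constant-sized array rather than the
	// previous VLA, which is not standard C++; hoisted so it is not re-created per iteration.
	const size_t kBufLen = 1024 * sizeof(struct inotify_event) + 16;
	char buf[kBufLen];
	char errbuf[PCAP_ERRBUF_SIZE];

	bpf_u_int32 maskp;
	bpf_u_int32 netp;

	while(true)
	{
		if(honeydDHCPWatch > 0)
		{
			// Blocking call, only moves on when the kernel notifies it that the file has been changed
			int readLen = read(honeydDHCPNotifyFd, buf, kBufLen);
			if(readLen <= 0)
			{
				// A failed or interrupted read used to retry immediately, which busy-spins
				// if the descriptor is unusable. Back off briefly before trying again.
				sleep(1);
				continue;
			}

			// Re-arm the watch first: IN_DELETE / IN_MOVED_TO may have invalidated the old one.
			honeydDHCPWatch = inotify_add_watch(honeydDHCPNotifyFd, dhcpListFile.c_str(),
					IN_CLOSE_WRITE | IN_MOVED_TO | IN_MODIFY | IN_DELETE);
			haystackDhcpAddresses = Config::GetIpAddresses(dhcpListFile);
			string haystackAddresses_csv = ConstructFilterString();

			UpdateHaystackFeatures();

			for(uint i = 0; i < handles.size(); i++)
			{
				// ask pcap for the network address and mask of the device
				int ret = pcap_lookupnet(Config::Inst()->GetInterface(i).c_str(), &netp, &maskp, errbuf);
				if(ret == -1)
				{
					// NOTE(review): this exits the whole daemon from a background thread because one
					// interface lookup failed during a filter *update* — confirm that is intended.
					LOG(ERROR, "Unable to start packet capture.",
						"Unable to get the network address and mask: "+string(strerror(errno)));
					exit(EXIT_FAILURE);
				}

				// Stack-allocated and value-initialised: no new/delete pair to keep balanced,
				// and pcap_freecode() never sees an uninitialised program.
				struct bpf_program fp = bpf_program();
				// c_str() guarantees NUL termination; data() does not.
				if(pcap_compile(handles[i], &fp, haystackAddresses_csv.c_str(), 0, maskp) == -1)
				{
					// Log the filter that was actually compiled (the old code logged an
					// uninitialised local buffer instead).
					LOG(ERROR, "Unable to enable packet capture.",
						"Couldn't parse pcap filter: " + haystackAddresses_csv + " " + pcap_geterr(handles[i]));
					// Nothing was compiled, so there is nothing to install or free.
					continue;
				}
				if(pcap_setfilter(handles[i], &fp) == -1)
				{
					LOG(ERROR, "Unable to enable packet capture.",
						"Couldn't install pcap filter: " + haystackAddresses_csv + " " + pcap_geterr(handles[i]));
				}
				//Free the compiled filter program after assignment, it is no longer needed after set filter
				pcap_freecode(&fp);
			}
		}
		else
		{
			// This is the case when there's no file to watch, just sleep and wait for it to
			// be created by honeyd when it starts up.
			sleep(2);
			honeydDHCPWatch = inotify_add_watch(honeydDHCPNotifyFd, dhcpListFile.c_str(),
					IN_CLOSE_WRITE | IN_MOVED_TO | IN_MODIFY | IN_DELETE);
		}
	}
	return NULL;
}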