/// Print a suspect's summary line (Suspect::ToString()) followed by the string
/// form of its MAIN_FEATURES feature set.
///
/// @param address   IPv4 address of the suspect; ntohl() is applied to it before
///                  the identifier is built.
/// @param interface Interface name the suspect was observed on.
///
/// Opens the novad connection for the duration of the call and closes it before
/// returning. Prints an error line when no suspect comes back.
void PrintSuspectData(in_addr_t address, string interface)
{
    Connect();

    SuspectIdentifier lookup(ntohl(address), interface);
    Suspect *found = GetSuspectWithData(lookup);

    if (found == NULL)
    {
        cout << "Error: No suspect received" << endl;
    }
    else
    {
        cout << found->ToString() << endl;
        cout << "Details follow" << endl;
        cout << found->GetFeatureSet(MAIN_FEATURES).toString() << endl;
    }

    delete found;  // no-op when found is NULL
    CloseNovadConnection();
}
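/// JS binding: build a human-readable description of one suspect.
///
/// @param args args[0] is the suspect's IPv4 address as a dotted-quad string,
///             args[1] the interface name it was observed on.
/// @return A JS string holding Suspect::ToString(), a newline and the feature
///         set's toString(); "Unable to complete request" when the address
///         cannot be parsed or no suspect is returned.
Handle<Value> NovaNode::GetSuspectDetailsString(const Arguments &args)
{
    HandleScope scope;
    string details;

    const string suspectIp = cvv8::CastFromJS<string>(args[0]);
    const string suspectInterface = cvv8::CastFromJS<string>(args[1]);

    // The address is caller-supplied text. inet_pton() leaves `address` unset
    // when it fails, so an unparsable string must not reach the lookup.
    struct in_addr address;
    if (inet_pton(AF_INET, suspectIp.c_str(), &address) != 1)
    {
        details = "Unable to complete request";
        return scope.Close(cvv8::CastToJS(details));
    }

    SuspectIdentifier id;
    id.m_ip = htonl(address.s_addr);
    id.m_interface = suspectInterface;

    Suspect *suspect = GetSuspectWithData(id);
    if (suspect != NULL)
    {
        details = suspect->ToString();
        details += "\n";
        details += suspect->GetFeatureSet().toString();
        delete suspect;
    }
    else
    {
        details = "Unable to complete request";
    }
    return scope.Close(cvv8::CastToJS(details));
}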
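/// Print every suspect in the requested list, either as one ToString() block
/// per suspect or as CSV rows.
///
/// @param listType Which list to request (passed through to GetSuspectList()).
/// @param csv      When true, print a header row followed by one
///                 "IP,INTERFACE,<features...>,CLASSIFICATION" row per suspect;
///                 otherwise print Suspect::ToString() for each.
///
/// Opens and closes the novad connection around the whole listing. A suspect
/// that is not returned is reported on its own line and skipped.
void PrintAllSuspects(enum SuspectListType listType, bool csv)
{
    Connect();
    vector<SuspectIdentifier> suspects = GetSuspectList(listType);

    // Print the CSV header
    if (csv)
    {
        cout << "IP,";
        cout << "INTERFACE,";
        for (int feature = 0; feature < DIM; feature++)
        {
            cout << FeatureSet::m_featureNames[feature] << ",";
        }
        cout << "CLASSIFICATION" << endl;
    }

    // The feature loop gets its own index name: reusing `i` for both the
    // suspect index and the feature index shadowed the outer variable.
    for (size_t s = 0; s < suspects.size(); s++)
    {
        Suspect *suspect = GetSuspect(suspects.at(s));
        if (suspect == NULL)
        {
            cout << "Error: No suspect received" << endl;
            continue;
        }

        if (!csv)
        {
            cout << suspect->ToString() << endl;
        }
        else
        {
            cout << suspect->GetIpString() << ",";
            cout << suspect->GetIdentifier().m_interface << ",";
            // Fetch the feature set once rather than once per column.
            const FeatureSet &features = suspect->GetFeatureSet();
            for (int feature = 0; feature < DIM; feature++)
            {
                cout << features.m_features[feature] << ",";
            }
            cout << suspect->GetClassification() << endl;
        }
        delete suspect;
    }

    CloseNovadConnection();
}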
/// Print a single suspect's summary (Suspect::ToString()) to stdout.
///
/// @param address   IPv4 address of the suspect; ntohl() is applied to it before
///                  the identifier is built.
/// @param interface Interface name the suspect was observed on.
///
/// Connects to novad for the lookup and closes the connection before returning;
/// prints an error line when no suspect comes back.
void PrintSuspect(in_addr_t address, string interface)
{
    Connect();

    SuspectIdentifier lookup(ntohl(address), interface);
    Suspect *found = GetSuspect(lookup);

    if (found == NULL)
    {
        cout << "Error: No suspect received" << endl;
    }
    else
    {
        cout << found->ToString() << endl;
    }

    delete found;  // no-op when found is NULL
    CloseNovadConnection();
}
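/// Thread entry point for the silent-alarm listener.
///
/// Binds a TCP socket on the configured silent-alarm port, installs iptables
/// REJECT rules for that port, then loops forever: accept one connection,
/// receive one message, decrypt and deserialize it into a Suspect, and merge
/// it into the suspect table. Socket setup failures are fatal (exit()).
///
/// @param ptr Unused pthread argument.
/// @return Never returns normally; the trailing return NULL is unreachable.
void *SilentAlarmLoop(void *ptr)
{
    (void) ptr;
    MaskKillSignals();

    u_char buf[MAX_MSG_SIZE];
    struct sockaddr_in sendaddr;

    const int sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == -1)
    {
        // socket() failed, so there is no descriptor to close here.
        LOG(CRITICAL, "Unable to create the silent alarm socket.",
            "Unable to create the silent alarm socket: " + string(strerror(errno)));
        exit(EXIT_FAILURE);
    }

    memset(&sendaddr, 0, sizeof sendaddr);
    sendaddr.sin_family = AF_INET;
    sendaddr.sin_port = htons(Config::Inst()->GetSaPort());
    sendaddr.sin_addr.s_addr = INADDR_ANY;

    struct sockaddr *sockaddrPtr = reinterpret_cast<struct sockaddr *>(&sendaddr);
    socklen_t sendaddrSize = sizeof sendaddr;
    if (::bind(sockfd, sockaddrPtr, sendaddrSize) == -1)
    {
        LOG(CRITICAL, "Unable to bind to the silent alarm socket.",
            "Unable to bind to the silent alarm socket: " + string(strerror(errno)));
        close(sockfd);
        exit(EXIT_FAILURE);
    }

    // Reject other traffic to the alarm port. These commands run through a
    // shell via system(); the only variable part is the integer port number,
    // so keep it that way (never splice untrusted text into them).
    stringstream ss;
    ss << "sudo iptables -A INPUT -p udp --dport " << Config::Inst()->GetSaPort()
       << " -j REJECT" " --reject-with icmp-port-unreachable";
    if (system(ss.str().c_str()) == -1)
    {
        LOG(ERROR, "Failed to update iptables.", "");
    }

    ss.str("");
    ss << "sudo iptables -A INPUT -p tcp --dport " << Config::Inst()->GetSaPort()
       << " -j REJECT --reject-with tcp-reset";
    if (system(ss.str().c_str()) == -1)
    {
        LOG(ERROR, "Failed to update iptables.", "");
    }

    if (listen(sockfd, SOCKET_QUEUE_SIZE) == -1)
    {
        LOG(CRITICAL, "Unable to listen on the silent alarm socket.",
            "Unable to listen on the silent alarm socket.: " + string(strerror(errno)));
        close(sockfd);
        exit(EXIT_FAILURE);
    }

    Suspect suspectCopy;

    //Accept incoming Silent Alarm TCP Connections
    while (1)
    {
        memset(buf, 0, MAX_MSG_SIZE);

        // Keep the peer address separate from the bind address so accept()
        // does not overwrite sendaddr on every connection.
        struct sockaddr_in peerAddr;
        socklen_t peerAddrSize = sizeof peerAddr;
        memset(&peerAddr, 0, sizeof peerAddr);

        //Blocking call
        const int connectionSocket = accept(sockfd,
            reinterpret_cast<struct sockaddr *>(&peerAddr), &peerAddrSize);
        if (connectionSocket == -1)
        {
            LOG(CRITICAL, "Problem while accepting incoming silent alarm connection.",
                "Problem while accepting incoming silent alarm connection: " + string(strerror(errno)));
            continue;
        }

        const int bytesRead = recv(connectionSocket, buf, MAX_MSG_SIZE, MSG_WAITALL);
        if (bytesRead == -1)
        {
            LOG(CRITICAL, "Problem while receiving incoming silent alarm connection.",
                "Problem while receiving incoming silent alarm connection: " + string(strerror(errno)));
            close(connectionSocket);
            continue;
        }

        //If this is from ourselves, then drop it.
        // A `continue` inside the for loop only advances the hostAddrs scan, so
        // record the match and skip the rest of this iteration explicitly.
        bool fromSelf = false;
        for (uint i = 0; i < hostAddrs.size() && !fromSelf; i++)
        {
            fromSelf = (hostAddrs[i].sin_addr.s_addr == peerAddr.sin_addr.s_addr);
        }
        if (fromSelf)
        {
            close(connectionSocket);
            continue;
        }

        // The first bytes of the plaintext are copied out as the suspect
        // address below, so a message shorter than that cannot be valid
        // (recv() returning 0 means the peer closed without sending).
        in_addr_t addr = 0;
        if (bytesRead < static_cast<int>(sizeof addr))
        {
            close(connectionSocket);
            continue;
        }

        CryptBuffer(buf, bytesRead, DECRYPT);
        memcpy(&addr, buf, sizeof addr);
        // Table key is the raw address as received, with no byte-order
        // conversion; presumably the table uses the same convention elsewhere.
        const uint64_t key = addr;

        Suspect *newSuspect = new Suspect();
        // Bound deserialization by what was actually received, not by the
        // buffer capacity.
        if (newSuspect->Deserialize(buf, bytesRead, MAIN_FEATURE_DATA) == 0)
        {
            // Nothing took ownership of the Suspect, so free it here.
            delete newSuspect;
            close(connectionSocket);
            continue;
        }

        const bool existing = suspects.IsValidKey(key);
        if (existing)
        {
            //If this suspect exists, update the information
            suspectCopy = suspects.CheckOut(key);
            suspectCopy.SetFlaggedByAlarm(true);
            FeatureSet fs = newSuspect->GetFeatureSet(MAIN_FEATURES);
            suspectCopy.AddFeatureSet(&fs, MAIN_FEATURES);
            suspects.CheckIn(&suspectCopy);
            // newSuspect remains ours in this branch; it is freed below once the
            // log line and classification no longer need it.
        }
        else
        {
            //If this is a new suspect put it in the table
            newSuspect->SetIsHostile(false);
            newSuspect->SetFlaggedByAlarm(true);
            //We set isHostile to false so that when we classify the first time
            // the suspect will go from benign to hostile and be sent to the doppelganger module
            // NOTE(review): AddNewSuspect is assumed to take ownership of the
            // pointer (it was never freed on this path) — confirm against the table.
            suspects.AddNewSuspect(newSuspect);
        }

        LOG(CRITICAL, string("Got a silent alarm!. Suspect: " + newSuspect->ToString()), "");
        if (!Config::Inst()->GetClassificationTimeout())
        {
            UpdateAndClassify(newSuspect->GetIpAddress());
        }

        if (existing)
        {
            delete newSuspect;
        }
        close(connectionSocket);
    }

    close(sockfd);
    LOG(CRITICAL, "The code should never get here, something went very wrong.", "");
    return NULL;
}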