/* Function: init_socket Purpose : initialises a Linux/BSD socket. Input : string containing the GUI IP address. Return : A valid socket = success, -1 = fail. */ int init_socket(char *gui_ip_address) { struct sockaddr_in serv_addr; if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { print_log_entry("init_socket() <ERROR> Could not create socket \n"); return(-1); } memset(&serv_addr, '0', sizeof(serv_addr)); serv_addr.sin_family = AF_INET; serv_addr.sin_port = htons(atoi(GUI_SERVER_PORT_STRING)); if(inet_pton(AF_INET, gui_ip_address, &serv_addr.sin_addr)<=0) { print_log_entry("init_socket() <ERROR> inet_pton error occured\n"); return(-1); } if(connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) { printf("init_socket() <ERROR> Connect Failed \n"); return(-1); } return(0); }
int main(int argc, char *argv[]) { char evtx_in_file[FL_PATH_MAX]; char fl_out_file[FL_PATH_MAX]; char gui_ip_address[FL_IP_ADDR_MAX]; char filter_file[FL_PATH_MAX]; int mode; int res = open_log_file(argv[0]); if (res < 0) { printf("main() <ERROR> Could not open log file.\n"); exit(FILE_ERROR); } print_log_entry("main() <INFO> Starting FineLine 1.0\n"); mode = parse_command_line_args(argc, argv, fl_out_file, evtx_in_file, gui_ip_address, filter_file); if (mode > 0) { if (mode & FL_EVT_IN) { parse_evt_event_log(evtx_in_file, fl_out_file, mode, gui_ip_address, filter_file); } else if (mode & FL_EVTX_IN) { parse_evtx_event_log(evtx_in_file, fl_out_file, mode, gui_ip_address, filter_file); } else { print_log_entry("main() <ERROR> Invalid command line options!\n"); print_help(); } } else { print_log_entry("main() <ERROR> Invalid command line options!\n"); print_help(); } close_log_file(); exit(0); }
/* Function: write_fineline_project_header() Purpose : Creates an event log header string and prints to the event file. : Input : Log header string, event file and log file. Output : Timestamped log header entry. */ int write_fineline_project_header(char *pstr, FILE *evt_file, int record_count) { time_t curtime; struct tm *loctime; int slen = strlen(pstr) + FL_MAX_INPUT_STR; char *hdr = (char *) xcalloc(slen); char *time_str; char start_date_time_string[32]; char end_date_time_string[32]; /* struct fl_event_record *fler; */ memset(start_date_time_string, 0, 32); memset(end_date_time_string, 0, 32); strncpy(start_date_time_string, "NONE", 4); strncpy(end_date_time_string, "NONE", 4); /* Get the current time. */ curtime = time (NULL); loctime = localtime (&curtime); time_str = asctime(loctime); /* Get the date of the first and last event records and use these to set the project start/end dates fler = get_first_event_record(); if (fler != NULL) { strncpy(start_date_time_string, fler->event_time_string, 32); } fler = get_last_event_record(); if (fler != NULL) { strncpy(end_date_time_string, fler->event_time_string, 32); } */ /* First and last records are same day because event file is a circular buffer with a fixed maximum size */ /* TODO: determine a method of getting the last date/time stamp from the event file */ strcpy(hdr, "<project><name>FineLine Project "); strncat(hdr, time_str, strlen(time_str) - 1); strcat(hdr, "</name><investigator>NONE</investigator><summary>NONE</summary><startdate>"); strncat(hdr, start_date_time_string, 32); strcat(hdr,"</startdate><enddate>"); strncat(hdr, end_date_time_string, 32); strcat(hdr, "</enddate><description>"); strncat(hdr, pstr, slen); strcat(hdr, "</description></project>\n"); fputs (hdr, evt_file); print_log_entry("write_fineline_project_header() <INFO> Wrote Project Header.\n"); xfree(hdr, slen); return(0); }
int send_event(char *event_string) { int k; k = send(sockfd, event_string, strlen(event_string), 0); if (k == -1) { print_log_entry("send_event() <ERROR> Cannot write to server!\n"); } return(k); }
/* Function: send_event Purpose : sends the string to the GUI. Input : socket, event record string. Return : 0 = success, -1 = fail. */ int send_event(char *event_string) { int result; result = send(connect_socket, event_string, (int)strlen(event_string), 0); if (result == SOCKET_ERROR) { print_log_entry("send_event() <ERROR> Send failed with error.\n"); closesocket(connect_socket); WSACleanup(); return(-1); } printf("send_event() <INFO> Sent event record %s\n", event_string); return(0); }
bool read_log(silvia_card_channel* card, std::string userPIN) { bool rv = true; std::vector<bytestring> commands; std::vector<bytestring> results; silvia_irma_manager irma_manager; commands = irma_manager.get_log_commands(userPIN); int n_ent = 1; if (communicate_with_card(card, commands, results)) { int i = 2; // The first two results corresponds to SELECT and VERIFY APDUs. for (char start_entry = 0x00; start_entry < irma_manager.LOG_SIZE; start_entry = (char)(start_entry + irma_manager.LOG_ENTRIES_PER_APDU)) { std::string entry = results[i].hex_str(); for (int j = 0; j < irma_manager.LOG_ENTRIES_PER_APDU; j++) { std::string e = entry.substr(j*irma_manager.LOG_ENTRY_SIZE*2, irma_manager.LOG_ENTRY_SIZE*2); print_log_entry(n_ent++, e); } i++; } } else { printf("Failed to communicate with the card, was it removed prematurely?\n"); rv = false; } return rv; }
/* Function: sensor_connection_handler Purpose : Called by the posix thread, opens sensor log file then loops on the socket recv command, logs messages received from the sensor and updates the IP statistics hash map. Input : Socket descriptor. Return : returns NULL. */ void *sensor_connection_handler(void *socket_desc) { int sock = *(int*)socket_desc; int read_size, tlen; char timestr[100]; char sensor_id[100]; char sensor_message[PV_MAX_INPUT_STR]; char event_filename[PV_MAX_INPUT_STR]; FILE *sensor_log; /* TODO: pv_ip_record_t *connection_map = NULL; the hash map head record */ print_log_entry("sensor_connection_handler() <INFO> Connection handler starting.\n"); /* !!!CLEAR THE BUFFERS!!! */ memset(sensor_message, 0, PV_MAX_INPUT_STR); memset(event_filename, 0, PV_MAX_INPUT_STR); memset(sensor_id, 0, 100); memset(timestr, 0, 100); /* Read the first message from the sensor, extract the sensor ID from the message and open the log file. A separate log file is maintained for each sensor. The file format is plain text Fineline Event format -> https://code.google.com/p/fineline-computer-forensics-timeline-tools/ The log file name format is: SID0000-YYYYMMDD-HHMMSS.fle */ if ((read_size = recv(sock, sensor_message, PV_MAX_INPUT_STR, 0)) > 0) { get_sensor_id(sensor_message, sensor_id); strncpy(event_filename, sensor_id, strlen(sensor_id)); tlen = get_time_string(timestr, 100); if (tlen > 0) /* Build the default event log filename, SENSOR0000-YYYYMMDD-HHMMSS.fle */ { strncat(event_filename, timestr, tlen); } else { strncat(event_filename, "-YYYYMMDD-HHMMSS", 16); print_log_entry("sensor_connection_handler() <WARNING> Invalid time string.\n"); } strncat(event_filename, EVENT_FILE_EXT, 4); sensor_log = open_sensor_log_file(event_filename); if (sensor_log == NULL) { print_log_entry("sensor_connection_handler() <ERROR> Could not open sensor log file.\n"); return(NULL); } /* TODO: update statistics hashmap */ write_project_header(sensor_log, "Pivotal Sensor Log"); write_sensor_log_record(sensor_log, sensor_message); } else { print_log_entry("sensor_connection_handler() <ERROR> Sensor receive failed.\n"); return(NULL); } /* Start the receive loop, only exit receive on error or sensor disconnect. */ while((read_size = recv(sock, sensor_message, PV_MAX_INPUT_STR, 0)) > 0 ) { if (strncmp(sensor_message, "<event>", 7) == 0) { /* TODO: update connections statistics map */ write_sensor_log_record(sensor_log, sensor_message); memset(sensor_message, 0, PV_MAX_INPUT_STR); } else /* We have a control message from the sensor. */ { /* TODO: check for disconnect, alarm or error message. */ break; } } print_log_entry("sensor_connection_handler() <INFO> Sensor disconnected.\n"); close_sensor_log_file(sensor_log); free(socket_desc); return(NULL); }
int main(int argc, char *argv[]) { char FL_out_file[FL_PATH_MAX_LENGTH]; char server_ip_address[FL_IP_ADDR_MAX]; char filter_file[FL_PATH_MAX_LENGTH]; char capture_device[FL_PATH_MAX_LENGTH]; char bpf_string[FL_PATH_MAX_LENGTH]; int mode; int res = open_log_file(argv[0]); if (res < 0) { printf("fineline-sensor.c main() <ERROR> Could not open log file.\n"); exit(FILE_ERROR); } print_log_entry("fineline-sensor.c main() <INFO> Starting Fineline Sensor 1.0\n"); mode = parse_command_line_args(argc, argv, capture_device, FL_out_file, server_ip_address, filter_file); if (mode > 0) { if (mode & FL_CAPTURE_INPUT) { if (mode & FL_FILTER_ON) { load_bpf_filters(filter_file, bpf_string); } else { /* Only do layer 3 and above and not destination Fineline GUI */ /* as we will be pushing events to the Fineline GUI which may */ /* may be running on the local machine. */ if (mode & FL_GUI_OUT) { sprintf(bpf_string, "ip and not (host %s and port %s)", server_ip_address, GUI_SERVER_PORT_STRING); } else { strncpy(bpf_string, "ip", 2); /* Not sending to GUI, so just filter on layer 3 packets. */ } } start_capture(capture_device, bpf_string, FL_out_file, server_ip_address, mode); } else if (mode & FL_UNIFIED2_INPUT) { /* TODO: tail suricata logs (popen("tail")) */ printf("TODO: Unified2 log monitoring not implemented.\n"); } else { print_log_entry("fineline-sensor.c main() <ERROR> Invalid command line options - no capture mode specified!\n"); show_sensor_help(); } } else { print_log_entry("fineline-sensor.c main() <ERROR> Invalid command line options!\n"); show_sensor_help(); } close_log_file(); exit(0); }
/* Function: parse_command_line_args Purpose : Validates command line arguments. Input : argc, argv, capture interface, server ip and filter file strings. Return : returns -1 on error, mode of operation on success. */ int parse_command_line_args(int argc, char *argv[], char *capture_device, char *event_filename, char *server_ip_address, char *filter_file) { int retval = 0; char timestr[100]; int tlen; tlen = get_time_string(timestr, 99); memset(capture_device, 0, FL_PATH_MAX_LENGTH); memset(event_filename, 0, FL_PATH_MAX_LENGTH); memset(server_ip_address, 0, FL_PATH_MAX_LENGTH); memset(filter_file, 0, FL_PATH_MAX_LENGTH); strncpy(event_filename, EVENT_FILE, strlen(EVENT_FILE)); /* the default event file name */ strncpy(capture_device, "eth0", 4); strncpy(server_ip_address, "127.0.0.1", 9); /* Default server on the local machine */ if (tlen > 0) /* Build the default event filename, fineline-events-YYYYMMDD-HHMMSS.fle */ { strncat(event_filename, timestr, tlen); } else { print_log_entry("parse_command_line_args() <WARNING> Invalid time string.\n"); } strncat(event_filename, EVENT_FILE_EXT, 4); if (argc < 2) { print_log_entry("parse_command_line_args(): invalid arguments < 2\n"); return(-1); } else { int i; for (i = 1; i < argc; i++) { if (strncmp(argv[i], "-c", 2) == 0) { retval = retval | FL_CAPTURE_INPUT; /* Capture packets on a network interface */ } if (strncmp(argv[i], "-t", 2) == 0) { retval = retval | FL_UNIFIED2_INPUT; /* Tail Unified2 log files */ } else if (strncmp(argv[i], "-w", 2) == 0) { retval = retval | FL_FILE_OUT; /* Create FineLine event file */ } else if (strncmp(argv[i], "-g", 2) == 0) { retval = retval | FL_GUI_OUT; /* Send event records to Fineline server */ } else if (strncmp(argv[i], "-b", 2) == 0) { retval = retval | FL_FILE_OUT | FL_GUI_OUT; /* Create FineLine event file and send events to server */ } else if (strncmp(argv[i], "-o", 2) == 0) { /* Optional FineLine event file name to use for output of event records */ if ((i+1) < argc) { printf("parse_command_line_args() <INFO> FineLine event file: %s\n", argv[i+1]); strncpy(event_filename, argv[i+1], strlen(argv[i+1])); } else { print_log_entry("parse_command_line_args() <ERROR> Missing event file name.\n"); return(-1); } } else if (strncmp(argv[i], "-i", 2) == 0) { /* Network interface for packet capture */ if ((i+1) < argc) { printf("parse_command_line_args() <INFO> Network interface: %s\n", argv[i+1]); strncpy(capture_device, argv[i+1], strlen(argv[i+1])); } else { print_log_entry("parse_command_line_args() <ERROR> Missing network interface.\n"); return(-1); } } else if (strncmp(argv[i], "-a", 2) == 0) { if ((i+1) < argc) { /* IP address of the Fineline NST Server. */ printf("parse_command_line_args() <INFO> Server IP address: %s\n", argv[i+1]); strncpy(server_ip_address, argv[i+1], strlen(argv[i+1])); if (validate_ipv4_address(server_ip_address) < 0) { print_log_entry("parse_command_line_args() <ERROR> Invalid Ifl4 address.\n"); return(-1); } } else { print_log_entry("parse_command_line_args() <ERROR> Missing Ifl4 address.\n"); return(-1); } } else if (strncmp(argv[i], "-f", 2) == 0) { /* Filter file name */ if ((i+1) < argc) { printf("parse_command_line_args() <INFO> Filter file: %s\n", argv[i+1]); strncpy(filter_file, argv[i+1], strlen(argv[i+1])); retval = retval | FL_FILTER_ON; } else { print_log_entry("parse_command_line_args() <ERROR> Missing filter file name.\n"); return(-1); } } } } print_log_entry("parse_command_line_args() <INFO> Finished processing command line arguments.\n"); return(retval); }
/* Function: init_socket Purpose : initialises a WINSOCK socket. Input : string containing the GUI IP address. Return : A valid socket = success, INVALID_SOCKET = fail. */ int init_socket(char *gui_ip_address) { WSADATA wsaData; struct addrinfo *resultaddrinfo = NULL, *ptr = NULL, hints; char *sendbuf = NULL; int result; result = WSAStartup(MAKEWORD(2,2), &wsaData); if (result != 0) { print_log_entry("init_socket() <ERROR> WSAStartup failed with error.\n"); return(-1); } ZeroMemory( &hints, sizeof(hints) ); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_STREAM; hints.ai_protocol = IPPROTO_TCP; /* Resolve the server address and port NOTE* getaddrinfo is in ws2_32.lib not in the old wsock32.lib */ result = getaddrinfo(gui_ip_address, GUI_SERVER_PORT_STRING, &hints, &resultaddrinfo); if (result != 0) { print_log_entry("init_socket() <ERROR> getaddrinfo failed with error.\n"); WSACleanup(); return(-1); } /* Attempt to connect to an address until one succeeds */ for(ptr=resultaddrinfo; ptr != NULL ;ptr=ptr->ai_next) { /* Create a SOCKET for connecting to server */ connect_socket = socket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol); if (connect_socket == INVALID_SOCKET) { print_log_entry("init_socket() <ERROR> socket failed with error.\n"); WSACleanup(); return(INVALID_SOCKET); } /* Connect to server. */ result = connect( connect_socket, ptr->ai_addr, (int)ptr->ai_addrlen); if (result == SOCKET_ERROR) { closesocket(connect_socket); connect_socket = INVALID_SOCKET; continue; } break; } freeaddrinfo(resultaddrinfo); if (connect_socket == INVALID_SOCKET) { print_log_entry("init_socket() <ERROR> Unable to connect to server!\n"); WSACleanup(); return(-1); } return(0); }
/* Function: parse_command_line_args Purpose : Validates command line arguments. Input : argc, argv, log file and db file handles. Return : mode of operation and database file handle if required. */ int parse_command_line_args(int argc, char *argv[], char *fl_event_filename, char *in_file, char *gui_ip_address, char *filter_file) { int retval = 0; int input_file_specified = 0; char timestr[100]; int tlen; tlen = get_time_string(timestr, 99); memset(fl_event_filename, 0, FL_PATH_MAX); memset(in_file, 0, FL_PATH_MAX); memset(filter_file, 0, FL_PATH_MAX); strncpy(fl_event_filename, EVENT_FILE, strlen(EVENT_FILE)); /* the default event filename */ if (tlen > 0) { strncat(fl_event_filename, timestr, tlen); } else { print_log_entry("parse_command_line_args() <WARNING> Invalid time string.\n"); } strncat(fl_event_filename, EVENT_FILE_EXT, 4); if (argc < 2) { print_log_entry("parse_command_line_args(): invalid arguments < 2\n"); return(-1); } else { int i; for (i = 1; i < argc; i++) { if (strncmp(argv[i], "-w", 2) == 0) { retval = retval | FL_FILE_OUT; /* Create FineLine event file */ } else if (strncmp(argv[i], "-s", 2) == 0) { retval = retval | FL_GUI_OUT; /* Send event records to GUI */ } else if (strncmp(argv[i], "-b", 2) == 0) { retval = retval | FL_FILE_OUT | FL_GUI_OUT; /* Create FineLine event file and send to GUI */ } else if (strncmp(argv[i], "-o", 2) == 0) { /* FineLine event file name to use for output of event records */ if ((i+1) < argc) { printf("parse_command_line_args() <INFO> FineLine event file: %s\n", argv[i+1]); strncpy(fl_event_filename, argv[i+1], strlen(argv[i+1])); } else { print_log_entry("parse_command_line_args() <ERROR> Missing event file name.\n"); return(-1); } } else if (strncmp(argv[i], "-i", 2) == 0) { /* Windows event file name to use for input */ if ((i+1) < argc) { printf("parse_command_line_args() <INFO> Windows event file: %s\n", argv[i+1]); strncpy(in_file, argv[i+1], strlen(argv[i+1])); input_file_specified = 1; if (strstr(in_file, ".evtx")) { retval = retval | FL_EVTX_IN; } else if (strstr(in_file, ".evt")) { retval = retval | FL_EVT_IN; } else { print_log_entry("parse_command_line_args() <ERROR> Unknown event file type.\n"); return(-1); } } else { print_log_entry("parse_command_line_args() <ERROR> Missing Windows event file name.\n"); return(-1); } } else if (strncmp(argv[i], "-a", 2) == 0) { if ((i+1) < argc) { printf("parse_command_line_args() <INFO> GUI IP address: %s\n", argv[i+1]); strncpy(gui_ip_address, argv[i+1], strlen(argv[i+1])); if (validate_ipv4_address(gui_ip_address) < 0) { print_log_entry("parse_command_line_args() <ERROR> Invalid IPv4 address.\n"); return(-1); } } else { print_log_entry("parse_command_line_args() <ERROR> Missing IPv4 address.\n"); return(-1); } } else if (strncmp(argv[i], "-f", 2) == 0) { /* Filter event file name */ if ((i+1) < argc) { printf("parse_command_line_args() <INFO> Filter file: %s\n", argv[i+1]); strncpy(filter_file, argv[i+1], strlen(argv[i+1])); retval = retval | FL_FILTER_ON; } else { print_log_entry("parse_command_line_args() <ERROR> Missing filter file name.\n"); return(-1); } } } } /* Check for input file on command line, if none then do the live system log. */ if (input_file_specified == 0) { strncpy(in_file, EVENT_LOG_PATH, strlen(EVENT_LOG_PATH)); strncat(in_file, PATH_SEPARATOR, strlen(PATH_SEPARATOR)); strncat(in_file, SECURITY_LOG_FILE, strlen(SECURITY_LOG_FILE)); retval = retval | FL_EVTX_IN; print_log_entry("parse_command_line_args() <INFO> Default input file = Security.evtx\n"); } print_log_entry("parse_command_line_args() <INFO> Finished processing command line arguments.\n"); return(retval); }