/*
Function: init_socket
Purpose : initialises a Linux/BSD socket.
Input : string containing the GUI IP address.
Return : A valid socket = success, -1 = fail.
*/
int init_socket(char *gui_ip_address)
{
struct sockaddr_in serv_addr;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
print_log_entry("init_socket() <ERROR> Could not create socket \n");
return(-1);
}
memset(&serv_addr, '0', sizeof(serv_addr));
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(atoi(GUI_SERVER_PORT_STRING));
if(inet_pton(AF_INET, gui_ip_address, &serv_addr.sin_addr)<=0)
{
print_log_entry("init_socket() <ERROR> inet_pton error occured\n");
return(-1);
}
if(connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
{
printf("init_socket() <ERROR> Connect Failed \n");
return(-1);
}
return(0);
}
int main(int argc, char *argv[])
{
char evtx_in_file[FL_PATH_MAX];
char fl_out_file[FL_PATH_MAX];
char gui_ip_address[FL_IP_ADDR_MAX];
char filter_file[FL_PATH_MAX];
int mode;
int res = open_log_file(argv[0]);
if (res < 0)
{
printf("main() <ERROR> Could not open log file.\n");
exit(FILE_ERROR);
}
print_log_entry("main() <INFO> Starting FineLine 1.0\n");
mode = parse_command_line_args(argc, argv, fl_out_file, evtx_in_file, gui_ip_address, filter_file);
if (mode > 0)
{
if (mode & FL_EVT_IN)
{
parse_evt_event_log(evtx_in_file, fl_out_file, mode, gui_ip_address, filter_file);
}
else if (mode & FL_EVTX_IN)
{
parse_evtx_event_log(evtx_in_file, fl_out_file, mode, gui_ip_address, filter_file);
}
else
{
print_log_entry("main() <ERROR> Invalid command line options!\n");
print_help();
}
}
else
{
print_log_entry("main() <ERROR> Invalid command line options!\n");
print_help();
}
close_log_file();
exit(0);
}
/*
Function: write_fineline_project_header()
Purpose : Creates an event log header string and prints to the event file.
:
Input : Log header string, event file and log file.
Output : Timestamped log header entry.
*/
int write_fineline_project_header(char *pstr, FILE *evt_file, int record_count)
{
time_t curtime;
struct tm *loctime;
int slen = strlen(pstr) + FL_MAX_INPUT_STR;
char *hdr = (char *) xcalloc(slen);
char *time_str;
char start_date_time_string[32];
char end_date_time_string[32];
/* struct fl_event_record *fler; */
memset(start_date_time_string, 0, 32);
memset(end_date_time_string, 0, 32);
strncpy(start_date_time_string, "NONE", 4);
strncpy(end_date_time_string, "NONE", 4);
/* Get the current time. */
curtime = time (NULL);
loctime = localtime (&curtime);
time_str = asctime(loctime);
/* Get the date of the first and last event records and use these to set the project start/end dates
fler = get_first_event_record();
if (fler != NULL)
{
strncpy(start_date_time_string, fler->event_time_string, 32);
}
fler = get_last_event_record();
if (fler != NULL)
{
strncpy(end_date_time_string, fler->event_time_string, 32);
}
*/
/* First and last records are same day because event file is a circular buffer with a fixed maximum size */
/* TODO: determine a method of getting the last date/time stamp from the event file */
strcpy(hdr, "<project><name>FineLine Project ");
strncat(hdr, time_str, strlen(time_str) - 1);
strcat(hdr, "</name><investigator>NONE</investigator><summary>NONE</summary><startdate>");
strncat(hdr, start_date_time_string, 32);
strcat(hdr,"</startdate><enddate>");
strncat(hdr, end_date_time_string, 32);
strcat(hdr, "</enddate><description>");
strncat(hdr, pstr, slen);
strcat(hdr, "</description></project>\n");
fputs (hdr, evt_file);
print_log_entry("write_fineline_project_header() <INFO> Wrote Project Header.\n");
xfree(hdr, slen);
return(0);
}
int send_event(char *event_string)
{
int k;
k = send(sockfd, event_string, strlen(event_string), 0);
if (k == -1)
{
print_log_entry("send_event() <ERROR> Cannot write to server!\n");
}
return(k);
}
/*
Function: send_event
Purpose : sends the string to the GUI.
Input : socket, event record string.
Return : 0 = success, -1 = fail.
*/
int send_event(char *event_string)
{
int result;
result = send(connect_socket, event_string, (int)strlen(event_string), 0);
if (result == SOCKET_ERROR)
{
print_log_entry("send_event() <ERROR> Send failed with error.\n");
closesocket(connect_socket);
WSACleanup();
return(-1);
}
printf("send_event() <INFO> Sent event record %s\n", event_string);
return(0);
}
bool read_log(silvia_card_channel* card, std::string userPIN)
{
bool rv = true;
std::vector<bytestring> commands;
std::vector<bytestring> results;
silvia_irma_manager irma_manager;
commands = irma_manager.get_log_commands(userPIN);
int n_ent = 1;
if (communicate_with_card(card, commands, results))
{
int i = 2; // The first two results corresponds to SELECT and VERIFY APDUs.
for (char start_entry = 0x00; start_entry < irma_manager.LOG_SIZE; start_entry = (char)(start_entry + irma_manager.LOG_ENTRIES_PER_APDU))
{
std::string entry = results[i].hex_str();
for (int j = 0; j < irma_manager.LOG_ENTRIES_PER_APDU; j++)
{
std::string e = entry.substr(j*irma_manager.LOG_ENTRY_SIZE*2, irma_manager.LOG_ENTRY_SIZE*2);
print_log_entry(n_ent++, e);
}
i++;
}
}
else
{
printf("Failed to communicate with the card, was it removed prematurely?\n");
rv = false;
}
return rv;
}
/*
Function: sensor_connection_handler
Purpose : Called by the posix thread, opens sensor log file then
loops on the socket recv command, logs messages received
from the sensor and updates the IP statistics hash map.
Input : Socket descriptor.
Return : returns NULL.
*/
void *sensor_connection_handler(void *socket_desc)
{
int sock = *(int*)socket_desc;
int read_size, tlen;
char timestr[100];
char sensor_id[100];
char sensor_message[PV_MAX_INPUT_STR];
char event_filename[PV_MAX_INPUT_STR];
FILE *sensor_log;
/* TODO: pv_ip_record_t *connection_map = NULL; the hash map head record */
print_log_entry("sensor_connection_handler() <INFO> Connection handler starting.\n");
/* !!!CLEAR THE BUFFERS!!! */
memset(sensor_message, 0, PV_MAX_INPUT_STR);
memset(event_filename, 0, PV_MAX_INPUT_STR);
memset(sensor_id, 0, 100);
memset(timestr, 0, 100);
/*
Read the first message from the sensor, extract the sensor ID from the message
and open the log file. A separate log file is maintained for each sensor.
The file format is plain text Fineline Event format ->
https://code.google.com/p/fineline-computer-forensics-timeline-tools/
The log file name format is: SID0000-YYYYMMDD-HHMMSS.fle
*/
if ((read_size = recv(sock, sensor_message, PV_MAX_INPUT_STR, 0)) > 0)
{
get_sensor_id(sensor_message, sensor_id);
strncpy(event_filename, sensor_id, strlen(sensor_id));
tlen = get_time_string(timestr, 100);
if (tlen > 0) /* Build the default event log filename, SENSOR0000-YYYYMMDD-HHMMSS.fle */
{
strncat(event_filename, timestr, tlen);
}
else
{
strncat(event_filename, "-YYYYMMDD-HHMMSS", 16);
print_log_entry("sensor_connection_handler() <WARNING> Invalid time string.\n");
}
strncat(event_filename, EVENT_FILE_EXT, 4);
sensor_log = open_sensor_log_file(event_filename);
if (sensor_log == NULL)
{
print_log_entry("sensor_connection_handler() <ERROR> Could not open sensor log file.\n");
return(NULL);
}
/* TODO: update statistics hashmap */
write_project_header(sensor_log, "Pivotal Sensor Log");
write_sensor_log_record(sensor_log, sensor_message);
}
else
{
print_log_entry("sensor_connection_handler() <ERROR> Sensor receive failed.\n");
return(NULL);
}
/*
Start the receive loop, only exit receive on error or sensor disconnect.
*/
while((read_size = recv(sock, sensor_message, PV_MAX_INPUT_STR, 0)) > 0 )
{
if (strncmp(sensor_message, "<event>", 7) == 0)
{
/* TODO: update connections statistics map */
write_sensor_log_record(sensor_log, sensor_message);
memset(sensor_message, 0, PV_MAX_INPUT_STR);
}
else /* We have a control message from the sensor. */
{
/* TODO: check for disconnect, alarm or error message. */
break;
}
}
print_log_entry("sensor_connection_handler() <INFO> Sensor disconnected.\n");
close_sensor_log_file(sensor_log);
free(socket_desc);
return(NULL);
}
int main(int argc, char *argv[])
{
char FL_out_file[FL_PATH_MAX_LENGTH];
char server_ip_address[FL_IP_ADDR_MAX];
char filter_file[FL_PATH_MAX_LENGTH];
char capture_device[FL_PATH_MAX_LENGTH];
char bpf_string[FL_PATH_MAX_LENGTH];
int mode;
int res = open_log_file(argv[0]);
if (res < 0)
{
printf("fineline-sensor.c main() <ERROR> Could not open log file.\n");
exit(FILE_ERROR);
}
print_log_entry("fineline-sensor.c main() <INFO> Starting Fineline Sensor 1.0\n");
mode = parse_command_line_args(argc, argv, capture_device, FL_out_file, server_ip_address, filter_file);
if (mode > 0)
{
if (mode & FL_CAPTURE_INPUT)
{
if (mode & FL_FILTER_ON)
{
load_bpf_filters(filter_file, bpf_string);
}
else
{
/* Only do layer 3 and above and not destination Fineline GUI */
/* as we will be pushing events to the Fineline GUI which may */
/* may be running on the local machine. */
if (mode & FL_GUI_OUT)
{
sprintf(bpf_string, "ip and not (host %s and port %s)", server_ip_address, GUI_SERVER_PORT_STRING);
}
else
{
strncpy(bpf_string, "ip", 2); /* Not sending to GUI, so just filter on layer 3 packets. */
}
}
start_capture(capture_device, bpf_string, FL_out_file, server_ip_address, mode);
}
else if (mode & FL_UNIFIED2_INPUT)
{
/* TODO: tail suricata logs (popen("tail")) */
printf("TODO: Unified2 log monitoring not implemented.\n");
}
else
{
print_log_entry("fineline-sensor.c main() <ERROR> Invalid command line options - no capture mode specified!\n");
show_sensor_help();
}
}
else
{
print_log_entry("fineline-sensor.c main() <ERROR> Invalid command line options!\n");
show_sensor_help();
}
close_log_file();
exit(0);
}
/*
Function: parse_command_line_args
Purpose : Validates command line arguments.
Input : argc, argv, capture interface, server ip and filter file strings.
Return : returns -1 on error, mode of operation on success.
*/
int parse_command_line_args(int argc, char *argv[], char *capture_device, char *event_filename, char *server_ip_address, char *filter_file)
{
int retval = 0;
char timestr[100];
int tlen;
tlen = get_time_string(timestr, 99);
memset(capture_device, 0, FL_PATH_MAX_LENGTH);
memset(event_filename, 0, FL_PATH_MAX_LENGTH);
memset(server_ip_address, 0, FL_PATH_MAX_LENGTH);
memset(filter_file, 0, FL_PATH_MAX_LENGTH);
strncpy(event_filename, EVENT_FILE, strlen(EVENT_FILE)); /* the default event file name */
strncpy(capture_device, "eth0", 4);
strncpy(server_ip_address, "127.0.0.1", 9); /* Default server on the local machine */
if (tlen > 0) /* Build the default event filename, fineline-events-YYYYMMDD-HHMMSS.fle */
{
strncat(event_filename, timestr, tlen);
}
else
{
print_log_entry("parse_command_line_args() <WARNING> Invalid time string.\n");
}
strncat(event_filename, EVENT_FILE_EXT, 4);
if (argc < 2)
{
print_log_entry("parse_command_line_args(): invalid arguments < 2\n");
return(-1);
}
else
{
int i;
for (i = 1; i < argc; i++)
{
if (strncmp(argv[i], "-c", 2) == 0)
{
retval = retval | FL_CAPTURE_INPUT; /* Capture packets on a network interface */
}
if (strncmp(argv[i], "-t", 2) == 0)
{
retval = retval | FL_UNIFIED2_INPUT; /* Tail Unified2 log files */
}
else if (strncmp(argv[i], "-w", 2) == 0)
{
retval = retval | FL_FILE_OUT; /* Create FineLine event file */
}
else if (strncmp(argv[i], "-g", 2) == 0)
{
retval = retval | FL_GUI_OUT; /* Send event records to Fineline server */
}
else if (strncmp(argv[i], "-b", 2) == 0)
{
retval = retval | FL_FILE_OUT | FL_GUI_OUT; /* Create FineLine event file and send events to server */
}
else if (strncmp(argv[i], "-o", 2) == 0)
{
/* Optional FineLine event file name to use for output of event records */
if ((i+1) < argc)
{
printf("parse_command_line_args() <INFO> FineLine event file: %s\n", argv[i+1]);
strncpy(event_filename, argv[i+1], strlen(argv[i+1]));
}
else
{
print_log_entry("parse_command_line_args() <ERROR> Missing event file name.\n");
return(-1);
}
}
else if (strncmp(argv[i], "-i", 2) == 0)
{
/* Network interface for packet capture */
if ((i+1) < argc)
{
printf("parse_command_line_args() <INFO> Network interface: %s\n", argv[i+1]);
strncpy(capture_device, argv[i+1], strlen(argv[i+1]));
}
else
{
print_log_entry("parse_command_line_args() <ERROR> Missing network interface.\n");
return(-1);
}
}
else if (strncmp(argv[i], "-a", 2) == 0)
{
if ((i+1) < argc)
{
/* IP address of the Fineline NST Server. */
printf("parse_command_line_args() <INFO> Server IP address: %s\n", argv[i+1]);
strncpy(server_ip_address, argv[i+1], strlen(argv[i+1]));
if (validate_ipv4_address(server_ip_address) < 0)
{
print_log_entry("parse_command_line_args() <ERROR> Invalid Ifl4 address.\n");
return(-1);
}
}
else
{
print_log_entry("parse_command_line_args() <ERROR> Missing Ifl4 address.\n");
return(-1);
}
}
else if (strncmp(argv[i], "-f", 2) == 0)
{
/* Filter file name */
if ((i+1) < argc)
{
printf("parse_command_line_args() <INFO> Filter file: %s\n", argv[i+1]);
strncpy(filter_file, argv[i+1], strlen(argv[i+1]));
retval = retval | FL_FILTER_ON;
}
else
{
print_log_entry("parse_command_line_args() <ERROR> Missing filter file name.\n");
return(-1);
}
}
}
}
print_log_entry("parse_command_line_args() <INFO> Finished processing command line arguments.\n");
return(retval);
}
/*
Function: init_socket
Purpose : initialises a WINSOCK socket.
Input : string containing the GUI IP address.
Return : A valid socket = success, INVALID_SOCKET = fail.
*/
int init_socket(char *gui_ip_address)
{
WSADATA wsaData;
struct addrinfo *resultaddrinfo = NULL, *ptr = NULL, hints;
char *sendbuf = NULL;
int result;
result = WSAStartup(MAKEWORD(2,2), &wsaData);
if (result != 0)
{
print_log_entry("init_socket() <ERROR> WSAStartup failed with error.\n");
return(-1);
}
ZeroMemory( &hints, sizeof(hints) );
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
/* Resolve the server address and port NOTE* getaddrinfo is in ws2_32.lib not in the old wsock32.lib */
result = getaddrinfo(gui_ip_address, GUI_SERVER_PORT_STRING, &hints, &resultaddrinfo);
if (result != 0)
{
print_log_entry("init_socket() <ERROR> getaddrinfo failed with error.\n");
WSACleanup();
return(-1);
}
/* Attempt to connect to an address until one succeeds */
for(ptr=resultaddrinfo; ptr != NULL ;ptr=ptr->ai_next)
{
/* Create a SOCKET for connecting to server */
connect_socket = socket(ptr->ai_family, ptr->ai_socktype, ptr->ai_protocol);
if (connect_socket == INVALID_SOCKET)
{
print_log_entry("init_socket() <ERROR> socket failed with error.\n");
WSACleanup();
return(INVALID_SOCKET);
}
/* Connect to server. */
result = connect( connect_socket, ptr->ai_addr, (int)ptr->ai_addrlen);
if (result == SOCKET_ERROR)
{
closesocket(connect_socket);
connect_socket = INVALID_SOCKET;
continue;
}
break;
}
freeaddrinfo(resultaddrinfo);
if (connect_socket == INVALID_SOCKET)
{
print_log_entry("init_socket() <ERROR> Unable to connect to server!\n");
WSACleanup();
return(-1);
}
return(0);
}
/*
Function: parse_command_line_args
Purpose : Validates command line arguments.
Input : argc, argv, log file and db file handles.
Return : mode of operation and database file handle if required.
*/
int parse_command_line_args(int argc, char *argv[], char *fl_event_filename, char *in_file, char *gui_ip_address, char *filter_file)
{
int retval = 0;
int input_file_specified = 0;
char timestr[100];
int tlen;
tlen = get_time_string(timestr, 99);
memset(fl_event_filename, 0, FL_PATH_MAX);
memset(in_file, 0, FL_PATH_MAX);
memset(filter_file, 0, FL_PATH_MAX);
strncpy(fl_event_filename, EVENT_FILE, strlen(EVENT_FILE)); /* the default event filename */
if (tlen > 0)
{
strncat(fl_event_filename, timestr, tlen);
}
else
{
print_log_entry("parse_command_line_args() <WARNING> Invalid time string.\n");
}
strncat(fl_event_filename, EVENT_FILE_EXT, 4);
if (argc < 2)
{
print_log_entry("parse_command_line_args(): invalid arguments < 2\n");
return(-1);
}
else
{
int i;
for (i = 1; i < argc; i++)
{
if (strncmp(argv[i], "-w", 2) == 0)
{
retval = retval | FL_FILE_OUT; /* Create FineLine event file */
}
else if (strncmp(argv[i], "-s", 2) == 0)
{
retval = retval | FL_GUI_OUT; /* Send event records to GUI */
}
else if (strncmp(argv[i], "-b", 2) == 0)
{
retval = retval | FL_FILE_OUT | FL_GUI_OUT; /* Create FineLine event file and send to GUI */
}
else if (strncmp(argv[i], "-o", 2) == 0)
{
/* FineLine event file name to use for output of event records */
if ((i+1) < argc)
{
printf("parse_command_line_args() <INFO> FineLine event file: %s\n", argv[i+1]);
strncpy(fl_event_filename, argv[i+1], strlen(argv[i+1]));
}
else
{
print_log_entry("parse_command_line_args() <ERROR> Missing event file name.\n");
return(-1);
}
}
else if (strncmp(argv[i], "-i", 2) == 0)
{
/* Windows event file name to use for input */
if ((i+1) < argc)
{
printf("parse_command_line_args() <INFO> Windows event file: %s\n", argv[i+1]);
strncpy(in_file, argv[i+1], strlen(argv[i+1]));
input_file_specified = 1;
if (strstr(in_file, ".evtx"))
{
retval = retval | FL_EVTX_IN;
}
else if (strstr(in_file, ".evt"))
{
retval = retval | FL_EVT_IN;
}
else
{
print_log_entry("parse_command_line_args() <ERROR> Unknown event file type.\n");
return(-1);
}
}
else
{
print_log_entry("parse_command_line_args() <ERROR> Missing Windows event file name.\n");
return(-1);
}
}
else if (strncmp(argv[i], "-a", 2) == 0)
{
if ((i+1) < argc)
{
printf("parse_command_line_args() <INFO> GUI IP address: %s\n", argv[i+1]);
strncpy(gui_ip_address, argv[i+1], strlen(argv[i+1]));
if (validate_ipv4_address(gui_ip_address) < 0)
{
print_log_entry("parse_command_line_args() <ERROR> Invalid IPv4 address.\n");
return(-1);
}
}
else
{
print_log_entry("parse_command_line_args() <ERROR> Missing IPv4 address.\n");
return(-1);
}
}
else if (strncmp(argv[i], "-f", 2) == 0)
{
/* Filter event file name */
if ((i+1) < argc)
{
printf("parse_command_line_args() <INFO> Filter file: %s\n", argv[i+1]);
strncpy(filter_file, argv[i+1], strlen(argv[i+1]));
retval = retval | FL_FILTER_ON;
}
else
{
print_log_entry("parse_command_line_args() <ERROR> Missing filter file name.\n");
return(-1);
}
}
}
}
/* Check for input file on command line, if none then do the live system log. */
if (input_file_specified == 0)
{
strncpy(in_file, EVENT_LOG_PATH, strlen(EVENT_LOG_PATH));
strncat(in_file, PATH_SEPARATOR, strlen(PATH_SEPARATOR));
strncat(in_file, SECURITY_LOG_FILE, strlen(SECURITY_LOG_FILE));
retval = retval | FL_EVTX_IN;
print_log_entry("parse_command_line_args() <INFO> Default input file = Security.evtx\n");
}
print_log_entry("parse_command_line_args() <INFO> Finished processing command line arguments.\n");
return(retval);
}
