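/**
 * Replays a recorded capture folder through the classifier and writes one
 * training line per suspect ("<ip> f0 f1 ... f(DIM-1)") to
 * <captureFolder>/nova.dump.
 *
 * Files read from captureFolder: capture.pcap (the packets) and
 * haystackIps.txt (haystack addresses fed to UpdateHaystackFeatures before
 * the pcap filter is built).
 *
 * Side effects: replaces the global `engine`, clears and then repopulates the
 * suspect database, and chdir()s to the configured home path.
 *
 * Changes from the original: the function now returns after logging a dump
 * file that could not be opened (writes to an unopened ofstream are silently
 * discarded, so continuing only replayed the pcap for nothing); a discarded
 * `GetFeatureSet()` call was removed; the local suspect list no longer
 * shadows the global `suspects` object used on the line before it.
 */
void ConvertCaptureToDump(std::string captureFolder)
{
    engine = new ClassificationAggregator();
    Database::Inst()->ClearAllSuspects();

    if(chdir(Config::Inst()->GetPathHome().c_str()) == -1)
    {
        LOG(CRITICAL, "Unable to change folder to " + Config::Inst()->GetPathHome(), "");
    }

    const string dumpFile = captureFolder + "/nova.dump";
    const string pcapFile = captureFolder + "/capture.pcap";
    const string haystackFile = captureFolder + "/haystackIps.txt";

    // The haystack set must be loaded before ConstructFilterString() below.
    UpdateHaystackFeatures(haystackFile);

    trainingFileStream.open(dumpFile);
    if(!trainingFileStream.is_open())
    {
        LOG(CRITICAL, "Unable to open the training capture file.", "Unable to open training capture file at: "+dumpFile);
        // Nothing useful can be produced without the dump file; every later
        // `trainingFileStream <<` would be a silent no-op.
        return;
    }

    // Replay the pcap synchronously; HandleTrainingPacket accumulates evidence
    // into the global suspect table.
    FilePacketCapture capture(pcapFile);
    capture.SetPacketCb(HandleTrainingPacket);
    capture.Init();
    capture.SetFilter(ConstructFilterString());
    capture.StartCaptureBlocking();
    LOG(DEBUG, "Done processing PCAP file.", "");

    suspects.WriteToDatabase();

    // Named distinctly so it does not shadow the global `suspects` above.
    const vector<Suspect> dbSuspects = Database::Inst()->GetSuspects(SUSPECTLIST_ALL);
    for(Suspect suspectCopy : dbSuspects)
    {
        trainingFileStream << suspectCopy.GetIpString() << " ";

        EvidenceAccumulator fs = suspectCopy.GetFeatureSet(MAIN_FEATURES);
        // Self-inequality is the NaN test (avoids needing <cmath> here).
        if(fs.m_features[0] != fs.m_features[0])
        {
            cout << "This can't be good..." << endl;
        }
        for(int j = 0; j < DIM; j++)
        {
            trainingFileStream << fs.m_features[j] << " ";
        }
        trainingFileStream << "\n";
    }
    trainingFileStream.close();
}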
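/**
 * Thread body: watches honeyd's DHCP lease list via inotify and, whenever it
 * changes, reloads the haystack address set and pushes a rebuilt BPF filter
 * to every active packet capture.
 *
 * @param ptr  unused pthread argument.
 * @return     never returns normally; the NULL is only for the pthread signature.
 *
 * Global state touched: honeydDHCPWatch / honeydDHCPNotifyFd (inotify),
 * haystackDhcpAddresses, and packetCaptures (only under packetCapturesLock).
 *
 * Changes from the original: the inotify buffer is sized by a constant
 * expression instead of a VLA (not standard C++), and a failed re-arm of the
 * watch is logged instead of silently leaving honeydDHCPWatch at -1.
 */
void *UpdateIPFilter(void *ptr)
{
    (void)ptr;
    MaskKillSignals();

    const uint32_t watchMask = IN_CLOSE_WRITE | IN_MOVED_TO | IN_MODIFY | IN_DELETE;

    while(true)
    {
        if(honeydDHCPWatch <= 0)
        {
            // No watch yet: the list does not exist until honeyd has started.
            // Poll until inotify_add_watch succeeds (it returns -1 while the
            // file is missing).
            sleep(2);
            honeydDHCPWatch = inotify_add_watch(honeydDHCPNotifyFd, dhcpListFile.c_str(), watchMask);
            continue;
        }

        // Constant-expression bound (no VLA). The watch is on a single file,
        // so events carry no name and the +16 slack is ample.
        const size_t BUF_LEN = 1024 * sizeof(struct inotify_event) + 16;
        char buf[BUF_LEN];

        // Blocks until the kernel reports an event on the watched file.
        const ssize_t readLen = read(honeydDHCPNotifyFd, buf, BUF_LEN);
        if(readLen <= 0)
        {
            continue;
        }

        // Re-arm the watch; a -1 here sends the next iteration back to the
        // polling branch above.
        honeydDHCPWatch = inotify_add_watch(honeydDHCPNotifyFd, dhcpListFile.c_str(), watchMask);
        if(honeydDHCPWatch == -1)
        {
            LOG(ERROR, "Unable to watch the honeyd DHCP list file.", "inotify_add_watch failed for " + dhcpListFile + ": " + string(strerror(errno)));
        }

        // The list file is produced by honeyd; its contents end up in a BPF
        // filter expression. A malformed entry surfaces as a
        // PacketCaptureException from SetFilter below, not as a crash.
        haystackDhcpAddresses = Config::GetHoneydIpAddresses(dhcpListFile);
        UpdateHaystackFeatures();

        {
            // Hold the list lock only while iterating the captures; it is
            // released before blocking on the next inotify read.
            Lock lock(&packetCapturesLock);
            for(uint i = 0; i < packetCaptures.size(); i++)
            {
                try
                {
                    string captureFilterString = ConstructFilterString(packetCaptures.at(i)->GetIdentifier());
                    packetCaptures.at(i)->SetFilter(captureFilterString);
                }
                catch (Nova::PacketCaptureException &e)
                {
                    // One failing capture must not prevent the others from
                    // receiving the new filter.
                    LOG(ERROR, string("Unable to update capture filter: ") + e.what(), "");
                }
            }
        }
    }
    return NULL;
}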
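/**
 * Variant of UpdateIPFilter that drives libpcap directly: on each change of
 * honeyd's DHCP lease list, reload the haystack addresses, rebuild the BPF
 * filter expression and compile/install it on every pcap handle.
 *
 * @param ptr  unused pthread argument.
 * @return     never returns normally; the NULL is only for the pthread signature.
 *
 * Changes from the original:
 *  - the error messages quoted an uninitialised `filter_exp` buffer (a read of
 *    indeterminate, possibly unterminated memory) instead of the expression
 *    that was actually compiled;
 *  - pcap_setfilter() and pcap_freecode() were run on a bpf_program that a
 *    failed pcap_compile() had not filled in; the handle is now skipped;
 *  - pcap_lookupnet()'s failure text comes from errbuf (libpcap does not set
 *    errno) rather than strerror(errno);
 *  - the filter string is passed via c_str() (data() is not guaranteed to be
 *    NUL-terminated before C++11) and the compiled program lives on the
 *    stack instead of a heap allocation;
 *  - the inotify buffer is sized by a constant expression, not a VLA.
 */
void *UpdateIPFilter(void *ptr)
{
    (void)ptr;
    MaskKillSignals();

    const uint32_t watchMask = IN_CLOSE_WRITE | IN_MOVED_TO | IN_MODIFY | IN_DELETE;

    while(true)
    {
        if(honeydDHCPWatch <= 0)
        {
            // The list file does not exist until honeyd starts; poll for it.
            sleep(2);
            honeydDHCPWatch = inotify_add_watch(honeydDHCPNotifyFd, dhcpListFile.c_str(), watchMask);
            continue;
        }

        // Constant-expression bound (no VLA); a file watch carries no name.
        const size_t BUF_LEN = 1024 * sizeof(struct inotify_event) + 16;
        char buf[BUF_LEN];

        // Blocks until the kernel reports an event on the watched file.
        const ssize_t readLen = read(honeydDHCPNotifyFd, buf, BUF_LEN);
        if(readLen <= 0)
        {
            continue;
        }

        // Re-arm the watch; -1 routes the next iteration back to polling.
        honeydDHCPWatch = inotify_add_watch(honeydDHCPNotifyFd, dhcpListFile.c_str(), watchMask);

        // The list file is written by honeyd and its contents become a BPF
        // expression; pcap_compile() below is what validates it.
        haystackDhcpAddresses = Config::GetIpAddresses(dhcpListFile);
        const string filterExpression = ConstructFilterString();
        UpdateHaystackFeatures();

        for(uint i = 0; i < handles.size(); i++)
        {
            char errbuf[PCAP_ERRBUF_SIZE] = {0};
            bpf_u_int32 netp = 0;
            bpf_u_int32 maskp = 0;

            // Only the netmask is needed, for pcap_compile().
            if(pcap_lookupnet(Config::Inst()->GetInterface(i).c_str(), &netp, &maskp, errbuf) == -1)
            {
                LOG(ERROR, "Unable to start packet capture.", "Unable to get the network address and mask: " + string(errbuf));
                // Preserved from the original: this terminates the whole
                // process from a worker thread.
                exit(EXIT_FAILURE);
            }

            struct bpf_program fp;
            if(pcap_compile(handles[i], &fp, filterExpression.c_str(), 0, maskp) == -1)
            {
                LOG(ERROR, "Unable to enable packet capture.", "Couldn't parse pcap filter: " + filterExpression + " " + pcap_geterr(handles[i]));
                // fp was not populated: nothing to install and nothing to free.
                continue;
            }
            if(pcap_setfilter(handles[i], &fp) == -1)
            {
                LOG(ERROR, "Unable to enable packet capture.", "Couldn't install pcap filter: " + filterExpression + " " + pcap_geterr(handles[i]));
            }
            // The handle keeps its own copy once set; release ours either way.
            pcap_freecode(&fp);
        }
    }
    return NULL;
}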