void fifo_service (output_plugin *p, asset *main, serv_asset *service, connection *cxt) { FILE *fd; static char sip[INET6_ADDRSTRLEN]; static char dip[INET6_ADDRSTRLEN]; char *role = B64_PRADS_CLIENT; if(!cxt) cxt = &NULL_CXT; /* Print to FIFO */ if (p->data == NULL) { elog("[!] ERROR: File handle not open!\n"); return; } fd = (FILE *)p->data; /* prads_agent.tcl process each line until it receivs a dot by itself */ u_ntop(main->ip_addr, main->af, sip); u_ntop(cxt->d_ip, cxt->af, dip); if ( service->role == SC_SERVER ) { /* SERVER ASSET */ role = B64_PRADS_SERVER; } fprintf(fd, "01\n%s\n%u\n%s\n%u\n%d\n%d\n%d\n%s\n%s\n%lu\n%s\n.\n", sip, htonl(IP4ADDR(&cxt->s_ip)), dip, htonl(IP4ADDR(&cxt->d_ip)), ntohs(cxt->s_port), ntohs(cxt->d_port), service->proto, bdata(service->service), bdata(service->application), main->first_seen, role); fflush(fd); }
/* ---------------------------------------------------------- * FUNCTION : file_service * DESC : Prints a service asset to the log file. * INPUT : 0 - Main asset * : 1 - Serice asset * ---------------------------------------------------------- */ void file_service (output_plugin* log,asset *main, serv_asset *service, connection *cxt) { if ((FILE*)log->data != NULL) { uint8_t tmp_ttl; static char ip_addr_s[INET6_ADDRSTRLEN]; u_ntop(main->ip_addr, main->af, ip_addr_s); /* ip,vlan,port,proto,SERVICE,application,timstamp*/ fprintf((FILE*)log->data, "%s,%u,%d,%d,", ip_addr_s, main->vlan ? ntohs(main->vlan) : 0, ntohs(service->port),service->proto); if (service->role == SC_SERVER) { fprintf((FILE*)log->data, "SERVER,[%s:%s]", (char*)bdata(service->service), (char *)bdata(service->application)); } else { fprintf((FILE*)log->data, "CLIENT,[%s:%s]", (char*)bdata(service->service), (char*)bdata(service->application)); } tmp_ttl = normalize_ttl(service->ttl); fprintf((FILE*)log->data, ",%d,%lu\n",tmp_ttl - service->ttl,service->last_seen); fflush((FILE*)log->data); } else { if(log->flags & CONFIG_VERBOSE ) elog("[!] ERROR: File handle not open!\n"); } }
void u_cidr_to_str(u_cidr *cidr, char *s) { struct in_addr in; in.s_addr = htonl(cidr->addr); u_ntop(&in, s); s += strlen(s); sprintf(s, "/%d", cidr->netsize); }
void log_asset_os (asset *main, os_asset *os, connection *cxt) { #ifdef DEBUG static char ip_addr_s[INET6_ADDRSTRLEN]; u_ntop(main->ip_addr, main->af, ip_addr_s); #ifdef DEBUG_LOG dlog("[%lu] Incoming asset, %s: %s:%u [%s]\n", os->last_seen, (char*)bdata(os->detection),ip_addr_s,ntohs(os->port),(char*)bdata(os->raw_fp)); #endif #endif log_foo(os, log_output, n_outputs, main, os, cxt); }
void log_asset_service (asset *main, serv_asset *service, connection *cxt) { #ifdef DEBUG static char ip_addr_s[INET6_ADDRSTRLEN]; u_ntop(main->ip_addr, main->af, ip_addr_s); if (service->role == SC_SERVER ) { fprintf(stderr, "[*] new service: %s:%d %s\n",ip_addr_s,ntohs(service->port),(char *)bdata(service->application)); } else { fprintf(stderr, "[*] new client: %s:%d %s\n",ip_addr_s,ntohs(service->port),(char *)bdata(service->application)); } #endif log_foo(service, log_output, n_outputs, main, service, cxt); }
int connection_tracking(packetinfo *pi) { static char ip_addr_s[INET6_ADDRSTRLEN]; static char ip_addr_d[INET6_ADDRSTRLEN]; struct in_addr *ipa; cx_track(pi); if(pi->af == AF_INET6) { u_ntop(pi->ip6->ip_src, pi->af, ip_addr_s); u_ntop(pi->ip6->ip_dst, pi->af, ip_addr_d); } else { ipa = pi->ip4->ip_src; inet_ntop(pi->af, &ipa, ip_addr_s, INET6_ADDRSTRLEN); ipa = pi->ip4->ip_dst; inet_ntop(pi->af, &ipa, ip_addr_d, INET6_ADDRSTRLEN); } if(config.cflags & CONFIG_CONNECT) printf("conn[%4lu] %s:%u -> %s:%u [%s]\n", pi->cxt->cxid, ip_addr_s, ntohs(pi->s_port), ip_addr_d, ntohs(pi->d_port), pi->sc?pi->sc==SC_SERVER? "server":"client":"NONE"); return 0; }
/* ---------------------------------------------------------- * FUNCTION : print_stat_sguil * DESC : This function prints stats info to the FIFO file * INPUT : 0 - IP Address * : 1 - Port * : 2 - Protocol * Example : ID \n IP \n NumIP \n PORT \n PROTO \n timestamp \n . \n * 03\n10.10.10.83\n168430163\n22\n6\n1100847309\n.\n * ---------------------------------------------------------- */ void fifo_stat (output_plugin *p, asset *rec, os_asset *os, /*UNUSED*/ connection *cxt) { (void)(cxt); /* UNUSED */ static char ip_addr_s[INET6_ADDRSTRLEN]; if (p->data == NULL) { elog("[!] ERROR: File handle not open!\n"); return; } /* pads_agent.tcl process each line until it receivs a dot by itself */ u_ntop(rec->ip_addr, rec->af, ip_addr_s); fprintf((FILE*)p->data, "03\n%s\n%u\n%d\n%d\n%ld\n.\n", ip_addr_s, htonl(IP4ADDR(&rec->ip_addr)), ntohs(os->port), 6 /*just for now*/, rec->last_seen); fflush((FILE*) p->data); }
/* ---------------------------------------------------------- * FUNCTION : add_asset * DESCRIPTION : This function will add an asset to the * : specified asset data structure. * INPUT : 0 - packetinfo (af, ip_src, vlan) * RETURN : None! * ---------------------------------------------------------- */ void add_asset(packetinfo *pi) { uint64_t hash; asset *masset = NULL; config.pr_s.assets++; masset = (asset *) calloc(1, sizeof(asset)); masset->af = pi->af; masset->vlan = pi->vlan; masset->i_attempts = 0; masset->first_seen = masset->last_seen = pi->pheader->ts.tv_sec; if (pi->af == AF_INET) { if(pi->arph) // mongo arp check //memcpy(&masset->ip_addr.__u6_addr.__u6_addr32[0], pi->arph->arp_spa, sizeof(uint32_t)); IP4ADDR(&masset->ip_addr) = *(uint32_t*) pi->arph->arp_spa; else IP4ADDR(&masset->ip_addr) = PI_IP4SRC(pi); hash = ASSET_HASH4(IP4ADDR(&masset->ip_addr)); } else if (pi->af == AF_INET6) { masset->ip_addr = PI_IP6SRC(pi); hash = ASSET_HASH6(PI_IP6SRC(pi)); } masset->next = passet[hash]; if (passet[hash] != NULL) passet[hash]->prev = masset; masset->prev = NULL; masset->os = NULL; masset->services = NULL; masset->macentry = NULL; passet[hash] = masset; #ifdef DEBUGG /* verbose info for sanity checking */ static char ip_addr_s[INET6_ADDRSTRLEN]; // pi->ip_src does not exist! u_ntop(pi->ip_src, pi->af, ip_addr_s); dlog("[*] asset added: %s\n",ip_addr_s); #endif //return masset; }
/* ---------------------------------------------------------- * FUNCTION : file_arp * DESC : This function prints an ARP asset to the log file * INPUT : 0 - Main asset * RETURN : VOID * ---------------------------------------------------------- */ void file_arp (output_plugin *log, asset *main) { /* ip,vlan,port,proto,ARP (mac-resolved),mac-address,timstamp*/ static char ip_addr_s[INET6_ADDRSTRLEN]; if ((FILE*)log->data == NULL) { if(log->flags & CONFIG_VERBOSE ) elog("[!] ERROR: File handle not open!\n"); return; } u_ntop(main->ip_addr, main->af, ip_addr_s); if (main->macentry != NULL) { /* ip,0,0,ARP (mac-resolved),mac-address,timstamp */ /* XXX: vendor info breaks csv niceness */ fprintf((FILE*)log->data, "%s,%u,0,0,ARP (%s),%s,0,%lu\n", ip_addr_s, main->vlan ? ntohs(main->vlan) : 0,main->macentry->vendor, hex2mac(main->mac_addr), main->last_seen); } else { /* ip,0,0,ARP,mac-address,timstamp */ fprintf((FILE*)log->data, "%s,%u,0,0,ARP,[%s],0,%lu\n", ip_addr_s, main->vlan ? ntohs(main->vlan) : 0,hex2mac(main->mac_addr), main->last_seen); } fflush((FILE*)log->data); }
/* ---------------------------------------------------------- * FUNCTION : fifo_arp * DESC : This function prints an ARP asset to the FIFO file. * INPUT : 0 - IP Address * : 1 - MAC Address * ---------------------------------------------------------- */ void fifo_arp (output_plugin *p, asset *main) { static char ip_addr_s[INET6_ADDRSTRLEN]; FILE *fd; /* Print to FIFO */ if (p->data == NULL) { elog("[!] ERROR: File handle not open!\n"); return; } fd = (FILE *)p->data; u_ntop(main->ip_addr, main->af, ip_addr_s); if (main->macentry != NULL) { /* prads_agent.tcl process each line until it receivs a dot by itself */ fprintf(fd, "02\n%s\n%u\n%s\n%s\n%lu\n.\n", ip_addr_s, htonl(IP4ADDR(&main->ip_addr)), main->macentry->vendor, hex2mac(main->mac_addr), main->last_seen); } else { /* prads_agent.tcl process each line until it receivs a dot by itself */ fprintf(fd, "02\n%s\n%u\nunknown\n%s\n%lu\n.\n", ip_addr_s, htonl(IP4ADDR(&main->ip_addr)), hex2mac(main->mac_addr), main->last_seen); } fflush(fd); }
/* ---------------------------------------------------------- * FUNCTION : file_os * DESC : Prints a os asset to the log file. * INPUT : 0 - Main asset * : 1 - OS asset * RETURN : VOID * ---------------------------------------------------------- */ void file_os (output_plugin *log, asset *main, os_asset *os, connection *cxt) { static char ip_addr_s[INET6_ADDRSTRLEN]; uint8_t tmp_ttl; if (!log) { return; // nah.. } if(log->data == NULL){ if(log->flags & CONFIG_VERBOSE) elog("[!] ERROR: File handle not open: %s!\n", log->path); return; } u_ntop(main->ip_addr, main->af, ip_addr_s); /* ip,vlan,port,proto,OS-FP,FP,timstamp*/ fprintf((FILE*)log->data, "%s,%u,%d,", ip_addr_s, main->vlan ? ntohs(main->vlan) : 0, os->port); //ntohs(main->port),service->proto); switch (os->detection) { case CO_SYN: fprintf((FILE*)log->data, "6,SYN"); break; case CO_SYNACK: fprintf((FILE*)log->data, "6,SYNACK"); break; case CO_ACK: fprintf((FILE*)log->data, "6,ACK"); break; case CO_RST: fprintf((FILE*)log->data, "6,RST"); break; case CO_FIN: fprintf((FILE*)log->data, "6,FIN"); break; case CO_UDP: fprintf((FILE*)log->data, "17,UDP"); break; case CO_ICMP: // 58 is ICMPv6 fprintf((FILE*)log->data, "1,ICMP"); break; default: fprintf(stderr, "[!] error in detection type %d (isn't implemented!)\n", os->detection); } if (os->raw_fp != NULL) { fprintf((FILE*)log->data, ",[%s:", (char *)bdata(os->raw_fp)); } else { //bstring b = gen_fp_tcp(&os->fp, os->fp.zero_stamp, 0); bstring b = gen_fp_tcp(&os->fp, os->uptime, 0); os->raw_fp = b; fprintf((FILE*)log->data, ",[%s:", (char *)bdata(os->raw_fp)); } if (os->fp.os != NULL) fprintf((FILE*)log->data,"%s", os->fp.os); else fprintf((FILE*)log->data, "unknown"); if (os->fp.desc != NULL) fprintf((FILE*)log->data, ":%s", os->fp.desc); else fprintf((FILE*)log->data, ":unknown"); if (os->fp.mss) fprintf((FILE*)log->data, ":link:%s",lookup_link(os->fp.mss,1)); if (os->uptime) fprintf((FILE*)log->data, ":uptime:%dhrs",os->uptime/360000); tmp_ttl = normalize_ttl(os->ttl); fprintf((FILE*)log->data, "],%d,%lu\n",tmp_ttl - os->ttl, os->last_seen); fflush((FILE*)log->data); }
void print_passet(pdns_record *l, pdns_asset *p, ldns_rr *rr, ldns_rdf *lname, uint16_t rcode) { FILE *fd = NULL; static char ip_addr_s[INET6_ADDRSTRLEN]; static char ip_addr_c[INET6_ADDRSTRLEN]; char *d = config.log_delimiter; char *rr_class; char *rr_type; char *rr_rcode; char buffer[1000] = ""; char *output = buffer; int offset = 0; uint8_t is_err_record = 0; #ifdef HAVE_JSON json_t *jdata; size_t data_flags = 0; /* Print in the same order as inserted */ data_flags |= JSON_PRESERVE_ORDER; /* No whitespace between fields */ data_flags |= JSON_COMPACT; #endif /* HAVE_JSON */ /* If pdns_asset is not defined, then this is a NXD record */ if (p == NULL) { is_err_record = 1; } /* Use the correct file descriptor */ if (is_err_record && config.output_log_nxd) { if (config.logfile_all) { fd = config.logfile_fd; } else { fd = config.logfile_nxd_fd; } if (fd == NULL) return; } else if (!is_err_record && config.output_log) { fd = config.logfile_fd; if (fd == NULL) return; } if (is_err_record) { u_ntop(l->sip, l->af, ip_addr_s); u_ntop(l->cip, l->af, ip_addr_c); } else { u_ntop(p->sip, p->af, ip_addr_s); u_ntop(p->cip, p->af, ip_addr_c); } rr_class = malloc(10); rr_type = malloc(10); rr_rcode = malloc(20); switch (ldns_rr_get_class(rr)) { case LDNS_RR_CLASS_IN: snprintf(rr_class, 10, "IN"); break; case LDNS_RR_CLASS_CH: snprintf(rr_class, 10, "CH"); break; case LDNS_RR_CLASS_HS: snprintf(rr_class, 10, "HS"); break; case LDNS_RR_CLASS_NONE: snprintf(rr_class, 10, "NONE"); break; case LDNS_RR_CLASS_ANY: snprintf(rr_class, 10, "ANY"); break; default: snprintf(rr_class, 10, "%d", ldns_rr_get_class(rr)); break; } switch (ldns_rr_get_type(rr)) { case LDNS_RR_TYPE_PTR: snprintf(rr_type, 10, "PTR"); break; case LDNS_RR_TYPE_A: snprintf(rr_type, 10, "A"); break; case LDNS_RR_TYPE_AAAA: snprintf(rr_type, 10, "AAAA"); break; case LDNS_RR_TYPE_CNAME: snprintf(rr_type, 10, "CNAME"); break; case LDNS_RR_TYPE_DNAME: snprintf(rr_type, 10, "DNAME"); break; case LDNS_RR_TYPE_NAPTR: snprintf(rr_type, 10, "NAPTR"); break; case LDNS_RR_TYPE_RP: snprintf(rr_type, 10, "RP"); break; case LDNS_RR_TYPE_SRV: snprintf(rr_type, 10, "SRV"); break; case LDNS_RR_TYPE_TXT: snprintf(rr_type, 10, "TXT"); break; case LDNS_RR_TYPE_SOA: snprintf(rr_type, 10, "SOA"); break; case LDNS_RR_TYPE_NS: snprintf(rr_type, 10, "NS"); break; case LDNS_RR_TYPE_MX: snprintf(rr_type, 10, "MX"); break; default: if (is_err_record) { snprintf(rr_type, 10, "%d", ldns_rdf_get_type(lname)); } else { snprintf(rr_type, 10, "%d", p->rr->_rr_type); } break; } if (is_err_record) { switch (rcode) { case 1: snprintf(rr_rcode, 20, "FORMERR"); break; case 2: snprintf(rr_rcode, 20, "SERVFAIL"); break; case 3: snprintf(rr_rcode, 20, "NXDOMAIN"); break; case 4: snprintf(rr_rcode, 20, "NOTIMPL"); break; case 5: snprintf(rr_rcode, 20, "REFUSED"); break; case 6: snprintf(rr_rcode, 20, "YXDOMAIN"); break; case 7: snprintf(rr_rcode, 20, "YXRRSET"); break; case 8: snprintf(rr_rcode, 20, "NXRRSET"); break; case 9: snprintf(rr_rcode, 20, "NOTAUTH"); break; case 10: snprintf(rr_rcode, 20, "NOTZONE"); break; default: snprintf(rr_rcode, 20, "UNKNOWN-ERROR-%d", rcode); break; } } #ifdef HAVE_JSON if ((is_err_record && config.use_json_nxd) || (!is_err_record && config.use_json)) { jdata = json_object(); if (config.fieldsf & FIELD_TIMESTAMP_S) json_object_set_new(jdata, JSON_TIMESTAMP_S, json_integer(l->last_seen.tv_sec)); if (config.fieldsf & FIELD_TIMESTAMP_MS) json_object_set_new(jdata, JSON_TIMESTAMP_MS, json_integer(l->last_seen.tv_usec)); if (config.fieldsf & FIELD_CLIENT) json_object_set_new(jdata, JSON_CLIENT, json_string(ip_addr_c)); if (config.fieldsf & FIELD_SERVER) json_object_set_new(jdata, JSON_SERVER, json_string(ip_addr_s)); if (config.fieldsf & FIELD_CLASS) json_object_set_new(jdata, JSON_CLASS, json_string(rr_class)); if (config.fieldsf & FIELD_QUERY) json_object_set_new(jdata, JSON_QUERY, json_string((const char *)l->qname)); if (config.fieldsf & FIELD_TYPE) json_object_set_new(jdata, JSON_TYPE, json_string(rr_type)); if (is_err_record) { if (config.fieldsf & FIELD_ANSWER) json_object_set_new(jdata, JSON_ANSWER, json_string(rr_rcode)); if (config.fieldsf & FIELD_TTL) json_object_set_new(jdata, JSON_TTL, json_integer(PASSET_ERR_TTL)); if (config.fieldsf & FIELD_COUNT) json_object_set_new(jdata, JSON_COUNT, json_integer(PASSET_ERR_COUNT)); } else { if (config.fieldsf & FIELD_ANSWER) json_object_set_new(jdata, JSON_ANSWER, json_string((const char *)p->answer)); if (config.fieldsf & FIELD_TTL) json_object_set_new(jdata, JSON_TTL, json_integer(p->rr->_ttl)); if (config.fieldsf & FIELD_COUNT) json_object_set_new(jdata, JSON_COUNT, json_integer(p->seen)); } output = json_dumps(jdata, data_flags); if (output == NULL) return; } else { #endif /* HAVE_JSON */ /* Print timestamp */ if ((config.fieldsf & FIELD_TIMESTAMP_S) && (config.fieldsf & FIELD_TIMESTAMP_MS)) { if (is_err_record) { offset += snprintf(output, sizeof(buffer) - offset, "%lu.%06lu", l->last_seen.tv_sec, l->last_seen.tv_usec); } else { offset += snprintf(output, sizeof(buffer) - offset, "%lu.%06lu", p->last_seen.tv_sec, p->last_seen.tv_usec); } } else if (config.fieldsf & FIELD_TIMESTAMP_S) { if (is_err_record) { offset += snprintf(output, sizeof(buffer) - offset, "%lu", l->last_seen.tv_sec); } else { offset += snprintf(output, sizeof(buffer) - offset, "%lu", p->last_seen.tv_sec); } } else if (config.fieldsf & FIELD_TIMESTAMP_MS) { if (is_err_record) { offset += snprintf(output, sizeof(buffer) - offset, "%06lu", l->last_seen.tv_usec); } else { offset += snprintf(output, sizeof(buffer) - offset, "%06lu", p->last_seen.tv_usec); } } /* Print client IP */ if (config.fieldsf & FIELD_CLIENT) { if (offset != 0) offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d); offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", ip_addr_c); } /* Print server IP */ if (config.fieldsf & FIELD_SERVER) { if (offset != 0) offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d); offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", ip_addr_s); } /* Print class */ if (config.fieldsf & FIELD_CLASS) { if (offset != 0) offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d); offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", rr_class); } /* Print query */ if (config.fieldsf & FIELD_QUERY) { if (offset != 0) offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d); offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", l->qname); } /* Print type */ if (config.fieldsf & FIELD_TYPE) { if (offset != 0) offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d); offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", rr_type); } /* Print answer */ if (config.fieldsf & FIELD_ANSWER) { if (offset != 0) offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d); if (is_err_record) offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", rr_rcode); else offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", p->answer); } /* Print TTL */ if (config.fieldsf & FIELD_TTL) { if (offset != 0) offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d); if (is_err_record) offset += snprintf(output+offset, sizeof(buffer) - offset, "%d", PASSET_ERR_TTL); else offset += snprintf(output+offset, sizeof(buffer) - offset, "%u", p->rr->_ttl); } /* Print count */ if (config.fieldsf & FIELD_COUNT) { if (offset != 0) offset += snprintf(output+offset, sizeof(buffer) - offset, "%s", d); if (is_err_record) offset += snprintf(output+offset, sizeof(buffer) - offset, "%d", PASSET_ERR_COUNT); else offset += snprintf(output+offset, sizeof(buffer) - offset, "%lu", p->seen); } #ifdef HAVE_JSON } #endif /* HAVE_JSON */ /* Print to log file */ if (fd) { fprintf(fd, "%s\n", output); fflush(fd); } /* Print to syslog */ if ((is_err_record && config.output_syslog_nxd) || (!is_err_record && config.output_syslog)) { openlog(PDNS_IDENT, LOG_NDELAY, LOG_LOCAL7); syslog(LOG_INFO, "%s", output); closelog(); } if (is_err_record) { l->last_print = l->last_seen; l->seen = 0; } else { p->last_print = p->last_seen; p->seen = 0; } free(rr_class); free(rr_type); free(rr_rcode); }