// Update our internal suspect list to that of novad
void NovaNode::SynchInternalList()
{
vector<in_addr_t> *suspects;
suspects = GetSuspectList(SUSPECTLIST_ALL);
if (suspects == NULL)
{
cout << "Failed to get suspect list" << endl;
}
for (uint i = 0; i < suspects->size(); i++)
{
Suspect *suspect = GetSuspect(suspects->at(i));
if (suspect != NULL)
{
HandleNewSuspect(suspect);
if (m_suspects.count(suspect->GetIpAddress()) == 0)
{
delete m_suspects[suspect->GetIpAddress()];
}
m_suspects[suspect->GetIpAddress()] = suspect;
}
else
{
cout << "Error: No suspect received" << endl;
}
}
}
void *SilentAlarmLoop(void *ptr)
{
MaskKillSignals();
int sockfd;
u_char buf[MAX_MSG_SIZE];
struct sockaddr_in sendaddr;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
LOG(CRITICAL, "Unable to create the silent alarm socket.",
"Unable to create the silent alarm socket: "+string(strerror(errno)));
close(sockfd);
exit(EXIT_FAILURE);
}
sendaddr.sin_family = AF_INET;
sendaddr.sin_port = htons(Config::Inst()->GetSaPort());
sendaddr.sin_addr.s_addr = INADDR_ANY;
memset(sendaddr.sin_zero, '\0', sizeof sendaddr.sin_zero);
struct sockaddr *sockaddrPtr = (struct sockaddr*) &sendaddr;
socklen_t sendaddrSize = sizeof sendaddr;
if(::bind(sockfd, sockaddrPtr, sendaddrSize) == -1)
{
LOG(CRITICAL, "Unable to bind to the silent alarm socket.",
"Unable to bind to the silent alarm socket: "+string(strerror(errno)));
close(sockfd);
exit(EXIT_FAILURE);
}
stringstream ss;
ss << "sudo iptables -A INPUT -p udp --dport "
<< Config::Inst()->GetSaPort() << " -j REJECT"
" --reject-with icmp-port-unreachable";
if(system(ss.str().c_str()) == -1)
{
LOG(ERROR, "Failed to update iptables.", "");
}
ss.str("");
ss << "sudo iptables -A INPUT -p tcp --dport "
<< Config::Inst()->GetSaPort()
<< " -j REJECT --reject-with tcp-reset";
if(system(ss.str().c_str()) == -1)
{
LOG(ERROR, "Failed to update iptables.", "");
}
if(listen(sockfd, SOCKET_QUEUE_SIZE) == -1)
{
LOG(CRITICAL, "Unable to listen on the silent alarm socket.",
"Unable to listen on the silent alarm socket.: "+string(strerror(errno)));
close(sockfd);
exit(EXIT_FAILURE);
}
int connectionSocket, bytesRead;
Suspect suspectCopy;
//Accept incoming Silent Alarm TCP Connections
while(1)
{
bzero(buf, MAX_MSG_SIZE);
//Blocking call
if((connectionSocket = accept(sockfd, sockaddrPtr, &sendaddrSize)) == -1)
{
LOG(CRITICAL, "Problem while accepting incoming silent alarm connection.",
"Problem while accepting incoming silent alarm connection: "+string(strerror(errno)));
continue;
}
if((bytesRead = recv(connectionSocket, buf, MAX_MSG_SIZE, MSG_WAITALL))== -1)
{
LOG(CRITICAL, "Problem while receiving incoming silent alarm connection.",
"Problem while receiving incoming silent alarm connection: "+string(strerror(errno)));
close(connectionSocket);
continue;
}
for(uint i = 0; i < hostAddrs.size(); i++)
{
//If this is from ourselves, then drop it.
if(hostAddrs[i].sin_addr.s_addr == sendaddr.sin_addr.s_addr)
{
close(connectionSocket);
continue;
}
}
CryptBuffer(buf, bytesRead, DECRYPT);
in_addr_t addr = 0;
memcpy(&addr, buf, 4);
uint64_t key = addr;
Suspect *newSuspect = new Suspect();
if(newSuspect->Deserialize(buf, MAX_MSG_SIZE, MAIN_FEATURE_DATA) == 0)
{
close(connectionSocket);
continue;
}
//If this suspect exists, update the information
if(suspects.IsValidKey(key))
{
suspectCopy = suspects.CheckOut(key);
suspectCopy.SetFlaggedByAlarm(true);
FeatureSet fs = newSuspect->GetFeatureSet(MAIN_FEATURES);
suspectCopy.AddFeatureSet(&fs, MAIN_FEATURES);
suspects.CheckIn(&suspectCopy);
// TODO: This looks like it may be a memory leak of newSuspect
}
//If this is a new suspect put it in the table
else
{
newSuspect->SetIsHostile(false);
newSuspect->SetFlaggedByAlarm(true);
//We set isHostile to false so that when we classify the first time
// the suspect will go from benign to hostile and be sent to the doppelganger module
suspects.AddNewSuspect(newSuspect);
}
LOG(CRITICAL, string("Got a silent alarm!. Suspect: "+ newSuspect->ToString()), "");
if(!Config::Inst()->GetClassificationTimeout())
{
UpdateAndClassify(newSuspect->GetIpAddress());
}
close(connectionSocket);
}
close(sockfd);
LOG(CRITICAL, "The code should never get here, something went very wrong.", "");
return NULL;
}