Merge pull request #56 from wuruilong01/master
1 /*
2 ** This file is a part of PRADS.
3 **
4 ** Copyright (C) 2009, Redpill Linpro
5 ** Copyright (C) 2009, Edward Fjellskål <edward.fjellskaal@redpill-linpro.com>
6 ** Copyright (C) 2011, Kacper Wysocki <kwy@redpill-linpro.com>
7 **
8 ** This program is free software; you can redistribute it and/or modify
9 ** it under the terms of the GNU General Public License as published by
10 ** the Free Software Foundation; either version 2 of the License, or
11 ** (at your option) any later version.
13 ** This program is distributed in the hope that it will be useful,
14 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
15 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 ** GNU General Public License for more details.
18 ** You should have received a copy of the GNU General Public License
19 ** along with this program; if not, write to the Free Software
20 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23 ** Props go out to Matt Sheldon <matt@mattsheldon.com>
24 ** author of pads and the basis of this code.
26 ** NOTE: fifo output does not reach its full potential as sguil
27 ** only supports so much data..
31 /* I N C L U D E S *********************************************************/
32 #include "../prads.h"
33 #include "../config.h"
34 #include "../sys_func.h"
36 #include <stdio.h>
37 #include <sys/stat.h>
39 #include "log.h"
40 #include "log_fifo.h"
/* Plugin descriptor returned to the core by init_log_fifo(). Each hook slot
 * points at the fifo_* writer for that asset type; the .denit slot (spelling
 * is the struct's own) closes the FIFO again. */
output_plugin p_fifo = {
    .init    = init_output_fifo,
    .arp     = fifo_arp,
    .os      = fifo_stat,
    .service = fifo_service,
    .denit   = fifo_end,
};
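/* Returns the FIFO output plugin descriptor (p_fifo, defined above).
 * Declared with an explicit (void) parameter list so the definition is a
 * real prototype instead of an old-style unspecified-arguments declaration. */
output_plugin *init_log_fifo(void)
{
    return &p_fifo;
}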
56 * NOTES:
58 * This module will write asset data to a FIFO special file. This will
59 * separate the detection engine from the IO module and increase the
60 * overall speed of the system.
62 * Output written to the FIFO will be in comma separated format and will
63 * begin with an action_id field. This field will allow different types
64 * of output to be written to the FIFO.
66 * action_id action
67 * 01 TCP / ICMP Asset Discovered
68 * 02 ARP Asset Discovered
69 * 03 TCP / ICMP Statistic Information
71 * The following lines contain an example of the data written to the
72 * FIFO:
74 * Sguil patch adds ntohl ip addrs in output
75 * 01,10.10.10.83,168430163,22,6,ssh,OpenSSH 3.8.1 (Protocol 2.0),1100846817
76 * 02,10.10.10.81,168430161,3Com 3CRWE73796B,00:50:da:5a:2d:ae,1100846817
77 * 03,10.10.10.83,168430163,22,6,1100847309
81 87.238.42.2
82 1475226114
83 94.139.80.5
84 1586188293
85 34029
88 www
89 Apache
90 1267455148
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
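/* ----------------------------------------------------------
 * FUNCTION : init_output_fifo
 * DESC     : Create (if needed) and open the FIFO this plugin writes to,
 *            storing the path and FILE handle in the plugin instance.
 * INPUT    : p         - plugin instance; receives p->path and p->data
 *          : fifo_file - FIFO path, or NULL for the default "prads.fifo"
 *          : flags     - unused here
 * RETURN   : 0 on success, otherwise the errno value of the failing call
 *            (EEXIST when the path exists but is not a FIFO)
 * --------------------------------------------------------- */
int init_output_fifo (output_plugin *p, const char* fifo_file, int flags)
{
    FILE *fp;
    struct stat st;
    int e;

    (void)flags; /* UNUSED */

    /* Fall back to the default name when the caller gave none. */
    if (fifo_file == NULL)
        fifo_file = "prads.fifo";

    p->path = fifo_file;

    /* A FIFO left over from an earlier run is the normal case (the reader,
     * e.g. sguil's agent, keeps it around), so EEXIST is silently accepted;
     * any other mkfifo failure is reported but not fatal, since the open below
     * decides. The 0755 mode is kept from the original: note it leaves the
     * FIFO readable by every local user, subject to the process umask. */
    if (mkfifo(fifo_file, S_IFIFO | 0755) != 0 && errno != EEXIST) {
        perror("creating fifo"); // not fatal
    }

    /* "w+" opens read-write rather than write-only — presumably so the open
     * does not block while no reader is attached; confirm against the
     * reader's behaviour before changing it. */
    fp = fopen(fifo_file, "w+");
    if (fp == NULL) {
        e = errno;
        perror("opening fifo");
        return e;
    }

    /* Verify that what we opened really is a FIFO. If mkfifo failed because
     * the path is already occupied by a regular file (or a symlink to one),
     * asset data would otherwise be written there silently and never reach
     * the intended reader. Checking the open descriptor with fstat() avoids a
     * check-then-open race on the path name. */
    if (fstat(fileno(fp), &st) != 0) {
        e = errno;
        perror("fstat fifo");
        fclose(fp);
        return e;
    }
    if (!S_ISFIFO(st.st_mode)) {
        fprintf(stderr, "opening fifo: %s exists but is not a FIFO\n", fifo_file);
        fclose(fp);
        return EEXIST;
    }

    p->data = (void *) fp;
    return 0;
}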
/* ----------------------------------------------------------
 * FUNCTION : fifo_arp
 * DESC     : Writes one ARP asset record (action id 02) to the FIFO.
 * INPUT    : p    - plugin instance holding the open FILE handle in p->data
 *          : main - asset whose IP, MAC, vendor and last_seen are emitted
 * RETURN   : None; logs an error and returns if the FIFO is not open.
 * ---------------------------------------------------------- */
void fifo_arp (output_plugin *p, asset *main)
{
    static char ip_addr_s[INET6_ADDRSTRLEN];
    FILE *out;

    if (p->data == NULL) {
        elog("[!] ERROR: File handle not open!\n");
        return;
    }
    out = (FILE *)p->data;

    u_ntop(main->ip_addr, main->af, ip_addr_s);

    /* Record layout: one field per line, terminated by a line holding a
     * single dot — prads_agent.tcl processes each line until it receives
     * that dot. The vendor field reads "unknown" when no MAC-vendor entry
     * is attached to the asset.
     * NOTE(review): "%u" assumes IP4ADDR()/htonl() yield a 32-bit unsigned
     * and "%lu" assumes last_seen is an unsigned long — neither type is
     * visible here; confirm against prads.h. */
    if (main->macentry == NULL) {
        fprintf(out, "02\n%s\n%u\nunknown\n%s\n%lu\n.\n", ip_addr_s,
                htonl(IP4ADDR(&main->ip_addr)), hex2mac(main->mac_addr),
                main->last_seen);
    } else {
        fprintf(out, "02\n%s\n%u\n%s\n%s\n%lu\n.\n", ip_addr_s,
                htonl(IP4ADDR(&main->ip_addr)), main->macentry->vendor,
                hex2mac(main->mac_addr), main->last_seen);
    }
    fflush(out);
}
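/* ----------------------------------------------------------
 * FUNCTION : fifo_service
 * DESC     : Writes one TCP/ICMP service asset record (action id 01)
 *            to the FIFO.
 * INPUT    : p       - plugin instance holding the open FILE handle in p->data
 *          : main    - asset owning the service (source IP, last_seen)
 *          : service - service/application seen and its client/server role
 *          : cxt     - connection the detection came from; may be NULL
 * RETURN   : None; logs an error and returns if the FIFO is not open.
 * ---------------------------------------------------------- */
/* Role markers for the sguil agent. Despite the macro names these are the
 * HEX encodings of the ASCII strings "PRADS CLIENT" and "PRADS SERVER"
 * (0x50 0x52 0x41 0x44 0x53 0x20 ...), not base64. The names are kept as
 * they are part of this file's existing interface. */
#define B64_PRADS_CLIENT "505241445320434C49454E54"
#define B64_PRADS_SERVER "505241445320534552564552"
/* Static storage, hence all-zero: substituted when the caller passes no
 * connection so the record still gets (zeroed) peer/port fields instead of
 * dereferencing NULL. */
static connection NULL_CXT;
void fifo_service (output_plugin *p, asset *main, serv_asset *service, connection *cxt)
{
    FILE *out;
    static char sip[INET6_ADDRSTRLEN];
    static char dip[INET6_ADDRSTRLEN];
    /* Points at string literals, so it must not be a mutable char *. */
    const char *role = B64_PRADS_CLIENT;

    if (!cxt)
        cxt = &NULL_CXT;

    if (p->data == NULL) {
        elog("[!] ERROR: File handle not open!\n");
        return;
    }
    out = (FILE *)p->data;

    u_ntop(main->ip_addr, main->af, sip);
    u_ntop(cxt->d_ip, cxt->af, dip);

    if (service->role == SC_SERVER) { /* SERVER ASSET */
        role = B64_PRADS_SERVER;
    }

    /* One field per line, terminated by a line holding a single dot:
     * prads_agent.tcl processes each line until it receives that dot.
     * NOTE(review): "%u" assumes IP4ADDR()/htonl() yield a 32-bit unsigned
     * and "%lu" assumes last_seen is an unsigned long — confirm against
     * prads.h (fifo_stat prints the same field with "%ld"). */
    fprintf(out, "01\n%s\n%u\n%s\n%u\n%d\n%d\n%d\n%s\n%s\n%lu\n%s\n.\n",
            sip, htonl(IP4ADDR(&cxt->s_ip)),
            dip, htonl(IP4ADDR(&cxt->d_ip)),
            ntohs(cxt->s_port), ntohs(cxt->d_port), service->proto,
            bdata(service->service), bdata(service->application),
            main->last_seen, role);
    fflush(out);
}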
/* ----------------------------------------------------------
 * FUNCTION : fifo_stat
 * DESC     : Writes one statistics record (action id 03) to the FIFO.
 * INPUT    : p   - plugin instance holding the open FILE handle in p->data
 *          : rec - asset whose IP and last_seen are emitted
 *          : os  - OS asset supplying the port
 *          : cxt - unused
 * FORMAT   : ID \n IP \n NumIP \n PORT \n PROTO \n timestamp \n . \n
 *            03\n10.10.10.83\n168430163\n22\n6\n1100847309\n.\n
 * RETURN   : None; logs an error and returns if the FIFO is not open.
 * ---------------------------------------------------------- */
void fifo_stat (output_plugin *p, asset *rec, os_asset *os, /*UNUSED*/ connection *cxt)
{
    static char ip_addr_s[INET6_ADDRSTRLEN];
    FILE *out;

    (void)(cxt); /* UNUSED */

    if (p->data == NULL) {
        elog("[!] ERROR: File handle not open!\n");
        return;
    }
    out = (FILE *)p->data;

    u_ntop(rec->ip_addr, rec->af, ip_addr_s);

    /* pads_agent.tcl processes each line until it receives a dot by itself.
     * The protocol field is hard-wired to 6 "just for now" — the os_asset
     * apparently carries no protocol of its own; confirm before relying on it.
     * NOTE(review): last_seen is printed with "%ld" here but "%lu" in
     * fifo_arp/fifo_service; one of them mismatches the field's real type. */
    fprintf(out, "03\n%s\n%u\n%d\n%d\n%ld\n.\n",
            ip_addr_s, htonl(IP4ADDR(&rec->ip_addr)), ntohs(os->port),
            6 /*just for now*/, rec->last_seen);
    fflush(out);
}
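/* ----------------------------------------------------------
 * FUNCTION : fifo_end
 * DESC     : Closes the FIFO handle and clears the plugin's path/data.
 *            The FIFO special file itself is left in place.
 * INPUT    : p - plugin instance
 * OUTPUT   : 0 - Success
 *          :-1 - Error (fclose failed; errno is reported via perror)
 * ---------------------------------------------------------- */
int fifo_end (output_plugin *p)
{
    int rc = 0;
    FILE *fp = (FILE *)p->data;

    if(p->flags & CONFIG_VERBOSE)
        plog("Closing FIFO file\n");

    /* p->data is never set when init_output_fifo() fails, and fclose(NULL)
     * is undefined behaviour, so only close a real handle. fclose() also
     * flushes; on a write stream its failure is the last chance to notice
     * lost output, which is why the documented -1 is actually returned now. */
    if (fp != NULL && fclose(fp) != 0) {
        perror("closing fifo");
        rc = -1;
    }

    p->data = NULL;
    p->path = NULL;
    return rc;
}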