support multiple output plugins at the same time
1 /*
2 ** This file is a part of PRADS.
3 **
4 ** Copyright (C) 2009, Redpill Linpro
5 ** Copyright (C) 2009, Edward Fjellskål <edward.fjellskaal@redpill-linpro.com>
6 **
7 ** This program is free software; you can redistribute it and/or modify
8 ** it under the terms of the GNU General Public License as published by
9 ** the Free Software Foundation; either version 2 of the License, or
10 ** (at your option) any later version.
12 ** This program is distributed in the hope that it will be useful,
13 ** but WITHOUT ANY WARRANTY; without even the implied warranty of
14 ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 ** GNU General Public License for more details.
17 ** You should have received a copy of the GNU General Public License
18 ** along with this program; if not, write to the Free Software
19 ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
23 #include "log_sguil.h"
26 * NOTES:
28 * This module will write asset data to a FIFO special file. This will
29 * separate the detection engine from the IO module and increase the
30 * overall speed of the system.
32 * Output written to the FIFO will be in comma separated format and will
33 * begin with an action_id field. This field will allow different types
34 * of output to be written to the FIFO.
36 * action_id action
37 * 01 TCP / ICMP Asset Discovered
38 * 02 ARP Asset Discovered
39 * 03 TCP / ICMP Statistic Information
41 * The following lines contain an example of the data written to the
42 * FIFO:
44 * Sguil patch adds ntohl ip addrs in output
45 * 01,10.10.10.83,168430163,22,6,ssh,OpenSSH 3.8.1 (Protocol 2.0),1100846817
46 * 02,10.10.10.81,168430161,3Com 3CRWE73796B,00:50:da:5a:2d:ae,1100846817
47 * 03,10.10.10.83,168430163,22,6,1100847309
51 87.238.42.2
52 1475226114
53 94.139.80.5
54 1586188293
55 34029
58 www
59 Apache
60 1267455148
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
/* Module-wide output state shared by every writer below: the FIFO path
 * (a bstring, released in end_output_sguil) and the open stream. A NULL
 * stream is what the sguil_* writers test for to mean "not initialized". */
sguil_conf output_fifo_conf;
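/* ----------------------------------------------------------
 * FUNCTION : init_output_sguil
 * DESC     : Creates (if needed) and opens the FIFO that the Sguil
 *            agent reads from, and records its path and stream in
 *            output_fifo_conf. On failure output_fifo_conf.file stays
 *            NULL, which the sguil_* writers check before writing.
 * INPUT    : 0 - FIFO filename; NULL selects "prads.fifo" in the
 *                current directory
 * RETURN   : 0 - Success
 *          : -1 - FIFO could not be created or opened
 * --------------------------------------------------------- */
int init_output_sguil (bstring fifo_file)
{
    bstring default_name = NULL;   /* owned here only when we pick the default */
    struct stat st;

    /* Fall back to the default path when the caller gave none. */
    if (fifo_file == NULL) {
        default_name = bfromcstr("prads.fifo");
        fifo_file = default_name;
    }

    output_fifo_conf.filename = bstrcpy(fifo_file);
    output_fifo_conf.file = NULL;

    /* EEXIST is acceptable (the agent or a previous run may already have
     * created the FIFO); any other mkfifo failure means fopen below
     * cannot succeed either, so report it and stop. */
    if (mkfifo(bdata(fifo_file), S_IFIFO | 0755) != 0 && errno != EEXIST) {
        fprintf(stderr, "Unable to create FIFO file (%s): %s\n",
                bdata(fifo_file), strerror(errno));
        bdestroy(default_name);
        return -1;
    }

    if ((output_fifo_conf.file = fopen(bdata(fifo_file), "w+")) == NULL) {
        printf("Unable to open FIFO file (%s)!\n", bdata(fifo_file));
        bdestroy(default_name);
        return -1;
    }

    /* If something other than a FIFO already sat at this path (a regular
     * file or a symlink to one), mkfifo returned EEXIST and fopen happily
     * opened it; warn so an operator notices the asset stream is not
     * going where it was configured to go. */
    if (fstat(fileno(output_fifo_conf.file), &st) == 0 && !S_ISFIFO(st.st_mode)) {
        fprintf(stderr, "[!] WARNING: %s exists but is not a FIFO\n",
                bdata(fifo_file));
    }

    /* bdestroy(NULL) is a no-op in bstrlib, so this is safe either way. */
    bdestroy(default_name);
    return 0;
}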
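/* ----------------------------------------------------------
 * FUNCTION : sguil_arp
 * DESC     : Writes an ARP asset (action_id 02) to the FIFO, one
 *            field per line, terminated by a line holding a single
 *            dot (prads_agent.tcl processes each line until it
 *            receives a dot by itself).
 * INPUT    : 0 - asset with ip_addr/af, mac_addr, optional
 *                mac_resolved vendor string and last_seen
 * RETURN   : None; reports to stderr when the FIFO is not open
 * ---------------------------------------------------------- */
void
sguil_arp (asset *main)
{
    static char ip_addr_s[INET6_ADDRSTRLEN];
    const char *vendor;

    if (main == NULL) {
        return;
    }

    if (output_fifo_conf.file == NULL) {
        fprintf(stderr, "[!] ERROR: File handle not open!\n");
        return;
    }

    u_ntop(main->ip_addr, main->af, ip_addr_s);

    /* An unresolved vendor is emitted as the literal "unknown" so the
     * record keeps a fixed field count for the agent. */
    vendor = (main->mac_resolved != NULL) ? main->mac_resolved : "unknown";

    /* NOTE(review): last_seen is printed with %d; if it is a time_t this
     * is a format/argument mismatch on LP64 targets — confirm its type. */
    fprintf(output_fifo_conf.file, "02\n%s\n%u\n%s\n%s\n%d\n.\n", ip_addr_s,
            ntohl(main->ip_addr.s_addr), vendor,
            hex2mac(&main->mac_addr), main->last_seen);
    fflush(output_fifo_conf.file);
}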
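/* Returns the C string behind a bstring, or "" when the bstring (or its
 * buffer) is NULL, so it can always be handed to a %s conversion. */
static const char *
sguil_bstr_or_empty (bstring b)
{
    const char *s = bdata(b);
    return (s != NULL) ? s : "";
}

/* ----------------------------------------------------------
 * FUNCTION : sguil_service
 * DESC     : Writes a service asset (action_id 01) to the FIFO, one
 *            field per line, terminated by a line holding a single
 *            dot (prads_agent.tcl processes each line until it
 *            receives a dot by itself).
 * INPUT    : 0 - asset: both endpoints, ports, proto, service,
 *                application, discovered time and hex payload
 *          : 1 - service asset (currently unused; every printed field
 *                is read from the asset — confirm that is intended)
 * RETURN   : None; reports to stderr when the FIFO is not open
 * ---------------------------------------------------------- */
void
sguil_service (asset *main, serv_asset *service)
{
    static char sip_s[INET6_ADDRSTRLEN];
    static char dip_s[INET6_ADDRSTRLEN];

    (void)service;

    if (main == NULL) {
        return;
    }

    if (output_fifo_conf.file == NULL) {
        fprintf(stderr, "[!] ERROR: File handle not open!\n");
        return;
    }

    /* Render both endpoints locally (as sguil_arp does) instead of
     * depending on file-scope sip/dip buffers being filled elsewhere.
     * NOTE(review): assumes the client address shares main->af. */
    u_ntop(main->c_ip_addr, main->af, sip_s);
    u_ntop(main->ip_addr, main->af, dip_s);

    /* NOTE(review): discovered is printed with %d; if it is a time_t this
     * is a format/argument mismatch on LP64 targets — confirm its type. */
    fprintf(output_fifo_conf.file, "01\n%s\n%u\n%s\n%u\n%d\n%d\n%d\n%s\n%s\n%d\n%s\n.\n",
            sip_s, ntohl(main->c_ip_addr.s_addr),
            dip_s, ntohl(main->ip_addr.s_addr),
            ntohs(main->c_port), ntohs(main->port), main->proto,
            sguil_bstr_or_empty(main->service),
            sguil_bstr_or_empty(main->application),
            main->discovered,
            sguil_bstr_or_empty(main->hex_payload));
    fflush(output_fifo_conf.file);
}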
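/* ----------------------------------------------------------
 * FUNCTION : print_stat_sguil
 * DESC     : Writes a statistics record (action_id 03) to the FIFO,
 *            one field per line, terminated by a line holding a
 *            single dot, stamped with the current time.
 * INPUT    : 0 - record with ip_addr (IPv4), port and proto
 *                NOTE(review): takes `Asset` while the other writers
 *                take `asset` — looks like legacy naming; confirm.
 * RETURN   : 0 - Success
 *          : -1 - FIFO not open
 * ---------------------------------------------------------- */
int print_stat_sguil (Asset *rec)
{
    if (rec == NULL) {
        return -1;
    }

    if (output_fifo_conf.file == NULL) {
        fprintf(stderr, "[!] ERROR: File handle not open!\n");
        return -1;
    }

    /* time_t is wider than int on most targets, so it is cast to long and
     * printed with %ld; the digits are unchanged for any current date. */
    fprintf(output_fifo_conf.file, "03\n%s\n%d\n%d\n%ld\n.\n",
            inet_ntoa(rec->ip_addr), ntohs(rec->port), rec->proto,
            (long)time(NULL));
    fflush(output_fifo_conf.file);
    return 0;
}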
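/* ----------------------------------------------------------
 * FUNCTION : end_output_sguil
 * DESC     : Closes the FIFO stream (if open) and frees the stored
 *            filename, leaving output_fifo_conf fully reset so a
 *            second call, or a call after a failed init, is harmless.
 * INPUT    : None
 * OUTPUT   : 0 - Success
 *          : -1 - fclose reported an error
 * ---------------------------------------------------------- */
int end_output_sguil (void)
{
    int rc = 0;

    printf("Closing FIFO File used for Sguil\n");

    /* fclose(NULL) is undefined; the stream is NULL when init failed or
     * was never run. */
    if (output_fifo_conf.file != NULL) {
        if (fclose(output_fifo_conf.file) != 0) {
            fprintf(stderr, "[!] ERROR: closing FIFO failed: %s\n",
                    strerror(errno));
            rc = -1;
        }
        output_fifo_conf.file = NULL;
    }

    /* Clean Up; NULL the pointer so a repeated call cannot double-free. */
    if (output_fifo_conf.filename) {
        bdestroy(output_fifo_conf.filename);
        output_fifo_conf.filename = NULL;
    }

    return rc;
}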