possibility to dump the current profiles to an 'eci' file

bonsaiviking · Feb 16, 2004 · 12ddde8 · 12ddde8
1 parent c6281ef
commit 12ddde8
Show file tree

Hide file tree

Showing 10 changed files with 158 additions and 44 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -70,6 +70,8 @@ NG-0.7.0    ????????
       + resizable under X11
       + mouse event are supported
       + customizable colors
+      + completely new menu-driven interface
+   + profiles can be dumped to a file
    + A lot of new bugs^H^H^H^H random features to be discovered ;)
    !! offline sniffing actually does not bind to any NICs
    - packet factory was removed

diff --git a/TODO b/TODO
@@ -7,6 +7,7 @@
    + FIXING
       - dissect_free_session
       - input for curses gui
+      - ip address in the filter
 
    + PCAP RELATED
       + reset the stats when the sniffing thread starts
@@ -48,14 +49,10 @@ this is the unofficial and floating in time roadmap:
       - it is done by the ui looking the sessions (locking them)
       - reset modified connection (on user request)
       - flag to mark encripted connections
-      - pptp
-      - gre
 
-   + LOGGING
-      - log current profiles
-
    + CONNECTION
       - kill a connection
+      - flag for injected/modified connection
 
    + DISSECTORS
       - convert all the old dissectors:
@@ -82,6 +79,8 @@ this is the unofficial and floating in time roadmap:
    + INTERFACE ENGINE
       - gtk
 
+   + NETWORK MAPPER
+
    + BINDER
 
    + ETTERLOG

diff --git a/include/ec_log.h b/include/ec_log.h
@@ -1,5 +1,5 @@
 
-/* $Id: ec_log.h,v 1.19 2004/02/15 15:48:14 alor Exp $ */
+/* $Id: ec_log.h,v 1.20 2004/02/16 20:21:55 alor Exp $ */
 
 #ifndef EC_LOG_H
 #define EC_LOG_H
@@ -131,6 +131,7 @@ extern int set_msg_loglevel(int level, char *filename);
 
 int log_open(struct log_fd *fd, char *filename);
 void log_close(struct log_fd *fd);
+int log_write_header(struct log_fd *fd, int type);
 void log_write_packet(struct log_fd *fd, struct packet_object *po);
 void log_write_info(struct log_fd *fd, struct packet_object *po);
 

diff --git a/include/ec_profiles.h b/include/ec_profiles.h
@@ -1,5 +1,5 @@
 
-/* $Id: ec_profiles.h,v 1.15 2004/02/15 15:48:14 alor Exp $ */
+/* $Id: ec_profiles.h,v 1.16 2004/02/16 20:21:55 alor Exp $ */
 
 #ifndef EC_PROFILES_H
 #define EC_PROFILES_H
@@ -70,7 +70,7 @@ extern void profile_purge_local(void);
 extern void profile_purge_remote(void);
 extern void profile_purge_all(void);
 extern int profile_convert_to_hostlist(void);
-extern void profile_dump_to_file(char *filename);
+extern int profile_dump_to_file(char *filename);
 
 /* fake forward declaration (profiles include packet and viceversa) */
 struct packet_object;

diff --git a/src/dissectors/ec_ssh.c b/src/dissectors/ec_ssh.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_ssh.c,v 1.21 2004/01/21 20:20:07 alor Exp $
+    $Id: ec_ssh.c,v 1.22 2004/02/16 20:21:55 alor Exp $
 */
 
 #include <ec.h>
@@ -165,8 +165,11 @@ FUNC_DECODER(dissector_ssh)
          }
 
          /* Catch the version banner */
-         SAFE_CALLOC(PACKET->DISSECTOR.banner, 9, 1);
-         memcpy(PACKET->DISSECTOR.banner, PACKET->DATA.data, 8);
+         PACKET->DISSECTOR.banner = strdup(PACKET->DATA.data);
+
+         /* remove the \n */
+         if ( (ptr = strchr(PACKET->DISSECTOR.banner, '\n')) != NULL )
+            *ptr = '\0';
       }      
    } else { /* The session exists */
       session_data =(ssh_session_data *)s->data;

diff --git a/src/ec_log.c b/src/ec_log.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_log.c,v 1.31 2004/02/15 15:48:14 alor Exp $
+    $Id: ec_log.c,v 1.32 2004/02/16 20:21:55 alor Exp $
 */
 
 #include <ec.h>
@@ -107,15 +107,12 @@ int set_loglevel(int level, char *filename)
       case LOG_PACKET:
          if (GBL_OPTIONS->compress) {
             fdp.type = LOG_COMPRESSED;
-            log_open(&fdp, ecp);
          } else {
             fdp.type = LOG_UNCOMPRESSED;
-            log_open(&fdp, ecp);
          }
-
-         /* set the permissions */
-         chmod(ecp, 0600);
 
+         log_open(&fdp, ecp);
+
          /* initialize the log file */
          log_write_header(&fdp, LOG_PACKET);
 
@@ -127,14 +124,11 @@ int set_loglevel(int level, char *filename)
       case LOG_INFO:
          if (GBL_OPTIONS->compress) {
             fdi.type = LOG_COMPRESSED;
-            log_open(&fdi, eci);
          } else {
             fdi.type = LOG_UNCOMPRESSED;
-            log_open(&fdi, eci);
          }
 
-         /* set the permissions */
-         chmod(eci, 0600);
+         log_open(&fdi, eci);
 
          /* initialize the log file */
          log_write_header(&fdi, LOG_INFO);
@@ -183,6 +177,8 @@ int log_open(struct log_fd *fd, char *filename)
 {
    int zerr;
 
+   memset(fd, 0, sizeof(struct log_fd));
+
    if (fd->type == LOG_COMPRESSED) {
       fd->cfd = gzopen(filename, "wb9");
       if (fd->cfd == NULL)
@@ -192,6 +188,9 @@ int log_open(struct log_fd *fd, char *filename)
       if (fd->fd == -1)
          FATAL_MSG("Can't create %s", filename);
    }
+
+   /* set the permissions */
+   chmod(filename, 0600);
 
    return ESUCCESS;
 }

diff --git a/src/ec_profiles.c b/src/ec_profiles.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_profiles.c,v 1.34 2004/02/15 15:48:14 alor Exp $
+    $Id: ec_profiles.c,v 1.35 2004/02/16 20:21:55 alor Exp $
 */
 
 #include <ec.h>
@@ -27,6 +27,7 @@
 #include <ec_packet.h>
 #include <ec_hook.h>
 #include <ec_scan.h>
+#include <ec_log.h>
 
 #define ONLY_REMOTE_PROFILES  3
 #define ONLY_LOCAL_PROFILES   2
@@ -40,7 +41,7 @@ void profile_purge_local(void);
 void profile_purge_remote(void);
 void profile_purge_all(void);
 int profile_convert_to_hostlist(void);
-void profile_dump_to_file(char *filename);
+int profile_dump_to_file(char *filename);
 
 void profile_parse(struct packet_object *po);
 static int profile_add_host(struct packet_object *po);
@@ -285,6 +286,10 @@ static void set_gateway(u_char *L2_addr)
 {
    struct host_profile *h;
 
+   /* skip null mac addresses */
+   if (!memcmp(L2_addr, "\x00\x00\x00\x00\x00\x00", MEDIA_ADDR_LEN))
+      return;
+
    PROFILE_LOCK;
 
    TAILQ_FOREACH(h, &GBL_PROFILES, next) {
@@ -613,9 +618,101 @@ void * profile_print(int mode, void *list, char **desc, size_t len)
 /*
  * dump the whole profile list into an eci file
  */
-void profile_dump_to_file(char *filename)
+int profile_dump_to_file(char *filename)
 {
+   struct log_fd fd;
+   char eci[strlen(filename)+5];
+   struct host_profile *h;
+   struct open_port *o;
+   struct active_user *u;
+   struct packet_object po;
+
    DEBUG_MSG("profile_dump_to_file: %s", filename);
+
+   /* append the extension */
+   sprintf(eci, "%s.eci", filename);
+
+   if (GBL_OPTIONS->compress)
+      fd.type = LOG_COMPRESSED;
+   else
+      fd.type = LOG_UNCOMPRESSED;
+
+   /* open the file for dumping */
+   if (log_open(&fd, eci) != ESUCCESS)
+      return -EFATAL;
+
+   /* this is an INFO file */
+   log_write_header(&fd, LOG_INFO);
+
+   /* now parse the profile list and dump to the file */
+   PROFILE_LOCK;
+
+   TAILQ_FOREACH(h, &GBL_PROFILES, next) {
+
+      memset(&po, 0, sizeof(struct packet_object));
+
+      /* create the po for logging */
+      memcpy(&po.L2.src, h->L2_addr, MEDIA_ADDR_LEN);
+      memcpy(&po.L3.src, &h->L3_addr, sizeof(struct ip_addr));
+
+      /* fake the distance by subtracting it from a power of 2 */
+      po.L3.ttl = 128 - h->distance + 1;
+      po.PASSIVE.flags = h->type;
+      memcpy(&po.PASSIVE.fingerprint, h->fingerprint, FINGER_LEN);
+
+      /* log for each host */
+      log_write_info(&fd, &po);
+
+      LIST_FOREACH(o, &(h->open_ports_head), next) {
+
+         memcpy(&po.L2.src, h->L2_addr, MEDIA_ADDR_LEN);
+         memcpy(&po.L3.src, &h->L3_addr, sizeof(struct ip_addr));
+         memset(&po.PASSIVE.fingerprint, 0, FINGER_LEN);
+
+         po.L4.src = o->L4_addr;
+         /* put the fake syn+ack to impersonate an open port */
+         po.L4.flags = TH_SYN | TH_ACK;
+         po.L4.proto = o->L4_proto;
+
+         /* log the packet for the open port */
+         log_write_info(&fd, &po);
+
+         po.DISSECTOR.banner = o->banner;
+
+         /* log for the banner */
+         if (o->banner)
+            log_write_info(&fd, &po);
+
+         LIST_FOREACH(u, &(o->users_list_head), next) {
+
+            memcpy(&po.L3.dst, &h->L3_addr, sizeof(struct ip_addr));
+            /* the source addr is the client address */
+            memcpy(&po.L3.src, &u->client, sizeof(struct ip_addr));
+
+            /* to exclude the open port check */
+            po.L4.flags = TH_PSH;
+            po.L4.dst = o->L4_addr;
+            po.L4.src = 0;
+
+            po.DISSECTOR.user = u->user;
+            po.DISSECTOR.pass = u->pass;
+            po.DISSECTOR.info = u->info;
+            po.DISSECTOR.failed = u->failed;
+
+            /* log for each account:
+             * the host must be on the dest
+             */
+            log_write_info(&fd, &po);
+         }
+      }
+   }
+
+   PROFILE_UNLOCK;
+
+   /* close the file */
+   log_close(&fd);
+
+   return ESUCCESS;
 }
 
 /* EOF */

diff --git a/src/interfaces/curses/ec_curses_view_connections.c b/src/interfaces/curses/ec_curses_view_connections.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_curses_view_connections.c,v 1.2 2004/02/15 13:35:28 alor Exp $
+    $Id: ec_curses_view_connections.c,v 1.3 2004/02/16 20:21:55 alor Exp $
 */
 
 #include <ec.h>
@@ -180,6 +180,16 @@ static void curses_connection_data(void *conn)
 {
    struct conn_tail *c = (struct conn_tail *)conn;
    DEBUG_MSG("curses_connection_data");
+
+   /* 
+    * remove any hook on the open connection.
+    * this is done to prevent a switch of connection
+    * with the panel opened
+    */
+   if (curr_conn) {
+      conntrack_hook_conn_del(curr_conn, split_print_po);
+      conntrack_hook_conn_del(curr_conn, join_print_po);
+   }
 
    /* set the global variable to pass the parameter to other functions */
    curr_conn = c->co;
@@ -200,8 +210,6 @@ static void curses_connection_data_split(void)
 
    if (wdg_conndata) {
       wdg_destroy_object(&wdg_conndata);
-      conntrack_hook_conn_del(curr_conn, split_print_po);
-      conntrack_hook_conn_del(curr_conn, join_print_po);
    }
 
    wdg_create_object(&wdg_conndata, WDG_COMPOUND, WDG_OBJ_WANT_FOCUS);
@@ -310,8 +318,6 @@ static void curses_connection_data_join(void)
 
    if (wdg_conndata) {
       wdg_destroy_object(&wdg_conndata);
-      conntrack_hook_conn_del(curr_conn, split_print_po);
-      conntrack_hook_conn_del(curr_conn, join_print_po);
    }
 
    wdg_create_object(&wdg_conndata, WDG_COMPOUND, WDG_OBJ_WANT_FOCUS);

diff --git a/src/interfaces/curses/ec_curses_view_profiles.c b/src/interfaces/curses/ec_curses_view_profiles.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_curses_view_profiles.c,v 1.2 2004/02/15 15:48:14 alor Exp $
+    $Id: ec_curses_view_profiles.c,v 1.3 2004/02/16 20:21:55 alor Exp $
 */
 
 #include <ec.h>
@@ -236,8 +236,9 @@ static void curses_profiles_dump(void *dummy)
 
 static void dump_profiles(void)
 {
-   profile_dump_to_file(logfile);
-   curses_message("Profiles dumped to file");
+   /* dump the profiles */
+   if (profile_dump_to_file(logfile) == ESUCCESS)
+      curses_message("Profiles dumped to file");
 }
 
 /* EOF */