File: thpfunc.pl

# /usr/local/thp/thpfunc.pl version 0.4.4

# Functions for use in thp 0.4.x  A component of the thp
# honeypot kit.
#
# Copyright George Bakos - alpinista@bigfoot.com
# July 15, 2002
# This is free software, released under the terms of the GNU General 
# Public License available at http://www.fsf.org/licenses/gpl.txt

use POSIX qw(strftime);


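# Look up the IPv4 address of the interface named by the global $intf and
# store it in the global $thpaddr (0 when nothing usable is found).
#   Reads:  $intf
#   Writes: $thpaddr, $reply (raw ifconfig output, for callers that want it)
#
# The interface name is validated with \A ... \z; the earlier pattern used $,
# which also accepts a trailing newline.  ifconfig is started in list form,
# so the name is passed straight to execve and never parsed by /bin/sh.
sub getip {
  $thpaddr = 0;
  return unless defined $intf && $intf =~ /\A\w+\z/;

  # List-form pipe open: no shell involved, one argument per element.
  open( my $ifc, '-|', '/sbin/ifconfig', $intf ) or return;
  $reply = do { local $/; <$ifc> };
  close($ifc);

  # The first dotted quad in the output is taken as the interface address.
  if ( defined $reply
       && $reply =~ /\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b/ ) {
    $thpaddr = $1;
  }
}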

# Since our SIDs are hex concatenations of unix time in seconds & microseconds,
# we need a way to pull hi-resolution timestamps. Otherwise, we settle for
# one-second accuracy, possibly leading to some mangled session logging.
# If Time::HiRes is available, our lives are easy. If not, let's see if the
# necessary headers are available for a gettimeofday() syscall. If that
# bombs too, we're stuck with plain ol' time. :-p

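# Fill the globals $shorttime (epoch seconds) and $timestp (the session id
# stamp: seconds and microseconds as concatenated uppercase hex, or plain
# decimal seconds when no sub-second clock is available).
#   Writes: $timestp, $shorttime
#   Dies:   if the raw gettimeofday(2) syscall fails
#
# Block evals replace the string evals of the original and the indirect
# "import Time::HiRes" call is dropped: gettimeofday() is called fully
# qualified, so nothing needs to be imported.
# NOTE: "%.X" is precision 0, which (as in C) prints no digits for a zero
# value, so a zero microsecond count yields a shorter stamp.  Left as-is
# because $timestp ends up in on-disk session file names.
sub gettime {
  # Preferred: Time::HiRes gives microsecond resolution.
  if ( eval { require Time::HiRes; 1 } ) {
    my ( $secs, $usecs ) = Time::HiRes::gettimeofday();
    $timestp   = sprintf( "%.X%.X", $secs, $usecs );
    $shorttime = $secs;
  }
  # Fallback: gettimeofday(2) via syscall(), if sys/syscall.ph is installed.
  elsif ( eval { require 'sys/syscall.ph'; 1 } ) {
    my $now = pack( "LL", () );    # two zeroed unsigned longs as the buffer
    syscall( SYS_gettimeofday(), $now, undef ) >= 0
      or die "gettimeofday: $!";
    my ( $secs, $usecs ) = unpack( "LL", $now );
    $timestp   = sprintf( "%.X%.X", $secs, $usecs );
    $shorttime = $secs;
  }
  # Last resort: one-second resolution, decimal stamp.
  else {
    $shorttime = $timestp = time();
  }
}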

# signal handlers

# Use a SIGALRM to limit time of execution of each script
# Since $sid is only used to label the caplog entry (once
# things get going) we can here add a comment to it and exit
# with a nonzero value.
# It's a bit of a kludge; please improve on this, folks.

# SIGALRM handler (also called directly when the caplog cannot be opened):
# mark the session id as timed out, write the closing caplog record, close
# the caplog and leave with exit status 5.  Never returns.
#   Reads/Writes: $sid; CAPLOG (via clcaplog and close)
sub closeout {
  $sid .= " - timeout";
  clcaplog();
  close(CAPLOG);
  exit 5;
}
$SIG{ALRM} = \&closeout;

# Here, we manage the caplog file, which tracks all sessions

# Open a session record: take the session start time and id from gettime(),
# derive the per-session log path and emit (or stage) the opening caplog line.
#   Reads:  $shorttime, $timestp (set by gettime), $svcname, $logdir,
#           $logtype, $procid, $saddr, $sport, @nsdata
#   Writes: $start, $sid, $sesslog, $now; @capdata when $logtype is "single",
#           otherwise a line on CAPLOG; ERRLOG on a missing log directory
sub opncaplog {
  gettime();
  $start = $shorttime;
  $sid   = $timestp;
  $sid .= ".$svcname" if $svcname;

  unless ( -d $logdir ) {
    $now = strftime "%a %b %e %H:%M:%S %Y", localtime;
    print ERRLOG "$now\tCannot create session directory since $logdir is not a valid directory.\n";
    # We cannot log connections without the directory, so stop here.
    # closeout() exits with status 5 itself; the exit(1) only runs if it
    # ever returns.
    closeout();
    exit(1);
  }
  $sesslog = "$logdir/$sid";

  # TODO: per-source subdirectories ($logdir/$saddr/$sid, as in simple
  # honeypot) could be offered as an option; $saddr would have to be
  # validated before any mkdir is attempted.

  my $stamp = strftime( "%b %d %T", localtime(time) );
  if ( $logtype eq "single" ) {
    @capdata = ( $stamp, "SID=$sid", "PID=$procid", "SRC=$saddr", "SPT=$sport" );
  }
  else {
    print CAPLOG "\n$stamp start thp SID $sid, UNIX pid $procid source $nsdata[4]\n";
  }
}


# Close a session record: compute the elapsed time and session log size and
# write the closing caplog lines (or the single summary line when $logtype
# is "single").
#   Reads:  $shorttime (set by gettime), $start, $logtype, $sid, $sesslog
#   Writes: $end, $eltime, $etstr, $size, @capdata; lines on CAPLOG
sub clcaplog {
  gettime();
  $end    = $shorttime;
  $eltime = $end - $start;

  my $single = ( $logtype eq "single" );
  my $stamp  = strftime( "%b %d %T", localtime(time) );

  print CAPLOG "$stamp end thp SID $sid\n" unless $single;

  if ( $eltime > 0 ) {
    # Elapsed seconds rendered as HH:MM:SS via gmtime (wraps past 24h).
    $etstr = strftime( "%T", gmtime($eltime) );
    push @capdata, "ET=$etstr";
    print CAPLOG "\t- elapsed time $etstr\n" unless $single;
  }

  # -s is false for a missing or empty session log, so no BYTES field then.
  if ( $size = -s $sesslog ) {
    push @capdata, "BYTES=$size";
    print CAPLOG "\t- total $size bytes\n" unless $single;
  }

  print CAPLOG "@capdata\n" if $single;
}