ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15 Commits
1 Branch
133 KiB
 
 
 
 
Tree: bb0278f2a5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'bb0278f2a5'
${ noResults }
Poor-Mans-IDS/trafficmon/trafficmon.cpp

336 lines
10 KiB
Raw Blame History 

  1. //////////////////////////////////////////////////////////////////////

  2. // IP traffic monitor

  3. // Written by Jonathan A. Foster <ChipMaster@YeOlPiShack.net>

  4. // Started August 11th, 2021

  5. //

  6. // The idea is to analyze iptables LOG entries in combination with

  7. // DNSmasq's query log entries and combine them to list the hosts

  8. // that were accessed. This will be read in real time from SysLogD

  9. // using the "pipe" feature. Access records will be logged to MySQL

  10. // for reporting and record keeping.

  11. //////////////////////////////////////////////////////////////////////

  12. // TODO: catch signals and attempt removal of PID file during shutdown.

  13. #include <string.h>

  14. #include <errno.h>

  15. #include <sys/types.h>

  16. #include <sys/stat.h>

  17. #include <syslog.h>

  18. #include <unistd.h>

  19. #include <string>

  20. #include <iostream>

  21. #include <fstream>

  22. #include <stdexcept>

  23. #include <vector>

  24. #include <map>

  25. #include <cppdb/frontend.h>

  26. 

  27. #include "../cli.h"

  28. #include "../data.h"

  29. #include "../miniini.h"

  30. #include "../config.h"

  31. using namespace std;

  32. 

  33. 

  34. 

  35. //////////////////////////////////////////////////////////////////////

  36. // Monitor Config

  37. //////////////////////////////////////////////////////////////////////

  38. 

  39. struct MonitorConf: public MiniINI {

  40.   MiniINIvars  traffic_mon; // This app's config variables

  41.   INIusList    us;

  42. 

  43.   MonitorConf() { groups["Traffic Mon"] = &traffic_mon; groups["us"] = &us; }

  44. };

  45. 

  46. 

  47. 

  48. //////////////////////////////////////////////////////////////////////

  49. // Application class to store data passed in through a pipe or

  50. // file(s).

  51. //////////////////////////////////////////////////////////////////////

  52. //#define DEBUG

  53. 

  54. struct TrafficMon: public cBaseApp {

  55.   MonitorConf     config;

  56.   LogAnalyzer     analyze;

  57.   istream        *log;

  58.   cppdb::session  db;

  59.   LiveBug         bug;

  60.   bool            setup_db;

  61.   bool            piping;               // are we sucking on a pipe?

  62.   bool            background_me;        // daemonize?

  63.   string          pid_file;             // Name of file to write PID in

  64.   int             inp_ct;               // How many inputs were on the CLI

  65.   bool            running;              // Whether or not its time to run logs

  66.   long long       line_no;              // current line # in the active input

  67. 

  68. 

  69. 

  70.   TrafficMon():

  71.     log(              0),

  72.     setup_db(     false),

  73.     piping(       false),

  74.     background_me(false),

  75.     inp_ct(           0),

  76.     running(      false),

  77.     line_no(          0)

  78.   {

  79.     analyze.us = &(config.us.vals);

  80.   }

  81. 

  82. 

  83. 

  84.   void help() {

  85.     cerr << 

  86.       "\n"

  87.       "trafficmon -c {config file} [-i] [-d] [-b] [-p {pipe name} | [{log name} ...]]\n"

  88.       "\n"

  89.       "Arguments:\n"

  90.       "  -c  Load configuration from file (required)\n"

  91.       "  -i  PID file to write (optional, use with -b)\n"

  92.       "  -d  Create data tables (optional, use once)\n"

  93.       "  -b  Run in background - daemonize (optional, use -i too)\n"

  94.       "  -p  read from pipe creating it if needed (optional, good with -b)\n"

  95.       "\n"

  96.       "Other arguments are log files to be processed. This can be used to bulk\n"

  97.       "load data prior to going live with an always on daemon or for catching\n"

  98.       "up if the daemon stopped for some reason.";

  99.     ExitCode = 1;

  100.   }

  101. 

  102. 

  103. 

  104.   unsigned do_switch(const char *sw) {

  105.     if(sw[1]==0) {

  106.       switch(*sw) {

  107.       case 'b': background_me = true; return 0;

  108.       case 'c':                       return 1;

  109.       case 'd': setup_db      = true; return 0;

  110.       case 'i':                       return 1;

  111.       case 'p': piping        = true; return !running; // second pass treats it as a file

  112.       }

  113.     }

  114.     throw CLIerror("Unrecognized Switch");

  115.   }

  116. 

  117. 

  118. 

  119.   void do_switch_arg(const char *sw, const string &val) {

  120.     // If "running" is set then we've already done this. So skip it!

  121.     if(running) return;

  122. 

  123.     switch(*sw) {

  124. 

  125.     /// Load config file ///

  126. 

  127.     case 'c':

  128.       // This is only called with "c". See above

  129.       config.load(val);

  130.       if(!config.us.vals.size()) throw CLIerror(

  131.         "The configuration files MUST contain an [us] section with "

  132.         "appropriate values"

  133.       );

  134.       if(!config.traffic_mon.vals.size()) throw CLIerror(

  135.         "The configuration files MUST contain an [Traffic Mon] section with "

  136.         "appropriate values"

  137.       );

  138. 

  139.       /// configure resources from config file ///

  140. 

  141.       // TODO: pre-validate some of these?

  142.       db.open("mysql:user="+qesc(config.traffic_mon.get("db user"))+

  143.         ";password="+qesc(config.traffic_mon.get("db password"))+

  144.         ";host="+qesc(config.traffic_mon.get("db host"))+

  145.         ";database="+qesc(config.traffic_mon.get("db name"))+

  146.         ";@opt_reconnect=1");

  147.       return;

  148.       

  149.     /// PID file to write ID in if we're daemonizing ///

  150.     

  151.     case 'i':

  152.       pid_file = val;

  153.       return;

  154. 

  155.     /// Make pipe if requested ///

  156.     

  157.     case 'p':

  158.       // This can't wait for "running" since we want it to fail in foreground

  159.       // Make read/write by process owner (root) only

  160.       if(mkfifo(val.c_str(), 0600)<0 && errno!=17 /*already exists*/) {

  161.         ExitCode = 2;

  162.         throw runtime_error("Making pipe raised error "+str(errno));

  163.       }

  164.       inp_ct++;

  165.     }

  166.   }

  167. 

  168. 

  169. 

  170.   void do_arg(const char *fname) {

  171.     // if not "running" we don't want to do this yet. Just count inputs.

  172.     if(!running) {

  173.       inp_ct++;

  174.       return;

  175.     }

  176. 

  177.     // the only thing we expect on the CLI is a log/pipe name

  178.     if(log==&cin) log = 0; // won't happen right now

  179.     if(log)

  180.       ((ifstream*)log)->close();

  181.     else

  182.       log = new ifstream;

  183.     if(!background_me) cerr << fname << ":\n";

  184. restart:

  185.     ((ifstream*)log)->open(fname);

  186.     ExitCode = run();

  187.     if(piping) {

  188.       // If a process closes the write end of the pipe, like during log

  189.       // rotation, we receive an EOF, end up here, and have to re-open the pipe

  190.       // to be able to receive more on it.

  191.       ((ifstream*)log)->close();

  192.       sleep(1); // This is just to make sure we don't hog CPU in a loop

  193.       goto restart;

  194.     }

  195.   }

  196. 

  197. 

  198. 

  199.   // This is the actual data process

  200.   // probably should daemonize around here.

  201.   int run() {

  202.     string l;

  203.     cppdb::statement db_add = db << // prepare insert statement

  204.       "INSERT INTO connections "

  205.       "(us, us_port, them, them_port, them_name, protocol, inbound) "

  206.       "VALUES (?,?,?,?,?,?,?)";

  207. 

  208.     /// parse log file ///

  209. 

  210.     line_no=0;

  211.     while(getline(*log, l)) {

  212.       line_no++;

  213.       if(!background_me)

  214.         cerr << bug << ' ' << line_no << '\r' << flush;

  215. 

  216.       /// process connections ///

  217. 

  218.       if(analyze.line(l)) {

  219.         // TODO: time stamp handling?

  220.         // insert record

  221.         db_add.reset();

  222.         db_add << analyze.conn.us << analyze.conn.us_port << analyze.conn.them

  223.                << analyze.conn.them_port << analyze.conn.name

  224.                << analyze.conn.protocol << analyze.conn.in

  225.                << cppdb::exec;

  226.       }

  227.     }

  228.     // In a real pipe situation this should never get reached.

  229.     if(!background_me) {

  230.       cerr << "\nLines:      " << line_no

  231.            << "\nTotal rDNS: " << analyze.rdns.size() << '\n' << endl;

  232.     }

  233.     return 0;

  234.   }

  235. 

  236. 

  237. 

  238.   void create_tables() {

  239. 

  240.     /// Connection recrods ///

  241. 

  242.     db << "CREATE TABLE connections ("

  243.             "id        INT        NOT NULL AUTO_INCREMENT PRIMARY KEY,"

  244.             "tstamp    TIMESTAMP  NOT NULL," // default is NOW()

  245.             "us        CHAR(80)   NOT NULL DEFAULT '',"

  246.             "us_port   INT        NOT NULL DEFAULT 0,"

  247.             "them      CHAR(80)   NOT NULL DEFAULT '',"

  248.             "them_port INT        NOT NULL DEFAULT 0,"

  249.             "them_name CHAR(128)  NOT NULL DEFAULT '',"

  250.             "protocol  CHAR(12)   NOT NULL DEFAULT '',"

  251.             "inbound   TINYINT(1) NOT NULL DEFAULT 0,"

  252.             "INDEX tstamp(tstamp, them_name)"

  253.           ") Engine=MyISAM"

  254.        << cppdb::exec;

  255.     // NOTE: MyISAM is thousands of times faster than InnoDB for this sort

  256.     //       of work load. Mostly continuous writes with occasional reads.

  257.     //       But will it work for all I'm going to do? AriaDB is slower but

  258.     //       significantly faster than InnoDB.

  259. 

  260.     /// Status of domain names ///

  261. 

  262.     db << "CREATE TABLE dns ("

  263.             "name CHAR(128) NOT NULL PRIMARY KEY,"

  264.             "decided TIMESTAMP NOT NULL,"

  265.             "status TINYINT(1) NOT NULL DEFAULT 0"

  266.           ") Engine=MyISAM"

  267.        << cppdb::exec;

  268.   }

  269. 

  270. 

  271. 

  272.   int main() {

  273.     try {

  274.       cBaseApp::main();

  275.       if(!config.us.vals.size())

  276.         // Since -c requires something in [us] we'll only get here if a config

  277.         // wasn't loaded.

  278.         throw CLIerror("You must specify a config file to load");

  279.       if(piping && inp_ct!=1) throw CLIerror(

  280.         "Pipe requires one and only one file name to read from."

  281.       );

  282.       if(setup_db) create_tables();

  283. 

  284.       // if requested attempt daemonizing.

  285.       if(background_me) {

  286.         if(inp_ct==0) throw CLIerror(

  287.           "Backgrounding requires the specification of an input source. "

  288.           "STDIN is unavailable when we move to background."

  289.         );

  290. 

  291.         if(daemon(0,0)<0) throw CLIerror("Failed to switch to background");

  292.         // If we get here we're in the background. No STDIN, STDOUT, STDERR

  293.         if(pid_file!="") { // pid_file requested

  294.           ofstream pf(pid_file.c_str());

  295.           pf << getpid();

  296.         }

  297.       }

  298.     } catch(const CLIerror &e) {

  299.       cerr << "ERROR: " << e.what() << "\n";

  300.       help();

  301.       return ExitCode ? ExitCode : 1; // JIC someone sets a different exit code

  302.     }

  303. 

  304.     try {

  305.       // CLI processed now lets analyze data.

  306.       running = true;

  307.       cBaseApp::main(); // re-run CLI args for inputs

  308.       if(!log) {

  309.         // no inputs spec'd on CLI assume stdin (we're not a daemon)

  310.         log = &cin;

  311.         ExitCode = run();

  312.       }

  313.     } catch(const exception &e) {

  314.       if(ExitCode==0) ExitCode = 2;

  315.       if(background_me) {

  316.         openlog("trafficmon", LOG_CONS | LOG_PID, LOG_DAEMON);

  317.         syslog(LOG_ALERT, "%s", e.what());

  318.         closelog();

  319.       } else

  320.         cerr << "ERROR: " << e.what() << "\n";

  321.     }

  322.     return ExitCode;

  323.   }

  324. 

  325. 

  326. 

  327. };

  328. 

  329. 

  330. 

  331. //////////////////////////////////////////////////////////////////////

  332. // Run it

  333. //////////////////////////////////////////////////////////////////////

  334. 

  335. MAIN(TrafficMon)