ChipMaster
/
Poor-Mans-IDS
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The Poor Man's (or Woman's) Intrusion Detection System
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16 Commits
1 Branch
133 KiB
 
 
 
 
Tree: d12a3e9f4d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'd12a3e9f4d'
${ noResults }
Poor-Mans-IDS/trafficmon/trafficmon.cpp

333 lines
10 KiB
Raw Blame History 

  1. //////////////////////////////////////////////////////////////////////

  2. // IP traffic monitor

  3. // Written by Jonathan A. Foster <ChipMaster@YeOlPiShack.net>

  4. // Started August 11th, 2021

  5. //

  6. // The idea is to analyze iptables LOG entries in combination with

  7. // DNSmasq's query log entries and combine them to list the hosts

  8. // that were accessed. This will be read in real time from SysLogD

  9. // using the "pipe" feature. Access records will be logged to MySQL

  10. // for reporting and record keeping.

  11. //////////////////////////////////////////////////////////////////////

  12. // TODO: catch signals and attempt removal of PID file during shutdown.

  13. #include <string.h>

  14. #include <errno.h>

  15. #include <sys/types.h>

  16. #include <sys/stat.h>

  17. #include <syslog.h>

  18. #include <unistd.h>

  19. #include <string>

  20. #include <iostream>

  21. #include <fstream>

  22. #include <stdexcept>

  23. #include <vector>

  24. #include <map>

  25. 

  26. #include "../cli.h"

  27. #include "../data.h"

  28. #include "../config.h"

  29. #include "appbase.h"

  30. using namespace std;

  31. 

  32. 

  33. 

  34. //////////////////////////////////////////////////////////////////////

  35. // Monitor Config

  36. //////////////////////////////////////////////////////////////////////

  37. 

  38. struct MonitorConf: public MonitorBaseConf {

  39.   INIusList    us;

  40. 

  41.   MonitorConf() { groups["us"] = &us; }

  42. };

  43. 

  44. 

  45. 

  46. //////////////////////////////////////////////////////////////////////

  47. // Application class to store data passed in through a pipe or

  48. // file(s).

  49. //////////////////////////////////////////////////////////////////////

  50. //#define DEBUG

  51. 

  52. struct TrafficMon: public TrafficMonBaseApp {

  53.   LogAnalyzer     analyze;

  54.   istream        *log;

  55.   LiveBug         bug;

  56.   bool            setup_db;

  57.   bool            piping;               // are we sucking on a pipe?

  58.   bool            background_me;        // daemonize?

  59.   string          pid_file;             // Name of file to write PID in

  60.   int             inp_ct;               // How many inputs were on the CLI

  61.   bool            running;              // Whether or not its time to run logs

  62.   long long       line_no;              // current line # in the active input

  63. 

  64. 

  65. 

  66.   TrafficMon():

  67.     log(              0),

  68.     setup_db(     false),

  69.     piping(       false),

  70.     background_me(false),

  71.     inp_ct(           0),

  72.     running(      false),

  73.     line_no(          0)

  74.   {

  75.     config = new MonitorConf;

  76.     analyze.us = &(((MonitorConf *)config)->us.vals);

  77.   }

  78. 

  79. 

  80. 

  81.   int help() {

  82.     cerr <<

  83.       "\n"

  84.       "trafficmon -c {config file} [-i] [-d] [-b] [-p {pipe name} | [{log name} ...]]\n"

  85.       "\n"

  86.       "Arguments:\n"

  87.       "  -c  Load configuration from file (required)\n"

  88.       "  -i  PID file to write (optional, use with -b)\n"

  89.       "  -d  Create data tables (optional, use once)\n"

  90.       "  -b  Run in background - daemonize (optional, use -i too)\n"

  91.       "  -p  read from pipe creating it if needed (optional, good with -b)\n"

  92.       "\n"

  93.       "Other arguments are log files to be processed. This can be used to bulk\n"

  94.       "load data prior to going live with an always on daemon or for catching\n"

  95.       "up if the daemon stopped for some reason.";

  96.     return ExitCode = 1;

  97.   }

  98. 

  99. 

  100. 

  101.   unsigned do_switch(const char *sw) {

  102.     if(sw[1]==0) {

  103.       switch(*sw) {

  104.       case 'b': background_me = true; return 0;

  105.       case 'd': setup_db      = true; return 0;

  106.       case 'i':                       return 1;

  107.       case 'p': piping        = true; return !running; // second pass treats it as a file

  108.       }

  109.     }

  110.     return TrafficMonBaseApp::do_switch(sw);

  111.   }

  112. 

  113. 

  114. 

  115.   void do_switch_arg(const char *sw, const string &val) {

  116.     // If "running" is set then we've already done this. So skip it!

  117.     if(running) return;

  118. 

  119.     if(sw[1]==0) switch(*sw) {

  120. 

  121.     /// PID file to write ID in if we're daemonizing ///

  122. 

  123.     case 'i':

  124.       pid_file = val;

  125.       return;

  126. 

  127.     /// Make pipe if requested ///

  128. 

  129.     case 'p':

  130.       // This can't wait for "running" since we want it to fail in foreground

  131.       // Make read/write by process owner (root) only

  132.       if(mkfifo(val.c_str(), 0600)<0 && errno!=17 /*already exists*/) {

  133.         ExitCode = 2;

  134.         throw runtime_error("Making pipe raised error "+str(errno));

  135.       }

  136.       inp_ct++;

  137.     }

  138. 

  139.     TrafficMonBaseApp::do_switch_arg(sw, val);

  140.   }

  141. 

  142. 

  143. 

  144.   void do_arg(const char *fname) {

  145.     // if not "running" we don't want to do this yet. Just count inputs.

  146.     if(!running) {

  147.       inp_ct++;

  148.       return;

  149.     }

  150. 

  151.     // the only thing we expect on the CLI is a log/pipe name

  152.     if(log==&cin) log = 0; // won't happen right now

  153.     if(log)

  154.       ((ifstream*)log)->close();

  155.     else

  156.       log = new ifstream;

  157.     if(!background_me) cerr << fname << ":\n";

  158. restart:

  159.     ((ifstream*)log)->open(fname);

  160.     ExitCode = run();

  161.     if(piping) {

  162.       // If a process closes the write end of the pipe, like during log

  163.       // rotation, we receive an EOF, end up here, and have to re-open the pipe

  164.       // to be able to receive more on it.

  165.       ((ifstream*)log)->close();

  166.       sleep(1); // This is just to make sure we don't hog CPU in a loop

  167.       goto restart;

  168.     }

  169.   }

  170. 

  171. 

  172. 

  173.   // This is the actual data process

  174.   // probably should daemonize around here.

  175.   int run() {

  176.     string l;

  177.     // prepare insert statement

  178.     cppdb::statement db_add = db <<

  179.       "INSERT INTO connections "

  180.       "(us, us_port, them, them_port, them_name, protocol, inbound) "

  181.       "VALUES (?,?,?,?,?,?,?)";

  182. 

  183.     /// parse log file ///

  184. 

  185.     line_no=0;

  186.     while(getline(*log, l)) {

  187.       line_no++;

  188.       if(!background_me)

  189.         cerr << bug << ' ' << line_no << '\r' << flush;

  190. 

  191.       /// process connections ///

  192. 

  193.       if(analyze.line(l)) {

  194.         // TODO: time stamp handling?

  195.         // insert record

  196.         db_add.reset();

  197.         db_add << analyze.conn.us << analyze.conn.us_port << analyze.conn.them

  198.                << analyze.conn.them_port << analyze.conn.name

  199.                << analyze.conn.protocol << analyze.conn.in

  200.                << cppdb::exec;

  201.       }

  202.     }

  203.     // In a real pipe situation this should never get reached.

  204.     if(!background_me) {

  205.       cerr << "\nLines:      " << line_no

  206.            << "\nTotal rDNS: " << analyze.rdns.size() << '\n' << endl;

  207.     }

  208.     return 0;

  209.   }

  210. 

  211. 

  212. 

  213.   void create_tables() {

  214. 

  215.     /// Connection recrods ///

  216. 

  217.     db << "CREATE TABLE connections ("

  218.             "id        INT        NOT NULL AUTO_INCREMENT PRIMARY KEY,"

  219.             "tstamp    TIMESTAMP  NOT NULL," // default is NOW()

  220.             "us        CHAR(80)   NOT NULL DEFAULT '',"

  221.             "us_port   INT        NOT NULL DEFAULT 0,"

  222.             "them      CHAR(80)   NOT NULL DEFAULT '',"

  223.             "them_port INT        NOT NULL DEFAULT 0,"

  224.             "them_name CHAR(128)  NOT NULL DEFAULT '',"

  225.             "protocol  CHAR(12)   NOT NULL DEFAULT '',"

  226.             "inbound   TINYINT(1) NOT NULL DEFAULT 0,"

  227.             "INDEX tstamp(tstamp, them_name)"

  228.           ") Engine=MyISAM"

  229.        << cppdb::exec;

  230.     // NOTE: MyISAM is thousands of times faster than InnoDB for this sort

  231.     //       of work load. Mostly continuous writes with occasional reads.

  232.     //       But will it work for all I'm going to do? AriaDB is slower but

  233.     //       significantly faster than InnoDB.

  234. 

  235.     /// Status of domain names ///

  236. 

  237.     db << "CREATE TABLE dns ("

  238.             "name CHAR(128) NOT NULL PRIMARY KEY,"

  239.             "decided TIMESTAMP NOT NULL,"

  240.             "status TINYINT(1) NOT NULL DEFAULT 0,"

  241.             "note CHAR(128) NOT NULL DEFAULT ''"

  242.           ") Engine=MyISAM"

  243.        << cppdb::exec;

  244. 

  245.     /// wild card DNS list ///

  246. 

  247.     // NOTE: All of these names are treated as if prefixed with "*.". At this

  248.     //       time there are only plans to implement this as a black list.

  249.     //       Many domains are sevices with threat potential and discovering

  250.     //       all of the host and subdomains may not be viable. Think ad and

  251.     //       tracking services.

  252.     db << "CREATE TABLE dns_wild ("

  253.             "name CHAR(128) NOT NULL PRIMARY KEY,"

  254.             "decided TIMESTAMP NOT NULL,"

  255.             "status TINYINT(1) NOT NULL DEFAULT 2,"

  256.             "note CHAR(128) NOT NULL DEFAULT ''"

  257.           ") Engine=MyISAM"

  258.        << cppdb::exec;

  259. 

  260.   }

  261. 

  262. 

  263. 

  264.   int main() {

  265.     int x;

  266.     try {

  267.       if(x=TrafficMonBaseApp::main()) return x;

  268.       if(!((MonitorConf*)config)->us.vals.size()) throw CLIerror(

  269.         "The configuration files MUST contain an [us] section with "

  270.         "appropriate values"

  271.       );

  272.       if(!config->traffic_mon.vals.size()) throw CLIerror(

  273.         "The configuration files MUST contain an [Traffic Mon] section with "

  274.         "appropriate values"

  275.       );

  276.       if(piping && inp_ct!=1) throw CLIerror(

  277.         "Pipe requires one and only one file name to read from."

  278.       );

  279.       if(setup_db) create_tables();

  280. 

  281.       // if requested attempt daemonizing.

  282.       if(background_me) {

  283.         if(inp_ct==0) throw CLIerror(

  284.           "Backgrounding requires the specification of an input source. "

  285.           "STDIN is unavailable when we move to background."

  286.         );

  287. 

  288.         if(daemon(0,0)<0) throw CLIerror("Failed to switch to background");

  289.         // If we get here we're in the background. No STDIN, STDOUT, STDERR

  290.         if(pid_file!="") { // pid_file requested

  291.           ofstream pf(pid_file.c_str());

  292.           pf << getpid();

  293.         }

  294.       }

  295.     } catch(const CLIerror &e) {

  296.       cerr << "ERROR: " << e.what() << "\n";

  297.       help();

  298.       return ExitCode ? ExitCode : 1; // JIC someone sets a different exit code

  299.     }

  300. 

  301.     try {

  302.       // CLI processed now lets analyze data.

  303.       running = true;

  304. // TODO: this is going to break things? Probably should prevent reloading conf. DB is opened in TrafficMonBaseApp::main()

  305. // Actually I think it may actualy work...

  306.       cBaseApp::main(); // re-run CLI args for inputs

  307.       if(!log) {

  308.         // no inputs spec'd on CLI assume stdin (we're not a daemon)

  309.         log = &cin;

  310.         ExitCode = run();

  311.       }

  312.     } catch(const exception &e) {

  313.       if(ExitCode==0) ExitCode = 2;

  314.       if(background_me) {

  315.         openlog("trafficmon", LOG_CONS | LOG_PID, LOG_DAEMON);

  316.         syslog(LOG_ALERT, "%s", e.what());

  317.         closelog();

  318.       } else

  319.         cerr << "ERROR: " << e.what() << "\n";

  320.     }

  321.     return ExitCode;

  322.   }

  323. 

  324. };

  325. 

  326. 

  327. 

  328. //////////////////////////////////////////////////////////////////////

  329. // Run it

  330. //////////////////////////////////////////////////////////////////////

  331. 

  332. MAIN(TrafficMon)