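#!/usr/bin/perl
#
#--------------------------------------------------------------------
#----- $Header: /home/cvsroot/sebek/dump/sbdump.pl,v 1.4 2002/09/08 22:48:57 cvs Exp $
#--------------------------------------------------------------------
#
# Copyright (C) 2001/2002 The Honeynet Project.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
# 3. All advertising materials mentioning features or use of this software
# must display the following acknowledgement:
# This product includes software developed by The Honeynet Project.
# 4. The name "The Honeynet Project" may not be used to endorse or promote
# products derived from this software without specific prior written
# permission.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
#----- Log processor for sebek -------------------------------------------------
#
# Extracts data from a Sebek log file:
#   -c   keystrokes captured one character at a time (interactive ttys)
#   -b   the raw bulk read() data (useful for spotting typed passwords)
#   -s   the files moved by scp sessions, recreated in the current directory
#
# Record layout, as this script parses it:
#   stamp:pid:uid:comm:fd:tty:type:len:<len raw bytes>
# Eight ':'-separated ASCII fields followed immediately by len bytes of data.
# type is "c" for a char-by-char read and "b" for a bulk read. The same
# parser (read_rec_head) is used by every mode; the old bulk() reader left
# the fd field out of its offset arithmetic and so read data at the wrong
# offset.
#
# SECURITY: every byte of the log, scp file names included, was produced by
# the intruder on the honeypot. Mode -s therefore never uses an announced
# name as a path: it keeps only a sanitised basename (see safe_output_name)
# and opens it with the three-argument open, so "../", "|cmd" or ">>" in a
# name can neither leave the working directory nor be read as an open() mode.
# Extracted files are intruder content; handle them accordingly. Printed
# lines reproduce log bytes verbatim (keystrokes, names, passwords), so
# filter the output (e.g. cat -v) before viewing it on a terminal that
# honours escape sequences.

use strict;
use warnings;
use 5.006;            # three-argument open and lexical filehandles
use Getopt::Std;
use Time::gmtime;
use FileHandle;

#----- Bytes read at the start of each record to cover its header fields.
my $HEAD_SZ = 64;

#-------------------------------------------------------------------------------
#----- sub timefmt: formats a Sebek time stamp (seconds since the epoch, shown
#----- in UTC) as HH:MM:SS-YYYY/MM/DD.
#-------------------------------------------------------------------------------
sub timefmt {
    my $secs = shift;
    my $tm   = gmtime($secs);
    return sprintf("%02d:%02d:%02d-%04d/%02d/%02d",
                   $tm->hour, $tm->min, $tm->sec,
                   $tm->year + 1900, $tm->mon + 1, $tm->mday);
}

#-------------------------------------------------------------------------------
#----- sub safe_output_name: reduce a file name found in the log to something
#----- safe to create in the current directory:
#-----   - the directory part is dropped ("/" and "\" both count as separators)
#-----   - every character outside [A-Za-z0-9._-] becomes "_"
#-----   - leading "." and "-" are dropped (no hidden files, no "." / "..",
#-----     nothing that looks like an option to a later command)
#-----   - the result is cut to 200 characters
#----- Returns the cleaned name, or nothing (undef in scalar context) when
#----- nothing usable is left. Never dies: the input is intruder-controlled.
#-------------------------------------------------------------------------------
sub safe_output_name {
    my $name = shift;
    return unless defined $name;
    $name =~ s{^.*[/\\]}{};
    $name =~ s/[^A-Za-z0-9._-]/_/g;
    $name =~ s/^[.-]+//;
    $name = substr($name, 0, 200) if length($name) > 200;
    return if $name eq "";
    return $name;
}

#-------------------------------------------------------------------------------
#----- sub parse_scp_file_line: parse an scp "C<mode> <size> <name>" control
#----- line. Returns ($size, $name) or the empty list when the line does not
#----- have that shape (scp1 already required it; it is now applied everywhere
#----- so other control lines are not mistaken for a file).
#-------------------------------------------------------------------------------
sub parse_scp_file_line {
    my $line = shift;
    return unless defined $line;
    return unless $line =~ /^C\d+\s+(\d+)\s+([^\r\n]+)/;
    return ($1, $2);
}

#-------------------------------------------------------------------------------
#----- sub open_log: open the Sebek log read-only, in binary mode.
#----- Dies with the OS error if that fails.
#-------------------------------------------------------------------------------
sub open_log {
    my $file = shift;
    my $fh = FileHandle->new($file, '<') or die("cant open $file: $!\n");
    binmode($fh);
    return $fh;
}

#-------------------------------------------------------------------------------
#----- sub open_output: create the output file for an scp transfer. $name is
#----- the name announced in the log; it goes through safe_output_name first
#----- and is opened with a three-argument open (FileHandle->new with an
#----- explicit mode). Returns the handle, or nothing (after a warning) when
#----- the name is unusable; dies only on an OS error. An existing file of
#----- the same name is overwritten, as before.
#-------------------------------------------------------------------------------
sub open_output {
    my $name = shift;
    my $safe = safe_output_name($name);
    if (!defined $safe) {
        my $shown = defined $name ? $name : "<none>";
        warn "no usable file name in scp control line ('$shown'); data not written\n";
        return;
    }
    warn "scp file name '$name' written as '$safe'\n" if $safe ne $name;
    my $fh = FileHandle->new($safe, '>') or die("unable to open $safe: $!\n");
    binmode($fh);
    return $fh;
}

#-------------------------------------------------------------------------------
#----- sub write_out: append $buf to an extracted file, dying on a write error.
#-------------------------------------------------------------------------------
sub write_out {
    my ($fh, $buf) = @_;
    print {$fh} $buf or die("write to extracted file failed: $!\n");
    return;
}

#-------------------------------------------------------------------------------
#----- sub close_outputs: close every handle in the pid -> handle hash (undef
#----- entries mark transfers that were skipped) so buffered write errors are
#----- reported, then empty the hash.
#-------------------------------------------------------------------------------
sub close_outputs {
    my $out = shift;
    foreach my $pid (sort keys %$out) {
        my $fh = $out->{$pid};
        next unless $fh;
        close($fh) or die("error writing file extracted for pid $pid: $!\n");
    }
    %$out = ();
    return;
}

#-------------------------------------------------------------------------------
#----- sub read_rec_head: read the header of the record starting at byte $pos.
#----- Returns a hash ref with stamp, pid, uid, comm, fd, tty, type, len,
#----- data_pos (offset of the first data byte) and next (offset of the next
#----- record), or nothing at end of file. A truncated header or a
#----- non-numeric length stops the scan with a warning instead of seeking
#----- to a garbage offset and attributing bytes to the wrong record.
#-------------------------------------------------------------------------------
sub read_rec_head {
    my ($fh, $pos) = @_;
    seek($fh, $pos, 0) or die("seek to offset $pos failed: $!\n");
    my $head = "";
    my $got  = read($fh, $head, $HEAD_SZ);
    die("read at offset $pos failed: $!\n") unless defined $got;
    return if $got == 0;

    #----- eight fields, the ninth element is the start of the data
    my @field = split(':', $head, 9);
    if (@field < 9) {
        warn "truncated or malformed record at offset $pos; stopping\n";
        return;
    }
    my %rec;
    @rec{qw(stamp pid uid comm fd tty type len)} = @field[0 .. 7];
    if ($rec{len} !~ /^\d+$/) {
        warn "record at offset $pos has a non-numeric length '$rec{len}'; stopping\n";
        return;
    }
    my $hdr = 8;                        # the eight ':' separators
    $hdr += length($rec{$_}) for qw(stamp pid uid comm fd tty type len);
    $rec{data_pos} = $pos + $hdr;
    $rec{next}     = $rec{data_pos} + $rec{len};
    return \%rec;
}

#-------------------------------------------------------------------------------
#----- sub read_rec_data: return the len data bytes of a record from
#----- read_rec_head (fewer if the log ends early). Dies on an I/O error.
#-------------------------------------------------------------------------------
sub read_rec_data {
    my ($fh, $rec) = @_;
    my $buf = "";
    return $buf if $rec->{len} == 0;
    seek($fh, $rec->{data_pos}, 0)
        or die("seek to offset $rec->{data_pos} failed: $!\n");
    defined read($fh, $buf, $rec->{len})
        or die("read at offset $rec->{data_pos} failed: $!\n");
    return $buf;
}

#-------------------------------------------------------------------------------
#---- sub char: print the data collected by sebek in char by char mode, which
#---- usually corresponds to interactive terminals. Keystrokes are buffered
#---- per uid and "pid:comm" and printed as one line, stamped with the time of
#---- the first keystroke, each time a carriage return is seen.
#-------------------------------------------------------------------------------
sub char {
    my $file = shift;
    my $log  = open_log($file);
    my %line;     # uid -> "pid:comm" -> { ts => first stamp, data => keystrokes }
    my $pos  = 0;

    while (my $rec = read_rec_head($log, $pos)) {
        $pos = $rec->{next};
        next unless $rec->{type} eq "c" && $rec->{tty};

        my $data = read_rec_data($log, $rec);
        chop($data);   # the original dropped the last byte of every char record; kept
        my $key = "$rec->{pid}:$rec->{comm}";
        my $ent = $line{$rec->{uid}}{$key}
            ||= { ts => timefmt($rec->{stamp}), data => "" };
        $ent->{data} .= $data;

        #----- a carriage return ends the line: print it and start afresh
        if ($data eq "\r") {
            print("$ent->{ts} [$rec->{uid}:$rec->{comm}:$rec->{pid}:$rec->{tty}:$rec->{fd}]");
            print("$ent->{data}\n");
            delete $line{$rec->{uid}}{$key};
        }
    }
    close($log);
    return;
}

#-------------------------------------------------------------------------------
#---- sub scp0: from remote, remote -> local. The receiving scp (no tty) reads
#---- the "C<mode> <size> <name>" control line char by char on fd 0 or 4 and
#---- the file body in bulk on fd 0. Each announced file is recreated in the
#---- current directory under a sanitised name.
#-------------------------------------------------------------------------------
sub scp0 {
    my $file = shift;
    my $log  = open_log($file);
    my %ctl;      # pid -> control line being assembled
    my %out;      # pid -> output handle of the file currently being received
    my $pos  = 0;

    while (my $rec = read_rec_head($log, $pos)) {
        $pos = $rec->{next};
        next unless $rec->{comm} eq "scp" && !$rec->{tty};
        my $pid = $rec->{pid};

        #----- control line, one character per record
        if ($rec->{type} eq "c" && ($rec->{fd} == 0 || $rec->{fd} == 4)) {
            my $buf = read_rec_data($log, $rec);
            chop($buf);
            $ctl{$pid} .= $buf;
            next unless $buf eq "\n";

            #----- line complete; the buffer is reset here (the original never
            #----- did, so a second file in one session kept the first name)
            my $line = delete $ctl{$pid};
            my ($size, $name) = parse_scp_file_line($line);
            next unless defined $name;

            my $stamp = timefmt($rec->{stamp});
            print("$stamp SCP (remote)->local $name $size bytes\n");
            if ($out{$pid}) {
                close($out{$pid})
                    or die("error writing file extracted for pid $pid: $!\n");
            }
            $out{$pid} = open_output($name);
        }
        #----- file body, only once a file has been announced for this pid
        elsif ($rec->{type} eq "b" && $rec->{fd} == 0 && $out{$pid}) {
            write_out($out{$pid}, read_rec_data($log, $rec));
        }
    }
    close_outputs(\%out);
    close($log);
    return;
}

#-------------------------------------------------------------------------------
#---- sub scp1: from remote, remote <- local. The file leaves through sshd:
#---- the control line shows up in a bulk read on sshd fd 5, the body in bulk
#---- reads on scp fd 3. Only the first announced file in the log is
#---- extracted, as in the original.
#-------------------------------------------------------------------------------
sub scp1 {
    my $file = shift;
    my $log  = open_log($file);
    my %name;     # sshd pid -> announced file name
    my %out;      # scp pid -> output handle (undef once a name was rejected)
    my $ready = 0;
    my $pos   = 0;

    while (my $rec = read_rec_head($log, $pos)) {
        $pos = $rec->{next};
        next unless $rec->{type} eq "b";
        my $pid = $rec->{pid};

        if ($rec->{comm} eq "sshd" && $rec->{fd} == 5) {
            next if $ready;
            my $buf = read_rec_data($log, $rec);
            my ($size, $fname) = parse_scp_file_line($buf);
            next unless defined $fname;
            $name{$pid} = $fname;
            my $stamp = timefmt($rec->{stamp});
            print("$stamp SCP local->(remote) $fname $size bytes\n");
            $ready = 1;
        }
        elsif ($rec->{comm} eq "scp" && $rec->{fd} == 3) {
            next unless $ready;
            my $buf = read_rec_data($log, $rec);
            if (!exists $out{$pid}) {
                #----- the scp child is assumed to be pid - 1's (its sshd's)
                #----- next process; this is the original's heuristic and is
                #----- not verified against the log
                $out{$pid} = open_output($name{$pid - 1});
            }
            write_out($out{$pid}, $buf) if $out{$pid};
        }
    }
    close_outputs(\%out);
    close($log);
    return;
}

#-------------------------------------------------------------------------------
#---- sub scp2: from localhost, local -> remote. The intruder runs ssh on a
#---- tty: what is typed on ssh fd 0 or 4 (char mode) is recorded as the
#---- password, the bulk reads on ssh fd 4 are the control line followed by
#---- the file body. Only the first announced file is extracted, as before.
#-------------------------------------------------------------------------------
sub scp2 {
    my $file = shift;
    my $log  = open_log($file);
    my %pw;       # ssh pid -> password characters typed so far
    my %name;     # ssh pid -> announced file name
    my %out;      # ssh pid -> output handle (undef once a name was rejected)
    my $ready = 0;
    my $pos   = 0;

    while (my $rec = read_rec_head($log, $pos)) {
        $pos = $rec->{next};
        next unless $rec->{comm} eq "ssh" && $rec->{tty};
        my $pid = $rec->{pid};

        #----- typed characters: the password
        if ($rec->{type} eq "c" && ($rec->{fd} == 0 || $rec->{fd} == 4)) {
            my $buf = read_rec_data($log, $rec);
            chop($buf);
            $buf =~ s/\n/ /g;
            $pw{$pid} = "" unless defined $pw{$pid};
            $pw{$pid} .= $buf;
        }
        #----- bulk reads, once something was typed: control line, then body
        elsif ($rec->{type} eq "b" && $rec->{fd} == 4 && defined $pw{$pid}) {
            my $buf = read_rec_data($log, $rec);
            if (!$ready) {
                my ($size, $fname) = parse_scp_file_line($buf);
                if (!defined $fname) {
                    warn "pid $pid: bulk read on fd 4 is not an scp control line; skipped\n";
                    next;
                }
                $name{$pid} = $fname;
                my $stamp = timefmt($rec->{stamp});
                print("$stamp SCP (local)->remote $fname $size bytes\n");
                print("$stamp SCP: passwd $pw{$pid}\n\n");
                $ready = 1;
            }
            else {
                $out{$pid} = open_output($name{$pid}) unless exists $out{$pid};
                write_out($out{$pid}, $buf) if $out{$pid};
            }
        }
    }
    close_outputs(\%out);
    close($log);
    return;
}

#-------------------------------------------------------------------------------
#---- sub scp3: from localhost, local <- remote. ssh/scp run on a tty: char
#---- reads on fd 4 are the typed password, char reads on fd 7 assemble the
#---- control line, bulk reads on scp fd 7 are the file body.
#-------------------------------------------------------------------------------
sub scp3 {
    my $file = shift;
    my $log  = open_log($file);
    my %pw;       # pid -> password characters typed so far
    my %ctl;      # pid -> control line being assembled
    my %name;     # pid -> announced file name
    my %seen;     # pid -> a char record was seen (what the original tested)
    my %out;      # pid -> output handle (undef once a name was rejected)
    my $pos  = 0;

    while (my $rec = read_rec_head($log, $pos)) {
        $pos = $rec->{next};
        next unless $rec->{tty};
        my $pid = $rec->{pid};

        if ($rec->{type} eq "c"
            && ($rec->{fd} == 7 || $rec->{fd} == 4)
            && ($rec->{comm} eq "ssh" || $rec->{comm} eq "scp")) {
            my $buf = read_rec_data($log, $rec);
            chop($buf);
            $seen{$pid} = 1;

            #----- passwd
            if ($rec->{fd} == 4) {
                $buf =~ s/\n/ /;
                $pw{$pid} .= $buf;
            }
            #----- file info
            if ($rec->{fd} == 7) {
                $ctl{$pid} .= $buf;
                if ($buf eq "\n") {
                    #----- reset the buffer so the next file starts clean
                    my $line = delete $ctl{$pid};
                    my ($size, $fname) = parse_scp_file_line($line);
                    if (defined $fname) {
                        my $stamp = timefmt($rec->{stamp});
                        print("$stamp SCP (local)<-remote $fname $size bytes\n");
                        $name{$pid} = $fname;
                        #----- the password was typed into the ssh child,
                        #----- assumed to be pid + 1 (the original's
                        #----- heuristic, not verified against the log)
                        my $typed = defined $pw{$pid + 1} ? $pw{$pid + 1} : "";
                        print("$stamp SCP: passwd $typed\n\n");
                    }
                }
            }
        }
        elsif ($rec->{type} eq "b" && $rec->{comm} eq "scp"
               && $rec->{fd} == 7 && $seen{$pid}) {
            my $buf = read_rec_data($log, $rec);
            $out{$pid} = open_output($name{$pid}) unless exists $out{$pid};
            write_out($out{$pid}, $buf) if $out{$pid};
        }
    }
    close_outputs(\%out);
    close($log);
    return;
}

#-------------------------------------------------------------------------------
#----- sub bulk: display the bulk data recorded by sebek. This is raw and
#----- nasty stuff but it will yield passwords that are entered, so it is
#----- useful now and then. Uses the shared header parser; the old version
#----- skipped the fd field when computing the data offset.
#-------------------------------------------------------------------------------
sub bulk {
    my $file = shift;
    my $log  = open_log($file);
    my $pos  = 0;

    while (my $rec = read_rec_head($log, $pos)) {
        $pos = $rec->{next};
        next unless $rec->{type} eq "b";
        my $data  = read_rec_data($log, $rec);
        my $stamp = timefmt($rec->{stamp});
        print("$stamp [$rec->{comm}:$rec->{uid} $rec->{pid}:$rec->{fd}:$rec->{tty}]$data");
    }
    close($log);
    return;
}

#-------------------------------------------------------------------------------
#----- sub usage: print the command line summary.
#-------------------------------------------------------------------------------
sub usage {
    print "This is a program to parse sebek logfiles, it is handy\n";
    print "$0 [-c|-b|-s] filename\n";
    print "\t -c extracts data gathered character by character\n";
    print "\t -b extracts data gathered in bulk\n";
    print "\t -s extracts SCPed files recorded by sebek in the log\n";
    print "\t    (files are written to the current directory under sanitised names)\n";
    print "\n";
    return;
}

#-------------------------------------------------------------------------------
#----- sub main: dispatch on -c, -b or -s; -s runs all four scp directions.
#----- An unknown option prints the usage and exits non-zero.
#-------------------------------------------------------------------------------
sub main {
    my %opt;
    if (!getopts("c:b:s:", \%opt)) {
        usage();
        exit(1);
    }
    if ($opt{c}) {
        char($opt{c});
        exit();
    }
    if ($opt{b}) {
        bulk($opt{b});
        exit;
    }
    if ($opt{s}) {
        scp0($opt{s});
        scp1($opt{s});
        scp2($opt{s});
        scp3($opt{s});
        exit();
    }
    usage();
    return;
}

main();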