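//--------------------------------------------------------------------
//----- $Header: /home/cvsroot/sebek/sniff/sebeksniff.c,v 1.7 2002/09/08 22:48:57 cvs Exp $
//--------------------------------------------------------------------
/*
 * Copyright (C) 2001/2002 The Honeynet Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by The Honeynet Project.
 * 4. The name "The Honeynet Project" may not be used to endorse or promote
 *    products derived from this software without specific prior written
 *    permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * sebeksniff: capture Sebek UDP records off the wire, decrypt them with the
 * shared symmetric key and append each record to a file named after the
 * sender ID carried in the record.
 *
 * Everything this program reads comes from the network, i.e. from the
 * honeypot (and therefore potentially from the intruder).  The handler
 * bounds-checks every header field against the captured length before
 * touching it and never decrypts more than the decrypt buffer can hold.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef FREEBSD
#include <pcap.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <sys/socket.h>
#include <netinet/if_ether.h>
#else
#include <pcap/pcap.h>
#include <netinet/ether.h>
#endif
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netinet/tcp.h>
#include <netinet/ip_icmp.h>
#include <openssl/md5.h>
#include <openssl/blowfish.h>

/* Per-layer dump switches; only udpdump is ever turned on. */
char ethdump, ipdump, tcpdump, udpdump, icmpdump, arpdump;
/* Minimum (option-less) header sizes, filled in by main(). */
char ethlen, iplen, tcplen, udplen, icmplen, arplen;
/* Output file handle for the record currently being written. */
FILE *f;
/* Blowfish key schedule derived from the passphrase. */
BF_KEY key;

/*
 * Decrypt buffer.  The pcap snaplen is 65535, so a UDP payload can be
 * larger than this; the handler drops such records instead of overrunning.
 */
u_char buff[24000];
/* MD5(passphrase) — the raw key material handed to BF_set_key(). */
u_char digest[16];
/* Blowfish CFB IV.  The protocol uses an all-zero IV for every record. */
u_char sched[8];
int static_port = 0;   /* -p: match on this destination port (0 = off) */
int syslog = 0;        /* -S: accepted for compatibility, does nothing */
int sebek = 0;         /* -s given: decrypt and write Sebek records */
int magic = 7777;      /* -m: match when src port + dst port == magic */

void handler(u_char *usr, const struct pcap_pkthdr *header, const u_char *pkt);
void help(void);

/*
 * Parse a decimal command-line integer in [lo, hi].
 * Exits with a message on malformed or out-of-range input instead of
 * silently turning garbage into 0 as atoi() does.
 */
static int parse_int_arg(const char *s, const char *what, long lo, long hi)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < lo || v > hi) {
        fprintf(stderr, "Invalid %s: %s\n", what, s);
        exit(1);
    }
    return (int)v;
}

/*
 * Entry point.  Parses options, derives the Blowfish key from the
 * passphrase, opens the capture device and loops forever in handler().
 * Returns 0 when pcap_loop() ends, non-zero on a usage error.
 */
int main(int argc, char **argv)
{
    int buffsize = 65535;
    int promisc = 1;
    int timeout = 1000;
    char pcap_err[PCAP_ERRBUF_SIZE];
    int c;                        /* int, not char: getopt() returns -1 */
    char *dev = "eth0";
    pcap_t *pcap_nic;
    char pass[70];
    size_t i;

    /* A defined (empty) passphrase when -s is absent: MD5() below reads it. */
    pass[0] = '\0';

    ethdump = 0;
    ipdump = 0;
    icmpdump = 0;
    tcpdump = 0;
    udpdump = 0;
    arpdump = 0;
    ethlen = sizeof(struct ether_header);
#ifdef FREEBSD
    iplen = sizeof(struct ip);
    icmplen = sizeof(struct icmp);
#else
    iplen = sizeof(struct iphdr);
    icmplen = sizeof(struct icmphdr);
#endif
    tcplen = sizeof(struct tcphdr);
    udplen = sizeof(struct udphdr);
    arplen = sizeof(struct ether_arp);

    while ((c = getopt(argc, argv, "Shd:p:s:m:")) != -1) {
        switch (c) {
        case 'd':
            dev = optarg;
            break;
        case 'p':
            static_port = parse_int_arg(optarg, "port", 0, 65535);
            break;
        case 'h':
            help();
            break;
        case 'S':
            syslog = 1;
            break;
        case 'm':
            magic = parse_int_arg(optarg, "magic number", 0, INT_MAX);
            break;
        case 's':
            /*
             * snprintf() always NUL-terminates; the old strncpy(,64) left
             * pass unterminated for long keys and strlen() then read past
             * it.  Over-long keys are rejected rather than silently cut.
             */
            if (snprintf(pass, sizeof(pass), "%s", optarg) >= (int)sizeof(pass)
                || strlen(pass) < 4) {
                printf("Invalid symmetric key\n");
                return 1;
            }
            sebek = 1;
            break;
        default:
            help();   /* unknown option: help() exits */
        }
    }

    udpdump = 1;

    if ((pcap_nic = pcap_open_live(dev, buffsize, promisc, timeout, pcap_err)) == NULL) {
        fprintf(stderr, "pcap_open_live(%s): %s\n", dev, pcap_err);
        exit(-1);
    }

    if (static_port == 0) {
        printf("Device: %s\nMagic: %i\n", dev, magic);
    } else {
        printf("Device: %s\nPort: %i\n", dev, static_port);
    }
    if (sebek) {
        /* The passphrase is deliberately not echoed: stdout is often
         * captured to a log and the key protects every honeypot record. */
        printf("Sebek monitoring enabled\n");
    }
    if (syslog) {
        printf("Syslog grab enabled\n");
    }

    /*
     * Key = MD5(passphrase).  This derivation is part of the wire format
     * (presumably mirrored by the Sebek kernel module), so it cannot be
     * strengthened on the sniffer side alone.
     */
    MD5((const unsigned char *)pass, strlen(pass), digest);
    BF_set_key(&key, sizeof(digest), digest);

    /* The passphrase is no longer needed; scrub it through a volatile
     * pointer so the store is not optimised away. (digest/key remain.) */
    for (i = 0; i < sizeof(pass); i++) {
        ((volatile char *)pass)[i] = 0;
    }

    if (pcap_loop(pcap_nic, -1, handler, NULL) == -1) {
        fprintf(stderr, "pcap_loop: %s\n", pcap_geterr(pcap_nic));
    }
    pcap_close(pcap_nic);
    return 0;
}

/*
 * pcap callback: one captured frame per call.
 *
 * Accepts only IPv4/UDP frames whose ports satisfy the -m/-p match, then
 * decrypts the UDP payload and appends everything after the 4-byte sender
 * ID to a file named by the ID formatted as a dotted quad.
 *
 * All length arithmetic is done against header->caplen (bytes actually
 * captured); nothing is read beyond it.
 */
void handler(u_char *usr, const struct pcap_pkthdr *header, const u_char *pkt)
{
    struct ether_header *ethheader;
#ifdef FREEBSD
    struct ip *ipheader;
#else
    struct iphdr *ipheader;
#endif
    struct udphdr *udpheader;
    struct in_addr address;
    u_int32_t id;
    const u_char *payload;
    const char *fname;
    size_t caplen = header->caplen;
    size_t ip_hdr_len, off, avail, udp_len, size, datalen;
    int spt, dpt;
    int num = 0;

    (void)usr;

    /* Without -s there is nothing to do: syslog capture (-S, dpt == 514)
     * was never implemented and is intentionally a no-op. */
    if (!udpdump || !sebek) {
        return;
    }

    /* Ethernet header must be fully captured before ether_type is read. */
    if (caplen < (size_t)ethlen) {
        return;
    }
    ethheader = (struct ether_header *)pkt;
    if (ntohs(ethheader->ether_type) != ETHERTYPE_IP) {
        return;
    }

    /* Fixed part of the IP header must be present to read IHL/protocol. */
    if (caplen < (size_t)ethlen + (size_t)iplen) {
        return;
    }
#ifdef FREEBSD
    ipheader = (struct ip *)(pkt + ethlen);
    if (ipheader->ip_p != IPPROTO_UDP) {
        return;
    }
    ip_hdr_len = (size_t)ipheader->ip_hl * 4;
#else
    ipheader = (struct iphdr *)(pkt + ethlen);
    if (ipheader->protocol != IPPROTO_UDP) {
        return;
    }
    ip_hdr_len = (size_t)ipheader->ihl * 4;
#endif
    /* Honour IP options (the old code assumed a 20-byte header) and
     * reject an IHL smaller than the minimum header. */
    if (ip_hdr_len < (size_t)iplen) {
        return;
    }

    off = (size_t)ethlen + ip_hdr_len;
    if (caplen < off + (size_t)udplen) {
        return;
    }
    udpheader = (struct udphdr *)(pkt + off);
#ifdef FREEBSD
    spt = ntohs(udpheader->uh_sport);
    dpt = ntohs(udpheader->uh_dport);
    udp_len = ntohs(udpheader->uh_ulen);
#else
    spt = ntohs(udpheader->source);
    dpt = ntohs(udpheader->dest);
    udp_len = ntohs(udpheader->len);
#endif

    /* -p 0 means "disabled"; never let a dst port of 0 match it. */
    if (!((spt + dpt) == magic || (static_port != 0 && dpt == static_port))) {
        return;
    }

    /*
     * Payload length comes from the UDP length field, clamped to what was
     * captured.  Using caplen alone (as before) also decrypted Ethernet
     * padding on short frames into the record file.
     */
    if (udp_len < (size_t)udplen) {
        return;
    }
    avail = caplen - off - (size_t)udplen;
    size = udp_len - (size_t)udplen;
    if (size > avail) {
        size = avail;
    }
    if (size < sizeof(id)) {
        return;              /* not even a sender ID */
    }
    if (size > sizeof(buff)) {
        fprintf(stderr, "dropping %zu-byte record (src port %d): exceeds %zu-byte buffer\n",
                size, spt, sizeof(buff));
        return;
    }
    payload = pkt + off + udplen;

    /* Fresh all-zero IV per record, as the protocol requires. */
    memset(sched, 0, sizeof(sched));
    BF_cfb64_encrypt(payload, buff, (long)size, &key, sched, &num, BF_DECRYPT);

    memcpy(&id, buff, sizeof(id));
    if (id == 0x00000000) {
        return;
    }

    /*
     * The ID is byte-swapped before formatting, as in the original; this
     * presumably matches how the kernel module stores it — verify against
     * the module.  inet_ntoa() yields only digits and dots, so although the
     * ID is attacker-controlled the filename cannot leave the working dir.
     */
    address.s_addr = ntohl(id);
    fname = inet_ntoa(address);
    datalen = size - sizeof(id);

    f = fopen(fname, "a");
    if (f == NULL) {
        fprintf(stderr, "fopen %s: %s\n", fname, strerror(errno));
        return;
    }
    printf("write %s: %zu bytes\n", fname, datalen);
    if (fwrite(buff + sizeof(id), 1, datalen, f) != datalen) {
        fprintf(stderr, "short write to %s\n", fname);
    }
    fflush(f);
    if (fclose(f) != 0) {
        fprintf(stderr, "fclose %s: %s\n", fname, strerror(errno));
    }
    f = NULL;
}

/* Print usage and exit(0). */
void help(void)
{
    printf("Sebek Sniffer\n");
    printf(" -d <device>\n");
    printf(" -S log syslog packets\n");
    printf(" -p <dest port to look for>\n");
    printf(" -m <MAGIC number>\n");
    printf(" -s <symmetric key> enable sebek monitoring\n");
    printf(" -h This screen\n");
    exit(0);
}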