1 /* $Id: ssp_snmp_interface_down.c,v 2.3 2009/11/27 01:39:40 fknobbe Exp $
2  *
3  * Copyright (c) 2005-2008 Ali BASEL <ali@basel.name.tr>
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  * 1. Redistributions of source code must retain the above copyright
10  *    notice, this list of conditions and the following disclaimer.
11  * 2. Redistributions in binary form must reproduce the above copyright
12  *    notice, this list of conditions and the following disclaimer in the
13  *    documentation and/or other materials provided with the distribution.
14  *
15  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25  * SUCH DAMAGE.
26  *
27  *
28  * ssp_snmp_interface_shutdown.c
29  *
30  * Purpose:
31  *
32  * This SnortSam plugin calls the trackersnmp program of the tracker (http://www.basel.name.tr) to
33  * shut down the switch ports of local intruders, thereby blocking their IP addresses.
34  *
35  */
36 
37 #ifndef		__SSP_SNMPINTERFACEDOWN_C__
38 #define		__SSP_SNMPINTERFACEDOWN_C__
39 
40 
41 #include "snortsam.h"
42 #include "ssp_snmp_interface_down.h"
43 
44 
45 #include <stdio.h>
46 #include <string.h>
47 
48 
49 /* Parsing config options
50 */
/*
 * Parse the plugin's configuration line.
 *
 * val            - option string; it is split in place (whitespace after each
 *                  token is overwritten with NUL).
 * file, line     - config file name and line number, used only in the warning.
 * plugindatalist - receives the freshly allocated SNMPINTERFACEDOWNDATA in
 *                  its ->data member.
 *
 * The token "log" (case-insensitive) sets logflag; any other token is stored
 * as the path of the trackersnmp executable, so the last such token wins and
 * a path containing whitespace cannot be expressed.
 *
 * NOTE(review): the stored path is later placed unquoted into a command line
 * that SNMPINTERFACEDOWNBlock hands to system(). Shell metacharacters in it
 * are interpreted by the shell, and the bare "trackersnmp" fallback is found
 * through the PATH of the running process. The config file therefore needs
 * the same write protection as the binary; an absolute path is the safer
 * setting.
 */
void SNMPINTERFACEDOWNParse(char *val, char *file, unsigned long line, DATALIST *plugindatalist)
{
	char msg[STRBUFSIZE+2];
	char *tok_end;
	SNMPINTERFACEDOWNDATA *cfg=NULL;

#ifdef FWSAMDEBUG
	printf("Debug: [snmp_interface_down] Plugin Parsing...\n");
#endif

	/* Allocate the per-plugin data and hook it into the plugin list entry */
	cfg=(SNMPINTERFACEDOWNDATA *)safemalloc(sizeof(SNMPINTERFACEDOWNDATA),"SNMPDOWNParse","snmpinterfacedownp");
	plugindatalist->data=cfg;

	/* Defaults: no path given yet, logging off */
	cfg->trackersnmppath[0]=0;
	cfg->logflag=FALSE;

	/* Walk the whitespace-separated options */
	while(*val)
	{
		/* Find the end of the current token and terminate it */
		for(tok_end=val; *tok_end && !myisspace(*tok_end); tok_end++)
			;
		if(*tok_end)
			*tok_end++ =0;

		if(stricmp(val,"log")==0)
			cfg->logflag=TRUE;	/* "log" switches logging on */
		else
			safecopy(cfg->trackersnmppath, val);	/* anything else is taken as the trackersnmp path */

		/* Continue after the token, skipping the separating whitespace */
		for(val=tok_end; *val && myisspace(*val); val++)
			;
	}

	if(cfg->trackersnmppath[0]==0)
	{
		/* No path configured: warn and fall back to the bare program name */
		snprintf(msg,sizeof(msg)-1,"Warning: [%s: %lu] No trackersnmp executable specified. Using just \"trackersnmp\" by default (and hope it's in the path...)",file,line);
		safecopy(cfg->trackersnmppath,"trackersnmp");
		logmessage(2,msg,"snmp_interface_down",0);
	}
	else
	{
		snprintf(msg,sizeof(msg)-1,"snmp_interface_down: Will call '%s' to initiate blocks%s.",cfg->trackersnmppath, cfg->logflag?" with logging":"");
		logmessage(3,msg,"snmp_interface_down",0);
	}
}
93 
94 
95 /* This routine initiates the block by calling trackersnmp
96 */
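/*
 * Shut down (block) or re-enable (unblock) the switch port behind
 * bd->blockip by running the configured trackersnmp program.
 *
 * bd   - block request; bd->block selects "shut" (non-zero) or "noshut".
 * data - SNMPINTERFACEDOWNDATA filled in by SNMPINTERFACEDOWNParse; the call
 *        is a no-op when it is NULL.
 * qp   - unused here.
 *
 * The command line is built as "<path> <ip> <pref> <action>" and executed
 * with system(), i.e. through the shell. A command that does not fit into
 * the buffer is refused rather than run in truncated form, because the
 * action word is the last argument and would be the first thing lost.
 */
void SNMPINTERFACEDOWNBlock(BLOCKINFO *bd,void *data,unsigned long qp)
{
	char cmd[STRBUFSIZE+2],msg[STRBUFSIZE+2];
	/* NOTE(review): site-specific host and mail address are compiled in;
	 * other deployments have to edit this constant. */
	const char pref[]="ldap do nostdout host scanner.sabanciuniv.edu to netadmin@scanner.sabanciuniv.edu ";
	const char *action;
	int len;
	SNMPINTERFACEDOWNDATA *snmpinterfacedownp;

	if(!data) return;
	snmpinterfacedownp=(SNMPINTERFACEDOWNDATA *)data;

	/* Both directions use the same command; only the last word differs */
	action=bd->block?"shut":"noshut";

	/* NOTE(review): trackersnmppath comes from the config file and is not
	 * quoted or escaped, so the shell interprets any metacharacters in it.
	 * inettoa() presumably yields dotted-quad text (confirm); if so the
	 * address part cannot carry shell syntax. */
	len=snprintf(cmd,sizeof(cmd)-1,"%s %s %s %s", snmpinterfacedownp->trackersnmppath, inettoa(bd->blockip), pref, action);
	if(len<0 || (size_t)len>=sizeof(cmd)-1) {
		/* Never hand a cut-off command line to the shell */
		snprintf(msg,sizeof(msg)-1,"Error: Command for %s (%s) too long, not executed", inettoa(bd->blockip), action);
		msg[sizeof(msg)-1]=0;
		logmessage(1,msg,"snmpinterfacedown",0);
		return;
	}
	logmessage(2, cmd, "snmp_interface_down",0);

	/* Run the command; any non-zero status from system() counts as failure */
	if( system(cmd) )
		snprintf(msg,sizeof(msg)-1,"Error: Command \"%s\" Failed", cmd);
	else
		snprintf(msg,sizeof(msg)-1,"Info: Command \"%s\" Executed Successfully", cmd);
	/* The size passed above leaves the last byte untouched; setting it keeps
	 * msg terminated even if the platform's snprintf does not terminate on
	 * truncation. */
	msg[sizeof(msg)-1]=0;
	logmessage(1, msg, "snmpinterfacedown",0);
}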
141 
142 #endif /* __SSP_SNMPINTERFACEDOWN_C__ */
143