1 /* $Id: ssp_8signs.c,v 2.3 2008/04/26 19:53:21 fknobbe Exp $
2 *
3 *
4 * Copyright (c) 2004-2008 Frank Knobbe <frank@knobbe.us>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 *
28 *
29 * ssp_8signs.c
30 *
31 * Purpose:
32 *
33 * This SnortSam plugin calls the dfw.exe program of the 8Signs firewall to
34 * block/unblock IP addresses.
35 *
36 */
37
38 #if defined(WIN32)
39
40 #ifndef __SSP_8SIGNS_C__
41 #define __SSP_8SIGNS_C__
42
43
44 #include "snortsam.h"
45 #include "ssp_8signs.h"
46
47 #include <stdio.h>
48 #include <string.h>
49
50
51 /* Parsing config options
52 */
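/**
 * DFWParse - parse this plugin's config line: "<path-to-dfw.exe> [tarpit]".
 *
 * @param val            Config text following the plugin keyword. Modified in
 *                       place: token separators are overwritten with NUL.
 * @param file           Config file name, used only in the error message.
 * @param line           Config line number, used only in the error message.
 * @param plugindatalist Receives the result in ->data: a heap string whose
 *                       first byte is a flag ('t' = tarpit, 'n' = no tarpit)
 *                       followed by the executable path. It is allocated with
 *                       safemalloc() and later consumed by DFWBlock() through
 *                       the data pointer; it is never freed here.
 *
 * When no path is given an error (level 1) is logged and ->data is left
 * untouched. Any trailing word other than "tarpit" is silently ignored.
 */
void DFWParse(char *val,char *file,unsigned long line,DATALIST *plugindatalist)
{
    char *filename,*p2,msg[STRBUFSIZE+2];

#ifdef FWSAMDEBUG
    printf("Debug: [8signs] Plugin Parsing...\n");
#endif

    if(*val)
    {
        /* First token is the path of dfw.exe; NUL-terminate it in place. */
        p2=val;
        while(*p2 && !myisspace(*p2))
            p2++;
        if(*p2)
            *p2++ =0;

        /* One extra byte in front of the path carries the tarpit flag. */
        filename=safemalloc(strlen(val)+2,"DFWParse","filename");
        strcpy(filename+1,val);     /* save executable path/name */
        *filename='n';              /* Flag for NO TARPIT */
        plugindatalist->data=filename;

        if(*p2)
        {
            val=p2;
            while(*val && myisspace(*val))  /* skip whitespace before the option */
                val++;
            /* Was "if(val)", which is always true for a pointer; only a
             * non-empty remainder can carry the "tarpit" option. */
            if(*val)
            {
                p2=val;
                while(*p2 && !myisspace(*p2))
                    p2++;
                *p2=0;
                if(!stricmp(val,"tarpit"))
                    *filename='t';
            }
        }

        snprintf(msg,sizeof(msg)-1,"8signs: Will call '%s' to initiate blocks%s.",filename+1, *filename=='t'?" with tarpit":"");
        /* Older MSVC runtimes map snprintf to _snprintf, which leaves the
         * buffer unterminated on truncation; the explicit terminator covers
         * that case (the count of sizeof-1 leaves this byte free). */
        msg[sizeof(msg)-1]=0;
        logmessage(3,msg,"8signs",0);
    }
    else
    {
        snprintf(msg,sizeof(msg)-1,"Error: [%s: %lu] No dfw.exe executable specified.",file,line);
        msg[sizeof(msg)-1]=0;
        logmessage(1,msg,"8signs",0);
    }
}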
93
94
95 /* This routine initiates the block by calling dfw.exe.
96 */
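/**
 * DFWBlock - add or remove a ban on bd->blockip by running dfw.exe.
 *
 * @param bd   Block request: ->block selects -ban vs. -unban, ->blockip is the
 *             address (rendered by inettoa()), ->sig_id is quoted in the ban
 *             reason.
 * @param data Flag+path string produced by DFWParse() (first byte 't' adds
 *             -tarpit, the path starts at data+1). Nothing is done when NULL.
 * @param qp   Not used by this plugin.
 *
 * The command line goes through system() because "start /low /min" is a
 * cmd.exe builtin (a direct spawn would not honour it). The configured path
 * is inserted unquoted, so a path containing spaces or cmd.exe
 * metacharacters will not run as intended; the config file is trusted and
 * not validated here. If the formatted command does not fit in cmd[] the
 * request is logged as an error and skipped rather than executing a
 * truncated command.
 */
void DFWBlock(BLOCKINFO *bd,void *data,unsigned long qp)
{
    char cmd[STRBUFSIZE+2],*filename;
    const char pref[]="start /low /min ";
    int n;
#ifdef FWSAMDEBUG
    unsigned long threadid=GetCurrentThreadId();
#endif

    if(!data)
        return;
    filename=(char *)data;

    if(bd->block)
        n=snprintf(cmd,sizeof(cmd)-1,"%s%s -ban %s -expiry n %s -reason \"Blocked by Snort SID %lu\"",pref,filename+1,inettoa(bd->blockip),*filename=='t'?"-tarpit":"",bd->sig_id);
    else
        n=snprintf(cmd,sizeof(cmd)-1,"%s%s -unban %s",pref,filename+1,inettoa(bd->blockip));

    /* Pre-C99 MSVC _snprintf returns -1 and leaves cmd unterminated on
     * truncation; C99 snprintf returns the would-be length. Refuse both
     * rather than hand a cut-off command line to the shell. */
    if(n<0 || (size_t)n>=sizeof(cmd)-1)
    {
        snprintf(cmd,sizeof(cmd)-1,"Error: [8signs] dfw.exe command line for %s is too long, request not executed.",inettoa(bd->blockip));
        cmd[sizeof(cmd)-1]=0;
        logmessage(1,cmd,"8signs",0);
        return;
    }

#ifdef FWSAMDEBUG
    printf("Debug: [8signs][%lx] Calling: %s\n",threadid,cmd);
#endif

    system(cmd);
}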
119
120
121 #endif /* __SSP_8SIGNS_C__ */
122 #endif /* WIN32 */
123