Now we save attack details in separate files

2014-12-05 14:02:46 +03:00 · 2014-12-05 14:02:46 +03:00 · 2b723a1eb8
parent 0e14d3437d
commit 2b723a1eb8
1 changed files with 71 additions and 13 deletions
--- a/fastnetmon.cpp
+++ b/fastnetmon.cpp
@ -12,6 +12,7 @@

 #include <sys/socket.h>
 #include <sys/resource.h>
+#include <sys/stat.h>
 #include <arpa/inet.h>
 #include <netinet/ip.h>
 #include <netinet/tcp.h>
@ -168,6 +169,7 @@ unsigned int ban_details_records_count = 500;
 // log file
 log4cpp::Category& logger = log4cpp::Category::getRoot();
 string log_file_path = "/var/log/fastnetmon.log";
+string attack_details_folder = "/var/log/fastnetmon_attacks";

 /* Configuration block ends */

@ -376,6 +378,10 @@ bool we_do_real_ban = true;
 #ifdef HWFILTER_LOCKING
 void block_all_traffic_with_82599_hardware_filtering(string client_ip_as_string);
 #endif
+
+void print_attack_details_to_file(string details, string client_ip_as_string,  attack_details current_attack);
+bool folder_exists(string path);
+string print_time_t_in_fastnetmon_format(time_t current_time);
 string print_ban_thresholds();
 bool load_configuration_file();
 std::string print_flow_tracking_for_ip(conntrack_main_struct& conntrack_element, string client_ip);
@ -396,7 +402,7 @@ string convert_timeval_to_date(struct timeval tv);
 void free_up_all_resources();
 void main_packet_process_task();
 unsigned int get_cidr_mask_from_network_as_string(string network_cidr_format);
-string send_ddos_attack_details();
+string print_ddos_attack_details();
 void execute_ip_ban(uint32_t client_ip, unsigned int in_pps, unsigned int out_pps, unsigned int in_bps, unsigned int out_bps, unsigned int in_flows, unsigned int out_flows, string flow_attack_details);
 direction get_packet_direction(uint32_t src_ip, uint32_t dst_ip, unsigned long& subnet);
 void recalculate_speed();
@ -1678,7 +1684,7 @@ void calculation_programm() {

    if (!ban_list.empty()) {
        output_buffer<<endl<<"Ban list:"<<endl;  
-        output_buffer<<send_ddos_attack_details();
+        output_buffer<<print_ddos_attack_details();
    }
 
    printw( (output_buffer.str()).c_str());
@ -1741,6 +1747,19 @@ void init_logging() {
    logger.info("Logger initialized!");
 }

+bool folder_exists(string path) {
+    if (access(path.c_str(), 0) == 0) {
+        struct stat status;
+        stat(path.c_str(), &status);
+
+        if (status.st_mode & S_IFDIR) {
+            return true;
+        }
+    }
+
+    return false;
+}
+
 int main(int argc,char **argv) {
    lookup_tree = New_Patricia(32);
    whitelist_tree = New_Patricia(32);
@ -1759,12 +1778,22 @@ int main(int argc,char **argv) {

    init_logging();

+    /* Create folder for attack details */
+    if (!folder_exists(attack_details_folder)) {
+        int mkdir_result = mkdir(attack_details_folder.c_str(), S_IRWXU);
+
+        if (mkdir_result != 0) {
+            logger<<log4cpp::Priority::INFO<<"Can't create folder for attack details: "<<attack_details_folder;
+            exit(1);
+        }
+    }
+
    if (getenv("DUMP_ALL_PACKETS") != NULL) {
        DEBUG_DUMP_ALL_PACKETS = true;
    }

    if (sizeof(packed_conntrack_hash) != sizeof(uint64_t) or sizeof(packed_conntrack_hash) != 8) {
-        logger<< log4cpp::Priority::INFO<<"Asserion about size of packed_conntrack_hash, it's "<<sizeof(packed_conntrack_hash)<<" instead 8";
+        logger<< log4cpp::Priority::INFO<<"Assertion about size of packed_conntrack_hash, it's "<<sizeof(packed_conntrack_hash)<<" instead 8";
        exit(1);
    }
 
@ -2320,15 +2349,15 @@ void execute_ip_ban(uint32_t client_ip, unsigned int in_pps, unsigned int out_pp
    block_all_traffic_with_82599_hardware_filtering(client_ip_as_string);
 #endif

+    string full_attack_description = get_attack_description(client_ip, current_attack) + flow_attack_details;
+    print_attack_details_to_file(full_attack_description, client_ip_as_string, current_attack);
+
    if (file_exists(notify_script_path)) {
-        string script_call_params = notify_script_path + " " + client_ip_as_string + " " +
-            data_direction_as_string + " " + pps_as_string + " ban";
-     
+        string script_call_params = notify_script_path + " " + client_ip_as_string + " " + data_direction_as_string + " " + pps_as_string + " ban";
        logger<<log4cpp::Priority::INFO<<"Call script for ban client: "<<client_ip_as_string; 

        // We should execute external script in separate thread because any lag in this code will be very distructive 
-        boost::thread exec_thread(exec_with_stdin_params, script_call_params,
-            get_attack_description(client_ip, current_attack) + flow_attack_details);
+        boost::thread exec_thread(exec_with_stdin_params, script_call_params, full_attack_description);
        exec_thread.detach();

        logger<<log4cpp::Priority::INFO<<"Script for ban client is finished: "<<client_ip_as_string;
@ -2441,7 +2470,19 @@ void cleanup_ban_list() {
    }
 }

-string send_ddos_attack_details() {
+string print_time_t_in_fastnetmon_format(time_t current_time) {
+    struct tm* timeinfo;
+    char buffer[80];
+
+    timeinfo = localtime (&current_time);
+
+    strftime (buffer, sizeof(buffer), "%d_%m_%y_%H:%M:%S", timeinfo);
+    puts (buffer);
+
+    return std::string(buffer);
+}
+
+string print_ddos_attack_details() {
    stringstream output_buffer;

    for( map<uint32_t,banlist_item>::iterator ii=ban_list.begin(); ii!=ban_list.end(); ++ii) {
@ -2452,7 +2493,7 @@ string send_ddos_attack_details() {
        string max_pps_as_string = convert_int_to_string(((*ii).second).max_attack_power);
        string attack_direction = get_direction_name(((*ii).second).attack_direction);

-        output_buffer<<client_ip_as_string<<"/"<<max_pps_as_string<<" pps "<<attack_direction<<endl;
+        output_buffer<<client_ip_as_string<<"/"<<max_pps_as_string<<" pps "<<attack_direction<<" at "<<print_time_t_in_fastnetmon_format(ii->second.ban_timestamp)<<endl;

        send_attack_details(client_ip, (*ii).second);
    }
@ -2520,8 +2561,9 @@ void send_attack_details(uint32_t client_ip, attack_details current_attack_detai
            <<") for protocol: "<< get_protocol_name_by_number(max_proto->first)<<"\n";
        
        logger<<log4cpp::Priority::INFO<<"Attack with direction: "<<attack_direction<<
-            " IP: "<<client_ip_as_string<<" Power: "<<pps_as_string;
-        logger<<log4cpp::Priority::INFO<<attack_details.str();
+            " IP: "<<client_ip_as_string<<" Power: "<<pps_as_string<<" traffic sampel collected";
+
+        print_attack_details_to_file(attack_details.str(), client_ip_as_string, current_attack_details);

        // Pass attack details to script
        if (file_exists(notify_script_path)) {
@ -2566,7 +2608,7 @@ int extract_bit_value(uint8_t num, int bit) {

 string print_tcp_flags(uint8_t flag_value) {
    if (flag_value == 0) {
-        return "";
+        return "-";
    }

    // cod from pfring.h
@ -2837,3 +2879,19 @@ string print_ban_thresholds() {
    return output_buffer.str();
 }

+void print_attack_details_to_file(string details, string client_ip_as_string,  attack_details current_attack) { 
+    ofstream my_attack_details_file;
+
+    string ban_timestamp_as_string = print_time_t_in_fastnetmon_format(current_attack.ban_timestamp); 
+    string attack_dump_path =attack_details_folder + "/" + client_ip_as_string + "_" + ban_timestamp_as_string;
+
+    my_attack_details_file.open(attack_dump_path.c_str(), ios::app);
+
+    if (my_attack_details_file.is_open()) {
+        my_attack_details_file << details << "\n\n"; 
+        my_attack_details_file.close();
+    } else {
+        logger<<log4cpp::Priority::INFO<<"Can't print attack details to file";
+    }    
+}
+