Improved logging mechanism

README

@@ -1,6 +1,6 @@
-Portspoof overview
+Portspoof software overview
 
-Short description
+Short description:
 
 	The portspoof program is designed to enhance OS security through emulation of legitimate service signatures on otherwise closed ports. 
 	It is meant to be a lightweight, fast, portable and secure addition to the any firewall system or security infrastructure.
@@ -10,13 +10,11 @@ Short description
 	 General benefits of using this software are:
 	 - Protection against well known port scanners (all scanning results are chaotic and difficult to interpret)
 	 - Possibility to use your current firewall rules to decide for which hosts "port spoofing" applies
-	 - 
+	 - Port scanning detection functionality
 	
 	http://portspoof.duszynski.eu
 	
-	Author:
-	Piotr Duszynski (piotr@duszynski.eu)
-	Twitter: @drk1wi
+	Author: Piotr Duszynski (piotr@duszynski.eu) # Follow me at @drk1wi
 
 License
 

src/connection.c

@@ -40,6 +40,7 @@
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/ioctl.h>
+#include <time.h> 
 
 #ifdef OPENBSD
 
@@ -254,6 +255,9 @@ void process_connection(void *arg)
 	char buffer;
 	int original_port=DEFAULT_PORT;
 	int n = 0;
+	time_t timestamp;
+	struct sockaddr_in peer_sockaddr;
+	int peer_sockaddr_len=sizeof(struct sockaddr_in);
 	
 	while(1) {
 
@@ -264,14 +268,44 @@ void process_connection(void *arg)
 			if(threads[tid].clients[i] != 0)
 			{
 		     
+				timestamp = time(NULL); 
+				
 			 	n = recv(threads[tid].clients[i], &buffer,1, 0);			
 			
 				// deal with different recv buffer size
 				if(n == 0){
 				
+					#ifdef OPENBSD
 					
+					if ( getpeername(threads[tid].clients[i], (struct sockaddr *) &peer_sockaddr, &peer_sockaddr_len)){
+								perror("Getsockopt failed");
+								goto close_socket;
+					}
+					else
+					original_port=get_original_port(peer_sockaddr.sin_addr,peer_sockaddr.sin_port);
+					
+					#else
+					
+					if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr*)&peer_sockaddr, &peer_sockaddr_len )){
+								perror("Getsockopt failed");
+								goto close_socket;
+							}
+					else
+					original_port = ntohs(peer_sockaddr.sin_port);
+					
+					#endif
+				
+					//LOG
+					char* msg=malloc(MAX_LOG_MSG_LEN);
+					memset(msg,0,MAX_LOG_MSG_LEN);
+					snprintf(msg,MAX_LOG_MSG_LEN,"%d # Port_probe # REMOVING_SOCKET # source_ip:%s # dst_port:%d  \n",(int)timestamp,(char*)inet_ntoa(peer_sockaddr.sin_addr),original_port);//" port:%d src_ip%s\n", original_port,;
+					log_write(msg);
+					free(msg);
+					//
+				
+					close_socket:
 					if(opts & OPT_DEBUG)
-				fprintf(stderr,"client %d closed connection 0\n", threads[tid].clients[i]);
+					fprintf(stderr,"Thread nr. %d : client %d closed connection\n",tid, threads[tid].clients[i]);
 				
 	        		close(threads[tid].clients[i]);
 				
@@ -284,17 +318,47 @@ void process_connection(void *arg)
 				}
 				else if(n < 0){
 
+						
 					if(errno == EAGAIN)
 					{
 						continue; // Nmap NULL probe (no data) -> skip && go to another socket (client)
 					}
 					else if(errno == 104) // Client terminted connection -> get rid of the socket now!
-					{
-						close(threads[tid].clients[i]); 			
-					}
+					{}
 					else
 					fprintf(stderr,"errno: %d\n", errno);    
 					
+					#ifdef OPENBSD
+					
+					if ( getpeername(threads[tid].clients[i], (struct sockaddr *) &peer_sockaddr, &peer_sockaddr_len)){
+								perror("Getsockopt failed");
+								goto close_socket2;
+					}
+					else
+					original_port=get_original_port(peer_sockaddr.sin_addr,peer_sockaddr.sin_port);
+					
+					#else
+					
+					if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr*)&peer_sockaddr, &peer_sockaddr_len )){
+								perror("Getsockopt failed");
+								goto close_socket2;
+							}
+					else
+					original_port = ntohs(peer_sockaddr.sin_port);
+					
+					#endif
+				
+					//LOG
+					char* msg=malloc(MAX_LOG_MSG_LEN);
+					memset(msg,0,MAX_LOG_MSG_LEN);
+					snprintf(msg,MAX_LOG_MSG_LEN,"%d # Port_probe # REMOVING_SOCKET # source_ip:%s # dst_port:%d  \n",(int)timestamp,(char*)inet_ntoa(peer_sockaddr.sin_addr),original_port);//" port:%d src_ip%s\n", original_port,;
+					log_write(msg);
+					free(msg);
+					//	
+					
+					close_socket2:
+					close(threads[tid].clients[i]); 			
+					
 					pthread_mutex_lock(&new_connection_mutex);
 					threads[tid].clients[i] = 0;
 					threads[tid].client_count--;
@@ -304,28 +368,31 @@ void process_connection(void *arg)
 				else
 				{
 					
-				struct sockaddr_in peer_sockaddr;
-				int peer_sockaddr_len=sizeof(struct sockaddr_in);
 
 				#ifdef OPENBSD
 				//  BSD
 				getpeername(threads[tid].clients[i], (struct sockaddr *) &peer_sockaddr, &peer_sockaddr_len);
 				original_port=get_original_port(peer_sockaddr.sin_addr,peer_sockaddr.sin_port);
+				//
 				#else
+				// Linux
 				if ( getsockopt (threads[tid].clients[i], SOL_IP, SO_ORIGINAL_DST, (struct sockaddr*)&peer_sockaddr, &peer_sockaddr_len ))
 						perror("Getsockopt failed");
 				original_port = ntohs(peer_sockaddr.sin_port);
+				//
 				#endif
 							  	
+				//LOG
 				char* msg=malloc(MAX_LOG_MSG_LEN);
 				memset(msg,0,MAX_LOG_MSG_LEN);
-				snprintf(msg,MAX_LOG_MSG_LEN,"Connection_attempt: source_ip:%s dst_port:%d  \n",(char*)inet_ntoa(peer_sockaddr.sin_addr),original_port);//" port:%d src_ip%s\n", original_port,;
+				snprintf(msg,MAX_LOG_MSG_LEN,"%d # Service_probe # SIGNATURE_SEND # source_ip:%s # dst_port:%d  \n",(int)timestamp,(char*)inet_ntoa(peer_sockaddr.sin_addr),original_port);//" port:%d src_ip%s\n", original_port,;
 				log_write(msg);
 				free(msg);
+				//
 			
 			  	if(opts & OPT_DEBUG)
 				{
-					fprintf(stderr,"\n---\nThread nr.%d for port %d \n", tid,original_port);//: rcv from %s:%d\n", (int)tid,inet_ntoa(peer_sockaddr.sin_addr), ntohs(peer_sockaddr.sin_port));
+					fprintf(stderr,"\n---\nThread nr.%d for port %d \n", tid,original_port);
 				}
 			
 				str=((signature*)(arr_lines2[signatures[original_port]]))->cptr;
@@ -350,6 +417,8 @@ void process_connection(void *arg)
 				
 				}
 				
+				
+				
 				if(send(threads[tid].clients[i], str, len,0)==-1)
 					perror("Send to socket failed");
 				

src/log.c

@@ -36,9 +36,12 @@ void log_write(char* msg) {
 		
 	}	
 	
+	if(!(opts & OPT_SYSLOG_DIS))
+	{
 	openlog("portspoof", LOG_PID|LOG_CONS, LOG_USER);
- 	syslog(LOG_INFO,"portspoof: %s",msg);
+ 	syslog(LOG_INFO," %s",msg);
  	closelog();
+	}
 	pthread_mutex_unlock(&log_mutex);
 	
 	return;

src/portspoof.c

@@ -106,6 +106,7 @@ usage(void)
 	  "-p			  bind to a user defined port number\n"
 	  "-f			  use user defined signture file\n"
 	  "-l			  log port scanning alerts to a file\n"
+		  "-d			  disable syslog\n"
 	  "-t			  number of threads\n"
 	  "-c			  length of client queue per thread\n"
 	  "-v			  be verbose\n"
@@ -157,7 +158,7 @@ int main(int argc, char **argv)
 	
 	
 	
-	while ((ch = getopt(argc, argv,"l:i:p:f:t:c:dh")) != -1) {
+	while ((ch = getopt(argc, argv,"l:i:p:f:t:c:dvh")) != -1) {
 		switch (ch) {
 		case 'i':
 			bind_ip = optarg;
@@ -171,10 +172,14 @@ int main(int argc, char **argv)
 			signature_file  = optarg;
 			opts |= OPT_SIG_FILE;
 			break;
-		case 'd':
+		case 'v':
 			opts |= OPT_DEBUG;
 			printf("-> Verbose mode on.\n");
 			break;
+		case 'd':
+			opts |= OPT_SYSLOG_DIS;
+			printf("-> Syslog logging disabled.\n");
+			break;
 		case 'l':
 			opts |= OPT_LOG_FILE;
 			log_file  = optarg;
@@ -197,7 +202,7 @@ int main(int argc, char **argv)
 	}
 	
 
-	if( !(opts&OPT_IP || opts&OPT_PORT || opts&OPT_SIG_FILE))
+	if( !(opts&OPT_IP || opts&OPT_PORT || opts&OPT_DEBUG || opts&OPT_SIG_FILE || opts&OPT_LOG_FILE || opts&OPT_SYSLOG_DIS))
 	{
 		printf("-> No parameters - using default values.\n");
 	}

src/portspoof.h

@@ -37,7 +37,7 @@
 #define OPT_DEBUG 1<<3
 #define OPT_SIG_FILE 1<<4
 #define OPT_LOG_FILE 1<<5
-
+#define OPT_SYSLOG_DIS 1<<6
 
 #define DEFAULT_PORT 4444
 extern char opts;