Changeset 1486
- Timestamp:
- 04/08/08 14:48:13 (4 months ago)
- Files:
honeyclient/branches/exp/kindlund-simpler_agent/lib/HoneyClient/Manager/VM/Clone.pm
r1472 r1486 539 539 if (($OBJECT_COUNT >= 0) && defined($self->{'config'})) { 540 540 # Signal firewall to deny traffic from this clone. 541 # XXX: Fill this in.541 $self->_denyNetwork(); 542 542 543 543 # Initialize a new handler, but suppress any initial connection errors. … … 725 725 726 726 # Signal firewall to allow traffic from this clone through. 727 # XXX: Test this.728 727 $self->_allowNetwork(); 729 728 … … 858 857 !defined($args{'fingerprint'})) { 859 858 860 # Croak if no valid argument is supplied. 861 $LOG->error("Error: No fingerprint argument supplied."); 862 Carp::croak "Error: No fingerprint argument supplied."; 863 } 864 865 $LOG->info("(" . $self->{'name'} . ") - Inserting Fingerprint Into Database."); 866 # Make sure the fingerprint contains a client_id. 867 $args{'fingerprint'}->{'client_id'} = $self->{'database_id'}; 868 my $fingerprint_id = undef; 869 eval { 870 $fingerprint_id = HoneyClient::Manager::Database::insert_fingerprint($args{'fingerprint'}); 871 }; 872 if ($@ || ($fingerprint_id == 0) || !defined($fingerprint_id)) { 873 $LOG->warn("(" . $self->{'name'} . ") - Failure Inserting Fingerprint: " . $@); 859 # Warn if no valid fingerprint is supplied. 860 $LOG->warn("(" . $self->{'name'} . ") - No valid fingerprint found."); 861 Carp::carp "(" . $self->{'name'} . ") - No valid fingerprint found."; 862 863 # Mark the VM as suspicious, manually. 864 my $dt = DateTime::HiRes->now(time_zone => "local"); 865 HoneyClient::Manager::Database::set_client_suspicious({ 866 client_id => $self->{'database_id'}, 867 compromise => $dt->ymd('-').'T'.$dt->hms(':'), 868 }); 869 874 870 } else { 875 $LOG->info("(" . $self->{'name'} . ") - Database Insert Successful."); 871 872 # Mark the VM as suspicious indirectly, by inserting the fingerprint. 873 874 $LOG->info("(" . $self->{'name'} . ") - Inserting Fingerprint Into Database."); 875 # Make sure the fingerprint contains a client_id. 
876 $args{'fingerprint'}->{'client_id'} = $self->{'database_id'}; 877 my $fingerprint_id = undef; 878 eval { 879 $fingerprint_id = HoneyClient::Manager::Database::insert_fingerprint($args{'fingerprint'}); 880 }; 881 if ($@ || ($fingerprint_id == 0) || !defined($fingerprint_id)) { 882 $LOG->warn("(" . $self->{'name'} . ") - Failure Inserting Fingerprint: " . $@); 883 } else { 884 $LOG->info("(" . $self->{'name'} . ") - Database Insert Successful."); 885 } 876 886 } 877 887 } elsif (/compromised/) { … … 925 935 } 926 936 937 # Mark that the VM has been granted network access. 938 $self->{'_has_network_access'} = 1; 939 927 940 # Build our VM's network connection table. 928 941 # Note: We assume our VM has a single MAC address … … 946 959 947 960 $LOG->info("Allowing VM (" . $self->{'name'} . ") network access."); 961 # XXX: Currently, faults get propagated -- is this okay? 948 962 $self->{'_fw_handle'}->addChain($netTable); 949 963 $self->{'_fw_handle'}->addRules($netTable); … … 961 975 return; 962 976 } 977 978 # Check if the VM even has network access. 979 if (!$self->{'_has_network_access'}) { 980 return; 981 } 982 983 # Mark that the VM has been denied network access. 984 $self->{'_has_network_access'} = 0; 963 985 964 986 # Build our VM's network connection table. … … 973 995 }; 974 996 997 # XXX: This is a defect. The current FW code requires we set a target, but 998 # doesn't care what hostname we provide -- as long as it's resolvable. 999 # However, it *does* care about the target ports, which are hardcoded. 1000 $netTable->{$self->{'name'}}->{'targets'} = { 1001 'www.cnn.com' => { 1002 tcp => [ 80, 443, 3690 ], 1003 }, 1004 }; 1005 975 1006 $LOG->info("Denying VM (" . $self->{'name'} . ") network access."); 1007 # XXX: Currently, faults get propagated -- is this okay? 1008 $self->{'_fw_handle'}->deleteRules($netTable); 976 1009 $self->{'_fw_handle'}->deleteChain($netTable); 977 1010 } … … 1180 1213 # (For testing use only.) 
1181 1214 _bypass_firewall => 0, 1215 1216 # A variable indicating if the cloned VM has been granted 1217 # network access. 1218 _has_network_access => 0, 1182 1219 ); 1183 1220 … … 1203 1240 $self->{'_fw_handle'} = getClientHandle(namespace => "HoneyClient::Manager::FW"); 1204 1241 1205 # XXX: Deletethis, eventually.1242 # TODO: Fix this, eventually. 1206 1243 $LOG->info("Installing default firewall rules."); 1244 # XXX: Currently, faults get propagated -- is this okay? 1207 1245 $self->{'_fw_handle'}->installDefaultRules(); 1208 1246 1209 1247 # Determine if the firewall needs to be bypassed. 1210 1248 if ($self->{'_bypass_firewall'}) { 1249 # XXX: Currently, faults get propagated -- is this okay? 1211 1250 $self->{'_fw_handle'}->allowAllTraffic(); 1212 1251 } … … 1372 1411 1373 1412 # Signal firewall to deny traffic from this clone. 1374 # XXX: Fill this in.1413 $self->_denyNetwork(); 1375 1414 1376 1415 # Extract the VM configuration file. … … 1381 1420 $self->{'config'} = undef; 1382 1421 1383 $LOG-> debug("Suspending clone VM (" . $vmConfig . ").");1422 $LOG->info("Suspending clone VM (" . $vmConfig . ")."); 1384 1423 my $som = $self->{'_vm_handle'}->suspendVM(config => $vmConfig); 1385 1424 … … 1549 1588 $currentWork = _pop($args{'work'}); 1550 1589 1551 $LOG->info("(" . $self->{'name'} . ") - " . $self->{'driver_name'} . " - Driving To Resource: " . $currentWork); 1552 $som = $self->{'_agent_handle'}->drive(driver_name => $self->{'driver_name'}, 1553 parameters => encode_base64($currentWork)); 1554 $result = thaw(decode_base64($som->result())); 1590 # Drive the Agent. 1591 eval { 1592 $LOG->info("(" . $self->{'name'} . ") - " . $self->{'driver_name'} . " - Driving To Resource: " . 
$currentWork); 1593 $som = $self->{'_agent_handle'}->drive(driver_name => $self->{'driver_name'}, 1594 parameters => encode_base64($currentWork)); 1595 $result = thaw(decode_base64($som->result())); 1596 }; 1597 if ($@) { 1598 # We lost communications with the Agent; assume the worst 1599 # and mark the VM as suspicious. 1600 $LOG->warn("(" . $self->{'name'} . ") - Lost Communication with Agent! Assuming Integrity Failure."); 1601 1602 # Suspend and archive the cloned VM. 1603 $self->suspend(); 1604 1605 # If possibile, insert work history. 1606 # XXX: This may need to be changed; we need to mark these URLs differently. 1607 # Technically, the link didn't time out; we lost some sort of communication 1608 # with the Agent, when we tried visiting the link. 1609 $finishedWork->{'links_timed_out'}->{$currentWork} = $result->{'time_at'}; 1610 if (defined($self->{'database_id'})) { 1611 $numWorkInserted = HoneyClient::Manager::Database::insert_history_urls($finishedWork); 1612 $LOG->info($numWorkInserted . " URL(s) Inserted."); 1613 } 1614 1615 # Mark the VM as suspicious. 1616 $self->_changeStatus(status => "suspicious"); 1555 1617 1556 1618 # Figure out if there was a compromise found. 1557 if (scalar(@{$result->{'fingerprint'}->{os_processes}})) {1619 } elsif (scalar(@{$result->{'fingerprint'}->{os_processes}})) { 1558 1620 $LOG->warn("(" . $self->{'name'} . ") - " . $self->{'driver_name'} . " - Integrity Check: FAILED"); 1559 1621 … … 1588 1650 1589 1651 # Create a new clone, if a compromise was found and we still have work to do. 1590 if ( scalar(@{$result->{'fingerprint'}->{os_processes}}) &&1652 if (($self->{'status'} eq "suspicious") && 1591 1653 scalar(%{$args{'work'}})) { 1592 1654 # Be sure to carry over any customizations into the newly created … … 1599 1661 } 1600 1662 1601 # XXX: Add error handling.1663 # TODO: Add more error handling? 1602 1664 1603 1665 return $self;
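Review bot: In _denyNetwork the new `$self->{'_has_network_access'} = 0;` (gutter 984) is assigned before deleteRules/deleteChain run, and the new early return at 979 keys off that flag; since the hunk's own XXX comments say firewall faults are propagated, a deleteRules that dies leaves the clone's rules in place while the flag already says denied, so a later _denyNetwork call (for example from the suspend path at 1413) returns early instead of retrying and the clone keeps network access. The same ordering appears in _allowNetwork, where the `= 1` at 938 precedes addChain/addRules, so a fault there records access that was never actually granted. Consider moving each assignment after the firewall calls succeed: `$self->{'_fw_handle'}->deleteChain($netTable); $self->{'_has_network_access'} = 0;` and `$self->{'_fw_handle'}->addRules($netTable); $self->{'_has_network_access'} = 1;`. Both subs begin and end outside these hunks, so I cannot see whether any caller wraps them in eval; if one does, the flag should still only change on success.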
