Changeset 416
- Timestamp:
- 05/30/07 10:45:14 (1 year ago)
- Files:
-
- honeyclient/branches/exp/mbriggs-db/bin/StartAgent.pl (modified) (5 diffs)
- honeyclient/branches/exp/mbriggs-db/bin/StartManager.pl (modified) (1 diff)
- honeyclient/branches/exp/mbriggs-db/bin/run.sh (copied) (copied from honeyclient/trunk/bin/run.sh)
- honeyclient/branches/exp/mbriggs-db/etc/file_checklist.txt (modified) (1 diff)
- honeyclient/branches/exp/mbriggs-db/etc/honeyclient.xml (modified) (7 diffs)
- honeyclient/branches/exp/mbriggs-db/etc/honeyclient_log.conf (modified) (2 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent.pm (modified) (24 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent/Driver.pm (modified) (4 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent/Driver/Browser.pm (modified) (7 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent/Driver/Browser/FF.pm (modified) (2 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent/Driver/Browser/IE.pm (modified) (3 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent/Integrity.pm (modified) (10 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent/Integrity/Filesystem.pm (copied) (copied from honeyclient/trunk/lib/HoneyClient/Agent/Integrity/Filesystem.pm)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent/Integrity/Registry.pm (modified) (29 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent/Integrity/Registry/Parser.pm (modified) (13 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent/Integrity/Registry/Parser.yp (modified) (13 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Manager.pm (modified) (17 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Manager/FW.pm (modified) (8 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Manager/VM.pm (modified) (31 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Util/Config.pm (modified) (18 diffs)
- honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Util/SOAP.pm (modified) (6 diffs)
- honeyclient/branches/exp/mbriggs-db/t/honeyclient_agent.t (modified) (1 diff)
- honeyclient/branches/exp/mbriggs-db/t/honeyclient_agent_integrity.t (modified) (2 diffs)
- honeyclient/branches/exp/mbriggs-db/t/honeyclient_agent_integrity_filesystem.t (copied) (copied from honeyclient/trunk/t/honeyclient_agent_integrity_filesystem.t)
- honeyclient/branches/exp/mbriggs-db/t/honeyclient_manager_vm.t (modified) (8 diffs)
- honeyclient/branches/exp/mbriggs-db/t/honeyclient_util_config.t (modified) (1 diff)
- honeyclient/branches/exp/mbriggs-db/t/testVM (deleted)
- honeyclient/branches/exp/mbriggs-db/t/test_filesystem (copied) (copied from honeyclient/trunk/t/test_filesystem)
- honeyclient/branches/exp/mbriggs-db/t/test_vm (copied) (copied from honeyclient/trunk/t/test_vm)
- honeyclient/branches/exp/mbriggs-db/t/testintegrity (deleted)
honeyclient/branches/exp/mbriggs-db/bin/StartAgent.pl
r149 r416 7 7 use Carp (); 8 8 9 use HoneyClient::Util::Config qw(getVar); 9 10 use HoneyClient::Agent; 10 11 use HoneyClient::Util::SOAP qw(getClientHandle); … … 12 13 use MIME::Base64 qw(decode_base64 encode_base64); 13 14 use Storable qw(thaw nfreeze); 15 use Log::Log4perl qw(:easy); 16 17 # The global logging object. 18 our $LOG = get_logger(); 14 19 15 20 our ($stub, $som); … … 18 23 our $agentState = undef; 19 24 my $tempState = undef; 25 our $faultDetected = 0; 20 26 21 27 print "URL: " . $URL. "\n"; … … 35 41 } 36 42 37 print "Watchdog fault detected, recovering Agent daemon.\n"; 43 if (!$faultDetected) { 44 $LOG->error("Watchdog fault detected, recovering Agent daemon."); 45 $faultDetected = 1; 46 } 38 47 # XXX: Reenable this, eventually. 39 #Carp::carp __PACKAGE__ . "->_watchdogFaultHandler(): Error occurred during processing.\n" . $errMsg; 48 $LOG->error(__PACKAGE__ . "->_watchdogFaultHandler(): Error occurred during processing.\n" . $errMsg); 49 Carp::carp __PACKAGE__ . "->_watchdogFaultHandler(): Error occurred during processing.\n" . $errMsg; 40 50 41 51 … … 43 53 # XXX: Sanity check this, eventually. 44 54 HoneyClient::Agent->destroy(); 55 56 # Wait for a small amount of time, in order for the killed process to release 57 # its control of the bound TCP port. 58 sleep 5; 45 59 46 60 $URL = HoneyClient::Agent->init(); honeyclient/branches/exp/mbriggs-db/bin/StartManager.pl
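Review bot: `$faultDetected` is set to 1 on the first watchdog fault and nothing in this hunk resets it after `HoneyClient::Agent->init()` succeeds, so the "Watchdog fault detected, recovering Agent daemon." line is logged only once per process lifetime even though every later fault still runs the destroy/sleep/init recovery; unless it is cleared elsewhere, add `$faultDetected = 0;` after the `$URL = HoneyClient::Agent->init();` line, or document the once-only intent with `# Log the recovery banner only once per process; later faults are still recovered silently.` The same `$errMsg` is also emitted twice on consecutive lines, once via `$LOG->error(...)` and once via `Carp::carp`, which doubles every fault in the Screen appender. The fixed `sleep 5` is a guess at port-release time and would benefit from a comment stating the number is empirical. The enclosing `_watchdogFaultHandler` starts before this hunk.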
r149 r416 15 15 use MIME::Base64 qw(encode_base64 decode_base64); 16 16 17 # Include Getopt Parser 18 use Getopt::Long; 19 17 20 use HoneyClient::Manager; 18 21 19 22 # We expect that the user will supply a single argument to this script. 20 23 # Namely, the initial URL that they want the Agent to use. 24 # They can however supply multiple urls which will be processed in order 25 26 my $driver = "IE"; 27 my $config = "/vm/master-vms/Agent.Master-19/winXPPro.cfg"; 28 my $maxrel = 5; 29 my $nexturl = ""; 30 my $urllist= ""; 31 32 # TODO: Need --help option, along with sanity checking. 33 # TODO: Also need a decent POD for this code. 34 GetOptions('driver=s' => \$driver, 35 'master_vm_config=s' => \$config, 36 'url_list=s' => \$urllist, 37 'max_relative_links:i' => \$maxrel); 38 39 # Go through the list of urls to create the array 40 # Anything not associated with an option is a URL 41 # Grab those first and then get the ones from the file specified 42 my @urls; 43 push( @urls, @ARGV ); 44 if( -e $urllist ){ 45 open URL, $urllist; 46 push(@urls, <URL>); 47 } 48 49 # Get the first url from the list 50 # Create a hashtable in the form: url => 1 for links_to_visit 51 chomp @urls; 52 my $firsturl = shift @urls; 53 my %remaining_urls; 54 foreach(@urls){ 55 # We assign our initial list of URLs a priority of 1000, so that 56 # they'll be (likely to be) selected first, before going to any other 57 # external URLs found from subsequent drive operations. 
58 $remaining_urls{$_} = 1000; 59 } 21 60 22 61 my $agentState = HoneyClient::Manager->run( 23 driver => 'IE', # Change to 'IE' or 'FF'24 master_vm_config => '/vm/Agent.Master-7/winXPPro.cfg',62 driver => $driver, # Change to 'IE' or 'FF' 63 master_vm_config => $config, 25 64 agent_state => encode_base64(nfreeze({ 26 IE=> { # Change to 'IE' or 'FF'27 next_link_to_visit => $ ARGV[0],65 $driver => { # Change to 'IE' or 'FF' 66 next_link_to_visit => $firsturl, 28 67 # Enable this line, if you want to only go to the 29 68 # first 5 links for each domain. 30 max_relative_links_to_visit => 5, 69 max_relative_links_to_visit => $maxrel, 70 links_to_visit => \%remaining_urls, 31 71 }, 32 72 })), honeyclient/branches/exp/mbriggs-db/etc/file_checklist.txt
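Review bot: `open URL, $urllist;` is a two-argument open on a value taken straight from the `--url_list` command-line option, with a bareword handle and no failure check; in two-argument form a value beginning with `>`, `|` or `<` is treated as a mode rather than a file name, and the `-e` test just before it does not prevent that. Replace it with `open my $url_fh, '<', $urllist or die "open $urllist: $!";` and read with `push @urls, <$url_fh>;` followed by `close $url_fh;`. Blank lines in the list file also survive `chomp` and become an empty-string key in `%remaining_urls`; filtering with `@urls = grep { length } @urls;` before the loop avoids feeding that to the Manager.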
r149 r416 1 /cygdrive/c/ WINDOWS/SYSTEM32/1 /cygdrive/c/ honeyclient/branches/exp/mbriggs-db/etc/honeyclient.xml
r414 r416 49 49 <!-- Note: This timeout should be long enough so that the Agent watchdog code will properly let the integrity checking code finish, before detecting a faulty timeout in processing. --> 50 50 <timeout description="Default timeout used for all communications between each module (in seconds)." default="900"> 51 180051 3600 52 52 </timeout> 53 53 <log_config description="The global Log4perl configuration file, used throughout all modules. This setting should not need to be changed." default="etc/honeyclient_log.conf"> 54 54 etc/honeyclient_log.conf 55 55 </log_config> 56 <syslog_address description="The IP address of the syslog server that all logging messages will be sent to by both Agent and Manager processes over UDP port 514." default="10.0.0.1"> 57 10.0.0.1 58 </syslog_address> 56 59 <!-- HoneyClient::Agent Options --> 57 60 <Agent> … … 69 72 <!-- TODO: Update this. --> 70 73 <timeout description="How long the Driver waits during a drive operation, before timing out (in seconds)." default="60"> 71 1074 30 72 75 </timeout> 73 76 <Browser> … … 84 87 -1 85 88 </max_relative_links_to_visit> 86 <goodwords description="A comma-separated list of good words which will increase the score of links within a webpage." default="">89 <goodwords description="A comma-separated list of good words which will increase the score of links within a webpage." default=""> 87 90 news,new,big,latest,main,update,sell,free,buy 88 91 </goodwords> 89 <badwords description="A comma-separated list of bad words which will decrease the score of links within a webpage." default="">92 <badwords description="A comma-separated list of bad words which will decrease the score of links within a webpage." default=""> 90 93 archive,privacy,legal,disclaim,about,contact,copyright,jobs,careers 91 94 </badwords> … … 125 128 <!-- HoneyClient::Agent::Integrity Options --> 126 129 <Integrity> 127 <!-- Files which are read in only. --> 128 <!-- TODO: Update this. 
--> 129 <file_checklist description="The file containing the list of files and directories to check during filesystem checking." default="none"> 130 etc/file_checklist.txt 131 </file_checklist> 132 <!-- TODO: Update this. --> 133 <file_exclude description="The file containing the list of files or directories to exclude if found in subdirectories during filesystem checking." default="none"> 134 ../../../etc/file_exclude.txt 135 </file_exclude> 136 <!-- Files which are written out only. --> 137 <!-- TODO: Update this. --> 138 <clean_file description="File to store hashes for files selected during baseline process."> 139 /tmp/cleanfile.txt 140 </clean_file> 141 <!-- TODO: Update this. --> 142 <change_file description="File to write any found changes to."> 130 <changes_found_file description="When an integrity check fails, all changes will be written to this file within the compromized honeyclient VM's filesystem." default="/tmp/changes.txt"> 143 131 /tmp/changes.txt 144 </change_file> 145 <!-- Files to read and write. --> 146 <!-- TODO: Update this. --> 147 <test_dir description="If you're testing integrity checks, this is the directory that you can specify to minimize testing time. Only the files in this directory will be part of the integrity check."> 148 ../t/testintegrity 149 </test_dir> 132 </changes_found_file> 133 <!-- HoneyClient::Agent::Integrity::Filesystem Options --> 134 <Filesystem> 135 <directories_to_check description="List of base directories on the filesystem to recursively analyze. Use a regular slash (/) instead of a backslash (\) as a directory separator character."> 136 <name>C:/</name> 137 </directories_to_check> 138 <exclude_list description="List of regular expressions that match files/directories to exclude from analysis. These entries match files/directories that change normally during the course of driving the target application. As such, they are excluded from analysis in order to reduce false positives. 
Use a regular slash (/) instead of a backslash (\) as a directory separator character. Never prefix any entry with a carat (^) before the drive letter, such as '^C:/', and never add the regex suffix ($) to the end of an expression, such as 'C:/Temp$'. All comparisons are case-insensitive."> 139 <regex>C:/Documents and Settings/All Users/Application Data/Microsoft/Network/Downloader.*</regex> 140 <regex>C:/Documents and Settings/Administrator/Application Data/Mozilla/Firefox/Profiles.*</regex> 141 <regex>C:/Documents and Settings/Administrator/Cookies.*</regex> 142 <regex>C:/Documents and Settings/Administrator/Local Settings/Application Data/Macromedia/Flash Player.*</regex> 143 <regex>C:/Documents and Settings/Administrator/Local Settings/Application Data/Microsoft/Windows Media.*</regex> 144 <regex>C:/Documents and Settings/Administrator/Local Settings/Application Data/Mozilla/Firefox/Profiles.*</regex> 145 <regex>C:/Documents and Settings/Administrator/Local Settings/History/History.IE5.*</regex> 146 <regex>C:/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5.*</regex> 147 <regex>C:/Documents and Settings/Administrator/Local Settings/Temp</regex> 148 <regex>C:/Documents and Settings/Administrator/Recent.*</regex> 149 <regex>C:/Documents and Settings/Administrator/ntuser.dat.LOG</regex> 150 <regex>C:/Program Files/Mozilla Firefox/active-update.xml</regex> 151 <regex>C:/Program Files/Mozilla Firefox/updates</regex> 152 <regex>C:/WINDOWS/PCHEALTH/HELPCTR/DataColl.*</regex> 153 <regex>C:/WINDOWS/Prefetch.*</regex> 154 <regex>C:/WINDOWS/Debug/UserMode/userenv.log</regex> 155 <regex>C:/WINDOWS/SchedLgU.txt</regex> 156 <regex>C:/WINDOWS/SoftwareDistribution/DataStore.*</regex> 157 <regex>C:/WINDOWS/SoftwareDistribution/ReportingEvents.log</regex> 158 <regex>C:/WINDOWS/SoftwareDistribution/WuRedir.*</regex> 159 <regex>C:/WINDOWS/SYSTEM32/config/SecEvent.evt</regex> 160 <regex>C:/WINDOWS/SYSTEM32/config/SysEvent.evt</regex> 161 
<regex>C:/WINDOWS/SYSTEM32/config/software</regex> 162 <regex>C:/WINDOWS/SYSTEM32/config/software.log</regex> 163 <regex>C:/WINDOWS/SYSTEM32/config/system.LOG</regex> 164 <regex>C:/WINDOWS/SYSTEM32/Macromed/Flash.*</regex> 165 <regex>C:/WINDOWS/SYSTEM32/wbem.*</regex> 166 <regex>C:/WINDOWS/WindowsUpdate.log</regex> 167 <!-- To exclude entries inside cygwin, use the following format. --> 168 <regex>/cygdrive/c/cygwin/tmp.*</regex> 169 <regex>/cygdrive/c/cygwin/home/Administrator/honeyclient.*</regex> 170 </exclude_list> 171 <!-- HoneyClient::Agent::Integrity::Filesystem::Test Options --> 172 <Test> 173 <!-- 174 Note: you should *never* need to change *any* values 175 within this section of the configuration. All contents 176 are *only* used for unit testing. 177 --> 178 <monitor_dir description="The relative path to the test directory, that's used during unit testing." default="t/test_filesystem"> 179 t/test_filesystem 180 </monitor_dir> 181 </Test> 182 </Filesystem> 183 <!-- HoneyClient::Agent::Integrity::Registry Options --> 150 184 <Registry> 185 <hives_to_check description="List of registry hives to analyze."> 186 <name>HKEY_LOCAL_MACHINE</name> 187 <name>HKEY_CLASSES_ROOT</name> 188 <name>HKEY_CURRENT_USER</name> 189 <name>HKEY_USERS</name> 190 <name>HKEY_CURRENT_CONFIG</name> 191 </hives_to_check> 192 <exclude_list description="List of perl regular expressions, each matching one or more registry key directory names to exclude from analysis. These entries match registry key directories that change normally during the course of driving the target application. As such, they are excluded from analysis in order to reduce false positives. 
As in normal regular expressions, each backslash (\) must be escaped (\\) and each regex must not end with any backslash character."> 193 <regex>^HKEY_CURRENT_USER\\SessionInformation.*$</regex> 194 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\ActiveMovie\\devenum.*$</regex> 195 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\IntelliForms$</regex> 196 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\International$</regex> 197 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\International\\CpMRU$</regex> 198 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main$</regex> 199 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing.*$</regex> 200 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\TypedURLs$</regex> 201 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Favorites\\Links.*$</regex> 202 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Start Menu2\\Programs.*$</regex> 203 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume.*$</regex> 204 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.*$</regex> 205 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\.+\\Count.*$</regex> 206 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\.*$</regex> 207 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections.*$</regex> 208 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache.*$</regex> 209 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\DUIBags\\ShellFolders\\.*$</regex> 210 <regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU.*$</regex> 211 
<regex>^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache.*$</regex> 212 <regex>^HKEY_CURRENT_USER\\Volatile Environment$</regex> 213 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Macromedia$</regex> 214 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Macromedia\\FlashPlayer$</regex> 215 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\RNG$</regex> 216 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\BITS$</regex> 217 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\Machine\\Extension-List\\.*$</regex> 218 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\State\\S.+\\Extension-List\\.*$</regex> 219 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\.*$</regex> 220 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WindowsUpdate\\Auto Update.*$</regex> 221 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\.*$</regex> 222 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Prefetcher$</regex> 223 <regex>^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\WgaLogon\\Settings$</regex> 224 <regex>^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\.+\\Parameters\\Tcpip.*$</regex> 225 <regex>^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\Dhcp\\Parameters.*$</regex> 226 <regex>^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\Eventlog\\Application\\ESENT.*$</regex> 227 <regex>^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\SharedAccess\\Epoch.*$</regex> 228 <regex>^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet.+\\Services\\Tcpip\\Parameters\\Interfaces\\.*$</regex> 229 <regex>^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Parameters.*$</regex> 230 <regex>^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Eventlog\\Application\\ESENT.*$</regex> 231 
<regex>^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Epoch$</regex> 232 <regex>^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\.*$</regex> 233 <regex>^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\.+\\Parameters\\Tcpip.*$</regex> 234 <regex>^HKEY_USERS\\.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\.+\\Count.*$</regex> 235 <regex>^HKEY_USERS\\.+\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU.*$</regex> 236 <regex>^HKEY_USERS\\.+\\UNICODE Program Groups.*$</regex> 237 <regex>^HKEY_USERS\\S.+\\SessionInformation$</regex> 238 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\IntelliForms$</regex> 239 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\International$</regex> 240 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\International\\CpMRU$</regex> 241 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\Main$</regex> 242 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing.*$</regex> 243 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Internet Explorer\\TypedURLs$</regex> 244 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\MediaPlayer\\Preferences.*$</regex> 245 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Favorites\\Links.*$</regex> 246 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\Start Menu2\\Programs.*$</regex> 247 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume.*$</regex> 248 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.*$</regex> 249 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\.*$</regex> 250 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections.*$</regex> 251 
<regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache.*$</regex> 252 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\ShellNoRoam\\DUIBags\\ShellFolders\\.*$</regex> 253 <regex>^HKEY_USERS\\S.+\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache.*$</regex> 254 </exclude_list> 151 255 <!-- HoneyClient::Agent::Integrity::Registry::Test Options --> 152 256 <Test> … … 316 420 <!-- HoneyClient::Manager::VM Options --> 317 421 <VM> 318 <!-- TODO: Update this. -->319 422 <!-- Note: This port should be unique and not already in use by other modules, services, or daemons running on the host system. --> 320 423 <port description="The TCP port number that the SOAP server for all Manager modules will listen on for requests." default="8089"> 321 424 8089 322 425 </port> 323 <!-- TODO: Update this. -->324 426 <datastore_path description="The absolute path to the parent directory, where all HoneyClient VM data is stored on the host server. It is assumed that individual VM data is stored in separate subdirectories within this parent directory." default="/vm"> 325 /vm 427 /vm/clones 326 428 </datastore_path> 327 <!-- TODO: Update this. -->328 429 <snapshot_path description="The absolute path to the directory that contains all snapshot data, associated with every HoneyClient VM." default="/vm/snapshots"> 329 430 /vm/snapshots 330 431 </snapshot_path> 331 <!-- TODO: Update this. -->332 432 <vmware_port description="The TCP port that VMware Server / GSX uses for console communication. By default, this TCP port is 902. Unless you've explicitly changes this port during the vmware-config.pl setup process, leave this setting as the default." default="902"> 333 433 902 334 434 </vmware_port> 335 <!-- TODO: Update this. -->336 435 <bin_tar description="The absolute path to the 'tar' executable, accessible on the host filesystem." default="/bin/tar"> 337 436 /bin/tar 338 437 </bin_tar> 339 <!-- TODO: Update this. 
-->340 438 <vm_id_length description="The length of each corresponding VM identifier (VMID). This value can be any integer between 1 and 32, inclusive. The VMID is a hexadecimal string that represents the VM's name. It is designed to be generated once per clone and remain for the life of the VM (regardless of where it runs). The VMID is used externally by HoneyClient::Manager and HoneyClient::Manager::FW. The HoneyClient::Manager::FW package uses IPTables and binds each rule to a specific VMID. However, IPTable's firewall rule labels can only be a maximum of 30 characters in length. Thus, 26 is specified here, to account for 'VMID-OUT' as a possible chain name." default="26"> 341 439 26 342 440 </vm_id_length> 343 <!-- TODO: Update this. -->344 441 <dhcp_log description="The absolute path to the file that contains the DHCP logs, when a new VM gets a DHCP lease from the VMware Server / GSX server." default="/var/log/messages"> 345 442 /var/log/messages … … 352 449 are *only* used for unit testing. 353 450 --> 354 <test_vm_config description="The relative path to the (empty) test VM, that's used during unit testing." default="t/test VM/winXPPro.vmx">355 t/test VM/winXPPro.vmx451 <test_vm_config description="The relative path to the (empty) test VM, that's used during unit testing." default="t/test_vm/winXPPro.vmx"> 452 t/test_vm/winXPPro.vmx 356 453 </test_vm_config> 357 454 </Test> … … 376 473 </Bar> 377 474 </Foo> 475 <Yok> 476 <childA>12345678</childA> 477 <childA>ABCDEFGH</childA> 478 <childB>09876543</childB> 479 <childB>ZYXVTUWG</childB> 480 </Yok> 378 481 </Test> 379 482 </Config> honeyclient/branches/exp/mbriggs-db/etc/honeyclient_log.conf
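Review bot: The Registry `exclude_list` entry `^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SystemCertificates\\CA\\Certificates\\.*$` removes the machine-wide CA certificate store from integrity checking, so a certificate added there during a drive would never be reported as a change; if this is meant to absorb normal certificate-update churn, say so next to the entry with `<!-- Excluded: automatic root-certificate updates rewrite this key; changes here are therefore not detected. -->` so the detection gap is visible, or narrow it to the specific subkeys that actually churn. The new `syslog_address` element describes unencrypted UDP syslog from the Agent, which runs inside the VM under analysis, so the receiving side should treat those messages as untrusted data rather than as an integrity source; a sentence to that effect in the `description` attribute would help operators. The `exclude_list` description's own rules (no `^` before the drive letter, no trailing `$`) are not followed by the Filesystem entries themselves, which is fine as written, but the text should say they apply to entries, not to the defaults.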
r166 r416 59 59 ####################################################################### 60 60 61 log4perl.rootLogger=INFO, Screen 61 log4perl.rootLogger=INFO, Screen, Syslog 62 63 # Screen Logging Settings 62 64 #log4perl.logger.HoneyClient.Agent.Integrity.Registry=DEBUG, Screen 63 65 # Suppress Parser Debugging Messages … … 70 72 log4perl.appender.Screen.layout=Log::Log4perl::Layout::PatternLayout 71 73 log4perl.appender.Screen.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} %5p [%M] (%F:%L) - %m%n 74 75 # Syslog Logging Settings 76 log4perl.appender.Syslog=Log::Dispatch::Syslog 77 log4perl.appender.Syslog.socket=inet 78 log4perl.appender.Syslog.Threshold=DEBUG 79 log4perl.appender.Syslog.layout=Log::Log4perl::Layout::PatternLayout 80 log4perl.appender.Syslog.layout.ConversionPattern=%5p [%M] (%F:%L) - %m%n honeyclient/branches/exp/mbriggs-db/lib/HoneyClient/Agent.pm
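Review bot: The new Syslog appender sets `log4perl.appender.Syslog.socket=inet` but no host or port key, so as written the destination presumably comes from `Sys::Syslog`'s default (the local host) unless the `syslog_address` value from honeyclient.xml is applied at runtime; a comment such as `# Destination host is taken from <syslog_address> in etc/honeyclient.xml at startup` (or the actual key, if the code sets one) would remove that guesswork. `log4perl.appender.Syslog.Threshold=DEBUG` has no effect while the root logger stays at `INFO`, so either drop the Threshold line or note that it only matters for the `DEBUG` per-logger overrides commented out above it.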
r190 r416 9 9 # @author knwang, ttruong, kindlund 10 10 # 11 # Copyright (C) 200 6The MITRE Corporation. All rights reserved.11 # Copyright (C) 2007 The MITRE Corporation. All rights reserved. 12 12 # 13 13 # This program is free software; you can redistribute it and/or … … 38 38 =head1 VERSION 39 39 40 0.9 240 0.97 41 41 42 42 =head1 SYNOPSIS … … 79 79 80 80 # Set our package version. 81 $VERSION = 0.9 2;81 $VERSION = 0.97; 82 82 83 83 @ISA = qw(Exporter); … … 163 163 164 164 # Make sure Storable loads. 165 BEGIN { use_ok('Storable', qw( nfreeze thaw)) or diag("Can't load Storable package. Check to make sure the package library is correctly listed within the path."); }165 BEGIN { use_ok('Storable', qw(freeze nfreeze thaw dclone)) or diag("Can't load Storable package. Check to make sure the package library is correctly listed within the path."); } 166 166 require_ok('Storable'); 167 can_ok('Storable', 'freeze'); 167 168 can_ok('Storable', 'nfreeze'); 168 169 can_ok('Storable', 'thaw'); 169 use Storable qw(nfreeze thaw); 170 can_ok('Storable', 'dclone'); 171 use Storable qw(freeze nfreeze thaw dclone); 170 172 171 173 # Make sure MIME::Base64 loads. … … 208 210 209 211 # Include Hash Serialization Utility Libraries 210 # TODO: Update unit tests to include 'dclone' 211 use Storable qw(nfreeze thaw dclone); 212 use Storable qw(freeze nfreeze thaw dclone); 212 213 $Storable::Deparse = 1; 213 214 $Storable::Eval = 1; … … 227 228 use Data::Compare; 228 229 230 # Include Logging Library 231 use Log::Log4perl qw(:easy); 232 233 # The global logging object. 234 our $LOG = get_logger(); 235 229 236 # Complete URL of SOAP server, when initialized. 
230 237 our $URL_BASE : shared = undef; … … 239 246 getVar(name => "perform_integrity_checks"); 240 247 241 # A globally shared , serialized hashtable, containing the242 # initialized integrity state of the VM -- ready to be checked243 # against, at any time.244 our $integrity State : shared = undef;248 # A globally shared object, containing the initialized integrity 249 # state of the VM -- ready to be checked against, at any time after 250 # initialization. 251 our $integrityData; 245 252 246 253 # A globally shared, serialized hashtable, containing data per … … 342 349 # Sanity check. Make sure the daemon isn't already running. 343 350 if (defined($DAEMON_PID)) { 351 $LOG->fatal("Error: " . __PACKAGE__ . " daemon is already running (PID = " . $DAEMON_PID .")!"); 344 352 Carp::croak "Error: " . __PACKAGE__ . " daemon is already running (PID = $DAEMON_PID)!\n"; 345 353 } … … 368 376 369 377 # Perform initial integrity baseline check. 370 #my $integrity = undef; 371 #if ($PERFORM_INTEGRITY_CHECKS) { 372 # print "Initializing Integrity Check...\n"; 373 # # TODO: Initialize Integrity Checks 374 # $integrity = HoneyClient::Agent::Integrity->new(); 375 # $integrity->initAll(); 376 #} 377 #$integrityState = $integrity->serialize(); 378 if ($PERFORM_INTEGRITY_CHECKS) { 379 $integrityData = HoneyClient::Agent::Integrity->new(); 380 $integrityData->closeFiles(); 381 } 378 382 379 383 # Release data lock. … … 409 413 # Make sure the fork was successful. 410 414 if (!defined($pid)) { 415 $LOG->fatal("Error: Unable to fork child process.\n$!"); 411 416 Carp::croak "Error: Unable to fork child process.\n$!"; 412 417 } … … 435 440 436 441 for (;;) { 437 $daemon->handle ;442 $daemon->handle(); 438 443 } 439 444 } … … 469 474 # the parent process... 470 475 if (defined($DAEMON_PID) && ($DAEMON_PID != 0)) { 476 $LOG->error("Killing PID = " . $DAEMON_PID); 477 print STDERR "Killing PID = " . $DAEMON_PID . 
"\n"; 471 478 # The Win32 version of kill() seems to only respond to SIGKILL(9). 472 $ret = kill(9, $DAEMON_PID); 479 # XXX: This doesn't work. 480 #$ret = kill(9, $DAEMON_PID); 481 482 # TODO: Need unit tests. 483 require Win32::Process; 484 Win32::Process::KillProcess($DAEMON_PID, 0); 485 $ret = 1; 473 486 } 474 487 if ($ret) { … … 484 497 %driverUpdateQueues = ( ); 485 498 499 # Destroy all integrity data, if defined. 500 if (defined($integrityData)) { 501 $integrityData->destroy(); 502 } 503 $integrityData = undef; 504 486 505 # Release data lock. 487 506 _unlock(); … … 552 571 # When called from run(), this function takes in the corresponding 553 572 # Driver object; checks to see if there's a new entry within the 554 # driver's corresponding update queue; and dequeues the * first*555 # entr yin the queue, overwriting the Driver's state data573 # driver's corresponding update queue; and dequeues the *all* 574 # entries in the queue, overwriting the Driver's state data 556 575 # accordingly. 557 576 # 558 577 # The external updateState() call adds new driver state into the queue, 559 578 # one entry per call. The internal _update() function merges this 560 # driver state with the currently running driver, one merge561 # operationper call. In order words, a single call to _update()562 # may *NOT* empty the corresponding Driver update queue completely563 # -- only one entrywithin the queue will be dequeued per _update()579 # driver state with the currently running driver, merging everything 580 # queued per call. In order words, a single call to _update() 581 # *WILL* empty the corresponding Driver update queue completely 582 # -- all entries within the queue will be dequeued per _update() 564 583 # call made. 565 584 # … … 577 596 my $queue = $driverUpdateQueues{$driverName}; 578 597 598 # XXX: One possible DoS condition here; what if 599 # the manager keeps feeding updates to the Agent 600 # before the Agent has a chance to do any work? 
601 579 602 # If we have data in our driver specific queue... 580 if($queue->pending) {603 while ($queue->pending) { 581 604 582 605 # Update our driver state with the first entry … … 653 676 # Read the TID. 654 677 $tid = $data->{$driverName}->{'thread_id'}; 678 679 # XXX: Delete this, eventually. 680 print "Checking TID = " . Dumper($tid) . "\n"; 681 if (defined(threads->object($tid))) { 682 print "Thread defined.\n"; 683 if (threads->object($tid)->is_running()) { 684 print "Thread is running.\n"; 685 } else { 686 print "Thread is NOT running.\n"; 687 } 688 } else { 689 print "Thread NOT defined.\n"; 690 } 655 691 656 692 # Sanity check: Return false, if we already have a … … 664 700 665 701 return 0; 702 } else { 703 # XXX: Remove this, eventually. 704 print "Creating a new run() child thread...\n"; 666 705 } 667 706 … … 683 722 _unlock($data); 684 723 685 # TODO: Clean up this comment block. 686 # This function should do the following: 687 # - Initialize all drivers with starting state. 688 # - "Drive" each driver, one-by-one. 689 # - Collect any integrity violations found, with offending 690 # state information. 691 # 692 # Notes: 693 # This function will eventually sit in a sub-thread, allowing the parent 694 # thread to return without any delay. It is expected that the Manager 695 # would then subsequently call a getStatus() operation, in order to 696 # then poll for any new violations found. 697 # 698 # TODO: We need to create a fault reporting mechanism, in order 699 # to properly deal with exceptions/faults that occur within this 700 # thread. 701 $thread = async { 702 threads->yield(); 703 704 # Trap all faults that may occur from these asynchronous operations. 705 eval { 706 707 ################################### 708 ### Driver Initialization Phase ### 709 ################################### 710 711 # Initially set local integrity object to undef. 712 my $integrity = undef; 713 714 # Initially set all driver objects to undef. 
715 my $driver = undef; 716 717 # Acquire lock on stored driver state. 718 $data = _lock(); 719 720 if ($PERFORM_INTEGRITY_CHECKS) { 721 # XXX: WARNING - The $integrityState object data is NOT thread-safe 722 # (since it relies on external data stored on the file system). 723 # As such, do NOT try to call integrity checks on multiple, simultaneous 724 # asynchronous threaded drivers. 725 #$integrity = thaw($integrityState); 726 # Perform initial integrity baseline check. 727 print "Initializing Integrity Check...\n"; 728 # TODO: Initialize Integrity Checks 729 $integrity = HoneyClient::Agent::Integrity->new(); 730 $integrity->initAll(); 731 732 # TODO: Delete this. 733 #$Data::Dumper::Indent = 1; 734 #$Data::Dumper::Terse = 1; 735 #print "Integrity: " . Dumper($integrity) . "\n"; 736 } 737 738 # Now, initialize each driver object. 739 # Figure out which $driver object to use... 740 my $driverClass = 'HoneyClient::Agent::Driver::Browser::' . $driverName; 741 742 if (!defined($data->{$driverName}->{'state'})) { 743 744 # If the driver state is undefined, then 745 # create a new state object. 746 $driver = $driverClass->new(); 747 748 } else { 749 # Then the driver state object is already defined, 750 # so go ahead and reuse it. 751 $driver = $driverClass->new( 752 %{$data->{$driverName}->{'state'}}, 753 ); 754 } 755 756 # Next, we make sure we have no updates, before we update 757 # the corresponding shared memory version. 758 $driver = _update($driver); 759 760 # Once we've initialized the object, be sure to update 761 # the corresponding shared memory version. We do this 762 # one time before the loop starts, in case we end up 763 # finishing before we drove anywhere. 764 765 # Copy object data to shared memory. 
766 $data->{$driverName}->{'next'} = $driver->next(); 767 $data->{$driverName}->{'status'} = $driver->status(); 768 $data->{$driverName}->{'status'}->{'is_compromised'} = 0; 769 $data->{$driverName}->{'state'} = $driver; 770 771 if ($driver->isFinished()) { 772 # Thread is about to finish, set the ID back to undef. 773 # This looks ugly, but setting it this early avoids the 774 # potential race condition of when the run() thread is finished 775 # and when updateState() checks for $driverData->{$driverName}->{'thread_id'} 776 # to be set to undef. 777 $data->{$driverName}->{'thread_id'} = undef; 778 } 779 780 # Release lock on stored driver state. 781 _unlock($data); 782 783 ################################### 784 ### Driver Running Phase ### 785 ################################### 786 787 # Boolean to indicate that the driver is about to transition 788 # to a new set of targets upon the next drive() operation. 789 my $driverTargetsChanged = 0; 790 791 while (!$driver->isFinished() && !$driverTargetsChanged) { 792 # XXX: Debug. Remove this. 793 # We assume $driver->next() returns defined data. 794 foreach my $resource (keys %{$driver->next()->{resources}}) { 795 print "Using Resource: " . $resource . "\n"; 796 } 797 798 # Drive the driver for one step. 799 # If the operation fails, then an exception will be generated. 800 $driver->drive(); 801 802 # Acquire lock on stored driver state. 803 $data = _lock(); 804 805 # Check for any additional external driver updates. 806 $driver = _update($driver); 807 808 # Check to see if our driver's targets have changed. 809 $driverTargetsChanged = not(Compare($data->{$driverName}->{'next'}->{'targets'}, $driver->next()->{'targets'})); 810 811 # Copy object data to shared memory. 
812 $data->{$driverName}->{'next'} = $driver->next(); 813 $data->{$driverName}->{'status'} = $driver->status(); 814 $data->{$driverName}->{'status'}->{'is_compromised'} = 0; 815 $data->{$driverName}->{'state'} = $driver; 816 817 if ($driver->isFinished() or $driverTargetsChanged) { 818 # Thread is about to finish, set the ID back to undef. 819 # This looks ugly, but setting it this early avoids the 820 # potential race condition of when the run() thread is finished 821 # and when updateState() checks for $driverData->{$driverName}->{'thread_id'} 822 # to be set to undef. 823 $data->{$driverName}->{'thread_id'} = undef; 824 } 825 826 # Release lock on stored driver state. 827 _unlock($data); 828 } 829 &n
