|
Michal Ambroz |
aea04ba |
https://github.com/DinoTools/dionaea/issues/170
|
|
Michal Ambroz |
aea04ba |
https://github.com/DinoTools/dionaea/pull/179
|
|
Michal Ambroz |
aea04ba |
diff --git a/doc/source/ihandler/log_sqlite.rst b/doc/source/ihandler/log_sqlite.rst
|
|
Michal Ambroz |
aea04ba |
index 040a2a8..e6cca5b 100644
|
|
Michal Ambroz |
aea04ba |
--- a/doc/source/ihandler/log_sqlite.rst
|
|
Michal Ambroz |
aea04ba |
+++ b/doc/source/ihandler/log_sqlite.rst
|
|
Michal Ambroz |
aea04ba |
@@ -28,21 +28,18 @@ when retrieving the data from the database:
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
Additionally, you can query the database for many different things, refer to:
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
-* dionaea sql logging 2009/11/06
|
|
Michal Ambroz |
aea04ba |
- <http://carnivore.it/2009/11/06/dionaea_sql_logging>
|
|
Michal Ambroz |
aea04ba |
-* post it yourself 2009/12/08
|
|
Michal Ambroz |
aea04ba |
- <http://carnivore.it/2009/12/08/post_it_yourself>
|
|
Michal Ambroz |
aea04ba |
-* sqlite performance 2009/12/12
|
|
Michal Ambroz |
aea04ba |
- <http://carnivore.it/2009/12/12/sqlite_performance>
|
|
Michal Ambroz |
aea04ba |
-* virustotal fun 2009/12/14
|
|
Michal Ambroz |
aea04ba |
- <http://carnivore.it/2009/12/14/virustotal_fun>
|
|
Michal Ambroz |
aea04ba |
-* Andrew Waite's Blog <http://infosanity.wordpress.com/> for mimic-nepstats.py
|
|
Michal Ambroz |
aea04ba |
+* `dionaea sql logging 2009/11/06 <http://carnivore.it/2009/11/06/dionaea_sql_logging>`_
|
|
Michal Ambroz |
aea04ba |
+* `post it yourself 2009/12/08 <http://carnivore.it/2009/12/08/post_it_yourself>`_
|
|
Michal Ambroz |
aea04ba |
+* `sqlite performance 2009/12/12 <http://carnivore.it/2009/12/12/sqlite_performance>`_
|
|
Michal Ambroz |
aea04ba |
+* `virustotal fun 2009/12/14 <http://carnivore.it/2009/12/14/virustotal_fun>`_
|
|
Michal Ambroz |
aea04ba |
+* `Andrew Waite's Blog <http://infosanity.wordpress.com/>`_ for mimic-nepstats.py
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
for more examples how to make use of the database.
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
Example config
|
|
Michal Ambroz |
aea04ba |
--------------
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
-.. literalinclude:: ../../../conf/ihandlers/log_sqlite.yaml.in
|
|
Michal Ambroz |
aea04ba |
- :language: yaml
|
|
Michal Ambroz |
aea04ba |
- :caption: ihandlers/log_sqlite.yaml
|
|
Michal Ambroz |
aea04ba |
+::
|
|
Michal Ambroz |
aea04ba |
+ .. literalinclude:: ../../../conf/ihandlers/log_sqlite.yaml.in
|
|
Michal Ambroz |
aea04ba |
+ :language: yaml
|
|
Michal Ambroz |
aea04ba |
+ :caption: ihandlers/log_sqlite.yaml
|
|
Michal Ambroz |
aea04ba |
diff --git a/doc/source/old/configuration.rst b/doc/source/old/configuration.rst
|
|
Michal Ambroz |
aea04ba |
index bb46217..7f1b19f 100644
|
|
Michal Ambroz |
aea04ba |
--- a/doc/source/old/configuration.rst
|
|
Michal Ambroz |
aea04ba |
+++ b/doc/source/old/configuration.rst
|
|
Michal Ambroz |
aea04ba |
@@ -90,18 +90,12 @@ gnuplotsql <#gnuplotsql> script.
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
The blog on logsql:
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
- * 2009-11-06 dionaea sql logging
|
|
Michal Ambroz |
aea04ba |
- <http://carnivore.it/2009/11/06/dionaea_sql_logging>
|
|
Michal Ambroz |
aea04ba |
- * 2009-12-08 post it yourself
|
|
Michal Ambroz |
aea04ba |
- <http://carnivore.it/2009/12/08/post_it_yourself>
|
|
Michal Ambroz |
aea04ba |
- * 2009-12-12 sqlite performance
|
|
Michal Ambroz |
aea04ba |
- <http://carnivore.it/2009/12/12/sqlite_performance>
|
|
Michal Ambroz |
aea04ba |
- * 2009-12-14 virustotal fun
|
|
Michal Ambroz |
aea04ba |
- <http://carnivore.it/2009/12/14/virustotal_fun>
|
|
Michal Ambroz |
aea04ba |
- * 2009-12-15 paris mission pack avs
|
|
Michal Ambroz |
aea04ba |
- <http://carnivore.it/2009/12/15/paris_mission_pack_avs>
|
|
Michal Ambroz |
aea04ba |
- * 2010-06-06 data visualisation
|
|
Michal Ambroz |
aea04ba |
- <http://carnivore.it/2010/06/06/data_visualisation>
|
|
Michal Ambroz |
aea04ba |
+ * `2009-11-06 dionaea sql logging <http://carnivore.it/2009/11/06/dionaea_sql_logging>`_
|
|
Michal Ambroz |
aea04ba |
+ * `2009-12-08 post it yourself <http://carnivore.it/2009/12/08/post_it_yourself>`_
|
|
Michal Ambroz |
aea04ba |
+ * `2009-12-12 sqlite performance <http://carnivore.it/2009/12/12/sqlite_performance>`_
|
|
Michal Ambroz |
aea04ba |
+ * `2009-12-14 virustotal fun <http://carnivore.it/2009/12/14/virustotal_fun>`_
|
|
Michal Ambroz |
aea04ba |
+ * `2009-12-15 paris mission pack avs <http://carnivore.it/2009/12/15/paris_mission_pack_avs>`_
|
|
Michal Ambroz |
aea04ba |
+ * `2010-06-06 data visualisation <http://carnivore.it/2010/06/06/data_visualisation>`_
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
logxmpp
|
|
Michal Ambroz |
aea04ba |
@@ -114,9 +108,9 @@ sensors anonymously.
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
The blog on logxmpp:
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
- * 2010-02-10 xmpp backend <http://carnivore.it/2010/02/10/xmpp_backend>
|
|
Michal Ambroz |
aea04ba |
- * 2010-05-12 xmpp take #2 <http://carnivore.it/2010/05/12/xmpp_-_take_2>
|
|
Michal Ambroz |
aea04ba |
- * 2010-05-15 xmpp take #3 <http://carnivore.it/2010/05/15/xmpp_-_take_3>
|
|
Michal Ambroz |
aea04ba |
+ * `2010-02-10 xmpp backend <http://carnivore.it/2010/02/10/xmpp_backend>`_
|
|
Michal Ambroz |
aea04ba |
+ * `2010-05-12 xmpp take #2 <http://carnivore.it/2010/05/12/xmpp_-_take_2>`_
|
|
Michal Ambroz |
aea04ba |
+ * `2010-05-15 xmpp take #3 <http://carnivore.it/2010/05/15/xmpp_-_take_3>`_
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
pg_backend <#pg_backend> can be used as a backend for xmpp logging sensors.
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
@@ -130,8 +124,7 @@ and start p0f as suggested in the config. It costs nothing, and gives
|
|
Michal Ambroz |
aea04ba |
some pretty cool, even if outdated, informations about the attackers
|
|
Michal Ambroz |
aea04ba |
operating system, and you can look them up from the sqlite database,
|
|
Michal Ambroz |
aea04ba |
even the rejected connections.
|
|
Michal Ambroz |
aea04ba |
-If you face problems, here
|
|
Michal Ambroz |
aea04ba |
-<http://blog.infosanity.co.uk/2010/12/04/dionaea-with-p0f/> are some hints.
|
|
Michal Ambroz |
aea04ba |
+If you face problems, `here <http://blog.infosanity.co.uk/2010/12/04/dionaea-with-p0f/>`_ are some hints.
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
diff --git a/doc/source/old/seagfaults.rst b/doc/source/old/seagfaults.rst
|
|
Michal Ambroz |
aea04ba |
index 39b8241..e07722a 100644
|
|
Michal Ambroz |
aea04ba |
--- a/doc/source/old/seagfaults.rst
|
|
Michal Ambroz |
aea04ba |
+++ b/doc/source/old/seagfaults.rst
|
|
Michal Ambroz |
aea04ba |
@@ -8,218 +8,216 @@ This software just had a segmentation fault.
|
|
Michal Ambroz |
aea04ba |
The bug you encountered may even be exploitable.
|
|
Michal Ambroz |
aea04ba |
If you want to assist in fixing the bug, please send the backtrace below to nepenthesdev@gmail.com.
|
|
Michal Ambroz |
aea04ba |
You can create better backtraces with gdb, for more information visit http://dionaea.carnivore.it/#segfault
|
|
Michal Ambroz |
aea04ba |
-Once you read this message, your tty may be broken, simply type reset, so it will come to life again
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
-/opt/dionaea/bin/dionaea(sigsegv_backtrace_cb+0x20)[0x805c11e]
|
|
Michal Ambroz |
aea04ba |
-[0x70d420]
|
|
Michal Ambroz |
aea04ba |
-/opt/dionaea/lib/libemu/libemu.so.2(emu_env_w32_eip_check+0x94)[0x186974]
|
|
Michal Ambroz |
aea04ba |
-/opt/dionaea/lib/dionaea/emu.so(run+0x39)[0x89cced]
|
|
Michal Ambroz |
aea04ba |
-/opt/dionaea/lib/dionaea/emu.so(profile+0xbb)[0x89db88]
|
|
Michal Ambroz |
aea04ba |
-/opt/dionaea/lib/dionaea/emu.so(proc_emu_on_io_in+0x1e1)[0x89bfc5]
|
|
Michal Ambroz |
aea04ba |
-/opt/dionaea/bin/dionaea(recurse_io_process+0x31)[0x805df4a]
|
|
Michal Ambroz |
aea04ba |
-/opt/dionaea/bin/dionaea(processors_io_in_thread+0x85)[0x805e08d]
|
|
Michal Ambroz |
aea04ba |
-/opt/dionaea/bin/dionaea(threadpool_wrapper+0x2e)[0x805c99a]
|
|
Michal Ambroz |
aea04ba |
-/opt/dionaea/lib/libglib-2.0.so.0[0xaa9498]
|
|
Michal Ambroz |
aea04ba |
-/opt/dionaea/lib/libglib-2.0.so.0[0xaa7a2f]
|
|
Michal Ambroz |
aea04ba |
-/lib/libpthread.so.0[0xd8973b]
|
|
Michal Ambroz |
aea04ba |
-/lib/libc.so.6(clone+0x5e)[0x2b3cfe]
|
|
Michal Ambroz |
aea04ba |
+Once you read this message, your tty may be broken, simply type reset, so it will come to life again::
|
|
Michal Ambroz |
aea04ba |
+
|
|
Michal Ambroz |
aea04ba |
+ /opt/dionaea/bin/dionaea(sigsegv_backtrace_cb+0x20)[0x805c11e]
|
|
Michal Ambroz |
aea04ba |
+ [0x70d420]
|
|
Michal Ambroz |
aea04ba |
+ /opt/dionaea/lib/libemu/libemu.so.2(emu_env_w32_eip_check+0x94)[0x186974]
|
|
Michal Ambroz |
aea04ba |
+ /opt/dionaea/lib/dionaea/emu.so(run+0x39)[0x89cced]
|
|
Michal Ambroz |
aea04ba |
+ /opt/dionaea/lib/dionaea/emu.so(profile+0xbb)[0x89db88]
|
|
Michal Ambroz |
aea04ba |
+ /opt/dionaea/lib/dionaea/emu.so(proc_emu_on_io_in+0x1e1)[0x89bfc5]
|
|
Michal Ambroz |
aea04ba |
+ /opt/dionaea/bin/dionaea(recurse_io_process+0x31)[0x805df4a]
|
|
Michal Ambroz |
aea04ba |
+ /opt/dionaea/bin/dionaea(processors_io_in_thread+0x85)[0x805e08d]
|
|
Michal Ambroz |
aea04ba |
+ /opt/dionaea/bin/dionaea(threadpool_wrapper+0x2e)[0x805c99a]
|
|
Michal Ambroz |
aea04ba |
+ /opt/dionaea/lib/libglib-2.0.so.0[0xaa9498]
|
|
Michal Ambroz |
aea04ba |
+ /opt/dionaea/lib/libglib-2.0.so.0[0xaa7a2f]
|
|
Michal Ambroz |
aea04ba |
+ /lib/libpthread.so.0[0xd8973b]
|
|
Michal Ambroz |
aea04ba |
+ /lib/libc.so.6(clone+0x5e)[0x2b3cfe]
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
While the backtrace itself gives an idea what might be wrong, it does
|
|
Michal Ambroz |
aea04ba |
not fix the problem. To fix the problem, the logfiles usually help, as
|
|
Michal Ambroz |
aea04ba |
dionaea is very verbose by default. Below are some hints how to get
|
|
Michal Ambroz |
aea04ba |
started with debugging, click here <#support> for assistance.
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
+debugging
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
- debugging
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
+Valgrind
|
|
Michal Ambroz |
aea04ba |
+========
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
- Valgrind
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
-Valgrind does a great job, here is how I use it:
|
|
Michal Ambroz |
aea04ba |
+Valgrind does a great job, here is how I use it::
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
-valgrind -v --leak-check=full --leak-resolution=high --show-reachable=yes \
|
|
Michal Ambroz |
aea04ba |
---log-file=dionaea-debug.log /opt/dionaea/bin/dionaea --my-dionaea-options
|
|
Michal Ambroz |
aea04ba |
+ valgrind -v --leak-check=full --leak-resolution=high --show-reachable=yes \
|
|
Michal Ambroz |
aea04ba |
+ --log-file=dionaea-debug.log /opt/dionaea/bin/dionaea --my-dionaea-options
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
- gdb
|
|
Michal Ambroz |
aea04ba |
+ gdb
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
- logfile assisted
|
|
Michal Ambroz |
aea04ba |
+ logfile assisted
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
For the above example, I was able to scrape the shellcode from the
|
|
Michal Ambroz |
aea04ba |
logfile, and run it in libemu, without involving dionaea at all,
|
|
Michal Ambroz |
aea04ba |
-reducing the problem.
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
-gdb /opt/dionaea/bin/sctest
|
|
Michal Ambroz |
aea04ba |
-(gdb) run -S -s 10000000 -g < sc.bin
|
|
Michal Ambroz |
aea04ba |
-Starting program: /media/sda4/opt64/dionaea/bin/sctest -S -s 10000000 -g < sc.bin
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
-Once it crashed, I retrieved a full backtrace:
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
-Program received signal SIGSEGV, Segmentation fault.
|
|
Michal Ambroz |
aea04ba |
-env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
|
|
Michal Ambroz |
aea04ba |
-545 struct emu_env_hook *hook = (struct emu_env_hook *)ehi->value;
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
-(gdb) bt full
|
|
Michal Ambroz |
aea04ba |
-#0 env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
|
|
Michal Ambroz |
aea04ba |
- dll = 0x6366f0
|
|
Michal Ambroz |
aea04ba |
- ehi = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- hook = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- c = 0x611180
|
|
Michal Ambroz |
aea04ba |
- mem = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- eip_save = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- module = 2088763392
|
|
Michal Ambroz |
aea04ba |
- p_procname = 4289925
|
|
Michal Ambroz |
aea04ba |
- procname = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
-#1 0x00007ffff7b884fb in emu_env_w32_eip_check (env=0x629a30) at environment/win32/emu_env_w32.c:306
|
|
Michal Ambroz |
aea04ba |
- dll = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- ehi = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- hook = 0x64c5b0
|
|
Michal Ambroz |
aea04ba |
- eip = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
-#2 0x0000000000403995 in test (e=0x60f0e0) at sctestmain.c:277
|
|
Michal Ambroz |
aea04ba |
- hook = 0xe2
|
|
Michal Ambroz |
aea04ba |
- ev = 0x0
|
|
Michal Ambroz |
aea04ba |
- iv = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- cpu = 0x611180
|
|
Michal Ambroz |
aea04ba |
- mem = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- env = 0x629a30
|
|
Michal Ambroz |
aea04ba |
- na = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- j = 7169
|
|
Michal Ambroz |
aea04ba |
- last_vertex = 0x0
|
|
Michal Ambroz |
aea04ba |
- graph = 0x0
|
|
Michal Ambroz |
aea04ba |
- eh = 0x0
|
|
Michal Ambroz |
aea04ba |
- ehi = 0x0
|
|
Michal Ambroz |
aea04ba |
- ret = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- eipsave = 2088807840
|
|
Michal Ambroz |
aea04ba |
-#3 0x00000000004044e4 in main (argc=5, argv=0x7fffffffe388) at sctestmain.c:971
|
|
Michal Ambroz |
aea04ba |
- e = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+reducing the problem::
|
|
Michal Ambroz |
aea04ba |
+
|
|
Michal Ambroz |
aea04ba |
+ gdb /opt/dionaea/bin/sctest
|
|
Michal Ambroz |
aea04ba |
+ (gdb) run -S -s 10000000 -g < sc.bin
|
|
Michal Ambroz |
aea04ba |
+ Starting program: /media/sda4/opt64/dionaea/bin/sctest -S -s 10000000 -g < sc.bin
|
|
Michal Ambroz |
aea04ba |
+
|
|
Michal Ambroz |
aea04ba |
+Once it crashed, I retrieved a full backtrace::
|
|
Michal Ambroz |
aea04ba |
+
|
|
Michal Ambroz |
aea04ba |
+ Program received signal SIGSEGV, Segmentation fault.
|
|
Michal Ambroz |
aea04ba |
+ env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
|
|
Michal Ambroz |
aea04ba |
+ 545 struct emu_env_hook *hook = (struct emu_env_hook *)ehi->value;
|
|
Michal Ambroz |
aea04ba |
+
|
|
Michal Ambroz |
aea04ba |
+ (gdb) bt full
|
|
Michal Ambroz |
aea04ba |
+ #0 env_w32_hook_GetProcAddress (env=0x629a30, hook=<value optimized out>) at environment/win32/env_w32_dll_export_kernel32_hooks.c:545
|
|
Michal Ambroz |
aea04ba |
+ dll = 0x6366f0
|
|
Michal Ambroz |
aea04ba |
+ ehi = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ hook = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ c = 0x611180
|
|
Michal Ambroz |
aea04ba |
+ mem = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ eip_save = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ module = 2088763392
|
|
Michal Ambroz |
aea04ba |
+ p_procname = 4289925
|
|
Michal Ambroz |
aea04ba |
+ procname = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ #1 0x00007ffff7b884fb in emu_env_w32_eip_check (env=0x629a30) at environment/win32/emu_env_w32.c:306
|
|
Michal Ambroz |
aea04ba |
+ dll = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ ehi = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ hook = 0x64c5b0
|
|
Michal Ambroz |
aea04ba |
+ eip = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ #2 0x0000000000403995 in test (e=0x60f0e0) at sctestmain.c:277
|
|
Michal Ambroz |
aea04ba |
+ hook = 0xe2
|
|
Michal Ambroz |
aea04ba |
+ ev = 0x0
|
|
Michal Ambroz |
aea04ba |
+ iv = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ cpu = 0x611180
|
|
Michal Ambroz |
aea04ba |
+ mem = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ env = 0x629a30
|
|
Michal Ambroz |
aea04ba |
+ na = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ j = 7169
|
|
Michal Ambroz |
aea04ba |
+ last_vertex = 0x0
|
|
Michal Ambroz |
aea04ba |
+ graph = 0x0
|
|
Michal Ambroz |
aea04ba |
+ eh = 0x0
|
|
Michal Ambroz |
aea04ba |
+ ehi = 0x0
|
|
Michal Ambroz |
aea04ba |
+ ret = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ eipsave = 2088807840
|
|
Michal Ambroz |
aea04ba |
+ #3 0x00000000004044e4 in main (argc=5, argv=0x7fffffffe388) at sctestmain.c:971
|
|
Michal Ambroz |
aea04ba |
+ e = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
In this case, the problem was a bug in libemu.
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
- gdb dump memory
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
-Once again, it broke, and we got a backtrace:
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
-#0 0xb70b0b57 in emu_queue_enqueue (eq=0xb3da0918, data=0x4724ab) at emu_queue.c:63
|
|
Michal Ambroz |
aea04ba |
- eqi = (struct emu_queue_item *) 0x0
|
|
Michal Ambroz |
aea04ba |
-#1 0xb70b15d1 in emu_shellcode_run_and_track (e=0xb4109cd0, data=0xb411c698 "", datasize=<value optimized out>, eipoffset=<value optimized out>,
|
|
Michal Ambroz |
aea04ba |
- steps=256, etas=0xb410cd60, known_positions=0xb3d7a810, stats_tested_positions_list=0xb3da3bf0, brute_force=true) at emu_shellcode.c:408
|
|
Michal Ambroz |
aea04ba |
- current_pos_ti_diff = (struct emu_tracking_info *) 0x88c3c88
|
|
Michal Ambroz |
aea04ba |
- current_pos_ht = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- current_pos_v = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- current_pos_satii = (struct emu_source_and_track_instr_info *) 0xb407e7f8
|
|
Michal Ambroz |
aea04ba |
- bfs_queue = (struct emu_queue *) 0xb3e17668
|
|
Michal Ambroz |
aea04ba |
- ret = 4662443
|
|
Michal Ambroz |
aea04ba |
- eipsave = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- hook = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- j = 4
|
|
Michal Ambroz |
aea04ba |
- es = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- eli = (struct emu_list_item *) 0xb3e17658
|
|
Michal Ambroz |
aea04ba |
- cpu = (struct emu_cpu *) 0xb4109ab0
|
|
Michal Ambroz |
aea04ba |
- mem = (struct emu_memory *) 0xb410c3a0
|
|
Michal Ambroz |
aea04ba |
- eq = (struct emu_queue *) 0xb3da0918
|
|
Michal Ambroz |
aea04ba |
- env = (struct emu_env *) 0xb3e10208
|
|
Michal Ambroz |
aea04ba |
- eli = (struct emu_list_item *) 0x4724ab
|
|
Michal Ambroz |
aea04ba |
-#2 0xb70b1a2a in emu_shellcode_test (e=0xb4109cd0, data=0xb411c698 "", size=<value optimized out>) at emu_shellcode.c:546
|
|
Michal Ambroz |
aea04ba |
- es = (struct emu_stats *) 0xb3d92b28
|
|
Michal Ambroz |
aea04ba |
- new_results = (struct emu_list_root *) 0xb3da3bf0
|
|
Michal Ambroz |
aea04ba |
- offset = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- el = (struct emu_list_root *) 0xb4100510
|
|
Michal Ambroz |
aea04ba |
- etas = (struct emu_track_and_source *) 0xb410cd60
|
|
Michal Ambroz |
aea04ba |
- eh = (struct emu_hashtable *) 0xb3d7a810
|
|
Michal Ambroz |
aea04ba |
- eli = (struct emu_list_item *) 0xb3d92b40
|
|
Michal Ambroz |
aea04ba |
- results = (struct emu_list_root *) 0xb3d82850
|
|
Michal Ambroz |
aea04ba |
- es = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- __PRETTY_FUNCTION__ = "emu_shellcode_test"
|
|
Michal Ambroz |
aea04ba |
-#3 0xb712140c in proc_emu_on_io_in (con=0x8864b58, pd=0x87dc388) at detect.c:145
|
|
Michal Ambroz |
aea04ba |
- e = (struct emu *) 0xb4109cd0
|
|
Michal Ambroz |
aea04ba |
- ctx = (struct emu_ctx *) 0x87a2400
|
|
Michal Ambroz |
aea04ba |
- offset = 14356
|
|
Michal Ambroz |
aea04ba |
- streamdata = (void *) 0xb411c698
|
|
Michal Ambroz |
aea04ba |
- size = 8196
|
|
Michal Ambroz |
aea04ba |
- ret = 0
|
|
Michal Ambroz |
aea04ba |
- __PRETTY_FUNCTION__ = "proc_emu_on_io_in"
|
|
Michal Ambroz |
aea04ba |
-#4 0x0805e8be in recurse_io_process (pd=0x87dc388, con=0x8864b58, dir=bistream_in) at processor.c:167
|
|
Michal Ambroz |
aea04ba |
-No locals.
|
|
Michal Ambroz |
aea04ba |
-#5 0x0805ea01 in processors_io_in_thread (data=0x8864b58, userdata=0x87dc388) at processor.c:197
|
|
Michal Ambroz |
aea04ba |
- con = (struct connection *) 0x8864b58
|
|
Michal Ambroz |
aea04ba |
- pd = (struct processor_data *) 0x87dc388
|
|
Michal Ambroz |
aea04ba |
- __PRETTY_FUNCTION__ = "processors_io_in_thread"
|
|
Michal Ambroz |
aea04ba |
-#6 0x0805d2da in threadpool_wrapper (data=0x87d7bd0, user_data=0x0) at threads.c:49
|
|
Michal Ambroz |
aea04ba |
- t = (struct thread *) 0x87d7bd0
|
|
Michal Ambroz |
aea04ba |
- timer = (GTimer *) 0xb4108540
|
|
Michal Ambroz |
aea04ba |
-#7 0xb77441f6 in g_thread_pool_thread_proxy (data=0x83db460) at gthreadpool.c:265
|
|
Michal Ambroz |
aea04ba |
- task = (gpointer) 0x87d7bd0
|
|
Michal Ambroz |
aea04ba |
- pool = (GRealThreadPool *) 0x83db460
|
|
Michal Ambroz |
aea04ba |
-#8 0xb7742b8f in g_thread_create_proxy (data=0x83dc7d0) at gthread.c:635
|
|
Michal Ambroz |
aea04ba |
- __PRETTY_FUNCTION__ = "g_thread_create_proxy"
|
|
Michal Ambroz |
aea04ba |
-#9 0xb76744c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
|
|
Michal Ambroz |
aea04ba |
-No symbol table info available.
|
|
Michal Ambroz |
aea04ba |
-#10 0xb75f36de in clone () from /lib/i686/cmov/libc.so.6
|
|
Michal Ambroz |
aea04ba |
-No symbol table info available.
|
|
Michal Ambroz |
aea04ba |
+ gdb dump memory
|
|
Michal Ambroz |
aea04ba |
+
|
|
Michal Ambroz |
aea04ba |
+Once again, it broke, and we got a backtrace::
|
|
Michal Ambroz |
aea04ba |
+
|
|
Michal Ambroz |
aea04ba |
+ #0 0xb70b0b57 in emu_queue_enqueue (eq=0xb3da0918, data=0x4724ab) at emu_queue.c:63
|
|
Michal Ambroz |
aea04ba |
+ eqi = (struct emu_queue_item *) 0x0
|
|
Michal Ambroz |
aea04ba |
+ #1 0xb70b15d1 in emu_shellcode_run_and_track (e=0xb4109cd0, data=0xb411c698 "", datasize=<value optimized out>, eipoffset=<value optimized out>,
|
|
Michal Ambroz |
aea04ba |
+ steps=256, etas=0xb410cd60, known_positions=0xb3d7a810, stats_tested_positions_list=0xb3da3bf0, brute_force=true) at emu_shellcode.c:408
|
|
Michal Ambroz |
aea04ba |
+ current_pos_ti_diff = (struct emu_tracking_info *) 0x88c3c88
|
|
Michal Ambroz |
aea04ba |
+ current_pos_ht = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ current_pos_v = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ current_pos_satii = (struct emu_source_and_track_instr_info *) 0xb407e7f8
|
|
Michal Ambroz |
aea04ba |
+ bfs_queue = (struct emu_queue *) 0xb3e17668
|
|
Michal Ambroz |
aea04ba |
+ ret = 4662443
|
|
Michal Ambroz |
aea04ba |
+ eipsave = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ hook = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ j = 4
|
|
Michal Ambroz |
aea04ba |
+ es = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ eli = (struct emu_list_item *) 0xb3e17658
|
|
Michal Ambroz |
aea04ba |
+ cpu = (struct emu_cpu *) 0xb4109ab0
|
|
Michal Ambroz |
aea04ba |
+ mem = (struct emu_memory *) 0xb410c3a0
|
|
Michal Ambroz |
aea04ba |
+ eq = (struct emu_queue *) 0xb3da0918
|
|
Michal Ambroz |
aea04ba |
+ env = (struct emu_env *) 0xb3e10208
|
|
Michal Ambroz |
aea04ba |
+ eli = (struct emu_list_item *) 0x4724ab
|
|
Michal Ambroz |
aea04ba |
+ #2 0xb70b1a2a in emu_shellcode_test (e=0xb4109cd0, data=0xb411c698 "", size=<value optimized out>) at emu_shellcode.c:546
|
|
Michal Ambroz |
aea04ba |
+ es = (struct emu_stats *) 0xb3d92b28
|
|
Michal Ambroz |
aea04ba |
+ new_results = (struct emu_list_root *) 0xb3da3bf0
|
|
Michal Ambroz |
aea04ba |
+ offset = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ el = (struct emu_list_root *) 0xb4100510
|
|
Michal Ambroz |
aea04ba |
+ etas = (struct emu_track_and_source *) 0xb410cd60
|
|
Michal Ambroz |
aea04ba |
+ eh = (struct emu_hashtable *) 0xb3d7a810
|
|
Michal Ambroz |
aea04ba |
+ eli = (struct emu_list_item *) 0xb3d92b40
|
|
Michal Ambroz |
aea04ba |
+ results = (struct emu_list_root *) 0xb3d82850
|
|
Michal Ambroz |
aea04ba |
+ es = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
+ __PRETTY_FUNCTION__ = "emu_shellcode_test"
|
|
Michal Ambroz |
aea04ba |
+ #3 0xb712140c in proc_emu_on_io_in (con=0x8864b58, pd=0x87dc388) at detect.c:145
|
|
Michal Ambroz |
aea04ba |
+ e = (struct emu *) 0xb4109cd0
|
|
Michal Ambroz |
aea04ba |
+ ctx = (struct emu_ctx *) 0x87a2400
|
|
Michal Ambroz |
aea04ba |
+ offset = 14356
|
|
Michal Ambroz |
aea04ba |
+ streamdata = (void *) 0xb411c698
|
|
Michal Ambroz |
aea04ba |
+ size = 8196
|
|
Michal Ambroz |
aea04ba |
+ ret = 0
|
|
Michal Ambroz |
aea04ba |
+ __PRETTY_FUNCTION__ = "proc_emu_on_io_in"
|
|
Michal Ambroz |
aea04ba |
+ #4 0x0805e8be in recurse_io_process (pd=0x87dc388, con=0x8864b58, dir=bistream_in) at processor.c:167
|
|
Michal Ambroz |
aea04ba |
+ No locals.
|
|
Michal Ambroz |
aea04ba |
+ #5 0x0805ea01 in processors_io_in_thread (data=0x8864b58, userdata=0x87dc388) at processor.c:197
|
|
Michal Ambroz |
aea04ba |
+ con = (struct connection *) 0x8864b58
|
|
Michal Ambroz |
aea04ba |
+ pd = (struct processor_data *) 0x87dc388
|
|
Michal Ambroz |
aea04ba |
+ __PRETTY_FUNCTION__ = "processors_io_in_thread"
|
|
Michal Ambroz |
aea04ba |
+ #6 0x0805d2da in threadpool_wrapper (data=0x87d7bd0, user_data=0x0) at threads.c:49
|
|
Michal Ambroz |
aea04ba |
+ t = (struct thread *) 0x87d7bd0
|
|
Michal Ambroz |
aea04ba |
+ timer = (GTimer *) 0xb4108540
|
|
Michal Ambroz |
aea04ba |
+ #7 0xb77441f6 in g_thread_pool_thread_proxy (data=0x83db460) at gthreadpool.c:265
|
|
Michal Ambroz |
aea04ba |
+ task = (gpointer) 0x87d7bd0
|
|
Michal Ambroz |
aea04ba |
+ pool = (GRealThreadPool *) 0x83db460
|
|
Michal Ambroz |
aea04ba |
+ #8 0xb7742b8f in g_thread_create_proxy (data=0x83dc7d0) at gthread.c:635
|
|
Michal Ambroz |
aea04ba |
+ __PRETTY_FUNCTION__ = "g_thread_create_proxy"
|
|
Michal Ambroz |
aea04ba |
+ #9 0xb76744c0 in start_thread () from /lib/i686/cmov/libpthread.so.0
|
|
Michal Ambroz |
aea04ba |
+ No symbol table info available.
|
|
Michal Ambroz |
aea04ba |
+ #10 0xb75f36de in clone () from /lib/i686/cmov/libc.so.6
|
|
Michal Ambroz |
aea04ba |
+ No symbol table info available.
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
Again, it was a bug in libemu, an unbreakable loop consuming all memory.
|
|
Michal Ambroz |
aea04ba |
To reproduce, we have to dump the tested buffer, therefore we need the
|
|
Michal Ambroz |
aea04ba |
buffers address and size. Luckily the size is noted in frame #2 as 8196
|
|
Michal Ambroz |
aea04ba |
and and the data address is a parameter which got not optimized out for
|
|
Michal Ambroz |
aea04ba |
-frame #2.
|
|
Michal Ambroz |
aea04ba |
+frame #2::
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
-dump binary memory /tmp/sc.bin 0xb411c698 0xb411e89c
|
|
Michal Ambroz |
aea04ba |
+ dump binary memory /tmp/sc.bin 0xb411c698 0xb411e89c
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
Afterwards, debugging libemu by feeding the data into sctest is easy.
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
I've had fun with objgraph and gdb debugging reference count leaks in
|
|
Michal Ambroz |
aea04ba |
python too, here <http://carnivore.it/2009/12/23/arcane_bugs> is the
|
|
Michal Ambroz |
aea04ba |
-writeup.
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
+writeup::
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
- gdb python3 embedded
|
|
Michal Ambroz |
aea04ba |
+ gdb python3 embedded
|
|
Michal Ambroz |
aea04ba |
|
|
Michal Ambroz |
aea04ba |
Sometimes, there is something wrong with the python scripts, but gdb
|
|
Michal Ambroz |
aea04ba |
-does not provide any useful output:
|
|
Michal Ambroz |
aea04ba |
-
|
|
Michal Ambroz |
aea04ba |
-bt full
|
|
Michal Ambroz |
aea04ba |
-#12 0xb765f12d in PyEval_EvalFrameEx (f=0x825998c, throwflag=0) at Python/ceval.c:2267
|
|
Michal Ambroz |
aea04ba |
- stack_pointer = (PyObject **) 0x8259af0
|
|
Michal Ambroz |
aea04ba |
- next_instr = (unsigned char *) 0x812fabf "m'"
|
|
Michal Ambroz |
aea04ba |
- opcode = 100
|
|
Michal Ambroz |
aea04ba |
- oparg = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- why = 3071731824
|
|
Michal Ambroz |
aea04ba |
- err = 1
|
|
Michal Ambroz |
aea04ba |
- x = (PyObject *) 0xb7244aac
|
|
Michal Ambroz |
aea04ba |
- v = <value optimized out>
|
|
Michal Ambroz |
aea04ba |
- w = (PyObject *) 0xadb5e4dc
|
|
Michal Ambroz |
aea04ba |
- u = (PyObject *) 0xb775ccb0
|
|
Michal Ambroz |
aea04ba |
- freevars = (PyObject **) 0x8259af0
|
|
Michal Ambroz |
aea04ba |
- retval = (PyObject *) 0x0
|
|
Michal Ambroz |
aea04ba |
- tstate = (PyThreadState *) 0x809aab0
|
|
Michal Ambroz |
aea04ba |
- co = (PyCodeObject *) 0xb717b800
|
|
Michal Ambroz |
aea04ba |
- instr_ub = -1
|
|
Michal Ambroz |
aea04ba |
- instr_lb = 0
|
|
Michal Ambroz |
aea04ba |
- instr_prev = -1
|
|
Michal Ambroz |
aea04ba |
- first_instr = (unsigned char *) 0x812f918 "t"
|
|
Michal Ambroz |
aea04ba |
- names = (PyObject *) 0xb723f50c
|
|
Michal Ambroz |
aea04ba |
- consts = (PyObject *) 0xb71c9f7c
|
|
Michal Ambroz |
aea04ba |
- opcode_targets = {0xb765d202, 0xb765f60a, 0xb766133a, 0xb76612db, 0xb7661285, 0xb7661222, 0xb765d202, 0xb765d202, 0xb765d202, 0xb76611dd,
|
|
Michal Ambroz |
aea04ba |
- 0xb766114b, 0xb76610b9, 0xb766100f, 0xb765d202, 0xb765d202, 0xb7660f7d, 0xb765d202, 0xb765d202, 0xb765d202, 0xb7660eb7, 0xb7660dfb, 0xb765d202,
|
|
Michal Ambroz |
aea04ba |
- 0xb7660d30, 0xb7660c65, 0xb7660ba9, 0xb7660aed, 0xb7660a31, 0xb7660975, 0xb76608b9, 0xb76607fd, 0xb765d202 <repeats 24 times>, 0xb7660736, 0xb766066b,
|
|
Michal Ambroz |
aea04ba |
- 0xb76605af, 0xb76604f3, 0xb765d202, 0xb7660437, 0xb766035d, 0xb76602ad, 0xb7661aba, 0xb76619fe, 0xb7661942, 0xb7661886, 0xb7661b76, 0xb76614a8,
|
|
Michal Ambroz |
aea04ba |
- 0xb7661413, 0xb766138e, 0xb766171f, 0xb76616e6, 0xb765d202, 0xb765d202, 0xb765d202, 0xb766162a, 0xb766156e, 0xb76601f1, 0xb7660135, 0xb76617ca,
|
|
Michal Ambroz |
aea04ba |
- 0xb7660120, 0xb765fff7, 0xb765d202, 0xb765fd72, 0xb765fc6e, 0xb765d202, 0xb765fc1d, 0xb765fe17, 0xb765fd90, 0xb765fec0, 0xb765fb41, 0xb765fadc,
|
|
Michal Ambroz |
aea04ba |
- 0xb765f9ed, 0xb765f94d, 0xb765f8be, 0xb765f7e3, 0xb765f779, 0xb765f6bd, 0xb765f66c, 0xb765ef1d, 0xb765eea2, 0xb765ede1, 0xb765ed1a, 0xb765ec35,
|
|
Michal Ambroz |
aea04ba |
- 0xb765ebc3, 0xb765eb30, 0xb765ea69, 0xb765f1c7, 0xb765f027, 0xb765f560, 0xb765efc1, 0xb76630e3, 0xb766310c, 0xb765e64c, 0xb765e592, 0xb765f49a,
|
|
Michal Ambroz |
aea04ba |
- 0xb765f3de, 0xb765d202, 0xb765d202, 0xb765f39e, 0xb7663135, 0xb766315f, 0xb765e9cb, 0xb765d202, 0xb765e948, 0xb765e8bb, 0xb765e817, 0xb765d202,
|
|
Michal Ambroz |
aea04ba |
- 0xb765d202, 0xb765d202, 0xb765d2ae, 0xb765e3e0, 0xb7663275, 0xb765e1a2, 0xb766324e, 0xb765e0ba, 0xb765e01e, 0xb765df74, 0xb765d202, 0xb765d202,
|
|
Michal Ambroz |
aea04ba |
- 0xb7663189, 0xb76631d3, 0xb7663220, 0xb765e149, 0xb765d202, 0xb765de09, 0xb765dec0, 0xb765f2c0, 0xb765d202 <repeats 108 times>}
-#13 0xb7664ac0 in PyEval_EvalCodeEx (co=0xb717b800, globals=0xb7160b54, locals=0x0, args=0x84babb8, argcount=9, kws=0x0, kwcount=0, defs=0xb719e978,
- defcount=1, kwdefs=0x0, closure=0x0) at Python/ceval.c:3198
- f = (PyFrameObject *) 0x825998c
- retval = <value optimized out>
- freevars = (PyObject **) 0x8259af0
- tstate = (PyThreadState *) 0x809aab0
- x = <value optimized out>
- u = <value optimized out>
+does not provide any useful output::
+
+ bt full
+ #12 0xb765f12d in PyEval_EvalFrameEx (f=0x825998c, throwflag=0) at Python/ceval.c:2267
+ stack_pointer = (PyObject **) 0x8259af0
+ next_instr = (unsigned char *) 0x812fabf "m'"
+ opcode = 100
+ oparg = <value optimized out>
+ why = 3071731824
+ err = 1
+ x = (PyObject *) 0xb7244aac
+ v = <value optimized out>
+ w = (PyObject *) 0xadb5e4dc
+ u = (PyObject *) 0xb775ccb0
+ freevars = (PyObject **) 0x8259af0
+ retval = (PyObject *) 0x0
+ tstate = (PyThreadState *) 0x809aab0
+ co = (PyCodeObject *) 0xb717b800
+ instr_ub = -1
+ instr_lb = 0
+ instr_prev = -1
+ first_instr = (unsigned char *) 0x812f918 "t"
+ names = (PyObject *) 0xb723f50c
+ consts = (PyObject *) 0xb71c9f7c
+ opcode_targets = {0xb765d202, 0xb765f60a, 0xb766133a, 0xb76612db, 0xb7661285, 0xb7661222, 0xb765d202, 0xb765d202, 0xb765d202, 0xb76611dd,
+ 0xb766114b, 0xb76610b9, 0xb766100f, 0xb765d202, 0xb765d202, 0xb7660f7d, 0xb765d202, 0xb765d202, 0xb765d202, 0xb7660eb7, 0xb7660dfb, 0xb765d202,
+ 0xb7660d30, 0xb7660c65, 0xb7660ba9, 0xb7660aed, 0xb7660a31, 0xb7660975, 0xb76608b9, 0xb76607fd, 0xb765d202 <repeats 24 times>, 0xb7660736, 0xb766066b,
+ 0xb76605af, 0xb76604f3, 0xb765d202, 0xb7660437, 0xb766035d, 0xb76602ad, 0xb7661aba, 0xb76619fe, 0xb7661942, 0xb7661886, 0xb7661b76, 0xb76614a8,
+ 0xb7661413, 0xb766138e, 0xb766171f, 0xb76616e6, 0xb765d202, 0xb765d202, 0xb765d202, 0xb766162a, 0xb766156e, 0xb76601f1, 0xb7660135, 0xb76617ca,
+ 0xb7660120, 0xb765fff7, 0xb765d202, 0xb765fd72, 0xb765fc6e, 0xb765d202, 0xb765fc1d, 0xb765fe17, 0xb765fd90, 0xb765fec0, 0xb765fb41, 0xb765fadc,
+ 0xb765f9ed, 0xb765f94d, 0xb765f8be, 0xb765f7e3, 0xb765f779, 0xb765f6bd, 0xb765f66c, 0xb765ef1d, 0xb765eea2, 0xb765ede1, 0xb765ed1a, 0xb765ec35,
+ 0xb765ebc3, 0xb765eb30, 0xb765ea69, 0xb765f1c7, 0xb765f027, 0xb765f560, 0xb765efc1, 0xb76630e3, 0xb766310c, 0xb765e64c, 0xb765e592, 0xb765f49a,
+ 0xb765f3de, 0xb765d202, 0xb765d202, 0xb765f39e, 0xb7663135, 0xb766315f, 0xb765e9cb, 0xb765d202, 0xb765e948, 0xb765e8bb, 0xb765e817, 0xb765d202,
+ 0xb765d202, 0xb765d202, 0xb765d2ae, 0xb765e3e0, 0xb7663275, 0xb765e1a2, 0xb766324e, 0xb765e0ba, 0xb765e01e, 0xb765df74, 0xb765d202, 0xb765d202,
+ 0xb7663189, 0xb76631d3, 0xb7663220, 0xb765e149, 0xb765d202, 0xb765de09, 0xb765dec0, 0xb765f2c0, 0xb765d202 <repeats 108 times>}
+ #13 0xb7664ac0 in PyEval_EvalCodeEx (co=0xb717b800, globals=0xb7160b54, locals=0x0, args=0x84babb8, argcount=9, kws=0x0, kwcount=0, defs=0xb719e978,
+ defcount=1, kwdefs=0x0, closure=0x0) at Python/ceval.c:3198
+ f = (PyFrameObject *) 0x825998c
+ retval = <value optimized out>
+ freevars = (PyObject **) 0x8259af0
+ tstate = (PyThreadState *) 0x809aab0
+ x = <value optimized out>
+ u = <value optimized out>
Luckily python3 ships with some gdb macros, which assist in dealing with
this mess. You can grab them over here
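Review bot: the `bt full` transcript moved into the literal block reproduces the whole `opcode_targets` table (the runs of `0xb765...` addresses ending in `<repeats 108 times>`), which makes the block about thirty lines long without adding to the point the paragraph makes, namely that a plain backtrace is unreadable without the macros. Suggest keeping frames `#12` and `#13` with a few of their locals and eliding the table with `...`, so the sentence about the python3 gdb macros that follows is not pushed off the screen.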
@@ -234,14 +232,14 @@ SIGTTOU, Stopped (tty output).*/, run stty -nostop before running gdb,
reattach the process with fg, close gdb properly, and start over.
Once you got the macros loaded properly at gdb startup, set a breakpoint
-on PyEval_EvalFrameEx after dionaea loaded everything:
+on PyEval_EvalFrameEx after dionaea loaded everything::
-break PyEval_EvalFrameEx
+ break PyEval_EvalFrameEx
-Then we have some useful macros for gdb:
+Then we have some useful macros for gdb::
-up
-pyframev
+ up
+ pyframev
pyframev combines the output of pyframe and pylocals.
diff --git a/doc/source/old/utils.rst b/doc/source/old/utils.rst
index 752362e..657767e 100644
--- a/doc/source/old/utils.rst
+++ b/doc/source/old/utils.rst
@@ -3,21 +3,21 @@ Utils
Dionaea ships with some utils, as these utils are written in python and
rely on the python3 interpreter dionaea requires to operate, this
-software can be found in modules/python/utils.
+software can be found in modules/python/utils::
- readlogsqltree <#readlogsqltree> -
- modules/python/readlogsqltree.py
+ readlogsqltree <#readlogsqltree> -
+ modules/python/readlogsqltree.py
readlogsqltree is a python3 script which queries the logsql sqlite
database for attacks, and prints out all related information for every
attack.
This is an example for an attack, you get the vulnerability exploited,
the time, the attacker, information about the shellcode, the file
-offered for download, and even the virustotal report for the file.
+offered for download, and even the virustotal report for the file::
-2010-10-07 20:37:27
- connection 483256 smbd tcp accept 10.0.1.11:445 <- 93.177.176.190:47650 (483256 None)
+ 2010-10-07 20:37:27
+ connection 483256 smbd tcp accept 10.0.1.11:445 <- 93.177.176.190:47650 (483256 None)
dcerpc bind: uuid '4b324fc8-1670-01d3-1278-5a47bf6ee188' (SRVSVC) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid '7d705026-884d-af82-7b3d-961deaeb179a' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
dcerpc bind: uuid '7f4fdfe9-2be7-4d6b-a5d4-aa3c831503a1' (None) transfersyntax 8a885d04-1ceb-11c9-9fe8-08002b104860
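Review bot: the `::` added in `+software can be found in modules/python/utils::` turns the two lines `readlogsqltree <#readlogsqltree> -` and `modules/python/readlogsqltree.py` into a literal block, but they are wiki-export residue, not code: `<#readlogsqltree>` was an in-page anchor that no longer resolves, and the path is what the old page showed next to the heading. Suggest replacing them with a real subsection, e.g. a `readlogsqltree` title with an underline followed by `:file:`modules/python/readlogsqltree.py``, so Sphinx produces a linkable section instead of a preformatted stub; the `gnuplotsql <#gnuplotsql>` and `pg_backend <#pg_backend>` lines in the next hunk have the same shape.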
@@ -38,49 +38,47 @@ offered for download, and even the virustotal report for the file.
To create such report for your own honeypots activities for the last 24
-hours run:
+hours run::
-./readlogsqltree.py -t $(date '+%s')-24*3600 /opt/dionaea/var/dionaea/logsql.sqlite
+ ./readlogsqltree.py -t $(date '+%s')-24*3600 /opt/dionaea/var/dionaea/logsql.sqlite
- gnuplotsql <#gnuplotsql> - modules/python/gnuplotsql.py
+ gnuplotsql <#gnuplotsql> - modules/python/gnuplotsql.py
gnuplotsql is a very slow python3 script which runs some queries on the
logsql <#logsql> sqlite database and creates graphs with gnuplot of the
data, stores them on disk and creates an index of the data. The images
are per protocol and look like this: Overview for dionaea smbd.
Here <gnuplotsql> is how the whole thing looks like.
-To create such images of your own data, run:
+To create such images of your own data, run::
-./gnuplotsql.py -d /opt/dionaea/var/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd
+ ./gnuplotsql.py -d /opt/dionaea/var/dionaea/logsql.sqlite -p smbd -p epmapper -p mssqld -p httpd -p ftpd
The blog got something on gnuplotsql as well:
- * 2010-12-05 sudden death <http://carnivore.it/2010/12/05/sudden_death>
- * 2010-10-01 Infosanity's Blog: gnuplotsql.py
- <http://blog.infosanity.co.uk/2010/10/01/gnuplotsql-py/>
- * 2010-09-19 gnuplotsql <http://carnivore.it/2010/09/19/gnuplotsql>
+ * `2010-12-05 sudden death <http://carnivore.it/2010/12/05/sudden_death>`_
+ * `2010-10-01 Infosanity's Blog: gnuplotsql.py <http://blog.infosanity.co.uk/2010/10/01/gnuplotsql-py/>`_
+ * `2010-09-19 gnuplotsql <http://carnivore.it/2010/09/19/gnuplotsql>`_
+::
- pg_backend <#pg_backend> - modules/python/xmpp/pg_backend.py
+ pg_backend <#pg_backend> - modules/python/xmpp/pg_backend.py
pg_backend is the backend for logxmpp <#logxmpp>, currently it is a
python2.x script which uses pyxmpp to access the xmpp service. It parses
the messages received and can store the events in a postgres database
-and the received files on disk. pg_backend requires an xmpp account.
-/without db/
+and the received files on disk. pg_backend requires an xmpp account::
+ /without db/
+ ./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -f /tmp/
-./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -f /tmp/
+ /with db/
+ create database
+ psql ...
-/with db/ create database
+ start backend
-psql ...
-
-start backend
-
-
-./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -s DBHOST -u DBUSER -d xmpp -p DBPASS -f /tmp/
+ ./pg_backend.py -U USER@sensors.carnivore.it -P XMPPPASS -M dionaea.sensors.carnivore.it -C anon-files -C anon-events -s DBHOST -u DBUSER -d xmpp -p DBPASS -f /tmp/
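Review bot: both `./pg_backend.py` invocations kept in the new literal block pass the XMPP password on the command line (`-P XMPPPASS`) and the second one also the database password (`-p DBPASS`); argv is readable by every local user through the process list and the line lands in the shell history, so since this is the documented way to start the backend, a sentence next to the examples pointing at whatever less exposed way pg_backend offers (environment variable, config file or prompt, if it supports one) or at least naming the exposure would help operators. Separately, `/without db/`, `/with db/`, `create database`, `psql ...` and `start backend` are old wiki emphasis and step descriptions that the `::` on `+and the received files on disk. pg_backend requires an xmpp account::` now renders as preformatted text; they read better as short prose or `*emphasis*` between two literal blocks. Also worth checking in the readlogsqltree part of this hunk: `-t $(date '+%s')-24*3600` hands the script the literal text `<epoch>-24*3600`, so unless readlogsqltree.py evaluates that expression itself, `$(( $(date +%s) - 24*3600 ))` is what is meant.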
diff --git a/conf/ihandlers/log_sqlite.yaml.in b/conf/ihandlers/log_sqlite.yaml.in
index 2866f25..d781ca1 100644
--- a/conf/ihandlers/log_sqlite.yaml.in
+++ b/conf/ihandlers/log_sqlite.yaml.in
@@ -1,3 +1,4 @@
- name: log_sqlite
config:
file: @LOCALESTATEDIR@/dionaea/dionaea.sqlite
+
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 962c18b..76f995c 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -5,7 +5,7 @@ If you want to change the software, it is really important to understand how it
:file:`dionaea.cfg` is the main configuration file.
In the example below you can see the default configuration.
-.. literalinclude:: ../../conf/dionaea.cfg.in
+.. literalinclude:: ../../conf/dionaea.cfg
:language: ini
:caption: dionaea.cfg
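Review bot: `literalinclude` now points at `../../conf/dionaea.cfg` instead of the `.in` template, so the docs build depends on that file having been generated first; the `.in` files carry build-time placeholders such as `@LOCALESTATEDIR@`, visible in the log_sqlite.yaml.in hunk of this same change. On a clean checkout Sphinx warns that the include file does not exist and omits the block, so either the docs target must depend on the configure step or the build instructions should say that it has to run first. The same applies to every `literalinclude` hunk below (fail2ban, log_db_sql, log_incident, log_json, log_sqlite, virustotal, ftp, http, tftp, upnp).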
diff --git a/doc/source/ihandler/fail2ban.rst b/doc/source/ihandler/fail2ban.rst
index d0e0fe3..e6bb225 100644
--- a/doc/source/ihandler/fail2ban.rst
+++ b/doc/source/ihandler/fail2ban.rst
@@ -4,6 +4,6 @@ fail2ban
Example config
--------------
-.. literalinclude:: ../../../conf/ihandlers/fail2ban.yaml.in
+.. literalinclude:: ../../../conf/ihandlers/fail2ban.yaml
:language: yaml
:caption: ihandlers/fail2ban.yaml
\ No newline at end of file
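Review bot: the `\ No newline at end of file` marker on the `:caption:` context line shows fail2ban.rst still ends without a trailing newline after this change; the ftp.rst hunk in the same commit fixes exactly that for services/ftp.rst, so it would be consistent to add the newline here too.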
diff --git a/doc/source/ihandler/log_db_sql.rst b/doc/source/ihandler/log_db_sql.rst
index ca85b78..a109c63 100644
--- a/doc/source/ihandler/log_db_sql.rst
+++ b/doc/source/ihandler/log_db_sql.rst
@@ -9,7 +9,7 @@ It uses `SQLAlchemy`_ to support different databases.
Example config
--------------
-.. literalinclude:: ../../../conf/ihandlers/log_db_sql.yaml.in
+.. literalinclude:: ../../../conf/ihandlers/log_db_sql.yaml
:language: yaml
:caption: ihandlers/log_db_sql.yaml
diff --git a/doc/source/ihandler/log_incident.rst b/doc/source/ihandler/log_incident.rst
index 3c62552..f9830a7 100644
--- a/doc/source/ihandler/log_incident.rst
+++ b/doc/source/ihandler/log_incident.rst
@@ -39,6 +39,6 @@ Format
Example config
--------------
-.. literalinclude:: ../../../conf/ihandlers/log_incident.yaml.in
+.. literalinclude:: ../../../conf/ihandlers/log_incident.yaml
:language: yaml
:caption: ihandlers/log_incident.yaml
diff --git a/doc/source/ihandler/log_json.rst b/doc/source/ihandler/log_json.rst
index e6f3bfe..000d5ac 100644
--- a/doc/source/ihandler/log_json.rst
+++ b/doc/source/ihandler/log_json.rst
@@ -46,6 +46,6 @@ Format of the connection information:
Example config
--------------
-.. literalinclude:: ../../../conf/ihandlers/log_json.yaml.in
+.. literalinclude:: ../../../conf/ihandlers/log_json.yaml
:language: yaml
:caption: ihandlers/log_json.yaml
diff --git a/doc/source/ihandler/log_sqlite.rst b/doc/source/ihandler/log_sqlite.rst
index e6cca5b..5450912 100644
--- a/doc/source/ihandler/log_sqlite.rst
+++ b/doc/source/ihandler/log_sqlite.rst
@@ -39,7 +39,8 @@ for more examples how to make use of the database.
Example config
--------------
-::
- .. literalinclude:: ../../../conf/ihandlers/log_sqlite.yaml.in
+.. literalinclude:: ../../../conf/ihandlers/log_sqlite.yaml
:language: yaml
:caption: ihandlers/log_sqlite.yaml
+
+
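Review bot: dropping the `::` and the indentation in front of `.. literalinclude::` is the real fix in this hunk (nested under a literal block the directive was rendered as text instead of being executed), but the two empty `+` lines appended after `:caption:` leave the file ending in two blank lines; a single trailing newline is enough and rst linters flag the extra one.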
diff --git a/doc/source/ihandler/virustotal.rst b/doc/source/ihandler/virustotal.rst
index dc7923e..3f64a02 100644
--- a/doc/source/ihandler/virustotal.rst
+++ b/doc/source/ihandler/virustotal.rst
@@ -18,7 +18,7 @@ Configuration
Example config
--------------
-.. literalinclude:: ../../../conf/ihandlers/virustotal.yaml.in
+.. literalinclude:: ../../../conf/ihandlers/virustotal.yaml
:language: yaml
:caption: ihandlers/virustotal.yaml
diff --git a/doc/source/service/ftp.rst b/doc/source/service/ftp.rst
index 0f0d52b..0c54bc9 100644
--- a/doc/source/service/ftp.rst
+++ b/doc/source/service/ftp.rst
@@ -9,6 +9,7 @@ something interesting happening on port 21.
Example config
--------------
-.. literalinclude:: ../../../conf/services/ftp.yaml.in
+.. literalinclude:: ../../../conf/services/ftp.yaml
:language: yaml
- :caption: services/ftp.yaml
\ No newline at end of file
+ :caption: services/ftp.yaml
+
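Review bot: re-adding `:caption: services/ftp.yaml` with a newline fixes the `\ No newline at end of file` problem, but the extra empty `+` line after it leaves the file ending in a blank line; ending right after `:caption:` is enough.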
diff --git a/doc/source/service/http.rst b/doc/source/service/http.rst
index 9e34fce..847d928 100644
--- a/doc/source/service/http.rst
+++ b/doc/source/service/http.rst
@@ -41,7 +41,7 @@ root
Example config
--------------
-.. literalinclude:: ../../../conf/services/http.yaml.in
+.. literalinclude:: ../../../conf/services/http.yaml
:language: yaml
:caption: services/http.yaml
diff --git a/doc/source/service/tftp.rst b/doc/source/service/tftp.rst
index 436b616..6c159d8 100644
--- a/doc/source/service/tftp.rst
+++ b/doc/source/service/tftp.rst
@@ -9,6 +9,6 @@ tftp services.
Example config
--------------
-.. literalinclude:: ../../../conf/services/tftp.yaml.in
+.. literalinclude:: ../../../conf/services/tftp.yaml
:language: yaml
:caption: services/tftp.yaml
diff --git a/doc/source/service/upnp.rst b/doc/source/service/upnp.rst
index fa50de7..e28f928 100644
--- a/doc/source/service/upnp.rst
+++ b/doc/source/service/upnp.rst
@@ -4,6 +4,6 @@ UPnP
Example config
--------------
-.. literalinclude:: ../../../conf/services/upnp.yaml.in
+.. literalinclude:: ../../../conf/services/upnp.yaml
:language: yaml
:caption: services/upnp.yaml