Re: arpwatch patch [was: Re: Firewall Public IP's?]
On Sat, Apr 13, 2002 at 03:04:35PM -0700, Blars Blarson wrote:
> In article <[🔎] 20020413211239.GA28354@wohnheim.fh-wedel.de>
> apb@wohnheim.fh-wedel.de writes:
> >After my mail I checked on the bugreports and started chewing on the
> >code, and I can already call an external script. I think having an
> >explicit way to call a script is a saner way than replacing sendmail
> >with something smarter.
> >But maybe one can include an option to suppress the whole message if
> >the external script returns something != 0 - how would you like
> >that?
>
> Sounds good. The -s option works, but isn't pretty. I think that
> "suppress email" and "suppress syslog entry" should be separate
> though.
I'm still thinking about this - trouble is, if something is broken
with the script, you want to alert the user. If you use error codes
for signaling you are lost. Maybe you need a single script for each
decision?
> The "something smarter" I have now is just a 20-line perl script that
> sends the message on to sendmail if certain conditions aren't met.
Sounds a little bit 'hackish' ;-)
> My "scan the network" perl program that queries the switches isn't in
> releasable shape, it has a bunch of hard-coded assumptions about our
> network. I'd have to ask permission as well, since it was written for
> work.
That's not necessary (at least for me), 'cos I have my own set of
shell scripts for funny stuff like calculating room numbers from
ports - that was fun ;-)))
But, I've attached my work this far as a patch, maybe you could have
a look at it? Because honestly, I want to have at least one night's
sleep over it before deploying it to security critical machines...
You just have the option -c checkfile (parameters are mac address
and ip address) and the output is appended to the mail.
--
Ciao, Arne.
-o)
GPG 1024D/913C2F81 2000-10-11 Arne P. Boettger <apb@createx.de> /\\
Fingerprint = 6ED9 9A64 CD8A EB6F D841 0391 2F08 8F86 913C 2F81 _\_V
diff -ur arpwatch-2.1a11.orig/arpsnmp.8 arpwatch-2.1a11/arpsnmp.8
--- arpwatch-2.1a11.orig/arpsnmp.8 Sun Apr 14 00:11:13 2002
+++ arpwatch-2.1a11/arpsnmp.8 Sun Apr 14 00:09:12 2002
@@ -36,6 +36,9 @@
] [
.B -s
.I sendmail_path
+] [
+.B -c
+.I checkfile
]
.br
.ti +8
@@ -76,6 +79,14 @@
Any program that takes the option -odi and then text from stdin
can be substituted. This is useful for redirecting reports
to log files instead of mail. (Debian specific)
+.LP
+The
+.B -c
+flag is used to specify the path to the checking program.
+It can be used to perform further investigation of the suspicious
+machine. It is called with the mac ethernet address as first and the
+ip address as second parameter. This is useful for querying an
+snmp-capable switch for the port of the occurence. (Debian specific)
.LP
Note that an empty
.I arp.dat
diff -ur arpwatch-2.1a11.orig/arpsnmp.c arpwatch-2.1a11/arpsnmp.c
--- arpwatch-2.1a11.orig/arpsnmp.c Sun Apr 14 00:11:13 2002
+++ arpwatch-2.1a11/arpsnmp.c Sat Apr 13 23:42:05 2002
@@ -68,6 +68,7 @@
char *prog;
char *path_sendmail = PATH_SENDMAIL;
+char *path_checkfile = NULL;
extern int optind;
extern int opterr;
@@ -84,6 +85,7 @@
"m:"
"f:"
"s:"
+ "c:"
;
if ((cp = strrchr(argv[0], '/')) != NULL)
@@ -118,6 +120,10 @@
case 's':
path_sendmail = optarg;
+ break;
+
+ case 'c':
+ path_checkfile = optarg;
break;
default:
diff -ur arpwatch-2.1a11.orig/arpwatch.8 arpwatch-2.1a11/arpwatch.8
--- arpwatch-2.1a11.orig/arpwatch.8 Sun Apr 14 00:11:13 2002
+++ arpwatch-2.1a11/arpwatch.8 Sun Apr 14 00:07:14 2002
@@ -57,6 +57,9 @@
[
.B -s
.I sendmail_path
+] [
+.B -c
+.I checkfile
]
.ad
.SH DESCRIPTION
@@ -141,6 +144,14 @@
Any program that takes the option -odi and then text from stdin
can be substituted. This is useful for redirecting reports
to log files instead of mail. (Debian specific)
+.LP
+The
+.B -c
+flag is used to specify the path to the checking program.
+It can be used to perform further investigation of the suspicious
+machine. It is called with the mac ethernet address as first and the
+ip address as second parameter. This is useful for querying an
+snmp-capable switch for the port of the occurence. (Debian specific)
.LP
Note that an empty
.I arp.dat
diff -ur arpwatch-2.1a11.orig/arpwatch.c arpwatch-2.1a11/arpwatch.c
--- arpwatch-2.1a11.orig/arpwatch.c Sun Apr 14 00:11:13 2002
+++ arpwatch-2.1a11/arpwatch.c Sat Apr 13 23:35:30 2002
@@ -107,6 +107,7 @@
char *prog;
char *path_sendmail = PATH_SENDMAIL;
+char *path_checkfile = NULL;
int can_checkpoint;
int swapped;
@@ -165,6 +166,7 @@
"p"
"r:"
"s:"
+ "c:"
;
if (argv[0] == NULL)
@@ -229,6 +231,10 @@
case 's':
path_sendmail = optarg;
+ break;
+
+ case 'c':
+ path_checkfile = optarg;
break;
default:
diff -ur arpwatch-2.1a11.orig/report.c arpwatch-2.1a11/report.c
--- arpwatch-2.1a11.orig/report.c Sun Apr 14 00:11:13 2002
+++ arpwatch-2.1a11/report.c Sat Apr 13 23:51:47 2002
@@ -236,14 +236,17 @@
register u_char *e2, register time_t *t1p, register time_t *t2p)
{
extern char *path_sendmail;
+ extern char *path_checkfile;
register char *cp, *hn;
register int fd, pid;
register FILE *f;
+ FILE *p;
char tempfile[64], cpu[64], os[64];
char *fmt = "%20s: %s\n";
char *watcher = mailaddress;
char *watchee = WATCHEE;
char *sendmail = path_sendmail;
+ char *checkfile = path_checkfile;
char *unknown = "<unknown>";
char buf[132];
static int init = 0;
@@ -333,6 +336,25 @@
(void)fprintf(f, fmt, "previous timestamp", fmtdate(*t2p));
if (t1p && t2p && *t1p && *t2p)
(void)fprintf(f, fmt, "delta", fmtdelta(*t1p - *t2p));
+
+ if (checkfile) {
+ (void)strcpy(buf,checkfile);
+ (void)strcat(buf," ");
+ (void)strcat(buf, e2str(e1));
+ (void)strcat(buf, " ");
+ (void)strcat(buf, intoa(a));
+ if ((p = popen(buf, "r"))) {
+ /* strcpy(buf,""); */
+ while (fgets(buf,sizeof(buf),p)) {
+ (void)fputs(buf, f);
+ }
+ if (! pclose(p)) {
+ syslog(LOG_ERR, "pclose: %s: %m", checkfile);
+ }
+ } else {
+ syslog(LOG_ERR, "popen: %s: %m", checkfile);
+ }
+ }
if (debug) {
fflush(f);
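Review bot: The command line is assembled with unbounded `strcpy`/`strcat` into the 132-byte `buf`, so a checkfile path of roughly a hundred characters overflows the stack buffer before popen ever runs; the path comes from the operator's own `-c` argument rather than from the network, but a bounded `snprintf` with a truncation check is still the right way to build it. The status test after the fgets loop is inverted: pclose returns the child's wait status, 0 on success, so `if (! pclose(p))` logs an error for a successful script and stays silent when it fails — it should read `if (pclose(p) != 0)`, and `%m` only carries meaning in the -1 case, since a non-zero exit status does not set errno (this also matters for the exit-code signalling discussed in the thread). Because popen hands the string to a shell inside a daemon that presumably runs with elevated privileges, a fork/execv with an explicit argv of checkfile, e2str(e1), intoa(a) would avoid shell interpretation of the path altogether; the excerpt below keeps popen and fixes only the bounds and status checks. report() begins before this hunk and its body continues after it.
```c
	if (checkfile) {
		int len = snprintf(buf, sizeof(buf), "%s %s %s",
		    checkfile, e2str(e1), intoa(a));
		if (len < 0 || (size_t)len >= sizeof(buf)) {
			syslog(LOG_ERR, "checkfile command too long: %s", checkfile);
		} else if ((p = popen(buf, "r"))) {
			/* … unchanged: fgets loop copying script output into f … */
			if (pclose(p) != 0) {
				syslog(LOG_ERR, "pclose: %s: %m", checkfile);
			}
		} else {
			syslog(LOG_ERR, "popen: %s: %m", checkfile);
		}
	}
```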