[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: arpwatch patch [was: Re: Firewall Public IP's?]



On Sat, Apr 13, 2002 at 03:04:35PM -0700, Blars Blarson wrote:
> In article <20020413211239.GA28354@wohnheim.fh-wedel.de> 
> apb@wohnheim.fh-wedel.de writes:
> >After my mail I checked on the bugreports and started chewing on the
> >code, and I can already call an external script. I think having an
> >explicit way to call a script is a saner way than replacing sendmail
> >with something smarter.
> >But maybe one can include an option to suppress the whole message if
> >the external script returns something != 0 - how would you like
> >that?
> 
> Sounds good.  The -s option works, but isn't pretty.  I think that
> "suppress email" and "suppress syslog entry" should be separate
> though.

I'm still thinking about this - trouble is, if something is broken
with the script, you want to alert the user. If you use error codes
for signaling you are lost. Maybe you need a single script for each
decision?

> The "something smarter" I have now is just a 20-line perl script that
> sends the message on to sendmail if certain conditons arn't met.
Sounds a little bit 'hackish' ;-)

> My "scan the network" perl program that queries the switches isn't in
> releasable shape, it has a bunch of hard-coded assumpitons about our
> network.  I'd have to ask permission as well, since it was written for
> work.
That's not necassary (at least for me), 'cos I have my own set of
shell scripts for funny stuff like calculating room numbers from
ports - that was fun ;-)))

But, I've attached my work this far as a patch, maybe you could have
a look at it? Because honestly, I want to have at least one night's
sleep over it before deploying it to security critical machines...

You just have the option -c checkfile (parameters are mac address
and ip address) and the output is appended to the mail.

-- 
Ciao, Arne.
                                                                  -o)
GPG 1024D/913C2F81 2000-10-11 Arne P. Boettger <apb@createx.de>   /\\
Fingerprint = 6ED9 9A64 CD8A EB6F D841  0391 2F08 8F86 913C 2F81 _\_V
diff -ur arpwatch-2.1a11.orig/arpsnmp.8 arpwatch-2.1a11/arpsnmp.8
--- arpwatch-2.1a11.orig/arpsnmp.8	Sun Apr 14 00:11:13 2002
+++ arpwatch-2.1a11/arpsnmp.8	Sun Apr 14 00:09:12 2002
@@ -36,6 +36,9 @@
 ] [
 .B -s
 .I sendmail_path
+] [
+.B -c
+.I checkfile
 ]
 .br
 .ti +8
@@ -76,6 +79,14 @@
 Any program that takes the option -odi and then text from stdin
 can be substituted. This is useful for redirecting reports
 to log files instead of mail. (Debian specific)
+.LP
+The
+.B -c
+flag is used to specify the path to the checking program.
+It can be used to perform further investigation of the suspicious
+machine. It is called with the mac ethernet address as first and the 
+ip address as second parameter. This is useful for querying an 
+snmp-capable switch for the port of the occurence. (Debian specific)
 .LP
 Note that an empty
 .I arp.dat
diff -ur arpwatch-2.1a11.orig/arpsnmp.c arpwatch-2.1a11/arpsnmp.c
--- arpwatch-2.1a11.orig/arpsnmp.c	Sun Apr 14 00:11:13 2002
+++ arpwatch-2.1a11/arpsnmp.c	Sat Apr 13 23:42:05 2002
@@ -68,6 +68,7 @@
 
 char *prog;
 char *path_sendmail = PATH_SENDMAIL;
+char *path_checkfile = NULL;
 
 extern int optind;
 extern int opterr;
@@ -84,6 +85,7 @@
 		"m:"
 		"f:"
 		"s:"
+		"c:"
 	;
 
 	if ((cp = strrchr(argv[0], '/')) != NULL)
@@ -118,6 +120,10 @@
 
 		case 's':
 			path_sendmail = optarg;
+			break;
+
+		case 'c':
+			path_checkfile = optarg;
 			break;
 
 		default:
diff -ur arpwatch-2.1a11.orig/arpwatch.8 arpwatch-2.1a11/arpwatch.8
--- arpwatch-2.1a11.orig/arpwatch.8	Sun Apr 14 00:11:13 2002
+++ arpwatch-2.1a11/arpwatch.8	Sun Apr 14 00:07:14 2002
@@ -57,6 +57,9 @@
 [
 .B -s
 .I sendmail_path
+] [
+.B -c
+.I checkfile
 ]
 .ad
 .SH DESCRIPTION
@@ -141,6 +144,14 @@
 Any program that takes the option -odi and then text from stdin
 can be substituted. This is useful for redirecting reports
 to log files instead of mail. (Debian specific)
+.LP
+The
+.B -c
+flag is used to specify the path to the checking program.
+It can be used to perform further investigation of the suspicious
+machine. It is called with the mac ethernet address as first and the 
+ip address as second parameter. This is useful for querying an 
+snmp-capable switch for the port of the occurence. (Debian specific)
 .LP
 Note that an empty
 .I arp.dat
diff -ur arpwatch-2.1a11.orig/arpwatch.c arpwatch-2.1a11/arpwatch.c
--- arpwatch-2.1a11.orig/arpwatch.c	Sun Apr 14 00:11:13 2002
+++ arpwatch-2.1a11/arpwatch.c	Sat Apr 13 23:35:30 2002
@@ -107,6 +107,7 @@
 
 char *prog;
 char *path_sendmail = PATH_SENDMAIL;
+char *path_checkfile = NULL;
 
 int can_checkpoint;
 int swapped;
@@ -165,6 +166,7 @@
 		"p"
 		"r:"
 		"s:"
+		"c:"
 	;
 
 	if (argv[0] == NULL)
@@ -229,6 +231,10 @@
 
 		case 's':
 			path_sendmail = optarg;
+			break;
+
+		case 'c':
+			path_checkfile = optarg;
 			break;
 
 		default:
diff -ur arpwatch-2.1a11.orig/report.c arpwatch-2.1a11/report.c
--- arpwatch-2.1a11.orig/report.c	Sun Apr 14 00:11:13 2002
+++ arpwatch-2.1a11/report.c	Sat Apr 13 23:51:47 2002
@@ -236,14 +236,17 @@
     register u_char *e2, register time_t *t1p, register time_t *t2p)
 {
         extern char *path_sendmail;
+	extern char *path_checkfile;
 	register char *cp, *hn;
 	register int fd, pid;
 	register FILE *f;
+	FILE *p;
 	char tempfile[64], cpu[64], os[64];
 	char *fmt = "%20s: %s\n";
 	char *watcher = mailaddress;
 	char *watchee = WATCHEE;
 	char *sendmail = path_sendmail;
+	char *checkfile = path_checkfile;
 	char *unknown = "<unknown>";
 	char buf[132];
 	static int init = 0;
@@ -333,6 +336,25 @@
 		(void)fprintf(f, fmt, "previous timestamp", fmtdate(*t2p));
 	if (t1p && t2p && *t1p && *t2p)
 		(void)fprintf(f, fmt, "delta", fmtdelta(*t1p - *t2p));
+
+	if (checkfile) {
+		(void)strcpy(buf,checkfile);
+		(void)strcat(buf," ");
+		(void)strcat(buf, e2str(e1));
+		(void)strcat(buf, " ");
+		(void)strcat(buf, intoa(a));
+		if ((p = popen(buf, "r"))) {
+			/* strcpy(buf,""); */
+			while (fgets(buf,sizeof(buf),p)) {
+				(void)fputs(buf, f);
+			}
+			if (! pclose(p)) {
+				syslog(LOG_ERR, "pclose: %s: %m", checkfile);
+			}
+		} else {
+			syslog(LOG_ERR, "popen: %s: %m", checkfile);
+		}
+	}
 
 	if (debug) {
 		fflush(f);

Reply to: