From e8c77caafc631866750742b83e9bf4748c2032ed Mon Sep 17 00:00:00 2001 
From: Frank Brehm Date: Mon, 12 Apr 2021 15:28:10 +0200 Subject: [PATCH] committing changes in /etc made by "apt install -y ulogd2 ulogd2-dbi ulogd2-json ulogd2-mysql ulogd2-pcap ulogd2-pgsql ulogd2-sqlite3 tcpdump tshark mmdb-bin" Package changes: +libc-ares2 1.14.0-1 amd64 +libdbi1 0.9.0-5 amd64 +libmaxminddb0 1.3.2-1+deb10u1 amd64 +libnetfilter-acct1 1.0.3-2 amd64 +libnetfilter-log1 1.0.1-1.1+b1 amd64 +libnl-3-200 3.4.0-1 amd64 +libnl-genl-3-200 3.4.0-1 amd64 +libpcap0.8 1.8.1-6 amd64 +libpq5 11.11-0+deb10u1 amd64 +libsbc1 1.4-1 amd64 +libsmi2ldbl 0.4.8+dfsg2-16 amd64 +libspandsp2 0.0.6+dfsg-2 amd64 +libssh-gcrypt-4 0.8.7-1+deb10u1 amd64 +libwireshark-data 2.6.20-0+deb10u1 all +libwireshark11 2.6.20-0+deb10u1 amd64 +libwiretap8 2.6.20-0+deb10u1 amd64 +libwscodecs2 2.6.20-0+deb10u1 amd64 +libwsutil9 2.6.20-0+deb10u1 amd64 +mmdb-bin 1.3.2-1+deb10u1 amd64 +tcpdump 4.9.3-1~deb10u2 amd64 +tshark 2.6.20-0+deb10u1 amd64 +ulogd2 2.0.7-1+b1 amd64 +ulogd2-dbi 2.0.7-1+b1 amd64 +ulogd2-json 2.0.7-1+b1 amd64 +ulogd2-mysql 2.0.7-1+b1 amd64 +ulogd2-pcap 2.0.7-1+b1 amd64 +ulogd2-pgsql 2.0.7-1+b1 amd64 +ulogd2-sqlite3 2.0.7-1+b1 amd64 +wireshark-common 2.6.20-0+deb10u1 amd64 --- .etckeeper | 11 + apparmor.d/local/usr.sbin.tcpdump | 0 apparmor.d/usr.sbin.tcpdump | 63 ++ group | 1 + group- | 2 +- gshadow | 1 + gshadow- | 2 +- init.d/ulogd2 | 131 ++++ libnl-3/classid | 45 ++ libnl-3/pktloc | 76 ++ logrotate.d/ulogd2 | 14 + passwd | 1 + passwd- | 2 + rc0.d/K01ulogd2 | 1 + rc1.d/K01ulogd2 | 1 + rc2.d/S01ulogd2 | 1 + rc3.d/S01ulogd2 | 1 + rc4.d/S01ulogd2 | 1 + rc5.d/S01ulogd2 | 1 + rc6.d/K01ulogd2 | 1 + shadow | 1 + shadow- | 2 + smi.conf | 41 + .../multi-user.target.wants/ulogd2.service | 1 + systemd/system/ulogd.service | 1 + ulogd.conf | 332 +++++++++ wireshark/init.lua | 703 ++++++++++++++++++ 27 files changed, 1435 insertions(+), 2 deletions(-) create mode 100644 apparmor.d/local/usr.sbin.tcpdump create mode 100644 apparmor.d/usr.sbin.tcpdump create mode 100755 init.d/ulogd2 
create mode 100644 libnl-3/classid create mode 100644 libnl-3/pktloc create mode 100644 logrotate.d/ulogd2 create mode 120000 rc0.d/K01ulogd2 create mode 120000 rc1.d/K01ulogd2 create mode 120000 rc2.d/S01ulogd2 create mode 120000 rc3.d/S01ulogd2 create mode 120000 rc4.d/S01ulogd2 create mode 120000 rc5.d/S01ulogd2 create mode 120000 rc6.d/K01ulogd2 create mode 100644 smi.conf create mode 120000 systemd/system/multi-user.target.wants/ulogd2.service create mode 120000 systemd/system/ulogd.service create mode 100644 ulogd.conf create mode 100644 wireshark/init.lua diff --git a/.etckeeper b/.etckeeper index 8d5a14d..2575f63 100755 --- a/.etckeeper +++ b/.etckeeper @@ -255,12 +255,14 @@ maybe chmod 0644 'apparmor.d/local/usr.bin.man' maybe chmod 0644 'apparmor.d/local/usr.sbin.chronyd' maybe chmod 0644 'apparmor.d/local/usr.sbin.clamd' maybe chmod 0644 'apparmor.d/local/usr.sbin.named' +maybe chmod 0644 'apparmor.d/local/usr.sbin.tcpdump' maybe chmod 0644 'apparmor.d/usr.bin.freshclam' maybe chmod 0644 'apparmor.d/usr.bin.man' maybe chmod 0644 'apparmor.d/usr.sbin.chronyd' maybe chmod 0644 'apparmor.d/usr.sbin.clamd' maybe chmod 0644 'apparmor.d/usr.sbin.mysqld' maybe chmod 0644 'apparmor.d/usr.sbin.named' +maybe chmod 0644 'apparmor.d/usr.sbin.tcpdump' maybe chmod 0755 'apt' maybe chmod 0644 'apt/SALTSTACK-GPG-KEY.pub' maybe chmod 0755 'apt/apt.conf.d' @@ -702,6 +704,7 @@ maybe chmod 0755 'init.d/spamassassin' maybe chmod 0755 'init.d/ssh' maybe chmod 0755 'init.d/sudo' maybe chmod 0755 'init.d/udev' +maybe chmod 0755 'init.d/ulogd2' maybe chmod 0755 'init.d/uwsgi' maybe chmod 0644 'init/php7.3-fpm.conf' maybe chmod 0755 'initramfs-tools' 
@@ -766,6 +769,9 @@ maybe chmod 0644 'ldap/ldap.conf' maybe chmod 0755 'ldap/schema' maybe chmod 0644 'ldap/schema/amavis.schema' maybe chmod 0644 'libaudit.conf' +maybe chmod 0755 'libnl-3' +maybe chmod 0644 'libnl-3/classid' +maybe chmod 0644 'libnl-3/pktloc' maybe chmod 0644 'locale.alias' maybe chmod 0644 'locale.gen' maybe chmod 0755 'logcheck' @@ -806,6 +812,7 @@ maybe chmod 0644 'logrotate.d/nginx' maybe chmod 0644 'logrotate.d/php7.3-fpm' maybe chmod 0644 'logrotate.d/rsyslog' maybe chmod 0644 'logrotate.d/salt-common' +maybe chmod 0644 'logrotate.d/ulogd2' maybe chmod 0644 'logrotate.d/uwsgi' maybe chmod 0644 'logrotate.d/wtmp' maybe chmod 0755 'logwatch' @@ -1192,6 +1199,7 @@ maybe chmod 0644 'skel/.bashrc' maybe chmod 0644 'skel/.bashrc.orig' maybe chmod 0644 'skel/.cloud-locale-test.skip' maybe chmod 0644 'skel/.profile' +maybe chmod 0644 'smi.conf' maybe chmod 0755 'spamassassin' maybe chmod 0644 'spamassassin/65_debian.cf' maybe chmod 0644 'spamassassin/init.pre' @@ -1288,6 +1296,7 @@ maybe chmod 0644 'ufw/applications.d/dovecot-pop3d' maybe chmod 0644 'ufw/applications.d/nginx' maybe chmod 0644 'ufw/applications.d/openssh-server' maybe chmod 0644 'ufw/applications.d/postfix' +maybe chmod 0600 'ulogd.conf' maybe chmod 0755 'update-motd.d' maybe chmod 0755 'update-motd.d/10-uname' maybe chmod 0644 'updatedb.conf' @@ -1301,6 +1310,8 @@ maybe chmod 0644 'vim/vimrc' maybe chmod 0644 'vim/vimrc.local' maybe chmod 0644 'vim/vimrc.tiny' maybe chmod 0644 'wgetrc' +maybe chmod 0755 'wireshark' +maybe chmod 0644 'wireshark/init.lua' maybe chmod 0644 'xattr.conf' maybe chmod 0755 'xdg' maybe chmod 0755 'xdg/systemd' diff --git a/apparmor.d/local/usr.sbin.tcpdump b/apparmor.d/local/usr.sbin.tcpdump new file mode 100644 index 0000000..e69de29 diff --git a/apparmor.d/usr.sbin.tcpdump b/apparmor.d/usr.sbin.tcpdump new file mode 100644 index 0000000..7a7da4f --- /dev/null +++ b/apparmor.d/usr.sbin.tcpdump 
@@ -0,0 +1,63 @@
+# vim:syntax=apparmor
+#include
+
+/usr/sbin/tcpdump {
+ #include
+ #include
+ #include
+
+ capability net_raw,
+ capability setuid,
+ capability setgid,
+ capability dac_override,
+ network raw,
+ network packet,
+
+ # for -D
+ @{PROC}/bus/usb/ r,
+ @{PROC}/bus/usb/** r,
+
+ # for finding an interface
+ @{PROC}/[0-9]*/net/dev r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/net/ r,
+ /sys/devices/**/net/* r,
+
+ # for -j
+ capability net_admin,
+
+ # for tracing USB bus, which libpcap supports
+ /dev/usbmon* r,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+
+ # for init_etherarray(), with -e
+ /etc/ethers r,
+
+ # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
+ /dev/bus/usb/**/[0-9]* w,
+
+ # for -z
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
+
+ # for -F and -w
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ owner @{HOME}/ r,
+ owner @{HOME}/** rw,
+
+ # for -r, -F and -w
+ /**.[pP][cC][aA][pP] rw,
+
+ # for convenience with -r (ie, read pcap files from other sources)
+ /var/log/snort/*log* r,
+
+ /usr/sbin/tcpdump mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include
+}
diff --git a/group b/group
index 8a4ad65..d25de8c 100644
--- a/group
+++ b/group
@@ -66,3 +66,4 @@ mlmmj:x:2003:
 iredadmin:x:2001:
 iredapd:x:2002:
 netdata:x:2004:
+ulog:x:124:
diff --git a/group- b/group-
index 25433ec..8a4ad65 100644
--- a/group-
+++ b/group-
@@ -10,7 +10,7 @@ mail:x:8:frank
 news:x:9:
 uucp:x:10:
 man:x:12:frank
-proxy:x:13:
+proxy:x:13:netdata
 kmem:x:15:
 dialout:x:20:
 fax:x:21:
diff --git a/gshadow b/gshadow
index e5ce203..0c74206 100644
--- a/gshadow
+++ b/gshadow
@@ -66,3 +66,4 @@ mlmmj:!::
 iredadmin:!::
 iredapd:!::
 netdata:!::
+ulog:!::
diff --git a/gshadow- b/gshadow-
index d4c00ca..e5ce203 100644
--- a/gshadow-
+++ b/gshadow-
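Review bot: Every `#include` directive in this hunk shows no target in the patch as rendered (the one before `/usr/sbin/tcpdump {`, the three at the top of the profile body, and the one under "Site-specific additions and overrides"), which looks like the angle-bracketed names were dropped on the way to this page; an `#include` with no argument does not parse, so it is worth confirming the committed file still reads `#include <tunables/global>` at the top and `#include <local/usr.sbin.tcpdump>` at the bottom, the latter being what the empty `apparmor.d/local/usr.sbin.tcpdump` added in the previous file section is for. Site adjustments belong in that local file, not in this packaged profile. Note also that `/**.[pP][cC][aA][pP] rw,` together with `capability dac_override` permits a confined tcpdump to read and write any `.pcap`-suffixed path on the system, not only under `@{HOME}`, so the profile restricts what tcpdump may touch but does not confine where `-w` output lands.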
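Review bot: The new side of the `group-` hunk records `proxy:x:13:netdata`, i.e. the netdata account is a member of the `proxy` group, which has nothing to do with the ulogd2/tcpdump install named in the commit message; it surfaces here only because `group-` is the pre-change backup catching up with `group` (the same membership appears in the `gshadow-` hunk that follows). The live `group` file is not touched for `proxy` in this commit, so the membership presumably predates it; confirming it is intentional is worthwhile, since supplementary groups are an easy way for a monitoring daemon to quietly gain read access it does not need.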
@@ -10,7 +10,7 @@ mail:*::frank
 news:*::
 uucp:*::
 man:*::frank
-proxy:*::
+proxy:*::netdata
 kmem:*::
 dialout:*::
 fax:*::
diff --git a/init.d/ulogd2 b/init.d/ulogd2
new file mode 100755
index 0000000..2a759e3
--- /dev/null
+++ b/init.d/ulogd2
@@ -0,0 +1,131 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: ulogd2 ulogd
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Starts ulogd2
+# Description: Starts the netfilter userspace log daemon
+### END INIT INFO
+
+# Author: Chris Boot
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="netfilter userspace log daemon"
+NAME=ulogd
+DAEMON=/usr/sbin/$NAME
+DAEMON_USER=ulog
+PIDDIR=/run/ulog
+PIDFILE=$PIDDIR/$NAME.pid
+DAEMON_ARGS="--daemon --uid $DAEMON_USER --pidfile $PIDFILE"
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Make sure our /run directory exists
+ if [ ! 
-d $PIDDIR ]; then
+ mkdir $PIDDIR
+ chown $DAEMON_USER: $PIDDIR
+ fi
+
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON \
+ --test > /dev/null || return 1
+ start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS || return 2
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 \
+ --pidfile $PIDFILE --name $NAME
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ start-stop-daemon --stop --signal HUP --quiet --pidfile $PIDFILE \
+ --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ log_daemon_msg "Starting $DESC" "$NAME"
+ do_start; RET=$?
+ case $RET in
+ 0|1) log_end_msg 0; exit 0 ;;
+ *) log_end_msg 1; exit 1 ;;
+ esac
+ ;;
+ stop)
+ log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop; RET=$?
+ case $RET in
+ 0|1) log_end_msg 0; exit 0 ;;
+ *) log_end_msg 1; exit 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME"
+ ;;
+ reload|force-reload)
+ log_daemon_msg "Reloading $DESC" "$NAME"
+ do_reload; RET=$?
+ log_end_msg $RET
+ exit $RET
+ ;;
+ restart)
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop; RET=$?
+ case $RET in
+ 0|1)
+ do_start; RET=$?
+ case $RET in
+ 0) log_end_msg 0; exit 0 ;;
+ 1) log_end_msg 1; exit 1 ;; # Old process is still running
+ *) log_end_msg 1; exit 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1; exit 1
+ ;;
+ esac
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|reload|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
diff --git a/libnl-3/classid b/libnl-3/classid
new file mode 100644
index 0000000..2203243
--- /dev/null
+++ b/libnl-3/classid
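Review bot: `do_reload` ends with an unconditional `return 0`, so the `reload|force-reload` branch reports success via `log_end_msg $RET; exit $RET` even when `start-stop-daemon --stop --signal HUP` found no process to signal; the postrotate hook in `logrotate.d/ulogd2` calls `invoke-rc.d ulogd2 reload` on non-systemd hosts and would never learn the daemon was down when its log files were recreated. If a reload of a stopped daemon is meant to be a no-op, say so with a comment such as `# reload of a stopped daemon is deliberately not an error`; otherwise drop the `return 0` so start-stop-daemon's status propagates. Separately, `mkdir $PIDDIR` and `chown $DAEMON_USER: $PIDDIR` hand the pidfile directory to the unprivileged `ulog` user; `do_stop` and `do_reload` pass `--name $NAME` alongside `--pidfile`, which is what stops a rewritten pidfile from redirecting the root-issued signals to an unrelated pid, so that pairing should be kept if the script is edited later. Note the `if [ ! -d $PIDDIR ]` test is split across two physical lines in the rendered patch.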
@@ -0,0 +1,45 @@
+###############################################################################
+#
+# ClassID <-> Name Translation Table
+#
+# This file can be used to assign names to classids for easier reference
+# in all libnl tools.
+#
+# Format:
+# # qdisc definition
+# # class deifnition
+# # class definition referencing an
+# existing qdisc definition.
+#
+# Example:
+# 1: top # top -> 1:0
+# top:1 interactive # interactive -> 1:1
+# top:2 www # www -> 1:2
+# top:3 bulk # bulk -> 1:3
+# 2:1 test_class # test_class -> 2:1
+#
+# Illegal Example:
+# 30:1 classD
+# classD:2 invalidClass # classD refers to a class, not a qdisc
+#
+###############################################################################
+
+#
+
+# Reserved default classids
+0:0 none
+ffff:ffff root
+ffff:fff1 ingress
+
+#
+# List your classid definitions here:
+#
+
+
+
+###############################################################################
+# List of auto-generated classids
+#
+# DO NOT ADD CLASSID DEFINITIONS BELOW THIS LINE
+#
+#
diff --git a/libnl-3/pktloc b/libnl-3/pktloc
new file mode 100644
index 0000000..8559161
--- /dev/null
+++ b/libnl-3/pktloc
@@ -0,0 +1,76 @@
+#
+# Location definitions for packet matching
+#
+
+# name alignment offset mask shift
+ip.version u8 net+0 0xF0 4
+ip.hdrlen u8 net+0 0x0F
+ip.diffserv u8 net+1
+ip.length u16 net+2
+ip.id u16 net+4
+ip.flag.res u8 net+6 0xff 7
+ip.df u8 net+6 0x40 6
+ip.mf u8 net+6 0x20 5
+ip.offset u16 net+6 0x1FFF
+ip.ttl u8 net+8
+ip.proto u8 net+9
+ip.chksum u16 net+10
+ip.src u32 net+12
+ip.dst u32 net+16
+
+# if ip.ihl > 5
+ip.opts u32 net+20
+
+
+#
+# IP version 6
+#
+# name alignment offset mask shift
+ip6.version u8 net+0 0xF0 4
+ip6.tc u16 net+0 0xFF0 4
+ip6.flowlabel u32 net+0 0xFFFFF
+ip6.length u16 net+4
+ip6.nexthdr u8 net+6
+ip6.hoplimit u8 net+7
+ip6.src 16 net+8
+ip6.dst 16 net+24
+
+#
+# Transmission Control Protocol (TCP)
+#
+# name alignment offset mask shift
+tcp.sport u16 tcp+0
+tcp.dport u16 tcp+2
+tcp.seq u32 tcp+4
+tcp.ack u32 tcp+8
+
+# Data offset (4 bits)
+tcp.off u8 tcp+12 0xF0 4
+
+# Reserved [0 0 0] (3 bits)
+tcp.reserved u8 tcp+12 0x04 1
+
+# ECN [N C E] (3 bits)
+tcp.ecn u16 tcp+12 0x01C00 6
+
+# Individual TCP flags (0|1) (6 bits in total)
+tcp.flag.urg u8 tcp+13 0x20 5
+tcp.flag.ack u8 tcp+13 0x10 4
+tcp.flag.psh u8 tcp+13 0x08 3
+tcp.flag.rst u8 tcp+13 0x04 2
+tcp.flag.syn u8 tcp+13 0x02 1
+tcp.flag.fin u8 tcp+13 0x01
+
+tcp.win u16 tcp+14
+tcp.csum u16 tcp+16
+tcp.urg u16 tcp+18
+tcp.opts u32 tcp+20
+
+#
+# User Datagram Protocol (UDP)
+#
+# name alignment offset mask shift
+udp.sport u16 tcp+0
+udp.dport u16 tcp+2
+udp.length u16 tcp+4
+udp.csum u16 tcp+6
diff --git a/logrotate.d/ulogd2 b/logrotate.d/ulogd2
new file mode 100644
index 0000000..4d03ba9
--- /dev/null
+++ b/logrotate.d/ulogd2
@@ -0,0 +1,14 @@
+/var/log/ulog/*.log /var/log/ulog/*.pcap {
+ missingok
+ compress
+ delaycompress
+ sharedscripts
+ create 640 ulog adm
+ postrotate
+ if [ -d /run/systemd/system ] && command systemctl >/dev/null 2>&1 && systemctl is-active --quiet ulogd2.service; then
+ systemctl kill --kill-who main --signal=SIGHUP ulogd2.service
+ else
+ invoke-rc.d ulogd2 reload > /dev/null
+ fi
+ endscript
+}
diff --git a/passwd b/passwd
index 107f7e6..91a1b70 100644
--- a/passwd
+++ b/passwd
@@ -38,3 +38,4 @@ mlmmj:x:2003:2003::/var/vmail/mlmmj:/usr/sbin/nologin
 iredadmin:x:2001:2001::/home/iredadmin:/usr/sbin/nologin
 iredapd:x:2002:2002::/home/iredapd:/usr/sbin/nologin
 netdata:x:2004:2004::/home/netdata:/usr/sbin/nologin
+ulog:x:115:124::/var/log/ulog:/bin/false
diff --git a/passwd- b/passwd-
index 927e4c0..91a1b70 100644
--- a/passwd-
+++ b/passwd-
@@ -37,3 +37,5 @@ vmail:x:2000:2000::/home/vmail:/usr/sbin/nologin
 mlmmj:x:2003:2003::/var/vmail/mlmmj:/usr/sbin/nologin
 iredadmin:x:2001:2001::/home/iredadmin:/usr/sbin/nologin
 iredapd:x:2002:2002::/home/iredapd:/usr/sbin/nologin
+netdata:x:2004:2004::/home/netdata:/usr/sbin/nologin
+ulog:x:115:124::/var/log/ulog:/bin/false
diff --git a/rc0.d/K01ulogd2 b/rc0.d/K01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc0.d/K01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc1.d/K01ulogd2 b/rc1.d/K01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc1.d/K01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc2.d/S01ulogd2 b/rc2.d/S01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc2.d/S01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc3.d/S01ulogd2 b/rc3.d/S01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc3.d/S01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
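Review bot: The postrotate condition uses `command systemctl >/dev/null 2>&1` as an existence check, but `command NAME` runs NAME, so every rotation executes `systemctl` with no arguments (a full unit listing) just to find out whether it is installed; the presence test is `command -v systemctl >/dev/null 2>&1`. The rest of the condition, `[ -d /run/systemd/system ]` and `systemctl is-active --quiet ulogd2.service`, is sound. `create 640 ulog adm` keeps the recreated logs and pcaps out of world-readable mode, which matters because the active LOGEMU stack in `ulogd.conf` writes packet log lines into `/var/log/ulog/`.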
diff --git a/rc4.d/S01ulogd2 b/rc4.d/S01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc4.d/S01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc5.d/S01ulogd2 b/rc5.d/S01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc5.d/S01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/rc6.d/K01ulogd2 b/rc6.d/K01ulogd2
new file mode 120000
index 0000000..aac15cc
--- /dev/null
+++ b/rc6.d/K01ulogd2
@@ -0,0 +1 @@
+../init.d/ulogd2
\ No newline at end of file
diff --git a/shadow b/shadow
index 84b864c..f99089b 100644
--- a/shadow
+++ b/shadow
@@ -38,3 +38,4 @@ mlmmj:!:18725:0:99999:7:::
 iredadmin:!:18725:0:99999:7:::
 iredapd:!:18725:0:99999:7:::
 netdata:!:18725:0:99999:7:::
+ulog:*:18729:0:99999:7:::
diff --git a/shadow- b/shadow-
index e034360..f99089b 100644
--- a/shadow-
+++ b/shadow-
@@ -37,3 +37,5 @@ vmail:!:18725:0:99999:7:::
 mlmmj:!:18725:0:99999:7:::
 iredadmin:!:18725:0:99999:7:::
 iredapd:!:18725:0:99999:7:::
+netdata:!:18725:0:99999:7:::
+ulog:*:18729:0:99999:7:::
diff --git a/smi.conf b/smi.conf
new file mode 100644
index 0000000..744ec22
--- /dev/null
+++ b/smi.conf
@@ -0,0 +1,41 @@
+#
+# smi.conf - Global SMI configuration file.
+#
+# Copyright (c) 2000 Frank Strauss, Technical University of Braunschweig.
+#
+# See the file "COPYING" for information on usage and redistribution
+# of this file, and for a DISCLAIMER OF ALL WARRANTIES.
+#
+# See smi_config(3) for detailed information on configuration files.
+#
+# Debian version by Remco van de Meent
+# 20010612
+
+# Extend (note the semicolon) the libsmi default module search path.
+# (On Windows systems, use `;' instead of `:', and `\' instead of `/'.)
+
+path :/usr/share/snmp/mibs
+path :/usr/share/snmp/mibs/iana
+path :/usr/share/snmp/mibs/ietf
+path :/usr/share/snmp/mibs/site
+path :/var/lib/snmp/mibs/site
+path :/usr/share/mibs/site
+
+# Don't show any errors by default.
+level 0
+
+# Preload some basic SMIv2 modules.
+load SNMPv2-SMI
+load SNMPv2-TC
+load SNMPv2-CONF
+
+# Make smilint shout loud to report all errors and warnings.
+smilint: level 9
+
+# But please don't claim about any names longer than 32 chars.
+# (note: this is the prefix of errors `namelength-32-module,
+# -type, -object, -enumeration, and -bit)
+smilint: hide namelength-32
+
+# Preloading some more modules for special applications.
+# smiquery: load IF-MIB
diff --git a/systemd/system/multi-user.target.wants/ulogd2.service b/systemd/system/multi-user.target.wants/ulogd2.service
new file mode 120000
index 0000000..c2b8879
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/ulogd2.service
@@ -0,0 +1 @@
+/lib/systemd/system/ulogd2.service
\ No newline at end of file
diff --git a/systemd/system/ulogd.service b/systemd/system/ulogd.service
new file mode 120000
index 0000000..c2b8879
--- /dev/null
+++ b/systemd/system/ulogd.service
@@ -0,0 +1 @@
+/lib/systemd/system/ulogd2.service
\ No newline at end of file
diff --git a/ulogd.conf b/ulogd.conf
new file mode 100644
index 0000000..285cf9b
--- /dev/null
+++ b/ulogd.conf
@@ -0,0 +1,332 @@
+# Example configuration for ulogd
+# Adapted to Debian by Achilleas Kotsis
+
+[global]
+######################################################################
+# GLOBAL OPTIONS
+######################################################################
+
+
+# logfile for status messages
+logfile="syslog"
+
+# loglevel: debug(1), info(3), notice(5), error(7) or fatal(8) (default 5)
+loglevel=3
+
+######################################################################
+# PLUGIN OPTIONS
+######################################################################
+
+# We have to configure and load all the plugins we want to use
+
+# general rules:
+#
+# 0. don't specify any plugin for ulogd to load them all
+# 1. load the plugins _first_ from the global section
+# 2. options for each plugin in seperate section below
+
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_NFLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_ULOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inppkt_UNIXSOCK.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IFINDEX.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2STR.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2BIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_IP2HBIN.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTPKT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_HWHDR.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_PRINTFLOW.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_filter_MARK.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_LOGEMU.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SYSLOG.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_XML.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_SQLITE3.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GPRINT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_NACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PCAP.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_PGSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_MYSQL.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_DBI.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_raw2packet_BASE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_inpflow_NFACCT.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_GRAPHITE.so"
+#plugin="/usr/lib/x86_64-linux-gnu/ulogd/ulogd_output_JSON.so"
+
+# this is a stack for logging packet send by system via LOGEMU
+stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for ULOG packet-based logging via LOGEMU
+#stack=ulog1:ULOG,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via LOGEMU with filtering on MARK
+#stack=log2:NFLOG,base1:BASE,mark1:MARK,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
+
+# this is a stack for packet-based logging via GPRINT
+#stack=log1:NFLOG,gp1:GPRINT
+
+# this is a stack for flow-based logging via LOGEMU
+#stack=ct1:NFCT,ip2str1:IP2STR,print1:PRINTFLOW,emu1:LOGEMU
+
+# this is a stack for flow-based logging via GPRINT
+#stack=ct1:NFCT,gp1:GPRINT
+
+# this is a stack for flow-based logging via XML
+#stack=ct1:NFCT,xml1:XML
+
+# this is a stack for logging in XML
+#stack=log1:NFLOG,xml1:XML
+
+# this is a stack for accounting-based logging via XML
+#stack=acct1:NFACCT,xml1:XML
+
+# this is a stack for accounting-based logging to a Graphite server
+#stack=acct1:NFACCT,graphite1:GRAPHITE
+
+# this is a stack for NFLOG packet-based logging to PCAP
+#stack=log2:NFLOG,base1:BASE,pcap1:PCAP
+
+# this is a stack for logging packet to MySQL
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2bin1:IP2BIN,mac2str1:HWHDR,mysql1:MYSQL
+
+# this is a stack for logging packet to PGsql after a collect via NFLOG
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,pgsql1:PGSQL
+
+# this is a stack for logging packet to JSON formatted file after a collect via NFLOG
+#stack=log2:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,mac2str1:HWHDR,json1:JSON
+
+# this is a stack for logging packets to syslog after a collect via NFLOG
+#stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+
+# this is a stack for logging packets to syslog after a collect via NuFW
+#stack=nuauth1:UNIXSOCK,base1:BASE,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
+
+# this is a stack for flow-based logging to MySQL
+#stack=ct1:NFCT,ip2bin1:IP2BIN,mysql2:MYSQL
+
+# this is a stack for flow-based logging to PGSQL
+#stack=ct1:NFCT,ip2str1:IP2STR,pgsql2:PGSQL
+
+# this is a stack for flow-based logging to PGSQL without local hash
+#stack=ct1:NFCT,ip2str1:IP2STR,pgsql3:PGSQL
+
+# this is a stack for flow-based logging to SQLITE3
+#stack=ct1:NFCT,sqlite3_ct:SQLITE3
+
+# this is a stack for logging packet to SQLITE3
+#stack=log1:NFLOG,sqlite3_pkt:SQLITE3
+
+# this is a stack for flow-based logging in NACCT compatible format
+#stack=ct1:NFCT,ip2str1:IP2STR,nacct1:NACCT
+
+# this is a stack for accounting-based logging via GPRINT
+#stack=acct1:NFACCT,gp1:GPRINT
+
+[ct1]
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#netlink_resync_timeout=60 # seconds to wait to perform resynchronization
+#pollinterval=10 # use poll-based logging instead of event-driven
+# If pollinterval is not set, NFCT plugin will work in event mode
+# In this case, you can use the following filters on events:
+#accept_src_filter=192.168.1.0/24,1:2::/64 # source ip of connection must belong to these networks
+#accept_dst_filter=192.168.1.0/24 # destination ip of connection must belong to these networks
+#accept_proto_filter=tcp,sctp # layer 4 proto of connections
+
+[ct2]
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#reliable=1 # enable reliable flow-based logging (may drop packets)
+hash_enable=0
+
+# Logging of system packet through NFLOG
+[log1]
+# netlink multicast group (the same as the iptables --nflog-group param)
+# Group O is used by the kernel to log connection tracking invalid message
+group=0
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# set number of packet to queue inside kernel
+#netlink_qthreshold=1
+# set the delay before flushing packet in the queue inside kernel (in 10ms)
+#netlink_qtimeout=100
+
+# packet logging through NFLOG for group 1
+[log2]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=1 # Group has to be different from the one use in log1
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+# If your kernel is older than 2.6.29 and if a NFLOG input plugin with
+# group 0 is not used by any stack, you need to have at least one NFLOG
+# input plugin with bind set to 1. If you don't do that you may not
+# receive any message from the kernel.
+#bind=1
+
+# packet logging through NFLOG for group 2, numeric_label is
+# set to 1
+[log3]
+# netlink multicast group (the same as the iptables --nflog-group param)
+group=2 # Group has to be different from the one use in log1/log2
+numeric_label=1 # you can label the log info based on the packet verdict
+#netlink_socket_buffer_size=217088
+#netlink_socket_buffer_maxsize=1085440
+#bind=1
+
+[ulog1]
+# netlink multicast group (the same as the iptables --ulog-nlgroup param)
+nlgroup=1
+#numeric_label=0 # optional argument
+
+[nuauth1]
+socket_path="/tmp/nuauth_ulogd2.sock"
+
+[emu1]
+file="/var/log/ulog/syslogemu.log"
+sync=1
+
+[op1]
+file="/var/log/ulog/oprint.log"
+sync=1
+
+[gp1]
+file="/var/log/ulog/gprint.log"
+sync=1
+timestamp=1
+
+[xml1]
+directory="/var/log/ulog/"
+sync=1
+
+[json1]
+sync=1
+#file="/var/log/ulog/ulogd.json"
+#timestamp=0
+# device name to be used in JSON message
+#device="My awesome Netfilter firewall"
+# If boolean_label is set to 1 then the numeric_label put on packet
+# by the input plugin is coding the action on packet: if 0, then
+# packet has been blocked and if non null it has been accepted.
+#boolean_label=1
+# Uncomment the following line to use JSON v1 event format that
+# can provide better compatility with some JSON file reader.
+#eventv1=1
+
+[pcap1]
+#default file is /var/log/ulogd.pcap
+#file="/var/log/ulog/ulogd.pcap"
+sync=1
+
+[mysql1]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog"
+pass="changeme"
+procedure="INSERT_PACKET_FULL"
+# backlog configuration:
+# set backlog_memcap to the size of memory that will be
+# allocated to store events in memory if data is temporary down
+# and insert them when the database came back.
+#backlog_memcap=1000000
+# number of events to insert at once when backlog is not empty
+#backlog_oneshot_requests=10
+
+[mysql2]
+db="nulog"
+host="localhost"
+user="nupik"
+table="conntrack"
+pass="changeme"
+procedure="INSERT_CT"
+
+[pgsql1]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog"
+#schema="public"
+pass="changeme"
+procedure="INSERT_PACKET_FULL"
+# connstring can be used to define PostgreSQL connection string which
+# contains all parameters of the connection. If set, this value has
+# precedence on other variables used to build the connection string.
+# See http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING
+# for a complete description of options.
+#connstring="host=localhost port=4321 dbname=nulog user=nupik password=changeme"
+#backlog_memcap=1000000
+#backlog_oneshot_requests=10
+# If superior to 1 a thread dedicated to SQL request execution
+# is created. The value stores the number of SQL request to keep
+# in the ring buffer
+#ring_buffer_size=1000
+
+[pgsql2]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog2_ct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_CT"
+
+[pgsql3]
+db="nulog"
+host="localhost"
+user="nupik"
+table="ulog2_ct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_OR_REPLACE_CT"
+
+[pgsql4]
+db="nulog"
+host="localhost"
+user="nupik"
+table="nfacct"
+#schema="public"
+pass="changeme"
+procedure="INSERT_NFACCT"
+
+[dbi1]
+db="ulog2"
+dbtype="pgsql"
+host="localhost"
+user="ulog2"
+table="ulog"
+pass="ulog2"
+procedure="INSERT_PACKET_FULL"
+
+[sqlite3_ct]
+table="ulog_ct"
+db="/var/log/ulog/ulogd.sqlite3db"
+
+[sqlite3_pkt]
+table="ulog_pkt"
+db="/var/log/ulog/ulogd.sqlite3db"
+
+[sys2]
+facility=LOG_LOCAL2
+
+[nacct1]
+sync = 1
+#file = /var/log/ulog/nacct.log
+
+[mark1]
+mark = 1
+
+[acct1]
+pollinterval = 2
+# If set to 0, we don't reset the counters for each polling (default is 1).
+#zerocounter = 0
+# Set timestamp (default is 0, which means not set). 
This timestamp can be
+# interpreted by the output plugin.
+#timestamp = 1
+
+[graphite1]
+host="127.0.0.1"
+port="2003"
+# Prefix of data name sent to graphite server
+prefix="netfilter.nfacct"
diff --git a/wireshark/init.lua b/wireshark/init.lua
new file mode 100644
index 0000000..91c0d10
--- /dev/null
+++ b/wireshark/init.lua
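Review bot: The database output sections (`[mysql1]`, `[mysql2]`, `[pgsql1]` through `[pgsql4]`, `[dbi1]`) are committed with the example credentials `user="nupik"`, `pass="changeme"` and `pass="ulog2"`; they are inert today because the only uncommented `stack=` line is the NFLOG to LOGEMU chain (`log1` ... `emu1`), and the `.etckeeper` hunk records `maybe chmod 0600 'ulogd.conf'`, but whoever later uncomments a SQL or DBI stack goes live with those values. A comment above the first such section would make that explicit, e.g. `# placeholder credentials from the Debian example; replace before enabling any SQL/DBI stack`. `[nuauth1]` is likewise unused (the UNIXSOCK stack is commented out) but its `socket_path="/tmp/nuauth_ulogd2.sock"` points into a world-writable directory, so it should move out of `/tmp` if that stack is ever enabled. The "seperate" and "compatility" typos are inherited from the packaged example and are not worth diverging from upstream for.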
@@ -0,0 +1,703 @@
+-- init.lua
+--
+-- initialize wireshark's lua
+--
+-- This file is going to be executed before any other lua script.
+-- It can be used to load libraries, disable functions and more.
+--
+-- Wireshark - Network traffic analyzer
+-- By Gerald Combs
+-- Copyright 1998 Gerald Combs
+--
+-- SPDX-License-Identifier: GPL-2.0-or-later
+
+-- Set disable_lua to true to disable Lua support.
+disable_lua = false
+
+if disable_lua then
+ return
+end
+
+-- If set and we are running with special privileges this setting
+-- tells whether scripts other than this one are to be run.
+run_user_scripts_when_superuser = false
+
+
+-- disable potentialy harmful lua functions when running superuser
+if running_superuser then
+ local hint = "has been disabled due to running Wireshark as superuser. See https://wiki.wireshark.org/CaptureSetup/CapturePrivileges for help in running Wireshark as an unprivileged user."
+ local disabled_lib = {}
+ setmetatable(disabled_lib,{ __index = function() error("this package ".. hint) end } );
+
+ dofile = function() error("dofile " .. hint) end
+ loadfile = function() error("loadfile " .. hint) end
+ loadlib = function() error("loadlib " .. hint) end
+ require = function() error("require " .. hint) end
+ os = disabled_lib
+ io = disabled_lib
+ file = disabled_lib
+end
+
+-- to avoid output to stdout which can cause problems lua's print ()
+-- has been suppresed so that it yields an error.
+-- have print() call info() instead.
+if gui_enabled() then
+ print = info
+end
+
+function typeof(obj)
+ local mt = getmetatable(obj)
+ return mt and mt.__typeof or obj.__typeof or type(obj)
+end
+
+-- the following function checks if a file exists
+-- since 1.11.3
+function file_exists(name)
+ local f = io.open(name,"r")
+ if f ~= nil then io.close(f) return true else return false end
+end
+
+-- the following function prepends the given directory name to
+-- the package.path, so that a 'require "foo"' will work if 'foo'
+-- is in the directory name given to this function. For example,
+-- if your Lua file will do a 'require "foo"' and the foo.lua
+-- file is in a local directory (local to your script) named 'bar',
+-- then call this function before doing your 'require', by doing
+-- package.prepend_path("bar")
+-- and that will let Wireshark's Lua find the file "bar/foo.lua"
+-- when you later do 'require "foo"'
+--
+-- Because this function resides here in init.lua, it does not
+-- have the same environment as your script, so it has to get it
+-- using the debug library, which is why the code appears so
+-- cumbersome.
+--
+-- since 1.11.3
+function package.prepend_path(name)
+ local debug = require "debug"
+ -- get the function calling this package.prepend_path function
+ local dt = debug.getinfo(2, "f")
+ if not dt then
+ error("could not retrieve debug info table")
+ end
+ -- get its upvalue
+ local _, val = debug.getupvalue(dt.func, 1)
+ if not val or type(val) ~= 'table' then
+ error("No calling function upvalue or it is not a table")
+ end
+ -- get the __DIR__ field in its upvalue table
+ local dir = val["__DIR__"]
+ -- get the platform-specific directory separator character
+ local sep = package.config:sub(1,1)
+ -- prepend the dir and given name to path
+ if dir and dir:len() > 0 then
+ package.path = dir .. sep .. name .. sep .. "?.lua;" .. package.path
+ end
+ -- also prepend just the name as a directory
+ package.path = name .. sep .. "?.lua;" ..
package.path +end + +-- Wiretap encapsulations XXX +wtap_encaps = { + ["PER_PACKET"] = -1, + ["UNKNOWN"] = 0, + ["ETHERNET"] = 1, + ["TOKEN_RING"] = 2, + ["SLIP"] = 3, + ["PPP"] = 4, + ["FDDI"] = 5, + ["FDDI_BITSWAPPED"] = 6, + ["RAW_IP"] = 7, + ["ARCNET"] = 8, + ["ARCNET_LINUX"] = 9, + ["ATM_RFC1483"] = 10, + ["LINUX_ATM_CLIP"] = 11, + ["LAPB"] = 12, + ["ATM_PDUS"] = 13, + ["ATM_PDUS_UNTRUNCATED"] = 14, + ["NULL"] = 15, + ["ASCEND"] = 16, + ["ISDN"] = 17, + ["IP_OVER_FC"] = 18, + ["PPP_WITH_PHDR"] = 19, + ["IEEE_802_11"] = 20, + ["IEEE_802_11_PRISM"] = 21, + ["IEEE_802_11_WITH_RADIO"] = 22, + ["IEEE_802_11_RADIOTAP"] = 23, + ["IEEE_802_11_AVS"] = 24, + ["SLL"] = 25, + ["FRELAY"] = 26, + ["FRELAY_WITH_PHDR"] = 27, + ["CHDLC"] = 28, + ["CISCO_IOS"] = 29, + ["LOCALTALK"] = 30, + ["OLD_PFLOG"] = 31, + ["HHDLC"] = 32, + ["DOCSIS"] = 33, + ["COSINE"] = 34, + ["WFLEET_HDLC"] = 35, + ["SDLC"] = 36, + ["TZSP"] = 37, + ["ENC"] = 38, + ["PFLOG"] = 39, + ["CHDLC_WITH_PHDR"] = 40, + ["BLUETOOTH_H4"] = 41, + ["MTP2"] = 42, + ["MTP3"] = 43, + ["IRDA"] = 44, + ["USER0"] = 45, + ["USER1"] = 46, + ["USER2"] = 47, + ["USER3"] = 48, + ["USER4"] = 49, + ["USER5"] = 50, + ["USER6"] = 51, + ["USER7"] = 52, + ["USER8"] = 53, + ["USER9"] = 54, + ["USER10"] = 55, + ["USER11"] = 56, + ["USER12"] = 57, + ["USER13"] = 58, + ["USER14"] = 59, + ["USER15"] = 60, + ["SYMANTEC"] = 61, + ["APPLE_IP_OVER_IEEE1394"] = 62, + ["BACNET_MS_TP"] = 63, + ["NETTL_RAW_ICMP"] = 64, + ["NETTL_RAW_ICMPV6"] = 65, + ["GPRS_LLC"] = 66, + ["JUNIPER_ATM1"] = 67, + ["JUNIPER_ATM2"] = 68, + ["REDBACK"] = 69, + ["NETTL_RAW_IP"] = 70, + ["NETTL_ETHERNET"] = 71, + ["NETTL_TOKEN_RING"] = 72, + ["NETTL_FDDI"] = 73, + ["NETTL_UNKNOWN"] = 74, + ["MTP2_WITH_PHDR"] = 75, + ["JUNIPER_PPPOE"] = 76, + ["GCOM_TIE1"] = 77, + ["GCOM_SERIAL"] = 78, + ["NETTL_X25"] = 79, + ["K12"] = 80, + ["JUNIPER_MLPPP"] = 81, + ["JUNIPER_MLFR"] = 82, + ["JUNIPER_ETHER"] = 83, + ["JUNIPER_PPP"] = 84, + ["JUNIPER_FRELAY"] = 85, + ["JUNIPER_CHDLC"] = 
86, + ["JUNIPER_GGSN"] = 87, + ["LINUX_LAPD"] = 88, + ["CATAPULT_DCT2000"] = 89, + ["BER"] = 90, + ["JUNIPER_VP"] = 91, + ["USB_FREEBSD"] = 92, + ["IEEE802_16_MAC_CPS"] = 93, + ["NETTL_RAW_TELNET"] = 94, + ["USB_LINUX"] = 95, + ["MPEG"] = 96, + ["PPI"] = 97, + ["ERF"] = 98, + ["BLUETOOTH_H4_WITH_PHDR"] = 99, + ["SITA"] = 100, + ["SCCP"] = 101, + ["BLUETOOTH_HCI"] = 102, + ["IPMB"] = 103, + ["IEEE802_15_4"] = 104, + ["X2E_XORAYA"] = 105, + ["FLEXRAY"] = 106, + ["LIN"] = 107, + ["MOST"] = 108, + ["CAN20B"] = 109, + ["LAYER1_EVENT"] = 110, + ["X2E_SERIAL"] = 111, + ["I2C"] = 112, + ["IEEE802_15_4_NONASK_PHY"] = 113, + ["TNEF"] = 114, + ["USB_LINUX_MMAPPED"] = 115, + ["GSM_UM"] = 116, + ["DPNSS"] = 117, + ["PACKETLOGGER"] = 118, + ["NSTRACE_1_0"] = 119, + ["NSTRACE_2_0"] = 120, + ["FIBRE_CHANNEL_FC2"] = 121, + ["FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS"] = 122, + ["JPEG_JFIF"] = 123, + ["IPNET"] = 124, + ["SOCKETCAN"] = 125, + ["IEEE_802_11_NETMON"] = 126, + ["IEEE802_15_4_NOFCS"] = 127, + ["RAW_IPFIX"] = 128, + ["RAW_IP4"] = 129, + ["RAW_IP6"] = 130, + ["LAPD"] = 131, + ["DVBCI"] = 132, + ["MUX27010"] = 133, + ["MIME"] = 134, + ["NETANALYZER"] = 135, + ["NETANALYZER_TRANSPARENT"] = 136, + ["IP_OVER_IB_SNOOP"] = 137, + ["MPEG_2_TS"] = 138, + ["PPP_ETHER"] = 139, + ["NFC_LLCP"] = 140, + ["NFLOG"] = 141, + ["V5_EF"] = 142, + ["BACNET_MS_TP_WITH_PHDR"] = 143, + ["IXVERIWAVE"] = 144, + ["SDH"] = 145, + ["DBUS"] = 146, + ["AX25_KISS"] = 147, + ["AX25"] = 148, + ["SCTP"] = 149, + ["INFINIBAND"] = 150, + ["JUNIPER_SVCS"] = 151, + ["USBPCAP"] = 152, + ["RTAC_SERIAL"] = 153, + ["BLUETOOTH_LE_LL"] = 154, + ["WIRESHARK_UPPER_PDU"] = 155, + ["STANAG_4607"] = 156, + ["STANAG_5066_D_PDU"] = 157, + ["NETLINK"] = 158, + ["BLUETOOTH_LINUX_MONITOR"] = 159, + ["BLUETOOTH_BREDR_BB"] = 160, + ["BLUETOOTH_LE_LL_WITH_PHDR"] = 161, + ["NSTRACE_3_0"] = 162, + ["LOGCAT"] = 163, + ["LOGCAT_BRIEF"] = 164, + ["LOGCAT_PROCESS"] = 165, + ["LOGCAT_TAG"] = 166, + ["LOGCAT_THREAD"] = 167, + ["LOGCAT_TIME"] 
= 168, + ["LOGCAT_THREADTIME"] = 169, + ["LOGCAT_LONG"] = 170, + ["PKTAP"] = 171, + ["EPON"] = 172, + ["IPMI_TRACE"] = 173, + ["LOOP"] = 174, + ["JSON"] = 175, + ["NSTRACE_3_5"] = 176, + ["ISO14443"] = 177, + ["GFP_T"] = 178, + ["GFP_F"] = 179, + ["IP_OVER_IB_PCAP"] = 180, + ["JUNIPER_VN"] = 181, + ["USB_DARWIN"] = 182, + ["LORATAP"] = 183, + ["3MB_ETHERNET"] = 184, + ["VSOCK"] = 185, + ["NORDIC_BLE"] = 186, + ["NETMON_NET_NETEVENT"] = 187, + ["NETMON_HEADER"] = 188, + ["NETMON_NET_FILTER"] = 189, + ["NETMON_NETWORK_INFO_EX"] = 190, + ["MA_WFP_CAPTURE_V4"] = 191, + ["MA_WFP_CAPTURE_V6"] = 192, + ["MA_WFP_CAPTURE_2V4"] = 193, + ["MA_WFP_CAPTURE_2V6"] = 194, + ["MA_WFP_CAPTURE_AUTH_V4"] = 195, + ["MA_WFP_CAPTURE_AUTH_V6"] = 196, + ["JUNIPER_ST"] = 197, + ["ETHERNET_MPACKET"] = 198, + ["DOCSIS31_XRA31"] = 199 +} +wtap = wtap_encaps -- for bw compatibility + + +-- Wiretap file types +wtap_filetypes = { + ["UNKNOWN"] = 0, + ["PCAP"] = 1, + ["PCAPNG"] = 2, + ["PCAP_NSEC"] = 3, + ["PCAP_AIX"] = 4, + ["PCAP_SS991029"] = 5, + ["PCAP_NOKIA"] = 6, + ["PCAP_SS990417"] = 7, + ["PCAP_SS990915"] = 8, + ["5VIEWS"] = 9, + ["IPTRACE_1_0"] = 10, + ["IPTRACE_2_0"] = 11, + ["BER"] = 12, + ["HCIDUMP"] = 13, + ["CATAPULT_DCT2000"] = 14, + ["NETXRAY_OLD"] = 15, + ["NETXRAY_1_0"] = 16, + ["COSINE"] = 17, + ["CSIDS"] = 18, + ["DBS_ETHERWATCH"] = 19, + ["ERF"] = 20, + ["EYESDN"] = 21, + ["NETTL"] = 22, + ["ISERIES"] = 23, + ["ISERIES_UNICODE"] = 24, + ["I4BTRACE"] = 25, + ["ASCEND"] = 26, + ["NGSNIFFER_UNCOMPRESSED"] = 29, + ["NGSNIFFER_COMPRESSED"] = 30, + ["NETXRAY_1_1"] = 31, + ["NETWORK_INSTRUMENTS"] = 33, + ["LANALYZER"] = 34, + ["PPPDUMP"] = 35, + ["RADCOM"] = 36, + ["SNOOP"] = 37, + ["SHOMITI"] = 38, + ["VMS"] = 39, + ["K12"] = 40, + ["TOSHIBA"] = 41, + ["VISUAL_NETWORKS"] = 42, + ["PEEKCLASSIC_V56"] = 43, + ["PEEKCLASSIC_V7"] = 44, + ["PEEKTAGGED"] = 45, + ["MPEG"] = 46, + ["K12TEXT"] = 47, + ["NETSCREEN"] = 48, + ["COMMVIEW"] = 49, + ["BTSNOOP"] = 50, + ["TNEF"] = 51, + 
["DCT3TRACE"] = 52, + ["PACKETLOGGER"] = 53, + ["DAINTREE_SNA"] = 54, + ["NETSCALER_1_0"] = 55, + ["NETSCALER_2_0"] = 56, + ["JPEG_JFIF"] = 57, + ["IPFIX"] = 58, + ["MIME"] = 59, + ["AETHRA"] = 60, + ["MPEG_2_TS"] = 61, + ["VWR_80211"] = 62, + ["VWR_ETH"] = 63, + ["CAMINS"] = 64, + ["STANAG_4607"] = 65, + ["NETSCALER_3_0"] = 66, + ["LOGCAT"] = 67, + ["LOGCAT_BRIEF"] = 68, + ["LOGCAT_PROCESS"] = 69, + ["LOGCAT_TAG"] = 70, + ["LOGCAT_THREAD"] = 71, + ["LOGCAT_TIME"] = 72, + ["LOGCAT_THREADTIME"] = 73, + ["LOGCAT_LONG"] = 74, + ["COLASOFT_CAPSA"] = 75, + ["COLASOFT_PACKET_BUILDER"] = 76, + ["JSON"] = 77, + ["NETSCALER_3_5"] = 78, + ["NETTRACE_3GPP_32_423"] = 79, + ["MPLOG"] = 80, + ["TSPREC_SEC"] = 0, + ["TSPREC_DSEC"] = 1, + ["TSPREC_CSEC"] = 2, + ["TSPREC_MSEC"] = 3, + ["TSPREC_USEC"] = 6, + ["TSPREC_NSEC"] = 9 +} + + +-- Wiretap timestamp precision types +wtap_tsprecs = { + ["SEC"] = 0, + ["DSEC"] = 1, + ["CSEC"] = 2, + ["MSEC"] = 3, + ["USEC"] = 6, + ["NSEC"] = 9 +} + + +-- Wiretap file comment types +wtap_comments = { + ["PER_SECTION"] = 0x00000001, + ["PER_INTERFACE"] = 0x00000002, + ["PER_PACKET"] = 0x00000004 +} + + +-- Field Types +ftypes = { + ["NONE"] = 0, + ["PROTOCOL"] = 1, + ["BOOLEAN"] = 2, + ["CHAR"] = 3, + ["UINT8"] = 4, + ["UINT16"] = 5, + ["UINT24"] = 6, + ["UINT32"] = 7, + ["UINT40"] = 8, + ["UINT48"] = 9, + ["UINT56"] = 10, + ["UINT64"] = 11, + ["INT8"] = 12, + ["INT16"] = 13, + ["INT24"] = 14, + ["INT32"] = 15, + ["INT40"] = 16, + ["INT48"] = 17, + ["INT56"] = 18, + ["INT64"] = 19, + ["IEEE_11073_SFLOAT"] = 20, + ["IEEE_11073_FLOAT"] = 21, + ["FLOAT"] = 22, + ["DOUBLE"] = 23, + ["ABSOLUTE_TIME"] = 24, + ["RELATIVE_TIME"] = 25, + ["STRING"] = 26, + ["STRINGZ"] = 27, + ["UINT_STRING"] = 28, + ["ETHER"] = 29, + ["BYTES"] = 30, + ["UINT_BYTES"] = 31, + ["IPv4"] = 32, + ["IPv6"] = 33, + ["IPXNET"] = 34, + ["FRAMENUM"] = 35, + ["PCRE"] = 36, + ["GUID"] = 37, + ["OID"] = 38, + ["EUI64"] = 39, + ["AX25"] = 40, + ["VINES"] = 41, + ["REL_OID"] = 42, + 
["SYSTEM_ID"] = 43, + ["STRINGZPAD"] = 44, + ["FCWWN"] = 45 +} + + +-- the following table is since 2.0 +-- Field Type FRAMENUM Types +frametype = { + ["NONE"] = 0, + ["REQUEST"] = 1, + ["RESPONSE"] = 2, + ["ACK"] = 3, + ["DUP_ACK"] = 4, + ["RETRANS_PREV"] = 5, + ["RETRANS_NEXT"] = 6 +} + + +-- the following table is since 1.12 +-- Wiretap record_types +wtap_rec_types = { + ["PACKET"] = 0, -- packet + ["FT_SPECIFIC_EVENT"] = 1, -- file-type-specific event + ["FT_SPECIFIC_REPORT"] = 2, -- file-type-specific report + ["SYSCALL"] = 3, -- system call +} + + +-- the following table is since 1.11.3 +-- Wiretap presence flags +wtap_presence_flags = { + ["TS"] = 1, -- time stamp + ["CAP_LEN"] = 2, -- captured length separate from on-the-network length + ["INTERFACE_ID"] = 4, -- interface ID + ["COMMENTS"] = 8, -- comments + ["DROP_COUNT"] = 16, -- drop count + ["PACK_FLAGS"] = 32, -- packet flags +} + + +-- Display Bases +base = { + ["NONE"] = 0, -- none + ["DEC"] = 1, -- decimal + ["HEX"] = 2, -- hexadecimal + ["OCT"] = 3, -- octal + ["DEC_HEX"] = 4, -- decimal (hexadecimal) + ["HEX_DEC"] = 5, -- hexadecimal (decimal) + ["CUSTOM"] = 6, -- call custom routine (in ->strings) to format + ["ASCII"] = 0, -- shows non-printable ASCII characters as C-style escapes + ["UNICODE"] = 7, -- shows non-printable UNICODE characters as \\uXXXX (XXX for now non-printable characters display depends on UI) + ["DOT"] = 8, -- hexadecimal bytes with a period (.) 
between each byte + ["DASH"] = 9, -- hexadecimal bytes with a dash (-) between each byte + ["COLON"] = 10, -- hexadecimal bytes with a colon (:) between each byte + ["SPACE"] = 11, -- hexadecimal bytes with a space between each byte + ["NETMASK"] = 12, -- Used for IPv4 address that shouldn't be resolved (like for netmasks) + ["PT_UDP"] = 13, -- UDP port + ["PT_TCP"] = 14, -- TCP port + ["PT_DCCP"] = 15, -- DCCP port + ["PT_SCTP"] = 16, -- SCTP port + ["OUI"] = 17, -- OUI resolution + ["UNIT_STRING"] = 4096, -- Add unit text to the field value + ["LOCAL"] = 1000, -- local time in our time zone, with month and day + ["UTC"] = 1001, -- UTC, with month and day + ["DOY_UTC"] = 1002, -- UTC, with 1-origin day-of-year +} + + +-- Encodings +ENC_BIG_ENDIAN = 0 +ENC_LITTLE_ENDIAN = 2147483648 +ENC_TIME_TIMESPEC = 0 +ENC_TIME_NTP = 2 +ENC_TIME_TOD = 4 +ENC_TIME_RTPS = 8 +ENC_TIME_NTP_BASE_ZERO = 14 +ENC_TIME_TIMEVAL = 16 +ENC_TIME_SECS = 18 +ENC_TIME_MSECS = 20 +ENC_TIME_SECS_NTP = 24 +ENC_TIME_RFC_3971 = 32 +ENC_TIME_MSEC_NTP = 34 +ENC_CHARENCODING_MASK = 2147483646 +ENC_ASCII = 0 +ENC_UTF_8 = 2 +ENC_UTF_16 = 4 +ENC_UCS_2 = 6 +ENC_UCS_4 = 8 +ENC_ISO_8859_1 = 10 +ENC_ISO_8859_2 = 12 +ENC_ISO_8859_3 = 14 +ENC_ISO_8859_4 = 16 +ENC_ISO_8859_5 = 18 +ENC_ISO_8859_6 = 20 +ENC_ISO_8859_7 = 22 +ENC_ISO_8859_8 = 24 +ENC_ISO_8859_9 = 26 +ENC_ISO_8859_10 = 28 +ENC_ISO_8859_11 = 30 +ENC_ISO_8859_13 = 34 +ENC_ISO_8859_14 = 36 +ENC_ISO_8859_15 = 38 +ENC_ISO_8859_16 = 40 +ENC_WINDOWS_1250 = 42 +ENC_3GPP_TS_23_038_7BITS = 44 +ENC_EBCDIC = 46 +ENC_MAC_ROMAN = 48 +ENC_CP437 = 50 +ENC_ASCII_7BITS = 52 +ENC_T61 = 54 +ENC_EBCDIC_CP037 = 56 +ENC_ZIGBEE = 58 +ENC_NA = 0 +ENC_STR_NUM = 16777216 +ENC_STR_HEX = 33554432 +ENC_STRING = 50331648 +ENC_STR_MASK = 65534 +ENC_NUM_PREF = 2097152 +ENC_VARINT_PROTOBUF = 2 +ENC_VARINT_QUIC = 4 +ENC_SEP_NONE = 65536 +ENC_SEP_COLON = 131072 +ENC_SEP_DASH = 262144 +ENC_SEP_DOT = 524288 +ENC_SEP_SPACE = 1048576 +ENC_SEP_MASK = 2031616 +ENC_ISO_8601_DATE = 65536 
+ENC_ISO_8601_TIME = 131072
+ENC_ISO_8601_DATE_TIME = 196608
+ENC_RFC_822 = 262144
+ENC_RFC_1123 = 524288
+ENC_STR_TIME_MASK = 983040
+
+
+
+-- Expert flags and facilities (deprecated - see 'expert' table below)
+PI_SEVERITY_MASK = 15728640
+PI_COMMENT = 1048576
+PI_CHAT = 2097152
+PI_NOTE = 4194304
+PI_WARN = 6291456
+PI_ERROR = 8388608
+PI_GROUP_MASK = 4278190080
+PI_CHECKSUM = 16777216
+PI_SEQUENCE = 33554432
+PI_RESPONSE_CODE = 50331648
+PI_REQUEST_CODE = 67108864
+PI_UNDECODED = 83886080
+PI_REASSEMBLE = 100663296
+PI_MALFORMED = 117440512
+PI_DEBUG = 134217728
+PI_PROTOCOL = 150994944
+PI_SECURITY = 167772160
+PI_COMMENTS_GROUP = 184549376
+PI_DECRYPTION = 201326592
+PI_ASSUMPTION = 218103808
+PI_DEPRECATED = 234881024
+
+
+
+-- the following table is since 1.11.3
+-- Expert flags and facilities
+expert = {
+ -- Expert event groups
+ group = {
+ -- The protocol field has a bad checksum, usually uses PI_WARN severity
+ ["CHECKSUM"] = 16777216,
+ -- The protocol field indicates a sequence problem (e.g. TCP window is zero)
+ ["SEQUENCE"] = 33554432,
+ -- The protocol field indicates a bad application response code (e.g. HTTP 404), usually PI_NOTE severity
+ ["RESPONSE_CODE"] = 50331648,
+ -- The protocol field indicates an application request (e.g. File Handle == xxxx), usually PI_CHAT severity
+ ["REQUEST_CODE"] = 67108864,
+ -- The data is undecoded, the protocol dissection is incomplete here, usually PI_WARN severity
+ ["UNDECODED"] = 83886080,
+ -- The protocol field indicates a reassemble (e.g. DCE/RPC defragmentation), usually PI_CHAT severity (or PI_ERROR)
+ ["REASSEMBLE"] = 100663296,
+ -- The packet data is malformed, the dissector has "given up", usually PI_ERROR severity
+ ["MALFORMED"] = 117440512,
+ -- A generic debugging message (shouldn't remain in production code!), usually PI_ERROR severity
+ ["DEBUG"] = 134217728,
+ -- The protocol field violates a protocol specification, usually PI_WARN severity
+ ["PROTOCOL"] = 150994944,
+ -- The protocol field indicates a security problem (e.g. insecure implementation)
+ ["SECURITY"] = 167772160,
+ -- The protocol field indicates a packet comment
+ ["COMMENTS_GROUP"] = 184549376,
+ -- The protocol field indicates a decryption problem
+ ["DECRYPTION"] = 201326592,
+ -- The protocol field has incomplete data, decode based on assumed value
+ ["ASSUMPTION"] = 218103808,
+ -- The protocol field has been deprecated, usually PI_NOTE severity
+ ["DEPRECATED"] = 234881024,
+ },
+ -- Expert severity levels
+ severity = {
+ -- Packet comment
+ ["COMMENT"] = 1048576,
+ -- Usual workflow, e.g. TCP connection establishing
+ ["CHAT"] = 2097152,
+ -- Notable messages, e.g. an application returned an "unusual" error code like HTTP 404
+ ["NOTE"] = 4194304,
+ -- Warning, e.g. application returned an "unusual" error code
+ ["WARN"] = 6291456,
+ -- Serious problems, e.g. a malformed packet
+ ["ERROR"] = 8388608,
+ },
+}
+
+
+
+-- menu groups for register_menu
+MENU_ANALYZE_UNSORTED = 0
+MENU_ANALYZE_CONVERSATION = 1
+MENU_STAT_UNSORTED = 2
+MENU_STAT_GENERIC = 3
+MENU_STAT_CONVERSATION = 4
+MENU_STAT_ENDPOINT = 5
+MENU_STAT_RESPONSE = 6
+MENU_STAT_TELEPHONY = 7
+MENU_STAT_TELEPHONY_ANSI = 8
+MENU_STAT_TELEPHONY_GSM = 9
+MENU_STAT_TELEPHONY_LTE = 10
+MENU_STAT_TELEPHONY_MTP = 11
+MENU_STAT_TELEPHONY_SCTP = 12
+MENU_TOOLS_UNSORTED = 13
+
+
+-- other useful constants
+-- DATA_DIR and USER_DIR have a trailing directory separator.
+GUI_ENABLED = gui_enabled()
+DATA_DIR = Dir.global_config_path()..package.config:sub(1,1)
+USER_DIR = Dir.personal_config_path()..package.config:sub(1,1)
+
+-- deprecated function names
+datafile_path = Dir.global_config_path
+persconffile_path = Dir.personal_config_path
+
+
+if not running_superuser or run_user_scripts_when_superuser then
+ dofile(DATA_DIR.."console.lua")
+end
+--dofile(DATA_DIR.."dtd_gen.lua")
-- 2.39.5
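Review bot: The superuser lockdown in the `if running_superuser then` block replaces `dofile`, `loadfile`, `require` and the `os`/`io` tables but leaves `load` and `package.loadlib` untouched, and the `loadlib = function() error("loadlib " .. hint) end` line assigns a global that no Lua 5.1+ runtime reads (the loader lives at `package.loadlib`), so that override is a no-op. Adding `load = function() error("load " .. hint) end` and `package.loadlib = function() error("package.loadlib " .. hint) end` beside the existing overrides would make the lockdown cover the remaining code-loading entry points. The final `if not running_superuser or run_user_scripts_when_superuser then dofile(DATA_DIR.."console.lua") end` also calls `dofile` after it has been replaced, so setting `run_user_scripts_when_superuser = true` while privileged raises instead of loading console.lua; saving `local real_dofile = dofile` before the overrides and calling that at the end would be needed for the flag to work. This is the packaged Wireshark init.lua recorded by etckeeper, so the change belongs upstream or in a local override rather than in this commit.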