forked from tillmannw/honeytrap
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ChangeLog
141 lines (141 loc) · 6.71 KB
/
ChangeLog
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
Version 1.1.0
- Fixed a memory leak in the httpDownload plugin
- New xmatch plugin for automatic pattern-based decoding of XOR encoded data (requires libxmatch)
- Fix: Don't reset port mode to default, keep configured mode
- Fix: Default port mode 'ignore' was ignored (call it irony...)
- reworked build process to be gcc 4.3 compatible
- store download tries in attack record
- magicPE plugin for identifying PE files that are submitted as attack strings
- submitMWserv plugin for submissions to the mwcollect alliance
- support for periodic events (resolution: 1 second)
- 'bind_address' configuration option added for binding dynamic servers
to a specific IP address to make it possible to run several honeytrap
instances in parallel on a single machine
- Code cleanup: asprintf()
- Error handling for failed malloc()'s where it was missing
- Fix: Improper logging of IP address pairs
- Nebula submission plugin
- reworked NFQ stream monitor hooking to prevent unbinding errors
- hex2bin tool: Command line switch for byte order swapping added
- reworked emu plugin
Version 1.0.0
- Improved configure script
- New plugin: Basic http download wrapper
- VNC plugin redesigned to generate virtual attacks
- Safe signal delivery and handling using per-process pipes
- New configuration concept with hierarchically organized file format
- Default port configuration can be set to "ignore", "normal" or "mirror"
- New plugin: libclamav-based virus scanner module
- New plugin: Saving attack data in files is performed by a module now
- malloc(NULL) segfault bug in tftpDownload plugin fixed
- Try to download from the attacking host in case of failed ftp connect()s
- Improved connection request handling in the nfq stream monitor
- Reconfiguration on SIGHUP fixed
- Log addressed destination
Version 0.7.0
- Plugins can be prioritized
- x86 CPU emulation module for generic shellcode analysis
based on libemu by Markus and Paul (unstable)
- PostgreSQL module for commits into mwcollect database
- SHA512 hash support
- Performance improvements
- Improved connection request handling in the nfq stream monitor
- FTP download plugin is now source-based routing safe
- Changed autotools process to make module builts optional
Version 0.6.5
- Introduced an nfnetlink_queue-based connection monitor
- Some compile errors fixed
- Configure script changed to run on MacOS X
- Do not install htm_SpamSum by default
Version 0.6.4
- PoC plugin for locality sensitive hashing
- Clean solution for giving packet control back to the kernel
when using the ip_queue connection monitor
- Fixed a segfault in the bpf filter string assembling routine
- Failed mirror connections did not fall back to normal mode sometimes
due to wrong return value handling for a non-blocking connect(). Fixed.
- The dynamic server code was redesigned.
- UDP support added.
Version 0.6.3.1
- The FTP download plugin supports explicit binding of data connections
to ip addresses or hostnames to work on NAT'ed hosts
- Modes of operation are already determined in network stream monitors
to prevent gratuitous forking
- Listener processes now have a backlog queue of size 10
- BPF strings can include up to 2^32 characters instead of 2^8
- Some changes and cleanups make the code more readable
Version 0.6.3
- A 10 second timeout is used for mirror connection attempts to prevent
simultaneous timeouts after a blocking connect() returns
- md5 checksum calculation snprintf size parameter corrected
- Fixed a bug with config file lines with trailing blanks, thanks to Emre
- DESTDIR is used in Makefiles now, thanks to kanedaaa for the patch
- Plugin installation was wrong on non-Linux systems and is fixed now
- Attack connections are closed after a configurable byte limit
to prevent memory exhaustion - suggestion from kanedaaa
- Added a plugin to decode and process base64 encoded attacks
- Small pcap connection monitor changes
- Fixed a segfault for zero lenght attacks in the htm_vncDownload plugin
- Further small changes
Version 0.6.2
- Added a plugin for execution of HTTP downloads from VNC attacks via wget
- Connection monitor can be chosen from "configure" parameter
- Introduced an ip_queue based connection monitor
(idea from the nepenthes honeytrap module)
- Native OS dl implementations and libdl are both supported
- Should compile on Free/OpenBSD now, thanks to Stephen and Gary
- Network device handling is completely done with pcap functions
for the pcap connection monitor
- Trapping on device 'any' is now possible (if available)
- Added support for other link types than ethernet
- Logging of remote TCP port and IP address was faulty - fixed
- Changed bpf string to filter RST packets to be more portable
- Connections are closed before attack processor plugins are called
- Configuration file supports includes of other files
- Proxy mode introduced
- Connection handling mode can be configured per port
- Specific ports can be configured to ignore connection requests
- Some minor bugfixes
Version 0.6.1
- Temporarily removed BDB stuff, a plugin will be available soon
- Added plugin hooks 'unload_plugins' and 'process_attack'
- Moved attack save code into a plugin
- Moved ftp download code into a plugin
- Moved tftp download code into a plugin
- Establish mirror connection right after incoming SYN
- Reload configuration on SIGHUP
- Cleanup of TCP dynamic server code
- Some file descriptors are closed earlier
- Fixed bpf command line expression stuff
- Some man page changes
- Automake: shared libraries are only installed in plugin directory now
Version 0.6.0
- Support for configuration file added
- Added a plugin interface (still a lot of work to do)
- Mirrored connections are closed after a timeout
Version 0.5.1
- Fixed tftp bug - files bigger than 128k were corrupted during transfer
- Many minor cosmetic fixes
Version 0.5.0
- Mirror mode added - get answers from mirror connection to the client
- Partial rewrite of TCP server stuff
Version 0.4.2
- PID file will correctly be removed if startup fails
- Improved tftp routine
- Made ftp command string parser more sensitive
- Invalid IP addresses in download ressources are recognized and filtered
Version 0.4.1
- Retransmission of tftp packets after timeout occured
- Silly bug in tftp routine fixed - files may also be sent from server port != 69
- Workaround for communication with buggy ftp servers included
- Fixed minor bugs in ftp and tftp routines
- Improved download command parsing routine, it shouldn't fail anymore
- Attack string naming corrected
- Added logfile and pidfile support
- Switched to write() to improve logging performance
Version 0.4.0
- Auto download files via ftp using a fake Windows ftp dialogue
- Auto download files via tftp
- Improved signal handling to prevent zombie processes
- Get IP address for bpf string from interface
- Fixed error handling in db code