nepenthes-0.1.6, utility to determine the malware activity on a network

from rui reis

net/nepenthes/Makefile

@@ -0,0 +1,52 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2006/04/14 17:08:25 jolan Exp $
+SHARED_ONLY=	Yes
+
+COMMENT=	"determine the malware activity on a network"
+
+DISTNAME= 	nepenthes-0.1.6
+CATEGORIES=	net
+
+HOMEPAGE=	http://nepenthes.mwcollect.org/
+
+MAINTAINER=	Rui Reis <rui@rui.cx>
+
+# GPL
+PERMIT_PACKAGE_CDROM=	Yes
+PERMIT_PACKAGE_FTP=	Yes
+PERMIT_DISTFILES_CDROM=	Yes
+PERMIT_DISTFILES_FTP=	Yes
+
+MASTER_SITES=   ${MASTER_SITE_SOURCEFORGE:=nepenthes/}
+
+USE_LIBTOOL=	Yes
+LIBTOOL_FLAGS+=	--tag=disable-static
+
+LIB_DEPENDS=	adns.1::net/adns \
+	 	curl.3.3::net/curl \
+		GeoIP.4::net/GeoIP \
+		magic.1::devel/libmagic \
+		pcre.1::devel/pcre
+
+WANTLIB=	c crypto m ssl stdc++ z
+
+FAKE_FLAGS+=	localstatedir='/var/nepenthes' \
+		sysconfdir='${PREFIX}/share/examples'
+
+CONFIGURE_STYLE=gnu
+CONFIGURE_ENV+=	CPPFLAGS="-I${LOCALBASE}/include"
+CONFIGURE_ARGS+=--disable-geolocation-ip2location \
+		--disable-mysql \
+		--disable-postgre \
+		--enable-geolocation \
+		--localstatedir='/var/nepenthes' \
+		--with-curl-lib=${PREFIX}/lib
+
+pre-install:
+	@perl -pi -e 's:\"var:\"\/var\/nepenthes:g' \
+		${WRKBUILD}/conf/nepenthes.conf.dist
+	@perl -pi -e 's:\"etc:\"${SYSCONFDIR}:g' \
+		${WRKBUILD}/conf/nepenthes.conf.dist
+	@perl -pi -e 's:\"var\/log:\"\/var\/nepenthes\/log:g' \
+		${WRKBUILD}/modules/log-download/log-download.conf.dist
+
+.include <bsd.port.mk>

net/nepenthes/distinfo

@@ -0,0 +1,4 @@
+MD5 (nepenthes-0.1.6.tar.gz) = 317afd3dc86d57a22570632bdf839ef2
+RMD160 (nepenthes-0.1.6.tar.gz) = 61cd0ffae12750970c813d42732b10b645d83d3b
+SHA1 (nepenthes-0.1.6.tar.gz) = 847a37b220676c34e0b461e518bf3622c3a7fcc0
+SIZE (nepenthes-0.1.6.tar.gz) = 794938

net/nepenthes/patches/patch-Makefile_in

@@ -0,0 +1,16 @@
+$OpenBSD: patch-Makefile_in,v 1.1.1.1 2006/04/14 17:08:25 jolan Exp $
+--- Makefile.in.orig	Sun Jan 15 16:46:20 2006
++++ Makefile.in	Wed Apr  5 03:32:42 2006
+@@ -686,12 +686,6 @@ install-data-local:
+ 	$(mkinstalldirs) $(DESTDIR)$(mandir)
+ 	$(mkinstalldirs) $(DESTDIR)$(mandir)/man8
+ 	$(INSTALL_DATA) $(srcdir)/doc/nepenthes.8 $(DESTDIR)$(mandir)/man8/nepenthes.8;
+-	$(mkinstalldirs) $(DESTDIR)$(localstatedir)/cache
+-	$(mkinstalldirs) $(DESTDIR)$(localstatedir)/cache/nepenthes
+-	$(mkinstalldirs) $(DESTDIR)$(localstatedir)/cache/nepenthes/geolocation
+-	$(mkinstalldirs) $(DESTDIR)$(localstatedir)/log
+-	$(mkinstalldirs) $(DESTDIR)$(localstatedir)/binaries
+-	$(mkinstalldirs) $(DESTDIR)$(localstatedir)/hexdumps
+ # Tell versions [3.59,3.63) of GNU make to not export all variables.
+ # Otherwise a system limit (for SysV at least) may be exceeded.
+ .NOEXPORT:

net/nepenthes/patches/patch-modules_geolocation-geoip_geolocation-geoip_cpp

@@ -0,0 +1,10 @@
+--- modules/geolocation-geoip/geolocation-geoip.cpp.orig	Fri Mar 24 23:41:35 2006
++++ modules/geolocation-geoip/geolocation-geoip.cpp	Fri Mar 24 23:38:53 2006
+@@ -32,6 +32,7 @@
+ #ifdef HAVE_GEOLOCATION
+ 
+ #include <ctype.h>
++#include <sys/param.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>

net/nepenthes/patches/patch-modules_geolocation-hostip_GeoDialogue_cpp

@@ -0,0 +1,11 @@
+--- modules/geolocation-hostip/GeoDialogue.cpp.orig	Fri Mar 24 23:24:57 2006
++++ modules/geolocation-hostip/GeoDialogue.cpp	Fri Mar 24 23:23:47 2006
+@@ -32,7 +32,7 @@
+ #ifdef HAVE_GEOLOCATION
+ 
+ #include <ctype.h>
+-#include <ctype.h>
++#include <sys/param.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>

net/nepenthes/patches/patch-modules_geolocation-hostip_geolocation-hostip_cpp

@@ -0,0 +1,28 @@
+--- modules/geolocation-hostip/geolocation-hostip.cpp.orig	Fri Dec 16 09:15:14 2005
++++ modules/geolocation-hostip/geolocation-hostip.cpp	Wed Apr  5 03:16:56 2006
+@@ -32,6 +32,7 @@
+ #ifdef HAVE_GEOLOCATION
+ 
+ #include <ctype.h>
++#include <sys/param.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+@@ -213,7 +214,7 @@ void GeoLocationHostIp::downloadSuccess(
+ 
+ 	if (test[2].m_Value != NULL)
+ 	{
+-		len = strtof(test[2].m_Value,NULL);
++		len = (float)strtod(test[2].m_Value,NULL);
+ 	}else
+ 	{
+ 		len = 0.0;
+@@ -221,7 +222,7 @@ void GeoLocationHostIp::downloadSuccess(
+ 
+ 	if (test[3].m_Value != NULL)
+ 	{
+-		lat = strtof(test[3].m_Value,NULL);
++		lat = (float)strtod(test[3].m_Value,NULL);
+ 	}else
+ 	{
+ 		lat = 0.0;

net/nepenthes/patches/patch-modules_geolocation-ip2location_geolocation-ip2location_cpp

@@ -0,0 +1,10 @@
+--- modules/geolocation-ip2location/geolocation-ip2location.cpp.orig	Fri Mar 24 23:48:14 2006
++++ modules/geolocation-ip2location/geolocation-ip2location.cpp	Fri Mar 24 23:46:30 2006
+@@ -32,6 +32,7 @@
+ #ifdef HAVE_GEOLOCATION
+ 
+ #include <ctype.h>
++#include <sys/param.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>

net/nepenthes/patches/patch-modules_x-8_x-8_cpp

@@ -0,0 +1,11 @@
+--- modules/x-8/x-8.cpp.orig	Mon Oct 31 09:47:19 2005
++++ modules/x-8/x-8.cpp	Wed Apr  5 03:16:56 2006
+@@ -315,7 +315,7 @@ void X8Dialogue::locationSuccess(GeoLoca
+ 	reply += "\n";
+ 
+ 	reply += "\t Context: ";
+-	sprintf(ctx,"%x",(uint32_t)result->getObject());
++	sprintf(ctx,"%x",(uint32_t)((intptr_t)result->getObject()));
+ 	reply += ctx;
+ 	reply += "\n";
+ 

net/nepenthes/patches/patch-nepenthes-core_src_GeoLocationManager_cpp

@@ -0,0 +1,20 @@
+--- nepenthes-core/src/GeoLocationManager.cpp.orig	Mon Oct 31 09:47:28 2005
++++ nepenthes-core/src/GeoLocationManager.cpp	Wed Apr  5 03:16:56 2006
+@@ -31,7 +31,7 @@
+ 
+ #ifdef HAVE_GEOLOCATION
+ 
+-
++#include <sys/param.h>
+ #include <sys/socket.h>
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+@@ -371,7 +371,7 @@ bool GeoLocationManager::Init()
+  */
+ bool GeoLocationManager::Exit()
+ {
+-
++	return true;
+ }
+ 
+ 

net/nepenthes/pkg/DESCR

@@ -0,0 +1,16 @@
+Nepenthes can determine the malware activity on a network
+by deploying a nepenthes sensor (i.e. honeypot). The programm
+emulates different well known vulnerabilities waiting for
+malicious connections trying to exploit them.
+
+Packages can be built with additional FLAVORs:
+
+  geoip: In order to provide usefull information to visualize 
+the collected data, we have to resolve attacking ip 
+addresses to their location. 
+
+  mysql:  To setup a Nepenthes powerd google Map you need a 
+running and working xmlrpc server with mysql database. 
+
+  pgsql:  Dumps the Captured files to a postgresql database, 
+so you can track how many hits a file gets. 

net/nepenthes/pkg/PFRAG.shared

@@ -0,0 +1,54 @@
+@comment $OpenBSD: PFRAG.shared,v 1.1.1.1 2006/04/14 17:08:25 jolan Exp $
+lib/nepenthes/dnsresolveadns.so
+lib/nepenthes/downloadcreceive.so
+lib/nepenthes/downloadcsend.so
+lib/nepenthes/downloadcurl.so
+lib/nepenthes/downloadftp.so
+lib/nepenthes/downloadhttp.so
+lib/nepenthes/downloadlink.so
+lib/nepenthes/downloadnepenthes.so
+lib/nepenthes/downloadrcp.so
+lib/nepenthes/downloadtftp.so
+lib/nepenthes/geolocationgeoip.so
+lib/nepenthes/geolocationhostip.so
+lib/nepenthes/geolocationip2location.so
+lib/nepenthes/logdownload.so
+lib/nepenthes/logirc.so
+lib/nepenthes/logsurfnet.so
+lib/nepenthes/moduleportwatch.so
+lib/nepenthes/shellcodegeneric.so
+lib/nepenthes/shellemuwinnt.so
+lib/nepenthes/submitfile.so
+lib/nepenthes/submitnepenthes.so
+lib/nepenthes/submitnorman.so
+lib/nepenthes/submitxmlrpc.so
+lib/nepenthes/uploadhttp.so
+lib/nepenthes/vulnasn1.so
+lib/nepenthes/vulnbagle.so
+lib/nepenthes/vulndameware.so
+lib/nepenthes/vulndcom.so
+lib/nepenthes/vulniis.so
+lib/nepenthes/vulnkuang2.so
+lib/nepenthes/vulnlsass.so
+lib/nepenthes/vulnmsdtc.so
+lib/nepenthes/vulnmsmq.so
+lib/nepenthes/vulnmssql.so
+lib/nepenthes/vulnmydoom.so
+lib/nepenthes/vulnnetbiosname.so
+lib/nepenthes/vulnnetdde.so
+lib/nepenthes/vulnoptix.so
+lib/nepenthes/vulnpnp.so
+lib/nepenthes/vulnsasserftpd.so
+lib/nepenthes/vulnssh.so
+lib/nepenthes/vulnsub7.so
+lib/nepenthes/vulnupnp.so
+lib/nepenthes/vulnveritas.so
+lib/nepenthes/vulnwins.so
+lib/nepenthes/x1.so
+lib/nepenthes/x2.so
+lib/nepenthes/x3.so
+lib/nepenthes/x4.so
+lib/nepenthes/x5.so
+lib/nepenthes/x6.so
+lib/nepenthes/x7.so
+lib/nepenthes/x8.so

net/nepenthes/pkg/PLIST

@@ -0,0 +1,148 @@
+@comment $OpenBSD: PLIST,v 1.1.1.1 2006/04/14 17:08:25 jolan Exp $
+%%SHARED%%
+bin/nepenthes
+lib/nepenthes/
+lib/nepenthes/dnsresolveadns.la
+lib/nepenthes/downloadcreceive.la
+lib/nepenthes/downloadcsend.la
+lib/nepenthes/downloadcurl.la
+lib/nepenthes/downloadftp.la
+lib/nepenthes/downloadhttp.la
+lib/nepenthes/downloadlink.la
+lib/nepenthes/downloadnepenthes.la
+lib/nepenthes/downloadrcp.la
+lib/nepenthes/downloadtftp.la
+lib/nepenthes/geolocationgeoip.la
+lib/nepenthes/geolocationhostip.la
+lib/nepenthes/geolocationip2location.la
+lib/nepenthes/logdownload.la
+lib/nepenthes/logirc.la
+lib/nepenthes/logsurfnet.la
+lib/nepenthes/moduleportwatch.la
+lib/nepenthes/shellcodegeneric.la
+lib/nepenthes/shellemuwinnt.la
+lib/nepenthes/submitfile.la
+lib/nepenthes/submitnepenthes.la
+lib/nepenthes/submitnorman.la
+lib/nepenthes/submitxmlrpc.la
+lib/nepenthes/uploadhttp.la
+lib/nepenthes/vulnasn1.la
+lib/nepenthes/vulnbagle.la
+lib/nepenthes/vulndameware.la
+lib/nepenthes/vulndcom.la
+lib/nepenthes/vulniis.la
+lib/nepenthes/vulnkuang2.la
+lib/nepenthes/vulnlsass.la
+lib/nepenthes/vulnmsdtc.la
+lib/nepenthes/vulnmsmq.la
+lib/nepenthes/vulnmssql.la
+lib/nepenthes/vulnmydoom.la
+lib/nepenthes/vulnnetbiosname.la
+lib/nepenthes/vulnnetdde.la
+lib/nepenthes/vulnoptix.la
+lib/nepenthes/vulnpnp.la
+lib/nepenthes/vulnsasserftpd.la
+lib/nepenthes/vulnssh.la
+lib/nepenthes/vulnsub7.la
+lib/nepenthes/vulnupnp.la
+lib/nepenthes/vulnveritas.la
+lib/nepenthes/vulnwins.la
+lib/nepenthes/x1.la
+lib/nepenthes/x2.la
+lib/nepenthes/x3.la
+lib/nepenthes/x4.la
+lib/nepenthes/x5.la
+lib/nepenthes/x6.la
+lib/nepenthes/x7.la
+lib/nepenthes/x8.la
+@man man/man8/nepenthes.8
+share/doc/README
+share/doc/README.VFS
+share/doc/logo-shaded.svg
+@sample ${SYSCONFDIR}/nepenthes/
+share/examples/nepenthes/
+share/examples/nepenthes/download-csend.conf
+@sample ${SYSCONFDIR}/nepenthes/download-csend.conf
+share/examples/nepenthes/download-curl.conf
+@sample ${SYSCONFDIR}/nepenthes/download-curl.conf
+share/examples/nepenthes/download-link.conf
+@sample ${SYSCONFDIR}/nepenthes/download-link.conf
+share/examples/nepenthes/download-nepenthes.conf
+@sample ${SYSCONFDIR}/nepenthes/download-nepenthes.conf
+share/examples/nepenthes/download-tftp.conf
+@sample ${SYSCONFDIR}/nepenthes/download-tftp.conf
+share/examples/nepenthes/geolocation-ip2location.conf
+@sample ${SYSCONFDIR}/nepenthes/geolocation-ip2location.conf
+share/examples/nepenthes/log-download.conf
+@sample ${SYSCONFDIR}/nepenthes/log-download.conf
+share/examples/nepenthes/log-irc.conf
+@sample ${SYSCONFDIR}/nepenthes/log-irc.conf
+share/examples/nepenthes/log-surfnet.conf
+@sample ${SYSCONFDIR}/nepenthes/log-surfnet.conf
+share/examples/nepenthes/module-portwatch.conf
+@sample ${SYSCONFDIR}/nepenthes/module-portwatch.conf
+share/examples/nepenthes/nepenthes.conf
+@sample ${SYSCONFDIR}/nepenthes/nepenthes.conf
+share/examples/nepenthes/nepenthes.conf.dist
+share/examples/nepenthes/shellcode-generic.conf
+@sample ${SYSCONFDIR}/nepenthes/shellcode-generic.conf
+share/examples/nepenthes/submit-file.conf
+@sample ${SYSCONFDIR}/nepenthes/submit-file.conf
+share/examples/nepenthes/submit-nepenthes.conf
+@sample ${SYSCONFDIR}/nepenthes/submit-nepenthes.conf
+share/examples/nepenthes/submit-norman.conf
+@sample ${SYSCONFDIR}/nepenthes/submit-norman.conf
+share/examples/nepenthes/submit-xmlrpc.conf
+@sample ${SYSCONFDIR}/nepenthes/submit-xmlrpc.conf
+share/examples/nepenthes/vuln-asn1.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-asn1.conf
+share/examples/nepenthes/vuln-bagle.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-bagle.conf
+share/examples/nepenthes/vuln-dameware.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-dameware.conf
+share/examples/nepenthes/vuln-dcom.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-dcom.conf
+share/examples/nepenthes/vuln-iis.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-iis.conf
+share/examples/nepenthes/vuln-kuang2.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-kuang2.conf
+share/examples/nepenthes/vuln-lsass.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-lsass.conf
+share/examples/nepenthes/vuln-msdtc.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-msdtc.conf
+share/examples/nepenthes/vuln-msmq.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-msmq.conf
+share/examples/nepenthes/vuln-mssql.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-mssql.conf
+share/examples/nepenthes/vuln-mydoom.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-mydoom.conf
+share/examples/nepenthes/vuln-netbiosname.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-netbiosname.conf
+share/examples/nepenthes/vuln-netdde.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-netdde.conf
+share/examples/nepenthes/vuln-optix.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-optix.conf
+share/examples/nepenthes/vuln-pnp.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-pnp.conf
+share/examples/nepenthes/vuln-sasserftpd.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-sasserftpd.conf
+share/examples/nepenthes/vuln-ssh.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-ssh.conf
+share/examples/nepenthes/vuln-sub7.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-sub7.conf
+share/examples/nepenthes/vuln-upnp.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-upnp.conf
+share/examples/nepenthes/vuln-veritas.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-veritas.conf
+share/examples/nepenthes/vuln-wins.conf
+@sample ${SYSCONFDIR}/nepenthes/vuln-wins.conf
+share/examples/nepenthes/x-2.conf
+@sample ${SYSCONFDIR}/nepenthes/x-2.conf
+@extraunexec rm -fr /var/nepenthes/
+@sample /var/nepenthes/
+@sample /var/nepenthes/binaries/
+@sample /var/nepenthes/cache/
+@sample /var/nepenthes/cache/nepenthes/
+@sample /var/nepenthes/cache/nepenthes/geolocation/
+@sample /var/nepenthes/hexdumps/
+@sample /var/nepenthes/log/