-rw-r--r-- | src/bne.c | 2 | ||||
-rw-r--r-- | src/data/proto/hostinfo_rsp | 4 | ||||
-rw-r--r-- | src/data/sql/hi-create.sql | 4 | ||||
-rw-r--r-- | src/proone-hostinfod.c | 8 | ||||
-rw-r--r-- | src/proone-htbtclient.c | 4 | ||||
-rw-r--r-- | src/proone-htbthost.c | 2 | ||||
-rw-r--r-- | src/proone-test_proto.c | 24 | ||||
-rw-r--r-- | src/proone.c | 8 | ||||
-rw-r--r-- | src/protocol.c | 135 | ||||
-rw-r--r-- | src/protocol.h | 10 |
10 files changed, 95 insertions, 106 deletions
@@ -26,7 +26,7 @@ static const struct timespec BNE_SCK_OP_TIMEOUT = { 30, 0 }; // 30s static const struct timespec BNE_CLOSE_OP_TIMEOUT = { 1, 0 }; // 1s static const struct timespec BNE_ERR_PAUSE = { 0, 500000000 }; // 500ms static const struct timespec BNE_PROMPT_PAUSE = { 4, 0 }; // 4s -static const uint64_t BNE_M2M_UPBIN_INT = 43200; // 12 hours +static const uint32_t BNE_M2M_UPBIN_INT = 43200; // 12 hours static const size_t BNE_STDIO_IB_SIZE[] = { #if !PRNE_USE_MIN_MEM diff --git a/src/data/proto/hostinfo_rsp b/src/data/proto/hostinfo_rsp index 659a146..af03557 100644 --- a/src/data/proto/hostinfo_rsp +++ b/src/data/proto/hostinfo_rsp @@ -8,8 +8,8 @@ 301d2539908542fd90b6200b4a3b0855 # instance_id 25dc7ea24ac64a299facbe184233c485 - ABBABABEFEFFFFFE # parent_uptime - DEADBEEFAABBCCDD # child_uptime + ABBABABE # parent_uptime + DEADBEEF # child_uptime 8899AABBCCDDEEFF # bne_cnt ABBAABBAABBAABBA # infect_cnt 11223344 # crash_cnt diff --git a/src/data/sql/hi-create.sql b/src/data/sql/hi-create.sql index 8859248..52a7596 100644 --- a/src/data/sql/hi-create.sql +++ b/src/data/sql/hi-create.sql @@ -3,8 +3,8 @@ CREATE TABLE `prne-hi` ( `org_id` binary(16) DEFAULT NULL, `inserted` datetime NOT NULL, `updated` datetime NOT NULL, - `parent_uptime` bigint(20) unsigned DEFAULT NULL, - `child_uptime` bigint(20) unsigned DEFAULT NULL, + `parent_uptime` int(10) unsigned DEFAULT NULL, + `child_uptime` int(10) unsigned DEFAULT NULL, `bne_cnt` bigint(20) unsigned DEFAULT NULL, `infect_cnt` bigint(20) unsigned DEFAULT NULL, `parent_pid` int(11) unsigned DEFAULT NULL, diff --git a/src/proone-hostinfod.c b/src/proone-hostinfod.c index e5f45e6..8a9e967 100644 --- a/src/proone-hostinfod.c +++ b/src/proone-hostinfod.c 
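Review bot: Narrowing `parent_uptime` and `child_uptime` to `int(10) unsigned` in hi-create.sql only affects databases created from scratch; an existing `prne-hi` table keeps its `bigint(20) unsigned` columns unless a migration statement ships with this change. The wider column still holds every uint32 value, so nothing breaks, but the two schemas diverge silently. A companion ALTER TABLE … MODIFY for the two columns, or a one-line note at the top of the file saying the create script is not a migration, would keep deployments consistent.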
@@ -701,8 +701,8 @@ static int build_hostinfo_query_str ( "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X'),\n" "\t@`org_id` = UNHEX('" "%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X'),\n" - "\t@`parent_uptime` = %"PRIu64",\n" - "\t@`child_uptime` = %"PRIu64",\n" + "\t@`parent_uptime` = %"PRIu32",\n" + "\t@`child_uptime` = %"PRIu32",\n" "\t@`bne_cnt` = %"PRIu64",\n" "\t@`infect_cnt` = %"PRIu64",\n" "\t@`parent_pid` = %"PRIu32",\n" @@ -961,8 +961,8 @@ static bool handle_db_qe ( fprintf( stderr, "db@%"PRIxPTR": hostinfo(" - "parent_uptime = %"PRIu64", " - "child_uptime = %"PRIu64", " + "parent_uptime = %"PRIu32", " + "child_uptime = %"PRIu32", " "bne_cnt = %"PRIu64", " "infect_cnt = %"PRIu64", " "parent_pid = %"PRIu32", " diff --git a/src/proone-htbtclient.c b/src/proone-htbtclient.c index d120ecf..b3c5cce 100644 --- a/src/proone-htbtclient.c +++ b/src/proone-htbtclient.c @@ -1681,9 +1681,9 @@ static void emit_hostinfo_frame (const prne_htbt_host_info_t *hi) { emit_mapping_start(); emit_scalar(YAML_STR_TAG, "parent_uptime"); - emit_scalar_fmt(YAML_INT_TAG, "%"PRIu64, hi->parent_uptime); + emit_scalar_fmt(YAML_INT_TAG, "%"PRIu32, hi->parent_uptime); emit_scalar(YAML_STR_TAG, "child_uptime"); - emit_scalar_fmt(YAML_INT_TAG, "%"PRIu64, hi->child_uptime); + emit_scalar_fmt(YAML_INT_TAG, "%"PRIu32, hi->child_uptime); emit_scalar(YAML_STR_TAG, "bne_cnt"); emit_scalar_fmt(YAML_INT_TAG, "%"PRIu64, hi->bne_cnt); emit_scalar(YAML_STR_TAG, "infect_cnt"); diff --git a/src/proone-htbthost.c b/src/proone-htbthost.c index b34fdf5..106d899 100644 --- a/src/proone-htbthost.c +++ b/src/proone-htbthost.c @@ -81,7 +81,7 @@ static bool cb_hostinfo (void *ctx, prne_htbt_host_info_t *out) { int fd; now = prne_gettime(CLOCK_MONOTONIC); - out->child_uptime = out->parent_uptime = prne_sub_timespec( + out->child_uptime = out->parent_uptime = (uint32_t)prne_sub_timespec( now, proc_start).tv_sec; out->bne_cnt = 0; 
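Review bot: The `(uint32_t)` cast of `prne_sub_timespec(now, proc_start).tv_sec` in cb_hostinfo truncates silently, and a negative `tv_sec` (if prne_sub_timespec can yield one when `now` precedes `proc_start`) wraps to a large value, possibly 0xFFFFFFFF, which is exactly what prne_htbt_init_host_info now fills the field with, so a clock anomaly would be indistinguishable from an unreported uptime. Clamping before the cast keeps the wire value meaningful: `const time_t up = prne_sub_timespec(now, proc_start).tv_sec;` then `out->child_uptime = out->parent_uptime = (up < 0 || (unsigned long long)up > UINT32_MAX) ? UINT32_MAX : (uint32_t)up;`. The same applies to both casts in cb_htbt_hostinfo in src/proone.c. cb_hostinfo continues outside the hunk.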
diff --git a/src/proone-test_proto.c b/src/proone-test_proto.c index 1fb1c9d..e1aa992 100644 --- a/src/proone-test_proto.c +++ b/src/proone-test_proto.c @@ -370,8 +370,8 @@ static void test_ser (void) { prne_htbt_init_host_info(&hi_a); prne_htbt_init_host_info(&hi_b); // without ownership of host_cred - hi_a.parent_uptime = 0xABBABABEFEFFFFFE; - hi_a.child_uptime = 0xDEADBEEFAABBCCDD; + hi_a.parent_uptime = 0xABBABABE; + hi_a.child_uptime = 0xDEADBEEF; hi_a.crash_cnt = 0x11223344; hi_a.bne_cnt = 0x8899AABBCCDDEEFF; hi_a.infect_cnt = 0xABBAABBAABBAABBA; @@ -401,7 +401,7 @@ static void test_ser (void) { PRNE_HTBT_PROTO_MIN_BUF, &proto_buf_cnt_len, &hi_a) == PRNE_HTBT_SER_RC_OK); - assert(proto_buf_cnt_len == 112 + cred_data_len + sizeof(BF)); + assert(proto_buf_cnt_len == 104 + cred_data_len + sizeof(BF)); assert(memcmp(proto_buf, prog_ver, 16) == 0); assert(memcmp( proto_buf + 16, 
@@ -411,20 +411,20 @@ static void test_ser (void) { "\x25\xdc\x7e\xa2\x4a\xc6\x4a\x29\x9f\xac\xbe\x18\x42\x33\xc4\x85" // org_id "\xa3\x0f\xd3\x5e\xe7\xe7\xc3\xb6\x8f\x74\xdf\xf6\x07\x45\x77\xfa" - "\xAB\xBA\xBA\xBE\xFE\xFF\xFF\xFE" // parent_uptime - "\xDE\xAD\xBE\xEF\xAA\xBB\xCC\xDD" // child_uptime + "\xAB\xBA\xBA\xBE" // parent_uptime + "\xDE\xAD\xBE\xEF" // child_uptime "\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF" // bne_cnt "\xAB\xBA\xAB\xBA\xAB\xBA\xAB\xBA" // infect_cnt "\x11\x22\x33\x44" // crash_cnt "\xDE\xAD\xBE\xEF" // parent_pid "\xBA\xBE\xBA\xBE", // child_pid - 92) == 0); - assert((size_t)proto_buf[16 + 92 + 0] == cred_data_len); - assert(proto_buf[16 + 92 + 1] == (uint8_t)PRNE_HOST_ARCH); - assert(proto_buf[16 + 92 + 2] == (uint8_t)PRNE_HOST_OS); - assert(proto_buf[16 + 92 + 3] == sizeof(BF)); - assert(memcmp(proto_buf + 16 + 92 + 4, cred_data, cred_data_len) == 0); - assert(memcmp(proto_buf + 16 + 92 + 4 + cred_data_len, BF, sizeof(BF)) == 0); + 84) == 0); + assert((size_t)proto_buf[16 + 84 + 0] == cred_data_len); + assert(proto_buf[16 + 84 + 1] == (uint8_t)PRNE_HOST_ARCH); + assert(proto_buf[16 + 84 + 2] == (uint8_t)PRNE_HOST_OS); + assert(proto_buf[16 + 84 + 3] == sizeof(BF)); + assert(memcmp(proto_buf + 16 + 84 + 4, cred_data, cred_data_len) == 0); + assert(memcmp(proto_buf + 16 + 84 + 4 + cred_data_len, BF, sizeof(BF)) == 0); assert(prne_htbt_dser_host_info( proto_buf, proto_buf_cnt_len, diff --git a/src/proone.c b/src/proone.c index 6b3905d..686660a 100644 --- a/src/proone.c +++ b/src/proone.c 
@@ -110,8 +110,12 @@ static bool cb_htbt_cnc_txtrec (void *ctx, char *out) { static bool cb_htbt_hostinfo (void *ctx, prne_htbt_host_info_t *out) { const struct timespec ts_now = prne_gettime(CLOCK_MONOTONIC); - out->parent_uptime = prne_sub_timespec(ts_now, prne_g.parent_start).tv_sec; - out->child_uptime = prne_sub_timespec(ts_now, prne_g.child_start).tv_sec; + out->parent_uptime = (uint32_t)prne_sub_timespec( + ts_now, + prne_g.parent_start).tv_sec; + out->child_uptime = (uint32_t)prne_sub_timespec( + ts_now, + prne_g.child_start).tv_sec; if (prne_s_g != NULL) { memcpy(out->org_id, prne_s_g->org_id, 16); out->bne_cnt = prne_s_g->bne_cnt; diff --git a/src/protocol.c b/src/protocol.c index bb26392..5aaccc2 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -301,6 +301,7 @@ prne_htbt_ser_rc_t prne_dec_host_cred ( void prne_htbt_init_host_info (prne_htbt_host_info_t *hi) { prne_memzero(hi, sizeof(prne_htbt_host_info_t)); + hi->parent_uptime = hi->child_uptime = 0xFFFFFFFF; } bool prne_htbt_alloc_host_info ( @@ -642,7 +643,7 @@ prne_htbt_ser_rc_t prne_htbt_ser_host_info ( return PRNE_HTBT_SER_RC_FMT_ERR; } - *actual = 112 + in->host_cred_len + in->bf_len; + *actual = 104 + in->host_cred_len + in->bf_len; if (mem_len < *actual) { return PRNE_HTBT_SER_RC_MORE_BUF; } 
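Review bot: `hi->parent_uptime = hi->child_uptime = 0xFFFFFFFF;` in prne_htbt_init_host_info introduces a magic sentinel that nothing on this page documents; the wire-format comment in protocol.h still reads `uint32_t parent_uptime : in seconds`, and consumers such as build_hostinfo_query_str format the field with PRIu32, so a record that was never filled in would be stored as a literal 4294967295-second uptime. Give the value a name next to the struct, e.g. `#define PRNE_HTBT_UPTIME_UNKNOWN UINT32_MAX` (name constructed here), use it in this initialiser, and add to the protocol.h field comment that this value means "not reported" so readers can filter it. Whether the bne.c comparison against BNE_M2M_UPBIN_INT already treats the sentinel specially is not visible on this page and is worth confirming.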
@@ -651,56 +652,48 @@ prne_htbt_ser_rc_t prne_htbt_ser_host_info ( memcpy(mem + 16, in->boot_id, 16); memcpy(mem + 32, in->instance_id, 16); memcpy(mem + 48, in->org_id, 16); - mem[64] = prne_getmsb64(in->parent_uptime, 0); - mem[65] = prne_getmsb64(in->parent_uptime, 1); - mem[66] = prne_getmsb64(in->parent_uptime, 2); - mem[67] = prne_getmsb64(in->parent_uptime, 3); - mem[68] = prne_getmsb64(in->parent_uptime, 4); - mem[69] = prne_getmsb64(in->parent_uptime, 5); - mem[70] = prne_getmsb64(in->parent_uptime, 6); - mem[71] = prne_getmsb64(in->parent_uptime, 7); - mem[72] = prne_getmsb64(in->child_uptime, 0); - mem[73] = prne_getmsb64(in->child_uptime, 1); - mem[74] = prne_getmsb64(in->child_uptime, 2); - mem[75] = prne_getmsb64(in->child_uptime, 3); - mem[76] = prne_getmsb64(in->child_uptime, 4); - mem[77] = prne_getmsb64(in->child_uptime, 5); - mem[78] = prne_getmsb64(in->child_uptime, 6); - mem[79] = prne_getmsb64(in->child_uptime, 7); - mem[80] = prne_getmsb64(in->bne_cnt, 0); - mem[81] = prne_getmsb64(in->bne_cnt, 1); - mem[82] = prne_getmsb64(in->bne_cnt, 2); - mem[83] = prne_getmsb64(in->bne_cnt, 3); - mem[84] = prne_getmsb64(in->bne_cnt, 4); - mem[85] = prne_getmsb64(in->bne_cnt, 5); - mem[86] = prne_getmsb64(in->bne_cnt, 6); - mem[87] = prne_getmsb64(in->bne_cnt, 7); - mem[88] = prne_getmsb64(in->infect_cnt, 0); - mem[89] = prne_getmsb64(in->infect_cnt, 1); - mem[90] = prne_getmsb64(in->infect_cnt, 2); - mem[91] = prne_getmsb64(in->infect_cnt, 3); - mem[92] = prne_getmsb64(in->infect_cnt, 4); - mem[93] = prne_getmsb64(in->infect_cnt, 5); - mem[94] = prne_getmsb64(in->infect_cnt, 6); - mem[95] = prne_getmsb64(in->infect_cnt, 7); - mem[96] = prne_getmsb32(in->crash_cnt, 0); - mem[97] = prne_getmsb32(in->crash_cnt, 1); - mem[98] = prne_getmsb32(in->crash_cnt, 2); - mem[99] = prne_getmsb32(in->crash_cnt, 3); - mem[100] = prne_getmsb32(in->parent_pid, 0); - mem[101] = prne_getmsb32(in->parent_pid, 1); - mem[102] = prne_getmsb32(in->parent_pid, 2); - mem[103] = 
prne_getmsb32(in->parent_pid, 3); - mem[104] = prne_getmsb32(in->child_pid, 0); - mem[105] = prne_getmsb32(in->child_pid, 1); - mem[106] = prne_getmsb32(in->child_pid, 2); - mem[107] = prne_getmsb32(in->child_pid, 3); - mem[108] = (uint8_t)in->host_cred_len; - mem[109] = (uint8_t)in->arch; - mem[110] = (uint8_t)in->os; - mem[111] = (uint8_t)in->bf_len; - memcpy(mem + 112, in->host_cred, in->host_cred_len); - memcpy(mem + 112 + in->host_cred_len, in->bf, in->bf_len); + mem[64] = prne_getmsb32(in->parent_uptime, 0); + mem[65] = prne_getmsb32(in->parent_uptime, 1); + mem[66] = prne_getmsb32(in->parent_uptime, 2); + mem[67] = prne_getmsb32(in->parent_uptime, 3); + mem[68] = prne_getmsb32(in->child_uptime, 0); + mem[69] = prne_getmsb32(in->child_uptime, 1); + mem[70] = prne_getmsb32(in->child_uptime, 2); + mem[71] = prne_getmsb32(in->child_uptime, 3); + mem[72] = prne_getmsb64(in->bne_cnt, 0); + mem[73] = prne_getmsb64(in->bne_cnt, 1); + mem[74] = prne_getmsb64(in->bne_cnt, 2); + mem[75] = prne_getmsb64(in->bne_cnt, 3); + mem[76] = prne_getmsb64(in->bne_cnt, 4); + mem[77] = prne_getmsb64(in->bne_cnt, 5); + mem[78] = prne_getmsb64(in->bne_cnt, 6); + mem[79] = prne_getmsb64(in->bne_cnt, 7); + mem[80] = prne_getmsb64(in->infect_cnt, 0); + mem[81] = prne_getmsb64(in->infect_cnt, 1); + mem[82] = prne_getmsb64(in->infect_cnt, 2); + mem[83] = prne_getmsb64(in->infect_cnt, 3); + mem[84] = prne_getmsb64(in->infect_cnt, 4); + mem[85] = prne_getmsb64(in->infect_cnt, 5); + mem[86] = prne_getmsb64(in->infect_cnt, 6); + mem[87] = prne_getmsb64(in->infect_cnt, 7); + mem[88] = prne_getmsb32(in->crash_cnt, 0); + mem[89] = prne_getmsb32(in->crash_cnt, 1); + mem[90] = prne_getmsb32(in->crash_cnt, 2); + mem[91] = prne_getmsb32(in->crash_cnt, 3); + mem[92] = prne_getmsb32(in->parent_pid, 0); + mem[93] = prne_getmsb32(in->parent_pid, 1); + mem[94] = prne_getmsb32(in->parent_pid, 2); + mem[95] = prne_getmsb32(in->parent_pid, 3); + mem[96] = prne_getmsb32(in->child_pid, 0); + mem[97] = 
prne_getmsb32(in->child_pid, 1); + mem[98] = prne_getmsb32(in->child_pid, 2); + mem[99] = prne_getmsb32(in->child_pid, 3); + mem[100] = (uint8_t)in->host_cred_len; + mem[101] = (uint8_t)in->arch; + mem[102] = (uint8_t)in->os; + mem[103] = (uint8_t)in->bf_len; + memcpy(mem + 104, in->host_cred, in->host_cred_len); + memcpy(mem + 104 + in->host_cred_len, in->bf, in->bf_len); return PRNE_HTBT_SER_RC_OK; } @@ -872,13 +865,13 @@ prne_htbt_ser_rc_t prne_htbt_dser_host_info ( { size_t cred_size, bf_size; - *actual = 112; + *actual = 104; if (len < *actual) { return PRNE_HTBT_SER_RC_MORE_BUF; } - cred_size = data[108]; - bf_size = data[111]; + cred_size = data[100]; + bf_size = data[103]; *actual += cred_size + bf_size; if (len < *actual) { return PRNE_HTBT_SER_RC_MORE_BUF; @@ -892,16 +885,17 @@ prne_htbt_ser_rc_t prne_htbt_dser_host_info ( memcpy(out->boot_id, data + 16, 16); memcpy(out->instance_id, data + 32, 16); memcpy(out->org_id, data + 48, 16); - out->parent_uptime = prne_recmb_msb64( + out->parent_uptime = prne_recmb_msb32( data[64], data[65], data[66], - data[67], + data[67]); + out->child_uptime = prne_recmb_msb32( data[68], data[69], data[70], data[71]); - out->child_uptime = prne_recmb_msb64( + out->bne_cnt = prne_recmb_msb64( data[72], data[73], data[74], @@ -910,7 +904,7 @@ prne_htbt_ser_rc_t prne_htbt_dser_host_info ( data[77], data[78], data[79]); - out->bne_cnt = prne_recmb_msb64( + out->infect_cnt = prne_recmb_msb64( data[80], data[81], data[82], 
@@ -919,34 +913,25 @@ prne_htbt_ser_rc_t prne_htbt_dser_host_info ( data[85], data[86], data[87]); - out->infect_cnt = prne_recmb_msb64( + out->crash_cnt = prne_recmb_msb32( data[88], data[89], data[90], - data[91], + data[91]); + out->parent_pid = prne_recmb_msb32( data[92], data[93], data[94], data[95]); - out->crash_cnt = prne_recmb_msb32( + out->child_pid = prne_recmb_msb32( data[96], data[97], data[98], data[99]); - out->parent_pid = prne_recmb_msb32( - data[100], - data[101], - data[102], - data[103]); - out->child_pid = prne_recmb_msb32( - data[104], - data[105], - data[106], - data[107]); - out->arch = (prne_arch_t)data[109]; - out->os = (prne_os_t)data[110]; - memcpy(out->host_cred, data + 112, cred_size); - memcpy(out->bf, data + 112 + cred_size, bf_size); + out->arch = (prne_arch_t)data[101]; + out->os = (prne_os_t)data[102]; + memcpy(out->host_cred, data + 104, cred_size); + memcpy(out->bf, data + 104 + cred_size, bf_size); return PRNE_HTBT_SER_RC_OK; } diff --git a/src/protocol.h b/src/protocol.h index e244d6c..822b92a 100644 --- a/src/protocol.h +++ b/src/protocol.h @@ -121,8 +121,8 @@ typedef enum { * uint8_t boot_id[16] * uint8_t instance_id[16] * uint8_t org_id[16] - * uint64_t parent_uptime : in seconds - * uint64_t child_uptime : in seconds + * uint32_t parent_uptime : in seconds + * uint32_t child_uptime : in seconds * uint64_t bne_cnt : break-and-entry count * uint64_t infect_cnt : infect count ( <= 'bne_cnt') * uint32_t crash_cnt @@ -250,8 +250,8 @@ struct prne_htbt_status { }; struct prne_htbt_host_info { - uint64_t parent_uptime; - uint64_t child_uptime; + uint32_t parent_uptime; + uint32_t child_uptime; uint64_t bne_cnt; uint64_t infect_cnt; uint32_t parent_pid; 
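Review bot: `out->arch = (prne_arch_t)data[101];` and `out->os = (prne_os_t)data[102];` convert bytes taken directly from the received frame into enum values with no range check, so an unknown value reaches every consumer that switches on `arch` or `os`. If the deserialiser is meant to be the validation point, rejecting out-of-range bytes with `PRNE_HTBT_SER_RC_FMT_ERR` (the code the serialiser already uses) belongs right after these two lines; if validation is done by callers, a comment here saying so would save the next reader the search. The enum bounds are not visible on this page, so the exact comparison is for the author to fill in. prne_htbt_dser_host_info's signature and the earlier length checks are outside this hunk.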
@@ -342,7 +342,7 @@ typedef prne_htbt_ser_rc_t(*prne_htbt_dser_ft)(
  * Required write buffer size for submissive end. Set to that of
  * PRNE_HTBT_OP_HOST_INFO.
  */
-#define PRNE_HTBT_PROTO_SUB_MIN_BUF ((size_t)3 + 94 + 255)
+#define PRNE_HTBT_PROTO_SUB_MIN_BUF ((size_t)3 + 104 + 255 + 255)
 
 const char *prne_os_tostr (const prne_os_t x); |
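Review bot: The new `((size_t)3 + 104 + 255 + 255)` corrects more than the type change: the old `3 + 94 + 255` was smaller than the largest host_info frame prne_htbt_ser_host_info could emit, since both `host_cred_len` and `bf_len` are written as single bytes and each may reach 255, yet the comment above the define does not tie the arithmetic to the format. A derivation comment such as `/* 3 + fixed 104-byte host_info body + host_cred_len (<= 255) + bf_len (<= 255) */` would keep this constant and the serialiser's `*actual = 104 + in->host_cred_len + in->bf_len;` in step the next time the layout changes. Whether any caller sized a stack buffer from the old, smaller value is not visible here and is worth checking.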