Article delegate-en/4476 of [1-5169] on the server localhost:119
[Reference:<_A4474@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: NAT odst available to scripts on DeleGate
28 May 2009 16:57:54 GMT Guilherme Vênere <pniiqbdyi-re5dixw3ohtr.ml@ml.delegate.org>


Hello Mr Yutaka,

Thank you very much, it worked perfectly.

I'm sorry for not introducing myself properly before. I'm Brazilian,
and I work for a technical school developing trainings in advanced
topics like malware analysis and computer forensics.

This project I'm developing is part of a hands-on class I was
preparing for malware analysis. I'm developing a virtual machine with
all services installed and then redirecting all network traffic to it.
This way we can study which network activity the malware generates.
The biggest problems were to identify unknown protocols and services,
and also when the malware used non-standard ports to communicate.
That's when DeleGate helps me. I can use it to redirect all unknown
traffic, and see what it tries to do and where it tries to connect.

With this patch now I'm able to do that, thank you very much again!

Regards,

Guilherme

On Thu, May 28, 2009 at 2:07 AM, Yutaka Sato <feedback@delegate.org> wrote:
> Hi,
>
> In message <_A4472@delegate-en.ML_> on 05/28/09(11:30:57)
> you Guilherme Vênere <pniiqbdyi-re5dixw3ohtr.ml@ml.delegate.org> wrote:
>  |I'm afraid I need to bother you a little more. As I explained before,
>
> Questions on advanced usages of DeleGate, as yours, are very helpful
> and welcome.
> But those in anonymous mails are treated in low priority.
> Although I don't like to know a user's personal information,
> generic attributes, especially his/her nationality or where
> he/she is, are helpful for understanding the question and making an answer.
>
>  |I'm trying to use DeleGate as a generic proxy on a machine I'm
>  |configuring to study malware behaviour. As such, I'm redirecting all
>  |traffic to any external IP to my gateway address, where I receive the
>  |connection with DeleGate. I'm using NAT with iptables on Linux to do
>  |the redirection.
>  |
>  |But when DeleGate run my script (with XCOM=script.pl or
>  |XFIL=script.pl) I want to have access to the original IP:PORT. I
>  |thought the best way to have access to those values would be by
>  |environment variables, so I looked at src/filter.c, and found the code
>  |where you create the variables, and tried to add the following code
>  |there:
> ...
>  |+     sprintf(env,"ORIG_DST1=%s",Origdst_Host); putenv(stralloc(env));
>  |+     sprintf(env,"ORIG_PORT1=%d",Origdst_Port); putenv(stralloc(env));
> ...
>  |It creates the variables but they are empty. I'm pretty sure there is
>  |something else I need to do to make this work, but I can't figure it
>  |out.
>
> Those values in Origdst_XXXX are filled only if "odst.-" is used
> somewhere in the configuration parameters, or the option
>
>  -Eao
>
> is specified.  So just add "-Eao" to your command line options for DeleGate.
> I'll add the environment variables "ORIGINAL_SERVER_NAME" and
> "ORIGINAL_SERVER_PORT", as in the enclosed patch, in the next release.
>
> Cheers,
> Yutaka
> --
>  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
>  ( ~ )  National Institute of Advanced Industrial Science and Technology
> _<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
> Do the more with the less -- B. Fuller
>
> *** dist/src/delegate9.9.4-pre3/src/filter.c    Sat Jan  3 12:18:29 2009
> --- ./src/filter.c      Thu May 28 17:53:50 2009
> ***************
> *** 1427,1434 ****
> --- 1427,1439 ----
>        sprintf(env,"SERVER_NAME=%s",host); putenv(stralloc(env));
>        sprintf(env,"SERVER_PORT=%d",port); putenv(stralloc(env));
>        }
>
> +       if( lORIGDST() ){
> +       sprintf(env,"ORIGINAL_SERVER_NAME=%s",Origdst_Host); putenv(stralloc(env));
> +       sprintf(env,"ORIGINAL_SERVER_PORT=%d",Origdst_Port); putenv(stralloc(env));
> +       }
> +
>        serv = DST_HOST;
>        sprintf(env,"SERVER_HOST=%s",serv); putenv(stralloc(env));
>        if( addr = gethostaddr(serv) )
>        {
>
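Review bot: the new `if( lORIGDST() )` block checks only that original-destination capture is enabled, not that `Origdst_Host` holds a value, so an empty host would be exported as `ORIGINAL_SERVER_NAME=` rather than leaving the variable unset, and a filter script cannot tell "not captured" from a genuinely empty value; guarding on `lORIGDST() && *Origdst_Host`, or documenting that the variables are only meaningful with -Eao or an odst.- parameter, would make that explicit. Also, `sprintf(env,"ORIGINAL_SERVER_NAME=%s",Origdst_Host)` copies an unbounded string into `env`, the same pattern as the existing `SERVER_NAME=%s` line above it; if `env` is a fixed-size buffer, `snprintf(env,sizeof(env),...)` would bound the write.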

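An added example, not code from this thread or from DeleGate itself, of a filter script for the malware-analysis sink described above that consumes the variables the patch exports. It assumes the script is run by DeleGate as an XFIL filter with the client stream on stdin/stdout, that DeleGate was started with -Eao so ORIGINAL_SERVER_NAME and ORIGINAL_SERVER_PORT are set, and it uses a constructed log path (MALWARE_SINK_LOG) and a constructed list of common ports; the variable names SERVER_NAME, SERVER_PORT, ORIGINAL_SERVER_NAME and ORIGINAL_SERVER_PORT are the ones in src/filter.c.

```python
"""Hypothetical XFIL filter for a malware-analysis sink (example code).

Records where the redirected connection was originally headed, flags
non-standard destination ports, then passes the stream through unchanged.
Only the environment variable names come from DeleGate's src/filter.c;
the log path, port list and stdin/stdout handling are assumptions.
"""
import json
import os
import sys
from datetime import datetime, timezone

# Constructed list of "usual" service ports; anything else is worth a look.
USUAL_PORTS = frozenset({21, 22, 25, 53, 80, 110, 143, 443, 993, 995})


def original_destination(env):
    """Return (host, port) from ORIGINAL_SERVER_NAME/PORT, or None.

    DeleGate exports these only when started with -Eao (or with an odst.-
    parameter); otherwise they are absent or empty, which is the
    'variables exist but are empty' symptom from the thread.
    """
    host = env.get("ORIGINAL_SERVER_NAME", "").strip()
    port = env.get("ORIGINAL_SERVER_PORT", "").strip()
    if not host or not port:
        return None
    try:
        port_n = int(port)
    except ValueError:
        return None
    if not 0 < port_n < 65536:
        return None
    return host, port_n


def is_nonstandard(odst, known_ports=USUAL_PORTS):
    """True when the original destination port is outside the usual set."""
    return odst is not None and odst[1] not in known_ports


def connection_record(env, now=None):
    """Build one JSON-serialisable record describing this connection."""
    odst = original_destination(env)
    record = {
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        # Where DeleGate itself accepted the connection (the sink address).
        "sink": env.get("SERVER_NAME", ""),
        "sink_port": env.get("SERVER_PORT", ""),
        "original": None,
        "nonstandard_port": is_nonstandard(odst),
        "note": "",
    }
    if odst is None:
        record["note"] = "no original destination: start DeleGate with -Eao"
    else:
        record["original"] = {"host": odst[0], "port": odst[1]}
    return record


def passthrough(src, dst, chunk=65536):
    """Copy the client stream through unchanged; returns bytes copied."""
    total = 0
    while True:
        data = src.read(chunk)
        if not data:
            return total
        dst.write(data)
        dst.flush()
        total += len(data)


def main():
    # Assumed: DeleGate runs this as XFIL=sink_filter.py and hands us the
    # connection on stdin/stdout; MALWARE_SINK_LOG is a constructed name.
    log_path = os.environ.get("MALWARE_SINK_LOG", "/tmp/malware-sink.log")
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(connection_record(os.environ)) + "\n")
    passthrough(sys.stdin.buffer, sys.stdout.buffer)


if __name__ == "__main__":
    main()
```

With -Eao enabled, each redirected connection leaves one line in the log with the real host and port the sample tried to reach; a record whose note says to start DeleGate with -Eao means the variables were present but empty, exactly the situation the question describes.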