Bug #217

new row for relation "prelude_checksum" violates check constraint "prelude_checksum_algorithm_check"

Added by over 12 years ago. Updated over 10 years ago.

Status:
Closed
Priority:
Normal
Target version:
Start date:
Due date:
% Done:

0%

Resolution:
fixed

Description

I am using nepenthes 0.2.0 in combination with prelude-manager 0.9.7.2, libprelude 0.9.13.2 and libpreludedb 0.9.12. Every time nepenthes downloads malware, it cannot be logged into the prelude db (pgsql):

[ info handler event module ] [[LogPrelude]] EVENT EV_SOCK_TCP_ACCEPT

[ crit sc handler ] MATCH linkxor::link  matchCount 5 map_items 5

[ info sc handler ]  i = 1 map_items 5 , map = size

[ info sc handler ]  i = 2 map_items 5 , map = size

[ info sc handler ]  i = 3 map_items 5 , map = key

[ info sc handler ]  i = 4 map_items 5 , map = post

[ info sc handler ] Found linkbot XOR decoder, key 0x17, payload is 0x00b2 bytes long.

[ info sc handler ] connectbackfiletransfer::linktransfer -> 129.13.x.x:50391

[ info sc handler ] connectbackfiletransfer::linktransfer -> 129.13.x.x:50391, key 0x63f635d0.

[ info handler event module ] [[LogPrelude]] EVENT EV_DOWNLOAD link://129.13.x.x:50391/Y/Y10A==  0

[ info down mgr ] Handler link download handler will download link://129.13.x.x:50391/Y/Y10A==

[ info handler event module ] [[LogPrelude]] EVENT EV_SHELLCODE_DONE

[ info handler event module ] [[LogPrelude]] EVENT EV_ASSIGN_AND_DONE

[ info handler event module ] [[LogPrelude]] EVENT EV_SOCK_TCP_CLOSE

[ info handler dia ] Download via linkbot filetransferr done! ( download is 37888 bytes)

[ info mgr submit ] File ed82850exxxxxxxxxxxxxxxxxxx has type MS-DOS executable, MZ for MS-DOS

[ info handler event module ] [[LogPrelude]] EVENT EV_SUBMISSION 

link://129.13.x.x:50391/Y/Y10A== ed82850exxxxxxxxxxxxxxxxxxx 37888

And that's what prelude-manager says:

could not insert message into database: ERROR:  new row for relation "prelude_checksum" violates check constraint "prelude_checksum_algorithm_check".

The only thing that is presented via prewikka is:

7 x Shellcode detected: connectbackfiletransfer::linktransfer
7 x possible Malware offered: link://129.13.x.x:50391/Y/Y10A== 

but NOT the message about the successful download of the malware

History

#1 Updated by over 12 years ago

This is a dump of the table constraint:

ALTER TABLE prelude_checksum
    ADD CONSTRAINT prelude_checksum_algorithm_check CHECK (
        algorithm::text = 'md4'::text OR algorithm::text = 'md5'::text
        OR algorithm::text = 'sha1'::text OR algorithm::text = 'sha2-256'::text
        OR algorithm::text = 'sha2-384'::text OR algorithm::text = 'sha2-512'::text
        OR algorithm::text = 'crc-32'::text OR algorithm::text = 'haval'::text
        OR algorithm::text = 'tiger'::text OR algorithm::text = 'gost'::text);

#2 Updated by over 12 years ago

nepenthes writes the checksum's name in uppercase:

add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5");

Not sure what is correct.

#3 Updated by Yoann VANDOORSELAERE over 12 years ago

  • Status changed from New to Assigned

Replying to [comment:2 ]:

nepenthes writes the checksum's name in uppercase:

add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5");

Not sure what is correct.

Yes, this is correct.

The problem is within the libpreludedb database schema, which uses lowercase in place of uppercase. Applications can use either, since it is normalized to uppercase (as specified by IDMEF) within libprelude.

The upcoming libpreludedb release will fix this issue.

#4 Updated by Yoann VANDOORSELAERE over 12 years ago

While waiting for the upcoming libpreludedb release, you can fix your issue using:

BEGIN;
ALTER TABLE Prelude_Checksum DROP CONSTRAINT prelude_checksum_algorithm_check;
ALTER TABLE Prelude_Checksum ADD CHECK ( algorithm IN ('MD4', 'MD5', 'SHA1', 'SHA2-256', 'SHA2-384', 'SHA2-512', 'CRC-32', 'Haval', 'Tiger', 'Gost'));
COMMIT;
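
To check whether a deployment is affected before and after applying that fix, here is an added example (not from this thread or the Prelude project) that shows the constraint as the server currently holds it, lists the algorithm spellings already stored, and then applies the replacement constraint from comment #4 with an explicit name. It assumes a psql session on the libpreludedb PostgreSQL database, where the unquoted table name Prelude_Checksum is folded to prelude_checksum, as the error message shows.

```sql
-- Added example: inspect and repair the checksum-algorithm constraint.
-- Assumes a psql session on the libpreludedb PostgreSQL database.

-- 1. Current definition of every CHECK constraint on prelude_checksum.
--    An affected schema lists the lowercase names ('md4', 'md5', ...),
--    which libprelude never emits because it normalizes to uppercase.
SELECT conname, pg_get_constraintdef(oid) AS definition
  FROM pg_constraint
 WHERE conrelid = 'prelude_checksum'::regclass
   AND contype = 'c';

-- 2. Spellings actually stored. ADD CONSTRAINT validates existing rows,
--    so any lowercase value listed here would make step 3 fail and must be
--    dealt with first (an unaffected table normally shows none).
SELECT algorithm, count(*) AS n
  FROM prelude_checksum
 GROUP BY algorithm
 ORDER BY algorithm;

-- 3. Replace the constraint atomically (comment #4's statement, with the
--    constraint named explicitly). Re-running step 1 afterwards shows the
--    uppercase list, and the EV_SUBMISSION alert is then stored.
BEGIN;
ALTER TABLE prelude_checksum
    DROP CONSTRAINT prelude_checksum_algorithm_check;
ALTER TABLE prelude_checksum
    ADD CONSTRAINT prelude_checksum_algorithm_check
    CHECK (algorithm IN ('MD4', 'MD5', 'SHA1', 'SHA2-256', 'SHA2-384',
                         'SHA2-512', 'CRC-32', 'Haval', 'Tiger', 'Gost'));
COMMIT;
```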

#5 Updated by Yoann VANDOORSELAERE over 12 years ago

  • Status changed from Assigned to Closed
  • Resolution set to fixed

Fixed in r9426.

#6 Updated by Yoann VANDOORSELAERE over 10 years ago

  • Project changed from PRELUDE SIEM to LibpreludeDB
  • Category deleted (2)
  • Target version deleted (0.9.13)
