Bug #217
new row for relation "prelude_checksum" violates check constraint "prelude_checksum_algorithm_check"
0%
Description
I am using nepenthes 0.2.0 in combination with prelude-manager 0.9.7.2, libprelude 0.9.13.2 and libpreludedb 0.9.12. Every time nepenthes downloads malware, it can not be logged into the prelude db (pgsql):
[ info handler event module ] [[LogPrelude]] EVENT EV_SOCK_TCP_ACCEPT [ crit sc handler ] MATCH linkxor::link matchCount 5 map_items 5 [ info sc handler ] i = 1 map_items 5 , map = size [ info sc handler ] i = 2 map_items 5 , map = size [ info sc handler ] i = 3 map_items 5 , map = key [ info sc handler ] i = 4 map_items 5 , map = post [ info sc handler ] Found linkbot XOR decoder, key 0x17, payload is 0x00b2 bytes long. [ info sc handler ] connectbackfiletransfer::linktransfer -> 129.13.x.x:50391 [ info sc handler ] connectbackfiletransfer::linktransfer -> 129.13.x.x:50391, key 0x63f635d0. [ info handler event module ] [[LogPrelude]] EVENT EV_DOWNLOAD link://129.13.x.x:50391/Y/Y10A== 0 [ info down mgr ] Handler link download handler will download link://129.13.x.x:50391/Y/Y10A== [ info handler event module ] [[LogPrelude]] EVENT EV_SHELLCODE_DONE [ info handler event module ] [[LogPrelude]] EVENT EV_ASSIGN_AND_DONE [ info handler event module ] [[LogPrelude]] EVENT EV_SOCK_TCP_CLOSE [ info handler dia ] Download via linkbot filetransferr done! ( download is 37888 bytes) [ info mgr submit ] File ed82850exxxxxxxxxxxxxxxxxxx has type MS-DOS executable, MZ for MS-DOS [ info handler event module ] [[LogPrelude]] EVENT EV_SUBMISSION link://129.13.x.x:50391/Y/Y10A== ed82850exxxxxxxxxxxxxxxxxxx 37888
And that's what prelude-manager says:
could not insert message into database: ERROR: new row for relation "prelude_checksum" violates check constraint "prelude_checksum_algorithm_check".
The only thing that is presented via prewikka is:
7 x Shellcode detected: connectbackfiletransfer::linktransfer 7 x possible Malware offered: link://129.13.x.x:50391/Y/Y10A==
but NOT the message about the successful download of the malware
History
#1 Updated by about 17 years ago
this is a dump of the table constraint:
ALTER TABLE prelude_checksum
ADD CONSTRAINT prelude_checksum_algorithm_check CHECK (algorithm::text = 'md4'::text OR algorithm::text = 'md5'::text OR algorithm::text = 'sha1'::text OR algorithm::text = 'sha2-256'::text OR algorithm::text = 'sha2-384'::text OR algorithm::text = 'sha2-512'::text OR algorithm::text = 'crc-32'::text OR algorithm::text = 'haval'::text OR algorithm::text = 'tiger'::text OR algorithm::text = 'gost'::text);
#2 Updated by almost 17 years ago
nepenthes writes the checksums name uppercase
add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5");
not sure what is correct
#3 Updated by Yoann VANDOORSELAERE almost 17 years ago
- Status changed from New to Assigned
Replying to [comment:2 nepenthesdev@gmail.com]:
nepenthes writes the checksums name uppercase
add_idmef_object(idmef, "alert.target(0).file(0).checksum(0).algorithm" ,"MD5");
not sure what is correct
Yes, this is correct.
The problem is within the libpreludedb database schema that use lowercase in place of uppercase. Application can use either since it's normalized to upper case (as specified by IDMEF) within libprelude.
The upcoming libpreludedb release will fix this issue.
#4 Updated by Yoann VANDOORSELAERE almost 17 years ago
While waiting for the upcoming libpreludedb release, you can fix your issue using:
BEGIN;
ALTER TABLE Prelude_Checksum DROP CONSTRAINT prelude_checksum_algorithm_check;
ALTER TABLE Prelude_Checksum ADD CHECK ( algorithm IN ('MD4', 'MD5', 'SHA1', 'SHA2-256', 'SHA2-384', 'SHA2-512', 'CRC-32', 'Haval', 'Tiger', 'Gost'));
COMMIT;
#5 Updated by Yoann VANDOORSELAERE almost 17 years ago
- Status changed from Assigned to Closed
- Resolution set to fixed
Fixed in r9426.
#6 Updated by Yoann VANDOORSELAERE almost 15 years ago
- Project changed from PRELUDE SIEM to LibpreludeDB
- Category deleted (
2) - Target version deleted (
0.9.13)