Saving content of print jobs to a file

pipitas k1pfeifle at gmx.net
Mon Dec 27 17:42:42 PST 2004


Matt wrote:

> Hi.  I've been receiving a windows executable through my CUPS printing
> system (even with printer sharing disabled).  The printer would not print
> immediately because it appears that someone or some program was trying to
> send a raw executable to my system.  I've fixed the problem by putting up
> a firewall, but am interested in setting up a honeypot; thus allowing the
> person/software to send the file as a print job and saving the print job's
> entire content to a file, then sending that file to an anti-virus scanner
> to see what it is.  How do I save a print job's contents (whole contents) to
> a file, where the file would be on the queue for printing but is still waiting
> for me to turn my printer on?  Do I have to set up a RAW printer >> file?
> or can I simply save the data as sent to my currently installed actual
> printer?
> 
> Thanks for your help.  I'm really wanting to capture this to a file for
> examination.  Thanks.


I am not sure I understand your setup. Is it so that you have the
lines referring to "application/octet-stream" enabled in your
mime.{types,convs} files?

You could do the following:

  1) write a special filter that catches all "application/octet-stream"
     files and saves them to disk (and does anything else you like,
     such as alert you via email if this incident occurs).
  2) enable application/octet-stream printing.

Such a filter, call it "octetstream-catcher", could look, in its
simplest form, like this:

------ snip ------------------
#!/bin/bash
# octetstream-catcher
# cupsd calls a filter as: job-id user title copies options [file]
# With only five arguments the job data arrives on stdin, so fall
# back to "-" when $6 is missing.
cat "${6:--}" > /tmp/my-last-caught-octetstream.printjob
# a non-zero exit aborts the job here, so nothing reaches the printer
exit 1
------ snip ------------------


Of course, you could make it a bit more sophisticated and log a few
more facts.

A first shot at such a beast is here:
------ snip ------------------
#!/bin/bash
# job-id, user, title, copies, options, [filename or stdin]

# this filter logs all attempts to print
# "application/octet-stream" file types
# and saves the file to
# /tmp/octetstream-printfile.<currentdate-and-time>.<PID-of-filter>


# comment next line in or out depending on your debugging needs
# (the trace goes to stderr, which cupsd collects into its error_log)
set -x


# change the "/tmp" path to something more secure. The path must be
# writeable to the user cupsd runs as:
LOGFILE=/tmp/octetstreamfilter.log
printfile=/tmp/octetstream-printfile.$(date +%b%d-%H%M%S).$$

# the saved job may be malware: create it and the log so that only
# the user cupsd runs as can read them
umask 077


# 2 functions that do help with logging
log() { echo "$@" >> "$LOGFILE"
}

logdo() { log "$@"; "$@"
}


# Start!
log " "
log " # ----------------------------------------------------------------------"
log " # -- OCTETSTREAMFILTER START: $@"
log " # -- .... now is $(date)"
log " # ----------------------------------------------------------------------"
log " "
log " printfile=$printfile"


# first prepare a few things for debugging, and log everything:
logdo export LOGFILE=/tmp/octetstreamfilter.log


# now test if the filter is called with the correct number of arguments, and
# log everything. With 5 arguments cupsd sends the job on stdin, with 6 the
# last argument is the job file (this also lets you test the filter
# standalone from the command line):
case $# in
  0) logdo echo "ERROR: $(basename $0) job-id user title copies \"options\" [jobfile]" 1>&2
     logdo exit 0
     ;;
  1|2|3|4) logdo echo "ERROR: wrong number of arguments -- should be 5 or 6." 1>&2
     logdo exit 1
     ;;
  5) logdo export jobinput="-"
     ;;
  6) logdo export jobinput="$6"
     ;;
  *) logdo echo "ERROR: too many arguments ($#) for my little brain -- should be 5 or 6." 1>&2
     logdo echo "ERROR: arguments were $@" 1>&2
     logdo exit 1
     # alternatively, we could also just ignore all arguments beyond $6 and continue...
     ;;
esac


# log a few more things (PRINTER, PPD, DEVICE_URI and USER are set by
# cupsd in the environment of every filter):
logdo export filtername="${0}"
logdo export job_id="${1}"
logdo export user="${2}"
logdo export title="${3}"
logdo export copies="${4}"
logdo export options="${5}"
logdo export file="${6}"
logdo export printer="$PRINTER"
logdo export ppd="$PPD"
# keep this separate from "user" above: that one is the job owner,
# this one is the account cupsd runs the filter as
logdo export cupsd_user="$USER"
logdo export device_uri="$DEVICE_URI"


# do the main work here:
logdo cat "${jobinput}" > "${printfile}"


# pass an error message downstream so that it gets logged into the
# CUPS error_log file; the non-zero exit aborts the job before it
# reaches the printer backend
echo "ERROR: I received an application/octet-stream and saved " 1>&2
echo "ERROR: it to $printfile " 1>&2
exit 1

------ snip ------------------

Cheers,
Kurt
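Added example, not part of Kurt's post and not CUPS project code: a quarantine filter written to the same filter contract as the scripts above (job-id user title copies options [file], with the job on stdin when the file argument is absent). It saves the job under an unpredictable name with mktemp instead of a fixed /tmp path, writes a sidecar with the job metadata, a SHA-256 digest and the first bytes of the data, and then fails the job so nothing reaches the printer. The QUARANTINE_DIR variable and its /var/spool/cups-quarantine default, the sha256_of and catch_job names, and the mime.convs line in the header comment are my assumptions, not from the post; the "MZ" sample mentioned in the comments is constructed.

```sh
#!/bin/sh
# octetstream-quarantine: added example, not code from the original post.
# cupsd calls a filter as:  job-id user title copies options [file]
# and pipes the job on stdin when no file argument is given.
#
# Wiring it in (assumed CUPS layout, not from the post):
#   - install as /usr/lib/cups/filter/octetstream-quarantine, mode 0755, owner root
#   - enable the "application/octet-stream" line in mime.types
#   - route the type through this filter in mime.convs, e.g.
#       application/octet-stream  application/vnd.cups-raw  0  octetstream-quarantine

# SHA-256 of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# catch_job <job-id> <user> <title> <copies> <options> [file]
# Copies the job data into a fresh, unpredictable file below $QUARANTINE_DIR
# (assumed variable; default /var/spool/cups-quarantine, which must be
# writable by the user cupsd runs filters as), writes <file>.meta next to it
# and prints the capture path. Returns non-zero if anything failed.
catch_job() {
    [ $# -ge 5 ] && [ $# -le 6 ] || {
        echo "ERROR: expected 5 or 6 arguments, got $#" >&2; return 2; }
    job_id=$1; job_user=$2; job_title=$3; copies=$4; options=$5
    input=${6:--}                    # "-" makes cat read stdin
    qdir=${QUARANTINE_DIR:-/var/spool/cups-quarantine}
    umask 077                        # captured malware must not be world-readable
    mkdir -p "$qdir" || return 1
    capture=$(mktemp "$qdir/job-${job_id}.XXXXXX") || return 1
    cat "$input" > "$capture" || return 1
    size=$(wc -c < "$capture" | tr -d ' ')
    digest=$(sha256_of "$capture")
    # first four bytes as hex, e.g. 4d5a9000 for a Windows "MZ" executable
    magic=$(od -An -tx1 -N4 "$capture" | tr -d ' \n')
    {
        echo "job_id=$job_id"; echo "user=$job_user"; echo "title=$job_title"
        echo "copies=$copies"; echo "options=$options"
        echo "printer=${PRINTER:-unknown}"; echo "device_uri=${DEVICE_URI:-unknown}"
        echo "size=$size"; echo "sha256=$digest"; echo "first_bytes=$magic"
        echo "captured_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$capture.meta" || return 1
    echo "$capture"
}

# Entry point when cupsd runs this script as a filter (with no arguments,
# e.g. when sourced for testing, the functions are only defined).
if [ $# -ge 5 ]; then
    if path=$(catch_job "$@"); then
        echo "ERROR: application/octet-stream job $1 quarantined in $path" >&2
    else
        echo "ERROR: could not quarantine application/octet-stream job $1" >&2
    fi
    exit 1    # fail the job so nothing reaches the printer
fi
```

To try it by hand before touching mime.convs, run it with five arguments and some file on stdin (QUARANTINE_DIR=/tmp/q sh octetstream-quarantine 1 me test 1 "" < some.bin) and look at the .meta file; the sha256 line is what you hand to the scanner or compare against later captures.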
