Saving content of print jobs to a file
pipitas
k1pfeifle at gmx.net
Mon Dec 27 17:42:42 PST 2004
Matt wrote:
> Hi. I've been receiving a windows executable through my CUPS printing
> system (even with printer sharing disabled). The printer would not print
> immediately because it appears that someone or some program was trying to
> send a raw executable to my system. I've fixed the problem by putting up
> a firewall, but am interested in setting up a honeypot; thus allowing the
> person/software to send the file as a print job and saving the print job's
> entire content to a file, then sending that file to an anti-virus scanner
> to see what it is. How do I save print job's contents (whole contents) to
> a file, where the file would be on queue for printing but is still waiting
> for me to turn my printer on. Do I have to set up a RAW printer >> file?
> or can I simply save the data as sent to my currently installed actual
> printer?
>
> Thanks for your help. I'm really wanting to capture this to a file for
> examination. Thanks.
I am not sure I understand your setup. Is it so that you have the
lines referring to "application/octet-stream" enabled in your
mime.{types,convs} files?
You could do the following:
1) write a special filter that catches all "application/octet-stream"
files and saves them to disk (and does anything else you like,
such as alarm you via email if this incidence occurs).
2) enable application/octet-stream printing.
Such a filter, call it "octetstream-catcher", could look, in its most
simple form, like this:
------ snip ------------------
#!/bin/bash
# octetstream-catcher
# CUPS calls a filter as: job-id user title copies options [filename];
# with only 5 arguments the job body arrives on stdin, so fall back to "-".
cat -- "${6:--}" > /tmp/my-last-catched-octetstream.printjob
# a non-zero exit stops the job here, so nothing reaches the printer backend
exit 1
------ snip ------------------
Of course, you could make it a bit more sophisticated and log a few
more facts.
A first shot for such a beast is here:
------ snip ------------------
#!/bin/bash
# job-id, user, title, copies, options, [filename or stdin]
# this filter logs all attempts to print
# "application/octet-stream" file types
# and saves the file to
# /tmp/octetstream-printfile.<currentdate-and-time>.<PID-of-filter>
# comment next line in or out depending on your debugging needs
set -x
# change the "/tmp" path to something more secure. The path must be
# writeable to the user cupsd runs as:
LOGFILE=/tmp/octetstreamfilter.log
printfile=/tmp/octetstream-printfile.$(date +%b%d-%H%M%S).$$
# 2 functions that do help with logging
log() {
    echo "$@" >> "$LOGFILE"
}
# log the command line, then run it
logdo() {
    log "$@"
    "$@"
}
# Start!
log " "
log " # ----------------------------------------------------------------------"
log " # -- OCTETSTREAMFILTER START: $*"
log " # -- .... now is $(date)"
log " # ----------------------------------------------------------------------"
log " "
log " printfile=$printfile"
# first prepare a few things for debugging, and log everything:
logdo export LOGFILE=/tmp/octetstreamfilter.log
# now test if the filter is called with the correct number of arguments, and
# log everything
case $# in
    0)  logdo echo "ERROR: $(basename "$0") job-id user title copies \"options\" [jobfile]"
        logdo exit 0
        ;;
    1|2|3|4)
        logdo echo "ERROR: wrong number of arguments -- should be 5 or 6."
        logdo exit 1
        ;;
    5)  logdo export input="-"
        ;;
    6)  logdo export input="$6"
        ;;
    *)  logdo echo "ERROR: too many arguments ($#) for my little brain -- should be 5 or 6."
        logdo echo "ERROR: arguments were $*"
        logdo exit 1
        # alternatively, we could also just ignore all arguments beyond $6 and continue...
        ;;
esac
# log a few more things:
logdo export filtername="${0}"
logdo export job_id="${1}"
logdo export user="${2}"
logdo export title="${3}"
logdo export copies="${4}"
logdo export options="\"${5}\""
logdo export file="${6}"
logdo export printer="$PRINTER"
logdo export ppd="$PPD"
# keep the environment's USER apart from the job's user ($2) logged above
logdo export env_user="$USER"
logdo export device_uri="$DEVICE_URI"
# find job input source (mainly to be able to test the filter
# from the commandline, standalone):
if [ x"$file" = x ]; then
    logdo export jobinput="-"
else
    logdo export jobinput="$file"
fi
# do the main work here ("-" makes cat read the job body from stdin):
logdo cat -- "${jobinput}" > "${printfile}"
# pass an error message downstream so that it gets logged into the
# CUPS error_log file, and that printer backend has something to
# process
echo "ERROR: I received an application/octet-stream and saved " 1>&2
echo "ERROR: it to $printfile " 1>&2
exit 1
------ snip ------------------
Cheers,
Kurt
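The following is an added example, not part of Kurt's reply or of CUPS itself. It takes the same approach as the filter above (capture the application/octet-stream job, report on stderr, exit non-zero so the backend never prints it) and adds the pieces a defender wants when building such a quarantine: a dedicated capture directory with restrictive permissions instead of /tmp, a SHA-256 of each captured blob for later comparison with a scanner's verdict, a magic-byte classification (the "MZ" header of a Windows executable versus PostScript), and one structured log line per job. The directory /var/spool/octet-capture, the filter name octetstream-capture and the mime.convs line in the usage note are assumptions for illustration.

```shell
#!/bin/bash
# octetstream-capture: a CUPS filter that quarantines application/octet-stream
# jobs instead of printing them. Added example, not from the original post.
# cupsd invokes it as: job-id user title copies options [jobfile]
# CAPTURE_DIR is an assumed location; it must be writable by the user cupsd
# runs as and by nobody else (e.g. install -d -m 0700 -o lp /var/spool/octet-capture).
CAPTURE_DIR="${CAPTURE_DIR:-/var/spool/octet-capture}"
LOGFILE="${LOGFILE:-$CAPTURE_DIR/capture.log}"

# SHA-256 of a file; works on coreutils, BSD (shasum) and openssl-only hosts.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Classify by the first two bytes: "MZ" is a DOS/PE executable header,
# "%!" is PostScript, anything else is reported as unknown.
magic_of() {
    case "$(head -c 2 "$1" 2>/dev/null)" in
        MZ)   echo "pe-executable" ;;
        '%!') echo "postscript" ;;
        *)    echo "unknown" ;;
    esac
}

# capture_job job-id user title copies options [jobfile]
# Copies the job body into CAPTURE_DIR, appends one log record to LOGFILE,
# prints the saved path on stdout and returns 0 on success.
capture_job() {
    local job_id="$1" user="$2" title="$3" copies="$4" jobfile="${6:--}"
    [ -d "$CAPTURE_DIR" ] || return 2
    umask 077    # captured blobs are readable by the cupsd user only
    local out="$CAPTURE_DIR/job-${job_id}.$(date +%Y%m%d-%H%M%S).$$"
    # "-" makes cat read the body from stdin (the 5-argument form)
    cat -- "$jobfile" > "$out" || return 3
    local size hash kind
    size=$(wc -c < "$out" | tr -d ' ')
    hash=$(hash_file "$out")
    kind=$(magic_of "$out")
    printf '%s job=%s user=%s title=%s copies=%s bytes=%s sha256=%s magic=%s saved=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$job_id" "$user" "$title" "$copies" \
        "$size" "$hash" "$kind" "$out" >> "$LOGFILE"
    echo "$out"
}

# When cupsd runs this script with the usual 5 or 6 arguments: capture the job,
# report on stderr (which cupsd writes to error_log) and exit non-zero so the
# job stops here and nothing is handed to the printer backend.
if [ "$#" -ge 5 ]; then
    if saved=$(capture_job "$@"); then
        echo "ERROR: octetstream-capture quarantined job $1 from user $2 in $saved" 1>&2
    else
        echo "ERROR: octetstream-capture could not save job $1 (CAPTURE_DIR=$CAPTURE_DIR)" 1>&2
    fi
    exit 1
fi
```

Wiring it in is the same two steps Kurt describes: install the script in the CUPS filter directory, executable by the cupsd user, and enable application/octet-stream in mime.types plus a mime.convs rule that routes that type through this filter (assumed form: `application/octet-stream application/vnd.cups-raw 0 octetstream-capture`). Because the filter always exits 1, the queue reports the job as failed rather than printing it, and the capture log gives the job id, user, size and hash to hand to a scanner.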