Saving content of print jobs to a file
pipitas
k1pfeifle at gmx.net
Mon Dec 27 18:09:32 PST 2004
pipitas wrote:
> Matt wrote:
>
>> Hi. I've been receiving a windows executable through my CUPS printing
>> system (even with printer sharing disabled). The printer would not print
>> immediately because it appears that someone or some program was trying to
>> send a raw executable to my system. I've fixed the problem by putting up
>> a firewall, but am interested in setting up a honeypot; thus allowing the
>> person/software to send the file as a print job and saving the print
>> job's entire content to a file, then sending that file to an anti-virus
>> scanner to see what it is. How do I save print job's contents (whole
>> contents) to a file, where the file would be on queue for printing but is
>> still waiting for me to turn my printer on. Do I have to set up a RAW
>> printer >> file? or can I simply save the data as sent to my currently
>> installed actual printer?
>>
>> Thanks for your help. I'm really wanting to capture this to a file for
>> examination. Thanks.
>
>
> I am not sure I understand your setup. Is it so that you have the
> lines referring to "application/octet-stream" enabled in your
> mime.{types,convs} files?
>
> You could do the following:
>
> 1) write a special filter that catches all "application/octet-stream"
> files and saves them to disk (and does anything else you like,
> such as alarm you via email if this incidence occurs).
> 2) enable application/octet-stream printing.
>
> Such a filter, call it "octetstream-catcher", could look, in its
> simplest form, like this:
>
> ------ snip ------------------
> #!/bin/bash
> # octetstream-catcher
> # CUPS calls a filter as: job-id user title copies options [filename];
> # $6 is the spooled job file, so just copy it aside ...
> cat "$6" > /tmp/my-last-catched-octetstream.printjob
> # ... and fail the job so nothing reaches the printer backend
> exit 1
> ------ snip ------------------
Sorry, I forgot some important info, because my CVS-version newsreader
kept crashing... ;-)
How to install octetstream-catcher:
1) copy octetstream-catcher to /usr/lib/cups/filter/ and make it
world-executable (as root):
cp octetstream-catcher /usr/lib/cups/filter/
chmod a+x /usr/lib/cups/filter/octetstream-catcher
2) make sure the line referring to "application/octet-stream" at
the end of /etc/cups/mime.types is enabled (no "#" char at the
beginning).
3) edit /etc/cups/mime.convs and disable the original line:
#application/octet-stream application/vnd.cups-raw 0 -
while putting this new one in:
application/octet-stream application/vnd.cups-raw 0 octetstream-catcher
4) restart cupsd.
Cheers,
Kurt
> Of course, you could make it a bit more sophisticated and log a few
> more facts.
>
> A first shot at such a beast is here:
> ------ snip ------------------
> #!/bin/bash
> # job-id, user, title, copies, options, [filename or stdin]
>
> # this filter logs all attempts to print
> # "application/octet-stream" file types
> # and saves the file to
> # /tmp/octetstream-printfile.<currentdate-and-time>.<PID-of-filter>
>
>
> # comment next line in or out depending on your debugging needs
> set -x
>
>
> # change the "/tmp" path to something more secure. The path must be
> # writeable to the user cupsd runs as:
> LOGFILE=/tmp/octetstreamfilter.log
> printfile=/tmp/octetstream-printfile.$(date +%b%d-%H%M%S).$$
>
>
> # 2 functions that do help with logging
> log() { echo "$@" >> "$LOGFILE"; }
>
> # log the command line, then run it
> logdo() { log "$@"; "$@"; }
>
>
> # Start!
> log " "
> log " # ----------------------------------------------------------------------"
> log " # -- OCTETSTREAMFILTER START: $@"
> log " # -- .... now is $(date)"
> log " # ----------------------------------------------------------------------"
> log " "
> log " printfile=$printfile"
>
>
> # first prepare a few things for debugging, and log everything:
> logdo export LOGFILE=/tmp/octetstreamfilter.log
>
>
> # now test if the filter is called with the correct number of arguments,
> # and log everything
> case $# in
> 0) logdo echo "ERROR: $(basename $0) job-id user title copies \"options\" [jobfile]"
> logdo exit 0
> ;;
> 1|2|3|4) logdo echo "ERROR: wrong number of arguments -- should be 5 or 6."
> logdo exit 1
> ;;
> 5) logdo export input="-"
> ;;
> 6) logdo export input="$6"
> ;;
> *) logdo echo "ERROR: too many arguments ($#) for my little brain -- should be 5 or 6."
> logdo echo "ERROR: arguments were $@"
> logdo exit 1
> # alternatively, we could also just ignore all arguments beyond $6
> # and continue...
> ;;
> esac
>
>
> # log a few more things:
> logdo export filtername="${0}"
> logdo export job_id="${1}"
> logdo export user="${2}"
> logdo export title="${3}"
> logdo export copies="${4}"
> logdo export options="\"${5}\""
> logdo export file="${6}"
> logdo export printer="$PRINTER"
> logdo export ppd="$PPD"
> # keep the environment's USER separate so it does not clobber $user (argument 2)
> logdo export env_user="$USER"
> logdo export device_uri="$DEVICE_URI"
>
>
> # find job input source (mainly to be able to test the filter
> # from the commandline, standalone):
> if [ x"$file" = x ]; then
> logdo export jobinput="-"
> else
> logdo export jobinput="$file"
> fi
>
>
> # do the main work here:
> logdo cat "${jobinput}" > "${printfile}"
>
>
> # pass an error message downstream so that it gets logged into the
> # CUPS error_log file, and that printer backend has something to
> # process
> echo "ERROR: I received an application/octet-stream and saved " 1>&2
> echo "ERROR: it to $printfile " 1>&2
> exit 1
>
> ------ snip ------------------
>
> Cheers,
> Kurt
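A hardened variant of the catcher filter, added here as an example that is not Kurt's code and not part of the original thread. It follows the same CUPS calling convention (job-id user title copies options [filename]) and the same install steps, but quarantines each job under its own mktemp name with a restrictive umask, records a SHA-256 of the captured bytes next to the job metadata, and fails the job so nothing reaches the backend. The names catch_octetstream, sha256_of, QUARANTINE_DIR and CATCH_LOG are assumptions of this example.

```shell
#!/bin/bash
# Hardened octet-stream catcher (added example; QUARANTINE_DIR, CATCH_LOG,
# catch_octetstream and sha256_of are names assumed by this example).
# Called by CUPS as: job-id user title copies options [filename]
QUARANTINE_DIR="${QUARANTINE_DIR:-/var/spool/cups-quarantine}"
CATCH_LOG="${CATCH_LOG:-$QUARANTINE_DIR/catch.log}"

sha256_of() {
    # Portable digest: GNU coreutils sha256sum, or BSD shasum as fallback.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

catch_octetstream() {
    # 5 arguments = job arrives on stdin, 6 = job is in a spool file.
    if [ "$#" -lt 5 ] || [ "$#" -gt 6 ]; then
        echo "ERROR: expected 5 or 6 arguments, got $#" >&2
        return 1
    fi
    local job_id="$1" user="$2" title="$3" copies="$4"
    local input="${6:--}"      # "-" makes cat read stdin

    umask 077                  # captured payload readable only by the cups user
    mkdir -p "$QUARANTINE_DIR" || return 1
    local dest
    dest="$(mktemp "$QUARANTINE_DIR/job-${job_id}.XXXXXX")" || return 1

    # Copy the raw job bytes exactly as received; never interpret or run them.
    cat -- "$input" > "$dest" || return 1
    local digest size
    digest="$(sha256_of "$dest")"
    size="$(wc -c < "$dest" | tr -d ' ')"

    # One log line per caught job: who sent what, how big, and its digest.
    printf '%s job=%s user=%s printer=%s copies=%s title="%s" size=%s sha256=%s file=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$job_id" "$user" "${PRINTER:-unknown}" \
        "$copies" "$title" "$size" "$digest" "$dest" >> "$CATCH_LOG"

    # Fail the job: the message lands in the CUPS error_log and the backend
    # never sees the payload.
    echo "ERROR: quarantined application/octet-stream job $job_id as $dest (sha256 $digest)" >&2
    return 1
}
```

Installed in place of octetstream-catcher, the mime.convs line from the install steps above stays the same apart from the filter name; the log line gives you the digest to hand to a scanner without moving the quarantined file around.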