Saving content of print jobs to a file

pipitas k1pfeifle at gmx.net
Mon Dec 27 18:09:32 PST 2004


pipitas wrote:

> Matt wrote:
> 
>> Hi.  I've been receiving a windows executable through my CUPS printing
>> system (even with printer sharing disabled).  The printer would not print
>> immediately because it appears that someone or some program was trying to
>> send a raw executable to my system.  I've fixed the problem by putting up
>> a firewall, but am interested in setting up a honeypot; thus allowing the
>> person/software to send the file as a print job and saving the print
>> job's entire content to a file, then sending that file to an anti-virus
>> scanner to see what it is.  How do I save a print job's contents (whole
>> contents) to a file, where the file would be on queue for printing but is
>> still waiting for me to turn my printer on?  Do I have to set up a RAW
>> printer >> file, or can I simply save the data as sent to my currently
>> installed actual printer?
>> 
>> Thanks for your help.  I'm really wanting to capture this to a file for
>> examination.  Thanks.
> 
> 
> I am not sure I understand your setup. Is it so that you have the
> lines referring to "application/octet-stream" enabled in your
> mime.{types,convs} files?
> 
> You could do the following:
> 
>   1) write a special filter that catches all "application/octet-stream"
>      files and saves them to disk (and does anything else you like,
>      such as alarm you via email if this incident occurs).
>   2) enable application/octet-stream printing.
> 
> Such a filter, call it "octetstream-catcher", could look, in its
> simplest form, like this:
> 
> ------ snip ------------------
> #!/bin/bash
> # octetstream-catcher
> # $6 is the job file; with only 5 arguments the job arrives on stdin ("-")
> cat "${6:--}" > /tmp/my-last-catched-octetstream.printjob
> exit 1
> ------ snip ------------------


Sorry, I forgot some important info, because my CVS-version newsreader
kept crashing...  ;-)

How to install octetstream-catcher:

1) copy octetstream-catcher to /usr/lib/cups/filter/ and make it
   world-executable (as root):
      cp octetstream-catcher /usr/lib/cups/filter/
      chmod a+x /usr/lib/cups/filter/octetstream-catcher

2) make sure the line referring to "application/octet-stream" at
   the end of /etc/cups/mime.types is enabled (no "#" char at the
   beginning).

3) edit /etc/cups/mime.convs and disable the original line:
      #application/octet-stream  application/vnd.cups-raw  0  -
   while putting this new one in:
      application/octet-stream  application/vnd.cups-raw  0  octetstream-catcher

4) restart cupsd.


Cheers,
Kurt

> Of course, you could make it a bit more sophisticated and log a few
> more facts.
> 
> A first shot for such beast is here:
> ------ snip ------------------
> #!/bin/bash
> # job-id, user, title, copies, options, [filename or stdin]
> 
> # this filter logs all attempts to print
> # "application/octet-stream" file types
> # and saves the file to
> # /tmp/octetstream-printfile.<currentdate-and-time>.<PID-of-filter>
> 
> 
> # comment next line in or out depending on your debugging needs
> set -x
> 
> 
> # change the "/tmp" path to something more secure. The path must be
> # writeable to the user cupsd runs as:
> LOGFILE=/tmp/octetstreamfilter.log
> printfile=/tmp/octetstream-printfile.$(date +%b%d-%H%M%S).$$
> 
> 
> # 2 functions that do help with logging
> log() { echo "$@" >> "$LOGFILE"
> }
> 
> logdo() { log "$@"; "$@"
> }
> 
> 
> # Start!
> log " "
> log " #
> ----------------------------------------------------------------------"
> log " # -- OCTETSTREAMFILTER START: $@" log " # -- .... now is $(date)"
> log " #
> ----------------------------------------------------------------------"
> log " " log " printfile=$printfile"
> 
> 
> # first prepare a few things for debugging, and log everything:
> logdo export LOGFILE=/tmp/octetstreamfilter.log
> 
> 
> # now test if the filter is called with the correct number of arguments,
> # and log everything
> case $# in
>   0) logdo echo "ERROR: $(basename $0) job-id user title copies \"options\" [jobfile]"
>      logdo exit 0
>      ;;
>   1|2|3|4) logdo echo "ERROR: wrong number of arguments -- should be 5 or 6."
>      logdo exit 1
>      ;;
>   5) logdo export input="-"
>      ;;
>   6) logdo export input=$6
>      ;;
>   *) logdo echo "ERROR: too many arguments ($#) for my little brain -- should be 5 or 6."
>      logdo echo "ERROR: arguments were $@"
>      logdo exit 1
>      # alternatively, we could also just ignore all arguments beyond $6
>      # and continue...
>      ;;
> esac
> 
> 
> # log a few more things:
> logdo export filtername="${0}"
> logdo export job_id="${1}"
> logdo export user="${2}"
> logdo export title="${3}"
> logdo export copies="${4}"
> logdo export options="\"${5}\""
> logdo export file="${6}"
> logdo export printer="$PRINTER"
> logdo export ppd="$PPD"
> # use a different name here, otherwise the job's user logged above ($2) is overwritten
> logdo export env_user="$USER"
> logdo export device_uri="$DEVICE_URI"
> 
> 
> # find job input source (mainly to be able to test the filter
> # from the commandline, standalone):
> if [ x"$file" = x ]; then
>    logdo export jobinput="-"
> else
>    logdo export jobinput="$file"
> fi
> 
> 
> # do the main work here:
> logdo cat ${jobinput} > ${printfile}
> 
> 
> # pass an error message downstream so that it gets logged into the
> # CUPS error_log file, and that printer backend has something to
> # process
> echo "ERROR: I received an application/octet-stream and saved " 1>&2
> echo "ERROR: it to $printfile " 1>&2
> exit 1
> 
> ------ snip ------------------
> 
> Cheers,
> Kurt
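A hardened variant of the catcher discussed in this thread, added here as an example and not Kurt's script. It keeps the CUPS filter calling convention (job-id user title copies options [file], job on stdin when the file argument is absent), but writes each capture to a unique owner-only file, records the job metadata and SHA-256 in a log, and strips control characters from the title so a crafted job cannot forge log lines. The quarantine directory name and the presence of sha256sum are assumptions.

```shell
#!/bin/bash
# Hardened octet-stream catcher (added example, not from the thread).
# CUPS invokes every filter as:  filter job-id user title copies options [file]
# and feeds the job on stdin when the sixth argument is absent.
# Assumed: CAPTURE_DIR is writable by the user cupsd runs as; sha256sum exists.

CAPTURE_DIR="${CAPTURE_DIR:-/var/spool/octetstream-quarantine}"   # assumed path

# capture_job JOB_ID USER TITLE COPIES OPTIONS [FILE]
# Saves the raw payload to a unique owner-only file, appends one log line with
# the job metadata and SHA-256, and prints the capture path on stdout.
# The body is a subshell so the umask change does not leak to the caller.
capture_job() (
    if [ "$#" -lt 5 ] || [ "$#" -gt 6 ]; then
        echo "ERROR: usage: job-id user title copies options [file]" >&2
        return 1
    fi
    job_id=$1 user=$2 copies=$4 file=${6:--}
    # drop control characters (newlines included) so a crafted job title
    # cannot inject extra lines into the capture log
    title=$(printf '%s' "$3" | tr -cd '[:print:]')
    umask 077                                  # captures readable by the cups user only
    mkdir -p "$CAPTURE_DIR" || return 1
    capture=$(mktemp "$CAPTURE_DIR/job-$job_id-XXXXXX") || return 1
    if [ "$file" = "-" ]; then
        cat > "$capture" || return 1           # 5 arguments: job arrives on stdin
    else
        cat -- "$file" > "$capture" || return 1
    fi
    digest=$( (sha256sum "$capture" 2>/dev/null || shasum -a 256 "$capture") | cut -d' ' -f1)
    bytes=$(wc -c < "$capture" | tr -d ' ')
    printf '%s job=%s user=%s printer=%s title="%s" copies=%s bytes=%s sha256=%s saved=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$job_id" "$user" "${PRINTER:-unknown}" \
        "$title" "$copies" "$bytes" "$digest" "$capture" >> "$CAPTURE_DIR/capture.log"
    printf '%s\n' "$capture"
)

# When invoked by cupsd (at least 5 arguments): quarantine the job, report via
# the ERROR: prefix so it lands in error_log, and exit non-zero so nothing
# reaches the printer backend.
if [ "$#" -ge 5 ]; then
    saved=$(capture_job "$@") || exit 1
    echo "ERROR: application/octet-stream job quarantined as $saved" >&2
    exit 1
fi
```

Install it the same way as octetstream-catcher above (copy to /usr/lib/cups/filter/, mark executable, point the application/octet-stream line in mime.convs at it) and review the files in CAPTURE_DIR with your scanner.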
