Saving content of print jobs to a file

Matt wsbg at sympatico.ca
Wed Dec 29 16:04:57 PST 2004


Thanks for the info.  I'm quite interested in finding out how the data was sent to my printer even when I had disallowed printer sharing over networks.

pipitas wrote:
> pipitas wrote:
>
> > Matt wrote:
> >
> >> Hi.  I've been receiving a windows executable through my CUPS printing
> >> system (even with printer sharing disabled).  The printer would not print
> >> immediately because it appears that someone or some program was trying to
> >> send a raw executable to my system.  I've fixed the problem by putting up
> >> a firewall, but am interested in setting up a honeypot; thus allowing the
> >> person/software to send the file as a print job and saving the print
> >> job's entire content to a file, then sending that file to an anti-virus
> >> scanner
> >> to see what it is.  How do I save print job's contents (whole contents)
> >> to a file, where the file would be on queue for printing but is still
> >> waiting
> >> for me to turn my printer on.  Do I have to set up a RAW printer >> file?
> >> or can I simply save the data as sent to my currently installed actual
> >> printer?
> >>
> >> Thanks for your help.  I'm really wanting to capture this to a file for
> >> examination.  Thanks.
> >
> >
> > I am not sure I understand your setup. Is it so that you have the
> > lines referring to "application/octet-stream" enabled in your
> > mime.{types,convs} files?
> >
> > You could do the following:
> >
> >   1) write a special filter that catches all "application/octet-stream"
> >      files and saves them to disk (and does anything else you like,
> >      such as alarm you via email if this incidence occurs).
> >   2) enable application/octet-stream printing.
> >
> > Such a filter, call it "octetstream-catcher", could look, in its
> > simplest form, like this:
> >
> > ------ snip ------------------
> > #!/bin/bash
> > # octetstream-catcher
> > # CUPS calls a filter as: job-id user title copies options [file];
> > # with only 5 arguments the job arrives on stdin, so read "-" then.
> > cat "${6:--}" > /tmp/my-last-catched-octetstream.printjob
> > # a non-zero exit stops the job, so nothing reaches the printer
> > exit 1
> > ------ snip ------------------
>
>
> Sorry, I forgot some important info, because my CVS-version newsreader
> kept crashing...  ;-)
>
> How to install octetstream-catcher:
>
> 1) copy octetstream-catcher to /usr/lib/cups/filter/ and make it
>    world-executable (as root):
>       cp octetstream-catcher /usr/lib/cups/filter/
>       chmod a+x /usr/lib/cups/filter/octetstream-catcher
>
> 2) make sure the line referring to "application/octet-stream" at
>    the end of /etc/cups/mime.types is enabled (no "#" char at the
>    beginning).
>
> 3) edit /etc/cups/mime.convs and disable the original line:
>       #application/octet-stream  application/vnd.cups-raw  0  -
>    while putting this new one in:
>       application/octet-stream  application/vnd.cups-raw  0  octetstream-catcher
>
> 4) restart cupsd.
>
>
> Cheers,
> Kurt
>
>
> > Of course, you could make it a bit more sophisticated and log a few
> > more facts.
> >
> > A first shot at such a beast is here:
> > ------ snip ------------------
> > #!/bin/bash
> > # job-id, user, title, copies, options, [filename or stdin]
> >
> > # this filter logs all attempts to print
> > # "application/octet-stream" file types
> > # and saves the file to
> > # /tmp/octetstream-printfile.<currentdate-and-time>.<PID-of-filter>
> >
> >
> > # comment next line in or out depending on your debugging needs
> > # (the trace goes to stderr, i.e. into the CUPS error_log)
> > set -x
> >
> >
> > # change the "/tmp" path to something more secure. The path must be
> > # writeable to the user cupsd runs as:
> > LOGFILE=/tmp/octetstreamfilter.log
> > printfile=/tmp/octetstream-printfile.$(date +%b%d-%H%M%S).$$
> >
> >
> > # 2 functions that do help with logging:
> > # log() appends its arguments to $LOGFILE,
> > # logdo() logs a command line and then runs it
> > log() { echo "$@" >> "$LOGFILE"; }
> >
> > logdo() { log "$@"; "$@"; }
> >
> >
> > # Start!
> > log " "
> > log " # ----------------------------------------------------------------------"
> > log " # -- OCTETSTREAMFILTER START: $*"
> > log " # -- .... now is $(date)"
> > log " # ----------------------------------------------------------------------"
> > log " "
> > log " printfile=$printfile"
> >
> >
> > # first prepare a few things for debugging, and log everything:
> > logdo export LOGFILE="$LOGFILE"
> >
> >
> > # now test if the filter is called with the correct number of arguments,
> > # and log everything
> > case $# in
> >   0) logdo echo "ERROR: $(basename "$0") job-id user title copies \"options\" [jobfile]"
> >      logdo exit 0
> >      ;;
> >   1|2|3|4) logdo echo "ERROR: wrong number of arguments -- should be 5 or 6."
> >      logdo exit 1
> >      ;;
> >   5) logdo export input="-"
> >      ;;
> >   6) logdo export input="$6"
> >      ;;
> >   *) logdo echo "ERROR: too many arguments ($#) for my little brain -- should be 5 or 6."
> >      logdo echo "ERROR: arguments were $*"
> >      logdo exit 1
> >      # alternatively, we could also just ignore all arguments beyond $6
> >      # and continue...
> >      ;;
> > esac
> >
> >
> > # log a few more things (the CUPS environment variables get their own
> > # names so that they do not overwrite the job arguments above):
> > logdo export filtername="${0}"
> > logdo export job_id="${1}"
> > logdo export user="${2}"
> > logdo export title="${3}"
> > logdo export copies="${4}"
> > logdo export options="\"${5}\""
> > logdo export file="${6}"
> > logdo export printer="$PRINTER"
> > logdo export ppd="$PPD"
> > logdo export envuser="$USER"
> > logdo export device_uri="$DEVICE_URI"
> >
> >
> > # find job input source (mainly to be able to test the filter
> > # from the commandline, standalone):
> > if [ x"$file" = x ]; then
> >    logdo export jobinput="-"
> > else
> >    logdo export jobinput="$file"
> > fi
> >
> >
> > # do the main work here ("-" makes cat read the job from stdin):
> > logdo cat "${jobinput}" > "${printfile}"
> >
> >
> > # pass an error message downstream so that it gets logged into the
> > # CUPS error_log file, and that printer backend has something to
> > # process
> > echo "ERROR: I received an application/octet-stream and saved " 1>&2
> > echo "ERROR: it to $printfile " 1>&2
> > exit 1
> >
> > ------ snip ------------------
> >
> > Cheers,
> > Kurt
>
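A hardened variant of the catcher, added here as an example; it is not Kurt's filter and not CUPS project code. It keeps the filter contract the thread describes (job-id user title copies options [file], stdin when there are only five arguments, "ERROR:" lines on stderr for the error_log, exit 1 to stop the job) and changes the two things a practitioner would change before using this as a honeypot: the predictable /tmp filename, which any other local user could pre-create or replace with a symlink, becomes a mktemp file inside a 0700 quarantine directory, and every capture gets a .meta record with size, sha256 and a magic-number check for the MZ/ELF headers Matt is expecting. The /var/spool/cups-quarantine path and the function names are assumptions of the example.

```shell
#!/bin/bash
# octetstream-quarantine: an added example, not Kurt's filter and not CUPS
# project code. Same filter contract as described in the thread:
#   job-id user title copies options [file]   (stdin when no file is given)
# Assumption (not from the thread): CAPTURE_DIR is a directory only the user
# cupsd runs filters as can enter; it is created with mode 0700 on first use.
CAPTURE_DIR="${CAPTURE_DIR:-/var/spool/cups-quarantine}"

# Print "pe-exe", "elf" or "unknown" for the file given as $1, judged by its
# first four bytes. This is a magic-number check only, not a virus scan.
classify_payload() {
    magic=$(head -c 4 -- "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4d5a*)    echo "pe-exe" ;;   # "MZ": DOS/Windows executable header
        7f454c46) echo "elf" ;;      # "\x7fELF": Unix executable header
        *)        echo "unknown" ;;
    esac
}

# sha256 of $1; coreutils sha256sum on Linux, shasum on BSD/macOS.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    else
        shasum -a 256 -- "$1" | cut -d' ' -f1
    fi
}

# Copy the job payload into $CAPTURE_DIR and write a .meta record next to
# it. Prints the path of the quarantined copy on stdout; returns 1 on error.
capture_octetstream() {
    job_id="$1"; user="$2"; title="$3"; copies="$4"; options="$5"
    jobfile="${6:--}"                      # "-" makes cat read stdin

    mkdir -p -- "$CAPTURE_DIR" && chmod 0700 -- "$CAPTURE_DIR" || return 1
    # mktemp creates the target with O_EXCL and mode 0600: unlike a fixed
    # /tmp name, another local user cannot pre-create it or plant a symlink.
    out=$(mktemp -- "$CAPTURE_DIR/job-$job_id.XXXXXXXX") || return 1
    cat -- "$jobfile" > "$out" || return 1

    {
        echo "date=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "job_id=$job_id user=$user copies=$copies"
        echo "title=$title"
        echo "options=$options"
        echo "printer=${PRINTER:-} device_uri=${DEVICE_URI:-}"
        echo "size=$(wc -c < "$out" | tr -d ' ') sha256=$(digest "$out")"
        echo "type=$(classify_payload "$out")"
    } > "$out.meta" || return 1

    echo "$out"
}

# Filter entry point: runs only when cupsd (or a manual test) invokes this
# file under its installed name, so the functions can also be sourced alone.
case "$0" in
    */octetstream-quarantine)
        saved=$(capture_octetstream "$@") || { echo "ERROR: could not quarantine octet-stream job" 1>&2; exit 1; }
        # "ERROR:" on stderr lands in the CUPS error_log; exit 1 stops the job.
        echo "ERROR: application/octet-stream job quarantined as $saved (type: $(classify_payload "$saved"))" 1>&2
        exit 1
        ;;
esac
```

Install it exactly like octetstream-catcher (steps 1 to 4 above, with octetstream-quarantine as the last field of the mime.convs line). It can be tried by hand before restarting cupsd: printf 'MZ...' | /usr/lib/cups/filter/octetstream-quarantine 1 matt test 1 '' should exit 1 and leave a job-1.* file plus its .meta under the quarantine directory. The type field is only a four-byte magic check, not a verdict; the quarantined file itself is what goes to the virus scanner.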