Skip to content
Snippets Groups Projects
Commit 1de52a65 authored by Michal Kostenec's avatar Michal Kostenec
Browse files

Oprava chybneho merge s receive-apache2

parent 66a22e77
No related branches found
No related tags found
No related merge requests found
......@@ -27,7 +27,7 @@ our $VERSION = "2.0";
# READING OF CONFIGURATION VARIABLES
################################################################################
my $conf_file = "/opt/warden-server-2/etc/warden-server.conf";
my $conf_file = "/opt/warden-server/etc/warden-server.conf";
our $FACILITY = undef;
our $DB_NAME = undef;
our $DB_USER = undef;
......@@ -121,6 +121,64 @@ sub getAltNames
}
#-------------------------------------------------------------------------------
# authorizeClient - authorize client by CN,AN and source IP range
#-------------------------------------------------------------------------------
sub authorizeClient
{
my ($alt_names, $ip, $service_type, $client_type, $function_name) = @_;
my $sth;
# obtain cidr based on rigth common name and alternate names, service and client_type
if($function_name eq 'saveNewEvent') {
$sth = $DBH->prepare( "SELECT hostname, ip_net_client, receive_own_events
FROM clients WHERE hostname IN ($alt_names) AND service = ? AND client_type = ?
ORDER BY SUBSTRING_INDEX(ip_net_client,'/', -1) DESC;");
}
elsif($function_name eq 'getNewEvents') {
$sth = $DBH->prepare( "SELECT hostname, ip_net_client, receive_own_events
FROM clients WHERE hostname IN ($alt_names) AND type = ? AND client_type = ?
ORDER BY SUBSTRING_INDEX(ip_net_client,'/', -1) DESC;");
}
if (!defined $sth) { die("Cannot prepare authorization statement in $function_name: $DBI::errstr\n")}
$sth->execute($service_type, $client_type);
my ($an, $cidr, $receive_own, $cidr_list);
my $correct_ip_source = 0;
my %ret;
while(($an, $cidr, $receive_own) = $sth->fetchrow()) {
my $cidr_list = Net::CIDR::Lite-> new -> add($cidr);
$ret{'dns'} = $an;
$ret{'cidr'} = $cidr;
$ret{'receive_own'} = $receive_own;
if ($cidr_list->bin_find($ip)) {
$correct_ip_source = 1;
last;
}
};
# check if client is registered
if ($sth->rows == 0) {
write2log ("err", "Unauthorized access to $function_name from: $ip (CN(AN): $alt_names) - client is not registered");
die("Access denied - client is not registered at warden server!");
return undef;
}
# check if client has IP from registered CIDR
if (!$correct_ip_source) {
write2log ("err", "Unauthorized access to $function_name from: $ip (CN(AN): $alt_names) - access from bad subnet: " . $ret{'cidr'});
die("Access denied - access from unauthorized subnet!");
return undef;
}
return %ret;
}
################################################################################
# SOAP Functions
......@@ -158,31 +216,15 @@ sub saveNewEvent
my $timeout = $data->{'TIMEOUT'};
# obtain cidr based on rigth common name and alternate names, service and client_type
$sth = $DBH->prepare("SELECT hostname, ip_net_client FROM clients WHERE hostname IN ($alt_names) AND service = ? AND client_type = ? LIMIT 1;");
if (!defined $sth) {die("Cannot prepare authorization statement in saveNewEvent: $DBI::errstr\n")}
$sth->execute($service, $client_type);
my ($an, $cidr) = $sth->fetchrow();
# check if client is registered
if (!defined $cidr) {
write2log ("err", "Unauthorized access to saveNewEvent from: $ip (CN: $cn; AN: $an) - client is not registered");
die("Access denied - client is not registered at warden server!");
} else {
$cidr_list = Net::CIDR::Lite
-> new
-> add($cidr);
}
# check if client has IP from registered CIDR
if (!$cidr_list->bin_find($ip)) {
write2log ("err", "Unauthorized access to saveNewEvent from: $ip (CN: $cn; AN: $an) - access from bad subnet: $cidr");
die("Access denied - access from unauthorized subnet!");
} else {
my %client = authorizeClient($alt_names, $ip, $service, $client_type, 'saveNewEvent');
if(defined %client) {
# insert new events into DB
$sth=$DBH->prepare("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);");
if (!defined $sth) { die("Cannot do insert statement in saveNewEvent: $DBI::errstr\n") }
$sth->execute(undef, $cn, $service, $detected, $received, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout, $valid);
$sth->execute(undef, $client{'dns'}, $service, $detected, $received, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout, $valid);
return 1;
}
} # END of saveNewEvent
......@@ -208,29 +250,10 @@ sub getNewEvents
my $last_id = $data->{'LAST_ID'};
# obtain cidr based on rigth common name, service and client_type
$sth = $DBH->prepare("SELECT hostname, receive_own_events, ip_net_client FROM clients WHERE hostname IN ($alt_names) AND type = ? AND client_type = ? LIMIT 1;");
if (!defined $sth) {die("Cannot prepare authorization statement in getNewEvents: $DBI::errstr\n")}
$sth->execute($requested_type, $client_type);
my ($an, $receive_own_events, $cidr) = $sth->fetchrow();
# check if client is registered
if (!defined $cidr) {
write2log ("err", "Unauthorized access to getNewEvents from: $ip (CN: $cn; AN: $an) - client is not registered");
die("Access denied - client is not registered at warden server!");
} else {
$cidr_list = Net::CIDR::Lite
-> new
-> add($cidr);
}
# check if client has IP from registered CIDR
if (!$cidr_list->bin_find($ip)) {
write2log ("err", "Unauthorized access to getNewEvents from: $ip (CN: $cn; AN: $an) - access from bad subnet: $cidr");
die("Access denied - access from unathorized subnet!");
} else {
my %client = authorizeClient($alt_names, $ip, $requested_type, $client_type, 'getNewEvents');
if(defined %client) {
# check if client want your own events or not
if ($receive_own_events eq 't') {
if ($client{'receive_own'} eq 't') {
$sth = $DBH->prepare("SELECT * FROM events WHERE type != 'test' AND id > ? AND type = ? AND valid = 't' ORDER BY id ASC;");
if (!defined $sth) {die("Cannot prepare ROE statement in getNewEvents: $DBI::errstr\n")}
$sth->execute($last_id, $requested_type);
......@@ -281,9 +304,9 @@ sub getNewEvents
# log sent ID of events
if (scalar @events != 0) {
if (scalar @ids == 1) {
write2log("info", "Sent 1 events [#$ids[0]] to $ip (CN: $cn; AN: $an)");
write2log("info", "Sent 1 events [#$ids[0]] to $ip (CN(AN): $alt_names)");
} else {
write2log("info", "Sent " . scalar @ids . " events [#$ids[0] - #$ids[-1]] to $ip (CN: $cn; AN: $an)");
write2log("info", "Sent " . scalar @ids . " events [#$ids[0] - #$ids[-1]] to $ip (CN(AN): $alt_names)");
}
}
return @events;
......@@ -358,9 +381,9 @@ sub registerSender
} # END of registerSender
#-----------------------------------------------------------------------------
# registerReceiver - register new receiver
#-----------------------------------------------------------------------------
##-----------------------------------------------------------------------------
## registerReceiver - register new receiver
##-----------------------------------------------------------------------------
sub registerReceiver
{
my ($class, $data) = @_;
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment