Skip to content
Snippets Groups Projects
Commit 572037e4 authored by Tomáš Plesník's avatar Tomáš Plesník
Browse files

uprava hlavicky souboru; nastavovani kontaktu u jednotlivych queries pomoci... 

uprava hlavicky souboru; nastavovani kontaktu u jednotlivych queries pomoci nove pridane promenne $contact
parent 99a3a245
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
src/warden-server/etc/warden-watchdog.conf.tmpl.update
+ 13
5
View file @ 572037e4
#
# wardenWatchdog.conf - configuration file for Wachdog script
# warden-watchdog.conf - configuration file for Wachdog script
#
# Copyright (C) 2011-2014 Cesnet z.s.p.o
#
# Use of this source is governed by a BSD-style license, see LICENSE file.
#-------------------------------------------------------------------------------
# domain_name - server full domain name
#-------------------------------------------------------------------------------
$domain_name = "_HOSTNAME_";
#-------------------------------------------------------------------------------
# contact - contact to server administrator
#-------------------------------------------------------------------------------
$contact = "_CONTACT_";
#-------------------------------------------------------------------------------
# email_subject - ...
#-------------------------------------------------------------------------------
......@@ -56,10 +64,10 @@ END;');
# in a database table.
#-------------------------------------------------------------------------------
@sql_queries = (
{query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Uvedeny klient, nebo klienti jiz delsi dobu nereportovali zadne udalosti do Wardenu. Je mozne, ze nefunguji spravne.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
{query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '\$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Uvedeny klient, nebo klienti zasilaji nepodporovany nebo zastaraly typ udalosti na server Warden", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
{query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Uvedeny klient, nebo klienti odesilaji odesilaji udalosti s casem z budoucnosti. Cas prirazeny serverem pri prichodu udalosti (received) musi byt vzdy roven nebo vetsi casu detekce (detected).", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
{query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Uvedeni klient, nebo klienti odesilaji udalosti se zdrojovou adresou, ktera by se nemela objevit v internetu (privatni rozsah), nebo je neplatna (prazdny oktet, oktet je vetsi nez 255, apod.). kvuli omezeni verzi MySQL serveru funguje zatim pouze pro IPv6.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'});
{query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => "$contact"},
{query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => "$contact"},
{query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => "$contact"},
{query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => "$contact"});
#-------------------------------------------------------------------------------
# sql_postcondition - array of procedures which are executed "after" main action
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment