Skip to content
Snippets Groups Projects
Commit 67dee796 authored by Jakub Cegan's avatar Jakub Cegan
Browse files

Opraveny nazvy polozek ve WardenWatchdog.conf a opraven mix tabu a mezer v Common.

parent f7127539
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
src/warden-server/etc/warden-watchdog.conf
+ 16
21
View file @ 67dee796
......@@ -6,29 +6,24 @@
# Use of this source is governed by a BSD-style license, see LICENSE file.
#-------------------------------------------------------------------------------
# domain_name - server full domain name
# DOMAIN_NAME - server full domain name
#-------------------------------------------------------------------------------
$domain_name = "warden-dev.cesnet.cz";
$DOMAIN_NAME = "warden-dev.cesnet.cz";
#-------------------------------------------------------------------------------
# contact - contact to server administrator
# EMAIL_SUBJECT - subject of an report for Warden watchdog script
#-------------------------------------------------------------------------------
$contact = "jakubcegan@cesnet.cz, ph@cesnet.cz";
$EMAIL_SUBJECT = "Database check of a Warden server ($DOMAIN_NAME)";
#-------------------------------------------------------------------------------
# email_subject - ...
# EMAIL_SERVER_CONF - path and params of an email server for reports sending
#-------------------------------------------------------------------------------
$email_subject = "Database check of a Warden server ($domain_name)";
$EMAIL_SERVER_CONF = '|/usr/sbin/sendmail -oi -t';
#-------------------------------------------------------------------------------
# email_server_conf - path and params of an email server for reports sending
# SQL_PRECONDITION - array of procedures which are executed "before" main action
#-------------------------------------------------------------------------------
$email_server_conf = '|/usr/sbin/sendmail -oi -t';
#-------------------------------------------------------------------------------
# sql_precondition - array of procedures which are executed "before" main action
#-------------------------------------------------------------------------------
@sql_precondition = ('DROP FUNCTION IF EXISTS iptest;', 'CREATE FUNCTION iptest(ip VARCHAR(15)) RETURNS TINYINT(1) DETERMINISTIC
@SQL_PRECONDITION = ('DROP FUNCTION IF EXISTS iptest;', 'CREATE FUNCTION iptest(ip VARCHAR(15)) RETURNS TINYINT(1) DETERMINISTIC
BEGIN
SET @nip = INET_ATON(ip);
IF(
......@@ -55,7 +50,7 @@ BEGIN
END;');
#-------------------------------------------------------------------------------
# sql_queries - array of hashes of actions for the WardenWatchdog script.
# SQL_QUERIES - array of hashes of actions for the WardenWatchdog script.
# Each action has three followin parts:
# query => sql query of an action (check) on Warden database
# text => body of an email which is send to a admin of an client
......@@ -63,13 +58,13 @@ END;');
# contact => contact for message, which overrides contact collumn
# in a database table.
#-------------------------------------------------------------------------------
@sql_queries = (
{query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => "$contact"},
{query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => "$contact"},
{query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => "$contact"},
{query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => "$contact"});
@SQL_QUERIES = (
{query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "These clients do not report any events for a long time. It is possible, that they are misconfigured or not running.", contact => "jakubcegan@cesnet.cz, ph@cesnet.cz"},
{query => "SELECT clients.* FROM clients JOIN events ON clients.service=events.service WHERE events.detected > '$date' AND NOT FIND_IN_SET(events.type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND events.valid = 't' GROUP BY requestor;", text => "Following client(s) report unsupported or obsolete type of event to a Warden server.", contact => "jakubcegan@cesnet.cz, ph@cesnet.cz"},
{query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Following client(s) report events to a Warden server with a timestamp from future. Server timestamp (received) has to be always greater or equal to a timestam of detection.", contact => "jakubcegan@cesnet.cz, ph@cesnet.cz"},
{query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Following client(s) report events to a Warden server with a private or invalid IPv4 address.", contact => "jakubcegan@cesnet.cz, ph@cesnet.cz"});
#-------------------------------------------------------------------------------
# sql_postcondition - array of procedures which are executed "after" main action
# SQL_POSTCONDITION - array of procedures which are executed "after" main action
#-------------------------------------------------------------------------------
@sql_postcondition = ('DROP FUNCTION IF EXISTS iptest;');
@SQL_POSTCONDITION = ('DROP FUNCTION IF EXISTS iptest;');
src/warden-server/lib/WardenCommon.pm
+ 12
12
View file @ 67dee796
......@@ -83,20 +83,20 @@ sub sendMsg
#-------------------------------------------------------------------------------
# loadConf - load configuration file
#-------------------------------------------------------------------------------
sub loadConf
sub loadConf
{
my $conf_file = shift;
my $conf_file = shift;
our $BASEDIR = undef;
our $SYSLOG = undef;
our $SYSLOG_VERBOSE = undef;
our $SYSLOG_FACILITY = undef;
our $BASEDIR = undef;
our $SYSLOG = undef;
our $SYSLOG_VERBOSE = undef;
our $SYSLOG_FACILITY = undef;
our $DB_NAME = undef;
our $DB_USER = undef;
our $DB_PASS = undef;
our $DB_HOST = undef;
our $MAX_EVENTS_LIMIT = 1000000;
our %VALID_STRINGS = ();
our $MAX_EVENTS_LIMIT = 1000000;
our %VALID_STRINGS = ();
unless (do $conf_file) {
die("Errors in config file '$conf_file': $@") if $@;
die("Can't read config file '$conf_file': $!") unless defined $_;
......@@ -110,10 +110,10 @@ sub loadConf
#-------------------------------------------------------------------------------
sub connectDB
{
my $db_name = shift;
my $db_host = shift;
my $db_user = shift;
my $db_pass = shift;
my $db_name = shift;
my $db_host = shift;
my $db_user = shift;
my $db_pass = shift;
my $dbh = DBI->connect("DBI:mysql:database=$db_name;host=$db_host",$db_user, $db_pass, {RaiseError => 1, mysql_auto_reconnect => 1}) || die "Could not connect to database '$db_name' at '$db_host': $DBI::errstr";
return $dbh;
......
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment