pridana podpora pro validaci typu prichozich udalosti + doplnen install.sh

ac58da12 · Tomáš Plesník · cca30802 · ac58da12 · ac58da12 · ac58da12
Commit ac58da12 authored 12 years ago by Tomáš Plesník
--- a/src/warden-server/etc/warden-server.conf
+++ b/src/warden-server/etc/warden-server.conf
@@ -34,6 +34,13 @@ $DB_HOST = "localhost";

 #-------------------------------------------------------------------------------
 # MAX_EVENT_LIMIT - maximum number of events that can be downloaded from
-#                   Warden server in a single getNewEvents client function call
+# 		    Warden server in a single getNewEvents client function call
 #-------------------------------------------------------------------------------
 $MAX_EVENT_LIMIT = "1000000";
+
+#-------------------------------------------------------------------------------
+# VALID_STRINGS - validation hash containing allowed event attributes
+#-------------------------------------------------------------------------------
+%VALID_STRINGS = (
+"type" => ["portscan", "bruteforce", "spam", "phishing", "botnet_c_c", "dos", "malware", "copyright", "webattack", "test", "other", "_any_"],
+);
--- a/src/warden-server/lib/Warden.pm
+++ b/src/warden-server/lib/Warden.pm
@@ -19,6 +19,7 @@ use Net::CIDR::Lite;
 use DateTime;
 use MIME::Base64;
 use Crypt::X509;
+use List::Util 'first';

 our $VERSION = "2.1";

@@ -33,7 +34,8 @@ our $DB_NAME	= undef;
 our $DB_USER	= undef;
 our $DB_PASS	= undef;
 our $DB_HOST	= undef;
-our $MAX_EVENT_LIMIT = undef;
+our $MAX_EVENT_LIMIT	= undef;
+our %VALID_STRINGS	= undef;

 # read config file
 if (!open( TMP, $conf_file)) {
@@ -164,14 +166,14 @@ sub authorizeClient

  # check if client is registered
  if ($sth->rows == 0) {
-    write2log ("err", "Unauthorized access to $function_name from: $ip (CN(AN): $alt_names), used service '$service_type' - client is not registered");
+    write2log ("err", "Unauthorized access to $function_name from: $ip; CN(AN): $alt_names; used service: '$service_type' - client is not registered");
    die("Access denied - client is not registered at warden server!");
    return undef;
  }

  # check if client has IP from registered CIDR
  if (!$correct_ip_source) {
-    write2log ("err", "Unauthorized access to $function_name from: $ip (CN(AN): $alt_names), used service '$service_type' - access from bad subnet: Registered subnet '" . $ret{'cidr'} . "'");
+    write2log ("err", "Unauthorized access to $function_name from: $ip; CN(AN): $alt_names; used service: '$service_type' - access from bad subnet: Registered subnet '" . $ret{'cidr'} . "'");
    die("Access denied - access from unauthorized subnet!");
    return undef;
  }
@@ -198,8 +200,9 @@ sub saveNewEvent
  my $ip	= $ENV{'REMOTE_ADDR'};

  # variables defined by server
-  my $client_type	= "s";			# incoming client MUST be sender
-  my $valid		= "t";			# registered sender has valid events
+  my $function_name	= 'saveNewEvent';
+  my $client_type	= 's';			# incoming client MUST be sender
+  my $valid		= 't';			# registered sender has valid events
  my $received		= DateTime->now;	# time of event delivery (UTC)

  # parse object (event) parameters
@@ -215,13 +218,22 @@ sub saveNewEvent
  my $priority		= $data->{'PRIORITY'};
  my $timeout		= $data->{'TIMEOUT'};

-  my %client = authorizeClient($alt_names, $ip, $service, $client_type, 'saveNewEvent');
+  my %client = authorizeClient($alt_names, $ip, $service, $client_type, $function_name);
  if(defined %client) {
-    # insert new events into DB
-    $sth=$DBH->prepare("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);");
-    if (!defined $sth) { die("Cannot do insert statement in saveNewEvent: $DBI::errstr\n") }
-    $sth->execute(undef, $client{'dns'}, $service, $detected, $received, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout, $valid);
-    return 1;
+
+    # check validity of event attributes - TYPE
+    my $valid_types_ref = $VALID_STRINGS{'type'};
+    my @valid_types = @$valid_types_ref;
+    my $match = first { /$type/ } @valid_types;
+    if ($match) {
+      $sth=$DBH->prepare("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);");
+      if (!defined $sth) { die("Cannot do insert statement in $function_name: $DBI::errstr\n") }
+      $sth->execute(undef, $client{'dns'}, $service, $detected, $received, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout, $valid);
+      return 1;
+    } else {
+      write2log ("err", "Unknown event type - client from: $ip; CN(AN): $alt_names; used type: '$type'");
+      die("Unknown event type - client sent event with unknown type '$type'!");
+    }
  }
 } # END of saveNewEvent

@@ -239,34 +251,36 @@ sub getNewEvents
  my $cn	= $ENV{'SSL_CLIENT_S_DN_CN'};
  my $alt_names	= getAltNames(undef);
  my $ip	= $ENV{'REMOTE_ADDR'};
-  my $client_type = "r";	# incoming client MUST be sender
+
+  my $client_type	= 'r';	# incoming client MUST be sender
+  my $function_name	= 'getNewEvents';

  # parse SOAP data object
  my $requested_type	= $data->{'REQUESTED_TYPE'};
  my $last_id		= $data->{'LAST_ID'};

-  my %client = authorizeClient($alt_names, $ip, $requested_type, $client_type, 'getNewEvents');
+  my %client = authorizeClient($alt_names, $ip, $requested_type, $client_type, $function_name);
  if(defined %client) {
    if ($client{'receive_own'} eq 't') {	# check if client want your own events or not
      if ($requested_type eq '_any_') {		  # check if client want each or only one type of messages
        $sth = $DBH->prepare("SELECT * FROM events WHERE type != 'test' AND id > ? AND valid = 't' ORDER BY id ASC limit $MAX_EVENT_LIMIT;");
-        if (!defined $sth) {die("Cannot prepare ROE-ANY statement in getNewEvents: $DBI::errstr\n")}
+        if (!defined $sth) {die("Cannot prepare ROE-ANY statement in $function_name: $DBI::errstr\n")}
        $sth->execute($last_id);
      } else {
        $sth = $DBH->prepare("SELECT * FROM events WHERE type != 'test' AND id > ? AND type = ? AND valid = 't' ORDER BY id ASC limit $MAX_EVENT_LIMIT;");
-        if (!defined $sth) {die("Cannot prepare ROE statement in getNewEvents: $DBI::errstr\n")}
+        if (!defined $sth) {die("Cannot prepare ROE statement in $function_name: $DBI::errstr\n")}
        $sth->execute($last_id, $requested_type);
      }
    } else {
      if ($requested_type eq '_any_') {
        $sth = $DBH->prepare("SELECT * FROM events WHERE type != 'test' AND id > ? AND valid = 't' AND hostname NOT LIKE ? ORDER BY id ASC limit $MAX_EVENT_LIMIT;");
-        if (!defined $sth) {die("Cannot prepare ANY statement in getNewEvents: $DBI::errstr\n")}
+        if (!defined $sth) {die("Cannot prepare ANY statement in $function_name: $DBI::errstr\n")}
        my ($domain) = $cn =~ /([^\.]+\.[^\.]+)$/;
        $domain = '\%' . $domain;
        $sth->execute($last_id, $domain);
      } else {
        $sth = $DBH->prepare("SELECT * FROM events WHERE type != 'test' AND id > ? AND type = ? AND valid = 't' AND hostname NOT LIKE ? ORDER BY id ASC limit $MAX_EVENT_LIMIT;");
-        if (!defined $sth) {die("Cannot prepare statement in getNewEvents: $DBI::errstr\n")}
+        if (!defined $sth) {die("Cannot prepare statement in $function_name: $DBI::errstr\n")}
        my ($domain) = $cn =~ /([^\.]+\.[^\.]+)$/;
        $domain = '\%' . $domain;
        $sth->execute($last_id, $requested_type, $domain);
@@ -328,9 +342,10 @@ sub getNewEvents
 sub getLastId
 {
  my ($class, $arg) = @_;
+  my $function_name = 'getLastId';

  my $sth = $DBH->prepare("SELECT max(id) FROM events;");
-  if ( !defined $sth ) { die("Cannot prepare statement in getLastId: $DBI::errstr\n") }
+  if ( !defined $sth ) { die("Cannot prepare statement in $function_name: $DBI::errstr\n") }
  $sth->execute;
  my $result = $sth->fetchrow();

@@ -351,8 +366,10 @@ sub registerSender
  my $ip = $ENV{'REMOTE_ADDR'};
  my $local_ip = $ENV{'SERVER_ADDR'};

+  my $function_name = 'registerSender';
+
  if ($local_ip ne $ip) {
-    write2log ("err", "Unauthorized access to registerSender from: $ip ($cn) - access allowed only from localhost");
+    write2log ("err", "Unauthorized access to $function_name from: $ip ($cn) - access allowed only from localhost");
    die("Access denied - access allowed only from localhost!");
  } else {
    # defined variables by method
@@ -370,7 +387,7 @@ sub registerSender

    # check if sender has been already registered
    $sth = $DBH->prepare("SELECT registered FROM clients WHERE hostname = ? AND requestor = ? AND service = ? AND client_type = ? AND type = ? AND receive_own_events = ? AND description_tags = ? AND ip_net_client = ? LIMIT 1;");
-    if (!defined $sth) {die("Cannot prepare check statement in registerSender: $DBI::errstr\n")}
+    if (!defined $sth) {die("Cannot prepare check statement in $function_name: $DBI::errstr\n")}
    $sth->execute($hostname, $requestor, $service, $client_type, $type, $receive_own_events, $description_tags, $ip_net_client);
    my $result = $sth->fetchrow();

@@ -380,7 +397,7 @@ sub registerSender
      die("Error - sender has already been registered at $result");
    } else {
      $sth = $DBH->prepare("INSERT INTO clients VALUES (?,?,?,?,?,?,?,?,?,?);");
-      if (!defined $sth) {die("Cannot do statement in registerSender: $DBI::errstr\n")}
+      if (!defined $sth) {die("Cannot do statement in $function_name: $DBI::errstr\n")}
      $sth->execute(undef, $hostname, $registered, $requestor, $service, $client_type, $type, $receive_own_events, $description_tags, $ip_net_client);
      write2log("info", "New sender $hostname (service: $service, cidr: $ip_net_client) was registered");
      return 1;
@@ -402,8 +419,10 @@ sub registerReceiver
  my $ip = $ENV{'REMOTE_ADDR'};
  my $local_ip = $ENV{'SERVER_ADDR'};

+  my $function_name = 'registerReceiver';
+
  if ($local_ip ne $ip) {
-    write2log ("err", "Unauthorized access to registerReceiver from: $ip ($cn) - access allowed only from localhost");
+    write2log ("err", "Unauthorized access to $function_name from: $ip ($cn) - access allowed only from localhost");
    die("Access denied - access allowed only from localhost!");
  } else {
    # variables defined by method
@@ -421,7 +440,7 @@ sub registerReceiver

    # check if receiver has been already registered
    $sth = $DBH->prepare("SELECT registered FROM clients WHERE hostname = ? AND requestor = ? AND service = ? AND client_type = ? AND type = ? AND receive_own_events = ? AND description_tags = ? AND ip_net_client = ? LIMIT 1;");
-    if (!defined $sth) {die("Cannot prepare check statement in registerReceiver: $DBI::errstr\n")}
+    if (!defined $sth) {die("Cannot prepare check statement in $function_name: $DBI::errstr\n")}
    $sth->execute($hostname, $requestor, $service, $client_type, $type, $receive_own_events, $description_tags, $ip_net_client);
    my $result = $sth->fetchrow();

@@ -431,7 +450,7 @@ sub registerReceiver
      die("Error - receiver has already been registered at $result");
    } else {
      $sth = $DBH->prepare("INSERT INTO clients VALUES (?,?,?,?,?,?,?,?,?,?);");
-      if (!defined($sth)) {die("Cannot do statement in registerReceiver: $DBI::errstr\n")}
+      if (!defined($sth)) {die("Cannot do statement in $function_name: $DBI::errstr\n")}
      $sth->execute(undef, $hostname, $registered, $requestor, $service, $client_type, $type, $receive_own_events, $description_tags, $ip_net_client);
      write2log("info", "New receiver $hostname (type: $type, cidr: $ip_net_client: receive_own_events: $receive_own_events) was registered");
      return 1;
@@ -453,8 +472,10 @@ sub unregisterClient
  my $ip = $ENV{'REMOTE_ADDR'};
  my $local_ip = $ENV{'SERVER_ADDR'};

+  my $function_name = 'unregisterClient';
+
  if ($local_ip ne $ip) {
-    write2log ("err", "Unauthorized access to unregisterClients from: $ip ($cn) - access allowed only from localhost");
+    write2log ("err", "Unauthorized access to $function_name from: $ip ($cn) - access allowed only from localhost");
    die("Access denied - access allowed only from localhost!");
  } else {
    # parse SOAP data oject
@@ -462,7 +483,7 @@ sub unregisterClient

    # check if receiver has been already registered
    $sth = $DBH->prepare("SELECT client_id, hostname, service, client_type FROM clients WHERE client_id = ? LIMIT 1;");
-    if (!defined $sth) {die("Cannot prepare check statement in unregisterClient: $DBI::errstr\n")}
+    if (!defined $sth) {die("Cannot prepare check statement in $function_name: $DBI::errstr\n")}
    $sth->execute($client_id);
    my ($id, $hostname, $service, $client_type) = $sth->fetchrow();

@@ -473,18 +494,18 @@ sub unregisterClient
    } else {
      if ($client_type eq 's') {
        $sth = $DBH->prepare("DELETE FROM clients WHERE client_id = ?;");
-        if (!defined $sth) {die("Cannot do delete statement of sender in unregisterClient: $DBI::errstr\n")}
+        if (!defined $sth) {die("Cannot do delete statement of sender in $function_name: $DBI::errstr\n")}
        $sth->execute($client_id);

        $sth = $DBH->prepare("UPDATE events SET valid = 'f' where hostname = ? AND service = ?;");
-        if (!defined $sth) {die("Cannot do unvalidation statement in unregisterClient: $DBI::errstr\n")}
+        if (!defined $sth) {die("Cannot do unvalidation statement in $function_name: $DBI::errstr\n")}
 	$sth->execute($hostname, $service);

        write2log("info", "Sender $hostname (client_id: $client_id, service: $service) was deleted and its data were invalidated" );
        return 1;
      } else {
        $sth = $DBH->prepare("DELETE FROM clients WHERE client_id = ?;");
-        if (!defined $sth) {die("Cannot do delete statement of receiver in unregisterClient: $DBI::errstr\n")}
+        if (!defined $sth) {die("Cannot do delete statement of receiver in $function_name: $DBI::errstr\n")}
 	$sth->execute($client_id);

        write2log("info", "Receiver $hostname (client_id: $client_id) was deleted" );
@@ -507,14 +528,16 @@ sub getClients
  my $ip = $ENV{'REMOTE_ADDR'};
  my $local_ip = $ENV{'SERVER_ADDR'};

+  my $function_name = 'getClients';
+
  if ($local_ip ne $ip) {
-    write2log ("err", "Unauthorized access to getClients from: $ip ($cn) - access allowed only from localhost");
+    write2log ("err", "Unauthorized access to $function_name from: $ip ($cn) - access allowed only from localhost");
    die("Access denied - access allowed only from localhost!");
  } else {
    my (@clients, $client);
    my ($client_id, $hostname, $registered, $requestor, $service, $client_type, $type, $receive_own_events, $description_tags, $ip_net_client);
    my $sth = $DBH->prepare("SELECT * FROM clients ORDER BY client_id ASC;");
-    if (!defined $sth) { die("Cannot prepare statement in getClients: $DBI::errstr\n") }
+    if (!defined $sth) { die("Cannot prepare statement in $function_name: $DBI::errstr\n") }
    $sth->execute;

    while ( my @result = $sth->fetchrow() ) {
@@ -562,8 +585,10 @@ sub getStatus
  my $ip = $ENV{'REMOTE_ADDR'};
  my $local_ip = $ENV{'SERVER_ADDR'};

+  my $function_name = 'getStatus';
+
  if ($local_ip ne $ip) {
-    write2log ("err", "Unauthorized access to getStatus from: $ip ($cn) - access allowed only from localhost");
+    write2log ("err", "Unauthorized access to $function_name from: $ip ($cn) - access allowed only from localhost");
    die("Access denied - access allowed only from localhost!");
  } else {
    my ($sth, @status);
@@ -585,35 +610,35 @@ sub getStatus

    # sum of records in table events
    $sth = $DBH->prepare("SELECT count(*) FROM events WHERE valid = 't';");
-    if (!defined $sth) { die("Cannot prepare statement in getStatus: $DBI::errstr\n") }
+    if (!defined $sth) { die("Cannot prepare statement in $function_name: $DBI::errstr\n") }
    $sth->execute;
    my $events_sum = $sth->fetchrow();
    if (!defined $events_sum) { $events_sum = "none" }

    # id of last record in table events
    $sth = $DBH->prepare("SELECT max(id) FROM events;");
-    if (!defined $sth) { die("Cannot prepare statement in getStatus: $DBI::errstr\n") }
+    if (!defined $sth) { die("Cannot prepare statement in $function_name: $DBI::errstr\n") }
    $sth->execute;
    my $events_last_id = $sth->fetchrow();
    if (!defined $events_last_id) { $events_last_id = "none" }

    # timestamp of first record in table events
    $sth = $DBH->prepare("SELECT received FROM events WHERE id = (SELECT min(id) FROM events);");
-    if (!defined $sth) { die("Cannot prepare statement in getStatus: $DBI::errstr\n") }
+    if (!defined $sth) { die("Cannot prepare statement in $function_name: $DBI::errstr\n") }
    $sth->execute;
    my $events_first_timestamp = $sth->fetchrow();
    if (!defined $events_first_timestamp) { $events_first_timestamp = "none" }

    # timestamp of last record in table events
    $sth = $DBH->prepare("SELECT received FROM events WHERE id = (SELECT max(id) FROM events);");
-    if (!defined $sth) { die("Cannot prepare statement in getStatus: $DBI::errstr\n") }
+    if (!defined $sth) { die("Cannot prepare statement in $function_name: $DBI::errstr\n") }
    $sth->execute;
    my $events_last_timestamp = $sth->fetchrow();
    if (!defined $events_last_timestamp) { $events_last_timestamp = "none" }

    # sum of records in table clients
    $sth = $DBH->prepare("SELECT count(*) FROM clients;");
-    if (!defined $sth) { die("Cannot prepare statement in getStatus: $DBI::errstr\n") }
+    if (!defined $sth) { die("Cannot prepare statement in $function_name: $DBI::errstr\n") }
    $sth->execute;
    my $clients_sum = $sth->fetchrow();
    if (!defined $clients_sum) { $clients_sum = "none" }
@@ -639,7 +664,7 @@ sub getStatus
    # statistics of senders
    if ($clients_sum != 0) {
      $sth = $DBH->prepare("SELECT client_id, hostname, service FROM clients WHERE client_type = 's' ORDER BY client_id ASC;");
-      if (!defined $sth) {die("Cannot prepare statement in getStatus: $DBI::errstr\n")}
+      if (!defined $sth) {die("Cannot prepare statement in $function_name: $DBI::errstr\n")}
      $sth->execute;
      my ($client_id, $hostname, $service);
      my $client_status;
@@ -647,13 +672,13 @@ sub getStatus
        my $sth2;
        # sum of stored events
        $sth2 = $DBH->prepare("SELECT count(*) FROM events WHERE hostname = ? AND service = ?;");
-        if (!defined $sth2) {die("Cannot prepare statement in getStatus: $DBI::errstr\n")}
+        if (!defined $sth2) {die("Cannot prepare statement in $function_name: $DBI::errstr\n")}
        $sth2->execute($hostname, $service);
        my $count = $sth2->fetchrow();
        if (!defined $count) {$count = "none"}
        # timestamp of last stored event 
        $sth2 = $DBH->prepare("SELECT max(received) FROM events WHERE hostname = ? AND service = ?;");
-        if (!defined $sth2) {die("Cannot prepare statement in getStatus: $DBI::errstr\n")}
+        if (!defined $sth2) {die("Cannot prepare statement in $function_name: $DBI::errstr\n")}
        $sth2->execute($hostname, $service);
        my $timestamp = $sth2->fetchrow();
        if (!defined $timestamp) {$timestamp = "none"}

--- a/src/warden-server/sh/install.sh
+++ b/src/warden-server/sh/install.sh
@@ -227,6 +227,13 @@ make_server_conf()
 #                   Warden server in a single getNewEvents client function call
 #-------------------------------------------------------------------------------
 \$MAX_EVENT_LIMIT = \"1000000\";
+
+#-------------------------------------------------------------------------------
+# VALID_STRINGS - validation hash containing allowed event attributes
+#-------------------------------------------------------------------------------
+%VALID_STRINGS = ( 
+\"type\" => [\"portscan\", \"bruteforce\", \"spam\", \"phishing\", \"botnet_c_c\", \"dos\", \"malware\", \"copyright\", \"webattack\", \"test\", \"other\", \"_any_\"],
+);
 " > $server_conf 2> $err; ret_val=`echo $?`

 	if [ $ret_val -eq 0 ]; then
@@ -281,7 +288,7 @@ create_symlinks()
 #-------------------------------------------------------------------------------

 # list of used Perl modules
-modules=(SOAP::Lite SOAP::Transport::HTTP DBI DBD::mysql Format::Human::Bytes Sys::Syslog File::Basename Net::CIDR::Lite DateTime Getopt::Std Switch IO::Socket::SSL MIME::Base64 Crypt::X509)
+modules=(SOAP::Lite SOAP::Transport::HTTP DBI DBD::mysql Format::Human::Bytes Sys::Syslog File::Basename Net::CIDR::Lite DateTime Getopt::Std Switch IO::Socket::SSL MIME::Base64 Crypt::X509 List::Util)

 # read input
 while getopts "d:k:c:a:Vh" options; do