src/warden-client/bin/sender.pl

-#!/usr/bin/perl -w
-#
-# sender.pl
-#
-# Copyright (C) 2011-2012 Cesnet z.s.p.o
-# Author(s):    Tomas PLESNIK   <plesnik@ics.muni.cz>
-#               Jan SOUKAL      <soukal@ics.muni.cz>
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in
-#    the documentation and/or other materials provided with the
-#    distribution.
-# 3. Neither the name of the Cesnet z.s.p.o nor the names of its
-#    contributors may be used to endorse or promote products derived from
-#    this software without specific prior written permission.
-#
-# This software is provided ``as is'', and any express or implied
-# warranties, including, but not limited to, the implied warranties of
-# merchantability and fitness for a particular purpose are disclaimed.
-# In no event shall the Cesnet z.s.p.o or contributors be liable for
-# any direct, indirect, incidental, special, exemplary, or consequential
-# damages (including, but not limited to, procurement of substitute
-# goods or services; loss of use, data, or profits; or business
-# interruption) however caused and on any theory of liability, whether
-# in contract, strict liability, or tort (including negligence or
-# otherwise) arising in any way out of the use of this software, even
-# if advised of the possibility of such damage.
-#
-
-use Switch;
-use strict;
-use DateTime;
-
-my $warden_path = '/opt/warden-client';
-require $warden_path . '/lib/WardenClientSend.pm';
-
-my $service = "";
-switch (int(rand(2) + 0.5)) {
-  case 0 { $service = 'ScanDetector'; }
-  case 1 { $service = 'PhiGaro'; }
-  case 2 { $service = 'HoneyScan'; }
-  }
-
-my $detected = DateTime->from_epoch(epoch => time());
-
-my $type = "";
-switch (int(rand(9) + 0.5)) {
-  case 0 { $type = 'portscan'; }
-  case 1 { $type = 'bruteforce'; }
-  case 2 { $type = 'spam'; }
-  case 3 { $type = 'phishing'; }
-  case 4 { $type = 'botnet_c_c'; }
-  case 5 { $type = 'dos'; }
-  case 6 { $type = 'malware'; }
-  case 7 { $type = 'copyright'; }
-  case 8 { $type = 'webattack'; }
-  case 9 { $type = 'other'; }
-  }
-  
-my $source_type = "";
-switch (int(rand(2) + 0.5)) {
-  case 0 { $source_type = 'IP'; }
-  case 1 { $source_type = 'url'; }
-  case 2 { $source_type = 'Reply-To:'; }
-  }
-
-my $source = (int(rand(254) + 0.5) + 1) . "." . (int(rand(254) + 0.5) + 1) . "." . (int(rand(254) + 0.5) + 1) . "." . (int(rand(254) + 0.5) + 1);
-
-my $target_proto = "";
-switch (int(rand(1) + 0.5)) {
-  case 0 { $target_proto = 'TCP'; }
-  case 1 { $target_proto = 'UDP'; }
-  }
-
-my $target_port = "";
-switch (int(rand(5) + 0.5)) {
-  case 0 { $target_port = '22'; }
-  case 1 { $target_port = '23'; }
-  case 2 { $target_port = '25'; }
-  case 3 { $target_port = '443'; }
-  case 4 { $target_port = '3389'; }
-  case 5 { $target_port = 'null'; }
-  }
-
-my $attack_scale = (int(rand(100000) + 0.5) + 1000);
-
-my $note = "tohle je takova normalni jednoducha poznamka";
-
-my $priority = "";
-switch (int(rand(1) + 0.5)) {
-  case 0 { $priority = int(rand(255) + 0.5); }
-  case 1 { $priority = 'null'; }
-  }
-  
-my $timeout = "";
-switch (int(rand(1) + 0.5)) {
-  case 0 { $timeout = int(rand(255) + 0.5); }
-  case 1 { $timeout = 'null'; }
-  } 
-
-my @event = (
-  $service, # $service
-  "$detected", # $detected
-  $type, # $type
-  $source_type, # $source_type
-  $source, # $source
-  $target_proto, # $target_proto
-  $target_port, # $target_port
-  $attack_scale, # $attack_scale
-  $note, # $note
-  $priority, # $priority
-  $timeout, # $timeout
-  );
-
-WardenClientSend::saveNewEvent($warden_path, \@event);
-
-#foreach (@event) {
-#  print "$_\n";
-#}

src/warden-client/doc/CHANGELOG

-2012-03-30 v1.2.0 stable version and bugfix release of warden-client-1.1.0
---------------------------------------------------------------------------
-- Fixed SSL certificate/key access privileges security issue
-- Fixed client crash after multiple events download
-- Fixed install.sh crash when warden client installation dictionary doesn't exist
-- Fixed configuration error in permission access to etc directory in update.sh
-- Fixed bug in backup process in update.sh
-- Fixed several small bugs/issues
-
-
-2012-02-06 v1.1.0 stable version and bugfix release of warden-client-1.0.0
---------------------------------------------------------------------------
-- Fixed bug when receiving of events
-- Fixed earlier declaration in same scope of variable $data
-- Fixed errMsg function -> finishing by the die function
-- Added client configuration module WardenClientConf.pm
-- Added error message when warden server is down
-- Added README.cesnet (CESNET Specifics) file
-- Added uninstallation script -> uninstall.sh
-- Added update script -> update.sh
-- Fixed several small bugs/issues
-
-
-2011-11-16 v1.0.0 stable version
---------------------------------
-- Initial package of warden client
-- SSL certificate authentication/authorization supported
-- Automatized installation process

src/warden-client/doc/INSTALL

-Installation process
---------------------
-
-For installation of warden-client package on local machine use install.sh.
-  
-Default destination directory is /opt/warden-client/.
-          
-For more information about install.sh options run install.sh -h.
-
-You must be root for running this script.
-
-
-Uninstallation process
-----------------------
-
-For uninstallation of warden-client package from local machine use uninstall.sh.
-  
-Default uninstallation directory is /opt/warden-client/.
-          
-For more information about uninstall.sh options run uninstall.sh -h.
-
-You must be root for running this script.

src/warden-client/doc/README.cesnet

-+-------------------------------------+
-| README.cesnet - Warden Client 1.2.0 |
-|				      |
-| CESNET Specifics                    |
-+-------------------------------------+
-
-Content
-
- A. Overall Information
- B. Registration
- C. Description tags
- D. Types of events
- E. Configuration
- F. Testing
- G. Authors of this document
-
---------------------------------------------------------------------------------
-A. Overall Information
-
- 1. About CESNET Warden Server
-
-    Warden is a client-based architecture service designed to share detected
-    security events (issues) among CSIRT and CERT teams in a simple and fast way.
-
-    CESNET offers Warden server for security events exchange within its networks.
-
- 2. Version
-
-    1.2.0 (2012-03-30)
-
---------------------------------------------------------------------------------
-B. Registration
-
-    Client attempting to communicate with CESNET Warden server must be
-    registered. Registration is currently provided by Tomas Plesnik at
-    mail address plesnik@ics.muni.cz and following information is needed:
-
-    * For sender client:
-      - hostname of the machine, where client runs,
-      - client type = sender,
-      - name of the detection service (for example 'ScanDetector'),
-      - description tags of sent events (see below)
-      - CIDR from which client will communicate with Warden server.
-
-    * For receiver client:
-      - hostname of the machine, where client runs,
-      - client type = receiver,
-      - type of requested events (for example 'portscan', see below)
-      - receiving of sent events from my organization = yes/no (organizations
-        are separated based on the top-level and second-level domain),
-      - CIDR from which client will communicate with Warden server.
-
-    Clients need to have valid certificate to prove their identity to the
-    Warden server. For CESNET network, 'server' type certificate from Terena
-    Certificate Service (provided by Comodo) is needed. Hostname of the
-    machine must correspond with certificate subject, Alternative Name
-    extension is not supported. Administrator of Warden client must be
-    entitled to obtain this certificate. CESNET TCS request service 
-    interface resides at
-
-      https://tcs.cesnet.cz/
-
---------------------------------------------------------------------------------
-C. Description tags
-
-   Tags are case insensitive alphanumeric strings, designed to allow event
-   receivers to do more general filtering according to event source. Receiver
-   can for example decide to use only events originating at honeypots, or
-   filter out events, generated by human conclusions or correlation engines.
-
-   Sender client specifies its descriptive tags during registration, it is
-   up to client administrator's judgment to select or omit any particular tag.
-   Currently tags fall into four general categories - based on event medium,
-   data source, detection methodology and detector or analyzer product name.
-   Product name tag is free to choose if same product name was not yet
-   accepted by registrar, otherwise existing form must be used (registrar will
-   notify about such cases).
-   Categories list is certainly not complete. Therefore if new client's
-   administrator feels that name or type of important feature of his (or
-   others) detector is not covered, providers of Warden server are glad to
-   discuss it at registration address or at Warden project mailing list 
-   (warden@cesnet.cz).
-   However, it may or may not be accepted, as aim is to keep the list of
-   categories possibly unambiguous, short and usable.
-
-   Following is grouped list of tags together with closer description and
-   examples.
-
- 1. Detection medium
-
-    * Network - network data based (Snort, Suricata, Bro, FTAS, LaBrea, Kippo)
-    * Host - host based (Swatch, Logcheck)
-    * Correlation - corellation engines (Prelude, OSSIM)
-    * External - credible external sources (incident reporting, ticket
-                 systems, human verified events)
-
- 2. Data source
-
-    * Content - datagram content based detectors (Snort, Bro)
-    * Flow - netflow based (FTAS, FlowMon)
-    * Connection - connection data (portscan, portsweep)
-    * Data - application data based (SpamAssassin, antiviruses)
-    * Log - based on system logs, where more specific source is not
-            applicable (Swatch, Logcheck, SSH scans)
-    * IR - incident reporting, ticket systems, human verified events
-
- 3. Detection methodology
-
-    * Honeypot (LaBrea, Kippo, Dionaea)
-    * Antispam (SpamAssassin, Bogofilter, CRM114, Policyd, greylisting)
-    * Antivirus (ClamAV)
-    * IDS - IDS/IPS, Snort, Suricata, Bro
-
- 4. Detector/analyzer product name examples
-
-    * Snort, FTAS, SpamAssassin, LaBrea, Swatch, Prelude
-
---------------------------------------------------------------------------------
-D. Types of events
-
-   Event types purpose is to allow event receivers to filter and/or categorise
-   particular events according to attack characteristics. Types are loosely
-   chosen as list of common security incidents nowadays observed. List is by no
-   means complete, however it was created based on expected use cases at
-   receiving places. Possibility of a new type is also open to discussion.
-
-   * portscan - TCP/UDP port scanning/sweeping
-   * bruteforce - dictionary/bruteforce attack to services authentication
-   * spam - unsolicited commercial email (except phishing)
-   * phishing - email, trying to scam user to revealing personal information
-     (possibly by some other channel)
-   * botnet_c_c - botnet command & control master machine
-   * dos - (possibly distributed) denial of service attack
-   * malware - virus/malware sample
-   * copyright - copyright infringement
-   * webattack - web application attack
-   * other - the rest, uncategorizable yet
-
-   In case of complex scenarios with structured info more events with
-   particular parts of information can be created.
-
---------------------------------------------------------------------------------
-E. Configuration
-
-    CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.  
-
---------------------------------------------------------------------------------       
-F. Testing
-
-    For testing purposes of sender clients, event type 'test' can be used.
-    These events will end up in server database, but will not be taken
-    further into consideration.
-
---------------------------------------------------------------------------------
-G. Authors of this document
-
-    Pavel Kacha     <ph@cesnet.cz>
-    Jan Soukal      <soukal@ics.muni.cz>
-
-Copyright (C) 2011-2012 Cesnet z.s.p.o

src/warden-client/doc/example-receiver.pl.txt

-#!/usr/bin/perl -w
-#
-# Copyright (C) 2011-2012 Cesnet z.s.p.o
-# Author(s):    Tomas PLESNIK   <plesnik@ics.muni.cz>
-#               Jan SOUKAL      <soukal@ics.muni.cz>
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in
-#    the documentation and/or other materials provided with the
-#    distribution.
-# 3. Neither the name of the Cesnet z.s.p.o nor the names of its
-#    contributors may be used to endorse or promote products derived from
-#    this software without specific prior written permission.
-#
-# This software is provided ``as is'', and any express or implied
-# warranties, including, but not limited to, the implied warranties of
-# merchantability and fitness for a particular purpose are disclaimed.
-# In no event shall the Cesnet z.s.p.o or contributors be liable for
-# any direct, indirect, incidental, special, exemplary, or consequential
-# damages (including, but not limited to, procurement of substitute
-# goods or services; loss of use, data, or profits; or business
-# interruption) however caused and on any theory of liability, whether
-# in contract, strict liability, or tort (including negligence or
-# otherwise) arising in any way out of the use of this software, even
-# if advised of the possibility of such damage.
-#
-
-use strict;
-
-#------------------------------------------------------------------------------
-# Warden 1.2.0. Client, Receiver, Example
-#
-# Simple use of warden-client receiver functionality to download new events
-# from # Warden server. This code illustrates how to integrate warden-client
-# receive functionality into local applications.
-#------------------------------------------------------------------------------
-
-#------------------------------------------------------------------------------
-# This code should developer add into his/her application.
-
-# Path to warden-client directory
-my $warden_path = '/opt/warden-client';
-
-# Inclusion of warden-client receiving functionality
-require $warden_path . '/lib/WardenClientReceive.pm';
-
-# Definition of requested event type. This attributes is also set on server
-# and must not change.
-my $requested_type = "botnet_c_c";
-
-# Download of new evetns from Warden server
-my @new_events = WardenClientReceive::getNewEvents($warden_path, $requested_type);
-
-#------------------------------------------------------------------------------
-# Simple code that prints out new events obtained from Warden server.
-
-print "+------------------------------------------------------------------------------------------------------------------------------------------+\n";
-print "| id | hostname | service | detected | type | source_type | source | target_proto | target_port | attack_scale | note | priority | timeout |\n";
-print "+------------------------------------------------------------------------------------------------------------------------------------------+\n";
-
-foreach (@new_events) {
-  print "| " . join(' | ', @$_) . " |" . "\n";
-}
-print "+------------------------------------------------------------------------------------------------------------------------------------------+";
-print "\n";
-print "Last events in: " . scalar(localtime(time)) . "\n";
-
-exit 0;

src/warden-client/doc/example-sender.pl.txt

-#!/usr/bin/perl -w
-#
-# Copyright (C) 2011-2012 Cesnet z.s.p.o
-# Author(s):    Tomas PLESNIK   <plesnik@ics.muni.cz>
-#               Jan SOUKAL      <soukal@ics.muni.cz>
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
-# are met:
-# 1. Redistributions of source code must retain the above copyright
-#    notice, this list of conditions and the following disclaimer.
-# 2. Redistributions in binary form must reproduce the above copyright
-#    notice, this list of conditions and the following disclaimer in
-#    the documentation and/or other materials provided with the
-#    distribution.
-# 3. Neither the name of the Cesnet z.s.p.o nor the names of its
-#    contributors may be used to endorse or promote products derived from
-#    this software without specific prior written permission.
-#
-# This software is provided ``as is'', and any express or implied
-# warranties, including, but not limited to, the implied warranties of
-# merchantability and fitness for a particular purpose are disclaimed.
-# In no event shall the Cesnet z.s.p.o or contributors be liable for
-# any direct, indirect, incidental, special, exemplary, or consequential
-# damages (including, but not limited to, procurement of substitute
-# goods or services; loss of use, data, or profits; or business
-# interruption) however caused and on any theory of liability, whether
-# in contract, strict liability, or tort (including negligence or
-# otherwise) arising in any way out of the use of this software, even
-# if advised of the possibility of such damage.
-#
-
-use strict;
-use DateTime;
-
-#-------------------------------------------------------------------------------
-# Warden 1.2.0. Client, Sender, Example 
-#
-# Sample script using warden-client sending functionality. This example is not
-# intended to be a standalone script. It only shows how to use warden-client
-# functionality.
-#-------------------------------------------------------------------------------
-
-#-------------------------------------------------------------------------------
-# Preparation of event attributes.
-# This should be handled by detection application.
-
-
-my $local_detected = DateTime->from_epoch(epoch => time());
-
-
-my $service 		= "ScanDetector";
-my $detected 		= "$local_detected";
-my $type 		= "portscan";
-my $source_type 	= "IP";
-my $source 		= "123.123.123.123";
-my $target_proto 	= "TCP";
-my $target_port 	= "22";
-my $attack_scale 	= "1234567890";
-my $note 		= "important note or comment";
-my $priority 		= "null";
-my $timeout 		= "20";
-
-my @event 		= ($service, $detected, $type, $source_type, $source,
-			   $target_proto, $target_port, $attack_scale, $note,
-			   $priority, $timeout );
-
-#-------------------------------------------------------------------------------
-# Use of warden-client sender.
-# This code should developer add to his/her detection application
-# (with corresponding paths appropriately changed).
-
-# Path to warden-client folder
-my $warden_path = '/opt/warden-client';
-
-# Inclusion of warden-client sender module
-require $warden_path . '/lib/WardenClientSend.pm';
-
-# Sending event to Warden server
-WardenClientSend::saveNewEvent($warden_path, \@event);
-
-exit 0;

src/warden-client/etc/package_version

-warden-client-1.3.0

src/warden-client/etc/warden-client.conf

-#
-# warden-client.conf - configuration file for the warden sender/receiver client
-#
-
-#-------------------------------------------------------------------------------
-# URI - URI address of Warden server
-#-------------------------------------------------------------------------------
-$URI = "https://warden-dev.cesnet.cz:443/Warden";
-
-#-------------------------------------------------------------------------------
-# SSL_KEY_FILE - path to client SSL certificate key file
-#-------------------------------------------------------------------------------
-$SSL_KEY_FILE = "/opt/warden-client/etc/barny.ics.muni.cz.key";
-
-#-------------------------------------------------------------------------------
-# SSL_CERT_FILE - path to client SSL certificate file
-#-------------------------------------------------------------------------------
-$SSL_CERT_FILE = "/opt/warden-client/etc/barny.ics.muni.cz.pem";
-
-#-------------------------------------------------------------------------------
-# SSL_CA_FILE - path to CA certificate file
-#-------------------------------------------------------------------------------
-$SSL_CA_FILE = "/etc/ssl/certs/tcs-ca-bundle.pem";
-

src/warden-server/bin/getWebStatus.sh

-#!/bin/bash
-
-DB_NAME=`cat /opt/warden-server/etc/warden-server.conf | grep DB_NAME | sed 's/[";]//g' |awk '{print $3}'`
-DB_USER=`cat /opt/warden-server/etc/warden-server.conf | grep DB_USER | sed 's/[";]//g' |awk '{print $3}'`
-DB_PASS=`cat /opt/warden-server/etc/warden-server.conf | grep DB_PASS | sed 's/[";]//g' |awk '{print $3}'`
-DB_HOST=`cat /opt/warden-server/etc/warden-server.conf | grep DB_HOST | sed 's/[";]//g' |awk '{print $3}'`
-
-echo "DB_NAME: $DB_NAME"
-echo "DB_USER: $DB_USER"
-echo "DB_PASS: $DB_PASS"
-echo "DB_HOST: $DB_HOST"
-echo
-
-echo "DB status:"
-echo "----------"
-echo "SELECT FROM_UNIXTIME( UNIX_TIMESTAMP( received ) - ( UNIX_TIMESTAMP( received ) % ( 60 ) ) ) AS t, COUNT( id ) FROM events GROUP BY t" | mysql -h $DB_HOST --user=$DB_USER $DB_NAME --password='w4rd3n&r00t'
-echo
-echo "apache2ctl status:"
-echo "------------------"
-apache2ctl status
-echo
-echo "uptime:"
-echo "-------"
-uptime
-echo 
-#echo -n klientu: ; netstat -nlpa | grep :443 | grep ESTA | wc -l;
-echo -n FIN:; netstat | grep WAIT2 | wc -l
-