  • Pavel.Valach/warden
Showing
with 1773 additions and 2 deletions
BSD License
Copyright © 2011-2013 Cesnet z.s.p.o
Copyright © 2011-2015 Cesnet z.s.p.o
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
+---------------------------------------------+
| Warden Dionaea connector 0.1 for Warden 3.X |
+---------------------------------------------+
Content
A. Introduction
B. Dependencies
C. Usage
D. Configuration
------------------------------------------------------------------------------
A. Introduction
Warden Dionaea connector (executable warden3-dio-sender.py) is a one-shot
script to send events from Dionaea honeypot toward the Warden server.
------------------------------------------------------------------------------
B. Dependencies
1. Platform
Python 2.7+
2. Python packages
warden_client 3.0+
------------------------------------------------------------------------------
C. Usage
warden3-dio-sender.py
This script does not run as a daemon, for regularly run use job scheduler cron.
------------------------------------------------------------------------------
D. Configuration
warden_client-dio.cfg
warden - path to warden-client config, e.g. 'warden/warden_client.cfg'
name - sensor's source id used as a source of events, e.g. 'cz.cesnet.server.dionaea'
secret - secret to authenticate client
- if 'secret' is non empty, is used instead of value in client's configuration
- useful while using more sensors with single client's configuration
anonymised - no | yes | omit
- no (default value)
- yes = anonymize to 'target_net' (see below)
- omit = completely omit target field
target_net - anonymized network used as target if 'anonymized' option is 'yes'
dbfile - path to sqlite database file, e.g. '/opt/dionaea/var/dionaea/logsql.sqlite'
binaries_path - path to stored malware, e.g. '/opt/dionaea/var/dionaea/binaries'
report_binaries - 'true' if malware attachment have to be included in event, otherwise 'false'
con_attempts - number of attempts connection to the database, it may be exclusive locked
con_retry_interval - interval between each attempt (in seconds)
awin - aggregation window (in minutes), e.g. 5 for events in the last 5 minutes
cron
SCRIPT_PATH=/opt/warden_client/
*/5 * * * * root cd $SCRIPT_PATH; python warden3-dio-sender.py > /dev/null 2>&1
Note: Repeat interval must be the same as value of 'awin'.
------------------------------------------------------------------------------
Copyright (C) 2011-2015 Cesnet z.s.p.o
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2011-2015 Cesnet z.s.p.o
# Use of this source is governed by a 3-clause BSD-style license, see LICENSE file.
from warden_client import Client, Error, read_cfg, format_timestamp
import json
import string
import urllib
from time import time, gmtime, strftime, sleep
from math import trunc
from uuid import uuid4
from os import path
import base64
import sqlite3
import sys
DEFAULT_ACONFIG = 'warden_client-dio.cfg'
DEFAULT_WCONFIG = 'warden_client.cfg'
DEFAULT_BINPATH = '/opt/dionaea/var/dionaea/binaries'
DEFAULT_DBFILE = '/opt/dionea/var/dionea/logsql.sqlite'
DEFAULT_NAME = 'org.example.warden.test'
DEFAULT_REPORT_BINARIES = 'false'
DEFAULT_AWIN = 5
DEFAULT_CON_ATTEMPTS = 3
DEFAULT_CON_RETRY_INTERVAL = 5
DEFAULT_ATTACH_NAME = 'att1'
DEFAULT_HASHTYPE = 'md5'
DEFAULT_CONTENT_TYPE = 'application/octet-stream'
DEFAULT_CONTENT_ENCODING = 'base64'
DEFAULT_ANONYMISED = 'no'
DEFAULT_TARGET_NET = '0.0.0.0/0'
DEFAULT_SECRET = ''
def gen_attach_idea(logger, report_binaries, binaries_path, filename, hashtype, hashdigest, vtpermalink, avref):
refs = []
attach = {
"Handle": DEFAULT_ATTACH_NAME,
"FileName": [filename],
"Type": ["Malware"],
"Hash": ["%s:%s" % (hashtype, hashdigest)],
}
if vtpermalink is not None:
refs.append('url:' + vtpermalink)
if avref is not None:
refs.extend(avref.split(';'))
if refs:
refs = [urllib.quote(ref, safe=':') for ref in refs]
refs = list(set(refs))
attach['Ref'] = refs
if report_binaries == 'true':
try:
fpath = path.join(binaries_path, hashdigest)
with open(fpath, "r") as f:
fdata = f.read()
attach['ContentType'] = DEFAULT_CONTENT_TYPE
attach['ContentEncoding'] = DEFAULT_CONTENT_ENCODING
attach['Size'] = len(fdata)
attach['Content'] = base64.b64encode(fdata)
except (IOError) as e:
logger.info("Reading id file \"%s\" with malware failed, information will not be attached." % (fpath))
return attach
def gen_event_idea(logger, binaries_path, report_binaries, client_name, anonymised, target_net, detect_time, win_start_time, win_end_time, aggr_win, data):
category = []
event = {
"Format": "IDEA0",
"ID": str(uuid4()),
"DetectTime": detect_time,
"WinStartTime": win_start_time,
"WinEndTime": win_end_time,
"ConnCount": data['attack_scale'],
"Source": [{}],
"Target": [{}],
"Node": [
{
"Name": client_name,
"Type": ["Connection","Honeypot","Recon"],
"SW": ["Dionaea"],
"AggrWin": strftime("%H:%M:%S", gmtime(aggr_win))
}
]
}
# Determine IP address family
af = "IP4" if not ':' in data['src_ip'] else "IP6"
# Extract & save proto and service name
proto = [data['proto']]
if data['service'] in ['mysql', 'mssql']:
proto.append(data['service'])
elif data['service'] in ['httpd', 'smbd']:
proto.append(data['service'][:-1])
# Choose correct category
if data['service'] != 'pcap':
category.append('Attempt.Exploit')
else:
category.append('Recon.Scanning')
# smbd allows save malware
if data['service'] == 'smbd' and data['download_md5_hash'] is not None:
category.append('Malware')
event['Source'][0]['URL'] = [data['download_url']]
filename = data['download_url'].split('/')[-1]
if filename != '' and data['download_md5_hash'] != '':
# Generate "Attach" part of IDEA
a = gen_attach_idea(logger, report_binaries, binaries_path, filename, DEFAULT_HASHTYPE, data['download_md5_hash'], data['virustotal_permalink'], data['scan_result'])
event['Source'][0]['AttachHand'] = [DEFAULT_ATTACH_NAME]
event['Attach'] = [a]
event['Source'][0][af] = [data['src_ip']]
event['Source'][0]['Port'] = [data['src_port']]
if anonymised != 'omit':
if anonymised == 'yes':
event['Target'][0]['Anonymised'] = True
event['Target'][0][af] = [target_net]
else:
event['Target'][0][af] = [data['dst_ip']]
event['Target'][0]['Port'] = [data['dst_port']]
event['Target'][0]['Proto'] = proto
event['Category'] = category
return event
def main():
aconfig = read_cfg(DEFAULT_ACONFIG)
wconfig = read_cfg(aconfig.get('warden', DEFAULT_WCONFIG))
aname = aconfig.get('name', DEFAULT_NAME)
wconfig['name'] = aname
asecret = aconfig.get('secret', DEFAULT_SECRET)
if asecret:
wconfig['secret'] = asecret
wclient = Client(**wconfig)
awin = aconfig.get('awin', DEFAULT_AWIN) * 60
abinpath = aconfig.get('binaries_path', DEFAULT_BINPATH)
adbfile = aconfig.get('dbfile', DEFAULT_DBFILE)
aconattempts = aconfig.get('con_attempts', DEFAULT_CON_ATTEMPTS)
aretryinterval = aconfig.get('con_retry_interval', DEFAULT_CON_RETRY_INTERVAL)
areportbinaries = aconfig.get('report_binaries', DEFAULT_REPORT_BINARIES)
aanonymised = aconfig.get('anonymised', DEFAULT_ANONYMISED)
if aanonymised not in ['no', 'yes', 'omit']:
wclient.logger.error("Configuration error: anonymised: '%s' - possible typo? use 'no', 'yes' or 'omit'" % aanonymised)
sys.exit(2)
atargetnet = aconfig.get('target_net', DEFAULT_TARGET_NET)
aanonymised = aanonymised if (atargetnet != DEFAULT_TARGET_NET) or (aanonymised == 'omit') else DEFAULT_ANONYMISED
con = sqlite3.connect(adbfile)
con.row_factory = sqlite3.Row
crs = con.cursor()
events = []
query = "SELECT c.connection_timestamp AS timestamp, c.remote_host AS src_ip, c.remote_port AS src_port, c.connection_transport AS proto, \
c.local_host AS dst_ip, c.local_port AS dst_port, COUNT(c.connection) as attack_scale, c.connection_protocol AS service, d.download_url, d.download_md5_hash, \
v.virustotal_permalink, GROUP_CONCAT('urn:' || vt.virustotalscan_scanner || ':' || vt.virustotalscan_result,';') AS scan_result \
FROM connections AS c LEFT JOIN downloads AS d ON c.connection = d.connection \
LEFT JOIN virustotals AS v ON d.download_md5_hash = v.virustotal_md5_hash \
LEFT JOIN virustotalscans vt ON v.virustotal = vt.virustotal \
WHERE datetime(connection_timestamp,'unixepoch') > datetime('now','-%d seconds') AND c.remote_host != '' \
GROUP BY c.remote_host, c.local_port ORDER BY c.connection_timestamp ASC;" % (awin)
attempts = 0
while attempts < aconattempts:
try:
crs.execute(query)
break
except sqlite3.Error, e:
attempts += 1
wclient.logger.info("Info: %s - attempt %d/%d." % (e.args[0], attempts, aconattempts))
if attempts == aconattempts:
wclient.logger.error("Error: %s (dbfile: %s)" % (e.args[0], adbfile))
sleep(aretryinterval)
rows = crs.fetchall()
if con:
con.close
etime = format_timestamp(time())
stime = format_timestamp(time() - awin)
for row in rows:
dtime = format_timestamp(row['timestamp'])
events.append(gen_event_idea(logger = wclient.logger, binaries_path = abinpath, report_binaries = areportbinaries, client_name = aname, anonymised = aanonymised, target_net = atargetnet, detect_time = dtime, win_start_time = stime, win_end_time = etime, aggr_win = awin, data = row))
print "=== Sending ==="
start = time()
ret = wclient.sendEvents(events)
if ret:
wclient.logger.info("%d event(s) successfully delivered." % len(rows))
print "Time: %f" % (time() - start)
if __name__ == "__main__":
main()
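Review bot: `con.close` in main (the line after `if con:`) is an attribute lookup, not a call, so the sqlite connection is never closed; it should read `con.close()`. The retry loop also falls through after the last failed attempt — it sleeps once more and then continues to `crs.fetchall()` and `sendEvents`, so a permanently locked database ends as an empty batch logged as "successfully delivered" instead of a failing cron job; a `sys.exit(1)` right after the error log would surface it. In gen_event_idea the address-family key `af` is derived from `src_ip` but reused for the Target entry, so an IPv6 source hitting an IPv4 sensor (or the IPv4 `target_net`) is filed under the wrong IDEA key. When `report_binaries` is 'true' the whole sample is read and base64-encoded with no size cap, which may be worth bounding before it lands inside an event.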
{
"warden": "warden_client.cfg",
"name": "cz.cesnet.server.dionaea",
"secret": "",
"anonymised": "no",
"target_net": "195.113.0.0/16",
"dbfile": "/opt/dionaea/var/dionaea/logsql.sqlite",
"binaries_path" : "/opt/dionaea/var/dionaea/binaries",
"report_binaries" : "true",
"con_attempts" : 3,
"con_retry_interval" : 5,
"awin": 5
}
BSD License
Copyright © 2011-2014 Cesnet z.s.p.o
Copyright © 2011-2015 Cesnet z.s.p.o
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
+-------------------------------------------+
| Warden Kippo connector 0.1 for Warden 3.X |
+-------------------------------------------+
Content
A. Introduction
B. Dependencies
C. Usage
D. Configuration
------------------------------------------------------------------------------
A. Introduction
Warden Kippo connector (executable warden3-kippo-sender.py) is a one-shot
script to send events from Kippo honeypot toward the Warden server.
------------------------------------------------------------------------------
B. Dependencies
1. Platform
Python 2.7+
2. Python packages
warden_client 3.0+
------------------------------------------------------------------------------
C. Usage
warden3-kippo-sender.py
This script does not run as a daemon, for regularly run use job scheduler cron.
------------------------------------------------------------------------------
D. Configuration
warden_client-kippo.cfg
warden - path to warden-client config, e.g. 'warden/warden_client.cfg'
name - sensor's source id used as a source of events, e.g. 'cz.cesnet.server.kippo'
secret - secret to authenticate client
- if 'secret' is non empty, is used instead of value in client's configuration
- useful while using more sensors with single client's configuration
anonymised - no | yes | omit
- no (default value)
- yes = anonymize to 'target_net' (see below)
- omit = completely omit target field
target_net - anonymized network used as target if 'anonymized' option is 'yes'
dbhost - hostname/IP of MySQL DB server
dbuser - username
dbpass - password
dbname - database
dbport - db port
awin - aggregation window, e.g. 5 for events in the last 5 minutes
cron
SCRIPT_PATH=/opt/warden_client/
*/5 * * * * root cd $SCRIPT_PATH; python warden3-kippo-sender.py > /dev/null 2>&1
Note: Repeat interval must be the same as value of 'awin'.
------------------------------------------------------------------------------
Copyright (C) 2011-2015 Cesnet z.s.p.o
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright (C) 2011-2015 Cesnet z.s.p.o
# Use of this source is governed by a 3-clause BSD-style license, see LICENSE file.
from warden_client import Client, Error, read_cfg, format_timestamp
import json
import string
from time import time, gmtime, strftime
from math import trunc
from uuid import uuid4
from os import path
import sys
import MySQLdb as my
import MySQLdb.cursors as mycursors
DEFAULT_ACONFIG = 'warden_client-kippo.cfg'
DEFAULT_WCONFIG = 'warden_client.cfg'
DEFAULT_NAME = 'org.example.warden.test'
DEFAULT_AWIN = 5
DEFAULT_ANONYMISED = 'no'
DEFAULT_TARGET_NET = '0.0.0.0/0'
DEFAULT_SECRET = ''
def gen_event_idea(client_name, detect_time, win_start_time, win_end_time, conn_count, src_ip, dst_ip, aggr_win, anonymised, target_net):
event = {
"Format": "IDEA0",
"ID": str(uuid4()),
"DetectTime": detect_time,
"WinStartTime": win_start_time,
"WinEndTime": win_end_time,
"Category": ["Attempt.Login"],
"Note": "SSH login attempt",
"ConnCount": conn_count,
"Source": [{}],
"Target": [
{
"Proto": ["tcp", "ssh"],
"Port" : [22]
}
],
"Node": [
{
"Name": client_name,
"Type": ["Connection","Honeypot","Recon"],
"SW": ["Kippo"],
"AggrWin": strftime("%H:%M:%S", gmtime(aggr_win))
}
]
}
af = "IP4" if not ':' in src_ip else "IP6"
event['Source'][0][af] = [src_ip]
if anonymised != 'omit':
if anonymised == 'yes':
event['Target'][0]['Anonymised'] = True
event['Target'][0][af] = [target_net]
else:
event['Target'][0][af] = [dst_ip]
return event
def main():
aconfig = read_cfg(DEFAULT_ACONFIG)
wconfig = read_cfg(aconfig.get('warden', DEFAULT_WCONFIG))
aname = aconfig.get('name', DEFAULT_NAME)
awin = aconfig.get('awin', DEFAULT_AWIN) * 60
wconfig['name'] = aname
asecret = aconfig.get('secret', DEFAULT_SECRET)
if asecret:
wconfig['secret'] = asecret
wclient = Client(**wconfig)
aanonymised = aconfig.get('anonymised', DEFAULT_ANONYMISED)
if aanonymised not in ['no', 'yes', 'omit']:
wclient.logger.error("Configuration error: anonymised: '%s' - possible typo? use 'no', 'yes' or 'omit'" % aanonymised)
sys.exit(2)
atargetnet = aconfig.get('target_net', DEFAULT_TARGET_NET)
aanonymised = aanonymised if (atargetnet != DEFAULT_TARGET_NET) or (aanonymised == 'omit') else DEFAULT_ANONYMISED
con = my.connect( host=aconfig['dbhost'], user=aconfig['dbuser'], passwd=aconfig['dbpass'],
db=aconfig['dbname'], port=aconfig['dbport'], cursorclass=mycursors.DictCursor)
crs = con.cursor()
events = []
query = "SELECT MIN(UNIX_TIMESTAMP(s.starttime)) as starttime, s.ip, COUNT(s.id) as attack_scale, sn.ip as sensor \
FROM sessions s \
LEFT JOIN sensors sn ON s.sensor=sn.id \
WHERE s.starttime > DATE_SUB(CURRENT_TIMESTAMP(), INTERVAL + %s SECOND) \
GROUP BY s.ip, sn.ip ORDER BY starttime ASC;"
crs.execute(query, (awin,))
rows = crs.fetchall()
for row in rows:
dtime = format_timestamp(row['starttime'])
etime = format_timestamp(time())
stime = format_timestamp(time() - awin)
events.append(gen_event_idea(client_name = aname, detect_time = dtime, win_start_time = stime, win_end_time = etime, conn_count = row['attack_scale'], src_ip = row['ip'], dst_ip = row['sensor'], aggr_win = awin, anonymised = aanonymised, target_net = atargetnet))
print "=== Sending ==="
start = time()
ret = wclient.sendEvents(events)
if ret:
wclient.logger.info("%d event(s) successfully delivered." % len(rows))
print "Time: %f" % (time() - start)
if __name__ == "__main__":
main()
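Review bot: `af` is computed from `src_ip` but used as the Target key as well (`event['Target'][0][af]`), so an IPv6 attacker against an IPv4 sensor mislabels `dst_ip`/`target_net`; derive the Target key from the address actually being written. `etime` and `stime` are recomputed inside the row loop, so events from one run carry slightly different window boundaries — hoist them above the loop as the Dionaea sender on this page does. The MySQL connection is never closed; a `con.close()` after `fetchall()` (or `contextlib.closing`) would release it. The Target `Port` is hard-coded to 22, which is presumably wrong when Kippo listens on 2222 behind a redirect — confirm against the deployment.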
{
"warden": "warden_client.cfg",
"name": "cz.cesnet.server.kippo",
"secret": "",
"anonymised": "no",
"target_net": "195.113.0.0/16",
"dbhost": "localhost",
"dbuser": "kippo",
"dbpass": "kippopass",
"dbname": "kippo",
"dbport": 3306,
"a_win": 5
}
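Review bot: the sample sets `"a_win": 5` but the script reads `aconfig.get('awin', DEFAULT_AWIN)`, so this key is silently ignored and the built-in default applies; rename it to `"awin": 5` to match the README and the Dionaea sample. Because the README requires the cron interval to equal `awin`, a misspelt key here desynchronises the two without any warning.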
Warden LaBrea connector 0.1 for Warden 3.X
==========================================
Introduction
------------
labrea-idea.py is a daemon, meant for continuous watching of LaBrea log files
and generation of Idea_ format of corresponding security events. It is
usually run in correspondence with warden_filer daemon, which picks the
resulting events up and feeds them to the Warden_ server. Connector supports
sliding window aggregation, so sets of connections with the same source are
reported as one event (within aggregation window).
Dependencies
------------
1. Platform
Python 2.7+
2. Python packages
warden_filer 3.0+ (recommended)
Usage
-----
./labrea-idea.py [options] logfile ...
Options:
-h, --help show this help message and exit
-w WINDOW, --window=WINDOW
max detection window (default: 900)
-t TIMEOUT, --timeout=TIMEOUT
detection timeout (default: 300)
-n NAME, --name=NAME Warden client name
--test Add Test category
-o, --oneshot process files and quit (do not daemonize)
--poll=POLL log file polling interval
-d DIR, --dir=DIR Target directory (mandatory)
-p PID, --pid=PID create PID file with this name (default: /var/run
/labrea-idea.pid)
-u UID, --uid=UID user id to run under
-g GID, --gid=GID group id to run under
-v, --verbose turn on debug logging
--log=LOG syslog facility or log file name (default: local7)
--realtime use system time along with log timestamps (default)
--norealtime don't system time, use solely log timestamps
Configuration
-------------
However, the daemon is usually run by init script (example one is a part of
the distribution, along with sample logrotate definition). Options then can
be configured by /etc/sysconfig/labrea-idea or /etc/defaults/labrea-idea,
depending on your distribution custom, where at least PARAMS variable has
to be specified (for others, see the init script).
.. _Warden: https://warden.cesnet.cz/
.. _Idea: https://idea.cesnet.cz/
------------------------------------------------------------------------------
Copyright (C) 2017 Cesnet z.s.p.o
#!/bin/bash
#
### BEGIN INIT INFO
# Provides: labrea-idea
# Required-Start: $local_fs $syslog
# Required-Stop: $local_fs $syslog
# Should-Start: $network
# Should-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Labrea-Idea aggregator/converter
### END INIT INFO
DAEMON_NAME=labrea-idea
DAEMON_PATH=/usr/local/bin/"$DAEMON_NAME".py
PID=/var/run/"$DAEMON_NAME".pid
# Try Debian & Fedora/RHEL/Suse sysconfig
for n in default sysconfig; do
[ -f /etc/$n/"$DAEMON_NAME" ] && . /etc/$n/"$DAEMON_NAME"
done
# Fallback
function log_daemon_msg () { echo -n "$@"; }
function log_end_msg () { [ $1 -eq 0 ] && echo " OK" || echo " Failed"; }
function status_of_proc () { [ -f "$PID" ] && ps u -p $(<"$PID") || echo "$PID not found."; }
[ -f /lib/lsb/init-functions ] && . /lib/lsb/init-functions
ACTION="$1"
case "$ACTION" in
start)
if [ -z "$PARAMS" ]; then
log_daemon_msg "Unconfigured $DAEMON_NAME, not starting."
exit 2
fi
mkdir -p "${PID%/*}"
log_daemon_msg "Starting $DAEMON_NAME"
start_daemon -p "$PID" "$DAEMON_PATH" --pid "$PID" $PARAMS
log_end_msg $?
;;
stop)
log_daemon_msg "Stopping $DAEMON_NAME"
killproc -p "$PID" "$DAEMON_PATH"
log_end_msg $?
;;
restart|force-reload)
$0 stop && sleep 2 && exec $0 start
;;
status)
status_of_proc -p "$PID" "$DAEMON_PATH"
;;
*)
echo "Usage: $0 {start|stop|restart|status}"
exit 2
;;
esac
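Review bot: the fallback block defines only `log_daemon_msg`, `log_end_msg` and `status_of_proc`, but the `start` and `stop` branches call `start_daemon` and `killproc`, which come solely from `/lib/lsb/init-functions`; on a host without that file (the case the fallback exists for) both actions fail with "command not found" while `log_end_msg` still prints a verdict from `$?`. Either add fallbacks for those two or abort up front with `[ -f /lib/lsb/init-functions ] || { echo "LSB init-functions missing"; exit 1; }`. The fallback `status_of_proc` ignores its `-p "$PID"` arguments and reads the global `$PID`, which works only by coincidence. Nothing here drops privileges, so the daemon runs as root unless the sysconfig `PARAMS` passes `-u`/`-g`; the logrotate stanza's `create 640 mentat mentat` suggests that is the intended user, so the init script or its documentation should say so.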
/var/log/labrea-idea.log
{
rotate 52
weekly
missingok
notifempty
compress
delaycompress
dateext
create 640 mentat mentat
}
BSD License
Copyright © 2011-2015 Cesnet z.s.p.o
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the Cesnet z.s.p.o nor the names of its
contributors may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE Cesnet z.s.p.o BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+-----------------------------------------------------------------+
| Warden client Request Tracker connector 20150903 for Warden 3.X |
+-----------------------------------------------------------------+
Content
A. Introduction
B. Dependencies
C. Usage
D. Configuration
------------------------------------------------------------------------------
A. Introduction
Warden client Request Tracker connector (executable warden_client-rt.py) is a one-shot
script to send events from Warden queue toward the Request Tracker.
------------------------------------------------------------------------------
B. Dependencies
1. Platform
Python 2.7+
2. Python packages
warden_client 3.0+
------------------------------------------------------------------------------
C. Usage
warden_client-rt.py
This script does not run as a daemon, for regularly run use job scheduler cron.
------------------------------------------------------------------------------
D. Configuration
warden_client-rt.cfg
warden - path to warden-client config, e.g. 'warden/warden_client.cfg'
bt - templates for request tracker tickets and array of cidrs for reporting
rt - requestr tracker account section
filter - filtering warden events
cron
SCRIPT_PATH=/opt/warden_client/
0 */1 * * * root cd $SCRIPT_PATH; python warden_client-rt.py > /dev/null 2>&1
------------------------------------------------------------------------------
Copyright (C) 2011-2015 Cesnet z.s.p.o
Dobrý den,
přišlo nám upozornění od cizí organizace, že Váš počítač nabízel produkty uvedené níže.
Do doby než nám zašlete vysvětlení Vám byla zablokována registrace.
Notice ID: {id}
Protocol: BitTorrent
IP Address: {ip}
File Name: (unknown)
Timestamp: {timestamp}
Chtěli bychom Vás požádat o prověření, zda nedochází k porušování autorských práv z této stanice.
Prosíme, ověřte stav Vaší stanice, a zašlete nám vysvětlující zprávu, kde uvedete kroky, které jste realizoval, aby dále k tomuto jevu nedocházelo.
Bližší informace o problematice naleznete na adrese:
http://idoc.vsb.cz/cit/tuonet/pravidla/az/
---
Hello,
we received an information from foreign organization, that your PC shared (uploaded) copyrighted material listed below.
Your registration (access to computer network and internet) will be suppressed until you send us an explanation.
Notice ID: {id}
Protocol: BitTorrent
IP Address: {ip}
File Name: (unknown)
Timestamp: {timestamp}
We would like to ask you for verify your PC (installed software), if there is some software which may be the cause for breaking the copyright act.
Please check your PC and send us your deliverance, including the steps you realized to avoid this in the future.
{
"warden": {
"url": "https://warden-hub.cesnet.cz/warden3",
"certfile": "/etc/ssl/mentat.vsb.cz/server.crt",
"keyfile": "/etc/ssl/mentat.vsb.cz/serverkey_de.pem",
"cafile": "/etc/ssl/mentat.vsb.cz/tcs-ca-bundle.pem",
"timeout": 60,
#"recv_events_limit": 6000,
"errlog": {"level": "debug"},
"filelog": {"file": "/var/log/warden_client.log", "level": "warning"},
"idstore": "/var/lib/warden/warden_client.id",
"name": "cz.vsb.bittorrent",
"secret": "TAJNE"
},
"bt": {
"template": "bittorrent.tpl",
"matching_cidrs": ["158.196.0.0/16", "89.0.0.0/8"]
},
"rt": {
"rtrest": "https://idesk.vsb.cz/REST/1.0/",
"rtuser": "LOGIN",
"rtpass": "HESLO",
# <option value="3">Bezpečnostní síťové incidenty</option>
"rtqueue": 7,
"category": "sdileni",
"other": " - zablokovano",
"rtsubject": "{category} {ip}{login}{other}"
},
"filter": {
"cat": ["Fraud.Copyright"]
}
}
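Review bot: the comment above `"rtqueue": 7` quotes `<option value="3">`, so either the queue id or the comment is stale — align them. This file carries the Warden `secret` and the RT password in plain text, so the connector README should require restrictive permissions (e.g. mode 0600, owned by the cron user); the `TAJNE`/`HESLO` placeholders themselves are fine for a sample. The `#` comment lines make this non-strict JSON, which is presumably tolerated by `read_cfg` — confirm.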
#!/usr/bin/python
# -*- coding: UTF-8 -*-
import os, sys
from netaddr import all_matching_cidrs # apt-get install python-netaddr
from warden_client import Client, Error, read_cfg
# pip install python-rtkit
from rtkit.resource import RTResource
from rtkit.authenticators import QueryStringAuthenticator
from rtkit.errors import RTResourceError
from rtkit import set_logging
import logging
set_logging('debug')
logger = logging.getLogger('rtkit')
def createTicket (config, body, ip):
template = config.get('rtsubject')
# "rtsubject": "{category} {ip} {login} {other}"
subject = template.format(category=config.get("category", "sdileni"), ip="("+ip+")", login="", other=config.get("other", " - zablokovano"))
content = {
'content': {
'Queue': config.get('rtqueue'),
'Subject': subject,
'Text': body,
}
}
try:
resource = RTResource(config.get('rtrest'), config.get('rtuser'), config.get('rtpass'), QueryStringAuthenticator)
response = resource.post(path='ticket/new', payload=content,)
logger.info(response.parsed)
except RTResourceError as e:
logger.error(e.response.status_int)
logger.error(e.response.status)
logger.error(e.response.parsed)
def main():
config = read_cfg("warden_client-rt.cfg")
# Allow inline or external Warden config
wconfig = config.get("warden", "warden_client.cfg")
if isinstance(wconfig, basestring):
wconfig = read_cfg(wconfig)
wclient = Client(**wconfig)
btconfig = config.get("bt", None)
matching_cidrs = btconfig.get('matching_cidrs')
with open(btconfig.get('template', None)) as f:
template = f.read()
filt = {}
conf_filt = config.get("filter", {})
# Extract filter explicitly to be sure we have right param names for getEvents
for s in ("cat", "nocat", "tag", "notag", "group", "nogroup"):
filt[s] = conf_filt.get(s, None)
ret = wclient.getEvents(**filt)
for e in ret:
try:
ip = e.get("Source")[0].get("IP4")[0]
id = e.get("ID")
timestamp = e.get("DetectTime")
filename = e['Attach'][0]['FileName'][0]
except:
pass
message = template.format(id=id, ip=ip, filename=filename, timestamp=timestamp)
#print message
if all_matching_cidrs(ip, btconfig.get('matching_cidrs', None)):
createTicket(config.get('rt',None), message, ip)
if __name__ == "__main__":
main()
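Review bot: the bare `except: pass` inside the event loop leaves `ip`, `id`, `filename` and `timestamp` holding the previous event's values (or unbound on the first event), so an event without `Source[0].IP4` or without `Attach` produces a ticket against the previous event's IP instead of being skipped — and given the blocking workflow in the template, that cuts off the wrong user. Skip such events explicitly and make the attachment optional, since `Attach` is not guaranteed and the shipped template does not even use `{filename}` (it prints `File Name: (unknown)`). `QueryStringAuthenticator` also sends `rtuser`/`rtpass` as URL query parameters, which typically end up in web-server and proxy logs; a basic or cookie authenticator from the same library, if available, keeps them out of the URL. `set_logging('debug')` at import time is likely to log those same requests, so consider lowering it.
```python
    for e in ret:
        try:
            ip = e["Source"][0]["IP4"][0]
        except (KeyError, IndexError, TypeError):
            logger.warning("event %s has no Source IP4, skipping", e.get("ID"))
            continue
        # Attach is optional; the shipped template does not use {filename} yet
        attach = e.get("Attach") or [{}]
        filename = (attach[0].get("FileName") or ["(unknown)"])[0]
        message = template.format(id=e.get("ID"), ip=ip, filename=filename, timestamp=e.get("DetectTime"))
        if all_matching_cidrs(ip, matching_cidrs):
            createTicket(config.get('rt', None), message, ip)
```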
BSD License
Copyright © 2016 Cesnet z.s.p.o
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the Cesnet z.s.p.o nor the names of its
contributors may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE Cesnet z.s.p.o BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+---------------------------------+
| Warden Map Client 1.0 |
+---------------------------------+
Content
A. Introduction
B. Configuration
C. Usage & Help
------------------------------------------------------------------------------
A. Introduction
Warden Map Client is very simple client for drawing a map with events from
database of the Warden server. It consists of a Python 2.7 backend and
a javascript/jquery frontend.
Backend uses Warden API for downloading of events. Events are processed and
enhanced with a geodata via freegeoip.net API. Finally warden-map.json file
with information for the frontend is created.
Frontend uses datamaps project (http://datamaps.github.io/) for visualisation
of events on a map. It is possible to check details of the event by moving
cursor on a arc. It is also possible to zoom map via scrolling and/or clicking
on the plus, minus and, home buttons.
------------------------------------------------------------------------------
B. Configuration
1. Copy frontend folder into desired location.
2. Copy html snippet into your web page, or use it as an iframe.
NOTE: If necessary, change css/js paths in a html snippet.
3. Copy backend folder into desired location.
4. Setup backend call (warden-map.py) in a crontab.
NOTE: Please make sure you will have stored warden-map.json file
in the frontend folder.
EXAMPLE: ./warden-map.py --client cz.cesnet.warden.map \
--key certs/key.pem \
--cert certs/cert.pem \
--output ../frontend/
5. Enjoy your map.
------------------------------------------------------------------------------
C. Usage & Help
usage: warden-map.py [-h] [--output /path/] --events <number> --client
<org.ex.cl> --key /path/key.pem --cert /path/cert.pem
--cacert /path/cacert.pem --secret <SeCreT>
optional arguments:
-h, --help show this help message and exit
--output path/ path where warden-map.json should be saved
required arguments:
--events <number> count of events for a map
--client <org.ex.cl> client name
--key path/key.pem SSL key for a client
--cert path/cert.pem SSL cert for a client
--cacert path/cacert.pem SSL cacert for a client
--secret <SeCreT> secret key for a client
------------------------------------------------------------------------------
Copyright (C) 2016 Cesnet z.s.p.o
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# warden-map.py
#
# Copyright (C) 2016 Cesnet z.s.p.o
# Use of this source is governed by a 3-clause BSD-style license, see LICENSE file.
import json
import codecs
import time
import argparse
import GeoIP
import requests
def getLastEvents(client, key, cert):
res = requests.post(
'https://warden-hub.cesnet.cz/warden3/getEvents?client=%s' % (client,),
cert=(cert, key)
)
data = res.json()
i = 0
eventsList = []
for p in data['events']:
event = {}
for key, value in { 'event': 'Category', 'time': 'DetectTime', 'origin': 'Source', 'destination': 'Target'}.items():
if value in p:
if (key == 'origin') or (key == 'destination'):
event[key] = {}
if 'IP4' in p[value][0]:
event[key]['ip'] = p[value][0]['IP4'][0]
else:
event[key] = {}
elif (key == 'event'):
event[key] = ', '.join(p[value])
else:
event[key] = p[value]
else:
if (key == 'origin') or (key == 'destination'):
event[key] = {}
else:
event[key] = {}
if 'ip' in event['origin']:
eventsList.append(event)
i += 1
return eventsList
def getGeolocation(ip, db):
data = db.record_by_addr(ip)
if not data:
return {}
else:
return {
'latitude': data['latitude'],
'longitude': data['longitude'],
'country_name': data['country_name'] if data['country_name'] else None,
'city': data['city'] if data['city'] else None
}
def main(args):
client = args.client[0]
key = args.key[0]
cert = args.cert[0]
if args.output is not None:
path = args.output[0] + 'warden-map.json'
else:
path = 'warden-map.json'
db = GeoIP.open("GeoLiteCity.dat", GeoIP.GEOIP_MEMORY_CACHE)
db.set_charset(GeoIP.GEOIP_CHARSET_UTF8)
wardenEvents = getLastEvents(client, key, cert)
for p in wardenEvents:
for target in {'origin', 'destination'}:
geoData = {}
if 'ip' in p[target]:
geoData = getGeolocation(p[target]['ip'], db)
for value in {'latitude', 'longitude', 'country_name', 'city'}:
if value in geoData:
if not geoData[value]:
p[target][value] = "???"
else:
p[target][value] = geoData[value]
else:
p[target][value] = "???"
else:
p[target]['ip'] = "???"
p[target]['country_name'] = "Czech Republic"
p[target]['city'] = "???"
p[target]['latitude'] = 49.743
p[target]['longitude'] = 15.338
wardenEvents.append(int(time.time()));
with open(path, 'w') as outfile:
json.dump(wardenEvents, outfile)
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Creates warden-map.json for warden-map.html frontend.',
formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=30))
parser.add_argument('--output', metavar='path/', type=str,
nargs=1, help='path where warden-map.json should be saved')
requiredNamed = parser.add_argument_group('required arguments')
requiredNamed.add_argument('--client', metavar='<org.ex.cl>', type=str, required=True,
nargs=1, help='client name')
requiredNamed.add_argument('--key', metavar='path/key.pem', type=str, required=True,
nargs=1, help='SSL key for a client')
requiredNamed.add_argument('--cert', metavar='path/cert.pem', type=str, required=True,
nargs=1, help='SSL cert for a client')
args = parser.parse_args()
main(args)
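Review bot: `getLastEvents` calls `res.json()` and indexes `data['events']` without checking the HTTP status, so an authentication failure or a 5xx from the hub surfaces as a KeyError/ValueError traceback; add `res.raise_for_status()` before `res.json()`. The README on this page lists `--cacert`, `--secret` and `--events` as required, but the parser defines none of them — the request therefore relies on the system CA bundle, sends no secret, and the event count is not applied. The hub URL is hard-coded to `https://warden-hub.cesnet.cz/warden3` inside the function rather than being configurable. Separately, the loop variable `key` in `for key, value in {...}.items()` shadows the `key` (private-key path) parameter — harmless here because the parameter is not used afterwards, but worth renaming.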