Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • Pavel.Valach/warden
1 result
Show changes
Hide whitespace changes
Inline Side-by-side
Showing
with 660 additions and 1163 deletions
contrib/map/frontend/css/warden-map.css 0 → 100644
View file @ b08e2629
/*
*
* -*- coding: utf-8 -*-
*
* warden-map.css
*
* Copyright (C) 2016 Cesnet z.s.p.o
* Use of this source is governed by a 3-clause BSD-style license, see LICENSE file.
*
*/
body {
font-family: 'Oswald', sans-serif;
background: #00253D;
border: 0px;
padding: 0px;
margin: 0px;
}
h2 {
color: #0062a2;
}
.hoverinfo {
font-family: 'Oswald', sans-serif;
}
#country {
color: #0062a2; /* Cesnet blue */
font-weight: bold;
}
table {
text-align: left;
margin: 0;
padding: 0;
font-size: 12px;
}
table th {
color: #0062a2; /* Cesnet blue */
padding: 0;
}
table td {
color: #4b4d4a; /* Greenish gray */
padding: 0;
}
#container {
overflow: hidden;
/* border: 2px solid #0062a2;
border: 0px;
padding: 0px;
margin: 0px;
border-radius: 5px;*/
position: relative;
/* width: 1280px;
height: 720px;*/
max-width: 100%;
max-height: 100%
width: 100%;
height: 100vh;*/
}
.zoom-button {
width: 40px;
height: 40px;
border-radius: 5px;
border: none;
background: #dcdcda;
font-size: 23px;
font-weight: bold;
color: white;
cursor: pointer;
}
.zoom-button:hover {
background-color: #0062a2;
}
#zoom-info {
display: inline-block;
padding: 10px;
color: #0062a2;
}
#warden-logo {
position: absolute;
top: 30px;
left: 30px;
background: white;
padding: 10px;
border-radius: 10px;
width: 240px;
height: 92px;
text-align: center;
}
#cesnet-logo {
position: absolute;
top: 30px;
right: 30px;
background: white;
padding: 10px;
border-radius: 10px;
width: 240px;
height: 92px;
text-align: center;
}
#legend-box {
position: absolute;
bottom: 30px;
left: 30px;
background-color: rgba(0,0,0,0.3);
color: white;
padding: 10px;
border-radius: 10px;
/*width: 240px;
height: 92px;
text-align: center;*/
}
#heading {
position: absolute;
top: 30px;
left: 50%;
width: 40em;
height: 92px;
margin-left: -20em;
font-size: xx-large;
color: white;
text-align: center;
vertical-align: middle;
line-height: 92px;
}
contrib/map/frontend/js/warden-map.js 0 → 100644
View file @ b08e2629
/*
*
* -*- coding: utf-8 -*-
*
* warden-map.js
*
* Copyright (C) 2016 Cesnet z.s.p.o
* Use of this source is governed by a 3-clause BSD-style license, see LICENSE file.
*
*/
// NOTE: Change path in a function d3.json() if you separate backend and frontend!
// Zooming functionality is based on WunderBart's implementation
// Please see following links:
// https://github.com/wunderbart
// https://jsfiddle.net/wunderbart/Lom3b0gb/
function Zoom(args) {
$.extend(this, {
$buttons: $(".zoom-button"),
$info: $("#zoom-info"),
scale: { max: 50, currentShift: 0 },
$container: args.$container,
datamap: args.datamap
});
this.init();
}
Zoom.prototype.init = function() {
var paths = this.datamap.svg.selectAll("path"),
subunits = this.datamap.svg.selectAll(".datamaps-subunit");
// preserve stroke thickness
paths.style("vector-effect", "non-scaling-stroke");
// disable click on drag end
subunits.call(
d3.behavior.drag().on("dragend", function() {
d3.event.sourceEvent.stopPropagation();
})
);
this.scale.set = this._getScalesArray();
this.d3Zoom = d3.behavior.zoom().scaleExtent([ 1, this.scale.max ]);
this._displayPercentage(1);
this.listen();
};
Zoom.prototype.listen = function() {
this.$buttons.off("click").on("click", this._handleClick.bind(this));
this.datamap.svg
.call(this.d3Zoom.on("zoom", this._handleScroll.bind(this)))
.on("dblclick.zoom", null); // disable zoom on double-click
};
Zoom.prototype.reset = function() {
this._shift("reset");
};
Zoom.prototype._handleScroll = function() {
var translate = d3.event.translate,
scale = d3.event.scale,
limited = this._bound(translate, scale);
this.scrolled = true;
this._update(limited.translate, limited.scale);
};
Zoom.prototype._handleClick = function(event) {
var direction = $(event.target).data("zoom");
this._shift(direction);
};
Zoom.prototype._shift = function(direction) {
var center = [ this.$container.width() / 2, this.$container.height() / 2 ],
translate = this.d3Zoom.translate(), translate0 = [], l = [],
view = {
x: translate[0],
y: translate[1],
k: this.d3Zoom.scale()
}, bounded;
translate0 = [
(center[0] - view.x) / view.k,
(center[1] - view.y) / view.k
];
if (direction == "reset") {
view.k = 1;
this.scrolled = true;
} else {
view.k = this._getNextScale(direction);
}
l = [ translate0[0] * view.k + view.x, translate0[1] * view.k + view.y ];
view.x += center[0] - l[0];
view.y += center[1] - l[1];
bounded = this._bound([ view.x, view.y ], view.k);
this._animate(bounded.translate, bounded.scale);
};
Zoom.prototype._bound = function(translate, scale) {
var width = this.$container.width(),
height = this.$container.height();
translate[0] = Math.min(
(width / height) * (scale - 1),
Math.max( width * (1 - scale), translate[0] )
);
translate[1] = Math.min(0, Math.max(height * (1 - scale), translate[1]));
return { translate: translate, scale: scale };
};
Zoom.prototype._update = function(translate, scale) {
this.d3Zoom
.translate(translate)
.scale(scale);
this.datamap.svg.selectAll("g")
.attr("transform", "translate(" + translate + ")scale(" + scale + ")");
this._displayPercentage(scale);
};
Zoom.prototype._animate = function(translate, scale) {
var _this = this,
d3Zoom = this.d3Zoom;
d3.transition().duration(350).tween("zoom", function() {
var iTranslate = d3.interpolate(d3Zoom.translate(), translate),
iScale = d3.interpolate(d3Zoom.scale(), scale);
return function(t) {
_this._update(iTranslate(t), iScale(t));
};
});
};
Zoom.prototype._displayPercentage = function(scale) {
var value;
value = Math.round(Math.log(scale) / Math.log(this.scale.max) * 100);
this.$info.text(value + "%");
};
Zoom.prototype._getScalesArray = function() {
var array = [],
scaleMaxLog = Math.log(this.scale.max);
for (var i = 0; i <= 10; i++) {
array.push(Math.pow(Math.E, 0.1 * i * scaleMaxLog));
}
return array;
};
Zoom.prototype._getNextScale = function(direction) {
var scaleSet = this.scale.set,
currentScale = this.d3Zoom.scale(),
lastShift = scaleSet.length - 1,
shift, temp = [];
if (this.scrolled) {
for (shift = 0; shift <= lastShift; shift++) {
temp.push(Math.abs(scaleSet[shift] - currentScale));
}
shift = temp.indexOf(Math.min.apply(null, temp));
if (currentScale >= scaleSet[shift] && shift < lastShift) {
shift++;
}
if (direction == "out" && shift > 0) {
shift--;
}
this.scrolled = false;
} else {
shift = this.scale.currentShift;
if (direction == "out") {
shift > 0 && shift--;
} else {
shift < lastShift && shift++;
}
}
this.scale.currentShift = shift;
return scaleSet[shift];
};
function defaults(obj) {
Array.prototype.slice.call(arguments, 1).forEach(function(source) {
if (source) {
for (var prop in source) {
// Deep copy if property not set
if (obj[prop] == null) {
if (typeof source[prop] == 'function') {
obj[prop] = source[prop];
}
else {
obj[prop] = JSON.parse(JSON.stringify(source[prop]));
}
}
}
}
});
return obj;
}
function val( datumValue, optionsValue, context ) {
if ( typeof context === 'undefined' ) {
context = optionsValue;
optionsValues = undefined;
}
var value = typeof datumValue !== 'undefined' ? datumValue : optionsValue;
if (typeof value === 'undefined') {
return null;
}
if ( typeof value === 'function' ) {
var fnContext = [context];
if ( context.geography ) {
fnContext = [context.geography, context.data];
}
return value.apply(null, fnContext);
}
else {
return value;
}
}
var cat_color = {
"Abusive": "MediumPurple",
"Malware": "Red",
"Recon": "LightSlateGray",
"Attempt": "GhostWhite",
"Intrusion": "DarkTurquoise",
"Availability": "HotPink",
"Information": "PaleTurquoise",
"Fraud": "Yellow",
"Vulnerable": "DarkGoldenRod",
"Anomaly": "Brown",
"Other": "Green"
}
var cat_desc = {
"Abusive": "spam",
"Malware": "virus, worm, trojan, malware",
"Recon": "scanning, sniffing",
"Attempt": "bruteforce, exploitation attempt",
"Intrusion": "botnet, successful exploit",
"Availability": "(D)DOS",
"Information": "wiretapping, spoofing, hijacking",
"Fraud": "phishing, scam",
"Vulnerable": "open for abuse",
"Anomaly": "unusual traffic",
"Other": "unknown/unidentified"
}
function handleArcs (layer, data, options) {
var self = this,
svg = this.svg;
if ( !data || (data && !data.slice) ) {
throw "Datamaps Error - arcs must be an array";
}
// For some reason arc options were put in an `options` object instead of the parent arc
// I don't like this, so to match bubbles and other plugins I'm moving it
// This is to keep backwards compatability
for ( var i = 0; i < data.length; i++ ) {
data[i] = defaults(data[i], data[i].options);
delete data[i].options;
}
if ( typeof options === "undefined" ) {
options = defaultOptions.arcConfig;
}
var arcs = layer.selectAll('path.datamaps-arc').data( data, JSON.stringify );
var path = d3.geo.path()
.projection(self.projection);
arcs
.enter()
.append('svg:path')
.attr('class', 'datamaps-arc')
.style('stroke-linecap', 'round')
.style('stroke', function(datum) {
/* return val(datum.strokeColor, options.strokeColor, datum);*/
for (cat in cat_color) {
if (datum.event.startsWith(cat)) {
return cat_color[cat];
}
}
return "Green";
})
.style('fill', 'none')
.style('stroke-width', function(datum) {
return val(datum.strokeWidth, options.strokeWidth, datum);
})
.attr('d', function(datum) {
var originXY, destXY;
originXY = self.latLngToXY(val(datum.origin.latitude, datum), val(datum.origin.longitude, datum))
destXY = self.latLngToXY(val(datum.destination.latitude, datum), val(datum.destination.longitude, datum));
var midXY = [ (originXY[0] + destXY[0]) / 2, (originXY[1] + destXY[1]) / 2];
if (options.greatArc) {
// TODO: Move this to inside `if` clause when setting attr `d`
var greatArc = d3.geo.greatArc()
.source(function(d) { return [val(d.origin.longitude, d), val(d.origin.latitude, d)]; })
.target(function(d) { return [val(d.destination.longitude, d), val(d.destination.latitude, d)]; });
return path(greatArc(datum))
}
var sharpness = val(datum.arcSharpness, options.arcSharpness, datum);
return "M" + originXY[0] + ',' + originXY[1] + "S" + (midXY[0] + (50 * sharpness)) + "," + (midXY[1] - (75 * sharpness)) + "," + destXY[0] + "," + destXY[1];
})
.attr('data-info', function(datum) {
return JSON.stringify(datum);
})
.on('mouseover', function ( datum ) {
var $this = d3.select(this);
if (options.popupOnHover) {
self.updatePopup($this, datum, options, svg);
}
})
.on('mouseout', function ( datum ) {
var $this = d3.select(this);
d3.selectAll('.datamaps-hoverover').style('display', 'none');
})
.transition()
.style('fill', function(datum, i) {
/*
Thank you Jake Archibald, this is awesome.
Source: http://jakearchibald.com/2013/animated-line-drawing-svg/
*/
var length = this.getTotalLength();
this.style.transition = this.style.WebkitTransition = 'none';
this.style.strokeDasharray = length + ' ' + length;
this.style.strokeDashoffset = length;
this.getBoundingClientRect();
this.style.transition = this.style.WebkitTransition = 'stroke-dashoffset ' + val(datum.animationSpeed, options.animationSpeed, datum) + 'ms ' + datum.delay*1000 + 'ms ease-out';
this.style.strokeDashoffset = '0';
return 'none';
});
arcs.exit()
.transition()
.duration(1000)
.style('opacity', 0)
.remove();
}
var main_data = [];
var prev_data = 0;
// Configuration of datamap canvas
// Futher reading can be found at https://datamaps.github.io/
function Datamap() {
this.$container = $("#container");
instance = this.instance = new Datamaps({
scope: 'world',
element: this.$container.get(0),
done: this._handleMapReady.bind(this),
projection: 'mercator',
fills: {
/*defaultFill: '#454545'*/
defaultFill: 'black'
},
geographyConfig: {
hideAntarctica: true,
borderColor: '#0062a2',
highlightFillColor: '#4b4d4a',
highlightBorderColor: '#fdfdfd',
popupOnHover: true,
popupTemplate: function(geography, data) {
return '<div class="hoverinfo" id="country">' + geography.properties.name + '</div>';
},
},
ph_arcConfig: {
strokeColor: '#0062a2',
strokeWidth: 2,
arcSharpness: 2, /* 5 */
animationSpeed: 3000, // Milliseconds
popupOnHover: true,
// Case with latitude and longitude
popupTemplate: function(geography, data) {
if ( ( data.origin && data.destination ) && data.origin.latitude && data.origin.longitude && data.destination.latitude && data.destination.longitude ) {
// Content of info table
str = '<div class="hoverinfo"><table id="event"><tr><th>Warden Event</th></tr><tr><td>Type</td><td>'+ JSON.stringify(data.event) +'</td></tr><tr><td>Detect Time</td><td>'+ JSON.stringify(data.time) +'</td></tr><tr><th>Event origin</th></tr><tr><td>IP</td><td>' + JSON.stringify(data.origin.ip) + '</td></tr><tr><td>City & Country</td><td>' + JSON.stringify(data.origin.city) + ',&nbsp;' + JSON.stringify(data.origin.country_name) + '</td></tr><tr><td>GPS</td><td>' + JSON.stringify(data.origin.latitude) + ',&nbsp;' + JSON.stringify(data.origin.longitude) + '</td></tr><tr><th>Event Destination</th></tr><tr><td>IP</td><td>' + JSON.stringify(data.destination.ip) + '</td></tr><tr><td>City & Country</td><td>' + JSON.stringify(data.destination.city) + ',&nbsp;' + JSON.stringify(data.destination.country_name) + '</td></tr><tr><td>GPS</td><td>' + JSON.stringify(data.destination.latitude) + ',&nbsp;' + JSON.stringify(data.destination.longitude) + '</td></tr></table></div>';
return str.replace(/&quot;/g,"");
}
// Missing information
else {
return '';
}
}
}
});
legend_data = d3.select("#legend")
.selectAll("li")
.data(Object.keys(cat_color).sort())
.enter()
.append("li")
.append("span")
.style("color", function(datum) { return cat_color[datum]})
.text(function(datum) { return datum; })
.append("span")
.text(function(datum) { return "" + cat_desc[datum]})
.style("color", "white");
instance.addPlugin('ph_arc', handleArcs);
setInterval(function(){
d3.json("./warden-map.json", function(error, data) {
if (data) {
var cur_data = data.pop()
var cur_time = new Date().getTime();
if (cur_data != prev_data) {
prev_data = cur_data;
for (var i=0; i<data.length; i++) {
data[i].arrivalTime = cur_time;
data[i].delay = i/data.length;
}
main_data = main_data.concat(data);
}
}
var trimmed_data = [];
for (var i=0; i<main_data.length; i++) {
if (main_data[i].arrivalTime + 3500 > cur_time) {
trimmed_data.push(main_data[i]);
}
}
main_data = trimmed_data;
trimmed_data = cur_time = cur_data = error = data = null;
instance.ph_arc(main_data);
});
}, 1000);
};
Datamap.prototype._handleMapReady = function(datamap) {
this.zoom = new Zoom({
$container: this.$container,
datamap: datamap
});
}
contrib/map/frontend/warden-map.html 0 → 100644
View file @ b08e2629
<!-- -->
<!-- -->
<!-- -*- coding: utf-8 -*- -->
<!-- -->
<!-- warden-map.html -->
<!-- -->
<!-- Copyright (C) 2016 Cesnet z.s.p.o -->
<!-- Use of this source is governed by a 3-clause BSD-style license, see LICENSE file. -->
<!-- -->
<!-- -->
<!DOCTYPE html>
<meta name="robots" content="noindex">
<meta charset="utf-8">
<link href='https://fonts.googleapis.com/css?family=Oswald&amp;subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link rel="stylesheet" type="text/css" href="./css/warden-map.css"/>
<body>
<script src="https://d3js.org/d3.v3.min.js"></script>
<script src="https://d3js.org/topojson.v1.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
<script src="./js/datamaps.world.min.js"></script>
<script src="./js/warden-map.js"></script>
<!--
<h2>Warden Map</h2>
<div id="tools">
<button class="zoom-button" data-zoom="reset">&#x2302</button>
<button class="zoom-button" data-zoom="out">-</button>
<button class="zoom-button" data-zoom="in">+</button>
<div id="zoom-info"></div>
</div>
-->
<div id="container"></div>
<div id="heading">Attacks, detected in CESNET network<br/>
SABU - Sharing and Analysis of Security Events
</div>
<div id="legend-box">
<p><b>Reported to Warden right <i>now</i>.</b></p>
<ul id="legend"></ul>
</div>
<!-- Draw datamap into id="container" -->
<script>new Datamap();</script>
</body>
</html>
packages/TODO.zcu deleted 100644 → 0
View file @ be94e0fe
* sjednotit warden-client.conf a warden-server.conf
* ipv6
* zrusit vsude licence a nahradit jedinym radkem s odkazem
* generovani konfiguracnich souboru z template z balicku a ne primo ze shell skriptu
* verze klienta a serveru jsou mimo sync coz je osklive, proc mam pouzivat c1.1.1 a s0.1.1 ? to nedava smysl ...
packages/build-client.sh deleted 100755 → 0
View file @ be94e0fe
#!/bin/bash
#
# build-client.sh
#
# Copyright (C) 2011-2012 Cesnet z.s.p.o
# Author(s): Tomas PLESNIK <plesnik@ics.muni.cz>
# Jan SOUKAL <soukal@ics.muni.cz>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
# 3. Neither the name of the Cesnet z.s.p.o nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# This software is provided ``as is'', and any express or implied
# warranties, including, but not limited to, the implied warranties of
# merchantability and fitness for a particular purpose are disclaimed.
# In no event shall the Cesnet z.s.p.o or contributors be liable for
# any direct, indirect, incidental, special, exemplary, or consequential
# damages (including, but not limited to, procurement of substitute
# goods or services; loss of use, data, or profits; or business
# interruption) however caused and on any theory of liability, whether
# in contract, strict liability, or tort (including negligence or
# otherwise) arising in any way out of the use of this software, even
# if advised of the possibility of such damage.
VERSION="1.1"
err()
{
echo "FAILED!"
cat $err
rm -rf $err $package $tar $sig
echo
echo "Build of $package package FAILED!!!"
exit 1
}
#-------------------------------------------------------------------------------
# MAIN
#-------------------------------------------------------------------------------
# edit when you build new package
version="1.1.1"
package_name="warden-client"
package="$package_name-$version"
doc="$package/$package_name/doc"
etc="$package/$package_name/etc"
lib="$package/$package_name/lib"
var="$package/$package_name/var"
tar="$package.tar.gz"
sig="$tar.sig"
err="/tmp/$package-err"
# make directory structure
echo "Building $package_name package version $version ..."
echo
echo -n "Building 'base' directory ... "
mkdir -p $package 2> $err || err
cp -R ../src/$package_name/sh/* $package 2> $err || err
cp ../src/$package_name/doc/CHANGELOG $package 2> $err || err
cp ../src/$package_name/doc/INSTALL $package 2> $err || err
cp ../src/$package_name/doc/LICENSE $package 2> $err || err
cp ../src/$package_name/doc/README $package 2> $err || err
cp ../src/$package_name/doc/README.cesnet $package 2> $err || err
echo "OK"
echo -n "Building '$doc' directory ... "
mkdir -p $doc 2> $err || err
cp -R ../src/$package_name/doc/* $doc 2> $err || err
echo "OK"
echo -n "Building '$etc' directory ... "
mkdir -p $etc 2> $err || err
cp ../src/$package_name/etc/package_version $etc 2> $err || err
echo "OK"
echo -n "Building '$lib' directory ... "
mkdir -p $lib 2> $err || err
cp -R ../src/$package_name/lib/* $lib 2> $err || err
echo "OK"
echo -n "Building '$var' directory ... "
mkdir -p $var 2> $err || err
echo "OK"
# create tarball
echo -n "Creating $tar tarball ... "
tar czf $tar $package 2> $err || err
echo "OK"
# create sign of tarball
echo -n "Creating $sig file ... "
sha1sum $tar > $sig 2> $err || err
echo "OK"
echo
echo "Building of $package package was SUCCESSFULL"
# cleanup section
rm -rf $package $err
exit 0
packages/build-server.sh deleted 100755 → 0
View file @ be94e0fe
#!/bin/bash
#
# build-server.sh
#
# Copyright (C) 2011-2012 Cesnet z.s.p.o
# Author(s): Tomas PLESNIK <plesnik@ics.muni.cz>
# Jan SOUKAL <soukal@ics.muni.cz>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
# 3. Neither the name of the Cesnet z.s.p.o nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# This software is provided ``as is'', and any express or implied
# warranties, including, but not limited to, the implied warranties of
# merchantability and fitness for a particular purpose are disclaimed.
# In no event shall the Cesnet z.s.p.o or contributors be liable for
# any direct, indirect, incidental, special, exemplary, or consequential
# damages (including, but not limited to, procurement of substitute
# goods or services; loss of use, data, or profits; or business
# interruption) however caused and on any theory of liability, whether
# in contract, strict liability, or tort (including negligence or
# otherwise) arising in any way out of the use of this software, even
# if advised of the possibility of such damage.
VERSION="1.0"
err()
{
echo "FAILED!"
cat $err
rm -rf $err $package $tar $sig
echo
echo "Build of $package package FAILED!!!"
exit 1
}
#-------------------------------------------------------------------------------
# MAIN
#-------------------------------------------------------------------------------
# edit when you build new package
version="0.1.1"
package_name="warden-server"
package="$package_name-$version"
bin="$package/$package_name/bin"
doc="$package/$package_name/doc"
etc="$package/$package_name/etc"
lib="$package/$package_name/lib"
var="$package/$package_name/var"
tar="$package.tar.gz"
sig="$tar.sig"
err="/tmp/$package-err"
# make directory structure
echo "Building $package_name package version $version ..."
echo
echo -n "Building 'base' directory ... "
mkdir -p $package 2> $err || err
cp ../src/$package_name/sh/install.sh $package 2> $err || err
cp ../src/$package_name/sh/uninstall.sh $package 2> $err || err
cp ../src/$package_name/doc/CHANGELOG $package 2> $err || err
cp ../src/$package_name/doc/INSTALL $package 2> $err || err
cp ../src/$package_name/doc/LICENSE $package 2> $err || err
cp ../src/$package_name/doc/README $package 2> $err || err
echo "OK"
echo -n "Building '$bin' directory ... "
mkdir -p $bin 2> $err || err
cp -R ../src/$package_name/bin/* $bin 2> $err || err
cp -R ../src/$package_name/sh/create_tables.sh $bin 2> $err || err
echo "OK"
echo -n "Building '$doc' directory ... "
mkdir -p $doc 2> $err || err
cp -R ../src/$package_name/doc/* $doc 2> $err || err
echo "OK"
echo -n "Building '$etc' directory ... "
mkdir -p $etc 2> $err || err
cp ../src/$package_name/etc/package_version $etc 2> $err || err
cp ../src/$package_name/etc/warden-apache.conf $etc 2> $err || err
echo "OK"
echo -n "Building '$lib' directory ... "
mkdir -p $lib 2> $err || err
cp -R ../src/$package_name/lib/* $lib 2> $err || err
echo "OK"
echo -n "Building '$var' directory ... "
mkdir -p $var 2> $err || err
echo "OK"
# create tarball
echo -n "Creating $tar tarball ... "
tar czf $tar $package 2> $err || err
echo "OK"
# create sign of tarball
echo -n "Creating $sig file ... "
sha1sum $tar > $sig 2> $err || err
echo "OK"
echo
echo "Building of $package package was SUCCESSFULL"
# cleanup section
rm -rf $package $err
exit 0
packages/chck_modules_version.sh deleted 100755 → 0
View file @ be94e0fe
#!/bin/bash
#
# Script obtain Perl package version
#
#modules=(SOAP::Lite SOAP::Transport::TCP File::Pid POSIX DBI Format::Human::Bytes Sys::Syslog File::Basename FindBin Net::CIDR::Lite DateTime)
modules=(SOAP::Lite SOAP::Transport::TCP File::Pid POSIX DBI DBD::SQLite Format::Human::Bytes Sys::Syslog File::Basename FindBin Net::CIDR::Lite DateTime Getopt::Std Switch IO::Socket::SSL)
for module in ${modules[@]}
do
perl -e "eval { require $module; }; if (\$@) { print \"$module: version not found\n\"; } else { print \"$module >= \$$module::VERSION\n\"}"
done
exit 0
packages/warden-client-1.0.0.tar.gz deleted 100644 → 0
View file @ be94e0fe
File deleted
packages/warden-client-1.0.0.tar.gz.sig deleted 100644 → 0
View file @ be94e0fe
f04ba44e48b5d9efc754c2332362e2a82a86f387 warden-client-1.0.0.tar.gz
packages/warden-client-1.1.0.tar.gz deleted 100644 → 0
View file @ be94e0fe
File deleted
packages/warden-client-1.1.0.tar.gz.sig deleted 100644 → 0
View file @ be94e0fe
2448a581f61e9169400de2c4d248d76319facfc1 warden-client-1.1.0.tar.gz
packages/warden-server-0.1.0.tar.gz deleted 100644 → 0
View file @ be94e0fe
File deleted
packages/warden-server-0.1.0.tar.gz.sig deleted 100644 → 0
View file @ be94e0fe
6d750f5c16d1b3465279a24c03dd07c540f7bbdd warden-server-0.1.0.tar.gz
src/warden-client/bin/receiver.pl deleted 100755 → 0
View file @ be94e0fe
#!/usr/bin/perl -w
#
# receiver.pl
#
# Copyright (C) 2011-2012 Cesnet z.s.p.o
# Author(s): Tomas PLESNIK <plesnik@ics.muni.cz>
# Jan SOUKAL <soukal@ics.muni.cz>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
# 3. Neither the name of the Cesnet z.s.p.o nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# This software is provided ``as is'', and any express or implied
# warranties, including, but not limited to, the implied warranties of
# merchantability and fitness for a particular purpose are disclaimed.
# In no event shall the Cesnet z.s.p.o or contributors be liable for
# any direct, indirect, incidental, special, exemplary, or consequential
# damages (including, but not limited to, procurement of substitute
# goods or services; loss of use, data, or profits; or business
# interruption) however caused and on any theory of liability, whether
# in contract, strict liability, or tort (including negligence or
# otherwise) arising in any way out of the use of this software, even
# if advised of the possibility of such damage.
#
use strict;
my $warden_path = '/opt/warden-client';
require $warden_path . '/lib/WardenClientReceive.pm';
#my $requested_type = "copyright";
#my $requested_type = "botnet_c_c";
my $requested_type = "bruteforce";
my @new_events = WardenClientReceive::getNewEvents($warden_path, $requested_type);
print "+------------------------------------------------------------------------------------------------------------------------------------------+\n";
print "| id | hostname | service | detected | type | source_type | source | target_proto | target_port | attack_scale | note | priority | timeout |\n";
print "+------------------------------------------------------------------------------------------------------------------------------------------+\n";
foreach (@new_events) {
print "| " . join(' | ', @$_) . " |" . "\n";
}
print "+------------------------------------------------------------------------------------------------------------------------------------------+";
print "\n";
print "Last events in: " . scalar(localtime(time)) . "\n";
exit 0;
src/warden-client/bin/sender.pl deleted 100755 → 0
View file @ be94e0fe
#!/usr/bin/perl -w
#
# sender.pl
#
# Copyright (C) 2011-2012 Cesnet z.s.p.o
# Author(s): Tomas PLESNIK <plesnik@ics.muni.cz>
# Jan SOUKAL <soukal@ics.muni.cz>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
# 3. Neither the name of the Cesnet z.s.p.o nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# This software is provided ``as is'', and any express or implied
# warranties, including, but not limited to, the implied warranties of
# merchantability and fitness for a particular purpose are disclaimed.
# In no event shall the Cesnet z.s.p.o or contributors be liable for
# any direct, indirect, incidental, special, exemplary, or consequential
# damages (including, but not limited to, procurement of substitute
# goods or services; loss of use, data, or profits; or business
# interruption) however caused and on any theory of liability, whether
# in contract, strict liability, or tort (including negligence or
# otherwise) arising in any way out of the use of this software, even
# if advised of the possibility of such damage.
#
use Switch;
use strict;
use DateTime;
my $warden_path = '/opt/warden-client';
require $warden_path . '/lib/WardenClientSend.pm';
my $service = "";
switch (int(rand(2) + 0.5)) {
case 0 { $service = 'ScanDetector'; }
case 1 { $service = 'PhiGaro'; }
case 2 { $service = 'HoneyScan'; }
}
my $detected = DateTime->from_epoch(epoch => time());
my $type = "";
switch (int(rand(9) + 0.5)) {
case 0 { $type = 'portscan'; }
case 1 { $type = 'bruteforce'; }
case 2 { $type = 'spam'; }
case 3 { $type = 'phishing'; }
case 4 { $type = 'botnet_c_c'; }
case 5 { $type = 'dos'; }
case 6 { $type = 'malware'; }
case 7 { $type = 'copyright'; }
case 8 { $type = 'webattack'; }
case 9 { $type = 'other'; }
}
my $source_type = "";
switch (int(rand(2) + 0.5)) {
case 0 { $source_type = 'IP'; }
case 1 { $source_type = 'url'; }
case 2 { $source_type = 'Reply-To:'; }
}
my $source = (int(rand(254) + 0.5) + 1) . "." . (int(rand(254) + 0.5) + 1) . "." . (int(rand(254) + 0.5) + 1) . "." . (int(rand(254) + 0.5) + 1);
my $target_proto = "";
switch (int(rand(1) + 0.5)) {
case 0 { $target_proto = 'TCP'; }
case 1 { $target_proto = 'UDP'; }
}
my $target_port = "";
switch (int(rand(5) + 0.5)) {
case 0 { $target_port = '22'; }
case 1 { $target_port = '23'; }
case 2 { $target_port = '25'; }
case 3 { $target_port = '443'; }
case 4 { $target_port = '3389'; }
case 5 { $target_port = 'null'; }
}
my $attack_scale = (int(rand(100000) + 0.5) + 1000);
my $note = "tohle je takova normalni jednoducha poznamka";
my $priority = "";
switch (int(rand(1) + 0.5)) {
case 0 { $priority = int(rand(255) + 0.5); }
case 1 { $priority = 'null'; }
}
my $timeout = "";
switch (int(rand(1) + 0.5)) {
case 0 { $timeout = int(rand(255) + 0.5); }
case 1 { $timeout = 'null'; }
}
my @event = (
$service, # $service
"$detected", # $detected
$type, # $type
$source_type, # $source_type
$source, # $source
$target_proto, # $target_proto
$target_port, # $target_port
$attack_scale, # $attack_scale
$note, # $note
$priority, # $priority
$timeout, # $timeout
);
WardenClientSend::saveNewEvent($warden_path, \@event);
#foreach (@event) {
# print "$_\n";
#}
src/warden-client/doc/CHANGELOG deleted 100644 → 0
View file @ be94e0fe
2012-00-00 v1.2.0 stable version and bugfix release of warden-client-1.1.0
--------------------------------------------------------------------------
- Fixed SSL certificate/key access privileges security issue
- Fixed client crash after multiple events download
- Fixed several small bugs/issues
2012-02-06 v1.1.0 stable version and bugfix release of warden-client-1.0.0
--------------------------------------------------------------------------
- Fixed bug when receiving of events
- Fixed earlier declaration in same scope of variable $data
- Fixed errMsg function -> finishing by the die function
- Added client configuration module WardenClientConf.pm
- Added error message when warden server is down
- Added README.cesnet (CESNET Specifics) file
- Added uninstallation script -> uninstall.sh
- Added update script -> update.sh
- Fixed several small bugs/issues
2011-11-16 v1.0.0 stable version
--------------------------------
- Initial package of warden client
- SSL certificate authentication/authorization supported
- Automatized installation process
src/warden-client/doc/INSTALL deleted 100644 → 0
View file @ be94e0fe
Installation process
--------------------
For installation of warden-client package on local machine use install.sh.
Default destination directory is /opt/warden-client/.
For more information about install.sh options run install.sh -h.
You must be root for running this script.
Uninstallation process
----------------------
For uninstallation of warden-client package from local machine use uninstall.sh.
Default uninstallation directory is /opt/warden-client/.
For more information about uninstall.sh options run uninstall.sh -h.
You must be root for running this script.
src/warden-client/doc/README deleted 100644 → 0
View file @ be94e0fe
+------------------------------+
| README - Warden Client 1.1.0 |
+------------------------------+
Content
A. Overall Information
B. Installation Dependencies
C. Registration
D. Installation
E. Update
F. Uninstallation
G. Configuration
H. Integration with Local Applications
I. Functions, Arguments and Calls
J. Authors
--------------------------------------------------------------------------------
A. Overall Information
1. About Warden Client
Warden is a client-based architecture service designed to share detected
security events (issues) among CSIRT and CERT teams in a simple and fast way.
This package offers a client capable of both reporting events to server and
retreiving batch of new events from server. It consists of several Perl
modules/libraries which should be included into detection applications.
2. Version
1.1.0 (2012-02-06)
3. Package structure
warden-client/
doc/
CHANGELOG
example-sender.pl.txt
example-receiver.pl.txt
INSTALL
LICENSE
README
README.cesnet
etc/
warden-client.conf
package_version
lib/
WardenClientConf.pm
WardenClientSend.pm
WardenClientReceive.pm
var/
--------------------------------------------------------------------------------
B. Installation Dependencies
Perl >= 5.10.1
SOAP::Lite >= 0.712
IO::Socket::SSL >= 1.33
SOAP::Transport::TCP >= 0.712
FindBin >= 1.50
DateTime >= 0.61
--------------------------------------------------------------------------------
C. Registration
Any client attempting to communicate with the Warden server must be
registered on this server. Unknown (not registered) clients are not allowed
to exchange any data with server.
Registration of your client is provided by the Warden server administrator.
Usually via e-mail.
Clients also need to have valid client SSL certificates to prove their
identity to the Warden server.
Each client is defined by its hostname, service name, type of client, type
of requested events, receiving of own events, description tags and CIDR
this client is allowed to communicate from.
Hostname hostname of client to be registered
Service name Text string. Unique name of the service
the client is integrated in.
E.g. 'ScanDetector_1.0'. This is mandatory for
'Sender' client. Default value null is used for
'Receiver' client.
Type of client Either 'Sender' or 'Receiver'.
Type of requested events Type of events the client only accepts from
the Warden server. This is mandatory only for
'Receiver' client. Default value null is used
for 'Sender' client. Brief information about
event types is provided in section G. Functions
arguments and calls.
Receiving of own events Enables receiving of events sent from your
organization domain = yes/no (organizations are
separated based on the top-level and
second-level domain). This is mandatory only
for 'Receiver' client.
Description tags Tags are case insensitive alphanumeric strings
designed to allow event receivers to filter
according to event source. For example,
receiver can decide to use only events
originating from honeypots or filter out events
generated manually by users. This is mandatory
for 'Sender' client.
CIDR CIDR stands for IP (sub)net the client is going
to communicate from (see examples below!). Any
communications between the client and the Warden
server must be performed from IP address from
a range stated in CIDR.
Examples: '123.123.0.0/16', '123.123.123.123/32'
For complete information about client attributes and/or event types you will
have to contact particular Warden server administrator/provider.
--------------------------------------------------------------------------------
D. Installation (First installation of the Warden client package)
1. Check SHA1 checksum of corresponding Warden client package archive
$ sha1sum -c warden-client-1.1.0.tar.gz.sig
2. Untar it
$ tar xzvf warden-client-1.1.0.tar.gz
3. Run install.sh
Default destination directory is /opt/warden-client/
For more information about install.sh options run install.sh -h
You must be root for running this script.
4. Installation Privileges
The Warden client is designed to be run under standard privileges. It should
be a part of other applications that are run under usual user privileges.
However, the Warden client uses SSL certificates for security purposes which
are often not accessible by standard users.
To solve this issue, the Warden client should be installed under root
privileges. It copyies local SSL key and certificate files into
warden-client/etc folder where those are accessible even with standard
privileges.
Should users want to preserve standard location of certificate files,
they are advised to remove key and certificate files after installation
from warden-client/etc/ and manually edit paths to certificate files in
warden-client/etc/warden-client.conf. In most cases, this change will force
the Warden client to be run under root privileges though.
5. Configuration file
After successful installation process you are advised to check configuration
file warden-client/etc/warden-client.conf. For more information see section
below G. Configuration.
6. Usage of install.sh
Usage: install.sh [-d <directory>] [-u <user>] [-k <ssl_key_file>]
[-c <ssl_cert_file>] [-a <ssl_ca_file>] [-hV]
-d <directory> installation directory (default: /opt)
-u <user> owner of warden client package (user for
running detection scripts)
-k <ssl_key_file> SSL certificate key file path
-c <ssl_cert_file> SSL certificate file path
-a <ssl_ca_file> CA certificate file path
-h print this help
-V print script version number and exit
Example: # ./install.sh -d /opt -u detector -k /etc/ssl/private/client.key
-c /etc/ssl/certs/client.pem -a /etc/ssl/certs"
--------------------------------------------------------------------------------
E. Update (Update of previously installed the Warden client package)
1. Check SHA1 checksum of corresponding the Warden client package archive
$ sha1sum -c warden-client-1.1.0.tar.gz.sig
2. Untar it
$ tar xzvf warden-client-1.1.0.tar.gz
3. Run update.sh
Default destination directory is /opt/warden-client/
For more information about update.sh options run update.sh -h
You must be root for running this script.
4. Configuration file
After successful update process you are advised to check configuration
file warden-client/etc/warden-client.conf. For more information see section
G. Configuration.
5. Usage of update.sh
Usage: update.sh [-d <directory>] [-hV]
-d <directory> destination directory (default: /opt)
-h print this help
-V print script version number and exit
Example: # ./update.sh -d /opt
Note: You must be root for running this script.
--------------------------------------------------------------------------------
F. Uninstallation
1. Run uninstall.sh
The script is located in warden-client package directory.
Default uninstallation directory is /opt/warden-client/.
For more information about uninstall.sh options, run uninstall.sh -h.
You must be root for running this script.
2. Usage of uninstall.sh
Usage: uninstall.sh [-d <directory>] [-hV]
-d <directory> uninstallation directory (default: /opt)
-h print this help
-V print script version number and exit
Example: # ./uninstall.sh -d /opt
Note: You must be root for running this script.
--------------------------------------------------------------------------------
G. Configuration
SOAP protocol is used for handling communication between server and clients.
Therefore, correct URI of the Warden server must be set.
Authentication of clients and server is performed using client and server
SSL certificates. Both clients and server must have valid certificate.
Configuration file contains following parameters:
URI - URI of the Warden server
e.g. 'https://mywarden.server.com:443/Warden'
SSL_KEY_FILE - path to a host key file,
e.g. '/opt/warden-client/etc/mywarden.server.com.key'
SSL_CERT_FILE - path to a host certificate file,
e.g. '/opt/warden-client/etc/mywarden.server.com.pem'
SSL_CA_FILE - path to a CA file
e.g. '/etc/ssl/certs/tcs-ca-bundle.pem'
--------------------------------------------------------------------------------
H. Integration with Local Applications
(Note: Clients need to be registered on server to be able to communicate with
server properly. See section C. Registration for more information about
client registration.)
1. Client sender (this type of client reports events to the Warden server)
Client is included as a Perl module (WardenClientSend.pm) into Perl code of
local detection application.
See warden-client/doc/example-sender.pl.txt for example how to use
the Warden client sender.
Brief information about syntax of sending functions and functionality is
provided in section I. Functions, Arguments and Calls.
2. Client receiver (this type of clients downloads events from the Warden
server)
Client is included as a Perl module (WardenClientReceive.pm)
into Perl code of local 'reaction' application or may be used as core of
standalone local application.
See warden-client/doc/example-receiver.pl.txt for example how to use
the Warden client receiver.
Brief information about syntax of receiving functions is provided in
section I. Functions, Arguments and Calls.
--------------------------------------------------------------------------------
I. Functions, Arguments and Calls
1. WardenClientSend::saveNewEvent
A function to report one event to the Warden server. See example 'Sender'
client in warden-client/doc/example-sender.pl.txt
Function call (Perl):
# Path to warden-client folder
$warden_path = '/opt/warden-client';
# Inclusion of the Warden client sender module
require $warden_path . '/lib/WardenClientSend.pm';
# Sending event to the Warden server
WardenClientSend::saveNewEvent($warden_path, \@event);
Event array is defined as (Perl):
@event = ($service, $detected, $type, $source_type, $source, $target_proto,
$target_port, $attack_scale, $note, $priority, $timeout );
Event array attributes with example value and explanation on the right
(Perl):
# SERVICE - VARCHAR (64)
# Name of a service detecting this event. Service must be the same with this
# provided in 'Sender' client registration. See more about this issue in
# section C. Registration.
$service = "ScanDetector";
# DETECTED - TIMESTAMP in UTC, ISO 8601
# Date and time when was event detected.
$detected = "2011-07-16T19:20:30.45";
# TYPE - VARCHAR (64)
# Type of reported event. Currently supported values are:
# darkspace - access into honeypot segment
# portscan - scannig of TCP/UDP ports
# bruteforce - bruteforce/dictionary attack against authentication
# service(s)
# spam - unsolicited e-mail that does not have phishing-like
# character
# phishing - e-mail attempting to gather sensitive data
# botnet_c_c - command and control center of botnet
# dos - (distributed) denial of service attack
# malware - virus sample
# copyright - copyright infringement issue
# webattack - attack against web application
# other - anything that does not match any of previous categories
$type = "portscan";
# SOURCE_TYPE - VARCHAR 64
# Type of source of reported attack/issue. Currently supported values are:
# IP, URL, Reply-To:, null
$source_type = "IP";
# SOURCE - VARCHAR 256
# identification of an attack source/origin according to source_type
$source = "123.123.123.123";
# TARGET_PROTO - VARCHAR 16
# Protocol type of reported attack/issue target. Supported are all L3 and L4
# protocols and null.
$target_proto = "TCP";
# TARGET_PORT - INT 2
# Port number of reported attack/issue target or null.
$target_port = "22";
# ATTACK_SCALE - INT 4
# Definition of attack scale, e.g., number of affected targets. Null is also
# possible when attack scale is not known or clear enough.
$attack_scale = "1234567890";
# NOTE - TEXT
# Some important(!) note or comment or null. Also, it may contain virus
# sample, phishing e-mail with headers and other accordingly to event type.
$note = "this threat is dangerous";
# PRIORITY - INT 1
# Subjective definition of incident severity. Values 0-255 or null are
# possible where 0 is the lowest priority.
$priority = "null";
# TIMEOUT - INT 2
# Subjective time (in minutes) or null. After this time event might be
# considered timeouted.
$timeout = "20";
The return value of function SaveNewEvent is 1 when an event was
successfully received by the Warden server. Otherwise, the return value
is 0.
2. WardenClientReceive::getNewEvents
A function to download batch of events from the Warden server. Received
events are stored in @events array. See example 'Receiver' client in
warden-client/doc/example-receiver.pl.txt
Function call (perl):
# Path to warden-client directory
my $warden_path = '/opt/warden-client';
# Inclusion of warden-client receiving functionality
require $warden_path . '/lib/WardenClientReceive.pm';
# Definition of requested event type. Type must be the same with this
# provided in 'Receiver' client registration. See more about this issue in
# section C. Registration. See more about event types in section
# I. 1. WardenClientSend::saveNewEvent
$requested_type = "botnet_c_c";
# Download batch of new events from the Warden server
@new_events = WardenClientReceive::getNewEvents($warden_path,
$requested_type);
Structure of each received event in the event array equals to those
explained in section I. 1. WardenClientSend::saveNewEvent. It has one
additional attribute ID - unique id of this particular event (BIGINT).
--------------------------------------------------------------------------------
J. Authors
Development: Tomas PLESNIK <plesnik@ics.muni.cz>
Jan SOUKAL <soukal@ics.muni.cz>
Copyright (C) 2011-2012 Cesnet z.s.p.o
Special thanks go to Martin Drasar from CSIRT-MU for his help and support
in the development of the Warden system.
src/warden-client/doc/README.cesnet deleted 100644 → 0
View file @ be94e0fe
+-------------------------------------+
| README.cesnet - Warden Client 1.1.0 |
| |
| CESNET Specifics |
+-------------------------------------+
Content
A. Overall Information
B. Registration
C. Description tags
D. Types of events
E. Configuration
F. Testing
G. Authors of this document
--------------------------------------------------------------------------------
A. Overall Information
1. About CESNET Warden Server
Warden is a client-based architecture service designed to share detected
security events (issues) among CSIRT and CERT teams in a simple and fast way.
CESNET offers Warden server for security events exchange within its networks.
2. Version
1.1.0 (2012-02-06)
--------------------------------------------------------------------------------
B. Registration
Client attempting to communicate with CESNET Warden server must be
registered. Registration is currently provided by Tomas Plesnik at
mail address plesnik@ics.muni.cz and following information is needed:
* For sender client:
- hostname of the machine, where client runs,
- client type = sender,
- name of the detection service (for example 'ScanDetector'),
- description tags of sent events (see below)
- CIDR from which client will communicate with Warden server.
* For receiver client:
- hostname of the machine, where client runs,
- client type = receiver,
- type of requested events (for example 'portscan', see below)
- receiving of sent events from my organization = yes/no (organizations
are separated based on the top-level and second-level domain),
- CIDR from which client will communicate with Warden server.
Clients need to have valid certificate to prove their identity to the
Warden server. For CESNET network, 'server' type certificate from Terena
Certificate Service (provided by Comodo) is needed. Hostname of the
machine must correspond with certificate subject, Alternative Name
extension is not supported. Administrator of Warden client must be
entitled to obtain this certificate. CESNET TCS request service
interface resides at
https://tcs.cesnet.cz/
--------------------------------------------------------------------------------
C. Description tags
Tags are case insensitive alphanumeric strings, designed to allow event
receivers to do more general filtering according to event source. Receiver
can for example decide to use only events originating at honeypots, or
filter out events, generated by human conclusions or correlation engines.
Sender client specifies its descriptive tags during registration, it is
up to client administrator's judgment to select or omit any particular tag.
Currently tags fall into four general categories - based on event medium,
data source, detection methodology and detector or analyzer product name.
Product name tag is free to choose if same product name was not yet
accepted by registrar, otherwise existing form must be used (registrar will
notify about such cases).
Categories list is certainly not complete. Therefore if new client's
administrator feels that name or type of important feature of his (or
others) detector is not covered, providers of Warden server are glad to
discuss it at registration address or at Warden project mailing list
(warden@cesnet.cz).
However, it may or may not be accepted, as aim is to keep the list of
categories possibly unambiguous, short and usable.
Following is grouped list of tags together with closer description and
examples.
1. Detection medium
* Network - network data based (Snort, Suricata, Bro, FTAS, LaBrea, Kippo)
* Host - host based (Swatch, Logcheck)
* Correlation - corellation engines (Prelude, OSSIM)
* External - credible external sources (incident reporting, ticket
systems, human verified events)
2. Data source
* Content - datagram content based detectors (Snort, Bro)
* Flow - netflow based (FTAS, FlowMon)
* Connection - connection data (portscan, portsweep)
* Data - application data based (SpamAssassin, antiviruses)
* Log - based on system logs, where more specific source is not
applicable (Swatch, Logcheck, SSH scans)
* IR - incident reporting, ticket systems, human verified events
3. Detection methodology
* Honeypot (LaBrea, Kippo, Dionaea)
* Antispam (SpamAssassin, Bogofilter, CRM114, Policyd, greylisting)
* Antivirus (ClamAV)
* IDS - IDS/IPS, Snort, Suricata, Bro
4. Detector/analyzer product name examples
* Snort, FTAS, SpamAssassin, LaBrea, Swatch, Prelude
--------------------------------------------------------------------------------
D. Types of events
Event types purpose is to allow event receivers to filter and/or categorise
particular events according to attack characteristics. Types are loosely
chosen as list of common security incidents nowadays observed. List is by no
means complete, however it was created based on expected use cases at
receiving places. Possibility of a new type is also open to discussion.
* portscan - TCP/UDP port scanning/sweeping
* bruteforce - dictionary/bruteforce attack to services authentication
* spam - unsolicited commercial email (except phishing)
* phishing - email, trying to scam user to revealing personal information
(possibly by some other channel)
* botnet_c_c - botnet command & control master machine
* dos - (possibly distributed) denial of service attack
* malware - virus/malware sample
* copyright - copyright infringement
* webattack - web application attack
* other - the rest, uncategorizable yet
In case of complex scenarios with structured info more events with
particular parts of information can be created.
--------------------------------------------------------------------------------
E. Configuration
CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.
--------------------------------------------------------------------------------
F. Testing
For testing purposes of sender clients, event type 'test' can be used.
These events will end up in server database, but will not be taken
further into consideration.
--------------------------------------------------------------------------------
G. Authors of this document
Pavel Kacha <ph@cesnet.cz>
Jan Soukal <soukal@ics.muni.cz>
Copyright (C) 2011-2012 Cesnet z.s.p.o
src/warden-client/doc/example-receiver.pl.txt deleted 100644 → 0
View file @ be94e0fe
#!/usr/bin/perl -w
#
# Copyright (C) 2011-2012 Cesnet z.s.p.o
# Author(s): Tomas PLESNIK <plesnik@ics.muni.cz>
# Jan SOUKAL <soukal@ics.muni.cz>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in
# the documentation and/or other materials provided with the
# distribution.
# 3. Neither the name of the Cesnet z.s.p.o nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# This software is provided ``as is'', and any express or implied
# warranties, including, but not limited to, the implied warranties of
# merchantability and fitness for a particular purpose are disclaimed.
# In no event shall the Cesnet z.s.p.o or contributors be liable for
# any direct, indirect, incidental, special, exemplary, or consequential
# damages (including, but not limited to, procurement of substitute
# goods or services; loss of use, data, or profits; or business
# interruption) however caused and on any theory of liability, whether
# in contract, strict liability, or tort (including negligence or
# otherwise) arising in any way out of the use of this software, even
# if advised of the possibility of such damage.
#
use strict;
#------------------------------------------------------------------------------
# Warden 1.1.0. Client, Receiver, Example
#
# Simple use of warden-client receiver functionality to download new events
# from # Warden server. This code illustrates how to integrate warden-client
# receive functionality into local applications.
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# This code should developer add into his/her application.
# Path to warden-client directory
my $warden_path = '/opt/warden-client';
# Inclusion of warden-client receiving functionality
require $warden_path . '/lib/WardenClientReceive.pm';
# Definition of requested event type. This attributes is also set on server
# and must not change.
my $requested_type = "botnet_c_c";
# Download of new evetns from Warden server
my @new_events = WardenClientReceive::getNewEvents($warden_path, $requested_type);
#------------------------------------------------------------------------------
# Simple code that prints out new events obtained from Warden server.
print "+------------------------------------------------------------------------------------------------------------------------------------------+\n";
print "| id | hostname | service | detected | type | source_type | source | target_proto | target_port | attack_scale | note | priority | timeout |\n";
print "+------------------------------------------------------------------------------------------------------------------------------------------+\n";
foreach (@new_events) {
print "| " . join(' | ', @$_) . " |" . "\n";
}
print "+------------------------------------------------------------------------------------------------------------------------------------------+";
print "\n";
print "Last events in: " . scalar(localtime(time)) . "\n";
exit 0;