Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • Pavel.Valach/warden
1 result
Show changes
Hide whitespace changes
Inline Side-by-side
Showing
with 0 additions and 1369 deletions
src/contrib/warden-app/bin/warden-factory.pl deleted 100755 → 0
View file @ d2f37ebe
#!/usr/bin/perl
use strict;
use warnings;
use FindBin qw($Bin);
use lib "$Bin/../";
use WardenApp::DB;
use WardenApp::Factory;
use Config::Simple;
use WardenApp::Constants;
use constant RECEIVER_SECTION => 'receiver';
use constant DB_CONFIG_FILE => "$Bin/../etc/db.conf";
use constant RECV_CONFIG_FILE => "$Bin/../etc/receiver.conf";
use constant GENERAL_CONFIG_FILE => "$Bin/../etc/factory.conf";
my $cfg = new Config::Simple;
$cfg->read(GENERAL_CONFIG_FILE) or die $cfg->error();
my $cfg_rcv = new Config::Simple;
$cfg_rcv->read(RECV_CONFIG_FILE) or die $cfg_rcv->error();
my $cfg_db = new Config::Simple;
$cfg_db->read(DB_CONFIG_FILE) or die $cfg_db->error();
my $db_engine = Constants::assignValue("DB.dbengine", $cfg_rcv, RECEIVER_SECTION);
my $dbh = DB::connectDB($cfg_db, $db_engine);
if(not defined $dbh) {
exit 0;
}
if(defined $ARGV[0] and $ARGV[0] ne "") {
if(Factory::runModule($ARGV[0], $cfg, $dbh, $db_engine)) {
exit 1;
}
else {
exit 0;
}
}
else {
print "Use module's name as parameter", "\n";
exit 0;
}
DB::closeDB($dbh);
src/contrib/warden-app/bin/warden-receiver.pl deleted 100755 → 0
View file @ d2f37ebe
#!/usr/bin/perl -w
use strict;
use warnings;
use FindBin qw($Bin);
use lib "$Bin/../";
use Config::Simple;
use WardenApp::DB;
use WardenApp::Receiver;
use WardenApp::Constants;
use constant GENERAL_CONFIG_FILE => "$Bin/../etc/receiver.conf";
use constant DB_CONFIG_FILE => "$Bin/../etc/db.conf";
use constant RECEIVER_SECTION => 'receiver';
use constant DEFAULT_REQ_ALL => undef;
use constant TRUE => 1;
use constant FALSE => 0;
use Data::Dumper;
my $cfg = new Config::Simple;
$cfg->read(GENERAL_CONFIG_FILE) or exit 0;
my $cfg_db = new Config::Simple;
$cfg_db->read(DB_CONFIG_FILE) or exit 0;
my @general_method = Constants::assignValue('GENERAL.method', $cfg, RECEIVER_SECTION);
my $general_method_stdout = (grep (/stdout/, @general_method) ? TRUE : FALSE);
my $general_method_file = (grep (/file/, @general_method) ? TRUE : FALSE);
my $general_method_db = (grep (/db/, @general_method) ? TRUE : FALSE);
my $warden_path = Constants::assignValue('GENERAL.wardenpath', $cfg, RECEIVER_SECTION);
my $requested_type = Constants::assignValue('GENERAL.requested_type', $cfg, RECEIVER_SECTION);
$requested_type = DEFAULT_REQ_ALL if $requested_type eq "";
my $logfile = Constants::assignValue('GENERAL.logfile', $cfg, RECEIVER_SECTION);
my $db_engine = Constants::assignValue('DB.dbengine', $cfg, RECEIVER_SECTION);
my $dbh = DB::connectDB($cfg_db, $db_engine) if $general_method_db;
my $file_ref = Receiver::openfile($cfg) if $general_method_file;
require $warden_path . '/lib/WardenClientReceive.pm';
# Download of new evetns from Warden server
while (my @new_events = WardenClientReceive::getNewEvents($warden_path, $requested_type)) {
foreach my $event_ref (@new_events) {
if($general_method_stdout) {
Receiver::printToStdout($event_ref);
}
if($general_method_file) {
Receiver::saveToFile($file_ref, $event_ref);
}
if($general_method_db) {
Receiver::saveToDB($dbh, $event_ref, $db_engine);
}
}
}
DB::closeDB($dbh) if $general_method_db;
Receiver::closeFile($file_ref) if $general_method_file;
src/contrib/warden-app/doc/WApp.README deleted 100644 → 0
View file @ d2f37ebe
+-------------------------------+
| README - WardenApp (WApp) 0.1 |
+-------------------------------+
Content
A. Overall Information
B. Installation Dependencies
C. Installation
D. Uninstallation
E. Configuration
F. Modules
G. Run
H. The requirements of modules
X. Tutorial: Running of the WApp along with the database backend
XX. Tutorial: Writing your own module
--------------------------------------------------------------------------------
A. Overall Information
1. About WardenApp
Warden is a client-based architecture service designed to share detected
security events (issues) among CSIRT and CERT teams in a simple and fast
way.
WardenApp included in this package is an extension of classical Warden Client.
It allows automated evaluation received data and generates base of data for
another tools or just allows generating reports for human checking.
2. Version
0.1 (2013-03-20)
3. Package structure
warden-app/
|-- bin
| |-- warden-cleaner.pl
| |-- warden-factory.pl
| `-- warden-receiver.pl
|-- doc
| |-- WApp.cron
| `-- WApp.README
|-- etc
| |-- cleaner.conf
| |-- db.conf
| |-- factory.conf
| `-- receiver.conf
|-- Modules
| |-- DNSblacklist.pm
| |-- IPblacklist.pm
| |-- IPtables.pm
| |-- IPset.pm
| `-- MailReport.pm
|-- sh
| |-- create_tables_mysql.sh
| `-- create_tables_sqlite.sh
`-- WardenApp
|-- Constants.pm
|-- DB.pm
|-- Factory.pm
|-- Receiver.pm
`-- Utils.pm
--------------------------------------------------------------------------------
A1. Essence of WardenApp
The core consists of three parts with this specific functions:
Receiver - Receives data and stores it in the selected location (stdout, file, db [sqlite, MySQL])
Factory - Generates output that is requested. In short, it processes the data from the database
and generates an output dependent on the module. More about modules in section X.
Cleaner - Erases old unnecessary events.
Each part is represented by a Perl script that runs at defined intervals by the cron daemon. See
section H.
--------------------------------------------------------------------------------
B. Installation Dependencies
Perl >= 5.10.1
Config::Simple >= 4.59-5
DBI
Supported drivers for DBI are DBD::mysql and DBD::SQLite.
--------------------------------------------------------------------------------
C. Installation
1. Check SHA1 checksum of corresponding WardenApp package archive
$ sha1sum -c warden-app-0.1.tar.gz.sig
2. Untar it
$ tar xzvf warden-app-0.1.tar.gz
3. Just copy
Copy to any directory. For simplicity, use the default location of the Warden
project (/opt).
4. Installation Privileges
The Warden client is designed to be run under standard privileges. It should
be a part of other applications that are run under usual user privileges.
5. Configuration files
The files are located in directory 'conf'. For defails, see section E.
6. Initialize database backend
WApp has interface for use MySQL or sqlite as database engine. Preparing
for the basic database structure can use the scripts from 'bin' directory.
MySQL - create_tables_mysql.sh
sqlite - create_tables_sqlite.sh
--------------------------------------------------------------------------------
D. Uninstallation
Simply delete all files from WardenApp's installation directory.
Optionally delete database if you used this choice.
--------------------------------------------------------------------------------
E. Configuration
All configuration files are placed in 'conf' directory. File 'factory.conf'
is used for configuration each of modules, other 'db.conf', 'receiver.conf'
and 'cleaner.conf' are used for general purposes.
Each of configuration parameters is described directly in configuration file.
--------------------------------------------------------------------------------
F. Modules
Modules are placed in 'Modules' directory. Module is assigned to specific configuration
section in 'conf/facory.conf' file.
This package includes these modules with these specific functions:
DNSblacklist - generates zone file for the most widely used DNS software on the Internet.
IPblacklist - generates traditional CSV file with IP addresses.
IPtables - generates iptables rules.
IPset - generates ipset rules (use on big sets of addresses rather than iptables).
MailReport - generates reports which are sent to specific recipients.
Section XX. describes how to write own module.
Some modules require additional requirements for their proper functioning. Specific
examples are described in section H.
--------------------------------------------------------------------------------
G. Run
1. Receiver
Usage: warden-receiver.pl
2. Factory
Usage: warden-factory.pl MODULE_CONF_NAME
MODULE_CONF_NAME
Represents specific configuration section placed in 'factory.conf'. Each of modules
can have more configuration alternatives which are distinguished by name.
For simple call of individual modules is possible use prepared cron script
placed in 'etc/cron.d/' directory.
*WARNING: When generating a report using cron, the interval in configuration file and
interval in cron script must be IDENTICAL, otherwise a result may be INACCURATE.
3. Cleaner
Usage: warden-cleaner.pl
--------------------------------------------------------------------------------
H. The requirements of modules
These modules require an initial steps:
1. IPtables
Redirect of specific traffic to chain specified in the configuration.
If the 'chainname="BLOCK"' option is used and you are interested in SSH attackers (tcp/22),
it's necessary use these commands:
iptables -N BLOCK
iptables -I INPUT 1 --protocol tcp --dport 22 --jump BLOCK
2. IPset
Initialize the new set and create a blocking rule in iptables.
If the 'setname="BLOCK"' and 'outputfile="rules.txt"' options are used and and you are
interested in SSH attackers (tcp/22) it's necessary use these commands:
ipset --create BLOCK iphash
iptables -I INPUT 1 --protocol tcp --dport 22 -m set --match-set BLOCK src --jump DROP
Change of the rules using script consume a lot of CPU resources, so it is necessary
to use a pipe:
ipset - < rules.txt
--------------------------------------------------------------------------------
X. Tutorial: Running of the WApp along with the database backend
1. Database engine configuration (conf/db.conf)
[SQLITE]
db="var/warden.db"
user=
pass=
2. Receiver configuration (conf/receiver.conf)
[GENERAL]
method="db"
wardenpath="/opt/warden-client"
# Type of event which will be requested. To get all types of event, leave this option blank.
requested_type=
[DB]
dbengine="sqlite"
3. Factory configuration, IPtables module (conf/factory.conf)
[MOD_IPTABLES_1]
enabled="yes"
module="IPtables"
outputfile="tmp/iptables.txt"
threshold="10"
excludedip="1.1.1.1","2.2.2.2"
eventtype=
chainname="BLOCK"
destchain="DROP"
maxage="4M"
4. Cleaner configuration (conf/cleaner.conf)
[GENERAL]
method="db"
maxage="5D"
5. Run
I. Manually
# ./warden-receiver.pl
# ./warden-factory.pl MOD_IPTABLES_1
# ./warden-cleaner.pl
II. Regularly using cron (example in etc/cron.d/wardenapp)
SCRIPT_PATH=/opt/warden-app/
*/5 * * * * root cd $SCRIPT_PATH; ./warden-receiver.pl
21 * * * * root cd $SCRIPT_PATH; ./warden-factory.pl MOD_IPTABLES_1
1 1 * * * root cd $SCRIPT_PATH; ./warden-cleaner.pl
--------------------------------------------------------------------------------
X. Tutorial: Writing your own module
The base for modules is interface with hashes '%CONSTANTS', '%FORMAT' and sub 'run()'.
Both of them has to be implemented. Modules are placed in 'Modules' directory.
sub run() - Main subroutine, which is always called from the parent's environment.
%CONSTANTS - Variable with all supported options and their default values.
%FORMAT - Regexp for variables which must have a specific format.
IPtables module more deeply
===========================
1. Defining configuration parameters
All configuration options with their default values are stored in %CONSTANTS hash.
my %CONSTANTS = (
enabled => "no",
outputfile => "tmp/iptables.txt",
threshold => 250,
excludedip => [],
eventtype => [],
chainname => "BLOCK",
destchain => "DROP",
maxage => "1D",
);
In this case is used parameter maxage which must be in format '\d+[hdmHDM]'. Then it is
possible use '%FORMAT' hash to enforce specific format, otherwise will be used default
value from '%CONSTANTS'.
my %FORMAT = ( maxage => qr/\d+[hdmHDM]/, );
2. Implementation of the main function
I. The usual start function, reading the parameters from the parent function and retrieving
values from the config file.
sub run {
my (undef, $modprefix, $cfg, $dbh, $db_engine) = @_;
my $v = Constants::mergeConfigs($cfg, $modprefix, \%CONSTANTS, \%FORMAT);
II. Creating of string with database query. It is possible use built-in routines like joinIN,
joinNotIN, getOldDataDB or getQueryCondThreshold.
my $eventtype_query = DB::joinIN("type", \@{$v->{'eventtype'}});
my $excluded_query = DB::joinNotIN("source", \@{$v->{'excludedip'}});
my $condition = substr($excluded_query . $eventtype_query, 0, -5);
my @columns= ("source");
my @params = ($condition, DB::getOldDataDB($db_engine, "NEWER", $v->{'maxage'}));
my $query = DB::getQueryCondThreshold($db_engine, "events", \@columns, \@params, $v->{'threshold'});
III. Executing of created query and storing result to array.
my @rows = Utils::fetchall_array_hashref($dbh, $query);
IV. Implementing of subroutines 'header', 'record' and 'footer'. References to these functions
can be used like parameter in routine, which generates the final output. Mentioned routines
can get configuration values as a parameter and in addition, 'record' gets value of actual
record in loop over result of query.
sub header { my $v = shift; return "/sbin/iptables -F $v->{'chainname'}\n"; };
sub record { my ($r, $v) = @_; return "/sbin/iptables -A $v->{'chainname'} -s $r->{'source'}/32 -j $v->{'destchain'}\n"; };
my $ret = Utils::generateOutput($v->{'outputfile'}, \@rows, \&header, \&record, undef, $v);
V. Exit code is returned to parent.
return $ret;
}
--------------------------------------------------------------------------------
Copyright (C) 2013 Cesnet z.s.p.o
src/contrib/warden-app/doc/WApp.cron deleted 100644 → 0
View file @ d2f37ebe
#+--------------------------- minute [0-59;*/10 means every 10 minutes (0,10,20,30,40,50)]
#| +------------------- hour [0-23]
#| | +--------------- day of month [1-31]
#| | | +------------- month [1-12]
#| | | | +----------- day of week [0-7; 0 or 7 is Sunday]
#| | | | | +-------- user
#| | | | | | +-- command
#| | | | | | |
SCRIPT_PATH=/opt/warden-app/
*/5 * * * * root cd $SCRIPT_PATH; ./warden-receiver.pl
21 * * * * root cd $SCRIPT_PATH; ./warden-factory.pl MOD_IPTABLES_1
21 * * * * root cd $SCRIPT_PATH; ./warden-factory.pl MOD_BLACKLISTIP_1
1 1 * * * root cd $SCRIPT_PATH; ./warden-cleaner.pl
src/contrib/warden-app/etc/cleaner.conf deleted 100644 → 0
View file @ d2f37ebe
#CLEANER configuration file
[GENERAL]
#What will be cleaned; [db]
method="db"
#How old events will be deleted [D - Days, M - Months, H - Hours];
maxage="5M"
src/contrib/warden-app/etc/db.conf deleted 100644 → 0
View file @ d2f37ebe
#DB configuration file
[SQLITE]
# Path to sqlite database file
db="/root/warden/src/contrib/warden-app/var/warden.db"
# Username
user=
# Password
pass=
[MYSQL]
# Name of MySQL database
db="warden2"
# Username
user="root"
# Password
pass=
# Hostname or IP of MySQL server
host="localhost"
# Port
port="3306"
src/contrib/warden-app/etc/factory.conf deleted 100644 → 0
View file @ d2f37ebe
#FACTORY configuration file
[GENERAL]
# Directory with modules
moddir="Modules"
[MOD_BLACKLISTIP_1]
# Enabling module [yes, no]
enabled="yes"
# Type of module; see 'moddir' directory
module="IPblacklist"
# Where will be result stored
outputfile="/root/warden/src/contrib/warden-app/tmp/blacklist.csv"
# Threshold for SQL query (events grouped by source IP) [number]
threshold="2"
# Which source IP we want to exclude from result [ip1, ip2, ipN]
excludedip="147.228.1.70","147.228.1.61"
# Which type of events we want to process [ see Warden manual ]
eventtype="portscan","bruteforce","spam"
# Time interval for generating data [D - Days, M - Months, H - Hours];
maxage="10M"
[MOD_IPTABLES_1]
# Enabling module [yes, no]
enabled="yes"
# Type of module; see 'moddir' directory
module="IPtables"
# Where will be result stored
outputfile="/root/warden/src/contrib/warden-app/tmp/iptables2.txt"
# Threshold for SQL query (events grouped by source IP) [number]
threshold="10"
# Which source IP we want to exclude from result [ip1, ip2, ipN]
excludedip="1.1.1.1"
# Which type of events we want to process [ see Warden manual ]
eventtype=
# Chain in which will be iptables rules inserted
chainname="BLOCK"
# Default chain after -j (jump) statement
destchain="DROP"
# Time interval for generating data [D - Days, M - Months, H - Hours];
maxage="4M"
[MOD_IPSET_1]
# Enabling module [yes, no]
enabled="yes"
# Type of module; see 'moddir' directory
module="IPset"
# Where will be result stored
outputfile="/root/warden/src/contrib/warden-app/tmp/ipset.txt"
# Threshold for SQL query (events grouped by source IP) [number]
threshold="10"
# Which source IP we want to exclude from result [ip1, ip2, ipN]
excludedip="1.1.1.1"
# Which type of events we want to process [ see Warden manual ]
eventtype=
# Chain in which will be iptables rules inserted
setname="BLOCK"
# Time interval for generating data [D - Days, M - Months, H - Hours];
maxage="4M"
[MOD_DNSBL_1]
# Enabling module [yes, no]
enabled="yes"
# Type of module; see 'moddir' directory
module="DNSblacklist"
# Where will be result stored
outputfile="/root/warden/src/contrib/warden-app/tmp/dnsbl2.txt"
# Default target for blacklisted A record
target="127.0.0.2"
# Threshold for SQL query (events grouped by source IP) [number]
threshold="0"
# Which source IP we want to exclude from result [ip1, ip2, ipN]
excludedip=
# Which type of events we want to process [ see Warden manual ]
eventtype=
# Chain in which will be iptables rules inserted
maxage="10M"
# Default TTL for DNS zone file
ttl="3600"
# DNS name of zone
zone="@"
# SOA authoritative DNS server for zone
dns="dns3.example.com"
# SOA hostmaster's e-mail
hostmaster="hostmaster@example.com"
# SOA refresh value [s]
refresh="1800 ; refresh (30 minutes)"
# SOA retry value [s]
retry="600 ; retry (10 minutes)"
# SOA expire value [s]
expire="1209600 ; expire (2 weeks)"
# SOA minimum value [s]
minimum="86400 ; minimum (1 day)"
[MOD_MREPORT_1]
# Enabling module [yes, no]
enabled="yes"
# Type of module; see 'moddir' directory
module="MailReport"
# Tool for send e-mails [sendmail,ssmtp]
tool="sendmail"
# Senders address
sender="wardenapp@domena.cz"
# Recipient addresses
recipients="kostenec@zcu.cz","kostenec@civ.zcu.cz"
# Subject of e-mail; leave blank for subject like [MOD_NAME (Warden-app) on HOSTNAME
subject=""
# E-mail signature
signature="XXX Incidents Response Team (XIRT)"
# List of excluded sensors
excludedsensor=
# Watched network subnets [syntax LIKE subnet%]
subnets="147.228."
# Threshold for SQL query (events grouped by source IP) [number]
threshold="0"
# Which source IP we want to exclude from result [ip1, ip2, ipN]
excludedip="147.228.209.171","147.228.1.61"
# Which type of events we want to process [ see Warden manual ]
eventtype=
# Chain in which will be iptables rules inserted
maxage="3M"
# All records will be sent in one summarized e-mail or one e-mail per record [yes,no]
summary="yes"
src/contrib/warden-app/etc/receiver.conf deleted 100644 → 0
View file @ d2f37ebe
#RECEIVER configuration file
[GENERAL]
# Where will be received events stored [stdout,file,db]
method="stdout","file","db"
# Path to Warden client
wardenpath="/opt/warden-client"
# Type of event which will be requested. To get all types of event, leave this option blank.
requested_type=
[FILE]
# Where will be received results stored
directory="/root/warden/src/warden-app/var/fileout/"
# How we will handle files
# append - one file named by 'appendfilename' param,
# newfile - new file for every client's call in dd-mm-yyyy_hh_mm ended by 'extension' param
method="append"
# Name of file when method 'append' will be chosen
appendfilename="warden-received"
# Extension of file when method 'newfile' or 'append' will be chosen
extension="csv"
[DB]
# Database engine in which will be received events stored
dbengine="sqlite"
src/contrib/warden-app/sh/create_tables_mysql.sh deleted 100755 → 0
View file @ d2f37ebe
#!/bin/bash
USER=$1
DB=$2
if [ $# -ne 2 ]; then
echo "Usage: $0 username dbname"
exit -1
fi
# create table events
echo "CREATE TABLE \`events\` (
\`id\` int(11) NOT NULL AUTO_INCREMENT,
\`hostname\` varchar(256) DEFAULT NULL,
\`service\` varchar(64) DEFAULT NULL,
\`detected\` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
\`type\` varchar(64) DEFAULT NULL,
\`source_type\` varchar(64) DEFAULT NULL,
\`source\` varchar(256) DEFAULT NULL,
\`target_proto\` varchar(16) DEFAULT NULL,
\`target_port\` int(2) DEFAULT NULL,
\`attack_scale\` int(4) DEFAULT NULL,
\`note\` text,
\`priority\` int(1) DEFAULT NULL,
\`timeout\` int(2) DEFAULT NULL,
PRIMARY KEY (\`id\`)
) ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1;" | mysql -u$USER -p $DB
exit 0
src/contrib/warden-app/sh/create_tables_sqlite.sh deleted 100755 → 0
View file @ d2f37ebe
#!/bin/bash
db_file=$1
if [ $# -ne 1 ]; then
echo "Usage: $0 dbfile"
exit -1
fi
# create table events
sqlite3 $db_file "CREATE TABLE events (id INTEGER, hostname VARCHAR(256), service VARCHAR(64), detected TIMESTAMP, type VARCHAR(64), source_type VARCHAR(64), source VARCHAR(256), target_proto VARCHAR(16), target_port INT(2), attack_scale INT(4), note TEXT, priority INT(1), timeout INT(2));"
exit 0
src/contrib/warden-client-nosoap/doc/AUTHORS deleted 100644 → 0
View file @ d2f37ebe
AUTHORS AND MAINTAINERS :
PROJECT ARCHITECTS:
Pavel Kacha <ph@cesnet.cz>
Andrea Kropacova <andrea@cesnet.cz>
Jan Vykopal <vykopal@cesnet.cz>
MAIN DEVELOPERS:
Michal Kostenec <kostenec@cesnet.cz>
Tomas Plesnik <plesnik@cesnet.cz>
Jan Soukal <soukal@cesnet.cz>
TESTING:
Jakub Cegan <jakubcegan@cesnet.cz>
CONTRIBUTORS:
Radoslav Bodo <bodik@civ.zcu.cz>
Martin Drasar <drasar@ics.muni.cz>
Vit Slama <slama@cis.vutbr.cz>
COMMUNITY:
Radomir Orkac <orkac@cesnet.cz>
Daniel Studeny <Daniel.Studeny@cesnet.cz>
Pavel Vachek <Pavel.Vachek@cesnet.cz>
Martin Zadnik <izadnik@fit.vutbr.cz>
src/contrib/warden-client-nosoap/doc/CHANGELOG deleted 100644 → 0
View file @ d2f37ebe
2013-11-28 v.2.2-nosoap-alpha2
--------------------------------------------------------------------------------
- replaced SOAP::Lite and LWP::Protocol::https by own Warden specific soap/http
client based on Net::SSLeay and XML::Parser
2012-12-?? v.2.2-beta version
--------------------------------------------------------------------------------
- Added support of connection timeout interval (#925)
- Added new getClientInfo() function allowing the client to see (#609)
information regarding other involved clients
- Enhanced handling of errors. Die() functions are removed from (#599)
the code, errors are handled using return values.
2013-02-05 v.2.1 stable
--------------------------------------------------------------------------------
- Minor changes in documentation
2012-11-05 v.2.1-beta version
--------------------------------------------------------------------------------
- Added WardenClientCommon.pm package containing error-handling and
connect-to-server functions
- Installation of Warden client does not require copying of certificates
and keys (#553)
- Enhanced error messages (#552)
- Reading of configuration file enhanced (#533)
- Added protection from unexpected results in XML data returned from
server (#532)
- Added support for error (debug) logging via STDERR and/or Syslog (#520,#522)
- Receiving of all types of messages now supported
- Unexpected errors does not crush the client application (#519)
- Maximum number of events received ($MAX_RCV_EVENTS_LIMIT) in one
batch can be set in etc/warden-client.conf. Default is 6000. (#504)
- Added support for batch processing (#504)
2012-07-27 v.2.0 stable version and bugfix release of warden-client-2.0.0-beta
--------------------------------------------------------------------------------
- Sender client code fixed, so that it will not terminate "parent"
application when crashed
2012-05-10 v.2.0.0-beta beta version of warden-client-2.0.0
--------------------------------------------------------------------------------
- Changed communication with server: HTTP layer added (compatible with
Apache mod_perl version of Warden server)
- Removed Linux version check in install.sh, unistall.sh and update.sh
- Removed shell (BASH) dependencies in install.sh, unistall.sh and update.sh
2012-03-30 v1.2.0 stable version and bugfix release of warden-client-1.1.0
--------------------------------------------------------------------------------
- Fixed SSL certificate/key access privileges security issue
- Fixed client crash after multiple events download
- Fixed install.sh crash when warden client installation dictionary doesn't exist
- Fixed configuration error in permission access to etc directory in update.sh
- Fixed bug in backup process in update.sh
- Fixed several small bugs/issues
2012-02-06 v1.1.0 stable version and bugfix release of warden-client-1.0.0
--------------------------------------------------------------------------------
- Fixed bug when receiving of events
- Fixed earlier declaration in same scope of variable $data
- Fixed errMsg function -> finishing by the die function
- Added client configuration module WardenClientConf.pm
- Added error message when warden server is down
- Added README.cesnet (CESNET Specifics) file
- Added uninstallation script -> uninstall.sh
- Added update script -> update.sh
- Fixed several small bugs/issues
2011-11-16 v1.0.0 stable version
--------------------------------------------------------------------------------
- Initial package of warden client
- SSL certificate authentication/authorization supported
- Automatized installation process
src/contrib/warden-client-nosoap/doc/INSTALL deleted 100644 → 0
View file @ d2f37ebe
This code is experimental and does not yet have streamlined instalation.
Simply copy the tree into desired place (usually /opt/warden-client, or
preferably /opt/warden-client-nosoap), add necessary certificates, edit
etc/warden-client.conf to your liking and from your application import
library and call the API exactly the same way you did with original SOAP
client (see the readme or examples in doc directory).
src/contrib/warden-client-nosoap/doc/README deleted 100644 → 0
View file @ d2f37ebe
+------------------------------------------+
| README - Warden Client 2.2-nosoap-alpha2 |
+------------------------------------------+
WARNING - this code is experimental and especially documentation may not
exactly reflect the exact state of affairs.
Content
A. Overall Information
B. Installation Dependencies
C. Installation, Configuration, Registration, Usage
--------------------------------------------------------------------------------
A. Overall Information
1. About Warden Client
Warden is a client-based architecture service designed to share detected
security events (issues) among CSIRT and CERT teams in a simple and fast
way.
This package offers a client capable of both reporting events to server and
retreiving batch of new events from server. It consists of several Perl
modules/libraries which should be included into detection applications.
This is experimental version of Warden client without dependence on
SOAP::Lite and LWP::Protocol::https. However it is designed to work with
existing SOAP capable Warden server and expose exactly the same API as
SOAP::Lite based client (so there's no need for any changes in existing
applications whatsoever).
--------------------------------------------------------------------------------
B. Installation Dependencies
Perl >= 5.10.1
Net::SSLeay >= 1.55
XML::Parser >= 2.41
FindBin >= 1.50
DateTime >= 0.61
Carp >= 1.11
--------------------------------------------------------------------------------
C. Installation, Configuration, Registration, Usage
This code is experimental and does not yet have streamlined instalation.
Simply copy the tree into desired place (usually /opt/warden-client, or
preferably /opt/warden-client-nosoap), add necessary certificates, edit
etc/warden-client.conf to your liking and from your application import
library and call the API exactly the same way you did with original SOAP
client (see the readme or examples in doc directory).
For configuration, registration and usage please refer to documentation
of original SOAP based Warden client.
--------------------------------------------------------------------------------
Copyright (C) 2011-2013 Cesnet z.s.p.o
src/contrib/warden-client-nosoap/doc/README.cesnet deleted 100644 → 0
View file @ d2f37ebe
+-----------------------------------+
| README.cesnet - Warden Client 2.1 |
| |
| CESNET Specifics |
+-----------------------------------+
Content
A. Overall Information
B. Registration
C. Description tags
D. Types of events
E. Configuration
F. Testing
G. Authors of this document
--------------------------------------------------------------------------------
A. Overall Information
1. About CESNET Warden Server
Warden is a client-based architecture service designed to share detected
security events (issues) among CSIRT and CERT teams in a simple and fast way.
CESNET offers Warden server for security events exchange within its networks.
2. Version
2.1 (2013-02-05)
--------------------------------------------------------------------------------
B. Registration
Client attempting to communicate with CESNET Warden server must be
registered. Registration is currently provided by Tomas Plesnik at
mail address plesnik@ics.muni.cz and following information is needed:
* For sender client:
- hostname of the machine, where client runs,
- client type = sender,
- name of the detection service (for example 'ScanDetector'),
- description tags of sent events (see below)
- CIDR from which client will communicate with Warden server.
* For receiver client:
- hostname of the machine, where client runs,
- client type = receiver,
- whether client should receive all events, or type of requested
events (for example 'portscan', see below) otherwise
- receiving of sent events from my organization = yes/no (organizations
are separated based on the top-level and second-level domain),
- CIDR from which client will communicate with Warden server.
Clients need to have valid certificate to prove their identity to the
Warden server. For CESNET network, 'server' type certificate from Terena
Certificate Service (provided by Comodo) is needed. Hostname of the
machine must correspond with certificate subject, Alternative Name
extension is not supported. Administrator of Warden client must be
entitled to obtain this certificate. CESNET TCS request service
interface resides at
https://tcs.cesnet.cz/
--------------------------------------------------------------------------------
C. Description tags
Tags are case insensitive alphanumeric strings, designed to allow event
receivers to do more general filtering according to event source. Receiver
can for example decide to use only events originating at honeypots, or
filter out events, generated by human conclusions or correlation engines.
Sender client specifies its descriptive tags during registration, it is
up to client administrator's judgment to select or omit any particular tag.
Currently tags fall into four general categories - based on event medium,
data source, detection methodology and detector or analyzer product name.
Product name tag is free to choose if same product name was not yet
accepted by registrar, otherwise existing form must be used (registrar will
notify about such cases).
Categories list is certainly not complete. Therefore if new client's
administrator feels that name or type of important feature of his (or
others) detector is not covered, providers of Warden server are glad to
discuss it at registration address or at Warden project mailing list
(warden@cesnet.cz).
However, it may or may not be accepted, as aim is to keep the list of
categories possibly unambiguous, short and usable.
Following is grouped list of tags together with closer description and
examples.
1. Detection medium
* Network - network data based (Snort, Suricata, Bro, FTAS, LaBrea, Kippo,
Dionaea)
* Host - host based (Swatch, Logcheck)
* Correlation - corellation engines (Prelude, OSSIM)
* External - credible external sources (incident reporting, ticket
systems, human verified events)
2. Data source
* Content - datagram content based detectors (Snort, Bro)
* Flow - netflow based (FTAS, FlowMon, HoneyScan)
* Connection - connection data (portscan, portsweep)
* Data - application data based (SpamAssassin, antiviruses)
* Log - based on system logs, where more specific source is not
applicable (Swatch, Logcheck, SSH scans)
* IR - incident reporting, ticket systems, human verified events
3. Detection methodology
* Honeypot (LaBrea, Kippo, Dionaea)
* Antispam (SpamAssassin, Bogofilter, CRM114, Policyd, greylisting)
* Antivirus (ClamAV)
* IDS - IDS/IPS, Snort, Suricata, Bro
4. Detector/analyzer product name examples
* Snort, FTAS, SpamAssassin, LaBrea, Swatch, Prelude, Kippo, Dionaea
--------------------------------------------------------------------------------
D. Types of events
Event types purpose is to allow event receivers to filter and/or categorise
particular events according to attack characteristics. Types are loosely
chosen as list of common security incidents nowadays observed. List is by no
means complete, however it was created based on expected use cases at
receiving places. Possibility of a new type is also open to discussion.
* portscan - TCP/UDP port scanning/sweeping
* bruteforce - dictionary/bruteforce attack to services authentication
* probe - other connection attempts (for example ICMP) or
unrecognized/undecided portscan or bruteforce
* spam - unsolicited commercial email (except phishing)
* phishing - email, trying to scam user to revealing personal information
(possibly by some other channel)
* botnet_c_c - botnet command & control master machine
* dos - (possibly distributed) denial of service attack
* malware - virus/malware sample
* copyright - copyright infringement
* webattack - web application attack
* test - clients can use these at will when debugging/testing, these
messages will be processed and stored, but ignored later
* other - the rest, uncategorizable yet
In case of complex scenarios with structured info more events with
particular parts of information can be created.
--------------------------------------------------------------------------------
E. Configuration
CESNET Warden server resides at URI 'https://warden.cesnet.cz:443/Warden'.
--------------------------------------------------------------------------------
F. Testing
For testing purposes of sender clients, event type 'test' can be used.
These events will end up in server database, but will not be taken
further into consideration.
--------------------------------------------------------------------------------
G. Authors of this document
Pavel Kacha <ph@cesnet.cz>
Jan Soukal <soukal@ics.muni.cz>
Copyright (C) 2011-2013 Cesnet z.s.p.o
src/contrib/warden-client-nosoap/doc/command-line-sender.pl deleted 100755 → 0
View file @ d2f37ebe
#!/usr/bin/perl -w
#
# Copyright (C) 2011-2013 Cesnet z.s.p.o
#
# Use of this source is governed by a BSD-style license, see LICENSE file.
use strict;
use DateTime;
use Getopt::Long;
#-------------------------------------------------------------------------------
# Warden 2.2. Command-line Client, Sender
#
# Command-line warden-client sender. For detailed info how to use particular
# variables and/or values see warden-client/doc/README file.
#-------------------------------------------------------------------------------
#-------------------------------------------------------------------------------
# Preparation of event attributes.
# Mandatory attributes
my $opt_s; # service
my $opt_t = "" . DateTime->from_epoch(epoch => time()) . ""; # time of detection
my $opt_e; # type of detected event
my $opt_o; # event source type
# Optional attributes
my $opt_v = ""; # event source value
my $opt_p = ""; # target protocol
my $opt_r = ""; # target port
my $opt_a = ""; # attack scale
my $opt_n = ""; # note
# Other attributes
my $opt_w = "../../warden-client"; # path to warden directory
my $opt_h; # display help
# Check whether mandatory fields are given. Otherwise print help and exit.
if (!GetOptions("service|s=s" => \$opt_s,
"timestamp|t=s" => \$opt_t,
"event-type|e=s" => \$opt_e,
"source-type|o=s" => \$opt_o,
"source-value|v=s" => \$opt_v,
"proto|p=s" => \$opt_p,
"port|r=i" => \$opt_r,
"attack-scale|a=i" => \$opt_a,
"note|n=s" => \$opt_n,
"warden-dir|w=s" => \$opt_w,
"help|h" => \$opt_h) ||
!defined($opt_s) || !defined($opt_e) || !defined($opt_o) ||
$opt_h) {
print "\nAbout command-line-sender.pl\n";
print "\n Script is supposed to be used as a simple command-line warden client that can send one event to the warden server at a time. For more information about the Warden system and it's events' structure, please see warden-client/doc/README file.\n";
print "\nUsage:\n\n ./command-line-sender.pl -s <service> -e <event_type> -o <source_type> [-t <timestamp_of_detection>] [-v <source>] [-p <protocol>] [-r <port>] [-a <attack_scale>] [-n <note>] [-w <warden_directory>] [-h]\n";
print "\nArguments:\n\n";
print " -s SERVICE, --service=SERVICE - Name of detection service\n\n";
print " -e EVENT_TYPE, --event-type=EVENT_TYPE - Type of detected event\n\n";
print " -o SOURCE_TYPE, --source-type=SOURCE_TYPE - Type of detected event\'s source\n\n";
print "\n";
print "Optional (but important) arguments:\n\n";
print " -t TIMESTAMP, --timestamp=TIMESTAMP - Timestamp of detection.\n";
print " Default is current system time (" . DateTime->from_epoch(epoch => time()) . ")\n\n";
print " -v SOURCE_VALUE, --source-value=SOURCE_VALUE - Source of detected event\n\n";
print " -p PROTO, --proto=PROTO - Protocol\n\n";
print " -r PORT, --port=PORT - Port\n\n";
print " -a ATTACK_SCALE, --attack-scale=ATTACK_SCALE - Scale of detected event\n\n";
print " -n NOTE, --note=NOTE - Note, comment or other data\n\n";
print " -w WARDEN_DIR, --warden-dir=WARDEN_DIR - Path to the warden-client directory. Default is \'../../warden-client\'\n\n";
print " -h, --help - Print help\n\n";
print "\nExample #1: ./command-line-sender.pl -s PhishTracker -e webattack -o URL -v 123.123.098.098 -p TCP -r 443 -a 100 -n \"important notice\"\n";
print "\nExample #2: ./command-line-sender.pl --service=ScanGuardian --event-type=portscan --source-type=IP --timestamp=\"2013-04-25T13:36:31\" --source-value=\"123.123.1.23\" --proto=TCP --port=25 --attack-scale=1234 --note=\"The very first run of ScanGuardian :)\" --warden-dir \"/opt/warden/warden-client\"\n";
print "\nNOTE: For more information how to use particular values see warden-client/doc/README file.\n\n";
exit 0;
}
my @event = ($opt_s, $opt_t, $opt_e, $opt_o, $opt_v,
$opt_p, $opt_r, $opt_a, $opt_n);
#-------------------------------------------------------------------------------
# Use of warden-client sender.
# Path to warden-client folder
my $warden_path = $opt_w;
# Inclusion of warden-client sender module
require $warden_path . '/lib/WardenClientSend.pm';
# Sending event to Warden server
WardenClientSend::saveNewEvent($warden_path, \@event);
exit 0;
src/contrib/warden-client-nosoap/doc/example-info.pl.txt deleted 100755 → 0
View file @ d2f37ebe
#!/usr/bin/perl -w
#
# Copyright (C) 2011-2013 Cesnet z.s.p.o
#
# Use of this source is governed by a BSD-style license, see LICENSE file.
use strict;
#------------------------------------------------------------------------------
# Warden 2.2 Client, Info, Example
#
# Simple use of warden-client Info functionality to receive information about
# client registered to Warden server. This code illustrates how to integrate
# warden-client info functionality into local applications.
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# This code should developer add into his/her application.
# Path to warden-client directory
my $warden_path = '/opt/warden-client/';
# Inclusion of warden-client receiving functionality
require $warden_path . '/lib/WardenClientCommon.pm';
my @clients = WardenClientCommon::getClientsInfo($warden_path) or exit 1; # receive data or exit
print "+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n";
print "| Client ID | Hostname | Registered | Requestor | Service | CT | Type | ROE | Description tags | IP Net Client |\n";
print "+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n";
foreach (@clients) {
printf("| %-10s ", $_->{'client_id'} || "NULL");
printf("| %-30s ", $_->{'hostname'} || "NULL");
printf("| %19s ", $_->{'registered'} || "NULL");
printf("| %-23s ", $_->{'requestor'} || "NULL");
printf("| %-25s ", $_->{'service'} || "NULL");
printf("| %-2s ", $_->{'client_type'} || "NULL");
printf("| %-15s ", $_->{'type'} || "NULL");
printf("| %-4s ", $_->{'receive_own_events'} || "NULL");
printf("| %-50s ", $_->{'description_tags'} || "NULL");
printf("| %-18s |\n", $_->{'ip_net_client'} || "NULL");
}
print "+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+\n";
print "\n";
print "Current registered clients in: " . scalar localtime(time) . "\n";
exit 0;
src/contrib/warden-client-nosoap/doc/example-receiver.pl.txt deleted 100755 → 0
View file @ d2f37ebe
#!/usr/bin/perl -w
#
# Copyright (C) 2011-2013 Cesnet z.s.p.o
#
# Use of this source is governed by a BSD-style license, see LICENSE file.
use strict;
#------------------------------------------------------------------------------
# Warden 2.2 Client, Receiver, Example
#
# Simple use of warden-client receiver functionality to download new events
# from # Warden server. This code illustrates how to integrate warden-client
# receive functionality into local applications.
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# This code should developer add into his/her application.
# Path to warden-client directory
my $warden_path = '/opt/warden-client/';
# Inclusion of warden-client receiving functionality
require $warden_path . '/lib/WardenClientReceive.pm';
# Definition of requested event type. This attributes is also set on server
# and must not change.
my $requested_type = "portscan";
#------------------------------------------------------------------------------
# Simple code that prints out new events obtained from Warden server.
print "+------------------------------------------------------------------------------------------------------------------------------------------+\n";
print "| id | hostname | service | detected | type | source_type | source | target_proto | target_port | attack_scale | note | priority | timeout |\n";
print "+------------------------------------------------------------------------------------------------------------------------------------------+\n";
# Download of new evetns from Warden server
while (my @new_events = WardenClientReceive::getNewEvents($warden_path, $requested_type)) {
foreach my $event_ref (@new_events) {
my @event = @$event_ref;
print "| " . join(' | ', map { $_ || '' } @event) . " |" . "\n";
}
print "+------------------------------------------------------------------------------------------------------------------------------------------+\n";
}
print "+------------------------------------------------------------------------------------------------------------------------------------------+";
print "\n";
print "Last events in: " . scalar(localtime(time)) . "\n";
exit 0;
src/contrib/warden-client-nosoap/doc/example-sender-random.pl.txt deleted 100755 → 0
View file @ d2f37ebe
#!/usr/bin/perl -w
#
# Copyright (C) 2011-2013 Cesnet z.s.p.o
#
# Use of this source is governed by a BSD-style license, see LICENSE file.
use Switch;
use strict;
use DateTime;
my $warden_path = '/opt/warden-client';
require $warden_path . '/lib/WardenClientSend.pm';
my $service = "test";
# service is needed in authorization process of the client,
# therefore it can not be set randomly
#switch (int(rand(3) + 0.5)) {
# case 1 { $service = 'ScanDetector'; }
# case 2 { $service = 'PhiGaro'; }
# case 3 { $service = 'HoneyScan'; }
# }
my $detected = DateTime->from_epoch(epoch => time());
my $type = "";
switch (int(rand(10) + 0.5)) {
case 1 { $type = 'portscan'; }
case 2 { $type = 'bruteforce'; }
case 3 { $type = 'spam'; }
case 4 { $type = 'phishing'; }
case 5 { $type = 'botnet_c_c'; }
case 6 { $type = 'dos'; }
case 7 { $type = 'malware'; }
case 8 { $type = 'copyright'; }
case 9 { $type = 'webattack'; }
case 10 { $type = 'other'; }
}
my $source_type = "";
switch (int(rand(3) + 0.5)) {
case 1 { $source_type = 'IP'; }
case 2 { $source_type = 'URL'; }
case 3 { $source_type = 'Reply-To:'; }
}
my $source = (int(rand(254) + 0.5) + 1) . "." . (int(rand(254) + 0.5) + 1) . "." . (int(rand(254) + 0.5) + 1) . "." . (int(rand(254) + 0.5) + 1);
my $target_proto = "";
switch (int(rand(2) + 0.5)) {
case 1 { $target_proto = 'TCP'; }
case 2 { $target_proto = 'UDP'; }
}
my $target_port = "";
switch (int(rand(6) + 0.5)) {
case 1 { $target_port = '22'; }
case 2 { $target_port = '23'; }
case 3 { $target_port = '25'; }
case 4 { $target_port = '443'; }
case 5 { $target_port = '3389'; }
case 6 { $target_port = 'null'; }
}
my $attack_scale = (int(rand(100000) + 0.5) + 1000);
my $note = "tohle je takova normalni jednoducha poznamka";
my $priority = int(rand(255) + 0.5);
my $timeout = int(rand(255) + 0.5);
my @event = (
$service, # $service
"$detected", # $detected
$type, # $type
$source_type, # $source_type
$source, # $source
$target_proto, # $target_proto
$target_port, # $target_port
$attack_scale, # $attack_scale
$note, # $note
$priority, # $priority
$timeout, # $timeout
);
WardenClientSend::saveNewEvent($warden_path, \@event);
#foreach (@event) {
# print "$_\n";
#}
src/contrib/warden-client-nosoap/doc/example-sender.pl.txt deleted 100755 → 0
View file @ d2f37ebe
#!/usr/bin/perl -w
#
# Copyright (C) 2011-2013 Cesnet z.s.p.o
#
# Use of this source is governed by a BSD-style license, see LICENSE file.
use strict;
use DateTime;
#-------------------------------------------------------------------------------
# Warden 2.2. Client, Sender, Example
#
# Sample script using warden-client sending functionality. This example is not
# intended to be a standalone script. It only shows how to use warden-client
# functionality.
#-------------------------------------------------------------------------------
#-------------------------------------------------------------------------------
# Preparation of event attributes.
# This should be handled by detection application.
my $local_detected = DateTime->from_epoch(epoch => time());
my $service = "test";
my $detected = "$local_detected";
my $type = "portscan";
my $source_type = "IP";
my $source = "123.123.123.123";
my $target_proto = "TCP";
my $target_port = "22";
my $attack_scale = "1234567890";
my $note = "important note or comment";
my $priority = 1;
my $timeout = 20;
my @event = ($service, $detected, $type, $source_type, $source,
$target_proto, $target_port, $attack_scale, $note,
$priority, $timeout );
#-------------------------------------------------------------------------------
# Use of warden-client sender.
# This code should developer add to his/her detection application
# (with corresponding paths appropriately changed).
# Path to warden-client folder
my $warden_path = '/opt/warden-client';
# Inclusion of warden-client sender module
require $warden_path . '/lib/WardenClientSend.pm';
# Sending event to Warden server
for (my $i = 0; $i < 10; $i++) {
print "Sending $i-st event on server\n";
WardenClientSend::saveNewEvent($warden_path, \@event);
}
exit 0;