#!/usr/bin/perl # # networkReporter.pl - Warden client for communication with RT ticketing system # # Copyright (C) 2012 Masaryk University # Author(s): Jakub CEGAN <cegan@ics.muni.cz> # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions are met: # # * Redistributions of source code must retain the above copyright notice, # this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above copyright notice, # this list of conditions and the following disclaimer in the documentation # and/or other materials provided with the distribution. # * Neither the name of Masaryk University nor the names of its contributors may be # used to endorse or promote products derived from this software without # specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE # LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE # POSSIBILITY OF SUCH DAMAGE. 
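#
use warnings;
use strict;
use lib '/opt/warden-client';
use Email::Simple;
use Sys::Hostname;
use Sys::Syslog qw(:standard);
use Text::Wrap;
use DateTime;

# NOTE: there is deliberately no `use utf8` here. The Czech message text in
# reportToRT() is handed to sendmail as raw UTF-8 bytes, and the Content-Type
# header set there tells the recipient which charset those bytes are in.

#-------------------------------------------------------------------------------
# sendmailWrapper - hand a complete message (headers + body) to local sendmail
#
# param: message string, as produced by Email::Simple->as_string
#
# return: 1 on success, (0, error string) on failure
#-------------------------------------------------------------------------------
sub sendmailWrapper {
    my $message = shift;

    # List-form pipe open: sendmail is started without a shell, so nothing in
    # the command line is ever subject to shell interpretation.  -t takes the
    # recipients from the message headers, -oi stops a lone "." ending input.
    open(my $sendmail, '|-', '/usr/sbin/sendmail', '-oi', '-t')
        or return (0, "Sending email failed: $!");

    print {$sendmail} $message;

    # close() on a pipe is the only place sendmail's exit status surfaces:
    # $! is set for an I/O error, $? for a non-zero exit of sendmail itself.
    close($sendmail)
        or return (0, "Sending email failed: " . ($! ? "$!" : "sendmail exit status $?"));

    return 1;
}

#-------------------------------------------------------------------------------
# timeToLocal - rewrite a Warden "YYYY-MM-DD HH:MM:SS" (GMT) timestamp, in
#               place, as the local-time string "DD. MM. YYYY v HH:MM"
#
# param: reference to the timestamp scalar (overwritten on success)
#
# return: 1 on success, (0, error string) on failure
#-------------------------------------------------------------------------------
sub timeToLocal {
    my $time = shift;

    # One match with named captures replaces the original's duplicated regex.
    my $ts_re = qr{ (?<year>\d{4}) - (?<mon>\d{2}) - (?<day>\d{2}) [ ]
                    (?<hour>\d{2}) : (?<min>\d{2}) : (?<sec>\d{2}) }x;
    if ($$time !~ $ts_re) {
        return (0, "Bad time format!\n");
    }
    my %part = %+;    # copy before any later match can clobber %+

    eval {
        my $dt = DateTime->new(
            year      => $part{year},
            month     => $part{mon},
            day       => $part{day},
            hour      => $part{hour},
            minute    => $part{min},
            second    => $part{sec},
            time_zone => 'gmt',    # Warden timestamps are taken as GMT
        );
        $dt->set_time_zone('local');
        $$time = $dt->strftime('%d. %m. %Y v %H:%M');
        1;
    } or return (0, "Can't convert time to epoch format!\n");

    return 1;
}

#-------------------------------------------------------------------------------
# reportToRT - function for creating tickets in the RT system
#
# param: hash ref with
#          gateway => RT mail gateway address ('To' header)
#          data    => Warden event array ref; fields used here are
#                     [2] reporting client, [3] detected time (GMT),
#                     [6] source IP, [7] protocol, [8] port, [9] attempt count
#
# return: 1 on success, (0, error string) on failure
#-------------------------------------------------------------------------------
sub reportToRT {
    my $inputData = shift;
    my $toGateway = $inputData->{gateway};
    my @event     = @{ $inputData->{data} };    # private copy; [3] is rewritten below

    if (!$toGateway) {
        return (0, "Empty 'To' email header!\n");
    }

    # Build the 'From' host; a bare host name gets the site domain appended.
    my $fromHostname;
    eval {
        $fromHostname = hostname();
        if ($fromHostname !~ m/\.ics\.muni\.cz\z/i) {
            $fromHostname .= '.ics.muni.cz';
        }
        1;
    } or return (0, "Can't retrive hostname for 'From' header!\n");

    my ($rc, $err) = timeToLocal(\$event[3]);
    if (!$rc) {
        return (0, $err);
    }

    my $text = "Dobrý den, z Vaší IP adresy $event[6] jsme zaznamenali $event[3] celkem $event[9] pokus(y) o připojení k neexistující službě (tzv. honeypotu). V tomto konkrétním případě se jednalo o protokol $event[7] a port číslo $event[8]. Je pravděpodobné, že se jedná o virus, napadený počítač či zneužitý uživatelský účet. 
Doporučujeme Vám zkontrolovat zabezpečení tohoto počitače. S pozdravem CSIRT-MU http://www.muni.cz/csirt";

    # MIME-Version/Content-Type are needed so the UTF-8 body is not shown as
    # mojibake by the ticketing system; the original message carried neither.
    my $message;
    eval {
        $message = Email::Simple->create(
            header => [
                To             => $toGateway,
                From           => 'tools@' . $fromHostname,
                Subject        => 'Pristup na honeypot v siti CESNET',
                'MIME-Version' => '1.0',
                'Content-Type' => 'text/plain; charset=UTF-8',
            ],
            body => fill('', '', $text),
        );
        1;
    } or return (0, "Can't create email message\n");

    ($rc, $err) = sendmailWrapper($message->as_string);
    if (!$rc) {
        return (0, $err);
    }

    return 1;
}

#-------------------------------------------------------------------------------
# main - fetch new portscan events from Warden and open an RT ticket for each
#        one that originates from our own address range and client
#-------------------------------------------------------------------------------
my $warden_path = '/opt/warden-client';
require $warden_path . '/lib/WardenClientReceive.pm';

my $requested_type = 'portscan';
my $ip_reg         = '147\.251\.\d+\.\d+';    # only report sources in our own range
my $client         = 'CESNET_IDS';
my $gateway        = 'rt@rt-devel.ics.muni.cz';
$Text::Wrap::columns = 90;

# Log lines carry the program name and PID so failures can be traced.
openlog('networkReporter', 'pid', 'user');

my @new_events = WardenClientReceive::getNewEvents($warden_path, $requested_type);
# Sample event, showing the field order reportToRT() relies on:
#@new_events = (["5179620","au1.cesnet.cz","CESNET_IDS","2012-11-08 17:04:56","portscan","IP","147.251.216.8","XXX","666","2","","0","720"]);

EVENT:
foreach my $event_ref (@new_events) {
    my @event = @{$event_ref};

    # Anchored with \A/\z (not ^/$) so a trailing newline cannot slip past,
    # and \Q..\E so the client name is compared literally.
    next EVENT unless $event[6] =~ m/\A$ip_reg\z/i
                  and $event[2] =~ m/\A\Q$client\E\z/i;

    my ($rc, $err) = reportToRT({ gateway => $gateway, data => \@event });
    if (!$rc) {
        # syslog() was previously called without Sys::Syslog loaded, which
        # died on the error path; the message is passed as a format argument
        # so event-derived text is never interpreted as a format string.
        syslog('err', 'Warden client - networkReporter %s', $err);
    }
}

closelog();
exit 0;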