From 44bebb9e44ab3f1565134383ef246ff88874e368 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=A1clav=20Barto=C5=A1?= <bartos@cesnet.cz> Date: Tue, 17 Sep 2019 16:31:16 +0200 Subject: [PATCH] README added for Shodan and Censys connectors --- censys/README.txt | 68 +++++++++++++++++++++++++++++++++++++++++++++++ shodan/README.txt | 63 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 131 insertions(+) create mode 100644 censys/README.txt create mode 100644 shodan/README.txt diff --git a/censys/README.txt b/censys/README.txt new file mode 100644 index 0000000..abc0918 --- /dev/null +++ b/censys/README.txt 
@@ -0,0 +1,68 @@ +========================= +Censys2warden connector +========================= + +This connector uses the internet-wide scanning service Censys.io to search for +potentially vulnerable open services in given network (ASN) and reports them to +Warden (via Warden filer daemon). + +The script sends a set of preconfigured queries to Censys API to search for all +matching IPs in given ASN. The queries correspond to various potentially +vulnerable hosts or other problems with open services. + +Since Censys' free account has quite strict limits on number of queries and +results obtained, it is recommended to have at least the lowest tier of a paid +account. + +Currently implemented queries: + +- Publicly accessible IPMI protocol +- Publicly accessible SCADA (BACnet) system +- Publicly accessible printer via IPP protocol +- Open MongoDB database +- Publicly accessible PCAnywhere (an unsupported vulnerable remote-access SW) +- Open Elastic database +- Web page or other service with a "hacked by" message +- Web running on an old (unsupported) PHP version + +Important: These rules may need to be changed according to needs, interests and +security policies of each organization. + +For each host in given ASN found to be matching a query, a corresponding IDEA +message is created and put to an output directory. Messages from this directory +should be sent to Warden by a Warden filer daemon. + +The script is assumed to be run periodically (e.g. once a day) by cron. + + +------------------------- +Installation: + +1. create a directory for the script and resulting IDEA files, e.g. + `/data/censys2warden/` and `/data/censys2warden/warden_sender` +2. put the censys2warden.py script into the first directory +3. set up warden_filer daemon to read IDEA messages from + `/data/censys2warden/warden_sender` and send them to Warden + (see README of Warden filer) +4. 
set up cron to run the scirpt every day (use censys2warden.cron as an + example) + + +------------------------- +Configuration: + +The script takes the following arguments: + + -h, --help show this help message and exit + -i APIID, --apiid APIID + Censys API ID + -s APISECRET, --apisecret APISECRET + Censys API secret + -a ASN, --asn ASN ASN to query + -n NODE, --node NODE Node name to fill into IDEA messages + -d PATH, --destdir PATH + Path to destination directory (with 'incoming' and + 'temp' subdirectories) (default: CWD) + -t, --test Add 'Test' category to IDEA messages. + -v, --verbose Print information about progress and results + diff --git a/shodan/README.txt b/shodan/README.txt new file mode 100644 index 0000000..247893c --- /dev/null +++ b/shodan/README.txt 
@@ -0,0 +1,63 @@ +========================= +Shodan2warden connector +========================= + +This connector uses the internet-wide scanning service Shodan to search for +potentially vulnerable open services in given network (ASN) and reports them to +Warden (via Warden filer daemon). + +The script sends a set of preconfigured queries to Shodan API to search for all +matching IPs in given ASN. The queries correspond to various potentially +vulnerable hosts or other problems with open services. + +Currently implemented queries: + +- Publicly accessible IPMI protocol +- Publicly accessible SCADA (BACnet) system +- Publicly accessible printer via incesure PJL protocol +- Publicly accessible printer via IPP protocol +- Open MongoDB database +- Open Elastic database +- Open anonymous FTP +- Web page or other service with a "hacked by" message +- Web running on an old (unsupported) PHP version + +Important: These rules may need to be changed according to needs, interests and +security policies of each organization. + +For each host in given ASN found to be matching a query, a corresponding IDEA +message is created and put to an output directory. Messages from this directory +should be sent to Warden by a Warden filer daemon. + +The script is assumed to be run periodically (e.g. once a day) by cron. + + +------------------------- +Installation: + +1. create a directory for the script and resulting IDEA files, e.g. + `/data/shodan2warden/` and `/data/shodan2warden/warden_sender` +2. put the shodan2warden.py script into the first directory +3. set up warden_filer daemon to read IDEA messages from + `/data/shodan2warden/warden_sender` and send them to Warden + (see README of Warden filer) +4. 
set up cron to run the scirpt every day (use shodan2warden.cron as an + example) + + +------------------------- +Configuration: + +The script takes the following arguments: + + -h, --help show help message and exit + -k APIKEY, --apikey APIKEY + Shodan API key + -a ASN, --asn ASN ASN to query + -n NODE, --node NODE Node name to fill into IDEA messages + -d PATH, --destdir PATH + Path to destination directory (with 'incoming' and + 'temp' subdirectories) (default: CWD) + -t, --test Add 'Test' category to IDEA messages. + -v, --verbose Print information about progress and results + -- GitLab
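Review bot: In censys/README.txt the Installation and Configuration sections do not agree on the output layout: step 1 creates `/data/censys2warden/warden_sender`, but the `-d PATH, --destdir PATH` option says the directory must already contain `incoming` and `temp` subdirectories, and nothing says who creates them or that `-d` should point at `warden_sender`. Add a line to step 1 (or step 3) stating that `incoming` and `temp` must be created under `warden_sender` and that `-d` is the `warden_sender` path. Also fix the typo "scirpt" in step 4, and since the Censys API ID and secret are passed as `-i` / `-s` command-line arguments from the cron job, note that the cron file (`censys2warden.cron`) holds the credentials and should be readable only by the user running the script; the arguments are also visible in the process list on a shared host.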
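Review bot: In shodan/README.txt the query list has the typo "incesure PJL protocol" (should be "insecure"), and step 4 has the same "scirpt" typo as the Censys README. The `-h, --help` description reads "show help message and exit" here but "show this help message and exit" in the Censys README; keep them consistent if both are copied from argparse output. As with the Censys README, the `-d PATH` description requires `incoming` and `temp` subdirectories that the Installation steps never create, so step 1 should list them, and the README should state that `shodan2warden.cron` contains the Shodan API key (`-k APIKEY`) and must have restricted permissions.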