Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • 713/warden/warden
  • Pavel.Valach/warden
2 results
Show changes
Commits on Source (36)
Hide whitespace changes
Inline Side-by-side
Showing
with 5886 additions and 12 deletions
contrib/ansible/warden-filer-receiver/defaults/main.yml
View file @ b08e2629
---
server_admin: "{{ root@inventory_hostname }}"
warden_filer_bin_path: /opt/warden-filer
warden_filer_lib_path: /var/lib/warden_filer
warden_filer_run_path: /run/warden_filer
warden_client_cert_path: /etc/ssl/certs/warden.cert.pem
warden_client_key_path: /etc/ssl/private/warden.key.pem
warden_client_id_store: /var/lib/warden_filer/warden_filer.id
......
contrib/ansible/warden-filer-receiver/tasks/main.yml
View file @ b08e2629
---
- name: Checkout Warden repository
git:
repo: https://homeproj.cesnet.cz/git/warden.git/
repo: https://gitlab.cesnet.cz/713/warden/warden.git
version: warden-client-3.0-beta3
dest: /tmp/warden_client_repository
- name: Create bin dir for warden_filer
file:
path: "{{ warden_filer_bin_path }}"
state: directory
owner: root
group: root
mode: "755"
- name: Create lib and run dir for warden_filer
file:
path: "{{ item }}"
state: directory
owner: "{{ warden_filer_uid }}"
group: "{{ warden_filer_gid }}"
mode: "755"
with_items:
- "{{ warden_filer_lib_path }}"
- "{{ warden_filer_run_path }}"
- name: Install Filer binaries
copy:
src: "/tmp/warden_client_repository/{{ src }}"
dest: "{{ warden_filer_bin_path }}/{{ dest }}"
remote_src: true
src: "/tmp/warden_client_repository/{{ item.src }}"
dest: "{{ warden_filer_bin_path }}/{{ item.dest }}"
mode: "755"
with_items:
- src: warden_client/warden_client.py
dest: warden_client.py
......@@ -17,15 +38,26 @@
- src: warden_filer/check_file_count
dest: check_file_count
- name: Link Filer binary to /usr/local/bin
file:
src: "{{ warden_filer_bin_path }}/warden_filer.py"
dest: "/usr/local/bin/warden_filer.py"
state: link
owner: root
group: root
mode: "755"
- name: Install Warden Filer config
template:
src: "{{ item }}"
dest: "/{{ item }}"
with_items:
- etc/warden_filer.cfg
- etc/defaults/warden_filer_receiver
- etc/default/warden_filer_receiver
- name: Install Warden Filer init script
copy:
remote_src: true
src: /tmp/warden_client_repository/warden_filer/warden_filer_receiver
dest: /etc/init.d/warden_filer_receiver
mode: "755"
contrib/ansible/warden-server/tasks/main.yml
View file @ b08e2629
---
- name: Checkout Warden repository
git:
repo: https://homeproj.cesnet.cz/git/warden.git/
repo: https://gitlab.cesnet.cz/713/warden/warden.git
version: warden-server-3.0-beta3
dest: /tmp/warden_server_repository
......
contrib/banner/banner-template.svg 0 → 100644
View file @ b08e2629
Source diff could not be displayed: it is too large. Options to address this: view the blob.
contrib/banner/banner.py 0 → 100755
View file @ b08e2629
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# banner.py
#
# Copyright 2015 CESNET z. s. p. o.
# Author Jakub Cegan cegan@ics.muni.cz
#
#
def main(args):
SVGNS = "http://www.w3.org/2000/svg"
# We set up path and names
banner_path = "/var/www/banner/"
banner_name_cz = "banner-cz.svg"
banner_name_en = "banner-en.svg"
template_name = "banner-template.svg"
banners = [{'name': banner_name_en, 'database' : "Database Size:", 'events' : "Number of Events:", 'senders' : "Number of Senders:", 'receivers' : "Number of Receivers:", 'created' : "Banner Created:"}, {'name': banner_name_cz, 'database' : "Velikost databáze:", 'events' : "Suma všech událostí:", 'senders' : "Odesílající klienti:", 'receivers' : "Přijímající klienti:", 'created' : "Banner vytvořen:"}]
# We have DB credentials
host, database, user, password = sys.argv[1:]
db = MySQLdb.connect(host = host, user = user, passwd = password, db = database)
cursor = db.cursor()
cursor.execute('SELECT count(*) AS reader_count FROM clients WHERE clients.read <> 0 AND clients.valid <> 0 AND clients.test = 0;')
row = cursor.fetchone()
receivers = str(row[0])
#receivers = str(random.randint(0,100))
cursor.execute('SELECT count(*) AS writer_count FROM clients WHERE clients.write <> 0 AND clients.valid <> 0 AND clients.test = 0;')
row = cursor.fetchone()
senders = str(row[0])
#senders = str(random.randint(0,100))
cursor.execute('SELECT sum(round(((data_length + index_length) / 1024 / 1024 / 1024), 2)) AS db_size FROM information_schema.tables WHERE table_schema = "warden3" AND table_name="events"')
row = cursor.fetchone()
database_size = str(row[0]) + ' GB'
#database_size = str(random.randint(0,50)) + ' GB'
cursor.execute('SELECT max(id) - min(id) AS event_count FROM events;')
row = cursor.fetchone()
events = str(row[0])
#events = str(random.randint(0,10000000))
#cursor.execute('SELECT max(id) AS last_id FROM events;')
#row = cursor.fetchone()
#last_event = str(row[0])
time = datetime.datetime.today().strftime("%Y-%m-%dT%H:%M:%S%Z")
for banner in banners:
xml_data = etree.parse(template_name)
# We search for element 'text' with id='tile_text' in SVG namespace
# Fill texts
find_text = etree.ETXPath("//{%s}text[@id='database-text']" % (SVGNS))
find_text(xml_data)[0].text = banner['database']
find_text = etree.ETXPath("//{%s}text[@id='events-text']" % (SVGNS))
find_text(xml_data)[0].text = banner['events']
find_text = etree.ETXPath("//{%s}text[@id='senders-text']" % (SVGNS))
find_text(xml_data)[0].text = banner['senders']
find_text = etree.ETXPath("//{%s}text[@id='receivers-text']" % (SVGNS))
find_text(xml_data)[0].text = banner['receivers']
find_text = etree.ETXPath("//{%s}text[@id='latest-text']" % (SVGNS))
find_text(xml_data)[0].text = banner['created']
# Insert values from database
find_text = etree.ETXPath("//{%s}text[@id='database']" % (SVGNS))
find_text(xml_data)[0].text = database_size
find_text = etree.ETXPath("//{%s}text[@id='events']" % (SVGNS))
find_text(xml_data)[0].text = events
find_text = etree.ETXPath("//{%s}text[@id='senders']" % (SVGNS))
find_text(xml_data)[0].text = senders
find_text = etree.ETXPath("//{%s}text[@id='receivers']" % (SVGNS))
find_text(xml_data)[0].text = receivers
find_text = etree.ETXPath("//{%s}text[@id='latest']" % (SVGNS))
find_text(xml_data)[0].text = time
# Write edited svg into file
new_svg = etree.tostring(xml_data)
xml_data.write(banner_path + banner['name'])
# We will not use pygal graphs for now
#chart = pygal.StackedLine(fill=True, style=CleanStyle, x_label_rotation=40, tooltip_border_radius=10) # Setting style here is not necessary
#chart.title = 'Events in last 24 hours'
#chart.x_labels = map(lambda d: d.strftime('%H:%M:%S'), reversed([base - datetime.timedelta(hours=x) for x in range(0, 24)]))
#chart.add('Event type A', [random.randint(0,5000) for r in xrange(24)])
#chart.add('Event type B', [random.randint(0,5000) for r in xrange(24)])
#chart.add('Event type C', [random.randint(0,5000) for r in xrange(24)])
#chart.add('Other types', [random.randint(0,5000) for r in xrange(24)])
#chart.render_to_file('chart_hours.svg') # Save the svg to a file
#chart = pygal.StackedLine(fill=True, style=CleanStyle, x_label_rotation=40, tooltip_border_radius=10) # Setting style here is not necessary
#chart.title = 'Events in last month'
#chart.x_labels = map(lambda d: d.strftime('%d. %m. %Y'), reversed([base - datetime.timedelta(days=x) for x in range(0, 31)]))
#chart.add('Event type A', [random.randint(0,5000) for r in xrange(31)])
#chart.add('Event type B', [random.randint(0,5000) for r in xrange(31)])
#chart.add('Event type C', [random.randint(0,5000) for r in xrange(31)])
#chart.add('Other types', [random.randint(0,5000) for r in xrange(31)])
#chart.render_to_file('chart_month.svg') # Save the svg to a file
return 0
if __name__ == '__main__':
import sys
import random
import datetime
import MySQLdb
from lxml import etree
#import pygal
#from pygal.style import CleanStyle
sys.exit(main(sys.argv))
contrib/connectors/cznichaas2warden/README.md 0 → 100644
View file @ b08e2629
# haas2warden
Warden connector for data of [CZ.NIC HaaS project](https://haas.nic.cz/).
It downloads daily [HaaS data dumps](https://haas.nic.cz/stats/export/),
converts them to IDEA messages and sends them to CESNET's Warden server.
It should be run from `cron` every night when data from previous day are
available (at 3:30).
The script just writes IDEA messages as files into a "filer" directory.
A _warden_filer_ daemon must be configured to pick up the messages
and send them to Warden server.
There is a systemd file which can be used to run the warden_filer.
contrib/connectors/cznichaas2warden/haas2warden.cron 0 → 100644
View file @ b08e2629
# Run every day at 03:30
30 03 * * * haas2warden python3 /data/haas2warden/haas2warden.py -p /data/haas2warden/warden_filer/ -n org.example.ext.cznic_haas -t >> /data/haas2warden/haas2warden.log 2>&1
contrib/connectors/cznichaas2warden/haas2warden.py 0 → 100644
View file @ b08e2629
#!/usr/bin/env python3
from gzip import decompress
from json import loads
from datetime import datetime, timedelta
import argparse
import logging
import uuid
import json
import os
import requests
data_date = datetime.date(datetime.utcnow()) - timedelta(days=1)
LOGFORMAT = "%(asctime)-15s,%(name)s [%(levelname)s] %(message)s"
LOGDATEFORMAT = "%Y-%m-%dT%H:%M:%S"
logging.basicConfig(level=logging.INFO, format=LOGFORMAT, datefmt=LOGDATEFORMAT)
logger = logging.getLogger('haas2warden')
def createIDEAFile(idea_id, idea_msg):
"""
Creates file for IDEA message in .../tmp folder, then move it to .../incoming folder
"""
tmp_dir_path = os.path.join(args.path, "tmp")
idea_file_path = os.path.join(tmp_dir_path, idea_id+".idea")
os.makedirs(tmp_dir_path, exist_ok=True)
idea_file = open(idea_file_path, "w")
idea_file.write(idea_msg)
idea_file.close()
incoming_dir_path = os.path.join(args.path, "incoming")
incoming_file_path = os.path.join(incoming_dir_path,idea_id+".idea")
os.makedirs(incoming_dir_path, exist_ok=True)
os.rename(idea_file_path,incoming_file_path)
def createIDEA(time, time_closed, ip, login_successful, commands):
"""
Creates IDEA message
"""
idea_id = str(uuid.uuid4())
if login_successful:
category = "[\"Intrusion.UserCompromise\"]"
description = "SSH login on honeypot (HaaS)"
if args.test:
category = "[\"Intrusion.UserCompromise\", \"Test\"]"
attach = f''',
"Attach": [
{{
"Note": "commands",
"Type": ["ShellCode"],
"ContentType": "application/json",
"Content": {json.dumps(commands)}
}}
]''' # ^-- "commands" is already serialiezed into a json string, we want to include it into a bigger JSON so we must encode it again (to escape quotes and any other special charaters)
else:
category = "[\"Attempt.Login\"]"
description = "Unsuccessful SSH login attempt on honeypot (HaaS)"
if args.test:
category = "[\"Attempt.Login\", \"Test\"]"
attach = ""
if time_closed: # sometimes time_closed is empty, in such case we must omit CeaseTime completely from IDEA msg
cease_time = f'"CeaseTime": "{time_closed}",'
else:
cease_time = ""
idea_msg = f"""\
{{
"Format": "IDEA0",
"ID": "{idea_id}",
"Category": {category},
"Description": "{description}",
"Note": "Extracted from data of CZ.NIC HaaS project",
"DetectTime": "{time}",
"EventTime": "{time}",
{cease_time}
"CreateTime": "{datetime.utcnow().strftime('%Y-%m-%dT%H:%M:%SZ')}",
"Source": [
{{
"IP4": ["{ip}"],
"Proto": ["tcp", "ssh"]
}}
],
"Node": [
{{
"Name": "{args.name}",
"SW": ["CZ.NIC HaaS"],
"Type": ["Connection", "Auth", "Honeypot"],
"Note": "A script converting daily HaaS data dumps from https://haas.nic.cz/stats/export/"
}}
]{attach}
}}
"""
createIDEAFile(idea_id, idea_msg)
def processJSON():
"""
Downloads data from https://haas.nic.cz/stats/export/ and process json files.
"""
date = datetime.strptime(args.date, '%Y-%m-%d').date()
# get url
url = "https://haas.nic.cz/stats/export/{}/{}/{}.json.gz".format(str(date).split('-')[0],str(date).split('-')[1], str(date))
# get data
logger.info("Downloading {}".format(url))
response = requests.get(url)
if response.status_code == 200:
# unzip and read json file
json_objects = loads(decompress(response.content))
logger.info("Found {} records, converting to IDEA messages".format(len(json_objects)))
# go through all json objects
for json_object in json_objects:
createIDEA(json_object["time"], json_object["time_closed"], json_object["ip"], json_object["login_successful"], json.dumps(json_object["commands"]))
if __name__ == "__main__":
# parse arguments
parser = argparse.ArgumentParser(
prog="haas_receiver.py",
description="A script converting daily HaaS data dumps from https://haas.nic.cz/stats/export/"
)
parser.add_argument('-d', '--date', metavar='DATE', default = str(data_date),
help='To download data from date YYYY-MM-DD, use date + 1 day (default: utcnow - 1 day)')
parser.add_argument('-p', '--path', metavar='DIRPATH', default = "/data/haas2warden/warden_filer/",
help='Target folder for Idea messages (default: "/data/haas2warden/warden_filer/")')
parser.add_argument('-n', '--name', metavar='NODENAME', default = "undefined",
help='Name of the node (default: undefined)')
parser.add_argument('-t', '--test', action="store_true",
help='Test category')
args = parser.parse_args()
processJSON()
logger.info("Done")
contrib/connectors/cznichaas2warden/warden-filer.service 0 → 100644
View file @ b08e2629
# Template of Systemd unit for Warden filer daemon
#
# TODO: set paths, username and mode (receiver/sender) in the last two lines
# and uncomment them. Then copy the file to:
# /etc/systemd/system/warden-filer.service
# and run:
# systemctl daemon-reload
[Unit]
Description=Warden filer for haas2warden
After=syslog.target network.target
[Service]
Type=forking
User=haas2warden
PIDFile=/data/haas2warden/warden_filer.pid
ExecStart=/opt/warden_filer/warden_filer.py --daemon -c "/data/haas2warden/warden_filer.cfg" --pid_file "/data/haas2warden/warden_filer.pid" sender
contrib/connectors/cznichaas2warden/warden_filer.cfg 0 → 100644
View file @ b08e2629
{
// Warden config can be also referenced as:
// "warden": "/path/to/warden_client.cfg"
"warden": {
"url": "https://warden-hub.cesnet.cz/warden3",
"cafile": "/etc/pki/tls/certs/ca-bundle.crt",
"keyfile": "/data/haas2warden/key.pem",
"certfile": "/data/haas2warden/cert.pem",
"timeout": 10,
"errlog": {"level": "warning"},
"filelog": {"level": "info", "file": "/data/haas2warden/warden_filer.log"},
"idstore": "/data/haas2warden/warden_filer.id",
"name": "org.example.cznic_haas"
},
"sender": {
// Maildir like directory, whose "incoming" subdir will be checked
// for Idea events to send out
"dir": "/data/haas2warden/warden_filer",
"poll_time": 60
}
}
contrib/connectors/hp-labrea/labrea-idea.py
View file @ b08e2629
......@@ -432,10 +432,6 @@ def daemonize(
os.close(fd)
except Exception:
pass
# Redirect stdin, stdout, stderr to /dev/null
devnull = os.open(os.devnull, os.O_RDWR)
for fd in range(3):
os.dup2(devnull, fd)
# PID file
if pidfile is not None:
pidd = os.open(pidfile, os.O_RDWR | os.O_CREAT | os.O_EXCL | os.O_TRUNC)
......@@ -449,6 +445,10 @@ def daemonize(
os.unlink(pidfile)
except Exception:
pass
# Redirect stdin, stdout, stderr to /dev/null
devnull = os.open(os.devnull, os.O_RDWR)
for fd in range(3):
os.dup2(devnull, fd)
def save_events(aggr, filer):
......
contrib/map/LICENSE 0 → 100644
View file @ b08e2629
BSD License
Copyright © 2016 Cesnet z.s.p.o
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the Cesnet z.s.p.o nor the names of its
contributors may be used to endorse or promote products derived from this
software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE Cesnet z.s.p.o BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA,
OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
contrib/map/README 0 → 100644
View file @ b08e2629
+---------------------------------+
| Warden Map Client 1.0 |
+---------------------------------+
Content
A. Introduction
B. Configuration
C. Usage & Help
------------------------------------------------------------------------------
A. Introduction
Warden Map Client is very simple client for drawing a map with events from
database of the Warden server. It consists of a Python 2.7 backend and
a javascript/jquery frontend.
Backend uses Warden API for downloading of events. Events are processed and
enhanced with a geodata via freegeoip.net API. Finally warden-map.json file
with information for the frontend is created.
Frontend uses datamaps project (http://datamaps.github.io/) for visualisation
of events on a map. It is possible to check details of the event by moving
cursor on a arc. It is also possible to zoom map via scrolling and/or clicking
on the plus, minus and, home buttons.
------------------------------------------------------------------------------
B. Configuration
1. Copy frontend folder into desired location.
2. Copy html snippet into your web page, or use it as an iframe.
NOTE: If necessary, change css/js paths in a html snippet.
3. Copy backend folder into desired location.
4. Setup backend call (warden-map.py) in a crontab.
NOTE: Please make sure you will have stored warden-map.json file
in the frontend folder.
EXAMPLE: ./warden-map.py --client cz.cesnet.warden.map \
--key certs/key.pem \
--cert certs/cert.pem \
--output ../frontend/
5. Enjoy your map.
------------------------------------------------------------------------------
C. Usage & Help
usage: warden-map.py [-h] [--output /path/] --events <number> --client
<org.ex.cl> --key /path/key.pem --cert /path/cert.pem
--cacert /path/cacert.pem --secret <SeCreT>
optional arguments:
-h, --help show this help message and exit
--output path/ path where warden-map.json should be saved
required arguments:
--events <number> count of events for a map
--client <org.ex.cl> client name
--key path/key.pem SSL key for a client
--cert path/cert.pem SSL cert for a client
--cacert path/cacert.pem SSL cacert for a client
--secret <SeCreT> secret key for a client
------------------------------------------------------------------------------
Copyright (C) 2016 Cesnet z.s.p.o
contrib/map/backend/warden-map.py 0 → 100755
View file @ b08e2629
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# warden-map.py
#
# Copyright (C) 2016 Cesnet z.s.p.o
# Use of this source is governed by a 3-clause BSD-style license, see LICENSE file.
import json
import codecs
import time
import argparse
import GeoIP
import requests
def getLastEvents(client, key, cert):
res = requests.post(
'https://warden-hub.cesnet.cz/warden3/getEvents?client=%s' % (client,),
cert=(cert, key)
)
data = res.json()
i = 0
eventsList = []
for p in data['events']:
event = {}
for key, value in { 'event': 'Category', 'time': 'DetectTime', 'origin': 'Source', 'destination': 'Target'}.items():
if value in p:
if (key == 'origin') or (key == 'destination'):
event[key] = {}
if 'IP4' in p[value][0]:
event[key]['ip'] = p[value][0]['IP4'][0]
else:
event[key] = {}
elif (key == 'event'):
event[key] = ', '.join(p[value])
else:
event[key] = p[value]
else:
if (key == 'origin') or (key == 'destination'):
event[key] = {}
else:
event[key] = {}
if 'ip' in event['origin']:
eventsList.append(event)
i += 1
return eventsList
def getGeolocation(ip, db):
data = db.record_by_addr(ip)
if not data:
return {}
else:
return {
'latitude': data['latitude'],
'longitude': data['longitude'],
'country_name': data['country_name'] if data['country_name'] else None,
'city': data['city'] if data['city'] else None
}
def main(args):
client = args.client[0]
key = args.key[0]
cert = args.cert[0]
if args.output is not None:
path = args.output[0] + 'warden-map.json'
else:
path = 'warden-map.json'
db = GeoIP.open("GeoLiteCity.dat", GeoIP.GEOIP_MEMORY_CACHE)
db.set_charset(GeoIP.GEOIP_CHARSET_UTF8)
wardenEvents = getLastEvents(client, key, cert)
for p in wardenEvents:
for target in {'origin', 'destination'}:
geoData = {}
if 'ip' in p[target]:
geoData = getGeolocation(p[target]['ip'], db)
for value in {'latitude', 'longitude', 'country_name', 'city'}:
if value in geoData:
if not geoData[value]:
p[target][value] = "???"
else:
p[target][value] = geoData[value]
else:
p[target][value] = "???"
else:
p[target]['ip'] = "???"
p[target]['country_name'] = "Czech Republic"
p[target]['city'] = "???"
p[target]['latitude'] = 49.743
p[target]['longitude'] = 15.338
wardenEvents.append(int(time.time()));
with open(path, 'w') as outfile:
json.dump(wardenEvents, outfile)
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Creates warden-map.json for warden-map.html frontend.',
formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=30))
parser.add_argument('--output', metavar='path/', type=str,
nargs=1, help='path where warden-map.json should be saved')
requiredNamed = parser.add_argument_group('required arguments')
requiredNamed.add_argument('--client', metavar='<org.ex.cl>', type=str, required=True,
nargs=1, help='client name')
requiredNamed.add_argument('--key', metavar='path/key.pem', type=str, required=True,
nargs=1, help='SSL key for a client')
requiredNamed.add_argument('--cert', metavar='path/cert.pem', type=str, required=True,
nargs=1, help='SSL cert for a client')
args = parser.parse_args()
main(args)
contrib/map/frontend/css/warden-map.css 0 → 100644
View file @ b08e2629
/*
*
* -*- coding: utf-8 -*-
*
* warden-map.css
*
* Copyright (C) 2016 Cesnet z.s.p.o
* Use of this source is governed by a 3-clause BSD-style license, see LICENSE file.
*
*/
body {
font-family: 'Oswald', sans-serif;
background: #00253D;
border: 0px;
padding: 0px;
margin: 0px;
}
h2 {
color: #0062a2;
}
.hoverinfo {
font-family: 'Oswald', sans-serif;
}
#country {
color: #0062a2; /* Cesnet blue */
font-weight: bold;
}
table {
text-align: left;
margin: 0;
padding: 0;
font-size: 12px;
}
table th {
color: #0062a2; /* Cesnet blue */
padding: 0;
}
table td {
color: #4b4d4a; /* Greenish gray */
padding: 0;
}
#container {
overflow: hidden;
/* border: 2px solid #0062a2;
border: 0px;
padding: 0px;
margin: 0px;
border-radius: 5px;*/
position: relative;
/* width: 1280px;
height: 720px;*/
max-width: 100%;
max-height: 100%
width: 100%;
height: 100vh;*/
}
.zoom-button {
width: 40px;
height: 40px;
border-radius: 5px;
border: none;
background: #dcdcda;
font-size: 23px;
font-weight: bold;
color: white;
cursor: pointer;
}
.zoom-button:hover {
background-color: #0062a2;
}
#zoom-info {
display: inline-block;
padding: 10px;
color: #0062a2;
}
#warden-logo {
position: absolute;
top: 30px;
left: 30px;
background: white;
padding: 10px;
border-radius: 10px;
width: 240px;
height: 92px;
text-align: center;
}
#cesnet-logo {
position: absolute;
top: 30px;
right: 30px;
background: white;
padding: 10px;
border-radius: 10px;
width: 240px;
height: 92px;
text-align: center;
}
#legend-box {
position: absolute;
bottom: 30px;
left: 30px;
background-color: rgba(0,0,0,0.3);
color: white;
padding: 10px;
border-radius: 10px;
/*width: 240px;
height: 92px;
text-align: center;*/
}
#heading {
position: absolute;
top: 30px;
left: 50%;
width: 40em;
height: 92px;
margin-left: -20em;
font-size: xx-large;
color: white;
text-align: center;
vertical-align: middle;
line-height: 92px;
}
contrib/map/frontend/js/warden-map.js 0 → 100644
View file @ b08e2629
/*
*
* -*- coding: utf-8 -*-
*
* warden-map.js
*
* Copyright (C) 2016 Cesnet z.s.p.o
* Use of this source is governed by a 3-clause BSD-style license, see LICENSE file.
*
*/
// NOTE: Change path in a function d3.json() if you separate backend and frontend!
// Zooming functionality is based on WunderBart's implementation
// Please see following links:
// https://github.com/wunderbart
// https://jsfiddle.net/wunderbart/Lom3b0gb/
function Zoom(args) {
$.extend(this, {
$buttons: $(".zoom-button"),
$info: $("#zoom-info"),
scale: { max: 50, currentShift: 0 },
$container: args.$container,
datamap: args.datamap
});
this.init();
}
Zoom.prototype.init = function() {
var paths = this.datamap.svg.selectAll("path"),
subunits = this.datamap.svg.selectAll(".datamaps-subunit");
// preserve stroke thickness
paths.style("vector-effect", "non-scaling-stroke");
// disable click on drag end
subunits.call(
d3.behavior.drag().on("dragend", function() {
d3.event.sourceEvent.stopPropagation();
})
);
this.scale.set = this._getScalesArray();
this.d3Zoom = d3.behavior.zoom().scaleExtent([ 1, this.scale.max ]);
this._displayPercentage(1);
this.listen();
};
Zoom.prototype.listen = function() {
this.$buttons.off("click").on("click", this._handleClick.bind(this));
this.datamap.svg
.call(this.d3Zoom.on("zoom", this._handleScroll.bind(this)))
.on("dblclick.zoom", null); // disable zoom on double-click
};
Zoom.prototype.reset = function() {
this._shift("reset");
};
Zoom.prototype._handleScroll = function() {
var translate = d3.event.translate,
scale = d3.event.scale,
limited = this._bound(translate, scale);
this.scrolled = true;
this._update(limited.translate, limited.scale);
};
Zoom.prototype._handleClick = function(event) {
var direction = $(event.target).data("zoom");
this._shift(direction);
};
Zoom.prototype._shift = function(direction) {
var center = [ this.$container.width() / 2, this.$container.height() / 2 ],
translate = this.d3Zoom.translate(), translate0 = [], l = [],
view = {
x: translate[0],
y: translate[1],
k: this.d3Zoom.scale()
}, bounded;
translate0 = [
(center[0] - view.x) / view.k,
(center[1] - view.y) / view.k
];
if (direction == "reset") {
view.k = 1;
this.scrolled = true;
} else {
view.k = this._getNextScale(direction);
}
l = [ translate0[0] * view.k + view.x, translate0[1] * view.k + view.y ];
view.x += center[0] - l[0];
view.y += center[1] - l[1];
bounded = this._bound([ view.x, view.y ], view.k);
this._animate(bounded.translate, bounded.scale);
};
Zoom.prototype._bound = function(translate, scale) {
var width = this.$container.width(),
height = this.$container.height();
translate[0] = Math.min(
(width / height) * (scale - 1),
Math.max( width * (1 - scale), translate[0] )
);
translate[1] = Math.min(0, Math.max(height * (1 - scale), translate[1]));
return { translate: translate, scale: scale };
};
Zoom.prototype._update = function(translate, scale) {
this.d3Zoom
.translate(translate)
.scale(scale);
this.datamap.svg.selectAll("g")
.attr("transform", "translate(" + translate + ")scale(" + scale + ")");
this._displayPercentage(scale);
};
Zoom.prototype._animate = function(translate, scale) {
var _this = this,
d3Zoom = this.d3Zoom;
d3.transition().duration(350).tween("zoom", function() {
var iTranslate = d3.interpolate(d3Zoom.translate(), translate),
iScale = d3.interpolate(d3Zoom.scale(), scale);
return function(t) {
_this._update(iTranslate(t), iScale(t));
};
});
};
Zoom.prototype._displayPercentage = function(scale) {
var value;
value = Math.round(Math.log(scale) / Math.log(this.scale.max) * 100);
this.$info.text(value + "%");
};
Zoom.prototype._getScalesArray = function() {
var array = [],
scaleMaxLog = Math.log(this.scale.max);
for (var i = 0; i <= 10; i++) {
array.push(Math.pow(Math.E, 0.1 * i * scaleMaxLog));
}
return array;
};
Zoom.prototype._getNextScale = function(direction) {
var scaleSet = this.scale.set,
currentScale = this.d3Zoom.scale(),
lastShift = scaleSet.length - 1,
shift, temp = [];
if (this.scrolled) {
for (shift = 0; shift <= lastShift; shift++) {
temp.push(Math.abs(scaleSet[shift] - currentScale));
}
shift = temp.indexOf(Math.min.apply(null, temp));
if (currentScale >= scaleSet[shift] && shift < lastShift) {
shift++;
}
if (direction == "out" && shift > 0) {
shift--;
}
this.scrolled = false;
} else {
shift = this.scale.currentShift;
if (direction == "out") {
shift > 0 && shift--;
} else {
shift < lastShift && shift++;
}
}
this.scale.currentShift = shift;
return scaleSet[shift];
};
function defaults(obj) {
Array.prototype.slice.call(arguments, 1).forEach(function(source) {
if (source) {
for (var prop in source) {
// Deep copy if property not set
if (obj[prop] == null) {
if (typeof source[prop] == 'function') {
obj[prop] = source[prop];
}
else {
obj[prop] = JSON.parse(JSON.stringify(source[prop]));
}
}
}
}
});
return obj;
}
function val( datumValue, optionsValue, context ) {
if ( typeof context === 'undefined' ) {
context = optionsValue;
optionsValues = undefined;
}
var value = typeof datumValue !== 'undefined' ? datumValue : optionsValue;
if (typeof value === 'undefined') {
return null;
}
if ( typeof value === 'function' ) {
var fnContext = [context];
if ( context.geography ) {
fnContext = [context.geography, context.data];
}
return value.apply(null, fnContext);
}
else {
return value;
}
}
var cat_color = {
"Abusive": "MediumPurple",
"Malware": "Red",
"Recon": "LightSlateGray",
"Attempt": "GhostWhite",
"Intrusion": "DarkTurquoise",
"Availability": "HotPink",
"Information": "PaleTurquoise",
"Fraud": "Yellow",
"Vulnerable": "DarkGoldenRod",
"Anomaly": "Brown",
"Other": "Green"
}
var cat_desc = {
"Abusive": "spam",
"Malware": "virus, worm, trojan, malware",
"Recon": "scanning, sniffing",
"Attempt": "bruteforce, exploitation attempt",
"Intrusion": "botnet, successful exploit",
"Availability": "(D)DOS",
"Information": "wiretapping, spoofing, hijacking",
"Fraud": "phishing, scam",
"Vulnerable": "open for abuse",
"Anomaly": "unusual traffic",
"Other": "unknown/unidentified"
}
function handleArcs (layer, data, options) {
var self = this,
svg = this.svg;
if ( !data || (data && !data.slice) ) {
throw "Datamaps Error - arcs must be an array";
}
// For some reason arc options were put in an `options` object instead of the parent arc
// I don't like this, so to match bubbles and other plugins I'm moving it
// This is to keep backwards compatability
for ( var i = 0; i < data.length; i++ ) {
data[i] = defaults(data[i], data[i].options);
delete data[i].options;
}
if ( typeof options === "undefined" ) {
options = defaultOptions.arcConfig;
}
var arcs = layer.selectAll('path.datamaps-arc').data( data, JSON.stringify );
var path = d3.geo.path()
.projection(self.projection);
arcs
.enter()
.append('svg:path')
.attr('class', 'datamaps-arc')
.style('stroke-linecap', 'round')
.style('stroke', function(datum) {
/* return val(datum.strokeColor, options.strokeColor, datum);*/
for (cat in cat_color) {
if (datum.event.startsWith(cat)) {
return cat_color[cat];
}
}
return "Green";
})
.style('fill', 'none')
.style('stroke-width', function(datum) {
return val(datum.strokeWidth, options.strokeWidth, datum);
})
.attr('d', function(datum) {
var originXY, destXY;
originXY = self.latLngToXY(val(datum.origin.latitude, datum), val(datum.origin.longitude, datum))
destXY = self.latLngToXY(val(datum.destination.latitude, datum), val(datum.destination.longitude, datum));
var midXY = [ (originXY[0] + destXY[0]) / 2, (originXY[1] + destXY[1]) / 2];
if (options.greatArc) {
// TODO: Move this to inside `if` clause when setting attr `d`
var greatArc = d3.geo.greatArc()
.source(function(d) { return [val(d.origin.longitude, d), val(d.origin.latitude, d)]; })
.target(function(d) { return [val(d.destination.longitude, d), val(d.destination.latitude, d)]; });
return path(greatArc(datum))
}
var sharpness = val(datum.arcSharpness, options.arcSharpness, datum);
return "M" + originXY[0] + ',' + originXY[1] + "S" + (midXY[0] + (50 * sharpness)) + "," + (midXY[1] - (75 * sharpness)) + "," + destXY[0] + "," + destXY[1];
})
.attr('data-info', function(datum) {
return JSON.stringify(datum);
})
.on('mouseover', function ( datum ) {
var $this = d3.select(this);
if (options.popupOnHover) {
self.updatePopup($this, datum, options, svg);
}
})
.on('mouseout', function ( datum ) {
var $this = d3.select(this);
d3.selectAll('.datamaps-hoverover').style('display', 'none');
})
.transition()
.style('fill', function(datum, i) {
/*
Thank you Jake Archibald, this is awesome.
Source: http://jakearchibald.com/2013/animated-line-drawing-svg/
*/
var length = this.getTotalLength();
this.style.transition = this.style.WebkitTransition = 'none';
this.style.strokeDasharray = length + ' ' + length;
this.style.strokeDashoffset = length;
this.getBoundingClientRect();
this.style.transition = this.style.WebkitTransition = 'stroke-dashoffset ' + val(datum.animationSpeed, options.animationSpeed, datum) + 'ms ' + datum.delay*1000 + 'ms ease-out';
this.style.strokeDashoffset = '0';
return 'none';
});
arcs.exit()
.transition()
.duration(1000)
.style('opacity', 0)
.remove();
}
var main_data = [];
var prev_data = 0;
// Configuration of datamap canvas
// Futher reading can be found at https://datamaps.github.io/
function Datamap() {
this.$container = $("#container");
instance = this.instance = new Datamaps({
scope: 'world',
element: this.$container.get(0),
done: this._handleMapReady.bind(this),
projection: 'mercator',
fills: {
/*defaultFill: '#454545'*/
defaultFill: 'black'
},
geographyConfig: {
hideAntarctica: true,
borderColor: '#0062a2',
highlightFillColor: '#4b4d4a',
highlightBorderColor: '#fdfdfd',
popupOnHover: true,
popupTemplate: function(geography, data) {
return '<div class="hoverinfo" id="country">' + geography.properties.name + '</div>';
},
},
ph_arcConfig: {
strokeColor: '#0062a2',
strokeWidth: 2,
arcSharpness: 2, /* 5 */
animationSpeed: 3000, // Milliseconds
popupOnHover: true,
// Case with latitude and longitude
popupTemplate: function(geography, data) {
if ( ( data.origin && data.destination ) && data.origin.latitude && data.origin.longitude && data.destination.latitude && data.destination.longitude ) {
// Content of info table
str = '<div class="hoverinfo"><table id="event"><tr><th>Warden Event</th></tr><tr><td>Type</td><td>'+ JSON.stringify(data.event) +'</td></tr><tr><td>Detect Time</td><td>'+ JSON.stringify(data.time) +'</td></tr><tr><th>Event origin</th></tr><tr><td>IP</td><td>' + JSON.stringify(data.origin.ip) + '</td></tr><tr><td>City & Country</td><td>' + JSON.stringify(data.origin.city) + ',&nbsp;' + JSON.stringify(data.origin.country_name) + '</td></tr><tr><td>GPS</td><td>' + JSON.stringify(data.origin.latitude) + ',&nbsp;' + JSON.stringify(data.origin.longitude) + '</td></tr><tr><th>Event Destination</th></tr><tr><td>IP</td><td>' + JSON.stringify(data.destination.ip) + '</td></tr><tr><td>City & Country</td><td>' + JSON.stringify(data.destination.city) + ',&nbsp;' + JSON.stringify(data.destination.country_name) + '</td></tr><tr><td>GPS</td><td>' + JSON.stringify(data.destination.latitude) + ',&nbsp;' + JSON.stringify(data.destination.longitude) + '</td></tr></table></div>';
return str.replace(/&quot;/g,"");
}
// Missing information
else {
return '';
}
}
}
});
legend_data = d3.select("#legend")
.selectAll("li")
.data(Object.keys(cat_color).sort())
.enter()
.append("li")
.append("span")
.style("color", function(datum) { return cat_color[datum]})
.text(function(datum) { return datum; })
.append("span")
.text(function(datum) { return "" + cat_desc[datum]})
.style("color", "white");
instance.addPlugin('ph_arc', handleArcs);
setInterval(function(){
d3.json("./warden-map.json", function(error, data) {
if (data) {
var cur_data = data.pop()
var cur_time = new Date().getTime();
if (cur_data != prev_data) {
prev_data = cur_data;
for (var i=0; i<data.length; i++) {
data[i].arrivalTime = cur_time;
data[i].delay = i/data.length;
}
main_data = main_data.concat(data);
}
}
var trimmed_data = [];
for (var i=0; i<main_data.length; i++) {
if (main_data[i].arrivalTime + 3500 > cur_time) {
trimmed_data.push(main_data[i]);
}
}
main_data = trimmed_data;
trimmed_data = cur_time = cur_data = error = data = null;
instance.ph_arc(main_data);
});
}, 1000);
};
Datamap.prototype._handleMapReady = function(datamap) {
this.zoom = new Zoom({
$container: this.$container,
datamap: datamap
});
}
contrib/map/frontend/warden-map.html 0 → 100644
View file @ b08e2629
<!-- -->
<!-- -->
<!-- -*- coding: utf-8 -*- -->
<!-- -->
<!-- warden-map.html -->
<!-- -->
<!-- Copyright (C) 2016 Cesnet z.s.p.o -->
<!-- Use of this source is governed by a 3-clause BSD-style license, see LICENSE file. -->
<!-- -->
<!-- -->
<!DOCTYPE html>
<meta name="robots" content="noindex">
<meta charset="utf-8">
<link href='https://fonts.googleapis.com/css?family=Oswald&amp;subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link rel="stylesheet" type="text/css" href="./css/warden-map.css"/>
<body>
<script src="https://d3js.org/d3.v3.min.js"></script>
<script src="https://d3js.org/topojson.v1.min.js"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"></script>
<script src="./js/datamaps.world.min.js"></script>
<script src="./js/warden-map.js"></script>
<!--
<h2>Warden Map</h2>
<div id="tools">
<button class="zoom-button" data-zoom="reset">&#x2302</button>
<button class="zoom-button" data-zoom="out">-</button>
<button class="zoom-button" data-zoom="in">+</button>
<div id="zoom-info"></div>
</div>
-->
<div id="container"></div>
<div id="heading">Attacks, detected in CESNET network<br/>
SABU - Sharing and Analysis of Security Events
</div>
<div id="legend-box">
<p><b>Reported to Warden right <i>now</i>.</b></p>
<ul id="legend"></ul>
</div>
<!-- Draw datamap into id="container" -->
<script>new Datamap();</script>
</body>
</html>
warden_client/README
View file @ b08e2629
......@@ -53,7 +53,7 @@ C.1. Event description format
IDEA - Intrusion Detection Extensible Alert, flexible extensible format
for security events, see:
https://csirt.cesnet.cz/IDEA
https://idea.cesnet.cz/
C.2. Event serial ID
......
warden_client/warden_client.py
View file @ b08e2629
......@@ -44,7 +44,7 @@ class HTTPSConnection(httplib.HTTPSConnection):
def __init__(self, host, **kwargs):
self.ciphers = kwargs.pop('ciphers', None)
self.ca_certs = kwargs.pop('ca_certs', None)
self.ssl_version = kwargs.pop('ssl_version', ssl.PROTOCOL_TLS)
self.ssl_version = kwargs.pop('ssl_version', getattr(ssl, "PROTOCOL_TLS", ssl.PROTOCOL_SSLv23))
httplib.HTTPSConnection.__init__(self,host,**kwargs)
......@@ -270,7 +270,7 @@ class Client(object):
self.pause = int(pause)
self.ciphers = None
self.sslversion = ssl.PROTOCOL_TLS
self.sslversion = getattr(ssl, "PROTOCOL_TLS", ssl.PROTOCOL_SSLv23)
# If Python is new enough to have SSLContext, use it for SSL settings,
# otherwise our own class derived from httplib.HTTPSConnection is used
......