Newer
Older
#!/usr/bin/perl -w
#
# WardenClientReceive.pm
#
#
# Use of this source is governed by a BSD-style license, see LICENSE file.
package WardenClientReceive;
use strict;
use FindBin;
use Sys::Syslog;
our $VERSION = "2.2";
#-------------------------------------------------------------------------------
# getNewEvents - get new events from warden server greater than last received ID
#-------------------------------------------------------------------------------
sub getNewEvents
{
my @events;
my $warden_path = shift;
my $requested_type = shift;
my $vardir = $warden_path . "/var/";
my $etcdir = $warden_path . "/etc/";
my $libdir = $warden_path . "/lib/";
require $libdir . "WardenClientConf.pm";
require $libdir . "WardenClientCommon.pm";
# read the config file
my $conf_file = $etcdir . "warden-client.conf";
WardenClientConf::loadConf($conf_file);
# set name of ID file for each client aplication
Pavel Kácha
committed
my ($caller_name) = ($FindBin::Script =~ /^(.*)$/); # untaint
my $id_file = $vardir . $caller_name . "-". ($requested_type || "any") . ".id";
#-----------------------------------------------------------------------------
# get last ID from ID file (if exist) or
# get last ID from warden server DB and save it into ID file
my $last_id;
if (-e $id_file) {
open(ID, "< $id_file") or return WardenClientCommon::errMsg("Cannot open ID file $id_file: $!");
foreach(<ID>) {
$last_id = $_;
}
close ID;
} else {
# c2s() returns undef on fail
my $response = WardenClientCommon::c2s($WardenClientConf::URI, $WardenClientConf::SSL_KEY_FILE, $WardenClientConf::SSL_CERT_FILE, $WardenClientConf::SSL_CA_FILE, "getLastId");
defined $response or return; # receive data or return undef
# SOAP generates random names for unnamed return values, we sidestep through array
my @last_id = values(%{$response->{'getLastIdResponse'}});
$last_id = $last_id[0];
open(ID, "> $id_file") or return WardenClientCommon::errMsg("Cannot open ID file $id_file: $!");
print ID $last_id;
close ID;
}
#-----------------------------------------------------------------------------
# get new events from warden server DB based on gathered last ID
my %request_data = (
"REQUESTED_TYPE" => $requested_type,
"LAST_ID" => $last_id,
"MAX_RCV_EVENTS_LIMIT" => $WardenClientConf::MAX_RCV_EVENTS_LIMIT
);
# call server method getNewEvents
my $response = WardenClientCommon::c2s($WardenClientConf::URI, $WardenClientConf::SSL_KEY_FILE, $WardenClientConf::SSL_CERT_FILE, $WardenClientConf::SSL_CA_FILE, "getNewEvents", \%request_data);
defined $response or return; # connect to warden server or return undef
# parse returned SOAP data object
my ($id, $hostname, $service, $detected, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout);
my $response_list = ($response->{'getNewEventsResponse'}->{'event'} or []);
while (scalar @{$response_list}) {
my $response_data = shift(@{$response_list});
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
my @event;
# parse items of one event
$id = $response_data->{'ID'};
$hostname = $response_data->{'HOSTNAME'};
$service = $response_data->{'SERVICE'};
$detected = $response_data->{'DETECTED'};
$type = $response_data->{'TYPE'};
$source_type = $response_data->{'SOURCE_TYPE'};
$source = $response_data->{'SOURCE'};
$target_proto = $response_data->{'TARGET_PROTO'};
$target_port = $response_data->{'TARGET_PORT'};
$attack_scale = $response_data->{'ATTACK_SCALE'};
$note = $response_data->{'NOTE'};
$priority = $response_data->{'PRIORITY'};
$timeout = $response_data->{'TIMEOUT'};
# push new event from warden server into @events which is returned
@event = ($id, $hostname, $service, $detected, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout);
push (@events, \@event);
# set maximum received ID from current batch
if ($id > $last_id) {
$last_id = $id;
}
} #end of while loop
# write last return ID
if (defined $last_id) { # must be defined for first check ID
open(ID, "> $id_file") or return WardenClientCommon::errMsg("Cannot open ID file $id_file: $!");
print ID $last_id;
close ID;
}
return @events;
} # End of getNewEvents
1;