From 1de52a6578813d7a55b43bba42586920bb2f2ae9 Mon Sep 17 00:00:00 2001
From: Michal Kostenec <kostenec@civ.zcu.cz>
Date: Mon, 25 Jun 2012 14:02:40 +0200
Subject: [PATCH] Oprava chybneho merge s receive-apache2
---
 src/warden-server/lib/Warden.pm | 145 ++++++++++++++++++--------------
 1 file changed, 84 insertions(+), 61 deletions(-)
diff --git a/src/warden-server/lib/Warden.pm b/src/warden-server/lib/Warden.pm
index 1cc497a..0e7f255 100755
--- a/src/warden-server/lib/Warden.pm
+++ b/src/warden-server/lib/Warden.pm
@@ -27,7 +27,7 @@ our $VERSION = "2.0";
 # READING OF CONFIGURATION VARIABLES
 ################################################################################
-my $conf_file = "/opt/warden-server-2/etc/warden-server.conf";
+my $conf_file = "/opt/warden-server/etc/warden-server.conf";
 our $FACILITY = undef;
 our $DB_NAME = undef;
 our $DB_USER = undef;
@@ -111,7 +111,7 @@ sub getAltNames
 my $der = decode_base64(join("", @a));
 my $decoded= Crypt::X509->new(cert => $der);
- foreach my $tmp (@{$decoded->SubjectAltName}){
+ foreach my $tmp (@{$decoded->SubjectAltName}) {
 if($tmp =~ s/dNSName=//){
 push(@an_array, $DBH->quote($tmp));
 }
@@ -121,6 +121,64 @@ sub getAltNames
 }
+#-------------------------------------------------------------------------------
+# authorizeClient - authorize client by CN,AN and source IP range
+#-------------------------------------------------------------------------------
+
+sub authorizeClient
+{
+ my ($alt_names, $ip, $service_type, $client_type, $function_name) = @_;
+
+ my $sth;
+ # obtain cidr based on rigth common name and alternate names, service and client_type
+ if($function_name eq 'saveNewEvent') {
+ $sth = $DBH->prepare( "SELECT hostname, ip_net_client, receive_own_events
+ FROM clients WHERE hostname IN ($alt_names) AND service = ? AND client_type = ?
+ ORDER BY SUBSTRING_INDEX(ip_net_client,'/', -1) DESC;");
+ }
+ elsif($function_name eq 'getNewEvents') {
+ $sth = $DBH->prepare( "SELECT hostname, ip_net_client, receive_own_events
+ FROM clients WHERE hostname IN ($alt_names) AND type = ? AND client_type = ?
+ ORDER BY SUBSTRING_INDEX(ip_net_client,'/', -1) DESC;");
+ }
+
+ if (!defined $sth) { die("Cannot prepare authorization statement in $function_name: $DBI::errstr\n")}
+ $sth->execute($service_type, $client_type);
+
+ my ($an, $cidr, $receive_own, $cidr_list);
+ my $correct_ip_source = 0;
+ my %ret;
+
+ while(($an, $cidr, $receive_own) = $sth->fetchrow()) {
+ my $cidr_list = Net::CIDR::Lite-> new -> add($cidr);
+
+ $ret{'dns'} = $an;
+ $ret{'cidr'} = $cidr;
+ $ret{'receive_own'} = $receive_own;
+
+ if ($cidr_list->bin_find($ip)) {
+ $correct_ip_source = 1;
+ last;
+ }
+ };
+
+ # check if client is registered
+ if ($sth->rows == 0) {
+ write2log ("err", "Unauthorized access to $function_name from: $ip (CN(AN): $alt_names) - client is not registered");
+ die("Access denied - client is not registered at warden server!");
+ return undef;
+ }
+
+ # check if client has IP from registered CIDR
+ if (!$correct_ip_source) {
+ write2log ("err", "Unauthorized access to $function_name from: $ip (CN(AN): $alt_names) - access from bad subnet: " .
$ret{'cidr'});
+ die("Access denied - access from unauthorized subnet!");
+ return undef;
+ }
+
+ return %ret;
+}
+
 ################################################################################
 # SOAP Functions
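Review bot: The `ORDER BY SUBSTRING_INDEX(ip_net_client,'/', -1) DESC` in both prepared statements of authorizeClient orders the prefix length as a string, so `/8` or `/9` sorts ahead of `/24` and `/32`; because the fetch loop stops at the first `bin_find` hit and copies that row's `dns` and `receive_own`, a broader registration can be chosen over a more specific one that also matches. `ORDER BY CAST(SUBSTRING_INDEX(ip_net_client,'/',-1) AS UNSIGNED) DESC` in both statements gives the intended longest-prefix-first order. The registration check `if ($sth->rows == 0)` relies on the driver reporting a row count for a SELECT, which DBI does not guarantee; `if (!%ret) {` tests the same condition from what the loop actually fetched. The `return undef;` after each `die()` is unreachable, and the outer `$cidr_list` in `my ($an, $cidr, $receive_own, $cidr_list);` is shadowed by the loop's `my $cidr_list`. A comment such as `# $alt_names must be a comma-separated list of $DBH->quote()d names (see getAltNames)` would document the precondition the interpolated `IN ($alt_names)` depends on.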
@@ -147,42 +205,26 @@ sub saveNewEvent
 # parse object (event) parameters
 my $service = $data->{'SERVICE'};
 my $detected = $data->{'DETECTED'};
- my $type = $data->{'TYPE'};
+ my $type = $data->{'TYPE'};
 my $source_type = $data->{'SOURCE_TYPE'};
 my $source = $data->{'SOURCE'};
 my $target_proto = $data->{'TARGET_PROTO'};
 my $target_port = $data->{'TARGET_PORT'};
 my $attack_scale = $data->{'ATTACK_SCALE'};
- my $note = $data->{'NOTE'};
+ my $note = $data->{'NOTE'};
 my $priority = $data->{'PRIORITY'};
 my $timeout = $data->{'TIMEOUT'};
- # obtain cidr based on rigth common name and alternate names, service and client_type
- $sth = $DBH->prepare("SELECT hostname, ip_net_client FROM clients WHERE hostname IN ($alt_names) AND service = ? AND client_type = ? LIMIT 1;");
- if (!defined $sth) {die("Cannot prepare authorization statement in saveNewEvent: $DBI::errstr\n")}
- $sth->execute($service, $client_type);
- my ($an, $cidr) = $sth->fetchrow();
-
- # check if client is registered
- if (!defined $cidr) {
- write2log ("err", "Unauthorized access to saveNewEvent from: $ip (CN: $cn; AN: $an) - client is not registered");
- die("Access denied - client is not registered at warden server!");
- } else {
- $cidr_list = Net::CIDR::Lite
- -> new
- -> add($cidr);
- }
-
- # check if client has IP from registered CIDR
- if (!$cidr_list->bin_find($ip)) {
- write2log ("err", "Unauthorized access to saveNewEvent from: $ip (CN: $cn; AN: $an) - access from bad subnet: $cidr");
- die("Access denied - access from unauthorized subnet!");
- } else {
+ my %client = authorizeClient($alt_names, $ip, $service, $client_type, 'saveNewEvent');
+ if(defined %client) {
 # insert new events into DB
 $sth=$DBH->prepare("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);");
- if (!defined $sth) {die("Cannot do insert statement in saveNewEvent: $DBI::errstr\n")}
- $sth->execute(undef, $cn, $service, $detected, $received, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note,
$priority, $timeout, $valid);
+ if (!defined $sth) { die("Cannot do insert statement in saveNewEvent: $DBI::errstr\n") }
+
+ $sth->execute(undef, $client{'dns'}, $service, $detected, $received, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout, $valid);
+
+ return 1;
 }
 }
 # END of saveNewEvent
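Review bot: `if(defined %client)` applies `defined` to a hash, a long-deprecated construct that Perl 5.22 and later reject at compile time, so the module will not load on those versions; the same line appears in the getNewEvents hunk. Since authorizeClient `die()`s on every rejection path, `%client` is always populated when the call returns, and `if (%client) {` keeps the guard without the deprecated form. The hostname column now receives `$client{'dns'}` instead of the certificate's `$cn`, which is a deliberate change worth recording with a comment such as `# hostname is the registered name matched by authorizeClient, not the raw certificate CN`. saveNewEvent's header and the assignments of `$alt_names`, `$ip` and `$client_type` are outside this hunk.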
@@ -197,40 +239,21 @@ sub getNewEvents
 my ($id, $hostname, $service, $detected, $type, $source_type, $source, $target_proto, $target_port, $attack_scale, $note, $priority, $timeout);
 # client network information
- my $cn = $ENV{'SSL_CLIENT_S_DN_CN'};
+ my $cn = $ENV{'SSL_CLIENT_S_DN_CN'};
 my $alt_names = getAltNames(undef);
- my $ip = $ENV{'REMOTE_ADDR'};
+ my $ip = $ENV{'REMOTE_ADDR'};
 my $client_type = "r"; # incoming client MUST be sender
 # parse SOAP data object
- my $requested_type = $data->{'REQUESTED_TYPE'};
- my $last_id = $data->{'LAST_ID'};
+ my $requested_type = $data->{'REQUESTED_TYPE'};
+ my $last_id = $data->{'LAST_ID'};
- # obtain cidr based on rigth common name, service and client_type
- $sth = $DBH->prepare("SELECT hostname, receive_own_events, ip_net_client FROM clients WHERE hostname IN ($alt_names) AND type = ? AND client_type = ? LIMIT 1;");
- if (!defined $sth) {die("Cannot prepare authorization statement in getNewEvents: $DBI::errstr\n")}
- $sth->execute($requested_type, $client_type);
- my ($an, $receive_own_events, $cidr) = $sth->fetchrow();
-
- # check if client is registered
- if (!defined $cidr) {
- write2log ("err", "Unauthorized access to getNewEvents from: $ip (CN: $cn; AN: $an) - client is not registered");
- die("Access denied - client is not registered at warden server!");
- } else {
- $cidr_list = Net::CIDR::Lite
- -> new
- -> add($cidr);
- }
-
- # check if client has IP from registered CIDR
- if (!$cidr_list->bin_find($ip)) {
- write2log ("err", "Unauthorized access to getNewEvents from: $ip (CN: $cn; AN: $an) - access from bad subnet: $cidr");
- die("Access denied - access from unathorized subnet!");
- } else {
+ my %client = authorizeClient($alt_names, $ip, $requested_type, $client_type, 'getNewEvents');
+ if(defined %client) {
 # check if client want your own events or not
- if ($receive_own_events eq 't') {
+ if ($client{'receive_own'} eq 't') {
 $sth = $DBH->prepare("SELECT * FROM events WHERE type != 'test' AND id > ?
AND type = ? AND valid = 't' ORDER BY id ASC;");
 if (!defined $sth) {die("Cannot prepare ROE statement in getNewEvents: $DBI::errstr\n")}
 $sth->execute($last_id, $requested_type);
@@ -253,19 +276,19 @@ sub getNewEvents
 $source = $result[7];
 $target_proto = $result[8];
 $target_port = $result[9];
- $attack_scale = $result[10];
+ $attack_scale = $result[10];
 $note = $result[11];
 $priority = $result[12];
 $timeout = $result[13];
 # create SOAP data object
 $event = SOAP::Data->name(event => \SOAP::Data->value(
- SOAP::Data->name(ID => $id),
+ SOAP::Data->name(ID => $id),
 SOAP::Data->name(HOSTNAME => $hostname),
 SOAP::Data->name(SERVICE => $service),
 SOAP::Data->name(DETECTED => $detected),
 SOAP::Data->name(TYPE => $type),
- SOAP::Data->name(SOURCE_TYPE => $source_type),
+ SOAP::Data->name(SOURCE_TYPE=> $source_type),
 SOAP::Data->name(SOURCE => $source),
 SOAP::Data->name(TARGET_PROTO => $target_proto),
 SOAP::Data->name(TARGET_PORT => $target_port),
@@ -281,9 +304,9 @@ sub getNewEvents
 # log sent ID of events
 if (scalar @events != 0) {
 if (scalar @ids == 1) {
- write2log("info", "Sent 1 events [#$ids[0]] to $ip (CN: $cn; AN: $an)");
+ write2log("info", "Sent 1 events [#$ids[0]] to $ip (CN(AN): $alt_names)");
 } else {
- write2log("info", "Sent " . scalar @ids . " events [#$ids[0] - #$ids[-1]] to $ip (CN: $cn; AN: $an)");
+ write2log("info", "Sent " . scalar @ids . " events [#$ids[0] - #$ids[-1]] to $ip (CN(AN): $alt_names)");
 }
 }
 return @events;
@@ -358,9 +381,9 @@ sub registerSender
 } # END of registerSender
-#-----------------------------------------------------------------------------
-# registerReceiver - register new receiver
-#-----------------------------------------------------------------------------
+##-----------------------------------------------------------------------------
+## registerReceiver - register new receiver
+##-----------------------------------------------------------------------------
 sub registerReceiver
 {
 my ($class, $data) = @_;
--
GitLab
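Review bot: `my $cn = $ENV{'SSL_CLIENT_S_DN_CN'};` is kept (only re-indented) while the log lines later in getNewEvents now report `CN(AN): $alt_names`, so `$cn` appears to have no remaining reader in this function after the change; if nothing outside the hunk uses it, dropping the assignment removes a misleading variable, and if the raw certificate CN is still wanted in the audit trail it should be named in the log messages instead. The comment on `my $client_type = "r"; # incoming client MUST be sender` is pre-existing context but now sits next to the new `authorizeClient(..., $client_type, 'getNewEvents')` call, where `"r"` is passed as the receiver type; a corrected comment such as `# incoming client MUST be a registered receiver` would avoid contradicting the call. getNewEvents continues beyond this hunk.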