Merge branch 'master' of homeproj.cesnet.cz:warden

47c643d1 · Jan Soukal · 3f9dc03c · 4422a2b2 · 47c643d1 · 47c643d1
Commit 47c643d1 authored 12 years ago by Jan Soukal
--- a/src/warden-client/doc/README
+++ b/src/warden-client/doc/README
@@ -345,6 +345,8 @@ I. Functions, Arguments and Calls
    # portscan    - scannig of TCP/UDP ports
    # bruteforce  - bruteforce/dictionary attack against authentication
    #               service(s)
+    # probe       - other connection attempts (for example ICMP) or
+    #               unrecognized/undecided portscan or bruteforce
    # spam        - unsolicited e-mail that does not have phishing-like
    #               character
    # phishing    - e-mail attempting to gather sensitive data

--- a/src/warden-client/doc/README.cesnet
+++ b/src/warden-client/doc/README.cesnet
@@ -128,6 +128,8 @@ D. Types of events

   * portscan - TCP/UDP port scanning/sweeping
   * bruteforce - dictionary/bruteforce attack to services authentication
+   * probe - other connection attempts (for example ICMP) or
+             unrecognized/undecided portscan or bruteforce
   * spam - unsolicited commercial email (except phishing)
   * phishing - email, trying to scam user to revealing personal information
     (possibly by some other channel)

--- a/src/warden-server/doc/CHANGELOG
+++ b/src/warden-server/doc/CHANGELOG
 2012-00-00 v2.1 stable version
 ------------------------------
- add limit of events that can be downloaded from server to client
- add receiving of all types of events
- add validation of types of received events
+- added limit of events that can be downloaded from server to client
+- added receiving of all types of events
+- added validation of types of received events
+- added support for client maximum received events limit option
+  (for more information see client documentation) 


 2012-07-27 v2.0 stable version

--- a/src/warden-server/etc/warden-server.conf
+++ b/src/warden-server/etc/warden-server.conf
@@ -42,5 +42,5 @@ $MAX_EVENTS_LIMIT = "1000000";
 # VALID_STRINGS - validation hash containing allowed event attributes
 #-------------------------------------------------------------------------------
 %VALID_STRINGS = (
-"type" => ["portscan", "bruteforce", "spam", "phishing", "botnet_c_c", "dos", "malware", "copyright", "webattack", "test", "other", "_any_"],
+"type" => ["portscan", "bruteforce", "probe", "spam", "phishing", "botnet_c_c", "dos", "malware", "copyright", "webattack", "test", "other", "_any_"],
 );
--- a/src/warden-server/lib/Warden.pm
+++ b/src/warden-server/lib/Warden.pm
@@ -253,8 +253,9 @@ sub getNewEvents
  my $function_name	= 'getNewEvents';

  # parse SOAP data object
-  my $requested_type	= $data->{'REQUESTED_TYPE'};
-  my $last_id		= $data->{'LAST_ID'};
+  my $requested_type		= $data->{'REQUESTED_TYPE'};
+  my $last_id			= $data->{'LAST_ID'};
+  my $max_rcv_events_limit 	= $data->{'MAX_RCV_EVENTS_LIMIT'};

  my %client = authorizeClient($alt_names, $ip, $requested_type, $client_type, $function_name);
  if(defined %client) {
@@ -262,11 +263,11 @@ sub getNewEvents
      if ($requested_type eq '_any_') {		  # check if client want each or only one type of messages
        $sth = $DBH->prepare("SELECT * FROM events WHERE type != 'test' AND id > ? AND valid = 't' ORDER BY id ASC LIMIT ?;");
        if (!defined $sth) {die("Cannot prepare ROE-ANY statement in $function_name: $DBI::errstr\n")}
-        $sth->execute($last_id, $MAX_EVENTS_LIMIT);
+        (defined $max_rcv_events_limit && $max_rcv_events_limit < $MAX_EVENTS_LIMIT) ? $sth->execute($last_id, $max_rcv_events_limit) : $sth->execute($last_id, $MAX_EVENTS_LIMIT);
      } else {
        $sth = $DBH->prepare("SELECT * FROM events WHERE type != 'test' AND id > ? AND type = ? AND valid = 't' ORDER BY id ASC LIMIT ?;");
        if (!defined $sth) {die("Cannot prepare ROE statement in $function_name: $DBI::errstr\n")}
-        $sth->execute($last_id, $requested_type, $MAX_EVENTS_LIMIT);
+        (defined $max_rcv_events_limit && $max_rcv_events_limit < $MAX_EVENTS_LIMIT) ? $sth->execute($last_id, $requested_type, $max_rcv_events_limit) : $sth->execute($last_id, $requested_type, $MAX_EVENTS_LIMIT);
      }
    } else {
      if ($requested_type eq '_any_') {
@@ -274,13 +275,13 @@ sub getNewEvents
        if (!defined $sth) {die("Cannot prepare ANY statement in $function_name: $DBI::errstr\n")}
        my ($domain) = $cn =~ /([^\.]+\.[^\.]+)$/;
        $domain = '\%' . $domain;
-        $sth->execute($last_id, $domain, $MAX_EVENTS_LIMIT);
+        (defined $max_rcv_events_limit && $max_rcv_events_limit < $MAX_EVENTS_LIMIT) ? $sth->execute($last_id, $domain, $max_rcv_events_limit) : $sth->execute($last_id, $domain, $MAX_EVENTS_LIMIT);
      } else {
        $sth = $DBH->prepare("SELECT * FROM events WHERE type != 'test' AND id > ? AND type = ? AND valid = 't' AND hostname NOT LIKE ? ORDER BY id ASC LIMIT ?;");
        if (!defined $sth) {die("Cannot prepare statement in $function_name: $DBI::errstr\n")}
        my ($domain) = $cn =~ /([^\.]+\.[^\.]+)$/;
        $domain = '\%' . $domain;
-        $sth->execute($last_id, $requested_type, $domain, $MAX_EVENTS_LIMIT);
+        (defined $max_rcv_events_limit && $max_rcv_events_limit < $MAX_EVENTS_LIMIT) ? $sth->execute($last_id, $requested_type, $domain, $max_rcv_events_limit) : $sth->execute($last_id, $requested_type, $domain, $MAX_EVENTS_LIMIT);
      }
    }

@@ -323,9 +324,9 @@ sub getNewEvents
    # log sent ID of events
    if (scalar @events != 0) {
      if (scalar @ids == 1) {
-        write2log("info", "Sent 1 events [#$ids[0]] to $ip (CN(AN): $alt_names)");
+        write2log("info", "Sent 1 event [#$ids[0]] to $ip (CN(AN): $alt_names) with client limit $max_rcv_events_limit events");
      } else {
-        write2log("info", "Sent " . scalar @ids . " events [#$ids[0] - #$ids[-1]] to $ip (CN(AN): $alt_names)");
+        write2log("info", "Sent " . scalar @ids . " events [#$ids[0] - #$ids[-1]] to $ip (CN(AN): $alt_names) with client limit $max_rcv_events_limit events");
      }
    }
    return @events;

--- a/src/warden-server/lib/WardenConf.pm
+++ b/src/warden-server/lib/WardenConf.pm
@@ -20,10 +20,10 @@ sub loadConf
  my $conf_file = shift;

  # preset of default variables
-  our $URI = undef;
-  our $SSL_KEY_FILE = undef;
-  our $SSL_CERT_FILE = undef;
-  our $SSL_CA_FILE = undef;
+  our $URI 		= undef;
+  our $SSL_KEY_FILE 	= undef;
+  our $SSL_CERT_FILE 	= undef;
+  our $SSL_CA_FILE 	= undef;

  # read config file
  if ( ! open( TMP, $conf_file) ) {

--- a/src/warden-server/sh/install.sh
+++ b/src/warden-server/sh/install.sh
@@ -232,7 +232,7 @@ make_server_conf()
 # VALID_STRINGS - validation hash containing allowed event attributes
 #-------------------------------------------------------------------------------
 %VALID_STRINGS = ( 
-\"type\" => [\"portscan\", \"bruteforce\", \"spam\", \"phishing\", \"botnet_c_c\", \"dos\", \"malware\", \"copyright\", \"webattack\", \"test\", \"other\", \"_any_\"],
+\"type\" => [\"portscan\", \"bruteforce\", \"probe\", \"spam\", \"phishing\", \"botnet_c_c\", \"dos\", \"malware\", \"copyright\", \"webattack\", \"test\", \"other\", \"_any_\"],
 );
 " > $server_conf 2> $err; ret_val=`echo $?`