Commit 9467d78b authored by Jakub Cegan

Feature #941 pridan conf soubor, bugfixy watchdogu

parent 2d4eb4db
...@@ -57,11 +57,11 @@ END;'); ...@@ -57,11 +57,11 @@ END;');
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
@sql_queries = ( @sql_queries = (
{query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Uvedeny klient, nebo klienti jiz delsi dobu nereportovali zadne udalosti do Wardenu. Je mozne, ze nefunguji spravne.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, {query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Uvedeny klient, nebo klienti jiz delsi dobu nereportovali zadne udalosti do Wardenu. Je mozne, ze nefunguji spravne.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
{query => "SELECT requestor FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '$date' AND type NOT IN ('portscan', 'bruteforce', 'probe', 'spam', 'phishing', 'botnet_c_c', 'dos', 'malware', 'copyright', 'webattack', 'test', 'other') AND valid = 't' GROUP BY service) GROUP BY requestor;", text => "Uvedeny klient, nebo klienti zasilaji nepodporovany nebo zastaraly typ udalosti na server Warden", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, {query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND type NOT IN ('portscan', 'bruteforce', 'probe', 'spam', 'phishing', 'botnet_c_c', 'dos', 'malware', 'copyright', 'webattack', 'test', 'other') AND valid = 't' GROUP BY service) GROUP BY requestor;", text => "Uvedeny klient, nebo klienti zasilaji nepodporovany nebo zastaraly typ udalosti na server Warden", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
{query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Uvedeny klient, nebo klienti odesilaji odesilaji udalosti s casem z budoucnosti. Cas prirazeny serverem pri prichodu udalosti (received) musi byt vzdy roven nebo vetsi casu detekce (detected).", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}, {query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Uvedeny klient, nebo klienti odesilaji odesilaji udalosti s casem z budoucnosti. Cas prirazeny serverem pri prichodu udalosti (received) musi byt vzdy roven nebo vetsi casu detekce (detected).", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
{query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Uvedeni klient, nebo klienti odesilaji udalosti se zdrojovou adresou, ktera by se nemela objevit v internetu (privatni rozsah), nebo je neplatna (prazdny oktet, oktet je vetsi nez 255, apod.). kvuli omezeni verzi MySQL serveru funguje zatim pouze pro IPv6.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'}); {query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Uvedeni klient, nebo klienti odesilaji udalosti se zdrojovou adresou, ktera by se nemela objevit v internetu (privatni rozsah), nebo je neplatna (prazdny oktet, oktet je vetsi nez 255, apod.). kvuli omezeni verzi MySQL serveru funguje zatim pouze pro IPv6.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'});
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
# sql_postcondition - # sql_postcondition -
#------------------------------------------------------------------------------- #-------------------------------------------------------------------------------
#@sql_postcondition = (); @sql_postcondition = ('DROP FUNCTION IF EXISTS iptest;');
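Review bot: The new side of the second query escapes `'\$date'`, but the third query (`received > '$date'`) still interpolates `$date` unescaped; if this file is evaluated as Perl when run() loads it (the `$@` handling around the config reads suggests `do`/`eval`), `$date` is still unset at that moment because it is only assigned from DateTime afterwards, so the filter collapses to `received > ''` and the "events from the future" check scans the whole table. Change it to `received > '\$date'` so the `s/\$date/$date/` substitution in run() fills it in like the other query. The explanatory text of the fourth query says the check works only for IPv6, yet `iptest()` is built on `INET_ATON`, which handles IPv4 only — the wording looks inverted and will mislead the recipient.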
...@@ -108,8 +108,6 @@ sub update_procedures{ ...@@ -108,8 +108,6 @@ sub update_procedures{
} }
my @sqlQueries = @{$procRef}; my @sqlQueries = @{$procRef};
foreach my $proc (@sqlQueries) { foreach my $proc (@sqlQueries) {
$dbh->do($proc); $dbh->do($proc);
} }
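Review bot: `$dbh->do($proc)` discards its return value, so unless the handle was opened with RaiseError a failing `CREATE FUNCTION iptest` goes unnoticed here and only surfaces later as an obscure error from the query that calls `iptest()`; since callers already expect a `($rc, $err)` pair, stop at the first failure: `$dbh->do($proc) or return (0, "SQL statement failed: " . $dbh->errstr);`. The statements fed through here now include CREATE/DROP FUNCTION, which on MySQL need CREATE ROUTINE (and, with binary logging enabled, SUPER or log_bin_trust_function_creators), so the account taken from warden-server.conf must carry more than SELECT — a comment above the loop stating that would keep someone from trimming its privileges later. The body of update_procedures starts and ends outside the hunk.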
...@@ -207,13 +205,13 @@ sub run{ ...@@ -207,13 +205,13 @@ sub run{
$errMsg = "Errors in config file '$conf_file': $@"; $errMsg = "Errors in config file '$conf_file': $@";
#syslog("err|$errMsg"); #syslog("err|$errMsg");
print $errMsg; print $errMsg;
return (0,"$errMsg"); return (0,"Warden watchdog - $errMsg");
} }
if (!(defined $_)){ if (!(defined $_)){
$errMsg = "Can't read config file '$conf_file': $!"; $errMsg = "Can't read config file '$conf_file': $!";
#syslog("err|$errMsg"); #syslog("err|$errMsg");
print $errMsg; print $errMsg;
return (0,"$errMsg"); return (0,"Warden watchdog - $errMsg");
} }
} }
...@@ -231,13 +229,13 @@ sub run{ ...@@ -231,13 +229,13 @@ sub run{
$errMsg = "Errors in config file '$server_conf': $@"; $errMsg = "Errors in config file '$server_conf': $@";
#syslog("err|$errMsg"); #syslog("err|$errMsg");
print $errMsg; print $errMsg;
return (0,"$errMsg"); return (0,"Warden watchdog - $errMsg");
} }
if (!(defined $_)){ if (!(defined $_)){
$errMsg = "Can't read config file '$server_conf': $!"; $errMsg = "Can't read config file '$server_conf': $!";
#syslog("err|$errMsg"); #syslog("err|$errMsg");
print $errMsg; print $errMsg;
return (0,"$errMsg"); return (0,"Warden watchdog - $errMsg");
} }
} }
...@@ -251,33 +249,45 @@ sub run{ ...@@ -251,33 +249,45 @@ sub run{
$date = $dt->date(); $date = $dt->date();
} or do { } or do {
#print "Warden watchdog - can't work with date\n"; #print "Warden watchdog - can't work with date\n";
syslog("err|Warden watchdog - can't work with date\n"); syslog("Warden watchdog - can't work with date\n");
}; };
my $dbh; my $dbh;
# connect to DB # connect to DB
my ($rc,$err) = connect_to_DB(\%db_conf,\$dbh); my ($rc,$err) = connect_to_DB(\%db_conf,\$dbh);
if (!$rc){ if (!$rc){
$errMsg = "Warden watchdog can\'t connect do DB: $err"; $errMsg = "Warden watchdog can\'t connect do DB: $err";
syslog("err|$errMsg"); return (0,"Warden watchdog - $errMsg");
return (0,"$errMsg");
} }
($rc,$err) = update_procedures(\$dbh,\@sql_precondition); if(@sql_precondition){
if (!$rc){ ($rc,$err) = update_procedures(\$dbh,\@sql_precondition);
#print "Warden watchdog - $err\n"; if (!$rc){
syslog("err|Warden watchdog - $err\n"); #print "Warden watchdog - $err\n";
return (0,"Warden watchdog - $err\n");
}
} }
my %bad_events; my %bad_events;
my $i = 0; if(@sql_queries){
while ($i < scalar(@sql_queries)) { foreach my $query (@sql_queries){
$query->{query} =~ s/\$date/$date/;
}
my ($rc,$err) = send_query(\$dbh,\@sql_queries,\%bad_events); my ($rc,$err) = send_query(\$dbh,\@sql_queries,\%bad_events);
if (!$rc){ if (!$rc){
#print "Warden watchdog - $err\n"; #print "Warden watchdog - $err\n";
syslog("err|Warden watchdog - $err\n"); return (0,"Warden watchdog - $err\n");
}
}
if(@sql_postcondition){
my ($rc,$err) = update_procedures(\$dbh,\@sql_postcondition);
if (!$rc){
#print "Warden watchdog - $err\n";
return (0,"Warden watchdog - $err\n");
} }
$i++;
} }
while (my ($contact, $text) = each(%bad_events)){ while (my ($contact, $text) = each(%bad_events)){
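Review bot: When send_query fails, the new early `return (0, "Warden watchdog - $err\n")` skips the `@sql_postcondition` step, so the `iptest` function created by the precondition is left behind in the database and the handle is never disconnected; the send_report error path below it has the same shape. Route every failure after the precondition through one exit that runs `update_procedures(\$dbh, \@sql_postcondition)` and disconnects before returning `(0, $msg)` — a small private `_fail` helper would do. The removed `syslog("err|...")` calls also mean these failures are no longer logged anywhere inside run(); that is only acceptable if every caller logs the returned message, which this hunk cannot show. The date-failure call at the top of the hunk now reads `syslog("Warden watchdog - can't work with date\n")`, dropping the `err|` prefix every other syslog call in this file uses — if that wrapper takes the priority from the prefix, the message will be logged at the wrong level or rejected. run() continues outside the hunk.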
...@@ -285,7 +295,7 @@ sub run{ ...@@ -285,7 +295,7 @@ sub run{
my ($rc,$err) = send_report(\%input); my ($rc,$err) = send_report(\%input);
if (!$rc){ if (!$rc){
#print $err; #print $err;
syslog("err|Warden client - networkReporter $err\n"); return (0,"Warden client - networkReporter $err\n");
} }
} }
#
# wardenWatchdog.conf - configuration file for Wachdog script
#
#-------------------------------------------------------------------------------
# server_conf - warden server configuration file path
#-------------------------------------------------------------------------------
$server_conf = '/opt/warden-server/etc/warden-server.conf';
#-------------------------------------------------------------------------------
# domain_name - server full domain name
#-------------------------------------------------------------------------------
$domain_name = "warden-dev.cesnet.cz";
#-------------------------------------------------------------------------------
# email_subject -
#-------------------------------------------------------------------------------
$email_subject = "Kontrola stavu udalosti warden serveru na stroji $domain_name";
#-------------------------------------------------------------------------------
# email_server_conf -
#-------------------------------------------------------------------------------
$email_server_conf = '|/usr/sbin/sendmail -oi -t';
#-------------------------------------------------------------------------------
# sql_precondition -
#-------------------------------------------------------------------------------
@sql_precondition = ('DROP FUNCTION IF EXISTS iptest;', 'CREATE FUNCTION iptest(ip VARCHAR(15)) RETURNS TINYINT(1) DETERMINISTIC
BEGIN
SET @nip = INET_ATON(ip);
IF(
ISNULL( @nip) OR
@nip BETWEEN 0 AND 16777216 OR
@nip BETWEEN 167772160 AND 171966464 OR
@nip BETWEEN 2130706432 AND 2130706433 OR
@nip BETWEEN 2851995648 AND 2851995649 OR
@nip BETWEEN 2886729728 AND 2886729729 OR
@nip BETWEEN 3221225472 AND 3221225473 OR
@nip BETWEEN 3221225984 AND 3221225985 OR
@nip BETWEEN 3227017984 AND 3227017985 OR
@nip BETWEEN 3232235520 AND 3232235521 OR
@nip BETWEEN 3323068416 AND 3323068417 OR
@nip BETWEEN 3325256704 AND 3325256705 OR
@nip BETWEEN 3405803776 AND 3405803777 OR
@nip BETWEEN 3758096384 AND 3758096385 OR
@nip BETWEEN 4026531840 AND 4026531841 OR
@nip > 4294967295) THEN
RETURN TRUE;
ELSE
RETURN FALSE;
END IF;
END;');
#-------------------------------------------------------------------------------
# sql_queries -
# {query => ; text => ; contact => }
#-------------------------------------------------------------------------------
@sql_queries = (
{query => "SELECT * FROM events WHERE (detected > NOW() OR detected < '2013-02-05 00:00:00') AND valid = 't' GROUP BY service;",
text => "Tito udalosti maji cas \"detected\" z doby pred spustenim Wardenu nebo z budoucnosti",
contact => 'jakubcegan@cesnet.cz'
},
{query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND NOT FIND_IN_SET(type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND valid = 't' GROUP BY service) GROUP BY requestor;",
text => "Tito klienti posilaji udalosti s \"type\", ktery neni ve slovniku",
contact => 'jakubcegan@cesnet.cz'},
{query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND NOT FIND_IN_SET(source_type, 'IP,URL,Reply-To:') AND valid = 't' GROUP BY service) GROUP BY requestor;",
text => "Tito klienti posilaji udalosti s \"source_type\", ktery neni ve slovniku",
contact => 'jakubcegan@cesnet.cz'},
{query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND NOT FIND_IN_SET(target_proto, 'IP,HTTP,TCP,UDP') AND valid = 't' GROUP BY service) GROUP BY requestor;",
text => "Tito klienti posilaji udalosti s \"target_proto\", ktery neni ve slovniku",
contact => 'jakubcegan@cesnet.cz'},
{query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND target_port NOT REGEXP ('[0-9]+') AND target_port IS NOT NULL AND valid = 't' GROUP BY service) GROUP BY requestor;",
text => "Tito klienti posilaji udalosti s \"target_port\", ktery neni cislo ani NULL",
contact => 'jakubcegan@cesnet.cz'},
{query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND attack_scale NOT REGEXP ('[0-9]+') AND attack_scale IS NOT NULL AND valid = 't' GROUP BY service) GROUP BY requestor;",
text => "Tito klienti posilaji udalosti s \"attack_scale\", ktery neni cislo ani NULL",
contact => 'jakubcegan@cesnet.cz'},
{query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND priority NOT REGEXP ('[0-9]+') AND priority IS NOT NULL AND valid = 't' GROUP BY service) GROUP BY requestor;",
text => "Tito klienti posilaji udalosti s \"priority\", ktery neni cislo ani NULL",
contact => 'jakubcegan@cesnet.cz'},
{query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND timeout NOT REGEXP ('[0-9]+') AND timeout IS NOT NULL AND valid = 't' GROUP BY service) GROUP BY requestor;",
text => "Tito klienti posilaji udalosti s \"timeout\", ktery neni cislo ani NULL",
contact => 'jakubcegan@cesnet.cz'},
{query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND attack_scale IS NOT NULL AND attack_scale < 1 AND valid = 't' GROUP BY service) GROUP BY requestor;",
text => "Tito klienti posilaji udalosti s \"attack_scale\", ktery je cislo mensi nez jedna",
contact => 'jakubcegan@cesnet.cz'},
{query => "SELECT * FROM clients WHERE service IN (SELECT * FROM events WHERE source NOT REGEXP ('(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(\d|[1-2]\d|3[0-2]))') AND source NOT REGEXP ('^(https?://|www\\.)[\.A-Za-z0-9\-]+\\.[a-zA-Z]{2,4}') AND source NOT REGEXP ('((\w|<|>|\ |.{2}|@)+)') GROUP BY service) GROUP BY requestor;",
text => "Tito klienti posilaji udalosti se \"source\", ktery neni URL, IP nebo emailova adresa.",
contact => 'jakubcegan@cesnet.cz'},
);
#-------------------------------------------------------------------------------
# sql_postcondition -
#-------------------------------------------------------------------------------
@sql_postcondition = ('DROP FUNCTION IF EXISTS iptest;');
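Review bot: Most `BETWEEN` rows in `iptest` cover only the first two addresses of their block — `3232235520 AND 3232235521` is 192.168.0.0–192.168.0.1, `167772160 AND 171966464` stops at 10.64.0.0, and `0 AND 16777216` runs one past 0/8 — so a source such as 192.168.1.5 passes as valid and the report this function feeds stays largely empty. The upper bound of each row should be base + block size − 1 for the special-purpose block its base corresponds to; the rewritten rows are below (the trailing `@nip > 4294967295` can go, INET_ATON never returns more). Separately, the last query in `@sql_queries` uses `service IN (SELECT * FROM events ...)`, which MySQL rejects as a multi-column subquery operand, and because its patterns sit in a Perl double-quoted string `\.`, `\d` and `\w` reach the server as `.`, `d` and `w`, so none of the three REGEXPs means what it says; the `NOT REGEXP ('[0-9]+')` checks above it are also unanchored and accept `abc1` — anchor them as `'^[0-9]+$'`.
```perl
@sql_precondition = ('DROP FUNCTION IF EXISTS iptest;', 'CREATE FUNCTION iptest(ip VARCHAR(15)) RETURNS TINYINT(1) DETERMINISTIC
BEGIN
  SET @nip = INET_ATON(ip);
  IF(
    ISNULL(@nip) OR
    @nip BETWEEN 0          AND 16777215   OR  # 0.0.0.0/8
    @nip BETWEEN 167772160  AND 184549375  OR  # 10.0.0.0/8
    @nip BETWEEN 2130706432 AND 2147483647 OR  # 127.0.0.0/8
    @nip BETWEEN 2851995648 AND 2852061183 OR  # 169.254.0.0/16
    @nip BETWEEN 2886729728 AND 2887778303 OR  # 172.16.0.0/12
    @nip BETWEEN 3221225472 AND 3221225727 OR  # 192.0.0.0/24
    @nip BETWEEN 3221225984 AND 3221226239 OR  # 192.0.2.0/24
    @nip BETWEEN 3227017984 AND 3227018239 OR  # 192.88.99.0/24
    @nip BETWEEN 3232235520 AND 3232301055 OR  # 192.168.0.0/16
    @nip BETWEEN 3323068416 AND 3323199487 OR  # 198.18.0.0/15
    @nip BETWEEN 3325256704 AND 3325256959 OR  # 198.51.100.0/24
    @nip BETWEEN 3405803776 AND 3405804031 OR  # 203.0.113.0/24
    @nip BETWEEN 3758096384 AND 4026531839 OR  # 224.0.0.0/4
    @nip BETWEEN 4026531840 AND 4294967295     # 240.0.0.0/4
  ) THEN
# … unchanged: RETURN TRUE / ELSE / RETURN FALSE / END IF / END …
```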
...@@ -9,8 +9,13 @@ ...@@ -9,8 +9,13 @@
use strict; use strict;
use warnings; use warnings;
use WardenWatchdog;
use Getopt::Long; use Getopt::Long;
use FindBin;
FindBin::again();
use lib "$FindBin::Bin";
use WardenWatchdog;
sub help { sub help {
my $help =" USAGE: ./wardenWatchdog.pl -c '/path/WardenWatchdog.conf' -i 7 my $help =" USAGE: ./wardenWatchdog.pl -c '/path/WardenWatchdog.conf' -i 7
...@@ -18,7 +23,7 @@ sub help { ...@@ -18,7 +23,7 @@ sub help {
OPTIONS OPTIONS
-c conf configuration file name and path -c conf configuration file name and path
-i interval interval in days from now back to the past -i interval interval in days from now back to the past
"; ";
print $help; print $help;
return 1; return 1;
} }
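Review bot: `FindBin::again();` is an ordinary runtime statement, while `use lib "$FindBin::Bin"` and `use WardenWatchdog` on the following lines run at compile time, so by the time it executes the module has already been searched for and loaded; either drop the call (`use FindBin` already sets `$FindBin::Bin`) or move it into `BEGIN { FindBin::again(); }` above `use lib`. Prepending the script's own directory to `@INC` also means any `WardenWatchdog.pm` dropped there is loaded with the watchdog's privileges, so the install directory must not be writable by anyone but the owner — a one-line comment next to `use lib` stating that assumption would help. The second hunk (usage text) shows no visible change on the rendered page.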