diff --git a/src/contrib/wardenWatchdog/WardenWatchdog.conf b/src/contrib/wardenWatchdog/WardenWatchdog.conf
index bdcdbb11e319c68a45768b88743d7da4d28e865b..d87bed3e657c29b859a68020701344065b501bda 100644
--- a/src/contrib/wardenWatchdog/WardenWatchdog.conf
+++ b/src/contrib/wardenWatchdog/WardenWatchdog.conf
@@ -57,11 +57,11 @@ END;');
#-------------------------------------------------------------------------------
@sql_queries = (
{query => "SELECT hostname, service, MAX(received) FROM events WHERE valid = 't' GROUP BY hostname, service ORDER BY MAX(received) ASC;", text => "Uvedeny klient, nebo klienti jiz delsi dobu nereportovali zadne udalosti do Wardenu. Je mozne, ze nefunguji spravne.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
- {query => "SELECT requestor FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '$date' AND type NOT IN ('portscan', 'bruteforce', 'probe', 'spam', 'phishing', 'botnet_c_c', 'dos', 'malware', 'copyright', 'webattack', 'test', 'other') AND valid = 't' GROUP BY service) GROUP BY requestor;", text => "Uvedeny klient, nebo klienti zasilaji nepodporovany nebo zastaraly typ udalosti na server Warden", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
+ {query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND type NOT IN ('portscan', 'bruteforce', 'probe', 'spam', 'phishing', 'botnet_c_c', 'dos', 'malware', 'copyright', 'webattack', 'test', 'other') AND valid = 't' GROUP BY service) GROUP BY requestor;", text => "Uvedeny klient, nebo klienti zasilaji nepodporovany nebo zastaraly typ udalosti na server Warden", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
{query => "SELECT hostname, service, type, COUNT(*) FROM events WHERE detected - received > 0 AND received > '$date' GROUP BY hostname, service, type;", text => "Uvedeny klient, nebo klienti odesilaji odesilaji udalosti s casem z budoucnosti. Cas prirazeny serverem pri prichodu udalosti (received) musi byt vzdy roven nebo vetsi casu detekce (detected).", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'},
{query => "SELECT hostname, service, received, source, count(source) AS c, min(received), max(received) FROM events WHERE valid = 't' AND source_type = 'IP' AND iptest(source) GROUP BY hostname, service, source ORDER BY c DESC;", text => "Uvedeni klient, nebo klienti odesilaji udalosti se zdrojovou adresou, ktera by se nemela objevit v internetu (privatni rozsah), nebo je neplatna (prazdny oktet, oktet je vetsi nez 255, apod.). kvuli omezeni verzi MySQL serveru funguje zatim pouze pro IPv6.", contact => 'jakubcegan@cesnet.cz, ph@cesnet.cz'});
#-------------------------------------------------------------------------------
# sql_postcondition -
#-------------------------------------------------------------------------------
-#@sql_postcondition = ();
+@sql_postcondition = ('DROP FUNCTION IF EXISTS iptest;');
diff --git a/src/contrib/wardenWatchdog/WardenWatchdog.pm b/src/contrib/wardenWatchdog/WardenWatchdog.pm
index a50023183405eba7c556fb6bd5c359577e68edca..ccd786926e60c3440c8d158cea4c637c59226ee6 100644
--- a/src/contrib/wardenWatchdog/WardenWatchdog.pm
+++ b/src/contrib/wardenWatchdog/WardenWatchdog.pm
@@ -108,8 +108,6 @@ sub update_procedures{
}
my @sqlQueries = @{$procRef};
-
-
foreach my $proc (@sqlQueries) {
$dbh->do($proc);
}
@@ -207,13 +205,13 @@ sub run{
$errMsg = "Errors in config file '$conf_file': $@";
#syslog("err|$errMsg");
print $errMsg;
- return (0,"$errMsg");
+ return (0,"Warden watchdog - $errMsg");
}
if (!(defined $_)){
$errMsg = "Can't read config file '$conf_file': $!";
#syslog("err|$errMsg");
print $errMsg;
- return (0,"$errMsg");
+ return (0,"Warden watchdog - $errMsg");
}
}
@@ -231,13 +229,13 @@ sub run{
$errMsg = "Errors in config file '$server_conf': $@";
#syslog("err|$errMsg");
print $errMsg;
- return (0,"$errMsg");
+ return (0,"Warden watchdog - $errMsg");
}
if (!(defined $_)){
$errMsg = "Can't read config file '$server_conf': $!";
#syslog("err|$errMsg");
print $errMsg;
- return (0,"$errMsg");
+ return (0,"Warden watchdog - $errMsg");
}
}
@@ -251,33 +249,45 @@ sub run{
$date = $dt->date();
} or do {
#print "Warden watchdog - can't work with date\n";
- syslog("err|Warden watchdog - can't work with date\n");
+ syslog("Warden watchdog - can't work with date\n");
};
+
+
my $dbh;
# connect to DB
my ($rc,$err) = connect_to_DB(\%db_conf,\$dbh);
if (!$rc){
$errMsg = "Warden watchdog can\'t connect do DB: $err";
- syslog("err|$errMsg");
- return (0,"$errMsg");
+ return (0,"Warden watchdog - $errMsg");
}
- ($rc,$err) = update_procedures(\$dbh,\@sql_precondition);
- if (!$rc){
- #print "Warden watchdog - $err\n";
- syslog("err|Warden watchdog - $err\n");
+ if(@sql_precondition){
+ ($rc,$err) = update_procedures(\$dbh,\@sql_precondition);
+ if (!$rc){
+ #print "Warden watchdog - $err\n";
+ return (0,"Warden watchdog - $err\n");
+ }
}
my %bad_events;
- my $i = 0;
- while ($i < scalar(@sql_queries)) {
+ if(@sql_queries){
+ foreach my $query (@sql_queries){
+ $query->{query} =~ s/\$date/$date/;
+ }
my ($rc,$err) = send_query(\$dbh,\@sql_queries,\%bad_events);
if (!$rc){
#print "Warden watchdog - $err\n";
- syslog("err|Warden watchdog - $err\n");
+ return (0,"Warden watchdog - $err\n");
+ }
+ }
+
+ if(@sql_postcondition){
+ my ($rc,$err) = update_procedures(\$dbh,\@sql_postcondition);
+ if (!$rc){
+ #print "Warden watchdog - $err\n";
+ return (0,"Warden watchdog - $err\n");
}
- $i++;
}
while (my ($contact, $text) = each(%bad_events)){
@@ -285,7 +295,7 @@ sub run{
my ($rc,$err) = send_report(\%input);
if (!$rc){
#print $err;
- syslog("err|Warden client - networkReporter $err\n");
+ return (0,"Warden client - networkReporter $err\n");
}
}
diff --git a/src/contrib/wardenWatchdog/WardenWatchdogOfflinecheck.conf b/src/contrib/wardenWatchdog/WardenWatchdogOfflinecheck.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7a7c7eca48c936da466ccb8df20916795bc6c15d
--- /dev/null
+++ b/src/contrib/wardenWatchdog/WardenWatchdogOfflinecheck.conf
@@ -0,0 +1,95 @@
+#
+# wardenWatchdog.conf - configuration file for Wachdog script
+#
+
+#-------------------------------------------------------------------------------
+# server_conf - warden server configuration file path
+#-------------------------------------------------------------------------------
+$server_conf = '/opt/warden-server/etc/warden-server.conf';
+
+#-------------------------------------------------------------------------------
+# domain_name - server full domain name
+#-------------------------------------------------------------------------------
+$domain_name = "warden-dev.cesnet.cz";
+
+#-------------------------------------------------------------------------------
+# email_subject -
+#-------------------------------------------------------------------------------
+$email_subject = "Kontrola stavu udalosti warden serveru na stroji $domain_name";
+
+#-------------------------------------------------------------------------------
+# email_server_conf -
+#-------------------------------------------------------------------------------
+$email_server_conf = '|/usr/sbin/sendmail -oi -t';
+
+#-------------------------------------------------------------------------------
+# sql_precondition -
+#-------------------------------------------------------------------------------
+@sql_precondition = ('DROP FUNCTION IF EXISTS iptest;', 'CREATE FUNCTION iptest(ip VARCHAR(15)) RETURNS TINYINT(1) DETERMINISTIC
+BEGIN
+ SET @nip = INET_ATON(ip);
+ IF(
+ ISNULL( @nip) OR
+ @nip BETWEEN 0 AND 16777216 OR
+ @nip BETWEEN 167772160 AND 171966464 OR
+ @nip BETWEEN 2130706432 AND 2130706433 OR
+ @nip BETWEEN 2851995648 AND 2851995649 OR
+ @nip BETWEEN 2886729728 AND 2886729729 OR
+ @nip BETWEEN 3221225472 AND 3221225473 OR
+ @nip BETWEEN 3221225984 AND 3221225985 OR
+ @nip BETWEEN 3227017984 AND 3227017985 OR
+ @nip BETWEEN 3232235520 AND 3232235521 OR
+ @nip BETWEEN 3323068416 AND 3323068417 OR
+ @nip BETWEEN 3325256704 AND 3325256705 OR
+ @nip BETWEEN 3405803776 AND 3405803777 OR
+ @nip BETWEEN 3758096384 AND 3758096385 OR
+ @nip BETWEEN 4026531840 AND 4026531841 OR
+ @nip > 4294967295) THEN
+ RETURN TRUE;
+ ELSE
+ RETURN FALSE;
+ END IF;
+END;');
+
+#-------------------------------------------------------------------------------
+# sql_queries -
+# {query => ; text => ; contact => }
+#-------------------------------------------------------------------------------
+@sql_queries = (
+ {query => "SELECT * FROM events WHERE (detected > NOW() OR detected < '2013-02-05 00:00:00') AND valid = 't' GROUP BY service;",
+ text => "Tito udalosti maji cas \"detected\" z doby pred spustenim Wardenu nebo z budoucnosti",
+ contact => 'jakubcegan@cesnet.cz'
+ },
+ {query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND NOT FIND_IN_SET(type, 'portscan,bruteforce,probe,spam,phishing,botnet_c_c,dos,malware,copyright,webattack,test,other') AND valid = 't' GROUP BY service) GROUP BY requestor;",
+ text => "Tito klienti posilaji udalosti s \"type\", ktery neni ve slovniku",
+ contact => 'jakubcegan@cesnet.cz'},
+ {query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND NOT FIND_IN_SET(source_type, 'IP,URL,Reply-To:') AND valid = 't' GROUP BY service) GROUP BY requestor;",
+ text => "Tito klienti posilaji udalosti s \"source_type\", ktery neni ve slovniku",
+ contact => 'jakubcegan@cesnet.cz'},
+ {query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND NOT FIND_IN_SET(target_proto, 'IP,HTTP,TCP,UDP') AND valid = 't' GROUP BY service) GROUP BY requestor;",
+ text => "Tito klienti posilaji udalosti s \"target_proto\", ktery neni ve slovniku",
+ contact => 'jakubcegan@cesnet.cz'},
+ {query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND target_port NOT REGEXP ('[0-9]+') AND target_port IS NOT NULL AND valid = 't' GROUP BY service) GROUP BY requestor;",
+ text => "Tito klienti posilaji udalosti s \"target_port\", ktery neni cislo ani NULL",
+ contact => 'jakubcegan@cesnet.cz'},
+ {query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND attack_scale NOT REGEXP ('[0-9]+') AND attack_scale IS NOT NULL AND valid = 't' GROUP BY service) GROUP BY requestor;",
+ text => "Tito klienti posilaji udalosti s \"attack_scale\", ktery neni cislo ani NULL",
+ contact => 'jakubcegan@cesnet.cz'},
+ {query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND priority NOT REGEXP ('[0-9]+') AND priority IS NOT NULL AND valid = 't' GROUP BY service) GROUP BY requestor;",
+ text => "Tito klienti posilaji udalosti s \"priority\", ktery neni cislo ani NULL",
+ contact => 'jakubcegan@cesnet.cz'},
+ {query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND timeout NOT REGEXP ('[0-9]+') AND timeout IS NOT NULL AND valid = 't' GROUP BY service) GROUP BY requestor;",
+ text => "Tito klienti posilaji udalosti s \"timeout\", ktery neni cislo ani NULL",
+ contact => 'jakubcegan@cesnet.cz'},
+ {query => "SELECT * FROM clients WHERE service IN (SELECT service FROM events WHERE detected > '\$date' AND attack_scale IS NOT NULL AND attack_scale < 1 AND valid = 't' GROUP BY service) GROUP BY requestor;",
+ text => "Tito klienti posilaji udalosti s \"attack_scale\", ktery je cislo mensi nez jedna",
+ contact => 'jakubcegan@cesnet.cz'},
+ {query => "SELECT * FROM clients WHERE service IN (SELECT * FROM events WHERE source NOT REGEXP ('(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/(\d|[1-2]\d|3[0-2]))') AND source NOT REGEXP ('^(https?://|www\\.)[\.A-Za-z0-9\-]+\\.[a-zA-Z]{2,4}') AND source NOT REGEXP ('((\w|<|>|\ |.{2}|@)+)') GROUP BY service) GROUP BY requestor;",
+ text => "Tito klienti posilaji udalosti se \"source\", ktery neni URL, IP nebo emailova adresa.",
+ contact => 'jakubcegan@cesnet.cz'},
+ );
+
+#-------------------------------------------------------------------------------
+# sql_postcondition -
+#-------------------------------------------------------------------------------
+@sql_postcondition = ('DROP FUNCTION IF EXISTS iptest;');
diff --git a/src/contrib/wardenWatchdog/wardenWatchdog.pl b/src/contrib/wardenWatchdog/wardenWatchdog.pl
index bf1ccca550d3251492fa2c1abef4c919d0d59022..0238b799014ec5f651f2d1daa4fe474fa2447272 100755
--- a/src/contrib/wardenWatchdog/wardenWatchdog.pl
+++ b/src/contrib/wardenWatchdog/wardenWatchdog.pl
@@ -9,8 +9,13 @@
use strict;
use warnings;
-use WardenWatchdog;
+
use Getopt::Long;
+use FindBin;
+FindBin::again();
+
+use lib "$FindBin::Bin";
+use WardenWatchdog;
sub help {
my $help =" USAGE: ./wardenWatchdog.pl -c '/path/WardenWatchdog.conf' -i 7
@@ -18,7 +23,7 @@ sub help {
OPTIONS
-c conf configuration file name and path
-i interval interval in days from now back to the past
- ";
+";
print $help;
return 1;
}