comparison maltfilter @ 86:4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
author | Matti Hamalainen <ccr@tnsp.org> |
---|---|
date | Sun, 30 Aug 2009 17:14:09 +0300 |
parents | 532169789f52 |
children | cbe5761897f4 |
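--- a/maltfilter
+++ b/maltfilter
@@ -11,11 +11,11 @@
 use Net::IP;
 use Net::DNS;
 use LWP::UserAgent;
 use IO::Seekable;
 
-my $progversion = "0.19.0";
+my $progversion = "0.19.1";
 my $progbanner =
 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n";
 
@@ -528,12 +528,16 @@
 my $dronebl_errors = 0;
 my $dronebl_suspend = 0;
 
 sub dronebl_process
 {
-return if ($dronebl_suspend-- > 0);
 return unless ($settings{"DRONEBL"} > 0);
+
+if ($dronebl_suspend > 0) {
+$dronebl_suspend--;
+return;
+}
 
 # Create submission data
 my $xml = "<?xml version=\"1.0\"?>\n<request key=\"".$settings{"DRONEBL_RPC_KEY"}."\">\n";
 my $entries = 0;
 while (my ($ip, $entry) = each(%dronebl)) {
@@ -575,12 +579,12 @@
 } elsif ($str =~ /<response\s*type=.(success|error). *\/>/gm) {
 $type = $1; $msg = "";
 }
 
 if ($type eq "success") {
-mlog(1, "[DroneBL] Succesfully submitted $entries entries.\n$msg\n");
 $dronebl_errors = 0;
+mlog(1, "[DroneBL] Succesfully submitted $entries entries.\n");
 while (my ($ip, $entry) = each(%dronebl)) {
 $entry->{"sent"} = 1;
 $statlist{$ip}{"dronebl"} = 2 if defined($statlist{$ip});
 }
 } elsif ($type eq "error") {
@@ -601,12 +605,15 @@
 } else {
 mlog(-1, "[DroneBL] HTTP request failed: [".$res->code."] ".$res->message."\n");
 $dronebl_errors++;
 }
 
+# Check error counts
 if ($dronebl_errors >= $settings{"DRONEBL_MAX_ERRORS"}) {
-mlog(-1, "Temporarily disabling DroneBL submissions due to too many errors for next ".$settings{"DRONEBL_SUSPEND"}. " rounds.\n");
+# Only log suspension message if don't have recent previous errors
+mlog(-1, "Temporarily disabling DroneBL submissions due to too many errors for next ".$settings{"DRONEBL_SUSPEND"}. " rounds.\n")
+if ($dronebl_errors == $settings{"DRONEBL_MAX_ERRORS"});
 $dronebl_suspend = $settings{"DRONEBL_SUSPEND"};
 }
 
 # Clean up expired entries, warn/note about unsubmitted ones.
 while (my ($ip, $entry) = each(%dronebl)) {
@@ -623,11 +630,11 @@
 
 return unless ($settings{"DRONEBL"} > 0);
 return if check_hosts_array(\@noaction_ips, $mip);
 
 if (!defined($dronebl{$mip})) {
-mlog(3, "[DroneBL] Queueing $mip \@ $mdate ($mtype)\n");
+mlog(2, "[DroneBL] Queueing $mip \@ $mdate (type $mtype)\n");
 $dronebl{$mip}{"type"} = $mtype;
 $dronebl{$mip}{"date"} = $mdate;
 $dronebl{$mip}{"sent"} = 0;
 $dronebl{$mip}{"tries"} = 0;
 $statlist{$mip}{"dronebl"} = 1 if defined($statlist{$mip});
@@ -1243,11 +1250,23 @@
 mdie("Evidence directory '$base' is not writable by euid.\n") unless (-w $base);
 }
 
 # Sanitize DroneBL configuration
 if ($settings{"DRONEBL"} > 0) {
-mdie("DroneBL RPC key not set.\n") unless ($settings{"DRONEBL_RPC_KEY"} ne "");
+mdie("DroneBL enabled, but DRONEBL_RPC_KEY not set.\n") unless ($settings{"DRONEBL_RPC_KEY"} ne "");
+
+$val = $settings{"DRONEBL_MAX_AGE"};
+mdie("Invalid DRONEBL_MAX_AGE value $val, must be > 10.\n") unless ($val > 10);
+
+$val = $settings{"DRONEBL_THRESHOLD"};
+mdie("Invalid DRONEBL_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0);
+
+$val = $settings{"DRONEBL_MAX_ERRORS"};
+mdie("Invalid DRONEBL_MAX_ERRORS value $val, must be >= 0.\n") unless ($val >= 0);
+
+$val = $settings{"DRONEBL_SUSPEND"};
+mdie("Invalid DRONEBL_SUSPEND value $val, must be >= 1.\n") unless ($val >= 1);
 }
 
 # Check system account / passwd settings
 mdie("SYSACCT_MIN_UID must be >= 1.\n") unless ($settings{"SYSACCT_MIN_UID"} >= 1);
 mdie("SYSACCT_MAX_UID must be >= SYSACCT_MIN_UID.\n") unless ($settings{"SYSACCT_MAX_UID"} >= $settings{"SYSACCT_MIN_UID"});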
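Review bot: The new range check at line 1264 accepts a DRONEBL_MAX_ERRORS of 0, but with that value the comparison `$dronebl_errors >= $settings{"DRONEBL_MAX_ERRORS"}` at line 611 holds on every round, including one where a successful submission has just reset the counter to 0, so dronebl_process would suspend itself for DRONEBL_SUSPEND rounds after each call and log the "Temporarily disabling" message every time. The lower bound should match what the comparison needs: `mdie("Invalid DRONEBL_MAX_ERRORS value $val, must be >= 1.\n") unless ($val >= 1);`. The checks also rely on `$val` being declared earlier in this block, outside the shown lines, which is worth confirming under `use strict`. Separately, once a suspension has ended a further failed attempt pushes the counter past the threshold, so every later re-suspension is silent; a low-verbosity `mlog` in that case would keep the repeated disabled state visible to an operator reading the log.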