Mercurial > hg > maltfilter
comparison maltfilter @ 86:4362bf9e52e4
Add sanity checking of DroneBL configuration values; Misc. cleanups.
| author | Matti Hamalainen <ccr@tnsp.org> |
|---|---|
| date | Sun, 30 Aug 2009 17:14:09 +0300 |
| parents | 532169789f52 |
| children | cbe5761897f4 |
comparison
equal
deleted
inserted
replaced
| 85:edba50b28190 | 86:4362bf9e52e4 |
|---|---|
| 11 use Net::IP; | 11 use Net::IP; |
| 12 use Net::DNS; | 12 use Net::DNS; |
| 13 use LWP::UserAgent; | 13 use LWP::UserAgent; |
| 14 use IO::Seekable; | 14 use IO::Seekable; |
| 15 | 15 |
| 16 my $progversion = "0.19.0"; | 16 my $progversion = "0.19.1"; |
| 17 my $progbanner = | 17 my $progbanner = |
| 18 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". | 18 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". |
| 19 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". | 19 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n". |
| 20 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; | 20 "(C) Copyright 2009 Tecnic Software productions (TNSP)\n"; |
| 21 | 21 |
| 528 my $dronebl_errors = 0; | 528 my $dronebl_errors = 0; |
| 529 my $dronebl_suspend = 0; | 529 my $dronebl_suspend = 0; |
| 530 | 530 |
| 531 sub dronebl_process | 531 sub dronebl_process |
| 532 { | 532 { |
| 533 return if ($dronebl_suspend-- > 0); | |
| 534 return unless ($settings{"DRONEBL"} > 0); | 533 return unless ($settings{"DRONEBL"} > 0); |
| 534 | |
| 535 if ($dronebl_suspend > 0) { | |
| 536 $dronebl_suspend--; | |
| 537 return; | |
| 538 } | |
| 535 | 539 |
| 536 # Create submission data | 540 # Create submission data |
| 537 my $xml = "<?xml version=\"1.0\"?>\n<request key=\"".$settings{"DRONEBL_RPC_KEY"}."\">\n"; | 541 my $xml = "<?xml version=\"1.0\"?>\n<request key=\"".$settings{"DRONEBL_RPC_KEY"}."\">\n"; |
| 538 my $entries = 0; | 542 my $entries = 0; |
| 539 while (my ($ip, $entry) = each(%dronebl)) { | 543 while (my ($ip, $entry) = each(%dronebl)) { |
| 575 } elsif ($str =~ /<response\s*type=.(success|error). *\/>/gm) { | 579 } elsif ($str =~ /<response\s*type=.(success|error). *\/>/gm) { |
| 576 $type = $1; $msg = ""; | 580 $type = $1; $msg = ""; |
| 577 } | 581 } |
| 578 | 582 |
| 579 if ($type eq "success") { | 583 if ($type eq "success") { |
| 580 mlog(1, "[DroneBL] Succesfully submitted $entries entries.\n$msg\n"); | |
| 581 $dronebl_errors = 0; | 584 $dronebl_errors = 0; |
| 585 mlog(1, "[DroneBL] Succesfully submitted $entries entries.\n"); | |
| 582 while (my ($ip, $entry) = each(%dronebl)) { | 586 while (my ($ip, $entry) = each(%dronebl)) { |
| 583 $entry->{"sent"} = 1; | 587 $entry->{"sent"} = 1; |
| 584 $statlist{$ip}{"dronebl"} = 2 if defined($statlist{$ip}); | 588 $statlist{$ip}{"dronebl"} = 2 if defined($statlist{$ip}); |
| 585 } | 589 } |
| 586 } elsif ($type eq "error") { | 590 } elsif ($type eq "error") { |
| 601 } else { | 605 } else { |
| 602 mlog(-1, "[DroneBL] HTTP request failed: [".$res->code."] ".$res->message."\n"); | 606 mlog(-1, "[DroneBL] HTTP request failed: [".$res->code."] ".$res->message."\n"); |
| 603 $dronebl_errors++; | 607 $dronebl_errors++; |
| 604 } | 608 } |
| 605 | 609 |
| 610 # Check error counts | |
| 606 if ($dronebl_errors >= $settings{"DRONEBL_MAX_ERRORS"}) { | 611 if ($dronebl_errors >= $settings{"DRONEBL_MAX_ERRORS"}) { |
| 607 mlog(-1, "Temporarily disabling DroneBL submissions due to too many errors for next ".$settings{"DRONEBL_SUSPEND"}. " rounds.\n"); | 612 # Only log suspension message if don't have recent previous errors |
| 613 mlog(-1, "Temporarily disabling DroneBL submissions due to too many errors for next ".$settings{"DRONEBL_SUSPEND"}. " rounds.\n") | |
| 614 if ($dronebl_errors == $settings{"DRONEBL_MAX_ERRORS"}); | |
| 608 $dronebl_suspend = $settings{"DRONEBL_SUSPEND"}; | 615 $dronebl_suspend = $settings{"DRONEBL_SUSPEND"}; |
| 609 } | 616 } |
| 610 | 617 |
| 611 # Clean up expired entries, warn/note about unsubmitted ones. | 618 # Clean up expired entries, warn/note about unsubmitted ones. |
| 612 while (my ($ip, $entry) = each(%dronebl)) { | 619 while (my ($ip, $entry) = each(%dronebl)) { |
| 623 | 630 |
| 624 return unless ($settings{"DRONEBL"} > 0); | 631 return unless ($settings{"DRONEBL"} > 0); |
| 625 return if check_hosts_array(\@noaction_ips, $mip); | 632 return if check_hosts_array(\@noaction_ips, $mip); |
| 626 | 633 |
| 627 if (!defined($dronebl{$mip})) { | 634 if (!defined($dronebl{$mip})) { |
| 628 mlog(3, "[DroneBL] Queueing $mip \@ $mdate ($mtype)\n"); | 635 mlog(2, "[DroneBL] Queueing $mip \@ $mdate (type $mtype)\n"); |
| 629 $dronebl{$mip}{"type"} = $mtype; | 636 $dronebl{$mip}{"type"} = $mtype; |
| 630 $dronebl{$mip}{"date"} = $mdate; | 637 $dronebl{$mip}{"date"} = $mdate; |
| 631 $dronebl{$mip}{"sent"} = 0; | 638 $dronebl{$mip}{"sent"} = 0; |
| 632 $dronebl{$mip}{"tries"} = 0; | 639 $dronebl{$mip}{"tries"} = 0; |
| 633 $statlist{$mip}{"dronebl"} = 1 if defined($statlist{$mip}); | 640 $statlist{$mip}{"dronebl"} = 1 if defined($statlist{$mip}); |
| 1243 mdie("Evidence directory '$base' is not writable by euid.\n") unless (-w $base); | 1250 mdie("Evidence directory '$base' is not writable by euid.\n") unless (-w $base); |
| 1244 } | 1251 } |
| 1245 | 1252 |
| 1246 # Sanitize DroneBL configuration | 1253 # Sanitize DroneBL configuration |
| 1247 if ($settings{"DRONEBL"} > 0) { | 1254 if ($settings{"DRONEBL"} > 0) { |
| 1248 mdie("DroneBL RPC key not set.\n") unless ($settings{"DRONEBL_RPC_KEY"} ne ""); | 1255 mdie("DroneBL enabled, but DRONEBL_RPC_KEY not set.\n") unless ($settings{"DRONEBL_RPC_KEY"} ne ""); |
| 1256 | |
| 1257 $val = $settings{"DRONEBL_MAX_AGE"}; | |
| 1258 mdie("Invalid DRONEBL_MAX_AGE value $val, must be > 10.\n") unless ($val > 10); | |
| 1259 | |
| 1260 $val = $settings{"DRONEBL_THRESHOLD"}; | |
| 1261 mdie("Invalid DRONEBL_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0); | |
| 1262 | |
| 1263 $val = $settings{"DRONEBL_MAX_ERRORS"}; | |
| 1264 mdie("Invalid DRONEBL_MAX_ERRORS value $val, must be >= 0.\n") unless ($val >= 0); | |
| 1265 | |
| 1266 $val = $settings{"DRONEBL_SUSPEND"}; | |
| 1267 mdie("Invalid DRONEBL_SUSPEND value $val, must be >= 1.\n") unless ($val >= 1); | |
| 1249 } | 1268 } |
| 1250 | 1269 |
| 1251 # Check system account / passwd settings | 1270 # Check system account / passwd settings |
| 1252 mdie("SYSACCT_MIN_UID must be >= 1.\n") unless ($settings{"SYSACCT_MIN_UID"} >= 1); | 1271 mdie("SYSACCT_MIN_UID must be >= 1.\n") unless ($settings{"SYSACCT_MIN_UID"} >= 1); |
| 1253 mdie("SYSACCT_MAX_UID must be >= SYSACCT_MIN_UID.\n") unless ($settings{"SYSACCT_MAX_UID"} >= $settings{"SYSACCT_MIN_UID"}); | 1272 mdie("SYSACCT_MAX_UID must be >= SYSACCT_MIN_UID.\n") unless ($settings{"SYSACCT_MAX_UID"} >= $settings{"SYSACCT_MIN_UID"}); |