[Netpass-devel] NetPass/lib/NetPass API.pm,1.20,1.21
From: Matt <mt...@us...> - 2005-07-13 15:35:39
Update of /cvsroot/netpass/NetPass/lib/NetPass In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv8479 Modified Files: API.pm Log Message: Index: API.pm =================================================================== RCS file: /cvsroot/netpass/NetPass/lib/NetPass/API.pm,v retrieving revision 1.20 retrieving revision 1.21 diff -u -d -r1.20 -r1.21 --- API.pm 3 Jun 2005 19:06:59 -0000 1.20 +++ API.pm 13 Jul 2005 15:35:25 -0000 1.21 
@@ -41,14 +41,71 @@ return ($their_secret eq $my_secret) ? 1 : 0; }; -=head2 $aref = getSnortRules(-secret => $secret, -type => $type = <enabled | disabled | all> - -ignorequarrule => 0|1) +=head2 $rule = getSnortPCAPFilter(-secret => $secret, -sensor => $hostname -ignorequar => [1|0]) + +Get the necessary pcap rules for the particular sensor. Argument +-ignorequar will append the necessary vlan rules to exclude quarantine +vlans if true. Returns a string of the rule on success, C<undef> on failure. + +=cut + +sub getSnortPCAPFilter { + my $self = shift; + my $np = $::np; + my $nws = (); + my @pcap; + + my $parms = parse_parms({ + -parms => \@_, + -legal => [ qw(-secret -sensor -ignorequar) ], + -defaults => { -secret => '', + -sensor => '', + -ignorequar => 0, + } + }); + + return "invalid params\n".Carp::longmess(Class::ParmList->error) if (!defined($parms)); + my ($secret, $sensor, $ignorequar) = $parms->get('-secret', '-sensor', '-ignorequar'); + + return undef unless ($self->$check_soap_auth($secret)); + + if ($sensor !~ /^\w*\.*\w*\.*\w+\.\w+:\d+$/) { + _log("ERROR", "Incorrect sensor format $sensor"); + return undef; + } + + $nws = $np->cfg->getNetworks(); + if (!defined($nws) || ref($nws) ne 'ARRAY') { + _log("ERROR", "Unable to retrieve list of networks"); + return undef; + } + + foreach my $net (@$nws) { + next unless $np->cfg->snortEnabled($net) =~ /^(enabled|not_really)$/; + my $nets = $np->cfg->getSnortSensors($net); + next unless defined $nets && ref($nets) eq 'HASH'; + + if (exists $nets->{$sensor}) { + my $r = "("; + if ($ignorequar) { + my $qvlan = $np->cfg->quarantineVlan($net); + $r .= "not vlan $qvlan and" if $qvlan =~ /^\d+$/; + } + + $r .= " src net $net)"; + push @pcap, $r; + } + } + + return join(' or ', @pcap); +} + +=head2 $aref = getSnortRules(-secret => $secret, -type => $type = <enabled | disabled | all>) + Retrieve snort rules registered in the NetPass database. 
Arguments include a secret, type either return all enabled rules, all disabled rules, or all -rules. Argument ignorequarrule will prepend vlan filtering rules to filter -quarantine traffic from being monitored by snort. Returns an C<array reference> -on success, C<undef> on failure. +rules. Returns an C<array reference> on success, C<undef> on failure. =cut @@ -62,30 +119,17 @@ -legal => [ qw(-secret -type -ignorequarrule) ], -defaults => { -secret => '', -type => '', - -ignorequarrule => 0, } }); return "invalid params\n".Carp::longmess(Class::ParmList->error) if (!defined($parms)); - my ($secret, $type, $ignorequarrule) = $parms->get('-secret', '-type', '-ignorequarrule'); + my ($secret, $type) = $parms->get('-secret', '-type'); return undef unless ($self->$check_soap_auth($secret)); return undef unless ($type =~ /^(enabled|disabled|all)$/); - my $network = $np->cfg->getNetworks(); - return undef unless (defined ($network)); - _log("DEBUG", "retrieving snort rules"); - if ($ignorequarrule) { - foreach my $nw (@$network) { - my $qvlan = $np->cfg->quarantineVlan($nw); - next unless defined $qvlan; - push @aref, sprintf("pass tcp any any -> any any (vlan:%d;)\n", $qvlan); - - } - } - my $rules = $np->db->getSnortRules($type); _log("ERROR", "Unable to retrieve rules from database") unless defined($rules); 
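Review bot: getSnortPCAPFilter ends with `return join(' or ', @pcap);` even when @pcap is empty, so a sensor that is configured on no snort-enabled network gets an empty BPF expression back, and an empty expression accepts every packet — the opposite of the -ignorequar exclusion the caller asked for — while the POD promises undef on failure; make the last line `return @pcap ? join(' or ', @pcap) : undef;`. The `return "invalid params\n".Carp::longmess(Class::ParmList->error)` line runs before `$check_soap_auth` and hands a full stack trace back to an unauthenticated SOAP caller as the method's result, which also contradicts the documented return type; prefer `_log("ERROR", "invalid params: " . Carp::longmess(Class::ParmList->error)); return undef;` (the same pattern is visible as context in getSnortRules and quarantineByIP, so it is worth fixing there too). `my $nws = ();` assigns an empty list to a scalar, i.e. undef, yet reads as if it were an empty arrayref; `my $nws;` says the same thing honestly. The sensor regex `/^\w*\.*\w*\.*\w+\.\w+:\d+$/` lets a trailing newline through because of `$`; `\A` and `\z` pin the whole value.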
@@ -114,16 +158,20 @@ return $np->cfg->snortEnabled($nw); } -=head2 my $networks = snortEnabledNetworks($secret) +=head2 my $networks = snortEnabledNetworks($secret, $sensor) -Get all the networks snort is enabled on. Returns an ARRAY ref of -all the snort enabled networks on success, C<undef> on failure. +Get all the networks snort is enabled on. If $sensor is defined +as hostname:port of a configured snort sensor all the networks +that particular sensor is enabled on is returned as an ARRAY +ref. Returns an ARRAY ref of all the snort enabled networks on +success, C<undef> on failure. =cut sub snortEnabledNetworks { my $self = shift; my $secret = shift; + my $sensor = shift; my $np = $::np; my $nws = (); 
@@ -137,24 +185,34 @@ return undef; } + if ($sensor !~ /^\w*\.*\w*\.*\w+\.\w+:\d+$/) { + _log("ERROR", "Incorrect sensor format $sensor"); + return undef; + } + foreach my $net (@$nws) { - push(@snortnws, $net) if ($np->cfg->snortEnabled($net) =~ /^(enabled|not_really)$/); + next unless $np->cfg->snortEnabled($net) =~ /^(enabled|not_really)$/; + my $nets = $np->cfg->getSnortSensors($net); + next unless defined $nets && ref($nets) eq 'HASH'; + next unless exists $nets->{$sensor}; + push @snortnws, $net; } return \@snortnws; } -=head2 my $results = quarantineByIP(-secret => $secret, -ip => $ip, -id => $id, -type => $type) +=head2 my $results = quarantineByIP(-secret => $secret, -ip => $ip, -id => $id, -type => $type, -time => $time) Arguments to this function include a secret key, ip address to be -quarantined, an id associated to either a Nessus or Snort ID, and -a type corresponding to what exactly quarantined this ip. The type -and id flags can also be ARRAY references for multiple id's with -their corresponding types, however there must be an equal number -of elements in each of the ARRAY or an error will occur. This -function returns either C<quarantined> if the ip as been quarantined, -C<nothing> if nothing has been done or C<undef> on failure. +quarantined, an id associated to either a Nessus or Snort ID, +a type corresponding to what exactly quarantined this ip, and a timestamp +when the incident occured. The type, id, and time variables can also be +ARRAY references for multiple id's with their corresponding types and +timestamps, however there must be an equal number of elements in each +of the arrays or an error will occur. This function returns either +C<quarantined> if the ip as been quarantined, C<nothing> if nothing +has been done or C<undef> on failure. =cut 
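Review bot: The new `if ($sensor !~ /.../)` check in snortEnabledNetworks rejects an undefined $sensor (with an uninitialized-value warning) and returns undef, so the one-argument call that the preceding hunk's POD still describes — sensor given means filter, otherwise all snort-enabled networks — can no longer succeed, and every existing caller of `snortEnabledNetworks($secret)` now gets a failure instead of the list. Gate both the format check and the per-sensor lookup on `defined $sensor` so the old behaviour is kept and the filtered behaviour applies only when a sensor is supplied. The sub's header and its `my $nws` setup lie in the previous hunk, outside this one.
```perl
    # An undefined $sensor means "all snort-enabled networks", as the POD promises.
    if (defined $sensor && $sensor !~ /^\w*\.*\w*\.*\w+\.\w+:\d+$/) {
        _log("ERROR", "Incorrect sensor format $sensor");
        return undef;
    }

    foreach my $net (@$nws) {
        next unless $np->cfg->snortEnabled($net) =~ /^(enabled|not_really)$/;
        if (defined $sensor) {
            my $nets = $np->cfg->getSnortSensors($net);
            next unless defined $nets && ref($nets) eq 'HASH';
            next unless exists $nets->{$sensor};
        }
        push @snortnws, $net;
    }
    # … unchanged: return \@snortnws and the quarantineByIP POD …
```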
@@ -165,7 +223,7 @@ my @msgs; my $parms = parse_parms({ -parms => \@_, - -legal => [ qw(-secret -type -id -ip) ], + -legal => [ qw(-secret -type -id -ip -time) ], -defaults => { -secret => '', -type => '', -id => '', @@ -174,21 +232,21 @@ }); return "invalid params\n".Carp::longmess(Class::ParmList->error) if (!defined($parms)); - my ($secret, $type, $id, $ip) = $parms->get('-secret', '-type', '-id', '-ip'); + my ($secret, $type, $id, $ip, $time) = $parms->get('-secret', '-type', '-id', '-ip', '-time'); return undef unless ($self->$check_soap_auth($secret)); - if (ref($type) eq 'ARRAY' && ref($id) eq 'ARRAY') { + if (ref($type) eq 'ARRAY' && ref($id) eq 'ARRAY' && ref($time) eq 'ARRAY') { $arrays = 1; } - if (!$arrays && (ref($type) eq 'ARRAY' || ref($id) eq 'ARRAY')) { + if (!$arrays && (ref($type) eq 'ARRAY' || ref($id) eq 'ARRAY' || ref($time) eq 'ARRAY')) { _log("ERROR", "Invalid Paramaters passed"); return undef; } - if ($arrays && $#$type != $#$id) { - _log("ERROR", "LIST Paramaters type and id do not have the same number of elements"); + if ($arrays && ($#$type != $#$id || $#$type != $#$time)) { + _log("ERROR", "LIST Paramaters type, id, and time do not have the same number of elements"); return undef; } 
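Review bot: `-time` is added to -legal in the first hunk but not to the -defaults block beneath it, so a caller that omits it gets an undefined $time; the rewritten check in the second hunk then requires `ref($time) eq 'ARRAY'` before `$arrays` is set, and an existing caller that passes -type and -id as arrays without -time now lands in the "Invalid Paramaters passed" branch and is refused rather than quarantined. Add `-time => '',` to -defaults, and before the array checks broadcast a scalar time across the list form with `$time = [ ($time) x @$type ] if ref($type) eq 'ARRAY' && !ref($time);`, so the previous calling convention keeps working while the element-count check still applies. The rest of the -defaults block and the `$arrays` declaration sit between the two hunks, outside what is shown.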
@@ -218,11 +276,29 @@ if ($arrays) { for (my $i = 0; $i <= $#$type; $i++) { - push @msgs, sprintf("%s quarantine of %s %s for violation of %d plugin.", - $type->[$i], $ip, $mac, $id->[$i]); + my $t = "Unknown"; + $t = localtime($time->[$i]) if $time->[$i] =~ /^\d+$/; + + if ($mode eq "not_really") { + push @msgs, sprintf("%s report-only for violation of %d plugin at %s.", + $type->[$i], $id->[$i], $t); + } else { + push @msgs, sprintf("%s quarantine for violation of %d plugin at %s.", + $type->[$i], $id->[$i], $t); + + } } } else { - push @msgs, "$type quarantine of $ip $mac for violation of $id plugin."; + my $t = "Unknown"; + $t = localtime($time) if $time =~ /^\d+$/; + + if ($mode eq "not_really") { + push @msgs, sprintf("%s report-only for violation of %d plugin at %s", + $type, $id, $t); + } else { + push @msgs, sprintf("%s quarantine for violation of %d plugin at %s.", + $type, $id, $t); + } } $np->db->audit ( |
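Review bot: Both `$t = localtime(...) if ... =~ /^\d+$/;` lines test a value that is undefined whenever the caller did not supply -time (it has no default), which raises an uninitialized warning on every such call, and `$` also accepts a newline-terminated number; write `$t = localtime($time) if defined $time && $time =~ /\A\d+\z/;` and the same with `$time->[$i]`. The scalar-form report-only message is the only one of the four without a trailing period: `"%s report-only for violation of %d plugin at %s."`. The rewritten messages also drop the `$ip $mac` text that the removed lines carried; if the `$np->db->audit (` call that begins at the end of the hunk does not record the address separately, the audit trail no longer says which host the event concerned — worth confirming against that call's arguments, which lie outside the hunk. The C-style `for (my $i = 0; $i <= $#$type; $i++)` is context, but `for my $i (0 .. $#$type)` is the idiomatic form if the loop is touched again.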