533 lines
18 KiB
Perl
533 lines
18 KiB
Perl
package PandoraFMS::ReconServer;
|
|
##########################################################################
|
|
# Pandora FMS Recon Server.
|
|
# Pandora FMS. the Flexible Monitoring System. http://www.pandorafms.org
|
|
##########################################################################
|
|
# Copyright (c) 2005-2009 Artica Soluciones Tecnologicas S.L
|
|
#
|
|
# This program is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU Lesser General Public License
|
|
# as published by the Free Software Foundation; version 2
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
##########################################################################
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
use threads;
|
|
use threads::shared;
|
|
use Thread::Semaphore;
|
|
|
|
use IO::Socket::INET;
|
|
use POSIX qw(strftime ceil);
|
|
use JSON qw(decode_json encode_json);
|
|
use Encode qw(encode_utf8);
|
|
|
|
# Default lib dir for RPM and DEB packages
|
|
use lib '/usr/lib/perl5';
|
|
|
|
use PandoraFMS::Tools;
|
|
use PandoraFMS::DB;
|
|
use PandoraFMS::Core;
|
|
use PandoraFMS::ProducerConsumerServer;
|
|
use PandoraFMS::GIS qw(get_reverse_geoip_sql get_reverse_geoip_file get_random_close_point);
|
|
|
|
# Patched Nmap::Parser. See http://search.cpan.org/dist/Nmap-Parser/.
|
|
use PandoraFMS::NmapParser;
|
|
|
|
# Inherits from PandoraFMS::ProducerConsumerServer
|
|
our @ISA = qw(PandoraFMS::ProducerConsumerServer);
|
|
|
|
# Global variables
|
|
my @TaskQueue :shared;
|
|
my %PendingTasks :shared;
|
|
my $Sem :shared;
|
|
my $TaskSem :shared;
|
|
|
|
########################################################################################
|
|
# Recon Server class constructor.
|
|
########################################################################################
|
|
sub new ($$$$$$) {
|
|
my ($class, $config, $dbh) = @_;
|
|
|
|
return undef unless $config->{'reconserver'} == 1;
|
|
|
|
if (! -e $config->{'nmap'}) {
|
|
logger ($config, ' [E] ' . $config->{'nmap'} . " needed by Pandora FMS Recon Server not found.", 1);
|
|
print_message ($config, ' [E] ' . $config->{'nmap'} . " needed by Pandora FMS Recon Server not found.", 1);
|
|
return undef;
|
|
}
|
|
|
|
# Initialize semaphores and queues
|
|
@TaskQueue = ();
|
|
%PendingTasks = ();
|
|
$Sem = Thread::Semaphore->new;
|
|
$TaskSem = Thread::Semaphore->new (0);
|
|
|
|
# Call the constructor of the parent class
|
|
my $self = $class->SUPER::new($config, 3, \&PandoraFMS::ReconServer::data_producer, \&PandoraFMS::ReconServer::data_consumer, $dbh);
|
|
|
|
bless $self, $class;
|
|
return $self;
|
|
}
|
|
|
|
###############################################################################
|
|
# Run.
|
|
###############################################################################
|
|
sub run ($) {
|
|
my $self = shift;
|
|
my $pa_config = $self->getConfig ();
|
|
|
|
print_message ($pa_config, " [*] Starting Pandora FMS Recon Server.", 1);
|
|
$self->setNumThreads ($pa_config->{'recon_threads'});
|
|
$self->SUPER::run (\@TaskQueue, \%PendingTasks, $Sem, $TaskSem);
|
|
}
|
|
|
|
###############################################################################
|
|
# Data producer.
|
|
###############################################################################
|
|
sub data_producer ($) {
|
|
my $self = shift;
|
|
my ($pa_config, $dbh) = ($self->getConfig (), $self->getDBH ());
|
|
|
|
my @tasks;
|
|
|
|
my $server_id = get_server_id ($dbh, $pa_config->{'servername'}, $self->getServerType ());
|
|
return @tasks unless defined ($server_id);
|
|
|
|
# Manual tasks have interval_sweep = 0
|
|
# Manual tasks are "forced" like the other, setting the utimestamp to 1
|
|
# By default, after create a tasks it takes the utimestamp to 0
|
|
# Status -1 means "done".
|
|
|
|
my @rows = get_db_rows ($dbh, 'SELECT * FROM trecon_task
|
|
WHERE id_recon_server = ?
|
|
AND disabled = 0
|
|
AND utimestamp = 0 OR (status = -1 AND interval_sweep > 0 AND (utimestamp + interval_sweep) < UNIX_TIMESTAMP())', $server_id);
|
|
foreach my $row (@rows) {
|
|
|
|
# Update task status
|
|
update_recon_task ($dbh, $row->{'id_rt'}, 1);
|
|
|
|
push (@tasks, $row->{'id_rt'});
|
|
}
|
|
|
|
return @tasks;
|
|
}
|
|
|
|
###############################################################################
|
|
# Data consumer.
|
|
###############################################################################
|
|
sub data_consumer ($$) {
|
|
my ($self, $task_id) = @_;
|
|
my ($pa_config, $dbh) = ($self->getConfig (), $self->getDBH ());
|
|
|
|
# Get recon task data
|
|
my $task = get_db_single_row ($dbh, 'SELECT * FROM trecon_task WHERE id_rt = ?', $task_id);
|
|
return -1 unless defined ($task);
|
|
|
|
# Is it a recon script?
|
|
if (defined ($task->{'id_recon_script'}) && ($task->{'id_recon_script'} != 0)) {
|
|
exec_recon_script ($pa_config, $dbh, $task);
|
|
return;
|
|
} else {
|
|
logger($pa_config, 'Starting recon task for net ' . $task->{'subnet'} . '.', 10);
|
|
}
|
|
|
|
# Call nmap
|
|
my $timeout = $pa_config->{'networktimeout'}*1000;
|
|
my $nmap_args = '-nsP -PE --max-retries '.$pa_config->{'icmp_checks'}.' --host-timeout '.$timeout.' -T'.$pa_config->{'nmap_timing_template'};
|
|
my $np = new PandoraFMS::NmapParser;
|
|
eval {
|
|
$np->parsescan($pa_config->{'nmap'}, $nmap_args, ($task->{'subnet'}));
|
|
};
|
|
if ($@) {
|
|
update_recon_task ($dbh, $task_id, -1);
|
|
return;
|
|
}
|
|
|
|
# Parse scanned hosts
|
|
my $module_hash;
|
|
my @up_hosts = $np->all_hosts ('up');
|
|
my $total_up = scalar (@up_hosts);
|
|
my $progress = 0;
|
|
my $added_hosts = '';
|
|
foreach my $host (@up_hosts) {
|
|
$progress++;
|
|
|
|
# Get agent address
|
|
my $addr = $host->addr();
|
|
next unless ($addr ne '0');
|
|
|
|
# Update the recon task or break if it does not exist anymore
|
|
last if (update_recon_task ($dbh, $task_id, ceil ($progress / ($total_up / 100))) eq '0E0');
|
|
|
|
# Resolve hostnames
|
|
my $host_name = undef;
|
|
if ($task->{'resolve_names'} == 1){
|
|
$host_name = gethostbyaddr (inet_aton($addr), AF_INET);
|
|
}
|
|
$host_name = $addr unless defined ($host_name);
|
|
|
|
# Does the host already exist?
|
|
my $agent = get_agent_from_addr ($dbh, $addr);
|
|
if (! defined ($agent)) {
|
|
$agent = get_agent_from_name ($dbh, $host_name);
|
|
}
|
|
|
|
my $agent_id = defined ($agent) ? $agent->{'id_agente'} : 0;
|
|
if ($agent_id > 0) {
|
|
|
|
# Skip if not in learning mode
|
|
next if ($agent->{'modo'} != 1);
|
|
}
|
|
|
|
# Get the parent host
|
|
my $parent_id = 0;
|
|
if ($task->{'parent_detection'} == 1) {
|
|
$parent_id = get_host_parent ($pa_config, $addr, $dbh, $task->{'id_group'}, $task->{'parent_recursion'}, $task->{'resolve_names'}, $task->{'os_detect'});
|
|
}
|
|
|
|
# If the agent already exists update parent and continue
|
|
if ($agent_id > 0) {
|
|
if ($parent_id > 0) {
|
|
db_do ($dbh, 'UPDATE tagente SET id_parent = ? WHERE id_agente = ?', $parent_id, $agent_id );
|
|
}
|
|
next;
|
|
}
|
|
|
|
# Filter by TCP port
|
|
if ((defined ($task->{'recon_ports'})) && ($task->{'recon_ports'} ne "")) {
|
|
next unless (tcp_scan ($pa_config, $addr, $task->{'recon_ports'}) > 0);
|
|
}
|
|
|
|
# Filter by OS
|
|
my $id_os = 11; # Network by default
|
|
if ($task->{'os_detect'} == 1){
|
|
$id_os = guess_os ($pa_config, $dbh, $addr);
|
|
next if ($task->{'id_os'} > 0 && $task->{'id_os'} != $id_os);
|
|
}
|
|
|
|
# GIS Code -----------------------------
|
|
|
|
# If GIS is activated try to geolocate the ip address of the agent
|
|
# and store also it's position.
|
|
|
|
if($pa_config->{'activate_gis'} == 1 && $pa_config->{'recon_reverse_geolocation_mode'} !~ m/^disabled$/i) {
|
|
|
|
# Try to get aproximated positional information for the Agent.
|
|
my $region_info = undef;
|
|
if ($pa_config->{'recon_reverse_geolocation_mode'} =~ m/^sql$/i) {
|
|
logger($pa_config, "Trying to get gis data of $addr from the SQL database", 8);
|
|
$region_info = get_reverse_geoip_sql($pa_config, $addr, $dbh);
|
|
}
|
|
elsif ($pa_config->{'recon_reverse_geolocation_mode'} =~ m/^file$/i) {
|
|
logger($pa_config, "Trying to get gis data of $addr from the file database", 8);
|
|
$region_info = get_reverse_geoip_file($pa_config, $addr);
|
|
}
|
|
else {
|
|
logger($pa_config, "ERROR:Trying to get gis data of $addr. Unknown source", 5);
|
|
}
|
|
if (defined($region_info)) {
|
|
my $location_description = '';
|
|
if (defined($region_info->{'region'})) {
|
|
$location_description .= "$region_info->{'region'}, ";
|
|
}
|
|
if (defined($region_info->{'city'})) {
|
|
$location_description .= "$region_info->{'city'}, ";
|
|
}
|
|
if (defined($region_info->{'country_name'})) {
|
|
$location_description .= "($region_info->{'country_name'})";
|
|
}
|
|
# We store a random offset in the coordinates to avoid all the agents apear on the same place.
|
|
my ($longitude, $latitude) = get_random_close_point ($pa_config, $region_info->{'longitude'}, $region_info->{'latitude'});
|
|
|
|
logger($pa_config, "Placing agent on random position (Lon,Lat) = ($longitude, $latitude)", 8);
|
|
# Crate a new agent adding the positional info (as is unknown we set 0 time_offset, and 0 altitude)
|
|
$agent_id = pandora_create_agent ($pa_config, $pa_config->{'servername'},
|
|
$host_name, $addr, $task->{'id_group'},
|
|
$parent_id, $id_os, '', 300, $dbh, 0,
|
|
$longitude, $latitude, 0, $location_description);
|
|
}
|
|
else {
|
|
logger($pa_config,"Id location of '$addr' for host '$host_name' NOT found", 3);
|
|
# Create a new agent
|
|
$agent_id = pandora_create_agent ($pa_config, $pa_config->{'servername'},
|
|
$host_name, $addr, $task->{'id_group'},
|
|
$parent_id, $id_os, '', 300, $dbh);
|
|
}
|
|
}
|
|
# End of GIS code -----------------------------
|
|
else {
|
|
# Create a new agent
|
|
$agent_id = pandora_create_agent ($pa_config, $pa_config->{'servername'},
|
|
$host_name, $addr, $task->{'id_group'},
|
|
$parent_id, $id_os, '', 300, $dbh);
|
|
}
|
|
|
|
# Check agent creation
|
|
if ($agent_id <= 0) {
|
|
logger($pa_config, "Error creating agent '$host_name'.", 3);
|
|
next;
|
|
}
|
|
|
|
# Add the new address if it does not exist
|
|
my $addr_id = get_addr_id ($dbh, $addr);
|
|
$addr_id = add_address ($dbh, $addr) unless ($addr_id > 0);
|
|
if ($addr_id <= 0) {
|
|
logger($pa_config, "Could not add address '$addr' for host '$host_name'.", 3);
|
|
next;
|
|
}
|
|
|
|
# Assign the new address to the agent
|
|
my $agent_addr_id = get_agent_addr_id ($dbh, $addr_id, $agent_id);
|
|
if ($agent_addr_id <= 0) {
|
|
db_do ($dbh, 'INSERT INTO taddress_agent (' . $RDBMS_QUOTE . 'id_a' . $RDBMS_QUOTE . ', ' .
|
|
$RDBMS_QUOTE . 'id_agent' . $RDBMS_QUOTE . ')
|
|
VALUES (?, ?)', $addr_id, $agent_id);
|
|
}
|
|
|
|
# Create network profile modules for the agent
|
|
create_network_profile_modules ($pa_config, $dbh, $agent_id, $task->{'id_network_profile'}, $addr, $task->{'snmp_community'});
|
|
|
|
# Generate an event
|
|
pandora_event ($pa_config, "[RECON] New host [$host_name] detected on network [" . $task->{'subnet'} . ']',
|
|
$task->{'id_group'}, $agent_id, 2, 0, 0, 'recon_host_detected', 0, $dbh);
|
|
|
|
$added_hosts .= "$addr ";
|
|
}
|
|
|
|
# Create an incident with totals
|
|
if ($added_hosts ne '' && $task->{'create_incident'} == 1) {
|
|
my $text = "At " . strftime ("%Y-%m-%d %H:%M:%S", localtime()) . " ($added_hosts) new hosts were detected by Pandora FMS Recon Server running on [" . $pa_config->{'servername'} . "_Recon]. This incident has been automatically created following instructions for this recon task [" . $task->{'id_group'} . "].\n\n";
|
|
if ($task->{'id_network_profile'} > 0) {
|
|
$text .= "Aditionally, and following instruction for this task, agent(s) has been created, with modules assigned to network component profile [" . get_nc_profile_name ($dbh, $task->{'id_network_profile'}) . "]. Please check this agent as soon as possible to verify it.";
|
|
}
|
|
$text .= "\n\nThis is the list of IP addresses found: \n\n$added_hosts";
|
|
pandora_create_incident ($pa_config, $dbh, "[RECON] New hosts detected", $text, 0, 0, 'Pandora FMS Recon Server', $task->{'id_group'});
|
|
}
|
|
|
|
logger($pa_config, "Finished recon task for net " . $task->{'subnet'} . ".", 10);
|
|
|
|
# Mark recon task as done
|
|
update_recon_task ($dbh, $task_id, -1);
|
|
}
|
|
|
|
|
|
##########################################################################
|
|
# Returns the ID of the parent of the given host if available.
|
|
##########################################################################
|
|
sub get_host_parent {
|
|
my ($pa_config, $host, $dbh, $group, $max_depth, $resolve, $os_detect) = @_;
|
|
|
|
# Call nmap
|
|
my $timeout = $pa_config->{'networktimeout'}*1000;
|
|
my $nmap_args = '-nsP -PE --traceroute --max-retries '.$pa_config->{'icmp_checks'}.' --host-timeout '.$timeout.' -T'.$pa_config->{'nmap_timing_template'};
|
|
my $np = new PandoraFMS::NmapParser;
|
|
eval {
|
|
$np->parsescan($pa_config->{'nmap'}, $nmap_args, ($host));
|
|
};
|
|
if ($@) {
|
|
return 0;
|
|
}
|
|
|
|
# Get hops
|
|
my ($h) = $np->all_hosts ();
|
|
return 0 unless defined ($h);
|
|
my @all_hops = $h->all_trace_hops ();
|
|
my @hops;
|
|
|
|
# Skip target host
|
|
pop (@all_hops);
|
|
|
|
# Save the last max_depth hosts in reverse order
|
|
for (my $i = 0; $i < $max_depth; $i++) {
|
|
my $hop = pop (@all_hops);
|
|
last unless defined ($hop);
|
|
push (@hops, $hop);
|
|
}
|
|
|
|
# Parse hops from first to last
|
|
my $parent_id = 0;
|
|
for (my $i = 0; $i < $max_depth; $i++) {
|
|
my $hop = pop (@hops);
|
|
last unless defined ($hop);
|
|
|
|
# Get host information
|
|
my $host_addr = $hop->ipaddr ();
|
|
|
|
# Check if the host exists
|
|
my $agent = get_agent_from_addr ($dbh, $host_addr);
|
|
if (defined ($agent)) {
|
|
# Move to the next host
|
|
$parent_id = $agent->{'id_agente'};
|
|
next;
|
|
}
|
|
|
|
|
|
# Add the new address if it does not exist
|
|
my $addr_id = get_addr_id ($dbh, $host_addr);
|
|
$addr_id = add_address ($dbh, $host_addr) unless ($addr_id > 0);
|
|
|
|
# Should not happen
|
|
if ($addr_id <= 0) {
|
|
logger($pa_config, "Could not add address '$host_addr'", 1);
|
|
return 0;
|
|
}
|
|
|
|
# Get the host's name
|
|
my $host_name = undef;
|
|
if ($resolve == 1){
|
|
$host_name = gethostbyaddr(inet_aton($host_addr), AF_INET);
|
|
}
|
|
$host_name = $host_addr unless defined ($host_name);
|
|
|
|
# Detect host's OS
|
|
my $id_os = 11;
|
|
if ($os_detect == 1) {
|
|
$id_os = guess_os ($pa_config, $dbh, $host_addr);
|
|
}
|
|
|
|
# Create the host
|
|
my $agent_id = pandora_create_agent ($pa_config, $pa_config->{'servername'}, $host_name, $host_addr, $group, $parent_id, $id_os, '', 300, $dbh);
|
|
$agent_id = 0 unless defined ($parent_id);
|
|
db_do ($dbh, 'INSERT INTO taddress_agent (' . $RDBMS_QUOTE . 'id_a' . $RDBMS_QUOTE . ',' .
|
|
$RDBMS_QUOTE . 'id_agent' . $RDBMS_QUOTE . ')
|
|
VALUES (?, ?)', $addr_id, $agent_id);
|
|
|
|
# Move to the next host
|
|
$parent_id = $agent_id;
|
|
}
|
|
return $parent_id;
|
|
}
|
|
|
|
##############################################################################
|
|
# TCP scan the given host/port. Returns 1 if successful, 0 otherwise.
|
|
##############################################################################
|
|
sub tcp_scan ($$$) {
|
|
my ($pa_config, $host, $portlist) = @_;
|
|
|
|
my $nmap = $pa_config->{'nmap'};
|
|
my $output = `"$nmap" -p$portlist $host | grep open | wc -l`;
|
|
return 0 if ($? != 0);
|
|
return $output;
|
|
}
|
|
|
|
##########################################################################
|
|
# Guess OS using xprobe2.
|
|
##########################################################################
|
|
sub guess_os {
|
|
my ($pa_config, $dbh, $host) = @_;
|
|
|
|
# Use xprobe2 if available
|
|
my $xprobe = $pa_config->{'xprobe2'};
|
|
if (-e $xprobe){
|
|
my $output = `$xprobe $host 2>$DEVNULL | grep 'Running OS' | head -1`;
|
|
return 10 if ($? != 0);
|
|
return pandora_get_os ($dbh, $output);
|
|
}
|
|
|
|
# Use nmap by default
|
|
my $nmap = $pa_config->{'nmap'};
|
|
my $output = `"$nmap" -F -O $host 2>$DEVNULL | grep 'Aggressive OS guesses'`;
|
|
return 10 if ($? != 0);
|
|
return pandora_get_os ($dbh, $output);
|
|
}
|
|
|
|
##########################################################################
|
|
# Update recon task status.
|
|
##########################################################################
|
|
sub update_recon_task ($$$) {
|
|
my ($dbh, $id_task, $status) = @_;
|
|
|
|
db_do ($dbh, 'UPDATE trecon_task SET utimestamp = ?, status = ? WHERE id_rt = ?', time (), $status, $id_task);
|
|
}
|
|
|
|
##########################################################################
|
|
# Create network profile modules for the given agent.
|
|
##########################################################################
|
|
sub create_network_profile_modules {
|
|
my ($pa_config, $dbh, $agent_id, $np_id, $addr, $snmp_community) = @_;
|
|
|
|
return unless ($np_id > 0);
|
|
|
|
# Get network components associated to the network profile
|
|
my @np_components = get_db_rows ($dbh, 'SELECT * FROM tnetwork_profile_component WHERE id_np = ?', $np_id);
|
|
|
|
foreach my $np_component (@np_components) {
|
|
# Get network component data
|
|
my $component = get_db_single_row ($dbh, 'SELECT * FROM tnetwork_component WHERE id_nc = ?', $np_component->{'id_nc'});
|
|
|
|
if (! defined ($component)) {
|
|
logger($pa_config, "Network component ID " . $np_component->{'id_nc'} . " for agent $addr not found.", 3);
|
|
next;
|
|
}
|
|
|
|
# Use snmp_community from network task instead the component snmp_community
|
|
$component->{'snmp_community'} = safe_output ($snmp_community);
|
|
|
|
pandora_create_module_from_network_component($pa_config, $component, $agent_id, $dbh);
|
|
}
|
|
}
|
|
|
|
##########################################################################
|
|
# Executes recon scripts
|
|
##########################################################################
|
|
sub exec_recon_script ($$$) {
|
|
my ($pa_config, $dbh, $task) = @_;
|
|
|
|
# Get recon plugin data
|
|
my $script = get_db_single_row ($dbh, 'SELECT * FROM trecon_script WHERE id_recon_script = ?', $task->{'id_recon_script'});
|
|
return -1 unless defined ($script);
|
|
|
|
logger($pa_config, 'Executing recon script ' . safe_output($script->{'name'}), 10);
|
|
|
|
my $command = safe_output($script->{'script'});
|
|
|
|
my $macros = safe_output($task->{'macros'});
|
|
|
|
# \r and \n should be escaped for decode_json().
|
|
$macros =~ s/\n/\\n/g;
|
|
$macros =~ s/\r/\\r/g;
|
|
my $decoded_macros = decode_json (encode_utf8($macros));
|
|
|
|
my $macros_parameters = '';
|
|
|
|
# Add module macros as parameter
|
|
if(ref($decoded_macros) eq "HASH") {
|
|
# Convert the hash to a sorted array
|
|
my @sorted_macros;
|
|
while (my ($i, $m) = each (%{$decoded_macros})) {
|
|
$sorted_macros[$i] = $m;
|
|
}
|
|
|
|
# Remove the 0 position
|
|
shift @sorted_macros;
|
|
|
|
foreach my $m (@sorted_macros) {
|
|
$macros_parameters = $macros_parameters . ' "' . $m->{"value"} . '"';
|
|
}
|
|
}
|
|
|
|
if (-x $command) {
|
|
`$command $task->{'id_rt'} $task->{'id_group'} $task->{'create_incident'} $macros_parameters`;
|
|
} else {
|
|
logger ($pa_config, "Cannot execute recon task command $command.");
|
|
}
|
|
|
|
# Notify this recon task is ended
|
|
update_recon_task ($dbh, $task->{'id_rt'}, -1);
|
|
|
|
logger($pa_config, 'Done executing recon script ' . safe_output($script->{'name'}), 10);
|
|
return 0;
|
|
}
|
|
|
|
1;
|
|
__END__
|