Created
January 9, 2015 11:40
-
-
Save anonymous/50baf5343c6bd517a228 to your computer and use it in GitHub Desktop.
basic ossec broker client
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
### example is taken and modified from python doc website from socketserver | |
# server.py | |
# to run the example: $ python server.py | |
#!/usr/bin/python | |
import threading | |
import socket | |
import SocketServer | |
import multiprocessing | |
# This class handles UDP requests that come in on the server. Here we do the main work | |
# of the program, that is, we check if the OSSEC server is alive and processing logs | |
# Each thread sends a TCP request to the OSSEC BROKER SERVER, and if it gets a reply, | |
# forwards the original UDP packet from the OSSEC agent to the OSSEC server | |
# | |
# If it fails, i.e. gets no answer, then it places the data into a queue for later replay | |
# | |
# If it succeeds, i.e. it gets an answer from the OSSEC BROKER SERVER, it sends the packet onwards, | |
# and then waits for 5 seconds for a potential reply from the server. If it gets a reply, this is | |
# forwarded back to the agent. Otherwise the thread is killed off to prevent leakage | |
class ThreadedUDPRequestHandler( | |
SocketServer.BaseRequestHandler): | |
def handle(self): | |
# queue is defined as global so that it is accessbile across all threads | |
global queue | |
# get sent data, and remove extra spaces | |
data = self.request[0].strip() | |
# get port number | |
port = self.client_address[1] | |
# get the communicate socket | |
client_socket = self.request[1] | |
### get client host ip address | |
client_address = (self.client_address[0]) | |
### proof of multithread - more for debug than anything else | |
cur_thread = threading.current_thread() | |
print "thread %s" %cur_thread.name | |
print "received call from client address :%s" %client_address | |
print "received data from port [%s]: %s" %(port,data) | |
# try to connect to OSSEC BROKER SERVER | |
try: | |
broker_server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
broker_server.settimeout(5) | |
## note the hardcoded IP address, this should be changed | |
broker_server.connect(("192.168.10.177", 1514)) | |
print "sending PING to broker ???" | |
# send a ping to the broker server | |
broker_server.send("ping") | |
# get the response | |
broker_response = broker_server.recv(1024) | |
broker_server.close() | |
# if the broker server connection fails, put the original OSSEC agent packet into | |
# an in-memory queue, and exit | |
except: | |
print "did not get PONG from server ---- " | |
queue.put(data) | |
return | |
# assuming we got a response, we check if all is ok | |
# if all is ok, the server will respond with "pong" | |
if broker_response == "pong": | |
# if the server responded, we first check if there are packets in the queue waiting to be sent | |
# if there are, we send them out to the OSSEC server over UDP | |
while not queue.empty(): | |
# we have messages to replay | |
replay_data = queue.get() | |
print "replaying data on to server ------------>" | |
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) | |
s.sendto(replay_data, ('192.168.10.177',1514)) | |
print "got PONG from broker ***" | |
# once the queue has been emptied, we continue on to send | |
# the original packet to the OSSEC server | |
try: | |
print "sending data on to server ------------>" | |
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) | |
# OSSEC agent doesnt always expect an answer back from the server, so we set a very short timeout | |
# this may need to be tuned if used over a noisy or high latnecy network link | |
s.settimeout(5) | |
s.sendto(data, ('192.168.10.177',1514)) | |
### assemble a response message to client | |
data, addr = s.recvfrom(32768) | |
print "sending data on to client <------------" | |
client_socket.sendto(data, self.client_address) | |
# if socket timeout, it means that the agent sent a packet which did not require a response, move along | |
except socket.timeout: | |
print "timeout....moving on" | |
# if the server doesn't send "PONG", it means the server is rechable but ossec remoted is down, so again place the | |
# packet into a queue | |
else: | |
print "did not get PONG from server ---- " | |
# place into queue for later replay | |
queue.put(data) | |
class ThreadedUDPServer( | |
SocketServer.ThreadingMixIn, | |
SocketServer.UDPServer): | |
pass | |
if __name__ == "__main__": | |
# first setup the info for the connections to be made: host and port | |
# these should always be localhost and 1514 respectively | |
HOST, PORT = "localhost", 1514 | |
global queue | |
queue = multiprocessing.Queue() | |
# second, startup the Threaded UDP Server on above defined host and port | |
# and define that ThreadedUDPRequestHandler will handle requests | |
server = ThreadedUDPServer((HOST, PORT), | |
ThreadedUDPRequestHandler) | |
# serve forever - as in keep on serving requests, do not kill off after one | |
server.serve_forever() | |
# Start a thread with the server -- | |
# that thread will then start one | |
# more thread for each request | |
server_thread = threading.Thread(target=server.serve_forever) | |
# Exit the server thread when the main thread terminates | |
server_thread.daemon = True | |
server_thread.start() | |
server.shutdown() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment