Commit ad813eaa authored by Ecklory's avatar Ecklory

First release

parent 3ed457c5
# Описание
Файл *Template App Suricata.xml* добавляет темплейт *Template App Suricata*, предназначенный для мониторинга IPS/IDS Suricata. *Template App Suricata* состоит в группах: Templates, Templates App и Templates Custom.
С использованием данного темплейта осуществляется мониторинг:
- производительности;
- количества обнаруженных угроз;
- zabbix-sender
# Установка
## Настройка
Необходимо изменить формат логирования состояния suricata. Для этого откройте файл /etc/suricata/suricata.yaml и исправьте следующую секцию:
```
stats:
enabled: yes
interval: 30
<...>
- stats:
totals: yes # stats for all threads merged together
threads: no # per thread stats
deltas: no # include delta values
```
## Установка
```
~# cd /etc/zabbix/zabbix_agentd.d && \
wget 'https://raw.githubusercontent.com/kviset/zabbix/master/Linux App/Template App Suricata/suricata.conf'
~# cd /usr/lib/zabbix/agentscripts/ && \
wget 'https://raw.githubusercontent.com/kviset/zabbix/master/Linux App/Template App Suricata/suricata.pl' && \
chown zabbix suricata.pl && chmod 550 suricata.pl
~# /etc/init.d/zabbix-agent restart
```
Добавьте хост в темплейт Template App Suricata
\ No newline at end of file
#!/usr/bin/perl -w
require "/etc/zabbix/scripts/suricata/zsender.pl";
my $SURICATA_STATS = shift || "/var/log/suricata/stats.log";
my %PARAM = (DEBUG => 0, NOSEND => 0);
my $PRESTR = "script.suricata";
my @DATA = ();
my $RESULT = zs_system("tail -n 61 $SURICATA_STATS && echo > $SURICATA_STATS",{%PARAM});
if (defined $RESULT ){
foreach $str (split /\n/,$RESULT){
my @CELL = split /\|/, $str;
for (@CELL){ s/\s+//g; }
push @DATA,[$CELL[0],$CELL[2]];
}
}
push @DATA,["barnyard2.proc",zs_system("ps -C barnyard2 --no-headers |wc -l",{%PARAM})];
push @DATA,["suricata.proc",zs_system("ps -C Suricata-Main --no-headers |wc -l",{%PARAM})];
print zs_zsender_arr($PRESTR,\@DATA,{%PARAM});
\ No newline at end of file
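Review bot: `$SURICATA_STATS` is taken straight from `shift` and interpolated into a shell string for zs_system (`tail -n 61 $SURICATA_STATS && echo > $SURICATA_STATS`), so the value chooses what the shell runs as the zabbix user; the UserParameter in suricata.conf passes no argument, but the script should still accept only a plain path, e.g. `die "bad path: $SURICATA_STATS\n" unless $SURICATA_STATS =~ m{\A[\w./-]+\z};` directly after the assignment. The `echo > $SURICATA_STATS` truncation is a destructive side effect that requires write access to Suricata's log for the zabbix user, and any stats block appended between the `tail` and the `echo` is lost; reading by offset or leaving rotation to Suricata avoids both. Lines of stats.log that split into fewer than three `|` fields leave `$CELL[2]` undefined, which zs_zsender_arr only reports as a warning per key, so the parse should skip them (`next unless defined $CELL[2];`) rather than forward them. The file also has no `use strict;`/`use warnings;` (only `-w`), and `foreach $str` relies on an undeclared package global.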
UserParameter=script.suricata.run,/etc/zabbix/scripts/suricata/suricata.pl
UserParameter=script.suricata.rule,cat /etc/suricata/rules/*.rules | cksum |awk '{ print $1 }'
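Review bot: The `script.suricata.run` path `/etc/zabbix/scripts/suricata/suricata.pl` does not match the README in this commit, which installs suricata.pl to `/usr/lib/zabbix/agentscripts/`, while suricata.pl itself requires `/etc/zabbix/scripts/suricata/zsender.pl`; one location should be used everywhere or the item fails with "not supported" on the agent. `cksum` in `script.suricata.rule` is a CRC, which is adequate for noticing that the rule set changed but should not be read as an integrity check of the rules; a comment stating that intent, or `sha256sum` in its place, would make this explicit. Neither item takes a `[*]` parameter, which is the right choice given that suricata.pl interpolates its first argument into a shell command.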
#Includ for all perl zabbix-sender based monitoring scripts.
#Place: /usr/lob/zabbix
#Depends: aptitude install zabbix-sender
my $VERSION = "0.3.9";
#ZABBIX SERVER PARAMETERS
my $ZABBIX_AGENTD_CONF = '/etc/zabbix/zabbix_agentd.conf';
my $ZABBIX_HOSTNAME = `/usr/sbin/zabbix_agentd -t agent.hostname`; $ZABBIX_HOSTNAME =~ s/.*\|//; $ZABBIX_HOSTNAME =~ s/]$//; chop $ZABBIX_HOSTNAME;
my $ZABBIX_TEMPFILE = "/tmp/zabbix.".time.".".$$;
sub zs_version { return $VERSION; }
sub zs_debug {
my $MSG = $_[0];
my $LVL = $_[1];
my %PARAM = (
DEBUG => 0,
LOGNAME => undef
);
if (defined $_[2]){ @PARAM{keys %{$_[2]}} = values %{$_[2]}; };
if (defined $PARAM{LOGNAME} and $PARAM{DEBUG} == 0){ $PARAM{DEBUG} = 1;}
$MSG =~ s/\n/\\n/gm;
openlog("$PARAM{LOGNAME}", "ndelay,pid", "local0") if defined $PARAM{LOGNAME};
if ( $PARAM{DEBUG} >= $LVL){
print "$MSG\n";
syslog(LOG_INFO,"$MSG") if defined $PARAM{LOGNAME};
}
closelog () if defined $PARAM{LOGNAME};
}
sub zs_system {
my $CMD = $_[0];
my %PARAM = (
DEBUG => 0
);
if (defined $_[1]){ @PARAM{keys %{$_[1]}} = values %{$_[1]}; };
zs_debug ("zs_system execute: '$CMD'",5,{%PARAM});
my $RESULT = `$CMD 2>&1`;
unless ($? == 0){
zs_debug ("WARNING: Execution '$CMD' failed.\nmsg: '$!'.\nReturn: $RESULT",0,{%PARAM});
return;
}
zs_debug ("zs_system result: '$RESULT'",5,{%PARAM});
return $RESULT;
}
sub zs_curl {
my $URL = $_[0];
my %PARAM = (
DEBUG => 0,
EXEC_TIMEOUT => 2,
FOLLOW_REDIR => 1
);
if (defined $_[1]){ @PARAM{keys %{$_[1]}} = values %{$_[1]}; };
zs_debug ("zs_curl get URL: '$URL'",5,{%PARAM});
my $RESULT = zs_system("curl -isS --insecure --max-time $PARAM{EXEC_TIMEOUT} '$URL'");
if (defined $RESULT){
my ($HEAD) = $RESULT =~ /(.*)\r\n\r\n/ms;
my ($RETCODE) = $HEAD =~ /HTTP\/[0-9|\.]+\s(\d{3})\s/m;
$RESULT =~ s/(.*)\r\n\r\n//ms;
zs_debug ("zs_curl RETCODE: '$RETCODE'",1,{%PARAM});
zs_debug ("zs_curl FOLLOW_REDIR: '$PARAM{FOLLOW_REDIR}'",1,{%PARAM});
zs_debug ("zs_curl HEAD: '$HEAD'",1,{%PARAM});
unless ($RETCODE == 200){
if ((($RETCODE == 301) or ($RETCODE == 302))and($PARAM{FOLLOW_REDIR} > 0)){
$PARAM{FOLLOW_REDIR} = $PARAM{FOLLOW_REDIR} - 1;
($URL) = $HEAD =~ /Location:\s(.*)\r\n/m;
$RESULT = zs_curl($URL,{%PARAM});
}else{
zs_debug ("ERROR: HTTP request return code do not equal 200. Return code: $RETCODE.\n$RESULT\n",0,{%PARAM});
die "ERROR: HTTP request return code do not equal 200. Return code: $RETCODE.\n$RESULT\n";
}
}
}
return $RESULT;
}
sub zs_discovery_arr {
my $VARNAME = $_[0];
my @VALUES = @{$_[1]};
my %PARAM = (
DEBUG => 0
);
if (defined $_[2]){ @PARAM{keys %{$_[2]}} = values %{$_[2]}; };
my @VARNAME2D = ($VARNAME);
my @VALUES2D;
foreach $tmp (@VALUES){ push @VALUES2D,[$tmp];}
return zs_discovery_2darr(\@VARNAME2D,\@VALUES2D,{%PARAM});
}
sub zs_discovery_2darr {
my @VARNAME = @{$_[0]};
my @VALUES = @{$_[1]};
my %PARAM = (
DEBUG => 0
);
if (defined $_[2]){ @PARAM{keys %{$_[2]}} = values %{$_[2]}; };
unless ($#VARNAME == $#{$VALUES[0]}){
zs_debug ("ERROR: Dimension VARNAME not equal VALUES",0,{%PARAM});
die "ERROR: Dimension VARNAME not equal VALUES\n";
}
my $colfirst = 1;
my $RESULT = "{\"data\":[";
for(my $I=0;$I<=$#VALUES;$I++){
$RESULT = $RESULT."," if not $colfirst;
$colfirst = 0;
$RESULT = $RESULT."{";
my $rowfirst = 1;
for(my $N=0;$N<=$#VARNAME;$N++){
$RESULT = $RESULT."," if not $rowfirst;
$rowfirst = 0;
if (defined $VALUES[$I][$N]){
$RESULT = $RESULT."\"{#$VARNAME[$N]}\":\"$VALUES[$I][$N]\"";
}else{
$RESULT = $RESULT."\"{#$VARNAME[$N]}\":\"0\"";
}
}
$RESULT = $RESULT."}";
}
$RESULT = $RESULT."]}\n";
return $RESULT;
}
sub zs_zsender_arr {
my $PRESTR = $_[0];
my @DATA = @{$_[1]};
my %PARAM = (
ZABBIX_AGENTD_CONF => $ZABBIX_AGENTD_CONF,
ZABBIX_HOSTNAME => $ZABBIX_HOSTNAME,
ZABBIX_TEMPFILE => $ZABBIX_TEMPFILE,
POLLING_TIME => int time,
DEBUG => 0,
NOSEND => 0
);
if (defined $_[2]){ @PARAM{keys %{$_[2]}} = values %{$_[2]}; };
unless(($PRESTR =~ m/(^$|\.$)/)){ $PRESTR = $PRESTR."."; }
zs_debug ("File $PARAM{ZABBIX_TEMPFILE}:",1,{%PARAM});
open OUT,">$PARAM{ZABBIX_TEMPFILE}" or die "ERROR: Can not create file $PARAM{ZABBIX_TEMPFILE}. $!";
for(my $I = 0;$I <= $#DATA; $I++){
if ( defined $DATA[$I][1]){
my $HOSTNAME = $PARAM{ZABBIX_HOSTNAME};
$DATA[$I][0] =~ s/\n//gm;
$DATA[$I][1] =~ s/\n//gm;
if( defined $DATA[$I][2]){
$DATA[$I][2] =~ s/\n//gm;
$HOSTNAME = $DATA[$I][2];
}
print OUT "\"$HOSTNAME\" $PRESTR$DATA[$I][0] $PARAM{POLLING_TIME} $DATA[$I][1]\n";
zs_debug ("\"$HOSTNAME\" $PRESTR$DATA[$I][0] $PARAM{POLLING_TIME} $DATA[$I][1]",1,{%PARAM});
}else{
zs_debug ("WARNING: Value for key '$DATA[$I][0]' do not defined.",0,{%PARAM});
}
}
close OUT;
if ($PARAM{NOSEND} > 0){
return "WARNING: Flag NOSEND=$PARAM{NOSEND}. Data do not send to zabbix server.\n";
}else{
my $RESULT = `zabbix_sender -v -T -c $PARAM{'ZABBIX_AGENTD_CONF'} -i $PARAM{'ZABBIX_TEMPFILE'} 2>&1; rm $PARAM{'ZABBIX_TEMPFILE'}`;
return $RESULT
}
}
\ No newline at end of file
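Review bot: zs_zsender_arr writes its batch to a predictable name under /tmp (`"/tmp/zabbix.".time.".".$$` defined at the top of the file) through a two-arg `open OUT,">..."`, never checks `close OUT`, and removes the file with `rm` inside the zabbix_sender shell line; a file or symlink already present at that name is followed silently, so the temporary file should come from the core File::Temp module (`use File::Temp qw(tempfile);` beside the other globals) and the write be closed with a checked `close`. The `ZABBIX_TEMPFILE` PARAM key can remain as an override for compatibility, though no caller in this commit passes it. Separately, zs_curl interpolates `$URL` inside single quotes into its curl command and re-enters itself with the server-supplied `Location:` value, so a quote character in a redirect target breaks the quoting; validating the URL against an anchored pattern or passing it through `quotemeta` before the call is the minimal fix, and `--insecure` should at least be documented as intentional. The file relies on `openlog`/`syslog`/`closelog`/`LOG_INFO` without a visible `use Sys::Syslog`, which would fail at runtime once LOGNAME is set unless the including script imports it, and it carries neither `use strict` nor `use warnings`.
```perl
sub zs_zsender_arr {
    # … unchanged: argument unpacking, %PARAM defaults, PRESTR normalisation …
    my ($OUT, $TMPNAME) = tempfile('zabbix.XXXXXXXX', TMPDIR => 1, UNLINK => 1);
    zs_debug ("File $TMPNAME:",1,{%PARAM});
    # … unchanged: per-row loop, with `print OUT` becoming `print {$OUT}` …
    close $OUT or die "ERROR: Can not write file $TMPNAME. $!";
    # … unchanged: NOSEND early return …
    my $RESULT = `zabbix_sender -v -T -c $PARAM{'ZABBIX_AGENTD_CONF'} -i $TMPNAME 2>&1`;
    return $RESULT;
}
```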