Hawk IDS initial git setup

LICENSES

@@ -0,0 +1,21 @@
+Copyright (c) 2007, Marian Marinov <mm@yuhu.biz>
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+    * Neither the name of the SiteGround LLC nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

blacklist.tmpl

@@ -0,0 +1,11 @@
+Search in the blacklist log:<br />
+<form method=post>
+<input type='hidden' name='action' value='blacklist'>
+<div class="tab_panel" id="tab_detail" style='border-top: 1px solid black; text-align: center'>
+<input type='hidden' name='w' value='ip'>
+IP Address: <input type='text' name='addr'><br />
+<input type=submit value='Search for this address'>
+</div>
+</form>
+
+

broots.tmpl

@@ -0,0 +1,10 @@
+Bruteforce attempts by hour(last 56 hours only):<br />
+<table cellspacing=0 cellpadding=0 class='broots'>
+<tr>
+  <td class='td-top'><a href="?action=listbroots&order=0">Date</a></td>
+  <td class='td-top'><a href="?action=listbroots&order=1">IP Address</td>
+  <td class='td-top'><a href="?action=listbroots&order=2">Service</td>
+</tr>
+__CONTENTS__
+</table>
+

failed.tmpl

@@ -0,0 +1,10 @@
+Failed attempts by hour(last 24 hours only):<br />
+<table cellspacing=0 cellpadding=0 class='broots'>
+<tr>
+  <td class='td-top'><a href="?action=listfailed&order=0">Date</a></td>
+  <td class='td-top'><a href="?action=listfailed&order=1">IP Address</td>
+  <td class='td-top'><a href="?action=listfailed&order=2">Service</td>
+  <td class='td-top'><a href="?action=listfailed&order=3">User</td>
+</tr>
+__CONTENTS__
+</table>

graphs-xml.tmpl

@@ -0,0 +1,15 @@
+<graph 
+	xaxisname='__XNAME__' 
+	yaxisname='__YNAME__' 
+	caption='__TITLE__'  
+	lineThickness='1' 
+	animation='0' 
+	showLimits='1' 
+	decimalPrecision='1' 
+	limitsDecimalPrecision='0' 
+	showNames='1' 
+	showValues='1'  
+	showLegend='1' 
+	showAnchors='1'>
+	__OPTIONS__
+</graph>

graphs.tmpl

@@ -0,0 +1,24 @@
+<OBJECT 
+	classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000"
+	codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,0,0"
+	width="__WIDTH__" 
+	height="__HEIGHT__" 
+	id="charts735460494" ALIGN="middle">
+	<PARAM NAME="movie" 
+	VALUE="charts.swf?s=__WIDTH__&stage_height=__HEIGHT__&library_path=charts_library&xml_source=__SOURCE__">
+	<PARAM NAME="quality" VALUE="high">
+	<param name="allowScriptAccess" value="sameDomain" />
+	<PARAM NAME="bgcolor" VALUE="__BGCOLOR__">
+	<EMBED 
+		src="charts.swf?stage_width=__WIDTH__&stage_height=__HEIGHT__&library_path=charts_library&xml_source=__SOURCE__" 
+		quality="high" 
+		bgcolor="__BGCOLOR__" 
+		width="__WIDTH__" 
+		height="__HEIGHT__" 
+		NAME="charts735460494" 
+		ALIGN="middle" 
+		allowScriptAccess="sameDomain"  
+		TYPE="application/x-shockwave-flash" 
+		PLUGINSPAGE="http://www.macromedia.com/go/getflashplayer">
+	</EMBED>
+</OBJECT>

hawk-big.pl

@@ -0,0 +1,112 @@
+#!/usr/bin/perl -T
+use strict;
+use warnings;
+use DBD::mysql;
+use POSIX qw(setsid), qw(strftime);	# use only setsid & strftime from POSIX
+
+# system variables
+$ENV{PATH} = '';		# remove unsecure path
+my $version = '0.1';	# version string
+
+# Hawk files
+my $logfile = '/var/log//hawk.log';	# daemon logfile
+my $pidfile = '/var/run/hawk.pid';	# daemon pidfile
+my $ioerrfile = '/home/sentry/public_html/io.err'; # File where to add timestamps for I/O Errors
+my $log_list = '/usr/bin/tail -f /var/log/messages |';
+our $debug = 0;			# by default debuging is OFF
+
+my $start_time = time();
+
+# check for debug
+if ( defined($ARGV[0]) && $ARGV[0] =~ /debug/ ) {
+	$debug=1;		# turn on debuging
+}
+
+# changing to unbuffered output
+our $| = 1;
+
+# Change program name
+$0 = "[Hawk]";
+
+# open the logfile
+open HAWK, '>>', $logfile or die "DIE: Unable to open logfile $logfile: $!\n";
+logger("Hawk version $version started!");
+#print HAWK get_time(), " Hawk version $version started!\n";
+
+
+# execute this before DIE-ing :)
+$SIG{__DIE__}  = sub { logger(@_); };
+
+# check if the daemon is running
+if ( -e $pidfile ) {
+        # get the old pid
+        open PIDFILE, '<', $pidfile or die "DIE: Can't open pid file($pidfile): $!\n";
+	my $old_pid = <PIDFILE>;
+        close PIDFILE;
+        # check if $old_pid is still running
+	if ( $old_pid =~ /[0-9]+/ ) {
+		if ( -d "/proc/$old_pid" ) {
+			logger("Hawk is already running!");
+			die "DIE: Hawk is already running!\n";
+	        }
+	} else {
+		logger("Incorrect pid format!");
+		die "DIE: Incorrect pid format!\n";
+	}
+}
+
+# generate time format: 15.May.07 02:41:52
+sub get_time {
+	return strftime('%b %d %H:%M:%S', localtime(time));
+}
+
+sub logger {
+	print HAWK strftime('%b %d %H:%M:%S', localtime(time)) . ' ' . $_[0] . "\n";
+}
+
+# Fork to background
+defined(my $pid=fork) or die "DIE: Cannot fork process: $! \n";
+exit if $pid;
+setsid or die "DIE: Unable to setsid: $!\n";
+umask 0;
+
+# redirect standart file descriptors to /dev/null
+open STDIN, '</dev/null' or die "DIE: Cannot read stdin: $! \n";
+open STDOUT, '>>/dev/null' or die "DIE: Cannot write to stdout: $! \n";
+if (!$debug) {
+	open STDERR, '>>/dev/null' or die "DIE: Cannot write to stderr: $! \n";
+}
+
+# write the program pid to the $pidfile
+open PIDFILE, '>', $pidfile or die "DIE: Unable to open pidfile $pidfile: $!\n";
+print PIDFILE $$;
+close PIDFILE;
+
+# open logs
+open LOGS, $log_list or die "DIE: Unable to open logs: $!\n";
+
+# make the output unbuffered
+select((select(HAWK), $| = 1)[0]);
+select((select(LOGS), $| = 1)[0]);
+
+
+while (<LOGS>) {
+	# Feb 13 19:18:35 serv01 kernel: end_request: I/O error, dev sdb, sector 1405725148
+	# Feb 13 19:18:58 serv01 kernel: end_request: I/O error, dev sdb, sector 1405727387 
+	if ( $_ =~ /I\/O error/i ) {
+		my @line = split /\s+/, $_;
+		open IOERR, '>', $ioerrfile or logger('Unable to log I/O Error');
+		print IOERR get_time() . "$line[9]\n";
+		close IOERR;
+ 	} else {
+		next;
+	}
+}
+close LOGS;
+close HAWK;
+close STDIN;
+close STDOUT;
+if (!$debug) {
+	close STDERR;
+}
+exit 0;