diff --git a/bin/main.conf b/bin/main.conf
new file mode 100644
index 0000000..d79582c
--- /dev/null
+++ b/bin/main.conf
@@ -0,0 +1,39 @@
+[MAAT]
+MAAT_MODE=1
+#EFFECTIVE_FLAG=
+STAT_SWITCH=1
+PERF_SWITCH=1
+TABLE_INFO=tsgconf/tsg_tableinfo.conf
+STAT_FILE=tsg_maat.status
+EFFECT_INTERVAL_S=1
+REDIS_IP=127.0.0.1
+REDIS_PORT_NUM=10
+REDIS_PORT=6380
+REDIS_INDEX=2
+JSON_CFG_FILE=tsgconf/tsg_maat.json
+INC_CFG_DIR=tsgrule/inc/index/
+FULL_CFG_DIR=tsgrule/full/index/
+
+IP_ADDR_TABLE=TSG_OBJ_IP_ADDR
+SUBSCRIBER_ID_TABLE=TSG_OBJ_SUBSCRIBER_ID
+
+[TSG_LOG]
+MODE=1
+NIC_NAME=eth1
+MAX_SERVICE=0
+LOG_LEVEL=10
+LOG_PATH=./tsglog/tsglog
+BROKER_LIST=127.0.0.1:9092
+COMMON_FIELD_FILE=tsgconf/tsg_log_field.conf
+
+[FIELD_STAT]
+CYCLE=3
+TELEGRAF_PORT=8125
+TELEGRAF_IP=127.0.0.1
+OUTPUT_PATH=./tsg_stat.log
+APP_NAME=tsg_master
+
+[SYSTEM]
+LOG_LEVEL=10
+LOG_PATH=./tsglog/tsg_master
+POLICY_PRIORITY_LABEL=POLICY_PRIORITY
diff --git a/bin/tsg_log_field.conf b/bin/tsg_log_field.conf
new file mode 100644
index 0000000..17e8c11
--- /dev/null
+++ b/bin/tsg_log_field.conf
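Review bot: The Redis endpoint under `[MAAT]` (`REDIS_IP=127.0.0.1`, `REDIS_PORT=6380`, `REDIS_INDEX=2`) and the Kafka endpoint under `[TSG_LOG]` (`BROKER_LIST=127.0.0.1:9092`) carry no credential, ACL or TLS keys, so the only thing protecting what is presumably the rule store and the security-event stream is that both addresses are loopback. If the loader supports authentication this file should carry it (even as a commented placeholder); either way the trust assumption should be written down, e.g. `# Redis and Kafka are reached without authentication: keep them bound to loopback, or add credentials here before pointing at a remote host`. `REDIS_PORT_NUM=10` directly beside `REDIS_PORT=6380` is unexplained — if it is a port count or pool size a one-line comment naming it would help — and `LOG_LEVEL=10` appears in two sections with no stated scale or direction. Note also that `TABLE_INFO`, `JSON_CFG_FILE` and `COMMON_FIELD_FILE` point into `tsgconf/` while the files in this commit live under `bin/`, so the install step that moves them should be documented somewhere in the tree.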
@@ -0,0 +1,41 @@
+#TYPE:1:UCHAR,2:USHORT,3:ULONG,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET
+#TYPE TOPIC SERVICE
+TOPIC SECURITY-EVENT-LOG 0
+
+#TYPE FIELD VALUE
+LONG common_policy_id 1
+LONG common_service 2
+LONG common_action 3
+LONG common_start_time 4
+LONG common_end_time 5
+STRING common_l4_protocol 6
+LONG common_address_type 7
+STRING common_server_ip 8
+STRING common_client_ip 9
+LONG common_server_port 10
+LONG common_client_port 11
+LONG common_stream_dir 12
+STRING common_address_list 13
+LONG common_entrance_id 14
+LONG common_device_id 15
+LONG common_link_id 16
+STRING common_isp 17
+LONG common_encapsulation 18
+LONG common_direction 19
+STRING common_sled_ip 20
+STRING common_user_tags 21
+STRING common_user_region 22
+STRING common_app_label 23
+LONG common_app_id 24
+LONG common_protocol_id 25
+LONG common_c2s_pkt_num 26
+LONG common_s2c_pkt_num 27
+LONG common_c2s_byte_num 28
+LONG common_s2c_byte_num 29
+LONG common_con_duration_ms 30
+LONG common_has_dup_traffic 31
+STRING common_stream_error 32
+STRING common_stream_trace_id 33
+STRING common_schema_type 34
+STRING http_host 35
+STRING ssl_sni 36
diff --git a/bin/tsg_maat.json b/bin/tsg_maat.json
new file mode 100644
index 0000000..a592c25
--- /dev/null
+++ b/bin/tsg_maat.json
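Review bot: The type legend on the first line (`1:UCHAR,2:USHORT,3:ULONG,4:ULOG,5:USTRING,6:FILE,7:UBASE64,8:PACKET`) does not describe the rows, which use only `LONG` and `STRING` — neither name appears in the legend, and `4:ULOG` beside `3:ULONG` looks like a typo. Whichever set of type names the log parser actually accepts should be the one documented, e.g. replace the legend with `#TYPE one of LONG,STRING (names accepted by the tsg_log field parser)` or list the full accepted set. The topic line `TOPIC SECURITY-EVENT-LOG 0` also deserves a comment stating that every record on this topic carries `common_client_ip`, `common_server_ip`, `http_host` and `ssl_sni`, i.e. per-subscriber browsing data, so the Kafka topic's retention and access control need to be set with that in mind.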
@@ -0,0 +1,84 @@
+{
+ "compile_table": "TSG_SECURITY_COMPILE",
+ "group_table": "POLICY_OBJECT",
+ "rules": [
+ {
+ "compile_id": 1,
+ "service": 0,
+ "action": 16,
+ "do_blacklist": 0,
+ "do_log": 1,
+ "effective_rage": 0,
+ "user_region": "anything",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "group_1",
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_IP_ADDR",
+ "table_type": "ip",
+ "table_content": {
+ "addr_type": "ipv4",
+ "src_ip": "61.135.169.125",
+ "mask_src_ip": "255.255.255.255",
+ "src_port": "80",
+ "mask_src_port": "65535",
+ "dst_ip": "192.168.41.228",
+ "mask_dst_ip": "255.255.255.255",
+ "dst_port": "0",
+ "mask_dst_port": "65535",
+ "protocol": 6,
+ "direction": "double"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 2,
+ "service": 0,
+ "action": 128,
+ "do_blacklist": 0,
+ "do_log": 1,
+ "effective_rage": 0,
+ "user_region": "anything",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "FQDN_SNI",
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_FQDN",
+ "table_type": "expr",
+ "table_content": {
+ "keywords": "baidu.com",
+ "expr_type": "and",
+ "match_method": "sub",
+ "format": "uncase plain"
+ }
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "compile_id": 3,
+ "service": 0,
+ "action": 128,
+ "do_blacklist": 0,
+ "do_log": 1,
+ "effective_rage": 0,
+ "user_region": "Virtual",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name":"FQDN_SNI",
+ "virtual_table":"TSG_FIELD_SSL_SNI",
+ "not_flag" : 0
+ }
+ ]
+ }
+ ]
+}
diff --git a/bin/tsg_maat_ip_deny.json b/bin/tsg_maat_ip_deny.json
new file mode 100644
index 0000000..9e0a2e0
--- /dev/null
+++ b/bin/tsg_maat_ip_deny.json
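Review bot: Rule `"compile_id": 2` matches `TSG_OBJ_FQDN` with `"match_method": "sub"` on `"baidu.com"`, which is a substring test rather than a domain-suffix test: it also fires on `notbaidu.com` and on `baidu.com.example.net`, and a rule of this shape used as a trust decision is bypassable by anyone who can register such a name. If the engine offers a suffix or label-boundary match, that should be the default for FQDN/SNI objects; if `sub` is intentional here, that should be stated in accompanying documentation since JSON allows no comments. In rule 1, `"dst_port": "0"` with `"mask_dst_port": "65535"` reads as "exactly port 0" by analogy with `"src_port": "80"` / `"mask_src_port": "65535"`, which is probably not what was meant — if "any destination port" was intended the mask should presumably be `"0"`, and the port/mask convention should be written down next to the action code table. The key `effective_rage` (presumably `effective_range`) is spelled identically in every rule and in `tsg_maat_ip_deny.json`, so it is either the loader's real key name or a copy-pasted typo the loader silently ignores; worth confirming against the parser before more rules inherit it.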
@@ -0,0 +1,40 @@
+{
+ "compile_table": "TSG_SECURITY_COMPILE",
+ "group_table": "POLICY_OBJECT",
+ "rules": [
+ {
+ "compile_id": 1,
+ "service": 0,
+ "action": 16,
+ "do_blacklist": 0,
+ "do_log": 1,
+ "effective_rage": 0,
+ "user_region": "anything",
+ "is_valid": "yes",
+ "groups": [
+ {
+ "group_name": "group_1",
+ "regions": [
+ {
+ "table_name": "TSG_OBJ_IP_ADDR",
+ "table_type": "ip",
+ "table_content": {
+ "addr_type": "ipv4",
+ "src_ip": "117.18.237.29",
+ "mask_src_ip": "255.255.255.255",
+ "src_port": "80",
+ "mask_src_port": "65535",
+ "dst_ip": "192.168.41.228",
+ "mask_dst_ip": "255.255.255.255",
+ "dst_port": "0",
+ "mask_dst_port": "65535",
+ "protocol": 6,
+ "direction": "double"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/bin/tsg_master.inf b/bin/tsg_master.inf
new file mode 100644
index 0000000..e18e8dd
--- /dev/null
+++ b/bin/tsg_master.inf
@@ -0,0 +1,9 @@
+[PLUGINFO]
+PLUGNAME=TSG_MASTER
+SO_PATH=./plug/platform/tsg_master/tsg_master.so
+INIT_FUNC=TSG_MASTER_INIT
+DESTROY_FUNC=TSG_MASTER_UNLOAD
+
+[TCP]
+FUNC_FLAG=ALL
+FUNC_NAME=TSG_MASTER_TCP_ENTRY
diff --git a/bin/tsg_tableinfo.conf b/bin/tsg_tableinfo.conf
new file mode 100644
index 0000000..9eb7726
--- /dev/null
+++ b/bin/tsg_tableinfo.conf
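Review bot: Nothing in this commit loads this file — `main.conf` names only `JSON_CFG_FILE=tsgconf/tsg_maat.json` — so as committed `tsg_maat_ip_deny.json` is an inert sample, and a reader who takes the filename at face value may assume `117.18.237.29` is being blocked when it is not. If it is meant to be an alternative rule set it should be named in the config or in a README next to it; if it is only an example, the name should say so. The rule reuses `"action": 16` from the first rule of `tsg_maat.json`, and nothing visible in the diff ties the code 16 to a deny action except this filename, so the action code table belongs in documentation alongside these files. The file also ends without a trailing newline.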
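Review bot: `SO_PATH=./plug/platform/tsg_master/tsg_master.so` in `[PLUGINFO]` is a working-directory-relative path, so which shared object the host loads depends on where the process is launched from; a wrong cwd either fails the load or, if that directory is writable by a less-privileged user, lets a different `tsg_master.so` be substituted for the plugin. If the plugin loader accepts it, an absolute install path or a path resolved relative to this `.inf` file is the safer form. At minimum add `# resolved relative to the host process's working directory, not to this file` above `SO_PATH` so the deployment assumption is explicit.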
@@ -0,0 +1,38 @@
+#each collumn seperate with '\t'
+#id (0~65535)
+#name string
+#type one of ip,expr,expr_plus,digest,intval,compile or plugin
+#src_charset one of GBK,BIG5,UNICODE,UTF8
+#dst_charset combined by GBK,BIG5,UNICODE,UTF8,seperate with '/'
+#do_merege yes or no
+#cross cache 0~max
+#quickswitch quickon or quick off
+#id name type src_charset dst_charset do_merge cross_cache quickswitch
+0 TSG_SECURITY_COMPILE compile escape --
+1 POLICY_OBJECT group UTF8 UTF8 no 0
+2 TSG_OBJ_IP_ADDR ip UTF8 UTF8 no 0
+3 TSG_OBJ_SUBSCRIBER_ID expr UTF8 UTF8 no 0
+4 TSG_OBJ_ACCOUNT expr UTF8 UTF8 no 0
+5 TSG_OBJ_URL expr UTF8 UTF8 no 0
+6 TSG_OBJ_FQDN expr UTF8 UTF8 no 0
+7 TSG_OBJ_KEYWORDS expr UTF8 UTF8 no 0
+8 TSG_FIELD_HTTP_HOST virtual TSG_OBJ_FQDN --
+9 TSG_FIELD_HTTP_URL virtual TSG_OBJ_URL --
+10 TSG_FIELD_HTTP_REQ_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
+11 TSG_FIELD_HTTP_RES_HDR virtual TSG_OBJ_HTTP_SIGNATURE --
+12 TSG_FIELD_HTTP_REQ_CONTENT virtual TSG_OBJ_KEYWORDS --
+13 TSG_FIELD_HTTP_RES_CONTENT virtual TSG_OBJ_KEYWORDS --
+14 TSG_FIELD_SSL_SNI virtual TSG_OBJ_FQDN --
+15 TSG_FIELD_SSL_CN virtual TSG_OBJ_FQDN --
+16 TSG_FIELD_SSL_SAN virtual TSG_OBJ_FQDN --
+17 TSG_FIELD_DNS_QNAME virtual TSG_OBJ_FQDN --
+18 TSG_FIELD_MAIL_ACCOUNT virtual TSG_OBJ_ACCOUNT --
+19 TSG_FIELD_MAIL_FROM virtual TSG_OBJ_ACCOUNT --
+20 TSG_FIELD_MAIL_TO virtual TSG_OBJ_ACCOUNT --
+21 TSG_FIELD_MAIL_SUBJECT virtual TSG_OBJ_KEYWORDS --
+22 TSG_FIELD_MAIL_CONTENT virtual TSG_OBJ_KEYWORDS --
+23 TSG_FIELD_MAIL_ATT_NAME virtual TSG_OBJ_KEYWORDS --
+24 TSG_FIELD_MAIL_ATT_CONTENT virtual TSG_OBJ_KEYWORDS --
+25 TSG_FIELD_FTP_URI virtual TSG_OBJ_URL --
+26 TSG_FIELD_FTP_CONTENT virtual TSG_OBJ_KEYWORDS --
+27 TSG_FIELD_FTP_ACCOUNT virtual TSG_OBJ_ACCOUNT --
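Review bot: Rows 10 and 11 (`TSG_FIELD_HTTP_REQ_HDR`, `TSG_FIELD_HTTP_RES_HDR`) are `virtual` tables backed by `TSG_OBJ_HTTP_SIGNATURE`, but no row in this file defines a table of that name, so depending on how the loader treats an unknown backing table those two fields either silently match nothing or fail the whole table load — either add the `TSG_OBJ_HTTP_SIGNATURE` row or drop the two virtual rows until it exists. The header legend says the type column is `one of ip,expr,expr_plus,digest,intval,compile or plugin`, yet the rows also use `group` and `virtual` and the `virtual` rows put a table name in the `src_charset` column, so the legend should describe the accepted types and the column meaning for each. The legend also carries several typos worth fixing in the same commit: `collumn`, `seperate` (twice), `do_merege`, and `quick off` where the value is presumably `quickoff`.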