| author | lijia <[email protected]> | 2020-07-28 16:45:36 +0800 |
|---|---|---|
| committer | lijia <[email protected]> | 2020-07-28 16:45:36 +0800 |
| commit | 172b68f701e63a4fb5fa1a487e2b404b94cb68d7 (patch) | |
| tree | 38cc6bc13ad5b9ac4eeff2c88fae9062b3495ff2 | |
| parent | c89ded640aae55be5b64e333cfca788218b3c52c (diff) | |
V20.07版本.
16 files changed, 238 insertions, 5 deletions
diff --git a/cec6_env/group_vars/all.yml b/cec6_transparent_env/group_vars/all.yml
index c8811d8..c8811d8 100644
--- a/cec6_env/group_vars/all.yml
+++ b/cec6_transparent_env/group_vars/all.yml
diff --git a/cec6_env/hosts.xxg b/cec6_transparent_env/hosts.xxg
index a625201..a625201 100644
--- a/cec6_env/hosts.xxg
+++ b/cec6_transparent_env/hosts.xxg
diff --git a/roles/active_defence/files/rpm/houyi-1.3.7.f0b2ace-1.el7.x86_64.rpm b/roles/active_defence/files/rpm/houyi-1.3.7.f0b2ace-1.el7.x86_64.rpm
Binary files differ
deleted file mode 100644
index 467ee31..0000000
--- a/roles/active_defence/files/rpm/houyi-1.3.7.f0b2ace-1.el7.x86_64.rpm
+++ /dev/null
diff --git a/roles/active_defence/files/rpm/houyi-1.3.9.9acc87f-1.el7.x86_64.rpm b/roles/active_defence/files/rpm/houyi-1.3.9.9acc87f-1.el7.x86_64.rpm
Binary files differ
new file mode 100644
index 0000000..1b69c72
--- /dev/null
+++ b/roles/active_defence/files/rpm/houyi-1.3.9.9acc87f-1.el7.x86_64.rpm
diff --git a/roles/active_defence/files/rpm/houyi-plug-1.3.4.7291a7e-1.el7.x86_64.rpm b/roles/active_defence/files/rpm/houyi-plug-1.3.4.7291a7e-1.el7.x86_64.rpm
Binary files differ
deleted file mode 100644
index 5e03f01..0000000
--- a/roles/active_defence/files/rpm/houyi-plug-1.3.4.7291a7e-1.el7.x86_64.rpm
+++ /dev/null
diff --git a/roles/active_defence/files/rpm/houyi-plug-1.3.6.8b91a13-1.el7.x86_64.rpm b/roles/active_defence/files/rpm/houyi-plug-1.3.6.8b91a13-1.el7.x86_64.rpm
Binary files differ
new file mode 100644
index 0000000..e5e63ae
--- /dev/null
+++ b/roles/active_defence/files/rpm/houyi-plug-1.3.6.8b91a13-1.el7.x86_64.rpm
diff --git a/roles/active_defence/tasks/main.yml b/roles/active_defence/tasks/main.yml
index c0eb1b2..7f8d72f 100644
--- a/roles/active_defence/tasks/main.yml
+++ b/roles/active_defence/tasks/main.yml
@@ -145,17 +145,31 @@ src: "{{ role_path }}/templates/tsg_sn.json.j2" dest: /opt/tsg/etc/tsg_sn.json tags: template + when: install_device_sn | bool +- name: "Template tsg_device_tag.json" + template: + src: "{{ role_path }}/templates/tsg_device_tag.json.j2" + dest: /opt/tsg/etc/tsg_device_tag.json + tags: template + when: install_device_tag | bool + - name: "Template houyi_cc_setup_env.script" template: src: "{{ role_path }}/templates/houyi_cc_setup_env.script.j2" dest: /home/mesasoft/sapp_run/houyi_etc/houyi_cc_setup_env.script tags: template -- name: "Template maat_test.json" +- name: "Template maat_test.json.v2" + template: + src: "{{ role_path }}/templates/maat_test.json.v2.j2" + dest: /opt/houyi/bin/houyi_etc/maat_test.json.v2 + tags: template + +- name: "Template maat_test.json.v3" template: - src: "{{ role_path }}/templates/maat_test.json.j2" - dest: /opt/houyi/bin/houyi_etc/maat_test.json + src: "{{ role_path }}/templates/maat_test.json.v3.j2" + dest: /opt/houyi/bin/houyi_etc/maat_test.json.v3 tags: template - name: "copy houyi.service to destination server" diff --git a/roles/active_defence/templates/houyi.conf.j2 b/roles/active_defence/templates/houyi.conf.j2 index 1871418..3057d98 100644 --- a/roles/active_defence/templates/houyi.conf.j2 +++ b/roles/active_defence/templates/houyi.conf.j2 @@ -4,6 +4,7 @@ stateless_dev_name=tap_0,tap_1,tap_2 statefull_dev_name=tun_cc0,tun_cc1,tun_cc2 log_path=./houyi_log/runtime.log log_level=20 +sled_num_per_device=4 #为了方便, 容错处理, 关于方向的定义, 以下表述全是一个意思: #由内向外: C2I, CtoI, CTOI, ItoE, I2E, @@ -28,4 +29,5 @@ full_dir=./redis_dump/ redis_server_ip={{houyi_global.houyi.redis_server_ip}} redis_server_port={{houyi_global.houyi.redis_server_port}} redis_index={{houyi_global.houyi.redis_index}} +accetp_tags_file=/opt/tsg/etc/tsg_device_tag.json diff --git a/roles/active_defence/templates/houyi_plug.conf.j2 b/roles/active_defence/templates/houyi_plug.conf.j2 index fa0d9d4..a0e8dd6 100644 
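Review bot: The two new guards in roles/active_defence/tasks/main.yml, `when: install_device_sn | bool` and `when: install_device_tag | bool`, read variables that have no default in the visible lines, so an inventory that does not set them will abort the play on an undefined variable. This commit sets them only in xxg_debug_env/hosts.xxg and xxg_integration_env/hosts.xxg, while cec6_transparent_env/hosts.xxg is a rename with an unchanged blob id and so probably lacks them, unless a role default exists outside this diff. I would write `when: install_device_tag | default(false) | bool` (and the same for `install_device_sn`) or add both to the role's defaults. The new template tasks also set no `owner`/`mode`, so the rendered files under /opt/tsg/etc and /opt/houyi/bin/houyi_etc take whatever the umask gives; an explicit `mode: "0644"` would make that deliberate. The first guarded task starts above the hunk.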
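Review bot: `accetp_tags_file=/opt/tsg/etc/tsg_device_tag.json` is rendered unconditionally in houyi.conf.j2 (and again in houyi_plug.conf.j2), but the task that creates that file only runs when `install_device_tag` is true, and xxg_integration_env/hosts.xxg sets it to false. On such hosts the config points at a file that this role never wrote; how houyi behaves when the tag file is missing is not visible here, and if it falls back to accepting every rule the device-tag scoping is silently lost. Either always template the file or wrap the line as `{% if install_device_tag | default(false) | bool %}` … `{% endif %}` in both templates. The key is also spelled `accetp`, so please confirm it matches the name the binary parses, since an unrecognised key would normally be ignored without error.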
--- a/roles/active_defence/templates/houyi_plug.conf.j2 +++ b/roles/active_defence/templates/houyi_plug.conf.j2 @@ -24,6 +24,7 @@ full_dir=./redis_dump/ redis_server_ip={{houyi_global.houyi.redis_server_ip}} redis_server_port={{houyi_global.houyi.redis_server_port}} redis_index={{houyi_global.houyi.redis_index}} +accetp_tags_file=/opt/tsg/etc/tsg_device_tag.json [global_traffic_stat] log_interval=3 diff --git a/roles/active_defence/templates/maat_test.json.j2 b/roles/active_defence/templates/maat_test.json.v2.j2 index 5e73b54..5e73b54 100644 --- a/roles/active_defence/templates/maat_test.json.j2 +++ b/roles/active_defence/templates/maat_test.json.v2.j2 diff --git a/roles/active_defence/templates/maat_test.json.v3.j2 b/roles/active_defence/templates/maat_test.json.v3.j2 new file mode 100644 index 0000000..3382dc3 --- /dev/null +++ b/roles/active_defence/templates/maat_test.json.v3.j2 
@@ -0,0 +1,164 @@ +{ + "compile_table": "ACTIVE_DEFENCE_COMPILE", + "group2compile_table": "GROUP_COMPILE_RELATION", + "group2group_table": "GROUP_GROUP_RELATION", + "rules": [ + { + "compile_id": 103, + "service": 0, + "action": 2, + "do_blacklist": 0, + "do_log": 1, + "effective_rage": 0, + "user_region": "{\"method\":\"cc\",\"l7_protocol\":\"HTTP\",\"__comments\":\"active_defence_profile_claimed_src_ip.profile_id\",\"target_url\":\"http://ipv4.test.com/index.html\",\"rate_cps\":3,\"claimed_src_ip_profile_id\":4001}", + "is_valid": "yes", + "groups": [ + { + "regions": [ + { + "table_name": "IP_CONFIG", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "src_ip": "0.0.0.0", + "mask_src_ip": "255.255.255.255", + "src_port": "0", + "mask_src_port": "65535", + "dst_ip": "0.0.0.0", + "mask_dst_ip": "255.255.255.255", + "dst_port": "0", + "mask_dst_port": "65535", + "protocol": 6, + "direction": "double" + } + } + ] + } + ] + }, + { + "compile_id": 102, + "service": 0, + "action": 2, + "do_blacklist": 0, + "do_log": 1, + "effective_rage": 0, + "user_region": "{\"method\":\"flood\",\"l4_protocol\":\"TCP\",\"__comments\":\"active_defence_profile_reflector.profile_id\",\"target_ip\":\"192.168.40.134\",\"target_port\":8080,\"rate_pps\":3,\"payload\":\"dGVzdA==\",\"claimed_src_ip_profile_id\":4001}", + "is_valid": "yes", + "groups": [ + { + "regions": [ + { + "table_name": "IP_CONFIG", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "src_ip": "0.0.0.0", + "mask_src_ip": "255.255.255.255", + "src_port": "0", + "mask_src_port": "65535", + "dst_ip": "0.0.0.0", + "mask_dst_ip": "255.255.255.255", + "dst_port": "0", + "mask_dst_port": "65535", + "protocol": 6, + "direction": "double" + } + } + ] + } + ] + }, + { + "compile_id": 101, + "service": 0, + "action": 2, + "do_blacklist": 0, + "do_log": 1, + "effective_rage": 0, + "user_region": 
"{\"method\":\"reflection\",\"reflector_type\":\"DNS\",\"__comments\":\"active_defence_profile_reflector.profile_id\",\"target_ip\":\"192.168.40.1\",\"target_port\":5353,\"rate_pps\":3,\"payload_profile_id\":5001,\"reflector_profile_id\":4002}", + "is_valid": "yes", + "groups": [ + { + "regions": [ + { + "table_name": "IP_CONFIG", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "src_ip": "0.0.0.0", + "mask_src_ip": "255.255.255.255", + "src_port": "0", + "mask_src_port": "65535", + "dst_ip": "0.0.0.0", + "mask_dst_ip": "255.255.255.255", + "dst_port": "0", + "mask_dst_port": "65535", + "protocol": 6, + "direction": "double" + } + } + ] + } + ] + }, + { + "compile_id": 10000, + "service": 0, + "action": 2, + "do_blacklist": 0, + "do_log": 1, + "effective_range": 0, + "tags":"{\"tag_sets\":[[{\"tag\":\"device_id\",\"value\":[\"device_no_effective\"]}]]}", + "user_region": "{\"method\":\"flood\",\"l4_protocol\":\"TCP\",\"__comments\":\"for_test_effective_rage_tags\",\"target_ip\":\"192.168.40.134\",\"target_port\":8080,\"rate_pps\":1,\"payload\":\"dGVzdA==\",\"claimed_src_ip_profile_id\":4001}", + "is_valid": "yes", + "groups": [ + { + "regions": [ + { + "table_name": "IP_CONFIG", + "table_type": "ip", + "table_content": { + "addr_type": "ipv4", + "src_ip": "0.0.0.0", + "mask_src_ip": "255.255.255.255", + "src_port": "0", + "mask_src_port": "65535", + "dst_ip": "0.0.0.0", + "mask_dst_ip": "255.255.255.255", + "dst_port": "0", + "mask_dst_port": "65535", + "protocol": 6, + "direction": "double" + } + } + ] + } + ] + } + ], + + "plugin_table": [ + { + "table_name": "ACTIVE_DEFENCE_PROFILE_CLAIMED_SRC_IP", + "table_content": [ + "4001\tgroup123\t[\"192.168.10.0/24\",\"192.168.20.0/24\",\"192.168.30.0/24\"]\t4\tnull\t1\t2019-12-02", + "6001\tgroup456\t[\"fe80::2487:81ff:fefa:222d/80\",\"fe80::2487:81ff:fefa:333d/96\"]\t6\tnull\t1\t2019-12-02" + ] + }, + { + "table_name": "ACTIVE_DEFENCE_PROFILE_REFLECTOR", + "table_content": [ + 
"4002\tgroup1234\t[\"192.168.40.134\",\"192.168.40.134\"]\t4\tDNS\t1\t2019-12-02", + "6002\tgroup4567\t[\"fe80::db5a:b3e0:2d9:ce2c\",\"fe80::db3a:b3e3:3d9:ce3c\"]\t6\tNTP\t1\t2019-12-02" + ] + }, + { + "table_name": "ACTIVE_DEFENCE_PROFILE_REFLECTOR_PAYLOAD", + "table_content": [ + "5001\ttest1\tdns\tzasBAAABAAAAAAAABHRlc3QDY29tAAD/AAE=\t1\t2019-12-02", + "5002\ttest2\tntp\tdGVzdA==\t1\t2019-12-02" + ] + } + ] +} diff --git a/roles/active_defence/templates/tsg_device_tag.json.j2 b/roles/active_defence/templates/tsg_device_tag.json.j2 new file mode 100644 index 0000000..6f9a33b --- /dev/null +++ b/roles/active_defence/templates/tsg_device_tag.json.j2 @@ -0,0 +1,2 @@ +[MAAT] +ACCEPT_TAGS={"tags":[{"tag":"device_id","value":"device_1"}]} diff --git a/xxg_env/group_vars/all.yml b/xxg_debug_env/group_vars/all.yml index bb7ecbb..1c3e985 100644 --- a/xxg_env/group_vars/all.yml +++ b/xxg_debug_env/group_vars/all.yml @@ -14,9 +14,9 @@ houyi_global: redis_index: 0 rpm_files: - houyi_rpm_file: "houyi-1.3.7.f0b2ace-1.el7.x86_64.rpm" + houyi_rpm_file: "houyi-1.3.8.8985b69-1.el7.x86_64.rpm" houyi_common_tools_rpm_file: "houyi-common-tools-1.0.6.4e88b89-1.el7.x86_64.rpm" - houyi_plug_rpm_file: "houyi-plug-1.3.4.7291a7e-1.el7.x86_64.rpm" + houyi_plug_rpm_file: "houyi-plug-1.3.5.73951b4-1.el7.x86_64.rpm" net_flood_rpm_file: "net_flood-2.1.7.c201512-1.el7.x86_64.rpm" sapp_rpm_file: "sapp-4.0.16.d229505-x86_64...rpm" wire_graft_rpm_file: "wire-graft-1.0.3.162dae3-1.el7.x86_64.rpm" diff --git a/xxg_debug_env/hosts.xxg b/xxg_debug_env/hosts.xxg new file mode 100644 index 0000000..f32eeb9 --- /dev/null +++ b/xxg_debug_env/hosts.xxg @@ -0,0 +1,12 @@ +[all:vars] +ansible_user=root +install_sapp=false +install_device_sn=true +install_device_tag=true + +[active_defence] +192.168.40.133 + +[tsg-all:children] +active_defence + diff --git a/xxg_integration_env/group_vars/all.yml b/xxg_integration_env/group_vars/all.yml new file mode 100644 index 0000000..8dbdcf5 --- /dev/null 
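Review bot: The rules in maat_test.json.v3.j2 spell the same field two ways: compile_id 103, 102 and 101 use `"effective_rage": 0`, while compile_id 10000 uses `"effective_range": 0`. Whichever spelling the loader does not recognise is presumably dropped silently, so the range/tag restriction that rule 10000 is meant to exercise may not be tested against the same field the other rules set; pick the key the consumer actually reads and use it in all four rules. Separately, this is a test fixture whose rules all carry `"is_valid": "yes"`, and tasks/main.yml copies it to /opt/houyi/bin/houyi_etc on every host with no condition; gating the two `maat_test.json.*` tasks behind a variable that defaults to false would keep test rules off production devices.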
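Review bot: tsg_device_tag.json.j2 contains no template expression, so every host gets the identical line `ACCEPT_TAGS={"tags":[{"tag":"device_id","value":"device_1"}]}`. If the tag is meant to scope which rules a given device accepts, a constant value makes all devices accept the same set and the scoping has no effect. I would render the value from a per-host variable, for example one derived from `houyi_global.log.device_id` if that is the same identifier, and quote it in the template. The file body is INI (`[MAAT]` section) although the name ends in `.json`, which is worth a one-line comment at the top so nobody feeds it to a JSON parser or linter.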
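Review bot: `houyi_rpm_file: "houyi-1.3.8.8985b69-1.el7.x86_64.rpm"` and `houyi_plug_rpm_file: "houyi-plug-1.3.5.73951b4-1.el7.x86_64.rpm"` do not match the packages this commit puts in roles/active_defence/files/rpm, which are houyi-1.3.9.9acc87f and houyi-plug-1.3.6.8b91a13 (1.3.7 and plug-1.3.4 are deleted). Unless the 1.3.8 and 1.3.5 RPMs already exist in the tree, the install step will fail to find them, or the hosts end up on a build other than the one shipped with this release. The same two values appear in the new xxg_integration_env/group_vars/all.yml. Please align the variables with the committed files, and consider recording a checksum for each RPM next to its name so the role can verify the binary before installing it.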
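Review bot: The new inventory xxg_debug_env/hosts.xxg sets `ansible_user=root` under `[all:vars]`, so every task connects over SSH as root directly. That requires root login to stay enabled on the targets and removes the audit trail of who escalated. A dedicated deploy account with `ansible_become=true` gives the same result with a narrower login surface, for example `ansible_user=deploy` plus `ansible_become=true`, where `deploy` is a placeholder account name. The existing xxg_integration_env/hosts.xxg carries the same setting as context.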
+++ b/xxg_integration_env/group_vars/all.yml @@ -0,0 +1,36 @@ +houyi_global: + sapp: + install: false + packet_io: + inbound_route_dir: 0 + internal_device: "vxlan_user" + external_device: "eth4" + packet_io_depolyment: + mode: "inline" + + houyi: + redis_server_ip: "192.168.40.120" + redis_server_port: 7003 + redis_index: 0 + + rpm_files: + houyi_rpm_file: "houyi-1.3.8.8985b69-1.el7.x86_64.rpm" + houyi_common_tools_rpm_file: "houyi-common-tools-1.0.6.4e88b89-1.el7.x86_64.rpm" + houyi_plug_rpm_file: "houyi-plug-1.3.5.73951b4-1.el7.x86_64.rpm" + net_flood_rpm_file: "net_flood-2.1.7.c201512-1.el7.x86_64.rpm" + sapp_rpm_file: "sapp-4.0.16.d229505-x86_64...rpm" + wire_graft_rpm_file: "wire-graft-1.0.3.162dae3-1.el7.x86_64.rpm" + + kafka: + brokers: "192.168.40.186:9092" + interval: 10 + topic_name: "ACTIVE-DEFENCE-EVENT-LOG" + + log: + device_id: "1" + + traffic_control: + enabled: 1 + redis_server_ip: "192.168.40.120" + redis_server_port: 7003 + redis_index: 6 diff --git a/xxg_env/hosts.xxg b/xxg_integration_env/hosts.xxg index fe3cc1d..58c7660 100644 --- a/xxg_env/hosts.xxg +++ b/xxg_integration_env/hosts.xxg @@ -1,6 +1,8 @@ [all:vars] ansible_user=root install_sapp=false +install_device_sn=false +install_device_tag=false [active_defence] 192.168.40.137 |
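Review bot: The Redis and Kafka endpoints in xxg_integration_env/group_vars/all.yml are described by address and port only (`redis_server_ip`, `redis_server_port`, `brokers: "192.168.40.186:9092"`), and the houyi templates touched by this commit render just those fields. As far as the visible lines show, the agents reach both services without credentials or TLS. If the deployment supports authentication, add the variables here and source their values from Ansible Vault rather than plain group_vars. If it relies on network isolation instead, a short comment above the `houyi:` and `kafka:` keys stating that assumption would help the next reviewer. `traffic_control.enabled: 1` also uses an integer where `sapp.install: false` uses a boolean; confirm the template expects the integer form.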
