[people/stevee/guardian.git] / modules / Parser.pm

package Guardian::Parser;
use strict;
use warnings;

use Exporter qw(import);

our @EXPORT_OK = qw(IsSupportedParser Parser);

# This hash contains all supported parsers and which function
# has to be called to parse messages in the right way.
my %logfile_parsers = (
	"httpd" => \&message_parser_httpd,
	"owncloud" => \&message_parser_owncloud,
	"snort" => \&message_parser_snort,
	"ssh" => \&message_parser_ssh,
);

#
## The "Init" (Parser) function.
#
## This function is responsible to initialize the Parser as a class based object.
## It has to be called once before any parsing of messages can be done.
#
sub Init (%) {
	my ( $class, %args ) = @_;
	my $self = \%args;

	# Use bless to make "$self" to an object of class "$class".
	bless($self, $class);

	# Return the class object.
	return $self;
}

#
## The "Update" Parser settings function.
#
## This object based function is called to update various class settings.
#
sub Update (\%) {
	my $self = shift;

	# Dereference the given hash-ref and store
	# the values into a new temporary hash.
	my %settings = %{ $_[0] };

	# Update snort priority level settings or disable it.
	if ((defined($self->{SnortPriorityLevel})) && (exists($settings{SnortPriorityLevel}))) {
			# Change settings.
			$self->{SnortPriorityLevel} = $settings{SnortPriorityLevel};
	} else {
		# Remove setting.
		delete $self->{SnortPriorityLevel};
	}

	# Return modified class object.
	return $self;
}

#
## The main parsing function.
#
## It is used to determine which sub-parser has to be used to
## parse the given message in the right way and to return if
## any action should be performed.
#
sub Parser ($$) {
	my $self = shift;
	my ($parser, @message) = @_;

	# If no responsible message parser could be found, just return nothing.
	unless (exists($logfile_parsers{$parser})) {
		return;
	}

	# Call responsible message parser.
	my @actions = $logfile_parsers{$parser}->($self, @message);

	# In case an action has been returned, return it too. 
	if (@actions) {
		# Return which actions should be performed.
		return @actions;
	}

	# Return undef, if no actions are required.
	return undef;
}

#
## IsSupportedParser function.
#
## This very tiny function checks if a given parser name is available and
## therefore a supported parser.
#
## To perform these check, the function is going to lookup if a key in the
## hash of supported parsers is available
#
sub IsSupportedParser ($) {
	my $parser = $_[0];

	# Check if a key for the given parser exists in the hash of logfile_parsers.
	if(exists($logfile_parsers{$parser})) {
		# Found a valid parser, so return nothing.
		return 1;
	}

	# Return "False" if we got here, and therefore no parser
	# is available.
	return;
}

#
## The Snort message parser.
#
## This subfunction is responsible for parsing sort alerts and determine if
## an action should be performed.
#
## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
## later time.
#
sub message_parser_snort(@) {
	my $self = shift;
	my @message = @_;
	my @actions;

	# Temporary array to store single alerts.
	my @alert;

	# The name of the parser module.
	my $name = "SNORT";

	# Default returned message in case no one could be grabbed
	# from the snort alert.
	my $message = "An active snort rule has matched and gained an alert.";

	# Snort uses a log buffer and a result of this, when detecting multiple
	# events at once, multiple alerts will be written at one time to the alert
	# file. They have to be seperated from each, to be able to parse them
	# individually.
	foreach my $line (@message) {
		# Remove any newlines.
		chomp($line);

		# A single alert contains multiple lines, push all of them
		# a temporary array.
		push(@alert, $line);

		# Each alert ends with an empty line, if one is found,
		# all lines of the current processed alert have been found
		# and pushed to the temporary array.
		if($line =~ /^\s*$/) {
			# Variable to store the grabbed IP-address.
			my $address;
			my $classification;

			# Loop through all lines of the current alert.
			foreach my $line (@alert) {
				# Determine if the alert has been classified.
				if ($line =~ /.*\[Classification: .*\] \[Priority: (\d+)\].*/) {
					my $priority = $1;

					# Set classification to true.
					$classification = "1";

					# Obtain configured priority level.
					my $priority_level = $self->{SnortPriorityLevel};

					# Skip alerts if the priority is to low.
					if ($priority < $priority_level) {
						last;
					}
				}

				# Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
				if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
					# Store the grabbed IP-address.
					$address = $1;
				}

				# Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
				elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
					# Store the obtained IP-address.
					$address = $1;
				}

				# Grab the reason from a msg field of the alert.
				if ($line =~ /.*msg:\"(.*)\".*/) {
					# Store the extracted message.
					$message = $1;
				}

				# If the reason could not be determined, try to obtain it from the headline of the alert.
				elsif ($line =~ /.*\] (.*) \[\*\*\]/) {
					# Store the extracted message.
					$message = $1;
				}
			}

			# Check if at least the IP-address information has been extracted.
			if ((defined ($classification)) && (defined ($address))) {
				# Add the extracted values and event message for the computed
				# event to the actions array.
				push(@actions, "count $address $name $message");
			}

			# The alert has been processed, clear the temporary array for storing
			# the next alert.
			@alert = ();
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return (@actions);
	}

	# If we got here, the alert could not be parsed correctly, or did not match any filter.
	# Therefore it can be skipped - return nothing.
	return;
}

#
## The SSH message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against the SSH service.
#
sub message_parser_ssh (@) {
	my $self = shift;
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "SSH";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# Check for failed password attempts.
		if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
			# Store the grabbed IP-address.
			$address = $2;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack for user: $1.";
		}

		# This should catch Bruteforce Attacks with enabled preauth
		elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
			# Store obtained IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack - failed preauth.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message for the computed
			# event to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return (@actions);
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

#
## The HTTPD message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against a running HTTPD service.
#
sub message_parser_httpd (@) {
	my $self = shift;
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "HTTPD";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# This will catch brute-force attacks against htaccess logins (username).
		if ($line =~ /.*\[client (.*)\] .* user(.*) not found:.*/) {
			# Store the grabbed IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible WUI brute-force attack, wrong user: $2.";
		}

		# Detect htaccess password brute-forcing against a username.
		elsif ($line =~ /.*\[client (.*)\] .* user(.*): authentication failure for.*/) {
			# Store the extracted IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible WUI brute-force attack, wrong password for user: $2.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Check if the address also contains a port value.
			if ($address =~ m/:/) {
				my ($add_address, $port) = split(/:/, $address);

				# Only process the address.
				$address = $add_address;
			}

			# Add the extracted values and event message to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return @actions;
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

#
## The Owncloud message parser.
#
## This subfunction is used for parsing and detecting brute-force login
## attempts against a local running owncloud instance.
#
sub message_parser_owncloud (@) {
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "Owncloud";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		 # This will catch brute-force attacks against the login (username).
		if ($line =~/.*\"Login failed: \'(.*)\' \(Remote IP: \'(.*)\'\,.*/) {
			# Store the grabbed user name.
			my $user = $1;

			# Store the grabbed IP-address.
			$address = $2;

			# Set event message.
			$message = "Possible brute-force attack, wrong password for user: $user.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return @actions;
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

1;
Commit	Line	Data
88d9af2c SS	1	package Guardian::Parser;
	2	use strict;
	3	use warnings;
	4
	5	use Exporter qw(import);
	6
cfe5a220	7	our @EXPORT_OK = qw(IsSupportedParser Parser);
88d9af2c	8
cfe5a220 SS	9	# This hash contains all supported parsers and which function
cfe5a220 SS	10	# has to be called to parse messages in the right way.
88d9af2c	11	my %logfile_parsers = (
55852ce7	12	"httpd" => \&message_parser_httpd,
7306aaf8	13	"owncloud" => \&message_parser_owncloud,
cfe5a220	14	"snort" => \&message_parser_snort,
0b1fe046	15	"ssh" => \&message_parser_ssh,
88d9af2c SS	16	);
88d9af2c SS	17
df8eb305 SS	18	#
	19	## The "Init" (Parser) function.
	20	#
	21	## This function is responsible to initialize the Parser as a class based object.
	22	## It has to be called once before any parsing of messages can be done.
	23	#
	24	sub Init (%) {
	25	my ( $class, %args ) = @_;
	26	my $self = \%args;
	27
	28	# Use bless to make "$self" to an object of class "$class".
	29	bless($self, $class);
	30
	31	# Return the class object.
	32	return $self;
	33	}
	34
	35	#
	36	## The "Update" Parser settings function.
	37	#
	38	## This object based function is called to update various class settings.
	39	#
	40	sub Update (\%) {
	41	my $self = shift;
	42
	43	# Dereference the given hash-ref and store
	44	# the values into a new temporary hash.
	45	my %settings = %{ $_[0] };
	46
	47	# Update snort priority level settings or disable it.
	48	if ((defined($self->{SnortPriorityLevel})) && (exists($settings{SnortPriorityLevel}))) {
	49	# Change settings.
	50	$self->{SnortPriorityLevel} = $settings{SnortPriorityLevel};
	51	} else {
	52	# Remove setting.
	53	delete $self->{SnortPriorityLevel};
	54	}
	55
	56	# Return modified class object.
	57	return $self;
	58	}
	59
88d9af2c SS	60	#
	61	## The main parsing function.
	62	#
	63	## It is used to determine which sub-parser has to be used to
	64	## parse the given message in the right way and to return if
	65	## any action should be performed.
	66	#
	67	sub Parser ($$) {
df8eb305 SS	68	my $self = shift;
df8eb305 SS	69	my ($parser, @message) = @_;
88d9af2c SS	70
88d9af2c SS	71	# If no responsible message parser could be found, just return nothing.
cfe5a220	72	unless (exists($logfile_parsers{$parser})) {
88d9af2c SS	73	return;
	74	}
	75
cfe5a220	76	# Call responsible message parser.
df8eb305	77	my @actions = $logfile_parsers{$parser}->($self, @message);
88d9af2c	78
8fba3c57	79	# In case an action has been returned, return it too.
43fdb161 SS	80	if (@actions) {
	81	# Return which actions should be performed.
	82	return @actions;
8fba3c57 SS	83	}
8fba3c57 SS	84
43fdb161	85	# Return undef, if no actions are required.
8fba3c57	86	return undef;
88d9af2c SS	87	}
88d9af2c SS	88
cfe5a220 SS	89	#
	90	## IsSupportedParser function.
	91	#
	92	## This very tiny function checks if a given parser name is available and
	93	## therefore a supported parser.
	94	#
	95	## To perform these check, the function is going to lookup if a key in the
	96	## hash of supported parsers is available
	97	#
	98	sub IsSupportedParser ($) {
	99	my $parser = $_[0];
	100
	101	# Check if a key for the given parser exists in the hash of logfile_parsers.
	102	if(exists($logfile_parsers{$parser})) {
	103	# Found a valid parser, so return nothing.
	104	return 1;
	105	}
	106
	107	# Return "False" if we got here, and therefore no parser
	108	# is available.
	109	return;
	110	}
	111
88d9af2c SS	112	#
	113	## The Snort message parser.
	114	#
	115	## This subfunction is responsible for parsing sort alerts and determine if
	116	## an action should be performed.
	117	#
53a02397 SS	118	## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
	119	## later time.
	120	#
	121	sub message_parser_snort(@) {
df8eb305	122	my $self = shift;
88d9af2c	123	my @message = @_;
8bc363c5 SS	124	my @actions;
	125
	126	# Temporary array to store single alerts.
	127	my @alert;
88d9af2c	128
53a02397 SS	129	# The name of the parser module.
	130	my $name = "SNORT";
	131
53a02397 SS	132	# Default returned message in case no one could be grabbed
	133	# from the snort alert.
	134	my $message = "An active snort rule has matched and gained an alert.";
	135
8bc363c5 SS	136	# Snort uses a log buffer and a result of this, when detecting multiple
	137	# events at once, multiple alerts will be written at one time to the alert
	138	# file. They have to be seperated from each, to be able to parse them
	139	# individually.
53a02397	140	foreach my $line (@message) {
8bc363c5 SS	141	# Remove any newlines.
	142	chomp($line);
	143
	144	# A single alert contains multiple lines, push all of them
	145	# a temporary array.
	146	push(@alert, $line);
	147
	148	# Each alert ends with an empty line, if one is found,
	149	# all lines of the current processed alert have been found
	150	# and pushed to the temporary array.
	151	if($line =~ /^\s*$/) {
	152	# Variable to store the grabbed IP-address.
	153	my $address;
df8eb305	154	my $classification;
8bc363c5 SS	155
	156	# Loop through all lines of the current alert.
	157	foreach my $line (@alert) {
df8eb305 SS	158	# Determine if the alert has been classified.
	159	if ($line =~ /.\[Classification: .\] \[Priority: (\d+)\].*/) {
	160	my $priority = $1;
	161
	162	# Set classification to true.
	163	$classification = "1";
	164
	165	# Obtain configured priority level.
	166	my $priority_level = $self->{SnortPriorityLevel};
	167
	168	# Skip alerts if the priority is to low.
	169	if ($priority < $priority_level) {
	170	last;
	171	}
	172	}
8bc363c5 SS	173
	174	# Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
	175	if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
	176	# Store the grabbed IP-address.
	177	$address = $1;
	178	}
	179
	180	# Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
	181	elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
	182	# Store the obtained IP-address.
	183	$address = $1;
	184	}
	185
df8eb305 SS	186	# Grab the reason from a msg field of the alert.
df8eb305 SS	187	if ($line =~ /.msg:\"(.)\".*/) {
8bc363c5 SS	188	# Store the extracted message.
	189	$message = $1;
	190	}
	191
df8eb305 SS	192	# If the reason could not be determined, try to obtain it from the headline of the alert.
df8eb305 SS	193	elsif ($line =~ /.\] (.) \[\\\]/) {
8bc363c5 SS	194	# Store the extracted message.
	195	$message = $1;
	196	}
	197	}
	198
	199	# Check if at least the IP-address information has been extracted.
df8eb305	200	if ((defined ($classification)) && (defined ($address))) {
8bc363c5 SS	201	# Add the extracted values and event message for the computed
	202	# event to the actions array.
	203	push(@actions, "count $address $name $message");
	204	}
	205
	206	# The alert has been processed, clear the temporary array for storing
	207	# the next alert.
	208	@alert = ();
53a02397 SS	209	}
	210	}
	211
8bc363c5 SS	212	# If any actions are required, return the array.
	213	if (@actions) {
	214	return (@actions);
53a02397 SS	215	}
53a02397 SS	216
8bc363c5 SS	217	# If we got here, the alert could not be parsed correctly, or did not match any filter.
8bc363c5 SS	218	# Therefore it can be skipped - return nothing.
53a02397	219	return;
88d9af2c SS	220	}
88d9af2c SS	221
0b1fe046 SS	222	#
	223	## The SSH message parser.
	224	#
	225	## This subfunction is used for parsing and detecting different attacks
	226	## against the SSH service.
	227	#
	228	sub message_parser_ssh (@) {
df8eb305	229	my $self = shift;
0b1fe046	230	my @message = @_;
43fdb161	231	my @actions;
0b1fe046 SS	232
	233	# The name of the parser module.
	234	my $name = "SSH";
	235
	236	# Variable to store the grabbed IP-address.
	237	my $address;
	238
	239	# Variable to store the parsed event.
	240	my $message;
	241
	242	# Loop through all lines, in case multiple one have
	243	# been passed.
	244	foreach my $line (@message) {
	245	# Check for failed password attempts.
	246	if ($line =~/.sshd.Failed password for (.) from (.) port.*/) {
	247	# Store the grabbed IP-address.
	248	$address = $2;
	249
	250	# Set event message.
	251	$message = "Possible SSH-Bruteforce Attack for user: $1.";
	252	}
	253
	254	# This should catch Bruteforce Attacks with enabled preauth
	255	elsif ($line =~ /.sshd.Received disconnect from (.):.\[preauth\]/) {
	256	# Store obtained IP-address.
	257	$address = $1;
	258
	259	# Set event message.
	260	$message = "Possible SSH-Bruteforce Attack - failed preauth.";
	261	}
43fdb161 SS	262
	263	# Check if at least the IP-address information has been extracted.
	264	if (defined ($address)) {
	265	# Add the extracted values and event message for the computed
	266	# event to the actions array.
	267	push(@actions, "count $address $name $message");
	268	}
0b1fe046 SS	269	}
0b1fe046 SS	270
43fdb161 SS	271	# If any actions are required, return the array.
	272	if (@actions) {
	273	return (@actions);
0b1fe046 SS	274	}
	275
	276	# If we got here, the provided message is not affected by any filter and
	277	# therefore can be skipped. Return nothing (False) in this case.
	278	return;
	279	}
	280
55852ce7 SS	281	#
	282	## The HTTPD message parser.
	283	#
	284	## This subfunction is used for parsing and detecting different attacks
	285	## against a running HTTPD service.
	286	#
	287	sub message_parser_httpd (@) {
df8eb305	288	my $self = shift;
55852ce7	289	my @message = @_;
43fdb161	290	my @actions;
55852ce7 SS	291
	292	# The name of the parser module.
	293	my $name = "HTTPD";
	294
	295	# Variable to store the grabbed IP-address.
	296	my $address;
	297
	298	# Variable to store the parsed event.
	299	my $message;
	300
	301	# Loop through all lines, in case multiple one have
	302	# been passed.
	303	foreach my $line (@message) {
	304	# This will catch brute-force attacks against htaccess logins (username).
5028c7fd	305	if ($line =~ /.\[client (.)\] .* user(.) not found:./) {
55852ce7 SS	306	# Store the grabbed IP-address.
	307	$address = $1;
	308
	309	# Set event message.
	310	$message = "Possible WUI brute-force attack, wrong user: $2.";
	311	}
	312
	313	# Detect htaccess password brute-forcing against a username.
5028c7fd	314	elsif ($line =~ /.\[client (.)\] .* user(.): authentication failure for./) {
55852ce7 SS	315	# Store the extracted IP-address.
	316	$address = $1;
	317
	318	# Set event message.
	319	$message = "Possible WUI brute-force attack, wrong password for user: $2.";
	320	}
43fdb161 SS	321
	322	# Check if at least the IP-address information has been extracted.
	323	if (defined ($address)) {
5028c7fd SS	324	# Check if the address also contains a port value.
	325	if ($address =~ m/:/) {
	326	my ($add_address, $port) = split(/:/, $address);
	327
	328	# Only process the address.
	329	$address = $add_address;
	330	}
	331
43fdb161 SS	332	# Add the extracted values and event message to the actions array.
	333	push(@actions, "count $address $name $message");
	334	}
55852ce7 SS	335	}
55852ce7 SS	336
43fdb161 SS	337	# If any actions are required, return the array.
	338	if (@actions) {
	339	return @actions;
55852ce7 SS	340	}
	341
	342	# If we got here, the provided message is not affected by any filter and
	343	# therefore can be skipped. Return nothing (False) in this case.
	344	return;
	345	}
	346
7306aaf8 SS	347	#
	348	## The Owncloud message parser.
	349	#
	350	## This subfunction is used for parsing and detecting brute-force login
	351	## attempts against a local running owncloud instance.
	352	#
	353	sub message_parser_owncloud (@) {
	354	my @message = @_;
	355	my @actions;
	356
	357	# The name of the parser module.
	358	my $name = "Owncloud";
	359
	360	# Variable to store the grabbed IP-address.
	361	my $address;
	362
	363	# Variable to store the parsed event.
	364	my $message;
	365
	366	# Loop through all lines, in case multiple one have
	367	# been passed.
	368	foreach my $line (@message) {
	369	# This will catch brute-force attacks against the login (username).
	370	if ($line =~/.\"Login failed: \'(.)\' \(Remote IP: \'(.)\'\,./) {
	371	# Store the grabbed user name.
	372	my $user = $1;
	373
	374	# Store the grabbed IP-address.
	375	$address = $2;
	376
	377	# Set event message.
	378	$message = "Possible brute-force attack, wrong password for user: $user.";
	379	}
	380
	381	# Check if at least the IP-address information has been extracted.
	382	if (defined ($address)) {
	383	# Add the extracted values and event message to the actions array.
	384	push(@actions, "count $address $name $message");
	385	}
	386	}
	387
	388	# If any actions are required, return the array.
	389	if (@actions) {
	390	return @actions;
	391	}
	392
	393	# If we got here, the provided message is not affected by any filter and
	394	# therefore can be skipped. Return nothing (False) in this case.
	395	return;
	396	}
	397
88d9af2c	398	1;