[people/stevee/guardian.git] / modules / Parser.pm

package Guardian::Parser;
use strict;
use warnings;

use Exporter qw(import);

our @EXPORT_OK = qw(IsSupportedParser Parser);

# This hash contains all supported parsers and which function
# has to be called to parse messages in the right way.
my %logfile_parsers = (
	"httpd" => \&message_parser_httpd,
	"snort" => \&message_parser_snort,
	"ssh" => \&message_parser_ssh,
);

#
## The main parsing function.
#
## It is used to determine which sub-parser has to be used to
## parse the given message in the right way and to return if
## any action should be performed.
#
sub Parser ($$) {
        my ($parser, @message) = @_;

	# If no responsible message parser could be found, just return nothing.
	unless (exists($logfile_parsers{$parser})) {
		return;
	}

	# Call responsible message parser.
	my @actions = $logfile_parsers{$parser}->(@message);

	# In case an action has been returned, return it too. 
	if (@actions) {
		# Return which actions should be performed.
		return @actions;
	}

	# Return undef, if no actions are required.
	return undef;
}

#
## IsSupportedParser function.
#
## This very tiny function checks if a given parser name is available and
## therefore a supported parser.
#
## To perform these check, the function is going to lookup if a key in the
## hash of supported parsers is available
#
sub IsSupportedParser ($) {
	my $parser = $_[0];

	# Check if a key for the given parser exists in the hash of logfile_parsers.
	if(exists($logfile_parsers{$parser})) {
		# Found a valid parser, so return nothing.
		return 1;
	}

	# Return "False" if we got here, and therefore no parser
	# is available.
	return;
}

#
## The Snort message parser.
#
## This subfunction is responsible for parsing sort alerts and determine if
## an action should be performed.
#
## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
## later time.
#
sub message_parser_snort(@) {
	my @message = @_;
	my @actions;

	# Temporary array to store single alerts.
	my @alert;

	# The name of the parser module.
	my $name = "SNORT";

	# Default returned message in case no one could be grabbed
	# from the snort alert.
	my $message = "An active snort rule has matched and gained an alert.";

	# Snort uses a log buffer and a result of this, when detecting multiple
	# events at once, multiple alerts will be written at one time to the alert
	# file. They have to be seperated from each, to be able to parse them
	# individually.
	foreach my $line (@message) {
		# Remove any newlines.
		chomp($line);

		# A single alert contains multiple lines, push all of them
		# a temporary array.
		push(@alert, $line);

		# Each alert ends with an empty line, if one is found,
		# all lines of the current processed alert have been found
		# and pushed to the temporary array.
		if($line =~ /^\s*$/) {
			# Variable to store the grabbed IP-address.
			my $address;

			# Loop through all lines of the current alert.
			foreach my $line (@alert) {
				# Check Priority Level and skip the alert if it is to low.
				#if ($line =~ /.*\[Priority: (\d+)\].*/) {
				#	return unless($1 < $priority);
				#}

				# Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
				if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
					# Store the grabbed IP-address.
					$address = $1;
				}

				# Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
				elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
					# Store the obtained IP-address.
					$address = $1;
				}

				# Obtain the reported reason from the headline of the alert.
				if ($line =~ /.*\] (.*) \[\*\*\]/) {
					# Store the extracted message.
					$message = $1;
				}

				# If the reason could not be determined, try to obtain it from a msg field.
				elsif ($line =~ /.*msg:\"(.*)\".*/) {
					# Store the extracted message.
					$message = $1;
				}
			}

			# Check if at least the IP-address information has been extracted.
			if (defined ($address)) {
				# Add the extracted values and event message for the computed
				# event to the actions array.
				push(@actions, "count $address $name $message");
			}

			# The alert has been processed, clear the temporary array for storing
			# the next alert.
			@alert = ();
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return (@actions);
	}

	# If we got here, the alert could not be parsed correctly, or did not match any filter.
	# Therefore it can be skipped - return nothing.
	return;
}

#
## The SSH message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against the SSH service.
#
sub message_parser_ssh (@) {
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "SSH";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# Check for failed password attempts.
		if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
			# Store the grabbed IP-address.
			$address = $2;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack for user: $1.";
		}

		# This should catch Bruteforce Attacks with enabled preauth
		elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
			# Store obtained IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack - failed preauth.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message for the computed
			# event to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return (@actions);
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

#
## The HTTPD message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against a running HTTPD service.
#
sub message_parser_httpd (@) {
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "HTTPD";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# This will catch brute-force attacks against htaccess logins (username).
		if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
			# Store the grabbed IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible WUI brute-force attack, wrong user: $2.";
		}

		# Detect htaccess password brute-forcing against a username.
		elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
			# Store the extracted IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible WUI brute-force attack, wrong password for user: $2.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return @actions;
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

1;
Commit	Line	Data
88d9af2c SS	1	package Guardian::Parser;
	2	use strict;
	3	use warnings;
	4
	5	use Exporter qw(import);
	6
cfe5a220	7	our @EXPORT_OK = qw(IsSupportedParser Parser);
88d9af2c	8
cfe5a220 SS	9	# This hash contains all supported parsers and which function
cfe5a220 SS	10	# has to be called to parse messages in the right way.
88d9af2c	11	my %logfile_parsers = (
55852ce7	12	"httpd" => \&message_parser_httpd,
cfe5a220	13	"snort" => \&message_parser_snort,
0b1fe046	14	"ssh" => \&message_parser_ssh,
88d9af2c SS	15	);
	16
	17	#
	18	## The main parsing function.
	19	#
	20	## It is used to determine which sub-parser has to be used to
	21	## parse the given message in the right way and to return if
	22	## any action should be performed.
	23	#
	24	sub Parser ($$) {
cfe5a220	25	my ($parser, @message) = @_;
88d9af2c SS	26
88d9af2c SS	27	# If no responsible message parser could be found, just return nothing.
cfe5a220	28	unless (exists($logfile_parsers{$parser})) {
88d9af2c SS	29	return;
	30	}
	31
cfe5a220	32	# Call responsible message parser.
43fdb161	33	my @actions = $logfile_parsers{$parser}->(@message);
88d9af2c	34
8fba3c57	35	# In case an action has been returned, return it too.
43fdb161 SS	36	if (@actions) {
	37	# Return which actions should be performed.
	38	return @actions;
8fba3c57 SS	39	}
8fba3c57 SS	40
43fdb161	41	# Return undef, if no actions are required.
8fba3c57	42	return undef;
88d9af2c SS	43	}
88d9af2c SS	44
cfe5a220 SS	45	#
	46	## IsSupportedParser function.
	47	#
	48	## This very tiny function checks if a given parser name is available and
	49	## therefore a supported parser.
	50	#
	51	## To perform these check, the function is going to lookup if a key in the
	52	## hash of supported parsers is available
	53	#
	54	sub IsSupportedParser ($) {
	55	my $parser = $_[0];
	56
	57	# Check if a key for the given parser exists in the hash of logfile_parsers.
	58	if(exists($logfile_parsers{$parser})) {
	59	# Found a valid parser, so return nothing.
	60	return 1;
	61	}
	62
	63	# Return "False" if we got here, and therefore no parser
	64	# is available.
	65	return;
	66	}
	67
88d9af2c SS	68	#
	69	## The Snort message parser.
	70	#
	71	## This subfunction is responsible for parsing sort alerts and determine if
	72	## an action should be performed.
	73	#
53a02397 SS	74	## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
	75	## later time.
	76	#
	77	sub message_parser_snort(@) {
88d9af2c	78	my @message = @_;
8bc363c5 SS	79	my @actions;
	80
	81	# Temporary array to store single alerts.
	82	my @alert;
88d9af2c	83
53a02397 SS	84	# The name of the parser module.
	85	my $name = "SNORT";
	86
53a02397 SS	87	# Default returned message in case no one could be grabbed
	88	# from the snort alert.
	89	my $message = "An active snort rule has matched and gained an alert.";
	90
8bc363c5 SS	91	# Snort uses a log buffer and a result of this, when detecting multiple
	92	# events at once, multiple alerts will be written at one time to the alert
	93	# file. They have to be seperated from each, to be able to parse them
	94	# individually.
53a02397	95	foreach my $line (@message) {
8bc363c5 SS	96	# Remove any newlines.
	97	chomp($line);
	98
	99	# A single alert contains multiple lines, push all of them
	100	# a temporary array.
	101	push(@alert, $line);
	102
	103	# Each alert ends with an empty line, if one is found,
	104	# all lines of the current processed alert have been found
	105	# and pushed to the temporary array.
	106	if($line =~ /^\s*$/) {
	107	# Variable to store the grabbed IP-address.
	108	my $address;
	109
	110	# Loop through all lines of the current alert.
	111	foreach my $line (@alert) {
	112	# Check Priority Level and skip the alert if it is to low.
	113	#if ($line =~ /.\[Priority: (\d+)\]./) {
	114	# return unless($1 < $priority);
	115	#}
	116
	117	# Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
	118	if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
	119	# Store the grabbed IP-address.
	120	$address = $1;
	121	}
	122
	123	# Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
	124	elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
	125	# Store the obtained IP-address.
	126	$address = $1;
	127	}
	128
	129	# Obtain the reported reason from the headline of the alert.
	130	if ($line =~ /.\] (.) \[\\\]/) {
	131	# Store the extracted message.
	132	$message = $1;
	133	}
	134
	135	# If the reason could not be determined, try to obtain it from a msg field.
	136	elsif ($line =~ /.msg:\"(.)\".*/) {
	137	# Store the extracted message.
	138	$message = $1;
	139	}
	140	}
	141
	142	# Check if at least the IP-address information has been extracted.
	143	if (defined ($address)) {
	144	# Add the extracted values and event message for the computed
	145	# event to the actions array.
	146	push(@actions, "count $address $name $message");
	147	}
	148
	149	# The alert has been processed, clear the temporary array for storing
	150	# the next alert.
	151	@alert = ();
53a02397 SS	152	}
	153	}
	154
8bc363c5 SS	155	# If any actions are required, return the array.
	156	if (@actions) {
	157	return (@actions);
53a02397 SS	158	}
53a02397 SS	159
8bc363c5 SS	160	# If we got here, the alert could not be parsed correctly, or did not match any filter.
8bc363c5 SS	161	# Therefore it can be skipped - return nothing.
53a02397	162	return;
88d9af2c SS	163	}
88d9af2c SS	164
0b1fe046 SS	165	#
	166	## The SSH message parser.
	167	#
	168	## This subfunction is used for parsing and detecting different attacks
	169	## against the SSH service.
	170	#
	171	sub message_parser_ssh (@) {
	172	my @message = @_;
43fdb161	173	my @actions;
0b1fe046 SS	174
	175	# The name of the parser module.
	176	my $name = "SSH";
	177
	178	# Variable to store the grabbed IP-address.
	179	my $address;
	180
	181	# Variable to store the parsed event.
	182	my $message;
	183
	184	# Loop through all lines, in case multiple one have
	185	# been passed.
	186	foreach my $line (@message) {
	187	# Check for failed password attempts.
	188	if ($line =~/.sshd.Failed password for (.) from (.) port.*/) {
	189	# Store the grabbed IP-address.
	190	$address = $2;
	191
	192	# Set event message.
	193	$message = "Possible SSH-Bruteforce Attack for user: $1.";
	194	}
	195
	196	# This should catch Bruteforce Attacks with enabled preauth
	197	elsif ($line =~ /.sshd.Received disconnect from (.):.\[preauth\]/) {
	198	# Store obtained IP-address.
	199	$address = $1;
	200
	201	# Set event message.
	202	$message = "Possible SSH-Bruteforce Attack - failed preauth.";
	203	}
43fdb161 SS	204
	205	# Check if at least the IP-address information has been extracted.
	206	if (defined ($address)) {
	207	# Add the extracted values and event message for the computed
	208	# event to the actions array.
	209	push(@actions, "count $address $name $message");
	210	}
0b1fe046 SS	211	}
0b1fe046 SS	212
43fdb161 SS	213	# If any actions are required, return the array.
	214	if (@actions) {
	215	return (@actions);
0b1fe046 SS	216	}
	217
	218	# If we got here, the provided message is not affected by any filter and
	219	# therefore can be skipped. Return nothing (False) in this case.
	220	return;
	221	}
	222
55852ce7 SS	223	#
	224	## The HTTPD message parser.
	225	#
	226	## This subfunction is used for parsing and detecting different attacks
	227	## against a running HTTPD service.
	228	#
	229	sub message_parser_httpd (@) {
	230	my @message = @_;
43fdb161	231	my @actions;
55852ce7 SS	232
	233	# The name of the parser module.
	234	my $name = "HTTPD";
	235
	236	# Variable to store the grabbed IP-address.
	237	my $address;
	238
	239	# Variable to store the parsed event.
	240	my $message;
	241
	242	# Loop through all lines, in case multiple one have
	243	# been passed.
	244	foreach my $line (@message) {
	245	# This will catch brute-force attacks against htaccess logins (username).
	246	if ($line =~ /.\[error\] \[client (.)\] user(.) not found:./) {
	247	# Store the grabbed IP-address.
	248	$address = $1;
	249
	250	# Set event message.
	251	$message = "Possible WUI brute-force attack, wrong user: $2.";
	252	}
	253
	254	# Detect htaccess password brute-forcing against a username.
	255	elsif ($line =~ /.\[error\] \[client (.)\] user(.): authentication failure for./) {
	256	# Store the extracted IP-address.
	257	$address = $1;
	258
	259	# Set event message.
	260	$message = "Possible WUI brute-force attack, wrong password for user: $2.";
	261	}
43fdb161 SS	262
	263	# Check if at least the IP-address information has been extracted.
	264	if (defined ($address)) {
	265	# Add the extracted values and event message to the actions array.
	266	push(@actions, "count $address $name $message");
	267	}
55852ce7 SS	268	}
55852ce7 SS	269
43fdb161 SS	270	# If any actions are required, return the array.
	271	if (@actions) {
	272	return @actions;
55852ce7 SS	273	}
	274
	275	# If we got here, the provided message is not affected by any filter and
	276	# therefore can be skipped. Return nothing (False) in this case.
	277	return;
	278	}
	279
88d9af2c	280	1;