[people/stevee/guardian.git] / modules / Parser.pm

package Guardian::Parser;
use strict;
use warnings;

use Exporter qw(import);

our @EXPORT_OK = qw(IsSupportedParser Parser);

# This hash contains all supported parsers and which function
# has to be called to parse messages in the right way.
my %logfile_parsers = (
	"httpd" => \&message_parser_httpd,
	"snort" => \&message_parser_snort,
	"ssh" => \&message_parser_ssh,
);

#
## The main parsing function.
#
## It is used to determine which sub-parser has to be used to
## parse the given message in the right way and to return if
## any action should be performed.
#
sub Parser ($$) {
        my ($parser, @message) = @_;

	# If no responsible message parser could be found, just return nothing.
	unless (exists($logfile_parsers{$parser})) {
		return;
	}

	# Call responsible message parser.
	my @actions = $logfile_parsers{$parser}->(@message);

	# In case an action has been returned, return it too. 
	if (@actions) {
		# Return which actions should be performed.
		return @actions;
	}

	# Return undef, if no actions are required.
	return undef;
}

#
## IsSupportedParser function.
#
## This very tiny function checks if a given parser name is available and
## therefore a supported parser.
#
## To perform these check, the function is going to lookup if a key in the
## hash of supported parsers is available
#
sub IsSupportedParser ($) {
	my $parser = $_[0];

	# Check if a key for the given parser exists in the hash of logfile_parsers.
	if(exists($logfile_parsers{$parser})) {
		# Found a valid parser, so return nothing.
		return 1;
	}

	# Return "False" if we got here, and therefore no parser
	# is available.
	return;
}

#
## The Snort message parser.
#
## This subfunction is responsible for parsing sort alerts and determine if
## an action should be performed.
#
## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
## later time.
#
sub message_parser_snort(@) {
	my @message = @_;

	# The name of the parser module.
	my $name = "SNORT";

	# Variable to store the grabbed IP-address.
	my $address;

	# Default returned message in case no one could be grabbed
	# from the snort alert.
	my $message = "An active snort rule has matched and gained an alert.";

	# A snort alert contains multiple lines, loop through all lines
	# to parse the complete alert.
	foreach my $line (@message) {
		# Check Priority Level and skip the alert if it is to low.
		#if ($line =~ /.*\[Priority: (\d+)\].*/) {
		#	return unless($1 < $priority);
		#}

		# Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
		if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
			# Store the grabbed IP-address.
			$address = $1;
		}

		# Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
		elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
			# Store the obtained IP-address.
			$address = $1;
		}

		# Obtain the reported reason.
		if ($line =~ /.*msg:\"(.*)\".*/) {
			# Store the extracted message.
			$message = $1;
		}
	}

	# Check if at least the IP-address information are obtained from the
	# provided alert.
	if ($address) {
		# Return the extracted values.
		return "$address $name $message";
	}

	# If we got here, the alert could not be parsed correctly, return nothing.
	return;
}

#
## The SSH message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against the SSH service.
#
sub message_parser_ssh (@) {
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "SSH";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# Check for failed password attempts.
		if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
			# Store the grabbed IP-address.
			$address = $2;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack for user: $1.";
		}

		# This should catch Bruteforce Attacks with enabled preauth
		elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
			# Store obtained IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack - failed preauth.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message for the computed
			# event to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return (@actions);
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

#
## The HTTPD message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against a running HTTPD service.
#
sub message_parser_httpd (@) {
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "HTTPD";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# This will catch brute-force attacks against htaccess logins (username).
		if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
			# Store the grabbed IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible WUI brute-force attack, wrong user: $2.";
		}

		# Detect htaccess password brute-forcing against a username.
		elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
			# Store the extracted IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible WUI brute-force attack, wrong password for user: $2.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return @actions;
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

1;
Commit	Line	Data
88d9af2c SS	1	package Guardian::Parser;
	2	use strict;
	3	use warnings;
	4
	5	use Exporter qw(import);
	6
cfe5a220	7	our @EXPORT_OK = qw(IsSupportedParser Parser);
88d9af2c	8
cfe5a220 SS	9	# This hash contains all supported parsers and which function
cfe5a220 SS	10	# has to be called to parse messages in the right way.
88d9af2c	11	my %logfile_parsers = (
55852ce7	12	"httpd" => \&message_parser_httpd,
cfe5a220	13	"snort" => \&message_parser_snort,
0b1fe046	14	"ssh" => \&message_parser_ssh,
88d9af2c SS	15	);
	16
	17	#
	18	## The main parsing function.
	19	#
	20	## It is used to determine which sub-parser has to be used to
	21	## parse the given message in the right way and to return if
	22	## any action should be performed.
	23	#
	24	sub Parser ($$) {
cfe5a220	25	my ($parser, @message) = @_;
88d9af2c SS	26
88d9af2c SS	27	# If no responsible message parser could be found, just return nothing.
cfe5a220	28	unless (exists($logfile_parsers{$parser})) {
88d9af2c SS	29	return;
	30	}
	31
cfe5a220	32	# Call responsible message parser.
43fdb161	33	my @actions = $logfile_parsers{$parser}->(@message);
88d9af2c	34
8fba3c57	35	# In case an action has been returned, return it too.
43fdb161 SS	36	if (@actions) {
	37	# Return which actions should be performed.
	38	return @actions;
8fba3c57 SS	39	}
8fba3c57 SS	40
43fdb161	41	# Return undef, if no actions are required.
8fba3c57	42	return undef;
88d9af2c SS	43	}
88d9af2c SS	44
cfe5a220 SS	45	#
	46	## IsSupportedParser function.
	47	#
	48	## This very tiny function checks if a given parser name is available and
	49	## therefore a supported parser.
	50	#
	51	## To perform these check, the function is going to lookup if a key in the
	52	## hash of supported parsers is available
	53	#
	54	sub IsSupportedParser ($) {
	55	my $parser = $_[0];
	56
	57	# Check if a key for the given parser exists in the hash of logfile_parsers.
	58	if(exists($logfile_parsers{$parser})) {
	59	# Found a valid parser, so return nothing.
	60	return 1;
	61	}
	62
	63	# Return "False" if we got here, and therefore no parser
	64	# is available.
	65	return;
	66	}
	67
88d9af2c SS	68	#
	69	## The Snort message parser.
	70	#
	71	## This subfunction is responsible for parsing sort alerts and determine if
	72	## an action should be performed.
	73	#
53a02397 SS	74	## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
	75	## later time.
	76	#
	77	sub message_parser_snort(@) {
88d9af2c SS	78	my @message = @_;
88d9af2c SS	79
53a02397 SS	80	# The name of the parser module.
	81	my $name = "SNORT";
	82
	83	# Variable to store the grabbed IP-address.
	84	my $address;
	85
	86	# Default returned message in case no one could be grabbed
	87	# from the snort alert.
	88	my $message = "An active snort rule has matched and gained an alert.";
	89
	90	# A snort alert contains multiple lines, loop through all lines
	91	# to parse the complete alert.
	92	foreach my $line (@message) {
	93	# Check Priority Level and skip the alert if it is to low.
	94	#if ($line =~ /.\[Priority: (\d+)\]./) {
	95	# return unless($1 < $priority);
	96	#}
	97
	98	# Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
	99	if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
	100	# Store the grabbed IP-address.
	101	$address = $1;
	102	}
	103
	104	# Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
	105	elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
	106	# Store the obtained IP-address.
	107	$address = $1;
	108	}
	109
	110	# Obtain the reported reason.
	111	if ($line =~ /.msg:\"(.)\".*/) {
	112	# Store the extracted message.
	113	$message = $1;
	114	}
	115	}
	116
	117	# Check if at least the IP-address information are obtained from the
	118	# provided alert.
	119	if ($address) {
	120	# Return the extracted values.
	121	return "$address $name $message";
	122	}
	123
	124	# If we got here, the alert could not be parsed correctly, return nothing.
	125	return;
88d9af2c SS	126	}
88d9af2c SS	127
0b1fe046 SS	128	#
	129	## The SSH message parser.
	130	#
	131	## This subfunction is used for parsing and detecting different attacks
	132	## against the SSH service.
	133	#
	134	sub message_parser_ssh (@) {
	135	my @message = @_;
43fdb161	136	my @actions;
0b1fe046 SS	137
	138	# The name of the parser module.
	139	my $name = "SSH";
	140
	141	# Variable to store the grabbed IP-address.
	142	my $address;
	143
	144	# Variable to store the parsed event.
	145	my $message;
	146
	147	# Loop through all lines, in case multiple one have
	148	# been passed.
	149	foreach my $line (@message) {
	150	# Check for failed password attempts.
	151	if ($line =~/.sshd.Failed password for (.) from (.) port.*/) {
	152	# Store the grabbed IP-address.
	153	$address = $2;
	154
	155	# Set event message.
	156	$message = "Possible SSH-Bruteforce Attack for user: $1.";
	157	}
	158
	159	# This should catch Bruteforce Attacks with enabled preauth
	160	elsif ($line =~ /.sshd.Received disconnect from (.):.\[preauth\]/) {
	161	# Store obtained IP-address.
	162	$address = $1;
	163
	164	# Set event message.
	165	$message = "Possible SSH-Bruteforce Attack - failed preauth.";
	166	}
43fdb161 SS	167
	168	# Check if at least the IP-address information has been extracted.
	169	if (defined ($address)) {
	170	# Add the extracted values and event message for the computed
	171	# event to the actions array.
	172	push(@actions, "count $address $name $message");
	173	}
0b1fe046 SS	174	}
0b1fe046 SS	175
43fdb161 SS	176	# If any actions are required, return the array.
	177	if (@actions) {
	178	return (@actions);
0b1fe046 SS	179	}
	180
	181	# If we got here, the provided message is not affected by any filter and
	182	# therefore can be skipped. Return nothing (False) in this case.
	183	return;
	184	}
	185
55852ce7 SS	186	#
	187	## The HTTPD message parser.
	188	#
	189	## This subfunction is used for parsing and detecting different attacks
	190	## against a running HTTPD service.
	191	#
	192	sub message_parser_httpd (@) {
	193	my @message = @_;
43fdb161	194	my @actions;
55852ce7 SS	195
	196	# The name of the parser module.
	197	my $name = "HTTPD";
	198
	199	# Variable to store the grabbed IP-address.
	200	my $address;
	201
	202	# Variable to store the parsed event.
	203	my $message;
	204
	205	# Loop through all lines, in case multiple one have
	206	# been passed.
	207	foreach my $line (@message) {
	208	# This will catch brute-force attacks against htaccess logins (username).
	209	if ($line =~ /.\[error\] \[client (.)\] user(.) not found:./) {
	210	# Store the grabbed IP-address.
	211	$address = $1;
	212
	213	# Set event message.
	214	$message = "Possible WUI brute-force attack, wrong user: $2.";
	215	}
	216
	217	# Detect htaccess password brute-forcing against a username.
	218	elsif ($line =~ /.\[error\] \[client (.)\] user(.): authentication failure for./) {
	219	# Store the extracted IP-address.
	220	$address = $1;
	221
	222	# Set event message.
	223	$message = "Possible WUI brute-force attack, wrong password for user: $2.";
	224	}
43fdb161 SS	225
	226	# Check if at least the IP-address information has been extracted.
	227	if (defined ($address)) {
	228	# Add the extracted values and event message to the actions array.
	229	push(@actions, "count $address $name $message");
	230	}
55852ce7 SS	231	}
55852ce7 SS	232
43fdb161 SS	233	# If any actions are required, return the array.
	234	if (@actions) {
	235	return @actions;
55852ce7 SS	236	}
	237
	238	# If we got here, the provided message is not affected by any filter and
	239	# therefore can be skipped. Return nothing (False) in this case.
	240	return;
	241	}
	242
88d9af2c	243	1;