]>
Commit | Line | Data |
---|---|---|
1 | package Guardian::Parser; | |
2 | use strict; | |
3 | use warnings; | |
4 | ||
5 | use Exporter qw(import); | |
6 | ||
7 | our @EXPORT_OK = qw(IsSupportedParser Parser); | |
8 | ||
9 | # This hash contains all supported parsers and which function | |
10 | # has to be called to parse messages in the right way. | |
11 | my %logfile_parsers = ( | |
12 | "httpd" => \&message_parser_httpd, | |
13 | "snort" => \&message_parser_snort, | |
14 | "ssh" => \&message_parser_ssh, | |
15 | ); | |
16 | ||
17 | # | |
18 | ## The main parsing function. | |
19 | # | |
20 | ## It is used to determine which sub-parser has to be used to | |
21 | ## parse the given message in the right way and to return if | |
22 | ## any action should be performed. | |
23 | # | |
24 | sub Parser ($$) { | |
25 | my ($parser, @message) = @_; | |
26 | ||
27 | # If no responsible message parser could be found, just return nothing. | |
28 | unless (exists($logfile_parsers{$parser})) { | |
29 | return; | |
30 | } | |
31 | ||
32 | # Call responsible message parser. | |
33 | my @actions = $logfile_parsers{$parser}->(@message); | |
34 | ||
35 | # In case an action has been returned, return it too. | |
36 | if (@actions) { | |
37 | # Return which actions should be performed. | |
38 | return @actions; | |
39 | } | |
40 | ||
41 | # Return undef, if no actions are required. | |
42 | return undef; | |
43 | } | |
44 | ||
45 | # | |
46 | ## IsSupportedParser function. | |
47 | # | |
48 | ## This very tiny function checks if a given parser name is available and | |
49 | ## therefore a supported parser. | |
50 | # | |
51 | ## To perform these check, the function is going to lookup if a key in the | |
52 | ## hash of supported parsers is available | |
53 | # | |
54 | sub IsSupportedParser ($) { | |
55 | my $parser = $_[0]; | |
56 | ||
57 | # Check if a key for the given parser exists in the hash of logfile_parsers. | |
58 | if(exists($logfile_parsers{$parser})) { | |
59 | # Found a valid parser, so return nothing. | |
60 | return 1; | |
61 | } | |
62 | ||
63 | # Return "False" if we got here, and therefore no parser | |
64 | # is available. | |
65 | return; | |
66 | } | |
67 | ||
68 | # | |
69 | ## The Snort message parser. | |
70 | # | |
71 | ## This subfunction is responsible for parsing sort alerts and determine if | |
72 | ## an action should be performed. | |
73 | # | |
74 | ## XXX Currently the parser only supports IPv4. Add support for IPv6 at a | |
75 | ## later time. | |
76 | # | |
77 | sub message_parser_snort(@) { | |
78 | my @message = @_; | |
79 | my @actions; | |
80 | ||
81 | # Temporary array to store single alerts. | |
82 | my @alert; | |
83 | ||
84 | # The name of the parser module. | |
85 | my $name = "SNORT"; | |
86 | ||
87 | # Default returned message in case no one could be grabbed | |
88 | # from the snort alert. | |
89 | my $message = "An active snort rule has matched and gained an alert."; | |
90 | ||
91 | # Snort uses a log buffer and a result of this, when detecting multiple | |
92 | # events at once, multiple alerts will be written at one time to the alert | |
93 | # file. They have to be seperated from each, to be able to parse them | |
94 | # individually. | |
95 | foreach my $line (@message) { | |
96 | # Remove any newlines. | |
97 | chomp($line); | |
98 | ||
99 | # A single alert contains multiple lines, push all of them | |
100 | # a temporary array. | |
101 | push(@alert, $line); | |
102 | ||
103 | # Each alert ends with an empty line, if one is found, | |
104 | # all lines of the current processed alert have been found | |
105 | # and pushed to the temporary array. | |
106 | if($line =~ /^\s*$/) { | |
107 | # Variable to store the grabbed IP-address. | |
108 | my $address; | |
109 | ||
110 | # Loop through all lines of the current alert. | |
111 | foreach my $line (@alert) { | |
112 | # Check Priority Level and skip the alert if it is to low. | |
113 | #if ($line =~ /.*\[Priority: (\d+)\].*/) { | |
114 | # return unless($1 < $priority); | |
115 | #} | |
116 | ||
117 | # Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx | |
118 | if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) { | |
119 | # Store the grabbed IP-address. | |
120 | $address = $1; | |
121 | } | |
122 | ||
123 | # Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx | |
124 | elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) { | |
125 | # Store the obtained IP-address. | |
126 | $address = $1; | |
127 | } | |
128 | ||
129 | # Obtain the reported reason from the headline of the alert. | |
130 | if ($line =~ /.*\] (.*) \[\*\*\]/) { | |
131 | # Store the extracted message. | |
132 | $message = $1; | |
133 | } | |
134 | ||
135 | # If the reason could not be determined, try to obtain it from a msg field. | |
136 | elsif ($line =~ /.*msg:\"(.*)\".*/) { | |
137 | # Store the extracted message. | |
138 | $message = $1; | |
139 | } | |
140 | } | |
141 | ||
142 | # Check if at least the IP-address information has been extracted. | |
143 | if (defined ($address)) { | |
144 | # Add the extracted values and event message for the computed | |
145 | # event to the actions array. | |
146 | push(@actions, "count $address $name $message"); | |
147 | } | |
148 | ||
149 | # The alert has been processed, clear the temporary array for storing | |
150 | # the next alert. | |
151 | @alert = (); | |
152 | } | |
153 | } | |
154 | ||
155 | # If any actions are required, return the array. | |
156 | if (@actions) { | |
157 | return (@actions); | |
158 | } | |
159 | ||
160 | # If we got here, the alert could not be parsed correctly, or did not match any filter. | |
161 | # Therefore it can be skipped - return nothing. | |
162 | return; | |
163 | } | |
164 | ||
165 | # | |
166 | ## The SSH message parser. | |
167 | # | |
168 | ## This subfunction is used for parsing and detecting different attacks | |
169 | ## against the SSH service. | |
170 | # | |
171 | sub message_parser_ssh (@) { | |
172 | my @message = @_; | |
173 | my @actions; | |
174 | ||
175 | # The name of the parser module. | |
176 | my $name = "SSH"; | |
177 | ||
178 | # Variable to store the grabbed IP-address. | |
179 | my $address; | |
180 | ||
181 | # Variable to store the parsed event. | |
182 | my $message; | |
183 | ||
184 | # Loop through all lines, in case multiple one have | |
185 | # been passed. | |
186 | foreach my $line (@message) { | |
187 | # Check for failed password attempts. | |
188 | if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) { | |
189 | # Store the grabbed IP-address. | |
190 | $address = $2; | |
191 | ||
192 | # Set event message. | |
193 | $message = "Possible SSH-Bruteforce Attack for user: $1."; | |
194 | } | |
195 | ||
196 | # This should catch Bruteforce Attacks with enabled preauth | |
197 | elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) { | |
198 | # Store obtained IP-address. | |
199 | $address = $1; | |
200 | ||
201 | # Set event message. | |
202 | $message = "Possible SSH-Bruteforce Attack - failed preauth."; | |
203 | } | |
204 | ||
205 | # Check if at least the IP-address information has been extracted. | |
206 | if (defined ($address)) { | |
207 | # Add the extracted values and event message for the computed | |
208 | # event to the actions array. | |
209 | push(@actions, "count $address $name $message"); | |
210 | } | |
211 | } | |
212 | ||
213 | # If any actions are required, return the array. | |
214 | if (@actions) { | |
215 | return (@actions); | |
216 | } | |
217 | ||
218 | # If we got here, the provided message is not affected by any filter and | |
219 | # therefore can be skipped. Return nothing (False) in this case. | |
220 | return; | |
221 | } | |
222 | ||
223 | # | |
224 | ## The HTTPD message parser. | |
225 | # | |
226 | ## This subfunction is used for parsing and detecting different attacks | |
227 | ## against a running HTTPD service. | |
228 | # | |
229 | sub message_parser_httpd (@) { | |
230 | my @message = @_; | |
231 | my @actions; | |
232 | ||
233 | # The name of the parser module. | |
234 | my $name = "HTTPD"; | |
235 | ||
236 | # Variable to store the grabbed IP-address. | |
237 | my $address; | |
238 | ||
239 | # Variable to store the parsed event. | |
240 | my $message; | |
241 | ||
242 | # Loop through all lines, in case multiple one have | |
243 | # been passed. | |
244 | foreach my $line (@message) { | |
245 | # This will catch brute-force attacks against htaccess logins (username). | |
246 | if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) { | |
247 | # Store the grabbed IP-address. | |
248 | $address = $1; | |
249 | ||
250 | # Set event message. | |
251 | $message = "Possible WUI brute-force attack, wrong user: $2."; | |
252 | } | |
253 | ||
254 | # Detect htaccess password brute-forcing against a username. | |
255 | elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) { | |
256 | # Store the extracted IP-address. | |
257 | $address = $1; | |
258 | ||
259 | # Set event message. | |
260 | $message = "Possible WUI brute-force attack, wrong password for user: $2."; | |
261 | } | |
262 | ||
263 | # Check if at least the IP-address information has been extracted. | |
264 | if (defined ($address)) { | |
265 | # Add the extracted values and event message to the actions array. | |
266 | push(@actions, "count $address $name $message"); | |
267 | } | |
268 | } | |
269 | ||
270 | # If any actions are required, return the array. | |
271 | if (@actions) { | |
272 | return @actions; | |
273 | } | |
274 | ||
275 | # If we got here, the provided message is not affected by any filter and | |
276 | # therefore can be skipped. Return nothing (False) in this case. | |
277 | return; | |
278 | } | |
279 | ||
280 | 1; |