]> git.ipfire.org Git - people/stevee/guardian.git/blob - modules/Parser.pm
projects / people / stevee / guardian.git / blob
? search:


5c2f53fa79437753d3a10dbdcf7fd44a4676d0e9
[people/stevee/guardian.git] / modules / Parser.pm
1 package Guardian::Parser;
2 use strict;
3 use warnings;
4
5 use Exporter qw(import);
6
7 our @EXPORT_OK = qw(IsSupportedParser Parser);
8
9 # This hash contains all supported parsers and which function
10 # has to be called to parse messages in the right way.
11 my %logfile_parsers = (
12 "httpd" => \&message_parser_httpd,
13 "snort" => \&message_parser_snort,
14 "ssh" => \&message_parser_ssh,
15 );
16
17 #
18 ## The main parsing function.
19 #
20 ## It is used to determine which sub-parser has to be used to
21 ## parse the given message in the right way and to return if
22 ## any action should be performed.
23 #
24 sub Parser ($$) {
25 my ($parser, @message) = @_;
26
27 # If no responsible message parser could be found, just return nothing.
28 unless (exists($logfile_parsers{$parser})) {
29 return;
30 }
31
32 # Call responsible message parser.
33 my @actions = $logfile_parsers{$parser}->(@message);
34
35 # In case an action has been returned, return it too.
36 if (@actions) {
37 # Return which actions should be performed.
38 return @actions;
39 }
40
41 # Return undef, if no actions are required.
42 return undef;
43 }
44
45 #
46 ## IsSupportedParser function.
47 #
48 ## This very tiny function checks if a given parser name is available and
49 ## therefore a supported parser.
50 #
51 ## To perform these check, the function is going to lookup if a key in the
52 ## hash of supported parsers is available
53 #
54 sub IsSupportedParser ($) {
55 my $parser = $_[0];
56
57 # Check if a key for the given parser exists in the hash of logfile_parsers.
58 if(exists($logfile_parsers{$parser})) {
59 # Found a valid parser, so return nothing.
60 return 1;
61 }
62
63 # Return "False" if we got here, and therefore no parser
64 # is available.
65 return;
66 }
67
68 #
69 ## The Snort message parser.
70 #
71 ## This subfunction is responsible for parsing sort alerts and determine if
72 ## an action should be performed.
73 #
74 sub message_parser_snort($) {
75 my @message = @_;
76
77 # XXX
78 # Currently this parser just returns a simple message.
79 return "$message[0] SNORT A simple Snort Message";
80 }
81
82 #
83 ## The SSH message parser.
84 #
85 ## This subfunction is used for parsing and detecting different attacks
86 ## against the SSH service.
87 #
88 sub message_parser_ssh (@) {
89 my @message = @_;
90 my @actions;
91
92 # The name of the parser module.
93 my $name = "SSH";
94
95 # Variable to store the grabbed IP-address.
96 my $address;
97
98 # Variable to store the parsed event.
99 my $message;
100
101 # Loop through all lines, in case multiple one have
102 # been passed.
103 foreach my $line (@message) {
104 # Check for failed password attempts.
105 if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
106 # Store the grabbed IP-address.
107 $address = $2;
108
109 # Set event message.
110 $message = "Possible SSH-Bruteforce Attack for user: $1.";
111 }
112
113 # This should catch Bruteforce Attacks with enabled preauth
114 elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
115 # Store obtained IP-address.
116 $address = $1;
117
118 # Set event message.
119 $message = "Possible SSH-Bruteforce Attack - failed preauth.";
120 }
121
122 # Check if at least the IP-address information has been extracted.
123 if (defined ($address)) {
124 # Add the extracted values and event message for the computed
125 # event to the actions array.
126 push(@actions, "count $address $name $message");
127 }
128 }
129
130 # If any actions are required, return the array.
131 if (@actions) {
132 return (@actions);
133 }
134
135 # If we got here, the provided message is not affected by any filter and
136 # therefore can be skipped. Return nothing (False) in this case.
137 return;
138 }
139
140 #
141 ## The HTTPD message parser.
142 #
143 ## This subfunction is used for parsing and detecting different attacks
144 ## against a running HTTPD service.
145 #
146 sub message_parser_httpd (@) {
147 my @message = @_;
148 my @actions;
149
150 # The name of the parser module.
151 my $name = "HTTPD";
152
153 # Variable to store the grabbed IP-address.
154 my $address;
155
156 # Variable to store the parsed event.
157 my $message;
158
159 # Loop through all lines, in case multiple one have
160 # been passed.
161 foreach my $line (@message) {
162 # This will catch brute-force attacks against htaccess logins (username).
163 if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
164 # Store the grabbed IP-address.
165 $address = $1;
166
167 # Set event message.
168 $message = "Possible WUI brute-force attack, wrong user: $2.";
169 }
170
171 # Detect htaccess password brute-forcing against a username.
172 elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
173 # Store the extracted IP-address.
174 $address = $1;
175
176 # Set event message.
177 $message = "Possible WUI brute-force attack, wrong password for user: $2.";
178 }
179
180 # Check if at least the IP-address information has been extracted.
181 if (defined ($address)) {
182 # Add the extracted values and event message to the actions array.
183 push(@actions, "count $address $name $message");
184 }
185 }
186
187 # If any actions are required, return the array.
188 if (@actions) {
189 return @actions;
190 }
191
192 # If we got here, the provided message is not affected by any filter and
193 # therefore can be skipped. Return nothing (False) in this case.
194 return;
195 }
196
197 1;
A perl written Intrusion Prevention System.