my $enable_snort = "true";
my $enable_ssh = "true";
my $enable_httpd = "true";
+my $enable_owncloud = "false";
# Watched files.
my $syslogfile = "/var/log/messages";
my $alert_file = "/var/log/snort.alert";
my $httpdlog_file = "/var/log/httpd/error_log";
+my $owncloudlog_file = "/var/owncloud/data/owncloud.log";
# Variable to store if the red interface is active and in use.
my $red_active;
elsif ("$changed_file" eq "$httpdlog_file") {
&handle_httpd("$message");
}
+ elsif ("$changed_file" eq "$owncloudlog_file") {
+ &handle_owncloud("$message");
+ }
# Drop processed event from queue.
$queue->dequeue();
}
}
+#
+### Function to detect Owncloud Login-Bruteforce Attacks.
+#
+sub handle_owncloud ($) {
+ my $message = @_[0];
+
+ # Check for failed login attempts.
+ if ($message =~/.*\"Login failed:.* \(Remote IP: \'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\'.*/) {
+ &checkaction ($1, "Possible Owncloud-Bruteforce Attack.");
+ }
+}
+
#
## Function to create inotify tasks for each monitored file.
#
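Review bot: The address captured in handle_owncloud (the `if ($message =~ ...)` line) is bracketed by unanchored `.*` on both sides, and the text between `Login failed:` and `(Remote IP:` is presumably the attempted login name, i.e. a string chosen by the remote client; the value that reaches checkaction() should therefore be taken from the fixed tail of the line rather than from wherever a `(Remote IP: '...'` fragment happens to occur. If the owncloud log line closes that field with `')` (to be confirmed against the actual log format), matching it explicitly and anchoring at end of line, e.g. `if ($message =~ /Login failed:.*\(Remote IP: '(\d{1,3}(?:\.\d{1,3}){3})'\)\s*\z/) {`, makes the capture depend only on the part owncloud itself writes. Separately, `my $message = @_[0];` is a one-element slice in scalar context and triggers a "Scalar value @_[0] better written as $_[0]" warning under `use warnings`; `my $message = $_[0];` (or `my ($message) = @_;`) is the intended form.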
$httpdlog_file = $1;
}
+ # Get path to owncloud logfile.
+ if (/OwncloudLogFile\s+(.*)/) {
+ $owncloudlog_file = $1;
+ }
+
# Read-in path to the ignorefile.
if (/IgnoreFile\s+(.*)/) {
$ignorefile = $1;
if (/EnableHTTPDMonitoring\s+(.*)/) {
$enable_httpd = $1;
}
+ # Owncloud - Brute force attacks.
+ if (/EnableOwncloudMonitoring\s+(.*)/) {
+ $enable_owncloud = $1;
+ }
}
# Validate input.
push(@files, $httpdlog_file);
}
+ # Add owncloud logfile if the monitoring should be enabled.
+ if ($enable_owncloud eq "true" or $enable_owncloud eq "on") {
+ push(@files, $owncloudlog_file);
+ }
+
# Check for and drop non existing files.
foreach my $file (@files) {
# Check if given file exist.