]>
Commit | Line | Data |
---|---|---|
88d9af2c SS |
1 | package Guardian::Parser; |
2 | use strict; | |
3 | use warnings; | |
4 | ||
5 | use Exporter qw(import); | |
6 | ||
cfe5a220 | 7 | our @EXPORT_OK = qw(IsSupportedParser Parser); |
88d9af2c | 8 | |
cfe5a220 SS |
9 | # This hash contains all supported parsers and which function |
10 | # has to be called to parse messages in the right way. | |
88d9af2c | 11 | my %logfile_parsers = ( |
cfe5a220 | 12 | "snort" => \&message_parser_snort, |
0b1fe046 | 13 | "ssh" => \&message_parser_ssh, |
88d9af2c SS |
14 | ); |
15 | ||
16 | # | |
17 | ## The main parsing function. | |
18 | # | |
19 | ## It is used to determine which sub-parser has to be used to | |
20 | ## parse the given message in the right way and to return if | |
21 | ## any action should be performed. | |
22 | # | |
23 | sub Parser ($$) { | |
cfe5a220 | 24 | my ($parser, @message) = @_; |
88d9af2c SS |
25 | |
26 | # If no responsible message parser could be found, just return nothing. | |
cfe5a220 | 27 | unless (exists($logfile_parsers{$parser})) { |
88d9af2c SS |
28 | return; |
29 | } | |
30 | ||
cfe5a220 SS |
31 | # Call responsible message parser. |
32 | my $action = $logfile_parsers{$parser}->(@message); | |
88d9af2c | 33 | |
8fba3c57 SS |
34 | # In case an action has been returned, return it too. |
35 | if (defined($action)) { | |
36 | # Return which action should be performed. | |
37 | return "count $action"; | |
38 | } | |
39 | ||
40 | # Return undef, no action required. | |
41 | return undef; | |
88d9af2c SS |
42 | } |
43 | ||
cfe5a220 SS |
44 | # |
45 | ## IsSupportedParser function. | |
46 | # | |
47 | ## This very tiny function checks if a given parser name is available and | |
48 | ## therefore a supported parser. | |
49 | # | |
50 | ## To perform these check, the function is going to lookup if a key in the | |
51 | ## hash of supported parsers is available | |
52 | # | |
53 | sub IsSupportedParser ($) { | |
54 | my $parser = $_[0]; | |
55 | ||
56 | # Check if a key for the given parser exists in the hash of logfile_parsers. | |
57 | if(exists($logfile_parsers{$parser})) { | |
58 | # Found a valid parser, so return nothing. | |
59 | return 1; | |
60 | } | |
61 | ||
62 | # Return "False" if we got here, and therefore no parser | |
63 | # is available. | |
64 | return; | |
65 | } | |
66 | ||
88d9af2c SS |
67 | # |
68 | ## The Snort message parser. | |
69 | # | |
70 | ## This subfunction is responsible for parsing sort alerts and determine if | |
71 | ## an action should be performed. | |
72 | # | |
73 | sub message_parser_snort($) { | |
74 | my @message = @_; | |
75 | ||
76 | # XXX | |
77 | # Currently this parser just returns a simple message. | |
ebd440a9 | 78 | return "$message[0] SNORT A simple Snort Message"; |
88d9af2c SS |
79 | } |
80 | ||
0b1fe046 SS |
81 | # |
82 | ## The SSH message parser. | |
83 | # | |
84 | ## This subfunction is used for parsing and detecting different attacks | |
85 | ## against the SSH service. | |
86 | # | |
87 | sub message_parser_ssh (@) { | |
88 | my @message = @_; | |
89 | ||
90 | # The name of the parser module. | |
91 | my $name = "SSH"; | |
92 | ||
93 | # Variable to store the grabbed IP-address. | |
94 | my $address; | |
95 | ||
96 | # Variable to store the parsed event. | |
97 | my $message; | |
98 | ||
99 | # Loop through all lines, in case multiple one have | |
100 | # been passed. | |
101 | foreach my $line (@message) { | |
102 | # Check for failed password attempts. | |
103 | if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) { | |
104 | # Store the grabbed IP-address. | |
105 | $address = $2; | |
106 | ||
107 | # Set event message. | |
108 | $message = "Possible SSH-Bruteforce Attack for user: $1."; | |
109 | } | |
110 | ||
111 | # This should catch Bruteforce Attacks with enabled preauth | |
112 | elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) { | |
113 | # Store obtained IP-address. | |
114 | $address = $1; | |
115 | ||
116 | # Set event message. | |
117 | $message = "Possible SSH-Bruteforce Attack - failed preauth."; | |
118 | } | |
119 | } | |
120 | ||
121 | # Check if at least the IP-address information has been extracted. | |
122 | if (defined ($address)) { | |
123 | # Return the extracted values and event message. | |
124 | return "$address $name $message"; | |
125 | } | |
126 | ||
127 | # If we got here, the provided message is not affected by any filter and | |
128 | # therefore can be skipped. Return nothing (False) in this case. | |
129 | return; | |
130 | } | |
131 | ||
88d9af2c | 132 | 1; |