[people/stevee/guardian.git] / modules / Parser.pm

package Guardian::Parser;
use strict;
use warnings;

use Exporter qw(import);

our @EXPORT_OK = qw(IsSupportedParser Parser);

# This hash contains all supported parsers and which function
# has to be called to parse messages in the right way.
my %logfile_parsers = (
	"snort" => \&message_parser_snort,
	"ssh" => \&message_parser_ssh,
);

#
## The main parsing function.
#
## It is used to determine which sub-parser has to be used to
## parse the given message in the right way and to return if
## any action should be performed.
#
sub Parser ($$) {
        my ($parser, @message) = @_;

	# If no responsible message parser could be found, just return nothing.
	unless (exists($logfile_parsers{$parser})) {
		return;
	}

	# Call responsible message parser.
	my $action = $logfile_parsers{$parser}->(@message);

	# In case an action has been returned, return it too. 
	if (defined($action)) {
		# Return which action should be performed.
		return "count $action";
	}

	# Return undef, no action required.
	return undef;
}

#
## IsSupportedParser function.
#
## This very tiny function checks if a given parser name is available and
## therefore a supported parser.
#
## To perform these check, the function is going to lookup if a key in the
## hash of supported parsers is available
#
sub IsSupportedParser ($) {
	my $parser = $_[0];

	# Check if a key for the given parser exists in the hash of logfile_parsers.
	if(exists($logfile_parsers{$parser})) {
		# Found a valid parser, so return nothing.
		return 1;
	}

	# Return "False" if we got here, and therefore no parser
	# is available.
	return;
}

#
## The Snort message parser.
#
## This subfunction is responsible for parsing sort alerts and determine if
## an action should be performed.
#
sub message_parser_snort($) {
	my @message = @_;

	# XXX
	# Currently this parser just returns a simple message.
	return "$message[0] SNORT A simple Snort Message";
}

#
## The SSH message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against the SSH service.
#
sub message_parser_ssh (@) {
	my @message = @_;

	# The name of the parser module.
	my $name = "SSH";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# Check for failed password attempts.
		if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
			# Store the grabbed IP-address.
			$address = $2;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack for user: $1.";
		}

		# This should catch Bruteforce Attacks with enabled preauth
		elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
			# Store obtained IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack - failed preauth.";
		}
	}

	# Check if at least the IP-address information has been extracted.
	if (defined ($address)) {
		# Return the extracted values and event message.
		return "$address $name $message";
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

1;
Commit	Line	Data
88d9af2c SS	1	package Guardian::Parser;
	2	use strict;
	3	use warnings;
	4
	5	use Exporter qw(import);
	6
cfe5a220	7	our @EXPORT_OK = qw(IsSupportedParser Parser);
88d9af2c	8
cfe5a220 SS	9	# This hash contains all supported parsers and which function
cfe5a220 SS	10	# has to be called to parse messages in the right way.
88d9af2c	11	my %logfile_parsers = (
cfe5a220	12	"snort" => \&message_parser_snort,
0b1fe046	13	"ssh" => \&message_parser_ssh,
88d9af2c SS	14	);
	15
	16	#
	17	## The main parsing function.
	18	#
	19	## It is used to determine which sub-parser has to be used to
	20	## parse the given message in the right way and to return if
	21	## any action should be performed.
	22	#
	23	sub Parser ($$) {
cfe5a220	24	my ($parser, @message) = @_;
88d9af2c SS	25
88d9af2c SS	26	# If no responsible message parser could be found, just return nothing.
cfe5a220	27	unless (exists($logfile_parsers{$parser})) {
88d9af2c SS	28	return;
	29	}
	30
cfe5a220 SS	31	# Call responsible message parser.
cfe5a220 SS	32	my $action = $logfile_parsers{$parser}->(@message);
88d9af2c	33
8fba3c57 SS	34	# In case an action has been returned, return it too.
	35	if (defined($action)) {
	36	# Return which action should be performed.
	37	return "count $action";
	38	}
	39
	40	# Return undef, no action required.
	41	return undef;
88d9af2c SS	42	}
88d9af2c SS	43
cfe5a220 SS	44	#
	45	## IsSupportedParser function.
	46	#
	47	## This very tiny function checks if a given parser name is available and
	48	## therefore a supported parser.
	49	#
	50	## To perform these check, the function is going to lookup if a key in the
	51	## hash of supported parsers is available
	52	#
	53	sub IsSupportedParser ($) {
	54	my $parser = $_[0];
	55
	56	# Check if a key for the given parser exists in the hash of logfile_parsers.
	57	if(exists($logfile_parsers{$parser})) {
	58	# Found a valid parser, so return nothing.
	59	return 1;
	60	}
	61
	62	# Return "False" if we got here, and therefore no parser
	63	# is available.
	64	return;
	65	}
	66
88d9af2c SS	67	#
	68	## The Snort message parser.
	69	#
	70	## This subfunction is responsible for parsing sort alerts and determine if
	71	## an action should be performed.
	72	#
	73	sub message_parser_snort($) {
	74	my @message = @_;
	75
	76	# XXX
	77	# Currently this parser just returns a simple message.
ebd440a9	78	return "$message[0] SNORT A simple Snort Message";
88d9af2c SS	79	}
88d9af2c SS	80
0b1fe046 SS	81	#
	82	## The SSH message parser.
	83	#
	84	## This subfunction is used for parsing and detecting different attacks
	85	## against the SSH service.
	86	#
	87	sub message_parser_ssh (@) {
	88	my @message = @_;
	89
	90	# The name of the parser module.
	91	my $name = "SSH";
	92
	93	# Variable to store the grabbed IP-address.
	94	my $address;
	95
	96	# Variable to store the parsed event.
	97	my $message;
	98
	99	# Loop through all lines, in case multiple one have
	100	# been passed.
	101	foreach my $line (@message) {
	102	# Check for failed password attempts.
	103	if ($line =~/.sshd.Failed password for (.) from (.) port.*/) {
	104	# Store the grabbed IP-address.
	105	$address = $2;
	106
	107	# Set event message.
	108	$message = "Possible SSH-Bruteforce Attack for user: $1.";
	109	}
	110
	111	# This should catch Bruteforce Attacks with enabled preauth
	112	elsif ($line =~ /.sshd.Received disconnect from (.):.\[preauth\]/) {
	113	# Store obtained IP-address.
	114	$address = $1;
	115
	116	# Set event message.
	117	$message = "Possible SSH-Bruteforce Attack - failed preauth.";
	118	}
	119	}
	120
	121	# Check if at least the IP-address information has been extracted.
	122	if (defined ($address)) {
	123	# Return the extracted values and event message.
	124	return "$address $name $message";
	125	}
	126
	127	# If we got here, the provided message is not affected by any filter and
	128	# therefore can be skipped. Return nothing (False) in this case.
	129	return;
	130	}
	131
88d9af2c	132	1;