[people/stevee/guardian.git] / modules / Parser.pm

package Guardian::Parser;
use strict;
use warnings;

use Exporter qw(import);

our @EXPORT_OK = qw(IsSupportedParser Parser);

# This hash contains all supported parsers and which function
# has to be called to parse messages in the right way.
my %logfile_parsers = (
	"snort" => \&message_parser_snort,
	"ssh" => \&message_parser_ssh,
);

#
## The main parsing function.
#
## It is used to determine which sub-parser has to be used to
## parse the given message in the right way and to return if
## any action should be performed.
#
sub Parser ($$) {
        my ($parser, @message) = @_;

	# If no responsible message parser could be found, just return nothing.
	unless (exists($logfile_parsers{$parser})) {
		return;
	}

	# Call responsible message parser.
	my $action = $logfile_parsers{$parser}->(@message);

	# Return which action should be performed.
	return "count $action";
}

#
## IsSupportedParser function.
#
## This very tiny function checks if a given parser name is available and
## therefore a supported parser.
#
## To perform these check, the function is going to lookup if a key in the
## hash of supported parsers is available
#
sub IsSupportedParser ($) {
	my $parser = $_[0];

	# Check if a key for the given parser exists in the hash of logfile_parsers.
	if(exists($logfile_parsers{$parser})) {
		# Found a valid parser, so return nothing.
		return 1;
	}

	# Return "False" if we got here, and therefore no parser
	# is available.
	return;
}

#
## The Snort message parser.
#
## This subfunction is responsible for parsing sort alerts and determine if
## an action should be performed.
#
sub message_parser_snort($) {
	my @message = @_;

	# XXX
	# Currently this parser just returns a simple message.
	return "$message[0] SNORT A simple Snort Message";
}

#
## The SSH message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against the SSH service.
#
sub message_parser_ssh (@) {
	my @message = @_;

	# The name of the parser module.
	my $name = "SSH";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# Check for failed password attempts.
		if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
			# Store the grabbed IP-address.
			$address = $2;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack for user: $1.";
		}

		# This should catch Bruteforce Attacks with enabled preauth
		elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
			# Store obtained IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack - failed preauth.";
		}
	}

	# Check if at least the IP-address information has been extracted.
	if (defined ($address)) {
		# Return the extracted values and event message.
		return "$address $name $message";
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

1;
Commit	Line	Data
88d9af2c SS	1	package Guardian::Parser;
	2	use strict;
	3	use warnings;
	4
	5	use Exporter qw(import);
	6
cfe5a220	7	our @EXPORT_OK = qw(IsSupportedParser Parser);
88d9af2c	8
cfe5a220 SS	9	# This hash contains all supported parsers and which function
cfe5a220 SS	10	# has to be called to parse messages in the right way.
88d9af2c	11	my %logfile_parsers = (
cfe5a220	12	"snort" => \&message_parser_snort,
0b1fe046	13	"ssh" => \&message_parser_ssh,
88d9af2c SS	14	);
	15
	16	#
	17	## The main parsing function.
	18	#
	19	## It is used to determine which sub-parser has to be used to
	20	## parse the given message in the right way and to return if
	21	## any action should be performed.
	22	#
	23	sub Parser ($$) {
cfe5a220	24	my ($parser, @message) = @_;
88d9af2c SS	25
88d9af2c SS	26	# If no responsible message parser could be found, just return nothing.
cfe5a220	27	unless (exists($logfile_parsers{$parser})) {
88d9af2c SS	28	return;
	29	}
	30
cfe5a220 SS	31	# Call responsible message parser.
cfe5a220 SS	32	my $action = $logfile_parsers{$parser}->(@message);
88d9af2c	33
72d0b626 SS	34	# Return which action should be performed.
72d0b626 SS	35	return "count $action";
88d9af2c SS	36	}
88d9af2c SS	37
cfe5a220 SS	38	#
	39	## IsSupportedParser function.
	40	#
	41	## This very tiny function checks if a given parser name is available and
	42	## therefore a supported parser.
	43	#
	44	## To perform these check, the function is going to lookup if a key in the
	45	## hash of supported parsers is available
	46	#
	47	sub IsSupportedParser ($) {
	48	my $parser = $_[0];
	49
	50	# Check if a key for the given parser exists in the hash of logfile_parsers.
	51	if(exists($logfile_parsers{$parser})) {
	52	# Found a valid parser, so return nothing.
	53	return 1;
	54	}
	55
	56	# Return "False" if we got here, and therefore no parser
	57	# is available.
	58	return;
	59	}
	60
88d9af2c SS	61	#
	62	## The Snort message parser.
	63	#
	64	## This subfunction is responsible for parsing sort alerts and determine if
	65	## an action should be performed.
	66	#
	67	sub message_parser_snort($) {
	68	my @message = @_;
	69
	70	# XXX
	71	# Currently this parser just returns a simple message.
ebd440a9	72	return "$message[0] SNORT A simple Snort Message";
88d9af2c SS	73	}
88d9af2c SS	74
0b1fe046 SS	75	#
	76	## The SSH message parser.
	77	#
	78	## This subfunction is used for parsing and detecting different attacks
	79	## against the SSH service.
	80	#
	81	sub message_parser_ssh (@) {
	82	my @message = @_;
	83
	84	# The name of the parser module.
	85	my $name = "SSH";
	86
	87	# Variable to store the grabbed IP-address.
	88	my $address;
	89
	90	# Variable to store the parsed event.
	91	my $message;
	92
	93	# Loop through all lines, in case multiple one have
	94	# been passed.
	95	foreach my $line (@message) {
	96	# Check for failed password attempts.
	97	if ($line =~/.sshd.Failed password for (.) from (.) port.*/) {
	98	# Store the grabbed IP-address.
	99	$address = $2;
	100
	101	# Set event message.
	102	$message = "Possible SSH-Bruteforce Attack for user: $1.";
	103	}
	104
	105	# This should catch Bruteforce Attacks with enabled preauth
	106	elsif ($line =~ /.sshd.Received disconnect from (.):.\[preauth\]/) {
	107	# Store obtained IP-address.
	108	$address = $1;
	109
	110	# Set event message.
	111	$message = "Possible SSH-Bruteforce Attack - failed preauth.";
	112	}
	113	}
	114
	115	# Check if at least the IP-address information has been extracted.
	116	if (defined ($address)) {
	117	# Return the extracted values and event message.
	118	return "$address $name $message";
	119	}
	120
	121	# If we got here, the provided message is not affected by any filter and
	122	# therefore can be skipped. Return nothing (False) in this case.
	123	return;
	124	}
	125
88d9af2c	126	1;