[people/stevee/guardian.git] / modules / Parser.pm

package Guardian::Parser;
use strict;
use warnings;

use Exporter qw(import);

our @EXPORT_OK = qw(IsSupportedParser Parser);

# This hash contains all supported parsers and which function
# has to be called to parse messages in the right way.
my %logfile_parsers = (
	"httpd" => \&message_parser_httpd,
	"snort" => \&message_parser_snort,
	"ssh" => \&message_parser_ssh,
);

#
## The main parsing function.
#
## It is used to determine which sub-parser has to be used to
## parse the given message in the right way and to return if
## any action should be performed.
#
sub Parser ($$) {
        my ($parser, @message) = @_;

	# If no responsible message parser could be found, just return nothing.
	unless (exists($logfile_parsers{$parser})) {
		return;
	}

	# Call responsible message parser.
	my @actions = $logfile_parsers{$parser}->(@message);

	# In case an action has been returned, return it too. 
	if (@actions) {
		# Return which actions should be performed.
		return @actions;
	}

	# Return undef, if no actions are required.
	return undef;
}

#
## IsSupportedParser function.
#
## This very tiny function checks if a given parser name is available and
## therefore a supported parser.
#
## To perform these check, the function is going to lookup if a key in the
## hash of supported parsers is available
#
sub IsSupportedParser ($) {
	my $parser = $_[0];

	# Check if a key for the given parser exists in the hash of logfile_parsers.
	if(exists($logfile_parsers{$parser})) {
		# Found a valid parser, so return nothing.
		return 1;
	}

	# Return "False" if we got here, and therefore no parser
	# is available.
	return;
}

#
## The Snort message parser.
#
## This subfunction is responsible for parsing sort alerts and determine if
## an action should be performed.
#
sub message_parser_snort($) {
	my @message = @_;

	# XXX
	# Currently this parser just returns a simple message.
	return "$message[0] SNORT A simple Snort Message";
}

#
## The SSH message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against the SSH service.
#
sub message_parser_ssh (@) {
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "SSH";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# Check for failed password attempts.
		if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
			# Store the grabbed IP-address.
			$address = $2;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack for user: $1.";
		}

		# This should catch Bruteforce Attacks with enabled preauth
		elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
			# Store obtained IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack - failed preauth.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message for the computed
			# event to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return (@actions);
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

#
## The HTTPD message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against a running HTTPD service.
#
sub message_parser_httpd (@) {
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "HTTPD";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# This will catch brute-force attacks against htaccess logins (username).
		if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
			# Store the grabbed IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible WUI brute-force attack, wrong user: $2.";
		}

		# Detect htaccess password brute-forcing against a username.
		elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
			# Store the extracted IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible WUI brute-force attack, wrong password for user: $2.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return @actions;
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

1;
Commit	Line	Data
88d9af2c SS	1	package Guardian::Parser;
	2	use strict;
	3	use warnings;
	4
	5	use Exporter qw(import);
	6
cfe5a220	7	our @EXPORT_OK = qw(IsSupportedParser Parser);
88d9af2c	8
cfe5a220 SS	9	# This hash contains all supported parsers and which function
cfe5a220 SS	10	# has to be called to parse messages in the right way.
88d9af2c	11	my %logfile_parsers = (
55852ce7	12	"httpd" => \&message_parser_httpd,
cfe5a220	13	"snort" => \&message_parser_snort,
0b1fe046	14	"ssh" => \&message_parser_ssh,
88d9af2c SS	15	);
	16
	17	#
	18	## The main parsing function.
	19	#
	20	## It is used to determine which sub-parser has to be used to
	21	## parse the given message in the right way and to return if
	22	## any action should be performed.
	23	#
	24	sub Parser ($$) {
cfe5a220	25	my ($parser, @message) = @_;
88d9af2c SS	26
88d9af2c SS	27	# If no responsible message parser could be found, just return nothing.
cfe5a220	28	unless (exists($logfile_parsers{$parser})) {
88d9af2c SS	29	return;
	30	}
	31
cfe5a220	32	# Call responsible message parser.
43fdb161	33	my @actions = $logfile_parsers{$parser}->(@message);
88d9af2c	34
8fba3c57	35	# In case an action has been returned, return it too.
43fdb161 SS	36	if (@actions) {
	37	# Return which actions should be performed.
	38	return @actions;
8fba3c57 SS	39	}
8fba3c57 SS	40
43fdb161	41	# Return undef, if no actions are required.
8fba3c57	42	return undef;
88d9af2c SS	43	}
88d9af2c SS	44
cfe5a220 SS	45	#
	46	## IsSupportedParser function.
	47	#
	48	## This very tiny function checks if a given parser name is available and
	49	## therefore a supported parser.
	50	#
	51	## To perform these check, the function is going to lookup if a key in the
	52	## hash of supported parsers is available
	53	#
	54	sub IsSupportedParser ($) {
	55	my $parser = $_[0];
	56
	57	# Check if a key for the given parser exists in the hash of logfile_parsers.
	58	if(exists($logfile_parsers{$parser})) {
	59	# Found a valid parser, so return nothing.
	60	return 1;
	61	}
	62
	63	# Return "False" if we got here, and therefore no parser
	64	# is available.
	65	return;
	66	}
	67
88d9af2c SS	68	#
	69	## The Snort message parser.
	70	#
	71	## This subfunction is responsible for parsing sort alerts and determine if
	72	## an action should be performed.
	73	#
	74	sub message_parser_snort($) {
	75	my @message = @_;
	76
	77	# XXX
	78	# Currently this parser just returns a simple message.
ebd440a9	79	return "$message[0] SNORT A simple Snort Message";
88d9af2c SS	80	}
88d9af2c SS	81
0b1fe046 SS	82	#
	83	## The SSH message parser.
	84	#
	85	## This subfunction is used for parsing and detecting different attacks
	86	## against the SSH service.
	87	#
	88	sub message_parser_ssh (@) {
	89	my @message = @_;
43fdb161	90	my @actions;
0b1fe046 SS	91
	92	# The name of the parser module.
	93	my $name = "SSH";
	94
	95	# Variable to store the grabbed IP-address.
	96	my $address;
	97
	98	# Variable to store the parsed event.
	99	my $message;
	100
	101	# Loop through all lines, in case multiple one have
	102	# been passed.
	103	foreach my $line (@message) {
	104	# Check for failed password attempts.
	105	if ($line =~/.sshd.Failed password for (.) from (.) port.*/) {
	106	# Store the grabbed IP-address.
	107	$address = $2;
	108
	109	# Set event message.
	110	$message = "Possible SSH-Bruteforce Attack for user: $1.";
	111	}
	112
	113	# This should catch Bruteforce Attacks with enabled preauth
	114	elsif ($line =~ /.sshd.Received disconnect from (.):.\[preauth\]/) {
	115	# Store obtained IP-address.
	116	$address = $1;
	117
	118	# Set event message.
	119	$message = "Possible SSH-Bruteforce Attack - failed preauth.";
	120	}
43fdb161 SS	121
	122	# Check if at least the IP-address information has been extracted.
	123	if (defined ($address)) {
	124	# Add the extracted values and event message for the computed
	125	# event to the actions array.
	126	push(@actions, "count $address $name $message");
	127	}
0b1fe046 SS	128	}
0b1fe046 SS	129
43fdb161 SS	130	# If any actions are required, return the array.
	131	if (@actions) {
	132	return (@actions);
0b1fe046 SS	133	}
	134
	135	# If we got here, the provided message is not affected by any filter and
	136	# therefore can be skipped. Return nothing (False) in this case.
	137	return;
	138	}
	139
55852ce7 SS	140	#
	141	## The HTTPD message parser.
	142	#
	143	## This subfunction is used for parsing and detecting different attacks
	144	## against a running HTTPD service.
	145	#
	146	sub message_parser_httpd (@) {
	147	my @message = @_;
43fdb161	148	my @actions;
55852ce7 SS	149
	150	# The name of the parser module.
	151	my $name = "HTTPD";
	152
	153	# Variable to store the grabbed IP-address.
	154	my $address;
	155
	156	# Variable to store the parsed event.
	157	my $message;
	158
	159	# Loop through all lines, in case multiple one have
	160	# been passed.
	161	foreach my $line (@message) {
	162	# This will catch brute-force attacks against htaccess logins (username).
	163	if ($line =~ /.\[error\] \[client (.)\] user(.) not found:./) {
	164	# Store the grabbed IP-address.
	165	$address = $1;
	166
	167	# Set event message.
	168	$message = "Possible WUI brute-force attack, wrong user: $2.";
	169	}
	170
	171	# Detect htaccess password brute-forcing against a username.
	172	elsif ($line =~ /.\[error\] \[client (.)\] user(.): authentication failure for./) {
	173	# Store the extracted IP-address.
	174	$address = $1;
	175
	176	# Set event message.
	177	$message = "Possible WUI brute-force attack, wrong password for user: $2.";
	178	}
43fdb161 SS	179
	180	# Check if at least the IP-address information has been extracted.
	181	if (defined ($address)) {
	182	# Add the extracted values and event message to the actions array.
	183	push(@actions, "count $address $name $message");
	184	}
55852ce7 SS	185	}
55852ce7 SS	186
43fdb161 SS	187	# If any actions are required, return the array.
	188	if (@actions) {
	189	return @actions;
55852ce7 SS	190	}
	191
	192	# If we got here, the provided message is not affected by any filter and
	193	# therefore can be skipped. Return nothing (False) in this case.
	194	return;
	195	}
	196
88d9af2c	197	1;