]>
Commit | Line | Data |
---|---|---|
88d9af2c SS |
1 | package Guardian::Parser; |
2 | use strict; | |
3 | use warnings; | |
4 | ||
5 | use Exporter qw(import); | |
6 | ||
cfe5a220 | 7 | our @EXPORT_OK = qw(IsSupportedParser Parser); |
88d9af2c | 8 | |
cfe5a220 SS |
9 | # This hash contains all supported parsers and which function |
10 | # has to be called to parse messages in the right way. | |
88d9af2c | 11 | my %logfile_parsers = ( |
55852ce7 | 12 | "httpd" => \&message_parser_httpd, |
cfe5a220 | 13 | "snort" => \&message_parser_snort, |
0b1fe046 | 14 | "ssh" => \&message_parser_ssh, |
88d9af2c SS |
15 | ); |
16 | ||
17 | # | |
18 | ## The main parsing function. | |
19 | # | |
20 | ## It is used to determine which sub-parser has to be used to | |
21 | ## parse the given message in the right way and to return if | |
22 | ## any action should be performed. | |
23 | # | |
24 | sub Parser ($$) { | |
cfe5a220 | 25 | my ($parser, @message) = @_; |
88d9af2c SS |
26 | |
27 | # If no responsible message parser could be found, just return nothing. | |
cfe5a220 | 28 | unless (exists($logfile_parsers{$parser})) { |
88d9af2c SS |
29 | return; |
30 | } | |
31 | ||
cfe5a220 | 32 | # Call responsible message parser. |
43fdb161 | 33 | my @actions = $logfile_parsers{$parser}->(@message); |
88d9af2c | 34 | |
8fba3c57 | 35 | # In case an action has been returned, return it too. |
43fdb161 SS |
36 | if (@actions) { |
37 | # Return which actions should be performed. | |
38 | return @actions; | |
8fba3c57 SS |
39 | } |
40 | ||
43fdb161 | 41 | # Return undef, if no actions are required. |
8fba3c57 | 42 | return undef; |
88d9af2c SS |
43 | } |
44 | ||
cfe5a220 SS |
45 | # |
46 | ## IsSupportedParser function. | |
47 | # | |
48 | ## This very tiny function checks if a given parser name is available and | |
49 | ## therefore a supported parser. | |
50 | # | |
51 | ## To perform these check, the function is going to lookup if a key in the | |
52 | ## hash of supported parsers is available | |
53 | # | |
54 | sub IsSupportedParser ($) { | |
55 | my $parser = $_[0]; | |
56 | ||
57 | # Check if a key for the given parser exists in the hash of logfile_parsers. | |
58 | if(exists($logfile_parsers{$parser})) { | |
59 | # Found a valid parser, so return nothing. | |
60 | return 1; | |
61 | } | |
62 | ||
63 | # Return "False" if we got here, and therefore no parser | |
64 | # is available. | |
65 | return; | |
66 | } | |
67 | ||
88d9af2c SS |
68 | # |
69 | ## The Snort message parser. | |
70 | # | |
71 | ## This subfunction is responsible for parsing sort alerts and determine if | |
72 | ## an action should be performed. | |
73 | # | |
74 | sub message_parser_snort($) { | |
75 | my @message = @_; | |
76 | ||
77 | # XXX | |
78 | # Currently this parser just returns a simple message. | |
ebd440a9 | 79 | return "$message[0] SNORT A simple Snort Message"; |
88d9af2c SS |
80 | } |
81 | ||
0b1fe046 SS |
82 | # |
83 | ## The SSH message parser. | |
84 | # | |
85 | ## This subfunction is used for parsing and detecting different attacks | |
86 | ## against the SSH service. | |
87 | # | |
88 | sub message_parser_ssh (@) { | |
89 | my @message = @_; | |
43fdb161 | 90 | my @actions; |
0b1fe046 SS |
91 | |
92 | # The name of the parser module. | |
93 | my $name = "SSH"; | |
94 | ||
95 | # Variable to store the grabbed IP-address. | |
96 | my $address; | |
97 | ||
98 | # Variable to store the parsed event. | |
99 | my $message; | |
100 | ||
101 | # Loop through all lines, in case multiple one have | |
102 | # been passed. | |
103 | foreach my $line (@message) { | |
104 | # Check for failed password attempts. | |
105 | if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) { | |
106 | # Store the grabbed IP-address. | |
107 | $address = $2; | |
108 | ||
109 | # Set event message. | |
110 | $message = "Possible SSH-Bruteforce Attack for user: $1."; | |
111 | } | |
112 | ||
113 | # This should catch Bruteforce Attacks with enabled preauth | |
114 | elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) { | |
115 | # Store obtained IP-address. | |
116 | $address = $1; | |
117 | ||
118 | # Set event message. | |
119 | $message = "Possible SSH-Bruteforce Attack - failed preauth."; | |
120 | } | |
43fdb161 SS |
121 | |
122 | # Check if at least the IP-address information has been extracted. | |
123 | if (defined ($address)) { | |
124 | # Add the extracted values and event message for the computed | |
125 | # event to the actions array. | |
126 | push(@actions, "count $address $name $message"); | |
127 | } | |
0b1fe046 SS |
128 | } |
129 | ||
43fdb161 SS |
130 | # If any actions are required, return the array. |
131 | if (@actions) { | |
132 | return (@actions); | |
0b1fe046 SS |
133 | } |
134 | ||
135 | # If we got here, the provided message is not affected by any filter and | |
136 | # therefore can be skipped. Return nothing (False) in this case. | |
137 | return; | |
138 | } | |
139 | ||
55852ce7 SS |
140 | # |
141 | ## The HTTPD message parser. | |
142 | # | |
143 | ## This subfunction is used for parsing and detecting different attacks | |
144 | ## against a running HTTPD service. | |
145 | # | |
146 | sub message_parser_httpd (@) { | |
147 | my @message = @_; | |
43fdb161 | 148 | my @actions; |
55852ce7 SS |
149 | |
150 | # The name of the parser module. | |
151 | my $name = "HTTPD"; | |
152 | ||
153 | # Variable to store the grabbed IP-address. | |
154 | my $address; | |
155 | ||
156 | # Variable to store the parsed event. | |
157 | my $message; | |
158 | ||
159 | # Loop through all lines, in case multiple one have | |
160 | # been passed. | |
161 | foreach my $line (@message) { | |
162 | # This will catch brute-force attacks against htaccess logins (username). | |
163 | if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) { | |
164 | # Store the grabbed IP-address. | |
165 | $address = $1; | |
166 | ||
167 | # Set event message. | |
168 | $message = "Possible WUI brute-force attack, wrong user: $2."; | |
169 | } | |
170 | ||
171 | # Detect htaccess password brute-forcing against a username. | |
172 | elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) { | |
173 | # Store the extracted IP-address. | |
174 | $address = $1; | |
175 | ||
176 | # Set event message. | |
177 | $message = "Possible WUI brute-force attack, wrong password for user: $2."; | |
178 | } | |
43fdb161 SS |
179 | |
180 | # Check if at least the IP-address information has been extracted. | |
181 | if (defined ($address)) { | |
182 | # Add the extracted values and event message to the actions array. | |
183 | push(@actions, "count $address $name $message"); | |
184 | } | |
55852ce7 SS |
185 | } |
186 | ||
43fdb161 SS |
187 | # If any actions are required, return the array. |
188 | if (@actions) { | |
189 | return @actions; | |
55852ce7 SS |
190 | } |
191 | ||
192 | # If we got here, the provided message is not affected by any filter and | |
193 | # therefore can be skipped. Return nothing (False) in this case. | |
194 | return; | |
195 | } | |
196 | ||
88d9af2c | 197 | 1; |