[people/stevee/guardian.git] / modules / Parser.pm

package Guardian::Parser;
use strict;
use warnings;

use Exporter qw(import);

our @EXPORT_OK = qw(IsSupportedParser Parser);

# This hash contains all supported parsers and which function
# has to be called to parse messages in the right way.
my %logfile_parsers = (
	"httpd" => \&message_parser_httpd,
	"owncloud" => \&message_parser_owncloud,
	"snort" => \&message_parser_snort,
	"ssh" => \&message_parser_ssh,
);

#
## The main parsing function.
#
## It is used to determine which sub-parser has to be used to
## parse the given message in the right way and to return if
## any action should be performed.
#
sub Parser ($$) {
        my ($parser, @message) = @_;

	# If no responsible message parser could be found, just return nothing.
	unless (exists($logfile_parsers{$parser})) {
		return;
	}

	# Call responsible message parser.
	my @actions = $logfile_parsers{$parser}->(@message);

	# In case an action has been returned, return it too. 
	if (@actions) {
		# Return which actions should be performed.
		return @actions;
	}

	# Return undef, if no actions are required.
	return undef;
}

#
## IsSupportedParser function.
#
## This very tiny function checks if a given parser name is available and
## therefore a supported parser.
#
## To perform these check, the function is going to lookup if a key in the
## hash of supported parsers is available
#
sub IsSupportedParser ($) {
	my $parser = $_[0];

	# Check if a key for the given parser exists in the hash of logfile_parsers.
	if(exists($logfile_parsers{$parser})) {
		# Found a valid parser, so return nothing.
		return 1;
	}

	# Return "False" if we got here, and therefore no parser
	# is available.
	return;
}

#
## The Snort message parser.
#
## This subfunction is responsible for parsing sort alerts and determine if
## an action should be performed.
#
## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
## later time.
#
sub message_parser_snort(@) {
	my @message = @_;
	my @actions;

	# Temporary array to store single alerts.
	my @alert;

	# The name of the parser module.
	my $name = "SNORT";

	# Default returned message in case no one could be grabbed
	# from the snort alert.
	my $message = "An active snort rule has matched and gained an alert.";

	# Snort uses a log buffer and a result of this, when detecting multiple
	# events at once, multiple alerts will be written at one time to the alert
	# file. They have to be seperated from each, to be able to parse them
	# individually.
	foreach my $line (@message) {
		# Remove any newlines.
		chomp($line);

		# A single alert contains multiple lines, push all of them
		# a temporary array.
		push(@alert, $line);

		# Each alert ends with an empty line, if one is found,
		# all lines of the current processed alert have been found
		# and pushed to the temporary array.
		if($line =~ /^\s*$/) {
			# Variable to store the grabbed IP-address.
			my $address;

			# Loop through all lines of the current alert.
			foreach my $line (@alert) {
				# Check Priority Level and skip the alert if it is to low.
				#if ($line =~ /.*\[Priority: (\d+)\].*/) {
				#	return unless($1 < $priority);
				#}

				# Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
				if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
					# Store the grabbed IP-address.
					$address = $1;
				}

				# Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
				elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
					# Store the obtained IP-address.
					$address = $1;
				}

				# Obtain the reported reason from the headline of the alert.
				if ($line =~ /.*\] (.*) \[\*\*\]/) {
					# Store the extracted message.
					$message = $1;
				}

				# If the reason could not be determined, try to obtain it from a msg field.
				elsif ($line =~ /.*msg:\"(.*)\".*/) {
					# Store the extracted message.
					$message = $1;
				}
			}

			# Check if at least the IP-address information has been extracted.
			if (defined ($address)) {
				# Add the extracted values and event message for the computed
				# event to the actions array.
				push(@actions, "count $address $name $message");
			}

			# The alert has been processed, clear the temporary array for storing
			# the next alert.
			@alert = ();
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return (@actions);
	}

	# If we got here, the alert could not be parsed correctly, or did not match any filter.
	# Therefore it can be skipped - return nothing.
	return;
}

#
## The SSH message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against the SSH service.
#
sub message_parser_ssh (@) {
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "SSH";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# Check for failed password attempts.
		if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
			# Store the grabbed IP-address.
			$address = $2;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack for user: $1.";
		}

		# This should catch Bruteforce Attacks with enabled preauth
		elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
			# Store obtained IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible SSH-Bruteforce Attack - failed preauth.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message for the computed
			# event to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return (@actions);
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

#
## The HTTPD message parser.
#
## This subfunction is used for parsing and detecting different attacks
## against a running HTTPD service.
#
sub message_parser_httpd (@) {
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "HTTPD";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		# This will catch brute-force attacks against htaccess logins (username).
		if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
			# Store the grabbed IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible WUI brute-force attack, wrong user: $2.";
		}

		# Detect htaccess password brute-forcing against a username.
		elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
			# Store the extracted IP-address.
			$address = $1;

			# Set event message.
			$message = "Possible WUI brute-force attack, wrong password for user: $2.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return @actions;
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

#
## The Owncloud message parser.
#
## This subfunction is used for parsing and detecting brute-force login
## attempts against a local running owncloud instance.
#
sub message_parser_owncloud (@) {
	my @message = @_;
	my @actions;

	# The name of the parser module.
	my $name = "Owncloud";

	# Variable to store the grabbed IP-address.
	my $address;

	# Variable to store the parsed event.
	my $message;

	# Loop through all lines, in case multiple one have
	# been passed.
	foreach my $line (@message) {
		 # This will catch brute-force attacks against the login (username).
		if ($line =~/.*\"Login failed: \'(.*)\' \(Remote IP: \'(.*)\'\,.*/) {
			# Store the grabbed user name.
			my $user = $1;

			# Store the grabbed IP-address.
			$address = $2;

			# Set event message.
			$message = "Possible brute-force attack, wrong password for user: $user.";
		}

		# Check if at least the IP-address information has been extracted.
		if (defined ($address)) {
			# Add the extracted values and event message to the actions array.
			push(@actions, "count $address $name $message");
		}
	}

	# If any actions are required, return the array.
	if (@actions) {
		return @actions;
	}

	# If we got here, the provided message is not affected by any filter and
	# therefore can be skipped. Return nothing (False) in this case.
	return;
}

1;
Commit	Line	Data
88d9af2c SS	1	package Guardian::Parser;
	2	use strict;
	3	use warnings;
	4
	5	use Exporter qw(import);
	6
cfe5a220	7	our @EXPORT_OK = qw(IsSupportedParser Parser);
88d9af2c	8
cfe5a220 SS	9	# This hash contains all supported parsers and which function
cfe5a220 SS	10	# has to be called to parse messages in the right way.
88d9af2c	11	my %logfile_parsers = (
55852ce7	12	"httpd" => \&message_parser_httpd,
7306aaf8	13	"owncloud" => \&message_parser_owncloud,
cfe5a220	14	"snort" => \&message_parser_snort,
0b1fe046	15	"ssh" => \&message_parser_ssh,
88d9af2c SS	16	);
	17
	18	#
	19	## The main parsing function.
	20	#
	21	## It is used to determine which sub-parser has to be used to
	22	## parse the given message in the right way and to return if
	23	## any action should be performed.
	24	#
	25	sub Parser ($$) {
cfe5a220	26	my ($parser, @message) = @_;
88d9af2c SS	27
88d9af2c SS	28	# If no responsible message parser could be found, just return nothing.
cfe5a220	29	unless (exists($logfile_parsers{$parser})) {
88d9af2c SS	30	return;
	31	}
	32
cfe5a220	33	# Call responsible message parser.
43fdb161	34	my @actions = $logfile_parsers{$parser}->(@message);
88d9af2c	35
8fba3c57	36	# In case an action has been returned, return it too.
43fdb161 SS	37	if (@actions) {
	38	# Return which actions should be performed.
	39	return @actions;
8fba3c57 SS	40	}
8fba3c57 SS	41
43fdb161	42	# Return undef, if no actions are required.
8fba3c57	43	return undef;
88d9af2c SS	44	}
88d9af2c SS	45
cfe5a220 SS	46	#
	47	## IsSupportedParser function.
	48	#
	49	## This very tiny function checks if a given parser name is available and
	50	## therefore a supported parser.
	51	#
	52	## To perform these check, the function is going to lookup if a key in the
	53	## hash of supported parsers is available
	54	#
	55	sub IsSupportedParser ($) {
	56	my $parser = $_[0];
	57
	58	# Check if a key for the given parser exists in the hash of logfile_parsers.
	59	if(exists($logfile_parsers{$parser})) {
	60	# Found a valid parser, so return nothing.
	61	return 1;
	62	}
	63
	64	# Return "False" if we got here, and therefore no parser
	65	# is available.
	66	return;
	67	}
	68
88d9af2c SS	69	#
	70	## The Snort message parser.
	71	#
	72	## This subfunction is responsible for parsing sort alerts and determine if
	73	## an action should be performed.
	74	#
53a02397 SS	75	## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
	76	## later time.
	77	#
	78	sub message_parser_snort(@) {
88d9af2c	79	my @message = @_;
8bc363c5 SS	80	my @actions;
	81
	82	# Temporary array to store single alerts.
	83	my @alert;
88d9af2c	84
53a02397 SS	85	# The name of the parser module.
	86	my $name = "SNORT";
	87
53a02397 SS	88	# Default returned message in case no one could be grabbed
	89	# from the snort alert.
	90	my $message = "An active snort rule has matched and gained an alert.";
	91
8bc363c5 SS	92	# Snort uses a log buffer and a result of this, when detecting multiple
	93	# events at once, multiple alerts will be written at one time to the alert
	94	# file. They have to be seperated from each, to be able to parse them
	95	# individually.
53a02397	96	foreach my $line (@message) {
8bc363c5 SS	97	# Remove any newlines.
	98	chomp($line);
	99
	100	# A single alert contains multiple lines, push all of them
	101	# a temporary array.
	102	push(@alert, $line);
	103
	104	# Each alert ends with an empty line, if one is found,
	105	# all lines of the current processed alert have been found
	106	# and pushed to the temporary array.
	107	if($line =~ /^\s*$/) {
	108	# Variable to store the grabbed IP-address.
	109	my $address;
	110
	111	# Loop through all lines of the current alert.
	112	foreach my $line (@alert) {
	113	# Check Priority Level and skip the alert if it is to low.
	114	#if ($line =~ /.\[Priority: (\d+)\]./) {
	115	# return unless($1 < $priority);
	116	#}
	117
	118	# Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
	119	if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
	120	# Store the grabbed IP-address.
	121	$address = $1;
	122	}
	123
	124	# Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
	125	elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
	126	# Store the obtained IP-address.
	127	$address = $1;
	128	}
	129
	130	# Obtain the reported reason from the headline of the alert.
	131	if ($line =~ /.\] (.) \[\\\]/) {
	132	# Store the extracted message.
	133	$message = $1;
	134	}
	135
	136	# If the reason could not be determined, try to obtain it from a msg field.
	137	elsif ($line =~ /.msg:\"(.)\".*/) {
	138	# Store the extracted message.
	139	$message = $1;
	140	}
	141	}
	142
	143	# Check if at least the IP-address information has been extracted.
	144	if (defined ($address)) {
	145	# Add the extracted values and event message for the computed
	146	# event to the actions array.
	147	push(@actions, "count $address $name $message");
	148	}
	149
	150	# The alert has been processed, clear the temporary array for storing
	151	# the next alert.
	152	@alert = ();
53a02397 SS	153	}
	154	}
	155
8bc363c5 SS	156	# If any actions are required, return the array.
	157	if (@actions) {
	158	return (@actions);
53a02397 SS	159	}
53a02397 SS	160
8bc363c5 SS	161	# If we got here, the alert could not be parsed correctly, or did not match any filter.
8bc363c5 SS	162	# Therefore it can be skipped - return nothing.
53a02397	163	return;
88d9af2c SS	164	}
88d9af2c SS	165
0b1fe046 SS	166	#
	167	## The SSH message parser.
	168	#
	169	## This subfunction is used for parsing and detecting different attacks
	170	## against the SSH service.
	171	#
	172	sub message_parser_ssh (@) {
	173	my @message = @_;
43fdb161	174	my @actions;
0b1fe046 SS	175
	176	# The name of the parser module.
	177	my $name = "SSH";
	178
	179	# Variable to store the grabbed IP-address.
	180	my $address;
	181
	182	# Variable to store the parsed event.
	183	my $message;
	184
	185	# Loop through all lines, in case multiple one have
	186	# been passed.
	187	foreach my $line (@message) {
	188	# Check for failed password attempts.
	189	if ($line =~/.sshd.Failed password for (.) from (.) port.*/) {
	190	# Store the grabbed IP-address.
	191	$address = $2;
	192
	193	# Set event message.
	194	$message = "Possible SSH-Bruteforce Attack for user: $1.";
	195	}
	196
	197	# This should catch Bruteforce Attacks with enabled preauth
	198	elsif ($line =~ /.sshd.Received disconnect from (.):.\[preauth\]/) {
	199	# Store obtained IP-address.
	200	$address = $1;
	201
	202	# Set event message.
	203	$message = "Possible SSH-Bruteforce Attack - failed preauth.";
	204	}
43fdb161 SS	205
	206	# Check if at least the IP-address information has been extracted.
	207	if (defined ($address)) {
	208	# Add the extracted values and event message for the computed
	209	# event to the actions array.
	210	push(@actions, "count $address $name $message");
	211	}
0b1fe046 SS	212	}
0b1fe046 SS	213
43fdb161 SS	214	# If any actions are required, return the array.
	215	if (@actions) {
	216	return (@actions);
0b1fe046 SS	217	}
	218
	219	# If we got here, the provided message is not affected by any filter and
	220	# therefore can be skipped. Return nothing (False) in this case.
	221	return;
	222	}
	223
55852ce7 SS	224	#
	225	## The HTTPD message parser.
	226	#
	227	## This subfunction is used for parsing and detecting different attacks
	228	## against a running HTTPD service.
	229	#
	230	sub message_parser_httpd (@) {
	231	my @message = @_;
43fdb161	232	my @actions;
55852ce7 SS	233
	234	# The name of the parser module.
	235	my $name = "HTTPD";
	236
	237	# Variable to store the grabbed IP-address.
	238	my $address;
	239
	240	# Variable to store the parsed event.
	241	my $message;
	242
	243	# Loop through all lines, in case multiple one have
	244	# been passed.
	245	foreach my $line (@message) {
	246	# This will catch brute-force attacks against htaccess logins (username).
	247	if ($line =~ /.\[error\] \[client (.)\] user(.) not found:./) {
	248	# Store the grabbed IP-address.
	249	$address = $1;
	250
	251	# Set event message.
	252	$message = "Possible WUI brute-force attack, wrong user: $2.";
	253	}
	254
	255	# Detect htaccess password brute-forcing against a username.
	256	elsif ($line =~ /.\[error\] \[client (.)\] user(.): authentication failure for./) {
	257	# Store the extracted IP-address.
	258	$address = $1;
	259
	260	# Set event message.
	261	$message = "Possible WUI brute-force attack, wrong password for user: $2.";
	262	}
43fdb161 SS	263
	264	# Check if at least the IP-address information has been extracted.
	265	if (defined ($address)) {
	266	# Add the extracted values and event message to the actions array.
	267	push(@actions, "count $address $name $message");
	268	}
55852ce7 SS	269	}
55852ce7 SS	270
43fdb161 SS	271	# If any actions are required, return the array.
	272	if (@actions) {
	273	return @actions;
55852ce7 SS	274	}
	275
	276	# If we got here, the provided message is not affected by any filter and
	277	# therefore can be skipped. Return nothing (False) in this case.
	278	return;
	279	}
	280
7306aaf8 SS	281	#
	282	## The Owncloud message parser.
	283	#
	284	## This subfunction is used for parsing and detecting brute-force login
	285	## attempts against a local running owncloud instance.
	286	#
	287	sub message_parser_owncloud (@) {
	288	my @message = @_;
	289	my @actions;
	290
	291	# The name of the parser module.
	292	my $name = "Owncloud";
	293
	294	# Variable to store the grabbed IP-address.
	295	my $address;
	296
	297	# Variable to store the parsed event.
	298	my $message;
	299
	300	# Loop through all lines, in case multiple one have
	301	# been passed.
	302	foreach my $line (@message) {
	303	# This will catch brute-force attacks against the login (username).
	304	if ($line =~/.\"Login failed: \'(.)\' \(Remote IP: \'(.)\'\,./) {
	305	# Store the grabbed user name.
	306	my $user = $1;
	307
	308	# Store the grabbed IP-address.
	309	$address = $2;
	310
	311	# Set event message.
	312	$message = "Possible brute-force attack, wrong password for user: $user.";
	313	}
	314
	315	# Check if at least the IP-address information has been extracted.
	316	if (defined ($address)) {
	317	# Add the extracted values and event message to the actions array.
	318	push(@actions, "count $address $name $message");
	319	}
	320	}
	321
	322	# If any actions are required, return the array.
	323	if (@actions) {
	324	return @actions;
	325	}
	326
	327	# If we got here, the provided message is not affected by any filter and
	328	# therefore can be skipped. Return nothing (False) in this case.
	329	return;
	330	}
	331
88d9af2c	332	1;