]>
git.ipfire.org Git - people/stevee/guardian.git/blob - modules/Parser.pm
255e6cc3012aa80e54df13639f2f5d02794e8a07
1 package Guardian
::Parser
;
5 use Exporter
qw(import);
7 our @EXPORT_OK = qw(IsSupportedParser Parser);
9 # This hash contains all supported parsers and which function
10 # has to be called to parse messages in the right way.
11 my %logfile_parsers = (
12 "httpd" => \
&message_parser_httpd
,
13 "snort" => \
&message_parser_snort
,
14 "ssh" => \
&message_parser_ssh
,
18 ## The main parsing function.
20 ## It is used to determine which sub-parser has to be used to
21 ## parse the given message in the right way and to return if
22 ## any action should be performed.
25 my ($parser, @message) = @_;
27 # If no responsible message parser could be found, just return nothing.
28 unless (exists($logfile_parsers{$parser})) {
32 # Call responsible message parser.
33 my @actions = $logfile_parsers{$parser}->(@message);
35 # In case an action has been returned, return it too.
37 # Return which actions should be performed.
41 # Return undef, if no actions are required.
46 ## IsSupportedParser function.
48 ## This very tiny function checks if a given parser name is available and
49 ## therefore a supported parser.
51 ## To perform these check, the function is going to lookup if a key in the
52 ## hash of supported parsers is available
54 sub IsSupportedParser
($) {
57 # Check if a key for the given parser exists in the hash of logfile_parsers.
58 if(exists($logfile_parsers{$parser})) {
59 # Found a valid parser, so return nothing.
63 # Return "False" if we got here, and therefore no parser
69 ## The Snort message parser.
71 ## This subfunction is responsible for parsing sort alerts and determine if
72 ## an action should be performed.
74 ## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
77 sub message_parser_snort
(@
) {
80 # The name of the parser module.
83 # Variable to store the grabbed IP-address.
86 # Default returned message in case no one could be grabbed
87 # from the snort alert.
88 my $message = "An active snort rule has matched and gained an alert.";
90 # A snort alert contains multiple lines, loop through all lines
91 # to parse the complete alert.
92 foreach my $line (@message) {
93 # Check Priority Level and skip the alert if it is to low.
94 #if ($line =~ /.*\[Priority: (\d+)\].*/) {
95 # return unless($1 < $priority);
98 # Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
99 if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
100 # Store the grabbed IP-address.
104 # Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
105 elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
106 # Store the obtained IP-address.
110 # Obtain the reported reason.
111 if ($line =~ /.*msg:\"(.*)\".*/) {
112 # Store the extracted message.
117 # Check if at least the IP-address information are obtained from the
120 # Return the extracted values.
121 return "$address $name $message";
124 # If we got here, the alert could not be parsed correctly, return nothing.
129 ## The SSH message parser.
131 ## This subfunction is used for parsing and detecting different attacks
132 ## against the SSH service.
134 sub message_parser_ssh
(@
) {
138 # The name of the parser module.
141 # Variable to store the grabbed IP-address.
144 # Variable to store the parsed event.
147 # Loop through all lines, in case multiple one have
149 foreach my $line (@message) {
150 # Check for failed password attempts.
151 if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
152 # Store the grabbed IP-address.
156 $message = "Possible SSH-Bruteforce Attack for user: $1.";
159 # This should catch Bruteforce Attacks with enabled preauth
160 elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
161 # Store obtained IP-address.
165 $message = "Possible SSH-Bruteforce Attack - failed preauth.";
168 # Check if at least the IP-address information has been extracted.
169 if (defined ($address)) {
170 # Add the extracted values and event message for the computed
171 # event to the actions array.
172 push(@actions, "count $address $name $message");
176 # If any actions are required, return the array.
181 # If we got here, the provided message is not affected by any filter and
182 # therefore can be skipped. Return nothing (False) in this case.
187 ## The HTTPD message parser.
189 ## This subfunction is used for parsing and detecting different attacks
190 ## against a running HTTPD service.
192 sub message_parser_httpd
(@
) {
196 # The name of the parser module.
199 # Variable to store the grabbed IP-address.
202 # Variable to store the parsed event.
205 # Loop through all lines, in case multiple one have
207 foreach my $line (@message) {
208 # This will catch brute-force attacks against htaccess logins (username).
209 if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
210 # Store the grabbed IP-address.
214 $message = "Possible WUI brute-force attack, wrong user: $2.";
217 # Detect htaccess password brute-forcing against a username.
218 elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
219 # Store the extracted IP-address.
223 $message = "Possible WUI brute-force attack, wrong password for user: $2.";
226 # Check if at least the IP-address information has been extracted.
227 if (defined ($address)) {
228 # Add the extracted values and event message to the actions array.
229 push(@actions, "count $address $name $message");
233 # If any actions are required, return the array.
238 # If we got here, the provided message is not affected by any filter and
239 # therefore can be skipped. Return nothing (False) in this case.