1 package Guardian
::Parser
;
5 use Exporter
qw(import);
7 our @EXPORT_OK = qw(IsSupportedParser Parser);
9 # This hash contains all supported parsers and which function
10 # has to be called to parse messages in the right way.
11 my %logfile_parsers = (
12 "snort" => \
&message_parser_snort
,
13 "ssh" => \
&message_parser_ssh
,
17 ## The main parsing function.
19 ## It is used to determine which sub-parser has to be used to
20 ## parse the given message in the right way and to return if
21 ## any action should be performed.
24 my ($parser, @message) = @_;
26 # If no responsible message parser could be found, just return nothing.
27 unless (exists($logfile_parsers{$parser})) {
31 # Call responsible message parser.
32 my $action = $logfile_parsers{$parser}->(@message);
34 # Return which action should be performed.
35 return "count $action";
39 ## IsSupportedParser function.
41 ## This very tiny function checks if a given parser name is available and
42 ## therefore a supported parser.
44 ## To perform this check, the function looks up whether a key for the
45 ## given parser name exists in the hash of supported parsers.
47 sub IsSupportedParser
($) {
50 # Check if a key for the given parser exists in the hash of logfile_parsers.
51 if(exists($logfile_parsers{$parser})) {
52 # Found a valid parser, so return nothing.
56 # Return "False" if we got here, and therefore no parser
62 ## The Snort message parser.
64 ## This subfunction is responsible for parsing Snort alerts and determining
65 ## whether an action should be performed.
67 sub message_parser_snort
($) {
71 # Currently this parser just returns a simple message.
72 return "$message[0] SNORT A simple Snort Message";
76 ## The SSH message parser.
78 ## This subfunction is used for parsing and detecting different attacks
79 ## against the SSH service.
81 sub message_parser_ssh
(@
) {
84 # The name of the parser module.
87 # Variable to store the grabbed IP-address.
90 # Variable to store the parsed event.
93 # Loop through all lines, in case multiple one have
95 foreach my $line (@message) {
96 # Check for failed password attempts.
97 if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
98 # Store the grabbed IP-address.
102 $message = "Possible SSH-Bruteforce Attack for user: $1.";
105 # This should catch Bruteforce Attacks with enabled preauth
106 elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
107 # Store obtained IP-address.
111 $message = "Possible SSH-Bruteforce Attack - failed preauth.";
115 # Check if at least the IP-address information has been extracted.
116 if (defined ($address)) {
117 # Return the extracted values and event message.
118 return "$address $name $message";
121 # If we got here, the provided message is not affected by any filter and
122 # therefore can be skipped. Return nothing (False) in this case.