]> git.ipfire.org Git - people/stevee/guardian.git/blob - modules/Parser.pm
projects / people / stevee / guardian.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Improve snort parser.
[people/stevee/guardian.git] / modules / Parser.pm
1 package Guardian::Parser;
2 use strict;
3 use warnings;
4
5 use Exporter qw(import);
6
7 our @EXPORT_OK = qw(IsSupportedParser Parser);
8
9 # This hash contains all supported parsers and which function
10 # has to be called to parse messages in the right way.
11 my %logfile_parsers = (
12 "httpd" => \&message_parser_httpd,
13 "snort" => \&message_parser_snort,
14 "ssh" => \&message_parser_ssh,
15 );
16
17 #
18 ## The main parsing function.
19 #
20 ## It is used to determine which sub-parser has to be used to
21 ## parse the given message in the right way and to return if
22 ## any action should be performed.
23 #
24 sub Parser ($$) {
25 my ($parser, @message) = @_;
26
27 # If no responsible message parser could be found, just return nothing.
28 unless (exists($logfile_parsers{$parser})) {
29 return;
30 }
31
32 # Call responsible message parser.
33 my @actions = $logfile_parsers{$parser}->(@message);
34
35 # In case an action has been returned, return it too.
36 if (@actions) {
37 # Return which actions should be performed.
38 return @actions;
39 }
40
41 # Return undef, if no actions are required.
42 return undef;
43 }
44
45 #
46 ## IsSupportedParser function.
47 #
48 ## This very tiny function checks if a given parser name is available and
49 ## therefore a supported parser.
50 #
51 ## To perform these check, the function is going to lookup if a key in the
52 ## hash of supported parsers is available
53 #
54 sub IsSupportedParser ($) {
55 my $parser = $_[0];
56
57 # Check if a key for the given parser exists in the hash of logfile_parsers.
58 if(exists($logfile_parsers{$parser})) {
59 # Found a valid parser, so return nothing.
60 return 1;
61 }
62
63 # Return "False" if we got here, and therefore no parser
64 # is available.
65 return;
66 }
67
68 #
69 ## The Snort message parser.
70 #
71 ## This subfunction is responsible for parsing sort alerts and determine if
72 ## an action should be performed.
73 #
74 ## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
75 ## later time.
76 #
77 sub message_parser_snort(@) {
78 my @message = @_;
79 my @actions;
80
81 # Temporary array to store single alerts.
82 my @alert;
83
84 # The name of the parser module.
85 my $name = "SNORT";
86
87 # Default returned message in case no one could be grabbed
88 # from the snort alert.
89 my $message = "An active snort rule has matched and gained an alert.";
90
91 # Snort uses a log buffer and a result of this, when detecting multiple
92 # events at once, multiple alerts will be written at one time to the alert
93 # file. They have to be seperated from each, to be able to parse them
94 # individually.
95 foreach my $line (@message) {
96 # Remove any newlines.
97 chomp($line);
98
99 # A single alert contains multiple lines, push all of them
100 # a temporary array.
101 push(@alert, $line);
102
103 # Each alert ends with an empty line, if one is found,
104 # all lines of the current processed alert have been found
105 # and pushed to the temporary array.
106 if($line =~ /^\s*$/) {
107 # Variable to store the grabbed IP-address.
108 my $address;
109
110 # Loop through all lines of the current alert.
111 foreach my $line (@alert) {
112 # Check Priority Level and skip the alert if it is to low.
113 #if ($line =~ /.*\[Priority: (\d+)\].*/) {
114 # return unless($1 < $priority);
115 #}
116
117 # Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
118 if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
119 # Store the grabbed IP-address.
120 $address = $1;
121 }
122
123 # Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
124 elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
125 # Store the obtained IP-address.
126 $address = $1;
127 }
128
129 # Obtain the reported reason from the headline of the alert.
130 if ($line =~ /.*\] (.*) \[\*\*\]/) {
131 # Store the extracted message.
132 $message = $1;
133 }
134
135 # If the reason could not be determined, try to obtain it from a msg field.
136 elsif ($line =~ /.*msg:\"(.*)\".*/) {
137 # Store the extracted message.
138 $message = $1;
139 }
140 }
141
142 # Check if at least the IP-address information has been extracted.
143 if (defined ($address)) {
144 # Add the extracted values and event message for the computed
145 # event to the actions array.
146 push(@actions, "count $address $name $message");
147 }
148
149 # The alert has been processed, clear the temporary array for storing
150 # the next alert.
151 @alert = ();
152 }
153 }
154
155 # If any actions are required, return the array.
156 if (@actions) {
157 return (@actions);
158 }
159
160 # If we got here, the alert could not be parsed correctly, or did not match any filter.
161 # Therefore it can be skipped - return nothing.
162 return;
163 }
164
165 #
166 ## The SSH message parser.
167 #
168 ## This subfunction is used for parsing and detecting different attacks
169 ## against the SSH service.
170 #
171 sub message_parser_ssh (@) {
172 my @message = @_;
173 my @actions;
174
175 # The name of the parser module.
176 my $name = "SSH";
177
178 # Variable to store the grabbed IP-address.
179 my $address;
180
181 # Variable to store the parsed event.
182 my $message;
183
184 # Loop through all lines, in case multiple one have
185 # been passed.
186 foreach my $line (@message) {
187 # Check for failed password attempts.
188 if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
189 # Store the grabbed IP-address.
190 $address = $2;
191
192 # Set event message.
193 $message = "Possible SSH-Bruteforce Attack for user: $1.";
194 }
195
196 # This should catch Bruteforce Attacks with enabled preauth
197 elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
198 # Store obtained IP-address.
199 $address = $1;
200
201 # Set event message.
202 $message = "Possible SSH-Bruteforce Attack - failed preauth.";
203 }
204
205 # Check if at least the IP-address information has been extracted.
206 if (defined ($address)) {
207 # Add the extracted values and event message for the computed
208 # event to the actions array.
209 push(@actions, "count $address $name $message");
210 }
211 }
212
213 # If any actions are required, return the array.
214 if (@actions) {
215 return (@actions);
216 }
217
218 # If we got here, the provided message is not affected by any filter and
219 # therefore can be skipped. Return nothing (False) in this case.
220 return;
221 }
222
223 #
224 ## The HTTPD message parser.
225 #
226 ## This subfunction is used for parsing and detecting different attacks
227 ## against a running HTTPD service.
228 #
229 sub message_parser_httpd (@) {
230 my @message = @_;
231 my @actions;
232
233 # The name of the parser module.
234 my $name = "HTTPD";
235
236 # Variable to store the grabbed IP-address.
237 my $address;
238
239 # Variable to store the parsed event.
240 my $message;
241
242 # Loop through all lines, in case multiple one have
243 # been passed.
244 foreach my $line (@message) {
245 # This will catch brute-force attacks against htaccess logins (username).
246 if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
247 # Store the grabbed IP-address.
248 $address = $1;
249
250 # Set event message.
251 $message = "Possible WUI brute-force attack, wrong user: $2.";
252 }
253
254 # Detect htaccess password brute-forcing against a username.
255 elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
256 # Store the extracted IP-address.
257 $address = $1;
258
259 # Set event message.
260 $message = "Possible WUI brute-force attack, wrong password for user: $2.";
261 }
262
263 # Check if at least the IP-address information has been extracted.
264 if (defined ($address)) {
265 # Add the extracted values and event message to the actions array.
266 push(@actions, "count $address $name $message");
267 }
268 }
269
270 # If any actions are required, return the array.
271 if (@actions) {
272 return @actions;
273 }
274
275 # If we got here, the provided message is not affected by any filter and
276 # therefore can be skipped. Return nothing (False) in this case.
277 return;
278 }
279
280 1;
A perl written Intrusion Prevention System.