]> git.ipfire.org Git - people/stevee/guardian.git/blob - modules/Parser.pm
projects / people / stevee / guardian.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Introduce message parser for SSH related notifications.
[people/stevee/guardian.git] / modules / Parser.pm
1 package Guardian::Parser;
2 use strict;
3 use warnings;
4
5 use Exporter qw(import);
6
7 our @EXPORT_OK = qw(IsSupportedParser Parser);
8
9 # This hash contains all supported parsers and which function
10 # has to be called to parse messages in the right way.
11 my %logfile_parsers = (
12 "snort" => \&message_parser_snort,
13 "ssh" => \&message_parser_ssh,
14 );
15
16 #
17 ## The main parsing function.
18 #
19 ## It is used to determine which sub-parser has to be used to
20 ## parse the given message in the right way and to return if
21 ## any action should be performed.
22 #
23 sub Parser ($$) {
24 my ($parser, @message) = @_;
25
26 # If no responsible message parser could be found, just return nothing.
27 unless (exists($logfile_parsers{$parser})) {
28 return;
29 }
30
31 # Call responsible message parser.
32 my $action = $logfile_parsers{$parser}->(@message);
33
34 # Return which action should be performed.
35 return "count $action";
36 }
37
38 #
39 ## IsSupportedParser function.
40 #
41 ## This very tiny function checks if a given parser name is available and
42 ## therefore a supported parser.
43 #
44 ## To perform these check, the function is going to lookup if a key in the
45 ## hash of supported parsers is available
46 #
47 sub IsSupportedParser ($) {
48 my $parser = $_[0];
49
50 # Check if a key for the given parser exists in the hash of logfile_parsers.
51 if(exists($logfile_parsers{$parser})) {
52 # Found a valid parser, so return nothing.
53 return 1;
54 }
55
56 # Return "False" if we got here, and therefore no parser
57 # is available.
58 return;
59 }
60
61 #
62 ## The Snort message parser.
63 #
64 ## This subfunction is responsible for parsing sort alerts and determine if
65 ## an action should be performed.
66 #
67 sub message_parser_snort($) {
68 my @message = @_;
69
70 # XXX
71 # Currently this parser just returns a simple message.
72 return "$message[0] SNORT A simple Snort Message";
73 }
74
75 #
76 ## The SSH message parser.
77 #
78 ## This subfunction is used for parsing and detecting different attacks
79 ## against the SSH service.
80 #
81 sub message_parser_ssh (@) {
82 my @message = @_;
83
84 # The name of the parser module.
85 my $name = "SSH";
86
87 # Variable to store the grabbed IP-address.
88 my $address;
89
90 # Variable to store the parsed event.
91 my $message;
92
93 # Loop through all lines, in case multiple one have
94 # been passed.
95 foreach my $line (@message) {
96 # Check for failed password attempts.
97 if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
98 # Store the grabbed IP-address.
99 $address = $2;
100
101 # Set event message.
102 $message = "Possible SSH-Bruteforce Attack for user: $1.";
103 }
104
105 # This should catch Bruteforce Attacks with enabled preauth
106 elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
107 # Store obtained IP-address.
108 $address = $1;
109
110 # Set event message.
111 $message = "Possible SSH-Bruteforce Attack - failed preauth.";
112 }
113 }
114
115 # Check if at least the IP-address information has been extracted.
116 if (defined ($address)) {
117 # Return the extracted values and event message.
118 return "$address $name $message";
119 }
120
121 # If we got here, the provided message is not affected by any filter and
122 # therefore can be skipped. Return nothing (False) in this case.
123 return;
124 }
125
126 1;
A perl written Intrusion Prevention System.