]> git.ipfire.org Git - people/stevee/guardian.git/blob - modules/Parser.pm
projects / people / stevee / guardian.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'ssh-parser'
[people/stevee/guardian.git] / modules / Parser.pm
1 package Guardian::Parser;
2 use strict;
3 use warnings;
4
5 use Exporter qw(import);
6
7 our @EXPORT_OK = qw(IsSupportedParser Parser);
8
9 # This hash contains all supported parsers and which function
10 # has to be called to parse messages in the right way.
11 my %logfile_parsers = (
12 "snort" => \&message_parser_snort,
13 "ssh" => \&message_parser_ssh,
14 );
15
16 #
17 ## The main parsing function.
18 #
19 ## It is used to determine which sub-parser has to be used to
20 ## parse the given message in the right way and to return if
21 ## any action should be performed.
22 #
23 sub Parser ($$) {
24 my ($parser, @message) = @_;
25
26 # If no responsible message parser could be found, just return nothing.
27 unless (exists($logfile_parsers{$parser})) {
28 return;
29 }
30
31 # Call responsible message parser.
32 my $action = $logfile_parsers{$parser}->(@message);
33
34 # In case an action has been returned, return it too.
35 if (defined($action)) {
36 # Return which action should be performed.
37 return "count $action";
38 }
39
40 # Return undef, no action required.
41 return undef;
42 }
43
44 #
45 ## IsSupportedParser function.
46 #
47 ## This very tiny function checks if a given parser name is available and
48 ## therefore a supported parser.
49 #
50 ## To perform these check, the function is going to lookup if a key in the
51 ## hash of supported parsers is available
52 #
53 sub IsSupportedParser ($) {
54 my $parser = $_[0];
55
56 # Check if a key for the given parser exists in the hash of logfile_parsers.
57 if(exists($logfile_parsers{$parser})) {
58 # Found a valid parser, so return nothing.
59 return 1;
60 }
61
62 # Return "False" if we got here, and therefore no parser
63 # is available.
64 return;
65 }
66
67 #
68 ## The Snort message parser.
69 #
70 ## This subfunction is responsible for parsing sort alerts and determine if
71 ## an action should be performed.
72 #
73 sub message_parser_snort($) {
74 my @message = @_;
75
76 # XXX
77 # Currently this parser just returns a simple message.
78 return "$message[0] SNORT A simple Snort Message";
79 }
80
81 #
82 ## The SSH message parser.
83 #
84 ## This subfunction is used for parsing and detecting different attacks
85 ## against the SSH service.
86 #
87 sub message_parser_ssh (@) {
88 my @message = @_;
89
90 # The name of the parser module.
91 my $name = "SSH";
92
93 # Variable to store the grabbed IP-address.
94 my $address;
95
96 # Variable to store the parsed event.
97 my $message;
98
99 # Loop through all lines, in case multiple one have
100 # been passed.
101 foreach my $line (@message) {
102 # Check for failed password attempts.
103 if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
104 # Store the grabbed IP-address.
105 $address = $2;
106
107 # Set event message.
108 $message = "Possible SSH-Bruteforce Attack for user: $1.";
109 }
110
111 # This should catch Bruteforce Attacks with enabled preauth
112 elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
113 # Store obtained IP-address.
114 $address = $1;
115
116 # Set event message.
117 $message = "Possible SSH-Bruteforce Attack - failed preauth.";
118 }
119 }
120
121 # Check if at least the IP-address information has been extracted.
122 if (defined ($address)) {
123 # Return the extracted values and event message.
124 return "$address $name $message";
125 }
126
127 # If we got here, the provided message is not affected by any filter and
128 # therefore can be skipped. Return nothing (False) in this case.
129 return;
130 }
131
132 1;
A perl written Intrusion Prevention System.