# has to be called to parse messages in the right way.
my %logfile_parsers = (
"snort" => \&message_parser_snort,
+ "ssh" => \&message_parser_ssh,
);
#
# Call responsible message parser.
my $action = $logfile_parsers{$parser}->(@message);
- # Return which action should be performed.
- return "count $action";
+ # In case an action has been returned, return it too.
+ if (defined($action)) {
+ # Return which action should be performed.
+ return "count $action";
+ }
+
+ # Return undef, no action required.
+ return undef;
}
#
return "$message[0] SNORT A simple Snort Message";
}
+#
+## The SSH message parser.
+#
+## This subfunction is used for parsing and detecting different attacks
+## against the SSH service.
+#
+sub message_parser_ssh (@) {
+ my @message = @_;
+
+ # The name of the parser module.
+ my $name = "SSH";
+
+ # Variable to store the grabbed IP-address.
+ my $address;
+
+ # Variable to store the parsed event.
+ my $message;
+
+ # Loop through all lines, in case multiple one have
+ # been passed.
+ foreach my $line (@message) {
+ # Check for failed password attempts.
+ if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
+ # Store the grabbed IP-address.
+ $address = $2;
+
+ # Set event message.
+ $message = "Possible SSH-Bruteforce Attack for user: $1.";
+ }
+
+ # This should catch Bruteforce Attacks with enabled preauth
+ elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
+ # Store obtained IP-address.
+ $address = $1;
+
+ # Set event message.
+ $message = "Possible SSH-Bruteforce Attack - failed preauth.";
+ }
+ }
+
+ # Check if at least the IP-address information has been extracted.
+ if (defined ($address)) {
+ # Return the extracted values and event message.
+ return "$address $name $message";
+ }
+
+ # If we got here, the provided message is not affected by any filter and
+ # therefore can be skipped. Return nothing (False) in this case.
+ return;
+}
+
1;
projects / people / stevee / guardian.git / blobdiff