use Exporter qw(import);
-our @EXPORT_OK = qw(Parser);
+our @EXPORT_OK = qw(IsSupportedParser Parser);
-# This hash contains all supported logfiles and which function
-# has to be called to parse them in the right way.
+# This hash contains all supported parsers and which function
+# has to be called to parse messages in the right way.
my %logfile_parsers = (
- "/var/log/snort/alert" => \&message_parser_snort,
+ "httpd" => \&message_parser_httpd,
+ "snort" => \&message_parser_snort,
+ "ssh" => \&message_parser_ssh,
);
#
## any action should be performed.
#
sub Parser ($$) {
- my ($file, @message) = @_;
+ my ($parser, @message) = @_;
# If no responsible message parser could be found, just return nothing.
- unless (exists($logfile_parsers{$file})) {
+ unless (exists($logfile_parsers{$parser})) {
return;
}
- # Call responsible logfile parser.
- my $action = $logfile_parsers{$file}->(@message);
+ # Call responsible message parser.
+ my @actions = $logfile_parsers{$parser}->(@message);
- # Return which action should be performed.
- return "count $action";
+ # In case an action has been returned, return it too.
+ if (@actions) {
+ # Return which actions should be performed.
+ return @actions;
+ }
+
+ # Return undef, if no actions are required.
+ return undef;
+}
+
+#
+## IsSupportedParser function.
+#
+## This very tiny function checks if a given parser name is available and
+## therefore a supported parser.
+#
+## To perform these check, the function is going to lookup if a key in the
+## hash of supported parsers is available
+#
+sub IsSupportedParser ($) {
+ my $parser = $_[0];
+
+ # Check if a key for the given parser exists in the hash of logfile_parsers.
+ if(exists($logfile_parsers{$parser})) {
+ # Found a valid parser, so return nothing.
+ return 1;
+ }
+
+ # Return "False" if we got here, and therefore no parser
+ # is available.
+ return;
}
#
## This subfunction is responsible for parsing sort alerts and determine if
## an action should be performed.
#
-sub message_parser_snort($) {
+## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
+## later time.
+#
+sub message_parser_snort(@) {
+ my @message = @_;
+ my @actions;
+
+ # Temporary array to store single alerts.
+ my @alert;
+
+ # The name of the parser module.
+ my $name = "SNORT";
+
+ # Default returned message in case no one could be grabbed
+ # from the snort alert.
+ my $message = "An active snort rule has matched and gained an alert.";
+
+ # Snort uses a log buffer and a result of this, when detecting multiple
+ # events at once, multiple alerts will be written at one time to the alert
+ # file. They have to be seperated from each, to be able to parse them
+ # individually.
+ foreach my $line (@message) {
+ # Remove any newlines.
+ chomp($line);
+
+ # A single alert contains multiple lines, push all of them
+ # a temporary array.
+ push(@alert, $line);
+
+ # Each alert ends with an empty line, if one is found,
+ # all lines of the current processed alert have been found
+ # and pushed to the temporary array.
+ if($line =~ /^\s*$/) {
+ # Variable to store the grabbed IP-address.
+ my $address;
+
+ # Loop through all lines of the current alert.
+ foreach my $line (@alert) {
+ # Check Priority Level and skip the alert if it is to low.
+ #if ($line =~ /.*\[Priority: (\d+)\].*/) {
+ # return unless($1 < $priority);
+ #}
+
+ # Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
+ if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
+ # Store the grabbed IP-address.
+ $address = $1;
+ }
+
+ # Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
+ elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
+ # Store the obtained IP-address.
+ $address = $1;
+ }
+
+ # Obtain the reported reason from the headline of the alert.
+ if ($line =~ /.*\] (.*) \[\*\*\]/) {
+ # Store the extracted message.
+ $message = $1;
+ }
+
+ # If the reason could not be determined, try to obtain it from a msg field.
+ elsif ($line =~ /.*msg:\"(.*)\".*/) {
+ # Store the extracted message.
+ $message = $1;
+ }
+ }
+
+ # Check if at least the IP-address information has been extracted.
+ if (defined ($address)) {
+ # Add the extracted values and event message for the computed
+ # event to the actions array.
+ push(@actions, "count $address $name $message");
+ }
+
+ # The alert has been processed, clear the temporary array for storing
+ # the next alert.
+ @alert = ();
+ }
+ }
+
+ # If any actions are required, return the array.
+ if (@actions) {
+ return (@actions);
+ }
+
+ # If we got here, the alert could not be parsed correctly, or did not match any filter.
+ # Therefore it can be skipped - return nothing.
+ return;
+}
+
+#
+## The SSH message parser.
+#
+## This subfunction is used for parsing and detecting different attacks
+## against the SSH service.
+#
+sub message_parser_ssh (@) {
+ my @message = @_;
+ my @actions;
+
+ # The name of the parser module.
+ my $name = "SSH";
+
+ # Variable to store the grabbed IP-address.
+ my $address;
+
+ # Variable to store the parsed event.
+ my $message;
+
+ # Loop through all lines, in case multiple one have
+ # been passed.
+ foreach my $line (@message) {
+ # Check for failed password attempts.
+ if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) {
+ # Store the grabbed IP-address.
+ $address = $2;
+
+ # Set event message.
+ $message = "Possible SSH-Bruteforce Attack for user: $1.";
+ }
+
+ # This should catch Bruteforce Attacks with enabled preauth
+ elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) {
+ # Store obtained IP-address.
+ $address = $1;
+
+ # Set event message.
+ $message = "Possible SSH-Bruteforce Attack - failed preauth.";
+ }
+
+ # Check if at least the IP-address information has been extracted.
+ if (defined ($address)) {
+ # Add the extracted values and event message for the computed
+ # event to the actions array.
+ push(@actions, "count $address $name $message");
+ }
+ }
+
+ # If any actions are required, return the array.
+ if (@actions) {
+ return (@actions);
+ }
+
+ # If we got here, the provided message is not affected by any filter and
+ # therefore can be skipped. Return nothing (False) in this case.
+ return;
+}
+
+#
+## The HTTPD message parser.
+#
+## This subfunction is used for parsing and detecting different attacks
+## against a running HTTPD service.
+#
+sub message_parser_httpd (@) {
my @message = @_;
+ my @actions;
+
+ # The name of the parser module.
+ my $name = "HTTPD";
+
+ # Variable to store the grabbed IP-address.
+ my $address;
+
+ # Variable to store the parsed event.
+ my $message;
+
+ # Loop through all lines, in case multiple one have
+ # been passed.
+ foreach my $line (@message) {
+ # This will catch brute-force attacks against htaccess logins (username).
+ if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
+ # Store the grabbed IP-address.
+ $address = $1;
+
+ # Set event message.
+ $message = "Possible WUI brute-force attack, wrong user: $2.";
+ }
+
+ # Detect htaccess password brute-forcing against a username.
+ elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
+ # Store the extracted IP-address.
+ $address = $1;
+
+ # Set event message.
+ $message = "Possible WUI brute-force attack, wrong password for user: $2.";
+ }
+
+ # Check if at least the IP-address information has been extracted.
+ if (defined ($address)) {
+ # Add the extracted values and event message to the actions array.
+ push(@actions, "count $address $name $message");
+ }
+ }
+
+ # If any actions are required, return the array.
+ if (@actions) {
+ return @actions;
+ }
- # XXX
- # Currently this parser just returns a simple message.
- return "$message[0] SNORT A simple Snort Message";
+ # If we got here, the provided message is not affected by any filter and
+ # therefore can be skipped. Return nothing (False) in this case.
+ return;
}
1;