X-Git-Url: http://git.ipfire.org/?p=people%2Fstevee%2Fguardian.git;a=blobdiff_plain;f=modules%2FParser.pm;fp=modules%2FParser.pm;h=255e6cc3012aa80e54df13639f2f5d02794e8a07;hp=db54cf35f95f2cae7910556ffe297d70df844d50;hb=945fab35dbc028da7a1b2d790abec10cb97a6edd;hpb=53a023971f734c0ea15e7ce46acc5b0bd0954076 diff --git a/modules/Parser.pm b/modules/Parser.pm index db54cf3..255e6cc 100644 --- a/modules/Parser.pm +++ b/modules/Parser.pm @@ -9,7 +9,9 @@ our @EXPORT_OK = qw(IsSupportedParser Parser); # This hash contains all supported parsers and which function # has to be called to parse messages in the right way. my %logfile_parsers = ( + "httpd" => \&message_parser_httpd, "snort" => \&message_parser_snort, + "ssh" => \&message_parser_ssh, ); # @@ -28,18 +30,16 @@ sub Parser ($$) { } # Call responsible message parser. - my $action = $logfile_parsers{$parser}->(@message); + my @actions = $logfile_parsers{$parser}->(@message); - # If the parser successfully parsed the message, an action - # has been returned. - if ($action) { - # Return which action should be performed. - return "count $action"; + # In case an action has been returned, return it too. + if (@actions) { + # Return which actions should be performed. + return @actions; } - # If the parser was not able to parse the the given message - # in the right way, return Nothing. - return; + # Return undef, if no actions are required. + return undef; } # @@ -125,4 +125,119 @@ sub message_parser_snort(@) { return; } +# +## The SSH message parser. +# +## This subfunction is used for parsing and detecting different attacks +## against the SSH service. +# +sub message_parser_ssh (@) { + my @message = @_; + my @actions; + + # The name of the parser module. + my $name = "SSH"; + + # Variable to store the grabbed IP-address. + my $address; + + # Variable to store the parsed event. + my $message; + + # Loop through all lines, in case multiple one have + # been passed. + foreach my $line (@message) { + # Check for failed password attempts. + if ($line =~/.*sshd.*Failed password for (.*) from (.*) port.*/) { + # Store the grabbed IP-address. + $address = $2; + + # Set event message. + $message = "Possible SSH-Bruteforce Attack for user: $1."; + } + + # This should catch Bruteforce Attacks with enabled preauth + elsif ($line =~ /.*sshd.*Received disconnect from (.*):.*\[preauth\]/) { + # Store obtained IP-address. + $address = $1; + + # Set event message. + $message = "Possible SSH-Bruteforce Attack - failed preauth."; + } + + # Check if at least the IP-address information has been extracted. + if (defined ($address)) { + # Add the extracted values and event message for the computed + # event to the actions array. + push(@actions, "count $address $name $message"); + } + } + + # If any actions are required, return the array. + if (@actions) { + return (@actions); + } + + # If we got here, the provided message is not affected by any filter and + # therefore can be skipped. Return nothing (False) in this case. + return; +} + +# +## The HTTPD message parser. +# +## This subfunction is used for parsing and detecting different attacks +## against a running HTTPD service. +# +sub message_parser_httpd (@) { + my @message = @_; + my @actions; + + # The name of the parser module. + my $name = "HTTPD"; + + # Variable to store the grabbed IP-address. + my $address; + + # Variable to store the parsed event. + my $message; + + # Loop through all lines, in case multiple one have + # been passed. + foreach my $line (@message) { + # This will catch brute-force attacks against htaccess logins (username). + if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) { + # Store the grabbed IP-address. + $address = $1; + + # Set event message. + $message = "Possible WUI brute-force attack, wrong user: $2."; + } + + # Detect htaccess password brute-forcing against a username. + elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) { + # Store the extracted IP-address. + $address = $1; + + # Set event message. + $message = "Possible WUI brute-force attack, wrong password for user: $2."; + } + + # Check if at least the IP-address information has been extracted. + if (defined ($address)) { + # Add the extracted values and event message to the actions array. + push(@actions, "count $address $name $message"); + } + } + + # If any actions are required, return the array. + if (@actions) { + return @actions; + } + + # If we got here, the provided message is not affected by any filter and + # therefore can be skipped. Return nothing (False) in this case. + return; +} + 1;