# has to be called to parse messages in the right way.
my %logfile_parsers = (
"httpd" => \&message_parser_httpd,
+ "owncloud" => \&message_parser_owncloud,
"snort" => \&message_parser_snort,
"ssh" => \&message_parser_ssh,
);
return;
}
+#
+## The Owncloud message parser.
+#
+## This subfunction is used for parsing and detecting brute-force login
+## attempts against a local running owncloud instance.
+#
+sub message_parser_owncloud (@) {
+ my @message = @_;
+ my @actions;
+
+ # The name of the parser module.
+ my $name = "Owncloud";
+
+ # Variable to store the grabbed IP-address.
+ my $address;
+
+ # Variable to store the parsed event.
+ my $message;
+
+ # Loop through all lines, in case multiple one have
+ # been passed.
+ foreach my $line (@message) {
+ # This will catch brute-force attacks against the login (username).
+ if ($line =~/.*\"Login failed: \'(.*)\' \(Remote IP: \'(.*)\'\,.*/) {
+ # Store the grabbed user name.
+ my $user = $1;
+
+ # Store the grabbed IP-address.
+ $address = $2;
+
+ # Set event message.
+ $message = "Possible brute-force attack, wrong password for user: $user.";
+ }
+
+ # Check if at least the IP-address information has been extracted.
+ if (defined ($address)) {
+ # Add the extracted values and event message to the actions array.
+ push(@actions, "count $address $name $message");
+ }
+ }
+
+ # If any actions are required, return the array.
+ if (@actions) {
+ return @actions;
+ }
+
+ # If we got here, the provided message is not affected by any filter and
+ # therefore can be skipped. Return nothing (False) in this case.
+ return;
+}
+
1;