From: Stefan Schantl
Date: Mon, 29 Feb 2016 10:34:46 +0000 (+0100)
Subject: Allow to process multiple events at once.
X-Git-Tag: 2.0~22
X-Git-Url: http://git.ipfire.org/?p=people%2Fstevee%2Fguardian.git;a=commitdiff_plain;h=43fdb161bb2c7100eb86ee2d22ce70553de6ddec
Allow to process multiple events at once.
If a parser recives multiple lines at once, all of them needs to be parsed and the result has to be returned to the main process for enqueuing into the event queue.
Signed-off-by: Stefan Schantl
---
diff --git a/guardian b/guardian
index 148f50e..3e6128f 100644
--- a/guardian
+++ b/guardian
@@ -247,17 +247,24 @@ sub Worker ($) {
 close(FILE);
 # Send filename and message to the parser,
- # which will return if an action has to be performed.
- my $action = &Guardian::Parser::Parser("$parser", @message);
+ # which will return if any actions have to be performed.
+ my @actions = &Guardian::Parser::Parser("$parser", @message);
 # Send the action to the main process and put it into
 # the queue.
- if (defined ($action)) {
+ if (@actions) {
 # Lock the queue.
 lock($queue);
- # Put the required action into the queue.
- $queue->enqueue($action);
+ # Loop through the actions array, and perform
+ # every single action.
+ foreach my $action (@actions) {
+ # Prevent from enqueuing empty actions.
+ if (defined($action)) {
+ # Put the required action into the queue.
+ $queue->enqueue($action);
+ }
+ }
 }
 } else {
 # Sleep for 10ms until the next round of the loop will start.
diff --git a/modules/Parser.pm b/modules/Parser.pm
index 65f7708..5c2f53f 100644
--- a/modules/Parser.pm
+++ b/modules/Parser.pm
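Review bot: The new `if (@actions)` guard is true even when the parser returned nothing, because `return undef;` in Parser.pm evaluates to a one-element list `(undef)` in the list context this assignment creates; the worker then takes the queue lock and runs the loop only for the inner `defined($action)` check to skip the element. Filtering at the assignment removes the band-aid and the needless lock: `my @actions = grep { defined } &Guardian::Parser::Parser("$parser", @message);` and drop the inner `if (defined($action))`. Note that the `&` call form bypasses the `($$)` prototype visible on `sub Parser`, which is presumably what lets `@message` through as a list rather than a count; a comment saying so would save the next reader from "fixing" the call syntax. The body of Worker continues outside this hunk.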
@@ -30,15 +30,15 @@ sub Parser ($$) {
 }
 # Call responsible message parser.
- my $action = $logfile_parsers{$parser}->(@message);
+ my @actions = $logfile_parsers{$parser}->(@message);
 # In case an action has been returned, return it too.
- if (defined($action)) {
- # Return which action should be performed.
- return "count $action";
+ if (@actions) {
+ # Return which actions should be performed.
+ return @actions;
 }
- # Return undef, no action required.
+ # Return undef, if no actions are required.
 return undef;
 }
@@ -87,6 +87,7 @@ sub message_parser_snort($) {
 #
 sub message_parser_ssh (@) {
 my @message = @_;
+ my @actions;
 # The name of the parser module.
 my $name = "SSH";
@@ -117,12 +118,18 @@ sub message_parser_ssh (@) {
 # Set event message.
 $message = "Possible SSH-Bruteforce Attack - failed preauth.";
 }
+
+ # Check if at least the IP-address information has been extracted.
+ if (defined ($address)) {
+ # Add the extracted values and event message for the computed
+ # event to the actions array.
+ push(@actions, "count $address $name $message");
+ }
 }
- # Check if at least the IP-address information has been extracted.
- if (defined ($address)) {
- # Return the extracted values and event message.
- return "$address $name $message";
+ # If any actions are required, return the array.
+ if (@actions) {
+ return (@actions);
 }
 # If we got here, the provided message is not affected by any filter and
@@ -138,6 +145,7 @@ sub message_parser_ssh (@) {
 #
 sub message_parser_httpd (@) {
 my @message = @_;
+ my @actions;
 # The name of the parser module.
 my $name = "HTTPD";
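Review bot: `return undef;` at the end of Parser is now wrong for a sub that returns a list: in list context it yields `(undef)`, which is a true one-element array at the caller, so the "no actions" case still looks like one action. The same applies to the `if (@actions)` test inside Parser itself if the message parsers keep a `return undef;` after their loop (that tail lies outside the hunk). Use `return;` instead, and filter the dispatch result so a `(undef)` from a message parser cannot pass: `my @actions = grep { defined } $logfile_parsers{$parser}->(@message);`. Also worth a comment: the `count ` prefix that this central function used to add is now duplicated in every message parser, so each new parser has to remember it; `# NOTE: every message parser must prefix its actions with "count "` above the dispatch would document that contract.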
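Review bot: In the ssh hunk (`@@ -117`), `push(@actions, "count $address $name $message")` now runs once per line, but `$address` and `$message` are declared outside this hunk; the removed post-loop `return "$address $name $message"` suggests they are declared before the loop, in which case a non-matching line that follows a matching one re-pushes the previous line's values and emits a duplicate event. If so, clear them at the top of the loop body, `undef $address; undef $message;`, or declare them with `my` inside the loop. Minor style: `return (@actions);` here versus `return @actions;` in the httpd parser — pick one. The enclosing sub starts and ends outside this hunk.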
@@ -168,12 +176,17 @@ sub message_parser_httpd (@) {
 # Set event message.
 $message = "Possible WUI brute-force attack, wrong password for user: $2.";
 }
+
+ # Check if at least the IP-address information has been extracted.
+ if (defined ($address)) {
+ # Add the extracted values and event message to the actions array.
+ push(@actions, "count $address $name $message");
+ }
 }
- # Check if at least the IP-address information has been extracted.
- if (defined ($address)) {
- # Return the extracted values and event message.
- return "$address $name $message";
+ # If any actions are required, return the array.
+ if (@actions) {
+ return @actions;
 }
 # If we got here, the provided message is not affected by any filter and
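Review bot: The action string pushed here is space-delimited, yet the `$message` it embeds carries `$2`, a user name copied straight from the log line — attacker-chosen input in a brute-force scenario — and `$address` comes from a regex whose shape is not in the hunk. If that capture is loose, a crafted log line can put whitespace into `$address` and shift the fields a consumer of "count <address> <name> <message>" reads. A cheap guard before the push, `if (defined($address) && $address =~ /^[0-9.]+$/) {`, keeps only plausible IPv4 addresses out of the untrusted text (widen it if IPv6 is expected). As in the ssh parser, `$address`/`$message` are declared outside the hunk; if they live outside the per-line loop, reset them per iteration so a non-matching line does not re-push stale values. The enclosing sub starts and ends outside this hunk.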