From 55852ce70d1b75d67e4f4ddf20e106e9911c2e60 Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Thu, 18 Feb 2016 13:13:31 +0100
Subject: [PATCH] Introduce message parser for HTTPD related notifications.

This new messge parser is able to detect htaccess related brute-force login attempts on a running HTTPD server and to report the source IP-address (IPv4 and IPv6).

Signed-off-by: Stefan Schantl
---
 modules/Parser.pm | 52 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 52 insertions(+)

diff --git a/modules/Parser.pm b/modules/Parser.pm
index 4f03bf9..65f7708 100644
--- a/modules/Parser.pm
+++ b/modules/Parser.pm
@@ -9,6 +9,7 @@ our @EXPORT_OK = qw(IsSupportedParser Parser);
 # This hash contains all supported parsers and which function
 # has to be called to parse messages in the right way.
 my %logfile_parsers = (
+ "httpd" => \&message_parser_httpd,
 "snort" => \&message_parser_snort,
 "ssh" => \&message_parser_ssh,
 );
@@ -129,4 +130,55 @@ sub message_parser_ssh (@) {
 return;
 }
 
+#
+## The HTTPD message parser.
+#
+## This subfunction is used for parsing and detecting different attacks
+## against a running HTTPD service.
+#
+sub message_parser_httpd (@) {
+ my @message = @_;
+
+ # The name of the parser module.
+ my $name = "HTTPD";
+
+ # Variable to store the grabbed IP-address.
+ my $address;
+
+ # Variable to store the parsed event.
+ my $message;
+
+ # Loop through all lines, in case multiple one have
+ # been passed.
+ foreach my $line (@message) {
+ # This will catch brute-force attacks against htaccess logins (username).
+ if ($line =~ /.*\[error\] \[client (.*)\] user(.*) not found:.*/) {
+ # Store the grabbed IP-address.
+ $address = $1;
+
+ # Set event message.
+ $message = "Possible WUI brute-force attack, wrong user: $2.";
+ }
+
+ # Detect htaccess password brute-forcing against a username.
+ elsif ($line =~ /.*\[error\] \[client (.*)\] user(.*): authentication failure for.*/) {
+ # Store the extracted IP-address.
+ $address = $1;
+
+ # Set event message.
+ $message = "Possible WUI brute-force attack, wrong password for user: $2.";
+ }
+ }
+
+ # Check if at least the IP-address information has been extracted.
+ if (defined ($address)) {
+ # Return the extracted values and event message.
+ return "$address $name $message";
+ }
+
+ # If we got here, the provided message is not affected by any filter and
+ # therefore can be skipped. Return nothing (False) in this case.
+ return;
+}
+
 1;
-- 
2.39.2
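Review bot: The `(.*)` that captures the client address in both patterns of message_parser_httpd is greedy and never validated, so whatever sits between `[client ` and the last `] user` on the line — spaces included — lands in `$address` and is then joined into the space-separated `"$address $name $message"` return value that the caller presumably tokenizes; since the user name in these error-log lines is presumably supplied by the remote client, it can shape that token. Narrow the capture to `\[client ([^\]]+)\]` and only return when `$address` matches an anchored IPv4/IPv6 pattern (the commit message promises both families, but nothing in the hunk checks the capture is an address at all); the same greedy capture would also keep a `:port` suffix if the HTTPD writes `[client addr:port]`, which would then be reported as part of the address. Separately, `user(.*)` captures the leading space, so the event text reads `wrong user:  foo.` with a doubled space; `user (.*?) not found:` and `user (.*?): authentication failure for` fix that. When several lines are passed, a later match silently overwrites the `$address`/`$message` of an earlier one, which is worth a comment or a `last` if only one event per call is intended. The leading context lines are the tail of message_parser_ssh, whose body starts outside the hunk.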