def parse_log_file(self):
"""
Parse the log files to get the list of usernames.
Args:
None
Raises:
None
Returns:
None
"""
# Open the log files
log_file1_data = utils.open_file(self.log_file[0])
log_file2_data = utils.open_file(self.log_file[1])
for line in log_file1_data:
user = line.split(":")[0]
if user.strip("\n") not in self.log1_users:
self.log1_users.append(user.strip("\n"))
for line in log_file2_data:
user = line.split(":")[0]
if user.strip("\n") not in self.log2_users:
self.log2_users.append(user.strip("\n"))
def parse_log_file(self):
"""
Parse log file to extract commands
executed as root / sudo.
Args:
None
Raises:
None
Returns:
None
"""
# Open the log file
log_file_data = utils.open_file(self.log_file)
for line in log_file_data:
found = re.findall(self.COMMAND, line)
if (found is not None and found != []):
command = found[0]
command = command.strip(" ")
if self.check_command(command): # if command is harmful
if command not in self.found_harmful:
self.found_harmful.append(command)
self.logger.log(
"Possible harmful command found: {}".format(
command),
logtype="warning")
def parse_log_file(self):
"""
Parse log file to extract invalid SSH user /
their authentication failure / login attempts.
Args:
None
Raises:
None
Returns:
None
"""
# Open the log file
log_file_data = utils.open_file(self.log_file)
for line in log_file_data:
found = re.findall(self.INVALID_USER, line)
if (found is not None and found != []):
date = found[0][0]
month = date.split(" ")[0]
day = date.split(" ")[1]
last_time = found[0][1]
username = found[0][2]
ip = found[0][3]
# convert date, time to epoch time
epoch_time = utils.get_epoch_time(month, day, last_time)
self.update_username_dict(username, ip, date, epoch_time)
def parse_log_file(self):
"""
Parse the log file to extract IP address
showing quick Recieved Disconnect.
Args:
None
Raises:
None
Returns:
None
"""
# Open the log file
log_file_data = utils.open_file(self.log_file)
for line in log_file_data:
found = re.findall(self.RECIEVED_DISCONNECT, line)
if (found is not None and found != []):
date = found[0][0]
month = date.split(" ")[0]
day = date.split(" ")[1]
last_time = found[0][1]
ip = found[0][2]
# convert date, time to epoch time
epoch_time = utils.get_epoch_time(month, day, last_time)
self.update_ip_dict(ip, date, epoch_time)
def parse_log_file(self):
"""
Parse the log file to extract
authentication failure / login attempts.
Args:
None
Raises:
None
Returns:
None
"""
# Open the log file
log_data = utils.open_file(self.log_file)
for line in log_data:
found = re.findall(self.AUTH_FAILURE, line)
if (found is not None and found != []):
username = re.findall(self.USERNAME, found[0])[0][1]
data_in_list = found[0].split(" ")
if data_in_list[1] != "": # if double digit day
month = data_in_list[0]
day = data_in_list[1]
last_time = data_in_list[2]
date = month + " " + day
else: # if single digit day
month = data_in_list[0]
day = data_in_list[2]
last_time = data_in_list[3]
date = month + " " + day
# convert date, time to epoch time
epoch_time = utils.get_epoch_time(month, day, last_time)
count = 1 # number of attempts (by default is 1)
message_repeated = re.findall(self.MESSAGE_REPEAT, found[0])
if message_repeated != []:
count = int(message_repeated[0])
# update user_to_count dict
self.update_user_dict(username, date, epoch_time, count)
def parse_log_file(self):
"""
Parse log file to collect hashed passwords.
Args:
None
Raises:
None
Returns:
None
"""
# Open log file
log_file_data = utils.open_file(self.log_file)
for line in log_file_data:
algo = line.strip("\n").split(":")[1]
if len(algo) > 3:
hash_algo = algo.split("$")[1]
if hash_algo not in self.used_algo:
self.used_algo.append(hash_algo)
def parse_log_file(self):
"""
Parse log file to collect usernames
and their hashed password.
Args:
None
Raises:
None
Returns:
None
"""
# Open log file
log_data = utils.open_file(self.log_file)
for line in log_data:
user = (line.split(":")[0]).strip("\n")
found_pss = (line.split(":")[1]).strip("\n")
if (found_pss is None or found_pss == "" or found_pss == " "):
self.update_dict(user, found_pss)
def parse_log_file(self):
"""
Parse log file to extract PROMISC mode.
Args:
None
Raises:
None
Returns:
None
"""
log_file_data = utils.open_file(self.log_file)
for line in log_file_data:
found = re.findall(self.SNIFFER, line)
if found != []:
if found[0].strip(" ") not in self.found_promisc:
self.found_promisc.append(found[0].strip(" "))
msg = "Possible malicious sniffer detected " + found[
0].strip(" ")
self.logger.log(msg, logtype="warning")
def __init__(self, debug=False):
"""
Initialize HarmfulCommnads.
Detect harmful commands executed as root / sudo.
Args:
debug (bool): Log on terminal or not
Raises:
None
Returns:
None
"""
# Initialize logger
self.logger = logger.SecureTeaLogger(__name__, debug=debug)
# OS name to command-log path map
self.system_log_map = {"debian": "/var/log/auth.log"}
os_name = utils.categorize_os()
self.log_file = None
if os_name:
try:
self.log_file = self.system_log_map[os_name]
except KeyError:
self.logger.log("Could not find path for the command-log file",
logtype="error")
return
else:
return
# Path for file of harmful commands
self.COMMNAND_FILE_PATH = "/etc/securetea/log_monitor/system_log/harmful_command.txt"
self.COMMAND = r'COMMAND=(.*\s)' # regex to extract commands
self.harmful_commands = utils.open_file(self.COMMNAND_FILE_PATH)
self.found_harmful = [] # list of harmful commands found
