def parse_log_file(self): """ Parse the log files to get the list of usernames. Args: None Raises: None Returns: None """ # Open the log files log_file1_data = utils.open_file(self.log_file[0]) log_file2_data = utils.open_file(self.log_file[1]) for line in log_file1_data: user = line.split(":")[0] if user.strip("\n") not in self.log1_users: self.log1_users.append(user.strip("\n")) for line in log_file2_data: user = line.split(":")[0] if user.strip("\n") not in self.log2_users: self.log2_users.append(user.strip("\n"))
def parse_log_file(self): """ Parse log file to extract commands executed as root / sudo. Args: None Raises: None Returns: None """ # Open the log file log_file_data = utils.open_file(self.log_file) for line in log_file_data: found = re.findall(self.COMMAND, line) if (found is not None and found != []): command = found[0] command = command.strip(" ") if self.check_command(command): # if command is harmful if command not in self.found_harmful: self.found_harmful.append(command) self.logger.log( "Possible harmful command found: {}".format( command), logtype="warning")
def parse_log_file(self): """ Parse log file to extract invalid SSH user / their authentication failure / login attempts. Args: None Raises: None Returns: None """ # Open the log file log_file_data = utils.open_file(self.log_file) for line in log_file_data: found = re.findall(self.INVALID_USER, line) if (found is not None and found != []): date = found[0][0] month = date.split(" ")[0] day = date.split(" ")[1] last_time = found[0][1] username = found[0][2] ip = found[0][3] # convert date, time to epoch time epoch_time = utils.get_epoch_time(month, day, last_time) self.update_username_dict(username, ip, date, epoch_time)
def parse_log_file(self): """ Parse the log file to extract IP address showing quick Recieved Disconnect. Args: None Raises: None Returns: None """ # Open the log file log_file_data = utils.open_file(self.log_file) for line in log_file_data: found = re.findall(self.RECIEVED_DISCONNECT, line) if (found is not None and found != []): date = found[0][0] month = date.split(" ")[0] day = date.split(" ")[1] last_time = found[0][1] ip = found[0][2] # convert date, time to epoch time epoch_time = utils.get_epoch_time(month, day, last_time) self.update_ip_dict(ip, date, epoch_time)
def parse_log_file(self): """ Parse the log file to extract authentication failure / login attempts. Args: None Raises: None Returns: None """ # Open the log file log_data = utils.open_file(self.log_file) for line in log_data: found = re.findall(self.AUTH_FAILURE, line) if (found is not None and found != []): username = re.findall(self.USERNAME, found[0])[0][1] data_in_list = found[0].split(" ") if data_in_list[1] != "": # if double digit day month = data_in_list[0] day = data_in_list[1] last_time = data_in_list[2] date = month + " " + day else: # if single digit day month = data_in_list[0] day = data_in_list[2] last_time = data_in_list[3] date = month + " " + day # convert date, time to epoch time epoch_time = utils.get_epoch_time(month, day, last_time) count = 1 # number of attempts (by default is 1) message_repeated = re.findall(self.MESSAGE_REPEAT, found[0]) if message_repeated != []: count = int(message_repeated[0]) # update user_to_count dict self.update_user_dict(username, date, epoch_time, count)
def parse_log_file(self): """ Parse log file to collect hashed passwords. Args: None Raises: None Returns: None """ # Open log file log_file_data = utils.open_file(self.log_file) for line in log_file_data: algo = line.strip("\n").split(":")[1] if len(algo) > 3: hash_algo = algo.split("$")[1] if hash_algo not in self.used_algo: self.used_algo.append(hash_algo)
def parse_log_file(self): """ Parse log file to collect usernames and their hashed password. Args: None Raises: None Returns: None """ # Open log file log_data = utils.open_file(self.log_file) for line in log_data: user = (line.split(":")[0]).strip("\n") found_pss = (line.split(":")[1]).strip("\n") if (found_pss is None or found_pss == "" or found_pss == " "): self.update_dict(user, found_pss)
def parse_log_file(self): """ Parse log file to extract PROMISC mode. Args: None Raises: None Returns: None """ log_file_data = utils.open_file(self.log_file) for line in log_file_data: found = re.findall(self.SNIFFER, line) if found != []: if found[0].strip(" ") not in self.found_promisc: self.found_promisc.append(found[0].strip(" ")) msg = "Possible malicious sniffer detected " + found[ 0].strip(" ") self.logger.log(msg, logtype="warning")
def __init__(self, debug=False): """ Initialize HarmfulCommnads. Detect harmful commands executed as root / sudo. Args: debug (bool): Log on terminal or not Raises: None Returns: None """ # Initialize logger self.logger = logger.SecureTeaLogger(__name__, debug=debug) # OS name to command-log path map self.system_log_map = {"debian": "/var/log/auth.log"} os_name = utils.categorize_os() self.log_file = None if os_name: try: self.log_file = self.system_log_map[os_name] except KeyError: self.logger.log("Could not find path for the command-log file", logtype="error") return else: return # Path for file of harmful commands self.COMMNAND_FILE_PATH = "/etc/securetea/log_monitor/system_log/harmful_command.txt" self.COMMAND = r'COMMAND=(.*\s)' # regex to extract commands self.harmful_commands = utils.open_file(self.COMMNAND_FILE_PATH) self.found_harmful = [] # list of harmful commands found