
First commit - some simple dissectors

0 parents commit cc563b89f306c076b483178493000ca06e5762a8 @adamvr committed Feb 15, 2012
Showing with 140 additions and 0 deletions.
  1. +17 −0 dissectors/ssh-invalid-user.js
  2. +19 −0 dissectors/ssh-login.js
  3. +17 −0 dissectors/ssh-logout.js
  4. +19 −0 dissectors/sudo-failure.js
  5. +19 −0 dissectors/sudo-success.js
  6. +39 −0 index.js
  7. +10 −0 test.js
@@ -0,0 +1,17 @@
+var regex = /(\S+ \S+ \S+) (\S+) sshd\[(\S+)\]: Invalid user (\S+) from (\S+)/
+
+var map = {
+ 1: 'date'
+, 2: 'locahost'
+, 3: 'pid'
+, 4: 'invaliduser'
+, 5: 'remotehost'
+};
+
+var type = 'ssh-invalid-user'
+
+module.exports = {
+ regex: regex
+, map: map
+, type: type
+}
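Review bot: The map value on line `, 2: 'locahost'` is misspelled and disagrees with the `'localhost'` key the other four dissectors emit, so a consumer keying on `localhost` will silently miss this event type; change it to `, 2: 'localhost'`. Group 4 (`invaliduser`) and group 5 (`remotehost`) are strings chosen by the remote peer, so a comment on the map such as `// invaliduser/remotehost come from the peer; treat as untrusted text` would help anyone rendering or indexing the output. This file also drops the trailing semicolons (lines 17, 27, 33) that the sibling dissectors use.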
@@ -0,0 +1,19 @@
+var regex = /(\S+ \S+ \S+) (\S+) sshd\[(\S+)\]: Accepted (\S+) for (\S+) from (\S+) port (\S+) ssh2/
+
+var map = {
+ 1: 'date'
+, 2: 'localhost'
+, 3: 'pid'
+, 4: 'authMethod'
+, 5: 'user'
+, 6: 'remotehost'
+, 7: 'port'
+};
+
+var type = 'ssh-login';
+
+module.exports = {
+ regex: regex
+, map: map
+, type: type
+};
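Review bot: The regex carries no comment stating the log line shape it expects, and the only example is in a commented-out block in test.js, so a reader cannot check the group numbering in `map` without running it; a header such as `// Matches e.g. "<date> <host> sshd[<pid>]: Accepted publickey for <user> from <ip> port <port> ssh2"` would fix that. The pattern is unanchored and `(\S+ \S+ \S+)` accepts any three whitespace-separated tokens as the date, so it relies on the caller passing exactly one syslog line at a time; that assumption belongs in the same comment. Line 35 also lacks the trailing semicolon used on lines 47 and 53.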
@@ -0,0 +1,17 @@
+var regex = /(\S+ \S+ \S+) (\S+) sshd\[(\S+)\]: Received disconnect from (\S+): \S+: (.*$)/
+
+var map = {
+ 1: 'date'
+, 2: 'localhost'
+, 3: 'pid'
+, 4: 'remotehost'
+, 5: 'reason'
+};
+
+var type = 'ssh-logout';
+
+module.exports = {
+ regex: regex
+, map: map
+, type: type
+};
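Review bot: Group 5 (`reason`) is captured with `(.*$)`, so it carries whatever free text the remote peer placed in its disconnect message, control characters included; a comment on the map entry such as `// reason: peer-supplied free text, not sanitized` would tell consumers that display it what they are handling. The type name `ssh-logout` may overstate the event, since a "Received disconnect" line is logged for any disconnect and not only after a completed login (inferred from the message text, not verified here); if that distinction matters downstream, the name or a comment should say so.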
@@ -0,0 +1,19 @@
+var regex = /(\S+ \S+ \S+) (\S+) sudo: pam_unix(sudo:auth): authentication failure; logname=(\S+) uid=(\S+) euid=(\S+) tty=(\S+) ruser= rhost= user=(\S+)/
+
+var map = {
+ 1: 'date'
+, 2: 'localhost'
+, 3: 'logname'
+, 4: 'uid'
+, 5: 'euid'
+, 6: 'tty'
+, 7: 'user'
+};
+
+var type = 'sudo-failure';
+
+module.exports = {
+ regex: regex
+, map: map
+, type: type
+};
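Review bot: The literal `pam_unix(sudo:auth)` on line 73 is unescaped, so the parentheses form a capture group that matches `pam_unixsudo:auth` and the regex never matches the real log text `pam_unix(sudo:auth):`; it also inserts an extra group that shifts every index in `map` by one (logname would be group 4, not 3). Escape it: `... sudo: pam_unix\(sudo:auth\): authentication failure; logname=(\S+) uid=(\S+) ...`. The commented-out sample on line 160 of test.js would have exposed this had it been executable.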
@@ -0,0 +1,19 @@
+var regex = /(\S+ \S+ \S+) (\S+) sudo: (\S+) : TTY=(\S+) ; PWD=(\S+) ; USER=(\S+) ; COMMAND=(.*$)/
+
+var map = {
+ 1: 'date'
+, 2: 'localhost'
+, 3: 'currentuser'
+, 4: 'tty'
+, 5: 'pwd'
+, 6: 'superuser'
+, 7: 'command'
+};
+
+var type = 'sudo-success';
+
+module.exports = {
+ regex: regex
+, map: map
+, type: type
+};
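Review bot: `PWD=(\S+)` on line 93 rejects any working directory that contains a space, so the whole line yields null even though the field is delimited by ` ; USER=`; bound it by the delimiter instead: `/(\S+ \S+ \S+) (\S+) sudo: (\S+) : TTY=(\S+) ; PWD=(.+?) ; USER=(\S+) ; COMMAND=(.*$)/`. The map name `superuser` for group 6 is misleading, because `USER=` is the target user that was requested, not necessarily root; `targetuser` would match the log semantics. Group 7 (`command`) is the invoking user's full argument string, so a comment marking it as untrusted would help anything that displays or reuses it.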
@@ -0,0 +1,39 @@
+var fs = require('fs')
+ , path = require('path')
+ , util = require('util');
+
+var dissectors = {};
+
+var files = fs.readdirSync(path.join(__dirname, 'dissectors'));
+
+function exec(dissector) {
+ var regex = dissector.regex
+ , map = dissector.map
+ , type = dissector.type;
+
+ return function(string) {
+ var matches = string.match(regex)
+ , ret = {};
+
+ if (!matches) return null;
+
+ console.dir(matches);
+
+ for (var k in map) {
+ var v = map[k];
+ ret[v] = matches[k];
+ }
+
+ ret.type = type;
+ return ret;
+ }
+}
+
+for (var i = 0; i < files.length; i++) {
+ var module = require(path.join(__dirname, 'dissectors', files[i]));
+ if (!module) continue;
+ module.dissect = exec(module);
+ dissectors[module['type']] = module;
+};
+
+exports.dissectors = dissectors;
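Review bot: `console.dir(matches)` on line 132 leaves debug output in the library path, so every dissected line, including the peer-controlled fields, is echoed to stdout on each call; remove it. In the loader, `var module = require(...)` shadows the CommonJS `module` binding (harmless only because the file exports via `exports.dissectors`), `if (!module) continue;` never fires because `require` returns an object, and `readdirSync` is not filtered by extension, so any stray non-JS file in `dissectors/` throws at load time; `util` is required but unused and line 149 has a stray `;` after the loop. A rewritten loader follows.
```javascript
// … unchanged: requires, dissectors, files, exec() without the console.dir …
for (var i = 0; i < files.length; i++) {
  if (path.extname(files[i]) !== '.js') continue;
  var dissector = require(path.join(__dirname, 'dissectors', files[i]));
  if (!dissector.type || !dissector.regex) continue;
  dissector.dissect = exec(dissector);
  dissectors[dissector.type] = dissector;
}
```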
@@ -0,0 +1,10 @@
+var d = require('.');
+console.dir(d);
+
+/*
+console.dir(login.dissect('Feb 15 09:00:07 summer sshd[2470]: Accepted publickey for chris_rieger from 130.102.70.13 port 46410 ssh2'));
+console.dir(logout.dissect('Feb 14 15:38:18 summer sshd[31962]: Received disconnect from 130.102.70.70: 11: disconnected by user'));
+console.dir(sudos.dissect('Feb 15 11:13:43 summer sudo: aabhushan : TTY=pts/4 ; PWD=/home/aabhushan ; USER=root ; COMMAND=/bin/vi /var/www/html/test/ledon.xml'));
+console.dir(sudof.dissect('Feb 15 11:30:56 summer sudo: pam_unix(sudo:auth): authentication failure; logname=aabhushan uid=0 euid=0 tty=/dev/pts/4 ruser= rhost= user=aabhushan'));
+console.dir(baduser.dissect('Feb 13 10:51:35 summer sshd[27435]: Invalid user adam from 172.18.65.144'));
+*/
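Review bot: The test asserts nothing — it only prints the loaded module, and the real checks are commented out and reference `login`, `logout`, `sudos`, `sudof` and `baduser`, none of which is defined anywhere in the commit, so uncommenting them would throw. The dissectors are reachable as `d.dissectors[type]`, so the samples can become executable assertions with the core `assert` module, as sketched below. The fixture strings carry what appear to be real hostnames, usernames and addresses; synthetic values would serve the same purpose.
```javascript
var assert = require('assert');
var d = require('.');
var login = d.dissectors['ssh-login'];
var r = login.dissect('Feb 15 09:00:07 summer sshd[2470]: Accepted publickey for chris_rieger from 130.102.70.13 port 46410 ssh2');
assert.equal(r.user, 'chris_rieger');
assert.equal(r.remotehost, '130.102.70.13');
assert.equal(r.type, 'ssh-login');
```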
