Merge pull request #130 from kitabisa/development

v1.1.1

CHANGELOG.md

@@ -2,9 +2,16 @@
 
 All notable changes to this project should be documented in this file.
 
+### v1.1.1
+
+- Add interrupt handler
+- Set default logger to debug
+- Add notifies if no logs are analyzed
+- Refactoring analyzer threads
+
 ### v1.1.0
 
-- Upgrade dependencies.
+- Upgrade dependencies
 
 ### v1.0.3
 

README.md

@@ -81,6 +81,7 @@ All related documentation about installation, usage & configuration is on our [W
 
 - [teler - Protect Your WebApp!](https://dw1.io/files/teler%20-%20Protect%20Your%20WebApp.pdf) Talks were brought to the **OWASP Jakarta: Virtual AppSec Indonesia 2020** event.
 - [Tutorial: Cyber Threat Hunting - Useful Threat Hunting Tools (Part One)](https://youtu.be/0m54WOXO6Gc), Semi Yulianto gave a brief explanation and how to use **teler** in the video.
+- [Empowering Teler HTTP Intrusion Detection as WAF with Fail2ban](https://link.medium.com/OXVZIMkZEeb).
 
 ## Contributors
 

cmd/teler/main.go

@@ -3,12 +3,15 @@ package main
 import (
 	"runtime"
 
+	"github.com/projectdiscovery/gologger"
+	"github.com/projectdiscovery/gologger/levels"
 	"ktbs.dev/teler/internal/runner"
 )
 
 func init() {
 	cpu := runtime.NumCPU()
 	runtime.GOMAXPROCS(cpu + 1)
+	gologger.DefaultLogger.SetMaxLevel(levels.LevelDebug)
 }
 
 func main() {

common/vars.go

@@ -2,7 +2,7 @@ package common
 
 var (
 	Email       = "infosec@kitabisa.com"
-	Development = true
+	Development = false
 	Version     = ""
 	Banner      = `
 	  __      __       

internal/runner/runner.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"net/http"
 	"os"
+	"os/signal"
 	"regexp"
 
 	"github.com/acarl005/stripansi"
@@ -30,6 +31,7 @@ func removeLBR(s string) string {
 func New(options *common.Options) {
 	var input *os.File
 	var out string
+	var pass int
 
 	metric, promserve, promendpoint := prometheus(options)
 	if metric {
@@ -49,15 +51,25 @@ func New(options *common.Options) {
 	jobs := make(chan *gonx.Entry)
 	gologger.Info().Msg("Analyzing...")
 
+	stop := make(chan os.Signal, 1)
+	signal.Notify(stop, os.Interrupt)
+	go func() {
+		<-stop
+		gologger.Warning().Msg("Interuppted. Exiting...")
+
+		close(jobs)
+		done(pass)
+	}()
+
 	con := options.Concurrency
 	swg := sizedwaitgroup.New(con)
-	for i := 0; i < con; i++ {
-		swg.Add()
-		go func() {
-			defer swg.Done()
+	go func() {
+		for log := range jobs {
+			swg.Add()
+			go func(line *gonx.Entry) {
+				defer swg.Done()
 
-			for log := range jobs {
-				threat, obj := teler.Analyze(options, log)
+				threat, obj := teler.Analyze(options, line)
 
 				if threat {
 					if metric {
@@ -93,9 +105,9 @@ func New(options *common.Options) {
 
 					alert.New(options, common.Version, obj)
 				}
-			}
-		}()
-	}
+			}(log)
+		}
+	}()
 
 	if options.Stdin {
 		input = os.Stdin
@@ -116,10 +128,19 @@ func New(options *common.Options) {
 			break
 		}
 		jobs <- line
+		pass++
 	}
 
 	close(jobs)
-
 	swg.Wait()
+	done(pass)
+}
+
+func done(i int) {
+	if i == 0 {
+		gologger.Warning().Msg("No logs analyzed, did you write log format correctly?")
+	}
 	gologger.Info().Msg("Done!")
+
+	os.Exit(1)
 }

teler.fail2ban-filter.example.conf

@@ -0,0 +1,10 @@
+# Fail2Ban filter detected threats in teler log
+
+[Definition]
+
+failregex = \[<HOST>\] \[(Common Web Attack(: .*)?|CVE-[0-9]{4}-[0-9]{4,7}|Bad (IP Address|Referrer|Crawler)|Directory Bruteforce)\] .*$
+
+# NOTES: You can ignore false-positive threats hereby or whitelist in the teler configuration file
+ignoreregex = 
+
+datepattern = {^LN-BEG}

teler.fail2ban-jail.example.conf

@@ -0,0 +1,11 @@
+[teler]
+enabled  = true
+port     = http,https
+filter   = teler
+logpath  = /path/to/teler-threats.log
+## Change as you wish
+# Ban rules
+maxretry = 10
+findtime = 60
+# Ban in seconds
+bantime  = 600