mirror of
https://github.com/The-Art-of-Hacking/h4cker
synced 2024-11-22 02:43:02 +00:00
Create ParseLogs.py
This commit is contained in:
parent
b928c48ba5
commit
da686ceba8
1 changed files with 159 additions and 0 deletions
159
python_ruby_and_bash/parsing_auth_log/ParseLogs.py
Normal file
159
python_ruby_and_bash/parsing_auth_log/ParseLogs.py
Normal file
|
@ -0,0 +1,159 @@
|
||||||
|
import gzip
|
||||||
|
import re
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# ParseLogs.py
|
||||||
|
# Parsing component of Logalyzer. Original: https://github.com/hatRiot/logalyzer
|
||||||
|
# Converted to python3.6 by @programmerchad
|
||||||
|
#
|
||||||
|
|
||||||
|
# log object
|
||||||
|
# Stuck into a dictionary by user:Log, where log houses
|
||||||
|
# logs, fails, successes, logged IPs, and commands used
|
||||||
|
class Log:
|
||||||
|
# dump date of first log
|
||||||
|
def first_date(self):
|
||||||
|
if len(self.logs) > 0:
|
||||||
|
date = None
|
||||||
|
i = 0
|
||||||
|
# sometimes the first few aren't right, so look
|
||||||
|
# until we find one
|
||||||
|
while i < len(self.logs) and date is None:
|
||||||
|
date = ParseDate(self.logs[i])
|
||||||
|
i += 1
|
||||||
|
return date
|
||||||
|
|
||||||
|
# dump date of last log
|
||||||
|
def last_date(self):
|
||||||
|
if len(self.logs) > 0:
|
||||||
|
return ParseDate(self.logs[len(self.logs) - 1])
|
||||||
|
|
||||||
|
def __init__(self, usr):
|
||||||
|
self.usr = usr
|
||||||
|
self.logs = []
|
||||||
|
self.fail_logs = []
|
||||||
|
self.succ_logs = []
|
||||||
|
self.ips = []
|
||||||
|
self.commands = []
|
||||||
|
|
||||||
|
|
||||||
|
# parse user from various lines
|
||||||
|
def ParseUsr(line):
|
||||||
|
usr = None
|
||||||
|
if "Accepted password" in line:
|
||||||
|
usr = re.search(r'(\bfor\s)(\w+)', line)
|
||||||
|
elif "sudo:" in line:
|
||||||
|
usr = re.search(r'(sudo:\s+)(\w+)', line)
|
||||||
|
elif "authentication failure" in line:
|
||||||
|
usr = re.search(r'USER=\w+', line)
|
||||||
|
elif "for invalid user" in line:
|
||||||
|
usr = re.search(r'(\buser\s)(\w+)', line)
|
||||||
|
if usr is not None:
|
||||||
|
return usr.group(2)
|
||||||
|
|
||||||
|
|
||||||
|
# parse an IP from a line
|
||||||
|
def ParseIP(line):
|
||||||
|
ip = re.search(r'(\bfrom\s)(\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b)', line)
|
||||||
|
if ip is not None:
|
||||||
|
return ip.group(2)
|
||||||
|
|
||||||
|
|
||||||
|
# parse a date from the line
|
||||||
|
def ParseDate(line):
|
||||||
|
date = re.search(r'^[A-Za-z]{3}\s*[0-9]{1,2}\s[0-9]{1,2}:[0-9]{2}:[0-9]{2}', line)
|
||||||
|
if date is not None:
|
||||||
|
return date.group(0)
|
||||||
|
|
||||||
|
|
||||||
|
# parse a command from a line
|
||||||
|
def ParseCmd(line):
|
||||||
|
# parse command to end of line
|
||||||
|
cmd = re.search(r'(\bCOMMAND=)(.+?$)', line)
|
||||||
|
if cmd is not None:
|
||||||
|
return cmd.group(2)
|
||||||
|
|
||||||
|
|
||||||
|
# begin parsing the passed LOG
|
||||||
|
def ParseLogs(log):
|
||||||
|
# initialize the dictionary
|
||||||
|
logs = {}
|
||||||
|
|
||||||
|
# parse the log
|
||||||
|
f = None
|
||||||
|
try:
|
||||||
|
f = gzip.open(log, 'r') if '.gz' in log else open(log, 'r')
|
||||||
|
log = f.read()
|
||||||
|
except Exception as e:
|
||||||
|
print('[-] Error opening \'%s\': %s' % (log, e))
|
||||||
|
return None
|
||||||
|
finally:
|
||||||
|
if f is not None:
|
||||||
|
f.close()
|
||||||
|
|
||||||
|
for line in log.split('\n'):
|
||||||
|
# match a login
|
||||||
|
if "Accepted password for" in line:
|
||||||
|
usr = ParseUsr(line)
|
||||||
|
|
||||||
|
# add 'em if they don't exist
|
||||||
|
if usr not in logs:
|
||||||
|
logs[usr] = Log(usr)
|
||||||
|
|
||||||
|
ip = ParseIP(line)
|
||||||
|
# set info
|
||||||
|
if ip not in logs[usr].ips:
|
||||||
|
logs[usr].ips.append(ip)
|
||||||
|
logs[usr].succ_logs.append(line.rstrip('\n'))
|
||||||
|
logs[usr].logs.append(line.rstrip('\n'))
|
||||||
|
|
||||||
|
# match a failed login
|
||||||
|
elif "Failed password for" in line:
|
||||||
|
# parse user
|
||||||
|
usr = ParseUsr(line)
|
||||||
|
|
||||||
|
if usr not in logs:
|
||||||
|
logs[usr] = Log(usr)
|
||||||
|
|
||||||
|
ip = ParseIP(line)
|
||||||
|
|
||||||
|
if ip not in logs[usr].ips:
|
||||||
|
logs[usr].ips.append(ip)
|
||||||
|
logs[usr].fail_logs.append(line.rstrip('\n'))
|
||||||
|
logs[usr].logs.append(line.rstrip('\n'))
|
||||||
|
|
||||||
|
# match failed auth
|
||||||
|
elif ":auth): authentication failure;" in line:
|
||||||
|
# so there are three flavors of authfail we care about;
|
||||||
|
# su, sudo, and ssh. Lets parse each.
|
||||||
|
usr = re.search(r'(\blogname=)(\w+)', line)
|
||||||
|
if usr is not None:
|
||||||
|
usr = usr.group(2)
|
||||||
|
# parse a fail log to ssh
|
||||||
|
if "(sshd:auth)" in line:
|
||||||
|
# ssh doesn't have a logname hurr
|
||||||
|
usr = ParseUsr(line)
|
||||||
|
if usr not in logs:
|
||||||
|
logs[usr] = Log(usr)
|
||||||
|
logs[usr].ips.append(ParseIP(line))
|
||||||
|
# parse sudo/su fails
|
||||||
|
else:
|
||||||
|
if usr not in logs:
|
||||||
|
logs[usr] = Log(usr)
|
||||||
|
logs[usr].fail_logs.append(line.rstrip('\n'))
|
||||||
|
logs[usr].logs.append(line.rstrip('\n'))
|
||||||
|
# match commands
|
||||||
|
elif "sudo:" in line:
|
||||||
|
# parse user
|
||||||
|
usr = ParseUsr(line)
|
||||||
|
if usr not in logs:
|
||||||
|
logs[usr] = Log(usr)
|
||||||
|
|
||||||
|
cmd = ParseCmd(line)
|
||||||
|
# append the command if it isn't there already
|
||||||
|
if cmd is not None:
|
||||||
|
if cmd not in logs[usr].commands:
|
||||||
|
logs[usr].commands.append(cmd)
|
||||||
|
logs[usr].logs.append(line.rstrip('\n'))
|
||||||
|
return logs
|
Loading…
Reference in a new issue