1 # -*- coding: utf-8 -*- | 1 # -*- coding: utf-8 -*- |
2 """This file contains a plugin for SSH syslog entries.""" | 2 """This file contains a plugin for SSH syslog entries.""" |
3 | 3 |
4 from __future__ import unicode_literals | 4 from __future__ import unicode_literals |
5 | 5 |
6 import pyparsing | 6 import pyparsing |
7 | 7 |
8 from plaso.containers import time_events | 8 from plaso.containers import time_events |
9 from plaso.lib import definitions | 9 from plaso.lib import definitions |
10 from plaso.parsers import syslog | 10 from plaso.parsers import syslog |
47 | 47 |
48 DATA_TYPE = 'syslog:ssh:failed_connection' | 48 DATA_TYPE = 'syslog:ssh:failed_connection' |
49 | 49 |
50 | 50 |
51 class SSHOpenedConnectionEventData(SSHEventData): | 51 class SSHOpenedConnectionEventData(SSHEventData): |
52 """SSH opened connection event data.""" | 52 """SSH opened connection event data.""" |
53 | 53 |
54 DATA_TYPE = 'syslog:ssh:opened_connection' | 54 DATA_TYPE = 'syslog:ssh:opened_connection' |
55 | 55 |
56 | 56 |
57 class SSHPlugin(interface.SyslogPlugin): | 57 class SSHSyslogPlugin(interface.SyslogPlugin): |
58 """A plugin for creating events from syslog message produced by SSH.""" | 58 """A plugin for creating events from syslog message produced by SSH.""" |
| 59 |
59 NAME = 'ssh' | 60 NAME = 'ssh' |
60 DESCRIPTION = 'Parser for SSH syslog entries.' | 61 DESCRIPTION = 'Parser for SSH syslog entries.' |
61 REPORTER = 'sshd' | 62 REPORTER = 'sshd' |
62 | 63 |
63 _AUTHENTICATION_METHOD = ( | 64 _AUTHENTICATION_METHOD = ( |
64 pyparsing.Keyword('password') | pyparsing.Keyword('publickey')) | 65 pyparsing.Keyword('password') | pyparsing.Keyword('publickey')) |
65 | 66 |
66 _PYPARSING_COMPONENTS = { | 67 _PYPARSING_COMPONENTS = { |
67 'address': text_parser.PyparsingConstants.IP_ADDRESS.setResultsName( | 68 'address': text_parser.PyparsingConstants.IP_ADDRESS.setResultsName( |
68 'address'), | 69 'address'), |
117 Args: | 118 Args: |
118 parser_mediator (ParserMediator): mediates interactions between parsers | 119 parser_mediator (ParserMediator): mediates interactions between parsers |
119 and other components, such as storage and dfvfs. | 120 and other components, such as storage and dfvfs. |
120 key (str): name of the matching grammar. | 121 key (str): name of the matching grammar. |
121 timestamp (int): the timestamp, which contains the number of micro seconds | 122 timestamp (int): the timestamp, which contains the number of micro seconds |
122 since January 1, 1970, 00:00:00 UTC or 0 on error. | 123 since January 1, 1970, 00:00:00 UTC or 0 on error. |
123 tokens (dict[str, str]): tokens derived from a syslog message based on | 124 tokens (dict[str, str]): tokens derived from a syslog message based on |
124 the defined grammar. | 125 the defined grammar. |
125 | 126 |
126 Raises: | 127 Raises: |
127 AttributeError: If an unknown key is provided. | 128 ValueError: If an unknown key is provided. |
128 """ | 129 """ |
129 # TODO: change AttributeError into ValueError or equiv. | |
130 if key not in ('failed_connection', 'login', 'opened_connection'): | 130 if key not in ('failed_connection', 'login', 'opened_connection'): |
131 raise AttributeError('Unknown grammar key: {0:s}'.format(key)) | 131 raise ValueError('Unknown grammar key: {0:s}'.format(key)) |
132 | 132 |
133 if key == 'login': | 133 if key == 'login': |
134 event_data = SSHLoginEventData() | 134 event_data = SSHLoginEventData() |
135 | 135 |
136 elif key == 'failed_connection': | 136 elif key == 'failed_connection': |
137 event_data = SSHFailedConnectionEventData() | 137 event_data = SSHFailedConnectionEventData() |
138 | 138 |
139 elif key == 'opened_connection': | 139 elif key == 'opened_connection': |
140 event_data = SSHOpenedConnectionEventData() | 140 event_data = SSHOpenedConnectionEventData() |
141 | 141 |
152 event_data.port = tokens.get('port', None) | 152 event_data.port = tokens.get('port', None) |
153 event_data.reporter = tokens.get('reporter', None) | 153 event_data.reporter = tokens.get('reporter', None) |
154 event_data.severity = tokens.get('severity', None) | 154 event_data.severity = tokens.get('severity', None) |
155 event_data.username = tokens.get('username', None) | 155 event_data.username = tokens.get('username', None) |
156 | 156 |
157 event = time_events.TimestampEvent( | 157 event = time_events.TimestampEvent( |
158 timestamp, definitions.TIME_DESCRIPTION_WRITTEN) | 158 timestamp, definitions.TIME_DESCRIPTION_WRITTEN) |
159 parser_mediator.ProduceEventWithEventData(event, event_data) | 159 parser_mediator.ProduceEventWithEventData(event, event_data) |
160 | 160 |
161 | 161 |
162 syslog.SyslogParser.RegisterPlugin(SSHPlugin) | 162 syslog.SyslogParser.RegisterPlugin(SSHSyslogPlugin) |
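Review bot: Raising ValueError instead of AttributeError at new line 131 changes what callers of this method observe, and nothing in the hunk shows the dispatch site being adjusted; if the syslog parser wraps plugin calls in an `except AttributeError` to skip unparsable messages (not visible here), an unknown key would now propagate as an unhandled exception, so that caller should be checked in the same change. The method's signature lies outside the hunk; its docstring at new line 128 already documents ValueError, so the docstring and code now agree. The rename of SSHPlugin to SSHSyslogPlugin at new lines 57 and 162 also drops the old name without an alias; if any test or other module imports SSHPlugin, keeping `SSHPlugin = SSHSyslogPlugin` for one release would avoid breaking them, since NAME = 'ssh' is unchanged and the registry lookup is unaffected.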