forked from The-Art-of-Hacking/h4cker
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathParseLogs.py
158 lines (134 loc) · 4.56 KB
/
ParseLogs.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
import gzip
import re
#
# ParseLogs.py
# Parsing component of Logalyzer. Original: https://github.com/hatRiot/logalyzer
# Converted to python3.6 by @programmerchad
#
# log object
# Stuck into a dictionary by user:Log, where log houses
# logs, fails, successes, logged IPs, and commands used
class Log:
# dump date of first log
def first_date(self):
if len(self.logs) > 0:
date = None
i = 0
# sometimes the first few aren't right, so look
# until we find one
while i < len(self.logs) and date is None:
date = ParseDate(self.logs[i])
i += 1
return date
# dump date of last log
def last_date(self):
if len(self.logs) > 0:
return ParseDate(self.logs[len(self.logs) - 1])
def __init__(self, usr):
self.usr = usr
self.logs = []
self.fail_logs = []
self.succ_logs = []
self.ips = []
self.commands = []
# parse user from various lines
def ParseUsr(line):
usr = None
if "Accepted password" in line:
usr = re.search(r'(\bfor\s)(\w+)', line)
elif "sudo:" in line:
usr = re.search(r'(sudo:\s+)(\w+)', line)
elif "authentication failure" in line:
usr = re.search(r'USER=\w+', line)
elif "for invalid user" in line:
usr = re.search(r'(\buser\s)(\w+)', line)
if usr is not None:
return usr.group(2)
# parse an IP from a line
def ParseIP(line):
ip = re.search(r'(\bfrom\s)(\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b)', line)
if ip is not None:
return ip.group(2)
# parse a date from the line
def ParseDate(line):
date = re.search(r'^[A-Za-z]{3}\s*[0-9]{1,2}\s[0-9]{1,2}:[0-9]{2}:[0-9]{2}', line)
if date is not None:
return date.group(0)
# parse a command from a line
def ParseCmd(line):
# parse command to end of line
cmd = re.search(r'(\bCOMMAND=)(.+?$)', line)
if cmd is not None:
return cmd.group(2)
# begin parsing the passed LOG
def ParseLogs(log):
# initialize the dictionary
logs = {}
# parse the log
f = None
try:
f = gzip.open(log, 'r') if '.gz' in log else open(log, 'r')
log = f.read()
except Exception as e:
print('[-] Error opening \'%s\': %s' % (log, e))
return None
finally:
if f is not None:
f.close()
for line in log.split('\n'):
# match a login
if "Accepted password for" in line:
usr = ParseUsr(line)
# add 'em if they don't exist
if usr not in logs:
logs[usr] = Log(usr)
ip = ParseIP(line)
# set info
if ip not in logs[usr].ips:
logs[usr].ips.append(ip)
logs[usr].succ_logs.append(line.rstrip('\n'))
logs[usr].logs.append(line.rstrip('\n'))
# match a failed login
elif "Failed password for" in line:
# parse user
usr = ParseUsr(line)
if usr not in logs:
logs[usr] = Log(usr)
ip = ParseIP(line)
if ip not in logs[usr].ips:
logs[usr].ips.append(ip)
logs[usr].fail_logs.append(line.rstrip('\n'))
logs[usr].logs.append(line.rstrip('\n'))
# match failed auth
elif ":auth): authentication failure;" in line:
# so there are three flavors of authfail we care about;
# su, sudo, and ssh. Lets parse each.
usr = re.search(r'(\blogname=)(\w+)', line)
if usr is not None:
usr = usr.group(2)
# parse a fail log to ssh
if "(sshd:auth)" in line:
# ssh doesn't have a logname hurr
usr = ParseUsr(line)
if usr not in logs:
logs[usr] = Log(usr)
logs[usr].ips.append(ParseIP(line))
# parse sudo/su fails
else:
if usr not in logs:
logs[usr] = Log(usr)
logs[usr].fail_logs.append(line.rstrip('\n'))
logs[usr].logs.append(line.rstrip('\n'))
# match commands
elif "sudo:" in line:
# parse user
usr = ParseUsr(line)
if usr not in logs:
logs[usr] = Log(usr)
cmd = ParseCmd(line)
# append the command if it isn't there already
if cmd is not None:
if cmd not in logs[usr].commands:
logs[usr].commands.append(cmd)
logs[usr].logs.append(line.rstrip('\n'))
return logs