Converted tattle.pl to ruby - anyone want to be a tester?


#1

The basic idea of tattle
(http://www.securiteam.com/tools/5JP0520G0Q.html)
is that it will go through your /var/logs/messages to find brute force
attack attempts on your machine via ssh. It then looks up the abuse
records and emails the network owners about the attack.

It worked well until the log format changed a little when I updated last
and it broke. So, as an exercise in learning ruby and rails, I converted it
so that it now uses ruby and ActionMailer to send out the notifications.

I am looking for any volunteers that would like to test this and write
the install guide. I was going to then put it up on sourceforge for the
wider community under GPL.

Basic code looks like this:

puts "open logs"
helper = SecurityHelper.new
logfile = ARGV[0] or abort("usage: #{$0} LOGFILE")
offenders = helper.getoffenders( logfile )

offenders.each { |key, offender|
  # abuse may be nil if the lookup fails, so interpolate rather than concatenate
  puts "#{offender.rhost} (#{offender.abuse})"

  # Rails 1.x ActionMailer: deliver_<method> builds the mail and sends it
  Notifier.deliver_send_report(offender)
}

with

class SecurityHelper

  # Walk the log and collect one Attacker per remote host named in an sshd
  # "rhost=" record, keeping every matching line for the report
  def getoffenders( logfile )
    @off = Hash.new
    File.foreach(logfile) { |line|
      next unless line =~ /sshd/ and line =~ /rhost/
      line.split( /\s/ ).each { |record|
        next unless record['rhost=']
        rhost = record.split("=")[1]
        next if rhost.nil? or rhost.empty?   # "rhost=" with no value (local login)
        if @off.has_key?(rhost)
          @off.fetch(rhost).lines << line
        else
          attacker = Attacker.new
          attacker.rhost = rhost
          attacker.lines << line
          @off[rhost] = attacker
        end
      }
    }
    @off
  end

end

require 'action_mailer'

class Notifier < ActionMailer::Base

  # Rails 1.x mailer: the instance variables set here become the headers
  # and the @body entries become template variables for send_report.rhtml
  def send_report( offender )
    # Email header info MUST be added here
    @recipients = "removed_email_address@domain.invalid"
    @from = "removed_email_address@domain.invalid"
    @subject = "Breach of AUP: " + offender.rhost

    # Email body substitutions go here
    @body["lines"] = offender.lines
    @body["email"] = offender.abuse
  end

end

require 'net/http'

class Attacker

  attr_accessor :rhost, :lines

  def initialize
    @lines = []
  end

  # Look up the abuse contact through SpamCop's reporting cache; the result is
  # memoised so the HTTP query runs once per host, not on every call
  def abuse
    return @abuse if @abuse
    Net::HTTP.start('www.spamcop.net') { |http|
      req = Net::HTTP::Get.new('/sc?action=rcache;ip=' + rhost)
      response = http.request(req)
      response.body.split("\n").each { |lin|
        # the page reports the contact as "Using best contacts <address>"
        if lin['Using best contacts']
          @abuse = lin.split(" ")[3]
        end
      }
    }
    @abuse
  end

end

Copyright © 2006 Ian C. - GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA.
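The post mentions that the scanner broke when the syslog format changed. As an added example (not code from the original post or from tattle), here is a scanner that recognises both sshd failure formats commonly found in /var/log/messages, the PAM "authentication failure; ... rhost=" line and the "Failed password for ... from ..." line, and only reports hosts whose failure count reaches a threshold, so a single mistyped password does not trigger an abuse report. The log lines, the threshold of 3 and the class and function names are all my own assumptions for this example.

```ruby
# Added example, not part of the original post: sshd brute-force detection
# over syslog lines in both the PAM "rhost=" and "Failed password" formats.
require 'set'

# Constructed sample of /var/log/messages-style lines (not real traffic).
SAMPLE_LOG = <<'LOG'
Jan  5 03:12:01 host sshd[2311]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jan  5 03:12:03 host sshd[2311]: Failed password for root from 198.51.100.7 port 51832 ssh2
Jan  5 03:12:05 host sshd[2315]: Failed password for invalid user admin from 198.51.100.7 port 51840 ssh2
Jan  5 03:12:07 host sshd[2319]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=oracle
Jan  5 03:12:09 host sshd[2319]: Failed password for invalid user oracle from 203.0.113.9 port 40101 ssh2
Jan  5 03:13:00 host sshd[2330]: Accepted publickey for alice from 192.0.2.4 port 50000 ssh2
Jan  5 03:13:10 host cron[2340]: (root) CMD (run-parts /etc/cron.hourly)
Jan  5 03:13:12 host sshd[2350]: Failed password for invalid user test from 198.51.100.7 port 51900 ssh2
LOG

# One record per remote host: the raw lines for the report and the
# usernames that were tried against us.
class Offender
  attr_reader :rhost, :lines, :users

  def initialize(rhost)
    @rhost = rhost
    @lines = []
    @users = Set.new
  end

  def attempts
    @lines.size
  end
end

# PAM format: "... rhost=<host>  user=<name>" (user= is absent for unknown users)
PAM_FAILURE = /sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;.*\brhost=(\S+)(?:\s+user=(\S+))?/
# sshd format: "Failed password for [invalid user ]<name> from <host> port <n>"
FAILED_PASSWORD = /sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+/

# Returns a Hash of rhost => Offender for every line matching either pattern.
def scan_offenders(log_text)
  offenders = {}
  log_text.each_line do |raw|
    line = raw.chomp
    rhost = user = nil
    if (m = PAM_FAILURE.match(line))
      rhost, user = m[1], m[2]
    elsif (m = FAILED_PASSWORD.match(line))
      user, rhost = m[1], m[2]
    else
      next                       # not an sshd failure line
    end
    off = (offenders[rhost] ||= Offender.new(rhost))
    off.lines << line
    off.users << user if user
  end
  offenders
end

# Hosts with at least `threshold` failures, busiest first; these are the ones
# worth an abuse report.
def brute_forcers(log_text, threshold = 3)
  scan_offenders(log_text).values
                          .select { |o| o.attempts >= threshold }
                          .sort_by { |o| -o.attempts }
end

if __FILE__ == $0
  brute_forcers(SAMPLE_LOG).each do |o|
    puts "#{o.rhost}: #{o.attempts} failures, users tried: #{o.users.to_a.sort.join(', ')}"
  end
end
```

Keying on the remote host rather than on the whole "rhost=..." token means the two formats merge into one record per attacker, and keeping the tried usernames gives the abuse desk something more useful than a bare line count.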