AUTHLOG PARSER

This tool simulates part of a real-world host-based intrusion detection system by parsing system authentication logs (auth.log) and detecting signs of brute-force login attempts. It integrates basic network context and validates usernames against the system to distinguish between mistyped and malicious logins.

43KB
auth.log

ALGORITHM

//INPUT
 * Successful Logins | Failed Logins
 
 * Test whether the auth.log file exists and can be accessed
    - view the contents if it was read
 * identify tokens to use for failure/success
    - For Failed Logins, the identifier is
       - "Failed password for"
    - For Successful Logins, the identifier is 
       - "..."
 
 
//PROCESS
 * in auth.log, the following is your identifier before the username
    - if (Failed password for invalid user)
       strcpy(x, username)
      else
       strcpy(x, username)
       
    - if there is no such account for the specified username in the system,
      then say so as that indicated a potential malicious user
       - grab and compare the username obtained from auth.log to
         /etc/passwd file or others


//OUTPUT
 
 * Successful Logins Selection
    - Display the following
       - Total Successful Authentication: {#}
       - Timestamp: {...}
       - 5 Tuple Details...
          - Username: {username}
          - Source IP: {}
          - Source Port: {}
          - Destination IP: {}
             - if this is local IP then say so
          - Destination Port: {}
          - Protocol: {}
    
 * Failed Logins Selection
    - Display the following
       - Total Failed Authentication: {#}
       - Timestamp: {}
       - 5 Tuple Details...
          - Username: {username}
          - Source IP: {}
          - Source Port: {}
          - Destination IP: {}
             - if this is local IP then say so
          - Destination Port: {}
          - Protocol: {}

AUTHLOGPARSER.C

keep the name as authLogParser.c as this will be turned into a bigger project that looks for signs of brute-forcing, etc.

/*######################################################################################
# Dev: cnd.dev
# Program Name: N/A
# Version: 1.0.0
#  - Major.Minor.Update/BuildNumber
# Date: 291517JUN25
# Filename: authLogParser.c
# Dependency: auth.log
# Compile Cmd: gcc -m64 -O1 authLogParser.c -o authLogParser-v1.0.0-linux-x86-64
# Synopsis:
#  - Overview: This tool simulates part of a real-world host-based
#    intrusion detection system by parsing system authentication logs
#    (auth.log) and detecting signs of brute-force login attempts. It
#    integrates basic network context and validates usernames against the
#    system to distinguish between mistyped and malicious logins.
#  - Technical: ...
######################################################################################*/

#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/*int selectMode(int *mode) {
  bool selection = true;
  while (selection) {
    printf("MODE: ");
    if (scanf("%d", mode) == 1 && (*mode == 1 || *mode == 2) ) {
      break;
    }
    while (getchar() != '\n');  // Clear invalid input
  }
  return 0;
}*/

//mode selector
int modeSelector(void){
  int mode;
  int inputStatus;

  while (1){
    printf("mode: ");
    inputStatus = scanf("%d", &mode);
    //if input is successfully read...clear the rest of the line including newline
    if (inputStatus == 1){
      while (getchar() != '\n');
        return mode;
    } 
    else {
      printf("Invalid input. Select a number.\n");
      while (getchar() != '\n');
    }
  }
}

FILE* openAuthLogFile(){
  int flag = 1;
  char filePath[255] = "auth.log";   //full path /var/log/auth.log
  FILE* authLogFile = fopen(filePath, "r");
  return authLogFile;
}

//this passwd file is just a helper for identifying usernames that aren't in the system
//when a brute force attack is occurring, actors are typically spraying a bunch of usernames and passwords in a short amount of time
//for password spraying, it is the password that is being sprayed a bunch of times against a single username
FILE* openPasswdFile(){
  int flag = 1;
  char filePath[255] = "passwd";  //full path /etc/passwd
  FILE * passwdFile = fopen(filePath, "r");
  return passwdFile;
}

int main(int argc, char *argv[])
{
  int mode = 0;
  int totalFailedLogins = 0;
  int totalSuccessfulLogins = 0;
  int lineReadBuffer = 255;
  char readLines[lineReadBuffer];
  char failedLoginsMarker[] = "Failed password for";
  char successfulLoginsMarker[] = "Accepted password for";

  //char delimiter[] = " ";
  //char *token = NULL;
  //
  // Pointer to hold each extracted word (token)
  //char *token = strtok(str, delimiter);

//----------------------------------------------------

  puts("Select Mode: ");
  //puts("1. Brute Force Detection: ");
  //puts("2. Command Injection Detection: ");
  puts("1. Failed Logins");
  puts("2. Successful Logins");
  puts("3. Valid Users");

  mode = modeSelector();

  //INPUT
  FILE* authLogFile = openAuthLogFile();
  FILE* passwdFile = openPasswdFile();

  if (authLogFile == NULL || passwdFile == NULL){
    puts("Error opening file.\n");
    puts("Rerun the program to continue...");
  }
  else{
    puts("Files Successfully Opened");

    if (mode == 1){	  
	  //PROCESS: 1.DISPLAY FAILED LOGINS
	  while(fgets(readLines, sizeof(readLines), authLogFile)){
	    if (strstr(readLines, failedLoginsMarker)){
		  printf("%s", readLines);
		  totalFailedLogins++;
		}
	  }
	  printf("\nTotal Failed Logins: %d", totalFailedLogins);
	}
	else if (mode == 2){
	  //PROCESS: 2.DISPLAY SUCCESSFUL LOGINS
	  while(fgets(readLines, sizeof(readLines), authLogFile)){
	    if (strstr(readLines, successfulLoginsMarker)){
		  printf("%s", readLines);
		  totalSuccessfulLogins++;
		}
	  }
	  printf("\nTotal Successful Logins: %d", totalSuccessfulLogins);
	}
	else if (mode == 3){
	  //GET ONLY THE 1st word (usernames) in the passwd file (fullpath /etc/passwd) - 100 usernames total (for now)
	  char usernameDelimiter[] = ":";   //tokenize /etc/passwd
	  char passwdUsernames[100][100];
	  char *token = NULL;
	  int userIndex = 0;
	  
	  while(fgets(readLines, sizeof(readLines), passwdFile) && userIndex < 100){
	    // Pointer to hold each extracted word (token)
	    token = strtok(readLines, usernameDelimiter);    //this grabs the usernames (first column)
	  
	    // Loop to extract and print all tokens
        if (token != NULL) {
		  strncpy(passwdUsernames[userIndex], token, sizeof(passwdUsernames[userIndex]) - 1);
		  passwdUsernames[userIndex][sizeof(passwdUsernames[userIndex]) - 1] = '\0';  // null terminate each usernames
          userIndex++;
        }
	  }	
      for (int i = 0; i < userIndex; i++) {
        printf("Valid User [%d]: %s\n", i, passwdUsernames[i]);
      }
	}
	else{
	  puts("Invalid Selection...rerun the program again to continue.");
	}
  }
  fclose(authLogFile);
  fclose(passwdFile);

  return 0;
}
PreviousPASSWORD GENERATORNextGEOMETRY CALCULATOR

Last updated