Ian Connor
2006-Mar-05 17:40 UTC
[Rails] Converted tattle.pl to ruby - anyone want to be a tester?
The basic idea of tattle (http://www.securiteam.com/tools/5JP0520G0Q.html) is that it will go through your /var/logs/messages to find brute force attack attempts on your machine via ssh. It then looks up the abuse records and emails the network owners about the attack. It worked well until the log format changed a little when I updated last and it broke. So, as an exercise in learning ruby and rails, I converted it so that it now uses ruby and ActionMailer to send out the notifications. I am looking for any volunteers that would like to test this and write the install guide. I was going to then put it up on sourceforge for the wider community under GPL.

Basic code looks like this:

# Path of the log to scan (defaults to the syslog file tattle reads)
logfile = ARGV[0] || "/var/log/messages"

puts "open logs"
helper = SecurityHelper.new
offenders = helper.getoffenders( logfile )
offenders.each { |key, offender|
  # abuse may be nil when no contact was found, so convert before concatenating
  puts offender.rhost + " (" + offender.abuse.to_s + ")"
  Notifier::deliver_send_report(offender)
}

with

class SecurityHelper
  # Returns a Hash of "rhost=<ip>" token => Attacker for every sshd line
  # in logfile that carries an rhost field
  def getoffenders( logfile )
    @off = Hash.new
    # File.foreach closes the handle when the block finishes
    File.foreach(logfile) { |line|
      if( line =~ /sshd/ and line =~ /rhost/ )
        records = line.split( /\s/ )
        records.each { |record|
          if record['rhost']
            if @off.has_key?(record)
              @off.fetch(record).lines << line
            else
              attacker = Attacker.new
              attacker.rhost = record.split("=")[1]
              attacker.lines << line
              @off[record] = attacker
            end
          end
        }
      end
    }
    @off
  end
end

# Requires ActionMailer (loaded by the Rails environment, or via
# require 'rubygems'; require 'action_mailer' when run stand-alone)
class Notifier < ActionMailer::Base
  def send_report( offender )
    # Email header info MUST be added here
    @recipients = "iconnor@projectlounge.com"
    @from = "iconnor@projectlounge.com"
    @subject = "Breach of AUP: " + offender.rhost
    # Email body substitutions go here
    @body["lines"] = offender.lines
    @body["email"] = offender.abuse
  end
end

class Attacker
  require 'net/http'
  attr_accessor :rhost, :lines

  def initialize
    @lines = []
  end

  # Looks up the abuse contact for rhost in spamcop's reporting cache and
  # returns it (or nil if the page carried no "Using best contacts" line)
  def abuse
    Net::HTTP.start('www.spamcop.net') { |http|
      req = Net::HTTP::Get.new('/sc?action=rcache;ip=' + rhost)
      response = http.request(req)
      lins = response.body.split("<br>")
      lins.each { |lin|
        if lin['Using best contacts']
          @abuse = lin.split(" ")[3]
        end
      }
    }
    @abuse
  end
end

Copyright (C) 2006 Ian Connor - GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
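The post's parser keys offenders on the raw "rhost=..." token and splices that value straight into the lookup URL, and it only understands the pam_unix line format, which is why a log format change broke the original tattle. The following is an added example, not Ian's tattle code, showing a parser that recognises both the pam_unix "rhost=" form and the "Failed password ... from" form, validates that the extracted source is a real IP address before it is used anywhere, and applies a failure threshold before an address is treated as a brute-force source. The sample log lines, regexes and threshold are constructed for the example.

```ruby
# Added example (not the tattle code from the post): group failed sshd logins by
# source address and flag brute-force candidates. Sample data, regexes and the
# threshold are assumptions made for illustration.
require 'ipaddr'

# Constructed sample log lines in classic syslog format.
SAMPLE_LOG = <<'LOG'
Mar  5 12:00:01 web1 sshd[2201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=root
Mar  5 12:00:03 web1 sshd[2203]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=admin
Mar  5 12:00:05 web1 sshd[2205]: Failed password for invalid user oracle from 192.0.2.10 port 4022 ssh2
Mar  5 12:00:09 web1 sshd[2209]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Mar  5 12:00:10 web1 sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 51023 ssh2
Mar  5 12:00:12 web1 sshd[2212]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=not-an-ip user=root
Mar  5 12:00:15 web1 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
LOG

# The two failed-login formats handled here (assumed shapes of the sshd lines).
PAM_FAILURE   = /sshd\[\d+\]: .*authentication failure;.*\brhost=(\S+)/
FAILED_PASSWD = /sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+/

# Source address of a failed login, or nil when the line is not a failure.
def failed_login_source(line)
  m = PAM_FAILURE.match(line) || FAILED_PASSWD.match(line)
  m && m[1]
end

# Only a syntactically valid address may be reported or looked up; anything else
# in the rhost field is attacker-controlled text and must not reach a URL or mail.
def valid_ip?(str)
  IPAddr.new(str)
  true
rescue ArgumentError
  false
end

# Failure lines grouped by source address; invalid addresses and
# non-failure lines (successful logins, other daemons) are skipped.
def group_failures(log_text)
  groups = Hash.new { |h, k| h[k] = [] }
  log_text.each_line do |line|
    src = failed_login_source(line)
    next unless src && valid_ip?(src)
    groups[src] << line.chomp
  end
  groups
end

# [address, failure_count] pairs for sources with at least `threshold`
# failures, most active first.
def brute_force_candidates(log_text, threshold = 3)
  group_failures(log_text).select { |_, lines| lines.size >= threshold }
                          .sort_by { |ip, lines| [-lines.size, ip] }
                          .map { |ip, lines| [ip, lines.size] }
end

if __FILE__ == $0
  brute_force_candidates(SAMPLE_LOG).each do |ip, n|
    puts "#{ip}: #{n} failed logins"
  end
end
```

Run on the constructed log, only 192.0.2.10 crosses the default threshold; 198.51.100.7 has a single failure followed by a successful key login and is not reported, and the line whose rhost field is not an address is dropped before it can be used anywhere. A threshold matters for a tool that emails network owners: a single mistyped password from a legitimate user should not generate an abuse report.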