OpenSSH Watcher

cspi-git · Sep 11, 2023 · 255e309 · 255e309
1 parent 78f27d8
commit 255e309
Show file tree

Hide file tree

Showing 3 changed files with 102 additions and 2 deletions.
diff --git a/main.py b/main.py
@@ -1,6 +1,7 @@
 import watchers.windowsdefender as WindowsDefender
 import watchers.windowsfirewall as WindowsFirewall
 import watchers.powershell as PowerShell
+import watchers.openssh as OpenSSH
 import os, sys, time
 import threading
 from term_image.image import from_file
@@ -14,7 +15,8 @@ def clear():
 watching_config = {
     "WindowsDefender": False,
     "WindowsFirewall": False,
-    "PowerShell": False
+    "PowerShell": False,
+    "OpenSSH": False
 }
 
 class colors:
@@ -67,6 +69,8 @@ def mon(key):
                 WindowsFirewall.Watch()
             elif key == "PowerShell":
                 PowerShell.Watch()
+            elif key == "OpenSSH":
+                OpenSSH.Watch()
             else:
                 print(f"{colors.red}Invalid watcher!{colors.reset}")
                 break
@@ -90,7 +94,8 @@ def main():
         print(f"{colors.blue}1. Windows Defender: " + str(watching_config["WindowsDefender"]) + f"{colors.reset}")
         print(f"{colors.blue}2. Windows Firewall: " + str(watching_config["WindowsFirewall"]) + f"{colors.reset}")
         print(f"{colors.blue}3. PowerShell: " + str(watching_config["PowerShell"]) + f"{colors.reset}")
-        print(f"{colors.blue}4. Start LogSentry{colors.reset}")
+        print(f"{colors.blue}4. Start OpenSSH: " + str(watching_config["PowerShell"]) + f"{colors.reset}")
+        print(f"{colors.blue}5. Start LogSentry{colors.reset}")
 
         choice = input("\nEnter your choice: ")
         if choice == "1":
@@ -100,6 +105,8 @@ def main():
         elif choice == "3":
             watching_config["PowerShell"] = not watching_config["PowerShell"]
         elif choice == "4":
+            watching_config["OpenSSH"] = not watching_config["OpenSSH"]
+        elif choice == "5":
             threads = []
 
             for key,value in watching_config.items():

diff --git a/parser/winevent.py b/parser/winevent.py
@@ -114,6 +114,39 @@ def WindowsPowerShell(self):
         print("-" * 15 + " | Windows PowerShell Event | " + "-" * 13)
         print("-" * 58 + colors.reset)
 
+        for key, value in event_info.items():
+            print(f"{key}: {value}")
+
+        return event_info
+
+    def OpenSSH(self):
+        event_info = {}
+        lines = self.event_record.split("\n")[1:]
+        description = []
+
+        for line in lines:
+            if ":" in line:
+                key, value = map(str.strip, line.split(":", 1))
+                event_info[key] = value
+            else:
+                # If the line does not contain a colon, assume it's part of the description
+                description.append(line.strip())
+
+        # Combine multiline description
+        event_info["Description"] = "\n".join(description)
+
+        # Extract additional information from the Description field
+        for line in event_info["Description"].split("\n"):
+            if ":" in line:
+                key, value = map(str.strip, line.split(":", 1))
+                event_info[key] = value
+
+        # Print the extracted information
+        print("\n")
+        print(f"{colors.darkgreen}-" * 58)
+        print("-" * 15 + " | OpenSSH Event | " + "-" * 13)
+        print("-" * 58 + colors.reset)
+
         for key, value in event_info.items():
             print(f"{key}: {value}")
 

diff --git a/watchers/openssh.py b/watchers/openssh.py
@@ -0,0 +1,60 @@
+from parser import winevent as winevent_parser
+import subprocess
+import hashlib
+import base64
+import time
+
+ignore_list = []
+stored_events = []
+
+class colors:
+    darkred = "\033[31m"
+    red = "\033[91m"
+    lightred = "\033[38;5;196m"
+    darkgreen = "\033[32m"
+    green = "\033[92m"
+    lightgreen = "\033[38;5;46m"
+    darkyellow = "\033[33m"
+    yellow = "\033[93m"
+    lightyellow = "\033[38;5;226m"
+    darkblue = "\033[34m"
+    blue = "\033[94m"
+    lightblue = "\033[38;5;21m"
+    reset = "\033[0m"
+    fire = "\033[38;5;196m"
+
+def Watch():
+    try:
+        result = subprocess.run(
+            ["wevtutil", "qe", "OpenSSH/Operational", "/c:1", "/rd:true", "/f:text"],
+            capture_output=True,
+            text=True,
+            check=True
+        )
+
+        latest_event = result.stdout
+
+        base64_hash = hashlib.sha256(latest_event.encode("utf-8")).hexdigest()
+        if base64_hash in stored_events:
+            return None
+
+        stored_events.append(base64_hash)
+
+        event_id = latest_event.split("\n")[4].split(":")[1].strip()
+
+        if int(event_id) in ignore_list:
+            return "Retrieved event is in the ignore list."
+
+        winevent_parser.Parser(latest_event).OpenSSH()
+        return latest_event
+
+    except subprocess.CalledProcessError as e:
+        print("Error:", e)
+        with open("logs.txt", "w") as f:
+            currenttime = time.strftime("%H:%M:%S")
+            f.write(f"[{currenttime}] Error: {e}\n")
+
+        # dont need to close bcos with open closes it automatically
+        # f.close()
+
+        return None