File Coverage

lib/ThreatDetector/Handlers/LoginBruteForce.pm

Criterion	Covered	Total	%
statement	21	21	100.0
branch	1	2	50.0
condition	2	2	100.0
subroutine	7	7	100.0
pod	0	2	0.0
total	31	34	91.1

line	stmt	bran	cond	sub	pod	time	code
1							package ThreatDetector::Handlers::LoginBruteForce;
2
3	2			2		143837	use strict;
	2					6
	2					101
4	2			2		15	use warnings;
	2					8
	2					131
5	2			2		11	use Exporter 'import';
	2					3
	2					77
6	2			2		765	use JSON;
	2					17107
	2					12
7	2			2		307	use Time::HiRes qw(gettimeofday);
	2					13
	2					16
8
9							our $VERBOSE = 0;
10							our @EXPORT_OK = qw(handle_login_bruteforce get_login_brute_force_events);
11							our @BRUTE_FORCE_EVENTS;
12							our $VERSION = '0.04';
13
14							sub handle_login_bruteforce {
15	2			2	0	195579	my ($entry) = @_;
16	2					8	my ( $sec, $micro ) = gettimeofday();
17
18							my $alert = {
19							timestamp => "$sec.$micro",
20							type => 'login_bruteforce',
21							ip => $entry->{ip},
22							method => $entry->{method},
23							uri => $entry->{uri},
24							status => $entry->{status},
25							user_agent => $entry->{user_agent},
26	2		100			17	referer => $entry->{referer} \|\| '',
27							};
28	2					3	push @BRUTE_FORCE_EVENTS, $alert;
29	2	50				6	print encode_json($alert) . "\n" if $VERBOSE;
30							}
31
32							sub get_login_brute_force_events {
33	1			1	0	4	return @BRUTE_FORCE_EVENTS;
34							}
35
36							1;
37
38							=head1 NAME
39
40							ThreatDetector::Handlers::LoginBruteForce - Handler for login brute-force attempts
41
42							=head1 SYNOPSIS
43
44							use ThreatDetector::Handlers::LoginBruteForce qw(handle_login_bruteforce);
45
46							handle_login_bruteforce($entry);
47
48							=head1 DESCRIPTION
49
50							Prints a JSON alert for suspected brute-force login attempts. Typically used in conjunction with logic that detects rapid repeated login attempts from the same IP or URI pattern (e.g., `/login`, `/admin`).
51
52							=head1 AUTHOR
53
54							Jason Hall
55
56							=cut