OpenSSH Watcher

Author: iUseYahoo

main.py

@@ -1,6 +1,7 @@
 import watchers.windowsdefender as WindowsDefender
 import watchers.windowsfirewall as WindowsFirewall
 import watchers.powershell as PowerShell
+import watchers.openssh as OpenSSH
 import os, sys, time
 import threading
 from term_image.image import from_file
@@ -14,7 +15,8 @@ def clear():
 watching_config = {
  "WindowsDefender": False,
  "WindowsFirewall": False,
- "PowerShell": False
+ "PowerShell": False,
+ "OpenSSH": False
 }
 
 class colors:
@@ -67,6 +69,8 @@ def mon(key):
  WindowsFirewall.Watch()
  elif key == "PowerShell":
  PowerShell.Watch()
+ elif key == "OpenSSH":
+ OpenSSH.Watch()
  else:
  print(f"{colors.red}Invalid watcher!{colors.reset}")
  break
@@ -90,7 +94,8 @@ def main():
  print(f"{colors.blue}1. Windows Defender: " + str(watching_config["WindowsDefender"]) + f"{colors.reset}")
  print(f"{colors.blue}2. Windows Firewall: " + str(watching_config["WindowsFirewall"]) + f"{colors.reset}")
  print(f"{colors.blue}3. PowerShell: " + str(watching_config["PowerShell"]) + f"{colors.reset}")
- print(f"{colors.blue}4. Start LogSentry{colors.reset}")
+ print(f"{colors.blue}4. Start OpenSSH: " + str(watching_config["PowerShell"]) + f"{colors.reset}")
+ print(f"{colors.blue}5. Start LogSentry{colors.reset}")
 
  choice = input("\nEnter your choice: ")
  if choice == "1":
@@ -100,6 +105,8 @@ def main():
  elif choice == "3":
  watching_config["PowerShell"] = not watching_config["PowerShell"]
  elif choice == "4":
+ watching_config["OpenSSH"] = not watching_config["OpenSSH"]
+ elif choice == "5":
  threads = []
 
  for key,value in watching_config.items():

parser/winevent.py

@@ -114,6 +114,39 @@ def WindowsPowerShell(self):
  print("-" * 15 + " | Windows PowerShell Event | " + "-" * 13)
  print("-" * 58 + colors.reset)
 
+ for key, value in event_info.items():
+ print(f"{key}: {value}")
+
+ return event_info
+ 
+ def OpenSSH(self):
+ event_info = {}
+ lines = self.event_record.split("\n")[1:]
+ description = []
+
+ for line in lines:
+ if ":" in line:
+ key, value = map(str.strip, line.split(":", 1))
+ event_info[key] = value
+ else:
+ # If the line does not contain a colon, assume it's part of the description
+ description.append(line.strip())
+
+ # Combine multiline description
+ event_info["Description"] = "\n".join(description)
+
+ # Extract additional information from the Description field
+ for line in event_info["Description"].split("\n"):
+ if ":" in line:
+ key, value = map(str.strip, line.split(":", 1))
+ event_info[key] = value
+
+ # Print the extracted information
+ print("\n")
+ print(f"{colors.darkgreen}-" * 58)
+ print("-" * 15 + " | OpenSSH Event | " + "-" * 13)
+ print("-" * 58 + colors.reset)
+
  for key, value in event_info.items():
  print(f"{key}: {value}")
 

watchers/openssh.py

@@ -0,0 +1,60 @@
+from parser import winevent as winevent_parser
+import subprocess
+import hashlib
+import base64
+import time
+
+ignore_list = []
+stored_events = []
+
+class colors:
+ darkred = "\033[31m"
+ red = "\033[91m"
+ lightred = "\033[38;5;196m"
+ darkgreen = "\033[32m"
+ green = "\033[92m"
+ lightgreen = "\033[38;5;46m"
+ darkyellow = "\033[33m"
+ yellow = "\033[93m"
+ lightyellow = "\033[38;5;226m"
+ darkblue = "\033[34m"
+ blue = "\033[94m"
+ lightblue = "\033[38;5;21m"
+ reset = "\033[0m"
+ fire = "\033[38;5;196m"
+
+def Watch():
+ try:
+ result = subprocess.run(
+ ["wevtutil", "qe", "OpenSSH/Operational", "/c:1", "/rd:true", "/f:text"],
+ capture_output=True,
+ text=True,
+ check=True
+ )
+
+ latest_event = result.stdout
+ 
+ base64_hash = hashlib.sha256(latest_event.encode("utf-8")).hexdigest()
+ if base64_hash in stored_events:
+ return None
+
+ stored_events.append(base64_hash)
+
+ event_id = latest_event.split("\n")[4].split(":")[1].strip()
+
+ if int(event_id) in ignore_list:
+ return "Retrieved event is in the ignore list."
+
+ winevent_parser.Parser(latest_event).OpenSSH()
+ return latest_event
+
+ except subprocess.CalledProcessError as e:
+ print("Error:", e)
+ with open("logs.txt", "w") as f:
+ currenttime = time.strftime("%H:%M:%S")
+ f.write(f"[{currenttime}] Error: {e}\n")
+
+ # dont need to close bcos with open closes it automatically
+ # f.close()
+
+ return None