clean up parsers code a little bit

pirate · Oct 22, 2016 · 9cc478a · 9cc478a
1 parent 220dfd7
commit 9cc478a
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 13 deletions.
diff --git a/parsers/connections.py b/parsers/connections.py
@@ -13,7 +13,7 @@ def parse_connection(log_line, port=None):
     return {
         'tcp_version': tcp_vers,
         'port': port or '',
-        'state': state[1:-1],  # remove parens (LISTEN) -> LISTEN
+        'state': state[1:-1],  # removes parens (LISTEN) -> LISTEN
         'user': user,
         'process': str(proc),
         'pid': pid,
@@ -25,5 +25,8 @@ def parse_connection(log_line, port=None):
 def parse(line, source=None):
     conn = parse_connection(line, source)
     if conn:
-        return ('notify', TITLE.format(**conn), BODY.format(**conn))
+        return ('notify',
+            TITLE.format(**conn),
+            BODY.format(**conn))
+
     return (None, '', '')
diff --git a/parsers/ostiarius.py b/parsers/ostiarius.py
@@ -1,6 +1,6 @@
 import re
 
-#27/04/16 09:42:38,000 kernel[0]: OSTIARIUS: /Applications/Xoib.app/Contents/MacOS/Xoib is from the internet & is unsigned -> BLOCKING!
+# 27/04/16 09:42:38,000 kernel[0]: OSTIARIUS: /Applications/Xoib.app/Contents/MacOS/Xoib is from the internet & is unsigned -> BLOCKING!
 OSTIARIUS_EVENT_FILTER = re.compile('OSTIARIUS: .+BLOCKING')
 
 def parse(line, source=None):

diff --git a/parsers/ssh.py b/parsers/ssh.py
@@ -13,13 +13,15 @@
 
 
 def word_after(line, word):
+    """'a black sheep', 'black' -> 'sheep'"""
     return line.split(word, 1)[-1].split(' ', 1)[0]
 
 def parse_summary(line):
-    # truncated error msg
+    """get the summary of an SSH failure from an SSH log event line"""
     return line.split(' sshd[', 1)[-1].split(' ', 1)[-1][:40] + '...'
 
 def parse_line(line):
+    """parse out the user and connection source from an SSH log event line"""
     user = (
         word_after(line, ' for ')
         if ' for ' in line else ' '

diff --git a/parsers/sudo.py b/parsers/sudo.py
@@ -4,11 +4,14 @@
 
 SUDO_EVENT_FILTER = re.compile('sudo')
 
-TITLE = 'SUDO EVENT: {0} [{1}]'
-BODY = '{0}\n@ {1}'
+TITLE = 'SUDO EVENT: {user} [{tty}]'
+BODY = '{command}\n@ {pwd}'
+
+EXCLUDE_LINES = ('/usr/sbin/lsof +c 0',)  # dont alert on sudo events that contain these strings
+
 
 def parse(line, source=None):
-    if SUDO_EVENT_FILTER.findall(line) and '/usr/sbin/lsof +c 0' not in line:
+    if SUDO_EVENT_FILTER.findall(line) and not any(pattern in line for pattern in EXCLUDE_LINES):
         pre, pwd, _, command = line.split(' ; ', 3)
 
         user = pre.split(' : ', 1)[0].split(' ')[-1]
@@ -17,7 +20,7 @@ def parse(line, source=None):
         pwd = pwd.split('PWD=', 1)[-1].split('/Users/', 1)[-1]
 
         return ('alert',
-            TITLE.format(user, tty),
-            BODY.format(command, pwd))
+            TITLE.format(user=user, tty=tty),
+            BODY.format(command=command, pwd=pwd))
 
     return (None, '', '')
diff --git a/parsers/vnc.py b/parsers/vnc.py
@@ -1,13 +1,13 @@
 from .connections import parse_connection
 
-TITLE = 'VNC CONNECTED {0}'
-BODY = 'To: {0} {1} ({2}) on {3}'
+TITLE = 'VNC CONNECTED {source}'
+BODY = 'To: {user} {process} ({pid}) on {target}'
 
 def parse(line, source=None):
     conn = parse_connection(line, source)
     if conn:
         return ('alert',
-            TITLE.format(conn['source']),
-            BODY.format(conn['user'], conn['process'], conn['pid'], conn['target']),
+            TITLE.format(**conn),
+            BODY.format(**conn),
         )
     return (None, '', '')