File Coverage

blib/lib/Armadito/Agent/Antivirus/Eset/Task/Alerts.pm
Criterion Covered Total %
statement 15 43 34.8
branch 0 4 0.0
condition 0 3 0.0
subroutine 5 8 62.5
pod 1 1 100.0
total 21 59 35.5


line stmt bran cond sub pod time code
1             package Armadito::Agent::Antivirus::Eset::Task::Alerts;
2              
3 1     1   14117072 use strict;
  1         7  
  1         46  
4 1     1   3 use warnings;
  1         2  
  1         61  
5 1     1   4 use base 'Armadito::Agent::Task::Alerts';
  1         45  
  1         478  
6 1     1   459 use Armadito::Agent::Patterns::Matcher;
  1         1  
  1         10  
7 1     1   496 use Parse::Syslog;
  1         9682  
  1         10  
8              
9             sub _getSystemLogs {
10 0     0     my ($self) = @_;
11              
12 0           my $selected_logs = "";
13 0           my $tsnow = time;
14 0           my $tssince = $tsnow - 3600; # last hour
15 0           my $parser = Parse::Syslog->new('/var/log/syslog');
16              
17 0           while ( my $sl = $parser->next ) {
18             $selected_logs .= "timestamp=\"" . $sl->{timestamp} . "\", " . $sl->{text} . "\n"
19 0 0 0       if ( $sl->{program} eq "esets_daemon" && $sl->{timestamp} >= $tssince );
20             }
21              
22 0           return $selected_logs;
23             }
24              
25             # Nov 23 14:22:33 n5trusty32a esets_daemon[6974]: summ[1b3e0300]: vdb=31502, agent=pac, name="/home/malwares/contagio-malware/rtf/MALWARE_RTF_CVE-2012-0158_300_files/CVE-2012-0158_E94F9B67A66FFAF62FB5CE87B677DC5C.rtf", virus="Win32/Exploit.CVE-2012-0158.AJ trojan", action="cleaned by deleting", info="Event occurred on a new file created by the application: /usr/bin/scp (EEBC3C511B955D5AE2A52A5CE66EC472398AB6B9).", avstatus="clean (deleted)", hop="discarded"
26              
27             sub _parseLogs {
28 0     0     my ( $self, $logs ) = @_;
29              
30 0           my $parser = Armadito::Agent::Patterns::Matcher->new( logger => $self->{logger} );
31              
32 0           my $labels = [ 'detection_time', 'filepath', 'name', 'action', 'info' ];
33 0           my $pattern = 'timestamp="(.*?)".*?name="(.*?)", virus="(.*?)", action="(.*?)", info="(.*?)",';
34 0           $parser->addPattern( "alerts", $pattern, $labels );
35 0           $parser->addExclusionPattern(', avstatus="not scanned"');
36 0           $parser->run( $logs, '\n' );
37              
38 0           return $parser->getResults();
39             }
40              
41             sub run {
42 0     0 1   my ( $self, %params ) = @_;
43 0           $self = $self->SUPER::run(%params);
44              
45 0           my $eset_logs = $self->_getSystemLogs();
46 0 0         if ( $eset_logs eq "" ) {
47 0           $self->{logger}->info("No alerts found.");
48 0           return $self;
49             }
50              
51 0           my $alerts = $self->_parseLogs($eset_logs);
52 0           my $n_alerts = @{ $alerts->{alerts} };
  0            
53 0           $self->{logger}->info( $n_alerts . " alert(s) found." );
54 0           $self->_sendAlerts($alerts);
55              
56 0           return $self;
57             }
58              
59             1;
60              
61             __END__
62              
63             =head1 NAME
64              
65             Armadito::Agent::Antivirus::Eset::Task::Alerts - Alerts Task for ESET Antivirus.
66              
67             =head1 DESCRIPTION
68              
69             This task inherits from L<Armadito::Agent::Task:Alerts>. Get Antivirus' alerts and send them as json messages to armadito glpi plugin.
70              
71             =head1 FUNCTIONS
72              
73             =head2 run ( $self, %params )
74              
75             Run the task.
76              
77             =head2 new ( $self, %params )
78              
79             Instanciate Task.
80