package Armadito::Agent::Antivirus::Eset::Task::Alerts; |
use strict; |
use warnings; |
use base 'Armadito::Agent::Task::Alerts'; |
use Armadito::Agent::Patterns::Matcher; |
use Parse::Syslog; |
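# Collect the esets_daemon syslog entries from a recent time window.
#
# Arguments (all optional, passed as a hash after $self):
#   log_file - syslog file to read; defaults to /var/log/syslog, the
#              Debian/Ubuntu location the task originally hard-coded.
#   since    - epoch timestamp; entries older than this are skipped.
#              Defaults to one hour before now.
#
# Returns one string, one entry per line, formatted as
#   timestamp="<epoch>", <raw syslog message>
# which is exactly what _parseLogs expects. An empty string means no
# matching entry was found. Parse::Syslog croaks when the file cannot be
# opened; that error is deliberately left to propagate to the caller.
sub _getSystemLogs {
    my ( $self, %opts ) = @_;

    my $log_file = defined $opts{log_file} ? $opts{log_file} : '/var/log/syslog';
    my $tssince  = defined $opts{since}    ? $opts{since}    : ( time() - 3600 );

    my $parser = Parse::Syslog->new($log_file);

    my $selected_logs = "";
    while ( my $entry = $parser->next ) {

        # Some syslog entries carry no program name at all; comparing an
        # undef with eq would only raise "uninitialized value" warnings,
        # so skip them explicitly.
        next unless defined $entry->{program};
        next unless $entry->{program} eq "esets_daemon";
        next unless $entry->{timestamp} >= $tssince;

        # NOTE(review): the message text is attacker-influenced — whoever
        # can drop a file on the host also chooses the file name that ESET
        # echoes back in this line — and it is regex-parsed downstream.
        $selected_logs .= "timestamp=\"" . $entry->{timestamp} . "\", " . $entry->{text} . "\n";
    }

    return $selected_logs;
}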
# Example of the esets_daemon summary line in /var/log/syslog that _parseLogs extracts alerts from:
# Nov 23 14:22:33 n5trusty32a esets_daemon[6974]: summ[1b3e0300]: vdb=31502, agent=pac, name="/home/malwares/contagio-malware/rtf/MALWARE_RTF_CVE-2012-0158_300_files/CVE-2012-0158_E94F9B67A66FFAF62FB5CE87B677DC5C.rtf", virus="Win32/Exploit.CVE-2012-0158.AJ trojan", action="cleaned by deleting", info="Event occurred on a new file created by the application: /usr/bin/scp (EEBC3C511B955D5AE2A52A5CE66EC472398AB6B9).", avstatus="clean (deleted)", hop="discarded"
# Turn the selected syslog text into structured alerts.
#
# $logs is the newline-separated string produced by _getSystemLogs. Each
# line matching the alert pattern yields one record whose keys are the
# field names listed below; lines carrying avstatus="not scanned" are
# dropped. Returns whatever the Patterns::Matcher hands back from
# getResults() (the "alerts" entry holds the matched records).
sub _parseLogs {
    my ( $self, $logs ) = @_;

    # Field names, in the same order as the capture groups of the pattern.
    my @fields = ( 'detection_time', 'filepath', 'name', 'action', 'info' );

    # Captures are non-greedy and stop at the next `", key="` boundary.
    # NOTE(review): a scanned file whose name itself contains such a
    # sequence could shift the fields; how ESET quotes file names is not
    # visible here, so treat the parsed values as untrusted input.
    my $alert_pattern = 'timestamp="(.*?)".*?name="(.*?)", virus="(.*?)", action="(.*?)", info="(.*?)",';

    my $matcher = Armadito::Agent::Patterns::Matcher->new( logger => $self->{logger} );
    $matcher->addPattern( "alerts", $alert_pattern, \@fields );

    # Summary lines flagged "not scanned" (presumably files ESET skipped)
    # are excluded from the alerts.
    $matcher->addExclusionPattern(', avstatus="not scanned"');

    $matcher->run( $logs, '\n' );

    return $matcher->getResults();
}
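# Run the task: collect the last hour of esets_daemon syslog entries,
# parse them into alerts and hand them to _sendAlerts.
#
# %params is passed through unchanged to the base class run(). Returns
# $self (as returned by the base class) so calls can be chained.
sub run {
    my ( $self, %params ) = @_;

    $self = $self->SUPER::run(%params);

    my $eset_logs = $self->_getSystemLogs();
    if ( $eset_logs eq "" ) {
        $self->{logger}->info("No alerts found.");
        return $self;
    }

    my $alerts = $self->_parseLogs($eset_logs);

    # Nothing in this file guarantees getResults() always carries an
    # "alerts" list (every candidate line may have been excluded). Under
    # strict refs, dereferencing an undef list here would die, so treat a
    # missing list as empty; _sendAlerts then sees a list as well.
    $alerts->{alerts} = [] unless defined $alerts->{alerts};
    my $n_alerts = scalar @{ $alerts->{alerts} };

    $self->{logger}->info( $n_alerts . " alert(s) found." );
    $self->_sendAlerts($alerts);

    return $self;
}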
1; |
__END__ |
=head1 NAME |
Armadito::Agent::Antivirus::Eset::Task::Alerts - Alerts Task for ESET Antivirus. |
=head1 DESCRIPTION |
This task inherits from L<Armadito::Agent::Task::Alerts>. It collects the ESET antivirus detections logged by esets_daemon in syslog and sends them as JSON messages to the Armadito GLPI plugin.
=head1 FUNCTIONS |
=head2 run ( $self, %params ) |
Run the task: read the esets_daemon entries of the last hour from syslog, parse them into alerts and send them. Returns the task object.
=head2 new ( $self, %params ) |
Instantiate the task (inherited from the base class; this module does not override it).