package RINO::Client;

use 5.008008;
use strict;
use warnings;

# Package version.  The eval re-parses the string as Perl so that a
# development release written as e.g. '0.03_01' also ends up as a plain
# number (the usual CPAN idiom; the pod link in the original trailing
# comment was cut off in this rendering).
our $VERSION = '0.03';
$VERSION = eval $VERSION;

# Imports plugins() into this package.  'require => 1' makes
# Module::Pluggable load each plugin module it finds (by default everything
# under RINO::Client::Plugin::).  _plugins() and write_out() below rely on
# that namespace.
use Module::Pluggable require => 1;

# Loaded when this module is loaded; an instance is only created in
# to_hash().
require XML::IODEF;

# Preloaded methods go here.
# Short, lower-cased names of the installed plugins: each package name
# reported by plugins() (imported from Module::Pluggable) with the
# 'rino::client::plugin::' prefix removed, e.g. 'csv'.  Returns the list.
# NOTE(review): plugins() is called without an invocant; this relies on
# Module::Pluggable having bound the search package at import -- confirm.
sub _plugins {
    return map {
        my $short = lc $_;
        $short =~ s/rino::client::plugin:://;
        $short;
    } plugins();
}
# Constructor.
#
#   my $client = RINO::Client->new(%args);
#
# The only option read is 'iodef': when it is true it is taken to be an
# IODEF XML document and handed to to_hash() right away, so the new object
# already carries its parsed tree.  Returns the blessed object.
sub new {
    my ($class, %args) = @_;
    my $self = bless {}, $class;
    $self->to_hash($args{iodef}) if $args{iodef};
    return $self;
}
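# Hand the simplified rows from to_simple() to an output plugin.
#
#   $client->write_out($plugin_name);   # default 'csv'
#
# $plugin_name is a short plugin name; 'csv' selects
# RINO::Client::Plugin::Csv (ucfirst is applied).  A qualified suffix such
# as 'Foo::Bar' is accepted as well.  The plugin module is loaded with
# require and its class method write_out() receives the rows; whatever it
# returns is passed through.  Dies if the name is not a plain package name
# or the module cannot be loaded.
sub write_out {
    my $self   = shift;
    my $plugin = shift || 'csv';

    # The name becomes part of a package name and of a file path looked up
    # in @INC, so only identifier characters and '::' are accepted.  This
    # also replaces the former string eval, which would have executed any
    # Perl code a caller managed to embed in the name.
    die "invalid plugin name '$plugin'"
        unless $plugin =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z_][A-Za-z0-9_]*)*\z/;

    my $package = 'RINO::Client::Plugin::' . ucfirst($plugin);

    # require on a bareword is resolved at compile time, so load the module
    # by its relative path instead (Foo::Bar -> Foo/Bar.pm).  require dies
    # on failure, which keeps the old die($@) behaviour.
    (my $file = "$package.pm") =~ s{::}{/}g;
    require $file;

    my $rows = $self->to_simple();
    return $package->write_out($rows);
}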
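# Parse an IODEF XML document into a tree and cache it on the object.
#
#   my ($err, $tree) = $client->to_hash($xml);
#
# Returns the two-element list (undef, $tree) on success and
# ('invalid iodef object', undef) when XML::IODEF refuses the input.  Once a
# tree is cached, $xml is ignored and the cached tree is returned in that
# same (undef, $tree) shape -- previously the cached path returned the bare
# tree, which put it in the error slot for list-context callers.  In scalar
# context the caller sees the last element, i.e. the tree (or undef on
# error); to_simple() depends on that.  Returns an empty list when nothing
# is cached and no $xml was given.
#
# Side effects: stores the XML::IODEF object in $self->{_xml} and the tree
# in $self->{_tree}.
sub to_hash {
    my ($self, $xml) = @_;

    return (undef, $self->{_tree}) if defined $self->{_tree};
    return unless $xml;

    my $iodef = XML::IODEF->new();
    # NOTE(review): assumes in() returns false on a parse failure; the
    # original code relied on the same.
    $iodef->in($xml) or return ('invalid iodef object', undef);

    $self->{_xml}  = $iodef;
    $self->{_tree} = $iodef->to_tree();
    return (undef, $self->{_tree});
}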
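# Flatten the parsed IODEF tree into one row per EventData.
#
#   my $rows = $client->to_simple($xml);   # $xml optional once parsed
#
# Returns an array ref.  Each row is a hash with the keys IncidentID,
# Description, Address, DetectTime, Port, Destination and AdditionalData;
# string fields have embedded '"' doubled for CSV, a missing Port becomes
# ''.  When the immediate caller is a package whose name ends in 'Client'
# (write_out() in this module, on its way to a plugin) the first element is
# an array ref of the column names so the plugin can emit a header row.  An
# unparsed or empty tree yields no rows.
#
# Unlike the previous version this does not rewrite the cached tree's
# strings in place, so calling it repeatedly does not double-escape quotes.
sub to_simple {
    my ($self, $xml) = @_;
    my $tree = $self->to_hash($xml);

    my @rows;
    # caller() has to stay in this sub: it names the caller of to_simple(),
    # not of a helper.
    my $caller = caller();
    push @rows, [qw(IncidentID Description Address DetectTime Port Destination AdditionalData)]
        if defined $caller && $caller =~ /Client$/;

    # Incident, EventData and AdditionalData are a hash when there is one of
    # them and an array of hashes when there are several.
    my $incident = ref($tree) eq 'HASH' ? $tree->{Incident} : undef;
    for my $ri (_as_list($incident)) {
        my $incident_id = _csv_escape(_dig($ri, qw(IncidentID content)));
        my $description = _csv_escape($ri->{Description});

        for my $ev (_as_list($ri->{EventData})) {
            my $port = _dig($ev, qw(Flow System Service Port));
            my ($destination, $additional) = _additional_data($ev->{AdditionalData});

            push @rows, {
                IncidentID     => $incident_id,
                Description    => $description,
                Address        => _csv_escape(_dig($ev, qw(Flow System Node Address content))),
                DetectTime     => _csv_escape($ev->{DetectTime}),
                Port           => defined $port ? _csv_escape($port) : '',
                Destination    => $destination,
                AdditionalData => $additional,
            };
        }
    }
    return \@rows;
}

# Normalise a tree node that is either one hash or an array of hashes into a
# list; undef or anything else yields the empty list.
sub _as_list {
    my ($node) = @_;
    return ($node)  if ref($node) eq 'HASH';
    return @{$node} if ref($node) eq 'ARRAY';
    return ();
}

# Walk a hash path without autovivifying intermediate hashes in the cached
# tree.  Returns the value found, or a scalar undef when any step is missing
# (an explicit scalar, because callers use the result inside hash
# constructors where an empty list would shift the key/value pairs).
sub _dig {
    my ($node, @path) = @_;
    for my $key (@path) {
        return undef unless ref($node) eq 'HASH' && exists $node->{$key};
        $node = $node->{$key};
    }
    return $node;
}

# Double embedded double quotes for CSV.  Returns a copy; undef stays undef.
sub _csv_escape {
    my ($value) = @_;
    return $value unless defined $value;
    (my $copy = $value) =~ s/"/""/g;
    return $copy;
}

# Split an EventData's AdditionalData entries into the 'destination address'
# value and a JSON-like string of the remaining meaning/content pairs.
# Returns ($destination, $additional): $destination is '' when absent;
# $additional is undef when there are no other pairs, otherwise
# '{ "meaning":"content", ... }'.  As before, the values inside $additional
# are not escaped, so the string is only JSON-like.
sub _additional_data {
    my ($node) = @_;
    my $destination = '';
    my @pairs;
    for my $ad (_as_list($node)) {
        my $meaning = $ad->{meaning};
        if (defined $meaning && $meaning eq 'destination address') {
            $destination = $ad->{content};
        }
        else {
            push @pairs, qq|"$meaning":"$ad->{content}"|;
        }
    }
    my $additional = @pairs ? '{ ' . join(', ', @pairs) . ' }' : undef;
    return ($destination, $additional);
}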
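# Return the source systems of the parsed incident.
#
#   my ($err, $systems) = $client->sources();
#
# Needs a tree from an earlier to_hash(); without one returns
# ('you must ->to_hash($xml) first', undef).  On success returns
# (undef, \@systems), where @systems are the Flow->System hashes of every
# EventData whose category is 'source'.  A single EventData hash is handled
# like to_simple() does, instead of being dereferenced as an array (which
# died).
#
# NOTE(review): the previous body filtered the events but collected and
# returned nothing; returning the matching System entries is the reading of
# the sub's name adopted here -- confirm against callers.
sub sources {
    my ($self) = @_;
    my $tree = $self->{_tree}
        or return ('you must ->to_hash($xml) first', undef);

    # One EventData arrives as a hash, several as an array of hashes.
    my $events = $tree->{Incident}{EventData};
    my @events = ref($events) eq 'HASH'  ? ($events)
               : ref($events) eq 'ARRAY' ? @{$events}
               :                           ();

    my @systems;
    for my $event (@events) {
        my $sys = $event->{Flow}{System};
        next unless ref($sys) eq 'HASH'
                 && defined $sys->{category}
                 && $sys->{category} eq 'source';
        push @systems, $sys;
    }
    return (undef, \@systems);
}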
1;  # a module must return true to require/use

__END__