File Coverage

blib/lib/ThreatDetector/Reporter.pm
Criterion Covered Total %
statement 21 21 100.0
branch n/a
condition n/a
subroutine 4 4 100.0
pod 1 1 100.0
total 26 26 100.0


line stmt bran cond sub pod time code
1             package ThreatDetector::Reporter;
2            
3 2     2   139961 use strict;
  2         5  
  2         110  
4 2     2   27 use warnings;
  2         3  
  2         192  
5 2     2   15 use Exporter 'import';
  2         4  
  2         714  
6            
7             our @EXPORT_OK = qw(generate_summary);
8             our $VERSION = '0.04';
9            
10             sub generate_summary {
11 1     1 1 182933 my ($label, $events_ref, $fh) = @_;
12 1         3 my @events = @$events_ref;
13            
14 1         5 print $fh "\n=== $label Summary ===\n";
15 1         6 print $fh "Total: " . scalar(@events) . "\n";
16            
17 1         2 my (%ip_count, %uri_count);
18 1         3 for my $e (@events) {
19 6         13 $ip_count{ $e->{ip} }++;
20 6         12 $uri_count{ $e->{uri} }++;
21             }
22            
23 1         3 print $fh "Unique IPs:\n";
24 1         11 print $fh " $_ ($ip_count{$_} hits)\n" for sort keys %ip_count;
25            
26 1         3 print $fh "Targeted URIs:\n";
27 1         12 print $fh " $_ ($uri_count{$_} times)\n" for sort keys %uri_count;
28             }
29            
30             1;
31            
32             =head1 NAME
33            
34             ThreatDetector::Reporter - Summary report generator for classified threat events
35            
36             =head1 SYNOPSIS
37            
38             use ThreatDetector::Reporter qw(generate_summary);
39            
40             my @events = get_sqli_events();
41             generate_summary('SQL Injection', \@events);
42            
43             =head1 DESCRIPTION
44            
45             This module provides a reusable summary reporting function for threat events
46             collected during log analysis. It is designed to work with all threat handler
47             modules that expose a list of collected events via a getter function.
48            
49             The summary includes:
50            
51             =over 4
52            
53             =item * Total number of detected events
54            
55             =item * List of unique IP addresses with hit counts
56            
57             =item * List of targeted URIs with frequency counts
58            
59             =back
60            
61             =head1 FUNCTIONS
62            
63             =head2 generate_summary($label, \@events)
64            
65             Prints a structured summary for a specific threat type. Accepts a human-readable label
66             (e.g. "SQL Injection") and a reference to an array of event hashrefs.
67            
68             Each event should contain at minimum the following keys:
69            
70             ip - Source IP address
71             uri - Targeted endpoint
72            
73             =head1 AUTHOR
74            
75             Jason Hall
76            
77             =cut