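#!/usr/bin/env perl
#
# CGI front-end for the correlation graph written by the Snort AI
# preprocessor.  Reads correlation_graph.json from the document root and
# serves it either verbatim (method=json) or re-encoded as a flat
# <alerts><alert .../></alerts> XML document (method=xml, the default).

use strict;
use warnings;

use Env qw(DOCUMENT_ROOT QUERY_STRING);
use JSON::PP;                       # core since 5.14; same API as the JSON wrapper
use Scalar::Util qw(reftype);
use Time::Local qw(timelocal);

# Output format requested by the client.  Only the two known values are
# accepted, and only as a whole "method=" parameter, so unrelated text in
# the query string cannot select a format.
my $method = 'xml';
if ( defined $QUERY_STRING
     and $QUERY_STRING =~ /(?:^|&)method=(json|xml)(?:&|$)/ )
{
    $method = $1;
}

# Abbreviated month name -> 1-based month number, for the "date" field.
my %mon2num = qw( jan 1 feb 2 mar 3 apr 4 may 5 jun 6 jul 7 aug 8 sep 9 oct 10 nov 11 dec 12 );

# Attribute names must be XML Names: a letter or underscore followed by
# word characters.  Any other key is skipped, as before.
my $valid_attr_name = qr/\A[A-Za-z_][A-Za-z0-9_]*\z/;

my $json_file = ( $DOCUMENT_ROOT ? $DOCUMENT_ROOT : '.' ) . '/correlation_graph.json';

# Three-arg open with a lexical handle: the file name can never be read as
# a mode prefix or a pipe command, whatever $DOCUMENT_ROOT contains.
open my $in, '<', $json_file
    or die "Cannot open alert JSON file $json_file: $!";
my $json_string = do { local $/; <$in> };
close $in;
$json_string = '' unless defined $json_string;   # empty file

if ( $method eq 'json' )
{
    # Pass the stored document through untouched.
    print "Content-Type: application/json\n\n";
    print $json_string;
}
elsif ( $method eq 'xml' )
{
    # decode() under ->utf8 yields character strings; re-encode them on the
    # way out so the bytes match the encoding declared in the XML prolog.
    binmode STDOUT, ':encoding(UTF-8)';

    my @alerts = @{ JSON::PP->new->utf8->decode( $json_string ) };

    print "Content-Type: application/xml\n\n"
        . "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n"
        . "<alerts>\n";

    for my $alert ( @alerts )
    {
        print "\t<alert";
        my %element = %$alert;

        for my $key ( keys %element )
        {
            my $value = $element{$key};

            # Only scalar fields with XML-safe names become attributes;
            # nested arrays and objects are dropped.
            next if $key !~ $valid_attr_name;
            my $type = reftype $value;
            next if defined $type and ( $type eq 'ARRAY' or $type eq 'HASH' );
            $value = '' unless defined $value;   # JSON null -> empty attribute

            my $attr = $key;

            if ( $key eq 'snortSID' or $key eq 'snortGID' or $key eq 'snortREV' )
            {
                # snortSID -> sid, snortGID -> gid, snortREV -> rev
                ( my $short = $key ) =~ s/^snort//;
                $attr = lc $short;
            }
            elsif ( $key eq 'to' or $key eq 'from' )
            {
                # Split a trailing ":port" off the address into its own
                # attribute; the port is digits only, so it needs no escaping.
                if ( $value =~ s/:([1-9][0-9]*)$// )
                {
                    my $port = $1;
                    print " ${key}_port=\"$port\"";
                }
            }
            elsif ( $key eq 'date' )
            {
                # Convert an asctime-style date to an epoch timestamp; keep
                # the original string when it cannot be parsed.
                my $epoch = _parse_date( $value );
                $value = $epoch if defined $epoch;
            }

            # Entity-escape the value: a backslash before '"' is not XML
            # quoting, and unescaped &, < or > would break the document.
            print " $attr=\"" . _xml_escape( $value ) . "\"";
        }

        print "></alert>\n";
    }

    print "</alerts>\n";
}

# Escape the five XML-special characters so $text can be embedded in a
# double-quoted attribute value.  Returns the escaped copy.
sub _xml_escape
{
    my ( $text ) = @_;
    my %entity_for = (
        '&' => '&amp;',
        '<' => '&lt;',
        '>' => '&gt;',
        '"' => '&quot;',
        "'" => '&apos;',
    );
    $text =~ s/([&<>"'])/$entity_for{$1}/g;
    return $text;
}

# Parse an asctime-style date ("Tue Mar 9 13:45:07 2010", weekday ignored)
# in the server's local time zone.  Returns the epoch timestamp, or nothing
# when the string does not have that shape, names an unknown month, or
# holds out-of-range fields (timelocal croaks on those, which previously
# aborted the response mid-document).
sub _parse_date
{
    my ( $text ) = @_;

    my @field = $text =~ /^\s*[a-z]+\s+([a-z]+)\s+([0-9]+)\s+([0-9]+):([0-9]+):([0-9]+)\s+([0-9]+)\s*$/i
        or return;
    my ( $mon_name, $day, $hour, $min, $sec, $year ) = @field;

    my $mon = $mon2num{ lc substr $mon_name, 0, 3 };
    return unless defined $mon;

    # timelocal wants a 0-based month.
    my $epoch = eval { timelocal( $sec, $min, $hour, $day, $mon - 1, $year ) };
    return $epoch;
}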