#!/usr/bin/perl
2
# add_alert_set_notes_to_anns.pl, distributed as part of Snortsnarf v021111.1
# Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
# copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
# Released under the GNU General Public License; see the COPYING file included
# with the distribution or http://www.silicondefense.com/software/snortsnarf/
# for details.
9
# add_alert_set_notes_to_anns.pl is a Pipeline module that adds annotations
# recording that the given alerts have been added to the given labeled set and
# file.
# pipeline args: alerts, set name, set file
# side effect: adds the annotations to the annotation database listed in the
# config file
15
# Please send complaints, kudos, and especially improvements and bugfixes to
# hoagland@SiliconDefense.com.  As described in the GNU General Public License,
# no warranty is expressed for this program.
19
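use strict;
use warnings;

# Escape the characters that are significant in HTML text and attribute
# values, so that request-supplied values (set name, set file, the view URL)
# can be embedded in the annotation's HTML link without being interpreted as
# markup when the annotation is later displayed.  undef is treated as ''.
sub _html_escape {
	my ($text)= @_;
	$text= '' unless defined $text;
	$text =~ s/&/&amp;/g;
	$text =~ s/</&lt;/g;
	$text =~ s/>/&gt;/g;
	$text =~ s/"/&quot;/g;
	$text =~ s/'/&#39;/g;
	return $text;
}

# Pipeline entry point.
# Arguments: the pipeline input object, followed by exactly 3 pipeline
# argument names (alerts, labeled set name, labeled set file) that are
# resolved to values through arg_to_val.
# Returns 0 when the argument count is wrong, an empty value when the config
# file names no annotation database, and otherwise the value of save_XML_tree.
# Side effect: adds one 'IP' annotation per source address and one 'network'
# annotation per enclosing /24 and /16 source network to the annotation
# database named by the 'ann-db-loc' field of the config file.
sub process {
	require "sisr_utils.pl";
	require "ann_xml.pl";
	my ($input)= shift;
	unless (@_ == 3) {
		# Report and stop unconditionally; previously the return depended on
		# reporterr() returning a true value.
		&reporterr("add_alert_set_notes_to_anns.pl takes 3 arguments (alerts,set name,labeled alert set file), but got:".join(' ',@_),0);
		return 0;
	}

	my($alerts,$setname,$lsfile)= &arg_to_val($input,@_);
	my $configfile= $input->param('configfile');
	my($annfile)= &get_config_field($configfile,'ann-db-loc');
	if (!defined($annfile) || $annfile eq '') {
		warn "ann-db-loc not provided in $configfile, so no annotations made on labeled set creation";
		return;
	}

	# The set name, set file and config file come from the request, so the
	# URL is built from query-string-encoded copies and the link text and
	# HREF attribute from HTML-escaped copies, never from the raw values.
	my $setviewurl= 'view_lset.pl?'.join('&',
		'setname='.&url_encode($setname),
		'setfile='.&url_encode($lsfile),
		'configfile='.&url_encode($configfile));
	my $settext= '<A HREF="'._html_escape($setviewurl).'">set "'
		._html_escape($setname).'" in file '._html_escape($lsfile).'</A>';

	my $tree= &load_XML_tree($annfile);

	$tree->[0] eq "ANNOTATION-BASE" || die "invalid annotation XML file ($annfile); expected root element to be ANNOTATION-BASE";

	$tree= &create_ann_tree_unless_exists($tree);

	# Count, per source IP and per enclosing /24 and /16 network, how many
	# packets of the given alerts carry that source.
	my(%sip,%snet);
	foreach my $alert (@{$alerts}) {
		# A plain (unblessed) hash is an old-style alert with a 'src' field;
		# anything else is taken to be an alert API instance whose packets()
		# each expose sip().
		my @srcs= ref($alert) eq 'HASH'
			? ($alert->{'src'})
			: map($_->sip(),$alert->packets());
		foreach my $src (@srcs) {
			next unless defined $src && length $src;
			$sip{$src}++;
			# Only derive network keys when the source looks like a dotted
			# IPv4 address.  The old code used $1 unconditionally, so a source
			# that did not match silently reused the previous match's value.
			if (my ($o1,$o2,$o3)= $src =~ /^(\d+)\.(\d+)\.(\d+)/) {
				$snet{"$o1.$o2.$o3.0/24"}++;
				$snet{"$o1.$o2.0.0/16"}++;
			}
		}
	}
	# Sorted so the annotation database is written in a deterministic order.
	foreach my $ip (sort keys %sip) {
		&add_ann($tree,'IP',$ip,'SISR','in labeled set',
			$sip{$ip}." packets with "._html_escape($ip)." as source are in $settext");
	}
	foreach my $net (sort keys %snet) {
		&add_ann($tree,'network',$net,'SISR','in labeled set',
			$snet{$net}." packets with "._html_escape($net)." as source network are in $settext");
	}

	return &save_XML_tree($tree,$annfile);
}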
66
# Last statement, so this reference is the value the file yields when loaded
# with do/require -- presumably how the Pipeline loader obtains this module's
# entry point; confirm against the loader.
\&process;
68
# $Id: add_alert_set_notes_to_anns.pl,v 1.11 2001/10/18 18:23:25 jim Exp $
70