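#!/usr/bin/perl

# incident_view.pl, distributed as part of Snortsnarf v021111.1
# Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
# copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
# Released under GNU General Public License, see the COPYING file included
# with the distribution or http://www.silicondefense.com/software/snortsnarf/
# for details.

# incident_view.pl is a Pipeline module to take an incident name and a path
# to an incident file and show the incident on the browser
# pipeline args: incident name, incident file
# side effect: displays HTML on browser

# Please send complaints, kudos, and especially improvements and bugfixes to
# hoagland@SiliconDefense.com. As described in GNU General Public License, no
# warranty is expressed for this program.

use strict;
use warnings;

# Escape the four HTML metacharacters so a value taken from the incident
# file, an annotation or a request parameter is rendered as text rather than
# parsed as markup, both in element content and inside double-quoted
# attribute values.  An undef argument is treated as the empty string.
# Returns the escaped copy; the argument is not modified.
sub _html_escape {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/&/&amp;/g;    # first, so the entities added below are not re-escaped
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Pipeline entry point.  Arguments: the request object (it must provide
# header() and param()) followed by the two pipeline arguments, incident
# name and incident file.  Prints the HTTP header and then an HTML page with
# the incident's alert-set links, text fields and annotations, a form to add
# an annotation and a form to create a report from a mail template.
# Returns 0 after reporting a wrong argument count or an unknown incident;
# otherwise the (true) result of the final print.
sub process {
    require "sisr_utils.pl";
    require "inc_xml.pl";
    my ($input) = shift;
    unless (@_ == 2) {
        &reporterr("incident_view.pl takes 2 arguments (inc name,inc file), but got:" . join(' ', @_), 0);
        return 0;
    }

    my ($incname, $incfile) = &arg_to_val($input, @_);

    # print out headers
    # NOTE(review): CGI.pm spells the content-type option "-type"; with
    # "-header" the type is whatever the request class defaults to -- confirm
    # which class $input is before changing it.
    print $input->header(-header => 'text/html', -expires => '+0d');

    # NOTE(review): configfile is taken straight from the request and is later
    # used as a file path (get_mail_tmpl_hash) and inside pipeline specs;
    # presumably the Pipeline front end constrains it -- verify.
    my $configfile = $input->param('configfile');

    # probably really want to get these from the config file
    my ($path) = $input->param('_path');

    # get mail template file names and descriptions (full path => description)
    my %mailtmpl = &get_mail_tmpl_hash($configfile);

    my $tree = &load_XML_tree($incfile);
    my $inc = &find_incident_named($tree, $incname);

    # escaped copies of everything that is interpolated into the page
    my $h_incname = _html_escape($incname);
    my $h_incfile = _html_escape($incfile);

    unless (defined $inc) {
        # per the original TODO, an undef result means no incident of that name
        print "<HTML><BODY><P>No incident named <B>$h_incname</B> was found in <B>$h_incfile</B>.</BODY></HTML>\n";
        return 0;
    }
    my %attrs = &incident_attrs($inc);
    my ($fldsref, $notesref) = &incident_fields_and_notes($inc);
    my @text_fields = $fldsref ? @{$fldsref} : ();
    my @notes = $notesref ? @{$notesref} : ();

    my $created = localtime($attrs{'created'});
    my $setfile = $attrs{'event-set-loc'};
    $setfile = '' unless defined $setfile;
    $setfile =~ s/^file:\/\///;    # drop a leading file:// scheme, if present
    my $seturl = &pipeline_submit_url("lab_set_view.pl $attrs{'event-set-name'} $setfile", $path, 'configfile' => $configfile);
    my $setfileurl = &pipeline_submit_url("set_list_view.pl $setfile", $path, 'configfile' => $configfile);

    my $h_created    = _html_escape($created);
    my $h_creator    = _html_escape($attrs{'creator'});
    my $h_setname    = _html_escape($attrs{'event-set-name'});
    my $h_setloc     = _html_escape($attrs{'event-set-loc'});
    my $h_configfile = _html_escape($configfile);
    # $seturl and $setfileurl are emitted exactly as pipeline_submit_url built
    # them; whether it already entity-encodes '&' is not visible here, so they
    # are deliberately not escaped a second time -- TODO confirm
    print <<"END_HEADER";
<HTML>
<HEAD>
  <TITLE>Listing of incident $h_incname</TITLE>
</HEAD>
<BODY bgcolor="#E7DEBD">
<H1>Incident $h_incname</H1>
Incident <B>$h_incname</B> was created on <B>$h_created</B> by <B>$h_creator</B>.
<table border cellpadding = 3><CAPTION>Alert set location and text fields</CAPTION>
  <TR>
    <TH>Field</TH>
    <TH>Value</TH>
  </TR>
  <TR>
    <TD ALIGN=right>Alert set name</TD>
    <TD ALIGN=left><A HREF="$seturl">$h_setname</A></TD>
  </TR>
  <TR>
    <TD ALIGN=right>Alert set file location</TD>
    <TD ALIGN=left><A HREF="$setfileurl">$h_setloc</A></TD>
  </TR>
END_HEADER

    # one row per text field; the field name (first element) is not shown
    for my $field (@text_fields) {
        my (undef, $descr, $val) = &get_incident_text_field_info($field);
        my $h_descr = _html_escape($descr);
        my $h_val   = _html_escape($val);
        print <<"END_ROW";
  <TR>
    <TD ALIGN=right>$h_descr</TD>
    <TD ALIGN=left>$h_val</TD>
  </TR>
END_ROW
    }
    print "</table>\n";

    if (@notes) {
        print '<TABLE border CELLPADDING=5><TR ALIGN=center><CAPTION>Annotations</CAPTION><TD><B>Subject</B></TD><TD><B>Author</B></TD><TD><B>Date</B></TD><TD><B>Annotation</B></TD></TR>';
        for my $note_elt (@notes) {
            my ($author, $date, $subject, $note) = &get_note_info($note_elt);
            my $h_note = _html_escape($note);
            # keep the author's line breaks; a CRLF pair counts as one break
            $h_note =~ s/\r\n|\r|\n/<BR>/g;
            print "\n<TR ALIGN=center><TD>" . _html_escape($subject)
                . "</TD><TD>" . _html_escape($author)
                . "</TD><TD>" . _html_escape($date)
                . "</TD><TD>$h_note</TD></TR>";
        }
        print "</table>\n";
    }
    else {
        print "<P>(No annotations found for $h_incname.)";
    }
    print <<"END_ADDNOTE";
<HR>
Add an annotation:
END_ADDNOTE

    # NOTE(review): $configfile and $incname go into the pipeline spec
    # unescaped; how pipeline_form_start tokenises that spec is not visible
    # here, so whether they need validating first is for the Pipeline module
    # to answer -- confirm.
    &pipeline_form_start("config_inc_flds_db.pl $configfile \$ifieldinfo \$incfile | add_annotation_to_inc_db.pl \$incfile $incname \$author \$subject \$note | incident_view.pl $incname \$incfile", $path);

    print <<"END_FORM";
<INPUT TYPE="hidden" NAME="configfile" VALUE="$h_configfile">
<INPUT TYPE="hidden" NAME="incname" VALUE="$h_incname">

<TABLE>
  <TR><TD align=right>Your name:</TD><TD align=left><INPUT TYPE="text" NAME="author" SIZE="12"></TD></TR>
  <TR><TD align=right>Subject:</TD><TD align=left><INPUT TYPE="text" NAME="subject" SIZE="20"></TD></TR>
  <TR><TD align=right>Note:</TD><TD align=left><TEXTAREA NAME="note" wrap=yes ROWS="6" COLS="60"></TEXTAREA></TD></TR>
</TABLE>
<INPUT TYPE="submit" VALUE="Add Annotation">
<HR>
</FORM>
END_FORM
    # eventually want to add links to save selection, delete set, deleted selected, rename, arrange (listing) by field, etc.

    # link to create report

    #config_alert_set_db.pl $configfile \$setfile | set_list_view.pl \$setfile
    print '<A HREF="inclist.pl?configfile=' . &url_encode($configfile), "\">List all incidents</A><P>";

    &pipeline_form_start("parse_mailtempl.pl \$reporttempl | load_inc_fields.pl $incname $incfile | inst_flds.pl mail- |confirm_email.pl \$reporttempl mail-", $path);

    print <<"END_REPORT";
<INPUT TYPE="hidden" NAME="configfile" VALUE="$h_configfile">
<INPUT TYPE="hidden" NAME="incname" VALUE="$h_incname">
<INPUT TYPE="hidden" NAME="incfile" VALUE="$h_incfile">
Create a report from template: <SELECT NAME="reporttempl">
END_REPORT
    # sorted so the menu order is stable across runs instead of hash order
    for my $file (sort keys %mailtmpl) {
        print "\t<OPTION VALUE=\"" . _html_escape($file) . "\"> " . _html_escape($mailtmpl{$file}) . "\n";
    }
    print <<"END_FOOTER";
</SELECT>
<INPUT TYPE="submit" VALUE="Create">
</FORM>
</BODY>
</HTML>
END_FOOTER
}

# Collect the mail report templates in the directory named by the config
# field 'report-tmpl-dir-mail'.  Returns a hash: full path of each regular
# file in that directory (dotfiles and "~" editor backups skipped) => its
# description, which is the text after a "Description:" header line when one
# appears before the first blank line, otherwise the bare file name.
# Returns the empty list when the config field is unset or empty, so the
# caller's hash assignment yields an empty hash.  Dies if the directory or
# a template file cannot be opened.
sub get_mail_tmpl_hash {
    my ($configfile) = shift;

    my $maildir = &get_config_field($configfile, 'report-tmpl-dir-mail');
    # a bare return is an empty list in list context; "return undef" would
    # hand the caller a one-element list and an odd-sized hash assignment
    return if !defined $maildir || $maildir eq '';
    my %descr_of = ();
    opendir(my $dh, $maildir) or die "could not open mail report directory $maildir";
    # defined() so an entry literally named "0" does not stop the listing
    while (defined(my $file = readdir($dh))) {
        next if $file =~ /^\./ || $file =~ /~$/;
        my $fullpath = "$maildir/$file";
        next unless -f $fullpath;    # exclude dirs, etc
        my $descr = $file;
        # three-argument open: the entry name can never be read as a mode
        open(my $fh, '<', $fullpath) or die "could not open mail template file $fullpath";
        while (my $line = <$fh>) {
            last if $line =~ /^\s*$/;    # blank line separates headers from body
            if ($line =~ s/^Description\s*:\s*//i) {
                chomp $line;             # keep the description on one line
                $descr = $line;
                last;
            }
        }
        close $fh;
        $descr_of{$fullpath} = $descr;
    }
    closedir($dh);
    return %descr_of;
}

# Value of this file when loaded: a reference to the entry point.  Presumably
# the Pipeline loader takes this as the module's handler -- see the loader
# for the exact contract.
\&process;

# $Id: incident_view.pl,v 1.11 2001/10/18 18:23:25 jim Exp $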