1#!/usr/bin/perl
2
3# incident_view.pl, distributed as part of Snortsnarf v021111.1
4# Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
5# copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
6# Released under GNU General Public License, see the COPYING file included
7# with the distribution or http://www.silicondefense.com/software/snortsnarf/
8# for details.
9
10# incident_view.pl is a Pipeline module to take an incident name and a path
11#   to an incident file and show the incident on the browser
12# pipeline args: incident name, incident file
# side effect: displays HTML on the browser (headers and body are printed to STDOUT)
14
15# Please send complaints, kudos, and especially improvements and bugfixes to
16# hoagland@SiliconDefense.com.  As described in GNU General Public License, no
17# warranty is expressed for this program.
18
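# process: pipeline entry point.  Takes the CGI-ish request object followed
# by exactly two pipeline arguments (incident name, incident file), loads the
# incident from the XML file and prints an HTML page describing it, with
# forms for adding an annotation and for creating a mail report.
#
# Returns 0 on a usage error or when the named incident does not exist
# (after calling reporterr, as the other error path in this file does).
# The return value is otherwise that of the last print.
#
# Side effects: prints HTTP headers and HTML to STDOUT; sets the package
# global %mailtmpl (kept as a global for compatibility with any other
# module that reads it).
sub process {
    require "sisr_utils.pl";
    require "inc_xml.pl";
    my ($input)= shift;
    # Report-and-return is written out explicitly: the old
    # `reporterr(...) && return 0` only returned when reporterr happened to
    # return true, so a false return would have fallen through with a bad
    # argument list.
    unless (@_ == 2) {
        &reporterr("incident_view.pl takes 2 arguments (inc name,inc file), but got:".join(' ',@_),0);
        return 0;
    }

    my ($incname,$incfile)= &arg_to_val($input,@_);

    # print out headers.  $input looks like a CGI.pm object (param(),
    # header(-expires => ...)); CGI.pm's content type option is -type.  The
    # previous -header option was emitted as a stray "Header:" line while the
    # content type silently fell back to the text/html default.
    print $input->header(-type => 'text/html',-expires => '+0d');

    # configfile and _path come straight from the request, as in every
    # pipeline module.  NOTE(review): the config file path flows into
    # get_config_field()/opendir() via get_mail_tmpl_hash(); any restriction
    # on which files may be named as the config has to live in the shared
    # helpers, not here.
    my $configfile= $input->param('configfile');

    # probably really want to get these from the config file
    my($path)= $input->param('_path');

    # get mail template file names and descriptions
    %mailtmpl= &get_mail_tmpl_hash($configfile);

    my $tree= &load_XML_tree($incfile);
    my $inc= &find_incident_named($tree,$incname);
    # A missing incident used to fall through and render a page full of
    # empty fields; report it the same way the argument-count error is.
    unless (defined $inc) {
        &reporterr("incident_view.pl: no incident named $incname in $incfile",0);
        return 0;
    }
    my %attrs= &incident_attrs($inc);
    my($fldsref,$notesref)= &incident_fields_and_notes($inc);
    my(@text_fields)= @{$fldsref};
    my(@notes)= @{$notesref};

    my $created= localtime($attrs{'created'});
    my $setfile= $attrs{'event-set-loc'};
    $setfile =~ s/^file:\/\///;
    # NOTE(review): pipeline specs are space/'|' delimited strings built by
    # interpolation; a set name or file path containing either character
    # would be split into extra arguments or stages.  Whether arg_to_val()
    # or pipeline_submit_url() quote these is not visible from this file.
    my $seturl= &pipeline_submit_url("lab_set_view.pl $attrs{'event-set-name'} $setfile",$path,'configfile' => $configfile);
    my $setfileurl= &pipeline_submit_url("set_list_view.pl $setfile",$path,'configfile' => $configfile);

    # Every value interpolated into the page below is escaped once here.
    # The incident name, creator, alert set name/location and the annotation
    # fields come from the incident XML file (which earlier web forms wrote),
    # and configfile/incname/incfile come from the request itself, so none of
    # them can be trusted to be HTML-safe.  Previously only the text-field
    # values and the annotation bodies were escaped.
    my $h_incname= &_html_escape($incname);
    my $h_created= &_html_escape($created);
    my $h_creator= &_html_escape($attrs{'creator'});
    my $h_setname= &_html_escape($attrs{'event-set-name'});
    my $h_setloc= &_html_escape($attrs{'event-set-loc'});
    my $h_seturl= &_html_escape($seturl);
    my $h_setfileurl= &_html_escape($setfileurl);
    my $h_configfile= &_html_escape($configfile);
    my $h_incfile= &_html_escape($incfile);
    print <<">>";
<HTML>
<HEAD>
    <TITLE>Listing of incident $h_incname</TITLE>
</HEAD>
<BODY bgcolor="#E7DEBD">
<H1>Incident $h_incname</H1>
Incident <B>$h_incname</B> was created on <B>$h_created</B> by <B>$h_creator</B>.
<table border cellpadding = 3><CAPTION>Alert set location and text fields</CAPTION>
    <TR>
        <TH>Field</TH>
        <TH>Value</TH>
    </TR>
    <TR>
        <TD ALIGN=right>Alert set name</TD>
        <TD ALIGN=left><A HREF="$h_seturl">$h_setname</A></TD>
    </TR>
    <TR>
        <TD ALIGN=right>Alert set file location</TD>
        <TD ALIGN=left><A HREF="$h_setfileurl">$h_setloc</A></TD>
    </TR>
>>
    foreach (@text_fields) {
        my($fldname,$descr,$val)= &get_incident_text_field_info($_);
        # the field description is escaped too, not just the value
        my $h_descr= &_html_escape($descr);
        my $h_val= &_html_escape($val);
    print <<">>";
    <TR>
        <TD ALIGN=right>$h_descr</TD>
        <TD ALIGN=left>$h_val</TD>
    </TR>
>>
    }
    print "</table>\n";
    if (@notes) {
        print '<TABLE border CELLPADDING=5><TR ALIGN=center><CAPTION>Annotations</CAPTION><TD><B>Subject</B></TD><TD><B>Author</B></TD><TD><B>Date</B></TD><TD><B>Annotation</B></TD></TR>';
        foreach (@notes) {
            my ($author,$date,$subject,$note)= &get_note_info($_);
            my $h_subject= &_html_escape($subject);
            my $h_author= &_html_escape($author);
            my $h_date= &_html_escape($date);
            my $h_note= &_html_escape($note);
            # line breaks become <BR> only after escaping, so the tag survives
            $h_note =~ s/[\n\r]/<BR>/g;
            print "\n<TR ALIGN=center><TD>$h_subject</TD><TD>$h_author</TD><TD>$h_date</TD><TD>$h_note</TD></TR>";
        }
        print "</table>\n";
    } else {
        print "<P>(No annotations found for $h_incname.)";
    }
    print <<">>";
<HR>
Add an annotation:
>>

    &pipeline_form_start("config_inc_flds_db.pl $configfile \$ifieldinfo \$incfile | add_annotation_to_inc_db.pl \$incfile $incname \$author \$subject \$note | incident_view.pl $incname \$incfile",$path);

    # hidden inputs carry request-supplied values, so they are escaped for
    # the attribute context
    print <<">>";
<INPUT TYPE="hidden" NAME="configfile" VALUE="$h_configfile">
<INPUT TYPE="hidden" NAME="incname" VALUE="$h_incname">

<TABLE>
    <TR><TD align=right>Your name:</TD><TD align=left><INPUT TYPE="text" NAME="author" SIZE="12"></TD></TR>
    <TR><TD align=right>Subject:</TD><TD align=left><INPUT TYPE="text" NAME="subject" SIZE="20"></TD></TR>
    <TR><TD align=right>Note:</TD><TD align=left><TEXTAREA NAME="note" wrap=yes ROWS="6" COLS="60"></TEXTAREA></TD></TR>
</TABLE>
<INPUT TYPE="submit" VALUE="Add Annotation">
<HR>
</FORM>
>>
    # eventually want to add links to save selection, delete set, deleted selected, rename, arrange (listing) by field, etc.

    # link to create report

    #config_alert_set_db.pl $configfile \$setfile | set_list_view.pl \$setfile
    print '<A HREF="inclist.pl?configfile='.&url_encode($configfile),"\">List all incidents</A><P>";

    &pipeline_form_start("parse_mailtempl.pl \$reporttempl | load_inc_fields.pl $incname $incfile | inst_flds.pl mail- |confirm_email.pl \$reporttempl mail-",$path);

    print <<">>";
<INPUT TYPE="hidden" NAME="configfile" VALUE="$h_configfile">
<INPUT TYPE="hidden" NAME="incname" VALUE="$h_incname">
<INPUT TYPE="hidden" NAME="incfile" VALUE="$h_incfile">
Create a report from template: <SELECT NAME="reporttempl">
>>
    # Template paths and descriptions are read from files on disk; the
    # description line is untrusted text.  Sorted so the menu is stable
    # across requests instead of following hash order.
    my $file;
    foreach $file (sort keys %mailtmpl) {
        my $h_file= &_html_escape($file);
        my $h_descr= &_html_escape($mailtmpl{$file});
        print "\t<OPTION VALUE=\"$h_file\"> $h_descr\n";
    }
    print <<">>";
</SELECT>
<INPUT TYPE="submit" VALUE="Create">
</FORM>
</BODY>
</HTML>
>>
}

# _html_escape: return a copy of its single argument with the characters
# that are significant in HTML text and in double- or single-quoted
# attribute values (& < > " ') replaced by entities.  undef is treated as
# the empty string so a missing incident attribute neither warns nor leaks
# through unescaped.
sub _html_escape {
    my $s= shift;
    $s= '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}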
150
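# get_mail_tmpl_hash: map every mail report template under the config's
# 'report-tmpl-dir-mail' directory (full path => description).  The
# description is the remainder of a "Description:" line found in the
# template header, i.e. before the first blank line; when there is none the
# bare file name is used.  Dot files, editor backups (trailing '~') and
# non-regular files are skipped.
#
# Returns the empty list when the directory is not configured.  Dies when
# the directory or one of the template files cannot be opened.
sub get_mail_tmpl_hash {
    my($configfile)= shift;

    my $maildir= &get_config_field($configfile,'report-tmpl-dir-mail');
    # Return an empty list rather than undef: the caller assigns the result
    # to a hash, and (undef) is a one-element list that turned into a hash
    # with a single '' key, which then appeared as a blank template option.
    return () if !defined $maildir || $maildir eq '';
    my %descr_of=();
    # lexical handles so the loop variable and handles no longer leak into
    # package globals ($file, D, F)
    opendir(my $dh,$maildir) || die "could not open mail report directory $maildir";
    # explicit defined(): an entry literally named "0" must not end the loop
    while (defined(my $entry= readdir($dh))) {
        next if $entry =~ /^\./ || ($entry =~ /~$/);
        my $fullpath="$maildir/$entry";
        next unless -f $fullpath; # exclude dirs, etc
        my $descr= $entry;
        # three-argument open: the name comes from a directory listing, so
        # it must never be allowed to choose the open mode
        open(my $fh,'<',$fullpath) || die "could not open mail template file $fullpath";
        while (my $line= <$fh>) {
            last if $line =~ /^\s*$/; # separation
            if ($line =~ s/^Description\s*:\s*//i) {
                $descr= $line;   # keeps its trailing newline, as before
                last;
            }
        }
        close $fh;
        $descr_of{$fullpath}= $descr;
    }
    closedir($dh);
    return %descr_of;
}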
177
# The file's value is a reference to process(); presumably the pipeline
# loader require()s/do()s this file and calls the returned coderef.
\&process;
179
180# $Id: incident_view.pl,v 1.11 2001/10/18 18:23:25 jim Exp $
181