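#!/usr/bin/perl

# set_field_summation.pl, distributed as part of Snortsnarf v021111.1
# Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
# copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
# Released under GNU General Public License, see the COPYING file included
# with the distribution or http://www.silicondefense.com/software/snortsnarf/
# for details.

# set_field_summation.pl is a Pipeline module used to summarize a certain
# field in the events into a string. The distinct values found in that
# field are sorted lexically and joined by commas into a string. These
# events are in the format of the hash created by the event_details
# routine in alertset_xml.pl.
# pipeline args: event details, field to sum, output loc
# side effect: output loc gets set

# Please send complaints, kudos, and especially improvements and bugfixes to
# hoagland@SiliconDefense.com. As described in GNU General Public License, no
# warranty is expressed for this program.

use strict;
use warnings;

# process($input, $events_arg, $field_arg, $outloc)
#
# Pipeline entry point.  $input is the pipeline's input record, passed
# through unchanged to arg_to_val() and write_out_to_arg() (both supplied by
# sisr_utils.pl).  The remaining three arguments are resolved by arg_to_val()
# to an array ref of event hashes and the name of the field to summarize;
# the last one names the output location (file or envvar) that receives the
# comma-joined, lexically sorted list of distinct field values.
#
# Returns 0 (after reporting via reporterr) when the argument count is wrong;
# otherwise returns whatever write_out_to_arg() returns.
sub process {
    # NOTE(review): a bare relative require resolves through @INC, which on
    # older perls includes the current directory, so the working directory
    # must be trusted when this module is loaded; an absolute or
    # FindBin-based path would remove that dependency.
    require "sisr_utils.pl";
    my ($input) = shift;

    # The original chained this as `... || (reporterr(...) && return 0)`,
    # which only returned when reporterr() happened to return true; the
    # argument-count failure must always stop processing.
    unless (@_ == 3) {
        reporterr("set_field_summation.pl takes 3 arguments (event details,field to sum,output file/envvar), but got:".join(' ',@_),0);
        return 0;
    }
    my $outloc = pop(@_);

    my ($events, $fld) = arg_to_val($input, @_);

    # Count each distinct value of $fld; events lacking the field are
    # recorded under a sentinel so they still show up in the summary.
    # An undefined $events (nothing resolved) is treated as an empty list.
    my %count_of = ();
    for my $event (@{ $events || [] }) {
        my $val = defined($event->{$fld}) ? $event->{$fld} : '*undef*';
        $count_of{$val}++;
    }
    my $summ = join(',', sort keys %count_of);

    return write_out_to_arg($input, $outloc, $summ);
}

# The file's value when loaded with do/require: the pipeline stage itself.
\&process;

# $Id: set_field_summation.pl,v 1.11 2001/10/18 18:23:25 jim Exp $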