1#!/usr/bin/perl
2
3# set_flags.pl, distributed as part of Snortsnarf v021111.1
4# Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
5# copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
6# Released under GNU General Public License, see the COPYING file included
7# with the distribution or http://www.silicondefense.com/software/snortsnarf/
8# for details.
9
# set_flags.pl is a Pipeline module used to summarize the FLAGS field of the events into a string.  The distinct values found in that
#   field are made easily human readable, sorted lexically and joined by commas into a string.  Events with that field empty are ignored.  These
#   events are in the format of the hash created by the event_details
#   routine in alertset_xml.pl.
14# pipeline args: event details,output loc
15# side effect: output loc gets set
16
17# Please send complaints, kudos, and especially improvements and bugfixes to
18# hoagland@SiliconDefense.com.  As described in GNU General Public License, no
19# warranty is expressed for this program.
20
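# Pipeline stage: summarise the distinct FLAGS values of a list of events
# into one comma-separated string and store it at the output location.
#
# Args (in @_): the pipeline input, followed by exactly two pipeline args:
#   the event details (resolved through arg_to_val to an array ref of event
#   hashes) and the output location (file or environment variable).
# Returns: 0, after reporting the error, when the argument count is wrong;
#   otherwise whatever write_out_to_arg returns.
# Side effect: the output location is set to the summary string.
sub process {
    require "sisr_utils.pl";
    my ($input) = shift;
    # Always bail out on a bad argument count.  The previous form chained
    # "reporterr(...) && return 0", which fell through into the body
    # whenever reporterr returned a false value.
    if (@_ != 2) {
        &reporterr("set_flags.pl takes 2 arguments (event details,output file/envvar), but got:".join(' ',@_),0);
        return 0;
    }
    my $outloc = pop(@_);

    my ($events) = &arg_to_val($input,@_);

    # Count each distinct human-readable flags string; only the set of keys
    # is reported, the counts are not used.
    my %vals = ();
    foreach my $event (@{$events}) {
        my $flags = $event->{'FLAGS'};
        # Events with no FLAGS value, or an empty one, contribute nothing.
        # An empty string would otherwise yield an empty key and a leading
        # comma in the summary.
        next unless defined($flags) && length($flags);
        $vals{ _flags_to_string($flags) }++;
    }

    my $summ = join(',', sort keys %vals);

    return &write_out_to_arg($input,$outloc,$summ);
}

# Translate one raw Snort FLAGS field into its human-readable form.
# The all-asterisk value (no bits set) becomes 'NULL'; this used to be
# assigned to an unrelated %alert hash, so '********' was reported verbatim.
# Otherwise each set bit is named, in S,F,R,P,A,U,1,2 order, and the names
# are joined with '-'.
sub _flags_to_string {
    my ($raw) = @_;
    return 'NULL' if $raw eq '********';
    my @names = ();
    push(@names, 'SYN')  if $raw =~ /S/;
    push(@names, 'FIN')  if $raw =~ /F/;
    push(@names, 'RST')  if $raw =~ /R/;
    push(@names, 'PSH')  if $raw =~ /P/;
    push(@names, 'ACK')  if $raw =~ /A/;
    push(@names, 'URG')  if $raw =~ /U/;
    push(@names, 'RES1') if $raw =~ /1/;
    push(@names, 'RES2') if $raw =~ /2/;
    return join('-', @names);
}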
57
# The file's last expression is a reference to process(), so whoever loads
# this module (presumably via do/require) receives the pipeline callback.
\&process;
59
60# $Id: set_flags.pl,v 1.8 2001/10/18 18:23:25 jim Exp $
61