#!/usr/bin/perl
# inc_xml.pl, distributed as part of Snortsnarf v020516.1
# Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
# copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
# Released under GNU General Public License, see the COPYING file included
# with the distribution or http://www.silicondefense.com/software/snortsnarf/
# for details.
# inc_xml.pl contains useful functions in working with the incident
# database XML.
# Please send complaints, kudos, and especially improvements and bugfixes to
# hoagland@SiliconDefense.com. As described in GNU General Public License, no
# warranty is expressed for this program.
require "xml_help.pl";
# if given an exisiting tree, returns it. If given undef creates a new
# incidents tree.
sub create_tree_unless_exists {
my($tree)= shift;
if (defined($tree) && @$tree) {
return $tree;
} else {
return ['INCIDENTS',[{}]];
}
}
# return all INCIDENT entries in the tree
sub get_all_incidents {
my($tree)= @_;
my(@incs)= ();
my @content= @{$tree->[1]};
shift @content; # ignore INCIDENTS attrs
while (@content) {
my $tagname=shift(@content);
my $content=shift(@content);
next unless $tagname eq 'INCIDENT'; # should always be this actually
push(@incs,$content);
}
return @incs;
}
# add an incident to the tree with the given name, creator, set name and set location
sub add_incident {
my($tree,$incname,$creator,$setname,$setloc)= @_;
my $inctree=[{'name' => $incname, 'creator' => $creator, 'event-set-name' => $setname, 'event-set-loc' => $setloc, 'created' => time()}];
push(@{$tree->[1]},'INCIDENT',$inctree);
return $inctree;
}
# find the incident with the given name in the tree
sub find_incident_named {
my($tree,$incname)= @_;
my @content= @{$tree->[1]};
shift @content; # ignore INCIDENTS attrs
while (@content) {
my $tagname=shift(@content);
my $content=shift(@content);
next unless $tagname eq 'INCIDENT'; # should always be this actually
my @inc_trees= @{$content};
my %inc_attrs= %{shift(@inc_trees)};
return $content if $inc_attrs{'name'} eq $incname;
}
return undef;
}
# return the attributes of the given incident
sub incident_attrs {
my($inctree)= shift;
return %{$inctree->[0]};
}
# return two references, one to a list of TEXT-FIELDs in a incident tree and
# the other to a list of NOTEs in the tree
sub incident_fields_and_notes {
my($tree)= @_;
return undef unless defined($tree);
my(@fields)= ();
my(@notes)= ();
my @content= @{$tree};
shift @content; # ignore INCIDENTS attrs
while (@content) {
my $tagname=shift(@content);
my $content=shift(@content);
if ($tagname eq 'TEXT-FIELD') {
push(@fields,$content);
} elsif ($tagname eq 'NOTE') {
push(@notes,$content);
}
}
return (\@fields,\@notes);
}
# adds a text field wiht the given name, description and value to a given
# incident
sub add_text_field_to_incident {
my($incroot,$name,$descr,$val)= @_;
push(@{$incroot},'TEXT-FIELD',[
{'name' => $name, 'descr' => $descr},
0,$val
]);
}
# adds a new note with the given author, subject and text and the current time
# to the given incident
sub add_note_to_incident {
my($incroot,$author,$subject,$note)= @_;
my(@t)=localtime(time());
my $date=($t[5]+1900)."/".($t[4]+1)."/$t[3]";
push(@{$incroot},'NOTE',[
{'author' => $author, 'date' => $date, 'subject' => $subject},
0,$note
]);
}
# given an reference to an entry for a field (such as that returned by
# incident_fields_and_notes()), return its name, description, and text content
sub get_incident_text_field_info {
my($fieldtree)= shift;
my @content= @{$fieldtree};
my %attrs= %{shift @content};
return ($attrs{'name'},$attrs{'descr'},$content[1]);
}
# given an reference to an entry for a NOTE (such as that returned by
# incident_fields_and_notes()), return its author, date, subject, and text
sub get_note_info {
my($notetree)= shift;
my @content= @{$notetree};
my %attrs= %{shift @content};
return ($attrs{'author'},$attrs{'date'},$attrs{'subject'},$content[1]);
}
1;
# $Id: inc_xml.pl,v 1.2 2000/06/14 18:39:47 jim Exp $
