
#!/usr/bin/perl

# extr_alerts.pl, distributed as part of Snortsnarf v011601.1
# Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
# copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
# Released under GNU General Public License, see the COPYING file included
# with the distribution or http://www.silicondefense.com/snortsnarf/ for
# details.

# extr_alerts.pl is a Pipeline module that extracts the alerts chosen on the
#   form created by sel_to_add.pl.  This involves loading the selected alerts
#   from files and parsing them.
# pipeline args: alerts (fileid:number;fileid:number), file info fields
#   prefix (for mapping prefix_<fileid> to [file format,path]), output loc
# side effect: the parsed alerts indicated are stored in the output loc

# Please send complaints, kudos, and especially improvements and bugfixes to
# hoagland@SiliconDefense.com.  As described in GNU General Public License, no
# warranty is expressed for this program.

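# process: Pipeline entry point.  Reads the selected alert locations and the
# per-file info fields from the form input, parses the selected alerts, and
# writes the parsed list to the output location.
# args: $input (an object with a param method; called both with and without
#   a field name), followed by exactly three pipeline args: the alert
#   locations string ("fileid:number;fileid:number"), the file info field
#   prefix, and the output field/envvar name
# returns: 0 after reporting an argument-count error; otherwise the value of
#   the final write_out_to_arg call
sub process {
	require "sisr_utils.pl";
	require "snort_alert_parse.pl";
	my ($input)= shift;
	# Report and bail out on a bad argument count.  Written as a statement
	# rather than an ||/&& chain so the early return no longer depends on
	# whether reporterr happens to return a true value.
	unless (@_ == 3) {
		reporterr("extr_alerts.pl takes 3 arguments (alert locations,file info fields prefix,output field/envvar), but got:".join(' ',@_),0);
		return 0;
	}
	my ($outloc)= pop;

	my ($alertlocs,$info_field_prefix)= arg_to_val($input,@_);

	# Build fileid => [file format, path] from every form field whose name
	# starts with the prefix.  The prefix itself comes from the form, so it
	# is quoted with \Q...\E and matched as a literal string, not as a regex.
	my %file_info= ();
	foreach my $fld ($input->param) {
		next unless $fld =~ /^\Q$info_field_prefix\E/;
		my $file= $fld;
		$file =~ s/^\Q$info_field_prefix\E//;
		# [file format, path]; split at most once so a path containing a
		# comma is kept whole.
		# NOTE(review): the path element is client-supplied and is handed to
		# get_alerts_parsed below -- confirm that it is restricted to the
		# intended alert-file directory there.
		$file_info{$file}= [split(',',$input->param($fld),2)];
	}

	my @alerts= get_alerts_parsed(split(';',$alertlocs),\%file_info);

	write_out_to_arg($input,$outloc,\@alerts);
};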

# The file's last evaluated value is the code ref for process, so loading this
# module with require/do yields the pipeline entry point as its return value
# (presumably how the pipeline wires modules in -- verify against the loader).
\&process;

# $Id: extr_alerts.pl,v 1.10 2001/01/17 01:07:23 jim Exp $