#!/usr/bin/perl
# incident_view.pl, distributed as part of Snortsnarf v020516.1
# Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com)
# copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/)
# Released under GNU General Public License, see the COPYING file included
# with the distribution or http://www.silicondefense.com/software/snortsnarf/
# for details.
# incident_view.pl is a Pipeline module to take an incident name and a path
# to an incident file and show the incident on the browser
# pipeline args: incident name, incident file
# side effect: displayes HTML on browser
# Please send complaints, kudos, and especially improvements and bugfixes to
# hoagland@SiliconDefense.com. As described in GNU General Public License, no
# warranty is expressed for this program.
sub process {
require "sisr_utils.pl";
require "inc_xml.pl";
my ($input)= shift;
@_ == 2 || (&reporterr("incident_view.pl takes 2 arguments (inc name,inc file), but got:".join(' ',@_),0) && return 0);
my ($incname,$incfile)= &arg_to_val($input,@_);
# print out headers
print $input->header(-header => 'text/html',-expires => '+0d');
my $configfile= $input->param('configfile');
# probably really want to get these from the config file
my($path)= $input->param('_path');
# get mail template file names and descriptions
%mailtmpl= &get_mail_tmpl_hash($configfile);
my $tree= &load_XML_tree($incfile);
my $inc= &find_incident_named($tree,$incname);
# should check if $inc= undef; indicates there is no such incident
my %attrs= &incident_attrs($inc);
my($fldsref,$notesref)= &incident_fields_and_notes($inc);
my(@text_fields)= @{$fldsref};
my(@notes)= @{$notesref};
my $created= localtime($attrs{'created'});
my $setfile= $attrs{'event-set-loc'};
$setfile =~ s/^file:\/\///;
my $seturl= &pipeline_submit_url("lab_set_view.pl $attrs{'event-set-name'} $setfile",$path,'configfile' => $configfile);
my $setfileurl= &pipeline_submit_url("set_list_view.pl $setfile",$path,'configfile' => $configfile);
print <<">>";
<HTML>
<HEAD>
<TITLE>Listing of incident $incname</TITLE>
</HEAD>
<BODY bgcolor="#E7DEBD">
<H1>Incident $incname</H1>
Incident <B>$incname</B> was created on <B>$created</B> by <B>$attrs{'creator'}</B>.
<table border cellpadding = 3><CAPTION>Alert set location and text fields</CAPTION>
<TR>
<TH>Field</TH>
<TH>Value</TH>
</TR>
<TR>
<TD ALIGN=right>Alert set name</TD>
<TD ALIGN=left><A HREF="$seturl">$attrs{'event-set-name'}</A></TD>
</TR>
<TR>
<TD ALIGN=right>Alert set file location</TD>
<TD ALIGN=left><A HREF="$setfileurl">$attrs{'event-set-loc'}</A></TD>
</TR>
>>
my($fldname,$descr,$val);
foreach (@text_fields) {
($fldname,$descr,$val)= &get_incident_text_field_info($_);
$val =~ s/\&/&/g;
$val =~ s/\</</g;
$val =~ s/\>/>/g;
$val =~ s/\"/"/g;
print <<">>";
<TR>
<TD ALIGN=right>$descr</TD>
<TD ALIGN=left>$val</TD>
</TR>
>>
}
print "</table>\n";
if (@notes) {
print '<TABLE border CELLPADDING=5><TR ALIGN=center><CAPTION>Annotations</CAPTION><TD><B>Subject</B></TD><TD><B>Author</B></TD><TD><B>Date</B></TD><TD><B>Annotation</B></TD></TR>';
foreach (@notes) {
my ($author,$date,$subject,$note)= &get_note_info($_);
$note =~ s/\&/&/g;
$note =~ s/\</</g;
$note =~ s/\>/>/g;
$note =~ s/\"/"/g;
$note =~ s/[\n\r]/\<BR\>/g;
print "\n<TR ALIGN=center><TD>$subject</TD><TD>$author</TD><TD>$date</TD><TD>$note</TD></TR>";
}
print "</table>\n";
} else {
print "<P>(No annotations found for $incname.)";
}
print <<">>";
<HR>
Add an annotation:
>>
&pipeline_form_start("config_inc_flds_db.pl $configfile \$ifieldinfo \$incfile | add_annotation_to_inc_db.pl \$incfile $incname \$author \$subject \$note | incident_view.pl $incname \$incfile",$path);
print <<">>";
<INPUT TYPE="hidden" NAME="configfile" VALUE="$configfile">
<INPUT TYPE="hidden" NAME="incname" VALUE="$incname">
<TABLE>
<TR><TD align=right>Your name:</TD><TD align=left><INPUT TYPE="text" NAME="author" SIZE="12"></TD></TR>
<TR><TD align=right>Subject:</TD><TD align=left><INPUT TYPE="text" NAME="subject" SIZE="20"></TD></TR>
<TR><TD align=right>Note:</TD><TD align=left><TEXTAREA NAME="note" wrap=yes ROWS="6" COLS="60"></TEXTAREA></TD></TR>
</TABLE>
<INPUT TYPE="submit" VALUE="Add Annotation">
<HR>
</FORM>
>>
# eventually want to add links to save selection, delete set, deleted selected, rename, arrange (listing) by field, etc.
# link to create report
#config_alert_set_db.pl $configfile \$setfile | set_list_view.pl \$setfile
print '<A HREF="inclist.pl?configfile='.&url_encode($configfile),"\">List all incidents</A><P>";
&pipeline_form_start("parse_mailtempl.pl \$reporttempl | load_inc_fields.pl $incname $incfile | inst_flds.pl mail- |confirm_email.pl \$reporttempl mail-",$path);
print <<">>";
<INPUT TYPE="hidden" NAME="configfile" VALUE="$configfile">
<INPUT TYPE="hidden" NAME="incname" VALUE="$incname">
<INPUT TYPE="hidden" NAME="incfile" VALUE="$incfile">
Create a report from template: <SELECT NAME="reporttempl">
>>
my $file;
foreach $file (keys %mailtmpl) {
print "\t<OPTION VALUE=\"$file\"> $mailtmpl{$file}\n";
}
print <<">>";
</SELECT>
<INPUT TYPE="submit" VALUE="Create">
</FORM>
</BODY>
</HTML>
>>
};
sub get_mail_tmpl_hash {
my($configfile)= shift;
my $maildir= &get_config_field($configfile,'report-tmpl-dir-mail');
return undef if $maildir eq '';
my %hash=();
opendir(D,$maildir) || die "could not open mail report directory $maildir";
while ($file=readdir(D)) {
next if $file =~ /^\./ || ($file =~ /~$/);
my $fullpath="$maildir/$file";
next unless -f $fullpath; # exclude dirs, etc
my $descr= $file;
open(F,"<$fullpath") || die "could not open mail template file $fullpath";
while (<F>) {
last if /^\s*$/; # separation
if (s/^Description\s*:\s*//i) {
$descr= $_;
last;
}
}
close F;
$hash{$fullpath}= $descr;
}
closedir(D);
return %hash;
}
\&process;
# $Id: incident_view.pl,v 1.11 2001/10/18 18:23:25 jim Exp $
