#!/usr/bin/perl # set_flags.pl, distributed as part of Snortsnarf v020516.1 # Author: James Hoagland, Silicon Defense (hoagland@SiliconDefense.com) # copyright (c) 2000 by Silicon Defense (http://www.silicondefense.com/) # Released under GNU General Public License, see the COPYING file included # with the distribution or http://www.silicondefense.com/software/snortsnarf/ # for details. # set_flags.pl is a Pipeline module used summarize the FLAGS field in the events into a string. The distinct values found in that # field are made easily human readable and sorted lexically and joined by commas into a string. Events with that field empty are ignored. These # events are in the format of the hash created by the event_details # routine in alertset_xml.pl. # pipeline args: event details,output loc # side effect: output loc gets set # Please send complaints, kudos, and especially improvements and bugfixes to # hoagland@SiliconDefense.com. As described in GNU General Public License, no # warranty is expressed for this program. sub process { require "sisr_utils.pl"; my ($input)= shift; @_ == 2 || (&reporterr("set_flags.pl takes 2 arguments (event details,output file/envvar), but got:".join(' ',@_),0) && return 0); my $outloc= pop(@_); my ($events)= &arg_to_val($input,@_); my $event; my %vals=(); my $flags; foreach $event (@{$events}) { $flags= $event->{'FLAGS'}; if (defined($flags)) { if ($flags eq '********') { $alert{'flags'}= 'NULL'; } else { @flags= (); push(@flags,'SYN') if $flags =~ /S/; push(@flags,'FIN') if $flags =~ /F/; push(@flags,'RST') if $flags =~ /R/; push(@flags,'PSH') if $flags =~ /P/; push(@flags,'ACK') if $flags =~ /A/; push(@flags,'URG') if $flags =~ /U/; push(@flags,'RES1') if $flags =~ /1/; push(@flags,'RES2') if $flags =~ /2/; $flags= join('-',@flags); } $vals{$flags}++ } } my $summ= join(',',sort keys %vals); &write_out_to_arg($input,$outloc,$summ); }; \&process; # $Id: set_flags.pl,v 1.8 2001/10/18 18:23:25 jim Exp $