From: Stefan Schantl
Date: Wed, 17 Feb 2016 13:29:42 +0000 (+0100)
Subject: Introduce message parser for snort alerts.
X-Git-Tag: 2.0~19^2
X-Git-Url: http://git.ipfire.org/?p=people%2Fstevee%2Fguardian.git;a=commitdiff_plain;h=53a023971f734c0ea15e7ce46acc5b0bd0954076

Introduce message parser for snort alerts.

This currently on IPv4 limited message parser is able to parse and obtain various details from gained snort alerts.

Signed-off-by: Stefan Schantl
---

diff --git a/modules/Parser.pm b/modules/Parser.pm
index 9ec0586..db54cf3 100644
--- a/modules/Parser.pm
+++ b/modules/Parser.pm
@@ -71,12 +71,58 @@ sub IsSupportedParser ($) {
 ## This subfunction is responsible for parsing sort alerts and determine if
 ## an action should be performed.
 #
-sub message_parser_snort($) {
+## XXX Currently the parser only supports IPv4. Add support for IPv6 at a
+## later time.
+#
+sub message_parser_snort(@) {
 my @message = @_;
- # XXX
- # Currently this parser just returns a simple message.
- return "$message[0] SNORT A simple Snort Message";
+ # The name of the parser module.
+ my $name = "SNORT";
+
+ # Variable to store the grabbed IP-address.
+ my $address;
+
+ # Default returned message in case no one could be grabbed
+ # from the snort alert.
+ my $message = "An active snort rule has matched and gained an alert.";
+
+ # A snort alert contains multiple lines, loop through all lines
+ # to parse the complete alert.
+ foreach my $line (@message) {
+ # Check Priority Level and skip the alert if it is to low.
+ #if ($line =~ /.*\[Priority: (\d+)\].*/) {
+ # return unless($1 < $priority);
+ #}
+
+ # Search for a line like xxx.xxx.xxx.xxx -> xxx.xxx.xxx.xxx
+ if ($line =~ /(\d+\.\d+\.\d+\.\d+)+ -\> (\d+\.\d+\.\d+\.\d+)+/) {
+ # Store the grabbed IP-address.
+ $address = $1;
+ }
+
+ # Search for a line like xxx.xxx.xxx.xxx:xxx -> xxx.xxx.xxx.xxx:xxx
+ elsif ($line =~ /(\d+\.\d+\.\d+\.\d+):\d+ -\> (\d+\.\d+\.\d+\.\d+):\d+/) {
+ # Store the obtained IP-address.
+ $address = $1;
+ }
+
+ # Obtain the reported reason.
+ if ($line =~ /.*msg:\"(.*)\".*/) {
+ # Store the extracted message.
+ $message = $1;
+ }
+ }
+
+ # Check if at least the IP-address information are obtained from the
+ # provided alert.
+ if ($address) {
+ # Return the extracted values.
+ return "$address $name $message";
+ }
+
+ # If we got here, the alert could not be parsed correctly, return nothing.
+ return;
 }
 1;
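Review bot: The message capture in `if ($line =~ /.*msg:\"(.*)\".*/)` is greedy, so on a line that carries any further double quote after the message text the extracted `$message` runs to the last quote on the line and swallows the intervening fields; `if ($line =~ /msg:"([^"]*)"/)` takes exactly the quoted text. The two address branches can be collapsed into one pattern, since they differ only by an optional port, e.g. `if ($line =~ /(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> (\d{1,3}(?:\.\d{1,3}){3})/) {` — in the current patterns the trailing `+` after each capture group repeats the whole group rather than a digit and should be dropped, and `\>` needs no escape. Both branches always return the left-hand (source) address; if the caller acts on the returned address, an alert raised on traffic leaving the protected network would name the internal host rather than the remote peer, so either a direction check or a header comment stating that the left-hand address is the intended one seems worth adding. The sub's header comment could also state the returned format, `"<address> SNORT <message>"`, and that an empty list means the alert could not be parsed, since callers must distinguish the two.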