NAME
Lilith - Work with Suricata/Sagan EVE logs and PostgreSQL.
VERSION
Version 1.0.0
SYNOPSIS
    use strict;
    use warnings;
    use File::Slurp qw(read_file);
    use TOML qw(from_toml);
    use Lilith;

    # path to the TOML config; this value is only an example
    my $config_file = '/usr/local/etc/lilith.toml';

    my $toml_raw = read_file($config_file) or die 'Failed to read "' . $config_file . '"';
    my ( $toml, $err ) = from_toml($toml_raw);
    unless ($toml) {
        die "Error parsing toml,'" . $config_file . "'" . $err;
    }

    my $lilith = Lilith->new(
        dsn  => $toml->{dsn},
        user => $toml->{user},
        pass => $toml->{pass},
    );

    # make sure the alert tables exist before processing starts
    $lilith->create_tables;

    # every key whose value is a hash describes an EVE file to follow
    my %files;
    foreach my $item ( keys( %{$toml} ) ) {
        if ( ref( $toml->{$item} ) eq "HASH" ) {
            $files{$item} = $toml->{$item};
        }
    }

    $lilith->run( files => \%files, );
FUNCTIONS
new
Initiates it.
    my $lilith = Lilith->new(
        dsn  => $toml->{dsn},
        user => $toml->{user},
        pass => $toml->{pass},
    );
The args taken by this are as below.
- dsn :: The DSN to use with DBI.
- suricata :: Name of the table for Suricata alerts.
    Default :: suricata_alerts
- user :: Name for use with DBI for the DB connection.
    Default :: lilith
- pass :: Password for use with DBI for the DB connection.
    Default :: undef
- sid_ignore :: Array of SIDs to ignore for the extend, for both Suricata and Sagan.
    Default :: undef
- class_ignore :: Array of classes to ignore for the extend, for both Suricata and Sagan.
    Default :: undef
- suricata_sid_ignore :: Array of SIDs to ignore for the extend, for Suricata only.
    Default :: undef
- suricata_class_ignore :: Array of classes to ignore for the extend, for Suricata only.
    Default :: undef
- sagan_sid_ignore :: Array of SIDs to ignore for the extend, for Sagan only.
    Default :: undef
- sagan_class_ignore :: Array of classes to ignore for the extend, for Sagan only.
    Default :: undef
run
Start processing. This method is not expected to return.
    $lilith->run(
        files => {
            foo => {
                type     => 'suricata',
                instance => 'foo-pie',
                eve      => '/var/log/suricata/alerts-pie.json',
            },
            'foo-lae' => {
                type => 'sagan',
                eve  => '/var/log/sagan/alerts-lae.json',
            },
        },
    );
One argument named 'files' is taken, which is a hash of hashes. The keys of each inner hash are below.
- type :: Either 'suricata', 'sagan', or 'cape', depending on the type of the source.
- eve :: Path to the EVE file to read.
- instance :: Instance name. If not specified, the key of the outer hash is used.
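The SYNOPSIS copies every hash-valued TOML key straight into the 'files' hash, so a typo in 'type' or a missing 'eve' only surfaces once run() is already looping. The script below is an added example, not part of Lilith: it parses a constructed TOML config of the same shape, validates each entry against the keys documented for run() before handing the hash over, and makes the key-as-instance fallback explicit. The config contents, file paths and instance names are constructed for the example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use TOML qw(from_toml);

# Constructed config, same layout the SYNOPSIS reads: scalar keys configure
# the DB connection, table-valued keys each describe one EVE file.
my $toml_raw = <<'END_TOML';
dsn = "dbi:Pg:dbname=lilith;host=127.0.0.1"
user = "lilith"
pass = "CHANGE_ME"

[foo]
type = "suricata"
instance = "foo-pie"
eve = "/var/log/suricata/alerts-pie.json"

[foo-lae]
type = "sagan"
eve = "/var/log/sagan/alerts-lae.json"
END_TOML

# the only source types run() documents
my %allowed_types = map { $_ => 1 } qw(suricata sagan cape);

# Turns the parsed config into the hash-of-hashes run() expects, dying on
# entries that run() could not use instead of letting them reach the loop.
sub files_from_toml {
    my ($toml) = @_;
    my %files;
    for my $key ( sort keys %{$toml} ) {
        next unless ref $toml->{$key} eq 'HASH';
        my %entry = %{ $toml->{$key} };

        die "$key: type must be one of suricata, sagan or cape\n"
            unless defined $entry{type} && $allowed_types{ $entry{type} };
        die "$key: eve is required\n" unless defined $entry{eve};

        # run() falls back to the key when instance is not set; do it here
        # so the value is visible before processing starts
        $entry{instance} //= $key;

        # the file may be created later by the sensor, so only warn
        warn "$key: EVE file $entry{eve} is not readable yet\n"
            unless -r $entry{eve};

        $files{$key} = \%entry;
    }
    return \%files;
}

my ( $toml, $err ) = from_toml($toml_raw);
die "Error parsing toml: $err\n" unless $toml;

my $files = files_from_toml($toml);
for my $key ( sort keys %{$files} ) {
    printf "%-8s %-9s %-8s %s\n", $key, $files->{$key}{type},
        $files->{$key}{instance}, $files->{$key}{eve};
}

# The checked hash is what would be passed on:
#   $lilith->run( files => $files );
```

files_from_toml() returns the same structure as the SYNOPSIS loop, so it can replace that loop one-for-one; the only behavioural difference is that an unusable entry stops the script before run() is called.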
create_tables
Just creates the required tables in the DB.
$lilith->create_tables;
extend
    my $return = $lilith->extend(
        go_back_minutes => 5,
    );
get_short_class
Get the short class name for a class.
    my $short_class_name = $lilith->get_short_class($class);
get_short_class_snmp
Get the SNMP short class name for a class. This is the same as the short class name, but with /^\!/ replaced with 'not_'.
    my $snmp_class_name = $lilith->get_short_class_snmp($class);
get_short_class_snmp_list
Gets a list of short SNMP class names.
    my $snmp_classes = $lilith->get_short_class_snmp_list;
    foreach my $item ( @{$snmp_classes} ) {
        print $item . "\n";
    }
search
Searches the specified table and returns an array of found rows.
- table :: 'suricata', 'cape', or 'sagan', depending on the desired table to use. Dies if anything else is specified. The table name used is the one passed to new (if not the default).
    Default :: suricata
- go_back_minutes :: How far back to search, in minutes.
    Default :: 1440
- limit :: Limit on how many rows to return.
    Default :: undef
- offset :: Offset to apply when using limit.
    Default :: undef
- order_by :: Column to order by.
    Default :: timestamp
    Cape Default :: id
- order_dir :: Direction to order in.
    Default :: ASC
Below are simple search items that, if given, will be matched via a basic equality.
- src_ip
- dest_ip
- event_id
- md5
- sha1
- sha256
- subbed_from_ip
    # will become "and src_ip = '192.168.1.2'"
    src_ip => '192.168.1.2',
Below is a list of numeric items. The value taken is an array; any element prefixed with '!' is added as a not-equal match instead of an equality.
- src_port
- dest_port
- gid
- sid
- rev
- id
- size
- malscore
- task
    # will become "and src_port = '22' and src_port != '512'"
    src_port => ['22', '!512'],
Below is a list of string items. For any of these, also passing the same name with a '_like' or '_not' suffix set to a true value modifies the match accordingly, to a LIKE match or a negated match respectively.
- host
- instance_host
- instance
- class
- signature
- app_proto
- in_iface
- url
- url_hostname
- slug
- pkg
    # will become "and host = 'foo.bar'"
    host => 'foo.bar',
    # will become "and class != 'foo'"
    class => 'foo',
    class_not => 1,
    # will become "and instance like '%foo'"
    instance => '%foo',
    instance_like => 1,
    # will become "and instance not like '%foo'"
    instance => '%foo',
    instance_like => 1,
    instance_not => 1,
Below are complex items, which are matched against both the src_ and dest_ column.
- ip
- port
    # will become "and ( src_ip != '192.168.1.2' or dest_ip != '192.168.1.2' )"
    ip => '192.168.1.2',
    # will become "and ( src_port != '22' or dest_port != '22' )"
    port => '22',
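The comments above show the clauses search() generates as literal SQL with the values interpolated. The script below is an added example, not Lilith's own search() implementation: it builds a statement from the same column groups and operators the documentation lists (including the '!=' / 'or' form given for ip and port), but passes every value as a DBI bind parameter and takes table, order_by and order_dir only from fixed lists, since identifiers cannot be bound. The sagan and cape table names, the PostgreSQL interval arithmetic for go_back_minutes and the column whitelist used for ordering are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Column groups as listed in the search() documentation.
my @simple  = qw(src_ip dest_ip event_id md5 sha1 sha256 subbed_from_ip);
my @numeric = qw(src_port dest_port gid sid rev id size malscore task);
my @string  = qw(host instance_host instance class signature app_proto
                 in_iface url url_hostname slug pkg);

# Only the documented table keys are accepted. suricata_alerts is the
# documented default; the sagan and cape names are assumptions.
my %tables = (
    suricata => 'suricata_alerts',
    sagan    => 'sagan_alerts',
    cape     => 'cape_alerts',
);

# Returns ( $where_fragment, \@bind ). The fragment starts with "and" so it
# appends to a query that already has a WHERE clause.
sub build_where {
    my (%args) = @_;
    my ( @sql, @bind );

    # simple items: basic equality
    for my $col (@simple) {
        next unless defined $args{$col};
        push @sql,  "and $col = ?";
        push @bind, $args{$col};
    }

    # numeric items: array, a '!' prefix turns the element into a not-equal
    for my $col (@numeric) {
        next unless defined $args{$col};
        my @values = ref $args{$col} eq 'ARRAY' ? @{ $args{$col} } : ( $args{$col} );
        for my $value (@values) {
            my $op = $value =~ s/^!// ? '!=' : '=';
            die "$col: '$value' is not numeric\n" unless $value =~ /^\d+$/;
            push @sql,  "and $col $op ?";
            push @bind, $value;
        }
    }

    # string items: the _like and _not flags select the operator
    for my $col (@string) {
        next unless defined $args{$col};
        my $op = $args{ $col . '_like' } ? 'like' : '=';
        $op = ( $op eq 'like' ? 'not like' : '!=' ) if $args{ $col . '_not' };
        push @sql,  "and $col $op ?";
        push @bind, $args{$col};
    }

    # complex items: the documented form compares both src_ and dest_
    for my $item (qw(ip port)) {
        next unless defined $args{$item};
        push @sql,  "and ( src_$item != ? or dest_$item != ? )";
        push @bind, $args{$item}, $args{$item};
    }

    return ( join( ' ', @sql ), \@bind );
}

# Builds the full statement: values are placeholders, identifiers come from
# fixed lists, and the search() defaults from the documentation apply.
sub build_query {
    my (%args) = @_;
    my $key   = $args{table} // 'suricata';
    my $table = $tables{$key} or die "unknown table '$key'\n";

    my $order_by  = $args{order_by}  // ( $key eq 'cape' ? 'id' : 'timestamp' );
    my $order_dir = uc( $args{order_dir} // 'ASC' );
    die "order_dir must be ASC or DESC\n" unless $order_dir =~ /^(?:ASC|DESC)$/;
    my %sortable = map { $_ => 1 } ( 'timestamp', @simple, @numeric, @string );
    die "cannot order by '$order_by'\n" unless $sortable{$order_by};

    my ( $where, $bind ) = build_where(%args);
    my $sql = "select * from $table"
        . " where timestamp >= now() - ( ?::int * interval '1 minute' )"
        . " $where order by $order_by $order_dir";
    my @bind = ( $args{go_back_minutes} // 1440, @{$bind} );

    if ( defined $args{limit} ) {
        $sql .= ' limit ?';
        push @bind, $args{limit};
        if ( defined $args{offset} ) {
            $sql .= ' offset ?';
            push @bind, $args{offset};
        }
    }
    return ( $sql, \@bind );
}

# Constructed search mirroring the documented examples above.
my ( $sql, $bind ) = build_query(
    table           => 'suricata',
    go_back_minutes => 60,
    src_ip          => '192.168.1.2',
    src_port        => [ '22', '!512' ],
    class           => 'foo',
    class_not       => 1,
    limit           => 50,
);
print "$sql\n", join( ', ', @{$bind} ), "\n";
```

To run the statement, prepare $sql with DBI and call execute with @{$bind}; the limit and offset values travel as bind parameters too, so a caller-supplied string in either position fails at execute time rather than changing the statement text.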
AUTHOR
Zane C. Bowers-Hadley, <vvelox at vvelox.net>
BUGS
Please report any bugs or feature requests to bug-lilith at rt.cpan.org, or through the web interface at https://rt.cpan.org/NoAuth/ReportBug.html?Queue=Lilith. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
SUPPORT
You can find documentation for this module with the perldoc command.
perldoc Lilith
You can also look for information at:
RT: CPAN's request tracker (report bugs here)
CPAN Ratings
Search CPAN
ACKNOWLEDGEMENTS
LICENSE AND COPYRIGHT
This software is Copyright (c) 2022 by Zane C. Bowers-Hadley.
This is free software, licensed under:
The Artistic License 2.0 (GPL Compatible)