NAME
Lilith - Work with Suricata/Sagan EVE logs and PostgreSQL.
VERSION
Version 0.6.0
SYNOPSIS
use strict;
use warnings;
use File::Slurp;   # read_file
use TOML;          # from_toml, which returns ( $data, $err )
use Lilith;

my $config_file = shift @ARGV;

my $toml_raw = read_file($config_file) or die 'Failed to read "' . $config_file . '"';
my ( $toml, $err ) = from_toml($toml_raw);
unless ($toml) {
    die "Error parsing toml '" . $config_file . "': " . $err;
}

my $lilith = Lilith->new(
    dsn      => $toml->{dsn},
    sagan    => $toml->{sagan},
    suricata => $toml->{suricata},
    user     => $toml->{user},
    pass     => $toml->{pass},
);

$lilith->create_tables;

# every hash-valued top-level key in the config describes an EVE file to follow
my %files;
foreach my $item ( keys( %{$toml} ) ) {
    if ( ref( $toml->{$item} ) eq 'HASH' ) {
        $files{$item} = $toml->{$item};
    }
}

$lilith->run( files => \%files );
FUNCTIONS
new
Creates a new Lilith object.
my $lilith=Lilith->new(
dsn=>$toml->{dsn},
sagan=>$toml->{sagan},
suricata=>$toml->{suricata},
user=>$toml->{user},
pass=>$toml->{pass},
);
The args taken by this are as below.
- dsn :: The DSN to use with DBI.
- sagan :: Name of the table for Sagan alerts.
Default :: sagan_alerts
- suricata :: Name of the table for Suricata alerts.
Default :: suricata_alerts
- cape :: Name of the table for CAPEv2 alerts.
Default :: cape_alerts
- user :: Name for use with DBI for the DB connection.
Default :: lilith
- pass :: pass for use with DBI for the DB connection.
Default :: undef
- sid_ignore :: Array of SIDs to ignore for Suricata and Sagan
for the extend.
Default :: undef
- class_ignore :: Array of classes to ignore for the
extend for Suricata and Sagan
Default :: undef
- suricata_sid_ignore :: Array of SIDs to ignore for Suricata
for the extend.
Default :: undef
- suricata_class_ignore :: Array of classes to ignore for the
extend for Suricata.
Default :: undef
- sagan_sid_ignore :: Array of SIDs to ignore for Sagan for
the extend.
Default :: undef
- sagan_class_ignore :: Array of classes to ignore for the
extend for Sagan.
Default :: undef
run
Start processing. This method is not expected to return.
$lilith->run(
files=>{
foo=>{
type=>'suricata',
instance=>'foo-pie',
eve=>'/var/log/suricata/alerts-pie.json',
},
'foo-lae'=>{
type=>'sagan',
eve=>'/var/log/sagan/alerts-lae.json',
},
},
);
One argument named 'files' is taken and it is a hash of hashes. The keys of each inner hash are below.
- type :: Either 'suricata', 'sagan', or 'cape', depending
on the type it is.
- eve :: Path to the EVE file to read.
- instance :: Instance name. If not specified the key
is used.
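The SYNOPSIS builds the 'files' hash by treating every hash-valued top-level key of the TOML config as an EVE file entry and passing scalars to new(). The following is an added example in Python, not the module's own Perl, that does the same split and adds the checks a deployment would want before calling run(): the documented type allow-list, an absolute 'eve' path, the 'instance' default, and rejection of unknown top-level keys (so a typo such as 'uesr' cannot silently fall back to the default credentials). The config dict is constructed to mirror the run() example above; the DSN in it is an assumption.

```python
"""Build the files hash for Lilith's run() from a parsed TOML config.

Added example (Python, not the module's Perl): mirrors the SYNOPSIS loop that
treats every hash-valued top-level key as an EVE file entry, and adds the
checks run() would otherwise only fail on later."""
import os

# argument names documented for new(); anything else at top level is a typo
NEW_ARGS = {"dsn", "sagan", "suricata", "cape", "user", "pass", "sid_ignore",
            "class_ignore", "suricata_sid_ignore", "suricata_class_ignore",
            "sagan_sid_ignore", "sagan_class_ignore"}
FILE_TYPES = {"suricata", "sagan", "cape"}

# Constructed config: what a TOML parser returns for a file such as
#   dsn = "dbi:Pg:dbname=lilith"      (assumed DSN; any DBI DSN works)
#   user = "lilith"
#   [foo]
#   type = "suricata"
#   instance = "foo-pie"
#   eve = "/var/log/suricata/alerts-pie.json"
#   [foo-lae]
#   type = "sagan"
#   eve = "/var/log/sagan/alerts-lae.json"
SAMPLE_CONFIG = {
    "dsn": "dbi:Pg:dbname=lilith",
    "user": "lilith",
    "foo": {"type": "suricata", "instance": "foo-pie",
            "eve": "/var/log/suricata/alerts-pie.json"},
    "foo-lae": {"type": "sagan", "eve": "/var/log/sagan/alerts-lae.json"},
}


def split_config(toml):
    """Return (new_args, files): hash values are EVE file entries, everything
    else is an argument for new(). Unknown scalar keys are rejected."""
    new_args, files = {}, {}
    for key, value in toml.items():
        if isinstance(value, dict):
            files[key] = value
        elif key in NEW_ARGS:
            new_args[key] = value
        else:
            raise ValueError(f"unknown top-level config key {key!r}")
    return new_args, files


def normalize_files(files):
    """Apply the documented defaults and refuse entries run() cannot use."""
    out = {}
    for key, entry in files.items():
        kind = entry.get("type")
        if kind not in FILE_TYPES:
            raise ValueError(f"{key}: type must be one of {sorted(FILE_TYPES)}, got {kind!r}")
        eve = entry.get("eve")
        if not isinstance(eve, str) or not os.path.isabs(eve):
            raise ValueError(f"{key}: eve must be an absolute path, got {eve!r}")
        # instance defaults to the config key when not given, as documented
        out[key] = {"type": kind, "eve": eve, "instance": entry.get("instance", key)}
    return out


def files_for_run(toml):
    """Config dict in, run()-ready files hash out."""
    _, files = split_config(toml)
    return normalize_files(files)


def is_rejected(toml):
    """True when the config would be refused (used to demonstrate the checks)."""
    try:
        files_for_run(toml)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(split_config(SAMPLE_CONFIG)[0])
    print(files_for_run(SAMPLE_CONFIG))
```

The Perl equivalent is the foreach loop in the SYNOPSIS; the extra checks here are the point, since run() follows whatever paths it is given and a mistyped connection key would otherwise be ignored.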
create_tables
Just creates the required tables in the DB.
$lilith->create_tables;
extend
my $return=$lilith->extend(
go_back_minutes=>5,
);
generate_baphomet_yamls
Generates fastlog parsing YAMLs for baphomet.
One argument is required and that is the dir to write out to.
If there are any errors, it will die.
get_short_class
Get the short class name for a class.
my $short_class_name=$lilith->get_short_class($class);
get_short_class_snmp
Get SNMP short class name for a class. This is the same as the short class name, but with /^\!/ replaced with 'not_'.
my $snmp_class_name=$lilith->get_short_class_snmp($class);
get_short_class_snmp_list
Gets a list of short SNMP class names.
my $snmp_classes=$lilith->get_short_class_snmp_list;
foreach my $item (@{ $snmp_classes }){
print $item."\n";
}
search
Searches the specified table and returns an array of found rows. The args taken are as below.
- table :: 'suricata', 'cape', or 'sagan', depending on the desired table to
use. Will die if anything else is specified. The table name used is
the one passed to new (or the default).
Default :: suricata
- go_back_minutes :: How far back to search in minutes.
Default :: 1440
- limit :: Limit on how many to return.
Default :: undef
- offset :: Offset for when using limit.
Default :: undef
- order_by :: Column to order by.
Default :: timestamp
Cape Default :: id
- order_dir :: Direction to order.
Default :: ASC
Below are simple search items that if given will be matched via a basic equality.
- src_ip
- dest_ip
- event_id
- md5
- sha1
- sha256
- subbed_from_ip
# will become "and src_ip = '192.168.1.2'"
src_ip => '192.168.1.2',
Below are a list of numeric items. The value taken is an array; any element prefixed with '!' is added as a not-equal condition.
- src_port
- dest_port
- gid
- sid
- rev
- id
- size
- malscore
- task
# will become "and src_port = '22' and src_port != '512'"
src_port => ['22', '!512'],
Below are a list of string items. For each of these, a second option named '<item>_like' or '<item>_not' set to a true value switches the match to a LIKE or to a negated comparison respectively.
- host
- instance_host
- instance
- class
- signature
- app_proto
- in_iface
- url
- url_hostname
- slug
- pkg
# will become "and host = 'foo.bar'"
host => 'foo.bar',
# will become "and class != 'foo'"
class => 'foo',
class_not => 1,
# will become "and instance like '%foo'"
instance => '%foo',
instance_like => 1,
# will become "and instance not like '%foo'"
instance => '%foo',
instance_like => 1,
instance_not => 1,
Below are complex items.
- ip :: Matches either src_ip or dest_ip.
- port :: Matches either src_port or dest_port.
# will become "and ( src_ip = '192.168.1.2' or dest_ip = '192.168.1.2' )"
ip => '192.168.1.2'
# will become "and ( src_port = '22' or dest_port = '22' )"
port => '22'
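The comments above show the search options as literal SQL fragments. The block below is an added example in Python, not the module's Perl and not its actual query text, that implements the same documented semantics (simple equality, numeric arrays with a '!' prefix, string items with the '_like' and '_not' flags, the ip and port complex items, go_back_minutes, order_by, limit and offset) the way a practitioner would want them built: every value travels as a ? bind parameter, and the identifiers that cannot be bound (table, order_by, order_dir) are checked against fixed allow-lists. It then runs the result against an in-memory SQLite table of three constructed alerts. The table columns, the sample rows and the injectable `now` clock are assumptions for the demonstration.

```python
"""Parameterised search-clause builder for the documented Lilith search() options.
Added example in Python, not the module's code: values only travel as ? bind
parameters, identifiers are allow-listed, and the result is run against a small
SQLite table of constructed alerts."""
import sqlite3
from datetime import datetime, timedelta, timezone

TABLES = {"suricata": "suricata_alerts", "sagan": "sagan_alerts", "cape": "cape_alerts"}
SIMPLE = {"src_ip", "dest_ip", "event_id", "md5", "sha1", "sha256", "subbed_from_ip"}
NUMERIC = {"src_port", "dest_port", "gid", "sid", "rev", "id", "size", "malscore", "task"}
STRING = {"host", "instance_host", "instance", "class", "signature", "app_proto",
          "in_iface", "url", "url_hostname", "slug", "pkg"}
COLUMNS = SIMPLE | NUMERIC | STRING | {"timestamp"}   # the only legal order_by values


def _num(text):
    """Numeric items arrive as strings ('22', '512'); anything non-numeric raises."""
    text = str(text)
    return float(text) if "." in text else int(text)


def build_search(table="suricata", go_back_minutes=1440, limit=None, offset=None,
                 order_by=None, order_dir="ASC", now=None, **opts):
    """Return (sql, params) for the documented options; `now` is injectable for tests."""
    if table not in TABLES:
        raise ValueError(f"unknown table {table!r}")
    order_by = order_by or ("id" if table == "cape" else "timestamp")
    if order_by not in COLUMNS or order_dir.upper() not in ("ASC", "DESC"):
        raise ValueError("order_by must be a known column and order_dir ASC or DESC")
    now = now or datetime.now(timezone.utc)
    cutoff = (now - timedelta(minutes=int(go_back_minutes))).isoformat()
    where, params = ["timestamp >= ?"], [cutoff]

    mods = {k for k in opts if k.endswith(("_like", "_not"))}   # flags, not columns
    for mod in mods:
        base = mod.rsplit("_", 1)[0]
        if base not in STRING or base not in opts:
            raise ValueError(f"{mod!r} needs a matching string item")
    for key in (k for k in opts if k not in mods):              # dict order: stable SQL
        val = opts[key]
        if key in SIMPLE:
            where.append(f"{key} = ?")
            params.append(val)
        elif key in NUMERIC:
            for item in map(str, val if isinstance(val, (list, tuple)) else [val]):
                neg = item.startswith("!")
                where.append(f"{key} {'!=' if neg else '='} ?")
                params.append(_num(item[1:] if neg else item))
        elif key in STRING:
            like, neg = opts.get(f"{key}_like"), opts.get(f"{key}_not")
            op = ("NOT LIKE" if neg else "LIKE") if like else ("!=" if neg else "=")
            where.append(f"{key} {op} ?")
            params.append(val)
        elif key in ("ip", "port"):
            v = val if key == "ip" else _num(val)
            where.append(f"( src_{key} = ? OR dest_{key} = ? )")
            params += [v, v]
        else:
            raise ValueError(f"unknown search option {key!r}")

    sql = (f"SELECT * FROM {TABLES[table]} WHERE " + " AND ".join(where)
           + f" ORDER BY {order_by} {order_dir.upper()}")
    if limit is not None:
        sql += " LIMIT ?"
        params.append(int(limit))
        if offset is not None:          # OFFSET is only meaningful with LIMIT
            sql += " OFFSET ?"
            params.append(int(offset))
    return sql, params


NOW = datetime(2022, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed clock for the sample
SAMPLE_ROWS = [  # constructed alerts, not real traffic; columns as in open_sample_db()
    ("2022-06-01T11:58:00+00:00", "foo-pie", "sensor1", "Attempted Administrator Privilege Gain",
     "ET EXPLOIT sample", "192.168.1.2", 51000, "10.0.0.5", 22, 2001),
    ("2022-06-01T11:59:00+00:00", "foo-pie", "sensor1", "Misc activity",
     "ET INFO sample", "10.0.0.5", 512, "192.168.1.2", 22, 2002),
    ("2022-06-01T09:00:00+00:00", "bar-pie", "sensor2", "Misc activity",
     "ET INFO sample", "192.168.1.2", 22, "10.0.0.9", 443, 2003),
]


def open_sample_db():
    """In-memory SQLite stand-in for the suricata_alerts table (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE suricata_alerts (id INTEGER PRIMARY KEY, timestamp TEXT,"
               " instance TEXT, host TEXT, class TEXT, signature TEXT, src_ip TEXT,"
               " src_port INTEGER, dest_ip TEXT, dest_port INTEGER, sid INTEGER)")
    db.executemany("INSERT INTO suricata_alerts (timestamp, instance, host, class, signature,"
                   " src_ip, src_port, dest_ip, dest_port, sid) VALUES (?,?,?,?,?,?,?,?,?,?)",
                   SAMPLE_ROWS)
    return db


def search_sids(db, **kw):
    """Run a search and return the matching SIDs in result order."""
    sql, params = build_search(**kw)
    return [row["sid"] for row in db.execute(sql, params)]


def rejects(**kw):
    """True when build_search refuses the options."""
    try:
        build_search(**kw)
        return False
    except ValueError:
        return True
```

Because 'class' is a Python keyword, pass that item as `**{"class": "Misc activity", "class_not": True}`. The order_by check matters more than it looks: a column name cannot be a bind parameter, so an unchecked order_by is the one place where a caller-supplied string would be spliced straight into the statement.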
AUTHOR
Zane C. Bowers-Hadley, <vvelox at vvelox.net>
BUGS
Please report any bugs or feature requests to bug-lilith at rt.cpan.org, or through the web interface at https://rt.cpan.org/NoAuth/ReportBug.html?Queue=Lilith. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.
SUPPORT
You can find documentation for this module with the perldoc command.
perldoc Lilith
You can also look for information at:
RT: CPAN's request tracker (report bugs here)
CPAN Ratings
Search CPAN
ACKNOWLEDGEMENTS
LICENSE AND COPYRIGHT
This software is Copyright (c) 2022 by Zane C. Bowers-Hadley.
This is free software, licensed under:
The Artistic License 2.0 (GPL Compatible)