NAME

Lilith - Work with Suricata/Sagan EVE logs and PostgreSQL.

VERSION

Version 0.6.0

SYNOPSIS

my $toml_raw = read_file($config_file) or die 'Failed to read "' . $config_file . '"';
my ( $toml, $err ) = from_toml($toml_raw);
unless ($toml) {
    die "Error parsing toml,'" . $config_file . "'" . $err;
}

 my $lilith=Lilith->new(
                        dsn=>$toml->{dsn},
                        sagan=>$toml->{sagan},
                        suricata=>$toml->{suricata},
                        user=>$toml->{user},
                        pass=>$toml->{pass},
                       );


 $lilith->create_table(
                       dsn=>$toml->{dsn},
                       sagan=>$toml->{sagan},
                       suricata=>$toml->{suricata},
                       user=>$toml->{user},
                       pass=>$toml->{pass},
                      );

my %files;
my @toml_keys = keys( %{$toml} );
my $int       = 0;
while ( defined( $toml_keys[$int] ) ) {
    my $item = $toml_keys[$int];

    if ( ref( $toml->{$item} ) eq "HASH" ) {
            # add the file in question
            $files{$item} = $toml->{$item};
    }

    $int++;
}

$ilith->run(
            files=>\%files,
           );

FUNCTIONS

new

Initiates it.

my $lilith=Lilith->run(
                       dsn=>$toml->{dsn},
                       sagan=>$toml->{sagan},
                       suricata=>$toml->{suricata},
                       user=>$toml->{user},
                       pass=>$toml->{pass},
                      );

The args taken by this are as below.

- dsn :: The DSN to use for with DBI.

- sagan :: Name of the table for Sagan alerts.
  Default :: sagan_alerts

- suricata :: Name of the table for Suricata alerts.
  Default :: suricata_alerts

- cape :: Name of the table for CAPEv2 alerts.
  Default :: cape_alerts

- user :: Name for use with DBI for the DB connection.
  Default :: lilith

- pass :: pass for use with DBI for the DB connection.
  Default :: undef

- sid_ignore :: Array of SIDs to ignore for Suricata and Sagan
                for the extend.
  Default :: undef

- class_ignore :: Array of classes to ignore for the
                  extend for Suricata and Sagan
  Default :: undef

- suricata_sid_ignore :: Array of SIDs to ignore for Suricata
                         for the extend.
  Default :: undef

- suricata_class_ignore :: Array of classes to ignore for the
                           extend for Suricata.
  Default :: undef

- sagan_sid_ignore :: Array of SIDs to ignore for Sagan for
                      the extend.
  Default :: undef

- sagan_class_ignore :: Array of classes to ignore for the
                        extend for Sagan.
  Default :: undef

run

Start processing. This method is not expected to return.

$lilith->run(
             files=>{
                    foo=>{
                          type=>'suricata',
                          instance=>'foo-pie',
                          eve=>'/var/log/suricata/alerts-pie.json',
                          },
                    'foo-lae'=>{
                                type=>'sagan',
                                eve=>'/var/log/sagan/alerts-lae.json',
                                },
                    },
            );

One argument named 'files' is taken and it is hash of hashes. The keys are below.

- type :: Either 'suricata', 'sagan', or 'cape', depending
          on the type it is.

- eve :: Path to the EVE file to read.

- instance :: Instance name. If not specified the key
              is used.

create_tables

Just creates the required tables in the DB.

$lilith->create_tables;

extend

my $return=$lilith->extend(
	                       go_back_minutes=>5,
                          );

generate_baphomet_yamls

Geneartes fastlog parsing YAMLs for baphomet.

One argument is required is required and that is the dir to write out to.

If there are any errors, it will die.

get_short_class

Get SNMP short class name for a class.

my $short_class_name=$lilith->get_short_class($class);

get_short_class_snmp

Get SNMP short class name for a class. This is the same as the short class name, but with /^\!/ replaced with 'not_'.

my $snmp_class_name=$lilith->get_short_class_snmp($class);

get_short_class_snmp_list

Gets a list of short SNMP class names.

my $snmp_classes=$lilith->get_short_class_snmp_list;

foreach my $item (@{ $snmp_classes }){
    print $item."\n";
}

Searches the specified table and returns a array of found rows.

- table :: 'suricata', 'cape', 'sagan' depending on the desired table to
           use. Will die if something other is specified. The table
           name used is based on what was passed to new(if not the
           default).
  Default :: suricata

- go_back_minutes :: How far back to search in minutes.
  Default :: 1440

- limit :: Limit on how many to return.
  Default :: undef

- offset :: Offset for when using limit.
  Default :: undef

- order_by :: Column to order by.
  Default :: timetamp
  Cape Default :: id

- order_dir :: Direction to order.
  Default :: ASC

Below are simple search items that if given will be matched via a basic equality.

- src_ip
- dest_ip
- event_id
- md5
- sha1
- sha256
- subbed_from_ip

# will become "and src_ip = '192.168.1.2'"
src_ip => '192.168.1.2',

Below are a list of numeric items. The value taken is a array and anything prefixed '!' with add as a and not equal.

- src_port
- dest_port
- gid
- sid
- rev
- id
- size
- malscore
- task

# will become "and src_port = '22' and src_port != ''512'"
src_port => ['22', '!512'],

Below are a list of string items. On top of these variables, any of those with '_like' or '_not' will my modified respectively.

- host
- instance_host
- instance
- class
- signature
- app_proto
- in_iface
- url
- url_hostname
- slug
- pkg

# will become "and host = 'foo.bar'"
host => 'foo.bar',

# will become "and class != 'foo'"
class => 'foo',
class_not => 1,

# will become "and instance like '%foo'"
instance => '%foo',
instance_like => 1,

# will become "and instance not like '%foo'"
instance => '%foo',
instance_like => 1,
instance_not => 1,

Below are complex items.

- ip
- port

# will become "and ( src_ip != '192.168.1.2' or dest_ip != '192.168.1.2' )"
ip => '192.16.1.2'

# will become "and ( src_port != '22' or dest_port != '22' )"
port => '22'

AUTHOR

Zane C. Bowers-Hadley, <vvelox at vvelox.net>

BUGS

Please report any bugs or feature requests to bug-lilith at rt.cpan.org, or through the web interface at https://rt.cpan.org/NoAuth/ReportBug.html?Queue=Lilith. I will be notified, and then you'll automatically be notified of progress on your bug as I make changes.

SUPPORT

You can find documentation for this module with the perldoc command.

perldoc Lilith

You can also look for information at:

ACKNOWLEDGEMENTS

LICENSE AND COPYRIGHT

This software is Copyright (c) 2022 by Zane C. Bowers-Hadley.

This is free software, licensed under:

The Artistic License 2.0 (GPL Compatible)