line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package ThreatNet::Filter::Chain; |
2
|
|
|
|
|
|
|
|
3
|
|
|
|
|
|
|
=pod |
4
|
|
|
|
|
|
|
|
5
|
|
|
|
|
|
|
=head1 NAME |
6
|
|
|
|
|
|
|
|
7
|
|
|
|
|
|
|
ThreatNet::Filter::Chain - Create a chain of ThreatNet filters |
8
|
|
|
|
|
|
|
|
9
|
|
|
|
|
|
|
=head1 SYNOPSIS |
10
|
|
|
|
|
|
|
|
11
|
|
|
|
|
|
|
# After stripping junk ips, pass events through a Threat Cache, |
12
|
|
|
|
|
|
|
# and then keep only the events that have occured in an IP range |
13
|
|
|
|
|
|
|
# that we are responsible for. |
14
|
|
|
|
|
|
|
my $Chain = ThreatNet::Filter::Chain->new( |
15
|
|
|
|
|
|
|
ThreatNet::Filter::Junk->new, |
16
|
|
|
|
|
|
|
ThreatNet::Filter::ThreatCache->new, |
17
|
|
|
|
|
|
|
ThreatNet::Filter::Network->new( '202.123.123.0/24' ), |
18
|
|
|
|
|
|
|
); |
19
|
|
|
|
|
|
|
|
20
|
|
|
|
|
|
|
sub process_message { |
21
|
|
|
|
|
|
|
my $Message = shift; |
22
|
|
|
|
|
|
|
|
23
|
|
|
|
|
|
|
unless ( $Chain->keep($Message) ) { |
24
|
|
|
|
|
|
|
return; |
25
|
|
|
|
|
|
|
} |
26
|
|
|
|
|
|
|
|
27
|
|
|
|
|
|
|
print "Threat spotted in our network at " . $Message->ip . "\n"; |
28
|
|
|
|
|
|
|
} |
29
|
|
|
|
|
|
|
|
30
|
|
|
|
|
|
|
=head1 DESCRIPTION |
31
|
|
|
|
|
|
|
|
32
|
|
|
|
|
|
|
C lets you create filters that represent an |
33
|
|
|
|
|
|
|
entire chain of filters. L objects are checked against |
34
|
|
|
|
|
|
|
each individual filter in the same order. |
35
|
|
|
|
|
|
|
|
36
|
|
|
|
|
|
|
A message must pass the C method of each filter to move down the |
37
|
|
|
|
|
|
|
chain. If a message is rejected at a point in chain, filters further down |
38
|
|
|
|
|
|
|
the chain will not see them. This is mainly of importance to stateful |
39
|
|
|
|
|
|
|
filters such as L. |
40
|
|
|
|
|
|
|
|
41
|
|
|
|
|
|
|
It is assumed you don't actual care B filter rejects a message, |
42
|
|
|
|
|
|
|
and as such there is no way to tell this :) |
43
|
|
|
|
|
|
|
|
44
|
|
|
|
|
|
|
=head1 METHODS |
45
|
|
|
|
|
|
|
|
46
|
|
|
|
|
|
|
The methods are the same as for the parent L class, but |
47
|
|
|
|
|
|
|
with a change to the C constructor. |
48
|
|
|
|
|
|
|
|
49
|
|
|
|
|
|
|
=cut |
50
|
|
|
|
|
|
|
|
51
|
3
|
|
|
3
|
|
2508
|
use strict; |
|
3
|
|
|
|
|
7
|
|
|
3
|
|
|
|
|
146
|
|
52
|
3
|
|
|
3
|
|
23
|
use Params::Util '_SET', '_INSTANCE'; |
|
3
|
|
|
|
|
9
|
|
|
3
|
|
|
|
|
229
|
|
53
|
3
|
|
|
3
|
|
17
|
use base 'ThreatNet::Filter'; |
|
3
|
|
|
|
|
5
|
|
|
3
|
|
|
|
|
694
|
|
54
|
|
|
|
|
|
|
|
55
|
3
|
|
|
3
|
|
14
|
use vars qw{$VERSION}; |
|
3
|
|
|
|
|
6
|
|
|
3
|
|
|
|
|
122
|
|
56
|
|
|
|
|
|
|
BEGIN { |
57
|
3
|
|
|
3
|
|
619
|
$VERSION = '0.20'; |
58
|
|
|
|
|
|
|
} |
59
|
|
|
|
|
|
|
|
60
|
|
|
|
|
|
|
=pod |
61
|
|
|
|
|
|
|
|
62
|
|
|
|
|
|
|
=head2 new $Filter [, $Filter, ... ] |
63
|
|
|
|
|
|
|
|
64
|
|
|
|
|
|
|
The C constructor takes a set of (1 or more) L |
65
|
|
|
|
|
|
|
objects, and creates a Filter object that acts as a I<"short-cutting |
66
|
|
|
|
|
|
|
logical AND"> combination of them. |
67
|
|
|
|
|
|
|
|
68
|
|
|
|
|
|
|
Returns a new C object, or C if not |
69
|
|
|
|
|
|
|
provided with the correct params. |
70
|
|
|
|
|
|
|
|
71
|
|
|
|
|
|
|
=cut |
72
|
|
|
|
|
|
|
|
73
|
|
|
|
|
|
|
sub new { |
74
|
1
|
50
|
|
1
|
1
|
6
|
my $class = ref $_[0] ? ref shift : shift; |
75
|
1
|
50
|
|
|
|
38
|
my $filters = _SET([ @_ ], 'ThreatNet::Filter') or return undef; |
76
|
|
|
|
|
|
|
|
77
|
1
|
|
|
|
|
62
|
my $self = $class->SUPER::new; |
78
|
1
|
|
|
|
|
6
|
$self->{filters} = $filters; |
79
|
|
|
|
|
|
|
|
80
|
1
|
|
|
|
|
3
|
$self; |
81
|
|
|
|
|
|
|
} |
82
|
|
|
|
|
|
|
|
83
|
|
|
|
|
|
|
=pod |
84
|
|
|
|
|
|
|
|
85
|
|
|
|
|
|
|
=head2 keep $Message |
86
|
|
|
|
|
|
|
|
87
|
|
|
|
|
|
|
The C method takes a single L object and checks |
88
|
|
|
|
|
|
|
it against each of the child filters in turn, short-cutting if any of |
89
|
|
|
|
|
|
|
them does not want to keep the message. |
90
|
|
|
|
|
|
|
|
91
|
|
|
|
|
|
|
One small note - The C method returns B the same false value |
92
|
|
|
|
|
|
|
it recieves from the child filter, whether that is normal false or C. |
93
|
|
|
|
|
|
|
|
94
|
|
|
|
|
|
|
Returns true if you should keep the message, or false to discard. |
95
|
|
|
|
|
|
|
|
96
|
|
|
|
|
|
|
=cut |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
sub keep { |
99
|
5
|
|
|
5
|
1
|
3667
|
my $self = shift; |
100
|
5
|
100
|
|
|
|
51
|
my $Message = _INSTANCE(shift, 'ThreatNet::Message') or return undef; |
101
|
|
|
|
|
|
|
|
102
|
3
|
|
|
|
|
6
|
foreach my $Filter ( @{$self->{filters}} ) { |
|
3
|
|
|
|
|
9
|
|
103
|
13
|
|
|
|
|
50
|
my $rv = $Filter->keep($Message); |
104
|
13
|
100
|
|
|
|
50
|
return $rv unless $rv; # false or undef |
105
|
|
|
|
|
|
|
} |
106
|
|
|
|
|
|
|
|
107
|
0
|
|
|
|
|
|
1; |
108
|
|
|
|
|
|
|
} |
109
|
|
|
|
|
|
|
|
110
|
|
|
|
|
|
|
1; |
111
|
|
|
|
|
|
|
|
112
|
|
|
|
|
|
|
=pod |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
=head1 SUPPORT |
115
|
|
|
|
|
|
|
|
116
|
|
|
|
|
|
|
All bugs should be filed via the bug tracker at |
117
|
|
|
|
|
|
|
|
118
|
|
|
|
|
|
|
L |
119
|
|
|
|
|
|
|
|
120
|
|
|
|
|
|
|
For other issues, or commercial enhancement and support, contact the author |
121
|
|
|
|
|
|
|
|
122
|
|
|
|
|
|
|
=head1 AUTHORS |
123
|
|
|
|
|
|
|
|
124
|
|
|
|
|
|
|
Adam Kennedy Eadamk@cpan.orgE |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
=head1 SEE ALSO |
127
|
|
|
|
|
|
|
|
128
|
|
|
|
|
|
|
L, L |
129
|
|
|
|
|
|
|
|
130
|
|
|
|
|
|
|
=head1 COPYRIGHT |
131
|
|
|
|
|
|
|
|
132
|
|
|
|
|
|
|
Copyright (c) 2005 Adam Kennedy. All rights reserved. |
133
|
|
|
|
|
|
|
This program is free software; you can redistribute |
134
|
|
|
|
|
|
|
it and/or modify it under the same terms as Perl itself. |
135
|
|
|
|
|
|
|
|
136
|
|
|
|
|
|
|
The full text of the license can be found in the |
137
|
|
|
|
|
|
|
LICENSE file included with this module. |
138
|
|
|
|
|
|
|
|
139
|
|
|
|
|
|
|
=cut |
140
|
|
|
|
|
|
|
|