CAPE-Utils
lib/CAPE/Utils.pm
}
openlog( $sender, 'cons,pid', 'daemon' );
syslog( $level, '%s', $message );
closelog();
} ## end sub log_drek
=head1 CONFIG FILE
The default config file is '/usr/local/etc/cape_utils.ini'.
The defaults are shown below; out of the box they work with CAPEv2 in its
default configuration.
# The DBI dsn to use
dsn=dbi:Pg:dbname=cape
# DB user
user=cape
# DB password
pass=
# the install base for CAPEv2
base=/opt/CAPEv2/
# 0/1 if poetry should be used
poetry=1
# the path for poetry... point this at where poetry is setup for your CAPEv2 install
# defaults to /etc/poetry/bin/poetry to be compatible with new CAPEv2 installs
poetry_path=/etc/poetry/bin/poetry
# 0/1 if fail should be allowed to run without a where statement
fail_all=0
# columns to use for pending table show
pending_columns=id,target,package,timeout,ET,route,options,clock,added_on
# columns to use for running table show
running_columns=id,target,package,timeout,ET,route,options,clock,added_on,started_on,machine
# columns to use for tasks table
task_columns=id,target,package,timeout,ET,route,options,clock,added_on,latest,machine,status
# if the target column for running table display should be clipped to the filename
running_target_clip=1
# if microseconds should be clipped from time for running table display
running_time_clip=1
# if the target column for pending table display should be clipped to the filename
pending_target_clip=1
# if microseconds should be clipped from time for pending table display
pending_time_clip=1
# if the target column for task table display should be clipped to the filename
task_target_clip=1
# if microseconds should be clipped from time for task table display
task_time_clip=1
# default table color
table_color=Text::ANSITable::Standard::NoGradation
# default table border
table_border=ASCII::None
# when submitting use now for the current time
set_clock_to_now=1
# default timeout value for submit
timeout=200
# default value for enforce timeout for submit
enforce_timeout=0
# how to auth for mojo_cape_submit
# ip = match against subnets
# apikey = use apikey
# both = require both to match
# either = either may work
auth=ip
# the API key to use with mojo_cape_submit
#apikey=
# comma separated list of allowed subnets for mojo_cape_submit
subnets=192.168.0.0/16,127.0.0.1/8,::1/128,172.16.0.0/12,10.0.0.0/8
# incoming dir to use for mojo_cape_submit
incoming=/malware/client-incoming
# directory to store JSON data files for submissions received by mojo_cape_submit
# this directory is also used for storing run specific eves
incoming_json=/malware/incoming-json
# Location to write the eve log to.
eve=/opt/CAPEv2/log/eve.json
# how far to go back for processing eve
eve_look_back=360
# malscore for changing the event_type for eve from potential_malware_detonation to alert
malscore=0
=head2 Report Munge Section
INI sections whose names match /^munge\_/ are used for report munging. Each such section requires two values,
'check' and 'munge'.
'check' is the path to a Perl script that is wrapped in an eval and required in order to decide whether the report
should be munged or not.
'munge' is the path to a Perl script that is wrapped in an eval and required in order to do the munging.
Below is an example showing the setup for a single script pair.
[munge_pdf]
check=/usr/local/etc/cape_utils_munge/pdf_check
munge=/usr/local/etc/cape_utils_munge/pdf_munge
If more than one munge section exists, they are run in sorted order.
If a specified path does not start with '/', './', or '../', then '/usr/local/etc/cape_utils_munge/' is
prepended to it.
The scripts are read as evaled strings.
The relevant variables are as below.
- $munge_it :: Perl boolean indicating whether the report should be munged. Should be set by the check script.
- $report :: The hash ref containing the parsed JSON report.
- $changed :: Perl boolean indicating whether the report was changed.
For some examples see the directory 'munge_examples'.
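The check/munge pair described above, as an added example that is not code from CAPE::Utils or its 'munge_examples' directory. The [munge_pdf] scripts are constructed, the report is a constructed stand-in for a CAPEv2 report, and the run_munge harness is an assumption about how the module evaluates the scripts with $report, $munge_it and $changed in scope, written only so the pair can be exercised stand-alone.

```perl
#!/usr/bin/env perl
# Added example (not CAPE::Utils code). Emulates the documented munge loop:
# each script's text is read and evaluated as a string with $report,
# $munge_it and $changed in lexical scope.
use strict;
use warnings;
use JSON;

# Constructed script bodies; on a real install these would be the files at
# the 'check' and 'munge' paths under /usr/local/etc/cape_utils_munge/.
my $check_script = <<'END_CHECK';
# only munge reports whose target was identified as a PDF
$munge_it = ( $report->{target}{file}{type} // '' ) =~ /PDF document/ ? 1 : 0;
END_CHECK

my $munge_script = <<'END_MUNGE';
# add a custom tag, drop a noisy field, and mark the report as changed
push @{ $report->{info}{custom_tags} }, 'munged_pdf';
delete $report->{target}{file}{raw_strings};
$changed = 1;
END_MUNGE

# Harness emulating the loop (an assumption, not the module's own code):
# sections run in sorted order, check decides, munge edits in place.
sub run_munge {
    my ( $report, @sections ) = @_;
    my $changed = 0;
    for my $section ( sort { $a->{name} cmp $b->{name} } @sections ) {
        my $munge_it = 0;
        eval $section->{check};
        warn "check for $section->{name} failed: $@" if $@;
        next unless $munge_it;
        eval $section->{munge};
        warn "munge for $section->{name} failed: $@" if $@;
    }
    return $changed;
}

# constructed minimal report resembling the parsed CAPEv2 JSON report
my $report = decode_json(
    '{"info":{"id":42},"target":{"file":{"name":"invoice.pdf",'
  . '"type":"PDF document, version 1.7","raw_strings":["..."]}}}'
);
my $changed = run_munge( $report,
    { name => 'munge_pdf', check => $check_script, munge => $munge_script } );
print "changed=$changed\n", JSON->new->canonical->pretty->encode($report);
```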
=head1 CAPEv2 lite.json to EVE handling
Tasks are found by looking back X seconds in the tasks table for tasks that have reported.
The amount of time is determined by the config value 'eve_look_back'.
It checks whether a task has already been processed by seeing if a task-specific EVE JSON
file has been created under the 'incoming_json' directory. The file name is in the format $task_id.'eve.json'.
If it does not exist, processing proceeds.