/usr/share/perl5/Lire/WWW/Filename.pm

package Lire::WWW::Filename;

use strict;

use vars qw/$REVISION $VERSION/;

use Lire::WWW::Filename::Attack;

use Carp;

BEGIN {
    $REVISION  = '$Id: Filename.pm,v 1.2 2006/07/23 13:16:36 vanbaal Exp $';
    $VERSION   = "0.1.0";
}

my %customAttackHash = ();
my %compiledAttackHash = ();

# -----------------------------------------------------------------------------
# Functions
# -----------------------------------------------------------------------------

sub new {
     my ($class, %args) = @_;

     my $self = { 'default' => $args{'default'} || "Unknown/No Attack" };
     bless $self, $class;

     return $self;
}

sub setFilename {
    my ($self, $filename) = @_;

    if (defined $filename) {
        $self->{'filename'} = lc($filename);
    }
}

sub getAttack {
    my ($self) = @_;

    my $filename = $self->{'filename'};
    if (defined $filename) {
        # for filenames this speed up might not be useful (FIXME)
        return $self->{'default'} if ($self->{'notInAttackHash'}{$filename});

        if (defined (my $attack = Lire::WWW::Filename::Attack::getAttack($filename))) {
            return $attack;
        } else {
            # check custom hash
            foreach my $key (keys %customAttackHash) {
		my $re = $compiledAttackHash{$key};
                if ($filename =~ /$re/) {
                    return $customAttackHash{$key};
                }
            }
            $self->{'notInAttackHash'}{$filename} = "1";
            return $self->{'default'};
        }
    }
    return undef;
}

sub addAttack {
    my ($self, $code, $value) = @_;

    croak "Must supply both code and value!\n"
      unless $code eq "" || $value eq "";

    $code = lc $code;
    $customAttackHash{$code} = $value;
    $compiledAttackHash{$code} = qr/$code/;
}

sub addAttackHash {
    my ($self, %Attackhash) = @_;

    foreach my $code (keys %Attackhash) {
        $self->addAttack($code, $Attackhash{$code});
    }
}

1;

__END__

=pod

=head1 NAME

Lire::WWW::Filename - analyze filenames

=head1 SYNOPSIS

 use Lire::WWW::Filename;

 my $test_string = "/default.ida?######...";

 my $analyzer = new Lire::WWW::Filename();
 $analyzer->setFilename($test_string);

 print "  Attack: " . $analyzer->getAttack() . "\n";

=head1 DESCRIPTION

This module offers an interface to databases with known information useful in
analyzing filenames as found in Apache logfiles.  One could use it to analyze
attacks on known webserver vulnerabilities, consisting of specially crafted
HTTP GET requests.

It returns "Unknown/No Attack" when no attack could be detected from
the database. You can change that default by specifying a I<default>
parameter when you create the analyzer:

    my $analyzer = new Lire::WWW::Filename( 'default' => "No Attack" );

Optionally, the user can add custom information to the database with
the addX() and addXHash() functions.

=head1 SEE ALSO

Lire::Extensions::WWW::AttackSchema(3)

=head1 VERSION

$Id: Filename.pm,v 1.2 2006/07/23 13:16:36 vanbaal Exp $

=head1 COPYRIGHT

Copyright (C) 2001  Stichting LogReport Foundation LogReport@LogReport.org

This file is part of Lire.

Lire is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program (see COPYING); if not, check with
http://www.gnu.org/copyleft/gpl.html.

=head1 AUTHORS

Egon Willighagen <egonw@logreport.org>

=cut
lire 2:2.1.1-2.1 / usr / share / perl5 / Lire / WWW / Filename.pm
