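#!/usr/bin/perl
# honeysuckle - Vulnerability Correlation with snort & nessus
#
# Copyright (C) 2002 Brian Caswell
#
# "Any sufficiently advanced technology is indistinguishable from a simple perl
# script"
#
# honeysuckle is an implementation of IDS alert & vulnerability correlation
# based on snort alerts & a nessus scan.  We modify the priority in an attempt
# to get our monitor jockeys to focus on the really important stuff.
#
# I don't know about you, but when someone is shooting bullets at me, I
# would like to know they are shooting at me, even if they miss.
#
# (If you want to be dumb, err... ignore attacks that "you are not vulnerable
# to", move the print line to be inside of the last if statement)
#
# This code uses Nessus reports (.nsr) and snort's sid-msg.map to join alerts
# to vulnerabilities via their CVE references.  We take CSV input of the
# following format on STDIN:
#    srcip,dstip,priority,event
# and emit the same format on STDOUT with the priority field adjusted.
#
# Review notes on this revision:
#   * Both opens are now three-argument opens on lexical handles.  With the
#     original two-argument open(FH, $ARGV[0]) a command-line argument such
#     as ">report.nsr" or "some command |" is interpreted as a mode or a pipe
#     rather than as a file name, so anything that can influence @ARGV
#     (wrapper scripts, cron jobs built from config) could truncate files or
#     run commands.
#   * The CVE loop previously iterated "%{$sigs{$event}}" in list context,
#     i.e. over keys AND values; the values (all 1) were then looked up as
#     vulnerability ids.  It now iterates keys only.
#   * The CSV split is limited to four fields so an event message containing
#     a comma is not silently truncated.
#   * CVE ids are compared case-insensitively after whitespace trimming.
#     NOTE(review): the Nessus side requires a "XXX-YYYY-NNNN" shaped id
#     (e.g. CVE-2002-0001 / CAN-2002-0001) while the snort side accepts
#     whatever follows "cve," in sid-msg.map; if your map uses bare
#     "YYYY-NNNN" ids the two will never correlate - confirm against your
#     sid-msg.map.
#   * NOTE(review): snort itself treats priority 1 as the most urgent, so
#     "$priority++" LOWERS urgency on that scale.  The original behaviour is
#     kept unchanged here; adjust the increment if the CSV priority column
#     follows snort's convention.

use strict;
use warnings;

# @ARGV in numeric context is its element count; the original compared it
# with the string operator "ne", which only worked by accident.
if (@ARGV != 2) {
    print "Usage : $0 output.nsr sid-msg.map < log.csv\n";
    exit;
}

my ($nsr_path, $sidmap_path) = @ARGV;

# Three-argument open: the path is always treated as a plain file name, never
# as a mode prefix or a pipe, whatever characters it contains.
open(my $nsr_fh, '<', $nsr_path)
    or die "Ack, your NSR isn't there! ($nsr_path: $!)\n";
open(my $sidmap_fh, '<', $sidmap_path)
    or die "Ack, your sig-msg.map isn't there! ($sidmap_path: $!)\n";

# %vulnerabilities: ip -> { normalized cve id -> 1 }
# %sigs:            snort msg -> { normalized cve id -> 1 }
my (%vulnerabilities, %sigs);

# Canonical form of a CVE-style id for use as a hash key: surrounding
# whitespace removed, upper-cased.  Returns '' for undef so callers never
# store an undef key.
sub normalize_cve {
    my ($id) = @_;
    return '' unless defined $id;
    $id =~ s/^\s+//;
    $id =~ s/\s+$//;
    return uc $id;
}

# True when $ip is known to be vulnerable to $cve.  Checked with exists so
# that looking up an unknown ip does not autovivify an empty entry.
sub is_vulnerable {
    my ($ip, $cve) = @_;
    return 0 unless defined $ip && exists $vulnerabilities{$ip};
    return $vulnerabilities{$ip}{$cve} ? 1 : 0;
}

# Nessus .nsr lines start with the host address and carry the plugin output
# in ';'-separated segments, one of which is "CVE : <id>".  Every segment of
# that form on the line is harvested, and every "XXX-YYYY-NNNN" id inside a
# segment is recorded (the original took only one id per line).
# NOTE(review): assumes a segment may list several ids separated by
# punctuation - confirm against your Nessus version's report format.
while (my $line = <$nsr_fh>) {
    next unless $line =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/;
    my $ip = $1;
    while ($line =~ /;CVE : ([^;]*)(?=;)/g) {
        my $segment = $1;
        foreach my $id ($segment =~ /(\w{3}-\d{4}-\d+)/g) {
            $vulnerabilities{$ip}{ normalize_cve($id) } = 1;
        }
    }
}
close($nsr_fh) or warn "close $nsr_path: $!\n";

# sid-msg.map format: "sid || msg || ref,value || ref,value ..."
# Only "cve,<id>" references are used; the sid itself is not needed because
# the CSV carries the message text, not the sid.
while (my $line = <$sidmap_fh>) {
    chomp $line;
    next if $line =~ /^\s*\#/;
    next if $line =~ /^\s*$/;
    my ($sid, $msg, @refs) = split(/ \|\| /, $line);
    next unless defined $msg;
    foreach my $ref (@refs) {
        if ($ref =~ /^cve,(.*)$/i) {
            $sigs{$msg}{ normalize_cve($1) } = 1;
            # $sids{$sid}{$1} = 1;  # Got sids? try using these...
        }
    }
}
close($sidmap_fh) or warn "close $sidmap_path: $!\n";

# Correlate: for each alert, bump the priority once per CVE that the event
# references and that either endpoint is reported vulnerable to.
# NOTE(review): "++" on a non-numeric priority (e.g. "high") performs perl's
# magic string increment; the CSV is assumed to carry integers here.
while (my $line = <STDIN>) {
    chomp $line;
    next if $line =~ /^\s*$/;

    # Limit to four fields so commas inside the event message stay with it.
    my ($srcip, $dstip, $priority, $event) = split(/,/, $line, 4);
    unless (defined $event) {
        warn "skipping malformed line (expected srcip,dstip,priority,event): $line\n";
        print "$line\n";
        next;
    }

    if (exists $sigs{$event}) {
        foreach my $cve (keys %{ $sigs{$event} }) {
            if (is_vulnerable($srcip, $cve) || is_vulnerable($dstip, $cve)) {
                $priority++;
            }
        }
    }
    print "$srcip,$dstip,$priority,$event\n";
}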