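#
# Snort Check, assumes that alerts go to /var/log/secure
# (C) Vladimir Ivaschenko , based on sample_functions.mod
#
# Rules.cfg example:
# o:snort:"^month/^day ^time SNORT: ^source - ^user."
# r:snort:mod_snort_check:0h10m0s:Admins:
# f:snort:/var/log/secure:snort:snort
#

# mod_snort_check(INDEX)
#
# Correlates the snort alert at $logs[INDEX] with earlier entries of
# @logs (each entry is a hash with 'logfile' and 'logline' keys).
# Returns ($source_host, "$victim, $scan_types") when more than
# $max_probes further snort alerts from the same source against the
# same victim lie within $time_frame of the triggering line; returns
# an empty list when the line is not a snort alert from
# /var/log/secure or the threshold is not reached.
#
# Relies on to_epoch() from the surrounding framework; $time_frame is
# compared against its result, so it is assumed to return seconds.
sub mod_snort_check {
    my ($idx) = @_;

    my $time_frame = 180;   # correlation window, same unit as to_epoch()
    my $max_probes = 2;     # report only above this many additional probes
    my @retval     = ();

    return @retval unless $logs[$idx]{'logfile'} eq "/var/log/secure";

    # Assigning the captures checks the match explicitly.  Reading $1..$4
    # after a failed match would silently reuse the values of an earlier
    # regex and attribute the probe to the wrong host.
    my ($prog, $scantypes, $evilhost, $victim) =
        $logs[$idx]{'logline'} =~ /^.* (.*?): (.*?): (.*?):.* -> (.*?):.*$/i;
    return @retval unless defined $prog && $prog eq "snort";

    my $ep         = to_epoch($logs[$idx]{'logline'});
    my $newep      = $ep + 1;   # sentinel: the trigger line itself is not counted
    my $num_probes = 0;

    # Walk backwards from the trigger.  $newep holds the timestamp of the
    # /var/log/secure line about to be examined, so the loop stops as soon
    # as that line is older than $time_frame.
    for (my $i = $idx; ($ep - $newep) < $time_frame && $i >= 0; $i--) {
        if ($logs[$i]{'logfile'} eq "/var/log/secure" && $ep >= $newep) {
            my ($type, $src, $dst) =
                $logs[$i]{'logline'} =~ /^.* snort: (.*?): (.*?):.* -> (.*?):.*$/i;
            if (defined $dst && $src eq $evilhost && $dst eq $victim) {
                $scantypes .= "+$type";
                $num_probes++;
            }
        }

        # Look ahead to the next older entry.  The $i > 0 guard avoids
        # $logs[-1], which is the newest entry rather than an older one.
        if ($i > 0 && $logs[$i - 1]{'logfile'} eq "/var/log/secure") {
            $newep = to_epoch($logs[$i - 1]{'logline'});
        }
    }

    if ($num_probes > $max_probes) {
        @retval = ($evilhost, "$victim, $scantypes");
    }
    return @retval;
}

1;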