OSSEC/bin/ossec-update-rules-database.pl


#!/usr/bin/env perl
#ABSTRACT: script to update the rules within the mysql database
#PODNAME: ossec-update-rules-database.pl
use strict;
use warnings;
use File::Basename;
use OSSEC;
use XML::LibXML;
use Try::Tiny;
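my $ossec = OSSEC->new();
my $mysql = $ossec->mysql();

# Rebuild the rules table from scratch: every <include> listed in the
# OSSEC configuration is parsed and each <rule> it contains is inserted.
$mysql->deleteAllRules();

my $rules_dir = $ossec->ossecPath() . "/rules";
my @includes  = $ossec->config()->getElementsByTagName("include");

INCLUDE:
for my $include (@includes) {
    my $name = $include->textContent;
    my $path = "$rules_dir/$name";
    # NOTE(review): $name is taken verbatim from the OSSEC configuration;
    # if that file is not trusted, reject names containing path separators
    # before building $path.

    if (! -e $path) {
        warn("$path not found\n");
        next INCLUDE;
    }

    # Rule files are XML fragments without a single root element, so they
    # are wrapped in <root>...</root> to become well-formed. Lines that
    # mention pcre2 are dropped, as the previous `sed '/pcre2/d'` step did.
    # The wrapping is done in-process: the former shell pipeline interpolated
    # $name unquoted into commands and wrote to a predictable /tmp/<name>
    # path, which was both a quoting problem and a symlink/clobber risk.
    open(my $fh, '<:raw', $path) or do {
        warn("Cannot open $path: $!\n");
        next INCLUDE;
    };
    my $xml = "<root>\n";
    while (my $line = <$fh>) {
        next if $line =~ /pcre2/;
        $xml .= $line;
    }
    $xml .= "</root>\n";
    close($fh);

    my $parser = XML::LibXML->new;
    $parser->set_option("pedantic_parser", 0);
    $parser->set_option("validation", 0);
    $parser->set_option("recover", 1);   # tolerate sloppy markup in rule files

    my $rule_file;
    try {
        $rule_file = $parser->load_xml(string => $xml);
    } catch {
        warn("Error parsing $name: $_\n");
    };
    # A failed parse leaves $rule_file undef; skip this include instead of
    # dying on the method call below.
    next INCLUDE unless defined $rule_file;

    for my $rule_node ($rule_file->getElementsByTagName("rule")) {
        # Use the first <description> when present, otherwise a placeholder.
        my ($desc_node) = $rule_node->getElementsByTagName("description");
        my $description = defined $desc_node ? $desc_node->textContent : "unknown";
        $mysql->addRule(
            $rule_node->getAttribute("id"),
            $rule_node->getAttribute("level"),
            $description,
        );
    }
}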