OSSIM IP lookup script – executed by a rule


This script takes an IP address, looks up its GeoIP information, and populates a database with that information together with the Suricata IDS signature information.


use warnings;

use DBI;
use Email::MIME;
use Email::Sender::Simple qw(sendmail);
use Geo::IP::PurePerl;
use Net::IP::Match::Regexp qw( create_iprange_regexp match_ip );
use POSIX qw(strftime);

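# Event fields arrive positionally from the OSSIM rule/action that invokes
# this script:
#   $ARGV[0] source IP, [1] signature name, [2] source port, [3] protocol,
#   [4] destination IP, [5] destination port.
# All of them are untrusted event data. Further down they are written to the
# database: bind them as placeholders instead of interpolating them into the
# SQL text, and never trust them to be well-formed.
@ARGV >= 6
    or die "usage: $0 SRC_IP SID_NAME SRC_PORT PROTOCOL DST_IP DST_PORT\n";

my $gi = Geo::IP::PurePerl->new("/usr/local/share/GeoIP/GeoIP.dat", GEOIP_STANDARD);

my $srcip = $ARGV[0];
# country_code_by_addr() returns undef when the address is not in the
# database; the caller has to cope with that.
my $country = $gi->country_code_by_addr($srcip);

# Build the timestamp in-process rather than shelling out to date(1): no child
# process per event, and no trailing newline from qx() that would otherwise be
# stored as part of the date/time values.
my @now  = localtime;
my $date = strftime('%Y-%m-%d', @now);
my $time = strftime('%H:%M:%S', @now);

my $sidname  = $ARGV[1];
my $srcport  = $ARGV[2];
my $protocol = $ARGV[3];
my $dstip    = $ARGV[4];
my $dstport  = $ARGV[5];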

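# Dump the raw arguments for debugging. Three-arg open with an explicit mode
# and a checked result; the bareword handle is kept because the lines that
# follow print to and close MYFILE.
# NOTE: a fixed file name in the world-writable /tmp is overwritten on every
# run and, with the privileges this action runs under, a pre-existing link at
# that path would redirect the write. A File::Temp handle, or a directory only
# the service user can write, is the safer choice.
open(MYFILE, '>', '/tmp/temp.txt')
    or die "open /tmp/temp.txt: $!";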
foreach $argnum (0 .. $#ARGV) {
 print MYFILE "$ARGV[$argnum]\n";
close (MYFILE);

my $regexp = create_iprange_regexp('','','','');
if ( match_ip($srcip, $regexp) ) {
 print "ip interna \n";
 exit 0;
} else {
 print "ip externa \n";

my $dbh = DBI->connect("DBI:Pg:dbname=siem;host=localhost", "database", "password", {'RaiseError' => 1});
my $registry = $dbh->do("INSERT INTO ips_db (date,time,sensor,sid_name,src_ip,src_port,dst_ip,dst_port,src_country,action) VALUES ('$date','$time','','$sidname','$srcip','$srcport','$dstip','$dstport','$country','database')");