Module Version: 1.02

NAME

Malware::Parser::NormanSandBoxLive - Perl extension for parsing norman sandbox email digests

SYNOPSIS

  use Data::Dumper;
  use Malware::Parser::NormanSandBoxLive;

  my $f = 'digest.zip';

  # -auto (the default) extracts the zip and parses it in the constructor;
  # -cleanup removes the zip and its extracted files afterwards
  my $n = Malware::Parser::NormanSandBoxLive->new( -zip => $f, -cleanup => 1);

  my (@http,@bn);
  foreach my $m (@{$n->malware()}){
        # layer-7 HTTP URLs the sample contacted
        if(my @a = $m->returnConnectionsByLayer_array(-type => 'url', -layer => 7, -protocol => 'http')){
                push(@http,@a);
        }
        # DNS names the sample resolved for IRC connections
        if(my @a = $m->returnConnectionsByLayer_array(-type => 'dns', -layer => 7, -protocol => 'irc')){
                push(@bn,@a);
        }
  }

  warn Dumper(@http);
  warn Dumper(@bn);

DESCRIPTION

This module parses NormanSandBoxLive email digests (it can also handle the web output, but the email digest is the better source if you can get it). From the parsed malware behaviour (connections, hostnames, URLs) you can then build detection rules and similar artifacts.
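As an added example (not code from the Malware distribution or its author), the script below turns the kind of lists the SYNOPSIS harvests, HTTP URLs and IRC hostnames, into Snort rules and an RPZ-style DNS blocklist. The input lists are constructed inline so it runs without a digest; that each connection entry is, or stringifies to, a plain URL or hostname is an assumption, as is the SID range.

```perl
#!/usr/bin/perl
# Added example, not part of the Malware distribution: convert the HTTP URLs
# and IRC hostnames collected in the SYNOPSIS loop into Snort rules and an
# RPZ-style DNS blocklist. The inputs are constructed so this runs without a
# digest; in real use they are the @http and @bn arrays from the SYNOPSIS.
use strict;
use warnings;

# ASSUMPTION: each connection entry is (or stringifies to) the URL or
# hostname the sandbox observed. Repeats and case differences are normal
# when several samples in one digest contact the same host.
my @http = (
    'http://update.example.net/dl/loader.exe',
    'http://update.example.net/dl/loader.exe',
    'http://198.51.100.23/cgi-bin/gate.php?id=1',
    'https://update.example.net/secure',   # skipped: http_uri cannot see TLS
);
my @bn = ( 'irc.example.org', 'IRC.EXAMPLE.ORG' );

my $next_sid = 1000001;   # local rules belong in the SID range >= 1000000

# Escape the characters that end or alter a Snort content: option, so a URL
# containing ';' or '"' cannot truncate or corrupt the rule.
sub snort_escape {
    my ($s) = @_;
    $s =~ s/([\\";|])/\\$1/g;
    return $s;
}

# One rule per unique http:// URL, matching the request path in the URI
# buffer and the server name in the Host header.
sub http_rules {
    my (@urls) = @_;
    my (%seen, @rules);
    for my $url (@urls) {
        my ($host, $path) = $url =~ m{^http://([^/:\s]+)(?::\d+)?(/\S*)?$}i
            or next;                       # not plain http://, skip it
        $host = lc $host;
        $path = '/' unless defined $path;
        next if $seen{"$host$path"}++;     # same indicator from another sample
        push @rules, sprintf(
            'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
          . '(msg:"Sandbox-observed HTTP callback to %s"; '
          . 'flow:to_server,established; '
          . 'content:"%s"; http_uri; '
          . 'content:"Host: %s"; nocase; http_header; '
          . 'classtype:trojan-activity; sid:%d; rev:1;)',
            $host, snort_escape($path), snort_escape($host), $next_sid++ );
    }
    return @rules;
}

# IRC hostnames: one RPZ record per unique name; "CNAME ." makes the
# resolver answer NXDOMAIN for it.
sub dns_blocklist {
    my (@names) = @_;
    my %seen;
    return map  { $_ . ' CNAME .' }
           grep { !$seen{$_}++ }
           map  { lc($_) } @names;
}

print "$_\n" for http_rules(@http);
print "$_\n" for dns_blocklist(@bn);
```

The rules key on request path plus Host header rather than on the server IP, since the IP is the part that churns fastest; the https:// entry is dropped because a Snort sensor cannot inspect the URI inside TLS, so it belongs in the DNS blocklist instead. Escaping the content strings matters: a sandbox-observed URL is attacker-chosen, and an unescaped `;` or `"` would change the meaning of the generated rule.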

OBJECT METHODS

new()

  my $n = Malware::Parser::NormanSandBoxLive->new(
        -auto => 1,                     # default; extract the zip and parse it in the constructor
        -zip => $PATH_TO_ZIPFILE,
        -path => $PATH_TO_SANDBOX_FILE, # use instead of -zip if you already have the extracted file; its name must start with 'sandbox_'
        -cleanup => 1,                  # unlink the zip file and its extracted contents after parsing?
  );

extractFromZip()

Uses Archive::Extract to unpack the zip file and sets path() to the extracted sandbox file. Called internally by new() when -auto is set.

  $n->zip($zipFilePath);
  $n->extractFromZip();

Returns 1 on success, dies on error.

parse_txtFile()

Parses the main text file and pushes each malware object it creates onto the list returned by malware().

Returns 1 on success, dies if the file can't be opened.

ACCESSORS / MODIFIERS

zip()

Sets and Returns the zipFile path

path()

Sets and Returns the sandbox_ file path

auto()

Sets and Returns auto property (auto parse)

cleanup()

Sets and Returns the cleanup property (unlink the zip file and its extracted contents after parsing?)

malware()

Stores an arrayref of malware objects.

Accepts Malware objects; returns ($errstr, undef) if given anything else.

Returns arrayref of malware objects.

unknown()

Stores the strings of classifications the parser did not recognise.

Accepts strings.

Returns arrayref of strings.

SEE ALSO

Malware, Net::Connection::Simple, Time::Timestamp

AUTHOR

Wes Young, <saxguard9-cpan@yahoo.com>

COPYRIGHT AND LICENSE

Copyright (C) 2006 by Wes Young

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.7 or, at your option, any later version of Perl 5 you may have available.
