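#!/usr/bin/perl -nwT
#
# Copyright Hank Leininger , KoreLogic, Inc
#
# Read in HTTP GETs of .EXE files (Dragon WEB:GET-EXE events dumped together
# with their decoded binary payload), and produce a list of GETs, one per
# line, of the form:
#
#   sip dip desthost requested_file
#
# Runs under -n: every statement outside INIT/END/sub executes once per input
# line with that line in $_.  -T (taint mode) is also on; printing tainted
# data is permitted, and nothing read from the input ever reaches the shell
# or the filesystem.  Note that -T on the #! line only takes effect when the
# script is invoked directly: `perl extract_web-get-exes` aborts with
# "Too late for -T".

INIT {
    # Version string, derived from the RCS keyword.
    $::V = '$Id: extract_web-get-exes,v 1.6 2007/10/03 04:25:02 hlein Exp $';
    $::V =~ s/^.*,v //;
    $::V =~ s/ .*//;
}

INIT {
    # An option-looking first argument, or a terminal on STDIN with no files
    # named, means the user wants the usage text rather than a run.
    if ( (@ARGV and $ARGV[0] =~ /^-./) or (-t STDIN and not @ARGV) ) {
        (my $basename = $0) =~ s%.*/%%;
        warn "
Usage: $basename decoded_db_with_binary_data
   or: dbgrep -S -e WEB:GET-EXE dragon.db | dbcat -D | $basename

$basename version: $::V
";
        exit;
    }

    # autoflush stdout, in case we are being piped
    $| = 1;
}

use strict;

# State for the GET currently being assembled; flushed by PrintGet().
our ($sip, $dip, $dhost, $url);

# Under -n, $_ is always defined at this point; this appears to be a guard
# that makes the script exit quietly if it is run without -n.
exit unless defined($_);

# Are we at the start of a new GET?  A record header looks like
#   YYYY-MM-DD ...|WEB:GET-EXE|<source ip>|<dest ip>|...
if (/^20[0-9]{2}-[0-9]{2}-[0-9]{2} .*\|WEB:GET-EXE\|([0-9.]+)\|([0-9.]+)\|/) {
    # NOTE(review): a "repeat=" header is skipped, but any GET/Host lines that
    # follow it are still applied to the *previous* pending record (its
    # $sip/$dip stay in place).  Confirm that repeat records carry no payload
    # of their own; otherwise a skip-until-next-header flag is needed here.
    next if /repeat=/;

    my ($newsip, $newdip) = ($1, $2);

    # Print any pending line, then start collecting the new one.
    PrintGet();
    $dhost = $url = "";
    $sip   = $newsip;
    $dip   = $newdip;
    next;
}
elsif (m%GET (/[^ ]+) HTTP/1\.%) {
    # Request line.  The captured path excludes spaces but may still carry
    # tabs, CR or other control bytes; SafeField() neutralises them on output.
    $url = $1;
}
elsif (/Host: ([^\r\n]+)/i) {
    # Host header.  Header names are case-insensitive, hence /i.  A trailing
    # newline is no longer required, so a final input line without one still
    # counts.  The pattern is not anchored at line start (the dump format may
    # prefix payload lines), so a header whose name merely ends in "Host"
    # (e.g. X-Forwarded-Host) also matches; a later real Host: line wins.
    $dhost = $1;
}

# Flush any pending data at EOF
END { PrintGet(); }

# Emit the pending GET as one whitespace-separated line:
#   sip dip desthost url
# Nothing is printed until both IPs are known; an empty host or URL is
# reported as [unknown].  Host and URL come straight from the client's
# request, so they are run through SafeField() first.
sub PrintGet {
    return unless ($sip and $dip);
    my $host = SafeField($dhost);
    my $path = SafeField($url);
    $host = '[unknown]' unless length $host;
    $path = '[unknown]' unless length $path;
    print "$sip $dip $host $path\n";
    return;
}

# Make an attacker-controlled field safe to emit as a single
# whitespace-delimited column: drop trailing whitespace, then %XX-encode
# every byte outside printable ASCII (0x21-0x7E).  That covers embedded
# spaces/tabs/CR (which would shift the columns for anything parsing this
# output), other C0/C1 controls such as terminal escape sequences, and
# high-bit bytes.  A literal '%' is left as-is so ordinary URL-encoded paths
# print unchanged; the encoding is therefore not reversible in that corner
# case.  undef is treated as the empty string.
sub SafeField {
    my ($field) = @_;
    $field = '' unless defined $field;
    $field =~ s/\s+\z//;
    $field =~ s/([^\x21-\x7e])/sprintf('%%%02X', ord($1))/ge;
    return $field;
}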