Malware::Parser::NormanSandBoxLive - Perl extension for parsing norman sandbox email digests

  my $n = Malware::Parser::NormanSandBoxLive->new( -zip => $f, -cleanup => 1);

  my (@http,@bn);
  foreach my $m (@{$n->malware()}){
  	if(my @a = $m->returnConnectionsByLayer_array(-type => 'url', -layer => 7, -protocol => 'http')){
  		push(@http,@a) if(@a);
  	}
  	if(my @a = $m->returnConnectionsByLayer_array(-type => 'dns', -layer => 7, -protocol => 'irc')){
  		push(@bn,@a) if(@a);
  	}
  }

  warn Dumper(@http);
  warn Dumper(@bn);

This module is a parser for NormanSandBoxLive email digests (does the web too...but email is better if you can get it). From here you can take the malware behavior and use it to create detection rules etc...

  my $n = Malware::Parser::NormanSandBoxLive->new(
  	-auto => 1, # default, do we want to auto extract the zip and parse? (yes, rgc, i am that lazy ;-)
  	-zip => $PATH_TO_ZIPFILE,
  	-path => $PATH_TO_SANDBOX_FILE # use this if you dont have the zip, filename must start with 'sandbox_'
  	-cleanup => 1, # clean up the zip file and its extractions after?
  }

Uses Archive::Extract to open up the zip file (used internally if you -auto on new()) and sets the path of the sandbox file.

  $n->zip($zipFilePath);
  $n->extractFromZip();

Returns 1 on sucess, dies() on error

Parses the main text file and pushes each malware object it creates into $self->malware()

Returns 1 on success, dies() if the file can't be opened

Sets and Returns the zipFile path

Sets and Returns the sandbox_ file path

Sets and Returns auto property (auto parse)

Sets and Returns the cleanup property (do we unlink() files on parse?)

Stores an arrayref of malware objects.

Accepts Malware Objects or return ($errstr,undef)

Returns arrayref of malware objects

Stores an array of strings that hold unknown classifications

Accepts strings

Returns arrayref of strings

Malware,Net::Connection::Simple,Net::Connection::Simple,Time::Timestamp

Wes Young, <saxguard9-cpan@yahoo.com>

Copyright (C) 2006 by Wes Young

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself, either Perl version 5.8.7 or, at your option, any later version of Perl 5 you may have available.