package Iodef::Pb::Simple::Plugin::Malware;
use base 'Iodef::Pb::Simple::Plugin';

use strict;
use warnings;

use MIME::Base64;
use Compress::Snappy;
use Digest::SHA1 qw(sha1_hex);
use Digest::MD5 qw(md5_hex);

sub process {
    my $self = shift;
    my $data = shift;
    my $iodef = shift;
       
    return unless($data->{'malware_md5'} || $data->{'malware_sha1'} || $data->{'Malware'});
    
    my $ad = [];
    
   if(my $f = $data->{'Malware'}){
        my $stream;
        if($f =~ /^(\/\S+|[a-zA-Z]+\/\S+)/){
            # we got a file
            # 1Meg.
            return ('file too large') unless((-s $f) < 1048576);
            open(F,$f) or return('unable to open '.$f.': '.$!);
            $f = <F>;
            close(F);
        }
        $data->{'malware_sha1'} = sha1_hex($f);
        $data->{'malware_md5'} = md5_hex($f);
        $f = encode_base64(Compress::Snappy::compress($f));
        push(@$ad,
            ExtensionType->new({
                meaning     => 'binary',
                formatid    => 'base64+snappy',
                content     => $f,
                dtype       => ExtensionType::DtypeType::dtype_type_string(),
            })
        );
    }
    if($data->{'malware_md5'}){
        push(@$ad, 
            ExtensionType->new({
                meaning     => 'malware hash',
                formatid    => 'md5',
                content     => $data->{'malware_md5'},
                dtype       => ExtensionType::DtypeType::dtype_type_string(),
            })
        );
    }
    
    if($data->{'malware_sha1'}){
        push(@$ad, 
            ExtensionType->new({
                meaning     => 'malware hash',
                formatid    => 'sha1',
                content     => $data->{'malware_sha1'},
                dtype       => ExtensionType::DtypeType::dtype_type_string(),
            })
        );
    }

    my $incident = @{$iodef->get_Incident()}[0];
    push(@{$incident->{'AdditionalData'}},@$ad);  

}

1;