package Iodef::Pb::Format::Bro;
use base 'Iodef::Pb::Format';

use strict;
use warnings;

use Regexp::Common qw/net/;
use Regexp::Common qw /URI/;
use Regexp::Common::net::CIDR ();

sub write_out {
    my $self    = shift;
    my $args    = shift;
    
    my $config  = $args->{'config'};
    my $array   = $self->SUPER::to_keypair($args);
    
    return '' unless(exists(@{$array}[0]->{'address'}));
    
    $config = $config->{'config'};
    
    my @config_search_path = ('claoverride',  $args->{'query'}, 'client' );
    # this is just as example...
    # my $cfg_option = $args->{'bro_option'} || $self->SUPER::confor($config, \@config_search_path, 'bro_option',        undef);

    my $result = "#fields\thost\tnet\tstr\tstr_type\tmeta.source\tmeta.desc\tmeta.url\tmeta.cif_impact\tmeta.cif_severity\tmeta.cif_confidence\n";
    foreach my $a (@$array){
        next unless($a->{'address'});
        
        my $ip = 0;
        my $net = 0;
        my $domain = 0;
        my $url = 0;

        ## TODO -- convert these into /https?/, long urls tend to crush $RE{'URI'}
        if(exists($a->{'address'}) and $a->{'address'}) {
            if($a->{'address'} =~ m/^$RE{URI}{HTTP}{-scheme=>'https?'}{-keep}$/i){
                if( $3 and $5 ){ $url = $3.$5; }
                elsif( $3 ){ $url = $3; }
            }
            elsif($a->{'address'} =~ m/^$RE{URI}{FTP}{-keep}$/){
                if( $3 and $5 ){ $url = $3.$5; }
                elsif( $3 ){ $url = $3; }
            }
            elsif($a->{'address'} =~ m/^$RE{net}{domain}$/){$domain = $a->{'address'};}

            # TODO: Add IPv6 support when that gets added to CIF                                                                                                                                                                                                                
            elsif($a->{'address'} =~ m/$RE{net}{CIDR}{IPv4}/){$net = $a->{'address'};}
            elsif($a->{'address'} =~ m/$RE{net}{IPv4}/){$ip = $a->{'address'};}

            # host    net    str   str_type                                                                                                                                                                                                                                     

            if($domain){ $result .= "-\t-\t".$domain."\tIntel::DOMAIN\t"; }
            if($url){    $result .= "-\t-\t".$url."\tIntel::URL\t"; }
            if($ip){     $result .= $ip."\t-\t-\t-\t"; }
            if($net){    $result .= "-\t".$net."\t-\t-\t"; }
        }

        if($ip or $net or $domain or $url) {
            $result .= "CIF - ";
            if(exists($a->{'restriction'}) and $a->{'restriction'}) { $result .= $a->{'restriction'}."\t"; }
            else { $result .= "Unknown\t"; }

            if(exists($a->{'description'}) and $a->{'description'}) { $result .= $a->{'description'}."\t"; }
            else { $result .= "-\t"; }

            if(exists($a->{'alternativeid'}) and $a->{'alternativeid'}) { $result .= $a->{'alternativeid'}." "; }
            else { $result .= "- "; }

            if(exists($a->{'alternativeid_restriction'}) and $a->{'alternativeid_restriction'}) { $result .= "(".$a->{'alternativeid_restriction'}.")\t"; }
            else { $result .= "(Unknown)\t"; }

            if(exists($a->{'impact'}) and $a->{'impact'}) { $result .= $a->{'impact'}."\t"; }
            else { $result .= "-\t"; }

            if(exists($a->{'severity'}) and $a->{'severity'}) { $result .= $a->{'severity'}."\t"; }
            else { $result .= "-\t"; }

            if(exists($a->{'confidence'}) and $a->{'confidence'}) { $result .= $a->{'confidence'}."\n"; }
            else { $result .= "-\n"; }
        }
    }
    return $result;
}
1;