by2 1.0.0

data/lib/by2.rb

@@ -0,0 +1,69 @@
+require 'rubygems'
+require 'yaml'
+require "optparse"
+require 'ostruct'
+require 'pg'
+require 'active_record'
+require 'composite_primary_keys'
+
+require_relative 'by2/version'
+require_relative 'by2/options'
+require_relative 'by2/config_loader'
+require_relative 'by2/utils'
+require_relative 'by2/ext/active_record'
+require_relative 'by2/models'
+require_relative 'by2/client'
+
+
+module By2
+  def self.root
+    @root ||= File.expand_path(File.join(__FILE__, '..', '..'))
+  end
+
+  def self.config
+    @config ||= ConfigLoader.new
+  end
+
+  def self.fixtures_dir
+    File.join(root, "spec", "fixtures")
+  end
+
+  def self.db_connect
+    @conn ||= begin
+      conn_config = config.load("database.yml")
+      #ActiveSupport::Deprecation.silenced = true
+      ActiveRecord::Base.default_timezone = :local
+      ActiveRecord::Base.establish_connection(conn_config[env])
+      ActiveRecord::Base.connection
+      ActiveRecord::Base.logger = Logger.new(STDOUT) if debug?
+    end
+  end
+
+  def self.env
+    @env ||= (ENV['BY2_ENV'] || config.load("env.yml", false) || "development")
+  end
+
+  def self.debug?
+    @debug ||= false
+  end
+
+  def self.debug=(d)
+    @debug = d
+  end
+
+  def self.debug(msg)
+    $stdout.puts(msg) if debug?
+  end
+end
+
+
+By2.db_connect
+
+=begin
+require "./lib/by2"
+By2.db_connect
+cli = By2::Client.new([])
+ip = By2::Utils.int32_to_ip(2154959208)
+
+q = cli.find_entries({ip: ip});
+=end

data/lib/by2/client.rb

@@ -0,0 +1,109 @@
+module By2
+  class Client
+    include Models
+
+    def initialize(argv=[])
+      @opts = Options.parse(argv)
+
+      By2.debug = @opts.delete(:debug)
+      By2.db_connect
+      By2.debug(@opts.inspect)
+    end
+
+    ##
+    # payload: sid: 1, cid: 5
+    # 2149599422 => "128.32.72.190"
+    # 2954912804 => "176.32.100.36"
+    def find_records(options = {})
+      @opts = @opts.merge(options)
+      tables = %w(iphdr tcphdr udphdr icmphdr payload)
+
+      query = Event.
+          includes(*tables).
+          references(*tables).
+          order("event.timestamp")
+
+      query.
+          merge(ip_src_or_dst).
+          merge(port_src_or_dst).
+          merge(port_src).
+          merge(port_dst).
+          merge(ip_src).
+          merge(ip_dst).
+          merge(date).
+          merge(date_range)
+    end
+
+    def run
+      records = find_records
+
+      unless @opts[:count]
+        records.each { |r| $stdout.puts(terminal(r)) }
+      end
+
+      $stdout.puts(record_separator)
+      $stdout.puts(record_count(records.count))
+    end
+
+    private
+
+    def record_separator
+      ("-" * 80)
+    end
+
+    def record_count(n)
+      "Total records: #{n}\n\n"
+    end
+
+    def terminal(event)
+      e = event
+      ("-" * 80) + "\n" \
+      "[#{e.timestamp}] #{e.iphdr.ipaddr_src}:#{e.sport} -> #{e.iphdr.ipaddr_dst}:#{e.dport} (#{e.transport})\n\n" \
+        "#{(e.payload && e.payload.to_s.strip) || "[no payload]"}\n\n"
+    end
+
+    def all
+      Event.all
+    end
+
+    def ip_src_or_dst
+      return all if @opts[:ip].nil?
+      Iphdr.ip_src_or_dst(@opts[:ip])
+    end
+
+    def port_src_or_dst
+      return all if @opts[:port].nil?
+      Tcphdr.src_or_dst_port(@opts[:port]).or(Udphdr.src_or_dst_port(@opts[:port]))
+    end
+
+    def port_src
+      return all if @opts[:src_port].nil?
+      Tcphdr.src_port(@opts[:src_port]).or(Udphdr.src_port(@opts[:src_port]))
+    end
+
+    def port_dst
+      return all if @opts[:dst_port].nil?
+      Tcphdr.dst_port(@opts[:dst_port]).or(Udphdr.dst_port(@opts[:dst_port]))
+    end
+
+    def ip_src
+      return all if @opts[:src_ip].nil?
+      Iphdr.ip_src(@opts[:src_ip])
+    end
+
+    def ip_dst
+      return all if @opts[:dst_ip].nil?
+      Iphdr.ip_dst(@opts[:dst_ip])
+    end
+
+    def date
+      return all if @opts[:date].nil?
+      Event.on_date(@opts[:date])
+    end
+
+    def date_range
+      return all if @opts[:start_date].nil?
+      Event.in_date_range(@opts[:start_date], @opts[:end_date])
+    end
+  end
+end

data/lib/by2/config_loader.rb

@@ -0,0 +1,34 @@
+module By2
+  class ConfigLoader
+    attr_accessor :search_paths
+
+    def initialize
+      @search_paths ||= [app_config, user_config]
+    end
+
+    def load(config_file, required = false)
+      search_paths.each do |path|
+        file = File.expand_path(File.join(path, config_file))
+        By2.debug("Searching for #{file} in #{path}")
+
+        if File.exists?(file)
+          By2.debug("Loaded: #{file}")
+          return YAML.load_file(file)
+        end
+      end
+
+      By2.debug("Could not load: #{config_file}")
+      required ? raise : nil
+    end
+
+    private
+
+    def app_config
+      @app_config ||= File.expand_path(File.join(::By2.root, "config"))
+    end
+
+    def user_config
+      @user_config ||= File.expand_path(File.join(ENV['HOME'], ".by2"))
+    end
+  end
+end

data/lib/by2/ext/active_record.rb

@@ -0,0 +1,105 @@
+# At some point this should be merged into ActiveRecord or a gem should
+# become available with this same functionality.
+#
+# Original gist: https://gist.github.com/j-mcnally/250eaaceef234dd8971b
+# Github Pull Request: https://github.com/rails/rails/pull/9052
+
+module ActiveRecord
+  module Querying
+    delegate :or, :to => :all
+  end
+end
+
+module ActiveRecord
+  module QueryMethods
+  	 # OrChain objects act as placeholder for queries in which #or does not have any parameter.
+    # In this case, #or must be chained with any other relation method to return a new relation.
+    # It is intended to allow .or.where() and .or.named_scope.
+    class OrChain
+      def initialize(scope)
+        @scope = scope
+      end
+
+      def method_missing(method, *args, &block)
+        right_relation = @scope.klass.unscoped do
+          @scope.klass.send(method, *args, &block)
+        end
+        @scope.or(right_relation)
+      end
+    end
+
+    # Returns a new relation, which is the result of filtering the current relation
+    # according to the conditions in the arguments, joining WHERE clauses with OR
+    # operand, contrary to the default behaviour that uses AND.
+    #
+    # #or accepts conditions in one of several formats. In the examples below, the resulting
+    # SQL is given as an illustration; the actual query generated may be different depending
+    # on the database adapter.
+    #
+    # === without arguments
+    #
+    # If #or is used without arguments, it returns an ActiveRecord::OrChain object that can
+    # be used to chain queries with any other relation method, like where:
+    #
+    #    Post.where("id = 1").or.where("id = 2")
+    #    # SELECT `posts`.* FROM `posts`  WHERE (('id = 1' OR 'id = 2'))
+    #
+    # It can also be chained with a named scope:
+    #
+    #    Post.where("id = 1").or.containing_the_letter_a
+    #    # SELECT `posts`.* FROM `posts`  WHERE (('id = 1' OR 'body LIKE \\'%a%\\''))
+    #
+    # === ActiveRecord::Relation
+    #
+    # When #or is used with an ActiveRecord::Relation as an argument, it merges the two
+    # relations, with the exception of the WHERE clauses, that are joined using the OR
+    # operand.
+    #
+    #    Post.where("id = 1").or(Post.where("id = 2"))
+    #    # SELECT `posts`.* FROM `posts`  WHERE (('id = 1' OR 'id = 2'))
+    #
+    # === anything you would pass to #where
+    #
+    # #or also accepts anything that could be passed to the #where method, as
+    # a shortcut:
+    #
+    #    Post.where("id = 1").or("id = ?", 2)
+    #    # SELECT `posts`.* FROM `posts`  WHERE (('id = 1' OR 'id = 2'))
+    #
+    def or(opts = :chain, *rest)
+      if opts == :chain
+        OrChain.new(self)
+      else
+        left = with_default_scope
+        right = (ActiveRecord::Relation === opts) ? opts : klass.unscoped.where(opts, rest)
+
+        unless left.where_values.empty? || right.where_values.empty?
+          left.where_values = [left.where_ast.or(right.where_ast)]
+          right.where_values = []
+        end
+
+        left = left.merge(right)
+      end
+    end
+
+
+ 	# Returns an Arel AST containing only where_values
+    def where_ast
+      arel_wheres = []
+
+      where_values.each do |where|
+        arel_wheres << (String === where ? Arel.sql(where) : where)
+      end
+
+      return Arel::Nodes::And.new(arel_wheres) if arel_wheres.length >= 2
+
+      if Arel::Nodes::SqlLiteral === arel_wheres.first
+        Arel::Nodes::Grouping.new(arel_wheres.first)
+      else
+        arel_wheres.first
+      end
+    end
+
+
+  end
+end

data/lib/by2/models.rb

@@ -0,0 +1,10 @@
+require_relative 'models/event'
+require_relative 'models/payload'
+require_relative 'models/tcphdr'
+require_relative 'models/udphdr'
+require_relative 'models/icmphdr'
+require_relative 'models/iphdr'
+
+
+module Models
+end

data/lib/by2/models/event.rb

@@ -0,0 +1,50 @@
+module By2
+  module Models
+
+    class Event < ActiveRecord::Base
+      self.table_name = 'event'
+      self.primary_keys = :sid, :cid
+
+      has_one :payload, :foreign_key => [:sid, :cid]
+      has_one :tcphdr, :foreign_key => [:sid, :cid]
+      has_one :udphdr, :foreign_key => [:sid, :cid]
+      has_one :icmphdr, :foreign_key => [:sid, :cid]
+      has_one :iphdr, :foreign_key => [:sid, :cid]
+
+
+      def self.on_date(date)
+        where("cast(\"timestamp\" as date) = ?", date)
+      end
+
+      def self.in_date_range(start_date, end_date)
+        query = where("cast(\"timestamp\" as date) >= ?", start_date)
+        query = query.merge(where("cast(\"timestamp\" as date) <= ?", end_date)) if end_date
+        query
+      end
+
+      def transport
+        return "TCP"  if tcphdr
+        return "UCP"  if udphdr
+        return "ICMP" if icmphdr
+
+        "UNKNOWN"
+      end
+
+      def dport
+        tcphdr.try(:dport) || udphdr.try(:dport)
+      end
+
+      def sport
+        tcphdr.try(:sport) || udphdr.try(:sport)
+      end
+
+      def ip_src
+        iphdr.try(:ipaddr_src)
+      end
+
+      def ip_dst
+        iphdr.try(:ipaddr_dst)
+      end
+    end
+  end
+end

data/lib/by2/models/icmphdr.rb

@@ -0,0 +1,10 @@
+module By2
+  module Models
+    class Icmphdr < ActiveRecord::Base
+      self.table_name = 'icmphdr'
+      self.primary_keys = :sid, :cid
+
+      belongs_to :event, :foreign_key => [:sid, :cid]
+    end
+  end
+end

data/lib/by2/models/iphdr.rb

@@ -0,0 +1,38 @@
+module By2
+  module Models
+
+    class Iphdr < ActiveRecord::Base
+      self.table_name = 'iphdr'
+      self.primary_keys = :sid, :cid
+
+      belongs_to :event, :foreign_key => [:sid, :cid]
+
+
+      def self.ip_src_or_dst(ip)
+        where("iphdr.ip_dst = ? or iphdr.ip_src = ?",  int32(ip),  int32(ip))
+      end
+
+      def self.ip_src(ip)
+        where("iphdr.ip_src = ?", int32(ip))
+      end
+
+      def self.ip_dst(ip)
+        where("iphdr.ip_dst = ?", int32(ip))
+      end
+
+      def ipaddr_src
+        Utils.int32_to_ip(self.ip_src)
+      end
+
+      def ipaddr_dst
+        Utils.int32_to_ip(self.ip_dst)
+      end
+
+      private
+
+      def self.int32(ip)
+        Utils.ip_to_int32(ip)
+      end
+    end
+  end
+end

data/lib/by2/models/payload.rb

@@ -0,0 +1,16 @@
+module By2
+  module Models
+
+    class Payload < ActiveRecord::Base
+      self.table_name = 'data'
+      self.primary_keys = :sid, :cid
+
+      belongs_to :event, :foreign_key => [:sid, :cid]
+
+
+      def to_s
+        Utils.hex_to_ascii(self.data_payload)
+      end
+    end
+  end
+end