by2 1.0.0

data/lib/by2/models/tcphdr.rb

@@ -0,0 +1,30 @@
+module By2
+  module Models
+    class Tcphdr < ActiveRecord::Base
+      self.table_name = 'tcphdr'
+      self.primary_keys = :sid, :cid
+
+      belongs_to :event, :foreign_key => [:sid, :cid]
+
+      def self.src_or_dst_port(port)
+        where("tcphdr.tcp_sport = ? or tcphdr.tcp_dport = ?",  port, port)
+      end
+
+      def self.src_port(port)
+        where("tcphdr.tcp_sport = ?",  port)
+      end
+
+      def self.dst_port(port)
+        where("tcphdr.tcp_dport = ?",  port)
+      end
+
+      def dport
+        tcp_dport
+      end
+
+      def sport
+        tcp_sport
+      end
+    end
+  end
+end

data/lib/by2/models/udphdr.rb

@@ -0,0 +1,30 @@
+module By2
+  module Models
+    class Udphdr < ActiveRecord::Base
+      self.table_name = 'udphdr'
+      self.primary_keys = :sid, :cid
+
+      belongs_to :event, :foreign_key => [:sid, :cid]
+
+      def self.src_or_dst_port(port)
+        where("udphdr.udp_sport = ? or udphdr.udp_dport = ?",  port, port)
+      end
+
+      def self.src_port(port)
+        where("udphdr.udp_sport = ?",  port)
+      end
+
+      def self.dst_port(port)
+        where("udphdr.udp_dport = ?",  port)
+      end
+
+      def dport
+        udp_dport
+      end
+
+      def sport
+        udp_sport
+      end
+    end
+  end
+end

data/lib/by2/options.rb

@@ -0,0 +1,77 @@
+module By2
+  class Options
+    OptionsError = Class.new(RuntimeError)
+
+    def self.parse(argv)
+      options = { start_date: 2.weeks.ago }
+      req_options = {}
+
+      opts = OptionParser.new do |x|
+        x.banner = "Usage: by2 [options]"
+
+        x.separator ""
+        x.separator "Required options (at least one is required):"
+
+        x.on("-i IP", String, "source or destination ip w/optional port") do |ip|
+          req_options[:ip], req_options[:port] = ip.split(":")
+        end
+
+        x.on("-s SRC_IP", String, "source ip w/optional port") do |ip|
+          req_options[:src_ip], req_options[:src_port] = ip.split(":")
+        end
+
+        x.on("-d DST_IP", String, "destination ip w/optional port") do |ip|
+          req_options[:dst_ip], req_options[:dst_port] = ip.split(":")
+        end
+
+        x.on("-m DUMP_STR", String, "dump string: \"src_ip:src_port -> dst_ip:dst_port\"") do |ips|
+          src_ip, dst_ip = ips.split("->")
+          req_options[:src_ip], req_options[:src_port] = src_ip.strip.split(":")
+          req_options[:dst_ip], req_options[:dst_port] = dst_ip.strip.split(":")
+        end
+
+        x.on("-t DATE", String, "date (yyyy-mm-dd)") do |date|
+          if date.include?(":")
+            req_options[:start_date], req_options[:end_date] = date.split(":")
+          else
+            req_options[:date] = date
+            options.delete(:start_date)
+          end
+        end
+
+
+        x.separator ""
+        x.separator "Additional options:"
+
+        x.on("-l LIMIT", Integer, "limit number of returned records") do |l|
+          options[:limit] = l
+        end
+
+        x.on("-D", TrueClass, "debug flag") do
+          options[:debug] = true
+        end
+
+        x.on("-C", TrueClass, "only print number of records found") do
+          options[:count] = true
+        end
+
+        x.on("-h", "Show this message") do
+          $stdout.puts(opts); exit
+        end
+
+        x.on("-H", "Show man page") do
+          $stdout.puts(File.read("#{::By2.root}/man/by2.1.txt")); exit
+        end
+      end
+
+      opts.parse!(argv)
+
+      raise OptionsError if req_options.empty?
+
+      options.merge(req_options)
+    rescue OptionParser::ParseError, OptionsError => err
+      raise OptionsError.new(opts) if err.is_a?(OptionsError)
+      raise OptionsError.new(err)
+    end
+  end
+end

data/lib/by2/utils.rb

@@ -0,0 +1,22 @@
+require 'ipaddr'
+
+
+module By2
+  module Utils
+    def self.int32_to_ip(int32)
+      IPAddr.new(int32, Socket::AF_INET).to_s
+    end
+
+    def self.ip_to_int32(ip)
+      IPAddr.new(ip).to_i
+    end
+
+    def self.hex_to_ascii(hex)
+      [hex].pack("H*")
+    end
+
+    def self.fdate(date)
+      date.strftime("%Y-%m-%d")
+    end
+  end
+end

data/lib/by2/version.rb

@@ -0,0 +1,3 @@
+module By2
+  VERSION = "1.0.0"
+end

data/man/by2.1

@@ -0,0 +1,105 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "BY2" "1" "May 2014" "" ""
+.
+.SH "NAME"
+\fBby2\fR \- Client for Querying a Barnyard2 DB
+.
+.SH "SYNOPSIS"
+\fBby2 [\-CD] [\-i IP] [\-s SRC_IP] [\-d DST_IP] [\-l LIMIT] [\-t DATE] [\-m DUMP_STR]\fR
+.
+.SH "DESCRIPTION"
+\fBby2\fR is a simple command\-line tool for querying a barnyard2 database for packets that match the provided options\. By default, only records that have been create in the last 2 weeks will be returned\. See the below options for overriding this behaviour\.
+.
+.P
+Results are returned in the following format:
+.
+.IP "" 4
+.
+.nf
+
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+[Timestamp1] src_ip:src_port \-> dst_ip:dst_port
+
+PAYLOAD
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+[Timestamp2] src_ip:src_port \-> dst_ip:dst_port
+
+PAYLOAD
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+Record Count: <N>
+.
+.fi
+.
+.IP "" 0
+.
+.SH "OPTIONS"
+.
+.TP
+\fB\-C\fR
+Only print the number of records found\.
+.
+.TP
+\fB\-D\fR
+Print debugging information\.
+.
+.TP
+\fB\-d DST_IP\fR
+Find all records where the destination ip matches the provided ip\. You may optionally provide a port: DST_IP:DST_PORT\. This will find all records where the destination ip and destination port match the provided ip and port\.
+.
+.TP
+\fB\-i IP\fR
+Find all records where the source ip or the destination ip match the provided ip\. You may optionally provide a port: IP:PORT\. This will find all records where the source ip and source port or the destination ip and destination port match the provided ip and port\.
+.
+.TP
+\fB\-l LIMIT\fR
+Limits the number of records returned to be <= LIMIT\.
+.
+.TP
+\fB\-m DUMP_STR\fR
+Find all records that match the tokens in DUMP_STR\. DUMP_STR tokens are formatted like so "SRC_IP:SRC_PORT \-> DST_IP:DST_PORT"\.
+.
+.TP
+\fB\-t DATE\fR
+Find all records with a timestamp equal to DATE\. Expected format of DATE is yyyy\-mm\-dd\. You may pass in a range of dates by separating the start date from the end date with a ":" (START_DATE:END_DATE)\. You can also pass in START_DATE: with no end date to indicate that you want to find all records with a timestamp greater than or equal to START_DATE\. When matching on a date range, dates are inclusive\. If \-t option is not provided, a default range will be used: "2\.weeks\.ago:"
+.
+.TP
+\fB\-s SRC_IP\fR
+Find all records where the source ip matches the provided ip\. You may optionally provide a port: SRC_IP:SRC_PORT\. This will find all records where the source ip and source port match the provided ip and port\.
+.
+.SH "EXAMPLES"
+Finds all records where source ip or destination ip are equal to "128\.1\.1\.1"
+.
+.P
+$ by2 \-i 128\.1\.1\.1
+.
+.P
+Finds all records where source ip and port or destination ip and port a equal to "128\.1\.1\.1:80"
+.
+.P
+$ by2 \-i 128\.1\.1\.1:80
+.
+.P
+Finds all records where timestamp is equal to 2014\-02\-01
+.
+.P
+$ by2 \-d 2014\-02\-01
+.
+.P
+Finds all records where source ip is equal to 128\.1\.1\.1 and the timestamp is greater than or equal to 2014\-02\-01
+.
+.P
+$ by2 \-s 128\.1\.1\.1 \-d 2014\-02\-01:
+.
+.P
+Finds all records where source ip is equal to 128\.1\.1\.1 and the timestamp is between (inclusive) 2014\-02\-01 and 2014\-02\-01
+.
+.P
+$ by2 \-s 128\.1\.1\.1 \-d 2014\-02\-01:2014\-01\-01
+.
+.P
+Finds all records with ips/ports matching the dump string:
+.
+.P
+$ by2 \-m "128\.1\.1\.1:80 \-> 128\.0\.0\.1:443"

data/man/by2.1.ronn

@@ -0,0 +1,98 @@
+by2(1) -- Client for Querying a Barnyard2 DB
+============================================
+
+## SYNOPSIS
+
+`by2 [-CD] [-i IP] [-s SRC_IP] [-d DST_IP] [-l LIMIT] [-t DATE] [-m DUMP_STR]`
+
+## DESCRIPTION
+
+**by2** is a simple command-line tool for querying a barnyard2 database for packets
+that match the provided options.  By default, only records that have been create in
+the last 2 weeks will be returned.  See the below options for overriding this behaviour.
+
+Results are returned in the following format:
+
+    ----------------------------------------------
+    [Timestamp1] src_ip:src_port -> dst_ip:dst_port
+
+    PAYLOAD
+    ----------------------------------------------
+    [Timestamp2] src_ip:src_port -> dst_ip:dst_port
+
+    PAYLOAD
+    ----------------------------------------------
+    Record Count: <N>
+
+
+## OPTIONS
+
+* `-C`:
+  Only print the number of records found.
+
+* `-D`:
+  Print debugging information.
+
+* `-d DST_IP`:
+  Find all records where the destination ip matches the provided ip. You may optionally
+  provide a port: DST_IP:DST_PORT.  This will find all records where the destination ip
+  and destination port match the provided ip and port.
+
+* `-i IP`:
+  Find all records where the source ip or the destination ip match the provided ip.
+  You may optionally provide a port: IP:PORT.  This will find all records where the
+  source ip and source port or the destination ip and destination port match the
+  provided ip and port.
+
+* `-l LIMIT`:
+  Limits the number of records returned to be <= LIMIT.
+
+* `-m DUMP_STR`:
+  Find all records that match the tokens in DUMP_STR.  DUMP_STR tokens are formatted
+  like so "SRC_IP:SRC_PORT -> DST_IP:DST_PORT".
+
+* `-t DATE`:
+  Find all records with a timestamp equal to DATE.  Expected format of DATE is
+  yyyy-mm-dd. You may pass in a range of dates by separating the start date
+  from the end date with a ":" (START_DATE:END_DATE). You can also pass in
+  START_DATE: with no end date to indicate that you want to find all records
+  with a timestamp greater than or equal to START_DATE.  When matching on a date
+  range, dates are inclusive.  If -t option is not provided, a default range
+  will be used: "2.weeks.ago:"
+
+
+* `-s SRC_IP`:
+  Find all records where the source ip matches the provided ip. You may optionally
+  provide a port: SRC_IP:SRC_PORT.  This will find all records where the source ip
+  and source port match the provided ip and port.
+
+## EXAMPLES
+
+Finds all records where source ip or destination ip are equal to "128.1.1.1"
+
+ $ by2 -i 128.1.1.1
+
+Finds all records where source ip and port or destination ip and port a equal
+to "128.1.1.1:80"
+
+   $ by2 -i 128.1.1.1:80
+
+Finds all records where timestamp is equal to 2014-02-01
+
+   $ by2 -d 2014-02-01
+
+Finds all records where source ip is equal to 128.1.1.1 and the timestamp is
+greater than or equal to 2014-02-01
+
+   $ by2 -s 128.1.1.1 -d 2014-02-01:
+
+Finds all records where source ip is equal to 128.1.1.1 and the timestamp is
+between (inclusive) 2014-02-01 and 2014-02-01
+
+   $ by2 -s 128.1.1.1 -d 2014-02-01:2014-01-01
+
+
+Finds all records with ips/ports matching the dump string:
+
+   $ by2 -m "128.1.1.1:80 -> 128.0.0.1:443"
+

data/man/by2.1.txt

@@ -0,0 +1,107 @@
+BY2(1)									BY2(1)
+
+
+
+NAME
+       by2 - Client for Querying a Barnyard2 DB
+
+SYNOPSIS
+       by2  [-CD]  [-i	IP]  [-s  SRC_IP] [-d DST_IP] [-l LIMIT] [-t DATE] [-m
+       DUMP_STR]
+
+DESCRIPTION
+       by2 is a simple command-line tool for querying a barnyard2 database for
+       packets	that match the provided options. By default, only records that
+       have been create in the last 2 weeks will be returned.  See  the  below
+       options for overriding this behaviour.
+
+       Results are returned in the following format:
+
+
+
+	   ----------------------------------------------
+	   [Timestamp1] src_ip:src_port -> dst_ip:dst_port
+
+	   PAYLOAD
+	   ----------------------------------------------
+	   [Timestamp2] src_ip:src_port -> dst_ip:dst_port
+
+	   PAYLOAD
+	   ----------------------------------------------
+	   Record Count: <N>
+
+
+
+OPTIONS
+       -C     Only print the number of records found.
+
+       -D     Print debugging information.
+
+       -d DST_IP
+	      Find  all  records where the destination ip matches the provided
+	      ip. You may optionally provide  a  port:	DST_IP:DST_PORT.  This
+	      will  find  all records where the destination ip and destination
+	      port match the provided ip and port.
+
+       -i IP  Find all records where the source ip or the destination ip match
+	      the  provided  ip.  You  may optionally provide a port: IP:PORT.
+	      This will find all records where the source ip and  source  port
+	      or the destination ip and destination port match the provided ip
+	      and port.
+
+       -l LIMIT
+	      Limits the number of records returned to be <= LIMIT.
+
+       -m DUMP_STR
+	      Find all records that match the  tokens  in  DUMP_STR.  DUMP_STR
+	      tokens	are    formatted    like    so	 "SRC_IP:SRC_PORT   ->
+	      DST_IP:DST_PORT".
+
+       -t DATE
+	      Find all records with a timestamp equal to DATE. Expected format
+	      of DATE is yyyy-mm-dd. You may pass in a range of dates by sepa-
+	      rating  the  start  date	from  the  end	 date	with   a   ":"
+	      (START_DATE:END_DATE).  You can also pass in START_DATE: with no
+	      end date to indicate that you want to find all  records  with  a
+	      timestamp  greater than or equal to START_DATE. When matching on
+	      a date range, dates are inclusive. If -t option is not provided,
+	      a default range will be used: "2.weeks.ago:"
+
+       -s SRC_IP
+	      Find  all  records  where the source ip matches the provided ip.
+	      You may optionally provide a port:  SRC_IP:SRC_PORT.  This  will
+	      find  all  records where the source ip and source port match the
+	      provided ip and port.
+
+EXAMPLES
+       Finds all records where source  ip  or  destination  ip	are  equal  to
+       "128.1.1.1"
+
+       $ by2 -i 128.1.1.1
+
+       Finds all records where source ip and port or destination ip and port a
+       equal to "128.1.1.1:80"
+
+       $ by2 -i 128.1.1.1:80
+
+       Finds all records where timestamp is equal to 2014-02-01
+
+       $ by2 -d 2014-02-01
+
+       Finds all records where source ip is equal to 128.1.1.1 and  the  time-
+       stamp is greater than or equal to 2014-02-01
+
+       $ by2 -s 128.1.1.1 -d 2014-02-01:
+
+       Finds  all  records where source ip is equal to 128.1.1.1 and the time-
+       stamp is between (inclusive) 2014-02-01 and 2014-02-01
+
+       $ by2 -s 128.1.1.1 -d 2014-02-01:2014-01-01
+
+       Finds all records with ips/ports matching the dump string:
+
+       $ by2 -m "128.1.1.1:80 -> 128.0.0.1:443"
+
+
+
+				   May 2014				BY2(1)