by2 1.0.0

@@ -0,0 +1,30 @@
1
+ module By2
2
+ module Models
3
+ class Tcphdr < ActiveRecord::Base
4
+ self.table_name = 'tcphdr'
5
+ self.primary_keys = :sid, :cid
6
+
7
+ belongs_to :event, :foreign_key => [:sid, :cid]
8
+
9
+ def self.src_or_dst_port(port)
10
+ where("tcphdr.tcp_sport = ? or tcphdr.tcp_dport = ?", port, port)
11
+ end
12
+
13
+ def self.src_port(port)
14
+ where("tcphdr.tcp_sport = ?", port)
15
+ end
16
+
17
+ def self.dst_port(port)
18
+ where("tcphdr.tcp_dport = ?", port)
19
+ end
20
+
21
+ def dport
22
+ tcp_dport
23
+ end
24
+
25
+ def sport
26
+ tcp_sport
27
+ end
28
+ end
29
+ end
30
+ end
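Review bot: `src_port` and `dst_port` hand-write SQL fragments where a hash condition expresses the same lookup without any string SQL: `where(tcp_sport: port)` and `where(tcp_dport: port)`; the parameterised fragment in `src_or_dst_port` can stay as is, since it needs an OR. The `dport`/`sport` wrapper methods can be `alias_attribute :dport, :tcp_dport` and `alias_attribute :sport, :tcp_sport`, which defines the matching writer and predicate methods as well. The Udphdr hunk that follows has exactly the same shape and would take the same changes. A one-line class comment saying that `sid`/`cid` form the composite key shared with `event` (the `primary_keys` and `belongs_to` lines, presumably via the composite_primary_keys gem) would help readers who do not know the barnyard2 schema.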
@@ -0,0 +1,30 @@
1
+ module By2
2
+ module Models
3
+ class Udphdr < ActiveRecord::Base
4
+ self.table_name = 'udphdr'
5
+ self.primary_keys = :sid, :cid
6
+
7
+ belongs_to :event, :foreign_key => [:sid, :cid]
8
+
9
+ def self.src_or_dst_port(port)
10
+ where("udphdr.udp_sport = ? or udphdr.udp_dport = ?", port, port)
11
+ end
12
+
13
+ def self.src_port(port)
14
+ where("udphdr.udp_sport = ?", port)
15
+ end
16
+
17
+ def self.dst_port(port)
18
+ where("udphdr.udp_dport = ?", port)
19
+ end
20
+
21
+ def dport
22
+ udp_dport
23
+ end
24
+
25
+ def sport
26
+ udp_sport
27
+ end
28
+ end
29
+ end
30
+ end
@@ -0,0 +1,77 @@
1
+ module By2
2
+ class Options
3
+ OptionsError = Class.new(RuntimeError)
4
+
5
+ def self.parse(argv)
6
+ options = { start_date: 2.weeks.ago }
7
+ req_options = {}
8
+
9
+ opts = OptionParser.new do |x|
10
+ x.banner = "Usage: by2 [options]"
11
+
12
+ x.separator ""
13
+ x.separator "Required options (at least one is required):"
14
+
15
+ x.on("-i IP", String, "source or destination ip w/optional port") do |ip|
16
+ req_options[:ip], req_options[:port] = ip.split(":")
17
+ end
18
+
19
+ x.on("-s SRC_IP", String, "source ip w/optional port") do |ip|
20
+ req_options[:src_ip], req_options[:src_port] = ip.split(":")
21
+ end
22
+
23
+ x.on("-d DST_IP", String, "destination ip w/optional port") do |ip|
24
+ req_options[:dst_ip], req_options[:dst_port] = ip.split(":")
25
+ end
26
+
27
+ x.on("-m DUMP_STR", String, "dump string: \"src_ip:src_port -> dst_ip:dst_port\"") do |ips|
28
+ src_ip, dst_ip = ips.split("->")
29
+ req_options[:src_ip], req_options[:src_port] = src_ip.strip.split(":")
30
+ req_options[:dst_ip], req_options[:dst_port] = dst_ip.strip.split(":")
31
+ end
32
+
33
+ x.on("-t DATE", String, "date (yyyy-mm-dd)") do |date|
34
+ if date.include?(":")
35
+ req_options[:start_date], req_options[:end_date] = date.split(":")
36
+ else
37
+ req_options[:date] = date
38
+ options.delete(:start_date)
39
+ end
40
+ end
41
+
42
+
43
+ x.separator ""
44
+ x.separator "Additional options:"
45
+
46
+ x.on("-l LIMIT", Integer, "limit number of returned records") do |l|
47
+ options[:limit] = l
48
+ end
49
+
50
+ x.on("-D", TrueClass, "debug flag") do
51
+ options[:debug] = true
52
+ end
53
+
54
+ x.on("-C", TrueClass, "only print number of records found") do
55
+ options[:count] = true
56
+ end
57
+
58
+ x.on("-h", "Show this message") do
59
+ $stdout.puts(opts); exit
60
+ end
61
+
62
+ x.on("-H", "Show man page") do
63
+ $stdout.puts(File.read("#{::By2.root}/man/by2.1.txt")); exit
64
+ end
65
+ end
66
+
67
+ opts.parse!(argv)
68
+
69
+ raise OptionsError if req_options.empty?
70
+
71
+ options.merge(req_options)
72
+ rescue OptionParser::ParseError, OptionsError => err
73
+ raise OptionsError.new(opts) if err.is_a?(OptionsError)
74
+ raise OptionsError.new(err)
75
+ end
76
+ end
77
+ end
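Review bot: The `-m DUMP_STR` handler crashes with a NoMethodError instead of printing usage when the argument has no `->` separator: `ips.split("->")` then yields a single element, `dst_ip` is nil, and `dst_ip.strip` raises an exception that the `rescue OptionParser::ParseError, OptionsError` clause at the end of `parse` does not catch. Raising the option error explicitly lets the existing rescue turn it into the usage message: `src_ip, dst_ip = ips.split("->", 2)` followed by `raise OptionsError, "DUMP_STR must look like \"src_ip:src_port -> dst_ip:dst_port\"" unless src_ip && dst_ip`. The `-i`, `-s` and `-d` handlers have a milder form of the same problem, in that `ip.split(":")` silently discards anything after a second colon, so a malformed value is accepted rather than rejected. The rescue also drops the original message when it re-raises `OptionsError.new(opts)`, which makes a bad `-l` value or unknown switch indistinguishable from "no required option given"; keeping `err.message` in the debug output would help.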
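--- a/data/lib/by2/utils.rb
+++ b/data/lib/by2/utils.rb
@@ -0,0 +1,22 @@
+require 'ipaddr'
+
+
+module By2
+module Utils
+def self.int32_to_ip(int32)
+IPAddr.new(int32, Socket::AF_INET).to_s
+end
+
+def self.ip_to_int32(ip)
+IPAddr.new(ip).to_i
+end
+
+def self.hex_to_ascii(hex)
+[hex].pack("H*")
+end
+
+def self.fdate(date)
+date.strftime("%Y-%m-%d")
+end
+end
+end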
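Review bot: `hex_to_ascii` returns whatever bytes the hex string encodes (`pack("H*")` yields a binary, ASCII-8BIT string), so despite its name the result is not guaranteed to be printable; if this is what feeds the PAYLOAD display, a captured payload can carry terminal control sequences straight to the operator's terminal, so the print site should escape non-printables (for example via `String#dump`, or a `gsub` that strips control characters). `ip_to_int32` accepts any syntax `IPAddr` understands, including IPv6 and CIDR masks, so it can return an integer that does not fit the 32-bit column its name and `int32_to_ip` (which is pinned to `Socket::AF_INET`) assume; `IPAddr.new(ip, Socket::AF_INET).to_i` makes the pair symmetric and rejects IPv6 input with an IPAddr error the caller can report. A short YARD comment on each helper would document these contracts, e.g. `# @return [String] binary (ASCII-8BIT) bytes decoded from +hex+; may contain non-printable characters`.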
@@ -0,0 +1,3 @@
1
+ module By2
2
+ VERSION = "1.0.0"
3
+ end
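--- a/data/man/by2.1
+++ b/data/man/by2.1
@@ -0,0 +1,105 @@
+.\" generated with Ronn/v0.7.3
+.\" http://github.com/rtomayko/ronn/tree/0.7.3
+.
+.TH "BY2" "1" "May 2014" "" ""
+.
+.SH "NAME"
+\fBby2\fR \- Client for Querying a Barnyard2 DB
+.
+.SH "SYNOPSIS"
+\fBby2 [\-CD] [\-i IP] [\-s SRC_IP] [\-d DST_IP] [\-l LIMIT] [\-t DATE] [\-m DUMP_STR]\fR
+.
+.SH "DESCRIPTION"
+\fBby2\fR is a simple command\-line tool for querying a barnyard2 database for packets that match the provided options\. By default, only records that have been create in the last 2 weeks will be returned\. See the below options for overriding this behaviour\.
+.
+.P
+Results are returned in the following format:
+.
+.IP "" 4
+.
+.nf
+
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+[Timestamp1] src_ip:src_port \-> dst_ip:dst_port
+
+PAYLOAD
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+[Timestamp2] src_ip:src_port \-> dst_ip:dst_port
+
+PAYLOAD
+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-
+Record Count: <N>
+.
+.fi
+.
+.IP "" 0
+.
+.SH "OPTIONS"
+.
+.TP
+\fB\-C\fR
+Only print the number of records found\.
+.
+.TP
+\fB\-D\fR
+Print debugging information\.
+.
+.TP
+\fB\-d DST_IP\fR
+Find all records where the destination ip matches the provided ip\. You may optionally provide a port: DST_IP:DST_PORT\. This will find all records where the destination ip and destination port match the provided ip and port\.
+.
+.TP
+\fB\-i IP\fR
+Find all records where the source ip or the destination ip match the provided ip\. You may optionally provide a port: IP:PORT\. This will find all records where the source ip and source port or the destination ip and destination port match the provided ip and port\.
+.
+.TP
+\fB\-l LIMIT\fR
+Limits the number of records returned to be <= LIMIT\.
+.
+.TP
+\fB\-m DUMP_STR\fR
+Find all records that match the tokens in DUMP_STR\. DUMP_STR tokens are formatted like so "SRC_IP:SRC_PORT \-> DST_IP:DST_PORT"\.
+.
+.TP
+\fB\-t DATE\fR
+Find all records with a timestamp equal to DATE\. Expected format of DATE is yyyy\-mm\-dd\. You may pass in a range of dates by separating the start date from the end date with a ":" (START_DATE:END_DATE)\. You can also pass in START_DATE: with no end date to indicate that you want to find all records with a timestamp greater than or equal to START_DATE\. When matching on a date range, dates are inclusive\. If \-t option is not provided, a default range will be used: "2\.weeks\.ago:"
+.
+.TP
+\fB\-s SRC_IP\fR
+Find all records where the source ip matches the provided ip\. You may optionally provide a port: SRC_IP:SRC_PORT\. This will find all records where the source ip and source port match the provided ip and port\.
+.
+.SH "EXAMPLES"
+Finds all records where source ip or destination ip are equal to "128\.1\.1\.1"
+.
+.P
+$ by2 \-i 128\.1\.1\.1
+.
+.P
+Finds all records where source ip and port or destination ip and port a equal to "128\.1\.1\.1:80"
+.
+.P
+$ by2 \-i 128\.1\.1\.1:80
+.
+.P
+Finds all records where timestamp is equal to 2014\-02\-01
+.
+.P
+$ by2 \-d 2014\-02\-01
+.
+.P
+Finds all records where source ip is equal to 128\.1\.1\.1 and the timestamp is greater than or equal to 2014\-02\-01
+.
+.P
+$ by2 \-s 128\.1\.1\.1 \-d 2014\-02\-01:
+.
+.P
+Finds all records where source ip is equal to 128\.1\.1\.1 and the timestamp is between (inclusive) 2014\-02\-01 and 2014\-02\-01
+.
+.P
+$ by2 \-s 128\.1\.1\.1 \-d 2014\-02\-01:2014\-01\-01
+.
+.P
+Finds all records with ips/ports matching the dump string:
+.
+.P
+$ by2 \-m "128\.1\.1\.1:80 \-> 128\.0\.0\.1:443"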
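--- a/data/man/by2.1.ronn
+++ b/data/man/by2.1.ronn
@@ -0,0 +1,98 @@
+by2(1) -- Client for Querying a Barnyard2 DB
+============================================
+
+## SYNOPSIS
+
+`by2 [-CD] [-i IP] [-s SRC_IP] [-d DST_IP] [-l LIMIT] [-t DATE] [-m DUMP_STR]`
+
+## DESCRIPTION
+
+**by2** is a simple command-line tool for querying a barnyard2 database for packets
+that match the provided options. By default, only records that have been create in
+the last 2 weeks will be returned. See the below options for overriding this behaviour.
+
+Results are returned in the following format:
+
+----------------------------------------------
+[Timestamp1] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+[Timestamp2] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+Record Count: <N>
+
+
+## OPTIONS
+
+* `-C`:
+Only print the number of records found.
+
+* `-D`:
+Print debugging information.
+
+* `-d DST_IP`:
+Find all records where the destination ip matches the provided ip. You may optionally
+provide a port: DST_IP:DST_PORT. This will find all records where the destination ip
+and destination port match the provided ip and port.
+
+* `-i IP`:
+Find all records where the source ip or the destination ip match the provided ip.
+You may optionally provide a port: IP:PORT. This will find all records where the
+source ip and source port or the destination ip and destination port match the
+provided ip and port.
+
+* `-l LIMIT`:
+Limits the number of records returned to be <= LIMIT.
+
+* `-m DUMP_STR`:
+Find all records that match the tokens in DUMP_STR. DUMP_STR tokens are formatted
+like so "SRC_IP:SRC_PORT -> DST_IP:DST_PORT".
+
+* `-t DATE`:
+Find all records with a timestamp equal to DATE. Expected format of DATE is
+yyyy-mm-dd. You may pass in a range of dates by separating the start date
+from the end date with a ":" (START_DATE:END_DATE). You can also pass in
+START_DATE: with no end date to indicate that you want to find all records
+with a timestamp greater than or equal to START_DATE. When matching on a date
+range, dates are inclusive. If -t option is not provided, a default range
+will be used: "2.weeks.ago:"
+
+
+* `-s SRC_IP`:
+Find all records where the source ip matches the provided ip. You may optionally
+provide a port: SRC_IP:SRC_PORT. This will find all records where the source ip
+and source port match the provided ip and port.
+
+## EXAMPLES
+
+Finds all records where source ip or destination ip are equal to "128.1.1.1"
+
+$ by2 -i 128.1.1.1
+
+Finds all records where source ip and port or destination ip and port a equal
+to "128.1.1.1:80"
+
+$ by2 -i 128.1.1.1:80
+
+Finds all records where timestamp is equal to 2014-02-01
+
+$ by2 -d 2014-02-01
+
+Finds all records where source ip is equal to 128.1.1.1 and the timestamp is
+greater than or equal to 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:
+
+Finds all records where source ip is equal to 128.1.1.1 and the timestamp is
+between (inclusive) 2014-02-01 and 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:2014-01-01
+
+
+Finds all records with ips/ports matching the dump string:
+
+$ by2 -m "128.1.1.1:80 -> 128.0.0.1:443"
+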
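--- a/data/man/by2.1.txt
+++ b/data/man/by2.1.txt
@@ -0,0 +1,107 @@
+BY2(1) BY2(1)
+
+
+
+NAME
+by2 - Client for Querying a Barnyard2 DB
+
+SYNOPSIS
+by2 [-CD] [-i IP] [-s SRC_IP] [-d DST_IP] [-l LIMIT] [-t DATE] [-m
+DUMP_STR]
+
+DESCRIPTION
+by2 is a simple command-line tool for querying a barnyard2 database for
+packets that match the provided options. By default, only records that
+have been create in the last 2 weeks will be returned. See the below
+options for overriding this behaviour.
+
+Results are returned in the following format:
+
+
+
+----------------------------------------------
+[Timestamp1] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+[Timestamp2] src_ip:src_port -> dst_ip:dst_port
+
+PAYLOAD
+----------------------------------------------
+Record Count: <N>
+
+
+
+OPTIONS
+-C Only print the number of records found.
+
+-D Print debugging information.
+
+-d DST_IP
+Find all records where the destination ip matches the provided
+ip. You may optionally provide a port: DST_IP:DST_PORT. This
+will find all records where the destination ip and destination
+port match the provided ip and port.
+
+-i IP Find all records where the source ip or the destination ip match
+the provided ip. You may optionally provide a port: IP:PORT.
+This will find all records where the source ip and source port
+or the destination ip and destination port match the provided ip
+and port.
+
+-l LIMIT
+Limits the number of records returned to be <= LIMIT.
+
+-m DUMP_STR
+Find all records that match the tokens in DUMP_STR. DUMP_STR
+tokens are formatted like so "SRC_IP:SRC_PORT ->
+DST_IP:DST_PORT".
+
+-t DATE
+Find all records with a timestamp equal to DATE. Expected format
+of DATE is yyyy-mm-dd. You may pass in a range of dates by sepa-
+rating the start date from the end date with a ":"
+(START_DATE:END_DATE). You can also pass in START_DATE: with no
+end date to indicate that you want to find all records with a
+timestamp greater than or equal to START_DATE. When matching on
+a date range, dates are inclusive. If -t option is not provided,
+a default range will be used: "2.weeks.ago:"
+
+-s SRC_IP
+Find all records where the source ip matches the provided ip.
+You may optionally provide a port: SRC_IP:SRC_PORT. This will
+find all records where the source ip and source port match the
+provided ip and port.
+
+EXAMPLES
+Finds all records where source ip or destination ip are equal to
+"128.1.1.1"
+
+$ by2 -i 128.1.1.1
+
+Finds all records where source ip and port or destination ip and port a
+equal to "128.1.1.1:80"
+
+$ by2 -i 128.1.1.1:80
+
+Finds all records where timestamp is equal to 2014-02-01
+
+$ by2 -d 2014-02-01
+
+Finds all records where source ip is equal to 128.1.1.1 and the time-
+stamp is greater than or equal to 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:
+
+Finds all records where source ip is equal to 128.1.1.1 and the time-
+stamp is between (inclusive) 2014-02-01 and 2014-02-01
+
+$ by2 -s 128.1.1.1 -d 2014-02-01:2014-01-01
+
+Finds all records with ips/ports matching the dump string:
+
+$ by2 -m "128.1.1.1:80 -> 128.0.0.1:443"
+
+
+
+May 2014 BY2(1)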