by2 1.0.0

data/spec/by2/client_spec.rb

@@ -0,0 +1,157 @@
+require_relative "../spec_helper"
+
+
+describe By2::Client do
+  context("finding records by src or dst ip") do
+    it "finds entries that match src ip" do
+      records = By2::Client.new(["-i", "0.0.0.1"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_src.should eql("0.0.0.1")
+    end
+
+    it "finds entries that match src ip and src port" do
+      records = By2::Client.new(["-i", "0.0.0.1:80"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_src.should eql("0.0.0.1")
+      records.first.sport.should eql(80)
+    end
+
+    it "finds entries that match dst ip" do
+      records = By2::Client.new(["-i", "0.0.0.4"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_dst.should eql("0.0.0.4")
+    end
+
+    it "finds entries that match dst ip and dst port" do
+      records = By2::Client.new(["-i", "0.0.0.4:85"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_dst.should eql("0.0.0.4")
+      records.first.dport.should eql(85)
+    end
+
+    it "finds entries that match dst or src ip" do
+      records = By2::Client.new(["-i", "0.0.0.2"]).find_records
+
+      records.count.should eql(2)
+      records.all? do |r|
+        ((r.ip_dst.eql?("0.0.0.2")) || (r.ip_src.eql?("0.0.0.2"))).should be_true
+      end
+    end
+
+    it "finds entries that match dst ip and port or src ip and port" do
+      records = By2::Client.new(["-i", "0.0.0.2:82"]).find_records
+      records.count.should eql(1)
+      records.first.sport.should eql(82)
+
+      records = By2::Client.new(["-i", "0.0.0.2:81"]).find_records
+      records.count.should eql(1)
+      records.first.dport.should eql(81)
+    end
+  end
+
+  context("finding records by src and dst ip") do
+    it "finds entries that match src ip" do
+      records = By2::Client.new(["-s", "0.0.0.1"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_src.should eql("0.0.0.1")
+    end
+
+    it "finds entries that match src ip and src port" do
+      records = By2::Client.new(["-s", "0.0.0.1:80"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_src.should eql("0.0.0.1")
+      records.first.sport.should eql(80)
+    end
+
+    it "finds entries that match dst ip" do
+      records = By2::Client.new(["-d", "0.0.0.2"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_dst.should eql("0.0.0.2")
+    end
+
+    it "finds entries that match dst ip and dst port" do
+      records = By2::Client.new(["-d", "0.0.0.2:81"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_dst.should eql("0.0.0.2")
+      records.first.dport.should eql(81)
+    end
+
+    it "finds entries that match src ip and dst ip" do
+      records = By2::Client.new(["-s", "0.0.0.1", "-d", "0.0.0.2"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_src.should eql("0.0.0.1")
+      records.first.ip_dst.should eql("0.0.0.2")
+    end
+
+    it "finds entries that match src ip/port and dst ip/port" do
+      records = By2::Client.new(["-s", "0.0.0.1:80", "-d", "0.0.0.2:81"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_src.should eql("0.0.0.1")
+      records.first.ip_dst.should eql("0.0.0.2")
+      records.first.sport.should eql(80)
+      records.first.dport.should eql(81)
+    end
+  end
+
+  context("by2 -n SRC_IP:SRC_PORT -> DST_IP:DST_PORT") do
+    it "finds entries that match src ip/port and dst ip/port" do
+      records = By2::Client.new(["-m", "0.0.0.1:80 -> 0.0.0.2:81"]).find_records
+
+      records.count.should eql(1)
+      records.first.ip_src.should eql("0.0.0.1")
+      records.first.ip_dst.should eql("0.0.0.2")
+      records.first.sport.should eql(80)
+      records.first.dport.should eql(81)
+    end
+  end
+
+  context("finding records by date") do
+    it "finds on specific day" do
+      today = By2::Utils.fdate(Date.today)
+
+      records = By2::Client.new(["-t", "#{today}"]).find_records
+      records.count.should eql(1)
+    end
+
+    it "finds on and after specific date" do
+      four_days_ago = By2::Utils.fdate(4.days.ago)
+
+      records = By2::Client.new(["-t", "#{four_days_ago}:"]).find_records
+      records.count.should eql(3)
+    end
+
+    it "finds within date range" do
+      today = By2::Utils.fdate(Date.today)
+      four_days_ago = By2::Utils.fdate(4.days.ago)
+
+      records = By2::Client.new(["-t", "#{four_days_ago}:#{today}"]).find_records
+      records.count.should eql(3)
+    end
+  end
+
+  context("finding records with combined options") do
+    it "finds src or dst ip within date range" do
+      four_days_ago = By2::Utils.fdate(4.days.ago)
+
+      records = By2::Client.new(["-i", "0.0.0.3", "-t", "#{four_days_ago}:"]).find_records
+      records.count.should eql(2)
+    end
+
+    it "finds src or dst ip/port within date range" do
+      four_days_ago = By2::Utils.fdate(4.days.ago)
+
+      records = By2::Client.new(["-i", "0.0.0.3:82", "-t", "#{four_days_ago}:"]).find_records
+      records.count.should eql(1)
+    end
+  end
+end

data/spec/by2/models/event_spec.rb

@@ -0,0 +1,14 @@
+require_relative "../../spec_helper"
+
+
+describe By2::Models::Event do
+  let(:event) { By2::Models::Event.find(1,1) }
+
+  it "knows its #ip_src" do
+    event.ip_src.should eql("0.0.0.1")
+  end
+
+  it "knows its #ip_dst" do
+    event.ip_dst.should eql("0.0.0.2")
+  end
+end

data/spec/by2/options_spec.rb

@@ -0,0 +1,107 @@
+require_relative "../spec_helper"
+
+
+describe By2::Options do
+  context("by2") do
+    it "outputs help options" do
+      pending
+    end
+  end
+
+  context("by2 -i IP") do
+    it "parses ip option" do
+      options = By2::Options.parse(["-i", "128.32.72.190"])
+      options[:ip].should eql("128.32.72.190")
+    end
+  end
+
+  context("by2 -s SRC_IP -d DST_IP") do
+    it "parses src_ip" do
+      options = By2::Options.parse(["-s", "128.32.72.190"])
+      options[:src_ip].should eql("128.32.72.190")
+    end
+
+    it "parses dst_ip" do
+      options = By2::Options.parse(["-d", "128.32.72.190"])
+      options[:dst_ip].should eql("128.32.72.190")
+    end
+
+    it "parses src and dst ips" do
+      options = By2::Options.parse(["-d", "128.32.72.191", "-s", "128.32.72.190"])
+
+      options[:src_ip].should eql("128.32.72.190")
+      options[:dst_ip].should eql("128.32.72.191")
+    end
+  end
+
+  context("by2 -s SRC_IP:SRC_PORT -d DST_IP:DST_PORT") do
+    it "ip parses src_ip with port" do
+      options = By2::Options.parse(["-s", "128.32.72.190:80"])
+
+      options[:src_ip].should eql("128.32.72.190")
+      options[:src_port].should eql("80")
+    end
+
+    it "ip parses dst_ip with port" do
+      options = By2::Options.parse(["-d", "128.32.72.190:80"])
+
+      options[:dst_ip].should eql("128.32.72.190")
+      options[:dst_port].should eql("80")
+    end
+
+    it "ip parses src and dst ips with port" do
+      options = By2::Options.parse(["-s", "128.32.72.190:80", "-d", "128.32.72.191:81"])
+
+      options[:src_ip].should eql("128.32.72.190")
+      options[:src_port].should eql("80")
+      options[:dst_ip].should eql("128.32.72.191")
+      options[:dst_port].should eql("81")
+    end
+  end
+
+  context("by2 -m SRC_IP -> DST_IP") do
+    it "parses src and dst ips in -> format" do
+      options = By2::Options.parse(["-m", "128.32.72.190 -> 128.32.72.191"])
+
+      options[:src_ip].should eql("128.32.72.190")
+      options[:dst_ip].should eql("128.32.72.191")
+      options[:src_port].should be_nil
+      options[:dst_port].should be_nil
+    end
+  end
+
+  context("by2 -m SRC_IP:SRC_PORT -> DST_IP:DST_PORT") do
+    it "parses src and dst ips and ports in -> format" do
+      options = By2::Options.parse(["-m", "128.32.72.190:80 -> 128.32.72.191:81"])
+
+      options[:src_ip].should eql("128.32.72.190")
+      options[:src_port].should eql("80")
+      options[:dst_ip].should eql("128.32.72.191")
+      options[:dst_port].should eql("81")
+    end
+  end
+
+  context("by2 -t DATE") do
+    it "parses date" do
+      options = By2::Options.parse(["-t", "2014-02-01"])
+      options[:date].should eql("2014-02-01")
+
+      options[:start_date].should be_nil
+      options[:end_date].should be_nil
+    end
+  end
+
+  context("by2 -t START_DATE:END_DATE") do
+    it "parses date with a range" do
+      options = By2::Options.parse(["-t", "2014-02-01:"])
+      options[:start_date].should eql("2014-02-01")
+      options[:end_date].should be_nil
+      options[:date].should be_nil
+
+      options = By2::Options.parse(["-t", "2014-02-01:2014-02-07"])
+      options[:start_date].should eql("2014-02-01")
+      options[:end_date].should eql("2014-02-07")
+      options[:date].should be_nil
+    end
+  end
+end

data/spec/by2/utils_spec.rb

@@ -0,0 +1,19 @@
+require_relative "../spec_helper"
+
+
+describe By2::Utils do
+  it "converts an integer to an ip for .int32_to_ip(int32)" do
+    By2::Utils.int32_to_ip(2147615233).should eql("128.2.2.1")
+    By2::Utils.int32_to_ip(2).should eql("0.0.0.2")
+  end
+
+  it "converts an ip to an integer for .ip_to_int32(ip)" do
+    By2::Utils.ip_to_int32("128.2.2.1").should eql(2147615233)
+    By2::Utils.ip_to_int32("0.0.0.2").should eql(2)
+  end
+
+  it "converts hex to ascii text for .hex_to_ascii(hex)" do
+    hex = "4c6f6f6b206d6f6d2c206e6f2068616e6473"
+    By2::Utils.hex_to_ascii(hex).should eql("Look mom, no hands")
+  end
+end

data/spec/fixtures/data.yml

@@ -0,0 +1,19 @@
+payload1:
+  sid: 1
+  cid: 1
+  data_payload: 48454144202F20485454502F312E310D0A557365722D4167656E743A204A6176612F312E372E305F32310D0A486F73743A206177732E616D617A6F6E2E636F6D0D0A4163636570743A20746578742F68746D6C2C20696D6167652F6769662C20696D6167652F6A7065672C202A3B20713D2E322C202A2F2A3B20713D2E320D0A5669613A20312E31206C6F63616C686F7374202873717569642F332E312E3134290D0A582D466F727761726465642D466F723A203132372E302E302E310D0A43616368652D436F6E74726F6C3A206D61782D6167653D3235393230300D0A436F6E6E656374696F6E3A206B6565702D616C6976650D0A0D0A
+
+payload2:
+  sid: 1
+  cid: 2
+  data_payload: 474554202F7469636B65723F6D6F64653D6865617274626561742669643D303030393646414234303438266865696768743D323426747A3D2D3432302672657169643D3133383233383736383336343420485454502F312E310D0A557365722D4167656E743A204A6176612F312E372E305F32310D0A486F73743A20726973657469636B65722E61707073706F742E636F6D0D0A4163636570743A20746578742F68746D6C2C20696D6167652F6769662C20696D6167652F6A7065672C202A3B20713D2E322C202A2F2A3B20713D2E320D0A436F6E6E656374696F6E3A206B6565702D616C6976650D0A0D0A
+
+payload3:
+  sid: 1
+  cid: 3
+  data_payload: 48454144202F20485454502F312E310D0A557365722D4167656E743A204A6176612F312E372E305F32310D0A486F73743A206177732E616D617A6F6E2E636F6D0D0A4163636570743A20746578742F68746D6C2C20696D6167652F6769662C20696D6167652F6A7065672C202A3B20713D2E322C202A2F2A3B20713D2E320D0A5669613A20312E31206C6F63616C686F7374202873717569642F332E312E3134290D0A582D466F727761726465642D466F723A203132372E302E302E310D0A43616368652D436F6E74726F6C3A206D61782D6167653D3235393230300D0A436F6E6E656374696F6E3A206B6565702D616C6976650D0A0D0A
+
+payload4:
+  sid: 1
+  cid: 4
+  data_payload: 474554202F7469636B65723F6D6F64653D6865617274626561742669643D303030393646414234303438266865696768743D323426747A3D2D3432302672657169643D3133383233383736383336343420485454502F312E310D0A557365722D4167656E743A204A6176612F312E372E305F32310D0A486F73743A20726973657469636B65722E61707073706F742E636F6D0D0A4163636570743A20746578742F68746D6C2C20696D6167652F6769662C20696D6167652F6A7065672C202A3B20713D2E322C202A2F2A3B20713D2E320D0A436F6E6E656374696F6E3A206B6565702D616C6976650D0A0D0A

data/spec/fixtures/event.yml

@@ -0,0 +1,36 @@
+event1_tcp:
+  sid: 1
+  cid: 1
+  signature: 493
+  timestamp: <%= Time.now.strftime("%Y-%m-%d") %>
+
+event2_tcp:
+  sid: 1
+  cid: 2
+  signature: 493
+  timestamp: <%= 2.days.ago %>
+
+event3_tcp:
+  sid: 1
+  cid: 3
+  signature: 493
+  timestamp: <%= 4.days.ago %>
+
+event4_tcp:
+  sid: 1
+  cid: 4
+  signature: 493
+  timestamp: <%= 6.days.ago %>
+
+event5_icmp:
+  sid: 1
+  cid: 5
+  signature: 493
+  timestamp: <%= 8.days.ago %>
+
+event6_udp:
+  sid: 1
+  cid: 6
+  signature: 494
+  timestamp: <%= 8.days.ago %>
+

data/spec/fixtures/icmphdr.yml

@@ -0,0 +1,7 @@
+icmp5:
+  sid: 1
+  cid: 5
+  icmp_type: 1
+  icmp_code: 1
+  icmp_id: 1
+  icmp_seq: 1

data/spec/fixtures/iphdr.yml

@@ -0,0 +1,108 @@
+# ip_src: 0.0.0.1
+# ip_dst: 0.0.0.2
+iphdr1:
+  sid: 1
+  cid: 1
+  ip_src: 1
+  ip_dst: 2
+  ip_ver: 4
+  ip_hlen: 5
+  ip_tos: 0
+  ip_len: 288
+  ip_id: 41846
+  ip_flags: 0
+  ip_off: 0
+  ip_ttl: 62
+  ip_proto: 6
+  ip_csum: 47934
+
+# ip_src: 0.0.0.2
+# ip_dst: 0.0.0.3
+iphdr2:
+  sid: 1
+  cid: 2
+  ip_src: 2
+  ip_dst: 3
+  ip_ver: 4
+  ip_hlen: 5
+  ip_tos: 0
+  ip_len: 288
+  ip_id: 50886
+  ip_flags: 0
+  ip_off: 0
+  ip_ttl: 62
+  ip_proto: 6
+  ip_csum: 17705
+
+
+# ip_src: 0.0.0.3
+# ip_dst: 0.0.0.4
+iphdr3:
+  sid: 1
+  cid: 3
+  ip_src: 3
+  ip_dst: 4
+  ip_ver: 4
+  ip_hlen: 5
+  ip_tos: 0
+  ip_len: 288
+  ip_id: 41856
+  ip_flags: 0
+  ip_off: 0
+  ip_ttl: 62
+  ip_proto: 6
+  ip_csum: 47924
+
+# ip_src: 0.0.0.5
+# ip_dst: 0.0.0.6
+iphdr4:
+  sid: 1
+  cid: 4
+  ip_src: 5
+  ip_dst: 6
+  ip_ver: 4
+  ip_hlen: 5
+  ip_tos: 0
+  ip_len: 288
+  ip_id: 959
+  ip_flags: 0
+  ip_off: 0
+  ip_ttl: 62
+  ip_proto: 6
+  ip_csum: 2097
+
+# ip_src: 0.0.0.6
+# ip_dst: 0.0.0.7
+iphdr5:
+  sid: 1
+  cid: 5
+  ip_src: 6
+  ip_dst: 7
+  ip_ver: 4
+  ip_hlen: 5
+  ip_tos: 0
+  ip_len: 223
+  ip_id: 29257
+  ip_flags: 0
+  ip_off: 0
+  ip_ttl: 62
+  ip_proto: 6
+  ip_csum: 25578
+
+# ip_src: 0.0.0.7
+# ip_dst: 0.0.0.8
+iphdr6:
+  sid: 1
+  cid: 6
+  ip_src: 7
+  ip_dst: 8
+  ip_ver: 4
+  ip_hlen: 5
+  ip_tos: 0
+  ip_len: 223
+  ip_id: 29257
+  ip_flags: 0
+  ip_off: 0
+  ip_ttl: 62
+  ip_proto: 6
+  ip_csum: 25578