by2 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 7c5fe1f382eae68da92360236ee9a8d7884c963f
+  data.tar.gz: 8f22f2a626782a418952ebc915b529d086ea1af4
+SHA512:
+  metadata.gz: 1eaa0643dbf1c7f5eaffbe52fc22c0703cbd5a8a84593a384ece71b00296aa89aa02de2e55abb83345ffff19f0e06feaa1ded33d7946f272e08dac98cb31dd3b
+  data.tar.gz: b7b5a013889d4ae2664d2a596063f9f40042eff50970d98f3f0d37f0f3d13828a030d536692ea9c9f1d5d2c2d1d1577c4989e63dc64155f4f0b7850106384e81

data/.gitignore

@@ -0,0 +1,20 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+*.idea
+*.iml
+config/*.yml

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in by2.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 sahglie
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,50 @@
+# By2
+
+Commandline tool for querying a barnyard2 database.
+
+## Installation
+
+    gem install by2
+
+## Configuration
+
+    mkdir $HOME/.by2
+    touch $HOME/.by2/database.yml
+    touch $HOME/.by2/env.yml
+
+Place database credentials in database.yml.  You can have multiple database environments
+configured in database.yml.  By default, by2 will try to use the "development" environment.
+It is recommended that you set the environment you want to use in *env.yml*.  For example,
+if env.yml contains the string "production", then by2 will use the production database
+creds in database.yml.  You can also set the environment variable BY2_ENV=<environment>
+(which takes precedence over env.yml) to select the database environment.
+
+## Usage
+
+    by2 -h # shows basic usage
+    by2 -H # shows man page
+    by2 -m "128.0.0.1:80 -> 128.0.0.2:81" # query database from dump string
+
+## Development
+
+### Dependencies
+
+  You should have a local install of postgres.
+
+### Setup
+ * Check out the code: `git clone git@donjulio.security.berkeley.edu:by2.git`
+
+ * Create databases: execute ddl in config/setup.sql
+
+ * Copy config/database.yml.example to config/database.yml and set the credentials
+   appropriately.
+
+ * Run db Migrations:
+   `rake db:migrate BY2_ENV=development`
+   `rake db:migrate BY2_ENV=test`
+
+ * Populate your local db with fixture data:
+   `BY2_ENV=development rake db:fixtures:load`
+   `BY2_ENV=test rake db:fixtures:load`
+
+ * Run tests: `rake spec`

data/Rakefile

@@ -0,0 +1,98 @@
+require "./lib/by2"
+require "bundler/gem_tasks"
+require 'ronn'
+require "rails/generators"
+load "active_record/railties/databases.rake"
+require 'rspec/core/rake_task'
+
+module Rails
+  def self.root; By2.root end
+end
+
+include ActiveRecord::Tasks
+
+DatabaseTasks.db_dir = "#{By2.root}/db"
+DatabaseTasks.fixtures_path = By2.fixtures_dir
+
+
+namespace :man do
+  directory "man"
+
+  Dir["man/*.ronn"].each do |ronn|
+    basename = File.basename(ronn, ".ronn")
+    roff = "man/#{basename}"
+
+    file roff => ["man", ronn] do
+      sh "#{Gem.ruby} -S ronn --roff --pipe #{ronn} > #{roff}"
+    end
+
+    file "#{roff}.txt" => roff do
+      sh "groff -Wall -mtty-char -mandoc -Tascii #{roff} | col -b > #{roff}.txt"
+    end
+
+    task :build_all_pages => "#{roff}.txt"
+  end
+
+  desc "Build the man pages"
+  task :build => "man:build_all_pages"
+
+  desc "Clean up from the built man pages"
+  task :clean do
+    file = "man/by2.1"
+    rm file if File.exists?(file)
+
+    file = "man/by2.1.txt"
+    rm file if File.exists?(file)
+  end
+end
+
+task :build => ["man:clean", "man:build"]
+task :svn_ci => :build
+task :release => ["man:clean", "man:build"]
+
+
+task :environment do
+  ENV["BY2_ENV"] ||= 'development'
+  By2.db_connect
+end
+
+
+task :svn_ci do
+  # TODO: remove hardcoded value, set from command line ENV var.
+  username = "runner"
+  repo_path = "svn+ssh://#{username}@donjulio.security.berkeley.edu/by2"
+  gem_name = "by2-#{By2::VERSION}.gem"
+  cmd = "svn import pkg/#{gem_name} #{repo_path}/trunk/#{gem_name} -m 'committed gem #{gem_name}'"
+  output = `#{cmd} 2>&1`
+  $stdout.puts(output)
+end
+
+namespace :db do
+  def self.migration(name, options="")
+    generator_params = [name] + options.split(" ")
+    Rails::Generators.invoke("active_record:migration", generator_params, :destination_root => Rails.root)
+  end
+
+
+  desc "Creates a new migration file with the specified name"
+  task :migration, :name, :options do |t, args|
+    name = args[:name] || ENV['name']
+    options = args[:options] || ENV['options']
+
+    unless name
+      puts "Error: must provide name of migration to generate."
+      puts "For example: rake #{t.name} name=add_field_to_form"
+      abort
+    end
+
+    options ? migration(name, options.gsub('/', ' ')) : migration(name)
+  end
+end
+
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec
+
+
+

data/bin/by2

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+
+# Exit cleanly from an early interrupt
+Signal.trap("INT") { exit 1 }
+
+require_relative "../lib/by2"
+
+begin
+  By2::Client.new(ARGV).run
+rescue Errno::EPIPE
+  exit 0
+rescue Errno::ENOENT => err
+  abort "by2: #{err.message}"
+rescue By2::Options::OptionsError => err
+  abort err.message
+end

data/by2.gemspec

@@ -0,0 +1,32 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'by2/version'
+
+Gem::Specification.new do |spec|
+  spec.name = "by2"
+  spec.version = By2::VERSION
+  spec.authors = ["runner"]
+  spec.email = ["runner@security.berkeley.edu"]
+  spec.summary = %q{Commandline tool for querying a barnyard2 db.}
+  spec.description = %q{Commandline tool for querying a barnyard2 db.}
+  spec.homepage = ""
+  spec.license = "MIT"
+
+  spec.files = `git ls-files`.split($/)
+  spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files = spec.files.grep(%r{^(spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.5"
+  spec.add_development_dependency "rake", "~> 10.3.1"
+  spec.add_development_dependency "rspec", "~> 2.14.1"
+  spec.add_development_dependency "rspec-rails"
+  spec.add_development_dependency "ronn"
+
+  spec.add_dependency "pg", "~> 0.17.1"
+  spec.add_dependency "activerecord", "~> 4.0.2"
+  spec.add_dependency "activesupport", "~> 4.0.2"
+  spec.add_dependency "railties", "~> 4.0.2"
+  spec.add_dependency "composite_primary_keys", "= 6.0.1"
+end

data/config/database.yml.example

@@ -0,0 +1,11 @@
+development:
+  adapter: postgresql
+  host: localhost
+  database: barnyard_development
+  username: barnyard
+
+test:
+  adapter: postgresql
+  host: localhost
+  database: barnyard_test
+  username: barnyard

data/config/setup.sql

@@ -0,0 +1,9 @@
+--
+-- Create local dbs for test/development
+--
+
+create user barnyard;
+create database barnyard_development with owner = barnyard;
+create database barnyard_test with owner = barnyard;
+grant all privileges on barnyard_development to barnyard;
+grant all privileges on barnyard_test to barnyard;

data/db/migrate/20140205014806_init_db.rb

@@ -0,0 +1,147 @@
+class InitDb < ActiveRecord::Migration
+  def change
+      # These are extensions that must be enabled in order to support this database
+      enable_extension "plpgsql"
+
+      create_table "data", id: false, force: true do |t|
+        t.integer "sid", null: false
+        t.integer "cid", limit: 8, null: false
+        t.text "data_payload"
+      end
+
+      create_table "detail", id: false, force: true do |t|
+        t.integer "detail_type", limit: 2, null: false
+        t.text "detail_text", null: false
+      end
+
+      create_table "encoding", id: false, force: true do |t|
+        t.integer "encoding_type", limit: 2, null: false
+        t.text "encoding_text", null: false
+      end
+
+      create_table "event", id: false, force: true do |t|
+        t.integer "sid", null: false
+        t.integer "cid", limit: 8, null: false
+        t.integer "signature", null: false
+        t.datetime "timestamp", null: false
+      end
+
+      add_index "event", ["signature"], name: "signature_idx", using: :btree
+      add_index "event", ["timestamp"], name: "timestamp_idx", using: :btree
+
+      create_table "icmphdr", id: false, force: true do |t|
+        t.integer "sid", null: false
+        t.integer "cid", limit: 8, null: false
+        t.integer "icmp_type", limit: 2, null: false
+        t.integer "icmp_code", limit: 2, null: false
+        t.integer "icmp_csum"
+        t.integer "icmp_id"
+        t.integer "icmp_seq"
+      end
+
+      add_index "icmphdr", ["icmp_type"], name: "icmp_type_idx", using: :btree
+
+      create_table "iphdr", id: false, force: true do |t|
+        t.integer "sid", null: false
+        t.integer "cid", limit: 8, null: false
+        t.integer "ip_src", limit: 8, null: false
+        t.integer "ip_dst", limit: 8, null: false
+        t.integer "ip_ver", limit: 2
+        t.integer "ip_hlen", limit: 2
+        t.integer "ip_tos", limit: 2
+        t.integer "ip_len"
+        t.integer "ip_id"
+        t.integer "ip_flags", limit: 2
+        t.integer "ip_off"
+        t.integer "ip_ttl", limit: 2
+        t.integer "ip_proto", limit: 2, null: false
+        t.integer "ip_csum"
+      end
+
+      add_index "iphdr", ["ip_dst"], name: "ip_dst_idx", using: :btree
+      add_index "iphdr", ["ip_src"], name: "ip_src_idx", using: :btree
+
+      create_table "opt", id: false, force: true do |t|
+        t.integer "sid", null: false
+        t.integer "cid", limit: 8, null: false
+        t.integer "optid", limit: 2, null: false
+        t.integer "opt_proto", limit: 2, null: false
+        t.integer "opt_code", limit: 2, null: false
+        t.integer "opt_len"
+        t.text "opt_data"
+      end
+
+      create_table "reference", primary_key: "ref_id", force: true do |t|
+        t.integer "ref_system_id", null: false
+        t.text "ref_tag", null: false
+      end
+
+      create_table "reference_system", primary_key: "ref_system_id", force: true do |t|
+        t.text "ref_system_name"
+      end
+
+      create_table "sensor", primary_key: "sid", force: true do |t|
+        t.text "hostname"
+        t.text "interface"
+        t.text "filter"
+        t.integer "detail", limit: 2
+        t.integer "encoding", limit: 2
+        t.integer "last_cid", limit: 8, null: false
+      end
+
+      create_table "sig_class", primary_key: "sig_class_id", force: true do |t|
+        t.text "sig_class_name", null: false
+      end
+
+      add_index "sig_class", ["sig_class_name"], name: "sig_class_name_idx", using: :btree
+
+      create_table "sig_reference", id: false, force: true do |t|
+        t.integer "sig_id", null: false
+        t.integer "ref_seq", null: false
+        t.integer "ref_id", null: false
+      end
+
+      create_table "signature", primary_key: "sig_id", force: true do |t|
+        t.text "sig_name", null: false
+        t.integer "sig_class_id", limit: 8
+        t.integer "sig_priority", limit: 8
+        t.integer "sig_rev", limit: 8
+        t.integer "sig_sid", limit: 8
+        t.integer "sig_gid", limit: 8
+      end
+
+      add_index "signature", ["sig_class_id"], name: "sig_class_idx", using: :btree
+      add_index "signature", ["sig_name"], name: "sig_name_idx", using: :btree
+
+      create_table "tcphdr", id: false, force: true do |t|
+        t.integer "sid", null: false
+        t.integer "cid", limit: 8, null: false
+        t.integer "tcp_sport", null: false
+        t.integer "tcp_dport", null: false
+        t.integer "tcp_seq", limit: 8
+        t.integer "tcp_ack", limit: 8
+        t.integer "tcp_off", limit: 2
+        t.integer "tcp_res", limit: 2
+        t.integer "tcp_flags", limit: 2, null: false
+        t.integer "tcp_win"
+        t.integer "tcp_csum"
+        t.integer "tcp_urp"
+      end
+
+      add_index "tcphdr", ["tcp_dport"], name: "tcp_dport_idx", using: :btree
+      add_index "tcphdr", ["tcp_flags"], name: "tcp_flags_idx", using: :btree
+      add_index "tcphdr", ["tcp_sport"], name: "tcp_sport_idx", using: :btree
+
+      create_table "udphdr", id: false, force: true do |t|
+        t.integer "sid", null: false
+        t.integer "cid", limit: 8, null: false
+        t.integer "udp_sport", null: false
+        t.integer "udp_dport", null: false
+        t.integer "udp_len"
+        t.integer "udp_csum"
+      end
+
+      add_index "udphdr", ["udp_dport"], name: "udp_dport_idx", using: :btree
+      add_index "udphdr", ["udp_sport"], name: "udp_sport_idx", using: :btree
+  end
+end

data/db/schema.rb

@@ -0,0 +1,160 @@
+# encoding: UTF-8
+# This file is auto-generated from the current state of the database. Instead
+# of editing this file, please use the migrations feature of Active Record to
+# incrementally modify your database, and then regenerate this schema definition.
+#
+# Note that this schema.rb definition is the authoritative source for your
+# database schema. If you need to create the application database on another
+# system, you should be using db:schema:load, not running all the migrations
+# from scratch. The latter is a flawed and unsustainable approach (the more migrations
+# you'll amass, the slower it'll run and the greater likelihood for issues).
+#
+# It's strongly recommended that you check this file into your version control system.
+
+ActiveRecord::Schema.define(version: 20140205014806) do
+
+  # These are extensions that must be enabled in order to support this database
+  enable_extension "plpgsql"
+
+  create_table "data", id: false, force: true do |t|
+    t.integer "sid",                    null: false
+    t.integer "cid",          limit: 8, null: false
+    t.text    "data_payload"
+  end
+
+  create_table "detail", id: false, force: true do |t|
+    t.integer "detail_type", limit: 2, null: false
+    t.text    "detail_text",           null: false
+  end
+
+  create_table "encoding", id: false, force: true do |t|
+    t.integer "encoding_type", limit: 2, null: false
+    t.text    "encoding_text",           null: false
+  end
+
+  create_table "event", id: false, force: true do |t|
+    t.integer  "sid",                 null: false
+    t.integer  "cid",       limit: 8, null: false
+    t.integer  "signature",           null: false
+    t.datetime "timestamp",           null: false
+  end
+
+  add_index "event", ["signature"], name: "signature_idx", using: :btree
+  add_index "event", ["timestamp"], name: "timestamp_idx", using: :btree
+
+  create_table "icmphdr", id: false, force: true do |t|
+    t.integer "sid",                 null: false
+    t.integer "cid",       limit: 8, null: false
+    t.integer "icmp_type", limit: 2, null: false
+    t.integer "icmp_code", limit: 2, null: false
+    t.integer "icmp_csum"
+    t.integer "icmp_id"
+    t.integer "icmp_seq"
+  end
+
+  add_index "icmphdr", ["icmp_type"], name: "icmp_type_idx", using: :btree
+
+  create_table "iphdr", id: false, force: true do |t|
+    t.integer "sid",                null: false
+    t.integer "cid",      limit: 8, null: false
+    t.integer "ip_src",   limit: 8, null: false
+    t.integer "ip_dst",   limit: 8, null: false
+    t.integer "ip_ver",   limit: 2
+    t.integer "ip_hlen",  limit: 2
+    t.integer "ip_tos",   limit: 2
+    t.integer "ip_len"
+    t.integer "ip_id"
+    t.integer "ip_flags", limit: 2
+    t.integer "ip_off"
+    t.integer "ip_ttl",   limit: 2
+    t.integer "ip_proto", limit: 2, null: false
+    t.integer "ip_csum"
+  end
+
+  add_index "iphdr", ["ip_dst"], name: "ip_dst_idx", using: :btree
+  add_index "iphdr", ["ip_src"], name: "ip_src_idx", using: :btree
+
+  create_table "opt", id: false, force: true do |t|
+    t.integer "sid",                 null: false
+    t.integer "cid",       limit: 8, null: false
+    t.integer "optid",     limit: 2, null: false
+    t.integer "opt_proto", limit: 2, null: false
+    t.integer "opt_code",  limit: 2, null: false
+    t.integer "opt_len"
+    t.text    "opt_data"
+  end
+
+  create_table "reference", primary_key: "ref_id", force: true do |t|
+    t.integer "ref_system_id", null: false
+    t.text    "ref_tag",       null: false
+  end
+
+  create_table "reference_system", primary_key: "ref_system_id", force: true do |t|
+    t.text "ref_system_name"
+  end
+
+  create_table "sensor", primary_key: "sid", force: true do |t|
+    t.text    "hostname"
+    t.text    "interface"
+    t.text    "filter"
+    t.integer "detail",    limit: 2
+    t.integer "encoding",  limit: 2
+    t.integer "last_cid",  limit: 8, null: false
+  end
+
+  create_table "sig_class", primary_key: "sig_class_id", force: true do |t|
+    t.text "sig_class_name", null: false
+  end
+
+  add_index "sig_class", ["sig_class_name"], name: "sig_class_name_idx", using: :btree
+
+  create_table "sig_reference", id: false, force: true do |t|
+    t.integer "sig_id",  null: false
+    t.integer "ref_seq", null: false
+    t.integer "ref_id",  null: false
+  end
+
+  create_table "signature", primary_key: "sig_id", force: true do |t|
+    t.text    "sig_name",               null: false
+    t.integer "sig_class_id", limit: 8
+    t.integer "sig_priority", limit: 8
+    t.integer "sig_rev",      limit: 8
+    t.integer "sig_sid",      limit: 8
+    t.integer "sig_gid",      limit: 8
+  end
+
+  add_index "signature", ["sig_class_id"], name: "sig_class_idx", using: :btree
+  add_index "signature", ["sig_name"], name: "sig_name_idx", using: :btree
+
+  create_table "tcphdr", id: false, force: true do |t|
+    t.integer "sid",                 null: false
+    t.integer "cid",       limit: 8, null: false
+    t.integer "tcp_sport",           null: false
+    t.integer "tcp_dport",           null: false
+    t.integer "tcp_seq",   limit: 8
+    t.integer "tcp_ack",   limit: 8
+    t.integer "tcp_off",   limit: 2
+    t.integer "tcp_res",   limit: 2
+    t.integer "tcp_flags", limit: 2, null: false
+    t.integer "tcp_win"
+    t.integer "tcp_csum"
+    t.integer "tcp_urp"
+  end
+
+  add_index "tcphdr", ["tcp_dport"], name: "tcp_dport_idx", using: :btree
+  add_index "tcphdr", ["tcp_flags"], name: "tcp_flags_idx", using: :btree
+  add_index "tcphdr", ["tcp_sport"], name: "tcp_sport_idx", using: :btree
+
+  create_table "udphdr", id: false, force: true do |t|
+    t.integer "sid",                 null: false
+    t.integer "cid",       limit: 8, null: false
+    t.integer "udp_sport",           null: false
+    t.integer "udp_dport",           null: false
+    t.integer "udp_len"
+    t.integer "udp_csum"
+  end
+
+  add_index "udphdr", ["udp_dport"], name: "udp_dport_idx", using: :btree
+  add_index "udphdr", ["udp_sport"], name: "udp_sport_idx", using: :btree
+
+end