dap 0.0.1 → 0.0.2

data/lib/dap/filter/vulnmatch.rb

@@ -0,0 +1,68 @@
+require_relative '../../../data/vulndb'
+
+module Dap
+module Filter
+
+module BaseVulnMatch
+  def search(hash, service)
+    SEARCHES[service].each do | entry |
+      entry[:regex].each do | regex, value |
+        if regex =~ hash[entry[:hash_key]].force_encoding('BINARY')
+          # Handle cases that could be multiple hits, not for upnp but could be others.
+          hash[entry[:output_key]] = ( hash[entry[:output_key]] ? hash[entry[:output_key]] + value : value )
+        end
+      end if hash[entry[:hash_key]]
+    end
+    hash
+  end
+
+  def lookup(hash, service)
+    SEARCHES[service].each do | entry |
+      if hash[entry[:hash_key]]
+        res = entry[:cvemap][hash[entry[:hash_key]]]
+        if res
+          hash[entry[:output_key]] = res
+        end
+      end
+    end
+    hash
+  end
+end
+
+class FilterVulnMatchUPNP
+  include Base
+  include BaseVulnMatch
+
+  def process(doc)
+    doc = search(doc, :upnp)
+    [ doc ]
+  end
+end
+
+class FilterVulnMatchIPMI
+  include Base
+  include BaseVulnMatch
+
+  def process(doc)
+    doc = search(doc, :ipmi)
+
+    if (doc['data.ipmi_user_non_null'] == "0") && (doc['data.ipmi_user_null'] == "0")
+      doc["vulnerability"] = ( doc["vulnerability"] ? doc["vulnerability"] + ["IPMI-ANON"] : ["IPMI-ANON"] )
+    end
+
+    [ doc ]
+  end
+end
+
+class FilterVulnMatchMSSQL
+  include Base
+  include BaseVulnMatch
+
+  def process(doc)
+    doc = lookup(doc, :mssql)
+    [ doc ]
+  end
+end
+
+end
+end

data/lib/dap/output.rb

@@ -1,15 +1,18 @@
+require 'oj'
+require 'csv'
+
+
 module Dap
 module Output
 
-  require 'oj'
 
   module FileDestination
-    
+
     attr_accessor :fd
 
     def open(file_name)
       close
-      self.fd = ['-', 'stdout', nil].include?(file_name) ? 
+      self.fd = ['-', 'stdout', nil].include?(file_name) ?
         $stdout : ::File.open(file_name, "wb")
     end
 
@@ -26,6 +29,33 @@ module Output
     def stop
     end
 
+    # String sanitizer for UTF-8
+    def sanitize(o)
+
+      # Handle strings
+      if o.kind_of? ::String
+        return o.to_s.encode(o.encoding, "UTF-8", :invalid => :replace, :undef => :replace, :replace => '')
+      end
+
+      # Handle hashes
+      if o.kind_of? ::Hash
+        r = {}
+        o.each_pair do |k,v|
+          k = sanitize(k)
+          v = sanitize(v)
+          r[k] = v
+        end
+        return r
+      end
+
+      # Handle arrays
+      if o.kind_of? ::Array
+        return o.map{|x| sanitize(x) }
+      end
+
+      # Leave as-is
+      o
+    end
   end
 
 
@@ -34,7 +64,7 @@ module Output
   # XXX: Quoted field handling is not supported, CSV should be a new output type
   #
   class OutputLines
-    
+
     attr_accessor :fields, :delimiter
     FIELD_WILDCARD = '_'
 
@@ -44,7 +74,7 @@ module Output
       file = nil
       self.delimiter = ","
       self.fields    = FIELD_WILDCARD
-      
+
       header = false
 
       args.each do |str|
@@ -57,7 +87,7 @@ module Output
         when 'fields'
           self.fields = v.split(',')
         when 'delimiter'
-          self.delimiter = 
+          self.delimiter =
             case v.to_s
             when 'tab'
               "\t"
@@ -72,6 +102,7 @@ module Output
 
       if header and not fields.include?(FIELD_WILDCARD)
         self.fd.puts self.fields.join(self.delimiter)
+        self.fd.flush
       end
 
     end
@@ -81,17 +112,18 @@ module Output
 
       if self.fields.include?(FIELD_WILDCARD)
         doc.each_pair do |k,v|
-          out << v.to_s
+          out << sanitize(v.to_s)
         end
       else
         self.fields.each do |k|
-          out << doc[k].to_s
+          out << sanitize(doc[k].to_s)
         end
       end
 
       return unless out.length > 0
 
       self.fd.puts out.join(self.delimiter)
+      self.fd.flush
     end
 
   end
@@ -100,15 +132,83 @@ module Output
   # JSON Output (line-delimited records)
   #
   class OutputJSON
-    
+
     include FileDestination
 
     def initialize(args)
       self.open(args.first)
     end
 
-    def write_record(doc)  
-      self.fd.puts Oj.dump(doc)
+    def write_record(doc)
+      self.fd.puts Oj.dump(sanitize(doc))
+      self.fd.flush
+    end
+
+  end
+
+
+  #
+  # CSV Output
+  #
+  class OutputCSV
+
+    attr_accessor :fields, :delimiter
+    FIELD_WILDCARD = '_'
+
+    include FileDestination
+
+    def initialize(args)
+      file = nil
+      self.delimiter = ","
+      self.fields    = FIELD_WILDCARD
+
+      header = false
+
+      args.each do |str|
+        k,v = str.split('=', 2)
+        case k
+        when 'file'
+          file = v
+        when 'header'
+          header = ( v =~ /^[ty1]/i ? true : false )
+        when 'fields'
+          self.fields = v.split(',')
+        when 'delimiter'
+          self.delimiter =
+            case v.to_s
+            when 'tab'
+              "\t"
+            when 'null'
+              "\x00"
+            else
+              v
+            end
+        end
+      end
+      self.open(file)
+
+      if header and not fields.include?(FIELD_WILDCARD)
+        self.fd.puts self.fields.to_csv
+      end
+
+    end
+
+    def write_record(doc)
+      out = []
+
+      if self.fields.include?(FIELD_WILDCARD)
+        doc.each_pair do |k,v|
+          out << sanitize(v.to_s)
+        end
+      else
+        self.fields.each do |k|
+          out << sanitize(doc[k].to_s)
+        end
+      end
+
+      return unless out.length > 0
+
+      self.fd.puts out.to_csv
     end
 
   end

data/lib/dap/proto/mssql.rb

@@ -0,0 +1,114 @@
+# -*- coding: binary -*-
+module Dap
+module Proto
+module MSSQL
+
+  #
+  # Data condensed from http://sqlserverbuilds.blogspot.com/
+  # Given a version like 8.00.2039, this data structure allows
+  # us to determine that the year version is 2000 sp4.
+  # The version_num_to_name method implements this conversion.
+  #
+  MSSQL_VERSIONS = {
+      '7.00'=> {
+          :year=>'7.0',
+          :service_packs=> {
+              623=>'-',
+              699=>'sp1',
+              842=>'sp2',
+              961=>'sp3',
+              1063=>'sp4'
+          }
+      },
+      '8.00'=> {
+          :year=>'2000',
+          :service_packs=> {
+              194=>'-',
+              384=>'sp1',
+              534=>'sp2',
+              760=>'sp3',
+              2039=>'sp4'
+          }
+      },
+      '9.00'=> {
+          :year=>'2005',
+          :service_packs=> {
+              1399=>'-',
+              2047=>'sp1',
+              3042=>'sp2',
+              4035=>'sp3',
+              5000=>'sp4'
+          }
+      },
+      '10.00'=> {
+          :year=>'2008',
+          :service_packs=> {
+              1600=>'-',
+              2531=>'sp1',
+              4000=>'sp2',
+              5500=>'sp3'
+          }
+      },
+      '10.50'=> {
+          :year=>'2008',
+          :service_packs=> {
+              1600=>'r2',
+              2500=>'r2 sp1',
+              4000=>'r2 sp2'
+          }
+      },
+      '11.00'=> {
+          :year=>'2012',
+          :service_packs=> {
+              2100=>'-',
+              3000=>'sp1'
+          }
+      },
+      '12.00'=> {
+          :year=>'2014',
+          :service_packs=> {
+              2000=>'-'
+          }
+      }
+  }
+
+  #
+  # Given a XX.YY.ZZ[.AA] version, will attempt to get the sql server
+  # year/service pack version for it.
+  def self.version_num_to_name(version)
+    rx  = /(\d+)\.(\d+)\.(\d+).*/
+    if version =~ rx
+      v1 = $1.to_i
+      v2 = $2.to_i
+      v3 = $3.to_i
+    else
+      return [ nil, nil ]
+    end
+    #puts("v1=#{v1}, v2=#{v2}, v3=#{v3}")
+    key = sprintf("%d.%02d",v1,v2)
+    svc_pack = nil
+    year = nil
+    if MSSQL_VERSIONS[key]
+      year = MSSQL_VERSIONS[key][:year]
+      svc_packs = MSSQL_VERSIONS[key][:service_packs]
+      is_first=true
+      svc_packs.each do | k, v|
+        #puts( "k=#{k}, v=#{v}")
+        if v3 <= k and is_first
+          svc_pack = v
+          break
+        elsif v3 == k
+          svc_pack = v
+          break
+        else
+          svc_pack = v
+        end
+        is_first=false
+      end
+    end
+    [ year, svc_pack]
+  end
+
+end
+end
+end

data/lib/dap/version.rb

@@ -1,3 +1,3 @@
 module Dap
-  VERSION = "0.0.1"
+  VERSION = "0.0.2"
 end

data/spec/dap/proto/ipmi_spec.rb

@@ -7,10 +7,10 @@ module IPMI
 
 describe Channel_Auth_Reply do
   it "valid with the proper rmcp version and message length" do
-    expect(subject.valid?).to be_false
-    expect(Channel_Auth_Reply.new(rmcp_version: 6).valid?).to be_false
-    expect(Channel_Auth_Reply.new(message_length: 16).valid?).to be_false
-    expect(Channel_Auth_Reply.new(rmcp_version: 6, message_length: 16).valid?).to be_true
+    expect(subject.valid?).to be false
+    expect(Channel_Auth_Reply.new(rmcp_version: 6).valid?).to be false
+    expect(Channel_Auth_Reply.new(message_length: 16).valid?).to be false
+    expect(Channel_Auth_Reply.new(rmcp_version: 6, message_length: 16).valid?).to be true
   end
 end
 

data/tools/geo-ip-summary.rb

@@ -16,10 +16,18 @@ class GeoIPSummary
     @tree['count'] = 0
   end
 
+  def stringify(o)
+    if o.kind_of?( ::String )
+      o.to_s.encode(o.encoding, "UTF-8", :invalid => :replace, :undef => :replace, :replace => '')
+    else
+      o.to_s
+    end
+  end
+
   def process_hash( json_hash )
-    country = json_hash[@country_name]
-    region  = json_hash[@region_name] || 'Undefined Region'
-    city    = json_hash[@city_name]   || 'Undefined City'
+    country = stringify( json_hash[@country_name] )
+    region  = stringify( json_hash[@region_name] || 'Undefined Region' )
+    city    = stringify( json_hash[@city_name]   || 'Undefined City' )
 
     # Create subhashes and values as needed on down the tree
     @tree[country] ||= {}
@@ -123,7 +131,7 @@ def parse_command_line(args)
     opts.on('--var top-level-var', 'Sets the top level json name, for defining all of country/region/city') do | val |
       options[:var] = val
       options[:country] = "#{val}.country_name"
-      options[:region] = "#{val}.region"
+      options[:region] = "#{val}.region_name"
       options[:city]   = "#{val}.city"
     end
 
@@ -136,14 +144,20 @@ def parse_command_line(args)
   end
   options
 end
-  opts = parse_command_line(ARGV)
-  raise 'Need json key names for country,region and city.' if opts[:country].nil? || opts[:region].nil? || opts[:city].nil?
+opts = parse_command_line(ARGV)
 
-  summarizer = GeoIPSummary.new(opts[:country], opts[:region], opts[:city])
-  while line=gets
-    summarizer.process_hash(Oj.load(line.strip))
-  end
 
-  Oj.default_options={:indent=>2}
+raise 'Need json key names for country,region and city.' if opts[:country].nil? || opts[:region].nil? || opts[:city].nil?
+
+summarizer = GeoIPSummary.new(opts[:country], opts[:region], opts[:city])
+
+
+$stdin.each_line do |line|
+  json = Oj.load(line.unpack("C*").pack("C*").strip) rescue nil
+  next unless json
+  summarizer.process_hash(json)
+end
+
+Oj.default_options={:indent=>2}
 
-  puts Oj.dump(summarizer.order_tree)
+puts Oj.dump(summarizer.order_tree)