fidius-evasiondb 0.0.1 → 0.0.2

data/evasion-db.gemspec

@@ -21,17 +21,22 @@ Gem::Specification.new do |s|
 
   s.rubyforge_project = ""
 
-  s.add_dependency "activerecord", ">= 3.0.0"
-  s.add_dependency "activesupport", ">= 3.0.0"
-  s.add_dependency "fidius-common", ">= 0.0.4"
+  s.add_dependency "activerecord" #, ">= 3.0.0"
+  s.add_dependency "activesupport" #, ">= 3.0.0"
+  s.add_dependency "fidius-common", "~> 0.0.4"
+  s.add_dependency "snortor", "~> 0.0.1"
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
   
-  s.rdoc_options << '--title' << s.name <<
-                    '--main'  << 'README.md' << '--show-hash' <<
-                    `git ls-files -- lib/*`.split("\n") <<
-                    'README.md' << 'LICENSE' << 'CREDITS.md'
+  # TODO: this raises error ERROR:  While executing gem ... (Gem::InvalidSpecificationException)
+  # rdoc_options must be an Array of String
+  # with bundler 1.0.14
+  # ##################################################
+  #s.rdoc_options = '--title' << s.name <<
+  #                  '--main'  << 'README.md' << '--show-hash' <<
+  #                  `git ls-files -- lib/*`.split("\n") <<
+  #                  'README.md' << 'LICENSE' << 'CREDITS.md'
 end

data/lib/db/db-install.rb

@@ -63,7 +63,11 @@ module FIDIUS
         @charset   = ENV['CHARSET']   || 'utf8'
         @collation = ENV['COLLATION'] || 'utf8_unicode_ci'
         creation_options = {:charset => (config['charset'] || @charset), :collation => (config['collation'] || @collation)}
-        error_class = config['adapter'] =~ /mysql2/ ? Mysql2::Error : Mysql::Error
+        begin
+          error_class = config['adapter'] =~ /mysql2/ ? Mysql2::Error : Mysql::Error
+        rescue
+          error_class = Mysql::Error
+        end
         access_denied_error = 1045
         begin
           ActiveRecord::Base.establish_connection(config.merge('database' => nil))

data/lib/db/migrations/006_create_ids_rules.rb

@@ -0,0 +1,15 @@
+class CreateIdsRules < ActiveRecord::Migration
+  def self.up
+    create_table :ids_rules do |t|
+      t.integer :sort
+      t.text :rule_text
+      t.string :rule_hash
+      t.timestamps
+    end
+    add_index :ids_rules, :rule_hash,:unique => true
+  end
+
+  def self.down
+    drop_table :ids_rules
+  end
+end

data/lib/db/migrations/007_create_enabled_rules.rb

@@ -0,0 +1,13 @@
+class CreateEnabledRules < ActiveRecord::Migration
+  def self.up
+    create_table :enabled_rules do |t|
+      t.integer :attack_module_id
+      t.text :bitstring
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :enabled_rules
+  end
+end

data/lib/evasion-db/base.rb

@@ -11,6 +11,7 @@ module FIDIUS
     @@yml_config = nil
     @@current_fetcher = nil
     @@current_recorder = nil
+    @@current_rule_fetcher = nil
 
     # Configures EvasionDB. 
     #
@@ -32,6 +33,7 @@ module FIDIUS
       else
         #self.load_db_adapter(evasion_db['adapter'])
         FIDIUS::EvasionDB::Knowledge::Connection.establish_connection evasion_db
+        #require File.join(GEM_BASE, 'evasion-db', 'postgres_patch.rb')
         FIDIUS::EvasionDB::Knowledge::Connection.connection
       end
     end
@@ -55,8 +57,20 @@ module FIDIUS
     def self.use_fetcher(fetcher_name)
       raise "not configured. use FIDIUS::EvasionDB.config first" unless @@yml_config
       @@current_fetcher = Fetcher.by_name(fetcher_name)
+      raise "fetcher #{fetcher_name} not found" unless @@current_fetcher    
       @@current_fetcher.config(@@yml_config)
-      raise "fetcher #{recorder_name} not found" unless @@current_fetcher    
+    end
+
+    # Use a given rule-fetcher. RuleFetchers are used to fetch rules from an rule based ids.
+    # Currently there is only the Fetcher for a Snort IDS. 
+    #
+    # @param [String] rule_fetcher_name
+    # @raise RuntimeError if fetcher not found
+    def self.use_rule_fetcher(rule_fetcher_name)
+      raise "not configured. use FIDIUS::EvasionDB.config first" unless @@yml_config
+      @@current_rule_fetcher = RuleFetcher.by_name(rule_fetcher_name)
+      raise "rule-fetcher #{rule_fetcher_name} not found" unless @@current_rule_fetcher    
+      @@current_rule_fetcher.config(@@yml_config)
     end
 
     # Returns the current recorder
@@ -76,5 +90,13 @@ module FIDIUS
       raise "no fetcher set. Use FIDIUS::EvasionDB.use_fetcher" unless @@current_fetcher
       @@current_fetcher
     end
+
+
+    # Returns the current rule fetcher
+    #
+    # @see #use_rule_fetcher
+    def self.current_rule_fetcher
+      @@current_rule_fetcher
+    end
   end# module EvasionDB
 end# module FIDIUS

data/lib/evasion-db/idmef-fetchers/prelude-db/lib/models/alert.rb

@@ -12,11 +12,12 @@ module FIDIUS
       has_one :analyzer, :class_name => 'Analyzer', :foreign_key => :_message_ident, :primary_key => :_ident
       has_one :impact, :class_name => 'Impact', :foreign_key => :_message_ident, :primary_key => :_ident
       has_one :payload, :class_name => 'AdditionalData', :foreign_key => :_message_ident, :primary_key => :_ident, :conditions=>["Prelude_AdditionalData.meaning='payload'"]
-      set_primary_key :_ident
 
-      def self.table_name
-        "Prelude_Alert"
-      end
+      set_primary_key :_ident
+      set_table_name "Prelude_Alert"
+      #def self.table_name
+      #  "Prelude_Alert"
+      #end
 
       def self.total_entries
         sql = connection();

data/lib/evasion-db/idmef-fetchers/prelude-db/lib/models/detect_time.rb

@@ -2,9 +2,8 @@ module FIDIUS
   module PreludeDB
     # Wrapper for Prelude_DetectTime table
     class DetectTime < FIDIUS::PreludeDB::Connection
-      def self.table_name
-        "Prelude_DetectTime"
-      end
+      set_primary_key :_message_ident
+      set_table_name "Prelude_DetectTime"
     end
   end
 end

data/lib/evasion-db/idmef-fetchers/prelude-db/lib/prelude_event_fetcher.rb

@@ -12,9 +12,8 @@ module FIDIUS
       end
 
       def begin_record
-        a = FIDIUS::PreludeDB::Alert.find(:first,:joins => [:detect_time],:order=>"time DESC")
-        last_event = FIDIUS::PreludeDB::PreludeEvent.new(a)
-        @start_time = last_event.detect_time
+        t = FIDIUS::PreludeDB::DetectTime.find(:first,:order=>"time DESC")
+        @start_time = t.time
       end
 
       def get_events
@@ -22,7 +21,14 @@ module FIDIUS
         res = Array.new
         sleep 3
         $logger.debug "alert.find(:all,:joins=>[:detect_time],time > #{@start_time})"
-        events = FIDIUS::PreludeDB::Alert.find(:all,:joins => [:detect_time],:order=>"time DESC",:conditions=>["time > :d",{:d => @start_time}])
+
+        detect_times = FIDIUS::PreludeDB::DetectTime.find(:all,:order=>"time DESC",:conditions=>["time > :d",{:d => @start_time}])
+        events = []
+        detect_times.each do |dt|
+          events << FIDIUS::PreludeDB::Alert.find(:first,:conditions=>{:_ident=>dt._message_ident})
+        end
+        ################################################
+
         $logger.debug "found #{events.size} events"
         events.each do |event|
           ev = FIDIUS::PreludeDB::PreludeEvent.new(event)
@@ -30,7 +36,7 @@ module FIDIUS
           if @local_ip
             if (ev.source_ip == @local_ip || ev.dest_ip == @local_ip)
               $logger.debug "adding #{ev.inspect} to events "
-              res << ev  
+              res << ev
             end
           else
             $logger.debug "adding #{ev.inspect} to events "
@@ -64,4 +70,3 @@ Dir.glob(File.join File.dirname(__FILE__), 'models', '*.rb') do |rb|
   $logger.debug "loading #{rb}"
   require rb
 end
-

data/lib/evasion-db/knowledge/attack_module.rb

@@ -7,6 +7,7 @@ module FIDIUS::EvasionDB::Knowledge
     has_many :packets, :dependent=>:destroy
     has_many :attack_options, :dependent=>:destroy
     has_one :attack_payload, :dependent=>:destroy
+    has_one :enabled_rules
 
     def self.table_name
       "attack_modules"

data/lib/evasion-db/knowledge/enabled_rules.rb

@@ -0,0 +1,36 @@
+module FIDIUS::EvasionDB::Knowledge
+  class EnabledRules < FIDIUS::EvasionDB::Knowledge::Connection
+    belongs_to :attack_module
+
+    @bitvector = nil
+
+    def self.table_name
+      "enabled_rules"
+    end
+
+    def bitvector
+      return @bitvector if @bitvector
+      res = BitField.new(self.bitstring.size)
+      i = 0
+      self.bitstring.each_char do |bit|
+        res[i] = bit.to_i
+        i += 1
+      end
+      @bitvector = res
+      return @bitvector
+    end
+
+    # count rules
+    # :active or :inactive or :all
+    def count(h)
+      if h == :all
+        return bitvector.size
+      elsif h == :active
+        return bitvector.total_set
+      elsif h == :inactive
+        return (bitvector.size - bitvector.total_set)
+      end
+      raise "use count(:active) or count(:inactive)"
+    end
+  end
+end

data/lib/evasion-db/knowledge/ids_rule.rb

@@ -0,0 +1,33 @@
+module FIDIUS::EvasionDB::Knowledge
+  class IdsRule < FIDIUS::EvasionDB::Knowledge::Connection
+    def self.table_name
+      "ids_rules"
+    end
+
+    def self.exists?(text)
+      self.find_by_rule_hash(Digest::MD5.hexdigest(text)) != nil
+    end
+
+    def self.sub_query_for_insert(text,sort)
+      h = Digest::MD5.hexdigest(text)
+      # escape single quotes
+      text = self.sanitize(text)
+      return "(#{text},'#{h}',#{sort})"
+    end
+
+    def self.create_if_not_exists(text,sort=0)
+      q = self.sub_query_for_insert(text,sort)
+      begin
+        self.connection.execute("INSERT IGNORE INTO ids_rules (rule_text,rule_hash,sort) VALUES #{q};")
+      rescue
+        puts $!.message
+        puts "trying without IGNORE command"
+        begin
+          self.connection.execute("INSERT INTO ids_rules (rule_text,rule_hash,sort) VALUES #{q};")
+        rescue
+          puts $!.message
+        end
+      end
+    end
+  end
+end

data/lib/evasion-db/knowledge.rb

@@ -10,12 +10,14 @@ module FIDIUS
       # to indicate that the exploit with maximal events should be searched
       MAX_EVENTS = 2
 
-      autoload :AttackModule,  'evasion-db/knowledge/attack_module'
-      autoload :AttackOption,  'evasion-db/knowledge/attack_option'
-      autoload :AttackPayload, 'evasion-db/knowledge/attack_payload'
-      autoload :Connection,    'evasion-db/knowledge/connection'
-      autoload :IdmefEvent,    'evasion-db/knowledge/idmef_event'
-      autoload :Packet,        'evasion-db/knowledge/packet'
+      autoload :AttackModule,  "#{GEM_BASE}/evasion-db/knowledge/attack_module"
+      autoload :AttackOption,  "#{GEM_BASE}/evasion-db/knowledge/attack_option"
+      autoload :AttackPayload, "#{GEM_BASE}/evasion-db/knowledge/attack_payload"
+      autoload :Connection,    "#{GEM_BASE}/evasion-db/knowledge/connection"
+      autoload :IdmefEvent,    "#{GEM_BASE}/evasion-db/knowledge/idmef_event"
+      autoload :Packet,        "#{GEM_BASE}/evasion-db/knowledge/packet"
+      autoload :IdsRule,       "#{GEM_BASE}/evasion-db/knowledge/ids_rule"
+      autoload :EnabledRules,  "#{GEM_BASE}/evasion-db/knowledge/enabled_rules"
 
       # returns all modules(exploits) in knowledge database
       def self.get_exploits
@@ -52,6 +54,15 @@ module FIDIUS
         Packet.find(pid)
       end
 
+      # returns all exploits for the given services
+      #
+      #@param [array] ports_list
+      def self.find_exploits_for_services(ports_list)
+        exploits = []
+        ports_list.each { |port| exploits.concat(find_exploits_for_service(port)) }
+        exploits.map { |e| e.id }
+      end
+
       # returns all exploits for the given service
       #
       #@param [integer] port

data/lib/evasion-db/postgres_patch.rb

@@ -0,0 +1,21 @@
+# This Patch will fix the Error:
+#ActiveRecord::StatementInvalid: PGError: ERROR:  relation "Prelude_Alert" does not exist
+#LINE 4:              WHERE a.attrelid = '"Prelude_Alert"'::regclass
+#                                        ^
+#:             SELECT a.attname, format_type(a.atttypid, a.atttypmod), d.adsrc, a.attnotnull
+#              FROM pg_attribute a LEFT JOIN pg_attrdef d
+#                ON a.attrelid = d.adrelid AND a.attnum = d.adnum
+#             WHERE a.attrelid = '"Prelude_Alert"'::regclass
+#               AND a.attnum > 0 AND NOT a.attisdropped
+#             ORDER BY a.attnum
+# provided @http://s3.amazonaws.com/activereload-lighthouse/assets/a3d9b3646f58246ef6ffe027001dd643cca7aade/postgresql-support-capitalized-table-names.diff?AWSAccessKeyId=1AJ9W2TX1B2Z7C2KYB82&Expires=1290010522&Signature=ignfCi9%2Bm37oHijccGBsbJj298w%3D
+
+module ActiveRecord
+  module ConnectionAdapters
+    class PostgreSQLAdapter < AbstractAdapter
+      def quote_table_name(name)
+        return name
+      end
+    end
+  end
+end

data/lib/evasion-db/recorders/msf-recorder/lib/msf-recorder.rb

@@ -1,11 +1,12 @@
 module FIDIUS
   module EvasionDB
     # This recorder provides an interface for the metasploit console
-    # it is used to have callbacks when modules are executed. 
-    # 
+    # it is used to have callbacks when modules are executed.
+    #
     # @see {file:msf-plugins/evasiondb.rb}
     module MsfRecorder
       def module_started(module_instance)
+        # use rule_fetcher if the module starts
         @@current_exploit = FIDIUS::EvasionDB::Knowledge::AttackModule.find_or_create_by_name_and_options(module_instance.fullname,module_instance.datastore)
         FIDIUS::EvasionDB.current_fetcher.begin_record
       end
@@ -27,7 +28,7 @@ module FIDIUS
             if module_instance && module_instance.respond_to?("fullname")
               $logger.debug "idmef_events << #{idmef_event}"
               @@current_exploit.idmef_events << idmef_event
-              # meterpreter is not a module and does not respond to fullname 
+              # meterpreter is not a module and does not respond to fullname
               # we handle this seperatly
             elsif module_instance == "Meterpreter"
               $logger.debug "attack_payload.idmef_events << #{idmef_event}"
@@ -48,17 +49,15 @@ module FIDIUS
 
       def log_packet(module_instance,data,socket)
         begin
-          # set local ip, if there is no
-          #FIDIUS::EvasionDB.current_fetcher.local_ip = FIDIUS::Common.get_my_ip(socket.peerhost)
           $logger.debug "logged module_instance: #{module_instance} with #{data.size} bytes payload"
-          # TODO: what shall we do with meterpreter? 
+          # TODO: what shall we do with meterpreter?
           # it has not options and no fullname, logger assigns only the string "meterpreter"
           if module_instance.respond_to?("fullname")
             unless @@current_exploit.finished
               @@current_exploit.packets << FIDIUS::EvasionDB::Knowledge::Packet.create(:payload=>data,:src_addr=>socket.localhost,:src_port=>socket.localport,:dest_addr=>socket.peerhost,:dest_port=>socket.peerport)
               @@current_exploit.save
             end
-          # meterpreter is not a module and does not respond to fullname 
+          # meterpreter is not a module and does not respond to fullname
           # we handle this seperatly
           elsif module_instance == "Meterpreter"
             $logger.debug "module_instance is meterpreter"
@@ -69,8 +68,8 @@ module FIDIUS
           $logger.debug "LOG: #{module_instance} #{data.size} Bytes on #{socket}"
         rescue ActiveRecord::StatementInvalid
           $logger.error "StatementInvalid"
-        rescue 
-          $logger.error "error:" # "#{$!.message}" ##{$!.inspect}:#{$!.backtrace}"
+        rescue
+          $logger.error "error:"
         end
       end
     end

data/lib/evasion-db/rule_fetchers/rule_fetchers.rb

@@ -0,0 +1,61 @@
+module FIDIUS
+  module EvasionDB
+    def self.rule_fetcher(name,&block)
+      FIDIUS::EvasionDB::RuleFetcher.new(name,&block)
+    end
+
+    def self.install_rule_fetchers
+      $logger.debug "installing rule fetchers"
+      FIDIUS::EvasionDB::RuleFetcher.all.each do |fetcher|
+        fetcher.run_install
+      end
+    end
+
+    # A Fetcher is used to fetch rules from an ids
+    class RuleFetcher
+      @@fetchers = []
+      attr_accessor :name
+
+      def initialize(name,&block)
+        self.instance_eval(&block)
+        @name = name
+        @@fetchers << self
+      end
+
+      def install(&block)
+        $logger.debug "setting installblock"
+        @install = block
+      end
+
+      def run_install
+        raise "no install block given" unless @install
+        $logger.debug "run install of #{@name}"
+        @install.call
+      end
+
+      def config(conf)
+        raise "overwrite this"
+      end
+
+      def fetch_rules(attack_module)
+        raise "overwrite this"
+      end
+
+      def self.all
+        @@fetchers
+      end
+
+      def self.by_name(name)
+        self.all.each do |fetcher|
+          return fetcher if fetcher.name == name
+        end
+        nil
+      end
+    end
+  end
+end
+
+Dir[File.join(File.dirname(__FILE__), "*/rule_fetcher.rb")].each{|fetch_require|
+  $logger.debug "load #{fetch_require}"
+  require fetch_require
+} 

data/lib/evasion-db/rule_fetchers/snort/lib/snort.rb

@@ -0,0 +1,100 @@
+begin
+  require 'snortor'
+rescue
+  raise "can not find snortor gem. Please gem install snortor"
+end
+
+require File.join(FIDIUS::EvasionDB::GEM_BASE, 'evasion-db', 'vendor', 'bitfield')
+
+module FIDIUS
+  module EvasionDB
+    module SnortRuleFetcher
+      @@rule_path = nil
+
+
+      @@ssh_host = nil
+      @@ssh_pw = nil
+      @@ssh_remote_path = nil
+      @@ssh_user = nil
+      @@fetch_remote = false
+      @@ssh_options = {}
+
+      def import_rules_to_snortor
+        raise "no rulepath given" unless @@rule_path
+        if @@fetch_remote
+          a = {:host=>@@ssh_host,:user=>@@ssh_user,:password=>@@ssh_pw,:remote_path=>@@ssh_remote_path,:options=>@@ssh_options}
+          puts "Snortor.import_rules(#{a.inspect})"
+          Snortor.import_rules(a)
+        else
+          Snortor.import_rules(@@rule_path)
+        end
+      end
+      # generate a bitvector based on activated rules
+      # and assign this bisvector to the given attack_module
+      def fetch_rules(attack_module)
+        import_rules_to_snortor
+
+        raise "this attack_module has an ruleset bitvector" if attack_module.enabled_rules
+
+        start_time = Time.now
+        rules_enabled = BitField.new(Snortor.rules.size)
+        i = 0
+        Snortor.rules.each do |rule|
+          if rule.message
+            rules_enabled[i] = (rule.active == true)? 1 : 0
+            i += 1
+          end
+        end
+        end_time = Time.now
+
+        ruleset = FIDIUS::EvasionDB::Knowledge::EnabledRules.create(:bitstring=>rules_enabled.to_s)
+        ruleset.attack_module = attack_module
+        ruleset.save
+      end
+
+      # fetches rules with snortor
+      # and stores them all into db
+      def import_rules
+        raise "rules imported already" if FIDIUS::EvasionDB::Knowledge::IdsRule.all.size > 0
+        import_rules_to_snortor
+
+        i = 0
+        insert_query = []
+        Snortor.rules.each do |rule|
+          if rule.message
+            insert_query << FIDIUS::EvasionDB::Knowledge::IdsRule.sub_query_for_insert(rule.message,i)
+            i += 1
+          end
+        end
+        begin
+          FIDIUS::EvasionDB::Knowledge::IdsRule.connection.execute("INSERT IGNORE INTO ids_rules (rule_text,rule_hash,sort) VALUES #{insert_query.join(',')};")
+        rescue
+          begin
+            # try without IGNORE statement
+            FIDIUS::EvasionDB::Knowledge::IdsRule.connection.execute("INSERT INTO ids_rules (rule_text,rule_hash,sort) VALUES #{insert_query.join(',')};")
+          rescue
+            puts $!.message+":"+$!.backtrace.to_s
+          end
+        end
+      end
+
+      def config(conf)
+        return unless conf
+        conf = conf["snort-fetcher"]
+        return unless conf.class == Hash
+
+        @@rule_path = conf["rule_path"]#"/home/bernd/fidius/snort/rules/fetched"
+
+        @@ssh_host = conf["ssh_host"] #"10.10.10.254"
+        @@ssh_pw = conf["ssh_pw"]#"fidius09"
+        @@ssh_remote_path = conf["ssh_remote_path"] #"/etc/snort/rules/"
+        @@ssh_user = conf["ssh_user"] #"fidius"
+        @@fetch_remote = @@ssh_host != nil
+      end
+
+      def self.ssh_options=(a)
+        @@ssh_options = a
+      end
+    end
+  end
+end

data/lib/evasion-db/rule_fetchers/snort/rule_fetcher.rb

@@ -0,0 +1,6 @@
+FIDIUS::EvasionDB.rule_fetcher "Snortrule-Fetcher" do
+  install do
+    require (File.join File.dirname(__FILE__), 'lib', 'snort.rb')
+    self.extend FIDIUS::EvasionDB::SnortRuleFetcher
+  end
+end

data/lib/evasion-db/vendor/bitfield.rb

@@ -0,0 +1,66 @@
+#        NAME: BitField
+#      AUTHOR: Peter Cooper
+#     LICENSE: MIT ( http://www.opensource.org/licenses/mit-license.php )
+#   COPYRIGHT: (c) 2007 Peter Cooper (http://www.petercooper.co.uk/)
+#     VERSION: v4
+#     HISTORY: v4 (fixed bug where setting 0 bits to 0 caused a set to 1)
+#              v3 (supports dynamic bitwidths for array elements.. now doing 32 bit widths default)
+#              v2 (now uses 1 << y, rather than 2 ** y .. it's 21.8 times faster!)
+#              v1 (first release)
+#
+# DESCRIPTION: Basic, pure Ruby bit field. Pretty fast (for what it is) and memory efficient.
+#              I've written a pretty intensive test suite for it and it passes great. 
+#              Works well for Bloom filters (the reason I wrote it).
+#
+#              Create a bit field 1000 bits wide
+#                bf = BitField.new(1000)
+#
+#              Setting and reading bits
+#                bf[100] = 1
+#                bf[100]    .. => 1
+#                bf[100] = 0
+#
+#              More
+#                bf.to_s = "10101000101010101"  (example)
+#                bf.total_set         .. => 10  (example - 10 bits are set to "1")
+class BitField
+  attr_reader :size
+  include Enumerable
+  
+  ELEMENT_WIDTH = 32
+  
+  def initialize(size)
+    @size = size
+    @field = Array.new(((size - 1) / ELEMENT_WIDTH) + 1, 0)
+  end
+  
+  # Set a bit (1/0)
+  def []=(position, value)
+    if value == 1
+      @field[position / ELEMENT_WIDTH] |= 1 << (position % ELEMENT_WIDTH)
+    elsif (@field[position / ELEMENT_WIDTH]) & (1 << (position % ELEMENT_WIDTH)) != 0
+      @field[position / ELEMENT_WIDTH] ^= 1 << (position % ELEMENT_WIDTH)
+    end
+  end
+  
+  # Read a bit (1/0)
+  def [](position)
+    @field[position / ELEMENT_WIDTH] & 1 << (position % ELEMENT_WIDTH) > 0 ? 1 : 0
+  end
+  
+  # Iterate over each bit
+  def each(&block)
+    @size.times { |position| yield self[position] }
+  end
+  
+  # Returns the field as a string like "0101010100111100," etc.
+  def to_s
+    inject("") { |a, b| a + b.to_s }
+  end
+  
+  # Returns the total number of bits that are set
+  # (The technique used here is about 6 times faster than using each or inject direct on the bitfield)
+  def total_set
+    @field.inject(0) { |a, byte| a += byte & 1 and byte >>= 1 until byte == 0; a }
+  end
+end

data/lib/evasion-db/version.rb

@@ -1,5 +1,5 @@
 module FIDIUS
   module EvasionDB
-    VERSION = "0.0.1"
+    VERSION = "0.0.2"
   end
 end

data/lib/fidius-evasiondb.rb

@@ -12,9 +12,10 @@ module FIDIUS
     GEM_BASE      = File.expand_path('..', __FILE__)
     $logger.debug "GEM_BASE ist: #{GEM_BASE}"
     
-    autoload :VERSION,          'evasion-db/version'
-    autoload :LogMatchesHelper, 'evasion-db/log_matches_helper'
-    autoload :Knowledge,        'evasion-db/knowledge'
+    autoload :VERSION,          "#{GEM_BASE}/evasion-db/version"
+    autoload :LogMatchesHelper, "#{GEM_BASE}/evasion-db/log_matches_helper"
+    autoload :Knowledge,        "#{GEM_BASE}/evasion-db/knowledge"
+    autoload :BitField,         "#{GEM_BASE}/evasion-db/vendor/bitfield"
 
     # install fetchers
     require File.join(GEM_BASE, 'evasion-db', 'idmef-fetchers', 'fetchers.rb')
@@ -23,5 +24,9 @@ module FIDIUS
     # install recorders
     require File.join(GEM_BASE, 'evasion-db', 'recorders', 'recorders.rb')
     FIDIUS::EvasionDB.install_recorders
+
+    # install rule_recorder
+    require File.join(GEM_BASE, 'evasion-db', 'rule_fetchers', 'rule_fetchers.rb')
+    FIDIUS::EvasionDB.install_rule_fetchers
   end
 end

data/lib/msf-plugins/database.yml.example

@@ -22,3 +22,13 @@ evasion_db:
   username: root
   password:
   socket: /opt/lampp/var/mysql/mysql.sock
+
+snort-fetcher:
+  # path with *.rules files 
+  rule_path: /home/bernd/fidius/snort/rules/fetched
+  # optional ssh credentials
+  # content of folder remote_path will be copied via ssh tu rule_path
+  ssh_host: 10.10.10.254
+  ssh_pw: fidius09
+  ssh_remote_path: /etc/snort/rules/
+  ssh_user: root

data/lib/msf-plugins/evasiondb.rb

@@ -34,7 +34,9 @@ class Plugin::EvasionDB < Msf::Plugin
         "send_event_payload" => "send a given payload of an idmef-event to generate false positive",
         "config_exploit" => "configures an exploit with the options of a previous runtime",
         "delete_events" => "deletes events from knowledge",
-        "set_autologging" => "true|false automatically log all executed modules"
+        "set_autologging" => "true|false automatically log all executed modules",
+        "import_rules" => "import rules based on your config (this could take some time)",
+        "assign_rules_to_attack" => "assigns bitvector of activated rules to the given attack"
       }
     end
 
@@ -50,7 +52,7 @@ class Plugin::EvasionDB < Msf::Plugin
 		snl = false
 		lst = 0
     rclosed = true
-		while (idx < str.length)      
+		while (idx < str.length)
 			chunk = str[idx, width]
 			line  = chunk.unpack("H*")[0].scan(/../).join(" ")
       if from >= idx && from < idx+width
@@ -113,6 +115,17 @@ class Plugin::EvasionDB < Msf::Plugin
       end
     end
 
+    def cmd_import_rules(*args)
+      FIDIUS::EvasionDB.current_rule_fetcher.import_rules
+    end
+
+    def cmd_assign_rules_to_attack(*args)
+      raise "please provide an attack module id" if args.size != 1
+      a = FIDIUS::EvasionDB::Knowledge::AttackModule.find(args[0].to_i)
+      FIDIUS::EvasionDB.current_rule_fetcher.fetch_rules(a)
+    end
+
+
     def cmd_send_packet(*args)
       raise "please provide packet id" if args.size != 1
       packet = FIDIUS::EvasionDB::Knowledge.get_packet(args[0].to_i)
@@ -134,6 +147,14 @@ class Plugin::EvasionDB < Msf::Plugin
         print_line "-"*60
         print_line "#{events.size} idmef-events fetched"
         print_line "-"*60
+
+        if exploit.enabled_rules
+          print_line "-"*60
+          all = exploit.enabled_rules.count(:all)
+          active = exploit.enabled_rules.count(:active)
+          print_line "Rules: #{active}/#{all}"
+          print_line "-"*60
+        end
         events.each do |event|
           print_line "(#{event.id})#{event.text} with #{event.payload_size} bytes payload"
         end
@@ -163,7 +184,7 @@ class Plugin::EvasionDB < Msf::Plugin
     def cmd_show_packet(*args)
       raise "please provide packet_id" if args.size != 1
       packet = FIDIUS::EvasionDB::Knowledge::Packet.find(args[0].to_i)
-      
+
       hex = to_hex_dump(packet.payload)
       print_line hex
     end
@@ -182,7 +203,7 @@ class Plugin::EvasionDB < Msf::Plugin
         print_line "#{packet[:packet].payload.size} bytes"
         print_line "match #{packet[:index]} - #{packet[:index]+packet[:length]-1}"
         hex = to_hex_dump(packet[:packet].payload,packet[:index],packet[:index]+packet[:length]-1)
-        print_line hex      
+        print_line hex
       else
         print_line "no packets available"
       end
@@ -192,7 +213,6 @@ class Plugin::EvasionDB < Msf::Plugin
     end
 
     def cmd_fetch_events(*args)
-      #events = FIDIUS::EvasionDB::Knowledge.fetch_events
       FIDIUS::EvasionDB.current_fetcher.local_ip = nil
       events = FIDIUS::EvasionDB.current_fetcher.fetch_events
       if events
@@ -221,6 +241,8 @@ class Plugin::EvasionDB < Msf::Plugin
     FIDIUS::EvasionDB.config(dbconfig_path)
     FIDIUS::EvasionDB.use_recoder "Msf-Recorder"
     FIDIUS::EvasionDB.use_fetcher "PreludeDB"
+    FIDIUS::EvasionDB.use_rule_fetcher "Snortrule-Fetcher"
+    FIDIUS::EvasionDB::SnortRuleFetcher.ssh_options = {:auth_methods=>["password"],:msfmodule=>FIDIUS::MsfModuleStub}
 
     add_console_dispatcher(ConsoleCommandDispatcher)
     framework.events.add_general_subscriber(FIDIUS::ModuleRunCallback.new)
@@ -263,7 +285,7 @@ class PacketLogger
   end
 
   def self.inspect_socket(socket)
-    "#{socket.localhost}:#{socket.localport} -> #{socket.peerhost}:#{socket.peerport}"    
+    "#{socket.localhost}:#{socket.localport} -> #{socket.peerhost}:#{socket.peerport}"
   end
 
   class MySocketEventHandler
@@ -316,7 +338,7 @@ end #class ModuleRunCallback
 end #FIDIUS
 
 # This extends the PacketDispatcher from Rex
-# with Logging 
+# with Logging
 # Original Source is: lib/rex/post/meterpreter/packet_dispatcher.rb
 module Rex::Post::Meterpreter::PacketDispatcher
   def send_packet(packet, completion_routine = nil, completion_param = nil)
@@ -339,7 +361,7 @@ module Rex::Post::Meterpreter::PacketDispatcher
         @finish = true
 
         # Reraise the error to the top-level caller
-        raise e		
+        raise e
       end
     end
 
@@ -376,3 +398,13 @@ module SocketTracer
   end
 end #SocketTracer
 end #FIDIUS
+
+module FIDIUS
+class MsfModuleStub
+  # do nothing to prevent metasploits lib/net/ssh.rb from dieing
+  def self.add_socket(a)
+  end
+  def self.remove_socket(a)
+  end
+end
+end

data/test/config/database.yml

@@ -9,3 +9,10 @@ ids_db:
   database: ids_db.sqlite3
   pool: 5
   timeout: 5000
+
+snort-fetcher:
+  rule_path: test/fixtures
+  #ssh_host: 10.10.10.254
+  #ssh_pw: fidius09
+  #ssh_remote_path: /etc/snort/rules/
+  #ssh_user: fidius

data/test/fixtures/ruleset1.rules

@@ -0,0 +1,3 @@
+alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
+alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
+

data/test/test_knowledge.rb

@@ -99,4 +99,27 @@ class TestKnowledge < Test::Unit::TestCase
     assert_equal 1,events.size
 
   end
+
+  def test_rule_models
+    IdsRule.create(:rule_text=>"Wurst1")
+    IdsRule.create(:rule_text=>"Wurst2")
+
+    e = EnabledRules.create(:bitstring=>"00101")
+    e.attack_module = FIDIUS::EvasionDB::Knowledge::AttackModule.first
+    e.save
+  end
+
+  def test_ids_rule_helpers
+    IdsRule.create_if_not_exists("wurst",0)
+    IdsRule.create_if_not_exists("brot",1)
+    IdsRule.create_if_not_exists("hans",2)
+    IdsRule.create_if_not_exists("hans",2)
+
+    assert_equal 3, IdsRule.all.size
+
+    assert_equal 0, IdsRule.find_by_rule_text("wurst").sort
+    assert_equal 1, IdsRule.find_by_rule_text("brot").sort
+    assert_equal 2, IdsRule.find_by_rule_text("hans").sort
+  end
+
 end

data/test/test_rule_fetchers.rb

@@ -0,0 +1,17 @@
+require 'helper'
+
+class TestRuleFetchers < Test::Unit::TestCase
+  def test_rule_fetcher
+    FIDIUS::EvasionDB::Knowledge::EnabledRules.destroy_all
+    FIDIUS::EvasionDB::Knowledge::IdsRule.destroy_all
+
+    FIDIUS::EvasionDB.use_rule_fetcher "Snortrule-Fetcher"
+    FIDIUS::EvasionDB::current_rule_fetcher.fetch_rules(FIDIUS::EvasionDB::Knowledge::AttackModule.new)
+
+    # cant provide this for sqlite
+    #assert_equal 2, FIDIUS::EvasionDB::Knowledge::IdsRule.all.size
+    assert_equal 1, FIDIUS::EvasionDB::Knowledge::EnabledRules.all.size
+    enabled_rules = FIDIUS::EvasionDB::Knowledge::EnabledRules.first
+    assert_equal "11", enabled_rules.bitstring
+  end
+end

metadata

@@ -1,108 +1,98 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: fidius-evasiondb
-version: !ruby/object:Gem::Version 
-  prerelease: false
-  segments: 
-  - 0
-  - 0
-  - 1
-  version: 0.0.1
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+  prerelease: 
 platform: ruby
-authors: 
-- "Jens F\xC3\xA4rber"
+authors:
+- Jens Färber
 - Bernhard Katzmarski
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2011-04-20 00:00:00 +02:00
-default_executable: 
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2011-12-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: fidius-common
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
+  requirement: &10084200 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: activerecord
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
+  version_requirements: *10084200
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: &10083660 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        version: "0"
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: activerecord
   prerelease: false
-  requirement: &id003 !ruby/object:Gem::Requirement 
+  version_requirements: *10083660
+- !ruby/object:Gem::Dependency
+  name: activerecord
+  requirement: &10082480 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 3
-        - 0
-        - 0
-        version: 3.0.0
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id003
-- !ruby/object:Gem::Dependency 
-  name: activesupport
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
+  version_requirements: *10082480
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: &10033180 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 3
-        - 0
-        - 0
-        version: 3.0.0
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: fidius-common
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
+  version_requirements: *10033180
+- !ruby/object:Gem::Dependency
+  name: fidius-common
+  requirement: &10032340 !ruby/object:Gem::Requirement
     none: false
-    requirements: 
-    - - ">="
-      - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        - 0
-        - 4
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
         version: 0.0.4
   type: :runtime
-  version_requirements: *id005
-description: |-
-  The FIDIUS EvasionDB Gem provides a database which contains knowledge about metasploit exploits and their corresponding alerts/events produced by intrusion detection systems (IDS).
-  
-  It includes a Metasploit plugin which supports the recording of thrown alerts during the execution of an exploit.
-email: 
+  prerelease: false
+  version_requirements: *10032340
+- !ruby/object:Gem::Dependency
+  name: snortor
+  requirement: &10031600 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: *10031600
+description: ! 'The FIDIUS EvasionDB Gem provides a database which contains knowledge
+  about metasploit exploits and their corresponding alerts/events produced by intrusion
+  detection systems (IDS).
+
+
+  It includes a Metasploit plugin which supports the recording of thrown alerts during
+  the execution of an exploit.'
+email:
 - jfaerber+evasiondb@tzi.de
 - bkatzm+evasiondb@tzi.de
-executables: 
+executables:
 - fidius-evasiondb
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
+files:
 - .gitignore
 - .yardopts
 - Gemfile
@@ -117,6 +107,8 @@ files:
 - lib/db/migrations/003_create_attack_modules.rb
 - lib/db/migrations/004_create_attack_options.rb
 - lib/db/migrations/005_create_attack_payloads.rb
+- lib/db/migrations/006_create_ids_rules.rb
+- lib/db/migrations/007_create_enabled_rules.rb
 - lib/evasion-db/base.rb
 - lib/evasion-db/idmef-fetchers/fetchers.rb
 - lib/evasion-db/idmef-fetchers/prelude-db/fetcher.rb
@@ -139,100 +131,58 @@ files:
 - lib/evasion-db/knowledge/attack_option.rb
 - lib/evasion-db/knowledge/attack_payload.rb
 - lib/evasion-db/knowledge/connection.rb
+- lib/evasion-db/knowledge/enabled_rules.rb
 - lib/evasion-db/knowledge/idmef_event.rb
+- lib/evasion-db/knowledge/ids_rule.rb
 - lib/evasion-db/knowledge/packet.rb
 - lib/evasion-db/log_matches_helper.rb
+- lib/evasion-db/postgres_patch.rb
 - lib/evasion-db/recorders/msf-recorder/lib/msf-recorder.rb
 - lib/evasion-db/recorders/msf-recorder/recorder.rb
 - lib/evasion-db/recorders/recorders.rb
+- lib/evasion-db/rule_fetchers/rule_fetchers.rb
+- lib/evasion-db/rule_fetchers/snort/lib/snort.rb
+- lib/evasion-db/rule_fetchers/snort/rule_fetcher.rb
+- lib/evasion-db/vendor/bitfield.rb
 - lib/evasion-db/version.rb
 - lib/fidius-evasiondb.rb
 - lib/msf-plugins/database.yml.example
 - lib/msf-plugins/evasiondb.rb
 - test/config/database.yml
 - test/config/prelude.sql
+- test/fixtures/ruleset1.rules
 - test/helper.rb
 - test/preludedb_helper.rb
 - test/test_fetchers.rb
 - test/test_knowledge.rb
 - test/test_preludedb.rb
 - test/test_recorders.rb
-has_rdoc: true
+- test/test_rule_fetchers.rb
 homepage: http://fidius.me
 licenses: []
-
 post_install_message: 
-rdoc_options: 
-- --title
-- fidius-evasiondb
-- --main
-- README.md
-- --show-hash
-- - lib/db/db-install.rb
-  - lib/db/migrations/001_create_packets.rb
-  - lib/db/migrations/002_create_idmef_events.rb
-  - lib/db/migrations/003_create_attack_modules.rb
-  - lib/db/migrations/004_create_attack_options.rb
-  - lib/db/migrations/005_create_attack_payloads.rb
-  - lib/evasion-db/base.rb
-  - lib/evasion-db/idmef-fetchers/fetchers.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/fetcher.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/additional_data.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/address.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/alert.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/analyzer.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/classification.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/connection.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/detect_time.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/impact.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/prelude_event.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/service.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/patches/postgres_patch.rb
-  - lib/evasion-db/idmef-fetchers/prelude-db/lib/prelude_event_fetcher.rb
-  - lib/evasion-db/idmef-fetchers/test-fetcher/fetcher.rb
-  - lib/evasion-db/idmef-fetchers/test-fetcher/lib/test_fetcher.rb
-  - lib/evasion-db/knowledge.rb
-  - lib/evasion-db/knowledge/attack_module.rb
-  - lib/evasion-db/knowledge/attack_option.rb
-  - lib/evasion-db/knowledge/attack_payload.rb
-  - lib/evasion-db/knowledge/connection.rb
-  - lib/evasion-db/knowledge/idmef_event.rb
-  - lib/evasion-db/knowledge/packet.rb
-  - lib/evasion-db/log_matches_helper.rb
-  - lib/evasion-db/recorders/msf-recorder/lib/msf-recorder.rb
-  - lib/evasion-db/recorders/msf-recorder/recorder.rb
-  - lib/evasion-db/recorders/recorders.rb
-  - lib/evasion-db/version.rb
-  - lib/fidius-evasiondb.rb
-  - lib/msf-plugins/database.yml.example
-  - lib/msf-plugins/evasiondb.rb
-- README.md
-- LICENSE
-- CREDITS.md
-require_paths: 
+rdoc_options: []
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
+required_ruby_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      segments: 
-      - 0
-      version: "0"
-required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
-  requirements: 
-  - - ">="
-    - !ruby/object:Gem::Version 
-      segments: 
-      - 0
-      version: "0"
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
-rubyforge_project: ""
-rubygems_version: 1.3.7
+rubyforge_project: ''
+rubygems_version: 1.8.11
 signing_key: 
 specification_version: 3
-summary: The FIDIUS EvasionDB Gem provides a database which contains knowledge about metasploit exploits and their corresponding alerts/events produced by intrusion detection systems (IDS).
+summary: The FIDIUS EvasionDB Gem provides a database which contains knowledge about
+  metasploit exploits and their corresponding alerts/events produced by intrusion
+  detection systems (IDS).
 test_files: []
-
+has_rdoc: