fidius-evasiondb 0.0.1

data/.gitignore

@@ -0,0 +1,9 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*
+*~
+*.sqlite3
+coverage/
+doc/
+.yardoc/

data/.yardopts

@@ -0,0 +1,6 @@
+--title 'EvasionDB'
+--private
+--protected
+--readme 'README.md'
+lib/**/*.rb -
+LICENSE CREDITS.md

data/Gemfile

@@ -0,0 +1,5 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in evasion-db.gemspec
+gemspec
+

data/LICENSE

@@ -0,0 +1,57 @@
+The Simplified BSD License
+
+Copyright (C) 2010-2011  FIDIUS Intrusion Detection with Intelligent
+User Support (FIDIUS). All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+1. Redistributions of source code must retain the above copyright
+   notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+   notice, this list of conditions and the following disclaimer in the
+   documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY FIDIUS ``AS IS'' AND ANY EXPRESS OR
+IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL FIDIUS OR CONTRIBUTORS BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+The views and conclusions contained in the software and documentation
+are those of the authors and should not be interpreted as representing
+official policies, either expressed or implied, of FIDIUS.
+
+
+*OR*
+
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+Copyright (C) 2010-2011  FIDIUS Intrusion Detection with Intelligent
+User Suppport.
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License along
+with this program; if not, write to the Free Software Foundation, Inc.,
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+A digital copy is also available for download here:
+http://www.gnu.org/licenses/gpl-2.0.txt.

data/README.md

@@ -0,0 +1,180 @@
+# FIDIUS EvasionDB
+
+The FIDIUS EvasionDB Gem provides a database which contains knowledge about metasploit exploits
+and their corresponding alerts/events produced by intrusion detection systems (IDS). It includes a
+Metasploit plugin which supports the recording of thrown alerts during the execution of an exploit.
+
+## Description
+
+This gem is developed in the context of the students project "FIDIUS" at the
+University of Bremen, for more information about FIDIUS visit [fidius.me](http://fidius.me/en).
+
+## Installation
+
+Simply install this package with Rubygems:
+
+    $ gem install fidius-evasiondb
+
+Then switch to the root directory of your Metasploit installation and run
+
+    $ fidius-evasiondb -c
+
+Follow the instructions. 
+
+This Gem currently uses 2 databases:
+
+ * `ids_db`: A Prelude Manager database for fetching IDMEF events.
+ * `evasion_db`: Knowledge database for information about exploits and their IDMEF events.
+ 
+Please note: The Evasion-DB Gem has only been tested with Linux systems and might not work with Windows.
+
+## Configuration
+
+The database configuration can be found in
+
+    path/to/your/metasploit/root/data/database.yml 
+
+It has been tested with PostgreSQL and MySQL databases but should work for others, too.
+
+## Usage
+
+There are two possibilities to use this Gem, either inside the Metasploit console (with a plugin) or
+from external scripts by requiring the Gem. The first method (use in `msfconsole`) is intended to
+generate knowledge about exploits. You can execute any module within metasploit and log
+corresponding IDMEF events. 
+
+Please note: Currently it is only possible to fetch IDMEF events from an existing and configured
+Prelude Manager database. At the beginning of a module execution, the timestamp and number of total
+events in prelude are measured. After the module is finished newly generated events are identified
+via timestamp and the attackers source IP address.
+
+### In MSF console
+
+Example for monitoring an exploit. After loading the plugin all modules which are executed by
+metasploit will be monitored. All payload which is send to the target will be stored in the
+Knowledge database. After executing of the module finished generated IDMEF events will be fetched
+from the Prelude database and stored to the Knowledge database, too.
+  
+    $ msf > load evasiondb
+    $ [*] EvasionDB plugin loaded.
+    $ [*] Successfully loaded plugin: FIDIUS-EvasionDB
+    $ msf > use exploit/windows/smb/ms08_067_netapi
+    $ msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
+    $ PAYLOAD => windows/meterpreter/bind_tcp
+    $ msf exploit(ms08_067_netapi) > set RHOST 10.20.20.1
+    $ RHOST => 10.20.20.1
+    $ msf exploit(ms08_067_netapi) > exploit
+    $ [*] Started bind handler
+    $ [*] Automatically detecting the target...
+    $ [*] Fingerprint: Windows XP - Service Pack 2 - lang:German
+    $ [*] Selected Target: Windows XP SP2 German (NX)
+    $ [*] Attempting to trigger the vulnerability...
+    $ [*] Sending stage (749056 bytes) to 10.20.20.1
+    $ [*] Meterpreter session 1 opened (10.0.0.100:52764 -> 10.20.20.1:4444) at 2011-03-28 16:42:53 +0200
+    $ meterpreter > exit
+    $ [*] Meterpreter session 1 closed.  Reason: User exit
+    $ msf exploit(ms08_067_netapi) > show_events
+    $ ------------------------------------------------------------
+    $ exploit/windows/smb/ms08_067_netapi with 47 options
+    $ ------------------------------------------------------------
+    $ 11 idmef-events fetched
+    $ ------------------------------------------------------------
+    $ (1)COMMUNITY SIP TCP/IP message flooding directed to SIP proxy with 0 bytes payload
+    $ (2)COMMUNITY SIP TCP/IP message flooding directed to SIP proxy with 1324 bytes payload
+    $ (3)COMMUNITY SIP TCP/IP message flooding directed to SIP proxy with 0 bytes payload
+    $ (4)COMMUNITY SIP TCP/IP message flooding directed to SIP proxy with 1324 bytes payload
+    $ (5)COMMUNITY SIP TCP/IP message flooding directed to SIP proxy with 0 bytes payload
+    $ (6)COMMUNITY SIP TCP/IP message flooding directed to SIP proxy with 1324 bytes payload
+    $ (7)ET POLICY PE EXE or DLL Windows file download with 1324 bytes payload
+    $ (8)ET POLICY PE EXE or DLL Windows file download with 1324 bytes payload
+    $ (9)ET EXPLOIT x86 JmpCallAdditive Encoder with 759 bytes payload
+    $ (10)ET EXPLOIT x86 JmpCallAdditive Encoder with 467 bytes payload
+    $ (11)NETBIOS SMB-DS IPC$ share access with 72 bytes payload
+    $ msf exploit(ms08_067_netapi) > 
+
+### From external scripts or IRb
+
+From external scripts or inside IRb, there are only queries to the Evasion DB possible.
+The usage is quite simple.
+
+Just `require 'fidius-evasion'` in your script and call 
+
+    FIDIUS::EvasionDB.config 'path/to/your/database.yml'
+
+This will connect to the database and give you the possibility to use one of the query methods below. 
+
+### Queries
+
+Sample how the knowledge in EvasionDB can be queried:
+
+    ruby-1.9.1-p378 > require 'fidius-evasiondb'
+    => true 
+    ruby-1.9.1-p378 > FIDIUS::EvasionDB.config "data/database.yml"
+    ruby-1.9.1-p378 > events = FIDIUS::EvasionDB::Knowledge.find_events_for_exploit "exploit/windows/smb/ms08_067_netapi"
+    ruby-1.9.1-p378 > events.size
+    => 11 
+    ruby-1.9.1-p378 > events.first.severity
+    => "medium" 
+    ruby-1.9.1-p378 > events.first.text
+    => "COMMUNITY SIP TCP/IP message flooding directed to SIP proxy" 
+
+### Find an Exploit
+
+    ruby-1.9.1-p378 > m = FIDIUS::EvasionDB::Knowledge::AttackModule.first
+    => #<FIDIUS::EvasionDB::Knowledge::AttackModule id: 1, name: "exploit/windows/smb/ms08_067_netapi", options_hash: "4d70ba1e95523e6d602e316a2553decf", finished: true, created_at: "2011-04-02 13:43:44", updated_at: "2011-04-02 13:45:05">
+
+### Find IdmefEvents
+
+    ruby-1.9.1-p378 > event = m.idmef_events.first
+    => #<FIDIUS::EvasionDB::Knowledge::IdmefEvent id: 1, attack_module_id: 1, attack_payload_id: nil, payload: "wrong lookup type\x00\x00\x00unsupported algorithm\x00\x00\x00unknown...", detect_time: "2011-04-02 13:44:30", dest_ip: "10.20.20.1", src_ip: "10.0.0.100", dest_port: 4444, src_port: 45944, text: "COMMUNITY SIP TCP/IP message flooding directed to S...", severity: "medium", analyzer_model: "prelude-manager", ident: 1076676, created_at: "2011-04-02 13:45:03", updated_at: "2011-04-02 13:45:05"> 
+
+### Find Packets
+
+    ruby-1.9.1-p378 > m.packets.first
+    => #<FIDIUS::EvasionDB::Knowledge::Packet id: 1, attack_module_id: 1, attack_payload_id: nil, src_addr: "0.0.0.0", dest_addr: "10.20.20.1", src_port: "0", dest_port: "445", payload: "\x00\x00\x00T\xFFSMBr\x00\x00\x00\x00\x18\x01(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xCD\x11\x00\x00\xB2|\x001\x00\x02LANMAN1.0\x00\x02...", created_at: "2011-04-02 13:43:47", updated_at: "2011-04-02 13:43:47"> 
+
+### Find Payload of Packet
+
+    ruby-1.9.1-p378 > m.packets.first.payload
+    => "\x00\x00\x00T\xFFSMBr\x00\x00\x00\x00\x18\x01(\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xCD\x11\x00\x00\xB2|\x001\x00\x02LANMAN1.0\x00\x02LM1.2X002\x00\x02NT LANMAN 1.0\x00\x02NT LM 0.12\x00" 
+
+
+### Find Options of Exploit
+
+    ruby-1.9.1-p378 > m.attack_options.first.option_key
+    => "EXITFUNC" 
+    ruby-1.9.1-p378 > m.attack_options.first.option_value
+    => "thread" 
+
+## Import and export the database
+
+Run
+
+    $ fidius-evasiondb -e 
+
+in your Metasploit root to dump the database into a directory. It will create a directory named `evasion_db_yyyy-mm-dd-hhmmss` which contains a `schema.rb` file with the table structure and an `evasion_db.yml` file with the database dump.
+
+To import an Evasion DB, simply run
+
+    $ fidius-evasiondb -i dump_dir 
+
+where `dump_dir` is a path to a directory that contains an exported Evasion DB.
+
+## Authors and Contact
+
+fidius-evasiondb was written by
+
+* FIDIUS Intrusion Detection with Intelligent User Support
+  <grp-fidius+evasiondb@tzi.de>, <http://fidius.me>
+* in particular:
+ * Bernhard Katzmarski <bkatzm+evasiondb@tzi.de>
+ * Jens Färber <jfaerber+evasiondb@tzi.de>
+
+If you have any questions, remarks, suggestion, improvements, etc. feel free to drop a line at the 
+addresses given above. You might also join `#fidius` on Freenode or use the contact form on our
+[website](http://fidius.me/en/contact).
+
+
+## License
+
+Simplified BSD License and GNU GPLv2. See also the file LICENSE.

data/Rakefile

@@ -0,0 +1,33 @@
+# fix error: cant convert nil into String
+# Rakefile:1 in include?
+unless ENV['GEM_HOME'] && (__FILE__.include? ENV['GEM_HOME'])
+  require 'bundler'
+  Bundler::GemHelper.install_tasks
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/test_*.rb'
+  test.verbose = true
+end
+
+begin
+  require 'yard'
+
+  YARD::Rake::YardocTask.new(:doc) do |t|
+    t.files = ['lib/**/*.rb']
+    exclude = 'lib/db'
+    static_files = 'LICENSE,CREDITS.md'
+    t.options += [
+      '--title', 'FIDIUS EvasionDB',
+      '--private',   # include private methods
+      '--protected', # include protected methods
+      '--exclude', exclude,
+      '--files', static_files,
+      '--readme', 'README.md'
+    ]
+  end
+rescue LoadError
+  puts 'YARD not installed (gem install yard), http://yardoc.org'
+end

data/bin/fidius-evasiondb

@@ -0,0 +1,111 @@
+#!/usr/bin/env ruby
+require 'optparse'
+require 'fidius-evasiondb'
+require 'fileutils'
+
+GEM_BASE = File.expand_path('../../lib', __FILE__)
+
+messages = { 'root' => "Please run this script in the root directory of " +
+                   "your metasploit installation",
+             'pre-db' => "This will migrate the Evasion DB schema into the " +
+                         "database specified in MSF-ROOT/data/database.yml " +
+                         "in the section 'evasion_db'.\nPlease make sure, you " +
+                         "configured that first. Are you ready to proceed? (y/n)",
+             'empty' => "Initialize FIDIUS Evasion DB",
+             'db-config' => "If you do not have a database config in 'data/database.yml', " +
+                            "you can create an example file now. (y/n)"
+}
+
+options = {}
+
+optparse = OptionParser.new do |opts|
+
+  opts.banner = "Usage: fidius-evasiondb [options]"
+
+  opts.on_tail("-c", "--create", "create empty FIDIUS Evasion DB") do
+    puts messages['empty']
+    if in_msf_root?
+      puts "Copy files for MSF-Plugin..."
+      plugin_source = File.join(GEM_BASE, 'msf-plugins', 'evasiondb.rb')
+      FileUtils.cp(plugin_source, 'plugins')
+      puts "Copied plugin to 'plugins/evasion_tester.rb'"
+
+      puts messages['db-config']
+      if yes_no_dialog?
+        db_source = File.join(GEM_BASE, 'msf-plugins', 'database.yml.example')
+        FileUtils.cp(db_source, File.join('data', 'database.yml'))
+        puts "Copied sample database configuration file to data/database.yml"
+      end
+
+      puts messages['pre-db']
+      if yes_no_dialog?
+        migrate_models
+      end
+    else
+      puts messages['root']
+    end
+    exit
+  end
+
+  opts.on_tail("-e", "--export", "export FIDIUS Evasion DB to YAML") do
+    if in_msf_root?
+      require 'fidius-common'
+      dir = FIDIUS::Common::Db.export("data/database.yml", "evasion_db")
+      puts "Created dump in '#{dir}'"
+    else
+      puts messages['root']
+    end
+  end
+
+  opts.on("-i", "--import IMPORT_DIR", "import FIDIUS Evasion DB from YAML") do |dir|
+    if in_msf_root?
+      require 'fidius-common'
+      dir = FIDIUS::Common::Db.import("data/database.yml", "evasion_db", dir)
+    else
+      puts messages['root']
+    end
+    dir
+  end
+
+  opts.on_tail("-h", "--help", "Show this message") do
+    puts "GEM_BASE=#{GEM_BASE}"
+    puts opts
+    exit
+  end
+
+  opts.on_tail("-v", "--version", "Show version") do
+    puts "FIDIUS Evasion DB, Version #{FIDIUS::EvasionDB::VERSION}"
+    exit
+  end
+end
+
+def in_msf_root?
+  files = ['data', 'plugins', 'msfconsole', 'msfcli', 'msfgui', 'msfpayload']
+  files.each { |file| return false unless File.exists? file }
+
+  return true
+end
+
+def migrate_models
+  require File.join(GEM_BASE, 'db', 'db-install.rb')
+  include FIDIUS::EvasionDB
+
+  migrations_path = File.join(GEM_BASE, 'db', 'migrations')
+  db_config_path = File.join(Dir.pwd, 'data')
+  FIDIUS::EvasionDB.migrate(migrations_path, db_config_path)
+end
+
+def yes_no_dialog?
+  while answer = gets
+    case answer
+    when "y\n"
+      return true
+    when "n\n"
+      return false
+    else
+      puts "I don't know what you mean, enter 'y' for yes or 'n' for no."
+    end
+  end
+end
+
+optparse.parse!

data/evasion-db.gemspec

@@ -0,0 +1,37 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "evasion-db/version"
+
+Gem::Specification.new do |s|
+  s.name        = "fidius-evasiondb"
+  s.version     = FIDIUS::EvasionDB::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Jens Färber", "Bernhard Katzmarski"]
+  s.email       = ["jfaerber+evasiondb@tzi.de", "bkatzm+evasiondb@tzi.de"]
+  s.homepage    = "http://fidius.me"
+
+  s.add_dependency('fidius-common')
+  s.add_dependency('activerecord')
+
+  s.summary     = "The FIDIUS EvasionDB Gem provides a database which contains knowledge about "+
+                  "metasploit exploits and their corresponding alerts/events produced by intrusion "+
+                  "detection systems (IDS)."
+  s.description = s.summary + "\n\nIt includes a Metasploit plugin which supports the recording of "+
+                  "thrown alerts during the execution of an exploit."
+
+  s.rubyforge_project = ""
+
+  s.add_dependency "activerecord", ">= 3.0.0"
+  s.add_dependency "activesupport", ">= 3.0.0"
+  s.add_dependency "fidius-common", ">= 0.0.4"
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+  
+  s.rdoc_options << '--title' << s.name <<
+                    '--main'  << 'README.md' << '--show-hash' <<
+                    `git ls-files -- lib/*`.split("\n") <<
+                    'README.md' << 'LICENSE' << 'CREDITS.md'
+end

data/lib/db/db-install.rb

@@ -0,0 +1,103 @@
+require 'rake/testtask'
+require 'active_record'
+require 'logger'
+
+module FIDIUS
+  module EvasionDB
+
+    def self.migrate migrations_path, db_config_path
+      @CFG_D = db_config_path
+
+      self.connection_data
+
+      begin
+        self.drop_database @connection_data['evasion_db']
+      rescue
+        puts "DB drop: Could not find database #{@connection_data['database']}"
+      end
+
+      self.create_database @connection_data['evasion_db']
+
+      self.with_db do
+        ActiveRecord::Migrator.migrate(migrations_path, ENV["VERSION"] ? ENV["VERSION"].to_i : nil)
+      end
+    end
+
+    def connection_data
+      @connection_data ||= YAML.load_file("#{@CFG_D}/database.yml")
+    end
+
+    def with_db &block
+      begin
+        ActiveRecord::Base.establish_connection(connection_data['evasion_db'])
+        ActiveRecord::Base.logger = Logger.new(STDOUT)
+        ActiveRecord::Base.logger.level = Logger::WARN
+        yield connection_data
+      rescue
+        raise
+      ensure
+        ActiveRecord::Base.connection.disconnect!
+      end
+    end
+
+    # copied and modified activerecord-3.0.4/lib/active_record/railties/database.rake
+    def drop_database(config)
+      case config['adapter']
+      when /sqlite/
+        FileUtils.rm (config['database'])
+      when /mysql/
+        ActiveRecord::Base.establish_connection(config)
+        ActiveRecord::Base.connection.drop_database config['database']
+      when 'postgresql'
+        ActiveRecord::Base.establish_connection(config.merge('database' => 'postgres', 'schema_search_path' => 'public'))
+        ActiveRecord::Base.connection.drop_database config['database']
+      end
+    end
+
+    # dito
+    def create_database(config)
+      case config['adapter']
+
+      when /mysql/
+        require 'mysql'
+        @charset   = ENV['CHARSET']   || 'utf8'
+        @collation = ENV['COLLATION'] || 'utf8_unicode_ci'
+        creation_options = {:charset => (config['charset'] || @charset), :collation => (config['collation'] || @collation)}
+        error_class = config['adapter'] =~ /mysql2/ ? Mysql2::Error : Mysql::Error
+        access_denied_error = 1045
+        begin
+          ActiveRecord::Base.establish_connection(config.merge('database' => nil))
+          ActiveRecord::Base.connection.create_database(config['database'], creation_options)
+          ActiveRecord::Base.establish_connection(config)
+        rescue error_class => sqlerr
+          if sqlerr.errno == access_denied_error
+            print "#{sqlerr.error}. \nPlease provide the root password for your mysql installation\n>"
+          root_password = $stdin.gets.strip
+            grant_statement = "GRANT ALL PRIVILEGES ON #{config['database']}.* " \
+            "TO '#{config['username']}'@'localhost' " \
+            "IDENTIFIED BY '#{config['password']}' WITH GRANT OPTION;"
+            ActiveRecord::Base.establish_connection(config.merge('database' => nil, 'username' => 'root', 'password' => root_password))
+            ActiveRecord::Base.connection.create_database(config['database'], creation_options)
+            ActiveRecord::Base.connection.execute grant_statement
+            ActiveRecord::Base.establish_connection(config)
+          else
+            $stderr.puts sqlerr.error
+            $stderr.puts "Couldn't create database for #{config.inspect}, charset: #{config['charset'] || @charset}, collation: #{config['collation'] || @collation}"
+            $stderr.puts "(if you set the charset manually, make sure you have a matching collation)" if config['charset']
+          end
+        end
+      when 'postgresql'
+        @encoding = config['encoding'] || ENV['CHARSET'] || 'utf8'
+        begin
+          ActiveRecord::Base.establish_connection(config.merge('database' => 'postgres', 'schema_search_path' => 'public'))
+          ActiveRecord::Base.connection.create_database(config['database'], config.merge('encoding' => @encoding))
+          ActiveRecord::Base.establish_connection(config)
+        rescue Exception => e
+          $stderr.puts e, *(e.backtrace)
+          $stderr.puts "Couldn't create database for #{config.inspect}"
+        end
+      end
+
+    end
+  end
+end

data/lib/db/migrations/001_create_packets.rb

@@ -0,0 +1,18 @@
+class CreatePackets < ActiveRecord::Migration
+  def self.up
+    create_table :packets do |t|
+      t.integer :attack_module_id
+      t.integer :attack_payload_id
+      t.string :src_addr
+      t.string :dest_addr
+      t.string :src_port
+      t.string :dest_port
+      t.column :payload, :binary
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :packets
+  end
+end

data/lib/db/migrations/002_create_idmef_events.rb

@@ -0,0 +1,23 @@
+class CreateIdmefEvents < ActiveRecord::Migration
+  def self.up
+    create_table :idmef_events do |t|
+      t.integer :attack_module_id
+      t.integer :attack_payload_id
+      t.column :payload, :binary
+      t.datetime :detect_time
+      t.string :dest_ip
+      t.string :src_ip
+      t.integer :dest_port
+      t.integer :src_port
+      t.string :text
+      t.string :severity
+      t.string :analyzer_model
+      t.column :ident, :bigint
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :idmef_events
+  end
+end

data/lib/db/migrations/003_create_attack_modules.rb

@@ -0,0 +1,14 @@
+class CreateAttackModules < ActiveRecord::Migration
+  def self.up
+    create_table :attack_modules do |t|
+      t.string :name
+      t.string :options_hash
+      t.boolean :finished, :default=>false
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :attack_modules
+  end
+end

data/lib/db/migrations/004_create_attack_options.rb

@@ -0,0 +1,14 @@
+class CreateAttackOptions < ActiveRecord::Migration
+  def self.up
+    create_table :attack_options do |t|
+      t.integer :attack_module_id
+      t.string :option_key
+      t.string :option_value
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :attack_options
+  end
+end

data/lib/db/migrations/005_create_attack_payloads.rb

@@ -0,0 +1,13 @@
+class CreateAttackPayloads < ActiveRecord::Migration
+  def self.up
+    create_table :attack_payloads do |t|
+      t.string :name
+      t.integer :attack_module_id
+      t.timestamps
+    end
+  end
+
+  def self.down
+    drop_table :attack_payloads
+  end
+end