fidius-evasiondb 0.0.1

data/test/test_preludedb.rb

@@ -0,0 +1,41 @@
+require_relative 'helper'
+class TestPreludeDB < Test::Unit::TestCase
+  def test_prelude_event
+    PreludeDBHelper.setup_prelude_db($yml_config["ids_db"])
+    PreludeDBHelper.insert_event(223,"BadExploit","snort")
+
+    p = FIDIUS::PreludeDB::Alert.first
+    p = FIDIUS::PreludeDB::Classification.first
+    p1 = FIDIUS::PreludeDB::PreludeEvent.find :first
+    p2 = FIDIUS::PreludeDB::PreludeEvent.find :last
+    assert_equal p1.id, p2.id
+    assert_equal [p1],FIDIUS::PreludeDB::PreludeEvent.find(:all)
+    assert_equal p1, FIDIUS::PreludeDB::PreludeEvent.find(p1.id)
+
+    assert_equal "127.0.0.1", p1.source_ip
+    assert_equal "127.0.0.1", p1.dest_ip
+    assert_equal 445, p1.source_port
+    assert_equal 446, p1.dest_port
+    assert_equal FIDIUS::PreludeDB::DetectTime.first.time, p1.detect_time
+    assert_equal "BadExploit", p1.text
+    assert_equal "high", p1.severity
+    assert_equal "snort", p1.analyzer_model
+    assert_equal 223, p1.id
+    assert_equal "00042a60-1fd5-11df-ad31", p1.messageid
+    assert_equal "BadExploit: 127.0.0.1:445 -> 127.0.0.1:446", p1.to_s
+
+    p1 = FIDIUS::PreludeDB::PreludeEvent.new(nil)
+    assert_equal "No Ref", p1.source_ip
+    assert_equal "No Ref", p1.dest_ip
+    assert_equal "No Ref", p1.source_port
+    assert_equal "No Ref", p1.dest_port
+    assert_equal "No Ref", p1.detect_time
+    assert_equal "No Ref", p1.text
+    assert_equal "No Ref", p1.analyzer_model
+    assert_equal "No Ref", p1.severity
+    assert_equal "No Ref", p1.id
+    assert_equal "No Ref", p1.messageid
+    assert_equal "No Ref: No Ref:No Ref -> No Ref:No Ref", p1.to_s
+
+  end
+end

data/test/test_recorders.rb

@@ -0,0 +1,115 @@
+require_relative 'helper'
+
+module FIDIUS
+  module EvasionDB
+    module TestFetcher
+      def fetch_events(*args)
+        result = []
+        5.times do |i|
+          result << FIDIUS::EvasionDB::Knowledge::IdmefEvent.create(:payload=>"payload",
+                            :detect_time=>Time.now,
+                            :dest_ip=>"10.0.0.1",:src_ip=>"10.20.20.1",
+                            :dest_port=>445,:src_port=>4465,
+                            :text=>"Hard Event",:severity=>"High",
+                            :analyzer_model=>"Snort",:ident=>i)
+        end
+        result
+      end
+    end
+  end
+end
+class TestRecorders < Test::Unit::TestCase
+  class SocketStub
+    def localhost
+      "10.0.0.1"
+    end
+    def localport
+      4446
+    end
+    def peerhost
+      "10.20.20.1"
+    end
+    def peerport
+      445
+    end
+  end
+
+  class MsfModuleInstanceStub
+    def datastore
+      {"RHOST"=>"127.0.0.1","Payload" => "windows/meterpreter/bind_tcp","RHOSTS"=>"127.0.0.1"}
+    end
+    def fullname
+      "windows/smb/ms08_067_netapi"
+    end
+  end
+
+  def test_msf_recorder
+    FIDIUS::EvasionDB::Knowledge::AttackModule.destroy_all
+    instance = MsfModuleInstanceStub.new
+    socket = SocketStub.new
+    FIDIUS::EvasionDB.use_recoder "Msf-Recorder"
+    FIDIUS::EvasionDB.use_fetcher "TestFetcher"
+
+    FIDIUS::EvasionDB.current_recorder.module_started(instance)
+    assert_equal 1, FIDIUS::EvasionDB::Knowledge::AttackModule.all.size
+    assert_equal instance.fullname,  FIDIUS::EvasionDB::Knowledge::AttackModule.first.name
+    10.times do |i|
+      FIDIUS::EvasionDB.current_recorder.log_packet(instance,"payload#{i}",socket)
+    end
+    FIDIUS::EvasionDB.current_recorder.module_completed(instance)
+    assert_equal "127.0.0.1", FIDIUS::EvasionDB.current_fetcher.local_ip
+    assert_equal 10,  FIDIUS::EvasionDB::Knowledge::AttackModule.first.packets.size
+  end
+
+  def test_meterpreter_record
+    FIDIUS::EvasionDB::Knowledge::AttackModule.destroy_all
+
+    instance = MsfModuleInstanceStub.new
+    socket = SocketStub.new
+    FIDIUS::EvasionDB.use_recoder "Msf-Recorder"
+    FIDIUS::EvasionDB.use_fetcher "TestFetcher"
+
+    FIDIUS::EvasionDB.current_recorder.module_started(instance)
+    assert_equal 1, FIDIUS::EvasionDB::Knowledge::AttackModule.all.size
+    assert_equal instance.fullname,  FIDIUS::EvasionDB::Knowledge::AttackModule.first.name
+
+    FIDIUS::EvasionDB.current_recorder.module_completed(instance)
+    10.times do |i|
+      FIDIUS::EvasionDB.current_recorder.log_packet("Meterpreter","payload#{i}",socket)
+    end
+    FIDIUS::EvasionDB.current_recorder.module_completed(instance)
+    assert_equal "127.0.0.1", FIDIUS::EvasionDB.current_fetcher.local_ip
+    assert_equal 10,  FIDIUS::EvasionDB::Knowledge::AttackModule.first.attack_payload.packets.size
+  end
+
+  def test_module_error
+    FIDIUS::EvasionDB::Knowledge::AttackModule.destroy_all
+    instance = MsfModuleInstanceStub.new
+    socket = SocketStub.new
+    FIDIUS::EvasionDB.use_recoder "Msf-Recorder"
+    FIDIUS::EvasionDB.use_fetcher "TestFetcher"
+
+    FIDIUS::EvasionDB.current_recorder.module_started(instance)
+    assert_equal 1, FIDIUS::EvasionDB::Knowledge::AttackModule.all.size
+    assert_equal instance.fullname,  FIDIUS::EvasionDB::Knowledge::AttackModule.first.name
+    10.times do |i|
+      FIDIUS::EvasionDB.current_recorder.log_packet(instance,"payload#{i}",socket)
+    end
+    FIDIUS::EvasionDB.current_recorder.module_error(instance,"ERROR")
+    assert_equal "127.0.0.1", FIDIUS::EvasionDB.current_fetcher.local_ip
+    assert_equal 10,  FIDIUS::EvasionDB::Knowledge::AttackModule.first.packets.size
+
+  end
+
+  def test_overwrites
+    recorder = FIDIUS::EvasionDB::Recorder.new("a") do
+
+    end
+    assert_raises RuntimeError do
+      recorder.start
+    end
+    assert_raises RuntimeError do
+      recorder.log_packet
+    end
+  end
+end

metadata

@@ -0,0 +1,238 @@
+--- !ruby/object:Gem::Specification 
+name: fidius-evasiondb
+version: !ruby/object:Gem::Version 
+  prerelease: false
+  segments: 
+  - 0
+  - 0
+  - 1
+  version: 0.0.1
+platform: ruby
+authors: 
+- "Jens F\xC3\xA4rber"
+- Bernhard Katzmarski
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-04-20 00:00:00 +02:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: fidius-common
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: activerecord
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        version: "0"
+  type: :runtime
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: activerecord
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 3
+        - 0
+        - 0
+        version: 3.0.0
+  type: :runtime
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: activesupport
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 3
+        - 0
+        - 0
+        version: 3.0.0
+  type: :runtime
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: fidius-common
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        segments: 
+        - 0
+        - 0
+        - 4
+        version: 0.0.4
+  type: :runtime
+  version_requirements: *id005
+description: |-
+  The FIDIUS EvasionDB Gem provides a database which contains knowledge about metasploit exploits and their corresponding alerts/events produced by intrusion detection systems (IDS).
+  
+  It includes a Metasploit plugin which supports the recording of thrown alerts during the execution of an exploit.
+email: 
+- jfaerber+evasiondb@tzi.de
+- bkatzm+evasiondb@tzi.de
+executables: 
+- fidius-evasiondb
+extensions: []
+
+extra_rdoc_files: []
+
+files: 
+- .gitignore
+- .yardopts
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/fidius-evasiondb
+- evasion-db.gemspec
+- lib/db/db-install.rb
+- lib/db/migrations/001_create_packets.rb
+- lib/db/migrations/002_create_idmef_events.rb
+- lib/db/migrations/003_create_attack_modules.rb
+- lib/db/migrations/004_create_attack_options.rb
+- lib/db/migrations/005_create_attack_payloads.rb
+- lib/evasion-db/base.rb
+- lib/evasion-db/idmef-fetchers/fetchers.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/fetcher.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/models/additional_data.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/models/address.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/models/alert.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/models/analyzer.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/models/classification.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/models/connection.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/models/detect_time.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/models/impact.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/models/prelude_event.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/models/service.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/patches/postgres_patch.rb
+- lib/evasion-db/idmef-fetchers/prelude-db/lib/prelude_event_fetcher.rb
+- lib/evasion-db/idmef-fetchers/test-fetcher/fetcher.rb
+- lib/evasion-db/idmef-fetchers/test-fetcher/lib/test_fetcher.rb
+- lib/evasion-db/knowledge.rb
+- lib/evasion-db/knowledge/attack_module.rb
+- lib/evasion-db/knowledge/attack_option.rb
+- lib/evasion-db/knowledge/attack_payload.rb
+- lib/evasion-db/knowledge/connection.rb
+- lib/evasion-db/knowledge/idmef_event.rb
+- lib/evasion-db/knowledge/packet.rb
+- lib/evasion-db/log_matches_helper.rb
+- lib/evasion-db/recorders/msf-recorder/lib/msf-recorder.rb
+- lib/evasion-db/recorders/msf-recorder/recorder.rb
+- lib/evasion-db/recorders/recorders.rb
+- lib/evasion-db/version.rb
+- lib/fidius-evasiondb.rb
+- lib/msf-plugins/database.yml.example
+- lib/msf-plugins/evasiondb.rb
+- test/config/database.yml
+- test/config/prelude.sql
+- test/helper.rb
+- test/preludedb_helper.rb
+- test/test_fetchers.rb
+- test/test_knowledge.rb
+- test/test_preludedb.rb
+- test/test_recorders.rb
+has_rdoc: true
+homepage: http://fidius.me
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --title
+- fidius-evasiondb
+- --main
+- README.md
+- --show-hash
+- - lib/db/db-install.rb
+  - lib/db/migrations/001_create_packets.rb
+  - lib/db/migrations/002_create_idmef_events.rb
+  - lib/db/migrations/003_create_attack_modules.rb
+  - lib/db/migrations/004_create_attack_options.rb
+  - lib/db/migrations/005_create_attack_payloads.rb
+  - lib/evasion-db/base.rb
+  - lib/evasion-db/idmef-fetchers/fetchers.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/fetcher.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/additional_data.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/address.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/alert.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/analyzer.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/classification.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/connection.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/detect_time.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/impact.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/prelude_event.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/models/service.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/patches/postgres_patch.rb
+  - lib/evasion-db/idmef-fetchers/prelude-db/lib/prelude_event_fetcher.rb
+  - lib/evasion-db/idmef-fetchers/test-fetcher/fetcher.rb
+  - lib/evasion-db/idmef-fetchers/test-fetcher/lib/test_fetcher.rb
+  - lib/evasion-db/knowledge.rb
+  - lib/evasion-db/knowledge/attack_module.rb
+  - lib/evasion-db/knowledge/attack_option.rb
+  - lib/evasion-db/knowledge/attack_payload.rb
+  - lib/evasion-db/knowledge/connection.rb
+  - lib/evasion-db/knowledge/idmef_event.rb
+  - lib/evasion-db/knowledge/packet.rb
+  - lib/evasion-db/log_matches_helper.rb
+  - lib/evasion-db/recorders/msf-recorder/lib/msf-recorder.rb
+  - lib/evasion-db/recorders/msf-recorder/recorder.rb
+  - lib/evasion-db/recorders/recorders.rb
+  - lib/evasion-db/version.rb
+  - lib/fidius-evasiondb.rb
+  - lib/msf-plugins/database.yml.example
+  - lib/msf-plugins/evasiondb.rb
+- README.md
+- LICENSE
+- CREDITS.md
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      segments: 
+      - 0
+      version: "0"
+requirements: []
+
+rubyforge_project: ""
+rubygems_version: 1.3.7
+signing_key: 
+specification_version: 3
+summary: The FIDIUS EvasionDB Gem provides a database which contains knowledge about metasploit exploits and their corresponding alerts/events produced by intrusion detection systems (IDS).
+test_files: []
+