nwsdk 1.1.3

data/lib/nwsdk/packets.rb

@@ -0,0 +1,56 @@
+module Nwsdk
+  class Packets
+    include Helpers
+
+    attr_accessor :group, :file_prefix, :query, :endpoint, :condition
+
+    def initialize(*args)
+      Hash[*args].each {|k,v| self.send("%s="%k, v)}
+      @group       ||= 1000
+      @file_prefix ||= "pcap"
+      @query       ||= Nwsdk::Query.new(keys: %w{ sessionid })
+    end
+
+    def request
+      pcaps={}
+      each_pcap_group do | group |
+        pcaps[group[:filename]]=data
+      end
+      pcaps
+    end
+
+    def build_request(sessions=[])
+      endpoint.get_request(
+        path: 'sdk/packets',
+        params: {
+          sessions: sessions.join(',')
+        }
+      )
+    end
+
+    def get_pcap_data(sessions=[])
+      build_request(sessions).execute
+    end
+
+    def each_pcap_group
+      sessions=get_sessionids(self)
+      sessions_digits=sessions.size.to_s.length
+      session_counter=0
+      session_stamp=Time.new.to_i
+      fformat="%s_%0#{sessions_digits}d-%0#{sessions_digits}d.pcap"
+      sessions.each_slice(group) do |slice|
+        sstart=session_counter
+        ssend = sstart + slice.size - 1
+        fname=sprintf(fformat, file_prefix, sstart, ssend)
+        data=get_pcap_data(slice)
+        yield pcap_group={
+          group_start: sstart,
+          group_end:   ssend,
+          filename:    fname,
+          data:        data
+        }
+        session_counter += slice.size
+      end
+    end
+  end
+end

data/lib/nwsdk/query.rb

@@ -0,0 +1,62 @@
+module Nwsdk
+  class Query
+    include Helpers
+
+    attr_accessor :limit, :keys, :id1, :id2, :endpoint, :condition
+
+    def initialize(*args)
+      Hash[*args].each {|k,v| self.send("%s="%k, v)}
+      @limit   ||= 10000
+      @keys    ||= %w{ * }
+    end
+
+    def request
+      result=build_request.execute
+      if response_successful?(result)
+        unroll_result(JSON.parse(result))
+      else
+        result
+      end
+    end
+
+    def build_request
+      endpoint.get_request(
+        path: 'sdk',
+        params:   {
+          msg:   'query',
+          query: format_select,
+          size:  limit * width
+        }
+      )
+    end
+
+    def width
+      if keys==["*"]
+        100
+      else
+        keys.size
+      end
+    end
+
+    def format_select
+      sprintf("select %s where %s", keys.join(','), condition.format)
+    end
+
+    def unroll_result(result)
+      grouped=result["results"]["fields"].group_by {|f| f["group"] }
+      grouped.map do |gid,fields|
+        report=Hash.new
+        fields.each do |field|
+          key = field["type"]
+          val = decode_value(field)
+          if report.has_key?(key)
+            report[key]=[*report[key],val]
+          else
+            report[key]=val
+          end
+        end
+        report
+      end
+    end
+  end
+end

data/lib/nwsdk/timeline.rb

@@ -0,0 +1,48 @@
+module Nwsdk
+  class Timeline
+    include Helpers
+
+    attr_accessor :flags, :condition, :endpoint, :limit
+
+    def initialize(*args)
+      Hash[*args].each {|k,v| self.send("%s="%k, v)}
+      @limit ||= 10000
+      @flags ||= %w{ size }
+    end
+
+    def request
+      result=build_request.execute
+      if response_successful?(result)
+        res=count_results(JSON.parse(result))
+        keys=res.keys.map {|k| k - k.gmtoff}
+        Hash[keys.zip(res.values)]
+      else
+        result
+      end
+    end
+
+    def build_request
+      endpoint.get_request(
+        path: 'sdk',
+        params: build_params
+      )
+    end
+    def build_params
+      
+      params={
+        msg: 'timeline',
+        time1: format_timestamp(condition.time1),
+        time2: format_timestamp(condition.time2),
+        size:  limit,
+        timezone: 0,
+        flags: flags.join(','),
+      }
+      if condition.where.nil?
+        params
+      else
+        params.merge(where: condition.format(use_time: false))
+      end
+    end
+
+  end
+end

data/lib/nwsdk/values.rb

@@ -0,0 +1,38 @@
+module Nwsdk
+  class Values
+    include Helpers
+
+    attr_accessor :key_name, :flags, :limit, :condition, :endpoint
+
+    def initialize(*args)
+      Hash[*args].each {|k,v| self.send("%s="%k, v)}
+      @flags    ||= %w{ sort-total sessions order-descending }
+      @limit    ||= 10000
+      @key_name ||= 'service'
+    end
+
+    def build_request
+      endpoint.get_request(
+        path: 'sdk',
+        params: {
+          msg:       'values',
+          where:     condition.format(use_time: false),
+          time1:     format_timestamp(condition.time1.utc),
+          time2:     format_timestamp(condition.time2.utc),
+          size:      limit,
+          flags:     flags.join(','),
+          fieldName: key_name
+        }
+      )
+    end
+
+    def request
+      result=build_request.execute
+      if response_successful?(result)
+        count_results(JSON.parse(result))
+      else
+        result
+      end
+    end
+  end
+end

data/lib/nwsdk/version.rb

@@ -0,0 +1,3 @@
+module Nwsdk
+  VERSION = '1.1.3'
+end

data/lib/nwsdk.rb

@@ -0,0 +1,19 @@
+require 'rest-client'
+require 'openssl'
+require 'json'
+require 'ipaddr'
+require 'pry'
+require 'nwsdk/version'
+require 'nwsdk/constants'
+require 'nwsdk/helpers'
+require 'nwsdk/endpoint'
+require 'nwsdk/condition'
+require 'nwsdk/query'
+require 'nwsdk/packets'
+require 'nwsdk/values'
+require 'nwsdk/timeline'
+require 'nwsdk/content'
+
+module Nwsdk
+
+end

data/nwsdk.gemspec

@@ -0,0 +1,34 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'nwsdk/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'nwsdk'
+  spec.version       = Nwsdk::VERSION
+  spec.authors       = ['Ryan Breed']
+  spec.email         = ['ryan.breed@ercot.com']
+
+  spec.summary       = %q{ small wrapper around netwitness REST API }
+  spec.description   = %q{ allows users to run queries, extracts, and generate cef alerts }
+  spec.homepage      = 'http://github.com/ryanbreed/nwsdk'
+  spec.license       = 'GPLv3'
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = 'bin'
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_dependency 'cef', '~> 1.0'
+  spec.add_dependency 'chronic', '0.10.2'
+  spec.add_dependency 'rest-client', '~> 1.8'
+  spec.add_dependency 'thor', '~> 0.19'
+
+  spec.add_development_dependency 'pry', '~> 0.10'
+  spec.add_development_dependency 'bundler', '~> 1.10'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.3'
+  spec.add_development_dependency 'guard', '~> 2.13'
+  spec.add_development_dependency 'guard-rspec', '~> 4.6'
+  spec.add_development_dependency 'simplecov', '~> 0.10'
+end

metadata

@@ -0,0 +1,219 @@
+--- !ruby/object:Gem::Specification
+name: nwsdk
+version: !ruby/object:Gem::Version
+  version: 1.1.3
+platform: ruby
+authors:
+- Ryan Breed
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-09-03 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cef
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: chronic
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.10.2
+- !ruby/object:Gem::Dependency
+  name: rest-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: thor
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.19'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+- !ruby/object:Gem::Dependency
+  name: guard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.13'
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.6'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.6'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.10'
+description: " allows users to run queries, extracts, and generate cef alerts "
+email:
+- ryan.breed@ercot.com
+executables:
+- nw
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- Guardfile
+- LICENSE
+- README.md
+- Rakefile
+- bin/nw
+- lib/nwsdk.rb
+- lib/nwsdk/cli.rb
+- lib/nwsdk/condition.rb
+- lib/nwsdk/constants.rb
+- lib/nwsdk/content.rb
+- lib/nwsdk/endpoint.rb
+- lib/nwsdk/helpers.rb
+- lib/nwsdk/packets.rb
+- lib/nwsdk/query.rb
+- lib/nwsdk/timeline.rb
+- lib/nwsdk/values.rb
+- lib/nwsdk/version.rb
+- nwsdk.gemspec
+homepage: http://github.com/ryanbreed/nwsdk
+licenses:
+- GPLv3
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.5
+signing_key: 
+specification_version: 4
+summary: small wrapper around netwitness REST API
+test_files: []