sdee 0.0.5 → 0.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6c39d248867f7a55a8ea2cbd846691a2f1efb189
-  data.tar.gz: 322f39dfdae8b005eda45483c08180adbf61b7af
+  metadata.gz: d7400ca72437d03e9249f3b91a190fecb02b8a72
+  data.tar.gz: fc34ce94cbd1a08adeb77a30e4941f0bd5e43a35
 SHA512:
-  metadata.gz: f1bf0f3ebd41dcdda633900f261ea8499e678a96da671def45347251a694a78866e1cd9c6c49209eac99f81e72480ac7a0c1ebae73b5c23728bbef99d6638c53
-  data.tar.gz: fd59c85676a8d136c2ee729dc29f0a9f708356462541979a964b96cb7de24135c0ee7dfc73fced027c98e3cf644b564762429651617177229d6041e160969d97
+  metadata.gz: b83055d523805ae87fb1e28791cb292f4891325550e1d202cee1c8b592ca3c8078af65b41465c6629f0cd084f2b67cc68f53e454275e887c33b1b9b711085825
+  data.tar.gz: 6a21642660cbfbfc27d3ed575d6515fc6d1f5300dd7a436205531340411a7f23ecc8b3685bf5699a6eff1c905b1f9e4e7a648477046f7eceee46764eee28c228

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+coverage
+InstalledFiles
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+
+# YARD artifacts
+.yardoc
+_yardoc
+doc/

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,28 @@
+PATH
+  remote: .
+  specs:
+    sdee (0.0.5)
+      json
+      nokogiri (~> 1.5.0, >= 1.5.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    diff-lcs (1.2.5)
+    json (1.8.1)
+    nokogiri (1.5.10)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.7)
+    rspec-expectations (2.14.4)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.14.4)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  rspec
+  sdee!

data/LICENSE

@@ -0,0 +1,339 @@
+GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    Simple ruby SDEE poller
+    Copyright (C) 2013  Elbii
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  {signature of Ty Coon}, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.

data/README.md

@@ -0,0 +1,6 @@
+ruby-sdee
+=========
+
+Simple ruby SDEE poller
+
+See example.rb for a simple example.

data/Rakefile

@@ -0,0 +1,5 @@
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/{example.rb → examples/simple.rb}

@@ -1,10 +1,10 @@
 require 'sdee'
 
 # create new SDEE connection
-sdee = SDEE.new(host: 'localhost', user: 'user', pass: 'pass')
+poller = SDEE::Poller.new(host: '10.122.196.67', user: 'cisco', pass: 'MTD@c1sc0')
 
 # login and set subscriptionId, sessionId
-sdee.login
+poller.login
 
 # print events every 1 second in JSON format
-sdee.poll_events 1
+poller.poll_events 1

data/lib/sdee.rb

@@ -1,170 +1,7 @@
-require 'base64'
-require 'net/https'
-require 'uri'
-require 'nokogiri'
-require 'json'
+require 'sdee/poller'
+require 'sdee/alert'
 
-class Alert
-  attr_accessor :event_id, :severity, :originator, :alert_time, :risk_rating,
-    :protocol, :sig_id, :subsig_id, :sig_version, :sig_detail, :attacker,
-    :targets, :attacker_locality, :target_locality, :attacker_port,
-    :target_port, :threat_rating
-
-  def initialize(xml_doc)
-    @doc = xml_doc
-
-    build_alert
-    build_sig
-    build_participants 
-  end
-
-  def to_hash
-    vars = {}
-
-    instance_variables.reject {|var| var == :@doc }.each do |var|
-      vars[var.to_s[1..-1]] = instance_variable_get(var)
-    end
-
-    vars
-  end
-
-  def to_json
-    to_hash.to_json
-  end
-
-  private
-
-  def build_alert
-    @event_id = @doc.xpath('//sd:evIdsAlert').first.attribute('eventId').value
-    @severity = @doc.xpath('//sd:evIdsAlert').first.attribute('severity').value
-    @originator = @doc.xpath('//sd:originator').first.
-      xpath('sd:hostId').first.text
-    @alert_time = @doc.xpath('//sd:time').first.text
-    @risk_rating = @doc.xpath('//cid:riskRatingValue').first.text
-    @threat_rating = @doc.xpath('//cid:threatRatingValue').first.text
-    @protocol = @doc.xpath('//cid:protocol').first.text
-  end
-
-  def build_sig
-    sig = @doc.xpath('//sd:signature').first
-
-    @sig_id = sig.attribute('id').value
-    @sig_version = sig.attribute('version').value
-    @subsig_id = sig.xpath('//cid:subsigId').first.text
-
-    begin
-      @sig_detail = sig.xpath('//cid:sigDetails').first.text
-    rescue
-      @sig_detail = sig.attribute('description').value
-    end
-  end
-
-  def build_participants
-    @targets = []
-
-    attacker = @doc.xpath('//sd:attacker').first
-    attacker_addr = attacker.xpath('//sd:addr').first
-    @attacker_locality = attacker_addr.attribute('locality').value
-    @attacker = attacker_addr.text
-
-    begin
-      @attacker_port = attacker.xpath('//sd:port').first.text
-    rescue
-      @attacker_port = '0'
-    end
-
-    target_list = @doc.xpath('//sd:target')
-
-    target_list.each do |target|
-      data = {}
-
-      target_addr = target.xpath('//sd:addr').first
-
-      data['target'] = target_addr.text
-      data['target_locality'] = target_addr.attribute('locality').value
-
-      begin
-        data['target_port'] = target.xpath('//sd:port').first.text
-      rescue
-        data['target_port'] = '0'
-      end
-
-      @targets << data
-    end
-  end
-end
-
-class SDEE
-  def initialize(options = {})
-    @host = options[:host]
-    @path = '/cgi-bin/sdee-server'
-    @proto = 'https://'
-
-    @creds = Base64.encode64("#{options[:user]}:#{options[:pass]}")
-  end
-
-  def login
-    params = {
-      action: 'open',
-      events: 'evIdsAlert',
-      force: 'yes'
-    }
-
-    response = request params
-    doc = Nokogiri::XML(response.body)
-
-    @session_id = doc.xpath('//env:Header').first.
-      xpath('//sd:oobInfo').first.
-      xpath('//sd:sessionId').first.text
-
-    @subscription_id = doc.xpath('//env:Body').first.
-      xpath('//sd:subscriptionId').first.text
-
-    response
-  end
-
-  def poll_events(sleep_time=5)
-    while true do
-      get_events
-      sleep sleep_time
-    end
-  end
-
-  def get_events
-    puts "Please login first" unless @subscription_id
-
-    params = {
-      action: 'get',
-      confirm: 'yes',
-      timeout: 1,
-      maxNbrofEvents: 20,
-      subscriptionId: @subscription_id,
-      sessionId: @session_id
-    }
-
-    res = request params
-    doc = Nokogiri::XML(res.body)
-
-    xml_alerts = doc.xpath("//sd:evIdsAlert")
-    hash_alerts = xml_alerts.collect {|x| Alert.new(x).to_hash }.uniq
-
-    hash_alerts.each {|h| puts h.to_json }
-
-    hash_alerts
-  end
-
-  def request(params)
-    http = Net::HTTP.new(@host, 443)
-    http.use_ssl = true
-    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-    http.ssl_version = :SSLv3
-
-    uri = URI(@proto + @host + @path)
-    uri.query = URI.encode_www_form(params)
-
-    req = Net::HTTP::Get.new(uri)
-    req['Authorization'] = "BASIC #{@creds}"
-
-    response = http.request(req)
+module SDEE
+  class << self
   end
 end

data/lib/sdee/alert.rb

@@ -0,0 +1,93 @@
+require 'json'
+
+module SDEE
+  class Alert
+    attr_accessor :event_id, :severity, :originator, :alert_time, :risk_rating,
+      :protocol, :sig_id, :subsig_id, :sig_version, :sig_detail, :attacker,
+      :targets, :attacker_locality, :target_locality, :attacker_port,
+      :target_port, :threat_rating
+
+    def initialize(xml_doc)
+      @alert_xml = xml_doc
+
+      build_alert
+      build_sig
+      build_participants 
+    end
+
+    def to_hash
+      vars = {}
+
+      instance_variables.reject {|var| var == :@alert_xml }.each do |var|
+        vars[var.to_s[1..-1]] = instance_variable_get(var)
+      end
+
+      vars
+    end
+
+    def to_json
+      to_hash.to_json
+    end
+
+    private
+
+    def build_alert
+      @event_id = @alert_xml.attribute('eventId').value
+      @severity = @alert_xml.attribute('severity').value
+      @originator = @alert_xml.xpath('.//sd:originator').first.
+        xpath('sd:hostId').first.text
+      @alert_time = @alert_xml.xpath('.//sd:time').first.text
+      @risk_rating = @alert_xml.xpath('.//cid:riskRatingValue').first.text
+      @threat_rating = @alert_xml.xpath('.//cid:threatRatingValue').first.text
+      @protocol = @alert_xml.xpath('.//cid:protocol').first.text
+    end
+
+    def build_sig
+      sig = @alert_xml.xpath('.//sd:signature').first
+
+      @sig_id = sig.attribute('id').value
+      @sig_version = sig.attribute('version').value
+      @subsig_id = sig.xpath('.//cid:subsigId').first.text
+
+      begin
+        @sig_detail = sig.xpath('.//cid:sigDetails').first.text
+      rescue
+        @sig_detail = sig.attribute('description').value
+      end
+    end
+
+    def build_participants
+      @targets = []
+
+      attacker = @alert_xml.xpath('.//sd:attacker').first
+      attacker_addr = attacker.xpath('.//sd:addr').first
+      @attacker_locality = attacker_addr.attribute('locality').value
+      @attacker = attacker_addr.text
+
+      begin
+        @attacker_port = attacker.xpath('.//sd:port').first.text
+      rescue
+        @attacker_port = '0'
+      end
+
+      target_list = @alert_xml.xpath('.//sd:target')
+
+      target_list.each do |target|
+        data = {}
+
+        target_addr = target.xpath('.//sd:addr').first
+
+        data['target'] = target_addr.text
+        data['target_locality'] = target_addr.attribute('locality').value
+
+        begin
+          data['target_port'] = target.xpath('.//sd:port').first.text
+        rescue
+          data['target_port'] = '0'
+        end
+
+        @targets << data
+      end
+    end
+  end
+end

data/lib/sdee/poller.rb

@@ -0,0 +1,82 @@
+require 'json'
+require 'uri'
+require 'net/https'
+require 'base64'
+require 'nokogiri'
+
+module SDEE
+  class Poller
+    def initialize(options = {})
+      @host = options[:host]
+      @path = '/cgi-bin/sdee-server'
+      @proto = 'https://'
+
+      @creds = Base64.encode64("#{options[:user]}:#{options[:pass]}")
+    end
+
+    def login
+      params = {
+        action: 'open',
+        events: 'evIdsAlert',
+        force: 'yes'
+      }
+
+      response = request params
+      doc = Nokogiri::XML(response.body)
+
+      @session_id = doc.xpath('//env:Header').first.
+        xpath('//sd:oobInfo').first.
+        xpath('//sd:sessionId').first.text
+
+      @subscription_id = doc.xpath('//env:Body').first.
+        xpath('//sd:subscriptionId').first.text
+
+      response
+    end
+
+    def poll_events(sleep_time=5)
+      while true do
+        get_events
+        sleep sleep_time
+      end
+    end
+
+    def get_events
+      puts "Please login first" unless @subscription_id
+
+      params = {
+        action: 'get',
+        confirm: 'yes',
+        timeout: 1,
+        maxNbrofEvents: 20,
+        subscriptionId: @subscription_id,
+        sessionId: @session_id
+      }
+
+      res = request params
+      doc = Nokogiri::XML(res.body)
+
+      xml_alerts = doc.xpath("//sd:evIdsAlert")
+      hash_alerts = xml_alerts.collect {|x| Alert.new(x.to_s).to_hash }.uniq
+
+      hash_alerts.each {|h| puts h.to_json }
+
+      hash_alerts
+    end
+
+    def request(params)
+      http = Net::HTTP.new(@host, 443)
+      http.use_ssl = true
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      http.ssl_version = :SSLv3
+
+      uri = URI(@proto + @host + @path)
+      uri.query = URI.encode_www_form(params)
+
+      req = Net::HTTP::Get.new(uri)
+      req['Authorization'] = "BASIC #{@creds}"
+
+      http.request(req)
+    end
+  end
+end

data/sdee.gemspec

@@ -0,0 +1,14 @@
+Gem::Specification.new do |s|
+  s.name          = 'sdee'
+  s.version       = '0.0.6'
+  s.summary       = 'Simple Ruby SDEE Poller'
+  s.description   = 'Secure Device Event Exchange (SDEE) is a simple HTTP-based protocol used by security appliances to exchange events and alerts. Results are returned in XML. This is a very bare-bones ruby implementation to get SDEE events from a Cisco IPS in JSON format.'
+  s.authors       = ['Jamil Bou Kheir']
+  s.email         = 'jamil@elbii.com'
+  s.files         = `git ls-files`.split("\n")
+  s.homepage      = 'https://github.com/elbii/ruby-sdee'
+  s.license       = 'MIT'
+  s.add_runtime_dependency 'nokogiri', '~> 1.5.0', '>= 1.5.0'
+  s.add_runtime_dependency 'json'
+  s.add_development_dependency 'rspec'
+end

data/spec/alert_spec.rb

@@ -0,0 +1,157 @@
+require 'sdee'
+
+describe SDEE::Alert do
+  before :all do
+    @doc = Nokogiri::XML(File.open('./spec/data/sample.xml'))
+  end    
+
+  context 'first alert' do
+    before :all do
+      alert_xml = @doc.xpath('//sd:evIdsAlert').first
+      @alert = SDEE::Alert.new(alert_xml)
+    end
+
+    it 'should parse event_id' do
+      @alert.event_id.should eq '6823242457034'
+    end
+
+    it 'should parse severity' do
+      @alert.severity.should eq 'informational'
+    end
+
+    it 'should parse originator' do
+      @alert.originator.should eq 'sample_host'
+    end
+
+    it 'should parse alert_time' do
+      @alert.alert_time.should eq '1385965224300024000'
+    end
+
+    it 'should parse risk_rating' do
+      @alert.risk_rating.should eq '15'
+    end
+
+    it 'should parse protocol' do
+      @alert.protocol.should eq 'IP protocol 0'
+    end
+
+    it 'should parse sig_id' do
+      @alert.sig_id.should eq '1208'
+    end
+
+    it 'should parse subsig_id' do
+      @alert.subsig_id.should eq '0'
+    end
+
+    it 'should parse sig_version' do
+      @alert.sig_version.should eq 'S212'
+    end
+
+    it 'should parse sig_detail' do
+      @alert.sig_detail.should eq 'Fragmented IP Datagram with fragments missing'
+    end
+
+    it 'should parse attacker' do
+      @alert.attacker.should eq '0.0.0.0'
+    end
+
+    it 'should parse targets' do
+      @alert.targets.first['target'].should include '0.0.0.0'
+    end
+
+    it 'should parse attacker_locality' do
+      @alert.attacker_locality.should eq 'OUT'
+    end
+
+    it 'should parse target_locality' do
+      @alert.targets.first['target_locality'].should eq 'OUT'
+    end
+
+    it 'should parse attacker_port' do
+      @alert.attacker_port.should eq '0'
+    end
+
+    it 'should parse target_port' do
+      @alert.targets.first['target_port'].should eq '0'
+    end
+
+    it 'should parse threat_rating' do
+      @alert.threat_rating.should eq '15'
+    end
+  end
+
+  context 'second alert' do
+    before :all do
+      alert_xml = @doc.xpath('//sd:evIdsAlert').last
+      @alert = SDEE::Alert.new(alert_xml)
+    end
+
+    it 'should parse event_id' do
+      @alert.event_id.should eq '6823242457036'
+    end
+
+    it 'should parse severity' do
+      @alert.severity.should eq 'high'
+    end
+
+    it 'should parse originator' do
+      @alert.originator.should eq 'sample_host'
+    end
+
+    it 'should parse alert_time' do
+      @alert.alert_time.should eq '1385965230914381000'
+    end
+
+    it 'should parse risk_rating' do
+      @alert.risk_rating.should eq '100'
+    end
+
+    it 'should parse protocol' do
+      @alert.protocol.should eq 'tcp'
+    end
+
+    it 'should parse sig_id' do
+      @alert.sig_id.should eq '3250'
+    end
+
+    it 'should parse subsig_id' do
+      @alert.subsig_id.should eq '0'
+    end
+
+    it 'should parse sig_version' do
+      @alert.sig_version.should eq 'S739'
+    end
+
+    it 'should parse sig_detail' do
+      @alert.sig_detail.should eq 'TCP Hijack'
+    end
+
+    it 'should parse attacker' do
+      @alert.attacker.should eq '10.0.0.2'
+    end
+
+    it 'should parse targets' do
+      @alert.targets.first['target'].should eq '10.1.0.8'
+    end
+
+    it 'should parse attacker_locality' do
+      @alert.attacker_locality.should eq 'OUT'
+    end
+
+    it 'should parse target_locality' do
+      @alert.targets.first['target_locality'].should eq 'OUT'
+    end
+
+    it 'should parse attacker_port' do
+      @alert.attacker_port.should eq '59433'
+    end
+
+    it 'should parse target_port' do
+      @alert.targets.first['target_port'].should eq '443'
+    end
+
+    it 'should parse threat_rating' do
+      @alert.threat_rating.should eq '100'
+    end
+  end
+end

data/spec/data/sample.xml

@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<env:Envelope xmlns="http://www.cisco.com/cids/2006/08/cidee" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:sd="http://example.org/2003/08/sdee" xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">
+  <env:Header>
+    <sd:oobInfo>
+      <sd:sessionId>5e5885fc07977bd48ea352344c7230de</sd:sessionId>
+    </sd:oobInfo>
+  </env:Header>
+  <env:Body>
+    <sd:events>
+      <sd:evIdsAlert eventId="6823242457034" vendor="Cisco" severity="informational">
+        <sd:originator>
+          <sd:hostId>sample_host</sd:hostId>
+          <cid:appName>sensorApp</cid:appName>
+          <cid:appInstanceId>27807</cid:appInstanceId>
+        </sd:originator>
+        <sd:time offset="0" timeZone="UTC">1385965224300024000</sd:time>
+        <sd:signature description="IP Fragment Incomplete Datagram" id="1208" cid:version="S212" cid:type="anomaly" cid:created="20030801">
+          <cid:subsigId>0</cid:subsigId>
+          <cid:sigDetails>Fragmented IP Datagram with fragments missing</cid:sigDetails>
+        </sd:signature>
+        <sd:interfaceGroup>vs0</sd:interfaceGroup>
+        <sd:vlan>0</sd:vlan>
+        <sd:participants>
+          <sd:attacker>
+            <sd:addr cid:locality="OUT">0.0.0.0</sd:addr>
+          </sd:attacker>
+          <sd:target>
+            <sd:addr cid:locality="OUT">0.0.0.0</sd:addr>
+            <cid:os idSource="unknown" type="unknown" relevance="unknown"/>
+          </sd:target>
+        </sd:participants>
+        <sd:actions>
+          <cid:denyPacketRequestedNotPerformed>true</cid:denyPacketRequestedNotPerformed>
+        </sd:actions>
+        <cid:riskRatingValue targetValueRating="medium">15</cid:riskRatingValue>
+        <cid:threatRatingValue>15</cid:threatRatingValue>
+        <cid:interface>Unknown</cid:interface>
+        <cid:protocol>IP protocol 0</cid:protocol>
+      </sd:evIdsAlert>
+      <evStatus eventId="6823242457035" vendor="Cisco">
+        <originator>
+          <hostId>sample_host</hostId>
+          <appName>cidwebserver</appName>
+          <appInstanceId>27425</appInstanceId>
+        </originator>
+        <time offset="0" timeZone="UTC">1385965228211631000</time>
+        <loginAction action="loggedIn">
+          <description>User logged into HTTP server</description>
+          <userName>admin</userName>
+          <userAddress port="59344">192.168.1.1</userAddress>
+        </loginAction>
+      </evStatus>
+      <sd:evIdsAlert eventId="6823242457036" vendor="Cisco" severity="high" cid:alarmTraits="32768">
+        <sd:originator>
+          <sd:hostId>sample_host</sd:hostId>
+          <cid:appName>sensorApp</cid:appName>
+          <cid:appInstanceId>27807</cid:appInstanceId>
+        </sd:originator>
+        <sd:time offset="0" timeZone="UTC">1385965230914381000</sd:time>
+        <sd:signature description="TCP Hijack" id="3250" cid:version="S739" cid:type="anomaly" cid:created="20010202">
+          <cid:subsigId>0</cid:subsigId>
+          <cid:sigDetails>TCP Hijack</cid:sigDetails>
+        </sd:signature>
+        <sd:interfaceGroup>vs0</sd:interfaceGroup>
+        <sd:vlan>0</sd:vlan>
+        <sd:participants>
+          <sd:attacker>
+            <sd:addr cid:locality="OUT">10.0.0.2</sd:addr>
+            <sd:port>59433</sd:port>
+          </sd:attacker>
+          <sd:target>
+            <sd:addr cid:locality="OUT">10.1.0.8</sd:addr>
+            <sd:port>443</sd:port>
+            <cid:os idSource="unknown" type="unknown" relevance="relevant"/>
+          </sd:target>
+        </sd:participants>
+        <sd:actions>
+          <cid:denyPacketRequestedNotPerformed>true</cid:denyPacketRequestedNotPerformed>
+        </sd:actions>
+        <cid:riskRatingValue targetValueRating="medium" attackRelevanceRating="relevant">100</cid:riskRatingValue>
+        <cid:threatRatingValue>100</cid:threatRatingValue>
+        <cid:interface>te0_0</cid:interface>
+        <cid:protocol>tcp</cid:protocol>
+      </sd:evIdsAlert>
+    </sd:events>
+  </env:Body>
+</env:Envelope>

data/spec/poller_spec.rb

@@ -0,0 +1,7 @@
+require 'sdee'
+
+describe SDEE::Poller do
+  it 'should eval' do
+    SDEE::Poller.should_not be_nil
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sdee
 version: !ruby/object:Gem::Version
-  version: 0.0.5
+  version: 0.0.6
 platform: ruby
 authors:
 - Jamil Bou Kheir
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-09-24 00:00:00.000000000 Z
+date: 2013-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -30,6 +30,34 @@ dependencies:
     - - '>='
       - !ruby/object:Gem::Version
         version: 1.5.0
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Secure Device Event Exchange (SDEE) is a simple HTTP-based protocol used
   by security appliances to exchange events and alerts. Results are returned in XML.
   This is a very bare-bones ruby implementation to get SDEE events from a Cisco IPS
@@ -39,11 +67,23 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- examples/simple.rb
 - lib/sdee.rb
-- example.rb
+- lib/sdee/alert.rb
+- lib/sdee/poller.rb
+- sdee.gemspec
+- spec/alert_spec.rb
+- spec/data/sample.xml
+- spec/poller_spec.rb
 homepage: https://github.com/elbii/ruby-sdee
 licenses:
-- GPL-2
+- MIT
 metadata: {}
 post_install_message: 
 rdoc_options: []
@@ -61,7 +101,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.1.3
+rubygems_version: 2.1.11
 signing_key: 
 specification_version: 4
 summary: Simple Ruby SDEE Poller