RubyGems - suricata - Versions diffs - 0.2.0 - Mend

suricata 0.2.0

Files changed (21) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 8a347bc8cc5e5dbf6907cdef669ea7eebc314d01
+  data.tar.gz: e59816882b172ef88dc4567cd6f8f40333a42efb
+SHA512:
+  metadata.gz: 81b095d2a8fdd94c61bd956b90b90cf2ae8b37aed0567052040f823ab8e9e2a256ea8d2e356663262f0ab1d3fd7d00110eb060b50c43ab23864c96f91a7c41d9
+  data.tar.gz: 6c0d068cba65906585acde1fb1ecdc1875419e20161c9ddf5f788c859a310e57c42bdd2a9e39aaa04caeda0f3b69c7d96aa33bb0cc8aece4516c15bd7c373611

data/.gitignore ADDED Viewed

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.rspec ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ --format documentation
2	+ --color

data/.travis.yml ADDED Viewed

@@ -0,0 +1,5 @@
+sudo: false
+language: ruby
+rvm:
+  - 2.1.3
+before_install: gem install bundler -v 1.12.5

data/Gemfile ADDED Viewed

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+# Specify your gem's dependencies in suricata.gemspec
+gemspec

data/LICENSE.txt ADDED Viewed

@@ -0,0 +1,340 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+			    Preamble
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+  The precise terms and conditions for copying, distribution and
+modification follow.
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+			    NO WARRANTY
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+		     END OF TERMS AND CONDITIONS
+	    How to Apply These Terms to Your New Programs
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA
+Also add information on how to contact you by electronic and paper mail.
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.

data/README.md ADDED Viewed

@@ -0,0 +1,71 @@
+# Suricata
+[![GPL Licence](https://badges.frapsoft.com/os/gpl/gpl.png?v=103)](https://github.com/whotwagner/suricata/blob/master/LICENSE.txt)
+[![Build Status](https://travis-ci.org/whotwagner/suricata.svg?branch=master)](https://travis-ci.org/whotwagner/suricata)
+[![Inline docs](http://inch-ci.org/github/whotwagner/suricata.svg?branch=master)](http://inch-ci.org/github/whotwagner/suricata)
+[![Code Climate](https://codeclimate.com/github/whotwagner/suricata/badges/gpa.svg)](https://codeclimate.com/github/whotwagner/suricata)
+[![Gem Version](https://badge.fury.io/rb/suricata.svg)](https://badge.fury.io/rb/mindwave)
+This gem offers classes for parsing suricata logfiles. It ships with a nagios-plugin.
+## Installation
+Add this line to your application's Gemfile:
+```ruby
+gem 'suricata'
+```
+And then execute:
+    $ bundle
+Or install it yourself as:
+    $ gem install suricata
+## Usage
+### Nagios-Plugin
+This gem comes with a Nagios-plugin to search suricata's fast-logfile for specific strings in the threat-description.
+```
+Usage: check_suricata.rb [ -a alertfile ] [ -w whitelistfile ] -e searchstring
+    -h, --help                       This help screen
+    -a, --alertfile ALERTFILE        alertfile(default: /var/log/suricata/fast.log)
+    -w, --whitelist WHITELISTFILE    whitelistfile
+    -e, --search STRING              searchstring
+    -i, --interactive                interactive
+    -k, --ackfile ACKFILE            ackfile(default: /tmp/surack.lst)
+```
+It is possible to interactively acknowlege search hits so that they will not occur on the next search:
+```
+check_suricata.rb -i -e "ET CHAT"
+Acknowlege the following entry:
+10/04/2016-13:39:45.498785 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:40460 -> 15.14.13.12:80
+Acknowlege(y|n): y
+Acknowlege the following entry:
+10/05/2016-09:25:01.186862 [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:49491 -> 100.254.198.10:80
+Acknowlege(y|n): n
+```
+## Documentation
+[rubydoc.info](http://www.rubydoc.info/github/whotwagner/suricata/master)
+## Development
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+## Contributing
+Bug reports and pull requests are welcome on GitHub at https://github.com/whotwagner/suricata.
+---
+Powered by [Toscom](http://www.toscom.at)

data/Rakefile ADDED Viewed

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec

data/bin/console ADDED Viewed

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+require "bundler/setup"
+require "suricata"
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+require "irb"
+IRB.start

data/bin/setup ADDED Viewed

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+bundle install
+# Do any other automated setup that you need to do here

data/exe/check_suricata.rb ADDED Viewed

@@ -0,0 +1,11 @@
+#!/usr/bin/env ruby
+require 'suricata/nagios'
+begin
+nagios = Suricata::Nagios.new
+nagios.runApp(ARGV)
+rescue Errno::ENOENT => e
+	puts "#{e.message}\n"
+	exit 3
+end

data/lib/suricata/connection.rb ADDED Viewed

@@ -0,0 +1,76 @@
+#--
+# Copyright (C) 2016 Wolfgang Hotwagner <code@toscom.at>
+#
+# This file is part of the suricata gem
+#
+# This mindwave gem is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This gem is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this gem; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA  02110-1301  USA
+#++
+module Suricata
+# This class splits a connection string into it's parts
+class Connection
+# @!attribute proto
+#   protocol
+# @!attribute src
+#   source-ip
+# @!attribute dst
+#   destination-ip
+# @!attribute sport
+#   source port
+# @!attribute dport
+#   destination port
+attr_accessor :proto, :src, :dst, :sport, :dport
+# This constructor calls parse(string) if string is not nil
+#
+# @param [String] string string to parse
+def initialize(string=nil)
+	if not string.nil?
+		parse(string)
+	end
+end
+# This function parses a connection-string into it's parts
+#
+# @param [String] string string to parse
+# @raise [Exception] Parsing error
+def parse(string)
+	if string.nil?
+		raise "Invalid argument"
+	end
+	string = string.chomp
+	if string =~ /^\{(.+)\}\s+(.+)\:(\d{1,5})\s+\-\>\s+(.+)\:(\d{1,5})$/
+		@proto = $1
+		@src = $2
+		@sport = $3.to_i
+		@dst = $4
+		@dport = $5.to_i
+	else
+		raise "Parsing error: >>#{string}<<"
+	end
+end
+# converts parsed values back to string
+# @return [String] connection-string
+def to_s
+	"{#{proto}} #{src}:#{sport} -> #{dst}:#{dport}"
+end
+end
+end

data/lib/suricata/fast.rb ADDED Viewed

@@ -0,0 +1,82 @@
+#--
+# Copyright (C) 2016 Wolfgang Hotwagner <code@toscom.at>
+#
+# This file is part of the suricata gem
+#
+# This mindwave gem is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This gem is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this gem; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA  02110-1301  USA
+#++
+module Suricata
+require 'suricata/connection'
+# This class parses suricatas fast.log-files
+class Fast
+# @!attribute timestamp
+#  log-time
+# @!attribute id
+#  signature-id
+# @!attribute description
+#  signature-description
+# @!attribute classification
+#   threat-classification
+# @!attribute priority
+#  priority
+# @!attribute conn
+#  Suricata::Connection connection
+attr_accessor :timestamp, :id, :description, :classification, :priority, :conn
+# this function parses an entry of fast.log
+# @param [String] string one line of fast.log
+# @raise [Exception] if string is nil
+def parse(string)
+	if string.nil?
+		raise "Invalid argument"
+	end
+	if string =~ /^([^ ]+)\s+/
+		@timestamp = $1.chomp(' ')
+	end
+	if string =~ /\[\*\*\]\s+\[(\d+\:\d+\:\d+)\]\s+(.*)\[\*\*\]/
+		@id = $1
+		@description = $2.chomp(' ')
+	end
+	if string =~ /\[Classification: ([^\]]+)\]/
+		@classification = $1
+	end
+	if string =~ /\[Priority: ([^\]]+)\]/
+		@priority = $1
+	end
+	if string =~ /\]\s+([^\]]+)$/
+		@conn = Suricata::Connection.new($1)
+	end
+end
+# this function converts the parsed entry back to string
+# @return [String] converted string
+def to_s
+	"#{@timestamp} [**] [#{@id}] #{@description} [**] [Classification: #{@classification}] [Priority: #{@priority}] #{@conn}"
+end
+end
+end

data/lib/suricata/logfile.rb ADDED Viewed

@@ -0,0 +1,124 @@
+#--
+# Copyright (C) 2016 Wolfgang Hotwagner <code@toscom.at>
+#
+# This file is part of the suricata gem
+#
+# This mindwave gem is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This gem is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this gem; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA  02110-1301  USA
+#++
+module Suricata
+require "suricata/fast"
+# This class opens a logfile, offers methods for reading logfiles
+# and calls the logfile-parser
+class Logfile
+# @!attribute logfile
+#   path and filename of the logfile
+# @!attribute parser
+#   parser to use(default: Suricata::Fast)
+attr_accessor :logfile, :parser
+# @!attribute file
+#   file-descriptor for logfile
+# @!attribute line
+#   current line of the logfile. set by readline and readline_parse
+attr_reader :file, :line
+# constructor
+# @param [String] logfile path and filename of the logfile
+# @param [Boolean] autoopen calls open if true(default: true)
+def initialize(logfile,autoopen=true)
+	@logfile = logfile
+	@parser = Suricata::Fast.new
+	if autoopen == true
+		open
+	end
+end
+# this method calls parser.parse(string)
+# @param [String] string logfile-entry to parse
+# @raise [Exception] "Invalid argument" if string is nil
+# @raise [Exception] "Invalid parser" if parser is nil
+# @return [Object] parser
+def parse(string)
+	if string.nil?
+		raise "Invalid argument"
+	end
+	if @parser.nil?
+		raise "Invalid parser"
+	end
+	@parser.parse(string)
+	return @parser
+end
+# this method reads a line of the logfile and calls the parser
+# @return [Object] parsed object if not called with a block(default: Surricata::Fast)
+# @return [false] if there is nothing to read and if not called with a block
+# @yieldparam [Object] @line parsed object(default Suricata::Fast)
+def readline_parse
+	if block_given?
+		while readline
+			yield(parse(@line))
+		end
+	else
+		if not readline
+			return false
+		else
+			return parse(@line)
+		end
+	end
+end
+# this method reads a line of the logfile
+# @return [String] line current logfile entry
+# @return [Boolean] false when EOF reached
+# @yieldparam [String] @line current logfile entry
+def readline
+	begin
+	if block_given?
+		while @line = @file.readline
+			yield(@line)
+		end
+	else
+		@line = @file.readline
+		return @line
+	end
+	rescue EOFError
+		return false
+	end
+end
+# this method opens the logfile and initialises file
+def open
+	@file = File.new(@logfile,"r")
+end
+# this method closes the logfile
+def close
+	@file.close()
+end
+end
+end

data/lib/suricata/nagios.rb ADDED Viewed

@@ -0,0 +1,218 @@
+#--
+# Copyright (C) 2016 Wolfgang Hotwagner <code@toscom.at>
+#
+# This file is part of the suricata gem
+#
+# This mindwave gem is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This gem is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this gem; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA  02110-1301  USA
+#++
+module Suricata
+require 'suricata/logfile'
+require 'suricata/fast'
+require 'optparse'
+# This class offers all functionalities for a suricata-nagios-plugin
+class Nagios
+# @!attribute fast
+#  this attribute stores the Suricata::Logfile-object
+# @!attribute found_str
+#  this attribute stores the string found by search() in the Logfile-object
+# @!attribute search_str
+#  the search-pattern is stored in this attribute
+attr_reader :fast, :found_str, :search_str
+# @!attribute whitelist
+#  this whitelist can be used to exclude results from the search
+# @!attribute alertfile
+#  this alertfile(fast.log) is used for the search
+# @!attribute return_found
+#  this value is returned from search() on succes. (Default: 2)
+# @!attribute return_notfound
+#  this value is returned from search() on failure (Default: 0)
+# @!attribute ack
+#  it is possible to acknowlege alerts, so that they will be
+#  excluded from the next search. Use this member to set the acknowlege-file.
+#  Default ack-file is: /tmp/surack.lst
+attr_accessor :whitelist, :alertfile, :return_found, :return_notfound, :ack
+# constructor
+# @param [String] alertfile path to the suricata-log-file(default: /var/log/suricata/fast.log)
+# @param [String] whitelist path to the whitelist(default: nil)
+def initialize(alertfile="/var/log/suricata/fast.log",whitelist=nil)
+	@whitelist = whitelist
+	@alertfile = alertfile
+	@return_found = 2
+	@return_notfound = 0
+	@ack = "/tmp/surack.lst"
+end
+# this method initializes the Suricata::Logfile(@fast) and opens
+# the @alertfile
+# @see alertfile
+def init_log
+	@fast = Suricata::Logfile.new(@alertfile)
+end
+# this is the check_suricata-application. this function exits with 3
+# on error
+# @param [Array] args typically ARGV
+# @return [Integer] @return_found if searchstring was found
+# @return [Integer] @return_notfound if searchstring was not found
+# @see return_found
+# @see return_notfound
+def runApp(args)
+	help = nil
+	interactive = false
+	OptionParser.new do |opt|
+		opt.banner = "Usage: #{$PROGRAM_NAME} [ -a alertfile ] [ -w whitelistfile ] -e searchstring"
+		opt.on('-h', '--help', 'This help screen') do
+  			$stderr.puts opt
+			exit 3
+  		end
+		opt.on('-a','--alertfile ALERTFILE','alertfile(default: /var/log/suricata/fast.log)') { |o| @alertfile = o }
+		opt.on('-w','--whitelist WHITELISTFILE','whitelistfile') { |o| @whitelist = o }
+		opt.on('-e','--search STRING','searchstring') { |o| @search_str = o }
+		opt.on('-i','--interactive','interactive acknowleges') { |o| interactive = o }
+		opt.on('-k','--ackfile ACKFILE','ackfile(default: /tmp/surack.lst)') { |o| @ack = o }
+		help = opt.help
+	end.parse!(args)
+	if @search_str.nil?
+		$stderr.puts help
+		exit 3
+	end
+	if interactive
+		acknowlege(@search_str)
+		exit 3
+	end
+	ret = search(@search_str)
+	if ret > 0
+		puts "FOUND"
+	else
+		puts "OK"
+	end
+	exit ret
+end
+# this method performs a search(str). It will ask interactively for ever
+# hit if it should be acknowleged. In case of "yes", the routine will
+# add a shortform of the entry to the acknowlege-file
+# @param [String] str string to search
+# @see ack
+def acknowlege(str)
+	if @fast.nil?
+		init_log
+	end
+	list = File.open(@ack,'a')
+	@fast.readline_parse do |fast_entry|
+		if fast_entry.description =~ /#{str}/
+			if not search_list("#{fast_entry.timestamp} #{fast_entry.id} #{fast_entry.conn}",@ack)
+			 	printf("Acknowlege the following entry:\n")
+			 	printf("#{fast_entry}\n")
+			 	printf("Acknowlege(y|n): ")
+			 	answer = STDIN.gets
+			 	if answer == "y\n"
+			 		list.write("#{fast_entry.timestamp} #{fast_entry.id} #{fast_entry.conn}\n")
+			 	end
+			end
+		end
+	end
+	list.close
+end
+# this function performs a search for a string(str)
+# in the alert-file. If a whitelistfile is given,
+# or a acknowlege-file, it will search those files
+# too and eventually exclude the hit from the result.
+# @param [String] str search-query
+# @return [Integer] @return_found on success
+# @return [Integer] @return_notfound on failure
+# @see return_found
+# @see return_notfound
+# @see ack
+# @see whitelist
+def search(str)
+	@search_str = str
+	@found_str = nil
+	if @fast.nil?
+		init_log
+	end
+	wl_found = false
+	ack_found = false
+	@fast.readline_parse do |fast_entry|
+		if fast_entry.description =~ /#{@search_str}/
+			if not @whitelist.nil?
+				wl_found =  search_list(fast_entry.description,@whitelist)
+			end
+			if not @ack.nil? and File.file?(@ack)
+				ack_found = search_list("#{fast_entry.timestamp} #{fast_entry.id} #{fast_entry.conn}",@ack)
+			end
+			if wl_found == false and ack_found == false
+				@found_str = fast_entry.description
+				return @return_found
+			end
+		end
+	end
+	@fast.close
+	return @return_notfound
+end
+private
+# this function performs a search for a line in a file
+# @param [String] str search-query
+# @param [String] listfile file to search
+# @return [Boolean] true if it succeded
+# @return [Boolean] false if it did not succed
+def search_list(str,listfile)
+	list = File.open(listfile,'r')
+	begin
+	while entry = list.readline
+		entry = entry.chomp
+		if str =~ /#{entry}/
+			list.close
+			return true
+		end
+	end
+	rescue EOFError
+	end
+	list.close
+	return false
+end
+end
+end

data/lib/suricata/version.rb ADDED Viewed

@@ -0,0 +1,25 @@
+#--
+# Copyright (C) 2016 Wolfgang Hotwagner <code@toscom.at>
+#
+# This file is part of the suricata gem
+#
+# This mindwave gem is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This gem is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this gem; if not, write to the
+# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
+# Boston, MA  02110-1301  USA
+#++
+module Suricata
+# yes, this is the version
+  VERSION = "0.2.0"
+end

data/lib/suricata.rb ADDED Viewed

@@ -0,0 +1,6 @@
+require "suricata/version"
+require "suricata/fast"
+require "suricata/connection"
+require "suricata/logfile"
+require "suricata/nagios"

data/misc/fast.log ADDED Viewed

@@ -0,0 +1,11 @@
+10/04/2016-11:03:06.749577  [**] [1:2012843:3] ET POLICY Cleartext WordPress Login [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:50650 -> 8.8.8.8:80
+10/04/2016-11:03:06.749577  [**] [1:2012888:3] ET POLICY Http Client Body contains pwd= in cleartext [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:50650 -> 8.8.8.1:80
+10/04/2016-11:13:27.634427  [**] [1:2522676:2719] ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 339 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 212.69.166.153:123 -> 1.2.3.4:59740
+10/04/2016-12:17:46.482848  [**] [1:2200074:1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.1:53182 -> 4.3.2.1:443
+10/04/2016-13:39:45.498785  [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:40460 -> 15.14.13.12:80
+10/04/2016-17:10:54.833594  [**] [1:2200074:1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} 10.12.32.6:50707 -> 42.42.42.42:443
+10/04/2016-18:30:45.866312  [**] [1:2200074:1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} 10.12.32.6:44646 -> 9.1.2.1:443
+10/04/2016-22:18:08.728614  [**] [1:2100230:3] GPL CHAT Jabber/Google Talk Outgoing Traffic [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.0.1:33243 -> 8.4.3.7:5222
+10/04/2016-22:57:41.158897  [**] [1:2200074:1] SURICATA TCPv4 invalid checksum [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.0.1:52912 -> 1.2.3.22:80
+10/05/2016-09:25:01.186862  [**] [1:2001595:10] ET CHAT Skype VOIP Checking Version (Startup) [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.0.1:49491 -> 100.254.198.10:80

data/misc/whitelist.txt ADDED Viewed

	@@ -0,0 +1 @@
1	+ ET CHAT Skype VOIP Checking Version

data/suricata.gemspec ADDED Viewed

@@ -0,0 +1,26 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'suricata/version'
+Gem::Specification.new do |spec|
+  spec.name          = "suricata"
+  spec.version       = Suricata::VERSION
+  spec.authors       = ["Wolfgang Hotwagner"]
+  spec.email         = ["code@toscom.at"]
+  spec.summary       = %q{This gem offers classes to handle suricata logfiles.}
+  spec.description   = %q{This gem offers classes to handle suricata logfiles. It ships with a nagios-plugin. }
+  spec.homepage      = "https://github.com/whotwagner/suricata"
+  spec.licenses      = ["GPL"]
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = [ "check_suricata.rb" ]
+  spec.require_paths = ["lib"]
+  spec.add_development_dependency "bundler", "~> 1.12"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "rspec", "~> 3.0"
+end

metadata ADDED Viewed

@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification
+name: suricata
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+platform: ruby
+authors:
+- Wolfgang Hotwagner
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2016-10-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.12'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: 'This gem offers classes to handle suricata logfiles. It ships with a
+  nagios-plugin. '
+email:
+- code@toscom.at
+executables:
+- check_suricata.rb
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/check_suricata.rb
+- lib/suricata.rb
+- lib/suricata/connection.rb
+- lib/suricata/fast.rb
+- lib/suricata/logfile.rb
+- lib/suricata/nagios.rb
+- lib/suricata/version.rb
+- misc/fast.log
+- misc/whitelist.txt
+- suricata.gemspec
+homepage: https://github.com/whotwagner/suricata
+licenses:
+- GPL
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.2.2
+signing_key:
+specification_version: 4
+summary: This gem offers classes to handle suricata logfiles.
+test_files: []