thm 0.3.2 → 0.4.5
- checksums.yaml +4 -4
- data/Rakefile +107 -0
- data/bin/thm-trafviz +35 -10
- data/config.rb +1 -0
- data/lib/thm/dataservices/geolocation/geolocation.rb +1 -1
- data/lib/thm/dataservices/trafviz/trafviz.rb +58 -13
- data/lib/thm/version.rb +3 -3
- data/lib/thm.rb +14 -8
- data/sql/geoipdata-monetdb.sql +2 -0
- data/sql/threatmonitor-http.sql +60 -4
- metadata +19 -4
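--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 40bbc67ea101f1fc34f2f85fdb06c13677451fd0
+data.tar.gz: 78a08e73c11da31adf4834dbd5913fbfbb93eb35
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: fcd88da68f3f44c7072378134bd3c2ab644b1db8f07db52d43a1644009d76ba92d8787b4b4c625b47b5199a922b7e80e72e69624766e496abcedae914910c3c4
+data.tar.gz: 8ce4134539e86fae9dac11d7e9cfedde5310c80a9088eafb7a94f02d575b3ee5e6c4bb4e183b8409569d329e7aa8b048c21edd1ff2e4938be87381e10777cf0b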
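--- a/data/Rakefile
+++ b/data/Rakefile
@@ -0,0 +1,107 @@
+# coding: utf-8
+require './lib/thm/version.rb'
+
+def java?
+/java/ === RUBY_PLATFORM
+end
+
+ENV['LANG'] = "en_US.UTF-8"
+
+VERSION = Thm::VERSION::STRING
+
+Gem::Specification.new do |spec|
+spec.name = "thm"
+spec.version = VERSION
+spec.authors = ["puppetpies"]
+spec.email = "brianh6854@googlemail.com"
+spec.description = "Threatmonitor - Packet Capture / Analysis Suite"
+spec.summary = "Packet Data Analysis"
+spec.executables = ["thm-consumer", "thm-producer", "thm-session", "thm-useradmin", "thm-pcap", "thm-trafviz"]
+spec.homepage = "https://github.com/puppetpies/threatmonitor"
+spec.requirements = "libpcap"
+spec.license = "MIT"
+
+spec.files = [
+"config.rb",
+"Rakefile",
+"lib/thm/datalayerlight.rb",
+"thm-authentication.rb",
+"thm-authorization.rb",
+"bin/thm-consumer",
+"bin/thm-producer",
+"bin/thm-session",
+"bin/thm-useradmin",
+"bin/thm-pcap",
+"bin/thm-trafviz",
+"thm-privileges.rb",
+"service_definitions.csv",
+"lib/thm.rb",
+"lib/thm/consumer.rb",
+"lib/thm/dataservices.rb",
+"lib/thm/fileservices.rb",
+"lib/thm/localmachine.rb",
+"lib/thm/producer.rb",
+"lib/thm/version.rb",
+"lib/thm/dataservices/geolocation/geolocation.rb",
+"lib/thm/dataservices/trafviz/trafviz.rb",
+"js/jquery.min.js",
+"js/chartkick.js",
+"js/JSXTransformer.js",
+"js/marked.min.js",
+"js/react.js",
+"js/jsapi.js",
+"js/files/authenticate.jsx",
+"stylesheets/screen.css",
+"sql/geoipdata-monetdb.sql",
+"sql/threatmonitor-monetdb.sql",
+"sql/threatmonitor-mysql.sql",
+"sql/threatmonitor-http.sql",
+"views/authenticate.slim",
+"views/dashboard.erb",
+"views/logout.slim"
+]
+
+spec.extra_rdoc_files = [
+"README.md",
+"README.1ST"
+]
+spec.executables = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+spec.test_files = spec.files.grep(%r{^(test|spec|features)/})
+spec.require_paths = ["lib"]
+
+spec.add_development_dependency "bundler", "~> 1.3"
+spec.add_development_dependency "rake", "~> 10.4"
+spec.add_development_dependency "rake-compiler", "~> 0.9"
+spec.add_runtime_dependency "bunny", "~> 1.7"
+spec.add_runtime_dependency "amqp", "~> 1.5"
+spec.add_runtime_dependency "pcap", "~> 0.7"
+spec.add_runtime_dependency "guid", "~> 0.1"
+spec.add_runtime_dependency "eventmachine", "~> 1.0"
+spec.add_runtime_dependency "chartkick", "~> 1.3"
+spec.add_runtime_dependency "sinatra", "~> 1.4"
+spec.add_runtime_dependency "slim", "~> 3.0"
+spec.add_runtime_dependency "keycounter", "~> 0.0.8"
+spec.add_runtime_dependency "walltime", "~> 0.0.5"
+end
+
+require 'rubygems/tasks'
+Gem::Tasks.new
+task :default do
+
+end
+
+# Override standard release task
+require 'git'
+Rake::Task["release"].clear
+task :release do
+version = "#{VERSION}"
+remote = 'origin'
+puts "Creating tag v#{version}"
+git = Git.open(".")
+git.add_tag("v#{version}")
+puts "Pushing tag to #{remote}"
+git.push(remote, 'master', true)
+Rake::Task['gem'].invoke
+gemtask = Gem::Tasks::Push.new
+gemtask.push("pkg/thm-#{version}.gem")
+end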
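--- a/data/bin/thm-trafviz
+++ b/data/bin/thm-trafviz
@@ -26,6 +26,16 @@ conf.thmhome?
 include Thm::Defaults
 include Tools
 
+class FalseClass
+
+def []
+=begin
+#<NoMethodError: undefined method `[]' for false:FalseClass>
+=end
+end
+
+end
+
 class NilClass
 
 def strip
@@ -42,6 +52,18 @@ exception when looping over each packet loop: #<NoMethodError: undefined method
 =end
 end
 
+def > name=nil
+=begin
+exception when looping over each packet loop: #<NoMethodError: undefined method `>' for nil:NilClass>
+/data2/Projects/threatmonitor/lib/thm/dataservices/geolocation/geolocation.rb:47:in `block in define_component': undefined method `>' for nil:NilClass (NoMethodError)
+from /data2/Projects/threatmonitor/lib/thm/dataservices/geolocation/geolocation.rb:73:in `geoiplookup'
+from ./thm-trafviz:284:in `block in <main>'
+from /usr/lib/ruby/gems/2.1.0/gems/pcap-0.7.7/lib/pcaplet.rb:94:in `loop'
+from /usr/lib/ruby/gems/2.1.0/gems/pcap-0.7.7/lib/pcaplet.rb:94:in `each_packet'
+from ./thm-trafviz:271:in `<main>'
+=end
+end
+
 end
 
 ARGV[0] = "--help" if ARGV[0] == nil
@@ -91,6 +113,8 @@ puts banner
 
 # Trafviz DataServices
 tv = Thm::DataServices::Trafviz.new
+tv.reqtable = HTTP_REQUEST_TABLE
+tv.reqtableua = HTTP_REQUEST_TABLE_UA
 # Connect to Datastore
 gloc = Thm::DataServices::Geolocation.new
 gloc.datastore = DATASTORE
@@ -264,13 +288,13 @@ a.menu!
 =end
 
 @trafviz = Pcaplet.new(startup)
-HTTP_REQUEST
+HTTP_REQUEST = Pcap::Filter.new('tcp dst port 80', @trafviz.capture)
 HTTP_RESPONSE = Pcap::Filter.new('tcp src portrange 1024-65535', @trafviz.capture)
 
 @trafviz.add_filter(HTTP_REQUEST | HTTP_RESPONSE)
 @trafviz.each_packet {|pkt|
 data = pkt.tcp_data.to_s
-data_orig = data.clone
+data_orig = data.clone # Preserve copy in its own object_id
 data_highlight = tv.text_highlighter(data_orig)
 case pkt
 when HTTP_REQUEST
@@ -278,21 +302,22 @@ HTTP_RESPONSE = Pcap::Filter.new('tcp src portrange 1024-65535', @trafviz.captur
 stwt = Stopwatch.new
 stwt.watch('start')
 path = $1
-host = pkt.dst.to_s
-host << ":\e[1;33m#{pkt.dport}\e[0m\ "
+host = "#{pkt.dst.to_s}:\e[1;33m#{pkt.dport}\e[0m\ "
 s = "\e[1;33m#{pkt.src}:\e[1;31m#{pkt.sport}\e[0m\ > GET \e[1;33mhttp://#{host}\e[1;32mHTTP/1.1\e[0m "
 geo = gloc.geoiplookup(host.split(":")[0])
 puts "\e[4;36mGeo Location:\e[0m\ \n\e[0;35m#{geo} \e[0m\ "
 puts "\e[4;36mRequest Data:\e[0m\ \n\e[0;32m#{data_highlight} \e[0m\ "
 tv.makeurl(data_orig)
 # Process data and prepare then send elsewhere
-query_return_sql = tv.request_filter(
-# Store data into
+query_return_sql = tv.request_filter(data)
+# Store data into Datastore
 begin
-
-
-
-
+query_return_sql.each {|sql|
+ires = gloc.query("#{sql}")
+if @debug == true
+puts "\e[4;36mStructured Query:\e[0m\ #{sql} \e[4;36mResult:\e[0m\ #{ires}"
+end
+}
 rescue
 Tools::log_errors("/tmp/thm-sql-errors.log", "SQL Error - #{Time.now} - #{query_return_sql}") # Catch them all
 end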
data/config.rb
CHANGED
@@ -54,7 +54,7 @@ module Thm
|
|
54
54
|
while row = resgeo.fetch_hash do
|
55
55
|
populategeo = instance_variable_get("@#{name_func}_name")
|
56
56
|
populategeo << row["#{name_func}_name"].to_s
|
57
|
-
instance_variable_set("@#{name_func}_name", populategeo)
|
57
|
+
instance_variable_set("@#{name_func}_name", populategeo) # Only returns 1 row
|
58
58
|
@continent_name = row["continent_name"].to_s
|
59
59
|
end
|
60
60
|
rescue => e
|
@@ -8,14 +8,37 @@
|
|
8
8
|
#
|
9
9
|
########################################################################
|
10
10
|
|
11
|
+
require 'pp'
|
11
12
|
require 'json'
|
13
|
+
require 'walltime'
|
12
14
|
|
13
|
-
module
|
15
|
+
module TimeWarp
|
16
|
+
|
17
|
+
refine Stopwatch do
|
18
|
+
|
19
|
+
def print_stats
|
20
|
+
round = round_to(@t2 - @t1, 2)
|
21
|
+
puts "Start: #{Time.at(@t1)} Finish: #{Time.at(@t2)} Total time: #{round}"
|
22
|
+
diff = (Time.at(@t2) - Time.at(@t1))*1000
|
23
|
+
puts "Difference: #{diff.to_s.gsub(".", "")[0..2]}ms"
|
24
|
+
end
|
25
|
+
|
26
|
+
end
|
27
|
+
|
28
|
+
end
|
14
29
|
|
30
|
+
module Thm
|
31
|
+
|
15
32
|
class DataServices::Trafviz
|
16
33
|
|
34
|
+
attr_writer :reqtable, :reqtableua
|
35
|
+
|
36
|
+
# For refinement of print_stats
|
37
|
+
using TimeWarp
|
38
|
+
|
17
39
|
def initialize
|
18
|
-
@debug =
|
40
|
+
@debug = false
|
41
|
+
@reqtable, @reqtableua = String.new, String.new
|
19
42
|
end
|
20
43
|
|
21
44
|
def makeurl(data)
|
@@ -50,20 +73,25 @@ module Thm
|
|
50
73
|
end
|
51
74
|
|
52
75
|
# This is just an informal function when in debug mode
|
53
|
-
def hit_header(hdrs)
|
54
|
-
puts "Hit #{hdrs} header"
|
76
|
+
def hit_header(hdrs, comment="")
|
77
|
+
puts "Hit #{hdrs} header #{comment}"
|
55
78
|
end
|
56
79
|
|
80
|
+
|
57
81
|
# Cookie ommit as we don't want to steal cookie data and pointless to store.
|
82
|
+
# Other useless headers / slight issues
|
58
83
|
def filter_header?(lkey)
|
59
84
|
puts "MY LKEY: |#{lkey}|" if @debug == true
|
60
|
-
case
|
61
|
-
when "cookie"
|
85
|
+
case
|
86
|
+
when lkey == "cookie"
|
62
87
|
hit_header(lkey) if @debug == true
|
63
88
|
return true
|
64
|
-
when "range"
|
89
|
+
when lkey == "range"
|
65
90
|
hit_header(lkey) if @debug == true
|
66
91
|
return true
|
92
|
+
when lkey =~ /^get |^post /
|
93
|
+
hit_heaer(lkey, "Seen this unsure why it even occurs yet !") if @debug == true
|
94
|
+
return true
|
67
95
|
else
|
68
96
|
return false
|
69
97
|
end
|
@@ -84,19 +112,22 @@ module Thm
|
|
84
112
|
end
|
85
113
|
|
86
114
|
# Filter request data and build query
|
87
|
-
def request_filter(
|
115
|
+
def request_filter(data, keysamples=2000)
|
88
116
|
if !request_valid?(data)
|
89
117
|
sql = "SELECT 1;"
|
90
118
|
return sql
|
91
119
|
end
|
120
|
+
flt = Stopwatch.new
|
121
|
+
flt.watch('start')
|
92
122
|
guid = Tools::guid
|
93
123
|
cols, vals = String.new, String.new
|
94
124
|
lkey, rkey = String.new, String.new
|
125
|
+
sql_ua = String.new
|
95
126
|
json_data_pieces = String.new
|
96
127
|
t = 0
|
97
128
|
json_data_hdr = "@json_template = { 'http' => { "
|
98
129
|
json_data_ftr = " } }"
|
99
|
-
sql = "INSERT INTO #{reqtable} (recv_time,recv_date,guid,json_data) "
|
130
|
+
sql = "INSERT INTO #{@reqtable} (recv_time,recv_date,guid,json_data) "
|
100
131
|
data.each_line {|n|
|
101
132
|
unless n.strip == ""
|
102
133
|
if t > 0 # Don't processes GET / POST Line
|
@@ -105,14 +136,25 @@ module Thm
|
|
105
136
|
rkeyenc = filter_header?(lkey)
|
106
137
|
if rkeyenc == false
|
107
138
|
rkeyenc = rkey_decode(rkey)
|
139
|
+
if lkey == "useragent"
|
140
|
+
ua = Tools::ua_parser(rkeyenc)
|
141
|
+
sql_ua = "INSERT INTO #{@reqtableua} (family, "
|
142
|
+
sql_ua << "major, minor, " unless ua.version == nil
|
143
|
+
sql_ua << "os, guid) "
|
144
|
+
sql_ua << "VALUES ('#{ua.family}', "
|
145
|
+
sql_ua << "'#{ua.version.major}', '#{ua.version.minor}', " unless ua.version == nil
|
146
|
+
sql_ua << "'#{ua.os.to_s}', '#{guid}');"
|
147
|
+
end
|
108
148
|
else
|
109
149
|
rkey = "ommited"
|
110
150
|
end
|
111
|
-
if rkey
|
151
|
+
if rkey != "" or lkey != ""
|
112
152
|
prerkeyins = rkey.gsub('"', '') # Strip Quotes
|
113
153
|
prerkeyins = "blank" if prerkeyins.strip == "" # Seems JSON values can't be "accept":""
|
114
154
|
puts "Found Blank Value!!!" if prerkeyins == "blank"
|
115
|
-
|
155
|
+
if lkey != "useragent"
|
156
|
+
json_data_pieces << "'#{lkey}' => \"#{prerkeyins}\",\n"
|
157
|
+
end
|
116
158
|
end
|
117
159
|
end
|
118
160
|
t += 1
|
@@ -129,7 +171,10 @@ module Thm
|
|
129
171
|
remove_instance_variable("@json_template") # Hence remove instance variable here
|
130
172
|
# Added GUID as i could extend TCP/IP capture suites in the future for HTTP traffic
|
131
173
|
sql = "#{sql}VALUES (NOW(), NOW(), '#{guid}', '#{json_data}');"
|
132
|
-
|
174
|
+
flt.watch('stop')
|
175
|
+
print "\e[4;36mFilter Time Taken:\e[0m\ "
|
176
|
+
flt.print_stats
|
177
|
+
return [sql, sql_ua]
|
133
178
|
rescue => e
|
134
179
|
pp e
|
135
180
|
end
|
@@ -140,7 +185,7 @@ module Thm
|
|
140
185
|
"Safari", "Mozilla", "Gecko", "AppleWebKit", "Windows",
|
141
186
|
"MSIE", "Win64", "Trident", "wispr", "PHPSESSID", "JSESSIONID",
|
142
187
|
"AMD64", "Darwin", "Macintosh", "Mac OS X", "Dalvik", "text/html", "xml"]
|
143
|
-
cpicker = [2,3,4,1,7,5,6]
|
188
|
+
cpicker = [2,3,4,1,7,5,6] # Just a selection of colours
|
144
189
|
keys.each {|n|
|
145
190
|
text.gsub!("#{n}", "\e[4;3#{cpicker[rand(cpicker.size)]}m#{n}\e[0m\ \e[0;32m".strip)
|
146
191
|
}
|
data/lib/thm/version.rb
CHANGED
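--- a/data/lib/thm.rb
+++ b/data/lib/thm.rb
@@ -16,13 +16,9 @@ require 'guid'
 require 'yaml'
 require 'pcaplet'
 require 'pcaprub' # For Live capture / write
+require 'user_agent_parser'
 include Pcap
 
-# TODO
-#
-# Create def's for that packet SQL / Refactor to provent code duplication
-# Create def's for Hash table YAML same idea as above.
-
 class String
 
 def size_minus(min=1)
@@ -34,11 +30,20 @@ end
 module Tools
 
 class << self
-
+
+# Guid.new isn't hard but this Module will expand
 def guid
 guid = Guid.new # Generate GUID
 end
-
+
+# User agent parsing magic for Trafviz via uap-ruby on Github
+def ua_parser(agent)
+# Load all user agent data / regexp / patterns once
+@ua ||= UserAgentParser::Parser.new
+@ua.parse(agent)
+end
+
+# Thm system errors
 def log_errors(file, data)
 File.open("#{file}", 'a') {|n|
 n.puts("#{data}")
@@ -47,6 +52,7 @@ module Tools
 
 end
 
+# User defined functions
 def use_const_defined_unless?(const)
 const_down = const.downcase
 if Kernel.const_defined?("#{const}")
@@ -68,7 +74,7 @@ end
 require File.expand_path(File.join(
 File.dirname(__FILE__),
 "../lib/thm/datalayerlight.rb"))
-
+
 # Load Datasources / Services contains defaults
 require File.expand_path(File.join(
 File.dirname(__FILE__),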
data/sql/geoipdata-monetdb.sql
CHANGED
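--- a/data/sql/threatmonitor-http.sql
+++ b/data/sql/threatmonitor-http.sql
@@ -1,3 +1,4 @@
+SET SCHEMA "threatmonitor";
 
 DROP TABLE "threatmonitor".http_traffic_json;
 CREATE TABLE "threatmonitor".http_traffic_json (
@@ -6,10 +7,65 @@ id INT GENERATED ALWAYS AS
 START WITH 0 INCREMENT BY 1
 NO MINVALUE NO MAXVALUE
 CACHE 2 CYCLE
-)
-guid
-recv_date
-recv_time
+) PRIMARY KEY,
+guid CHAR(36) NOT NULL,
+recv_date DATE,
+recv_time TIME,
 json_data JSON
 );
 
+CREATE INDEX index_traffic_json_id ON "threatmonitor".http_traffic_json(id);
+CREATE INDEX index_traffic_json_guid ON "threatmonitor".http_traffic_json(guid);
+
+DROP TABLE "threatmonitor".http_traffic_ua;
+CREATE TABLE "threatmonitor".http_traffic_ua (
+id INT GENERATED ALWAYS AS
+IDENTITY (
+START WITH 0 INCREMENT BY 1
+NO MINVALUE NO MAXVALUE
+CACHE 2 CYCLE
+) PRIMARY KEY,
+family VARCHAR(30),
+major CHAR(3) default 'NaN',
+minor CHAR(3) default 'NaN',
+os CHAR(20) NOT NULL,
+guid CHAR(36) NOT NULL
+);
+
+CREATE FUNCTION JSON_SQUASH(name string)
+RETURNS string
+BEGIN
+RETURN REPLACE(REPLACE(REPLACE(name, '[\"', ''), '\"]', ''), '"', '');
+END;
+
+/*
+PLAN SELECT
+JSON_SQUASH(host) AS host,
+JSON_SQUASH(acceptlanguage) as acceptlanguage,
+JSON_SQUASH(acceptencoding) as acceptencoding,
+JSON_SQUASH(referer) as referer,
+family,
+major,
+minor,
+os
+FROM
+(SELECT
+json.filter(json_data, '$.http.host') AS host,
+json.filter(json_data, '$.http.acceptlanguage') AS acceptlanguage,
+json.filter(json_data, '$.http.acceptencoding') AS acceptencoding,
+json.filter(json_data, '$.http.referer') AS referer,
+b.family,
+b.major,
+b.minor,
+b.os
+FROM http_traffic_json a JOIN http_traffic_ua b
+ON (a.guid = b.guid)) AS origin WHERE referer ILIKE '%http://%' LIMIT 30;
+*/
+
+/*
+SELECT MIN(json_data) FROM http_traffic_json
+*/
+
+/*
+Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
+*/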
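--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: thm
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.4.5
 platform: ruby
 authors:
 - puppetpies
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-09-
+date: 2015-09-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: bundler
@@ -170,14 +170,28 @@ dependencies:
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 0.0.8
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
 - - "~>"
 - !ruby/object:Gem::Version
-version:
+version: 0.0.8
+- !ruby/object:Gem::Dependency
+name: walltime
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.0.5
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: 0.0.5
 description: Threatmonitor - Packet Capture / Analysis Suite
 email: brianh6854@googlemail.com
 executables:
@@ -194,6 +208,7 @@ extra_rdoc_files:
 files:
 - README.1ST
 - README.md
+- Rakefile
 - bin/thm-consumer
 - bin/thm-pcap
 - bin/thm-producer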