trisulrp 1.2.3 → 1.2.4

data/README.rdoc

@@ -1,6 +1,15 @@
 = trisulrp
 
-Description goes here.
+Trisul Remote Protocol 
+This gem allows you to script advanced network security analysis tasks via Ruby.
+
+Key Features :
+* Analysis done remotely (at Trisul server)
+* All communications over TLS
+* Strong authentication using Client Certificates
+* Easy to use 
+
+
 
 == Contributing to trisulrp
  

data/VERSION

@@ -1 +1 @@
-1.2.3
+1.2.4

data/lib/trisulrp/guids.rb

@@ -0,0 +1,43 @@
+# == Guids - shortcuts to some wellknown guids
+#
+module  TrisulRP::Guids
+
+  CG_AGGREGATE             = "{393B5EBC-AB41-4387-8F31-8077DB917336}" # Aggregate statistics 
+  CG_APP                   = "{C51B48D4-7876-479E-B0D9-BD9EFF03CE2E}" # Application wise traffic 
+  CG_DIRMAC                = "{79F60A94-44BD-4C55-891A-77823D59161B}" # Traffic between two MACs
+  CG_HOST                  = "{4CD742B1-C1CA-4708-BE78-0FCA2EB01A86}" # Stats for each IP Host
+  CG_EXTERNAL_HOST         = "{00AA77BB-0063-11A5-8380-FEBDBABBDBEA}" # Hosts outside HOME NETWORK
+  CG_INTERNAL_HOST         = "{889900CC-0063-11A5-8380-FEBDBABBDBEA}" # Hosts in HOME NETWORK 
+  CG_WEB_HOST      	       = "{EEF95297-0C8D-4673-AD6B-F4BD2345FD69}" # Hosts talking HTTP/HTTPS
+  CG_EMAIL_HOST 	       = "{22D4082E-B8BA-40D0-A287-1F524DF8DA7B}" # Hosts with Email traffic
+  CG_SSH_HOST 	 	       = "{439002E4-3758-4E88-9438-8034FE1616AF}" # Hosts with SSH traffic
+  CG_UNUSUAL_TRAFFIC_HOSTS = "{AE3A1449-5663-41A5-A028-FDE61DBB7EFA}" # Hosts with Unusual traffic 
+  CG_SUBNET                = "{429B65AD-CDA4-452E-A852-24D8A3D0FBB3}" # Stats for configured IP Subnets
+  CG_INTERFACE 	           = "{8AC478BC-8891-0009-5F31-80774B010086}" # Per interface statistics
+  CG_UNLEASH_APPS          = "{FF889910-9293-AAA5-0028-883991889884}" # Demo of Rule based cg,count your enterprise apps
+  CG_ALERT_SIGNATURES      = "{A0FA9464-B496-4A20-A9AB-4D2D09AFF902}" # Individual Alert Signatures
+  CG_ALERT_CLASSES	       = "{20BC4345-37F0-44D0-ABFF-3BED97363CB1}" # IDS Alert Classfication
+  CG_META_COUNTER_GROUP    = "{4D88CC23-2883-4DEA-A313-A23B60FE8BDA}" # Second order stats for counters
+  CG_META_SESSION_GROUP    = "{594606BD-EEB2-4E0B-BAC4-84B7057088C8}" # Second order stats for flow activity 
+  CG_FLOWGENS              = "{2314BB8E-2BCC-4B86-8AA2-677E5554C0FE}" # Flow generator traffic
+  CG_FLOWINTFS 		       = "{C0B04CA7-95FA-44EF-8475-3835F3314761}" # Flow interface traffic	
+  CG_HTTP_HOSTS		       = "{D2AAD7C6-E129-4366-A2AD-A8CB9AA4C2F4}" # Traffic by HTTP Host Headers
+  CG_HTTP_CONTENT_TYPES    = "{C0C9757F-2005-4CC5-BB96-D72F607E6188}" # Traffic by HTTP Content Types
+  CG_MAC		           = "{4B09BD22-3B99-40FC-8215-94A430EA0A35}" # Traffic per Ethernet MAC	
+  CG_LINKLAYERSTATS	       = "{9F5AD3A9-C74D-46D8-A8A8-DCDD773730BA}" # Breakdown of activity at link layer 	
+  CG_NETWORKLAYERSTATS	   = "{E89BCD56-30AD-40F5-B1C8-8B7683F440BD}" # Breakdown of activity at network layer 
+  CG_VSAT		           = "{A8776788-B8E3-4108-AD24-0E3927D9364B}" # Traffic per VSAT	
+  CG_VLANSTATS		       = "{0EC72E9E-3AD2-43FD-8173-74693EEA08D0}" # Per VLAN Activity Monitor	
+  CG_HOSTSIPV6		       = "{6CD742B1-C1CA-4708-BE78-0FCA2EB01A86}" # Stats for each IPv6 Host	
+
+  AG_IDS                   = "{9AFD8C08-07EB-47E0-BF05-28B4A7AE8DC9}" # Track IDS Alerts
+  AG_BLACKLIST             = "{5E97C3A3-41DB-4E34-92C3-87C904FAB83E}" # Blacklist used for Badfellas and Malware
+  AG_TCA                   = "{03AC6B72-FDB7-44C0-9B8C-7A1975C1C5BA}" # Track TCA Alerts
+  AG_FLOWTRACK             = "{18CE5961-38FF-4AEA-BAF8-2019F3A09063}" # Track flow based Alerts
+
+  RG_URL                   = "{4EF9DEB9-4332-4867-A667-6A30C5900E9E}" # URL Resources
+  RG_DNS                   = "{D1E27FF0-6D66-4E57-BB91-99F76BB2143E}" # DNS Resources
+
+  SG_TCP                   = "{99A78737-4B41-4387-8F31-8077DB917336}" # TCP Sessions
+  	
+end

data/lib/trisulrp/keys.rb

@@ -0,0 +1,200 @@
+# == Keys - Utilities to convert a key to a human readable string & back
+#
+module TrisulRP::Keys
+
+class Null
+    def self.xform(kstring)
+        yield kstring if block_given?
+        kstring
+    end
+end
+
+class HNumber
+    # key to human string
+    # => width unused
+    # => kstring = hex number like A011
+    # output is a decimal number
+    def self.xform(kstring)
+        ret = kstring.hex.to_s
+        yield ret if block_given?
+        ret
+    end
+
+    # human string to key
+    # => width padding eg to output 000B when input = 11 and field is a 2 byte
+    # => dstring input decimal
+    def self.invert_xform(width,dstring)
+        ret = dstring.to_i.to_s(16).rjust(width,"0").upcase
+        yield ret if block_given?
+        ret
+    end
+
+    # is_key_pattern?
+    def self.is_key_form? patt
+		return false if patt.nil?
+        [2,4,8].member? patt.length and patt =~ /(\d|[a-f]|[A-F])+/
+    end
+
+    # is_human_pattern?
+    def self.is_human_form? patt
+      patt.to_i > 0 or patt.squeeze("0") == "0"
+    end
+end
+
+
+class Host
+    # key to human string
+    def self.xform(kstring)
+        ret = kstring.split('.').collect { |hexbyte| hexbyte.hex.to_s }.join('.')
+        yield ret if block_given?
+        ret
+    end
+
+    # human string to key
+    def self.invert_xform(dstring)
+        ret = dstring.split('.').collect { |decbyte| decbyte.to_i.to_s(16).rjust(2,"00").upcase}.join('.')
+        yield ret if block_given?
+        ret
+    end
+
+    # is_key_pattern?
+    def self.is_key_form? patt
+		return false if patt.nil?
+      patt.length == 11 and (patt[2] == "." || patt[5] == "." || patt[8] == ".")
+    end
+
+    # is_human_pattern?
+    def self.is_human_form? patt
+      patt.split('.').select { |szbyte| (1..255).cover?(szbyte.to_i) or szbyte.squeeze("0") == "0" }.size == 4
+    end
+end
+
+  # UDP/TCP port a 2 byte number
+class Port
+
+    # key to human string
+    def self.xform(kstring)
+          s =  "Port-" + kstring[2..-1].hex.to_s
+          yield s if block_given?
+          return s
+    end
+
+    # human string to key
+    # handles formats
+    # => Port-80
+    # => port-80
+    # => 80
+    def self.invert_xform(dstring)
+      if dstring.size > 5 and dstring[0..4].upcase == "PORT-"
+          return "p-"+dstring.slice(5..-1).to_i.to_s(16).rjust(4,"0000").upcase
+      else
+          return "p-"+dstring.to_i.to_s(16).rjust(4,"0000").upcase
+      end
+    end
+
+    # is_key_form?
+    def self.is_key_form? patt
+		return false if patt.nil?
+      patt.length == 6 and patt[0] == 'p' and patt[1] == '-'
+    end
+
+    # is_human_form?
+    def self.is_human_form? patt
+      patt[0..4].upcase == "PORT-" and ((1..65535).include? patt[5..-1].to_i)
+    end
+end
+
+class Subnet
+    # key to human string
+    # => key - 00.00.00.00_8888
+    def self.xform(kstring)
+        parts=kstring.split('/')
+        ret = Host.xform(parts[0]) + "/" + HNumber.xform(parts[1])
+        yield ret if block_given?
+        ret
+    end
+
+    # human string to key
+    def self.invert_xform(dstring)
+        parts=dstring.split('/')
+        ret = Host.invert_xform(parts[0]) + "/" + HNumber.invert_xform(2,parts[1])
+        yield ret if block_given?
+        ret
+    end
+
+    # is_key_pattern?
+    def self.is_key_form? patt
+	  return false if patt.nil?
+      parts = patt.split('/')
+      parts.size == 2 and Host.is_key_form?(parts[0]) and HNumber.is_key_form?(parts[1])
+    end
+
+    # is_human_pattern?
+    def self.is_human_form? patt
+      parts = patt.split('/')
+      parts.size == 2 and Host.is_human_form?(parts[0]) and HNumber.is_human_form?(parts[1])
+    end
+end
+
+
+class HostInterface
+    # key to human string
+    # => key - 00.00.00.00/10
+    def self.xform(kstring)
+        parts=kstring.split('_')
+        ret = Host.xform(parts[0]) + "_" + HNumber.xform(parts[1])
+        yield ret if block_given?
+        ret
+    end
+
+    # human string to key
+    def self.invert_xform(dstring)
+        parts=dstring.split('_')
+        ret = Host.invert_xform(parts[0]) + "_" + HNumber.invert_xform(4,parts[1])
+        yield ret if block_given?
+        ret
+    end
+
+    # is_key_pattern?
+    def self.is_key_form? patt
+	  return false if patt.nil?
+      parts = patt.split('_')
+      parts.size == 2 and Host.is_key_form?(parts[0]) and HNumber.is_key_form?(parts[1])
+    end
+
+    # is_human_pattern?
+    def self.is_human_form? patt
+      parts = patt.split('_')
+      parts.size == 2 and Host.is_human_form?(parts[0]) and HNumber.is_human_form?(parts[1])
+    end
+end
+
+  # key and human form are same
+class ASNumber
+    # key to human string
+    # => key - ASnnn
+    def self.xform(kstring)
+        yield kstring if block_given?
+        kstring
+    end
+
+    # human string to key
+    def self.invert_xform(dstring)
+        yield dstring if block_given?
+        dstring
+    end
+
+    # is_key_pattern?
+    def self.is_key_form? patt
+      return false if patt.nil?
+      patt[0..1]=="AS"
+    end
+
+    # is_human_pattern?
+    def self.is_human_form? patt
+      return false if patt.nil?
+      patt[0..1]=="AS"
+    end
+end
+
+end

data/lib/trisulrp/protocol.rb

@@ -0,0 +1,103 @@
+# = Trisul Remote Protocol helper  functions
+# 
+# dependency = ruby_protobuf
+#
+# Akhil.M & Dhinesh.K (c) 2010 Unleash Networks
+require 'openssl'
+require 'socket'
+require 'time'
+
+module TrisulRP::Protocol
+	include TrisulRP::Guids
+
+	# == TLS Connect to a Trisul instance 
+	# => server : IP Address or hostname 
+	# => port   : TRP port, typically 12001 (see trisulConfig.xml)
+	# => client_cert_file  : Client certificate file issued by admin
+	# => client_key_file  : Client key file issued by admin
+	#
+	# yields or returns a connection object that can be used in subsequent
+	# calls to communicate to the trisul instance 
+	#
+	#
+	def    connect(server,port,client_cert_file,client_key_file)
+		tcp_sock=TCPSocket.open(server,port)
+		ctx = OpenSSL::SSL::SSLContext.new
+		ctx.cert = OpenSSL::X509::Certificate.new(File.read(client_cert_file))
+		ctx.key = OpenSSL::PKey::RSA.new(File.read(client_key_file))
+		ssl_sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
+		ssl_sock.connect
+		yield ssl_sock if block_given?
+		return ssl_sock
+	end
+
+	# == Dispatch request & get response 
+	# => trp_socket : socket previously opened via connect_trp
+	# => trp_request : a TRP request object
+	#
+	# yields or returns a response object 
+	# raises an error if the server returns an ErrorResponse
+	#
+	def     get_response(trp_socket,trp_request)
+		outbuf=""
+		outbuf=trp_request.serialize_to_string
+		trp_socket.write([outbuf.length].pack("N*"))
+		trp_socket.write(outbuf)
+		inbuf = trp_socket.read(4)
+		buflenarr=inbuf.unpack("N*")
+		datalen=buflenarr[0]
+		dataarray=trp_socket.read(datalen)
+		resp =TRP::Message.new
+		resp.parse dataarray
+		raise resp.error_response if resp.trp_command == TRP::Message::Command::ERROR_RESPONSE
+		yield resp if block_given?
+		return resp
+	end
+
+
+  # returns an array of [Time_from, Time_to] representing time window available on Trisul
+  def get_available_time(conn)
+		from_tm=to_tm=nil
+		req=mk_request(TRP::Message::Command::COUNTER_GROUP_INFO_REQUEST,
+					  :counter_group => TrisulRP::Guids::CG_AGGREGATE)
+		get_response(conn,req) do |resp|
+			from_tm =  Time.at(resp.counter_group_info_response.group_details[0].time_interval.from.tv_sec)
+			to_tm =  Time.at(resp.counter_group_info_response.group_details[0].time_interval.to.tv_sec)
+		end
+		return [from_tm,to_tm]
+  end
+
+  # returns a hash of key => label
+  def get_labels_for_keys(conn, cgguid, key_arr)
+	req = mk_request(TRP::Message::Command::KEY_LOOKUP_REQUEST,
+	                 :counter_group  => cgguid, :keys => key_arr.uniq )
+	h = key_arr.inject({}) { |m,i| m.store(i,i); m }
+	get_response(conn,req) do |resp|
+			resp.key_lookup_response.key_details.each { |d| h.store(d.key,d.label) }
+	end
+	return h
+  end
+
+  # fill up time_interval 
+  def mk_time_interval(tmarr)
+     tint=TRP::TimeInterval.new
+     tint.from=TRP::Timestamp.new(:tv_sec => tmarr[0].tv_sec, :tv_usec => 0)
+     tint.to=TRP::Timestamp.new(:tv_sec => tmarr[1].tv_sec, :tv_usec => 0)
+	 return tint
+  end
+
+  # shortcut to make a request 
+  def mk_request(cmd_id,params)
+	req = TRP::Message.new(:trp_command => cmd_id )
+	case cmd_id
+		when TRP::Message::Command::COUNTER_GROUP_INFO_REQUEST
+			req.counter_group_info_request = TRP::CounterGroupInfoRequest.new(params)
+		when TRP::Message::Command::KEY_LOOKUP_REQUEST
+			req.key_lookup_request = TRP::KeyLookupRequest.new(params)
+		else
+			raise "Unknown TRP command ID"
+	end
+	return req
+  end
+
+end

data/lib/{trp.pb.rb → trisulrp/trp.pb.rb}

@@ -61,6 +61,8 @@ module TRP
   class ResourceItemResponse < ::ProtocolBuffers::Message; end
   class ResourceGroupRequest < ::ProtocolBuffers::Message; end
   class ResourceGroupResponse < ::ProtocolBuffers::Message; end
+  class KeyLookupRequest < ::ProtocolBuffers::Message; end
+  class KeyLookupResponse < ::ProtocolBuffers::Message; end
 
   # enums
   module AuthLevel
@@ -212,6 +214,8 @@ module TRP
       RESOURCE_ITEM_RESPONSE = 47
       RESOURCE_GROUP_REQUEST = 48
       RESOURCE_GROUP_RESPONSE = 49
+      KEY_LOOKUP_REQUEST = 50
+      KEY_LOOKUP_RESPONSE = 51
     end
 
     required ::TRP::Message::Command, :trp_command, 1
@@ -257,6 +261,8 @@ module TRP
     optional ::TRP::ResourceItemResponse, :resource_item_response, 46
     optional ::TRP::ResourceGroupRequest, :resource_group_request, 47
     optional ::TRP::ResourceGroupResponse, :resource_group_response, 48
+    optional ::TRP::KeyLookupRequest, :key_lookup_request, 49
+    optional ::TRP::KeyLookupResponse, :key_lookup_response, 50
 
     gen_methods! # new fields ignored after this point
   end
@@ -372,7 +378,8 @@ module TRP
     required ::TRP::TimeInterval, :time_interval, 3
     required :int64, :num_datagrams, 4
     required :int64, :num_bytes, 5
-    required :string, :contents, 6
+    required :string, :sha1, 6
+    required :bytes, :contents, 7
 
     gen_methods! # new fields ignored after this point
   end
@@ -393,7 +400,7 @@ module TRP
   end
 
   class SearchKeysRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
+    optional :int64, :context, 1, :default => 0
     required :string, :counter_group, 2
     required :string, :pattern, 3
     required :int64, :maxitems, 4
@@ -410,7 +417,7 @@ module TRP
   end
 
   class CounterGroupInfoRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
+    optional :int64, :context, 1, :default => 0
     optional :string, :counter_group, 2
 
     gen_methods! # new fields ignored after this point
@@ -424,34 +431,44 @@ module TRP
   end
 
   class SessionItemRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
-    required :string, :session_group, 2
-    optional :string, :session_key, 3
-    optional ::TRP::SessionID, :session_id, 4
+    optional :int64, :context, 1, :default => 0
+    optional :string, :session_group, 2, :default => "{99A78737-4B41-4387-8F31-8077DB917336}"
+    repeated :string, :session_keys, 3
+    repeated ::TRP::SessionID, :session_ids, 4
 
     gen_methods! # new fields ignored after this point
   end
 
   class SessionItemResponse < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
+    # forward declarations
+    class Item < ::ProtocolBuffers::Message; end
+
+    # nested messages
+    class Item < ::ProtocolBuffers::Message
+      optional :string, :session_key, 1
+      optional ::TRP::SessionID, :session_id, 2
+      optional :string, :user_label, 3
+      required ::TRP::TimeInterval, :time_interval, 4
+      required :int64, :state, 5
+      required :int64, :az_bytes, 6
+      required :int64, :za_bytes, 7
+      required ::TRP::KeyDetails, :key1A, 8
+      required ::TRP::KeyDetails, :key2A, 9
+      required ::TRP::KeyDetails, :key1Z, 10
+      required ::TRP::KeyDetails, :key2Z, 11
+
+      gen_methods! # new fields ignored after this point
+    end
+
+    optional :int64, :context, 1, :default => 0
     required :string, :session_group, 2
-    optional :string, :session_key, 3
-    optional ::TRP::SessionID, :session_id, 4
-    optional :string, :user_label, 5
-    required ::TRP::TimeInterval, :time_interval, 6
-    required :int64, :state, 7
-    required :int64, :az_bytes, 8
-    required :int64, :za_bytes, 9
-    required ::TRP::KeyDetails, :key1A, 10
-    required ::TRP::KeyDetails, :key2A, 11
-    required ::TRP::KeyDetails, :key1Z, 12
-    required ::TRP::KeyDetails, :key2Z, 13
+    repeated ::TRP::SessionItemResponse::Item, :items, 3
 
     gen_methods! # new fields ignored after this point
   end
 
   class BulkCounterItemRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
+    optional :int64, :context, 1, :default => 0
     required :string, :counter_group, 2
     required :int64, :meter, 3
     required ::TRP::TimeInterval, :time_interval, 4
@@ -468,7 +485,7 @@ module TRP
   end
 
   class TopperSnapshotRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
+    optional :int64, :context, 1, :default => 0
     required :string, :counter_group, 2
     required :int64, :meter, 3
     required ::TRP::TimeInterval, :Time, 4
@@ -490,7 +507,7 @@ module TRP
   end
 
   class UpdateKeyRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
+    optional :int64, :context, 1, :default => 0
     required :string, :counter_group, 2
     required :string, :key, 4
     required :string, :label, 5
@@ -500,12 +517,12 @@ module TRP
   end
 
   class KeySessionActivityRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
-    required :string, :session_group, 2
+    optional :int64, :context, 1, :default => 0
+    optional :string, :session_group, 2, :default => "{99A78737-4B41-4387-8F31-8077DB917336}"
     required :string, :key, 3
-    required :int64, :maxitems, 4
-    required :int64, :volume_filter, 5
-    required :int64, :duration_filter, 6
+    optional :int64, :maxitems, 4, :default => 100
+    optional :int64, :volume_filter, 5, :default => 0
+    optional :int64, :duration_filter, 6, :default => 0
     required ::TRP::TimeInterval, :time_interval, 7
 
     gen_methods! # new fields ignored after this point
@@ -520,8 +537,8 @@ module TRP
   end
 
   class SessionTrackerRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
-    required :string, :session_group, 2
+    optional :int64, :context, 1, :default => 0
+    optional :string, :session_group, 2, :default => "{99A78737-4B41-4387-8F31-8077DB917336}"
     required :int64, :tracker_id, 3, :default => 1
     optional :int64, :maxitems, 4, :default => 100
     required ::TRP::TimeInterval, :time_interval, 5
@@ -538,8 +555,8 @@ module TRP
   end
 
   class SessionGroupRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
-    required :string, :session_group, 2
+    optional :int64, :context, 1, :default => 0
+    optional :string, :session_group, 2, :default => "{99A78737-4B41-4387-8F31-8077DB917336}"
     optional :int64, :tracker_id, 3
     optional :string, :key_filter, 4
     optional :int64, :maxitems, 5, :default => 100
@@ -579,34 +596,44 @@ module TRP
   end
 
   class AlertItemRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
+    optional :int64, :context, 1, :default => 0
     required :string, :alert_group, 2
-    optional ::TRP::AlertID, :alert_id, 3
+    repeated ::TRP::AlertID, :alert_ids, 3
 
     gen_methods! # new fields ignored after this point
   end
 
   class AlertItemResponse < ::ProtocolBuffers::Message
+    # forward declarations
+    class Item < ::ProtocolBuffers::Message; end
+
+    # nested messages
+    class Item < ::ProtocolBuffers::Message
+      optional :int64, :sensor_id, 1
+      required ::TRP::Timestamp, :time, 2
+      optional :string, :source_ip, 3
+      optional :string, :source_port, 4
+      optional :string, :destination_ip, 5
+      optional :string, :destination_port, 6
+      required :string, :sigid, 7
+      required :string, :classification, 8
+      required :string, :priority, 9
+      required ::TRP::Timestamp, :dispatch_time, 10
+      required :string, :aux_message1, 11
+      required :string, :aux_message2, 12
+
+      gen_methods! # new fields ignored after this point
+    end
+
     optional :int64, :context, 1
     required :string, :alert_group, 2
-    optional :int64, :sensor_id, 3
-    required ::TRP::Timestamp, :time, 4
-    optional :string, :source_ip, 5
-    optional :string, :source_port, 6
-    optional :string, :destination_ip, 7
-    optional :string, :destination_port, 8
-    required :string, :sigid, 9
-    required :string, :classification, 10
-    required :string, :priority, 11
-    required ::TRP::Timestamp, :dispatch_time, 12
-    required :string, :aux_message1, 13
-    required :string, :aux_message2, 14
+    repeated ::TRP::AlertItemResponse::Item, :items, 3
 
     gen_methods! # new fields ignored after this point
   end
 
   class AlertGroupRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
+    optional :int64, :context, 1, :default => 0
     required :string, :alert_group, 2
     required ::TRP::TimeInterval, :time_interval, 3
     optional :int64, :maxitems, 5, :default => 10
@@ -632,7 +659,7 @@ module TRP
   end
 
   class ResourceItemRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
+    optional :int64, :context, 1, :default => 0
     required :string, :resource_group, 2
     repeated ::TRP::ResourceID, :resource_ids, 3
 
@@ -665,7 +692,7 @@ module TRP
   end
 
   class ResourceGroupRequest < ::ProtocolBuffers::Message
-    optional :int64, :context, 1
+    optional :int64, :context, 1, :default => 0
     required :string, :resource_group, 2
     required ::TRP::TimeInterval, :time_interval, 3
     optional :int64, :maxitems, 4, :default => 10
@@ -687,4 +714,20 @@ module TRP
     gen_methods! # new fields ignored after this point
   end
 
+  class KeyLookupRequest < ::ProtocolBuffers::Message
+    optional :int64, :context, 1, :default => 0
+    required :string, :counter_group, 2
+    repeated :string, :keys, 3
+
+    gen_methods! # new fields ignored after this point
+  end
+
+  class KeyLookupResponse < ::ProtocolBuffers::Message
+    optional :int64, :context, 1
+    required :string, :counter_group, 2
+    repeated ::TRP::KeyDetails, :key_details, 3
+
+    gen_methods! # new fields ignored after this point
+  end
+
 end