trisulrp 1.2.4 → 1.2.5
Sign up to get free protection for your applications and to get access to all the features.
- data/README.rdoc +7 -4
- data/VERSION +1 -1
- data/lib/trisulrp/protocol.rb +199 -45
- data/lib/trisulrp/trp.proto +3 -3
- data/test/test_alerts.rb +37 -72
- data/test/test_cap.rb +23 -43
- data/test/test_key_flows.rb +34 -51
- data/test/test_resources.rb +42 -65
- data/test/test_trisulrp.rb +1 -2
- data/trisulrp.gemspec +2 -2
- metadata +4 -4
data/README.rdoc
CHANGED
|
@@ -1,13 +1,17 @@
|
|
|
1
1
|
= trisulrp
|
|
2
2
|
|
|
3
|
-
Trisul Remote Protocol
|
|
4
|
-
|
|
3
|
+
== Trisul Remote Protocol
|
|
4
|
+
|
|
5
|
+
This gem allows you to automate incident response or network forensics tasks on the Trisul Network Metering and Forensics platform.
|
|
6
|
+
|
|
7
|
+
|
|
5
8
|
|
|
6
9
|
Key Features :
|
|
7
10
|
* Analysis done remotely (at Trisul server)
|
|
8
11
|
* All communications over TLS
|
|
9
12
|
* Strong authentication using Client Certificates
|
|
10
13
|
* Easy to use
|
|
14
|
+
* Can do everything from getting statistics, flows, and pcaps
|
|
11
15
|
|
|
12
16
|
|
|
13
17
|
|
|
@@ -23,6 +27,5 @@ Key Features :
|
|
|
23
27
|
|
|
24
28
|
== Copyright
|
|
25
29
|
|
|
26
|
-
Copyright (c) 2010
|
|
27
|
-
further details.
|
|
30
|
+
Copyright (c) 2010-11 Unleash Networks. See LICENSE.txt for further details.
|
|
28
31
|
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.2.
|
|
1
|
+
1.2.5
|
data/lib/trisulrp/protocol.rb
CHANGED
|
@@ -7,22 +7,41 @@ require 'openssl'
|
|
|
7
7
|
require 'socket'
|
|
8
8
|
require 'time'
|
|
9
9
|
|
|
10
|
+
# ==== TrisulRP::Protocol
|
|
11
|
+
# Contains methods to help with common TRP tasks like
|
|
12
|
+
# * creating connections
|
|
13
|
+
# * interacting with Trisul via requests/responses
|
|
14
|
+
# * helpers to create objects
|
|
15
|
+
#
|
|
16
|
+
#
|
|
17
|
+
|
|
10
18
|
module TrisulRP::Protocol
|
|
11
19
|
include TrisulRP::Guids
|
|
12
20
|
|
|
13
|
-
#
|
|
14
|
-
#
|
|
15
|
-
#
|
|
16
|
-
#
|
|
17
|
-
#
|
|
21
|
+
# Establish a TLS connection to a Trisul instance
|
|
22
|
+
#
|
|
23
|
+
# [server] IP Address or hostname
|
|
24
|
+
# [port] TRP port, typically 12001 (see trisulConfig.xml)
|
|
25
|
+
# [client_cert_file] Client certificate file issued by admin
|
|
26
|
+
# [client_key_file] Client key file issued by admin
|
|
18
27
|
#
|
|
19
|
-
# yields or returns a connection object that can be used in subsequent
|
|
20
|
-
# calls to communicate to the trisul instance
|
|
21
28
|
#
|
|
29
|
+
# ==== Returns
|
|
30
|
+
# ==== Yields
|
|
31
|
+
# a connection object that can be used in subsequent calls
|
|
22
32
|
#
|
|
23
|
-
|
|
33
|
+
# ==== On error
|
|
34
|
+
# If a connection cannot be established, an exception is thrown which can point
|
|
35
|
+
# to the actual cause. The most common causes are
|
|
36
|
+
#
|
|
37
|
+
# * Trisul is not running
|
|
38
|
+
# * Trisul is not running in trp mode (see the docs for runmode)
|
|
39
|
+
# * Using the wrong port ( check netstat to verify trisul remote protocol port - typically 12001)
|
|
40
|
+
# * The Access Control List does not permit connections from client IP
|
|
41
|
+
#
|
|
42
|
+
def connect(server,port,client_cert_file,client_key_file)
|
|
24
43
|
tcp_sock=TCPSocket.open(server,port)
|
|
25
|
-
ctx = OpenSSL::SSL::SSLContext.new
|
|
44
|
+
ctx = OpenSSL::SSL::SSLContext.new(:TLSv1)
|
|
26
45
|
ctx.cert = OpenSSL::X509::Certificate.new(File.read(client_cert_file))
|
|
27
46
|
ctx.key = OpenSSL::PKey::RSA.new(File.read(client_key_file))
|
|
28
47
|
ssl_sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
|
|
@@ -31,14 +50,20 @@ module TrisulRP::Protocol
|
|
|
31
50
|
return ssl_sock
|
|
32
51
|
end
|
|
33
52
|
|
|
34
|
-
#
|
|
35
|
-
#
|
|
36
|
-
#
|
|
53
|
+
# Dispatch request to server & get response
|
|
54
|
+
# [conn] TRP connection previously opened via TrisulRP::Protocol::connect
|
|
55
|
+
# [trp_request] a TRP request object, created directly or using the mk_request helper
|
|
37
56
|
#
|
|
38
|
-
#
|
|
39
|
-
#
|
|
57
|
+
# ==== Returns
|
|
58
|
+
# ==== Yields
|
|
59
|
+
# a response object, you can then inspect the fields in the response and spawn additional
|
|
60
|
+
# requests if required
|
|
40
61
|
#
|
|
41
|
-
|
|
62
|
+
# ==== On error
|
|
63
|
+
# raises an error if the server returns an ErrorResponse - this contains an error_message field
|
|
64
|
+
# which can tell you what went wrong
|
|
65
|
+
#
|
|
66
|
+
def get_response(conn,trp_request)
|
|
42
67
|
outbuf=""
|
|
43
68
|
outbuf=trp_request.serialize_to_string
|
|
44
69
|
trp_socket.write([outbuf.length].pack("N*"))
|
|
@@ -55,49 +80,178 @@ module TrisulRP::Protocol
|
|
|
55
80
|
end
|
|
56
81
|
|
|
57
82
|
|
|
58
|
-
|
|
59
|
-
|
|
83
|
+
# Query the total time window available in Trisul
|
|
84
|
+
#
|
|
85
|
+
# [conn] TRP connection previously opened via connect
|
|
86
|
+
#
|
|
87
|
+
# ==== Returns
|
|
88
|
+
# returns an array of two Time objects [Time_from, Time_to] representing start and end time
|
|
89
|
+
#
|
|
90
|
+
# ==== Typical usage
|
|
91
|
+
#
|
|
92
|
+
# You pass the output of this method to mk_time_interval to get an object you can attach to a
|
|
93
|
+
# TRP request.
|
|
94
|
+
#
|
|
95
|
+
# <code>
|
|
96
|
+
#
|
|
97
|
+
# tmarr = TrisulRP::Protocol::get_avaiable_time(conn)
|
|
98
|
+
# req =TrisulRP::Protocol.mk_request( :source_ip => target_ip,...
|
|
99
|
+
# :time_interval => TrisulRP::Protocol::mk_time_interval(tm_arr))
|
|
100
|
+
#
|
|
101
|
+
# </code>
|
|
102
|
+
#
|
|
103
|
+
def get_available_time(conn)
|
|
60
104
|
from_tm=to_tm=nil
|
|
61
105
|
req=mk_request(TRP::Message::Command::COUNTER_GROUP_INFO_REQUEST,
|
|
62
|
-
|
|
106
|
+
:counter_group => TrisulRP::Guids::CG_AGGREGATE)
|
|
63
107
|
get_response(conn,req) do |resp|
|
|
64
108
|
from_tm = Time.at(resp.counter_group_info_response.group_details[0].time_interval.from.tv_sec)
|
|
65
109
|
to_tm = Time.at(resp.counter_group_info_response.group_details[0].time_interval.to.tv_sec)
|
|
66
110
|
end
|
|
67
111
|
return [from_tm,to_tm]
|
|
68
|
-
|
|
112
|
+
end
|
|
69
113
|
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
114
|
+
# convert a set of keys into labels
|
|
115
|
+
#
|
|
116
|
+
# This method accepts an array of keys (which are references to counter items in Trisul) and sends
|
|
117
|
+
# a key lookup request to Trisul. Trisul responds with labels for those keys that had labels. Finally a
|
|
118
|
+
# ready to use map is constructed and returned to the caller.
|
|
119
|
+
#
|
|
120
|
+
# [conn] a TRP connection opened earlier via connect(..)
|
|
121
|
+
# [cgguid] a counter group id. See TrisulRP::Guids for a list of common guids
|
|
122
|
+
# [key_arr] an array of keys, possibly obtained as a result of an earlier command
|
|
123
|
+
#
|
|
124
|
+
# ==== Returns
|
|
125
|
+
# a hash of Key => Label. All keys in the incoming array will have a hash entry. If Trisul could not
|
|
126
|
+
# find a label for a key, it will store the key itself as the hash value.
|
|
127
|
+
#
|
|
128
|
+
# ==== Typical usage
|
|
129
|
+
#
|
|
130
|
+
# You use this method as a bulk resolving mechanism.
|
|
131
|
+
# <code>
|
|
132
|
+
#
|
|
133
|
+
# host_keys = ["0A.0A.18.E0", "B1.01.8F.01",...]
|
|
134
|
+
# host_names = TrisulRP::Protocol.get_labels_for_keys(conn,
|
|
135
|
+
# TrisulRP::Guids::CG_HOSTS, host_keys)
|
|
136
|
+
#
|
|
137
|
+
# host_names["0A.0A.18.E0"] = "demo.trisul.org" # ok
|
|
138
|
+
# host_names["B1.01.8F.01"] = "B1.01.8F.01" # no label for this key
|
|
139
|
+
#
|
|
140
|
+
# </code>
|
|
141
|
+
#
|
|
142
|
+
def get_labels_for_keys(conn, cgguid, key_arr)
|
|
143
|
+
req = mk_request(TRP::Message::Command::KEY_LOOKUP_REQUEST,
|
|
144
|
+
:counter_group => cgguid, :keys => key_arr.uniq )
|
|
145
|
+
h = key_arr.inject({}) { |m,i| m.store(i,i); m }
|
|
146
|
+
get_response(conn,req) do |resp|
|
|
147
|
+
resp.key_lookup_response.key_details.each { |d| h.store(d.key,d.label) }
|
|
148
|
+
end
|
|
149
|
+
return h
|
|
150
|
+
end
|
|
80
151
|
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
152
|
+
# Helper to create a TRP TimeInterval object
|
|
153
|
+
#
|
|
154
|
+
# [tmarr] An array of two Time objects representing a window
|
|
155
|
+
#
|
|
156
|
+
# ==== Returns
|
|
157
|
+
# A TRP::TimeInterval object which can be attached to any :time_interval field of a TRP request
|
|
158
|
+
#
|
|
159
|
+
def mk_time_interval(tmarr)
|
|
160
|
+
tint=TRP::TimeInterval.new
|
|
161
|
+
tint.from=TRP::Timestamp.new(:tv_sec => tmarr[0].tv_sec, :tv_usec => 0)
|
|
162
|
+
tint.to=TRP::Timestamp.new(:tv_sec => tmarr[1].tv_sec, :tv_usec => 0)
|
|
163
|
+
return tint
|
|
164
|
+
end
|
|
88
165
|
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
166
|
+
# Helper to create a TRP request object
|
|
167
|
+
#
|
|
168
|
+
# Read the TRP documentation wiki for a description of each command.
|
|
169
|
+
#
|
|
170
|
+
# [cmd_id] The command ID.
|
|
171
|
+
# [params] A hash containing command parameters
|
|
172
|
+
#
|
|
173
|
+
# ==== Typical usage
|
|
174
|
+
#
|
|
175
|
+
# <code>
|
|
176
|
+
#
|
|
177
|
+
# # create a new command of type KeySessionActivityRequest
|
|
178
|
+
# req = TrisulRP::Protocol.mk_request(TRP::Message::Command::KEY_SESS_ACTIVITY_REQUEST,
|
|
179
|
+
# :key => target_key ,
|
|
180
|
+
# :time_interval => mk_time_interval(tmarr))
|
|
181
|
+
#
|
|
182
|
+
# ... now you can use the req object ...
|
|
183
|
+
#
|
|
184
|
+
# </code>
|
|
185
|
+
#
|
|
186
|
+
# You can also create the request objects directly, just a little too verbose for our liking
|
|
187
|
+
#
|
|
188
|
+
# <code>
|
|
189
|
+
#
|
|
190
|
+
# # create a new command of type CounterItemRequest
|
|
191
|
+
# req =TRP::Message.new(:trp_command => TRP::Message::Command::KEY_SESS_ACTIVITY_REQUEST )
|
|
192
|
+
# req.key_session_activity_request = TRP::KeySessionActivityRequest.new(
|
|
193
|
+
# :key => target_key ,
|
|
194
|
+
# :time_interval => mk_time_interval(tmarr))
|
|
195
|
+
#
|
|
196
|
+
# ... now you can use the req object ...
|
|
197
|
+
#
|
|
198
|
+
# </code>
|
|
199
|
+
#
|
|
200
|
+
#
|
|
201
|
+
def mk_request(cmd_id,params)
|
|
202
|
+
req = TRP::Message.new(:trp_command => cmd_id)
|
|
203
|
+
case cmd_id
|
|
204
|
+
when TRP::Message::Command::HELLO_REQUEST
|
|
205
|
+
req.hello_request = TRP::HelloRequest.new(params)
|
|
206
|
+
when TRP::Message::Command::COUNTER_GROUP_REQUEST
|
|
207
|
+
req.counter_group_request = TRP::CounterGroupRequest.new(params)
|
|
208
|
+
when TRP::Message::Command::COUNTER_ITEM_REQUEST
|
|
209
|
+
req.counter_item_request = TRP::CounterItemRequest.new(params)
|
|
210
|
+
when TRP::Message::Command::RELEASE_RESOURCE_REQUEST
|
|
211
|
+
req.release_resource_request = TRP::ReleaseResourceRequest.new(params)
|
|
212
|
+
when TRP::Message::Command::CONTROLLED_COUNTER_GROUP_REQUEST
|
|
213
|
+
req.controlled_counter_group_request = TRP::ControlledCounterGroupRequest.new(params)
|
|
214
|
+
when TRP::Message::Command::FILTERED_DATAGRAMS_REQUEST
|
|
215
|
+
req.filtered_datagrams_request = TRP::FilteredDatagramsRequest.new(params)
|
|
216
|
+
when TRP::Message::Command::CONTROLLED_CONTEXT_REQUEST
|
|
217
|
+
req.controlled_context_request = TRP::ControlledContextRequest.new(params)
|
|
218
|
+
when TRP::Message::Command::SEARCH_KEYS_REQUEST
|
|
219
|
+
req.search_keys_request = TRP::SearchKeysRequest.new(params)
|
|
220
|
+
when TRP::Message::Command::BULK_COUNTER_ITEM_REQUEST
|
|
221
|
+
req.bulk_counter_item_request = TRP::BulkItemRequest.new(params)
|
|
222
|
+
when TRP::Message::Command:: CGMONITOR_REQUEST
|
|
223
|
+
req.cgmonitor_request = TRP::CgmonitorRequest.new(params)
|
|
224
|
+
when TRP::Message::Command::TOPPER_SNAPSHOT_REQUEST
|
|
225
|
+
req.topper_snapshot_request = TRP::TopperSnapshotRequest.new(params)
|
|
226
|
+
when TRP::Message::Command::UPDATE_KEY_REQUEST
|
|
227
|
+
req.update_key_request = TRP::UpdateKeyRequest.new(params)
|
|
228
|
+
when TRP::Message::Command::RING_STATS_REQUEST
|
|
229
|
+
req.ring_stats_request = TRP::RingStatsRequest.new(params)
|
|
230
|
+
when TRP::Message::Command::SERVER_STATS_REQUEST
|
|
231
|
+
req.server_stats_request = TRP::ServerStatsRequest.new(params)
|
|
232
|
+
when TRP::Message::Command::SESSION_ITEM_REQUEST
|
|
233
|
+
req.session_item_request = TRP::SessionItemRequest.new(params)
|
|
234
|
+
when TRP::Message::Command::SESSION_GROUP_REQUEST
|
|
235
|
+
req.session_group_request = TRP::SessionGroupRequest.new(params)
|
|
236
|
+
when TRP::Message::Command::ALERT_ITEM_REQUEST
|
|
237
|
+
req.alert_item_request = TRP::AlertItemRequest.new(params)
|
|
238
|
+
when TRP::Message::Command::ALERT_GROUP_REQUEST
|
|
239
|
+
req.alert_group_request = TRP::AlertGroupRequest.new(params)
|
|
240
|
+
when TRP::Message::Command::RESOURCE_ITEM_REQUEST
|
|
241
|
+
req.resource_item_request = TRP::ResourceItemRequest.new(params)
|
|
242
|
+
when TRP::Message::Command::RESOURCE_GROUP_REQUEST
|
|
243
|
+
req.resource_group_request = TRP::ResourceGroupRequest.new(params)
|
|
95
244
|
when TRP::Message::Command::KEY_LOOKUP_REQUEST
|
|
96
|
-
|
|
245
|
+
req.key_lookup_request = TRP::KeyLookupRequest.new(params)
|
|
246
|
+
when TRP::Message::Command::COUNTER_GROUP_INFO_REQUEST
|
|
247
|
+
req.counter_group_info_request = TRP::CounterGroupInfoRequest.new(params)
|
|
248
|
+
when TRP::Message::Command::KEY_SESS_ACTIVITY_REQUEST
|
|
249
|
+
req.key_session_activity_request = TRP::KeySessionActivityRequest.new(params)
|
|
97
250
|
else
|
|
98
251
|
raise "Unknown TRP command ID"
|
|
252
|
+
end
|
|
253
|
+
return req
|
|
99
254
|
end
|
|
100
|
-
return req
|
|
101
|
-
end
|
|
102
255
|
|
|
103
256
|
end
|
|
257
|
+
|
data/lib/trisulrp/trp.proto
CHANGED
|
@@ -76,7 +76,7 @@ enum PcapFormat {
|
|
|
76
76
|
}
|
|
77
77
|
|
|
78
78
|
message Message {
|
|
79
|
-
enum Command {
|
|
79
|
+
enum Command { HELLO_REQUEST=1;
|
|
80
80
|
HELLO_RESPONSE=2;
|
|
81
81
|
OK_RESPONSE=3;
|
|
82
82
|
ERROR_RESPONSE=5;
|
|
@@ -105,7 +105,7 @@ message Message {
|
|
|
105
105
|
CGMONITOR_REQUEST=28;
|
|
106
106
|
CGMONITOR_RESPONSE=29;
|
|
107
107
|
TOPPER_SNAPSHOT_REQUEST=30;
|
|
108
|
-
|
|
108
|
+
TOPPER_SNAPSHOT_RESPONSE=31;
|
|
109
109
|
UPDATE_KEY_REQUEST=32;
|
|
110
110
|
UPDATE_KEY_RESPONSE=33;
|
|
111
111
|
KEY_SESS_ACTIVITY_REQUEST=34;
|
|
@@ -113,7 +113,7 @@ message Message {
|
|
|
113
113
|
RING_STATS_REQUEST=36;
|
|
114
114
|
RING_STATS_RESPONSE=37;
|
|
115
115
|
SERVER_STATS_REQUEST=38;
|
|
116
|
-
|
|
116
|
+
SERVER_STATS_RESPONSE=39;
|
|
117
117
|
SESSION_GROUP_REQUEST=40;
|
|
118
118
|
SESSION_GROUP_RESPONSE=41;
|
|
119
119
|
ALERT_ITEM_REQUEST=42;
|
data/test/test_alerts.rb
CHANGED
|
@@ -4,81 +4,46 @@
|
|
|
4
4
|
require 'rubygems'
|
|
5
5
|
|
|
6
6
|
require './helper'
|
|
7
|
-
include
|
|
8
|
-
|
|
9
|
-
GUID_CG_APP = "{C51B48D4-7876-479E-B0D9-BD9EFF03CE2E}"
|
|
10
|
-
|
|
11
|
-
AG_IDS = "{9AFD8C08-07EB-47E0-BF05-28B4A7AE8DC9}"
|
|
12
|
-
CG_SIGDS = "{A0FA9464-B496-4A20-A9AB-4D2D09AFF902}"
|
|
13
|
-
|
|
14
|
-
CG_HOSTS = "{4CD742B1-C1CA-4708-BE78-0FCA2EB01A86}"
|
|
15
|
-
CG_APPS = "{C51B48D4-7876-479E-B0D9-BD9EFF03CE2E}"
|
|
16
|
-
|
|
17
|
-
|
|
7
|
+
include TrisulRP::Protocol
|
|
8
|
+
require guidmap
|
|
18
9
|
class TestTrisulrp < Test::Unit::TestCase
|
|
19
10
|
|
|
20
|
-
def setup
|
|
21
|
-
if @trp_conn.nil?
|
|
22
|
-
@trp_conn=TRPLib::connect_trp("127.0.0.1",
|
|
23
|
-
12001,
|
|
24
|
-
"Demo_Client.crt",
|
|
25
|
-
"Demo_Client.key")
|
|
26
|
-
end
|
|
27
|
-
end
|
|
28
|
-
|
|
29
|
-
|
|
30
11
|
def test_query_alerts
|
|
31
12
|
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
resp.items.each do |item|
|
|
69
|
-
print "#{Time.at(item.time.tv_sec)} "
|
|
70
|
-
print "#{sip_names[item.source_ip]}".ljust(28)
|
|
71
|
-
print "#{sport_names[item.source_port]}".ljust(11)
|
|
72
|
-
print "#{dip_names[item.destination_ip]}".ljust(28)
|
|
73
|
-
print "#{dport_names[item.destination_port]}".ljust(11)
|
|
74
|
-
print "#{sigid_names[item.sigid]}".rjust(10)
|
|
75
|
-
print "\n"
|
|
76
|
-
end
|
|
77
|
-
end
|
|
78
|
-
end
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
end
|
|
13
|
+
target_ip = "0A.02.C7.EB" # 10.2.199.235"
|
|
14
|
+
TrisulRP::Protocol.connect("127.0.0.1",12001,"Demo_Client.crt","Demo_Client.key") do |conn|
|
|
15
|
+
tm_arr = TrisulRP::Protocol.get_available_time(conn)
|
|
16
|
+
req =TrisulRP::Protocol.mk_request(:context => 0,:alert_group =>TrisulRP::Guids::AG_IDS, :source_ip => target_ip,
|
|
17
|
+
:maxitems => 1000,
|
|
18
|
+
:time_interval => TRPLib.mk_time_interval(tm_arr))
|
|
19
|
+
|
|
20
|
+
TrisulRP::Protocol.get_response(conn,req) do |resp|
|
|
21
|
+
follow_up = TrisulRP::Protocol.mk_request(:alert_group => TrisulRP::Guids::AG_IDS)
|
|
22
|
+
resp.alert_group_response.alerts.each do |al|
|
|
23
|
+
follow_up.alert_item_request.alert_ids << TRP::AlertID.new(:slice_id => al.slice_id, :alert_id => al.alert_id)
|
|
24
|
+
end
|
|
25
|
+
|
|
26
|
+
TrisulRP::Protocol.getresponse(conn,follow_up) do | resp2 |
|
|
27
|
+
resp=resp2.alert_item_response
|
|
28
|
+
resolv_candidates = resp.items.collect { |item| [item.source_ip, item.source_port, item.destination_ip, item.destination_port,item.sigid] }
|
|
29
|
+
resolv_arr = resolv_candidates.transpose
|
|
30
|
+
sip_names = TrisulRP::Protocol.get_labels_for_keys(conn,TrisulRP::Guids::CG_HOSTS, resolv_arr[0])
|
|
31
|
+
sport_names = TrisulRP::Protocol.get_labels_for_keys(conn,TrisulRP::Guids::CG_APPS, resolv_arr[1])
|
|
32
|
+
dip_names = TrisulRP::Protocol.get_labels_for_keys(conn,TrisulRP::Guids::CG_HOSTS, resolv_arr[2])
|
|
33
|
+
dport_names = TrisulRP::Protocol.get_labels_for_keys(conn,TrisulRP::Guids::CG_APPS, resolv_arr[3])
|
|
34
|
+
sigid_names = TrisulRP::Protocol.get_labels_for_keys(conn,TrisulRP::Guids::CG_SIGDS, resolv_arr[4])
|
|
35
|
+
resp.items.each do |item|
|
|
36
|
+
print "#{Time.at(item.time.tv_sec)} "
|
|
37
|
+
print "#{sip_names[item.source_ip]}".ljust(28)
|
|
38
|
+
print "#{sport_names[item.source_port]}".ljust(11)
|
|
39
|
+
print "#{dip_names[item.destination_ip]}".ljust(28)
|
|
40
|
+
print "#{dport_names[item.destination_port]}".ljust(11)
|
|
41
|
+
print "#{sigid_names[item.sigid]}".rjust(10)
|
|
42
|
+
print "\n"
|
|
43
|
+
end
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
end
|
|
47
|
+
end
|
|
82
48
|
end
|
|
83
49
|
|
|
84
|
-
|
data/test/test_cap.rb
CHANGED
|
@@ -2,54 +2,34 @@
|
|
|
2
2
|
# Akhil.M & Dhinesh.K (c) 2010 Unleash Networks
|
|
3
3
|
# Testing change
|
|
4
4
|
require 'rubygems'
|
|
5
|
-
|
|
6
5
|
require './helper'
|
|
7
|
-
include
|
|
6
|
+
include TrisulRP::Protocol
|
|
8
7
|
require 'guidmap'
|
|
9
8
|
|
|
10
9
|
|
|
11
10
|
class TestCap < Test::Unit::TestCase
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
follow_up = TRP::Message.new(:trp_command => TRP::Message::Command::FILTERED_DATAGRAMS_REQUEST)
|
|
35
|
-
follow_up.filtered_datagram_request = TRP::FilteredDatagramRequest.new(
|
|
36
|
-
:filter_expression => "#{GUIDMap::SG_TCP}=#{si.session_key}",
|
|
37
|
-
:time_interval => si.time_interval )
|
|
38
|
-
TRPLib::get_trp_response(@trp_conn,follow_up) do |resp|
|
|
39
|
-
fdr=resp.filtered_datagram_response
|
|
40
|
-
|
|
41
|
-
p "Number of bytes = #{fdr.num_bytes}\n"
|
|
42
|
-
p "Number of pkts = #{fdr.num_datagrams}\n"
|
|
43
|
-
p "Hash = #{fdr.sha1}\n"
|
|
44
|
-
|
|
45
|
-
File.open("t.pcap","wb") do |f|
|
|
46
|
-
f.write(fdr.contents)
|
|
47
|
-
end
|
|
48
|
-
end
|
|
49
|
-
|
|
50
|
-
end
|
|
51
|
-
end
|
|
52
|
-
|
|
11
|
+
def test_dpi
|
|
12
|
+
target_sess = TRP::SessionID.new(:slice_id => 2, :session_id => 207)
|
|
13
|
+
TrisulRP::Protocol.connect("127.0.0.1", 12001,"Demo_Client.crt","Demo_Client.key") do |conn|
|
|
14
|
+
req = TrisulRP::Protocol.mk_request(TRP::Message::Command::SESSION_ITEM_REQUEST,
|
|
15
|
+
:session_ids => [target_sess])
|
|
16
|
+
TrisulRP::Protocol.get_response(conn,req) do |resp|
|
|
17
|
+
si = resp.session_item_response.items[0]
|
|
18
|
+
follow_up = TrisulRP::Protocol.mk_request(:filter_expression => "#{GUIDMap::SG_TCP}=#{si.session_key}",
|
|
19
|
+
:time_interval => si.time_interval )
|
|
20
|
+
TrisulRP::Protocol.get_response(conn,follow_up) do |resp|
|
|
21
|
+
fdr=resp.filtered_datagram_response
|
|
22
|
+
p "Number of bytes = #{fdr.num_bytes}\n"
|
|
23
|
+
p "Number of pkts = #{fdr.num_datagrams}\n"
|
|
24
|
+
p "Hash = #{fdr.sha1}\n"
|
|
25
|
+
|
|
26
|
+
File.open("t.pcap","wb") do |f|
|
|
27
|
+
f.write(fdr.contents)
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
53
33
|
end
|
|
54
34
|
|
|
55
35
|
|
data/test/test_key_flows.rb
CHANGED
|
@@ -2,60 +2,43 @@
|
|
|
2
2
|
# Akhil.M & Dhinesh.K (c) 2010 Unleash Networks
|
|
3
3
|
# Testing change
|
|
4
4
|
require 'rubygems'
|
|
5
|
-
|
|
6
|
-
|
|
7
5
|
require './helper'
|
|
8
|
-
include
|
|
9
|
-
|
|
10
|
-
GUID_CG_APP = "{C51B48D4-7876-479E-B0D9-BD9EFF03CE2E}"
|
|
6
|
+
include TrisulRP::Protocol
|
|
7
|
+
require guidmap
|
|
11
8
|
|
|
12
9
|
class TestTrisulrp < Test::Unit::TestCase
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
print "#{item.key1A.label}".ljust(28)
|
|
46
|
-
print "#{item.key2A.label}".ljust(11)
|
|
47
|
-
print "#{item.key1Z.label}".ljust(28)
|
|
48
|
-
print "#{item.key2Z.label}".ljust(11)
|
|
49
|
-
print "#{item.az_bytes}".rjust(10)
|
|
50
|
-
print "#{item.za_bytes}".rjust(10)
|
|
51
|
-
print "\n"
|
|
52
|
-
end
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
end
|
|
56
|
-
end
|
|
57
|
-
end
|
|
58
|
-
|
|
10
|
+
def test_flows_for_host
|
|
11
|
+
|
|
12
|
+
target_key = "0A.01.3C.BB"
|
|
13
|
+
TrisulRP::Protocol.connect("127.0.0.1",12001,"Demo_Client.crt","Demo_Client.key") do |conn|
|
|
14
|
+
|
|
15
|
+
tmarr = TrisulRP::Protocol.get_available_time(conn)
|
|
16
|
+
|
|
17
|
+
req = TrisulRP::Protocol.mk_request(TRP::Message::Command::KEY_SESS_ACTIVITY_REQUEST,
|
|
18
|
+
:key => target_key ,:time_interval =>TrisulRP::Protocol.mk_time_interval(tmarr))
|
|
19
|
+
TrisulRP::Protocol.get_response(conn,req) do |resp|
|
|
20
|
+
all_sids = resp.key_session_activity_response.sessions.collect{ |ai| TRP::SessionID.new(
|
|
21
|
+
:slice_id => ai.slice_id,
|
|
22
|
+
:session_id => ai.session_id ) }
|
|
23
|
+
|
|
24
|
+
follow_up = TrisulRP::Protocol.mk_request(:session_ids => all_sids)
|
|
25
|
+
TrisulRP::Protocol.get_response(conn,follow_up) do |resp|
|
|
26
|
+
resp.session_item_response.items.each do |item|
|
|
27
|
+
print "#{item.state} "
|
|
28
|
+
print "#{Time.at(item.time_interval.from.tv_sec)} "
|
|
29
|
+
print "#{item.time_interval.to.tv_sec-item.time_interval.from.tv_sec} ".rjust(8)
|
|
30
|
+
print "#{item.key1A.label}".ljust(28)
|
|
31
|
+
print "#{item.key2A.label}".ljust(11)
|
|
32
|
+
print "#{item.key1Z.label}".ljust(28)
|
|
33
|
+
print "#{item.key2Z.label}".ljust(11)
|
|
34
|
+
print "#{item.az_bytes}".rjust(10)
|
|
35
|
+
print "#{item.za_bytes}".rjust(10)
|
|
36
|
+
print "\n"
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
41
|
+
end
|
|
59
42
|
end
|
|
60
43
|
|
|
61
44
|
|
data/test/test_resources.rb
CHANGED
|
@@ -2,75 +2,52 @@
|
|
|
2
2
|
# Akhil.M & Dhinesh.K (c) 2010 Unleash Networks
|
|
3
3
|
# Testing change
|
|
4
4
|
require 'rubygems'
|
|
5
|
-
|
|
6
|
-
|
|
7
5
|
require './helper'
|
|
8
|
-
include
|
|
9
|
-
|
|
10
|
-
GUID_CG_APP = "{C51B48D4-7876-479E-B0D9-BD9EFF03CE2E}"
|
|
6
|
+
include TrisulRP::Protocol
|
|
7
|
+
require guidmap
|
|
11
8
|
|
|
12
9
|
class TestTrisulrp < Test::Unit::TestCase
|
|
13
10
|
|
|
14
|
-
def setup
|
|
15
|
-
if @trp_conn.nil?
|
|
16
|
-
@trp_conn=TRPLib::connect_trp("127.0.0.1",
|
|
17
|
-
12001,
|
|
18
|
-
"Demo_Client.crt",
|
|
19
|
-
"Demo_Client.key")
|
|
20
|
-
end
|
|
21
|
-
end
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
def itest_resource_items
|
|
25
|
-
req=TRPLib::mk_resource_item_request(1,[574,575])
|
|
26
|
-
get_trp_response(@trp_conn,req) do |resp|
|
|
27
|
-
TRPLib::print_resource_item_response(resp)
|
|
28
|
-
end
|
|
29
|
-
end
|
|
30
11
|
|
|
12
|
+
# demonstrates getting all HTTP requests getting a *DLL
|
|
31
13
|
def test_query_resources
|
|
32
14
|
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
end
|
|
74
|
-
end
|
|
75
|
-
|
|
76
|
-
|
|
15
|
+
target_ip = "0A.02.C7.EB" # 10.2.199.235"
|
|
16
|
+
|
|
17
|
+
TrisulRP::Protocol.connect_trp("127.0.0.1", 12001,"Demo_Client.crt","Demo_Client.key") do |conn|
|
|
18
|
+
|
|
19
|
+
tm_arr = TrisulRP::Protocol. get_available_time(conn)
|
|
20
|
+
req = TrisulRP::Protocol.mk_request(TRP::Message::Command::RESOURCE_GROUP_REQUEST,
|
|
21
|
+
:context => 0,
|
|
22
|
+
:resource_group => TrisulRP::Guids::RG_URL,
|
|
23
|
+
:uri_pattern => "dll",:maxitems => 1000, :time_interval => mk_time_interval(tm_arr))
|
|
24
|
+
|
|
25
|
+
TrisulRP::Protocol.get_response(conn,req) do |resp|
|
|
26
|
+
|
|
27
|
+
# matching resource ids
|
|
28
|
+
resource_ids = resp.resource_group_response.resources.collect do |res|
|
|
29
|
+
TRP::ResourceID.new(:slice_id => res.slice_id, :resource_id => res.resource_id)
|
|
30
|
+
end
|
|
31
|
+
|
|
32
|
+
follow_up = TrisulRP::Protocol.mk_request( TRP::Message::Command::RESOURCE_ITEM_REQUEST,
|
|
33
|
+
:context => 0, :resource_group => TrisulRP::Guids::RG_URL,
|
|
34
|
+
:resource_ids => resource_ids)
|
|
35
|
+
|
|
36
|
+
TrisulRP::Protocol.get_response(conn,follow_up) do | resp2 |
|
|
37
|
+
resp=resp2.resource_item_response
|
|
38
|
+
resp.items.each do |item|
|
|
39
|
+
print "#{Time.at(item.time.tv_sec)} "
|
|
40
|
+
print "#{item.source_ip}".ljust(28)
|
|
41
|
+
print "#{item.source_port}".ljust(11)
|
|
42
|
+
print "#{item.destination_ip}".ljust(28)
|
|
43
|
+
print "#{item.destination_port}".ljust(11)
|
|
44
|
+
print "#{item.uri}".rjust(10)
|
|
45
|
+
print "\n"
|
|
46
|
+
end
|
|
47
|
+
end
|
|
48
|
+
end
|
|
49
|
+
end
|
|
50
|
+
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
end
|
data/test/test_trisulrp.rb
CHANGED
|
@@ -6,8 +6,7 @@ class TestTrisulrp < Test::Unit::TestCase
|
|
|
6
6
|
|
|
7
7
|
def test_basic
|
|
8
8
|
|
|
9
|
-
TrisulRP::Protocol.connect("127.0.0.1", 12001,
|
|
10
|
-
"Demo_Client.crt", "Demo_Client.key") do |conn|
|
|
9
|
+
TrisulRP::Protocol.connect("127.0.0.1", 12001,"Demo_Client.crt", "Demo_Client.key") do |conn|
|
|
11
10
|
TrisulRP::Protocol.get_available_time(conn)
|
|
12
11
|
end
|
|
13
12
|
|
data/trisulrp.gemspec
CHANGED
|
@@ -5,11 +5,11 @@
|
|
|
5
5
|
|
|
6
6
|
Gem::Specification.new do |s|
|
|
7
7
|
s.name = %q{trisulrp}
|
|
8
|
-
s.version = "1.2.
|
|
8
|
+
s.version = "1.2.5"
|
|
9
9
|
|
|
10
10
|
s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
|
|
11
11
|
s.authors = ["vivek"]
|
|
12
|
-
s.date = %q{2011-01-
|
|
12
|
+
s.date = %q{2011-01-17}
|
|
13
13
|
s.description = %q{This gem deals about the trisul remote protocol}
|
|
14
14
|
s.email = %q{vivek_rajagopal@yahoo.com}
|
|
15
15
|
s.extra_rdoc_files = [
|
metadata
CHANGED
|
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
|
|
|
5
5
|
segments:
|
|
6
6
|
- 1
|
|
7
7
|
- 2
|
|
8
|
-
-
|
|
9
|
-
version: 1.2.
|
|
8
|
+
- 5
|
|
9
|
+
version: 1.2.5
|
|
10
10
|
platform: ruby
|
|
11
11
|
authors:
|
|
12
12
|
- vivek
|
|
@@ -14,7 +14,7 @@ autorequire:
|
|
|
14
14
|
bindir: bin
|
|
15
15
|
cert_chain: []
|
|
16
16
|
|
|
17
|
-
date: 2011-01-
|
|
17
|
+
date: 2011-01-17 00:00:00 +05:30
|
|
18
18
|
default_executable:
|
|
19
19
|
dependencies:
|
|
20
20
|
- !ruby/object:Gem::Dependency
|
|
@@ -149,7 +149,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
149
149
|
requirements:
|
|
150
150
|
- - ">="
|
|
151
151
|
- !ruby/object:Gem::Version
|
|
152
|
-
hash:
|
|
152
|
+
hash: 236447741
|
|
153
153
|
segments:
|
|
154
154
|
- 0
|
|
155
155
|
version: "0"
|