unified2 0.1.1

data/lib/unified2.rb

@@ -0,0 +1,206 @@
+require 'bindata'
+require 'socket'
+# http://cvs.snort.org/viewcvs.cgi/snort/src/output-plugins/spo_unified2.c?rev=1.3&content-type=text/vnd.viewcvs-markup
+
+require 'unified2/construct'
+require 'unified2/core_ext'
+require 'unified2/event'
+require 'unified2/exceptions'
+require 'unified2/version'
+
+module Unified2
+
+  TYPES = [
+    :signatures,
+    :generators,
+    :classifications
+  ]
+
+  class << self
+    attr_accessor :signatures, :generators,
+      :sensor, :hostname, :interface,
+      :classifications
+  end
+
+  def self.configuration(options={}, &block)
+    @sensor ||= Sensor.new
+    self.instance_eval(&block)
+  end
+
+  def self.sensor(options={}, &block)
+    if block
+      @sensor.instance_eval(&block)
+    end
+    @sensor.update(options)
+  end
+
+  def self.load(type, path)
+
+    unless TYPES.include?(type.to_sym)
+      raise UnknownLoadType, "Error - #{type} is unknown."
+    end
+
+    if File.exists?(path)
+      instance_variable_set("@#{type}", {})
+    else
+      raise FileNotFound, "Error - #{path} not found."
+    end
+
+    if File.readable?(path)
+      file = File.open(path)
+
+      case type.to_sym
+      when :classifications
+        
+        count = 0
+        file.each_line do |line|
+          next if line[/^\#/]
+          next unless line[/^config\s/]
+          count += 1
+          
+          # attempted-dos,Attempted Denial of Service,2
+          data = line.gsub!(/config classification: /, '')
+          short, name, priority = data.to_s.split(',')
+          
+          @classifications[count.to_s] = {
+            :short => short,
+            :name => name,
+            :priority => priority.to_i
+          }
+        end
+        
+      when :generators
+
+        file.each_line do |line|
+          next if line[/^\#/]
+          generator_id, alert_id, name = line.split(' || ')
+          id = "#{generator_id}.#{alert_id}"
+
+          @generators[id] = {
+            :generator_id => generator_id,
+            :name => name,
+            :alert_id => alert_id
+          }
+        end
+
+      when :signatures
+
+        file.each_line do |line|
+          next if line[/^\#/]
+          id, body, *references = line.split(' || ')
+          @signatures[id] = {
+            :id => id,
+            :name => body,
+            :references => references
+          }
+        end
+
+      end
+
+    end
+  end
+
+  def self.watch(path, position=:last, &block)
+
+    unless File.exists?(path)
+      raise FileNotFound, "Error - #{path} not found."
+    end
+
+    if File.readable?(path)
+      io = File.open(path)
+
+      case position
+      when Integer, Fixnum
+
+        event_id = position.to_i.zero? ? 1 : position.to_i
+        @event = Event.new(event_id)
+
+      when Symbol, String
+
+        case position.to_sym
+        when :last
+
+          until io.eof?
+            event = Unified2::Construct.read(io)
+            event_id = event.data.event_id if event
+          end
+          
+          @event = Event.new(event_id + 1)
+          
+          # set event_id to false to catch
+          # beginning loop and process
+          event_id = false
+
+        when :first
+
+          first_open = File.open(path)
+          first_event = Unified2::Construct.read(first_open)
+          first_open.close
+          event_id = first_event.data.event_id
+          @event = Event.new(event_id)
+
+        end
+      end
+
+      loop do
+        begin
+          event = Unified2::Construct.read(io)
+
+          if event_id
+            if event.data.event_id.to_i > (event_id - 1)
+              check_event(event, block)
+            end
+          else
+            check_event(event, block)
+          end
+
+        rescue EOFError
+          sleep 5
+          retry
+        end
+      end
+
+    else
+      raise FileNotReadable, "Error - #{path} not readable."
+    end
+  end
+
+  def self.read(path, &block)
+
+    unless File.exists?(path)
+      raise FileNotFound, "Error - #{path} not found."
+    end
+
+    if File.readable?(path)
+      io = File.open(path)
+
+      first_open = File.open(path)
+      first_event = Unified2::Construct.read(first_open)
+      first_open.close
+
+      @event = Event.new(first_event.data.event_id)
+
+      until io.eof?
+        event = Unified2::Construct.read(io)
+        check_event(event, block)
+      end
+
+    else
+      raise FileNotReadable, "Error - #{path} not readable."
+    end
+  end
+
+
+  private
+
+    def self.check_event(event, block)
+      if @event.id == event.data.event_id
+        @event.load(event)
+      else
+        block.call(@event)
+        @event = Event.new(event.data.event_id)
+        @event.load(event)
+      end
+    end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,5 @@
+gem 'rspec', '~> 2.4'
+require 'rspec'
+require 'unified2/version'
+
+include Unified2

data/spec/unified2_spec.rb

@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'unified2'
+
+describe Unified2 do
+  it "should have a VERSION constant" do
+    subject.const_get('VERSION').should_not be_empty
+  end
+end

data/unified2.gemspec

@@ -0,0 +1,15 @@
+# -*- encoding: utf-8 -*-
+
+begin
+  Ore::Specification.new do |gemspec|
+    # custom logic here
+  end
+rescue NameError
+  begin
+    require 'ore/specification'
+    retry
+  rescue LoadError
+    STDERR.puts "The '#{__FILE__}' file requires Ore."
+    STDERR.puts "Run `gem install ore-core` to install Ore."
+  end
+end

metadata

@@ -0,0 +1,148 @@
+--- !ruby/object:Gem::Specification 
+name: unified2
+version: !ruby/object:Gem::Version 
+  prerelease: 
+  version: 0.1.1
+platform: ruby
+authors: 
+- Dustin Willis Webber
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2011-03-09 00:00:00 -05:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: bindata
+  prerelease: false
+  requirement: &id001 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 1.3.1
+  type: :development
+  version_requirements: *id001
+- !ruby/object:Gem::Dependency 
+  name: hexdump
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 0.1.0
+  type: :development
+  version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: ore-tasks
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: "0.4"
+  type: :development
+  version_requirements: *id003
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  prerelease: false
+  requirement: &id004 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: "2.4"
+  type: :development
+  version_requirements: *id004
+- !ruby/object:Gem::Dependency 
+  name: yard
+  prerelease: false
+  requirement: &id005 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        version: 0.6.0
+  type: :development
+  version_requirements: *id005
+description: A ruby interface for unified2 output. rUnified2 allows you to manipulate unified2 output for custom storage and/or analysis.
+email: 
+- dustin.webber@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README.rdoc
+- ChangeLog.rdoc
+- LICENSE.txt
+files: 
+- .document
+- .rspec
+- .yardopts
+- ChangeLog.rdoc
+- LICENSE.txt
+- README.rdoc
+- Rakefile
+- example/classification.config
+- example/example.rb
+- example/gen-msg.map
+- example/sid-msg.map
+- example/unified2
+- gemspec.yml
+- lib/unified2.rb
+- lib/unified2/classification.rb
+- lib/unified2/construct.rb
+- lib/unified2/core_ext.rb
+- lib/unified2/core_ext/string.rb
+- lib/unified2/event.rb
+- lib/unified2/event_ip4.rb
+- lib/unified2/event_ip6.rb
+- lib/unified2/exceptions.rb
+- lib/unified2/exceptions/file_not_found.rb
+- lib/unified2/exceptions/file_not_readable.rb
+- lib/unified2/exceptions/unknown_load_type.rb
+- lib/unified2/packet.rb
+- lib/unified2/payload.rb
+- lib/unified2/primitive.rb
+- lib/unified2/primitive/ipv4.rb
+- lib/unified2/record_header.rb
+- lib/unified2/sensor.rb
+- lib/unified2/signature.rb
+- lib/unified2/version.rb
+- spec/spec_helper.rb
+- spec/unified2_spec.rb
+- unified2.gemspec
+has_rdoc: yard
+homepage: https://github.com/mephux/unified2
+licenses: 
+- MIT
+post_install_message: 
+rdoc_options: []
+
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  none: false
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+requirements: []
+
+rubyforge_project: unified2
+rubygems_version: 1.6.1
+signing_key: 
+specification_version: 3
+summary: A ruby interface for unified2 output.
+test_files: 
+- spec/unified2_spec.rb