unified2 0.1.2 → 0.2.0

data/lib/unified2/classification.rb

@@ -1,13 +1,13 @@
 module Unified2
   class Classification
 
-    attr_accessor :id, :name, :short, :priority
+    attr_accessor :id, :name, :short, :severity
 
     def initialize(classification={})
       @id = classification[:classification_id]
       @name = classification[:name]
       @short = classification[:short]
-      @priority = classification[:priority]
+      @severity = classification[:severity]
     end
 
   end

data/lib/unified2/config_file.rb

@@ -0,0 +1,80 @@
+module Unified2
+  class ConfigFile
+
+    attr_accessor :type, :path, :md5, :data
+
+    def initialize(type, path)
+      @type = type
+      @path = path
+      @data = {}
+      @md5 = Digest::MD5.hexdigest(@path)
+      import
+    end
+
+    private
+
+      def import
+        file = File.open(@path)
+        
+        case @type.to_sym
+        when :classifications
+
+          count = 0
+          file.each_line do |line|
+            next if line[/^\#/]
+            next unless line[/^config\s/]
+            count += 1
+
+            # attempted-dos,Attempted Denial of Service,2
+            data = line.gsub!(/config classification: /, '')
+            short, name, severity = data.to_s.split(',')
+
+            @data[count.to_s] = {
+              :short => short,
+              :name => name,
+              :severity_id => severity.to_i
+            }
+          end
+
+        when :generators
+
+          file.each_line do |line|
+            next if line[/^\#/]
+            generator_id, alert_id, name = line.split(' || ')
+            id = "#{generator_id}.#{alert_id}"
+
+            @data[id] = {
+              :generator_id => generator_id,
+              :name => name,
+              :signature_id => alert_id
+            }
+          end
+
+        when :signatures
+
+          file.each_line do |line|
+            next if line[/^\#/]
+            id, body, *reference_data = line.split(' || ')
+            
+            references = {}
+            reference_data.each do |line|
+              key, value = line.split(',')
+              if references.has_key?(key.downcase.to_sym)
+                references[key.downcase.to_sym] << value
+              else
+                references[key.downcase.to_sym] = [value]
+              end
+            end
+            
+            @data[id] = {
+              :signature_id => id,
+              :name => body,
+              :generator_id => 1
+            }
+          end
+
+        end
+      end
+
+  end
+end

data/lib/unified2/event.rb

@@ -22,6 +22,10 @@ module Unified2
       end
     end
 
+    def uid
+      "#{sensor.id}.#{@id}"
+    end
+
     def event_time
       if @packet.has_key?(:event_second)
         @timestamp = Time.at(@packet[:event_second].to_i)
@@ -158,14 +162,16 @@ module Unified2
     def to_s
 data = %{
 #############################################################################
-Event ID: #{id}
-Timestamp: #{timestamp}
-Severity: #{severity}
-Protocol: #{protocol}
-Source IP: #{source_ip}:#{source_port}
-Destination IP: #{destination_ip}:#{destination_port}
-Signature: #{signature.name}
-Payload:
+# Sensor: #{sensor.id}
+# Event ID: #{id}
+# Timestamp: #{timestamp}
+# Severity: #{severity}
+# Protocol: #{protocol}
+# Source IP: #{source_ip}:#{source_port}
+# Destination IP: #{destination_ip}:#{destination_port}
+# Signature: #{signature.name}
+# Classification: #{classification.name}
+# Payload:
 
 }
       if payload.blank?
@@ -223,15 +229,15 @@ Payload:
       end
 
       def build_generator(event)
-        if Unified2.generators
-          if Unified2.generators.has_key?("#{event.data.generator_id}.#{event.data.signature_id}")
+        if Unified2.generators.data
+          if Unified2.generators.data.has_key?("#{event.data.generator_id}.#{event.data.signature_id}")
             sig = Unified2.generators["#{event.data.generator_id}.#{event.data.signature_id}"]
 
             @event_hash[:signature] = {
               :signature_id => event.data.signature_id,
+              :generator_id => event.data.generator_id,
               :revision => event.data.signature_revision,
               :name => sig[:name],
-              :references => sig[:references],
               :blank => false
             }
           end
@@ -240,24 +246,25 @@ Payload:
         unless @event_hash.has_key?(:signature)
           @event_hash[:signature] = {
             :signature_id => event.data.signature_id,
+            :generator_id => event.data.generator_id,
             :revision => 0,
             :name => "Unknown Signature #{event.data.signature_id}",
-            :references => [],
             :blank => true
           }
         end
       end
 
       def build_signature(event)
-        if Unified2.signatures
-          if Unified2.signatures.has_key?(event.data.signature_id.to_s)
-            sig = Unified2.signatures[event.data.signature_id.to_s]
+        if Unified2.signatures.data
+          if Unified2.signatures.data.has_key?(event.data.signature_id.to_s)
+            sig = Unified2.signatures.data[event.data.signature_id.to_s]
 
             @event_hash[:signature] = {
               :signature_id => event.data.signature_id,
+              :generator_id => event.data.generator_id,
               :revision => event.data.signature_revision,
               :name => sig[:name],
-              :references => sig[:references]
+              :blank => false
             }
           end
         end
@@ -265,23 +272,24 @@ Payload:
         unless @event_hash.has_key?(:signature)
           @event_hash[:signature] = {
             :signature_id => event.data.signature_id,
+            :generator_id => event.data.generator_id,
             :revision => 0,
             :name => "Unknown Signature #{event.data.signature_id}",
-            :references => []
+            :blank => true
           }
         end
       end
 
       def build_classifications(event)
-        if Unified2.classifications
-          if Unified2.classifications.has_key?("#{event.data.classification_id}")
-            classification = Unified2.classifications["#{event.data.classification_id}"]
+        if Unified2.classifications.data
+          if Unified2.classifications.data.has_key?("#{event.data.classification_id}")
+            classification = Unified2.classifications.data["#{event.data.classification_id}"]
 
             @event_hash[:classification] = {
               :classification_id => event.data.classification_id,
               :name => classification[:name],
               :short => classification[:short],
-              :priority => classification[:priority]
+              :severity => classification[:severity_id]
             }
           end
         end
@@ -291,7 +299,7 @@ Payload:
             :classification_id => event.data.classification_id,
             :name => 'Unknown',
             :short => 'n/a',
-            :priority => 0
+            :severity => 0
           }
         end
       end

data/lib/unified2/payload.rb

@@ -21,7 +21,9 @@ module Unified2
     end
     
     def hex
-      @payload.to_s.unpack('H*')
+      @hex = @payload.to_s.unpack('H*')
+      return @hex.first if @hex
+      nil
     end
 
     def dump(options={})

data/lib/unified2/signature.rb

@@ -2,13 +2,13 @@ module Unified2
 
   class Signature
 
-    attr_accessor :id, :revision, :name, :references
+    attr_accessor :id, :generator, :revision, :name
 
     def initialize(signature={})
       @id = signature[:signature_id] || 0
+      @generator = signature[:generator_id]
       @revision = signature[:revision]
       @name = signature[:name].strip
-      @references = signature[:references]
       @blank = signature[:blank]
     end
 

data/lib/unified2/version.rb

@@ -1,4 +1,4 @@
 module Unified2
   # unified2 version
-  VERSION = "0.1.2"
+  VERSION = "0.2.0"
 end

data/lib/unified2.rb

@@ -3,6 +3,7 @@ require 'socket'
 # http://cvs.snort.org/viewcvs.cgi/snort/src/output-plugins/spo_unified2.c?rev=1.3&content-type=text/vnd.viewcvs-markup
 
 require 'unified2/construct'
+require 'unified2/config_file'
 require 'unified2/core_ext'
 require 'unified2/event'
 require 'unified2/exceptions'
@@ -35,72 +36,22 @@ module Unified2
   end
 
   def self.load(type, path)
-
     unless TYPES.include?(type.to_sym)
-      raise UnknownLoadType, "Error - #{type} is unknown."
+      raise UnknownLoadType, "Error - #{@type} is unknown."
     end
 
     if File.exists?(path)
-      instance_variable_set("@#{type}", {})
+      if File.readable?(path)
+        instance_variable_set("@#{type}", ConfigFile.new(type, path))
+      else
+        raise FileNotReadable, "Error - #{path} not readable."
+      end
     else
       raise FileNotFound, "Error - #{path} not found."
     end
-
-    if File.readable?(path)
-      file = File.open(path)
-
-      case type.to_sym
-      when :classifications
-        
-        count = 0
-        file.each_line do |line|
-          next if line[/^\#/]
-          next unless line[/^config\s/]
-          count += 1
-          
-          # attempted-dos,Attempted Denial of Service,2
-          data = line.gsub!(/config classification: /, '')
-          short, name, priority = data.to_s.split(',')
-          
-          @classifications[count.to_s] = {
-            :short => short,
-            :name => name,
-            :priority => priority.to_i
-          }
-        end
-        
-      when :generators
-
-        file.each_line do |line|
-          next if line[/^\#/]
-          generator_id, alert_id, name = line.split(' || ')
-          id = "#{generator_id}.#{alert_id}"
-
-          @generators[id] = {
-            :generator_id => generator_id,
-            :name => name,
-            :alert_id => alert_id
-          }
-        end
-
-      when :signatures
-
-        file.each_line do |line|
-          next if line[/^\#/]
-          id, body, *references = line.split(' || ')
-          @signatures[id] = {
-            :id => id,
-            :name => body,
-            :references => references
-          }
-        end
-
-      end
-
-    end
   end
 
-  def self.watch(path, position=:last, &block)
+  def self.watch(path, position=:first, &block)
 
     unless File.exists?(path)
       raise FileNotFound, "Error - #{path} not found."
@@ -124,9 +75,9 @@ module Unified2
             event = Unified2::Construct.read(io)
             event_id = event.data.event_id if event
           end
-          
+
           @event = Event.new(event_id + 1)
-          
+
           # set event_id to false to catch
           # beginning loop and process
           event_id = false

metadata

@@ -1,12 +1,8 @@
 --- !ruby/object:Gem::Specification 
 name: unified2
 version: !ruby/object:Gem::Version 
-  prerelease: false
-  segments: 
-  - 0
-  - 1
-  - 2
-  version: 0.1.2
+  prerelease: 
+  version: 0.2.0
 platform: ruby
 authors: 
 - Dustin Willis Webber
@@ -14,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-09 00:00:00 -05:00
+date: 2011-03-12 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -25,10 +21,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        segments: 
-        - 1
-        - 3
-        - 1
         version: 1.3.1
   type: :runtime
   version_requirements: *id001
@@ -40,10 +32,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        - 1
-        - 0
         version: 0.1.0
   type: :runtime
   version_requirements: *id002
@@ -55,9 +43,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        - 4
         version: "0.4"
   type: :development
   version_requirements: *id003
@@ -69,9 +54,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        segments: 
-        - 2
-        - 4
         version: "2.4"
   type: :development
   version_requirements: *id004
@@ -83,10 +65,6 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        segments: 
-        - 0
-        - 6
-        - 0
         version: 0.6.0
   type: :development
   version_requirements: *id005
@@ -109,14 +87,18 @@ files:
 - LICENSE.txt
 - README.rdoc
 - Rakefile
-- example/classification.config
+- example/connect.rb
 - example/example.rb
-- example/gen-msg.map
-- example/sid-msg.map
-- example/unified2
+- example/models.rb
+- example/search.rb
+- example/seeds/classification.config
+- example/seeds/gen-msg.map
+- example/seeds/sid-msg.map
+- example/seeds/unified2
 - gemspec.yml
 - lib/unified2.rb
 - lib/unified2/classification.rb
+- lib/unified2/config_file.rb
 - lib/unified2/construct.rb
 - lib/unified2/core_ext.rb
 - lib/unified2/core_ext/string.rb
@@ -152,21 +134,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      segments: 
-      - 0
       version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement 
   none: false
   requirements: 
   - - ">="
     - !ruby/object:Gem::Version 
-      segments: 
-      - 0
       version: "0"
 requirements: []
 
 rubyforge_project: unified2
-rubygems_version: 1.3.7
+rubygems_version: 1.6.1
 signing_key: 
 specification_version: 3
 summary: A ruby interface for unified2 output.