unified2 0.1.2 → 0.2.0
- data/README.rdoc +5 -7
- data/example/connect.rb +20 -0
- data/example/example.rb +59 -28
- data/example/models.rb +196 -0
- data/example/search.rb +14 -0
- data/example/{classification.config → seeds/classification.config} +0 -0
- data/example/{gen-msg.map → seeds/gen-msg.map} +0 -0
- data/example/{sid-msg.map → seeds/sid-msg.map} +1086 -182
- data/example/{unified2 → seeds/unified2} +0 -0
- data/lib/unified2/classification.rb +2 -2
- data/lib/unified2/config_file.rb +80 -0
- data/lib/unified2/event.rb +30 -22
- data/lib/unified2/payload.rb +3 -1
- data/lib/unified2/signature.rb +2 -2
- data/lib/unified2/version.rb +1 -1
- data/lib/unified2.rb +10 -59
- metadata +12 -34
File without changes
|
@@ -1,13 +1,13 @@
|
|
1
1
|
module Unified2
|
2
2
|
class Classification
|
3
3
|
|
4
|
-
attr_accessor :id, :name, :short, :
|
4
|
+
attr_accessor :id, :name, :short, :severity
|
5
5
|
|
6
6
|
def initialize(classification={})
|
7
7
|
@id = classification[:classification_id]
|
8
8
|
@name = classification[:name]
|
9
9
|
@short = classification[:short]
|
10
|
-
@
|
10
|
+
@severity = classification[:severity]
|
11
11
|
end
|
12
12
|
|
13
13
|
end
|
@@ -0,0 +1,80 @@
|
|
1
|
+
module Unified2
|
2
|
+
class ConfigFile
|
3
|
+
|
4
|
+
attr_accessor :type, :path, :md5, :data
|
5
|
+
|
6
|
+
def initialize(type, path)
|
7
|
+
@type = type
|
8
|
+
@path = path
|
9
|
+
@data = {}
|
10
|
+
@md5 = Digest::MD5.hexdigest(@path)
|
11
|
+
import
|
12
|
+
end
|
13
|
+
|
14
|
+
private
|
15
|
+
|
16
|
+
def import
|
17
|
+
file = File.open(@path)
|
18
|
+
|
19
|
+
case @type.to_sym
|
20
|
+
when :classifications
|
21
|
+
|
22
|
+
count = 0
|
23
|
+
file.each_line do |line|
|
24
|
+
next if line[/^\#/]
|
25
|
+
next unless line[/^config\s/]
|
26
|
+
count += 1
|
27
|
+
|
28
|
+
# attempted-dos,Attempted Denial of Service,2
|
29
|
+
data = line.gsub!(/config classification: /, '')
|
30
|
+
short, name, severity = data.to_s.split(',')
|
31
|
+
|
32
|
+
@data[count.to_s] = {
|
33
|
+
:short => short,
|
34
|
+
:name => name,
|
35
|
+
:severity_id => severity.to_i
|
36
|
+
}
|
37
|
+
end
|
38
|
+
|
39
|
+
when :generators
|
40
|
+
|
41
|
+
file.each_line do |line|
|
42
|
+
next if line[/^\#/]
|
43
|
+
generator_id, alert_id, name = line.split(' || ')
|
44
|
+
id = "#{generator_id}.#{alert_id}"
|
45
|
+
|
46
|
+
@data[id] = {
|
47
|
+
:generator_id => generator_id,
|
48
|
+
:name => name,
|
49
|
+
:signature_id => alert_id
|
50
|
+
}
|
51
|
+
end
|
52
|
+
|
53
|
+
when :signatures
|
54
|
+
|
55
|
+
file.each_line do |line|
|
56
|
+
next if line[/^\#/]
|
57
|
+
id, body, *reference_data = line.split(' || ')
|
58
|
+
|
59
|
+
references = {}
|
60
|
+
reference_data.each do |line|
|
61
|
+
key, value = line.split(',')
|
62
|
+
if references.has_key?(key.downcase.to_sym)
|
63
|
+
references[key.downcase.to_sym] << value
|
64
|
+
else
|
65
|
+
references[key.downcase.to_sym] = [value]
|
66
|
+
end
|
67
|
+
end
|
68
|
+
|
69
|
+
@data[id] = {
|
70
|
+
:signature_id => id,
|
71
|
+
:name => body,
|
72
|
+
:generator_id => 1
|
73
|
+
}
|
74
|
+
end
|
75
|
+
|
76
|
+
end
|
77
|
+
end
|
78
|
+
|
79
|
+
end
|
80
|
+
end
|
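Review bot: `import` opens `@path` with `file = File.open(@path)` and never closes the handle, so each `Unified2.load` leaks a descriptor until the object is finalized; iterate with `File.foreach(@path) do |line|` in each `when` branch and drop the `File.open` line, or wrap the whole `case` in `File.open(@path) do |file| … end`. `@md5 = Digest::MD5.hexdigest(@path)` digests the path string rather than the file's bytes, so it cannot tell a changed map file from an unchanged one — `Digest::MD5.file(@path).hexdigest` if a content fingerprint is the intent — and no `require 'digest/md5'` is visible in this file. In the `:signatures` branch the `references` hash is built per line but never written into `@data`, so the `reference_data.each` loop is dead work (and its `|line|` block parameter shadows the outer `line`); either add `:references => references` to the entry or remove the loop.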
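--- a/data/lib/unified2/event.rb
+++ b/data/lib/unified2/event.rb
@@ -22,6 +22,10 @@ module Unified2
 end
 end
 
+def uid
+"#{sensor.id}.#{@id}"
+end
+
 def event_time
 if @packet.has_key?(:event_second)
 @timestamp = Time.at(@packet[:event_second].to_i)
@@ -158,14 +162,16 @@ module Unified2
 def to_s
 data = %{
 #############################################################################
-
-
-
-
-
-
-
-
+# Sensor: #{sensor.id}
+# Event ID: #{id}
+# Timestamp: #{timestamp}
+# Severity: #{severity}
+# Protocol: #{protocol}
+# Source IP: #{source_ip}:#{source_port}
+# Destination IP: #{destination_ip}:#{destination_port}
+# Signature: #{signature.name}
+# Classification: #{classification.name}
+# Payload:
 
 }
 if payload.blank?
@@ -223,15 +229,15 @@ Payload:
 end
 
 def build_generator(event)
-if Unified2.generators
-if Unified2.generators.has_key?("#{event.data.generator_id}.#{event.data.signature_id}")
+if Unified2.generators.data
+if Unified2.generators.data.has_key?("#{event.data.generator_id}.#{event.data.signature_id}")
 sig = Unified2.generators["#{event.data.generator_id}.#{event.data.signature_id}"]
 
 @event_hash[:signature] = {
 :signature_id => event.data.signature_id,
+:generator_id => event.data.generator_id,
 :revision => event.data.signature_revision,
 :name => sig[:name],
-:references => sig[:references],
 :blank => false
 }
 end
@@ -240,24 +246,25 @@ Payload:
 unless @event_hash.has_key?(:signature)
 @event_hash[:signature] = {
 :signature_id => event.data.signature_id,
+:generator_id => event.data.generator_id,
 :revision => 0,
 :name => "Unknown Signature #{event.data.signature_id}",
-:references => [],
 :blank => true
 }
 end
 end
 
 def build_signature(event)
-if Unified2.signatures
-if Unified2.signatures.has_key?(event.data.signature_id.to_s)
-sig = Unified2.signatures[event.data.signature_id.to_s]
+if Unified2.signatures.data
+if Unified2.signatures.data.has_key?(event.data.signature_id.to_s)
+sig = Unified2.signatures.data[event.data.signature_id.to_s]
 
 @event_hash[:signature] = {
 :signature_id => event.data.signature_id,
+:generator_id => event.data.generator_id,
 :revision => event.data.signature_revision,
 :name => sig[:name],
-:
+:blank => false
 }
 end
 end
@@ -265,23 +272,24 @@ Payload:
 unless @event_hash.has_key?(:signature)
 @event_hash[:signature] = {
 :signature_id => event.data.signature_id,
+:generator_id => event.data.generator_id,
 :revision => 0,
 :name => "Unknown Signature #{event.data.signature_id}",
-:
+:blank => true
 }
 end
 end
 
 def build_classifications(event)
-if Unified2.classifications
-if Unified2.classifications.has_key?("#{event.data.classification_id}")
-classification = Unified2.classifications["#{event.data.classification_id}"]
+if Unified2.classifications.data
+if Unified2.classifications.data.has_key?("#{event.data.classification_id}")
+classification = Unified2.classifications.data["#{event.data.classification_id}"]
 
 @event_hash[:classification] = {
 :classification_id => event.data.classification_id,
 :name => classification[:name],
 :short => classification[:short],
-:
+:severity => classification[:severity_id]
 }
 end
 end
@@ -291,7 +299,7 @@ Payload:
 :classification_id => event.data.classification_id,
 :name => 'Unknown',
 :short => 'n/a',
-:
+:severity => 0
 }
 end
 end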
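Review bot: In `build_generator` the guard was changed to `Unified2.generators.data.has_key?(...)` but the unchanged context line right after it still reads `sig = Unified2.generators["#{event.data.generator_id}.#{event.data.signature_id}"]`; the `ConfigFile` added in this release exposes only `attr_accessor :type, :path, :md5, :data` and no `[]`, so every generator match would raise `NoMethodError`, whereas `build_signature` was correctly moved to `Unified2.signatures.data[...]`. Change it to `sig = Unified2.generators.data["#{event.data.generator_id}.#{event.data.signature_id}"]`. The three builders also replaced `if Unified2.generators` (and `signatures`, `classifications`) with `if Unified2.generators.data`, so when the corresponding map has not been loaded the accessor presumably returns nil and `.data` raises instead of falling through to the "Unknown" default entry — `if Unified2.generators && Unified2.generators.data` keeps the old tolerance. `build_generator`, `build_signature` and `build_classifications` each start or end outside the hunk that changes them.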
data/lib/unified2/payload.rb
CHANGED
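--- a/data/lib/unified2/signature.rb
+++ b/data/lib/unified2/signature.rb
@@ -2,13 +2,13 @@ module Unified2
 
 class Signature
 
-attr_accessor :id, :
+attr_accessor :id, :generator, :revision, :name
 
 def initialize(signature={})
 @id = signature[:signature_id] || 0
+@generator = signature[:generator_id]
 @revision = signature[:revision]
 @name = signature[:name].strip
-@references = signature[:references]
 @blank = signature[:blank]
 end
 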
data/lib/unified2/version.rb
CHANGED
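--- a/data/lib/unified2.rb
+++ b/data/lib/unified2.rb
@@ -3,6 +3,7 @@ require 'socket'
 # http://cvs.snort.org/viewcvs.cgi/snort/src/output-plugins/spo_unified2.c?rev=1.3&content-type=text/vnd.viewcvs-markup
 
 require 'unified2/construct'
+require 'unified2/config_file'
 require 'unified2/core_ext'
 require 'unified2/event'
 require 'unified2/exceptions'
@@ -35,72 +36,22 @@ module Unified2
 end
 
 def self.load(type, path)
-
 unless TYPES.include?(type.to_sym)
-raise UnknownLoadType, "Error - #{type} is unknown."
+raise UnknownLoadType, "Error - #{@type} is unknown."
 end
 
 if File.exists?(path)
-
+if File.readable?(path)
+instance_variable_set("@#{type}", ConfigFile.new(type, path))
+else
+raise FileNotReadable, "Error - #{path} not readable."
+end
 else
 raise FileNotFound, "Error - #{path} not found."
 end
-
-if File.readable?(path)
-file = File.open(path)
-
-case type.to_sym
-when :classifications
-
-count = 0
-file.each_line do |line|
-next if line[/^\#/]
-next unless line[/^config\s/]
-count += 1
-
-# attempted-dos,Attempted Denial of Service,2
-data = line.gsub!(/config classification: /, '')
-short, name, priority = data.to_s.split(',')
-
-@classifications[count.to_s] = {
-:short => short,
-:name => name,
-:priority => priority.to_i
-}
-end
-
-when :generators
-
-file.each_line do |line|
-next if line[/^\#/]
-generator_id, alert_id, name = line.split(' || ')
-id = "#{generator_id}.#{alert_id}"
-
-@generators[id] = {
-:generator_id => generator_id,
-:name => name,
-:alert_id => alert_id
-}
-end
-
-when :signatures
-
-file.each_line do |line|
-next if line[/^\#/]
-id, body, *references = line.split(' || ')
-@signatures[id] = {
-:id => id,
-:name => body,
-:references => references
-}
-end
-
-end
-
-end
 end
 
-def self.watch(path, position=:
+def self.watch(path, position=:first, &block)
 
 unless File.exists?(path)
 raise FileNotFound, "Error - #{path} not found."
@@ -124,9 +75,9 @@ module Unified2
 event = Unified2::Construct.read(io)
 event_id = event.data.event_id if event
 end
-
+
 @event = Event.new(event_id + 1)
-
+
 # set event_id to false to catch
 # beginning loop and process
 event_id = false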
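Review bot: `self.load` now raises `UnknownLoadType, "Error - #{@type} is unknown."`, but inside a `def self.` method `@type` is an instance variable of the `Unified2` module rather than the `type` parameter, so unless something not visible here sets it the message reads "Error -  is unknown." and the caller loses the one value that would explain the failure; the previous `#{type}` was correct: `raise UnknownLoadType, "Error - #{type} is unknown."`. The new `instance_variable_set("@#{type}", ConfigFile.new(type, path))` is only reached after the `TYPES.include?` check, which keeps the attribute name under the module's control rather than the caller's, so that part is fine. The rest of `self.load`'s module continues outside the hunk.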
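--- a/metadata
+++ b/metadata
@@ -1,12 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: unified2
 version: !ruby/object:Gem::Version
-prerelease:
-
-- 0
-- 1
-- 2
-version: 0.1.2
+prerelease:
+version: 0.2.0
 platform: ruby
 authors:
 - Dustin Willis Webber
@@ -14,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-
+date: 2011-03-12 00:00:00 -05:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -25,10 +21,6 @@ dependencies:
 requirements:
 - - ~>
 - !ruby/object:Gem::Version
-segments:
-- 1
-- 3
-- 1
 version: 1.3.1
 type: :runtime
 version_requirements: *id001
@@ -40,10 +32,6 @@ dependencies:
 requirements:
 - - ~>
 - !ruby/object:Gem::Version
-segments:
-- 0
-- 1
-- 0
 version: 0.1.0
 type: :runtime
 version_requirements: *id002
@@ -55,9 +43,6 @@ dependencies:
 requirements:
 - - ~>
 - !ruby/object:Gem::Version
-segments:
-- 0
-- 4
 version: "0.4"
 type: :development
 version_requirements: *id003
@@ -69,9 +54,6 @@ dependencies:
 requirements:
 - - ~>
 - !ruby/object:Gem::Version
-segments:
-- 2
-- 4
 version: "2.4"
 type: :development
 version_requirements: *id004
@@ -83,10 +65,6 @@ dependencies:
 requirements:
 - - ~>
 - !ruby/object:Gem::Version
-segments:
-- 0
-- 6
-- 0
 version: 0.6.0
 type: :development
 version_requirements: *id005
@@ -109,14 +87,18 @@ files:
 - LICENSE.txt
 - README.rdoc
 - Rakefile
-- example/
+- example/connect.rb
 - example/example.rb
-- example/
-- example/
-- example/
+- example/models.rb
+- example/search.rb
+- example/seeds/classification.config
+- example/seeds/gen-msg.map
+- example/seeds/sid-msg.map
+- example/seeds/unified2
 - gemspec.yml
 - lib/unified2.rb
 - lib/unified2/classification.rb
+- lib/unified2/config_file.rb
 - lib/unified2/construct.rb
 - lib/unified2/core_ext.rb
 - lib/unified2/core_ext/string.rb
@@ -152,21 +134,17 @@ required_ruby_version: !ruby/object:Gem::Requirement
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-segments:
-- 0
 version: "0"
 required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
 requirements:
 - - ">="
 - !ruby/object:Gem::Version
-segments:
-- 0
 version: "0"
 requirements: []
 
 rubyforge_project: unified2
-rubygems_version: 1.
+rubygems_version: 1.6.1
 signing_key:
 specification_version: 3
 summary: A ruby interface for unified2 output.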