unified2 0.4.0 → 0.5.0

data/lib/unified2/protocol.rb

@@ -0,0 +1,141 @@
+module Unified2
+  #
+  # Protocol
+  #
+  class Protocol
+    
+    #
+    # Initialize protocol object
+    # 
+    # @param [String] protocol Event protocol
+    # 
+    # @param [Event#packet] packet PacketFu object
+    # 
+    def initialize(protocol, packet=nil)
+      @protocol = protocol
+      @packet = packet
+    end
+
+    #
+    # Protocol Header
+    # 
+    # @return [Object, nil] Protocol header object
+    # 
+    def header
+      if @packet.has_data?
+        if @packet.send(:"is_#{@protocol.downcase}?")
+          @packet.send(:"#{@protocol.downcase}_header")
+        end
+      else
+        nil
+      end
+    end
+
+    #
+    # ICMP?
+    # 
+    # @return [true, false] Check is protocol is icmp
+    # 
+    def icmp?
+      return true if @protocol == :ICMP
+      false
+    end
+
+    #
+    # TCP?
+    # 
+    # @return [true, false] Check is protocol is tcp
+    #
+    def tcp?
+      return true if @protocol == :TCP
+      false
+    end
+
+    #
+    # UDP?
+    # 
+    # @return [true, false] Check is protocol is udp
+    #
+    def udp?
+      return true if @protocol == :UDP
+      false
+    end
+
+    #
+    # Convert To String
+    # 
+    # @return [String] Protocol
+    # 
+    # @example 
+    #   event.protocol #=> 'TCP'
+    # 
+    def to_s
+      @protocol.to_s
+    end
+
+    #
+    # Convert To Hash
+    # 
+    # @return [Hash] Protocol header hash object
+    # 
+    # @example
+    #   event.protocol.to_h #=> {:length=>379, :seq=>3934511163, :ack=>1584708129 ... }
+    # 
+    def to_h
+      if send(:"#{@protocol.downcase}?")
+        self.send(:"#{@protocol.downcase}")
+      else
+        {}
+      end
+    end
+
+    private
+      
+      def icmp(include_body=false)
+        @icmp = {
+          :length => header.len,
+          :type => header.icmp_type,
+          :csum => header.icmp_sum,
+          :code => header.icmp_code
+        }
+        
+        @icmp[:body] = header.body if include_body
+        
+        @icmp
+      end
+
+      def udp(include_body=false)
+        @udp = {
+          :length => header.len,
+          :sum => header.udp_sum,
+        }
+        
+        @udp[:body] = header.body if include_body
+        
+        @udp
+      end
+
+      def tcp(include_body=false)
+        @tcp = {
+          :length => header.len,
+          :seq => header.tcp_seq,
+          :ack => header.tcp_ack,
+          :win => header.tcp_win,
+          :sum => header.tcp_sum,
+          :urg => header.tcp_urg,
+          :hlen => header.tcp_hlen,
+          :reserved => header.tcp_reserved,
+          :ecn => header.tcp_ecn,
+          :opts => header.tcp_opts,
+          :opts_len => header.tcp_opts_len,
+          :rand_port => header.rand_port,
+          :options => header.tcp_options
+        }
+        
+        @tcp[:body] = header.body if include_body
+        
+        @tcp
+      end
+
+  end
+end

data/lib/unified2/sensor.rb

@@ -1,8 +1,20 @@
 module Unified2
+  #
+  # Sensor
+  #
   class Sensor
     
     attr_accessor :id, :hostname, :interface, :name, :checksum
     
+    #
+    # Initialize sensor object
+    # 
+    # @param [Hash] options Sensor hash attributes
+    # 
+    # @option options [Integer] :id Sensor id
+    # @option options [String] :name Sensor name
+    # @option options [String] :interface Sensor interface
+    # 
     def initialize(options={})
       @id = options[:id] || 0
       @name = options[:name] || ""
@@ -11,6 +23,16 @@ module Unified2
       @checksum = nil
     end
     
+    #
+    # Update
+    # 
+    # @param [Hash] attributes Sensor attributes
+    # 
+    # @option attributes [Integer] :id Sensor id
+    # @option attributes [String] :hostname Sensor hostname
+    # @option attributes [String] :name Sensor name
+    # @option attributes [String] :interface Sensor interface
+    # 
     def update(attributes={})
       return self if attributes.empty?
       

data/lib/unified2/signature.rb

@@ -1,21 +1,45 @@
 module Unified2
-
+  #
+  # Signature
+  #
   class Signature
+    
+    attr_accessor :id, :generator, :revision, :name, :blank
 
-    attr_accessor :id, :generator, :revision, :name
-
+    #
+    # Initialize signature object
+    # 
+    # @param [Hash] signature Signature hash attributes
+    # 
+    # @option signature [Integer] :signature_id Signature id
+    # @option signature [Integer] :generator_id Generator id
+    # @option signature [Integer] :revision Signature revision
+    # @option signature [Integer] :name Signature name
+    # @option signature [true, false] :blank Signature exists
+    # 
     def initialize(signature={})
       @id = signature[:signature_id] || 0
       @generator = signature[:generator_id]
       @revision = signature[:revision]
       @name = signature[:name].strip
-      @blank = signature[:blank]
+      @blank = signature[:blank] || false
     end
 
+    #
+    # Blank?
+    # 
+    # @return [true, false] 
+    #   Return true if signature exists
+    # 
     def blank?
       @blank
     end
 
+    #
+    # References
+    # 
+    # @return [Array<String,String>] Signature references
+    # 
     def references
       @references
     end

data/lib/unified2/version.rb

@@ -1,4 +1,4 @@
 module Unified2
-  # unified2 version
-  VERSION = "0.4.0"
+  # Unified2 version
+  VERSION = "0.5.0"
 end

data/lib/unified2.rb

@@ -1,34 +1,67 @@
 require 'bindata'
 require 'digest'
 require 'socket'
-# http://cvs.snort.org/viewcvs.cgi/snort/src/output-plugins/spo_unified2.c?rev=1.3&content-type=text/vnd.viewcvs-markup
 
-require 'unified2/construct'
+require 'unified2/constructor'
 require 'unified2/config_file'
 require 'unified2/core_ext'
 require 'unified2/event'
 require 'unified2/exceptions'
 require 'unified2/version'
 
+#
+# Unified2 Namespace
+# 
 module Unified2
-
+  
+  #
+  # Configuration File Types
+  # 
+  # Holds the available configuration
+  # file types current supported.
+  # 
   TYPES = [
     :signatures,
     :generators,
     :classifications
   ]
-
+  
   class << self
     attr_accessor :signatures, :generators,
       :sensor, :hostname, :interface,
       :classifications
   end
 
+  #
+  # Configuration
+  # 
+  # @param [Hash] options Sensor Configuration
+  # @yield [ConfigFile] block Configurations
+  # 
+  # @option options [Integer] :id Sensor id
+  # @option options [String] :name Sensor name
+  # @option options [String] :interface Sensor interface
+  # 
+  # @return [nil]
+  # 
   def self.configuration(options={}, &block)
-    @sensor ||= Sensor.new
+    @sensor ||= Sensor.new(options)
     self.instance_eval(&block)
   end
-
+  
+  #
+  # Sensor
+  # 
+  # @param [Hash] options Sensor Configuration
+  # @yield [Sensor] block Sensor attributes
+  # 
+  # @option options [Integer] :id Sensor id
+  # @option options [String] :hostname Sensor hostname
+  # @option options [String] :name Sensor name
+  # @option options [String] :interface Sensor interface
+  #
+  # @return [nil]
+  # 
   def self.sensor(options={}, &block)
     if block
       @sensor.instance_eval(&block)
@@ -36,6 +69,17 @@ module Unified2
     @sensor.update(options)
   end
 
+  #
+  # Load
+  # 
+  # @param [String] type Configuration type
+  # @param [String] path Configuration path
+  # 
+  # @return [nil]
+  # 
+  # @raise [FileNotReadable] Path not readable
+  # @raise [FileNotFound] File not found
+  # 
   def self.load(type, path)
     unless TYPES.include?(type.to_sym)
       raise UnknownLoadType, "Error - #{@type} is unknown."
@@ -52,6 +96,20 @@ module Unified2
     end
   end
 
+  #
+  # Watch
+  # 
+  # Monitor the unified2 file for events and process.
+  # 
+  # @param [String] path Unified2 file path
+  # @param [String,Symbol,Integer] position IO position
+  # @yield [Event] block Event object
+  # 
+  # @raise [FileNotReadable] Path not readable
+  # @raise [FileNotFound] File not found
+  # 
+  # @return [nil]
+  # 
   def self.watch(path, position=:first, &block)
 
     unless File.exists?(path)
@@ -73,7 +131,7 @@ module Unified2
         when :last
 
           until io.eof?
-            event = Unified2::Construct.read(io)
+            event = Unified2::Constructor::Construct.read(io)
             event_id = event.data.event_id if event
           end
 
@@ -86,7 +144,7 @@ module Unified2
         when :first
 
           first_open = File.open(path)
-          first_event = Unified2::Construct.read(first_open)
+          first_event = Unified2::Constructor::Construct.read(first_open)
           first_open.close
           event_id = first_event.data.event_id
           @event = Event.new(event_id)
@@ -96,7 +154,7 @@ module Unified2
 
       loop do
         begin
-          event = Unified2::Construct.read(io)
+          event = Unified2::Constructor::Construct.read(io)
 
           if event_id
             if event.data.event_id.to_i > (event_id - 1)
@@ -116,7 +174,21 @@ module Unified2
       raise FileNotReadable, "Error - #{path} not readable."
     end
   end
-
+  
+  #
+  # Read
+  # 
+  # Read the unified2 log until EOF and process
+  # events.
+  # 
+  # @param [String] path Unified2 file path
+  # @yield [Event] block Event object
+  # 
+  # @raise [FileNotReadable] Path not readable
+  # @raise [FileNotFound] File not found
+  # 
+  # @return [nil]
+  #
   def self.read(path, &block)
 
     unless File.exists?(path)
@@ -127,13 +199,13 @@ module Unified2
       io = File.open(path)
 
       first_open = File.open(path)
-      first_event = Unified2::Construct.read(first_open)
+      first_event = Unified2::Constructor::Construct.read(first_open)
       first_open.close
 
       @event = Event.new(first_event.data.event_id)
 
       until io.eof?
-        event = Unified2::Construct.read(io)
+        event = Unified2::Constructor::Construct.read(io)
         check_event(event, block)
       end
 
@@ -142,7 +214,6 @@ module Unified2
     end
   end
 
-
   private
 
     def self.check_event(event, block)

data/spec/event_spec.rb

@@ -0,0 +1,112 @@
+require 'spec_helper'
+require 'unified2'
+
+describe Event do
+
+  before(:all) do
+    @event = Unified2.first('example/seeds/unified2.log')
+  end
+
+  it "should have an event_id" do
+    @event.to_i.should == 1
+  end
+
+  it "should have an event time" do
+    @event.timestamp.to_s.should == '2010-10-05 22:50:18 -0400'
+  end
+
+  it "should have a sensor id" do
+    @event.sensor.id.should == 50000000000
+  end
+  
+  it "should have a sensor name" do
+    @event.sensor.name.should == "Example Sensor"
+  end
+  
+  it "should have a sensor interface" do
+    @event.sensor.interface.should == "en1"
+  end
+  
+  it "should have a sensor hostname" do
+    @event.sensor.hostname.should == "W0ots.local"
+  end
+
+  it "should have a source address" do
+    @event.source_ip.should == "24.19.7.110"
+  end
+
+  it "should have a source port" do
+    @event.source_port.should == 0
+  end
+
+  it "should have a destination address" do
+    @event.destination_ip.should == "10.0.1.6"
+  end
+
+  it "should have a destination port" do
+    @event.destination_port.should == 0
+  end
+  
+  it "should have a protocol" do
+    @event.protocol.to_s.should == 'ICMP'
+  end
+  
+  it "should have a severity" do
+    @event.severity.should == 3
+  end
+
+  it "should have an event checksum" do
+    @event.checksum.should == "6e96db6e8fe649c939711400ea4625eb"
+  end
+
+  it "should have a signature id" do
+    @event.signature.id.should == 485
+  end
+
+  it "should have a signature generator id" do
+    @event.signature.generator.should == 1
+  end
+
+  it "should have a signature revision" do
+    @event.signature.revision.should == 5
+  end
+
+  it "should have a signature thats not blank" do
+    @event.signature.blank.should == false
+  end
+
+  it "should have a signature name" do
+    @event.signature.name.should == "DELETED ICMP Destination Unreachable" \
+      " Communication Administratively Prohibited"
+  end
+
+  it "should have a classification id" do
+    @event.classification.id.should == 29
+  end
+
+  it "should have a classification short name" do
+    @event.classification.short.should == "misc-activity"
+  end
+
+  it "should have a classification severity" do
+    @event.classification.severity.should == 3
+  end
+
+  it "should have a classification name" do
+    @event.classification.name.should == "Misc activity"
+  end
+  
+  it "should have a payload thats not blank" do
+    @event.payload.blank?.should == false
+  end
+  
+  it "should have a hex payload" do
+    p = "000000004520008323bc000032113a080a0001061813076e90c84fac006fe498"
+    @event.payload.hex.should == p
+  end
+  
+  it "should have a payload length" do
+    @event.payload.length.should == 70
+  end
+
+end

data/spec/spec_helper.rb

@@ -1,5 +1,49 @@
 gem 'rspec', '~> 2.4'
 require 'rspec'
-require 'unified2/version'
 
+require 'unified2'
 include Unified2
+
+module Unified2
+  
+  def self.first(path)
+    unless File.exists?(path)
+      raise FileNotFound, "Error - #{path} not found."
+    end
+
+    if File.readable?(path)
+      io = File.open(path)
+
+      first_open = File.open(path)
+      first_event = Unified2::Constructor::Construct.read(first_open)
+      first_open.close
+
+      @event = Event.new(first_event.data.event_id)
+
+      loop do
+        event = Unified2::Constructor::Construct.read(io)
+
+        if event.data.event_id.to_i == @event.id.to_i
+          @event.load(event)
+        else
+          return @event
+        end
+      end
+
+    else
+      raise FileNotReadable, "Error - #{path} not readable."
+    end
+  end
+  
+end
+
+Unified2.configuration do
+  sensor :interface => 'en1',
+    :name => 'Example Sensor',
+    :hostname => 'W0ots.local',
+    :id => 50000000000
+
+  load :signatures, 'example/seeds/sid-msg.map'
+  load :generators, 'example/seeds/gen-msg.map'
+  load :classifications, 'example/seeds/classification.config'
+end

data/spec/unified2_spec.rb

@@ -2,7 +2,93 @@ require 'spec_helper'
 require 'unified2'
 
 describe Unified2 do
+
   it "should have a VERSION constant" do
     subject.const_get('VERSION').should_not be_empty
   end
-end
+  
+  it "should have a TYPES constant" do
+    subject.const_get('TYPES').should_not be_empty
+  end
+  
+  it "should have the correct signature size" do
+    Unified2.signatures.size.should == 16710
+  end
+  
+  it "should have the correct signature name" do
+    signature_name = "EXPLOIT Oracle BEA Weblogic server " \
+    "console-help.portal cross-site scripting attempt"
+    
+    Unified2.signatures.data['16710'][:name].should == signature_name
+  end
+  
+  it "should have the correct signature id" do
+    Unified2.signatures.data['16710'][:signature_id].should == 16710
+  end
+  
+  it "should have the correct signature generator id" do
+    Unified2.signatures.data['16710'][:generator_id].should == 1
+  end
+  
+  it "should have the correct classification size" do
+    Unified2.classifications.size.should == 35
+  end
+  
+  it "should have the correct classification id" do
+    Unified2.classifications.data['35'][:severity_id].should == 2
+  end
+  
+  it "should have the correct classification name" do
+    classification_name = "Sensitive Data was Transmitted Across the Network"
+    Unified2.classifications.data['35'][:name].should == classification_name
+  end
+  
+  it "should have the correct classification short name" do
+    Unified2.classifications.data['35'][:short].should == "sdf"
+  end
+  
+  it "should have the correct generator size" do
+    Unified2.generators.size.should == 388
+  end
+  
+  it "should have the correct generator id" do
+    Unified2.generators.data["138.6"][:generator_id].should == 138
+  end
+  
+  it "should have the correct generator name" do
+    generator_name = "sensitive_data: sensitive data - U.S. phone numbers"
+    Unified2.generators.data["138.6"][:name].should == generator_name
+  end
+  
+  it "should have the correct generator signature id" do
+    Unified2.generators.data["138.6"][:signature_id].should == 6
+  end
+  
+  it "should have a sensor name" do
+    Unified2.sensor.name.should == "Example Sensor"
+  end
+  
+  it "should have a sensor interface" do
+    Unified2.sensor.interface.should == 'en1'
+  end
+  
+  it "should have a sensor hostname" do
+    Unified2.sensor.hostname.should == 'W0ots.local'
+  end
+  
+  it "should have a new sensor hostname if set" do
+    Unified2.sensor.hostname = 'OMG.stuff.local'
+    Unified2.sensor.hostname.should == 'OMG.stuff.local'
+  end
+  
+  it "should have a new sensor interface if set" do
+    Unified2.sensor.interface = 'eth1'
+    Unified2.sensor.interface.should == 'eth1'
+  end
+  
+  it "should have a new sensor name if set" do
+    Unified2.sensor.name = 'Mephux FTW!'
+    Unified2.sensor.name.should == "Mephux FTW!"
+  end
+  
+end