unified2 0.4.0 → 0.5.0

data/example/connect.rb

@@ -1,20 +0,0 @@
-require 'rubygems'
-require 'datamapper'
-require 'dm-mysql-adapter'
-require 'models'
-
-class Connect
-  
-  def self.setup
-    @connection = DataMapper.setup(:default, { 
-      :adapter => "mysql",
-      :host => "localhost",
-      :database => "rUnified2",
-      :username => "rUnified2",
-      :password => "password"
-    })
-    DataMapper.finalize
-    DataMapper.auto_upgrade!
-  end
-  
-end

data/example/models.rb

@@ -1,194 +0,0 @@
-class Event
-  include DataMapper::Resource
-  storage_names[:default] = "events"
-  
-  timestamps :created_at, :updated_at
-
-  property :id, Serial, :index => true
-  
-  property :event_id, Integer, :index => true
-  
-  property :sensor_id, Integer, :index => true
-  
-  property :source_ip, String, :index => true
-  
-  property :source_port, Integer
-  
-  property :destination_ip, String, :index => true
-  
-  property :destination_port, Integer
-  
-  property :severity_id, Integer, :index => true
-  
-  property :classification_id, Integer, :index => true
-  
-  property :category_id, Integer, :index => true
-  
-  property :user_id, Integer, :index => true
-  
-  property :protocol, String, :index => true
-
-  property :link_type, Integer
-  
-  property :packet_length, Integer
-  
-  property :packet, Text
-  
-  belongs_to :sensor
-  
-  belongs_to :classification
-  
-  belongs_to :signature
-  
-  validates_uniqueness_of :uid
-  
-  def update_sensor
-    sensor.update(:last_event_id => self.event_id)
-    sensor.save
-  end
-  
-end
-
-class Sensor
-  include DataMapper::Resource
-  timestamps :created_at, :updated_at
-  
-  property :id, Serial, :index => true
-  
-  property :hostname, Text, :index => true
-  
-  property :interface, String
-  
-  property :name, String, :index => true
-  
-  property :last_event_id, Integer, :index => true
-  
-  property :signatures_md5, String, :length => 32, :index => true
-  
-  property :generators_md5, String, :length => 32, :index => true
-  
-  property :classifications_md5, String, :length => 32, :index => true
-  
-  has n, :events
-  
-  validates_uniqueness_of :hostname, :name
-  
-  def events_count
-    last_event_id
-  end
-  
-  def self.find(object)
-    name = object.name ? object.name : object.hostname
-    
-    sensor = first_or_create({:hostname => object.hostname, :interface => object.interface}, {
-      :hostname => object.hostname, 
-      :interface => object.interface,
-      :name => name,
-    })    
-    
-    sensor
-  end
-  
-end
-
-class Signature
-  include DataMapper::Resource
-  storage_names[:default] = "signatures"
-  
-  timestamps :created_at, :updated_at
-  
-  property :id, Serial, :index => true
-  
-  property :signature_id, Integer, :index => true
-  
-  property :generator_id, Integer, :index => true
-  
-  property :name, Text
-  
-  has n, :events
-  
-  validates_uniqueness_of :name
-  
-  def self.import(options={})
-    
-    if options.has_key?(:signatures)
-      
-      options[:signatures].each do |key, value|
-        signature = Signature.get(:signature_id => key)
-        next if signature && options[:force]
-        
-        if signature
-          signature.update(value)
-        else
-          value.merge!(:signature_id => key, :generator_id => 1)
-          Signature.create(value)
-        end
-        
-      end
-      
-    end
-    
-    if options.has_key?(:generators)
-      
-      options[:generators].each do |key, value|
-        genid, sid = key.split('.')
-        signature = Signature.get(:signature_id => sid, :generator_id => genid)
-        next if signature && options[:force]
-        
-        if signature
-          signature.update(value)
-        else
-          value.merge!(:signature_id => sid, :generator_id => genid)
-          Signature.create(value)
-        end
-        
-      end
-      
-    end
-    
-  end
-end
-
-class Classification
-  include DataMapper::Resource
-  
-  storage_names[:default] = "classifications"
-  
-  timestamps :created_at, :updated_at
-  
-  property :id, Serial, :index => true
-  
-  property :classification_id, Integer, :index => true
-  
-  property :name, Text
-  
-  property :short, String
-  
-  property :severity_id, Integer, :index => true
-
-  has n, :events
-
-  # belongs_to :severity
-
-  validates_uniqueness_of :name, :classification_id
-
-  def self.import(options={})
-    
-    if options.has_key?(:classifications)
-      
-      options[:classifications].each do |key,value|
-        classification = Classification.get(:classification_id => key)
-        next if classification && options[:force]
-        
-        if classification
-          classification.update(value)
-        else
-          value.merge!(:classification_id => key)
-          Classification.create(value)
-        end
-      end
-      
-    end
-  end
-  
-end

data/example/mysql-example.rb

@@ -1,73 +0,0 @@
-$:.unshift File.join(File.dirname(__FILE__), "..", "lib")
-$:.unshift File.join(File.dirname(__FILE__), "..", "example")
-
-require 'unified2'
-require 'connect'
-require 'pp'
-
-# Initialize Database Connection 
-Connect.setup
-
-# Unified2 Configuration
-Unified2.configuration do
-  
-  # Sensor Configurations
-  sensor :interface => 'en1', :name => 'Example Sensor'
-
-  # Load signatures, generators & classifications into memory
-  load :signatures, 'seeds/sid-msg.map'
-  load :generators, 'seeds/gen-msg.map'
-  load :classifications, 'seeds/classification.config'
-end
-
-# Locate the sensor in the database using
-# the hostname and interface. If this fails
-# rUnified2 will create a new sensor record.
-sensor = Sensor.find(Unified2.sensor)
-Unified2.sensor.id = sensor.id
-
-# Load the classifications, generators &
-# signatures into the database and store the 
-# md5 in the sensor record. This will only
-# update if the md5s DO NOT match.
-[[Classification,:classifications], [Signature, :signatures], [Signature, :generators]].each do |klass, method|
-  unless sensor.send(:"#{method}_md5") == Unified2.send(method).send(:md5)
-    klass.send(:import,  { method => Unified2.send(method).send(:data), :force => true })
-    sensor.update(:"#{method}_md5" => Unified2.send(method).send(:md5))
-  end
-end
-
-# Monitor the unfied2 log and process the data.
-# The second argument is the last event processed by
-# the sensor. If the last_event_id column is blank in the
-# sensor table it will begin at the first available event.
-Unified2.watch('seeds/unified2', sensor ? sensor.last_event_id + 1 : :first) do |event|
-  next if event.signature.blank?
-
-  puts event
-
-  insert_event = Event.new({
-                       :event_id => event.id,
-                       :checksum => event.checksum,
-                       :created_at => event.timestamp,
-                       :sensor_id => event.sensor.id,
-                       :source_ip => event.source_ip,
-                       :source_port => event.source_port,
-                       :destination_ip => event.destination_ip,
-                       :destination_port => event.destination_port,
-                       :severity_id => event.severity,
-                       :protocol => event.protocol,
-                       :link_type => event.payload.linktype,
-                       :packet_length => event.payload.length,
-                       :packet => event.payload.hex,
-                       :classification_id => event.classification.id,
-                       :signature_id => event.signature.id
-  })
-
-  if insert_event.save
-    insert_event.update_sensor
-  else
-    STDERR.puts "VALIDATION ERROR OR RECORD ALREADY EXISTS #{insert_event.errors}"
-  end
-
-end

data/example/search.rb

@@ -1,14 +0,0 @@
-$:.unshift File.join(File.dirname(__FILE__), "..", "lib")
-$:.unshift File.join(File.dirname(__FILE__), "..", "example")
-
-require 'unified2'
-require 'connect'
-require 'pp'
-
-Connect.setup
-
-@sensor = Sensor.first
-
-@sensor.events.each do |event|
-  puts event.signature.name
-end

data/example/untitled.rb

@@ -1,31 +0,0 @@
-#!/usr/bin/env ruby
-#
-# http://192.168.1.254/xslt?PAGE=A06&THISPAGE=&NEXTPAGE=A06
-
-@file = File.open('/Users/mephux/Source/passwords/wpa.txt')
-
-require 'rubygems'
-require 'mechanize'
-
-a = Mechanize.new
-
-a.get('http://192.168.1.254/xslt?PAGE=A06&THISPAGE=&NEXTPAGE=A06') do |page|
-  
-  @file.each_line do |password|
-    next unless password[/^e/]
-
-    puts password
-    login_form = page.form_with(:action => '/xslt', :method => 'POST')
-    login_form['PASSWORD'] = password
-    page = a.submit login_form
-
-    if page.body =~ /The password is incorrect./
-      puts 'FAIL'
-    else
-      puts 'W0ots'
-      puts password
-      exit -1
-    end
-  end
-
-end

data/lib/unified2/construct.rb

@@ -1,54 +0,0 @@
-require 'unified2/event_ip4'
-require 'unified2/event_ip6'
-require 'unified2/record_header'
-require 'unified2/packet'
-
-module Unified2
-  
-  class Construct < ::BinData::Record
-    record_header :header
-    
-    choice :data, :selection => :type_selection do
-      packet "packet"
-      event_ip4  "ev4"
-      event_ip6 "ev6"
-    end
-
-    # padding
-    string :read_length => :padding_length
-
-    def type_selection
-      case header.u2type.to_i
-      when 1
-        # define UNIFIED2_EVENT 1
-      when 2
-        # define UNIFIED2_PACKET 2
-        "packet"
-      when 7
-        # define UNIFIED2_IDS_EVENT 7
-        "ev4"
-      when 66
-        # define UNIFIED2_EVENT_EXTENDED 66
-      when 67
-        # define UNIFIED2_PERFORMANCE 67
-      when 68
-        # define UNIFIED2_PORTSCAN 68
-      when 72
-        # define UNIFIED2_IDS_EVENT_IPV6 72
-        "ev6"
-      else
-        "unknown type #{header.u2type}"
-      end
-    end
-
-    # sometimes the data needs extra padding
-    def padding_length
-      if header.u2length > data.num_bytes
-        header.u2length - data.num_bytes
-      else
-        0
-      end
-    end
-  end
-  
-end

data/lib/unified2/event_ip4.rb

@@ -1,26 +0,0 @@
-require 'unified2/primitive/ipv4'
-
-module Unified2
-  
-  class EventIP4 < ::BinData::Record
-    
-    endian :big
-
-    uint32    :sensor_id
-    uint32    :event_id
-    uint32    :event_second
-    uint32    :event_microsecond
-    uint32    :signature_id
-    uint32    :generator_id
-    uint32    :signature_revision
-    uint32    :classification_id
-    uint32    :priority_id
-    ipv4      :ip_source
-    ipv4      :ip_destination
-    uint16    :sport_itype
-    uint16    :dport_icode
-    uint8     :protocol
-    uint8     :packet_action
-  end
-
-end

data/lib/unified2/event_ip6.rb

@@ -1,23 +0,0 @@
-module Unified2
-  
-  class EventIP6 < ::BinData::Record
-    endian :big
-
-    uint32    :sensor_id
-    uint32    :event_id
-    uint32    :event_second
-    uint32    :event_microsecond
-    uint32    :signature_id
-    uint32    :generator_id
-    uint32    :signature_revision
-    uint32    :classification_id
-    uint32    :priority_id
-    uint128   :ip_source
-    uint128   :ip_destination
-    uint16    :sport_itype
-    uint16    :dport_icode
-    uint8     :protocol
-    uint8     :packet_action
-  end
-  
-end

data/lib/unified2/packet.rb

@@ -1,16 +0,0 @@
-module Unified2
-  
-  class Packet < ::BinData::Record
-    endian :big
-
-    uint32 :sensor_id
-    uint32 :event_id
-    uint32 :event_second
-    uint32 :packet_second
-    uint32 :packet_microsecond
-    uint32 :linktype
-    uint32 :packet_length
-    string :packet_data, :read_length => :packet_length
-  end
-  
-end

data/lib/unified2/primitive/ipv4.rb

@@ -1,19 +0,0 @@
-module Unified2
-  module Primitive
-    
-    class IPV4 < ::BinData::Primitive
-      array :octets, :type => :uint8, :initial_length => 4
-
-      def set(val)
-        ints = val.split(/\./).collect { |int| int.to_i }
-        self.octets = ints
-      end
-
-      def get
-        self.octets.collect { |octet| "%d" % octet }.join(".")
-      end
-
-    end
-    
-  end
-end

data/lib/unified2/record_header.rb

@@ -1,10 +0,0 @@
-module Unified2
-  
-  class RecordHeader < ::BinData::Record
-    endian :big
-
-    uint32 :u2type
-    uint32 :u2length
-  end
-  
-end