unified2 0.5.4 → 0.6.0

Files changed (46)
  1. data/ChangeLog.md +10 -0
  2. data/README.md +41 -35
  3. data/Rakefile +3 -2
  4. data/bin/ru2 +76 -0
  5. data/example/example.rb +10 -18
  6. data/example/example2.rb +44 -0
  7. data/example/seeds/classification.config +1 -1
  8. data/example/seeds/gen-msg.map +86 -9
  9. data/example/seeds/sid-msg.map +2849 -316
  10. data/example/seeds/unified2-current.log +0 -0
  11. data/example/seeds/{unified2.log → unified2-legacy.log} +0 -0
  12. data/gemspec.yml +2 -1
  13. data/lib/unified2/classification.rb +12 -0
  14. data/lib/unified2/config_file.rb +4 -1
  15. data/lib/unified2/constructor/construct.rb +52 -6
  16. data/lib/unified2/constructor/event_ip4.rb +18 -3
  17. data/lib/unified2/constructor/event_ip6.rb +22 -4
  18. data/lib/unified2/constructor/extra_construct.rb +46 -0
  19. data/lib/unified2/constructor/extra_data.rb +37 -0
  20. data/lib/unified2/constructor/extra_data_header.rb +28 -0
  21. data/lib/unified2/constructor/legacy_event_ip4.rb +54 -0
  22. data/lib/unified2/constructor/legacy_event_ip6.rb +52 -0
  23. data/lib/unified2/constructor/packet.rb +9 -1
  24. data/lib/unified2/constructor/primitive/ipv4.rb +9 -0
  25. data/lib/unified2/constructor/record_header.rb +9 -0
  26. data/lib/unified2/constructor.rb +2 -1
  27. data/lib/unified2/core_ext/string.rb +2 -1
  28. data/lib/unified2/event.rb +290 -165
  29. data/lib/unified2/exceptions/binary_read_error.rb +11 -0
  30. data/lib/unified2/exceptions/file_not_found.rb +4 -1
  31. data/lib/unified2/exceptions/file_not_readable.rb +4 -1
  32. data/lib/unified2/exceptions/unknown_load_type.rb +4 -1
  33. data/lib/unified2/exceptions.rb +2 -1
  34. data/lib/unified2/extra.rb +128 -0
  35. data/lib/unified2/packet.rb +211 -0
  36. data/lib/unified2/protocol.rb +54 -63
  37. data/lib/unified2/sensor.rb +14 -2
  38. data/lib/unified2/signature.rb +12 -0
  39. data/lib/unified2/version.rb +4 -1
  40. data/lib/unified2.rb +65 -81
  41. data/spec/event_spec.rb +40 -27
  42. data/spec/legacy_event_spec.rb +122 -0
  43. data/spec/spec_helper.rb +10 -21
  44. data/spec/unified2_spec.rb +3 -3
  45. metadata +124 -140
  46. data/lib/unified2/payload.rb +0 -114
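--- a/data/gemspec.yml
+++ b/data/gemspec.yml
@@ -14,4 +14,5 @@ dependencies:
 development_dependencies:
 ore-tasks: ~> 0.5
 rspec: ~> 2.4
-yard: ~> 0.6.0
+yard: ~> 0.7
+rdiscount: ~> 1.6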
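--- a/data/lib/unified2/classification.rb
+++ b/data/lib/unified2/classification.rb
@@ -1,3 +1,6 @@
+#
+# Unified2
+#
 module Unified2
 #
 # Classification
@@ -23,6 +26,15 @@ module Unified2
 @severity = classification[:severity]
 end
 
+#
+# String
+#
+# @return [String] Signature name
+#
+def to_s
+@name
+end
+
 end # class Classification
 
 end # module Unified2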
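Review bot: The YARD tag on the new `to_s` in classification.rb reads `@return [String] Signature name`, but the method returns a Classification's `@name`, so it should say `# @return [String] Classification name`. The `# String` heading above it could likewise state the purpose, e.g. `# Classification name as a String`.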
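--- a/data/lib/unified2/config_file.rb
+++ b/data/lib/unified2/config_file.rb
@@ -1,3 +1,6 @@
+#
+# Unified2
+#
 module Unified2
 #
 # Configuration file
@@ -101,4 +104,4 @@ module Unified2
 
 end # class ConfigFile
 
-end # module Unified2
+end # module Unified2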
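--- a/data/lib/unified2/constructor/construct.rb
+++ b/data/lib/unified2/constructor/construct.rb
@@ -1,17 +1,27 @@
 require 'unified2/constructor/event_ip4'
 require 'unified2/constructor/event_ip6'
+require 'unified2/constructor/extra_construct'
+require 'unified2/constructor/extra_data'
+require 'unified2/constructor/legacy_event_ip4'
+require 'unified2/constructor/legacy_event_ip6'
 require 'unified2/constructor/record_header'
 require 'unified2/constructor/packet'
 
+#
+# Unified2
+#
 module Unified2
+
 #
 # Unified2 Constructor Namespace
 #
 module Constructor
+
 #
 # Unified2 Construction
 #
 class Construct < ::BinData::Record
+
 #
 # Rename record_header to header
 # to simplify and cut down on verbosity
@@ -21,13 +31,16 @@ module Unified2
 #
 # Unified2 data types
 #
-# Currently rUnified2 only supports packet,
-# event_ip4 and event_ip6.
-#
 choice :data, :selection => :type_selection do
 packet "packet"
+
 event_ip4 "ev4"
 event_ip6 "ev6"
+
+legacy_event_ip4 "lev4"
+legacy_event_ip6 "lev6"
+
+extra_construct "extra_data"
 end
 
 #
@@ -41,27 +54,60 @@ module Unified2
 # Deterime and call data type based on
 # the unified2 type attribute
 #
+# SNORT DEFINES
+# Long time ago...
+# define UNIFIED2_EVENT 1
+#
+# CURRENT
+# define UNIFIED2_PACKET 2
+# define UNIFIED2_IDS_EVENT 7
+# define UNIFIED2_IDS_EVENT_IPV6 72
+# define UNIFIED2_IDS_EVENT_MPLS 99
+# define UNIFIED2_IDS_EVENT_IPV6_MPLS 100
+# define UNIFIED2_IDS_EVENT_VLAN 104
+# define UNIFIED2_IDS_EVENT_IPV6_VLAN 105
+# define UNIFIED2_EXTRA_DATA 110
+#
 def type_selection
 case header.u2type.to_i
 when 1
+# LEGACY
 # define UNIFIED2_EVENT 1
 when 2
 # define UNIFIED2_PACKET 2
 "packet"
 when 7
 # define UNIFIED2_IDS_EVENT 7
-"ev4"
+"lev4"
 when 66
+# LEGACY
 # define UNIFIED2_EVENT_EXTENDED 66
 when 67
+# LEGACY
 # define UNIFIED2_PERFORMANCE 67
 when 68
+# LEGACY
 # define UNIFIED2_PORTSCAN 68
 when 72
 # define UNIFIED2_IDS_EVENT_IPV6 72
+"lev6"
+when 99
+# define UNIFIED2_IDS_EVENT_MPLS 99
+puts "99"
+when 100
+# define UNIFIED2_IDS_EVENT_IPV6_MPLS
+puts "100"
+when 104
+# define UNIFIED2_IDS_EVENT_VLAN 104
+"ev4"
+when 105
+# define UNIFIED2_IDS_EVENT_IPV6_VLAN 105
 "ev6"
+when 110
+# define UNIFIED2_EXTRA_DATA 110
+"extra_data"
 else
-"unknown type #{header.u2type}"
+raise "unknown type #{header.u2type}"
 end
 end
 
@@ -80,4 +126,4 @@ module Unified2
 
 end # module Construct
 
-end # module Unified2
+end # module Unified2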
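Review bot: The new `when 99` and `when 100` branches of `type_selection` in construct.rb return the nil that `puts` returns, so an MPLS event record gives `choice :data` no selector and the u2type is printed to stdout instead of being rejected; the comment-only branches for types 1, 66, 67 and 68 likewise fall through to nil. The record type comes straight out of the log file being parsed, so an unsupported type should fail the same way the `else` branch does: replace `puts "99"` and `puts "100"` with `raise "unsupported type #{header.u2type}"` and give the four legacy branches the same raise. The `else` branch's bare `raise` produces a RuntimeError; the diffstat shows this release adding `lib/unified2/exceptions/binary_read_error.rb`, and raising a project exception class here would let callers rescue a malformed file specifically rather than every RuntimeError.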
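--- a/data/lib/unified2/constructor/event_ip4.rb
+++ b/data/lib/unified2/constructor/event_ip4.rb
@@ -1,14 +1,18 @@
 require 'unified2/constructor/primitive/ipv4'
 
+#
+# Unified2
+#
 module Unified2
 
 module Constructor
+
 #
 # Event IP Version 4
 #
 class EventIP4 < ::BinData::Record
 
-endian :big
+endian :big
 
 uint32 :sensor_id
 
@@ -38,10 +42,21 @@ module Unified2
 
 uint8 :protocol
 
-uint8 :packet_action
-
+uint8 :impact_flag
+
+uint8 :impact
+
+uint8 :blocked
+
+uint32 :mpls_label
+
+uint16 :vlanId
+
+uint16 :pad2
+
 end # class EventIP4
 
 end # module Constructor
 
 end # module Unified2
+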
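Review bot: `uint16 :vlanId` in event_ip4.rb (and the identical field in event_ip6.rb) is the only camelCase field in records that otherwise use snake_case (`impact_flag`, `mpls_label`), and BinData turns the symbol into the accessor callers must use; `uint16 :vlan_id` would keep the accessors consistent. The replacement of `packet_action` by `impact_flag`, `impact` and `blocked` is the one layout change in the hunk and carries no comment; a line such as `# Snort Unified2IDSEvent layout (VLAN variant, type 104) — confirm field order against the Snort headers` above the fields would record where the layout comes from. `pad2` could also carry a `# alignment padding, not event data` note so nobody reads it as a value.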
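--- a/data/lib/unified2/constructor/event_ip6.rb
+++ b/data/lib/unified2/constructor/event_ip6.rb
@@ -1,11 +1,19 @@
+#
+# Unified2
+#
 module Unified2
 
+#
+# Constructor
+#
 module Constructor
+
 #
 # Event IP Version 6
 #
 class EventIP6 < ::BinData::Record
-endian :big
+
+endian :big
 
 uint32 :sensor_id
 
@@ -35,10 +43,20 @@ module Unified2
 
 uint8 :protocol
 
-uint8 :packet_action
-
+uint8 :impact_flag
+
+uint8 :impact
+
+uint8 :blocked
+
+uint32 :mpls_label
+
+uint16 :vlanId
+
+uint16 :pad2
+
 end # class EventIP6
 
 end # module Constructor
 
-end # module Unified2
+end # module Unified2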
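--- /dev/null
+++ b/data/lib/unified2/constructor/extra_construct.rb
@@ -0,0 +1,46 @@
+require 'unified2/constructor/extra_data'
+require 'unified2/constructor/extra_data_header'
+
+#
+# Unified2
+#
+module Unified2
+
+#
+# Unified2 Constructor Namespace
+#
+module Constructor
+
+#
+# Unified2 Construction
+#
+class ExtraConstruct < ::BinData::Record
+
+#
+# Rename record_header to header
+# to simplify and cut down on verbosity
+#
+extra_data_header :header
+
+#
+# Unified2 data types
+#
+extra_data :data
+
+#
+# Sometimes the data needs extra padding
+#
+def padding_length
+if header.event_length > data.num_bytes
+header.event_length - data.num_bytes
+else
+0
+end
+end
+
+end # class ExtraConstruct
+
+end # module Construct
+
+end # module Unified2
+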
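Review bot: The comment above `extra_data_header :header` in extra_construct.rb still reads `Rename record_header to header`, copied from construct.rb, and should say `# Rename extra_data_header to header`; the closing comment `end # module Construct` should be `end # module Constructor`. `padding_length` is documented only as `Sometimes the data needs extra padding`, and both operands come from the file being parsed, so a tag such as `# @return [Integer] bytes by which header.event_length exceeds the parsed data, or 0` would state the contract and make clear the value is as untrusted as the header it derives from.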
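--- /dev/null
+++ b/data/lib/unified2/constructor/extra_data.rb
@@ -0,0 +1,37 @@
+#
+# Unified2
+#
+module Unified2
+
+#
+# Constructor
+#
+module Constructor
+
+#
+# Event Packet
+#
+class ExtraData < ::BinData::Record
+
+endian :big
+
+uint32 :sensor_id
+
+uint32 :event_id
+
+uint32 :event_second
+
+uint32 :extra_type
+
+uint32 :data_type
+
+uint32 :blob_length
+
+string :blob, :read_length => lambda { blob_length - 8 }
+
+end # class ExtraData
+
+end # module Constructor
+
+end # module Unified2
+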
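Review bot: `string :blob, :read_length => lambda { blob_length - 8 }` in extra_data.rb takes `blob_length` from the record being parsed, so a truncated or corrupt record with `blob_length < 8` produces a negative read length, and the constant 8 is unexplained. Document and clamp it: `# blob_length counts the data_type and blob_length fields themselves (8 bytes) — confirm against Snort's Unified2ExtraData` and `string :blob, :read_length => lambda { [blob_length - 8, 0].max }`. The class comment `# Event Packet` was copied from packet.rb and should read `# Extra Data`.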
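--- /dev/null
+++ b/data/lib/unified2/constructor/extra_data_header.rb
@@ -0,0 +1,28 @@
+#
+# Unified2
+#
+module Unified2
+
+#
+# Constructor
+#
+module Constructor
+
+#
+# Extra Data Header
+#
+class ExtraDataHeader < ::BinData::Record
+
+endian :big
+
+uint32 :event_type
+
+uint32 :event_length
+
+end # class ExtraDataHeader
+
+end # module Constructor
+
+end # module Unified2
+
+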
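--- /dev/null
+++ b/data/lib/unified2/constructor/legacy_event_ip4.rb
@@ -0,0 +1,54 @@
+require 'unified2/constructor/primitive/ipv4'
+
+#
+# Unified2
+#
+module Unified2
+
+#
+# Constructor
+#
+module Constructor
+
+#
+# Legacy Event IP Version 4
+#
+class LegacyEventIP4 < ::BinData::Record
+
+endian :big
+
+uint32 :sensor_id
+
+uint32 :event_id
+
+uint32 :event_second
+
+uint32 :event_microsecond
+
+uint32 :signature_id
+
+uint32 :generator_id
+
+uint32 :signature_revision
+
+uint32 :classification_id
+
+uint32 :priority_id
+
+ipv4 :ip_source
+
+ipv4 :ip_destination
+
+uint16 :sport_itype
+
+uint16 :dport_icode
+
+uint8 :protocol
+
+uint8 :packet_action
+
+end # class EventIP4
+
+end # module Constructor
+
+end # module Unified2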
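Review bot: The closing comments in legacy_event_ip4.rb and legacy_event_ip6.rb name the wrong classes — `end # class EventIP4` should be `end # class LegacyEventIP4` and `end # class EventIP6` should be `end # class LegacyEventIP6`. The visible fields match the layout `EventIP4`/`EventIP6` had before this change (ending in `uint8 :packet_action`), and construct.rb now routes types 7 and 72 here while 104 and 105 go to the VLAN records, so a header comment such as `# Record layout for UNIFIED2_IDS_EVENT (type 7) as written by older Snort versions; see EventIP4 for the VLAN variant (type 104)` would explain why two near-identical records exist. `uint128 :ip_source` is read as a bare integer while the IPv4 records use the `ipv4` primitive; a comment stating whether the address is meant to be formatted elsewhere would save the next reader from guessing.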
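--- /dev/null
+++ b/data/lib/unified2/constructor/legacy_event_ip6.rb
@@ -0,0 +1,52 @@
+#
+# Unified2
+#
+module Unified2
+
+#
+# Constructor
+#
+module Constructor
+
+#
+# Legacy Event IP Version 6
+#
+class LegacyEventIP6 < ::BinData::Record
+
+endian :big
+
+uint32 :sensor_id
+
+uint32 :event_id
+
+uint32 :event_second
+
+uint32 :event_microsecond
+
+uint32 :signature_id
+
+uint32 :generator_id
+
+uint32 :signature_revision
+
+uint32 :classification_id
+
+uint32 :priority_id
+
+uint128 :ip_source
+
+uint128 :ip_destination
+
+uint16 :sport_itype
+
+uint16 :dport_icode
+
+uint8 :protocol
+
+uint8 :packet_action
+
+end # class EventIP6
+
+end # module Constructor
+
+end # module Unified2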
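--- a/data/lib/unified2/constructor/packet.rb
+++ b/data/lib/unified2/constructor/packet.rb
@@ -1,10 +1,18 @@
+#
+# Unified2
+#
 module Unified2
 
+#
+# Constructor
+#
 module Constructor
+
 #
 # Event Packet
 #
 class Packet < ::BinData::Record
+
 endian :big
 
 uint32 :sensor_id
@@ -27,4 +35,4 @@ module Unified2
 
 end # module Constructor
 
-end # module Unified2
+end # module Unified2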
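--- a/data/lib/unified2/constructor/primitive/ipv4.rb
+++ b/data/lib/unified2/constructor/primitive/ipv4.rb
@@ -1,14 +1,23 @@
+#
+# Unified2
+#
 module Unified2
 
+#
+# Constructor
+#
 module Constructor
+
 #
 # Unified2 Primitive Namespace
 #
 module Primitive
+
 #
 # BinData Primitive IP4 Constructor
 #
 class IPV4 < ::BinData::Primitive
+
 array :octets, :type => :uint8, :initial_length => 4
 
 # IPV4#set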
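--- a/data/lib/unified2/constructor/record_header.rb
+++ b/data/lib/unified2/constructor/record_header.rb
@@ -1,13 +1,22 @@
+#
+# Unified2
+#
 module Unified2
 
+#
+# Constructor
+#
 module Constructor
+
 #
 # Unified2 Header
 #
 class RecordHeader < ::BinData::Record
+
 endian :big
 
 uint32 :u2type
+
 uint32 :u2length
 
 end # class RecordHeader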
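--- a/data/lib/unified2/constructor.rb
+++ b/data/lib/unified2/constructor.rb
@@ -1 +1,2 @@
-require 'unified2/constructor/construct'
+require 'unified2/constructor/construct'
+require 'unified2/constructor/extra_construct'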
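--- a/data/lib/unified2/core_ext/string.rb
+++ b/data/lib/unified2/core_ext/string.rb
@@ -2,6 +2,7 @@
 # String monkeypatches
 #
 class String
+
 #
 # Blank?
 #
@@ -13,4 +14,4 @@ class String
 false
 end
 
-end # class String
+end # class String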