unified2 0.5.4 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. data/ChangeLog.md +10 -0
  2. data/README.md +41 -35
  3. data/Rakefile +3 -2
  4. data/bin/ru2 +76 -0
  5. data/example/example.rb +10 -18
  6. data/example/example2.rb +44 -0
  7. data/example/seeds/classification.config +1 -1
  8. data/example/seeds/gen-msg.map +86 -9
  9. data/example/seeds/sid-msg.map +2849 -316
  10. data/example/seeds/unified2-current.log +0 -0
  11. data/example/seeds/{unified2.log → unified2-legacy.log} +0 -0
  12. data/gemspec.yml +2 -1
  13. data/lib/unified2/classification.rb +12 -0
  14. data/lib/unified2/config_file.rb +4 -1
  15. data/lib/unified2/constructor/construct.rb +52 -6
  16. data/lib/unified2/constructor/event_ip4.rb +18 -3
  17. data/lib/unified2/constructor/event_ip6.rb +22 -4
  18. data/lib/unified2/constructor/extra_construct.rb +46 -0
  19. data/lib/unified2/constructor/extra_data.rb +37 -0
  20. data/lib/unified2/constructor/extra_data_header.rb +28 -0
  21. data/lib/unified2/constructor/legacy_event_ip4.rb +54 -0
  22. data/lib/unified2/constructor/legacy_event_ip6.rb +52 -0
  23. data/lib/unified2/constructor/packet.rb +9 -1
  24. data/lib/unified2/constructor/primitive/ipv4.rb +9 -0
  25. data/lib/unified2/constructor/record_header.rb +9 -0
  26. data/lib/unified2/constructor.rb +2 -1
  27. data/lib/unified2/core_ext/string.rb +2 -1
  28. data/lib/unified2/event.rb +290 -165
  29. data/lib/unified2/exceptions/binary_read_error.rb +11 -0
  30. data/lib/unified2/exceptions/file_not_found.rb +4 -1
  31. data/lib/unified2/exceptions/file_not_readable.rb +4 -1
  32. data/lib/unified2/exceptions/unknown_load_type.rb +4 -1
  33. data/lib/unified2/exceptions.rb +2 -1
  34. data/lib/unified2/extra.rb +128 -0
  35. data/lib/unified2/packet.rb +211 -0
  36. data/lib/unified2/protocol.rb +54 -63
  37. data/lib/unified2/sensor.rb +14 -2
  38. data/lib/unified2/signature.rb +12 -0
  39. data/lib/unified2/version.rb +4 -1
  40. data/lib/unified2.rb +65 -81
  41. data/spec/event_spec.rb +40 -27
  42. data/spec/legacy_event_spec.rb +122 -0
  43. data/spec/spec_helper.rb +10 -21
  44. data/spec/unified2_spec.rb +3 -3
  45. metadata +124 -140
  46. data/lib/unified2/payload.rb +0 -114
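--- a/data/gemspec.yml
+++ b/data/gemspec.yml
@@ -14,4 +14,5 @@ dependencies:
  development_dependencies:
  ore-tasks: ~> 0.5
  rspec: ~> 2.4
- yard: ~> 0.6.0
+ yard: ~> 0.7
+ rdiscount: ~> 1.6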
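--- a/data/lib/unified2/classification.rb
+++ b/data/lib/unified2/classification.rb
@@ -1,3 +1,6 @@
+ #
+ # Unified2
+ #
  module Unified2
  #
  # Classification
@@ -23,6 +26,15 @@ module Unified2
  @severity = classification[:severity]
  end
 
+ #
+ # String
+ #
+ # @return [String] Signature name
+ #
+ def to_s
+ @name
+ end
+
  end # class Classification
 
  end # module Unified2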
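Review bot: The YARD tag on the new `to_s` reads `# @return [String] Signature name`, but the method is defined in Classification and returns `@name`, which is presumably the classification name assigned in the constructor above this hunk. Generated docs will describe the wrong object; change it to `# @return [String] Classification name`, and the `# String` heading could read `# Classification name as a String` so the purpose is clear without opening the class.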
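--- a/data/lib/unified2/config_file.rb
+++ b/data/lib/unified2/config_file.rb
@@ -1,3 +1,6 @@
+ #
+ # Unified2
+ #
  module Unified2
  #
  # Configuration file
@@ -101,4 +104,4 @@ module Unified2
 
  end # class ConfigFile
 
- end # module Unified2
+ end # module Unified2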
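--- a/data/lib/unified2/constructor/construct.rb
+++ b/data/lib/unified2/constructor/construct.rb
@@ -1,17 +1,27 @@
  require 'unified2/constructor/event_ip4'
  require 'unified2/constructor/event_ip6'
+ require 'unified2/constructor/extra_construct'
+ require 'unified2/constructor/extra_data'
+ require 'unified2/constructor/legacy_event_ip4'
+ require 'unified2/constructor/legacy_event_ip6'
  require 'unified2/constructor/record_header'
  require 'unified2/constructor/packet'
 
+ #
+ # Unified2
+ #
  module Unified2
+
  #
  # Unified2 Constructor Namespace
  #
  module Constructor
+
  #
  # Unified2 Construction
  #
  class Construct < ::BinData::Record
+
  #
  # Rename record_header to header
  # to simplify and cut down on verbosity
@@ -21,13 +31,16 @@ module Unified2
  #
  # Unified2 data types
  #
- # Currently rUnified2 only supports packet,
- # event_ip4 and event_ip6.
- #
  choice :data, :selection => :type_selection do
  packet "packet"
+
  event_ip4 "ev4"
  event_ip6 "ev6"
+
+ legacy_event_ip4 "lev4"
+ legacy_event_ip6 "lev6"
+
+ extra_construct "extra_data"
  end
 
  #
@@ -41,27 +54,60 @@ module Unified2
  # Deterime and call data type based on
  # the unified2 type attribute
  #
+ # SNORT DEFINES
+ # Long time ago...
+ # define UNIFIED2_EVENT 1
+ #
+ # CURRENT
+ # define UNIFIED2_PACKET 2
+ # define UNIFIED2_IDS_EVENT 7
+ # define UNIFIED2_IDS_EVENT_IPV6 72
+ # define UNIFIED2_IDS_EVENT_MPLS 99
+ # define UNIFIED2_IDS_EVENT_IPV6_MPLS 100
+ # define UNIFIED2_IDS_EVENT_VLAN 104
+ # define UNIFIED2_IDS_EVENT_IPV6_VLAN 105
+ # define UNIFIED2_EXTRA_DATA 110
+ #
  def type_selection
  case header.u2type.to_i
  when 1
+ # LEGACY
  # define UNIFIED2_EVENT 1
  when 2
  # define UNIFIED2_PACKET 2
  "packet"
  when 7
  # define UNIFIED2_IDS_EVENT 7
- "ev4"
+ "lev4"
  when 66
+ # LEGACY
  # define UNIFIED2_EVENT_EXTENDED 66
  when 67
+ # LEGACY
  # define UNIFIED2_PERFORMANCE 67
  when 68
+ # LEGACY
  # define UNIFIED2_PORTSCAN 68
  when 72
  # define UNIFIED2_IDS_EVENT_IPV6 72
+ "lev6"
+ when 99
+ # define UNIFIED2_IDS_EVENT_MPLS 99
+ puts "99"
+ when 100
+ # define UNIFIED2_IDS_EVENT_IPV6_MPLS
+ puts "100"
+ when 104
+ # define UNIFIED2_IDS_EVENT_VLAN 104
+ "ev4"
+ when 105
+ # define UNIFIED2_IDS_EVENT_IPV6_VLAN 105
  "ev6"
+ when 110
+ # define UNIFIED2_EXTRA_DATA 110
+ "extra_data"
  else
- "unknown type #{header.u2type}"
+ raise "unknown type #{header.u2type}"
  end
  end
 
@@ -80,4 +126,4 @@ module Unified2
 
  end # module Construct
 
- end # module Unified2
+ end # module Unified2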
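Review bot: In `type_selection` the new `when 99` and `when 100` branches end with `puts "99"` / `puts "100"`, so the selection value for an MPLS record is `nil` (the return value of `puts`) and a diagnostic is written to stdout from library code; the legacy `when 1`, `66`, `67` and `68` branches likewise hold only comments and also yield `nil`. A `nil` selection for a BinData `choice` will presumably fail somewhere downstream instead of at the point the unexpected type was read, which makes a corrupt or unsupported record hard to diagnose when parsing log data. Fold these into the explicit failure path the hunk already introduces, e.g. `when 1, 66, 67, 68, 99, 100 then raise "unsupported type #{header.u2type}"`, and drop the `puts` calls. The `else` branch raises a bare RuntimeError; this commit also adds `exceptions/binary_read_error.rb` (visible only in the file list), and raising a project exception class here would let callers rescue type errors specifically.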
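--- a/data/lib/unified2/constructor/event_ip4.rb
+++ b/data/lib/unified2/constructor/event_ip4.rb
@@ -1,14 +1,18 @@
  require 'unified2/constructor/primitive/ipv4'
 
+ #
+ # Unified2
+ #
  module Unified2
 
  module Constructor
+
  #
  # Event IP Version 4
  #
  class EventIP4 < ::BinData::Record
 
- endian :big
+ endian :big
 
  uint32 :sensor_id
 
@@ -38,10 +42,21 @@ module Unified2
 
  uint8 :protocol
 
- uint8 :packet_action
-
+ uint8 :impact_flag
+
+ uint8 :impact
+
+ uint8 :blocked
+
+ uint32 :mpls_label
+
+ uint16 :vlanId
+
+ uint16 :pad2
+
  end # class EventIP4
 
  end # module Constructor
 
  end # module Unified2
+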
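Review bot: The new field `uint16 :vlanId` is camelCase while every other field in EventIP4 (`sensor_id`, `impact_flag`, `mpls_label`) is snake_case; BinData exposes field names as accessors, so this leaks out as `vlanId` to callers. Rename it `uint16 :vlan_id` here and in the matching EventIP6 hunk before anything depends on the accessor. Since these fields replace `packet_action` and change the record size, a one-line comment above `endian :big` stating that the layout now follows the type 104 record (UNIFIED2_IDS_EVENT_VLAN per the comment in construct.rb) would tell readers why the old struct no longer applies.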
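--- a/data/lib/unified2/constructor/event_ip6.rb
+++ b/data/lib/unified2/constructor/event_ip6.rb
@@ -1,11 +1,19 @@
+ #
+ # Unified2
+ #
  module Unified2
 
+ #
+ # Constructor
+ #
  module Constructor
+
  #
  # Event IP Version 6
  #
  class EventIP6 < ::BinData::Record
- endian :big
+
+ endian :big
 
  uint32 :sensor_id
 
@@ -35,10 +43,20 @@ module Unified2
 
  uint8 :protocol
 
- uint8 :packet_action
-
+ uint8 :impact_flag
+
+ uint8 :impact
+
+ uint8 :blocked
+
+ uint32 :mpls_label
+
+ uint16 :vlanId
+
+ uint16 :pad2
+
  end # class EventIP6
 
  end # module Constructor
 
- end # module Unified2
+ end # module Unified2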
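--- a/data/lib/unified2/constructor/extra_construct.rb
+++ b/data/lib/unified2/constructor/extra_construct.rb
@@ -0,0 +1,46 @@
+ require 'unified2/constructor/extra_data'
+ require 'unified2/constructor/extra_data_header'
+
+ #
+ # Unified2
+ #
+ module Unified2
+
+ #
+ # Unified2 Constructor Namespace
+ #
+ module Constructor
+
+ #
+ # Unified2 Construction
+ #
+ class ExtraConstruct < ::BinData::Record
+
+ #
+ # Rename record_header to header
+ # to simplify and cut down on verbosity
+ #
+ extra_data_header :header
+
+ #
+ # Unified2 data types
+ #
+ extra_data :data
+
+ #
+ # Sometimes the data needs extra padding
+ #
+ def padding_length
+ if header.event_length > data.num_bytes
+ header.event_length - data.num_bytes
+ else
+ 0
+ end
+ end
+
+ end # class ExtraConstruct
+
+ end # module Construct
+
+ end # module Unified2
+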
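Review bot: The comment above `extra_data_header :header` still says `# Rename record_header to header`, copied from Construct, and the file closes with `end # module Construct` although the module is `Constructor`; correct both to `# Rename extra_data_header to header` and `end # module Constructor`. `padding_length` returns `header.event_length - data.num_bytes`, where `event_length` comes straight from the log file, so a record with an inflated length field produces an arbitrarily large padding value; the code that consumes it is not in this hunk, and whoever skips that many bytes should bound the skip by the enclosing record length. The if/else reads more directly as a clamp: `[header.event_length - data.num_bytes, 0].max`.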
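--- a/data/lib/unified2/constructor/extra_data.rb
+++ b/data/lib/unified2/constructor/extra_data.rb
@@ -0,0 +1,37 @@
+ #
+ # Unified2
+ #
+ module Unified2
+
+ #
+ # Constructor
+ #
+ module Constructor
+
+ #
+ # Event Packet
+ #
+ class ExtraData < ::BinData::Record
+
+ endian :big
+
+ uint32 :sensor_id
+
+ uint32 :event_id
+
+ uint32 :event_second
+
+ uint32 :extra_type
+
+ uint32 :data_type
+
+ uint32 :blob_length
+
+ string :blob, :read_length => lambda { blob_length - 8 }
+
+ end # class ExtraData
+
+ end # module Constructor
+
+ end # module Unified2
+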
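Review bot: `string :blob, :read_length => lambda { blob_length - 8 }` has no lower bound: `blob_length` is read from the input file, and any value below 8 gives a negative read length, so a truncated or corrupt record fails inside BinData rather than with a message naming the bad field. Guard it, e.g. `:read_length => lambda { [blob_length - 8, 0].max }`, or check `blob_length` before the blob is read, and add a comment explaining the 8 (presumably the size of the `data_type` and `blob_length` words that the length covers — confirm against the Snort definition). The class comment `# Event Packet` is copied from Packet and should read `# Extra Data`.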
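--- a/data/lib/unified2/constructor/extra_data_header.rb
+++ b/data/lib/unified2/constructor/extra_data_header.rb
@@ -0,0 +1,28 @@
+ #
+ # Unified2
+ #
+ module Unified2
+
+ #
+ # Constructor
+ #
+ module Constructor
+
+ #
+ # Extra Data Header
+ #
+ class ExtraDataHeader < ::BinData::Record
+
+ endian :big
+
+ uint32 :event_type
+
+ uint32 :event_length
+
+ end # class ExtraDataHeader
+
+ end # module Constructor
+
+ end # module Unified2
+
+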
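--- a/data/lib/unified2/constructor/legacy_event_ip4.rb
+++ b/data/lib/unified2/constructor/legacy_event_ip4.rb
@@ -0,0 +1,54 @@
+ require 'unified2/constructor/primitive/ipv4'
+
+ #
+ # Unified2
+ #
+ module Unified2
+
+ #
+ # Constructor
+ #
+ module Constructor
+
+ #
+ # Legacy Event IP Version 4
+ #
+ class LegacyEventIP4 < ::BinData::Record
+
+ endian :big
+
+ uint32 :sensor_id
+
+ uint32 :event_id
+
+ uint32 :event_second
+
+ uint32 :event_microsecond
+
+ uint32 :signature_id
+
+ uint32 :generator_id
+
+ uint32 :signature_revision
+
+ uint32 :classification_id
+
+ uint32 :priority_id
+
+ ipv4 :ip_source
+
+ ipv4 :ip_destination
+
+ uint16 :sport_itype
+
+ uint16 :dport_icode
+
+ uint8 :protocol
+
+ uint8 :packet_action
+
+ end # class EventIP4
+
+ end # module Constructor
+
+ end # module Unified2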
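Review bot: The closing comment on the new class reads `end # class EventIP4`, but the class is `LegacyEventIP4`; the LegacyEventIP6 hunk has the same slip with `end # class EventIP6`. Change them to `end # class LegacyEventIP4` and `end # class LegacyEventIP6`. A one-line note above each class saying which record type selects it (`"lev4"` for type 7 and `"lev6"` for type 72 in Construct#type_selection) would save readers a trip to construct.rb to learn why a "legacy" record is the one chosen for the current UNIFIED2_IDS_EVENT value.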
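--- a/data/lib/unified2/constructor/legacy_event_ip6.rb
+++ b/data/lib/unified2/constructor/legacy_event_ip6.rb
@@ -0,0 +1,52 @@
+ #
+ # Unified2
+ #
+ module Unified2
+
+ #
+ # Constructor
+ #
+ module Constructor
+
+ #
+ # Legacy Event IP Version 6
+ #
+ class LegacyEventIP6 < ::BinData::Record
+
+ endian :big
+
+ uint32 :sensor_id
+
+ uint32 :event_id
+
+ uint32 :event_second
+
+ uint32 :event_microsecond
+
+ uint32 :signature_id
+
+ uint32 :generator_id
+
+ uint32 :signature_revision
+
+ uint32 :classification_id
+
+ uint32 :priority_id
+
+ uint128 :ip_source
+
+ uint128 :ip_destination
+
+ uint16 :sport_itype
+
+ uint16 :dport_icode
+
+ uint8 :protocol
+
+ uint8 :packet_action
+
+ end # class EventIP6
+
+ end # module Constructor
+
+ end # module Unified2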
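--- a/data/lib/unified2/constructor/packet.rb
+++ b/data/lib/unified2/constructor/packet.rb
@@ -1,10 +1,18 @@
+ #
+ # Unified2
+ #
  module Unified2
 
+ #
+ # Constructor
+ #
  module Constructor
+
  #
  # Event Packet
  #
  class Packet < ::BinData::Record
+
  endian :big
 
  uint32 :sensor_id
@@ -27,4 +35,4 @@ module Unified2
 
  end # module Constructor
 
- end # module Unified2
+ end # module Unified2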
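--- a/data/lib/unified2/constructor/primitive/ipv4.rb
+++ b/data/lib/unified2/constructor/primitive/ipv4.rb
@@ -1,14 +1,23 @@
+ #
+ # Unified2
+ #
  module Unified2
 
+ #
+ # Constructor
+ #
  module Constructor
+
  #
  # Unified2 Primitive Namespace
  #
  module Primitive
+
  #
  # BinData Primitive IP4 Constructor
  #
  class IPV4 < ::BinData::Primitive
+
  array :octets, :type => :uint8, :initial_length => 4
 
  # IPV4#set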
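--- a/data/lib/unified2/constructor/record_header.rb
+++ b/data/lib/unified2/constructor/record_header.rb
@@ -1,13 +1,22 @@
+ #
+ # Unified2
+ #
  module Unified2
 
+ #
+ # Constructor
+ #
  module Constructor
+
  #
  # Unified2 Header
  #
  class RecordHeader < ::BinData::Record
+
  endian :big
 
  uint32 :u2type
+
  uint32 :u2length
 
  end # class RecordHeader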
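--- a/data/lib/unified2/constructor.rb
+++ b/data/lib/unified2/constructor.rb
@@ -1 +1,2 @@
- require 'unified2/constructor/construct'
+ require 'unified2/constructor/construct'
+ require 'unified2/constructor/extra_construct'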
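--- a/data/lib/unified2/core_ext/string.rb
+++ b/data/lib/unified2/core_ext/string.rb
@@ -2,6 +2,7 @@
  # String monkeypatches
  #
  class String
+
  #
  # Blank?
  #
@@ -13,4 +14,4 @@ class String
  false
  end
 
- end # class String
+ end # class String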