unified2 0.5.4 → 0.6.0

data/lib/unified2/exceptions/unknown_load_type.rb

@@ -1,7 +1,10 @@
+#
+# Unified2
+#
 module Unified2
   #
   # Unknown Load Type
   # 
   class UnknownLoadType < StandardError; end # class UnknownLoadType
   
-end # module Unified2
+end # module Unified2

data/lib/unified2/exceptions.rb

@@ -1,2 +1,3 @@
 require 'unified2/exceptions/file_not_found'
-require 'unified2/exceptions/file_not_readable'
+require 'unified2/exceptions/file_not_readable'
+require 'unified2/exceptions/binary_read_error'

data/lib/unified2/extra.rb

@@ -0,0 +1,128 @@
+#
+# Unified2
+#
+module Unified2
+
+  #
+  # Extra
+  #
+  class Extra
+
+    # Type 1: True-Client-IP/XFF IPv4 address
+    # Type 2: True-Client-IP/XFF IPv6 address
+    # Type 3: ???
+    # Type 4: HTTP Gzip decompressed data
+    # Type 5: SMTP filename
+    # Type 6: SMTP MAIL FROM addresses
+    # Type 7: SMTP RCPT TO addresses
+    # Type 8: SMTP Email headers
+    # Type 9: HTTP Request URI
+    # Type 10: HTTP Request Hostname
+    # Type 11: Packet's IPv6 Source IP Address
+    # Type 12: Packet's IPv6 Destination IP Address
+    EXTRA_TYPES = {
+      1 => [
+        "EVENT_INFO_XFF_IPV4", 
+        "True-Client-IP/XFF IPv4 address"
+      ],
+      2 => [
+        "EVENT_INFO_XFF_IPV6", 
+        "True-Client-IP/XFF IPv6 address"
+      ],
+      3 => [
+        "EVENT_INFO_REVIEWED_BY", 
+        "EVENT_INFO_REVIEWED_BY"
+      ],
+      4 => [
+        "EVENT_INFO_GZIP_DATA", 
+        "HTTP Gzip decompressed data"
+      ],
+      5 => [
+        "EVENT_INFO_SMTP_FILENAME", 
+        "SMTP filename"
+      ],
+      6 => [
+        "EVENT_INFO_SMTP_MAILFROM", 
+        "SMTP MAIL FROM addresses"
+      ],
+      7 => [
+        "EVENT_INFO_SMTP_RCPTTO", 
+        "SMTP RCPT TO addresses"
+      ],
+      8 => [
+        "EVENT_INFO_SMTP_EMAIL_HDRS", 
+        "SMTP Email headers"
+      ],
+      9 => [
+        "EVENT_INFO_HTTP_URI", 
+        "HTTP Request URI"
+      ],
+      10 => [
+        "EVENT_INFO_HTTP_HOSTNAME", 
+        "HTTP Request Hostname"
+      ],
+      11 => [
+        "EVENT_INFO_IPV6_SRC", 
+        "Packet's IPv6 Source IP Address"
+      ],
+      12 => [
+        "EVENT_INFO_IPV6_DS", 
+        "Packet's IPv6 Destination IP Addres"
+      ]
+    }
+
+    #
+    # Build methods defaults
+    #
+    attr_reader :extra, :header, :type_id, 
+      :data_type, :value, :length, :timestamp, :data
+
+    #
+    # Initialize Extra object
+    # 
+    # @param [Hash] data Extra data hash
+    # 
+    def initialize(data)
+      extra = data[:data]
+      @header = extra[:header]
+      @data = extra[:data]
+
+      @timestamp = Time.at(@data[:event_second].to_i)
+      @value = @data[:blob].to_s
+      @length = @data[:blob_length].to_i
+      @type_id = @data[:extra_type].to_i
+      @data_type = @data[:data_type].to_i
+      @type = EXTRA_TYPES[@type_id.to_i]
+    end
+
+    #
+    # Blank?
+    #
+    # @return [true, false] Check is extra value is blank
+    #
+    def blank?
+      return true unless @value
+      false
+    end
+
+    #
+    # Description
+    #
+    # @return [String] Extra data description
+    #
+    def description
+      @type.last
+    end
+
+    #
+    # Name
+    #
+    # @return [String] Extra data name
+    #
+    def name
+      @type.first
+    end
+
+  end
+end
+

data/lib/unified2/packet.rb

@@ -0,0 +1,211 @@
+require 'hexdump'
+require 'unified2/protocol'
+
+#
+# Unified2
+#
+module Unified2
+
+
+  #
+  # Packet
+  # 
+  class Packet
+
+    #
+    # Build method defaults
+    #
+    attr_reader :link_type, :event_id,
+      :microsecond, :timestamp, :length,
+      :raw, :event_timestamp
+
+    #
+    # Initialize packet Object
+    #
+    # @param [Hash] Packet Packet hash
+    #
+    def initialize(packet)
+      @raw = packet
+      @link_type = packet[:linktype]
+      @microsecond = packet[:packet_microsecond]
+
+      @event_timestamp = Time.at(packet[:timestamp])
+      @timestamp = Time.at(packet[:packet_timestamp])
+      @length = packet[:packet_length].to_i
+      @event_id = packet[:event_id]
+
+      @packet ||= PacketFu::Packet.parse(packet[:packet])
+      @protocol = @packet.protocol.last.to_sym
+    end
+
+    #
+    # IP Header
+    # 
+    # @return [Hash] IP header
+    #
+    def ip_header
+      if @packet.is_ip?
+        @ip_header = {
+          :ip_ver => @packet.ip_header.ip_v,
+          :ip_hlen => @packet.ip_header.ip_hl,
+          :ip_tos => @packet.ip_header.ip_tos,
+          :ip_len => @packet.ip_header.ip_len,
+          :ip_id => @packet.ip_header.ip_id,
+          :ip_frag => @packet.ip_header.ip_frag,
+          :ip_ttl => @packet.ip_header.ip_ttl,
+          :ip_proto => @packet.ip_header.ip_proto,
+          :ip_csum => @packet.ip_header.ip_sum
+        }
+      else
+        @ip_header = {}
+      end
+
+      @ip_header
+    end
+
+    #
+    # Protocol
+    #
+    # @return [Protocol] packet protocol object
+    #
+    def protocol
+      @proto ||= Protocol.new(@protocol, @packet)
+    end
+
+    #
+    # String
+    #
+    # @return [String] Signature name
+    #
+    def to_s
+      payload.to_s
+    end
+
+    #
+    # Payload
+    #
+    # @return [Payload] Event payload object
+    #
+    def payload
+      @packet.payload
+    end
+
+    #
+    # Blank?
+    #
+    # @return [true, false] Check is payload is blank
+    #
+    def blank?
+      return true unless @packet
+      false
+    end
+
+    #
+    # Raw
+    #
+    # @return [String] Raw binary payload
+    #
+    def raw
+      @packet
+    end
+
+    #
+    # Hex
+    #
+    # @return [String] Convert payload to hex
+    #
+    def hex(include_header=true)
+      packet = if include_header
+                 @packet.to_s
+               else
+                 @packet.payload.to_s
+               end
+
+      hex = packet.unpack('H*')
+      return hex.first if hex
+      nil
+    end
+
+    #
+    # Dump
+    #
+    # @param [options] options Hash of options for Hexdump#dump
+    #
+    # @option options [Integer] :width (16)
+    #   The number of bytes to dump for each line.
+    #
+    # @option options [Symbol, Integer] :base (:hexadecimal)
+    #   The base to print bytes in. Supported bases include, `:hexadecimal`,
+    #   `:hex`, `16, `:decimal`, `:dec`, `10, `:octal`, `:oct`, `8`,
+    #   `:binary`, `:bin` and `2`.
+    #
+    # @option options [Boolean] :ascii (false)
+    #   Print ascii characters when possible.
+    #
+    # @option options [#<<] :output (STDOUT)
+    #   The output to print the hexdump to.
+    #
+    # @yield [index,hex_segment,print_segment]
+    #   The given block will be passed the hexdump break-down of each segment.
+    #
+    # @yieldparam [Integer] index
+    #   The index of the hexdumped segment.
+    #
+    # @yieldparam [Array<String>] hex_segment
+    #   The hexadecimal-byte representation of the segment.
+    #
+    # @yieldparam [Array<String>] print_segment
+    #   The print-character representation of the segment.
+    #
+    # @return [nil]
+    #
+    # @raise [ArgumentError]
+    #   The given data does not define the `#each_byte` method, or
+    #
+    # @note
+    #   Please view the hexdump documentation for more
+    #   information. Hexdump is a great lib by @postmodern. 
+    #   (http://github.com/postmodern/hexdump)
+    # 
+    def dump(options={})
+      packet = if options[:header]
+                 @raw[:packet]
+               else
+                 @packet.payload
+               end
+
+      Hexdump.dump(packet, options)
+    end
+
+    #
+    # Hexdump
+    #
+    # @see Packet#dump
+    #
+    # @example 
+    #   packet.hexdump(:width => 16)
+    #
+    def hexdump(options={})
+      hexdump = options[:output] ||= ""
+      options[:width] ||= 30
+      options[:header] ||= true
+
+      dump(options)
+      hexdump
+    end
+    
+    #
+    # Checksum
+    #
+    # Create a unique payload checksum
+    #
+    # @return [String] Payload checksum
+    #
+    def checksum
+      Digest::MD5.hexdigest(hex(false))
+    end
+
+  end # class Packet
+
+end # module Unified2
+

data/lib/unified2/protocol.rb

@@ -1,3 +1,6 @@
+#
+# Unified2
+#
 module Unified2
   #
   # Protocol
@@ -16,29 +19,13 @@ module Unified2
       @packet = packet
     end
 
-    #
-    # Protocol Header
-    # 
-    # @return [Object, nil] Protocol header object
-    # 
-    def header
-      if @packet.has_data?
-        if @packet.send(:"is_#{@protocol.downcase}?")
-          @packet.send(:"#{@protocol.downcase}_header")
-        end
-      else
-        nil
-      end
-    end
-
     #
     # ICMP?
     # 
     # @return [true, false] Check is protocol is icmp
     # 
     def icmp?
-      return true if @protocol == :ICMP
-      false
+      @protocol == :ICMP
     end
 
     #
@@ -47,8 +34,7 @@ module Unified2
     # @return [true, false] Check is protocol is tcp
     #
     def tcp?
-      return true if @protocol == :TCP
-      false
+      @protocol == :TCP
     end
 
     #
@@ -57,8 +43,7 @@ module Unified2
     # @return [true, false] Check is protocol is udp
     #
     def udp?
-      return true if @protocol == :UDP
-      false
+      @protocol == :UDP
     end
 
     #
@@ -88,53 +73,59 @@ module Unified2
         {}
       end
     end
+    alias header to_h
 
     private
       
-      def icmp(include_body=false)
-        @icmp = {
-          :length => header.len,
-          :type => header.icmp_type,
-          :csum => header.icmp_sum,
-          :code => header.icmp_code
-        }
-        
-        @icmp[:body] = header.body if include_body
-        
-        @icmp
-      end
+    def hdr
+      return nil unless @packet.send(:"is_#{@protocol.downcase}?")
+      @packet.send(:"#{@protocol.downcase}_header")
+    end
 
-      def udp(include_body=false)
-        @udp = {
-          :length => header.len,
-          :csum => header.udp_sum,
-        }
-        
-        @udp[:body] = header.body if include_body
-        
-        @udp
-      end
+    def icmp(include_body=false)
+      icmp = {
+        :length => hdr.len,
+        :type => hdr.icmp_type,
+        :csum => hdr.icmp_sum,
+        :code => hdr.icmp_code
+      }
+      
+      icmp[:body] = hdr.body if include_body
+      
+      icmp
+    end
 
-      def tcp(include_body=false)
-        @tcp = {
-          :length => header.len,
-          :seq => header.tcp_seq,
-          :ack => header.tcp_ack,
-          :win => header.tcp_win,
-          :csum => header.tcp_sum,
-          :urg => header.tcp_urg,
-          :hlen => header.tcp_hlen,
-          :reserved => header.tcp_reserved,
-          :ecn => header.tcp_ecn,
-          :opts_len => header.tcp_opts_len,
-          :rand_port => header.rand_port,
-          :options => header.tcp_options
-        }
-        
-        @tcp[:body] = header.body if include_body
-        
-        @tcp
-      end
+    def udp(include_body=false)
+      udp = {
+        :length => hdr.len,
+        :csum => hdr.udp_sum,
+      }
+      
+      udp[:body] = hdr.body if include_body
+      
+      udp
+    end
+
+    def tcp(include_body=false)
+      tcp = {
+        :length => hdr.len,
+        :seq => hdr.tcp_seq,
+        :ack => hdr.tcp_ack,
+        :win => hdr.tcp_win,
+        :csum => hdr.tcp_sum,
+        :urg => hdr.tcp_urg,
+        :hlen => hdr.tcp_hlen,
+        :reserved => hdr.tcp_reserved,
+        :ecn => hdr.tcp_ecn,
+        :opts_len => hdr.tcp_opts_len,
+        :rand_port => hdr.rand_port,
+        :options => hdr.tcp_options
+      }
+      
+      tcp[:body] = hdr.body if include_body
+      
+      tcp
+    end
 
   end
 end

data/lib/unified2/sensor.rb

@@ -1,3 +1,6 @@
+#
+# Unified2
+#
 module Unified2
   #
   # Sensor
@@ -22,7 +25,16 @@ module Unified2
       @interface ||= options[:interface] || nil
       @checksum = nil
     end
-    
+
+    #
+    # To String
+    #
+    # @return [String] Sensor Name
+    #
+    def to_s
+      @name
+    end
+
     #
     # Update
     # 
@@ -45,4 +57,4 @@ module Unified2
     end
     
   end
-end
+end

data/lib/unified2/signature.rb

@@ -1,3 +1,6 @@
+#
+# Unified2
+#
 module Unified2
   #
   # Signature
@@ -25,6 +28,15 @@ module Unified2
       @blank = signature[:blank] || false
     end
 
+    #
+    # to_string
+    #
+    # @return [String] Signature name
+    #
+    def to_s
+      @name
+    end
+
     #
     # Blank?
     # 

data/lib/unified2/version.rb

@@ -1,4 +1,7 @@
+#
+# Unified2
+#
 module Unified2
   # Unified2 version
-  VERSION = "0.5.4"
+  VERSION = "0.6.0"
 end