unified2 0.5.4 → 0.6.0

data/lib/unified2.rb

@@ -10,10 +10,10 @@ require 'unified2/exceptions'
 require 'unified2/version'
 
 #
-# Unified2 Namespace
+# Unified2
 # 
 module Unified2
-  
+
   #
   # Configuration File Types
   # 
@@ -107,78 +107,51 @@ module Unified2
   # 
   # @raise [FileNotReadable] Path not readable
   # @raise [FileNotFound] File not found
+  # @raise [BinaryReadError] Invalid position or file
   # 
   # @return [nil]
   # 
   def self.watch(path, position=:first, &block)
+    validate_path(path)
 
-    unless File.exists?(path)
-      raise FileNotFound, "Error - #{path} not found."
-    end
-
-    if File.readable?(path)
-      io = File.open(path)
-
-      case position
-      when Integer, Fixnum
-
-        event_id = position.to_i.zero? ? 1 : position.to_i
-        @event = Event.new(event_id)
-
-      when Symbol, String
-
-        case position.to_sym
-        when :last
-
-          until io.eof?
-            event = Unified2::Constructor::Construct.read(io)
-            event_id = event.data.event_id if event
-          end
+    io = File.open(path)
 
-          @event = Event.new(event_id + 1)
+    case position      
+    when Integer
+      io.sysseek(position, IO::SEEK_CUR)
 
-          # set event_id to false to catch
-          # beginning loop and process
-          event_id = false
-
-        when :first
-          begin
-            
-            first_open = File.open(path)
-            first_event = Unified2::Constructor::Construct.read(first_open)
-            first_open.close
-            event_id = first_event.data.event_id
-            @event = Event.new(event_id)
-  
-          rescue EOFError
-            sleep 5
-            retry
-          end
-
-        end
+    when Symbol, String
+    
+      if position == :last
+        io.sysseek(0, IO::SEEK_END)
+      else
+        io.sysseek(0, IO::SEEK_SET)
       end
+   
+    else
+      io.sysseek(0, IO::SEEK_SET)
+    end
 
-      loop do
-        begin
-          event = Unified2::Constructor::Construct.read(io)
-
-          if event_id
-            if event.data.event_id.to_i > (event_id - 1)
-              check_event(event, block)
-            end
-          else
-            check_event(event, block)
-          end
-
-        rescue EOFError
-          sleep 5
-          retry
-        end
-      end
+    # Start with a null event.
+    # This will always be ignored.
+    @event = Event.new(0)
 
-    else
-      raise FileNotReadable, "Error - #{path} not readable."
+    loop do
+      begin
+        event = Unified2::Constructor::Construct.read(io)
+        check_event(event, block)
+      rescue EOFError
+        sleep 5
+        retry
+      end
     end
+
+  rescue RuntimeError
+    raise(BinaryReadError, "incorrect file format or position seek error")
+  rescue Interrupt
+    io.pos if io
+  ensure
+    io.close if io
   end
   
   #
@@ -196,40 +169,51 @@ module Unified2
   # @return [nil]
   #
   def self.read(path, &block)
+    validate_path(path)
 
-    unless File.exists?(path)
-      raise FileNotFound, "Error - #{path} not found."
-    end
+    io = File.open(path)
+    
+    # Start with a null event.
+    # This will always be ignored.
+    @event = Event.new(0)
 
-    if File.readable?(path)
-      io = File.open(path)
+    until io.eof?
+      event = Unified2::Constructor::Construct.read(io)
+      check_event(event, block)
+    end
 
-      first_open = File.open(path)
-      first_event = Unified2::Constructor::Construct.read(first_open)
-      first_open.close
+  rescue Interrupt
+  ensure
+    io.close if io
+  end
 
-      @event = Event.new(first_event.data.event_id)
+  private
 
-      until io.eof?
-        event = Unified2::Constructor::Construct.read(io)
-        check_event(event, block)
-      end
+  def self.validate_path(path)
+    unless File.exists?(path)
+      raise FileNotFound, "Error - #{path} not found."
+    end
 
-    else
+    unless File.readable?(path)
       raise FileNotReadable, "Error - #{path} not readable."
-    end
+    end 
   end
 
-  private
+  def self.check_event(event, block)
 
-    def self.check_event(event, block)
+    if event.data.respond_to?(:event_id)
       if @event.id == event.data.event_id
         @event.load(event)
       else
-        block.call(@event)
+        block.call(@event) unless @event.id.zero?
+        @extra_data = false
         @event = Event.new(event.data.event_id)
         @event.load(event)
       end
+    else 
+      @event.load(event)
     end
 
+  end
+
 end

data/spec/event_spec.rb

@@ -4,15 +4,15 @@ require 'unified2'
 describe Event do
 
   before(:all) do
-    @event = Unified2.first('example/seeds/unified2.log')
+    @event = Unified2.first('example/seeds/unified2-current.log')
   end
 
   it "should have an event_id" do
-    @event.to_i.should == 1
+    @event.id.should == 1
   end
 
   it "should have an event time" do
-    @event.timestamp.to_s.should == '2010-10-05 22:50:18 -0400'
+    @event.timestamp.to_s.should == '2011-11-12 16:04:25 -0500'
   end
 
   it "should have a sensor id" do
@@ -32,35 +32,35 @@ describe Event do
   end
 
   it "should have a source address" do
-    @event.source_ip.should == "24.19.7.110"
+    @event.source_ip.should == "10.0.1.6"
   end
 
   it "should have a source port" do
-    @event.source_port.should == 0
+    @event.source_port.should == 52378
   end
 
   it "should have a destination address" do
-    @event.destination_ip.should == "10.0.1.6"
+    @event.destination_ip.should == "199.47.216.149"
   end
 
   it "should have a destination port" do
-    @event.destination_port.should == 0
+    @event.destination_port.should == 80
   end
   
   it "should have a protocol" do
-    @event.protocol.to_s.should == 'ICMP'
+    @event.protocol.to_s.should == 'TCP'
   end
   
   it "should have a severity" do
-    @event.severity.should == 3
+    @event.severity.should == 1
   end
 
   it "should have an event checksum" do
-    @event.checksum.should == "6e96db6e8fe649c939711400ea4625eb"
+    @event.checksum.should == "01af8a5245fce250989b00990406fa63"
   end
 
   it "should have a signature id" do
-    @event.signature.id.should == 485
+    @event.signature.id.should == 18608
   end
 
   it "should have a signature generator id" do
@@ -68,7 +68,7 @@ describe Event do
   end
 
   it "should have a signature revision" do
-    @event.signature.revision.should == 5
+    @event.signature.revision.should == 3
   end
 
   it "should have a signature thats not blank" do
@@ -76,37 +76,50 @@ describe Event do
   end
 
   it "should have a signature name" do
-    @event.signature.name.should == "DELETED ICMP Destination Unreachable" \
-      " Communication Administratively Prohibited"
+    @event.signature.name.should == "POLICY Dropbox desktop software in use"
   end
 
   it "should have a classification id" do
-    @event.classification.id.should == 29
+    @event.classification.id.should == 33
   end
 
   it "should have a classification short name" do
-    @event.classification.short.should == "misc-activity"
+    @event.classification.short.should == "policy-violation"
   end
 
   it "should have a classification severity" do
-    @event.classification.severity.should == 3
+    @event.classification.severity.should == 1
   end
 
   it "should have a classification name" do
-    @event.classification.name.should == "Misc activity"
+    @event.classification.name.should == "Potential Corporate Privacy Violation"
   end
-  
-  it "should have a payload thats not blank" do
-    @event.payload.blank?.should == false
+
+  it "should have zero packets associated with this event" do
+    @event.packets.count.should == 0
   end
-  
-  it "should have a hex payload" do
-    p = "000000004520008323bc000032113a080a0001061813076e90c84fac006fe498"
-    @event.payload.hex.should == p
+
+  it "event extras count should equal 2" do
+    @event.extras.count.should == 2
+  end
+
+  it "should have extra data thats not blank" do
+    @event.extras.first.blank?.should == false
   end
   
-  it "should have a payload length" do
-    @event.payload.length.should == 70
+  it "extra data should have the correct value" do
+    @event.extras.first.value.should == "/subscribe?host_int=26273724&ns_map=2895792_52721831662858160,15287777_4310255073,2027874_776915740822270306,2816020_68722292756,564088_4146784271384222584,555213_5414107641578813645&ts=1321131865"
+    @event.extras.last.value.should == "notify9.dropbox.com"
+  end
+
+  it "extra data should have a value length" do
+    @event.extras.first.length.should == 204
+  end
+
+  it "extra data should have a header" do
+    @event.extras.first.header[:event_type].should == 4
+    @event.extras.first.header[:event_length].should == 228
   end
 
 end
+

data/spec/legacy_event_spec.rb

@@ -0,0 +1,122 @@
+require 'spec_helper'
+require 'unified2'
+
+describe "LegacyEvent" do
+
+  before(:all) do
+    @event = Unified2.first('example/seeds/unified2-legacy.log')
+  end
+
+  it "should have an event_id" do
+    @event.to_i.should == 1
+  end
+
+  it "should have an event time" do
+    @event.timestamp.to_s.should == '2010-10-05 22:50:18 -0400'
+  end
+
+  it "should have a sensor id" do
+    @event.sensor.id.should == 50000000000
+  end
+  
+  it "should have a sensor name" do
+    @event.sensor.name.should == "Example Sensor"
+  end
+  
+  it "should have a sensor interface" do
+    @event.sensor.interface.should == "en1"
+  end
+  
+  it "should have a sensor hostname" do
+    @event.sensor.hostname.should == "W0ots.local"
+  end
+
+  it "should have a source address" do
+    @event.source_ip.should == "24.19.7.110"
+  end
+
+  it "should have a source port" do
+    @event.source_port.should == 3
+  end
+
+  it "should have a destination address" do
+    @event.destination_ip.should == "10.0.1.6"
+  end
+
+  it "should have a destination port" do
+    @event.destination_port.should == 13
+  end
+  
+  it "should have a protocol" do
+    @event.protocol.to_s.should == 'ICMP'
+  end
+  
+  it "should have a severity" do
+    @event.severity.should == 3
+  end
+
+  it "should have an event checksum" do
+    @event.checksum.should == "6e96db6e8fe649c939711400ea4625eb"
+  end
+
+  it "should have a signature id" do
+    @event.signature.id.should == 485
+  end
+
+  it "should have a signature generator id" do
+    @event.signature.generator.should == 1
+  end
+
+  it "should have a signature revision" do
+    @event.signature.revision.should == 5
+  end
+
+  it "should have a signature thats not blank" do
+    @event.signature.blank.should == false
+  end
+
+  it "should have a signature name" do
+    @event.signature.name.should == "DELETED ICMP Destination Unreachable" \
+      " Communication Administratively Prohibited"
+  end
+
+  it "should have a classification id" do
+    @event.classification.id.should == 29
+  end
+
+  it "should have a classification short name" do
+    @event.classification.short.should == "misc-activity"
+  end
+
+  it "should have a classification severity" do
+    @event.classification.severity.should == 3
+  end
+
+  it "should have a classification name" do
+    @event.classification.name.should == "Misc activity"
+  end
+
+  it "should have a one packet associated with this event" do
+    @event.packets.count.should == 1
+  end
+
+  it "should have a payload thats not blank" do
+    @event.packets.first.blank?.should == false
+  end
+  
+  it "should have a hex payload without the header" do
+    p = "000000004520008323bc000032113a080a0001061813076e90c84fac006fe498"
+    @event.packets.first.hex(false).should == p
+  end
+
+  it "should have a hex payload with the header" do
+    p = "0026bb1b75d30016cbc32b43080045000038c3e80000f001dc551813076e0a000106" +
+      "030d3776000000004520008323bc000032113a080a0001061813076e90c84fac006fe498"
+    @event.packets.first.hex(true).should == p
+  end
+  
+  it "should have a payload length" do
+    @event.packets.first.length.should == 70
+  end
+
+end

data/spec/spec_helper.rb

@@ -7,31 +7,20 @@ include Unified2
 module Unified2
   
   def self.first(path)
-    unless File.exists?(path)
-      raise FileNotFound, "Error - #{path} not found."
-    end
-
-    if File.readable?(path)
-      io = File.open(path)
+    validate_path(path)
 
-      first_open = File.open(path)
-      first_event = Unified2::Constructor::Construct.read(first_open)
-      first_open.close
+    io = File.open(path)
+    io.sysseek(0, IO::SEEK_SET)
 
-      @event = Event.new(first_event.data.event_id)
+    @event = Event.new(1)
 
-      loop do
-        event = Unified2::Constructor::Construct.read(io)
-
-        if event.data.event_id.to_i == @event.id.to_i
-          @event.load(event)
-        else
-          return @event
-        end
+    loop do
+      event = Unified2::Constructor::Construct.read(io)
+      if event.data.respond_to?(:event_id)
+        return @event if event.data.event_id != @event.id
       end
 
-    else
-      raise FileNotReadable, "Error - #{path} not readable."
+      @event.load(event)
     end
   end
   
@@ -46,4 +35,4 @@ Unified2.configuration do
   load :signatures, 'example/seeds/sid-msg.map'
   load :generators, 'example/seeds/gen-msg.map'
   load :classifications, 'example/seeds/classification.config'
-end
+end

data/spec/unified2_spec.rb

@@ -12,7 +12,7 @@ describe Unified2 do
   end
   
   it "should have the correct signature size" do
-    Unified2.signatures.size.should == 16710
+    Unified2.signatures.size.should == 19243
   end
   
   it "should have the correct signature name" do
@@ -48,7 +48,7 @@ describe Unified2 do
   end
   
   it "should have the correct generator size" do
-    Unified2.generators.size.should == 388
+    Unified2.generators.size.should == 461
   end
   
   it "should have the correct generator id" do
@@ -91,4 +91,4 @@ describe Unified2 do
     Unified2.sensor.name.should == "Mephux FTW!"
   end
   
-end
+end