unified2 0.6.0 → 0.6.1

data/ChangeLog.md

@@ -1,3 +1,8 @@
+=== 0.6.1 / 2011/11/20
+
+* Add to_h method for core classes
+* Add to_pacp/to_file method for packet class
+
 === 0.6.0 / 2011-11-13
 
 * update deps

data/example/example.rb

@@ -17,7 +17,10 @@ Unified2.configuration do
 
 end
 
-Unified2.watch('seeds/unified2-current.log', :first) do |event|
+#path = 'seeds/unified2-current.log'
+path = '/var/log/snort/merged.log'
+
+Unified2.watch(path, :last) do |event|
 
   puts event
 

data/example/example2.rb

@@ -23,6 +23,8 @@ end
 Unified2.watch('seeds/unified2-current.log', :first) do |event|
   
   puts event.id
+  
+  puts event.position
 
   puts event.severity
 

data/lib/unified2.rb

@@ -134,12 +134,13 @@ module Unified2
 
     # Start with a null event.
     # This will always be ignored.
-    @event = Event.new(0)
+    @event = Event.new(0, 0)
 
     loop do
       begin
+        position = io.pos
         event = Unified2::Constructor::Construct.read(io)
-        check_event(event, block)
+        check_event(event, position, block)
       rescue EOFError
         sleep 5
         retry
@@ -175,11 +176,12 @@ module Unified2
     
     # Start with a null event.
     # This will always be ignored.
-    @event = Event.new(0)
+    @event = Event.new(0, 0)
 
     until io.eof?
+      position = io.pos
       event = Unified2::Constructor::Construct.read(io)
-      check_event(event, block)
+      check_event(event, position, block)
     end
 
   rescue Interrupt
@@ -199,15 +201,15 @@ module Unified2
     end 
   end
 
-  def self.check_event(event, block)
-
+  def self.check_event(event, position=0, block)
+    
     if event.data.respond_to?(:event_id)
       if @event.id == event.data.event_id
         @event.load(event)
       else
+        @event.next_position = position
         block.call(@event) unless @event.id.zero?
-        @extra_data = false
-        @event = Event.new(event.data.event_id)
+        @event = Event.new(event.data.event_id, position.to_i)
         @event.load(event)
       end
     else 

data/lib/unified2/event.rb

@@ -41,19 +41,30 @@ module Unified2
     #
     # Setup method defaults
     #
-    attr_accessor :id, :event, :packets, :extras
+    attr_accessor :id, :event, :packets, :extras, :position,
+      :next_position
 
     #
     # Initialize event
     #
     # @param [Integer] id Event id
     #
-    def initialize(id)
+    def initialize(id, position)
       @id = id.to_i
+      @position = position
       @packets = []
       @extras = []
     end
 
+    #
+    # Event length
+    #
+    # @return [Integer] Event length
+    #
+    def length
+      @event_data[:header][:length].to_i
+    end
+
     #
     # Packet Time
     #
@@ -310,25 +321,29 @@ module Unified2
     # @return [Hash] Event hash object
     # 
     def to_h
-      @to_hash = {}
-      
-      @event_data[:extras] = @extras
-      @event_data[:packets] = @packets
-
-      #unless payload.blank?
-        #hexdump = ''
-        #payload.dump(:width => 30, :output => hexdump)
-        #@packet_data[:packet] = hexdump
-      #end
-
-      #.encode('utf-8', 'iso-8859-1')
-      
-      #[@event_data, @packet_data].each do |hash|
-        #@to_hash.merge!(hash) if hash.is_a?(Hash)
-      #end
-      
-      #@to_hash
-      @event_data
+      @event_data[:position] = position
+      @event_data[:next_position] = next_position.to_i
+
+      @event_data[:protocol] = protocol
+      @event_data[:timestamp] = timestamp.to_s
+      @event_data[:checksum] = checksum
+      @event_data[:sensor] = sensor.to_h
+
+      @to_hash = {
+        :event => @event_data,
+        :packets => [],
+        :extras => []
+      }
+
+      extras.each do |extra|
+        @to_hash[:extras].push(extra.to_h)
+      end
+
+      packets.each do |packet|
+        @to_hash[:packets].push(packet.to_h)
+      end
+
+      @to_hash
     end
 
     #
@@ -417,6 +432,10 @@ module Unified2
         event_hash = {}
 
         event_hash = {
+          :header => {
+            :type => @event.header.u2type,
+            :length => @event.header.u2length
+          },
           :destination_ip => @event.data.ip_destination,
           :priority_id => @event.data.priority_id,
           :signature_revision => @event.data.signature_revision,

data/lib/unified2/extra.rb

@@ -123,6 +123,22 @@ module Unified2
       @type.first
     end
 
+    def to_h
+     to_h = {
+      :value => value,
+      :header => {
+        :type => header[:event_type],
+        :length => header[:event_length],
+      },
+      :length => length,
+      :name => name,
+      :description => description,
+      :timestamp => timestamp.to_s,
+      :type_id => type_id,
+      :data_type => data_type
+     }
+    end
+
   end
 end
 

data/lib/unified2/packet.rb

@@ -6,7 +6,6 @@ require 'unified2/protocol'
 #
 module Unified2
 
-
   #
   # Packet
   # 
@@ -17,7 +16,7 @@ module Unified2
     #
     attr_reader :link_type, :event_id,
       :microsecond, :timestamp, :length,
-      :raw, :event_timestamp
+      :raw, :event_timestamp, :packet
 
     #
     # Initialize packet Object
@@ -45,7 +44,7 @@ module Unified2
     #
     def ip_header
       if @packet.is_ip?
-        @ip_header = {
+        ip_header = {
           :ip_ver => @packet.ip_header.ip_v,
           :ip_hlen => @packet.ip_header.ip_hl,
           :ip_tos => @packet.ip_header.ip_tos,
@@ -57,10 +56,48 @@ module Unified2
           :ip_csum => @packet.ip_header.ip_sum
         }
       else
-        @ip_header = {}
+        ip_header = {}
       end
 
-      @ip_header
+      ip_header
+    end
+
+    #
+    # Valid
+    #
+    # @return [true,false] Is this a valid packet
+    #
+    def valid?
+      !@packet.is_invalid?
+    end
+
+    #
+    # Ehternet
+    #
+    # @return [true,false] Ethernet packet
+    #
+    def eth?
+      @packet.is_eth?
+    end
+    alias ethernet? eth?
+
+    #
+    # IP Version 4
+    #
+    # @return [true,false]
+    #
+    def ipv4?
+      @packet.is_ip?
+    end
+    alias ip? ipv4?
+
+    #
+    # IP Version 6
+    #
+    # @return [true,false]
+    #
+    def ipv6?
+      @packet.is_ipv6?
     end
 
     #
@@ -81,6 +118,20 @@ module Unified2
       payload.to_s
     end
 
+    #
+    # Convert to libpcap format
+    #
+    def to_pcap
+      @packet.to_pcap
+    end
+
+    #
+    # Output to file
+    #
+    def to_file(filename, mode)
+      @packet.to_f(filename, mode)
+    end
+
     #
     # Payload
     #
@@ -109,6 +160,22 @@ module Unified2
       @packet
     end
 
+    def to_h
+      @to_hash = {
+        :event_timestamp => event_timestamp.to_s,
+        :timestamp => timestamp.to_s,
+        :length => length,
+        :microsecond => microsecond,
+        :hex => hex,
+        :hexdump => hexdump,
+        :checksum => checksum,
+        :payload => payload,
+        :link_type => link_type,
+        :protocol => protocol.to_h,
+        :ip_header => ip_header
+      }
+    end
+
     #
     # Hex
     #

data/lib/unified2/protocol.rb

@@ -67,11 +67,15 @@ module Unified2
     #   event.protocol.to_h #=> {:length=>379, :seq=>3934511163, :ack=>1584708129 ... }
     # 
     def to_h
+      hash = {
+        :type => @protocol.to_s
+      }
+
       if send(:"#{@protocol.downcase}?")
-        self.send(:"#{@protocol.downcase}")
-      else
-        {}
+        hash.merge!(self.send(:"#{@protocol.downcase}"))
       end
+
+      hash
     end
     alias header to_h
 

data/lib/unified2/sensor.rb

@@ -35,6 +35,16 @@ module Unified2
       @name
     end
 
+    def to_h
+      to_hash = {
+        :name => name,
+        :hostname => hostname,
+        :checksum => checksum,
+        :id => id,
+        :interface => interface
+      }
+    end
+
     #
     # Update
     # 

data/lib/unified2/version.rb

@@ -3,5 +3,5 @@
 #
 module Unified2
   # Unified2 version
-  VERSION = "0.6.0"
+  VERSION = "0.6.1"
 end

data/spec/spec_helper.rb

@@ -12,7 +12,7 @@ module Unified2
     io = File.open(path)
     io.sysseek(0, IO::SEEK_SET)
 
-    @event = Event.new(1)
+    @event = Event.new(1, 0)
 
     loop do
       event = Unified2::Constructor::Construct.read(io)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: unified2
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.6.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-11-13 00:00:00.000000000 Z
+date: 2011-11-21 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bindata
-  requirement: &70345281255100 !ruby/object:Gem::Requirement
+  requirement: &2151769080 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -21,10 +21,10 @@ dependencies:
         version: '1.4'
   type: :runtime
   prerelease: false
-  version_requirements: *70345281255100
+  version_requirements: *2151769080
 - !ruby/object:Gem::Dependency
   name: packetfu
-  requirement: &70345281252460 !ruby/object:Gem::Requirement
+  requirement: &2151759620 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -32,10 +32,10 @@ dependencies:
         version: '1.1'
   type: :runtime
   prerelease: false
-  version_requirements: *70345281252460
+  version_requirements: *2151759620
 - !ruby/object:Gem::Dependency
   name: hexdump
-  requirement: &70345281251340 !ruby/object:Gem::Requirement
+  requirement: &2151743760 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -43,10 +43,10 @@ dependencies:
         version: '0.2'
   type: :runtime
   prerelease: false
-  version_requirements: *70345281251340
+  version_requirements: *2151743760
 - !ruby/object:Gem::Dependency
   name: ore-tasks
-  requirement: &70345281250320 !ruby/object:Gem::Requirement
+  requirement: &2151739240 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -54,10 +54,10 @@ dependencies:
         version: '0.5'
   type: :development
   prerelease: false
-  version_requirements: *70345281250320
+  version_requirements: *2151739240
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: &70345281388740 !ruby/object:Gem::Requirement
+  requirement: &2152201460 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -65,10 +65,10 @@ dependencies:
         version: '2.4'
   type: :development
   prerelease: false
-  version_requirements: *70345281388740
+  version_requirements: *2152201460
 - !ruby/object:Gem::Dependency
   name: yard
-  requirement: &70345281387940 !ruby/object:Gem::Requirement
+  requirement: &2164417300 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -76,10 +76,10 @@ dependencies:
         version: '0.7'
   type: :development
   prerelease: false
-  version_requirements: *70345281387940
+  version_requirements: *2164417300
 - !ruby/object:Gem::Dependency
   name: rdiscount
-  requirement: &70345281386700 !ruby/object:Gem::Requirement
+  requirement: &2168702220 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -87,7 +87,7 @@ dependencies:
         version: '1.6'
   type: :development
   prerelease: false
-  version_requirements: *70345281386700
+  version_requirements: *2168702220
 description: A ruby interface for unified2 output. rUnified2 allows you to manipulate
   unified2 output for custom storage and/or analysis.
 email:
@@ -110,6 +110,7 @@ files:
 - bin/ru2
 - example/example.rb
 - example/example2.rb
+- example/output.pcap
 - example/seeds/classification.config
 - example/seeds/gen-msg.map
 - example/seeds/sid-msg.map
@@ -171,7 +172,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: unified2
-rubygems_version: 1.8.10
+rubygems_version: 1.8.9
 signing_key: 
 specification_version: 3
 summary: A ruby interface for unified2 output.