unified2 0.1.2 → 0.2.0

data/README.rdoc

@@ -9,10 +9,9 @@ A ruby interface for unified2 output. rUnified2 allows you to manipulate unified
 
 == Features
 
- * Monitor unified2 logs and manipulate the data.
- * Modular adaptor support (monogdb, mysql, postgresql, sguil etc..)
- * Parse unified2 log files
- * Numerous connivence methods for statistical analysis
+ * Monitor/Read unified2 logs & manipulate the data.
+ * Numerous connivence methods
+ * Simple & Intuitive to Use
 
 == Examples
 
@@ -34,9 +33,8 @@ A ruby interface for unified2 output. rUnified2 allows you to manipulate unified
  Unified2.watch('/var/log/snort/merged.log', :last) do |event|
   next if event.signature.name.blank?
 	
-  puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
-  puts event.payload.dump(:width => 30)
-  puts event.classification.name
+	puts event
+	
  end
 
  # Unified2#read

data/example/connect.rb

@@ -0,0 +1,20 @@
+require 'rubygems'
+require 'datamapper'
+require 'dm-mysql-adapter'
+require 'models'
+
+class Connect
+  
+  def self.setup
+    @connection = DataMapper.setup(:default, { 
+      :adapter => "mysql",
+      :host => "localhost",
+      :database => "rUnified2",
+      :username => "rUnified2",
+      :password => "password"
+    })
+    DataMapper.finalize
+    DataMapper.auto_upgrade!
+  end
+  
+end

data/example/example.rb

@@ -1,43 +1,74 @@
 $:.unshift File.join(File.dirname(__FILE__), "..", "lib")
+$:.unshift File.join(File.dirname(__FILE__), "..", "example")
+
 require 'unified2'
+require 'connect'
 require 'pp'
 
+# Initialize Database Connection 
+Connect.setup
+
 # Unified2 Configuration
 Unified2.configuration do
-  # Sensor Configurations
-  sensor :id => 200, :name => 'Hello Sensor', :interface => 'en1'
   
+  # Sensor Configurations
+  sensor :interface => 'en1', :name => 'Example Sensor'
+
   # Load signatures, generators & classifications into memory
-  load :signatures, 'sid-msg.map'
-  load :generators, 'gen-msg.map'
-  load :classifications, 'classification.config'
+  load :signatures, 'seeds/sid-msg.map'
+  load :generators, 'seeds/gen-msg.map'
+  load :classifications, 'seeds/classification.config'
+  
 end
 
-# Unified2#watch will continuously monitor
-# the unified output for modifications and
-# process the data accordingly.
+# Locate the sensor in the database using
+# the hostname and interface. If this fails
+# rUnified2 will create a new sensor record.
+sensor = Sensor.find(Unified2.sensor)
+Unified2.sensor.id = sensor.id
 
-Unified2.watch('unified2', 1) do |event|
+# Load the classifications, generators &
+# signatures into the database and store the 
+# md5 in the sensor record. This will only
+# update if the md5s DO NOT match.
+[[Classification,:classifications], [Signature, :signatures], [Signature, :generators]].each do |klass, method|
+  unless sensor.send(:"#{method}_md5") == Unified2.send(method).send(:md5)
+    klass.send(:import,  { method => Unified2.send(method).send(:data), :force => true })
+    sensor.update(:"#{method}_md5" => Unified2.send(method).send(:md5))
+  end
+end
+
+# Monitor the unfied2 log and process the data.
+# The second argument is the last event processed by
+# the sensor. If the last_event_id column is blank in the
+# sensor table it will begin at the first available event.
+Unified2.watch('/var/log/snort/merged.log', sensor.last_event_id + 1 || :first) do |event|
   next if event.signature.blank?
 
-  puts event.signature.name
+  #puts event
 
-  # puts "#{event.sensor.name} #{event.timestamp} || #{event.source_port} #{event.destination_port} | #{event.protocol}"
-  
-  # #{event.source_port} #{event.destination_port}
-  # puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
-  # {event.generator_id} || #{event.signature.id}
-end
+  insert_event = Event.new({
+                       :event_id => event.id,
+                       :uid => event.uid,
+                       :created_at => event.timestamp,
+                       :sensor_id => event.sensor.id,
+                       :source_ip => event.source_ip,
+                       :source_port => event.source_port,
+                       :destination_ip => event.destination_ip,
+                       :destination_port => event.destination_port,
+                       :severity_id => event.severity,
+                       :protocol => event.protocol,
+                       :link_type => event.payload.linktype,
+                       :packet_length => event.payload.length,
+                       :packet => event.payload.hex,
+                       :classification_id => event.classification.id,
+                       :signature_id => event.signature.id
+  })
+
+  if insert_event.save
+    insert_event.update_sensor
+  else
+    STDERR.puts "VALIDATION ERROR OR RECORD ALREADY EXISTS #{insert_event.errors}"
+  end
 
-# Unified2#read will parse the supplied
-# unified2 output and return records untill EOF.
-
-# @signatures = []
-# Unified2.watch('unified2', 101) do |event|
-#   next if event.signature.name.blank?
-#   next if @signatures.include?(event.signature.id)
-#   
-#   @signatures.push event.signature.id
-#   
-#   puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
-# end
+end

data/example/models.rb

@@ -0,0 +1,196 @@
+class Event
+  include DataMapper::Resource
+  storage_names[:default] = "events"
+  
+  timestamps :created_at, :updated_at
+
+  property :id, Serial, :index => true
+  
+  property :uid, String, :index => true
+  
+  property :event_id, Integer, :index => true
+  
+  property :sensor_id, Integer, :index => true
+  
+  property :source_ip, String, :index => true
+  
+  property :source_port, Integer
+  
+  property :destination_ip, String, :index => true
+  
+  property :destination_port, Integer
+  
+  property :severity_id, Integer, :index => true
+  
+  property :classification_id, Integer, :index => true
+  
+  property :category_id, Integer, :index => true
+  
+  property :user_id, Integer, :index => true
+  
+  property :protocol, String, :index => true
+
+  property :link_type, Integer
+  
+  property :packet_length, Integer
+  
+  property :packet, Text
+  
+  belongs_to :sensor
+  
+  belongs_to :classification
+  
+  belongs_to :signature
+  
+  validates_uniqueness_of :uid
+  
+  def update_sensor
+    sensor.update(:last_event_id => self.event_id)
+    sensor.save
+  end
+  
+end
+
+class Sensor
+  include DataMapper::Resource
+  timestamps :created_at, :updated_at
+  
+  property :id, Serial, :index => true
+  
+  property :hostname, Text, :index => true
+  
+  property :interface, String
+  
+  property :name, String, :index => true
+  
+  property :last_event_id, Integer, :index => true
+  
+  property :signatures_md5, String, :length => 32, :index => true
+  
+  property :generators_md5, String, :length => 32, :index => true
+  
+  property :classifications_md5, String, :length => 32, :index => true
+  
+  has n, :events
+  
+  validates_uniqueness_of :hostname, :name
+  
+  def events_count
+    last_event_id
+  end
+  
+  def self.find(object)
+    name = object.name ? object.name : object.hostname
+    
+    sensor = first_or_create({:hostname => object.hostname, :interface => object.interface}, {
+      :hostname => object.hostname, 
+      :interface => object.interface,
+      :name => name,
+    })    
+    
+    sensor
+  end
+  
+end
+
+class Signature
+  include DataMapper::Resource
+  storage_names[:default] = "signatures"
+  
+  timestamps :created_at, :updated_at
+  
+  property :id, Serial, :index => true
+  
+  property :signature_id, Integer, :index => true
+  
+  property :generator_id, Integer, :index => true
+  
+  property :name, Text
+  
+  has n, :events
+  
+  validates_uniqueness_of :name
+  
+  def self.import(options={})
+    
+    if options.has_key?(:signatures)
+      
+      options[:signatures].each do |key, value|
+        signature = Signature.get(:signature_id => key)
+        next if signature && options[:force]
+        
+        if signature
+          signature.update(value)
+        else
+          value.merge!(:signature_id => key, :generator_id => 1)
+          Signature.create(value)
+        end
+        
+      end
+      
+    end
+    
+    if options.has_key?(:generators)
+      
+      options[:generators].each do |key, value|
+        genid, sid = key.split('.')
+        signature = Signature.get(:signature_id => sid, :generator_id => genid)
+        next if signature && options[:force]
+        
+        if signature
+          signature.update(value)
+        else
+          value.merge!(:signature_id => sid, :generator_id => genid)
+          Signature.create(value)
+        end
+        
+      end
+      
+    end
+    
+  end
+end
+
+class Classification
+  include DataMapper::Resource
+  
+  storage_names[:default] = "classifications"
+  
+  timestamps :created_at, :updated_at
+  
+  property :id, Serial, :index => true
+  
+  property :classification_id, Integer, :index => true
+  
+  property :name, Text
+  
+  property :short, String
+  
+  property :severity_id, Integer, :index => true
+
+  has n, :events
+
+  # belongs_to :severity
+
+  validates_uniqueness_of :name, :classification_id
+
+  def self.import(options={})
+    
+    if options.has_key?(:classifications)
+      
+      options[:classifications].each do |key,value|
+        classification = Classification.get(:classification_id => key)
+        next if classification && options[:force]
+        
+        if classification
+          classification.update(value)
+        else
+          value.merge!(:classification_id => key)
+          Classification.create(value)
+        end
+      end
+      
+    end
+  end
+  
+end

data/example/search.rb

@@ -0,0 +1,14 @@
+$:.unshift File.join(File.dirname(__FILE__), "..", "lib")
+$:.unshift File.join(File.dirname(__FILE__), "..", "example")
+
+require 'unified2'
+require 'connect'
+require 'pp'
+
+Connect.setup
+
+@sensor = Sensor.first
+
+@sensor.events.each do |event|
+  puts event.signature.name
+end