unified2 0.2.1 → 0.3.0
- data/ChangeLog.rdoc +6 -1
- data/README.rdoc +4 -3
- data/example/basic-example.rb +27 -0
- data/example/{example.rb → mysql-example.rb} +2 -2
- data/example/untitled.rb +31 -0
- data/gemspec.yml +1 -0
- data/lib/unified2/event.rb +8 -2
- data/lib/unified2/version.rb +1 -1
- metadata +26 -13
data/ChangeLog.rdoc
CHANGED
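--- a/data/README.rdoc
+++ b/data/README.rdoc
@@ -18,6 +18,7 @@ A ruby interface for unified2 output. rUnified2 allows you to manipulate unified
 require 'unified2'
 
 # load rules into memory
+
 Unified2.configuration do
 # Sensor Configurations
 sensor :id => 1, :name => 'Test Sensor', :interface => 'en1'
@@ -30,15 +31,15 @@ A ruby interface for unified2 output. rUnified2 allows you to manipulate unified
 
 # Unified2#watch
 # Watch a unified2 file for changes and process the results.
+
 Unified2.watch('/var/log/snort/merged.log', :last) do |event|
 next if event.signature.name.blank?
-
-puts event
-
+puts event
 end
 
 # Unified2#read
 # Parse a unified2 file and process the results.
+
 Unified2.read('/var/log/snort/merged.log') do |event|
 puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
 end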
@@ -0,0 +1,27 @@
|
|
1
|
+
$:.unshift File.join(File.dirname(__FILE__), "..", "lib")
|
2
|
+
require 'unified2'
|
3
|
+
require 'pp'
|
4
|
+
|
5
|
+
# Unified2 Configuration
|
6
|
+
Unified2.configuration do
|
7
|
+
|
8
|
+
# Sensor Configurations
|
9
|
+
sensor :interface => 'en1', :name => 'Example Sensor'
|
10
|
+
|
11
|
+
# Load signatures, generators & classifications into memory
|
12
|
+
load :signatures, 'seeds/sid-msg.map'
|
13
|
+
load :generators, 'seeds/gen-msg.map'
|
14
|
+
load :classifications, 'seeds/classification.config'
|
15
|
+
|
16
|
+
end
|
17
|
+
|
18
|
+
# Monitor the unfied2 log and process the data.
|
19
|
+
# The second argument is the last event processed by
|
20
|
+
# the sensor. If the last_event_id column is blank in the
|
21
|
+
# sensor table it will begin at the first available event.
|
22
|
+
Unified2.watch('/var/log/snort/merged.log', :first) do |event|
|
23
|
+
next if event.signature.blank?
|
24
|
+
|
25
|
+
puts event.checksum # => 66302273aa2f181d0310aa789027bac3ce1efb4f
|
26
|
+
|
27
|
+
end
|
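Review bot: The comment on lines 19–21 of the new basic-example.rb describes a `last_event_id` column in a sensor table, but this example has no database and passes the literal `:first`, so the comment documents the MySQL example rather than this one; I would replace those three lines with `# Process the log from its first event; pass :last (see README) to start at the newest one.` Line 18 also has a typo, `unfied2` → `unified2`, and `require 'pp'` on line 3 is not used by anything visible in the hunk. `event.signature.blank?` on line 23 is not core Ruby: unless Unified2 defines `blank?` itself, the example needs ActiveSupport, which the dependency list in the metadata hunk (gibbler, bindata, hexdump) does not declare, so a reader running it outside Rails would hit NoMethodError — worth confirming. This section's file header is not shown on the page; the diffstat identifies it as data/example/basic-example.rb.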
@@ -15,7 +15,7 @@ Unified2.configuration do
|
|
15
15
|
sensor :interface => 'en1', :name => 'Example Sensor'
|
16
16
|
|
17
17
|
# Load signatures, generators & classifications into memory
|
18
|
-
load :signatures, 'seeds/
|
18
|
+
load :signatures, 'seeds/sid-msg.map'
|
19
19
|
load :generators, 'seeds/gen-msg.map'
|
20
20
|
load :classifications, 'seeds/classification.config'
|
21
21
|
|
@@ -45,7 +45,7 @@ end
|
|
45
45
|
Unified2.watch('/var/log/snort/merged.log', sensor.last_event_id + 1 || :first) do |event|
|
46
46
|
next if event.signature.blank?
|
47
47
|
|
48
|
-
|
48
|
+
puts event
|
49
49
|
|
50
50
|
insert_event = Event.new({
|
51
51
|
:event_id => event.id,
|
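Review bot: The `Unified2.watch('/var/log/snort/merged.log', sensor.last_event_id + 1 || :first)` line that the added `puts event` sits inside can never reach its `:first` fallback: `+` binds tighter than `||`, so when `last_event_id` is nil the call raises NoMethodError on `nil + 1` before `||` is evaluated. A working form is `sensor.last_event_id ? sensor.last_event_id + 1 : :first`. This is a context line rather than part of the change, but this hunk is the only place the example is touched in the release; the watch block's end and the definition of `sensor` both lie outside the hunk, and the section's file header is not shown on the page (the diffstat lists it as the example.rb → mysql-example.rb rename).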
data/example/untitled.rb
ADDED
@@ -0,0 +1,31 @@
|
|
1
|
+
#!/usr/bin/env ruby
|
2
|
+
#
|
3
|
+
# http://192.168.1.254/xslt?PAGE=A06&THISPAGE=&NEXTPAGE=A06
|
4
|
+
|
5
|
+
@file = File.open('/Users/mephux/Source/passwords/wpa.txt')
|
6
|
+
|
7
|
+
require 'rubygems'
|
8
|
+
require 'mechanize'
|
9
|
+
|
10
|
+
a = Mechanize.new
|
11
|
+
|
12
|
+
a.get('http://192.168.1.254/xslt?PAGE=A06&THISPAGE=&NEXTPAGE=A06') do |page|
|
13
|
+
|
14
|
+
@file.each_line do |password|
|
15
|
+
next unless password[/^e/]
|
16
|
+
|
17
|
+
puts password
|
18
|
+
login_form = page.form_with(:action => '/xslt', :method => 'POST')
|
19
|
+
login_form['PASSWORD'] = password
|
20
|
+
page = a.submit login_form
|
21
|
+
|
22
|
+
if page.body =~ /The password is incorrect./
|
23
|
+
puts 'FAIL'
|
24
|
+
else
|
25
|
+
puts 'W0ots'
|
26
|
+
puts password
|
27
|
+
exit -1
|
28
|
+
end
|
29
|
+
end
|
30
|
+
|
31
|
+
end
|
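Review bot: `example/untitled.rb` is unrelated to unified2 and should not be in this release: it opens a wordlist from the author's home directory (`/Users/mephux/Source/passwords/wpa.txt`), drives a login form on a hard-coded LAN address, and never closes `@file`, so it reads as an accidentally committed personal script rather than an example of the gem. Because the metadata hunk further down adds `- example/untitled.rb` to `files:`, it ships to every installer of 0.3.0; I would delete the file and drop that entry before publishing, and record the removal in the ChangeLog. Shipping it also exposes the author's local paths and makes the gem look like a credential-guessing tool to anyone auditing their dependency tree.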
data/gemspec.yml
CHANGED
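--- a/data/lib/unified2/event.rb
+++ b/data/lib/unified2/event.rb
@@ -1,3 +1,4 @@
+require 'gibbler'
 require 'ipaddr'
 require 'json'
 require 'unified2/classification'
@@ -6,9 +7,10 @@ require 'unified2/sensor'
 require 'unified2/signature'
 
 module Unified2
-
+
 class Event
-
+include Gibbler::Complex
+
 attr_accessor :id, :metadata, :packet
 
 def initialize(id)
@@ -22,6 +24,10 @@ module Unified2
 end
 end
 
+def checksum
+gibbler
+end
+
 def uid
 "#{sensor.id}.#{@id}"
 end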
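Review bot: `checksum` is undocumented, and its contract matters to callers who will use it to deduplicate events: it returns `gibbler`, the Gibbler digest of the object's state, which presumably covers whatever instance variables are set (`@id`, `@metadata`, `@packet`) and, judging by the 40-hex sample value in basic-example.rb, is a SHA-1 — confirm against Gibbler 0.8.9. Because `metadata` and `packet` are `attr_accessor`s, the value changes if a caller mutates them after reading it, and an unkeyed digest is an identity/dedup key rather than tamper evidence; I would add `# Digest of this event's current state (via Gibbler); stable only while the event is not mutated — use for deduplication, not integrity.` above `def checksum`. The method also does not appear to memoise, so each call re-serialises the event; whether that costs anything depends on the size of `metadata` and `packet`, which is not visible here. Event's body continues outside the hunks (`initialize` and the `sensor` used by `uid` are defined elsewhere).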
data/lib/unified2/version.rb
CHANGED
metadata
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
name: unified2
|
3
3
|
version: !ruby/object:Gem::Version
|
4
4
|
prerelease:
|
5
|
-
version: 0.
|
5
|
+
version: 0.3.0
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
8
8
|
- Dustin Willis Webber
|
@@ -10,64 +10,75 @@ autorequire:
|
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
12
|
|
13
|
-
date: 2011-03-
|
13
|
+
date: 2011-03-14 00:00:00 -04:00
|
14
14
|
default_executable:
|
15
15
|
dependencies:
|
16
16
|
- !ruby/object:Gem::Dependency
|
17
|
-
name:
|
17
|
+
name: gibbler
|
18
18
|
prerelease: false
|
19
19
|
requirement: &id001 !ruby/object:Gem::Requirement
|
20
20
|
none: false
|
21
21
|
requirements:
|
22
22
|
- - ~>
|
23
23
|
- !ruby/object:Gem::Version
|
24
|
-
version:
|
24
|
+
version: 0.8.9
|
25
25
|
type: :runtime
|
26
26
|
version_requirements: *id001
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
|
-
name:
|
28
|
+
name: bindata
|
29
29
|
prerelease: false
|
30
30
|
requirement: &id002 !ruby/object:Gem::Requirement
|
31
31
|
none: false
|
32
32
|
requirements:
|
33
33
|
- - ~>
|
34
34
|
- !ruby/object:Gem::Version
|
35
|
-
version:
|
35
|
+
version: 1.3.1
|
36
36
|
type: :runtime
|
37
37
|
version_requirements: *id002
|
38
38
|
- !ruby/object:Gem::Dependency
|
39
|
-
name:
|
39
|
+
name: hexdump
|
40
40
|
prerelease: false
|
41
41
|
requirement: &id003 !ruby/object:Gem::Requirement
|
42
|
+
none: false
|
43
|
+
requirements:
|
44
|
+
- - ~>
|
45
|
+
- !ruby/object:Gem::Version
|
46
|
+
version: 0.1.0
|
47
|
+
type: :runtime
|
48
|
+
version_requirements: *id003
|
49
|
+
- !ruby/object:Gem::Dependency
|
50
|
+
name: ore-tasks
|
51
|
+
prerelease: false
|
52
|
+
requirement: &id004 !ruby/object:Gem::Requirement
|
42
53
|
none: false
|
43
54
|
requirements:
|
44
55
|
- - ~>
|
45
56
|
- !ruby/object:Gem::Version
|
46
57
|
version: "0.4"
|
47
58
|
type: :development
|
48
|
-
version_requirements: *
|
59
|
+
version_requirements: *id004
|
49
60
|
- !ruby/object:Gem::Dependency
|
50
61
|
name: rspec
|
51
62
|
prerelease: false
|
52
|
-
requirement: &
|
63
|
+
requirement: &id005 !ruby/object:Gem::Requirement
|
53
64
|
none: false
|
54
65
|
requirements:
|
55
66
|
- - ~>
|
56
67
|
- !ruby/object:Gem::Version
|
57
68
|
version: "2.4"
|
58
69
|
type: :development
|
59
|
-
version_requirements: *
|
70
|
+
version_requirements: *id005
|
60
71
|
- !ruby/object:Gem::Dependency
|
61
72
|
name: yard
|
62
73
|
prerelease: false
|
63
|
-
requirement: &
|
74
|
+
requirement: &id006 !ruby/object:Gem::Requirement
|
64
75
|
none: false
|
65
76
|
requirements:
|
66
77
|
- - ~>
|
67
78
|
- !ruby/object:Gem::Version
|
68
79
|
version: 0.6.0
|
69
80
|
type: :development
|
70
|
-
version_requirements: *
|
81
|
+
version_requirements: *id006
|
71
82
|
description: A ruby interface for unified2 output. rUnified2 allows you to manipulate unified2 output for custom storage and/or analysis.
|
72
83
|
email:
|
73
84
|
- dustin.webber@gmail.com
|
@@ -87,14 +98,16 @@ files:
|
|
87
98
|
- LICENSE.txt
|
88
99
|
- README.rdoc
|
89
100
|
- Rakefile
|
101
|
+
- example/basic-example.rb
|
90
102
|
- example/connect.rb
|
91
|
-
- example/example.rb
|
92
103
|
- example/models.rb
|
104
|
+
- example/mysql-example.rb
|
93
105
|
- example/search.rb
|
94
106
|
- example/seeds/classification.config
|
95
107
|
- example/seeds/gen-msg.map
|
96
108
|
- example/seeds/sid-msg.map
|
97
109
|
- example/seeds/unified2
|
110
|
+
- example/untitled.rb
|
98
111
|
- gemspec.yml
|
99
112
|
- lib/unified2.rb
|
100
113
|
- lib/unified2/classification.rb
|