unified2 0.4.0 → 0.5.0

data/ChangeLog.rdoc

@@ -1,3 +1,9 @@
+=== 0.5.0 / 2011-03-18
+
+* major refactoring
+* Added eth, ip, udp, icmp, and TCP header support
+* Added basic specs and fully documented the source
+
 === 0.4.0 / 2011-03-14
 
 * added checksum support for sensor

data/LICENSE.txt

@@ -1,4 +1,4 @@
-Copyright (c) 2011 mephux
+Copyright (c) 2011 Dustin Willis Webber
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -0,0 +1,72 @@
+# unified2
+
+* [Homepage](http://github.com/mephux/unified2)
+* [Issues](http://github.com/mephux/unified2/issues)
+* [Documentation](http://rubydoc.info/gems/unified2/frames)
+* [Email](mailto:dustin.webber at gmail.com)
+
+## Description
+
+A ruby interface for unified2 output. rUnified2 allows you to manipulate unified2 output for custom storage and/or analysis.
+
+## Features
+
+ * Monitor/Read unified2 logs & manipulate the data.
+ * Numerous connivence methods
+ * Simple & Intuitive to Use
+
+## Examples
+
+	require 'unified2'
+
+	#
+	# Load rules into memory
+	#
+
+	Unified2.configuration do
+	 # Sensor Configurations
+	 sensor :id => 1, :name => 'Test Sensor', :interface => 'en1'
+
+	 # Load signatures, generators & classifications into memory
+	 load :signatures, 'sid-msg.map'
+	 load :generators, 'gen-msg.map'
+	 load :classifications, 'classification.config'
+	end
+
+	#
+	# Unified2#watch
+	#
+	# Watch a unified2 file for changes and process the results.
+	# 
+
+	Unified2.watch('/var/log/snort/merged.log', :last) do |event|
+	 next if event.signature.name.blank?
+	 puts event	
+	end
+
+	# Unified2#read
+	# Parse a unified2 file and process the results.
+
+	Unified2.read('/var/log/snort/merged.log') do |event|
+	
+	 puts event.protocol #=> "TCP"
+	
+	 puts event.protocol.to_h #=> {:length=>379, :seq=>3934511163, :ack=>1584708129 ... }
+	
+	end
+
+## Requirements
+
+ * bindata ~> 1.3.1
+ * hexdump: ~> 0.1.0
+ * packetfu: ~> 1.0.0
+
+## Install
+
+	`$ gem install unified2`
+
+== Copyright
+
+Copyright (c) 2011 Dustin Willis Webber
+
+See LICENSE.txt for details.

data/example/{basic-example.rb → example.rb}

@@ -1,6 +1,5 @@
 $:.unshift File.join(File.dirname(__FILE__), "..", "lib")
 require 'unified2'
-require 'pp'
 
 # Unified2 Configuration
 Unified2.configuration do
@@ -10,7 +9,9 @@ Unified2.configuration do
 
   # Load signatures, generators & classifications into memory
   load :signatures, 'seeds/sid-msg.map'
+  
   load :generators, 'seeds/gen-msg.map'
+  
   load :classifications, 'seeds/classification.config'
   
 end
@@ -19,7 +20,7 @@ end
 # The second argument is the last event processed by
 # the sensor. If the last_event_id column is blank in the
 # sensor table it will begin at the first available event.
-Unified2.watch('seeds/unified2', :first) do |event|
+Unified2.watch('seeds/unified2.log', :first) do |event|
   next if event.signature.blank?
 
   puts event

data/gemspec.yml

@@ -9,6 +9,8 @@ homepage: https://github.com/mephux/unified2
 dependencies:
   bindata: ~> 1.3.1
   hexdump: ~> 0.1.0
+  packetfu: ~> 1.0.0
+  pcaprub: ~> 0.9.2
   
 development_dependencies:
   ore-tasks: ~> 0.4

data/lib/unified2/classification.rb

@@ -1,8 +1,21 @@
 module Unified2
+  #
+  # Classification
+  # 
   class Classification
 
     attr_accessor :id, :name, :short, :severity
-
+    
+    #
+    # Initialize classification
+    # 
+    # @param [Hash] classification Classification attributes
+    # 
+    # @option classification [Integer] :classification_id Classification id
+    # @option classification [String] :name Classification name
+    # @option classification [String] :short Classification short name
+    # @option classification [String] :severity Classification severity id
+    # 
     def initialize(classification={})
       @id = classification[:classification_id]
       @name = classification[:name]
@@ -10,5 +23,6 @@ module Unified2
       @severity = classification[:severity]
     end
 
-  end
-end
+  end # class Classification
+
+end # module Unified2

data/lib/unified2/config_file.rb

@@ -1,8 +1,17 @@
 module Unified2
+  #
+  # Configuration file
+  #
   class ConfigFile
 
     attr_accessor :type, :path, :md5, :data
 
+    #
+    # Initialize configuration file
+    # 
+    # @param [String, Symbol] type Configuration file type
+    # @param [String] path Configuration file path
+    # 
     def initialize(type, path)
       @type = type
       @path = path
@@ -10,9 +19,24 @@ module Unified2
       @md5 = Digest::MD5.hexdigest(@path)
       import
     end
+    
+    #
+    # Size
+    # 
+    # @return [Integer] Configuration size
+    # 
+    def size
+      @data.size
+    end
 
     private
-
+      
+      #
+      # Configuration Import
+      # 
+      # Parse the configuration files and store
+      # them in memory as a hash.
+      # 
       def import
         file = File.open(@path)
         
@@ -25,9 +49,8 @@ module Unified2
             next unless line[/^config\s/]
             count += 1
 
-            # attempted-dos,Attempted Denial of Service,2
             data = line.gsub!(/config classification: /, '')
-            short, name, severity = data.to_s.split(',')
+            short, name, severity = data.to_s.split(',').map(&:strip)
 
             @data[count.to_s] = {
               :short => short,
@@ -40,13 +63,13 @@ module Unified2
 
           file.each_line do |line|
             next if line[/^\#/]
-            generator_id, alert_id, name = line.split(' || ')
+            generator_id, alert_id, name = line.split(' || ').map(&:strip)
             id = "#{generator_id}.#{alert_id}"
 
             @data[id] = {
-              :generator_id => generator_id,
+              :generator_id => generator_id.to_i,
               :name => name,
-              :signature_id => alert_id
+              :signature_id => alert_id.to_i
             }
           end
 
@@ -54,7 +77,7 @@ module Unified2
 
           file.each_line do |line|
             next if line[/^\#/]
-            id, body, *reference_data = line.split(' || ')
+            id, body, *reference_data = line.split(' || ').map(&:strip)
             
             references = {}
             reference_data.each do |line|
@@ -67,7 +90,7 @@ module Unified2
             end
             
             @data[id] = {
-              :signature_id => id,
+              :signature_id => id.to_i,
               :name => body,
               :generator_id => 1
             }
@@ -76,5 +99,6 @@ module Unified2
         end
       end
 
-  end
-end
+  end # class ConfigFile
+
+end # module Unified2

data/lib/unified2/constructor/construct.rb

@@ -0,0 +1,83 @@
+require 'unified2/constructor/event_ip4'
+require 'unified2/constructor/event_ip6'
+require 'unified2/constructor/record_header'
+require 'unified2/constructor/packet'
+
+module Unified2
+  #
+  # Unified2 Constructor Namespace
+  #
+  module Constructor
+    #
+    # Unified2 Construction
+    #
+    class Construct < ::BinData::Record
+      #
+      # Rename record_header to header
+      # to simplify and cut down on verbosity
+      # 
+      record_header :header
+
+      # 
+      # Unified2 data types
+      # 
+      # Currently rUnified2 only supports packet,
+      # event_ip4 and event_ip6.
+      # 
+      choice :data, :selection => :type_selection do
+        packet "packet"
+        event_ip4  "ev4"
+        event_ip6 "ev6"
+      end
+
+      #
+      # String padding
+      # 
+      string :read_length => :padding_length
+
+      #
+      # Type Selection
+      # 
+      # Deterime and call data type based on 
+      # the unified2 type attribute
+      # 
+      def type_selection
+        case header.u2type.to_i
+        when 1
+          # define UNIFIED2_EVENT 1
+        when 2
+          # define UNIFIED2_PACKET 2
+          "packet"
+        when 7
+          # define UNIFIED2_IDS_EVENT 7
+          "ev4"
+        when 66
+          # define UNIFIED2_EVENT_EXTENDED 66
+        when 67
+          # define UNIFIED2_PERFORMANCE 67
+        when 68
+          # define UNIFIED2_PORTSCAN 68
+        when 72
+          # define UNIFIED2_IDS_EVENT_IPV6 72
+          "ev6"
+        else
+          "unknown type #{header.u2type}"
+        end
+      end
+
+      #
+      # Sometimes the data needs extra padding
+      # 
+      def padding_length
+        if header.u2length > data.num_bytes
+          header.u2length - data.num_bytes
+        else
+          0
+        end
+      end
+
+    end # class Construct
+    
+  end # module Construct
+
+end # module Unified2

data/lib/unified2/constructor/event_ip4.rb

@@ -0,0 +1,47 @@
+require 'unified2/primitive/ipv4'
+
+module Unified2
+
+  module Constructor
+    #
+    # Event IP Version 4
+    # 
+    class EventIP4 < ::BinData::Record
+
+      endian :big
+
+      uint32    :sensor_id
+      
+      uint32    :event_id
+      
+      uint32    :event_second
+      
+      uint32    :event_microsecond
+      
+      uint32    :signature_id
+      
+      uint32    :generator_id
+      
+      uint32    :signature_revision
+      
+      uint32    :classification_id
+      
+      uint32    :priority_id
+      
+      ipv4      :ip_source
+      
+      ipv4      :ip_destination
+      
+      uint16    :sport_itype
+      
+      uint16    :dport_icode
+      
+      uint8     :protocol
+      
+      uint8     :packet_action
+      
+    end # class EventIP4
+
+  end # module Constructor
+
+end # module Unified2

data/lib/unified2/constructor/event_ip6.rb

@@ -0,0 +1,44 @@
+module Unified2
+  
+  module Constructor
+    #
+    # Event IP Version 6
+    #
+    class EventIP6 < ::BinData::Record
+      endian :big
+
+      uint32    :sensor_id
+      
+      uint32    :event_id
+      
+      uint32    :event_second
+      
+      uint32    :event_microsecond
+      
+      uint32    :signature_id
+      
+      uint32    :generator_id
+      
+      uint32    :signature_revision
+      
+      uint32    :classification_id
+      
+      uint32    :priority_id
+      
+      uint128   :ip_source
+      
+      uint128   :ip_destination
+      
+      uint16    :sport_itype
+      
+      uint16    :dport_icode
+      
+      uint8     :protocol
+      
+      uint8     :packet_action
+      
+    end # class EventIP6
+    
+  end # module Constructor
+  
+end # module Unified2

data/lib/unified2/constructor/packet.rb

@@ -0,0 +1,30 @@
+module Unified2
+  
+  module Constructor
+    #
+    # Event Packet
+    #
+    class Packet < ::BinData::Record
+      endian :big
+
+      uint32 :sensor_id
+      
+      uint32 :event_id
+      
+      uint32 :event_second
+      
+      uint32 :packet_second
+      
+      uint32 :packet_microsecond
+      
+      uint32 :linktype
+      
+      uint32 :packet_length
+      
+      string :packet_data, :read_length => :packet_length
+      
+    end # class Packet
+    
+  end # module Constructor
+  
+end # module Unified2

data/lib/unified2/constructor/primitive/ipv4.rb

@@ -0,0 +1,31 @@
+module Unified2
+
+  module Constructor
+    #
+    # Unified2 Primitive Namespace
+    #
+    module Primitive
+      #
+      # BinData Primitive IP4 Constructor
+      #
+      class IPV4 < ::BinData::Primitive
+        array :octets, :type => :uint8, :initial_length => 4
+        
+        # IPV4#set
+        def set(value)
+          ints = value.split(/\./).collect { |int| int.to_i }
+          self.octets = ints
+        end
+        
+        # IPV4#get
+        def get
+          self.octets.collect { |octet| "%d" % octet }.join(".")
+        end
+
+      end # class IPV4
+
+    end # class Primitive
+
+  end # module Constructor
+
+end # module Unified2

data/lib/unified2/constructor/record_header.rb

@@ -0,0 +1,17 @@
+module Unified2
+
+  module Constructor
+    #
+    # Unified2 Header
+    #
+    class RecordHeader < ::BinData::Record
+      endian :big
+
+      uint32 :u2type
+      uint32 :u2length
+      
+    end # class RecordHeader
+
+  end # module Constructor
+
+end # module Unified2

data/lib/unified2/constructor.rb

@@ -0,0 +1 @@
+require 'unified2/constructor/construct'

data/lib/unified2/core_ext/string.rb

@@ -1,8 +1,16 @@
+#
+# String monkeypatches
+#
 class String
-  
+  #
+  # Blank?
+  # 
+  # @return [true, false] If the string
+  # is blank or empty return true.
+  # 
   def blank?
     return true if (self.nil? || self == '')
     false
   end
   
-end
+end # class String