unified2 0.5.0 → 0.5.3
- data/{ChangeLog.rdoc → ChangeLog.md} +5 -0
- data/README.md +2 -1
- data/example/example.rb +10 -5
- data/lib/unified2.rb +12 -6
- data/lib/unified2/constructor/event_ip4.rb +1 -1
- data/lib/unified2/event.rb +11 -32
- data/lib/unified2/payload.rb +11 -0
- data/lib/unified2/protocol.rb +2 -3
- data/lib/unified2/version.rb +1 -1
- metadata +5 -6
- data/lib/unified2/constructor/primitive.rb +0 -1
data/README.md
CHANGED
@@ -60,12 +60,13 @@ A ruby interface for unified2 output. rUnified2 allows you to manipulate unified
|
|
60
60
|
* bindata ~> 1.3.1
|
61
61
|
* hexdump: ~> 0.1.0
|
62
62
|
* packetfu: ~> 1.0.0
|
63
|
+
* pcaprub: ~> 0.9.2
|
63
64
|
|
64
65
|
## Install
|
65
66
|
|
66
67
|
`$ gem install unified2`
|
67
68
|
|
68
|
-
|
69
|
+
## Copyright
|
69
70
|
|
70
71
|
Copyright (c) 2011 Dustin Willis Webber
|
71
72
|
|
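--- a/data/example/example.rb
+++ b/data/example/example.rb
@@ -5,24 +5,29 @@ require 'unified2'
 Unified2.configuration do
 
 # Sensor Configurations
-sensor :interface => 'en1',
+sensor :interface => 'en1',
+:name => 'Example Sensor', :id => 3
 
 # Load signatures, generators & classifications into memory
 load :signatures, 'seeds/sid-msg.map'
-
+
 load :generators, 'seeds/gen-msg.map'
 
 load :classifications, 'seeds/classification.config'
 
 end
 
+#
 # Monitor the unfied2 log and process the data.
+#
 # The second argument is the last event processed by
 # the sensor. If the last_event_id column is blank in the
 # sensor table it will begin at the first available event.
+#
 Unified2.watch('seeds/unified2.log', :first) do |event|
 next if event.signature.blank?
-
+
 puts event
-
-
+puts "\n"
+
+end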
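Review bot: The comment block added at new lines 20-26 describes a `last_event_id` column and a sensor table that the example never sets up, while the call on line 27 passes the literal `:first`, so a reader cannot tell from the example what the second argument accepts. A sentence that matches the code shown, e.g. `# Pass :first to start at the first record in the log; presumably an event id resumes after that event (see Unified2.watch)`, would be clearer than the database-oriented wording. The `Unified2.watch` block itself is complete within the hunk.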
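--- a/data/lib/unified2.rb
+++ b/data/lib/unified2.rb
@@ -142,12 +142,18 @@ module Unified2
 event_id = false
 
 when :first
-
-
-
-
-
-
+begin
+
+first_open = File.open(path)
+first_event = Unified2::Constructor::Construct.read(first_open)
+first_open.close
+event_id = first_event.data.event_id
+@event = Event.new(event_id)
+
+rescue EOFError
+sleep 5
+retry
+end
 
 end
 end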
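Review bot: `first_open` is never closed when `Construct.read` on new line 148 raises, because `first_open.close` on line 149 only runs on the success path and the `rescue EOFError` on line 153 retries without an `ensure`, so every retry on an empty log leaks a descriptor until garbage collection. The block form closes the file on every path: `first_event = File.open(path) { |f| Unified2::Constructor::Construct.read(f) }`, replacing the `first_open = File.open(path)` and `first_open.close` lines. The `retry` on line 155 is also unbounded, so an empty log spins forever at five-second intervals; if that is the intended "wait for the sensor to write" behaviour, a comment saying so (`# empty log: the sensor has not written its first record yet, poll until it does`) would make it deliberate rather than accidental. The enclosing `case` and its method begin outside the hunk.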
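--- a/data/lib/unified2/event.rb
+++ b/data/lib/unified2/event.rb
@@ -266,29 +266,6 @@ module Unified2
 to_h.to_json
 end
 
-#
-# Ethernet Header
-#
-# @return [Hash] Ethernet header
-#
-def eth_header
-if ((packet.is_eth?) && packet.has_data?)
-@ip_header = {
-:v => payload.packet.ip_header.ip_v,
-:hl => payload.packet.ip_header.ip_hl,
-:tos => payload.packet.ip_header.ip_tos,
-:len => payload.packet.ip_header.ip_len,
-:id => payload.packet.ip_header.ip_id,
-:frag => payload.packet.ip_header.ip_frag,
-:ttl => payload.packet.ip_header.ip_ttl,
-:proto => payload.packet.ip_header.ip_proto,
-:sum => payload.packet.ip_header.ip_sum
-}
-else
-@ip_header = {}
-end
-end
-
 #
 # IP Header
 #
@@ -297,15 +274,15 @@ module Unified2
 def ip_header
 if ((packet.is_ip?) && packet.has_data?)
 @ip_header = {
-:
-:
-:
-:
-:
-:
-:
-:
-:
+:ip_ver => packet.ip_header.ip_v,
+:ip_hlen => packet.ip_header.ip_hl,
+:ip_tos => packet.ip_header.ip_tos,
+:ip_len => packet.ip_header.ip_len,
+:ip_id => packet.ip_header.ip_id,
+:ip_frag => packet.ip_header.ip_frag,
+:ip_ttl => packet.ip_header.ip_ttl,
+:ip_proto => packet.ip_header.ip_proto,
+:ip_csum => packet.ip_header.ip_sum
 }
 else
 @ip_header = {}
@@ -328,8 +305,10 @@ module Unified2
 Destination IP: #{destination_ip}:#{destination_port}
 Signature: #{signature.name}
 Classification: #{classification.name}
+Event Checksum: #{checksum}
 }
 unless payload.blank?
+data += "Payload Checksum: #{payload.checksum}\n"
 data += "Payload:\n"
 payload.dump(:width => 30, :output => data)
 end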
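Review bot: The `ip_header` hash keys on new lines 277-285 are renamed to `:ip_ver`, `:ip_hlen`, `:ip_csum` and so on (the previous names are truncated in this rendering), which silently breaks any caller indexing the returned hash by the old keys, and the `# IP Header` comment above the method (lines 269-271) does not say what the hash contains; a line such as `# @return [Hash] keys :ip_ver, :ip_hlen, :ip_tos, :ip_len, :ip_id, :ip_frag, :ip_ttl, :ip_proto, :ip_csum (empty when the packet is not IP or has no data)` would document the new contract. In the third hunk, `Event Checksum: #{checksum}` on new line 308 calls an `Event#checksum` that this diff does not add (the diffstat is fully accounted for by the three hunks shown); unless it is already defined elsewhere in the file, the method building this string raises NameError for every event. The method containing the `Destination IP:` heredoc begins and ends outside the hunk.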
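--- a/data/lib/unified2/payload.rb
+++ b/data/lib/unified2/payload.rb
@@ -98,6 +98,17 @@ module Unified2
 def dump(options={})
 Hexdump.dump(@packet, options)
 end
+
+#
+# Checksum
+#
+# Create a unique payload checksum
+#
+# @return [String] Payload checksum
+#
+def checksum
+Digest::MD5.hexdigest(@packet)
+end
 
 end
 end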
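Review bot: `Digest::MD5.hexdigest(@packet)` on new line 110 is documented on line 105 as a unique payload checksum, but MD5 is not collision resistant, so distinct payloads can share a digest; if the value is used to identify or deduplicate alerts, `Digest::SHA256.hexdigest(@packet)` gives that property at negligible extra cost, and the comment should say whether the digest is meant for identification or only as a display aid. The hunk does not show a `require 'digest'` (or `digest/md5`); unless the file or the library entry point already loads it, the constant lookup raises NameError on first use. If `@packet` can be nil here — the `dump` method above passes it to Hexdump unchecked, so that is not established either way — `hexdigest` raises TypeError, and a guard or a documented precondition (`# @packet must be a String`) would help. `@packet` is assigned outside the hunk.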
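--- a/data/lib/unified2/protocol.rb
+++ b/data/lib/unified2/protocol.rb
@@ -107,7 +107,7 @@ module Unified2
 def udp(include_body=false)
 @udp = {
 :length => header.len,
-:
+:csum => header.udp_sum,
 }
 
 @udp[:body] = header.body if include_body
@@ -121,12 +121,11 @@ module Unified2
 :seq => header.tcp_seq,
 :ack => header.tcp_ack,
 :win => header.tcp_win,
-:
+:csum => header.tcp_sum,
 :urg => header.tcp_urg,
 :hlen => header.tcp_hlen,
 :reserved => header.tcp_reserved,
 :ecn => header.tcp_ecn,
-:opts => header.tcp_opts,
 :opts_len => header.tcp_opts_len,
 :rand_port => header.rand_port,
 :options => header.tcp_options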
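Review bot: The TCP hash in the second hunk drops `:opts => header.tcp_opts` but keeps `:opts_len => header.tcp_opts_len` (new line 129) and `:options => header.tcp_options` (line 131), so `:opts_len` now describes a field that is no longer in the hash; presumably `:options` supersedes `:opts`, in which case a comment such as `# :opts_len is the length in bytes of the raw options summarised in :options` would make the pairing explicit, or `:opts_len` could be dropped as well. Both hunks rename the checksum entry to `:csum` (the previous key is truncated in this rendering), which is a silent change of the returned hash for callers of `udp` and `tcp`. The `tcp` method that builds the second hash begins and ends outside the hunk.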
data/lib/unified2/version.rb
CHANGED
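--- a/metadata
+++ b/metadata
@@ -2,7 +2,7 @@
 name: unified2
 version: !ruby/object:Gem::Version
 prerelease:
-version: 0.5.
+version: 0.5.3
 platform: ruby
 authors:
 - Dustin Willis Webber
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-
+date: 2011-03-24 00:00:00 -04:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -99,13 +99,13 @@ extensions: []
 
 extra_rdoc_files:
 - README.md
-- ChangeLog.
+- ChangeLog.md
 - LICENSE.txt
 files:
 - .document
 - .rspec
 - .yardopts
-- ChangeLog.
+- ChangeLog.md
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -123,7 +123,6 @@ files:
 - lib/unified2/constructor/event_ip4.rb
 - lib/unified2/constructor/event_ip6.rb
 - lib/unified2/constructor/packet.rb
-- lib/unified2/constructor/primitive.rb
 - lib/unified2/constructor/primitive/ipv4.rb
 - lib/unified2/constructor/record_header.rb
 - lib/unified2/core_ext.rb
@@ -166,7 +165,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: unified2
-rubygems_version: 1.
+rubygems_version: 1.5.0
 signing_key:
 specification_version: 3
 summary: A ruby interface for unified2 output.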
@@ -1 +0,0 @@
|
|
1
|
-
require 'primitive/ipv4'
|