unified2 0.5.0 → 0.5.3

data/{ChangeLog.rdoc → ChangeLog.md}

@@ -1,3 +1,8 @@
+=== 0.5.1 / 2011-03-21
+
+* fixed exception when watching an empty unified2 log file
+* renamed a few Event#ip_header hash keys
+
 === 0.5.0 / 2011-03-18
 
 * major refactoring

data/README.md

@@ -60,12 +60,13 @@ A ruby interface for unified2 output. rUnified2 allows you to manipulate unified
  * bindata ~> 1.3.1
  * hexdump: ~> 0.1.0
  * packetfu: ~> 1.0.0
+ * pcaprub: ~> 0.9.2
 
 ## Install
 
 	`$ gem install unified2`
 
-== Copyright
+## Copyright
 
 Copyright (c) 2011 Dustin Willis Webber
 

data/example/example.rb

@@ -5,24 +5,29 @@ require 'unified2'
 Unified2.configuration do
   
   # Sensor Configurations
-  sensor :interface => 'en1', :name => 'Example Sensor'
+  sensor :interface => 'en1', 
+  :name => 'Example Sensor', :id => 3
 
   # Load signatures, generators & classifications into memory
   load :signatures, 'seeds/sid-msg.map'
-  
+
   load :generators, 'seeds/gen-msg.map'
   
   load :classifications, 'seeds/classification.config'
   
 end
 
+#
 # Monitor the unfied2 log and process the data.
+# 
 # The second argument is the last event processed by
 # the sensor. If the last_event_id column is blank in the
 # sensor table it will begin at the first available event.
+#
 Unified2.watch('seeds/unified2.log', :first) do |event|
   next if event.signature.blank?
-
+  
   puts event
-
-end
+  puts "\n"
+  
+end

data/lib/unified2.rb

@@ -142,12 +142,18 @@ module Unified2
           event_id = false
 
         when :first
-
-          first_open = File.open(path)
-          first_event = Unified2::Constructor::Construct.read(first_open)
-          first_open.close
-          event_id = first_event.data.event_id
-          @event = Event.new(event_id)
+          begin
+            
+            first_open = File.open(path)
+            first_event = Unified2::Constructor::Construct.read(first_open)
+            first_open.close
+            event_id = first_event.data.event_id
+            @event = Event.new(event_id)
+  
+          rescue EOFError
+            sleep 5
+            retry
+          end
 
         end
       end

data/lib/unified2/constructor/event_ip4.rb

@@ -1,4 +1,4 @@
-require 'unified2/primitive/ipv4'
+require 'unified2/constructor/primitive/ipv4'
 
 module Unified2
 

data/lib/unified2/event.rb

@@ -266,29 +266,6 @@ module Unified2
       to_h.to_json
     end
 
-    #
-    # Ethernet Header
-    # 
-    # @return [Hash] Ethernet header
-    # 
-    def eth_header
-      if ((packet.is_eth?) && packet.has_data?)
-        @ip_header = {
-          :v => payload.packet.ip_header.ip_v,
-          :hl => payload.packet.ip_header.ip_hl,
-          :tos => payload.packet.ip_header.ip_tos,
-          :len => payload.packet.ip_header.ip_len,
-          :id => payload.packet.ip_header.ip_id,
-          :frag => payload.packet.ip_header.ip_frag,
-          :ttl => payload.packet.ip_header.ip_ttl,
-          :proto => payload.packet.ip_header.ip_proto,
-          :sum => payload.packet.ip_header.ip_sum
-        }
-      else
-        @ip_header = {}
-      end
-    end
-
     #
     # IP Header
     # 
@@ -297,15 +274,15 @@ module Unified2
     def ip_header
       if ((packet.is_ip?) && packet.has_data?)
         @ip_header = {
-          :v => packet.ip_header.ip_v,
-          :hl => packet.ip_header.ip_hl,
-          :tos => packet.ip_header.ip_tos,
-          :len => packet.ip_header.ip_len,
-          :id => packet.ip_header.ip_id,
-          :frag => packet.ip_header.ip_frag,
-          :ttl => packet.ip_header.ip_ttl,
-          :proto => packet.ip_header.ip_proto,
-          :sum => packet.ip_header.ip_sum
+          :ip_ver => packet.ip_header.ip_v,
+          :ip_hlen => packet.ip_header.ip_hl,
+          :ip_tos => packet.ip_header.ip_tos,
+          :ip_len => packet.ip_header.ip_len,
+          :ip_id => packet.ip_header.ip_id,
+          :ip_frag => packet.ip_header.ip_frag,
+          :ip_ttl => packet.ip_header.ip_ttl,
+          :ip_proto => packet.ip_header.ip_proto,
+          :ip_csum => packet.ip_header.ip_sum
         }
       else
         @ip_header = {}
@@ -328,8 +305,10 @@ module Unified2
         Destination IP: #{destination_ip}:#{destination_port}
         Signature: #{signature.name}
         Classification: #{classification.name}
+        Event Checksum: #{checksum}
       }
       unless payload.blank?
+        data += "Payload Checksum: #{payload.checksum}\n"
         data += "Payload:\n"
         payload.dump(:width => 30, :output => data)
       end

data/lib/unified2/payload.rb

@@ -98,6 +98,17 @@ module Unified2
     def dump(options={})
       Hexdump.dump(@packet, options)
     end
+    
+    #
+    # Checksum
+    #
+    # Create a unique payload checksum
+    #
+    # @return [String] Payload checksum
+    #
+    def checksum
+      Digest::MD5.hexdigest(@packet)
+    end
 
   end
 end

data/lib/unified2/protocol.rb

@@ -107,7 +107,7 @@ module Unified2
       def udp(include_body=false)
         @udp = {
           :length => header.len,
-          :sum => header.udp_sum,
+          :csum => header.udp_sum,
         }
         
         @udp[:body] = header.body if include_body
@@ -121,12 +121,11 @@ module Unified2
           :seq => header.tcp_seq,
           :ack => header.tcp_ack,
           :win => header.tcp_win,
-          :sum => header.tcp_sum,
+          :csum => header.tcp_sum,
           :urg => header.tcp_urg,
           :hlen => header.tcp_hlen,
           :reserved => header.tcp_reserved,
           :ecn => header.tcp_ecn,
-          :opts => header.tcp_opts,
           :opts_len => header.tcp_opts_len,
           :rand_port => header.rand_port,
           :options => header.tcp_options

data/lib/unified2/version.rb

@@ -1,4 +1,4 @@
 module Unified2
   # Unified2 version
-  VERSION = "0.5.0"
+  VERSION = "0.5.3"
 end

metadata

@@ -2,7 +2,7 @@
 name: unified2
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.5.0
+  version: 0.5.3
 platform: ruby
 authors: 
 - Dustin Willis Webber
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-18 00:00:00 -04:00
+date: 2011-03-24 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -99,13 +99,13 @@ extensions: []
 
 extra_rdoc_files: 
 - README.md
-- ChangeLog.rdoc
+- ChangeLog.md
 - LICENSE.txt
 files: 
 - .document
 - .rspec
 - .yardopts
-- ChangeLog.rdoc
+- ChangeLog.md
 - LICENSE.txt
 - README.md
 - Rakefile
@@ -123,7 +123,6 @@ files:
 - lib/unified2/constructor/event_ip4.rb
 - lib/unified2/constructor/event_ip6.rb
 - lib/unified2/constructor/packet.rb
-- lib/unified2/constructor/primitive.rb
 - lib/unified2/constructor/primitive/ipv4.rb
 - lib/unified2/constructor/record_header.rb
 - lib/unified2/core_ext.rb
@@ -166,7 +165,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: unified2
-rubygems_version: 1.6.1
+rubygems_version: 1.5.0
 signing_key: 
 specification_version: 3
 summary: A ruby interface for unified2 output.

data/lib/unified2/constructor/primitive.rb

@@ -1 +0,0 @@
-require 'primitive/ipv4'