unified2 0.6.0 → 0.6.1
- data/ChangeLog.md +5 -0
- data/example/example.rb +4 -1
- data/example/example2.rb +2 -0
- data/example/output.pcap +0 -0
- data/lib/unified2.rb +10 -8
- data/lib/unified2/event.rb +40 -21
- data/lib/unified2/extra.rb +16 -0
- data/lib/unified2/packet.rb +72 -5
- data/lib/unified2/protocol.rb +7 -3
- data/lib/unified2/sensor.rb +10 -0
- data/lib/unified2/version.rb +1 -1
- data/spec/spec_helper.rb +1 -1
- metadata +18 -17
data/ChangeLog.md
CHANGED
data/example/example.rb
CHANGED
data/example/example2.rb
CHANGED
data/example/output.pcap
ADDED
Binary file
|
data/lib/unified2.rb
CHANGED
@@ -134,12 +134,13 @@ module Unified2
|
|
134
134
|
|
135
135
|
# Start with a null event.
|
136
136
|
# This will always be ignored.
|
137
|
-
@event = Event.new(0)
|
137
|
+
@event = Event.new(0, 0)
|
138
138
|
|
139
139
|
loop do
|
140
140
|
begin
|
141
|
+
position = io.pos
|
141
142
|
event = Unified2::Constructor::Construct.read(io)
|
142
|
-
check_event(event, block)
|
143
|
+
check_event(event, position, block)
|
143
144
|
rescue EOFError
|
144
145
|
sleep 5
|
145
146
|
retry
|
@@ -175,11 +176,12 @@ module Unified2
|
|
175
176
|
|
176
177
|
# Start with a null event.
|
177
178
|
# This will always be ignored.
|
178
|
-
@event = Event.new(0)
|
179
|
+
@event = Event.new(0, 0)
|
179
180
|
|
180
181
|
until io.eof?
|
182
|
+
position = io.pos
|
181
183
|
event = Unified2::Constructor::Construct.read(io)
|
182
|
-
check_event(event, block)
|
184
|
+
check_event(event, position, block)
|
183
185
|
end
|
184
186
|
|
185
187
|
rescue Interrupt
|
@@ -199,15 +201,15 @@ module Unified2
|
|
199
201
|
end
|
200
202
|
end
|
201
203
|
|
202
|
-
def self.check_event(event, block)
|
203
|
-
|
204
|
+
def self.check_event(event, position=0, block)
|
205
|
+
|
204
206
|
if event.data.respond_to?(:event_id)
|
205
207
|
if @event.id == event.data.event_id
|
206
208
|
@event.load(event)
|
207
209
|
else
|
210
|
+
@event.next_position = position
|
208
211
|
block.call(@event) unless @event.id.zero?
|
209
|
-
@
|
210
|
-
@event = Event.new(event.data.event_id)
|
212
|
+
@event = Event.new(event.data.event_id, position.to_i)
|
211
213
|
@event.load(event)
|
212
214
|
end
|
213
215
|
else
|
data/lib/unified2/event.rb
CHANGED
@@ -41,19 +41,30 @@ module Unified2
|
|
41
41
|
#
|
42
42
|
# Setup method defaults
|
43
43
|
#
|
44
|
-
attr_accessor :id, :event, :packets, :extras
|
44
|
+
attr_accessor :id, :event, :packets, :extras, :position,
|
45
|
+
:next_position
|
45
46
|
|
46
47
|
#
|
47
48
|
# Initialize event
|
48
49
|
#
|
49
50
|
# @param [Integer] id Event id
|
50
51
|
#
|
51
|
-
def initialize(id)
|
52
|
+
def initialize(id, position)
|
52
53
|
@id = id.to_i
|
54
|
+
@position = position
|
53
55
|
@packets = []
|
54
56
|
@extras = []
|
55
57
|
end
|
56
58
|
|
59
|
+
#
|
60
|
+
# Event length
|
61
|
+
#
|
62
|
+
# @return [Integer] Event length
|
63
|
+
#
|
64
|
+
def length
|
65
|
+
@event_data[:header][:length].to_i
|
66
|
+
end
|
67
|
+
|
57
68
|
#
|
58
69
|
# Packet Time
|
59
70
|
#
|
@@ -310,25 +321,29 @@ module Unified2
|
|
310
321
|
# @return [Hash] Event hash object
|
311
322
|
#
|
312
323
|
def to_h
|
313
|
-
@
|
314
|
-
|
315
|
-
|
316
|
-
@event_data[:
|
317
|
-
|
318
|
-
|
319
|
-
|
320
|
-
|
321
|
-
|
322
|
-
|
323
|
-
|
324
|
-
|
325
|
-
|
326
|
-
|
327
|
-
|
328
|
-
|
329
|
-
|
330
|
-
|
331
|
-
|
324
|
+
@event_data[:position] = position
|
325
|
+
@event_data[:next_position] = next_position.to_i
|
326
|
+
|
327
|
+
@event_data[:protocol] = protocol
|
328
|
+
@event_data[:timestamp] = timestamp.to_s
|
329
|
+
@event_data[:checksum] = checksum
|
330
|
+
@event_data[:sensor] = sensor.to_h
|
331
|
+
|
332
|
+
@to_hash = {
|
333
|
+
:event => @event_data,
|
334
|
+
:packets => [],
|
335
|
+
:extras => []
|
336
|
+
}
|
337
|
+
|
338
|
+
extras.each do |extra|
|
339
|
+
@to_hash[:extras].push(extra.to_h)
|
340
|
+
end
|
341
|
+
|
342
|
+
packets.each do |packet|
|
343
|
+
@to_hash[:packets].push(packet.to_h)
|
344
|
+
end
|
345
|
+
|
346
|
+
@to_hash
|
332
347
|
end
|
333
348
|
|
334
349
|
#
|
@@ -417,6 +432,10 @@ module Unified2
|
|
417
432
|
event_hash = {}
|
418
433
|
|
419
434
|
event_hash = {
|
435
|
+
:header => {
|
436
|
+
:type => @event.header.u2type,
|
437
|
+
:length => @event.header.u2length
|
438
|
+
},
|
420
439
|
:destination_ip => @event.data.ip_destination,
|
421
440
|
:priority_id => @event.data.priority_id,
|
422
441
|
:signature_revision => @event.data.signature_revision,
|
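Review bot: The new `length` reader dereferences `@event_data[:header]` unconditionally, but `@event_data` is only populated once an event has been loaded (the hash literal that adds `:header` is in the last hunk, inside a method whose name is outside the view, presumably the `load` path), so calling `length` on the placeholder `Event.new(0, 0)` or on any event before `load` raises `NoMethodError` on `nil`. A guard keeps it total: `@event_data ? @event_data[:header][:length].to_i : 0`. The doc comment should also say what the number is, e.g. `# @return [Integer] Length of the unified2 event record as read from its record header (u2length)`; that field comes from the file, so it is sensor-supplied data rather than something computed here. In the second hunk `to_h` assigns `@event_data[:position] = position` without `.to_i` while `next_position` gets one; applying `.to_i` to both keeps the serialized shape consistent.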
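--- a/data/lib/unified2/extra.rb
+++ b/data/lib/unified2/extra.rb
@@ -123,6 +123,22 @@ module Unified2
 @type.first
 end
 
+def to_h
+to_h = {
+:value => value,
+:header => {
+:type => header[:event_type],
+:length => header[:event_length],
+},
+:length => length,
+:name => name,
+:description => description,
+:timestamp => timestamp.to_s,
+:type_id => type_id,
+:data_type => data_type
+}
+end
+
 end
 end
 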
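Review bot: The added `to_h` assigns its hash to a local named `to_h`, shadowing the method it sits in; the assignment is never read, so the body can be the bare literal `{ :value => value, ... }` returned directly. Matching the YARD-style comment blocks used on the other methods in this gem, add `# Convert the extra data record to a hash` / `# @return [Hash] Extra data hash` above `def to_h`. `header`, `value`, `length` and the other readers are defined outside the hunk, so whether `header[:event_type]` and `header[:event_length]` are the right keys cannot be confirmed from here.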
data/lib/unified2/packet.rb
CHANGED
@@ -6,7 +6,6 @@ require 'unified2/protocol'
|
|
6
6
|
#
|
7
7
|
module Unified2
|
8
8
|
|
9
|
-
|
10
9
|
#
|
11
10
|
# Packet
|
12
11
|
#
|
@@ -17,7 +16,7 @@ module Unified2
|
|
17
16
|
#
|
18
17
|
attr_reader :link_type, :event_id,
|
19
18
|
:microsecond, :timestamp, :length,
|
20
|
-
:raw, :event_timestamp
|
19
|
+
:raw, :event_timestamp, :packet
|
21
20
|
|
22
21
|
#
|
23
22
|
# Initialize packet Object
|
@@ -45,7 +44,7 @@ module Unified2
|
|
45
44
|
#
|
46
45
|
def ip_header
|
47
46
|
if @packet.is_ip?
|
48
|
-
|
47
|
+
ip_header = {
|
49
48
|
:ip_ver => @packet.ip_header.ip_v,
|
50
49
|
:ip_hlen => @packet.ip_header.ip_hl,
|
51
50
|
:ip_tos => @packet.ip_header.ip_tos,
|
@@ -57,10 +56,48 @@ module Unified2
|
|
57
56
|
:ip_csum => @packet.ip_header.ip_sum
|
58
57
|
}
|
59
58
|
else
|
60
|
-
|
59
|
+
ip_header = {}
|
61
60
|
end
|
62
61
|
|
63
|
-
|
62
|
+
ip_header
|
63
|
+
end
|
64
|
+
|
65
|
+
#
|
66
|
+
# Valid
|
67
|
+
#
|
68
|
+
# @return [true,false] Is this a valid packet
|
69
|
+
#
|
70
|
+
def valid?
|
71
|
+
!@packet.is_invalid?
|
72
|
+
end
|
73
|
+
|
74
|
+
#
|
75
|
+
# Ehternet
|
76
|
+
#
|
77
|
+
# @return [true,false] Ethernet packet
|
78
|
+
#
|
79
|
+
def eth?
|
80
|
+
@packet.is_eth?
|
81
|
+
end
|
82
|
+
alias ethernet? eth?
|
83
|
+
|
84
|
+
#
|
85
|
+
# IP Version 4
|
86
|
+
#
|
87
|
+
# @return [true,false]
|
88
|
+
#
|
89
|
+
def ipv4?
|
90
|
+
@packet.is_ip?
|
91
|
+
end
|
92
|
+
alias ip? ipv4?
|
93
|
+
|
94
|
+
#
|
95
|
+
# IP Version 6
|
96
|
+
#
|
97
|
+
# @return [true,false]
|
98
|
+
#
|
99
|
+
def ipv6?
|
100
|
+
@packet.is_ipv6?
|
64
101
|
end
|
65
102
|
|
66
103
|
#
|
@@ -81,6 +118,20 @@ module Unified2
|
|
81
118
|
payload.to_s
|
82
119
|
end
|
83
120
|
|
121
|
+
#
|
122
|
+
# Convert to libpcap format
|
123
|
+
#
|
124
|
+
def to_pcap
|
125
|
+
@packet.to_pcap
|
126
|
+
end
|
127
|
+
|
128
|
+
#
|
129
|
+
# Output to file
|
130
|
+
#
|
131
|
+
def to_file(filename, mode)
|
132
|
+
@packet.to_f(filename, mode)
|
133
|
+
end
|
134
|
+
|
84
135
|
#
|
85
136
|
# Payload
|
86
137
|
#
|
@@ -109,6 +160,22 @@ module Unified2
|
|
109
160
|
@packet
|
110
161
|
end
|
111
162
|
|
163
|
+
def to_h
|
164
|
+
@to_hash = {
|
165
|
+
:event_timestamp => event_timestamp.to_s,
|
166
|
+
:timestamp => timestamp.to_s,
|
167
|
+
:length => length,
|
168
|
+
:microsecond => microsecond,
|
169
|
+
:hex => hex,
|
170
|
+
:hexdump => hexdump,
|
171
|
+
:checksum => checksum,
|
172
|
+
:payload => payload,
|
173
|
+
:link_type => link_type,
|
174
|
+
:protocol => protocol.to_h,
|
175
|
+
:ip_header => ip_header
|
176
|
+
}
|
177
|
+
end
|
178
|
+
|
112
179
|
#
|
113
180
|
# Hex
|
114
181
|
#
|
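Review bot: `to_file(filename, mode)` in the third hunk passes both arguments straight to `@packet.to_f` with no documentation of what `mode` accepts or what gets written, unlike `to_pcap` just above it which at least says it converts to libpcap format. Add the YARD block the surrounding methods use: `# Write this packet to a pcap file via PacketFu` / `# @param [String] filename Destination path` / `# @param [String] mode File open mode handed to PacketFu (presumably 'w' to create, 'a' to append)`. Whether `to_f` validates `mode` or the path is PacketFu behaviour not visible here, so callers should only pass a `filename` they control. The comment header on `eth?` reads `# Ehternet` and should be `# Ethernet`.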
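--- a/data/lib/unified2/protocol.rb
+++ b/data/lib/unified2/protocol.rb
@@ -67,11 +67,15 @@ module Unified2
 # event.protocol.to_h #=> {:length=>379, :seq=>3934511163, :ack=>1584708129 ... }
 #
 def to_h
+hash = {
+:type => @protocol.to_s
+}
+
 if send(:"#{@protocol.downcase}?")
-self.send(:"#{@protocol.downcase}")
-else
-{}
+hash.merge!(self.send(:"#{@protocol.downcase}"))
 end
+
+hash
 end
 alias header to_h
 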
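Review bot: The new `hash.merge!(self.send(:"#{@protocol.downcase}"))` keeps building method names from `@protocol` at runtime, and `send` also reaches private methods; if `@protocol` ever holds a name this class has no `<name>?` predicate for (its source is outside the hunk), the `if` line raises `NoMethodError` instead of returning the `:type`-only hash. A `respond_to?` guard with `public_send` (Ruby 1.9+) makes the fallback explicit: `pred = :"#{@protocol.downcase}?"` / `if respond_to?(pred) && public_send(pred)` / `hash.merge!(public_send(:"#{@protocol.downcase}"))`. `merge!` also lets a per-protocol hash overwrite the `:type` key, so the protocol methods must not return one. The example output in the comment above `def to_h` predates the `:type` key and could show it.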
data/lib/unified2/sensor.rb
CHANGED
data/lib/unified2/version.rb
CHANGED
data/spec/spec_helper.rb
CHANGED
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: unified2
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.6.
|
4
|
+
version: 0.6.1
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,11 +9,11 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2011-11-
|
12
|
+
date: 2011-11-21 00:00:00.000000000Z
|
13
13
|
dependencies:
|
14
14
|
- !ruby/object:Gem::Dependency
|
15
15
|
name: bindata
|
16
|
-
requirement: &
|
16
|
+
requirement: &2151769080 !ruby/object:Gem::Requirement
|
17
17
|
none: false
|
18
18
|
requirements:
|
19
19
|
- - ~>
|
@@ -21,10 +21,10 @@ dependencies:
|
|
21
21
|
version: '1.4'
|
22
22
|
type: :runtime
|
23
23
|
prerelease: false
|
24
|
-
version_requirements: *
|
24
|
+
version_requirements: *2151769080
|
25
25
|
- !ruby/object:Gem::Dependency
|
26
26
|
name: packetfu
|
27
|
-
requirement: &
|
27
|
+
requirement: &2151759620 !ruby/object:Gem::Requirement
|
28
28
|
none: false
|
29
29
|
requirements:
|
30
30
|
- - ~>
|
@@ -32,10 +32,10 @@ dependencies:
|
|
32
32
|
version: '1.1'
|
33
33
|
type: :runtime
|
34
34
|
prerelease: false
|
35
|
-
version_requirements: *
|
35
|
+
version_requirements: *2151759620
|
36
36
|
- !ruby/object:Gem::Dependency
|
37
37
|
name: hexdump
|
38
|
-
requirement: &
|
38
|
+
requirement: &2151743760 !ruby/object:Gem::Requirement
|
39
39
|
none: false
|
40
40
|
requirements:
|
41
41
|
- - ~>
|
@@ -43,10 +43,10 @@ dependencies:
|
|
43
43
|
version: '0.2'
|
44
44
|
type: :runtime
|
45
45
|
prerelease: false
|
46
|
-
version_requirements: *
|
46
|
+
version_requirements: *2151743760
|
47
47
|
- !ruby/object:Gem::Dependency
|
48
48
|
name: ore-tasks
|
49
|
-
requirement: &
|
49
|
+
requirement: &2151739240 !ruby/object:Gem::Requirement
|
50
50
|
none: false
|
51
51
|
requirements:
|
52
52
|
- - ~>
|
@@ -54,10 +54,10 @@ dependencies:
|
|
54
54
|
version: '0.5'
|
55
55
|
type: :development
|
56
56
|
prerelease: false
|
57
|
-
version_requirements: *
|
57
|
+
version_requirements: *2151739240
|
58
58
|
- !ruby/object:Gem::Dependency
|
59
59
|
name: rspec
|
60
|
-
requirement: &
|
60
|
+
requirement: &2152201460 !ruby/object:Gem::Requirement
|
61
61
|
none: false
|
62
62
|
requirements:
|
63
63
|
- - ~>
|
@@ -65,10 +65,10 @@ dependencies:
|
|
65
65
|
version: '2.4'
|
66
66
|
type: :development
|
67
67
|
prerelease: false
|
68
|
-
version_requirements: *
|
68
|
+
version_requirements: *2152201460
|
69
69
|
- !ruby/object:Gem::Dependency
|
70
70
|
name: yard
|
71
|
-
requirement: &
|
71
|
+
requirement: &2164417300 !ruby/object:Gem::Requirement
|
72
72
|
none: false
|
73
73
|
requirements:
|
74
74
|
- - ~>
|
@@ -76,10 +76,10 @@ dependencies:
|
|
76
76
|
version: '0.7'
|
77
77
|
type: :development
|
78
78
|
prerelease: false
|
79
|
-
version_requirements: *
|
79
|
+
version_requirements: *2164417300
|
80
80
|
- !ruby/object:Gem::Dependency
|
81
81
|
name: rdiscount
|
82
|
-
requirement: &
|
82
|
+
requirement: &2168702220 !ruby/object:Gem::Requirement
|
83
83
|
none: false
|
84
84
|
requirements:
|
85
85
|
- - ~>
|
@@ -87,7 +87,7 @@ dependencies:
|
|
87
87
|
version: '1.6'
|
88
88
|
type: :development
|
89
89
|
prerelease: false
|
90
|
-
version_requirements: *
|
90
|
+
version_requirements: *2168702220
|
91
91
|
description: A ruby interface for unified2 output. rUnified2 allows you to manipulate
|
92
92
|
unified2 output for custom storage and/or analysis.
|
93
93
|
email:
|
@@ -110,6 +110,7 @@ files:
|
|
110
110
|
- bin/ru2
|
111
111
|
- example/example.rb
|
112
112
|
- example/example2.rb
|
113
|
+
- example/output.pcap
|
113
114
|
- example/seeds/classification.config
|
114
115
|
- example/seeds/gen-msg.map
|
115
116
|
- example/seeds/sid-msg.map
|
@@ -171,7 +172,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
171
172
|
version: '0'
|
172
173
|
requirements: []
|
173
174
|
rubyforge_project: unified2
|
174
|
-
rubygems_version: 1.8.
|
175
|
+
rubygems_version: 1.8.9
|
175
176
|
signing_key:
|
176
177
|
specification_version: 3
|
177
178
|
summary: A ruby interface for unified2 output.
|