unified2 0.6.0 → 0.6.1

@@ -1,3 +1,8 @@
1
+ === 0.6.1 / 2011/11/20
2
+
3
+ * Add to_h method for core classes
4
+ * Add to_pacp/to_file method for packet class
5
+
1
6
  === 0.6.0 / 2011-11-13
2
7
 
3
8
  * update deps
@@ -17,7 +17,10 @@ Unified2.configuration do
17
17
 
18
18
  end
19
19
 
20
- Unified2.watch('seeds/unified2-current.log', :first) do |event|
20
+ #path = 'seeds/unified2-current.log'
21
+ path = '/var/log/snort/merged.log'
22
+
23
+ Unified2.watch(path, :last) do |event|
21
24
 
22
25
  puts event
23
26
 
@@ -23,6 +23,8 @@ end
23
23
  Unified2.watch('seeds/unified2-current.log', :first) do |event|
24
24
 
25
25
  puts event.id
26
+
27
+ puts event.position
26
28
 
27
29
  puts event.severity
28
30
 
Binary file
@@ -134,12 +134,13 @@ module Unified2
134
134
 
135
135
  # Start with a null event.
136
136
  # This will always be ignored.
137
- @event = Event.new(0)
137
+ @event = Event.new(0, 0)
138
138
 
139
139
  loop do
140
140
  begin
141
+ position = io.pos
141
142
  event = Unified2::Constructor::Construct.read(io)
142
- check_event(event, block)
143
+ check_event(event, position, block)
143
144
  rescue EOFError
144
145
  sleep 5
145
146
  retry
@@ -175,11 +176,12 @@ module Unified2
175
176
 
176
177
  # Start with a null event.
177
178
  # This will always be ignored.
178
- @event = Event.new(0)
179
+ @event = Event.new(0, 0)
179
180
 
180
181
  until io.eof?
182
+ position = io.pos
181
183
  event = Unified2::Constructor::Construct.read(io)
182
- check_event(event, block)
184
+ check_event(event, position, block)
183
185
  end
184
186
 
185
187
  rescue Interrupt
@@ -199,15 +201,15 @@ module Unified2
199
201
  end
200
202
  end
201
203
 
202
- def self.check_event(event, block)
203
-
204
+ def self.check_event(event, position=0, block)
205
+
204
206
  if event.data.respond_to?(:event_id)
205
207
  if @event.id == event.data.event_id
206
208
  @event.load(event)
207
209
  else
210
+ @event.next_position = position
208
211
  block.call(@event) unless @event.id.zero?
209
- @extra_data = false
210
- @event = Event.new(event.data.event_id)
212
+ @event = Event.new(event.data.event_id, position.to_i)
211
213
  @event.load(event)
212
214
  end
213
215
  else
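Review bot: In the `loop do` hunk, `rescue EOFError` retries from the stream's current offset, so if `Construct.read(io)` hits end-of-file partway through a record that Snort is still appending, the bytes it already consumed are presumably not rewound and the retry would start mid-record and misparse the next event; the `position` captured just before the read is exactly what is needed to recover, e.g. `rescue EOFError` / `io.seek(position) if position` / `sleep 5` / `retry`. Whether BinData restores the offset itself on a short read is worth confirming — if it does, the seek is a harmless no-op. Separately, `def self.check_event(event, position=0, block)` puts an optional parameter ahead of a required one, which Ruby accepts but reads oddly, and since both call sites now pass three arguments the default can simply be dropped. The `else` branch at the end of check_event continues outside the hunk.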
@@ -41,19 +41,30 @@ module Unified2
41
41
  #
42
42
  # Setup method defaults
43
43
  #
44
- attr_accessor :id, :event, :packets, :extras
44
+ attr_accessor :id, :event, :packets, :extras, :position,
45
+ :next_position
45
46
 
46
47
  #
47
48
  # Initialize event
48
49
  #
49
50
  # @param [Integer] id Event id
50
51
  #
51
- def initialize(id)
52
+ def initialize(id, position)
52
53
  @id = id.to_i
54
+ @position = position
53
55
  @packets = []
54
56
  @extras = []
55
57
  end
56
58
 
59
+ #
60
+ # Event length
61
+ #
62
+ # @return [Integer] Event length
63
+ #
64
+ def length
65
+ @event_data[:header][:length].to_i
66
+ end
67
+
57
68
  #
58
69
  # Packet Time
59
70
  #
@@ -310,25 +321,29 @@ module Unified2
310
321
  # @return [Hash] Event hash object
311
322
  #
312
323
  def to_h
313
- @to_hash = {}
314
-
315
- @event_data[:extras] = @extras
316
- @event_data[:packets] = @packets
317
-
318
- #unless payload.blank?
319
- #hexdump = ''
320
- #payload.dump(:width => 30, :output => hexdump)
321
- #@packet_data[:packet] = hexdump
322
- #end
323
-
324
- #.encode('utf-8', 'iso-8859-1')
325
-
326
- #[@event_data, @packet_data].each do |hash|
327
- #@to_hash.merge!(hash) if hash.is_a?(Hash)
328
- #end
329
-
330
- #@to_hash
331
- @event_data
324
+ @event_data[:position] = position
325
+ @event_data[:next_position] = next_position.to_i
326
+
327
+ @event_data[:protocol] = protocol
328
+ @event_data[:timestamp] = timestamp.to_s
329
+ @event_data[:checksum] = checksum
330
+ @event_data[:sensor] = sensor.to_h
331
+
332
+ @to_hash = {
333
+ :event => @event_data,
334
+ :packets => [],
335
+ :extras => []
336
+ }
337
+
338
+ extras.each do |extra|
339
+ @to_hash[:extras].push(extra.to_h)
340
+ end
341
+
342
+ packets.each do |packet|
343
+ @to_hash[:packets].push(packet.to_h)
344
+ end
345
+
346
+ @to_hash
332
347
  end
333
348
 
334
349
  #
@@ -417,6 +432,10 @@ module Unified2
417
432
  event_hash = {}
418
433
 
419
434
  event_hash = {
435
+ :header => {
436
+ :type => @event.header.u2type,
437
+ :length => @event.header.u2length
438
+ },
420
439
  :destination_ip => @event.data.ip_destination,
421
440
  :priority_id => @event.data.priority_id,
422
441
  :signature_revision => @event.data.signature_revision,
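Review bot: `Event#to_h` now writes `:position`, `:next_position`, `:protocol`, `:timestamp`, `:checksum` and `:sensor` straight into `@event_data` on every call, so a serialisation helper silently mutates the event's backing hash instead of reading from it; building the result from a copy keeps it side-effect free, e.g. `event = @event_data.merge(:position => position, :next_position => next_position.to_i, :protocol => protocol, ...)` and then `:event => event` in the returned hash. The new `length` (`@event_data[:header][:length].to_i`) and `to_h` also dereference `@event_data` without a guard, so calling either before `load` has run — the watchers start with the null `Event.new(0, 0)` — would presumably raise NoMethodError on nil; a `return 0 unless @event_data` guard in `length`, or a YARD note such as `# @note Only meaningful after #load has populated the event data`, would make that contract explicit. The `event_hash` literal in the last hunk continues outside the hunk.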
@@ -123,6 +123,22 @@ module Unified2
123
123
  @type.first
124
124
  end
125
125
 
126
+ def to_h
127
+ to_h = {
128
+ :value => value,
129
+ :header => {
130
+ :type => header[:event_type],
131
+ :length => header[:event_length],
132
+ },
133
+ :length => length,
134
+ :name => name,
135
+ :description => description,
136
+ :timestamp => timestamp.to_s,
137
+ :type_id => type_id,
138
+ :data_type => data_type
139
+ }
140
+ end
141
+
126
142
  end
127
143
  end
128
144
 
@@ -6,7 +6,6 @@ require 'unified2/protocol'
6
6
  #
7
7
  module Unified2
8
8
 
9
-
10
9
  #
11
10
  # Packet
12
11
  #
@@ -17,7 +16,7 @@ module Unified2
17
16
  #
18
17
  attr_reader :link_type, :event_id,
19
18
  :microsecond, :timestamp, :length,
20
- :raw, :event_timestamp
19
+ :raw, :event_timestamp, :packet
21
20
 
22
21
  #
23
22
  # Initialize packet Object
@@ -45,7 +44,7 @@ module Unified2
45
44
  #
46
45
  def ip_header
47
46
  if @packet.is_ip?
48
- @ip_header = {
47
+ ip_header = {
49
48
  :ip_ver => @packet.ip_header.ip_v,
50
49
  :ip_hlen => @packet.ip_header.ip_hl,
51
50
  :ip_tos => @packet.ip_header.ip_tos,
@@ -57,10 +56,48 @@ module Unified2
57
56
  :ip_csum => @packet.ip_header.ip_sum
58
57
  }
59
58
  else
60
- @ip_header = {}
59
+ ip_header = {}
61
60
  end
62
61
 
63
- @ip_header
62
+ ip_header
63
+ end
64
+
65
+ #
66
+ # Valid
67
+ #
68
+ # @return [true,false] Is this a valid packet
69
+ #
70
+ def valid?
71
+ !@packet.is_invalid?
72
+ end
73
+
74
+ #
75
+ # Ehternet
76
+ #
77
+ # @return [true,false] Ethernet packet
78
+ #
79
+ def eth?
80
+ @packet.is_eth?
81
+ end
82
+ alias ethernet? eth?
83
+
84
+ #
85
+ # IP Version 4
86
+ #
87
+ # @return [true,false]
88
+ #
89
+ def ipv4?
90
+ @packet.is_ip?
91
+ end
92
+ alias ip? ipv4?
93
+
94
+ #
95
+ # IP Version 6
96
+ #
97
+ # @return [true,false]
98
+ #
99
+ def ipv6?
100
+ @packet.is_ipv6?
64
101
  end
65
102
 
66
103
  #
@@ -81,6 +118,20 @@ module Unified2
81
118
  payload.to_s
82
119
  end
83
120
 
121
+ #
122
+ # Convert to libpcap format
123
+ #
124
+ def to_pcap
125
+ @packet.to_pcap
126
+ end
127
+
128
+ #
129
+ # Output to file
130
+ #
131
+ def to_file(filename, mode)
132
+ @packet.to_f(filename, mode)
133
+ end
134
+
84
135
  #
85
136
  # Payload
86
137
  #
@@ -109,6 +160,22 @@ module Unified2
109
160
  @packet
110
161
  end
111
162
 
163
+ def to_h
164
+ @to_hash = {
165
+ :event_timestamp => event_timestamp.to_s,
166
+ :timestamp => timestamp.to_s,
167
+ :length => length,
168
+ :microsecond => microsecond,
169
+ :hex => hex,
170
+ :hexdump => hexdump,
171
+ :checksum => checksum,
172
+ :payload => payload,
173
+ :link_type => link_type,
174
+ :protocol => protocol.to_h,
175
+ :ip_header => ip_header
176
+ }
177
+ end
178
+
112
179
  #
113
180
  # Hex
114
181
  #
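Review bot: `Packet#to_h` puts `:payload => payload` — the raw bytes of captured, attacker-influenced traffic — into the hash alongside `:hex`, so any consumer that later JSON/YAML-encodes or stores the hash can fail on non-UTF-8 bytes or carry control characters through to logs and databases; since the same data is already present as `:hex` and `:hexdump`, either drop `:payload` from the hash or document it as a binary string (the encoding of `payload` is not visible in the hunk, so this is worth confirming). The new `to_file(filename, mode)` also passes `mode` straight to `@packet.to_f` without documenting it; a YARD block such as `# @param [String] filename Path of the pcap file to write` / `# @param [String] mode File open mode passed to PacketFu (e.g. 'a' to append, 'w' to truncate)` would help callers, as would noting that `to_h` needlessly keeps the result in `@to_hash` when a local would do. The Packet class header and the rest of its methods are outside this hunk.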
@@ -67,11 +67,15 @@ module Unified2
67
67
  # event.protocol.to_h #=> {:length=>379, :seq=>3934511163, :ack=>1584708129 ... }
68
68
  #
69
69
  def to_h
70
+ hash = {
71
+ :type => @protocol.to_s
72
+ }
73
+
70
74
  if send(:"#{@protocol.downcase}?")
71
- self.send(:"#{@protocol.downcase}")
72
- else
73
- {}
75
+ hash.merge!(self.send(:"#{@protocol.downcase}"))
74
76
  end
77
+
78
+ hash
75
79
  end
76
80
  alias header to_h
77
81
 
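Review bot: `Protocol#to_h` still dispatches on the protocol name with `send(:"#{@protocol.downcase}?")` and `self.send(:"#{@protocol.downcase}")`, so a protocol for which no predicate or accessor is defined raises NoMethodError from inside a serialisation helper, and `send` also reaches private methods; guarding the call makes the fallback explicit and uses only public API: `pred = :"#{@protocol.downcase}?"` / `hash.merge!(public_send(@protocol.downcase)) if respond_to?(pred) && public_send(pred)`. Where `@protocol` comes from is outside the hunk — if it is always one of PacketFu's known protocol names the guard is cheap insurance rather than a fix. `hash.merge!` also assumes the accessor returns a Hash; adding `# @return [Hash] :type plus the protocol-specific header fields, or :type alone when the protocol has no header accessor` to the existing YARD block would pin that contract for callers of the `header` alias.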
@@ -35,6 +35,16 @@ module Unified2
35
35
  @name
36
36
  end
37
37
 
38
+ def to_h
39
+ to_hash = {
40
+ :name => name,
41
+ :hostname => hostname,
42
+ :checksum => checksum,
43
+ :id => id,
44
+ :interface => interface
45
+ }
46
+ end
47
+
38
48
  #
39
49
  # Update
40
50
  #
@@ -3,5 +3,5 @@
3
3
  #
4
4
  module Unified2
5
5
  # Unified2 version
6
- VERSION = "0.6.0"
6
+ VERSION = "0.6.1"
7
7
  end
@@ -12,7 +12,7 @@ module Unified2
12
12
  io = File.open(path)
13
13
  io.sysseek(0, IO::SEEK_SET)
14
14
 
15
- @event = Event.new(1)
15
+ @event = Event.new(1, 0)
16
16
 
17
17
  loop do
18
18
  event = Unified2::Constructor::Construct.read(io)
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: unified2
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.6.0
4
+ version: 0.6.1
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -9,11 +9,11 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2011-11-13 00:00:00.000000000 Z
12
+ date: 2011-11-21 00:00:00.000000000Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: bindata
16
- requirement: &70345281255100 !ruby/object:Gem::Requirement
16
+ requirement: &2151769080 !ruby/object:Gem::Requirement
17
17
  none: false
18
18
  requirements:
19
19
  - - ~>
@@ -21,10 +21,10 @@ dependencies:
21
21
  version: '1.4'
22
22
  type: :runtime
23
23
  prerelease: false
24
- version_requirements: *70345281255100
24
+ version_requirements: *2151769080
25
25
  - !ruby/object:Gem::Dependency
26
26
  name: packetfu
27
- requirement: &70345281252460 !ruby/object:Gem::Requirement
27
+ requirement: &2151759620 !ruby/object:Gem::Requirement
28
28
  none: false
29
29
  requirements:
30
30
  - - ~>
@@ -32,10 +32,10 @@ dependencies:
32
32
  version: '1.1'
33
33
  type: :runtime
34
34
  prerelease: false
35
- version_requirements: *70345281252460
35
+ version_requirements: *2151759620
36
36
  - !ruby/object:Gem::Dependency
37
37
  name: hexdump
38
- requirement: &70345281251340 !ruby/object:Gem::Requirement
38
+ requirement: &2151743760 !ruby/object:Gem::Requirement
39
39
  none: false
40
40
  requirements:
41
41
  - - ~>
@@ -43,10 +43,10 @@ dependencies:
43
43
  version: '0.2'
44
44
  type: :runtime
45
45
  prerelease: false
46
- version_requirements: *70345281251340
46
+ version_requirements: *2151743760
47
47
  - !ruby/object:Gem::Dependency
48
48
  name: ore-tasks
49
- requirement: &70345281250320 !ruby/object:Gem::Requirement
49
+ requirement: &2151739240 !ruby/object:Gem::Requirement
50
50
  none: false
51
51
  requirements:
52
52
  - - ~>
@@ -54,10 +54,10 @@ dependencies:
54
54
  version: '0.5'
55
55
  type: :development
56
56
  prerelease: false
57
- version_requirements: *70345281250320
57
+ version_requirements: *2151739240
58
58
  - !ruby/object:Gem::Dependency
59
59
  name: rspec
60
- requirement: &70345281388740 !ruby/object:Gem::Requirement
60
+ requirement: &2152201460 !ruby/object:Gem::Requirement
61
61
  none: false
62
62
  requirements:
63
63
  - - ~>
@@ -65,10 +65,10 @@ dependencies:
65
65
  version: '2.4'
66
66
  type: :development
67
67
  prerelease: false
68
- version_requirements: *70345281388740
68
+ version_requirements: *2152201460
69
69
  - !ruby/object:Gem::Dependency
70
70
  name: yard
71
- requirement: &70345281387940 !ruby/object:Gem::Requirement
71
+ requirement: &2164417300 !ruby/object:Gem::Requirement
72
72
  none: false
73
73
  requirements:
74
74
  - - ~>
@@ -76,10 +76,10 @@ dependencies:
76
76
  version: '0.7'
77
77
  type: :development
78
78
  prerelease: false
79
- version_requirements: *70345281387940
79
+ version_requirements: *2164417300
80
80
  - !ruby/object:Gem::Dependency
81
81
  name: rdiscount
82
- requirement: &70345281386700 !ruby/object:Gem::Requirement
82
+ requirement: &2168702220 !ruby/object:Gem::Requirement
83
83
  none: false
84
84
  requirements:
85
85
  - - ~>
@@ -87,7 +87,7 @@ dependencies:
87
87
  version: '1.6'
88
88
  type: :development
89
89
  prerelease: false
90
- version_requirements: *70345281386700
90
+ version_requirements: *2168702220
91
91
  description: A ruby interface for unified2 output. rUnified2 allows you to manipulate
92
92
  unified2 output for custom storage and/or analysis.
93
93
  email:
@@ -110,6 +110,7 @@ files:
110
110
  - bin/ru2
111
111
  - example/example.rb
112
112
  - example/example2.rb
113
+ - example/output.pcap
113
114
  - example/seeds/classification.config
114
115
  - example/seeds/gen-msg.map
115
116
  - example/seeds/sid-msg.map
@@ -171,7 +172,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
171
172
  version: '0'
172
173
  requirements: []
173
174
  rubyforge_project: unified2
174
- rubygems_version: 1.8.10
175
+ rubygems_version: 1.8.9
175
176
  signing_key:
176
177
  specification_version: 3
177
178
  summary: A ruby interface for unified2 output.