add option for initial event_id incrementation

1 parent e821946 commit 5293f2c2fbbcc1b4300d1db9fced78a86103bd21 @mephux committed
Showing with 71 additions and 73 deletions.
  1. +2 −21 .gitignore
  2. +1 −0 .yardopts
  3. +2 −1 ChangeLog.rdoc
  4. +1 −1 LICENSE.txt
  5. +15 −8 Rakefile
  6. +1 −2 example/example.rb
  7. +3 −2 gemspec.yml
  8. +25 −21 lib/unified2.rb
  9. +14 −11 lib/unified2/event.rb
  10. +5 −4 lib/unified2/signature.rb
  11. +1 −1 spec/spec_helper.rb
  12. +1 −1 unified2.gemspec
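--- a/.gitignore
+++ b/.gitignore
@@ -1,21 +1,2 @@
-## MAC OS
-.DS_Store
-
-## TEXTMATE
-*.tmproj
-tmtags
-
-## VIM
-*.swp
-
-## PROJECT::GENERAL
-coverage
-rdoc
-doc
-.yardoc
-pkg
-
-## PROJECT::SPECIFIC
-.bundle/
-.document
-unified2.gemspec
+doc/
+pkg/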
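--- a/.yardopts
+++ b/.yardopts
@@ -0,0 +1 @@
+--markup rdoc --title "unified2 Documentation" --protected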
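--- a/ChangeLog.rdoc
+++ b/ChangeLog.rdoc
@@ -1,3 +1,4 @@
 === 0.1.0 / 2011-03-07
-* Initial release:
+* Initial release:
+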
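--- a/LICENSE.txt
+++ b/LICENSE.txt
@@ -1,4 +1,4 @@
-Copyright (c) 2011 Dustin Willis Webber
+Copyright (c) 2011 mephux
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the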
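--- a/Rakefile
+++ b/Rakefile
@@ -11,15 +11,8 @@ rescue LoadError => e
 STDERR.puts "Run `gem install ore-tasks` to install 'ore/tasks'."
 end
-require 'rake/rdoctask'
-Rake::RDocTask.new do |rdoc|
- rdoc.title = "unified2"
- rdoc.rdoc_files.include("README.rdoc")
- rdoc.rdoc_files.include("lib/**/*.rb")
-end
-
 begin
- gem 'rspec', '~> 2.4.0'
+ gem 'rspec', '~> 2.4'
 require 'rspec/core/rake_task'
 RSpec::Core::RakeTask.new
@@ -28,4 +21,18 @@ rescue LoadError => e
 abort "Please run `gem install rspec` to install RSpec."
 end
 end
+
+task :test => :spec
 task :default => :spec
+
+begin
+ gem 'yard', '~> 0.6.0'
+ require 'yard'
+
+ YARD::Rake::YardocTask.new
+rescue LoadError => e
+ task :yard do
+ abort "Please run `gem install yard` to install YARD."
+ end
+end
+task :doc => :yard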
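Review bot: `rescue LoadError => e` in the new yard block binds `e` and never uses it, copying the pattern of the rspec block above; `rescue LoadError` alone says the same and avoids an unused local. `task :doc => :yard` is defined even when YARD failed to load, which works only because the rescue defines an aborting `:yard` stub; a comment on that line, `# :yard is the aborting stub when YARD is not installed`, would make that dependency explicit.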
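--- a/example/example.rb
+++ b/example/example.rb
@@ -11,14 +11,13 @@
 :host => 'localhost'
 load 'sid-msg.map'
- load 'sid-msg.map'
 end
 # Unified2#watch will continuously monitor
 # the unified output for modifications and
 # process the data accordingly.
-Unified2.watch('unified2', :start => 451) do |event|
+Unified2.watch('/var/log/snort/merged.log') do |event|
 puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
 end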
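Review bot: The example no longer demonstrates the option this commit adds: `watch` now takes the starting event id as a second positional argument, but the call drops the old `:start => 451` without showing the new form. Either pass it, `Unified2.watch('/var/log/snort/merged.log', 451) do |event|`, or extend the comment above the call with `# pass a second argument to start from a given event_id; omitted, watch begins at the last event already in the file`. The hard-coded `/var/log/snort/merged.log` will also need adjusting for most readers, so a note that it is a placeholder path would help.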
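--- a/gemspec.yml
+++ b/gemspec.yml
@@ -7,5 +7,6 @@ homepage: https://github.com/mephux/unified2
 development_dependencies:
 bindata: ~> 1.3.1
- ore-tasks: ~> 0.5.2
- rspec: ~> 2.4.0
+ ore-tasks: ~> 0.4
+ rspec: ~> 2.4
+ yard: ~> 0.6.0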
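--- a/lib/unified2.rb
+++ b/lib/unified2.rb
@@ -1,6 +1,6 @@
 require 'bindata'
 # http://cvs.snort.org/viewcvs.cgi/snort/src/output-plugins/spo_unified2.c?rev=1.3&content-type=text/vnd.viewcvs-markup
-
+
 require 'unified2/construct'
 require 'unified2/event'
 require 'unified2/plugin'
@@ -41,9 +41,7 @@ def self.load(path)
 end
 end
- def self.watch(path, options={}, &block)
- event_id = options[:start] || false
- timeout = options[:timeout].to_i || 5
+ def self.watch(path, event_id=false, &block)
 unless File.exists?(path)
 raise('Error - file does not exist.')
@@ -55,26 +53,32 @@ def self.watch(path, options={}, &block)
 if event_id
 @event = Event.new(event_id.to_i)
 else
- first_open = File.open(path)
- first_event = Unified2::Construct.read(first_open)
- first_open.close
- @event = Event.new(first_event.data.event_id)
+
+ until io.eof?
+ event = Unified2::Construct.read(io)
+ end
+ event_id = event.data.event_id
+
+ # first_open = File.open(path)
+ # first_event = Unified2::Construct.read(first_open)
+ # first_open.close
+ @event = Event.new(event_id)
 end
 loop do
 begin
 event = Unified2::Construct.read(io)
-
+
 if event_id
 if event.data.event_id.to_i > (event_id - 1)
 check_event(event, block)
 end
- else
+ else
 check_event(event, block)
 end
-
+
 rescue EOFError
- sleep timeout
+ sleep 5
 retry
 end
 end
@@ -117,15 +121,15 @@ def self.read(path, options={}, &block)
 private
-
- def self.check_event(event, block)
- if @event.id == event.data.event_id
- @event.load(event)
- else
- block.call(@event)
- @event = Event.new(event.data.event_id)
- @event.load(event)
+
+ def self.check_event(event, block)
+ if @event.id == event.data.event_id
+ @event.load(event)
+ else
+ block.call(@event)
+ @event = Event.new(event.data.event_id)
+ @event.load(event)
+ end
 end
- end
 end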
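Review bot: The `until io.eof?` loop in the new fallback branch leaves `event` nil when the file holds no complete record, so `event_id = event.data.event_id` on the next line raises NoMethodError rather than a readable error; guard it with `raise('Error - file contains no events.') if event.nil?` before that line. Once that branch has run, `event_id` is no longer false, so the `else` arm of `if event_id` inside `loop do` is unreachable and can be dropped. The signature change from `options={}` to a positional `event_id=false` is not backward compatible: a caller still passing `:start => 451` now hands a Hash to `event_id.to_i`, and the `:timeout` option is silently replaced by the hard-coded `sleep 5`. The tail-reading loop calls `Unified2::Construct.read` without the EOFError rescue the main loop has, so a record being written at that moment will presumably raise out of `watch` — worth confirming against how Construct handles a short read. `watch` continues outside the hunk; the `io` it reads from is opened on lines not shown.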
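--- a/lib/unified2/event.rb
+++ b/lib/unified2/event.rb
@@ -12,11 +12,7 @@ def initialize(id)
 end
 def signature
- if ((@metadata) && @metadata.has_key?(:signature))
- @signature = Signature.new(@metadata[:signature])
- else
- @signature = Signature.new(:id => @metadata[:signature_id])
- end
+ @signature = Signature.new(@metadata[:signature])
 end
 def ip_destination
@@ -59,16 +55,23 @@ def build_event_metadata(event)
 :event_microsecond => event.data.event_microsecond
 }
- if Unified2.signatures.has_key?(event.data.signature_id.to_s)
- sig = Unified2.signatures[event.data.signature_id.to_s]
+ if Unified2.signatures
+ if Unified2.signatures.has_key?(event.data.signature_id.to_s)
+ sig = Unified2.signatures[event.data.signature_id.to_s]
+
+ hash[:signature] = {
+ :signature_id => event.data.signature_id,
+ :name => sig[:name],
+ :references => sig[:references]
+ }
+ end
+ else
 hash[:signature] = {
 :signature_id => event.data.signature_id,
- :name => "Unknow Signature #{event.data.signature_id}",
+ :name => "Unknow Signature #{event.data.signature_id}",
+ :references => []
 }
- else
- hash[:signature_id] = event.data.signature_id
 end
 hash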
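Review bot: When a signature map is loaded but has no entry for the event's sid, the inner `has_key?` branch sets nothing, so `hash` carries no `:signature` key and `signature` above passes nil to `Signature.new`, which fails on `nil[:signature_id]`; the old `:signature_id` fallback was removed without a replacement for this case. The "Unknow Signature" default should apply whenever the lookup misses, not only when no map is loaded, which collapses the lookup and the fallback into one path as below. `signature` also drops the old `@metadata` nil guard, so calling it before `load` now raises — acceptable if that is the intended contract, but worth a comment. `build_event_metadata` starts outside the hunk, and `Unknow Signature` is a typo for `Unknown Signature` that this commit introduces in two files.
```ruby
# … unchanged: hash literal with the event fields …
sig = Unified2.signatures && Unified2.signatures[event.data.signature_id.to_s]
hash[:signature] = {
  :signature_id => event.data.signature_id,
  :name => sig ? sig[:name] : "Unknow Signature #{event.data.signature_id}",
  :references => sig ? sig[:references] : []
}
hash
```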
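--- a/lib/unified2/signature.rb
+++ b/lib/unified2/signature.rb
@@ -6,18 +6,19 @@ class Signature
 def initialize(signature={})
 @id = signature[:signature_id] || 0
- @name = signature[:name]
+ @name = signature[:name] || "Unknow Signature #{@id}"
 @references = signature[:references] || []
 end
 def id
 @id.to_i
 end
-
+
 def name
- @name.strip
+ return @name.strip if @name
+ @name
 end
-
+
 def references
 @references
 end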
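Review bot: `initialize(signature={})` still raises on an explicit nil argument, since the default only applies when the argument is omitted and `nil[:signature_id]` is a NoMethodError; on this commit `Event#signature` passes exactly that when no `:signature` entry was built, so a first line `signature ||= {}` is needed for the new defaults to do their job. With `@name` now always falling back to "Unknow Signature #{@id}", the `return @name.strip if @name` guard in `name` only matters if a caller passes `:name => false`; either drop it or explain it with `# @name is nil only when the caller passed an explicit false`. `Unknow` is a typo for `Unknown` in the default name. The `class Signature` header is outside the hunk.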
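--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -1,4 +1,4 @@
-gem 'rspec', '~> 2.4.0'
+gem 'rspec', '~> 2.4'
 require 'rspec'
 require 'unified2/version'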
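--- a/unified2.gemspec
+++ b/unified2.gemspec
@@ -9,7 +9,7 @@ rescue NameError
 require 'ore/specification'
 retry
 rescue LoadError
- STDERR.puts "The 'unified2.gemspec' file requires Ore."
+ STDERR.puts "The '#{__FILE__}' file requires Ore."
 STDERR.puts "Run `gem install ore-core` to install Ore."
 end
 end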
