Class: Unified2::Event

Inherits:

Object

• Object
• Unified2::Event

Defined in:

lib/unified2/event.rb

Overview

Event

Instance Attribute Summary

• #event_data ⇒ Object

  Returns the value of attribute event_data.

• #id ⇒ Object

  Returns the value of attribute id.

• #packet_data ⇒ Object

  Returns the value of attribute packet_data.

Instance Method Summary

• #checksum ⇒ String

  Checksum.

• #classification ⇒ Classification

  Classification.

• #destination_port ⇒ Integer

  Destination Port.

• #eth_header ⇒ Hash

  Ethernet Header.

• #event_time ⇒ Time^? (also: #timestamp)

  Event Time.

• #initialize(id) ⇒ Event constructor

  Initialize event.

• #ip_destination ⇒ IPAddr (also: #destination_ip)

  Destination IP Address.

• #ip_header ⇒ Hash

  IP Header.

• #ip_source ⇒ IPAddr (also: #source_ip)

  Source IP Address.

• #json ⇒ String

  Convert To Json.

• #load(event) ⇒ nil

  Load.

• #microseconds ⇒ String^?

  Microseconds.

• #packet ⇒ Packet

  Packet.

• #packet_action ⇒ Integer^?

  Packet Action.

• #packet_time ⇒ Time^?

  Packet Time.

• #payload ⇒ Payload

  Payload.

• #protocol ⇒ Protocol

  Protocol.

• #sensor ⇒ Sensor

  Sensor.

• #severity ⇒ Integer

  Severity.

• #signature ⇒ Signature^?

  Signature.

• #source_port ⇒ Integer

  Source Port.

• #to_h ⇒ Hash

  Convert To Hash.

• #to_i ⇒ Integer

  Convert To Integer.

• #to_s ⇒ String

  Convert To String.

Constructor Details

#initialize(id) ⇒ Event

Initialize event

Parameters:

• id (Integer) —

  Event id

# File 'lib/unified2/event.rb', line 23

def initialize(id)
  @id = id.to_i
end

Instance Attribute Details

#event_data ⇒ Object

Returns the value of attribute event_data.

# File 'lib/unified2/event.rb', line 17

def event_data
  @event_data
end

#id ⇒ Object

Returns the value of attribute id.

# File 'lib/unified2/event.rb', line 17

def id
  @id
end

#packet_data ⇒ Object

Returns the value of attribute packet_data.

# File 'lib/unified2/event.rb', line 17

def packet_data
  @packet_data
end

Instance Method Details

#checksum ⇒ String

Checksum

Create a unique checksum for each event using the ip source, destination, signature id, generator id, sensor id, severity id, and the classification id.

Returns:

• (String) —

  Event checksum

# File 'lib/unified2/event.rb', line 51

def checksum
  checkdum = [ip_source, ip_destination, signature.id, signature.generator, sensor.id, severity, classification.id]
  Digest::MD5.hexdigest(checkdum.join(''))
end

#classification ⇒ Classification

Classification

Returns:

• (Classification) —

  Event classification object

# File 'lib/unified2/event.rb', line 118

def classification
  @classification = Classification.new(@event_data[:classification]) if @event_data[:classification]
end

#destination_port ⇒ Integer

Note:

Event#destination_port will return zero if the event protocol is icmp.

Destination Port

Returns:

• (Integer) —

  Event destination port

# File 'lib/unified2/event.rb', line 180

def destination_port
  return 0 if protocol.icmp?
  @source_port = @event_data[:dport_icode] if @event_data.has_key?(:dport_icode)
end

#eth_header ⇒ Hash

Ethernet Header

Returns:

• (Hash) —

  Ethernet header

# File 'lib/unified2/event.rb', line 274

def eth_header
  if ((packet.is_eth?) && packet.has_data?)
    @ip_header = {
      :v => payload.packet.ip_header.ip_v,
      :hl => payload.packet.ip_header.ip_hl,
      :tos => payload.packet.ip_header.ip_tos,
      :len => payload.packet.ip_header.ip_len,
      :id => payload.packet.ip_header.ip_id,
      :frag => payload.packet.ip_header.ip_frag,
      :ttl => payload.packet.ip_header.ip_ttl,
      :proto => payload.packet.ip_header.ip_proto,
      :sum => payload.packet.ip_header.ip_sum
    }
  else
    @ip_header = {}
  end
end

#event_time ⇒ Time^? Also known as: timestamp

Event Time

The event timestamp created by unified2.

Returns:

• (Time, nil) —

  Event time object

# File 'lib/unified2/event.rb', line 63

def event_time
  if @packet_data.has_key?(:event_second)
    @timestamp = Time.at(@packet_data[:event_second].to_i)
  end
end

#ip_destination ⇒ IPAddr Also known as: destination_ip

Destination IP Address

Returns:

• (IPAddr) —

  Event destination ip address

# File 'lib/unified2/event.rb', line 164

def ip_destination
  if @event_data.is_a?(Hash)
    @event_data[:ip_destination] if @event_data.has_key?(:ip_destination)
  end
end

#ip_header ⇒ Hash

IP Header

Returns:

• (Hash) —

  IP header

# File 'lib/unified2/event.rb', line 297

def ip_header
  if ((packet.is_ip?) && packet.has_data?)
    @ip_header = {
      :v => packet.ip_header.ip_v,
      :hl => packet.ip_header.ip_hl,
      :tos => packet.ip_header.ip_tos,
      :len => packet.ip_header.ip_len,
      :id => packet.ip_header.ip_id,
      :frag => packet.ip_header.ip_frag,
      :ttl => packet.ip_header.ip_ttl,
      :proto => packet.ip_header.ip_proto,
      :sum => packet.ip_header.ip_sum
    }
  else
    @ip_header = {}
  end
end

#ip_source ⇒ IPAddr Also known as: source_ip

Source IP Address

Returns:

• (IPAddr) —

  Event source ip address

# File 'lib/unified2/event.rb', line 138

def ip_source
  if @event_data.is_a?(Hash)
    @event_data[:ip_source] if @event_data.has_key?(:ip_source)
  end
end

#json ⇒ String

Convert To Json

Returns:

• (String) —

  Event hash in json format

# File 'lib/unified2/event.rb', line 265

def json
  to_h.to_json
end

#load(event) ⇒ nil

Load

Initializes the raw data returned by bindata into a more comfurtable format.

Parameters:

• Name (Hash) —

  Description

Returns:

• (nil)

# File 'lib/unified2/event.rb', line 226

def load(event)
  if event.data.respond_to?(:signature_id)
    @event_data ||= build_event_data(event)
  end

  if event.data.respond_to?(:packet_data)
    @packet_data ||= build_packet_data(event)
  end
end

#microseconds ⇒ String^?

Microseconds

The event time in microseconds.

Returns:

• (String, nil) —

  Event microseconds

# File 'lib/unified2/event.rb', line 77

def microseconds
  if @event_data.has_key?(:event_microsecond)
    @microseconds = @event_data[:event_microsecond]
  end
end

#packet ⇒ Packet

Note:

Please view the packetfu documentation for more information. (code.google.com/p/packetfu/)

Packet

Returns:

• (Packet) —

  Event packet object

# File 'lib/unified2/event.rb', line 203

def packet
  @packet = PacketFu::Packet.parse(@packet_data[:packet])
end

#packet_action ⇒ Integer^?

Packet Action

Returns:

• (Integer, nil) —

  Packet action

# File 'lib/unified2/event.rb', line 97

def packet_action
  if @event_data.has_key?(:event_second)
    @packet_data_action = @event_data[:packet_action]
  end
end

#packet_time ⇒ Time^?

Packet Time

Time of creation for the unified2 packet.

Returns:

• (Time, nil) —

  Packet time object

# File 'lib/unified2/event.rb', line 34

def packet_time
  if @packet_data.has_key?(:packet_second)
    @packet_data[:packet_second]
    @timestamp = Time.at(@packet_data[:packet_second].to_i)
  end
end

#payload ⇒ Payload

Payload

Returns:

• (Payload) —

  Event payload object

# File 'lib/unified2/event.rb', line 212

def payload
  Payload.new(packet.payload, @packet_data)
end

#protocol ⇒ Protocol

Protocol

Returns:

• (Protocol) —

  Event protocol object

# File 'lib/unified2/event.rb', line 108

def protocol
  @protocol = Protocol.new(determine_protocol(@event_data[:protocol]), packet)
end

#sensor ⇒ Sensor

Sensor

Returns:

• (Sensor) —

  Sensor object

# File 'lib/unified2/event.rb', line 88

def sensor
  @sensor ||= Unified2.sensor
end

#severity ⇒ Integer

Severity

Returns:

• (Integer) —

  Event severity id

# File 'lib/unified2/event.rb', line 190

def severity
  @severity = @event_data[:priority_id].to_i
end

#signature ⇒ Signature^?

Signature

Returns:

• (Signature, nil) —

  Event signature object

# File 'lib/unified2/event.rb', line 127

def signature
  if @event_data.is_a?(Hash)
    @signature = Signature.new(@event_data[:signature])
  end
end

#source_port ⇒ Integer

Note:

Event#source_port will return zero if the event protocol is icmp.

Source Port

Returns:

• (Integer) —

  Event source port

# File 'lib/unified2/event.rb', line 154

def source_port
  return 0 if protocol.icmp?
  @source_port = @event_data[:sport_itype] if @event_data.has_key?(:sport_itype)
end

#to_h ⇒ Hash

Convert To Hash

Returns:

• (Hash) —

  Event hash object

# File 'lib/unified2/event.rb', line 241

def to_h
  @to_hash = {}
  
  [@event_data, @packet_data].each do |hash|
    @to_hash.merge!(hash) if hash.is_a?(Hash)
  end
  
  @to_hash
end

#to_i ⇒ Integer

Convert To Integer

Returns:

• (Integer) —

  Event id

# File 'lib/unified2/event.rb', line 256

def to_i
  @id.to_i
end

#to_s ⇒ String

Convert To String

Returns:

• (String) —

  Event string object

# File 'lib/unified2/event.rb', line 320

def to_s
  data = %{
    Sensor: #{sensor.id}
    Event ID: #{id}
    Timestamp: #{timestamp.strftime('%D %H:%M:%S')}
    Severity: #{severity}
    Protocol: #{protocol}
    Source IP: #{source_ip}:#{source_port}
    Destination IP: #{destination_ip}:#{destination_port}
    Signature: #{signature.name}
    Classification: #{classification.name}
  }
  unless payload.blank?
    data += "Payload:\n"
    payload.dump(:width => 30, :output => data)
  end

  data.gsub(/^\s+/, "")
end