unified2
Description
A Ruby interface for unified2 output. rUnified2 lets you read and manipulate unified2 output for custom storage and/or analysis.
Features
- Monitor/Read unified2 logs & manipulate the data.
- Numerous convenience methods
- Simple & Intuitive to Use
Examples
```ruby
require 'unified2'

#
# Load rules into memory
#
Unified2.configuration do
  # Sensor Configurations
  sensor :id => 1, :name => 'Test Sensor', :interface => 'en1'

  # Load signatures, generators & classifications into memory
  load :signatures, 'sid-msg.map'
  load :generators, 'gen-msg.map'
  load :classifications, 'classification.config'
end

#
# Unified2#watch
#
# Watch a unified2 file for changes and process the results.
#
Unified2.watch('/var/log/snort/merged.log', :last) do |event|
  next if event.signature.name.blank?
  puts event
end

#
# Unified2#read
#
# Parse a unified2 file and process the results.
#
Unified2.read('/var/log/snort/merged.log') do |event|
  puts event.protocol #=> "TCP"
  puts event.protocol.to_h #=> {:length=>379, :seq=>3934511163, :ack=>1584708129 ... }
end
```
Requirements
- bindata ~> 1.3.1
- hexdump ~> 0.1.0
- packetfu ~> 1.0.0
Install
`$ gem install unified2`
Copyright
Copyright (c) 2011 Dustin Willis Webber
See LICENSE.txt for details.