Module: FIDIUS::EvasionDB::Knowledge

Defined in:
lib/evasion-db/knowledge.rb,
lib/evasion-db/knowledge/packet.rb,
lib/evasion-db/knowledge/ids_rule.rb,
lib/evasion-db/knowledge/connection.rb,
lib/evasion-db/knowledge/idmef_event.rb,
lib/evasion-db/knowledge/attack_module.rb,
lib/evasion-db/knowledge/attack_option.rb,
lib/evasion-db/knowledge/enabled_rules.rb,
lib/evasion-db/knowledge/attack_payload.rb

Overview

This module provides active-record classes for the knowledge database. Some handy query methods are also available.

Defined Under Namespace

Classes: AttackModule, AttackOption, AttackPayload, Connection, EnabledRules, IdmefEvent, IdsRule, Packet

Constant Summary

MIN_EVENTS = 1

  used in find_events_for_exploit to indicate that the exploit with minimal events should be searched

MAX_EVENTS = 2

  used in find_events_for_exploit to indicate that the exploit with maximal events should be searched

Class Method Summary

Class Method Details

.find_events_for_exploit(name, options = {}, result = MIN_EVENTS) ⇒ Object

Finds the events for a module (exploit). You can restrict the results by passing the options the exploit should have been run with, and you can choose whether the module with the minimal or the maximal number of events is returned. Returns nil when no module of that name matches the given options.

Parameters:

  • name (string)

    exploit/module name

  • options (hash) (defaults to: {})

    options which should be used by the exploit

  • result (integer) (defaults to: MIN_EVENTS)

    MIN_EVENTS or MAX_EVENTS


# File 'lib/evasion-db/knowledge.rb', line 107

def self.find_events_for_exploit(name,options={},result = MIN_EVENTS)
  # keep only the modules of that name whose stored options cover the requested ones
  attacks = AttackModule.find_all_by_name(name).delete_if do |attack|
    !attack.has_options(options)
  end

  if attacks.size > 0
    res = nil
    if result == MIN_EVENTS
      min_cnt = 1073741823 # sentinel above any realistic event count
      attacks.each do |attack|
        events_cnt = attack.idmef_events.size
        if events_cnt < min_cnt
          min_cnt = events_cnt
          res = attack
        end
      end
    elsif result == MAX_EVENTS
      min_cnt = 0 # sentinel below any count; a module with zero events is never selected here
      attacks.each do |attack|
        events_cnt = attack.idmef_events.size
        if events_cnt > min_cnt
          min_cnt = events_cnt
          res = attack
        end
      end
    end
    # guard on the selected module, not on +result+: an unknown selector
    # (or, for MAX_EVENTS, only modules without events) leaves +res+ nil
    return res.idmef_events if res
  end
  nil
end
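As an added example, not code from FIDIUS::EvasionDB, the selection logic above rewritten over constructed in-memory records so that it runs without the knowledge database; the AttackModule struct, its has_options semantics and the KNOWLEDGE fixture are assumptions, and the rewrite also shows the defensive handling of an unknown result selector and of empty event lists.

```ruby
# Added example, not code from FIDIUS::EvasionDB: it re-implements the
# selection logic of Knowledge.find_events_for_exploit over constructed
# in-memory records so it runs without ActiveRecord or a knowledge DB.
MIN_EVENTS = 1
MAX_EVENTS = 2

# Constructed stand-in for an AttackModule row with its options and the
# IDMEF events it raised. has_options is assumed to mean "every requested
# key/value is present on the module" (the real predicate is not on the page).
AttackModule = Struct.new(:name, :options, :idmef_events) do
  def has_options(wanted)
    wanted.all? { |key, value| options[key] == value }
  end
end

# Constructed knowledge base: two runs of the same module with different
# options and event counts, plus an unrelated module.
KNOWLEDGE = [
  AttackModule.new("demo_exploit", { "RPORT" => 445, "PIPE" => "BROWSER" },
                   %w[event-1 event-2 event-3]),
  AttackModule.new("demo_exploit", { "RPORT" => 445, "PIPE" => "SRVSVC" },
                   %w[event-4]),
  AttackModule.new("other_exploit", { "RPORT" => 21 }, %w[event-5]),
]

# Same contract as the documented method, with two deliberate differences:
# an unknown selector returns nil instead of failing on a nil record, and
# min_by/max_by replace the sentinel counters (so a MAX_EVENTS query can
# also return a module whose event list is empty).
def find_events_for_exploit(name, options = {}, result = MIN_EVENTS, db = KNOWLEDGE)
  attacks = db.select { |a| a.name == name && a.has_options(options) }
  return nil if attacks.empty?

  chosen = case result
           when MIN_EVENTS then attacks.min_by { |a| a.idmef_events.size }
           when MAX_EVENTS then attacks.max_by { |a| a.idmef_events.size }
           end
  chosen && chosen.idmef_events
end

if $PROGRAM_NAME == __FILE__
  p find_events_for_exploit("demo_exploit", { "RPORT" => 445 })             # ["event-4"]
  p find_events_for_exploit("demo_exploit", { "RPORT" => 445 }, MAX_EVENTS) # ["event-1", "event-2", "event-3"]
end
```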

.find_exploits_for_service(port) ⇒ Object

returns all exploits for the given service

Parameters:

  • port (integer)


# File 'lib/evasion-db/knowledge.rb', line 69

def self.find_exploits_for_service(port)
  option_set = AttackOption.where(:option_key => "RPORT",
                                  :option_value => port)
  exploits = []
  option_set.each { |opt| exploits << opt.attack_module }
  exploits
end

.find_exploits_for_services(ports_list) ⇒ Object

returns the ids of all exploits for the given services (each port is looked up with find_exploits_for_service)

Parameters:

  • ports_list (array)


# File 'lib/evasion-db/knowledge.rb', line 60

def self.find_exploits_for_services(ports_list)
  exploits = []
  ports_list.each { |port| exploits.concat(find_exploits_for_service(port)) }
  exploits.map { |e| e.id }
end

.get_event(event_id) ⇒ Object

returns a certain event

Parameters:

  • event_id (integer)

    event id

# File 'lib/evasion-db/knowledge.rb', line 46

def self.get_event(event_id)
  IdmefEvent.find(event_id)
end

.get_events ⇒ Object

returns all idmef-events

# File 'lib/evasion-db/knowledge.rb', line 39

def self.get_events
  IdmefEvent.all
end

.get_events_for_payload(payload) ⇒ Object

find out the events raised by the given payload

Parameters:

  • payload (string)


# File 'lib/evasion-db/knowledge.rb', line 88

def self.get_events_for_payload(payload)
  #TODO: Search all packets which belong to this event
  events = []
  search_payload = FIDIUS::EvasionDB::LogMatchesHelper.to_hex(payload)
  IdmefEvent.find_each do |event|
    event_payload = FIDIUS::EvasionDB::LogMatchesHelper.to_hex(event.payload)
    events << event if event_payload.include?(search_payload)
  end

  events
end

.get_exploit(id) ⇒ Object

# File 'lib/evasion-db/knowledge.rb', line 27

def self.get_exploit(id)
  AttackModule.find(id)
end

.get_exploits ⇒ Object

returns all modules(exploits) in knowledge database

# File 'lib/evasion-db/knowledge.rb', line 23

def self.get_exploits
  AttackModule.all
end

.get_packet(id) ⇒ Object

returns a certain packet

Parameters:

  • id (integer)

    packet id

# File 'lib/evasion-db/knowledge.rb', line 34

def self.get_packet(id)
  Packet.find(id)
end

.get_packet_for_event(event_id) ⇒ Object

returns the packets which might be responsible for the given event

Parameters:

  • event_id (integer)

    event id

# File 'lib/evasion-db/knowledge.rb', line 80

def self.get_packet_for_event(event_id)
  event = IdmefEvent.find(event_id)
  FIDIUS::EvasionDB::LogMatchesHelper.find_packets_for_event(event,Packet.all)
end