Module: FIDIUS::EvasionDB::PreludeEventFetcher

Defined in:
lib/evasion-db/idmef-fetchers/prelude-db/lib/prelude_event_fetcher.rb


Instance Method Details

#begin_record ⇒ Object



# File 'lib/evasion-db/idmef-fetchers/prelude-db/lib/prelude_event_fetcher.rb', line 14

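# Records the newest detect time present in the Prelude DB as the watermark
# from which #get_events later reports alerts (only rows with a strictly
# greater time are returned there).
#
# Sets @start_time. When the DetectTime table is empty there is no row to read
# a time from; the watermark then falls back to the epoch so that every alert
# written after this call is reported, instead of failing on the nil row.
# The database's own timestamps are used rather than Time.now so that a lagging
# IDS host clock cannot cause alerts to be skipped.
#
# Caveat: because the later query is "time > @start_time", an alert whose
# detect time equals the watermark, or one inserted later with an earlier
# detect time (out-of-order delivery), is never reported.
def begin_record
  latest = FIDIUS::PreludeDB::DetectTime.find(:first, :order => "time DESC")
  @start_time = latest ? latest.time : Time.at(0)
end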

#config(conf) ⇒ Object



# File 'lib/evasion-db/idmef-fetchers/prelude-db/lib/prelude_event_fetcher.rb', line 4

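# Opens the connection to the Prelude IDS database described by conf['ids_db']
# (handed straight to establish_connection; presumably it carries the database
# credentials, so keep conf itself out of log output) and then loads the local
# postgres patch.
#
# @param conf [Hash, nil] fetcher configuration; only the 'ids_db' key is read
# @raise [RuntimeError] "no ids_db part found" when conf is nil or lacks 'ids_db'
def config(conf)
  $logger.debug "INIT PRELUDE EVENT FETCHER"
  # A nil conf and a conf without the key are reported with the same error,
  # rather than surfacing as a NoMethodError on nil.
  ids_db = conf && conf['ids_db']
  raise "no ids_db part found" unless ids_db
  FIDIUS::PreludeDB::Connection.establish_connection ids_db
  connection = FIDIUS::PreludeDB::Connection.connection
  # Only the adapter object is logged, never ids_db.
  $logger.debug "connection is: #{connection}"
  # Required here instead of at file top; presumably the patch must be applied
  # after the connection above exists — confirm before moving it.
  require File.join(File.dirname(__FILE__), 'patches', 'postgres_patch.rb')
end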

#fetch_events(module_instance = nil) ⇒ Object



# File 'lib/evasion-db/idmef-fetchers/prelude-db/lib/prelude_event_fetcher.rb', line 49

# Pulls the alerts reported by #get_events and persists each one as a
# Knowledge::IdmefEvent, copying the fields one-to-one: source_ip/source_port
# become src_ip/src_port and the Prelude id becomes ident.
#
# @param module_instance [Object, nil] accepted for interface compatibility;
#   it is not referenced by this implementation
# @return [Array] the created IdmefEvent records, in the order #get_events
#   returned the alerts
def fetch_events(module_instance=nil)
  get_events.map do |alert|
    FIDIUS::EvasionDB::Knowledge::IdmefEvent.create(
      :payload        => alert.payload,
      :detect_time    => alert.detect_time,
      :dest_ip        => alert.dest_ip,
      :src_ip         => alert.source_ip,
      :dest_port      => alert.dest_port,
      :src_port       => alert.source_port,
      :text           => alert.text,
      :severity       => alert.severity,
      :analyzer_model => alert.analyzer_model,
      :ident          => alert.id
    )
  end
end

#get_events ⇒ Object



# File 'lib/evasion-db/idmef-fetchers/prelude-db/lib/prelude_event_fetcher.rb', line 19

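# Returns the Prelude alerts detected after the watermark set by #begin_record,
# newest first, wrapped as PreludeEvent objects. When @local_ip is set, only
# alerts whose source or destination address equals it are kept; otherwise
# every alert is returned.
#
# @start_time and the message idents go through ActiveRecord conditions
# (bound placeholder / hash conditions) rather than being interpolated into the
# SQL text, so the watermark and DB-sourced idents are not a SQL injection path.
#
# @return [Array<FIDIUS::PreludeDB::PreludeEvent>]
# @raise [RuntimeError] if #begin_record has not been called
#
# NOTE(review): @start_time is not advanced here, so repeated calls report the
# same alerts again — confirm the caller expects that. The 3 s pause before
# querying is kept as-is; presumably it gives the IDS time to flush alerts.
def get_events
  raise "please begin_record before fetching" if @start_time.nil?
  sleep 3
  $logger.debug "alert.find(:all,:joins=>[:detect_time],time > #{@start_time})"

  detect_times = FIDIUS::PreludeDB::DetectTime.find(:all, :order => "time DESC",
                                                    :conditions => ["time > :d", { :d => @start_time }])
  # One alert lookup per detect-time row. find(:first) returns nil when no
  # alert carries that ident (e.g. not yet committed); such rows are skipped
  # with a log line instead of being handed to PreludeEvent.new as nil.
  alerts = detect_times.map do |dt|
    alert = FIDIUS::PreludeDB::Alert.find(:first, :conditions => { :_ident => dt._message_ident })
    $logger.debug "no alert row for message ident #{dt._message_ident}, skipping" if alert.nil?
    alert
  end.compact

  $logger.debug "found #{alerts.size} events"
  alerts.each_with_object([]) do |alert, res|
    ev = FIDIUS::PreludeDB::PreludeEvent.new(alert)
    $logger.debug "Event #{ev.source_ip} -> #{ev.dest_ip}  local_ip:#{@local_ip}"
    # No local IP means no filtering; with one, keep only traffic touching it.
    next if @local_ip && !(ev.source_ip == @local_ip || ev.dest_ip == @local_ip)
    # ev.inspect presumably includes the alert payload, i.e. attacker-influenced
    # network data (newlines included); it is only emitted at debug level.
    $logger.debug "adding #{ev.inspect} to events "
    res << ev
  end
end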