Module: Unified2

Defined in:
lib/unified2.rb,
lib/unified2/event.rb,
lib/unified2/extra.rb,
lib/unified2/packet.rb,
lib/unified2/sensor.rb,
lib/unified2/version.rb,
lib/unified2/protocol.rb,
lib/unified2/signature.rb,
lib/unified2/config_file.rb,
lib/unified2/classification.rb,
lib/unified2/constructor/packet.rb,
lib/unified2/constructor/construct.rb,
lib/unified2/constructor/event_ip4.rb,
lib/unified2/constructor/event_ip6.rb,
lib/unified2/constructor/extra_data.rb,
lib/unified2/constructor/record_header.rb,
lib/unified2/exceptions/file_not_found.rb,
lib/unified2/constructor/primitive/ipv4.rb,
lib/unified2/constructor/extra_construct.rb,
lib/unified2/constructor/legacy_event_ip4.rb,
lib/unified2/constructor/legacy_event_ip6.rb,
lib/unified2/exceptions/binary_read_error.rb,
lib/unified2/exceptions/file_not_readable.rb,
lib/unified2/exceptions/unknown_load_type.rb,
lib/unified2/constructor/extra_data_header.rb

Overview

Unified2

Defined Under Namespace

Modules: Constructor Classes: BinaryReadError, Classification, ConfigFile, Event, Extra, FileNotFound, FileNotReadable, Packet, Protocol, Sensor, Signature, UnknownLoadType

Constant Summary collapse

TYPES =

Configuration File Types

Holds the configuration file types currently supported.

[
  :signatures,
  :generators,
  :classifications
]
VERSION =

Unified2 version

"0.6.1"

Class Attribute Summary collapse

Class Method Summary collapse

Class Attribute Details

.classifications ⇒ Object

Returns the value of attribute classifications.



# File 'lib/unified2.rb', line 30

# Module-level reader for the classifications configuration.
#
# @return [ConfigFile, nil] the object stored by .load(:classifications, path),
#   or nil when nothing has been loaded yet
def classifications
  instance_variable_get(:@classifications)
end

.generators ⇒ Object

Returns the value of attribute generators.



# File 'lib/unified2.rb', line 30

# Module-level reader for the generators configuration.
#
# @return [ConfigFile, nil] the object stored by .load(:generators, path),
#   or nil when nothing has been loaded yet
def generators
  instance_variable_get(:@generators)
end

.hostname ⇒ Object

Returns the value of attribute hostname.



# File 'lib/unified2.rb', line 30

# Module-level reader for the sensor hostname.
#
# @return [Object, nil] whatever was assigned to +@hostname+ (the writer is
#   not shown on this page), or nil when unset
def hostname
  instance_variable_get(:@hostname)
end

.interface ⇒ Object

Returns the value of attribute interface.



# File 'lib/unified2.rb', line 30

# Module-level reader for the sensor interface name.
#
# @return [Object, nil] whatever was assigned to +@interface+ (the writer is
#   not shown on this page), or nil when unset
def interface
  instance_variable_get(:@interface)
end

.sensor(options = {}) {|Sensor| ... } ⇒ nil

Sensor

Parameters:

  • options (Hash) (defaults to: {})

    Sensor Configuration

Options Hash (options):

  • :id (Integer)

    Sensor id

  • :hostname (String)

    Sensor hostname

  • :name (String)

    Sensor name

  • :interface (String)

    Sensor interface

Yields:

  • (Sensor)

    block Sensor attributes

Returns:

  • (nil)


# File 'lib/unified2.rb', line 65

# Module-level reader for the Sensor created by .configuration.
#
# NOTE(review): this is a plain reader; the options/yield signature shown
# above appears to describe a different method — confirm against the source.
#
# @return [Sensor, nil] the sensor set up by .configuration, or nil before
#   configuration has run
def sensor
  instance_variable_get(:@sensor)
end

.signatures ⇒ Object

Returns the value of attribute signatures.



# File 'lib/unified2.rb', line 30

# Module-level reader for the signatures configuration.
#
# @return [ConfigFile, nil] the object stored by .load(:signatures, path),
#   or nil when nothing has been loaded yet
def signatures
  instance_variable_get(:@signatures)
end

Class Method Details

.configuration(options = {}) {|ConfigFile| ... } ⇒ nil

Configuration

Parameters:

  • options (Hash) (defaults to: {})

    Sensor Configuration

Options Hash (options):

  • :id (Integer)

    Sensor id

  • :name (String)

    Sensor name

  • :interface (String)

    Sensor interface

Yields:

Returns:

  • (nil)


# File 'lib/unified2.rb', line 47

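# Configure the module through a small DSL block.
#
# Creates the module-level Sensor on first use — later calls keep the
# existing Sensor and ignore +options+ — then evaluates +block+ with +self+
# set to this module, so the block can call .load and friends directly.
# The block is instance_eval'd, not yielded a ConfigFile.
#
# @param options [Hash] Sensor configuration, handed to Sensor.new unchanged
# @option options [Integer] :id Sensor id
# @option options [String] :name Sensor name
# @option options [String] :interface Sensor interface
# @return [Object, nil] the block's value, or nil when no block is given
def self.configuration(options = {}, &block)
  @sensor ||= Sensor.new(options)
  # instance_eval(&nil) raises ArgumentError, so a block-less call used to
  # blow up after the sensor was already created; now it is a no-op.
  return nil unless block

  instance_eval(&block)
end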

.load(type, path) ⇒ nil

Load

Parameters:

  • type (String)

    Configuration type

  • path (String)

    Configuration path

Returns:

  • (nil)

Raises:



# File 'lib/unified2.rb', line 83

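# Load a configuration file of the given type.
#
# Validates +type+ against TYPES and +path+ against the filesystem, then
# stores the parsed ConfigFile in the matching module-level attribute
# (+@signatures+, +@generators+ or +@classifications+).
#
# @param type [String, Symbol] Configuration type, one of TYPES
# @param path [String] Configuration file path
# @return [ConfigFile] the stored configuration (documented upstream as nil;
#   callers should not rely on the value)
# @raise [UnknownLoadType] if +type+ is not in TYPES
# @raise [FileNotFound] if +path+ does not exist
# @raise [FileNotReadable] if +path+ exists but cannot be read
def self.load(type, path)
  # Interning a caller-supplied String here is harmless: dynamic symbols are
  # garbage-collected since Ruby 2.2, and the allow-list check follows at once.
  type_sym = type.to_sym

  # The allow-list check is what keeps the instance_variable_set below from
  # ever touching an attribute name chosen by the caller.
  unless TYPES.include?(type_sym)
    # The original message interpolated @type (always nil) instead of type.
    raise UnknownLoadType, "Error - #{type} is unknown."
  end

  # File.exists? was removed in Ruby 3.2; File.exist? is the long-standing form.
  raise FileNotFound, "Error - #{path} not found." unless File.exist?(path)
  raise FileNotReadable, "Error - #{path} not readable." unless File.readable?(path)

  instance_variable_set("@#{type_sym}", ConfigFile.new(type, path))
end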

.read(path) {|Event| ... } ⇒ nil

Read

Read the unified2 log until EOF and process events.

Parameters:

  • path (String)

    Unified2 file path

Yields:

  • (Event)

    block Event object

Returns:

  • (nil)

Raises:



# File 'lib/unified2.rb', line 172

# Read a unified2 log from its start to EOF, handing each record to +block+.
#
# The file is opened in block form so it is closed on every exit path,
# including an Interrupt, which simply ends the read.
#
# @param path [String] Unified2 file path
# @yield [Event] each event assembled by check_event
# @return [nil]
# @raise whatever validate_path raises for an unusable path (validate_path is
#   not shown on this page — confirm its contract there)
def self.read(path, &block)
  validate_path(path)

  File.open(path) do |io|
    # Seed with a null event; per the original author it is always ignored.
    # Presumably check_event compares against @event — confirm in the source.
    @event = Event.new(0, 0)

    until io.eof?
      offset = io.pos
      record = Unified2::Constructor::Construct.read(io)
      check_event(record, offset, block)
    end
  end
rescue Interrupt
  # Ctrl-C stops the read; the block form above has already closed the file.
  nil
end

.watch(path, position = :first) {|Event| ... } ⇒ nil

Watch

Monitor the unified2 file for events and process.

Parameters:

  • path (String)

    Unified2 file path

  • position (String, Symbol, Integer) (defaults to: :first)

    IO position

Yields:

  • (Event)

    block Event object

Returns:

  • (nil)

Raises:



# File 'lib/unified2.rb', line 114

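# Tail a unified2 log, handing every record to +block+ as it appears.
#
# Runs until interrupted: at EOF it sleeps and retries rather than returning.
#
# @param path [String] Unified2 file path
# @param position [String, Symbol, Integer] where to start reading:
#   +:last+ or "last" for the current end of file, an Integer byte offset,
#   anything else for the start of the file
# @yield [Event] each event assembled by check_event
# @return [Integer, nil] the file offset at the moment of an Interrupt, usable
#   as the Integer +position+ of a later call to resume; nil if the file was
#   never opened
# @raise [BinaryReadError] when a RuntimeError surfaces from the read loop
# @raise whatever validate_path raises for an unusable path (validate_path is
#   not shown on this page — confirm its contract there)
def self.watch(path, position = :first, &block)
  validate_path(path)

  io = File.open(path)

  # sysseek must not be mixed with buffered reads; nothing has been read yet,
  # so it is safe here. A freshly opened file sits at offset 0, which makes
  # SEEK_SET equivalent to the original SEEK_CUR for the Integer case.
  case position
  when Integer
    io.sysseek(position, IO::SEEK_SET)
  when Symbol, String
    # Accept "last" as well as :last; the String form previously fell
    # through to the start of the file despite being a documented input.
    if position.to_sym == :last
      io.sysseek(0, IO::SEEK_END)
    else
      io.sysseek(0, IO::SEEK_SET)
    end
  else
    io.sysseek(0, IO::SEEK_SET)
  end

  # Seed with a null event; per the original author it is always ignored.
  @event = Event.new(0, 0)

  poll_interval = 5 # seconds to wait at EOF before checking for new records

  loop do
    begin
      offset = io.pos
      record = Unified2::Constructor::Construct.read(io)
      check_event(record, offset, block)
    rescue EOFError
      sleep poll_interval
      retry
    end
  end

rescue RuntimeError
  # NOTE(review): this also wraps a RuntimeError raised by the caller's block
  # via check_event; the original is still reachable through #cause.
  raise BinaryReadError, "incorrect file format or position seek error"
rescue Interrupt
  io.pos if io
ensure
  io.close if io
end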