Class: Unified2::Event

Inherits:
Object
  • Object
show all
Defined in:
lib/unified2/event.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(id) ⇒ Event

Returns a new instance of Event.



14
15
16
 
# File 'lib/unified2/event.rb', line 14

def initialize(id)
  @id = id
end

Instance Attribute Details

#idObject

Returns the value of attribute id.



12
13
14
 
# File 'lib/unified2/event.rb', line 12

def id
  @id
end

#metadataObject

Returns the value of attribute metadata.



12
13
14
 
# File 'lib/unified2/event.rb', line 12

def metadata
  @metadata
end

#packetObject

Returns the value of attribute packet.



12
13
14
 
# File 'lib/unified2/event.rb', line 12

def packet
  @packet
end

Instance Method Details

#classificationObject 



69
70
71
72
73
 
# File 'lib/unified2/event.rb', line 69

def classification
  if @metadata.is_a?(Hash)
    @classification = Classification.new(@metadata[:classification]) if @metadata[:classification]
  end
end

#destination_portObject

Add ICMP code



108
109
110
111
 
# File 'lib/unified2/event.rb', line 108

def destination_port
  return 0 if icmp?
  @source_port = @metadata[:dport_icode] if @metadata.has_key?(:dport_icode)
end

#event_timeObject Also known as: timestamp 



25
26
27
28
29
 
# File 'lib/unified2/event.rb', line 25

def event_time
  if @packet.has_key?(:event_second)
    @timestamp = Time.at(@packet[:event_second].to_i)
  end
end

#generator_idObject 



81
82
83
84
85
 
# File 'lib/unified2/event.rb', line 81

def generator_id
  if @metadata.is_a?(Hash)
    @metadata[:generator_id] if @metadata.has_key?(:generator_id)
  end
end

#icmp?Boolean

Returns:

  • (Boolean) 


54
55
56
57
 
# File 'lib/unified2/event.rb', line 54

def icmp?
  return true if protocol == :ICMP
  false
end

#ip_destinationObject Also known as: destination_ip 



100
101
102
103
104
 
# File 'lib/unified2/event.rb', line 100

def ip_destination
  if @metadata.is_a?(Hash)
    @metadata[:ip_destination] if @metadata.has_key?(:ip_destination)
  end
end

#ip_sourceObject Also known as: source_ip 



87
88
89
90
91
 
# File 'lib/unified2/event.rb', line 87

def ip_source
  if @metadata.is_a?(Hash)
    @metadata[:ip_source] if @metadata.has_key?(:ip_source)
  end
end

#jsonObject 



154
155
156
 
# File 'lib/unified2/event.rb', line 154

def json
  to_h.to_json
end

#load(event) ⇒ Object 



125
126
127
128
129
130
131
132
133
 
# File 'lib/unified2/event.rb', line 125

def load(event)
  if event.data.respond_to?(:signature_id)
    @metadata ||= build_event_metadata(event)
  end

  if event.data.respond_to?(:packet_data)
    @packet ||= build_packet_metadata(event)
  end
end

#microsecondsObject 



32
33
34
35
36
 
# File 'lib/unified2/event.rb', line 32

def microseconds
  if @metadata.has_key?(:event_microsecond)
    @microseconds = @metadata[:event_microsecond]
  end
end

#packet_actionObject 



42
43
44
45
46
 
# File 'lib/unified2/event.rb', line 42

def packet_action
  if @metadata.has_key?(:event_second)
    @packet_action = @metadata[:packet_action]
  end
end

#packet_timeObject 



18
19
20
21
22
23
 
# File 'lib/unified2/event.rb', line 18

def packet_time
  if @packet.has_key?(:packet_second)
    @packet[:packet_second]
    @timestamp = Time.at(@packet[:packet_second].to_i)
  end
end

#payloadObject 



117
118
119
120
121
122
123
 
# File 'lib/unified2/event.rb', line 117

def payload
  if @packet.is_a?(Hash)
    Payload.new(@packet)
  else
    Payload.new
  end
end

#protocolObject 



48
49
50
51
52
 
# File 'lib/unified2/event.rb', line 48

def protocol
  if @metadata.has_key?(:protocol)
    @protocol = determine_protocol(@metadata[:protocol])
  end
end

#sensorObject 



38
39
40
 
# File 'lib/unified2/event.rb', line 38

def sensor
  @sensor ||= Unified2.sensor
end

#severityObject 



113
114
115
 
# File 'lib/unified2/event.rb', line 113

def severity
  @severity = @metadata[:priority_id] if @metadata.has_key?(:priority_id)
end

#signatureObject 



75
76
77
78
79
 
# File 'lib/unified2/event.rb', line 75

def signature
  if @metadata.is_a?(Hash)
    @signature = Signature.new(@metadata[:signature])
  end
end

#source_portObject

Add ICMP type



95
96
97
98
 
# File 'lib/unified2/event.rb', line 95

def source_port
  return 0 if icmp?
  @source_port = @metadata[:sport_itype] if @metadata.has_key?(:sport_itype)
end

#tcp?Boolean

Returns:

  • (Boolean) 


59
60
61
62
 
# File 'lib/unified2/event.rb', line 59

def tcp?
  return true if protocol == :TCP
  false
end

#to_hObject 



135
136
137
138
139
140
141
142
143
144
145
146
147
148
 
# File 'lib/unified2/event.rb', line 135

def to_h
  if @metadata.is_a?(Hash)
    if @packet.is_a?(Hash)
      data = {}
      data.merge!(@metadata)
      data.merge!(@packet)
      return data
    end
  else
    if @packet.is_a?(Hash)
      return @packet
    end
  end
end

#to_iObject 



150
151
152
 
# File 'lib/unified2/event.rb', line 150

def to_i
  @id.to_i
end

#to_sObject 



158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
 
# File 'lib/unified2/event.rb', line 158

def to_s
data = %{
#############################################################################
Event ID: #{id}
Timestamp: #{timestamp}
Severity: #{severity}
Protocol: #{protocol}
Source IP: #{source_ip}:#{source_port}
Destination IP: #{destination_ip}:#{destination_port}
Signature: #{signature.name}
Payload:

}
  if payload.blank?
    data + '#############################################################################'
  else
    payload.dump(:width => 30, :output => data)
    data + "#############################################################################"
  end
end

#udp?Boolean

Returns:

  • (Boolean) 


64
65
66
67
 
# File 'lib/unified2/event.rb', line 64

def udp?
  return true if protocol == :UDP
  false
end