unified2
Description
A Ruby interface for unified2 output. rUnified2 lets you read unified2 output and manipulate it for custom storage and/or analysis.
Features
* Monitor unified2 logs and manipulate the data.
* Modular adaptor support (MongoDB, MySQL, PostgreSQL, Sguil, etc.)
* Parse unified2 log files
* Numerous convenience methods for statistical analysis
Examples
require 'unified2'

# Load sensor configuration and rule maps into memory
Unified2.configuration do
  # Sensor Configurations
  sensor :id => 1, :name => 'Test Sensor', :interface => 'en1'

  # Load signatures, generators & classifications into memory
  load :signatures, 'sid-msg.map'
  load :generators, 'gen-msg.map'
  load :classifications, 'classification.config'
end

# Unified2#watch
# Watch a unified2 file for changes and process the results.
Unified2.watch('/var/log/snort/merged.log', :last) do |event|
  next if event.signature.name.blank?
  puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
  puts event.payload.dump(:width => 30)
  puts event.classification.name
end

# Unified2#read
# Parse a unified2 file and process the results.
Unified2.read('/var/log/snort/merged.log') do |event|
  puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
end
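The examples above use the gem's high-level API. As an added example that is not the gem's own code, the following pure-Ruby reader shows what `Unified2.read` has to do underneath: walk the file record by record, decode the record types it understands, and pair packet records with the alert they belong to. The record layouts (an 8-byte big-endian type/length header, the 52-byte legacy IPv4 IDS event of type 7 and the packet record of type 2) are those defined in Snort's Unified2_common.h; the gem itself decodes them with BinData, which this example avoids so that it runs with the standard library only. All function and constant names here are this example's own, and the sample log bytes are constructed, including a deliberately truncated trailing record to show how a reader should stop at a record that is still being written.

```ruby
# Added example (not part of the unified2 gem): a minimal pure-Ruby reader for
# the two most common Snort unified2 record types. Every record is an 8-byte
# big-endian header (type, length) followed by `length` bytes of payload.
require 'socket'
require 'ipaddr'

UNIFIED2_PACKET    = 2   # Unified2Packet
UNIFIED2_IDS_EVENT = 7   # Unified2IDSEvent_legacy (IPv4, 52 bytes)

# Field names of the legacy IPv4 IDS event, in on-disk order.
IDS_EVENT_FIELDS = %i[
  sensor_id event_id event_second event_microsecond signature_id
  generator_id signature_revision classification_id priority_id
  ip_source ip_destination sport_itype dport_icode
  protocol impact_flag impact blocked
].freeze
IDS_EVENT_FORMAT = 'N11 n2 C4'   # 11 x uint32, 2 x uint16, 4 x uint8, network order

PACKET_FIELDS = %i[
  sensor_id event_id event_second packet_second packet_microsecond
  linktype packet_length
].freeze
PACKET_FORMAT = 'N7'             # 28-byte fixed header, then packet_length bytes of data

# Parse one record payload into a Hash; nil for record types not handled here.
def parse_record(type, data)
  case type
  when UNIFIED2_IDS_EVENT
    raise ArgumentError, "short IDS event (#{data.bytesize} bytes)" if data.bytesize < 52
    rec = IDS_EVENT_FIELDS.zip(data.unpack(IDS_EVENT_FORMAT)).to_h
    rec[:ip_source]      = IPAddr.new(rec[:ip_source], Socket::AF_INET).to_s
    rec[:ip_destination] = IPAddr.new(rec[:ip_destination], Socket::AF_INET).to_s
    rec
  when UNIFIED2_PACKET
    raise ArgumentError, 'short packet record' if data.bytesize < 28
    rec = PACKET_FIELDS.zip(data.unpack(PACKET_FORMAT)).to_h
    # Never trust the embedded length further than the record actually extends.
    raise ArgumentError, 'packet_length exceeds record' if 28 + rec[:packet_length] > data.bytesize
    rec[:packet_data] = data.byteslice(28, rec[:packet_length])
    rec
  end
end

# Walk a unified2 byte string, yielding [type, parsed_record] per record.
# Stops cleanly at a truncated trailing record, which is the normal state of a
# file the sensor is still writing to; returns the number of bytes consumed so
# a watcher knows where to resume once more data arrives.
def each_record(bytes)
  offset = 0
  while offset + 8 <= bytes.bytesize
    type, length = bytes.byteslice(offset, 8).unpack('NN')
    break if offset + 8 + length > bytes.bytesize   # incomplete record, wait for more
    yield type, parse_record(type, bytes.byteslice(offset + 8, length))
    offset += 8 + length
  end
  offset
end

# Group packet records with their alert, keyed the way Snort links them:
# (sensor_id, event_id, event_second).
def correlate(bytes)
  events = {}
  each_record(bytes) do |type, rec|
    next if rec.nil?
    key = rec.values_at(:sensor_id, :event_id, :event_second)
    case type
    when UNIFIED2_IDS_EVENT then events[key] = rec.merge(packets: [])
    when UNIFIED2_PACKET    then (events[key] ||= { packets: [] })[:packets] << rec
    end
  end
  events.values
end

# --- constructed sample data (not a real capture) ---
def build_record(type, payload)
  [type, payload.bytesize].pack('NN') + payload
end

SAMPLE_EVENT = [
  1, 42, 1_300_000_000, 123_456,            # sensor_id, event_id, event_second, event_microsecond
  2_000_000, 1, 3, 30, 2,                   # signature_id, generator_id, revision, classification_id, priority_id
  IPAddr.new('10.0.0.5').to_i, IPAddr.new('192.168.1.20').to_i,
  40_000, 80,                               # sport_itype, dport_icode
  6, 0, 0, 0                                # protocol (TCP), impact_flag, impact, blocked
].pack(IDS_EVENT_FORMAT)

SAMPLE_PACKET_DATA = "GET / HTTP/1.1\r\n".b
SAMPLE_PACKET = [1, 42, 1_300_000_000, 1_300_000_000, 123_456, 1,
                 SAMPLE_PACKET_DATA.bytesize].pack(PACKET_FORMAT) + SAMPLE_PACKET_DATA

SAMPLE_LOG = build_record(UNIFIED2_IDS_EVENT, SAMPLE_EVENT) +
             build_record(UNIFIED2_PACKET, SAMPLE_PACKET) +
             "\x00\x00\x00\x07\x00\x00\x00\x34\x00\x00".b   # truncated trailing record

if $PROGRAM_NAME == __FILE__
  correlate(SAMPLE_LOG).each do |ev|
    puts "#{ev[:event_id]} | #{ev[:ip_destination]} | #{ev[:ip_source]} | sid #{ev[:signature_id]} | #{ev[:packets].size} packet(s)"
  end
end
```

The `each_record` return value matters for a watcher: on the next poll it reads from that offset rather than re-parsing the whole file, and a header whose length points past the end of the data is treated as "not yet written" rather than as an error.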
Requirements
* bindata ~> 1.3.1
* hexdump ~> 0.1.0
Install
$ gem install unified2
Copyright
Copyright © 2011 Dustin Willis Webber
See LICENSE.txt for details.