unified2

Description

A Ruby interface for unified2 output. rUnified2 allows you to read and manipulate unified2 output for custom storage and/or analysis.

Features

* Monitor/Read unified2 logs & manipulate the data.
* Numerous convenience methods
* Simple & Intuitive to Use

Examples

require 'unified2'

# Describe the sensor and load the signature/classification maps into memory
Unified2.configuration do
 # Sensor Configurations
 sensor :id => 1, :name => 'Test Sensor', :interface => 'en1'

 # Load signatures, generators & classifications into memory
 load :signatures, 'sid-msg.map'
 load :generators, 'gen-msg.map'
 load :classifications, 'classification.config'
end

# Unified2#watch
# Watch a unified2 file for changes and process the results.
Unified2.watch('/var/log/snort/merged.log', :last) do |event|
 next if event.signature.name.blank?

 puts event
end

# Unified2#read
# Parse a unified2 file and process the results.
Unified2.read('/var/log/snort/merged.log') do |event|
 puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
end
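The gem hides the on-disk layout behind Unified2.read and Unified2.watch. As an added example (not the gem's own code, and not depending on it), the script below parses that layout directly with String#unpack: a unified2 file is a sequence of records, each an 8-byte big-endian header (uint32 type, uint32 length) followed by a body, and type 7 is the 52-byte IPv4 IDS event. It goes beyond the README in two ways a defender cares about: a clipped trailing record (a file still being written) ends iteration instead of raising, and events are counted per signature and source address while unnamed signatures are skipped, as the blank? check above does. The sid map hash and the log bytes are constructed inline and stand in for sid-msg.map and merged.log; the record type numbers come from the unified2 format itself.

```ruby
# Added example (not the unified2 gem's code): a minimal reader for the
# on-disk unified2 format, which the gem's Unified2.read/watch parse for you.
# Record header = uint32 type + uint32 length (big-endian); type 7 is the
# IPv4 IDS event, whose 52-byte body is laid out as IDS_EVENT_FIELDS.
require 'ipaddr'
require 'socket'

UNIFIED2_PACKET    = 2   # packet record; ignored below
UNIFIED2_IDS_EVENT = 7   # legacy IPv4 IDS event record

IDS_EVENT_FIELDS = %i[
  sensor_id event_id event_second event_microsecond signature_id generator_id
  signature_revision classification_id priority_id ip_source ip_destination
  sport_itype dport_icode protocol impact_flag impact blocked
].freeze
IDS_EVENT_FORMAT = 'N11n2C4'  # 9 uint32 + 2 IPv4 addresses, 2 uint16, 4 uint8
IDS_EVENT_SIZE   = 52

# Serialize one IDS event (header + body). Used only to construct sample input.
def build_ids_event(f)
  body = [
    f[:sensor_id], f[:event_id], f[:event_second], f[:event_microsecond],
    f[:signature_id], f[:generator_id], f[:signature_revision],
    f[:classification_id], f[:priority_id],
    IPAddr.new(f[:ip_source]).to_i, IPAddr.new(f[:ip_destination]).to_i,
    f[:sport_itype], f[:dport_icode],
    f[:protocol], f[:impact_flag], f[:impact], f[:blocked]
  ].pack(IDS_EVENT_FORMAT)
  [UNIFIED2_IDS_EVENT, body.bytesize].pack('NN') + body
end

# Yield (type, body) for every complete record; a truncated trailing record
# (a file still being written, or a clipped copy) ends iteration quietly.
def each_record(data)
  offset = 0
  while offset + 8 <= data.bytesize
    type, length = data.byteslice(offset, 8).unpack('NN')
    break if offset + 8 + length > data.bytesize
    yield type, data.byteslice(offset + 8, length)
    offset += 8 + length
  end
end

# Decode a type-7 body into a Hash with dotted-quad addresses.
def parse_ids_event(body)
  raise ArgumentError, "short IDS event body: #{body.bytesize} bytes" if body.bytesize < IDS_EVENT_SIZE
  event = IDS_EVENT_FIELDS.zip(body.unpack(IDS_EVENT_FORMAT)).to_h
  event[:ip_source]      = IPAddr.new(event[:ip_source], Socket::AF_INET).to_s
  event[:ip_destination] = IPAddr.new(event[:ip_destination], Socket::AF_INET).to_s
  event
end

# Count events per (signature name, source IP), skipping signatures with no
# name in the sid map, as the blank? check in the README's watch example does.
def summarize(data, sid_names)
  counts = Hash.new(0)
  each_record(data) do |type, body|
    next unless type == UNIFIED2_IDS_EVENT
    ev   = parse_ids_event(body)
    name = sid_names[ev[:signature_id]]
    next if name.nil? || name.empty?
    counts[[name, ev[:ip_source]]] += 1
  end
  counts
end

# --- constructed sample data (stands in for sid-msg.map and merged.log) ---
SAMPLE_SIDS = { 1_000_001 => 'CONSTRUCTED test rule', 1_000_002 => '' }.freeze

BASE_EVENT = {
  sensor_id: 1, event_id: 1, event_second: 1_300_000_000, event_microsecond: 0,
  signature_id: 1_000_001, generator_id: 1, signature_revision: 1,
  classification_id: 3, priority_id: 2, ip_source: '192.0.2.10',
  ip_destination: '198.51.100.5', sport_itype: 40_000, dport_icode: 22,
  protocol: 6, impact_flag: 0, impact: 0, blocked: 0
}.freeze

SAMPLE_LOG = [
  build_ids_event(BASE_EVENT),
  build_ids_event(BASE_EVENT.merge(event_id: 2, dport_icode: 23)),
  build_ids_event(BASE_EVENT.merge(event_id: 3, signature_id: 1_000_002, ip_source: '192.0.2.11')),
  build_ids_event(BASE_EVENT.merge(event_id: 4, signature_id: 1_000_003)),
  [UNIFIED2_PACKET, 4].pack('NN') + "\x00\x00\x00\x00".b,            # packet record, skipped
  [UNIFIED2_IDS_EVENT, IDS_EVENT_SIZE].pack('NN') + ("\x00" * 10).b  # clipped record
].join

if $PROGRAM_NAME == __FILE__
  summarize(SAMPLE_LOG, SAMPLE_SIDS).each do |(name, src), n|
    puts "#{n} x #{name} from #{src}"
  end
end
```

Running it prints one line, two hits of the constructed rule from 192.0.2.10: the unnamed signature, the signature missing from the map, the packet record and the clipped record are all dropped. To read a real file, pass File.binread('/var/log/snort/merged.log') to summarize in place of SAMPLE_LOG and a hash built from sid-msg.map in place of SAMPLE_SIDS.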

Requirements

* bindata ~> 1.3.1
* hexdump ~> 0.1.0

Install

$ gem install unified2

Copyright © 2011 Dustin Willis Webber

See LICENSE.txt for details.