Class: Unified2::Event

Inherits:
Object
  • Object
show all
Defined in:
lib/unified2/event.rb

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(id) ⇒ Event

Returns a new instance of Event.



14
15
16
 
# File 'lib/unified2/event.rb', line 14

def initialize(id)
  @id = id
end

Instance Attribute Details

#idObject

Returns the value of attribute id.



12
13
14
 
# File 'lib/unified2/event.rb', line 12

def id
  @id
end

#metadataObject

Returns the value of attribute metadata.



12
13
14
 
# File 'lib/unified2/event.rb', line 12

def metadata
  @metadata
end

#packetObject

Returns the value of attribute packet.



12
13
14
 
# File 'lib/unified2/event.rb', line 12

def packet
  @packet
end

Instance Method Details

#classificationObject 



73
74
75
76
77
 
# File 'lib/unified2/event.rb', line 73

def classification
  if @metadata.is_a?(Hash)
    @classification = Classification.new(@metadata[:classification]) if @metadata[:classification]
  end
end

#destination_portObject

Add ICMP code



112
113
114
115
 
# File 'lib/unified2/event.rb', line 112

def destination_port
  return 0 if icmp?
  @source_port = @metadata[:dport_icode] if @metadata.has_key?(:dport_icode)
end

#event_timeObject Also known as: timestamp 



29
30
31
32
33
 
# File 'lib/unified2/event.rb', line 29

def event_time
  if @packet.has_key?(:event_second)
    @timestamp = Time.at(@packet[:event_second].to_i)
  end
end

#generator_idObject 



85
86
87
88
89
 
# File 'lib/unified2/event.rb', line 85

def generator_id
  if @metadata.is_a?(Hash)
    @metadata[:generator_id] if @metadata.has_key?(:generator_id)
  end
end

#icmp?Boolean

Returns:

  • (Boolean) 


58
59
60
61
 
# File 'lib/unified2/event.rb', line 58

def icmp?
  return true if protocol == :ICMP
  false
end

#ip_destinationObject Also known as: destination_ip 



104
105
106
107
108
 
# File 'lib/unified2/event.rb', line 104

def ip_destination
  if @metadata.is_a?(Hash)
    @metadata[:ip_destination] if @metadata.has_key?(:ip_destination)
  end
end

#ip_sourceObject Also known as: source_ip 



91
92
93
94
95
 
# File 'lib/unified2/event.rb', line 91

def ip_source
  if @metadata.is_a?(Hash)
    @metadata[:ip_source] if @metadata.has_key?(:ip_source)
  end
end

#jsonObject 



158
159
160
 
# File 'lib/unified2/event.rb', line 158

def json
  to_h.to_json
end

#load(event) ⇒ Object 



129
130
131
132
133
134
135
136
137
 
# File 'lib/unified2/event.rb', line 129

def load(event)
  if event.data.respond_to?(:signature_id)
    @metadata ||= build_event_metadata(event)
  end

  if event.data.respond_to?(:packet_data)
    @packet ||= build_packet_metadata(event)
  end
end

#microsecondsObject 



36
37
38
39
40
 
# File 'lib/unified2/event.rb', line 36

def microseconds
  if @metadata.has_key?(:event_microsecond)
    @microseconds = @metadata[:event_microsecond]
  end
end

#packet_actionObject 



46
47
48
49
50
 
# File 'lib/unified2/event.rb', line 46

def packet_action
  if @metadata.has_key?(:event_second)
    @packet_action = @metadata[:packet_action]
  end
end

#packet_timeObject 



18
19
20
21
22
23
 
# File 'lib/unified2/event.rb', line 18

def packet_time
  if @packet.has_key?(:packet_second)
    @packet[:packet_second]
    @timestamp = Time.at(@packet[:packet_second].to_i)
  end
end

#payloadObject 



121
122
123
124
125
126
127
 
# File 'lib/unified2/event.rb', line 121

def payload
  if @packet.is_a?(Hash)
    Payload.new(@packet)
  else
    Payload.new
  end
end

#protocolObject 



52
53
54
55
56
 
# File 'lib/unified2/event.rb', line 52

def protocol
  if @metadata.has_key?(:protocol)
    @protocol = determine_protocol(@metadata[:protocol])
  end
end

#sensorObject 



42
43
44
 
# File 'lib/unified2/event.rb', line 42

def sensor
  @sensor ||= Unified2.sensor
end

#severityObject 



117
118
119
 
# File 'lib/unified2/event.rb', line 117

def severity
  @severity = @metadata[:priority_id] if @metadata.has_key?(:priority_id)
end

#signatureObject 



79
80
81
82
83
 
# File 'lib/unified2/event.rb', line 79

def signature
  if @metadata.is_a?(Hash)
    @signature = Signature.new(@metadata[:signature])
  end
end

#source_portObject

Add ICMP type



99
100
101
102
 
# File 'lib/unified2/event.rb', line 99

def source_port
  return 0 if icmp?
  @source_port = @metadata[:sport_itype] if @metadata.has_key?(:sport_itype)
end

#tcp?Boolean

Returns:

  • (Boolean) 


63
64
65
66
 
# File 'lib/unified2/event.rb', line 63

def tcp?
  return true if protocol == :TCP
  false
end

#to_hObject 



139
140
141
142
143
144
145
146
147
148
149
150
151
152
 
# File 'lib/unified2/event.rb', line 139

def to_h
  if @metadata.is_a?(Hash)
    if @packet.is_a?(Hash)
      data = {}
      data.merge!(@metadata)
      data.merge!(@packet)
      return data
    end
  else
    if @packet.is_a?(Hash)
      return @packet
    end
  end
end

#to_iObject 



154
155
156
 
# File 'lib/unified2/event.rb', line 154

def to_i
  @id.to_i
end

#to_sObject 



162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
 
# File 'lib/unified2/event.rb', line 162

def to_s
data = %{
#############################################################################
# Sensor: #{sensor.id}
# Event ID: #{id}
# Timestamp: #{timestamp}
# Severity: #{severity}
# Protocol: #{protocol}
# Source IP: #{source_ip}:#{source_port}
# Destination IP: #{destination_ip}:#{destination_port}
# Signature: #{signature.name}
# Classification: #{classification.name}
# Payload:

}
  if payload.blank?
    data + '#############################################################################'
  else
    payload.dump(:width => 30, :output => data)
    data + "#############################################################################"
  end
end

#udp?Boolean

Returns:

  • (Boolean) 


68
69
70
71
 
# File 'lib/unified2/event.rb', line 68

def udp?
  return true if protocol == :UDP
  false
end

#uidObject 



25
26
27
 
# File 'lib/unified2/event.rb', line 25

def uid
  "#{sensor.id}.#{@id}"
end