Class: Unified2::Event

Inherits:

Object

• Object
• Unified2::Event

Defined in:

lib/unified2/event.rb

Overview

Event

Constant Summary

EVENT_TYPES =

Normal Event headers types

[7, 72, 104, 105]

EXTRA =

Extra Data Event Header Types

[ 110 ]

LEGACY_EVENT_TYPES =

Legacy Event Header Types

[7, 72]

PACKET_TYPES =

Packet Event Header Types

[2]

Instance Attribute Summary

• #event ⇒ Object

  Setup method defaults.

• #extras {|Extra| ... } ⇒ Array

  Extras.

• #id ⇒ Object

  Setup method defaults.

• #packets {|Packet| ... } ⇒ Array

  Packets.

Instance Method Summary

• #checksum ⇒ String

  Checksum.

• #classification ⇒ Classification

  Classification.

• #destination_port ⇒ Integer

  Destination Port.

• #event_time ⇒ Time^? (also: #timestamp)

  Event Time.

• #extras? ⇒ True, False

  Has Extra Data.

• #icmp? ⇒ true, false

  ICMP?.

• #initialize(id) ⇒ Event constructor

  Initialize event.

• #ip_destination ⇒ IPAddr (also: #destination_ip)

  Destination IP Address.

• #ip_source ⇒ IPAddr (also: #source_ip)

  Source IP Address.

• #json ⇒ String

  Convert To Json.

• #load(event) ⇒ nil

  Load.

• #microseconds ⇒ String^?

  Microseconds.

• #packet_action ⇒ Integer^?

  Packet Action.

• #packet_time ⇒ Time^?

  Packet Time.

• #packets? ⇒ True, False

  Has Packet Data.

• #protocol ⇒ Protocol

  Protocol.

• #sensor ⇒ Sensor

  Sensor.

• #severity ⇒ Integer

  Severity.

• #signature ⇒ Signature^?

  Signature.

• #source_port ⇒ Integer

  Source Port.

• #tcp? ⇒ true, false

  TCP?.

• #to_h ⇒ Hash

  Convert To Hash.

• #to_i ⇒ Integer

  Convert To Integer.

• #to_s ⇒ String

  Convert To String.

• #udp? ⇒ true, false

  UDP?.

Constructor Details

#initialize(id) ⇒ Event

Initialize event

Parameters:

• id (Integer) —

  Event id

# File 'lib/unified2/event.rb', line 51

def initialize(id)
  @id = id.to_i
  @packets = []
  @extras = []
end

Instance Attribute Details

#event ⇒ Object

Setup method defaults

# File 'lib/unified2/event.rb', line 44

def event
  @event
end

#extras {|Extra| ... } ⇒ Array

Extras

Yields:

• (Extra) —

  yield event extra objects

Returns:

• (Array) —

  Extra object array

# File 'lib/unified2/event.rb', line 44

def extras
  @extras
end

#id ⇒ Object

Setup method defaults

# File 'lib/unified2/event.rb', line 44

def id
  @id
end

#packets {|Packet| ... } ⇒ Array

Packets

Yields:

• (Packet) —

  Description

Returns:

• (Array) —

  Packet object array

# File 'lib/unified2/event.rb', line 44

def packets
  @packets
end

Instance Method Details

#checksum ⇒ String

Checksum

Create a unique checksum for each event using the ip source, destination, signature id, generator id, sensor id, severity id, and the classification id.

Returns:

• (String) —

  Event checksum

# File 'lib/unified2/event.rb', line 81

def checksum
  checkdum = [ip_source, ip_destination, signature.id, signature.generator, sensor.id, severity, classification.id]
  Digest::MD5.hexdigest(checkdum.join(''))
end

#classification ⇒ Classification

Classification

Returns:

• (Classification) —

  Event classification object

# File 'lib/unified2/event.rb', line 168

def classification
  Classification.new(@event_data[:classification])
end

#destination_port ⇒ Integer

Note:

Event#destination_port will return zero if the event protocol is icmp.

Destination Port

Returns:

• (Integer) —

  Event destination port

# File 'lib/unified2/event.rb', line 223

def destination_port
  @event_data[:destination_port]
end

#event_time ⇒ Time^? Also known as: timestamp

Event Time

The event timestamp created by unified2.

Returns:

• (Time, nil) —

  Event time object

# File 'lib/unified2/event.rb', line 93

def event_time
  Time.at(@event_data[:timestamp].to_i)
end

#extras? ⇒ True, False

Has Extra Data

Returns:

• (True, False) —

  Does the event have extra data?

# File 'lib/unified2/event.rb', line 274

def extras?
  @extras.empty?
end

#icmp? ⇒ true, false

ICMP?

Returns:

• (true, false) —

  Check is protocol is icmp

# File 'lib/unified2/event.rb', line 132

def icmp?
  protocol == :ICMP
end

#ip_destination ⇒ IPAddr Also known as: destination_ip

Destination IP Address

Returns:

• (IPAddr) —

  Event destination ip address

# File 'lib/unified2/event.rb', line 209

def ip_destination
  @event_data[:destination_ip]
end

#ip_source ⇒ IPAddr Also known as: source_ip

Source IP Address

Returns:

• (IPAddr) —

  Event source ip address

# File 'lib/unified2/event.rb', line 186

def ip_source
  @event_data[:source_ip]
end

#json ⇒ String

Convert To Json

Returns:

• (String) —

  Event hash in json format

# File 'lib/unified2/event.rb', line 348

def json
  to_h.to_json
end

#load(event) ⇒ nil

Load

Initializes the raw data returned by bindata into a more comfortable format.

Parameters:

• Name (Hash) —

  Description

Returns:

• (nil)

# File 'lib/unified2/event.rb', line 288

def load(event)

  if EXTRA.include?(event.header.u2type)
    extra = Extra.new(event)
    @extras.push(extra)
  end

  if EVENT_TYPES.include?(event.header.u2type)
    @event = event
    @event_data = build_event_data
  end

  if PACKET_TYPES.include?(event.header.u2type)
    packet = Packet.new(build_packet_data(event))
    @packets.push(packet)
  end

end

#microseconds ⇒ String^?

Microseconds

The event time in microseconds.

Returns:

• (String, nil) —

  Event microseconds

# File 'lib/unified2/event.rb', line 105

def microseconds
  @event_data[:event_microsecond]
end

#packet_action ⇒ Integer^?

Packet Action

Returns:

• (Integer, nil) —

  Packet action

# File 'lib/unified2/event.rb', line 123

def packet_action
  @event_data[:packet_action]
end

#packet_time ⇒ Time^?

Packet Time

Time of creation for the unified2 packet.

Returns:

• (Time, nil) —

  Packet time object

# File 'lib/unified2/event.rb', line 64

def packet_time
  if @packet_data.has_key?(:packet_second)
    @packet_data[:packet_second]
    @timestamp = Time.at(@packet_data[:packet_second].to_i)
  end
end

#packets? ⇒ True, False

Has Packet Data

Returns:

• (True, False) —

  Does the event have packet data?

# File 'lib/unified2/event.rb', line 253

def packets?
  @packets.empty?
end

#protocol ⇒ Protocol

Protocol

Returns:

• (Protocol) —

  Event protocol object

# File 'lib/unified2/event.rb', line 159

def protocol
  @protocol ||= determine_protocol
end

#sensor ⇒ Sensor

Sensor

Returns:

• (Sensor) —

  Sensor object

# File 'lib/unified2/event.rb', line 114

def sensor
  @sensor ||= Unified2.sensor
end

#severity ⇒ Integer

Severity

Returns:

• (Integer) —

  Event severity id

# File 'lib/unified2/event.rb', line 232

def severity
  @severity = @event_data[:priority_id].to_i
end

#signature ⇒ Signature^?

Signature

Returns:

• (Signature, nil) —

  Event signature object

# File 'lib/unified2/event.rb', line 177

def signature
  @signature ||= Signature.new(@event_data[:signature])
end

#source_port ⇒ Integer

Note:

Event#source_port will return zero if the event protocol is icmp.

Source Port

Returns:

• (Integer) —

  Event source port

# File 'lib/unified2/event.rb', line 200

def source_port
  @event_data[:source_port]
end

#tcp? ⇒ true, false

TCP?

Returns:

• (true, false) —

  Check is protocol is tcp

# File 'lib/unified2/event.rb', line 141

def tcp?
  protocol == :TCP
end

#to_h ⇒ Hash

Convert To Hash

Returns:

• (Hash) —

  Event hash object

# File 'lib/unified2/event.rb', line 312

def to_h
  @to_hash = {}
  
  @event_data[:extras] = @extras
  @event_data[:packets] = @packets

  #unless payload.blank?
    #hexdump = ''
    #payload.dump(:width => 30, :output => hexdump)
    #@packet_data[:packet] = hexdump
  #end

  #.encode('utf-8', 'iso-8859-1')
  
  #[@event_data, @packet_data].each do |hash|
    #@to_hash.merge!(hash) if hash.is_a?(Hash)
  #end
  
  #@to_hash
  @event_data
end

#to_i ⇒ Integer

Convert To Integer

Returns:

• (Integer) —

  Event id

# File 'lib/unified2/event.rb', line 339

def to_i
  @id.to_i
end

#to_s ⇒ String

Convert To String

Returns:

• (String) —

  Event string object

# File 'lib/unified2/event.rb', line 357

def to_s
  data = "EVENT\n"
  data += "\tevent id: #{id}\n"
  data += "\tsensor id: #{sensor.id}\n"
  data += "\ttimestamp: #{timestamp.strftime('%D %H:%M:%S')}\n"
  data += "\tseverity: #{severity}\n"
  data += "\tprotocol: #{protocol}\n"
  data += "\tsource ip: #{source_ip} (#{source_port})\n"
  data += "\tdestination ip: #{destination_ip} (#{destination_port})\n"
  data += "\tsignature: #{signature.name}\n"
  data += "\tclassification: #{classification.name}\n"
  data += "\tchecksum: #{checksum}\n"

  packet_count = 1
  length = packets.count

  packets.each do |packet|
    data += "\n\tPACKET  (#{packet_count} of #{length})\n\n"

    data += "\tsensor id: #{sensor.id}"
    data += "\tevent id: #{id}"
    data += "\tevent second: #{packet.event_timestamp.to_i}\n"
    data += "\tpacket second: #{packet.timestamp.to_i}"
    data += "\tpacket microsecond: #{packet.microsecond.to_i}\n"
    data += "\tlinktype: #{packet.link_type}"
    data += "\tpacket length: #{packet.length}\n"
    data += "\tchecksum: #{packet.checksum}\n\n"

    hexdump = packet.hexdump(:width => 16)
    hexdump.each_line { |line| data += "\t" + line }

    packet_count += 1
  end

  extra_count = 1
  length = extras.count

  extras.each do |extra|
    data += "\n\tEXTRA   (#{extra_count} of #{length})\n\n"

    data += "\tname: #{extra.name}"
    data += "\tevent type: #{extra.header[:event_type]}"
    data += "\tevent length: #{extra.header[:event_length]}\n"
    data += "\tsensor id: #{sensor.id}"
    data += "\tevent id: #{id}"
    data += "\tevent second: #{extra.timestamp}\n"
    data += "\ttype: #{extra.type_id}"
    data += "\tdata type: #{extra.data_type}"
    data += "\tlength: #{extra.length}\n"
    data += "\tvalue: " + extra.value + "\n"

    extra_count += 1
  end

  data += "\n"
end

#udp? ⇒ true, false

UDP?

Returns:

• (true, false) —

  Check is protocol is udp

# File 'lib/unified2/event.rb', line 150

def udp?
  protocol == :UDP
end