Class: Suricata::Fast

Inherits:
Object
Defined in:
lib/suricata/fast.rb

Overview

This class parses Suricata's fast.log files.



Instance Attribute Details

#classification ⇒ Object

threat-classification


# File 'lib/suricata/fast.rb', line 41

# Fields of one parsed fast.log entry, all filled in by #parse: log-time,
# signature-id, signature-description, threat-classification, priority and
# the Suricata::Connection built from the tail of the line.
attr_accessor :timestamp, :id, :description, :classification, :priority, :conn

#conn ⇒ Object

Suricata::Connection connection


# File 'lib/suricata/fast.rb', line 41

# Fields of one parsed fast.log entry, all filled in by #parse: log-time,
# signature-id, signature-description, threat-classification, priority and
# the Suricata::Connection built from the tail of the line.
attr_accessor :timestamp, :id, :description, :classification, :priority, :conn

#description ⇒ Object

signature-description


# File 'lib/suricata/fast.rb', line 41

# Fields of one parsed fast.log entry, all filled in by #parse: log-time,
# signature-id, signature-description, threat-classification, priority and
# the Suricata::Connection built from the tail of the line.
attr_accessor :timestamp, :id, :description, :classification, :priority, :conn

#id ⇒ Object

signature-id


# File 'lib/suricata/fast.rb', line 41

# Fields of one parsed fast.log entry, all filled in by #parse: log-time,
# signature-id, signature-description, threat-classification, priority and
# the Suricata::Connection built from the tail of the line.
attr_accessor :timestamp, :id, :description, :classification, :priority, :conn

#priority ⇒ Object

priority


# File 'lib/suricata/fast.rb', line 41

# Fields of one parsed fast.log entry, all filled in by #parse: log-time,
# signature-id, signature-description, threat-classification, priority and
# the Suricata::Connection built from the tail of the line.
attr_accessor :timestamp, :id, :description, :classification, :priority, :conn

#timestamp ⇒ Object

log-time


# File 'lib/suricata/fast.rb', line 41

# Reader for the log-time of the parsed entry.
#
# @return [String, nil] the log-time, or nil if it has not been assigned yet
def timestamp
	instance_variable_get(:@timestamp)
end

Instance Method Details

#getThreat ⇒ Object


# File 'lib/suricata/fast.rb', line 74

# Threat summary of the parsed entry.
#
# @return [Array] signature-description, priority and threat-classification,
#   in that order (entries are nil where the corresponding field was never set)
def getThreat
	%i[@description @priority @classification].map { |ivar| instance_variable_get(ivar) }
end

#parse(string) ⇒ Object

This method parses one entry (line) of fast.log.

Parameters:

  • string (String)

    one line of fast.log

Raises:

  • (Exception)

    if string is nil


# File 'lib/suricata/fast.rb', line 46

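# Parses one entry of fast.log into this object's attributes.
#
# All attributes are cleared before matching, so a field that is absent from
# +string+ is left nil instead of keeping the value of a previously parsed
# line (which would attribute the old classification/priority to this one).
# A field whose pattern does not match is simply left nil.
#
# @param string [String] one line of fast.log
# @raise [RuntimeError] if string is nil
def parse(string)
	raise "Invalid argument" if string.nil?

	# Clear the previous entry so stale fields can never leak into this one.
	@timestamp = @id = @description = @classification = @priority = @conn = nil

	# The log-time is the first space-free token; \A anchors to the start of
	# the string itself rather than to the start of any embedded line.
	if (match = string.match(/\A([^ ]+)\s+/))
		@timestamp = match[1]
	end

	# "[**] [gid:sid:rev] description [**]"; the description keeps its inner
	# spaces and loses one trailing space.
	if (match = string.match(/\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*)\[\*\*\]/))
		@id = match[1]
		@description = match[2].chomp(' ')
	end

	if (match = string.match(/\[Classification: ([^\]]+)\]/))
		@classification = match[1]
	end

	if (match = string.match(/\[Priority: ([^\]]+)\]/))
		@priority = match[1]
	end

	# The text after the last ']' is the connection part; it is handed to
	# Suricata::Connection unmodified.
	if (match = string.match(/\]\s+([^\]]+)$/))
		@conn = Suricata::Connection.new(match[1])
	end
end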

#to_s ⇒ String

This method converts the parsed entry back to a fast.log-style string.

Returns:

  • (String)

    converted string


# File 'lib/suricata/fast.rb', line 80

def to_s
	"#{@timestamp} [**] [#{@id}] #{@description} [**] [Classification: #{@classification}] [Priority: #{@priority}] #{@conn}"
end