class Unified2::Event

Event

Constants

EVENT_TYPES

Normal event header types

EXTRA

Extra Data Event Header Types

LEGACY_EVENT_TYPES

Legacy Event Header Types

PACKET_TYPES

Packet Event Header Types

Attributes

event[RW]

Setup method defaults

extras[RW]

Setup method defaults

id[RW]

Setup method defaults

next_position[RW]

Setup method defaults

packets[RW]

Setup method defaults

position[RW]

Setup method defaults

Public Class Methods

new(id, position)

Initialize event

@param [Integer] id Event id (coerced with to_i)

@param position Position of the event as supplied by the reader (stored as given; see #position)

# File lib/unified2/event.rb, line 52
# Initialize event
#
# @param [Integer] id Event id; coerced with to_i so "12" and 12 behave alike
#   (nil becomes 0)
# @param position Reader position for this event, stored as given
def initialize(id, position)
  @id       = id.to_i
  @position = position
  # Both collections start empty and are appended to by #load.
  @packets, @extras = [], []
end

Public Instance Methods

checksum()

Checksum

Create an MD5 digest over the source ip, destination ip, signature id, generator id, sensor id, severity id and classification id. The fields are concatenated without a delimiter and MD5 is not collision-resistant, so treat the result as a deduplication hint rather than a unique or tamper-evident identity.

@return [String] Event checksum

# File lib/unified2/event.rb, line 92
# Checksum
#
# MD5 hex digest over the identifying fields of the event.
#
# @return [String] 32-character hex digest
#
# NOTE(review): the fields are concatenated with no delimiter, so distinct
# tuples can collide (sid 1 / gid 23 vs sid 12 / gid 3), and MD5 is not
# collision-resistant. Use this as a dedup hint, never as a security identity.
def checksum
  parts = [
    ip_source, ip_destination,
    signature.id, signature.generator,
    sensor.id, severity, classification.id
  ]
  Digest::MD5.hexdigest(parts.map { |part| part.to_s }.join)
end
classification()

Classification

@return [Classification] Event classification object

# File lib/unified2/event.rb, line 179
# Classification
#
# Wraps the :classification entry of the event hash (see build_classifications).
#
# @return [Classification] Event classification object
def classification
  attrs = @event_data[:classification]
  Classification.new(attrs)
end
destination_ip()
Alias for: ip_destination
destination_port()

Destination Port

@return [Integer] Event destination port

@note

Event#destination_port will return zero if the 
event protocol is icmp.
# File lib/unified2/event.rb, line 234
# Destination Port
#
# Read from the event hash built by build_event_data (record field dport_icode).
#
# @return [Integer, nil] destination port; nil when the key is absent.
#   For ICMP events the class docs say zero — the field name (dport_icode)
#   suggests it may carry the ICMP code; confirm against the unified2 spec
#   before relying on either.
def destination_port
  @event_data.fetch(:destination_port, nil)
end
event_time()

Event Time

The event timestamp created by unified2.

@return [Time] Event time object (a missing timestamp yields Time.at(0), not nil)

# File lib/unified2/event.rb, line 104
# Event Time
#
# The event second recorded by unified2, as a Time. Aliased as #timestamp.
#
# @return [Time] always a Time; a missing timestamp gives Time.at(0)
def event_time
  seconds = @event_data[:timestamp].to_i # nil -> 0 (epoch)
  Time.at(seconds)
end
Also aliased as: timestamp
extras?()

Has Extra Data

@return [true, false] Does the event have extra data?

# File lib/unified2/event.rb, line 285
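# Has Extra Data
#
# @return [true, false] true when at least one extra-data record has been
#   appended to @extras by #load
def extras?
  # Previously returned @extras.empty?, the inverse of the documented contract.
  !@extras.empty?
end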
icmp?()

ICMP?

@return [true, false] Check whether the protocol is ICMP

# File lib/unified2/event.rb, line 143
# ICMP?
#
# @return [true, false] whether #protocol resolved to :ICMP (IP protocol 1).
#   Note ICMPv6 is not mapped by determine_protocol, so this is false for it.
def icmp?
  :ICMP == protocol
end
ip_destination()

Destination IP Address

@return [IPAddr] Event destination ip address

# File lib/unified2/event.rb, line 220
# Destination IP Address
#
# Read from the event hash (record field ip_destination). Aliased as #destination_ip.
#
# @return [IPAddr, nil] destination address, nil when the key is absent
def ip_destination
  @event_data.fetch(:destination_ip, nil)
end
Also aliased as: destination_ip
ip_source()

Source IP Address

@return [IPAddr] Event source ip address

# File lib/unified2/event.rb, line 197
# Source IP Address
#
# Read from the event hash (record field ip_source). Aliased as #source_ip.
#
# @return [IPAddr, nil] source address, nil when the key is absent
def ip_source
  @event_data.fetch(:source_ip, nil)
end
Also aliased as: source_ip
json()

Convert To Json

@return [String] Event hash in json format

# File lib/unified2/event.rb, line 363
# Convert To Json
#
# Serializes the hash produced by #to_h (which mutates @event_data).
#
# @return [String] Event hash in json format
def json
  hash = to_h
  hash.to_json
end
length()

Event length

@return [Integer] Event length

# File lib/unified2/event.rb, line 64
# Event length
#
# The record length from the unified2 header (u2length), as stored in the
# event hash by build_event_data.
#
# @return [Integer] Event length (0 when the header length is nil)
def length
  header = @event_data[:header]
  header[:length].to_i
end
load(event)

Load

Files a raw BinData record by its header type: extra-data records are appended to #extras, event records are flattened into the event hash backing the accessors, and packet records are appended to #packets.

@param event Raw record as returned by BinData (exposes `header.u2type` and `data`)

@return [Array, nil] the packets array when a packet record was appended, otherwise nil

# File lib/unified2/event.rb, line 299
# Load
#
# Files a raw BinData record according to its header type. A record may match
# more than one type list; each matching branch is applied.
#
# @param event raw record exposing header.u2type and data
#
# @return [Array, nil] the packets array when a packet record was appended,
#   otherwise nil (value of the last `if`)
def load(event)
  type = event.header.u2type

  # Extra-data records accumulate.
  @extras.push(Extra.new(event)) if EXTRA.include?(type)

  # The event record replaces any earlier one and is flattened into
  # @event_data, which backs the accessor methods.
  if EVENT_TYPES.include?(type)
    @event = event
    @event_data = build_event_data
  end

  # Packet records accumulate; this is also the method's return value.
  @packets.push(Packet.new(build_packet_data(event))) if PACKET_TYPES.include?(type)
end
microseconds()

Microseconds

The event time in microseconds.

@return [String, nil] Event microseconds

# File lib/unified2/event.rb, line 116
# Microseconds
#
# Raw event_microsecond field as stored in the event hash by build_event_data.
#
# @return [String, nil] Event microseconds; nil when the key is absent
def microseconds
  @event_data.fetch(:event_microsecond, nil)
end
packet_action()

Packet Action

@return [Integer, nil] Packet action

# File lib/unified2/event.rb, line 134
# Packet Action
#
# Only populated for legacy event types (see build_event_data); nil otherwise.
#
# @return [Integer, nil] Packet action
def packet_action
  @event_data.fetch(:packet_action, nil)
end
packet_time()

Packet Time

Time of creation for the unified2 packet.

@return [Time, nil] Packet time object

# File lib/unified2/event.rb, line 75
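# Packet Time
#
# Time of creation for the unified2 packet, from @packet_data[:packet_second].
#
# @return [Time, nil] Packet time object, or nil when there is no packet data
#   or it lacks :packet_second
#
# NOTE(review): nothing in this class assigns @packet_data (#load files packet
# records into @packets), so unless it is set elsewhere this returns nil. The
# old body called has_key? on nil and raised NoMethodError in that case.
def packet_time
  return nil unless @packet_data && @packet_data.has_key?(:packet_second)
  # Kept the @timestamp side effect so anything reading it keeps working.
  @timestamp = Time.at(@packet_data[:packet_second].to_i)
end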
packets?()

Has Packet Data

@return [true, false] Does the event have packet data?

# File lib/unified2/event.rb, line 264
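# Has Packet Data
#
# @return [true, false] true when at least one packet record has been
#   appended to @packets by #load
def packets?
  # Previously returned @packets.empty?, the inverse of the documented contract.
  !@packets.empty?
end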
protocol()

Protocol

@return [Protocol] Event protocol object

# File lib/unified2/event.rb, line 170
# Protocol
#
# Memoizes determine_protocol in @protocol on first call.
#
# @return [Symbol] :ICMP, :IGMP, :TCP, :UDP or :'N/A'
def protocol
  @protocol || (@protocol = determine_protocol)
end
sensor()

Sensor

@return [Sensor] Sensor object

# File lib/unified2/event.rb, line 125
# Sensor
#
# Memoizes the library-wide Unified2.sensor in @sensor on first call.
#
# @return [Sensor] Sensor object
def sensor
  @sensor || (@sensor = Unified2.sensor)
end
severity()

Severity

@return [Integer] Event severity id

# File lib/unified2/event.rb, line 243
# Severity
#
# The record's priority_id, coerced to an Integer and cached in @severity
# (recomputed on every call).
#
# @return [Integer] Event severity id (0 when priority_id is nil)
def severity
  priority = @event_data[:priority_id]
  @severity = priority.to_i
end
signature()

Signature

@return [Signature, nil] Event signature object

# File lib/unified2/event.rb, line 188
# Signature
#
# Wraps the :signature entry of the event hash; memoized in @signature.
#
# @return [Signature] Event signature object
def signature
  @signature || (@signature = Signature.new(@event_data[:signature]))
end
source_ip()
Alias for: ip_source
source_port()

Source Port

@return [Integer] Event source port

@note

Event#source_port will return zero if the 
event protocol is icmp.
# File lib/unified2/event.rb, line 211
# Source Port
#
# Read from the event hash built by build_event_data (record field sport_itype).
#
# @return [Integer, nil] source port; nil when the key is absent.
#   For ICMP events the class docs say zero — the field name (sport_itype)
#   suggests it may carry the ICMP type; confirm against the unified2 spec.
def source_port
  @event_data.fetch(:source_port, nil)
end
tcp?()

TCP?

@return [true, false] Check whether the protocol is TCP

# File lib/unified2/event.rb, line 152
# TCP?
#
# @return [true, false] whether #protocol resolved to :TCP (IP protocol 6)
def tcp?
  :TCP == protocol
end
timestamp()
Alias for: event_time
to_h()

Convert To Hash

@return [Hash] Event hash object

# File lib/unified2/event.rb, line 323
# Convert To Hash
#
# Merges the derived fields into @event_data (the hash is mutated in place;
# repeated calls overwrite the same keys) and wraps it with the packet and
# extra-data hashes. Result is cached in @to_hash.
#
# @return [Hash] { :event => Hash, :packets => Array<Hash>, :extras => Array<Hash> }
def to_h
  @event_data[:position]      = position
  @event_data[:next_position] = next_position.to_i
  @event_data[:protocol]      = protocol
  @event_data[:timestamp]     = timestamp.to_s
  @event_data[:checksum]      = checksum
  @event_data[:sensor]        = sensor.to_h

  # Extras are converted before packets, as in the original ordering.
  extra_hashes  = extras.map  { |extra| extra.to_h }
  packet_hashes = packets.map { |packet| packet.to_h }

  @to_hash = {
    :event   => @event_data,
    :packets => packet_hashes,
    :extras  => extra_hashes
  }
end
to_i()

Convert To Integer

@return [Integer] Event id

# File lib/unified2/event.rb, line 354
# Convert To Integer
#
# @return [Integer] Event id (0 when @id is nil)
def to_i
  event_id = @id
  event_id.to_i
end
to_s()

Convert To String

@return [String] Event string object

# File lib/unified2/event.rb, line 372
def to_s
  data = "EVENT\n"
  data += "\tevent id: #{id}\n"
  data += "\tsensor id: #{sensor.id}\n"
  data += "\ttimestamp: #{timestamp.strftime('%D %H:%M:%S')}\n"
  data += "\tseverity: #{severity}\n"
  data += "\tprotocol: #{protocol}\n"
  data += "\tsource ip: #{source_ip} (#{source_port})\n"
  data += "\tdestination ip: #{destination_ip} (#{destination_port})\n"
  data += "\tsignature: #{signature.name}\n"
  data += "\tclassification: #{classification.name}\n"
  data += "\tchecksum: #{checksum}\n"

  packet_count = 1
  length = packets.count

  packets.each do |packet|
    data += "\n\tPACKET  (#{packet_count} of #{length})\n\n"

    data += "\tsensor id: #{sensor.id}"
    data += "\tevent id: #{id}"
    data += "\tevent second: #{packet.event_timestamp.to_i}\n"
    data += "\tpacket second: #{packet.timestamp.to_i}"
    data += "\tpacket microsecond: #{packet.microsecond.to_i}\n"
    data += "\tlinktype: #{packet.link_type}"
    data += "\tpacket length: #{packet.length}\n"
    data += "\tchecksum: #{packet.checksum}\n\n"

    hexdump = packet.hexdump(:width => 16)
    hexdump.each_line { |line| data += "\t" + line }

    packet_count += 1
  end

  extra_count = 1
  length = extras.count

  extras.each do |extra|
    data += "\n\tEXTRA   (#{extra_count} of #{length})\n\n"

    data += "\tname: #{extra.name}"
    data += "\tevent type: #{extra.header[:event_type]}"
    data += "\tevent length: #{extra.header[:event_length]}\n"
    data += "\tsensor id: #{sensor.id}"
    data += "\tevent id: #{id}"
    data += "\tevent second: #{extra.timestamp}\n"
    data += "\ttype: #{extra.type_id}"
    data += "\tdata type: #{extra.data_type}"
    data += "\tlength: #{extra.length}\n"
    data += "\tvalue: " + extra.value + "\n"

    extra_count += 1
  end

  data += "\n"
end
udp?()

UDP?

@return [true, false] Check whether the protocol is UDP

# File lib/unified2/event.rb, line 161
# UDP?
#
# @return [true, false] whether #protocol resolved to :UDP (IP protocol 17)
def udp?
  :UDP == protocol
end

Private Instance Methods

build_classifications()
# File lib/unified2/event.rb, line 555
# Resolve the record's classification_id against the Unified2.classifications
# table (keyed by the id as a String).
#
# @return [Hash] :classification_id, :name, :short, :severity; when no table
#   is loaded or the id is unknown, name 'Unknown', short 'n/a', severity 0
def build_classifications
  classification_id = @event.data.classification_id
  unknown = {
    :classification_id => classification_id,
    :name => 'Unknown',
    :short => 'n/a',
    :severity => 0
  }

  table = Unified2.classifications
  return unknown unless table

  key = classification_id.to_s
  return unknown unless table.data.has_key?(key)

  entry = table.data[key]
  {
    :classification_id => classification_id,
    :name => entry[:name],
    :short => entry[:short],
    :severity => entry[:severity_id]
  }
end
build_event_data()
# File lib/unified2/event.rb, line 431
# Flatten the current @event record into the hash backing the accessors.
#
# Key insertion order is preserved deliberately: it is the order #to_h and
# #json emit.
#
# @return [Hash] event fields plus :classification and :signature sub-hashes
def build_event_data
  header = @event.header
  data   = @event.data

  event_hash = {
    :header => {
      :type => header.u2type,
      :length => header.u2length
    },
    :destination_ip => data.ip_destination,
    :priority_id => data.priority_id,
    :signature_revision => data.signature_revision,
    :event_id => data.event_id,
    :protocol => data.protocol,
    :source_port => data.sport_itype,
    :timestamp => data.event_second,
    :destination_port => data.dport_icode,
    :sensor_id => data.sensor_id,
    :generator_id => data.generator_id,
    :source_ip => data.ip_source,
    :event_microsecond => data.event_microsecond
  }

  if LEGACY_EVENT_TYPES.include?(header.u2type)
    # Legacy records carry only the packet action.
    event_hash[:packet_action] = data.packet_action
  else
    event_hash[:impact_flag] = data.impact_flag
    event_hash[:impact]      = data.impact
    event_hash[:blocked]     = data.blocked
    event_hash[:mpls_label]  = data.mpls_label
    event_hash[:vlan_id]     = data.vlanId
    event_hash[:policy_id]   = data.pad2 # :policy_id is taken from the record's pad2 field
  end

  event_hash[:classification] = build_classifications

  # Generator 1 is resolved through the signature map, every other
  # generator through the gid.sid generator map.
  event_hash[:signature] =
    if data.generator_id.to_i == 1
      build_signature
    else
      build_generator
    end

  event_hash
end
build_generator()
# File lib/unified2/event.rb, line 491
# Resolve a non-rules-engine signature against the Unified2.generators table,
# keyed by "gid.sid".
#
# @return [Hash] :signature_id, :generator_id, :revision, :name, :blank;
#   unknown ids get revision 0, a placeholder name and :blank => true
def build_generator
  generator_id = @event.data.generator_id
  signature_id = @event.data.signature_id
  key = "#{generator_id}.#{signature_id}"

  table = Unified2.generators
  if table && table.data.has_key?(key)
    entry = table.data[key]
    return {
      :signature_id => signature_id,
      :generator_id => generator_id,
      :revision => @event.data.signature_revision,
      :name => entry[:name],
      :blank => false
    }
  end

  {
    :signature_id => signature_id,
    :generator_id => generator_id,
    :revision => 0,
    :name => "Unknown Signature #{signature_id}",
    :blank => true
  }
end
build_packet_data(packet)
# File lib/unified2/event.rb, line 477
# Flatten a packet record into the hash handed to Packet.new.
#
# @param packet raw record whose data exposes linktype, packet_microsecond,
#   packet_second, packet_data, event_second and packet_length
#
# @return [Hash] :linktype, :packet_microsecond, :packet_timestamp, :packet
#   (raw captured bytes), :timestamp, :packet_length
#
# NOTE(review): :packet_length is the length the record declares and is
# carried separately from :packet; consumers should size buffers from the
# actual bytes, not from the declared length.
def build_packet_data(packet)
  fields = packet.data
  {
    :linktype => fields.linktype,
    :packet_microsecond => fields.packet_microsecond,
    :packet_timestamp => fields.packet_second,
    :packet => fields.packet_data,
    :timestamp => fields.event_second,
    :packet_length => fields.packet_length
  }
end
build_signature()
# File lib/unified2/event.rb, line 523
# Resolve a generator-1 signature against the Unified2.signatures table,
# keyed by the sid as a String.
#
# @return [Hash] :signature_id, :generator_id, :revision, :name, :blank;
#   unknown sids get revision 0, a placeholder name and :blank => true
def build_signature
  signature_id = @event.data.signature_id
  generator_id = @event.data.generator_id
  key = signature_id.to_s

  table = Unified2.signatures
  if table && table.data.has_key?(key)
    entry = table.data[key]
    return {
      :signature_id => signature_id,
      :generator_id => generator_id,
      :revision => @event.data.signature_revision,
      :name => entry[:name],
      :blank => false
    }
  end

  {
    :signature_id => signature_id,
    :generator_id => generator_id,
    :revision => 0,
    :name => "Unknown Signature #{signature_id}",
    :blank => true
  }
end
determine_protocol()
# File lib/unified2/event.rb, line 585
# Map the record's IP protocol number to a symbol.
#
# Only four IANA protocol numbers are distinguished; everything else —
# including ICMPv6 (58), so icmp? is false for IPv6 ICMP — maps to :'N/A'.
#
# @return [Symbol] :ICMP, :IGMP, :TCP, :UDP or :'N/A'
def determine_protocol
  names = {
    1  => :ICMP, # Internet Control Message Protocol
    2  => :IGMP, # Internet Group Management Protocol
    6  => :TCP,  # Transmission Control Protocol
    17 => :UDP   # User Datagram Protocol
  }
  names.fetch(@event.data.protocol.to_i, :'N/A')
end