class Unified2::Event
Constants
Attributes
Setup method defaults
Setup method defaults
Setup method defaults
Setup method defaults
Setup method defaults
Setup method defaults
Public Class Methods
Initialize event
@param [Integer] id Event id (coerced with #to_i, so a non-numeric value silently becomes 0)
@param [Object] position Position of the event in its source; stored as given, not coerced
# File lib/unified2/event.rb, line 52
# Build an empty event container; packets and extra-data records are
# appended later by #load.
#
# @param [Integer, String] id event id, coerced with #to_i (a non-numeric
#   string becomes 0 rather than raising)
# @param position position of the event in its source, stored as given
def initialize(id, position)
  @id = id.to_i
  @position = position
  @packets, @extras = [], []
end
Public Instance Methods
Checksum
Create a checksum intended to identify each event, derived from the ip source, destination, signature id, generator id, sensor id, severity id, and the classification id. The fields are concatenated without a separator and hashed with MD5, so this is a deduplication key rather than a guaranteed-unique or collision-resistant integrity value.
@return [String] Event
checksum
# File lib/unified2/event.rb, line 92
# Event identifier: MD5 over the source/destination ip, signature id and
# generator, sensor id, severity and classification id, concatenated with
# no separator.
#
# NOTE(review): because the pieces are joined without a delimiter, two
# distinct field tuples can yield the same input string, and MD5 is not
# collision-resistant. Treat this as a deduplication key, not an
# integrity or authenticity check. The digest format is kept as-is since
# existing consumers may have stored these values.
#
# @return [String] 32 lowercase hex characters
def checksum
  parts = [
    ip_source,
    ip_destination,
    signature.id,
    signature.generator,
    sensor.id,
    severity,
    classification.id
  ]
  Digest::MD5.hexdigest(parts.join(''))
end
@return [Classification] Event
classification object
# File lib/unified2/event.rb, line 179
# Wrap the classification hash built by #load (see build_classifications)
# in a Classification object. A new object is created on every call.
#
# @return [Classification] Event classification object
def classification
  attrs = @event_data[:classification]
  Classification.new(attrs)
end
Destination Port
@return [Integer] Event
destination port
@note
Event#destination_port will return zero if the event protocol is icmp. The value is read from the record's dport_icode field, whose name suggests it doubles as the ICMP code; confirm against the unified2 record layout before relying on a zero here.
# File lib/unified2/event.rb, line 234
# Destination port as stored by #load (taken from the record's dport_icode
# field, so for ICMP events this may not be a port at all).
#
# @return [Integer, nil] Event destination port
def destination_port
  data = @event_data
  data[:destination_port]
end
Event
Time
The event timestamp created by unified2.
@return [Time] Event time object, built with Time.at from the integer timestamp; a missing timestamp yields Time.at(0), never nil
# File lib/unified2/event.rb, line 104
# The event timestamp (seconds since the epoch) as a Time.
#
# A nil or non-numeric timestamp is coerced with #to_i, so this returns
# Time.at(0) rather than nil in that case.
#
# @return [Time] Event time object
def event_time
  seconds = @event_data[:timestamp].to_i
  Time.at(seconds)
end
Has Extra
Data
@return [true, false] true when at least one extra-data record has been loaded for this event
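# File lib/unified2/event.rb, line 285
# Does the event have extra data?
#
# The previous implementation returned +@extras.empty?+, i.e. true when
# there was NO extra data, the inverse of what the name and docs promise.
#
# @return [true, false] true when at least one Extra was loaded
def extras?
  !@extras.empty?
end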
ICMP?
@return [true, false] whether the event protocol is ICMP
# File lib/unified2/event.rb, line 143
# Whether the event protocol resolved to :ICMP.
#
# @return [true, false]
def icmp?
  :ICMP == protocol
end
Destination IP Address
@return [IPAddr] Event
destination ip address
# File lib/unified2/event.rb, line 220
# Destination address as stored by #load.
#
# @return [IPAddr] Event destination ip address
def ip_destination
  data = @event_data
  data[:destination_ip]
end
Source IP Address
@return [IPAddr] Event
source ip address
# File lib/unified2/event.rb, line 197
# Source address as stored by #load.
#
# @return [IPAddr] Event source ip address
def ip_source
  data = @event_data
  data[:source_ip]
end
Convert To Json
@return [String] Event
hash in json format
# File lib/unified2/event.rb, line 363
# JSON serialization of #to_h.
#
# @return [String] Event hash in json format
def json
  hash = to_h
  hash.to_json
end
Load
Initializes the raw data returned by bindata into a more comfortable format.
@param [Object] event a parsed unified2 record exposing header.u2type and data (as produced by the bindata readers)
@return [nil, Array] incidental (the result of the last push, or nil); callers should not rely on it
# File lib/unified2/event.rb, line 299
# Fold one parsed unified2 record into this event: extra-data records go
# to @extras, event records replace @event/@event_data, packet records go
# to @packets. The three type sets are checked independently.
#
# NOTE: this instance method shadows Kernel#load inside Event; use
# Kernel.load explicitly if the file loader is ever needed here.
#
# @param event a record exposing header.u2type and data
# @return the result of the last push, or nil (not meaningful)
def load(event)
  kind = event.header.u2type

  @extras.push(Extra.new(event)) if EXTRA.include?(kind)

  if EVENT_TYPES.include?(kind)
    @event = event
    @event_data = build_event_data
  end

  @packets.push(Packet.new(build_packet_data(event))) if PACKET_TYPES.include?(kind)
end
Microseconds
The event time in microseconds.
@return [String, nil] Event
microseconds
# File lib/unified2/event.rb, line 116
# Microsecond part of the event time, exactly as stored by #load.
#
# @return [String, nil] Event microseconds
def microseconds
  data = @event_data
  data[:event_microsecond]
end
Has Packet
Data
@return [true, false] true when at least one packet has been loaded for this event
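# File lib/unified2/event.rb, line 264
# Does the event have packet data?
#
# The previous implementation returned +@packets.empty?+, i.e. true when
# there were NO packets, the inverse of what the name and docs promise.
#
# @return [true, false] true when at least one Packet was loaded
def packets?
  !@packets.empty?
end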
Severity
@return [Integer] Event
severity id
# File lib/unified2/event.rb, line 243
# Severity (the record's priority_id) as an Integer. Also memoizes the
# value in @severity as a side effect.
#
# @return [Integer] Event severity id (0 when absent)
def severity
  priority = @event_data[:priority_id]
  @severity = priority.to_i
end
Source Port
@return [Integer] Event
source port
@note
Event#source_port will return zero if the event protocol is icmp. The value is read from the record's sport_itype field, whose name suggests it doubles as the ICMP type; confirm against the unified2 record layout before relying on a zero here.
# File lib/unified2/event.rb, line 211
# Source port as stored by #load (taken from the record's sport_itype
# field, so for ICMP events this may not be a port at all).
#
# @return [Integer, nil] Event source port
def source_port
  data = @event_data
  data[:source_port]
end
TCP?
@return [true, false] whether the event protocol is TCP
# File lib/unified2/event.rb, line 152
# Whether the event protocol resolved to :TCP.
#
# @return [true, false]
def tcp?
  :TCP == protocol
end
Convert To Hash
@return [Hash] Event
hash object
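# File lib/unified2/event.rb, line 323
# Serialize the event, its packets and its extra-data records to a Hash.
#
# The derived fields (position, protocol, checksum, ...) are merged into a
# copy of @event_data instead of being written back into it. The previous
# implementation overwrote the raw :timestamp with timestamp.to_s;
# `timestamp` responds to strftime (see #to_s), so its to_s is a formatted
# date rather than an epoch, and any later #event_time call would have run
# .to_i on that string and returned a bogus Time. Keys and values of the
# returned hash are unchanged.
#
# @return [Hash] { :event => Hash, :packets => [Hash, ...], :extras => [Hash, ...] }
def to_h
  event = @event_data.merge(
    :position => position,
    :next_position => next_position.to_i,
    :protocol => protocol,
    :timestamp => timestamp.to_s,
    :checksum => checksum,
    :sensor => sensor.to_h
  )

  @to_hash = {
    :event => event,
    :packets => packets.map { |packet| packet.to_h },
    :extras => extras.map { |extra| extra.to_h }
  }
end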
Convert To Integer
@return [Integer] Event
id
# File lib/unified2/event.rb, line 354
# The event id as an Integer.
#
# @return [Integer] Event id
def to_i
  event_id = @id
  event_id.to_i
end
Convert To String
@return [String] Event
string object
# File lib/unified2/event.rb, line 372
# Human-readable dump of the event, followed by one section per packet
# (with a 16-column hexdump) and one per extra-data record.
#
# NOTE(review): several fields within a packet/extra section are joined by
# a tab with no newline between them (e.g. "sensor id" / "event id"); this
# layout is reproduced as-is. Packet bytes and `extra.value` presumably
# originate from captured traffic; they are written out without escaping,
# so terminal control sequences in them are not neutralised - keep that in
# mind when printing to a console.
#
# @return [String] Event string object
def to_s
  out = String.new("EVENT\n")
  out << "\tevent id: #{id}\n"
  out << "\tsensor id: #{sensor.id}\n"
  out << "\ttimestamp: #{timestamp.strftime('%D %H:%M:%S')}\n"
  out << "\tseverity: #{severity}\n"
  out << "\tprotocol: #{protocol}\n"
  out << "\tsource ip: #{source_ip} (#{source_port})\n"
  out << "\tdestination ip: #{destination_ip} (#{destination_port})\n"
  out << "\tsignature: #{signature.name}\n"
  out << "\tclassification: #{classification.name}\n"
  out << "\tchecksum: #{checksum}\n"

  total = packets.count
  packets.each_with_index do |packet, idx|
    out << "\n\tPACKET (#{idx + 1} of #{total})\n\n"
    out << "\tsensor id: #{sensor.id}"
    out << "\tevent id: #{id}"
    out << "\tevent second: #{packet.event_timestamp.to_i}\n"
    out << "\tpacket second: #{packet.timestamp.to_i}"
    out << "\tpacket microsecond: #{packet.microsecond.to_i}\n"
    out << "\tlinktype: #{packet.link_type}"
    out << "\tpacket length: #{packet.length}\n"
    out << "\tchecksum: #{packet.checksum}\n\n"
    packet.hexdump(:width => 16).each_line { |row| out << "\t" << row }
  end

  total = extras.count
  extras.each_with_index do |extra, idx|
    out << "\n\tEXTRA (#{idx + 1} of #{total})\n\n"
    out << "\tname: #{extra.name}"
    out << "\tevent type: #{extra.header[:event_type]}"
    out << "\tevent length: #{extra.header[:event_length]}\n"
    out << "\tsensor id: #{sensor.id}"
    out << "\tevent id: #{id}"
    out << "\tevent second: #{extra.timestamp}\n"
    out << "\ttype: #{extra.type_id}"
    out << "\tdata type: #{extra.data_type}"
    out << "\tlength: #{extra.length}\n"
    # String#+ kept on purpose: a non-String value raises here, as before.
    out << "\tvalue: " + extra.value + "\n"
  end

  out << "\n"
end
UDP?
@return [true, false] whether the event protocol is UDP
# File lib/unified2/event.rb, line 161
# Whether the event protocol resolved to :UDP.
#
# @return [true, false]
def udp?
  :UDP == protocol
end
Private Instance Methods
# File lib/unified2/event.rb, line 555
# Resolve the record's classification id against the loaded classification
# table (Unified2.classifications), falling back to an 'Unknown' entry with
# severity 0 when the table is absent or has no matching key.
#
# NOTE(review): the lookup key is built from `event.data` while the result
# reads `@event.data`; `event` is presumably the attr reader for @event.
#
# @return [Hash] :classification_id, :name, :short, :severity
def build_classifications
  table = Unified2.classifications
  key = "#{event.data.classification_id}"
  resolved = nil

  if table && table.data.has_key?(key)
    row = table.data[key]
    resolved = {
      :classification_id => @event.data.classification_id,
      :name => row[:name],
      :short => row[:short],
      :severity => row[:severity_id]
    }
  end

  resolved || {
    :classification_id => @event.data.classification_id,
    :name => 'Unknown',
    :short => 'n/a',
    :severity => 0
  }
end
# File lib/unified2/event.rb, line 431
# Flatten the bindata event record (@event) into the Hash the public
# accessors read. Legacy record types carry only :packet_action; newer ones
# carry impact/blocked/mpls/vlan fields instead. Key order is significant
# for the JSON output and matches the previous implementation.
#
# NOTE(review): :policy_id is taken from the record's `pad2` field -
# presumably the unified2 v2 layout reuses that padding; confirm.
#
# @return [Hash] event attributes keyed by symbol
def build_event_data
  header = @event.header
  rec = @event.data

  event_hash = {
    :header => {
      :type => header.u2type,
      :length => header.u2length
    },
    :destination_ip => rec.ip_destination,
    :priority_id => rec.priority_id,
    :signature_revision => rec.signature_revision,
    :event_id => rec.event_id,
    :protocol => rec.protocol,
    :source_port => rec.sport_itype,
    :timestamp => rec.event_second,
    :destination_port => rec.dport_icode,
    :sensor_id => rec.sensor_id,
    :generator_id => rec.generator_id,
    :source_ip => rec.ip_source,
    :event_microsecond => rec.event_microsecond
  }

  if LEGACY_EVENT_TYPES.include?(header.u2type)
    event_hash[:packet_action] = rec.packet_action
  else
    event_hash[:impact_flag] = rec.impact_flag
    event_hash[:impact] = rec.impact
    event_hash[:blocked] = rec.blocked
    event_hash[:mpls_label] = rec.mpls_label
    event_hash[:vlan_id] = rec.vlanId
    event_hash[:policy_id] = rec.pad2
  end

  event_hash[:classification] = build_classifications
  # Generator 1 is the rules engine: look the signature up in the sid
  # table; every other generator is resolved through the gid/sid table.
  event_hash[:signature] =
    rec.generator_id.to_i == 1 ? build_signature : build_generator

  event_hash
end
# File lib/unified2/event.rb, line 491
# Resolve a non-rules-engine signature through the "gid.sid" generator
# table (Unified2.generators). When the table is absent or the key is not
# present, an "Unknown Signature <sid>" entry with :blank => true is
# returned so callers can tell a placeholder from a real match.
#
# @return [Hash] :signature_id, :generator_id, :revision, :name, :blank
def build_generator
  table = Unified2.generators
  rec = @event.data
  key = "#{rec.generator_id}.#{rec.signature_id}"
  resolved = nil

  if table && table.data.has_key?(key)
    row = table.data[key]
    resolved = {
      :signature_id => rec.signature_id,
      :generator_id => rec.generator_id,
      :revision => rec.signature_revision,
      :name => row[:name],
      :blank => false
    }
  end

  resolved || {
    :signature_id => rec.signature_id,
    :generator_id => rec.generator_id,
    :revision => 0,
    :name => "Unknown Signature #{rec.signature_id}",
    :blank => true
  }
end
# File lib/unified2/event.rb, line 477
# Flatten a bindata packet record into the Hash Packet.new expects.
# Note the field renames: packet_second -> :packet_timestamp and
# event_second -> :timestamp.
#
# @param packet a record exposing +data+ with linktype, packet_microsecond,
#   packet_second, packet_data, event_second and packet_length
# @return [Hash] packet attributes keyed by symbol
def build_packet_data(packet)
  rec = packet.data
  {
    :linktype => rec.linktype,
    :packet_microsecond => rec.packet_microsecond,
    :packet_timestamp => rec.packet_second,
    :packet => rec.packet_data,
    :timestamp => rec.event_second,
    :packet_length => rec.packet_length
  }
end
# File lib/unified2/event.rb, line 523
# Resolve a rules-engine (generator 1) signature through the sid table
# (Unified2.signatures). When the table is absent or the sid is not present,
# an "Unknown Signature <sid>" entry with :blank => true is returned so
# callers can tell a placeholder from a real match.
#
# NOTE(review): the lookup key is built from `event.data` while the result
# reads `@event.data`; `event` is presumably the attr reader for @event.
#
# @return [Hash] :signature_id, :generator_id, :revision, :name, :blank
def build_signature
  table = Unified2.signatures
  key = event.data.signature_id.to_s
  rec = @event.data
  resolved = nil

  if table && table.data.has_key?(key)
    row = table.data[key]
    resolved = {
      :signature_id => rec.signature_id,
      :generator_id => rec.generator_id,
      :revision => rec.signature_revision,
      :name => row[:name],
      :blank => false
    }
  end

  resolved || {
    :signature_id => rec.signature_id,
    :generator_id => rec.generator_id,
    :revision => 0,
    :name => "Unknown Signature #{rec.signature_id}",
    :blank => true
  }
end
# File lib/unified2/event.rb, line 585
# Map the record's IP protocol number to a symbol.
#
# Only ICMP (1), IGMP (2), TCP (6) and UDP (17) are recognised; any other
# number - ICMPv6 (58) included - is reported as :'N/A', so the icmp?/tcp?/
# udp? predicates are all false for such events.
#
# @return [Symbol] :ICMP, :IGMP, :TCP, :UDP or :'N/A'
def determine_protocol
  number = @event.data.protocol.to_i
  names = {
    1 => :ICMP,  # Internet Control Message Protocol
    2 => :IGMP,  # Internet Group Management Protocol
    6 => :TCP,   # Transmission Control Protocol
    17 => :UDP   # User Datagram Protocol
  }
  names.fetch(number, :'N/A')
end