Sign upLogin

whotwagner/suricata

View on GitHub
Star
lib/suricata/fast.rb

Summary

Maintainability
A
25 mins
Test Coverage
#--
# Copyright (C) 2016 Wolfgang Hotwagner <code@toscom.at>       
#                                                                
# This file is part of the suricata gem                                            
# 
# This mindwave gem is free software; you can redistribute it and/or 
# modify it under the terms of the GNU General Public License 
# as published by the Free Software Foundation; either version 2 
# of the License, or (at your option) any later version.
# 
# This gem is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License          
# along with this gem; if not, write to the 
# Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, 
# Boston, MA  02110-1301  USA 
#++

module Suricata

require 'suricata/connection'

# This class parses suricatas fast.log-files
class Fast

# @!attribute timestamp
#  log-time
# @!attribute id
#  signature-id
# @!attribute description
#  signature-description
# @!attribute classification
#   threat-classification
# @!attribute priority
#  priority
# @!attribute conn
#  Suricata::Connection connection
attr_accessor :timestamp, :id, :description, :classification, :priority, :conn

# this function parses an entry of fast.log
# @param [String] string one line of fast.log
# @raise [Exception] if string is nil
def parse(string)
    if string.nil?
        raise "Invalid argument"
    end

    if string =~ /^([^ ]+)\s+/
        @timestamp = $1.chomp(' ')
    end

    if string =~ /\[\*\*\]\s+\[(\d+\:\d+\:\d+)\]\s+(.*)\[\*\*\]/
        @id = $1
        @description = $2.chomp(' ')
    end

    if string =~ /\[Classification: ([^\]]+)\]/
        @classification = $1
    end

    if string =~ /\[Priority: ([^\]]+)\]/
        @priority = $1
    end

    if string =~ /\]\s+([^\]]+)$/
        @conn = Suricata::Connection.new($1)
    end

end

def getThreat
    return [ @description, @priority, @classification ]
end

# this function converts the parsed entry back to string
# @return [String] converted string
def to_s
    "#{@timestamp} [**] [#{@id}] #{@description} [**] [Classification: #{@classification}] [Priority: #{@priority}] #{@conn}"
end

end

end