{ "info": { "author": "Mike Kazantsev", "author_email": "mk.fraggod@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 4 - Beta", "Intended Audience :: Developers", "Intended Audience :: System Administrators", "Intended Audience :: Telecommunications Industry", "License :: OSI Approved", "Operating System :: POSIX", "Operating System :: Unix", "Programming Language :: Python", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 2 :: Only", "Topic :: Security", "Topic :: System :: Networking :: Monitoring" ], "description": "unified2: pure-python parser for IDS (think `Snort `__) unified2 binary log format\n----------------------------------------------------------------------------------------------------\n\nModule allows to process IDS logs in binary \"unified2\" format into\npython objects.\n\nIt does not resolve rule ids and is not meant to be a replacement for\n`barnyard2 `__ or Snort itself in\nthat role.\n\nIn fact, I've found that snort-produced text logs are enough for my\npurposes, so **this module isn't really maintained or updated** (at\nleast by me), so if you really find it useful, I encourage you to fork\nthe module, and contact me to transfer pypi package ownership to you.\n\nMain purpose is to extract a packet data from the log, associated with\nsome particular triggered (and resolved/logged separately via other\nmeans, e.g. alert\\_syslog or alert\\_csv snort modules) rule, so I\nhaven't paid much attention to processing event metadata.\n\nModule doesn't have C components and doesn't use ctypes, so should be\nfairly portable to non-cPython language implementations.\n\nFormat\n------\n\nFormat definition is derived from Snort headers\n(src/sfutil/Unified2\\_common.h) via\n`pyclibrary `__\nmodule and are cached in unified2/\\_format.py file.\n\nNewer definitions (say, if new data types were added) can be generated\nby running the same script on the Snort's Unified2\\_common.h:\n\n::\n\n bzr branch lp:pyclibrary\n cd pyclibrary\n python .../unified2/_format.py .../snort-2.X.Y.Z/src/sfutil/Unified2_common.h\n\nInstallation\n------------\n\nIt's a regular package for Python 2.7 (not 3.X).\n\nUsing `pip `__ is the best way:\n\n::\n\n % pip install unified2\n\nIf you don't have it, use:\n\n::\n\n % easy_install pip\n % pip install unified2\n\nAlternatively (`see\nalso `__):\n\n::\n\n % curl https://raw.github.com/pypa/pip/master/contrib/get-pip.py | python\n % pip install unified2\n\nOr, if you absolutely must:\n\n::\n\n % easy_install unified2\n\nBut, you really shouldn't do that.\n\nCurrent-git version can be installed like this:\n\n::\n\n % pip install 'git+https://github.com/mk-fg/unified2.git#egg=unified2'\n\nUsage\n-----\n\nSimple example:\n\n::\n\n import unified2.parser\n for ev, ev_tail in unified2.parser.parse('/var/log/snort/snort.u2.1337060186'):\n print 'Event:', ev\n if ev_tail: print 'Event tail:', ev_tail\n\nEvent object here is a dict of metadata and a \"tail\", which can either\nbe a blob or a similar recursively-parsed tuple of metadata-dict and\n\"tail\" (e.g. for UNIFIED2\\_EXTRA\\_DATA).\n\nunified2.parser.Parser interface is best illustrated by the\nunified2.parser.read function:\n\n::\n\n parser, buff_agg = Parser(), ''\n while True:\n buff = parser.read(src)\n if not buff: break # EOF\n buff_agg += buff\n while True:\n buff_agg, ev = parser.process(buff_agg)\n if ev is None: break\n yield ev\n\nIdea here is that Parser.read method should be called with a stream\n(e.g. a file object), returning however many bytes parser needs to get\nthe next parseable chunk of data (one packet, in case of u2 log) or\nwhatever can be read at the moment, empty string is usually an\nindication of EOF or maybe non-blocking read return.\n\nParser.process then should be called with accumulated (by Parser.read\ncalls) buffer, returning the first packet that can be parsed from there\n(or None, if buffer isn't large enough) and remaining (non-parsed)\nbuffer data.\n\nRelated stuff\n-------------\n\n- http://manual.snort.org/node21.html#SECTION00369000000000000000\n- http://www.securixlive.com/barnyard2/docs/unified.php\n- https://github.com/firnsy/barnyard2\n- http://blog.snort.org/2010/12/working-with-unified-and-unified2-files.html\n- https://github.com/mephux/unified2\n- https://code.launchpad.net/~luke-campagnola/pyclibrary\n- https://github.com/mk-fg/bordercamp-irc-bot", "description_content_type": null, "docs_url": null, "download_url": "UNKNOWN", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "http://github.com/mk-fg/unified2", "keywords": "unified2 u2 ids snort suricata parser", "license": "WTFPL", "maintainer": null, "maintainer_email": null, "name": "unified2", "package_url": "https://pypi.org/project/unified2/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/unified2/", "project_urls": { "Download": "UNKNOWN", "Homepage": "http://github.com/mk-fg/unified2" }, "release_url": "https://pypi.org/project/unified2/15.8.2/", "requires_dist": null, "requires_python": null, "summary": "unified2 IDS binary log format parser", "version": "15.8.2" }, "last_serial": 1679702, "releases": { "12.06.0": [ { "comment_text": "", "digests": { "md5": "f5d913d1a5c6d80f192e728136ce4ac7", "sha256": "ba2147dd7ddca608477027d6438b088af67abe81cc11ecbf3d54756b614722c6" }, "downloads": -1, "filename": "unified2-12.06.0.tar.gz", "has_sig": true, "md5_digest": "f5d913d1a5c6d80f192e728136ce4ac7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5329, "upload_time": "2012-06-07T18:16:39", "url": "https://files.pythonhosted.org/packages/3e/66/de572036c362178991928f3d3ad8911459b3f04c230b1d42c985ff5f3bf0/unified2-12.06.0.tar.gz" } ], "12.06.1": [ { "comment_text": "", "digests": { "md5": "1bd1614719bd243f96bebff1fff94eed", "sha256": "c515e39b70970fc82d69e6b3dd0449a59ff10676fdc3b329d5ab9c75fb2499ee" }, "downloads": -1, "filename": "unified2-12.06.1.tar.gz", "has_sig": true, "md5_digest": "1bd1614719bd243f96bebff1fff94eed", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5487, "upload_time": "2012-06-07T18:45:03", "url": "https://files.pythonhosted.org/packages/b8/2a/bca994ac764a568e9706a1e9488ebd81daaec971bac720cba31ab94bd454/unified2-12.06.1.tar.gz" } ], "12.06.2": [ { "comment_text": "", "digests": { "md5": "617e555b84810074bd7424722eb49639", "sha256": "3ea15091fd78108c3debe4b2a90c5b43290e2d98c388033371213622649078e9" }, "downloads": -1, "filename": "unified2-12.06.2.tar.gz", "has_sig": true, "md5_digest": "617e555b84810074bd7424722eb49639", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5900, "upload_time": "2012-06-21T12:07:24", "url": "https://files.pythonhosted.org/packages/f9/a9/f98d8c4784314ee2906ea2f51f6b1dd2f26ebbece893c268feed7b48d0b3/unified2-12.06.2.tar.gz" } ], "12.06.3": [ { "comment_text": "", "digests": { "md5": "0c25fa7cf2e2c2b8b42c9d1b85079668", "sha256": "ff9fc0f42cd18715a61840d752c5cf10501cd0990eb2da8b7476f3ffc91fb830" }, "downloads": -1, "filename": "unified2-12.06.3.tar.gz", "has_sig": true, "md5_digest": "0c25fa7cf2e2c2b8b42c9d1b85079668", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5932, "upload_time": "2012-06-29T03:26:44", "url": "https://files.pythonhosted.org/packages/28/2c/a322ace680b2c51efe4a0b49de7d5b9e921b4a23b23da93f29f0502ae4ba/unified2-12.06.3.tar.gz" } ], "12.07.0": [ { "comment_text": "", "digests": { "md5": "99ee22d916f93f4d2029a42743c7a265", "sha256": "2c01864e561ded258ac039452f65a75fb4b9359659ad023563d559a364bbe683" }, "downloads": -1, "filename": "unified2-12.07.0.tar.gz", "has_sig": true, "md5_digest": "99ee22d916f93f4d2029a42743c7a265", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5935, "upload_time": "2012-07-29T13:33:31", "url": "https://files.pythonhosted.org/packages/f1/a1/23bedb5b8b6f3cce190bd173b6b8d01ba81f288ea736e60a4ceb2979cbb6/unified2-12.07.0.tar.gz" } ], "12.7.0": [ { "comment_text": "", "digests": { "md5": "b0f21a391c0ea5bb4ad9fbf6793f3395", "sha256": "d38b691e5fee714eb40b2eacd461eb3b8bb212297851b063027e11095d9105da" }, "downloads": -1, "filename": "unified2-12.7.0.tar.gz", "has_sig": true, "md5_digest": "b0f21a391c0ea5bb4ad9fbf6793f3395", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5876, "upload_time": "2015-08-16T21:22:49", "url": "https://files.pythonhosted.org/packages/b1/ac/9ee27e7248712fc731601c816a0263de6885f9a789e1fa413d415b728a4d/unified2-12.7.0.tar.gz" } ], "15.8.2": [ { "comment_text": "", "digests": { "md5": "714ed3ad1d18da297cfdc015ceb1600b", "sha256": "6df97330f2f5d0ab703e123086e500ec304c9b20f0acd48e8100277f2af774ca" }, "downloads": -1, "filename": "unified2-15.8.2.tar.gz", "has_sig": true, "md5_digest": "714ed3ad1d18da297cfdc015ceb1600b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5869, "upload_time": "2015-08-16T21:23:29", "url": "https://files.pythonhosted.org/packages/92/ab/b73f39fb895fb2e0100e3dda5f3355936cd23d3778e9d5187de2e3b446b0/unified2-15.8.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "714ed3ad1d18da297cfdc015ceb1600b", "sha256": "6df97330f2f5d0ab703e123086e500ec304c9b20f0acd48e8100277f2af774ca" }, "downloads": -1, "filename": "unified2-15.8.2.tar.gz", "has_sig": true, "md5_digest": "714ed3ad1d18da297cfdc015ceb1600b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 5869, "upload_time": "2015-08-16T21:23:29", "url": "https://files.pythonhosted.org/packages/92/ab/b73f39fb895fb2e0100e3dda5f3355936cd23d3778e9d5187de2e3b446b0/unified2-15.8.2.tar.gz" } ] }