shadowbq/barnyard_waldo.rb

## barnyard_waldo.rb
#!/usr/bin/env ruby
#
# $> ./barnyard_waldo.rb
# Barnyard spool: /var/log/snort/merged.log.1431634445
# 2015-05-14 20:14:05 +0000

# Notes:
# Ruby String #unpack
# V | Integer | 32-bit unsigned, VAX (little-endian) byte order

# Barnyard2 Data Reference:
# <spooler.h>
# define MAX_FILEPATH_BUF    1024
# typedef struct _WaldoData
# {
#    char                    spool_dir[MAX_FILEPATH_BUF];
#    char                    spool_filebase[MAX_FILEPATH_BUF];
#    uint32_t                timestamp;
#    uint32_t                record_idx;
# } WaldoData;

MAX_FILEPATH_BUF = 1024
bookmark = '/var/spool/barnyard.waldo'
fp = open(bookmark, 'rb')


s = fp.read(MAX_FILEPATH_BUF)
spool_dir = s.strip

s = fp.read(MAX_FILEPATH_BUF)
spool_filebase = s.strip

s = fp.read(32)
epoch = s.unpack('V').first

# Unpack the bytes and the array:
puts "Barnyard spool: #{spool_dir}/#{spool_filebase}.#{epoch}"
puts Time.at(epoch)
	#!/usr/bin/env ruby
	#
	# $> ./barnyard_waldo.rb
	# Barnyard spool: /var/log/snort/merged.log.1431634445
	# 2015-05-14 20:14:05 +0000

	# Notes:
	# Ruby String #unpack
	# V \| Integer \| 32-bit unsigned, VAX (little-endian) byte order

	# Barnyard2 Data Reference:
	# <spooler.h>
	# define MAX_FILEPATH_BUF 1024
	# typedef struct _WaldoData
	# {
	# char spool_dir[MAX_FILEPATH_BUF];
	# char spool_filebase[MAX_FILEPATH_BUF];
	# uint32_t timestamp;
	# uint32_t record_idx;
	# } WaldoData;

	MAX_FILEPATH_BUF = 1024
	bookmark = '/var/spool/barnyard.waldo'
	fp = open(bookmark, 'rb')


	s = fp.read(MAX_FILEPATH_BUF)
	spool_dir = s.strip

	s = fp.read(MAX_FILEPATH_BUF)
	spool_filebase = s.strip

	s = fp.read(32)
	epoch = s.unpack('V').first

	# Unpack the bytes and the array:
	puts "Barnyard spool: #{spool_dir}/#{spool_filebase}.#{epoch}"
	puts Time.at(epoch)