Project

vectra

0.0
No commit activity in last 3 years
No release in over 3 years
vectramikemackintosh/ruby-vectraHomepageDocumentationSource CodeBug TrackerWiki
Easily interface with the Vectra API for consuming detections, threats and events
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
14,332
Stars
1
Forks
0
Watchers
2
 Releases
Current version
0.1.3
Total releases
6
First release
2015-02-23
Latest release
2015-02-23
 Issues
Open Issues
1
Closed Issues
0
Total Issues
1
Issue Closure Rate
0%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2015-03-01
Reverse Dependencies
0

 Dependencies

Development

bundler
>= 0
rake
>= 0
rspec
>= 0
webmock
>= 0

Runtime

fattr
>= 0
httparty
>= 0
 Project Readme

Ruby Vectra

A Ruby extension for interfacing with Vectra API.

Installation

Like any other gem:

gem install vectra

Testing

Update spec/spec_helper.rb with the following details:

# Set endpoint details
@endpoint_url = 'https://vectra-appliance/api/'
@username = "api"
@password = "BLAH"

To run tests, run:

rake test

Usage

Basic Block Configuration:

Vectra.configure do |config|
  config.endpoint = @endpoint_url
  config.username = @username
  config.password = @password
end

endpoint should be your Vectra box URL, no need to add the /api suffix. If you include it, it won't break things either.

Detections

To get all detections, use #all:

Vectra::Detections.all

You can also get a detection by ID or by referencing the detection URL:

Vectra::Detections.get(1)
Vectra::Detections.get('https://vectra/detection/1')

Detection Details

Within the response of a detection, you may find Detection Details. You can get more details on these like so:

Vectra::Detections.get(1)["detection_detail_set"].each do |d|
  details = Vectra::DetectionDetails.get(d)
  puts "--> #{details["destination"]}:#{details["dst_port"]}"
end

Relayed Comms

Another type of detection detail you may see is the following:

Vectra::Detections.get(1)["relayed_comm_set"].each do |r|
  details = Vectra::RelayComms.get(r)
  puts "--> #{details['inbound_proto']} #{details["inbound_ip"]}:#{details["inbound_port"]} @ #{details['total_bytes_rcvd']} bytes"
end

DNS

There is also a DNS set:

Vectra::Detections.get(1)["dns_set"].each do |d|
  details = Vectra::DNS.get(r)
  puts "--> DNS Server: #{details['dns_ip']} resolved #{details['dns_request']} to #{details['resp']}"
end

SQL Injection

And lastly, an SQL Injection Set

Vectra::Detections.get(1)["sqli_set"].each do |s|
  details = Vectra::SQLi.get(s)
  puts "Injection Attempted: #{details['ngram']} to #{details['destination']}"
end

Hosts

Do not use ::Hosts.all if you are in production. This will be very costly if you have more than 5,000 discovered hosts.

Instead, pass a Host ID or URL:

Vectra::Hosts.get(1)

Notes

Vectra uses a next parameter in their responses for pagination. Default pagination is 50. This API client will follow the next pages.

Currently, all responses which contain arrays (hosts and detections) will be sorted in ASC order by ID.

Credit

Mike Mackintosh