RubyGems - cef - Versions diffs - 0.6.1 → 0.7.0 - Mend

cef 0.6.1 → 0.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 0.6.1
1	+ 0.7.0

data/bin/cef_sender CHANGED

@@ -3,19 +3,18 @@ require 'rubygems'
 require 'cef'
 require 'getoptlong'
-sender=CEF::Sender.new
-e=CEF::Event.new
 @verbose=0
 @file=nil
+cef_event=CEF::Event.new
 opts=GetoptLong.new(
-  ["--verbose",      GetoptLong::OPTIONAL_ARGUMENT],
-  ["--help",      GetoptLong::OPTIONAL_ARGUMENT],
-  ["--schema",      GetoptLong::OPTIONAL_ARGUMENT],
+  ["--verbose",       GetoptLong::OPTIONAL_ARGUMENT],
+  ["--help",          GetoptLong::OPTIONAL_ARGUMENT],
+  ["--schema",        GetoptLong::OPTIONAL_ARGUMENT],
   ["--receiver",      GetoptLong::OPTIONAL_ARGUMENT],
-  ["--receiverPort",      GetoptLong::OPTIONAL_ARGUMENT],
-  ["--append-file",      GetoptLong::OPTIONAL_ARGUMENT],
-  *e.attrs.keys.collect {|o| ["--#{o}", GetoptLong::OPTIONAL_ARGUMENT]}
+  ["--receiverPort",  GetoptLong::OPTIONAL_ARGUMENT],
+  ["--append-file",   GetoptLong::OPTIONAL_ARGUMENT],
+  ["--tcp",           GetoptLong::OPTIONAL_ARGUMENT],
+  *cef_event.attrs.keys.collect {|o| ["--#{o}", GetoptLong::OPTIONAL_ARGUMENT]}
 )
 def print_usage
@@ -27,6 +26,8 @@ Usage: cef_sender --sourceAddress="192.168.1.1" [--eventAttribute="something"]
      --schema will dump all of the callable event attribute names
      --receiver= syslog receiver hostname/ip
      --receiverPort= syslog port
+     --append-file=  filename to append cef message to
+     --tcp will use TCP instead of the default (UDP) to send the message
 cef_sender will send CEF-formatted syslog messages to a receiver of your choice.
 only the cef fields defined in the cef reader flex connector are supported.
@@ -36,10 +37,11 @@ END_USAGE
 end
-def print_schema(e)
-  e.attrs.keys.collect {|k| k.to_s}.sort.each {|a| puts a}
+def print_schema(event)
+  event.attrs.keys.collect {|k| k.to_s}.sort.each {|a| puts a}
 end
 opts.each do |opt,arg|
   # TODO: set up cases for startTime, receiptTime, endTime to parse
   #       text and convert to unix time * 1000
@@ -47,12 +49,12 @@ opts.each do |opt,arg|
     when "--verbose"
       @verbose+=1
     when "--schema"
-      print_schema(e)
+      print_schema(cef_event)
       exit(0)
     when "--receiverPort"
-      sender.receiverPort=arg
+      @receiver_port=arg
     when "--receiver"
-      sender.receiver=arg
+      @receiver_host=arg
     when "--help"
       print_usage
       exit(0)
@@ -61,10 +63,16 @@ opts.each do |opt,arg|
     else
       fieldname = opt.gsub(/-/,'')
       value=arg
-      e.send("#{fieldname}=",value)
+      cef_event.send("%s=" % fieldname, value)
   end
 end
-msg=sender.format_event(e)
+cef_sender=CEF::UDPSender.new
+cef_sender.receiver=@receiver_host
+cef_sender.receiverPort=@receiver_port
+msg=cef_event.format_cef
 if @verbose>0
@@ -73,5 +81,5 @@ end
 if !(@file.nil?) && File.exists?(@file)
   @file.write "%s\n" % msg.gsub(/^<\d+>/,'')
 else
-  sender.emit(e)
+  cef_sender.emit(cef_event)
 end

data/cef.gemspec ADDED

@@ -0,0 +1,73 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
+# -*- encoding: utf-8 -*-
+Gem::Specification.new do |s|
+  s.name = %q{cef}
+  s.version = "0.7.0"
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Ryan Breed"]
+  s.date = %q{2011-03-11}
+  s.default_executable = %q{cef_sender}
+  s.description = %q{ format/send CEF logs via API+syslog or client program }
+  s.email = %q{opensource@breed.org}
+  s.executables = ["cef_sender"]
+  s.extra_rdoc_files = [
+    "LICENSE.txt",
+    "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+    ".rspec",
+    "Gemfile",
+    "LICENSE.txt",
+    "README.rdoc",
+    "Rakefile",
+    "VERSION",
+    "bin/cef_sender",
+    "cef.gemspec",
+    "lib/cef.rb",
+    "lib/cef/constants.rb",
+    "lib/cef/event.rb",
+    "lib/cef/file_logger.rb",
+    "lib/cef/sender.rb",
+    "spec/cef_spec.rb",
+    "spec/spec_helper.rb"
+  ]
+  s.homepage = %q{http://github.com/ryanbreed/cef}
+  s.licenses = ["MIT"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.5.2}
+  s.summary = %q{CEF Generation Library and Client}
+  s.test_files = [
+    "spec/cef_spec.rb",
+    "spec/spec_helper.rb"
+  ]
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<rspec>, ["~> 2.3.0"])
+      s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_development_dependency(%q<jeweler>, ["~> 1.5.2"])
+      s.add_development_dependency(%q<rcov>, [">= 0"])
+      s.add_development_dependency(%q<rspec>, ["~> 2.3.0"])
+    else
+      s.add_dependency(%q<rspec>, ["~> 2.3.0"])
+      s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+      s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
+      s.add_dependency(%q<rcov>, [">= 0"])
+      s.add_dependency(%q<rspec>, ["~> 2.3.0"])
+    end
+  else
+    s.add_dependency(%q<rspec>, ["~> 2.3.0"])
+    s.add_dependency(%q<bundler>, ["~> 1.0.0"])
+    s.add_dependency(%q<jeweler>, ["~> 1.5.2"])
+    s.add_dependency(%q<rcov>, [">= 0"])
+    s.add_dependency(%q<rspec>, ["~> 2.3.0"])
+  end
+end

data/lib/cef.rb CHANGED

@@ -1,274 +1,10 @@
 module CEF
   require 'socket'
   require 'parsedate'
-  PREFIX_FORMAT="<%d>%s %s CEF:0|%s|%s"
-  VERSION=File.read(File.join(File.expand_path(File.dirname(__FILE__)),'..','VERSION'))
-  # CEF Dictionary
-  # CEF Prefix attributes
-  PREFIX_ATTRIBUTES = {
-    :deviceVendor       => "deviceVendor",
-    :deviceVersion      => "deviceVersion",
-    :deviceProduct      => "deviceProduct",
-    :name               => "name",
-    :deviceSeverity     => "deviceSeverity",
-    :deviceEventClassId => "deviceEventClassId"
-  }
-  # these are the basic extension attributes. implementing others is as
-  # simple as adding :symbolRepresentingMethodName => "cefkeyname", but
-  # i am supremely lazy to type in the whole dictionary right now. perhaps
-  # this should be a .yaml config file. Extension attributes are formatted
-  # differently than core attributes.
-  EXTENSION_ATTRIBUTES = {
-    :applicationProtocol          => "app",
-    :baseEventCount               => "cnt",
-    :bytesIn                      => "in",
-    :bytesOut                     => "out",
-    :deviceAction                 => "act",
-    :deviceHostNam                => "dvc",
-    :deviceNtDomain               => "deviceNtDomain",
-    :deviceDnsDomain              => "deviceDnsDomain",
-    :deviceTranslatedAddress      => "deviceTranslatedAddress",
-    :deviceMacAddress             => "deviceMacAddress",
-    :deviceCustomNumber1          => "cn1",
-    :deviceCustomNumber2          => "cn2",
-    :deviceCustomNumber3          => "cn3",
-    :deviceCustomNumber1Label     => "cn1Label",
-    :deviceCustomNumber2Label     => "cn2Label",
-    :deviceCustomNumber3Label     => "cn3Label",
-    :deviceCustomString1          => "cs1",
-    :deviceCustomString2          => "cs2",
-    :deviceCustomString3          => "cs3",
-    :deviceCustomString4          => "cs4",
-    :deviceCustomString5          => "cs5",
-    :deviceCustomString6          => "cs6",
-    :deviceCustomString1Label     => "cs1Label",
-    :deviceCustomString2Label     => "cs2Label",
-    :deviceCustomString3Label     => "cs3Label",
-    :deviceCustomString4Label     => "cs4Label",
-    :deviceCustomString5Label     => "cs5Label",
-    :deviceCustomString6Label     => "cs6Label",
-    :deviceCustomDate1            => "deviceCustomDate1",
-    :deviceCustomDate2            => "deviceCustomDate2",
-    :deviceCustomDate1Label       => "deviceCustomDate1Label",
-    :deviceCustomDate2Label       => "deviceCustomDate2Label",
-    :deviceEventCategory          => "cat",
-    :destinationAddress           => "dst",
-    :destinationDnsDomain         => "destinationDnsDomain",
-    :destinationNtDomain          => "dntdom",
-    :destinationHostName          => "dhost",
-    :destinationMacAddress        => "dmac",
-    :destinationPort              => "dpt",
-    :destinationProcessName       => "dproc",
-    :destinationServiceName       => "destinationServiceName",
-    :destinationUserId            => "duid",
-    :destinationUserPrivileges    => "dpriv",
-    :destinationUserName          => "duser",
-    :destinationTranslatedAddress => "destinationTranslatedAddress",
-    :destinationTranslatedPort    => "destinationTranslatedPort",
-    :deviceDirection              => "deviceDirection",
-    :deviceExternalId             => "deviceExternalId",
-    :deviceFacility               => "deviceFacility",
-    :deviceInboundInterface       => "deviceInboundInterface",
-    :deviceOutboundInterface      => "deviceOutboundInterface",
-    :deviceProcessName            => "deviceProcessName",
-    :externalId                   => "externalId",
-    :fileHash                     => "fileHash",
-    :fileId                       => "fileId",
-    :fileName                     => "fname",
-    :filePath                     => "filePath",
-    :filePermission               => "filePermission",
-    :fsize                        => "fsize",
-    :fileType                     => "fileType",
-    :message                      => "msg",
-    :oldfileHash                  => "oldfileHash",
-    :oldfileId                    => "oldfileId",
-    :oldFilename                  => "oldFilename",
-    :oldfilePath                  => "oldfilePath",
-    :oldfilePermission            => "oldfilePermission",
-    :oldfsize                     => "oldfsize",
-    :oldfileType                  => "oldfileType",
-    :requestURL                   => "request",
-    :requestClientApplication     => "requestClientApplication",
-    :requestCookies               => "requestCookies",
-    :requestMethod                => "requestMethod",
-    :sourceAddress                => "src",
-    :sourceDnsDomain              => "sourceDnsDomain",
-    :sourceHostName               => "shost",
-    :sourceMacAddress             => "smac",
-    :sourceNtDomain               => "sntdom",
-    :sourcePort                   => "spt",
-    :sourceServiceName            => "sourceServiceName",
-    :sourceTranslatedAddress      => "sourceTranslatedAddress",
-    :sourceTranslatedPort         => "sourceTranslatedPort",
-    :sourceUserPrivileges         => "spriv",
-    :sourceUserId                 => "suid",
-    :sourceUserName               => "suser",
-    :transportProtocol            => "proto"
-  }
-  # these are tracked separately so they can be normalized during formatting
-  TIME_ATTRIBUTES={
-    :fileCreateTime          => "fileCreateTime",
-    :fileModificationTime    => "fileModificationTime",
-    :oldfileCreateTime       => "oldfileCreateTime",
-    :oldfileModificationTime => "oldfileModificationTime",
-    :receiptTime             => "rt",
-    :startTime               => "start",
-    :endTime                 => "end"
-  }
-  ATTRIBUTES=PREFIX_ATTRIBUTES.merge EXTENSION_ATTRIBUTES.merge TIME_ATTRIBUTES
-  # this class will formats and sends the cef event objects. you can use senders to set
-  # default values for any event attribute, and you can send cef event objects to multiple
-  # senders if you wish.
-  class Sender
-    attr_accessor :receiver, :receiverPort, :eventDefaults
-    attr_reader   :sock
-    # you can pass in a hash of options to be run to set parameters
-    def initialize(*params)
-      Hash[*params].each {|k,v| self.send("%s="%k,v) }
-      @sock=nil
-    end
-    def socksetup
-      @sock=UDPSocket.new
-      receiver= self.receiver || "127.0.0.1"
-      port= self.receiverPort || 514
-      @sock.connect(receiver,port)
-    end
-    # formats a CEFEvent
-    def format_event( event )
-      #HELL yeah it's hard-coded. What are you going to do about it?
-      #syslog_pri= Syslog::LOG_LOCAL0 | Syslog::LOG_NOTICE
-      syslog_pri=131
-      # process eventDefaults - we are expecting a hash here. These will
-      # override any values in the events passed to us. i know. brutal.
-      unless self.eventDefaults.nil?
-        self.eventDefaults.each do |k,v|
-	  event.send("#{k}=",v)
-        end
-      end
-      cef_message=PREFIX_FORMAT % [
-        syslog_pri.to_s,
-        Socket::gethostname,
-	      Time.new.strftime("%b %d %Y %H:%M:%S"),
-        event.prefix,
-        event.extension
-      ]
-      cef_message
-    end
-    #fire the message off
-    def emit(event)
-      self.socksetup if self.sock.nil?
-      self.sock.send self.format_event(event), 0
-    end
-  end
-  class Event
-    #%#
-    # set up accessors for all of the event attributes. ruby meta magic.
-    ATTRIBUTES.each do |k,v|
-      self.instance_eval do
-        attr_accessor k
-      end
-    end
-    def attrs
-      ATTRIBUTES
-    end
-    # so we can CEFEvent.new(:foo=>"bar")
-    def initialize( *params )
-      Hash[*params].each { |k,v| self.send("%s="%k,v) }
-    end
-    # escape only pipes and backslashes in the prefix. you bet your sweet
-    # ass there's a lot of backslashes in the substitution. you can thank
-    # the three levels of lexical analysis/substitution in the ruby interpreter
-    # for that.
-    def prefix_escape(val)
-      val.gsub(/(\||\\)/,'\\\\\&')
-    end
-    # only equals signs need to be escaped in the extension. i think.
-    # TODO: something in the spec about \n and some others.
-    def extension_escape(val)
-      val.gsub(/=/,'\=')
-    end
-    # make a guess as to how the time was set. parse strings and convert
-    # them to epoch milliseconds, or leave it alone if it looks like a number
-    # bigger than epoch milliseconds when i wrote this.
-    def time_convert(val)
-      converted=nil
-      #puts "converting time for #{val.class.to_s}/#{val}"
-      case val.class.to_s
-        when "String"
-          begin
-            converted=val.to_i
-          rescue
-            res=ParseDate.parsedate(val)
-            converted=Time.local(*res).to_i * 1000
-          end
-        when "Integer","Bignum"
-      	  if val < 1232589621000 #Wed Jan 21 20:00:21 -0600 2009
-            converted=val * 1000
-          else
-            converted=val
-          end
-        end
-      converted
-    end
-    # returns a pipe-delimeted list of prefix attributes
-    def prefix
-      vendor=  self.deviceVendor       || "Breed"
-      product= self.deviceProduct      || "CEF Sender"
-      version= self.deviceVersion      || CEF::VERSION
-      declid=  self.deviceEventClassId || "generic:0"
-      name=    self.name               || "Generic Event"
-      sev=     self.deviceSeverity     || "1"
-      cef_prefix="%s|%s|%s|%s|%s|%s" % [
-        prefix_escape(vendor),
-        prefix_escape(product),
-        prefix_escape(version),
-        prefix_escape(declid),
-        prefix_escape(name),
-        prefix_escape(sev),
-      ]
-    end
-    # returns a space-delimeted list of attribute=value pairs for all optionals
-    def extension
-      avpairs=[]
-      EXTENSION_ATTRIBUTES.each do |attribute,shortname|
-        unless self.send(attribute).nil?
-          avpairs.push(
-            "%s=%s" % [ shortname, extension_escape(self.send(attribute)) ]
-          )
-        end
-      end
-      # make sure time comes out as milliseconds since epoch
-      TIME_ATTRIBUTES.each do |attribute,shortname|
-        unless self.send(attribute).nil?
-          avpairs.push(
-            "%s=%s" % [ shortname, time_convert(self.send(attribute)) ]
-          )
-        end
-      end
-      avpairs.join(" ")
-    end
-  end
+  require 'cef/constants'
+  require 'cef/event'
+  require 'cef/sender'
+  require 'cef/file_logger'
 end

data/lib/cef/constants.rb ADDED

@@ -0,0 +1,122 @@
+module CEF
+    PREFIX_FORMAT="<%d>%s %s CEF:0|%s|%s"
+  VERSION=File.read(File.join(File.expand_path(File.dirname(__FILE__)),'..','..','VERSION'))
+  # CEF Dictionary
+  # CEF Prefix attributes
+  PREFIX_ATTRIBUTES = {
+    :deviceVendor       => "deviceVendor",
+    :deviceVersion      => "deviceVersion",
+    :deviceProduct      => "deviceProduct",
+    :name               => "name",
+    :deviceSeverity     => "deviceSeverity",
+    :deviceEventClassId => "deviceEventClassId"
+  }
+  # these are the basic extension attributes. implementing others is as
+  # simple as adding :symbolRepresentingMethodName => "cefkeyname", but
+  # i am supremely lazy to type in the whole dictionary right now. perhaps
+  # this should be a .yaml config file. Extension attributes are formatted
+  # differently than core attributes.
+  EXTENSION_ATTRIBUTES = {
+    :applicationProtocol          => "app",
+    :baseEventCount               => "cnt",
+    :bytesIn                      => "in",
+    :bytesOut                     => "out",
+    :deviceAction                 => "act",
+    :deviceHostNam                => "dvc",
+    :deviceNtDomain               => "deviceNtDomain",
+    :deviceDnsDomain              => "deviceDnsDomain",
+    :deviceTranslatedAddress      => "deviceTranslatedAddress",
+    :deviceMacAddress             => "deviceMacAddress",
+    :deviceCustomNumber1          => "cn1",
+    :deviceCustomNumber2          => "cn2",
+    :deviceCustomNumber3          => "cn3",
+    :deviceCustomNumber1Label     => "cn1Label",
+    :deviceCustomNumber2Label     => "cn2Label",
+    :deviceCustomNumber3Label     => "cn3Label",
+    :deviceCustomString1          => "cs1",
+    :deviceCustomString2          => "cs2",
+    :deviceCustomString3          => "cs3",
+    :deviceCustomString4          => "cs4",
+    :deviceCustomString5          => "cs5",
+    :deviceCustomString6          => "cs6",
+    :deviceCustomString1Label     => "cs1Label",
+    :deviceCustomString2Label     => "cs2Label",
+    :deviceCustomString3Label     => "cs3Label",
+    :deviceCustomString4Label     => "cs4Label",
+    :deviceCustomString5Label     => "cs5Label",
+    :deviceCustomString6Label     => "cs6Label",
+    :deviceCustomDate1            => "deviceCustomDate1",
+    :deviceCustomDate2            => "deviceCustomDate2",
+    :deviceCustomDate1Label       => "deviceCustomDate1Label",
+    :deviceCustomDate2Label       => "deviceCustomDate2Label",
+    :deviceEventCategory          => "cat",
+    :destinationAddress           => "dst",
+    :destinationDnsDomain         => "destinationDnsDomain",
+    :destinationNtDomain          => "dntdom",
+    :destinationHostName          => "dhost",
+    :destinationMacAddress        => "dmac",
+    :destinationPort              => "dpt",
+    :destinationProcessName       => "dproc",
+    :destinationServiceName       => "destinationServiceName",
+    :destinationUserId            => "duid",
+    :destinationUserPrivileges    => "dpriv",
+    :destinationUserName          => "duser",
+    :destinationTranslatedAddress => "destinationTranslatedAddress",
+    :destinationTranslatedPort    => "destinationTranslatedPort",
+    :deviceDirection              => "deviceDirection",
+    :deviceExternalId             => "deviceExternalId",
+    :deviceFacility               => "deviceFacility",
+    :deviceInboundInterface       => "deviceInboundInterface",
+    :deviceOutboundInterface      => "deviceOutboundInterface",
+    :deviceProcessName            => "deviceProcessName",
+    :externalId                   => "externalId",
+    :fileHash                     => "fileHash",
+    :fileId                       => "fileId",
+    :fileName                     => "fname",
+    :filePath                     => "filePath",
+    :filePermission               => "filePermission",
+    :fsize                        => "fsize",
+    :fileType                     => "fileType",
+    :message                      => "msg",
+    :oldfileHash                  => "oldfileHash",
+    :oldfileId                    => "oldfileId",
+    :oldFilename                  => "oldFilename",
+    :oldfilePath                  => "oldfilePath",
+    :oldfilePermission            => "oldfilePermission",
+    :oldfsize                     => "oldfsize",
+    :oldfileType                  => "oldfileType",
+    :requestURL                   => "request",
+    :requestClientApplication     => "requestClientApplication",
+    :requestCookies               => "requestCookies",
+    :requestMethod                => "requestMethod",
+    :sourceAddress                => "src",
+    :sourceDnsDomain              => "sourceDnsDomain",
+    :sourceHostName               => "shost",
+    :sourceMacAddress             => "smac",
+    :sourceNtDomain               => "sntdom",
+    :sourcePort                   => "spt",
+    :sourceServiceName            => "sourceServiceName",
+    :sourceTranslatedAddress      => "sourceTranslatedAddress",
+    :sourceTranslatedPort         => "sourceTranslatedPort",
+    :sourceUserPrivileges         => "spriv",
+    :sourceUserId                 => "suid",
+    :sourceUserName               => "suser",
+    :transportProtocol            => "proto"
+  }
+  # these are tracked separately so they can be normalized during formatting
+  TIME_ATTRIBUTES={
+    :fileCreateTime          => "fileCreateTime",
+    :fileModificationTime    => "fileModificationTime",
+    :oldfileCreateTime       => "oldfileCreateTime",
+    :oldfileModificationTime => "oldfileModificationTime",
+    :receiptTime             => "rt",
+    :startTime               => "start",
+    :endTime                 => "end"
+  }
+  ATTRIBUTES=PREFIX_ATTRIBUTES.merge EXTENSION_ATTRIBUTES.merge TIME_ATTRIBUTES
+end

data/lib/cef/event.rb ADDED

@@ -0,0 +1,116 @@
+module CEF
+  class Event
+    attr_accessor :my_hostname, :syslog_pri
+    # set up accessors for all of the CEF event attributes. ruby meta magic.
+    CEF::ATTRIBUTES.each do |k,v|
+      self.instance_eval do
+        attr_accessor k
+      end
+    end
+    def attrs
+      CEF::ATTRIBUTES
+    end
+    # so we can CEF::Event.new(:foo=>"bar")
+    def initialize( *params )
+      Hash[*params].each { |k,v| self.send("%s="%k,v) }
+      @my_hostname ||= Socket::gethostname
+      # used to avoid requiring syslog.h on windoze
+      #syslog_pri= Syslog::LOG_LOCAL0 | Syslog::LOG_NOTICE
+      @syslog_pri  ||= 131
+    end
+    # returns a cef formatted string
+    def format_cef
+      cef_message=CEF::PREFIX_FORMAT % [
+        syslog_pri.to_s,
+        my_hostname,
+        Time.new.strftime("%b %d %Y %H:%M:%S"),
+        format_prefix,
+        format_extension
+      ]
+      cef_message
+    end
+    private
+      # make a guess as to how the time was set. parse strings and convert
+      # them to epoch milliseconds, or leave it alone if it looks like a number
+      # bigger than epoch milliseconds when i wrote this.
+      def time_convert(val)
+        converted=nil
+        #puts "converting time for #{val.class.to_s}/#{val}"
+        case val.class.to_s
+          when "String"
+            begin
+              converted=val.to_i
+            rescue
+              res=ParseDate.parsedate(val)
+              converted=Time.local(*res).to_i * 1000
+            end
+          when "Integer","Bignum"
+            if val < 1232589621000 #Wed Jan 21 20:00:21 -0600 2009
+              converted=val * 1000
+            else
+              converted=val
+            end
+          end
+        converted
+      end
+      # escape only pipes and backslashes in the prefix. you bet your sweet
+      # ass there's a lot of backslashes in the substitution. you can thank
+      # the three levels of lexical analysis/substitution in the ruby interpreter
+      # for that.
+      def prefix_escape(val)
+        val.gsub(/(\||\\)/,'\\\\\&')
+      end
+      # only equals signs need to be escaped in the extension. i think.
+      # TODO: something in the spec about \n and some others.
+      def extension_escape(val)
+        val.gsub(/=/,'\=').gsub(/\n/,' ')
+      end
+      # returns a pipe-delimeted list of prefix attributes
+      def format_prefix
+        vendor=  self.deviceVendor       || "Breed"
+        product= self.deviceProduct      || "CEF Sender"
+        version= self.deviceVersion      || CEF::VERSION
+        declid=  self.deviceEventClassId || "generic:0"
+        name=    self.name               || "Generic Event"
+        sev=     self.deviceSeverity     || "1"
+        cef_prefix="%s|%s|%s|%s|%s|%s" % [
+          prefix_escape(vendor),
+          prefix_escape(product),
+          prefix_escape(version),
+          prefix_escape(declid),
+          prefix_escape(name),
+          prefix_escape(sev),
+        ]
+      end
+      # returns a space-delimeted list of attribute=value pairs for all optionals
+      def format_extension
+        avpairs=[]
+        CEF::EXTENSION_ATTRIBUTES.each do |attribute,shortname|
+          unless self.send(attribute).nil?
+            avpairs.push(
+              "%s=%s" % [ shortname, extension_escape(self.send(attribute)) ]
+            )
+          end
+        end
+        # make sure time comes out as milliseconds since epoch
+        CEF::TIME_ATTRIBUTES.each do |attribute,shortname|
+          unless self.send(attribute).nil?
+            avpairs.push(
+              "%s=%s" % [ shortname, time_convert(self.send(attribute)) ]
+            )
+          end
+        end
+        avpairs.join(" ")
+      end
+    end
+end

data/lib/cef/file_logger.rb ADDED

@@ -0,0 +1,8 @@
+module CEF
+  class FileLogger
+    def initialize(*args)
+      Hash[*args].each { |argname, argval| self.send(("%s="%argname), argval) }
+    end
+  end
+end

data/lib/cef/sender.rb ADDED

@@ -0,0 +1,38 @@
+module CEF
+  require 'socket'
+  class Sender
+    attr_accessor :receiver, :receiverPort, :eventDefaults
+    attr_reader   :sock
+    def initialize(*args)
+      Hash[*args].each { |argname, argval| self.send(("%s="%argname), argval) }
+      @sock=nil
+    end
+  end
+  #TODO: Implement relp/tcp senders
+  class UDPSender < Sender
+    #fire the message off
+    def emit(event)
+      self.socksetup if self.sock.nil?
+      # process eventDefaults - we are expecting a hash here. These will
+      # override any values in the events passed to us. i know. brutal.
+      unless self.eventDefaults.nil?
+        self.eventDefaults.each do |k,v|
+          event.send("%s=" % k,v)
+        end
+      end
+      self.sock.send event.format_cef, 0
+    end
+    def socksetup
+      @sock=UDPSocket.new
+      receiver= self.receiver || "127.0.0.1"
+      port= self.receiverPort || 514
+      @sock.connect(receiver,port)
+    end
+  end
+end

data/spec/cef_spec.rb CHANGED

@@ -5,8 +5,9 @@ describe "CEF Event Format" do
     prefix_vals=test_prefix_vals
     e=CEF::Event.new
     prefix_vals.each {|k,v| e.send("%s="%k,v) }
-    s=CEF::Sender.new
     formatted=CEF::PREFIX_FORMAT % [ 131, *prefix_vals.values ]
-    s.format_event(e)==formatted
+    e.format_cef==formatted
   end
 end

data/spec/spec_helper.rb CHANGED

@@ -20,4 +20,8 @@ def test_prefix_vals
     :name               => "test",
     :deviceSeverity     => "1"
   }
+end
+def test_prefix_string
+  "CEF:0|breed|CEF Sender|0.1|0:debug|test|1|"
 end

metadata CHANGED

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: cef
 version: !ruby/object:Gem::Version
-  hash: 5
+  hash: 3
   prerelease:
   segments:
   - 0
-  - 6
-  - 1
-  version: 0.6.1
+  - 7
+  - 0
+  version: 0.7.0
 platform: ruby
 authors:
 - Ryan Breed
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2011-02-20 00:00:00 -06:00
+date: 2011-03-11 00:00:00 -06:00
 default_executable: cef_sender
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -114,7 +114,12 @@ files:
 - Rakefile
 - VERSION
 - bin/cef_sender
+- cef.gemspec
 - lib/cef.rb
+- lib/cef/constants.rb
+- lib/cef/event.rb
+- lib/cef/file_logger.rb
+- lib/cef/sender.rb
 - spec/cef_spec.rb
 - spec/spec_helper.rb
 has_rdoc: true