cef 0.7.1 → 0.8.0

data/VERSION

@@ -1 +1 @@
-0.7.1
+0.8.0

data/cef.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = %q{cef}
-  s.version = "0.7.1"
+  s.version = "0.8.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Ryan Breed"]
-  s.date = %q{2011-03-11}
+  s.date = %q{2011-03-30}
   s.default_executable = %q{cef_sender}
   s.description = %q{ format/send CEF logs via API+syslog or client program }
   s.email = %q{opensource@breed.org}
@@ -32,6 +32,7 @@ Gem::Specification.new do |s|
     "lib/cef/constants.rb",
     "lib/cef/event.rb",
     "lib/cef/file_logger.rb",
+    "lib/cef/parser.rb",
     "lib/cef/sender.rb",
     "spec/cef_spec.rb",
     "spec/spec_helper.rb"

data/lib/cef/constants.rb

@@ -1,7 +1,7 @@
 module CEF
-    PREFIX_FORMAT="<%d>%s %s CEF:0|%s|%s"
+  PREFIX_FORMAT="<%d>%s %s CEF:0|%s|%s"
   VERSION=File.read(File.join(File.expand_path(File.dirname(__FILE__)),'..','..','VERSION'))
-
+  LOG_TIME_FORMAT="%b %d %Y %H:%M:%S"
 
   # CEF Dictionary
   # CEF Prefix attributes
@@ -21,15 +21,48 @@ module CEF
   # differently than core attributes.
   EXTENSION_ATTRIBUTES = {
     :applicationProtocol          => "app",
+
+    :agentZoneURI                 => "agentZoneURI",
+    :agentAddress                 => "agt",
+    :agentHostName                => "ahost",
+    :agentId                      => "aid",
+    :agentName                    => "agentName",
+    :agentType                    => "at",
+    :agentTimeZone                => "atz",
+    :agentVersion                 => "av",
+
     :baseEventCount               => "cnt",
+    :baseEventIds                 => "baseEventIds",
     :bytesIn                      => "in",
     :bytesOut                     => "out",
+
+    :categoryBehavior             => "categoryBehavior",
+    :categoryDeviceGroup          => "categoryDeviceGroup",
+    :categoryObject               => "categoryObject",
+    :categoryOutcome              => "categoryOutcome",
+    :categorySignificance         => "categorySignificance",
+
+
+
     :deviceAction                 => "act",
-    :deviceHostNam                => "dvc",
-    :deviceNtDomain               => "deviceNtDomain",
+    :deviceDirection              => "deviceDirection",
     :deviceDnsDomain              => "deviceDnsDomain",
-    :deviceTranslatedAddress      => "deviceTranslatedAddress",
+    :deviceEventCategory          => "cat",
+    :deviceExternalId             => "deviceExternalId",
+    :deviceFacility               => "deviceFacility",
+    :deviceAddress                => "dvc",
+    :deviceHostName               => "dvchost",
+    :deviceInboundInterface       => "deviceInboundInterface",
     :deviceMacAddress             => "deviceMacAddress",
+    :deviceNtDomain               => "deviceNtDomain",
+    :deviceOutboundInterface      => "deviceOutboundInterface",
+    :devicePayloadId              => "devicePayloadId",
+    :deviceProcessName            => "deviceProcessName",
+    :deviceTimeZone               => "dtz",
+    :deviceTranslatedAddress      => "deviceTranslatedAddress",
+    :deviceTranslatedZoneURI      => "deviceTranslatedZoneURI",
+    :deviceZoneURI                => "deviceZoneURI",
+
     :deviceCustomNumber1          => "cn1",
     :deviceCustomNumber2          => "cn2",
     :deviceCustomNumber3          => "cn3",
@@ -52,7 +85,7 @@ module CEF
     :deviceCustomDate2            => "deviceCustomDate2",
     :deviceCustomDate1Label       => "deviceCustomDate1Label",
     :deviceCustomDate2Label       => "deviceCustomDate2Label",
-    :deviceEventCategory          => "cat",
+
     :destinationAddress           => "dst",
     :destinationDnsDomain         => "destinationDnsDomain",
     :destinationNtDomain          => "dntdom",
@@ -61,26 +94,29 @@ module CEF
     :destinationPort              => "dpt",
     :destinationProcessName       => "dproc",
     :destinationServiceName       => "destinationServiceName",
+    :destinationTranslatedAddress => "destinationTranslatedAddress",
+    :destinationTranslatedPort    => "destinationTranslatedPort",
     :destinationUserId            => "duid",
     :destinationUserPrivileges    => "dpriv",
     :destinationUserName          => "duser",
-    :destinationTranslatedAddress => "destinationTranslatedAddress",
-    :destinationTranslatedPort    => "destinationTranslatedPort",
-    :deviceDirection              => "deviceDirection",
-    :deviceExternalId             => "deviceExternalId",
-    :deviceFacility               => "deviceFacility",
-    :deviceInboundInterface       => "deviceInboundInterface",
-    :deviceOutboundInterface      => "deviceOutboundInterface",
-    :deviceProcessName            => "deviceProcessName",
+    :destinationZoneURI           => "destinationZoneURI",
+
+    :eventId                      => "eventId",
     :externalId                   => "externalId",
+    :eventType                    => "type",
+
     :fileHash                     => "fileHash",
     :fileId                       => "fileId",
     :fileName                     => "fname",
     :filePath                     => "filePath",
     :filePermission               => "filePermission",
-    :fsize                        => "fsize",
+    :fileSize                     => "fsize",
     :fileType                     => "fileType",
+
+    :generatorID                  => "generatorID",
+
     :message                      => "msg",
+
     :oldfileHash                  => "oldfileHash",
     :oldfileId                    => "oldfileId",
     :oldFilename                  => "oldFilename",
@@ -88,10 +124,12 @@ module CEF
     :oldfilePermission            => "oldfilePermission",
     :oldfsize                     => "oldfsize",
     :oldfileType                  => "oldfileType",
+
     :requestURL                   => "request",
     :requestClientApplication     => "requestClientApplication",
     :requestCookies               => "requestCookies",
     :requestMethod                => "requestMethod",
+
     :sourceAddress                => "src",
     :sourceDnsDomain              => "sourceDnsDomain",
     :sourceHostName               => "shost",
@@ -104,6 +142,8 @@ module CEF
     :sourceUserPrivileges         => "spriv",
     :sourceUserId                 => "suid",
     :sourceUserName               => "suser",
+    :sourceZoneURI                => "sourceZoneURI",
+
     :transportProtocol            => "proto"
   }
 
@@ -115,7 +155,10 @@ module CEF
     :oldfileModificationTime => "oldfileModificationTime",
     :receiptTime             => "rt",
     :startTime               => "start",
-    :endTime                 => "end"
+    :endTime                 => "end",
+    :managerReceiptTime      => "mrt",
+    :agentReceiptTime        => "art",
+
   }
 
   ATTRIBUTES=PREFIX_ATTRIBUTES.merge EXTENSION_ATTRIBUTES.merge TIME_ATTRIBUTES

data/lib/cef/event.rb

@@ -1,6 +1,6 @@
 module CEF
   class Event
-    attr_accessor :my_hostname, :syslog_pri
+    attr_accessor :my_hostname, :syslog_pri, :event_time
     # set up accessors for all of the CEF event attributes. ruby meta magic.
     CEF::ATTRIBUTES.each do |k,v|
       self.instance_eval do
@@ -20,20 +20,37 @@ module CEF
       # used to avoid requiring syslog.h on windoze
       #syslog_pri= Syslog::LOG_LOCAL0 | Syslog::LOG_NOTICE
       @syslog_pri  ||= 131
+      @other_attrs={}
+      @additional={}
     end
   
     # returns a cef formatted string
     def format_cef
+      log_time=nil
+      if event_time.nil?
+        log_time=Time.new.strftime(CEF::LOG_TIME_FORMAT)
+      else
+        log_time=event_time.strftime(CEF::LOG_TIME_FORMAT)
+      end
+
       cef_message=CEF::PREFIX_FORMAT % [
         syslog_pri.to_s,
         my_hostname,
-        Time.new.strftime("%b %d %Y %H:%M:%S"),
+        log_time,
         format_prefix,
         format_extension
       ]
       cef_message
     end
 
+    # used for non-schema fields
+    def set_additional(k,v)
+      @additional[k]=v
+    end
+    def get_additional(k,v)
+      @additional[k]
+    end
+
     private
       # make a guess as to how the time was set. parse strings and convert
       # them to epoch milliseconds, or leave it alone if it looks like a number
@@ -70,7 +87,7 @@ module CEF
       # only equals signs need to be escaped in the extension. i think.
       # TODO: something in the spec about \n and some others.
       def extension_escape(val)
-        val.gsub(/=/,'\=').gsub(/\n/,' ')
+        val.gsub(/=/,'\=').gsub(/\n/,' ').gsub(/\\/,'\\')
       end
 
       # returns a pipe-delimeted list of prefix attributes

data/lib/cef/parser.rb

@@ -0,0 +1,56 @@
+# COPYRIGHT: Ryan Breed
+# DATE:      3/27/11
+module CEF
+  class Parser
+    # TODO: deal with escaping delimeters
+    
+    attr_accessor :file_name
+
+    def initialize(*args)
+      # Parser.new(:foo=>"bar)
+      Hash[*args].each { |argname, argval| self.send(("%s="%argname), argval) }
+      
+      yield self if block_given?
+    end
+
+    def parse_file
+      events=[]
+      File.open(file_name) do |f|
+        f.each_line do |line|
+          line.chomp!
+          prefix=line.split(/\|/)
+          e=Event.new
+          extension_string=prefix[7..-1].join("|")
+          extension_av_pairs=extension_string.split(/ ([\w\.]+)=/)
+          extension_av_pairs.shift
+
+          begin
+            extension=Hash[ *extension_av_pairs.map {|i| i.strip} ]
+            extension.each do |k,v|
+              next if k.match(/^ad\./)
+              methname=CEF::ATTRIBUTES.invert[k].to_s
+              #puts "METHNAME: #{k} -> #{methname}"
+              e.send("%s=" % methname, v)
+            end
+
+          rescue Exception => except
+            puts except.message
+            pp   extension_av_pairs
+            puts line
+            next
+          end
+
+          %w{ deviceVendor deviceProduct deviceVersion
+              deviceEventClassId name deviceSeverity }.each_with_index {|att,i| e.send("%s="%att,prefix[i+1]) }
+
+          if block_given?
+            yield e
+          else
+            events.push e
+          end
+        end
+      end
+      events
+    end
+  end
+end

data/spec/cef_spec.rb

@@ -1,13 +1,36 @@
 require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
 
-describe "CEF Event Format" do
-  it "should output a preamble" do
-    prefix_vals=test_prefix_vals
-    e=CEF::Event.new
-    prefix_vals.each {|k,v| e.send("%s="%k,v) }
-    formatted=CEF::PREFIX_FORMAT % [ 131, *prefix_vals.values ]
-    
-    e.format_cef==formatted
+describe "CEF Event Formatter" do
+  describe "CEF Preamble" do
+    it "should output a preamble" do
+      prefix_vals=test_prefix_vals
+      t=Time.new
+      e=CEF::Event.new
+      e.event_time=t
+      prefix_vals.each {|k,v| e.send("%s="%k,v) }
+      preformatted=CEF::PREFIX_FORMAT % [ 131, Socket.gethostname, t.strftime(CEF::LOG_TIME_FORMAT), test_prefix_string, ""]
+      formatted=e.format_cef
+      preformatted.should == formatted
+    end
+    it "should escape pipes in the prefix" do
+      prefix_vals=test_prefix_escape_vals
+      t=Time.new
+      e=CEF::Event.new
+      e.event_time=t
+      prefix_vals.each {|k,v| e.send("%s="%k,v) }
+      preformatted=CEF::PREFIX_FORMAT % [ 131, Socket.gethostname, t.strftime(CEF::LOG_TIME_FORMAT), test_prefix_escape_string, ""]
+      formatted=e.format_cef
+      preformatted.should == formatted
+    end
   end
+  describe "Cef Extension" do
+    it "should output an extension"
+    it "should escape newlines"
+    it "should escape equal signs"
+    it "should format time attributes"
+  end
+end
 
+describe "UDPSender" do
+  
 end

data/spec/spec_helper.rb

@@ -22,6 +22,27 @@ def test_prefix_vals
   }
 end
 
+def test_prefix_escape_vals
+  test_prefix_escape_vals={
+    :deviceVendor       => "bre|ed",
+    :deviceProduct      => "CEF Sender",
+    :deviceVersion      => "0.1",
+    :deviceEventClassId => "0:debug",
+    :name               => "test",
+    :deviceSeverity     => "1"
+  }
+end
+
+def test_extension_vals
+  test_extension_vals={
+      :sourceAddress      => "192.168.1.1",
+      :destinationAddress => "192.168.1.2"
+  }
+end
+
 def test_prefix_string
-  "CEF:0|breed|CEF Sender|0.1|0:debug|test|1|"
+  "breed|CEF Sender|0.1|0:debug|test|1"
+  end
+def test_prefix_escape_string
+  "bre\\|ed|CEF Sender|0.1|0:debug|test|1"
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: cef
 version: !ruby/object:Gem::Version 
-  hash: 1
+  hash: 63
   prerelease: 
   segments: 
   - 0
-  - 7
-  - 1
-  version: 0.7.1
+  - 8
+  - 0
+  version: 0.8.0
 platform: ruby
 authors: 
 - Ryan Breed
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-03-11 00:00:00 -06:00
+date: 2011-03-30 00:00:00 -05:00
 default_executable: cef_sender
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -119,6 +119,7 @@ files:
 - lib/cef/constants.rb
 - lib/cef/event.rb
 - lib/cef/file_logger.rb
+- lib/cef/parser.rb
 - lib/cef/sender.rb
 - spec/cef_spec.rb
 - spec/spec_helper.rb