cef 1.0.0 → 2.1.1.pre

data/lib/cef/constants.rb

@@ -1,166 +0,0 @@
-module CEF
-  SEVERITY_LOW="1"
-
-  LOG_FORMAT="<%d>%s %s CEF:0|%s|%s"
-  LOG_TIME_FORMAT="%b %d %Y %H:%M:%S"
-
-  # CEF Dictionary
-  # CEF Prefix attributes
-  PREFIX_ATTRIBUTES = {
-    :deviceVendor       => "deviceVendor",
-    :deviceProduct      => "deviceProduct",
-    :deviceVersion      => "deviceVersion",
-    :deviceEventClassId => "deviceEventClassId",
-    :name               => "name",
-    :deviceSeverity     => "deviceSeverity"
-  }
-
-  # these are the basic extension attributes. implementing others is as
-  # simple as adding :symbolRepresentingMethodName => "cefkeyname", but
-  # i am supremely lazy to type in the whole dictionary right now. perhaps
-  # this should be a .yaml config file. Extension attributes are formatted
-  # differently than core attributes.
-  EXTENSION_ATTRIBUTES = {
-    :applicationProtocol          => "app",
-
-    :agentZoneURI                 => "agentZoneURI",
-    :agentAddress                 => "agt",
-    :agentHostName                => "ahost",
-    :agentId                      => "aid",
-    :agentName                    => "agentName",
-    :agentType                    => "at",
-    :agentTimeZone                => "atz",
-    :agentVersion                 => "av",
-
-    :baseEventCount               => "cnt",
-    :baseEventIds                 => "baseEventIds",
-    :bytesIn                      => "in",
-    :bytesOut                     => "out",
-
-    :categoryBehavior             => "categoryBehavior",
-    :categoryDeviceGroup          => "categoryDeviceGroup",
-    :categoryObject               => "categoryObject",
-    :categoryOutcome              => "categoryOutcome",
-    :categorySignificance         => "categorySignificance",
-
-
-
-    :deviceAction                 => "act",
-    :deviceDirection              => "deviceDirection",
-    :deviceDnsDomain              => "deviceDnsDomain",
-    :deviceEventCategory          => "cat",
-    :deviceExternalId             => "deviceExternalId",
-    :deviceFacility               => "deviceFacility",
-    :deviceAddress                => "dvc",
-    :deviceHostName               => "dvchost",
-    :deviceInboundInterface       => "deviceInboundInterface",
-    :deviceMacAddress             => "deviceMacAddress",
-    :deviceNtDomain               => "deviceNtDomain",
-    :deviceOutboundInterface      => "deviceOutboundInterface",
-    :devicePayloadId              => "devicePayloadId",
-    :deviceProcessName            => "deviceProcessName",
-    :deviceTimeZone               => "dtz",
-    :deviceTranslatedAddress      => "deviceTranslatedAddress",
-    :deviceTranslatedZoneURI      => "deviceTranslatedZoneURI",
-    :deviceZoneURI                => "deviceZoneURI",
-
-    :deviceCustomNumber1          => "cn1",
-    :deviceCustomNumber2          => "cn2",
-    :deviceCustomNumber3          => "cn3",
-    :deviceCustomNumber1Label     => "cn1Label",
-    :deviceCustomNumber2Label     => "cn2Label",
-    :deviceCustomNumber3Label     => "cn3Label",
-    :deviceCustomString1          => "cs1",
-    :deviceCustomString2          => "cs2",
-    :deviceCustomString3          => "cs3",
-    :deviceCustomString4          => "cs4",
-    :deviceCustomString5          => "cs5",
-    :deviceCustomString6          => "cs6",
-    :deviceCustomString1Label     => "cs1Label",
-    :deviceCustomString2Label     => "cs2Label",
-    :deviceCustomString3Label     => "cs3Label",
-    :deviceCustomString4Label     => "cs4Label",
-    :deviceCustomString5Label     => "cs5Label",
-    :deviceCustomString6Label     => "cs6Label",
-    :deviceCustomDate1            => "deviceCustomDate1",
-    :deviceCustomDate2            => "deviceCustomDate2",
-    :deviceCustomDate1Label       => "deviceCustomDate1Label",
-    :deviceCustomDate2Label       => "deviceCustomDate2Label",
-
-    :destinationAddress           => "dst",
-    :destinationDnsDomain         => "destinationDnsDomain",
-    :destinationNtDomain          => "dntdom",
-    :destinationHostName          => "dhost",
-    :destinationMacAddress        => "dmac",
-    :destinationPort              => "dpt",
-    :destinationProcessName       => "dproc",
-    :destinationServiceName       => "destinationServiceName",
-    :destinationTranslatedAddress => "destinationTranslatedAddress",
-    :destinationTranslatedPort    => "destinationTranslatedPort",
-    :destinationUserId            => "duid",
-    :destinationUserPrivileges    => "dpriv",
-    :destinationUserName          => "duser",
-    :destinationZoneURI           => "destinationZoneURI",
-
-    :eventId                      => "eventId",
-    :externalId                   => "externalId",
-    :eventType                    => "type",
-
-    :fileHash                     => "fileHash",
-    :fileId                       => "fileId",
-    :fileName                     => "fname",
-    :filePath                     => "filePath",
-    :filePermission               => "filePermission",
-    :fileSize                     => "fsize",
-    :fileType                     => "fileType",
-
-    :generatorID                  => "generatorID",
-
-    :message                      => "msg",
-
-    :oldfileHash                  => "oldfileHash",
-    :oldfileId                    => "oldfileId",
-    :oldFilename                  => "oldFilename",
-    :oldfilePath                  => "oldfilePath",
-    :oldfilePermission            => "oldfilePermission",
-    :oldfsize                     => "oldfsize",
-    :oldfileType                  => "oldfileType",
-
-    :requestURL                   => "request",
-    :requestClientApplication     => "requestClientApplication",
-    :requestCookies               => "requestCookies",
-    :requestMethod                => "requestMethod",
-
-    :sourceAddress                => "src",
-    :sourceDnsDomain              => "sourceDnsDomain",
-    :sourceHostName               => "shost",
-    :sourceMacAddress             => "smac",
-    :sourceNtDomain               => "sntdom",
-    :sourcePort                   => "spt",
-    :sourceServiceName            => "sourceServiceName",
-    :sourceTranslatedAddress      => "sourceTranslatedAddress",
-    :sourceTranslatedPort         => "sourceTranslatedPort",
-    :sourceUserPrivileges         => "spriv",
-    :sourceUserId                 => "suid",
-    :sourceUserName               => "suser",
-    :sourceZoneURI                => "sourceZoneURI",
-
-    :transportProtocol            => "proto"
-  }
-
-  # these are tracked separately so they can be normalized during formatting
-  TIME_ATTRIBUTES={
-    :fileCreateTime          => "fileCreateTime",
-    :fileModificationTime    => "fileModificationTime",
-    :oldfileCreateTime       => "oldfileCreateTime",
-    :oldfileModificationTime => "oldfileModificationTime",
-    :receiptTime             => "rt",
-    :startTime               => "start",
-    :endTime                 => "end",
-    :managerReceiptTime      => "mrt",
-    :agentReceiptTime        => "art",
-
-  }
-
-  ATTRIBUTES=PREFIX_ATTRIBUTES.merge EXTENSION_ATTRIBUTES.merge TIME_ATTRIBUTES
-end

data/lib/cef/sender.rb

@@ -1,39 +0,0 @@
-module CEF
-  require 'socket'
-
-  class Sender
-    attr_accessor :receiver, :receiverPort, :eventDefaults
-    attr_reader   :sock
-    def initialize(*args)
-      Hash[*args].each { |argname, argval| self.send(("%s="%argname), argval) }
-      @sock=nil
-    end
-  end
-
-  #TODO: Implement relp/tcp senders
-
-  class UDPSender < Sender
-    def initialize(receiver='127.0.0.1', port=514)
-      @receiver = receiver
-      @port = port
-    end
-
-    #fire the message off
-    def emit(event)
-      self.socksetup if self.sock.nil?
-      # process eventDefaults - we are expecting a hash here. These will
-      # override any values in the events passed to us. i know. brutal.
-      unless self.eventDefaults.nil?
-        self.eventDefaults.each do |k,v|
-          event.send("%s=" % k,v)
-        end
-      end
-      self.sock.send event.to_s, 0
-    end
-
-    def socksetup
-      @sock=UDPSocket.new
-      @sock.connect(@receiver, @port)
-    end
-  end
-end

data/spec/lib/cef/event_spec.rb

@@ -1,44 +0,0 @@
-require 'spec_helper'
-
-describe CEF::Event do
-  let(:formatted_time) { "Apr 25 1975 12:00:00" }
-  let(:time)  { DateTime.strptime(formatted_time , '%b %d %Y %H:%M:%S')}
-  
-  context "formatting the syslog message" do
-    let(:formatted) { "<131>Apr 25 1975 12:00:00 cefspec CEF:0|breed.org|CEF|#{CEF::VERSION}|0:event|unnamed event|1|" }
-    let(:escaped)   { "<131>Apr 25 1975 12:00:00 cefspec CEF:0|bre\\|ed|CEF|#{CEF::VERSION}|0:event|unnamed event|1|" }
-  end
-
-  context "formatting the CEF prefix" do
-    let(:formatted) {"breed.org|CEF|#{CEF::VERSION}|0:event|unnamed event|1"}
-    let(:escaped)   {"bre\\|ed|CEF|#{CEF::VERSION}|0:event|unnamed event|1"}
-    describe "#format_cef" do
-      it "formats prefix values" do
-        event=CEF::Event.new(
-          event_time:         time,
-          my_hostname:        "cefspec"
-        )    
-        expect(event.format_prefix).to eq(formatted)
-      end
-      it "escapes pipes in the prefix" do
-        event=CEF::Event.new(
-          event_time:         time,
-          my_hostname:        "cefspec",
-          deviceVendor:       "bre|ed"
-        )    
-        expect(event.format_prefix).to eq(escaped)
-      end
-    end
-  end
-
-  context 'formatting the CEF extension' do
-    let(:escaped) { "suser=User\\=Name" }
-
-    it 'escapes equal signs' do
-      event = CEF::Event.new(
-          sourceUserName: 'User=Name'
-      )
-      expect(event.format_extension).to eq(escaped)
-    end
-  end
-end

data/spec/lib/cef/sender_spec.rb

@@ -1,24 +0,0 @@
-require 'spec_helper'
-
-describe CEF::UDPSender do
-  it 'defaults receiver to localhost on port 514' do
-    sock_double = double
-    expect(UDPSocket).to receive(:new).and_return(sock_double)
-    expect(sock_double).to receive(:connect).with('127.0.0.1', 514)
-
-    sender = CEF::UDPSender.new
-    sender.socksetup
-  end
-
-  it 'receives an escaped message when emit is called' do
-    event = CEF::Event.new
-
-    sock_double = double
-    expect(UDPSocket).to receive(:new).and_return(sock_double)
-    expect(sock_double).to receive(:connect).with('myDomain.org', 4321)
-    expect(sock_double).to receive(:send).with(event.to_s, 0)
-
-    sender = CEF::UDPSender.new('myDomain.org', 4321)
-    sender.emit(event)
-  end
-end

data/spec/lib/cef_spec.rb

@@ -1,9 +0,0 @@
-require 'spec_helper'
-
-describe "CEF Event Formatter" do
-  describe "Cef Extension" do
-    it "should output an extension"
-    it "should escape newlines"
-    it "should format time attributes"
-  end
-end

data/spec/spec_helper.rb

@@ -1,7 +0,0 @@
-require 'cef'
-
-RSpec.configure do |config|
-  config.run_all_when_everything_filtered = true
-  config.filter_run :focus
-  config.order = 'random'
-end