cef 1.0.0 → 2.1.1.pre
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +3 -7
- data/.rspec +2 -1
- data/Guardfile +55 -0
- data/README.rdoc +3 -64
- data/VERSION +1 -1
- data/bin/cef_sender +0 -0
- data/cef.gemspec +17 -15
- data/conf/cef-schema.json +251 -0
- data/lib/cef.rb +39 -3
- data/lib/cef/event.rb +82 -134
- data/lib/cef/loggers/cef_file.rb +19 -0
- data/lib/cef/loggers/cef_syslog_udp.rb +40 -0
- data/lib/cef/time_extensions.rb +15 -0
- data/lib/cef/version.rb +1 -1
- metadata +83 -33
- data/lib/cef/constants.rb +0 -166
- data/lib/cef/sender.rb +0 -39
- data/spec/lib/cef/event_spec.rb +0 -44
- data/spec/lib/cef/sender_spec.rb +0 -24
- data/spec/lib/cef_spec.rb +0 -9
- data/spec/spec_helper.rb +0 -7
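--- a/data/lib/cef/constants.rb
+++ /dev/null
@@ -1,166 +0,0 @@
-module CEF
-SEVERITY_LOW="1"
-
-LOG_FORMAT="<%d>%s %s CEF:0|%s|%s"
-LOG_TIME_FORMAT="%b %d %Y %H:%M:%S"
-
-# CEF Dictionary
-# CEF Prefix attributes
-PREFIX_ATTRIBUTES = {
-:deviceVendor => "deviceVendor",
-:deviceProduct => "deviceProduct",
-:deviceVersion => "deviceVersion",
-:deviceEventClassId => "deviceEventClassId",
-:name => "name",
-:deviceSeverity => "deviceSeverity"
-}
-
-# these are the basic extension attributes. implementing others is as
-# simple as adding :symbolRepresentingMethodName => "cefkeyname", but
-# i am supremely lazy to type in the whole dictionary right now. perhaps
-# this should be a .yaml config file. Extension attributes are formatted
-# differently than core attributes.
-EXTENSION_ATTRIBUTES = {
-:applicationProtocol => "app",
-
-:agentZoneURI => "agentZoneURI",
-:agentAddress => "agt",
-:agentHostName => "ahost",
-:agentId => "aid",
-:agentName => "agentName",
-:agentType => "at",
-:agentTimeZone => "atz",
-:agentVersion => "av",
-
-:baseEventCount => "cnt",
-:baseEventIds => "baseEventIds",
-:bytesIn => "in",
-:bytesOut => "out",
-
-:categoryBehavior => "categoryBehavior",
-:categoryDeviceGroup => "categoryDeviceGroup",
-:categoryObject => "categoryObject",
-:categoryOutcome => "categoryOutcome",
-:categorySignificance => "categorySignificance",
-
-
-
-:deviceAction => "act",
-:deviceDirection => "deviceDirection",
-:deviceDnsDomain => "deviceDnsDomain",
-:deviceEventCategory => "cat",
-:deviceExternalId => "deviceExternalId",
-:deviceFacility => "deviceFacility",
-:deviceAddress => "dvc",
-:deviceHostName => "dvchost",
-:deviceInboundInterface => "deviceInboundInterface",
-:deviceMacAddress => "deviceMacAddress",
-:deviceNtDomain => "deviceNtDomain",
-:deviceOutboundInterface => "deviceOutboundInterface",
-:devicePayloadId => "devicePayloadId",
-:deviceProcessName => "deviceProcessName",
-:deviceTimeZone => "dtz",
-:deviceTranslatedAddress => "deviceTranslatedAddress",
-:deviceTranslatedZoneURI => "deviceTranslatedZoneURI",
-:deviceZoneURI => "deviceZoneURI",
-
-:deviceCustomNumber1 => "cn1",
-:deviceCustomNumber2 => "cn2",
-:deviceCustomNumber3 => "cn3",
-:deviceCustomNumber1Label => "cn1Label",
-:deviceCustomNumber2Label => "cn2Label",
-:deviceCustomNumber3Label => "cn3Label",
-:deviceCustomString1 => "cs1",
-:deviceCustomString2 => "cs2",
-:deviceCustomString3 => "cs3",
-:deviceCustomString4 => "cs4",
-:deviceCustomString5 => "cs5",
-:deviceCustomString6 => "cs6",
-:deviceCustomString1Label => "cs1Label",
-:deviceCustomString2Label => "cs2Label",
-:deviceCustomString3Label => "cs3Label",
-:deviceCustomString4Label => "cs4Label",
-:deviceCustomString5Label => "cs5Label",
-:deviceCustomString6Label => "cs6Label",
-:deviceCustomDate1 => "deviceCustomDate1",
-:deviceCustomDate2 => "deviceCustomDate2",
-:deviceCustomDate1Label => "deviceCustomDate1Label",
-:deviceCustomDate2Label => "deviceCustomDate2Label",
-
-:destinationAddress => "dst",
-:destinationDnsDomain => "destinationDnsDomain",
-:destinationNtDomain => "dntdom",
-:destinationHostName => "dhost",
-:destinationMacAddress => "dmac",
-:destinationPort => "dpt",
-:destinationProcessName => "dproc",
-:destinationServiceName => "destinationServiceName",
-:destinationTranslatedAddress => "destinationTranslatedAddress",
-:destinationTranslatedPort => "destinationTranslatedPort",
-:destinationUserId => "duid",
-:destinationUserPrivileges => "dpriv",
-:destinationUserName => "duser",
-:destinationZoneURI => "destinationZoneURI",
-
-:eventId => "eventId",
-:externalId => "externalId",
-:eventType => "type",
-
-:fileHash => "fileHash",
-:fileId => "fileId",
-:fileName => "fname",
-:filePath => "filePath",
-:filePermission => "filePermission",
-:fileSize => "fsize",
-:fileType => "fileType",
-
-:generatorID => "generatorID",
-
-:message => "msg",
-
-:oldfileHash => "oldfileHash",
-:oldfileId => "oldfileId",
-:oldFilename => "oldFilename",
-:oldfilePath => "oldfilePath",
-:oldfilePermission => "oldfilePermission",
-:oldfsize => "oldfsize",
-:oldfileType => "oldfileType",
-
-:requestURL => "request",
-:requestClientApplication => "requestClientApplication",
-:requestCookies => "requestCookies",
-:requestMethod => "requestMethod",
-
-:sourceAddress => "src",
-:sourceDnsDomain => "sourceDnsDomain",
-:sourceHostName => "shost",
-:sourceMacAddress => "smac",
-:sourceNtDomain => "sntdom",
-:sourcePort => "spt",
-:sourceServiceName => "sourceServiceName",
-:sourceTranslatedAddress => "sourceTranslatedAddress",
-:sourceTranslatedPort => "sourceTranslatedPort",
-:sourceUserPrivileges => "spriv",
-:sourceUserId => "suid",
-:sourceUserName => "suser",
-:sourceZoneURI => "sourceZoneURI",
-
-:transportProtocol => "proto"
-}
-
-# these are tracked separately so they can be normalized during formatting
-TIME_ATTRIBUTES={
-:fileCreateTime => "fileCreateTime",
-:fileModificationTime => "fileModificationTime",
-:oldfileCreateTime => "oldfileCreateTime",
-:oldfileModificationTime => "oldfileModificationTime",
-:receiptTime => "rt",
-:startTime => "start",
-:endTime => "end",
-:managerReceiptTime => "mrt",
-:agentReceiptTime => "art",
-
-}
-
-ATTRIBUTES=PREFIX_ATTRIBUTES.merge EXTENSION_ATTRIBUTES.merge TIME_ATTRIBUTES
-end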
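--- a/data/lib/cef/sender.rb
+++ /dev/null
@@ -1,39 +0,0 @@
-module CEF
-require 'socket'
-
-class Sender
-attr_accessor :receiver, :receiverPort, :eventDefaults
-attr_reader :sock
-def initialize(*args)
-Hash[*args].each { |argname, argval| self.send(("%s="%argname), argval) }
-@sock=nil
-end
-end
-
-#TODO: Implement relp/tcp senders
-
-class UDPSender < Sender
-def initialize(receiver='127.0.0.1', port=514)
-@receiver = receiver
-@port = port
-end
-
-#fire the message off
-def emit(event)
-self.socksetup if self.sock.nil?
-# process eventDefaults - we are expecting a hash here. These will
-# override any values in the events passed to us. i know. brutal.
-unless self.eventDefaults.nil?
-self.eventDefaults.each do |k,v|
-event.send("%s=" % k,v)
-end
-end
-self.sock.send event.to_s, 0
-end
-
-def socksetup
-@sock=UDPSocket.new
-@sock.connect(@receiver, @port)
-end
-end
-end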
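--- a/data/spec/lib/cef/event_spec.rb
+++ /dev/null
@@ -1,44 +0,0 @@
-require 'spec_helper'
-
-describe CEF::Event do
-let(:formatted_time) { "Apr 25 1975 12:00:00" }
-let(:time) { DateTime.strptime(formatted_time , '%b %d %Y %H:%M:%S')}
-
-context "formatting the syslog message" do
-let(:formatted) { "<131>Apr 25 1975 12:00:00 cefspec CEF:0|breed.org|CEF|#{CEF::VERSION}|0:event|unnamed event|1|" }
-let(:escaped) { "<131>Apr 25 1975 12:00:00 cefspec CEF:0|bre\\|ed|CEF|#{CEF::VERSION}|0:event|unnamed event|1|" }
-end
-
-context "formatting the CEF prefix" do
-let(:formatted) {"breed.org|CEF|#{CEF::VERSION}|0:event|unnamed event|1"}
-let(:escaped) {"bre\\|ed|CEF|#{CEF::VERSION}|0:event|unnamed event|1"}
-describe "#format_cef" do
-it "formats prefix values" do
-event=CEF::Event.new(
-event_time: time,
-my_hostname: "cefspec"
-)
-expect(event.format_prefix).to eq(formatted)
-end
-it "escapes pipes in the prefix" do
-event=CEF::Event.new(
-event_time: time,
-my_hostname: "cefspec",
-deviceVendor: "bre|ed"
-)
-expect(event.format_prefix).to eq(escaped)
-end
-end
-end
-
-context 'formatting the CEF extension' do
-let(:escaped) { "suser=User\\=Name" }
-
-it 'escapes equal signs' do
-event = CEF::Event.new(
-sourceUserName: 'User=Name'
-)
-expect(event.format_extension).to eq(escaped)
-end
-end
-end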
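--- a/data/spec/lib/cef/sender_spec.rb
+++ /dev/null
@@ -1,24 +0,0 @@
-require 'spec_helper'
-
-describe CEF::UDPSender do
-it 'defaults receiver to localhost on port 514' do
-sock_double = double
-expect(UDPSocket).to receive(:new).and_return(sock_double)
-expect(sock_double).to receive(:connect).with('127.0.0.1', 514)
-
-sender = CEF::UDPSender.new
-sender.socksetup
-end
-
-it 'receives an escaped message when emit is called' do
-event = CEF::Event.new
-
-sock_double = double
-expect(UDPSocket).to receive(:new).and_return(sock_double)
-expect(sock_double).to receive(:connect).with('myDomain.org', 4321)
-expect(sock_double).to receive(:send).with(event.to_s, 0)
-
-sender = CEF::UDPSender.new('myDomain.org', 4321)
-sender.emit(event)
-end
-end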
data/spec/lib/cef_spec.rb
DELETED