cef 1.0.0 → 2.1.1.pre

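--- a/<unknown-path-1>
+++ b/<unknown-path-1>
@@ -1,166 +0,0 @@
-module CEF
-SEVERITY_LOW="1"
-
-LOG_FORMAT="<%d>%s %s CEF:0|%s|%s"
-LOG_TIME_FORMAT="%b %d %Y %H:%M:%S"
-
-# CEF Dictionary
-# CEF Prefix attributes
-PREFIX_ATTRIBUTES = {
-:deviceVendor => "deviceVendor",
-:deviceProduct => "deviceProduct",
-:deviceVersion => "deviceVersion",
-:deviceEventClassId => "deviceEventClassId",
-:name => "name",
-:deviceSeverity => "deviceSeverity"
-}
-
-# these are the basic extension attributes. implementing others is as
-# simple as adding :symbolRepresentingMethodName => "cefkeyname", but
-# i am supremely lazy to type in the whole dictionary right now. perhaps
-# this should be a .yaml config file. Extension attributes are formatted
-# differently than core attributes.
-EXTENSION_ATTRIBUTES = {
-:applicationProtocol => "app",
-
-:agentZoneURI => "agentZoneURI",
-:agentAddress => "agt",
-:agentHostName => "ahost",
-:agentId => "aid",
-:agentName => "agentName",
-:agentType => "at",
-:agentTimeZone => "atz",
-:agentVersion => "av",
-
-:baseEventCount => "cnt",
-:baseEventIds => "baseEventIds",
-:bytesIn => "in",
-:bytesOut => "out",
-
-:categoryBehavior => "categoryBehavior",
-:categoryDeviceGroup => "categoryDeviceGroup",
-:categoryObject => "categoryObject",
-:categoryOutcome => "categoryOutcome",
-:categorySignificance => "categorySignificance",
-
-
-
-:deviceAction => "act",
-:deviceDirection => "deviceDirection",
-:deviceDnsDomain => "deviceDnsDomain",
-:deviceEventCategory => "cat",
-:deviceExternalId => "deviceExternalId",
-:deviceFacility => "deviceFacility",
-:deviceAddress => "dvc",
-:deviceHostName => "dvchost",
-:deviceInboundInterface => "deviceInboundInterface",
-:deviceMacAddress => "deviceMacAddress",
-:deviceNtDomain => "deviceNtDomain",
-:deviceOutboundInterface => "deviceOutboundInterface",
-:devicePayloadId => "devicePayloadId",
-:deviceProcessName => "deviceProcessName",
-:deviceTimeZone => "dtz",
-:deviceTranslatedAddress => "deviceTranslatedAddress",
-:deviceTranslatedZoneURI => "deviceTranslatedZoneURI",
-:deviceZoneURI => "deviceZoneURI",
-
-:deviceCustomNumber1 => "cn1",
-:deviceCustomNumber2 => "cn2",
-:deviceCustomNumber3 => "cn3",
-:deviceCustomNumber1Label => "cn1Label",
-:deviceCustomNumber2Label => "cn2Label",
-:deviceCustomNumber3Label => "cn3Label",
-:deviceCustomString1 => "cs1",
-:deviceCustomString2 => "cs2",
-:deviceCustomString3 => "cs3",
-:deviceCustomString4 => "cs4",
-:deviceCustomString5 => "cs5",
-:deviceCustomString6 => "cs6",
-:deviceCustomString1Label => "cs1Label",
-:deviceCustomString2Label => "cs2Label",
-:deviceCustomString3Label => "cs3Label",
-:deviceCustomString4Label => "cs4Label",
-:deviceCustomString5Label => "cs5Label",
-:deviceCustomString6Label => "cs6Label",
-:deviceCustomDate1 => "deviceCustomDate1",
-:deviceCustomDate2 => "deviceCustomDate2",
-:deviceCustomDate1Label => "deviceCustomDate1Label",
-:deviceCustomDate2Label => "deviceCustomDate2Label",
-
-:destinationAddress => "dst",
-:destinationDnsDomain => "destinationDnsDomain",
-:destinationNtDomain => "dntdom",
-:destinationHostName => "dhost",
-:destinationMacAddress => "dmac",
-:destinationPort => "dpt",
-:destinationProcessName => "dproc",
-:destinationServiceName => "destinationServiceName",
-:destinationTranslatedAddress => "destinationTranslatedAddress",
-:destinationTranslatedPort => "destinationTranslatedPort",
-:destinationUserId => "duid",
-:destinationUserPrivileges => "dpriv",
-:destinationUserName => "duser",
-:destinationZoneURI => "destinationZoneURI",
-
-:eventId => "eventId",
-:externalId => "externalId",
-:eventType => "type",
-
-:fileHash => "fileHash",
-:fileId => "fileId",
-:fileName => "fname",
-:filePath => "filePath",
-:filePermission => "filePermission",
-:fileSize => "fsize",
-:fileType => "fileType",
-
-:generatorID => "generatorID",
-
-:message => "msg",
-
-:oldfileHash => "oldfileHash",
-:oldfileId => "oldfileId",
-:oldFilename => "oldFilename",
-:oldfilePath => "oldfilePath",
-:oldfilePermission => "oldfilePermission",
-:oldfsize => "oldfsize",
-:oldfileType => "oldfileType",
-
-:requestURL => "request",
-:requestClientApplication => "requestClientApplication",
-:requestCookies => "requestCookies",
-:requestMethod => "requestMethod",
-
-:sourceAddress => "src",
-:sourceDnsDomain => "sourceDnsDomain",
-:sourceHostName => "shost",
-:sourceMacAddress => "smac",
-:sourceNtDomain => "sntdom",
-:sourcePort => "spt",
-:sourceServiceName => "sourceServiceName",
-:sourceTranslatedAddress => "sourceTranslatedAddress",
-:sourceTranslatedPort => "sourceTranslatedPort",
-:sourceUserPrivileges => "spriv",
-:sourceUserId => "suid",
-:sourceUserName => "suser",
-:sourceZoneURI => "sourceZoneURI",
-
-:transportProtocol => "proto"
-}
-
-# these are tracked separately so they can be normalized during formatting
-TIME_ATTRIBUTES={
-:fileCreateTime => "fileCreateTime",
-:fileModificationTime => "fileModificationTime",
-:oldfileCreateTime => "oldfileCreateTime",
-:oldfileModificationTime => "oldfileModificationTime",
-:receiptTime => "rt",
-:startTime => "start",
-:endTime => "end",
-:managerReceiptTime => "mrt",
-:agentReceiptTime => "art",
-
-}
-
-ATTRIBUTES=PREFIX_ATTRIBUTES.merge EXTENSION_ATTRIBUTES.merge TIME_ATTRIBUTES
-end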
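--- a/<unknown-path-2>
+++ b/<unknown-path-2>
@@ -1,39 +0,0 @@
-module CEF
-require 'socket'
-
-class Sender
-attr_accessor :receiver, :receiverPort, :eventDefaults
-attr_reader :sock
-def initialize(*args)
-Hash[*args].each { |argname, argval| self.send(("%s="%argname), argval) }
-@sock=nil
-end
-end
-
-#TODO: Implement relp/tcp senders
-
-class UDPSender < Sender
-def initialize(receiver='127.0.0.1', port=514)
-@receiver = receiver
-@port = port
-end
-
-#fire the message off
-def emit(event)
-self.socksetup if self.sock.nil?
-# process eventDefaults - we are expecting a hash here. These will
-# override any values in the events passed to us. i know. brutal.
-unless self.eventDefaults.nil?
-self.eventDefaults.each do |k,v|
-event.send("%s=" % k,v)
-end
-end
-self.sock.send event.to_s, 0
-end
-
-def socksetup
-@sock=UDPSocket.new
-@sock.connect(@receiver, @port)
-end
-end
-end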
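--- a/<unknown-path-3>
+++ b/<unknown-path-3>
@@ -1,44 +0,0 @@
-require 'spec_helper'
-
-describe CEF::Event do
-let(:formatted_time) { "Apr 25 1975 12:00:00" }
-let(:time) { DateTime.strptime(formatted_time , '%b %d %Y %H:%M:%S')}
-
-context "formatting the syslog message" do
-let(:formatted) { "<131>Apr 25 1975 12:00:00 cefspec CEF:0|breed.org|CEF|#{CEF::VERSION}|0:event|unnamed event|1|" }
-let(:escaped) { "<131>Apr 25 1975 12:00:00 cefspec CEF:0|bre\\|ed|CEF|#{CEF::VERSION}|0:event|unnamed event|1|" }
-end
-
-context "formatting the CEF prefix" do
-let(:formatted) {"breed.org|CEF|#{CEF::VERSION}|0:event|unnamed event|1"}
-let(:escaped) {"bre\\|ed|CEF|#{CEF::VERSION}|0:event|unnamed event|1"}
-describe "#format_cef" do
-it "formats prefix values" do
-event=CEF::Event.new(
-event_time: time,
-my_hostname: "cefspec"
-)
-expect(event.format_prefix).to eq(formatted)
-end
-it "escapes pipes in the prefix" do
-event=CEF::Event.new(
-event_time: time,
-my_hostname: "cefspec",
-deviceVendor: "bre|ed"
-)
-expect(event.format_prefix).to eq(escaped)
-end
-end
-end
-
-context 'formatting the CEF extension' do
-let(:escaped) { "suser=User\\=Name" }
-
-it 'escapes equal signs' do
-event = CEF::Event.new(
-sourceUserName: 'User=Name'
-)
-expect(event.format_extension).to eq(escaped)
-end
-end
-end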
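--- a/<unknown-path-4>
+++ b/<unknown-path-4>
@@ -1,24 +0,0 @@
-require 'spec_helper'
-
-describe CEF::UDPSender do
-it 'defaults receiver to localhost on port 514' do
-sock_double = double
-expect(UDPSocket).to receive(:new).and_return(sock_double)
-expect(sock_double).to receive(:connect).with('127.0.0.1', 514)
-
-sender = CEF::UDPSender.new
-sender.socksetup
-end
-
-it 'receives an escaped message when emit is called' do
-event = CEF::Event.new
-
-sock_double = double
-expect(UDPSocket).to receive(:new).and_return(sock_double)
-expect(sock_double).to receive(:connect).with('myDomain.org', 4321)
-expect(sock_double).to receive(:send).with(event.to_s, 0)
-
-sender = CEF::UDPSender.new('myDomain.org', 4321)
-sender.emit(event)
-end
-end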
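--- a/<unknown-path-5>
+++ b/<unknown-path-5>
@@ -1,9 +0,0 @@
-require 'spec_helper'
-
-describe "CEF Event Formatter" do
-describe "Cef Extension" do
-it "should output an extension"
-it "should escape newlines"
-it "should format time attributes"
-end
-end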
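--- a/<unknown-path-6>
+++ b/<unknown-path-6>
@@ -1,7 +0,0 @@
-require 'cef'
-
-RSpec.configure do |config|
-config.run_all_when_everything_filtered = true
-config.filter_run :focus
-config.order = 'random'
-end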