cif-client 1.0.5 → 1.0.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 33d88d9d1618e47335347f1c07369d3e919937cd
-  data.tar.gz: a019752359cc76c33aaf776a88b885037008334d
+  metadata.gz: b140c16760108b5eb0caf70728504407d85c8a46
+  data.tar.gz: b89b03af6edc6afe611d150e9c23627a4dbcf9cb
 SHA512:
-  metadata.gz: 5dbde1276b4b250489b368a81f42b732b31929f304d00d38fbbceac83bc05fd9246ee01667357b138b373ec464add60eaee6d6a08ba1d86e8932c07220492f56
-  data.tar.gz: f29e3f3335787ae5983feb376b271bee67aa07078c3944aaadf0bd5e38cf2b95441c76e795cf37a9cd29151c43fa43f146ed06c85cf8d13ad2b10c17f3fddade
+  metadata.gz: 1fe6997c11f8c2bdb5c19f9945c2253b903cb1dc2b8e5fd87039a4f62a7c11a27ef5879af49d48ef82d87dfd66cd5a6c26ee3521ba738041a4fe2b55c9f413e9
+  data.tar.gz: 4c47ecfd3b69151ad8e11b38a58468865104c7c23fa2fca568df74c1b67aeaed1a4ad891f56bcb5fff3c2821630719a1324502921249271f90a3acaf20aeaeaf

checksums.yaml.gz.sig

@@ -1 +1,3 @@
-�����پRqo*��0��՝>�(F��	���Oq�W�lN:�R��D������ȖSPm��v~z��'�/��*��<]o� ;rg�0�k�i����,���50��wJ�׌($H~L�~�5��ૹ
����yQnZr��C[�����Y�61�g},���A!�!��8�"}���\���
���>a֢�C	ƘE���
���^~�DoM�Dׅ���'�2�����u2ϒ�S�]5
��co�Г/`�|'������
+RD��2��am
+~�G���Ef������`��i���E��Ax�990^
+Ín��iwm;�h��T���o����j��矪;s�D?v<�(�	'B[���V���^�Zutj�z���La�ciР�>��g�}�ka�{=v��r�v��,G*���8�u�N���aV��5�iL���BKF��Y

data.tar.gz.sig

@@ -1 +1,2 @@
-���5���^o���(���L?���&�bޚ�֓QAPdi!��E3����m.C_w�@��_i��@�Ix�k(��?P?f����k�ȹN�oc��Bښ�V��Wn�0>3�gN��Q�h���#��@���Da�ܚ+Rm���&�j�1Y&�7�c��2�1[�]�h~C�dD�(E&"ё5���X=s�`�	N
�XYnA#s�c�]�2�uorP�D����h�_ߤ�*�Cf�K���8��`�K(��;��
+Q���#��t%a&|֜�F�F��K[q-ʺjt鎯�ph�Q��Ǭ��cN��2����ؒ�a�� �[����i`�
+(ۥ�(�^bS%����ZqJ�a��8�Z�f�cA�y��mlL���wYJ�G�	�l#v�I"i.�y���e�A7[�Ѩ�X�&n��j�io

data/bin/cifcli

@@ -9,86 +9,86 @@ require 'snort-rule'
 require 'configparser'
 
 def usage
-	puts "Usage: #{$0} [-h] [-c <config>] [-s <severity>] [-r <restriction>] [-n] [-x|-j|-y|-t|-o] [-d <delim>] <query> [<query> ...]"
-	puts "-h               prints this help"
-	puts "-c <config>      specifies a configuration file with the API key and host endpoint"
-	puts "-s <severity>    severity: low, medium, or high"
-	puts "-r <restriction> examples: need-to-know and private"
-	puts "-n               requests the server to not log the query"
-	puts "-x               outputs in XML"
-	puts "-j               outputs in JSON"
-	puts "-y               outputs in YAML"
-	puts "-o               outputs in SNORT formatted rules"
-	puts "-t               outputs in ASCII text (broken in 1.0.0)"
-	puts "-d <delimiter>   specifies the delimiter for text (default tab)"
-	puts "<query>          terms, usually domains, IPs, or CIDRs, that are being queried from the CIF"
-	exit
+  puts "Usage: #{$0} [-h] [-c <config>] [-s <severity>] [-r <restriction>] [-n] [-x|-j|-y|-t|-o] [-d <delim>] <query> [<query> ...]"
+  puts "-h               prints this help"
+  puts "-c <config>      specifies a configuration file with the API key and host endpoint"
+  puts "-s <severity>    severity: low, medium, or high"
+  puts "-r <restriction> examples: need-to-know and private"
+  puts "-n               requests the server to not log the query"
+  puts "-x               outputs in XML"
+  puts "-j               outputs in JSON"
+  puts "-y               outputs in YAML"
+  puts "-o               outputs in SNORT formatted rules"
+  puts "-t               outputs in ASCII text (broken in 1.0.0)"
+  puts "-d <delimiter>   specifies the delimiter for text (default tab)"
+  puts "<query>          terms, usually domains, IPs, or CIDRs, that are being queried from the CIF"
+  exit
 end
 
 def format_results(results,format,delim)
-	return unless results
-	case format
-	when 'xml'
-		results.to_xml
-	when 'json'
-		results.to_json
-	when 'yaml'
-		results.to_yaml
-	when 'text'
-		fields = nil
-		output = ""
-		results['entry'].each do |item|
-			unless fields
-				fields = item.keys 
-				output += fields.join(delim)+"\n"
-			end
-			sep = ""
-			fields.each do |field|
-				output += sep
-				output += item[field].chomp if item[field] and item[field].class == String
-				sep = delim
-			end
-			output += "\n"
-		end
-		output
-	when 'snort'
-		sid = 1
-		output = ""
-		results['entry'].each do |item|
-			begin
-				item = item['Incident']
-				next unless item['EventData']['Flow']['System']['Node']['Address']
-				portlist = item['EventData']['Flow']['System']['Service']['Portlist']
-				rule = Snort::Rule.new
-			
-				rule.dst = item['EventData']['Flow']['System']['Node']['Address']
-				rule.dport = portlist || 'any'
-				rule.opts['msg'] = "#{item['restriction']} - #{item['description']}" if item['restriction'] and item['description']
-				rule.opts['threshold'] = 'type limit,track by_src,count 1,seconds 3600'
-				rule.opts['sid'] = sid
-				sid += 1
-				rule.opts['reference'] = item['AlternativeID']['IncidentID']['content'] if item['AlternativeID']['IncidentID']['content']
-				output += rule.to_s + "\n"
-			rescue Exception => e
-				# do nothing
-			end
-		end
-		output
-	end
+  return unless results
+  case format
+  when 'xml'
+    results.to_xml
+  when 'json'
+    results.to_json
+  when 'yaml'
+    results.to_yaml
+  when 'text'
+    fields = nil
+    output = ""
+    results['entry'].each do |item|
+      unless fields
+        fields = item.keys 
+        output += fields.join(delim)+"\n"
+      end
+      sep = ""
+      fields.each do |field|
+        output += sep
+        output += item[field].chomp if item[field] and item[field].class == String
+        sep = delim
+      end
+      output += "\n"
+    end
+    output
+  when 'snort'
+    sid = 1
+    output = ""
+    results['entry'].each do |item|
+      begin
+        item = item['Incident']
+        next unless item['EventData']['Flow']['System']['Node']['Address']
+        portlist = item['EventData']['Flow']['System']['Service']['Portlist']
+        rule = Snort::Rule.new
+      
+        rule.dst = item['EventData']['Flow']['System']['Node']['Address']
+        rule.dport = portlist || 'any'
+        rule.options << Snort::RuleOption.new('msg', "#{item['restriction']} - #{item['description']}") if item['restriction'] and item['description']
+        rule.options << Snort::RuleOption.new('threshold', 'type limit,track by_src,count 1,seconds 3600')
+        rule.options << Snort::RuleOption.new('sid', sid)
+        rule.options << Snort::RuleOption.new('reference', item['AlternativeID']['IncidentID']['content']) if item['AlternativeID']['IncidentID']['content']
+        sid += 1
+        output += rule.to_s + "\n"
+      rescue Exception => e
+        # do nothing
+      end
+    end
+    output
+  end
 end
 
 opts = GetoptLong.new(
-	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
-	[ '--config', '-c', GetoptLong::REQUIRED_ARGUMENT ],
-	[ '--severity', '-s', GetoptLong::REQUIRED_ARGUMENT ],
-	[ '--restriction', '-r', GetoptLong::REQUIRED_ARGUMENT ],
-	[ '--nolog', '-n', GetoptLong::NO_ARGUMENT ],
-	[ '--xml', '-x', GetoptLong::NO_ARGUMENT ],
-	[ '--json', '-j', GetoptLong::NO_ARGUMENT ],
-	[ '--yaml', '-y', GetoptLong::NO_ARGUMENT ],
-	[ '--delim', '-d', GetoptLong::REQUIRED_ARGUMENT ],
-	[ '--text', '-t', GetoptLong::NO_ARGUMENT ],
-	[ '--snort', '-o', GetoptLong::NO_ARGUMENT ]
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--config', '-c', GetoptLong::REQUIRED_ARGUMENT ],
+  [ '--severity', '-s', GetoptLong::REQUIRED_ARGUMENT ],
+  [ '--restriction', '-r', GetoptLong::REQUIRED_ARGUMENT ],
+  [ '--nolog', '-n', GetoptLong::NO_ARGUMENT ],
+  [ '--xml', '-x', GetoptLong::NO_ARGUMENT ],
+  [ '--json', '-j', GetoptLong::NO_ARGUMENT ],
+  [ '--yaml', '-y', GetoptLong::NO_ARGUMENT ],
+  [ '--delim', '-d', GetoptLong::REQUIRED_ARGUMENT ],
+  [ '--text', '-t', GetoptLong::NO_ARGUMENT ],
+  [ '--snort', '-o', GetoptLong::NO_ARGUMENT ]
 )
 config = "#{ENV['HOME']}/.cif"
 severity = nil
@@ -98,43 +98,43 @@ format = 'text'
 delim = "\t"
 
 opts.each do |opt, arg|
-	case opt
-	when '--help'
-		usage
-	when '--config'
-		config = arg
-	when '--severity'
-		severity = arg
-	when '--restriction'
-		restriction = arg
-	when '--nolog'
-		nolog = true
-	when '--xml'
-		format = 'xml'
-	when '--json'
-		format = 'json'
-	when '--yaml'
-		format = 'yaml'
-	when '--snort'
-		format = 'snort'
-	when '--delim'
-		delim = arg
-	when '--text'
-		format = 'text'
-	else
-		usage
-	end
+  case opt
+  when '--help'
+    usage
+  when '--config'
+    config = arg
+  when '--severity'
+    severity = arg
+  when '--restriction'
+    restriction = arg
+  when '--nolog'
+    nolog = true
+  when '--xml'
+    format = 'xml'
+  when '--json'
+    format = 'json'
+  when '--yaml'
+    format = 'yaml'
+  when '--snort'
+    format = 'snort'
+  when '--delim'
+    delim = arg
+  when '--text'
+    format = 'text'
+  else
+    usage
+  end
 end
 usage if ARGV.length == 0
 unless(File.exists?(config))
-	puts "cifcli requires a configuration file to work. It defaults to ~/.cif"
-	puts "please refer to the documentation for more detail"
-	exit
+  puts "cifcli requires a configuration file to work. It defaults to ~/.cif"
+  puts "please refer to the documentation for more detail"
+  exit
 end
 config = ConfigParser.new(config)
 host = config['client']['host']
 apikey = config['client']['apikey']
 client = CIF::Client.new(host,apikey,severity,restriction,nolog)
 ARGV.each do |query|
-	puts format_results(client.query(query),format,delim)
+  puts format_results(client.query(query),format,delim)
 end

data/cif-client.gemspec

@@ -4,26 +4,26 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'cif/client/version'
 
 Gem::Specification.new do |spec|
-	spec.name          = "cif-client"
-	spec.version       = CIF::Client::VERSION
-	spec.authors       = ["chrislee35"]
-	spec.email         = ["rubygems@chrislee.dhs.org"]
-	spec.description   = %q{CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity.}
-	spec.summary       = %q{Ruby-based client and library for the Collective Intelligence Framework}
-	spec.homepage      = "https://code.google.com/p/collective-intelligence-framework/"
-	spec.license       = "MIT"
+  spec.name          = "cif-client"
+  spec.version       = CIF::Client::VERSION
+  spec.authors       = ["chrislee35"]
+  spec.email         = ["rubygems@chrislee.dhs.org"]
+  spec.description   = %q{CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity.}
+  spec.summary       = %q{Ruby-based client and library for the Collective Intelligence Framework}
+  spec.homepage      = "https://code.google.com/p/collective-intelligence-framework/"
+  spec.license       = "MIT"
 
-	spec.files         = `git ls-files`.split($/)
-	spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
-	spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
-	spec.require_paths = ["lib"]
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
 
-	spec.add_runtime_dependency "configparser", "~> 0.1.2"
-	spec.add_runtime_dependency "json", "~> 1.4.3"
-	spec.add_runtime_dependency "snort-rule", "~> 0.1.1"
-	spec.add_development_dependency "bundler", "~> 1.3"
-	spec.add_development_dependency "rake"
+  spec.add_runtime_dependency "configparser", "~> 0.1.2"
+  spec.add_runtime_dependency "json", "~> 1.4.3"
+  spec.add_runtime_dependency "snort-rule", "~> 1.0.2"
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
 
-	spec.signing_key   = "#{File.dirname(__FILE__)}/../gem-private_key.pem"
-	spec.cert_chain    = ["#{File.dirname(__FILE__)}/../gem-public_cert.pem"]
+  spec.signing_key   = "#{File.dirname(__FILE__)}/../gem-private_key.pem"
+  spec.cert_chain    = ["#{File.dirname(__FILE__)}/../gem-public_cert.pem"]
 end

data/lib/cif/client.rb

@@ -9,38 +9,39 @@ require 'net/https'
 require 'openssl'
 
 module CIF
-	class Client
-		attr_accessor :fields
-		attr_writer :severity, :restriction, :fields
-		def initialize(host,apikey,severity=nil,restriction=nil,nolog=false)
-			@host = host
-			@apikey = apikey
-			@severity = severity
-			@nolog = nolog
-			@restriction = restriction
-		end
-		
-		def query(q,severity=nil,restriction=nil,nolog=false)
-			params = {'apikey' => @apikey}
-			params['restriction'] = restriction || @restriction if restriction || @restriction
-			params['severity'] = severity || @severity if severity || @severity
-			params['nolog'] = 1 if nolog || @nolog
-			s = "#{@host}/#{q}?"+params.map{|k,v| "#{k}=#{v}"}.join("&")
-			url = URI.parse s
-			http = Net::HTTP.new(url.host, url.port)
-			http.use_ssl = (url.scheme == 'https')
-			http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-			http.verify_depth = 5
-			request = Net::HTTP::Get.new(url.path+"?"+url.query)
-			request.add_field("User-Agent", "Ruby/#{RUBY_VERSION} cif-client v#{CIF::Client::VERSION}")
-			response = http.request(request)
-			doc = response.body
-			data = JSON.parse(doc)
-			@response_code = data['status']
-			if data['data'] and data['data']['feed']
-				feed = data['data']['feed']
-			end
-			feed
-		end
-	end
+  class Client
+    attr_accessor :fields
+    attr_writer :severity, :restriction, :fields
+    def initialize(host,apikey,severity=nil,restriction=nil,nolog=false)
+      @host = host
+      @apikey = apikey
+      @severity = severity
+      @nolog = nolog
+      @restriction = restriction
+    end
+    
+    def query(q,severity=nil,restriction=nil,nolog=false)
+      params = {'apikey' => @apikey}
+      params['restriction'] = restriction || @restriction if restriction || @restriction
+      params['severity'] = severity || @severity if severity || @severity
+      params['nolog'] = 1 if nolog || @nolog
+      s = "#{@host}/#{q}?"+params.map{|k,v| "#{k}=#{v}"}.join("&")
+      url = URI.parse s
+      http = Net::HTTP.new(url.host, url.port)
+      http.use_ssl = (url.scheme == 'https')
+      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      http.verify_depth = 5
+      request = Net::HTTP::Get.new(url.path+"?"+url.query)
+      request.add_field("User-Agent", "Ruby/#{RUBY_VERSION} cif-client v#{CIF::Client::VERSION}")
+      request.add_field("Accept", "application/json")
+      response = http.request(request)
+      doc = response.body
+      data = JSON.parse(doc)
+      @response_code = data['status']
+      if data['data'] and data['data']['feed']
+        feed = data['data']['feed']
+      end
+      feed
+    end
+  end
 end

data/lib/cif/client/version.rb

@@ -1,5 +1,5 @@
 module CIF
   class Client
-    VERSION = "1.0.5"
+    VERSION = "1.0.6"
   end
 end

data/test/test_cif-client.rb

@@ -1,27 +1,27 @@
 unless Kernel.respond_to?(:require_relative)
-	module Kernel
-		def require_relative(path)
-			require File.join(File.dirname(caller[0]), path.to_str)
-		end
-	end
+  module Kernel
+    def require_relative(path)
+      require File.join(File.dirname(caller[0]), path.to_str)
+    end
+  end
 end
 
 require_relative 'helper'
 
 class TestCIFClient < Test::Unit::TestCase
-	def test_perform_a_query_and_receive_results
-		config = "#{ENV['HOME']}/.cif"
-		severity = nil
-		restriction = nil
-		nolog = false
+  def test_perform_a_query_and_receive_results
+    config = "#{ENV['HOME']}/.cif"
+    severity = nil
+    restriction = nil
+    nolog = false
 
-		config = ConfigParser.new(config)
-		host = config['client']['host']
-		apikey = config['client']['apikey']
-		query = "64.120.146.250"
-		client = CIF::Client.new(host,apikey,severity,restriction,nolog)
-		results = client.query(query)
-		assert_not_nil(results)
-		puts results
-	end
+    config = ConfigParser.new(config)
+    host = config['client']['host']
+    apikey = config['client']['apikey']
+    query = "64.120.146.250"
+    client = CIF::Client.new(host,apikey,severity,restriction,nolog)
+    results = client.query(query)
+    assert_not_nil(results)
+    puts results
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cif-client
 version: !ruby/object:Gem::Version
-  version: 1.0.5
+  version: 1.0.6
 platform: ruby
 authors:
 - chrislee35
@@ -30,7 +30,7 @@ cert_chain:
   jLXMQu2ZgISYwXNjNbGVHehut82U7U9oiHoWcrOGazaRUmGO9TXP+aJLH0gw2dcK
   AfMglXPi
   -----END CERTIFICATE-----
-date: 2014-04-18 00:00:00.000000000 Z
+date: 2014-05-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: configparser
@@ -66,14 +66,14 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.1.1
+        version: 1.0.2
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.1.1
+        version: 1.0.2
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement