RubyGems - fluent-plugin-nginx-nap-decode - Versions diffs - 0.1.0 → 0.4.6 - Mend

fluent-plugin-nginx-nap-decode 0.1.0 → 0.4.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/.gitignore +3 -0
data/fluent-plugin-nginx-nap-decode.gemspec +1 -1
data/lib/fluent/plugin/filter_nginx_nap_decode.rb +84 -87
metadata +3 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e848df6edbc6c6ce5dd5c29374a9d83ed2dea0c55b5e4ebcba07751d316f81c7
-  data.tar.gz: cdd540297741bb0db5845794039a5e5d05c00d9fd1d56a398c42407181d75987
+  metadata.gz: '010867c0eee3e9fc2ef76c6d84050864f527321c7c84db81394d3fdd3eab17f8'
+  data.tar.gz: 76203ad83b452ef1b9244fda0d0994da2f7b5328065badb05873e3da4b144123
 SHA512:
-  metadata.gz: faa553fa4367a100a8739382462090f0c2a7821b0ce93c0288df2d553d77fe04ddc6624610cd27ca5f26306d0f4489f9d8d7ff2310982dfaf427222b9411a2e1
-  data.tar.gz: b69e6bc5a6a7aa9c3a4d2e4e7a27328aee1d575ce22021066a5a5c0fc5805b83c4e4a19cb157a8b125c5123a409a268c9ff629fd2727dc4fa3d891b7291b09c7
+  metadata.gz: dbacb374827831eda39ab2fbfa72289cc416b9c0506fc1d3a42011f521e938c27dfe279e801b156b4abcfdacc06990cc5c1ef67f6caf088bdd35f6ad5fc3eb23
+  data.tar.gz: 41790deea3e148c03d6cd8b766a18b047d2b43613cdfa6dc10a5f93b48c464a235c93ee52af75d1060f4f99f1cbb033171bad84ced6101c974e4de4d67047318

data/.gitignore ADDED Viewed

@@ -0,0 +1,3 @@
+Gemfile.lock
+.gem
+.txt

data/fluent-plugin-nginx-nap-decode.gemspec CHANGED Viewed

@@ -3,7 +3,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 Gem::Specification.new do |spec|
   spec.name    = "fluent-plugin-nginx-nap-decode"
-  spec.version = "0.1.0"
+  spec.version = "0.4.6"
   spec.authors = ["Kostas Skenderidis"]
   spec.email   = ["skenderidis@gmail.com"]

data/lib/fluent/plugin/filter_nginx_nap_decode.rb CHANGED Viewed

@@ -26,93 +26,90 @@ module Fluent
       def filter(tag, time, record)
         case record['violations']['violation']['name']
-           when 'VIOL_ATTACK_SIGNATURE'
-              #Based on observedEntity we will determined if it is cookie/header/url/parameter/etc
-              if record['violations'].has_key?('observedEntity')
-                 #If attack signature is found on cookies
-                 if record['violations']['policyEntity'].has_key?('cookies')
-                    record['violations']['context']='cookies'
-                    record['violations']['snippet']['buffer-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['snippet']['buffer'])) #base64 decode
-                    record['violations']['observedEntity']['value-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['value'])) #base64 decode
-                    # If header is explicit then the NAP does NOT provide the "observedEntity". This
-                    # This creates a problem with reporting later on, so we added the record "name"
-                    # Notes: Why is parameters an array!!
-                    if record['violations']['policyEntity']['cookies'][0]['type']=="wildcard"
-                       record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
-                    else
-                       record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['cookies'][0]['name']
-                    end
-                 end
-                 if record['violations']['policyEntity'].has_key?('headers')
-                    record['violations']['context']='headers'
-                    record['violations']['snippet']['buffer-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['snippet']['buffer'])) #base64 decode
-                    record['violations']['observedEntity']['value-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['value'])) #base64 decode
-                    # If header is explicit then the NAP does NOT provide the "observedEntity". This
-                    # This creates a problem with reporting later on, so we added the record "name"
-                    # Notes: Why is parameters an array!!
-                    if record['violations']['policyEntity']['headers'][0]['type']=="wildcard"
-                       record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
-                    else
-                       record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['headers'][0]['name']
-                    end
-                 end
-                 if record['violations']['policyEntity'].has_key?('parameters')
-                    record['violations']['context']='parameters'
-                    record['violations']['snippet']['buffer-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['snippet']['buffer'])) #base64 decode
-                    record['violations']['observedEntity']['value-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['value'])) #base64 decode
-                    # If parameter is explicit then the NAP does NOT provide the "observedEntity". This
-                    # This creates a problem with reporting later on, so we added the record "name"
-                    # Notes: Why is parameters an array!!
-                    if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
-                       record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
-                    else
-                       record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
-                    end
-                 end
-                 if record['violations']['policyEntity'].has_key?('urls')
-                    record['violations']['context']='urls'
-                    record['violations']['snippet']['buffer-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['snippet']['buffer'])) #base64 decode
-                    record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
-                 end
-              else
-                 record['violations']['context']='request'
-                 record['violations']['snippet']['buffer-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['snippet']['buffer'])) #base64 decode
-              end
-           when 'VIOL_PARAMETER_VALUE_METACHAR'
-              record['violations']['observedEntity']['value-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['value'])) #base64 decode
-              # If header is explicit then the NAP does NOT provide the "observedEntity". This
-              # This creates a problem with reporting later on, so we added the record "name"
-              # Notes: Why is parameters an array!!
-              if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
-                 record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
-              else
-                 record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
-              end
-              #if record['violations'].has_key?('snippet')
-              #end
-              #if record.key?(@target_key)
-                 #encoded_value = record[@target_key]
-                 #decoded_value = Base64.decode64(encoded_value)
-                 #record[@output_key] = decoded_value
-              #end
+          when 'VIOL_ATTACK_SIGNATURE'
+            #Based on observedEntity we will determined if it is cookie/header/url/parameter/etc
+            if record['violations'].has_key?('observedEntity')
+                #If attack signature is found on cookies
+                if record['violations']['policyEntity'].has_key?('cookies')
+                  record['violations']['context']='cookies'
+                  record['violations']['snippet']['buffer-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['snippet']['buffer'])) #base64 decode
+                  record['violations']['observedEntity']['value-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['value'])) #base64 decode
+                  # If header is explicit then the NAP does NOT provide the "observedEntity". This
+                  # This creates a problem with reporting later on, so we added the record "name"
+                  # Notes: Why is parameters an array!!
+                  if record['violations']['policyEntity']['cookies'][0]['type']=="wildcard"
+                      record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
+                  else
+                      record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['cookies'][0]['name']
+                  end
+                end
+                if record['violations']['policyEntity'].has_key?('headers')
+                  record['violations']['context']='headers'
+                  record['violations']['snippet']['buffer-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['snippet']['buffer'])) #base64 decode
+                  record['violations']['observedEntity']['value-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['value'])) #base64 decode
+                  # If header is explicit then the NAP does NOT provide the "observedEntity". This
+                  # This creates a problem with reporting later on, so we added the record "name"
+                  # Notes: Why is parameters an array!!
+                  if record['violations']['policyEntity']['headers'][0]['type']=="wildcard"
+                      record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
+                  else
+                      record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['headers'][0]['name']
+                  end
+                end
+                if record['violations']['policyEntity'].has_key?('parameters')
+                  record['violations']['context']='parameters'
+                  record['violations']['snippet']['buffer-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['snippet']['buffer'])) #base64 decode
+                  record['violations']['observedEntity']['value-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['value'])) #base64 decode
+                  # If parameter is explicit then the NAP does NOT provide the "observedEntity". This
+                  # This creates a problem with reporting later on, so we added the record "name"
+                  # Notes: Why is parameters an array!!
+                  if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
+                      record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
+                  else
+                      record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
+                  end
+                end
+                if record['violations']['policyEntity'].has_key?('urls')
+                  record['violations']['context']='urls'
+                  record['violations']['snippet']['buffer-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['snippet']['buffer'])) #base64 decode
+                  record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
+                end
+            else
+                record['violations']['context']='request'
+                record['violations']['snippet']['buffer-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['snippet']['buffer'])) #base64 decode
+            end
+          when 'VIOL_COOKIE_LENGTH', 'VIOL_HEADER_LENGTH', 'VIOL_URL_METACHAR'
+            record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
+          when 'VIOL_PARAMETER_VALUE_METACHAR', 'VIOL_PARAMETER_DATA_TYPE', 'VIOL_PARAMETER_EMPTY_VALUE', 'VIOL_PARAMETER_NUMERIC_VALUE', 'VIOL_PARAMETER_VALUE_LENGTH'
+            record['violations']['observedEntity']['value-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['value'])) #base64 decode
+            # If parameter is explicit then the NAP does NOT provide the "observedEntity".
+            # For consistency we create the observedEntity.value
+            # This creates a problem with reporting later on, so we added the record "name"
+            # Notes: Why is parameters an array!!
+            if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
+                record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
+            else
+                record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
+            end
+          when 'VIOL_URL_LENGTH', 'VIOL_POST_DATA_LENGTH', 'VIOL_QUERY_STRING_LENGTH', 'VIOL_REQUEST_LENGTH'
+            record['violations']['observedEntity']['value-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['value'])) #base64 decode
+            # If filetype is explicit then the NAP does NOT provide the "observedEntity".
+            # For consistency we create the observedEntity.value
+            # This creates a problem with reporting later on, so we added the record "name"
+            # Notes: Why is filetypes an array!!
+            if record['violations']['policyEntity']['filetypes'][0]['type']=="wildcard"
+                record['violations']['observedEntity']['name-decode']=URI.encode_www_form_component(Base64.decode64(record['violations']['observedEntity']['name'])) #base64 decode
+            else
+                record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['filetypes'][0]['name']
+            end
         end
         record
       end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: fluent-plugin-nginx-nap-decode
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.4.6
 platform: ruby
 authors:
 - Kostas Skenderidis
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-10-18 00:00:00.000000000 Z
+date: 2023-10-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: fluentd
@@ -37,6 +37,7 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".gitignore"
 - Gemfile
 - LICENSE
 - README.md