fluent-plugin-nginx-nap-decode 0.4.62 → 0.4.64
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4b05d88c6346625519167d3f3b263b93b216662bb9fc9b55180c29abca2e0668
|
|
4
|
+
data.tar.gz: 78f3a8946faf7d578ed833a8462faf3e6d4f244578e36c2b4b46e416966300a8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 81660db9f36ab40db4c43a45efc41eae2badcf8004423dedfb2aa0612f6091d27b984ffc06bc2bdd327e8ff1ed5ac3c1de2a83db40de998aab5d53b12f17cee8
|
|
7
|
+
data.tar.gz: 7ed4aae41c076961ab5fcc1239c58c696ab198db9281d87d938e5f22e88f24a74a4dfc86688706af83a6da66abcf7f1bc4830257db86602b5823a3d925cd6582
|
|
@@ -3,7 +3,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
|
3
3
|
|
|
4
4
|
Gem::Specification.new do |spec|
|
|
5
5
|
spec.name = "fluent-plugin-nginx-nap-decode"
|
|
6
|
-
spec.version = "0.4.
|
|
6
|
+
spec.version = "0.4.64"
|
|
7
7
|
spec.authors = ["Kostas Skenderidis"]
|
|
8
8
|
spec.email = ["skenderidis@gmail.com"]
|
|
9
9
|
|
|
@@ -33,75 +33,79 @@ module Fluent
|
|
|
33
33
|
#If attack signature is found on cookies
|
|
34
34
|
|
|
35
35
|
if record['violations']['policyEntity'].has_key?('cookies')
|
|
36
|
-
record['violations']['context']='cookies'
|
|
37
|
-
record['violations']['
|
|
38
|
-
record['violations']['
|
|
39
|
-
|
|
40
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
41
|
-
# Notes: Why is parameters an array!!
|
|
36
|
+
record['violations']['context']='cookies' #Create context that is missing
|
|
37
|
+
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
38
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
39
|
+
|
|
40
|
+
# If header is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
42
41
|
if record['violations']['policyEntity']['cookies'][0]['type']=="wildcard"
|
|
43
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
42
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
44
43
|
else
|
|
45
44
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['cookies'][0]['name']
|
|
46
45
|
end
|
|
47
46
|
end
|
|
47
|
+
|
|
48
48
|
if record['violations']['policyEntity'].has_key?('headers')
|
|
49
|
-
record['violations']['context']='headers'
|
|
50
|
-
record['violations']['
|
|
51
|
-
record['violations']['
|
|
52
|
-
|
|
53
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
54
|
-
# Notes: Why is parameters an array!!
|
|
49
|
+
record['violations']['context']='headers' #Create context that is missing
|
|
50
|
+
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
51
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
52
|
+
|
|
53
|
+
# If header is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
55
54
|
if record['violations']['policyEntity']['headers'][0]['type']=="wildcard"
|
|
56
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
55
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
57
56
|
else
|
|
58
57
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['headers'][0]['name']
|
|
59
58
|
end
|
|
60
59
|
end
|
|
60
|
+
|
|
61
61
|
if record['violations']['policyEntity'].has_key?('parameters')
|
|
62
|
-
record['violations']['context']='parameters'
|
|
63
|
-
|
|
64
|
-
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
#
|
|
62
|
+
record['violations']['context']='parameters' #Create context that is missing
|
|
63
|
+
|
|
64
|
+
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
65
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
66
|
+
|
|
67
|
+
# If parameter is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
68
68
|
if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
|
|
69
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
69
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
70
70
|
else
|
|
71
71
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
|
|
72
72
|
end
|
|
73
|
-
end
|
|
73
|
+
end
|
|
74
|
+
|
|
74
75
|
if record['violations']['policyEntity'].has_key?('urls')
|
|
75
|
-
record['violations']['context']='urls'
|
|
76
|
-
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer'])
|
|
77
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
76
|
+
record['violations']['context']='urls' #Create context that is missing
|
|
77
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
78
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
78
79
|
end
|
|
79
80
|
else
|
|
80
81
|
record['violations']['context']='request'
|
|
81
|
-
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer'])
|
|
82
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
82
83
|
end
|
|
83
84
|
|
|
84
85
|
|
|
85
86
|
when 'VIOL_COOKIE_LENGTH', 'VIOL_HEADER_LENGTH', 'VIOL_URL_METACHAR'
|
|
86
87
|
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
87
88
|
|
|
88
|
-
when 'VIOL_PARAMETER_VALUE_METACHAR', 'VIOL_PARAMETER_DATA_TYPE', '
|
|
89
|
+
when 'VIOL_PARAMETER_VALUE_METACHAR', 'VIOL_PARAMETER_DATA_TYPE', 'VIOL_PARAMETER_NUMERIC_VALUE', 'VIOL_PARAMETER_VALUE_LENGTH', 'VIOL_PARAMETER_ARRAY_VALUE', 'VIOL_PARAMETER_LOCATION', 'VIOL_PARAMETER_STATIC_VALUE'
|
|
89
90
|
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value']) #base64 decode
|
|
90
|
-
# If parameter is explicit then the NAP does NOT provide the "observedEntity".
|
|
91
|
-
# For consistency we create the observedEntity.value
|
|
92
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
91
|
+
# If parameter is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
93
92
|
# Notes: Why is parameters an array!!
|
|
94
93
|
if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
|
|
95
94
|
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
96
95
|
else
|
|
97
96
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
|
|
98
97
|
end
|
|
98
|
+
when 'VIOL_PARAMETER_EMPTY_VALUE', 'VIOL_PARAMETER'
|
|
99
|
+
# If filetype is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
100
|
+
# Notes: Why is filetypes an array!!
|
|
101
|
+
if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
|
|
102
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
103
|
+
else
|
|
104
|
+
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
|
|
105
|
+
end
|
|
99
106
|
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
# If filetype is explicit then the NAP does NOT provide the "observedEntity".
|
|
103
|
-
# For consistency we create the observedEntity.value
|
|
104
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
107
|
+
when 'VIOL_URL_LENGTH', 'VIOL_POST_DATA_LENGTH', 'VIOL_QUERY_STRING_LENGTH', 'VIOL_REQUEST_LENGTH', 'VIOL_COOKIE_LENGTH', 'VIOL_HEADER_LENGTH'
|
|
108
|
+
# If filetype is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
105
109
|
# Notes: Why is filetypes an array!!
|
|
106
110
|
if record['violations']['policyEntity']['filetypes'][0]['type']=="wildcard"
|
|
107
111
|
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: fluent-plugin-nginx-nap-decode
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.64
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Kostas Skenderidis
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2024-04-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: fluentd
|
|
@@ -42,7 +42,6 @@ files:
|
|
|
42
42
|
- LICENSE
|
|
43
43
|
- README.md
|
|
44
44
|
- Rakefile
|
|
45
|
-
- fluent-plugin-nginx-nap-decode-0.4.61.gem
|
|
46
45
|
- fluent-plugin-nginx-nap-decode.gemspec
|
|
47
46
|
- lib/fluent/plugin/filter_nginx_nap_decode.rb
|
|
48
47
|
- publish.md
|
|
@@ -67,7 +66,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
67
66
|
- !ruby/object:Gem::Version
|
|
68
67
|
version: '0'
|
|
69
68
|
requirements: []
|
|
70
|
-
rubygems_version: 3.4.
|
|
69
|
+
rubygems_version: 3.4.19
|
|
71
70
|
signing_key:
|
|
72
71
|
specification_version: 4
|
|
73
72
|
summary: Decode the base64 values that are included on the NAP logs
|
|
Binary file
|