fluent-plugin-nginx-nap-decode 0.4.63 → 0.4.64
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 4b05d88c6346625519167d3f3b263b93b216662bb9fc9b55180c29abca2e0668
|
|
4
|
+
data.tar.gz: 78f3a8946faf7d578ed833a8462faf3e6d4f244578e36c2b4b46e416966300a8
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 81660db9f36ab40db4c43a45efc41eae2badcf8004423dedfb2aa0612f6091d27b984ffc06bc2bdd327e8ff1ed5ac3c1de2a83db40de998aab5d53b12f17cee8
|
|
7
|
+
data.tar.gz: 7ed4aae41c076961ab5fcc1239c58c696ab198db9281d87d938e5f22e88f24a74a4dfc86688706af83a6da66abcf7f1bc4830257db86602b5823a3d925cd6582
|
|
@@ -3,7 +3,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
|
3
3
|
|
|
4
4
|
Gem::Specification.new do |spec|
|
|
5
5
|
spec.name = "fluent-plugin-nginx-nap-decode"
|
|
6
|
-
spec.version = "0.4.
|
|
6
|
+
spec.version = "0.4.64"
|
|
7
7
|
spec.authors = ["Kostas Skenderidis"]
|
|
8
8
|
spec.email = ["skenderidis@gmail.com"]
|
|
9
9
|
|
|
@@ -33,63 +33,53 @@ module Fluent
|
|
|
33
33
|
#If attack signature is found on cookies
|
|
34
34
|
|
|
35
35
|
if record['violations']['policyEntity'].has_key?('cookies')
|
|
36
|
-
record['violations']['context']='cookies'
|
|
37
|
-
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
38
|
-
if record['violations'].has_key?('snippet')
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
# If header is explicit then the NAP does NOT provide the "observedEntity". This
|
|
42
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
43
|
-
# Notes: Why is parameters an array!!
|
|
36
|
+
record['violations']['context']='cookies' #Create context that is missing
|
|
37
|
+
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
38
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
39
|
+
|
|
40
|
+
# If header is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
44
41
|
if record['violations']['policyEntity']['cookies'][0]['type']=="wildcard"
|
|
45
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
42
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
46
43
|
else
|
|
47
44
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['cookies'][0]['name']
|
|
48
45
|
end
|
|
49
46
|
end
|
|
47
|
+
|
|
50
48
|
if record['violations']['policyEntity'].has_key?('headers')
|
|
51
|
-
record['violations']['context']='headers'
|
|
52
|
-
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
53
|
-
if record['violations'].has_key?('snippet')
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
# If header is explicit then the NAP does NOT provide the "observedEntity". This
|
|
57
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
58
|
-
# Notes: Why is parameters an array!!
|
|
49
|
+
record['violations']['context']='headers' #Create context that is missing
|
|
50
|
+
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
51
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
52
|
+
|
|
53
|
+
# If header is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
59
54
|
if record['violations']['policyEntity']['headers'][0]['type']=="wildcard"
|
|
60
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
55
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
61
56
|
else
|
|
62
57
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['headers'][0]['name']
|
|
63
58
|
end
|
|
64
59
|
end
|
|
60
|
+
|
|
65
61
|
if record['violations']['policyEntity'].has_key?('parameters')
|
|
66
|
-
record['violations']['context']='parameters'
|
|
62
|
+
record['violations']['context']='parameters' #Create context that is missing
|
|
63
|
+
|
|
64
|
+
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
65
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
67
66
|
|
|
68
|
-
|
|
69
|
-
if record['violations'].has_key?('snippet')
|
|
70
|
-
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) #base64 decode
|
|
71
|
-
end
|
|
72
|
-
# If parameter is explicit then the NAP does NOT provide the "observedEntity". This
|
|
73
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
74
|
-
# Notes: Why is parameters an array!!
|
|
67
|
+
# If parameter is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
75
68
|
if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
|
|
76
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
69
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
77
70
|
else
|
|
78
71
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
|
|
79
72
|
end
|
|
80
|
-
end
|
|
73
|
+
end
|
|
74
|
+
|
|
81
75
|
if record['violations']['policyEntity'].has_key?('urls')
|
|
82
|
-
record['violations']['context']='urls'
|
|
83
|
-
if record['violations'].has_key?('snippet')
|
|
84
|
-
|
|
85
|
-
end
|
|
86
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
76
|
+
record['violations']['context']='urls' #Create context that is missing
|
|
77
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
78
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
87
79
|
end
|
|
88
80
|
else
|
|
89
81
|
record['violations']['context']='request'
|
|
90
|
-
if record['violations'].has_key?('snippet')
|
|
91
|
-
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) #base64 decode
|
|
92
|
-
end
|
|
82
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
93
83
|
end
|
|
94
84
|
|
|
95
85
|
|
|
@@ -98,20 +88,24 @@ module Fluent
|
|
|
98
88
|
|
|
99
89
|
when 'VIOL_PARAMETER_VALUE_METACHAR', 'VIOL_PARAMETER_DATA_TYPE', 'VIOL_PARAMETER_NUMERIC_VALUE', 'VIOL_PARAMETER_VALUE_LENGTH', 'VIOL_PARAMETER_ARRAY_VALUE', 'VIOL_PARAMETER_LOCATION', 'VIOL_PARAMETER_STATIC_VALUE'
|
|
100
90
|
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value']) #base64 decode
|
|
101
|
-
# If parameter is explicit then the NAP does NOT provide the "observedEntity".
|
|
102
|
-
# For consistency we create the observedEntity.value
|
|
103
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
91
|
+
# If parameter is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
104
92
|
# Notes: Why is parameters an array!!
|
|
105
93
|
if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
|
|
106
94
|
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
107
95
|
else
|
|
108
96
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
|
|
109
97
|
end
|
|
98
|
+
when 'VIOL_PARAMETER_EMPTY_VALUE', 'VIOL_PARAMETER'
|
|
99
|
+
# If filetype is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
100
|
+
# Notes: Why is filetypes an array!!
|
|
101
|
+
if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
|
|
102
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
103
|
+
else
|
|
104
|
+
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
|
|
105
|
+
end
|
|
110
106
|
|
|
111
|
-
when 'VIOL_URL_LENGTH', 'VIOL_POST_DATA_LENGTH', 'VIOL_QUERY_STRING_LENGTH', 'VIOL_REQUEST_LENGTH', '
|
|
112
|
-
# If filetype is explicit then the NAP does NOT provide the "observedEntity".
|
|
113
|
-
# For consistency we create the observedEntity.value
|
|
114
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
107
|
+
when 'VIOL_URL_LENGTH', 'VIOL_POST_DATA_LENGTH', 'VIOL_QUERY_STRING_LENGTH', 'VIOL_REQUEST_LENGTH', 'VIOL_COOKIE_LENGTH', 'VIOL_HEADER_LENGTH'
|
|
108
|
+
# If filetype is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
115
109
|
# Notes: Why is filetypes an array!!
|
|
116
110
|
if record['violations']['policyEntity']['filetypes'][0]['type']=="wildcard"
|
|
117
111
|
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: fluent-plugin-nginx-nap-decode
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.4.
|
|
4
|
+
version: 0.4.64
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Kostas Skenderidis
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-04-
|
|
11
|
+
date: 2024-04-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: fluentd
|
|
@@ -42,7 +42,6 @@ files:
|
|
|
42
42
|
- LICENSE
|
|
43
43
|
- README.md
|
|
44
44
|
- Rakefile
|
|
45
|
-
- fluent-plugin-nginx-nap-decode-0.4.61.gem
|
|
46
45
|
- fluent-plugin-nginx-nap-decode.gemspec
|
|
47
46
|
- lib/fluent/plugin/filter_nginx_nap_decode.rb
|
|
48
47
|
- publish.md
|
|
Binary file
|