fluent-plugin-nginx-nap-decode 0.4.63 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a470e811dc51325dfea59ccf696aa376efbc4499c3e8105140e025a827559268
|
|
4
|
+
data.tar.gz: bfb25f0d137f797b4dcdfec5ab44f0ed2176c15c177fb90750a43015c4045234
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b66cb8ac301c224f873597c487cc5be41f64674f17500dfae8b2ee0a6cdb0868a6bf20d783dd1ac65e61202da163b9c4d6cd21965536f08ddec5913e9c639cbe
|
|
7
|
+
data.tar.gz: e9520b1b8c3f7560802e919ad4b327b849126bd173f262efee435f6b58769789ba5e9455d93b2fd07779654f41429578c72dc5acfb35760f5fd989ffd5d8d04e
|
|
Binary file
|
|
@@ -3,7 +3,7 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
|
3
3
|
|
|
4
4
|
Gem::Specification.new do |spec|
|
|
5
5
|
spec.name = "fluent-plugin-nginx-nap-decode"
|
|
6
|
-
spec.version = "0.
|
|
6
|
+
spec.version = "1.0.0"
|
|
7
7
|
spec.authors = ["Kostas Skenderidis"]
|
|
8
8
|
spec.email = ["skenderidis@gmail.com"]
|
|
9
9
|
|
|
@@ -33,63 +33,53 @@ module Fluent
|
|
|
33
33
|
#If attack signature is found on cookies
|
|
34
34
|
|
|
35
35
|
if record['violations']['policyEntity'].has_key?('cookies')
|
|
36
|
-
record['violations']['context']='cookies'
|
|
37
|
-
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
38
|
-
if record['violations'].has_key?('snippet')
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
# If header is explicit then the NAP does NOT provide the "observedEntity". This
|
|
42
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
43
|
-
# Notes: Why is parameters an array!!
|
|
36
|
+
record['violations']['context']='cookies' #Create context that is missing
|
|
37
|
+
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
38
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
39
|
+
|
|
40
|
+
# If header is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
44
41
|
if record['violations']['policyEntity']['cookies'][0]['type']=="wildcard"
|
|
45
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
42
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
46
43
|
else
|
|
47
44
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['cookies'][0]['name']
|
|
48
45
|
end
|
|
49
46
|
end
|
|
47
|
+
|
|
50
48
|
if record['violations']['policyEntity'].has_key?('headers')
|
|
51
|
-
record['violations']['context']='headers'
|
|
52
|
-
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
53
|
-
if record['violations'].has_key?('snippet')
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
# If header is explicit then the NAP does NOT provide the "observedEntity". This
|
|
57
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
58
|
-
# Notes: Why is parameters an array!!
|
|
49
|
+
record['violations']['context']='headers' #Create context that is missing
|
|
50
|
+
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
51
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
52
|
+
|
|
53
|
+
# If header is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
59
54
|
if record['violations']['policyEntity']['headers'][0]['type']=="wildcard"
|
|
60
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
55
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
61
56
|
else
|
|
62
57
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['headers'][0]['name']
|
|
63
58
|
end
|
|
64
59
|
end
|
|
60
|
+
|
|
65
61
|
if record['violations']['policyEntity'].has_key?('parameters')
|
|
66
|
-
record['violations']['context']='parameters'
|
|
62
|
+
record['violations']['context']='parameters' #Create context that is missing
|
|
67
63
|
|
|
68
|
-
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
69
|
-
if record['violations'].has_key?('snippet')
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
# If parameter is explicit then the NAP does NOT provide the "observedEntity". This
|
|
73
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
74
|
-
# Notes: Why is parameters an array!!
|
|
64
|
+
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
|
|
65
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
66
|
+
|
|
67
|
+
# If parameter is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
75
68
|
if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
|
|
76
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
69
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
77
70
|
else
|
|
78
71
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
|
|
79
72
|
end
|
|
80
|
-
end
|
|
73
|
+
end
|
|
74
|
+
|
|
81
75
|
if record['violations']['policyEntity'].has_key?('urls')
|
|
82
|
-
record['violations']['context']='urls'
|
|
83
|
-
if record['violations'].has_key?('snippet')
|
|
84
|
-
|
|
85
|
-
end
|
|
86
|
-
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
76
|
+
record['violations']['context']='urls' #Create context that is missing
|
|
77
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
78
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
|
|
87
79
|
end
|
|
88
80
|
else
|
|
89
81
|
record['violations']['context']='request'
|
|
90
|
-
if record['violations'].has_key?('snippet')
|
|
91
|
-
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) #base64 decode
|
|
92
|
-
end
|
|
82
|
+
record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
|
|
93
83
|
end
|
|
94
84
|
|
|
95
85
|
|
|
@@ -98,27 +88,35 @@ module Fluent
|
|
|
98
88
|
|
|
99
89
|
when 'VIOL_PARAMETER_VALUE_METACHAR', 'VIOL_PARAMETER_DATA_TYPE', 'VIOL_PARAMETER_NUMERIC_VALUE', 'VIOL_PARAMETER_VALUE_LENGTH', 'VIOL_PARAMETER_ARRAY_VALUE', 'VIOL_PARAMETER_LOCATION', 'VIOL_PARAMETER_STATIC_VALUE'
|
|
100
90
|
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value']) #base64 decode
|
|
101
|
-
# If parameter is explicit then the NAP does NOT provide the "observedEntity".
|
|
102
|
-
# For consistency we create the observedEntity.value
|
|
103
|
-
# This creates a problem with reporting later on, so we added the record "name"
|
|
91
|
+
# If parameter is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
104
92
|
# Notes: Why is parameters an array!!
|
|
105
93
|
if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
|
|
106
94
|
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
107
95
|
else
|
|
108
96
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
|
|
109
97
|
end
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
#
|
|
113
|
-
|
|
114
|
-
|
|
98
|
+
when 'VIOL_PARAMETER_EMPTY_VALUE', 'VIOL_PARAMETER'
|
|
99
|
+
# If filetype is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
100
|
+
# Notes: Why is filetypes an array!!
|
|
101
|
+
if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
|
|
102
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
103
|
+
else
|
|
104
|
+
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
|
|
105
|
+
end
|
|
106
|
+
when 'VIOL_URL_LENGTH', 'VIOL_POST_DATA_LENGTH', 'VIOL_QUERY_STRING_LENGTH', 'VIOL_REQUEST_LENGTH', 'VIOL_COOKIE_LENGTH', 'VIOL_HEADER_LENGTH'
|
|
107
|
+
# If filetype is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
|
|
115
108
|
# Notes: Why is filetypes an array!!
|
|
116
109
|
if record['violations']['policyEntity']['filetypes'][0]['type']=="wildcard"
|
|
117
110
|
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
118
111
|
else
|
|
119
112
|
record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['filetypes'][0]['name']
|
|
120
113
|
end
|
|
121
|
-
|
|
114
|
+
when 'VIOL_EVASION'
|
|
115
|
+
# if the observed entity is parameter then base64-decode the parameter
|
|
116
|
+
if record['violations']['observedEntity']['scope']=="parameter"
|
|
117
|
+
record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
|
|
118
|
+
record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value']) #base64 decode
|
|
119
|
+
end
|
|
122
120
|
end
|
|
123
121
|
record
|
|
124
122
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: fluent-plugin-nginx-nap-decode
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 1.0.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Kostas Skenderidis
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2024-04-
|
|
11
|
+
date: 2024-04-05 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: fluentd
|
|
@@ -42,7 +42,7 @@ files:
|
|
|
42
42
|
- LICENSE
|
|
43
43
|
- README.md
|
|
44
44
|
- Rakefile
|
|
45
|
-
- fluent-plugin-nginx-nap-decode-0.4.
|
|
45
|
+
- fluent-plugin-nginx-nap-decode-0.4.64.gem
|
|
46
46
|
- fluent-plugin-nginx-nap-decode.gemspec
|
|
47
47
|
- lib/fluent/plugin/filter_nginx_nap_decode.rb
|
|
48
48
|
- publish.md
|
|
Binary file
|