logstash-codec-cef 6.0.0-java → 6.0.1-java

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 30965bf1274a21adf481546aeef0435748e4ff33758d5dac3f02ff40191a0f88
4
- data.tar.gz: f8860f9eeb553c05e960b75836a1a82aaa1dcd0559251c124434b07660964566
3
+ metadata.gz: dd13e0f9bfc0b86dcd6d9f3f9b062a10ecb14113bf4c2064d3fdee3067b1cca2
4
+ data.tar.gz: 62193bfe55ae9faebb85ddc6c734c80125df69a91fe5c7a922dd91e6f2785acd
5
5
  SHA512:
6
- metadata.gz: 4d52df92912ea498c721d70e02619d879c3d900e721b67b215bbf87bcc14184655b7e4af6bbc52e3e2e79e73e54565e59ab11982734d931d80b810f568fdda35
7
- data.tar.gz: d951daf3544ce79a61efef3fe2038c91f0eb219bd5874aeab0623c8225b4ca0bd9ed1a025a69001d9670e4f514a56cabbf58f16ef345c0f33021fd12a7dea5dc
6
+ metadata.gz: bd27d064fa1a760dbf1f8c9afe53d0c3b1d561c3d195c199ae2748b3c4067bff64b4abd838f6413811f863e4adcf7ec6403c215ae04d038741198f94ea325922
7
+ data.tar.gz: 6038f059336b2e5dd896716d577cae12a6798ff850b9b4ac7f28312e863de931f9fa4b1ab189a3230dba38a9373f3c7c68814b1c1acc19296462bda3c95de19f
@@ -1,3 +1,6 @@
1
+ ## 6.0.1
2
+ - Fixed support for deep dot notation [#73](https://github.com/logstash-plugins/logstash-codec-cef/pull/73)
3
+
1
4
  ## 6.0.0
2
5
  - Removed obsolete `sev` and `deprecated_v1_fields` fields
3
6
 
@@ -189,13 +189,16 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
189
189
  # commas, periods, and square-bracketed index offsets.
190
190
  #
191
191
  # To support this, we look for a specific sequence of characters that are followed by an equals sign. This pattern
192
- # will correctly identify all strictly-legal keys, and will also match those that include a dot "subkey"
192
+ # will correctly identify all strictly-legal keys, and will also match those that include a dot-joined "subkeys" and
193
+ # square-bracketed array indexing
193
194
  #
194
195
  # That sequence must begin with one or more `\w` (word: alphanumeric + underscore), which _optionally_ may be followed
195
- # by "subkey" sequence consisting of a literal dot (`.`) followed by a non-whitespace character, then one or more word
196
- # characters, and then one or more characters that do not convey semantic meaning within CEF (e.g., literal-pipe (`|`),
197
- # whitespace (`\s`), literal-dot (`.`), literal-equals (`=`), or literal-backslash ('\')).
198
- EXTENSION_KEY_PATTERN = /(?:\w+(?:\.[^\s]\w+[^\|\s\.\=\\]+)?(?==))/
196
+ # by one or more "subkey" sequences and an optional square-bracketed index.
197
+ #
198
+ # To be understood by this implementation, a "subkey" sequence must consist of a literal dot (`.`) followed by one or
199
+ # more characters that do not convey semantic meaning within CEF (e.g., literal-dot (`.`), literal-equals (`=`),
200
+ # whitespace (`\s`), literal-pipe (`|`), literal-backslash ('\'), or literal-square brackets (`[` or `]`)).
201
+ EXTENSION_KEY_PATTERN = /(?:\w+(?:\.[^\.=\s\|\\\[\]]+)*(?:\[[0-9]+\])?(?==))/
199
202
 
200
203
  # Some CEF extension keys seen in the wild use an undocumented array-like syntax that may not be compatible with
201
204
  # the Event API's strict-mode FieldReference parser (e.g., `fieldname[0]`).
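Review bot: The new comment above `EXTENSION_KEY_PATTERN` describes the subkey alphabet backwards: the class `[^\.=\s\|\\\[\]]+` accepts one or more characters *other than* the listed ones, yet the sentence says a subkey consists of "characters that do not convey semantic meaning within CEF (e.g., literal-dot, literal-equals, …)", presenting the excluded characters as examples of what is accepted; rewording it to "one or more characters other than those that carry semantic meaning within CEF — anything except literal-dot, literal-equals, whitespace, literal-pipe, literal-backslash and square brackets" would match the regex. The earlier sentence "match those that include a dot-joined "subkeys" and square-bracketed array indexing" also needs the article dropped. Compared with the old pattern, which required a subkey to start with a non-space character followed by at least one word character, a subkey may now be any run of non-excluded characters, so a value holding an unescaped `=` after a dotted token (a URL, say) would be split at a different point than before; CEF requires `=` in values to be escaped, so this is probably acceptable, but a spec pinning the intended behaviour for such input would make the widening deliberate rather than incidental. The constant sits in the body of `LogStash::Codecs::CEF`, whose definition starts and ends outside the hunk.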
@@ -1,7 +1,7 @@
1
1
  Gem::Specification.new do |s|
2
2
 
3
3
  s.name = 'logstash-codec-cef'
4
- s.version = '6.0.0'
4
+ s.version = '6.0.1'
5
5
  s.platform = 'java'
6
6
  s.licenses = ['Apache License (2.0)']
7
7
  s.summary = "Reads the ArcSight Common Event Format (CEF)."
@@ -555,6 +555,16 @@ describe LogStash::Codecs::CEF do
555
555
  end
556
556
  end
557
557
 
558
+ let (:dots_in_keys) {'CEF:0|Vendor|Device|Version|13|my message|5|dvchost=loghost cat=traffic deviceSeverity=notice ad.nn=TEST src=192.168.0.1 destinationPort=53'}
559
+ it "should be OK with dots in keys" do
560
+ decode_one(subject, dots_in_keys) do |e|
561
+ insist { e.get("deviceHostName") } == "loghost"
562
+ insist { e.get("ad.nn") } == 'TEST'
563
+ insist { e.get("sourceAddress") } == '192.168.0.1'
564
+ insist { e.get("destinationPort") } == '53'
565
+ end
566
+ end
567
+
558
568
  let (:allow_spaces_in_values) {'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232 dproc=InternetExplorer x.x.x.x'}
559
569
  it "should be OK to have one or more spaces in values" do
560
570
  decode_one(subject, allow_spaces_in_values) do |e|
@@ -580,6 +590,20 @@ describe LogStash::Codecs::CEF do
580
590
  end
581
591
  end
582
592
 
593
+ let(:preserve_complex_multiple_dot_notation_in_extension_fields) { 'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 additional.dotfieldName=new_value ad.Authentification=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ad.Error_,Code=3221225578 dst=12.121.122.82 ad.field[0]=field0 ad.foo.name[1]=new_name' }
594
+ it "should keep ad.fields" do
595
+ decode_one(subject, preserve_complex_multiple_dot_notation_in_extension_fields) do |e|
596
+ validate(e)
597
+ insist { e.get("sourceAddress") } == "10.0.0.192"
598
+ insist { e.get("destinationAddress") } == "12.121.122.82"
599
+ insist { e.get("[ad.field][0]") } == "field0"
600
+ insist { e.get("[ad.foo.name][1]") } == "new_name"
601
+ insist { e.get("ad.Authentification") } == "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
602
+ insist { e.get('ad.Error_,Code') } == "3221225578"
603
+ insist { e.get("additional.dotfieldName") } == "new_value"
604
+ end
605
+ end
606
+
583
607
  let (:preserve_random_values_key_value_pairs_alongside_with_additional_fields) {'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 cs4=401 random.user Admin 0 23041A10181C0000 23041810181C0000 /CN\=random.user/OU\=User Login End-Entity /CN\=TEST/OU\=Login CA TEST 34 additional.dotfieldName=new_value ad.Authentification=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ad.Error_,Code=3221225578 dst=12.121.122.82 ad.field[0]=field0 ad.name[1]=new_name'}
584
608
  it "should correctly parse random values even with additional fields in message" do
585
609
  decode_one(subject, preserve_random_values_key_value_pairs_alongside_with_additional_fields) do |e|
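Review bot: Neither new example covers the case the codec's own comment calls out, a bare indexed key such as `fieldname[0]` with no dot, which the new `(?:\[[0-9]+\])?` group now admits directly after `\w+`; judging from the `e.get("[ad.field][0]")` expectation, such a key would presumably surface as `e.get("[fieldname][0]")`, so one more `insist` on a message containing `field[0]=field0` would pin that path. The two new `let` blocks are also written differently: `let (:dots_in_keys)` has a space before the parenthesis while `let(:preserve_complex_multiple_dot_notation_in_extension_fields)` does not, and the second form is the one the Ruby style guide favours. The first new example omits the `validate(e)` call the second one makes; if `validate` asserts on the header fields (its definition is outside these hunks), calling it in both keeps the examples comparable. The enclosing `describe LogStash::Codecs::CEF` block starts and ends outside the hunks.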
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-codec-cef
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.0.0
4
+ version: 6.0.1
5
5
  platform: java
6
6
  authors:
7
7
  - Elastic
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-01-11 00:00:00.000000000 Z
11
+ date: 2019-09-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement