logstash-codec-cef 6.0.0-java → 6.0.1-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/lib/logstash/codecs/cef.rb +8 -5
- data/logstash-codec-cef.gemspec +1 -1
- data/spec/codecs/cef_spec.rb +24 -0
- metadata +2 -2
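--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: dd13e0f9bfc0b86dcd6d9f3f9b062a10ecb14113bf4c2064d3fdee3067b1cca2
+data.tar.gz: 62193bfe55ae9faebb85ddc6c734c80125df69a91fe5c7a922dd91e6f2785acd
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bd27d064fa1a760dbf1f8c9afe53d0c3b1d561c3d195c199ae2748b3c4067bff64b4abd838f6413811f863e4adcf7ec6403c215ae04d038741198f94ea325922
+data.tar.gz: 6038f059336b2e5dd896716d577cae12a6798ff850b9b4ac7f28312e863de931f9fa4b1ab189a3230dba38a9373f3c7c68814b1c1acc19296462bda3c95de19f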
data/CHANGELOG.md
CHANGED
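--- a/data/lib/logstash/codecs/cef.rb
+++ b/data/lib/logstash/codecs/cef.rb
@@ -189,13 +189,16 @@ class LogStash::Codecs::CEF < LogStash::Codecs::Base
 # commas, periods, and square-bracketed index offsets.
 #
 # To support this, we look for a specific sequence of characters that are followed by an equals sign. This pattern
-# will correctly identify all strictly-legal keys, and will also match those that include a dot "
+# will correctly identify all strictly-legal keys, and will also match those that include a dot-joined "subkeys" and
+# square-bracketed array indexing
 #
 # That sequence must begin with one or more `\w` (word: alphanumeric + underscore), which _optionally_ may be followed
-# by "subkey"
-#
-#
-
+# by one or more "subkey" sequences and an optional square-bracketed index.
+#
+# To be understood by this implementation, a "subkey" sequence must consist of a literal dot (`.`) followed by one or
+# more characters that do not convey semantic meaning within CEF (e.g., literal-dot (`.`), literal-equals (`=`),
+# whitespace (`\s`), literal-pipe (`|`), literal-backslash ('\'), or literal-square brackets (`[` or `]`)).
+EXTENSION_KEY_PATTERN = /(?:\w+(?:\.[^\.=\s\|\\\[\]]+)*(?:\[[0-9]+\])?(?==))/
 
 # Some CEF extension keys seen in the wild use an undocumented array-like syntax that may not be compatible with
 # the Event API's strict-mode FieldReference parser (e.g., `fieldname[0]`).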
data/logstash-codec-cef.gemspec
CHANGED
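--- a/data/spec/codecs/cef_spec.rb
+++ b/data/spec/codecs/cef_spec.rb
@@ -555,6 +555,16 @@ describe LogStash::Codecs::CEF do
 end
 end
 
+let (:dots_in_keys) {'CEF:0|Vendor|Device|Version|13|my message|5|dvchost=loghost cat=traffic deviceSeverity=notice ad.nn=TEST src=192.168.0.1 destinationPort=53'}
+it "should be OK with dots in keys" do
+decode_one(subject, dots_in_keys) do |e|
+insist { e.get("deviceHostName") } == "loghost"
+insist { e.get("ad.nn") } == 'TEST'
+insist { e.get("sourceAddress") } == '192.168.0.1'
+insist { e.get("destinationPort") } == '53'
+end
+end
+
 let (:allow_spaces_in_values) {'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 dst=12.121.122.82 spt=1232 dproc=InternetExplorer x.x.x.x'}
 it "should be OK to have one or more spaces in values" do
 decode_one(subject, allow_spaces_in_values) do |e|
@@ -580,6 +590,20 @@ describe LogStash::Codecs::CEF do
 end
 end
 
+let(:preserve_complex_multiple_dot_notation_in_extension_fields) { 'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 additional.dotfieldName=new_value ad.Authentification=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ad.Error_,Code=3221225578 dst=12.121.122.82 ad.field[0]=field0 ad.foo.name[1]=new_name' }
+it "should keep ad.fields" do
+decode_one(subject, preserve_complex_multiple_dot_notation_in_extension_fields) do |e|
+validate(e)
+insist { e.get("sourceAddress") } == "10.0.0.192"
+insist { e.get("destinationAddress") } == "12.121.122.82"
+insist { e.get("[ad.field][0]") } == "field0"
+insist { e.get("[ad.foo.name][1]") } == "new_name"
+insist { e.get("ad.Authentification") } == "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0"
+insist { e.get('ad.Error_,Code') } == "3221225578"
+insist { e.get("additional.dotfieldName") } == "new_value"
+end
+end
+
 let (:preserve_random_values_key_value_pairs_alongside_with_additional_fields) {'CEF:0|security|threatmanager|1.0|100|trojan successfully stopped|10|src=10.0.0.192 cs4=401 random.user Admin 0 23041A10181C0000 23041810181C0000 /CN\=random.user/OU\=User Login End-Entity /CN\=TEST/OU\=Login CA TEST 34 additional.dotfieldName=new_value ad.Authentification=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 ad.Error_,Code=3221225578 dst=12.121.122.82 ad.field[0]=field0 ad.name[1]=new_name'}
 it "should correctly parse random values even with additional fields in message" do
 decode_one(subject, preserve_random_values_key_value_pairs_alongside_with_additional_fields) do |e|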
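--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-cef
 version: !ruby/object:Gem::Version
-version: 6.0.
+version: 6.0.1
 platform: java
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-
+date: 2019-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 requirement: !ruby/object:Gem::Requirement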