logstash-codec-idmef 0.9.0 → 0.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/lib/logstash/codecs/idmef.rb +17 -20
- data/logstash-codec-idmef.gemspec +1 -1
- data/spec/codecs/idmef_spec.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 687a8fdbf7434f7a0cc7062d44463550a7b6f5922bb41086fc01ccd8db0711a1
|
|
4
|
+
data.tar.gz: d3c65c530b4e8b74eca83a9c6ba3eaf1ba9293a22860ea256447407cd13e8f69
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: f416eeb9bc08f9d9c6c1d8241a3377ddb92fc47421f62053b5f1f791fb2a8f9b0683e0065c0630488724c23eb3dc9fafbab471acdf8a5c87843faccbb83cf970
|
|
7
|
+
data.tar.gz: bc4d4fba048ac2ece7058b86af575b4d5ee43217236834e0ab2d1f62b0fe0288a95d8654d0ba40efda50ec23ef7ad07cd3315afaad7095af8b390ba73d46973a
|
data/CHANGELOG.md
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
# encoding: utf-8
|
|
2
2
|
require "logstash/codecs/base"
|
|
3
3
|
|
|
4
|
+
require 'socket'
|
|
4
5
|
require 'nokogiri'
|
|
5
6
|
require 'json'
|
|
6
7
|
require 'date'
|
|
@@ -253,7 +254,7 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
|
|
|
253
254
|
:name => "AdditionalData",
|
|
254
255
|
"meaning" => { :type => :attr, :name => "meaning" },
|
|
255
256
|
"type" => { :type => :attr, :name => "type" },
|
|
256
|
-
"data" => { :type => :
|
|
257
|
+
"data" => { :type => :list_value, :name => :type }
|
|
257
258
|
}
|
|
258
259
|
# RFC 4765: CorrelationAlert Class
|
|
259
260
|
IDMEFCorrelationAlert = { :type => :class,
|
|
@@ -328,7 +329,7 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
|
|
|
328
329
|
value = v
|
|
329
330
|
end
|
|
330
331
|
end
|
|
331
|
-
if value.kind_of?(Array)
|
|
332
|
+
if value.kind_of?(Array) or value.to_s.empty?
|
|
332
333
|
next
|
|
333
334
|
end
|
|
334
335
|
if value.kind_of?(String)
|
|
@@ -373,20 +374,15 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
|
|
|
373
374
|
if rfc[name][:format] == :datetime
|
|
374
375
|
value = DateTime.parse(value.to_s).strftime("%FT%T%:z")
|
|
375
376
|
end
|
|
376
|
-
|
|
377
|
+
n = rfc[name][:name] == :type ? curr["type"] : rfc[name][:name]
|
|
378
|
+
no = Nokogiri::XML::Node.new(n, doc)
|
|
377
379
|
no.content = value.to_s
|
|
378
380
|
curr << no
|
|
379
|
-
curr = no
|
|
380
381
|
elsif ne_t == :attr
|
|
381
382
|
if rfc[name][:format] == :datetime
|
|
382
383
|
value = DateTime.parse(value.to_s).strftime("%FT%T%:z")
|
|
383
384
|
end
|
|
384
385
|
curr[rfc[name][:name]] = value.to_s
|
|
385
|
-
elsif ne_t == :value
|
|
386
|
-
if rfc[name][:format] == :datetime
|
|
387
|
-
value = DateTime.parse(value.to_s).strftime("%FT%T%:z")
|
|
388
|
-
end
|
|
389
|
-
curr.content = value.to_s
|
|
390
386
|
end
|
|
391
387
|
rfc.each do |kk, vv|
|
|
392
388
|
if vv.respond_to?(:each_pair) && vv[:default] && vv[:type] == :attr && !curr[vv[:name]]
|
|
@@ -418,12 +414,11 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
|
|
|
418
414
|
@utf8_charset.logger = self.logger
|
|
419
415
|
|
|
420
416
|
@local_paths = {
|
|
421
|
-
"alert.classification.text" => ["$rule_name", "$event", "$message"],
|
|
422
|
-
"alert.detect_time" => "$@timestamp",
|
|
423
|
-
"alert.create_time" => "$@timestamp",
|
|
424
|
-
"alert.analyzer_time" => "$@timestamp",
|
|
425
417
|
"alert.analyzer(0).name" => ["$product", "$devname"],
|
|
426
418
|
"alert.analyzer(0).manufacturer" => "$vendor",
|
|
419
|
+
"alert.create_time" => "$@timestamp",
|
|
420
|
+
"alert.detect_time" => "$@timestamp",
|
|
421
|
+
"alert.analyzer_time" => "$@timestamp",
|
|
427
422
|
"alert.source(0).node.address(0).address" => ["$srcip", "$src"],
|
|
428
423
|
"alert.source(0).node.name" => ["$shost", "$srchost", "$shostname", "$srchostname", "$sname", "$srcname"],
|
|
429
424
|
"alert.source(0).service.port" => ["$spt", "$sport", "$s_port"],
|
|
@@ -436,6 +431,7 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
|
|
|
436
431
|
"alert.target(0).user.user_id(0).number" => ["$uid", "$dstuid", "$duid"],
|
|
437
432
|
"alert.target(0).process.name" => ["$proc", "$process"],
|
|
438
433
|
"alert.target(0).process.pid" => ["$dpid", "$pid"],
|
|
434
|
+
"alert.classification.text" => ["$rule_name", "$event", "$message"],
|
|
439
435
|
"alert.assessment.impact.severity" => ["$severity", "$level"],
|
|
440
436
|
"alert.assessment.action.description" => ["$action"],
|
|
441
437
|
}
|
|
@@ -454,13 +450,14 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
|
|
|
454
450
|
# Copy event
|
|
455
451
|
e = event.clone
|
|
456
452
|
|
|
453
|
+
# Set messageid and analyzerid
|
|
454
|
+
p = { "%s.messageid" % @type => java.util.UUID.randomUUID.to_s,
|
|
455
|
+
"%s.analyzer(0).analyzerid" % @type => Socket.gethostname.to_s
|
|
456
|
+
}
|
|
457
|
+
xml = idmefpaths_to_xml(e, p)
|
|
458
|
+
|
|
457
459
|
# Set paths
|
|
458
|
-
xml = idmefpaths_to_xml(e, @allpaths)
|
|
459
|
-
|
|
460
|
-
# Set messageid
|
|
461
|
-
if !@allpaths.key?("%s.messageid" % @type)
|
|
462
|
-
xml = idmefpaths_to_xml(e, {"%s.messageid" % @type => java.util.UUID.randomUUID.to_s}, xml)
|
|
463
|
-
end
|
|
460
|
+
xml = idmefpaths_to_xml(e, @allpaths, xml)
|
|
464
461
|
|
|
465
462
|
# Set Additional data
|
|
466
463
|
if @additionaldata
|
|
@@ -474,8 +471,8 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
|
|
|
474
471
|
t = "string"
|
|
475
472
|
end
|
|
476
473
|
p = { "alert.additional_data(%d).meaning" % idx => key,
|
|
477
|
-
"alert.additional_data(%d).data" % idx => value.to_s,
|
|
478
474
|
"alert.additional_data(%d).type" % idx => t,
|
|
475
|
+
"alert.additional_data(%d).data" % idx => value.to_s,
|
|
479
476
|
}
|
|
480
477
|
xml = idmefpaths_to_xml(e, p , xml)
|
|
481
478
|
idx = idx + 1
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
|
|
3
3
|
s.name = 'logstash-codec-idmef'
|
|
4
|
-
s.version = '0.9.
|
|
4
|
+
s.version = '0.9.1'
|
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
|
6
6
|
s.summary = "Create IDMEF in XML"
|
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
data/spec/codecs/idmef_spec.rb
CHANGED
|
@@ -9,7 +9,7 @@ describe LogStash::Codecs::IDMEF do
|
|
|
9
9
|
context "encode IDMEF" do
|
|
10
10
|
subject(:codec) { LogStash::Codecs::IDMEF.new }
|
|
11
11
|
|
|
12
|
-
let(:expected_result) { %Q(<?xml version
|
|
12
|
+
let(:expected_result) { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime>2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:DetectTime>2020-05-24T09:05:26+00:00</idmef:DetectTime><idmef:AnalyzerTime>2020-05-24T09:05:26+00:00</idmef:AnalyzerTime><idmef:Target decoy=\"unknown\"><idmef:Node category=\"unknown\"><idmef:name>localhost.localdomain</idmef:name></idmef:Node></idmef:Target><idmef:Classification text=\"Login attempt\"/><idmef:AdditionalData meaning=\"@version\" type=\"string\"><idmef:string>1</idmef:string></idmef:AdditionalData></idmef:Alert></idmef:IDMEF-Message>\n)}
|
|
13
13
|
let(:results) { []}
|
|
14
14
|
|
|
15
15
|
it "should return proper IDMEF XML from event" do
|