logstash-codec-idmef 0.9.2 → 0.9.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/docs/index.asciidoc +61 -22
- data/lib/logstash/codecs/idmef-message.dtd +661 -0
- data/lib/logstash/codecs/idmef.rb +283 -202
- data/logstash-codec-idmef.gemspec +1 -1
- data/spec/codecs/idmef_spec.rb +102 -12
- metadata +17 -17
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-idmef'
|
4
|
-
s.version = '0.9.
|
4
|
+
s.version = '0.9.3'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "Create IDMEF in XML"
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
data/spec/codecs/idmef_spec.rb
CHANGED
@@ -6,20 +6,110 @@ require 'insist'
|
|
6
6
|
|
7
7
|
describe LogStash::Codecs::IDMEF do
|
8
8
|
|
9
|
-
context "
|
10
|
-
|
9
|
+
context "Encode IDMEF" do
|
10
|
+
describe "with default configuration" do
|
11
|
+
let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
|
12
|
+
"alert.analyzer(0).analyzerid" => "localhost.localdomain"
|
13
|
+
},
|
14
|
+
"validate_xml" => "true"
|
15
|
+
}
|
16
|
+
}
|
17
|
+
subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
|
18
|
+
|
19
|
+
let(:expected_result) { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:DetectTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:DetectTime><idmef:AnalyzerTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:AnalyzerTime><idmef:Target decoy=\"unknown\"><idmef:Node category=\"unknown\"><idmef:name>localhost.localdomain</idmef:name></idmef:Node></idmef:Target><idmef:Classification text=\"Login attempt\"/><idmef:AdditionalData meaning=\"@version\" type=\"string\"><idmef:string>1</idmef:string></idmef:AdditionalData></idmef:Alert></idmef:IDMEF-Message>\n)}
|
20
|
+
let(:results) { [] }
|
21
|
+
|
22
|
+
it "should return proper IDMEF XML from event" do
|
23
|
+
codec.on_event{|data, newdata| results << newdata}
|
24
|
+
event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
|
25
|
+
"host" => "localhost.localdomain",
|
26
|
+
"message" => "Login attempt",
|
27
|
+
"@version" => "1",
|
28
|
+
"msg" => "")
|
29
|
+
codec.encode(event)
|
30
|
+
insist {results.first} == expected_result
|
31
|
+
end
|
32
|
+
end
|
33
|
+
|
34
|
+
describe "with additionaldata disabled" do
|
35
|
+
let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
|
36
|
+
"alert.analyzer(0).analyzerid" => "localhost.localdomain"
|
37
|
+
},
|
38
|
+
"validate_xml" => "true",
|
39
|
+
"additionaldata" => "false"
|
40
|
+
}
|
41
|
+
}
|
42
|
+
subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
|
43
|
+
|
44
|
+
let(:expected_result) { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:DetectTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:DetectTime><idmef:AnalyzerTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:AnalyzerTime><idmef:Target decoy=\"unknown\"><idmef:Node category=\"unknown\"><idmef:name>localhost.localdomain</idmef:name></idmef:Node></idmef:Target><idmef:Classification text=\"Login attempt\"/></idmef:Alert></idmef:IDMEF-Message>\n)}
|
45
|
+
let(:results) { [] }
|
46
|
+
|
47
|
+
it "should return proper IDMEF XML from event" do
|
48
|
+
codec.on_event{|data, newdata| results << newdata}
|
49
|
+
event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
|
50
|
+
"host" => "localhost.localdomain",
|
51
|
+
"message" => "Login attempt",
|
52
|
+
"@version" => "1",
|
53
|
+
"msg" => "")
|
54
|
+
codec.encode(event)
|
55
|
+
insist {results.first} == expected_result
|
56
|
+
end
|
57
|
+
end
|
58
|
+
|
59
|
+
describe "with defaults paths disabled" do
|
60
|
+
let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
|
61
|
+
"alert.analyzer(0).analyzerid" => "localhost.localdomain",
|
62
|
+
"alert.create_time" => "%{@timestamp}",
|
63
|
+
"alert.classification.text" => "%{message}"
|
64
|
+
},
|
65
|
+
"validate_xml" => "true",
|
66
|
+
"defaults" => "false"
|
67
|
+
}
|
68
|
+
}
|
69
|
+
subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
|
70
|
+
|
71
|
+
let(:expected_result) { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:Classification text=\"Login attempt\"/><idmef:AdditionalData meaning=\"host\" type=\"string\"><idmef:string>localhost.localdomain</idmef:string></idmef:AdditionalData><idmef:AdditionalData meaning=\"@version\" type=\"string\"><idmef:string>1</idmef:string></idmef:AdditionalData></idmef:Alert></idmef:IDMEF-Message>\n)}
|
72
|
+
let(:results) { [] }
|
73
|
+
|
74
|
+
it "should return proper IDMEF XML from event" do
|
75
|
+
codec.on_event{|data, newdata| results << newdata}
|
76
|
+
event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
|
77
|
+
"host" => "localhost.localdomain",
|
78
|
+
"message" => "Login attempt",
|
79
|
+
"@version" => "1",
|
80
|
+
"msg" => "")
|
81
|
+
codec.encode(event)
|
82
|
+
insist {results.first} == expected_result
|
83
|
+
end
|
84
|
+
end
|
11
85
|
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
86
|
+
describe "with defaults paths and additionaldata disabled" do
|
87
|
+
let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
|
88
|
+
"alert.analyzer(0).analyzerid" => "localhost.localdomain",
|
89
|
+
"alert.create_time" => "%{@timestamp}",
|
90
|
+
"alert.classification.text" => "%{message}"
|
91
|
+
},
|
92
|
+
"validate_xml" => "true",
|
93
|
+
"defaults" => "false",
|
94
|
+
"additionaldata" => "false"
|
95
|
+
}
|
96
|
+
}
|
97
|
+
subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
|
98
|
+
|
99
|
+
let(:expected_result) { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:Classification text=\"Login attempt\"/></idmef:Alert></idmef:IDMEF-Message>\n)}
|
100
|
+
let(:results) { [] }
|
101
|
+
|
102
|
+
it "should return proper IDMEF XML from event" do
|
103
|
+
codec.on_event{|data, newdata| results << newdata}
|
104
|
+
event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
|
105
|
+
"host" => "localhost.localdomain",
|
106
|
+
"message" => "Login attempt",
|
107
|
+
"@version" => "1",
|
108
|
+
"msg" => "")
|
109
|
+
codec.encode(event)
|
110
|
+
insist {results.first} == expected_result
|
111
|
+
end
|
21
112
|
end
|
22
113
|
|
23
114
|
end
|
24
|
-
|
25
115
|
end
|
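Review bot: None of the four new examples feeds the codec a `message` containing XML metacharacters, so the escaping of the event field that lands in `Classification text=` (visible in every `expected_result`, and mapped explicitly through `"alert.classification.text" => "%{message}"` in the two defaults-disabled configs) is never exercised even though `validate_xml` is switched on in all of them; one example that round-trips such a value through a parser would pin that event content cannot inject markup into the emitted IDMEF, and Nokogiri is already a runtime dependency per the metadata section, so no new dependency is needed. The four `describe` blocks also repeat the same event construction and `on_event` capture verbatim; a `let(:event)` plus a shared example at the `context` level would leave each `describe` with only its `config` and `expected_result`. The suggested example below sits inside the "with default configuration" `describe`, where `codec` and `results` are already defined.
```ruby
# … unchanged: config / subject / expected_result / results for "with default configuration" …
it "escapes XML metacharacters taken from the event" do
  codec.on_event { |_data, newdata| results << newdata }
  message = "Login <attempt> & \"quote\""
  event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
                              "host" => "localhost.localdomain",
                              "message" => message,
                              "@version" => "1",
                              "msg" => "")
  codec.encode(event)
  # Parse the emitted document instead of string-matching so the assertion holds
  # regardless of which escape form the serializer picks.
  doc = Nokogiri::XML(results.first)
  text = doc.at_xpath("//idmef:Classification/@text", "idmef" => "http://iana.org/idmef")
  insist { text.value } == message
end
```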
metadata
CHANGED
@@ -1,16 +1,17 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-codec-idmef
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.9.
|
4
|
+
version: 0.9.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Prelude Team
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-06-07 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
|
+
name: logstash-core-plugin-api
|
14
15
|
requirement: !ruby/object:Gem::Requirement
|
15
16
|
requirements:
|
16
17
|
- - ">="
|
@@ -19,9 +20,8 @@ dependencies:
|
|
19
20
|
- - "<="
|
20
21
|
- !ruby/object:Gem::Version
|
21
22
|
version: '2.99'
|
22
|
-
name: logstash-core-plugin-api
|
23
|
-
prerelease: false
|
24
23
|
type: :runtime
|
24
|
+
prerelease: false
|
25
25
|
version_requirements: !ruby/object:Gem::Requirement
|
26
26
|
requirements:
|
27
27
|
- - ">="
|
@@ -31,56 +31,56 @@ dependencies:
|
|
31
31
|
- !ruby/object:Gem::Version
|
32
32
|
version: '2.99'
|
33
33
|
- !ruby/object:Gem::Dependency
|
34
|
+
name: logstash-codec-plain
|
34
35
|
requirement: !ruby/object:Gem::Requirement
|
35
36
|
requirements:
|
36
37
|
- - ">="
|
37
38
|
- !ruby/object:Gem::Version
|
38
39
|
version: '0'
|
39
|
-
name: logstash-codec-plain
|
40
|
-
prerelease: false
|
41
40
|
type: :runtime
|
41
|
+
prerelease: false
|
42
42
|
version_requirements: !ruby/object:Gem::Requirement
|
43
43
|
requirements:
|
44
44
|
- - ">="
|
45
45
|
- !ruby/object:Gem::Version
|
46
46
|
version: '0'
|
47
47
|
- !ruby/object:Gem::Dependency
|
48
|
+
name: nokogiri
|
48
49
|
requirement: !ruby/object:Gem::Requirement
|
49
50
|
requirements:
|
50
51
|
- - ">="
|
51
52
|
- !ruby/object:Gem::Version
|
52
53
|
version: '0'
|
53
|
-
name: nokogiri
|
54
|
-
prerelease: false
|
55
54
|
type: :runtime
|
55
|
+
prerelease: false
|
56
56
|
version_requirements: !ruby/object:Gem::Requirement
|
57
57
|
requirements:
|
58
58
|
- - ">="
|
59
59
|
- !ruby/object:Gem::Version
|
60
60
|
version: '0'
|
61
61
|
- !ruby/object:Gem::Dependency
|
62
|
+
name: logstash-devutils
|
62
63
|
requirement: !ruby/object:Gem::Requirement
|
63
64
|
requirements:
|
64
65
|
- - ">="
|
65
66
|
- !ruby/object:Gem::Version
|
66
67
|
version: '0'
|
67
|
-
name: logstash-devutils
|
68
|
-
prerelease: false
|
69
68
|
type: :development
|
69
|
+
prerelease: false
|
70
70
|
version_requirements: !ruby/object:Gem::Requirement
|
71
71
|
requirements:
|
72
72
|
- - ">="
|
73
73
|
- !ruby/object:Gem::Version
|
74
74
|
version: '0'
|
75
75
|
- !ruby/object:Gem::Dependency
|
76
|
+
name: insist
|
76
77
|
requirement: !ruby/object:Gem::Requirement
|
77
78
|
requirements:
|
78
79
|
- - ">="
|
79
80
|
- !ruby/object:Gem::Version
|
80
81
|
version: '0'
|
81
|
-
name: insist
|
82
|
-
prerelease: false
|
83
82
|
type: :development
|
83
|
+
prerelease: false
|
84
84
|
version_requirements: !ruby/object:Gem::Requirement
|
85
85
|
requirements:
|
86
86
|
- - ">="
|
@@ -102,6 +102,7 @@ files:
|
|
102
102
|
- NOTICE.TXT
|
103
103
|
- README.md
|
104
104
|
- docs/index.asciidoc
|
105
|
+
- lib/logstash/codecs/idmef-message.dtd
|
105
106
|
- lib/logstash/codecs/idmef.rb
|
106
107
|
- logstash-codec-idmef.gemspec
|
107
108
|
- spec/codecs/idmef_spec.rb
|
@@ -111,7 +112,7 @@ licenses:
|
|
111
112
|
metadata:
|
112
113
|
logstash_plugin: 'true'
|
113
114
|
logstash_group: codec
|
114
|
-
post_install_message:
|
115
|
+
post_install_message:
|
115
116
|
rdoc_options: []
|
116
117
|
require_paths:
|
117
118
|
- lib
|
@@ -126,9 +127,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
126
127
|
- !ruby/object:Gem::Version
|
127
128
|
version: '0'
|
128
129
|
requirements: []
|
129
|
-
|
130
|
-
|
131
|
-
signing_key:
|
130
|
+
rubygems_version: 3.1.2
|
131
|
+
signing_key:
|
132
132
|
specification_version: 4
|
133
133
|
summary: Create IDMEF in XML
|
134
134
|
test_files:
|