logstash-codec-idmef 0.9.2 → 0.9.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/docs/index.asciidoc +61 -22
- data/lib/logstash/codecs/idmef-message.dtd +661 -0
- data/lib/logstash/codecs/idmef.rb +283 -202
- data/logstash-codec-idmef.gemspec +1 -1
- data/spec/codecs/idmef_spec.rb +102 -12
- metadata +17 -17
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-idmef'
|
4
|
-
s.version = '0.9.
|
4
|
+
s.version = '0.9.3'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "Create IDMEF in XML"
|
7
7
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
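--- a/data/spec/codecs/idmef_spec.rb
+++ b/data/spec/codecs/idmef_spec.rb
@@ -6,20 +6,110 @@ require 'insist'
 
 describe LogStash::Codecs::IDMEF do
 
-context "
-
+context "Encode IDMEF" do
+describe "with default configuration" do
+let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
+"alert.analyzer(0).analyzerid" => "localhost.localdomain"
+},
+"validate_xml" => "true"
+}
+}
+subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
+
+let(:expected_result) { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:DetectTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:DetectTime><idmef:AnalyzerTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:AnalyzerTime><idmef:Target decoy=\"unknown\"><idmef:Node category=\"unknown\"><idmef:name>localhost.localdomain</idmef:name></idmef:Node></idmef:Target><idmef:Classification text=\"Login attempt\"/><idmef:AdditionalData meaning=\"@version\" type=\"string\"><idmef:string>1</idmef:string></idmef:AdditionalData></idmef:Alert></idmef:IDMEF-Message>\n)}
+let(:results) { [] }
+
+it "should return proper IDMEF XML from event" do
+codec.on_event{|data, newdata| results << newdata}
+event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
+"host" => "localhost.localdomain",
+"message" => "Login attempt",
+"@version" => "1",
+"msg" => "")
+codec.encode(event)
+insist {results.first} == expected_result
+end
+end
+
+describe "with additionaldata disabled" do
+let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
+"alert.analyzer(0).analyzerid" => "localhost.localdomain"
+},
+"validate_xml" => "true",
+"additionaldata" => "false"
+}
+}
+subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
+
+let(:expected_result) { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:DetectTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:DetectTime><idmef:AnalyzerTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:AnalyzerTime><idmef:Target decoy=\"unknown\"><idmef:Node category=\"unknown\"><idmef:name>localhost.localdomain</idmef:name></idmef:Node></idmef:Target><idmef:Classification text=\"Login attempt\"/></idmef:Alert></idmef:IDMEF-Message>\n)}
+let(:results) { [] }
+
+it "should return proper IDMEF XML from event" do
+codec.on_event{|data, newdata| results << newdata}
+event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
+"host" => "localhost.localdomain",
+"message" => "Login attempt",
+"@version" => "1",
+"msg" => "")
+codec.encode(event)
+insist {results.first} == expected_result
+end
+end
+
+describe "with defaults paths disabled" do
+let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
+"alert.analyzer(0).analyzerid" => "localhost.localdomain",
+"alert.create_time" => "%{@timestamp}",
+"alert.classification.text" => "%{message}"
+},
+"validate_xml" => "true",
+"defaults" => "false"
+}
+}
+subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
+
+let(:expected_result) { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:Classification text=\"Login attempt\"/><idmef:AdditionalData meaning=\"host\" type=\"string\"><idmef:string>localhost.localdomain</idmef:string></idmef:AdditionalData><idmef:AdditionalData meaning=\"@version\" type=\"string\"><idmef:string>1</idmef:string></idmef:AdditionalData></idmef:Alert></idmef:IDMEF-Message>\n)}
+let(:results) { [] }
+
+it "should return proper IDMEF XML from event" do
+codec.on_event{|data, newdata| results << newdata}
+event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
+"host" => "localhost.localdomain",
+"message" => "Login attempt",
+"@version" => "1",
+"msg" => "")
+codec.encode(event)
+insist {results.first} == expected_result
+end
+end
 
-
-
-
-
-
-
-
-
-
+describe "with defaults paths and additionaldata disabled" do
+let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
+"alert.analyzer(0).analyzerid" => "localhost.localdomain",
+"alert.create_time" => "%{@timestamp}",
+"alert.classification.text" => "%{message}"
+},
+"validate_xml" => "true",
+"defaults" => "false",
+"additionaldata" => "false"
+}
+}
+subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
+
+let(:expected_result) { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:Classification text=\"Login attempt\"/></idmef:Alert></idmef:IDMEF-Message>\n)}
+let(:results) { [] }
+
+it "should return proper IDMEF XML from event" do
+codec.on_event{|data, newdata| results << newdata}
+event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
+"host" => "localhost.localdomain",
+"message" => "Login attempt",
+"@version" => "1",
+"msg" => "")
+codec.encode(event)
+insist {results.first} == expected_result
+end
 end
 
 end
-
 end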
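Review bot: None of the four new examples feeds the codec a field value that needs XML escaping, so the path from untrusted event data into attributes and element text (`"message"` ends up in `Classification text="…"`, `"host"` in `<idmef:name>`) is never exercised, and a log line containing `<`, `&` or `"` is exactly the input a codec serialising arbitrary Logstash events will see. Add one example with `"message" => %q(Login <attempt> & "quoted")` that parses the result with `Nokogiri::XML(results.first) { |c| c.strict }` (nokogiri is already a runtime dependency) and asserts the attribute value round-trips, instead of comparing a full expected string. The examples also enable `"validate_xml" => "true"` only on documents that validate; whether a DTD-invalid result is raised, dropped or still emitted cannot be told from this spec, so one negative example would pin that behaviour, which decides whether malformed alerts reach downstream consumers. Minor: `DateTime.parse("…").to_time` can be `Time.parse("…")` (with `require "time"`), since `DateTime` is legacy and only adds a conversion step.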
metadata
CHANGED
@@ -1,16 +1,17 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-codec-idmef
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.9.
|
4
|
+
version: 0.9.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Prelude Team
|
8
|
-
autorequire:
|
8
|
+
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-06-07 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
|
+
name: logstash-core-plugin-api
|
14
15
|
requirement: !ruby/object:Gem::Requirement
|
15
16
|
requirements:
|
16
17
|
- - ">="
|
@@ -19,9 +20,8 @@ dependencies:
|
|
19
20
|
- - "<="
|
20
21
|
- !ruby/object:Gem::Version
|
21
22
|
version: '2.99'
|
22
|
-
name: logstash-core-plugin-api
|
23
|
-
prerelease: false
|
24
23
|
type: :runtime
|
24
|
+
prerelease: false
|
25
25
|
version_requirements: !ruby/object:Gem::Requirement
|
26
26
|
requirements:
|
27
27
|
- - ">="
|
@@ -31,56 +31,56 @@ dependencies:
|
|
31
31
|
- !ruby/object:Gem::Version
|
32
32
|
version: '2.99'
|
33
33
|
- !ruby/object:Gem::Dependency
|
34
|
+
name: logstash-codec-plain
|
34
35
|
requirement: !ruby/object:Gem::Requirement
|
35
36
|
requirements:
|
36
37
|
- - ">="
|
37
38
|
- !ruby/object:Gem::Version
|
38
39
|
version: '0'
|
39
|
-
name: logstash-codec-plain
|
40
|
-
prerelease: false
|
41
40
|
type: :runtime
|
41
|
+
prerelease: false
|
42
42
|
version_requirements: !ruby/object:Gem::Requirement
|
43
43
|
requirements:
|
44
44
|
- - ">="
|
45
45
|
- !ruby/object:Gem::Version
|
46
46
|
version: '0'
|
47
47
|
- !ruby/object:Gem::Dependency
|
48
|
+
name: nokogiri
|
48
49
|
requirement: !ruby/object:Gem::Requirement
|
49
50
|
requirements:
|
50
51
|
- - ">="
|
51
52
|
- !ruby/object:Gem::Version
|
52
53
|
version: '0'
|
53
|
-
name: nokogiri
|
54
|
-
prerelease: false
|
55
54
|
type: :runtime
|
55
|
+
prerelease: false
|
56
56
|
version_requirements: !ruby/object:Gem::Requirement
|
57
57
|
requirements:
|
58
58
|
- - ">="
|
59
59
|
- !ruby/object:Gem::Version
|
60
60
|
version: '0'
|
61
61
|
- !ruby/object:Gem::Dependency
|
62
|
+
name: logstash-devutils
|
62
63
|
requirement: !ruby/object:Gem::Requirement
|
63
64
|
requirements:
|
64
65
|
- - ">="
|
65
66
|
- !ruby/object:Gem::Version
|
66
67
|
version: '0'
|
67
|
-
name: logstash-devutils
|
68
|
-
prerelease: false
|
69
68
|
type: :development
|
69
|
+
prerelease: false
|
70
70
|
version_requirements: !ruby/object:Gem::Requirement
|
71
71
|
requirements:
|
72
72
|
- - ">="
|
73
73
|
- !ruby/object:Gem::Version
|
74
74
|
version: '0'
|
75
75
|
- !ruby/object:Gem::Dependency
|
76
|
+
name: insist
|
76
77
|
requirement: !ruby/object:Gem::Requirement
|
77
78
|
requirements:
|
78
79
|
- - ">="
|
79
80
|
- !ruby/object:Gem::Version
|
80
81
|
version: '0'
|
81
|
-
name: insist
|
82
|
-
prerelease: false
|
83
82
|
type: :development
|
83
|
+
prerelease: false
|
84
84
|
version_requirements: !ruby/object:Gem::Requirement
|
85
85
|
requirements:
|
86
86
|
- - ">="
|
@@ -102,6 +102,7 @@ files:
|
|
102
102
|
- NOTICE.TXT
|
103
103
|
- README.md
|
104
104
|
- docs/index.asciidoc
|
105
|
+
- lib/logstash/codecs/idmef-message.dtd
|
105
106
|
- lib/logstash/codecs/idmef.rb
|
106
107
|
- logstash-codec-idmef.gemspec
|
107
108
|
- spec/codecs/idmef_spec.rb
|
@@ -111,7 +112,7 @@ licenses:
|
|
111
112
|
metadata:
|
112
113
|
logstash_plugin: 'true'
|
113
114
|
logstash_group: codec
|
114
|
-
post_install_message:
|
115
|
+
post_install_message:
|
115
116
|
rdoc_options: []
|
116
117
|
require_paths:
|
117
118
|
- lib
|
@@ -126,9 +127,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
126
127
|
- !ruby/object:Gem::Version
|
127
128
|
version: '0'
|
128
129
|
requirements: []
|
129
|
-
|
130
|
-
|
131
|
-
signing_key:
|
130
|
+
rubygems_version: 3.1.2
|
131
|
+
signing_key:
|
132
132
|
specification_version: 4
|
133
133
|
summary: Create IDMEF in XML
|
134
134
|
test_files:
|