RubyGems - logstash-codec-idmef - Versions diffs - 0.9.2 → 0.9.3 - Mend

logstash-codec-idmef 0.9.2 → 0.9.3

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +3 -0
data/docs/index.asciidoc +61 -22
data/lib/logstash/codecs/idmef-message.dtd +661 -0
data/lib/logstash/codecs/idmef.rb +283 -202
data/logstash-codec-idmef.gemspec +1 -1
data/spec/codecs/idmef_spec.rb +102 -12
metadata +17 -17

data/logstash-codec-idmef.gemspec CHANGED

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
   s.name            = 'logstash-codec-idmef'
-  s.version         = '0.9.2'
+  s.version         = '0.9.3'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "Create IDMEF in XML"
   s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"

data/spec/codecs/idmef_spec.rb CHANGED

@@ -6,20 +6,110 @@ require 'insist'
 describe LogStash::Codecs::IDMEF do
-  context "encode IDMEF" do
-    subject(:codec) { LogStash::Codecs::IDMEF.new }
+  context "Encode IDMEF" do
+    describe "with default configuration" do
+      let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
+                                  "alert.analyzer(0).analyzerid" => "localhost.localdomain"
+                                 },
+                      "validate_xml" => "true"
+                     }
+                   }
+      subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
+      let(:expected_result)   { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:DetectTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:DetectTime><idmef:AnalyzerTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:AnalyzerTime><idmef:Target decoy=\"unknown\"><idmef:Node category=\"unknown\"><idmef:name>localhost.localdomain</idmef:name></idmef:Node></idmef:Target><idmef:Classification text=\"Login attempt\"/><idmef:AdditionalData meaning=\"@version\" type=\"string\"><idmef:string>1</idmef:string></idmef:AdditionalData></idmef:Alert></idmef:IDMEF-Message>\n)}
+      let(:results) { [] }
+      it "should return proper IDMEF XML from event" do
+        codec.on_event{|data, newdata| results << newdata}
+        event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
+                                    "host" => "localhost.localdomain",
+                                    "message" => "Login attempt",
+                                    "@version" => "1",
+                                    "msg" => "")
+        codec.encode(event)
+        insist {results.first} == expected_result
+      end
+    end
+    describe "with additionaldata disabled" do
+      let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
+                                  "alert.analyzer(0).analyzerid" => "localhost.localdomain"
+                                 },
+                      "validate_xml" => "true",
+                      "additionaldata" => "false"
+                     }
+                   }
+      subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
+      let(:expected_result)   { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:DetectTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:DetectTime><idmef:AnalyzerTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:AnalyzerTime><idmef:Target decoy=\"unknown\"><idmef:Node category=\"unknown\"><idmef:name>localhost.localdomain</idmef:name></idmef:Node></idmef:Target><idmef:Classification text=\"Login attempt\"/></idmef:Alert></idmef:IDMEF-Message>\n)}
+      let(:results) { [] }
+      it "should return proper IDMEF XML from event" do
+        codec.on_event{|data, newdata| results << newdata}
+        event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
+                                    "host" => "localhost.localdomain",
+                                    "message" => "Login attempt",
+                                    "@version" => "1",
+                                    "msg" => "")
+        codec.encode(event)
+        insist {results.first} == expected_result
+      end
+    end
+    describe "with defaults paths disabled" do
+      let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
+                                  "alert.analyzer(0).analyzerid" => "localhost.localdomain",
+                                  "alert.create_time" => "%{@timestamp}",
+                                  "alert.classification.text" => "%{message}"
+                                 },
+                      "validate_xml" => "true",
+                      "defaults" => "false"
+                     }
+                   }
+      subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
+      let(:expected_result)   { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:Classification text=\"Login attempt\"/><idmef:AdditionalData meaning=\"host\" type=\"string\"><idmef:string>localhost.localdomain</idmef:string></idmef:AdditionalData><idmef:AdditionalData meaning=\"@version\" type=\"string\"><idmef:string>1</idmef:string></idmef:AdditionalData></idmef:Alert></idmef:IDMEF-Message>\n)}
+      let(:results) { [] }
+      it "should return proper IDMEF XML from event" do
+        codec.on_event{|data, newdata| results << newdata}
+        event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
+                                    "host" => "localhost.localdomain",
+                                    "message" => "Login attempt",
+                                    "@version" => "1",
+                                    "msg" => "")
+        codec.encode(event)
+        insist {results.first} == expected_result
+      end
+    end
-    let(:expected_result)   { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime>2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:DetectTime>2020-05-24T09:05:26+00:00</idmef:DetectTime><idmef:AnalyzerTime>2020-05-24T09:05:26+00:00</idmef:AnalyzerTime><idmef:Target decoy=\"unknown\"><idmef:Node category=\"unknown\"><idmef:name>localhost.localdomain</idmef:name></idmef:Node></idmef:Target><idmef:Classification text=\"Login attempt\"/><idmef:AdditionalData meaning=\"@version\" type=\"string\"><idmef:string>1</idmef:string></idmef:AdditionalData></idmef:Alert></idmef:IDMEF-Message>\n)}
-    let(:results) { []}
-    it "should return proper IDMEF XML from event" do
-      codec.on_event{|data, newdata| results << newdata}
-      codec.paths = {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35" }
-      event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time, "host" => "localhost.localdomain", "message" => "Login attempt", "@version" => "1", "msg" => "")
-      codec.encode(event)
-      insist {results.first} == expected_result
+    describe "with defaults paths and additionaldata disabled" do
+      let(:config) { {"paths" => {"alert.messageid" => "67a63ad4-11b9-4ee2-8aee-d1c032a13b35",
+                                  "alert.analyzer(0).analyzerid" => "localhost.localdomain",
+                                  "alert.create_time" => "%{@timestamp}",
+                                  "alert.classification.text" => "%{message}"
+                                 },
+                      "validate_xml" => "true",
+                      "defaults" => "false",
+                      "additionaldata" => "false"
+                     }
+                   }
+      subject(:codec) { LogStash::Codecs::IDMEF.new(config) }
+      let(:expected_result)   { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime ntpstamp=\"0xe274b756.0xc20c49ba\">2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:Classification text=\"Login attempt\"/></idmef:Alert></idmef:IDMEF-Message>\n)}
+      let(:results) { [] }
+      it "should return proper IDMEF XML from event" do
+        codec.on_event{|data, newdata| results << newdata}
+        event = LogStash::Event.new("@timestamp" => DateTime.parse("2020-05-24T09:05:26.758Z").to_time,
+                                    "host" => "localhost.localdomain",
+                                    "message" => "Login attempt",
+                                    "@version" => "1",
+                                    "msg" => "")
+        codec.encode(event)
+        insist {results.first} == expected_result
+      end
     end
   end
 end

metadata CHANGED

@@ -1,16 +1,17 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-idmef
 version: !ruby/object:Gem::Version
-  version: 0.9.2
+  version: 0.9.3
 platform: ruby
 authors:
 - Prelude Team
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2020-05-24 00:00:00.000000000 Z
+date: 2020-06-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
+  name: logstash-core-plugin-api
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -19,9 +20,8 @@ dependencies:
     - - "<="
       - !ruby/object:Gem::Version
         version: '2.99'
-  name: logstash-core-plugin-api
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -31,56 +31,56 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.99'
 - !ruby/object:Gem::Dependency
+  name: logstash-codec-plain
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  name: logstash-codec-plain
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
+  name: nokogiri
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  name: nokogiri
-  prerelease: false
   type: :runtime
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
+  name: logstash-devutils
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  name: logstash-devutils
-  prerelease: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
+  name: insist
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-  name: insist
-  prerelease: false
   type: :development
+  prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
@@ -102,6 +102,7 @@ files:
 - NOTICE.TXT
 - README.md
 - docs/index.asciidoc
+- lib/logstash/codecs/idmef-message.dtd
 - lib/logstash/codecs/idmef.rb
 - logstash-codec-idmef.gemspec
 - spec/codecs/idmef_spec.rb
@@ -111,7 +112,7 @@ licenses:
 metadata:
   logstash_plugin: 'true'
   logstash_group: codec
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -126,9 +127,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project:
-rubygems_version: 2.7.10
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Create IDMEF in XML
 test_files: