logstash-codec-idmef 0.9.0 → 0.9.1
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/lib/logstash/codecs/idmef.rb +17 -20
- data/logstash-codec-idmef.gemspec +1 -1
- data/spec/codecs/idmef_spec.rb +1 -1
- metadata +1 -1
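--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 687a8fdbf7434f7a0cc7062d44463550a7b6f5922bb41086fc01ccd8db0711a1
+data.tar.gz: d3c65c530b4e8b74eca83a9c6ba3eaf1ba9293a22860ea256447407cd13e8f69
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f416eeb9bc08f9d9c6c1d8241a3377ddb92fc47421f62053b5f1f791fb2a8f9b0683e0065c0630488724c23eb3dc9fafbab471acdf8a5c87843faccbb83cf970
+data.tar.gz: bc4d4fba048ac2ece7058b86af575b4d5ee43217236834e0ab2d1f62b0fe0288a95d8654d0ba40efda50ec23ef7ad07cd3315afaad7095af8b390ba73d46973a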
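--- a/data/lib/logstash/codecs/idmef.rb
+++ b/data/lib/logstash/codecs/idmef.rb
@@ -1,6 +1,7 @@
 # encoding: utf-8
 require "logstash/codecs/base"
 
+require 'socket'
 require 'nokogiri'
 require 'json'
 require 'date'
@@ -253,7 +254,7 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
 :name => "AdditionalData",
 "meaning" => { :type => :attr, :name => "meaning" },
 "type" => { :type => :attr, :name => "type" },
-"data" => { :type => :
+"data" => { :type => :list_value, :name => :type }
 }
 # RFC 4765: CorrelationAlert Class
 IDMEFCorrelationAlert = { :type => :class,
@@ -328,7 +329,7 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
 value = v
 end
 end
-if value.kind_of?(Array)
+if value.kind_of?(Array) or value.to_s.empty?
 next
 end
 if value.kind_of?(String)
@@ -373,20 +374,15 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
 if rfc[name][:format] == :datetime
 value = DateTime.parse(value.to_s).strftime("%FT%T%:z")
 end
-
+n = rfc[name][:name] == :type ? curr["type"] : rfc[name][:name]
+no = Nokogiri::XML::Node.new(n, doc)
 no.content = value.to_s
 curr << no
-curr = no
 elsif ne_t == :attr
 if rfc[name][:format] == :datetime
 value = DateTime.parse(value.to_s).strftime("%FT%T%:z")
 end
 curr[rfc[name][:name]] = value.to_s
-elsif ne_t == :value
-if rfc[name][:format] == :datetime
-value = DateTime.parse(value.to_s).strftime("%FT%T%:z")
-end
-curr.content = value.to_s
 end
 rfc.each do |kk, vv|
 if vv.respond_to?(:each_pair) && vv[:default] && vv[:type] == :attr && !curr[vv[:name]]
@@ -418,12 +414,11 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
 @utf8_charset.logger = self.logger
 
 @local_paths = {
-"alert.classification.text" => ["$rule_name", "$event", "$message"],
-"alert.detect_time" => "$@timestamp",
-"alert.create_time" => "$@timestamp",
-"alert.analyzer_time" => "$@timestamp",
 "alert.analyzer(0).name" => ["$product", "$devname"],
 "alert.analyzer(0).manufacturer" => "$vendor",
+"alert.create_time" => "$@timestamp",
+"alert.detect_time" => "$@timestamp",
+"alert.analyzer_time" => "$@timestamp",
 "alert.source(0).node.address(0).address" => ["$srcip", "$src"],
 "alert.source(0).node.name" => ["$shost", "$srchost", "$shostname", "$srchostname", "$sname", "$srcname"],
 "alert.source(0).service.port" => ["$spt", "$sport", "$s_port"],
@@ -436,6 +431,7 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
 "alert.target(0).user.user_id(0).number" => ["$uid", "$dstuid", "$duid"],
 "alert.target(0).process.name" => ["$proc", "$process"],
 "alert.target(0).process.pid" => ["$dpid", "$pid"],
+"alert.classification.text" => ["$rule_name", "$event", "$message"],
 "alert.assessment.impact.severity" => ["$severity", "$level"],
 "alert.assessment.action.description" => ["$action"],
 }
@@ -454,13 +450,14 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
 # Copy event
 e = event.clone
 
+# Set messageid and analyzerid
+p = { "%s.messageid" % @type => java.util.UUID.randomUUID.to_s,
+"%s.analyzer(0).analyzerid" % @type => Socket.gethostname.to_s
+}
+xml = idmefpaths_to_xml(e, p)
+
 # Set paths
-xml = idmefpaths_to_xml(e, @allpaths)
-
-# Set messageid
-if !@allpaths.key?("%s.messageid" % @type)
-xml = idmefpaths_to_xml(e, {"%s.messageid" % @type => java.util.UUID.randomUUID.to_s}, xml)
-end
+xml = idmefpaths_to_xml(e, @allpaths, xml)
 
 # Set Additional data
 if @additionaldata
@@ -474,8 +471,8 @@ class LogStash::Codecs::IDMEF < LogStash::Codecs::Base
 t = "string"
 end
 p = { "alert.additional_data(%d).meaning" % idx => key,
-"alert.additional_data(%d).data" % idx => value.to_s,
 "alert.additional_data(%d).type" % idx => t,
+"alert.additional_data(%d).data" % idx => value.to_s,
 }
 xml = idmefpaths_to_xml(e, p , xml)
 idx = idx + 1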
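--- a/data/logstash-codec-idmef.gemspec
+++ b/data/logstash-codec-idmef.gemspec
@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
 s.name = 'logstash-codec-idmef'
-s.version = '0.9.
+s.version = '0.9.1'
 s.licenses = ['Apache License (2.0)']
 s.summary = "Create IDMEF in XML"
 s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"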
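--- a/data/spec/codecs/idmef_spec.rb
+++ b/data/spec/codecs/idmef_spec.rb
@@ -9,7 +9,7 @@ describe LogStash::Codecs::IDMEF do
 context "encode IDMEF" do
 subject(:codec) { LogStash::Codecs::IDMEF.new }
 
-let(:expected_result) { %Q(<?xml version
+let(:expected_result) { %Q(<?xml version=\"1.0\"?><idmef:IDMEF-Message xmlns:idmef=\"http://iana.org/idmef\"><idmef:Alert messageid=\"67a63ad4-11b9-4ee2-8aee-d1c032a13b35\"><idmef:Analyzer analyzerid=\"localhost.localdomain\"/><idmef:CreateTime>2020-05-24T09:05:26+00:00</idmef:CreateTime><idmef:DetectTime>2020-05-24T09:05:26+00:00</idmef:DetectTime><idmef:AnalyzerTime>2020-05-24T09:05:26+00:00</idmef:AnalyzerTime><idmef:Target decoy=\"unknown\"><idmef:Node category=\"unknown\"><idmef:name>localhost.localdomain</idmef:name></idmef:Node></idmef:Target><idmef:Classification text=\"Login attempt\"/><idmef:AdditionalData meaning=\"@version\" type=\"string\"><idmef:string>1</idmef:string></idmef:AdditionalData></idmef:Alert></idmef:IDMEF-Message>\n)}
 let(:results) { []}
 
 it "should return proper IDMEF XML from event" do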
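Review bot: The new expected string at line 12 hard-codes `messageid="67a63ad4-11b9-4ee2-8aee-d1c032a13b35"` and `analyzerid="localhost.localdomain"`, while the encoder in this version derives both from `java.util.UUID.randomUUID` and `Socket.gethostname` (idmef.rb, new lines 454-455); unless the example stubs those two calls, the assertion depends on the host name and on a random value and will only pass on the machine it was captured on. Any such stubbing sits outside this hunk, so a one-line comment above the `let` recording that messageid and analyzerid are deterministic only because the UUID and hostname calls are stubbed (assuming they are) would make the fixture self-explanatory. The `context` block continues past the hunk.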