logstash-codec-nmap 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 488618b8922cbf2405ae3fb28897a8023c68501e
+  data.tar.gz: 0ca8bc7dda315cc295776eecb69c5584084376a4
+SHA512:
+  metadata.gz: f9aa96cdee9266e077421a0d675f3ff974862996a24714fdc839efc50dfe0ba77b60d660192e133d4e17b0a98c51154dcaf73ec96a7bda8d2453ea4439f53897
+  data.tar.gz: 9128e6fa5c757d016d5f7f67c2494c1b8db55dc7326d6be2815876f609eac61224bd80ca377659c4a7ee117448f9bca6ccc6a03e0fee9a83d0dea8bda904bcbe

data/CONTRIBUTORS

@@ -0,0 +1,17 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Colin Surprenant (colinsurprenant)
+* Jordan Sissel (jordansissel)
+* João Duarte (jsvd)
+* Kurt Hurtado (kurtado)
+* Nick Ethier (nickethier)
+* Pier-Hugues Pellerin (ph)
+* Richard Pijnenburg (electrical)
+* Tal Levy (talevy)
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012–2015 Elasticsearch <http://www.elastic.co>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -0,0 +1,86 @@
+# Logstash Plugin
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
+
+- For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
+- For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
+
+## Need Help?
+
+Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+- Install plugin
+```sh
+bin/plugin install --no-verify
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-awesome.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+bin/plugin install /your/local/plugin/logstash-filter-awesome.gem
+```
+- Start Logstash and proceed to test the plugin
+
+## Contributing
+
+All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
+
+Programming is not a required skill. Whatever you've seen about open source and maintainers or community members  saying "send patches or die" - you will not see that here.
+
+It is more important to the community that you are able to contribute.
+
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.

data/lib/logstash/codecs/nmap.rb

@@ -0,0 +1,164 @@
+# encoding: utf-8
+require "logstash/codecs/base"
+require "nmap/xml"
+
+# This codec may be used to decode (via inputs) only.
+# It decodes nmap generated XML and outputs each host as its own event
+
+class LogStash::Codecs::Nmap < LogStash::Codecs::Base
+  config_name "nmap"
+
+
+  public
+  def register
+  end
+
+  public
+  def decode(data)
+    xml = Nmap::XML.parse(data)
+    xml.each_host do |host|
+      event = host_to_event(host)
+
+      event['arguments'.freeze] = xml.scanner.arguments
+      event['version'.freeze] = xml.scanner.version
+
+      yield event
+    end
+  rescue StandardError => e
+    raise e #TODO: REMOVEME
+    @logger.warn("An unexpected error occurred parsing nmap XML",
+                 :input => data,
+                 :message => e.message,
+                 :class => e.class.name,
+                 :backtrace => e.backtrace)
+  end
+
+  def host_to_event(host)
+    event = LogStash::Event.new()
+    event['start_time'.freeze] = host.start_time
+    event['end_time'.freeze] = host.end_time
+
+    # These two are actually different.
+    # Address may contain a MAC, addresses will not AFAICT
+    event['addresses'.freeze] = hashify_structs(host.addresses)
+    event['address'.freeze] = host.address # str
+
+    event['ip'.freeze] = host.ip # str
+    event['ipv4'.freeze] = host.ipv4 # str
+    event['ipv6'.freeze] = host.ipv6 # str
+    event['ports'.freeze] = host.ports.map {|p| hashify_port(p)}
+    event['mac'.freeze] = host.mac # str
+    event['status'.freeze] = hashify_status(host.status)
+    event['hostname'.freeze] = hashify_hostname(host.hostname)
+    event['uptime'.freeze] = hashify_uptime(host.uptime)
+    event['os'.freeze] = hashify_os(host.os)
+    event['traceroute'.freeze] = hashify_traceroute(host.traceroute)
+
+    event
+  end
+
+  def hashify_status(status)
+    return unless status
+
+    {
+      'state'.freeze => status.state, # str
+      'reason'.freeze => status.reason # str
+    }
+  end
+
+  def hashify_hostname(hostname)
+    return unless hostname
+
+    {
+      'name'.freeze => hostname.name, # str
+      'type'.freeze => hostname.type, # str
+    }
+  end
+
+  def hashify_os(os)
+    return unless os
+
+    {
+      'ports_used'.freeze => os.ports_used,
+      'fingerprint'.freeze => os.fingerprint,
+      'classes'.freeze => hashify_os_matches(os.classes),
+      'matches'.freeze => hashify_structs(os_matches)
+    }
+  end
+
+  def hashify_os_classes(classes)
+    return if !classes || classes.empty?
+
+    classes.each do |klass|
+      {
+        'type'.freeze => klass.type.to_s, # returned as sym originally
+        'vendor'.freeze => klass.vendor.to_s,
+        'family'.freeze => klass.family.to_s,
+        'gen'.freeze => klass.gen.to_s,
+        'accuracy'.freeze => klass.accuracy # int
+      }
+    end
+  end
+
+  def hashify_uptime(uptime)
+    return unless uptime
+
+    {
+      'seconds'.freeze => uptime.seconds,
+      'last_boot'.freeze => uptime.last_boot
+    }
+  end
+
+  def hashify_service(service)
+    return unless service
+
+    {
+      'name'.freeze => service.name,
+      'ssl'.freeze => service.ssl?,
+      'protocol'.freeze => service.protocol,
+      'product'.freeze => service.product,
+      'hostname'.freeze => service.hostname, # This is just a string
+      'device_type'.freeze => service.device_type,
+      'fingerprint_method'.freeze => service.fingerprint_method,
+      'fingerprint'.freeze => service.fingerprint,
+      'confidence'.freeze => service.confidence
+    }
+  end
+
+  def hashify_port(port)
+    return unless port
+
+    {
+      'number'.freeze => port.number,
+      'reason'.freeze => port.reason,
+      'protocol'.freeze => port.protocol.to_s,
+      'service'.freeze => hashify_service(port.service),
+      'state'.freeze => port.state
+    }
+  end
+
+  def hashify_traceroute(traceroute)
+    return unless traceroute
+
+    {
+      'port'.freeze => traceroute.port, # int
+      'protocol'.freeze => traceroute.protocol.to_s,
+      'hops' => traceroute.map.with_index do |hop, idx|
+        {
+          'address'.freeze => hop.addr, # str
+          'hostname'.freeze => hop.host, # str
+          'ttl'.freeze => hop.ttl.to_i, # int
+          'index' => idx # int (for searching by distance)
+        }
+      end
+    }
+  end
+
+  def hashify_structs(structs)
+    structs.map {|s| hashify_struct(s)}
+  end
+
+  def hashify_struct(struct)
+    Hash[struct.each_pair.to_a]
+  end
+end

data/logstash-codec-nmap.gemspec

@@ -0,0 +1,27 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-codec-nmap'
+  s.version         = '0.0.1'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "This codec may be used to decode Nmap XML"
+  s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
+  s.authors         = ["Elastic"]
+  s.email           = 'info@elastic.co'
+  s.homepage        = "http://www.elastic.co/guide/en/logstash/current/index.html"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "codec" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core", ">= 2.0.0", "< 3.0.0"
+  s.add_runtime_dependency 'ruby-nmap'
+
+  s.add_development_dependency 'logstash-devutils'
+end

data/spec/codecs/nmap_spec.rb

@@ -0,0 +1,52 @@
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/codecs/nmap"
+require "logstash/event"
+require "insist"
+
+describe LogStash::Codecs::Nmap do
+  context "#decode" do
+    subject do
+      events = []
+      LogStash::Codecs::Nmap.new.decode(xml_string) do |event|
+        events << event
+      end
+      events
+    end
+
+    shared_examples_for "a valid parse" do
+      it "should decode without error" do
+        expect(subject).to be_a(Array)
+      end
+
+      it "should encode at least one thing" do
+        expect(subject.length > 0).to eql(true)
+      end
+
+      it "should encode the output as LogStash::Event objects" do
+        subject.each do |event|
+          expect(event).to be_a(LogStash::Event)
+        end
+      end
+    end
+
+    describe "parsing traceroutes" do
+      let(:xml_string) { File.open("spec/fixtures/traceroutes.xml").read }
+      it_should_behave_like "a valid parse"
+    end
+
+    # This is broken until https://github.com/sophsec/ruby-nmap/pull/40 is accepted
+    # describe "parsing ipv6" do
+      # let(:xml_string) { File.open("spec/fixtures/ipv6_all.xml").read }
+
+      # it_should_behave_like "a valid parse"
+    # end
+
+    describe "parsing pingsweeps" do
+      let(:xml_string) { File.open("spec/fixtures/pingsweep.xml").read }
+      it_should_behave_like "a valid parse"
+    end
+
+
+  end
+
+end

data/spec/fixtures/ipv6_all.xml

@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.01 scan initiated Sat Jan 16 07:33:12 2016 as: nmap -6 -A -oX spec/fixtures/ipv6_all.xml 2601:449:4200:577c:3e15:c2ff:feea:b872 -->
+<nmaprun scanner="nmap" args="nmap -6 -A -oX spec/fixtures/ipv6_all.xml 2601:449:4200:577c:3e15:c2ff:feea:b872" start="1452951192" startstr="Sat Jan 16 07:33:12 2016" version="7.01" xmloutputversion="1.04">
+<scaninfo type="connect" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
+<verbose level="0"/>
+<debugging level="0"/>
+<host starttime="1452951192" endtime="1452951336"><status state="up" reason="conn-refused" reason_ttl="0"/>
+<address addr="2601:449:4200:577c:3e15:c2ff:feea:b872" addrtype="ipv6"/>
+<hostnames>
+</hostnames>
+<ports><extraports state="closed" count="498">
+<extrareasons reason="conn-refused" count="498"/>
+</extraports>
+<extraports state="filtered" count="498">
+<extrareasons reason="no-responses" count="498"/>
+</extraports>
+<port protocol="tcp" portid="111"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="rpcbind" version="2-4" extrainfo="RPC #100000" method="probed" conf="10"/><script id="rpcinfo" output="&#xa;  program version   port/proto  service&#xa;  100000  2,3,4        111/tcp  rpcbind&#xa;  100000  2,3,4        111/udp  rpcbind&#xa;  100003  2,3         2049/tcp  nfs&#xa;  100003  2,3         2049/udp  nfs&#xa;  100005  1,3          895/udp  mountd&#xa;  100005  1,3         1023/tcp  mountd&#xa;  100011  1,2          994/udp  rquotad&#xa;  100011  1,2          999/tcp  rquotad&#xa;  100021  0,1,3,4      733/udp  nlockmgr&#xa;  100021  0,1,3,4     1017/tcp  nlockmgr&#xa;  100024  1            896/udp  status&#xa;  100024  1           1021/tcp  status&#xa;"><table key="100000">
+<table key="udp">
+<table key="version">
+<elem>2</elem>
+<elem>3</elem>
+<elem>4</elem>
+</table>
+<elem key="port">111</elem>
+</table>
+<table key="tcp">
+<table key="version">
+<elem>2</elem>
+<elem>3</elem>
+<elem>4</elem>
+</table>
+<elem key="port">111</elem>
+</table>
+</table>
+<table key="100003">
+<table key="udp">
+<table key="version">
+<elem>2</elem>
+<elem>3</elem>
+</table>
+<elem key="port">2049</elem>
+</table>
+<table key="tcp">
+<table key="version">
+<elem>2</elem>
+<elem>3</elem>
+</table>
+<elem key="port">2049</elem>
+</table>
+</table>
+<table key="100021">
+<table key="udp">
+<table key="version">
+<elem>0</elem>
+<elem>1</elem>
+<elem>3</elem>
+<elem>4</elem>
+</table>
+<elem key="port">733</elem>
+</table>
+<table key="tcp">
+<table key="version">
+<elem>0</elem>
+<elem>1</elem>
+<elem>3</elem>
+<elem>4</elem>
+</table>
+<elem key="port">1017</elem>
+</table>
+</table>
+<table key="100005">
+<table key="udp">
+<table key="version">
+<elem>1</elem>
+<elem>3</elem>
+</table>
+<elem key="port">895</elem>
+</table>
+<table key="tcp">
+<table key="version">
+<elem>1</elem>
+<elem>3</elem>
+</table>
+<elem key="port">1023</elem>
+</table>
+</table>
+<table key="100024">
+<table key="udp">
+<table key="version">
+<elem>1</elem>
+</table>
+<elem key="port">896</elem>
+</table>
+<table key="tcp">
+<table key="version">
+<elem>1</elem>
+</table>
+<elem key="port">1021</elem>
+</table>
+</table>
+<table key="100011">
+<table key="udp">
+<table key="version">
+<elem>1</elem>
+<elem>2</elem>
+</table>
+<elem key="port">994</elem>
+</table>
+<table key="tcp">
+<table key="version">
+<elem>1</elem>
+<elem>2</elem>
+</table>
+<elem key="port">999</elem>
+</table>
+</table>
+</script></port>
+<port protocol="tcp" portid="1022"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="mountd" version="1-3" extrainfo="RPC #100005" method="probed" conf="10"/></port>
+<port protocol="tcp" portid="2049"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="tcpwrapped" method="probed" conf="8"/></port>
+<port protocol="tcp" portid="3689"><state state="open" reason="syn-ack" reason_ttl="0"/><service name="daap" product="Apple iTunes DAAP" version="12.3.2.35" ostype="OS X" method="probed" conf="10"><cpe>cpe:/a:apple:itunes:12.3.2.35</cpe></service></port>
+</ports>
+<hostscript><script id="address-info" output="&#xa;  IPv6 EUI-64: &#xa;    MAC address: &#xa;      address: 3c:15:c2:ea:b8:72&#xa;      manuf: Apple"><table key="IPv6 EUI-64">
+<table key="MAC address">
+<elem key="address">3c:15:c2:ea:b8:72</elem>
+<elem key="manuf">Apple</elem>
+</table>
+</table>
+</script></hostscript><times srtt="970" rttvar="474" to="100000"/>
+</host>
+<runstats><finished time="1452951337" timestr="Sat Jan 16 07:35:37 2016" elapsed="144.88" summary="Nmap done at Sat Jan 16 07:35:37 2016; 1 IP address (1 host up) scanned in 144.88 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
+</runstats>
+</nmaprun>

data/spec/fixtures/pingsweep.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.01 scan initiated Sat Jan 16 07:23:34 2016 as: nmap -sP -oX spec/fixtures/pingsweep.xml 192.168.1.0/24 -->
+<nmaprun scanner="nmap" args="nmap -sP -oX spec/fixtures/pingsweep.xml 192.168.1.0/24" start="1452950614" startstr="Sat Jan 16 07:23:34 2016" version="7.01" xmloutputversion="1.04">
+<verbose level="0"/>
+<debugging level="0"/>
+<host><status state="up" reason="syn-ack" reason_ttl="0"/>
+<address addr="192.168.1.1" addrtype="ipv4"/>
+<hostnames>
+<hostname name="router.asus.com" type="PTR"/>
+</hostnames>
+<times srtt="1844" rttvar="5000" to="100000"/>
+</host>
+<host><status state="up" reason="conn-refused" reason_ttl="0"/>
+<address addr="192.168.1.100" addrtype="ipv4"/>
+<hostnames>
+<hostname name="andrew-bfg" type="PTR"/>
+</hostnames>
+<times srtt="375" rttvar="5000" to="100000"/>
+</host>
+<host><status state="up" reason="conn-refused" reason_ttl="0"/>
+<address addr="192.168.1.132" addrtype="ipv4"/>
+<hostnames>
+</hostnames>
+<times srtt="916" rttvar="4196" to="100000"/>
+</host>
+<runstats><finished time="1452950617" timestr="Sat Jan 16 07:23:37 2016" elapsed="2.58" summary="Nmap done at Sat Jan 16 07:23:37 2016; 256 IP addresses (3 hosts up) scanned in 2.58 seconds" exit="success"/><hosts up="3" down="253" total="256"/>
+</runstats>
+</nmaprun>

data/spec/fixtures/traceroutes.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.01 scan initiated Sat Jan 16 07:21:54 2016 as: nmap -tr -oX spec/fixtures/traceroutes.xml andrewvc.com blog.andrewvc.com -->
+<nmaprun scanner="nmap" args="nmap -tr -oX spec/fixtures/traceroutes.xml andrewvc.com blog.andrewvc.com" start="1452950514" startstr="Sat Jan 16 07:21:54 2016" version="7.01" xmloutputversion="1.04">
+<scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26,30,32-33,37,42-43,49,53,70,79-85,88-90,99-100,106,109-111,113,119,125,135,139,143-144,146,161,163,179,199,211-212,222,254-256,259,264,280,301,306,311,340,366,389,406-407,416-417,425,427,443-445,458,464-465,481,497,500,512-515,524,541,543-545,548,554-555,563,587,593,616-617,625,631,636,646,648,666-668,683,687,691,700,705,711,714,720,722,726,749,765,777,783,787,800-801,808,843,873,880,888,898,900-903,911-912,981,987,990,992-993,995,999-1002,1007,1009-1011,1021-1100,1102,1104-1108,1110-1114,1117,1119,1121-1124,1126,1130-1132,1137-1138,1141,1145,1147-1149,1151-1152,1154,1163-1166,1169,1174-1175,1183,1185-1187,1192,1198-1199,1201,1213,1216-1218,1233-1234,1236,1244,1247-1248,1259,1271-1272,1277,1287,1296,1300-1301,1309-1311,1322,1328,1334,1352,1417,1433-1434,1443,1455,1461,1494,1500-1501,1503,1521,1524,1533,1556,1580,1583,1594,1600,1641,1658,1666,1687-1688,1700,1717-1721,1723,1755,1761,1782-1783,1801,1805,1812,1839-1840,1862-1864,1875,1900,1914,1935,1947,1971-1972,1974,1984,1998-2010,2013,2020-2022,2030,2033-2035,2038,2040-2043,2045-2049,2065,2068,2099-2100,2103,2105-2107,2111,2119,2121,2126,2135,2144,2160-2161,2170,2179,2190-2191,2196,2200,2222,2251,2260,2288,2301,2323,2366,2381-2383,2393-2394,2399,2401,2492,2500,2522,2525,2557,2601-2602,2604-2605,2607-2608,2638,2701-2702,2710,2717-2718,2725,2800,2809,2811,2869,2875,2909-2910,2920,2967-2968,2998,3000-3001,3003,3005-3007,3011,3013,3017,3030-3031,3052,3071,3077,3128,3168,3211,3221,3260-3261,3268-3269,3283,3300-3301,3306,3322-3325,3333,3351,3367,3369-3372,3389-3390,3404,3476,3493,3517,3527,3546,3551,3580,3659,3689-3690,3703,3737,3766,3784,3800-3801,3809,3814,3826-3828,3851,3869,3871,3878,3880,3889,3905,3914,3918,3920,3945,3971,3986,3995,3998,4000-4006,4045,4111,4125-4126,4129,4224,4242,4279,4321,4343,4443-4446,4449,4550,4567,4662,4848,4899-4900,4998,5000-5004,5009,5030,5033,5050-5051,5054,5060-5061,5080,5087,5100-5102,5120,5190,5200,5214,5221-5222,5225-5226,5269,5280,5298,5357,5405,5414,5431-5432,5440,5500,5510,5544,5550,5555,5560,5566,5631,5633,5666,5678-5679,5718,5730,5800-5802,5810-5811,5815,5822,5825,5850,5859,5862,5877,5900-5904,5906-5907,5910-5911,5915,5922,5925,5950,5952,5959-5963,5987-5989,5998-6007,6009,6025,6059,6100-6101,6106,6112,6123,6129,6156,6346,6389,6502,6510,6543,6547,6565-6567,6580,6646,6666-6669,6689,6692,6699,6779,6788-6789,6792,6839,6881,6901,6969,7000-7002,7004,7007,7019,7025,7070,7100,7103,7106,7200-7201,7402,7435,7443,7496,7512,7625,7627,7676,7741,7777-7778,7800,7911,7920-7921,7937-7938,7999-8002,8007-8011,8021-8022,8031,8042,8045,8080-8090,8093,8099-8100,8180-8181,8192-8194,8200,8222,8254,8290-8292,8300,8333,8383,8400,8402,8443,8500,8600,8649,8651-8652,8654,8701,8800,8873,8888,8899,8994,9000-9003,9009-9011,9040,9050,9071,9080-9081,9090-9091,9099-9103,9110-9111,9200,9207,9220,9290,9415,9418,9485,9500,9502-9503,9535,9575,9593-9595,9618,9666,9876-9878,9898,9900,9917,9929,9943-9944,9968,9998-10004,10009-10010,10012,10024-10025,10082,10180,10215,10243,10566,10616-10617,10621,10626,10628-10629,10778,11110-11111,11967,12000,12174,12265,12345,13456,13722,13782-13783,14000,14238,14441-14442,15000,15002-15004,15660,15742,16000-16001,16012,16016,16018,16080,16113,16992-16993,17877,17988,18040,18101,18988,19101,19283,19315,19350,19780,19801,19842,20000,20005,20031,20221-20222,20828,21571,22939,23502,24444,24800,25734-25735,26214,27000,27352-27353,27355-27356,27715,28201,30000,30718,30951,31038,31337,32768-32785,33354,33899,34571-34573,35500,38292,40193,40911,41511,42510,44176,44442-44443,44501,45100,48080,49152-49161,49163,49165,49167,49175-49176,49400,49999-50003,50006,50300,50389,50500,50636,50800,51103,51493,52673,52822,52848,52869,54045,54328,55055-55056,55555,55600,56737-56738,57294,57797,58080,60020,60443,61532,61900,62078,63331,64623,64680,65000,65129,65389"/>
+<verbose level="0"/>
+<debugging level="0"/>
+<host starttime="1452950518" endtime="1452950524"><status state="up" reason="echo-reply" reason_ttl="57"/>
+<address addr="23.235.44.133" addrtype="ipv4"/>
+<hostnames>
+<hostname name="blog.andrewvc.com" type="user"/>
+<hostname name="blog.andrewvc.com" type="PTR"/>
+</hostnames>
+<ports><extraports state="filtered" count="998">
+<extrareasons reason="no-responses" count="998"/>
+</extraports>
+<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="57"/><service name="http" method="table" conf="3"/></port>
+<port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="57"/><service name="https" method="table" conf="3"/></port>
+</ports>
+<trace port="443" proto="tcp">
+<hop ttl="1" ipaddr="192.168.1.1" rtt="2.61" host="router.asus.com"/>
+<hop ttl="2" ipaddr="96.120.48.165" rtt="13.32"/>
+<hop ttl="3" ipaddr="68.85.166.9" rtt="23.94" host="te-0-3-0-21-sur01.swmpls.mn.minn.comcast.net"/>
+<hop ttl="4" ipaddr="68.87.174.154" rtt="23.94" host="te-0-0-0-1-sur02.swmpls.mn.minn.comcast.net"/>
+<hop ttl="5" ipaddr="68.87.174.129" rtt="23.95" host="te-0-8-0-13-ar01.roseville.mn.minn.comcast.net"/>
+<hop ttl="6" ipaddr="68.86.232.170" rtt="23.96" host="hu-0-0-0-0-ar01.crosstown.mn.minn.comcast.net"/>
+<hop ttl="7" ipaddr="68.86.94.5" rtt="33.43" host="be-13367-cr02.denver.co.ibone.comcast.net"/>
+<hop ttl="8" ipaddr="68.86.84.230" rtt="42.92" host="be-11724-cr02.dallas.tx.ibone.comcast.net"/>
+<hop ttl="9" ipaddr="68.86.83.110" rtt="41.42" host="be-14-pe02.1950stemmons.tx.ibone.comcast.net"/>
+<hop ttl="11" ipaddr="23.235.44.133" rtt="50.99" host="blog.andrewvc.com"/>
+</trace>
+<times srtt="43140" rttvar="11005" to="100000"/>
+</host>
+<runstats><finished time="1452950529" timestr="Sat Jan 16 07:22:09 2016" elapsed="14.55" summary="Nmap done at Sat Jan 16 07:22:09 2016; 2 IP addresses (1 host up) scanned in 14.55 seconds" exit="success"/><hosts up="1" down="1" total="2"/>
+</runstats>
+</nmaprun>

metadata

@@ -0,0 +1,109 @@
+--- !ruby/object:Gem::Specification
+name: logstash-codec-nmap
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Elastic
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2016-01-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  name: logstash-core
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: ruby-nmap
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
+email: info@elastic.co
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/codecs/nmap.rb
+- logstash-codec-nmap.gemspec
+- spec/codecs/nmap_spec.rb
+- spec/fixtures/ipv6_all.xml
+- spec/fixtures/pingsweep.xml
+- spec/fixtures/traceroutes.xml
+homepage: http://www.elastic.co/guide/en/logstash/current/index.html
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: codec
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
+specification_version: 4
+summary: This codec may be used to decode Nmap XML
+test_files:
+- spec/codecs/nmap_spec.rb
+- spec/fixtures/ipv6_all.xml
+- spec/fixtures/pingsweep.xml
+- spec/fixtures/traceroutes.xml