logstash-codec-nmap 0.0.9 → 0.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 9b915c7826f05f545606e74a99585c670f3cf1e0
-  data.tar.gz: 49b35f3cf3d483d5c4e0c54a5b51c6d27137a9f2
+  metadata.gz: eb9b854678cab49c0f5832940e7881a0b7211cae
+  data.tar.gz: a8fb24f5c1b5e05f0e526e8a90016beebe80483c
 SHA512:
-  metadata.gz: a03fbdfe80a2d20230dde379fe416f51844e909d259bfc28164518b674d61aa4b0c573aa264ca1d80465d970fd2e4d043561fd1f526b69670dc7b633bc5fdd45
-  data.tar.gz: f3aa9ea6a1976e59a2bc8f6bfc2a62c2a20edcd0f7e8f5ac63eadac5b2f320ed2620ba86c79bee5676021935b78eae5af99d5606e55a73da8c418c4c20b49fcc
+  metadata.gz: 0e7242b4045a0f9a11ef48c23b7da3e840ae87c48545fdb0614c840c7183da3d76670a5dd5e534f7e450db6c30fde240d878801a8208ef334f4df596aa20e854
+  data.tar.gz: 46eca983628be28e86aee61adde73a7d775018024e402ac4c7c421935f46e243431bfa3b054a24dfa8a74614796ea1c54f163ae3aacbac6d26d973cf1c764bc9

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 0.0.10
+  - Add top level metadata object
+  - Improve examples

data/README.md

@@ -1,5 +1,17 @@
 # Logstash Plugin
 
+[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-codec-nmap.svg)](https://travis-ci.org/logstash-plugins/logstash-codec-nmap)
+
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+@@ -86,4 +85,4 @@ Programming is not a required skill. Whatever you've seen about open source and
+
+It is more important to the community that you are able to contribute.
+
++For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
+-For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.It is more important to the community that you are able to contribute.This is a plugin for [Logstash](https://github.com/elastic/logstash).-Status](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Inputs/job/logstash-plugin-input-rabbitmq-unit/badge/icon)](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Inputs/job/logstash-plugin-input-rabbitmq-unit/)
+
 This is a plugin for [Logstash](https://github.com/elastic/logstash).
 
 It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.

data/lib/logstash/codecs/nmap.rb

@@ -3,12 +3,20 @@ require "logstash/codecs/base"
 require "nmap/xml"
 require 'securerandom'
 
-# This codec may be used to decode (via inputs) only.
-# It decodes nmap generated XML and outputs each host as its own event
+# This codec may be used to decode only
+#
+# Event types are listed below
+#
+# `nmap_scan_metadata`: An object containing top level information about the scan, including how many hosts were up, and how many were down. Useful for the case where you need to check if a DNS based hostname does not resolve, where both those numbers will be zero.
+# `nmap_host`: One event is created per host. The full data covering an individual host, including open ports and traceroute information as a nested structure.
+# `nmap_port`: One event is created per host/port. This duplicates data already in `nmap_host`: This was put in for the case where you want to model ports as separate documents in Elasticsearch (which Kibana prefers).
+# `nmap_traceroute_link`: One of these is output per traceroute 'connection', with a `from` and a `to` object describing each hop. Note that traceroute hop data is not always correct due to the fact that each tracing ICMP packet may take a different route. Also very useful for Kibana visualizations.
 
 class LogStash::Codecs::Nmap < LogStash::Codecs::Base
   config_name "nmap"
 
+  # Emit scan metadata
+  config :emit_scan_metadata, :validate => :boolean, :default => true
   # Emit all host data as a nested document (including ports + traceroutes) with the type 'nmap_fullscan'
   config :emit_hosts, :validate => :boolean, :default => true
   # Emit each port as a separate document with type 'nmap_port'
@@ -25,25 +33,36 @@ class LogStash::Codecs::Nmap < LogStash::Codecs::Base
     xml = Nmap::XML.parse(data)
     scan_id = SecureRandom.uuid
 
+    base = {}
+    base['arguments'] = xml.scanner.arguments
+    base['version'] = xml.scanner.version
+    base['scan_id'] = scan_id
+
+    # This really needs to be put into ruby-nmap
+    scan_host_stats = Hash[xml.instance_variable_get(:@doc).xpath('/nmaprun[@scanner="nmap"]/runstats/hosts').first.attributes.map {|k,v| [k,v.value.to_i]}]
+
+    if @emit_scan_metadata
+        yield LogStash::Event.new(base.merge({
+          'type' => 'nmap_scan_metadata',
+          'host_stats' => scan_host_stats,
+          'run_stats' =>  xml.run_stats.first
+        }))
+    end
+
     xml.hosts.each_with_index do |host,idx|
-      # Convert the host to a 'base' host event
+      # Convert the host to a 'host_base' host event
       # This will be used for the later port/hop types
-      base = hashify_host(host, xml)
+      host_base = hashify_host(host, xml).merge(base)
 
-      # Add some scanner-wide attributes
-      base['arguments'] = xml.scanner.arguments
-      base['version'] = xml.scanner.version
-      base['scan_id'] = scan_id
 
       # Pull out the detail
       ports = host.ports.map {|p| hashify_port(p)}
       traceroute = hashify_traceroute(host.traceroute)
-
       scan_host_id = scan_id + "-h#{idx}"
 
       if @emit_ports && ports
         ports.each.with_index do |port,idx|
-          yield LogStash::Event.new(base.merge(
+          yield LogStash::Event.new(host_base.merge(
             'type' => 'nmap_port',
             'port' => port,
             'scan_host_id' => scan_host_id,
@@ -55,7 +74,7 @@ class LogStash::Codecs::Nmap < LogStash::Codecs::Base
       if @emit_traceroute_links && traceroute && (hops = traceroute['hops'])
         hops.each_with_index do |hop,idx|
           next_hop = hops[idx+1]
-          yield LogStash::Event.new(base.merge(
+          yield LogStash::Event.new(host_base.merge(
             'type' =>'nmap_traceroute_link',
             'from' => hop,
             'to' => next_hop,
@@ -67,7 +86,7 @@ class LogStash::Codecs::Nmap < LogStash::Codecs::Base
       end
 
       if @emit_hosts
-        yield LogStash::Event.new(base.merge(
+        yield LogStash::Event.new(host_base.merge(
           'type' => 'nmap_host',
           'ports' => ports,
           'traceroute' => traceroute,

data/logstash-codec-nmap.gemspec

@@ -1,7 +1,7 @@
 Gem::Specification.new do |s|
 
   s.name            = 'logstash-codec-nmap'
-  s.version         = '0.0.9'
+  s.version         = '0.0.10'
   s.licenses        = ['Apache License (2.0)']
   s.summary         = "This codec may be used to decode Nmap XML"
   s.description     = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"

data/spec/codecs/nmap_spec.rb

@@ -46,7 +46,6 @@ describe LogStash::Codecs::Nmap do
       it_should_behave_like "a valid parse"
     end
 
-
     describe "localscan.xml" do
       let(:xml_string) { File.open("spec/fixtures/localscan.xml").read }
       it_should_behave_like "a valid parse"
@@ -57,12 +56,21 @@ describe LogStash::Codecs::Nmap do
       it_should_behave_like "a valid parse"
     end
 
-
     describe "full_scan.xml" do
       let(:xml_string) { File.open("spec/fixtures/full_scan.xml").read }
       it_should_behave_like "a valid parse"
     end
 
+    describe "nothingup.xml" do
+      let(:xml_string) { File.open("spec/fixtures/nothingup.xml").read }
+      it_should_behave_like "a valid parse"
+    end
+
+    describe "ip_down.xml" do
+      let(:xml_string) { File.open("spec/fixtures/ip_down.xml").read }
+      it_should_behave_like "a valid parse"
+    end
+
   end
 
 end

data/spec/fixtures/ip_down.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.01 scan initiated Tue Jan 26 15:54:25 2016 as: nmap -sP -oX - 192.168.88.88 -->
+<nmaprun scanner="nmap" args="nmap -sP -oX - 192.168.88.88" start="1453845265" startstr="Tue Jan 26 15:54:25 2016" version="7.01" xmloutputversion="1.04">
+<verbose level="0"/>
+<debugging level="0"/>
+<runstats><finished time="1453845268" timestr="Tue Jan 26 15:54:28 2016" elapsed="3.01" summary="Nmap done at Tue Jan 26 15:54:28 2016; 1 IP address (0 hosts up) scanned in 3.01 seconds" exit="success"/><hosts up="0" down="1" total="1"/>
+</runstats>
+</nmaprun>

data/spec/fixtures/nothingup.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE nmaprun>
+<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
+<!-- Nmap 7.01 scan initiated Tue Jan 26 15:53:54 2016 as: nmap -sP -oX - ouercheuonheuonctueo.net -->
+<nmaprun scanner="nmap" args="nmap -sP -oX - ouercheuonheuonctueo.net" start="1453845234" startstr="Tue Jan 26 15:53:54 2016" version="7.01" xmloutputversion="1.04">
+<verbose level="0"/>
+<debugging level="0"/>
+<runstats><finished time="1453845234" timestr="Tue Jan 26 15:53:54 2016" elapsed="0.00" summary="Nmap done at Tue Jan 26 15:53:54 2016; 0 IP addresses (0 hosts up) scanned in 0.00 seconds" exit="success"/><hosts up="0" down="0" total="0"/>
+</runstats>
+</nmaprun>

metadata

@@ -1,17 +1,18 @@
 --- !ruby/object:Gem::Specification
 name: logstash-codec-nmap
 version: !ruby/object:Gem::Version
-  version: 0.0.9
+  version: 0.0.10
 platform: ruby
 authors:
 - Elastic
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-01-17 00:00:00.000000000 Z
+date: 2016-01-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  requirement: !ruby/object:Gem::Requirement
+  name: logstash-core
+  version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
@@ -19,10 +20,7 @@ dependencies:
     - - <
       - !ruby/object:Gem::Version
         version: 3.0.0
-  name: logstash-core
-  prerelease: false
-  type: :runtime
-  version_requirements: !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
@@ -30,34 +28,36 @@ dependencies:
     - - <
       - !ruby/object:Gem::Version
         version: 3.0.0
+  prerelease: false
+  type: :runtime
 - !ruby/object:Gem::Dependency
+  name: ruby-nmap
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-  name: ruby-nmap
   prerelease: false
   type: :runtime
+- !ruby/object:Gem::Dependency
+  name: logstash-devutils
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-- !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - '>='
       - !ruby/object:Gem::Version
         version: '0'
-  name: logstash-devutils
   prerelease: false
   type: :development
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - '>='
-      - !ruby/object:Gem::Version
-        version: '0'
 description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
 email: info@elastic.co
 executables: []
@@ -65,7 +65,6 @@ extensions: []
 extra_rdoc_files: []
 files:
 - CHANGELOG.md
-- CONTRIBUTORS
 - Gemfile
 - LICENSE
 - NOTICE.TXT
@@ -74,8 +73,10 @@ files:
 - logstash-codec-nmap.gemspec
 - spec/codecs/nmap_spec.rb
 - spec/fixtures/full_scan.xml
+- spec/fixtures/ip_down.xml
 - spec/fixtures/ipv6_all.xml
 - spec/fixtures/localscan.xml
+- spec/fixtures/nothingup.xml
 - spec/fixtures/pingsweep.xml
 - spec/fixtures/scanme.nmap.org
 - spec/fixtures/scanme_A.xml
@@ -110,8 +111,10 @@ summary: This codec may be used to decode Nmap XML
 test_files:
 - spec/codecs/nmap_spec.rb
 - spec/fixtures/full_scan.xml
+- spec/fixtures/ip_down.xml
 - spec/fixtures/ipv6_all.xml
 - spec/fixtures/localscan.xml
+- spec/fixtures/nothingup.xml
 - spec/fixtures/pingsweep.xml
 - spec/fixtures/scanme.nmap.org
 - spec/fixtures/scanme_A.xml

data/CONTRIBUTORS

@@ -1,17 +0,0 @@
-The following is a list of people who have contributed ideas, code, bug
-reports, or in general have helped logstash along its way.
-
-Contributors:
-* Colin Surprenant (colinsurprenant)
-* Jordan Sissel (jordansissel)
-* João Duarte (jsvd)
-* Kurt Hurtado (kurtado)
-* Nick Ethier (nickethier)
-* Pier-Hugues Pellerin (ph)
-* Richard Pijnenburg (electrical)
-* Tal Levy (talevy)
-
-Note: If you've sent us patches, bug reports, or otherwise contributed to
-Logstash, and you aren't on the list above and want to be, please let us know
-and we'll make sure you're here. Contributions from folks like you are what make
-open source awesome.