logstash-codec-nmap 0.0.9 → 0.0.10
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +3 -0
- data/README.md +12 -0
- data/lib/logstash/codecs/nmap.rb +31 -12
- data/logstash-codec-nmap.gemspec +1 -1
- data/spec/codecs/nmap_spec.rb +10 -2
- data/spec/fixtures/ip_down.xml +10 -0
- data/spec/fixtures/nothingup.xml +10 -0
- metadata +19 -16
- data/CONTRIBUTORS +0 -17
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: eb9b854678cab49c0f5832940e7881a0b7211cae
|
4
|
+
data.tar.gz: a8fb24f5c1b5e05f0e526e8a90016beebe80483c
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 0e7242b4045a0f9a11ef48c23b7da3e840ae87c48545fdb0614c840c7183da3d76670a5dd5e534f7e450db6c30fde240d878801a8208ef334f4df596aa20e854
|
7
|
+
data.tar.gz: 46eca983628be28e86aee61adde73a7d775018024e402ac4c7c421935f46e243431bfa3b054a24dfa8a74614796ea1c54f163ae3aacbac6d26d973cf1c764bc9
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
@@ -1,5 +1,17 @@
|
|
1
1
|
# Logstash Plugin
|
2
2
|
|
3
|
+
[![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-codec-nmap.svg)](https://travis-ci.org/logstash-plugins/logstash-codec-nmap)
|
4
|
+
|
5
|
+
|
6
|
+
This is a plugin for [Logstash](https://github.com/elastic/logstash).
|
7
|
+
|
8
|
+
@@ -86,4 +85,4 @@ Programming is not a required skill. Whatever you've seen about open source and
|
9
|
+
|
10
|
+
It is more important to the community that you are able to contribute.
|
11
|
+
|
12
|
+
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
|
13
|
+
-For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.It is more important to the community that you are able to contribute.This is a plugin for [Logstash](https://github.com/elastic/logstash).-Status](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Inputs/job/logstash-plugin-input-rabbitmq-unit/badge/icon)](http://build-eu-00.elastic.co/view/LS%20Plugins/view/LS%20Inputs/job/logstash-plugin-input-rabbitmq-unit/)
|
14
|
+
|
3
15
|
This is a plugin for [Logstash](https://github.com/elastic/logstash).
|
4
16
|
|
5
17
|
It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
|
data/lib/logstash/codecs/nmap.rb
CHANGED
@@ -3,12 +3,20 @@ require "logstash/codecs/base"
|
|
3
3
|
require "nmap/xml"
|
4
4
|
require 'securerandom'
|
5
5
|
|
6
|
-
# This codec may be used to decode
|
7
|
-
#
|
6
|
+
# This codec may be used to decode only
|
7
|
+
#
|
8
|
+
# Event types are listed below
|
9
|
+
#
|
10
|
+
# `nmap_scan_metadata`: An object containing top level information about the scan, including how many hosts were up, and how many were down. Useful for the case where you need to check if a DNS based hostname does not resolve, where both those numbers will be zero.
|
11
|
+
# `nmap_host`: One event is created per host. The full data covering an individual host, including open ports and traceroute information as a nested structure.
|
12
|
+
# `nmap_port`: One event is created per host/port. This duplicates data already in `nmap_host`: This was put in for the case where you want to model ports as separate documents in Elasticsearch (which Kibana prefers).
|
13
|
+
# `nmap_traceroute_link`: One of these is output per traceroute 'connection', with a `from` and a `to` object describing each hop. Note that traceroute hop data is not always correct due to the fact that each tracing ICMP packet may take a different route. Also very useful for Kibana visualizations.
|
8
14
|
|
9
15
|
class LogStash::Codecs::Nmap < LogStash::Codecs::Base
|
10
16
|
config_name "nmap"
|
11
17
|
|
18
|
+
# Emit scan metadata
|
19
|
+
config :emit_scan_metadata, :validate => :boolean, :default => true
|
12
20
|
# Emit all host data as a nested document (including ports + traceroutes) with the type 'nmap_fullscan'
|
13
21
|
config :emit_hosts, :validate => :boolean, :default => true
|
14
22
|
# Emit each port as a separate document with type 'nmap_port'
|
@@ -25,25 +33,36 @@ class LogStash::Codecs::Nmap < LogStash::Codecs::Base
|
|
25
33
|
xml = Nmap::XML.parse(data)
|
26
34
|
scan_id = SecureRandom.uuid
|
27
35
|
|
36
|
+
base = {}
|
37
|
+
base['arguments'] = xml.scanner.arguments
|
38
|
+
base['version'] = xml.scanner.version
|
39
|
+
base['scan_id'] = scan_id
|
40
|
+
|
41
|
+
# This really needs to be put into ruby-nmap
|
42
|
+
scan_host_stats = Hash[xml.instance_variable_get(:@doc).xpath('/nmaprun[@scanner="nmap"]/runstats/hosts').first.attributes.map {|k,v| [k,v.value.to_i]}]
|
43
|
+
|
44
|
+
if @emit_scan_metadata
|
45
|
+
yield LogStash::Event.new(base.merge({
|
46
|
+
'type' => 'nmap_scan_metadata',
|
47
|
+
'host_stats' => scan_host_stats,
|
48
|
+
'run_stats' => xml.run_stats.first
|
49
|
+
}))
|
50
|
+
end
|
51
|
+
|
28
52
|
xml.hosts.each_with_index do |host,idx|
|
29
|
-
# Convert the host to a '
|
53
|
+
# Convert the host to a 'host_base' host event
|
30
54
|
# This will be used for the later port/hop types
|
31
|
-
|
55
|
+
host_base = hashify_host(host, xml).merge(base)
|
32
56
|
|
33
|
-
# Add some scanner-wide attributes
|
34
|
-
base['arguments'] = xml.scanner.arguments
|
35
|
-
base['version'] = xml.scanner.version
|
36
|
-
base['scan_id'] = scan_id
|
37
57
|
|
38
58
|
# Pull out the detail
|
39
59
|
ports = host.ports.map {|p| hashify_port(p)}
|
40
60
|
traceroute = hashify_traceroute(host.traceroute)
|
41
|
-
|
42
61
|
scan_host_id = scan_id + "-h#{idx}"
|
43
62
|
|
44
63
|
if @emit_ports && ports
|
45
64
|
ports.each.with_index do |port,idx|
|
46
|
-
yield LogStash::Event.new(
|
65
|
+
yield LogStash::Event.new(host_base.merge(
|
47
66
|
'type' => 'nmap_port',
|
48
67
|
'port' => port,
|
49
68
|
'scan_host_id' => scan_host_id,
|
@@ -55,7 +74,7 @@ class LogStash::Codecs::Nmap < LogStash::Codecs::Base
|
|
55
74
|
if @emit_traceroute_links && traceroute && (hops = traceroute['hops'])
|
56
75
|
hops.each_with_index do |hop,idx|
|
57
76
|
next_hop = hops[idx+1]
|
58
|
-
yield LogStash::Event.new(
|
77
|
+
yield LogStash::Event.new(host_base.merge(
|
59
78
|
'type' =>'nmap_traceroute_link',
|
60
79
|
'from' => hop,
|
61
80
|
'to' => next_hop,
|
@@ -67,7 +86,7 @@ class LogStash::Codecs::Nmap < LogStash::Codecs::Base
|
|
67
86
|
end
|
68
87
|
|
69
88
|
if @emit_hosts
|
70
|
-
yield LogStash::Event.new(
|
89
|
+
yield LogStash::Event.new(host_base.merge(
|
71
90
|
'type' => 'nmap_host',
|
72
91
|
'ports' => ports,
|
73
92
|
'traceroute' => traceroute,
|
data/logstash-codec-nmap.gemspec
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
Gem::Specification.new do |s|
|
2
2
|
|
3
3
|
s.name = 'logstash-codec-nmap'
|
4
|
-
s.version = '0.0.
|
4
|
+
s.version = '0.0.10'
|
5
5
|
s.licenses = ['Apache License (2.0)']
|
6
6
|
s.summary = "This codec may be used to decode Nmap XML"
|
7
7
|
s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
|
data/spec/codecs/nmap_spec.rb
CHANGED
@@ -46,7 +46,6 @@ describe LogStash::Codecs::Nmap do
|
|
46
46
|
it_should_behave_like "a valid parse"
|
47
47
|
end
|
48
48
|
|
49
|
-
|
50
49
|
describe "localscan.xml" do
|
51
50
|
let(:xml_string) { File.open("spec/fixtures/localscan.xml").read }
|
52
51
|
it_should_behave_like "a valid parse"
|
@@ -57,12 +56,21 @@ describe LogStash::Codecs::Nmap do
|
|
57
56
|
it_should_behave_like "a valid parse"
|
58
57
|
end
|
59
58
|
|
60
|
-
|
61
59
|
describe "full_scan.xml" do
|
62
60
|
let(:xml_string) { File.open("spec/fixtures/full_scan.xml").read }
|
63
61
|
it_should_behave_like "a valid parse"
|
64
62
|
end
|
65
63
|
|
64
|
+
describe "nothingup.xml" do
|
65
|
+
let(:xml_string) { File.open("spec/fixtures/nothingup.xml").read }
|
66
|
+
it_should_behave_like "a valid parse"
|
67
|
+
end
|
68
|
+
|
69
|
+
describe "ip_down.xml" do
|
70
|
+
let(:xml_string) { File.open("spec/fixtures/ip_down.xml").read }
|
71
|
+
it_should_behave_like "a valid parse"
|
72
|
+
end
|
73
|
+
|
66
74
|
end
|
67
75
|
|
68
76
|
end
|
@@ -0,0 +1,10 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
+
<!DOCTYPE nmaprun>
|
3
|
+
<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
|
4
|
+
<!-- Nmap 7.01 scan initiated Tue Jan 26 15:54:25 2016 as: nmap -sP -oX - 192.168.88.88 -->
|
5
|
+
<nmaprun scanner="nmap" args="nmap -sP -oX - 192.168.88.88" start="1453845265" startstr="Tue Jan 26 15:54:25 2016" version="7.01" xmloutputversion="1.04">
|
6
|
+
<verbose level="0"/>
|
7
|
+
<debugging level="0"/>
|
8
|
+
<runstats><finished time="1453845268" timestr="Tue Jan 26 15:54:28 2016" elapsed="3.01" summary="Nmap done at Tue Jan 26 15:54:28 2016; 1 IP address (0 hosts up) scanned in 3.01 seconds" exit="success"/><hosts up="0" down="1" total="1"/>
|
9
|
+
</runstats>
|
10
|
+
</nmaprun>
|
@@ -0,0 +1,10 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
+
<!DOCTYPE nmaprun>
|
3
|
+
<?xml-stylesheet href="file:///usr/local/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
|
4
|
+
<!-- Nmap 7.01 scan initiated Tue Jan 26 15:53:54 2016 as: nmap -sP -oX - ouercheuonheuonctueo.net -->
|
5
|
+
<nmaprun scanner="nmap" args="nmap -sP -oX - ouercheuonheuonctueo.net" start="1453845234" startstr="Tue Jan 26 15:53:54 2016" version="7.01" xmloutputversion="1.04">
|
6
|
+
<verbose level="0"/>
|
7
|
+
<debugging level="0"/>
|
8
|
+
<runstats><finished time="1453845234" timestr="Tue Jan 26 15:53:54 2016" elapsed="0.00" summary="Nmap done at Tue Jan 26 15:53:54 2016; 0 IP addresses (0 hosts up) scanned in 0.00 seconds" exit="success"/><hosts up="0" down="0" total="0"/>
|
9
|
+
</runstats>
|
10
|
+
</nmaprun>
|
metadata
CHANGED
@@ -1,17 +1,18 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: logstash-codec-nmap
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.10
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Elastic
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2016-01-
|
11
|
+
date: 2016-01-27 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
|
-
|
14
|
+
name: logstash-core
|
15
|
+
version_requirements: !ruby/object:Gem::Requirement
|
15
16
|
requirements:
|
16
17
|
- - '>='
|
17
18
|
- !ruby/object:Gem::Version
|
@@ -19,10 +20,7 @@ dependencies:
|
|
19
20
|
- - <
|
20
21
|
- !ruby/object:Gem::Version
|
21
22
|
version: 3.0.0
|
22
|
-
|
23
|
-
prerelease: false
|
24
|
-
type: :runtime
|
25
|
-
version_requirements: !ruby/object:Gem::Requirement
|
23
|
+
requirement: !ruby/object:Gem::Requirement
|
26
24
|
requirements:
|
27
25
|
- - '>='
|
28
26
|
- !ruby/object:Gem::Version
|
@@ -30,34 +28,36 @@ dependencies:
|
|
30
28
|
- - <
|
31
29
|
- !ruby/object:Gem::Version
|
32
30
|
version: 3.0.0
|
31
|
+
prerelease: false
|
32
|
+
type: :runtime
|
33
33
|
- !ruby/object:Gem::Dependency
|
34
|
+
name: ruby-nmap
|
35
|
+
version_requirements: !ruby/object:Gem::Requirement
|
36
|
+
requirements:
|
37
|
+
- - '>='
|
38
|
+
- !ruby/object:Gem::Version
|
39
|
+
version: '0'
|
34
40
|
requirement: !ruby/object:Gem::Requirement
|
35
41
|
requirements:
|
36
42
|
- - '>='
|
37
43
|
- !ruby/object:Gem::Version
|
38
44
|
version: '0'
|
39
|
-
name: ruby-nmap
|
40
45
|
prerelease: false
|
41
46
|
type: :runtime
|
47
|
+
- !ruby/object:Gem::Dependency
|
48
|
+
name: logstash-devutils
|
42
49
|
version_requirements: !ruby/object:Gem::Requirement
|
43
50
|
requirements:
|
44
51
|
- - '>='
|
45
52
|
- !ruby/object:Gem::Version
|
46
53
|
version: '0'
|
47
|
-
- !ruby/object:Gem::Dependency
|
48
54
|
requirement: !ruby/object:Gem::Requirement
|
49
55
|
requirements:
|
50
56
|
- - '>='
|
51
57
|
- !ruby/object:Gem::Version
|
52
58
|
version: '0'
|
53
|
-
name: logstash-devutils
|
54
59
|
prerelease: false
|
55
60
|
type: :development
|
56
|
-
version_requirements: !ruby/object:Gem::Requirement
|
57
|
-
requirements:
|
58
|
-
- - '>='
|
59
|
-
- !ruby/object:Gem::Version
|
60
|
-
version: '0'
|
61
61
|
description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
|
62
62
|
email: info@elastic.co
|
63
63
|
executables: []
|
@@ -65,7 +65,6 @@ extensions: []
|
|
65
65
|
extra_rdoc_files: []
|
66
66
|
files:
|
67
67
|
- CHANGELOG.md
|
68
|
-
- CONTRIBUTORS
|
69
68
|
- Gemfile
|
70
69
|
- LICENSE
|
71
70
|
- NOTICE.TXT
|
@@ -74,8 +73,10 @@ files:
|
|
74
73
|
- logstash-codec-nmap.gemspec
|
75
74
|
- spec/codecs/nmap_spec.rb
|
76
75
|
- spec/fixtures/full_scan.xml
|
76
|
+
- spec/fixtures/ip_down.xml
|
77
77
|
- spec/fixtures/ipv6_all.xml
|
78
78
|
- spec/fixtures/localscan.xml
|
79
|
+
- spec/fixtures/nothingup.xml
|
79
80
|
- spec/fixtures/pingsweep.xml
|
80
81
|
- spec/fixtures/scanme.nmap.org
|
81
82
|
- spec/fixtures/scanme_A.xml
|
@@ -110,8 +111,10 @@ summary: This codec may be used to decode Nmap XML
|
|
110
111
|
test_files:
|
111
112
|
- spec/codecs/nmap_spec.rb
|
112
113
|
- spec/fixtures/full_scan.xml
|
114
|
+
- spec/fixtures/ip_down.xml
|
113
115
|
- spec/fixtures/ipv6_all.xml
|
114
116
|
- spec/fixtures/localscan.xml
|
117
|
+
- spec/fixtures/nothingup.xml
|
115
118
|
- spec/fixtures/pingsweep.xml
|
116
119
|
- spec/fixtures/scanme.nmap.org
|
117
120
|
- spec/fixtures/scanme_A.xml
|
data/CONTRIBUTORS
DELETED
@@ -1,17 +0,0 @@
|
|
1
|
-
The following is a list of people who have contributed ideas, code, bug
|
2
|
-
reports, or in general have helped logstash along its way.
|
3
|
-
|
4
|
-
Contributors:
|
5
|
-
* Colin Surprenant (colinsurprenant)
|
6
|
-
* Jordan Sissel (jordansissel)
|
7
|
-
* João Duarte (jsvd)
|
8
|
-
* Kurt Hurtado (kurtado)
|
9
|
-
* Nick Ethier (nickethier)
|
10
|
-
* Pier-Hugues Pellerin (ph)
|
11
|
-
* Richard Pijnenburg (electrical)
|
12
|
-
* Tal Levy (talevy)
|
13
|
-
|
14
|
-
Note: If you've sent us patches, bug reports, or otherwise contributed to
|
15
|
-
Logstash, and you aren't on the list above and want to be, please let us know
|
16
|
-
and we'll make sure you're here. Contributions from folks like you are what make
|
17
|
-
open source awesome.
|