logstash-filter-SDS 1.0.0
- checksums.yaml +7 -0
- data/CHANGELOG.md +0 -0
- data/CONTRIBUTORS +0 -0
- data/DEVELOPER.md +0 -0
- data/Gemfile +2 -0
- data/LICENSE +14 -0
- data/NOTICE.TXT +5 -0
- data/README.md +106 -0
- data/lib/logstash/filters/SDS.rb +139 -0
- data/logstash-filter-SDS.gemspec +23 -0
- data/spec/filters/SDS_spec.rb +224 -0
- data/spec/spec_helper.rb +1 -0
- metadata +92 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: 79283771fe6b695798029ebbcda8c17e0f5593aa
|
4
|
+
data.tar.gz: c3ede4f018deca97ca1a9e543bb7de6ad6fd6fd9
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 1dc35485dd8900cbe2b8452645936022c53076a5fca5195d7bf27dd1ee06e45e9e2aaf3b59a7c148ae1113f576b9f41d389c82d2f8ff3dadfd5f6fa9b58c08e1
|
7
|
+
data.tar.gz: c696d2dadf29bf9e7bcccb5fe99350ac3b8a638983edeb846b4b64c351448e75e4a6450e3ff9c829b510f045332e645ad166a112d03a1935a192c528a55d199e
|
data/CHANGELOG.md
ADDED
File without changes
|
data/CONTRIBUTORS
ADDED
File without changes
|
data/DEVELOPER.md
ADDED
File without changes
|
data/Gemfile
ADDED
data/LICENSE
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
Copyright (c) 2012-2018 Elasticsearch <http://www.elastic.co>
|
2
|
+
Copyright (c) 2018 Stormshield <https://www.stormshield.com>
|
3
|
+
|
4
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
+
you may not use this file except in compliance with the License.
|
6
|
+
You may obtain a copy of the License at
|
7
|
+
|
8
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
9
|
+
|
10
|
+
Unless required by applicable law or agreed to in writing, software
|
11
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
+
See the License for the specific language governing permissions and
|
14
|
+
limitations under the License.
|
data/NOTICE.TXT
ADDED
data/README.md
ADDED
@@ -0,0 +1,106 @@
|
|
1
|
+
# Logstash Stormshield SDS Plugin
|
2
|
+
|
3
|
+
## Developing
|
4
|
+
|
5
|
+
### 1. Plugin Developement and Testing
|
6
|
+
|
7
|
+
#### Code
|
8
|
+
- To get started, you'll need JRuby with the Bundler gem installed.
|
9
|
+
|
10
|
+
- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
|
11
|
+
|
12
|
+
- Install dependencies
|
13
|
+
```sh
|
14
|
+
bundle install
|
15
|
+
```
|
16
|
+
|
17
|
+
#### Test
|
18
|
+
|
19
|
+
- Update your dependencies
|
20
|
+
```sh
|
21
|
+
bundle install
|
22
|
+
```
|
23
|
+
|
24
|
+
- Run tests
|
25
|
+
```sh
|
26
|
+
bundle exec rspec
|
27
|
+
```
|
28
|
+
|
29
|
+
### 2. Running your unpublished Plugin in Logstash
|
30
|
+
|
31
|
+
#### 2.1 Run in a local Logstash clone
|
32
|
+
|
33
|
+
- Edit Logstash `Gemfile` and add the local plugin path, for example:
|
34
|
+
```ruby
|
35
|
+
gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
|
36
|
+
```
|
37
|
+
|
38
|
+
- Install plugin
|
39
|
+
```sh
|
40
|
+
bin/plugin install --no-verify
|
41
|
+
```
|
42
|
+
|
43
|
+
- Run Logstash with your plugin
|
44
|
+
```sh
|
45
|
+
bin/logstash -e 'filter {awesome {}}'
|
46
|
+
```
|
47
|
+
|
48
|
+
At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
|
49
|
+
|
50
|
+
#### 2.2 Run in an installed Logstash
|
51
|
+
|
52
|
+
You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
|
53
|
+
|
54
|
+
- Build your plugin gem
|
55
|
+
```sh
|
56
|
+
gem build logstash-filter-awesome.gemspec
|
57
|
+
```
|
58
|
+
|
59
|
+
- Install the plugin from the Logstash home
|
60
|
+
```sh
|
61
|
+
bin/plugin install /your/local/plugin/logstash-filter-awesome.gem
|
62
|
+
```
|
63
|
+
|
64
|
+
- Start Logstash and proceed to test the plugin
|
65
|
+
|
66
|
+
- Run tests
|
67
|
+
```sh
|
68
|
+
bundle exec rspec
|
69
|
+
```
|
70
|
+
|
71
|
+
### 2. Running your unpublished Plugin in Logstash
|
72
|
+
|
73
|
+
#### 2.1 Run in a local Logstash clone
|
74
|
+
|
75
|
+
- Edit Logstash `Gemfile` and add the local plugin path, for example:
|
76
|
+
```ruby
|
77
|
+
gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
|
78
|
+
```
|
79
|
+
|
80
|
+
- Install plugin
|
81
|
+
```sh
|
82
|
+
bin/plugin install --no-verify
|
83
|
+
```
|
84
|
+
|
85
|
+
- Run Logstash with your plugin
|
86
|
+
```sh
|
87
|
+
bin/logstash -e 'filter {awesome {}}'
|
88
|
+
```
|
89
|
+
|
90
|
+
At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
|
91
|
+
|
92
|
+
#### 2.2 Run in an installed Logstash
|
93
|
+
|
94
|
+
You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
|
95
|
+
|
96
|
+
- Build your plugin gem
|
97
|
+
```sh
|
98
|
+
gem build logstash-filter-awesome.gemspec
|
99
|
+
```
|
100
|
+
|
101
|
+
- Install the plugin from the Logstash home
|
102
|
+
```sh
|
103
|
+
bin/plugin install /your/local/plugin/logstash-filter-awesome.gem
|
104
|
+
```
|
105
|
+
|
106
|
+
- Start Logstash and proceed to test the plugin
|
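Review bot: lines 29–69 and 71–106 of this README are the same "2. Running your unpublished Plugin in Logstash" section pasted twice; drop the second copy. The file is otherwise still the logstash-plugins template: it refers to `logstash-filter-awesome` and `filter {awesome {}}` rather than `logstash-filter-SDS` and `filter { SDS {} }`, and it never says what the filter does (it reads `Message`, `EventID` and `Category`, sets `userFullName`, `msg`, `Category`, `file` and `folder`, and removes `Message`), which is the one thing a user of this gem needs from a README. Minor: "Developement" (line 5) and "clone and existing" (line 10) are typos, and `bin/plugin` has been replaced by `bin/logstash-plugin` in current Logstash releases.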
@@ -0,0 +1,139 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require 'set'
|
3
|
+
require 'logstash/filters/base'
|
4
|
+
require 'logstash/namespace'
|
5
|
+
|
6
|
+
class LogStash::Filters::SDS < LogStash::Filters::Base
|
7
|
+
config_name 'SDS'
|
8
|
+
|
9
|
+
public
|
10
|
+
|
11
|
+
def register
|
12
|
+
@re_msg = /(?:Stormshield Data Security Login|Identifiant Stormshield Data Security)\s?:\s(?<userFullName>.*[^(?:\s{2}|\r{2})])(?:\s{2}|\r{2}|(?:\\\\r){2})Description\s?:(?:\s|\r|\\\\r)?(?<description>[^"]*)/m
|
13
|
+
@re_file = /(?:File|fichier|file)\s*'(?<File>.*)'/
|
14
|
+
@re_folder = /(?:Folder|dossier|folder)\s*'(?<Folder>.*)'/
|
15
|
+
@eventId_files_set = Set.new [
|
16
|
+
# "L'utilisateur a chiffré avec succès le fichier '%2' en mode auto-déchiffrable."
|
17
|
+
# "File '%2' has been successfully encrypted (auto-decrypt mode)."
|
18
|
+
18_300,
|
19
|
+
# "Le chiffrement du fichier '%2' en mode auto-déchiffrable a échoué."
|
20
|
+
# "File '%2' encryption (auto-decrypt mode) has failed."
|
21
|
+
18_301,
|
22
|
+
# "File '%2' was successfully encrypted (SmartFILE? mode)."
|
23
|
+
# "L'utilisateur a chiffré avec succès le fichier '%2' en utilisant SecurityBOX? SmartFile?."
|
24
|
+
18_304,
|
25
|
+
# "File '%2' encryption (SmartFILE? mode) has failed."
|
26
|
+
# "Le chiffrement du fichier '%2' en utilisant SecurityBOX? SmartFile? a échoué."
|
27
|
+
18_305,
|
28
|
+
# "L'utilisateur a chiffré avec succès le fichier '%2' pour les correspondants suivants : %r%3."
|
29
|
+
# "File '%2' has been successfully encrypted for the following recipients: %r%3."
|
30
|
+
18_308,
|
31
|
+
# "File '%2' encryption has failed for the following recipients: %r%3."
|
32
|
+
# "Le chiffrement du fichier '%2' pour les correspondants suivants a échoué : %r%3."
|
33
|
+
18_309,
|
34
|
+
# "Les collaborateurs suivants ont été ajoutés avec succès au fichier '%2' :%r%3."
|
35
|
+
# "These coworkers have been added successfully to the file '%2' :%r%3."
|
36
|
+
18_312,
|
37
|
+
# "These coworkers could not be added to the file '%2' : %r%3."
|
38
|
+
# "L'ajout des collaborateurs suivants au fichier '%2' a échoué :%r%3."
|
39
|
+
18_313,
|
40
|
+
# "Les collaborateurs suivants ont été supprimés avec succès du fichier '%2' :%r%3."
|
41
|
+
# "These coworkers have been removed successfully from the file '%2':%r%3."
|
42
|
+
18_314,
|
43
|
+
# "La suppression des collaborateurs suivants du fichier '%2' a échoué : %r%3."
|
44
|
+
# "These coworkers could not be removed from the file '%2': %r%3."
|
45
|
+
18_315,
|
46
|
+
# "L'utilisateur a chiffré le fichier '%2' avec succès."
|
47
|
+
# "File '%2' has been successfully encrypted."
|
48
|
+
18_700,
|
49
|
+
# "Le chiffrement du fichier '%2' a échoué."
|
50
|
+
# "File '%2' encryption has failed."
|
51
|
+
18_701,
|
52
|
+
# "L'utilisateur a déchiffré le fichier '%2' avec succès."
|
53
|
+
# "File '%2' has been successfully decrypted."
|
54
|
+
18_702,
|
55
|
+
# "Le déchiffrement du fichier '%2' a échoué."
|
56
|
+
# "File '%2' decryption has failed."
|
57
|
+
18_703
|
58
|
+
]
|
59
|
+
|
60
|
+
@eventId_folders_set = Set.new [
|
61
|
+
# "L'utilisateur a chiffré avec succès le dossier '%2' en mode auto-déchiffrable."
|
62
|
+
# "Folder '%2' has been successfully encrypted (auto-decrypt mode)."
|
63
|
+
18_302,
|
64
|
+
# "Le chiffrement du dossier '%2' en mode auto-déchiffrable a échoué."
|
65
|
+
# "Folder '%2' decryption (auto-decrypt mode) has failed."
|
66
|
+
18_303,
|
67
|
+
# "Folder '%2' has been successfully encrypted (SmartFILE? mode)."
|
68
|
+
# "L'utilisateur a chiffré avec succès le dossier '%2' en utilisant SecurityBOX? SmartFile?."
|
69
|
+
18_306,
|
70
|
+
# "Folder '%2' encryption (SmartFILE? mode) failed."
|
71
|
+
# "Le chiffrement du dossier '%2' en utilisant SecurityBOX? SmartFile? a échoué."
|
72
|
+
18_307,
|
73
|
+
# "L'utilisateur a chiffré avec succès le dossier '%2' pour les correspondants suivants : %r%3."
|
74
|
+
# "Folder '%2' has been successfully encrypted for the following recipients: %r%3."
|
75
|
+
18_310,
|
76
|
+
# "Le chiffrement du dossier '%2' pour les correspondants suivants a échoué: %r%3."
|
77
|
+
# "Folder '%2' encryption has failed for the following recipients: %r%3."
|
78
|
+
18_311
|
79
|
+
]
|
80
|
+
end # def register
|
81
|
+
|
82
|
+
public
|
83
|
+
|
84
|
+
def filter(event)
|
85
|
+
eventId = event.get('EventID')
|
86
|
+
# Try to extract the header/description
|
87
|
+
m = @re_msg.match(event.get('Message'))
|
88
|
+
if m
|
89
|
+
event.set('userFullName', m['userFullName'])
|
90
|
+
event.set('msg', m['description'])
|
91
|
+
event.remove('Message')
|
92
|
+
end
|
93
|
+
|
94
|
+
# Assign category name in EN function of event id range
|
95
|
+
if eventId
|
96
|
+
eventId = eventId.to_i
|
97
|
+
case eventId
|
98
|
+
when 300..699 then event.set('Category', 'Administration')
|
99
|
+
when 700..1099 then event.set('Category', 'Directory administration')
|
100
|
+
when 1100..1499 then event.set('Category', 'CRL administration')
|
101
|
+
when 8300..8699 then event.set('Category', 'Volume management')
|
102
|
+
when 18_300..18_699 then event.set('Category', 'Encryption / Decryption to')
|
103
|
+
when 18_700..19_099 then event.set('Category', 'Encryption / Decryption')
|
104
|
+
when 25_300..25_699 then event.set('Category', 'Start / Stop')
|
105
|
+
when 25_700..26_099 then event.set('Category', 'Network')
|
106
|
+
when 26_100..26_499 then event.set('Category', 'Card Extension')
|
107
|
+
when 31_300..31_699 then event.set('Category', 'Login / Logout')
|
108
|
+
when 31_700..32_099 then event.set('Category', 'Account administration')
|
109
|
+
when 32_100..32_499 then event.set('Category', 'Key management')
|
110
|
+
when 32_500..32_899 then event.set('Category', 'Keystore administration')
|
111
|
+
when 39_300..39_699 then event.set('Category', 'Send / Receive')
|
112
|
+
when 47_300..47_499 then event.set('Category', 'Sign / Signature')
|
113
|
+
when 49_300..49_699 then event.set('Category', 'Rule management')
|
114
|
+
when 49_700..50_099 then event.set('Category', 'Encryption / Decryption')
|
115
|
+
when 50_100..50_499 then event.set('Category', 'Backup / Restore')
|
116
|
+
when 50_500..50_899 then event.set('Category', 'Driver message')
|
117
|
+
else
|
118
|
+
event.set('Category', "Umanaged category: '" + event.get('Category') + "'")
|
119
|
+
end
|
120
|
+
|
121
|
+
# Capture file or folder name for file events
|
122
|
+
m = nil
|
123
|
+
if @eventId_files_set.include?(eventId)
|
124
|
+
m = @re_file.match(event.get('msg'))
|
125
|
+
if m
|
126
|
+
event.set('file', m['File'])
|
127
|
+
end
|
128
|
+
elsif @eventId_folders_set.include?(eventId)
|
129
|
+
m = @re_folder.match(event.get('msg'))
|
130
|
+
if m
|
131
|
+
event.set('folder', m['Folder'])
|
132
|
+
end
|
133
|
+
end
|
134
|
+
end
|
135
|
+
|
136
|
+
# filter_matched should go in the last line of our successful code
|
137
|
+
filter_matched(event)
|
138
|
+
end # def filter
|
139
|
+
end # class LogStash::Filters::SDS
|
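Review bot: line 118 raises `TypeError` for any event whose EventID falls outside every range and that carries no `Category` field, because `"Umanaged category: '" + event.get('Category') + "'"` concatenates nil; string interpolation (`"Unmanaged category: '#{event.get('Category')}'"`) avoids the crash and fixes the "Umanaged" typo (the spec asserts the misspelling at its line 164, so update both). Line 12: `[^(?:\s{2}|\r{2})]` is a negated character class, not a group, so it merely forbids any of `( ? : { 2 } | )`, whitespace and CR as the last character of `userFullName` and never checks for two consecutive separators; a lazy `.*?` followed by the separator alternation is what was meant. On the same line, `[^"]*` stops `description` at the first double quote, so a message or file name containing `"` is silently truncated. Line 91 deletes the raw `Message` once parsed; for an audit trail it is safer to keep it (or copy it to a separate field) so the original event is still recoverable when the regexes mis-parse. The label "Encryption / Decryption to" at line 102 reads as truncated; confirm the intended wording.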
@@ -0,0 +1,23 @@
|
|
1
|
+
Gem::Specification.new do |s|
|
2
|
+
s.name = 'logstash-filter-SDS'
|
3
|
+
s.version = '1.0.0'
|
4
|
+
s.licenses = ['Apache License (2.0)']
|
5
|
+
s.summary = "SDS filter."
|
6
|
+
s.description = "SDS filter"
|
7
|
+
s.authors = ["Stormshield"]
|
8
|
+
s.email = 'svc@stormshield.eu'
|
9
|
+
s.homepage = "https://www.stormshield.eu"
|
10
|
+
s.require_paths = ["lib"]
|
11
|
+
|
12
|
+
# Files
|
13
|
+
s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
|
14
|
+
# Tests
|
15
|
+
s.test_files = s.files.grep(%r{^(test|spec|features)/})
|
16
|
+
|
17
|
+
# Special flag to let us know this is actually a logstash plugin
|
18
|
+
s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
|
19
|
+
|
20
|
+
# Gem dependencies
|
21
|
+
s.add_runtime_dependency 'logstash-core-plugin-api', '>= 1.60', '<= 2.99'
|
22
|
+
s.add_development_dependency "logstash-devutils", "= 1.3.4"
|
23
|
+
end
|
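Review bot: line 4's `s.licenses = ['Apache License (2.0)']` is not an SPDX identifier; RubyGems expects `Apache-2.0` (the generated `metadata` in this diff carries the same free-text string). Lines 5–6 set `summary` and `description` to "SDS filter", which tells a rubygems.org visitor nothing; one sentence naming Stormshield Data Security Windows event logs and the fields extracted would do. Style: the gem name and `config_name 'SDS'` are uppercase while bundled Logstash plugins use lowercase names, so pipeline authors must write `SDS {}`; consider `sds`.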
@@ -0,0 +1,224 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
|
3
|
+
require 'logstash/devutils/rspec/spec_helper'
|
4
|
+
require 'logstash/filters/SDS'
|
5
|
+
|
6
|
+
describe LogStash::Filters::SDS do
|
7
|
+
describe 'SDS log analyser' do
|
8
|
+
unmanagedCategory = 'an unmanaged category'
|
9
|
+
let(:config) do
|
10
|
+
<<-CONFIG
|
11
|
+
filter {
|
12
|
+
SDS {
|
13
|
+
}
|
14
|
+
}
|
15
|
+
CONFIG
|
16
|
+
end
|
17
|
+
|
18
|
+
# Test re_msg
|
19
|
+
[
|
20
|
+
{
|
21
|
+
'message' => "Message=\"Stormshield Data Security Login: Amelia\r\rDescription:\rCOMMON_NAME_REVOKE option: Value: ALL Access FALSE",
|
22
|
+
'expectedUserFullName' => 'Amelia',
|
23
|
+
'expectedMsg' => 'COMMON_NAME_REVOKE option: Value: ALL Access FALSE'
|
24
|
+
},
|
25
|
+
{
|
26
|
+
'message' => "Message=\"Stormshield Data Security Login: Emily\r\rDescription:\rThe Stormshield Data Security account or card is blocked.\" Category=\"Login / Logout\" Opcode=ERROR EventReceivedTime=1458835949 SourceModuleName=SDS_events SourceModuleType=im_msvistalog",
|
27
|
+
'expectedUserFullName' => 'Emily',
|
28
|
+
'expectedMsg' => 'The Stormshield Data Security account or card is blocked.'
|
29
|
+
},
|
30
|
+
{
|
31
|
+
'message' => "Message=\"Identifiant Stormshield Data Security : Emily\r\rDescription :\rThe Stormshield Data Security account or card is blocked.\" Category=\"Login / Logout\" Opcode=ERROR EventReceivedTime=1458835949 SourceModuleName=SDS_events SourceModuleType=im_msvistalog",
|
32
|
+
'expectedUserFullName' => 'Emily',
|
33
|
+
'expectedMsg' => 'The Stormshield Data Security account or card is blocked.'
|
34
|
+
},
|
35
|
+
{
|
36
|
+
'message' => "Stormshield Data Security Login: Bruno THILL\r\rDescription:\rUpdate of the CRL C:\\ProgramData\\Arkoon\\Security BOX\\Users\\bruno thill\\bruno thill.bcrl has been successful.",
|
37
|
+
'expectedUserFullName' => 'Bruno THILL',
|
38
|
+
'expectedMsg' => 'Update of the CRL C:\\ProgramData\\Arkoon\\Security BOX\\Users\\bruno thill\\bruno thill.bcrl has been successful.'
|
39
|
+
},
|
40
|
+
{
|
41
|
+
'message' => "Stormshield Data Security Login: Bruno THILL\r\rDescription:\rDownload of the security policy from 'http://sbam.arkoon.net/update-users-fr/Bruno%20THILL/Bruno%20THILL.usx'.",
|
42
|
+
'expectedUserFullName' => 'Bruno THILL',
|
43
|
+
'expectedMsg' => "Download of the security policy from 'http://sbam.arkoon.net/update-users-fr/Bruno%20THILL/Bruno%20THILL.usx'."
|
44
|
+
},
|
45
|
+
{
|
46
|
+
'message' => "Stormshield Data Security Login: THILL Bruno\r\rDescription:\rError while trying to open the file 'E:\\USERS\\BTHILL\\DOCUMENTS\\TESTS VERSION 9.1\\屜尯CARACTÈRES UNICODE - UTF-16 - あいおと - NOMS LONGS TEAM 8.0.6\\尯屜あいお尯あうおあい - COPIE - COPI - COPIE (68).DOC' using 'SBKRNL.EXE'.",
|
47
|
+
'expectedUserFullName' => 'THILL Bruno',
|
48
|
+
'expectedMsg' => "Error while trying to open the file 'E:\\USERS\\BTHILL\\DOCUMENTS\\TESTS VERSION 9.1\\屜尯CARACTÈRES UNICODE - UTF-16 - あいおと - NOMS LONGS TEAM 8.0.6\\尯屜あいお尯あうおあい - COPIE - COPI - COPIE (68).DOC' using 'SBKRNL.EXE'."
|
49
|
+
},
|
50
|
+
{
|
51
|
+
'message' => "Stormshield Data Security Login: N/A\r\rDescription:\rCOMMON_NAME_REVOKE option: Value: ALL Access FALSE",
|
52
|
+
'expectedUserFullName' => 'N/A',
|
53
|
+
'expectedMsg' => 'COMMON_NAME_REVOKE option: Value: ALL Access FALSE'
|
54
|
+
},
|
55
|
+
{
|
56
|
+
'message' => "Stormshield Data Security Login: N/A\r\rDescription:%COMMON_NAME_NOT_ON_LDAP option: Value: ALL Access FALSE",
|
57
|
+
'expectedUserFullName' => 'N/A',
|
58
|
+
'expectedMsg' => '%COMMON_NAME_NOT_ON_LDAP option: Value: ALL Access FALSE'
|
59
|
+
},
|
60
|
+
{
|
61
|
+
'message' => "Stormshield Data Security Login: Bruno THILL\r\rDescription:\rThe user logged out its Stormshield Data Security keystore.",
|
62
|
+
'expectedUserFullName' => 'Bruno THILL',
|
63
|
+
'expectedMsg' => 'The user logged out its Stormshield Data Security keystore.'
|
64
|
+
},
|
65
|
+
{
|
66
|
+
'message' => "Stormshield Data Security Login: Bruno THILL\r\rDescription:\rThe user logged on its Stormshield Data Security keystore.",
|
67
|
+
'expectedUserFullName' => 'Bruno THILL',
|
68
|
+
'expectedMsg' => 'The user logged on its Stormshield Data Security keystore.'
|
69
|
+
},
|
70
|
+
{
|
71
|
+
'message' => "Stormshield Data Security Login: THILL Bruno\r\rDescription:\rTeam service request failed: 'C:\\TMP\\TESTTEST\\CHALLENGE.DOCX.SBCLOUD|TEAMOFB (4)' using 'explorer.exe'.",
|
72
|
+
'expectedUserFullName' => 'THILL Bruno',
|
73
|
+
'expectedMsg' => "Team service request failed: 'C:\\TMP\\TESTTEST\\CHALLENGE.DOCX.SBCLOUD|TEAMOFB (4)' using 'explorer.exe'."
|
74
|
+
},
|
75
|
+
{
|
76
|
+
'message' => "Stormshield Data Security Login: THILL Bruno\r\rDescription:\rAutomatic volume mounting'E:\\Users\\bthill\\Documents\\Tests Version 9.1\\9.1.vbox' has been successfully operated on 'Z:\\' in 'RW' mode.",
|
77
|
+
'expectedUserFullName' => 'THILL Bruno',
|
78
|
+
'expectedMsg' => "Automatic volume mounting'E:\\Users\\bthill\\Documents\\Tests Version 9.1\\9.1.vbox' has been successfully operated on 'Z:\\' in 'RW' mode."
|
79
|
+
},
|
80
|
+
{
|
81
|
+
'message' => "Identifiant Stormshield Data Security : Jocelyn KRYSTLIK\r\rDescription :\rLe déverrouillage de la session Stormshield Data Security de l'utilisateur s'est déroulé normalement.",
|
82
|
+
'expectedUserFullName' => 'Jocelyn KRYSTLIK',
|
83
|
+
'expectedMsg' => "Le déverrouillage de la session Stormshield Data Security de l'utilisateur s'est déroulé normalement."
|
84
|
+
},
|
85
|
+
{
|
86
|
+
'message' => "Identifiant Stormshield Data Security : Jocelyn KRYSTLIK Description : La demande au service Team a échoué : ''\\\\ARKOON.NET\\BAOBAB\\SHARE\\JPC\\SECURED\\SBOXTEAM.SBT|TEAMOFB (7)'' par ''SBKRNL.EXE''.",
|
87
|
+
'expectedUserFullName' => 'Jocelyn KRYSTLIK',
|
88
|
+
'expectedMsg' => "La demande au service Team a échoué : ''\\\\ARKOON.NET\\BAOBAB\\SHARE\\JPC\\SECURED\\SBOXTEAM.SBT|TEAMOFB (7)'' par ''SBKRNL.EXE''."
|
89
|
+
},
|
90
|
+
{
|
91
|
+
'message' => "Stormshield Data Security Login: Oscar\\\\r\\\\rDescription:\\\\rRépertoire d'installation : C:\\Program Files\\Arkoon\\Security BOX",
|
92
|
+
'expectedUserFullName' => 'Oscar',
|
93
|
+
'expectedMsg' => "Répertoire d'installation : C:\\Program Files\\Arkoon\\Security BOX"
|
94
|
+
},
|
95
|
+
].each do |test|
|
96
|
+
sample('Message' => test['message']) do
|
97
|
+
expect(subject.get('userFullName')).to eq(test['expectedUserFullName'])
|
98
|
+
expect(subject.get('msg')).to eq test['expectedMsg']
|
99
|
+
end
|
100
|
+
end
|
101
|
+
|
102
|
+
# Test that category is well replaced by EN value
|
103
|
+
sample(
|
104
|
+
'Category' => 'Installation de la Suite Stormshield Data Security',
|
105
|
+
'EventID' => '301',
|
106
|
+
) do
|
107
|
+
expect(subject.get('Category')).to eq('Administration')
|
108
|
+
end
|
109
|
+
|
110
|
+
# Test a full syslog message
|
111
|
+
sample('Message' => "id=datasecurity AccountName=\"Amelia\" AccountType=User Category=\"Directory administration\" Channel=\"Stormshield Data Security\" Domain=domain.local EventID=728 EventReceivedTime=1471940690 EventTime=\"2016-08-23 08:24:50\" EventType=INFO HostIP=\"10.0.100.11\" Hostname=\"pc11\" Keywords=36028797018963968 Message=\"Stormshield Data Security Login: Amelia\r\rDescription:\rCOMMON_NAME_REVOKE option: Value: ALL Access FALSE\" Opcode=Informations ProcessID=0 RecordNumber=541 Severity=INFO SeverityValue=2 SourceModuleName=SDS_events SourceModuleType=im_msvistalog SourceName=\"Administration\" Task=6 ThreadID=0 UserID=S-1-5-21-1986321934-3787518990-59020978-1000\"") do
|
112
|
+
expect(subject.get('userFullName')).to eq('Amelia')
|
113
|
+
expect(subject.get('msg')).to eq 'COMMON_NAME_REVOKE option: Value: ALL Access FALSE'
|
114
|
+
end
|
115
|
+
|
116
|
+
# Test categories from event id
|
117
|
+
{
|
118
|
+
"300" => "Administration",
|
119
|
+
"699'" => "Administration",
|
120
|
+
"700'" => "Directory administration",
|
121
|
+
"1099'" => "Directory administration",
|
122
|
+
"1100'" => "CRL administration",
|
123
|
+
"1499'" => "CRL administration",
|
124
|
+
"8300'" => "Volume management",
|
125
|
+
"8699'" => "Volume management",
|
126
|
+
"18300" => "Encryption / Decryption to",
|
127
|
+
"18699" => "Encryption / Decryption to",
|
128
|
+
"18700" => "Encryption / Decryption",
|
129
|
+
"19099" => "Encryption / Decryption",
|
130
|
+
"25300" => "Start / Stop",
|
131
|
+
"25699" => "Start / Stop",
|
132
|
+
"25700" => "Network",
|
133
|
+
"26099" => "Network",
|
134
|
+
"26100" => "Card Extension",
|
135
|
+
"26499" => "Card Extension",
|
136
|
+
"31300" => "Login / Logout",
|
137
|
+
"31699" => "Login / Logout",
|
138
|
+
"31700" => "Account administration",
|
139
|
+
"32099" => "Account administration",
|
140
|
+
"32100" => "Key management",
|
141
|
+
"32499" => "Key management",
|
142
|
+
"32500" => "Keystore administration",
|
143
|
+
"32899" => "Keystore administration",
|
144
|
+
"39300" => "Send / Receive",
|
145
|
+
"39699" => "Send / Receive",
|
146
|
+
"47300" => "Sign / Signature",
|
147
|
+
"47499" => "Sign / Signature",
|
148
|
+
"49300" => "Rule management",
|
149
|
+
"49699" => "Rule management",
|
150
|
+
"49700" => "Encryption / Decryption",
|
151
|
+
"50099" => "Encryption / Decryption",
|
152
|
+
"50100" => "Backup / Restore",
|
153
|
+
"50499" => "Backup / Restore",
|
154
|
+
"50500" => "Driver message",
|
155
|
+
"50899" => "Driver message"
|
156
|
+
}.each do |eventID, category|
|
157
|
+
sample('EventID' => eventID) do
|
158
|
+
expect(subject.get('Category')).to eq(category)
|
159
|
+
end
|
160
|
+
end
|
161
|
+
|
162
|
+
# Test unmamaged category
|
163
|
+
sample('EventID' => '50900', 'Category' => unmanagedCategory) do
|
164
|
+
expect(subject.get('Category')).to eq("Umanaged category: '" + unmanagedCategory + "'")
|
165
|
+
end
|
166
|
+
|
167
|
+
# Test file events
|
168
|
+
{
|
169
|
+
"18703" => "File 'A fake file' decryption has failed.",
|
170
|
+
"18301" => "File 'A fake file' encryption (auto-decrypt mode) has failed.",
|
171
|
+
"18305" => "File 'A fake file' encryption (SmartFILE? mode) has failed.",
|
172
|
+
"18309" => "File 'A fake file' encryption has failed for the following recipients: %r%3.",
|
173
|
+
"18701" => "File 'A fake file' encryption has failed.",
|
174
|
+
"18702" => "File 'A fake file' has been successfully decrypted.",
|
175
|
+
"18300" => "File 'A fake file' has been successfully encrypted (auto-decrypt mode).",
|
176
|
+
"18308" => "File 'A fake file' has been successfully encrypted for the following recipients: %r%3.",
|
177
|
+
"18700" => "File 'A fake file' has been successfully encrypted.",
|
178
|
+
"18304" => "File 'A fake file' was successfully encrypted (SmartFILE? mode).",
|
179
|
+
"18313" => "L'ajout des collaborateurs suivants au fichier 'A fake file' a échoué :%r%3.",
|
180
|
+
"18300" => "L'utilisateur a chiffré avec succès le fichier 'A fake file' en mode auto-déchiffrable.",
|
181
|
+
"18304" => "L'utilisateur a chiffré avec succès le fichier 'A fake file' en utilisant SecurityBOX? SmartFile?.",
|
182
|
+
"18308" => "L'utilisateur a chiffré avec succès le fichier 'A fake file' pour les correspondants suivants : %r%3.",
|
183
|
+
"18700" => "L'utilisateur a chiffré le fichier 'A fake file' avec succès.",
|
184
|
+
"18702" => "L'utilisateur a déchiffré le fichier 'A fake file' avec succès.",
|
185
|
+
"18315" => "La suppression des collaborateurs suivants du fichier 'A fake file' a échoué : %r%3.",
|
186
|
+
"18701" => "Le chiffrement du fichier 'A fake file' a échoué.",
|
187
|
+
"18301" => "Le chiffrement du fichier 'A fake file' en mode auto-déchiffrable a échoué.",
|
188
|
+
"18305" => "Le chiffrement du fichier 'A fake file' en utilisant SecurityBOX? SmartFile? a échoué.",
|
189
|
+
"18309" => "Le chiffrement du fichier 'A fake file' pour les correspondants suivants a échoué : %r%3.",
|
190
|
+
"18703" => "Le déchiffrement du fichier 'A fake file' a échoué.",
|
191
|
+
"18312" => "Les collaborateurs suivants ont été ajoutés avec succès au fichier 'A fake file' :%r%3.",
|
192
|
+
"18314" => "Les collaborateurs suivants ont été supprimés avec succès du fichier 'A fake file' :%r%3.",
|
193
|
+
"18313" => "These coworkers could not be added to the file 'A fake file' : %r%3.",
|
194
|
+
"18315" => "These coworkers could not be removed from the file 'A fake file': %r%3.",
|
195
|
+
"18312" => "These coworkers have been added successfully to the file 'A fake file' :%r%3.",
|
196
|
+
"18314" => "These coworkers have been removed successfully from the file 'A fake file':%r%3.",
|
197
|
+
}.each do |eventID, message|
|
198
|
+
sample('EventID' => eventID, 'Message' => "Stormshield Data Security Login: A fake login\r\rDescription:\r" + message) do
|
199
|
+
expect(subject.get('file')).to eq('A fake file')
|
200
|
+
end
|
201
|
+
end
|
202
|
+
|
203
|
+
# Test folder events
|
204
|
+
{
|
205
|
+
"18303" => "Folder 'A fake folder' decryption (auto-decrypt mode) has failed.",
|
206
|
+
"18307" => "Folder 'A fake folder' encryption (SmartFILE? mode) failed.",
|
207
|
+
"18311" => "Folder 'A fake folder' encryption has failed for the following recipients: %r%3.",
|
208
|
+
"18302" => "Folder 'A fake folder' has been successfully encrypted (auto-decrypt mode).",
|
209
|
+
"18306" => "Folder 'A fake folder' has been successfully encrypted (SmartFILE? mode).",
|
210
|
+
"18310" => "Folder 'A fake folder' has been successfully encrypted for the following recipients: %r%3.",
|
211
|
+
"18302" => "L'utilisateur a chiffré avec succès le dossier 'A fake folder' en mode auto-déchiffrable.",
|
212
|
+
"18306" => "L'utilisateur a chiffré avec succès le dossier 'A fake folder' en utilisant SecurityBOX? SmartFile?.",
|
213
|
+
"18310" => "L'utilisateur a chiffré avec succès le dossier 'A fake folder' pour les correspondants suivants : %r%3.",
|
214
|
+
"18303" => "Le chiffrement du dossier 'A fake folder' en mode auto-déchiffrable a échoué.",
|
215
|
+
"18307" => "Le chiffrement du dossier 'A fake folder' en utilisant SecurityBOX? SmartFile? a échoué.",
|
216
|
+
"18311" => "Le chiffrement du dossier 'A fake folder' pour les correspondants suivants a échoué: %r%3.",
|
217
|
+
}.each do |eventID, message|
|
218
|
+
sample('EventID' => eventID, 'Message' => "Stormshield Data Security Login: A fake login\r\rDescription:\r" + message) do
|
219
|
+
expect(subject.get('folder')).to eq('A fake folder')
|
220
|
+
end
|
221
|
+
end
|
222
|
+
|
223
|
+
end
|
224
|
+
end
|
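Review bot: the "Test file events" hash (lines 168–197) and the "Test folder events" hash (lines 204–217) repeat every key, once with the English message and once with the French one (`"18703"` at lines 169 and 190, `"18301"` at 170 and 187, `"18303"` at 205 and 214, and so on). A Ruby hash literal keeps only the last value for a duplicated key, so the first occurrence of each pair is never fed to the filter and the suite silently covers about half the messages it lists; use an array of `[eventID, message]` pairs (or one hash per language) so every case actually runs. Lines 119–125 carry a stray apostrophe in the keys (`"699'"`, `"700'"`, …, `"8699'"`); these only pass because the filter's `eventId.to_i` drops the trailing character, so the numeric inputs the test appears to cover are not what is exercised. Missing cases: an event whose EventID is outside every range and that has no `Category` field (the filter's `else` branch concatenates nil there), and an event with no `Message` at all. Typo at line 162: "unmamaged".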
data/spec/spec_helper.rb
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
require "logstash/devutils/rspec/spec_helper"
|
metadata
ADDED
@@ -0,0 +1,92 @@
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
2
|
+
name: logstash-filter-SDS
|
3
|
+
version: !ruby/object:Gem::Version
|
4
|
+
version: 1.0.0
|
5
|
+
platform: ruby
|
6
|
+
authors:
|
7
|
+
- Stormshield
|
8
|
+
autorequire:
|
9
|
+
bindir: bin
|
10
|
+
cert_chain: []
|
11
|
+
date: 2018-09-17 00:00:00.000000000 Z
|
12
|
+
dependencies:
|
13
|
+
- !ruby/object:Gem::Dependency
|
14
|
+
requirement: !ruby/object:Gem::Requirement
|
15
|
+
requirements:
|
16
|
+
- - ">="
|
17
|
+
- !ruby/object:Gem::Version
|
18
|
+
version: '1.60'
|
19
|
+
- - "<="
|
20
|
+
- !ruby/object:Gem::Version
|
21
|
+
version: '2.99'
|
22
|
+
name: logstash-core-plugin-api
|
23
|
+
prerelease: false
|
24
|
+
type: :runtime
|
25
|
+
version_requirements: !ruby/object:Gem::Requirement
|
26
|
+
requirements:
|
27
|
+
- - ">="
|
28
|
+
- !ruby/object:Gem::Version
|
29
|
+
version: '1.60'
|
30
|
+
- - "<="
|
31
|
+
- !ruby/object:Gem::Version
|
32
|
+
version: '2.99'
|
33
|
+
- !ruby/object:Gem::Dependency
|
34
|
+
requirement: !ruby/object:Gem::Requirement
|
35
|
+
requirements:
|
36
|
+
- - '='
|
37
|
+
- !ruby/object:Gem::Version
|
38
|
+
version: 1.3.4
|
39
|
+
name: logstash-devutils
|
40
|
+
prerelease: false
|
41
|
+
type: :development
|
42
|
+
version_requirements: !ruby/object:Gem::Requirement
|
43
|
+
requirements:
|
44
|
+
- - '='
|
45
|
+
- !ruby/object:Gem::Version
|
46
|
+
version: 1.3.4
|
47
|
+
description: SDS filter
|
48
|
+
email: svc@stormshield.eu
|
49
|
+
executables: []
|
50
|
+
extensions: []
|
51
|
+
extra_rdoc_files: []
|
52
|
+
files:
|
53
|
+
- CHANGELOG.md
|
54
|
+
- CONTRIBUTORS
|
55
|
+
- DEVELOPER.md
|
56
|
+
- Gemfile
|
57
|
+
- LICENSE
|
58
|
+
- NOTICE.TXT
|
59
|
+
- README.md
|
60
|
+
- lib/logstash/filters/SDS.rb
|
61
|
+
- logstash-filter-SDS.gemspec
|
62
|
+
- spec/filters/SDS_spec.rb
|
63
|
+
- spec/spec_helper.rb
|
64
|
+
homepage: https://www.stormshield.eu
|
65
|
+
licenses:
|
66
|
+
- Apache License (2.0)
|
67
|
+
metadata:
|
68
|
+
logstash_plugin: 'true'
|
69
|
+
logstash_group: filter
|
70
|
+
post_install_message:
|
71
|
+
rdoc_options: []
|
72
|
+
require_paths:
|
73
|
+
- lib
|
74
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
75
|
+
requirements:
|
76
|
+
- - ">="
|
77
|
+
- !ruby/object:Gem::Version
|
78
|
+
version: '0'
|
79
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
80
|
+
requirements:
|
81
|
+
- - ">="
|
82
|
+
- !ruby/object:Gem::Version
|
83
|
+
version: '0'
|
84
|
+
requirements: []
|
85
|
+
rubyforge_project:
|
86
|
+
rubygems_version: 2.4.8
|
87
|
+
signing_key:
|
88
|
+
specification_version: 4
|
89
|
+
summary: SDS filter.
|
90
|
+
test_files:
|
91
|
+
- spec/filters/SDS_spec.rb
|
92
|
+
- spec/spec_helper.rb
|
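Review bot: `cert_chain: []` (line 10) and the empty `signing_key:` (line 87) mean the gem is unsigned; consumers can compare the SHA1/SHA512 digests in checksums.yaml against the archive but cannot verify who published it. For a plugin that sits in the path of security event logs, setting `signing_key` and `cert_chain` in the gemspec so the release is signed is worth the effort. Line 66 repeats the non-SPDX license string from the gemspec (`Apache License (2.0)` should be `Apache-2.0`), and `rubygems_version: 2.4.8` at line 86 indicates the gem was built with an old RubyGems for a 2018-09-17 release; building with a current JRuby would refresh both.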