logstash-filter-SES 2.0.0

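--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: f99a2c1549f84f79343c4142d810209f27923251
+data.tar.gz: 6a3f87ae148e8004b99596817746e5a7a51c48ae
+SHA512:
+metadata.gz: 540ff2577e55f8956c889dd1cdf7b8a68050284a67dea256333a735d321d2ea30e5340b58f0f49ad874209c7940068c5edaf6f8ff273526cdfb9f2629c6df072
+data.tar.gz: b358dbc754aa49ad35cb5c1a1bed993a9d1cec3cacbb931733fc19c19971b31a0a217eb1b322663d2875bcf8725352dbae69629eacec8398c2316c0aec06aff3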
data/CHANGELOG.md ADDED
File without changes
data/CONTRIBUTORS ADDED
File without changes
data/DEVELOPER.md ADDED
File without changes
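--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec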
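--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,14 @@
+Copyright (c) 2012-2018 Elasticsearch <http://www.elastic.co>
+Copyright (c) 2018 Stormshield <https://www.stormshield.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.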
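--- a/data/NOTICE.TXT
+++ b/data/NOTICE.TXT
@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).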
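--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,71 @@
+# Logstash Stormshield SES Plugin
+
+## Documentation
+
+This logstash plugin provides support for Stormshield Endpoint Security logs:
+- On _EXT-BLK_ event status, split source and destination file extension into two keys:
+- *source_extension*
+- *target_extension*
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+- If you work behind a proxy:
+- add the environment variable `export HTTP_PROXY=http://<hostname>:<port>`
+- add the environment variable `export HTTPS_PROXY=http://<hostname>:<port>`
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-SES", :path => "/your/local/logstash-filter-SES"
+```
+- Install plugin
+```sh
+bin/plugin install --no-verify
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {SES {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-SES.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+bin/plugin install /your/local/plugin/logstash-filter-SES.gem
+```
+- Start Logstash and proceed to test the plugin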
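--- a/data/lib/logstash/filters/SES.rb
+++ b/data/lib/logstash/filters/SES.rb
@@ -0,0 +1,33 @@
+# encoding: utf-8
+require 'set'
+require 'logstash/filters/base'
+require 'logstash/namespace'
+
+class LogStash::Filters::SES < LogStash::Filters::Base
+config_name 'SES'
+
+public
+def register
+@re_source = /\.(?<extension>[^\.\<]*)\<(?<certificat>[^\>]*)\>\<(?<md5>[^\>]*)\>\<(?<sha1>[^\>]*)\>/
+@re_destination = /\.(?<extension>[^\.]*)$/
+end # def register
+
+public
+def filter(event)
+
+if event.get('status') == 'EXT-BLK'
+# Try to extract the file extensions
+m = @re_source.match(event.get('source'))
+if m
+event.set('source_extension', m['extension'])
+end
+m = @re_destination.match(event.get('dest'))
+if m
+event.set('target_extension', m['extension'])
+end
+end
+
+# filter_matched should go in the last line of our successful code
+filter_matched(event)
+end # def filter
+end # class LogStash::Filters::SES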
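--- a/data/logstash-filter-SES.gemspec
+++ b/data/logstash-filter-SES.gemspec
@@ -0,0 +1,23 @@
+Gem::Specification.new do |s|
+s.name = 'logstash-filter-SES'
+s.version = '2.0.0'
+s.licenses = ['Stormshield']
+s.summary = "SES filter."
+s.description = "SES filter"
+s.authors = ["Apache License (2.0)"]
+s.email = 'svc@stormshield.eu'
+s.homepage = "https://www.stormshield.eu"
+s.require_paths = ["lib"]
+
+# Files
+s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+# Tests
+s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+# Special flag to let us know this is actually a logstash plugin
+s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+# Gem dependencies
+s.add_runtime_dependency 'logstash-core-plugin-api', '>= 1.60', '<= 2.99'
+s.add_development_dependency "logstash-devutils", "= 1.3.4"
+end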
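--- a/data/spec/filters/SES_spec.rb
+++ b/data/spec/filters/SES_spec.rb
@@ -0,0 +1,62 @@
+# encoding: utf-8
+
+require 'logstash/devutils/rspec/spec_helper'
+require 'logstash/filters/SES'
+
+describe LogStash::Filters::SES do
+describe "should extract source and target extension if status is EXT-BLK" do
+let(:config) do <<-CONFIG
+filter {
+SES {
+}
+}
+CONFIG
+end
+
+sample(
+'status' => "EXT-BLK",
+'source' => "c:\\windows\\system32\\sndvol.exe<><><>",
+'dest' => "c:\\windows\\media\\windows ding.wav"
+) do
+expect(subject.get("source_extension")).to eq("exe")
+expect(subject.get("target_extension")).to eq("wav")
+end
+end
+
+describe "should extract last extension if dot present in string" do
+let(:config) do <<-CONFIG
+filter {
+SES {
+}
+}
+CONFIG
+end
+
+sample(
+'status' => "EXT-BLK",
+'source' => "c:\\windows\\system.32\\sndvol.exe<><><>",
+'dest' => "c:\\windows.net\\media\\windows ding.wav"
+) do
+expect(subject.get("source_extension")).to eq("exe")
+expect(subject.get("target_extension")).to eq("wav")
+end
+end
+
+describe "should do nothing if status is not EXT-BLK" do
+let(:config) do <<-CONFIG
+filter {
+SES {
+}
+}
+CONFIG
+end
+
+sample(
+'status' => "PROFIL-BLK",
+'source' => "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+) do
+expect(subject.get("source_extension")).to be_nil
+expect(subject.get("target_extension")).to be_nil
+end
+end
+end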
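--- a/data/spec/spec_helper.rb
+++ b/data/spec/spec_helper.rb
@@ -0,0 +1 @@
+require "logstash/devutils/rspec/spec_helper"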
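--- a/metadata
+++ b/metadata
@@ -0,0 +1,92 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-SES
+version: !ruby/object:Gem::Version
+version: 2.0.0
+platform: ruby
+authors:
+- Apache License (2.0)
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-11-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '1.60'
+- - "<="
+- !ruby/object:Gem::Version
+version: '2.99'
+name: logstash-core-plugin-api
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '1.60'
+- - "<="
+- !ruby/object:Gem::Version
+version: '2.99'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.3.4
+name: logstash-devutils
+prerelease: false
+type: :development
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '='
+- !ruby/object:Gem::Version
+version: 1.3.4
+description: SES filter
+email: svc@stormshield.eu
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/filters/SES.rb
+- logstash-filter-SES.gemspec
+- spec/filters/SES_spec.rb
+- spec/spec_helper.rb
+homepage: https://www.stormshield.eu
+licenses:
+- Stormshield
+metadata:
+logstash_plugin: 'true'
+logstash_group: filter
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
+specification_version: 4
+summary: SES filter.
+test_files:
+- spec/filters/SES_spec.rb
+- spec/spec_helper.rb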