logstash-filter-SES 2.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f99a2c1549f84f79343c4142d810209f27923251
+  data.tar.gz: 6a3f87ae148e8004b99596817746e5a7a51c48ae
+SHA512:
+  metadata.gz: 540ff2577e55f8956c889dd1cdf7b8a68050284a67dea256333a735d321d2ea30e5340b58f0f49ad874209c7940068c5edaf6f8ff273526cdfb9f2629c6df072
+  data.tar.gz: b358dbc754aa49ad35cb5c1a1bed993a9d1cec3cacbb931733fc19c19971b31a0a217eb1b322663d2875bcf8725352dbae69629eacec8398c2316c0aec06aff3

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,14 @@
+Copyright (c) 2012-2018 Elasticsearch <http://www.elastic.co>
+Copyright (c) 2018 Stormshield <https://www.stormshield.com>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -0,0 +1,71 @@
+# Logstash Stormshield SES Plugin
+
+## Documentation
+
+This logstash plugin provides support for Stormshield Endpoint Security logs:
+ - On _EXT-BLK_ event status, split source and destination file extension into two keys:
+   - *source_extension*
+   - *target_extension*
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+- If you work behind a proxy:
+  - add the environment variable `export HTTP_PROXY=http://<hostname>:<port>`
+  - add the environment variable `export HTTPS_PROXY=http://<hostname>:<port>`
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+- Update your dependencies
+
+```sh
+bundle install
+```
+
+- Run tests
+
+```sh
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-SES", :path => "/your/local/logstash-filter-SES"
+```
+- Install plugin
+```sh
+bin/plugin install --no-verify
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {SES {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-SES.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+bin/plugin install /your/local/plugin/logstash-filter-SES.gem
+```
+- Start Logstash and proceed to test the plugin

data/lib/logstash/filters/SES.rb

@@ -0,0 +1,33 @@
+# encoding: utf-8
+require 'set'
+require 'logstash/filters/base'
+require 'logstash/namespace'
+
+class LogStash::Filters::SES < LogStash::Filters::Base
+  config_name 'SES'
+
+  public
+  def register
+    @re_source = /\.(?<extension>[^\.\<]*)\<(?<certificat>[^\>]*)\>\<(?<md5>[^\>]*)\>\<(?<sha1>[^\>]*)\>/
+    @re_destination = /\.(?<extension>[^\.]*)$/
+  end # def register
+
+  public
+  def filter(event)
+
+    if event.get('status') == 'EXT-BLK'
+      # Try to extract the file extensions
+      m = @re_source.match(event.get('source'))
+      if m
+        event.set('source_extension', m['extension'])
+      end
+      m = @re_destination.match(event.get('dest'))
+      if m
+        event.set('target_extension', m['extension'])
+      end
+    end
+
+    # filter_matched should go in the last line of our successful code
+    filter_matched(event)
+  end # def filter
+end # class LogStash::Filters::SES

data/logstash-filter-SES.gemspec

@@ -0,0 +1,23 @@
+Gem::Specification.new do |s|
+  s.name = 'logstash-filter-SES'
+  s.version = '2.0.0'
+  s.licenses = ['Stormshield']
+  s.summary = "SES filter."
+  s.description = "SES filter"
+  s.authors = ["Apache License (2.0)"]
+  s.email = 'svc@stormshield.eu'
+  s.homepage = "https://www.stormshield.eu"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash-core-plugin-api', '>= 1.60', '<= 2.99'
+  s.add_development_dependency "logstash-devutils", "= 1.3.4"
+end

data/spec/filters/SES_spec.rb

@@ -0,0 +1,62 @@
+# encoding: utf-8
+
+require 'logstash/devutils/rspec/spec_helper'
+require 'logstash/filters/SES'
+
+describe LogStash::Filters::SES do
+  describe "should extract source and target extension if status is EXT-BLK" do
+    let(:config) do <<-CONFIG
+    filter {
+      SES {
+      }
+    }
+    CONFIG
+    end
+
+    sample(
+    'status' => "EXT-BLK",
+    'source' => "c:\\windows\\system32\\sndvol.exe<><><>",
+    'dest' => "c:\\windows\\media\\windows ding.wav"
+    ) do
+      expect(subject.get("source_extension")).to eq("exe")
+      expect(subject.get("target_extension")).to eq("wav")
+    end
+  end
+
+  describe "should extract last extension if dot present in string" do
+    let(:config) do <<-CONFIG
+    filter {
+      SES {
+      }
+    }
+    CONFIG
+    end
+
+    sample(
+    'status' => "EXT-BLK",
+    'source' => "c:\\windows\\system.32\\sndvol.exe<><><>",
+    'dest' => "c:\\windows.net\\media\\windows ding.wav"
+    ) do
+      expect(subject.get("source_extension")).to eq("exe")
+      expect(subject.get("target_extension")).to eq("wav")
+    end
+  end
+
+  describe "should do nothing if status is not EXT-BLK" do
+    let(:config) do <<-CONFIG
+    filter {
+      SES {
+      }
+    }
+    CONFIG
+    end
+
+    sample(
+    'status' => "PROFIL-BLK",
+    'source' => "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"
+    ) do
+      expect(subject.get("source_extension")).to be_nil
+      expect(subject.get("target_extension")).to be_nil
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1 @@
+require "logstash/devutils/rspec/spec_helper"

metadata

@@ -0,0 +1,92 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-SES
+version: !ruby/object:Gem::Version
+  version: 2.0.0
+platform: ruby
+authors:
+- Apache License (2.0)
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2018-11-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+  name: logstash-core-plugin-api
+  prerelease: false
+  type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.4
+  name: logstash-devutils
+  prerelease: false
+  type: :development
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.3.4
+description: SES filter
+email: svc@stormshield.eu
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/filters/SES.rb
+- logstash-filter-SES.gemspec
+- spec/filters/SES_spec.rb
+- spec/spec_helper.rb
+homepage: https://www.stormshield.eu
+licenses:
+- Stormshield
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.4.8
+signing_key:
+specification_version: 4
+summary: SES filter.
+test_files:
+- spec/filters/SES_spec.rb
+- spec/spec_helper.rb