logstash-filter-cidr 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    ZmQ1MGUyNGEwYjAzOTYwYmRlMDlmNjRhNTUzNzkzNmExYWU2YTdlZg==
+  data.tar.gz: !binary |-
+    NDEwNTllZTczYzNiZThjZTYzYWNlMmMzZmM3ZmYzNmM0MTFmZDg1Mg==
+SHA512:
+  metadata.gz: !binary |-
+    MzMxMzBiZmFjMWFkM2EzYTliOGM3ZjlmN2Y0Y2RkZTFjNWEzODc1ZThjYWY2
+    NGIzNTI5MGY5MTllOGQ0MjM2Y2UyY2Y5NDFhYTJiZTIwYjg4MzEzOTdjZDRm
+    Yjk1YTA1MzQ4NzBhNGY1OTVkMmIwMDZjZmFlYWVhZGRlN2Q4NmY=
+  data.tar.gz: !binary |-
+    ODU0NTRjMzgwYTljYzhlNjBiYWEwNDk2YjlkM2NiNmU3MTQzNjg5MDc4Yzkw
+    N2ZjMjg4NmRjNmNiOGJhNzNmZmFiMGM2MzA5ODk3M2VlNWYzMmM5ZTMxN2E1
+    ZjI4Mzk2Njg1MTY3OTJjODkyNzE0ZjlkODMwMzFkNTE5NGY4NjI=

data/.gitignore

@@ -0,0 +1,3 @@
+*.gem
+Gemfile.lock
+.bundle

data/Gemfile

@@ -0,0 +1,3 @@
+source 'http://rubygems.org'
+gem 'rake'
+gem 'gem_publisher'

data/Rakefile

@@ -0,0 +1,12 @@
+require "gem_publisher"
+
+desc "Publish gem to RubyGems.org"
+task :publish_gem do |t|
+  gem = GemPublisher.publish_if_updated("logstash-filter-cidr.gemspec", :rubygems)
+  puts "Published #{gem}" if gem
+end
+
+task :default do
+  system("rake -T")
+end
+

data/lib/logstash/filters/cidr.rb

@@ -0,0 +1,77 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+require "ipaddr"
+
+
+# The CIDR filter is for checking IP addresses in events against a list of
+# network blocks that might contain it. Multiple addresses can be checked
+# against multiple networks, any match succeeds. Upon success additional tags
+# and/or fields can be added to the event.
+
+class LogStash::Filters::CIDR < LogStash::Filters::Base
+
+  config_name "cidr"
+  milestone 1
+
+  # The IP address(es) to check with. Example:
+  #
+  #     filter {
+  #       %PLUGIN% {
+  #         add_tag => [ "testnet" ]
+  #         address => [ "%{src_ip}", "%{dst_ip}" ]
+  #         network => [ "192.0.2.0/24" ]
+  #       }
+  #     }
+  config :address, :validate => :array, :default => []
+
+  # The IP network(s) to check against. Example:
+  #
+  #     filter {
+  #       %PLUGIN% {
+  #         add_tag => [ "linklocal" ]
+  #         address => [ "%{clientip}" ]
+  #         network => [ "169.254.0.0/16", "fe80::/64" ]
+  #       }
+  #     }
+  config :network, :validate => :array, :default => []
+
+  public
+  def register
+    # Nothing
+  end # def register
+
+  public
+  def filter(event)
+    return unless filter?(event)
+
+    address = @address.collect do |a|
+      begin
+        IPAddr.new(event.sprintf(a))
+      rescue ArgumentError => e
+        @logger.warn("Invalid IP address, skipping", :address => a, :event => event)
+        nil
+      end
+    end
+    address.compact!
+
+    network = @network.collect do |n|
+      begin
+        IPAddr.new(event.sprintf(n))
+      rescue ArgumentError => e
+        @logger.warn("Invalid IP network, skipping", :network => n, :event => event)
+        nil
+      end
+    end
+    network.compact!
+
+    # Try every combination of address and network, first match wins
+    address.product(network).each do |a, n|
+      @logger.debug("Checking IP inclusion", :address => a, :network => n)
+      if n.include?(a)
+        filter_matched(event)
+        return
+      end
+    end
+  end # def filter
+end # class LogStash::Filters::CIDR

data/logstash-filter-cidr.gemspec

@@ -0,0 +1,26 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-filter-cidr'
+  s.version         = '0.1.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "The CIDR filter is for checking IP addresses in events against a list of network blocks that might contain it."
+  s.description     = "The CIDR filter is for checking IP addresses in events against a list of network blocks that might contain it. Multiple addresses can be checked against multiple networks, any match succeeds. Upon success additional tags and/or fields can be added to the event."
+  s.authors         = ["Elasticsearch"]
+  s.email           = 'richard.pijnenburg@elasticsearch.com'
+  s.homepage        = "http://logstash.net/"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
+
+end
+

data/spec/filters/cidr.rb

@@ -0,0 +1,71 @@
+require "test_utils"
+require "logstash/filters/cidr"
+
+describe LogStash::Filters::CIDR do
+  extend LogStash::RSpec
+
+  describe "IPV4 match test" do
+    config <<-CONFIG
+      filter {
+        cidr {
+          address => [ "%{clientip}" ]
+          network => [ "192.168.0.0/24" ]
+          add_tag => [ "matched" ]
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "192.168.0.30") do
+      insist { subject["tags"] }.include?("matched") 
+    end
+  end
+
+  describe "IPV4 non match" do
+   config <<-CONFIG
+       filter {
+        cidr {
+          address => [ "%{clientip}" ]
+          network => [ "192.168.0.0/24" ]
+          add_tag => [ "matched" ]
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "123.52.122.33") do
+       insist { subject["tags"] }.nil?
+    end
+  end
+
+  describe "IPV6 match test" do
+    config <<-CONFIG
+      filter {
+        cidr {
+          address => [ "%{clientip}" ]
+          network => [ "fe80::/64" ]
+          add_tag => [ "matched" ]
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "fe80:0:0:0:0:0:0:1") do
+      insist { subject["tags"] }.include?("matched") 
+    end
+  end
+
+  describe "IPV6 non match" do
+   config <<-CONFIG
+       filter {
+        cidr {
+          address => [ "%{clientip}" ]
+          network => [ "fe80::/64" ]
+          add_tag => [ "matched" ]
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "fd82:0:0:0:0:0:0:1") do
+       insist { subject["tags"] }.nil?
+    end
+  end
+
+end

metadata

@@ -0,0 +1,78 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-cidr
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Elasticsearch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-09-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: !binary |-
+          MS40LjA=
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: !binary |-
+          MS40LjA=
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+description: The CIDR filter is for checking IP addresses in events against a list
+  of network blocks that might contain it. Multiple addresses can be checked against
+  multiple networks, any match succeeds. Upon success additional tags and/or fields
+  can be added to the event.
+email: richard.pijnenburg@elasticsearch.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- Rakefile
+- lib/logstash/filters/cidr.rb
+- logstash-filter-cidr.gemspec
+- spec/filters/cidr.rb
+homepage: http://logstash.net/
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.1
+signing_key: 
+specification_version: 4
+summary: The CIDR filter is for checking IP addresses in events against a list of
+  network blocks that might contain it.
+test_files:
+- spec/filters/cidr.rb