logstash-filter-cidrtagmap 1.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ed725267129ccb6206153486ba1f8d6b7d56a793
+  data.tar.gz: de9e163ce694db757be6ca59b24bf3e87c10a39c
+SHA512:
+  metadata.gz: 975da1ec0f5561934688e60442986832824f973b9ce2c50efe78872aad7ee610acae6ec58a4205978091d693292e2a28d4f74f8b8a4dac534158088ceab97692
+  data.tar.gz: 88a06b2464fa75fd5850fe824d377fb0fbd1f13d26b2bc58434c026b1cb8c9879bc56559f4759aae9ed9ef219961aabb68471d3fc3cf65a99336423c3e559625

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## 2.0.0
+ - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully, 
+   instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
+ - Dependency on logstash-core update to 2.0
+

data/CONTRIBUTORS

@@ -0,0 +1,11 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Aaron Mildenstein (untergeek)
+* Pier-Hugues Pellerin (ph)
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/DEVELOPER.md

@@ -0,0 +1,2 @@
+# logstash-filter-example
+Example filter plugin. This should help bootstrap your effort to write your own filter plugin!

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -0,0 +1,37 @@
+This logstash filter tags netflow records according to a list of CIDR to tag mappings.
+
+The list is an external / stand alone text file consisting of lines of the form:
+
+```
+<network>/<mask>,<tag>
+```
+
+The filter can be made to re-load its in-memory representation of the contents of the
+map file without interrupting/restarting the logstash instance by touching a flag file.
+
+When a netflow event matches the CIDR spec, two tags are set:
+
+src_tag = the tag associated with the spec that matched
+
+src_tagMatch = the CIDR spec that matched (as rendered by IPAddr.to_s)
+
+
+Configuration:
+
+```
+filter{
+        cidrtagmap {
+                mapfilepath => "cidrmap.txt"
+        }
+}
+```
+
+Tell the filter to reload its map
+
+```
+touch <mapfilepath>.RELOAD
+```
+
+Reloading is thread safe.
+
+Put cidrtagmap.rb in $LOGSTASH/lib/logstash/filters/

data/lib/logstash/filters/cidrtagmap.rb

@@ -0,0 +1,167 @@
+require "logstash/filters/base"
+require "logstash/namespace"
+require 'ipaddr'
+
+class MapEntry
+	attr_reader :range,:tag
+	def initialize(spec = "")
+		begin
+			parts = spec.split(',')
+			@range = IPAddr.new(parts[0])
+			@tag = parts[1]
+			return self
+		rescue
+			@logger.warn("cidrtagmap: error parsing map entry #{spec}")
+			return nil
+		end
+	end
+
+	def includesAddress?(ipaddr)
+		return @range.include?(ipaddr)
+	end
+end
+
+class LogStash::Filters::CIDRTagMap < LogStash::Filters::Base
+
+	config_name "cidrtagmap"
+
+	milestone 1
+
+	config :mapfilepath, :validate => :string, :default => 'cidrmap.txt'
+	config :asnmapfilepath, :validate => :string, :default => 'asn.txt'
+
+
+	private
+
+	def loadLatestMap
+		if File.exist?(@reloadFlagPath) or @cidrMap.nil?
+			@logger.debug("cidrtagmap: need to load, getting mutex")
+			@mutex.synchronize {
+				# Test again now that we have the floor just in case someone else did it already
+				# This is because we might have blocked on the mutex when we first encountered the condition
+				# We don't wrap the initial test because that'd have the effect of serializing every single
+				# netflow event through the test, which defeats the purpose of multiple threads.
+				# But we acknowledge that there's room for a race here so test again to be sure.
+				if File.exist?(@reloadFlagPath) or @cidrMap.nil?
+					if File.exist?(@reloadFlagPath)
+						begin
+							# This thread wins, clear the flag file.  If someone else is waiting
+							# on the mutex they'll see that it's already done when they get in here.
+							# We want to do this right away because the longer we wait the more likely
+							# it is that other threads are piling up behind the mutex.
+							File.delete(@reloadFlagPath)
+							@logger.info("cidrtagmap: cleared reload flag")
+						rescue
+							@logger.warn("cidrtagmap: unable to remove #{@reloadFlagPath} - I'm probably gonna loop in a bad way")
+						end
+					end
+					@logger.info("cidrtagmap: loading map into memory")
+					begin
+						@mapFile = File.new(@mapfilepath,'r')
+						@cidrMap = @mapFile.readlines.map {
+							|line|
+							MapEntry.new(line.chomp)
+						}
+						@mapFile.close
+						@cidrMap = @cidrMap.reject { |item| item.nil? }
+						@logger.info("cidrtagmap: loaded #{@cidrMap.inspect}")
+					rescue
+						@logger.warn("cidrtagmap: error opening map file #{@mapfilepath}\n")
+						@mapFile = nil
+					end
+					begin
+						asntable = File.readlines(@asnmapfilepath)
+						regex = /^ (\d+?)\s+(.+?)\s+/
+						@asnmap = Hash[asntable.collect { |line| line.match(regex)}.select {|each| not each.nil?}.collect{|each| [each[1],each[2]] }]
+					rescue Exception => e
+						@logger.warn("cidrtagmap: error loading asn map file #{@asnmapfilepath}\n")
+						@logger.warn("cidrtagmap: #{e.inspect}")
+					end
+				else
+					@logger.debug("cidrtagmap: someone already loaded the map - I'm outta here")
+				end
+			}
+		end
+	end
+
+	def mapForIp(addrString = "")
+		begin
+			address = IPAddr.new(addrString.to_s)
+			matchIndex = @cidrMap.index{
+				|range|
+				range.includesAddress?(address)
+			}
+			if matchIndex
+				@logger.debug("cidrtagmap: match for #{address} at #{matchIndex}")
+				return @cidrMap[matchIndex]
+			else
+				return nil
+			end
+		rescue
+			@logger.warn("cidrtagmap: error attempting to map #{addrString}\n")
+		end
+	end
+
+	def asNameForNumber(as = 0)
+		begin
+			return @asnmap[as.to_s] || "UNKNOWN"
+		rescue
+			return "MAPERROR"
+		end
+	end
+
+	public
+	def register
+		@mutex = Mutex.new
+		@reloadFlagPath = "#{@mapfilepath}.RELOAD"
+		@logger.info("cidrtagmap: NOTE: touch #{@reloadFlagPath} to force map reload")
+		loadLatestMap
+	end
+
+	public
+	def filter(event)
+		return unless filter?(event)
+		if event['netflow']
+			loadLatestMap
+			netflow = event['netflow']
+			if netflow["ipv4_src_addr"]
+				@logger.debug("cidrtagmap: checking for src #{netflow['ipv4_src_addr']}")
+				src_map = mapForIp(netflow["ipv4_src_addr"])
+				if src_map
+					@logger.debug("cidrtagmap: tagging src #{netflow['ipv4_src_addr']} with #{src_map.tag}")
+					netflow["src_tag"] = src_map.tag
+					netflow['src_tagMatch'] = src_map.range.to_s
+					filter_matched(event)
+				end
+			end
+			if netflow["ipv4_dst_addr"]
+				@logger.debug("cidrtagmap: checking for dst #{netflow['ipv4_dst_addr']}")
+				dst_map = mapForIp(netflow["ipv4_dst_addr"])
+				if dst_map
+					@logger.debug("cidrtagmap: tagging dst #{netflow['ipv4_dst_addr']} with #{dst_map.tag}")
+					netflow["dst_tag"] = dst_map.tag
+					netflow["dst_tagMatch"] = dst_map.range.to_s
+					filter_matched(event)
+				end
+			end
+			if netflow["dst_as"]
+				@logger.debug("cidrtagmap: checking for dst_as #{netflow['dst_as']}")
+				dst_asname = asNameForNumber(netflow["dst_as"])
+				if dst_asname
+					@logger.debug("cidrtagmap: tagging dst_as #{netflow['dst_as']} with #{dst_asname}")
+					netflow["dst_as_name"] = dst_asname
+					filter_matched(event)
+				end
+			end
+			if netflow["src_as"]
+				@logger.debug("cidrtagmap: checking for src_as #{netflow['src_as']}")
+				src_asname = asNameForNumber(netflow["src_as"])
+				if src_asname
+					@logger.debug("cidrtagmap: tagging src_as #{netflow['src_as']} with #{src_asname}")
+					netflow["src_as_name"] = src_asname
+					filter_matched(event)
+				end
+			end
+		end
+	end
+end 

data/logstash-filter-cidrtagmap.gemspec

@@ -0,0 +1,23 @@
+Gem::Specification.new do |s|
+  s.name = 'logstash-filter-cidrtagmap'
+  s.version         = '1.1.0'
+  s.licenses = ['Apache License (2.0)']
+  s.summary = "This cidrtagmap filter replaces the contents of the message field with the specified value."
+  s.description     = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
+  s.authors = ["svdasein"]
+  s.email = 'daveparker01@gmail.com'
+  s.homepage = "http://www.elastic.co/guide/en/logstash/current/index.html"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", "~> 1.8"
+  s.add_development_dependency 'logstash-devutils'
+end

data/spec/filters/example_spec.rb

@@ -0,0 +1,20 @@
+# encoding: utf-8
+require 'spec_helper'
+require "logstash/filters/example"
+
+describe LogStash::Filters::Example do
+  describe "Set to Hello World" do
+    let(:config) do <<-CONFIG
+      filter {
+        example {
+          message => "Hello World"
+        }
+      }
+    CONFIG
+    end
+
+    sample("message" => "some text") do
+      expect(subject.get("message")).to eq('Hello World')
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-cidrtagmap
+version: !ruby/object:Gem::Version
+  version: 1.1.0
+platform: ruby
+authors:
+- svdasein
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-06-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash-core-plugin-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.8'
+- !ruby/object:Gem::Dependency
+  name: logstash-devutils
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This gem is a Logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This
+  gem is not a stand-alone program
+email: daveparker01@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/filters/cidrtagmap.rb
+- logstash-filter-cidrtagmap.gemspec
+- spec/filters/example_spec.rb
+- spec/spec_helper.rb
+homepage: http://www.elastic.co/guide/en/logstash/current/index.html
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: This cidrtagmap filter replaces the contents of the message field with the
+  specified value.
+test_files:
+- spec/filters/example_spec.rb
+- spec/spec_helper.rb