logstash-filter-decrypt 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1ffee5f64ee92e1cf2bff9126ec72e8029776015
+  data.tar.gz: d79a89fba3b9bc3a1f0c2c5915301d99418fc0ba
+SHA512:
+  metadata.gz: fdfa04c5a811f139240bfe854e927085a5675b24c4d2f31fb19b2dfd7b1db4591f59c9c1827556a90d56830d101eddc6efe1458204dceac9e4e0c7ac179c8904
+  data.tar.gz: 49a860b321c74b53199d7e1cdb527844106b1777d67525d74695585ca8b4c4d83d6e8f6533393396ae3e3fc06cd541bf2d84696ce7ed293d7c6393e74640b8b8

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## 2.0.0
+ - Plugins were updated to follow the new shutdown semantic, this mainly allows Logstash to instruct input plugins to terminate gracefully, 
+   instead of using Thread.raise on the plugins' threads. Ref: https://github.com/elastic/logstash/pull/3895
+ - Dependency on logstash-core update to 2.0
+

data/CONTRIBUTORS

@@ -0,0 +1,11 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Aaron Mildenstein (untergeek)
+* Pier-Hugues Pellerin (ph)
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/DEVELOPER.md

@@ -0,0 +1,2 @@
+# logstash-filter-example
+Example filter plugin. This should help bootstrap your effort to write your own filter plugin!

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012–2016 Elasticsearch <http://www.elastic.co>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Elasticsearch
+Copyright 2012-2015 Elasticsearch
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -0,0 +1,3 @@
+# Logstash Decrypt Filter
+
+Simple Filter to Decrypt XOR and AES Payloads.

data/lib/logstash/filters/aes.rb

@@ -0,0 +1,16 @@
+require 'openssl'
+class Aes < Cipher
+
+  def decrypt(data,key)
+    aes = OpenSSL::Cipher.new('AES-128-CBC')
+    aes.decrypt
+    aes.key = key
+    return aes.update(data)
+  end
+
+  def aesdecrypt
+    return match(@payload,@prefix,@keys,@keywords)
+
+
+  end
+end

data/lib/logstash/filters/cipher.rb

@@ -0,0 +1,44 @@
+# encoding: utf-8
+require 'base64'
+require 'uri'
+class Cipher
+  def initialize(prefix,payload,keys,keywords)
+    @prefix=prefix
+    @payload=payload
+    @keys=keys
+    @keywords=keywords
+  end
+
+  #Extract according to prefix
+  def extract(payload)
+    return payload[@prefix.length..@payload.length]
+  end
+
+  #Decode Payload and unescape Characters
+  def decode(payload)
+    return Base64.decode64(URI.unescape(payload))
+  end
+
+  def match(payload,prefix,keys,keywords)
+    #Match, Payload
+    result = [false,'']
+      payload = decode(extract(payload))
+      keys.each do |key|
+        begin
+          payload = decrypt(payload, Base64.decode64(key))
+          keywords.each do |keyword|
+            if payload.include? keyword
+              result[0] = true
+              result[1] = payload.to_s
+              break
+            end
+          end
+        rescue
+          return result
+        end
+      end
+
+      return result
+  end
+
+end

data/lib/logstash/filters/decrypt.rb

@@ -0,0 +1,116 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+require "logstash/json"
+require "logstash/timestamp"
+require "logstash/filters/cipher"
+require "logstash/filters/xor"
+require "logstash/filters/aes"
+require 'thread'
+
+
+class LogStash::Filters::Decrypt < LogStash::Filters::Base
+
+  # The field to perform filter
+  #
+  # Example, to use the @message field (default) :
+  # [source,ruby]
+  #     filter { decrypt { source => "message" } }
+
+  #Config_name for the Logstash Config
+  config_name "decrypt"
+
+  # Replace the message with this value.
+  config :source, :validate => :string, :required => true
+
+
+  public
+  def register
+    # Add instance variables
+    @campaigns = Dir.glob("campaigns/*.json")
+  end # def register
+
+  public
+  def filter(event)
+
+    if @source
+      source = event.get(@source)
+      # Replace the event message with our message as configured in the
+      # config file.
+      parsed = LogStash::Json.load(source)
+
+      parsed_timestamp = parsed.delete(LogStash::Event::TIMESTAMP)
+      begin
+        timestamp = parsed_timestamp ? LogStash::Timestamp.coerce(parsed_timestamp) : nil
+      rescue LogStash::TimestampParserError => e
+        timestamp = nil
+      end
+
+      threads = []
+
+      @campaigns.each do |file|
+        file = File.read(file)
+        campaign = LogStash::Json.load(file)
+        @keywordstrategy = nil
+        @strategies = campaign['SearchStrategies']
+        @strategies.each do |strategy|
+          if strategy["type"].eql? "KeywordStrategy"
+            @logger.info("Found Keyword Strategy")
+            @keywordstrategy = strategy
+          end
+        end
+        if parsed["body"].nil? || parsed["body"].empty?
+          @logger.info("Empty Body -> Skip")
+        elsif @keywordstrategy.nil?
+          @logger.info("No Keyword Strategy found -> Skip")
+        elsif parsed["body"].include? @keywordstrategy["prefix"]
+          @logger.info("Decrypt Body")
+          threads << Thread.new {
+
+             if campaign["encryption"]["xor"].any?
+               xor=Xor.new(@keywordstrategy["prefix"],parsed["body"],campaign["encryption"]["xor"],@keywordstrategy["keywords"])
+               result = xor.xordecrypt
+               if result[0]
+                 parsed["decrypted"] = result[1]
+                 parsed["tags"] = [campaign["name"],"XOR"]
+               end
+             end
+
+             if campaign["encryption"]["aes"].any?
+               aes=Aes.new(@keywordstrategy["prefix"],parsed["body"],campaign["encryption"]["aes"],@keywordstrategy["keywords"])
+               result = aes.aesdecrypt
+               if result[0]
+                 parsed["decrypted"] = result[1]
+                 parsed["tags"] = [campaign["name"],"AES"]
+               end
+             end
+            }
+        else
+          @logger.info("Prefix not in Payload -> Skip")
+        end
+      end
+
+      threads.each { |thr| thr.join }
+
+      # using the event.set API
+      parsed.each{|k, v| event.set(k, v)}
+
+      if parsed_timestamp
+        if timestamp
+          event.timestamp = timestamp
+        else
+          event.timestamp = LogStash::Timestamp.new
+          @logger.warn("Unrecognized #{LogStash::Event::TIMESTAMP} value, setting current time to #{LogStash::Event::TIMESTAMP}, original in #{LogStash::Event::TIMESTAMP_FAILURE_FIELD} field", :value => parsed_timestamp.inspect)
+          event.tag(LogStash::Event::TIMESTAMP_FAILURE_TAG)
+          event.set(LogStash::Event::TIMESTAMP_FAILURE_FIELD, parsed_timestamp.to_s)
+        end
+      end
+      # correct debugging log statement for reference
+      # using the event.get API
+      @logger.info("Event after filter", :event => event)
+    end
+
+    # filter_matched should go in the last line of our successful code
+    filter_matched(event)
+  end # def filter
+end # class LogStash::Filters::Example

data/lib/logstash/filters/xor.rb

@@ -0,0 +1,16 @@
+# encoding: utf-8
+class Xor < Cipher
+
+  def decrypt(data, key)
+    data.length.times { |e|
+      data[e] = (key[e % key.length].ord ^ data[e].ord).chr;
+    }
+    return data
+  end
+
+  #Decrypt Payload and match it against Keywords
+  def xordecrypt
+    return match(@payload,@prefix,@keys,@keywords)
+  end
+
+end

data/logstash-filter-decrypt.gemspec

@@ -0,0 +1,23 @@
+Gem::Specification.new do |s|
+  s.name = 'logstash-filter-decrypt'
+  s.version = '0.0.2'
+  s.licenses = ['Apache License (2.0)']
+  s.summary = "Decrypt Filter for XOR Trojan"
+  s.description     = "This is a Logstash Filter to be installed on a logstash instance"
+  s.authors = ["Silvan Adrian, Fabian Binna"]
+  s.email = 'silvan.adrian@gmail.com'
+  s.homepage = ""
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
+  s.add_development_dependency 'logstash-devutils' , '~> 0'
+end

data/spec/filters/decrypt_spec.rb

@@ -0,0 +1,20 @@
+# encoding: utf-8
+require 'spec_helper'
+require "logstash/filters/decrypt"
+
+describe LogStash::Filters::Decrypt do
+  describe "Set to Hello World" do
+    let(:config) do <<-CONFIG
+      filter {
+        decrypt {
+          message => "Hello World"
+        }
+      }
+    CONFIG
+    end
+
+    sample("message" => "some text") do
+      expect(subject.get("message")).to eq('Hello World')
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"

metadata

@@ -0,0 +1,89 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-decrypt
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- Silvan Adrian, Fabian Binna
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2017-03-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash-core-plugin-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: logstash-devutils
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0'
+description: This is a Logstash Filter to be installed on a logstash instance
+email: silvan.adrian@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/filters/aes.rb
+- lib/logstash/filters/cipher.rb
+- lib/logstash/filters/decrypt.rb
+- lib/logstash/filters/xor.rb
+- logstash-filter-decrypt.gemspec
+- spec/filters/decrypt_spec.rb
+- spec/spec_helper.rb
+homepage: ''
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.4
+signing_key: 
+specification_version: 4
+summary: Decrypt Filter for XOR Trojan
+test_files:
+- spec/filters/decrypt_spec.rb
+- spec/spec_helper.rb