logstash-filter-empowclassifier 0.3.15

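--- /dev/null
+++ b/spec/filters/local-classifier_spec.rb
@@ -0,0 +1,46 @@
+require_relative '../spec_helper'
+require "logstash/filters/local-classifier"
+require "logstash/filters/elastic-db"
+require "logstash/filters/classification-request"
+
+describe LogStash::Filters::Empow::LocalClassifier do
+
+describe "sync'ed local database as a fallback" do
+it "value isn't in memory, later fetched from local db" do
+local_db = instance_double(LogStash::Filters::Empow::PersistentKeyValueDB)
+allow(local_db).to receive(:query).and_return(nil)
+allow(local_db).to receive(:close)
+
+classifier = described_class.new(5, 300, false, local_db)
+
+key = LogStash::Filters::Empow::ClassificationRequest.new("product_type", "product", "threat", true, true)
+
+expect(classifier.classify(key)).to be_nil
+
+allow(local_db).to receive(:query).and_return("intent")
+
+# allow backend thread to process the request
+res = nil
+
+for i in 1..10 do
+sleep 1
+
+res = classifier.classify(key)
+
+break if !res.nil?
+end
+
+expect(res).to eq("intent")
+end
+end
+
+describe "no local database configured" do
+it "value isn't in memory" do
+classifier = described_class.new(5, 300, false, nil)
+
+key = "key-1"
+
+expect(classifier.classify(key)).to be_nil
+end
+end
+end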
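Review bot: The polling loop at hunk lines 25-31 (`for i in 1..10 do` / `sleep 1`) makes the example take at least one second even when the backend thread answers immediately, and up to ten seconds before it fails on a bare `expect(res).to eq("intent")`; `for` also leaks the unused `i` into the example scope. A tighter loop such as `res = nil; 100.times { res = classifier.classify(key); break if res; sleep 0.1 }` keeps the same ten-second ceiling at a tenth of the latency, and `break if res` replaces `break if !res.nil?`. The classifier is built over a `local_db` whose `close` is stubbed but is never shut down in the example; if `LocalClassifier` owns a backend thread, an `ensure` that stops it would keep it from outliving the example — confirm against the class. The second example passes a plain `"key-1"` String where the first passes a `ClassificationRequest`; whichever type `classify` actually accepts, the two examples should agree.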
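--- /dev/null
+++ b/spec/filters/plugin-logic_spec.rb
@@ -0,0 +1,127 @@
+require_relative '../spec_helper'
+require "logstash/event"
+require "logstash/filters/classifier"
+require "logstash/filters/plugin-logic"
+
+describe LogStash::Filters::Empow::PluginLogic do
+
+let(:intent_res1) { {"p1" => "s1"} }
+let(:response_body1) { {'response' => intent_res1 } }
+let(:sample_response) { LogStash::Filters::Empow::SuccessfulReponse.new(response_body1) }
+
+describe "test classification" do
+
+it "event with warm classification" do
+event = LogStash::Event.new("my_product_type" => "ids", "my_product" => "some_av", "my_term" => "name1", "my_hash" => "hash1")
+
+field_handler = instance_double(LogStash::Filters::Empow::FieldHandler)
+allow(field_handler).to receive(:event_to_classification_request).and_return("request")
+
+classifier = instance_double(LogStash::Filters::Empow::Classifier)
+allow(classifier).to receive(:classify).and_return(sample_response)
+
+plugin_logic = described_class.new(classifier, field_handler, 60, 1, ['_timeout'], ['_error'])
+
+expect(field_handler).to receive(:event_to_classification_request)
+expect(classifier).to receive(:classify)
+
+classified_event = plugin_logic.classify(event)
+
+expect(classified_event).to eq(event)
+expect(classified_event.get("empow_intent")).to eq(intent_res1)
+end
+
+it "event with cold classification is parked and then unparked only once" do
+event = LogStash::Event.new("my_product_type" => "ids", "my_product" => "some_av", "my_term" => "name1", "my_hash" => "hash1")
+
+field_handler = instance_double(LogStash::Filters::Empow::FieldHandler)
+allow(field_handler).to receive(:event_to_classification_request).and_return("request")
+allow(Time).to receive(:now).and_return(10)
+
+classifier = instance_double(LogStash::Filters::Empow::Classifier)
+allow(classifier).to receive(:classify).and_return(nil, nil, sample_response)
+
+plugin_logic = described_class.new(classifier, field_handler, 60, 1, ['_timeout'], ['_error'])
+
+expect(classifier).to receive(:classify)
+
+classified_event = plugin_logic.classify(event)
+expect(classified_event).to be_nil
+
+allow(Time).to receive(:now).and_return(20)
+
+expect(classifier).to receive(:classify)
+flushed_events = plugin_logic.flush
+expect(flushed_events).to be_empty
+
+allow(Time).to receive(:now).and_return(30)
+expect(classifier).to receive(:classify)
+
+flushed_events = plugin_logic.flush
+expect(flushed_events).not_to be_empty
+end
+
+it "event unparked after time expired" do
+event = LogStash::Event.new("my_product_type" => "ids", "my_product" => "some_av", "my_term" => "name1", "my_hash" => "hash1")
+
+field_handler = instance_double(LogStash::Filters::Empow::FieldHandler)
+allow(field_handler).to receive(:event_to_classification_request).and_return("request")
+allow(Time).to receive(:now).and_return(10)
+
+classifier = instance_double(LogStash::Filters::Empow::Classifier)
+allow(classifier).to receive(:classify).and_return(nil)
+
+plugin_logic = described_class.new(classifier, field_handler, 60, 1, ['_timeout'], ['_error'])
+
+expect(classifier).to receive(:classify)
+
+classified_event = plugin_logic.classify(event)
+expect(classified_event).to be_nil
+
+allow(Time).to receive(:now).and_return(20)
+
+expect(classifier).to receive(:classify)
+flushed_events = plugin_logic.flush
+expect(flushed_events).to be_empty
+
+allow(Time).to receive(:now).and_return(100)
+expect(classifier).to receive(:classify)
+
+flushed_events = plugin_logic.flush
+expect(flushed_events).not_to be_empty
+
+insist { flushed_events[0].get("tags") }.include?("_timeout")
+end
+
+it "too many parked events" do
+event1 = LogStash::Event.new("my_product_type" => "ids", "my_product" => "some_av", "my_term" => "name1", "my_hash" => "hash1")
+event2 = LogStash::Event.new("my_product_type" => "ids", "my_product" => "some_av", "my_term" => "name2", "my_hash" => "hash2")
+
+field_handler = instance_double(LogStash::Filters::Empow::FieldHandler)
+allow(field_handler).to receive(:event_to_classification_request).and_return("request")
+allow(Time).to receive(:now).and_return(10)
+
+classifier = instance_double(LogStash::Filters::Empow::Classifier)
+allow(classifier).to receive(:classify).and_return(nil)
+
+plugin_logic = described_class.new(classifier, field_handler, 60, 1, ['_timeout'], ['_error'])
+
+expect(classifier).to receive(:classify)
+
+classified_event = plugin_logic.classify(event1)
+expect(classified_event).to be_nil
+
+classified_event = plugin_logic.classify(event2)
+expect(classified_event).to eq(event1)
+
+allow(Time).to receive(:now).and_return(20)
+flushed_events = plugin_logic.flush
+expect(flushed_events).to be_empty
+
+allow(Time).to receive(:now).and_return(100)
+flushed_events = plugin_logic.flush
+expect(flushed_events).not_to be_empty
+expect(flushed_events.length).to eq(1)
+end
+end
+end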
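Review bot: `allow(Time).to receive(:now).and_return(10)` (hunk lines 39, 51, 57, 69, 81, 87, 102, 117, 121) replaces `Time.now` process-wide with an Integer for the rest of the example, so any code path in the plugin or its dependencies that expects a `Time` (arithmetic, formatting, log timestamps) breaks or silently computes with the wrong type; the gem already declares `timecop` as a development dependency, so `Timecop.freeze(Time.at(10))` and `Timecop.travel(Time.at(20))` would drive the same scenario through the real `Time` API. Line 93 mixes the `insist { … }.include?("_timeout")` style into an otherwise RSpec-expect file; `expect(flushed_events[0].get("tags")).to include("_timeout")` fails with a readable message instead of a bare boolean. The four examples repeat the same event, field_handler and classifier setup; moving those into `let` blocks and the `described_class.new(...)` call into `subject` would make the only real differences between examples (the `and_return` sequences) visible at a glance. The positional `60, 1` arguments to `described_class.new` are opaque here; a short comment naming them (presumably a parking timeout and a parked-event cap, judging by the third and fourth examples) would help — confirm against PluginLogic's signature.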
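--- /dev/null
+++ b/spec/filters/utils_spec.rb
@@ -0,0 +1,74 @@
+require_relative '../spec_helper'
+require "logstash/event"
+require "logstash/filters/utils"
+
+describe LogStash::Filters::Empow::Utils do
+
+describe "test internal tagging" do
+it "test error" do
+event = LogStash::Event.new("data" => "a b c")
+
+LogStash::Filters::Empow::Utils.add_error(event, "my_msg")
+
+expect(event.get("empow_errors")).to contain_exactly("my_msg")
+end
+
+it "test warn" do
+event = LogStash::Event.new("data" => "a b c")
+
+LogStash::Filters::Empow::Utils.add_warn(event, "my_msg")
+
+expect(event.get("empow_warnings")).to contain_exactly("my_msg")
+end
+end
+#json = '{ "a": "True", "b": "true", "c": "1", "d": 1, "e": "False", "f": "0", "g": "TRUE" }'
+describe "test is truthy" do
+it "string TRUE" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean("TRUE")).to eq(true)
+end
+
+it "string true" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean("true")).to eq(true)
+end
+
+it "string 1" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean("1")).to eq(true)
+end
+
+it "string 11" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean("11")).to be_nil
+end
+
+it "string 0" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean('0')).to eq(false)
+end
+
+it "int 0" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean(0)).to eq(false)
+end
+
+it "int 1" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean(1)).to eq(true)
+end
+
+it "int 11" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean(11)).to be_nil
+end
+
+it "boolean true" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean(true)).to eq(true)
+end
+
+it "boolean false" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean(false)).to eq(false)
+end
+
+it "nil" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean(nil)).to be_nil
+end
+
+it "empty string" do
+expect(LogStash::Filters::Empow::Utils.convert_to_boolean('')).to be_nil
+end
+end
+end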
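Review bot: The commented-out `#json = '{ "a": "True", … "e": "False", "f": "0", "g": "TRUE" }'` at hunk line 24 is dead code, and it points at inputs the examples never exercise: mixed-case `"True"` and the string forms `"False"`/`"false"`/`"FALSE"` have no example, so the falsy half of `convert_to_boolean` is covered only by `'0'`, `0` and `false`. Either drop the comment or turn it into examples such as `it "string false" do expect(described_class.convert_to_boolean("false")).to eq(false) end`, with the expected value confirmed against the implementation before it is pinned. The file alternates between `"0"`-style double quotes and `'0'`/`''` single quotes for literal arguments with no interpolation; pick one. Inside `describe LogStash::Filters::Empow::Utils`, `described_class.convert_to_boolean(...)` would also shorten every example and survive a rename of the module.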
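--- /dev/null
+++ b/spec/spec_helper.rb
@@ -0,0 +1,2 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"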
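--- /dev/null
+++ b/metadata
@@ -0,0 +1,260 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-empowclassifier
+version: !ruby/object:Gem::Version
+version: 0.3.15
+platform: ruby
+authors:
+- empow
+- Assaf Abulafia
+- Rami Cohen
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2019-01-30 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '1.60'
+- - "<="
+- !ruby/object:Gem::Version
+version: '2.99'
+name: logstash-core-plugin-api
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '1.60'
+- - "<="
+- !ruby/object:Gem::Version
+version: '2.99'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.8'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.8.0
+name: rest-client
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.8'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.8.0
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.1'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.1.0
+name: lru_redux
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.1'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.1.0
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.8'
+- - ">="
+- !ruby/object:Gem::Version
+version: '1.8'
+name: json
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.8'
+- - ">="
+- !ruby/object:Gem::Version
+version: '1.8'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+name: hashie
+prerelease: false
+type: :runtime
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3'
+name: aws-sdk
+prerelease: false
+type: :development
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '3'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+name: logstash-devutils
+prerelease: false
+type: :development
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.7'
+name: timecop
+prerelease: false
+type: :development
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.7'
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.22'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.21.0
+name: webmock
+prerelease: false
+type: :development
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '1.22'
+- - ">="
+- !ruby/object:Gem::Version
+version: 1.21.0
+- !ruby/object:Gem::Dependency
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+name: elasticsearch
+prerelease: false
+type: :development
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+description:
+email: ''
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- Gemfile
+- LICENSE
+- README.md
+- lib/logstash/filters/center-client.rb
+- lib/logstash/filters/classification-request.rb
+- lib/logstash/filters/classifier-cache.rb
+- lib/logstash/filters/classifier.rb
+- lib/logstash/filters/cognito-client.rb
+- lib/logstash/filters/elastic-db.rb
+- lib/logstash/filters/empowclassifier.rb
+- lib/logstash/filters/field-handler.rb
+- lib/logstash/filters/local-classifier.rb
+- lib/logstash/filters/plugin-logic.rb
+- lib/logstash/filters/response.rb
+- lib/logstash/filters/utils.rb
+- logstash-filter-empowclassifier.gemspec
+- spec/filters/bulk-processor_spec.rb
+- spec/filters/center-client_spec.rb
+- spec/filters/classifier-cache_spec.rb
+- spec/filters/classifier_spec.rb
+- spec/filters/cognito-client_spec.rb
+- spec/filters/elastic-db_spec.rb
+- spec/filters/empowclassifier_spec.rb
+- spec/filters/field-handler_spec.rb
+- spec/filters/local-classifier_spec.rb
+- spec/filters/plugin-logic_spec.rb
+- spec/filters/utils_spec.rb
+- spec/spec_helper.rb
+homepage: http://www.empowcybersecurity.com
+licenses:
+- Apache-2.0
+metadata:
+logstash_plugin: 'true'
+logstash_group: filter
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.13
+signing_key:
+specification_version: 4
+summary: Logstash intent classification plugin client for accessing empows classifiction
+cloud
+test_files:
+- spec/filters/bulk-processor_spec.rb
+- spec/filters/center-client_spec.rb
+- spec/filters/classifier-cache_spec.rb
+- spec/filters/classifier_spec.rb
+- spec/filters/cognito-client_spec.rb
+- spec/filters/elastic-db_spec.rb
+- spec/filters/empowclassifier_spec.rb
+- spec/filters/field-handler_spec.rb
+- spec/filters/local-classifier_spec.rb
+- spec/filters/plugin-logic_spec.rb
+- spec/filters/utils_spec.rb
+- spec/spec_helper.rb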