logstash-filter-empowclassifier 1.0.0 → 1.0.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 74937d8d6662e3b4b2f2823984b751fd8b51446901c591af25b782e8e619c61d
4
- data.tar.gz: 892c0f3f8f7c1a253b96d4fb52f6c8c752dfdbebf939f8d7ec3f99f46f1ac122
3
+ metadata.gz: d2c7138d69ebbe84d65be86b8c7eceac98ca6a786480d6b3ab7b73735351723d
4
+ data.tar.gz: b2b579f47338fe34b6c1b8509ed5e137852c6c63d87cd19a8c4456dfea73914b
5
5
  SHA512:
6
- metadata.gz: 7b37175bd121abb10e9a2904592b3d008b0c4217ee21c7750b8247a5622a74142159fb5363245d06330cd49d824301ed9b2b9a60d76bc6a0d2b6cb2232144091
7
- data.tar.gz: 4827236e9939d9fdb4ef7ed6f5f667f0ce832a6b7e0c443bb8a122d27de5afa0f001605cef232f507623f46780decdf61c2b5d14b3e4d5afeb44df37118340ea
6
+ metadata.gz: 3aa136befd495d8ff94b1df6cf290a437979e03b3a0354caf4ba54ca032d175b230d1d6c22e7da89c1af49c26032065703fceb87c648a92a9f8896e98d0de494
7
+ data.tar.gz: 7762647e4d646869da4da89b303dcaf23465292b59db63fad59a0f2d95088ba2f744ad5c36d2affe6dbb73420bb8c9e4af371029e44a480b54f7a42e855b37cd
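Review bot: all four digests (SHA256 and SHA512 for metadata.gz and data.tar.gz) change, which is expected for a rebuilt gem, but nothing in this page ties them to the artifact on rubygems.org; before rolling 1.0.1 into a pipeline, compute the data.tar.gz digest from the gem actually downloaded and compare it against the value recorded here, since a mismatch would mean the published package is not the one reviewed.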
data/README.md CHANGED
@@ -6,85 +6,59 @@ It is fully free and fully open source. The license is Apache 2.0, meaning you a
6
6
 
7
7
  <a href="https://badge.fury.io/rb/logstash-filter-empowclassifier"><img src="https://badge.fury.io/rb/logstash-filter-empowclassifier.svg" alt="Gem Version" height="18"></a>
8
8
 
9
- ## Documentation
9
+ # Using the empowclassifier plugin
10
10
 
11
- Logstash provides infrastructure to automatically generate documentation for this plugin. We use the asciidoc format to write documentation so any comments in the source code will be first converted into asciidoc and then into html. All plugin documentation are placed under one [central location](http://www.elastic.co/guide/en/logstash/current/).
12
-
13
- - For formatting code or config example, you can use the asciidoc `[source,ruby]` directive
14
- - For more asciidoc formatting tips, see the excellent reference here https://github.com/elastic/docs#asciidoc-guide
15
-
16
- ## Need Help?
17
-
18
- Need help? Try #logstash on freenode IRC or the https://discuss.elastic.co/c/logstash discussion forum.
19
-
20
- ## Developing
21
-
22
- ### 1. Plugin Developement and Testing
23
-
24
- #### Code
25
- - To get started, you'll need JRuby with the Bundler gem installed.
26
-
27
- - Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization. We also provide [example plugins](https://github.com/logstash-plugins?query=example).
28
-
29
- - Install dependencies
30
- ```sh
31
- bundle install
11
+ ## Example
12
+ A log may look like this before the classification (in json form):
32
13
  ```
33
-
34
- #### Test
35
-
36
- - Update your dependencies
37
-
38
- ```sh
39
- bundle install
14
+ {
15
+ "product_type": "IDS",
16
+ "product_name": "snort",
17
+ "threat": { "signature": "1:234" }
18
+ }
40
19
  ```
41
20
 
42
- - Run tests
43
-
44
- ```sh
45
- bundle exec rspec
21
+ After filtering, using the plugin, the response would be contain these fields:
46
22
  ```
23
+ {
24
+ "signatureTactics": [
25
+ {
26
+ "tactic": "Full compromise - active patterns",
27
+ "attackStage": "Infiltration",
28
+ "isSrcPerformer": true
29
+ }
30
+ ]
31
+ }
32
+ ```
33
+ signatureTactics is an array of the tactics classified by empow.
47
34
 
48
- ### 2. Running your unpublished Plugin in Logstash
49
-
50
- #### 2.1 Run in a local Logstash clone
35
+ each result contains the actual tactic, the attack stage empow classified for this log (determined by the tactic and whether the source and dest are within the user’s network), and whether the source was the performer or the victim of this attack.
51
36
 
52
- - Edit Logstash `Gemfile` and add the local plugin path, for example:
53
- ```ruby
54
- gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
55
- ```
56
- - Install plugin
57
- ```sh
58
- bin/logstash-plugin install --no-verify
59
- ```
60
- - Run Logstash with your plugin
37
+ ## Installing the plugin
61
38
  ```sh
62
- bin/logstash -e 'filter {awesome {}}'
39
+ bin/logstash-plugin install logstash-filter-empowclassifier
63
40
  ```
64
- At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
65
-
66
- #### 2.2 Run in an installed Logstash
67
-
68
- You can use the same **2.1** method to run your plugin in an installed Logstash by editing its `Gemfile` and pointing the `:path` to your local plugin development directory or you can build the gem and install it using:
69
41
 
70
- - Build your plugin gem
71
- ```sh
72
- gem build logstash-filter-awesome.gemspec
42
+ ## Usage
73
43
  ```
74
- - Install the plugin from the Logstash home
75
- ```sh
76
- bin/logstash-plugin install /your/local/plugin/logstash-filter-awesome.gem
44
+ input {
45
+ ...
46
+ }
47
+
48
+ filter {
49
+ empowclassifier {
50
+ username => "cosmo@kramerica.com"
51
+ password => "12345"
52
+ }
53
+ }
54
+
55
+ output {
56
+ ...
57
+ }
77
58
  ```
78
- - Start Logstash and proceed to test the plugin
79
-
80
- ## Contributing
81
59
 
82
- All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
83
60
 
84
- Programming is not a required skill. Whatever you've seen about open source and maintainers or community members saying "send patches or die" - you will not see that here.
85
61
 
86
- It is more important to the community that you are able to contribute.
87
62
 
88
- For more information about contributing, see the [CONTRIBUTING](https://github.com/elastic/logstash/blob/master/CONTRIBUTING.md) file.
89
63
 
90
64
  I like rice. Rice is great if you're hungry and want 2000 of something.
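Review bot: the new Usage block hard-codes credentials (`username => "cosmo@kramerica.com"`, `password => "12345"`), which teaches readers to commit the empow account password into pipeline config; the example should reference the Logstash keystore instead, e.g. `password => "${EMPOW_PASSWORD}"`, with a sentence on adding that key with `bin/logstash-keystore`. Smaller points in the same hunk: "the response would be contain these fields" should read "the response will contain these fields"; the unchanged context line "I like rice. Rice is great if you're hungry and want 2000 of something." is generator template text that should be removed from the README; and the hunk deletes the Developing/Test instructions (`bundle install`, `bundle exec rspec`) without relocating them, so a short contributor section should be kept. The README also says nothing about which log fields (product_type, product_name, threat.signature) are sent to the external classification service, which users need to know before enabling the filter on production logs.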
@@ -100,8 +100,8 @@ class LogStash::Filters::EmpowClassifier < LogStash::Filters::Base
100
100
  ###############
101
101
  config :tag_on_product_type_failure, :validate => :array, :default => ['_empow_no_product_type']
102
102
  config :tag_on_signature_failure, :validate => :array, :default => ['_empow_no_signature']
103
- config :tag_on_timeout, :validate => :array, :default => ['_empow_classifer_timeout']
104
- config :tag_on_error, :validate => :array, :default => ['_empow_classifer_error']
103
+ config :tag_on_timeout, :validate => :array, :default => ['_empow_classifier_timeout']
104
+ config :tag_on_error, :validate => :array, :default => ['_empow_classifier_error']
105
105
 
106
106
  CLASSIFICATION_URL = 'https://intent.cloud.empow.co'
107
107
  CACHE_TTL = (24*60*60)
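Review bot: fixing the `classifer` misspelling in the `tag_on_timeout` and `tag_on_error` defaults silently renames the tags that existing pipelines, saved searches and alert rules may match on, so a conditional such as `if "_empow_classifer_error" in [tags]` stops firing after the upgrade; this needs a changelog entry listing the old and new tag names, noting that users who set either option explicitly are unaffected because the change only touches the defaults.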
@@ -227,4 +227,4 @@ class LogStash::Filters::EmpowClassifier < LogStash::Filters::Base
227
227
 
228
228
  return nil
229
229
  end
230
- end
230
+ end
@@ -1,6 +1,6 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = 'logstash-filter-empowclassifier'
3
- s.version = '1.0.0'
3
+ s.version = '1.0.1'
4
4
  s.licenses = ['Apache-2.0']
5
5
  s.summary = 'Returns classification information for attacks from the empow classification center, based on information in log strings'
6
6
  #s.description = 'Write a longer description or delete this line.'
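Review bot: the commented `#s.description = 'Write a longer description or delete this line.'` line is generator boilerplate still present in the gemspec after the 1.0.1 bump; either set a real description or remove the line before publishing, since the one-line `s.summary` is otherwise all that describes the gem.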
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-filter-empowclassifier
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.0.0
4
+ version: 1.0.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - empow
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2019-02-13 00:00:00.000000000 Z
13
+ date: 2019-02-27 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  requirement: !ruby/object:Gem::Requirement
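Review bot: `cert_chain: []` in this hunk shows the gem is still published unsigned, so consumers of 1.0.1 can verify it only against the rubygems checksums and not against a maintainer signature; consider setting `signing_key` and `cert_chain` in the gemspec so the empow certificate can be pinned. The date bump to 2019-02-27 is consistent with the version change in the gemspec and in the earlier metadata hunk.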