logstash-filter-enrsig 0.9.0 → 0.9.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +6 -0
- data/lib/logstash/filters/enrsig.rb +40 -18
- data/logstash-filter-enrsig.gemspec +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5d36b413abe822c6e3563d63382043763773217a
|
|
4
|
+
data.tar.gz: f54d34fe5483edda1d3ef1c5c623eaac7cc1a855
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 21a8cd3078bea177dbac55c1320c6a1a0e07510a0a7f7dc955665ffa6fbe7540c25bd26e93c7de244c029c36a01efc434b0bea1d7640ecb2d7af89a7ed3b4a2c
|
|
7
|
+
data.tar.gz: f51b37e27e97fa28e50add3589fa7d19b78b2e3304ec43098f31bc864e899e83f728960300fe87d097cce437a274a4614db4f2edd76d324377488f1319b9fee5
|
data/CHANGELOG.md
CHANGED
|
@@ -19,11 +19,9 @@ class LogStash::Filters::Enrsig < LogStash::Filters::Base
|
|
|
19
19
|
#$1$ is first element in element content in query: [{WHOIS: {"id": id_rule, "field": [field_$1$], "name_in_db": "$1$"}},{SSL: {"id": id_rule, "field": [field_$1$,field_$2$], "name_in_db": "https://$1$:$2$"}}]
|
|
20
20
|
config :conf_enrsig, :validate => :string, :default => "/etc/logstash/db/conf_enrsig.json"
|
|
21
21
|
# delay to refresh configuration - default all hours
|
|
22
|
-
config :
|
|
22
|
+
config :refresh_interval, :validate => :number, :default => 3600
|
|
23
23
|
#field name where you add request for server add information active
|
|
24
24
|
config :field_enr, :validate => :string, :default => "request_enrichiment"
|
|
25
|
-
#enr_tag_response used for identify who is origin of resquest, and send response to good server
|
|
26
|
-
config :enr_tag_response, :validate => :string, :required => :true, :default => "ENR_RETURN_TO_JOHN"
|
|
27
25
|
|
|
28
26
|
public
|
|
29
27
|
def register
|
|
@@ -58,15 +56,16 @@ class LogStash::Filters::Enrsig < LogStash::Filters::Base
|
|
|
58
56
|
cnt_ea=0
|
|
59
57
|
for request_cmd in event.get(@field_enr)
|
|
60
58
|
if request_cmd.is_a?(Hash) and not request_cmd.empty?
|
|
61
|
-
|
|
59
|
+
#verify if command in request, exist in db
|
|
60
|
+
if @conf_enr[request_cmd.keys[0]].is_a?(Hash)
|
|
62
61
|
#verify if answer already present in db
|
|
63
62
|
if not @cmd_db[request_cmd.keys[0]].is_a?(Hash) and @cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']].is_a?(Hash)
|
|
64
63
|
#add info
|
|
65
64
|
response[cnt_ea][request_cmd.keys[0]]['response']=@cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']]
|
|
66
65
|
else
|
|
67
66
|
#verify if field is present in event
|
|
68
|
-
next if
|
|
69
|
-
syntax_cmd=@conf_enr[request_cmd.keys[0]][
|
|
67
|
+
next if @conf_enr[request_cmd.keys[0]]['value_format'].length != request_cmd[request_cmd.keys[0]]['field'].length
|
|
68
|
+
syntax_cmd=@conf_enr[request_cmd.keys[0]]['command_syntax'].dup
|
|
70
69
|
#if field link not present, next!
|
|
71
70
|
pnext=false
|
|
72
71
|
cnt_e=1
|
|
@@ -79,23 +78,40 @@ class LogStash::Filters::Enrsig < LogStash::Filters::Base
|
|
|
79
78
|
value_e=event.get(flval.to_s)
|
|
80
79
|
pvf=cnt_e-1
|
|
81
80
|
#verify format (avoid vulnerability escape) || FILTER
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
81
|
+
begin
|
|
82
|
+
if value_e =~ /#{@conf_enr[request_cmd.keys[0]]['value_format'][pvf]}/i
|
|
83
|
+
syntax_cmd.gsub! '$'+cnt_e.to_s+'$', value_e
|
|
84
|
+
cnt_e+=1
|
|
85
|
+
else
|
|
86
|
+
@logger.warn("Format of syntaxe command is bad with filter #{Regexp.escape(@conf_enr[request_cmd.keys[0]]['value_format'][pvf])}", :cmd => value_e)
|
|
87
|
+
end
|
|
88
|
+
rescue
|
|
89
|
+
@logger.warn("Regexp error", :regexp => @conf_enr[request_cmd.keys[0]]['value_format'][pvf])
|
|
85
90
|
end
|
|
91
|
+
|
|
86
92
|
end
|
|
87
93
|
end
|
|
88
94
|
next if pnext
|
|
89
|
-
|
|
95
|
+
#verify if format valid is ok on all field
|
|
96
|
+
next if cnt_e != request_cmd[request_cmd.keys[0]]['field'].length+1 or syntax_cmd =~ /\$\d+\$/
|
|
90
97
|
#run cmd
|
|
91
|
-
output_cmd = `#{@conf_enr[request_cmd.keys[0]][
|
|
92
|
-
#
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
98
|
+
output_cmd = `#{@conf_enr[request_cmd.keys[0]]['command_path']} #{syntax_cmd}`
|
|
99
|
+
#transform "output_cmd" value to HASH with ERB
|
|
100
|
+
begin
|
|
101
|
+
result=ERB.new(@conf_enr[request_cmd.keys[0]]['template_erb']).result(binding)
|
|
102
|
+
result=JSON.parse result.gsub('=>', ':')
|
|
103
|
+
if result.is_a?(Hash)
|
|
104
|
+
#insert in response
|
|
105
|
+
response[cnt_ea][request_cmd.keys[0]]['response']=result
|
|
106
|
+
#insert in db
|
|
107
|
+
@cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']] = {} if @cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']].nil?
|
|
108
|
+
@cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']]=result
|
|
109
|
+
else
|
|
110
|
+
@logger.warn("Command and ERB dont create HASH result!!", :result => result)
|
|
111
|
+
end
|
|
112
|
+
rescue
|
|
113
|
+
@logger.warn("ERB/JSON parse error", :result => output_cmd)
|
|
114
|
+
end
|
|
99
115
|
end
|
|
100
116
|
#finish (resend to origin)
|
|
101
117
|
event.set(@field_enr,response)
|
|
@@ -123,6 +139,12 @@ class LogStash::Filters::Enrsig < LogStash::Filters::Base
|
|
|
123
139
|
@conf_enr = tmp_enr
|
|
124
140
|
@conf_enr.each do |k,v|
|
|
125
141
|
@cmd_db[k]={} if @cmd_db[k].nil?
|
|
142
|
+
if File.file?(@conf_enr[k]['result_parse'].to_s)
|
|
143
|
+
@conf_enr[k]['template_erb']=File.read(@conf_enr[k]['result_parse'].to_s)
|
|
144
|
+
else
|
|
145
|
+
@logger.warn("Template parse for rules #{k.to_s} not find...", :path => @conf_enr[k]['result_parse'])
|
|
146
|
+
@conf_enr[k]['template_erb']=""
|
|
147
|
+
end
|
|
126
148
|
end
|
|
127
149
|
rescue
|
|
128
150
|
@logger.error("JSON CONF ENR_SIG -- PARSE ERROR")
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Gem::Specification.new do |s|
|
|
2
2
|
s.name = 'logstash-filter-enrsig'
|
|
3
|
-
s.version = '0.9.
|
|
3
|
+
s.version = '0.9.2'
|
|
4
4
|
s.licenses = ['Apache License (2.0)']
|
|
5
5
|
s.summary = "This enrsig filter execute request (command) for enrich event."
|
|
6
6
|
s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: logstash-filter-enrsig
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.9.
|
|
4
|
+
version: 0.9.2
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Lionel PRAT
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2017-06-
|
|
11
|
+
date: 2017-06-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|