logstash-filter-enrsig 0.9.0 → 0.9.2

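--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 84e77805192b5d3326e4f53f39d034c33e12769e
-data.tar.gz: f4fc00f516082fd074aa015dbe77f45096a2ec5b
+metadata.gz: 5d36b413abe822c6e3563d63382043763773217a
+data.tar.gz: f54d34fe5483edda1d3ef1c5c623eaac7cc1a855
 SHA512:
-metadata.gz: 91ba0adb49f7e2cd18ddcc3f55dac198fda344cd0830b3636f73d654905c9dd511d69a33c3e4d826f152e609c88be8c76aa5cae2280e4f7e5d1e074a288eaa19
-data.tar.gz: e795d79d4d2abbefe21f5bf6ee860971af531211ecb05092d40e25b492ef9ed9f0d09a70df4c55761f8f0601990664746c4d4210ee775ae798537c19a722bf01
+metadata.gz: 21a8cd3078bea177dbac55c1320c6a1a0e07510a0a7f7dc955665ffa6fbe7540c25bd26e93c7de244c029c36a01efc434b0bea1d7640ecb2d7af89a7ed3b4a2c
+data.tar.gz: f51b37e27e97fa28e50add3589fa7d19b78b2e3304ec43098f31bc864e899e83f728960300fe87d097cce437a274a4614db4f2edd76d324377488f1319b9fee5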
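--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.9.2
+- add conf sample nbtscan
+- Correct bug, code work.
+## 0.9.1
+- Add conf sample for whois
+- Correct code bug
 ## 0.9.0
 - Plugins work on logstash 5.4
 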
@@ -19,11 +19,9 @@ class LogStash::Filters::Enrsig < LogStash::Filters::Base
19
19
  #$1$ is first element in element content in query: [{WHOIS: {"id": id_rule, "field": [field_$1$], "name_in_db": "$1$"}},{SSL: {"id": id_rule, "field": [field_$1$,field_$2$], "name_in_db": "https://$1$:$2$"}}]
20
20
  config :conf_enrsig, :validate => :string, :default => "/etc/logstash/db/conf_enrsig.json"
21
21
  # delay to refresh configuration - default all hours
22
- config :refresh_interval_whois, :validate => :number, :default => 3600
22
+ config :refresh_interval, :validate => :number, :default => 3600
23
23
  #field name where you add request for server add information active
24
24
  config :field_enr, :validate => :string, :default => "request_enrichiment"
25
- #enr_tag_response used for identify who is origin of resquest, and send response to good server
26
- config :enr_tag_response, :validate => :string, :required => :true, :default => "ENR_RETURN_TO_JOHN"
27
25
 
28
26
  public
29
27
  def register
@@ -58,15 +56,16 @@ class LogStash::Filters::Enrsig < LogStash::Filters::Base
58
56
  cnt_ea=0
59
57
  for request_cmd in event.get(@field_enr)
60
58
  if request_cmd.is_a?(Hash) and not request_cmd.empty?
61
- unless @conf_enr[request_cmd.keys[0]].is_a?(Hash)
59
+ #verify if command in request, exist in db
60
+ if @conf_enr[request_cmd.keys[0]].is_a?(Hash)
62
61
  #verify if answer already present in db
63
62
  if not @cmd_db[request_cmd.keys[0]].is_a?(Hash) and @cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']].is_a?(Hash)
64
63
  #add info
65
64
  response[cnt_ea][request_cmd.keys[0]]['response']=@cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']]
66
65
  else
67
66
  #verify if field is present in event
68
- next if request_cmd[request_cmd.keys[0]]['value_format'].length != request_cmd[request_cmd.keys[0]]['field'].length
69
- syntax_cmd=@conf_enr[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['command_syntax']].dup
67
+ next if @conf_enr[request_cmd.keys[0]]['value_format'].length != request_cmd[request_cmd.keys[0]]['field'].length
68
+ syntax_cmd=@conf_enr[request_cmd.keys[0]]['command_syntax'].dup
70
69
  #if field link not present, next!
71
70
  pnext=false
72
71
  cnt_e=1
@@ -79,23 +78,40 @@ class LogStash::Filters::Enrsig < LogStash::Filters::Base
79
78
  value_e=event.get(flval.to_s)
80
79
  pvf=cnt_e-1
81
80
  #verify format (avoid vulnerability escape) || FILTER
82
- if value_e =~ /#{request_cmd[request_cmd.keys[0]]['value_format'][pvf]}/i
83
- syntax_cmd.gsub! '$'+cnt_e.to_s+'$', value_e
84
- cnt_e+=1
81
+ begin
82
+ if value_e =~ /#{@conf_enr[request_cmd.keys[0]]['value_format'][pvf]}/i
83
+ syntax_cmd.gsub! '$'+cnt_e.to_s+'$', value_e
84
+ cnt_e+=1
85
+ else
86
+ @logger.warn("Format of syntaxe command is bad with filter #{Regexp.escape(@conf_enr[request_cmd.keys[0]]['value_format'][pvf])}", :cmd => value_e)
87
+ end
88
+ rescue
89
+ @logger.warn("Regexp error", :regexp => @conf_enr[request_cmd.keys[0]]['value_format'][pvf])
85
90
  end
91
+
86
92
  end
87
93
  end
88
94
  next if pnext
89
- next if cnt_e != request_cmd[request_cmd.keys[0]]['field'].length or syntax_cmd =~ /\$\d+\$/
95
+ #verify if format valid is ok on all field
96
+ next if cnt_e != request_cmd[request_cmd.keys[0]]['field'].length+1 or syntax_cmd =~ /\$\d+\$/
90
97
  #run cmd
91
- output_cmd = `#{@conf_enr[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['command_path']]} #{syntax_cmd}`
92
- #collect result and format
93
- result=JSON.parse(ERB.new(@conf_enr[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['command_syntax']]).result(binding))
94
- #insert in response
95
- response[cnt_ea][request_cmd.keys[0]]['response']=result
96
- #insert in db
97
- @cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']] = {} if @cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']].nil?
98
- @cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']]=result
98
+ output_cmd = `#{@conf_enr[request_cmd.keys[0]]['command_path']} #{syntax_cmd}`
99
+ #transform "output_cmd" value to HASH with ERB
100
+ begin
101
+ result=ERB.new(@conf_enr[request_cmd.keys[0]]['template_erb']).result(binding)
102
+ result=JSON.parse result.gsub('=>', ':')
103
+ if result.is_a?(Hash)
104
+ #insert in response
105
+ response[cnt_ea][request_cmd.keys[0]]['response']=result
106
+ #insert in db
107
+ @cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']] = {} if @cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']].nil?
108
+ @cmd_db[request_cmd.keys[0]][request_cmd[request_cmd.keys[0]]['name_in_db']]=result
109
+ else
110
+ @logger.warn("Command and ERB dont create HASH result!!", :result => result)
111
+ end
112
+ rescue
113
+ @logger.warn("ERB/JSON parse error", :result => output_cmd)
114
+ end
99
115
  end
100
116
  #finish (resend to origin)
101
117
  event.set(@field_enr,response)
@@ -123,6 +139,12 @@ class LogStash::Filters::Enrsig < LogStash::Filters::Base
123
139
  @conf_enr = tmp_enr
124
140
  @conf_enr.each do |k,v|
125
141
  @cmd_db[k]={} if @cmd_db[k].nil?
142
+ if File.file?(@conf_enr[k]['result_parse'].to_s)
143
+ @conf_enr[k]['template_erb']=File.read(@conf_enr[k]['result_parse'].to_s)
144
+ else
145
+ @logger.warn("Template parse for rules #{k.to_s} not find...", :path => @conf_enr[k]['result_parse'])
146
+ @conf_enr[k]['template_erb']=""
147
+ end
126
148
  end
127
149
  rescue
128
150
  @logger.error("JSON CONF ENR_SIG -- PARSE ERROR")
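Review bot: The value filter in the third hunk, `if value_e =~ /#{@conf_enr[request_cmd.keys[0]]['value_format'][pvf]}/i`, is an unanchored substring match, so unless every configured pattern already carries `\A`/`\z` an event value such as `8.8.8.8;id` satisfies an IP-shaped pattern, is spliced into `syntax_cmd` by `gsub!`, and reaches the shell through the backtick call `#{@conf_enr[request_cmd.keys[0]]['command_path']} #{syntax_cmd}` — this check is the only thing between an event field and command injection. Moving `value_format` and `command_syntax` from the event into `@conf_enr` is the right direction, but the match should be anchored and the substituted value shell-escaped: `if value_e.is_a?(String) && value_e.match?(/\A(?:#{@conf_enr[request_cmd.keys[0]]['value_format'][pvf]})\z/i)` and `syntax_cmd.gsub!('$'+cnt_e.to_s+'$', Shellwords.escape(value_e))` (with `require 'shellwords'`; running `command_path` without a shell via `Open3.capture2` would be better still). Two smaller points in the same hunk: `result.gsub('=>', ':')` before `JSON.parse` corrupts any command output that itself contains `=>`, so the ERB template should emit JSON directly (for example `<%= h.to_json %>`) and the gsub be dropped; and the template loaded in the last hunk from the config-chosen `result_parse` path is evaluated with `binding`, i.e. it is arbitrary Ruby run as the Logstash user, which deserves a comment such as `# NOTE: result_parse templates are executable Ruby — restrict who can write them`. The method these hunks patch (presumably `filter`) starts before the first hunk and ends after the last one, and the bare `rescue` blocks inherit whatever it does with the event on failure.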
@@ -1,6 +1,6 @@
1
1
  Gem::Specification.new do |s|
2
2
  s.name = 'logstash-filter-enrsig'
3
- s.version = '0.9.0'
3
+ s.version = '0.9.2'
4
4
  s.licenses = ['Apache License (2.0)']
5
5
  s.summary = "This enrsig filter execute request (command) for enrich event."
6
6
  s.description = "This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install gemname. This gem is not a stand-alone program"
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-filter-enrsig
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.9.0
4
+ version: 0.9.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Lionel PRAT
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2017-06-02 00:00:00.000000000 Z
11
+ date: 2017-06-12 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement