logstash-filter-greynoise 0.1.5 → 0.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +2 -0
- data/CONTRIBUTORS +1 -1
- data/README.md +4 -2
- data/lib/logstash/filters/greynoise.rb +92 -25
- data/logstash-filter-greynoise.gemspec +6 -4
- metadata +30 -10
    
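--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 770fe4cfb474728588617ecb1c8c4bbf62e068befba16d9597bf2faa366f0059
+  data.tar.gz: 5b412561f650fb8b3d993f418326b634344b4a627d90461250ea822422e80b8c
 SHA512:
-  metadata.gz:
-  data.tar.gz:
+  metadata.gz: 0b1fddfb2a5509caa5712407c0c1087fe9ebb026605ea7516d4d01d490455bb890a98c9258e59c24325e6db4aed161106cd7231912810346f45b646ac12bd4f6
+  data.tar.gz: 25ef1b38d123e1f3ffebead3879083a28ddca0af759dc2b8a57a698a7f81f4a80762a32ef2b51197806f5a85d7532bfa7e8fd4cea5525c7c602d6efbda2d9107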
    
        data/CHANGELOG.md
    CHANGED
    
    
    
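--- a/data/CONTRIBUTORS
+++ b/data/CONTRIBUTORS
@@ -2,7 +2,7 @@ The following is a list of people who have contributed ideas, code, bug
 reports, or in general have helped logstash along its way.
 
 Contributors:
-* 
+* nicksherron - nsherron90@gmail.com
 
 Note: If you've sent us patches, bug reports, or otherwise contributed to
 Logstash, and you aren't on the list above and want to be, please let us know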
    
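--- a/data/README.md
+++ b/data/README.md
@@ -19,10 +19,10 @@ $LS_HOME/bin/logstash-plugin install logstash-filter-greynoise
 
 Or you can build it yourself:
 ```
-git clone https://github.com/
+git clone https://github.com/nicksherron/logstash-filter-greynoise.git
 bundle install
 gem build logstash-filter-greynoise.gemspec
-$LS_HOME/bin/logstash-plugin install logstash-filter-greynoise-0.1.
+$LS_HOME/bin/logstash-plugin install logstash-filter-greynoise-0.1.6.gem
 ```
 
 ### 2. Filter Configuration
@@ -34,6 +34,8 @@ filter {
     ip => "ip_value"                 # string (required, reference to ip address field)
     key => "your_greynoise_key"      # string (optional, no default)
     target => "greynoise"            # string (optional, default = greynoise)
+    hit_cache_size => 100            # number (optional, default = 0)
+    hit_cache_ttl => 6               # number (optional, default = 60) 
   }
 }
 ```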
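--- a/data/lib/logstash/filters/greynoise.rb
+++ b/data/lib/logstash/filters/greynoise.rb
@@ -1,8 +1,10 @@
 # encoding: utf-8
-require 
+require 'logstash/filters/base'
 require "json"
 require "logstash/namespace"
-require 
+require "faraday"
+require "ipaddr"
+require "lru_redux"
 
 
 # This  filter will replace the contents of the default
@@ -14,48 +16,113 @@ class LogStash::Filters::Greynoise < LogStash::Filters::Base
   # Setting the config_name here is required. This is how you
   # configure this filter from your Logstash config.
   #
-
-
-
-
-
+  #  filter {
+  #   greynoise {
+  #     ip => "ip"
+  #   }
+  #  }
 
   config_name "greynoise"
 
-  #
-
+  # ip address to use for greynoise query
   config :ip, :validate => :string, :required => true
+
+  # greynoise enterprise api key
   config :key, :validate => :string, :default => ""
+
+  # target top level key of hash response
   config :target, :validate => :string, :default => "greynoise"
 
+  # tag if ip address supplied is invalid
+  config :tag_on_failure, :validate => :string, :default => '_greynoise_filter_invalid_ip'
 
+  # set the size of cache for successful requests
+  config :hit_cache_size, :validate => :number, :default => 0
+
+  # how long to cache successful requests (in seconds)
+  config :hit_cache_ttl, :validate => :number, :default => 60
 
   public
+
   def register
-
+    if @hit_cache_size > 0
+      @hit_cache = LruRedux::TTL::ThreadSafeCache.new(@hit_cache_size, @hit_cache_ttl)
+    end
 
-
-  def filter(event)
+  end # def register
 
-
-    if @key.length >= 25
-      url = "https://enterprise.api.greynoise.io/v2/noise/context/" + event.sprintf(ip)
-      uri = URI.parse(URI.encode(url.strip))
+  private
 
-
-
+  def get_free(target_ip)
+    url = "https://api.greynoise.io/v1/query/ip"
+    response = Faraday.post url, {:ip => target_ip}, 'User-Agent' => 'logstash-filter-greynoise'
+    if response.success?
+      JSON.parse(response.body)
     else
-
-
+      nil
+    end
+  end
+
+  private
 
+  def get_enterprise(target_ip, api_key)
+    url = "https://enterprise.api.greynoise.io/v2/noise/context/" + target_ip
+    uri = URI.parse(URI.encode(url.strip))
+    response = Faraday.get(uri, nil, 'User-Agent' => 'logstash-filter-greynoise', Key: api_key)
+    if response.success?
+      JSON.parse(response.body)
+    else
+      nil
     end
+  end
 
-
+  public
 
-
-
-
+  def filter(event)
+    valid = nil
+    begin
+      IPAddr.new(event.sprintf(ip))
+    rescue ArgumentError => e
+      valid = e
+    end
 
+    if valid
+      @logger.error("Invalid IP address, skipping", :ip => event.sprintf(ip), :event => event.to_hash)
+      event.tag(@tag_on_failure)
+    else
+      if @hit_cache
+        result = @hit_cache[event.sprintf(ip)]
+        if result
+          event.set(@target, result)
+          filter_matched(event)
+        else
+          # check if api key exists and has len of 25 or more to prevent forbidden response
+          if @key.length >= 25
+            result = get_enterprise(event.sprintf(ip), event.sprintf(key))
+            # if no key then use alpha(free) api
+          else
+            result = get_free(event.sprintf(ip))
+          end
+          unless result.nil?
+            @hit_cache[event.sprintf(ip)] = result
+            event.set(@target, result)
+            # filter_matched should go in the last line of our successful code
+            filter_matched(event)
+          end
+        end
+      else
+        if @key.length >= 25
+          result = get_enterprise(event.sprintf(ip), event.sprintf(key))
+        else
+          result = get_free(event.sprintf(ip))
+        end
+
+        unless result.nil?
+          event.set(@target, result)
+          filter_matched(event)
+        end
+      end
+    end
   end # def filter
-end # 
+end # def LogStash::Filters::Greynoise
 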
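Review bot: Transport failures are not handled in `get_free` (new line 58) and `get_enterprise` (new line 71): `response.success?` only covers the HTTP status, while Faraday raises `Faraday::ConnectionFailed` / `Faraday::TimeoutError` on DNS, connect or read errors, so one unreachable API endpoint propagates out of `filter` and, as far as I can tell from the Logstash filter contract, takes the pipeline worker down with it. Both helpers should rescue `Faraday::Error` (and `JSON::ParserError` for a non-JSON 200 body), log at warn with the target ip, and return `nil`, which is exactly the miss the existing `unless result.nil?` branches already expect; the rewritten enterprise helper is below and `get_free` follows the same shape. `URI.encode` on new line 70 is obsolete (removed in Ruby 3.0) and unnecessary once `IPAddr.new` has accepted the value, but note that `IPAddr.new` also accepts CIDR notation such as `10.0.0.0/8`, so a validated string can still carry a `/` into the URL path; comparing the input against `IPAddr.new(value).to_s`, or rejecting it when `.include?("/")`, is the tight check. The cache-miss and no-cache branches of `filter` (new lines 99–105 and 114–118) duplicate the key-length dispatch, which a single private `lookup(target_ip, api_key)` helper would remove, and `event.sprintf(ip)` is evaluated seven times per event where one local would do. Finally, `@logger.error(..., :event => event.to_hash)` on new line 90 writes the entire event into the log for every malformed input; logging only the offending value at warn keeps unrelated field contents out of the log file.
```ruby
  def get_enterprise(target_ip, api_key)
    url = "https://enterprise.api.greynoise.io/v2/noise/context/" + target_ip
    response = Faraday.get(url, nil, 'User-Agent' => 'logstash-filter-greynoise', Key: api_key)
    response.success? ? JSON.parse(response.body) : nil
  rescue Faraday::Error, JSON::ParserError => e
    # transport or parse failure: treat as a miss so the event still passes through
    @logger.warn("greynoise lookup failed", :ip => target_ip, :error => e.message)
    nil
  end
  # … unchanged: get_free gets the same rescue clause; filter unchanged …
```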
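--- a/data/logstash-filter-greynoise.gemspec
+++ b/data/logstash-filter-greynoise.gemspec
@@ -1,10 +1,10 @@
 Gem::Specification.new do |s|
   s.name          = 'logstash-filter-greynoise'
-  s.version       = '0.1.
+  s.version       = '0.1.6'
   s.licenses      = ['Apache-2.0']
   s.summary = 'This greynoise filter takes contents in the ip field and returns greynoise api data (see https://greynoise.io/ for more info).'
   s.description     = 'This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install logstash-filter-greynoise. This gem is not a stand-alone program'
-  s.homepage = 'https://github.com/
+  s.homepage = 'https://github.com/nicksherron/logstash-filter-greynoise'
   s.authors       = ['nsherron90']
   s.email         = 'nsherron90@gmail.com'
   s.require_paths = ['lib']
@@ -18,8 +18,10 @@ Gem::Specification.new do |s|
   s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
 
   # Gem dependencies
-  s.add_runtime_dependency 
+  s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
   s.add_development_dependency 'logstash-devutils'
-  s.add_runtime_dependency  'faraday', '
+  s.add_runtime_dependency  'faraday', '= 0.17.1'
+  s.add_runtime_dependency 'lru_redux', "~> 1.1.0"
+
 
 end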
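Review bot: The exact pin `'faraday', '= 0.17.1'` on new line 23 freezes the HTTP client at one release, so patch releases of faraday, including any security fixes, can never be picked up by an installing user without a new plugin release. The filter only calls `Faraday.get`, `Faraday.post` and `response.success?`, so a pessimistic constraint such as `s.add_runtime_dependency 'faraday', '~> 0.17.1'` keeps the same major/minor compatibility while allowing patch updates; the `lru_redux` line on new line 24 already follows that convention.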
    
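--- a/metadata
+++ b/metadata
@@ -1,29 +1,35 @@
 --- !ruby/object:Gem::Specification
 name: logstash-filter-greynoise
 version: !ruby/object:Gem::Version
-  version: 0.1.
+  version: 0.1.6
 platform: ruby
 authors:
 - nsherron90
 autorequire:
 bindir: bin
 cert_chain: []
-date: 
+date: 2020-01-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '1.60'
+    - - "<="
       - !ruby/object:Gem::Version
-        version: '2.
+        version: '2.99'
   name: logstash-core-plugin-api
   prerelease: false
   type: :runtime
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '
+        version: '1.60'
+    - - "<="
+      - !ruby/object:Gem::Version
+        version: '2.99'
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
@@ -41,17 +47,31 @@ dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - 
+    - - '='
       - !ruby/object:Gem::Version
-        version: 0.
+        version: 0.17.1
   name: faraday
   prerelease: false
   type: :runtime
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.17.1
+- !ruby/object:Gem::Dependency
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  name: lru_redux
+  prerelease: false
+  type: :runtime
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 
+        version: 1.1.0
 description: This gem is a Logstash plugin required to be installed on top of the
   Logstash core pipeline using $LS_HOME/bin/logstash-plugin install logstash-filter-greynoise.
   This gem is not a stand-alone program
@@ -70,7 +90,7 @@ files:
 - logstash-filter-greynoise.gemspec
 - spec/filters/greynoise_spec.rb
 - spec/spec_helper.rb
-homepage: https://github.com/
+homepage: https://github.com/nicksherron/logstash-filter-greynoise
 licenses:
 - Apache-2.0
 metadata: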