logstash-filter-greynoise 0.1.5 → 0.1.6

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 2e2c91206c1dad50237898f1b3c001bed7003262e429a6681c84d57cc71ab4f9
4
- data.tar.gz: b257152bd4e2bad9192026b5c7ab8a8fb72788182c775aadb32b0a15929c7e0d
3
+ metadata.gz: 770fe4cfb474728588617ecb1c8c4bbf62e068befba16d9597bf2faa366f0059
4
+ data.tar.gz: 5b412561f650fb8b3d993f418326b634344b4a627d90461250ea822422e80b8c
5
5
  SHA512:
6
- metadata.gz: aad9d6870cbb48d2233e560eb8b331d92440cd4fef1d08c2a783fd6e75a7221d694f1e91fed7282fd8916ae8d0885efa9fce65aa355b389834596e9e37882c91
7
- data.tar.gz: e176f3b484088a02db77786438f420b418d3d19351aa01ef2679e05778b58522ee683cc46766e0f3b5fe8dd57db33a9e7588a427b652f028c0ee87527ca49d21
6
+ metadata.gz: 0b1fddfb2a5509caa5712407c0c1087fe9ebb026605ea7516d4d01d490455bb890a98c9258e59c24325e6db4aed161106cd7231912810346f45b646ac12bd4f6
7
+ data.tar.gz: 25ef1b38d123e1f3ffebead3879083a28ddca0af759dc2b8a57a698a7f81f4a80762a32ef2b51197806f5a85d7532bfa7e8fd4cea5525c7c602d6efbda2d9107
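--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -10,4 +10,6 @@
  - Updated key check for len
  ## 0.1.5
  - Fixed nil key error
+ ## 0.1.6
+ - Added LRU cache options and filter for invalid ips
 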
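--- a/data/CONTRIBUTORS
+++ b/data/CONTRIBUTORS
@@ -2,7 +2,7 @@ The following is a list of people who have contributed ideas, code, bug
  reports, or in general have helped logstash along its way.
 
  Contributors:
- * nsherron90 - nsherron90@gmail.com
+ * nicksherron - nsherron90@gmail.com
 
  Note: If you've sent us patches, bug reports, or otherwise contributed to
  Logstash, and you aren't on the list above and want to be, please let us know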
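--- a/data/README.md
+++ b/data/README.md
@@ -19,10 +19,10 @@ $LS_HOME/bin/logstash-plugin install logstash-filter-greynoise
 
  Or you can build it yourself:
  ```
- git clone https://github.com/nsherron90/logstash-filter-greynoise.git
+ git clone https://github.com/nicksherron/logstash-filter-greynoise.git
  bundle install
  gem build logstash-filter-greynoise.gemspec
- $LS_HOME/bin/logstash-plugin install logstash-filter-greynoise-0.1.4.gem
+ $LS_HOME/bin/logstash-plugin install logstash-filter-greynoise-0.1.6.gem
  ```
 
  ### 2. Filter Configuration
@@ -34,6 +34,8 @@ filter {
  ip => "ip_value" # string (required, reference to ip address field)
  key => "your_greynoise_key" # string (optional, no default)
  target => "greynoise" # string (optional, default = greynoise)
+ hit_cache_size => 100 # number (optional, default = 0)
+ hit_cache_ttl => 6 # number (optional, default = 60)
  }
  }
  ```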
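--- a/[lib file path not shown on page]
+++ b/[lib file path not shown on page]
@@ -1,8 +1,10 @@
  # encoding: utf-8
- require "logstash/filters/base"
+ require 'logstash/filters/base'
  require "json"
  require "logstash/namespace"
- require 'faraday'
+ require "faraday"
+ require "ipaddr"
+ require "lru_redux"
 
 
  # This filter will replace the contents of the default
@@ -14,48 +16,113 @@ class LogStash::Filters::Greynoise < LogStash::Filters::Base
  # Setting the config_name here is required. This is how you
  # configure this filter from your Logstash config.
  #
- # filter {
- # greynoise {
- # ip => "ip"
- # }
- # }
+ # filter {
+ # greynoise {
+ # ip => "ip"
+ # }
+ # }
 
  config_name "greynoise"
 
- # Replace the message with this value.
-
+ # ip address to use for greynoise query
  config :ip, :validate => :string, :required => true
+
+ # greynoise enterprise api key
  config :key, :validate => :string, :default => ""
+
+ # target top level key of hash response
  config :target, :validate => :string, :default => "greynoise"
 
+ # tag if ip address supplied is invalid
+ config :tag_on_failure, :validate => :string, :default => '_greynoise_filter_invalid_ip'
 
+ # set the size of cache for successful requests
+ config :hit_cache_size, :validate => :number, :default => 0
+
+ # how long to cache successful requests (in seconds)
+ config :hit_cache_ttl, :validate => :number, :default => 60
 
  public
+
  def register
- end # def register
+ if @hit_cache_size > 0
+ @hit_cache = LruRedux::TTL::ThreadSafeCache.new(@hit_cache_size, @hit_cache_ttl)
+ end
 
- public
- def filter(event)
+ end # def register
 
- # check if api key exists and has len of 25 or more to prevent forbidden response
- if @key.length >= 25
- url = "https://enterprise.api.greynoise.io/v2/noise/context/" + event.sprintf(ip)
- uri = URI.parse(URI.encode(url.strip))
+ private
 
- response = Faraday.get(uri, nil, 'User-Agent' => 'logstash-filter-greynoise', Key: event.sprintf(key))
- # if no key then use alpha(free) api
+ def get_free(target_ip)
+ url = "https://api.greynoise.io/v1/query/ip"
+ response = Faraday.post url, {:ip => target_ip}, 'User-Agent' => 'logstash-filter-greynoise'
+ if response.success?
+ JSON.parse(response.body)
  else
- url = "https://api.greynoise.io/v1/query/ip"
- response = Faraday.post url, { :ip => event.sprintf(ip) }, 'User-Agent' => 'logstash-filter-greynoise'
+ nil
+ end
+ end
+
+ private
 
+ def get_enterprise(target_ip, api_key)
+ url = "https://enterprise.api.greynoise.io/v2/noise/context/" + target_ip
+ uri = URI.parse(URI.encode(url.strip))
+ response = Faraday.get(uri, nil, 'User-Agent' => 'logstash-filter-greynoise', Key: api_key)
+ if response.success?
+ JSON.parse(response.body)
+ else
+ nil
  end
+ end
 
- result = JSON.parse(response.body)
+ public
 
- event.set(@target, result)
- # filter_matched should go in the last line of our successful code
- filter_matched(event)
+ def filter(event)
+ valid = nil
+ begin
+ IPAddr.new(event.sprintf(ip))
+ rescue ArgumentError => e
+ valid = e
+ end
 
+ if valid
+ @logger.error("Invalid IP address, skipping", :ip => event.sprintf(ip), :event => event.to_hash)
+ event.tag(@tag_on_failure)
+ else
+ if @hit_cache
+ result = @hit_cache[event.sprintf(ip)]
+ if result
+ event.set(@target, result)
+ filter_matched(event)
+ else
+ # check if api key exists and has len of 25 or more to prevent forbidden response
+ if @key.length >= 25
+ result = get_enterprise(event.sprintf(ip), event.sprintf(key))
+ # if no key then use alpha(free) api
+ else
+ result = get_free(event.sprintf(ip))
+ end
+ unless result.nil?
+ @hit_cache[event.sprintf(ip)] = result
+ event.set(@target, result)
+ # filter_matched should go in the last line of our successful code
+ filter_matched(event)
+ end
+ end
+ else
+ if @key.length >= 25
+ result = get_enterprise(event.sprintf(ip), event.sprintf(key))
+ else
+ result = get_free(event.sprintf(ip))
+ end
+
+ unless result.nil?
+ event.set(@target, result)
+ filter_matched(event)
+ end
+ end
+ end
  end # def filter
- end # class LogStash::Filters::Greynoise
+ end # def LogStash::Filters::Greynoise
 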
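Review bot: The invalid-address branch on new lines 89–91 writes the entire event into the log (`:event => event.to_hash`) at error level, so every malformed `ip` value copies whatever other fields that event carries into the Logstash log; logging just the offending value, `@logger.warn("Invalid IP address, skipping", :ip => target_ip)`, is enough to diagnose it, and `valid = e` on line 86 stores the exception, so the name reads inverted. Below that, the cached and uncached paths (new lines 93–124) repeat the key-length dispatch and the set/filter_matched tail, and `event.sprintf(ip)` is evaluated up to five times per event; hoisting it once and moving the dispatch into a `lookup` helper leaves a single success path, as sketched below. Two smaller items: `URI.encode` on new line 70 has been deprecated since Ruby 1.9 and is removed in Ruby 3.0, so `get_enterprise` will raise NoMethodError on a JRuby that tracks 3.x — the value has already passed `IPAddr.new`, so the call can presumably be dropped, but confirm against the Ruby level the supported Logstash ships; and the closing comment on new line 127 should read `end # class LogStash::Filters::Greynoise`, since it closes the class, not a method. The two `private` markers (new lines 54 and 66) do the same thing; one is enough.
```ruby
  # … unchanged: register, get_free, get_enterprise …

  public

  def filter(event)
    target_ip = event.sprintf(ip)
    begin
      IPAddr.new(target_ip)
    rescue ArgumentError
      # log only the offending value, not the whole event
      @logger.warn("Invalid IP address, skipping", :ip => target_ip)
      event.tag(@tag_on_failure)
      return
    end

    result = @hit_cache && @hit_cache[target_ip]
    if result.nil?
      result = lookup(target_ip, event)
      # only successful lookups are cached, as before
      @hit_cache[target_ip] = result if @hit_cache && result
    end
    return if result.nil?

    event.set(@target, result)
    # filter_matched should go in the last line of our successful code
    filter_matched(event)
  end # def filter

  private

  # Route to the enterprise endpoint when a plausible key is configured,
  # otherwise to the free endpoint; returns the parsed body or nil.
  def lookup(target_ip, event)
    # check if api key exists and has len of 25 or more to prevent forbidden response
    if @key.length >= 25
      get_enterprise(target_ip, event.sprintf(key))
    else
      get_free(target_ip)
    end
  end
```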
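--- a/logstash-filter-greynoise.gemspec
+++ b/logstash-filter-greynoise.gemspec
@@ -1,10 +1,10 @@
  Gem::Specification.new do |s|
  s.name = 'logstash-filter-greynoise'
- s.version = '0.1.5'
+ s.version = '0.1.6'
  s.licenses = ['Apache-2.0']
  s.summary = 'This greynoise filter takes contents in the ip field and returns greynoise api data (see https://greynoise.io/ for more info).'
  s.description = 'This gem is a Logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/logstash-plugin install logstash-filter-greynoise. This gem is not a stand-alone program'
- s.homepage = 'https://github.com/nsherron90/logstash-filter-greynoise'
+ s.homepage = 'https://github.com/nicksherron/logstash-filter-greynoise'
  s.authors = ['nsherron90']
  s.email = 'nsherron90@gmail.com'
  s.require_paths = ['lib']
@@ -18,8 +18,10 @@ Gem::Specification.new do |s|
  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
 
  # Gem dependencies
- s.add_runtime_dependency 'logstash-core-plugin-api', '~> 2.0'
+ s.add_runtime_dependency "logstash-core-plugin-api", ">= 1.60", "<= 2.99"
  s.add_development_dependency 'logstash-devutils'
- s.add_runtime_dependency 'faraday', '~> 0.9.2'
+ s.add_runtime_dependency 'faraday', '= 0.17.1'
+ s.add_runtime_dependency 'lru_redux', "~> 1.1.0"
+
 
  end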
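Review bot: `s.add_runtime_dependency 'faraday', '= 0.17.1'` on new line 23 pins an exact version, so downstream installs can never pick up a faraday 0.17.x patch release without a new release of this plugin; if the intent is to stay below the 1.0 API break, `'~> 0.17.1'` keeps that guard while still allowing patch updates. The three dependency lines also mix quote styles (`"logstash-core-plugin-api"`, `'faraday'`, `'lru_redux', "~> 1.1.0"`); one style for the block reads better.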
metadata CHANGED
@@ -1,29 +1,35 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: logstash-filter-greynoise
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.5
4
+ version: 0.1.6
5
5
  platform: ruby
6
6
  authors:
7
7
  - nsherron90
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2019-05-14 00:00:00.000000000 Z
11
+ date: 2020-01-24 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  requirement: !ruby/object:Gem::Requirement
15
15
  requirements:
16
- - - "~>"
16
+ - - ">="
17
+ - !ruby/object:Gem::Version
18
+ version: '1.60'
19
+ - - "<="
17
20
  - !ruby/object:Gem::Version
18
- version: '2.0'
21
+ version: '2.99'
19
22
  name: logstash-core-plugin-api
20
23
  prerelease: false
21
24
  type: :runtime
22
25
  version_requirements: !ruby/object:Gem::Requirement
23
26
  requirements:
24
- - - "~>"
27
+ - - ">="
25
28
  - !ruby/object:Gem::Version
26
- version: '2.0'
29
+ version: '1.60'
30
+ - - "<="
31
+ - !ruby/object:Gem::Version
32
+ version: '2.99'
27
33
  - !ruby/object:Gem::Dependency
28
34
  requirement: !ruby/object:Gem::Requirement
29
35
  requirements:
@@ -41,17 +47,31 @@ dependencies:
41
47
  - !ruby/object:Gem::Dependency
42
48
  requirement: !ruby/object:Gem::Requirement
43
49
  requirements:
44
- - - "~>"
50
+ - - '='
45
51
  - !ruby/object:Gem::Version
46
- version: 0.9.2
52
+ version: 0.17.1
47
53
  name: faraday
48
54
  prerelease: false
49
55
  type: :runtime
56
+ version_requirements: !ruby/object:Gem::Requirement
57
+ requirements:
58
+ - - '='
59
+ - !ruby/object:Gem::Version
60
+ version: 0.17.1
61
+ - !ruby/object:Gem::Dependency
62
+ requirement: !ruby/object:Gem::Requirement
63
+ requirements:
64
+ - - "~>"
65
+ - !ruby/object:Gem::Version
66
+ version: 1.1.0
67
+ name: lru_redux
68
+ prerelease: false
69
+ type: :runtime
50
70
  version_requirements: !ruby/object:Gem::Requirement
51
71
  requirements:
52
72
  - - "~>"
53
73
  - !ruby/object:Gem::Version
54
- version: 0.9.2
74
+ version: 1.1.0
55
75
  description: This gem is a Logstash plugin required to be installed on top of the
56
76
  Logstash core pipeline using $LS_HOME/bin/logstash-plugin install logstash-filter-greynoise.
57
77
  This gem is not a stand-alone program
@@ -70,7 +90,7 @@ files:
70
90
  - logstash-filter-greynoise.gemspec
71
91
  - spec/filters/greynoise_spec.rb
72
92
  - spec/spec_helper.rb
73
- homepage: https://github.com/nsherron90/logstash-filter-greynoise
93
+ homepage: https://github.com/nicksherron/logstash-filter-greynoise
74
94
  licenses:
75
95
  - Apache-2.0
76
96
  metadata: