logstash-filter-spamhaus 1.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 57ef1072ecdea8b4c4f5ef566ce7b2abd4bff8a2
+  data.tar.gz: 6fbabf9d0a966f85130bf6b7a0cf7c2e718c4104
+SHA512:
+  metadata.gz: e2e89dab957e11cd0c067ae70076d776cf3dfb8e45f0717059a45bcbb7df468c8a211efa747fd5a81cf1ec98c196530d323b45af36465b2dbf7eb27da3736c53
+  data.tar.gz: 6d4c7d27f5f75b2513ec2a2d35b49849d3086cca92304f3b5259dcf36c508023d5f82db4dd8e550fef088e87b6b3f0ffc7b2dcbe8e91dafb8d745b0f54f37f7c

data/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 1.0.0
+ - First Release
+

data/CONTRIBUTORS

@@ -0,0 +1,10 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+* Fabio 'MrWHO' Torchetti (fabbari)
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/DEVELOPER.md

@@ -0,0 +1,2 @@
+# logstash-filter-spamhaus
+This filter allows the querying the SpamHaus Zen list for a specific IP.

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2015–2015 ElaWedjaa Inc <http://www.wedjaa.net>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/NOTICE.TXT

@@ -0,0 +1,5 @@
+Logstash SpamHaus Filter
+Copyright 2015-2015 Wedjaa Inc
+
+This product includes software developed by The Apache Software
+Foundation (http://www.apache.org/).

data/README.md

@@ -0,0 +1,79 @@
+# Logstash SpamHaus Plugin
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+This filter allows you to lookup an IP address in the SpamHaus ZEN list. This list includes all of the SpamHaus blacklists.
+
+This filter can be used in the simplest form as follows:
+
+```
+	spamhaus {}
+```
+
+It will run with the following defaults:
+
+ * It will loookup the IP address in the `clientip` field
+ * It will tag IPs in the blacklist as `spamhaus_blacklisted`
+ * It will tag IPs not in the blacklist as `spamhaus_whitelisted`
+
+If an IP is blacklisted it will add a `spamhaus` object to the event with the following properties:
+ * `code`: it's the SpamHaus code for the blocking reason
+ * `blocklist`: it's the SpamHaus blacklist name where this IP was found
+
+## Configuration
+
+The filter accepts the following configuration options:
+
+  * `ip` - It's the field that contains the IP address to resolve. *Default: `clientip`*.
+  * `tag_blacklisted` - The tag to add to the event in case the IP is blacklisted. *Default: `spamhaus_blacklisted`*.
+  * `tag_whitelisted` - The tag to add to the event in case the IP is not in any blacklist. *Default: `spamhaus_whitelisted`*.
+
+A more involved filter configuration could look like:
+
+```
+  spamhaus {
+    ip => 'client_ip'
+    tag_blacklisted => 'blacklisted'
+    tag_whitelisted => 'whitelisted'
+  }
+```
+
+## Missing functionality
+
+This is a bare minimum implementation of the filter. Some things could be good to implement:
+
+  * Lookup multiple IPs
+  * Select the blacklists to lookup
+
+## Compiling and testing
+
+Compiling, deploying and testing this plugin requires JRuby. Not only - you want to make sure that the bundle, rake and rspec commands are run using JRuby.
+
+If you start seeing errors that look like:
+
+```
+Could not find gem 'logstash-devutils (>= 0.0.18) ruby' in any of the gem sources listed in your Gemfile or available on this machine.
+```
+
+*notice the `ruby` bit after the version* - try and make it explicit that you want to use the JRuby versions of the commands:
+
+```
+alias rspec="jruby -S rspec"
+alias rake="jruby -S rake"
+alias bundle="jruby -S bundle"
+```
+
+Once you specified these aliases things should start working as expected -- unless you don't have jruby in your path.
+
+Test it our by running `bundle install && bundle exec rspec` - it should produce some output, ending with the test results:
+
+```
+Finished in 0.382 seconds (files took 4.03 seconds to load)
+2 examples, 0 failures
+
+Randomized with seed xxxxx
+```

data/lib/logstash/filters/spamhaus.rb

@@ -0,0 +1,46 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+require 'charon'
+
+# This filter will populate the 'spamhaus' field in the event
+# with information about the IP extracted from the event. The
+# IP field can be specified in the configuration of the filter
+# by setting 'ip' to the field name. 
+class LogStash::Filters::SpamHaus < LogStash::Filters::Base
+
+  config_name "spamhaus"
+  
+  config :ip, :validate => :string, :default => "clientip"
+  config :tag_blacklisted, :validate => :string, :default => "spamhaus_blacklisted"
+  config :tag_notfound, :validate => :string, :default => "spamhaus_whitelisted"
+  
+
+  public
+  def register
+    # Add instance variables 
+  end # def register
+
+  public
+  def filter(event)
+
+    if @ip
+      lookupip = event[@ip]
+      if lookupip && lookupip =~ /^(\d{1,3}[\.]{0,1}){4}$/
+	event['tags'] ||= [] 
+	result = Charon.query lookupip
+	if result
+		event['spamhaus'] = {
+			"code" => result[0],
+			"blocklist" => result[1]
+		}
+		event['tags'] << @tag_blacklisted
+	else
+		event['tags'] << @tag_notfound
+	end
+      end
+    end
+
+    filter_matched(event)
+  end # def filter
+end # class LogStash::Filters::SpamHaus

data/logstash-filter-spamhaus.gemspec

@@ -0,0 +1,25 @@
+Gem::Specification.new do |s|
+  s.name = 'logstash-filter-spamhaus'
+#  s.platform = 'java'
+  s.version = '1.0.1'
+  s.licenses = ['Apache License (2.0)']
+  s.summary = "This filter will lookup a given IP in the SpamHaus ZEN list and populate the event with the information found on the list."
+  s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
+  s.authors = ["Wedjaa"]
+  s.email = 'info@wedjaa.net'
+  s.homepage = "http://github.com/WedjaaOpen/logstash-filter-spamhaus"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core", ">= 2.0.0", "< 3.0.0"
+  s.add_runtime_dependency "charon", "~> 1.0"
+  s.add_development_dependency 'logstash-devutils', '>= 0.0.18'
+end

data/spec/filters/spamhaus_spec.rb

@@ -0,0 +1,47 @@
+# encoding: utf-8
+require 'spec_helper'
+require "logstash/filters/spamhaus"
+
+describe LogStash::Filters::SpamHaus do
+  describe "Spamhaus should fail on local addresses" do
+    let(:config) do <<-CONFIG
+      filter {
+        spamhaus {
+          ip => "client_ip"
+        }
+      }
+    CONFIG
+    end
+
+    sample('client_ip' => '192.168.66.1' ) do
+        expect(subject).to include("client_ip")
+        expect(subject['client_ip']).to eq('192.168.66.1')
+	expect(subject).to include("tags")
+	expect(subject['tags']).to include('spamhaus_whitelisted')
+    end
+  end
+
+  describe "Spamhaus should report 185.106.92.33 as blacklisted" do
+    let(:config) do <<-CONFIG
+      filter {
+        spamhaus {
+          ip => "client_ip"
+        }
+      }
+    CONFIG
+    end
+
+    sample('client_ip' => '185.106.92.33' ) do
+        expect(subject).to include("client_ip")
+        expect(subject['client_ip']).to eq('185.106.92.33')
+	expect(subject).to include('spamhaus')
+	expect(subject['spamhaus']).to include('code')
+	expect(subject['spamhaus']['code']).to eq(4)
+	expect(subject['spamhaus']).to include('blocklist')
+	expect(subject['spamhaus']['blocklist']).to eq('Exploits Block List')
+	expect(subject).to include("tags")
+	expect(subject['tags']).to include('spamhaus_blacklisted')
+    end
+  end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"

metadata

@@ -0,0 +1,109 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-spamhaus
+version: !ruby/object:Gem::Version
+  version: 1.0.1
+platform: ruby
+authors:
+- Wedjaa
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-12-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: charon
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: logstash-devutils
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.18
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.18
+description: This gem is a logstash plugin required to be installed on top of the
+  Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not
+  a stand-alone program
+email: info@wedjaa.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- CONTRIBUTORS
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- NOTICE.TXT
+- README.md
+- lib/logstash/filters/spamhaus.rb
+- logstash-filter-spamhaus.gemspec
+- spec/filters/spamhaus_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/WedjaaOpen/logstash-filter-spamhaus
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: This filter will lookup a given IP in the SpamHaus ZEN list and populate
+  the event with the information found on the list.
+test_files:
+- spec/filters/spamhaus_spec.rb
+- spec/spec_helper.rb