logstash-filter-threats_classifier 1.0.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 8e639f011ddb86c409900ce85b797485251a1d042b4b1909d333a0abe4144869
+  data.tar.gz: 22650c4aef9462fa2cfb50f37949a8384ddc7a2ae7887996491ec1eacc872b2f
+SHA512:
+  metadata.gz: 2ec63f49cae8ccc6b7f55b709c45cad07d4f565ecc88afe829711f689e89973111d74392689835e42f4a7d2f9d3bf59ab3dd0317311fe0e1d7c0765532644b9a
+  data.tar.gz: e87a67d8b345d894b982c0d1cdaec12eabd43664ed52f86feda3d64a637712ed2901a975a79c82a44905917ec0cd896a9d3552ba1099a9169247276995fca0a4

data/CHANGELOG.md

@@ -0,0 +1,2 @@
+## 0.1.0
+  - Plugin created with the logstash plugin generator

data/CONTRIBUTORS

@@ -0,0 +1,11 @@
+The following is a list of people who have contributed ideas, code, bug
+reports, or in general have helped logstash along its way.
+
+Contributors:
+Assaf Abulafia
+Rami Cohen
+
+Note: If you've sent us patches, bug reports, or otherwise contributed to
+Logstash, and you aren't on the list above and want to be, please let us know
+and we'll make sure you're here. Contributions from folks like you are what make
+open source awesome.

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,11 @@
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,64 @@
+# empow classification plugin
+
+This is a plugin for [Logstash](https://github.com/elastic/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+<a href="https://badge.fury.io/rb/logstash-filter-empowclassifier"><img src="https://badge.fury.io/rb/logstash-filter-empowclassifier.svg" alt="Gem Version" height="18"></a>
+
+# Using the empowclassifier plugin
+
+## Example
+A log may look like this before the classification (in json form):
+```
+{
+	"product_type": "IDS",
+	"product_name": "snort",
+	"threat": { "signature": "1:234" }
+}
+```
+
+After filtering, using the plugin, the response would be contain these fields:
+```
+{
+    "signatureTactics": [
+        {
+            "tactic": "Full compromise - active patterns",
+            "attackStage": "Infiltration",
+            "isSrcPerformer": true
+        }
+    ]
+}
+```
+signatureTactics is an array of the tactics classified by empow.
+
+each result contains the actual tactic, the attack stage empow classified for this log (determined by the tactic and whether the source and dest are within the user’s network), and whether the source was the performer or the victim of this attack.
+
+## Installing the plugin
+```sh
+bin/logstash-plugin install logstash-filter-empowclassifier
+```
+
+## Usage
+```
+input {
+  ...
+}
+
+filter {
+  empowclassifier {
+    username => "cosmo@kramerica.com"
+    password => "12345"
+  }
+}
+
+output {
+  ...
+}
+```
+
+
+
+
+
+I like rice. Rice is great if you're hungry and want 2000 of something.

data/lib/logstash/filters/center-client.rb

@@ -0,0 +1,213 @@
+require "rest-client"
+require "json"
+require 'aws-sdk'
+require_relative 'cognito-client'
+require_relative 'response'
+require_relative 'utils'
+
+
+module LogStash
+  module Filters
+    module Empow
+      class ClassificationCenterClient
+        include LogStash::Util::Loggable
+
+        def initialize(username, password, aws_client_id, url_base)
+          @logger = self.logger
+
+          @token = nil
+          @url_base = url_base
+          
+          aws_region = 'us-east-2'
+
+          @cognito_client = LogStash::Filters::Empow::CognitoClient.new(username, password, aws_region, aws_client_id)
+
+          @last_authenticate_minute = 0
+        end
+
+        public
+        def authenticate
+          # fixme: should check token expiration and throttle connections on failure
+          
+          @token = nil
+
+          @logger.debug("reconnecting to the classfication center")
+
+          current_minute = (Time.now.to_i / 60)
+          if @last_authenticate_minute < current_minute
+            @last_authenticate_minute = current_minute
+            @last_minute_failed_login_count = 0
+            @last_authentication_error = ''
+          end
+
+          # avoid too many authentication requests
+          if @last_minute_failed_login_count < 3
+            begin
+              @token = @cognito_client.authenticate
+            rescue Aws::CognitoIdentityProvider::Errors::NotAuthorizedException, Aws::CognitoIdentityProvider::Errors::UserNotFoundException, Aws::CognitoIdentityProvider::Errors::UserNotConfirmedException => e
+              @logger.warn("unable to authenticate with classification center", :error => e)
+              @last_authentication_error = e.to_s
+              inc_unsuccessful_logins()
+            rescue StandardError => e
+              @logger.warn("unable to authenticate with classification center", :error => e.class.name)
+              @last_authentication_error = e.class.name.to_s
+              inc_unsuccessful_logins()
+            end
+          end
+
+          return (!@token.nil?)
+        end
+
+        private def inc_unsuccessful_logins()
+          @last_minute_failed_login_count = @last_minute_failed_login_count + 1
+        end
+
+        public
+        def classify(requests)
+          authenticate if @token.nil? # try connecting if not already connected
+
+          res = nil
+
+          begin
+            res = classify_online(requests)
+
+          rescue RestClient::Unauthorized, RestClient::Forbidden, RestClient::UpgradeRequired => err
+            @logger.debug("reconnecting to the empow cloud", :error => err)
+
+            if !authenticate
+              return unauthorized_bulk_response(@last_authentication_error, requests)
+            end
+            
+            begin
+              res = classify_online(requests)
+            rescue StandardError => e
+              @logger.debug("encountered an unexpected error on the 2nd attempt", :error => e, :backtrace => e.backtrace)
+
+              error_message = rescue_http_error_result(e)
+
+              return bulk_error(error_message, requests)
+            end
+
+          rescue StandardError => e
+            @logger.error("encountered an unexpected error while querying the center", :error => e)
+
+            error_message = rescue_http_error_result(e)
+
+            return bulk_error(error_message, requests)
+          end
+
+          if res.nil? || res.strip.length == 0
+            return bulk_error("no content", requests)
+          end
+
+          parsed_json = nil
+
+          begin
+            parsed_json = JSON.parse(res)
+          rescue StandardError => e
+            @logger.error("unable to parse json", :json => res)
+            return bulk_error("invalid request", requests)
+          end
+
+          return successful_response(requests, parsed_json)
+        end
+
+        private
+        def rescue_http_error_result(http_error)
+          if (http_error.nil? \
+            or (!defined?(http_error.http_body) or LogStash::Filters::Empow::Utils.is_blank_string(http_error.http_body)))
+            return http_error.to_s
+          else
+            err = http_error.http_body
+
+            begin
+              res = JSON.parse(err)
+              msg = res['message']
+
+              return err if LogStash::Filters::Empow::Utils.is_blank_string(msg)
+
+              return msg
+            rescue StandardError => e
+              @logger.debug("unable to read message body", :error => e)
+              return http_error.http_body
+            end
+          end
+        end
+
+        private
+        def classify_online(bulk_requests)
+          return nil if bulk_requests.nil? or bulk_requests.size == 0
+
+          payload = Array.new(bulk_requests.size)
+
+          bulk_size = bulk_requests.size
+
+          bulk_size.times do |i|
+            payload[i] = bulk_requests[i].to_h
+          end
+
+          payload_json = payload.to_json
+
+          @logger.debug("before online request", :payload => payload_json)
+
+          return RestClient::Request.execute(
+            method:  :post, 
+            url:     "#{@url_base}/intent",
+            payload: payload_json,
+            timeout: 30,
+            headers: { content_type: 'application/json', accept: 'application/json', authorization: @token, Bulksize: bulk_size }
+          ).body
+        end
+
+        private
+        def unauthorized_bulk_response(error_message, requests)
+          return bulk_error_by_type(LogStash::Filters::Empow::UnauthorizedReponse, error_message, requests)
+        end
+
+        private
+        def bulk_error(error_message, requests)
+          return bulk_error_by_type(LogStash::Filters::Empow::FailureResponse, error_message, requests)
+        end
+
+        private
+        def bulk_error_by_type(my_type, error_message, requests)
+          results = Hash.new
+
+          requests.each do |req|
+            res = my_type.new(error_message)
+            results[req] = res
+          end
+
+          return results
+        end
+
+        def successful_response(requests, responses)
+
+          results = Hash.new
+
+          responses.each_with_index do |response, i|
+            req = requests[i]
+            res = nil
+
+            status = response['responseStatus']
+
+            case status
+            when 'SUCCESS'
+              res = LogStash::Filters::Empow::SuccessfulResponse.new(response)
+            when 'IN_PROGRESS'
+              res = LogStash::Filters::Empow::InProgressResponse.new(response)
+            else
+              failure_reason = response['failedReason']
+              res = LogStash::Filters::Empow::FailureResponse.new(failure_reason)
+            end
+
+            results[req] = res
+          end
+
+          return results
+        end
+
+      end
+    end
+  end
+end

data/lib/logstash/filters/classification-request.rb

@@ -0,0 +1,17 @@
+module LogStash; module Filters; module Empow;
+  class LogStash::Filters::Empow::ClassificationRequest < Struct.new(:product_type, :product, :term, :is_src_internal, :is_dst_internal)
+    def initialize(product_type, product, term, is_src_internal, is_dst_internal)
+      if product_type.nil?
+      	raise ArgumentError, 'product type cannot be empty' 
+      end
+
+      product_type = product_type.upcase.strip
+
+      unless product.nil?
+        product = product.downcase.strip
+      end
+
+      super(product_type, product, term, is_src_internal, is_dst_internal)
+    end
+  end
+end; end; end;

data/lib/logstash/filters/classifier-cache.rb

@@ -0,0 +1,51 @@
+require 'time'
+require "lru_redux"
+
+module LogStash
+  module Filters
+    module Empow
+      class ClassifierCache
+        include LogStash::Util::Loggable
+
+        def initialize(cache_size, ttl)
+          @logger ||= self.logger
+
+          @logger.debug("cache size #{cache_size}")
+
+          @lru_cache ||= LruRedux::TTL::ThreadSafeCache.new(cache_size, ttl)
+        end
+
+        def classify(key)
+          return nil if key.nil?
+
+          tuple = @lru_cache[key]
+
+          return nil if tuple.nil?
+
+          expiration_time = tuple[:expiration_time]
+
+          if Time.now > expiration_time
+            @lru_cache.evict(key)
+            return nil
+          end
+
+          res = tuple[:val]
+
+          return res
+        end
+
+        def put(key, val, expiration_time)
+          return if key.nil?
+
+          @logger.debug("caching new entry", :key => key, :val => val)
+
+          tuple = {}
+          tuple[:val] = val
+          tuple[:expiration_time] = expiration_time
+
+          @lru_cache[key] = tuple
+        end
+      end
+    end
+  end
+end

data/lib/logstash/filters/classifier.rb

@@ -0,0 +1,335 @@
+require 'thread'
+require 'time'
+java_import java.util.concurrent.ArrayBlockingQueue
+java_import java.util.concurrent.TimeUnit
+java_import java.lang.InterruptedException
+
+require_relative 'response'
+
+module LogStash; module Filters; module Empow;
+	class Classifier
+		include LogStash::Util::Loggable
+
+		MAX_CONCURRENT_REQUESTS = 10000
+		BATCH_TIMEOUT = 10
+
+		def initialize(online_classifer, local_classifier, online_classification_workers, batch_size, batch_interval, max_retries, time_between_queries)
+			@logger ||= self.logger
+
+			@logger.info("initializing classifier")
+
+			@local_classifier = local_classifier
+			@online_classifer = online_classifer
+			@batch_interval = batch_interval
+			@time_between_queries = time_between_queries
+
+			@inflight_requests = Concurrent::Hash.new
+			@new_request_queue = java.util.concurrent.ArrayBlockingQueue.new(MAX_CONCURRENT_REQUESTS)
+
+			@bulk_processor = Classification::BulkProcessor.new(max_retries, batch_size, time_between_queries, @inflight_requests, online_classifer, local_classifier, online_classification_workers)
+
+			@worker_pool = Concurrent::FixedThreadPool.new(1)
+
+			@worker_pool.post do
+				while @worker_pool.running? do
+					begin
+						management_task()
+					rescue StandardError => e
+						@logger.error("encountered an error while running the management task", :error => e, :backtrace => e.backtrace)
+					end
+				end
+			end
+			@logger.debug("classifier initialized")
+
+			@last_action_time = Time.now
+		end
+
+		public
+		def close
+			@logger.info("shutting down empow's classifcation plugin")
+
+			@inflight_requests.clear()
+
+			@bulk_processor.close
+
+			@worker_pool.kill()
+			@worker_pool.wait_for_termination(5)
+
+			@logger.info("empow classifcation plugin closed")
+		end
+
+		private
+		def management_task
+			begin
+				current_time = Time.now
+
+				diff = (current_time - @bulk_processor.get_last_execution_time()).round
+
+				sleep_time = @batch_interval - diff
+
+				sleep_time = 0 if sleep_time < 0 # in case the rounding caused the number to be smaller than zero
+
+				dequeued_request = nil
+				begin
+					dequeued_request = @new_request_queue.poll(sleep_time, TimeUnit::SECONDS)
+				rescue java.lang.InterruptedException => e
+				end
+
+				# if this is a 'tick'
+				if dequeued_request.nil?
+					@bulk_processor.flush_current_batch
+				else
+					@bulk_processor.add_to_batch(dequeued_request)
+				end
+
+				# skip the 'tick' if the timer hasn't expired
+				return if current_time - @last_action_time < @time_between_queries
+
+				@last_action_time = current_time
+						
+				@bulk_processor.retry_queued_requests()
+			rescue StandardError => e
+				@logger.error("encountered an error while running the management task", :error => e, :backtrace => e.backtrace)
+			end
+		end
+
+		public
+		def classify(request)
+			return nil if request.nil?
+			
+			res = @local_classifier.classify(request)
+			
+			@logger.trace("cached result", :request => request, :res => res)
+			
+			return res if !res.nil?
+
+			request_online_classifiction(request)
+
+			return nil
+		end
+
+		private
+		def request_online_classifiction(req)
+			existing_request = @inflight_requests[req]
+			
+			return if !existing_request.nil? # request already handled by a worker
+
+			@logger.debug("adding request to online classification queue", :request => req)
+
+			task = create_task(req)
+
+			# mark request as in progress
+			@inflight_requests[req] = task
+
+			res = @new_request_queue.offer(req)
+
+			@logger.warn("queue full, request reject", :request => req) if !res
+		end
+
+		private
+		def create_task(request)
+			tuple = {}
+			tuple[:retries] = 0
+			tuple[:request] = request
+			tuple[:last_executed] = Time.at(310953600)
+
+			return tuple
+		end
+	end # class Classifier
+
+	module Classification
+
+		class BulkProcessor
+			include LogStash::Util::Loggable
+
+			ERROR_TTL_SECS = 60
+			THREAD_IDLE_TIME = 60
+			BATCH_TIMEOUT = 10
+
+			public
+			def initialize(max_retries, batch_size, sec_between_attempts, requests_queue, online_classifer, local_classifier, max_concurrent_threads)
+				@logger ||= self.logger
+
+				@max_retries = max_retries
+				@max_batch_size = batch_size
+				@sec_between_attempts = sec_between_attempts
+				@requests_queue = requests_queue
+				@online_classifer = online_classifer
+				@local_classifier = local_classifier
+
+				@online_classification_workers = Concurrent::ThreadPoolExecutor.new(min_threads: 1, max_threads: max_concurrent_threads, idletime: THREAD_IDLE_TIME)
+
+				clear_batch(Time.now)
+			end
+
+			public
+			def close
+				@online_classification_workers.kill()
+				@online_classification_workers.wait_for_termination(10)
+			end
+
+			public
+			def add_to_batch(request)				
+				# add the new request to the batch
+				@current_batch_size = @current_batch_size + 1
+				@current_batch << request
+
+				flush_current_batch
+			end
+
+			public
+			def flush_current_batch
+				current_time = Time.now
+
+				# check if the current batch is full or timed out
+				if (@current_batch_size == @max_batch_size \
+					or (@current_batch_size > 0 and (current_time - @last_execution_time) > BATCH_TIMEOUT))
+
+					bulk_size = @current_batch_size
+					batch = @current_batch
+
+					@online_classification_workers.post do
+						st = Time.now
+						classify_online(batch)
+						et = Time.now
+						diff = (et - st)
+
+						@logger.debug("response received", :bulk_size => bulk_size, :time => diff)
+					end
+					
+					clear_batch(current_time)
+				elsif @current_batch_size == 0
+					@last_execution_time = current_time
+				end
+			end
+
+			public
+			def get_last_execution_time
+				return @last_execution_time
+			end
+
+			private
+			def clear_batch(current_time)
+				@current_batch = Array.new
+				@current_batch_size = 0
+				@last_execution_time = current_time
+			end
+
+			public
+			def retry_queued_requests
+				@logger.debug("retrying queued requests")
+
+				current_time = Time.now
+				batch_size = 0
+				batch = Array.new
+
+				@requests_queue.each do |k, v|
+					last_execution_time = v[:last_executed]
+
+					if batch_size == @max_batch_size
+						@online_classification_workers.post do
+							classify_online(batch)
+						end
+						
+						batch_size = 0
+						batch = Array.new
+					end
+
+					if last_execution_time + @sec_between_attempts > current_time
+						next
+					end
+
+					batch << k
+
+					v[:last_executed] = current_time
+					v[:retries] = v[:retries] + 1
+
+					batch_size = batch_size + 1
+				end
+
+				if batch_size > 0
+					@online_classification_workers.post do
+						classify_online(batch)
+					end
+				end
+
+				# remove requests that were in the queue for too long
+				@requests_queue.delete_if {|key, value| value[:retries] >= @max_retries }
+			end
+
+			private
+			def classify_online(bulk_request)
+
+				results = nil
+				current_time = Time.now
+
+				batch = Array.new
+
+				bulk_request.each do |req|
+					task = @requests_queue[req]
+
+					next if task.nil? # resolved by an earlier thread
+
+					task[:last_executed] = current_time
+					task[:retries] = task[:retries] + 1
+
+					batch << req
+				end
+
+				begin
+					results = @online_classifer.classify(batch)
+				rescue StandardError => e
+					@logger.debug("bulk request ended with a failure, all requests will be removed from queue", :error => e, :backtrace => e.backtrace)
+					
+					batch.each do |req|
+						@requests_queue.delete(request)
+					end
+				end
+
+				if results.size != batch.size
+					@logger.warn("response array isn't the same size as result array. requests: #{batch.size}. results: #{results.size}")
+					return
+				end
+
+				results.each do |request, res|
+					@logger.debug("processing response", :request => request, :response => res)
+					
+					begin
+						expiration_time = Time.now + get_response_ttl(res)
+
+						if res.is_successful
+							# validate the response if needed
+							# put the result in memory and in the local db
+							@local_classifier.save_to_cache_and_db(request, res, expiration_time)
+						else
+							@local_classifier.add_to_cache(request, res, expiration_time) # log the failed result for tagging
+						end
+					rescue StandardError => e
+						@logger.error("encountered an error while trying to process result", :request => request, :error => e, :backtrace => e.backtrace)
+					end
+
+					if res.is_final # in case of anti-malware, the result may change till the classification process is done
+						@requests_queue.delete(request)
+					end
+				end
+			end
+
+			private def get_response_ttl(res)
+				return ERROR_TTL_SECS if !res.is_successful
+
+				responseBody = res.response
+
+				ttl = responseBody['ttlseconds']
+
+				if ttl.nil? or ttl < 0
+					ttl = 60
+				end
+
+				return ttl
+			end
+
+		end # class BulkProcessor
+
+	end # module Classification
+
+end; end; end