logstash-filter-virustotal 0.1.2

checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: 5c7d554b9fcd4f6f4b101702b2290861e4a3ef45
4
+ data.tar.gz: d7bd4ef5214b25ad168a3f99f84f518921babac3
5
+ SHA512:
6
+ metadata.gz: 7a19b7b82ea169a2a5ee9f89c5b619a445d6c28a7af3a1fe2bb51a871e9892e08978f12333a94503cab5df1a90f044eee60d65b5c5751fa8bbd2c30aff15ebd4
7
+ data.tar.gz: e38b330dab8deb515cbf750b6281fc23255d7ad3455b55b7b80766981a7278e8bc68c25e09215af4b9754906aead07b104ad197a4508003f84bb6baa5816f187
data/DEVELOPER.md ADDED
@@ -0,0 +1,2 @@
1
+ # logstash-filter-example
2
+ Example filter plugin. This should help bootstrap your effort to write your own filter plugin!
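Review bot: DEVELOPER.md still carries the template text (`# logstash-filter-example`, "Example filter plugin. This should help bootstrap your effort...") and says nothing about this plugin; replace it with a short description of the virustotal filter and its options (`apikey`, `field`, `lookup_type`, `target`), or drop the file, since in its current form it misleads anyone reading the gem.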
data/Gemfile ADDED
@@ -0,0 +1,3 @@
1
+ source 'https://rubygems.org'
2
+ gemspec
3
+ gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5"
data/LICENSE ADDED
@@ -0,0 +1,13 @@
1
+ Copyright (c) 2012-2015 Elasticsearch <http://www.elasticsearch.org>
2
+
3
+ Licensed under the Apache License, Version 2.0 (the "License");
4
+ you may not use this file except in compliance with the License.
5
+ You may obtain a copy of the License at
6
+
7
+ http://www.apache.org/licenses/LICENSE-2.0
8
+
9
+ Unless required by applicable law or agreed to in writing, software
10
+ distributed under the License is distributed on an "AS IS" BASIS,
11
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12
+ See the License for the specific language governing permissions and
13
+ limitations under the License.
data/README.md ADDED
@@ -0,0 +1,122 @@
1
+ # Logstash Plugin
2
+
3
+ This is a plugin for [Logstash](https://github.com/elasticsearch/logstash).
4
+
5
+ It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
6
+
7
+ ## Documentation
8
+
9
+ Options:
10
+
11
+ apikey - This is your API Key from Virustotal
12
+ field - the field that contains the resource you want to query for
13
+ lookup_type - The lookup type, either 'url' or 'hash' for a URL or File hash. Default: hash
14
+ target - Where you want the data to go within the event structure. Default: virustotal
15
+
16
+ ```
17
+ input {
18
+ generator {
19
+ type => "generated"
20
+ #message => '99017f6eebbac24f351415dd410d522d'
21
+ message => "http://www.google.com"
22
+ count => 1
23
+ }
24
+ }
25
+
26
+ filter {
27
+ virustotal {
28
+ apikey => '[API KEY]'
29
+ field => "message"
30
+ lookup_type => "url"
31
+ }
32
+ }
33
+
34
+ output {
35
+ stdout { codec => rubydebug }
36
+ }
37
+ ```
38
+
39
+ ## Need Help?
40
+
41
+ Need help? Try #logstash on freenode IRC or the logstash-users@googlegroups.com mailing list.
42
+
43
+ Need help specificly to this plugin? Find @coolacid on Freenode IRC or twitter.
44
+
45
+ ## Developing
46
+
47
+ ### 1. Plugin Developement and Testing
48
+
49
+ #### Code
50
+ - To get started, you'll need JRuby with the Bundler gem installed.
51
+
52
+ - Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization.
53
+
54
+ - Install dependencies
55
+ ```sh
56
+ bundle install
57
+ ```
58
+
59
+ #### Test
60
+
61
+ ```sh
62
+ bundle exec rspec
63
+ ```
64
+
65
+ The Logstash code required to run the tests/specs is specified in the `Gemfile` by the line similar to:
66
+ ```ruby
67
+ gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5"
68
+ ```
69
+ To test against another version or a local Logstash, edit the `Gemfile` to specify an alternative location, for example:
70
+ ```ruby
71
+ gem "logstash", :github => "elasticsearch/logstash", :ref => "master"
72
+ ```
73
+ ```ruby
74
+ gem "logstash", :path => "/your/local/logstash"
75
+ ```
76
+
77
+ Then update your dependencies and run your tests:
78
+
79
+ ```sh
80
+ bundle install
81
+ bundle exec rspec
82
+ ```
83
+
84
+ ### 2. Running your unpublished Plugin in Logstash
85
+
86
+ #### 2.1 Run in a local Logstash clone
87
+
88
+ - Edit Logstash `tools/Gemfile` and add the local plugin path, for example:
89
+ ```ruby
90
+ gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
91
+ ```
92
+ - Update Logstash dependencies
93
+ ```sh
94
+ rake vendor:gems
95
+ ```
96
+ - Run Logstash with your plugin
97
+ ```sh
98
+ bin/logstash -e 'filter {awesome {}}'
99
+ ```
100
+ At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
101
+
102
+ #### 2.2 Run in an installed Logstash
103
+
104
+ - Build your plugin gem
105
+ ```sh
106
+ gem build logstash-filter-awesome.gemspec
107
+ ```
108
+ - Install the plugin from the Logstash home
109
+ ```sh
110
+ bin/plugin install /your/local/plugin/logstash-filter-awesome.gem
111
+ ```
112
+ - Start Logstash and proceed to test the plugin
113
+
114
+ ## Contributing
115
+
116
+ All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
117
+
118
+ Programming is not a required skill. Whatever you've seen about open source and maintainers or community members saying "send patches or die" - you will not see that here.
119
+
120
+ It is more important to me that you are able to contribute.
121
+
122
+ For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.
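Review bot: the options list omits the `timeout` setting that the filter code defines (`config :timeout, :validate => :number, :default => 5`), and it should say that `lookup_type` accepts only `hash` or `url`, since nothing else is handled. The sample pipeline puts the key inline (`apikey => '[API KEY]'`); worth a sentence that the pipeline config file then holds a live credential and needs restrictive file permissions, and that every value read from `field` (a hash or a full URL) is sent to VirusTotal, so operators should limit which events reach this filter. The "Developing" section still uses the template names (`logstash-filter-awesome`, `filter {awesome {}}`) rather than this gem's own; and "specificly" should read "specifically".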
data/Rakefile ADDED
@@ -0,0 +1 @@
1
+ require "logstash/devutils/rake"
@@ -0,0 +1,64 @@
1
+ # encoding: utf-8
2
+ require "logstash/filters/base"
3
+ require "logstash/namespace"
4
+ require "json"
5
+
6
+ # This example filter will replace the contents of the default
7
+ # message field with whatever you specify in the configuration.
8
+ #
9
+ # It is only intended to be used as an example.
10
+ class LogStash::Filters::VirusTotal < LogStash::Filters::Base
11
+
12
+ config_name "virustotal"
13
+
14
+ # Your VirusTotal API Key
15
+ config :apikey, :validate => :string, :required => true
16
+
17
+ # For filed containing the item to lookup. This can point to a field ontaining a File Hash or URL
18
+ config :field, :validate => :string, :required => true
19
+
20
+ # Lookup type
21
+ config :lookup_type, :validate => :string, :default => "hash"
22
+
23
+ # Where you want the data to be placed
24
+ config :target, :validate => :string, :default => "virustotal"
25
+
26
+ # Timeout waiting for resopnse
27
+ config :timeout, :validate => :number, :default => 5
28
+
29
+ public
30
+ def register
31
+ require "faraday"
32
+ end # def register
33
+
34
+ public
35
+ def filter(event)
36
+
37
+ baseurl = "https://www.virustotal.com"
38
+
39
+ if @lookup_type == "hash"
40
+ url = "/vtapi/v2/file/report"
41
+ elsif @lookup_type == "url"
42
+ url = "/vtapi/v2/url/report"
43
+ end
44
+
45
+ connection = Faraday.new baseurl
46
+ begin
47
+ response = connection.get url do |req|
48
+ req.params[:resource] = event[@field]
49
+ req.params[:apikey] = @apikey
50
+ req.options.timeout = @timeout
51
+ req.options.open_timeout = @timeout
52
+ end
53
+ result = JSON.parse(response.body)
54
+ event[@target] = result
55
+ # filter_matched should go in the last line of our successful code
56
+ filter_matched(event)
57
+
58
+ rescue Faraday::TimeoutError
59
+ @logger.error("Timeout trying to contact virustotal")
60
+
61
+ end
62
+
63
+ end # def filter
64
+ end # class LogStash::Filters::Example
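Review bot: `url` is only assigned for `"hash"` and `"url"`, so any other `lookup_type` value reaches `connection.get url` with `nil` and raises inside the pipeline worker; enforce the allowed values at load time (`config :lookup_type, :validate => ["hash", "url"], :default => "hash"`) or add an `else` branch that logs and returns. The `rescue Faraday::TimeoutError` is the only error handling: a connection failure (`Faraday::ConnectionFailed`), a non-2xx status (the code never checks `response.status` before `JSON.parse(response.body)`) or a non-JSON body all escape unhandled, and a missing `event[@field]` sends an empty `resource`. Check the status and the field before calling out, rescue the broader Faraday and `JSON::ParserError` cases, and tag the event on failure (for example `event.tag("_virustotalfailure")`) so failed lookups stay visible downstream instead of silently leaving the event untouched. The header comment ("This example filter will replace the contents of the default message field...") and the closing `# end class LogStash::Filters::Example` are template leftovers that no longer describe this class, and the `:field` and `:timeout` comments have typos ("For filed", "ontaining", "resopnse").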
@@ -0,0 +1,23 @@
1
+ Gem::Specification.new do |s|
2
+ s.name = 'logstash-filter-virustotal'
3
+ s.version = '0.1.2'
4
+ s.licenses = ['Apache License (2.0)']
5
+ s.summary = "This filter queries the Virustotal API"
6
+ s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
7
+ s.authors = ["CoolAcid"]
8
+ s.email = 'jakendall@gmail.com'
9
+ s.homepage = "http://www.coolacid.net"
10
+ s.require_paths = ["lib"]
11
+
12
+ # Files
13
+ s.files = `git ls-files`.split($\)
14
+ # Tests
15
+ s.test_files = s.files.grep(%r{^(test|spec|features)/})
16
+
17
+ # Special flag to let us know this is actually a logstash plugin
18
+ s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
19
+
20
+ # Gem dependencies
21
+ s.add_runtime_dependency 'logstash-core', '>= 1.4.0', '< 2.0.0'
22
+ s.add_development_dependency 'logstash-devutils'
23
+ end
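Review bot: `faraday` is required at runtime by the filter's `register` method (`require "faraday"`) but is not declared here; only `logstash-core` is listed under `s.add_runtime_dependency`, so an install from the gem will fail at load time unless faraday happens to be present. Add `s.add_runtime_dependency 'faraday'` with a version bound, and consider listing `json` explicitly as well since `virustotal.rb` requires it.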
@@ -0,0 +1,3 @@
1
+ require "logstash/devutils/rspec/spec_helper"
2
+ require "logstash/filters/example"
3
+
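Review bot: the spec requires `logstash/filters/example` instead of `logstash/filters/virustotal`, so `bundle exec rspec` will fail with a LoadError before any test runs, and the file contains no examples at all. Fix the require and add at least a test that the `hash` and `url` lookup types select the expected endpoint and that an unsupported `lookup_type` is rejected, stubbing the HTTP call so the suite does not contact VirusTotal.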
metadata ADDED
@@ -0,0 +1,88 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: logstash-filter-virustotal
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.2
5
+ platform: ruby
6
+ authors:
7
+ - CoolAcid
8
+ autorequire:
9
+ bindir: bin
10
+ cert_chain: []
11
+ date: 2015-08-14 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: logstash-core
15
+ version_requirements: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - '>='
18
+ - !ruby/object:Gem::Version
19
+ version: 1.4.0
20
+ - - <
21
+ - !ruby/object:Gem::Version
22
+ version: 2.0.0
23
+ requirement: !ruby/object:Gem::Requirement
24
+ requirements:
25
+ - - '>='
26
+ - !ruby/object:Gem::Version
27
+ version: 1.4.0
28
+ - - <
29
+ - !ruby/object:Gem::Version
30
+ version: 2.0.0
31
+ prerelease: false
32
+ type: :runtime
33
+ - !ruby/object:Gem::Dependency
34
+ name: logstash-devutils
35
+ version_requirements: !ruby/object:Gem::Requirement
36
+ requirements:
37
+ - - '>='
38
+ - !ruby/object:Gem::Version
39
+ version: '0'
40
+ requirement: !ruby/object:Gem::Requirement
41
+ requirements:
42
+ - - '>='
43
+ - !ruby/object:Gem::Version
44
+ version: '0'
45
+ prerelease: false
46
+ type: :development
47
+ description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
48
+ email: jakendall@gmail.com
49
+ executables: []
50
+ extensions: []
51
+ extra_rdoc_files: []
52
+ files:
53
+ - DEVELOPER.md
54
+ - Gemfile
55
+ - LICENSE
56
+ - README.md
57
+ - Rakefile
58
+ - lib/logstash/filters/virustotal.rb
59
+ - logstash-filter-virustotal.gemspec
60
+ - spec/filters/virustotal_spec.rb
61
+ homepage: http://www.coolacid.net
62
+ licenses:
63
+ - Apache License (2.0)
64
+ metadata:
65
+ logstash_plugin: 'true'
66
+ logstash_group: filter
67
+ post_install_message:
68
+ rdoc_options: []
69
+ require_paths:
70
+ - lib
71
+ required_ruby_version: !ruby/object:Gem::Requirement
72
+ requirements:
73
+ - - '>='
74
+ - !ruby/object:Gem::Version
75
+ version: '0'
76
+ required_rubygems_version: !ruby/object:Gem::Requirement
77
+ requirements:
78
+ - - '>='
79
+ - !ruby/object:Gem::Version
80
+ version: '0'
81
+ requirements: []
82
+ rubyforge_project:
83
+ rubygems_version: 2.1.9
84
+ signing_key:
85
+ specification_version: 4
86
+ summary: This filter queries the Virustotal API
87
+ test_files:
88
+ - spec/filters/virustotal_spec.rb
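Review bot: `cert_chain: []` and the empty `signing_key:` show this gem is published unsigned, so consumers can verify integrity only through the registry's checksums.yaml, not authorship; consider signing releases. The `dependencies:` list here also confirms that `faraday`, which the filter requires at runtime, is absent from the published metadata.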