logstash-filter-virustotal 0.1.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5c7d554b9fcd4f6f4b101702b2290861e4a3ef45
+  data.tar.gz: d7bd4ef5214b25ad168a3f99f84f518921babac3
+SHA512:
+  metadata.gz: 7a19b7b82ea169a2a5ee9f89c5b619a445d6c28a7af3a1fe2bb51a871e9892e08978f12333a94503cab5df1a90f044eee60d65b5c5751fa8bbd2c30aff15ebd4
+  data.tar.gz: e38b330dab8deb515cbf750b6281fc23255d7ad3455b55b7b80766981a7278e8bc68c25e09215af4b9754906aead07b104ad197a4508003f84bb6baa5816f187

data/DEVELOPER.md

@@ -0,0 +1,2 @@
+# logstash-filter-example
+Example filter plugin. This should help bootstrap your effort to write your own filter plugin!

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+gemspec
+gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5"

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012-2015 Elasticsearch <http://www.elasticsearch.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/README.md

@@ -0,0 +1,122 @@
+# Logstash Plugin
+
+This is a plugin for [Logstash](https://github.com/elasticsearch/logstash).
+
+It is fully free and fully open source. The license is Apache 2.0, meaning you are pretty much free to use it however you want in whatever way.
+
+## Documentation
+
+Options:
+
+apikey - This is your API Key from Virustotal
+field - the field that contains the resource you want to query for 
+lookup_type - The lookup type, either 'url' or 'hash' for a URL or File hash. Default: hash
+target - Where you want the data to go within the event structure. Default: virustotal
+
+```
+input {
+  generator {
+    type => "generated"
+    #message => '99017f6eebbac24f351415dd410d522d'
+    message => "http://www.google.com"
+    count => 1
+  }
+}
+
+filter {
+  virustotal {
+    apikey => '[API KEY]'
+    field => "message"
+    lookup_type => "url"
+  }
+}
+
+output {
+    stdout { codec => rubydebug }
+}
+```
+
+## Need Help?
+
+Need help? Try #logstash on freenode IRC or the logstash-users@googlegroups.com mailing list.
+
+Need help specificly to this plugin? Find @coolacid on Freenode IRC or twitter.
+
+## Developing
+
+### 1. Plugin Developement and Testing
+
+#### Code
+- To get started, you'll need JRuby with the Bundler gem installed.
+
+- Create a new plugin or clone and existing from the GitHub [logstash-plugins](https://github.com/logstash-plugins) organization.
+
+- Install dependencies
+```sh
+bundle install
+```
+
+#### Test
+
+```sh
+bundle exec rspec
+```
+
+The Logstash code required to run the tests/specs is specified in the `Gemfile` by the line similar to:
+```ruby
+gem "logstash", :github => "elasticsearch/logstash", :branch => "1.5"
+```
+To test against another version or a local Logstash, edit the `Gemfile` to specify an alternative location, for example:
+```ruby
+gem "logstash", :github => "elasticsearch/logstash", :ref => "master"
+```
+```ruby
+gem "logstash", :path => "/your/local/logstash"
+```
+
+Then update your dependencies and run your tests:
+
+```sh
+bundle install
+bundle exec rspec
+```
+
+### 2. Running your unpublished Plugin in Logstash
+
+#### 2.1 Run in a local Logstash clone
+
+- Edit Logstash `tools/Gemfile` and add the local plugin path, for example:
+```ruby
+gem "logstash-filter-awesome", :path => "/your/local/logstash-filter-awesome"
+```
+- Update Logstash dependencies
+```sh
+rake vendor:gems
+```
+- Run Logstash with your plugin
+```sh
+bin/logstash -e 'filter {awesome {}}'
+```
+At this point any modifications to the plugin code will be applied to this local Logstash setup. After modifying the plugin, simply rerun Logstash.
+
+#### 2.2 Run in an installed Logstash
+
+- Build your plugin gem
+```sh
+gem build logstash-filter-awesome.gemspec
+```
+- Install the plugin from the Logstash home
+```sh
+bin/plugin install /your/local/plugin/logstash-filter-awesome.gem
+```
+- Start Logstash and proceed to test the plugin
+
+## Contributing
+
+All contributions are welcome: ideas, patches, documentation, bug reports, complaints, and even something you drew up on a napkin.
+
+Programming is not a required skill. Whatever you've seen about open source and maintainers or community members  saying "send patches or die" - you will not see that here.
+
+It is more important to me that you are able to contribute.
+
+For more information about contributing, see the [CONTRIBUTING](https://github.com/elasticsearch/logstash/blob/master/CONTRIBUTING.md) file.

data/Rakefile

@@ -0,0 +1 @@
+require "logstash/devutils/rake"

data/lib/logstash/filters/virustotal.rb

@@ -0,0 +1,64 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+require "json"
+
+# This example filter will replace the contents of the default 
+# message field with whatever you specify in the configuration.
+#
+# It is only intended to be used as an example.
+class LogStash::Filters::VirusTotal < LogStash::Filters::Base
+
+  config_name "virustotal"
+  
+  # Your VirusTotal API Key
+  config :apikey, :validate => :string, :required => true
+  
+  # For filed containing the item to lookup. This can point to a field ontaining a File Hash or URL
+  config :field, :validate => :string, :required => true
+
+  # Lookup type
+  config :lookup_type, :validate => :string, :default => "hash"
+
+  # Where you want the data to be placed
+  config :target, :validate => :string, :default => "virustotal"
+
+  # Timeout waiting for resopnse
+  config :timeout, :validate => :number, :default => 5
+
+  public
+  def register
+    require "faraday"
+  end # def register
+
+  public
+  def filter(event)
+
+    baseurl = "https://www.virustotal.com"
+
+    if @lookup_type == "hash"
+      url = "/vtapi/v2/file/report"
+    elsif @lookup_type == "url"
+      url = "/vtapi/v2/url/report"
+    end
+
+    connection = Faraday.new baseurl
+    begin
+      response = connection.get url do |req|
+        req.params[:resource] = event[@field]
+        req.params[:apikey] = @apikey
+        req.options.timeout = @timeout
+        req.options.open_timeout = @timeout
+      end
+      result = JSON.parse(response.body)
+      event[@target] = result
+      # filter_matched should go in the last line of our successful code
+      filter_matched(event)
+
+    rescue Faraday::TimeoutError
+      @logger.error("Timeout trying to contact virustotal")
+
+    end
+
+  end # def filter
+end # class LogStash::Filters::Example

data/logstash-filter-virustotal.gemspec

@@ -0,0 +1,23 @@
+Gem::Specification.new do |s|
+  s.name = 'logstash-filter-virustotal'
+  s.version         = '0.1.2'
+  s.licenses = ['Apache License (2.0)']
+  s.summary = "This filter queries the Virustotal API"
+  s.description = "This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program"
+  s.authors = ["CoolAcid"]
+  s.email = 'jakendall@gmail.com'
+  s.homepage = "http://www.coolacid.net"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash-core', '>= 1.4.0', '< 2.0.0'
+  s.add_development_dependency 'logstash-devutils'
+end

data/spec/filters/virustotal_spec.rb

@@ -0,0 +1,3 @@
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/filters/example"
+

metadata

@@ -0,0 +1,88 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-virustotal
+version: !ruby/object:Gem::Version
+  version: 0.1.2
+platform: ruby
+authors:
+- CoolAcid
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2015-08-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash-core
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  prerelease: false
+  type: :runtime
+- !ruby/object:Gem::Dependency
+  name: logstash-devutils
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  prerelease: false
+  type: :development
+description: This gem is a logstash plugin required to be installed on top of the Logstash core pipeline using $LS_HOME/bin/plugin install gemname. This gem is not a stand-alone program
+email: jakendall@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- DEVELOPER.md
+- Gemfile
+- LICENSE
+- README.md
+- Rakefile
+- lib/logstash/filters/virustotal.rb
+- logstash-filter-virustotal.gemspec
+- spec/filters/virustotal_spec.rb
+homepage: http://www.coolacid.net
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: filter
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.1.9
+signing_key:
+specification_version: 4
+summary: This filter queries the Virustotal API
+test_files:
+- spec/filters/virustotal_spec.rb