logstash-input-honeydb 1.0.0

@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA1:
3
+ metadata.gz: c5816dadb61a267e74f65b0890e536e6735b8202
4
+ data.tar.gz: eeefa5008a64a0d0ea81f7f9d577634aee795fe4
5
+ SHA512:
6
+ metadata.gz: 7c567f39a0c7b94ca6f638ab651947f48a6295892dfd7063af112c71a8b93c59a8af484af89cd9e65f0c07c6cb93b242d20f0fb11aa24c88c7e835d5f97beeaa
7
+ data.tar.gz: faccf31cf7f7dbcbc6d409681ed868c374e37303736f8b2bfef4f8ed7f1b556a80af70c523a65d7e2749d7f54ff541338821cf830446c023006b9b4e6b12a0ba
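--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -0,0 +1,5 @@
+# Changelog
+
+## 1.0.0
+
+- Initial release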
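--- a/data/Gemfile
+++ b/data/Gemfile
@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec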
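--- a/data/LICENSE
+++ b/data/LICENSE
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 HoneyDB
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.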
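--- a/data/README.md
+++ b/data/README.md
@@ -0,0 +1,3 @@
+# logstash-input-honeydb
+
+Logstash Input Plugin for HoneyDB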
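--- a/data/lib/logstash/inputs/honeydb.rb
+++ b/data/lib/logstash/inputs/honeydb.rb
@@ -0,0 +1,142 @@
+# encoding: utf-8
+require "logstash/inputs/base"
+require "logstash/namespace"
+require "stud/interval"
+require "socket" # for Socket.gethostname
+require "json"
+require "date"
+require "rubygems"
+
+# Fetch HoneyDB data.
+#
+class LogStash::Inputs::Honeydb < LogStash::Inputs::Base
+config_name "honeydb"
+
+# If undefined, Logstash will complain, even if codec is unused.
+default :codec, "json"
+
+# Configurable variables
+# HoneyDB API ID.
+config :api_id, :validate => :string, :default => "invalid"
+# HoneyDB Threat Information API Secret Key.
+config :secret_key, :validate => :string, :default => "invalid"
+# The default, `300`, means fetch data every 5 minutes.
+config :interval, :validate => :number, :default => 300
+# Debug for plugin development.
+config :debug, :validate => :boolean, :default => false
+
+public
+def register
+@host = Socket.gethostname
+@http = Net::HTTP.new('honeydb.io', 443)
+@http.set_debug_output($stdout) if @debug
+@http.use_ssl = true
+@latest_from_id = 0
+
+# check if interval value is less than 5 minutes
+if @interval < 300
+@logger.warn("interval value is less than 5 minutes, setting interval to 5 minutes.")
+@interval = 300
+end
+
+# get version for UA string
+spec = Gem::Specification::load("logstash-input-honeydb.gemspec")
+@version = spec.version
+
+@logger.info("Fetching HoneyDB data every #{interval / 60} minutes.")
+end # def register
+
+def run(queue)
+# we can abort the loop if stop? becomes true
+while !stop?
+if fetch(queue)
+@logger.info("Data retreived successfully.")
+end
+
+# because the sleep interval can be big, when shutdown happens
+# we want to be able to abort the sleep
+# Stud.stoppable_sleep will frequently evaluate the given block
+# and abort the sleep(@interval) if the return value is true
+#Stud.stoppable_sleep(@interval) { stop? }
+Stud.stoppable_sleep(@interval) { stop? }
+end # loop
+end # def run
+
+def fetch(queue)
+# get today's date for sensor-data-date parameter
+today = Time.now.utc.strftime("%Y-%m-%d")
+
+# Set up iniital get request and initial next_uri
+get = Net::HTTP::Get.new("/api/sensor-data/mydata?sensor-data-date=#{today}&from-id=#{@latest_from_id}")
+from_id = "not zero"
+
+# Loop through results until next_uri is empty.
+while from_id != 0
+if @debug
+@logger.info("Today: #{today} From: #{from_id} Latest from ID: #{@latest_from_id}")
+end
+
+get["X-HoneyDb-ApiId"] = "#{@api_id}"
+get["X-HoneyDb-ApiKey"] = "#{@secret_key}"
+get['User-Agent'] = "logstash-honeydb/#{@version}"
+
+begin
+response = @http.request(get)
+rescue
+@logger.warn("Could not reach API endpoint to retreive data!")
+return false
+end
+
+if response.code == "524"
+@logger.warn("524 - Origin Timeout!")
+@logger.info("Another attempt will be made later.")
+return false
+end
+
+if response.code == "429"
+@logger.warn("429 - Too Many Requests!")
+@logger.info("You may have reached your requests per month limit, contact HoneyDB for options to increase your limit.")
+return false
+end
+
+if response.code == "404"
+@logger.warn("404 - Not Found!")
+return false
+end
+
+if response.code == "401"
+@logger.warn("401 - Unauthorized!")
+return false
+end
+
+json = JSON.parse(response.body)
+
+# loop through json payloads
+json[0]['data'].each do |payload|
+# add the event
+event = LogStash::Event.new("honeydb" => payload, "host" => @host)
+decorate(event)
+queue << event
+end
+
+# get the next from_id
+from_id = json[1]['from_id']
+
+# continue retreiving from_id if not zero
+if from_id != 0
+@latest_from_id = from_id
+get = Net::HTTP::Get.new("/api/sensor-data/mydata?sensor-data-date=#{today}&from-id=#{@latest_from_id}")
+end
+end
+
+return true
+end
+
+def stop
+# nothing to do in this case so it is not necessary to define stop
+# examples of common "stop" tasks:
+# * close sockets (unblocking blocking reads/accepts)
+# * cleanup temporary files
+# * terminate spawned threads
+end
+end # class LogStash::Inputs::Honeydb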
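Review bot: `config :secret_key, :validate => :string` keeps the API secret as a plain string, so it is printed unredacted wherever Logstash dumps the plugin config or the instance; Logstash's `:validate => :password` wraps it in a redacting Password object, i.e. `config :secret_key, :validate => :password` with `get["X-HoneyDb-ApiKey"] = @secret_key.value` in `fetch`. Related, `@http.set_debug_output($stdout) if @debug` in `register` makes Net::HTTP write every request header, including `X-HoneyDb-ApiId` and `X-HoneyDb-ApiKey`, to stdout whenever `debug` is on, so that switch leaks both credentials into the process log. `register` also loads the gemspec by the relative path `"logstash-input-honeydb.gemspec"`, which resolves against the Logstash process's working directory rather than the plugin's install directory, so `spec` is likely nil there and `spec.version` raises; `Net::HTTP` is used without a `require "net/http"` and relies on something else having loaded it. In `fetch`, any status other than the four checked ones (a 500 or 502 with an HTML body, for instance) falls through to `JSON.parse(response.body)` and `json[0]['data']`, and the resulting exception propagates out of `run`; a `return false unless response.is_a?(Net::HTTPSuccess)` before the parse would keep the polling loop alive.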
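--- a/data/logstash-input-honeydb.gemspec
+++ b/data/logstash-input-honeydb.gemspec
@@ -0,0 +1,24 @@
+Gem::Specification.new do |s|
+s.name = 'logstash-input-honeydb'
+s.version = '1.0.0'
+s.licenses = ['Apache-2.0']
+s.summary = 'Logstash input plugin for HoneyDB.'
+s.description = 'Logstash input plugin for the HoneyDB Threat Information API https://honeydb.io/threats'
+s.homepage = 'https://github.com/honeydbio'
+s.authors = ['honeydbio']
+s.email = 'honeydbio@users.noreply.github.com'
+s.require_paths = ['lib']
+
+# Files
+s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+# Tests
+s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+# Special flag to let us know this is actually a logstash plugin
+s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
+
+# Gem dependencies
+s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
+s.add_runtime_dependency 'stud', '~> 0.0', '>= 0.0.22'
+s.add_development_dependency 'logstash-devutils', '~> 0.0', '>= 0.0.16'
+end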
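Review bot: `s.licenses = ['Apache-2.0']` contradicts the `LICENSE` file added in the same commit, which is the MIT License, and the Apache-2.0 value is what ends up in the published gem metadata; one of the two should change, e.g. `s.licenses = ['MIT']`. The `s.files` glob also names `CONTRIBUTORS` and `NOTICE.TXT`, which the generated metadata's file list shows are not in the package, so those entries are dead and could be dropped or the files added.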
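--- a/data/spec/inputs/honeydb_spec.rb
+++ b/data/spec/inputs/honeydb_spec.rb
@@ -0,0 +1,11 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/inputs/honeydb"
+
+describe LogStash::Inputs::honeydb do
+
+it_behaves_like "an interruptible input plugin" do
+let(:config) { { "interval" => 300 } }
+end
+
+end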
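Review bot: `describe LogStash::Inputs::honeydb do` is a method call on the `LogStash::Inputs` module, not a constant reference, so the spec fails with NoMethodError as soon as it is loaded; the class defined in `lib/logstash/inputs/honeydb.rb` is `LogStash::Inputs::Honeydb`, so this should read `describe LogStash::Inputs::Honeydb do`. Once that is fixed, the shared example presumably calls `register`, which loads the gemspec by a relative path and then issues a real HTTPS request to honeydb.io from `fetch`, so the test will likely need the request stubbed to be hermetic.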
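--- a/metadata
+++ b/metadata
@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification
+name: logstash-input-honeydb
+version: !ruby/object:Gem::Version
+version: 1.0.0
+platform: ruby
+authors:
+- honeydbio
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2020-01-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+name: logstash-core-plugin-api
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '2.0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '2.0'
+- !ruby/object:Gem::Dependency
+name: stud
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.0'
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.0.22
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.0'
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.0.22
+- !ruby/object:Gem::Dependency
+name: logstash-devutils
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.0'
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.0.16
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - "~>"
+- !ruby/object:Gem::Version
+version: '0.0'
+- - ">="
+- !ruby/object:Gem::Version
+version: 0.0.16
+description: Logstash input plugin for the HoneyDB Threat Information API https://honeydb.io/threats
+email: honeydbio@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- Gemfile
+- LICENSE
+- README.md
+- lib/logstash/inputs/honeydb.rb
+- logstash-input-honeydb.gemspec
+- spec/inputs/honeydb_spec.rb
+homepage: https://github.com/honeydbio
+licenses:
+- Apache-2.0
+metadata:
+logstash_plugin: 'true'
+logstash_group: input
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - ">="
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.6.14
+signing_key:
+specification_version: 4
+summary: Logstash input plugin for HoneyDB.
+test_files:
+- spec/inputs/honeydb_spec.rb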