logstash-input-honeydb 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: c5816dadb61a267e74f65b0890e536e6735b8202
+  data.tar.gz: eeefa5008a64a0d0ea81f7f9d577634aee795fe4
+SHA512:
+  metadata.gz: 7c567f39a0c7b94ca6f638ab651947f48a6295892dfd7063af112c71a8b93c59a8af484af89cd9e65f0c07c6cb93b242d20f0fb11aa24c88c7e835d5f97beeaa
+  data.tar.gz: faccf31cf7f7dbcbc6d409681ed868c374e37303736f8b2bfef4f8ed7f1b556a80af70c523a65d7e2749d7f54ff541338821cf830446c023006b9b4e6b12a0ba

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+# Changelog
+
+## 1.0.0
+
+- Initial release

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 HoneyDB
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,3 @@
+# logstash-input-honeydb
+
+Logstash Input Plugin for HoneyDB

data/lib/logstash/inputs/honeydb.rb

@@ -0,0 +1,142 @@
+# encoding: utf-8
+require "logstash/inputs/base"
+require "logstash/namespace"
+require "stud/interval"
+require "socket" # for Socket.gethostname
+require "json"
+require "date"
+require "rubygems"
+
+# Fetch HoneyDB data.
+#
+class LogStash::Inputs::Honeydb < LogStash::Inputs::Base
+  config_name "honeydb"
+
+  # If undefined, Logstash will complain, even if codec is unused.
+  default :codec, "json"
+
+  # Configurable variables
+  # HoneyDB API ID.
+  config :api_id, :validate => :string, :default => "invalid"
+  # HoneyDB Threat Information API Secret Key.
+  config :secret_key, :validate => :string, :default => "invalid" 
+  # The default, `300`, means fetch data every 5 minutes.
+  config :interval, :validate => :number, :default => 300
+  # Debug for plugin development.
+  config :debug, :validate => :boolean, :default => false
+
+  public
+  def register
+    @host = Socket.gethostname
+    @http = Net::HTTP.new('honeydb.io', 443)
+    @http.set_debug_output($stdout) if @debug
+    @http.use_ssl = true
+    @latest_from_id = 0
+
+    # check if interval value is less than 5 minutes
+    if @interval < 300
+      @logger.warn("interval value is less than 5 minutes, setting interval to 5 minutes.")
+      @interval = 300
+    end
+
+    # get version for UA string
+    spec = Gem::Specification::load("logstash-input-honeydb.gemspec")
+    @version = spec.version
+
+    @logger.info("Fetching HoneyDB data every #{interval / 60} minutes.")
+  end # def register
+
+  def run(queue)
+    # we can abort the loop if stop? becomes true
+    while !stop?
+      if fetch(queue)
+        @logger.info("Data retreived successfully.")
+      end
+
+      # because the sleep interval can be big, when shutdown happens
+      # we want to be able to abort the sleep
+      # Stud.stoppable_sleep will frequently evaluate the given block
+      # and abort the sleep(@interval) if the return value is true
+      #Stud.stoppable_sleep(@interval) { stop? }
+      Stud.stoppable_sleep(@interval) { stop? }
+    end # loop
+  end # def run
+
+  def fetch(queue)
+    # get today's date for sensor-data-date parameter
+    today = Time.now.utc.strftime("%Y-%m-%d")
+
+    # Set up iniital get request and initial next_uri
+    get = Net::HTTP::Get.new("/api/sensor-data/mydata?sensor-data-date=#{today}&from-id=#{@latest_from_id}")
+    from_id = "not zero"
+
+    # Loop through results until next_uri is empty.
+    while from_id != 0
+      if @debug
+        @logger.info("Today: #{today} From: #{from_id} Latest from ID: #{@latest_from_id}")
+      end
+
+      get["X-HoneyDb-ApiId"] = "#{@api_id}"
+      get["X-HoneyDb-ApiKey"] = "#{@secret_key}"
+      get['User-Agent'] = "logstash-honeydb/#{@version}"
+
+      begin
+        response = @http.request(get)
+      rescue
+        @logger.warn("Could not reach API endpoint to retreive data!")
+        return false
+      end
+
+      if response.code == "524"
+        @logger.warn("524 - Origin Timeout!")
+        @logger.info("Another attempt will be made later.")
+        return false
+      end
+
+      if response.code == "429"
+        @logger.warn("429 - Too Many Requests!")
+        @logger.info("You may have reached your requests per month limit, contact HoneyDB for options to increase your limit.")
+        return false
+      end
+
+      if response.code == "404"
+        @logger.warn("404 - Not Found!")
+        return false
+      end
+
+      if response.code == "401"
+        @logger.warn("401 - Unauthorized!")
+        return false
+      end
+
+      json = JSON.parse(response.body)
+
+      # loop through json payloads
+      json[0]['data'].each do |payload|
+        # add the event
+        event = LogStash::Event.new("honeydb" => payload, "host" => @host)
+        decorate(event)
+        queue << event
+      end
+
+      # get the next from_id
+      from_id = json[1]['from_id']
+
+      # continue retreiving from_id if not zero
+      if from_id != 0
+        @latest_from_id = from_id
+        get = Net::HTTP::Get.new("/api/sensor-data/mydata?sensor-data-date=#{today}&from-id=#{@latest_from_id}")
+      end
+    end
+
+    return true
+  end
+
+  def stop
+    # nothing to do in this case so it is not necessary to define stop
+    # examples of common "stop" tasks:
+    #  * close sockets (unblocking blocking reads/accepts)
+    #  * cleanup temporary files
+    #  * terminate spawned threads
+  end
+end # class LogStash::Inputs::Honeydb

data/logstash-input-honeydb.gemspec

@@ -0,0 +1,24 @@
+Gem::Specification.new do |s|
+  s.name          = 'logstash-input-honeydb'
+  s.version       = '1.0.0'
+  s.licenses      = ['Apache-2.0']
+  s.summary       = 'Logstash input plugin for HoneyDB.'
+  s.description   = 'Logstash input plugin for the HoneyDB Threat Information API https://honeydb.io/threats'
+  s.homepage      = 'https://github.com/honeydbio'
+  s.authors       = ['honeydbio']
+  s.email         = 'honeydbio@users.noreply.github.com'
+  s.require_paths = ['lib']
+
+  # Files
+  s.files = Dir['lib/**/*','spec/**/*','vendor/**/*','*.gemspec','*.md','CONTRIBUTORS','Gemfile','LICENSE','NOTICE.TXT']
+   # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "logstash_group" => "input" }
+
+  # Gem dependencies
+  s.add_runtime_dependency "logstash-core-plugin-api", "~> 2.0"
+  s.add_runtime_dependency 'stud', '~> 0.0', '>= 0.0.22'
+  s.add_development_dependency 'logstash-devutils', '~> 0.0', '>= 0.0.16'
+end

data/spec/inputs/honeydb_spec.rb

@@ -0,0 +1,11 @@
+# encoding: utf-8
+require "logstash/devutils/rspec/spec_helper"
+require "logstash/inputs/honeydb"
+
+describe LogStash::Inputs::honeydb do
+
+  it_behaves_like "an interruptible input plugin" do
+    let(:config) { { "interval" => 300 } }
+  end
+
+end

metadata

@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification
+name: logstash-input-honeydb
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- honeydbio
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2020-01-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash-core-plugin-api
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: stud
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.22
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.22
+- !ruby/object:Gem::Dependency
+  name: logstash-devutils
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.16
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.16
+description: Logstash input plugin for the HoneyDB Threat Information API https://honeydb.io/threats
+email: honeydbio@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- Gemfile
+- LICENSE
+- README.md
+- lib/logstash/inputs/honeydb.rb
+- logstash-input-honeydb.gemspec
+- spec/inputs/honeydb_spec.rb
+homepage: https://github.com/honeydbio
+licenses:
+- Apache-2.0
+metadata:
+  logstash_plugin: 'true'
+  logstash_group: input
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.6.14
+signing_key: 
+specification_version: 4
+summary: Logstash input plugin for HoneyDB.
+test_files:
+- spec/inputs/honeydb_spec.rb