sdee 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b341885807519adf529834f4e2ae227f51afb2c3
+  data.tar.gz: a3fa6f0295f7540c8233f53da5b47d8dabdffb52
+SHA512:
+  metadata.gz: 065f804f8cb7a11b25fa16f3836059b9c89d6d6d66507d23b3050c02c7261f88efc404f250e09deec6fafa6e06a9b32ed52f70bca500edf6776733e83f806d08
+  data.tar.gz: 94c6a956d3492b661123497a259e7f00bea1a58b2d7db7ffbde8a00bc45ac91c92800ce10099f734d47caca1a1a624c6be5ac5045fbf4697f06a46f274036f3d

data/example.rb

@@ -0,0 +1,10 @@
+require './sdee'
+
+# create new SDEE connection
+sdee = SDEE.new(host: 'localhost', user: 'user', pass: 'pass')
+
+# login and set subscriptionId, sessionId
+sdee.login
+
+# print events every 1 second in JSON format
+sdee.poll_events 1

data/lib/sdee.rb

@@ -0,0 +1,171 @@
+require 'base64'
+require 'net/https'
+require 'uri'
+require 'nokogiri'
+require 'json'
+
+class Alert
+  attr_accessor :event_id, :severity, :originator, :alert_time, :risk_rating,
+    :protocol, :sig_id, :subsig_id, :sig_version, :sig_detail, :attacker,
+    :targets, :attacker_locality, :target_locality, :attacker_port,
+    :target_port, :threat_rating
+
+  def initialize(xml_doc)
+    @doc = xml_doc
+
+    build_alert
+    build_sig
+    build_participants 
+  end
+
+  def to_hash
+    vars = {}
+
+    instance_variables.reject {|var| var == :@doc }.each do |var|
+      vars["ids.#{var.to_s[1..-1]}"] = instance_variable_get(var)
+    end
+
+    vars
+  end
+
+  def to_json
+    to_hash.to_json
+  end
+
+  private
+
+  def build_alert
+    @event_id = @doc.xpath('//sd:evIdsAlert').first.attribute('eventId').value
+    @severity = @doc.xpath('//sd:evIdsAlert').first.attribute('severity').value
+    @originator = @doc.xpath('//sd:originator').first.
+      xpath('sd:hostId').first.text
+    @alert_time = @doc.xpath('//sd:time').first.text
+    @risk_rating = @doc.xpath('//cid:riskRatingValue').first.text
+    @threat_rating = @doc.xpath('//cid:threatRatingValue').first.text
+    @protocol = @doc.xpath('//cid:protocol').first.text
+  end
+
+  def build_sig
+    sig = @doc.xpath('//sd:signature').first
+
+    @sig_id = sig.attribute('id').value
+    @sig_version = sig.attribute('version').value
+    @subsig_id = sig.xpath('//cid:subsigId').first.text
+
+    begin
+      @sig_detail = sig.xpath('//cid:sigDetails').first.text
+    rescue
+      @sig_detail = sig.attribute('description').value
+    end
+  end
+
+  def build_participants
+    @targets = []
+
+    attacker = @doc.xpath('//sd:attacker').first
+    attacker_addr = attacker.xpath('//sd:addr').first
+    @attacker_locality = attacker_addr.attribute('locality').value
+    @attacker = attacker_addr.text
+
+    begin
+      @attacker_port = attacker.xpath('//sd:port').first.text
+    rescue
+      @attacker_port = '0'
+    end
+
+    target_list = @doc.xpath('//sd:target')
+
+    target_list.each do |target|
+      data = {}
+
+      target_addr = target.xpath('//sd:addr').first
+
+      data['ids.target'] = target_addr.text
+      data['ids.target_locality'] = target_addr.attribute('locality').value
+
+      begin
+        data['ids.target_port'] = target.xpath('//sd:port').first.text
+      rescue
+        data['ids.target_port'] = '0'
+      end
+
+      @targets << data
+    end
+  end
+end
+
+class SDEE
+  def initialize(options = {})
+    @host = options[:host]
+    @path = '/cgi-bin/sdee-server'
+    @proto = 'https://'
+
+    @creds = Base64.encode64("#{options[:user]}:#{options[:pass]}")
+  end
+
+  def login
+    params = {
+      action: 'open',
+      events: 'evIdsAlert',
+      force: 'yes'
+    }
+
+    response = request params
+    doc = Nokogiri::XML(response.body)
+
+    @session_id = doc.xpath('//env:Header').first.
+      xpath('//sd:oobInfo').first.
+      xpath('//sd:sessionId').first.text
+
+    @subscription_id = doc.xpath('//env:Body').first.
+      xpath('//sd:subscriptionId').first.text
+
+    response
+  end
+
+  def poll_events(sleep_time=1)
+    while true do
+      get_events
+      sleep sleep_time
+    end
+  end
+
+  def get_events
+    puts "Please login first" unless @subscription_id
+
+    params = {
+      action: 'get',
+      confirm: 'yes',
+      timeout: 1,
+      maxNbrofEvents: 20,
+      subscriptionId: @subscription_id,
+      sessionId: @session_id
+    }
+
+    res = request params
+    doc = Nokogiri::XML(res.body)
+
+    xml_alerts = doc.xpath("//sd:evIdsAlert")
+
+    xml_alerts.each do |xml_alert|
+      puts Alert.new(xml_alert).to_json
+    end
+
+    xml_alerts
+  end
+
+  def request(params)
+    http = Net::HTTP.new(@host, 443)
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+    http.ssl_version = :SSLv3
+
+    uri = URI(@proto + @host + @path)
+    uri.query = URI.encode_www_form(params)
+
+    req = Net::HTTP::Get.new(uri)
+    req['Authorization'] = "BASIC #{@creds}"
+
+    response = http.request(req)
+  end
+end

metadata

@@ -0,0 +1,48 @@
+--- !ruby/object:Gem::Specification
+name: sdee
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Jamil Bou Kheir
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-08-16 00:00:00.000000000 Z
+dependencies: []
+description: Secure Device Event Exchange (SDEE) is a simple HTTP-based protocol used
+  by security appliances to exchange events and alerts. Resutls are returned in XML.
+  This is a very bare-bones ruby implementation to get SDEE events from a Cisco IPS
+  in JSON format.
+email: jamil@elbii.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/sdee.rb
+- example.rb
+homepage: https://github.com/elbii/ruby-sdee
+licenses:
+- GPL-2
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.3
+signing_key: 
+specification_version: 4
+summary: Simple Ruby SDEE Poller
+test_files: []