sdee 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- data/example.rb +10 -0
- data/lib/sdee.rb +171 -0
- metadata +48 -0
checksums.yaml
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
---
|
|
2
|
+
SHA1:
|
|
3
|
+
metadata.gz: b341885807519adf529834f4e2ae227f51afb2c3
|
|
4
|
+
data.tar.gz: a3fa6f0295f7540c8233f53da5b47d8dabdffb52
|
|
5
|
+
SHA512:
|
|
6
|
+
metadata.gz: 065f804f8cb7a11b25fa16f3836059b9c89d6d6d66507d23b3050c02c7261f88efc404f250e09deec6fafa6e06a9b32ed52f70bca500edf6776733e83f806d08
|
|
7
|
+
data.tar.gz: 94c6a956d3492b661123497a259e7f00bea1a58b2d7db7ffbde8a00bc45ac91c92800ce10099f734d47caca1a1a624c6be5ac5045fbf4697f06a46f274036f3d
|
data/example.rb
ADDED
data/lib/sdee.rb
ADDED
|
@@ -0,0 +1,171 @@
|
|
|
1
|
+
require 'base64'
|
|
2
|
+
require 'net/https'
|
|
3
|
+
require 'uri'
|
|
4
|
+
require 'nokogiri'
|
|
5
|
+
require 'json'
|
|
6
|
+
|
|
7
|
+
class Alert
|
|
8
|
+
attr_accessor :event_id, :severity, :originator, :alert_time, :risk_rating,
|
|
9
|
+
:protocol, :sig_id, :subsig_id, :sig_version, :sig_detail, :attacker,
|
|
10
|
+
:targets, :attacker_locality, :target_locality, :attacker_port,
|
|
11
|
+
:target_port, :threat_rating
|
|
12
|
+
|
|
13
|
+
def initialize(xml_doc)
|
|
14
|
+
@doc = xml_doc
|
|
15
|
+
|
|
16
|
+
build_alert
|
|
17
|
+
build_sig
|
|
18
|
+
build_participants
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
def to_hash
|
|
22
|
+
vars = {}
|
|
23
|
+
|
|
24
|
+
instance_variables.reject {|var| var == :@doc }.each do |var|
|
|
25
|
+
vars["ids.#{var.to_s[1..-1]}"] = instance_variable_get(var)
|
|
26
|
+
end
|
|
27
|
+
|
|
28
|
+
vars
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
def to_json
|
|
32
|
+
to_hash.to_json
|
|
33
|
+
end
|
|
34
|
+
|
|
35
|
+
private
|
|
36
|
+
|
|
37
|
+
def build_alert
|
|
38
|
+
@event_id = @doc.xpath('//sd:evIdsAlert').first.attribute('eventId').value
|
|
39
|
+
@severity = @doc.xpath('//sd:evIdsAlert').first.attribute('severity').value
|
|
40
|
+
@originator = @doc.xpath('//sd:originator').first.
|
|
41
|
+
xpath('sd:hostId').first.text
|
|
42
|
+
@alert_time = @doc.xpath('//sd:time').first.text
|
|
43
|
+
@risk_rating = @doc.xpath('//cid:riskRatingValue').first.text
|
|
44
|
+
@threat_rating = @doc.xpath('//cid:threatRatingValue').first.text
|
|
45
|
+
@protocol = @doc.xpath('//cid:protocol').first.text
|
|
46
|
+
end
|
|
47
|
+
|
|
48
|
+
def build_sig
|
|
49
|
+
sig = @doc.xpath('//sd:signature').first
|
|
50
|
+
|
|
51
|
+
@sig_id = sig.attribute('id').value
|
|
52
|
+
@sig_version = sig.attribute('version').value
|
|
53
|
+
@subsig_id = sig.xpath('//cid:subsigId').first.text
|
|
54
|
+
|
|
55
|
+
begin
|
|
56
|
+
@sig_detail = sig.xpath('//cid:sigDetails').first.text
|
|
57
|
+
rescue
|
|
58
|
+
@sig_detail = sig.attribute('description').value
|
|
59
|
+
end
|
|
60
|
+
end
|
|
61
|
+
|
|
62
|
+
def build_participants
|
|
63
|
+
@targets = []
|
|
64
|
+
|
|
65
|
+
attacker = @doc.xpath('//sd:attacker').first
|
|
66
|
+
attacker_addr = attacker.xpath('//sd:addr').first
|
|
67
|
+
@attacker_locality = attacker_addr.attribute('locality').value
|
|
68
|
+
@attacker = attacker_addr.text
|
|
69
|
+
|
|
70
|
+
begin
|
|
71
|
+
@attacker_port = attacker.xpath('//sd:port').first.text
|
|
72
|
+
rescue
|
|
73
|
+
@attacker_port = '0'
|
|
74
|
+
end
|
|
75
|
+
|
|
76
|
+
target_list = @doc.xpath('//sd:target')
|
|
77
|
+
|
|
78
|
+
target_list.each do |target|
|
|
79
|
+
data = {}
|
|
80
|
+
|
|
81
|
+
target_addr = target.xpath('//sd:addr').first
|
|
82
|
+
|
|
83
|
+
data['ids.target'] = target_addr.text
|
|
84
|
+
data['ids.target_locality'] = target_addr.attribute('locality').value
|
|
85
|
+
|
|
86
|
+
begin
|
|
87
|
+
data['ids.target_port'] = target.xpath('//sd:port').first.text
|
|
88
|
+
rescue
|
|
89
|
+
data['ids.target_port'] = '0'
|
|
90
|
+
end
|
|
91
|
+
|
|
92
|
+
@targets << data
|
|
93
|
+
end
|
|
94
|
+
end
|
|
95
|
+
end
|
|
96
|
+
|
|
97
|
+
class SDEE
|
|
98
|
+
def initialize(options = {})
|
|
99
|
+
@host = options[:host]
|
|
100
|
+
@path = '/cgi-bin/sdee-server'
|
|
101
|
+
@proto = 'https://'
|
|
102
|
+
|
|
103
|
+
@creds = Base64.encode64("#{options[:user]}:#{options[:pass]}")
|
|
104
|
+
end
|
|
105
|
+
|
|
106
|
+
def login
|
|
107
|
+
params = {
|
|
108
|
+
action: 'open',
|
|
109
|
+
events: 'evIdsAlert',
|
|
110
|
+
force: 'yes'
|
|
111
|
+
}
|
|
112
|
+
|
|
113
|
+
response = request params
|
|
114
|
+
doc = Nokogiri::XML(response.body)
|
|
115
|
+
|
|
116
|
+
@session_id = doc.xpath('//env:Header').first.
|
|
117
|
+
xpath('//sd:oobInfo').first.
|
|
118
|
+
xpath('//sd:sessionId').first.text
|
|
119
|
+
|
|
120
|
+
@subscription_id = doc.xpath('//env:Body').first.
|
|
121
|
+
xpath('//sd:subscriptionId').first.text
|
|
122
|
+
|
|
123
|
+
response
|
|
124
|
+
end
|
|
125
|
+
|
|
126
|
+
def poll_events(sleep_time=1)
|
|
127
|
+
while true do
|
|
128
|
+
get_events
|
|
129
|
+
sleep sleep_time
|
|
130
|
+
end
|
|
131
|
+
end
|
|
132
|
+
|
|
133
|
+
def get_events
|
|
134
|
+
puts "Please login first" unless @subscription_id
|
|
135
|
+
|
|
136
|
+
params = {
|
|
137
|
+
action: 'get',
|
|
138
|
+
confirm: 'yes',
|
|
139
|
+
timeout: 1,
|
|
140
|
+
maxNbrofEvents: 20,
|
|
141
|
+
subscriptionId: @subscription_id,
|
|
142
|
+
sessionId: @session_id
|
|
143
|
+
}
|
|
144
|
+
|
|
145
|
+
res = request params
|
|
146
|
+
doc = Nokogiri::XML(res.body)
|
|
147
|
+
|
|
148
|
+
xml_alerts = doc.xpath("//sd:evIdsAlert")
|
|
149
|
+
|
|
150
|
+
xml_alerts.each do |xml_alert|
|
|
151
|
+
puts Alert.new(xml_alert).to_json
|
|
152
|
+
end
|
|
153
|
+
|
|
154
|
+
xml_alerts
|
|
155
|
+
end
|
|
156
|
+
|
|
157
|
+
def request(params)
|
|
158
|
+
http = Net::HTTP.new(@host, 443)
|
|
159
|
+
http.use_ssl = true
|
|
160
|
+
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
|
161
|
+
http.ssl_version = :SSLv3
|
|
162
|
+
|
|
163
|
+
uri = URI(@proto + @host + @path)
|
|
164
|
+
uri.query = URI.encode_www_form(params)
|
|
165
|
+
|
|
166
|
+
req = Net::HTTP::Get.new(uri)
|
|
167
|
+
req['Authorization'] = "BASIC #{@creds}"
|
|
168
|
+
|
|
169
|
+
response = http.request(req)
|
|
170
|
+
end
|
|
171
|
+
end
|
metadata
ADDED
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
--- !ruby/object:Gem::Specification
|
|
2
|
+
name: sdee
|
|
3
|
+
version: !ruby/object:Gem::Version
|
|
4
|
+
version: 0.0.1
|
|
5
|
+
platform: ruby
|
|
6
|
+
authors:
|
|
7
|
+
- Jamil Bou Kheir
|
|
8
|
+
autorequire:
|
|
9
|
+
bindir: bin
|
|
10
|
+
cert_chain: []
|
|
11
|
+
date: 2013-08-16 00:00:00.000000000 Z
|
|
12
|
+
dependencies: []
|
|
13
|
+
description: Secure Device Event Exchange (SDEE) is a simple HTTP-based protocol used
|
|
14
|
+
by security appliances to exchange events and alerts. Resutls are returned in XML.
|
|
15
|
+
This is a very bare-bones ruby implementation to get SDEE events from a Cisco IPS
|
|
16
|
+
in JSON format.
|
|
17
|
+
email: jamil@elbii.com
|
|
18
|
+
executables: []
|
|
19
|
+
extensions: []
|
|
20
|
+
extra_rdoc_files: []
|
|
21
|
+
files:
|
|
22
|
+
- lib/sdee.rb
|
|
23
|
+
- example.rb
|
|
24
|
+
homepage: https://github.com/elbii/ruby-sdee
|
|
25
|
+
licenses:
|
|
26
|
+
- GPL-2
|
|
27
|
+
metadata: {}
|
|
28
|
+
post_install_message:
|
|
29
|
+
rdoc_options: []
|
|
30
|
+
require_paths:
|
|
31
|
+
- lib
|
|
32
|
+
required_ruby_version: !ruby/object:Gem::Requirement
|
|
33
|
+
requirements:
|
|
34
|
+
- - '>='
|
|
35
|
+
- !ruby/object:Gem::Version
|
|
36
|
+
version: '0'
|
|
37
|
+
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
38
|
+
requirements:
|
|
39
|
+
- - '>='
|
|
40
|
+
- !ruby/object:Gem::Version
|
|
41
|
+
version: '0'
|
|
42
|
+
requirements: []
|
|
43
|
+
rubyforge_project:
|
|
44
|
+
rubygems_version: 2.0.3
|
|
45
|
+
signing_key:
|
|
46
|
+
specification_version: 4
|
|
47
|
+
summary: Simple Ruby SDEE Poller
|
|
48
|
+
test_files: []
|