sdee 0.0.1

Files changed (4) hide show
  1. checksums.yaml +7 -0
  2. data/example.rb +10 -0
  3. data/lib/sdee.rb +171 -0
  4. metadata +48 -0
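--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: b341885807519adf529834f4e2ae227f51afb2c3
+data.tar.gz: a3fa6f0295f7540c8233f53da5b47d8dabdffb52
+SHA512:
+metadata.gz: 065f804f8cb7a11b25fa16f3836059b9c89d6d6d66507d23b3050c02c7261f88efc404f250e09deec6fafa6e06a9b32ed52f70bca500edf6776733e83f806d08
+data.tar.gz: 94c6a956d3492b661123497a259e7f00bea1a58b2d7db7ffbde8a00bc45ac91c92800ce10099f734d47caca1a1a624c6be5ac5045fbf4697f06a46f274036f3d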
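--- a/data/example.rb
+++ b/data/example.rb
@@ -0,0 +1,10 @@
+require './sdee'
+
+# create new SDEE connection
+sdee = SDEE.new(host: 'localhost', user: 'user', pass: 'pass')
+
+# login and set subscriptionId, sessionId
+sdee.login
+
+# print events every 1 second in JSON format
+sdee.poll_events 1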
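Review bot: `require './sdee'` on the first line resolves against the process's working directory, and this page's file list ships the library as `lib/sdee.rb` next to a top-level `example.rb`, so running the example from the gem root raises LoadError; `require_relative 'lib/sdee'` (or plain `require 'sdee'` once the gem is installed, since `require_paths` is `lib`) would work from anywhere. The literal `user: 'user', pass: 'pass'` are obviously placeholders, but example scripts are what operators copy and then commit with real appliance credentials filled in, so reading them as `user: ENV.fetch('SDEE_USER'), pass: ENV.fetch('SDEE_PASS')` would be a safer template. Note that `poll_events` as written in lib/sdee.rb never returns, so the example runs until interrupted; a comment saying so would help.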
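--- a/data/lib/sdee.rb
+++ b/data/lib/sdee.rb
@@ -0,0 +1,171 @@
+require 'base64'
+require 'net/https'
+require 'uri'
+require 'nokogiri'
+require 'json'
+
+class Alert
+attr_accessor :event_id, :severity, :originator, :alert_time, :risk_rating,
+:protocol, :sig_id, :subsig_id, :sig_version, :sig_detail, :attacker,
+:targets, :attacker_locality, :target_locality, :attacker_port,
+:target_port, :threat_rating
+
+def initialize(xml_doc)
+@doc = xml_doc
+
+build_alert
+build_sig
+build_participants
+end
+
+def to_hash
+vars = {}
+
+instance_variables.reject {|var| var == :@doc }.each do |var|
+vars["ids.#{var.to_s[1..-1]}"] = instance_variable_get(var)
+end
+
+vars
+end
+
+def to_json
+to_hash.to_json
+end
+
+private
+
+def build_alert
+@event_id = @doc.xpath('//sd:evIdsAlert').first.attribute('eventId').value
+@severity = @doc.xpath('//sd:evIdsAlert').first.attribute('severity').value
+@originator = @doc.xpath('//sd:originator').first.
+xpath('sd:hostId').first.text
+@alert_time = @doc.xpath('//sd:time').first.text
+@risk_rating = @doc.xpath('//cid:riskRatingValue').first.text
+@threat_rating = @doc.xpath('//cid:threatRatingValue').first.text
+@protocol = @doc.xpath('//cid:protocol').first.text
+end
+
+def build_sig
+sig = @doc.xpath('//sd:signature').first
+
+@sig_id = sig.attribute('id').value
+@sig_version = sig.attribute('version').value
+@subsig_id = sig.xpath('//cid:subsigId').first.text
+
+begin
+@sig_detail = sig.xpath('//cid:sigDetails').first.text
+rescue
+@sig_detail = sig.attribute('description').value
+end
+end
+
+def build_participants
+@targets = []
+
+attacker = @doc.xpath('//sd:attacker').first
+attacker_addr = attacker.xpath('//sd:addr').first
+@attacker_locality = attacker_addr.attribute('locality').value
+@attacker = attacker_addr.text
+
+begin
+@attacker_port = attacker.xpath('//sd:port').first.text
+rescue
+@attacker_port = '0'
+end
+
+target_list = @doc.xpath('//sd:target')
+
+target_list.each do |target|
+data = {}
+
+target_addr = target.xpath('//sd:addr').first
+
+data['ids.target'] = target_addr.text
+data['ids.target_locality'] = target_addr.attribute('locality').value
+
+begin
+data['ids.target_port'] = target.xpath('//sd:port').first.text
+rescue
+data['ids.target_port'] = '0'
+end
+
+@targets << data
+end
+end
+end
+
+class SDEE
+def initialize(options = {})
+@host = options[:host]
+@path = '/cgi-bin/sdee-server'
+@proto = 'https://'
+
+@creds = Base64.encode64("#{options[:user]}:#{options[:pass]}")
+end
+
+def login
+params = {
+action: 'open',
+events: 'evIdsAlert',
+force: 'yes'
+}
+
+response = request params
+doc = Nokogiri::XML(response.body)
+
+@session_id = doc.xpath('//env:Header').first.
+xpath('//sd:oobInfo').first.
+xpath('//sd:sessionId').first.text
+
+@subscription_id = doc.xpath('//env:Body').first.
+xpath('//sd:subscriptionId').first.text
+
+response
+end
+
+def poll_events(sleep_time=1)
+while true do
+get_events
+sleep sleep_time
+end
+end
+
+def get_events
+puts "Please login first" unless @subscription_id
+
+params = {
+action: 'get',
+confirm: 'yes',
+timeout: 1,
+maxNbrofEvents: 20,
+subscriptionId: @subscription_id,
+sessionId: @session_id
+}
+
+res = request params
+doc = Nokogiri::XML(res.body)
+
+xml_alerts = doc.xpath("//sd:evIdsAlert")
+
+xml_alerts.each do |xml_alert|
+puts Alert.new(xml_alert).to_json
+end
+
+xml_alerts
+end
+
+def request(params)
+http = Net::HTTP.new(@host, 443)
+http.use_ssl = true
+http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+http.ssl_version = :SSLv3
+
+uri = URI(@proto + @host + @path)
+uri.query = URI.encode_www_form(params)
+
+req = Net::HTTP::Get.new(uri)
+req['Authorization'] = "BASIC #{@creds}"
+
+response = http.request(req)
+end
+end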
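Review bot: `request` sets `http.verify_mode = OpenSSL::SSL::VERIFY_NONE` and pins `http.ssl_version = :SSLv3`, so the Basic credentials attached a few lines later are handed to whoever answers on port 443 for `@host` with no certificate check, over a protocol version that current OpenSSL builds generally no longer negotiate. Change those two lines to `http.verify_mode = OpenSSL::SSL::VERIFY_PEER` (with a `ca_file:`/`cert_store` option for appliances that use a self-signed certificate, and an explicit opt-out rather than the default) and remove the `ssl_version` line so the client negotiates TLS. In `initialize`, `Base64.encode64` always appends a trailing newline and breaks lines every 60 characters, so `@creds` contains `\n` and the `Authorization` header is malformed (newer Net::HTTP rejects header values containing CR/LF outright); `Base64.strict_encode64` is the right call. Separately, the `//`-rooted XPaths in `Alert` (`//sd:evIdsAlert`, `//sd:addr`, `//sd:port`, `//cid:subsigId`) search the whole document rather than the node the Alert was built from, so when a response carries several alerts or a target list, every Alert appears to report the first alert's and first address's values; anchoring them with `.//` fixes the scoping. Finally, `lib/sdee.rb` requires `nokogiri` but the gem metadata on this page declares `dependencies: []`, so a clean install will fail at `require` time unless the gemspec adds it as a runtime dependency.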
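--- a/metadata
+++ b/metadata
@@ -0,0 +1,48 @@
+--- !ruby/object:Gem::Specification
+name: sdee
+version: !ruby/object:Gem::Version
+version: 0.0.1
+platform: ruby
+authors:
+- Jamil Bou Kheir
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2013-08-16 00:00:00.000000000 Z
+dependencies: []
+description: Secure Device Event Exchange (SDEE) is a simple HTTP-based protocol used
+by security appliances to exchange events and alerts. Resutls are returned in XML.
+This is a very bare-bones ruby implementation to get SDEE events from a Cisco IPS
+in JSON format.
+email: jamil@elbii.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/sdee.rb
+- example.rb
+homepage: https://github.com/elbii/ruby-sdee
+licenses:
+- GPL-2
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.0.3
+signing_key:
+specification_version: 4
+summary: Simple Ruby SDEE Poller
+test_files: []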