sdee 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
  1. checksums.yaml +7 -0
  2. data/example.rb +10 -0
  3. data/lib/sdee.rb +171 -0
  4. metadata +48 -0
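--- a/checksums.yaml
+++ b/checksums.yaml
@@ -0,0 +1,7 @@
+---
+SHA1:
+metadata.gz: b341885807519adf529834f4e2ae227f51afb2c3
+data.tar.gz: a3fa6f0295f7540c8233f53da5b47d8dabdffb52
+SHA512:
+metadata.gz: 065f804f8cb7a11b25fa16f3836059b9c89d6d6d66507d23b3050c02c7261f88efc404f250e09deec6fafa6e06a9b32ed52f70bca500edf6776733e83f806d08
+data.tar.gz: 94c6a956d3492b661123497a259e7f00bea1a58b2d7db7ffbde8a00bc45ac91c92800ce10099f734d47caca1a1a624c6be5ac5045fbf4697f06a46f274036f3d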
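--- a/data/example.rb
+++ b/data/example.rb
@@ -0,0 +1,10 @@
+require './sdee'
+
+# create new SDEE connection
+sdee = SDEE.new(host: 'localhost', user: 'user', pass: 'pass')
+
+# login and set subscriptionId, sessionId
+sdee.login
+
+# print events every 1 second in JSON format
+sdee.poll_events 1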
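Review bot: `require './sdee'` resolves against the process's current working directory, and the gem's `files` list in the metadata section places the library at `lib/sdee.rb` beside `example.rb`, so this example only loads when run from inside `lib/`. `require_relative 'lib/sdee'` (or `require 'sdee'` once the gem is installed) is what a user copying this script would need. A comment on the last line noting that `poll_events` never returns would also save readers a surprise, e.g. `# poll_events loops forever; interrupt to stop`.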
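--- a/data/lib/sdee.rb
+++ b/data/lib/sdee.rb
@@ -0,0 +1,171 @@
+require 'base64'
+require 'net/https'
+require 'uri'
+require 'nokogiri'
+require 'json'
+
+class Alert
+attr_accessor :event_id, :severity, :originator, :alert_time, :risk_rating,
+:protocol, :sig_id, :subsig_id, :sig_version, :sig_detail, :attacker,
+:targets, :attacker_locality, :target_locality, :attacker_port,
+:target_port, :threat_rating
+
+def initialize(xml_doc)
+@doc = xml_doc
+
+build_alert
+build_sig
+build_participants
+end
+
+def to_hash
+vars = {}
+
+instance_variables.reject {|var| var == :@doc }.each do |var|
+vars["ids.#{var.to_s[1..-1]}"] = instance_variable_get(var)
+end
+
+vars
+end
+
+def to_json
+to_hash.to_json
+end
+
+private
+
+def build_alert
+@event_id = @doc.xpath('//sd:evIdsAlert').first.attribute('eventId').value
+@severity = @doc.xpath('//sd:evIdsAlert').first.attribute('severity').value
+@originator = @doc.xpath('//sd:originator').first.
+xpath('sd:hostId').first.text
+@alert_time = @doc.xpath('//sd:time').first.text
+@risk_rating = @doc.xpath('//cid:riskRatingValue').first.text
+@threat_rating = @doc.xpath('//cid:threatRatingValue').first.text
+@protocol = @doc.xpath('//cid:protocol').first.text
+end
+
+def build_sig
+sig = @doc.xpath('//sd:signature').first
+
+@sig_id = sig.attribute('id').value
+@sig_version = sig.attribute('version').value
+@subsig_id = sig.xpath('//cid:subsigId').first.text
+
+begin
+@sig_detail = sig.xpath('//cid:sigDetails').first.text
+rescue
+@sig_detail = sig.attribute('description').value
+end
+end
+
+def build_participants
+@targets = []
+
+attacker = @doc.xpath('//sd:attacker').first
+attacker_addr = attacker.xpath('//sd:addr').first
+@attacker_locality = attacker_addr.attribute('locality').value
+@attacker = attacker_addr.text
+
+begin
+@attacker_port = attacker.xpath('//sd:port').first.text
+rescue
+@attacker_port = '0'
+end
+
+target_list = @doc.xpath('//sd:target')
+
+target_list.each do |target|
+data = {}
+
+target_addr = target.xpath('//sd:addr').first
+
+data['ids.target'] = target_addr.text
+data['ids.target_locality'] = target_addr.attribute('locality').value
+
+begin
+data['ids.target_port'] = target.xpath('//sd:port').first.text
+rescue
+data['ids.target_port'] = '0'
+end
+
+@targets << data
+end
+end
+end
+
+class SDEE
+def initialize(options = {})
+@host = options[:host]
+@path = '/cgi-bin/sdee-server'
+@proto = 'https://'
+
+@creds = Base64.encode64("#{options[:user]}:#{options[:pass]}")
+end
+
+def login
+params = {
+action: 'open',
+events: 'evIdsAlert',
+force: 'yes'
+}
+
+response = request params
+doc = Nokogiri::XML(response.body)
+
+@session_id = doc.xpath('//env:Header').first.
+xpath('//sd:oobInfo').first.
+xpath('//sd:sessionId').first.text
+
+@subscription_id = doc.xpath('//env:Body').first.
+xpath('//sd:subscriptionId').first.text
+
+response
+end
+
+def poll_events(sleep_time=1)
+while true do
+get_events
+sleep sleep_time
+end
+end
+
+def get_events
+puts "Please login first" unless @subscription_id
+
+params = {
+action: 'get',
+confirm: 'yes',
+timeout: 1,
+maxNbrofEvents: 20,
+subscriptionId: @subscription_id,
+sessionId: @session_id
+}
+
+res = request params
+doc = Nokogiri::XML(res.body)
+
+xml_alerts = doc.xpath("//sd:evIdsAlert")
+
+xml_alerts.each do |xml_alert|
+puts Alert.new(xml_alert).to_json
+end
+
+xml_alerts
+end
+
+def request(params)
+http = Net::HTTP.new(@host, 443)
+http.use_ssl = true
+http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+http.ssl_version = :SSLv3
+
+uri = URI(@proto + @host + @path)
+uri.query = URI.encode_www_form(params)
+
+req = Net::HTTP::Get.new(uri)
+req['Authorization'] = "BASIC #{@creds}"
+
+response = http.request(req)
+end
+end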
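Review bot: `request` disables certificate verification (`http.verify_mode = OpenSSL::SSL::VERIFY_NONE`) and pins `http.ssl_version = :SSLv3`, so the Basic credentials in the `Authorization` header go to whatever answers on port 443 with no identity check, over a protocol version that is no longer considered secure; replace those two lines with `http.verify_mode = OpenSSL::SSL::VERIFY_PEER` and drop the version pin, exposing an explicit option for appliances with self-signed certificates rather than defaulting verification off. Separately, every XPath in `Alert` starts with `//`, which searches from the document root rather than the context node, so `Alert.new(xml_alert)` in `get_events` builds the same first alert for each of the up-to-20 nodes returned, and `target.xpath('//sd:addr')` in `build_participants` yields the document's first address rather than the target's; relative paths such as `.//sd:addr` are needed throughout. `Base64.encode64` in `SDEE#initialize` also appends a newline (and wraps at 60 characters), which is not a valid header value — `Base64.strict_encode64` is the right call. Finally, `get_events` prints "Please login first" but still sends a request with a nil `subscriptionId`; it should `return` after the message.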
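--- a/metadata
+++ b/metadata
@@ -0,0 +1,48 @@
+--- !ruby/object:Gem::Specification
+name: sdee
+version: !ruby/object:Gem::Version
+version: 0.0.1
+platform: ruby
+authors:
+- Jamil Bou Kheir
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2013-08-16 00:00:00.000000000 Z
+dependencies: []
+description: Secure Device Event Exchange (SDEE) is a simple HTTP-based protocol used
+by security appliances to exchange events and alerts. Resutls are returned in XML.
+This is a very bare-bones ruby implementation to get SDEE events from a Cisco IPS
+in JSON format.
+email: jamil@elbii.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/sdee.rb
+- example.rb
+homepage: https://github.com/elbii/ruby-sdee
+licenses:
+- GPL-2
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+requirements: []
+rubyforge_project:
+rubygems_version: 2.0.3
+signing_key:
+specification_version: 4
+summary: Simple Ruby SDEE Poller
+test_files: []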