sdee 0.0.5 → 0.0.6
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.gitignore +18 -0
- data/Gemfile +3 -0
- data/Gemfile.lock +28 -0
- data/LICENSE +339 -0
- data/README.md +6 -0
- data/Rakefile +5 -0
- data/{example.rb → examples/simple.rb} +3 -3
- data/lib/sdee.rb +4 -167
- data/lib/sdee/alert.rb +93 -0
- data/lib/sdee/poller.rb +82 -0
- data/sdee.gemspec +14 -0
- data/spec/alert_spec.rb +157 -0
- data/spec/data/sample.xml +87 -0
- data/spec/poller_spec.rb +7 -0
- metadata +45 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: d7400ca72437d03e9249f3b91a190fecb02b8a72
|
4
|
+
data.tar.gz: fc34ce94cbd1a08adeb77a30e4941f0bd5e43a35
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b83055d523805ae87fb1e28791cb292f4891325550e1d202cee1c8b592ca3c8078af65b41465c6629f0cd084f2b67cc68f53e454275e887c33b1b9b711085825
|
7
|
+
data.tar.gz: 6a21642660cbfbfc27d3ed575d6515fc6d1f5300dd7a436205531340411a7f23ecc8b3685bf5699a6eff1c905b1f9e4e7a648477046f7eceee46764eee28c228
|
data/.gitignore
ADDED
data/Gemfile
ADDED
data/Gemfile.lock
ADDED
@@ -0,0 +1,28 @@
|
|
1
|
+
PATH
|
2
|
+
remote: .
|
3
|
+
specs:
|
4
|
+
sdee (0.0.5)
|
5
|
+
json
|
6
|
+
nokogiri (~> 1.5.0, >= 1.5.0)
|
7
|
+
|
8
|
+
GEM
|
9
|
+
remote: https://rubygems.org/
|
10
|
+
specs:
|
11
|
+
diff-lcs (1.2.5)
|
12
|
+
json (1.8.1)
|
13
|
+
nokogiri (1.5.10)
|
14
|
+
rspec (2.14.1)
|
15
|
+
rspec-core (~> 2.14.0)
|
16
|
+
rspec-expectations (~> 2.14.0)
|
17
|
+
rspec-mocks (~> 2.14.0)
|
18
|
+
rspec-core (2.14.7)
|
19
|
+
rspec-expectations (2.14.4)
|
20
|
+
diff-lcs (>= 1.1.3, < 2.0)
|
21
|
+
rspec-mocks (2.14.4)
|
22
|
+
|
23
|
+
PLATFORMS
|
24
|
+
ruby
|
25
|
+
|
26
|
+
DEPENDENCIES
|
27
|
+
rspec
|
28
|
+
sdee!
|
data/LICENSE
ADDED
@@ -0,0 +1,339 @@
|
|
1
|
+
GNU GENERAL PUBLIC LICENSE
|
2
|
+
Version 2, June 1991
|
3
|
+
|
4
|
+
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
5
|
+
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
6
|
+
Everyone is permitted to copy and distribute verbatim copies
|
7
|
+
of this license document, but changing it is not allowed.
|
8
|
+
|
9
|
+
Preamble
|
10
|
+
|
11
|
+
The licenses for most software are designed to take away your
|
12
|
+
freedom to share and change it. By contrast, the GNU General Public
|
13
|
+
License is intended to guarantee your freedom to share and change free
|
14
|
+
software--to make sure the software is free for all its users. This
|
15
|
+
General Public License applies to most of the Free Software
|
16
|
+
Foundation's software and to any other program whose authors commit to
|
17
|
+
using it. (Some other Free Software Foundation software is covered by
|
18
|
+
the GNU Lesser General Public License instead.) You can apply it to
|
19
|
+
your programs, too.
|
20
|
+
|
21
|
+
When we speak of free software, we are referring to freedom, not
|
22
|
+
price. Our General Public Licenses are designed to make sure that you
|
23
|
+
have the freedom to distribute copies of free software (and charge for
|
24
|
+
this service if you wish), that you receive source code or can get it
|
25
|
+
if you want it, that you can change the software or use pieces of it
|
26
|
+
in new free programs; and that you know you can do these things.
|
27
|
+
|
28
|
+
To protect your rights, we need to make restrictions that forbid
|
29
|
+
anyone to deny you these rights or to ask you to surrender the rights.
|
30
|
+
These restrictions translate to certain responsibilities for you if you
|
31
|
+
distribute copies of the software, or if you modify it.
|
32
|
+
|
33
|
+
For example, if you distribute copies of such a program, whether
|
34
|
+
gratis or for a fee, you must give the recipients all the rights that
|
35
|
+
you have. You must make sure that they, too, receive or can get the
|
36
|
+
source code. And you must show them these terms so they know their
|
37
|
+
rights.
|
38
|
+
|
39
|
+
We protect your rights with two steps: (1) copyright the software, and
|
40
|
+
(2) offer you this license which gives you legal permission to copy,
|
41
|
+
distribute and/or modify the software.
|
42
|
+
|
43
|
+
Also, for each author's protection and ours, we want to make certain
|
44
|
+
that everyone understands that there is no warranty for this free
|
45
|
+
software. If the software is modified by someone else and passed on, we
|
46
|
+
want its recipients to know that what they have is not the original, so
|
47
|
+
that any problems introduced by others will not reflect on the original
|
48
|
+
authors' reputations.
|
49
|
+
|
50
|
+
Finally, any free program is threatened constantly by software
|
51
|
+
patents. We wish to avoid the danger that redistributors of a free
|
52
|
+
program will individually obtain patent licenses, in effect making the
|
53
|
+
program proprietary. To prevent this, we have made it clear that any
|
54
|
+
patent must be licensed for everyone's free use or not licensed at all.
|
55
|
+
|
56
|
+
The precise terms and conditions for copying, distribution and
|
57
|
+
modification follow.
|
58
|
+
|
59
|
+
GNU GENERAL PUBLIC LICENSE
|
60
|
+
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
61
|
+
|
62
|
+
0. This License applies to any program or other work which contains
|
63
|
+
a notice placed by the copyright holder saying it may be distributed
|
64
|
+
under the terms of this General Public License. The "Program", below,
|
65
|
+
refers to any such program or work, and a "work based on the Program"
|
66
|
+
means either the Program or any derivative work under copyright law:
|
67
|
+
that is to say, a work containing the Program or a portion of it,
|
68
|
+
either verbatim or with modifications and/or translated into another
|
69
|
+
language. (Hereinafter, translation is included without limitation in
|
70
|
+
the term "modification".) Each licensee is addressed as "you".
|
71
|
+
|
72
|
+
Activities other than copying, distribution and modification are not
|
73
|
+
covered by this License; they are outside its scope. The act of
|
74
|
+
running the Program is not restricted, and the output from the Program
|
75
|
+
is covered only if its contents constitute a work based on the
|
76
|
+
Program (independent of having been made by running the Program).
|
77
|
+
Whether that is true depends on what the Program does.
|
78
|
+
|
79
|
+
1. You may copy and distribute verbatim copies of the Program's
|
80
|
+
source code as you receive it, in any medium, provided that you
|
81
|
+
conspicuously and appropriately publish on each copy an appropriate
|
82
|
+
copyright notice and disclaimer of warranty; keep intact all the
|
83
|
+
notices that refer to this License and to the absence of any warranty;
|
84
|
+
and give any other recipients of the Program a copy of this License
|
85
|
+
along with the Program.
|
86
|
+
|
87
|
+
You may charge a fee for the physical act of transferring a copy, and
|
88
|
+
you may at your option offer warranty protection in exchange for a fee.
|
89
|
+
|
90
|
+
2. You may modify your copy or copies of the Program or any portion
|
91
|
+
of it, thus forming a work based on the Program, and copy and
|
92
|
+
distribute such modifications or work under the terms of Section 1
|
93
|
+
above, provided that you also meet all of these conditions:
|
94
|
+
|
95
|
+
a) You must cause the modified files to carry prominent notices
|
96
|
+
stating that you changed the files and the date of any change.
|
97
|
+
|
98
|
+
b) You must cause any work that you distribute or publish, that in
|
99
|
+
whole or in part contains or is derived from the Program or any
|
100
|
+
part thereof, to be licensed as a whole at no charge to all third
|
101
|
+
parties under the terms of this License.
|
102
|
+
|
103
|
+
c) If the modified program normally reads commands interactively
|
104
|
+
when run, you must cause it, when started running for such
|
105
|
+
interactive use in the most ordinary way, to print or display an
|
106
|
+
announcement including an appropriate copyright notice and a
|
107
|
+
notice that there is no warranty (or else, saying that you provide
|
108
|
+
a warranty) and that users may redistribute the program under
|
109
|
+
these conditions, and telling the user how to view a copy of this
|
110
|
+
License. (Exception: if the Program itself is interactive but
|
111
|
+
does not normally print such an announcement, your work based on
|
112
|
+
the Program is not required to print an announcement.)
|
113
|
+
|
114
|
+
These requirements apply to the modified work as a whole. If
|
115
|
+
identifiable sections of that work are not derived from the Program,
|
116
|
+
and can be reasonably considered independent and separate works in
|
117
|
+
themselves, then this License, and its terms, do not apply to those
|
118
|
+
sections when you distribute them as separate works. But when you
|
119
|
+
distribute the same sections as part of a whole which is a work based
|
120
|
+
on the Program, the distribution of the whole must be on the terms of
|
121
|
+
this License, whose permissions for other licensees extend to the
|
122
|
+
entire whole, and thus to each and every part regardless of who wrote it.
|
123
|
+
|
124
|
+
Thus, it is not the intent of this section to claim rights or contest
|
125
|
+
your rights to work written entirely by you; rather, the intent is to
|
126
|
+
exercise the right to control the distribution of derivative or
|
127
|
+
collective works based on the Program.
|
128
|
+
|
129
|
+
In addition, mere aggregation of another work not based on the Program
|
130
|
+
with the Program (or with a work based on the Program) on a volume of
|
131
|
+
a storage or distribution medium does not bring the other work under
|
132
|
+
the scope of this License.
|
133
|
+
|
134
|
+
3. You may copy and distribute the Program (or a work based on it,
|
135
|
+
under Section 2) in object code or executable form under the terms of
|
136
|
+
Sections 1 and 2 above provided that you also do one of the following:
|
137
|
+
|
138
|
+
a) Accompany it with the complete corresponding machine-readable
|
139
|
+
source code, which must be distributed under the terms of Sections
|
140
|
+
1 and 2 above on a medium customarily used for software interchange; or,
|
141
|
+
|
142
|
+
b) Accompany it with a written offer, valid for at least three
|
143
|
+
years, to give any third party, for a charge no more than your
|
144
|
+
cost of physically performing source distribution, a complete
|
145
|
+
machine-readable copy of the corresponding source code, to be
|
146
|
+
distributed under the terms of Sections 1 and 2 above on a medium
|
147
|
+
customarily used for software interchange; or,
|
148
|
+
|
149
|
+
c) Accompany it with the information you received as to the offer
|
150
|
+
to distribute corresponding source code. (This alternative is
|
151
|
+
allowed only for noncommercial distribution and only if you
|
152
|
+
received the program in object code or executable form with such
|
153
|
+
an offer, in accord with Subsection b above.)
|
154
|
+
|
155
|
+
The source code for a work means the preferred form of the work for
|
156
|
+
making modifications to it. For an executable work, complete source
|
157
|
+
code means all the source code for all modules it contains, plus any
|
158
|
+
associated interface definition files, plus the scripts used to
|
159
|
+
control compilation and installation of the executable. However, as a
|
160
|
+
special exception, the source code distributed need not include
|
161
|
+
anything that is normally distributed (in either source or binary
|
162
|
+
form) with the major components (compiler, kernel, and so on) of the
|
163
|
+
operating system on which the executable runs, unless that component
|
164
|
+
itself accompanies the executable.
|
165
|
+
|
166
|
+
If distribution of executable or object code is made by offering
|
167
|
+
access to copy from a designated place, then offering equivalent
|
168
|
+
access to copy the source code from the same place counts as
|
169
|
+
distribution of the source code, even though third parties are not
|
170
|
+
compelled to copy the source along with the object code.
|
171
|
+
|
172
|
+
4. You may not copy, modify, sublicense, or distribute the Program
|
173
|
+
except as expressly provided under this License. Any attempt
|
174
|
+
otherwise to copy, modify, sublicense or distribute the Program is
|
175
|
+
void, and will automatically terminate your rights under this License.
|
176
|
+
However, parties who have received copies, or rights, from you under
|
177
|
+
this License will not have their licenses terminated so long as such
|
178
|
+
parties remain in full compliance.
|
179
|
+
|
180
|
+
5. You are not required to accept this License, since you have not
|
181
|
+
signed it. However, nothing else grants you permission to modify or
|
182
|
+
distribute the Program or its derivative works. These actions are
|
183
|
+
prohibited by law if you do not accept this License. Therefore, by
|
184
|
+
modifying or distributing the Program (or any work based on the
|
185
|
+
Program), you indicate your acceptance of this License to do so, and
|
186
|
+
all its terms and conditions for copying, distributing or modifying
|
187
|
+
the Program or works based on it.
|
188
|
+
|
189
|
+
6. Each time you redistribute the Program (or any work based on the
|
190
|
+
Program), the recipient automatically receives a license from the
|
191
|
+
original licensor to copy, distribute or modify the Program subject to
|
192
|
+
these terms and conditions. You may not impose any further
|
193
|
+
restrictions on the recipients' exercise of the rights granted herein.
|
194
|
+
You are not responsible for enforcing compliance by third parties to
|
195
|
+
this License.
|
196
|
+
|
197
|
+
7. If, as a consequence of a court judgment or allegation of patent
|
198
|
+
infringement or for any other reason (not limited to patent issues),
|
199
|
+
conditions are imposed on you (whether by court order, agreement or
|
200
|
+
otherwise) that contradict the conditions of this License, they do not
|
201
|
+
excuse you from the conditions of this License. If you cannot
|
202
|
+
distribute so as to satisfy simultaneously your obligations under this
|
203
|
+
License and any other pertinent obligations, then as a consequence you
|
204
|
+
may not distribute the Program at all. For example, if a patent
|
205
|
+
license would not permit royalty-free redistribution of the Program by
|
206
|
+
all those who receive copies directly or indirectly through you, then
|
207
|
+
the only way you could satisfy both it and this License would be to
|
208
|
+
refrain entirely from distribution of the Program.
|
209
|
+
|
210
|
+
If any portion of this section is held invalid or unenforceable under
|
211
|
+
any particular circumstance, the balance of the section is intended to
|
212
|
+
apply and the section as a whole is intended to apply in other
|
213
|
+
circumstances.
|
214
|
+
|
215
|
+
It is not the purpose of this section to induce you to infringe any
|
216
|
+
patents or other property right claims or to contest validity of any
|
217
|
+
such claims; this section has the sole purpose of protecting the
|
218
|
+
integrity of the free software distribution system, which is
|
219
|
+
implemented by public license practices. Many people have made
|
220
|
+
generous contributions to the wide range of software distributed
|
221
|
+
through that system in reliance on consistent application of that
|
222
|
+
system; it is up to the author/donor to decide if he or she is willing
|
223
|
+
to distribute software through any other system and a licensee cannot
|
224
|
+
impose that choice.
|
225
|
+
|
226
|
+
This section is intended to make thoroughly clear what is believed to
|
227
|
+
be a consequence of the rest of this License.
|
228
|
+
|
229
|
+
8. If the distribution and/or use of the Program is restricted in
|
230
|
+
certain countries either by patents or by copyrighted interfaces, the
|
231
|
+
original copyright holder who places the Program under this License
|
232
|
+
may add an explicit geographical distribution limitation excluding
|
233
|
+
those countries, so that distribution is permitted only in or among
|
234
|
+
countries not thus excluded. In such case, this License incorporates
|
235
|
+
the limitation as if written in the body of this License.
|
236
|
+
|
237
|
+
9. The Free Software Foundation may publish revised and/or new versions
|
238
|
+
of the General Public License from time to time. Such new versions will
|
239
|
+
be similar in spirit to the present version, but may differ in detail to
|
240
|
+
address new problems or concerns.
|
241
|
+
|
242
|
+
Each version is given a distinguishing version number. If the Program
|
243
|
+
specifies a version number of this License which applies to it and "any
|
244
|
+
later version", you have the option of following the terms and conditions
|
245
|
+
either of that version or of any later version published by the Free
|
246
|
+
Software Foundation. If the Program does not specify a version number of
|
247
|
+
this License, you may choose any version ever published by the Free Software
|
248
|
+
Foundation.
|
249
|
+
|
250
|
+
10. If you wish to incorporate parts of the Program into other free
|
251
|
+
programs whose distribution conditions are different, write to the author
|
252
|
+
to ask for permission. For software which is copyrighted by the Free
|
253
|
+
Software Foundation, write to the Free Software Foundation; we sometimes
|
254
|
+
make exceptions for this. Our decision will be guided by the two goals
|
255
|
+
of preserving the free status of all derivatives of our free software and
|
256
|
+
of promoting the sharing and reuse of software generally.
|
257
|
+
|
258
|
+
NO WARRANTY
|
259
|
+
|
260
|
+
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
261
|
+
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
262
|
+
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
263
|
+
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
264
|
+
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
265
|
+
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
266
|
+
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
267
|
+
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
268
|
+
REPAIR OR CORRECTION.
|
269
|
+
|
270
|
+
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
271
|
+
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
272
|
+
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
273
|
+
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
274
|
+
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
275
|
+
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
276
|
+
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
277
|
+
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
278
|
+
POSSIBILITY OF SUCH DAMAGES.
|
279
|
+
|
280
|
+
END OF TERMS AND CONDITIONS
|
281
|
+
|
282
|
+
How to Apply These Terms to Your New Programs
|
283
|
+
|
284
|
+
If you develop a new program, and you want it to be of the greatest
|
285
|
+
possible use to the public, the best way to achieve this is to make it
|
286
|
+
free software which everyone can redistribute and change under these terms.
|
287
|
+
|
288
|
+
To do so, attach the following notices to the program. It is safest
|
289
|
+
to attach them to the start of each source file to most effectively
|
290
|
+
convey the exclusion of warranty; and each file should have at least
|
291
|
+
the "copyright" line and a pointer to where the full notice is found.
|
292
|
+
|
293
|
+
Simple ruby SDEE poller
|
294
|
+
Copyright (C) 2013 Elbii
|
295
|
+
|
296
|
+
This program is free software; you can redistribute it and/or modify
|
297
|
+
it under the terms of the GNU General Public License as published by
|
298
|
+
the Free Software Foundation; either version 2 of the License, or
|
299
|
+
(at your option) any later version.
|
300
|
+
|
301
|
+
This program is distributed in the hope that it will be useful,
|
302
|
+
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
303
|
+
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
304
|
+
GNU General Public License for more details.
|
305
|
+
|
306
|
+
You should have received a copy of the GNU General Public License along
|
307
|
+
with this program; if not, write to the Free Software Foundation, Inc.,
|
308
|
+
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
309
|
+
|
310
|
+
Also add information on how to contact you by electronic and paper mail.
|
311
|
+
|
312
|
+
If the program is interactive, make it output a short notice like this
|
313
|
+
when it starts in an interactive mode:
|
314
|
+
|
315
|
+
Gnomovision version 69, Copyright (C) year name of author
|
316
|
+
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
317
|
+
This is free software, and you are welcome to redistribute it
|
318
|
+
under certain conditions; type `show c' for details.
|
319
|
+
|
320
|
+
The hypothetical commands `show w' and `show c' should show the appropriate
|
321
|
+
parts of the General Public License. Of course, the commands you use may
|
322
|
+
be called something other than `show w' and `show c'; they could even be
|
323
|
+
mouse-clicks or menu items--whatever suits your program.
|
324
|
+
|
325
|
+
You should also get your employer (if you work as a programmer) or your
|
326
|
+
school, if any, to sign a "copyright disclaimer" for the program, if
|
327
|
+
necessary. Here is a sample; alter the names:
|
328
|
+
|
329
|
+
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
330
|
+
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
331
|
+
|
332
|
+
{signature of Ty Coon}, 1 April 1989
|
333
|
+
Ty Coon, President of Vice
|
334
|
+
|
335
|
+
This General Public License does not permit incorporating your program into
|
336
|
+
proprietary programs. If your program is a subroutine library, you may
|
337
|
+
consider it more useful to permit linking proprietary applications with the
|
338
|
+
library. If this is what you want to do, use the GNU Lesser General
|
339
|
+
Public License instead of this License.
|
data/README.md
ADDED
data/Rakefile
ADDED
@@ -1,10 +1,10 @@
|
|
1
1
|
require 'sdee'
|
2
2
|
|
3
3
|
# create new SDEE connection
|
4
|
-
|
4
|
+
poller = SDEE::Poller.new(host: '10.122.196.67', user: 'cisco', pass: 'MTD@c1sc0')
|
5
5
|
|
6
6
|
# login and set subscriptionId, sessionId
|
7
|
-
|
7
|
+
poller.login
|
8
8
|
|
9
9
|
# print events every 1 second in JSON format
|
10
|
-
|
10
|
+
poller.poll_events 1
|
data/lib/sdee.rb
CHANGED
@@ -1,170 +1,7 @@
|
|
1
|
-
require '
|
2
|
-
require '
|
3
|
-
require 'uri'
|
4
|
-
require 'nokogiri'
|
5
|
-
require 'json'
|
1
|
+
require 'sdee/poller'
|
2
|
+
require 'sdee/alert'
|
6
3
|
|
7
|
-
|
8
|
-
|
9
|
-
:protocol, :sig_id, :subsig_id, :sig_version, :sig_detail, :attacker,
|
10
|
-
:targets, :attacker_locality, :target_locality, :attacker_port,
|
11
|
-
:target_port, :threat_rating
|
12
|
-
|
13
|
-
def initialize(xml_doc)
|
14
|
-
@doc = xml_doc
|
15
|
-
|
16
|
-
build_alert
|
17
|
-
build_sig
|
18
|
-
build_participants
|
19
|
-
end
|
20
|
-
|
21
|
-
def to_hash
|
22
|
-
vars = {}
|
23
|
-
|
24
|
-
instance_variables.reject {|var| var == :@doc }.each do |var|
|
25
|
-
vars[var.to_s[1..-1]] = instance_variable_get(var)
|
26
|
-
end
|
27
|
-
|
28
|
-
vars
|
29
|
-
end
|
30
|
-
|
31
|
-
def to_json
|
32
|
-
to_hash.to_json
|
33
|
-
end
|
34
|
-
|
35
|
-
private
|
36
|
-
|
37
|
-
def build_alert
|
38
|
-
@event_id = @doc.xpath('//sd:evIdsAlert').first.attribute('eventId').value
|
39
|
-
@severity = @doc.xpath('//sd:evIdsAlert').first.attribute('severity').value
|
40
|
-
@originator = @doc.xpath('//sd:originator').first.
|
41
|
-
xpath('sd:hostId').first.text
|
42
|
-
@alert_time = @doc.xpath('//sd:time').first.text
|
43
|
-
@risk_rating = @doc.xpath('//cid:riskRatingValue').first.text
|
44
|
-
@threat_rating = @doc.xpath('//cid:threatRatingValue').first.text
|
45
|
-
@protocol = @doc.xpath('//cid:protocol').first.text
|
46
|
-
end
|
47
|
-
|
48
|
-
def build_sig
|
49
|
-
sig = @doc.xpath('//sd:signature').first
|
50
|
-
|
51
|
-
@sig_id = sig.attribute('id').value
|
52
|
-
@sig_version = sig.attribute('version').value
|
53
|
-
@subsig_id = sig.xpath('//cid:subsigId').first.text
|
54
|
-
|
55
|
-
begin
|
56
|
-
@sig_detail = sig.xpath('//cid:sigDetails').first.text
|
57
|
-
rescue
|
58
|
-
@sig_detail = sig.attribute('description').value
|
59
|
-
end
|
60
|
-
end
|
61
|
-
|
62
|
-
def build_participants
|
63
|
-
@targets = []
|
64
|
-
|
65
|
-
attacker = @doc.xpath('//sd:attacker').first
|
66
|
-
attacker_addr = attacker.xpath('//sd:addr').first
|
67
|
-
@attacker_locality = attacker_addr.attribute('locality').value
|
68
|
-
@attacker = attacker_addr.text
|
69
|
-
|
70
|
-
begin
|
71
|
-
@attacker_port = attacker.xpath('//sd:port').first.text
|
72
|
-
rescue
|
73
|
-
@attacker_port = '0'
|
74
|
-
end
|
75
|
-
|
76
|
-
target_list = @doc.xpath('//sd:target')
|
77
|
-
|
78
|
-
target_list.each do |target|
|
79
|
-
data = {}
|
80
|
-
|
81
|
-
target_addr = target.xpath('//sd:addr').first
|
82
|
-
|
83
|
-
data['target'] = target_addr.text
|
84
|
-
data['target_locality'] = target_addr.attribute('locality').value
|
85
|
-
|
86
|
-
begin
|
87
|
-
data['target_port'] = target.xpath('//sd:port').first.text
|
88
|
-
rescue
|
89
|
-
data['target_port'] = '0'
|
90
|
-
end
|
91
|
-
|
92
|
-
@targets << data
|
93
|
-
end
|
94
|
-
end
|
95
|
-
end
|
96
|
-
|
97
|
-
class SDEE
|
98
|
-
def initialize(options = {})
|
99
|
-
@host = options[:host]
|
100
|
-
@path = '/cgi-bin/sdee-server'
|
101
|
-
@proto = 'https://'
|
102
|
-
|
103
|
-
@creds = Base64.encode64("#{options[:user]}:#{options[:pass]}")
|
104
|
-
end
|
105
|
-
|
106
|
-
def login
|
107
|
-
params = {
|
108
|
-
action: 'open',
|
109
|
-
events: 'evIdsAlert',
|
110
|
-
force: 'yes'
|
111
|
-
}
|
112
|
-
|
113
|
-
response = request params
|
114
|
-
doc = Nokogiri::XML(response.body)
|
115
|
-
|
116
|
-
@session_id = doc.xpath('//env:Header').first.
|
117
|
-
xpath('//sd:oobInfo').first.
|
118
|
-
xpath('//sd:sessionId').first.text
|
119
|
-
|
120
|
-
@subscription_id = doc.xpath('//env:Body').first.
|
121
|
-
xpath('//sd:subscriptionId').first.text
|
122
|
-
|
123
|
-
response
|
124
|
-
end
|
125
|
-
|
126
|
-
def poll_events(sleep_time=5)
|
127
|
-
while true do
|
128
|
-
get_events
|
129
|
-
sleep sleep_time
|
130
|
-
end
|
131
|
-
end
|
132
|
-
|
133
|
-
def get_events
|
134
|
-
puts "Please login first" unless @subscription_id
|
135
|
-
|
136
|
-
params = {
|
137
|
-
action: 'get',
|
138
|
-
confirm: 'yes',
|
139
|
-
timeout: 1,
|
140
|
-
maxNbrofEvents: 20,
|
141
|
-
subscriptionId: @subscription_id,
|
142
|
-
sessionId: @session_id
|
143
|
-
}
|
144
|
-
|
145
|
-
res = request params
|
146
|
-
doc = Nokogiri::XML(res.body)
|
147
|
-
|
148
|
-
xml_alerts = doc.xpath("//sd:evIdsAlert")
|
149
|
-
hash_alerts = xml_alerts.collect {|x| Alert.new(x).to_hash }.uniq
|
150
|
-
|
151
|
-
hash_alerts.each {|h| puts h.to_json }
|
152
|
-
|
153
|
-
hash_alerts
|
154
|
-
end
|
155
|
-
|
156
|
-
def request(params)
|
157
|
-
http = Net::HTTP.new(@host, 443)
|
158
|
-
http.use_ssl = true
|
159
|
-
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
160
|
-
http.ssl_version = :SSLv3
|
161
|
-
|
162
|
-
uri = URI(@proto + @host + @path)
|
163
|
-
uri.query = URI.encode_www_form(params)
|
164
|
-
|
165
|
-
req = Net::HTTP::Get.new(uri)
|
166
|
-
req['Authorization'] = "BASIC #{@creds}"
|
167
|
-
|
168
|
-
response = http.request(req)
|
4
|
+
module SDEE
|
5
|
+
class << self
|
169
6
|
end
|
170
7
|
end
|
data/lib/sdee/alert.rb
ADDED
@@ -0,0 +1,93 @@
|
|
1
|
+
require 'json'
|
2
|
+
|
3
|
+
module SDEE
|
4
|
+
class Alert
|
5
|
+
attr_accessor :event_id, :severity, :originator, :alert_time, :risk_rating,
|
6
|
+
:protocol, :sig_id, :subsig_id, :sig_version, :sig_detail, :attacker,
|
7
|
+
:targets, :attacker_locality, :target_locality, :attacker_port,
|
8
|
+
:target_port, :threat_rating
|
9
|
+
|
10
|
+
def initialize(xml_doc)
|
11
|
+
@alert_xml = xml_doc
|
12
|
+
|
13
|
+
build_alert
|
14
|
+
build_sig
|
15
|
+
build_participants
|
16
|
+
end
|
17
|
+
|
18
|
+
def to_hash
|
19
|
+
vars = {}
|
20
|
+
|
21
|
+
instance_variables.reject {|var| var == :@alert_xml }.each do |var|
|
22
|
+
vars[var.to_s[1..-1]] = instance_variable_get(var)
|
23
|
+
end
|
24
|
+
|
25
|
+
vars
|
26
|
+
end
|
27
|
+
|
28
|
+
def to_json
|
29
|
+
to_hash.to_json
|
30
|
+
end
|
31
|
+
|
32
|
+
private
|
33
|
+
|
34
|
+
def build_alert
|
35
|
+
@event_id = @alert_xml.attribute('eventId').value
|
36
|
+
@severity = @alert_xml.attribute('severity').value
|
37
|
+
@originator = @alert_xml.xpath('.//sd:originator').first.
|
38
|
+
xpath('sd:hostId').first.text
|
39
|
+
@alert_time = @alert_xml.xpath('.//sd:time').first.text
|
40
|
+
@risk_rating = @alert_xml.xpath('.//cid:riskRatingValue').first.text
|
41
|
+
@threat_rating = @alert_xml.xpath('.//cid:threatRatingValue').first.text
|
42
|
+
@protocol = @alert_xml.xpath('.//cid:protocol').first.text
|
43
|
+
end
|
44
|
+
|
45
|
+
def build_sig
|
46
|
+
sig = @alert_xml.xpath('.//sd:signature').first
|
47
|
+
|
48
|
+
@sig_id = sig.attribute('id').value
|
49
|
+
@sig_version = sig.attribute('version').value
|
50
|
+
@subsig_id = sig.xpath('.//cid:subsigId').first.text
|
51
|
+
|
52
|
+
begin
|
53
|
+
@sig_detail = sig.xpath('.//cid:sigDetails').first.text
|
54
|
+
rescue
|
55
|
+
@sig_detail = sig.attribute('description').value
|
56
|
+
end
|
57
|
+
end
|
58
|
+
|
59
|
+
def build_participants
|
60
|
+
@targets = []
|
61
|
+
|
62
|
+
attacker = @alert_xml.xpath('.//sd:attacker').first
|
63
|
+
attacker_addr = attacker.xpath('.//sd:addr').first
|
64
|
+
@attacker_locality = attacker_addr.attribute('locality').value
|
65
|
+
@attacker = attacker_addr.text
|
66
|
+
|
67
|
+
begin
|
68
|
+
@attacker_port = attacker.xpath('.//sd:port').first.text
|
69
|
+
rescue
|
70
|
+
@attacker_port = '0'
|
71
|
+
end
|
72
|
+
|
73
|
+
target_list = @alert_xml.xpath('.//sd:target')
|
74
|
+
|
75
|
+
target_list.each do |target|
|
76
|
+
data = {}
|
77
|
+
|
78
|
+
target_addr = target.xpath('.//sd:addr').first
|
79
|
+
|
80
|
+
data['target'] = target_addr.text
|
81
|
+
data['target_locality'] = target_addr.attribute('locality').value
|
82
|
+
|
83
|
+
begin
|
84
|
+
data['target_port'] = target.xpath('.//sd:port').first.text
|
85
|
+
rescue
|
86
|
+
data['target_port'] = '0'
|
87
|
+
end
|
88
|
+
|
89
|
+
@targets << data
|
90
|
+
end
|
91
|
+
end
|
92
|
+
end
|
93
|
+
end
|
data/lib/sdee/poller.rb
ADDED
@@ -0,0 +1,82 @@
|
|
1
|
+
require 'json'
|
2
|
+
require 'uri'
|
3
|
+
require 'net/https'
|
4
|
+
require 'base64'
|
5
|
+
require 'nokogiri'
|
6
|
+
|
7
|
+
module SDEE
|
8
|
+
class Poller
|
9
|
+
def initialize(options = {})
|
10
|
+
@host = options[:host]
|
11
|
+
@path = '/cgi-bin/sdee-server'
|
12
|
+
@proto = 'https://'
|
13
|
+
|
14
|
+
@creds = Base64.encode64("#{options[:user]}:#{options[:pass]}")
|
15
|
+
end
|
16
|
+
|
17
|
+
def login
|
18
|
+
params = {
|
19
|
+
action: 'open',
|
20
|
+
events: 'evIdsAlert',
|
21
|
+
force: 'yes'
|
22
|
+
}
|
23
|
+
|
24
|
+
response = request params
|
25
|
+
doc = Nokogiri::XML(response.body)
|
26
|
+
|
27
|
+
@session_id = doc.xpath('//env:Header').first.
|
28
|
+
xpath('//sd:oobInfo').first.
|
29
|
+
xpath('//sd:sessionId').first.text
|
30
|
+
|
31
|
+
@subscription_id = doc.xpath('//env:Body').first.
|
32
|
+
xpath('//sd:subscriptionId').first.text
|
33
|
+
|
34
|
+
response
|
35
|
+
end
|
36
|
+
|
37
|
+
def poll_events(sleep_time=5)
|
38
|
+
while true do
|
39
|
+
get_events
|
40
|
+
sleep sleep_time
|
41
|
+
end
|
42
|
+
end
|
43
|
+
|
44
|
+
def get_events
|
45
|
+
puts "Please login first" unless @subscription_id
|
46
|
+
|
47
|
+
params = {
|
48
|
+
action: 'get',
|
49
|
+
confirm: 'yes',
|
50
|
+
timeout: 1,
|
51
|
+
maxNbrofEvents: 20,
|
52
|
+
subscriptionId: @subscription_id,
|
53
|
+
sessionId: @session_id
|
54
|
+
}
|
55
|
+
|
56
|
+
res = request params
|
57
|
+
doc = Nokogiri::XML(res.body)
|
58
|
+
|
59
|
+
xml_alerts = doc.xpath("//sd:evIdsAlert")
|
60
|
+
hash_alerts = xml_alerts.collect {|x| Alert.new(x.to_s).to_hash }.uniq
|
61
|
+
|
62
|
+
hash_alerts.each {|h| puts h.to_json }
|
63
|
+
|
64
|
+
hash_alerts
|
65
|
+
end
|
66
|
+
|
67
|
+
def request(params)
|
68
|
+
http = Net::HTTP.new(@host, 443)
|
69
|
+
http.use_ssl = true
|
70
|
+
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
|
71
|
+
http.ssl_version = :SSLv3
|
72
|
+
|
73
|
+
uri = URI(@proto + @host + @path)
|
74
|
+
uri.query = URI.encode_www_form(params)
|
75
|
+
|
76
|
+
req = Net::HTTP::Get.new(uri)
|
77
|
+
req['Authorization'] = "BASIC #{@creds}"
|
78
|
+
|
79
|
+
http.request(req)
|
80
|
+
end
|
81
|
+
end
|
82
|
+
end
|
data/sdee.gemspec
ADDED
@@ -0,0 +1,14 @@
|
|
1
|
+
Gem::Specification.new do |s|
|
2
|
+
s.name = 'sdee'
|
3
|
+
s.version = '0.0.6'
|
4
|
+
s.summary = 'Simple Ruby SDEE Poller'
|
5
|
+
s.description = 'Secure Device Event Exchange (SDEE) is a simple HTTP-based protocol used by security appliances to exchange events and alerts. Results are returned in XML. This is a very bare-bones ruby implementation to get SDEE events from a Cisco IPS in JSON format.'
|
6
|
+
s.authors = ['Jamil Bou Kheir']
|
7
|
+
s.email = 'jamil@elbii.com'
|
8
|
+
s.files = `git ls-files`.split("\n")
|
9
|
+
s.homepage = 'https://github.com/elbii/ruby-sdee'
|
10
|
+
s.license = 'MIT'
|
11
|
+
s.add_runtime_dependency 'nokogiri', '~> 1.5.0', '>= 1.5.0'
|
12
|
+
s.add_runtime_dependency 'json'
|
13
|
+
s.add_development_dependency 'rspec'
|
14
|
+
end
|
data/spec/alert_spec.rb
ADDED
@@ -0,0 +1,157 @@
|
|
1
|
+
require 'sdee'
|
2
|
+
|
3
|
+
describe SDEE::Alert do
|
4
|
+
before :all do
|
5
|
+
@doc = Nokogiri::XML(File.open('./spec/data/sample.xml'))
|
6
|
+
end
|
7
|
+
|
8
|
+
context 'first alert' do
|
9
|
+
before :all do
|
10
|
+
alert_xml = @doc.xpath('//sd:evIdsAlert').first
|
11
|
+
@alert = SDEE::Alert.new(alert_xml)
|
12
|
+
end
|
13
|
+
|
14
|
+
it 'should parse event_id' do
|
15
|
+
@alert.event_id.should eq '6823242457034'
|
16
|
+
end
|
17
|
+
|
18
|
+
it 'should parse severity' do
|
19
|
+
@alert.severity.should eq 'informational'
|
20
|
+
end
|
21
|
+
|
22
|
+
it 'should parse originator' do
|
23
|
+
@alert.originator.should eq 'sample_host'
|
24
|
+
end
|
25
|
+
|
26
|
+
it 'should parse alert_time' do
|
27
|
+
@alert.alert_time.should eq '1385965224300024000'
|
28
|
+
end
|
29
|
+
|
30
|
+
it 'should parse risk_rating' do
|
31
|
+
@alert.risk_rating.should eq '15'
|
32
|
+
end
|
33
|
+
|
34
|
+
it 'should parse protocol' do
|
35
|
+
@alert.protocol.should eq 'IP protocol 0'
|
36
|
+
end
|
37
|
+
|
38
|
+
it 'should parse sig_id' do
|
39
|
+
@alert.sig_id.should eq '1208'
|
40
|
+
end
|
41
|
+
|
42
|
+
it 'should parse subsig_id' do
|
43
|
+
@alert.subsig_id.should eq '0'
|
44
|
+
end
|
45
|
+
|
46
|
+
it 'should parse sig_version' do
|
47
|
+
@alert.sig_version.should eq 'S212'
|
48
|
+
end
|
49
|
+
|
50
|
+
it 'should parse sig_detail' do
|
51
|
+
@alert.sig_detail.should eq 'Fragmented IP Datagram with fragments missing'
|
52
|
+
end
|
53
|
+
|
54
|
+
it 'should parse attacker' do
|
55
|
+
@alert.attacker.should eq '0.0.0.0'
|
56
|
+
end
|
57
|
+
|
58
|
+
it 'should parse targets' do
|
59
|
+
@alert.targets.first['target'].should include '0.0.0.0'
|
60
|
+
end
|
61
|
+
|
62
|
+
it 'should parse attacker_locality' do
|
63
|
+
@alert.attacker_locality.should eq 'OUT'
|
64
|
+
end
|
65
|
+
|
66
|
+
it 'should parse target_locality' do
|
67
|
+
@alert.targets.first['target_locality'].should eq 'OUT'
|
68
|
+
end
|
69
|
+
|
70
|
+
it 'should parse attacker_port' do
|
71
|
+
@alert.attacker_port.should eq '0'
|
72
|
+
end
|
73
|
+
|
74
|
+
it 'should parse target_port' do
|
75
|
+
@alert.targets.first['target_port'].should eq '0'
|
76
|
+
end
|
77
|
+
|
78
|
+
it 'should parse threat_rating' do
|
79
|
+
@alert.threat_rating.should eq '15'
|
80
|
+
end
|
81
|
+
end
|
82
|
+
|
83
|
+
context 'second alert' do
|
84
|
+
before :all do
|
85
|
+
alert_xml = @doc.xpath('//sd:evIdsAlert').last
|
86
|
+
@alert = SDEE::Alert.new(alert_xml)
|
87
|
+
end
|
88
|
+
|
89
|
+
it 'should parse event_id' do
|
90
|
+
@alert.event_id.should eq '6823242457036'
|
91
|
+
end
|
92
|
+
|
93
|
+
it 'should parse severity' do
|
94
|
+
@alert.severity.should eq 'high'
|
95
|
+
end
|
96
|
+
|
97
|
+
it 'should parse originator' do
|
98
|
+
@alert.originator.should eq 'sample_host'
|
99
|
+
end
|
100
|
+
|
101
|
+
it 'should parse alert_time' do
|
102
|
+
@alert.alert_time.should eq '1385965230914381000'
|
103
|
+
end
|
104
|
+
|
105
|
+
it 'should parse risk_rating' do
|
106
|
+
@alert.risk_rating.should eq '100'
|
107
|
+
end
|
108
|
+
|
109
|
+
it 'should parse protocol' do
|
110
|
+
@alert.protocol.should eq 'tcp'
|
111
|
+
end
|
112
|
+
|
113
|
+
it 'should parse sig_id' do
|
114
|
+
@alert.sig_id.should eq '3250'
|
115
|
+
end
|
116
|
+
|
117
|
+
it 'should parse subsig_id' do
|
118
|
+
@alert.subsig_id.should eq '0'
|
119
|
+
end
|
120
|
+
|
121
|
+
it 'should parse sig_version' do
|
122
|
+
@alert.sig_version.should eq 'S739'
|
123
|
+
end
|
124
|
+
|
125
|
+
it 'should parse sig_detail' do
|
126
|
+
@alert.sig_detail.should eq 'TCP Hijack'
|
127
|
+
end
|
128
|
+
|
129
|
+
it 'should parse attacker' do
|
130
|
+
@alert.attacker.should eq '10.0.0.2'
|
131
|
+
end
|
132
|
+
|
133
|
+
it 'should parse targets' do
|
134
|
+
@alert.targets.first['target'].should eq '10.1.0.8'
|
135
|
+
end
|
136
|
+
|
137
|
+
it 'should parse attacker_locality' do
|
138
|
+
@alert.attacker_locality.should eq 'OUT'
|
139
|
+
end
|
140
|
+
|
141
|
+
it 'should parse target_locality' do
|
142
|
+
@alert.targets.first['target_locality'].should eq 'OUT'
|
143
|
+
end
|
144
|
+
|
145
|
+
it 'should parse attacker_port' do
|
146
|
+
@alert.attacker_port.should eq '59433'
|
147
|
+
end
|
148
|
+
|
149
|
+
it 'should parse target_port' do
|
150
|
+
@alert.targets.first['target_port'].should eq '443'
|
151
|
+
end
|
152
|
+
|
153
|
+
it 'should parse threat_rating' do
|
154
|
+
@alert.threat_rating.should eq '100'
|
155
|
+
end
|
156
|
+
end
|
157
|
+
end
|
@@ -0,0 +1,87 @@
|
|
1
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
2
|
+
<env:Envelope xmlns="http://www.cisco.com/cids/2006/08/cidee" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:sd="http://example.org/2003/08/sdee" xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">
|
3
|
+
<env:Header>
|
4
|
+
<sd:oobInfo>
|
5
|
+
<sd:sessionId>5e5885fc07977bd48ea352344c7230de</sd:sessionId>
|
6
|
+
</sd:oobInfo>
|
7
|
+
</env:Header>
|
8
|
+
<env:Body>
|
9
|
+
<sd:events>
|
10
|
+
<sd:evIdsAlert eventId="6823242457034" vendor="Cisco" severity="informational">
|
11
|
+
<sd:originator>
|
12
|
+
<sd:hostId>sample_host</sd:hostId>
|
13
|
+
<cid:appName>sensorApp</cid:appName>
|
14
|
+
<cid:appInstanceId>27807</cid:appInstanceId>
|
15
|
+
</sd:originator>
|
16
|
+
<sd:time offset="0" timeZone="UTC">1385965224300024000</sd:time>
|
17
|
+
<sd:signature description="IP Fragment Incomplete Datagram" id="1208" cid:version="S212" cid:type="anomaly" cid:created="20030801">
|
18
|
+
<cid:subsigId>0</cid:subsigId>
|
19
|
+
<cid:sigDetails>Fragmented IP Datagram with fragments missing</cid:sigDetails>
|
20
|
+
</sd:signature>
|
21
|
+
<sd:interfaceGroup>vs0</sd:interfaceGroup>
|
22
|
+
<sd:vlan>0</sd:vlan>
|
23
|
+
<sd:participants>
|
24
|
+
<sd:attacker>
|
25
|
+
<sd:addr cid:locality="OUT">0.0.0.0</sd:addr>
|
26
|
+
</sd:attacker>
|
27
|
+
<sd:target>
|
28
|
+
<sd:addr cid:locality="OUT">0.0.0.0</sd:addr>
|
29
|
+
<cid:os idSource="unknown" type="unknown" relevance="unknown"/>
|
30
|
+
</sd:target>
|
31
|
+
</sd:participants>
|
32
|
+
<sd:actions>
|
33
|
+
<cid:denyPacketRequestedNotPerformed>true</cid:denyPacketRequestedNotPerformed>
|
34
|
+
</sd:actions>
|
35
|
+
<cid:riskRatingValue targetValueRating="medium">15</cid:riskRatingValue>
|
36
|
+
<cid:threatRatingValue>15</cid:threatRatingValue>
|
37
|
+
<cid:interface>Unknown</cid:interface>
|
38
|
+
<cid:protocol>IP protocol 0</cid:protocol>
|
39
|
+
</sd:evIdsAlert>
|
40
|
+
<evStatus eventId="6823242457035" vendor="Cisco">
|
41
|
+
<originator>
|
42
|
+
<hostId>sample_host</hostId>
|
43
|
+
<appName>cidwebserver</appName>
|
44
|
+
<appInstanceId>27425</appInstanceId>
|
45
|
+
</originator>
|
46
|
+
<time offset="0" timeZone="UTC">1385965228211631000</time>
|
47
|
+
<loginAction action="loggedIn">
|
48
|
+
<description>User logged into HTTP server</description>
|
49
|
+
<userName>admin</userName>
|
50
|
+
<userAddress port="59344">192.168.1.1</userAddress>
|
51
|
+
</loginAction>
|
52
|
+
</evStatus>
|
53
|
+
<sd:evIdsAlert eventId="6823242457036" vendor="Cisco" severity="high" cid:alarmTraits="32768">
|
54
|
+
<sd:originator>
|
55
|
+
<sd:hostId>sample_host</sd:hostId>
|
56
|
+
<cid:appName>sensorApp</cid:appName>
|
57
|
+
<cid:appInstanceId>27807</cid:appInstanceId>
|
58
|
+
</sd:originator>
|
59
|
+
<sd:time offset="0" timeZone="UTC">1385965230914381000</sd:time>
|
60
|
+
<sd:signature description="TCP Hijack" id="3250" cid:version="S739" cid:type="anomaly" cid:created="20010202">
|
61
|
+
<cid:subsigId>0</cid:subsigId>
|
62
|
+
<cid:sigDetails>TCP Hijack</cid:sigDetails>
|
63
|
+
</sd:signature>
|
64
|
+
<sd:interfaceGroup>vs0</sd:interfaceGroup>
|
65
|
+
<sd:vlan>0</sd:vlan>
|
66
|
+
<sd:participants>
|
67
|
+
<sd:attacker>
|
68
|
+
<sd:addr cid:locality="OUT">10.0.0.2</sd:addr>
|
69
|
+
<sd:port>59433</sd:port>
|
70
|
+
</sd:attacker>
|
71
|
+
<sd:target>
|
72
|
+
<sd:addr cid:locality="OUT">10.1.0.8</sd:addr>
|
73
|
+
<sd:port>443</sd:port>
|
74
|
+
<cid:os idSource="unknown" type="unknown" relevance="relevant"/>
|
75
|
+
</sd:target>
|
76
|
+
</sd:participants>
|
77
|
+
<sd:actions>
|
78
|
+
<cid:denyPacketRequestedNotPerformed>true</cid:denyPacketRequestedNotPerformed>
|
79
|
+
</sd:actions>
|
80
|
+
<cid:riskRatingValue targetValueRating="medium" attackRelevanceRating="relevant">100</cid:riskRatingValue>
|
81
|
+
<cid:threatRatingValue>100</cid:threatRatingValue>
|
82
|
+
<cid:interface>te0_0</cid:interface>
|
83
|
+
<cid:protocol>tcp</cid:protocol>
|
84
|
+
</sd:evIdsAlert>
|
85
|
+
</sd:events>
|
86
|
+
</env:Body>
|
87
|
+
</env:Envelope>
|
data/spec/poller_spec.rb
ADDED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: sdee
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.0.
|
4
|
+
version: 0.0.6
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jamil Bou Kheir
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2013-
|
11
|
+
date: 2013-12-02 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: nokogiri
|
@@ -30,6 +30,34 @@ dependencies:
|
|
30
30
|
- - '>='
|
31
31
|
- !ruby/object:Gem::Version
|
32
32
|
version: 1.5.0
|
33
|
+
- !ruby/object:Gem::Dependency
|
34
|
+
name: json
|
35
|
+
requirement: !ruby/object:Gem::Requirement
|
36
|
+
requirements:
|
37
|
+
- - '>='
|
38
|
+
- !ruby/object:Gem::Version
|
39
|
+
version: '0'
|
40
|
+
type: :runtime
|
41
|
+
prerelease: false
|
42
|
+
version_requirements: !ruby/object:Gem::Requirement
|
43
|
+
requirements:
|
44
|
+
- - '>='
|
45
|
+
- !ruby/object:Gem::Version
|
46
|
+
version: '0'
|
47
|
+
- !ruby/object:Gem::Dependency
|
48
|
+
name: rspec
|
49
|
+
requirement: !ruby/object:Gem::Requirement
|
50
|
+
requirements:
|
51
|
+
- - '>='
|
52
|
+
- !ruby/object:Gem::Version
|
53
|
+
version: '0'
|
54
|
+
type: :development
|
55
|
+
prerelease: false
|
56
|
+
version_requirements: !ruby/object:Gem::Requirement
|
57
|
+
requirements:
|
58
|
+
- - '>='
|
59
|
+
- !ruby/object:Gem::Version
|
60
|
+
version: '0'
|
33
61
|
description: Secure Device Event Exchange (SDEE) is a simple HTTP-based protocol used
|
34
62
|
by security appliances to exchange events and alerts. Results are returned in XML.
|
35
63
|
This is a very bare-bones ruby implementation to get SDEE events from a Cisco IPS
|
@@ -39,11 +67,23 @@ executables: []
|
|
39
67
|
extensions: []
|
40
68
|
extra_rdoc_files: []
|
41
69
|
files:
|
70
|
+
- .gitignore
|
71
|
+
- Gemfile
|
72
|
+
- Gemfile.lock
|
73
|
+
- LICENSE
|
74
|
+
- README.md
|
75
|
+
- Rakefile
|
76
|
+
- examples/simple.rb
|
42
77
|
- lib/sdee.rb
|
43
|
-
-
|
78
|
+
- lib/sdee/alert.rb
|
79
|
+
- lib/sdee/poller.rb
|
80
|
+
- sdee.gemspec
|
81
|
+
- spec/alert_spec.rb
|
82
|
+
- spec/data/sample.xml
|
83
|
+
- spec/poller_spec.rb
|
44
84
|
homepage: https://github.com/elbii/ruby-sdee
|
45
85
|
licenses:
|
46
|
-
-
|
86
|
+
- MIT
|
47
87
|
metadata: {}
|
48
88
|
post_install_message:
|
49
89
|
rdoc_options: []
|
@@ -61,7 +101,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
61
101
|
version: '0'
|
62
102
|
requirements: []
|
63
103
|
rubyforge_project:
|
64
|
-
rubygems_version: 2.1.
|
104
|
+
rubygems_version: 2.1.11
|
65
105
|
signing_key:
|
66
106
|
specification_version: 4
|
67
107
|
summary: Simple Ruby SDEE Poller
|