sdee 0.0.5 → 0.0.6

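--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6c39d248867f7a55a8ea2cbd846691a2f1efb189
-  data.tar.gz: 322f39dfdae8b005eda45483c08180adbf61b7af
+  metadata.gz: d7400ca72437d03e9249f3b91a190fecb02b8a72
+  data.tar.gz: fc34ce94cbd1a08adeb77a30e4941f0bd5e43a35
 SHA512:
-  metadata.gz: f1bf0f3ebd41dcdda633900f261ea8499e678a96da671def45347251a694a78866e1cd9c6c49209eac99f81e72480ac7a0c1ebae73b5c23728bbef99d6638c53
-  data.tar.gz: fd59c85676a8d136c2ee729dc29f0a9f708356462541979a964b96cb7de24135c0ee7dfc73fced027c98e3cf644b564762429651617177229d6041e160969d97
+  metadata.gz: b83055d523805ae87fb1e28791cb292f4891325550e1d202cee1c8b592ca3c8078af65b41465c6629f0cd084f2b67cc68f53e454275e887c33b1b9b711085825
+  data.tar.gz: 6a21642660cbfbfc27d3ed575d6515fc6d1f5300dd7a436205531340411a7f23ecc8b3685bf5699a6eff1c905b1f9e4e7a648477046f7eceee46764eee28c228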
@@ -0,0 +1,18 @@
1
+ *.gem
2
+ *.rbc
3
+ .bundle
4
+ .config
5
+ coverage
6
+ InstalledFiles
7
+ lib/bundler/man
8
+ pkg
9
+ rdoc
10
+ spec/reports
11
+ test/tmp
12
+ test/version_tmp
13
+ tmp
14
+
15
+ # YARD artifacts
16
+ .yardoc
17
+ _yardoc
18
+ doc/
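--- /dev/null
+++ b/data/Gemfile
@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec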
@@ -0,0 +1,28 @@
1
+ PATH
2
+ remote: .
3
+ specs:
4
+ sdee (0.0.5)
5
+ json
6
+ nokogiri (~> 1.5.0, >= 1.5.0)
7
+
8
+ GEM
9
+ remote: https://rubygems.org/
10
+ specs:
11
+ diff-lcs (1.2.5)
12
+ json (1.8.1)
13
+ nokogiri (1.5.10)
14
+ rspec (2.14.1)
15
+ rspec-core (~> 2.14.0)
16
+ rspec-expectations (~> 2.14.0)
17
+ rspec-mocks (~> 2.14.0)
18
+ rspec-core (2.14.7)
19
+ rspec-expectations (2.14.4)
20
+ diff-lcs (>= 1.1.3, < 2.0)
21
+ rspec-mocks (2.14.4)
22
+
23
+ PLATFORMS
24
+ ruby
25
+
26
+ DEPENDENCIES
27
+ rspec
28
+ sdee!
data/LICENSE ADDED
@@ -0,0 +1,339 @@
1
+ GNU GENERAL PUBLIC LICENSE
2
+ Version 2, June 1991
3
+
4
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
5
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
6
+ Everyone is permitted to copy and distribute verbatim copies
7
+ of this license document, but changing it is not allowed.
8
+
9
+ Preamble
10
+
11
+ The licenses for most software are designed to take away your
12
+ freedom to share and change it. By contrast, the GNU General Public
13
+ License is intended to guarantee your freedom to share and change free
14
+ software--to make sure the software is free for all its users. This
15
+ General Public License applies to most of the Free Software
16
+ Foundation's software and to any other program whose authors commit to
17
+ using it. (Some other Free Software Foundation software is covered by
18
+ the GNU Lesser General Public License instead.) You can apply it to
19
+ your programs, too.
20
+
21
+ When we speak of free software, we are referring to freedom, not
22
+ price. Our General Public Licenses are designed to make sure that you
23
+ have the freedom to distribute copies of free software (and charge for
24
+ this service if you wish), that you receive source code or can get it
25
+ if you want it, that you can change the software or use pieces of it
26
+ in new free programs; and that you know you can do these things.
27
+
28
+ To protect your rights, we need to make restrictions that forbid
29
+ anyone to deny you these rights or to ask you to surrender the rights.
30
+ These restrictions translate to certain responsibilities for you if you
31
+ distribute copies of the software, or if you modify it.
32
+
33
+ For example, if you distribute copies of such a program, whether
34
+ gratis or for a fee, you must give the recipients all the rights that
35
+ you have. You must make sure that they, too, receive or can get the
36
+ source code. And you must show them these terms so they know their
37
+ rights.
38
+
39
+ We protect your rights with two steps: (1) copyright the software, and
40
+ (2) offer you this license which gives you legal permission to copy,
41
+ distribute and/or modify the software.
42
+
43
+ Also, for each author's protection and ours, we want to make certain
44
+ that everyone understands that there is no warranty for this free
45
+ software. If the software is modified by someone else and passed on, we
46
+ want its recipients to know that what they have is not the original, so
47
+ that any problems introduced by others will not reflect on the original
48
+ authors' reputations.
49
+
50
+ Finally, any free program is threatened constantly by software
51
+ patents. We wish to avoid the danger that redistributors of a free
52
+ program will individually obtain patent licenses, in effect making the
53
+ program proprietary. To prevent this, we have made it clear that any
54
+ patent must be licensed for everyone's free use or not licensed at all.
55
+
56
+ The precise terms and conditions for copying, distribution and
57
+ modification follow.
58
+
59
+ GNU GENERAL PUBLIC LICENSE
60
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
61
+
62
+ 0. This License applies to any program or other work which contains
63
+ a notice placed by the copyright holder saying it may be distributed
64
+ under the terms of this General Public License. The "Program", below,
65
+ refers to any such program or work, and a "work based on the Program"
66
+ means either the Program or any derivative work under copyright law:
67
+ that is to say, a work containing the Program or a portion of it,
68
+ either verbatim or with modifications and/or translated into another
69
+ language. (Hereinafter, translation is included without limitation in
70
+ the term "modification".) Each licensee is addressed as "you".
71
+
72
+ Activities other than copying, distribution and modification are not
73
+ covered by this License; they are outside its scope. The act of
74
+ running the Program is not restricted, and the output from the Program
75
+ is covered only if its contents constitute a work based on the
76
+ Program (independent of having been made by running the Program).
77
+ Whether that is true depends on what the Program does.
78
+
79
+ 1. You may copy and distribute verbatim copies of the Program's
80
+ source code as you receive it, in any medium, provided that you
81
+ conspicuously and appropriately publish on each copy an appropriate
82
+ copyright notice and disclaimer of warranty; keep intact all the
83
+ notices that refer to this License and to the absence of any warranty;
84
+ and give any other recipients of the Program a copy of this License
85
+ along with the Program.
86
+
87
+ You may charge a fee for the physical act of transferring a copy, and
88
+ you may at your option offer warranty protection in exchange for a fee.
89
+
90
+ 2. You may modify your copy or copies of the Program or any portion
91
+ of it, thus forming a work based on the Program, and copy and
92
+ distribute such modifications or work under the terms of Section 1
93
+ above, provided that you also meet all of these conditions:
94
+
95
+ a) You must cause the modified files to carry prominent notices
96
+ stating that you changed the files and the date of any change.
97
+
98
+ b) You must cause any work that you distribute or publish, that in
99
+ whole or in part contains or is derived from the Program or any
100
+ part thereof, to be licensed as a whole at no charge to all third
101
+ parties under the terms of this License.
102
+
103
+ c) If the modified program normally reads commands interactively
104
+ when run, you must cause it, when started running for such
105
+ interactive use in the most ordinary way, to print or display an
106
+ announcement including an appropriate copyright notice and a
107
+ notice that there is no warranty (or else, saying that you provide
108
+ a warranty) and that users may redistribute the program under
109
+ these conditions, and telling the user how to view a copy of this
110
+ License. (Exception: if the Program itself is interactive but
111
+ does not normally print such an announcement, your work based on
112
+ the Program is not required to print an announcement.)
113
+
114
+ These requirements apply to the modified work as a whole. If
115
+ identifiable sections of that work are not derived from the Program,
116
+ and can be reasonably considered independent and separate works in
117
+ themselves, then this License, and its terms, do not apply to those
118
+ sections when you distribute them as separate works. But when you
119
+ distribute the same sections as part of a whole which is a work based
120
+ on the Program, the distribution of the whole must be on the terms of
121
+ this License, whose permissions for other licensees extend to the
122
+ entire whole, and thus to each and every part regardless of who wrote it.
123
+
124
+ Thus, it is not the intent of this section to claim rights or contest
125
+ your rights to work written entirely by you; rather, the intent is to
126
+ exercise the right to control the distribution of derivative or
127
+ collective works based on the Program.
128
+
129
+ In addition, mere aggregation of another work not based on the Program
130
+ with the Program (or with a work based on the Program) on a volume of
131
+ a storage or distribution medium does not bring the other work under
132
+ the scope of this License.
133
+
134
+ 3. You may copy and distribute the Program (or a work based on it,
135
+ under Section 2) in object code or executable form under the terms of
136
+ Sections 1 and 2 above provided that you also do one of the following:
137
+
138
+ a) Accompany it with the complete corresponding machine-readable
139
+ source code, which must be distributed under the terms of Sections
140
+ 1 and 2 above on a medium customarily used for software interchange; or,
141
+
142
+ b) Accompany it with a written offer, valid for at least three
143
+ years, to give any third party, for a charge no more than your
144
+ cost of physically performing source distribution, a complete
145
+ machine-readable copy of the corresponding source code, to be
146
+ distributed under the terms of Sections 1 and 2 above on a medium
147
+ customarily used for software interchange; or,
148
+
149
+ c) Accompany it with the information you received as to the offer
150
+ to distribute corresponding source code. (This alternative is
151
+ allowed only for noncommercial distribution and only if you
152
+ received the program in object code or executable form with such
153
+ an offer, in accord with Subsection b above.)
154
+
155
+ The source code for a work means the preferred form of the work for
156
+ making modifications to it. For an executable work, complete source
157
+ code means all the source code for all modules it contains, plus any
158
+ associated interface definition files, plus the scripts used to
159
+ control compilation and installation of the executable. However, as a
160
+ special exception, the source code distributed need not include
161
+ anything that is normally distributed (in either source or binary
162
+ form) with the major components (compiler, kernel, and so on) of the
163
+ operating system on which the executable runs, unless that component
164
+ itself accompanies the executable.
165
+
166
+ If distribution of executable or object code is made by offering
167
+ access to copy from a designated place, then offering equivalent
168
+ access to copy the source code from the same place counts as
169
+ distribution of the source code, even though third parties are not
170
+ compelled to copy the source along with the object code.
171
+
172
+ 4. You may not copy, modify, sublicense, or distribute the Program
173
+ except as expressly provided under this License. Any attempt
174
+ otherwise to copy, modify, sublicense or distribute the Program is
175
+ void, and will automatically terminate your rights under this License.
176
+ However, parties who have received copies, or rights, from you under
177
+ this License will not have their licenses terminated so long as such
178
+ parties remain in full compliance.
179
+
180
+ 5. You are not required to accept this License, since you have not
181
+ signed it. However, nothing else grants you permission to modify or
182
+ distribute the Program or its derivative works. These actions are
183
+ prohibited by law if you do not accept this License. Therefore, by
184
+ modifying or distributing the Program (or any work based on the
185
+ Program), you indicate your acceptance of this License to do so, and
186
+ all its terms and conditions for copying, distributing or modifying
187
+ the Program or works based on it.
188
+
189
+ 6. Each time you redistribute the Program (or any work based on the
190
+ Program), the recipient automatically receives a license from the
191
+ original licensor to copy, distribute or modify the Program subject to
192
+ these terms and conditions. You may not impose any further
193
+ restrictions on the recipients' exercise of the rights granted herein.
194
+ You are not responsible for enforcing compliance by third parties to
195
+ this License.
196
+
197
+ 7. If, as a consequence of a court judgment or allegation of patent
198
+ infringement or for any other reason (not limited to patent issues),
199
+ conditions are imposed on you (whether by court order, agreement or
200
+ otherwise) that contradict the conditions of this License, they do not
201
+ excuse you from the conditions of this License. If you cannot
202
+ distribute so as to satisfy simultaneously your obligations under this
203
+ License and any other pertinent obligations, then as a consequence you
204
+ may not distribute the Program at all. For example, if a patent
205
+ license would not permit royalty-free redistribution of the Program by
206
+ all those who receive copies directly or indirectly through you, then
207
+ the only way you could satisfy both it and this License would be to
208
+ refrain entirely from distribution of the Program.
209
+
210
+ If any portion of this section is held invalid or unenforceable under
211
+ any particular circumstance, the balance of the section is intended to
212
+ apply and the section as a whole is intended to apply in other
213
+ circumstances.
214
+
215
+ It is not the purpose of this section to induce you to infringe any
216
+ patents or other property right claims or to contest validity of any
217
+ such claims; this section has the sole purpose of protecting the
218
+ integrity of the free software distribution system, which is
219
+ implemented by public license practices. Many people have made
220
+ generous contributions to the wide range of software distributed
221
+ through that system in reliance on consistent application of that
222
+ system; it is up to the author/donor to decide if he or she is willing
223
+ to distribute software through any other system and a licensee cannot
224
+ impose that choice.
225
+
226
+ This section is intended to make thoroughly clear what is believed to
227
+ be a consequence of the rest of this License.
228
+
229
+ 8. If the distribution and/or use of the Program is restricted in
230
+ certain countries either by patents or by copyrighted interfaces, the
231
+ original copyright holder who places the Program under this License
232
+ may add an explicit geographical distribution limitation excluding
233
+ those countries, so that distribution is permitted only in or among
234
+ countries not thus excluded. In such case, this License incorporates
235
+ the limitation as if written in the body of this License.
236
+
237
+ 9. The Free Software Foundation may publish revised and/or new versions
238
+ of the General Public License from time to time. Such new versions will
239
+ be similar in spirit to the present version, but may differ in detail to
240
+ address new problems or concerns.
241
+
242
+ Each version is given a distinguishing version number. If the Program
243
+ specifies a version number of this License which applies to it and "any
244
+ later version", you have the option of following the terms and conditions
245
+ either of that version or of any later version published by the Free
246
+ Software Foundation. If the Program does not specify a version number of
247
+ this License, you may choose any version ever published by the Free Software
248
+ Foundation.
249
+
250
+ 10. If you wish to incorporate parts of the Program into other free
251
+ programs whose distribution conditions are different, write to the author
252
+ to ask for permission. For software which is copyrighted by the Free
253
+ Software Foundation, write to the Free Software Foundation; we sometimes
254
+ make exceptions for this. Our decision will be guided by the two goals
255
+ of preserving the free status of all derivatives of our free software and
256
+ of promoting the sharing and reuse of software generally.
257
+
258
+ NO WARRANTY
259
+
260
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
261
+ FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
262
+ OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
263
+ PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
264
+ OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
265
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
266
+ TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
267
+ PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
268
+ REPAIR OR CORRECTION.
269
+
270
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
271
+ WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
272
+ REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
273
+ INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
274
+ OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
275
+ TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
276
+ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
277
+ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
278
+ POSSIBILITY OF SUCH DAMAGES.
279
+
280
+ END OF TERMS AND CONDITIONS
281
+
282
+ How to Apply These Terms to Your New Programs
283
+
284
+ If you develop a new program, and you want it to be of the greatest
285
+ possible use to the public, the best way to achieve this is to make it
286
+ free software which everyone can redistribute and change under these terms.
287
+
288
+ To do so, attach the following notices to the program. It is safest
289
+ to attach them to the start of each source file to most effectively
290
+ convey the exclusion of warranty; and each file should have at least
291
+ the "copyright" line and a pointer to where the full notice is found.
292
+
293
+ Simple ruby SDEE poller
294
+ Copyright (C) 2013 Elbii
295
+
296
+ This program is free software; you can redistribute it and/or modify
297
+ it under the terms of the GNU General Public License as published by
298
+ the Free Software Foundation; either version 2 of the License, or
299
+ (at your option) any later version.
300
+
301
+ This program is distributed in the hope that it will be useful,
302
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
303
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
304
+ GNU General Public License for more details.
305
+
306
+ You should have received a copy of the GNU General Public License along
307
+ with this program; if not, write to the Free Software Foundation, Inc.,
308
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
309
+
310
+ Also add information on how to contact you by electronic and paper mail.
311
+
312
+ If the program is interactive, make it output a short notice like this
313
+ when it starts in an interactive mode:
314
+
315
+ Gnomovision version 69, Copyright (C) year name of author
316
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317
+ This is free software, and you are welcome to redistribute it
318
+ under certain conditions; type `show c' for details.
319
+
320
+ The hypothetical commands `show w' and `show c' should show the appropriate
321
+ parts of the General Public License. Of course, the commands you use may
322
+ be called something other than `show w' and `show c'; they could even be
323
+ mouse-clicks or menu items--whatever suits your program.
324
+
325
+ You should also get your employer (if you work as a programmer) or your
326
+ school, if any, to sign a "copyright disclaimer" for the program, if
327
+ necessary. Here is a sample; alter the names:
328
+
329
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
331
+
332
+ {signature of Ty Coon}, 1 April 1989
333
+ Ty Coon, President of Vice
334
+
335
+ This General Public License does not permit incorporating your program into
336
+ proprietary programs. If your program is a subroutine library, you may
337
+ consider it more useful to permit linking proprietary applications with the
338
+ library. If this is what you want to do, use the GNU Lesser General
339
+ Public License instead of this License.
@@ -0,0 +1,6 @@
1
+ ruby-sdee
2
+ =========
3
+
4
+ Simple ruby SDEE poller
5
+
6
+ See example.rb for a simple example.
@@ -0,0 +1,5 @@
1
+ require 'rspec/core/rake_task'
2
+
3
+ RSpec::Core::RakeTask.new(:spec)
4
+
5
+ task :default => :spec
@@ -1,10 +1,10 @@
1
1
  require 'sdee'
2
2
 
3
3
  # create new SDEE connection
4
- sdee = SDEE.new(host: 'localhost', user: 'user', pass: 'pass')
4
+ poller = SDEE::Poller.new(host: '10.122.196.67', user: 'cisco', pass: 'MTD@c1sc0')
5
5
 
6
6
  # login and set subscriptionId, sessionId
7
- sdee.login
7
+ poller.login
8
8
 
9
9
  # print events every 1 second in JSON format
10
- sdee.poll_events 1
10
+ poller.poll_events 1
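Review bot: Line 4 of the new example ships what looks like a live credential pair and an internal sensor address (`host: '10.122.196.67', user: 'cisco', pass: 'MTD@c1sc0'`) in a file that the gemspec's `git ls-files` packages into every published copy of the gem. Even if this is a lab device, the password should be treated as exposed and rotated, and the example should not carry real values at all. The 0.0.5 version of this line used placeholders; restore that shape or read from the environment, e.g. `poller = SDEE::Poller.new(host: ENV['SDEE_HOST'], user: ENV['SDEE_USER'], pass: ENV['SDEE_PASS'])`.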
@@ -1,170 +1,7 @@
1
- require 'base64'
2
- require 'net/https'
3
- require 'uri'
4
- require 'nokogiri'
5
- require 'json'
1
+ require 'sdee/poller'
2
+ require 'sdee/alert'
6
3
 
7
- class Alert
8
- attr_accessor :event_id, :severity, :originator, :alert_time, :risk_rating,
9
- :protocol, :sig_id, :subsig_id, :sig_version, :sig_detail, :attacker,
10
- :targets, :attacker_locality, :target_locality, :attacker_port,
11
- :target_port, :threat_rating
12
-
13
- def initialize(xml_doc)
14
- @doc = xml_doc
15
-
16
- build_alert
17
- build_sig
18
- build_participants
19
- end
20
-
21
- def to_hash
22
- vars = {}
23
-
24
- instance_variables.reject {|var| var == :@doc }.each do |var|
25
- vars[var.to_s[1..-1]] = instance_variable_get(var)
26
- end
27
-
28
- vars
29
- end
30
-
31
- def to_json
32
- to_hash.to_json
33
- end
34
-
35
- private
36
-
37
- def build_alert
38
- @event_id = @doc.xpath('//sd:evIdsAlert').first.attribute('eventId').value
39
- @severity = @doc.xpath('//sd:evIdsAlert').first.attribute('severity').value
40
- @originator = @doc.xpath('//sd:originator').first.
41
- xpath('sd:hostId').first.text
42
- @alert_time = @doc.xpath('//sd:time').first.text
43
- @risk_rating = @doc.xpath('//cid:riskRatingValue').first.text
44
- @threat_rating = @doc.xpath('//cid:threatRatingValue').first.text
45
- @protocol = @doc.xpath('//cid:protocol').first.text
46
- end
47
-
48
- def build_sig
49
- sig = @doc.xpath('//sd:signature').first
50
-
51
- @sig_id = sig.attribute('id').value
52
- @sig_version = sig.attribute('version').value
53
- @subsig_id = sig.xpath('//cid:subsigId').first.text
54
-
55
- begin
56
- @sig_detail = sig.xpath('//cid:sigDetails').first.text
57
- rescue
58
- @sig_detail = sig.attribute('description').value
59
- end
60
- end
61
-
62
- def build_participants
63
- @targets = []
64
-
65
- attacker = @doc.xpath('//sd:attacker').first
66
- attacker_addr = attacker.xpath('//sd:addr').first
67
- @attacker_locality = attacker_addr.attribute('locality').value
68
- @attacker = attacker_addr.text
69
-
70
- begin
71
- @attacker_port = attacker.xpath('//sd:port').first.text
72
- rescue
73
- @attacker_port = '0'
74
- end
75
-
76
- target_list = @doc.xpath('//sd:target')
77
-
78
- target_list.each do |target|
79
- data = {}
80
-
81
- target_addr = target.xpath('//sd:addr').first
82
-
83
- data['target'] = target_addr.text
84
- data['target_locality'] = target_addr.attribute('locality').value
85
-
86
- begin
87
- data['target_port'] = target.xpath('//sd:port').first.text
88
- rescue
89
- data['target_port'] = '0'
90
- end
91
-
92
- @targets << data
93
- end
94
- end
95
- end
96
-
97
- class SDEE
98
- def initialize(options = {})
99
- @host = options[:host]
100
- @path = '/cgi-bin/sdee-server'
101
- @proto = 'https://'
102
-
103
- @creds = Base64.encode64("#{options[:user]}:#{options[:pass]}")
104
- end
105
-
106
- def login
107
- params = {
108
- action: 'open',
109
- events: 'evIdsAlert',
110
- force: 'yes'
111
- }
112
-
113
- response = request params
114
- doc = Nokogiri::XML(response.body)
115
-
116
- @session_id = doc.xpath('//env:Header').first.
117
- xpath('//sd:oobInfo').first.
118
- xpath('//sd:sessionId').first.text
119
-
120
- @subscription_id = doc.xpath('//env:Body').first.
121
- xpath('//sd:subscriptionId').first.text
122
-
123
- response
124
- end
125
-
126
- def poll_events(sleep_time=5)
127
- while true do
128
- get_events
129
- sleep sleep_time
130
- end
131
- end
132
-
133
- def get_events
134
- puts "Please login first" unless @subscription_id
135
-
136
- params = {
137
- action: 'get',
138
- confirm: 'yes',
139
- timeout: 1,
140
- maxNbrofEvents: 20,
141
- subscriptionId: @subscription_id,
142
- sessionId: @session_id
143
- }
144
-
145
- res = request params
146
- doc = Nokogiri::XML(res.body)
147
-
148
- xml_alerts = doc.xpath("//sd:evIdsAlert")
149
- hash_alerts = xml_alerts.collect {|x| Alert.new(x).to_hash }.uniq
150
-
151
- hash_alerts.each {|h| puts h.to_json }
152
-
153
- hash_alerts
154
- end
155
-
156
- def request(params)
157
- http = Net::HTTP.new(@host, 443)
158
- http.use_ssl = true
159
- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
160
- http.ssl_version = :SSLv3
161
-
162
- uri = URI(@proto + @host + @path)
163
- uri.query = URI.encode_www_form(params)
164
-
165
- req = Net::HTTP::Get.new(uri)
166
- req['Authorization'] = "BASIC #{@creds}"
167
-
168
- response = http.request(req)
4
+ module SDEE
5
+ class << self
169
6
  end
170
7
  end
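Review bot: The `class << self` block on lines 5-6 of the new file is empty, so it defines nothing and reads as a leftover scaffold; either drop it or leave a comment stating what module-level API is intended to live there. The same hunk turns the public `SDEE.new(...)` constructor of 0.0.5 into `SDEE::Poller.new(...)` with no alias, which breaks every existing caller on a patch-level version bump; a one-line shim such as `def self.new(*args) Poller.new(*args) end` inside that block, or at least a note in the README, would soften the change.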
@@ -0,0 +1,93 @@
1
+ require 'json'
2
+
3
+ module SDEE
4
+ class Alert
5
+ attr_accessor :event_id, :severity, :originator, :alert_time, :risk_rating,
6
+ :protocol, :sig_id, :subsig_id, :sig_version, :sig_detail, :attacker,
7
+ :targets, :attacker_locality, :target_locality, :attacker_port,
8
+ :target_port, :threat_rating
9
+
10
+ def initialize(xml_doc)
11
+ @alert_xml = xml_doc
12
+
13
+ build_alert
14
+ build_sig
15
+ build_participants
16
+ end
17
+
18
+ def to_hash
19
+ vars = {}
20
+
21
+ instance_variables.reject {|var| var == :@alert_xml }.each do |var|
22
+ vars[var.to_s[1..-1]] = instance_variable_get(var)
23
+ end
24
+
25
+ vars
26
+ end
27
+
28
+ def to_json
29
+ to_hash.to_json
30
+ end
31
+
32
+ private
33
+
34
+ def build_alert
35
+ @event_id = @alert_xml.attribute('eventId').value
36
+ @severity = @alert_xml.attribute('severity').value
37
+ @originator = @alert_xml.xpath('.//sd:originator').first.
38
+ xpath('sd:hostId').first.text
39
+ @alert_time = @alert_xml.xpath('.//sd:time').first.text
40
+ @risk_rating = @alert_xml.xpath('.//cid:riskRatingValue').first.text
41
+ @threat_rating = @alert_xml.xpath('.//cid:threatRatingValue').first.text
42
+ @protocol = @alert_xml.xpath('.//cid:protocol').first.text
43
+ end
44
+
45
+ def build_sig
46
+ sig = @alert_xml.xpath('.//sd:signature').first
47
+
48
+ @sig_id = sig.attribute('id').value
49
+ @sig_version = sig.attribute('version').value
50
+ @subsig_id = sig.xpath('.//cid:subsigId').first.text
51
+
52
+ begin
53
+ @sig_detail = sig.xpath('.//cid:sigDetails').first.text
54
+ rescue
55
+ @sig_detail = sig.attribute('description').value
56
+ end
57
+ end
58
+
59
+ def build_participants
60
+ @targets = []
61
+
62
+ attacker = @alert_xml.xpath('.//sd:attacker').first
63
+ attacker_addr = attacker.xpath('.//sd:addr').first
64
+ @attacker_locality = attacker_addr.attribute('locality').value
65
+ @attacker = attacker_addr.text
66
+
67
+ begin
68
+ @attacker_port = attacker.xpath('.//sd:port').first.text
69
+ rescue
70
+ @attacker_port = '0'
71
+ end
72
+
73
+ target_list = @alert_xml.xpath('.//sd:target')
74
+
75
+ target_list.each do |target|
76
+ data = {}
77
+
78
+ target_addr = target.xpath('.//sd:addr').first
79
+
80
+ data['target'] = target_addr.text
81
+ data['target_locality'] = target_addr.attribute('locality').value
82
+
83
+ begin
84
+ data['target_port'] = target.xpath('.//sd:port').first.text
85
+ rescue
86
+ data['target_port'] = '0'
87
+ end
88
+
89
+ @targets << data
90
+ end
91
+ end
92
+ end
93
+ end
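Review bot: The three bare `rescue` clauses (lines 52-56, 67-71 and 83-87) catch every StandardError to handle the case where an optional element is missing, which also hides genuine parser faults and any TypeError/NameError introduced later; replace them with an explicit nil check, e.g. `detail = sig.at_xpath('.//cid:sigDetails')` followed by `@sig_detail = detail ? detail.text : sig.attribute('description').value`, and the same shape for the two port lookups. The unconditional `.first.text` / `.first.attribute(...)` chains in build_alert and build_participants (lines 37-42, 63-65, 78-81) have no such guard, so a single alert from the sensor that lacks one of those elements raises NoMethodError out of the polling loop; the input here is remote device output and should be treated as untrusted for shape. `to_json` on line 28 also takes no arguments, so `JSON.generate` or a surrounding `to_json` call that passes a generator state will fail with an ArgumentError; `def to_json(*args) to_hash.to_json(*args) end` keeps nesting working.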
@@ -0,0 +1,82 @@
1
+ require 'json'
2
+ require 'uri'
3
+ require 'net/https'
4
+ require 'base64'
5
+ require 'nokogiri'
6
+
7
+ module SDEE
8
+ class Poller
9
+ def initialize(options = {})
10
+ @host = options[:host]
11
+ @path = '/cgi-bin/sdee-server'
12
+ @proto = 'https://'
13
+
14
+ @creds = Base64.encode64("#{options[:user]}:#{options[:pass]}")
15
+ end
16
+
17
+ def login
18
+ params = {
19
+ action: 'open',
20
+ events: 'evIdsAlert',
21
+ force: 'yes'
22
+ }
23
+
24
+ response = request params
25
+ doc = Nokogiri::XML(response.body)
26
+
27
+ @session_id = doc.xpath('//env:Header').first.
28
+ xpath('//sd:oobInfo').first.
29
+ xpath('//sd:sessionId').first.text
30
+
31
+ @subscription_id = doc.xpath('//env:Body').first.
32
+ xpath('//sd:subscriptionId').first.text
33
+
34
+ response
35
+ end
36
+
37
+ def poll_events(sleep_time=5)
38
+ while true do
39
+ get_events
40
+ sleep sleep_time
41
+ end
42
+ end
43
+
44
+ def get_events
45
+ puts "Please login first" unless @subscription_id
46
+
47
+ params = {
48
+ action: 'get',
49
+ confirm: 'yes',
50
+ timeout: 1,
51
+ maxNbrofEvents: 20,
52
+ subscriptionId: @subscription_id,
53
+ sessionId: @session_id
54
+ }
55
+
56
+ res = request params
57
+ doc = Nokogiri::XML(res.body)
58
+
59
+ xml_alerts = doc.xpath("//sd:evIdsAlert")
60
+ hash_alerts = xml_alerts.collect {|x| Alert.new(x.to_s).to_hash }.uniq
61
+
62
+ hash_alerts.each {|h| puts h.to_json }
63
+
64
+ hash_alerts
65
+ end
66
+
67
+ def request(params)
68
+ http = Net::HTTP.new(@host, 443)
69
+ http.use_ssl = true
70
+ http.verify_mode = OpenSSL::SSL::VERIFY_NONE
71
+ http.ssl_version = :SSLv3
72
+
73
+ uri = URI(@proto + @host + @path)
74
+ uri.query = URI.encode_www_form(params)
75
+
76
+ req = Net::HTTP::Get.new(uri)
77
+ req['Authorization'] = "BASIC #{@creds}"
78
+
79
+ http.request(req)
80
+ end
81
+ end
82
+ end
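Review bot: Lines 70-71 of `request` set `OpenSSL::SSL::VERIFY_NONE` and pin the connection to `:SSLv3`, so the Basic-auth credentials placed on the request at line 77 are sent to whichever host answers for `@host` without any certificate check, and on OpenSSL builds that have SSLv3 compiled out the client cannot connect at all. Verify the peer by default and let callers pass a `ca_file:` for sensors with self-signed certificates rather than turning validation off globally; `req.basic_auth` also replaces the hand-built header, whose `Base64.encode64` output (line 14) carries a trailing newline and a line break every 60 characters. Separately, line 60 hands `Alert.new` a String (`x.to_s`) while `SDEE::Alert` calls `attribute` and `xpath` on the argument and the spec passes the Nokogiri node, so the first alert actually received raises NoMethodError; pass `x` through unchanged. The sketch below covers the credential and TLS handling in `initialize` and `request`.
```ruby
    def initialize(options = {})
      @host = options[:host]
      @path = '/cgi-bin/sdee-server'
      @proto = 'https://'
      # Keep the raw pair for Net::HTTP#basic_auth; an optional CA bundle
      # lets self-signed sensor certificates be trusted explicitly.
      @user = options[:user]
      @pass = options[:pass]
      @ca_file = options[:ca_file]
    end

    # … unchanged: login, poll_events, get_events (use Alert.new(x), not x.to_s) …

    def request(params)
      http = Net::HTTP.new(@host, 443)
      http.use_ssl = true
      # Validate the sensor certificate; let OpenSSL negotiate the protocol.
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      http.ca_file = @ca_file if @ca_file

      uri = URI(@proto + @host + @path)
      uri.query = URI.encode_www_form(params)

      req = Net::HTTP::Get.new(uri)
      req.basic_auth(@user, @pass)

      http.request(req)
    end
```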
@@ -0,0 +1,14 @@
1
+ Gem::Specification.new do |s|
2
+ s.name = 'sdee'
3
+ s.version = '0.0.6'
4
+ s.summary = 'Simple Ruby SDEE Poller'
5
+ s.description = 'Secure Device Event Exchange (SDEE) is a simple HTTP-based protocol used by security appliances to exchange events and alerts. Results are returned in XML. This is a very bare-bones ruby implementation to get SDEE events from a Cisco IPS in JSON format.'
6
+ s.authors = ['Jamil Bou Kheir']
7
+ s.email = 'jamil@elbii.com'
8
+ s.files = `git ls-files`.split("\n")
9
+ s.homepage = 'https://github.com/elbii/ruby-sdee'
10
+ s.license = 'MIT'
11
+ s.add_runtime_dependency 'nokogiri', '~> 1.5.0', '>= 1.5.0'
12
+ s.add_runtime_dependency 'json'
13
+ s.add_development_dependency 'rspec'
14
+ end
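Review bot: Line 10 declares `s.license = 'MIT'`, but the LICENSE file added in this same release is the GPL v2 text with a GPL notice naming "Simple ruby SDEE poller, Copyright (C) 2013 Elbii", so the metadata that license scanners and downstream consumers read contradicts the licence actually shipped; pick one and make the other match (`s.license = 'GPL-2.0'` if the LICENSE file is authoritative). The `nokogiri '~> 1.5.0'` constraint on line 11 locks consumers to the 1.5 series, so fixes released in any later series can never be picked up by this gem's users; `'~> 1.5'` keeps the lower bound while allowing them. The committed Gemfile.lock still records `sdee (0.0.5)` against this 0.0.6 gemspec and will be rewritten on the next `bundle install`.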
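--- a/spec/alert_spec.rb
+++ b/spec/alert_spec.rb
@@ -0,0 +1,157 @@
+require 'sdee'
+
+describe SDEE::Alert do
+before :all do
+@doc = Nokogiri::XML(File.open('./spec/data/sample.xml'))
+end
+
+context 'first alert' do
+before :all do
+alert_xml = @doc.xpath('//sd:evIdsAlert').first
+@alert = SDEE::Alert.new(alert_xml)
+end
+
+it 'should parse event_id' do
+@alert.event_id.should eq '6823242457034'
+end
+
+it 'should parse severity' do
+@alert.severity.should eq 'informational'
+end
+
+it 'should parse originator' do
+@alert.originator.should eq 'sample_host'
+end
+
+it 'should parse alert_time' do
+@alert.alert_time.should eq '1385965224300024000'
+end
+
+it 'should parse risk_rating' do
+@alert.risk_rating.should eq '15'
+end
+
+it 'should parse protocol' do
+@alert.protocol.should eq 'IP protocol 0'
+end
+
+it 'should parse sig_id' do
+@alert.sig_id.should eq '1208'
+end
+
+it 'should parse subsig_id' do
+@alert.subsig_id.should eq '0'
+end
+
+it 'should parse sig_version' do
+@alert.sig_version.should eq 'S212'
+end
+
+it 'should parse sig_detail' do
+@alert.sig_detail.should eq 'Fragmented IP Datagram with fragments missing'
+end
+
+it 'should parse attacker' do
+@alert.attacker.should eq '0.0.0.0'
+end
+
+it 'should parse targets' do
+@alert.targets.first['target'].should include '0.0.0.0'
+end
+
+it 'should parse attacker_locality' do
+@alert.attacker_locality.should eq 'OUT'
+end
+
+it 'should parse target_locality' do
+@alert.targets.first['target_locality'].should eq 'OUT'
+end
+
+it 'should parse attacker_port' do
+@alert.attacker_port.should eq '0'
+end
+
+it 'should parse target_port' do
+@alert.targets.first['target_port'].should eq '0'
+end
+
+it 'should parse threat_rating' do
+@alert.threat_rating.should eq '15'
+end
+end
+
+context 'second alert' do
+before :all do
+alert_xml = @doc.xpath('//sd:evIdsAlert').last
+@alert = SDEE::Alert.new(alert_xml)
+end
+
+it 'should parse event_id' do
+@alert.event_id.should eq '6823242457036'
+end
+
+it 'should parse severity' do
+@alert.severity.should eq 'high'
+end
+
+it 'should parse originator' do
+@alert.originator.should eq 'sample_host'
+end
+
+it 'should parse alert_time' do
+@alert.alert_time.should eq '1385965230914381000'
+end
+
+it 'should parse risk_rating' do
+@alert.risk_rating.should eq '100'
+end
+
+it 'should parse protocol' do
+@alert.protocol.should eq 'tcp'
+end
+
+it 'should parse sig_id' do
+@alert.sig_id.should eq '3250'
+end
+
+it 'should parse subsig_id' do
+@alert.subsig_id.should eq '0'
+end
+
+it 'should parse sig_version' do
+@alert.sig_version.should eq 'S739'
+end
+
+it 'should parse sig_detail' do
+@alert.sig_detail.should eq 'TCP Hijack'
+end
+
+it 'should parse attacker' do
+@alert.attacker.should eq '10.0.0.2'
+end
+
+it 'should parse targets' do
+@alert.targets.first['target'].should eq '10.1.0.8'
+end
+
+it 'should parse attacker_locality' do
+@alert.attacker_locality.should eq 'OUT'
+end
+
+it 'should parse target_locality' do
+@alert.targets.first['target_locality'].should eq 'OUT'
+end
+
+it 'should parse attacker_port' do
+@alert.attacker_port.should eq '59433'
+end
+
+it 'should parse target_port' do
+@alert.targets.first['target_port'].should eq '443'
+end
+
+it 'should parse threat_rating' do
+@alert.threat_rating.should eq '100'
+end
+end
+end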
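Review bot: The `before :all` hook on line 4 leaks the handle returned by `File.open('./spec/data/sample.xml')` and resolves the path against the working directory, so the suite only runs from the repository root; `@doc = File.open(File.expand_path('data/sample.xml', File.dirname(__FILE__))) { |f| Nokogiri::XML(f) }` closes the file and anchors the path to the spec. Both contexts pass `SDEE::Alert.new` a `Nokogiri::XML::Element`, while `get_events` in the poller (visible earlier on this page) calls `Alert.new(x.to_s)` with a string; only the string form is what production exercises, so one example built from `alert_xml.to_s` would keep the two paths from drifting — whether the constructor accepts both cannot be seen from here. The `.should` matcher syntax used throughout emits deprecation warnings from RSpec 3 on and the gemspec's `rspec` development dependency is unconstrained, so either pin `rspec` to `'~> 2.14'` or switch to `expect(...).to eq(...)`.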
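--- a/spec/data/sample.xml
+++ b/spec/data/sample.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<env:Envelope xmlns="http://www.cisco.com/cids/2006/08/cidee" xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:sd="http://example.org/2003/08/sdee" xmlns:cid="http://www.cisco.com/cids/2006/08/cidee">
+<env:Header>
+<sd:oobInfo>
+<sd:sessionId>5e5885fc07977bd48ea352344c7230de</sd:sessionId>
+</sd:oobInfo>
+</env:Header>
+<env:Body>
+<sd:events>
+<sd:evIdsAlert eventId="6823242457034" vendor="Cisco" severity="informational">
+<sd:originator>
+<sd:hostId>sample_host</sd:hostId>
+<cid:appName>sensorApp</cid:appName>
+<cid:appInstanceId>27807</cid:appInstanceId>
+</sd:originator>
+<sd:time offset="0" timeZone="UTC">1385965224300024000</sd:time>
+<sd:signature description="IP Fragment Incomplete Datagram" id="1208" cid:version="S212" cid:type="anomaly" cid:created="20030801">
+<cid:subsigId>0</cid:subsigId>
+<cid:sigDetails>Fragmented IP Datagram with fragments missing</cid:sigDetails>
+</sd:signature>
+<sd:interfaceGroup>vs0</sd:interfaceGroup>
+<sd:vlan>0</sd:vlan>
+<sd:participants>
+<sd:attacker>
+<sd:addr cid:locality="OUT">0.0.0.0</sd:addr>
+</sd:attacker>
+<sd:target>
+<sd:addr cid:locality="OUT">0.0.0.0</sd:addr>
+<cid:os idSource="unknown" type="unknown" relevance="unknown"/>
+</sd:target>
+</sd:participants>
+<sd:actions>
+<cid:denyPacketRequestedNotPerformed>true</cid:denyPacketRequestedNotPerformed>
+</sd:actions>
+<cid:riskRatingValue targetValueRating="medium">15</cid:riskRatingValue>
+<cid:threatRatingValue>15</cid:threatRatingValue>
+<cid:interface>Unknown</cid:interface>
+<cid:protocol>IP protocol 0</cid:protocol>
+</sd:evIdsAlert>
+<evStatus eventId="6823242457035" vendor="Cisco">
+<originator>
+<hostId>sample_host</hostId>
+<appName>cidwebserver</appName>
+<appInstanceId>27425</appInstanceId>
+</originator>
+<time offset="0" timeZone="UTC">1385965228211631000</time>
+<loginAction action="loggedIn">
+<description>User logged into HTTP server</description>
+<userName>admin</userName>
+<userAddress port="59344">192.168.1.1</userAddress>
+</loginAction>
+</evStatus>
+<sd:evIdsAlert eventId="6823242457036" vendor="Cisco" severity="high" cid:alarmTraits="32768">
+<sd:originator>
+<sd:hostId>sample_host</sd:hostId>
+<cid:appName>sensorApp</cid:appName>
+<cid:appInstanceId>27807</cid:appInstanceId>
+</sd:originator>
+<sd:time offset="0" timeZone="UTC">1385965230914381000</sd:time>
+<sd:signature description="TCP Hijack" id="3250" cid:version="S739" cid:type="anomaly" cid:created="20010202">
+<cid:subsigId>0</cid:subsigId>
+<cid:sigDetails>TCP Hijack</cid:sigDetails>
+</sd:signature>
+<sd:interfaceGroup>vs0</sd:interfaceGroup>
+<sd:vlan>0</sd:vlan>
+<sd:participants>
+<sd:attacker>
+<sd:addr cid:locality="OUT">10.0.0.2</sd:addr>
+<sd:port>59433</sd:port>
+</sd:attacker>
+<sd:target>
+<sd:addr cid:locality="OUT">10.1.0.8</sd:addr>
+<sd:port>443</sd:port>
+<cid:os idSource="unknown" type="unknown" relevance="relevant"/>
+</sd:target>
+</sd:participants>
+<sd:actions>
+<cid:denyPacketRequestedNotPerformed>true</cid:denyPacketRequestedNotPerformed>
+</sd:actions>
+<cid:riskRatingValue targetValueRating="medium" attackRelevanceRating="relevant">100</cid:riskRatingValue>
+<cid:threatRatingValue>100</cid:threatRatingValue>
+<cid:interface>te0_0</cid:interface>
+<cid:protocol>tcp</cid:protocol>
+</sd:evIdsAlert>
+</sd:events>
+</env:Body>
+</env:Envelope>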
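--- a/spec/poller_spec.rb
+++ b/spec/poller_spec.rb
@@ -0,0 +1,7 @@
+require 'sdee'
+
+describe SDEE::Poller do
+it 'should eval' do
+SDEE::Poller.should_not be_nil
+end
+end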
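Review bot: The single example `SDEE::Poller.should_not be_nil` only checks that the constant is defined, so none of the poller's behaviour is covered; in particular `request` (in the poller hunk earlier on this page) sets `verify_mode = OpenSSL::SSL::VERIFY_NONE` and `ssl_version = :SSLv3`, which disables certificate verification of the IPS, and this spec is where the intended `verify_mode` (normally `OpenSSL::SSL::VERIFY_PEER`) and protocol version should be asserted so the setting cannot regress silently. As written, `request` builds its `Net::HTTP` object internally, so observing those settings means either extracting the connection setup into a method the spec can call or stubbing `Net::HTTP.new` with a double — a change outside this hunk. A second cheap example is `get_events` before login, which currently prints `Please login first` and then still issues the request with a `nil` `subscriptionId`; the spec is where that contract (raise, or return early) should be decided and pinned.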
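--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: sdee
 version: !ruby/object:Gem::Version
-version: 0.0.5
+version: 0.0.6
 platform: ruby
 authors:
 - Jamil Bou Kheir
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-09-24 00:00:00.000000000 Z
+date: 2013-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: nokogiri
@@ -30,6 +30,34 @@ dependencies:
 - - '>='
 - !ruby/object:Gem::Version
 version: 1.5.0
+- !ruby/object:Gem::Dependency
+name: json
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :runtime
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+- !ruby/object:Gem::Dependency
+name: rspec
+requirement: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
+type: :development
+prerelease: false
+version_requirements: !ruby/object:Gem::Requirement
+requirements:
+- - '>='
+- !ruby/object:Gem::Version
+version: '0'
 description: Secure Device Event Exchange (SDEE) is a simple HTTP-based protocol used
 by security appliances to exchange events and alerts. Results are returned in XML.
 This is a very bare-bones ruby implementation to get SDEE events from a Cisco IPS
@@ -39,11 +67,23 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- examples/simple.rb
 - lib/sdee.rb
-- example.rb
+- lib/sdee/alert.rb
+- lib/sdee/poller.rb
+- sdee.gemspec
+- spec/alert_spec.rb
+- spec/data/sample.xml
+- spec/poller_spec.rb
 homepage: https://github.com/elbii/ruby-sdee
 licenses:
-- GPL-2
+- MIT
 metadata: {}
 post_install_message:
 rdoc_options: []
@@ -61,7 +101,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 version: '0'
 requirements: []
 rubyforge_project:
-rubygems_version: 2.1.3
+rubygems_version: 2.1.11
 signing_key:
 specification_version: 4
 summary: Simple Ruby SDEE Poller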