siteguard_lite-log-parser 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
checksums.yaml ADDED
@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: 201cdadcf28bec2479fd6d3061b6a9029ffccf9d87c26052340084f008f3ffd3
4
+ data.tar.gz: b8084f5ae96fe77ff97d9086aa50ebfb4a978f549a3eb7e811c924f383f0bfa9
5
+ SHA512:
6
+ metadata.gz: 51e3881e30fbc03048081b002f71ee7c4ed009aebb451f8f6ebe905d593dcc2b5f64b491666d6065997a3ebd4cee1185aa80c191b1cba3a6b8d114b15362869d
7
+ data.tar.gz: '0988616d61a22ded28f65ec9d3a270337db73e6291fc6791de62f70d18966534ad7df914564c1bf187001c5d1542c92ec421ff3bc0da140cd45cffad7bb7b985'
data/.gitignore ADDED
@@ -0,0 +1,12 @@
1
+ /Gemfile.lock
2
+ /.bundle/
3
+ /.yardoc
4
+ /_yardoc/
5
+ /coverage/
6
+ /doc/
7
+ /pkg/
8
+ /spec/reports/
9
+ /tmp/
10
+
11
+ # rspec failure tracking
12
+ .rspec_status
data/.rspec ADDED
@@ -0,0 +1,3 @@
1
+ --format documentation
2
+ --color
3
+ --require spec_helper
data/.travis.yml ADDED
@@ -0,0 +1,5 @@
1
+ sudo: false
2
+ language: ruby
3
+ rvm:
4
+ - 2.5.1
5
+ before_install: gem install bundler -v 1.16.1
data/Gemfile ADDED
@@ -0,0 +1,6 @@
1
+ source "https://rubygems.org"
2
+
3
+ git_source(:github) {|repo_name| "https://github.com/#{repo_name}" }
4
+
5
+ # Specify your gem's dependencies in siteguard_lite-log-parser.gemspec
6
+ gemspec
data/LICENSE.txt ADDED
@@ -0,0 +1,21 @@
1
+ The MIT License (MIT)
2
+
3
+ Copyright (c) 2018 GMO Pepabo, Inc.
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in
13
+ all copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
21
+ THE SOFTWARE.
data/README.md ADDED
@@ -0,0 +1,106 @@
1
+ # SiteguardLite::Log::Parser
2
+
3
+ A log parser for SiteGuard Lite WAF.
4
+
5
+ ## Installation
6
+
7
+ Add this line to your application's Gemfile:
8
+
9
+ ```ruby
10
+ gem 'siteguard_lite-log-parser'
11
+ ```
12
+
13
+ And then execute:
14
+
15
+ $ bundle
16
+
17
+ Or install it yourself as:
18
+
19
+ $ gem install siteguard_lite-log-parser
20
+
21
+ ## Usage
22
+
23
+ ```ruby
24
+ require 'siteguard_lite/log/parser'
25
+
26
+ parser = SiteguardLiteLogParser.new(log_type)
27
+ log = parser.parse(log_str)
28
+ ```
29
+
30
+ The supported log types are following.
31
+
32
+ - `detect`: Parse a `detect.log` format string
33
+
34
+ The `new` function accepts a optional hash with following keys.
35
+
36
+ - `leading_time`: A time string at the beginning of the line (optional, default: `false`)
37
+ - SiteGuard Liteの管理画面からダウンロードしたログファイルには行頭に`YYYY-MM-DD hh:mm:ss : `という形式の日時文字列が付いているので、このオプションが必要です。
38
+
39
+ ### detect.log
40
+
41
+ The parse result have the following keys.
42
+
43
+ - `time`: クライアントから接続された時刻です。`YYYY-MM-DD hh:mm:ss`形式で表示します。(optional)
44
+ - `time_epoch`: クライアントから接続された時刻です。エポックタイム (1970/01/01 00:00:00(UTC)) からの秒数をミリ秒単位で表示します。
45
+ - `conn_time`: クライアントとの接続時間をミリ秒単位で表示します。
46
+ - `client_ip`: クライアントの IP アドレスを表示します。
47
+ - `file_size`: 転送したファイルのサイズです。
48
+ - `http_method`: HTTP の要求メソッド (GET, POST 等) です。
49
+ - `url`: 接続先の URL です。
50
+ - `hierarchy_code`: "DIRECT/本製品をインストールしているサーバーの IP アドレス" を表示します。
51
+ - `content_type`: 送受信するファイルの Content-Type を表示します。利用できない場合は "-" となります。
52
+ - `detect_stat`: 検出情報。`DETECT-STAT:WAF:[detect_name]::[detect_str]:[detect_str_all]:`を表示します。
53
+ - `detect_name`: 検出名。以下のいずれかです。
54
+ - シグネチャ検査: `RULE_SIG/[rule_sig_part]/[rule_sig_name]/[rule_sig_file]/[rule_sig_id]/[rule_sig_signature_name]`
55
+ - `detect_name_rule`: RULE_SIG
56
+ - `rule_sig_part`: 検出箇所
57
+ - `rule_sig_name`: 名前。パラメータ変数、ヘッダフィールド名を表示します。
58
+ - `rule_sig_file`: シグネチャファイル。OFFICIAL(トラステッド・シグネチャ)、CUSTOM(カスタム・シグネチャ) のいずれかです。
59
+ - `rule_sig_id`: シグネチャID
60
+ - `rule_sig_signature_name`: シグネチャ名
61
+ - フィルタ: `WAF_FILTER/[IP アドレス]` **(NOT SUPPORTED)**
62
+ - URL デコードエラー: `RULE_URLDECODE/[検出箇所]/[名前]` **(NOT SUPPORTED)**
63
+ - パラメータ数の上限値の制限: `RULE_PARAMS_NUM/[rule_params_num_part/[rule_params_num_threshold]`
64
+ - `detect_name_rule`: RULE_PARAMS_NUM
65
+ - `rule_params_num_part`: 検出箇所
66
+ - `rule_params_num_threshold`: パラメータ数の上限値
67
+ - `detect_str`: 検出文字列
68
+ - `detect_str_all`: 検出文字列(全体)
69
+ - `action`: 動作。`ACTION:[action_str]:`を表示します。
70
+ - `action_str`: 動作。MONITOR, BLOCK, FILTERのいずれかです。
71
+ - `judge`: `JUDGE:[judge_str]:[monitor_url]:`を表示します。
72
+ - `judge_str`: 判定。MONITOR, BLOCK, FILTERのいずれかです。
73
+ - `monitor_url`: 監視 URL の設定。0(監視 URL に該当しない)、1(監視 URL に該当する)のいずれかです。
74
+ - `search_key`: 検索キー。`SEARCH-KEY:[search_key_time_epock.seach_key_nginx_request_id]:`を表示します。
75
+ - `search_key_time_epoch`: 時刻(エポックタイム)
76
+ - `search_key_nginx_request_id`: nginx リクエスト ID
77
+
78
+ ## siteguard_lite-log
79
+
80
+ The command line tool to parse logs. This tool output as LTSV format.
81
+
82
+ ```
83
+ cat detect.log | siteguard_lite-log
84
+ ```
85
+
86
+ Usage:
87
+ ```
88
+ $ siteguard_lite-log --help
89
+ Usage: siteguard_lite-log [options]
90
+ --type VAL Specify log type. (default: detect)
91
+ --leading-time The log have the time string at heading of the line
92
+ ```
93
+
94
+ ## Development
95
+
96
+ After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
97
+
98
+ To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
99
+
100
+ ## Contributing
101
+
102
+ Bug reports and pull requests are welcome on GitHub at https://github.com/pepabo/siteguard_lite-log-parser.
103
+
104
+ ## License
105
+
106
+ The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
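Review bot: the `search_key` bullet at hunk line 74 documents the key as `SEARCH-KEY:[search_key_time_epock.seach_key_nginx_request_id]:`, with two misspellings; the sub-bullets on lines 75-76 and the capture names the parser actually emits are `search_key_time_epoch` and `search_key_nginx_request_id`, so the placeholder text should match them. Line 63 is missing a closing bracket: `RULE_PARAMS_NUM/[rule_params_num_part/[rule_params_num_threshold]` should read `RULE_PARAMS_NUM/[rule_params_num_part]/[rule_params_num_threshold]`. Two behaviours a consumer needs are undocumented: the options hash that line 34 mentions never appears in the usage snippet at lines 23-28 (e.g. `SiteguardLiteLogParser.new('detect', leading_time: true)`), and nothing says that `parse` returns an empty hash rather than raising when a line does not match the expected format, which matters for anyone feeding the output to a SIEM. Minor grammar: line 34 "accepts a optional hash with following keys", line 41 "The parse result have", line 80 "This tool output as LTSV format". The per-field descriptions from line 43 onward are in Japanese while the rest of the README is English; an English rendering of each bullet would help users reading the LTSV keys.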
data/Rakefile ADDED
@@ -0,0 +1,6 @@
1
+ require "bundler/gem_tasks"
2
+ require "rspec/core/rake_task"
3
+
4
+ RSpec::Core::RakeTask.new(:spec)
5
+
6
+ task :default => :spec
data/bin/console ADDED
@@ -0,0 +1,14 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require "bundler/setup"
4
+ require "siteguard_lite/log/parser"
5
+
6
+ # You can add fixtures and/or initialization code here to make experimenting
7
+ # with your gem easier. You can also use a different console, if you like.
8
+
9
+ # (If you use this, don't forget to add pry to your Gemfile!)
10
+ # require "pry"
11
+ # Pry.start
12
+
13
+ require "irb"
14
+ IRB.start(__FILE__)
data/bin/setup ADDED
@@ -0,0 +1,8 @@
1
+ #!/usr/bin/env bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+ set -vx
5
+
6
+ bundle install
7
+
8
+ # Do any other automated setup that you need to do here
@@ -0,0 +1,22 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require 'optparse'
4
+ require 'siteguard_lite/log/cli'
5
+ require 'siteguard_lite/log/parser'
6
+
7
+ options = {
8
+ type: 'detect',
9
+ format: 'ltsv',
10
+ leading_time: false,
11
+ }
12
+
13
+ opt = OptionParser.new
14
+ opt.on('--type VAL', 'Specify log type. (default: detect)') { |v|
15
+ options[:type] = v
16
+ }
17
+ opt.on('--leading-time', 'The log have the time string at heading of the line') { |v|
18
+ options[:leading_time] = true
19
+ }
20
+ opt.parse!(ARGV)
21
+
22
+ SiteguardLite::Log::CLI.new(options).run
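Review bot: the `format: 'ltsv'` default at hunk line 9 is dead configuration, because no `--format` switch is registered on the `OptionParser` at lines 13-19; the only reachable branch of `CLI#format` is `'ltsv'`, so either add `opt.on('--format VAL', ...)` or drop the key together with the `ArgumentError` branch in the CLI class. `opt.parse!(ARGV)` at line 20 also lets `OptionParser::InvalidOption` escape as a stack trace on an unknown flag; rescuing `OptionParser::ParseError`, printing `opt.help` to STDERR and exiting non-zero is the usual pattern. The help string at line 17, "The log have the time string at heading of the line", should read "The log lines start with a time string". Note also that this hunk carries no file header in the diff; the `files:` list in the metadata identifies it as `exe/siteguard_lite-log`.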
@@ -0,0 +1,31 @@
1
+ module SiteguardLite
2
+ module Log
3
+ class CLI
4
+ def initialize(options)
5
+ @type = options.delete(:type)
6
+ @format = options.delete(:format)
7
+ @parser = SiteguardLiteLogParser.new(@type, options)
8
+ end
9
+
10
+ def run
11
+ while line = STDIN.gets
12
+ line.chomp!
13
+ result = @parser.parse(line)
14
+ puts format(result)
15
+ end
16
+ end
17
+
18
+ private
19
+
20
+ def format(h)
21
+ case @format
22
+ when 'ltsv'
23
+ require 'ltsv'
24
+ LTSV.dump(h)
25
+ else
26
+ raise ArgumentError, "Unexpected output format: #{@format}"
27
+ end
28
+ end
29
+ end
30
+ end
31
+ end
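Review bot: the read loop at hunk lines 11-15 aborts on hostile input. `STDIN.gets` returns strings in the default external encoding (UTF-8 on most systems), and regex matching a string with an invalid byte sequence raises `ArgumentError: invalid byte sequence in UTF-8` inside `Detect#parse`; a WAF detect log carries attacker-controlled request data in the URL and detected-string fields, so a single request containing a raw high byte kills the whole run. Apply `line.scrub` (or read STDIN as binary) before parsing. Separately, `@parser.parse(line)` at line 13 returns `{}` for any line the pattern does not match, so `puts format(result)` at line 14 emits a blank record and the event silently disappears with exit status 0; for a log feeding detection tooling that is a blind spot, so at least write the unparsed raw line to STDERR, count the failures and exit non-zero when any occurred. Two smaller points: `require 'ltsv'` at line 23 runs on every line and belongs at the top of the file, and `def format(h)` at line 20 shadows `Kernel#format`; `format_record` avoids the confusion.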
@@ -0,0 +1,69 @@
1
+ module SiteguardLite
2
+ module Log
3
+ class Detect
4
+ TIME = '(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})'.freeze
5
+ TIME_EPOCH = '(?<time_epoch>\d+\.\d+)'.freeze
6
+ CONN_TIME = '(?<conn_time>\d+)'.freeze
7
+ CLIENT_IP = '(?<client_ip>[\da-f.:]+)'.freeze
8
+ RESULT = 'TCP_MISS\/000'.freeze
9
+ FILE_SIZE = '(?<file_size>\d+)'.freeze
10
+ HTTP_METHOD = '(?<http_method>[A-Z]+)'.freeze
11
+ URL = '(?<url>[^\s]+)'.freeze
12
+ USER = '-'.freeze
13
+ HIERARCHY_CODE = '(?<hierarchy_code>[^\s]+)'.freeze
14
+ CONTENT_TYPE = '(?<content_type>[^\s]+)'.freeze
15
+
16
+ RULE_SIG = '(?<detect_name_rule>RULE_SIG)\/(?<rule_sig_part>[^\/]+)\/(?<rule_sig_name>[^\/]+)\/(?<rule_sig_file>(?:OFFICIAL|CUSTOM))\/(?<rule_sig_id>[^\/]+)\/(?<rule_sig_signature_name>[\w\d-]+)'.freeze
17
+ WAF_FILTER = '(?<detect_name_rule>WAF_FILTER)'.freeze
18
+ RULE_URLDECODE = '(?<detect_name_rule>RULE_URLDECODE)'.freeze
19
+ RULE_PARAMS_NUM = '(?<detect_name_rule>RULE_PARAMS_NUM)\/(?<rule_params_num_part>[^\/]+)\/(?<rule_params_num_threshold>\d+)'.freeze
20
+ DETECT_NAME = "(?<detect_name>(?:#{RULE_SIG}|#{WAF_FILTER}|#{RULE_URLDECODE}|#{RULE_PARAMS_NUM}))".freeze
21
+ DETECT_STAT = "(?<detect_stat>DETECT-STAT:WAF:#{DETECT_NAME}::(?<detect_str>[^:]*):(?<detect_str_all>[^:]+):)".freeze
22
+
23
+ ACTION = '(?<action>ACTION:(?<action_str>[A-Z]+):)'.freeze
24
+ JUDGE = '(?<judge>JUDGE:(?<judge_str>[A-Z]+):(?<monitor_url>0|1):)'.freeze
25
+ SEARCH_KEY = '(?<search_key>SEARCH-KEY:(?<search_key_time_epoch>\d+\.\d+)\.(?<search_key_nginx_request_id>[^:]+):)'.freeze
26
+
27
+ def initialize(leading_time: false)
28
+ @leading_time = leading_time
29
+ end
30
+
31
+ def parse(line_str)
32
+ if m = line_str.match(pattern)
33
+ m.named_captures
34
+ else
35
+ {}
36
+ end
37
+ end
38
+
39
+ private
40
+
41
+ def pattern
42
+ @pattern ||= if @leading_time
43
+ /\A#{TIME} : #{pattern_parts.join('\s+')}/
44
+ else
45
+ /\A#{pattern_parts.join('\s+')}/
46
+ end
47
+ end
48
+
49
+ def pattern_parts
50
+ [
51
+ TIME_EPOCH,
52
+ CONN_TIME,
53
+ CLIENT_IP,
54
+ RESULT,
55
+ FILE_SIZE,
56
+ HTTP_METHOD,
57
+ URL,
58
+ USER,
59
+ HIERARCHY_CODE,
60
+ CONTENT_TYPE,
61
+ DETECT_STAT,
62
+ ACTION,
63
+ JUDGE,
64
+ SEARCH_KEY,
65
+ ]
66
+ end
67
+ end
68
+ end
69
+ end
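Review bot: the `DETECT_STAT` pattern at hunk line 21 delimits `detect_str` and `detect_str_all` with `[^:]*` and `[^:]+`, but those two fields hold the attacker's payload; any detected string containing a colon (a `javascript:` prefix, an `http://` in an injected parameter, a `::` in an IPv6 literal) shifts the colon-delimited captures, the remainder of the pattern fails, and `parse` returns `{}` at lines 34-35, so precisely the events worth reading are the ones most likely to be dropped. Match those fields up to the fixed marker that follows them (for example non-greedily up to `:\s+ACTION:`) and add specs whose payloads contain colons. Related fragility: `RESULT = 'TCP_MISS\/000'` at line 8 and `USER = '-'` at line 12 are hard-coded with no capture, so a line with any other result code is rejected outright, and `rule_sig_signature_name` at line 16 is restricted to `[\w\d-]+` (the `\d` is redundant inside `\w`), which rejects a signature name containing `.` or any other punctuation; unless the vendor format guarantees those character sets, `[^\/:]+` with tests against real samples is safer. Finally, the patterns at lines 43 and 45 anchor with `\A` but not `\z`, so trailing data after `SEARCH-KEY:...:` is accepted silently; if that is intended leniency, say so in a comment.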
@@ -0,0 +1,10 @@
1
+ require "siteguard_lite/log/parser/version"
2
+ require "siteguard_lite_log_parser"
3
+
4
+ module SiteguardLite
5
+ module Log
6
+ module Parser
7
+ # Your code goes here...
8
+ end
9
+ end
10
+ end
@@ -0,0 +1,7 @@
1
+ module SiteguardLite
2
+ module Log
3
+ module Parser
4
+ VERSION = "0.1.0"
5
+ end
6
+ end
7
+ end
@@ -0,0 +1,29 @@
1
+ require 'siteguard_lite/log/detect'
2
+
3
+ class SiteguardLiteLogParser
4
+ def initialize(type, options = {})
5
+ @type = type
6
+ @options = options
7
+
8
+ @parser = get_parser(type)
9
+ end
10
+
11
+ def parse(line_str)
12
+ @parser.parse(line_str)
13
+ end
14
+
15
+ private
16
+
17
+ def get_parser(type)
18
+ case type
19
+ when 'detect'
20
+ SiteguardLite::Log::Detect.new(leading_time: leading_time)
21
+ else
22
+ raise ArgumentError, "Unexpected log type: #{type}"
23
+ end
24
+ end
25
+
26
+ def leading_time
27
+ @options[:leading_time]
28
+ end
29
+ end
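Review bot: this top-level `SiteguardLiteLogParser` class sits outside the `SiteguardLite::Log` namespace used everywhere else in the gem, while `SiteguardLite::Log::Parser` (the hunk before `version.rb`) is left as an empty placeholder with "Your code goes here...", so the gem ships two differently named entry points and the README has to tell users to `require 'siteguard_lite/log/parser'` and then call a class of a different name. Folding this class into `SiteguardLite::Log::Parser` removes the confusion. `get_parser` at hunk line 17 would also read better as `build_parser` or just `parser_for(type)`; Ruby style avoids the `get_` prefix.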
@@ -0,0 +1,29 @@
1
+
2
+ lib = File.expand_path("../lib", __FILE__)
3
+ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
4
+ require "siteguard_lite/log/parser/version"
5
+
6
+ Gem::Specification.new do |spec|
7
+ spec.name = "siteguard_lite-log-parser"
8
+ spec.version = SiteguardLite::Log::Parser::VERSION
9
+ spec.authors = ["Takatoshi Ono"]
10
+ spec.email = ["takatoshi.ono@gmail.com"]
11
+
12
+ spec.summary = %q{A log parser for SiteGuard Lite WAF}
13
+ spec.description = %q{A log parser for SiteGuard Lite WAF}
14
+ spec.homepage = "https://github.com/pepabo/siteguard_lite-log-parser"
15
+ spec.license = "MIT"
16
+
17
+ spec.files = `git ls-files -z`.split("\x0").reject do |f|
18
+ f.match(%r{^(test|spec|features)/})
19
+ end
20
+ spec.bindir = "exe"
21
+ spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
22
+ spec.require_paths = ["lib"]
23
+
24
+ spec.add_dependency "ltsv"
25
+
26
+ spec.add_development_dependency "bundler", "~> 1.16"
27
+ spec.add_development_dependency "rake", "~> 10.0"
28
+ spec.add_development_dependency "rspec", "~> 3.0"
29
+ end
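Review bot: `spec.add_dependency "ltsv"` at hunk line 24 carries no version constraint (the built metadata resolves it to `>= 0`), so any future release of that gem, breaking or compromised, satisfies the spec at install time; pin it with a pessimistic constraint on the version the specs were run against. No `required_ruby_version` is set either (metadata shows `>= 0`) although `.travis.yml` only exercises 2.5.1 and `Detect#parse` relies on `MatchData#named_captures`, which exists only on Ruby 2.4 and later, so older interpreters install the gem and then fail at runtime; add `spec.required_ruby_version = ">= 2.4"`. Hunk line 1 is a stray blank line at the top of the file.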
metadata ADDED
@@ -0,0 +1,117 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: siteguard_lite-log-parser
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.1.0
5
+ platform: ruby
6
+ authors:
7
+ - Takatoshi Ono
8
+ autorequire:
9
+ bindir: exe
10
+ cert_chain: []
11
+ date: 2018-07-24 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: ltsv
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - ">="
18
+ - !ruby/object:Gem::Version
19
+ version: '0'
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - ">="
25
+ - !ruby/object:Gem::Version
26
+ version: '0'
27
+ - !ruby/object:Gem::Dependency
28
+ name: bundler
29
+ requirement: !ruby/object:Gem::Requirement
30
+ requirements:
31
+ - - "~>"
32
+ - !ruby/object:Gem::Version
33
+ version: '1.16'
34
+ type: :development
35
+ prerelease: false
36
+ version_requirements: !ruby/object:Gem::Requirement
37
+ requirements:
38
+ - - "~>"
39
+ - !ruby/object:Gem::Version
40
+ version: '1.16'
41
+ - !ruby/object:Gem::Dependency
42
+ name: rake
43
+ requirement: !ruby/object:Gem::Requirement
44
+ requirements:
45
+ - - "~>"
46
+ - !ruby/object:Gem::Version
47
+ version: '10.0'
48
+ type: :development
49
+ prerelease: false
50
+ version_requirements: !ruby/object:Gem::Requirement
51
+ requirements:
52
+ - - "~>"
53
+ - !ruby/object:Gem::Version
54
+ version: '10.0'
55
+ - !ruby/object:Gem::Dependency
56
+ name: rspec
57
+ requirement: !ruby/object:Gem::Requirement
58
+ requirements:
59
+ - - "~>"
60
+ - !ruby/object:Gem::Version
61
+ version: '3.0'
62
+ type: :development
63
+ prerelease: false
64
+ version_requirements: !ruby/object:Gem::Requirement
65
+ requirements:
66
+ - - "~>"
67
+ - !ruby/object:Gem::Version
68
+ version: '3.0'
69
+ description: A log parser for SiteGuard Lite WAF
70
+ email:
71
+ - takatoshi.ono@gmail.com
72
+ executables:
73
+ - siteguard_lite-log
74
+ extensions: []
75
+ extra_rdoc_files: []
76
+ files:
77
+ - ".gitignore"
78
+ - ".rspec"
79
+ - ".travis.yml"
80
+ - Gemfile
81
+ - LICENSE.txt
82
+ - README.md
83
+ - Rakefile
84
+ - bin/console
85
+ - bin/setup
86
+ - exe/siteguard_lite-log
87
+ - lib/siteguard_lite/log/cli.rb
88
+ - lib/siteguard_lite/log/detect.rb
89
+ - lib/siteguard_lite/log/parser.rb
90
+ - lib/siteguard_lite/log/parser/version.rb
91
+ - lib/siteguard_lite_log_parser.rb
92
+ - siteguard_lite-log-parser.gemspec
93
+ homepage: https://github.com/pepabo/siteguard_lite-log-parser
94
+ licenses:
95
+ - MIT
96
+ metadata: {}
97
+ post_install_message:
98
+ rdoc_options: []
99
+ require_paths:
100
+ - lib
101
+ required_ruby_version: !ruby/object:Gem::Requirement
102
+ requirements:
103
+ - - ">="
104
+ - !ruby/object:Gem::Version
105
+ version: '0'
106
+ required_rubygems_version: !ruby/object:Gem::Requirement
107
+ requirements:
108
+ - - ">="
109
+ - !ruby/object:Gem::Version
110
+ version: '0'
111
+ requirements: []
112
+ rubyforge_project:
113
+ rubygems_version: 2.7.6
114
+ signing_key:
115
+ specification_version: 4
116
+ summary: A log parser for SiteGuard Lite WAF
117
+ test_files: []
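Review bot: `cert_chain: []` at hunk line 10 and the empty `signing_key:` at line 114 show the gem is unsigned, so a consumer running `gem install -P HighSecurity` will refuse it and everyone else can verify integrity only through the registry-served `checksums.yaml`, never the publisher's identity; signing the release, or at minimum documenting the expected SHA256 of `data.tar.gz` out of band, would let downstream pin it. `metadata: {}` at line 96 also omits `source_code_uri` and `changelog_uri`, which tooling uses to tie the published artifact back to the repository at line 93. The `required_ruby_version` block at lines 101-105 resolving to `>= 0` reflects the missing constraint in the gemspec noted above.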