Class: Fluent::Plugin::NginxNapDecodeFilter

Inherits:
Filter
  • Object
show all
Defined in:
lib/fluent/plugin/filter_nginx_nap_decode.rb

Instance Method Summary collapse

Instance Method Details

#filter(tag, time, record) ⇒ Object 



26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
 
# File 'lib/fluent/plugin/filter_nginx_nap_decode.rb', line 26

def filter(tag, time, record)
  
  case record['violations']['violation']['name']

    when 'VIOL_ATTACK_SIGNATURE'
      #Based on observedEntity we will determined if it is cookie/header/url/parameter/etc
      if record['violations'].has_key?('observedEntity')
          #If attack signature is found on cookies

          if record['violations']['policyEntity'].has_key?('cookies')
            record['violations']['context']='cookies' #Create context that is missing
            record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
            record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
            
            # If header is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
            if record['violations']['policyEntity']['cookies'][0]['type']=="wildcard"
                record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) 
            else
                record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['cookies'][0]['name']
            end
          end

          if record['violations']['policyEntity'].has_key?('headers')
            record['violations']['context']='headers' #Create context that is missing
            record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value'])
            record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')

            # If header is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
            if record['violations']['policyEntity']['headers'][0]['type']=="wildcard"
                record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
            else
                record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['headers'][0]['name']
            end
          end

          if record['violations']['policyEntity'].has_key?('parameters')
            record['violations']['context']='parameters' #Create context that is missing
            
            record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value']) 
            record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
            
            # If parameter is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
            if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
                record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) 
            else
                record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
            end
          end

          if record['violations']['policyEntity'].has_key?('urls')
            record['violations']['context']='urls' #Create context that is missing
            record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
            record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name'])
          end
      else
          record['violations']['context']='request'
          record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')
      end


    when 'VIOL_COOKIE_LENGTH', 'VIOL_HEADER_LENGTH', 'VIOL_URL_METACHAR'
      record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode

    when 'VIOL_PARAMETER_VALUE_METACHAR', 'VIOL_PARAMETER_NAME_METACHAR', 'VIOL_PARAMETER_DATA_TYPE', 'VIOL_PARAMETER_NUMERIC_VALUE', 'VIOL_PARAMETER_VALUE_LENGTH', 'VIOL_PARAMETER_ARRAY_VALUE', 'VIOL_PARAMETER_LOCATION', 'VIOL_PARAMETER_STATIC_VALUE'
      record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value']) #base64 decode
      # If parameter is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
      # Notes: Why is parameters an array!!
      if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
          record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
      else
          record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
      end
    when 'VIOL_PARAMETER_EMPTY_VALUE', 'VIOL_PARAMETER'
      # If filetype is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
      # Notes: Why is filetypes an array!!
      if record['violations']['policyEntity']['parameters'][0]['type']=="wildcard"
          record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
      else
          record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['parameters'][0]['name']
      end  
    when 'VIOL_URL_LENGTH', 'VIOL_POST_DATA_LENGTH', 'VIOL_QUERY_STRING_LENGTH', 'VIOL_REQUEST_LENGTH', 'VIOL_COOKIE_LENGTH', 'VIOL_HEADER_LENGTH'
      # If filetype is explicit then the NAP does NOT provide the "observedEntity". This creates a problem with reporting later on, so we added the record "name"
      # Notes: Why is filetypes an array!!
      if record['violations']['policyEntity']['filetypes'][0]['type']=="wildcard"
          record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
      else
          record['violations']['observedEntity']['name-decode']=record['violations']['policyEntity']['filetypes'][0]['name']
      end            
    when 'VIOL_EVASION'
      # if the observed entity is parameter then base64-decode the parameter
      if record['violations']['observedEntity']['scope']=="parameter"
        record['violations']['observedEntity']['name-decode']=Base64.decode64(record['violations']['observedEntity']['name']) #base64 decode
        record['violations']['observedEntity']['value-decode']=Base64.decode64(record['violations']['observedEntity']['value']) #base64 decode
      
        record['violations']['snippet']['buffer-decode']=Base64.decode64(record['violations']['snippet']['buffer']) if record['violations'].has_key?('snippet')

      end
  end
  record
end