Class: LogStash::Codecs::IDMEF
- Inherits:
-
Base
- Object
- Base
- LogStash::Codecs::IDMEF
- Defined in:
- lib/logstash/codecs/idmef.rb
Overview
Implementation of a Logstash codec for IDMEF based on RFC4765. tools.ietf.org/html/rfc4765
Constant Summary collapse
- IDMEFUserId =
RFC 4765: UserID Class
{ :type => :class, :name => "UserId", "name" => { :type => :list_value, :name => "name" }, "type" => { :type => :attr, :name => "type", :default => "original-user" }, "tty" => { :type => :attr, :name => "tty" }, "number" => { :type => :list_value, :name => "number" } }
- IDMEFUser =
RFC 4765: User Class
{ :type => :class, :name => "User", "category" => { :type => :attr, :name => "category", :default => "unknown" }, "user_id" => { :type => :list_class, :class => IDMEFUserId } }
- IDMEFFileAccess =
RFC 4765: FileAccess Class
{ :type => :class, :name => "FileAccess", "user_id" => { :type => :list_class, :class => IDMEFUserId } }
- IDMEFFile =
RFC 4765: File Class
{ :type => :class, :name => "File", "category" => { :type => :attr, :name => "category" }, "fstype" => { :type => :attr, :name => "fstype" }, "file-type" => { :type => :attr, :name => "file-type" }, "name" => { :type => :list_value, :name => "name" }, "path" => { :type => :list_value, :name => "path" }, "file_access" => { :type => :list_class, :class => IDMEFFileAccess } }
- IDMEFWebService =
RFC 4765: WebService Class
{ :type => :class, :name => "WebService", "url" => { :type => :list_value, :name => "url" } }
- IDMEFSNMPService =
RFC 4765: SNMPService Class
{ :type => :class, :name => "SNMPService", "command" => { :type => :list_value, :name => "command" } }
- IDMEFService =
RFC 4765: Service Class
{ :type => :class, :name => "Service", "ip_version" => { :type => :attr, :name => "ip_version" }, "iana_protocol_number" => { :type => :attr, :name => "iana_protocol_number" }, "iana_protocol_name" => { :type => :attr, :name => "iana_protocol_name" }, "name" => { :type => :list_value, :name => "name" }, "port" => { :type => :list_value, :name => "port" }, "portlist" => { :type => :list_value, :name => "portlist" }, "protocol" => { :type => :list_value, :name => "protocol" }, "web_service" => { :type => :list_class, :class => IDMEFWebService }, "snmp_service" => { :type => :list_class, :class => IDMEFSNMPService } }
- IDMEFAddress =
RFC 4765: Address Class
{ :type => :class, :name => "Address", "category" => { :type => :attr, :name => "category", :default => "unknown" }, "vlan-name" => { :type => :attr, :name => "vlan-name" }, "vlan-num" => { :type => :attr, :name => "vlan-num" }, "address" => { :type => :list_value, :name => "address" }, "netmask" => { :type => :list_value, :name => "netmask" }, }
- IDMEFNode =
RFC 4765: Node Class
{ :type => :class, :name => "Node", "category" => { :type => :attr, :name => "category", :default => "unknown" }, "location" => { :type => :list_value, :name => "location" }, "name" => { :type => :list_value, :name => "name" }, "address" => { :type => :list_class, :class => IDMEFAddress }, }
- IDMEFProcess =
RFC 4765: Process Class
{ :type => :class, :name => "Process", "name" => { :type => :list_value, :name => "name" }, "pid" => { :type => :list_value, :name => "pid" }, "path" => { :type => :list_value, :name => "path" }, "arg" => { :type => :list_value, :name => "arg" }, "env" => { :type => :list_value, :name => "env" }, }
- IDMEFAnalyzer =
RFC 4765: Analyzer Class
{ :type => :class, :name => "Analyzer", "analyzerid" => { :type => :attr, :name => "analyzerid" }, "name" => { :type => :attr, :name => "name" }, "manufacturer" => { :type => :attr, :name => "manufacturer" }, "model" => { :type => :attr, :name => "model" }, "version" => { :type => :attr, :name => "version" }, "class" => { :type => :attr, :name => "class" }, "ostype" => { :type => :attr, :name => "ostype" }, "osversion" => { :type => :attr, :name => "osversion" }, "node" => { :type => :list_class, :class => IDMEFNode }, "process" => { :type => :list_class, :class => IDMEFProcess }, }
- IDMEFSource =
RFC 4765: Source Class
{ :type => :class, :name => "Source", "spoofed" => { :type => :attr, :name => "spoofed", :default => "unknown" }, "interface" => { :type => :attr, :name => "interface" }, "node" => { :type => :list_class, :class => IDMEFNode }, "user" => { :type => :list_class, :class => IDMEFUser }, "process" => { :type => :list_class, :class => IDMEFProcess }, "service" => { :type => :list_class, :class => IDMEFService }, }
- IDMEFTarget =
RFC 4765: Target Class
{ :type => :class, :name => "Target", "decoy" => { :type => :attr, :name => "decoy", :default => "unknown" }, "interface" => { :type => :attr, :name => "interface" }, "node" => { :type => :list_class, :class => IDMEFNode }, "user" => { :type => :list_class, :class => IDMEFUser }, "process" => { :type => :list_class, :class => IDMEFProcess }, "service" => { :type => :list_class, :class => IDMEFService }, "file" => { :type => :list_class, :class => IDMEFFile } }
- IDMEFImpact =
RFC 4765: Impact Class
{ :type => :class, :name => "Impact", "severity" => { :type => :attr, :name => "severity" }, "completion" => { :type => :attr, :name => "completion" }, "type" => { :type => :attr, :name => "type", :default => "other" }, }
- IDMEFAction =
RFC 4765: Action Class
{ :type => :class, :name => "Action", "category" => { :type => :attr, :name => "category", :default => "other" }, "description" => { :type => :value }, }
- IDMEFConfidence =
RFC 4765: Confidence Class
{ :type => :class, :name => "Confidence", "rating" => { :type => :attr, :name => "rating", :default => "numeric" }, "confidence" => { :type => :value }, }
- IDMEFReference =
RFC 4765: Reference Class
{ :type => :class, :name => "Reference", "origin" => { :type => :attr, :name => "origin", :default => "unknown" }, "meaning" => { :type => :attr, :name => "meaning" }, "name" => { :type => :list_value, :name => "name" }, "url" => { :type => :list_value, :name => "url" } }
- IDMEFAdditionalData =
RFC 4765: AdditionalData Class
{ :type => :class, :name => "AdditionalData", "meaning" => { :type => :attr, :name => "meaning" }, "type" => { :type => :attr, :name => "type" }, "data" => { :type => :list_value, :name => :type } }
- IDMEFCorrelationAlert =
RFC 4765: CorrelationAlert Class
{ :type => :class, :name => "CorrelationAlert", "name" => { :type => :list_value, :name => "name" }, "alertident" => { :type => :list_value, :name => "alertident" } }
- IDMEFAssessment =
RFC 4765: Assessment Class
{ :type => :class, :name => "Assessment", "impact" => { :type => :list_class, :class => IDMEFImpact }, "action" => { :type => :list_class, :class => IDMEFAction }, "confidence" => { :type => :list_class, :class => IDMEFConfidence } }
- IDMEFClassification =
RFC 4765: Classification Class
{ :type => :class, :name => "Classification", "text" => { :type => :attr, :name => "text" }, "reference" => { :type => :list_class, :class => IDMEFReference } }
- IDMEFAlert =
RFC 4765: Alert Class
{ :type => :class, :name => "Alert", "messageid" => { :type => :attr, :name => "messageid" }, "create_time" => { :type => :list_value, :name => "CreateTime", :format => :datetime}, "detect_time" => { :type => :list_value, :name => "DetectTime", :format => :datetime }, "analyzer_time" => { :type => :list_value, :name => "AnalyzerTime", :format => :datetime }, "analyzer" => { :type => :list_class, :class => IDMEFAnalyzer }, "classification" => { :type => :list_class, :class => IDMEFClassification }, "source" => { :type => :list_class, :class => IDMEFSource }, "target" => { :type => :list_class, :class => IDMEFTarget }, "assessment" => { :type => :list_class, :class => IDMEFAssessment }, "additional_data" => { :type => :list_class, :class => IDMEFAdditionalData }, "correlation_alert" => { :type => :list_class, :class => IDMEFCorrelationAlert }, }
- IDMEFMessage =
RFC 4765: Message Class
{ :type => :class, :name => "IDMEF-Message", "alert" => { :type => :list_class, :class => IDMEFAlert }, }
Instance Method Summary collapse
- #encode(event) ⇒ Object
-
#initialize(params = {}) ⇒ IDMEF
constructor
A new instance of IDMEF.
Constructor Details
#initialize(params = {}) ⇒ IDMEF
Returns a new instance of IDMEF.
411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 |
# File 'lib/logstash/codecs/idmef.rb', line 411 def initialize(params={}) super(params) @utf8_charset = LogStash::Util::Charset.new('UTF-8') @utf8_charset.logger = self.logger @local_paths = { "alert.analyzer(0).name" => ["$product", "$devname"], "alert.analyzer(0).manufacturer" => "$vendor", "alert.create_time" => "$@timestamp", "alert.detect_time" => "$@timestamp", "alert.analyzer_time" => "$@timestamp", "alert.source(0).node.address(0).address" => ["$srcip", "$src"], "alert.source(0).node.name" => ["$shost", "$srchost", "$shostname", "$srchostname", "$sname", "$srcname"], "alert.source(0).service.port" => ["$spt", "$sport", "$s_port"], "alert.source(0).service.name" => ["$sservice", "$srcservice"], "alert.target(0).node.address(0).address" => ["$hostip", "$dstip", "$dst", "$ip"], "alert.target(0).node.name" => ["$host", "$hostname", "$shost", "$srchost", "$shostname", "$srchostname", "$sname", "$srcname"], "alert.target(0).service.port" => ["$dpt", "$dport", "$d_port"], "alert.target(0).service.name" => ["$service", "$service_id", "$dservice", "$dstservice",], "alert.target(0).user.user_id(0).name" => ["$user", "$dstuser", "$duser"], "alert.target(0).user.user_id(0).number" => ["$uid", "$dstuid", "$duid"], "alert.target(0).process.name" => ["$proc", "$process"], "alert.target(0).process.pid" => ["$dpid", "$pid"], "alert.classification.text" => ["$rule_name", "$event", "$message"], "alert.assessment.impact.severity" => ["$severity", "$level"], "alert.assessment.action.description" => ["$action"], } if @defaults @allpaths = @local_paths.merge(@paths) else @allpaths = @paths end end |
Instance Method Details
#encode(event) ⇒ Object
446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 |
# File 'lib/logstash/codecs/idmef.rb', line 446 def encode(event) # Reload configuration @allpaths = @allpaths.merge(@paths) # Copy event e = event.clone # Set messageid and analyzerid p = { "%s.messageid" % @type => java.util.UUID.randomUUID.to_s, "%s.analyzer(0).analyzerid" % @type => Socket.gethostname.to_s } xml = idmefpaths_to_xml(e, p) # Set paths xml = idmefpaths_to_xml(e, @allpaths, xml) # Set Additional data if @additionaldata idx = xml.xpath('/IDMEF-Message/Alert/AddionnalData').length e.to_hash.each do |key, value| if value.kind_of?(Integer) t = "integer" elsif value.kind_of?(Float) t = "real" else t = "string" end p = { "alert.additional_data(%d).meaning" % idx => key, "alert.additional_data(%d).type" % idx => t, "alert.additional_data(%d).data" % idx => value.to_s, } xml = idmefpaths_to_xml(e, p , xml) idx = idx + 1 end end # Create the XML @on_event.call(event, xml_to_string(xml) + NL) end |