Class: LogStash::Filters::Empow::FieldHandler

Inherits:
Object
Defined in:
lib/logstash/filters/field-handler.rb

Constant Summary collapse

IDS =
"IDS"
AM =
"AM"
CUSTOM =
"CUSTOM"

Instance Method Summary collapse

Constructor Details

#initialize(product_type_field, product_name_field, threat_field, src_internal_field, dst_internal_field) ⇒ FieldHandler

Returns a new instance of FieldHandler holding the Logstash field references the filter reads; raises ArgumentError when threat_field is nil or blank.



# File 'lib/logstash/filters/field-handler.rb', line 11

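# Builds the Logstash field references this filter reads from each event.
#
# All five names come from the filter configuration. +threat_field+ is the
# top-level field holding the threat data; the IDS signature, malware name,
# hash and the src/dst "internal" markers are looked up as sub-fields beneath
# it, so their references are assembled by string concatenation here.
#
# @param product_type_field [String] field holding the product type (IDS, AM or other)
# @param product_name_field [String] field holding the product name
# @param threat_field [String] top-level field holding the threat data
# @param src_internal_field [String] sub-field of threat_field marking whether the source is internal
# @param dst_internal_field [String] sub-field of threat_field marking whether the destination is internal
# @raise [ArgumentError] if any field name is nil or blank
def initialize(product_type_field, product_name_field, threat_field, src_internal_field, dst_internal_field)
  # Each name is spliced into a field reference, so a nil or blank one would
  # either raise a TypeError on concatenation or yield an unusable reference
  # such as "[threat][]". Reject all of them up front with a clear message
  # instead of failing later with an obscure error at event time.
  {
    'product type field' => product_type_field,
    'product name field' => product_name_field,
    'threat field' => threat_field,
    'src internal field' => src_internal_field,
    'dst internal field' => dst_internal_field
  }.each do |label, name|
    if name.nil? || name.strip.empty?
      raise ArgumentError, "#{label} cannot be empty"
    end
  end

  @product_type_field = product_type_field
  @product_name_field = product_name_field

  # NOTE(review): the name is wrapped in brackets verbatim, so a configured
  # value that already carries brackets (e.g. "[threat]") becomes "[[threat]]"
  # — confirm that is the intended reference form.
  @threat_field = "[#{threat_field}]"

  @ids_signature_field = "#{@threat_field}[signature]"
  @malware_name_field = "#{@threat_field}[malware_name]"
  @hash_field = "#{@threat_field}[hash]"

  @src_internal_field = "#{@threat_field}[#{src_internal_field}]"
  @dst_internal_field = "#{@threat_field}[#{dst_internal_field}]"

  # Raw (unbracketed) sub-field names of the internal markers; presumably
  # used elsewhere to keep them out of the copied threat — verify against copy_threat.
  @blacklisted_fields = [src_internal_field, dst_internal_field]
end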

Instance Method Details

#event_to_classification_request(event) ⇒ Object



# File 'lib/logstash/filters/field-handler.rb', line 33

# Builds the request that is sent to the classification service for +event+.
#
# Returns nil — after tagging the event through Utils.add_error / add_warn —
# when the event cannot be classified: no product type, a product that fails
# the per-type validation, or no threat field to copy.
#
# @param event [LogStash::Event] the event being filtered; it is only
#   modified through Utils.add_error / Utils.add_warn on the failure paths
# @return [LogStash::Filters::Empow::ClassificationRequest, nil]
def event_to_classification_request(event)
  utils = LogStash::Filters::Empow::Utils

  product_type = event.get(@product_type_field)
  product = event.get(@product_name_field)
  raw_src_internal = event.get(@src_internal_field)
  raw_dst_internal = event.get(@dst_internal_field)

  if product_type.nil?
    utils.add_error(event, "missing_product_type")
    return nil
  end

  # Coerces a src/dst "internal" marker to a boolean. A value that cannot be
  # parsed is reported on the event with +warn_code+ and treated as internal.
  # NOTE(review): defaulting an unparseable marker to *internal* is the
  # permissive choice if the classifier treats internal endpoints as more
  # trusted — confirm this fail-open behaviour is intended.
  to_internal_flag = lambda do |raw_value, warn_code|
    flag = utils.convert_to_boolean(raw_value)
    return flag unless flag.nil?
    utils.add_warn(event, warn_code)
    true
  end

  is_src_internal = to_internal_flag.call(raw_src_internal, 'src_internal_wrong_value')
  is_dst_internal = to_internal_flag.call(raw_dst_internal, 'dst_internal_wrong_value')

  product_ok =
    case product_type
    when IDS then is_valid_ids_request(product, event)
    when AM then is_valid_antimalware_request(product, event)
    else is_valid_product(product, event) # any other type is resolved in the cloud
    end
  return nil unless product_ok

  threat = copy_threat(event.get(@threat_field))
  if threat.nil?
    utils.add_error(event, "missing_threat_field")
    return nil
  end

  LogStash::Filters::Empow::ClassificationRequest.new(product_type, product, threat, is_src_internal, is_dst_internal)
end