Class: LogStash::Filters::Empow::FieldHandler
- Inherits:
-
Object
- Object
- LogStash::Filters::Empow::FieldHandler
- Defined in:
- lib/logstash/filters/field-handler.rb
Constant Summary collapse
- IDS =
"IDS"
- AM =
"AM"
- CUSTOM =
"CUSTOM"
Instance Method Summary collapse
- #event_to_classification_request(event) ⇒ Object
-
#initialize(product_type_field, product_name_field, threat_field, src_internal_field, dst_internal_field) ⇒ FieldHandler
constructor
A new instance of FieldHandler.
Constructor Details
#initialize(product_type_field, product_name_field, threat_field, src_internal_field, dst_internal_field) ⇒ FieldHandler
Returns a new instance of FieldHandler.
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
# File 'lib/logstash/filters/field-handler.rb', line 11 def initialize(product_type_field, product_name_field, threat_field, src_internal_field, dst_internal_field) @product_type_field = product_type_field @product_name_field = product_name_field if threat_field.nil? || threat_field.strip.length == 0 raise ArgumentError, 'threat field cannot be empty' end @threat_field = '[' + threat_field + ']' @ids_signature_field = @threat_field + '[signature]' @malware_name_field = @threat_field + '[malware_name]' @src_internal_field = @threat_field + '[' + src_internal_field + ']' @dst_internal_field = @threat_field + '[' + dst_internal_field + ']' @blacklisted_fields = [src_internal_field, dst_internal_field] @hash_field = @threat_field + '[hash]' end |
Instance Method Details
#event_to_classification_request(event) ⇒ Object
33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 |
# File 'lib/logstash/filters/field-handler.rb', line 33 def event_to_classification_request(event) product_type = event.get(@product_type_field) product = event.get(@product_name_field) is_src_internal = event.get(@src_internal_field) is_dst_internal = event.get(@dst_internal_field) if product_type.nil? LogStash::Filters::Empow::Utils.add_error(event, "missing_product_type") return nil end is_src_internal = LogStash::Filters::Empow::Utils.convert_to_boolean(is_src_internal) if is_src_internal.nil? is_src_internal = true LogStash::Filters::Empow::Utils.add_warn(event, 'src_internal_wrong_value') end is_dst_internal = LogStash::Filters::Empow::Utils.convert_to_boolean(is_dst_internal) if is_dst_internal.nil? is_dst_internal = true LogStash::Filters::Empow::Utils.add_warn(event, 'dst_internal_wrong_value') end case product_type when IDS return nil if !is_valid_ids_request(product, event) when AM return nil if !is_valid_antimalware_request(product, event) else # others are resolved in the cloud return nil if !is_valid_product(product, event) end original_threat = event.get(@threat_field) threat = copy_threat(original_threat) if (threat.nil?) LogStash::Filters::Empow::Utils.add_error(event, "missing_threat_field") return nil end return LogStash::Filters::Empow::ClassificationRequest.new(product_type, product, threat, is_src_internal, is_dst_internal) end |