Class: Threshold::Parser
- Inherits: Object
- Defined in:
- lib/threshold/parser.rb
Overview
Returns an Array of Grok captures from the input file for the lines that match the Threshold conf format.
Instance Attribute Summary
-
#caps ⇒ Object
readonly
Returns the value of attribute caps.
-
#filehash ⇒ Object
readonly
Returns the value of attribute filehash.
Instance Method Summary
-
#initialize(file) ⇒ Parser
constructor
A new instance of Parser.
Constructor Details
#initialize(file) ⇒ Parser
Returns a new instance of Parser.
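# File 'lib/threshold/parser.rb', line 8
# Builds the Grok matcher for the three Threshold conf directives
# (suppress, event_filter, rate_filter) and then parses +file+ with it.
#
# @param file [String] path of the threshold.conf-style file to parse
# @return [Parser] a new instance; #caps starts empty and is filled by
#   +loadfile+ (defined elsewhere in this file)
def initialize(file)
  @file = file
  @caps = []

  # Grok pattern names => regex fragments. Sub-patterns are referenced as
  # %{NAME} or %{NAME:capture}. All regex fragments are single-quoted so
  # that backslashes reach the regex engine untouched: in a double-quoted
  # Ruby string "\s" is a literal space, which is why the COMMENT pattern
  # previously only skipped spaces (not tabs) before a '#'.
  patterns = {
    # Top-level directives. '^' is start-of-line in Ruby; the input is
    # presumably matched one line at a time by loadfile. There is no end
    # anchor, so trailing text after a directive is ignored rather than
    # rejected — append '\s*$' to these if strict validation is wanted.
    "SUPPRESSION"        => '^suppress gen_id %{ID:GID}, sig_id %{ID:SID}(%{SUPPRESSIONOPTIONS})?(%{COMMENT})?',
    "EVENTFILTER"        => '^event_filter gen_id %{ID:GID}, sig_id %{ID:SID}, type %{ETYPE}, track %{TRACK}, count %{COUNT}, seconds %{SECONDS}(%{COMMENT})?',
    "RATEFILTER"         => '^rate_filter gen_id %{ID:GID}, sig_id %{ID:SID}, track %{TRACK}, count %{COUNT}, seconds %{SECONDS}, new_action %{NEW_ACTION}, timeout %{COUNT:TIMEOUT}(%{RATEFILTEROPTIONS})?(%{COMMENT})?',
    # Optional trailing clauses of the directives above.
    "SUPPRESSIONOPTIONS" => ', track %{TRACK}, ip %{IP}',
    "RATEFILTEROPTIONS"  => ', apply_to %{IPCIDR}',
    # Leaf tokens.
    "ID"                 => '\d+',
    "ETYPE"              => 'limit|threshold|both',
    "COUNT"              => '\d+',
    "SECONDS"            => '\d+',
    "TRACK"              => 'by_src|by_dst|by_rule',
    "COMMENT"            => '\s*?#.*',
    "NEW_ACTION"         => 'alert|drop|pass|log|sdrop|reject',
    # Dotted-quad IPv4 (octets 0-255) with an optional /1..32 prefix. The
    # octet separator is an escaped dot; an unescaped '.' accepted any byte.
    "IPCIDR"             => '(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([1-9]|[1-2][0-9]|3[0-2]))?'
  }

  @grok = Grok.new
  patterns.each { |name, regex| @grok.add_pattern(name, regex) }

  # Shared sub-patterns not defined above (presumably %{IP}) live in
  # patterns/base next to this file; resolve the path from __FILE__ so the
  # lookup does not depend on the process's working directory.
  custom_path = File.join(File.dirname(File.expand_path(__FILE__)), "patterns/base")
  @grok.add_patterns_from_file(custom_path)

  # The alternation gives every branch its own GID/SID capture, so a match
  # reports those names as arrays with nils for the branches that did not
  # match: callers must result["GID"].compact (likewise SID) before use.
  @grok.compile("^%{SUPPRESSION}|%{EVENTFILTER}|%{RATEFILTER}")

  loadfile(@file)
end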
Instance Attribute Details
#caps ⇒ Object (readonly)
Returns the value of attribute caps.
# File 'lib/threshold/parser.rb', line 6
# Grok captures accumulated while parsing the input file.
#
# Initialised to an empty Array in #initialize; presumably appended to by
# +loadfile+ (defined elsewhere in this file), so it is empty until the
# file has been parsed.
#
# @return [Array] the captures gathered so far
def caps
  @caps
end
#filehash ⇒ Object (readonly)
Returns the value of attribute filehash.
# File 'lib/threshold/parser.rb', line 6
# Hash view of the parsed file.
#
# Not assigned in #initialize; presumably populated by +loadfile+ (defined
# elsewhere in this file), so it is nil until parsing has run.
#
# @return [Object, nil] the value of the filehash attribute
def filehash
  @filehash
end