Class: LogStash::Codecs::Nmap

Inherits:

Base

• Object
• Base
• LogStash::Codecs::Nmap

Defined in:

lib/logstash/codecs/nmap.rb

Overview

This codec may be used to decode (via inputs) only. It decodes nmap generated XML and outputs each host as its own event

Instance Method Summary

• #de_keyword(value) ⇒ Object
• #decode(data) ⇒ Object
• #hashify_hostname(hostname) ⇒ Object
• #hashify_os(os) ⇒ Object
• #hashify_os_classes(classes) ⇒ Object
• #hashify_port(port) ⇒ Object
• #hashify_service(service) ⇒ Object
• #hashify_status(status) ⇒ Object
• #hashify_struct(struct) ⇒ Object
• #hashify_structs(structs) ⇒ Object
• #hashify_traceroute(traceroute) ⇒ Object
• #hashify_uptime(uptime) ⇒ Object
• #host_to_event(host) ⇒ Object
• #register ⇒ Object
• #timeify(time) ⇒ Object

Instance Method Details

#de_keyword(value) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 163

def de_keyword(value)
  value.is_a?(Symbol) ? value.to_s : value
end

#decode(data) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 16

def decode(data)
  xml = Nmap::XML.parse(data)
  xml.each_host do |host|
    event = host_to_event(host)

    event['arguments'.freeze] = xml.scanner.arguments
    event['version'.freeze] = xml.scanner.version

    yield event
  end
rescue StandardError => e
  @logger.warn("An unexpected error occurred parsing nmap XML",
               :input => data,
               :message => e.message,
               :class => e.class.name,
               :backtrace => e.backtrace)
end

#hashify_hostname(hostname) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 67

def hashify_hostname(hostname)
  return unless hostname

  {
    'name'.freeze => hostname.name, # str
    'type'.freeze => hostname.type, # str
  }
end

#hashify_os(os) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 76

def hashify_os(os)
  return unless os

  {
    'ports_used'.freeze => os.ports_used,
    'fingerprint'.freeze => os.fingerprint,
    'classes'.freeze => hashify_os_matches(os.classes),
    'matches'.freeze => hashify_structs(os_matches)
  }
end

#hashify_os_classes(classes) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 87

def hashify_os_classes(classes)
  return if !classes || classes.empty?

  classes.each do |klass|
    {
      'type'.freeze => klass.type.to_s, # returned as sym originally
      'vendor'.freeze => klass.vendor.to_s,
      'family'.freeze => klass.family.to_s,
      'gen'.freeze => klass.gen.to_s,
      'accuracy'.freeze => klass.accuracy # int
    }
  end
end

#hashify_port(port) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 126

def hashify_port(port)
  return unless port

  {
    'number'.freeze => port.number,
    'reason'.freeze => port.reason,
    'protocol'.freeze => port.protocol.to_s,
    'service'.freeze => hashify_service(port.service),
    'state'.freeze => port.state
  }
end

#hashify_service(service) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 110

def hashify_service(service)
  return unless service

  {
    'name'.freeze => service.name,
    'ssl'.freeze => service.ssl?,
    'protocol'.freeze => service.protocol,
    'product'.freeze => service.product,
    'hostname'.freeze => service.hostname, # This is just a string
    'device_type'.freeze => service.device_type,
    'fingerprint_method'.freeze => service.fingerprint_method,
    'fingerprint'.freeze => service.fingerprint,
    'confidence'.freeze => service.confidence
  }
end

#hashify_status(status) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 58

def hashify_status(status)
  return unless status

  {
    'state'.freeze => status.state.to_s, # str
    'reason'.freeze => status.reason # str
  }
end

#hashify_struct(struct) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 159

def hashify_struct(struct)
  Hash[struct.each_pair.map {|k,v| [k, de_keyword(v)]}]
end

#hashify_structs(structs) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 155

def hashify_structs(structs)
  structs.map {|s| hashify_struct(s)}
end

#hashify_traceroute(traceroute) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 138

def hashify_traceroute(traceroute)
  return unless traceroute

  {
    'port'.freeze => traceroute.port, # int
    'protocol'.freeze => traceroute.protocol.to_s,
    'hops' => traceroute.map.with_index do |hop, idx|
      {
        'address'.freeze => hop.addr, # str
        'hostname'.freeze => hop.host, # str
        'ttl'.freeze => hop.ttl.to_i, # int
        'index' => idx # int (for searching by distance)
      }
    end
  }
end

#hashify_uptime(uptime) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 101

def hashify_uptime(uptime)
  return unless uptime

  {
    'seconds'.freeze => uptime.seconds,
    'last_boot'.freeze => timeify(uptime.last_boot)
  }
end

#host_to_event(host) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 34

def host_to_event(host)
  event = LogStash::Event.new()
  event['start_time'.freeze] = timeify(host.start_time)
  event['end_time'.freeze] = timeify(host.end_time)

  # These two are actually different.
  # Address may contain a MAC, addresses will not AFAICT
  event['addresses'.freeze] = hashify_structs(host.addresses)
  event['address'.freeze] = host.address # str

  event['ip'.freeze] = host.ip # str
  event['ipv4'.freeze] = host.ipv4 # str
  event['ipv6'.freeze] = host.ipv6 # str
  event['ports'.freeze] = host.ports.map {|p| hashify_port(p)}
  event['mac'.freeze] = host.mac # str
  event['status'.freeze] = hashify_status(host.status)
  event['hostname'.freeze] = hashify_hostname(host.hostname)
  event['uptime'.freeze] = hashify_uptime(host.uptime)
  event['os'.freeze] = hashify_os(host.os)
  event['traceroute'.freeze] = hashify_traceroute(host.traceroute)

  event
end

#register ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 12

def register
end

#timeify(time) ⇒ Object

# File 'lib/logstash/codecs/nmap.rb', line 167

def timeify(time)
  time ? LogStash::Timestamp.new(time) : nil
end