Class: TCellAgent::SensorEvents::CommandInjectionEvent

Inherits:
TCellSensorEvent show all
Defined in:
lib/tcell_agent/sensor_events/command_injection.rb

Instance Attribute Summary

Attributes inherited from TCellSensorEvent

#ensure, #flush, #send

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from TCellSensorEvent

#bucket_key, #calculateOffset, #post_process

Constructor Details

#initialize(commands, blocked, matches, method = nil, remote_address = nil, route_id = nil, session_id = nil, user_id = nil, uri = nil, full_commandline = nil) ⇒ CommandInjectionEvent

Returns a new instance of CommandInjectionEvent.



# File 'lib/tcell_agent/sensor_events/command_injection.rb', line 56

# Builds a command-injection ("cmdi") sensor event.
#
# The three leading arguments are always recorded; each optional request
# attribute is recorded only when it is truthy, so a nil (or false) value
# leaves its key absent from the event rather than storing nil.
#
# @param commands [Object] commands reported for the intercepted invocation
# @param blocked [Boolean] whether the invocation was blocked (stored even when false)
# @param matches [Array] match events describing which rules fired
# @param method [String, nil] HTTP request method, stored under "m"
# @param remote_address [String, nil] client address, stored under "remote_addr"
# @param route_id [String, nil] stored under "rid"
# @param session_id [String, nil] stored under "sid"
# @param user_id [String, nil] stored under "uid"
# @param uri [String, nil] request URI; passed through
#   TCellAgent::SensorEvents::Util.strip_uri_values before it is stored
#   (presumably to drop query-string values -- see that helper)
# @param full_commandline [String, nil] stored as given under "full_commandline"
#   NOTE(review): unlike uri, this value is not redacted here; confirm the
#   native library has already stripped anything sensitive from it.
def initialize(commands,
               blocked,
               matches,
               method=nil,
               remote_address=nil,
               route_id=nil,
               session_id=nil,
               user_id=nil,
               uri=nil,
               full_commandline=nil)
  super("cmdi")

  # Mandatory fields first, then optionals in the same key order as before
  # so the serialized event keeps its insertion order.
  self["commands"] = commands
  self["blocked"] = blocked
  self["matches"] = matches
  self["m"] = method if method
  self["remote_addr"] = remote_address if remote_address
  self["rid"] = route_id if route_id
  self["sid"] = session_id if session_id
  self["uid"] = user_id if user_id
  self["full_commandline"] = full_commandline if full_commandline
  self["uri"] = TCellAgent::SensorEvents::Util.strip_uri_values(uri) if uri
end

Class Method Details

.build_from_native_lib_response_and_tcell_context(apply_response, tcell_context) ⇒ Object



# File 'lib/tcell_agent/sensor_events/command_injection.rb', line 17

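# Builds a CommandInjectionEvent from the native library's apply response,
# enriched with request details taken from the tcell context.
#
# Only a response that carries at least one match produces an event; an
# absent, nil or empty "matches" entry yields nil so that benign command
# invocations are never reported.
#
# @param apply_response [Hash] native library response; reads the
#   "matches", "commands", "blocked" and "full_commandline" keys
# @param tcell_context [#request_method, #ip_address, #route_id,
#   #hmac_session_id, #user_id, #uri, nil] per-request context, or nil
#   when the invocation happened outside a request
# @return [CommandInjectionEvent, nil] nil when there are no matches
def self.build_from_native_lib_response_and_tcell_context(apply_response,
                                                          tcell_context)
  # Treat an explicit nil "matches" the same as a missing key.
  matches = apply_response.fetch("matches", []) || []
  return nil if matches.empty?

  method = remote_address = route_id = session_id = user_id = nil
  uri = nil
  if tcell_context
    method = tcell_context.request_method
    remote_address = tcell_context.ip_address
    route_id = tcell_context.route_id
    session_id = tcell_context.hmac_session_id
    user_id = tcell_context.user_id
    uri = tcell_context.uri
  end

  match_events = matches.map do |match|
    CommandInjectionMatchEvent.new(match["rule_id"], match["command"])
  end

  # Positional arguments, in CommandInjectionEvent#initialize order. The
  # previous `name=value` pseudo-keyword call style only created unused
  # locals and did not name the parameters, so it is dropped here.
  CommandInjectionEvent.new(
    apply_response["commands"],
    apply_response.fetch("blocked", false),
    match_events,
    method,
    remote_address,
    route_id,
    session_id,
    user_id,
    uri,
    apply_response["full_commandline"]
  )
end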