Class: TCellAgent::SensorEvents::CommandInjectionEvent

Inherits:
TCellSensorEvent
Defined in:
lib/tcell_agent/sensor_events/command_injection.rb

Instance Attribute Summary

Attributes inherited from TCellSensorEvent

#ensure, #flush, #send

Class Method Summary

Instance Method Summary

Methods inherited from TCellSensorEvent

#bucket_key, #calculateOffset, #post_process

Constructor Details

#initialize(commands, blocked, matches, method = nil, remote_address = nil, route_id = nil, session_id = nil, user_id = nil, uri = nil, full_commandline = nil) ⇒ CommandInjectionEvent



# File 'lib/tcell_agent/sensor_events/command_injection.rb', line 56

# Builds a "cmdi" sensor event describing a detected command-injection
# attempt.
#
# Fields are stored as hash entries on the event (the TCellSensorEvent
# superclass exposes []=) under the short keys the reporting side reads.
# The first three arguments are always recorded; each optional argument is
# recorded only when truthy, so passing nil leaves its key absent rather
# than present-with-nil.
#
# Only +uri+ is sanitised before storage (via Util.strip_uri_values,
# presumably to drop query-string values — confirm against Util);
# +commands+ and +full_commandline+ are stored exactly as given, so any
# sensitive data embedded in the command line ends up in the event verbatim.
#
# @param commands the command(s) that triggered the detection
# @param blocked whether the agent blocked execution
# @param matches [Array<CommandInjectionMatchEvent>] matched rule/command pairs
# @param method request method, stored under "m"
# @param remote_address client address, stored under "remote_addr"
# @param route_id stored under "rid"
# @param session_id HMAC'd session id, stored under "sid"
# @param user_id stored under "uid"
# @param uri request URI, stripped then stored under "uri"
# @param full_commandline stored under "full_commandline"
def initialize(commands,
               blocked,
               matches,
               method=nil,
               remote_address=nil,
               route_id=nil,
               session_id=nil,
               user_id=nil,
               uri=nil,
               full_commandline=nil)
  super("cmdi")

  # Mandatory fields: always present on the event.
  self["commands"] = commands
  self["blocked"] = blocked
  self["matches"] = matches

  # Optional fields: written only when supplied (truthy). Insertion order is
  # kept as-is so the event's key order does not change.
  self["m"] = method if method
  self["remote_addr"] = remote_address if remote_address
  self["rid"] = route_id if route_id
  self["sid"] = session_id if session_id
  self["uid"] = user_id if user_id
  self["full_commandline"] = full_commandline if full_commandline
  self["uri"] = TCellAgent::SensorEvents::Util.strip_uri_values(uri) if uri
end

Class Method Details

.build_from_native_lib_response_and_tcell_context(apply_response, tcell_context) ⇒ Object



# File 'lib/tcell_agent/sensor_events/command_injection.rb', line 17

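# Builds a CommandInjectionEvent from the native library's apply response
# and the current request context.
#
# @param apply_response [Hash] native-library response; keys read are
#   "matches", "commands", "blocked" and "full_commandline"
# @param tcell_context request context responding to request_method,
#   ip_address, route_id, hmac_session_id, user_id and uri; when nil the
#   per-request fields are left unset on the event
# @return [CommandInjectionEvent, nil] nil when the response carries no matches
def self.build_from_native_lib_response_and_tcell_context(apply_response,
                                                          tcell_context)
  matches = apply_response.fetch("matches", [])
  # fetch only supplies the default when the key is absent; a key that is
  # present with a nil value must also count as "no matches".
  return nil if !matches || matches.empty?

  method = remote_address = route_id = session_id = user_id = uri = nil
  if tcell_context
    method = tcell_context.request_method
    remote_address = tcell_context.ip_address
    route_id = tcell_context.route_id
    session_id = tcell_context.hmac_session_id
    user_id = tcell_context.user_id
    uri = tcell_context.uri
  end

  match_events = matches.map do |match|
    CommandInjectionMatchEvent.new(match["rule_id"], match["command"])
  end

  # The constructor takes positional arguments; they are passed in its
  # declared order. (Ruby has no `name=value` call syntax — the previous
  # form only created stray local variables while still passing positionally.)
  CommandInjectionEvent.new(
    apply_response["commands"],
    apply_response.fetch("blocked", false),
    match_events,
    method,
    remote_address,
    route_id,
    session_id,
    user_id,
    uri,
    apply_response["full_commandline"]
  )
end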