Class: TCellAgent::SensorEvents::CommandInjectionEvent

Inherits:
TCellSensorEvent
Defined in:
lib/tcell_agent/sensor_events/command_injection.rb

Instance Attribute Summary

Attributes inherited from TCellSensorEvent

#ensure, #flush, #send

Class Method Summary

Instance Method Summary

Methods inherited from TCellSensorEvent

#bucket_key, #calculate_offset, #post_process

Constructor Details

#initialize(commands, blocked, matches, method = nil, remote_address = nil, route_id = nil, session_id = nil, user_id = nil, uri = nil, full_commandline = nil) ⇒ CommandInjectionEvent

Returns a new instance of CommandInjectionEvent.



# File 'lib/tcell_agent/sensor_events/command_injection.rb', line 49

# Builds a 'cmdi' sensor event describing a command-injection detection.
#
# Required fields are always written; each optional request-context field is
# written under its short wire key only when a truthy value was supplied.
#
# @param commands [Object] the command(s) the native library inspected
# @param blocked [Boolean] whether the command was blocked (stored even when false)
# @param matches [Array<CommandInjectionMatchEvent>] rule matches to report
# @param method [String, nil] HTTP request method, stored as 'm'
# @param remote_address [String, nil] client address, stored as 'remote_addr'
# @param route_id [String, nil] stored as 'rid'
# @param session_id [String, nil] stored as 'sid'
# @param user_id [String, nil] stored as 'uid'
# @param uri [String, nil] request URI; passed through Util.strip_uri_values
# @param full_commandline [String, nil] stored as given, without normalisation
def initialize(commands,
               blocked,
               matches,
               method = nil,
               remote_address = nil,
               route_id = nil,
               session_id = nil,
               user_id = nil,
               uri = nil,
               full_commandline = nil)
  super('cmdi')

  # Always-present payload fields.
  self['commands'] = commands
  self['blocked'] = blocked
  self['matches'] = matches

  # Optional context fields. The hash order matches the positional parameter
  # order so the event's key insertion order is unchanged.
  {
    'm' => method,
    'remote_addr' => remote_address,
    'rid' => route_id,
    'sid' => session_id,
    'uid' => user_id,
    'full_commandline' => full_commandline
  }.each { |key, value| self[key] = value if value }

  # The URI is the only field normalised before storage (by name,
  # strip_uri_values removes values from it — confirm in Util). Note that
  # full_commandline above receives no such treatment.
  self['uri'] = TCellAgent::SensorEvents::Util.strip_uri_values(uri) if uri
end

Class Method Details

.build_from_native_lib_response_and_tcell_context(apply_response, tcell_context) ⇒ Object



# File 'lib/tcell_agent/sensor_events/command_injection.rb', line 13

# Builds a CommandInjectionEvent from the native library's apply response,
# enriching it with request context when one is available.
#
# @param apply_response [Hash] native library response; the keys read here are
#   'matches', 'commands', 'blocked' and 'full_commandline'
# @param tcell_context [Object, nil] request context responding to
#   request_method, ip_address, route_id, hmac_session_id, user_id and uri
# @return [CommandInjectionEvent, nil] nil when there is nothing to report
def self.build_from_native_lib_response_and_tcell_context(apply_response,
                                                          tcell_context)
  matches = apply_response.fetch('matches', [])

  # No match list, or an empty one: nothing to report.
  return nil if !matches || matches.empty?

  # Context fields in the positional order CommandInjectionEvent.new expects;
  # all nil when no context was supplied.
  context_fields =
    if tcell_context
      [
        tcell_context.request_method,
        tcell_context.ip_address,
        tcell_context.route_id,
        tcell_context.hmac_session_id,
        tcell_context.user_id,
        tcell_context.uri
      ]
    else
      Array.new(6)
    end

  # Every match is wrapped as-is; no match is filtered out here.
  match_events = matches.map do |match|
    CommandInjectionMatchEvent.new(match['rule_id'], match['command'])
  end

  CommandInjectionEvent.new(
    apply_response['commands'],
    apply_response.fetch('blocked', false),
    match_events,
    *context_fields,
    apply_response['full_commandline']
  )
end