class LogStash::Filters::Decrypt
Public Instance Methods
filter(event)
click to toggle source
# File lib/logstash/filters/decrypt.rb, line 34 def filter(event) if @source source = event.get(@source) # Replace the event message with our message as configured in the # config file. parsed = LogStash::Json.load(source) parsed_timestamp = parsed.delete(LogStash::Event::TIMESTAMP) begin timestamp = parsed_timestamp ? LogStash::Timestamp.coerce(parsed_timestamp) : nil rescue LogStash::TimestampParserError => e timestamp = nil end threads = [] @campaigns.each do |file| file = File.read(file) campaign = LogStash::Json.load(file) @keywordstrategy = nil @strategies = campaign['SearchStrategies'] @strategies.each do |strategy| if strategy["type"].eql? "KeywordStrategy" @logger.info("Found Keyword Strategy") @keywordstrategy = strategy end end if parsed["body"].nil? || parsed["body"].empty? @logger.info("Empty Body -> Skip") elsif @keywordstrategy.nil? @logger.info("No Keyword Strategy found -> Skip") elsif parsed["body"].include? @keywordstrategy["prefix"] @logger.info("Decrypt Body") threads << Thread.new { if campaign["encryption"]["xor"].any? xor=Xor.new(@keywordstrategy["prefix"],parsed["body"],campaign["encryption"]["xor"],@keywordstrategy["keywords"]) result = xor.xordecrypt if result[0] parsed["decrypted"] = result[1] parsed["tags"] = [campaign["name"],"XOR"] end end if campaign["encryption"]["aes"].any? aes=Aes.new(@keywordstrategy["prefix"],parsed["body"],campaign["encryption"]["aes"],@keywordstrategy["keywords"]) result = aes.aesdecrypt if result[0] parsed["decrypted"] = result[1] parsed["tags"] = [campaign["name"],"AES"] end end } else @logger.info("Prefix not in Payload -> Skip") end end threads.each { |thr| thr.join } # using the event.set API parsed.each{|k, v| event.set(k, v)} if parsed_timestamp if timestamp event.timestamp = timestamp else event.timestamp = LogStash::Timestamp.new @logger.warn("Unrecognized #{LogStash::Event::TIMESTAMP} value, setting current time to #{LogStash::Event::TIMESTAMP}, original in #{LogStash::Event::TIMESTAMP_FAILURE_FIELD} field", :value => parsed_timestamp.inspect) event.tag(LogStash::Event::TIMESTAMP_FAILURE_TAG) event.set(LogStash::Event::TIMESTAMP_FAILURE_FIELD, parsed_timestamp.to_s) end end # correct debugging log statement for reference # using the event.get API @logger.info("Event after filter", :event => event) end # filter_matched should go in the last line of our successful code filter_matched(event) end
register()
click to toggle source
# File lib/logstash/filters/decrypt.rb, line 28 def register # Add instance variables @campaigns = Dir.glob("campaigns/*.json") end