initial commit
This commit is contained in:
commit
3a33f6725f
|
@ -0,0 +1,11 @@
|
||||||
|
/target
|
||||||
|
/classes
|
||||||
|
/checkouts
|
||||||
|
pom.xml
|
||||||
|
pom.xml.asc
|
||||||
|
*.jar
|
||||||
|
*.class
|
||||||
|
/.lein-*
|
||||||
|
/.nrepl-port
|
||||||
|
.hgignore
|
||||||
|
.hg/
|
|
@ -0,0 +1,24 @@
|
||||||
|
# Change Log
|
||||||
|
All notable changes to this project will be documented in this file. This change log follows the conventions of [keepachangelog.com](http://keepachangelog.com/).
|
||||||
|
|
||||||
|
## [Unreleased]
|
||||||
|
### Changed
|
||||||
|
- Add a new arity to `make-widget-async` to provide a different widget shape.
|
||||||
|
|
||||||
|
## [0.1.1] - 2016-07-04
|
||||||
|
### Changed
|
||||||
|
- Documentation on how to make the widgets.
|
||||||
|
|
||||||
|
### Removed
|
||||||
|
- `make-widget-sync` - we're all async, all the time.
|
||||||
|
|
||||||
|
### Fixed
|
||||||
|
- Fixed widget maker to keep working when daylight savings switches over.
|
||||||
|
|
||||||
|
## 0.1.0 - 2016-07-04
|
||||||
|
### Added
|
||||||
|
- Files from the new template.
|
||||||
|
- Widget maker public API - `make-widget-sync`.
|
||||||
|
|
||||||
|
[Unreleased]: https://github.com/your-name/cef-parser/compare/0.1.1...HEAD
|
||||||
|
[0.1.1]: https://github.com/your-name/cef-parser/compare/0.1.0...0.1.1
|
|
@ -0,0 +1,214 @@
|
||||||
|
THE ACCOMPANYING PROGRAM IS PROVIDED UNDER THE TERMS OF THIS ECLIPSE PUBLIC
|
||||||
|
LICENSE ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THE PROGRAM
|
||||||
|
CONSTITUTES RECIPIENT'S ACCEPTANCE OF THIS AGREEMENT.
|
||||||
|
|
||||||
|
1. DEFINITIONS
|
||||||
|
|
||||||
|
"Contribution" means:
|
||||||
|
|
||||||
|
a) in the case of the initial Contributor, the initial code and
|
||||||
|
documentation distributed under this Agreement, and
|
||||||
|
|
||||||
|
b) in the case of each subsequent Contributor:
|
||||||
|
|
||||||
|
i) changes to the Program, and
|
||||||
|
|
||||||
|
ii) additions to the Program;
|
||||||
|
|
||||||
|
where such changes and/or additions to the Program originate from and are
|
||||||
|
distributed by that particular Contributor. A Contribution 'originates' from
|
||||||
|
a Contributor if it was added to the Program by such Contributor itself or
|
||||||
|
anyone acting on such Contributor's behalf. Contributions do not include
|
||||||
|
additions to the Program which: (i) are separate modules of software
|
||||||
|
distributed in conjunction with the Program under their own license
|
||||||
|
agreement, and (ii) are not derivative works of the Program.
|
||||||
|
|
||||||
|
"Contributor" means any person or entity that distributes the Program.
|
||||||
|
|
||||||
|
"Licensed Patents" mean patent claims licensable by a Contributor which are
|
||||||
|
necessarily infringed by the use or sale of its Contribution alone or when
|
||||||
|
combined with the Program.
|
||||||
|
|
||||||
|
"Program" means the Contributions distributed in accordance with this
|
||||||
|
Agreement.
|
||||||
|
|
||||||
|
"Recipient" means anyone who receives the Program under this Agreement,
|
||||||
|
including all Contributors.
|
||||||
|
|
||||||
|
2. GRANT OF RIGHTS
|
||||||
|
|
||||||
|
a) Subject to the terms of this Agreement, each Contributor hereby grants
|
||||||
|
Recipient a non-exclusive, worldwide, royalty-free copyright license to
|
||||||
|
reproduce, prepare derivative works of, publicly display, publicly perform,
|
||||||
|
distribute and sublicense the Contribution of such Contributor, if any, and
|
||||||
|
such derivative works, in source code and object code form.
|
||||||
|
|
||||||
|
b) Subject to the terms of this Agreement, each Contributor hereby grants
|
||||||
|
Recipient a non-exclusive, worldwide, royalty-free patent license under
|
||||||
|
Licensed Patents to make, use, sell, offer to sell, import and otherwise
|
||||||
|
transfer the Contribution of such Contributor, if any, in source code and
|
||||||
|
object code form. This patent license shall apply to the combination of the
|
||||||
|
Contribution and the Program if, at the time the Contribution is added by the
|
||||||
|
Contributor, such addition of the Contribution causes such combination to be
|
||||||
|
covered by the Licensed Patents. The patent license shall not apply to any
|
||||||
|
other combinations which include the Contribution. No hardware per se is
|
||||||
|
licensed hereunder.
|
||||||
|
|
||||||
|
c) Recipient understands that although each Contributor grants the licenses
|
||||||
|
to its Contributions set forth herein, no assurances are provided by any
|
||||||
|
Contributor that the Program does not infringe the patent or other
|
||||||
|
intellectual property rights of any other entity. Each Contributor disclaims
|
||||||
|
any liability to Recipient for claims brought by any other entity based on
|
||||||
|
infringement of intellectual property rights or otherwise. As a condition to
|
||||||
|
exercising the rights and licenses granted hereunder, each Recipient hereby
|
||||||
|
assumes sole responsibility to secure any other intellectual property rights
|
||||||
|
needed, if any. For example, if a third party patent license is required to
|
||||||
|
allow Recipient to distribute the Program, it is Recipient's responsibility
|
||||||
|
to acquire that license before distributing the Program.
|
||||||
|
|
||||||
|
d) Each Contributor represents that to its knowledge it has sufficient
|
||||||
|
copyright rights in its Contribution, if any, to grant the copyright license
|
||||||
|
set forth in this Agreement.
|
||||||
|
|
||||||
|
3. REQUIREMENTS
|
||||||
|
|
||||||
|
A Contributor may choose to distribute the Program in object code form under
|
||||||
|
its own license agreement, provided that:
|
||||||
|
|
||||||
|
a) it complies with the terms and conditions of this Agreement; and
|
||||||
|
|
||||||
|
b) its license agreement:
|
||||||
|
|
||||||
|
i) effectively disclaims on behalf of all Contributors all warranties and
|
||||||
|
conditions, express and implied, including warranties or conditions of title
|
||||||
|
and non-infringement, and implied warranties or conditions of merchantability
|
||||||
|
and fitness for a particular purpose;
|
||||||
|
|
||||||
|
ii) effectively excludes on behalf of all Contributors all liability for
|
||||||
|
damages, including direct, indirect, special, incidental and consequential
|
||||||
|
damages, such as lost profits;
|
||||||
|
|
||||||
|
iii) states that any provisions which differ from this Agreement are offered
|
||||||
|
by that Contributor alone and not by any other party; and
|
||||||
|
|
||||||
|
iv) states that source code for the Program is available from such
|
||||||
|
Contributor, and informs licensees how to obtain it in a reasonable manner on
|
||||||
|
or through a medium customarily used for software exchange.
|
||||||
|
|
||||||
|
When the Program is made available in source code form:
|
||||||
|
|
||||||
|
a) it must be made available under this Agreement; and
|
||||||
|
|
||||||
|
b) a copy of this Agreement must be included with each copy of the Program.
|
||||||
|
|
||||||
|
Contributors may not remove or alter any copyright notices contained within
|
||||||
|
the Program.
|
||||||
|
|
||||||
|
Each Contributor must identify itself as the originator of its Contribution,
|
||||||
|
if any, in a manner that reasonably allows subsequent Recipients to identify
|
||||||
|
the originator of the Contribution.
|
||||||
|
|
||||||
|
4. COMMERCIAL DISTRIBUTION
|
||||||
|
|
||||||
|
Commercial distributors of software may accept certain responsibilities with
|
||||||
|
respect to end users, business partners and the like. While this license is
|
||||||
|
intended to facilitate the commercial use of the Program, the Contributor who
|
||||||
|
includes the Program in a commercial product offering should do so in a
|
||||||
|
manner which does not create potential liability for other Contributors.
|
||||||
|
Therefore, if a Contributor includes the Program in a commercial product
|
||||||
|
offering, such Contributor ("Commercial Contributor") hereby agrees to defend
|
||||||
|
and indemnify every other Contributor ("Indemnified Contributor") against any
|
||||||
|
losses, damages and costs (collectively "Losses") arising from claims,
|
||||||
|
lawsuits and other legal actions brought by a third party against the
|
||||||
|
Indemnified Contributor to the extent caused by the acts or omissions of such
|
||||||
|
Commercial Contributor in connection with its distribution of the Program in
|
||||||
|
a commercial product offering. The obligations in this section do not apply
|
||||||
|
to any claims or Losses relating to any actual or alleged intellectual
|
||||||
|
property infringement. In order to qualify, an Indemnified Contributor must:
|
||||||
|
a) promptly notify the Commercial Contributor in writing of such claim, and
|
||||||
|
b) allow the Commercial Contributor tocontrol, and cooperate with the
|
||||||
|
Commercial Contributor in, the defense and any related settlement
|
||||||
|
negotiations. The Indemnified Contributor may participate in any such claim
|
||||||
|
at its own expense.
|
||||||
|
|
||||||
|
For example, a Contributor might include the Program in a commercial product
|
||||||
|
offering, Product X. That Contributor is then a Commercial Contributor. If
|
||||||
|
that Commercial Contributor then makes performance claims, or offers
|
||||||
|
warranties related to Product X, those performance claims and warranties are
|
||||||
|
such Commercial Contributor's responsibility alone. Under this section, the
|
||||||
|
Commercial Contributor would have to defend claims against the other
|
||||||
|
Contributors related to those performance claims and warranties, and if a
|
||||||
|
court requires any other Contributor to pay any damages as a result, the
|
||||||
|
Commercial Contributor must pay those damages.
|
||||||
|
|
||||||
|
5. NO WARRANTY
|
||||||
|
|
||||||
|
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE PROGRAM IS PROVIDED ON
|
||||||
|
AN "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, EITHER
|
||||||
|
EXPRESS OR IMPLIED INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OR
|
||||||
|
CONDITIONS OF TITLE, NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A
|
||||||
|
PARTICULAR PURPOSE. Each Recipient is solely responsible for determining the
|
||||||
|
appropriateness of using and distributing the Program and assumes all risks
|
||||||
|
associated with its exercise of rights under this Agreement , including but
|
||||||
|
not limited to the risks and costs of program errors, compliance with
|
||||||
|
applicable laws, damage to or loss of data, programs or equipment, and
|
||||||
|
unavailability or interruption of operations.
|
||||||
|
|
||||||
|
6. DISCLAIMER OF LIABILITY
|
||||||
|
|
||||||
|
EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, NEITHER RECIPIENT NOR ANY
|
||||||
|
CONTRIBUTORS SHALL HAVE ANY LIABILITY FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||||
|
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING WITHOUT LIMITATION
|
||||||
|
LOST PROFITS), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
||||||
|
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||||
|
ARISING IN ANY WAY OUT OF THE USE OR DISTRIBUTION OF THE PROGRAM OR THE
|
||||||
|
EXERCISE OF ANY RIGHTS GRANTED HEREUNDER, EVEN IF ADVISED OF THE POSSIBILITY
|
||||||
|
OF SUCH DAMAGES.
|
||||||
|
|
||||||
|
7. GENERAL
|
||||||
|
|
||||||
|
If any provision of this Agreement is invalid or unenforceable under
|
||||||
|
applicable law, it shall not affect the validity or enforceability of the
|
||||||
|
remainder of the terms of this Agreement, and without further action by the
|
||||||
|
parties hereto, such provision shall be reformed to the minimum extent
|
||||||
|
necessary to make such provision valid and enforceable.
|
||||||
|
|
||||||
|
If Recipient institutes patent litigation against any entity (including a
|
||||||
|
cross-claim or counterclaim in a lawsuit) alleging that the Program itself
|
||||||
|
(excluding combinations of the Program with other software or hardware)
|
||||||
|
infringes such Recipient's patent(s), then such Recipient's rights granted
|
||||||
|
under Section 2(b) shall terminate as of the date such litigation is filed.
|
||||||
|
|
||||||
|
All Recipient's rights under this Agreement shall terminate if it fails to
|
||||||
|
comply with any of the material terms or conditions of this Agreement and
|
||||||
|
does not cure such failure in a reasonable period of time after becoming
|
||||||
|
aware of such noncompliance. If all Recipient's rights under this Agreement
|
||||||
|
terminate, Recipient agrees to cease use and distribution of the Program as
|
||||||
|
soon as reasonably practicable. However, Recipient's obligations under this
|
||||||
|
Agreement and any licenses granted by Recipient relating to the Program shall
|
||||||
|
continue and survive.
|
||||||
|
|
||||||
|
Everyone is permitted to copy and distribute copies of this Agreement, but in
|
||||||
|
order to avoid inconsistency the Agreement is copyrighted and may only be
|
||||||
|
modified in the following manner. The Agreement Steward reserves the right to
|
||||||
|
publish new versions (including revisions) of this Agreement from time to
|
||||||
|
time. No one other than the Agreement Steward has the right to modify this
|
||||||
|
Agreement. The Eclipse Foundation is the initial Agreement Steward. The
|
||||||
|
Eclipse Foundation may assign the responsibility to serve as the Agreement
|
||||||
|
Steward to a suitable separate entity. Each new version of the Agreement will
|
||||||
|
be given a distinguishing version number. The Program (including
|
||||||
|
Contributions) may always be distributed subject to the version of the
|
||||||
|
Agreement under which it was received. In addition, after a new version of
|
||||||
|
the Agreement is published, Contributor may elect to distribute the Program
|
||||||
|
(including its Contributions) under the new version. Except as expressly
|
||||||
|
stated in Sections 2(a) and 2(b) above, Recipient receives no rights or
|
||||||
|
licenses to the intellectual property of any Contributor under this
|
||||||
|
Agreement, whether expressly, by implication, estoppel or otherwise. All
|
||||||
|
rights in the Program not expressly granted under this Agreement are
|
||||||
|
reserved.
|
||||||
|
|
||||||
|
This Agreement is governed by the laws of the State of New York and the
|
||||||
|
intellectual property laws of the United States of America. No party to this
|
||||||
|
Agreement will bring a legal action under this Agreement more than one year
|
||||||
|
after the cause of action arose. Each party waives its rights to a jury trial
|
||||||
|
in any resulting litigation.
|
|
@ -0,0 +1,31 @@
|
||||||
|
# cef-parser
|
||||||
|
|
||||||
|
A Clojure library designed to parse CEF.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
~~~clojure
|
||||||
|
> (require '[cef-parser.core :refer :all])
|
||||||
|
> (parse-cef (str "2016-07-04T10:09:33 CEF:0|Sec\\|urity|threat\\\\manager|1.0|100|worm successfully stopped|10|"
|
||||||
|
~ "src\\\\he=10.0.0.1 dst=2.1.2.2 spt=1232 filePath=/user/username/dir/my file name.txt "
|
||||||
|
~ "E\\=mc2=Einstein formula my\\ file=foo bar"))
|
||||||
|
{:version "Sec|urity"
|
||||||
|
:device-vendor "threat\\manager"
|
||||||
|
:device-product "1.0"
|
||||||
|
:device_event_class_id "100"
|
||||||
|
:name "worm successfully stopped"
|
||||||
|
:severity "10"
|
||||||
|
:extension {"spt" "1232"
|
||||||
|
"dst" "2.1.2.2"
|
||||||
|
"filePath" "/user/username/dir/my file name.txt"
|
||||||
|
"src\\he" "10.0.0.1"
|
||||||
|
"my file" "foo bar"
|
||||||
|
"E=mc2" "Einstein formula"}}
|
||||||
|
~~~
|
||||||
|
|
||||||
|
## License
|
||||||
|
|
||||||
|
Copyright © 2016 Cisco
|
||||||
|
|
||||||
|
Distributed under the Eclipse Public License either version 1.0 or (at
|
||||||
|
your option) any later version.
|
|
@ -0,0 +1,3 @@
|
||||||
|
# Introduction to cef-parser
|
||||||
|
|
||||||
|
TODO: write [great documentation](http://jacobian.org/writing/what-to-write/)
|
|
@ -0,0 +1,7 @@
|
||||||
|
(defproject cef-parser "0.1.0-SNAPSHOT"
|
||||||
|
:description "CEF Parser"
|
||||||
|
:url "http://example.com/FIXME"
|
||||||
|
:license {:name "Eclipse Public License"
|
||||||
|
:url "http://www.eclipse.org/legal/epl-v10.html"}
|
||||||
|
:dependencies [[org.clojure/clojure "1.8.0"]
|
||||||
|
[instaparse "1.4.2"]])
|
|
@ -0,0 +1,67 @@
|
||||||
|
(ns cef-parser.core
|
||||||
|
(:require [instaparse.core :as insta]))
|
||||||
|
|
||||||
|
(def cef-grammar
|
||||||
|
"CEF Grammar"
|
||||||
|
(insta/parser
|
||||||
|
"cef = #'.*?CEF:' version <'|'> device_vendor <'|'> device_product <'|'> device_version <'|'> device_event_class_id <'|'> name <'|'> severity (<'|'> extension)?
|
||||||
|
version = #'\\d+'
|
||||||
|
device_vendor = string
|
||||||
|
device_product = string
|
||||||
|
device_version = string
|
||||||
|
device_event_class_id = string
|
||||||
|
name = string
|
||||||
|
severity = #'(?i)(unknown|low|medium|high|very-high)'| #'[1-9]'|'10'
|
||||||
|
extension = (key <'='> value <' '>?)*
|
||||||
|
|
||||||
|
<string> = (#'[^\\\\]' | escaped-char)+
|
||||||
|
escaped-char = (<'\\\\'> ('|' | '\\\\' | 'n' | 'r'))
|
||||||
|
key = (#'[^\\\\ ]' | escaped-char-key)(#'[^\\\\ ]' | escaped-char-key)*
|
||||||
|
escaped-char-key = (<'\\\\'> ('=' | '\\\\' | ' ' | 'n' | 'r' ) )
|
||||||
|
value = ((#'[^\\\\ ]*' | escaped-char-key) (' '|Epsilon))+
|
||||||
|
"))
|
||||||
|
|
||||||
|
(defn parse-cef [txt]
|
||||||
|
(insta/transform
|
||||||
|
{:string str
|
||||||
|
:escaped-char (fn [& args]
|
||||||
|
(case (first args)
|
||||||
|
"n" "\n"
|
||||||
|
"r" "\r"
|
||||||
|
(apply str args)))
|
||||||
|
:escaped-char-key (fn [& args]
|
||||||
|
(case (first args)
|
||||||
|
"n" "\n"
|
||||||
|
"r" "\r"
|
||||||
|
(apply str args)))
|
||||||
|
:device_vendor str
|
||||||
|
:device_product str
|
||||||
|
:device_version str
|
||||||
|
:device_event_class_id str
|
||||||
|
:name str
|
||||||
|
:severity str
|
||||||
|
:extension hash-map
|
||||||
|
:key str
|
||||||
|
:version str
|
||||||
|
:value str
|
||||||
|
:cef (fn
|
||||||
|
([_ _ version device-vendor device-product device-event-class-id name severity]
|
||||||
|
(merge
|
||||||
|
{:version version
|
||||||
|
:device-vendor device-vendor
|
||||||
|
:device-product device-product
|
||||||
|
:device_event_class_id device-event-class-id
|
||||||
|
:name name
|
||||||
|
:severity severity}))
|
||||||
|
([_ _ version device-vendor device-product device-event-class-id name severity extension]
|
||||||
|
(merge
|
||||||
|
{:version version
|
||||||
|
:device-vendor device-vendor
|
||||||
|
:device-product device-product
|
||||||
|
:device_event_class_id device-event-class-id
|
||||||
|
:name name
|
||||||
|
:severity severity
|
||||||
|
:extension extension})))}
|
||||||
|
(cef-grammar txt)))
|
||||||
|
|
||||||
|
(defn tst [] (parse-cef excef))
|
|
@ -0,0 +1,49 @@
|
||||||
|
(ns cef-parser.core-test
|
||||||
|
(:require [clojure.test :refer :all]
|
||||||
|
[cef-parser.core :refer :all]))
|
||||||
|
|
||||||
|
;; Most examples can be found in page 8 of
|
||||||
|
;; https://www.protect724.hpe.com/docs/DOC-1072
|
||||||
|
|
||||||
|
(deftest pipe-test
|
||||||
|
(let [cef (parse-cef
|
||||||
|
"Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\| in message|10|src=10.0.0.1 act=blocked a | dst=1.1.1.1")]
|
||||||
|
(is (= (:name cef)
|
||||||
|
"detected a | in message"))))
|
||||||
|
|
||||||
|
(deftest backslash-test
|
||||||
|
(let [cef (parse-cef
|
||||||
|
"Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a \\\\ in packet|10|src=10.0.0.1 act=blocked a \\\\ dst=1.1.1.1")]
|
||||||
|
(is (= (get-in cef [:extension "act"])
|
||||||
|
"blocked a \\"))))
|
||||||
|
|
||||||
|
(deftest equal-sign-test
|
||||||
|
(let [cef (parse-cef
|
||||||
|
"Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|detected a = in message|10|src=10.0.0.1 act=blocked a \\= dst=1.1.1.1")]
|
||||||
|
(is (= (get-in cef [:extension "act"])
|
||||||
|
"blocked a ="))))
|
||||||
|
|
||||||
|
(deftest multi-line-ex-test
|
||||||
|
(let [cef (parse-cef
|
||||||
|
"Sep 19 08:26:10 host CEF:0|security|threatmanager|1.0|100|Detected a threat. No action needed.|10|src=10.0.0.1 msg=Detected a threat.\\n No action needed.")]
|
||||||
|
(is (= (get-in cef [:extension "msg"])
|
||||||
|
"Detected a threat.\n No action needed."))))
|
||||||
|
|
||||||
|
(deftest tricky-CEF-test
|
||||||
|
(let [cef (parse-cef
|
||||||
|
(str "2016-07-04T10:09:33 CEF:0|Sec\\|urity|threat\\\\manager|1.0|100|worm successfully stopped|10|"
|
||||||
|
"src\\\\he=10.0.0.1 dst=2.1.2.2 spt=1232 filePath=/user/username/dir/my file name.txt "
|
||||||
|
"E\\=mc2=Einstein formula my\\ file=foo bar"))]
|
||||||
|
(is (= {:version "Sec|urity"
|
||||||
|
:device-vendor "threat\\manager"
|
||||||
|
:device-product "1.0"
|
||||||
|
:device_event_class_id "100"
|
||||||
|
:name "worm successfully stopped"
|
||||||
|
:severity "10"
|
||||||
|
:extension {"spt" "1232"
|
||||||
|
"dst" "2.1.2.2"
|
||||||
|
"filePath" "/user/username/dir/my file name.txt"
|
||||||
|
"src\\he" "10.0.0.1"
|
||||||
|
"my file" "foo bar"
|
||||||
|
"E=mc2" "Einstein formula"}}
|
||||||
|
cef))))
|
Loading…
Reference in New Issue