/**
 * Function-style adapter around {@code deserialize(String)} so this type can be handed to
 * APIs that expect a mapping from serialized text to an object.
 *
 * @param s serialized text to decode
 * @return whatever {@code deserialize(s)} yields
 */
@Override
public Object apply(String s) {
  Object decoded = deserialize(s);
  return decoded;
}
/**
 * Dumps every configuration stored in ZooKeeper to the given stream.
 *
 * Each visited entry is first run through {@code type.deserialize(data)}; the parsed value is
 * thrown away, so the call is purely a validity check that aborts the dump with an exception
 * when a stored config is not a well-formed config of its type. The raw JSON is what is printed.
 *
 * @param out    destination for the printed configs
 * @param client started ZooKeeper client
 * @throws Exception if ZooKeeper cannot be read or a stored config fails to deserialize
 */
public static void dumpConfigs(PrintStream out, CuratorFramework client) throws Exception {
  ConfigurationsUtils.visitConfigs(client, (cfgType, cfgName, rawJson) -> {
    // parse-to-validate; an unparseable config stops the dump here
    cfgType.deserialize(rawJson);
    String header = cfgType + " Config: " + cfgName;
    out.println(header + System.lineSeparator() + rawJson);
  });
}
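/**
 * Validates the profiler configuration and publishes it to its ZooKeeper node.
 *
 * The bytes are parsed via {@code PROFILER.deserialize} before anything is written, so a
 * malformed config fails here rather than after it has been published. The original bytes —
 * not a re-serialized form — are what get stored.
 *
 * @param config raw JSON bytes of the profiler config
 * @param client started ZooKeeper client
 * @throws IllegalArgumentException if {@code config} is null
 * @throws Exception if the config fails to parse or the ZooKeeper write fails
 */
public static void writeProfilerConfigToZookeeper(byte[] config, CuratorFramework client) throws Exception {
  if (config == null) {
    throw new IllegalArgumentException("profiler config bytes must not be null");
  }
  // Decode with an explicit charset: the platform default varies per JVM, and the text that is
  // validated should be the same text a UTF-8 reader of this node will parse later.
  PROFILER.deserialize(new String(config, java.nio.charset.StandardCharsets.UTF_8));
  writeToZookeeper(PROFILER.getZookeeperRoot(), config, client);
}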
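/**
 * Validates a sensor's indexing configuration and publishes it under
 * {@code INDEXING.getZookeeperRoot() + "/" + sensorType}.
 *
 * The node path is built from {@code sensorType}, so it must be a single ZooKeeper node name:
 * a null, empty, or slash-containing value would otherwise target a different node than the
 * caller intended (for example "root/null", or a nested path).
 *
 * @param sensorType name of the sensor, e.g. bro, yaf, snort
 * @param configData raw JSON bytes of the indexing config
 * @param client     started ZooKeeper client
 * @throws IllegalArgumentException if {@code sensorType} is null, empty, or contains '/'
 * @throws Exception if the config fails to parse or the ZooKeeper write fails
 */
public static void writeSensorIndexingConfigToZookeeper(String sensorType, byte[] configData, CuratorFramework client) throws Exception {
  if (sensorType == null || sensorType.isEmpty() || sensorType.indexOf('/') >= 0) {
    throw new IllegalArgumentException(
        "sensorType must be a single non-empty ZooKeeper node name, got: " + sensorType);
  }
  // Explicit charset so validation does not depend on the JVM's platform default.
  INDEXING.deserialize(new String(configData, java.nio.charset.StandardCharsets.UTF_8));
  writeToZookeeper(INDEXING.getZookeeperRoot() + "/" + sensorType, configData, client);
}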
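/**
 * Validates the global configuration and publishes it to its ZooKeeper node.
 *
 * Parsing via {@code GLOBAL.deserialize} happens before the write, so a malformed config is
 * rejected instead of being published. The original bytes are what get stored.
 *
 * @param globalConfig raw JSON bytes of the global config
 * @param client       started ZooKeeper client
 * @throws IllegalArgumentException if {@code globalConfig} is null
 * @throws Exception if the config fails to parse or the ZooKeeper write fails
 */
public static void writeGlobalConfigToZookeeper(byte[] globalConfig, CuratorFramework client) throws Exception {
  if (globalConfig == null) {
    throw new IllegalArgumentException("global config bytes must not be null");
  }
  // Explicit charset so the validated text is what a UTF-8 reader of the node will parse.
  GLOBAL.deserialize(new String(globalConfig, java.nio.charset.StandardCharsets.UTF_8));
  writeToZookeeper(GLOBAL.getZookeeperRoot(), globalConfig, client);
}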
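/**
 * Validates a sensor's enrichment configuration and publishes it under
 * {@code ENRICHMENT.getZookeeperRoot() + "/" + sensorType}.
 *
 * Because the node path is built by concatenation, {@code sensorType} is required to be a single
 * ZooKeeper node name; null, empty, or slash-containing values are rejected up front rather than
 * silently producing a different path.
 *
 * @param sensorType name of the sensor, e.g. bro, yaf, snort
 * @param configData raw JSON bytes of the enrichment config
 * @param client     started ZooKeeper client
 * @throws IllegalArgumentException if {@code sensorType} is null, empty, or contains '/'
 * @throws Exception if the config fails to parse or the ZooKeeper write fails
 */
public static void writeSensorEnrichmentConfigToZookeeper(String sensorType, byte[] configData, CuratorFramework client) throws Exception {
  if (sensorType == null || sensorType.isEmpty() || sensorType.indexOf('/') >= 0) {
    throw new IllegalArgumentException(
        "sensorType must be a single non-empty ZooKeeper node name, got: " + sensorType);
  }
  // Explicit charset so validation does not depend on the JVM's platform default.
  ENRICHMENT.deserialize(new String(configData, java.nio.charset.StandardCharsets.UTF_8));
  writeToZookeeper(ENRICHMENT.getZookeeperRoot() + "/" + sensorType, configData, client);
}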
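/**
 * Renders the Stellar field transformations of a parser config as a two-column table.
 *
 * @param args    {@code args.get(0)} is the parser config JSON (a String)
 * @param context Stellar execution context (unused here)
 * @return a {@code FlipTable} of field/transformation rows, or null when no config was supplied
 * @throws ParseException propagated from the Stellar layer
 */
@Override
public Object apply(List<Object> args, Context context) throws ParseException {
  // No argument at all is treated the same as a null config: nothing to print.
  // (Previously args.get(0) on an empty list threw IndexOutOfBoundsException.)
  if (args == null || args.isEmpty()) {
    return null;
  }
  String config = (String) args.get(0);
  if (config == null) {
    return null;
  }
  SensorParserConfig configObj = (SensorParserConfig) PARSER.deserialize(config);
  FieldTransformer stellarTransformer = getStellarTransformer(configObj);
  Map<String, Object> transforms = stellarTransformer.getConfig();
  String[] headers = new String[] {"Field", "Transformation"};
  String[][] data = new String[transforms.size()][2];
  int row = 0;
  for (Map.Entry<String, Object> kv : transforms.entrySet()) {
    // String.valueOf renders a null expression as "null" instead of throwing on toString()
    data[row++] = new String[] {kv.getKey(), String.valueOf(kv.getValue())};
  }
  return FlipTable.of(headers, data);
}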
/**
 * Dumps configs of one type — and optionally one name — from ZooKeeper to the given stream.
 *
 * Before each config is parsed, the Stellar function resolver is initialised via
 * {@code setupStellarStatically} with that config's JSON; this is what allows deserializers
 * that validate Stellar expressions to do so. Parsing is validate-only: the raw JSON is printed.
 * NOTE(review): the JSON handed to {@code setupStellarStatically} is whatever config is being
 * visited, not necessarily the GLOBAL one — confirm that is intended for non-GLOBAL types.
 *
 * @param out        destination for the printed configs
 * @param client     started ZooKeeper client
 * @param configType which family to dump, e.g. GLOBAL, PARSER, ENRICHMENT
 * @param configName restricts output to one sensor (bro, yaf, snort, ...) when present
 * @throws Exception if ZooKeeper cannot be read or a config fails to deserialize
 */
public static void dumpConfigs(PrintStream out, CuratorFramework client, ConfigurationType configType, Optional<String> configName) throws Exception {
  ConfigurationsUtils.visitConfigs(client, (cfgType, cfgName, rawJson) -> {
    setupStellarStatically(client, Optional.ofNullable(rawJson));
    // parse-to-validate; the parsed object is discarded
    cfgType.deserialize(rawJson);
    String header = cfgType + " Config: " + cfgName;
    out.println(header + System.lineSeparator() + rawJson);
  }, configType, configName);
}
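/**
 * Validates a sensor's parser configuration and publishes it under
 * {@code PARSER.getZookeeperRoot() + "/" + sensorType}.
 *
 * Validation is two-step: the JSON must deserialize to a {@code SensorParserConfig}, and that
 * object's {@code init()} must succeed. Both happen before the write, so the original bytes are
 * only published once they are known to be usable. {@code sensorType} must be a single
 * ZooKeeper node name since the path is built by concatenation.
 *
 * @param sensorType name of the sensor, e.g. bro, yaf, snort
 * @param configData raw JSON bytes of the parser config
 * @param client     started ZooKeeper client
 * @throws IllegalArgumentException if {@code sensorType} is null, empty, or contains '/'
 * @throws Exception if the config fails to parse or initialise, or the ZooKeeper write fails
 */
public static void writeSensorParserConfigToZookeeper(String sensorType, byte[] configData, CuratorFramework client) throws Exception {
  if (sensorType == null || sensorType.isEmpty() || sensorType.indexOf('/') >= 0) {
    throw new IllegalArgumentException(
        "sensorType must be a single non-empty ZooKeeper node name, got: " + sensorType);
  }
  // Explicit charset so validation does not depend on the JVM's platform default.
  String json = new String(configData, java.nio.charset.StandardCharsets.UTF_8);
  SensorParserConfig parsed = (SensorParserConfig) PARSER.deserialize(json);
  parsed.init();
  writeToZookeeper(PARSER.getZookeeperRoot() + "/" + sensorType, configData, client);
}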
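/**
 * Adds (or overwrites) Stellar field transformations in a parser config.
 *
 * The config is always parsed first, so an invalid config fails even when there is nothing to
 * add. With no additions the original JSON string is returned untouched; otherwise the updated
 * config is re-serialized in pretty-printed form.
 *
 * @param args    {@code args.get(0)} parser config JSON; {@code args.get(1)} optional
 *                map of field name to Stellar expression
 * @param context Stellar execution context (unused here)
 * @return the updated config JSON, the original JSON when nothing changed or serialization
 *         failed, or null when no config was supplied
 * @throws ParseException propagated from the Stellar layer
 */
@Override
public Object apply(List<Object> args, Context context) throws ParseException {
  // No argument at all is treated like a null config (previously an IndexOutOfBoundsException).
  if (args == null || args.isEmpty()) {
    return null;
  }
  String config = (String) args.get(0);
  if (config == null) {
    return null;
  }
  SensorParserConfig configObj = (SensorParserConfig) PARSER.deserialize(config);
  FieldTransformer stellarTransformer = getStellarTransformer(configObj);
  // A missing second argument means "nothing to add"; avoid indexing past the end of args.
  @SuppressWarnings("unchecked")
  Map<String, String> additionalTransforms =
      args.size() > 1 ? (Map<String, String>) args.get(1) : null;
  if (additionalTransforms == null || additionalTransforms.isEmpty()) {
    return config;
  }
  Map<String, Object> transforms = stellarTransformer.getConfig();
  for (Map.Entry<String, String> kv : additionalTransforms.entrySet()) {
    transforms.put(kv.getKey(), kv.getValue());
  }
  // the output field list mirrors the (now extended) set of transformation keys
  stellarTransformer.setOutput(new ArrayList<>(transforms.keySet()));
  try {
    return JSONUtils.INSTANCE.toJSON(configObj, true);
  } catch (JsonProcessingException e) {
    // best-effort: log and hand back the caller's original config rather than failing
    LOG.error("Unable to convert object to JSON: {}", configObj, e);
    return config;
  }
}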
configObj = (SensorEnrichmentConfig) ENRICHMENT.deserialize(config);
configObj = (Map<String, Object>) INDEXING.deserialize(config);
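/**
 * Removes Stellar field transformations from a parser config.
 *
 * The config is always parsed first, so an invalid config fails even when nothing is to be
 * removed. With no removals the original JSON string is returned untouched; otherwise the named
 * transformations are dropped, empty Stellar transformers are pruned, and the updated config is
 * re-serialized in pretty-printed form.
 *
 * @param args    {@code args.get(0)} parser config JSON; {@code args.get(1)} optional
 *                list of field names whose transformations should be removed
 * @param context Stellar execution context (unused here)
 * @return the updated config JSON, the original JSON when nothing changed or serialization
 *         failed, or null when no config was supplied
 * @throws ParseException propagated from the Stellar layer
 */
@Override
public Object apply(List<Object> args, Context context) throws ParseException {
  // No argument at all is treated like a null config (previously an IndexOutOfBoundsException).
  if (args == null || args.isEmpty()) {
    return null;
  }
  String config = (String) args.get(0);
  if (config == null) {
    return null;
  }
  SensorParserConfig configObj = (SensorParserConfig) PARSER.deserialize(config);
  FieldTransformer stellarTransformer = getStellarTransformer(configObj);
  // A missing second argument means "nothing to remove"; avoid indexing past the end of args.
  @SuppressWarnings("unchecked")
  List<String> removals = args.size() > 1 ? (List<String>) args.get(1) : null;
  if (removals == null || removals.isEmpty()) {
    return config;
  }
  Map<String, Object> transforms = stellarTransformer.getConfig();
  for (String removal : removals) {
    transforms.remove(removal);
  }
  // the output field list mirrors the (now reduced) set of transformation keys
  stellarTransformer.setOutput(new ArrayList<>(transforms.keySet()));
  pruneEmptyStellarTransformers(configObj);
  try {
    return JSONUtils.INSTANCE.toJSON(configObj, true);
  } catch (JsonProcessingException e) {
    // best-effort: log and hand back the caller's original config rather than failing
    LOG.error("Unable to convert object to JSON: {}", configObj, e);
    return config;
  }
}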
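/**
 * Asserts that {@code data} parses as a config of the given type.
 *
 * @param name label used in the failure message (typically the sensor or config name)
 * @param type config type whose deserializer is applied
 * @param data raw JSON to validate
 */
private void validateConfig(String name, ConfigurationType type, String data) {
  try {
    type.deserialize(data);
  } catch (Exception e) {
    // Keep the parse error as the cause so the test report says *why* the config failed,
    // not just that it did. AssertionError is the same type JUnit's fail() throws.
    throw new AssertionError("Unable to load config " + name + ": " + data, e);
  }
}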
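/**
 * Builds a {@code ThreatTriageProcessor}, optionally seeded from an enrichment config.
 *
 * @param args    optional: {@code args.get(0)} is a JSON string of a {@code SensorEnrichmentConfig}
 * @param context Stellar execution context handed to the processor
 * @return a processor over either the supplied config or a fresh, empty one
 * @throws IllegalArgumentException if a first argument is present but is null
 * @throws ParseException propagated from the Stellar layer
 */
@Override
public Object apply(List<Object> args, Context context) throws ParseException {
  SensorEnrichmentConfig config = new SensorEnrichmentConfig();
  // an optional first argument supplies the starting enrichment config as JSON
  if (args != null && !args.isEmpty()) {
    String json = Util.getArg(0, String.class, args);
    if (json == null) {
      // the previous message reported a deserialize failure on 'null'; say what actually happened
      throw new IllegalArgumentException(
          "Invalid configuration: expected a JSON string as the first argument but got null");
    }
    config = (SensorEnrichmentConfig) ENRICHMENT.deserialize(json);
  }
  return new ThreatTriageProcessor(config, new ClasspathFunctionResolver(), context);
}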
/**
 * Initialises the global Stellar function resolver so that Stellar expressions can be validated.
 *
 * Without this, utilities that validate Stellar expressions have no resolver to check them
 * against. When a global config is supplied, both the GLOBAL_CONFIG and STELLAR_CONFIG
 * capabilities are backed by lazy suppliers that re-parse the JSON on every lookup — so a
 * malformed global config surfaces when a capability is used, not here. With no global config,
 * STELLAR_CONFIG resolves to an empty map.
 *
 * @param client       ZooKeeper client exposed via the ZOOKEEPER_CLIENT capability
 * @param globalConfig global config JSON, if available
 */
public static void setupStellarStatically(CuratorFramework client, Optional<String> globalConfig) {
  Context.Builder builder = new Context.Builder()
      .with(Context.Capabilities.ZOOKEEPER_CLIENT, () -> client);
  if (globalConfig.isPresent()) {
    String globalJson = globalConfig.get();
    builder = builder
        .with(Context.Capabilities.GLOBAL_CONFIG, () -> GLOBAL.deserialize(globalJson))
        .with(Context.Capabilities.STELLAR_CONFIG, () -> GLOBAL.deserialize(globalJson));
  } else {
    builder = builder.with(Context.Capabilities.STELLAR_CONFIG, () -> new HashMap<>());
  }
  StellarFunctions.FUNCTION_RESOLVER().initialize(builder.build());
}
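/**
 * Reads the JSON for the given config type (and name, if applicable) from ZooKeeper, applies the
 * RFC 6902 patch in {@code patchData}, validates the result, and writes it back pretty-printed.
 * Patching flattens existing formatting, so the pretty-print keeps the stored config readable.
 * The curator client must already be started.
 *
 * The patched document is deserialized before it is written: {@code deserialize} throws on a
 * result that is not a well-formed config of this type, so a bad patch never reaches ZooKeeper.
 *
 * @param configurationType GLOBAL, PARSER, etc.
 * @param configName        e.g. bro, yaf, snort
 * @param patchData         a JSON patch in the format specified by RFC 6902
 * @param client            access to ZooKeeper
 * @throws Exception if the read, patch, validation, or write fails
 */
public static void applyConfigPatchToZookeeper(
    ConfigurationType configurationType, Optional<String> configName, byte[] patchData, CuratorFramework client) throws Exception {
  byte[] configData = readConfigBytesFromZookeeper(configurationType, configName, client);
  byte[] prettyPatchedConfig = JSONUtils.INSTANCE.applyPatch(patchData, configData);
  // Decode with an explicit charset so the text that is validated is the same text a UTF-8
  // reader of the node will parse, independent of this JVM's platform default.
  String prettyPatchedConfigStr =
      new String(prettyPatchedConfig, java.nio.charset.StandardCharsets.UTF_8);
  configurationType.deserialize(prettyPatchedConfigStr);
  writeConfigToZookeeper(configurationType, configName, prettyPatchedConfig, client);
}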
config = (SensorEnrichmentConfig) ENRICHMENT.deserialize(json);
/**
 * A triage rule whose score is a plain number should deserialize with that number kept as the
 * score expression string.
 */
@Test
public void shouldAllowNumericRuleScore() throws Exception {
  SensorEnrichmentConfig enrichment =
      (SensorEnrichmentConfig) ENRICHMENT.deserialize(triageRuleWithNumericScore);
  ThreatTriageConfig triage = enrichment.getThreatIntel().getTriageConfig();
  assertNotNull(triage);

  List<RiskLevelRule> rules = triage.getRiskLevelRules();
  assertEquals(1, rules.size());

  RiskLevelRule only = rules.get(0);
  assertEquals("Rule Name", only.getName());
  assertEquals("Rule Comment", only.getComment());
  assertEquals("ip_src_addr == '10.0.2.3'", only.getRule());
  assertEquals("'Rule Reason'", only.getReason());
  // numeric score is preserved verbatim as an expression
  assertEquals("10", only.getScoreExpression());
}
/**
 * A triage rule whose score is a Stellar expression should deserialize with the expression
 * kept verbatim (it is not evaluated at parse time).
 */
@Test
public void shouldAllowScoreAsStellarExpression() throws Exception {
  SensorEnrichmentConfig enrichment =
      (SensorEnrichmentConfig) ENRICHMENT.deserialize(triageRuleWithScoreExpression);
  ThreatTriageConfig triage = enrichment.getThreatIntel().getTriageConfig();
  assertNotNull(triage);

  List<RiskLevelRule> rules = triage.getRiskLevelRules();
  assertEquals(1, rules.size());

  RiskLevelRule only = rules.get(0);
  assertEquals("Rule Name", only.getName());
  assertEquals("Rule Comment", only.getComment());
  assertEquals("'Rule Reason'", only.getReason());
  assertEquals("ip_src_addr == '10.0.2.3'", only.getRule());
  // the expression is stored as-is, not evaluated to 20
  assertEquals("10 + 10", only.getScoreExpression());
}
}