class TCellAgent::Instrumentation::TCellData
Attributes
context_filters_by_term[RW]
csrf_exception_name[RW]
database_filters[RW]
database_result_sizes[RW]
fullpath[RW]
grape_mount_endpoint[RW]
hmac_session_id[RW]
password[RW]
patches_blocking_triggered[RW]
path[RW]
path_parameters[RW]
referrer[RW]
remote_address[RW]
request_method[RW]
reverse_proxy_header_value[RW]
route_id[RW]
session_id[RW]
sql_exceptions[RW]
transaction_id[RW]
uri[RW]
user_agent[RW]
user_id[RW]
Public Class Methods
filterx(sanitize_string, event_flag, replace_flag, term)
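# File lib/tcell_agent/instrumentation.rb, line 71
# Redacts or reports every occurrence of +term+ inside +sanitize_string+.
# The string is mutated in place (gsub!), so a frozen input raises FrozenError.
#
# @param sanitize_string [String] text to scan; rewritten in place when +replace_flag+ is set
# @param event_flag [Boolean] when true, a match is reported but the text is left as is
# @param replace_flag [Boolean] when true, each match becomes '[redacted]' and is reported
# @param term [String, Regexp] what to look for; a String is matched literally by gsub!
# @return [Boolean] true when at least one occurrence was found under an active flag
def self.filterx(sanitize_string, event_flag, replace_flag, term)
  # A nil or empty term matches at every position of the string, which would
  # flood it with '[redacted]' markers and report a hit on any input; treat
  # such a term as "nothing to look for" instead.
  return false if term.nil? || term.to_s.empty?

  send_event = false
  sanitize_string.gsub!(term) do |match|
    if replace_flag
      send_event = true
      '[redacted]'
    elsif event_flag
      send_event = true
      match
    else
      match
    end
  end
  send_event
end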
new()
# File lib/tcell_agent/instrumentation.rb, line 86
# Fresh per-request state: no blocked patches, no SQL exceptions, no recorded
# result sizes, and an empty term -> Set-of-ContextFilter map.
def initialize
  @sql_exceptions = []
  @database_result_sizes = []
  @patches_blocking_triggered = false
  # Block form so each term gets its own Set; Hash.new(Set.new) would share
  # one Set between every term.
  @context_filters_by_term = Hash.new { |by_term, term| by_term[term] = Set.new }
end
Public Instance Methods
add_filter_for_header_value(term, rule, header_name)
# File lib/tcell_agent/instrumentation.rb, line 111
# Registers a DLP rule for the value of request header +header_name+ under
# +term+. Terms rejected by valid_term? are silently ignored.
#
# @param term [#to_s] sensitive value to look for in bodies and logs
# @param rule [Object] DLP rule carrying the redact/event flags
# @param header_name [String] header whose value the rule describes
# @return [Set, nil] the filter set for +term+, or nil when the term was rejected
def add_filter_for_header_value(term, rule, header_name)
  return unless valid_term?(term)

  filter = ContextFilter.new.for_request('header', header_name, rule)
  context_filters_by_term[term.to_s] << filter
end
add_filter_for_request_parameter(term, rule, parameter_name)
# File lib/tcell_agent/instrumentation.rb, line 105
# Registers a DLP rule for the value of form parameter +parameter_name+ under
# +term+. Terms rejected by valid_term? are silently ignored.
#
# @param term [#to_s] sensitive value to look for in bodies and logs
# @param rule [Object] DLP rule carrying the redact/event flags
# @param parameter_name [String] request parameter whose value the rule describes
# @return [Set, nil] the filter set for +term+, or nil when the term was rejected
def add_filter_for_request_parameter(term, rule, parameter_name)
  return unless valid_term?(term)

  filter = ContextFilter.new.for_request('form', parameter_name, rule)
  context_filters_by_term[term.to_s] << filter
end
add_response_db_filter(term, action_obj, database, schema, table, field)
# File lib/tcell_agent/instrumentation.rb, line 99
# Registers a DLP rule for a value read from +database+.+schema+.+table+.+field+
# under +term+. Terms rejected by valid_term? are silently ignored.
#
# @param term [#to_s] sensitive value to look for in bodies and logs
# @param action_obj [Object] DLP rule/actions object for this database field
# @param database [String]
# @param schema [String]
# @param table [String]
# @param field [String]
# @return [Set, nil] the filter set for +term+, or nil when the term was rejected
def add_response_db_filter(term, action_obj, database, schema, table, field)
  return unless valid_term?(term)

  filter = ContextFilter.new.for_database(database, schema, table, field, action_obj)
  context_filters_by_term[term.to_s] << filter
end
filter_body!(body)
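# File lib/tcell_agent/instrumentation.rb, line 123
# Applies the data-loss-prevention policy to a response body. The session id
# (per the policy's session-id actions) and every term registered through the
# add_filter_* methods are redacted and/or reported according to each rule's
# body flags, and a DlpEvent is sent for every hit.
#
# @param body [String] response body; mutated in place by TCellData.filterx
# @return [String] the same +body+ object, possibly carrying '[redacted]' markers
def filter_body!(body)
  dlp_policy = TCellAgent.policy(TCellAgent::PolicyTypes::DATALOSS)

  if dlp_policy && session_id
    session_id_actions = dlp_policy.get_actions_for_session_id
    if session_id_actions
      send_flag = TCellData.filterx(body, session_id_actions.body_event, session_id_actions.body_redact, session_id)
      if send_flag
        TCellAgent.send_event(
          TCellAgent::SensorEvents::DlpEvent.new(
            route_id, uri, TCellAgent::SensorEvents::DlpEvent::FOUND_IN_BODY, session_id_actions.action_id
          ).for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
        )
      end
    end
  end

  # Longest terms first, so a term that contains a shorter one is redacted as
  # a whole before the shorter term can split it.
  context_filters_by_term.sort_by { |term, _context_filters| -term.length }.each do |term, context_filters|
    replace_filters = context_filters.select { |context_filter| context_filter.rule.body_redact == true }
    event_filters = context_filters.select do |context_filter|
      context_filter.rule.body_redact != true && context_filter.rule.body_event == true
    end

    # The term can appear raw or HTML-escaped (rendered into markup). Both
    # passes must always run: short-circuiting the escaped pass after a raw
    # hit (`send_flag ||= ...`) left the escaped copies unredacted.
    send_flag = TCellData.filterx(body, !event_filters.empty?, !replace_filters.empty?, term)
    send_flag = TCellData.filterx(body, !event_filters.empty?, !replace_filters.empty?, CGI.escapeHTML(term)) || send_flag
    next unless send_flag

    (replace_filters + event_filters).each do |filter|
      base_event = TCellAgent::SensorEvents::DlpEvent.new(
        route_id, uri, TCellAgent::SensorEvents::DlpEvent::FOUND_IN_BODY, filter.rule.action_id
      )
      if filter.type == ContextFilter::DATABASE
        TCellAgent.send_event(
          base_event.for_database(filter.database, filter.schema, filter.table, filter.field)
        )
      elsif filter.type == ContextFilter::REQUEST
        TCellAgent.send_event(
          base_event.for_request(filter.context, filter.parameter)
        )
      end
    end
  end

  body
end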
filter_log(log_msg)
# File lib/tcell_agent/instrumentation.rb, line 170
# Runs the data-loss-prevention log rules over +log_msg+: the session id and
# every registered context-filter term are redacted and/or reported according
# to the rule's log flags, sending a DlpEvent per hit. The message is mutated
# in place and returned.
#
# @param log_msg [String] log line to scan; mutated in place by TCellData.filterx
# @return [String] the same +log_msg+ object
def filter_log(log_msg)
  dlp_policy = TCellAgent.policy(TCellAgent::PolicyTypes::DATALOSS)
  session_actions = dlp_policy.get_actions_for_session_id if dlp_policy && session_id

  if session_actions
    found = TCellData.filterx(log_msg, session_actions.log_event, session_actions.log_redact, session_id)
    if found
      session_event = TCellAgent::SensorEvents::DlpEvent.new(
        route_id, uri, TCellAgent::SensorEvents::DlpEvent::FOUND_IN_LOG, session_actions.action_id
      )
      TCellAgent.send_event(
        session_event.for_framework(TCellAgent::SensorEvents::DlpEvent::FRAMEWORK_VARIABLE_SESSION_ID)
      )
    end
  end

  # Longest terms first, so a containing term is handled before any term it contains.
  ordered_terms = context_filters_by_term.sort_by { |term, _filters| -term.length }
  ordered_terms.each do |term, filters|
    # Redacting rules win; a rule only reports when it does not redact.
    redacting, others = filters.partition { |filter| filter.rule.log_redact == true }
    reporting = others.select { |filter| filter.rule.log_event == true }

    found = TCellData.filterx(log_msg, !reporting.empty?, !redacting.empty?, term)
    next unless found

    (redacting + reporting).each do |filter|
      event = TCellAgent::SensorEvents::DlpEvent.new(
        route_id, uri, TCellAgent::SensorEvents::DlpEvent::FOUND_IN_LOG, filter.rule.action_id
      )
      if filter.type == ContextFilter::DATABASE
        TCellAgent.send_event(event.for_database(filter.database, filter.schema, filter.table, filter.field))
      elsif filter.type == ContextFilter::REQUEST
        TCellAgent.send_event(event.for_request(filter.context, filter.parameter))
      end
    end
  end

  log_msg
end
to_s()
# File lib/tcell_agent/instrumentation.rb, line 215
# Human-readable dump of the request context for debugging.
# NOTE(review): the output includes session_id and hmac_session_id, so it
# should only reach sinks that are themselves protected or redacted.
#
# @return [String] "<ClassName name: value ...>" with the fields below, in order, space separated
def to_s
  fields = [
    ['transaction_id', transaction_id],
    ['session_id', session_id],
    ['hmac_session_id', hmac_session_id],
    ['user_id', user_id],
    ['route_id', route_id],
    ['uri', uri],
    ['context_filters_by_term', context_filters_by_term],
    ['database_filters', database_filters],
    ['remote_address', remote_address],
    ['user_agent', user_agent],
    ['request_method', @request_method],
    ['path_parameters', @path_parameters]
  ]
  rendered = fields.map { |name, value| "#{name}: #{value}" }.join(' ')
  "<#{self.class.name} #{rendered}>"
end
valid_term?(term)
# File lib/tcell_agent/instrumentation.rb, line 93
# A term is usable as a DLP search key only when it is present, non-blank and
# at least five characters long once stringified; anything shorter would match
# far too much of a body or log line.
#
# @param term [Object, nil] candidate term (compared via +to_s+)
# @return [Boolean]
def valid_term?(term)
  return false if term.nil? || term == ''

  term.to_s.length >= 5
end