web_test -- test if it works w/ proxy or not

2026-02-21 19:28:02 +00:00 · 2022-07-10 17:27:04 +01:00
parent f7e7747dee
commit dfc73ba2ca
2 changed files with 53 additions and 3 deletions
--- a/lib/helpers/rules.rb
+++ b/lib/helpers/rules.rb
@@ -69,10 +69,11 @@ class Rules
        "filter:\n" +
        "  - query:\n" +
        "      query_string:\n" +
-        # TODO: Test the timing of this simpler rule
-        '        query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file AND process.executable: \"/bin/cat\")"' + "\n" +
+        '        query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file AND (process.executable: \"/bin/cat\" OR process.executable: \"/usr/bin/vim.basic\" OR process.executable: \"/bin/less\" OR process.executable: \"/bin/more\" OR process.executable: \"/bin/nano\" OR process.executable: \"/usr/bin/kate\")"' + "\n" +
+        # Different OR clause in EA
+        #
        # TODO: WIP - improve this rule!
-        # The rule with KATE etc in, takes 30 sec ish to run! '        query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file AND (process.executable: \"/bin/cat\" OR process.executable: \"/usr/bin/vim.basic\" OR process.executable: \"/bin/less\" OR process.executable: \"/bin/more\" OR process.executable: \"/bin/nano\" OR process.executable: \"/usr/bin/kate\")"' + "\n" +
+        #
        #
        # '        query: "combined_path: \"' + goal['file_path'] + '\" AND auditd.result: success AND event.action: opened-file"' + "\n" +
        #
--- a/modules/services/unix/logging/analysis_alert_action_server/files/alert_actioner/web_test.rb
+++ b/modules/services/unix/logging/analysis_alert_action_server/files/alert_actioner/web_test.rb
@@ -0,0 +1,49 @@
+require 'net/http'
+require 'uri'
+
+class WebActioner
+  attr_accessor :url
+  attr_accessor :request_type
+  attr_accessor :data
+
+  def initialize
+    self.url = "http://www.google.com"
+    self.request_type = "GET"
+    self.data = nil
+  end
+
+  def run
+    uri = URI.parse(self.url)
+
+    case self.request_type
+    when 'GET'
+      response = Net::HTTP.get_response(uri)
+    when 'POST'
+      request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
+      request.body = self.data
+      response = Net::HTTP.start(uri.hostname, uri.port) do |http|
+        http.request(request)
+      end
+    when 'PUT'
+      # TODO: later
+      response = ''
+    when 'DELETE'
+      # TODO: later
+      response = ''
+    else
+      response = Net::HTTP.get_response(uri)
+    end
+    puts response.body.to_s
+    puts
+    puts
+    puts "Web Action complete"
+  end
+
+  # TODO: Override me in superclass to print actioner type + all parameters??
+  def to_s
+    "WebActioner:\n  URL: #{self.url}\n  Request Type: #{self.request_type}\n  Data: #{self.data.to_s}"
+  end
+
+end
+
+WebActioner.new.run