MISP/app/Model/CorrelationExclusion.php

<?php
App::uses('AppModel', 'Model');
App::uses('RandomTool', 'Tools');

class CorrelationExclusion extends AppModel
{
    public $recursive = -1;

    public $key = 'misp:correlation_exclusions';

    public $actsAs = array(
        'SysLogLogable.SysLogLogable' => array(
                'userModel' => 'User',
                'userKey' => 'user_id',
                'change' => 'full'),
        'Containable',
    );

    public $validate = [
        'value' => [
            'uniqueValue' => [
                'rule' => 'isUnique',
                'message' => 'Value is already in the exclusion list.'
            ]
        ]
    ];

    public function afterSave($created, $options = array())
    {
        $this->cacheValues();
    }

    public function beforeDelete($cascade = true)
    {
        $exclusion = $this->find('first', [
            'recursive' => -1,
            'conditions' => [
                'id' => $this->id
            ]
        ]);
        $this->Correlation = ClassRegistry::init('Correlation');
        if (!empty($exclusion)) {
            $this->Correlation->correlateValueRouter($exclusion['CorrelationExclusion']['value']);
        }
    }

    public function afterDelete()
    {
        $this->cacheValues();
    }

    public function cacheValues()
    {
        try {
            $redis = $this->setupRedisWithException();
        } catch (Exception $e) {
            return false;
        }
        $redis->del($this->key);
        $exclusions = $this->find('column', [
            'fields' => ['value']
        ]);
        $redis->sAddArray($this->key, $exclusions);
    }

    public function cleanRouter($user)
    {
        if (Configure::read('MISP.background_jobs')) {
            $this->Job = ClassRegistry::init('Job');
            $this->Job->create();
            $data = [
                    'worker' => 'default',
                    'job_type' => 'clean_correlation_exclusions',
                    'job_input' => '',
                    'status' => 0,
                    'retries' => 0,
                    'org' => $user['Organisation']['name'],
                    'message' => __('Cleaning up excluded correlations.'),
            ];
            $this->Job->save($data);
            $jobId = $this->Job->id;
            $process_id = CakeResque::enqueue(
                    'default',
                    'AdminShell',
                    ['cleanExcludedCorrelations', $jobId],
                    true
            );
            $this->Job->saveField('process_id', $process_id);
            $message = __('Cleanup queued for background execution.');
        } else {
            $this->clean();
        }
    }

    public function clean($jobId = false)
    {
        if ($jobId) {
            $this->Job = ClassRegistry::init('Job');
            $this->Job->id = $jobId;
        }
        $query = sprintf(
            'DELETE FROM correlations where (%s) or (%s);',
            sprintf(
                'value IN (%s)',
                'SELECT correlation_exclusions.value FROM correlation_exclusions WHERE correlations.value = correlation_exclusions.value'
            ),
            sprintf(
                'EXISTS (SELECT NULL FROM correlation_exclusions WHERE (%s) OR (%s))',
                "correlations.value LIKE CONCAT('%', correlation_exclusions.value)",
                "correlations.value LIKE CONCAT(correlation_exclusions.value, '%')"
            )
        );
        $this->query($query);
        $this->Job->saveProgress($jobId, 'Job done.', 100);
    }
}
new: [correlation] added system to exclude certain values from the correlation engine - simply add values at /exclude_correlations - new values coming in will not correlate if they trip over the values listed there - to remove existing correlations run the cleaner tool on the above endpoint - values can be 1:1 matches, or substring searches (denoted with a leading, ending, or both '%') - https://www.google.com/% will match anything starting with https://www.google.com/ - %google.com% will match anything that contains google.com 2021-01-07 09:31:38 +01:00			`<?php`
			`App::uses('AppModel', 'Model');`
			`App::uses('RandomTool', 'Tools');`

			`class CorrelationExclusion extends AppModel`
			`{`
			`public $recursive = -1;`

			`public $key = 'misp:correlation_exclusions';`

			`public $actsAs = array(`
			`'SysLogLogable.SysLogLogable' => array(`
			`'userModel' => 'User',`
			`'userKey' => 'user_id',`
			`'change' => 'full'),`
			`'Containable',`
			`);`

new: [Correlations] Added cached toplist - stored via zset in redis - very fast, but needs to be generated - generation background processed 2021-04-27 00:40:40 +02:00			`public $validate = [`
			`'value' => [`
			`'uniqueValue' => [`
			`'rule' => 'isUnique',`
			`'message' => 'Value is already in the exclusion list.'`
			`]`
			`]`
			`];`

new: [correlation] added system to exclude certain values from the correlation engine - simply add values at /exclude_correlations - new values coming in will not correlate if they trip over the values listed there - to remove existing correlations run the cleaner tool on the above endpoint - values can be 1:1 matches, or substring searches (denoted with a leading, ending, or both '%') - https://www.google.com/% will match anything starting with https://www.google.com/ - %google.com% will match anything that contains google.com 2021-01-07 09:31:38 +01:00			`public function afterSave($created, $options = array())`
			`{`
			`$this->cacheValues();`
			`}`

new: [Correlations] refactor / rework - moved to own controller and model - refactored several long incomprehensible functions - extracted reused tasks from functions and made them reusable - added a way to correlate individual values as opposed to attributes - Added top correlations index 2021-04-25 17:36:29 +02:00			`public function beforeDelete($cascade = true)`
			`{`
			`$exclusion = $this->find('first', [`
			`'recursive' => -1,`
			`'conditions' => [`
			`'id' => $this->id`
			`]`
			`]);`
			`$this->Correlation = ClassRegistry::init('Correlation');`
			`if (!empty($exclusion)) {`
			`$this->Correlation->correlateValueRouter($exclusion['CorrelationExclusion']['value']);`
			`}`
			`}`

new: [correlation] added system to exclude certain values from the correlation engine - simply add values at /exclude_correlations - new values coming in will not correlate if they trip over the values listed there - to remove existing correlations run the cleaner tool on the above endpoint - values can be 1:1 matches, or substring searches (denoted with a leading, ending, or both '%') - https://www.google.com/% will match anything starting with https://www.google.com/ - %google.com% will match anything that contains google.com 2021-01-07 09:31:38 +01:00			`public function afterDelete()`
			`{`
			`$this->cacheValues();`
			`}`

			`public function cacheValues()`
			`{`
			`try {`
			`$redis = $this->setupRedisWithException();`
			`} catch (Exception $e) {`
			`return false;`
			`}`
			`$redis->del($this->key);`
chg: [internal] Optimise correlation exclusion 2021-01-29 16:02:24 +01:00			`$exclusions = $this->find('column', [`
			`'fields' => ['value']`
new: [correlation] added system to exclude certain values from the correlation engine - simply add values at /exclude_correlations - new values coming in will not correlate if they trip over the values listed there - to remove existing correlations run the cleaner tool on the above endpoint - values can be 1:1 matches, or substring searches (denoted with a leading, ending, or both '%') - https://www.google.com/% will match anything starting with https://www.google.com/ - %google.com% will match anything that contains google.com 2021-01-07 09:31:38 +01:00			`]);`
			`$redis->sAddArray($this->key, $exclusions);`
			`}`

			`public function cleanRouter($user)`
			`{`
			`if (Configure::read('MISP.background_jobs')) {`
			`$this->Job = ClassRegistry::init('Job');`
			`$this->Job->create();`
			`$data = [`
			`'worker' => 'default',`
			`'job_type' => 'clean_correlation_exclusions',`
			`'job_input' => '',`
			`'status' => 0,`
			`'retries' => 0,`
			`'org' => $user['Organisation']['name'],`
			`'message' => __('Cleaning up excluded correlations.'),`
			`];`
			`$this->Job->save($data);`
			`$jobId = $this->Job->id;`
			`$process_id = CakeResque::enqueue(`
			`'default',`
			`'AdminShell',`
			`['cleanExcludedCorrelations', $jobId],`
			`true`
			`);`
			`$this->Job->saveField('process_id', $process_id);`
			`$message = __('Cleanup queued for background execution.');`
			`} else {`
			`$this->clean();`
			`}`
			`}`

			`public function clean($jobId = false)`
			`{`
			`if ($jobId) {`
			`$this->Job = ClassRegistry::init('Job');`
			`$this->Job->id = $jobId;`
			`}`
new: [Correlation exclusions] clean function reworked - does everything on DB side - no more issues with large lists being passed around - should also be a fair bit faster 2021-04-28 00:39:30 +02:00			`$query = sprintf(`
			`'DELETE FROM correlations where (%s) or (%s);',`
			`sprintf(`
			`'value IN (%s)',`
			`'SELECT correlation_exclusions.value FROM correlation_exclusions WHERE correlations.value = correlation_exclusions.value'`
			`),`
			`sprintf(`
			`'EXISTS (SELECT NULL FROM correlation_exclusions WHERE (%s) OR (%s))',`
			`"correlations.value LIKE CONCAT('%', correlation_exclusions.value)",`
			`"correlations.value LIKE CONCAT(correlation_exclusions.value, '%')"`
			`)`
			`);`
			`$this->query($query);`
			`$this->Job->saveProgress($jobId, 'Job done.', 100);`
new: [correlation] added system to exclude certain values from the correlation engine - simply add values at /exclude_correlations - new values coming in will not correlate if they trip over the values listed there - to remove existing correlations run the cleaner tool on the above endpoint - values can be 1:1 matches, or substring searches (denoted with a leading, ending, or both '%') - https://www.google.com/% will match anything starting with https://www.google.com/ - %google.com% will match anything that contains google.com 2021-01-07 09:31:38 +01:00			`}`
			`}`