MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

Work on the new attribute types

pull/762/head
Iglocska 2015-07-06 18:19:51 +02:00
parent 0481e6eb02
commit 038ccd99bd
4 changed files with 441 additions and 265 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app/Controller/ServersController.php
View File

@ -631,7 +631,7 @@ class ServersController extends AppController {
if ($afterResult !== true) {
$this->Log->create();
$result = $this->Log->save(array(
'org' => $this->Auth->user('org'),
'org_id' => $this->Auth->user('org_id'),
'model' => 'Server',
'model_id' => 0,
'email' => $this->Auth->user('email'),
@ -659,7 +659,7 @@ class ServersController extends AppController {
$this->Server->serverSettingsSaveValue($setting, $this->request->data['Server']['value']);
$this->Log->create();
$result = $this->Log->save(array(
'org' => $this->Auth->user('org'),
'org_id' => $this->Auth->user('org_id'),
'model' => 'Server',
'model_id' => 0,
'email' => $this->Auth->user('email'),
@ -674,7 +674,7 @@ class ServersController extends AppController {
if ($afterResult !== true) {
$this->Log->create();
$result = $this->Log->save(array(
'org' => $this->Auth->user('org'),
'org_id' => $this->Auth->user('org_id'),
'model' => 'Server',
'model_id' => 0,
'email' => $this->Auth->user('email'),

179
app/Lib/Tools/FinancialTool.php Normal file
View File

@ -0,0 +1,179 @@
<?php
class FinancialTool {
public $ibanLengths = array(
'AD' => '24',
'AE' => '23',
'AL' => '28',
'AO' => '25',
'AT' => '20',
'AZ' => '28',
'BA' => '20',
'BE' => '16',
'BF' => '27',
'BG' => '22',
'BH' => '22',
'BI' => '16',
'BJ' => '28',
'BR' => '29',
'CG' => '27',
'CH' => '21',
'CI' => '28',
'CM' => '27',
'CR' => '21',
'CV' => '25',
'CY' => '28',
'CZ' => '24',
'DE' => '22',
'DK' => '18',
'DO' => '28',
'DZ' => '24',
'EE' => '20',
'EG' => '27',
'ES' => '24',
'FI' => '18',
'FO' => '18',
'FR' => '27',
'GA' => '27',
'GB' => '22',
'GE' => '22',
'GI' => '23',
'GL' => '18',
'GR' => '27',
'GT' => '28',
'HR' => '21',
'HU' => '28',
'IE' => '22',
'IL' => '23',
'IR' => '26',
'IS' => '26',
'IT' => '27',
'JO' => '30',
'KW' => '30',
'KZ' => '20',
'LB' => '28',
'LC' => '32',
'LI' => '21',
'LT' => '20',
'LU' => '20',
'LV' => '21',
'MC' => '27',
'MD' => '24',
'ME' => '22',
'MG' => '27',
'MK' => '19',
'ML' => '28',
'MR' => '27',
'MT' => '31',
'MU' => '30',
'MZ' => '25',
'NL' => '18',
'NO' => '15',
'PK' => '24',
'PL' => '28',
'PS' => '29',
'PT' => '25',
'QA' => '29',
'RO' => '24',
'RS' => '22',
'SA' => '24',
'SE' => '24',
'SI' => '19',
'SK' => '24',
'SM' => '27',
'SN' => '28',
'TN' => '24',
'TR' => '26',
'UA' => '29',
'VG' => '24',
'XK' => '20'
);
// validating using method described on wikipedia @ https://en.wikipedia.org/wiki/International_Bank_Account_Number#Algorithms
public function validateIBAN($iban) {
if (strlen($iban) < 15 || strlen($iban) > 32) return false;
$temp = substr($iban, 4) . substr($iban, 0, 4);
$temp2 = '';
debug($temp);
for ($i = 0; $i < strlen($temp); $i++) {
if (is_numeric($temp[$i])) $temp2 .= $temp[$i];
else $temp2 .= ord(strtolower($temp[$i])) - 87;
}
$temp = bcmod($temp2, 97);
return intval($temp)===1 ? true : false;
}
public function validateBIC($bic) {
if (preg_match('/^([A-Z]{4})([A-Z]){2}([0-9A-Z]){2}([0-9A-Z]{3})?$/i', $bic)) return true;
return false;
}
public function validateBIN($bin) {
if (is_numeric($bin) && strlen($bin) == 6) return true;
return false;
}
// based on the explanation at www.freeformatter.com/credit-card-number-generator-validator.html#validate
public function validateCC($cc) {
debug($cc);
if (is_numeric($cc) && strlen($cc) > 12 && strlen($cc) < 20) {
$lastDigit = substr($cc, strlen($cc) - 1);
$numberArray = str_split($cc);
$lastDigit = $numberArray[count($numberArray) - 1];
unset($numberArray[count($numberArray) - 1]);
$numberArray = array_reverse($numberArray);
$sum = 0;
foreach ($numberArray as $k => &$number) {
$number = intval($number);
if ($k%2 == 0) $number *= 2;
if ($number > 9) $number -=9;
$sum += $number;
}
if ($sum%10 == $lastDigit) return true;
return false;
}
return false;
}
// based on the php implementation of the BTC address validation example from
// http://rosettacode.org/wiki/Bitcoin/address_validation
public function validateBTC($address){
if (strlen($address) < 26 || strlen($address) > 35) return false;
$decoded = $this->__decodeBase58($address);
if ($decoded === false) return false;
$d1 = hash("sha256", substr($decoded,0,21), true);
$d2 = hash("sha256", $d1, true);
if(substr_compare($decoded, $d2, 21, 4)){
return false;
}
return true;
}
private function __decodeBase58($input) {
$alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
$out = array_fill(0, 25, 0);
for($i=0;$i<strlen($input);$i++){
if(($p=strpos($alphabet, $input[$i]))===false){
return false;
}
$c = $p;
for ($j = 25; $j--; ) {
$c += (int)(58 * $out[$j]);
$out[$j] = (int)($c % 256);
$c /= 256;
$c = (int)$c;
}
if($c != 0){
return false;
}
}
$result = "";
foreach($out as $val){
$result .= chr($val);
}
return $result;
}
}

399
app/Model/Attribute.php
View File

@ -3,6 +3,7 @@
App::uses('AppModel', 'Model');
App::uses('Folder', 'Utility');
App::uses('File', 'Utility');
App::uses('FinancialTool', 'Tools');
/**
* Attribute Model
@ -120,7 +121,7 @@ class Attribute extends AppModel {
'attachment' => array('desc' => 'Attachment with external information', 'formdesc' => "Please upload files using the <em>Upload Attachment</em> button."),
'malware-sample' => array('desc' => 'Attachment containing encrypted malware sample', 'formdesc' => "Please upload files using the <em>Upload Attachment</em> button."),
'link' => array('desc' => 'Link to an external information'),
'comment' => array('desc' => 'Comment or description in a human language', 'formdesc' => 'Comment or description in a human language. This will not be correlated with other attributes (NOT IMPLEMENTED YET)'),
'comment' => array('desc' => 'Comment or description in a human language', 'formdesc' => 'Comment or description in a human language. This will not be correlated with other attributes'),
'text' => array('desc' => 'Name, ID or a reference'),
'other' => array('desc' => 'Other attribute'),
'named pipe' => array('desc' => 'Named pipe, use the format \\.\pipe\<PipeName>'),
@ -131,6 +132,46 @@ class Attribute extends AppModel {
'target-org' => array('desc' => 'Attack Targets Department or Orginization(s)'),
'target-location' => array('desc' => 'Attack Targets Physical Location(s)'),
'target-external' => array('desc' => 'External Target Orginizations Affected by this Attack'),
'btc' => array('desc' => 'Bitcoin Address'),//
'iban' => array('desc' => 'International Bank Account Number'),//
'bic' => array('desc' => 'Bank Identifier Code Number'),//
'bin' => array('desc' => 'Bank Identification Number'),//
'cc-number' => array('desc' => 'Credit-Card Number'),//
'prtn' => array('desc' => 'Premium-Rate Telephone Number'),//
'threat-actor' => array('desc' => 'A string identifying the threat actor'),//
'campaign-name' => array('desc' => 'Associated campaign name'),//
'campaign-id' => array('desc' => 'Associated campaign ID'),//
'malware-type' => array('desc' => 'test'),//
'uri' => array('desc' => 'test'),
'authentihash' => array('desc' => 'Authenticode executable signature hash', 'formdesc' => "You are encouraged to use filename|authentihash instead. Authenticode executable signature hash, only use this if you don't know the correct filename"),//x
'ssdeep' => array('desc' => 'A checksum in ssdeep format', 'formdesc' => "You are encouraged to use filename|ssdeep instead. A checksum in the SSDeep format, only use this if you don't know the correct filename"),////x
'imphash' => array('desc' => 'Import hash - a hash created based on the imports in the sample.', 'formdesc' => "You are encouraged to use filename|imphash instead. A hash created based on the imports in the sample, only use this if you don't know the correct filename"),//x
'pehash' => array('desc' => 'test'),//x
'sha-224' => array('desc' => 'A checksum in sha-224 format', 'formdesc' => "You are encouraged to use filename|sha224 instead. A checksum in sha224 format, only use this if you don't know the correct filename"),//x
'sha-384' => array('desc' => 'A checksum in sha-384 format', 'formdesc' => "You are encouraged to use filename|sha384 instead. A checksum in sha384 format, only use this if you don't know the correct filename"),//x
'sha-512' => array('desc' => 'A checksum in sha-512 format', 'formdesc' => "You are encouraged to use filename|sha512 instead. A checksum in sha512 format, only use this if you don't know the correct filename"),//x
'sha-512/224' => array('desc' => 'A checksum in the sha-512/224 format', 'formdesc' => "You are encouraged to use filename|sha512/224 instead. A checksum in sha512/224 format, only use this if you don't know the correct filename"),//x
'sha-512/256' => array('desc' => 'A checksum in the sha-512/256 format', 'formdesc' => "You are encouraged to use filename|sha512/256 instead. A checksum in sha512/256 format, only use this if you don't know the correct filename"),//x
'tlsh' => array('desc' => 'A checksum in the Trend Micro Locality Sensitive Hash format', 'formdesc' => "You are encouraged to use filename|tlsh instead. A checksum in the Trend Micro Locality Sensitive Hash format, only use this if you don't know the correct filename"),//x
'filename|authentihash' => array('desc' => 'A checksum in md5 format'),
'filename|ssdeep' => array('desc' => 'A checksum in ssdeep format'),//x
'filename|imphash' => array('desc' => 'Import hash - a hash created based on the imports in the sample.'),//x
'filename|pehash' => array('desc' => ''),//x
'filename|sha-224' => array('desc' => 'A filename and a sha-224 hash separated by a |'),//x
'filename|sha-384' => array('desc' => 'A filename and a sha-384 hash separated by a |'),//x
'filename|sha-512' => array('desc' => 'A filename and a sha-512 hash separated by a |'),//x
'filename|sha-512/224' => array('desc' => 'A filename and a sha-512/224 hash separated by a |'),//x
'filename|sha-512/256' => array('desc' => 'A filename and a sha-512/256 hash separated by a |'),//x
'filename|tlsh' => array('desc' => 'A filename and a Trend Micro Locality Sensitive Hash separated by a |'),//x
'windows-scheduled-task' => array('desc' => 'A scheduled task in windows'),
'windows-service-name' => array('desc' => 'A windows service name. This is the name used internally by windows. Not to be confused with the windows-service-displayname.'),//x
'windows-service-displayname' => array('desc' => 'A windows service\'s displayname, not to be confused with the windows-service-name. This is the name that applications will generally display as the service\'s name in applications.'),//x
'whois-registrant-email' => array('desc' => 'The e-mail of a domain\'s registrant, obtained from the WHOIS information.'),//x
'whois-registrant-phone' => array('desc' => 'The phone number of a domain\'s registrant, obtained from the WHOIS information.'),//x
'targeted-threat-index' => array('desc' => 'test'),
'mailslot' => array('desc' => 'test'),
'pipe' => array('desc' => 'test'),
'ssl-cert-attributes' => array('desc' => 'test'),
);
// definitions of categories
@ -152,16 +193,16 @@ class Attribute extends AppModel {
'Payload delivery' => array(
'desc' => 'Information about how the malware is delivered',
'formdesc' => 'Information about the way the malware payload is initially delivered, for example information about the email or web-site, vulnerability used, originating IP etc. Malware sample itself should be attached here.',
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'url', 'ip-dst', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'yara', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'vulnerability', 'other')
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'authentihash', 'pehash', 'tlsh', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'ip-src', 'ip-dst', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'url', 'ip-dst', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'yara', 'attachment', 'malware-sample', 'link', 'malware-type', 'comment', 'text', 'vulnerability', 'other')
),
'Artifacts dropped' => array(
'desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system',
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'yara', 'attachment', 'malware-sample', 'comment', 'text', 'other', 'named pipe', 'mutex')
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'authentihash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'yara', 'attachment', 'malware-sample', 'named pipe', 'mutex', 'windows-scheduled-task', 'windows-service-name', 'windows-service-displayname', 'comment', 'text', 'other')
),
'Payload installation' => array(
'desc' => 'Info on where the malware gets installed in the system',
'formdesc' => 'Location where the payload was placed in the system and the way it was installed. For example, a filename|md5 type attribute can be added here like this: c:\\windows\\system32\\malicious.exe|41d8cd98f00b204e9800998ecf8427e.',
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'yara', 'vulnerability', 'attachment', 'malware-sample', 'comment', 'text', 'other')
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'authentihash', 'pehash', 'tlsh', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'yara', 'vulnerability', 'attachment', 'malware-sample', 'malware-type', 'comment', 'text', 'other')
),
'Persistence mechanism' => array(
'desc' => 'Mechanisms used by the malware to start at boot',
@ -170,7 +211,7 @@ class Attribute extends AppModel {
),
'Network activity' => array(
'desc' => 'Information about network traffic generated by the malware',
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'email-dst', 'url', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'other')
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'other')
),
'Payload type' => array(
'desc' => 'Information about the final payload(s)',
@ -179,13 +220,18 @@ class Attribute extends AppModel {
),
'Attribution' => array(
'desc' => 'Identification of the group, organisation, or country behind the attack',
'types' => array('comment', 'text', 'other')
'types' => array('threat-actor', 'campaign-name', 'campaign-id', 'whois-registrant-phone', 'whois-registrant-email', 'comment', 'text', 'other')
),
'External analysis' => array(
'desc' => 'Any other result from additional analysis of the malware like tools output',
'formdesc' => 'Any other result from additional analysis of the malware like tools output Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'hostname', 'domain', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'other')
),
'Financial fraud' => array(
'desc' => 'Financial Fraud indicators',
'formdesc' => 'Financial Fraud indicators, for example: IBAN Numbers, BIC codes, Credit card numbers, etc.',
'types' => array('btc', 'iban', 'bic', 'bin', 'cc-number', 'prtn', 'comment', 'text', 'other'),
),
'Other' => array(
'desc' => 'Attributes that are not part of any other category',
'types' => array('comment', 'text', 'other')
@ -234,6 +280,7 @@ class Attribute extends AppModel {
'Payload type',
'Attribution',
'External analysis',
'Financial fraud',
'Other',
'' // FIXME remove this once all attributes have a category. Otherwise sigs without category are not shown in the list
)),
@ -328,8 +375,7 @@ class Attribute extends AppModel {
public function __construct($id = false, $table = null, $ds = null) {
parent::__construct($id, $table, $ds);
}
}
//The Associations below have been created with all possible keys, those that are not needed can be removed
@ -429,24 +475,10 @@ class Attribute extends AppModel {
if (!isset($this->data['Attribute']['type'])) {
return false;
}
switch($this->data['Attribute']['type']) {
// lowercase these things
case 'md5':
case 'sha1':
case 'sha256':
case 'domain':
case 'hostname':
$this->data['Attribute']['value'] = strtolower($this->data['Attribute']['value']);
break;
case 'filename|md5':
case 'filename|sha1':
case 'filename|sha256':
$pieces = explode('|', $this->data['Attribute']['value']);
$this->data['Attribute']['value'] = $pieces[0] . '|' . strtolower($pieces[1]);
break;
}
// make some last changes to the inserted value
$this->data['Attribute']['value'] = $this->modifyBeforeValidation($this->data['Attribute']['type'], $this->data['Attribute']['value']);
// uppercase the following types
switch($this->data['Attribute']['type']) {
case 'http-method':
@ -519,30 +551,61 @@ class Attribute extends AppModel {
return $this->runValidation($value, $this->data['Attribute']['type']);
}
private $__hexHashLengths = array(
'authentihash' => 64,
'md5' => 32,
'imphash' => 32,
'sha1' => 40,
'pehash' => 40,
'sha224' => 56,
'sha256' => 64,
'sha384' => 96,
'sha512' => 128,
'sha512/224' => 56,
'sha512/256' => 64,
);
public function runValidation($value, $type) {
$returnValue = false;
// check data validation
switch($type) {
case 'md5':
if (preg_match("#^[0-9a-f]{32}$#", $value)) {
case 'imphash':
case 'sha1':
case 'sha224':
case 'sha256':
case 'sha384':
case 'sha512':
case 'sha512/224':
case 'sha512/256':
case 'authentihash':
$length = $this->__hexHashLengths[$type];
if (preg_match("#^[0-9a-f]{" . $length . "}$#", $value)) {
$returnValue = true;
} else {
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
$returnValue = 'Checksum has invalid length or format (expected: ' . $length . ' hexadecimal characters). Please double check the value or select "other" for a type.';
}
break;
case 'sha1':
case 'tlsh':
if (preg_match("#^[0-9a-f]{35,}$#", $value)) {
$returnValue = true;
} else {
$returnValue = 'Checksum has invalid length or format (expected: at least 35 hexadecimal characters). Please double check the value or select "other" for a type.';
}
break;
case 'pehash':
if (preg_match("#^[0-9a-f]{40}$#", $value)) {
$returnValue = true;
} else {
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
$returnValue = 'The input doesn\'t match the expected sha1 format (expected: 40 hexadecimal characters). Keep in mind that MISP currently only supports SHA1 for PEhashes, if you would like to get the support extended to other hash types, make sure to create a github ticket about it at https://github.com/MISP/MISP!';
}
break;
case 'sha256':
if (preg_match("#^[0-9a-f]{64}$#", $value)) {
$returnValue = true;
} else {
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
}
case 'ssdeep':
if (substr_count($value, ':') == 2) {
$parts = explode(':', $value);
if (is_numeric($parts[0])) $returnValue = true;
}
if (!$returnValue) $returnValue = 'Invalid SSDeep hash. The format has to be blocksize:hash:hash';
break;
case 'http-method':
if (preg_match("#(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH)#", $value)) {
@ -551,57 +614,52 @@ class Attribute extends AppModel {
$returnValue = 'Unknown HTTP method.';
}
break;
case 'filename':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'filename|md5':
// no newline
if (preg_match("#^.+\|[0-9a-f]{32}$#", $value)) {
$returnValue = true;
} else {
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
}
break;
case 'filename|sha1':
case 'filename|pehash':
// no newline
if (preg_match("#^.+\|[0-9a-f]{40}$#", $value)) {
$returnValue = true;
} else {
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
$returnValue = 'The input doesn\'t match the expected filename|sha1 format (expected: filename|40 hexadecimal characters). Keep in mind that MISP currently only supports SHA1 for PEhashes, if you would like to get the support extended to other hash types, make sure to create a github ticket about it at https://github.com/MISP/MISP!';
}
break;
case 'filename|md5':
case 'filename|sha1':
case 'filename|imphash':
case 'filename|sha224':
case 'filename|sha256':
// no newline
if (preg_match("#^.+\|[0-9a-f]{64}$#", $value)) {
case 'filename|sha384':
case 'filename|sha512':
case 'filename|sha512/224':
case 'filename|sha512/256':
case 'filename|authentihash':
$parts = explode('|', $type);
$length = $this->__hexHashLengths[$parts[1]];
if (preg_match("#^.+\|[0-9a-f]{" . $length . "}$#", $value)) {
$returnValue = true;
} else {
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
$returnValue = 'Checksum has invalid length or format (expected: filename|' . $length . ' hexadecimal characters). Please double check the value or select "other" for a type.';
}
break;
case 'filename|ssdeep':
if (substr_count($value, '|') != 1 || !preg_match("#^.+\|.+$#", $value)) $returnValue = 'Invalid composite type. The format has to be ' . $type . '.';
else {
$composite = explode('|', $value);
$value = $composite[1];
if (substr_count($value, ':') == 2) {
$parts = explode(':', $value);
if (is_numeric($parts[0])) $returnValue = true;
}
if (!$returnValue) $returnValue = 'Invalid SSDeep hash (expected: blocksize:hash:hash).';
}
break;
case 'filename|tlsh':
if (preg_match("#^.+\|[0-9a-f]{35,}$#", $value)) {
$returnValue = true;
} else {
$returnValue = 'Checksum has invalid length or format (expected: filename|at least 35 hexadecimal characters). Please double check the value or select "other" for a type.';
}
break;
case 'ip-src':
$parts = explode("/", $value);
// [0] = the ip
// [1] = the network address
if (count($parts) <= 2 ) {
// ipv4 and ipv6 matching
if (filter_var($parts[0],FILTER_VALIDATE_IP)) {
// ip is validated, now check if we have a valid network mask
if (empty($parts[1])) {
$returnValue = true;
} else {
if (is_numeric($parts[1]) && $parts[1] < 129) {
$returnValue = true;
}
}
}
}
if (!$returnValue) {
$returnValue = 'IP address has invalid format. Please double check the value or select "other" for a type.';
}
break;
case 'ip-dst':
$parts = explode("/", $value);
// [0] = the ip
@ -632,14 +690,9 @@ class Attribute extends AppModel {
}
break;
case 'email-src':
// we don't use the native function to prevent issues with partial email addresses
if (preg_match("#^[A-Z0-9._%+-]*@[A-Z0-9.\-_]+\.[A-Z]{2,}$#i", $value)) {
$returnValue = true;
} else {
$returnValue = 'Email address has invalid format. Please double check the value or select "other" for a type.';
}
break;
case 'email-dst':
case 'target-email':
case 'whois-registrant-email':
// we don't use the native function to prevent issues with partial email addresses
if (preg_match("#^[A-Z0-9._%+-]*@[A-Z0-9.\-_]+\.[A-Z]{2,}$#i", $value)) {
$returnValue = true;
@ -647,42 +700,6 @@ class Attribute extends AppModel {
$returnValue = 'Email address has invalid format. Please double check the value or select "other" for a type.';
}
break;
case 'email-subject':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'email-attachment':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'url':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'user-agent':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'regkey':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'regkey|value':
// no newline
if (preg_match("#(.)+\|(.)+#", $value) && !preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'vulnerability':
if (preg_match("#^(CVE-)[0-9]{4}(-)[0-9]{4,6}$#", $value)) {
$returnValue = true;
@ -695,6 +712,10 @@ class Attribute extends AppModel {
$returnValue = true;
}
break;
case 'windows-service-name':
case 'windows-service-displayname':
if (strlen($value) > 256 || preg_match('#[\\\/]#')) $returnValue = 'Invalid format. Only values shorter than 256 characters that don\'t include any forward or backward slashes are allowed.';
break;
case 'mutex':
case 'AS':
case 'snort':
@ -717,44 +738,130 @@ class Attribute extends AppModel {
$returnValue = true;
break;
case 'target-user':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'target-email':
if (preg_match("#^[A-Z0-9._%+-]*@[A-Z0-9.-]+\.[A-Z]{2,4}$#i", $value)) {
$returnValue = true;
} else {
$returnValue = 'Email address has invalid format. Please double check the value or select "other" for a type.';
}
break;
case 'campaign-name':
case 'campaign-id':
case 'threat-actor':
case 'target-machine':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'target-org':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'target-location':
// no newline
case 'target-external':
case 'email-subject':
case 'email-attachment':
case 'url':
case 'user-agent':
case 'regkey':
case 'regkey|value':
case 'filename':
case 'windows-scheduled-task':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'target-external':
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
case 'targeted-threat-index':
if (!is_numeric($value) || $value < 0 || $value > 10) $returnValue = 'The value has to be a number between 0 and 10.';
else $returnValue = true;
break;
case 'btc':
$fTool = new FinancialTool();
if ($fTool->validateBTC($value)) {
$returnValue = true;
}
break;
case 'iban':
$fTool = new FinancialTool();
if ($fTool->validateIBAN($value)) {
$returnValue = true;
}
break;
case 'bic':
$fTool = new FinancialTool();
if ($fTool->validateBIC($value)) {
$returnValue = true;
}
break;
case 'bin':
$fTool = new FinancialTool();
if ($fTool->validateBIN($value)) {
$returnValue = true;
}
break;
case 'cc-number':
$fTool = new FinancialTool();
if ($fTool->validateCC($value)) {
$returnValue = true;
}
break;
case 'prtn':
case 'whois-registrant-phone':
if (is_numeric($value)) {
$returnValue = true;
}
break;
}
return $returnValue;
}
// do some last second modifications before the validation
public function modifyBeforeValidation($type, $value) {
switch($type) {
case 'md5':
case 'sha1':
case 'sha224':
case 'sha256':
case 'sha384':
case 'sha512':
case 'sha512/224':
case 'sha512/256':
case 'sha256':
case 'domain':
case 'hostname':
case 'pehash':
case 'authentihash':
case 'imphash':
case 'tlsh':
case 'email-src':
case 'email-dst':
case 'target-email':
case 'whois-registrant-email':
$value = strtolower($value);
break;
case 'filename|md5':
case 'filename|sha1':
case 'filename|imphash':
case 'filename|sha224':
case 'filename|sha256':
case 'filename|sha384':
case 'filename|sha512':
case 'filename|sha512/224':
case 'filename|sha512/256':
case 'filename|authentihash':
case 'filename|pehash':
case 'filename|tlsh':
$pieces = explode('|', $value);
$value = $pieces[0] . '|' . strtolower($pieces[1]);
break;
case 'http-method':
$value = strtoupper($value);
break;
case 'cc-number':
case 'bic':
case 'bin':
$value = preg_replace('/[^0-9]+/', '', $value);
break;
case 'iban':
$value = strtoupper($value);
$value = preg_replace('/[^0-9A-Z]+/', '', $value);
break;
case 'prtn':
case 'whois-registrant-phone':
if (substr($value, 0, 1) == '+') $value = '00' . $value(substr($value, 1));
$value = preg_replace('/[^0-9]+/', '', $value);
break;
}
return $value;
}
public function getCompositeTypes() {
// build the list of composite Attribute.type dynamically by checking if type contains a |

122
app/Model/ShadowAttribute.php
View File

@ -80,107 +80,8 @@ class ShadowAttribute extends AppModel {
'attachment'
);
public $typeDefinitions = array(
'md5' => array('desc' => 'A checksum in md5 format', 'formdesc' => "You are encouraged to use filename|md5 instead. <br/>A checksum in md5 format, only use this if you don't know the correct filename"),
'sha1' => array('desc' => 'A checksum in sha1 format', 'formdesc' => "You are encouraged to use filename|sha1 instead. <br/>A checksum in sha1 format, only use this if you don't know the correct filename"),
'sha256' => array('desc' => 'A checksum in sha256 format', 'formdesc' => "You are encouraged to use filename|sha256 instead. A checksum in sha256 format, o nly use this if you don't know the correct filename"),
'filename' => array('desc' => 'Filename'),
'filename|md5' => array('desc' => 'A filename and an md5 hash separated by a |', 'formdesc' => "A filename and an md5 hash separated by a | (no spaces)"),
'filename|sha1' => array('desc' => 'A filename and an sha1 hash separated by a |', 'formdesc' => "A filename and an sha1 hash separated by a | (no spaces)"),
'ip-src' => array('desc' => "A source IP address of the attacker"),
'ip-dst' => array('desc' => 'A destination IP address of the attacker or C&C server', 'formdesc' => "A destination IP address of the attacker or C&C server. <br/>Also set the IDS flag on when this IP is hardcoded in malware"),
'hostname' => array('desc' => 'A full host/dnsname of an attacker', 'formdesc' => "A full host/dnsname of an attacker. <br/>Also set the IDS flag on when this hostname is hardcoded in malware"),
'domain' => array('desc' => 'A domain name used in the malware', 'formdesc' => "A domain name used in the malware. <br/>Use this instead of hostname when the upper domain is <br/>important or can be used to create links between events."),
'email-src' => array('desc' => "The email address (or domainname) used to send the malware."),
'email-dst' => array('desc' => "A recipient email address", 'formdesc' => "A recipient email address that is not related to your constituency."),
'email-subject' => array('desc' => "The subject of the email"),
'email-attachment' => array('desc' => "File name of the email attachment."),
'url' => array('desc' => 'url'),
'http-method' => array('desc' => "HTTP method used by the malware (e.g. POST, GET, ...)."),
'user-agent' => array('desc' => "The user-agent used by the malware in the HTTP request."),
'regkey' => array('desc' => "Registry key or value"),
'regkey|value' => array('desc' => "Registry value + data separated by |"),
'AS' => array('desc' => 'Autonomous system'),
'snort' => array('desc' => 'An IDS rule in Snort rule-format', 'formdesc' => "An IDS rule in Snort rule-format. <br/>This rule will be automatically rewritten in the NIDS exports."),
'pattern-in-file' => array('desc' => 'Pattern in file that identifies the malware'),
'pattern-in-traffic' => array('desc' => 'Pattern in network traffic that identifies the malware'),
'pattern-in-memory' => array('desc' => 'Pattern in memory dump that identifies the malware'),
'yara' => array('desc' => 'Yara signature'),
'vulnerability' => array('desc' => 'A reference to the vulnerability used in the exploit'),
'attachment' => array('desc' => 'Attachment with external information', 'formdesc' => "Please upload files using the <em>Upload Attachment</em> button."),
'malware-sample' => array('desc' => 'Attachment containing encrypted malware sample', 'formdesc' => "Please upload files using the <em>Upload Attachment</em> button."),
'link' => array('desc' => 'Link to an external information'),
'comment' => array('desc' => 'Comment or description in a human language', 'formdesc' => 'Comment or description in a human language. <br/> This will not be correlated with other attributes (NOT IMPLEMENTED YET)'),
'text' => array('desc' => 'Name, ID or a reference'),
'named pipe' => array('desc' => 'Named pipe, use the format \\.\pipe\<PipeName>'),
'mutex' => array('desc' => 'Mutex, use the format \BaseNamedObjects\<Mutex>'),
'other' => array('desc' => 'Other attribute'),
'target-user' => array('desc' => 'Attack Targets Username(s)'),
'target-email' => array('desc' => 'Attack Targets Email(s)'),
'target-machine' => array('desc' => 'Attack Targets Machine Name(s)'),
'target-org' => array('desc' => 'Attack Targets Department or Orginization(s)'),
'target-location' => array('desc' => 'Attack Targets Physical Location(s)'),
'target-external' => array('desc' => 'External Target Orginizations Affected by this Attack'),
);
// definitions of categories
public $categoryDefinitions = array(
'Internal reference' => array(
'desc' => 'Reference used by the publishing party (e.g. ticket number)',
'types' => array('link', 'comment', 'text', 'other')
),
'Targeting data' => array(
'desc' => 'Internal Attack Targeting and Compromise Information',
'formdesc' => 'Targeting information to include recipient email, infected machines, department, and or locations.<br/>',
'types' => array('target-user', 'target-email', 'target-machine', 'target-org', 'target-location', 'target-external', 'comment')
),
'Antivirus detection' => array(
'desc' => 'All the info about how the malware is detected by the antivirus products',
'formdesc' => 'List of anti-virus vendors detecting the malware or information on detection performance (e.g. 13/43 or 67%).<br/>Attachment with list of detection or link to VirusTotal could be placed here as well.',
'types' => array('link', 'comment', 'text', 'attachment', 'other')
),
'Payload delivery' => array(
'desc' => 'Information about how the malware is delivered',
'formdesc' => 'Information about the way the malware payload is initially delivered, <br/>for example information about the email or web-site, vulnerability used, originating IP etc. <br/>Malware sample itself should be attached here.',
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'url', 'ip-dst', 'user-agent', 'http-method', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'yara', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'vulnerability', 'other')
),
'Artifacts dropped' => array(
'desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system',
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha256', 'filename|sha1', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'yara', 'attachment', 'malware-sample', 'comment', 'text', 'other', 'named pipe', 'mutex')
),
'Payload installation' => array(
'desc' => 'Info on where the malware gets installed in the system',
'formdesc' => 'Location where the payload was placed in the system and the way it was installed.<br/>For example, a filename|md5 type attribute can be added here like this:<br/>c:\\windows\\system32\\malicious.exe|41d8cd98f00b204e9800998ecf8427e.',
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'yara', 'vulnerability', 'attachment', 'malware-sample', 'comment', 'text', 'other')
),
'Persistence mechanism' => array(
'desc' => 'Mechanisms used by the malware to start at boot',
'formdesc' => 'Mechanisms used by the malware to start at boot.<br/>This could be a registry key, legitimate driver modification, LNK file in startup',
'types' => array('filename', 'regkey', 'regkey|value', 'comment', 'text', 'other')
),
'Network activity' => array(
'desc' => 'Information about network traffic generated by the malware',
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'email-dst', 'url', 'user-agent', 'http-method','AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'other')
),
'Payload type' => array(
'desc' => 'Information about the final payload(s)',
'formdesc' => 'Information about the final payload(s).<br/>Can contain a function of the payload, e.g. keylogger, RAT, or a name if identified, such as Poison Ivy.',
'types' => array('comment', 'text', 'other')
),
'Attribution' => array(
'desc' => 'Identification of the group, organisation, or country behind the attack',
'types' => array('comment', 'text', 'other')
),
'External analysis' => array(
'desc' => 'Any other result from additional analysis of the malware like tools output',
'formdesc' => 'Any other result from additional analysis of the malware like tools output<br/>Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'hostname', 'domain', 'url', 'user-agent', 'http-method', 'regkey', 'regkey|value', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'other')
),
'Other' => array(
'desc' => 'Attributes that are not part of any other category',
'types' => array('comment', 'text', 'other')
)
);
public $categoryDefinitions;
public $order = array("ShadowAttribute.event_id" => "DESC", "ShadowAttribute.type" => "ASC");
@ -278,11 +179,12 @@ class ShadowAttribute extends AppModel {
$this->fieldDescriptions = Set::merge($this->fieldDescriptions,array(
//'distribution' => array('desc' => 'This fields indicates the intended distribution of the attribute (same as when adding an event, see Add Event)'),
));
$this->categoryDefinitions = $this->Event->Attribute->categoryDefinitions;
$this->typeDefinitions = $this->Event->Attribute->typeDefinitions;
}
//The Associations below have been created with all possible keys, those that are not needed can be removed
/**
* beforeSave
*
@ -355,20 +257,8 @@ class ShadowAttribute extends AppModel {
$this->data['ShadowAttribute']['timestamp'] = $date->getTimestamp();
}
switch($this->data['ShadowAttribute']['type']) {
// lowercase these things
case 'md5':
case 'sha1':
case 'domain':
case 'hostname':
$this->data['ShadowAttribute']['value'] = strtolower($this->data['ShadowAttribute']['value']);
break;
case 'filename|md5':
case 'filename|sha1':
$pieces = explode('|', $this->data['ShadowAttribute']['value']);
$this->data['ShadowAttribute']['value'] = $pieces[0] . '|' . strtolower($pieces[1]);
break;
}
// make some last changes to the inserted value
$this->data['ShadowAttribute']['value'] = $this->Event->Attribute->modifyBeforeValidation($this->data['ShadowAttribute']['type'], $this->data['ShadowAttribute']['value']);
// generate UUID if it doesn't exist
if (empty($this->data['ShadowAttribute']['uuid'])) {