mirror of https://github.com/MISP/MISP
Work on the new attribute types
parent
0481e6eb02
commit
038ccd99bd
@ -631,7 +631,7 @@ class ServersController extends AppController {
if ($afterResult !== true) {
$this->Log->create();
$result = $this->Log->save(array(
'org' => $this->Auth->user('org'),
'org_id' => $this->Auth->user('org_id'),
'model' => 'Server',
'model_id' => 0,
'email' => $this->Auth->user('email'),
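Review bot: The same `$this->Log->save(array(...))` block is now repeated verbatim in all three hunks of this file (631, 659 and 674), so a private helper taking the title/change text would keep the org, model and email fields in one place and make the next field change a one-line edit. The rendered view does not show which of `'org' => $this->Auth->user('org')` and `'org_id' => $this->Auth->user('org_id')` is the old line; whichever survives has to match a real column of the Log model, since a key the model's schema does not know would be ignored on save and `$result` is not checked anywhere inside these hunks. The enclosing controller actions start and end outside the hunks.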
@ -659,7 +659,7 @@ class ServersController extends AppController {
|
|||
$this->Server->serverSettingsSaveValue($setting, $this->request->data['Server']['value']);
|
||||
$this->Log->create();
|
||||
$result = $this->Log->save(array(
|
||||
'org' => $this->Auth->user('org'),
|
||||
'org_id' => $this->Auth->user('org_id'),
|
||||
'model' => 'Server',
|
||||
'model_id' => 0,
|
||||
'email' => $this->Auth->user('email'),
|
||||
|
@ -674,7 +674,7 @@ class ServersController extends AppController {
|
|||
if ($afterResult !== true) {
|
||||
$this->Log->create();
|
||||
$result = $this->Log->save(array(
|
||||
'org' => $this->Auth->user('org'),
|
||||
'org_id' => $this->Auth->user('org_id'),
|
||||
'model' => 'Server',
|
||||
'model_id' => 0,
|
||||
'email' => $this->Auth->user('email'),
@ -0,0 +1,179 @@
|
|||
<?php
|
||||
class FinancialTool {
|
||||
public $ibanLengths = array(
|
||||
'AD' => '24',
|
||||
'AE' => '23',
|
||||
'AL' => '28',
|
||||
'AO' => '25',
|
||||
'AT' => '20',
|
||||
'AZ' => '28',
|
||||
'BA' => '20',
|
||||
'BE' => '16',
|
||||
'BF' => '27',
|
||||
'BG' => '22',
|
||||
'BH' => '22',
|
||||
'BI' => '16',
|
||||
'BJ' => '28',
|
||||
'BR' => '29',
|
||||
'CG' => '27',
|
||||
'CH' => '21',
|
||||
'CI' => '28',
|
||||
'CM' => '27',
|
||||
'CR' => '21',
|
||||
'CV' => '25',
|
||||
'CY' => '28',
|
||||
'CZ' => '24',
|
||||
'DE' => '22',
|
||||
'DK' => '18',
|
||||
'DO' => '28',
|
||||
'DZ' => '24',
|
||||
'EE' => '20',
|
||||
'EG' => '27',
|
||||
'ES' => '24',
|
||||
'FI' => '18',
|
||||
'FO' => '18',
|
||||
'FR' => '27',
|
||||
'GA' => '27',
|
||||
'GB' => '22',
|
||||
'GE' => '22',
|
||||
'GI' => '23',
|
||||
'GL' => '18',
|
||||
'GR' => '27',
|
||||
'GT' => '28',
|
||||
'HR' => '21',
|
||||
'HU' => '28',
|
||||
'IE' => '22',
|
||||
'IL' => '23',
|
||||
'IR' => '26',
|
||||
'IS' => '26',
|
||||
'IT' => '27',
|
||||
'JO' => '30',
|
||||
'KW' => '30',
|
||||
'KZ' => '20',
|
||||
'LB' => '28',
|
||||
'LC' => '32',
|
||||
'LI' => '21',
|
||||
'LT' => '20',
|
||||
'LU' => '20',
|
||||
'LV' => '21',
|
||||
'MC' => '27',
|
||||
'MD' => '24',
|
||||
'ME' => '22',
|
||||
'MG' => '27',
|
||||
'MK' => '19',
|
||||
'ML' => '28',
|
||||
'MR' => '27',
|
||||
'MT' => '31',
|
||||
'MU' => '30',
|
||||
'MZ' => '25',
|
||||
'NL' => '18',
|
||||
'NO' => '15',
|
||||
'PK' => '24',
|
||||
'PL' => '28',
|
||||
'PS' => '29',
|
||||
'PT' => '25',
|
||||
'QA' => '29',
|
||||
'RO' => '24',
|
||||
'RS' => '22',
|
||||
'SA' => '24',
|
||||
'SE' => '24',
|
||||
'SI' => '19',
|
||||
'SK' => '24',
|
||||
'SM' => '27',
|
||||
'SN' => '28',
|
||||
'TN' => '24',
|
||||
'TR' => '26',
|
||||
'UA' => '29',
|
||||
'VG' => '24',
|
||||
'XK' => '20'
|
||||
);
|
||||
// validating using method described on wikipedia @ https://en.wikipedia.org/wiki/International_Bank_Account_Number#Algorithms
|
||||
public function validateIBAN($iban) {
|
||||
if (strlen($iban) < 15 || strlen($iban) > 32) return false;
|
||||
$temp = substr($iban, 4) . substr($iban, 0, 4);
|
||||
$temp2 = '';
|
||||
debug($temp);
|
||||
for ($i = 0; $i < strlen($temp); $i++) {
|
||||
if (is_numeric($temp[$i])) $temp2 .= $temp[$i];
|
||||
else $temp2 .= ord(strtolower($temp[$i])) - 87;
|
||||
}
|
||||
$temp = bcmod($temp2, 97);
|
||||
return intval($temp)===1 ? true : false;
|
||||
}
|
||||
|
||||
public function validateBIC($bic) {
|
||||
if (preg_match('/^([A-Z]{4})([A-Z]){2}([0-9A-Z]){2}([0-9A-Z]{3})?$/i', $bic)) return true;
|
||||
return false;
|
||||
}
|
||||
|
||||
public function validateBIN($bin) {
|
||||
if (is_numeric($bin) && strlen($bin) == 6) return true;
|
||||
return false;
|
||||
}
|
||||
|
||||
// based on the explanation at www.freeformatter.com/credit-card-number-generator-validator.html#validate
|
||||
public function validateCC($cc) {
|
||||
debug($cc);
|
||||
if (is_numeric($cc) && strlen($cc) > 12 && strlen($cc) < 20) {
|
||||
$lastDigit = substr($cc, strlen($cc) - 1);
|
||||
$numberArray = str_split($cc);
|
||||
$lastDigit = $numberArray[count($numberArray) - 1];
|
||||
unset($numberArray[count($numberArray) - 1]);
|
||||
$numberArray = array_reverse($numberArray);
|
||||
$sum = 0;
|
||||
foreach ($numberArray as $k => &$number) {
|
||||
$number = intval($number);
|
||||
if ($k%2 == 0) $number *= 2;
|
||||
if ($number > 9) $number -=9;
|
||||
$sum += $number;
|
||||
}
|
||||
if ($sum%10 == $lastDigit) return true;
|
||||
return false;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
// based on the php implementation of the BTC address validation example from
|
||||
// http://rosettacode.org/wiki/Bitcoin/address_validation
|
||||
public function validateBTC($address){
|
||||
if (strlen($address) < 26 || strlen($address) > 35) return false;
|
||||
$decoded = $this->__decodeBase58($address);
|
||||
if ($decoded === false) return false;
|
||||
|
||||
$d1 = hash("sha256", substr($decoded,0,21), true);
|
||||
$d2 = hash("sha256", $d1, true);
|
||||
|
||||
if(substr_compare($decoded, $d2, 21, 4)){
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private function __decodeBase58($input) {
|
||||
$alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
|
||||
|
||||
$out = array_fill(0, 25, 0);
|
||||
for($i=0;$i<strlen($input);$i++){
|
||||
if(($p=strpos($alphabet, $input[$i]))===false){
|
||||
return false;
|
||||
}
|
||||
$c = $p;
|
||||
for ($j = 25; $j--; ) {
|
||||
$c += (int)(58 * $out[$j]);
|
||||
$out[$j] = (int)($c % 256);
|
||||
$c /= 256;
|
||||
$c = (int)$c;
|
||||
}
|
||||
if($c != 0){
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
$result = "";
|
||||
foreach($out as $val){
|
||||
$result .= chr($val);
|
||||
}
|
||||
|
||||
return $result;
|
||||
}
|
||||
}
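Review bot: validateIBAN and validateCC still contain `debug($temp);` and `debug($cc);` — CakePHP's debug() writes its argument into the response, so every IBAN and card number submitted for validation is echoed back to the client and can end up in rendered pages or logs; both lines have to go before this is merged. The Luhn check in validateCC is also inverted: `$sum` excludes the check digit, so the condition must be `if (($sum + intval($lastDigit)) % 10 === 0) return true;` — with the current `$sum%10 == $lastDigit` the standard Luhn-valid test number 4111111111111111 (digit sum 29, check digit 1) is rejected, and the `foreach (... as &$number)` should be followed by `unset($number);` so the reference does not leak. The `is_numeric()` gates in validateCC and validateBIN accept a sign, leading whitespace and exponent notation, so `ctype_digit($cc)` / `ctype_digit($bin)` is the check actually intended, and validateIBAN maps any non-alphanumeric byte to a negative value through `ord()`, so a `ctype_alnum($iban)` guard before the rearrangement would reject malformed input up front. `$ibanLengths` is declared but never consulted; either enforce it with `isset($this->ibanLengths[$cc]) && strlen($iban) === (int)$this->ibanLengths[$cc]` (with `$cc = substr($iban, 0, 2)`) or drop the table. `bcmod()` needs the bcmath extension, which nothing here checks for, so a missing extension surfaces as a fatal error at first use rather than a validation failure.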
|
|
@ -3,6 +3,7 @@
|
|||
App::uses('AppModel', 'Model');
|
||||
App::uses('Folder', 'Utility');
|
||||
App::uses('File', 'Utility');
|
||||
App::uses('FinancialTool', 'Tools');
|
||||
|
||||
/**
|
||||
* Attribute Model
|
||||
|
@ -120,7 +121,7 @@ class Attribute extends AppModel {
|
|||
'attachment' => array('desc' => 'Attachment with external information', 'formdesc' => "Please upload files using the <em>Upload Attachment</em> button."),
|
||||
'malware-sample' => array('desc' => 'Attachment containing encrypted malware sample', 'formdesc' => "Please upload files using the <em>Upload Attachment</em> button."),
|
||||
'link' => array('desc' => 'Link to an external information'),
|
||||
'comment' => array('desc' => 'Comment or description in a human language', 'formdesc' => 'Comment or description in a human language. This will not be correlated with other attributes (NOT IMPLEMENTED YET)'),
|
||||
'comment' => array('desc' => 'Comment or description in a human language', 'formdesc' => 'Comment or description in a human language. This will not be correlated with other attributes'),
|
||||
'text' => array('desc' => 'Name, ID or a reference'),
|
||||
'other' => array('desc' => 'Other attribute'),
|
||||
'named pipe' => array('desc' => 'Named pipe, use the format \\.\pipe\<PipeName>'),
|
||||
|
@ -131,6 +132,46 @@ class Attribute extends AppModel {
|
|||
'target-org' => array('desc' => 'Attack Targets Department or Orginization(s)'),
|
||||
'target-location' => array('desc' => 'Attack Targets Physical Location(s)'),
|
||||
'target-external' => array('desc' => 'External Target Orginizations Affected by this Attack'),
|
||||
'btc' => array('desc' => 'Bitcoin Address'),//
|
||||
'iban' => array('desc' => 'International Bank Account Number'),//
|
||||
'bic' => array('desc' => 'Bank Identifier Code Number'),//
|
||||
'bin' => array('desc' => 'Bank Identification Number'),//
|
||||
'cc-number' => array('desc' => 'Credit-Card Number'),//
|
||||
'prtn' => array('desc' => 'Premium-Rate Telephone Number'),//
|
||||
'threat-actor' => array('desc' => 'A string identifying the threat actor'),//
|
||||
'campaign-name' => array('desc' => 'Associated campaign name'),//
|
||||
'campaign-id' => array('desc' => 'Associated campaign ID'),//
|
||||
'malware-type' => array('desc' => 'test'),//
|
||||
'uri' => array('desc' => 'test'),
|
||||
'authentihash' => array('desc' => 'Authenticode executable signature hash', 'formdesc' => "You are encouraged to use filename|authentihash instead. Authenticode executable signature hash, only use this if you don't know the correct filename"),//x
|
||||
'ssdeep' => array('desc' => 'A checksum in ssdeep format', 'formdesc' => "You are encouraged to use filename|ssdeep instead. A checksum in the SSDeep format, only use this if you don't know the correct filename"),////x
|
||||
'imphash' => array('desc' => 'Import hash - a hash created based on the imports in the sample.', 'formdesc' => "You are encouraged to use filename|imphash instead. A hash created based on the imports in the sample, only use this if you don't know the correct filename"),//x
|
||||
'pehash' => array('desc' => 'test'),//x
|
||||
'sha-224' => array('desc' => 'A checksum in sha-224 format', 'formdesc' => "You are encouraged to use filename|sha224 instead. A checksum in sha224 format, only use this if you don't know the correct filename"),//x
|
||||
'sha-384' => array('desc' => 'A checksum in sha-384 format', 'formdesc' => "You are encouraged to use filename|sha384 instead. A checksum in sha384 format, only use this if you don't know the correct filename"),//x
|
||||
'sha-512' => array('desc' => 'A checksum in sha-512 format', 'formdesc' => "You are encouraged to use filename|sha512 instead. A checksum in sha512 format, only use this if you don't know the correct filename"),//x
|
||||
'sha-512/224' => array('desc' => 'A checksum in the sha-512/224 format', 'formdesc' => "You are encouraged to use filename|sha512/224 instead. A checksum in sha512/224 format, only use this if you don't know the correct filename"),//x
|
||||
'sha-512/256' => array('desc' => 'A checksum in the sha-512/256 format', 'formdesc' => "You are encouraged to use filename|sha512/256 instead. A checksum in sha512/256 format, only use this if you don't know the correct filename"),//x
|
||||
'tlsh' => array('desc' => 'A checksum in the Trend Micro Locality Sensitive Hash format', 'formdesc' => "You are encouraged to use filename|tlsh instead. A checksum in the Trend Micro Locality Sensitive Hash format, only use this if you don't know the correct filename"),//x
|
||||
'filename|authentihash' => array('desc' => 'A checksum in md5 format'),
|
||||
'filename|ssdeep' => array('desc' => 'A checksum in ssdeep format'),//x
|
||||
'filename|imphash' => array('desc' => 'Import hash - a hash created based on the imports in the sample.'),//x
|
||||
'filename|pehash' => array('desc' => ''),//x
|
||||
'filename|sha-224' => array('desc' => 'A filename and a sha-224 hash separated by a |'),//x
|
||||
'filename|sha-384' => array('desc' => 'A filename and a sha-384 hash separated by a |'),//x
|
||||
'filename|sha-512' => array('desc' => 'A filename and a sha-512 hash separated by a |'),//x
|
||||
'filename|sha-512/224' => array('desc' => 'A filename and a sha-512/224 hash separated by a |'),//x
|
||||
'filename|sha-512/256' => array('desc' => 'A filename and a sha-512/256 hash separated by a |'),//x
|
||||
'filename|tlsh' => array('desc' => 'A filename and a Trend Micro Locality Sensitive Hash separated by a |'),//x
|
||||
'windows-scheduled-task' => array('desc' => 'A scheduled task in windows'),
|
||||
'windows-service-name' => array('desc' => 'A windows service name. This is the name used internally by windows. Not to be confused with the windows-service-displayname.'),//x
|
||||
'windows-service-displayname' => array('desc' => 'A windows service\'s displayname, not to be confused with the windows-service-name. This is the name that applications will generally display as the service\'s name in applications.'),//x
|
||||
'whois-registrant-email' => array('desc' => 'The e-mail of a domain\'s registrant, obtained from the WHOIS information.'),//x
|
||||
'whois-registrant-phone' => array('desc' => 'The phone number of a domain\'s registrant, obtained from the WHOIS information.'),//x
|
||||
'targeted-threat-index' => array('desc' => 'test'),
|
||||
'mailslot' => array('desc' => 'test'),
|
||||
'pipe' => array('desc' => 'test'),
|
||||
'ssl-cert-attributes' => array('desc' => 'test'),
|
||||
);
|
||||
|
||||
// definitions of categories
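Review bot: The new hash types are registered here as `'sha-224'`, `'sha-384'`, `'sha-512'`, `'sha-512/224'`, `'sha-512/256'` and their `'filename|sha-…'` composites, but the category lists in the next hunk, the `__hexHashLengths` table and the `runValidation`/`modifyBeforeValidation` cases all use the unhyphenated `'sha224'` / `'filename|sha224'` form, so the hyphenated keys never match a selectable type and the unhyphenated ones have no definition; one spelling should be used throughout, and the validation code suggests `'sha224'`. Several entries still carry placeholder descriptions — `'malware-type'`, `'uri'`, `'pehash'`, `'targeted-threat-index'`, `'mailslot'`, `'pipe'` and `'ssl-cert-attributes'` say `'test'`, `'filename|pehash'` is empty and `'filename|authentihash'` reads `'A checksum in md5 format'` — and since `desc` is user-facing form text each should describe its type, e.g. `'filename|authentihash' => array('desc' => 'A filename and an authentihash separated by a |')`. The trailing `//`, `//x` and `////x` markers on the added lines look like work-in-progress tags and should be removed. `'mailslot'`, `'pipe'`, `'ssl-cert-attributes'` and `'targeted-threat-index'` do not appear in any category list visible in this diff, so as far as the hunks show they are defined but not selectable.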
|
||||
|
@ -152,16 +193,16 @@ class Attribute extends AppModel {
|
|||
'Payload delivery' => array(
|
||||
'desc' => 'Information about how the malware is delivered',
|
||||
'formdesc' => 'Information about the way the malware payload is initially delivered, for example information about the email or web-site, vulnerability used, originating IP etc. Malware sample itself should be attached here.',
|
||||
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'url', 'ip-dst', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'yara', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'vulnerability', 'other')
|
||||
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'authentihash', 'pehash', 'tlsh', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'ip-src', 'ip-dst', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'url', 'ip-dst', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'yara', 'attachment', 'malware-sample', 'link', 'malware-type', 'comment', 'text', 'vulnerability', 'other')
|
||||
),
|
||||
'Artifacts dropped' => array(
|
||||
'desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system',
|
||||
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'yara', 'attachment', 'malware-sample', 'comment', 'text', 'other', 'named pipe', 'mutex')
|
||||
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'authentihash', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'yara', 'attachment', 'malware-sample', 'named pipe', 'mutex', 'windows-scheduled-task', 'windows-service-name', 'windows-service-displayname', 'comment', 'text', 'other')
|
||||
),
|
||||
'Payload installation' => array(
|
||||
'desc' => 'Info on where the malware gets installed in the system',
|
||||
'formdesc' => 'Location where the payload was placed in the system and the way it was installed. For example, a filename|md5 type attribute can be added here like this: c:\\windows\\system32\\malicious.exe|41d8cd98f00b204e9800998ecf8427e.',
|
||||
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'yara', 'vulnerability', 'attachment', 'malware-sample', 'comment', 'text', 'other')
|
||||
'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'authentihash', 'pehash', 'tlsh', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'yara', 'vulnerability', 'attachment', 'malware-sample', 'malware-type', 'comment', 'text', 'other')
|
||||
),
|
||||
'Persistence mechanism' => array(
|
||||
'desc' => 'Mechanisms used by the malware to start at boot',
|
||||
|
@ -170,7 +211,7 @@ class Attribute extends AppModel {
|
|||
),
|
||||
'Network activity' => array(
|
||||
'desc' => 'Information about network traffic generated by the malware',
|
||||
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'email-dst', 'url', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'other')
|
||||
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'other')
|
||||
),
|
||||
'Payload type' => array(
|
||||
'desc' => 'Information about the final payload(s)',
|
||||
|
@ -179,13 +220,18 @@ class Attribute extends AppModel {
|
|||
),
|
||||
'Attribution' => array(
|
||||
'desc' => 'Identification of the group, organisation, or country behind the attack',
|
||||
'types' => array('comment', 'text', 'other')
|
||||
'types' => array('threat-actor', 'campaign-name', 'campaign-id', 'whois-registrant-phone', 'whois-registrant-email', 'comment', 'text', 'other')
|
||||
),
|
||||
'External analysis' => array(
|
||||
'desc' => 'Any other result from additional analysis of the malware like tools output',
|
||||
'formdesc' => 'Any other result from additional analysis of the malware like tools output Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
|
||||
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'hostname', 'domain', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'other')
|
||||
),
|
||||
'Financial fraud' => array(
|
||||
'desc' => 'Financial Fraud indicators',
|
||||
'formdesc' => 'Financial Fraud indicators, for example: IBAN Numbers, BIC codes, Credit card numbers, etc.',
|
||||
'types' => array('btc', 'iban', 'bic', 'bin', 'cc-number', 'prtn', 'comment', 'text', 'other'),
|
||||
),
|
||||
'Other' => array(
|
||||
'desc' => 'Attributes that are not part of any other category',
|
||||
'types' => array('comment', 'text', 'other')
|
||||
|
@ -234,6 +280,7 @@ class Attribute extends AppModel {
|
|||
'Payload type',
|
||||
'Attribution',
|
||||
'External analysis',
|
||||
'Financial fraud',
|
||||
'Other',
|
||||
'' // FIXME remove this once all attributes have a category. Otherwise sigs without category are not shown in the list
|
||||
)),
|
||||
|
@ -328,8 +375,7 @@ class Attribute extends AppModel {
|
|||
|
||||
public function __construct($id = false, $table = null, $ds = null) {
|
||||
parent::__construct($id, $table, $ds);
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
//The Associations below have been created with all possible keys, those that are not needed can be removed
|
||||
|
||||
|
@ -429,24 +475,10 @@ class Attribute extends AppModel {
|
|||
if (!isset($this->data['Attribute']['type'])) {
|
||||
return false;
|
||||
}
|
||||
|
||||
switch($this->data['Attribute']['type']) {
|
||||
// lowercase these things
|
||||
case 'md5':
|
||||
case 'sha1':
|
||||
case 'sha256':
|
||||
case 'domain':
|
||||
case 'hostname':
|
||||
$this->data['Attribute']['value'] = strtolower($this->data['Attribute']['value']);
|
||||
break;
|
||||
case 'filename|md5':
|
||||
case 'filename|sha1':
|
||||
case 'filename|sha256':
|
||||
$pieces = explode('|', $this->data['Attribute']['value']);
|
||||
$this->data['Attribute']['value'] = $pieces[0] . '|' . strtolower($pieces[1]);
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
// make some last changes to the inserted value
|
||||
$this->data['Attribute']['value'] = $this->modifyBeforeValidation($this->data['Attribute']['type'], $this->data['Attribute']['value']);
|
||||
|
||||
// uppercase the following types
|
||||
switch($this->data['Attribute']['type']) {
|
||||
case 'http-method':
|
||||
|
@ -519,30 +551,61 @@ class Attribute extends AppModel {
|
|||
return $this->runValidation($value, $this->data['Attribute']['type']);
|
||||
}
|
||||
|
||||
private $__hexHashLengths = array(
|
||||
'authentihash' => 64,
|
||||
'md5' => 32,
|
||||
'imphash' => 32,
|
||||
'sha1' => 40,
|
||||
'pehash' => 40,
|
||||
'sha224' => 56,
|
||||
'sha256' => 64,
|
||||
'sha384' => 96,
|
||||
'sha512' => 128,
|
||||
'sha512/224' => 56,
|
||||
'sha512/256' => 64,
|
||||
);
|
||||
|
||||
public function runValidation($value, $type) {
|
||||
$returnValue = false;
|
||||
// check data validation
|
||||
switch($type) {
|
||||
case 'md5':
|
||||
if (preg_match("#^[0-9a-f]{32}$#", $value)) {
|
||||
case 'imphash':
|
||||
case 'sha1':
|
||||
case 'sha224':
|
||||
case 'sha256':
|
||||
case 'sha384':
|
||||
case 'sha512':
|
||||
case 'sha512/224':
|
||||
case 'sha512/256':
|
||||
case 'authentihash':
|
||||
$length = $this->__hexHashLengths[$type];
|
||||
if (preg_match("#^[0-9a-f]{" . $length . "}$#", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
|
||||
$returnValue = 'Checksum has invalid length or format (expected: ' . $length . ' hexadecimal characters). Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'sha1':
|
||||
case 'tlsh':
|
||||
if (preg_match("#^[0-9a-f]{35,}$#", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Checksum has invalid length or format (expected: at least 35 hexadecimal characters). Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'pehash':
|
||||
if (preg_match("#^[0-9a-f]{40}$#", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
|
||||
$returnValue = 'The input doesn\'t match the expected sha1 format (expected: 40 hexadecimal characters). Keep in mind that MISP currently only supports SHA1 for PEhashes, if you would like to get the support extended to other hash types, make sure to create a github ticket about it at https://github.com/MISP/MISP!';
|
||||
}
|
||||
break;
|
||||
case 'sha256':
|
||||
if (preg_match("#^[0-9a-f]{64}$#", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
|
||||
}
|
||||
case 'ssdeep':
|
||||
if (substr_count($value, ':') == 2) {
|
||||
$parts = explode(':', $value);
|
||||
if (is_numeric($parts[0])) $returnValue = true;
|
||||
}
|
||||
if (!$returnValue) $returnValue = 'Invalid SSDeep hash. The format has to be blocksize:hash:hash';
|
||||
break;
|
||||
case 'http-method':
|
||||
if (preg_match("#(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH)#", $value)) {
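Review bot: The `ssdeep` case only checks that there are two colons and that the block size is numeric, so `123:anything:anything` passes; `is_numeric` also accepts `1e3`, so a pattern such as `preg_match('#^[0-9]+:[A-Za-z0-9/+]+:[A-Za-z0-9/+]+$#', $value)` would pin the blocksize:hash:hash format (ssdeep chunks are base64 characters, worth confirming against the reference implementation before fixing the class). The same weakness is in the `filename|ssdeep` case of the following hunk, which additionally rejects any filename containing `|` via `substr_count($value, '|') != 1`, whereas the other `filename|*` cases accept such filenames with `^.+\|`, so the two composite checks disagree on what a filename may contain. The `tlsh` pattern `{35,}` has no upper bound, which is fine if intended but differs from every other hex type that pins an exact length through `__hexHashLengths`. runValidation starts and ends outside this hunk.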
|
||||
|
@ -551,57 +614,52 @@ class Attribute extends AppModel {
|
|||
$returnValue = 'Unknown HTTP method.';
|
||||
}
|
||||
break;
|
||||
case 'filename':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'filename|md5':
|
||||
// no newline
|
||||
if (preg_match("#^.+\|[0-9a-f]{32}$#", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'filename|sha1':
|
||||
case 'filename|pehash':
|
||||
// no newline
|
||||
if (preg_match("#^.+\|[0-9a-f]{40}$#", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
|
||||
$returnValue = 'The input doesn\'t match the expected filename|sha1 format (expected: filename|40 hexadecimal characters). Keep in mind that MISP currently only supports SHA1 for PEhashes, if you would like to get the support extended to other hash types, make sure to create a github ticket about it at https://github.com/MISP/MISP!';
|
||||
}
|
||||
break;
|
||||
case 'filename|md5':
|
||||
case 'filename|sha1':
|
||||
case 'filename|imphash':
|
||||
case 'filename|sha224':
|
||||
case 'filename|sha256':
|
||||
// no newline
|
||||
if (preg_match("#^.+\|[0-9a-f]{64}$#", $value)) {
|
||||
case 'filename|sha384':
|
||||
case 'filename|sha512':
|
||||
case 'filename|sha512/224':
|
||||
case 'filename|sha512/256':
|
||||
case 'filename|authentihash':
|
||||
$parts = explode('|', $type);
|
||||
$length = $this->__hexHashLengths[$parts[1]];
|
||||
if (preg_match("#^.+\|[0-9a-f]{" . $length . "}$#", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
|
||||
$returnValue = 'Checksum has invalid length or format (expected: filename|' . $length . ' hexadecimal characters). Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'filename|ssdeep':
|
||||
if (substr_count($value, '|') != 1 || !preg_match("#^.+\|.+$#", $value)) $returnValue = 'Invalid composite type. The format has to be ' . $type . '.';
|
||||
else {
|
||||
$composite = explode('|', $value);
|
||||
$value = $composite[1];
|
||||
if (substr_count($value, ':') == 2) {
|
||||
$parts = explode(':', $value);
|
||||
if (is_numeric($parts[0])) $returnValue = true;
|
||||
}
|
||||
if (!$returnValue) $returnValue = 'Invalid SSDeep hash (expected: blocksize:hash:hash).';
|
||||
}
|
||||
break;
|
||||
case 'filename|tlsh':
|
||||
if (preg_match("#^.+\|[0-9a-f]{35,}$#", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Checksum has invalid length or format (expected: filename|at least 35 hexadecimal characters). Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'ip-src':
|
||||
$parts = explode("/", $value);
|
||||
// [0] = the ip
|
||||
// [1] = the network address
|
||||
if (count($parts) <= 2 ) {
|
||||
// ipv4 and ipv6 matching
|
||||
if (filter_var($parts[0],FILTER_VALIDATE_IP)) {
|
||||
// ip is validated, now check if we have a valid network mask
|
||||
if (empty($parts[1])) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
if (is_numeric($parts[1]) && $parts[1] < 129) {
|
||||
$returnValue = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!$returnValue) {
|
||||
$returnValue = 'IP address has invalid format. Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'ip-dst':
|
||||
$parts = explode("/", $value);
|
||||
// [0] = the ip
|
||||
|
@ -632,14 +690,9 @@ class Attribute extends AppModel {
|
|||
}
|
||||
break;
|
||||
case 'email-src':
|
||||
// we don't use the native function to prevent issues with partial email addresses
|
||||
if (preg_match("#^[A-Z0-9._%+-]*@[A-Z0-9.\-_]+\.[A-Z]{2,}$#i", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Email address has invalid format. Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'email-dst':
|
||||
case 'target-email':
|
||||
case 'whois-registrant-email':
|
||||
// we don't use the native function to prevent issues with partial email addresses
|
||||
if (preg_match("#^[A-Z0-9._%+-]*@[A-Z0-9.\-_]+\.[A-Z]{2,}$#i", $value)) {
|
||||
$returnValue = true;
|
||||
|
@ -647,42 +700,6 @@ class Attribute extends AppModel {
|
|||
$returnValue = 'Email address has invalid format. Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'email-subject':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'email-attachment':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'url':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'user-agent':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'regkey':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'regkey|value':
|
||||
// no newline
|
||||
if (preg_match("#(.)+\|(.)+#", $value) && !preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'vulnerability':
|
||||
if (preg_match("#^(CVE-)[0-9]{4}(-)[0-9]{4,6}$#", $value)) {
|
||||
$returnValue = true;
|
||||
|
@ -695,6 +712,10 @@ class Attribute extends AppModel {
|
|||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'windows-service-name':
|
||||
case 'windows-service-displayname':
|
||||
if (strlen($value) > 256 || preg_match('#[\\\/]#')) $returnValue = 'Invalid format. Only values shorter than 256 characters that don\'t include any forward or backward slashes are allowed.';
|
||||
break;
|
||||
case 'mutex':
|
||||
case 'AS':
|
||||
case 'snort':
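Review bot: The new `windows-service-name`/`windows-service-displayname` case calls `preg_match('#[\\\/]#')` with no subject string, which emits a warning and yields no match on PHP 5/7 and throws an ArgumentCountError on PHP 8, so the slash check never actually runs; and on the accept path `$returnValue` is never set to true, so every value of these two types fails validation with the generic false result. Both are fixed by `if (strlen($value) > 256 || preg_match('#[\\\/]#', $value)) $returnValue = 'Invalid format. Only values shorter than 256 characters that don\'t include any forward or backward slashes are allowed.';` followed by `else $returnValue = true;`. The `// no newline` check applied to the other free-text types is also absent here, so a value with an embedded newline passes the slash test; adding `\n` to the character class, `'#[\\\/\n]#'`, closes that. runValidation's switch starts and ends outside this hunk.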
|
||||
|
@ -717,44 +738,130 @@ class Attribute extends AppModel {
|
|||
$returnValue = true;
|
||||
break;
|
||||
case 'target-user':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'target-email':
|
||||
if (preg_match("#^[A-Z0-9._%+-]*@[A-Z0-9.-]+\.[A-Z]{2,4}$#i", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Email address has invalid format. Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'campaign-name':
|
||||
case 'campaign-id':
|
||||
case 'threat-actor':
|
||||
case 'target-machine':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'target-org':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'target-location':
|
||||
// no newline
|
||||
case 'target-external':
|
||||
case 'email-subject':
|
||||
case 'email-attachment':
|
||||
case 'url':
|
||||
case 'user-agent':
|
||||
case 'regkey':
|
||||
case 'regkey|value':
|
||||
case 'filename':
|
||||
case 'windows-scheduled-task':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
$returnValue = true;
|
||||
}
|
||||
break;
|
||||
case 'target-external':
|
||||
// no newline
if (!preg_match("#\n#", $value)) {
$returnValue = true;
}
case 'targeted-threat-index':
if (!is_numeric($value) || $value < 0 || $value > 10) $returnValue = 'The value has to be a number between 0 and 10.';
else $returnValue = true;
break;
case 'btc':
$fTool = new FinancialTool();
if ($fTool->validateBTC($value)) {
$returnValue = true;
}
break;
case 'iban':
$fTool = new FinancialTool();
if ($fTool->validateIBAN($value)) {
$returnValue = true;
}
break;
case 'bic':
$fTool = new FinancialTool();
if ($fTool->validateBIC($value)) {
$returnValue = true;
}
break;
case 'bin':
$fTool = new FinancialTool();
if ($fTool->validateBIN($value)) {
$returnValue = true;
}
break;
case 'cc-number':
$fTool = new FinancialTool();
if ($fTool->validateCC($value)) {
$returnValue = true;
}
break;
case 'prtn':
case 'whois-registrant-phone':
if (is_numeric($value)) {
$returnValue = true;
}
break;
}
return $returnValue;
}
// do some last second modifications before the validation
public function modifyBeforeValidation($type, $value) {
switch($type) {
case 'md5':
case 'sha1':
case 'sha224':
case 'sha256':
case 'sha384':
case 'sha512':
case 'sha512/224':
case 'sha512/256':
case 'sha256':
case 'domain':
case 'hostname':
case 'pehash':
case 'authentihash':
case 'imphash':
case 'tlsh':
case 'email-src':
case 'email-dst':
case 'target-email':
case 'whois-registrant-email':
$value = strtolower($value);
break;
case 'filename|md5':
case 'filename|sha1':
case 'filename|imphash':
case 'filename|sha224':
case 'filename|sha256':
case 'filename|sha384':
case 'filename|sha512':
case 'filename|sha512/224':
case 'filename|sha512/256':
case 'filename|authentihash':
case 'filename|pehash':
case 'filename|tlsh':
$pieces = explode('|', $value);
$value = $pieces[0] . '|' . strtolower($pieces[1]);
break;
case 'http-method':
$value = strtoupper($value);
break;
case 'cc-number':
case 'bic':
case 'bin':
$value = preg_replace('/[^0-9]+/', '', $value);
break;
case 'iban':
$value = strtoupper($value);
$value = preg_replace('/[^0-9A-Z]+/', '', $value);
break;
case 'prtn':
case 'whois-registrant-phone':
if (substr($value, 0, 1) == '+') $value = '00' . $value(substr($value, 1));
$value = preg_replace('/[^0-9]+/', '', $value);
break;
}
return $value;
}
public function getCompositeTypes() {
// build the list of composite Attribute.type dynamically by checking if type contains a |
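Review bot: In modifyBeforeValidation the prtn / whois-registrant-phone branch `$value = '00' . $value(substr($value, 1));` uses the submitted value itself as a function name (a variable-function call), so any number entered with a leading '+' aborts with "Call to undefined function" instead of being normalised; it should read `$value = '00' . substr($value, 1);`. The cc-number/bic/bin branch strips every non-digit, but a BIC is alphanumeric (its bank and country codes are letters), so `validateBIC` would receive a mangled value — bic needs its own branch that only removes separators and uppercases, like the iban one. In the validation switch the second `case 'target-external':` block is unreachable because the earlier case already matches it, and it has no `break`, so if the first one is ever removed it falls through into the targeted-threat-index numeric check; drop the duplicate (the `case 'sha256':` in modifyBeforeValidation is also listed twice). The validation switch and its `$returnValue` default start outside this hunk, and getCompositeTypes continues past it.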
@ -80,107 +80,8 @@ class ShadowAttribute extends AppModel {
'attachment'
);
public $typeDefinitions = array(
'md5' => array('desc' => 'A checksum in md5 format', 'formdesc' => "You are encouraged to use filename|md5 instead. <br/>A checksum in md5 format, only use this if you don't know the correct filename"),
'sha1' => array('desc' => 'A checksum in sha1 format', 'formdesc' => "You are encouraged to use filename|sha1 instead. <br/>A checksum in sha1 format, only use this if you don't know the correct filename"),
'sha256' => array('desc' => 'A checksum in sha256 format', 'formdesc' => "You are encouraged to use filename|sha256 instead. A checksum in sha256 format, o nly use this if you don't know the correct filename"),
'filename' => array('desc' => 'Filename'),
'filename|md5' => array('desc' => 'A filename and an md5 hash separated by a |', 'formdesc' => "A filename and an md5 hash separated by a | (no spaces)"),
'filename|sha1' => array('desc' => 'A filename and an sha1 hash separated by a |', 'formdesc' => "A filename and an sha1 hash separated by a | (no spaces)"),
'ip-src' => array('desc' => "A source IP address of the attacker"),
'ip-dst' => array('desc' => 'A destination IP address of the attacker or C&C server', 'formdesc' => "A destination IP address of the attacker or C&C server. <br/>Also set the IDS flag on when this IP is hardcoded in malware"),
'hostname' => array('desc' => 'A full host/dnsname of an attacker', 'formdesc' => "A full host/dnsname of an attacker. <br/>Also set the IDS flag on when this hostname is hardcoded in malware"),
'domain' => array('desc' => 'A domain name used in the malware', 'formdesc' => "A domain name used in the malware. <br/>Use this instead of hostname when the upper domain is <br/>important or can be used to create links between events."),
'email-src' => array('desc' => "The email address (or domainname) used to send the malware."),
'email-dst' => array('desc' => "A recipient email address", 'formdesc' => "A recipient email address that is not related to your constituency."),
'email-subject' => array('desc' => "The subject of the email"),
'email-attachment' => array('desc' => "File name of the email attachment."),
'url' => array('desc' => 'url'),
'http-method' => array('desc' => "HTTP method used by the malware (e.g. POST, GET, ...)."),
'user-agent' => array('desc' => "The user-agent used by the malware in the HTTP request."),
'regkey' => array('desc' => "Registry key or value"),
'regkey|value' => array('desc' => "Registry value + data separated by |"),
'AS' => array('desc' => 'Autonomous system'),
'snort' => array('desc' => 'An IDS rule in Snort rule-format', 'formdesc' => "An IDS rule in Snort rule-format. <br/>This rule will be automatically rewritten in the NIDS exports."),
'pattern-in-file' => array('desc' => 'Pattern in file that identifies the malware'),
'pattern-in-traffic' => array('desc' => 'Pattern in network traffic that identifies the malware'),
'pattern-in-memory' => array('desc' => 'Pattern in memory dump that identifies the malware'),
'yara' => array('desc' => 'Yara signature'),
'vulnerability' => array('desc' => 'A reference to the vulnerability used in the exploit'),
'attachment' => array('desc' => 'Attachment with external information', 'formdesc' => "Please upload files using the <em>Upload Attachment</em> button."),
'malware-sample' => array('desc' => 'Attachment containing encrypted malware sample', 'formdesc' => "Please upload files using the <em>Upload Attachment</em> button."),
'link' => array('desc' => 'Link to an external information'),
'comment' => array('desc' => 'Comment or description in a human language', 'formdesc' => 'Comment or description in a human language. <br/> This will not be correlated with other attributes (NOT IMPLEMENTED YET)'),
'text' => array('desc' => 'Name, ID or a reference'),
'named pipe' => array('desc' => 'Named pipe, use the format \\.\pipe\<PipeName>'),
'mutex' => array('desc' => 'Mutex, use the format \BaseNamedObjects\<Mutex>'),
'other' => array('desc' => 'Other attribute'),
'target-user' => array('desc' => 'Attack Targets Username(s)'),
'target-email' => array('desc' => 'Attack Targets Email(s)'),
'target-machine' => array('desc' => 'Attack Targets Machine Name(s)'),
'target-org' => array('desc' => 'Attack Targets Department or Orginization(s)'),
'target-location' => array('desc' => 'Attack Targets Physical Location(s)'),
'target-external' => array('desc' => 'External Target Orginizations Affected by this Attack'),
);
// definitions of categories
public $categoryDefinitions = array(
'Internal reference' => array(
'desc' => 'Reference used by the publishing party (e.g. ticket number)',
'types' => array('link', 'comment', 'text', 'other')
),
'Targeting data' => array(
'desc' => 'Internal Attack Targeting and Compromise Information',
'formdesc' => 'Targeting information to include recipient email, infected machines, department, and or locations.<br/>',
'types' => array('target-user', 'target-email', 'target-machine', 'target-org', 'target-location', 'target-external', 'comment')
),
'Antivirus detection' => array(
'desc' => 'All the info about how the malware is detected by the antivirus products',
'formdesc' => 'List of anti-virus vendors detecting the malware or information on detection performance (e.g. 13/43 or 67%).<br/>Attachment with list of detection or link to VirusTotal could be placed here as well.',
'types' => array('link', 'comment', 'text', 'attachment', 'other')
),
'Payload delivery' => array(
'desc' => 'Information about how the malware is delivered',
'formdesc' => 'Information about the way the malware payload is initially delivered, <br/>for example information about the email or web-site, vulnerability used, originating IP etc. <br/>Malware sample itself should be attached here.',
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'url', 'ip-dst', 'user-agent', 'http-method', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'yara', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'vulnerability', 'other')
),
'Artifacts dropped' => array(
'desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system',
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha256', 'filename|sha1', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'yara', 'attachment', 'malware-sample', 'comment', 'text', 'other', 'named pipe', 'mutex')
),
'Payload installation' => array(
'desc' => 'Info on where the malware gets installed in the system',
'formdesc' => 'Location where the payload was placed in the system and the way it was installed.<br/>For example, a filename|md5 type attribute can be added here like this:<br/>c:\\windows\\system32\\malicious.exe|41d8cd98f00b204e9800998ecf8427e.',
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'yara', 'vulnerability', 'attachment', 'malware-sample', 'comment', 'text', 'other')
),
'Persistence mechanism' => array(
'desc' => 'Mechanisms used by the malware to start at boot',
'formdesc' => 'Mechanisms used by the malware to start at boot.<br/>This could be a registry key, legitimate driver modification, LNK file in startup',
'types' => array('filename', 'regkey', 'regkey|value', 'comment', 'text', 'other')
),
'Network activity' => array(
'desc' => 'Information about network traffic generated by the malware',
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'email-dst', 'url', 'user-agent', 'http-method','AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'other')
),
'Payload type' => array(
'desc' => 'Information about the final payload(s)',
'formdesc' => 'Information about the final payload(s).<br/>Can contain a function of the payload, e.g. keylogger, RAT, or a name if identified, such as Poison Ivy.',
'types' => array('comment', 'text', 'other')
),
'Attribution' => array(
'desc' => 'Identification of the group, organisation, or country behind the attack',
'types' => array('comment', 'text', 'other')
),
'External analysis' => array(
'desc' => 'Any other result from additional analysis of the malware like tools output',
'formdesc' => 'Any other result from additional analysis of the malware like tools output<br/>Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
'types' => array('md5', 'sha1', 'sha256', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'hostname', 'domain', 'url', 'user-agent', 'http-method', 'regkey', 'regkey|value', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'other')
),
'Other' => array(
'desc' => 'Attributes that are not part of any other category',
'types' => array('comment', 'text', 'other')
)
);
public $categoryDefinitions;
public $order = array("ShadowAttribute.event_id" => "DESC", "ShadowAttribute.type" => "ASC");
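Review bot: `public $typeDefinitions` is removed together with its array, but the constructor (the @ -278 hunk below) still assigns `$this->typeDefinitions = $this->Event->Attribute->typeDefinitions;`, so unless the property is declared elsewhere in the file it is now created dynamically. Declare it next to the other one, `public $typeDefinitions;`, so both mirrored definition fields are visible on the class; dynamic property creation is deprecated as of PHP 8.2.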
@ -278,11 +179,12 @@ class ShadowAttribute extends AppModel {
$this->fieldDescriptions = Set::merge($this->fieldDescriptions,array(
//'distribution' => array('desc' => 'This fields indicates the intended distribution of the attribute (same as when adding an event, see Add Event)'),
));
$this->categoryDefinitions = $this->Event->Attribute->categoryDefinitions;
$this->typeDefinitions = $this->Event->Attribute->typeDefinitions;
}
//The Associations below have been created with all possible keys, those that are not needed can be removed
/**
* beforeSave
*
@ -355,20 +257,8 @@ class ShadowAttribute extends AppModel {
$this->data['ShadowAttribute']['timestamp'] = $date->getTimestamp();
}
switch($this->data['ShadowAttribute']['type']) {
// lowercase these things
case 'md5':
case 'sha1':
case 'domain':
case 'hostname':
$this->data['ShadowAttribute']['value'] = strtolower($this->data['ShadowAttribute']['value']);
break;
case 'filename|md5':
case 'filename|sha1':
$pieces = explode('|', $this->data['ShadowAttribute']['value']);
$this->data['ShadowAttribute']['value'] = $pieces[0] . '|' . strtolower($pieces[1]);
break;
}
// make some last changes to the inserted value
$this->data['ShadowAttribute']['value'] = $this->Event->Attribute->modifyBeforeValidation($this->data['ShadowAttribute']['type'], $this->data['ShadowAttribute']['value']);
// generate UUID if it doesn't exist
if (empty($this->data['ShadowAttribute']['uuid'])) {