mirror of https://github.com/MISP/MISP
Iglocska
commit
0ada70c146
|
|
@ -54,6 +54,7 @@ cd /var/www/MISP/app/files/scripts
|
|||
git clone https://github.com/CybOXProject/python-cybox.git
|
||||
git clone https://github.com/STIXProject/python-stix.git
|
||||
cd /var/www/MISP/app/files/scripts/python-cybox
|
||||
git checkout v2.1.0.11
|
||||
git config core.filemode false
|
||||
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
||||
UMASK=$(umask)
|
||||
|
|
|
|||
|
|
@ -54,6 +54,7 @@ cd /var/www/MISP/app/files/scripts
|
|||
git clone https://github.com/CybOXProject/python-cybox.git
|
||||
git clone https://github.com/STIXProject/python-stix.git
|
||||
cd /var/www/MISP/app/files/scripts/python-cybox
|
||||
git checkout v2.1.0.11
|
||||
git config core.filemode false
|
||||
# If you umask is has been changed from the default, it is a good idea to reset it to 0022 before installing python modules
|
||||
UMASK=$(umask)
|
||||
|
|
|
|||
|
|
@ -47,6 +47,7 @@ cd /var/www/MISP/app/files/scripts
|
|||
git clone https://github.com/CybOXProject/python-cybox.git
|
||||
git clone https://github.com/STIXProject/python-stix.git
|
||||
cd /var/www/MISP/app/files/scripts/python-cybox
|
||||
git checkout v2.1.0.11
|
||||
python setup.py install
|
||||
cd /var/www/MISP/app/files/scripts/python-stix
|
||||
python setup.py install
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
{"major":2, "minor":3, "hotfix":78}
|
||||
{"major":2, "minor":3, "hotfix":79}
|
||||
|
|
|
|||
|
|
@ -1493,7 +1493,7 @@ class AttributesController extends AppController {
|
|||
// the last 4 fields accept the following operators:
|
||||
// && - you can use && between two search values to put a logical OR between them. for value, 1.1.1.1&&2.2.2.2 would find attributes with the value being either of the two.
|
||||
// ! - you can negate a search term. For example: google.com&&!mail would search for all attributes with value google.com but not ones that include mail. www.google.com would get returned, mail.google.com wouldn't.
|
||||
public function restSearch($key='download', $value=false, $type=false, $category=false, $org=false, $tags=false, $from=false, $to=false) {
|
||||
public function restSearch($key='download', $value=false, $type=false, $category=false, $org=false, $tags=false, $from=false, $to=false, $last=false) {
|
||||
if ($tags) $tags = str_replace(';', ':', $tags);
|
||||
if ($key!=null && $key!='download') {
|
||||
$user = $this->checkAuthUser($key);
|
||||
|
|
@ -1519,19 +1519,21 @@ class AttributesController extends AppController {
|
|||
} else {
|
||||
throw new BadRequestException('Either specify the search terms in the url, or POST a json array / xml (with the root element being "request" and specify the correct accept and content type headers.');
|
||||
}
|
||||
$paramArray = array('value', 'type', 'category', 'org', 'tags', 'from', 'to');
|
||||
$paramArray = array('value', 'type', 'category', 'org', 'tags', 'from', 'to', 'last');
|
||||
foreach ($paramArray as $p) {
|
||||
if (isset($data['request'][$p])) ${$p} = $data['request'][$p];
|
||||
else ${$p} = null;
|
||||
}
|
||||
}
|
||||
$simpleFalse = array('value' , 'type', 'category', 'org', 'tags', 'from', 'to');
|
||||
$simpleFalse = array('value' , 'type', 'category', 'org', 'tags', 'from', 'to', 'last');
|
||||
foreach ($simpleFalse as $sF) {
|
||||
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
|
||||
}
|
||||
|
||||
if ($from) $from = $this->Attribute->Event->dateFieldCheck($from);
|
||||
if ($to) $to = $this->Attribute->Event->dateFieldCheck($to);
|
||||
if ($last) $last = $this->Attribute->Event->resolveTimeDelta($last);
|
||||
|
||||
if (!isset($this->request->params['ext']) || $this->request->params['ext'] !== 'json') {
|
||||
$this->response->type('xml'); // set the content type
|
||||
$this->layout = 'xml/default';
|
||||
|
|
@ -1617,6 +1619,7 @@ class AttributesController extends AppController {
|
|||
|
||||
if ($from) $conditions['AND'][] = array('Event.date >=' => $from);
|
||||
if ($to) $conditions['AND'][] = array('Event.date <=' => $to);
|
||||
if ($last) $conditions['AND'][] = array('Event.publish_timestamp >=' => $last);
|
||||
|
||||
// change the fields here for the attribute export!!!! Don't forget to check for the permissions, since you are not going through fetchevent. Maybe create fetchattribute?
|
||||
|
||||
|
|
@ -1764,14 +1767,16 @@ class AttributesController extends AppController {
|
|||
$this->__downloadAttachment($this->Attribute->data['Attribute']);
|
||||
}
|
||||
|
||||
public function text($key='download', $type='all', $tags=false, $eventId=false, $allowNonIDS=false, $from=false, $to=false) {
|
||||
$simpleFalse = array('eventId', 'allowNonIDS', 'tags', 'from', 'to');
|
||||
public function text($key='download', $type='all', $tags=false, $eventId=false, $allowNonIDS=false, $from=false, $to=false, $last=false) {
|
||||
$simpleFalse = array('eventId', 'allowNonIDS', 'tags', 'from', 'to', 'last');
|
||||
foreach ($simpleFalse as $sF) {
|
||||
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
|
||||
}
|
||||
if ($type === 'null' || $type === '0' || $type === 'false') $type = 'all';
|
||||
if ($from) $from = $this->Attribute->Event->dateFieldCheck($from);
|
||||
if ($to) $to = $this->Attribute->Event->dateFieldCheck($to);
|
||||
if ($last) $last = $this->Attribute->Event->resolveTimeDelta($last);
|
||||
|
||||
if ($key != 'download') {
|
||||
// check if the key is valid -> search for users based on key
|
||||
$user = $this->checkAuthUser($key);
|
||||
|
|
@ -1786,7 +1791,7 @@ class AttributesController extends AppController {
|
|||
$this->response->type('txt'); // set the content type
|
||||
$this->header('Content-Disposition: download; filename="misp.' . $type . '.txt"');
|
||||
$this->layout = 'text/default';
|
||||
$attributes = $this->Attribute->text($this->_checkOrg(), $this->_isSiteAdmin(), $type, $tags, $eventId, $allowNonIDS, $from, $to);
|
||||
$attributes = $this->Attribute->text($this->_checkOrg(), $this->_isSiteAdmin(), $type, $tags, $eventId, $allowNonIDS, $from, $to, $last);
|
||||
$this->loadModel('Whitelist');
|
||||
$attributes = $this->Whitelist->removeWhitelistedFromArray($attributes, true);
|
||||
$this->set('attributes', $attributes);
|
||||
|
|
|
|||
|
|
@ -1707,7 +1707,7 @@ class EventsController extends AppController {
|
|||
return $difference . " " . $periods[$j] . " ago";
|
||||
}
|
||||
|
||||
public function xml($key, $eventid=null, $withAttachment = false, $tags = false, $from = false, $to = false) {
|
||||
public function xml($key, $eventid=null, $withAttachment = false, $tags = false, $from = false, $to = false, $last = false) {
|
||||
App::uses('XMLConverterTool', 'Tools');
|
||||
$converter = new XMLConverterTool();
|
||||
$this->loadModel('Whitelist');
|
||||
|
|
@ -1721,20 +1721,21 @@ class EventsController extends AppController {
|
|||
} else {
|
||||
$data = $this->request->data;
|
||||
}
|
||||
$paramArray = array('eventid', 'withAttachment', 'tags', 'from', 'to');
|
||||
$paramArray = array('eventid', 'withAttachment', 'tags', 'from', 'to', 'last');
|
||||
foreach ($paramArray as $p) {
|
||||
if (isset($data['request'][$p])) ${$p} = $data['request'][$p];
|
||||
else ${$p} = null;
|
||||
}
|
||||
}
|
||||
|
||||
$simpleFalse = array('tags', 'eventid', 'withAttachment', 'from', 'to');
|
||||
$simpleFalse = array('tags', 'eventid', 'withAttachment', 'from', 'to', 'last');
|
||||
foreach ($simpleFalse as $sF) {
|
||||
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
|
||||
}
|
||||
if ($from) $from = $this->Event->dateFieldCheck($from);
|
||||
if ($to) $to = $this->Event->dateFieldCheck($to);
|
||||
if ($tags) $tags = str_replace(';', ':', $tags);
|
||||
if ($last) $last = $this->Event->resolveTimeDelta($last);
|
||||
|
||||
$eventIdArray = array();
|
||||
|
||||
|
|
@ -1768,7 +1769,7 @@ class EventsController extends AppController {
|
|||
$final .= '<?xml version="1.0" encoding="UTF-8"?>' . PHP_EOL . '<response>' . PHP_EOL;
|
||||
|
||||
if (!$eventid) {
|
||||
$events = $this->Event->fetchEventIds($org, $isSiteAdmin, $from, $to);
|
||||
$events = $this->Event->fetchEventIds($org, $isSiteAdmin, $from, $to, $last);
|
||||
foreach ($events as $event) $eventIdArray[] = $event['Event']['id'];
|
||||
}
|
||||
|
||||
|
|
@ -1806,8 +1807,8 @@ class EventsController extends AppController {
|
|||
return $results;
|
||||
}
|
||||
|
||||
public function nids($format = 'suricata', $key = 'download', $id = false, $continue = false, $tags = false, $from = false, $to = false) {
|
||||
$simpleFalse = array('id', 'continue', 'tags', 'from', 'to');
|
||||
public function nids($format = 'suricata', $key = 'download', $id = false, $continue = false, $tags = false, $from = false, $to = false, $last = false) {
|
||||
$simpleFalse = array('id', 'continue', 'tags', 'from', 'to', 'last');
|
||||
foreach ($simpleFalse as $sF) {
|
||||
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
|
||||
}
|
||||
|
|
@ -1815,6 +1816,7 @@ class EventsController extends AppController {
|
|||
if ($from) $from = $this->Event->dateFieldCheck($from);
|
||||
if ($to) $to = $this->Event->dateFieldCheck($to);
|
||||
if ($tags) $tags = str_replace(';', ':', $tags);
|
||||
if ($last) $last = $this->Event->resolveTimeDelta($last);
|
||||
// backwards compatibility, swap key and format
|
||||
if ($format != 'snort' && $format != 'suricata') {
|
||||
$key = $format;
|
||||
|
|
@ -1842,12 +1844,12 @@ class EventsController extends AppController {
|
|||
|
||||
// display the full snort rulebase
|
||||
$this->loadModel('Attribute');
|
||||
$rules = $this->Attribute->nids($user['User']['siteAdmin'], $user['User']['org'], $format, $user['User']['nids_sid'], $id, $continue, $tags, $from, $to);
|
||||
$rules = $this->Attribute->nids($user['User']['siteAdmin'], $user['User']['org'], $format, $user['User']['nids_sid'], $id, $continue, $tags, $from, $to, $last);
|
||||
$this->set('rules', $rules);
|
||||
}
|
||||
|
||||
public function hids($type, $key='download', $tags = false, $from = false, $to = false) {
|
||||
$simpleFalse = array('tags', 'from', 'to');
|
||||
public function hids($type, $key='download', $tags = false, $from = false, $to = false, $last = false) {
|
||||
$simpleFalse = array('tags', 'from', 'to', 'last');
|
||||
foreach ($simpleFalse as $sF) {
|
||||
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
|
||||
}
|
||||
|
|
@ -1855,6 +1857,7 @@ class EventsController extends AppController {
|
|||
if ($from) $from = $this->Event->dateFieldCheck($from);
|
||||
if ($to) $to = $this->Event->dateFieldCheck($to);
|
||||
if ($tags) $tags = str_replace(';', ':', $tags);
|
||||
if ($last) $last = $this->Event->resolveTimeDelta($last);
|
||||
$this->response->type('txt'); // set the content type
|
||||
$this->header('Content-Disposition: download; filename="misp.' . $type . '.rules"');
|
||||
$this->layout = 'text/default';
|
||||
|
|
@ -1874,15 +1877,15 @@ class EventsController extends AppController {
|
|||
}
|
||||
$this->loadModel('Attribute');
|
||||
|
||||
$rules = $this->Attribute->hids($user['User']['siteAdmin'], $user['User']['org'], $type, $tags, $from, $to);
|
||||
$rules = $this->Attribute->hids($user['User']['siteAdmin'], $user['User']['org'], $type, $tags, $from, $to, $last);
|
||||
$this->set('rules', $rules);
|
||||
}
|
||||
// csv function
|
||||
// Usage: csv($key, $eventid) - key can be a valid auth key or the string 'download'. Download requires the user to be logged in interactively and will generate a .csv file
|
||||
// $eventid can be one of 3 options: left empty it will get all the visible to_ids attributes,
|
||||
// $ignore is a flag that allows the export tool to ignore the ids flag. 0 = only IDS signatures, 1 = everything.
|
||||
public function csv($key, $eventid=false, $ignore=false, $tags = false, $category=false, $type=false, $includeContext=false, $from=false, $to=false) {
|
||||
$simpleFalse = array('eventid', 'ignore', 'tags', 'category', 'type', 'includeContext', 'from', 'to');
|
||||
public function csv($key, $eventid=false, $ignore=false, $tags = false, $category=false, $type=false, $includeContext=false, $from=false, $to=false, $last = false) {
|
||||
$simpleFalse = array('eventid', 'ignore', 'tags', 'category', 'type', 'includeContext', 'from', 'to', 'last');
|
||||
foreach ($simpleFalse as $sF) {
|
||||
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
|
||||
}
|
||||
|
|
@ -1890,6 +1893,7 @@ class EventsController extends AppController {
|
|||
if ($from) $from = $this->Event->dateFieldCheck($from);
|
||||
if ($to) $to = $this->Event->dateFieldCheck($to);
|
||||
if ($tags) $tags = str_replace(';', ':', $tags);
|
||||
if ($last) $last = $this->Event->resolveTimeDelta($last);
|
||||
$list = array();
|
||||
if ($key != 'download') {
|
||||
// check if the key is valid -> search for users based on key
|
||||
|
|
@ -1926,7 +1930,7 @@ class EventsController extends AppController {
|
|||
$list[] = $attribute['Attribute']['id'];
|
||||
}
|
||||
}
|
||||
$attributes = $this->Event->csv($org, $isSiteAdmin, $eventid, $ignore, $list, $tags, $category, $type, $includeContext, $from, $to);
|
||||
$attributes = $this->Event->csv($org, $isSiteAdmin, $eventid, $ignore, $list, $tags, $category, $type, $includeContext, $from, $to, $last);
|
||||
$this->loadModel('Whitelist');
|
||||
$final = array();
|
||||
$attributes = $this->Whitelist->removeWhitelistedFromArray($attributes, true);
|
||||
|
|
@ -2384,7 +2388,7 @@ class EventsController extends AppController {
|
|||
// the last 4 fields accept the following operators:
|
||||
// && - you can use && between two search values to put a logical OR between them. for value, 1.1.1.1&&2.2.2.2 would find attributes with the value being either of the two.
|
||||
// ! - you can negate a search term. For example: google.com&&!mail would search for all attributes with value google.com but not ones that include mail. www.google.com would get returned, mail.google.com wouldn't.
|
||||
public function restSearch($key='download', $value=false, $type=false, $category=false, $org=false, $tags = false, $searchall=false, $from=false, $to=false) {
|
||||
public function restSearch($key='download', $value=false, $type=false, $category=false, $org=false, $tags = false, $searchall=false, $from=false, $to=false, $last = false) {
|
||||
if ($key!='download') {
|
||||
$user = $this->checkAuthUser($key);
|
||||
} else {
|
||||
|
|
@ -2408,14 +2412,14 @@ class EventsController extends AppController {
|
|||
} else {
|
||||
throw new BadRequestException('Either specify the search terms in the url, or POST a json array / xml (with the root element being "request" and specify the correct headers based on content type.');
|
||||
}
|
||||
$paramArray = array('value', 'type', 'category', 'org', 'tags', 'searchall', 'from', 'to');
|
||||
$paramArray = array('value', 'type', 'category', 'org', 'tags', 'searchall', 'from', 'to', 'last');
|
||||
foreach ($paramArray as $p) {
|
||||
if (isset($data['request'][$p])) ${$p} = $data['request'][$p];
|
||||
else ${$p} = null;
|
||||
}
|
||||
}
|
||||
|
||||
$simpleFalse = array('value' , 'type', 'category', 'org', 'tags', 'searchall', 'from', 'to');
|
||||
$simpleFalse = array('value' , 'type', 'category', 'org', 'tags', 'searchall', 'from', 'to', 'last');
|
||||
foreach ($simpleFalse as $sF) {
|
||||
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
|
||||
}
|
||||
|
|
@ -2423,6 +2427,7 @@ class EventsController extends AppController {
|
|||
if ($from) $from = $this->Event->dateFieldCheck($from);
|
||||
if ($to) $to = $this->Event->dateFieldCheck($to);
|
||||
if ($tags) $tags = str_replace(';', ':', $tags);
|
||||
if ($last) $last = $this->Event->resolveTimeDelta($last);
|
||||
if ($searchall === 'true') $searchall = "1";
|
||||
|
||||
$conditions['AND'] = array();
|
||||
|
|
@ -2504,6 +2509,7 @@ class EventsController extends AppController {
|
|||
|
||||
if ($from) $conditions['AND'][] = array('Event.date >=' => $from);
|
||||
if ($to) $conditions['AND'][] = array('Event.date <=' => $to);
|
||||
if ($last) $conditions['AND'][] = array('Event.publish_timestamp >=' => $last);
|
||||
|
||||
$params = array(
|
||||
'conditions' => $conditions,
|
||||
|
|
@ -2723,7 +2729,7 @@ class EventsController extends AppController {
|
|||
$conditions['OR'][] = array('Event.id =' => -1);
|
||||
}
|
||||
$this->paginate = array(
|
||||
'fields' => array('Event.id', 'Event.org', 'Event.orgc', 'Event.timestamp', 'Event.distribution', 'Event.info', 'Event.date', 'Event.published'),
|
||||
'fields' => array('Event.id', 'Event.org', 'Event.orgc', 'Event.publish_timestamp', 'Event.distribution', 'Event.info', 'Event.date', 'Event.published'),
|
||||
'conditions' => $conditions,
|
||||
'contain' => array(
|
||||
'User' => array(
|
||||
|
|
@ -2966,7 +2972,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
}
|
||||
|
||||
public function stix($key, $id = false, $withAttachments = false, $tags = false, $from = false, $to = false) {
|
||||
public function stix($key, $id = false, $withAttachments = false, $tags = false, $from = false, $to = false, $last = false) {
|
||||
if ($key != 'download') {
|
||||
// check if the key is valid -> search for users based on key
|
||||
$user = $this->checkAuthUser($key);
|
||||
|
|
@ -2993,20 +2999,21 @@ class EventsController extends AppController {
|
|||
} else {
|
||||
$data = $this->request->data;
|
||||
}
|
||||
$paramArray = array('id', 'withAttachment', 'tags', 'from', 'to');
|
||||
$paramArray = array('id', 'withAttachment', 'tags', 'from', 'to', 'last');
|
||||
foreach ($paramArray as $p) {
|
||||
if (isset($data['request'][$p])) ${$p} = $data['request'][$p];
|
||||
else ${$p} = null;
|
||||
}
|
||||
}
|
||||
|
||||
$simpleFalse = array('id', 'withAttachments', 'tags', 'from', 'to');
|
||||
$simpleFalse = array('id', 'withAttachments', 'tags', 'from', 'to', 'last');
|
||||
foreach ($simpleFalse as $sF) {
|
||||
if (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false') ${$sF} = false;
|
||||
}
|
||||
if ($from) $from = $this->Event->dateFieldCheck($from);
|
||||
if ($to) $to = $this->Event->dateFieldCheck($to);
|
||||
|
||||
if ($last) $last = $this->Event->resolveTimeDelta($last);
|
||||
|
||||
// set null if a null string is passed
|
||||
$numeric = false;
|
||||
if (is_numeric($id)) $numeric = true;
|
||||
|
|
@ -3017,7 +3024,7 @@ class EventsController extends AppController {
|
|||
$this->response->type('xml'); // set the content type
|
||||
$this->layout = 'xml/default';
|
||||
}
|
||||
$result = $this->Event->stix($id, $tags, $withAttachments, $org, $isSiteAdmin, $returnType, $from, $to);
|
||||
$result = $this->Event->stix($id, $tags, $withAttachments, $org, $isSiteAdmin, $returnType, $from, $to, $last);
|
||||
|
||||
if ($result['success'] == 1) {
|
||||
// read the output file and pass it to the view
|
||||
|
|
|
|||
|
|
@ -1164,7 +1164,7 @@ class Attribute extends AppModel {
|
|||
return $fails;
|
||||
}
|
||||
|
||||
public function hids($isSiteAdmin, $org ,$type, $tags = '') {
|
||||
public function hids($isSiteAdmin, $org ,$type, $tags = '', $from, $to, $last) {
|
||||
if (empty($org)) throw new MethodNotAllowedException('No org supplied.');
|
||||
// check if it's a valid type
|
||||
if ($type != 'md5' && $type != 'sha1') {
|
||||
|
|
@ -1197,6 +1197,9 @@ class Attribute extends AppModel {
|
|||
}
|
||||
$conditions['AND'][] = $temp;
|
||||
}
|
||||
if ($last) $conditions['AND'][] = array('Event.publish_timestamp >=' => $last);
|
||||
if ($from) $conditions['AND'][] = array('Event.date >=' => $from);
|
||||
if ($to) $conditions['AND'][] = array('Event.date <=' => $to);
|
||||
|
||||
$params = array(
|
||||
'conditions' => $conditions, //array of conditions
|
||||
|
|
@ -1210,7 +1213,7 @@ class Attribute extends AppModel {
|
|||
return $rules;
|
||||
}
|
||||
|
||||
public function nids($isSiteAdmin, $org, $format, $sid, $id = false, $continue = false, $tags = false, $from = false, $to = false) {
|
||||
public function nids($isSiteAdmin, $org, $format, $sid, $id = false, $continue = false, $tags = false, $from = false, $to = false, $last) {
|
||||
//restricting to non-private or same org if the user is not a site-admin.
|
||||
$conditions['AND'] = array('Attribute.to_ids' => 1, "Event.published" => 1);
|
||||
$valid_types = array('ip-dst', 'ip-src', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'domain', 'hostname', 'url', 'user-agent', 'snort');
|
||||
|
|
@ -1226,6 +1229,7 @@ class Attribute extends AppModel {
|
|||
if ($id) array_push($conditions['AND'], array('Event.id' => $id));
|
||||
if ($from) array_push($conditions['AND'], array('Event.date >=' => $from));
|
||||
if ($to) array_push($conditions['AND'], array('Event.date <=' => $to));
|
||||
if ($last) array_push($conditions['AND'], array('Event.publish_timestamp >=' => $last));
|
||||
|
||||
// If we sent any tags along, load the associated tag names for each attribute
|
||||
if ($tags) {
|
||||
|
|
@ -1266,13 +1270,14 @@ class Attribute extends AppModel {
|
|||
return $rules;
|
||||
}
|
||||
|
||||
public function text($org, $isSiteAdmin, $type, $tags = false, $eventId = false, $allowNonIDS = false, $from = false, $to = false) {
|
||||
public function text($org, $isSiteAdmin, $type, $tags = false, $eventId = false, $allowNonIDS = false, $from = false, $to = false, $last = false) {
|
||||
//restricting to non-private or same org if the user is not a site-admin.
|
||||
$conditions['AND'] = array();
|
||||
if (defined($allowNonIDS) && $allowNonIDS === false) $conditions['AND'] = array('Attribute.to_ids =' => 1, 'Event.published =' => 1);
|
||||
if ($type !== 'all') $conditions['AND']['Attribute.type'] = $type;
|
||||
if ($from) $conditions['AND']['Event.date >='] = $from;
|
||||
if ($to) $conditions['AND']['Event.date <='] = $to;
|
||||
if ($last) $conditions['AND']['Event.publish_timestamp >='] = $last;
|
||||
if (!$isSiteAdmin) {
|
||||
$temp = array();
|
||||
$distribution = array();
|
||||
|
|
@ -1306,10 +1311,9 @@ class Attribute extends AppModel {
|
|||
'order' => array('Attribute.value'), //string or array defining order
|
||||
'group' => array('Attribute.value'), //fields to GROUP BY
|
||||
'contain' => array('Event' => array(
|
||||
'fields' => array('Event.id', 'Event.published', 'Event.date'),
|
||||
'fields' => array('Event.id', 'Event.published', 'Event.date', 'Event.publish_timestamp'),
|
||||
|
||||
)));
|
||||
|
||||
$attributes = $this->find('all', $params);
|
||||
return $attributes;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -810,7 +810,7 @@ class Event extends AppModel {
|
|||
return null;
|
||||
}
|
||||
|
||||
public function fetchEventIds($org, $isSiteAdmin, $from = false, $to = false) {
|
||||
public function fetchEventIds($org, $isSiteAdmin, $from = false, $to = false, $last = false) {
|
||||
$conditions = array();
|
||||
if (!$isSiteAdmin) {
|
||||
$conditions['OR'] = array(
|
||||
|
|
@ -825,6 +825,7 @@ class Event extends AppModel {
|
|||
|
||||
if ($from) $conditions['AND'][] = array('Event.date >=' => $from);
|
||||
if ($to) $conditions['AND'][] = array('Event.date <=' => $to);
|
||||
if ($last) $conditions['AND'][] = array('Event.publish_timestamp >=' => $last);
|
||||
|
||||
$params = array(
|
||||
'conditions' => $conditions,
|
||||
|
|
@ -836,7 +837,7 @@ class Event extends AppModel {
|
|||
}
|
||||
|
||||
//Once the data about the user is gathered from the appropriate sources, fetchEvent is called from the controller.
|
||||
public function fetchEvent($eventid = false, $idList = false, $org, $isSiteAdmin = false, $bkgrProcess = false, $tags = false, $from = false, $to = false) {
|
||||
public function fetchEvent($eventid = false, $idList = false, $org, $isSiteAdmin = false, $bkgrProcess = false, $tags = false, $from = false, $to = false, $last = false) {
|
||||
if ($eventid) {
|
||||
$this->id = $eventid;
|
||||
if (!$this->exists()) {
|
||||
|
|
@ -867,6 +868,7 @@ class Event extends AppModel {
|
|||
|
||||
if ($from) $conditions['AND'][] = array('Event.date >=' => $from);
|
||||
if ($to) $conditions['AND'][] = array('Event.date <=' => $to);
|
||||
if ($last) $conditions['AND'][] = array('Event.publish_timestamp >=' => $last);
|
||||
|
||||
if ($idList && !$tags) {
|
||||
$conditions['AND'][] = array('Event.id' => $idList);
|
||||
|
|
@ -941,7 +943,7 @@ class Event extends AppModel {
|
|||
}
|
||||
return $results;
|
||||
}
|
||||
public function csv($org, $isSiteAdmin, $eventid=false, $ignore=false, $attributeIDList = array(), $tags = false, $category = false, $type = false, $includeContext = false, $from = false, $to = false) {
|
||||
public function csv($org, $isSiteAdmin, $eventid=false, $ignore=false, $attributeIDList = array(), $tags = false, $category = false, $type = false, $includeContext = false, $from = false, $to = false, $last) {
|
||||
$final = array();
|
||||
$attributeList = array();
|
||||
$conditions = array();
|
||||
|
|
@ -952,6 +954,7 @@ class Event extends AppModel {
|
|||
if ($eventid !== 'search') {
|
||||
if ($from) $econditions['AND'][] = array('Event.date >=' => $from);
|
||||
if ($to) $econditions['AND'][] = array('Event.date <=' => $to);
|
||||
if ($last) $econditions['AND'][] = array('Event.publish_timestamp >=' => $last);
|
||||
// This is for both single event downloads and for full downloads. Org has to be the same as the user's or distribution not org only - if the user is no siteadmin
|
||||
if(!$isSiteAdmin) $econditions['AND']['OR'] = array(
|
||||
"AND" => array(
|
||||
|
|
@ -987,6 +990,7 @@ class Event extends AppModel {
|
|||
'fields' => array('id', 'distribution', 'org', 'published', 'date'),
|
||||
);
|
||||
$events = $this->find('all', $params);
|
||||
if (empty($events)) return array();
|
||||
}
|
||||
// if we have items in events, add their IDs to the conditions. If we're a site admin, or we have a single event selected for download, this should be empty
|
||||
if (isset($events)) {
|
||||
|
|
@ -1722,11 +1726,11 @@ class Event extends AppModel {
|
|||
return false;
|
||||
}
|
||||
|
||||
public function stix($id, $tags, $attachments, $org, $isSiteAdmin, $returnType) {
|
||||
public function stix($id, $tags, $attachments, $org, $isSiteAdmin, $returnType, $last) {
|
||||
$eventIDs = $this->Attribute->dissectArgs($id);
|
||||
$tagIDs = $this->Attribute->dissectArgs($tags);
|
||||
$idList = $this->getAccessibleEventIds($eventIDs[0], $eventIDs[1], $tagIDs[0], $tagIDs[1]);
|
||||
$events = $this->fetchEvent(null, $idList, $org, $isSiteAdmin);
|
||||
$events = $this->fetchEvent(null, $idList, $org, $isSiteAdmin, false, false, false, false, $last);
|
||||
// If a second argument is passed (and it is either "yes", "true", or 1) base64 encode all of the attachments
|
||||
if ($attachments == "yes" || $attachments == "true" || $attachments == 1) {
|
||||
foreach ($events as &$event) {
|
||||
|
|
@ -1745,10 +1749,10 @@ class Event extends AppModel {
|
|||
// save the json_encoded event(s) to the temporary file
|
||||
$result = $tempFile->write(json_encode($events));
|
||||
$scriptFile = APP . "files" . DS . "scripts" . DS . "misp2stix.py";
|
||||
|
||||
|
||||
// Execute the python script and point it to the temporary filename
|
||||
$result = shell_exec('python ' . $scriptFile . ' ' . $randomFileName . ' ' . $returnType . ' ' . Configure::read('MISP.baseurl') . ' "' . Configure::read('MISP.org') . '"');
|
||||
|
||||
|
||||
// The result of the script will be a returned JSON object with 2 variables: success (boolean) and message
|
||||
// If success = 1 then the temporary output file was successfully written, otherwise an error message is passed along
|
||||
$decoded = json_decode($result);
|
||||
|
|
@ -1808,4 +1812,17 @@ class Event extends AppModel {
|
|||
// regex check for from / to field by stevengoossensB
|
||||
return (preg_match('/^[0-9]{4}-(0[1-9]|1[012])-(0[1-9]|1[0-9]|2[0-9]|3[01])$/', $date)) ? $date : false;
|
||||
}
|
||||
|
||||
//
|
||||
public function resolveTimeDelta($delta) {
|
||||
$multiplierArray = array('d' => 86400, 'h' => 3600, 'm' => 60);
|
||||
$multiplier = $multiplierArray['d'];
|
||||
$lastChar = strtolower(substr($delta, -1));
|
||||
if (!is_numeric($lastChar) && array_key_exists($lastChar, $multiplierArray)) {
|
||||
$multiplier = $multiplierArray[$lastChar];
|
||||
$delta = substr($delta, 0, -1);
|
||||
}
|
||||
if (!is_numeric($delta)) return false;
|
||||
return time() - ($delta * $multiplier);
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -24,7 +24,7 @@ You can <?php echo $this->Html->link('reset', array('controller' => 'users', 'ac
|
|||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/xml/download</pre>
|
||||
<code><request><eventid>!51</eventid><eventid>!62</eventid><withAttachment>false</withAttachment><tags>APT1</tags><tags>!OSINT</tags><from>false</from><to>2015-01-01</to></request></code><br /><br />
|
||||
<p>The xml download also accepts two additional the following optional parameters in the url: </p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/xml/download/[eventid]/[withattachments]/[tags]/[from]/[to]</pre>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/xml/download/[eventid]/[withattachments]/[tags]/[from]/[to]/[last]</pre>
|
||||
<p>
|
||||
<b>eventid</b>: Restrict the download to a single event<br />
|
||||
<b>withattachments</b>: A boolean field that determines whether attachments should be encoded and a second parameter that controls the eligible tags. <br />
|
||||
|
|
@ -33,6 +33,7 @@ You can also chain several tag commands together with the '&&' operator.
|
|||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:<br />
|
||||
<b>from</b>: Events with the date set to a date after the one specified in the from field (format: 2015-02-03)<br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br />
|
||||
<b>last</b>: Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m)<br />
|
||||
</p>
|
||||
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/xml/download/false/true/tag1&&tag2&&!tag3</pre>
|
||||
|
|
@ -43,7 +44,7 @@ Use semicolons instead (the search will automatically search for colons instead)
|
|||
<p>You can configure your tools to automatically download the following file:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/csv/download/</pre>
|
||||
<p>You can specify additional flags for CSV exports as follows::</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/csv/download/[eventid]/[ignore]/[tags]/[category]/[type]/[includeContext]/[from]/[to]</pre>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/csv/download/[eventid]/[ignore]/[tags]/[category]/[type]/[includeContext]/[from]/[to]/[last]</pre>
|
||||
<p>
|
||||
<b>eventid</b>: Restrict the download to a single event<br />
|
||||
<b>ignore</b>: Setting this flag to true will include attributes that are not marked "to_ids".<br />
|
||||
|
|
@ -55,6 +56,7 @@ Use semicolons instead (the search will automatically search for colons instead)
|
|||
<b>includeContext</b>: Include the event data with each attribute.<br />
|
||||
<b>from</b>: Events with the date set to a date after the one specified in the from field (format: 2015-02-03)<br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br />
|
||||
<b>last</b>: Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m)<br />
|
||||
</p>
|
||||
<p>For example, to only download a csv generated of the "domain" type and the "Network Activity" category attributes all events except for the one and further restricting it to events that are tagged "tag1" or "tag2" but not "tag3", only allowing attributes that are IDS flagged use the following syntax:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/csv/download/false/false/tag1&&tag2&&!tag3/Network%20Activity/domain</pre>
|
||||
|
|
@ -67,7 +69,7 @@ Use semicolons instead (the search will automatically search for colons instead)
|
|||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/nids/suricata/download
|
||||
<?php echo Configure::read('MISP.baseurl');?>/events/nids/snort/download</pre>
|
||||
<p>The full API syntax is as follows:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/nids/[format]/download/[eventid]/[frame]/[tags]/[from]/[to]</pre>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/nids/[format]/download/[eventid]/[frame]/[tags]/[from]/[to]/[last]</pre>
|
||||
<p>
|
||||
<b>format</b>: The export format, can be "suricata" or "snort"<br />
|
||||
<b>eventid</b>: Restrict the download to a single event<br />
|
||||
|
|
@ -77,6 +79,7 @@ You can also chain several tag commands together with the '&&' operator.
|
|||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:<br />
|
||||
<b>from</b>: Events with the date set to a date after the one specified in the from field (format: 2015-02-03)<br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br />
|
||||
<b>last</b>: Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m)<br />
|
||||
</p>
|
||||
<p>An example for a suricata export for all events excluding those tagged tag1, without all of the commented information at the start of the file would look like this:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/nids/suricata/download/null/true/!tag1</pre>
|
||||
|
|
@ -90,13 +93,14 @@ Use semicolons instead (the search will automatically search for colons instead)
|
|||
<h4>sha1</h4>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/hids/sha1/download</pre>
|
||||
<p>The API's full format is as follows: </p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/hids/[format]/download/[tags]/[from]/[to]</pre>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/hids/[format]/download/[tags]/[from]/[to]/[last]</pre>
|
||||
<b>format</b>: The export format, can be "md5" or "sha1"<br />
|
||||
<b>tags</b>: To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a '!'.
|
||||
You can also chain several tag commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:<br />
|
||||
<b>from</b>: Events with the date set to a date after the one specified in the from field (format: 2015-02-03)<br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br /><br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br />
|
||||
<b>last</b>: Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m)<br /><br />
|
||||
<p>For example, to only show sha1 values from events tagged tag1, use:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/hids/sha1/download/tag1</pre>
|
||||
|
||||
|
|
@ -104,7 +108,7 @@ Use semicolons instead (the search will automatically search for colons instead)
|
|||
<p>You can export MISP events in Mitre's STIX format (to read more about STIX, click <a href="https://stix.mitre.org/">here</a>). The STIX XML export is currently very slow and can lead to timeouts with larger events or collections of events. The JSON return format does not suffer from this issue. Usage:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/stix/download</pre>
|
||||
<p>Search parameters can be passed to the function via url parameters or by POSTing an xml or json object (depending on the return type). The following parameters can be passed to the STIX export tool: <code>id</code>, <code>withAttachments</code>, <code>tags</code>. Both <code>id</code> and <code>tags</code> can use the <code>&&</code> (and) and <code>!</code> (not) operators to build queries. Using the url parameters, the syntax is as follows:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/stix/download/[id]/[withAttachments]/[tags]/[from]/[to]</pre>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/stix/download/[id]/[withAttachments]/[tags]/[from]/[to]/[last]</pre>
|
||||
<p>
|
||||
<b>id</b>: The event's ID<br />
|
||||
<b>withAttachments</b>: Encode attachments where applicable<br />
|
||||
|
|
@ -112,7 +116,8 @@ Use semicolons instead (the search will automatically search for colons instead)
|
|||
You can also chain several tag commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:<br />
|
||||
<b>from</b>: Events with the date set to a date after the one specified in the from field (format: 2015-02-03)<br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br />
|
||||
<b>last</b>: Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m)
|
||||
</p>
|
||||
<p>You can post an XML or JSON object containing additional parameters in the following formats:</p>
|
||||
<p>JSON:</p>
|
||||
|
|
@ -153,7 +158,7 @@ foreach ($sigTypes as $sigType) {
|
|||
<p>As of version 2.3.38, it is possible to restrict the text exports on two additional flags. The first allows the user to restrict based on event ID, whilst the second is a boolean switch allowing non IDS flagged attributes to be exported. Additionally, choosing "all" in the type field will return all eligible attributes. </p>
|
||||
<pre>
|
||||
<?php
|
||||
echo Configure::read('MISP.baseurl').'/attributes/text/download/[type]/[tags]/[event_id]/[allowNonIDS]/[from]/[to]';
|
||||
echo Configure::read('MISP.baseurl').'/attributes/text/download/[type]/[tags]/[event_id]/[allowNonIDS]/[from]/[to]/[last]';
|
||||
?>
|
||||
</pre>
|
||||
<b>type</b>: The attribute type, any valid MISP attribute type is accepted.<br />
|
||||
|
|
@ -164,6 +169,7 @@ Use semicolons instead (the search will automatically search for colons instead)
|
|||
<b>allowNonIDS</b>: Allow attributes to be exported that are not marked as "to_ids".<br />
|
||||
<b>from</b>: Events with the date set to a date after the one specified in the from field (format: 2015-02-03)<br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br />
|
||||
<b>last</b>: Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m)<br />
|
||||
<p>For example, to retrieve all attributes for event #5, including non IDS marked attributes too, use the following line:</p>
|
||||
<pre>
|
||||
<?php
|
||||
|
|
@ -176,7 +182,7 @@ Use semicolons instead (the search will automatically search for colons instead)
|
|||
<p>To return an event with all of its attributes, relations, shadowAttributes, use the following syntax:</p>
|
||||
<pre>
|
||||
<?php
|
||||
echo Configure::read('MISP.baseurl').'/events/restSearch/download/[value]/[type]/[category]/[org]/[tag]/[quickfilter]/[from]/[to]';
|
||||
echo Configure::read('MISP.baseurl').'/events/restSearch/download/[value]/[type]/[category]/[org]/[tag]/[quickfilter]/[from]/[to]/[last]';
|
||||
?>
|
||||
</pre>
|
||||
<b>value</b>: Search for the given value in the attributes' value field.<br />
|
||||
|
|
@ -188,7 +194,8 @@ You can also chain several tag commands together with the '&&' operator.
|
|||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:<br />
|
||||
<b>quickfilter</b>: Enabling this (by passing "1" as the argument) will make the search ignore all of the other arguments, except for the auth key and value. MISP will return an xml / json (depending on the header sent) of all events that have a sub-string match on value in the event info, event orgc, or any of the attribute value1 / value2 fields, or in the attribute comment. <br />
|
||||
<b>from</b>: Events with the date set to a date after the one specified in the from field (format: 2015-02-03)<br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br /><br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br />
|
||||
<b>last</b>: Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m)<br /><br />
|
||||
<p>For example, to find any event with the term "red october" mentioned, use the following syntax (the example is shown as a POST request instead of a GET, which is highly recommended):</p>
|
||||
<p>POST to:</p>
|
||||
<pre>
|
||||
|
|
@ -213,10 +220,11 @@ Use semicolons instead (the search will automatically search for colons instead)
|
|||
You can also chain several tag commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:<br />
|
||||
<b>from</b>: Events with the date set to a date after the one specified in the from field (format: 2015-02-03)<br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br /><br />
|
||||
<b>to</b>: Events with the date set to a date before the one specified in the to field (format: 2015-02-03)<br />
|
||||
<b>last</b>: Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m)<br /><br />
|
||||
<pre>
|
||||
<?php
|
||||
echo Configure::read('MISP.baseurl').'/attributes/restSearch/download/[value]/[type]/[category]/[org]/[tag]/[from]/[to]';
|
||||
echo Configure::read('MISP.baseurl').'/attributes/restSearch/download/[value]/[type]/[category]/[org]/[tag]/[from]/[to]/[last]';
|
||||
?>
|
||||
</pre>
|
||||
<p>value, type, category and org are optional. It is possible to search for several terms in each category by joining them with the '&&' operator. It is also possible to negate a term with the '!' operator. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead).
|
||||
|
|
|
|||
Loading…
Reference in New Issue