mirror of https://github.com/MISP/MISP
fix: Some changes to the bro export
- moved the whitelisting out of the plugin - source now contains the instance host org name (if applicable), the event UUID and the creator org namepull/1544/head
Iglocska
parent
2cede15e68
commit
1991f7a208
|
|
@ -79,9 +79,7 @@ class BroExport {
|
|||
|
||||
private $whitelist = null;
|
||||
|
||||
public function export($items, $orgs, $valueField, $intel) {
|
||||
$this->Whitelist = ClassRegistry::init('Whitelist');
|
||||
$this->whitelist = $this->Whitelist->getBlockedValues();
|
||||
public function export($items, $orgs, $valueField, $intel, $whitelist, $instanceString) {
|
||||
//For bro format organisation
|
||||
$orgsName = array();
|
||||
// generate the rules
|
||||
|
|
@ -89,11 +87,11 @@ class BroExport {
|
|||
if (!isset($orgs[$item['Event']['orgc_id']])) {
|
||||
continue;
|
||||
} else {
|
||||
$orgName = $orgs[$item['Event']['orgc_id']];
|
||||
$orgName = $instanceString . ' (' . $item['Event']['uuid'] . ')' . ' - ' . $orgs[$item['Event']['orgc_id']];
|
||||
}
|
||||
$ruleFormatReference = Configure::read('MISP.baseurl') . '/events/view/' . $item['Event']['id'];
|
||||
$ruleFormat = "%s\t%s\t" . $orgName . "\t" . $ruleFormatReference . "\t%s\t%s";
|
||||
$rule = $this->__generateRule($item['Attribute'], $ruleFormat, $valueField);
|
||||
$rule = $this->__generateRule($item['Attribute'], $ruleFormat, $valueField, $whitelist);
|
||||
if (!empty($rule)) {
|
||||
if (!in_array($rule, $intel)) {
|
||||
$intel[] = $rule;
|
||||
|
|
@ -103,10 +101,10 @@ class BroExport {
|
|||
return $intel;
|
||||
}
|
||||
|
||||
private function __generateRule($attribute, $ruleFormat, $valueField) {
|
||||
private function __generateRule($attribute, $ruleFormat, $valueField, $whitelist) {
|
||||
if (isset($this->mapping[$attribute['type']])) {
|
||||
$brotype = $this->mapping[$attribute['type']]['brotype'];
|
||||
$overruled = $this->checkWhitelist($attribute['value']);
|
||||
$overruled = $this->checkWhitelist($attribute['value'], $whitelist);
|
||||
if (isset($this->mapping[$attribute['type']]['alternate'])) {
|
||||
if (preg_match($this->mapping[$attribute['type']]['alternate'][0], $attribute['value'])) {
|
||||
$brotype = $this->mapping[$attribute['type']]['alternate'][1];
|
||||
|
|
@ -151,8 +149,8 @@ class BroExport {
|
|||
return strtr($value, $replace_pairs);
|
||||
}
|
||||
|
||||
public function checkWhitelist($value) {
|
||||
foreach ($this->whitelist as $wlitem) {
|
||||
public function checkWhitelist($value, $whitelist) {
|
||||
foreach ($whitelist as $wlitem) {
|
||||
if (preg_match($wlitem, $value)) {
|
||||
return true;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1439,29 +1439,38 @@ class Attribute extends AppModel {
|
|||
|
||||
App::uses('BroExport', 'Export');
|
||||
$export = new BroExport();
|
||||
$this->Whitelist = ClassRegistry::init('Whitelist');
|
||||
$this->whitelist = $this->Whitelist->getBlockedValues();
|
||||
$instanceString = 'MISP';
|
||||
if (Configure::read('MISP.host_org_id') && Configure::read('MISP.host_org_id') > 0) {
|
||||
$this->Event->Orgc->id = Configure::read('MISP.host_org_id');
|
||||
if ($this->Event->Orgc->exists()) {
|
||||
$instanceString = $this->Event->Orgc->field('name') . ' MISP';
|
||||
}
|
||||
}
|
||||
$mispTypes = $export->getMispTypes($type);
|
||||
$intel = array();
|
||||
foreach($mispTypes as $mispType) {
|
||||
$conditions['AND']['Attribute.type'] = $mispType[0];
|
||||
$intel = $this->__bro($intel, $user, $conditions, $mispType[1], $export);
|
||||
$intel = $this->__bro($intel, $user, $conditions, $mispType[1], $export, $this->whitelist, $instanceString);
|
||||
}
|
||||
return $intel;
|
||||
}
|
||||
|
||||
private function __bro($intel, $user, $conditions, $valueField, $export) {
|
||||
private function __bro($intel, $user, $conditions, $valueField, $export, $whitelist, $instanceString) {
|
||||
$attributes = $this->fetchAttributes($user, array(
|
||||
'conditions' => $conditions, // array of conditions
|
||||
'order' => 'Attribute.value' . $valueField . ' ASC',
|
||||
'recursive' => -1, // int
|
||||
'fields' => array('Attribute.id', 'Attribute.event_id', 'Attribute.type', 'Attribute.value' . $valueField . " as value"),
|
||||
'contain' => array('Event' => array('fields' => array('Event.id', 'Event.threat_level_id', 'Event.orgc_id'))),
|
||||
'contain' => array('Event' => array('fields' => array('Event.id', 'Event.threat_level_id', 'Event.orgc_id', 'Event.uuid'))),
|
||||
'group' => array('Attribute.type', 'Attribute.value' . $valueField), // fields to GROUP BY
|
||||
)
|
||||
);
|
||||
$orgs = $this->Event->Orgc->find('list', array(
|
||||
'fields' => array('Orgc.id', 'Orgc.name')
|
||||
));
|
||||
return $export->export($attributes, $orgs, $valueField, $intel);
|
||||
return $export->export($attributes, $orgs, $valueField, $intel, $whitelist, $instanceString);
|
||||
}
|
||||
|
||||
public function generateCorrelation($jobId = false, $startPercentage = 0) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue