Merge branch 'new_mactime_feature' into mactime_merge

pull/3910/head
iglocska 2018-11-23 14:52:43 +01:00
commit 1ca46ea6ff
4 changed files with 392 additions and 13 deletions


@ -2704,7 +2704,7 @@ class EventsController extends AppController
return new CakeResponse(array('body'=> implode(PHP_EOL, $rules), 'status' => 200, 'type' => 'txt'));
}
// csv function ***DEPRECATED***
// csv function (DEPCRECATED)
// Usage: csv($key, $eventid) - key can be a valid auth key or the string 'download'. Download requires the user to be logged in interactively and will generate a .csv file
// $eventid can be one of 3 options: left empty it will get all the visible to_ids attributes,
// $ignore is a flag that allows the export tool to ignore the ids flag. 0 = only IDS signatures, 1 = everything.
@ -2780,12 +2780,12 @@ class EventsController extends AppController
$fileAccessTool = new FileAccessTool();
$iocData = $fileAccessTool->readFromFile($this->data['Event']['submittedioc']['tmp_name'], $this->data['Event']['submittedioc']['size']);
// write
$attachments_dir = Configure::read('MISP.attachments_dir');
// write
$attachments_dir = Configure::read('MISP.attachments_dir');
if (empty($attachments_dir)) {
$attachments_dir = $this->Event->getDefaultAttachments_dir();
}
$rootDir = $attachments_dir . DS . $id . DS;
$attachments_dir = $this->Event->getDefaultAttachments_dir();
}
$rootDir = $attachments_dir . DS . $id . DS;
App::uses('Folder', 'Utility');
$dir = new Folder($rootDir . 'ioc', true);
$destPath = $rootDir . 'ioc';
@ -4019,7 +4019,12 @@ class EventsController extends AppController
'url' => '/attributes/add_threatconnect/' . $id,
'text' => 'ThreatConnect Import',
'ajax' => false
)
),
'Forensic analysis' => array(
'url' => '/events/upload_analysis_file/'.$id,
'text' => 'Forensic analysis - Mactime',
'ajax' => false,
)
);
$this->loadModel('Module');
$modules = $this->Module->getEnabledModules($this->Auth->user(), false, 'Import');
@ -5130,4 +5135,125 @@ class EventsController extends AppController
}
return $this->RestResponse->viewData($response, $this->response->type());
}
public function upload_analysis_file($eventId)
{
$data = array();
$this->set('eventId', $eventId);
$this->set('file_uploaded', "0");
$this->set('file_name', "");
if (!$this->userRole['perm_modify']) {
throw new UnauthorizedException('You do not have permission to do that.');
}
if ($this->request->is('post') && !empty($this->request['data']['Event']['analysis_file']['name'])) {
$this->set('file_uploaded', "1");
$this->set('file_name', $this->request['data']['Event']['analysis_file']['name']);
$this->set('file_content', file_get_contents($this->request['data']['Event']['analysis_file']['tmp_name']));
//$result = $this->Event->upload_mactime($this->Auth->user(), );
} elseif ($this->request->is('post') && $this->request['data']['SelectedData']['mactime_data']) {
$fileName = $this->request['data']['SelectedData']['mactime_file_name'];
$fileData = $this->request['data']['SelectedData']['mactime_file_content'];
$object = array();
$data = json_decode($this->request['data']['SelectedData']['mactime_data'], true);
$firstObject = 1;
foreach ($data as $objectData) {
$object['Object'] = array(
'name' => 'mactime-timeline-analysis',
'meta-category' => 'file',
'description' => 'Mactime template, used in forensic investigations to describe the timeline of a file activity',
'template_version' => 1,
'template_uuid' => '9297982e-be62-4772-a665-c91f5a8d639'
);
$object['Attribute'] = array(
[
"event_id" => $eventId,
"category"=> "Other",
"type" => "text",
"to_ids" => false,
"distribution" => "5",
"object_relation" => "filepath",
"value" => $objectData['filepath']
],
[
"event_id" => $eventId,
"category" => "Other",
"type" => "datetime",
"to_ids" => false,
"distribution" => "5",
"object_relation" => "datetime",
"value" => $objectData['time_accessed']
],
[
"event_id" => $eventId,
"category" => "Other",
"type" => "text",
"to_ids" => false,
"distribution" => "5",
"object_relation" => "fileSize",
"value" => $objectData['file_size']
],
[
"event_id" => $eventId,
"category" => "Other",
"type" => "text",
"to_ids" => false,
"distribution" => "5",
"object_relation" => "activityType",
"value" => $objectData['activity_type']
],
[
"event_id" => $eventId,
"category" => "Other",
"type" => "text",
"to_ids" => false,
"distribution" => "5",
"object_relation" => "filePermissions",
"value" => $objectData['permissions']
],
[
"event_id" => $eventId,
"category" => "External analysis",
"type" => "attachment",
"to_ids" => false,
"distribution" => "5",
"object_relation" => "file",
"value" => $fileName,
"data" => base64_encode($fileData),
"comment" => "Mactime source file"
]
);
$this->loadModel('MispObject');
$ObjectResult = $this->MispObject->saveObject($object, $eventId, "", "");
$temp = $this->MispObject->ObjectReference->Object->find('first', array(
'recursive' => -1,
'fields' => array('Object.uuid','Object.id'),
'conditions' => array('Object.id' =>$ObjectResult)
));
if ($firstObject === 0) {
$objectRef['referenced_id'] = $PreviousObjRef['Object']['id'];
$objectRef['referenced_uuid'] = $PreviousObjRef['Object']['uuid'];
$objectRef['object_id'] = $ObjectResult;
$objectRef['relationship_type'] = "preceded-by";
$this->loadModel('MispObject');
$result = $this->MispObject->ObjectReference->captureReference($objectRef, $eventId, $this->Auth->user(), false);
$objectRef['referenced_id'] = $temp['Object']['id'];
$objectRef['referenced_uuid'] = $temp['Object']['uuid'];
$objectRef['object_id'] = $PreviousObjRef['Object']['id'];
$objectRef['relationship_type'] = "followed-by";
$this->loadModel('MispObject');
$result = $this->MispObject->ObjectReference->captureReference($objectRef, $eventId, $this->Auth->user(), false);
$PreviousObjRef = $temp;
} else {
$PreviousObjRef = $temp;
$firstObject = 0;
}
}
$this->redirect('/events/view/' . $eventId);
}
}
}
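Review bot: The `template_uuid` `'9297982e-be62-4772-a665-c91f5a8d639'` in upload_analysis_file has an 11-character final group, so it is not a well-formed UUID and cannot match the object template it is meant to reference; the value should be copied from the template definition rather than retyped. The same action decodes `mactime_data` with `json_decode(..., true)` and iterates it without checking the result, so a malformed or non-array body reaches `foreach` and every `$objectData[...]` read becomes `null`; a guard such as `if (!is_array($data)) { throw new BadRequestException('Invalid mactime data.'); }` before the loop would reject it. The upload branch also reads `file_get_contents($this->request['data']['Event']['analysis_file']['tmp_name'])` directly, whereas the submittedioc path earlier in this file goes through `FileAccessTool->readFromFile()` with a size bound; using the same helper here would keep upload handling consistent. Note that `mactime_file_name` and `mactime_file_content` are posted back by the client and stored as the attachment value and data as-is, so any filename sanitising has to happen in saveObject, which is not visible in this hunk.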


@ -0,0 +1,256 @@
<div class="events form">
<?php
echo $this->Form->create('Event', array('type' => 'file'));
?>
<fieldset>
<legend><?php echo __('Import analysis file'); ?></legend>
<?php
echo $this->Form->input('analysis_file', array(
'label' => '<b>Analysis file</b>',
'type' => 'file',
));
?>
<div class="input clear"></div>
<?php
// echo $this->Form->input('publish', array(
// 'checked' => false,
// 'label' => __('Publish imported events'),
// ));
?>
</fieldset>
<?php
echo $this->Form->button(__('Upload'), array('class' => 'btn btn-primary'));
echo $this->Form->end();
?>
<div id="afterUpload" style="display:none;">
<div id="object_templates" style="display:none;">
<div class="">
<?php
echo $this->Form->create('SelectedData', array('enctype' => 'application/Json'));
?>
<div style="display:none;">
<fieldset>
<?php
echo $this->Form->input('mactime_data', array(
'type' => 'text'
));
?>
<div class="input clear"></div>
<?php
?>
<?php
echo $this->Form->input('mactime_file_content', array(
'type' => 'text'
));
?>
<div class="input clear"></div>
<?php
?>
<?php
echo $this->Form->input('mactime_file_name', array(
'type' => 'text'
));
?>
<div class="input clear"></div>
<?php
?>
</fieldset>
</div>
<?php
echo $this->Form->button(__('Create Objects'), array('class' => 'btn btn-primary'));
echo $this->Form->end();
?>
</div>
</div>
<div style="clear:both;"></div>
<input id="file_name" type="hidden" value="<?php if($file_uploaded == "1") { echo h($file_name); } ?>">
<div id="accordion1" style="">
<h3>Select text for further analysis</h3>
<div id="textToSelect" class="raisedbox noselect">
<div id="fileContent" style="display:none;">
<p>
<?php
if($file_uploaded == "1")
{
echo h(nl2br($file_content));
}
?>
</p>
</div>
<table id="individualLines" class="selectedLines">
<thead>
<th>Select</th>
<th>Filepath</th>
<th>File Size</th>
<th>Activity Type</th>
<th>Time Accessed</th>
<th>Permissions</th>
</thead>
<tbody></tbody>
</table>
</div>
</div>
<div style="clear:both;"></div>
</div>
</div>
<?php
echo $eventId;
$event['Event']['id'] = $eventId;
echo $this->element('side_menu', array('menuList' => 'event', 'menuItem' => 'addAttribute', 'event' => $event));
?>
<style>
.selectedLines td,
.selectedLines th {
border:solid 2px #0044cc;
}
.selectedLines
{
width: 100%;
}
.noselect {
cursor: default;
-webkit-touch-callout: none;
-webkit-user-select: none;
-khtml-user-select: none;
-moz-user-select: none;
-ms-user-select: none;
user-select: none;
}
</style>
<script>
var afterUpload = "<?php echo $file_uploaded; ?>";
var selText = clearText =fileContent = '';
var linesArray = [];
var rowSelected;
$("#accordion1").accordion({
heightStyle: "content"
})
$("#accordion2").accordion({
heightStyle: "content"
})
if(afterUpload == 1)
{
$('#afterUpload').show();
fileContent = $("#fileContent").text()
$('#SelectedDataMactimeFileContent').val(fileContent);
$('#SelectedDataMactimeFileName').val($("#file_name").val());
linesArray = $("#fileContent").text().trim().split("<br />");
$("#fileContent").empty();
for(var i=0; i<linesArray.length;i++)
{
processString(linesArray[i]);
}
}
$("input[type='checkbox']").change(function (e) {
var SelectedData = new Array();
var i = 0;
$('#individualLines').find('tr').each(function () {
var row = $(this);
if (row.find('input[type="checkbox"]').is(':checked')) {
SelectedData[i]={
"filepath" : $(row).find('td:eq(1)').text(),
"file_size" :$(row).find('td:eq(2)').text(),
"activity_type" : $(row).find('td:eq(3)').text(),
"time_accessed" : $(row).find('td:eq(4)').text(),
"permissions" : $(row).find('td:eq(5)').text(),
"file_name" : $("#file_name").val()
}
i++;
}
});
if(i > 0)
{
$('#object_templates').show();
SelectedData =JSON.stringify(SelectedData);
$('#SelectedDataMactimeData').val(SelectedData);
}
else
$('#object_templates').hide();
});
function processString(text)
{
var time_accessed = "";
var size =activity_type = permissions = file_path = activity = time_accessed = "";
//full date and time expression
var Regx1 = /(Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s(\d\d?).+?(\d\d\d\d)\s([01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]/;
//time expressions
var Regx2 = new RegExp("([01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]");
var arr = Regx1.exec(text);
if(Regx2.exec(text) != null)
{
if(arr != null)
{
time_accessed = arr[0];
text = text.replace(arr[0],'').trim();
}
text = text.replace(/[\n\r]/g, '').trim();
seperate_analysis = text.split(/[ ]+/);
size = seperate_analysis[0];
activity_type = seperate_analysis[1];
if(activity_type.includes('a'))
{
activity = "Accessed";
}
if(activity_type.includes('b'))
{
activity += (activity != '')?',':'';
activity += "Created";
}
if(activity_type.includes('c'))
{
activity += (activity != '')?',':'';
activity += "Changed";
}
if(activity_type.includes('m'))
{
activity += (activity != '')?',':'';
activity += "Modified";
}
permissions = seperate_analysis[2];
filepath = seperate_analysis[6]
if(seperate_analysis[7])
{
filepath += seperate_analysis[7];
}
$("#individualLines").find('tbody')
.append($('<tr>')
.append($('<td>').html('<input type="checkbox" class="select"></input>'))
.append($('<td>').text(filepath))
.append($('<td>').text(size))
.append($('<td>').text(activity))
.append($('<td>').text(time_accessed))
.append($('<td>').text(permissions))
);
}
}
function unhighlight(){
var fileTable = document.getElementById('individualLines');
for (var i=0;i < fileTable.rows.length;i++){
var row = fileTable.rows[i];
row.style.backgroundColor='transparent';
row.hilite = false;
}
}
</script>
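Review bot: `echo $eventId;` near the end of the template writes the URL parameter into the page unescaped, unlike the `h($file_name)` used a few lines earlier; it reads like a leftover debug print and should either be removed or become `echo h($eventId);`. In `processString`, `filepath = seperate_analysis[6]` only re-attaches the next token, so a path containing more than one space is truncated and the space itself is dropped; joining the remainder with `filepath = seperate_analysis.slice(6).join(' ');` keeps the whole name. `seperate_analysis` and `filepath` are also assigned without `var`, making them implicit globals, and `activity_type.includes(...)` throws when a line yields fewer than two tokens, so the split result's length should be checked before indexing. Finally, `echo h(nl2br($file_content))` only works because the escaped `<br />` text is later split on literally in `linesArray = $("#fileContent").text().trim().split("<br />")`; a comment saying so would stop the next reader from "fixing" the call order.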


@ -25,13 +25,10 @@
echo $this->Html->css($css);
}
echo $this->Html->css('print', 'stylesheet', array('media' => 'print'));
echo $this->fetch('meta');
echo $this->fetch('css');
echo $this->fetch('script');
echo $this->Html->css('jquery-ui');
echo $this->Html->script('jquery'); // Include jQuery library
echo $this->Html->script('misp-touch'); // touch interface support
echo $this->Html->script('jquery-ui'); // UI support
?>
</head>
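Review bot: The `jquery-ui` stylesheet and script appear to be the lines this hunk adds to the shared head (the rendered diff lost its +/- markers, so this is inferred), which makes every page load jQuery UI although only the new upload_analysis_file view calls `.accordion()`. If that is the intent, a short comment such as `// jquery-ui: required by views using .accordion() (events/upload_analysis_file)` would record why the global include exists; otherwise loading it from that view would keep the layout lean. The hunk header also reports three more deletions than additions while no removed lines are distinguishable here, so the rendered page likely dropped lines and the hunk should be checked against the raw diff.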


@ -2,7 +2,7 @@
"prefer-stable": true,
"minimum-stability": "dev",
"require": {
"kamisama/cake-resque": "@stable",
"kamisama/cake-resque": "4.1.2",
"pear/crypt_gpg": "@stable",
"pear/net_geoip": "@dev"
},