Merge branch 'new_mactime_feature' into mactime_merge
commit
1ca46ea6ff
|
@ -2704,7 +2704,7 @@ class EventsController extends AppController
|
|||
return new CakeResponse(array('body'=> implode(PHP_EOL, $rules), 'status' => 200, 'type' => 'txt'));
|
||||
}
|
||||
|
||||
// csv function ***DEPRECATED***
|
||||
// csv function (DEPCRECATED)
|
||||
// Usage: csv($key, $eventid) - key can be a valid auth key or the string 'download'. Download requires the user to be logged in interactively and will generate a .csv file
|
||||
// $eventid can be one of 3 options: left empty it will get all the visible to_ids attributes,
|
||||
// $ignore is a flag that allows the export tool to ignore the ids flag. 0 = only IDS signatures, 1 = everything.
|
||||
|
@ -2780,12 +2780,12 @@ class EventsController extends AppController
|
|||
$fileAccessTool = new FileAccessTool();
|
||||
$iocData = $fileAccessTool->readFromFile($this->data['Event']['submittedioc']['tmp_name'], $this->data['Event']['submittedioc']['size']);
|
||||
|
||||
// write
|
||||
$attachments_dir = Configure::read('MISP.attachments_dir');
|
||||
// write
|
||||
$attachments_dir = Configure::read('MISP.attachments_dir');
|
||||
if (empty($attachments_dir)) {
|
||||
$attachments_dir = $this->Event->getDefaultAttachments_dir();
|
||||
}
|
||||
$rootDir = $attachments_dir . DS . $id . DS;
|
||||
$attachments_dir = $this->Event->getDefaultAttachments_dir();
|
||||
}
|
||||
$rootDir = $attachments_dir . DS . $id . DS;
|
||||
App::uses('Folder', 'Utility');
|
||||
$dir = new Folder($rootDir . 'ioc', true);
|
||||
$destPath = $rootDir . 'ioc';
|
||||
|
@ -4019,7 +4019,12 @@ class EventsController extends AppController
|
|||
'url' => '/attributes/add_threatconnect/' . $id,
|
||||
'text' => 'ThreatConnect Import',
|
||||
'ajax' => false
|
||||
)
|
||||
),
|
||||
'Forensic analysis' => array(
|
||||
'url' => '/events/upload_analysis_file/'.$id,
|
||||
'text' => 'Forensic analysis - Mactime',
|
||||
'ajax' => false,
|
||||
)
|
||||
);
|
||||
$this->loadModel('Module');
|
||||
$modules = $this->Module->getEnabledModules($this->Auth->user(), false, 'Import');
|
||||
|
@ -5130,4 +5135,125 @@ class EventsController extends AppController
|
|||
}
|
||||
return $this->RestResponse->viewData($response, $this->response->type());
|
||||
}
|
||||
public function upload_analysis_file($eventId)
|
||||
{
|
||||
$data = array();
|
||||
$this->set('eventId', $eventId);
|
||||
$this->set('file_uploaded', "0");
|
||||
$this->set('file_name', "");
|
||||
|
||||
if (!$this->userRole['perm_modify']) {
|
||||
throw new UnauthorizedException('You do not have permission to do that.');
|
||||
}
|
||||
|
||||
if ($this->request->is('post') && !empty($this->request['data']['Event']['analysis_file']['name'])) {
|
||||
$this->set('file_uploaded', "1");
|
||||
$this->set('file_name', $this->request['data']['Event']['analysis_file']['name']);
|
||||
$this->set('file_content', file_get_contents($this->request['data']['Event']['analysis_file']['tmp_name']));
|
||||
|
||||
//$result = $this->Event->upload_mactime($this->Auth->user(), );
|
||||
} elseif ($this->request->is('post') && $this->request['data']['SelectedData']['mactime_data']) {
|
||||
$fileName = $this->request['data']['SelectedData']['mactime_file_name'];
|
||||
$fileData = $this->request['data']['SelectedData']['mactime_file_content'];
|
||||
$object = array();
|
||||
$data = json_decode($this->request['data']['SelectedData']['mactime_data'], true);
|
||||
$firstObject = 1;
|
||||
foreach ($data as $objectData) {
|
||||
$object['Object'] = array(
|
||||
'name' => 'mactime-timeline-analysis',
|
||||
'meta-category' => 'file',
|
||||
'description' => 'Mactime template, used in forensic investigations to describe the timeline of a file activity',
|
||||
'template_version' => 1,
|
||||
'template_uuid' => '9297982e-be62-4772-a665-c91f5a8d639'
|
||||
);
|
||||
|
||||
$object['Attribute'] = array(
|
||||
[
|
||||
"event_id" => $eventId,
|
||||
"category"=> "Other",
|
||||
"type" => "text",
|
||||
"to_ids" => false,
|
||||
"distribution" => "5",
|
||||
"object_relation" => "filepath",
|
||||
"value" => $objectData['filepath']
|
||||
],
|
||||
[
|
||||
"event_id" => $eventId,
|
||||
"category" => "Other",
|
||||
"type" => "datetime",
|
||||
"to_ids" => false,
|
||||
"distribution" => "5",
|
||||
"object_relation" => "datetime",
|
||||
"value" => $objectData['time_accessed']
|
||||
],
|
||||
[
|
||||
"event_id" => $eventId,
|
||||
"category" => "Other",
|
||||
"type" => "text",
|
||||
"to_ids" => false,
|
||||
"distribution" => "5",
|
||||
"object_relation" => "fileSize",
|
||||
"value" => $objectData['file_size']
|
||||
],
|
||||
[
|
||||
"event_id" => $eventId,
|
||||
"category" => "Other",
|
||||
"type" => "text",
|
||||
"to_ids" => false,
|
||||
"distribution" => "5",
|
||||
"object_relation" => "activityType",
|
||||
"value" => $objectData['activity_type']
|
||||
],
|
||||
[
|
||||
"event_id" => $eventId,
|
||||
"category" => "Other",
|
||||
"type" => "text",
|
||||
"to_ids" => false,
|
||||
"distribution" => "5",
|
||||
"object_relation" => "filePermissions",
|
||||
"value" => $objectData['permissions']
|
||||
],
|
||||
[
|
||||
"event_id" => $eventId,
|
||||
"category" => "External analysis",
|
||||
"type" => "attachment",
|
||||
"to_ids" => false,
|
||||
"distribution" => "5",
|
||||
"object_relation" => "file",
|
||||
"value" => $fileName,
|
||||
"data" => base64_encode($fileData),
|
||||
"comment" => "Mactime source file"
|
||||
]
|
||||
|
||||
);
|
||||
$this->loadModel('MispObject');
|
||||
$ObjectResult = $this->MispObject->saveObject($object, $eventId, "", "");
|
||||
$temp = $this->MispObject->ObjectReference->Object->find('first', array(
|
||||
'recursive' => -1,
|
||||
'fields' => array('Object.uuid','Object.id'),
|
||||
'conditions' => array('Object.id' =>$ObjectResult)
|
||||
));
|
||||
|
||||
if ($firstObject === 0) {
|
||||
$objectRef['referenced_id'] = $PreviousObjRef['Object']['id'];
|
||||
$objectRef['referenced_uuid'] = $PreviousObjRef['Object']['uuid'];
|
||||
$objectRef['object_id'] = $ObjectResult;
|
||||
$objectRef['relationship_type'] = "preceded-by";
|
||||
$this->loadModel('MispObject');
|
||||
$result = $this->MispObject->ObjectReference->captureReference($objectRef, $eventId, $this->Auth->user(), false);
|
||||
$objectRef['referenced_id'] = $temp['Object']['id'];
|
||||
$objectRef['referenced_uuid'] = $temp['Object']['uuid'];
|
||||
$objectRef['object_id'] = $PreviousObjRef['Object']['id'];
|
||||
$objectRef['relationship_type'] = "followed-by";
|
||||
$this->loadModel('MispObject');
|
||||
$result = $this->MispObject->ObjectReference->captureReference($objectRef, $eventId, $this->Auth->user(), false);
|
||||
$PreviousObjRef = $temp;
|
||||
} else {
|
||||
$PreviousObjRef = $temp;
|
||||
$firstObject = 0;
|
||||
}
|
||||
}
|
||||
$this->redirect('/events/view/' . $eventId);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
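Review bot: `upload_analysis_file` gates on the role flag `perm_modify` only (L162) and never loads the event behind `$eventId`, so any user holding that role can attach mactime objects and object references to an event they may not be allowed to edit, and a non-existent id is presumably only noticed when `saveObject` on L413 fails. The `elseif` on L190 reads `SelectedData.mactime_data` without `isset`, the `json_decode` result on L202 is iterated without checking it is an array, and the `$objectData[...]` keys on L258–L366 are taken on trust, so malformed input produces PHP notices instead of a clear error. `file_get_contents` on L182 should be preceded by `is_uploaded_file()` on the `tmp_name`, and the hard-coded `template_uuid` on L226 has an 11-character final group, so it is not a well-formed UUID and should be verified against the object template definition. The sketch below adds the event lookup and input validation at the top of the post branch; the per-event edit check should reuse whatever helper the other mutating actions in this controller already use.
```php
public function upload_analysis_file($eventId)
{
    // … unchanged: view variable setup and perm_modify check …
    $event = $this->Event->find('first', array(
        'conditions' => array('Event.id' => $eventId),
        'recursive' => -1,
    ));
    if (empty($event)) {
        throw new NotFoundException(__('Invalid event.'));
    }
    // TODO(review): apply the same per-event edit check the other mutating actions use
    if ($this->request->is('post') && !empty($this->request['data']['Event']['analysis_file']['tmp_name'])) {
        $tmpName = $this->request['data']['Event']['analysis_file']['tmp_name'];
        if (!is_uploaded_file($tmpName)) {
            throw new BadRequestException(__('Invalid upload.'));
        }
        // … unchanged: file_uploaded / file_name / file_content view variables …
    } elseif ($this->request->is('post') && !empty($this->request['data']['SelectedData']['mactime_data'])) {
        $data = json_decode($this->request['data']['SelectedData']['mactime_data'], true);
        if (!is_array($data)) {
            throw new BadRequestException(__('Invalid mactime data.'));
        }
        // … unchanged: object construction loop, saveObject, captureReference, redirect …
    }
}
```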
@ -0,0 +1,256 @@
|
|||
<div class="events form">
|
||||
<?php
|
||||
echo $this->Form->create('Event', array('type' => 'file'));
|
||||
?>
|
||||
<fieldset>
|
||||
<legend><?php echo __('Import analysis file'); ?></legend>
|
||||
<?php
|
||||
echo $this->Form->input('analysis_file', array(
|
||||
'label' => '<b>Analysis file</b>',
|
||||
'type' => 'file',
|
||||
));
|
||||
?>
|
||||
<div class="input clear"></div>
|
||||
<?php
|
||||
// echo $this->Form->input('publish', array(
|
||||
// 'checked' => false,
|
||||
// 'label' => __('Publish imported events'),
|
||||
// ));
|
||||
?>
|
||||
</fieldset>
|
||||
<?php
|
||||
echo $this->Form->button(__('Upload'), array('class' => 'btn btn-primary'));
|
||||
echo $this->Form->end();
|
||||
?>
|
||||
<div id="afterUpload" style="display:none;">
|
||||
<div id="object_templates" style="display:none;">
|
||||
<div class="">
|
||||
<?php
|
||||
echo $this->Form->create('SelectedData', array('enctype' => 'application/Json'));
|
||||
?>
|
||||
<div style="display:none;">
|
||||
<fieldset>
|
||||
<?php
|
||||
echo $this->Form->input('mactime_data', array(
|
||||
'type' => 'text'
|
||||
));
|
||||
?>
|
||||
<div class="input clear"></div>
|
||||
<?php
|
||||
?>
|
||||
<?php
|
||||
echo $this->Form->input('mactime_file_content', array(
|
||||
'type' => 'text'
|
||||
));
|
||||
?>
|
||||
<div class="input clear"></div>
|
||||
<?php
|
||||
?>
|
||||
<?php
|
||||
echo $this->Form->input('mactime_file_name', array(
|
||||
'type' => 'text'
|
||||
));
|
||||
?>
|
||||
<div class="input clear"></div>
|
||||
<?php
|
||||
?>
|
||||
</fieldset>
|
||||
</div>
|
||||
|
||||
<?php
|
||||
echo $this->Form->button(__('Create Objects'), array('class' => 'btn btn-primary'));
|
||||
echo $this->Form->end();
|
||||
?>
|
||||
</div>
|
||||
</div>
|
||||
<div style="clear:both;"></div>
|
||||
<input id="file_name" type="hidden" value="<?php if($file_uploaded == "1") { echo h($file_name); } ?>">
|
||||
<div id="accordion1" style="">
|
||||
<h3>Select text for further analysis</h3>
|
||||
<div id="textToSelect" class="raisedbox noselect">
|
||||
<div id="fileContent" style="display:none;">
|
||||
<p>
|
||||
<?php
|
||||
if($file_uploaded == "1")
|
||||
{
|
||||
echo h(nl2br($file_content));
|
||||
}
|
||||
?>
|
||||
</p>
|
||||
</div>
|
||||
<table id="individualLines" class="selectedLines">
|
||||
<thead>
|
||||
<th>Select</th>
|
||||
<th>Filepath</th>
|
||||
<th>File Size</th>
|
||||
<th>Activity Type</th>
|
||||
<th>Time Accessed</th>
|
||||
<th>Permissions</th>
|
||||
</thead>
|
||||
<tbody></tbody>
|
||||
</table>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<div style="clear:both;"></div>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
|
||||
<?php
|
||||
echo $eventId;
|
||||
$event['Event']['id'] = $eventId;
|
||||
echo $this->element('side_menu', array('menuList' => 'event', 'menuItem' => 'addAttribute', 'event' => $event));
|
||||
?>
|
||||
<style>
|
||||
.selectedLines td,
|
||||
.selectedLines th {
|
||||
border:solid 2px #0044cc;
|
||||
}
|
||||
.selectedLines
|
||||
{
|
||||
width: 100%;
|
||||
}
|
||||
.noselect {
|
||||
cursor: default;
|
||||
-webkit-touch-callout: none;
|
||||
-webkit-user-select: none;
|
||||
-khtml-user-select: none;
|
||||
-moz-user-select: none;
|
||||
-ms-user-select: none;
|
||||
user-select: none;
|
||||
}
|
||||
</style>
|
||||
<script>
|
||||
var afterUpload = "<?php echo $file_uploaded; ?>";
|
||||
var selText = clearText =fileContent = '';
|
||||
var linesArray = [];
|
||||
var rowSelected;
|
||||
$("#accordion1").accordion({
|
||||
heightStyle: "content"
|
||||
})
|
||||
$("#accordion2").accordion({
|
||||
heightStyle: "content"
|
||||
})
|
||||
if(afterUpload == 1)
|
||||
{
|
||||
$('#afterUpload').show();
|
||||
fileContent = $("#fileContent").text()
|
||||
$('#SelectedDataMactimeFileContent').val(fileContent);
|
||||
$('#SelectedDataMactimeFileName').val($("#file_name").val());
|
||||
linesArray = $("#fileContent").text().trim().split("<br />");
|
||||
$("#fileContent").empty();
|
||||
for(var i=0; i<linesArray.length;i++)
|
||||
{
|
||||
processString(linesArray[i]);
|
||||
|
||||
}
|
||||
}
|
||||
$("input[type='checkbox']").change(function (e) {
|
||||
|
||||
var SelectedData = new Array();
|
||||
var i = 0;
|
||||
$('#individualLines').find('tr').each(function () {
|
||||
var row = $(this);
|
||||
if (row.find('input[type="checkbox"]').is(':checked')) {
|
||||
|
||||
SelectedData[i]={
|
||||
"filepath" : $(row).find('td:eq(1)').text(),
|
||||
"file_size" :$(row).find('td:eq(2)').text(),
|
||||
"activity_type" : $(row).find('td:eq(3)').text(),
|
||||
"time_accessed" : $(row).find('td:eq(4)').text(),
|
||||
"permissions" : $(row).find('td:eq(5)').text(),
|
||||
"file_name" : $("#file_name").val()
|
||||
}
|
||||
i++;
|
||||
}
|
||||
|
||||
});
|
||||
if(i > 0)
|
||||
{
|
||||
$('#object_templates').show();
|
||||
SelectedData =JSON.stringify(SelectedData);
|
||||
$('#SelectedDataMactimeData').val(SelectedData);
|
||||
}
|
||||
else
|
||||
$('#object_templates').hide();
|
||||
|
||||
|
||||
|
||||
});
|
||||
|
||||
|
||||
function processString(text)
|
||||
{
|
||||
var time_accessed = "";
|
||||
var size =activity_type = permissions = file_path = activity = time_accessed = "";
|
||||
//full date and time expression
|
||||
var Regx1 = /(Mon|Tue|Wed|Thu|Fri|Sat|Sun)\s(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s(\d\d?).+?(\d\d\d\d)\s([01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]/;
|
||||
//time expressions
|
||||
var Regx2 = new RegExp("([01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]");
|
||||
var arr = Regx1.exec(text);
|
||||
|
||||
if(Regx2.exec(text) != null)
|
||||
{
|
||||
if(arr != null)
|
||||
{
|
||||
time_accessed = arr[0];
|
||||
text = text.replace(arr[0],'').trim();
|
||||
}
|
||||
|
||||
text = text.replace(/[\n\r]/g, '').trim();
|
||||
seperate_analysis = text.split(/[ ]+/);
|
||||
size = seperate_analysis[0];
|
||||
activity_type = seperate_analysis[1];
|
||||
if(activity_type.includes('a'))
|
||||
{
|
||||
activity = "Accessed";
|
||||
}
|
||||
if(activity_type.includes('b'))
|
||||
{
|
||||
activity += (activity != '')?',':'';
|
||||
activity += "Created";
|
||||
}
|
||||
if(activity_type.includes('c'))
|
||||
{
|
||||
activity += (activity != '')?',':'';
|
||||
activity += "Changed";
|
||||
}
|
||||
if(activity_type.includes('m'))
|
||||
{
|
||||
activity += (activity != '')?',':'';
|
||||
activity += "Modified";
|
||||
}
|
||||
|
||||
permissions = seperate_analysis[2];
|
||||
filepath = seperate_analysis[6]
|
||||
if(seperate_analysis[7])
|
||||
{
|
||||
filepath += seperate_analysis[7];
|
||||
}
|
||||
$("#individualLines").find('tbody')
|
||||
.append($('<tr>')
|
||||
.append($('<td>').html('<input type="checkbox" class="select"></input>'))
|
||||
.append($('<td>').text(filepath))
|
||||
.append($('<td>').text(size))
|
||||
.append($('<td>').text(activity))
|
||||
.append($('<td>').text(time_accessed))
|
||||
.append($('<td>').text(permissions))
|
||||
|
||||
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
function unhighlight(){
|
||||
var fileTable = document.getElementById('individualLines');
|
||||
for (var i=0;i < fileTable.rows.length;i++){
|
||||
var row = fileTable.rows[i];
|
||||
row.style.backgroundColor='transparent';
|
||||
row.hilite = false;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
</script>
|
|
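Review bot: `echo $eventId;` on L804 writes the URL parameter into the page without `h()`, while every other dynamic value in this view is escaped; it also reads as leftover debug output, so either remove it or write `echo h($eventId);`. The second form on L592 is created with `'enctype' => 'application/Json'`, which is not a valid form enctype — it posts ordinary text inputs, so drop the option and let the default apply. L732 escapes the `<br />` produced by `nl2br()` and L924 then splits on that literal text; this works but is fragile, so either add `// nl2br output is escaped so the JS below can split on the literal "<br />"` next to L732, or skip `nl2br` and split on newlines in the script instead.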
@ -25,13 +25,10 @@
|
|||
echo $this->Html->css($css);
|
||||
}
|
||||
echo $this->Html->css('print', 'stylesheet', array('media' => 'print'));
|
||||
|
||||
echo $this->fetch('meta');
|
||||
echo $this->fetch('css');
|
||||
echo $this->fetch('script');
|
||||
|
||||
echo $this->Html->css('jquery-ui');
|
||||
echo $this->Html->script('jquery'); // Include jQuery library
|
||||
echo $this->Html->script('misp-touch'); // touch interface support
|
||||
echo $this->Html->script('jquery-ui'); // UI support
|
||||
?>
|
||||
|
||||
</head>
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
"prefer-stable": true,
|
||||
"minimum-stability": "dev",
|
||||
"require": {
|
||||
"kamisama/cake-resque": "@stable",
|
||||
"kamisama/cake-resque": "4.1.2",
|
||||
"pear/crypt_gpg": "@stable",
|
||||
"pear/net_geoip": "@dev"
|
||||
},
|
||||
|
|