mirror of https://github.com/MISP/MISP
Merge remote-tracking branch 'upstream/2.4' into guides
commit
24bbfad29e
|
|
@ -1 +1 @@
|
|||
{"major":2, "minor":4, "hotfix":94}
|
||||
{"major":2, "minor":4, "hotfix":95}
|
||||
|
|
|
|||
|
|
@ -559,6 +559,7 @@ class AppController extends Controller
|
|||
);
|
||||
return false;
|
||||
}
|
||||
$key = 'json';
|
||||
} else {
|
||||
if (!$this->Auth->user('id')) {
|
||||
$exception = $this->RestResponse->throwException(
|
||||
|
|
@ -569,7 +570,6 @@ class AppController extends Controller
|
|||
}
|
||||
$user = $this->Auth->user();
|
||||
}
|
||||
$key = 'json';
|
||||
return $user;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -2112,6 +2112,19 @@ class AttributesController extends AppController
|
|||
if (isset($filters['returnFormat'])) {
|
||||
$returnFormat = $filters['returnFormat'];
|
||||
}
|
||||
if ($returnFormat === 'download') {
|
||||
$returnFormat = 'json';
|
||||
}
|
||||
App::uses($validFormats[$returnFormat][1], 'Export');
|
||||
$exportTool = new $validFormats[$returnFormat][1]();
|
||||
if (empty($exportTool->non_restrictive_export)) {
|
||||
if (!isset($filters['to_ids'])) {
|
||||
$filters['to_ids'] = 1;
|
||||
}
|
||||
if (!isset($filters['published'])) {
|
||||
$filters['published'] = 1;
|
||||
}
|
||||
}
|
||||
$conditions = $this->Attribute->buildFilterConditions($this->Auth->user(), $filters);
|
||||
$params = array(
|
||||
'conditions' => $conditions,
|
||||
|
|
@ -2129,8 +2142,10 @@ class AttributesController extends AppController
|
|||
$params['conditions']['AND'][] = array('Object.deleted' => 1);
|
||||
}
|
||||
}
|
||||
App::uses($validFormats[$returnFormat][1], 'Export');
|
||||
$exportTool = new $validFormats[$returnFormat][1]();
|
||||
if (!isset($validFormats[$returnFormat])) {
|
||||
// this is where the new code path for the export modules will go
|
||||
throw new MethodNotFoundException('Invalid export format.');
|
||||
}
|
||||
$exportToolParams = array(
|
||||
'user' => $this->Auth->user(),
|
||||
'params' => $params,
|
||||
|
|
@ -2140,8 +2155,7 @@ class AttributesController extends AppController
|
|||
if (!empty($exportTool->additional_params)) {
|
||||
$params = array_merge($params, $exportTool->additional_params);
|
||||
}
|
||||
$final = '';
|
||||
$final .= $exportTool->header($exportToolParams);
|
||||
$final = $exportTool->header($exportToolParams);
|
||||
$continue = false;
|
||||
if (empty($params['limit'])) {
|
||||
$params['limit'] = 10000;
|
||||
|
|
@ -3105,10 +3119,6 @@ class AttributesController extends AppController
|
|||
$resultArray[] = array($type => 'Enrichment service not reachable.');
|
||||
continue;
|
||||
}
|
||||
if (!is_array($result)) {
|
||||
$resultArray[] = array($type => $result);
|
||||
continue;
|
||||
}
|
||||
if (!empty($result['results'])) {
|
||||
foreach ($result['results'] as $r) {
|
||||
if (is_array($r['values']) && !empty($r['values'])) {
|
||||
|
|
@ -3117,7 +3127,7 @@ class AttributesController extends AppController
|
|||
if (is_array($v)) {
|
||||
$v = 'Array returned';
|
||||
}
|
||||
$tempArray[] = $k . ': ' . $v;
|
||||
$tempArray[$k] = $v;
|
||||
}
|
||||
$resultArray[] = array($type => $tempArray);
|
||||
} elseif ($r['values'] == null) {
|
||||
|
|
|
|||
|
|
@ -498,7 +498,7 @@ class ACLComponent extends Component
|
|||
// If the requested action has an AND-ed list, iterate through the list. If any of the permissions for the user are not set, turn the check to false. Otherwise return true.
|
||||
// If the requested action has a permission, check if the user's role has it flagged. If yes, return true
|
||||
// If we fall through all of the checks, return an exception.
|
||||
public function checkAccess($user, $controller, $action)
|
||||
public function checkAccess($user, $controller, $action, $soft = false)
|
||||
{
|
||||
$controller = lcfirst(Inflector::camelize($controller));
|
||||
$action = strtolower($action);
|
||||
|
|
@ -510,7 +510,7 @@ class ACLComponent extends Component
|
|||
return true;
|
||||
}
|
||||
if (!isset($aclList[$controller])) {
|
||||
$this->__error(404, 'Invalid controller.');
|
||||
return $this->__error(404, 'Invalid controller.', $soft);
|
||||
}
|
||||
if ($user['Role']['perm_site_admin']) {
|
||||
return true;
|
||||
|
|
@ -539,11 +539,14 @@ class ACLComponent extends Component
|
|||
return true;
|
||||
}
|
||||
}
|
||||
$this->__error(403, 'You do not have permission to use this functionality.');
|
||||
return $this->__error(403, 'You do not have permission to use this functionality.', $soft);
|
||||
}
|
||||
|
||||
private function __error($code, $message)
|
||||
private function __error($code, $message, $soft = false)
|
||||
{
|
||||
if ($soft) {
|
||||
return $code;
|
||||
}
|
||||
switch ($code) {
|
||||
case 404:
|
||||
throw new NotFoundException($message);
|
||||
|
|
|
|||
|
|
@ -35,7 +35,17 @@ class RestResponseComponent extends Component
|
|||
'mandatory' => array('id'),
|
||||
'optional' => array('event_id', 'allow_hard_delete'),
|
||||
'params' => array('event_id')
|
||||
)
|
||||
),
|
||||
'restSearch' => array(
|
||||
'description' => "Search MISP using a list of filter parameters and return the data
|
||||
in the selected format. The search is available on an event and an attribute level,
|
||||
just select the scope via the URL (/events/restSearch vs /attributes/restSearch).
|
||||
Besides the parameters listed, other, format specific ones can be passed along.
|
||||
Accepted return formats are: [json, xml, suricata, snort, text, openioc]",
|
||||
'mandatory' => array('returnFormat'),
|
||||
'optional' => array('value' , 'type', 'category', 'org', 'tags', 'from', 'to', 'last', 'eventid', 'withAttachments', 'uuid', 'publish_timestamp', 'timestamp', 'enforceWarninglist', 'to_ids', 'deleted', 'includeEventUuid', 'event_timestamp', 'threat_level_id'),
|
||||
'params' => array()
|
||||
)
|
||||
),
|
||||
'Event' => array(
|
||||
'add' => array(
|
||||
|
|
@ -49,8 +59,25 @@ class RestResponseComponent extends Component
|
|||
'mandatory' => array(),
|
||||
'optional' => array('info', 'threat_level_id', 'analysis', 'distribution', 'sharing_group_id', 'uuid', 'published', 'timestamp', 'date', 'Attribute', 'Object', 'Shadow_Attribute', 'EventTag'),
|
||||
'params' => array('event_id')
|
||||
)
|
||||
),
|
||||
'restSearch' => array(
|
||||
'description' => "Search MISP using a list of filter parameters and return the data
|
||||
in the selected format. The search is available on an event and an attribute level,
|
||||
just select the scope via the URL (/events/restSearch vs /attributes/restSearch).
|
||||
Besides the parameters listed, other, format specific ones can be passed along.
|
||||
Accepted return formats are: [json, xml, suricata, snort, openioc]",
|
||||
'mandatory' => array('returnFormat'),
|
||||
'optional' => array('value', 'type', 'category', 'org', 'tag', 'tags', 'searchall', 'from', 'to', 'last', 'eventid', 'withAttachments', 'metadata', 'uuid', 'published', 'publish_timestamp', 'timestamp', 'enforceWarninglist', 'sgReferenceOnly'),
|
||||
'params' => array()
|
||||
)
|
||||
),
|
||||
'EventGraph' => array(
|
||||
'add' => array(
|
||||
'description' => "POST a network in JSON format to this API to to keep an history of it",
|
||||
'mandatory' => array('event_id', 'network_json'),
|
||||
'optional' => array('network_name')
|
||||
)
|
||||
),
|
||||
'Feed' => array(
|
||||
'add' => array(
|
||||
'description' => "POST a MISP Feed descriptor JSON to this API to add a Feed.",
|
||||
|
|
@ -82,20 +109,20 @@ class RestResponseComponent extends Component
|
|||
'description' => "POST a Role object in JSON format to this API to create a new role. 'permission' sets the data access permission (0 => read only, 1 => add/edit own, 2 => add/edit org, 3 => publish)",
|
||||
'mandatory' => array('name'),
|
||||
'optional' => array(
|
||||
'perm_delegate',
|
||||
'perm_sync',
|
||||
'perm_admin',
|
||||
'perm_audit',
|
||||
'perm_auth',
|
||||
'perm_site_admin',
|
||||
'perm_regexp_access',
|
||||
'perm_tagger',
|
||||
'perm_template',
|
||||
'perm_sharing_group',
|
||||
'perm_tag_editor',
|
||||
'default_role',
|
||||
'perm_sighting',
|
||||
'permission'
|
||||
'perm_delegate',
|
||||
'perm_sync',
|
||||
'perm_admin',
|
||||
'perm_audit',
|
||||
'perm_auth',
|
||||
'perm_site_admin',
|
||||
'perm_regexp_access',
|
||||
'perm_tagger',
|
||||
'perm_template',
|
||||
'perm_sharing_group',
|
||||
'perm_tag_editor',
|
||||
'default_role',
|
||||
'perm_sighting',
|
||||
'permission'
|
||||
)
|
||||
),
|
||||
'admin_edit' => array(
|
||||
|
|
@ -180,16 +207,55 @@ class RestResponseComponent extends Component
|
|||
'description' => "POST a body and a subject in a JSON to send an e-mail through MISP to the user ID given in the URL",
|
||||
'mandatory' => array('subject', 'body')
|
||||
)
|
||||
),
|
||||
'EventGraph' => array(
|
||||
'add' => array(
|
||||
'description' => "POST a network in JSON format to this API to to keep an history of it",
|
||||
'mandatory' => array('event_id', 'network_json'),
|
||||
'optional' => array('network_name')
|
||||
)
|
||||
)
|
||||
);
|
||||
|
||||
public function getAllApis($user, $Server)
|
||||
{
|
||||
$result = array();
|
||||
foreach ($this->__descriptions as $controller => $actions) {
|
||||
$controller = Inflector::tableize($controller);
|
||||
foreach ($actions as $action => $data) {
|
||||
if ($Server->ACL->checkAccess($user, $controller, $action, true) === true) {
|
||||
$admin_routing = '';
|
||||
if (substr($action, 0, 6) === 'admin_') {
|
||||
$action = substr($action, 6);
|
||||
$admin_routing = 'admin/';
|
||||
}
|
||||
$data['api_name'] = '[' . $controller . '] ' . $action;
|
||||
$data['body'] = array();
|
||||
$filter_types = array('mandatory', 'optional');
|
||||
foreach ($filter_types as $filter_type) {
|
||||
if (!empty($data[$filter_type])) {
|
||||
foreach ($data[$filter_type] as $filter_items) {
|
||||
if (!is_array($filter_items)) {
|
||||
$filter_items = array($filter_items);
|
||||
}
|
||||
foreach ($filter_items as $filter) {
|
||||
if ($filter === lcfirst($filter)) {
|
||||
$data['body'][$filter] = $filter_type;
|
||||
} else {
|
||||
$data['body'][$filter] = array($filter_type);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
$data['body'] = json_encode($data['body'], JSON_PRETTY_PRINT);
|
||||
$url = '/' . $admin_routing . $controller . '/' . $action;
|
||||
$data['url'] = $url;
|
||||
if (!empty($data['params'])) {
|
||||
foreach ($data['params'] as $param) {
|
||||
$data['url'] .= '/[' . $param . ']';
|
||||
}
|
||||
}
|
||||
$result[$url] = $data;
|
||||
}
|
||||
}
|
||||
}
|
||||
return $result;
|
||||
}
|
||||
|
||||
// use a relative path to check if the current api has a description
|
||||
public function getApiInfo($relative_path)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -2268,7 +2268,7 @@ class EventsController extends AppController
|
|||
}
|
||||
}
|
||||
|
||||
public function automation()
|
||||
public function automation($legacy = false)
|
||||
{
|
||||
// Simply display a static view
|
||||
if (!$this->userRole['perm_auth']) {
|
||||
|
|
@ -2294,6 +2294,9 @@ class EventsController extends AppController
|
|||
$rpzSettings = $this->Server->retrieveCurrentSettings('Plugin', 'RPZ_');
|
||||
$this->set('rpzSettings', $rpzSettings);
|
||||
$this->set('hashTypes', array_keys($this->Event->Attribute->hashTypes));
|
||||
if ($legacy) {
|
||||
$this->render('legacy_automation');
|
||||
}
|
||||
}
|
||||
|
||||
public function export()
|
||||
|
|
@ -2768,19 +2771,19 @@ class EventsController extends AppController
|
|||
$params['page'] = 1;
|
||||
$i = 0;
|
||||
$continue = true;
|
||||
$options = array(
|
||||
$params = array_merge($params, array(
|
||||
'requested_obj_attributes' => $requested_obj_attributes,
|
||||
'requested_attributes' => $requested_attributes,
|
||||
'includeContext' => $includeContext
|
||||
);
|
||||
));
|
||||
App::uses('CsvExport', 'Export');
|
||||
$export = new CsvExport();
|
||||
$final = $export->header($options);
|
||||
$final = $export->header($params);
|
||||
while ($continue) {
|
||||
$attributes = $this->Event->csv($user, $params, false, $continue);
|
||||
$params['page'] += 1;
|
||||
$final .= $export->handler($attributes, $final, $options);
|
||||
$final .= $export->separator($attributes, $final);
|
||||
$final .= $export->handler($attributes, $params);
|
||||
$final .= $export->separator($attributes);
|
||||
}
|
||||
$export->footer();
|
||||
$this->response->type('csv'); // set the content type
|
||||
|
|
@ -3015,6 +3018,13 @@ class EventsController extends AppController
|
|||
'paramArray' => $paramArray,
|
||||
'ordered_url_params' => compact($paramArray)
|
||||
);
|
||||
$validFormats = array(
|
||||
'openioc' => array('xml', 'OpeniocExport'),
|
||||
'json' => array('json', 'JsonExport'),
|
||||
'xml' => array('xml', 'XmlExport'),
|
||||
'suricata' => array('txt', 'NidsSuricataExport'),
|
||||
'snort' => array('txt', 'NidsSnortExport')
|
||||
);
|
||||
$exception = false;
|
||||
$filters = $this->_harvestParameters($filterData, $exception);
|
||||
unset($filterData);
|
||||
|
|
@ -3029,23 +3039,31 @@ class EventsController extends AppController
|
|||
if (isset($filters['returnFormat'])) {
|
||||
$returnFormat = $filters['returnFormat'];
|
||||
}
|
||||
if ($returnFormat === 'download') {
|
||||
$returnFormat = 'json';
|
||||
}
|
||||
$eventid = $this->Event->filterEventIds($user, $filters);
|
||||
$responseType = 'json';
|
||||
$converters = array(
|
||||
'xml' => 'XMLConverterTool',
|
||||
'json' => 'JSONConverterTool',
|
||||
'openioc' => 'IOCExportTool'
|
||||
);
|
||||
if (in_array($returnFormat, array('json', 'xml', 'openioc'))) {
|
||||
$responseType = $returnFormat;
|
||||
} elseif (((isset($this->request->params['ext']) && $this->request->params['ext'] == 'xml')) || $this->response->type() == 'application/xml') {
|
||||
$responseType = 'xml';
|
||||
} else {
|
||||
$responseType = 'json';
|
||||
}
|
||||
App::uses($converters[$responseType], 'Tools');
|
||||
$converter = new $converters[$responseType]();
|
||||
$final = $converter->generateTop($this->Auth->user());
|
||||
if (!isset($validFormats[$returnFormat])) {
|
||||
// this is where the new code path for the export modules will go
|
||||
throw new MethodNotFoundException('Invalid export format.');
|
||||
}
|
||||
App::uses($validFormats[$returnFormat][1], 'Export');
|
||||
$exportTool = new $validFormats[$returnFormat][1]();
|
||||
$exportToolParams = array(
|
||||
'user' => $this->Auth->user(),
|
||||
'params' => array(),
|
||||
'returnFormat' => $returnFormat,
|
||||
'scope' => 'Event'
|
||||
);
|
||||
if (empty($exportTool->non_restrictive_export)) {
|
||||
if (!isset($filters['to_ids'])) {
|
||||
$filters['to_ids'] = 1;
|
||||
}
|
||||
if (!isset($filters['published'])) {
|
||||
$filters['published'] = 1;
|
||||
}
|
||||
}
|
||||
$final = $exportTool->header($exportToolParams);
|
||||
$eventCount = count($eventid);
|
||||
$i = 0;
|
||||
foreach ($eventid as $k => $currentEventId) {
|
||||
|
|
@ -3061,30 +3079,19 @@ class EventsController extends AppController
|
|||
if (!empty($result)) {
|
||||
$this->loadModel('Whitelist');
|
||||
$result = $this->Whitelist->removeWhitelistedFromArray($result, false);
|
||||
if ($i != 0) {
|
||||
$final .= ',' . PHP_EOL;
|
||||
}
|
||||
$final .= $converter->convert($result[0]);
|
||||
$temp = $exportTool->handler($result[0], $exportToolParams);
|
||||
if ($temp !== '') {
|
||||
if ($k !== 0) {
|
||||
$final .= $exportTool->separator($exportToolParams);
|
||||
}
|
||||
$final .= $temp;
|
||||
}
|
||||
$i++;
|
||||
}
|
||||
}
|
||||
if ($i > 0) {
|
||||
$final .= PHP_EOL;
|
||||
}
|
||||
$final .= $converter->generateBottom($responseType, $final);
|
||||
$extension = $responseType;
|
||||
if ($returnFormat == 'openioc') {
|
||||
$extension = '.ioc';
|
||||
}
|
||||
if (isset($eventid) && $eventid) {
|
||||
if (is_array($eventid)) {
|
||||
$eventid = 'list';
|
||||
}
|
||||
$final_filename="misp.event." . $eventid . "." . $result[0]['Event']['uuid'] . '.' . $extension;
|
||||
} else {
|
||||
$final_filename="misp.search.events.results." . $extension;
|
||||
};
|
||||
return $this->RestResponse->viewData($final, $this->response->type(), false, true, $final_filename);
|
||||
$final .= $exportTool->footer($exportToolParams);
|
||||
$responseType = $validFormats[$returnFormat][0];
|
||||
return $this->RestResponse->viewData($final, $responseType, false, true);
|
||||
}
|
||||
|
||||
public function downloadOpenIOCEvent($key, $eventid, $enforceWarninglist = false)
|
||||
|
|
|
|||
|
|
@ -105,7 +105,7 @@ class ObjectsController extends AppController
|
|||
$eventFindParams = array(
|
||||
'recursive' => -1,
|
||||
'fields' => array('Event.id', 'Event.uuid', 'Event.orgc_id'),
|
||||
'conditions' => array('Event.id' => $eventId)
|
||||
'conditions' => array()
|
||||
);
|
||||
|
||||
if (!empty($templateId) && Validation::uuid($templateId)) {
|
||||
|
|
|
|||
|
|
@ -1613,6 +1613,7 @@ class ServersController extends AppController
|
|||
|
||||
public function rest()
|
||||
{
|
||||
$allValidApis = $this->RestResponse->getAllApis($this->Auth->user(), $this);
|
||||
if ($this->request->is('post')) {
|
||||
$request = $this->request->data;
|
||||
if (!empty($request['Server'])) {
|
||||
|
|
@ -1630,6 +1631,7 @@ class ServersController extends AppController
|
|||
'Accept: application/json' . PHP_EOL .
|
||||
'Content-Type: application/json';
|
||||
$this->set('header', $header);
|
||||
$this->set('allValidApis', $allValidApis);
|
||||
}
|
||||
|
||||
private function __doRestQuery($request)
|
||||
|
|
@ -1638,7 +1640,8 @@ class ServersController extends AppController
|
|||
$params = array();
|
||||
if (!empty($request['url'])) {
|
||||
$path = preg_replace('#^(://|[^/?])+#', '', $request['url']);
|
||||
$url = Configure::read('MISP.baseurl') . '/' . $path;
|
||||
$url = Configure::read('MISP.baseurl') . $path;
|
||||
unset($request['url']);
|
||||
} else {
|
||||
throw new InvalidArgumentException('Url not set.');
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@ class CsvExport
|
|||
'event_tag' => array('object' => 'Tag', 'var' => 'name')
|
||||
);
|
||||
|
||||
public function handler($attributes, $final, $options = array())
|
||||
public function handler($attributes, $options = array())
|
||||
{
|
||||
$result = array();
|
||||
foreach ($attributes as $attribute) {
|
||||
|
|
|
|||
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
class JsonExport
|
||||
{
|
||||
private $__converter = false;
|
||||
public $non_restrictive_export = true;
|
||||
|
||||
public function handler($data, $options = array())
|
||||
{
|
||||
if ($options['scope'] === 'Attribute') {
|
||||
|
|
@ -11,6 +14,14 @@ class JsonExport
|
|||
}
|
||||
}
|
||||
|
||||
private function __eventHandler($event, $options = array()) {
|
||||
if ($this->__converter === false) {
|
||||
App::uses('JSONConverterTool', 'Tools');
|
||||
$this->__converter = new JSONConverterTool();
|
||||
}
|
||||
return json_encode($this->__converter->convert($event, false, true));
|
||||
}
|
||||
|
||||
private function __attributeHandler($attribute, $options = array())
|
||||
{
|
||||
$attribute = array_merge($attribute['Attribute'], $attribute);
|
||||
|
|
@ -32,12 +43,21 @@ class JsonExport
|
|||
|
||||
public function header($options = array())
|
||||
{
|
||||
return '{"response": {"Attribute": [';
|
||||
if ($options['scope'] === 'Attribute') {
|
||||
return '{"response": {"Attribute": [';
|
||||
} else {
|
||||
return '{"response": [';
|
||||
}
|
||||
}
|
||||
|
||||
public function footer()
|
||||
public function footer($options = array())
|
||||
{
|
||||
return ']}}' . PHP_EOL;
|
||||
if ($options['scope'] === 'Attribute') {
|
||||
return ']}}' . PHP_EOL;
|
||||
} else {
|
||||
return ']}' . PHP_EOL;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public function separator()
|
||||
|
|
|
|||
|
|
@ -20,11 +20,8 @@ class NidsExport
|
|||
|
||||
public function handler($data, $options = array())
|
||||
{
|
||||
$continue = true;
|
||||
$continue = empty($format);
|
||||
$this->checkWhitelist = false;
|
||||
if (empty($this->rules)) {
|
||||
$continue = false;
|
||||
}
|
||||
if ($options['scope'] === 'Attribute') {
|
||||
$this->export(
|
||||
array($data),
|
||||
|
|
@ -32,12 +29,49 @@ class NidsExport
|
|||
$options['returnFormat'],
|
||||
$continue
|
||||
);
|
||||
} else if ($options['scope'] === 'Event') {
|
||||
if (!empty($data['EventTag'])) {
|
||||
$data['Event']['EventTag'] = $data['EventTag'];
|
||||
}
|
||||
if (!empty($data['Attribute'])) {
|
||||
$this->__convertFromEventFormat($data['Attribute'], $data, $options, $continue);
|
||||
}
|
||||
if (!empty($data['Object'])) {
|
||||
foreach ($data['Object'] as $object) {
|
||||
$this->__convertFromEventFormat($object['Attribute'], $data, $options, $continue);
|
||||
}
|
||||
}
|
||||
}
|
||||
return '';
|
||||
}
|
||||
|
||||
private function __convertFromEventFormat($attributes, $event, $options = array(), $continue = false) {
|
||||
$rearranged = array();
|
||||
foreach ($attributes as $attribute) {
|
||||
$attributeTag = array();
|
||||
if (!empty($attribute['AttributeTag'])) {
|
||||
$attributeTag = $attribute['AttributeTag'];
|
||||
unset($attribute['AttributeTag']);
|
||||
}
|
||||
$rearranged[] = array(
|
||||
'Attribute' => $attribute,
|
||||
'AttributeTag' => $attributeTag,
|
||||
'Event' => $event['Event']
|
||||
);
|
||||
}
|
||||
$this->export(
|
||||
$rearranged,
|
||||
$options['user']['nids_sid'],
|
||||
$options['returnFormat'],
|
||||
$continue
|
||||
);
|
||||
return true;
|
||||
|
||||
}
|
||||
|
||||
public function header($options = array())
|
||||
{
|
||||
$this->explain();
|
||||
return '';
|
||||
}
|
||||
|
||||
|
|
@ -84,11 +118,20 @@ class NidsExport
|
|||
foreach ($items as $item) {
|
||||
// retrieve all tags for this item to add them to the msg
|
||||
$tagsArray = [];
|
||||
foreach ($item['AttributeTag'] as $tag_attr) {
|
||||
if (array_key_exists('name', $tag_attr['Tag'])) {
|
||||
array_push($tagsArray, $tag_attr['Tag']['name']);
|
||||
}
|
||||
}
|
||||
if (!empty($item['AttributeTag'])) {
|
||||
foreach ($item['AttributeTag'] as $tag_attr) {
|
||||
if (array_key_exists('name', $tag_attr['Tag'])) {
|
||||
array_push($tagsArray, $tag_attr['Tag']['name']);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!empty($item['Event']['EventTag'])) {
|
||||
foreach ($item['Event']['EventTag'] as $tag_event) {
|
||||
if (array_key_exists('name', $tag_event['Tag'])) {
|
||||
array_push($tagsArray, $tag_event['Tag']['name']);
|
||||
}
|
||||
}
|
||||
}
|
||||
$ruleFormatMsgTags = implode(",", $tagsArray);
|
||||
|
||||
# proto src_ip src_port direction dst_ip dst_port msg rule_content tag sid rev
|
||||
|
|
|
|||
|
|
@ -102,16 +102,14 @@ class OpeniocExport
|
|||
public function checkValidTypeForIOC($attribute)
|
||||
{
|
||||
// categories that should be included
|
||||
$Category = array('Payload delivery', 'Artifacts dropped', 'Payload installation', 'Persistence mechanism', 'Network activity');
|
||||
if (!in_array($attribute['category'], $Category)) {
|
||||
$category = array('Payload delivery', 'Artifacts dropped', 'Payload installation', 'Persistence mechanism', 'Network activity');
|
||||
if (!in_array($attribute['category'], $category)) {
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
public function handler($attribute, $options = array())
|
||||
{
|
||||
private function __attributeHandler($attribute, $options = array()) {
|
||||
$temp = '';
|
||||
if (isset($attribute['Attribute'])) {
|
||||
$attribute = $attribute['Attribute'];
|
||||
|
|
@ -133,6 +131,31 @@ class OpeniocExport
|
|||
}
|
||||
}
|
||||
return $temp;
|
||||
}
|
||||
|
||||
|
||||
public function handler($data, $options = array())
|
||||
{
|
||||
if ($options['scope'] === 'Attribute') {
|
||||
return $this->__attributeHandler($data, $options);
|
||||
} else if ($options['scope'] === 'Event') {
|
||||
$result = '';
|
||||
if (!empty($data['Attribute'])) {
|
||||
$first = true;
|
||||
foreach ($data['Attribute'] as $attribute) {
|
||||
$temp = $this->__attributeHandler($attribute, $options);
|
||||
if (!empty($temp)) {
|
||||
if (!$first) {
|
||||
$result .= $this->separator($options);
|
||||
}
|
||||
$result .= $temp;
|
||||
$first = false;
|
||||
}
|
||||
}
|
||||
}
|
||||
return $result;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
public function header($options = array())
|
||||
|
|
@ -166,7 +189,7 @@ class OpeniocExport
|
|||
|
||||
public function separator()
|
||||
{
|
||||
return PHP_EOL;
|
||||
return '';
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
class XmlExport
|
||||
{
|
||||
private $__converter = false;
|
||||
public $non_restrictive_export = true;
|
||||
|
||||
public function handler($data, $options = array())
|
||||
{
|
||||
if ($options['scope'] === 'Attribute') {
|
||||
|
|
@ -11,6 +14,14 @@ class XmlExport
|
|||
}
|
||||
}
|
||||
|
||||
private function __eventHandler($event, $options = array()) {
|
||||
if ($this->__converter === false) {
|
||||
App::uses('XMLConverterTool', 'Tools');
|
||||
$this->__converter = new XMLConverterTool();
|
||||
}
|
||||
return $this->__converter->convert($event, false);
|
||||
}
|
||||
|
||||
private function __attributeHandler($attribute, $options = array())
|
||||
{
|
||||
$attribute = array_merge($attribute['Attribute'], $attribute);
|
||||
|
|
|
|||
|
|
@ -44,13 +44,6 @@ class JSONConverterTool
|
|||
// cleanup the array from things we do not want to expose
|
||||
//
|
||||
unset($event['Event']['user_id']);
|
||||
// hide the org field is we are not in showorg mode
|
||||
if (!Configure::read('MISP.showorg') && !$isSiteAdmin) {
|
||||
unset($event['Event']['org']);
|
||||
unset($event['Event']['orgc']);
|
||||
unset($event['Event']['from']);
|
||||
}
|
||||
|
||||
if (isset($event['Event']['Attribute'])) {
|
||||
$event['Event']['Attribute'] = $this->__cleanAttributes($event['Event']['Attribute']);
|
||||
if (!empty($event['Sighting'])) {
|
||||
|
|
@ -87,10 +80,6 @@ class JSONConverterTool
|
|||
if (isset($event['Event']['RelatedEvent'])) {
|
||||
foreach ($event['Event']['RelatedEvent'] as $key => $value) {
|
||||
unset($event['Event']['RelatedEvent'][$key]['Event']['user_id']);
|
||||
if (!Configure::read('MISP.showorg') && !$isSiteAdmin) {
|
||||
unset($event['Event']['RelatedEvent'][$key]['Event']['org']);
|
||||
unset($event['Event']['RelatedEvent'][$key]['Event']['orgc']);
|
||||
}
|
||||
}
|
||||
}
|
||||
$result = array('Event' => $event['Event']);
|
||||
|
|
|
|||
|
|
@ -1671,11 +1671,14 @@ class AppModel extends Model
|
|||
if (!is_array($keys)) {
|
||||
$keys = array($keys);
|
||||
}
|
||||
if (!isset($filter['OR']) && !isset($filter['AND']) && !isset($filter['OR'])) {
|
||||
if (!isset($filter['OR']) && !isset($filter['AND']) && !isset($filter['NOT'])) {
|
||||
return $conditions;
|
||||
}
|
||||
foreach ($filter as $operator => $filters) {
|
||||
$temp = array();
|
||||
if (!is_array($filters)) {
|
||||
$filters = array($filters);
|
||||
}
|
||||
foreach ($filters as $f) {
|
||||
// split the filter params into two lists, one for substring searches one for exact ones
|
||||
if ($f[strlen($f) - 1] === '%' || $f[0] === '%') {
|
||||
|
|
|
|||
|
|
@ -3011,6 +3011,13 @@ class Event extends AppModel
|
|||
}
|
||||
}
|
||||
}
|
||||
// zeroq: check if sightings are attached and add to event
|
||||
if (isset($data['Sighting']) && !empty($data['Sighting'])) {
|
||||
$this->Sighting = ClassRegistry::init('Sighting');
|
||||
foreach ($data['Sighting'] as $s) {
|
||||
$result = $this->Sighting->saveSightings($s['attribute_uuid'], false, $s['date_sighting'], $user, $s['type'], $s['source'], $s['uuid']);
|
||||
}
|
||||
}
|
||||
if ($fromXml) {
|
||||
$created_id = $this->id;
|
||||
}
|
||||
|
|
@ -3172,6 +3179,13 @@ class Event extends AppModel
|
|||
}
|
||||
}
|
||||
}
|
||||
// zeroq: if sightings then attach to event
|
||||
if (isset($data['Sighting']) && !empty($data['Sighting'])) {
|
||||
$this->Sighting = ClassRegistry::init('Sighting');
|
||||
foreach ($data['Sighting'] as $s) {
|
||||
$result = $this->Sighting->saveSightings($s['attribute_uuid'], false, $s['date_sighting'], $user, $s['type'], $s['source'], $s['uuid']);
|
||||
}
|
||||
}
|
||||
// if published -> do the actual publishing
|
||||
if ((!empty($data['Event']['published']) && 1 == $data['Event']['published'])) {
|
||||
// do the necessary actions to publish the event (email, upload,...)
|
||||
|
|
|
|||
|
|
@ -759,7 +759,7 @@ class Server extends AppModel
|
|||
),
|
||||
'custom_css' => array(
|
||||
'level' => 2,
|
||||
'description' => __('If you would like to customise the css, simply drop a css file in the /var/www/MISP/webroot/css directory and enter the name here.'),
|
||||
'description' => __('If you would like to customise the css, simply drop a css file in the /var/www/MISP/app/webroot/css directory and enter the name here.'),
|
||||
'value' => '',
|
||||
'errorMessage' => '',
|
||||
'test' => 'testForStyleFile',
|
||||
|
|
|
|||
|
|
@ -232,12 +232,16 @@ class Sighting extends AppModel
|
|||
if (isset($sightings[$k]['Organisation'])) {
|
||||
$sightings[$k]['Sighting']['Organisation'] = $sightings[$k]['Organisation'];
|
||||
}
|
||||
// zeroq: add attribute UUID to sighting to make synchronization easier
|
||||
$attribute = $this->Attribute->fetchAttribute($sighting['Sighting']['attribute_id']);
|
||||
$sightings[$k]['Sighting']['attribute_uuid'] = $attribute['Attribute']['uuid'];
|
||||
|
||||
$sightings[$k] = $sightings[$k]['Sighting'] ;
|
||||
}
|
||||
return $sightings;
|
||||
}
|
||||
|
||||
public function saveSightings($id, $values, $timestamp, $user, $type = false, $source = false)
|
||||
public function saveSightings($id, $values, $timestamp, $user, $type = false, $source = false, $sighting_uuid = false)
|
||||
{
|
||||
$conditions = array();
|
||||
if ($id && $id !== 'stix') {
|
||||
|
|
@ -281,6 +285,19 @@ class Sighting extends AppModel
|
|||
'type' => $type,
|
||||
'source' => $source
|
||||
);
|
||||
// zeroq: allow setting a specific uuid
|
||||
if($sighting_uuid) {
|
||||
$sighting['uuid'] = $sighting_uuid;
|
||||
// check if sighting with given uuid already exists
|
||||
$existing_sighting = $this->find('first', array(
|
||||
'recursive' => -1,
|
||||
'conditions' => array('uuid' => $sighting_uuid)
|
||||
));
|
||||
// do not add sighting if already exists
|
||||
if (!empty($existing_sighting)) {
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
$result = $this->save($sighting);
|
||||
if ($result === false) {
|
||||
return json_encode($this->validationErrors);
|
||||
|
|
|
|||
|
|
@ -752,12 +752,15 @@ class User extends AppModel
|
|||
}
|
||||
$failed = false;
|
||||
$failureReason = "";
|
||||
// check if the e-mail can be encrypted
|
||||
$canEncryptGPG = isset($user['User']['gpgkey']) && !empty($user['User']['gpgkey']);
|
||||
$canEncryptSMIME = isset($user['User']['certif_public']) && !empty($user['User']['certif_public']) && Configure::read('SMIME.enabled');
|
||||
|
||||
// check if the e-mail can be signed & encrypted
|
||||
$signEncryptOptions = [
|
||||
"GPGSign" => Configure::read('GnuPG.sign', false),
|
||||
"GPGEncrypt" => isset($user['User']['gpgkey']) && !empty($user['User']['gpgkey']),
|
||||
"SMIMEEncrypt" => isset($user['User']['certif_public']) && !empty($user['User']['certif_public']) && Configure::read('SMIME.enabled'),
|
||||
];
|
||||
|
||||
// If bodyonlyencrypted is enabled and the user has no encryption key, use the alternate body (if it exists)
|
||||
if (Configure::read('GnuPG.bodyonlyencrypted') && !$canEncryptSMIME && !$canEncryptGPG && $bodyNoEnc) {
|
||||
if (Configure::read('GnuPG.bodyonlyencrypted') && !$signEncryptOptions['SMIMEEncrypt'] && !$signEncryptOptions['GPGSign'] && $bodyNoEnc) {
|
||||
$body = $bodyNoEnc;
|
||||
}
|
||||
$body = str_replace('\n', PHP_EOL, $body);
|
||||
|
|
@ -768,26 +771,14 @@ class User extends AppModel
|
|||
$failed = true;
|
||||
$failureReason = " encrypted messages are enforced and the message could not be encrypted for this user as no valid encryption key was found.";
|
||||
}
|
||||
// Let's encrypt the message if we can
|
||||
if (!$failed && $canEncryptGPG) {
|
||||
$encryptionResult = $this->__encryptUsingGPG($Email, $body, $subject, $user);
|
||||
if (isset($encryptionResult['failed'])) {
|
||||
$failed = true;
|
||||
}
|
||||
if (isset($encryptionResult['failureReason'])) {
|
||||
$failureReason = $encryptionResult['failureReason'];
|
||||
}
|
||||
}
|
||||
// SMIME if not GPG key
|
||||
if (!$failed && !$canEncryptGPG && $canEncryptSMIME) {
|
||||
$encryptionResult = $this->__encryptUsingSmime($Email, $body, $subject, $user);
|
||||
if (isset($encryptionResult['failed'])) {
|
||||
$failed = true;
|
||||
}
|
||||
if (isset($encryptionResult['failureReason'])) {
|
||||
$failureReason = $encryptionResult['failureReason'];
|
||||
}
|
||||
|
||||
// split out signing/encryption into its own method
|
||||
if (!$failed) {
|
||||
$signEncryptResult = $this->__handleEncryptionAndSigning($Email, $body, $subject, $user, $signEncryptOptions);
|
||||
$failed = (isset($signEncryptResult['failed'])) ? $signEncryptResult['failed'] : false;
|
||||
$failureReason = (isset($signEncryptResult['failureReason'])) ? $signEncryptResult['failureReason'] : "";
|
||||
}
|
||||
|
||||
$replyToLog = '';
|
||||
if (!$failed) {
|
||||
$result = $this->__finaliseAndSendEmail($replyToUser, $Email, $replyToLog, $user, $subject, $body);
|
||||
|
|
@ -845,48 +836,83 @@ class User extends AppModel
|
|||
return $result;
|
||||
}
|
||||
|
||||
private function __encryptUsingGPG(&$Email, &$body, $subject, $user)
|
||||
private function __handleEncryptionAndSigning(&$Email, &$body, $subject, $user, $signEncryptOptions) {
|
||||
|
||||
$failed = false;
|
||||
$failureReason = "";
|
||||
if (!$failed && $signEncryptOptions['GPGSign']) {
|
||||
$signResult = $this->__signUsingGPG($body);
|
||||
$failed = (isset($signResult['failed'])) ? $signResult['failed'] : false;
|
||||
$failureReason = (isset($signResult['failureReason'])) ? $signResult['failureReason'] : "";
|
||||
}
|
||||
|
||||
if (!$failed && $signEncryptOptions['GPGEncrypt']) {
|
||||
$encryptionResult = $this->__encryptUsingGPG($Email, $body, $subject, $user);
|
||||
$failed = (isset($encryptionResult['failed'])) ? $encryptionResult['failed'] : false;
|
||||
$failureReason = (isset($encryptionResult['failureReason'])) ? $encryptionResult['failureReason'] : "";
|
||||
}
|
||||
|
||||
if (!$failed && !$signEncryptOptions['GPGEncrypt'] && $signEncryptOptions['SMIMEEncrypt']) {
|
||||
$encryptionResult = $this->__encryptUsingSmime($Email, $body, $subject, $user);
|
||||
$failed = (isset($encryptionResult['failed'])) ? $encryptionResult['failed'] : false;
|
||||
$failureReason = (isset($encryptionResult['failureReason'])) ? $encryptionResult['failureReason'] : "";
|
||||
}
|
||||
|
||||
if (!empty($failed)) {
|
||||
return array('failed' => $failed, 'failureReason' => $failureReason);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private function __signUsingGPG(&$body)
|
||||
{
|
||||
$failed = false;
|
||||
// Sign the body
|
||||
require_once 'Crypt/GPG.php';
|
||||
try {
|
||||
require_once 'Crypt/GPG.php';
|
||||
$gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir'), 'gpgconf' => Configure::read('GnuPG.gpgconf'), 'binary' => (Configure::read('GnuPG.binary') ? Configure::read('GnuPG.binary') : '/usr/bin/gpg'), 'debug')); // , 'debug' => true
|
||||
if (Configure::read('GnuPG.sign')) {
|
||||
$gpg->addSignKey(Configure::read('GnuPG.email'), Configure::read('GnuPG.password'));
|
||||
$body = $gpg->sign($body, Crypt_GPG::SIGN_MODE_CLEAR);
|
||||
}
|
||||
$gpg->addSignKey(Configure::read('GnuPG.email'), Configure::read('GnuPG.password'));
|
||||
$body = $gpg->sign($body, Crypt_GPG::SIGN_MODE_CLEAR);
|
||||
} catch (Exception $e) {
|
||||
$failureReason = " the message could not be signed. The following error message was returned by gpg: " . $e->getMessage();
|
||||
$this->log($e->getMessage());
|
||||
$failed = true;
|
||||
}
|
||||
if (!$failed) {
|
||||
if (!empty($failed)) {
|
||||
return array('failed' => $failed, 'failureReason' => $failureReason);
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
private function __encryptUsingGPG(&$Email, &$body, $subject, $user)
|
||||
{
|
||||
$failed = false;
|
||||
try {
|
||||
require_once 'Crypt/GPG.php';
|
||||
$gpg = new Crypt_GPG(array('homedir' => Configure::read('GnuPG.homedir'), 'gpgconf' => Configure::read('GnuPG.gpgconf'), 'binary' => (Configure::read('GnuPG.binary') ? Configure::read('GnuPG.binary') : '/usr/bin/gpg'), 'debug')); // , 'debug' => true
|
||||
$keyImportOutput = $gpg->importKey($user['User']['gpgkey']);
|
||||
try {
|
||||
$key = $gpg->getKeys($keyImportOutput['fingerprint']);
|
||||
$subKeys = $key[0]->getSubKeys();
|
||||
$canEncryptGPG = false;
|
||||
$currentTimestamp = time();
|
||||
foreach ($subKeys as $subKey) {
|
||||
$expiration = $subKey->getExpirationDate();
|
||||
if (($expiration == 0 || $currentTimestamp < $expiration) && $subKey->canEncrypt()) {
|
||||
$canEncryptGPG = true;
|
||||
}
|
||||
$key = $gpg->getKeys($keyImportOutput['fingerprint']);
|
||||
$subKeys = $key[0]->getSubKeys();
|
||||
$canEncryptGPG = false;
|
||||
$currentTimestamp = time();
|
||||
foreach ($subKeys as $subKey) {
|
||||
$expiration = $subKey->getExpirationDate();
|
||||
if (($expiration == 0 || $currentTimestamp < $expiration) && $subKey->canEncrypt()) {
|
||||
$canEncryptGPG = true;
|
||||
}
|
||||
if ($canEncryptGPG) {
|
||||
$gpg->addEncryptKey($keyImportOutput['fingerprint']); // use the key that was given in the import
|
||||
$body = $gpg->encrypt($body, true);
|
||||
} else {
|
||||
$failed = true;
|
||||
$failureReason = " the message could not be encrypted because the provided key is either expired or cannot be used for encryption.";
|
||||
}
|
||||
} catch (Exception $e) {
|
||||
// despite the user having a GnuPG key and the signing already succeeding earlier, we get an exception. This must mean that there is an issue with the user's key.
|
||||
$failureReason = " the message could not be encrypted because there was an issue with the user's GnuPG key. The following error message was returned by gpg: " . $e->getMessage();
|
||||
$this->log($e->getMessage());
|
||||
$failed = true;
|
||||
}
|
||||
if ($canEncryptGPG) {
|
||||
$gpg->addEncryptKey($keyImportOutput['fingerprint']); // use the key that was given in the import
|
||||
$body = $gpg->encrypt($body, true);
|
||||
} else {
|
||||
$failed = true;
|
||||
$failureReason = " the message could not be encrypted because the provided key is either expired or cannot be used for encryption.";
|
||||
}
|
||||
} catch (Exception $e) {
|
||||
// despite the user having a GnuPG key and the signing already succeeding earlier, we get an exception. This must mean that there is an issue with the user's key.
|
||||
$failureReason = " the message could not be encrypted because there was an issue with the user's GnuPG key. The following error message was returned by gpg: " . $e->getMessage();
|
||||
$this->log($e->getMessage());
|
||||
$failed = true;
|
||||
}
|
||||
if (!empty($failed)) {
|
||||
return array('failed' => $failed, 'failureReason' => $failureReason);
|
||||
|
|
|
|||
|
|
@ -1,11 +1,17 @@
|
|||
<?php
|
||||
foreach ($results as &$r):
|
||||
foreach ($r as $k => &$v):
|
||||
?>
|
||||
<span class="bold blue"><?php echo h($k);?></span>: <span class="red">
|
||||
<?php echo is_array($v) ? implode('<br />', h($v)) : h($v); ?>
|
||||
</span><br />
|
||||
<?php
|
||||
echo sprintf('<span class="bold blue">%s</span>: <br />', Inflector::humanize(h($k)));
|
||||
if (is_array($v)) {
|
||||
foreach ($v as $key => $value) {
|
||||
if (!is_numeric($key)) {
|
||||
echo '<div class="blue" style="margin-left:10px;">' . h($key) . ':</div>';
|
||||
}
|
||||
echo '<div class="red" style="margin-left:20px;">' . h($value) . '</div>';
|
||||
}
|
||||
} else {
|
||||
echo '<div class="red" style="margin-left:20px;">' . h($v) . '</div>';
|
||||
}
|
||||
endforeach;
|
||||
endforeach;
|
||||
?>
|
||||
|
|
|
|||
|
|
@ -103,10 +103,26 @@
|
|||
else $editable = '';
|
||||
?>
|
||||
<div id = "Attribute_<?php echo $object['id']; ?>_value_solid" class="inline-field-solid" <?php echo $editable; ?>>
|
||||
<span <?php if (Configure::read('Plugin.Enrichment_hover_enable') && isset($modules) && isset($modules['hover_type'][$object['type']])) echo 'class="eventViewAttributeHover" data-object-type="Attribute" data-object-id="' . h($object['id']) . '"'?>>
|
||||
<?php
|
||||
echo $this->element('/Events/View/value_field', array('object' => $object, 'linkClass' => $linkClass));
|
||||
?>
|
||||
<span>
|
||||
<?php
|
||||
$spanExtra = '';
|
||||
$popupButton = '';
|
||||
if (Configure::read('Plugin.Enrichment_hover_enable') && isset($modules) && isset($modules['hover_type'][$object['type']])) {
|
||||
$commonDataFields = sprintf(
|
||||
'data-object-type="%s" data-object-id="%s"',
|
||||
"Attribute",
|
||||
h($object['id'])
|
||||
);
|
||||
$spanExtra = sprintf(' class="eventViewAttributeHover" %s', $commonDataFields);
|
||||
$popupButton = sprintf('<i class="fa fa-search-plus useCursorPointer eventViewAttributePopup" %s></i>', $commonDataFields);
|
||||
}
|
||||
echo sprintf(
|
||||
'<span%s style="white-space: pre-wrap;">%s</span> %s',
|
||||
$spanExtra,
|
||||
$this->element('/Events/View/value_field', array('object' => $object, 'linkClass' => $linkClass)),
|
||||
$popupButton
|
||||
);
|
||||
?>
|
||||
</span>
|
||||
<?php
|
||||
if (isset($object['warnings'])) {
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@
|
|||
$uri = 'data:image/' . strtolower(h($extension)) . ';base64,' . h($object['image']);
|
||||
echo '<img class="screenshot screenshot-collapsed useCursorPointer" src="' . $uri . '" title="' . h($object['value']) . '" />';
|
||||
} else {
|
||||
$filenameHash = explode('|', nl2br(h($object['value'])));
|
||||
$filenameHash = explode('|', h($object['value']));
|
||||
if (strrpos($filenameHash[0], '\\')) {
|
||||
$filepath = substr($filenameHash[0], 0, strrpos($filenameHash[0], '\\'));
|
||||
$filename = substr($filenameHash[0], strrpos($filenameHash[0], '\\'));
|
||||
|
|
@ -39,14 +39,14 @@
|
|||
} else {
|
||||
$sigDisplay = str_replace("\r", '', h($sigDisplay));
|
||||
$sigDisplay = str_replace(" ", ' ', $sigDisplay);
|
||||
echo nl2br($sigDisplay);
|
||||
echo $sigDisplay;
|
||||
}
|
||||
} else if ('hex' == $object['type']) {
|
||||
$sigDisplay = str_replace("\r", '', $sigDisplay);
|
||||
echo '<span class="hex-value" title="' . __('Hexadecimal representation') . '">' . nl2br(h($sigDisplay)) . '</span> <span role="button" tabindex="0" aria-label="' . __('Switch to binary representation') . '" class="icon-repeat hex-value-convert useCursorPointer" title="' . __('Switch to binary representation') . '"></span>';
|
||||
echo '<span class="hex-value" title="' . __('Hexadecimal representation') . '">' . h($sigDisplay) . '</span> <span role="button" tabindex="0" aria-label="' . __('Switch to binary representation') . '" class="icon-repeat hex-value-convert useCursorPointer" title="' . __('Switch to binary representation') . '"></span>';
|
||||
} else {
|
||||
$sigDisplay = str_replace("\r", '', $sigDisplay);
|
||||
echo nl2br(h($sigDisplay));
|
||||
echo h($sigDisplay);
|
||||
}
|
||||
if (isset($object['validationIssue'])) echo ' <span class="icon-warning-sign" title="' . __('Warning, this doesn\'t seem to be a legitimate ') . strtoupper(h($object['type'])) . __(' value') . '"> </span>';
|
||||
?>
|
||||
|
|
|
|||
|
|
@ -1,47 +1,72 @@
|
|||
<div class="event index">
|
||||
<h2><?php echo __('Automation');?></h2>
|
||||
<p><?php echo __('Automation functionality is designed to automatically generate signatures for intrusion detection systems. To enable signature generation for a given attribute, Signature field of this attribute must be set to Yes.
|
||||
Note that not all attribute types are applicable for signature generation, currently we only support NIDS signature generation for IP, domains, host names, user agents etc., and hash list generation for MD5/SHA1 values of file artefacts. Support for more attribute types is planned.
|
||||
To to make this functionality available for automated tools an authentication key is used. This makes it easier for your tools to access the data without further form-based-authentication.');?><br/>
|
||||
<strong><?php echo __('Make sure you keep that key secret as it gives access to the entire database !');?></strong></p>
|
||||
<p><?php echo __('Automation functionality is designed to automatically feed other tools and systems with the data in your MISP repository.
|
||||
To to make this functionality available for automated tools an authentication key is used.');?><br/>
|
||||
<strong><?php echo __('Make sure you keep your API key secret as it gives access to the all of the data that you normally have access to in MISP.');?></strong>
|
||||
To view the old MISP automation page, click <a href="<?php echo $baseurl; ?>/events/automation/1">here</a>.
|
||||
</p>
|
||||
<p><?php echo __('Your current key is: <code>%s</code>.
|
||||
You can %s this key.', $me['authkey'], $this->Html->link(__('reset'), array('controller' => 'users', 'action' => 'resetauthkey', 'me')));?>
|
||||
</p>
|
||||
<p style="color:red;"><?php echo __('Since version 2.2 the usage of the authentication key in the URL is deprecated. Instead, pass the auth key in an Authorization header in the request. The legacy option of having the auth key in the URL is temporarily still supported but not recommended.');?></p>
|
||||
<p><?php echo __('Please use the use the following header');?>:<br />
|
||||
<code><?php echo __('Authorization');?>: <?php echo $me['authkey']; ?></code></p>
|
||||
<h3><?php echo __('XML Export');?></h3>
|
||||
<p><?php echo __('An automatic export of all events and attributes <small>(except file attachments)</small> is available under a custom XML format.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download the following file');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download</pre>
|
||||
<p><?php echo __('If you only want to fetch a specific event append the eventid number');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download/1</pre>
|
||||
<p><?php echo __('You can post an XML or JSON object containing additional parameters in the following formats');?>:</p>
|
||||
<p>JSON:</p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download.json</pre>
|
||||
<code>{"request": {"eventid":["!51","!62"],"withAttachment":false,"tags":["APT1","!OSINT"],"from":false,"to":"2015-02-15"}}</code><br /><br />
|
||||
<p>XML:</p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download</pre>
|
||||
<code><request><eventid>!51</eventid><eventid>!62</eventid><withAttachment>false</withAttachment><tags>APT1</tags><tags>!OSINT</tags><from>false</from><to>2015-02-15</to></request></code><br /><br />
|
||||
<p><?php echo __('The xml download also accepts two additional the following optional parameters in the URL');?>: </p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download/[eventid]/[withattachments]/[tags]/[from]/[to]/[last]</pre>
|
||||
<p>
|
||||
<b>eventid</b>: <?php echo __('Restrict the download to a single event');?><br />
|
||||
<b>withattachments</b>: <?php echo __('A boolean field that determines whether attachments should be encoded and a second parameter that controls the eligible tags.');?><br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
</p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download/false/true/tag1&&tag2&&!tag3</pre>
|
||||
<p>
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
</p>
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL.');?></p>
|
||||
<?php $userGuideUrl = '<a href="' . $baseurl . '/pages/display/doc/using_the_system#rest">'. __('User Guide') . '</a>'; ?>
|
||||
<p><?php echo __('Also check out the %s to read about the REST API.', $userGuideUrl);?></p>
|
||||
<p></p>
|
||||
<?php
|
||||
$data = array(
|
||||
'description' => array(
|
||||
__('It is possible to search the database for attributes based on a list of criteria.'),
|
||||
__('To return an event or a list of events in a desired format, use the following syntax'),
|
||||
__('Whilst a list of parameters is provided below, it isn\'t necessarily exhaustive, specific export formats could have additional parameters.')
|
||||
),
|
||||
'parameters' => array(
|
||||
"returnFormat" => __('Set the return format of the search (Currently supported: json, xml, openioc, suricata, snort - more formats are being moved to restSearch with the goal being that all searches happen through this API). Can be passed as the first parameter after restSearch or via the JSON payload.'),
|
||||
"value" => __('Search for the given value in the attributes\' value field.'),
|
||||
"type" => __('The attribute type, any valid MISP attribute type is accepted.'),
|
||||
"category" => __('The attribute category, any valid MISP attribute category is accepted.'),
|
||||
"org" => __('Search by the creator organisation by supplying the organisation identifier.'),
|
||||
"tags" => __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.'),
|
||||
"quickfilter" => __('Enabling this (by passing "1" as the argument) will make the search ignore all of the other arguments, except for the auth key and value. MISP will return an xml / json (depending on the header sent) of all events that have a sub-string match on value in the event info, event orgc, or any of the attribute value1 / value2 fields, or in the attribute comment.'),
|
||||
"from" => __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.'),
|
||||
"to" => __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.'),
|
||||
"last" => __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.'),
|
||||
"eventid" => __('The events that should be included / excluded from the search'),
|
||||
"withAttachments" => __('If set, encodes the attachments / zipped malware samples as base64 in the data field within each attribute'),
|
||||
"metadata" => __('Only the metadata (event, tags, relations) is returned, attributes and proposals are omitted.'),
|
||||
"uuid" => __('Restrict the results by uuid.'),
|
||||
"publish_timestamp" => __('Restrict the results by the last publish timestamp (newer than).'),
|
||||
"timestamp" => __('Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute\'s timestamp will be used for the lookup.'),
|
||||
"published" => __('Set whether published or unpublished events should be returned. Do not set the parameter if you want both.'),
|
||||
"enforceWarninglist" => __('Remove any attributes from the result that would cause a hit on a warninglist entry.'),
|
||||
"to_ids" => __('By default (0) all attributes are returned that match the other filter parameters, irregardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. You can only use the special "exclude" setting to only return attributes that have the to_ids flag disabled.'),
|
||||
"deleted" => __('If this parameter is set to 1, it will return soft-deleted attributes along with active ones. By using "only" as a parameter it will limit the returned data set to soft-deleted data only.'),
|
||||
"includeEventUuid" => __('Instead of just including the event ID, also include the event UUID in each of the attributes.'),
|
||||
"event_timestamp" => __('Only return attributes from events that have received a modification after the given timestamp.')
|
||||
),
|
||||
'url' => array(
|
||||
$baseurl . '/attributes/restSearch',
|
||||
$baseurl . '/events/restSearch'
|
||||
)
|
||||
);
|
||||
echo sprintf('<h3>%s</h3>', __('Search'));
|
||||
echo sprintf('<p>%s</p>', implode(" ", $data['description']));
|
||||
echo sprintf("<pre>%s</pre>", implode("\n", $data['url']));
|
||||
foreach ($data['parameters'] as $k => $v) {
|
||||
echo sprintf('<span class="bold">%s</span>: %s<br />', $k, $v);
|
||||
}
|
||||
$description = 'To export all attributes of types ip-src and ip-dst that have a TLP marking and are not marked TLP:red, use the syntax below. String searches are by default exact lookups, but you can use mysql style "%" wildcards to do substring searches.';
|
||||
$url = $baseurl . '/attributes/restSearch';
|
||||
$headers = array(
|
||||
'Accept: application/json',
|
||||
'Content-type: application/json',
|
||||
'Authorization: ' . $me['authkey']
|
||||
);
|
||||
$headers = implode("\n", $headers);
|
||||
$body = json_encode(
|
||||
array(
|
||||
'returnFormat' => 'json',
|
||||
'type' => array('OR' => array('ip-src', 'ip-dst')),
|
||||
'tags' => array('NOT' => array('tlp:red'), 'OR' => array('tlp:%')),
|
||||
), JSON_PRETTY_PRINT);
|
||||
echo sprintf('<p>%s</p>URL:<pre>%s</pre>Headers:<pre>%s</pre>Body:<pre class="red">%s</pre>', $description, $url, $headers, $body);
|
||||
?>
|
||||
|
||||
<h3><?php echo __('CSV Export');?></h3>
|
||||
<p><?php echo __('An automatic export of attributes is available as CSV. Only attributes that are flagged "to_ids" will get exported.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download the following file');?>:</p>
|
||||
|
|
@ -71,58 +96,6 @@
|
|||
<p><?php echo __('To export the attributes of all events that are of the type "domain", use the following syntax');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/csv/download/false/false/false/false/domain</pre>
|
||||
|
||||
<h3><?php echo __('NIDS rules export');?></h3>
|
||||
<p><?php echo __('Automatic export of all network related attributes is available under the Snort rule format. Only <em>published</em> events and attributes marked as <em>IDS Signature</em> are exported.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download the following file');?>:</p>
|
||||
<pre><?php
|
||||
echo $baseurl . '/events/nids/suricata/download' . PHP_EOL;
|
||||
echo $baseurl . '/events/nids/snort/download';
|
||||
?></pre>
|
||||
<p><?php echo __('The full API syntax is as follows');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/nids/[format]/download/[eventid]/[frame]/[tags]/[from]/[to]/[last]/[type]/[enforceWarninglist]/[includeAllTags]</pre>
|
||||
<p>
|
||||
<b>format</b>: <?php echo __('The export format, can be "suricata" or "snort"');?><br />
|
||||
<b>eventid</b>: <?php echo __('Restrict the download to a single event');?><br />
|
||||
<b>frame</b>: <?php echo __('Some commented out explanation framing the data. The reason to disable this would be if you would like to concatenate a list of exports from various select events in order to avoid unnecessary duplication of the comments.');?><br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
<pre><?php echo $baseurl;?>/events/nids/snort/download/false/false/tag1&&tag2&&!tag3</pre>
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 6d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>type</b>: <?php echo __('Restrict the export to only use the given types.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('All attributes that have a hit on a warninglist will be excluded.');?><br />
|
||||
<b>includeAllTags</b>: <?php echo __('All tags will be included even if not exportable.');?><br />
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL.');?></p>
|
||||
<p><?php echo __('An example for a suricata export for all events excluding those tagged tag1, without all of the commented information at the start of the file would look like this:');?></p>
|
||||
<pre><?php echo $baseurl;?>/events/nids/suricata/download/null/true/!tag1</pre>
|
||||
<p><?php echo __('Administration is able to maintain a white-list containing host, domain name and IP numbers to exclude from the NIDS export.');?></p>
|
||||
|
||||
<h3><?php echo __('Hash database export');?></h3>
|
||||
<p><?php echo __('Automatic export of MD5/SHA1 checksums contained in file-related attributes. This list can be used to feed forensic software when searching for suspicious files. Only <em>published</em> events and attributes marked as <em>IDS Signature</em> are exported.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download the following files');?>:</p>
|
||||
<h4>md5</h4>
|
||||
<pre><?php echo $baseurl;?>/events/hids/md5/download</pre>
|
||||
<h4>sha1</h4>
|
||||
<pre><?php echo $baseurl;?>/events/hids/sha1/download</pre>
|
||||
<p><?php echo __('The API\'s full format is as follows');?>: </p>
|
||||
<pre><?php echo $baseurl;?>/events/hids/[format]/download/[tags]/[from]/[to]/[last]/[enforceWarninglist]</pre>
|
||||
<b>format</b>: <?php echo __('The export format, can be "md5" or "sha1"');?><br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
<pre><?php echo $baseurl;?>/events/hids/md5/download/tag1&&tag2&&!tag3</pre>
|
||||
<p>
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?> <br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('All attributes that have a hit on a warninglist will be excluded.');?><br />
|
||||
</p>
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL.');?></p>
|
||||
<p><?php echo __('For example, to only show sha1 values from events tagged tag1, use');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/hids/sha1/download/tag1</pre>
|
||||
|
||||
<h3><?php echo __('STIX export');?></h3>
|
||||
<p><?php echo __('You can export MISP events in Mitre\'s STIX format (to read more about STIX, click <a href="https://stix.mitre.org/">here</a>). The STIX XML export is currently very slow and can lead to timeouts with larger events or collections of events. The JSON return format does not suffer from this issue. Usage');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/stix/download</pre>
|
||||
|
|
@ -183,31 +156,6 @@
|
|||
<code><?php echo h('<request><tags>OSINT&&!OUTDATED</tags><policy>walled-garden</policy><walled_garden>teamliquid.net</walled_garden><refresh>5h</refresh></request>');?></code><br /><br />
|
||||
<code>{"request": {"tags": ["OSINT", "!OUTDATED"], "policy": "walled-garden", "walled_garden": "teamliquid.net", "refresh": "5h"}</code>
|
||||
|
||||
<h3><?php echo __('Text export');?></h3>
|
||||
<p<?php echo __('>An export of all attributes of a specific type to a plain text file. By default only published and IDS flagged attributes are exported.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download the following files');?>:</p>
|
||||
<pre><?php
|
||||
foreach ($sigTypes as $sigType) {
|
||||
echo $baseurl.'/attributes/text/download/'.$sigType . "\n";
|
||||
}
|
||||
?></pre>
|
||||
<p><?php echo __('To restrict the results by tags, use the usual syntax. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). To get ip-src values from events tagged tag1 but not tag2 use');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/text/download/ip-src/tag1&&!tag2'; ?></pre>
|
||||
|
||||
<p><?php echo __('As of version 2.3.38, it is possible to restrict the text exports on two additional flags. The first allows the user to restrict based on event ID, whilst the second is a boolean switch allowing non IDS flagged attributes to be exported. Additionally, choosing "all" in the type field will return all eligible attributes.');?></p>
|
||||
<pre><?php echo $baseurl.'/attributes/text/download/[type]/[tags]/[event_id]/[allowNonIDS]/[from]/[to]/[last]/[enforceWarninglist]/[allowNotPublished]'; ?></pre>
|
||||
<b>type</b>: <?php echo __('The attribute type, any valid MISP attribute type is accepted.');?><br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.');?>
|
||||
<b>eventId</b>: <?php echo __('Only export the attributes of the given event ID');?><br />
|
||||
<b>allowNonIDS</b>: <?php echo __('Include attributes that are not marked to_ids, even if they would normally be excluded. Also overrides the whitelist functionality.');?><br />
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?> <br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('All attributes that have a hit on a warninglist will be excluded.');?><br />
|
||||
<b>allowNotPublished</b>: <?php echo __('Include not published Events.');?></b>
|
||||
<?php echo __('You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
<pre><?php echo $baseurl.'/attributes/text/download/all/tag1&&tag2&&!tag3'; ?></pre>
|
||||
<h3><?php echo __('Bro IDS export');?></h3>
|
||||
<p><?php echo __('An export of all attributes of a specific bro type to a formatted plain text file. By default only published and IDS flagged attributes are exported.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download a file one of the Bro types.');?></p>
|
||||
|
|
@ -260,72 +208,6 @@
|
|||
<p><?php echo __('For example, to retrieve all attributes for event #5, including non IDS marked attributes too, use the following line');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/text/download/all/null/5/true'; ?></pre>
|
||||
|
||||
<h3><?php echo __('Searches with JSON/XML/OpenIOC results');?></h3>
|
||||
<p><?php echo __('It is possible to search the database for attributes based on a list of criteria.');?></p>
|
||||
<p><?php echo __('To return an event or a list of events in a desired format, use the following syntax');?>:</p>
|
||||
<pre><?php echo $baseurl.'/events/restSearch/[format]/[value]/[type]/[category]/[org]/[tag]/[quickfilter]/[from]/[to]/[last]/[event_id]/[withAttachments]/[metadata]/[uuid]/[publish_timestamp]/[timestamp]/[published]/[enforceWarninglist]'; ?></pre>
|
||||
<b>format</b>: <?php echo __('Set the return format of the search (Currently supported: json, xml, openioc - more formats coming soon).');?><br />
|
||||
<b>value</b>: <?php echo __('Search for the given value in the attributes\' value field.');?><br />
|
||||
<b>type</b>: <?php echo __('The attribute type, any valid MISP attribute type is accepted.');?><br />
|
||||
<b>category</b>: <?php echo __('The attribute category, any valid MISP attribute category is accepted.');?><br />
|
||||
<b>org</b>: <?php echo __('Search by the creator organisation by supplying the organisation identifier.');?> <br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
To filter on several values for the same parameter, simply use arrays, such as in the following example');?>: <br />
|
||||
<code>{"value":["tag1", "tag2", "!tag3"]}</code><br />
|
||||
<?php echo __('You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
<pre><?php echo $baseurl.'/events/restSearch/json/null/null/null/null/tag1&&tag2&&!tag3'; ?></pre>
|
||||
<b>quickfilter</b>: <?php echo __('Enabling this (by passing "1" as the argument) will make the search ignore all of the other arguments, except for the auth key and value. MISP will return an xml / json (depending on the header sent) of all events that have a sub-string match on value in the event info, event orgc, or any of the attribute value1 / value2 fields, or in the attribute comment.');?> <br />
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>eventid</b>: <?php echo __('The events that should be included / excluded from the search');?><br />
|
||||
<b>withAttachments</b>: <?php echo __('If set, encodes the attachments / zipped malware samples as base64 in the data field within each attribute');?><br />
|
||||
<b>metadata</b>: <?php echo __('Only the metadata (event, tags, relations) is returned, attributes and proposals are omitted.');?><br />
|
||||
<b>uuid</b>: <?php echo __('Restrict the results by uuid.');?><br />
|
||||
<b>publish_timestamp</b>: <?php echo __('Restrict the results by the last publish timestamp (newer than).');?><br />
|
||||
<b>timestamp</b>: <?php echo __('Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute\'s timestamp will be used for the lookup.');?><br />
|
||||
<b>published</b>: <?php echo __('Set whether published or unpublished events should be returned. Do not set the parameter if you want both.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('Remove any attributes from the result that would cause a hit on a warninglist entry.');?><br />
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL.');?></p>
|
||||
<p><?php echo __('For example, to find any event with the term "red october" mentioned, use the following syntax (the example is shown as a POST request instead of a GET, which is highly recommended. GET requests are problematic and deprecated.)');?>:</p>
|
||||
<p>POST to:</p>
|
||||
<pre><?php echo $baseurl.'/events/restSearch/json'; ?></pre>
|
||||
<p><?php echo __('POST message payload (json)');?>:</p>
|
||||
<p><code>{"value":"red october","searchall":1,"eventid":"!15"}</code></p>
|
||||
<p><?php echo __('To just return a list of attributes, use the following syntax');?>:</p>
|
||||
<b>value</b>: <?php echo __('Search for the given value in the attributes\' value field.');?><br />
|
||||
<b>type</b>: <?php echo __('The attribute type, any valid MISP attribute type is accepted.');?><br />
|
||||
<b>category</b>: <?php echo __('The attribute category, any valid MISP attribute category is accepted.');?><br />
|
||||
<b>org</b>: <?php echo __('Search by the creator organisation by supplying the organisation identifier.');?> <br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead).');?><br />
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15)');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15)');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>eventid</b>: <?php echo __('The events that should be included / excluded from the search');?><br />
|
||||
<b>withAttachments</b>: <?php echo __('If set, encodes the attachments / zipped malware samples as base64 in the data field within each attribute');?><br />
|
||||
<b>uuid</b>: <?php echo __('Restrict the results by uuid.');?><br />
|
||||
<b>publish_timestamp</b>: <?php echo __('Restrict the results by the last publish timestamp (newer than).');?><br />
|
||||
<b>published</b>: <?php echo __('Set whether published or unpublished events should be returned. Do not set the parameter if you want both.');?><br />
|
||||
<b>timestamp</b>: <?php echo __('Restrict the results by the timestamp (of the attribute). Any attributes with a timestamp newer than the given timestamp will be returned.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('Remove any attributes from the result that would cause a hit on a warninglist entry.');?><br />
|
||||
<b>to_ids</b>: <?php echo __('By default (0) all attributes are returned that match the other filter parameters, irregardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. You can only use the special "exclude" setting to only return attributes that have the to_ids flag disabled.'); ?> <br />
|
||||
<b>deleted</b>: <?php echo __('If this parameter is set to 1, it will return soft-deleted attributes along with active ones. By using "only" as a parameter it will limit the returned data set to soft-deleted data only.'); ?> <br />
|
||||
<b>includeEventUuid</b>: <?php echo __('Instead of just including the event ID, also include the event UUID in each of the attributes.'); ?> <br />
|
||||
<b>event_timestamp</b>: <?php echo __('Only return attributes from events that have received a modification after the given timestamp.'); ?> <br /><br />
|
||||
<p>For example, to get all attributes of events modified after a given timestamp, simply POST to:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/restSearch/json'; ?></pre>
|
||||
<p><?php echo __('POST message payload (json)');?>:</p>
|
||||
<p><code>{"event_timestamp":1523521850}</code></p>
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL. Keep in mind, this is only needed if you use the deprecated URL parameters.');?></p>
|
||||
<pre><?php echo $baseurl.'/attributes/restSearch/json/[value]/[type]/[category]/[org]/[tag]/[from]/[to]/[last]/[eventid]/[withAttachments]'; ?></pre>
|
||||
<p><?php echo __('value, type, category and org are optional. It is possible to search for several terms in each category by joining them with the \'&&\' operator. It is also possible to negate a term with the \'!\' operator. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead).
|
||||
For example, in order to search for all attributes created by your organisation that contain 192.168 or 127.0 but not 0.1 and are of the type ip-src, excluding the events that were tagged tag1 use the following syntax');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/restSearch/download/192.168&&127.0&&!0.1/ip-src/false/' . $me['Organisation']['name'] . '/!tag1';?></pre>
|
||||
<p><?php echo __('You can also use search for IP addresses using CIDR. Make sure that you use \'|\' (pipe) instead of \'/\' (slashes). Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). See below for an example');?>: </p>
|
||||
<pre><?php echo $baseurl.'/attributes/restSearch/openioc/192.168.1.1|16/ip-src/null/' . $me['Organisation']['name']; ?></pre>
|
||||
<h3><?php echo __('Export attributes of event with specified type as XML');?></h3>
|
||||
<p><?php echo __('If you want to export all attributes of a pre-defined type that belong to an event, use the following syntax');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/returnAttributes/json/[id]/[type]/[sigOnly]'; ?></pre>
|
||||
|
|
|
|||
|
|
@ -0,0 +1,498 @@
|
|||
<div class="event index">
|
||||
<h2><?php echo __('Automation');?></h2>
|
||||
<p><?php echo __('Automation functionality is designed to automatically generate signatures for intrusion detection systems. To enable signature generation for a given attribute, Signature field of this attribute must be set to Yes.
|
||||
Note that not all attribute types are applicable for signature generation, currently we only support NIDS signature generation for IP, domains, host names, user agents etc., and hash list generation for MD5/SHA1 values of file artefacts. Support for more attribute types is planned.
|
||||
To to make this functionality available for automated tools an authentication key is used. This makes it easier for your tools to access the data without further form-based-authentication.');?><br/>
|
||||
<strong><?php echo __('Make sure you keep that key secret as it gives access to the entire database !');?></strong></p>
|
||||
<p><?php echo __('Your current key is: <code>%s</code>.
|
||||
You can %s this key.', $me['authkey'], $this->Html->link(__('reset'), array('controller' => 'users', 'action' => 'resetauthkey', 'me')));?>
|
||||
</p>
|
||||
<p style="color:red;"><?php echo __('Since version 2.2 the usage of the authentication key in the URL is deprecated. Instead, pass the auth key in an Authorization header in the request. The legacy option of having the auth key in the URL is temporarily still supported but not recommended.');?></p>
|
||||
<p><?php echo __('Please use the use the following header');?>:<br />
|
||||
<code><?php echo __('Authorization');?>: <?php echo $me['authkey']; ?></code></p>
|
||||
<h3><?php echo __('XML Export');?></h3>
|
||||
<p><?php echo __('An automatic export of all events and attributes <small>(except file attachments)</small> is available under a custom XML format.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download the following file');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download</pre>
|
||||
<p><?php echo __('If you only want to fetch a specific event append the eventid number');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download/1</pre>
|
||||
<p><?php echo __('You can post an XML or JSON object containing additional parameters in the following formats');?>:</p>
|
||||
<p>JSON:</p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download.json</pre>
|
||||
<code>{"request": {"eventid":["!51","!62"],"withAttachment":false,"tags":["APT1","!OSINT"],"from":false,"to":"2015-02-15"}}</code><br /><br />
|
||||
<p>XML:</p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download</pre>
|
||||
<code><request><eventid>!51</eventid><eventid>!62</eventid><withAttachment>false</withAttachment><tags>APT1</tags><tags>!OSINT</tags><from>false</from><to>2015-02-15</to></request></code><br /><br />
|
||||
<p><?php echo __('The xml download also accepts two additional the following optional parameters in the URL');?>: </p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download/[eventid]/[withattachments]/[tags]/[from]/[to]/[last]</pre>
|
||||
<p>
|
||||
<b>eventid</b>: <?php echo __('Restrict the download to a single event');?><br />
|
||||
<b>withattachments</b>: <?php echo __('A boolean field that determines whether attachments should be encoded and a second parameter that controls the eligible tags.');?><br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
</p>
|
||||
<pre><?php echo $baseurl;?>/events/xml/download/false/true/tag1&&tag2&&!tag3</pre>
|
||||
<p>
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
</p>
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL.');?></p>
|
||||
<?php $userGuideUrl = '<a href="' . $baseurl . '/pages/display/doc/using_the_system#rest">'. __('User Guide') . '</a>'; ?>
|
||||
<p><?php echo __('Also check out the %s to read about the REST API.', $userGuideUrl);?></p>
|
||||
<p></p>
|
||||
<h3><?php echo __('CSV Export');?></h3>
|
||||
<p><?php echo __('An automatic export of attributes is available as CSV. Only attributes that are flagged "to_ids" will get exported.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download the following file');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/csv/download/</pre>
|
||||
<p><?php echo __('You can specify additional flags for CSV exports as follows');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/csv/download/[eventid]/[ignore]/[tags]/[category]/[type]/[includeContext]/[from]/[to]/[last]/[headerless]/[enforceWarninglist]</pre>
|
||||
<p>
|
||||
<b>eventid</b>: <?php echo __('Restrict the download to a single event');?><br />
|
||||
<b>ignore</b>: <?php echo __('Setting this flag to true will include attributes that are not marked "to_ids".');?><br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
</p>
|
||||
<p><?php echo __('For example, to only download a csv generated of the "domain" type and the "Network activity" category attributes all events except for the one and further restricting it to events that are tagged "tag1" or "tag2" but not "tag3", only allowing attributes that are IDS flagged use the following syntax');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/csv/download/false/false/tag1&&tag2&&!tag3/Network%20activity/domain</pre>
|
||||
<p>
|
||||
<b>category</b>: <?php echo __('The attribute category, any valid MISP attribute category is accepted.');?><br />
|
||||
<b>type</b>: <?php echo __('The attribute type, any valid MISP attribute type is accepted.');?><br />
|
||||
<b>includeContext</b>: <?php echo __('Include the event data with each attribute.');?><br />
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m).This filter will use the published timestamp of the event.');?><br />
|
||||
<b>headerless</b>: <?php echo __('The CSV created when this setting is set to true will not contain the header row.
|
||||
<b>enforceWarninglist</b>: All attributes that have a hit on a warninglist will be excluded.');?>
|
||||
</p>
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL.');?></p>
|
||||
<p><?php echo __('To export the attributes of all events that are of the type "domain", use the following syntax');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/csv/download/false/false/false/false/domain</pre>
|
||||
|
||||
<h3><?php echo __('NIDS rules export');?></h3>
|
||||
<p><?php echo __('Automatic export of all network related attributes is available under the Snort rule format. Only <em>published</em> events and attributes marked as <em>IDS Signature</em> are exported.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download the following file');?>:</p>
|
||||
<pre><?php
|
||||
echo $baseurl . '/events/nids/suricata/download' . PHP_EOL;
|
||||
echo $baseurl . '/events/nids/snort/download';
|
||||
?></pre>
|
||||
<p><?php echo __('The full API syntax is as follows');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/nids/[format]/download/[eventid]/[frame]/[tags]/[from]/[to]/[last]/[type]/[enforceWarninglist]/[includeAllTags]</pre>
|
||||
<p>
|
||||
<b>format</b>: <?php echo __('The export format, can be "suricata" or "snort"');?><br />
|
||||
<b>eventid</b>: <?php echo __('Restrict the download to a single event');?><br />
|
||||
<b>frame</b>: <?php echo __('Some commented out explanation framing the data. The reason to disable this would be if you would like to concatenate a list of exports from various select events in order to avoid unnecessary duplication of the comments.');?><br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
<pre><?php echo $baseurl;?>/events/nids/snort/download/false/false/tag1&&tag2&&!tag3</pre>
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 6d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>type</b>: <?php echo __('Restrict the export to only use the given types.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('All attributes that have a hit on a warninglist will be excluded.');?><br />
|
||||
<b>includeAllTags</b>: <?php echo __('All tags will be included even if not exportable.');?><br />
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL.');?></p>
|
||||
<p><?php echo __('An example for a suricata export for all events excluding those tagged tag1, without all of the commented information at the start of the file would look like this:');?></p>
|
||||
<pre><?php echo $baseurl;?>/events/nids/suricata/download/null/true/!tag1</pre>
|
||||
<p><?php echo __('Administration is able to maintain a white-list containing host, domain name and IP numbers to exclude from the NIDS export.');?></p>
|
||||
|
||||
<h3><?php echo __('Hash database export');?></h3>
|
||||
<p><?php echo __('Automatic export of MD5/SHA1 checksums contained in file-related attributes. This list can be used to feed forensic software when searching for suspicious files. Only <em>published</em> events and attributes marked as <em>IDS Signature</em> are exported.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download the following files');?>:</p>
|
||||
<h4>md5</h4>
|
||||
<pre><?php echo $baseurl;?>/events/hids/md5/download</pre>
|
||||
<h4>sha1</h4>
|
||||
<pre><?php echo $baseurl;?>/events/hids/sha1/download</pre>
|
||||
<p><?php echo __('The API\'s full format is as follows');?>: </p>
|
||||
<pre><?php echo $baseurl;?>/events/hids/[format]/download/[tags]/[from]/[to]/[last]/[enforceWarninglist]</pre>
|
||||
<b>format</b>: <?php echo __('The export format, can be "md5" or "sha1"');?><br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
<pre><?php echo $baseurl;?>/events/hids/md5/download/tag1&&tag2&&!tag3</pre>
|
||||
<p>
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?> <br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('All attributes that have a hit on a warninglist will be excluded.');?><br />
|
||||
</p>
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL.');?></p>
|
||||
<p><?php echo __('For example, to only show sha1 values from events tagged tag1, use');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/hids/sha1/download/tag1</pre>
|
||||
|
||||
<h3><?php echo __('STIX export');?></h3>
|
||||
<p><?php echo __('You can export MISP events in Mitre\'s STIX format (to read more about STIX, click <a href="https://stix.mitre.org/">here</a>). The STIX XML export is currently very slow and can lead to timeouts with larger events or collections of events. The JSON return format does not suffer from this issue. Usage');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/stix/download</pre>
|
||||
<p><?php echo __('Search parameters can be passed to the function via URL parameters or by POSTing an XML or JSON object (depending on the return type). The following parameters can be passed to the STIX export tool: <code>id</code>, <code>withAttachments</code>, <code>tags</code>. Both <code>id</code> and <code>tags</code> can use the <code>&&</code> (and) and <code>!</code> (not) operators to build queries. Using the URL parameters, the syntax is as follows');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/stix/download/[id]/[withAttachments]/[tags]/[from]/[to]/[last]</pre>
|
||||
<p>
|
||||
<b>id</b>: <?php echo __('The event\'s ID');?><br />
|
||||
<b>withAttachments</b>: <?php echo __('Encode attachments where applicable');?><br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
</p>
|
||||
<pre><?php echo $baseurl;?>/events/stix/download/false/true/tag1&&tag2&&!tag3</pre>
|
||||
<p>
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
</p>
|
||||
<p><?php echo __('You can post an XML or JSON object containing additional parameters in the following formats');?>:</p>
|
||||
<p>JSON:</p>
|
||||
<pre><?php echo $baseurl;?>/events/stix/download.json</pre>
|
||||
<code>{"request": {"id":["!51","!62"],"withAttachment":false,"tags":["APT1","!OSINT"],"from":false,"to":"2015-02-15"}}</code><br /><br />
|
||||
<p>XML:</p>
|
||||
<pre><?php echo $baseurl;?>/events/stix/download</pre>
|
||||
<code><request><id>!51</id><id>!62</id><withAttachment>false</withAttachment><tags>APT1</tags><tags>!OSINT</tags><from>false</from><to>2015-02-15</to></request></code><br /><br />
|
||||
<h4><?php echo __('Various ways to narrow down the search results of the STIX export');?></h4>
|
||||
<p><?php echo __('For example, to retrieve all events tagged "APT1" but excluding events tagged "OSINT" and excluding events #51 and #62 without any attachments');?>:
|
||||
<pre><?php echo $baseurl;?>/events/stix/download/!51&&!62/false/APT1&&!OSINT/2015-02-15</pre>
|
||||
<p><?php echo __('To export the same events using a POST request use');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/stix/download.json</pre>
|
||||
<p><?php echo __('Together with this JSON object in the POST message');?>:</p>
|
||||
<code>{"request": {"id":["!51","!62"],"tags":["APT1","!OSINT"],"from":"2015-02-15"}}</code><br /><br />
|
||||
<p><?php echo __('XML is automagically assumed when using the stix export');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/events/stix/download</pre>
|
||||
<p><?php echo __('The same search could be accomplished using the following POSTed XML object (note that ampersands need to be escaped, or alternatively separate id and tag elements can be used)');?>: </p>
|
||||
<code><request><id>!51</id><id>!62</id><tags>APT1</tags><tags>!OSINT</tags><from>2015-02-15</from></request></code>
|
||||
|
||||
<h3><?php echo __('RPZ export');?></h3>
|
||||
<p<?php echo __('>You can export RPZ zone files for DNS level firewalling by using the RPZ export functionality of MISP. The file generated will include all of the IDS flagged domain, hostname and IP-src/IP-dst attribute values that you have access to.');?></p>
|
||||
<p><?php echo __('It is possible to further restrict the exported values using the following filters');?>:</p>
|
||||
<p>
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search when passed through the url.
|
||||
');?>
|
||||
<?php echo __('Use semicolons instead (the search will automatically search for colons instead)');?>.<br />
|
||||
<b>id</b>: <?php echo __('The event\'s ID');?><br />
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-03)');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-03)');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('All attributes that have a hit on a warninglist will be excluded.');?>
|
||||
</p>
|
||||
<p><?php echo __('MISP will inject header values into the zone file as well as define the action taken for each of the values that can all be overriden. By default these values are either the default values shipped with the application, or ones that are overriden by your site administrator. The values are as follows');?>:</p>
|
||||
<?php foreach ($rpzSettings as $k => $v): ?>
|
||||
<b><?php echo h($k);?></b>: <?php echo h($v);?><br />
|
||||
<?php endforeach; ?>
|
||||
<p><?php echo __('To override the above values, either use the url parameters as described below');?>:</p>
|
||||
<pre><?php echo $baseurl;?>/attributes/rpz/download/[tags]/[eventId]/[from]/[to]/[policy]/[walled_garden]/[ns]/[email]/[serial]/[refresh]/[retry]/[expiry]/[minimum_ttl]/[ttl]</pre>
|
||||
<p><?php echo __('or POST an XML or JSON object with the above listed options');?>: </p>
|
||||
<code><?php echo h('<request><tags>OSINT&&!OUTDATED</tags><policy>walled-garden</policy><walled_garden>teamliquid.net</walled_garden><refresh>5h</refresh></request>');?></code><br /><br />
|
||||
<code>{"request": {"tags": ["OSINT", "!OUTDATED"], "policy": "walled-garden", "walled_garden": "teamliquid.net", "refresh": "5h"}</code>
|
||||
|
||||
<h3><?php echo __('Text export');?></h3>
|
||||
<p<?php echo __('>An export of all attributes of a specific type to a plain text file. By default only published and IDS flagged attributes are exported.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download the following files');?>:</p>
|
||||
<pre><?php
|
||||
foreach ($sigTypes as $sigType) {
|
||||
echo $baseurl.'/attributes/text/download/'.$sigType . "\n";
|
||||
}
|
||||
?></pre>
|
||||
<p><?php echo __('To restrict the results by tags, use the usual syntax. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). To get ip-src values from events tagged tag1 but not tag2 use');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/text/download/ip-src/tag1&&!tag2'; ?></pre>
|
||||
|
||||
<p><?php echo __('As of version 2.3.38, it is possible to restrict the text exports on two additional flags. The first allows the user to restrict based on event ID, whilst the second is a boolean switch allowing non IDS flagged attributes to be exported. Additionally, choosing "all" in the type field will return all eligible attributes.');?></p>
|
||||
<pre><?php echo $baseurl.'/attributes/text/download/[type]/[tags]/[event_id]/[allowNonIDS]/[from]/[to]/[last]/[enforceWarninglist]/[allowNotPublished]'; ?></pre>
|
||||
<b>type</b>: <?php echo __('The attribute type, any valid MISP attribute type is accepted.');?><br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.');?>
|
||||
<b>eventId</b>: <?php echo __('Only export the attributes of the given event ID');?><br />
|
||||
<b>allowNonIDS</b>: <?php echo __('Include attributes that are not marked to_ids, even if they would normally be excluded. Also overrides the whitelist functionality.');?><br />
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?> <br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('All attributes that have a hit on a warninglist will be excluded.');?><br />
|
||||
<b>allowNotPublished</b>: <?php echo __('Include not published Events.');?></b>
|
||||
<?php echo __('You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
<pre><?php echo $baseurl.'/attributes/text/download/all/tag1&&tag2&&!tag3'; ?></pre>
|
||||
<h3><?php echo __('Bro IDS export');?></h3>
|
||||
<p><?php echo __('An export of all attributes of a specific bro type to a formatted plain text file. By default only published and IDS flagged attributes are exported.');?></p>
|
||||
<p><?php echo __('You can configure your tools to automatically download a file one of the Bro types.');?></p>
|
||||
<pre><?php
|
||||
foreach (array_keys($broTypes) as $broType) {
|
||||
echo $baseurl.'/attributes/bro/download/'.$broType . "\n";
|
||||
}
|
||||
?></pre>
|
||||
<p><?php echo __('To restrict the results by tags, use the usual syntax. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). To get ip values from events tagged tag1 but not tag2 use');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/bro/download/ip/tag1&&!tag2'; ?></pre>
|
||||
|
||||
<p><?php echo __('It is possible to restrict the bro exports on based on a set of filters. POST a JSON object or an XML at the Bro API to filter the results.');?></p>
|
||||
<pre><?php echo $baseurl.'/attributes/bro/download'; ?></pre>
|
||||
<p>JSON:</p>
|
||||
<pre><?php
|
||||
echo 'Headers' . PHP_EOL;
|
||||
echo 'Authorization: ' . h($me['authkey']) . PHP_EOL;
|
||||
echo 'Accept: application/json' . PHP_EOL;
|
||||
echo 'Content-type: application/json';
|
||||
?></pre>
|
||||
<code>{"request": {"type":"ip", "eventid":["!51","!62"],"withAttachment":false,"tags":["APT1","!OSINT"],"from":false,"to":"2015-02-15"}}</code><br /><br />
|
||||
<p>XML:</p>
|
||||
<pre><?php
|
||||
echo 'Headers' . PHP_EOL;
|
||||
echo 'Authorization: ' . h($me['authkey']) . PHP_EOL;
|
||||
echo 'Accept: application/json' . PHP_EOL;
|
||||
echo 'Content-type: application/json';
|
||||
?></pre>
|
||||
<code><request><type>ip</type><eventid>!51</eventid><eventid>!62</eventid><withAttachment>false</withAttachment><tags>APT1</tags><tags>!OSINT</tags><from>false</from><to>2015-02-15</to></request></code><br /><br />
|
||||
<p><?php echo __('Alternatively, it is also possible to pass the filters via the parameters in the URL, though it is highly advised to use POST requests with JSON objects instead. The format is as described below');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/bro/download/[type]/[tags]/[event_id]/[allowNonIDS]/[from]/[to]/[last]'; ?></pre>
|
||||
<b>type</b>: <?php echo __('The Bro type, any valid Bro type is accepted. The mapping between Bro and MISP types is as follows');?>:<br />
|
||||
<pre><?php
|
||||
foreach ($broTypes as $key => $value) {
|
||||
echo '<b>' . h($key) . '</b>: ' . h($value) . PHP_EOL;
|
||||
}
|
||||
?></pre>
|
||||
<p>
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead).');?><br />
|
||||
<b>event_id</b>: <?php echo __('Restrict the results to the given event IDs.');?> <br />
|
||||
<b>allowNonIDS</b>: <?php echo __('Allow attributes to be exported that are not marked as "to_ids".');?><br />
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('All attributes that have a hit on a warninglist will be excluded.');?><br />
|
||||
</p>
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL.');?></p>
|
||||
<p><?php echo __('For example, to retrieve all attributes for event #5, including non IDS marked attributes too, use the following line');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/text/download/all/null/5/true'; ?></pre>
|
||||
|
||||
<h3><?php echo __('Searches with JSON/XML/OpenIOC results');?></h3>
|
||||
<p><?php echo __('It is possible to search the database for attributes based on a list of criteria.');?></p>
|
||||
<p><?php echo __('To return an event or a list of events in a desired format, use the following syntax');?>:</p>
|
||||
<pre><?php echo $baseurl.'/events/restSearch/[format]/[value]/[type]/[category]/[org]/[tag]/[quickfilter]/[from]/[to]/[last]/[event_id]/[withAttachments]/[metadata]/[uuid]/[publish_timestamp]/[timestamp]/[published]/[enforceWarninglist]'; ?></pre>
|
||||
<b>format</b>: <?php echo __('Set the return format of the search (Currently supported: json, xml, openioc - more formats coming soon).');?><br />
|
||||
<b>value</b>: <?php echo __('Search for the given value in the attributes\' value field.');?><br />
|
||||
<b>type</b>: <?php echo __('The attribute type, any valid MISP attribute type is accepted.');?><br />
|
||||
<b>category</b>: <?php echo __('The attribute category, any valid MISP attribute category is accepted.');?><br />
|
||||
<b>org</b>: <?php echo __('Search by the creator organisation by supplying the organisation identifier.');?> <br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
To filter on several values for the same parameter, simply use arrays, such as in the following example');?>: <br />
|
||||
<code>{"value":["tag1", "tag2", "!tag3"]}</code><br />
|
||||
<?php echo __('You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use');?>:<br />
|
||||
<pre><?php echo $baseurl.'/events/restSearch/json/null/null/null/null/tag1&&tag2&&!tag3'; ?></pre>
|
||||
<b>quickfilter</b>: <?php echo __('Enabling this (by passing "1" as the argument) will make the search ignore all of the other arguments, except for the auth key and value. MISP will return an xml / json (depending on the header sent) of all events that have a sub-string match on value in the event info, event orgc, or any of the attribute value1 / value2 fields, or in the attribute comment.');?> <br />
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15). This filter will use the date of the event.');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>eventid</b>: <?php echo __('The events that should be included / excluded from the search');?><br />
|
||||
<b>withAttachments</b>: <?php echo __('If set, encodes the attachments / zipped malware samples as base64 in the data field within each attribute');?><br />
|
||||
<b>metadata</b>: <?php echo __('Only the metadata (event, tags, relations) is returned, attributes and proposals are omitted.');?><br />
|
||||
<b>uuid</b>: <?php echo __('Restrict the results by uuid.');?><br />
|
||||
<b>publish_timestamp</b>: <?php echo __('Restrict the results by the last publish timestamp (newer than).');?><br />
|
||||
<b>timestamp</b>: <?php echo __('Restrict the results by the timestamp (last edit). Any event with a timestamp newer than the given timestamp will be returned. In case you are dealing with /attributes as scope, the attribute\'s timestamp will be used for the lookup.');?><br />
|
||||
<b>published</b>: <?php echo __('Set whether published or unpublished events should be returned. Do not set the parameter if you want both.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('Remove any attributes from the result that would cause a hit on a warninglist entry.');?><br />
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL.');?></p>
|
||||
<p><?php echo __('For example, to find any event with the term "red october" mentioned, use the following syntax (the example is shown as a POST request instead of a GET, which is highly recommended. GET requests are problematic and deprecated.)');?>:</p>
|
||||
<p>POST to:</p>
|
||||
<pre><?php echo $baseurl.'/events/restSearch/json'; ?></pre>
|
||||
<p><?php echo __('POST message payload (json)');?>:</p>
|
||||
<p><code>{"value":"red october","searchall":1,"eventid":"!15"}</code></p>
|
||||
<p><?php echo __('To just return a list of attributes, use the following syntax');?>:</p>
|
||||
<b>value</b>: <?php echo __('Search for the given value in the attributes\' value field.');?><br />
|
||||
<b>type</b>: <?php echo __('The attribute type, any valid MISP attribute type is accepted.');?><br />
|
||||
<b>category</b>: <?php echo __('The attribute category, any valid MISP attribute category is accepted.');?><br />
|
||||
<b>org</b>: <?php echo __('Search by the creator organisation by supplying the organisation identifier.');?> <br />
|
||||
<b>tags</b>: <?php echo __('To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a \'!\'.
|
||||
You can also chain several tag commands together with the \'&&\' operator. Please be aware the colons (:) cannot be used in the tag search.
|
||||
Use semicolons instead (the search will automatically search for colons instead).');?><br />
|
||||
<b>from</b>: <?php echo __('Events with the date set to a date after the one specified in the from field (format: 2015-02-15)');?><br />
|
||||
<b>to</b>: <?php echo __('Events with the date set to a date before the one specified in the to field (format: 2015-02-15)');?><br />
|
||||
<b>last</b>: <?php echo __('Events published within the last x amount of time, where x can be defined in days, hours, minutes (for example 5d or 12h or 30m). This filter will use the published timestamp of the event.');?><br />
|
||||
<b>eventid</b>: <?php echo __('The events that should be included / excluded from the search');?><br />
|
||||
<b>withAttachments</b>: <?php echo __('If set, encodes the attachments / zipped malware samples as base64 in the data field within each attribute');?><br />
|
||||
<b>uuid</b>: <?php echo __('Restrict the results by uuid.');?><br />
|
||||
<b>publish_timestamp</b>: <?php echo __('Restrict the results by the last publish timestamp (newer than).');?><br />
|
||||
<b>published</b>: <?php echo __('Set whether published or unpublished events should be returned. Do not set the parameter if you want both.');?><br />
|
||||
<b>timestamp</b>: <?php echo __('Restrict the results by the timestamp (of the attribute). Any attributes with a timestamp newer than the given timestamp will be returned.');?><br />
|
||||
<b>enforceWarninglist</b>: <?php echo __('Remove any attributes from the result that would cause a hit on a warninglist entry.');?><br />
|
||||
<b>to_ids</b>: <?php echo __('By default (0) all attributes are returned that match the other filter parameters, irregardless of their to_ids setting. To restrict the returned data set to to_ids only attributes set this parameter to 1. You can only use the special "exclude" setting to only return attributes that have the to_ids flag disabled.'); ?> <br />
|
||||
<b>deleted</b>: <?php echo __('If this parameter is set to 1, it will return soft-deleted attributes along with active ones. By using "only" as a parameter it will limit the returned data set to soft-deleted data only.'); ?> <br />
|
||||
<b>includeEventUuid</b>: <?php echo __('Instead of just including the event ID, also include the event UUID in each of the attributes.'); ?> <br />
|
||||
<b>event_timestamp</b>: <?php echo __('Only return attributes from events that have received a modification after the given timestamp.'); ?> <br /><br />
|
||||
<p>For example, to get all attributes of events modified after a given timestamp, simply POST to:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/restSearch/json'; ?></pre>
|
||||
<p><?php echo __('POST message payload (json)');?>:</p>
|
||||
<p><code>{"event_timestamp":1523521850}</code></p>
|
||||
<p><?php echo __('The keywords false or null should be used for optional empty parameters in the URL. Keep in mind, this is only needed if you use the deprecated URL parameters.');?></p>
|
||||
<pre><?php echo $baseurl.'/attributes/restSearch/json/[value]/[type]/[category]/[org]/[tag]/[from]/[to]/[last]/[eventid]/[withAttachments]'; ?></pre>
|
||||
<p><?php echo __('value, type, category and org are optional. It is possible to search for several terms in each category by joining them with the \'&&\' operator. It is also possible to negate a term with the \'!\' operator. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead).
|
||||
For example, in order to search for all attributes created by your organisation that contain 192.168 or 127.0 but not 0.1 and are of the type ip-src, excluding the events that were tagged tag1 use the following syntax');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/restSearch/download/192.168&&127.0&&!0.1/ip-src/false/' . $me['Organisation']['name'] . '/!tag1';?></pre>
|
||||
<p><?php echo __('You can also use search for IP addresses using CIDR. Make sure that you use \'|\' (pipe) instead of \'/\' (slashes). Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). See below for an example');?>: </p>
|
||||
<pre><?php echo $baseurl.'/attributes/restSearch/openioc/192.168.1.1|16/ip-src/null/' . $me['Organisation']['name']; ?></pre>
|
||||
<h3><?php echo __('Export attributes of event with specified type as XML');?></h3>
|
||||
<p><?php echo __('If you want to export all attributes of a pre-defined type that belong to an event, use the following syntax');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/returnAttributes/json/[id]/[type]/[sigOnly]'; ?></pre>
|
||||
<p><?php echo __('sigOnly is an optional flag that will block all attributes from being exported that don\'t have the IDS flag turned on.
|
||||
It is possible to search for several types with the \'&&\' operator and to exclude values with the \'!\' operator.
|
||||
For example, to get all IDS signature attributes of type md5 and sha256, but not filename|md5 and filename|sha256 from event 25, use the following');?>: </p>
|
||||
<pre><?php echo $baseurl.'/attributes/returnAttributes/download/25/md5&&sha256&&!filename/true';?></pre>
|
||||
|
||||
<h3><?php echo __('Download attachment or malware sample');?></h3>
|
||||
<p><?php echo __('If you know the attribute ID of a malware-sample or an attachment, you can download it with the following syntax');?>:</p>
|
||||
<pre><?php echo $baseurl.'/attributes/downloadAttachment/download/[Attribute_id]';?></pre>
|
||||
<h3><?php echo __('Download malware sample by hash');?></h3>
|
||||
<p><?php echo __('You can also download samples by knowing its MD5 hash. Simply pass the hash along as a JSON/XML object or in the URL (with the URL having overruling the passed objects) to receive a JSON/XML object back with the zipped sample base64 encoded along with some contextual information.');?></p>
|
||||
<p><?php echo __('You can also use this API to get all samples from events that contain the passed hash. For this functionality, just pass the "allSamples" flag along. Note that if you are getting all samples from matching events, you can use all supported hash types (%s) for the lookup.</p>', h(implode(', ', $hashTypes)));?>
|
||||
<p><?php echo __('You can also get all the samples from an event with a given event ID, by passing along the eventID parameter. Make sure that either an event ID or a hash is passed along, otherwise an error message will be returned. Also, if no hash is set, the allSamples flag will get set automatically.');?></p>
|
||||
<pre><?php echo $baseurl.'/attributes/downloadSample/[hash]/[allSamples]/[eventID]';?></pre>
|
||||
<p><?php echo __('POST message payload (XML)');?>:</p>
|
||||
<p><code>
|
||||
<?php echo h("<request><hash>7c12772809c1c0c3deda6103b10fdfa0</hash><allSamples>1</allSamples><eventID>13</eventID</request>"); ?>
|
||||
</code></p>
|
||||
<p><?php echo __('POST message payload (json)');?>:</p>
|
||||
<p><code>
|
||||
{"request": {"hash": "7c12772809c1c0c3deda6103b10fdfa0", "allSamples": 1, "eventID": 13}}
|
||||
</code></p>
|
||||
<p><?php echo __('A quick description of all the parameters in the passed object');?>:</p>
|
||||
<b>hash</b>: <?php echo __('A hash in MD5 format. If allSamples is set, this can be any one of the following: %s', h(implode(', ', $hashTypes)));?><br />
|
||||
<b>allSamples</b>: <?php echo __('If set, it will return all samples from events that have a match for the hash provided above.');?><br />
|
||||
<b>eventID</b>: <?php echo __('If set, it will only fetch data from the given event ID.');?><br />
|
||||
<h3><?php echo __('Upload malware samples using the "Upload Sample" API');?></h3>
|
||||
<pre><?php echo $baseurl.'/events/upload_sample/[Event_id]';?></pre>
|
||||
<p><?php echo __('This API will allow you to populate an event that you have modify rights to with malware samples (and all related hashes). Alternatively, if you do not supply an event ID, it will create a new event for you.');?><br />
|
||||
<?php echo __('The files have to be base64 encoded and POSTed as explained below. All samples will be zipped and password protected (with the password being "infected"). The hashes of the original file will be captured as additional attributes.');?><br />
|
||||
<?php echo __('The event ID is optional. MISP will accept either a JSON or an XML object posted to the above URL.');?></p>
|
||||
<p><b><?php echo __('The general structure of the expected objects is as follows');?>:</b></p>
|
||||
<code>{"request": {"files": [{"filename": filename1, "data": base64encodedfile1}, {"filename": filename2, "data": base64encodedfile2}], "optional_parameter1", "optional_parameter2", "optional_parameter3"}}</code>
|
||||
<br /><br />
|
||||
<p><b>JSON:</b></p>
|
||||
<code>{"request":{"files": [{"filename": "test1.txt", "data": "dGVzdA=="}, {"filename": "test2.txt", "data": "dGVzdDI="}], "distribution": 1, "info" : "test", "event_id": 15}}</code>
|
||||
<br /><br />
|
||||
<p><b>XML:</b></p>
|
||||
<code><?php echo h("<request><files><filename>test3.txt</filename><data>dGVzdA==</data></files><files><filename>test4.txt</filename><data>dGVzdDI=</data></files><info>test</info><distribution>1</distribution><event_id>15</event_id></request>");?></code>
|
||||
<br /><br />
|
||||
<p><b><?php echo __('The following optional parameters are expected');?>:</b></p>
|
||||
<p><b>event_id</b>: <?php echo __('The Event\'s ID is optional. It can be either supplied via the URL or the POSTed object, but the URL has priority if both are provided. Not supplying an event ID will cause MISP to create a single new event for all of the POSTed malware samples. You can define the default settings for the event, otherwise a set of default settings will be used.');?><br />
|
||||
<b>distribution</b>: <?php echo __('The distribution setting used for the attributes and for the newly created event, if relevant. [0-3]');?><br />
|
||||
<b>to_ids</b>: <?php echo __('You can flag all attributes created during the transaction to be marked as "to_ids" or not.');?><br />
|
||||
<b>category</b>: <?php echo __('The category that will be assigned to the uploaded samples. Valid options are: Payload delivery, Artefacts dropped, Payload Installation, External Analysis.');?><br />
|
||||
<b>info</b>: <?php echo __('Used to populate the event info field if no event ID supplied. Alternatively, if not set, MISP will simply generate a message showing that it\'s a malware sample collection generated on the given day.');?><br />
|
||||
<b>analysis</b>: <?php echo __('The analysis level of the newly created event, if applicable. [0-2]');?><br />
|
||||
<b>threat_level_id</b>: <?php echo __('The threat level ID of the newly created event, if applicable. [0-3]');?><br />
|
||||
<b>comment</b>: <?php echo __('This will populate the comment field of any attribute created using this API.');?><br />
|
||||
<h3><?php echo __('Add or remove tags from events');?></h3>
|
||||
<p><?php echo __('You can add or remove an existing tag from an event in the following way');?>:</p>
|
||||
<pre><?php echo $baseurl.'/events/addTag'; ?></pre>
|
||||
<pre><?php echo $baseurl.'/events/removeTag'; ?></pre>
|
||||
<p><?php echo __('Just POST a json object in the following format (to the appropriate API depending on whether you want to add or delete a tag from an event)');?>:</p>
|
||||
<code>{"event":228, "tag":8}</code><br /><br />
|
||||
<p><?php echo __('Where "tag" is the ID of the tag. You can also use the name of the tag the following way');?>:</p>
|
||||
<code>{"event":228, "tag":"OSINT"}</code>
|
||||
<h3><?php echo __('Proposals and the API');?></h3>
|
||||
<p><?php echo __('You can interact with the proposals via the API directly since version 2.3.148');?></p>
|
||||
|
||||
<table style="width:900px;">
|
||||
<tr>
|
||||
<th style="text-align:left;"><?php echo __('HTTP');?></th>
|
||||
<th style="text-align:left;"><?php echo __('URL');?></th>
|
||||
<th style="text-align:left;"><?php echo __('Explanation');?></th>
|
||||
<th style="text-align:left;"><?php echo __('Expected Payload');?></th>
|
||||
<th style="text-align:left;"><?php echo __('Response');?></th>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="width:45px;">GET</td>
|
||||
<td style="width:250px;">/shadow_attributes/view/[proposal_id]</td>
|
||||
<td><?php echo __('View a proposal');?></td>
|
||||
<td><?php echo __('N/A');?></td>
|
||||
<td><?php echo __('ShadowAttribute object');?></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="width:45px;">GET</td>
|
||||
<td style="width:250px;">/shadow_attributes/index</td>
|
||||
<td><?php echo __('View all proposal of my org\'s events');?></td>
|
||||
<td><?php echo __('N/A');?></td>
|
||||
<td><?php echo __('ShadowAttribute objects');?></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="width:45px;">GET</td>
|
||||
<td style="width:250px;">/shadow_attributes/index/[event_id]</td>
|
||||
<td><?php echo __('View all proposals of an event');?></td>
|
||||
<td><?php echo __('N/A');?></td>
|
||||
<td><?php echo __('ShadowAttribute objects');?></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="width:45px;">POST</td>
|
||||
<td style="width:250px;">/shadow_attributes/add/[event_id]</td>
|
||||
<td style="width:250px;"><?php echo __('Propose a new attribute to an event');?></td>
|
||||
<td><?php echo __('ShadowAttribute object');?></td>
|
||||
<td><?php echo __('ShadowAttribute object');?></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="width:45px;">POST</td>
|
||||
<td style="width:250px;">/shadow_attributes/edit/[attribute_id]</td>
|
||||
<td style="width:250px;"><?php echo __('Propose an edit to an attribute');?></td>
|
||||
<td><?php echo __('ShadowAttribute object');?></td>
|
||||
<td><?php echo __('ShadowAttribute object');?></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="width:45px;">POST</td>
|
||||
<td style="width:250px;">/shadow_attributes/accept/[proposal_id]</td>
|
||||
<td style="width:250px;"><?php echo __('Accept a proposal');?></td>
|
||||
<td><?php echo __('N/A');?></td>
|
||||
<td><?php echo __('Message');?></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="width:45px;">POST</td>
|
||||
<td style="width:250px;">/shadow_attributes/discard/[proposal_id]</td>
|
||||
<td style="width:250px;"><?php echo __('Discard a proposal');?></td>
|
||||
<td><?php echo __('N/A');?></td>
|
||||
<td><?php echo __('Message');?></td>
|
||||
</tr>
|
||||
</table><br />
|
||||
<p><?php echo __('When posting a shadow attribute object, use the following formats');?></p>
|
||||
<p><b>JSON</b></p>
|
||||
<code><?php echo h('{"request": {"ShadowAttribute": {"value": "5.5.5.5", "to_ids": false, "type": "ip-dst", "category": "Network activity"}}}');?></code><br /><br />
|
||||
<p><b>XML</b></p>
|
||||
<code><?php echo h('<request><ShadowAttribute><value>5.5.5.5</value><to_ids>0</to_ids><type>ip-src</type><category>Network activity</category></ShadowAttribute></request>');?></code><br /><br />
|
||||
<p><?php echo __('None of the above fields are mandatory, but at least one of them has to be provided.');?></p>
|
||||
|
||||
<h3><?php echo __('Filtering event metadata');?></h3>
|
||||
<p><?php echo __('As described in the REST section, it is possible to retrieve a list of events along with their metadata by sending a GET request to the /events API. However, this API in particular is a bit more versatile. You can pass search parameters along to search among the events on various fields and retrieve a list of matching events (along with their metadata). Use the following URL');?>:<br />
|
||||
<?php
|
||||
echo $baseurl.'/events/index';
|
||||
?>
|
||||
<?php echo __('POST a JSON object with the desired lookup fields and values to receive a JSON back.<br />
|
||||
An example for a valid lookup');?>:</p>
|
||||
<b>URL</b>: <?php echo $baseurl.'/events/index'; ?><br />
|
||||
<b>Headers</b>:<br />
|
||||
<pre><?php
|
||||
echo 'Authorization: ' . $me['authkey'] . PHP_EOL;
|
||||
echo 'Accept: application/json' . PHP_EOL;
|
||||
echo 'Content-type: application/json';
|
||||
?></pre>
|
||||
<b>Body</b>:
|
||||
<code>{"searcheventinfo":"Locky", "searchpublished":1, "searchdistribution":!0}</code><br /><br />
|
||||
<p><?php echo __('The above would return any event that is published, not restricted to your organisation only that has the term "Locky" in its event description. You can use exclamation marks to negate a value wherever appropriate.');?></p>
|
||||
<p><b><?php echo __('The list of valid parameters');?>:</b></p>
|
||||
<p><b>searchpublished</b>: <?php echo __('Filters on published or unpublished events [0,1] - negatable');?><br />
|
||||
<b>searcheventinfo</b>: <?php echo __('Filters on strings found in the event info - negatable');?><br />
|
||||
<b>searchtag</b>: <?php echo __('Filters on attached tag names - negatable');?><br />
|
||||
<b>searcheventid</b>: <?php echo __('Filters on specific event IDs - negatable');?><br />
|
||||
<b>searchthreatlevel</b>: <?php echo __('Filters on a given event threat level [1,2,3,4] - negatable');?><br />
|
||||
<b>searchdistribution</b>: <?php echo __('Filters on the distribution level [0,1,2,3] - negatable');?><br />
|
||||
<b>searchanalysis</b>: <?php echo __('Filters on the given analysis phase of the event [0,1,2] - negatable');?><br />
|
||||
<b>searchattribute</b>: <?php echo __('Filters on a contained attribute value - negatable');?><br />
|
||||
<b>searchorg</b>: <?php echo __('Filters on the creator organisation - negatable');?><br />
|
||||
<b>searchemail</b>: <?php echo __('Filters on the creator user\'s email address (admin only) - negatable');?><br />
|
||||
<b>searchDatefrom</b>: <?php echo __('Filters on the date, anything newer than the given date in YYYY-MM-DD format is taken - non-negatable');?><br />
|
||||
<b>searchDateuntil</b>: <?php echo __('Filters on the date, anything older than the given date in YYYY-MM-DD format is taken - non-negatable');?><br /></p>
|
||||
<?php
|
||||
foreach ($command_line_functions as $clusterRef => $cluster) {
|
||||
echo sprintf('<a id="%s"></a><h3>%s</h3>', $clusterRef, $cluster['header']);
|
||||
echo sprintf('<p>%s:<br />', $cluster['description']);
|
||||
foreach ($cluster['data'] as $commandName => $command) {
|
||||
echo '<b>' . Inflector::humanize($commandName) . '</b>: <code>' . $command . '</code><br />';
|
||||
}
|
||||
}
|
||||
?>
|
||||
</div>
|
||||
<?php
|
||||
echo $this->element('side_menu', array('menuList' => 'event-collection', 'menuItem' => 'automation'));
|
||||
?>
|
||||
|
|
@ -1,8 +1,18 @@
|
|||
<div class="servers form">
|
||||
<div style="position:absolute;right:40px;width:300px;top:90px;">
|
||||
<label for="TemplateSelect">Templates</label>
|
||||
<?php
|
||||
$options = '<option value="">None</option>';
|
||||
foreach ($allValidApis as $endpoint_url => $endpoint_data) {
|
||||
$options .= sprintf('<option value="%s">%s</option>', $endpoint_url, $endpoint_data['api_name']);
|
||||
}
|
||||
echo sprintf('<select id="TemplateSelect">%s</select>', $options);
|
||||
?>
|
||||
<div id="apiInfo"></div>
|
||||
</div>
|
||||
<?php echo $this->Form->create('Server');?>
|
||||
<fieldset>
|
||||
<legend><?php echo __('REST client');?></legend>
|
||||
<div style="position:absolute;right:40px;width:300px;" id="apiInfo"></div>
|
||||
<?php
|
||||
echo $this->Form->input('method', array(
|
||||
'label' => __('Relative path to query'),
|
||||
|
|
@ -47,6 +57,7 @@
|
|||
));
|
||||
?>
|
||||
<div class="input clear" style="width:100%;">
|
||||
<div id="template_description" style="display:none;width:700px;" class="alert alert-error">Fill out the JSON template above, make sure to replace all placeholder values. Fields with the value "optional" can be removed.</div>
|
||||
<?php
|
||||
echo $this->Form->submit('Run query', array('class' => 'btn btn-primary'));
|
||||
echo $this->Form->end();
|
||||
|
|
@ -88,7 +99,34 @@
|
|||
?>
|
||||
<script type="text/javascript">
|
||||
// tooltips
|
||||
var thread = null;
|
||||
function setApiInfoBox() {
|
||||
clearTimeout(thread);
|
||||
var $this = $(this);
|
||||
var payload = {
|
||||
"url": $('#ServerUrl').val()
|
||||
};
|
||||
if (payload) {
|
||||
thread = setTimeout(
|
||||
function() {
|
||||
$.ajax({
|
||||
type: "POST",
|
||||
url: '/servers/getApiInfo',
|
||||
data: payload,
|
||||
success:function (data, textStatus) {
|
||||
$('#apiInfo').html(data);
|
||||
}
|
||||
});
|
||||
},
|
||||
1000
|
||||
);
|
||||
} else {
|
||||
$('#apiInfo').empty();
|
||||
}
|
||||
}
|
||||
|
||||
$(document).ready(function () {
|
||||
var allValidApis = <?php echo json_encode($allValidApis); ?>;
|
||||
insertRawRestResponse();
|
||||
$('.format-toggle-button').bind('click', function() {
|
||||
$('#rest-response-container').empty();
|
||||
|
|
@ -100,29 +138,17 @@
|
|||
insertJSONRestResponse();
|
||||
}
|
||||
});
|
||||
var thread = null;
|
||||
$('#ServerUrl').keyup(function() {
|
||||
clearTimeout(thread);
|
||||
var $this = $(this);
|
||||
var payload = {
|
||||
"url": $('#ServerUrl').val()
|
||||
};
|
||||
if (payload) {
|
||||
thread = setTimeout(
|
||||
function() {
|
||||
$.ajax({
|
||||
type: "POST",
|
||||
url: '/servers/getApiInfo',
|
||||
data: payload,
|
||||
success:function (data, textStatus) {
|
||||
$('#apiInfo').html(data);
|
||||
}
|
||||
});
|
||||
},
|
||||
1000
|
||||
);
|
||||
} else {
|
||||
$('#apiInfo').empty();
|
||||
setApiInfoBox();
|
||||
});
|
||||
$('#TemplateSelect').change(function() {
|
||||
var selected_template = $('#TemplateSelect').val();
|
||||
if (selected_template !== '') {
|
||||
$('#template_description').show();
|
||||
$('#ServerMethod').val('POST');
|
||||
$('#ServerUrl').val(allValidApis[selected_template].url);
|
||||
$('#ServerBody').val(allValidApis[selected_template].body);
|
||||
setApiInfoBox();
|
||||
}
|
||||
});
|
||||
});
|
||||
|
|
|
|||
|
|
@ -1497,5 +1497,31 @@
|
|||
"lookup_visible": false,
|
||||
"headers": ""
|
||||
}
|
||||
},
|
||||
{
|
||||
"Feed": {
|
||||
"id": "75",
|
||||
"name": "ipspamlist",
|
||||
"provider": "ipspamlist",
|
||||
"url": "http:\/\/www.ipspamlist.com\/public_feeds.csv",
|
||||
"rules": "",
|
||||
"enabled": true,
|
||||
"distribution": "3",
|
||||
"sharing_group_id": "0",
|
||||
"tag_id": "0",
|
||||
"default": false,
|
||||
"source_format": "csv",
|
||||
"fixed_event": false,
|
||||
"delta_merge": false,
|
||||
"event_id": "0",
|
||||
"publish": false,
|
||||
"override_ids": false,
|
||||
"settings": "{\"csv\":{\"value\":\"3\",\"delimiter\":\",\"},\"common\":{\"excluderegex\":\"\"}}",
|
||||
"input_source": "network",
|
||||
"delete_local_file": false,
|
||||
"lookup_visible": true,
|
||||
"headers": "",
|
||||
"caching_enabled": true
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
|||
|
|
@ -81,6 +81,9 @@
|
|||
},
|
||||
"headers": {
|
||||
"type": "string"
|
||||
},
|
||||
"caching_enabled": {
|
||||
"type": "boolean"
|
||||
}
|
||||
},
|
||||
"required": [
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
Subproject commit 0acc41131daaedbfdb94c068607c06db6c5ce293
|
||||
Subproject commit 6ab7eac3708f3647abc0b1d8f26ac0647204a3c4
|
||||
|
|
@ -962,7 +962,7 @@ class StixBuilder(object):
|
|||
n_attribute = len(attributes_dict)
|
||||
whois_object = WhoisEntry()
|
||||
for attribute in attributes_dict:
|
||||
if "registrant-" in attribute:
|
||||
if attribute and "registrant-" in attribute:
|
||||
whois_object.registrants = self.fill_whois_registrants(attributes_dict)
|
||||
break
|
||||
if 'registrar' in attributes_dict:
|
||||
|
|
|
|||
|
|
@ -458,7 +458,7 @@ class StixBuilder():
|
|||
if hasattr(attribute, 'Sighting'):
|
||||
for sighting in attribute.Sighting:
|
||||
if sighting['Organisation']['name'] == self.misp_event.Orgc.name and sighting['type'] == "2":
|
||||
indicator_args['valid_until'] = datetime.datetime.fromtimestamp(int(sighting['date_sighting'])).isoformat()
|
||||
indicator_args['valid_until'] = datetime.datetime.fromtimestamp(int(sighting['date_sighting']), datetime.timezone.utc).isoformat()
|
||||
break
|
||||
if hasattr(attribute, 'comment') and attribute.comment:
|
||||
indicator_args['description'] = attribute.comment
|
||||
|
|
|
|||
|
|
@ -251,8 +251,8 @@ class StixParser():
|
|||
if stix_type == 'indicator':
|
||||
if hasattr(o, 'valid_until'):
|
||||
org_uuid = o['created_by_ref'].split('--')[1]
|
||||
attribute['Sighting'] = {'type': '2', 'date_sighting': str(self.getTimestampfromDate(o['valid_until'])),
|
||||
'Organisation': {'uuid': org_uuid, 'name': self.event['identity'][org_uuid]['name']}}
|
||||
attribute['Sighting'] = [{'type': '2', 'date_sighting': str(self.getTimestampfromDate(o['valid_until'])),
|
||||
'Organisation': {'uuid': org_uuid, 'name': self.event['identity'][org_uuid]['name']}}]
|
||||
pattern = o.get('pattern').replace('\\\\', '\\')
|
||||
value = self.parse_pattern_with_data(pattern) if attribute_type in ('malware-sample', 'attachment') else self.parse_pattern(pattern)
|
||||
attribute['to_ids'] = True
|
||||
|
|
|
|||
|
|
@ -2786,6 +2786,41 @@ function runHoverLookup(type, id) {
|
|||
});
|
||||
}
|
||||
|
||||
$(".cortex-json").click(function() {
|
||||
var cortex_data = $(this).data('cortex-json');
|
||||
cortex_data = htmlEncode(JSON.stringify(cortex_data, null, 2));
|
||||
var popupHtml = '<pre class="simplepre">' + cortex_data + '</pre>';
|
||||
popupHtml += '<div class="close-icon useCursorPointer" onClick="closeScreenshot();"></div>';
|
||||
|
||||
});
|
||||
|
||||
|
||||
// add the same as below for click popup
|
||||
$(".eventViewAttributePopup").click(function() {
|
||||
type = $(this).attr('data-object-type');
|
||||
id = $(this).attr('data-object-id');
|
||||
if (!(type + "_" + id in ajaxResults)) {
|
||||
$.ajax({
|
||||
success:function (html) {
|
||||
ajaxResults[type + "_" + id] = html;
|
||||
},
|
||||
cache: false,
|
||||
url:"/attributes/hoverEnrichment/" + id,
|
||||
});
|
||||
}
|
||||
if (type + "_" + id in ajaxResults) {
|
||||
var enrichment_popover = ajaxResults[type + "_" + id];
|
||||
enrichment_popover += '<div class="close-icon useCursorPointer" onClick="closeScreenshot();"></div>';
|
||||
$('#screenshot_box').html(enrichment_popover);
|
||||
$('#screenshot_box').show();
|
||||
$("#gray_out").fadeIn();
|
||||
$('#screenshot_box').css({'padding': '5px'});
|
||||
$('#screenshot_box').css( "maxWidth", ( $( window ).width() * 0.9 | 0 ) + "px" );
|
||||
left = ($(window).width() / 2) - ($('#screenshot_box').width() / 2);
|
||||
$('#screenshot_box').css({'left': left + 'px'});
|
||||
}
|
||||
});
|
||||
|
||||
$(".eventViewAttributeHover").mouseenter(function() {
|
||||
$('.popover').remove();
|
||||
type = $(this).attr('data-object-type');
|
||||
|
|
|
|||
Loading…
Reference in New Issue