mirror of https://github.com/MISP/MISP
start of different structure for multiple rule-formats
Christophe Vandeplas
parent
d7c1e2b10e
commit
29a0f30041
|
|
@ -6,7 +6,11 @@ class NidsExportComponent extends Component {
|
|||
|
||||
public $classtype = 'trojan-activity';
|
||||
|
||||
public $format = ""; // suricata (default), snort
|
||||
|
||||
public function explain() {
|
||||
$this->rules[] = '# MISP export of IDS rules - optimized for '.$this->format;
|
||||
$this->rules[] = '#';
|
||||
$this->rules[] = '# These NIDS rules contain some variables that need to exist in your configuration.';
|
||||
$this->rules[] = '# Make sure you have set:';
|
||||
$this->rules[] = '#';
|
||||
|
|
@ -19,12 +23,15 @@ class NidsExportComponent extends Component {
|
|||
|
||||
private $whitelist = null;
|
||||
|
||||
public function export($items, $startSid) {
|
||||
|
||||
public function export($items, $startSid, $format="suricata") {
|
||||
$this->format = $format;
|
||||
$this->Whitelist = ClassRegistry::init('Whitelist');
|
||||
$this->whitelist = $this->Whitelist->getBlockedValues();
|
||||
|
||||
// output a short explanation
|
||||
$this->explain();
|
||||
|
||||
// generate the rules
|
||||
foreach ($items as &$item) {
|
||||
switch ($item['Event']['risk']) {
|
||||
case 'Undefined':
|
||||
|
|
@ -238,7 +245,7 @@ class NidsExportComponent extends Component {
|
|||
'any', // dst_ip
|
||||
'53', // dst_port
|
||||
'Hostname: ' . $attribute['value'], // msg
|
||||
$content, // rule_content
|
||||
$content. ' flow:established;', // rule_content
|
||||
'', // tag
|
||||
$sid, // sid
|
||||
1 // rev
|
||||
|
|
@ -246,7 +253,7 @@ class NidsExportComponent extends Component {
|
|||
$sid++;
|
||||
// also do http requests
|
||||
// warning: only suricata compatible
|
||||
$content = 'flow:to_server,established; content: "Host: ' . $attribute['value'] . '"; nocase; http_header; pcre: "/[^A-Za-z0-9-]' . preg_quote($attribute['value']) . '[^A-Za-z0-9-]/";';
|
||||
$content = 'flow:to_server,established; content: "Host: ' . $attribute['value'] . '"; nocase; http_header; pcre: "/[^A-Za-z0-9-]' . preg_quote($attribute['value']) . '[^A-Za-z0-9-]/H";';
|
||||
$this->rules[] = sprintf($ruleFormat,
|
||||
($overruled) ? '#OVERRULED BY WHITELIST# ' : '',
|
||||
'http', // proto
|
||||
|
|
@ -290,7 +297,7 @@ class NidsExportComponent extends Component {
|
|||
'any', // dst_ip
|
||||
'53', // dst_port
|
||||
'Domain: ' . $attribute['value'], // msg
|
||||
$content, // rule_content
|
||||
$content. ' flow:established;', // rule_content
|
||||
'', // tag
|
||||
$sid, // sid
|
||||
1 // rev
|
||||
|
|
@ -298,7 +305,7 @@ class NidsExportComponent extends Component {
|
|||
$sid++;
|
||||
// also do http requests,
|
||||
// warning: only suricata compatible
|
||||
$content = 'flow:to_server,established; content: "Host:"; nocase; http_header; content:"' . $attribute['value'] . '"; nocase; http_header; pcre: "/[^A-Za-z0-9-]' . preg_quote($attribute['value']) . '[^A-Za-z0-9-]/";';
|
||||
$content = 'flow:to_server,established; content: "Host:"; nocase; http_header; content:"' . $attribute['value'] . '"; nocase; http_header; pcre: "/[^A-Za-z0-9-]' . preg_quote($attribute['value']) . '[^A-Za-z0-9-]/H";';
|
||||
$this->rules[] = sprintf($ruleFormat,
|
||||
($overruled) ? '#OVERRULED BY WHITELIST# ' : '',
|
||||
'http', // proto
|
||||
|
|
@ -438,7 +445,7 @@ class NidsExportComponent extends Component {
|
|||
}
|
||||
// put all together
|
||||
$rawName .= '(0)';
|
||||
// and append |00| to terminate the name
|
||||
// and append (0) to terminate the name
|
||||
return $rawName;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -0,0 +1,16 @@
|
|||
<?php
|
||||
|
||||
App::uses('NidsExportComponent', 'Controller/Component');
|
||||
|
||||
|
||||
class NidsSuricataExportComponent extends NidsExportComponent {
|
||||
|
||||
public function export($items, $startSid) {
|
||||
// set the specific format
|
||||
$this->format = 'suricata';
|
||||
// call the generic function
|
||||
return parent::export(&$items, $startSid);
|
||||
}
|
||||
|
||||
|
||||
}
|
||||
|
|
@ -20,7 +20,7 @@ class EventsController extends AppController {
|
|||
'RequestHandler',
|
||||
'HidsMd5Export',
|
||||
'HidsSha1Export',
|
||||
'NidsExport',
|
||||
'NidsSuricataExport',
|
||||
'IOCExport',
|
||||
'IOCImport'
|
||||
);
|
||||
|
|
@ -264,7 +264,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
$this->Session->write('pivot_thread', $pivot);
|
||||
}
|
||||
|
||||
|
||||
private function __insertPivot($pivot, $oldId, $newPivot, $depth) {
|
||||
$depth++;
|
||||
if ($pivot['id'] == $oldId) {
|
||||
|
|
@ -277,7 +277,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
return $pivot;
|
||||
}
|
||||
|
||||
|
||||
private function __checkForPivot($pivot, $id) {
|
||||
if ($id == $pivot['id']) return true;
|
||||
foreach ($pivot['children'] as $k => $v) {
|
||||
|
|
@ -287,7 +287,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
private function __arrangePivotVertical(&$pivot) {
|
||||
if (empty($pivot)) return null;
|
||||
$max = count($pivot['children']) - 1;
|
||||
|
|
@ -301,7 +301,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
return $temp;
|
||||
}
|
||||
|
||||
|
||||
public function removePivot($id, $eventId, $self = false) {
|
||||
$pivot = $this->Session->read('pivot_thread');
|
||||
if ($pivot['id'] == $id) {
|
||||
|
|
@ -315,7 +315,7 @@ class EventsController extends AppController {
|
|||
$pivot = $this->__arrangePivotVertical($pivot);
|
||||
$this->redirect(array('controller' => 'events', 'action' => 'view', $eventId, true, $eventId));
|
||||
}
|
||||
|
||||
|
||||
private function __removeChildren(&$pivot, $id) {
|
||||
if ($pivot['id'] == $id) {
|
||||
$pivot['children'] = array();
|
||||
|
|
@ -325,7 +325,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
private function __doRemove(&$pivot, $id) {
|
||||
foreach ($pivot['children'] as $k => $v) {
|
||||
if ($v['id'] == $id) {
|
||||
|
|
@ -337,7 +337,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
return $pivot;
|
||||
}
|
||||
|
||||
|
||||
private function __setDeletable(&$pivot, $id, $root=false) {
|
||||
if ($pivot['id'] == $id && !$root) {
|
||||
$pivot['deletable'] = false;
|
||||
|
|
@ -350,7 +350,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
return !$pivot['deletable'];
|
||||
}
|
||||
|
||||
|
||||
/*
|
||||
public function view($id = null) {
|
||||
// If the length of the id provided is 36 then it is most likely a Uuid - find the id of the event, change $id to it and proceed to read the event as if the ID was entered.
|
||||
|
|
@ -1494,7 +1494,7 @@ class EventsController extends AppController {
|
|||
} else {
|
||||
$conditions = array();
|
||||
}
|
||||
// if we come from automation, we may not be logged in - instead we used an auth key in the URL.
|
||||
// if we come from automation, we may not be logged in - instead we used an auth key in the URL.
|
||||
if (!empty($orgFromFetch)) {
|
||||
$org = $orgFromFetch;
|
||||
if ($orgFromFetch == 'ADMIN') $isSiteAdmin = true;
|
||||
|
|
@ -1503,7 +1503,7 @@ class EventsController extends AppController {
|
|||
$org = $this->_checkOrg();
|
||||
$isSiteAdmin = $this->_isSiteAdmin();
|
||||
}
|
||||
|
||||
|
||||
$conditionsAttributes = array();
|
||||
$conditionsShadowAttributes = array();
|
||||
//restricting to non-private or same org if the user is not a site-admin.
|
||||
|
|
@ -1526,7 +1526,7 @@ class EventsController extends AppController {
|
|||
array('ShadowAttribute.org LIKE' => $org),
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
if ($idList) {
|
||||
$conditions['AND'][] = array('Event.id' => $idList);
|
||||
}
|
||||
|
|
@ -1623,7 +1623,9 @@ class EventsController extends AppController {
|
|||
unset($this->Attribute->virtualFields['category_order']); // not needed for IDS export and speeds things up
|
||||
$items = $this->Attribute->find('all', $params);
|
||||
|
||||
$rules = $this->NidsExport->export($items, $user['User']['nids_sid']);
|
||||
// TODO chri - export depending of the requested type
|
||||
$rules = $this->NidsSuricataExport->export(&$items, $user['User']['nids_sid']);
|
||||
|
||||
$this->set('rules', $rules);
|
||||
}
|
||||
|
||||
|
|
@ -2205,7 +2207,7 @@ class EventsController extends AppController {
|
|||
// add the values as specified in the 2nd parameter to the conditions
|
||||
$values = explode('&&', $value);
|
||||
$parameters = array('value', 'type', 'category', 'org');
|
||||
|
||||
|
||||
foreach ($parameters as $k => $param) {
|
||||
if (isset(${$parameters[$k]})) {
|
||||
$elements = explode('&&', ${$parameters[$k]});
|
||||
|
|
@ -2220,9 +2222,9 @@ class EventsController extends AppController {
|
|||
$subcondition = array();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
// If we are looking for an attribute, we want to retrieve some extra data about the event to be able to check for the permissions.
|
||||
|
||||
|
||||
if (!$user['User']['siteAdmin']) {
|
||||
$temp = array();
|
||||
$temp['AND'] = array('Event.distribution >' => 0, 'Attribute.distribution >' => 0);
|
||||
|
|
@ -2230,7 +2232,7 @@ class EventsController extends AppController {
|
|||
$subcondition['OR'][] = array('Event.org' => $user['User']['org']);
|
||||
array_push($conditions['AND'], $subcondition);
|
||||
}
|
||||
|
||||
|
||||
$params = array(
|
||||
'conditions' => $conditions,
|
||||
'fields' => array('Attribute.event_id'),
|
||||
|
|
@ -2249,7 +2251,7 @@ class EventsController extends AppController {
|
|||
$results = $this->Whitelist->removeWhitelistedFromArray($results, true);
|
||||
$this->set('results', $results);
|
||||
}
|
||||
|
||||
|
||||
public function downloadOpenIOCEvent($eventid) {
|
||||
|
||||
// return a downloadable text file called misp.openIOC.<eventId>.ioc for individual events
|
||||
|
|
|
|||
Loading…
Reference in New Issue