mirror of https://github.com/MISP/MISP
noud
parent
b9fb6e95c4
commit
2af02aa100
|
|
@ -72,6 +72,13 @@ class AppSchema extends CakeSchema {
|
|||
'indexes' => array('PRIMARY' => array('column' => 'id', 'unique' => 1), 'uuid' => array('column' => 'uuid', 'unique' => 0), 'info' => array('column' => 'info', 'unique' => 0)),
|
||||
'tableParameters' => array('charset' => 'utf8', 'collate' => 'utf8_bin', 'engine' => 'MyISAM')
|
||||
);
|
||||
public $regex = array(
|
||||
'id' => array('type' => 'integer', 'null' => false, 'default' => NULL, 'key' => 'primary'),
|
||||
'regex' => array('type' => 'string', 'null' => false, 'default' => NULL, 'length' => 255, 'collate' => 'utf8_bin', 'charset' => 'utf8'),
|
||||
'replacement' => array('type' => 'string', 'null' => false, 'default' => NULL, 'length' => 255, 'collate' => 'utf8_bin', 'charset' => 'utf8'),
|
||||
'indexes' => array('PRIMARY' => array('column' => 'id', 'unique' => 1)),
|
||||
'tableParameters' => array('charset' => 'utf8', 'collate' => 'utf8_bin', 'engine' => 'MyISAM')
|
||||
);
|
||||
public $servers = array(
|
||||
'id' => array('type' => 'integer', 'null' => false, 'default' => NULL, 'key' => 'primary'),
|
||||
'url' => array('type' => 'string', 'null' => false, 'default' => NULL, 'collate' => 'utf8_bin', 'charset' => 'utf8'),
|
||||
|
|
|
|||
|
|
@ -1385,7 +1385,6 @@ class EventsController extends AppController {
|
|||
// write content..
|
||||
foreach ($files as $key => $val) {
|
||||
$keyName = $key;
|
||||
$this->replaceWindowsSpecific(&$keyName);
|
||||
|
||||
if (!strpos($key, $realMalware)) {
|
||||
$itsType = 'malware-sample';
|
||||
|
|
@ -1446,7 +1445,6 @@ class EventsController extends AppController {
|
|||
if ($key == 'key_name') $arrayItemKey = (string)$val;
|
||||
if ($key == 'data') $arrayItemValue = (string)$val;
|
||||
}
|
||||
$this->replaceWindowsSpecific(&$arrayItemKey);
|
||||
$regs[$arrayItemKey] = str_replace('(UNICODE_0x00000000)', '', $arrayItemValue);
|
||||
}
|
||||
//$regs = array_unique($regs);
|
||||
|
|
@ -1465,8 +1463,6 @@ class EventsController extends AppController {
|
|||
$itsType = 'regkey|value';
|
||||
$itsValue = $key . '|' . $val;
|
||||
} else {
|
||||
$this->replaceWindowsSpecific(&$val);
|
||||
|
||||
$itsCategory = 'Artifacts dropped'; // Persistence mechanism
|
||||
$itsType = 'regkey|value';
|
||||
$itsValue = $key . '|' . $val;
|
||||
|
|
@ -1481,37 +1477,6 @@ class EventsController extends AppController {
|
|||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Replace Windows specific info in a $string with environment variables en registry keys
|
||||
*
|
||||
* @var string
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function replaceWindowsSpecific($string) {
|
||||
$string = preg_replace('/C:.Users.(\w+).AppData.Local.Temp./', '%TEMP%\\', $string);
|
||||
$string = preg_replace('/C:.Users.(\w+).AppData.Local./', ' %LOCALAPPDATA%\\', $string);
|
||||
$string = preg_replace('/C:.Users.(\w+).AppData.Roaming./', ' %APPDATA%\\', $string);
|
||||
|
||||
$string = preg_replace('/C:.Users.(\w+)./', '%UserProfile%\\', $string);
|
||||
$string = preg_replace('/C:.Documents and Settings.(\w+) (\w+)./', '%UserProfile%\\', $string);
|
||||
$string = preg_replace('/C:.DOCUME~1.(\w+)./', '%UserProfile%\\', $string);
|
||||
|
||||
$string = str_replace('C:\Documents and Settings\All Users', '%AllUsersProfile%', $string);
|
||||
|
||||
// HKEY_CURRENT_USER
|
||||
$string = preg_replace('@\\\REGISTRY\\\USER\\\S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{9}){1}(-[0-9]{10}){1}-[0-9]{9}-[0-9]{4}@','HKCU', $string);
|
||||
$string = preg_replace('@\\\REGISTRY\\\USER\\\S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){2}-[0-9]{9}-[0-9]{4}@','HKCU', $string);
|
||||
$string = preg_replace('@\\\REGISTRY\\\USER\\\S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){3}-[0-9]{4}@','HKCU', $string);
|
||||
// HKEY_LOCAL_MACHINE
|
||||
$string = preg_replace('@\\\REGISTRY\\\MACHINE\\\@','HKLM\\', $string);
|
||||
$string = preg_replace('@\\\Registry\\\Machine\\\@','HKLM\\', $string);
|
||||
|
||||
// TODO registry \REGISTRY\A\{52A5DC92-9452-11E1-804B-000C29C043FE}\DefaultObjectStore\LruList\0000000000001DFF
|
||||
|
||||
return $string;
|
||||
}
|
||||
|
||||
public function strposarray($string, $array) {
|
||||
$toReturn = false;
|
||||
foreach ($array as $item) {
|
||||
|
|
|
|||
|
|
@ -0,0 +1,112 @@
|
|||
<?php
|
||||
App::uses('AppController', 'Controller');
|
||||
/**
|
||||
* Logs Controller
|
||||
*
|
||||
* @property Log $Log
|
||||
*/
|
||||
class RegexController extends AppController {
|
||||
|
||||
public $components = array('Security', 'RequestHandler');
|
||||
|
||||
public $paginate = array(
|
||||
'limit' => 60,
|
||||
'order' => array(
|
||||
'Regex.id' => 'ASC'
|
||||
)
|
||||
);
|
||||
public $helpers = array('Js' => array('Jquery'));
|
||||
|
||||
function beforeFilter() {
|
||||
parent::beforeFilter();
|
||||
|
||||
// permit reuse of CSRF tokens on the search page.
|
||||
if ('search' == $this->request->params['action']) {
|
||||
$this->Security->csrfUseOnce = false;
|
||||
}
|
||||
}
|
||||
|
||||
public function isAuthorized($user) {
|
||||
// Admins can access everything
|
||||
if (parent::isAuthorized($user)) {
|
||||
return true;
|
||||
}
|
||||
// the other pages are allowed by logged in users
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* admin_index method
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public function admin_index() {
|
||||
$this->Regex->recursive = 0;
|
||||
$this->set('regexs', $this->paginate());
|
||||
}
|
||||
|
||||
/**
|
||||
* add method
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public function admin_add() {
|
||||
if ($this->request->is('post')) {
|
||||
$this->Regex->create();
|
||||
if ($this->Regex->save($this->request->data)) {
|
||||
$this->Session->setFlash(__('The regex has been saved'));
|
||||
$this->redirect(array('action' => 'index'));
|
||||
} else {
|
||||
$this->Session->setFlash(__('The regex could not be saved. Please, try again.'));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* edit method
|
||||
*
|
||||
* @param string $id
|
||||
* @return void
|
||||
* @throws NotFoundException
|
||||
*/
|
||||
public function admin_edit($id = null) {
|
||||
$this->Regex->id = $id;
|
||||
if (!$this->Regex->exists()) {
|
||||
throw new NotFoundException(__('Invalid whitelist'));
|
||||
}
|
||||
if ($this->request->is('post') || $this->request->is('put')) {
|
||||
if ($this->Regex->save($this->request->data)) {
|
||||
$this->Session->setFlash(__('The regex has been saved'));
|
||||
$this->redirect(array('action' => 'index'));
|
||||
} else {
|
||||
$this->Session->setFlash(__('The regex could not be saved. Please, try again.'));
|
||||
}
|
||||
} else {
|
||||
$this->request->data = $this->Regex->read(null, $id);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* delete method
|
||||
*
|
||||
* @param string $id
|
||||
* @return void
|
||||
* @throws MethodNotAllowedException
|
||||
* @throws NotFoundException
|
||||
*/
|
||||
public function admin_delete($id = null) {
|
||||
if (!$this->request->is('post')) {
|
||||
throw new MethodNotAllowedException();
|
||||
}
|
||||
$this->Regex->id = $id;
|
||||
if (!$this->Regex->exists()) {
|
||||
throw new NotFoundException(__('Invalid regex'));
|
||||
}
|
||||
if ($this->Regex->delete()) {
|
||||
$this->Session->setFlash(__('Regex deleted'));
|
||||
$this->redirect(array('action' => 'index'));
|
||||
}
|
||||
$this->Session->setFlash(__('Regex was not deleted'));
|
||||
$this->redirect(array('action' => 'index'));
|
||||
}
|
||||
}
|
||||
|
|
@ -137,6 +137,19 @@ CREATE TABLE `logs` (
|
|||
|
||||
-- --------------------------------------------------------
|
||||
|
||||
--
|
||||
-- Table structure for table `regex`
|
||||
--
|
||||
|
||||
CREATE TABLE `regex` (
|
||||
`id` int(11) NOT NULL AUTO_INCREMENT,
|
||||
`regex` varchar(255) COLLATE utf8_bin NOT NULL,
|
||||
`replacement` varchar(255) COLLATE utf8_bin NOT NULL,
|
||||
PRIMARY KEY (`id`)
|
||||
) ENGINE=MyISAM AUTO_INCREMENT=16 DEFAULT CHARSET=utf8 COLLATE=utf8_bin;
|
||||
|
||||
-- --------------------------------------------------------
|
||||
|
||||
--
|
||||
-- Table structure for table `servers`
|
||||
--
|
||||
|
|
@ -197,4 +210,5 @@ CREATE TABLE `whitelist` (
|
|||
-- Dumping data for table `users`
|
||||
--
|
||||
|
||||
INSERT INTO `users` (`id`, `password`, `org`, `email`, `autoalert`, `authkey`, `invited_by`, `gpgkey`, `nids_sid`, `termsaccepted`, `newsread`, `group_id`) VALUES(1, 'babc86e0869015b3f0b4d48ca48700d3a9d1b9d7', 'ADMIN', 'admin@admin.test', 0, 'vlf4o42bYSVVWLm28jLB85my4HBZWXTri8vGdySb', 1, '', 4000000, 0, '2012-03-13', '');
|
||||
INSERT INTO `users` (`id`, `password`, `org`, `email`, `autoalert`, `authkey`, `invited_by`, `gpgkey`, `nids_sid`, `termsaccepted`, `newsread`, `group_id`) VALUES(1, 'babc86e0869015b3f0b4d48ca48700d3a9d1b9d7', 'ADMIN', 'admin@admin.test', 0, 'vlf4o42bYSVVWLm28jLB85my4HBZWXTri8vGdySb', 1, '', 4000000, 0, '2012-03-13', '');
|
||||
INSERT INTO `regex` (`id`, `regex`, `replacement`) VALUES (1,'/C:.Users.(\\w+).AppData.Local.Temp./','%TEMP%\\\\'),(3,'/C:.Users.(\\w+).AppData.Local./','%LOCALAPPDATA%\\\\'),(4,'/C:.Users.(\\w+).AppData.Roaming./','%APPDATA%\\\\'),(5,'/C:.Users.(\\w+)./','%UserProfile%\\\\'),(6,'/C:.Documents and Settings.(\\w+) (\\w+)./','%UserProfile%\\\\'),(7,'/C:.DOCUME~1.(\\w+)./','%UserProfile%\\\\'),(8,'/C:.Documents and Settings.All Users/','%AllUsersProfile%'),(9,'/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{9}){1}(-[0-9]{10}){1}-[0-9]{9}-[0-9]{4}/','HKCU'),(10,'@.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){2}-[0-9]{9}-[0-9]{4}@','HKCU'),(11,'@.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){3}-[0-9]{4}@','HKCU'),(13,'@.REGISTRY.MACHINE.@','HKLM\\\\'),(14,'@.Registry.Machine.@','HKLM\\\\'),(15,'@%allusers%@','%AllUsers%');
|
||||
|
|
@ -19,7 +19,8 @@ class Attribute extends AppModel {
|
|||
'userModel' => 'User',
|
||||
'userKey' => 'user_id',
|
||||
'change' => 'full'
|
||||
), 'Trim' // => array('fields' => array('value'))
|
||||
), 'Trim'
|
||||
, 'Regex' => array('fields' => array('value', 'value2'))
|
||||
);
|
||||
|
||||
/**
|
||||
|
|
|
|||
|
|
@ -0,0 +1,69 @@
|
|||
<?php
|
||||
|
||||
App::uses('Regex', 'Model');
|
||||
|
||||
/**
|
||||
* Behavior to trim all string fields in a model
|
||||
*
|
||||
* @author noud
|
||||
*
|
||||
*/
|
||||
class RegexBehavior extends ModelBehavior {
|
||||
|
||||
/**
|
||||
*
|
||||
* @param Model $Model
|
||||
* @param unknown_type $settings
|
||||
*/
|
||||
public function setup(Model $Model, $settings = array()) {
|
||||
if (!isset($this->settings[$Model->alias])) {
|
||||
$this->settings[$Model->alias] = array(
|
||||
'fields' => array(),
|
||||
);
|
||||
}
|
||||
$this->settings[$Model->alias] = array_merge(
|
||||
$this->settings[$Model->alias], (array)$settings);
|
||||
}
|
||||
|
||||
/**
|
||||
*
|
||||
* @param $options
|
||||
*/
|
||||
public function beforeValidate(Model $Model, $options = array()) {
|
||||
// process some..
|
||||
$this->regexStringFields(&$Model);
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Trim String Fields
|
||||
*
|
||||
* @param Model $Model
|
||||
* @param unknown_type $array
|
||||
*/
|
||||
public function regexStringFields(Model $Model) {
|
||||
foreach ($Model->data[$Model->name] as $key => &$field) {
|
||||
if (in_array($key, $this->settings[$Model->alias]['fields']) && is_string($field)) {
|
||||
$this->replaceWindowsSpecific($field);
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Replace Windows specific info in a $string with environment variables en registry keys
|
||||
*
|
||||
* @var string
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
public function replaceWindowsSpecific(&$string) {
|
||||
$regex = new Regex();
|
||||
$allRegex = $regex->getAll();
|
||||
foreach($allRegex as $regex) {
|
||||
$string = preg_replace($regex['Regex']['regex'], $regex['Regex']['replacement'], $string);
|
||||
}
|
||||
return $string;
|
||||
}
|
||||
}
|
||||
|
|
@ -14,7 +14,7 @@ class Event extends AppModel {
|
|||
'userModel' => 'User',
|
||||
'userKey' => 'user_id',
|
||||
'change' => 'full'
|
||||
), 'Trim');
|
||||
), 'Trim', 'Regex' => array('fields' => array('info')));
|
||||
|
||||
/**
|
||||
* Display field
|
||||
|
|
|
|||
|
|
@ -0,0 +1,19 @@
|
|||
<?php
|
||||
App::uses('AppModel', 'Model');
|
||||
/**
|
||||
* Log Model
|
||||
*
|
||||
*/
|
||||
class Regex extends AppModel {
|
||||
|
||||
/**
|
||||
* Use table
|
||||
*
|
||||
* @var mixed False or table name
|
||||
*/
|
||||
public $useTable = 'regex';
|
||||
|
||||
public function getAll() {
|
||||
return $this->find('all');
|
||||
}
|
||||
}
|
||||
|
|
@ -22,6 +22,7 @@
|
|||
<?php if($isAdmin): ?>
|
||||
<li> </li>
|
||||
<h3><?php echo __('Administration'); ?></h3>
|
||||
<li><?php echo $this->Html->link(__('Regex', true), array('controller' => 'regex', 'action' => 'index', 'admin' => true)); ?> </li>
|
||||
<li><?php echo $this->Html->link(__('Whitelist', true), array('controller' => 'whitelists', 'action' => 'index', 'admin' => true)); ?> </li>
|
||||
<li> </li>
|
||||
<li><?php echo $this->Html->link(__('New User', true), array('controller' => 'users', 'action' => 'add', 'admin' => true)); ?> </li>
|
||||
|
|
|
|||
|
|
@ -0,0 +1,18 @@
|
|||
<div class="whitelists form">
|
||||
<?php echo $this->Form->create('Regex');?>
|
||||
<fieldset>
|
||||
<legend><?php echo __('Add Regex'); ?></legend>
|
||||
<?php
|
||||
echo $this->Form->input('regex');
|
||||
echo $this->Form->input('replacement');
|
||||
?>
|
||||
</fieldset>
|
||||
<?php echo $this->Form->end(__('Submit'));?>
|
||||
</div>
|
||||
<div class="actions">
|
||||
<h3><?php echo __('Actions'); ?></h3>
|
||||
<ul>
|
||||
|
||||
<li><?php echo $this->Html->link(__('List Regexs'), array('admin' => true, 'action' => 'index'));?></li>
|
||||
</ul>
|
||||
</div>
|
||||
|
|
@ -0,0 +1,20 @@
|
|||
<div class="whitelists form">
|
||||
<?php echo $this->Form->create('Regex');?>
|
||||
<fieldset>
|
||||
<legend><?php echo __('Edit Regex'); ?></legend>
|
||||
<?php
|
||||
echo $this->Form->input('id');
|
||||
echo $this->Form->input('regex');
|
||||
echo $this->Form->input('replacement');
|
||||
?>
|
||||
</fieldset>
|
||||
<?php echo $this->Form->end(__('Submit'));?>
|
||||
</div>
|
||||
<div class="actions">
|
||||
<ul>
|
||||
|
||||
<li><?php echo $this->Form->postLink(__('Delete Regex'), array('admin' => true, 'action' => 'delete', $this->Form->value('Whitelist.id')), null, __('Are you sure you want to delete # %s?', $this->Form->value('Whitelist.id'))); ?></li>
|
||||
<li> </li>
|
||||
<?php echo $this->element('actions_menu'); ?>
|
||||
</ul>
|
||||
</div>
|
||||
|
|
@ -0,0 +1,44 @@
|
|||
<div class="logs index">
|
||||
<h2><?php echo __('Regex');?></h2>
|
||||
<table cellpadding="0" cellspacing="0">
|
||||
<tr>
|
||||
<th><?php echo $this->Paginator->sort('id');?></th>
|
||||
<th><?php echo $this->Paginator->sort('regex');?></th>
|
||||
<th><?php echo $this->Paginator->sort('replacement');?></th>
|
||||
<th class="actions"><?php echo __('Actions');?></th>
|
||||
</tr>
|
||||
<?php
|
||||
foreach ($regexs as $regex): ?>
|
||||
<tr>
|
||||
<td class="short"><?php echo h($regex['Regex']['id']); ?> </td>
|
||||
<td class="short"><?php echo h($regex['Regex']['regex']); ?> </td>
|
||||
<td class="short"><?php echo h($regex['Regex']['replacement']); ?> </td>
|
||||
<td class="actions">
|
||||
<?php echo $this->Html->link(__('Edit'), array('admin' => true, 'action' => 'edit', $regex['Regex']['id'])); ?>
|
||||
<?php echo $this->Form->postLink(__('Delete'), array('admin' => true, 'action' => 'delete', $regex['Regex']['id']), null, __('Are you sure you want to delete # %s?', $regex['Regex']['id'])); ?>
|
||||
</td>
|
||||
</tr>
|
||||
<?php endforeach; ?>
|
||||
</table>
|
||||
<p>
|
||||
<?php
|
||||
echo $this->Paginator->counter(array(
|
||||
'format' => __('Page {:page} of {:pages}, showing {:current} records out of {:count} total, starting on record {:start}, ending on {:end}')
|
||||
));
|
||||
?> </p>
|
||||
|
||||
<div class="paging">
|
||||
<?php
|
||||
echo $this->Paginator->prev('< ' . __('previous'), array(), null, array('class' => 'prev disabled'));
|
||||
echo $this->Paginator->numbers(array('separator' => ''));
|
||||
echo $this->Paginator->next(__('next') . ' >', array(), null, array('class' => 'next disabled'));
|
||||
?>
|
||||
</div>
|
||||
</div>
|
||||
<div class="actions">
|
||||
<ul>
|
||||
<li><?php echo $this->Html->link(__('New Regex'), array('admin' => true, 'action' => 'add')); ?></li>
|
||||
<li> </li>
|
||||
<?php echo $this->element('actions_menu'); ?>
|
||||
</ul>
|
||||
</div>
|
||||
|
|
@ -0,0 +1,54 @@
|
|||
<div class="logs view">
|
||||
<!--div class="actions" style="float:right;">
|
||||
<ul><li><?php echo $this->Html->link(__('Edit Profile', true), array('admin' => true, 'action' => 'edit', $log['Log']['id'])); ?> </li></ul>
|
||||
</div-->
|
||||
<h2><?php echo __('Log');?></h2>
|
||||
<dl>
|
||||
<dt><?php echo __('Id'); ?></dt>
|
||||
<dd>
|
||||
<?php echo h($log['Log']['id']); ?>
|
||||
|
||||
</dd>
|
||||
<!--dt><?php echo __('User'); ?></dt>
|
||||
<dd>
|
||||
<?php echo h($log['Log']['user_id']); ?>
|
||||
|
||||
</dd-->
|
||||
<dt><?php echo __('Org'); ?></dt>
|
||||
<dd>
|
||||
<?php echo h($log['Log']['org']); ?>
|
||||
|
||||
</dd>
|
||||
<dt><?php echo __('Email'); ?></dt>
|
||||
<dd>
|
||||
<?php echo h($log['Log']['email']); ?>
|
||||
|
||||
</dd>
|
||||
<dt><?php echo __('Date'); ?></dt>
|
||||
<dd>
|
||||
<?php echo h($log['Log']['created']); ?>
|
||||
|
||||
</dd>
|
||||
<dt><?php echo __('Action'); ?></dt>
|
||||
<dd>
|
||||
<?php echo h($log['Log']['action']); ?>
|
||||
|
||||
</dd>
|
||||
<dt><?php echo __('Title'); ?></dt>
|
||||
<dd>
|
||||
<?php echo h($log['Log']['title']); ?>
|
||||
|
||||
</dd>
|
||||
<dt><?php echo __('Change'); ?></dt>
|
||||
<dd>
|
||||
<?php echo h($log['Log']['change']); ?>
|
||||
|
||||
</dd>
|
||||
</dl>
|
||||
</div>
|
||||
<div class="actions">
|
||||
<h3><?php echo __('Actions'); ?></h3>
|
||||
<ul>
|
||||
<li><?php echo $this->Html->link(__('List Logs'), array('admin' => true, 'action' => 'index')); ?> </li>
|
||||
</ul>
|
||||
</div>
|
||||
Loading…
Reference in New Issue