diff --git a/app/Config/Schema/schema_0.2.2.1.php b/app/Config/Schema/schema_0.2.2.1.php index db7fd4c4a..40349e492 100755 --- a/app/Config/Schema/schema_0.2.2.1.php +++ b/app/Config/Schema/schema_0.2.2.1.php @@ -72,6 +72,13 @@ class AppSchema extends CakeSchema { 'indexes' => array('PRIMARY' => array('column' => 'id', 'unique' => 1), 'uuid' => array('column' => 'uuid', 'unique' => 0), 'info' => array('column' => 'info', 'unique' => 0)), 'tableParameters' => array('charset' => 'utf8', 'collate' => 'utf8_bin', 'engine' => 'MyISAM') ); + public $regex = array( + 'id' => array('type' => 'integer', 'null' => false, 'default' => NULL, 'key' => 'primary'), + 'regex' => array('type' => 'string', 'null' => false, 'default' => NULL, 'length' => 255, 'collate' => 'utf8_bin', 'charset' => 'utf8'), + 'replacement' => array('type' => 'string', 'null' => false, 'default' => NULL, 'length' => 255, 'collate' => 'utf8_bin', 'charset' => 'utf8'), + 'indexes' => array('PRIMARY' => array('column' => 'id', 'unique' => 1)), + 'tableParameters' => array('charset' => 'utf8', 'collate' => 'utf8_bin', 'engine' => 'MyISAM') + ); public $servers = array( 'id' => array('type' => 'integer', 'null' => false, 'default' => NULL, 'key' => 'primary'), 'url' => array('type' => 'string', 'null' => false, 'default' => NULL, 'collate' => 'utf8_bin', 'charset' => 'utf8'), diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php index 131547199..5ce03af55 100755 --- a/app/Controller/EventsController.php +++ b/app/Controller/EventsController.php @@ -1385,7 +1385,6 @@ class EventsController extends AppController { // write content.. foreach ($files as $key => $val) { $keyName = $key; - $this->replaceWindowsSpecific(&$keyName); if (!strpos($key, $realMalware)) { $itsType = 'malware-sample'; @@ -1446,7 +1445,6 @@ class EventsController extends AppController { if ($key == 'key_name') $arrayItemKey = (string)$val; if ($key == 'data') $arrayItemValue = (string)$val; } - $this->replaceWindowsSpecific(&$arrayItemKey); $regs[$arrayItemKey] = str_replace('(UNICODE_0x00000000)', '', $arrayItemValue); } //$regs = array_unique($regs); @@ -1465,8 +1463,6 @@ class EventsController extends AppController { $itsType = 'regkey|value'; $itsValue = $key . '|' . $val; } else { - $this->replaceWindowsSpecific(&$val); - $itsCategory = 'Artifacts dropped'; // Persistence mechanism $itsType = 'regkey|value'; $itsValue = $key . '|' . $val; @@ -1481,37 +1477,6 @@ class EventsController extends AppController { } } -/** - * Replace Windows specific info in a $string with environment variables en registry keys - * - * @var string - * - * @return string - */ - public function replaceWindowsSpecific($string) { - $string = preg_replace('/C:.Users.(\w+).AppData.Local.Temp./', '%TEMP%\\', $string); - $string = preg_replace('/C:.Users.(\w+).AppData.Local./', ' %LOCALAPPDATA%\\', $string); - $string = preg_replace('/C:.Users.(\w+).AppData.Roaming./', ' %APPDATA%\\', $string); - - $string = preg_replace('/C:.Users.(\w+)./', '%UserProfile%\\', $string); - $string = preg_replace('/C:.Documents and Settings.(\w+) (\w+)./', '%UserProfile%\\', $string); - $string = preg_replace('/C:.DOCUME~1.(\w+)./', '%UserProfile%\\', $string); - - $string = str_replace('C:\Documents and Settings\All Users', '%AllUsersProfile%', $string); - - // HKEY_CURRENT_USER - $string = preg_replace('@\\\REGISTRY\\\USER\\\S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{9}){1}(-[0-9]{10}){1}-[0-9]{9}-[0-9]{4}@','HKCU', $string); - $string = preg_replace('@\\\REGISTRY\\\USER\\\S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){2}-[0-9]{9}-[0-9]{4}@','HKCU', $string); - $string = preg_replace('@\\\REGISTRY\\\USER\\\S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){3}-[0-9]{4}@','HKCU', $string); - // HKEY_LOCAL_MACHINE - $string = preg_replace('@\\\REGISTRY\\\MACHINE\\\@','HKLM\\', $string); - $string = preg_replace('@\\\Registry\\\Machine\\\@','HKLM\\', $string); - - // TODO registry \REGISTRY\A\{52A5DC92-9452-11E1-804B-000C29C043FE}\DefaultObjectStore\LruList\0000000000001DFF - - return $string; - } - public function strposarray($string, $array) { $toReturn = false; foreach ($array as $item) { diff --git a/app/Controller/RegexController.php b/app/Controller/RegexController.php new file mode 100644 index 000000000..a487d5109 --- /dev/null +++ b/app/Controller/RegexController.php @@ -0,0 +1,112 @@ + 60, + 'order' => array( + 'Regex.id' => 'ASC' + ) + ); + public $helpers = array('Js' => array('Jquery')); + + function beforeFilter() { + parent::beforeFilter(); + + // permit reuse of CSRF tokens on the search page. + if ('search' == $this->request->params['action']) { + $this->Security->csrfUseOnce = false; + } + } + + public function isAuthorized($user) { + // Admins can access everything + if (parent::isAuthorized($user)) { + return true; + } + // the other pages are allowed by logged in users + return true; + } + +/** + * admin_index method + * + * @return void + */ + public function admin_index() { + $this->Regex->recursive = 0; + $this->set('regexs', $this->paginate()); + } + +/** + * add method + * + * @return void + */ + public function admin_add() { + if ($this->request->is('post')) { + $this->Regex->create(); + if ($this->Regex->save($this->request->data)) { + $this->Session->setFlash(__('The regex has been saved')); + $this->redirect(array('action' => 'index')); + } else { + $this->Session->setFlash(__('The regex could not be saved. Please, try again.')); + } + } + } + +/** + * edit method + * + * @param string $id + * @return void + * @throws NotFoundException + */ + public function admin_edit($id = null) { + $this->Regex->id = $id; + if (!$this->Regex->exists()) { + throw new NotFoundException(__('Invalid whitelist')); + } + if ($this->request->is('post') || $this->request->is('put')) { + if ($this->Regex->save($this->request->data)) { + $this->Session->setFlash(__('The regex has been saved')); + $this->redirect(array('action' => 'index')); + } else { + $this->Session->setFlash(__('The regex could not be saved. Please, try again.')); + } + } else { + $this->request->data = $this->Regex->read(null, $id); + } + } + +/** + * delete method + * + * @param string $id + * @return void + * @throws MethodNotAllowedException + * @throws NotFoundException + */ + public function admin_delete($id = null) { + if (!$this->request->is('post')) { + throw new MethodNotAllowedException(); + } + $this->Regex->id = $id; + if (!$this->Regex->exists()) { + throw new NotFoundException(__('Invalid regex')); + } + if ($this->Regex->delete()) { + $this->Session->setFlash(__('Regex deleted')); + $this->redirect(array('action' => 'index')); + } + $this->Session->setFlash(__('Regex was not deleted')); + $this->redirect(array('action' => 'index')); + } +} diff --git a/app/MYSQL.txt b/app/MYSQL.txt index 44c3534b9..10a451303 100755 --- a/app/MYSQL.txt +++ b/app/MYSQL.txt @@ -137,6 +137,19 @@ CREATE TABLE `logs` ( -- -------------------------------------------------------- +-- +-- Table structure for table `regex` +-- + +CREATE TABLE `regex` ( + `id` int(11) NOT NULL AUTO_INCREMENT, + `regex` varchar(255) COLLATE utf8_bin NOT NULL, + `replacement` varchar(255) COLLATE utf8_bin NOT NULL, + PRIMARY KEY (`id`) +) ENGINE=MyISAM AUTO_INCREMENT=16 DEFAULT CHARSET=utf8 COLLATE=utf8_bin; + +-- -------------------------------------------------------- + -- -- Table structure for table `servers` -- @@ -197,4 +210,5 @@ CREATE TABLE `whitelist` ( -- Dumping data for table `users` -- -INSERT INTO `users` (`id`, `password`, `org`, `email`, `autoalert`, `authkey`, `invited_by`, `gpgkey`, `nids_sid`, `termsaccepted`, `newsread`, `group_id`) VALUES(1, 'babc86e0869015b3f0b4d48ca48700d3a9d1b9d7', 'ADMIN', 'admin@admin.test', 0, 'vlf4o42bYSVVWLm28jLB85my4HBZWXTri8vGdySb', 1, '', 4000000, 0, '2012-03-13', ''); \ No newline at end of file +INSERT INTO `users` (`id`, `password`, `org`, `email`, `autoalert`, `authkey`, `invited_by`, `gpgkey`, `nids_sid`, `termsaccepted`, `newsread`, `group_id`) VALUES(1, 'babc86e0869015b3f0b4d48ca48700d3a9d1b9d7', 'ADMIN', 'admin@admin.test', 0, 'vlf4o42bYSVVWLm28jLB85my4HBZWXTri8vGdySb', 1, '', 4000000, 0, '2012-03-13', ''); +INSERT INTO `regex` (`id`, `regex`, `replacement`) VALUES (1,'/C:.Users.(\\w+).AppData.Local.Temp./','%TEMP%\\\\'),(3,'/C:.Users.(\\w+).AppData.Local./','%LOCALAPPDATA%\\\\'),(4,'/C:.Users.(\\w+).AppData.Roaming./','%APPDATA%\\\\'),(5,'/C:.Users.(\\w+)./','%UserProfile%\\\\'),(6,'/C:.Documents and Settings.(\\w+) (\\w+)./','%UserProfile%\\\\'),(7,'/C:.DOCUME~1.(\\w+)./','%UserProfile%\\\\'),(8,'/C:.Documents and Settings.All Users/','%AllUsersProfile%'),(9,'/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{9}){1}(-[0-9]{10}){1}-[0-9]{9}-[0-9]{4}/','HKCU'),(10,'@.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){2}-[0-9]{9}-[0-9]{4}@','HKCU'),(11,'@.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){3}-[0-9]{4}@','HKCU'),(13,'@.REGISTRY.MACHINE.@','HKLM\\\\'),(14,'@.Registry.Machine.@','HKLM\\\\'),(15,'@%allusers%@','%AllUsers%'); \ No newline at end of file diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php index 208e9e3c6..10a69f9e2 100644 --- a/app/Model/Attribute.php +++ b/app/Model/Attribute.php @@ -19,7 +19,8 @@ class Attribute extends AppModel { 'userModel' => 'User', 'userKey' => 'user_id', 'change' => 'full' - ), 'Trim' // => array('fields' => array('value')) + ), 'Trim' + , 'Regex' => array('fields' => array('value', 'value2')) ); /** diff --git a/app/Model/Behavior/RegexBehavior.php b/app/Model/Behavior/RegexBehavior.php new file mode 100644 index 000000000..cbc726fda --- /dev/null +++ b/app/Model/Behavior/RegexBehavior.php @@ -0,0 +1,69 @@ +settings[$Model->alias])) { + $this->settings[$Model->alias] = array( + 'fields' => array(), + ); + } + $this->settings[$Model->alias] = array_merge( + $this->settings[$Model->alias], (array)$settings); + } + +/** + * + * @param $options + */ + public function beforeValidate(Model $Model, $options = array()) { + // process some.. + $this->regexStringFields(&$Model); + + return true; + } + +/** + * Trim String Fields + * + * @param Model $Model + * @param unknown_type $array + */ + public function regexStringFields(Model $Model) { + foreach ($Model->data[$Model->name] as $key => &$field) { + if (in_array($key, $this->settings[$Model->alias]['fields']) && is_string($field)) { + $this->replaceWindowsSpecific($field); + } + } + return true; + } + +/** + * Replace Windows specific info in a $string with environment variables en registry keys + * + * @var string + * + * @return string + */ + public function replaceWindowsSpecific(&$string) { + $regex = new Regex(); + $allRegex = $regex->getAll(); + foreach($allRegex as $regex) { + $string = preg_replace($regex['Regex']['regex'], $regex['Regex']['replacement'], $string); + } + return $string; + } +} diff --git a/app/Model/Event.php b/app/Model/Event.php index 4164536c0..3cd234fa3 100644 --- a/app/Model/Event.php +++ b/app/Model/Event.php @@ -14,7 +14,7 @@ class Event extends AppModel { 'userModel' => 'User', 'userKey' => 'user_id', 'change' => 'full' - ), 'Trim'); + ), 'Trim', 'Regex' => array('fields' => array('info'))); /** * Display field diff --git a/app/Model/Regex.php b/app/Model/Regex.php new file mode 100644 index 000000000..d48113d81 --- /dev/null +++ b/app/Model/Regex.php @@ -0,0 +1,19 @@ +find('all'); + } +} \ No newline at end of file diff --git a/app/View/Elements/actions_menu.ctp b/app/View/Elements/actions_menu.ctp index ddaa81028..79873d693 100755 --- a/app/View/Elements/actions_menu.ctp +++ b/app/View/Elements/actions_menu.ctp @@ -22,6 +22,7 @@
  •  

    • +
  • Html->link(__('Regex', true), array('controller' => 'regex', 'action' => 'index', 'admin' => true)); ?>
  • Html->link(__('Whitelist', true), array('controller' => 'whitelists', 'action' => 'index', 'admin' => true)); ?>
  •  
  • Html->link(__('New User', true), array('controller' => 'users', 'action' => 'add', 'admin' => true)); ?>
    • diff --git a/app/View/Regex/admin_add.ctp b/app/View/Regex/admin_add.ctp new file mode 100644 index 000000000..fce11b7b0 --- /dev/null +++ b/app/View/Regex/admin_add.ctp @@ -0,0 +1,18 @@ +
    +Form->create('Regex');?> +
    + + Form->input('regex'); + echo $this->Form->input('replacement'); + ?> +
    +Form->end(__('Submit'));?> +
    +
    +

    + +
    diff --git a/app/View/Regex/admin_edit.ctp b/app/View/Regex/admin_edit.ctp new file mode 100644 index 000000000..d74695f23 --- /dev/null +++ b/app/View/Regex/admin_edit.ctp @@ -0,0 +1,20 @@ +
    +Form->create('Regex');?> +
    + + Form->input('id'); + echo $this->Form->input('regex'); + echo $this->Form->input('replacement'); + ?> +
    +Form->end(__('Submit'));?> +
    +
    + +
    \ No newline at end of file diff --git a/app/View/Regex/admin_index.ctp b/app/View/Regex/admin_index.ctp new file mode 100644 index 000000000..2dba46d6a --- /dev/null +++ b/app/View/Regex/admin_index.ctp @@ -0,0 +1,44 @@ +
    +

    + + + + + + + + + + + + + + + +
    Paginator->sort('id');?>Paginator->sort('regex');?>Paginator->sort('replacement');?>
        + Html->link(__('Edit'), array('admin' => true, 'action' => 'edit', $regex['Regex']['id'])); ?> + Form->postLink(__('Delete'), array('admin' => true, 'action' => 'delete', $regex['Regex']['id']), null, __('Are you sure you want to delete # %s?', $regex['Regex']['id'])); ?> +
    +

    + Paginator->counter(array( + 'format' => __('Page {:page} of {:pages}, showing {:current} records out of {:count} total, starting on record {:start}, ending on {:end}') + )); + ?>

    + +
    + Paginator->prev('< ' . __('previous'), array(), null, array('class' => 'prev disabled')); + echo $this->Paginator->numbers(array('separator' => '')); + echo $this->Paginator->next(__('next') . ' >', array(), null, array('class' => 'next disabled')); + ?> +
    +
    +
    + +
    diff --git a/app/View/Regex/admin_view.ctp b/app/View/Regex/admin_view.ctp new file mode 100644 index 000000000..5654cb4f3 --- /dev/null +++ b/app/View/Regex/admin_view.ctp @@ -0,0 +1,54 @@ +
    + +

    +
    +
    +
    + +   +
    + +
    +
    + +   +
    +
    +
    + +   +
    +
    +
    + +   +
    +
    +
    + +   +
    +
    +
    + +   +
    +
    +
    + +   +
    +
    +
    +
    +

    + +
    \ No newline at end of file