diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index c4dd85ded..fe3eb8870 100755
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php
@@ -1334,10 +1334,12 @@ class EventsController extends AppController {
 // csv function
 // Usage: csv($key, $eventid) - key can be a valid auth key or the string 'download'. Download requires the user to be logged in interactively and will generate a .csv file
 // $eventid can be one of 3 options: left empty it will get all the visible to_ids attributes,
- public function csv($key, $eventid=0, $ignore=0, $tags = '') {
+ public function csv($key, $eventid=0, $ignore=0, $tags = '', $category=null, $type=null) {
+ if ($category == 'null') $category = null;
+ if ($type == 'null') $type = null;
+ if ($tags == 'null') $tags = '';
 if ($tags != '') $tags = str_replace(';', ':', $tags);
 $list = array();
-
 if ($key != 'download') {
 // check if the key is valid -> search for users based on key
 $user = $this->checkAuthUser($key);
@@ -1353,14 +1355,13 @@ class EventsController extends AppController {
 $isSiteAdmin = $this->_isSiteAdmin();
 $org = $this->Auth->user('org');
 }
-
 // if it's a search, grab the attributeIDList from the session and get the IDs from it. Use those as the condition
 // We don't need to look out for permissions since that's filtered by the search itself
 // We just want all the attributes found by the search
 if ($eventid === 'search') {
 $list = $this->Session->read('search_find_attributeidlist');
 }
- $attributes = $this->Event->csv($org, $isSiteAdmin, $eventid, $ignore, $list, $tags);
+ $attributes = $this->Event->csv($org, $isSiteAdmin, $eventid, $ignore, $list, $tags, $category, $type);
 $this->loadModel('Whitelist');
 $final = array();
 $attributes = $this->Whitelist->removeWhitelistedFromArray($attributes, true);
diff --git a/app/Model/Event.php b/app/Model/Event.php
index 5af9622ca..5bfc32998 100755
--- a/app/Model/Event.php
+++ b/app/Model/Event.php
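Review bot: The `'null'` sentinel handling added at the top of csv() uses loose `==`, and the usage comment directly above the signature still documents only `$key` and `$eventid`, so the new `$category` and `$type` parameters and the "pass the literal string 'null' to skip a positional segment" convention are undocumented. Prefer `if ($category === 'null') $category = null;` (likewise for `$type` and `$tags`) and extend the comment, e.g. `// $tags, $category and $type are optional filters; the literal string 'null' means "not set" so later positional parameters can still be given`. The values are forwarded to the model unchecked; validating them here against the known attribute category/type lists would turn a typo into a clear error instead of an empty CSV. The automation view changed in this same commit lists the parameters as `[tags]/[type]`, while its example URL and this signature order them tags, category, type, so that line should be corrected too. csv()'s body continues outside the hunk.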
@@ -941,9 +941,8 @@ class Event extends AppModel {
 }
 return $results;
 }
- public function csv($org, $isSiteAdmin, $eventid=0, $ignore=0, $attributeIDList = array(), $tags = '') {
+ public function csv($org, $isSiteAdmin, $eventid=0, $ignore=0, $attributeIDList = array(), $tags = '', $category = null, $type = null) {
 $final = array();
- $attributeList = array();
 $conditions = array();
 $econditions = array();
@@ -997,6 +996,15 @@ class Event extends AppModel {
 if ($ignore == 0) {
 $conditions['AND'][] = array('Attribute.to_ids =' => 1);
 }
+
+ if ($type!=null) {
+ $conditions['AND'][] = array('Attribute.type' => $type);
+ }
+
+ if ($category!=null) {
+ $conditions['AND'][] = array('Attribute.category' => $category);
+ }
+
 if (!$isSiteAdmin) {
 $temp = array();
 $distribution = array();
@@ -1015,9 +1023,8 @@ class Event extends AppModel {
 'fields' => array('Attribute.event_id', 'Attribute.distribution', 'Attribute.category', 'Attribute.type', 'Attribute.value', 'Attribute.uuid'),
 );
 $attributes = $this->Attribute->find('all', $params);
- foreach ($attributes as $attribute) {
- $attribute['Attribute']['value'] = str_replace("\r", "", $attribute['Attribute']['value']);
- $attribute['Attribute']['value'] = str_replace("\n", "", $attribute['Attribute']['value']);
+ foreach ($attributes as &$attribute) {
+ $attribute['Attribute']['value'] = str_replace(array("\r\n", "\n", "\r"), "", $attribute['Attribute']['value']);
 }
 return $attributes;
 }
diff --git a/app/View/Events/automation.ctp b/app/View/Events/automation.ctp
index 6878015c5..095cf01dd 100644
--- a/app/View/Events/automation.ctp
+++ b/app/View/Events/automation.ctp
@@ -18,9 +18,18 @@ You can Html->link('reset', array('controller' => 'users', 'ac
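Review bot: The widened csv() signature has no docblock, so a caller cannot tell that `$category` and `$type` are exact-match filters on the attribute record or that `null` disables them, nor that the `'null'` string sentinel is resolved by the controller and not here. A short docblock above the signature stating the meaning of each parameter and the "null = no filter" contract would prevent other call sites from passing the literal string through. csv()'s body continues past the end of this hunk.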
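Review bot: The new guards `if ($type!=null)` and `if ($category!=null)` use loose comparison, so an empty-string filter is silently treated as "no filter" while any other string goes straight into the find conditions; `if ($type !== null)` (same for `$category`) states the intent precisely. Because these values originate from URL path segments, whitelisting them against the attribute type and category definitions before they reach the query would be worthwhile — the array-form conditions are presumably value-escaped by the ORM, so the concern is correctness (an unknown value quietly yields an empty export) rather than injection, but the model currently cannot distinguish the two. The enclosing csv() body starts and ends outside this hunk.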
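Review bot: The loop now iterates by reference (`foreach ($attributes as &$attribute)`) but `$attribute` is never unset afterwards; the function returns immediately so nothing aliases it today, yet any later edit that reuses `$attribute` below the loop would silently overwrite the last element. Add `unset($attribute);` on the line after the loop's closing brace. Removing CR/LF only takes care of line breaks; a value containing the CSV delimiter or quote characters still has to be handled where the CSV rows are assembled, which is outside this hunk.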
/events/xml/download/1

The xml download also accepts two additional (optional) parameters: a boolean field that determines whether attachments should be encoded and a second parameter that controls the eligible tags. To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a '!'. You can also chain several tag commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:

/events/xml/download/null/true/tag1&&tag2&&!tag3
-

Also check out the Html->link(__('User Guide', true), array('controller' => 'pages', 'action' => 'display', 'using_the_system', '#' => 'rest')); ?> to read about the REST API.

+

Also check out the User Guide to read about the REST API.

- +

CSV Export

+

An automatic export of attributes is available as CSV. Only attributes that are flagged "to_ids" will get exported.

+

You can configure your tools to automatically download the following file:

+
/events/csv/download/
+

You can specify additional flags for CSV exports as follows::

+
/events/csv/download/[event_id]/[event_id_ignore]/[tags]/[type]
+

For example, to only download a csv generated of the "domain" type and the "Network Activity" category attributes all events except for the one with ID 7 and further restricting it to events that are tagged "tag1" or "tag2" but not "tag3", use the following syntax:

+
/events/csv/download/0/7/tag1&&tag2&&!tag3/Network%20Activity/domain
+

To export the attributes of all events that are of the type "domain", use the following syntax:

+
/events/csv/download/0/0/null/null/domain

NIDS rules export

Automatic export of all network related attributes is available under the Snort rule format. Only published events and attributes marked as IDS Signature are exported.

You can configure your tools to automatically download the following file: