Regexp validation

- an invalid regexp entry could block any event/attribute from being
  entered. Introduced a check on regexp entry to block faulty patterns.
pull/63/head
Andras Iklody 2013-03-07 15:19:55 +01:00
parent 83294820bf
commit 3646bca059
2 changed files with 82 additions and 37 deletions

@ -1,24 +1,31 @@
<?php
App::uses('AppModel', 'Model');
/**
* Regexp Model
*
*/
class Regexp extends AppModel {
<?php
App::uses('AppModel', 'Model');
/**
* Regexp Model
*
*/
class Regexp extends AppModel {
public $actsAs = array(
'SysLogLogable.SysLogLogable' => array( // TODO Audit, logable
'roleModel' => 'Role',
'roleKey' => 'role_id',
'change' => 'full'
),
);
/**
* Use table
*
* @var mixed False or table name
*/
public $useTable = 'regexp';
);
/**
* Use table
*
* @var mixed False or table name
*/
public $useTable = 'regexp';
// this checks whether the regexp would fail and if yes, the entry is blocked from being entered.
public function beforeValidate($options = array()) {
$test = preg_replace($this->data['Regexp']['regexp'], 'success', $this->data['Regexp']['regexp']);
if ($test == null) return false;
return true;
}
}
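Review bot: in `beforeValidate`, `if ($test == null) return false;` uses loose comparison; `preg_replace()` returns `null` only when the pattern fails to compile, so `$test === null` states the intent precisely (with `==`, an empty-string result would also be treated as a failure). A pattern that does not compile also makes `preg_replace()` raise an E_WARNING, which CakePHP surfaces in debug mode, so either suppress that call or use a plain compile probe such as `@preg_match($pattern, '') === false`, and guard `$this->data['Regexp']['regexp']` with `isset()` before reading it. Returning `false` from `beforeValidate` fails the save without any field-level message; `$this->invalidate('regexp', 'Invalid regular expression')` (or a validation rule on the field) would tell the administrator why the entry was refused, and the method should call `parent::beforeValidate($options)`. The comment above the function could state why the check matters, as the commit message does: one stored pattern that fails to compile would otherwise break the regexp pass on every subsequent event and attribute entry.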

@ -5,21 +5,27 @@
3. <?php echo $this->Html->link(__('Using the system', true), array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?><br />
4. <?php echo $this->Html->link(__('Administration', true), array('controller' => 'pages', 'action' => 'display', 'administration')); ?><br />
<ul>
<li>a. <a href="#regexp">Import Regexp</a></li>
<li>b. <a href="#whitelist">Signature Whitelist</a></li>
<li>c. <a href="#user">User Management</a></li>
<li>d. <a href="#roles">Role Management</a></li>
<li>e. <a href="#logs">Logging</a></li>
<li>a. <a href="#blacklist">Blacklist</a></li>
<li>b. <a href="#regexp">Import Regexp</a></li>
<li>c. <a href="#whitelist">Signature Whitelist</a></li>
<li>d. <a href="#user">User Management</a></li>
<li>e. <a href="#roles">Role Management</a></li>
<li>f. <a href="#logs">Logging</a></li>
</ul>
5. <?php echo $this->Html->link(__('Categories and Types', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>
<br /><br /><hr /><br />
<h2><a name ="regexp"></a>Import Regexp</h2>
The system allows administrators to set up rules for regular expressions that will automatically altered newly entered or imported events (from GFI Sandbox).<br /><br />
<h3>The purpose of Import Regexp entries</h3>
They can be used for several things, such as unifying the capitalisation of file paths for more accurate event correlation or to automatically censor the usernames and standardise the file paths (changing C:\Users\UserName\Appdata\Roaming\file.exe to %APPDATA%\Roaming\file.exe).<br />
The second use is blocking, if just the regexp is given and no replacement, any event or attribute containing info or value conform the regexp will not be added.<br /><br />
<h2><a name ="blacklist"></a>Import Blacklist</h2>
It is possible to ban certain values from ever being entered into the system via an event info field or an attribute value. This is done by blacklisting the value in this section.<br /><br />
<h3>Adding and modifying entries</h3>
Administrators can add, edit or delete Import Regexp rules, which are made up of a regexp pattern that the system searches for and a replacement for the detected pattern.<br /><br />
Administrators can add, edit or delete blacklisted items by using the appropriate functions in the list's action menu and the menu on the left.<br />
<br /><hr /><br />
<h2><a name ="regexp"></a>Import Regexp</h2>
The system allows administrators to set up rules for regular expressions that will automatically alter newly entered or imported events (from GFI Sandbox).<br /><br />
<h3>The purpose of Import Regexp entries</h3>
They can be used for several things, such as unifying the capitalisation of file paths for more accurate event correlation or to automatically censor the usernames and use system path variable names (changing C:\Users\UserName\Appdata\Roaming\file.exe to %APPDATA%\file.exe).<br />
The second use is blocking, if a regular expression is entered with a blank replacement, any event info or attribute value containing the expression will not be added. Please make sure the entered regexp expression follows the preg_replace pattern rules as described <a href="http://php.net/manual/en/function.preg-replace.php">here</a>.<br /><br />
<h3>Adding and modifying entries</h3>
Administrators can add, edit or delete regular expression rules, which are made up of a regex pattern that the system searches for and a replacement for the detected pattern.<br /><br />
<p><img src="/img/doc/regexp.png" alt = "" title = "Add, edit or remove Regexp entries that will affect all newly created attributes here."/></p><br />
<br /><hr /><br />
<h2><a name ="whitelist"></a>Managing the Signature whitelist</h2>
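Review bot: the new section heading reads `Import Blacklist` while the menu entry added at the top of this hunk links to it as `Blacklist`; use one label so readers can match the menu to the section. The added screenshot `<img src="/img/doc/regexp.png" alt = "" .../>` has an empty `alt` while the other documentation images carry one; give it a short description. Since the model change in this commit refuses patterns that fail to compile, the sentence pointing readers to the preg_replace pattern rules could also say that such an entry is rejected on save, so administrators understand why a save fails.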
@ -31,7 +37,7 @@ The signature whitelist view, accessible through the administration menu on the
<img src="/img/doc/whitelist.png" alt = "Whitelist" title = "You can edit or delete currently white-listed addresses using the action buttons on this list."/><br /><br />
<br /><hr /><br />
<h2><a name ="user"></a>Managing the users:</h2>
As an admin, you can set up new accounts for users, edit the profiles of users, delete them, or just have a look at all the viewers' profiles.<br /><br />
As an admin, you can set up new accounts for users, edit the profiles of users, delete them, or just have a look at all the viewers' profiles. Organisation admins are restricted to executing the same actions on their organisation's users only.<br /><br />
<img src="/img/doc/add_user.png" alt = "Add user" style="float:right;" title = "Fill this form out to add a new user. Keep in mind that the drop-down menu titled Role controls the privileges the user will have."/>
<h3>Adding a new user:</h3>
To add a new user, click on the New User button in the administration menu to the left and fill out the following fields in the view that is loaded:<br /><br />
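Review bot: the added sentence documents that organisation admins may only manage their own organisation's users; that is an authorisation rule, and this diff touches only the Regexp model and the help page, so the users controller must enforce it rather than the documentation alone. Minor: "all the viewers' profiles" in the same sentence presumably means "all the users' profiles".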
@ -39,11 +45,12 @@ To add a new user, click on the New User button in the administration menu to th
<li><em>Email:</em> The user's e-mail address, this will be used as his/her login name and as an address to send all the automatic e-mails and e-mails sent by contacting the user as the reporter of an event.<br /><br /></li>
<li><em>Password:</em> A temporary password for the user that he/she should change after the first login. Make sure that it is at least 6 characters long, includes a digit or a special character and contains at least one upper-case and at least one lower-case character.<br /><br /></li>
<li><em>Confirm Password:</em> This should be an exact copy of the Password field.<br /><br /></li>
<li><em>Org:</em>The organisation of the user. Entering ADMIN into this field will give administrator privileges to the user.<br /><br /></li>
<li><em>Roles:</em> A drop-down list allows you to choose a role-roup that the user should belong to. Roles define the privileges of the user. To learn more about roles, <a href=#roles>click here</a>.<br /><br /></li>
<li><em>Authkey:</em> This is assigned automatically and is the unique authentication key of the user (he/she will be able to reset this and receive a new key). It is used for exports and for connecting one server to another (as described in section xxyyzz).<br /><br /></li>
<li><em>Org:</em>The organisation of the user. Entering ADMIN into this field will give administrator privileges to the user. If you are an organisation admin, then this field will be unchangeable and be set to your own organisation.<br /><br /></li>
<li><em>Roles:</em> A drop-down list allows you to choose a role-group that the user should belong to. Roles define the privileges of the user. To learn more about roles, <a href=#roles>click here</a>.<br /><br /></li>
<li><em>Receive alerts when events are published:</em> This option will subscribe the new user to automatically generated e-mails whenever an event is published.<br /><br /></li>
<li><em>Receive alerts from "contact reporter" requests:</em> This option will subscribe the new user to e-mails that are generated when another user tries to get in touch with an event's reporting organisation that matches that of the new user.<br /><br /></li>
<li><em>Authkey:</em> This is assigned automatically and is the unique authentication key of the user (he/she will be able to reset this and receive a new key). It is used for exports and for connecting one server to another, but it requires the user to be assigned to a role that has auth permission enabled.<br /><br /></li>
<li><em>NIDS Sid:</em> Nids ID, not yet implemented.<br /><br /></li>
<li><em>Termsaccepted:</em> Indicates whether the user has accepted the terms of use already or not.<br /><br /></li>
<li><em>Gpgkey:</em> The key used for encrypting e-mails sent through the system. <br /><br /></li>
</ul>
<h3>Listing all users:</h3>
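Review bot: the new `<li><em>Org:</em>The organisation ...` line keeps the missing space after `</em>` from the old line. The sentence "Entering ADMIN into this field will give administrator privileges to the user" now sits beside the statement that organisation admins cannot change the field, so say explicitly that only site admins can set it; a value that grants administrator privileges deserves an unambiguous description. In the new `Roles` line, `<a href=#roles>` keeps the unquoted attribute from the old line; quote it.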
@ -60,23 +67,54 @@ To list all current users of the system, just click on List Users under the admi
<li><em>Newsread:</em> The last point in time when the user has looked at the news section of the system.<br /><br /></li>
<li><em>Action Buttons:</em> Here you can view a detailed view of a user, edit the basic details of a user (same view as the one used for creating a new user, but all the fields come filled out by default) or remove a user completely. <br /><br /></li>
</ul>
<h3>Editing a user:</h3>
To add a new user, click on the New User button in the administration menu to the left and fill out the following fields in the view that is loaded:<br /><br />
<ul>
<li><em>Email:</em> The user's e-mail address, this will be used as his/her login name and as an address to send all the automatic e-mails and e-mails sent by contacting the user as the reporter of an event.<br /><br /></li>
<li><em>Password:</em> It is possible to assign a new password manually for a user. For example, in case that he/she forgot the old one a new temporary one can be assigned. Make sure to check the "Change password" field if you do give out a temporary password, so that the user will be forced to change it after login.<br /><br /></li>
<li><em>Confirm Password:</em> This should be an exact copy of the Password field.<br /><br /></li>
<li><em>Org:</em>The organisation of the user. Entering ADMIN into this field will give administrator privileges to the user. If you are an organisation admin, then this field will be unchangeable and be set to your own organisation.<br /><br /></li>
<li><em>Roles:</em> A drop-down list allows you to choose a role-group that the user should belong to. Roles define the privileges of the user. To learn more about roles, <a href=#roles>click here</a>.<br /><br /></li>
<li><em>Receive alerts when events are published:</em> This option will subscribe the user to automatically generated e-mails whenever an event is published.<br /><br /></li>
<li><em>Receive alerts from "contact reporter" requests:</em> This option will subscribe the user to e-mails that are generated when another user tries to get in touch with an event's reporting organisation that matches that of the user.<br /><br /></li>
<li><em>Authkey:</em> It is possible to request a new authentication key for the user. <br /><br /></li>
<li><em>NIDS Sid:</em> Nids ID, not yet implemented.<br /><br /></li>
<li><em>Termsaccepted:</em> Indicates whether the user has accepted the terms of use already or not.<br /><br /></li>
<li><em>Change Password:</em> Setting this flag will require the user to change password after the next login.<br /><br /></li>
<li><em>Gpgkey:</em> The key used for encrypting e-mails sent through the system. <br /><br /></li>
</ul>
<br /><hr /><br />
<h2><a name ="roles"></a>Managing the roles</h2>
Privileges are assigned to users by assigning them to role-roles, which use one of four options to determine what the users belonging to them are able to do on the site. The four options are: Read Only, Manage My Own Events, Manage Organisation Events, Manage &amp; Publish Organisation Events. <br /><br />
Privileges are assigned to users by assigning them to rule groups, which use one of four options determining what they can do with events and four additional privilege elevating settings. The four options for event manipulation are: Read Only, Manage My Own Events, Manage Organisation Events, Manage &amp; Publish Organisation Events. The extra privileges are admin, sync, authentication key usage and audit permission<br /><br />
<em>Read Only:</em> This allows the user to browse events that his organisation has access to, but doesn't allow any changes to be made to the database. <br /><br />
<em>Manage My Own Events:</em> The second option, gives its users rights to create, modify or delete their own events, but they cannot publish them. <br /><br />
<em>Manage Organization Events:</em> allows users to create events or modify and delete events created by a member of their organisation. <br /><br />
<em>Manage &amp; Publish Organisation Events:</em> This last setting, gives users the right to do all of the above and also to publish the events of their organisation.<br /><br />
<em>Perm sync:</em> This setting allows the users of the role to be used as a synchronisation user. The authentication key of this user can be handed out to the administrator of a remote MISP instance to allow the synchronisation features to work.<br /><br />
<em>Perm admin:</em> Gives the user administrator privileges, this setting is used for the organisation admins. <br /><br />
<em>Perm audit:</em> Grants access to the logs. With the exception of site admins, only logs generated by the user's own org are visible. <br /><br />
<em>Perm auth:</em> This setting enables the authentication key of the role's users to be used for rest requests. <br /><br />
<h3>Creating roles:</h3>
When creating a new role, you will have to enter a name for the role to be created and set up the permissions (as described above) using four check-boxes, one for each permission flag.<br /><br />
When creating a new role, you will have to enter a name for the role to be created and set up the permissions (as described above) using the radio toggle and the four check-boxes.<br /><br />
<h3>Listing roles:</h3>
By clicking on the List Roles button, you can view a list of all the currently registered roles and a list of the permission flags turned on for each. In addition, you can find buttons that allow you to edit and delete the roles. Keep in mind that you will need to first remove every member from a role before you can delete it.<br /><br />
<img src="/img/doc/list_groups.png" alt = "List roles" title = "You can View, Edit or Delete roles using the action buttons to the right in each row. Keep in mind that a role has to be devoid of members before it can be deleted."/><br /><br />
<br /><hr /><br />
<h2><a name ="logs"></a>Using the logs of MISP</h2>
Admins are able to browse or search the logs that MISP automatically appends each time any action is taken that alters the data contained within the system (or if a user logs in and out).<br /><br />
Users with audit permissions are able to browse or search the logs that MISP automatically appends each time certain actions are taken (actions that modify data or if a user logs in and out).<br /><br />
Generally, the following actions are logged:<br /><br />
<ul>
<li><em>User:</em> Creation, deletion, modification, Login / Logout<br /><br /></li>
<li><em>Event:</em>Creation, deletion, modification, publishing<br /><br /></li>
<li><em>Attribute:</em> Creation, deletion, modification<br /><br /></li>
<li><em>Roles:</em> Creation, deletion, modification<br /><br /></li>
<li><em>Blacklist:</em> Creation, deletion, modification<br /><br /></li>
<li><em>Whitelist:</em> Creation, deletion, modification<br /><br /></li>
<li><em>Regexp:</em> Creation, deletion, modification</li>
</ul>
<br />
<h3>Browsing the logs:</h3>
Listing all the log entries will show the following columns:<br /><br />
Listing all the log entries will show the following columns generated by the users of your organisation (or all organisations in the case of site admins):<br /><br />
<img src="/img/doc/list_logs.png" alt = "List logs" title = "Here you can view a list of all logged actions."/><br /><br />
<ul>
<li><em>Id:</em> The automatically assigned ID number of the entry.<br /><br /></li>
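Review bot: under the new `Editing a user:` heading the introductory sentence still reads "To add a new user, click on the New User button ...", copied from the add-user section; it should describe opening the edit view of an existing user. In the roles paragraph, "rule groups" replaces the old "role-roles", but the rest of the section calls them roles, so "roles" is the consistent term, and the sentence ending "audit permission" lacks its full stop. "Manage Organization Events" uses the US spelling while the neighbouring options use "Organisation".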