new: [event warnings] made modular
- app/Lib/EventWarning contains default warnings - app/Lib/EventWarning/Custom can be used to just drop event warnings - use app/Lib/EventWarning/DefaultWarning as a template
pull/8216/head
parent
2801058bc4
commit
364eaa50c2
|
@ -35,6 +35,8 @@ tools/mkdocs
|
|||
/app/tmp/cache/misp_feed*
|
||||
/app/files/*
|
||||
/app/tmp/cache/feeds/*.cache
|
||||
app/Lib/EventWarning/Custom/*
|
||||
!app/Lib/EventWarning/Custom/empty
|
||||
!/app/files/feed-metadata
|
||||
!/app/files/empty
|
||||
!/app/files/scripts/
|
||||
|
|
|
@ -0,0 +1 @@
|
|||
|
|
@ -0,0 +1,65 @@
|
|||
<?php
|
||||
|
||||
class DefaultWarning
|
||||
{
|
||||
public $description = '';
|
||||
public $name = '';
|
||||
public $functions = [
|
||||
'emptyEventCheck',
|
||||
'contextCheck',
|
||||
'tlpDistributionCheck'
|
||||
];
|
||||
|
||||
function __construct()
|
||||
{
|
||||
$this->name = __('Default');
|
||||
$this->description = __('The default set of warnings included with MISP');
|
||||
}
|
||||
|
||||
public function emptyEventCheck(array $event, array &$warnings)
|
||||
{
|
||||
if (empty($event['Attribute']) && empty($event['objects'])) {
|
||||
$warnings[__('Content')][] = __('Your event has neither attributes nor objects, whilst this can have legitimate reasons (such as purely creating an event with an event report or galaxy clusters), in most cases it\'s a sign that the event has yet to be fleshed out.');
|
||||
}
|
||||
}
|
||||
|
||||
public function contextCheck(array $event, array &$warnings)
|
||||
{
|
||||
if (empty($event['Galaxy']) && empty($event['EventTag'])) {
|
||||
$warnings[__('Contextualisation')][] = __('Your event has neither tags nor galaxy clusters attached - generally adding context to an event allows for quicker decision making and more accurate filtering, it is highly recommended that you label your events to the best of your ability.');
|
||||
}
|
||||
}
|
||||
|
||||
public function tlpDistributionCheck(array $event, array &$warnings)
|
||||
{
|
||||
if (!empty($event['EventTag'])) {
|
||||
foreach ($event['EventTag'] as $eT) {
|
||||
$tagName = $eT['Tag']['name'];
|
||||
$this->__tlpTaxonomyCheck($tagName, $warnings);
|
||||
if ($tagName === 'tlp:white' && $event['Event']['distribution'] != Event::DISTRIBUTION_ALL) {
|
||||
$warnings[__('Distribution')][] = __('The event is tagged as tlp:white, yet the distribution is not set to all. Change the distribution setting to something more lax if you wish for the event to propagate further.');
|
||||
} else if ($tagName === 'tlp:green' && !in_array($event['Event']['distribution'], [Event::DISTRIBUTION_COMMUNITY, Event::DISTRIBUTION_CONNECTED, Event::DISTRIBUTION_ALL])) {
|
||||
$warnings[__('Distribution')][] = __('The event is tagged as tlp:green, yet the distribution is not set to community, connected communities or all. tlp:green assumes sharing with your entire community - make sure that the selected distribution setting covers that.');
|
||||
} else if (in_array($tagName, ['tlp:amber', 'tlp:red'], true) && $event['Event']['distribution'] == Event::DISTRIBUTION_ALL) {
|
||||
$warnings[__('Distribution')][] = __('The event is tagged as %s, yet the distribution is set to all, be aware of potential information leakage.', $tagName);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $tagName
|
||||
* @return void
|
||||
*/
|
||||
private function __tlpTaxonomyCheck($tagName, array &$warnings)
|
||||
{
|
||||
$lowerTagName = trim(strtolower($tagName));
|
||||
if (substr($lowerTagName, 0, 4) === 'tlp:') {
|
||||
if (!in_array($lowerTagName, ['tlp:white', 'tlp:green', 'tlp:amber', 'tlp:red', 'tlp:ex:chr'], true)) {
|
||||
$warnings['TLP'][] = __('Unknown TLP tag, please refer to the TLP taxonomy as to what is valid, otherwise filtering rules created by your partners may miss your intent.');
|
||||
} else if ($lowerTagName !== $tagName) {
|
||||
$warnings['TLP'][] = __('TLP tag with invalid formatting: Make sure that you only use TLP tags from the taxonomy. Custom tags with invalid capitalisation, white spaces or other artifacts will break synchronisation and filtering rules intended for the correct taxonomy derived tags.');
|
||||
}
|
||||
}
|
||||
}
|
||||
}
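Review bot: The contract that Custom packages are meant to copy from this template is not documented anywhere in the file: the behaviour reads `$name`, `$description` and `$functions` and invokes each listed name as `$package->$function($event, $warnings)`, so a class-level docblock should state that every entry in `$functions` must be a public method with the signature `(array $event, array &$warnings)` that appends messages to `$warnings[<category>][]`, and that the loader only picks up files matching `*Warning.php`. The constructor `function __construct()` should carry an explicit `public`. The docblock on `__tlpTaxonomyCheck` documents `$tagName` but not the by-reference `$warnings` it mutates; add `@param array $warnings`. `emptyEventCheck` tests `$event['objects']`, while the other keys read here (`Attribute`, `EventTag`, `Galaxy`) follow the singular model-name convention — if objects arrive under a different key this check never sees them, which is worth confirming against the caller.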
|
|
@ -5,7 +5,7 @@
|
|||
*/
|
||||
class EventWarningBehavior extends ModelBehavior
|
||||
{
|
||||
private $__warnings = [];
|
||||
private $__warningPackages = [];
|
||||
|
||||
/**
|
||||
* @param Model $Model
|
||||
|
@ -14,56 +14,27 @@ class EventWarningBehavior extends ModelBehavior
|
|||
*/
|
||||
public function generateWarnings(Model $Model, array $event)
|
||||
{
|
||||
$this->__tlpDistributionCheck($event);
|
||||
$this->__contextCheck($event);
|
||||
$this-> __emptyEventCheck($event);
|
||||
return $this->__warnings;
|
||||
$warnings = [];
|
||||
$this->__loadCustomWarningSystems();
|
||||
$this->__loadCustomWarningSystems('Custom');
|
||||
foreach ($this->__warningPackages as $packageName => $package) {
|
||||
foreach ($package->functions as $function) {
|
||||
$package->$function($event, $warnings);
|
||||
}
|
||||
}
|
||||
return $warnings;
|
||||
}
|
||||
|
||||
private function __emptyEventCheck(array $event)
|
||||
private function __loadCustomWarningSystems($subdir = false)
|
||||
{
|
||||
if (empty($event['Attribute']) && empty($event['objects'])) {
|
||||
$this->__warnings[__('Content')][] = __('Your event has neither attributes nor objects, whilst this can have legitimate reasons (such as purely creating an event with an event report or galaxy clusters), in most cases it\'s a sign that the event has yet to be fleshed out.');
|
||||
}
|
||||
}
|
||||
|
||||
private function __contextCheck(array $event)
|
||||
{
|
||||
if (empty($event['Galaxy']) && empty($event['EventTag'])) {
|
||||
$this->__warnings[__('Contextualisation')][] = __('Your event has neither tags nor galaxy clusters attached - generally adding context to an event allows for quicker decision making and more accurate filtering, it is highly recommended that you label your events to the best of your ability.');
|
||||
}
|
||||
}
|
||||
|
||||
private function __tlpDistributionCheck(array $event)
|
||||
{
|
||||
if (!empty($event['EventTag'])) {
|
||||
foreach ($event['EventTag'] as $eT) {
|
||||
$tagName = $eT['Tag']['name'];
|
||||
$this->__tlpTaxonomyCheck($tagName);
|
||||
if ($tagName === 'tlp:white' && $event['Event']['distribution'] != Event::DISTRIBUTION_ALL) {
|
||||
$this->__warnings[__('Distribution')][] = __('The event is tagged as tlp:white, yet the distribution is not set to all. Change the distribution setting to something more lax if you wish for the event to propagate further.');
|
||||
} else if ($tagName === 'tlp:green' && !in_array($event['Event']['distribution'], [Event::DISTRIBUTION_COMMUNITY, Event::DISTRIBUTION_CONNECTED, Event::DISTRIBUTION_ALL])) {
|
||||
$this->__warnings[__('Distribution')][] = __('The event is tagged as tlp:green, yet the distribution is not set to community, connected communities or all. tlp:green assumes sharing with your entire community - make sure that the selected distribution setting covers that.');
|
||||
} else if (in_array($tagName, ['tlp:amber', 'tlp:red'], true) && $event['Event']['distribution'] == Event::DISTRIBUTION_ALL) {
|
||||
$this->__warnings[__('Distribution')][] = __('The event is tagged as %s, yet the distribution is set to all, be aware of potential information leakage.', $tagName);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @param string $tagName
|
||||
* @return void
|
||||
*/
|
||||
private function __tlpTaxonomyCheck($tagName)
|
||||
{
|
||||
$lowerTagName = trim(strtolower($tagName));
|
||||
if (substr($lowerTagName, 0, 4) === 'tlp:') {
|
||||
if (!in_array($lowerTagName, ['tlp:white', 'tlp:green', 'tlp:amber', 'tlp:red', 'tlp:ex:chr'], true)) {
|
||||
$this->__warnings['TLP'][] = __('Unknown TLP tag, please refer to the TLP taxonomy as to what is valid, otherwise filtering rules created by your partners may miss your intent.');
|
||||
} else if ($lowerTagName !== $tagName) {
|
||||
$this->__warnings['TLP'][] = __('TLP tag with invalid formatting: Make sure that you only use TLP tags from the taxonomy. Custom tags with invalid capitalisation, white spaces or other artifacts will break synchronisation and filtering rules intended for the correct taxonomy derived tags.');
|
||||
}
|
||||
$subDirPath = $subdir ? ('/' . $subdir) : '';
|
||||
$dir = new Folder(APP . 'Lib/EventWarning' . $subDirPath);
|
||||
$files = $dir->find('.*Warning\.php');
|
||||
foreach ($files as $file) {
|
||||
$className = substr($file, 0, -4);
|
||||
$path = 'EventWarning/Custom';
|
||||
App::uses($className, $path);
|
||||
$this->__warningPackages[$className] = new $className();
|
||||
}
|
||||
}
|
||||
}
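Review bot: `$path = 'EventWarning/Custom';` inside the `foreach` of `__loadCustomWarningSystems` is hard-coded, so the first call `$this->__loadCustomWarningSystems()` scans `Lib/EventWarning` but registers the classes it finds under the Custom sub-package; unless `DefaultWarning` is already loaded by another route, `App::uses` will not resolve it and `new $className()` fails. Derive the package from the directory that was scanned instead: `$path = 'EventWarning' . $subDirPath;`. The loader also instantiates every `*Warning.php` it finds in a directory that the `.gitignore` hunk above appears to exclude from version control, so any file written there executes with the application's privileges whenever `generateWarnings` runs; a comment such as `// Custom/ is scanned and instantiated at runtime - it must be writable only by the deploying user` would record that expectation next to the code. Because `__warningPackages` is keyed by class name, a Custom package that reuses a default class name silently replaces it; a `class_exists()` check or a log line before the assignment would make such a collision visible.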
|
||||
|
|