mirror of https://github.com/MISP/MISP
commit
3d8e5add03
|
@ -110,6 +110,7 @@ class Attribute extends AppModel {
|
|||
'ip-dst' => array('desc' => 'A destination IP address of the attacker or C&C server', 'formdesc' => "A destination IP address of the attacker or C&C server. Also set the IDS flag on when this IP is hardcoded in malware"),
|
||||
'hostname' => array('desc' => 'A full host/dnsname of an attacker', 'formdesc' => "A full host/dnsname of an attacker. Also set the IDS flag on when this hostname is hardcoded in malware"),
|
||||
'domain' => array('desc' => 'A domain name used in the malware', 'formdesc' => "A domain name used in the malware. Use this instead of hostname when the upper domain is important or can be used to create links between events."),
|
||||
'domain|ip' => array('desc' => 'A domain name and its IP address (as found in DNS lookup) separated by a |','formdesc' => "A domain name and its IP address (as found in DNS lookup) separated by a | (no spaces)"),
|
||||
'email-src' => array('desc' => "The email address (or domainname) used to send the malware."),
|
||||
'email-dst' => array('desc' => "A recipient email address", 'formdesc' => "A recipient email address that is not related to your constituency."),
|
||||
'email-subject' => array('desc' => "The subject of the email"),
|
||||
|
@ -179,7 +180,7 @@ class Attribute extends AppModel {
|
|||
),
|
||||
'Network activity' => array(
|
||||
'desc' => 'Information about network traffic generated by the malware',
|
||||
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'email-dst', 'url', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'other')
|
||||
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'domain|ip', 'email-dst', 'url', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'other')
|
||||
),
|
||||
'Payload type' => array(
|
||||
'desc' => 'Information about the final payload(s)',
|
||||
|
@ -193,7 +194,7 @@ class Attribute extends AppModel {
|
|||
'External analysis' => array(
|
||||
'desc' => 'Any other result from additional analysis of the malware like tools output',
|
||||
'formdesc' => 'Any other result from additional analysis of the malware like tools output Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
|
||||
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'hostname', 'domain', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'other')
|
||||
'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'other')
|
||||
),
|
||||
'Other' => array(
|
||||
'desc' => 'Attributes that are not part of any other category',
|
||||
|
@ -459,6 +460,7 @@ class Attribute extends AppModel {
|
|||
case 'sha1':
|
||||
case 'sha256':
|
||||
case 'domain':
|
||||
case 'domain|ip':
|
||||
case 'hostname':
|
||||
$this->data['Attribute']['value'] = strtolower($this->data['Attribute']['value']);
|
||||
break;
|
||||
|
@ -667,6 +669,15 @@ class Attribute extends AppModel {
|
|||
$returnValue = 'Domain name has invalid format. Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'domain|ip':
|
||||
if (preg_match("#^[A-Z0-9.\-_]+\.[A-Z]{2,}\|.*$#i", $value)) {
|
||||
$parts = explode('|', $value);
|
||||
if (filter_var($parts[1],FILTER_VALIDATE_IP)) {$returnValue = true;}
|
||||
else {$returnValue = 'IP address has invalid format.';}
|
||||
} else {
|
||||
$returnValue = 'Domain name has invalid format.';
|
||||
}
|
||||
break;
|
||||
case 'email-src':
|
||||
// we don't use the native function to prevent issues with partial email addresses
|
||||
if (preg_match("#^[A-Z0-9._%+-]*@[A-Z0-9.\-_]+\.[A-Z]{2,}$#i", $value)) {
|
||||
|
|
Loading…
Reference in New Issue