new: [UI] Attachment scan diagnostic

pull/6488/head
Jakub Onderka 2020-10-22 23:59:49 +02:00
parent c5e0671de9
commit 3ff4dd530f
3 changed files with 69 additions and 6 deletions


@ -1121,7 +1121,14 @@ class ServersController extends AppController
$sessionStatus = $this->Server->sessionDiagnostics($diagnostic_errors, $sessionCount);
$this->set('sessionCount', $sessionCount);
$additionalViewVars = array('gpgStatus', 'sessionErrors', 'proxyStatus', 'sessionStatus', 'zmqStatus', 'stixVersion', 'cyboxVersion', 'mixboxVersion', 'maecVersion', 'stix2Version', 'pymispVersion', 'moduleStatus', 'yaraStatus', 'gpgErrors', 'proxyErrors', 'zmqErrors', 'stixOperational', 'stix', 'moduleErrors', 'moduleTypes', 'dbDiagnostics', 'dbSchemaDiagnostics', 'redisInfo');
$this->loadModel('AttachmentScan');
try {
$attachmentScan = ['status' => true, 'software' => $this->AttachmentScan->diagnostic()];
} catch (Exception $e) {
$attachmentScan = ['status' => false, 'error' => $e->getMessage()];
}
$additionalViewVars = array('gpgStatus', 'sessionErrors', 'proxyStatus', 'sessionStatus', 'zmqStatus', 'stixVersion', 'cyboxVersion', 'mixboxVersion', 'maecVersion', 'stix2Version', 'pymispVersion', 'moduleStatus', 'yaraStatus', 'gpgErrors', 'proxyErrors', 'zmqErrors', 'stixOperational', 'stix', 'moduleErrors', 'moduleTypes', 'dbDiagnostics', 'dbSchemaDiagnostics', 'redisInfo', 'attachmentScan');
}
// check whether the files are writeable
$writeableDirs = $this->Server->writeableDirsDiagnostics($diagnostic_errors);
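Review bot: The message captured in the `catch (Exception $e)` branch is stored as `$attachmentScan['error']` and handed to the view unchanged, and because `diagnostic()` (see the model section) goes through `loadModuleInfo()` and `sendToModule()`, that message may carry text that originated from the scan module or its configuration rather than a fixed string, so the view must treat it as untrusted when rendering it. It would also help to state at the `loadModel('AttachmentScan')` call that this is a live round-trip rather than a config lookup, e.g. `// Live check: submits a test sample to the attachment scan module on every load of this page; slow or failing when the module is unreachable.` The enclosing controller action starts and ends outside this hunk.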


@ -1,12 +1,14 @@
<?php
App::uses('AppModel', 'Model');
App::uses('ClamAvTool', 'Tools');
class AttachmentScan extends AppModel
{
const TYPE_ATTRIBUTE = 'Attribute',
TYPE_SHADOW_ATTRIBUTE = 'ShadowAttribute';
// base64 encoded eicar.exe
const EICAR = 'WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo=';
/** @var AttachmentTool */
private $attachmentTool;
@ -57,6 +59,50 @@ class AttachmentScan extends AppModel
}
}
/**
* Checks configuration and connection to module wth AV engine and returns an array of scanning software.
*
* @return array
* @throws Exception
*/
public function diagnostic()
{
if (!$this->isEnabled()) {
throw new Exception("Malware scanning module is not configured.");
}
if ($this->attachmentTool()->attachmentDirIsS3()) {
throw new Exception("S3 attachment storage is not supported now for malware scanning.");
}
$moduleInfo = $this->loadModuleInfo($this->attachmentScanModuleName);
if (in_array('attachment', $moduleInfo['types'])) {
$fakeAttribute = [
'uuid' => CakeText::uuid(),
'event_id' => 1,
'type' => 'attachment',
'value' => 'eicar.com',
'data' => self::EICAR,
];
} else {
$hashAlgo = $moduleInfo['types'][0];
$hash = hash($hashAlgo, base64_decode(self::EICAR));
$fakeAttribute = [
'uuid' => CakeText::uuid(),
'event_id' => 1,
'type' => $hashAlgo,
'value' => $hash,
];
}
$results = $this->sendToModule($fakeAttribute, $moduleInfo['config']);
if (empty($results)) {
throw new Exception("Eicar test file was not detected.");
}
return array_column($results, 'software');
}
/**
* @return bool
*/
@ -151,7 +197,7 @@ class AttachmentScan extends AppModel
}
if ($this->attachmentTool()->attachmentDirIsS3()) {
throw new Exception("S3 attachment storage is not supported now for AV scanning.");
throw new Exception("S3 attachment storage is not supported now for malware scanning.");
}
$fields = ['id', 'uuid', 'type', 'value', 'event_id'];
@ -190,7 +236,7 @@ class AttachmentScan extends AppModel
}
try {
$moduleOptions = $this->loadModuleInfo($this->attachmentScanModuleName);
$moduleInfo = $this->loadModuleInfo($this->attachmentScanModuleName);
} catch (Exception $e) {
$job->saveStatus($jobId, false, 'Could not connect to attachment scan module.');
$this->logException('Could not connect to attachment scan module.', $e);
@ -203,7 +249,7 @@ class AttachmentScan extends AppModel
foreach ($attributes as $attribute) {
$type = isset($attribute['Attribute']) ? self::TYPE_ATTRIBUTE : self::TYPE_SHADOW_ATTRIBUTE;
try {
$infected = $this->scanAttachment($type, $attribute[$type], $moduleOptions);
$infected = $this->scanAttachment($type, $attribute[$type], $moduleInfo);
if ($infected === true) {
$virusFound++;
}
@ -307,7 +353,7 @@ class AttachmentScan extends AppModel
} else {
// Instead of sending whole file to module, just generate file hash and send that hash as fake attribute.
$hashAlgo = $moduleInfo['types'][0];
$hash = hash_file($moduleInfo['types'][0], $file->pwd());
$hash = hash_file($hashAlgo, $file->pwd());
if (!$hash) {
throw new Exception("Could not generate $hashAlgo hash for file '$file->path'.");
}
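Review bot: In `diagnostic()` the fallback branch reads `$moduleInfo['types'][0]` without first checking that the module reported any type at all, so a module whose `types` list is empty turns the diagnostic into an undefined-index notice (and then a `hash()` call with a non-string algorithm) instead of a clear error. Guarding before the `in_array` check keeps the failure actionable: `if (empty($moduleInfo['types'])) { throw new Exception("Attachment scan module does not report any supported attribute type."); }`. Since `types` comes from the module's response, `in_array('attachment', $moduleInfo['types'])` should also pass `true` as its third argument. The same unguarded `$moduleInfo['types'][0]` read appears in the last hunk of this file, though that line predates this commit; the new docblock's `wth` should read `with`.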


@ -274,6 +274,16 @@
endif;
?>
</div>
<h3><?= __('Attachment scan module') ?></h3>
<div style="background-color:#f7f7f9;width:400px;">
<?php if ($attachmentScan['status']): ?>
<b>Status:</b> <span class="green bold"><?= __('OK') ?></span><br>
<b>Software</b>: <?= implode(", ", $attachmentScan['software']) ?>
<?php else: ?>
<b>Status:</b> <span class="red bold"><?= __('Not available.') ?></span>
<b>Reason:</b> <?= $attachmentScan['error'] ?>
<?php endif; ?>
</div>
<h3><?php echo __('STIX and Cybox libraries');?></h3>
<p><?php echo __('Mitre\'s STIX and Cybox python libraries have to be installed in order for MISP\'s STIX export to work. Make sure that you install them (as described in the MISP installation instructions) if you receive an error below.');?><br />
<?php echo __('If you run into any issues here, make sure that both STIX and CyBox are installed as described in the INSTALL.txt file. The required versions are');?>:<br />
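Review bot: `$attachmentScan['error']` and the `implode`d `$attachmentScan['software']` list are echoed without escaping, whereas the surrounding visible lines only emit `__()` literals; both values originate outside the template (the caught exception message and the software names reported by the scan module), so they belong inside `h()`: `<b>Software</b>: <?= h(implode(", ", $attachmentScan['software'])) ?>` and `<b>Reason:</b> <?= h($attachmentScan['error']) ?>`. The failure branch also lacks the `<br>` that the success branch places after the status span, so Status and Reason render on one line.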