new: [API] Netfilter added as new export format

app/Lib/Export/NetfilterExport.php

@@ -0,0 +1,78 @@
+<?php
+
+class NetfilterExport
+{
+    public $additional_params = array(
+        'flatten' => 1,
+        'conditions' => array(
+            'AND' => array(
+                'Attribute.type' => array(
+                    'ip-dst', 'ip-src', 'domain|ip', 'ip-dst|port', 'ip-src|port'
+                )
+            )
+        )
+    );
+
+    public $non_restrictive_export = true;
+
+    private $__attributeTypeMappings = array(
+        'ip-dst' => 'full',
+        'ip-src' => 'full',
+        'domain|ip' => 1,
+        'ip-dst|port' => 0,
+        'ip-src|port' => 0
+    );
+
+    public function handler($data, $options = array())
+    {
+        $action = empty($options['filters']['netfilter_action']) ? 'DROP' : $options['filters']['netfilter_action'];
+        if ($options['scope'] === 'Attribute') {
+            if (in_array($data['Attribute']['type'], array_keys($this->__attributeTypeMappings))) {
+                return $this->__convertToRule($data['Attribute'], $action) . "\n";
+            } else {
+                return '';
+            }
+        }
+        if ($options['scope'] === 'Event') {
+            $result = array();
+            foreach ($data['Attribute'] as $attribute) {
+                if (in_array($data['Attribute']['type'], array_keys($this->__attributeTypeMappings))) {
+                    $result[] = $this->__convertToRule($data['Attribute'], $action);
+                }
+            }
+            return implode($this->separator(), $result) . "\n";
+        }
+        return '';
+    }
+
+    private function __convertToRule($attribute, $action)
+    {
+        $ip = false;
+        if ($this->__attributeTypeMappings[$attribute['type']] === 'full') {
+            $ip = $attribute['value'];
+        } else {
+            $ip = explode('|', $attribute['value']);
+            $ip = $ip[$this->__attributeTypeMappings[$attribute['type']]];
+        }
+        return sprintf(
+            'iptables -A INPUT -s %s -j %s',
+            $ip,
+            $action
+        );
+    }
+
+    public function header($options = array())
+    {
+        return '';
+    }
+
+    public function footer()
+    {
+        return "";
+    }
+
+    public function separator()
+    {
+        return "";
+    }
+}

app/Model/Attribute.php

@@ -70,7 +70,7 @@ class Attribute extends AppModel
 
         //
         // NOTE WHEN MODIFYING: please ensure to run the script 'tools/gen_misp_types_categories.py' to update the new definitions everywhere. (docu, website, RFC, ...)
-        //  
+        //
         $this->categoryDefinitions = array(
             'Internal reference' => array(
                     'desc' => __('Reference used by the publishing party (e.g. ticket number)'),
@@ -149,7 +149,7 @@ class Attribute extends AppModel
 
         //
         // NOTE WHEN MODIFYING: please ensure to run the script 'tools/gen_misp_types_categories.py' to update the new definitions everywhere. (docu, website, RFC, ...)
-        //  
+        //
         $this->typeDefinitions = array(
             'md5' => array('desc' => __('A checksum in md5 format'), 'formdesc' => __("You are encouraged to use filename|md5 instead. A checksum in md5 format, only use this if you don't know the correct filename"), 'default_category' => 'Payload delivery', 'to_ids' => 1),
             'sha1' => array('desc' => __('A checksum in sha1 format'), 'formdesc' => __("You are encouraged to use filename|sha1 instead. A checksum in sha1 format, only use this if you don't know the correct filename"), 'default_category' => 'Payload delivery', 'to_ids' => 1),
@@ -405,7 +405,8 @@ class Attribute extends AppModel
         'rpz' => array('txt', 'RPZExport', 'rpz'),
         'csv' => array('csv', 'CsvExport', 'csv'),
         'cache' => array('txt', 'CacheExport', 'cache'),
-        'attack-sightings' => array('json', 'AttackSightingsExport', 'json')
+        'attack-sightings' => array('json', 'AttackSightingsExport', 'json'),
+        'netfilter' => array('txt', 'NetfilterExport', 'sh')
     );
 
     // FIXME we need a better way to list the defaultCategories knowing that new attribute types will continue to appear in the future. We should generate this dynamically or use a function using the default_category of the $typeDefinitions
@@ -4313,7 +4314,10 @@ class Attribute extends AppModel
             'filters' => $filters
         );
         if (!empty($exportTool->additional_params)) {
-            $params = array_merge($params, $exportTool->additional_params);
+            $params = array_merge_recursive(
+                $params,
+                $exportTool->additional_params
+            );
         }
         $tmpfile = tmpfile();
         fwrite($tmpfile, $exportTool->header($exportToolParams));

app/Model/Event.php

@@ -180,7 +180,8 @@ class Event extends AppModel
         'yara-json' => array('json', 'YaraExport', 'json'),
         'cache' => array('txt', 'CacheExport', 'cache'),
         'attack' => array('html', 'AttackExport', 'html'),
-        'attack-sightings' => array('json', 'AttackSightingsExport', 'json')
+        'attack-sightings' => array('json', 'AttackSightingsExport', 'json'),
+        'netfilter' => array('txt', 'NetfilterExport', 'sh')
     );
 
     public $csv_event_context_fields_to_fetch = array(