mirror of https://github.com/MISP/MISP
new: [API] Netfilter added as new export format
parent
6a74cb4412
commit
40cf160c53
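--- /dev/null
+++ b/PATH_NOT_ON_PAGE/NetfilterExport.php
@@ -0,0 +1,78 @@
+<?php
+class NetfilterExport
+{
+public $additional_params = array(
+'flatten' => 1,
+'conditions' => array(
+'AND' => array(
+'Attribute.type' => array(
+'ip-dst', 'ip-src', 'domain|ip', 'ip-dst|port', 'ip-src|port'
+)
+)
+)
+);
+
+public $non_restrictive_export = true;
+
+private $__attributeTypeMappings = array(
+'ip-dst' => 'full',
+'ip-src' => 'full',
+'domain|ip' => 1,
+'ip-dst|port' => 0,
+'ip-src|port' => 0
+);
+
+public function handler($data, $options = array())
+{
+$action = empty($options['filters']['netfilter_action']) ? 'DROP' : $options['filters']['netfilter_action'];
+if ($options['scope'] === 'Attribute') {
+if (in_array($data['Attribute']['type'], array_keys($this->__attributeTypeMappings))) {
+return $this->__convertToRule($data['Attribute'], $action) . "\n";
+} else {
+return '';
+}
+}
+if ($options['scope'] === 'Event') {
+$result = array();
+foreach ($data['Attribute'] as $attribute) {
+if (in_array($data['Attribute']['type'], array_keys($this->__attributeTypeMappings))) {
+$result[] = $this->__convertToRule($data['Attribute'], $action);
+}
+}
+return implode($this->separator(), $result) . "\n";
+}
+return '';
+}
+
+private function __convertToRule($attribute, $action)
+{
+$ip = false;
+if ($this->__attributeTypeMappings[$attribute['type']] === 'full') {
+$ip = $attribute['value'];
+} else {
+$ip = explode('|', $attribute['value']);
+$ip = $ip[$this->__attributeTypeMappings[$attribute['type']]];
+}
+return sprintf(
+'iptables -A INPUT -s %s -j %s',
+$ip,
+$action
+);
+}
+
+public function header($options = array())
+{
+return '';
+}
+
+public function footer()
+{
+return "";
+}
+
+public function separator()
+{
+return "";
+}
+}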
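Review bot: `__convertToRule` interpolates `$action` and the attribute value straight into an `iptables` command line, and `$action` is taken from the caller-supplied `netfilter_action` filter in `handler`, so the exported `.sh` script carries whatever text either source holds; restrict `$action` to a plain chain/target name and only emit `$ip` when it is a literal address or address/prefix, as in the excerpt below. Separately, the `Event` branch iterates `foreach ($data['Attribute'] as $attribute)` but then tests `$data['Attribute']['type']` and converts `$data['Attribute']`, so `$attribute` is never used and event-scope exports come out empty; both references should be `$attribute['type']` / `$attribute`. The membership test `in_array($type, array_keys($this->__attributeTypeMappings))` on both branches is non-strict; `isset($this->__attributeTypeMappings[$type])` says the same thing strictly and in O(1).
```php
public function handler($data, $options = array())
{
    $action = empty($options['filters']['netfilter_action']) ? 'DROP' : $options['filters']['netfilter_action'];
    // a target is a bare chain/target name; anything else must not reach the generated script
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $action)) {
        throw new InvalidArgumentException('netfilter_action must be a plain iptables target name.');
    }
    // … unchanged: scope dispatch, with $attribute used inside the Event loop …
}

private function __convertToRule($attribute, $action)
{
    if ($this->__attributeTypeMappings[$attribute['type']] === 'full') {
        $ip = $attribute['value'];
    } else {
        $parts = explode('|', $attribute['value']);
        $ip = $parts[$this->__attributeTypeMappings[$attribute['type']]];
    }
    // accept only "address" or "address/prefix"; refuse to emit anything else into a shell script
    $cidr = explode('/', $ip, 2);
    if (filter_var($cidr[0], FILTER_VALIDATE_IP) === false || (isset($cidr[1]) && !ctype_digit($cidr[1]))) {
        return '';
    }
    return sprintf('iptables -A INPUT -s %s -j %s', $ip, $action);
}
```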
@ -70,7 +70,7 @@ class Attribute extends AppModel
//
// NOTE WHEN MODIFYING: please ensure to run the script 'tools/gen_misp_types_categories.py' to update the new definitions everywhere. (docu, website, RFC, ...)
//
//
$this->categoryDefinitions = array(
'Internal reference' => array(
'desc' => __('Reference used by the publishing party (e.g. ticket number)'),
@ -149,7 +149,7 @@ class Attribute extends AppModel
//
// NOTE WHEN MODIFYING: please ensure to run the script 'tools/gen_misp_types_categories.py' to update the new definitions everywhere. (docu, website, RFC, ...)
//
//
$this->typeDefinitions = array(
'md5' => array('desc' => __('A checksum in md5 format'), 'formdesc' => __("You are encouraged to use filename|md5 instead. A checksum in md5 format, only use this if you don't know the correct filename"), 'default_category' => 'Payload delivery', 'to_ids' => 1),
'sha1' => array('desc' => __('A checksum in sha1 format'), 'formdesc' => __("You are encouraged to use filename|sha1 instead. A checksum in sha1 format, only use this if you don't know the correct filename"), 'default_category' => 'Payload delivery', 'to_ids' => 1),
@ -405,7 +405,8 @@ class Attribute extends AppModel
'rpz' => array('txt', 'RPZExport', 'rpz'),
'csv' => array('csv', 'CsvExport', 'csv'),
'cache' => array('txt', 'CacheExport', 'cache'),
'attack-sightings' => array('json', 'AttackSightingsExport', 'json')
'attack-sightings' => array('json', 'AttackSightingsExport', 'json'),
'netfilter' => array('txt', 'NetfilterExport', 'sh')
);
// FIXME we need a better way to list the defaultCategories knowing that new attribute types will continue to appear in the future. We should generate this dynamically or use a function using the default_category of the $typeDefinitions
@ -4313,7 +4314,10 @@ class Attribute extends AppModel
'filters' => $filters
);
if (!empty($exportTool->additional_params)) {
$params = array_merge($params, $exportTool->additional_params);
$params = array_merge_recursive(
$params,
$exportTool->additional_params
);
}
$tmpfile = tmpfile();
fwrite($tmpfile, $exportTool->header($exportToolParams));
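Review bot: `array_merge_recursive` does not override on key collision: two scalar values under the same string key become a two-element list (`'flatten' => array(1, 1)`), and nested lists such as `conditions.AND.Attribute.type` are concatenated rather than replaced, so any key that `$params` already carries — it is built above this hunk, and the enclosing function starts and ends outside it — changes shape after the merge instead of being narrowed by the export tool's restriction. If the aim is to nest the tool's conditions under the caller's, do that explicitly, `$params['conditions']['AND'][] = $exportTool->additional_params['conditions'];`, and copy the remaining scalar keys with overwrite semantics; otherwise a comment naming which keys are expected to collide, and why the recursive merge is the wanted result for them, would help the next reader. The fall-through `additional_params` of the new NetfilterExport (`flatten` plus a `conditions.AND.Attribute.type` list) is exactly the shape that hits both cases.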
@ -180,7 +180,8 @@ class Event extends AppModel
'yara-json' => array('json', 'YaraExport', 'json'),
'cache' => array('txt', 'CacheExport', 'cache'),
'attack' => array('html', 'AttackExport', 'html'),
'attack-sightings' => array('json', 'AttackSightingsExport', 'json')
'attack-sightings' => array('json', 'AttackSightingsExport', 'json'),
'netfilter' => array('txt', 'NetfilterExport', 'sh')
);
public $csv_event_context_fields_to_fetch = array(