mirror of https://github.com/MISP/MISP
Fixing bug when exporting to Bro MISP attributes from events that contain a percentage sign inside the event info
parent
9a863b3bb2
commit
4656a5c1fa
|
@ -162,8 +162,8 @@ class BroExport
|
||||||
$orgName = $instanceString . ' (' . $item['Event']['uuid'] . ')' . ' - ' . $orgs[$item['Event']['orgc_id']];
|
$orgName = $instanceString . ' (' . $item['Event']['uuid'] . ')' . ' - ' . $orgs[$item['Event']['orgc_id']];
|
||||||
}
|
}
|
||||||
$ruleFormatReference = Configure::read('MISP.baseurl') . '/events/view/' . $item['Event']['id'];
|
$ruleFormatReference = Configure::read('MISP.baseurl') . '/events/view/' . $item['Event']['id'];
|
||||||
$ruleFormat = "%s\t%s\t" . $orgName . "\t" . $this->replaceIllegalChars($item['Event']['info']) . ". %s" . "\t" . $ruleFormatReference . "\t%s\t%s";
|
$ruleFormat = "%s\t%s\t" . $orgName . "\t%s. %s\t" . $ruleFormatReference . "\t%s\t%s";
|
||||||
$rule = $this->__generateRule($item['Attribute'], $ruleFormat, $valueField, $whitelist);
|
$rule = $this->__generateRule($item, $ruleFormat, $valueField, $whitelist);
|
||||||
if (!empty($rule)) {
|
if (!empty($rule)) {
|
||||||
$intel[] = $rule;
|
$intel[] = $rule;
|
||||||
}
|
}
|
||||||
|
@ -171,32 +171,33 @@ class BroExport
|
||||||
return $intel;
|
return $intel;
|
||||||
}
|
}
|
||||||
|
|
||||||
private function __generateRule($attribute, $ruleFormat, $valueField, $whitelist = array())
|
private function __generateRule($item, $ruleFormat, $valueField, $whitelist = array())
|
||||||
{
|
{
|
||||||
if (isset($this->mapping[$attribute['type']])) {
|
if (isset($this->mapping[$item['Attribute']['type']])) {
|
||||||
if (empty($whitelist) || !$this->checkWhitelist($attribute['value'], $whitelist)) {
|
if (empty($whitelist) || !$this->checkWhitelist($item['Attribute']['value' . $valueField], $whitelist)) {
|
||||||
$brotype = $this->mapping[$attribute['type']]['brotype'];
|
$brotype = $this->mapping[$item['Attribute']['type']]['brotype'];
|
||||||
if (isset($this->mapping[$attribute['type']]['alternate'])) {
|
if (isset($this->mapping[$item['Attribute']['type']]['alternate'])) {
|
||||||
if (preg_match($this->mapping[$attribute['type']]['alternate'][0], $attribute['value'])) {
|
if (preg_match($this->mapping[$item['Attribute']['type']]['alternate'][0], $item['Attribute']['value' . $valueField])) {
|
||||||
$brotype = $this->mapping[$attribute['type']]['alternate'][1];
|
$brotype = $this->mapping[$item['Attribute']['type']]['alternate'][1];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ($valueField == 2 && isset($this->mapping[$attribute['type']]['composite'])) {
|
if ($valueField == 2 && isset($this->mapping[$item['Attribute']['type']]['composite'])) {
|
||||||
$brotype = $this->mapping[$attribute['type']]['composite'];
|
$brotype = $this->mapping[$item['Attribute']['type']]['composite'];
|
||||||
}
|
}
|
||||||
$attribute['value'] = $this->replaceIllegalChars($attribute['value']); // substitute chars not allowed in rule
|
$item['Attribute']['value' . $valueField] = $this->replaceIllegalChars($item['Attribute']['value' . $valueField]); // substitute chars not allowed in rule
|
||||||
if (isset($this->mapping[$attribute['type']]['replace'])) {
|
if (isset($this->mapping[$item['Attribute']['type']]['replace'])) {
|
||||||
$attribute['value'] = preg_replace(
|
$item['Attribute']['value' . $valueField] = preg_replace(
|
||||||
$this->mapping[$attribute['type']]['replace'][0],
|
$this->mapping[$item['Attribute']['type']]['replace'][0],
|
||||||
$this->mapping[$attribute['type']]['replace'][1],
|
$this->mapping[$item['Attribute']['type']]['replace'][1],
|
||||||
$attribute['value']
|
$item['Attribute']['value' . $valueField]
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
return sprintf(
|
return sprintf(
|
||||||
$ruleFormat,
|
$ruleFormat,
|
||||||
$this->replaceIllegalChars($attribute['value']), // value - for composite values only the relevant element is taken
|
$this->replaceIllegalChars($item['Attribute']['value' . $valueField]), // value - for composite values only the relevant element is taken
|
||||||
'Intel::' . $brotype, // type
|
'Intel::' . $brotype, // type
|
||||||
$this->replaceIllegalChars($attribute['comment']),
|
$this->replaceIllegalChars($item['Event']['info'])
|
||||||
|
$this->replaceIllegalChars($item['Attribute']['comment']),
|
||||||
'T', // meta.do_notice
|
'T', // meta.do_notice
|
||||||
'-' // meta.if_in
|
'-' // meta.if_in
|
||||||
);
|
);
|
||||||
|
|
|
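Review bot: The new `$ruleFormat` still concatenates `$orgName` and `$ruleFormatReference` straight into the sprintf format string, so a percent sign in the organisation name, the instance string or `MISP.baseurl` hits the same failure this commit fixes for the event info. sprintf then either fails or consumes the wrong argument, and the indicator is dropped from the export or written malformed, which is a silent detection gap. Escape both before building the format, e.g. `str_replace('%', '%%', $orgName)` and `str_replace('%', '%%', $ruleFormatReference)`, or pass them as further `%s` arguments. Also, as rendered here, the added argument `$this->replaceIllegalChars($item['Event']['info'])` has no trailing comma before the comment argument, which would be a parse error if the page reproduces the file exactly. The closing lines of `__generateRule` fall outside the hunk.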
@ -2390,7 +2390,7 @@ class Attribute extends AppModel
|
||||||
'conditions' => $conditions, // array of conditions
|
'conditions' => $conditions, // array of conditions
|
||||||
'order' => 'Attribute.value' . $valueField . ' ASC',
|
'order' => 'Attribute.value' . $valueField . ' ASC',
|
||||||
'recursive' => -1, // int
|
'recursive' => -1, // int
|
||||||
'fields' => array('Attribute.id', 'Attribute.event_id', 'Attribute.type', 'Attribute.comment', 'Attribute.value' . $valueField . " as value"),
|
'fields' => array('Attribute.id', 'Attribute.event_id', 'Attribute.type', 'Attribute.category', 'Attribute.comment', 'Attribute.to_ids', 'Attribute.value', 'Attribute.value' . $valueField),
|
||||||
'contain' => array('Event' => array('fields' => array('Event.id', 'Event.threat_level_id', 'Event.orgc_id', 'Event.uuid'))),
|
'contain' => array('Event' => array('fields' => array('Event.id', 'Event.threat_level_id', 'Event.orgc_id', 'Event.uuid'))),
|
||||||
'group' => array('Attribute.type', 'Attribute.value' . $valueField), // fields to GROUP BY
|
'group' => array('Attribute.type', 'Attribute.value' . $valueField), // fields to GROUP BY
|
||||||
'enforceWarninglist' => $enforceWarninglist
|
'enforceWarninglist' => $enforceWarninglist
|
||||||
|
|
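Review bot: The `contain` entry for `Event` still selects only `Event.id`, `Event.threat_level_id`, `Event.orgc_id` and `Event.uuid`, while the export code changed in this commit reads `$item['Event']['info']`. If this query is the one feeding BroExport (the enclosing function starts outside the hunk, so that is an assumption), add `'Event.info'` to that field list; otherwise the description column is built from an undefined index. Separately, `$valueField` is concatenated into the `fields`, `order` and `group` entries and its origin is not visible here, so confirm it is constrained to the literal values 1 or 2 before it reaches the query.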