From 4181e6754b5c90f12c247d283736c5f73963f331 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Mon, 11 Sep 2017 16:26:25 +0200 Subject: [PATCH 01/25] remove old text from fdocumentation --- app/View/Pages/doc/using_the_system.ctp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/View/Pages/doc/using_the_system.ctp b/app/View/Pages/doc/using_the_system.ctp index 2e13a7aca..54001c840 100644 --- a/app/View/Pages/doc/using_the_system.ctp +++ b/app/View/Pages/doc/using_the_system.ctp @@ -52,8 +52,7 @@ and attachments and finally publishing it.

This includes all organisations on this MISP server, all organisations on MISP servers synchronising with this server and the hosting organisations of servers that connect to those afore mentioned servers (so basically any server that is 2 hops away from this one). Any other organisations connected to linked - servers that are 2 hops away from this own will be restricted from seeing the event. For more information - on community-related distribution levels, click here.
+ servers that are 2 hops away from this own will be restricted from seeing the event.
Upon push: downgrade to This Community only and push. Upon pull: pull and downgrade to This Community only.
  • All communities: This will share the event with all MISP communities, allowing the event to be From caedc85077541e42d13c1b2d089639d4e80cb6c0 Mon Sep 17 00:00:00 2001 From: truckydev Date: Tue, 19 Sep 2017 09:38:48 +0200 Subject: [PATCH 02/25] bugfix for freetextimport and email Correction for a bug when you add an email in freeTextImport. When you select 'whois-registrant-email' attribut never created and an error is displayed. because : 'whois-registrant-email' not in 'Social network' and 'Payload delivery' but only in 'Attribution'. This PR add the type 'whois-registrant-email' in 'Social network' and 'Payload delivery' category. #### What does it do? no issue has been created. #### Questions - [ ] Does it require a DB change? - [ ] Are you using it in production? - [ ] Does it require a change in the API (PyMISP for example)? #### Release Type: - [ ] Major - [ ] Minor - [X] Patch --- app/Model/Attribute.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php index 51255437b..6c4765760 100644 --- a/app/Model/Attribute.php +++ b/app/Model/Attribute.php 
@@ -269,7 +269,7 @@ class Attribute extends AppModel { 'Payload delivery' => array( 'desc' => 'Information about how the malware is delivered', 'formdesc' => 'Information about the way the malware payload is initially delivered, for example information about the email or web-site, vulnerability used, originating IP etc. Malware sample itself should be attached here.', - 'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy','authentihash', 'pehash', 'tlsh', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash','filename|impfuzzy', 'filename|pehash', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'email-body', 'url', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'yara', 'sigma', 'attachment', 'malware-sample', 'link', 'malware-type', 'comment', 'text', 'hex', 'vulnerability', 'x509-fingerprint-sha1', 'other', 'ip-dst|port', 'ip-src|port', 'hostname|port', 'email-dst-display-name', 'email-src-display-name', 'email-header', 'email-reply-to', 'email-x-mailer', 'email-mime-boundary', 'email-thread-index', 'email-message-id', 'mobile-application-id') + 'types' => array('md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy','authentihash', 'pehash', 'tlsh', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash','filename|impfuzzy', 'filename|pehash', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'hostname', 'domain', 'email-src', 'email-dst', 
'email-subject', 'email-attachment', 'email-body', 'url', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'yara', 'sigma', 'attachment', 'malware-sample', 'link', 'malware-type', 'comment', 'text', 'hex', 'vulnerability', 'x509-fingerprint-sha1', 'other', 'ip-dst|port', 'ip-src|port', 'hostname|port', 'email-dst-display-name', 'email-src-display-name', 'email-header', 'email-reply-to', 'email-x-mailer', 'email-mime-boundary', 'email-thread-index', 'email-message-id', 'mobile-application-id', 'whois-registrant-email') ), 'Artifacts dropped' => array( 'desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system', @@ -315,7 +315,7 @@ class Attribute extends AppModel { 'Social network' => array( 'desc' => 'Social networks and platforms', // email-src and email-dst or should we go with a new email type that is neither / both? - 'types' => array('github-username', 'github-repository', 'github-organisation', 'jabber-id', 'twitter-id', 'email-src', 'email-dst', 'comment', 'text', 'other') + 'types' => array('github-username', 'github-repository', 'github-organisation', 'jabber-id', 'twitter-id', 'email-src', 'email-dst', 'comment', 'text', 'other', 'whois-registrant-email') ), 'Person' => array( 'desc' => 'A human being - natural person', From e9ac667afe53e1e72ff4857c171608e8df53422f Mon Sep 17 00:00:00 2001 From: iglocska Date: Tue, 19 Sep 2017 09:50:05 +0200 Subject: [PATCH 03/25] fix: Fixed no specification of the tinyint length for the objects in MYSQL.sql --- INSTALL/MYSQL.sql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/INSTALL/MYSQL.sql b/INSTALL/MYSQL.sql index 407104ae4..1fa0aa528 100644 --- a/INSTALL/MYSQL.sql +++ b/INSTALL/MYSQL.sql 
@@ -439,7 +439,7 @@ CREATE TABLE IF NOT EXISTS objects ( `distribution` tinyint(4) NOT NULL DEFAULT 0, `sharing_group_id` int(11), `comment` text COLLATE utf8_bin NOT NULL, - `deleted` TINYINT NOT NULL DEFAULT 0, + `deleted` tinyint(1) NOT NULL DEFAULT 0, PRIMARY KEY (id), INDEX `name` (`name`), INDEX `template_uuid` (`template_uuid`), From 5854a15d4c8f46ce1acd335ff457f270b044772a Mon Sep 17 00:00:00 2001 From: iglocska Date: Tue, 19 Sep 2017 09:51:06 +0200 Subject: [PATCH 04/25] fix: Fixed query string and pymisp version --- app/Controller/AppController.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/Controller/AppController.php b/app/Controller/AppController.php index 1c1615827..737fe588b 100755 --- a/app/Controller/AppController.php +++ b/app/Controller/AppController.php @@ -46,8 +46,8 @@ class AppController extends Controller { public $helpers = array('Utility'); - private $__queryVersion = '18'; - public $pyMispVersion = '2.4.79'; + private $__queryVersion = '19'; + public $pyMispVersion = '2.4.80'; public $phpmin = '5.6.5'; public $phprec = '7.0.16'; From 080b1f8a56ed3cdb916c178a86a2ea8478ef49d3 Mon Sep 17 00:00:00 2001 From: Ergin ALTINTAS Date: Tue, 19 Sep 2017 11:35:21 +0300 Subject: [PATCH 05/25] Update README.md Fix the typo: "Network Detection Intrusion System" -> "Network Intrusion Detection System" --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index acd91a044..dff8a9243 100644 --- a/README.md +++ b/README.md 
@@ -33,7 +33,7 @@ MISP - Malware Information Sharing Platform and Threat Sharing MISP, Malware Information Sharing Platform and Threat Sharing, is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threat about cyber security incidents analysis and malware analysis. MISP is designed by and for incident analysts, security and ICT professionals or malware reverser to support their day-to-day operations to share structured informations efficiently. -The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionalities to support the exchange of information but also the consumption of the information by Network Detection Intrusion System (NIDS), LIDS but also log analysis tools, SIEMs. +The objective of MISP is to foster the sharing of structured information within the security community and abroad. MISP provides functionalities to support the exchange of information but also the consumption of the information by Network Intrusion Detection System (NIDS), LIDS but also log analysis tools, SIEMs. MISP, Malware Information Sharing Platform and Threat Sharing, core functionalities are: From 76ec7f1c1026b8a3094197f451e7cd2ffd415fd3 Mon Sep 17 00:00:00 2001 From: iglocska Date: Tue, 19 Sep 2017 12:05:21 +0200 Subject: [PATCH 06/25] fix: Fixed the XML view - please stop using XML, for your own sanity, I beg of you! --- app/Lib/Tools/XMLConverterTool.php | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/app/Lib/Tools/XMLConverterTool.php b/app/Lib/Tools/XMLConverterTool.php index a493dd8fd..31033a42d 100644 --- a/app/Lib/Tools/XMLConverterTool.php +++ b/app/Lib/Tools/XMLConverterTool.php 
@@ -126,12 +126,7 @@ class XMLConverterTool { $event['Event']['Tag'][$k] = $tag['Tag']; } } - foreach ($event['Event']['RelatedAttribute'] as &$attribute_w_relation) { - foreach ($attribute_w_relation as &$relation) { - $this->__sanitizeField($relation['info']); - $this->__sanitizeField($relation['value']); - } - } + unset($event['Event']['RelatedAttribute']); // // cleanup the array from things we do not want to expose // @@ -167,6 +162,12 @@ class XMLConverterTool { $event['Event']['RelatedEvent'][$key]['Event'][0] = $temp; unset($event['Event']['RelatedEvent'][$key]['Event'][0]['user_id']); $this->__sanitizeField($event['Event']['RelatedEvent'][$key]['Event'][0]['info']); + if (isset($event['Event']['RelatedEvent'][$key]['Event'][0]['Org'])) { + $event['Event']['RelatedEvent'][$key]['Event'][0]['Org'] = array(0 => $event['Event']['RelatedEvent'][$key]['Event'][0]['Org']); + } + if (isset($event['Event']['RelatedEvent'][$key]['Event'][0]['Orgc'])) { + $event['Event']['RelatedEvent'][$key]['Event'][0]['Orgc'] = array(0 => $event['Event']['RelatedEvent'][$key]['Event'][0]['Orgc']); + } unset($temp); } } From 83dce8191ec74f6d65bc3aa817ff115c8f5ee9e6 Mon Sep 17 00:00:00 2001 From: Richie B2B Date: Tue, 19 Sep 2017 13:40:08 +0200 Subject: [PATCH 07/25] Use sanitized orgname in STIX header --- app/files/scripts/misp2stix_framing.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/files/scripts/misp2stix_framing.py b/app/files/scripts/misp2stix_framing.py index b62cd6ba5..d10b6f32e 100644 --- a/app/files/scripts/misp2stix_framing.py +++ b/app/files/scripts/misp2stix_framing.py 
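Review bot: The new `unset($event['Event']['RelatedAttribute']);` silently drops related attributes from the XML view where the old code sanitised and kept them, and nothing in the hunk records why, so the next maintainer will read it as an accidental loss; a one-line comment such as `// RelatedAttribute is deliberately not exported in the XML view` (or whatever the real reason is) belongs on that line. The two new `array(0 => ...)` wrappers for `Org` and `Orgc` in the second hunk likewise deserve a note on intent, e.g. `// wrap as a list so the XML serialiser emits <Org> the same way as the top-level event`, since the reason is only inferable. Both hunks sit inside a method whose start and end are outside the hunk.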
@@ -103,18 +103,18 @@ def main(args): NS_DICT[namespace[0]]=namespace[1] try: - idgen.set_id_namespace({baseURL: orgname}) + idgen.set_id_namespace({baseURL: namespace[1]}) except ValueError: # Some weird stix error that sometimes occurs if the stars # align and Mixbox is being mean to us # Glory to STIX, peace and good xmlns be upon it try: - idgen.set_id_namespace(Namespace(baseURL, orgname)) + idgen.set_id_namespace(Namespace(baseURL, namespace[1])) except TypeError: # Ok this only occurs if the script is being run under py3 # and if we're running a REALLY weird version of stix # May as well catch it - idgen.set_id_namespace(Namespace(baseURL, orgname, "MISP")) + idgen.set_id_namespace(Namespace(baseURL, namespace[1], "MISP")) stix_package = STIXPackage() From 09dfb7aa147a4398141885e7f2fa7576ff89b08f Mon Sep 17 00:00:00 2001 From: iglocska Date: Tue, 19 Sep 2017 15:50:19 +0200 Subject: [PATCH 08/25] fix: Reverted CakePHP version --- app/Lib/cakephp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Lib/cakephp b/app/Lib/cakephp index c3a612aa9..bfd2d21d7 160000 --- a/app/Lib/cakephp +++ b/app/Lib/cakephp @@ -1 +1 @@ -Subproject commit c3a612aa94d30a4c51653f40f55ce07177300307 +Subproject commit bfd2d21d782a69626bcf1ae2d22aad6e565fb29c From b5c4d0749b3b72781d4c6bd75610d9b213df46f9 Mon Sep 17 00:00:00 2001 From: iglocska Date: Tue, 19 Sep 2017 16:50:56 +0200 Subject: [PATCH 09/25] new: Added object relations to the CSV export --- app/Controller/EventsController.php | 4 ++-- app/Model/Event.php | 13 ++++++++++++- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php index cbe527866..1d27fd7ac 100644 --- a/app/Controller/EventsController.php +++ b/app/Controller/EventsController.php 
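Review bot: `namespace[1]` is now used three times as the ID namespace prefix, but it is assigned outside the hunk (the `NS_DICT[namespace[0]]=namespace[1]` context line is the only visible trace), so a reader cannot tell from this code that it is the sanitised organisation name the commit subject refers to. Binding it once before the `try`, e.g. `ns_prefix = namespace[1]  # sanitised orgname, see NS_DICT setup above`, and passing `ns_prefix` in all three `set_id_namespace` calls makes the intent explicit and removes the repeated indexing. The enclosing `main()` starts and ends outside the hunk.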
@@ -2154,7 +2154,7 @@ class EventsController extends AppController { $attributes = $this->Event->csv($user, $eventid, $ignore, $list, false, $category, $type, $includeContext, $enforceWarninglist); $attributes = $this->Whitelist->removeWhitelistedFromArray($attributes, true); foreach ($attributes as $attribute) { - $line = $attribute['Attribute']['uuid'] . ',' . $attribute['Attribute']['event_id'] . ',' . $attribute['Attribute']['category'] . ',' . $attribute['Attribute']['type'] . ',' . $attribute['Attribute']['value'] . ',' . $attribute['Attribute']['comment'] . ',' . intval($attribute['Attribute']['to_ids']) . ',' . $attribute['Attribute']['timestamp']; + $line = $attribute['Attribute']['uuid'] . ',' . $attribute['Attribute']['event_id'] . ',' . $attribute['Attribute']['category'] . ',' . $attribute['Attribute']['type'] . ',' . $attribute['Attribute']['value'] . ',' . $attribute['Attribute']['comment'] . ',' . intval($attribute['Attribute']['to_ids']) . ',' . $attribute['Attribute']['timestamp'] . ',' . $attribute['Object']['uuid'] . ',' . $attribute['Object']['name'] . ',' . $attribute['Object']['meta-category']; if ($includeContext) { foreach ($this->Event->csv_event_context_fields_to_fetch as $header => $field) { if ($field['object']) $line .= ',' . $attribute['Event'][$field['object']][$field['var']]; @@ -2174,7 +2174,7 @@ class EventsController extends AppController { $filename = "misp.event_" . $exportType . ".csv"; } $this->layout = 'text/default'; - $headers = array('uuid', 'event_id', 'category', 'type', 'value', 'comment', 'to_ids', 'date'); + $headers = array('uuid', 'event_id', 'category', 'type', 'value', 'comment', 'to_ids', 'date', 'object_uuid', 'object_name', 'object_meta_category'); if ($includeContext) $headers = array_merge($headers, array_keys($this->Event->csv_event_context_fields_to_fetch)); $headers = implode(',', $headers); $final = array_merge(array($headers), $final); 
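Review bot: The extended `$line` reads `$attribute['Object']['uuid']`, `['name']` and `['meta-category']` unconditionally, so this loop now depends on `Event::csv()` always populating the `Object` key, including for attributes that belong to no object; that contract is invisible here and should be stated at the line, e.g. `// Object fields are always present: Event::csv() fills them (empty when the attribute is not part of an object)`. The second hunk keeps `$headers` in the same order as the concatenation, which is the one thing to re-check whenever either side changes. The enclosing method begins and ends outside the hunk.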
diff --git a/app/Model/Event.php b/app/Model/Event.php index 3939c28d7..d058564ab 100755 --- a/app/Model/Event.php +++ b/app/Model/Event.php @@ -1761,7 +1761,8 @@ class Event extends AppModel { 'conditions' => $conditions, //array of conditions 'fields' => array('Attribute.event_id', 'Attribute.distribution', 'Attribute.category', 'Attribute.type', 'Attribute.value', 'Attribute.comment', 'Attribute.uuid', 'Attribute.to_ids', 'Attribute.timestamp', 'Attribute.id'), 'order' => array('Attribute.uuid ASC'), - 'enforceWarninglist' => $enforceWarninglist + 'enforceWarninglist' => $enforceWarninglist, + 'flatten' => true ); if ($includeContext) { @@ -1782,6 +1783,7 @@ class Event extends AppModel { ), ); } + $params['contain']['Object'] = array('fields' => array('id', 'uuid', 'name', 'meta-category')); $attributes = $this->Attribute->fetchAttributes($user, $params); if (empty($attributes)) return array(); foreach ($attributes as &$attribute) { 
@@ -1790,6 +1792,15 @@ class Event extends AppModel { $attribute['Attribute']['comment'] = str_replace(array('"'), '""', $attribute['Attribute']['comment']); $attribute['Attribute']['comment'] = '"' . $attribute['Attribute']['comment'] . '"'; $attribute['Attribute']['timestamp'] = date('Ymd', $attribute['Attribute']['timestamp']); + if (empty($attribute['Object'])) { + $attribute['Object']['uuid'] = '""'; + $attribute['Object']['name'] = ''; + $attribute['Object']['meta-category'] = ''; + } + $attribute['Object']['name'] = str_replace(array('"'), '""', $attribute['Object']['name']); + $attribute['Object']['name'] = '"' . $attribute['Object']['name'] . '"'; + $attribute['Object']['meta-category'] = str_replace(array('"'), '""', $attribute['Object']['meta-category']); + $attribute['Object']['meta-category'] = '"' . $attribute['Object']['meta-category'] . '"'; if ($includeContext) { $attribute['Event']['info'] = str_replace(array('"'), '""', $attribute['Event']['info']); $attribute['Event']['info'] = '"' . $attribute['Event']['info'] . '"'; From c5d3ae7b1fdd696114bbf8c11c1bff5ce77398e2 Mon Sep 17 00:00:00 2001 From: Kyle Parrish Date: Tue, 19 Sep 2017 13:25:17 -0400 Subject: [PATCH 10/25] RPZExport - Alternate NS Added option to add an alternate nameserver to RPZ export. --- app/Console/Command/EventShell.php | 2 +- app/Controller/AttributesController.php | 8 ++++---- app/Lib/Export/RPZExport.php | 9 ++++++++- app/Model/Server.php | 8 ++++++++ 4 files changed, 21 insertions(+), 6 deletions(-) diff --git a/app/Console/Command/EventShell.php b/app/Console/Command/EventShell.php index 2327d58f9..54baf757e 100644 --- a/app/Console/Command/EventShell.php +++ b/app/Console/Command/EventShell.php 
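Review bot: The fallback for attributes without an object sets `$attribute['Object']['uuid'] = '""'` (a literal pair of double quotes) while the normal path emits the raw uuid unquoted, so the same CSV column is rendered differently depending on which branch runs; the updated `tests/event.csv` in this series shows an empty object_uuid field, which suggests the `empty($attribute['Object'])` branch is not normally hit and a contained `Object` with null fields reaches the quoting code instead. Using `$attribute['Object']['uuid'] = '';` in the fallback, and triggering it on `if (empty($attribute['Object']['uuid']))` rather than on the whole array, keeps both paths consistent and covers the null-field case explicitly. A short comment that `uuid` is intentionally left unquoted while `name` and `meta-category` are CSV-quoted would also help. The enclosing `csv()` method continues outside the hunk.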
@@ -209,7 +209,7 @@ class EventShell extends AppShell App::uses('RPZExport', 'Export'); $rpzExport = new RPZExport(); $rpzSettings = array(); - $lookupData = array('policy', 'walled_garden', 'ns', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl'); + $lookupData = array('policy', 'walled_garden', 'ns', 'ns_alt', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl'); foreach ($lookupData as $v) { $tempSetting = Configure::read('Plugin.RPZ_' . $v); if (isset($tempSetting)) $rpzSettings[$v] = Configure::read('Plugin.RPZ_' . $v); diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php index 27bd870e5..1f1af390d 100644 --- a/app/Controller/AttributesController.php +++ b/app/Controller/AttributesController.php @@ -2017,7 +2017,7 @@ class AttributesController extends AppController { $this->render('/Attributes/text'); } - public function rpz($key='download', $tags=false, $eventId=false, $from=false, $to=false, $policy=false, $walled_garden = false, $ns = false, $email = false, $serial = false, $refresh = false, $retry = false, $expiry = false, $minimum_ttl = false, $ttl = false, $enforceWarninglist = false) { + public function rpz($key='download', $tags=false, $eventId=false, $from=false, $to=false, $policy=false, $walled_garden = false, $ns = false, $ns_alt = false, $email = false, $serial = false, $refresh = false, $retry = false, $expiry = false, $minimum_ttl = false, $ttl = false, $enforceWarninglist = false) { // request handler for POSTed queries. If the request is a post, the parameters (apart from the key) will be ignored and replaced by the terms defined in the posted json or xml object. // The correct format for both is a "request" root element, as shown by the examples below: // For Json: {"request":{"policy": "walled-garden","garden":"garden.example.com"}} 
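Review bot: Inserting `$ns_alt = false` between `$ns` and `$email` in the `rpz()` signature shifts every following positional parameter, so an existing URL-style call that passes the SOA e-mail, serial, refresh and the rest by position will now have each value read one slot off (the e-mail lands in `$ns_alt`). Appending the new parameter at the end of the list, after `$enforceWarninglist = false`, keeps old callers working; the `$paramArray` and `$lookupData` lists do not depend on signature order, so nothing else needs to move. The `EventShell` change in the same line set is unaffected because it reads named settings. The body of `rpz()` continues outside the hunk.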
@@ -2030,14 +2030,14 @@ class AttributesController extends AppController { $data = $this->request->data; } if (empty($data)) throw new BadRequestException('Either specify the search terms in the url, or POST a json array / xml (with the root element being "request" and specify the correct headers based on content type.'); - $paramArray = array('eventId', 'tags', 'from', 'to', 'policy', 'walled_garden', 'ns', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl', 'enforceWarninglist'); + $paramArray = array('eventId', 'tags', 'from', 'to', 'policy', 'walled_garden', 'ns', 'ns_alt', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl', 'enforceWarninglist'); foreach ($paramArray as $p) { if (isset($data['request'][$p])) ${$p} = $data['request'][$p]; else ${$p} = null; } } - $simpleFalse = array('eventId', 'tags', 'from', 'to', 'policy', 'walled_garden', 'ns', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl', 'enforceWarninglist'); + $simpleFalse = array('eventId', 'tags', 'from', 'to', 'policy', 'walled_garden', 'ns', 'ns_alt', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl', 'enforceWarninglist'); foreach ($simpleFalse as $sF) { if (!is_array(${$sF}) && (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false')) ${$sF} = false; } @@ -2048,7 +2048,7 @@ class AttributesController extends AppController { $this->loadModel('Server'); $rpzSettings = array(); - $lookupData = array('policy', 'walled_garden', 'ns', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl'); + $lookupData = array('policy', 'walled_garden', 'ns', 'ns_alt', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl'); foreach ($lookupData as $v) { if (${$v} !== false) $rpzSettings[$v] = ${$v}; else { diff --git a/app/Lib/Export/RPZExport.php b/app/Lib/Export/RPZExport.php index da4edae8e..365594d07 100644 --- a/app/Lib/Export/RPZExport.php 
+++ b/app/Lib/Export/RPZExport.php @@ -55,7 +55,14 @@ class RPZExport { $header = ''; $header .= '$TTL ' . $rpzSettings['ttl'] . ';' . PHP_EOL; $header .= '@ SOA ' . $rpzSettings['ns'] . ' ' . $rpzSettings['email'] . ' (' . $rpzSettings['serial'] . ' ' . $rpzSettings['refresh'] . ' ' . $rpzSettings['retry'] . ' ' . $rpzSettings['expiry'] . ' ' . $rpzSettings['minimum_ttl'] . ')' . PHP_EOL; - $header .= ' NS ' . $rpzSettings['ns'] . PHP_EOL . PHP_EOL; + + if (!empty($rpzSettings['ns_alt'])){ + $header .= ' NS ' . $rpzSettings['ns'] . PHP_EOL; + $header .= ' NS ' . $rpzSettings['ns_alt'] . PHP_EOL . PHP_EOL; + } else { + $header .= ' NS ' . $rpzSettings['ns'] . PHP_EOL . PHP_EOL; + } + return $header; } diff --git a/app/Model/Server.php b/app/Model/Server.php index 1ad6c4178..cc9278980 100644 --- a/app/Model/Server.php +++ b/app/Model/Server.php @@ -1101,6 +1101,14 @@ class Server extends AppModel { 'test' => 'testForEmpty', 'type' => 'string', ), + 'RPZ_ns_alt' => array( + 'level' => 2, + 'description' => 'Alternate nameserver', + 'value' => '', + 'errorMessage' => '', + 'test' => 'testForEmpty', + 'type' => 'string', + ), 'RPZ_email' => array( 'level' => 2, 'description' => 'The e-mail address specified in the SOA portion of the zone file.', From da573e6ee933f88874c129022e00f8f7d21b8e57 Mon Sep 17 00:00:00 2001 From: iglocska Date: Wed, 20 Sep 2017 15:40:16 +0200 Subject: [PATCH 11/25] fix: Port added to network activity --- app/Model/Attribute.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php index 6c4765760..10258f17d 100644 --- a/app/Model/Attribute.php +++ b/app/Model/Attribute.php 
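Review bot: `$rpzSettings['ns_alt']` is concatenated straight into the zone header with no format check, and the value can arrive from a URL parameter or a POSTed request body through `AttributesController::rpz()` (the new Server setting only carries `testForEmpty`), so a value containing whitespace or a newline would inject additional records into the exported RPZ zone that a DNS server then loads; the existing `ns` on the `SOA` line has the same exposure, but this change widens it. Validating the value as a hostname before use, e.g. `if (!empty($rpzSettings['ns_alt']) && !preg_match('/^[a-z0-9.-]+$/i', $rpzSettings['ns_alt'])) throw new InvalidArgumentException('Invalid alternate nameserver');` (or rejecting it in the controller), closes that for the new parameter. The `RPZ_ns_alt` description `'Alternate nameserver'` in Server.php should also say it is emitted as a second NS record under the primary in the zone header.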
@@ -287,7 +287,7 @@ class Attribute extends AppModel { ), 'Network activity' => array( 'desc' => 'Information about network traffic generated by the malware', - 'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'hostname', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-sha1', 'other', 'hex', 'cookie') + 'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-sha1', 'other', 'hex', 'cookie') ), 'Payload type' => array( 'desc' => 'Information about the final payload(s)', From 2864b013865780d8f0d16102c850a112912ab27e Mon Sep 17 00:00:00 2001 From: iglocska Date: Wed, 20 Sep 2017 15:43:19 +0200 Subject: [PATCH 12/25] fix: only lower case search terms work in tags/index's filter --- app/Controller/TagsController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Controller/TagsController.php b/app/Controller/TagsController.php index ce39737be..49e1b9a80 100644 --- a/app/Controller/TagsController.php +++ b/app/Controller/TagsController.php @@ -45,7 +45,7 @@ class TagsController extends AppController { $this->paginate['conditions']['AND']['Tag.id'] = $tag_id_list; } if (isset($this->params['named']['searchall'])) { - $this->paginate['conditions']['AND']['LOWER(Tag.name) LIKE'] = '%' . $this->params['named']['searchall'] . '%'; + $this->paginate['conditions']['AND']['LOWER(Tag.name) LIKE'] = '%' . strtolower($this->params['named']['searchall']) . '%'; $passedArgsArray['all'] = $this->params['named']['searchall']; } if ($this->_isRest()) { From 1770a501abd37f3bb71c322079e1bd384ff46a98 Mon Sep 17 00:00:00 2001 
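Review bot: `strtolower()` is byte-wise while `LOWER(Tag.name)` on the database side lower-cases according to the column collation, so a search term containing non-ASCII upper-case letters still does not match case-insensitively after this change; if the mbstring extension is a dependency, `mb_strtolower($this->params['named']['searchall'], 'UTF-8')` aligns the two sides. The `%` and `_` LIKE wildcards in the term are also passed through unescaped; that is not an injection issue since the value is bound as a condition, but it means a bare `%` matches every tag, which is worth a comment if intended. The enclosing `index()` action continues outside the hunk.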
From: iglocska Date: Wed, 20 Sep 2017 15:47:46 +0200 Subject: [PATCH 13/25] fix: Added ObjectTemplateElements to the objectTemplate view via the API --- app/Controller/ObjectTemplatesController.php | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/Controller/ObjectTemplatesController.php b/app/Controller/ObjectTemplatesController.php index 9e99423c2..84ed225d2 100644 --- a/app/Controller/ObjectTemplatesController.php +++ b/app/Controller/ObjectTemplatesController.php @@ -51,6 +51,9 @@ class ObjectTemplatesController extends AppController { ), 'conditions' => array('ObjectTemplate.id' => $id) ); + if ($this->_isRest()) { + $params['contain'][] = 'ObjectTemplateElement'; + } if ($this->_isSiteAdmin()) { $params['contain']['User']= array('fields' => array('User.id', 'User.email')); } From 12b1c354fae7705f23529db930d112698dd0e170 Mon Sep 17 00:00:00 2001 From: iglocska Date: Wed, 20 Sep 2017 16:53:54 +0200 Subject: [PATCH 14/25] fix: Fixed a bug where normal users couldn't add object references - as reported by @deralexxx --- app/Controller/ObjectReferencesController.php | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/app/Controller/ObjectReferencesController.php b/app/Controller/ObjectReferencesController.php index 458770f3e..aca419162 100644 --- a/app/Controller/ObjectReferencesController.php +++ b/app/Controller/ObjectReferencesController.php @@ -34,10 +34,7 @@ class ObjectReferencesController extends AppController { ) ) )); - if (!$this->userRole['perm_add']) { - throw new MethodNotAllowedException('You don\'t have the required permissions to add object reference.'); - } - if (empty($object) || (!$this->_isSiteAdmin() && $object['Event']['orgc_id'] != $this->Auth->user('orgc_id'))) { + if (empty($object) || (!$this->_isSiteAdmin() && $object['Event']['orgc_id'] != $this->Auth->user('org_id'))) { throw new MethodNotAllowedException('Invalid object.'); } $this->set('objectId', $objectId); 
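Review bot: The ObjectReferencesController hunk removes the `perm_add` check entirely, so as far as the visible code goes any authenticated user whose organisation matches the event's `orgc_id` can now add object references, including roles without add permission; the actual bug looks like the `orgc_id` → `org_id` change on the following line (comparing against `$this->Auth->user('orgc_id')` presumably never matched), which would have fixed "normal users" on its own. Unless `perm_add` is enforced elsewhere for this action (e.g. in a `beforeFilter` or ACL not shown here), the check should stay: `if (!$this->userRole['perm_add']) throw new MethodNotAllowedException('You don\'t have the required permissions to add object reference.');`. The enclosing `add()` action starts and ends outside the hunk.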
From 85d0ef525e54703358fb22c8b6601be28c82b064 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Wed, 20 Sep 2017 15:45:40 +0100 Subject: [PATCH 15/25] up: test file --- tests/event.csv | 62 ++++++++++++++++++++++++------------------------- 1 file changed, 31 insertions(+), 31 deletions(-) diff --git a/tests/event.csv b/tests/event.csv index cad5d5529..ac8f2fd45 100644 --- a/tests/event.csv +++ b/tests/event.csv 
@@ -1,31 +1,31 @@ -uuid,event_id,category,type,value,comment,to_ids,date -548847d8-01e0-4231-a739-15bb950d210b,750,Payload installation,md5,"744c07e886497f7b68f6f7fe57b7ab54","Regin samples collected.",1,20141210 -548847d8-05f8-49e7-af79-15bb950d210b,750,Payload installation,md5,"47d0e8f9d7a6429920329207a32ecc2e","Regin samples collected.",1,20141210 -548847d8-3fbc-4a06-ba82-15bb950d210b,750,Payload installation,md5,"2c8b9d2885543d7ade3cae98225e263b","Regin samples collected.",1,20141210 -548847d8-9db0-4df6-8206-15bb950d210b,750,Payload installation,md5,"26297dc3cd0b688de3b846983c5385e5","Regin samples collected.",1,20141210 -548847d8-a33c-41f3-9f7a-15bb950d210b,750,Payload installation,md5,"01c2f321b6bfdb9473c079b0797567ba","Regin samples collected.",1,20141210 -548847d8-c950-48eb-b960-15bb950d210b,750,Payload installation,md5,"4b6b86c7fec1c574706cecedf44abded","Regin samples collected.",1,20141210 -548847d9-1404-4331-ae3c-15bb950d210b,750,Payload installation,md5,"90fecc6a89b2e22d82d58878d93477d4","Regin samples collected.",1,20141210 -548847d9-39dc-4247-b23d-15bb950d210b,750,Payload installation,md5,"06665b96e293b23acc80451abb413e50","Regin samples collected.",1,20141210 -548847d9-3b28-449e-b527-15bb950d210b,750,Payload installation,md5,"e94393561901895cb0783edc34740fd4","Regin samples collected.",1,20141210 -548847d9-4020-41da-b5f3-15bb950d210b,750,Payload installation,md5,"db405ad775ac887a337b02ea8b07fddc","Regin samples collected.",1,20141210 -548847d9-6340-44a0-8f33-15bb950d210b,750,Payload installation,md5,"ffb0b9b5b610191051a7bdf0806e1e47","Regin samples collected.",1,20141210 -548847d9-8b18-4654-9766-15bb950d210b,750,Payload installation,md5,"f3ffc2aaaa1e2ab55ec26ff098653347","Regin samples collected.",1,20141210 -548847d9-a564-4178-b8e6-15bb950d210b,750,Payload installation,md5,"6662c390b2bbbd291ec7987388fc75d7","Regin samples collected.",1,20141210 -548847d9-afe0-4531-a4b0-15bb950d210b,750,Payload 
installation,md5,"187044596bc1328efa0ed636d8aa4a5c","Regin samples collected.",1,20141210 -548847d9-b63c-4c95-a2bd-15bb950d210b,750,Payload installation,md5,"1800def71006ca6790767e202fae9b9a","Regin samples collected.",1,20141210 -548847d9-e6fc-4b93-a773-15bb950d210b,750,Payload installation,md5,"bfbe8c3ee78750c3a520480700e440f8","Regin samples collected.",1,20141210 -548847d9-fd54-4e49-909b-15bb950d210b,750,Payload installation,md5,"89003e9a1ae635c97ebad07aebc67f00","Regin samples collected.",1,20141210 -548847da-1660-4562-a1f8-15bb950d210b,750,Payload installation,md5,"b505d65721bb2453d5039a389113b566","Regin samples collected.",1,20141210 -548847da-2134-43d7-ba22-15bb950d210b,750,Payload installation,md5,"8fcf4e53ece6111758a1dd3139dc7cad","Regin samples collected.",1,20141210 -548847da-3e40-4ab2-a5eb-15bb950d210b,750,Payload installation,md5,"1c024e599ac055312a4ab75b3950040a","Regin samples collected.",1,20141210 -548847da-49c0-404d-ae42-15bb950d210b,750,Payload installation,md5,"d240f06e98c8d3e647cbf4d442d79475","Regin samples collected.",1,20141210 -548847da-71ec-4b2b-bae5-15bb950d210b,750,Payload installation,md5,"148c1bb9d405d717252c77593aff4bd8","Regin samples collected.",1,20141210 -548847da-9798-4b6d-b422-15bb950d210b,750,Payload installation,md5,"ba7bb65634ce1e30c1e5415be3d1db1d","Regin samples collected.",1,20141210 -548847da-ac78-474c-86fe-15bb950d210b,750,Payload installation,md5,"b29ca4f22ae7b7b25f79c1d4a421139d","Regin samples collected.",1,20141210 -548847da-c2d0-4d24-821e-15bb950d210b,750,Payload installation,md5,"b269894f434657db2b15949641a67532","Regin samples collected.",1,20141210 -548847da-ffe4-4a90-9f2a-15bb950d210b,750,Payload installation,md5,"22bfc970f707fd775d49e875b63c2f0c","Regin samples collected.",1,20141210 -548847db-060c-4275-a0c7-15bb950d210b,750,Payload installation,md5,"049436bb90f71cf38549817d9b90e2da","Regin samples collected.",1,20141210 -5488486c-1418-4624-b87c-15ba950d210b,750,Artifacts 
dropped,regkey,"Class\{4F20E605-9452-4787-B793-D0204917CA58}","",1,20141210 -5488486c-47ec-4952-8e60-15ba950d210b,750,Artifacts dropped,regkey,"Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}","",1,20141210 -5488486c-a044-4c31-830c-15ba950d210b,750,Artifacts dropped,regkey,"HKLM\System\CurrentControlSet\Control\","",1,20141210 +uuid,event_id,category,type,value,comment,to_ids,date,object_uuid,object_name,object_meta_category +548847d8-01e0-4231-a739-15bb950d210b,750,Payload installation,md5,"744c07e886497f7b68f6f7fe57b7ab54","Regin samples collected.",1,20141210,,"","" +548847d8-05f8-49e7-af79-15bb950d210b,750,Payload installation,md5,"47d0e8f9d7a6429920329207a32ecc2e","Regin samples collected.",1,20141210,,"","" +548847d8-3fbc-4a06-ba82-15bb950d210b,750,Payload installation,md5,"2c8b9d2885543d7ade3cae98225e263b","Regin samples collected.",1,20141210,,"","" +548847d8-9db0-4df6-8206-15bb950d210b,750,Payload installation,md5,"26297dc3cd0b688de3b846983c5385e5","Regin samples collected.",1,20141210,,"","" +548847d8-a33c-41f3-9f7a-15bb950d210b,750,Payload installation,md5,"01c2f321b6bfdb9473c079b0797567ba","Regin samples collected.",1,20141210,,"","" +548847d8-c950-48eb-b960-15bb950d210b,750,Payload installation,md5,"4b6b86c7fec1c574706cecedf44abded","Regin samples collected.",1,20141210,,"","" +548847d9-1404-4331-ae3c-15bb950d210b,750,Payload installation,md5,"90fecc6a89b2e22d82d58878d93477d4","Regin samples collected.",1,20141210,,"","" +548847d9-39dc-4247-b23d-15bb950d210b,750,Payload installation,md5,"06665b96e293b23acc80451abb413e50","Regin samples collected.",1,20141210,,"","" +548847d9-3b28-449e-b527-15bb950d210b,750,Payload installation,md5,"e94393561901895cb0783edc34740fd4","Regin samples collected.",1,20141210,,"","" +548847d9-4020-41da-b5f3-15bb950d210b,750,Payload installation,md5,"db405ad775ac887a337b02ea8b07fddc","Regin samples collected.",1,20141210,,"","" +548847d9-6340-44a0-8f33-15bb950d210b,750,Payload 
installation,md5,"ffb0b9b5b610191051a7bdf0806e1e47","Regin samples collected.",1,20141210,,"","" +548847d9-8b18-4654-9766-15bb950d210b,750,Payload installation,md5,"f3ffc2aaaa1e2ab55ec26ff098653347","Regin samples collected.",1,20141210,,"","" +548847d9-a564-4178-b8e6-15bb950d210b,750,Payload installation,md5,"6662c390b2bbbd291ec7987388fc75d7","Regin samples collected.",1,20141210,,"","" +548847d9-afe0-4531-a4b0-15bb950d210b,750,Payload installation,md5,"187044596bc1328efa0ed636d8aa4a5c","Regin samples collected.",1,20141210,,"","" +548847d9-b63c-4c95-a2bd-15bb950d210b,750,Payload installation,md5,"1800def71006ca6790767e202fae9b9a","Regin samples collected.",1,20141210,,"","" +548847d9-e6fc-4b93-a773-15bb950d210b,750,Payload installation,md5,"bfbe8c3ee78750c3a520480700e440f8","Regin samples collected.",1,20141210,,"","" +548847d9-fd54-4e49-909b-15bb950d210b,750,Payload installation,md5,"89003e9a1ae635c97ebad07aebc67f00","Regin samples collected.",1,20141210,,"","" +548847da-1660-4562-a1f8-15bb950d210b,750,Payload installation,md5,"b505d65721bb2453d5039a389113b566","Regin samples collected.",1,20141210,,"","" +548847da-2134-43d7-ba22-15bb950d210b,750,Payload installation,md5,"8fcf4e53ece6111758a1dd3139dc7cad","Regin samples collected.",1,20141210,,"","" +548847da-3e40-4ab2-a5eb-15bb950d210b,750,Payload installation,md5,"1c024e599ac055312a4ab75b3950040a","Regin samples collected.",1,20141210,,"","" +548847da-49c0-404d-ae42-15bb950d210b,750,Payload installation,md5,"d240f06e98c8d3e647cbf4d442d79475","Regin samples collected.",1,20141210,,"","" +548847da-71ec-4b2b-bae5-15bb950d210b,750,Payload installation,md5,"148c1bb9d405d717252c77593aff4bd8","Regin samples collected.",1,20141210,,"","" +548847da-9798-4b6d-b422-15bb950d210b,750,Payload installation,md5,"ba7bb65634ce1e30c1e5415be3d1db1d","Regin samples collected.",1,20141210,,"","" +548847da-ac78-474c-86fe-15bb950d210b,750,Payload installation,md5,"b29ca4f22ae7b7b25f79c1d4a421139d","Regin samples 
collected.",1,20141210,,"","" +548847da-c2d0-4d24-821e-15bb950d210b,750,Payload installation,md5,"b269894f434657db2b15949641a67532","Regin samples collected.",1,20141210,,"","" +548847da-ffe4-4a90-9f2a-15bb950d210b,750,Payload installation,md5,"22bfc970f707fd775d49e875b63c2f0c","Regin samples collected.",1,20141210,,"","" +548847db-060c-4275-a0c7-15bb950d210b,750,Payload installation,md5,"049436bb90f71cf38549817d9b90e2da","Regin samples collected.",1,20141210,,"","" +5488486c-1418-4624-b87c-15ba950d210b,750,Artifacts dropped,regkey,"Class\{4F20E605-9452-4787-B793-D0204917CA58}","",1,20141210,,"","" +5488486c-47ec-4952-8e60-15ba950d210b,750,Artifacts dropped,regkey,"Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}","",1,20141210,,"","" +5488486c-a044-4c31-830c-15ba950d210b,750,Artifacts dropped,regkey,"HKLM\System\CurrentControlSet\Control\","",1,20141210,,"","" From 5a462cf502f1b7ad6b02a2b84788ce4073167202 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Wed, 20 Sep 2017 15:59:23 +0100 Subject: [PATCH 16/25] up: Bump PyMISP --- PyMISP | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/PyMISP b/PyMISP index 6eb807381..7e797e5f6 160000 --- a/PyMISP +++ b/PyMISP @@ -1 +1 @@ -Subproject commit 6eb807381dfa3d2a9dd2a42fdd219d6f3cdfd1ff +Subproject commit 7e797e5f6f2263a467fccf550575118a6d4848e9 From 6d11f1eeccd3d2c964fe6bb70556561febad7e73 Mon Sep 17 00:00:00 2001 From: iglocska Date: Wed, 20 Sep 2017 17:13:33 +0200 Subject: [PATCH 17/25] new: Allow POSTing search parameters to the /tags/index API - to filter the tags index simply POST to /tags/index the following payload: {"filter": "malware_classification:malware-category"} --- app/Controller/TagsController.php | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/app/Controller/TagsController.php b/app/Controller/TagsController.php index 49e1b9a80..03108b827 100644 --- a/app/Controller/TagsController.php +++ b/app/Controller/TagsController.php 
@@ -45,8 +45,18 @@ class TagsController extends AppController { $this->paginate['conditions']['AND']['Tag.id'] = $tag_id_list; } if (isset($this->params['named']['searchall'])) { - $this->paginate['conditions']['AND']['LOWER(Tag.name) LIKE'] = '%' . strtolower($this->params['named']['searchall']) . '%'; $passedArgsArray['all'] = $this->params['named']['searchall']; + } else if ($this->request->is('post')) { + $validNames = array('filter', 'searchall', 'name', 'search'); + foreach ($validNames as $vn) { + if (!empty($this->request->data[$vn])) { + $passedArgsArray['all'] = $this->request->data[$vn]; + continue; + } + } + } + if (!empty($passedArgsArray['all'])) { + $this->paginate['conditions']['AND']['LOWER(Tag.name) LIKE'] = '%' . strtolower($passedArgsArray['all']) . '%'; } if ($this->_isRest()) { unset($this->paginate['limit']); From 164a94fc4998ebf814637219f2f94eda67eb0ca4 Mon Sep 17 00:00:00 2001 From: Alexandre Parriel Date: Thu, 21 Sep 2017 10:25:11 +0200 Subject: [PATCH 18/25] Add Tag field for restSearch on attributes, Fixes #2497 --- app/Controller/AttributesController.php | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php index 27bd870e5..a7f5dfb6e 100644 --- a/app/Controller/AttributesController.php +++ b/app/Controller/AttributesController.php @@ -1820,7 +1820,8 @@ class AttributesController extends AppController { 'conditions' => $conditions, 'fields' => array('Attribute.*', 'Event.org_id', 'Event.distribution'), 'withAttachments' => $withAttachments, - 'enforceWarninglist' => $enforceWarninglist + 'enforceWarninglist' => $enforceWarninglist, + 'includeAllTags' => true ); if ($deleted) { $params['deleted'] = 1; 
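Review bot: The `continue;` that follows `$passedArgsArray['all'] = $this->request->data[$vn];` is the last statement of the loop body, so it changes nothing: when a client posts more than one of `filter`, `searchall`, `name`, `search`, the last key in `$validNames` wins rather than the first, which reads as if `break;` was meant. The value then lands in `LOWER(Tag.name) LIKE '%…%'` with `%` and `_` unescaped, so a posted filter of `%` matches every tag — over-matching rather than injection as far as I can tell (Cake binds the value), but `addcslashes($value, '%_')` is warranted if the filter is meant to be literal. `!empty()` also drops a legitimate filter of `"0"`; `isset($this->request->data[$vn]) && $this->request->data[$vn] !== ''` is the safer test. The rest of index() is outside this hunk.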
@@ -1839,6 +1840,12 @@ class AttributesController extends AppController { if (!empty($results)) { $results = array('response' => array('Attribute' => $results)); foreach ($results['response']['Attribute'] as $k => $v) { + if (isset($results['response']['Attribute'][$k]['AttributeTag'])) { + foreach ($results['response']['Attribute'][$k]['AttributeTag'] as $tk => $tag) { + $results['response']['Attribute'][$k]['Attribute']['Tag'][$tk] = $tag; + + } + } $results['response']['Attribute'][$k] = $results['response']['Attribute'][$k]['Attribute']; unset( $results['response']['Attribute'][$k]['value1'], From 3ba6636bd5d015a4a3d6dfda4d103573d8d4a955 Mon Sep 17 00:00:00 2001 From: iglocska Date: Thu, 21 Sep 2017 12:10:22 +0200 Subject: [PATCH 19/25] new: change server settings via the API Usage: Viewing current setting value: GET /servers/serverSettingsEdit/[mysetting] Accept: application/json Content-type: application/json Authorization: [mykey] Altering setting value: POST /servers/serverSettingsEdit/[mysetting] Accept: application/json Content-type: application/json Authorization: [mykey] Body: {"value":"My new value"} As a reminder, get all settings and diagnostics via: GET /servers/serverSettings/download Accept: application/json Content-type: application/json Authorization: [mykey] --- app/Controller/ServersController.php | 55 +++++++++++++++++++++++----- 1 file changed, 45 insertions(+), 10 deletions(-) diff --git a/app/Controller/ServersController.php b/app/Controller/ServersController.php index c5eb2c75c..e1c57de21 100644 --- a/app/Controller/ServersController.php +++ b/app/Controller/ServersController.php 
@@ -938,7 +938,7 @@ class ServersController extends AppController { } } - public function serverSettingsEdit($setting, $id, $forceSave = false) { + public function serverSettingsEdit($setting, $id = false, $forceSave = false) { if (!$this->_isSiteAdmin()) throw new MethodNotAllowedException(); if (!isset($setting) || !isset($id)) throw new MethodNotAllowedException(); $this->set('id', $id); @@ -981,13 +981,28 @@ class ServersController extends AppController { } else { $subGroup = 'general'; } - $this->set('subGroup', $subGroup); - $this->set('setting', $found); - $this->render('ajax/server_settings_edit'); + if ($this->_isRest()) { + return $this->RestResponse->viewData(array($setting => $found['value'])); + } else { + $this->set('subGroup', $subGroup); + $this->set('setting', $found); + $this->render('ajax/server_settings_edit'); + } + } if ($this->request->is('post')) { + if (!isset($this->request->data['Server'])) $this->request->data = array('Server' => $this->request->data); + if (!isset($this->request->data['Server']['value'])) { + if ($this->_isRest()) { + return $this->RestResponse->saveFailResponse('Servers', 'serverSettingsEdit', false, 'Invalid input. Expected: {"value": "new_setting"}', $this->response->type()); + } + } if (trim($this->request->data['Server']['value']) === '*****') { - return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'No change.')), 'status'=>200, 'type' => 'json')); + if ($this->_isRest()) { + return $this->RestResponse->saveFailResponse('Servers', 'serverSettingsEdit', false, 'No change.', $this->response->type()); + } else { + return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'No change.')), 'status'=>200, 'type' => 'json')); + } } $this->autoRender = false; $this->loadModel('Log'); 
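Review bot: The new `value` guard only returns on the REST path; a browser POST without `Server.value` falls straight through to `trim($this->request->data['Server']['value'])` and the rest of the save logic with an undefined index. Give the form path a terminating response as well, e.g. an `else` after the REST return with `return new CakeResponse(array('body' => json_encode(array('saved' => false, 'errors' => 'Invalid input.')), 'status' => 200, 'type' => 'json'));`. Separately, the REST GET branch returns `$found['value']` unmodified; `$found` is built above this hunk, so if the masking that the POST branch's `'*****'` comparison implies happens in the view template rather than in `$found` itself, redacted settings (passwords, API keys) would come back in cleartext over the JSON API — worth confirming before this ships. serverSettingsEdit() starts before this hunk.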
@@ -1003,7 +1018,11 @@ class ServersController extends AppController { 'title' => 'Server setting issue', 'change' => 'There was an issue witch changing ' . $setting . ' to ' . $this->request->data['Server']['value'] . '. The error message returned is: app/Config.config.php is not writeable to the apache user. No changes were made.', )); - return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'app/Config.config.php is not writeable to the apache user.')), 'status'=>200, 'type' => 'json')); + if ($this->_isRest()) { + return $this->RestResponse->saveFailResponse('Servers', 'serverSettingsEdit', false, 'app/Config.config.php is not writeable to the apache user.', $this->response->type()); + } else { + return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => 'app/Config.config.php is not writeable to the apache user.')), 'status'=>200, 'type' => 'json')); + } } if (isset($found['beforeHook'])) { @@ -1020,7 +1039,11 @@ class ServersController extends AppController { 'title' => 'Server setting issue', 'change' => 'There was an issue witch changing ' . $setting . ' to ' . $this->request->data['Server']['value'] . '. The error message returned is: ' . $beforeResult . 'No changes were made.', )); - return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => $beforeResult)), 'status'=>200, 'type' => 'json')); + if ($this->_isRest) { + return $this->RestResponse->saveFailResponse('Servers', 'serverSettingsEdit', false, $beforeResult, $this->response->type()); + } else { + return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => $beforeResult)), 'status'=>200, 'type' => 'json')); + } } } $this->request->data['Server']['value'] = trim($this->request->data['Server']['value']); 
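Review bot: `if ($this->_isRest) {` in the beforeHook failure branch reads a property, not the `_isRest()` method that the first hunk on this line and the earlier hunks call; no such property is declared, so the condition is always false (with an undefined-property notice) and REST clients receive the legacy `CakeResponse` JSON instead of the `RestResponse` shape. Change it to `if ($this->_isRest()) {`. Note also that the surrounding `$this->Log->save(...)` entries write the attempted new value into the `change` column, so for any setting that holds a secret the value persists in the log table — pre-existing on the UI path, but the new API route makes it easier to reach.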
@@ -1038,7 +1061,11 @@ class ServersController extends AppController { if (!$forceSave && $testResult !== true) { if ($testResult === false) $errorMessage = $found['errorMessage']; else $errorMessage = $testResult; - return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => $errorMessage)), 'status'=>200, 'type' => 'json')); + if ($this->_isRest) { + return $this->RestResponse->saveFailResponse('Servers', 'serverSettingsEdit', false, $errorMessage, $this->response->type()); + } else { + return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => $errorMessage)), 'status'=>200, 'type' => 'json')); + } } else { $oldValue = Configure::read($setting); $this->Server->serverSettingsSaveValue($setting, $this->request->data['Server']['value']); @@ -1068,10 +1095,18 @@ class ServersController extends AppController { 'title' => 'Server setting issue', 'change' => 'There was an issue after setting a new setting. The error message returned is: ' . $afterResult, )); - return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => $afterResult)), 'status'=>200, 'type' => 'json')); + if ($this->_isRest) { + return $this->RestResponse->saveFailResponse('Servers', 'serverSettingsEdit', false, $afterResult, $this->response->type()); + } else { + return new CakeResponse(array('body'=> json_encode(array('saved' => false, 'errors' => $afterResult)), 'status'=>200, 'type' => 'json')); + } } } - return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Field updated.')), 'status'=>200, 'type' => 'json')); + if ($this->_isRest) { + return $this->RestResponse->saveSuccessResponse('Servers', 'serverSettingsEdit', false, $this->response->type(), 'Field updated'); + } else { + return new CakeResponse(array('body'=> json_encode(array('saved' => true, 'success' => 'Field updated.')), 'status'=>200, 'type' => 'json')); + } } } } 
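Review bot: All three `if ($this->_isRest) {` checks on this line (validation failure, afterHook failure and the final success response) are missing the call parentheses, so even a successful API save never reaches `saveSuccessResponse` and the caller is handed the UI-style `{"saved": true, "success": "Field updated."}` body instead. An API client keying on the `RestResponse` format will therefore misreport every outcome of this endpoint. Replace each with `if ($this->_isRest()) {`, and consider evaluating it once at the top of the POST branch (`$isRest = $this->_isRest();`) so the two response styles cannot drift again.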
From 20ff380e17ce6c092465ce688dc9fc07957b086d Mon Sep 17 00:00:00 2001 From: arnydo Date: Thu, 21 Sep 2017 11:11:30 -0400 Subject: [PATCH 20/25] move ns_alt parameter to end of api list --- app/Console/Command/EventShell.php | 2 +- app/Controller/AttributesController.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/app/Console/Command/EventShell.php b/app/Console/Command/EventShell.php index 54baf757e..67bf70ae4 100644 --- a/app/Console/Command/EventShell.php +++ b/app/Console/Command/EventShell.php @@ -209,7 +209,7 @@ class EventShell extends AppShell App::uses('RPZExport', 'Export'); $rpzExport = new RPZExport(); $rpzSettings = array(); - $lookupData = array('policy', 'walled_garden', 'ns', 'ns_alt', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl'); + $lookupData = array('policy', 'walled_garden', 'ns', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl', 'ns_alt'); foreach ($lookupData as $v) { $tempSetting = Configure::read('Plugin.RPZ_' . $v); if (isset($tempSetting)) $rpzSettings[$v] = Configure::read('Plugin.RPZ_' . $v); diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php index 1f1af390d..5bc9e879a 100644 --- a/app/Controller/AttributesController.php +++ b/app/Controller/AttributesController.php 
@@ -2017,7 +2017,7 @@ class AttributesController extends AppController { $this->render('/Attributes/text'); } - public function rpz($key='download', $tags=false, $eventId=false, $from=false, $to=false, $policy=false, $walled_garden = false, $ns = false, $ns_alt = false, $email = false, $serial = false, $refresh = false, $retry = false, $expiry = false, $minimum_ttl = false, $ttl = false, $enforceWarninglist = false) { + public function rpz($key='download', $tags=false, $eventId=false, $from=false, $to=false, $policy=false, $walled_garden = false, $ns = false, $email = false, $serial = false, $refresh = false, $retry = false, $expiry = false, $minimum_ttl = false, $ttl = false, $enforceWarninglist = false, $ns_alt = false) { // request handler for POSTed queries. If the request is a post, the parameters (apart from the key) will be ignored and replaced by the terms defined in the posted json or xml object. // The correct format for both is a "request" root element, as shown by the examples below: // For Json: {"request":{"policy": "walled-garden","garden":"garden.example.com"}} 
@@ -2030,14 +2030,14 @@ class AttributesController extends AppController { $data = $this->request->data; } if (empty($data)) throw new BadRequestException('Either specify the search terms in the url, or POST a json array / xml (with the root element being "request" and specify the correct headers based on content type.'); - $paramArray = array('eventId', 'tags', 'from', 'to', 'policy', 'walled_garden', 'ns', 'ns_alt', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl', 'enforceWarninglist'); + $paramArray = array('eventId', 'tags', 'from', 'to', 'policy', 'walled_garden', 'ns', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl', 'enforceWarninglist', 'ns_alt'); foreach ($paramArray as $p) { if (isset($data['request'][$p])) ${$p} = $data['request'][$p]; else ${$p} = null; } } - $simpleFalse = array('eventId', 'tags', 'from', 'to', 'policy', 'walled_garden', 'ns', 'ns_alt', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl', 'enforceWarninglist'); + $simpleFalse = array('eventId', 'tags', 'from', 'to', 'policy', 'walled_garden', 'ns', 'email', 'serial', 'refresh', 'retry', 'expiry', 'minimum_ttl', 'ttl', 'enforceWarninglist', 'ns_alt'); foreach ($simpleFalse as $sF) { if (!is_array(${$sF}) && (${$sF} === 'null' || ${$sF} == '0' || ${$sF} === false || strtolower(${$sF}) === 'false')) ${$sF} = false; } From dcc0393c6bdb7f20bd21819696d409d7bba6fba7 Mon Sep 17 00:00:00 2001 From: Alexandre Parriel Date: Fri, 22 Sep 2017 15:36:41 +0200 Subject: [PATCH 21/25] Fix Tag json format --- app/Controller/AttributesController.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php index a7f5dfb6e..08528140f 100644 --- a/app/Controller/AttributesController.php +++ b/app/Controller/AttributesController.php 
@@ -1842,8 +1842,7 @@ class AttributesController extends AppController { foreach ($results['response']['Attribute'] as $k => $v) { if (isset($results['response']['Attribute'][$k]['AttributeTag'])) { foreach ($results['response']['Attribute'][$k]['AttributeTag'] as $tk => $tag) { - $results['response']['Attribute'][$k]['Attribute']['Tag'][$tk] = $tag; - + $results['response']['Attribute'][$k]['Attribute']['Tag'][$tk] = $tag['Tag']; } } $results['response']['Attribute'][$k] = $results['response']['Attribute'][$k]['Attribute']; From 3f76fd6ea748a6aa1ff36f37f5169313509f4f32 Mon Sep 17 00:00:00 2001 
From: iglocska Date: Mon, 25 Sep 2017 12:22:19 +0200 Subject: [PATCH 22/25] new: Rework of the attachment uploader - add attachments and upload_sample now share code - allow the same features via upload_sample (object creation / use of advanced add attachments) - new flag: advanced - example: POST to mymisp/events/upload_sample BODY: {"request":{"files": [{"filename": "bla.exe", "data": "U3RhckNyYWZ0IElJIGZvcmV2ZXI="}], "distribution": 1, "advanced":1, "info":"bla"}} - this commit was brought to you by CEF and MMMH$= - ., ,,. %H++ ,= %%$$$$X+ ;=== .= :+HHHMMMHMMM####MMH@@@@@@HHH$= HHH@HHHHH+XXX$$$$$$$$XXXXXXX+ MMH = -. . ,-,,-,. :H@H =;;++$HH+XX$%+X%+$++=:=.XH@@@HMMMMMMMMH@@@@@@@HHX$ ,X@@@@@@@HHHHHHHHHHXXXXXXXXXXXXXX . ---, - ,,, +@ .. ;++$HH+HHH++$+++HH+++, .+%HHMHHHHHHHHH+%%%++++$+ +++HHHHHHH+++++++++HHHHHHHHHHHHHH - -- ,,, --,. - , ,; +$XHH@@@@HHH@@@HHHH+$+$X+HH+$$+ ; ;= . % + ,+$X+++XXXXXXXXXXXXX++HH+++++++ ---==,,--,-,-., : . -,,:/ $XHH@HMMMMMMMMMM@HHX$H@MHHHHX+H%%$%+H/:.%. $. @,,,. $$XXXXXXXXXXXXXXXXXXXXXXXXXX+ = - --,, , -- .. =/ +$+H@@HMMMMMMMMH+H+++HHHHHHHH@+++++H+X++X+$$ = ,,, - $$XXXXX$$$$X$$$$$$$$$$$$$$X ====== --,,,, ,= = ,==== ++$$+HHMMM####MH+$$+++HH@+HH@MHMMH@@H@@@HH+$+ ,,, ,. $$+$++$$$$$$$$$$++$$$$$$$X :==-===-,. ,., == . :;; +++%$+H@HMMMMMMM%$%$$$+H@@+HH@MMMMMM@@@@HHH++H. .,,-,,--=/+$$%%%%%%%%$+%%$$$$$XXXXX , = ==- - . == . =; ++++%++HHHHHHHHHH++%$$X+@@H+HHHMMMMMMHH@@@+X+ , ,,,,- , ,$$$$$$$+++++$$$$XXXXX$$ ,,- , --= .. . ;/ ++++%$X+HHHHHHH ++$++X+HH+X+H@HMMHHHHHHHH+. ,, ,, , . +$$$$+%+$$$$$$$$$$ ,-----=-=--, ,== ..;/ +% +%$XX+HH++HH+/+$%++H@@HHXHHH@@@@@@@@HXX . .,,,. ,,,, ,-=$$$$$$$$$$$$$$$$$ - ,- -- -, ,-= . =/++%++%+++++XXXXX$$+. +HHH@+$XHHHHHHHHH++$ -,,, ,, ,,,. ,+$$$$$$$$$$$$ ---,-----, . == =/+%+++%++$$+++$X$$$$++,$$+++XXHHHHHHHH+X$+% ,-,-, ,, . . ,+$$+++++++ == --, -- =--, ,,= . ./++$$++$+X$+/++$$XXXX$$$$XXXXXXH+HH+H+X$%%/ .,,,,,, .. .. ,. ,,,-=+%+++ /++ + -- - -,,- ., . . . = +$$++++HH+. ,+$$+++++++$XX$X$XHHH+X$$+ ..--,- .. . . 
,-, = ====== MH - ---- --,,, . .. , %++$$X++++ +%++++++++%++$$$$$+H++X$$+ --, . . . = .==== MM=,-, ---,,,,, . . ...,,, =/++%$$XXXX+/+++@@H@HX$+%$$+HHHHH$$$+: ,-- . ,. .. .. ==::;=-:;;; MM+ ,----,,,, , .. ,. +++X+HH+++++%++$++++$$+HHH+++$$ ,- , . . : ;/ +%+. MMH ,-,-,, ,,. . -, = = +$+H@HH++++$$X$$+++HHH+++$ , .. , +++++++%%+%+ MM@,--,-,,,,,. . ,, . ,-, .=+$XHHHXXHHHHHHHH@@@@HX$%+: ,, . ..,, ..... ...%%%%++%%%%%%%% M@@== ,,, , ++++XX++HHHHHH++HHH+, , , . .... . +$+%%%%%%+%%%%% H@H+=,,, .. ,,+%$+H@HHHXX++, , ,, . ... . ,$$$$$%%%%%+%+%%%% @H+,-,,..... . .,.;; ++$$X+%+:- , . .,,, . ... . XXX$$$%%%%%%+%%%%% +++ -, . ... . .======== === , ,, . . .. . -,XXX$X$+$+%%%%%%%%% $+ . ===:; ++++ ++++-,. , ,-, . $X+XX+XXX$$+%++%%%%% ++: ,. . ,-,,-==:; %%%%%+%$$%$$X$$$+%+:== . . ,, ..+X$XXXXXX$$$+%%$$%%%% =: ,,, == ++++++$+$$%+++$$$++$+ . == . .,,, +$$$$$$$$$$$$$$+$%%%+ , ,---, =:;/++$$XX$$$$$$X+H@H@HHH$%%%$X$++;===== . ., .. +%%+$++$%$$$$$$%%++%+ ===; +++$$$$+ +%+++%+HH@@@@HH+++ ++%+$+, === .. ,=; +++++++++.. :;; . =:; /++%$$++, ,++HHMMHH@@@@HHHH@HH++++++ ,+$$+ . .. :=;;:;;;;;========== .,,-==;;;+% %%+$$$$ /+++@@@@@@@@@@HH@M@MH@@@HHHHH$$% /%$XXX$X . -=====::::=========:: . =; ++++++$+++ , +%H@@@HHH@HH++HHH@MHHH@HHHHHH++++ , +%%+$ ,, - --- ==:=: ====; ++++$$+% ++H@HHHHHHH+X++X++@@@HHH@MMMMHHHHHH@HHHH+++++. ,,,,-,--- =:==;; .,., ==;// / ++++%+%+%+++$$+@H@@@@H@HHH+XXX$%+HHHH@@HH@HMMMMMMMMMMMMMMH@+%; ...,,,,,--==;;;/; . ...= .,+%$++%+$XXX$++%+++H@@@@HHH@HHH+++. ++++H+HHHHHHHMMMMMMMMMMMM@++: ,,, ===;;;;; ==: . ++++++++HH%H+++X++HH+H@HHHH@HHHHHHH+++++%++%%+%%++ . , = ++$H@@HMHMMH%= . ..,,= +++%$XXHHHHHH@H@@@@@H@HH@MMM@@HH@HH+HXH@HH%%+HH+XX$$$+++/;:=== ,,,,,, = ::; % :, ...,, %+++HHH@HHH@@HMHHHH@HHHMHMHHHHHH+XH+HHH++++HHHH@HHHHH++%+ -, = ,=== ,, ,,, . H@HHHH#M#M#MHHHM#MMMMMMMHHHH@H@H++@H$+++HHM#MMMMHMMH@@HHHHHH%+++++%%%+++ , . %%%%%%%%%%%%%%++++%%++ .. ... .. . 
+++%+++++++%++++%+++++++++%+%++%+%%++%++++++% --- app/Controller/AttributesController.php | 21 ++-- app/Controller/EventsController.php | 127 +++++++++++++----------- app/Lib/Tools/FileAccessTool.php | 5 + app/Model/Attribute.php | 51 ++++++++-- 4 files changed, 122 insertions(+), 82 deletions(-) diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php index a7f5dfb6e..3d992627f 100644 --- a/app/Controller/AttributesController.php +++ b/app/Controller/AttributesController.php @@ -361,16 +361,18 @@ class AttributesController extends AppController { if ($this->request->data['Attribute']['malware']) { if ($this->request->data['Attribute']['advanced']) { - $result = $this->Attribute->advancedAddMalwareSample($tmpfile); + $result = $this->Attribute->advancedAddMalwareSample( + $eventId, + $this->request->data['Attribute'], + $filename, + $tmpfile + ); if ($result) $success++; else $fails[] = $filename; } else { $result = $this->Attribute->simpleAddMalwareSample( $eventId, - $this->request->data['Attribute']['category'], - $this->request->data['Attribute']['distribution'], - $this->request->data['Attribute']['distribution'] == 4 ? $this->request->data['Attribute']['sharing_group_id'] : 0, - $this->request->data['Attribute']['comment'], + $this->request->data['Attribute'], $filename, $tmpfile ); 
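Review bot: `$this->request->data['Attribute']['advanced']` is read without an `isset()` guard directly after the `malware` check, so any form or API submission that omits the new flag raises an undefined-index notice before the sample is handled; `!empty($this->request->data['Attribute']['advanced'])` keeps the simple path as the default. Passing the whole `$this->request->data['Attribute']` array into the model also drops the `distribution == 4 ? sharing_group_id : 0` gate the removed lines enforced — the Attribute.php hunk of this same patch stores `sharing_group_id` whenever it is set, so a request can now pair a sharing-group id with a non-sharing-group distribution level. If that gate is meant to live in the model now, it should be visible there; otherwise keep it here. add() continues outside this hunk.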
@@ -379,13 +381,6 @@ class AttributesController extends AppController { } if (!empty($result)) { foreach ($result['Object'] as $object) { - $object['distribution'] = $this->request->data['Attribute']['distribution']; - $object['sharing_group_id'] = isset($this->request->data['Attribute']['distribution']) ? $this->request->data['Attribute']['distribution'] : 0; - if (!empty($object['Attribute'])) { - foreach ($object['Attribute'] as $k => $attribute) { - if ($attribute['value'] == $tmpfile->name) $object['Attribute'][$k]['value'] = $value['name']; - } - } $this->loadModel('MispObject'); $this->MispObject->captureObject(array('Object' => $object), $eventId, $this->Auth->user()); } @@ -1843,7 +1838,7 @@ class AttributesController extends AppController { if (isset($results['response']['Attribute'][$k]['AttributeTag'])) { foreach ($results['response']['Attribute'][$k]['AttributeTag'] as $tk => $tag) { $results['response']['Attribute'][$k]['Attribute']['Tag'][$tk] = $tag; - + } } $results['response']['Attribute'][$k] = $results['response']['Attribute'][$k]['Attribute']; diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php index 1d27fd7ac..021420551 100644 --- a/app/Controller/EventsController.php +++ b/app/Controller/EventsController.php @@ -3662,7 +3662,7 @@ class EventsController extends AppController { // API for pushing samples to MISP // Either send it to an existing event, or let MISP create a new one automatically - public function upload_sample($event_id = null) { + public function upload_sample($event_id = null, $advanced = false) { $this->loadModel('Log'); $hashes = array('md5' => 'malware-sample', 'sha1' => 'filename|sha1', 'sha256' => 'filename|sha256'); $categoryDefinitions = $this->Event->Attribute->categoryDefinitions; 
@@ -3697,13 +3697,15 @@ class EventsController extends AppController { foreach ($parameter_options as $k => $v) { if (isset($data[$k])) { if (isset($v['valid_options']) && !in_array($data[$k], $v['valid_options'])) { - $data[$k] = $v['default']; + $data['settings'][$k] = $v['default']; + } else { + $data['settings'][$k] = $data[$k]; } + unset($data[$k]); } else { - $data[$k] = $v['default']; + $data['settings'][$k] = $v['default']; } } - if (isset($data['files'])) { foreach ($data['files'] as $k => $file) { if (!isset($file['filename']) || !isset($file['data'])) { @@ -3717,16 +3719,17 @@ class EventsController extends AppController { if (empty($data['files'])) { throw new BadRequestException('No samples received, or samples not in the correct format. Please refer to the API documentation on the automation page.'); } - if (isset($event_id)) $data['event_id'] = $event_id; - if (isset($data['event_id'])) { - $this->Event->id = $data['event_id']; + if (isset($event_id)) $data['settings']['event_id'] = $event_id; + if (isset($data['settings']['event_id'])) { + $this->Event->id = $data['settings']['event_id']; if (!$this->Event->exists()) throw new NotFoundException('Event not found'); } + if (isset($data['advanced'])) $advanced = $data['advanced']; // check if the user has permission to create attributes for an event, if the event ID has been passed // If not, create an event - if (isset($data['event_id']) && !empty($data['event_id']) && is_numeric($data['event_id'])) { - $conditions = array('Event.id' => $data['event_id']); + if (isset($data['settings']['event_id']) && !empty($data['settings']['event_id']) && is_numeric($data['settings']['event_id'])) { + $conditions = array('Event.id' => $data['settings']['event_id']); if (!$this->_isSiteAdmin()) { $conditions[] = array('Event.orgc_id' => $this->Auth->user('org_id')); if (!$this->userRole['perm_modify_org']) { 
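Review bot: A body-supplied `event_id` appears to be no longer honoured: the old code used `$data['event_id']` when the URL carried no id, but the new code only fills `$data['settings']['event_id']` from the URL parameter, and unless `event_id` is one of the `$parameter_options` keys defined above this hunk the posted value is discarded before the `isset($data['settings']['event_id'])` check. A client that posts samples to an existing event by id would then silently get a brand-new event created with whatever distribution it supplied, which is a sharing-scope surprise, not just a functional regression. A one-liner before the check restores the old contract: `if (!isset($data['settings']['event_id']) && isset($data['event_id'])) $data['settings']['event_id'] = $data['event_id'];`. The `$advanced` override is fine as a truthiness flag, but it is client-controlled, so the advanced path (which shells out to a parser on the uploaded file in the Attribute.php hunk of this patch) becomes reachable for every user permitted to call upload_sample. upload_sample() continues outside this hunk.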
@@ -3739,19 +3742,19 @@ class EventsController extends AppController { 'fields' => array('id'), )); if (empty($event)) throw new NotFoundException('Event not found.'); - $this->Event->id = $data['event_id']; + $this->Event->id = $data['settings']['event_id']; $date = new DateTime(); $this->Event->saveField('timestamp', $date->getTimestamp()); $this->Event->saveField('published', 0); } else { $this->Event->create(); - if ($data['distribution'] == 5) throw new BadRequestException('Distribution level 5 is not supported when uploading a sample without passing an event ID. Distribution level 5 is meant to take on the distribution level of an existing event.'); + if ($data['settings']['distribution'] == 5) throw new BadRequestException('Distribution level 5 is not supported when uploading a sample without passing an event ID. Distribution level 5 is meant to take on the distribution level of an existing event.'); $result = $this->Event->save( array( - 'info' => $data['info'], - 'analysis' => $data['analysis'], - 'threat_level_id' => $data['threat_level_id'], - 'distribution' => $data['distribution'], + 'info' => $data['settings']['info'], + 'analysis' => $data['settings']['analysis'], + 'threat_level_id' => $data['settings']['threat_level_id'], + 'distribution' => $data['settings']['distribution'], 'date' => date('Y-m-d'), 'orgc_id' => $this->Auth->user('org_id'), 'org_id' => $this->Auth->user('org_id'), 
@@ -3767,64 +3770,72 @@ class EventsController extends AppController { 'action' => 'upload_sample', 'user_id' => $this->Auth->user('id'), 'title' => 'Error: Failed to create event using the upload sample functionality', - 'change' => 'There was an issue creating an event (' . $data['info'] . '). The validation errors were: ' . json_encode($this->Event->validationErrors), + 'change' => 'There was an issue creating an event (' . $data['settings']['info'] . '). The validation errors were: ' . json_encode($this->Event->validationErrors), )); throw new BadRequestException('The creation of a new event with the supplied information has failed.'); } - $data['event_id'] = $this->Event->id; + $data['settings']['event_id'] = $this->Event->id; + $event_id = $this->Event->id; } - if (!isset($data['to_ids']) || !in_array($data['to_ids'], array('0', '1', 0, 1))) $data['to_ids'] = 1; + if (!isset($data['settings']['to_ids']) || !in_array($data['settings']['to_ids'], array('0', '1', 0, 1))) $data['settings']['to_ids'] = 1; $successCount = 0; $errors = array(); + App::uses('FileAccessTool', 'Tools'); + $fileAccessTool = new FileAccessTool(); foreach ($data['files'] as $file) { - $temp = $this->Event->Attribute->handleMaliciousBase64($data['event_id'], $file['filename'], $file['data'], array_keys($hashes)); - if ($temp['success']) { - foreach ($hashes as $hash => $typeName) { - if ($temp[$hash] == false) continue; - $file[$hash] = $temp[$hash]; - $file['data'] = $temp['data']; - $this->Event->Attribute->create(); - $attribute = array( - 'value' => $file['filename'] . '|' . 
$file[$hash], - 'distribution' => $data['distribution'], - 'category' => $data['category'], - 'type' => $typeName, - 'event_id' => $data['event_id'], - 'to_ids' => $data['to_ids'], - 'comment' => $data['comment'] - ); - if ($hash == 'md5') $attribute['data'] = $file['data']; - $result = $this->Event->Attribute->save($attribute); - if (!$result) { - $this->Log->save(array( - 'org' => $this->Auth->user('Organisation')['name'], - 'model' => 'Event', - 'model_id' => $data['event_id'], - 'email' => $this->Auth->user('email'), - 'action' => 'upload_sample', - 'user_id' => $this->Auth->user('id'), - 'title' => 'Error: Failed to create attribute using the upload sample functionality', - 'change' => 'There was an issue creating an attribute (' . $typeName . ': ' . $file['filename'] . '|' . $file[$hash] . '). ' . 'The validation errors were: ' . json_encode($this->Event->Attribute->validationErrors), - )); - if ($typeName == 'malware-sample') { - $errors[] = array('filename' => $file['filename'], 'hash' => $file[$hash], 'error' => $this->Event->Attribute->validationErrors); + $tmpdir = Configure::read('MISP.tmpdir') ? 
Configure::read('MISP.tmpdir') : '/var/www/MISP/app/tmp'; + $tmpfile = $fileAccessTool->createTempFile($tmpdir, $prefix = 'MISP_upload'); + $fileAccessTool->writeToFile($tmpfile, base64_decode($file['data'])); + $tmpfile = new File($tmpfile); + if ($advanced) { + $result = $this->Event->Attribute->advancedAddMalwareSample( + $event_id, + $data['settings'], + $file['filename'], + $tmpfile + ); + if ($result) $successCount++; + else $errors[] = $file['filename']; + } else { + $result = $this->Event->Attribute->simpleAddMalwareSample( + $event_id, + $data['settings'], + $file['filename'], + $tmpfile + ); + if ($result) $successCount++; + else $errors[] = $file['filename']; + } + if (!empty($result)) { + foreach ($result['Object'] as $object) { + $object['distribution'] = $data['settings']['distribution']; + $object['sharing_group_id'] = isset($data['settings']['distribution']) ? $data['settings']['distribution'] : 0; + if (!empty($object['Attribute'])) { + foreach ($object['Attribute'] as $k => $attribute) { + if ($attribute['value'] == $tmpfile->name) { + $object['Attribute'][$k]['value'] = $file['filename']; + } } - } else if ($typeName == 'malware-sample') { - $successCount++; + } + $this->loadModel('MispObject'); + $this->MispObject->captureObject(array('Object' => $object), $event_id, $this->Auth->user()); + } + if (!empty($result['ObjectReference'])) { + foreach ($result['ObjectReference'] as $reference) { + $this->MispObject->ObjectReference->smartSave($reference, $event_id); } } - } else { - $errors[] = array('filename' => $file['filename'], 'hash' => $file['hash'], 'error' => 'Failed to encrypt and compress the file.'); } + $fileAccessTool->deleteFile($tmpfile->path); } if (!empty($errors)) { $this->set('errors', $errors); if ($successCount > 0) { $this->set('name', 'Partial success'); $this->set('message', 'Successfuly saved ' . $successCount . ' sample(s), but some samples could not be saved.'); - $this->set('url', '/events/view/' . 
$data['event_id']); - $this->set('id', $data['event_id']); + $this->set('url', '/events/view/' . $data['settings']['event_id']); + $this->set('id', $data['settings']['event_id']); $this->set('_serialize', array('name', 'message', 'url', 'id', 'errors')); } else { $this->set('name', 'Failed'); @@ -3834,11 +3845,11 @@ class EventsController extends AppController { } else { $this->set('name', 'Success'); $this->set('message', 'Success, saved all attributes.'); - $this->set('url', '/events/view/' . $data['event_id']); - $this->set('id', $data['event_id']); + $this->set('url', '/events/view/' . $data['settings']['event_id']); + $this->set('id', $data['settings']['event_id']); $this->set('_serialize', array('name', 'message', 'url', 'id')); } - $this->view($data['event_id']); + $this->view($data['settings']['event_id']); $this->render('view'); } diff --git a/app/Lib/Tools/FileAccessTool.php b/app/Lib/Tools/FileAccessTool.php index fe4012da4..d7cd7ad4e 100644 --- a/app/Lib/Tools/FileAccessTool.php +++ b/app/Lib/Tools/FileAccessTool.php @@ -38,4 +38,9 @@ class FileAccessTool { throw new MethodNotAllowedException($this->__fileErrorMsgPrefix . $errorMsgPart . '".'); } } + + public function deleteFile($file) { + unlink($file); + return true; + } } diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php index 10258f17d..9427663cf 100644 --- a/app/Model/Attribute.php +++ b/app/Model/Attribute.php 
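Review bot: `$object['sharing_group_id'] = isset($data['settings']['distribution']) ? $data['settings']['distribution'] : 0;` copies the distribution level into `sharing_group_id`, overwriting what `simpleAddMalwareSample()` / `advancedAddMalwareSample()` set from `$data['settings']` — with distribution 4 the object is filed under sharing group id 4 rather than the group the caller named, i.e. the sample and its hashes are shared with the wrong organisations. The AttributesController hunk of this same patch deletes exactly these two override lines from the add-attachment path, so this copy looks like a leftover; drop it here too, since the model's `'distribution'`/`'sharing_group_id'` assignment in Attribute.php already covers it. Second, `deleteFile($tmpfile->path)` is only reached on the happy path: if either model method or `captureObject()` throws, the decoded malware sample stays in `MISP.tmpdir`, so the per-file work should sit in a `try { … } finally { … }` (PHP ≥ 5.5). upload_sample() starts and ends outside this hunk.
```php
foreach ($data['files'] as $file) {
    $tmpdir = Configure::read('MISP.tmpdir') ? Configure::read('MISP.tmpdir') : '/var/www/MISP/app/tmp';
    $tmpPath = $fileAccessTool->createTempFile($tmpdir, $prefix = 'MISP_upload');
    try {
        $fileAccessTool->writeToFile($tmpPath, base64_decode($file['data']));
        $tmpfile = new File($tmpPath);
        // … unchanged: advanced / simple add and success/error bookkeeping …
        if (!empty($result)) {
            foreach ($result['Object'] as $object) {
                // no distribution / sharing_group_id override here: the model set them from $data['settings']
                // … unchanged: tmp-name → filename fixup, captureObject …
            }
            // … unchanged: ObjectReference smartSave loop …
        }
    } finally {
        $fileAccessTool->deleteFile($tmpPath);
    }
}
```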
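Review bot: `deleteFile()` discards the return value of `unlink()` and answers `true` unconditionally, so a caller can never learn that a temporary sample was left behind; that is at odds with the rest of this class, whose context line above throws `MethodNotAllowedException` with the `__fileErrorMsgPrefix` message on failure. Either return the real result, `return unlink($file);`, or follow the class convention and throw when `unlink()` fails. `unlink()` also emits a PHP warning on a missing file, so guard with `file_exists()` if callers may delete twice.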
@@ -2690,7 +2690,7 @@ class Attribute extends AppModel { return array('sgs' => $sgs, 'levels' => $distributionLevels, 'initial' => $initialDistribution); } - public function simpleAddMalwareSample($event_id, $category, $distribution, $sharing_group_id, $comment, $filename, $tmpfile) { + public function simpleAddMalwareSample($event_id, $attribute_settings, $filename, $tmpfile) { $attributes = array( 'malware-sample' => array('type' => 'malware-sample', 'data' => 1, 'category' => '', 'to_ids' => 1, 'disable_correlation' => 0, 'object_relation' => 'malware-sample'), 'filename' => array('type' => 'filename', 'category' => '', 'to_ids' => 0, 'disable_correlation' => 0, 'object_relation' => 'filename'), @@ -2702,12 +2702,21 @@ class Attribute extends AppModel { $hashes = array('md5', 'sha1', 'sha256'); $this->Object = ClassRegistry::init('Object'); $this->ObjectTemplate = ClassRegistry::init('ObjectTemplate'); - $object_template = $this->ObjectTemplate->find('first', array( - 'conditions' => array( - 'ObjectTemplate.uuid' => '688c46fb-5edb-40a3-8273-1af7923e2215' - ), - 'recursive' => -1 + $current = $this->ObjectTemplate->find('first', array( + 'fields' => array('MAX(version) AS version', 'uuid'), + 'conditions' => array('uuid' => '688c46fb-5edb-40a3-8273-1af7923e2215'), + 'recursive' => -1, + 'group' => array('uuid') )); + if (!empty($current)) { + $object_template = $this->ObjectTemplate->find('first', array( + 'conditions' => array( + 'ObjectTemplate.uuid' => '688c46fb-5edb-40a3-8273-1af7923e2215', + 'ObjectTemplate.version' => $current[0]['version'] + ), + 'recursive' => -1 + )); + } if (empty($object_template)) { $object_template = array( 'ObjectTemplate' => array( 
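Review bot: The new `$attribute_settings` array parameter replaces five named scalars but nothing documents which keys it must carry; the reads in the following hunks show `distribution` and `category` used unguarded and `sharing_group_id` and `comment` treated as optional. A docblock on the signature would keep callers from passing the controller's raw `$data['settings']` with a key missing, e.g. `/** @param array $attribute_settings keys: distribution, category (required); sharing_group_id, comment (optional) */`. The function body continues outside the hunk.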
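Review bot: `$object_template` is only assigned inside the new `if (!empty($current))` branch, so the `if (empty($object_template))` fallback below relies on `empty()` tolerating an undefined variable; initialise it with `$object_template = array();` before the first `find` so the fallback path is explicit and static analysis does not flag the read. The `MAX(version) AS version` aggregate is read back as `$current[0]['version']`, which presumably is the framework's shape for computed columns — a short comment such as `// aggregate columns come back under index 0` would save the next reader a lookup, and the index should be confirmed against an actual result. The function body continues outside the hunk.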
@@ -2720,21 +2729,21 @@ class Attribute extends AppModel { ); } $object = array( - 'distribution' => $distribution, - 'sharing_group_id' => $sharing_group_id, + 'distribution' => $attribute_settings['distribution'], + 'sharing_group_id' => isset($attribute_settings['sharing_group_id']) ? $attribute_settings['sharing_group_id'] : 0, 'meta-category' => $object_template['ObjectTemplate']['meta-category'], 'name' => $object_template['ObjectTemplate']['name'], 'template_version' => $object_template['ObjectTemplate']['version'], 'description' => $object_template['ObjectTemplate']['description'], 'template_uuid' => $object_template['ObjectTemplate']['uuid'], 'event_id' => $event_id, - 'comment' => $comment + 'comment' => !empty($attribute_settings['comment']) ? $attribute_settings['comment'] : '' ); $result = $this->Event->Attribute->handleMaliciousBase64($event_id, $filename, base64_encode($tmpfile->read()), $hashes); foreach ($attributes as $k => $v) { $attribute = array( 'distribution' => 5, - 'category' => empty($v['category']) ? $category : $v['category'], + 'category' => empty($v['category']) ? $attribute_settings['category'] : $v['category'], 'type' => $v['type'], 'to_ids' => $v['to_ids'], 'disable_correlation' => $v['disable_correlation'], @@ -2759,7 +2768,7 @@ class Attribute extends AppModel { return array('Object' => array($object)); } - public function advancedAddMalwareSample($tmpfile) { + public function advancedAddMalwareSample($event_id, $attribute_settings, $filename, $tmpfile) { $execRetval = ''; $execOutput = array(); $result = shell_exec('python ' . APP . 'files/scripts/generate_file_objects.py -p ' . $tmpfile->path); 
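Review bot: `$attribute_settings['distribution']` and `$attribute_settings['category']` are read unguarded in the `$object` and `$attribute` arrays, whereas `sharing_group_id` and `comment` in the same hunk are wrapped in `isset`/`!empty`; settings that omit one of the two produce a PHP notice and an object saved with a null distribution, i.e. no explicit sharing level. Validate at the top of the function, e.g. `if (!isset($attribute_settings['distribution'], $attribute_settings['category'])) { throw new InvalidArgumentException('distribution and category are required'); }`. Whether a distribution level that requires a sharing group is rejected further down the save path when `sharing_group_id` has been defaulted to 0 is not visible here and should be confirmed. The function starts and ends outside this hunk.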
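Review bot: `$tmpfile->path` is concatenated straight into the `shell_exec('python ' . APP . 'files/scripts/generate_file_objects.py -p ' . $tmpfile->path)` command string without `escapeshellarg()`; the path comes from the tool's own temp-file creation rather than the request, but the directory is taken from the `MISP.tmpdir` setting, and a configured directory containing spaces or shell metacharacters would break or alter the command. Use `' -p ' . escapeshellarg($tmpfile->path)` as a cheap guarantee regardless of configuration. `$execRetval` and `$execOutput` are initialised but unused in the visible lines and look like leftovers from an `exec()` variant. The function body continues outside the hunk.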
@@ -2773,6 +2782,26 @@ class Attribute extends AppModel { $result['ObjectReference'] = $result['references']; unset($result['references']); } + foreach ($result['Object'] as $k => $object) { + $result['Object'][$k]['distribution'] = $attribute_settings['distribution']; + $result['Object'][$k]['sharing_group_id'] = isset($attribute_settings['distribution']) ? $attribute_settings['distribution'] : 0; + if (!empty($result['Object'][$k]['Attribute'])) { + foreach ($result['Object'][$k]['Attribute'] as $k2 => $attribute) { + if ($attribute['value'] == $tmpfile->name) { + $result['Object'][$k]['Attribute'][$k2]['value'] = $filename; + } + if (!empty($attribute['encrypt'])) { + if (!empty($attribute['encrypt']) && $attribute['encrypt']) { + $encrypted = $this->handleMaliciousBase64($event_id, $filename, $attribute['data'], array('md5')); + $result['Object'][$k]['Attribute'][$k2]['data'] = $encrypted['data']; + $result['Object'][$k]['Attribute'][$k2]['value'] = $filename . '|' . $encrypted['md5']; + } + } + } + } + } + } else { + $result = $this->simpleAddMalwareSample($event_id, $attribute_settings, $filename, $tmpfile); } return $result; } From a61b5007cf9eb434a2e8a2d8f75a0b7026ff70a7 Mon Sep 17 00:00:00 2001 From: iglocska Date: Mon, 25 Sep 2017 13:08:26 +0200 Subject: [PATCH 23/25] fix: Fixed an issue with pushing a sample via the API / add attachments when no object templates are loaded --- app/Model/Attribute.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php index 9427663cf..fec567c3a 100644 --- a/app/Model/Attribute.php +++ b/app/Model/Attribute.php @@ -2722,7 +2722,7 @@ class Attribute extends AppModel { 'ObjectTemplate' => array( 'meta-category' => 'file', 'name' => 'file', - 'template_uuid' => '688c46fb-5edb-40a3-8273-1af7923e2215', + 'uuid' => '688c46fb-5edb-40a3-8273-1af7923e2215', 'version' => 1, 'description' => 'File object describing a file with meta-information' ) 
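Review bot: `sharing_group_id` is populated from the distribution level (`isset($attribute_settings['distribution']) ? $attribute_settings['distribution'] : 0`) instead of from `$attribute_settings['sharing_group_id']`, so every object produced by this path carries the distribution number as its sharing group; `simpleAddMalwareSample` in the previous hunk reads `sharing_group_id` correctly, and the `uploadSample` controller loop earlier in this series has the same copy/paste slip. Change the line to `$result['Object'][$k]['sharing_group_id'] = isset($attribute_settings['sharing_group_id']) ? $attribute_settings['sharing_group_id'] : 0;`. The nested `if (!empty($attribute['encrypt'])) { if (!empty($attribute['encrypt']) && $attribute['encrypt']) {` repeats the same test and collapses to a single `if`. The `if`/`else` around the loop starts outside the hunk.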
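Review bot: The hardcoded fallback template carries no comment saying when it is used; per the commit message it is the path taken when no object templates are loaded, and its keys must mirror the `ObjectTemplate` row fields that `simpleAddMalwareSample` reads into the object (`uuid`, `version`, `name`, `meta-category`, `description`) — the `template_uuid`/`uuid` mismatch this commit fixes is exactly that coupling going unnoticed. A comment such as `// fallback when no object templates are loaded; keys must match the ObjectTemplate columns read below` would keep the next edit from reintroducing it. The enclosing `if (empty($object_template))` starts outside the hunk.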
From 9e71fbb5f74b7c438eadc349499387a555971620 Mon Sep 17 00:00:00 2001 From: iglocska Date: Mon, 25 Sep 2017 14:00:17 +0200 Subject: [PATCH 24/25] fix: flatten the events for the restSearch API's lookup functions - otherwise valid events that only contain objects get blocked --- app/Controller/AttributesController.php | 3 ++- app/Controller/EventsController.php | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php index 0fd272b43..eb941b1dc 100644 --- a/app/Controller/AttributesController.php +++ b/app/Controller/AttributesController.php @@ -1816,7 +1816,8 @@ class AttributesController extends AppController { 'fields' => array('Attribute.*', 'Event.org_id', 'Event.distribution'), 'withAttachments' => $withAttachments, 'enforceWarninglist' => $enforceWarninglist, - 'includeAllTags' => true + 'includeAllTags' => true, + 'flatten' => 1 ); if ($deleted) { $params['deleted'] = 1; diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php index 021420551..90b3a30cc 100644 --- a/app/Controller/EventsController.php +++ b/app/Controller/EventsController.php @@ -2684,7 +2684,8 @@ class EventsController extends AppController { 'contain' => array(), 'recursive' => -1, 'list' => true, - 'event_ids' => true + 'event_ids' => true, + 'flatten' => 1 ); $attributes = $this->Event->Attribute->fetchAttributes($this->Auth->user(), $params); $eventIds = array(); From ec8d283ff5bfa980bcfdb6f74d47e39260afa22c Mon Sep 17 00:00:00 2001 From: iglocska Date: Mon, 25 Sep 2017 15:24:58 +0200 Subject: [PATCH 25/25] fix: IP|Port in Gui, fixes #2505 --- app/View/Elements/Events/View/value_field.ctp | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/app/View/Elements/Events/View/value_field.ctp b/app/View/Elements/Events/View/value_field.ctp index d03e2e911..e38d50c35 100644 --- a/app/View/Elements/Events/View/value_field.ctp 
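Review bot: The new `'flatten' => 1` sits in parameter arrays whose other switches are booleans (`'includeAllTags' => true` here, `'list' => true` and `'event_ids' => true` in the EventsController hunk of the same commit); writing `'flatten' => true` keeps the two consistent and stops a reader wondering whether `flatten` is a depth count or a flag. If `fetchAttributes` genuinely expects an integer, a short comment on the first occurrence would settle it. The surrounding functions start and end outside both hunks.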
+++ b/app/View/Elements/Events/View/value_field.ctp @@ -20,9 +20,12 @@ } } else if (strpos($object['type'], '|') !== false) { $separator = in_array($object['type'], array('ip-dst|port', 'ip-src|port')) ? ':' : '
    '; - $separator_pos = strpos('|', $object['value']); - $final_value = h($object['value']); - echo substr_replace(h($object['value']), $separator, $separator_pos, strlen($separator)); + $value_pieces = explode('|', $object['value']); + foreach ($value_pieces as $k => $v) { + $value_pieces[$k] = h($v); + } + $object['value'] = implode($separator, $value_pieces); + echo ($object['value']); } else if ('vulnerability' == $object['type']) { $cveUrl = (is_null(Configure::read('MISP.cveurl'))) ? "http://www.google.com/search?q=" : Configure::read('MISP.cveurl'); echo $this->Html->link($sigDisplay, $cveUrl . $sigDisplay, array('target' => '_blank', 'class' => $linkClass));
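Review bot: Each value piece is passed through `h()` before being joined, so the rewrite keeps the output escaped, but `in_array($object['type'], array('ip-dst|port', 'ip-src|port'))` on the context line above should pass `true` as the third argument to keep the comparison strict, and the parentheses in `echo ($object['value']);` are redundant. The separator is a fixed literal chosen by the view (rendered here as a line break for the non-port case) and must stay a literal rather than ever being derived from `$object`. The escaping loop reads more directly as `$value_pieces = array_map('h', explode('|', $object['value']));` followed by the existing `implode`. The surrounding `else if` chain starts and ends outside the hunk.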