mirror of https://github.com/MISP/MISP
Update to the tag automation tag searches
- A colon in the tag search tag will render the tag search invalid. Since colons are commonly used in tag names, this poses an issue - users should use a semi-colon instead, which gets automatically converted to a colon.pull/219/merge
iglocska
parent
f4911dc034
commit
5796320e84
|
|
@ -1096,6 +1096,7 @@ class AttributesController extends AppController {
|
|||
// && - you can use && between two search values to put a logical OR between them. for value, 1.1.1.1&&2.2.2.2 would find attributes with the value being either of the two.
|
||||
// ! - you can negate a search term. For example: google.com&&!mail would search for all attributes with value google.com but not ones that include mail. www.google.com would get returned, mail.google.com wouldn't.
|
||||
public function restSearch($key='download', $value=null, $type=null, $category=null, $org=null, $tags=null) {
|
||||
if ($tags) $tags = str_replace(';', ':', $tags);
|
||||
if ($value === 'null') $value = null;
|
||||
if ($type === 'null') $type = null;
|
||||
if ($category === 'null') $category = null;
|
||||
|
|
|
|||
|
|
@ -1192,6 +1192,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
|
||||
public function xml($key, $eventid=null, $withAttachment = false, $tags = '') {
|
||||
if ($tags != '') $tags = str_replace(';', ':', $tags);
|
||||
if ($eventid === 'null' || $eventid ==='false') $eventid=null;
|
||||
if ($withAttachment === 'null' || $withAttachment ==='false') $withAttachment = false;
|
||||
if ($key != 'download') {
|
||||
|
|
@ -1256,6 +1257,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
|
||||
public function nids($format = 'suricata', $key = '', $id = null, $continue = false, $tags = '') {
|
||||
if ($tags != '') $tags = str_replace(';', ':', $tags);
|
||||
if ($id === 'null') $id = null;
|
||||
if ($continue === 'false') $continue = false;
|
||||
if ($continue === 'true') $continue = true;
|
||||
|
|
@ -1288,6 +1290,7 @@ class EventsController extends AppController {
|
|||
}
|
||||
|
||||
public function hids($type, $key, $tags = '') {
|
||||
if ($tags != '') $tags = str_replace(';', ':', $tags);
|
||||
$this->response->type('txt'); // set the content type
|
||||
$this->header('Content-Disposition: download; filename="misp.' . $type . '.rules"');
|
||||
$this->layout = 'text/default';
|
||||
|
|
@ -1314,6 +1317,7 @@ class EventsController extends AppController {
|
|||
// Usage: csv($key, $eventid) - key can be a valid auth key or the string 'download'. Download requires the user to be logged in interactively and will generate a .csv file
|
||||
// $eventid can be one of 3 options: left empty it will get all the visible to_ids attributes,
|
||||
public function csv($key, $eventid=0, $ignore=0, $tags = '') {
|
||||
if ($tags != '') $tags = str_replace(';', ':', $tags);
|
||||
$list = array();
|
||||
|
||||
if ($key != 'download') {
|
||||
|
|
@ -1765,6 +1769,7 @@ class EventsController extends AppController {
|
|||
// && - you can use && between two search values to put a logical OR between them. for value, 1.1.1.1&&2.2.2.2 would find attributes with the value being either of the two.
|
||||
// ! - you can negate a search term. For example: google.com&&!mail would search for all attributes with value google.com but not ones that include mail. www.google.com would get returned, mail.google.com wouldn't.
|
||||
public function restSearch($key=null, $value=null, $type=null, $category=null, $org=null, $tags = '') {
|
||||
if ($tags != '') $tags = str_replace(';', ':', $tags);
|
||||
if ($value === 'null') $value = null;
|
||||
if ($type === 'null') $type = null;
|
||||
if ($category === 'null') $category = null;
|
||||
|
|
@ -1851,7 +1856,6 @@ class EventsController extends AppController {
|
|||
}
|
||||
$conditions['AND'][] = $temp;
|
||||
}
|
||||
|
||||
$params = array(
|
||||
'conditions' => $conditions,
|
||||
'fields' => array('Attribute.event_id'),
|
||||
|
|
|
|||
|
|
@ -16,7 +16,7 @@ You can <?php echo $this->Html->link('reset', array('controller' => 'users', 'ac
|
|||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/xml/download</pre>
|
||||
<p>If you only want to fetch a specific event append the eventid number:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/xml/download/1</pre>
|
||||
<p>The xml download also accepts two additional (optional) parameters: a boolean field that determines whether attachments should be encoded and a second parameter that controls the eligible tags. To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a '!'. You can also chain several tag commands together with the '&&' operator. For example, to include tag1 and tag2 but exclude tag3 you would use:</p>
|
||||
<p>The xml download also accepts two additional (optional) parameters: a boolean field that determines whether attachments should be encoded and a second parameter that controls the eligible tags. To include a tag in the results just write its names into this parameter. To exclude a tag prepend it with a '!'. You can also chain several tag commands together with the '&&' operator. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). For example, to include tag1 and tag2 but exclude tag3 you would use:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/xml/download/null/true/tag1&&tag2&&!tag3</pre>
|
||||
<p>Also check out the <?php echo $this->Html->link(__('User Guide', true), array('controller' => 'pages', 'action' => 'display', 'using_the_system', '#' => 'rest')); ?> to read about the REST API.</p>
|
||||
<p></p>
|
||||
|
|
@ -26,7 +26,7 @@ You can <?php echo $this->Html->link('reset', array('controller' => 'users', 'ac
|
|||
<p>You can configure your tools to automatically download the following file:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/nids/suricata/download
|
||||
<?php echo Configure::read('MISP.baseurl');?>/events/nids/snort/download</pre>
|
||||
<p>In addition to the above mentioned, the NIDS exports can accept several additional parameters: an event ID to only create the signature based on a single event (null will still include every event), a boolean flag that determines whether it should be a standalone file with all the descriptions at the start (false) or whether it should just be the signature lines (true). The last parameter is the tagging syntax, as described for the XML export. An example for a suricata export for all events excluding those tagged tag1, without all of the commented information at the start of the file would look like this:</p>
|
||||
<p>In addition to the above mentioned, the NIDS exports can accept several additional parameters: an event ID to only create the signature based on a single event (null will still include every event), a boolean flag that determines whether it should be a standalone file with all the descriptions at the start (false) or whether it should just be the signature lines (true). The last parameter is the tagging syntax, as described for the XML export. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). An example for a suricata export for all events excluding those tagged tag1, without all of the commented information at the start of the file would look like this:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/nids/suricata/download/null/true/!tag1</pre>
|
||||
<p>Administration is able to maintain a white-list containing host, domain name and IP numbers to exclude from the NIDS export.</p>
|
||||
|
||||
|
|
@ -37,7 +37,7 @@ You can <?php echo $this->Html->link('reset', array('controller' => 'users', 'ac
|
|||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/hids/md5/download</pre>
|
||||
<h4>sha1</h4>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/hids/sha1/download</pre>
|
||||
<p>You can also use the tag syntax similar to the XML import. For example, to only show sha1 values from events tagged tag1, use:</p>
|
||||
<p>You can also use the tag syntax similar to the XML import. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). For example, to only show sha1 values from events tagged tag1, use:</p>
|
||||
<pre><?php echo Configure::read('MISP.baseurl');?>/events/hids/sha1/download/tag1</pre>
|
||||
|
||||
<h3>Text export</h3>
|
||||
|
|
@ -50,7 +50,7 @@ foreach ($sigTypes as $sigType) {
|
|||
}
|
||||
?>
|
||||
</pre>
|
||||
<p>To restrict the results by tags, use the usual syntax. To get ip-src values from events tagged tag1 but not tag2 use:</p>
|
||||
<p>To restrict the results by tags, use the usual syntax. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). To get ip-src values from events tagged tag1 but not tag2 use:</p>
|
||||
<pre>
|
||||
<?php
|
||||
echo Configure::read('MISP.baseurl').'/attributes/text/download/ip-src/tag1&&!tag2';
|
||||
|
|
@ -71,14 +71,14 @@ echo Configure::read('MISP.baseurl').'/attributes/text/download/ip-src/tag1&&!ta
|
|||
echo Configure::read('MISP.baseurl').'/attributes/restSearch/download/[value]/[type]/[category]/[org]/[tag]';
|
||||
?>
|
||||
</pre>
|
||||
<p>value, type, category and org are optional. It is possible to search for several terms in each category by joining them with the '&&' operator. It is also possible to negate a term with the '!' operator.
|
||||
<p>value, type, category and org are optional. It is possible to search for several terms in each category by joining them with the '&&' operator. It is also possible to negate a term with the '!' operator. Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead).
|
||||
For example, in order to search for all attributes created by your organisation that contain 192.168 or 127.0 but not 0.1 and are of the type ip-src, excluding the events that were tagged tag1 use the following syntax:</p>
|
||||
<pre>
|
||||
<?php
|
||||
echo Configure::read('MISP.baseurl').'/attributes/restSearch/download/192.168&&127.0&&!0.1/ip-src/null/' . $me['org'] . '/!tag1';
|
||||
?>
|
||||
</pre>
|
||||
<p>You can also use search for IP addresses using CIDR. Make sure that you use '|' (pipe) instead of '/' (slashes). See below for an example: </p>
|
||||
<p>You can also use search for IP addresses using CIDR. Make sure that you use '|' (pipe) instead of '/' (slashes). Please be aware the colons (:) cannot be used in the tag search. Use semicolons instead (the search will automatically search for colons instead). See below for an example: </p>
|
||||
<pre>
|
||||
<?php
|
||||
echo Configure::read('MISP.baseurl').'/attributes/restSearch/download/192.168.1.1|16/ip-src/null/' . $me['org'];
|
||||
|
|
|
|||
Loading…
Reference in New Issue