Changes to the automation

- authorization key should be sent through headers.
- passing it in the url is deprecated
- updated automation page to reflect the changes

- csv export now has headers
pull/217/head
iglocska 2014-01-16 17:19:51 +01:00
parent 7bd7405a8f
commit 61753690a1
5 changed files with 209 additions and 207 deletions


@ -87,8 +87,7 @@ class AppController extends Controller {
// User found in the db, add the user info to the session
$this->Session->renew();
$this->Session->write(AuthComponent::$sessionKey, $user['User']);
}
else {
} else {
// User not authenticated correctly
// reset the session information
$this->Session->destroy();
@ -109,6 +108,7 @@ class AppController extends Controller {
// instead of using checkAction(), like we normally do from controllers when trying to find out about a permission flag, we can use getActions()
// getActions returns all the flags in a single SQL query
if ($this->Auth->user()) {
$this->Session->renew();
$role = $this->getActions();
$this->set('me', $this->Auth->user());
$this->set('isAdmin', $role['perm_admin']);
@ -226,99 +226,6 @@ class AppController extends Controller {
$this->Auth->login($user['User']);
}
public function queuegenerateCorrelation() {
if (!$this->_isSiteAdmin()) throw new NotFoundException();
$process_id = CakeResque::enqueue(
'default',
'AdminShell',
array('jobGenerateCorrelation'),
true
);
debug($process_id);
debug(CakeResque::getJobStatus($process_id));
debug(CakeResque::getJobStatus('f80f51ee76dd22194a0dd6cd28c15f46'));
throw new Exception();
$this->Session->setFlash('Job queued.');
$this->redirect(array('controller' => 'pages', 'action' => 'display', 'administration'));
}
public function generateCorrelation() {
$this->loadModel('Correlation');
$this->Correlation->deleteAll(array('id !=' => ''), false);
$this->loadModel('Attribute');
$fields = array('Attribute.id', 'Attribute.event_id', 'Attribute.distribution', 'Attribute.type', 'Attribute.category', 'Attribute.value1', 'Attribute.value2');
// get all attributes..
$attributes = $this->Attribute->find('all', array('recursive' => -1, 'fields' => $fields));
// for all attributes..
foreach ($attributes as $attribute) {
$this->Attribute->__afterSaveCorrelation($attribute['Attribute']);
}
}
/*public function generateCorrelation() {
if (!self::_isSiteAdmin()) throw new NotFoundException();
$this->loadModel('Correlation');
$this->Correlation->deleteAll(array('id !=' => ''), false);
$this->loadModel('Attribute');
$fields = array('Attribute.id', 'Attribute.event_id', 'Attribute.distribution', 'Attribute.cluster', 'Event.date', 'Event.org');
// get all attributes..
$attributes = $this->Attribute->find('all', array('recursive' => -1));
// for all attributes..
foreach ($attributes as $attribute) {
$this->Attribute->__afterSaveCorrelation($attribute['Attribute']);
}
$this->Session->setFlash(__('All done.'));
$this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
}*/
public function generateLocked() {
if (!self::_isSiteAdmin()) throw new NotFoundException();
$this->loadModel('User');
$this->User->recursive = -1;
$localOrgs = array();
$conditions = array();
$orgs = $this->User->find('all', array('fields' => array('DISTINCT org')));
foreach ($orgs as $k => $org) {
$orgs[$k]['User']['count'] = $this->User->find('count', array(
'conditions' => array(
'org =' => $orgs[$k]['User']['org'],
)));
if ($orgs[$k]['User']['count'] > 1) {
$localOrgs[] = $orgs[$k]['User']['org'];
$conditions['AND'][] = array('orgc !=' => $orgs[$k]['User']['org']);
} else if ($orgs[$k]['User']['count'] == 1) {
// If we only have a single user for an org, check if that user is a sync user. If not, then it is a valid local org and the events created by him/her should be unlocked.
$this->User->recursive = 1;
$user = ($this->User->find('first', array(
'fields' => array('id', 'role_id'),
'conditions' => array('org' => $org['User']['org']),
'contain' => array('Role' => array(
'fields' => array('id', 'perm_sync'),
))
)));
if (!$user['Role']['perm_sync']) {
$conditions['AND'][] = array('orgc !=' => $orgs[$k]['User']['org']);
}
}
}
// Don't lock stuff that's already locked
$conditions['AND'][] = array('locked !=' => true);
$this->loadModel('Event');
$this->Event->recursive = -1;
$toBeUpdated = $this->Event->find('count', array(
'conditions' => $conditions
));
$this->Event->updateAll(
array('Event.locked' => 1),
$conditions
);
$this->Session->setFlash('Events updated, '. $toBeUpdated . ' record(s) altered.');
$this->redirect(array('controller' => 'pages', 'action' => 'display', 'administration'));
}
/**
*
* @param $action
@ -481,61 +388,4 @@ class AppController extends Controller {
//}
return false;
}
public function reportValidationIssuesEvents() {
// search for validation problems in the events
if (!self::_isSiteAdmin()) throw new NotFoundException();
print ("<h2>Listing invalid event validations</h2>");
$this->loadModel('Event');
// first remove executing some Behaviors because of Noud's crappy code
$this->Event->Behaviors->detach('Regexp');
// get all events..
$events = $this->Event->find('all', array('recursive' => -1));
// for all events..
foreach ($events as $event) {
$this->Event->set($event);
if ($this->Event->validates()) {
// validates
} else {
$errors = $this->Event->validationErrors;
print ("<h3>Validation errors for event: " . $event['Event']['id'] . "</h3><pre>");
print_r($errors);
print ("</pre><p>Event details:</p><pre>");
print_r($event);
print ("</pre><br/>");
}
}
}
public function reportValidationIssuesAttributes() {
// TODO improve performance of this function by eliminating the additional SQL query per attribute
// search for validation problems in the attributes
if (!self::_isSiteAdmin()) throw new NotFoundException();
print ("<h2>Listing invalid attribute validations</h2>");
$this->loadModel('Attribute');
// for efficiency reasons remove the unique requirement
$this->Attribute->validator()->remove('value', 'unique');
// get all attributes..
$attributes = $this->Attribute->find('all', array('recursive' => -1));
// for all attributes..
foreach ($attributes as $attribute) {
$this->Attribute->set($attribute);
if ($this->Attribute->validates()) {
// validates
} else {
$errors = $this->Attribute->validationErrors;
print ("<h3>Validation errors for attribute: " . $attribute['Attribute']['id'] . "</h3><pre>");
print_r($errors['value'][0]);
print ("</pre><p>Attribute details:</p><pre>");
print($attribute['Attribute']['event_id']."\n");
print($attribute['Attribute']['category']."\n");
print($attribute['Attribute']['type']."\n");
print($attribute['Attribute']['value']."\n");
print ("</pre><br/>");
}
}
}
}
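Review bot: The `$this->Session->renew();` call inside `if ($this->Auth->user())` in the second hunk (it appears to be the one added line there) regenerates the session id on every authenticated request, not only at login. The renew in the login branch of the first hunk is the one that protects against session fixation; rotating per request can drop sessions when a browser sends concurrent requests, because a request still carrying the old id may arrive after the id has changed. If per-request rotation is intended, add a comment stating the reason; otherwise keep the renew only in the login branch. The enclosing method starts and ends outside both hunks.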


@ -1095,8 +1095,13 @@ class AttributesController extends AppController {
// the last 4 fields accept the following operators:
// && - you can use && between two search values to put a logical OR between them. for value, 1.1.1.1&&2.2.2.2 would find attributes with the value being either of the two.
// ! - you can negate a search term. For example: google.com&&!mail would search for all attributes with value google.com but not ones that include mail. www.google.com would get returned, mail.google.com wouldn't.
public function restSearch($key, $value=null, $type=null, $category=null, $org=null) {
$user = $this->checkAuthUser($key);
public function restSearch($key='download', $value=null, $type=null, $category=null, $org=null) {
if ($key!=null && $key!='download') {
$user = $this->checkAuthUser($key);
} else {
if (!$this->Auth->user()) throw new UnauthorizedException('You are not authorized. Please send the Authorization header with your auth key along with an Accept header for application/xml.');
$user = $this->checkAuthUser($this->Auth->user('authkey'));
}
if (!$user) {
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
}
@ -1168,6 +1173,7 @@ class AttributesController extends AppController {
$results = $this->Attribute->find('all', $params);
$this->loadModel('Whitelist');
$this->response->type('xml');
$results = $this->Whitelist->removeWhitelistedFromArray($results, false);
if (empty($results)) throw new NotFoundException('No matches.');
$this->set('results', $results);
@ -1258,8 +1264,13 @@ class AttributesController extends AppController {
$this->set('results', $attributes);
}
public function downloadAttachment($key, $id) {
$user = $this->checkAuthUser($key);
public function downloadAttachment($key='download', $id) {
if ($key!=null && $key!='download') {
$user = $this->checkAuthUser($key);
} else {
if (!$this->Auth->user()) throw new UnauthorizedException('You are not authorized. Please send the Authorization header with your auth key along with an Accept header for application/xml.');
$user = $this->checkAuthUser($this->Auth->user('authkey'));
}
// if the user is authorised to use the api key then user will be populated with the user's account
// in addition we also set a flag indicating whether the user is a site admin or not.
if (!$user) {
@ -1280,7 +1291,7 @@ class AttributesController extends AppController {
$this->__downloadAttachment($this->Attribute->data['Attribute']);
}
public function text($key, $type="") {
public function text($key='download', $type="") {
if ($key != 'download') {
// check if the key is valid -> search for users based on key
$user = $this->checkAuthUser($key);
@ -1301,4 +1312,65 @@ class AttributesController extends AppController {
$attributes = $this->Whitelist->removeWhitelistedFromArray($attributes, true);
$this->set('attributes', $attributes);
}
public function reportValidationIssuesAttributes() {
// TODO improve performance of this function by eliminating the additional SQL query per attribute
// search for validation problems in the attributes
if (!self::_isSiteAdmin()) throw new NotFoundException();
print ("<h2>Listing invalid attribute validations</h2>");
$this->loadModel('Attribute');
// for efficiency reasons remove the unique requirement
$this->Attribute->validator()->remove('value', 'unique');
// get all attributes..
$attributes = $this->Attribute->find('all', array('recursive' => -1));
// for all attributes..
foreach ($attributes as $attribute) {
$this->Attribute->set($attribute);
if ($this->Attribute->validates()) {
// validates
} else {
$errors = $this->Attribute->validationErrors;
print ("<h3>Validation errors for attribute: " . $attribute['Attribute']['id'] . "</h3><pre>");
print_r($errors['value'][0]);
print ("</pre><p>Attribute details:</p><pre>");
print($attribute['Attribute']['event_id']."\n");
print($attribute['Attribute']['category']."\n");
print($attribute['Attribute']['type']."\n");
print($attribute['Attribute']['value']."\n");
print ("</pre><br/>");
}
}
}
/*
public function generateCorrelation() {
$this->loadModel('Correlation');
$this->Correlation->deleteAll(array('id !=' => ''), false);
$this->loadModel('Attribute');
$fields = array('Attribute.id', 'Attribute.event_id', 'Attribute.distribution', 'Attribute.type', 'Attribute.category', 'Attribute.value1', 'Attribute.value2');
// get all attributes..
$attributes = $this->Attribute->find('all', array('recursive' => -1, 'fields' => $fields));
// for all attributes..
foreach ($attributes as $attribute) {
$this->Attribute->__afterSaveCorrelation($attribute['Attribute']);
}
}
*/
public function generateCorrelation() {
if (!self::_isSiteAdmin()) throw new NotFoundException();
$this->loadModel('Correlation');
$this->Correlation->deleteAll(array('id !=' => ''), false);
$this->loadModel('Attribute');
$fields = array('Attribute.id', 'Attribute.event_id', 'Attribute.distribution', 'Attribute.cluster', 'Event.date', 'Event.org');
// get all attributes..
$attributes = $this->Attribute->find('all', array('recursive' => -1));
// for all attributes..
foreach ($attributes as $attribute) {
$this->Attribute->__afterSaveCorrelation($attribute['Attribute']);
}
$this->Session->setFlash(__('All done.'));
$this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
}
}
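Review bot: `reportValidationIssuesAttributes()` prints stored attribute fields straight into an HTML response (`print($attribute['Attribute']['value']."\n");` and the three prints above it), so a value containing markup would be rendered in the site admin's browser. Escape each field on output, e.g. `print(h($attribute['Attribute']['value'])."\n");`, and wrap the error dump as `print(h(print_r($errors['value'][0], true)));`. The same applies to `print_r($event)` in `reportValidationIssuesEvents()` as moved into EventsController by this commit. Separately, `downloadAttachment($key='download', $id)` puts a defaulted parameter before a required one, so the default can never take effect.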


@ -1169,6 +1169,12 @@ class EventsController extends AppController {
// Whitelist check
$this->loadModel('Whitelist');
$results = $this->Whitelist->removeWhitelistedFromArray($results, false);
if ($eventid) {
$this->header('Content-Disposition: download; filename="misp.event' . $eventid . '.export.xml"');
} else {
$this->header('Content-Disposition: download; filename="misp.export.xml"');
}
$this->response->type('xml');
$this->set('results', $results);
}
@ -1195,26 +1201,21 @@ class EventsController extends AppController {
$key = $format;
$format = 'suricata'; // default format
}
$this->response->type('txt'); // set the content type
$this->header('Content-Disposition: download; filename="misp.rules"');
$this->layout = 'text/default';
if ($key != 'download') {
$this->response->type('txt'); // set the content type
$this->header('Content-Disposition: download; filename="misp.rules"');
$this->layout = 'text/default';
// check if the key is valid -> search for users based on key
$user = $this->checkAuthUser($key);
if (!$user) {
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
}
} else {
//$this->autoRender = false;
$this->response->type('txt'); // set the content type
$this->header('Content-Disposition: download; filename="misp.nids.rules"');
$this->layout = 'text/default';
// check if there's a user logged in or not
if (!$this->Auth->user('id')) {
throw new UnauthorizedException('You have to be logged in to do that.');
}
$user = $this->Auth->user;
$user = $this->checkAuthUser($this->Auth->user('authkey'));
}
// display the full snort rulebase
@ -1224,24 +1225,21 @@ class EventsController extends AppController {
}
public function hids($type, $key) {
$this->response->type('txt'); // set the content type
$this->header('Content-Disposition: download; filename="misp.' . $type . '.rules"');
$this->layout = 'text/default';
if ($key != 'download') {
// check if the key is valid -> search for users based on key
$user = $this->checkAuthUser($key);
if (!$user) {
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
}
$this->response->type('txt'); // set the content type
$this->header('Content-Disposition: download; filename="misp.' . $type . '.rules"');
$this->layout = 'text/default';
} else {
// check if there's a user logged in or not
if (!$this->Auth->user('id')) {
throw new UnauthorizedException('You have to be logged in to do that.');
}
$user = $this->Auth->user;
$this->response->type(array('txt' => 'text/html')); // set the content type
$this->header('Content-Disposition: download; filename="misp.' . $type . '.rules"');
$this->layout = 'text/default';
$user = $this->checkAuthUser($this->Auth->user('authkey'));
}
$this->loadModel('Attribute');
@ -1254,37 +1252,23 @@ class EventsController extends AppController {
// $eventid can be one of 3 options: left empty it will get all the visible to_ids attributes,
public function csv($key, $eventid=0, $ignore=0) {
$list = array();
if ($key != 'download') {
// check if the key is valid -> search for users based on key
$user = $this->checkAuthUser($key);
if (!$user) {
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
}
$this->response->type('csv'); // set the content type
if ($eventid == 0) {
$this->header('Content-Disposition: download; filename="misp.all_attributes.csv"');
} else if ($eventid === 'search') {
$this->header('Content-Disposition: download; filename="misp.search_result.csv"');
} else {
$this->header('Content-Disposition: download; filename="misp.event_' . $eventid . '.csv"');
}
$this->layout = 'text/default';
$isSiteAdmin = $user['User']['siteAdmin'];
$org = $user['User']['org'];
} else {
if (!$this->Auth->user('id')) {
throw new UnauthorizedException('You have to be logged in to do that.');
}
$this->response->type('csv'); // set the content type
if ($eventid == 0) {
$this->header('Content-Disposition: download; filename="misp.all_attributes.csv"');
} else {
$this->header('Content-Disposition: download; filename="misp.event_' . $eventid . '.csv"');
}
$this->layout = 'text/default';
$isSiteAdmin = $this->_isSiteAdmin();
$org = $this->Auth->user('org');
}
}
// if it's a search, grab the attributeIDList from the session and get the IDs from it. Use those as the condition
// We don't need to look out for permissions since that's filtered by the search itself
// We just want all the attributes found by the search
@ -1298,6 +1282,17 @@ class EventsController extends AppController {
foreach ($attributes as $attribute) {
$final[] = $attribute['Attribute']['uuid'] . ',' . $attribute['Attribute']['event_id'] . ',' . $attribute['Attribute']['category'] . ',' . $attribute['Attribute']['type'] . ',' . $attribute['Attribute']['value'];
}
$this->response->type('csv'); // set the content type
if ($eventid == 0) {
$this->header('Content-Disposition: download; filename="misp.all_attributes.csv"');
} else if ($eventid === 'search') {
$this->header('Content-Disposition: download; filename="misp.search_result.csv"');
} else {
$this->header('Content-Disposition: download; filename="misp.event_' . $eventid . '.csv"');
}
$this->layout = 'text/default';
$this->set('headers', array('uuid', 'event_id', 'category', 'type', 'value'));
$this->set('final', $final);
}
@ -1703,8 +1698,13 @@ class EventsController extends AppController {
// the last 4 fields accept the following operators:
// && - you can use && between two search values to put a logical OR between them. for value, 1.1.1.1&&2.2.2.2 would find attributes with the value being either of the two.
// ! - you can negate a search term. For example: google.com&&!mail would search for all attributes with value google.com but not ones that include mail. www.google.com would get returned, mail.google.com wouldn't.
public function restSearch($key, $value=null, $type=null, $category=null, $org=null) {
$user = $this->checkAuthUser($key);
public function restSearch($key=null, $value=null, $type=null, $category=null, $org=null) {
if ($key!=null && $key!='download') {
$user = $this->checkAuthUser($key);
} else {
if (!$this->Auth->user()) throw new UnauthorizedException('You are not authorized. Please send the Authorization header with your auth key along with an Accept header for application/xml.');
$user = $this->checkAuthUser($this->Auth->user('authkey'));
}
if (!$user) {
throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');
}
@ -1782,6 +1782,7 @@ class EventsController extends AppController {
}
$this->loadModel('Whitelist');
$results = $this->Whitelist->removeWhitelistedFromArray($results, true);
$this->response->type('xml');
$this->set('results', $results);
}
@ -1925,4 +1926,75 @@ class EventsController extends AppController {
$this->response->header('Location', Configure::read('CyDefSIG.baseurl') . '/events/' . $eventId);
$this->response->send();
}
public function reportValidationIssuesEvents() {
// search for validation problems in the events
if (!self::_isSiteAdmin()) throw new NotFoundException();
print ("<h2>Listing invalid event validations</h2>");
$this->loadModel('Event');
// first remove executing some Behaviors because of Noud's crappy code
$this->Event->Behaviors->detach('Regexp');
// get all events..
$events = $this->Event->find('all', array('recursive' => -1));
// for all events..
foreach ($events as $event) {
$this->Event->set($event);
if ($this->Event->validates()) {
// validates
} else {
$errors = $this->Event->validationErrors;
print ("<h3>Validation errors for event: " . $event['Event']['id'] . "</h3><pre>");
print_r($errors);
print ("</pre><p>Event details:</p><pre>");
print_r($event);
print ("</pre><br/>");
}
}
}
public function generateLocked() {
if (!self::_isSiteAdmin()) throw new NotFoundException();
$this->loadModel('User');
$this->User->recursive = -1;
$localOrgs = array();
$conditions = array();
$orgs = $this->User->find('all', array('fields' => array('DISTINCT org')));
foreach ($orgs as $k => $org) {
$orgs[$k]['User']['count'] = $this->User->find('count', array(
'conditions' => array(
'org =' => $orgs[$k]['User']['org'],
)));
if ($orgs[$k]['User']['count'] > 1) {
$localOrgs[] = $orgs[$k]['User']['org'];
$conditions['AND'][] = array('orgc !=' => $orgs[$k]['User']['org']);
} else if ($orgs[$k]['User']['count'] == 1) {
// If we only have a single user for an org, check if that user is a sync user. If not, then it is a valid local org and the events created by him/her should be unlocked.
$this->User->recursive = 1;
$user = ($this->User->find('first', array(
'fields' => array('id', 'role_id'),
'conditions' => array('org' => $org['User']['org']),
'contain' => array('Role' => array(
'fields' => array('id', 'perm_sync'),
))
)));
if (!$user['Role']['perm_sync']) {
$conditions['AND'][] = array('orgc !=' => $orgs[$k]['User']['org']);
}
}
}
// Don't lock stuff that's already locked
$conditions['AND'][] = array('locked !=' => true);
$this->loadModel('Event');
$this->Event->recursive = -1;
$toBeUpdated = $this->Event->find('count', array(
'conditions' => $conditions
));
$this->Event->updateAll(
array('Event.locked' => 1),
$conditions
);
$this->Session->setFlash('Events updated, '. $toBeUpdated . ' record(s) altered.');
$this->redirect(array('controller' => 'pages', 'action' => 'display', 'administration'));
}
}
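Review bot: In the NIDS export hunk (`@ -1195,26 +1201,21`) and in `hids()` the `if (!$user)` check sits only inside the `$key != 'download'` branch, while the `download` branch now also assigns `$user = $this->checkAuthUser($this->Auth->user('authkey'));` without testing the result. `restSearch()` in this same commit tests `$user` after the if/else, which suggests checkAuthUser() can return a falsy value; if it does for a logged-in user, the code after the branch runs without a user record. Move the check below the if/else in both methods: `if (!$user) throw new UnauthorizedException('This authentication key is not authorized to be used for exports. Contact your administrator.');`. Both method bodies continue outside their hunks, so how `$user` is used afterwards is not visible here.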


@ -7,21 +7,23 @@ To to make this functionality available for automated tools an authentication ke
<p>Your current key is: <code><?php echo $me['authkey'];?></code>.
You can <?php echo $this->Html->link('reset', array('controller' => 'users', 'action' => 'resetauthkey', 'me'));?> this key.
</p>
<p style="color:red;">Since version 2.2 the usage of the authentication key in the url is deprecated. Instead, pass the auth key in an Authorization header in the request. The legacy option of having the auth key in the url is temporarily still supported but not recommended.</p>
<p>Please use the use the following header:<br />
<code>Authorization: <?php echo $me['authkey']; ?></code></p>
<h3>XML Export</h3>
<p>An automatic export of all events and attributes <small>(except file attachments)</small> is available under a custom XML format.</p>
<p>You can configure your tools to automatically download the following file:</p>
<pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/xml/<?php echo $me['authkey']; ?></pre>
<pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/xml/download</pre>
<p>If you only want to fetch a specific event append the eventid number:</p>
<pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/xml/<?php echo $me['authkey']; ?>/1</pre>
<pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/xml/download/1</pre>
<p>Also check out the <?php echo $this->Html->link(__('User Guide', true), array('controller' => 'pages', 'action' => 'display', 'using_the_system', '#' => 'rest')); ?> to read about the REST API.</p>
<p></p>
<h3>NIDS rules export</h3>
<p>Automatic export of all network related attributes is available under the Snort rule format. Only <em>published</em> events and attributes marked as <em>IDS Signature</em> are exported.</p>
<p>You can configure your tools to automatically download the following file:</p>
<pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/nids/suricata/<?php echo $me['authkey']."\n"; ?>
<?php echo Configure::read('CyDefSIG.baseurl');?>/events/nids/snort/<?php echo $me['authkey']; ?></pre>
<pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/nids/suricata/download
<?php echo Configure::read('CyDefSIG.baseurl');?>/events/nids/snort/download</pre>
<p></p>
<p>Administration is able to maintain a white-list containing host, domain name and IP numbers to exclude from the NIDS export.</p>
@ -29,9 +31,9 @@ You can <?php echo $this->Html->link('reset', array('controller' => 'users', 'ac
<p>Automatic export of MD5/SHA1 checksums contained in file-related attributes. This list can be used to feed forensic software when searching for suspicious files. Only <em>published</em> events and attributes marked as <em>IDS Signature</em> are exported.</p>
<p>You can configure your tools to automatically download the following files:</p>
<h4>md5</h4>
<pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/hids/md5/<?php echo $me['authkey']; ?></pre>
<pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/hids/md5/download</pre>
<h4>sha1</h4>
<pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/hids/sha1/<?php echo $me['authkey']; ?></pre>
<pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/hids/sha1/download</pre>
<p></p>
<h3>Text export</h3>
@ -40,7 +42,7 @@ You can <?php echo $this->Html->link('reset', array('controller' => 'users', 'ac
<pre>
<?php
foreach ($sigTypes as $sigType) {
echo Configure::read('CyDefSIG.baseurl').'/attributes/text/'.$me['authkey'].'/'.$sigType . "\n";
echo Configure::read('CyDefSIG.baseurl').'/attributes/text/download/'.$sigType . "\n";
}
?>
</pre>
@ -51,26 +53,26 @@ foreach ($sigTypes as $sigType) {
<p>To return an event with all of its attributes, relations, shadowAttributes, use the following syntax:</p>
<pre>
<?php
echo Configure::read('CyDefSIG.baseurl').'/events/restSearch/'.$me['authkey'].'/[value]/[type]/[category]/[org]';
echo Configure::read('CyDefSIG.baseurl').'/events/restSearch/download/[value]/[type]/[category]/[org]';
?>
</pre>
<p>To just return a list of attributes, use the following syntax:</p>
<pre>
<?php
echo Configure::read('CyDefSIG.baseurl').'/attributes/restSearch/'.$me['authkey'].'/[value]/[type]/[category]/[org]';
echo Configure::read('CyDefSIG.baseurl').'/attributes/restSearch/download/[value]/[type]/[category]/[org]';
?>
</pre>
<p>value, type, category and org are optional. It is possible to search for several terms in each category by joining them with the '&amp;&amp;' operator. It is also possible to negate a term with the '!' operator.
For example, in order to search for all attributes created by your organisation that contain 192.168 or 127.0 but not 0.1 and are of the type ip-src use the following syntax:</p>
<pre>
<?php
echo Configure::read('CyDefSIG.baseurl').'/attributes/restSearch/'.$me['authkey'].'/192.168&&127.0&&!0.1/ip-src/null/' . $me['org'];
echo Configure::read('CyDefSIG.baseurl').'/attributes/restSearch/download/192.168&&127.0&&!0.1/ip-src/null/' . $me['org'];
?>
</pre>
<p>You can also use search for IP addresses using CIDR. Make sure that you use '|' (pipe) instead of '/' (slashes). See below for an example: </p>
<pre>
<?php
echo Configure::read('CyDefSIG.baseurl').'/attributes/restSearch/'.$me['authkey'].'/192.168.1.1|16/ip-src/null/' . $me['org'];
echo Configure::read('CyDefSIG.baseurl').'/attributes/restSearch/download/192.168.1.1|16/ip-src/null/' . $me['org'];
?>
</pre>
@ -78,7 +80,7 @@ For example, in order to search for all attributes created by your organisation
<p>If you want to export all attributes of a pre-defined type that belong to an event, use the following syntax:</p>
<pre>
<?php
echo Configure::read('CyDefSIG.baseurl').'/attributes/returnAttributes/'.$me['authkey'].'/[id]/[type]/[sigOnly]';
echo Configure::read('CyDefSIG.baseurl').'/attributes/returnAttributes/download/[id]/[type]/[sigOnly]';
?>
</pre>
<p>sigOnly is an optional flag that will block all attributes from being exported that don't have the IDS flag turned on.
@ -86,7 +88,7 @@ It is possible to search for several types with the '&amp;&amp;' operator and to
For example, to get all IDS signature attributes of type md5 and sha256, but not filename|md5 and filename|sha256 from event 25, use the following: </p>
<pre>
<?php
echo Configure::read('CyDefSIG.baseurl').'/attributes/returnAttributes/'.$me['authkey'].'/25/md5&&sha256&&!filename/true';
echo Configure::read('CyDefSIG.baseurl').'/attributes/returnAttributes/download/25/md5&&sha256&&!filename/true';
?>
</pre>
@ -94,7 +96,7 @@ For example, to get all IDS signature attributes of type md5 and sha256, but not
<p>If you know the attribute ID of a malware-sample or an attachment, you can download it with the following syntax:</p>
<pre>
<?php
echo Configure::read('CyDefSIG.baseurl').'/attributes/downloadAttachment/'.$me['authkey'].'/[Attribute_id]';
echo Configure::read('CyDefSIG.baseurl').'/attributes/downloadAttachment/download/[Attribute_id]';
?>
</pre>
</div>
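Review bot: The added paragraph reads `Please use the use the following header:`; the doubled words should be `Please use the following header:`. The page now also documents `/attributes/returnAttributes/download/...`, but no hunk shown in this commit changes the key handling of `returnAttributes`, so confirm that action accepts the `download` placeholder together with the Authorization header before the page promises it.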


@ -1,4 +1,10 @@
<?php
$size = sizeof($headers);
foreach ($headers as $k => $header) {
echo $header;
if ($k != ($size-1)) echo ',';
}
echo PHP_EOL;
foreach ($final as $line) {
echo $line;
echo PHP_EOL;
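Review bot: The header row is joined by hand with `if ($k != ($size-1)) echo ',';`, which only works when `$headers` has keys 0..n-1; `echo implode(',', $headers) . PHP_EOL;` does the same in one line without that assumption. Neither the header names nor the `$line` values are quoted, so a value containing a comma or a line break will shift columns under the new header row; quoting would have to happen where each line is built (the controller's `$final[] = ...` concatenation). The `foreach ($final as $line)` loop closes outside the hunk.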