Some UI changes and partial update to the manual

pull/217/head
iglocska 2013-06-13 16:10:28 +02:00
parent d2fcda7cc6
commit 708156ee49
20 changed files with 181 additions and 126 deletions


@ -163,7 +163,7 @@ class ShadowAttributesController extends AppController {
$this->Event->read();
// Send those away that shouldn't be able to see this
if (!$this->_IsSiteAdmin()) {
if (($this->Event->data['Event']['orgc'] != $this->Auth->user('org')) && ($this->Auth->user('org') != $this->ShadowAttribute->data['ShadowAttribute']['org']) || (!$this->checkAction('perm_modify') || !$this->checkAction('perm_publish'))) {
if (($this->Event->data['Event']['orgc'] != $this->Auth->user('org')) && ($this->Auth->user('org') != $this->ShadowAttribute->data['ShadowAttribute']['org']) && (!$this->checkAction('perm_modify') || !$this->checkAction('perm_publish'))) {
$this->Session->setFlash(__('Invalid attribute.'));
$this->redirect(array('controller' => 'events', 'action' => 'index'));
}
@ -479,7 +479,6 @@ class ShadowAttributesController extends AppController {
}
$uuid = $this->Attribute->data['Attribute']['uuid'];
if (!$this->_IsSiteAdmin()) {
// check for non-private and re-read CHANGE THIS TO NON-PRIVATE AND OTHER ORG
if (($this->Attribute->data['Attribute']['distribution'] == 0) || ($this->Attribute->data['Event']['org'] == $this->Auth->user('org'))) {
$this->Session->setFlash(__('Invalid Attribute.'));
$this->redirect(array('controller' => 'events', 'action' => 'index'));
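Review bot: In the first hunk the non-admin check now joins the organisation test and the permission test with `&&` (taking the second of the two printed variants as the new side), so the "Invalid attribute" redirect fires only when the user is outside both organisations and also lacks `perm_modify` or `perm_publish`. A non-admin from an unrelated organisation who holds both permissions therefore passes, as does a member of either organisation who holds neither permission. If an organisation match is meant to be mandatory, that clause has to be able to deny on its own: compute `$orgMatch = ($this->Event->data['Event']['orgc'] == $this->Auth->user('org')) || ($this->Auth->user('org') == $this->ShadowAttribute->data['ShadowAttribute']['org']);` and test `if (!$orgMatch || ...)`, with a one-line comment stating who may reach this action. The enclosing method starts and ends outside the hunk, so which action this check guards is not visible here.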


@ -69,7 +69,7 @@ foreach ($attributes as $attribute):
<?php echo $attribute['Attribute']['category']; ?>&nbsp;</td>
<td title="<?php echo $typeDefinitions[$attribute['Attribute']['type']]['desc'];?>" class="short" onclick="document.location='/events/view/<?php echo $attribute['Event']['id'];?>';">
<?php echo $attribute['Attribute']['type']; ?>&nbsp;</td>
<td class="short" onclick="document.location='/events/view/<?php echo $attribute['Event']['id'];?>';">
<td onclick="document.location='/events/view/<?php echo $attribute['Event']['id'];?>';">
<?php
$sigDisplay = nl2br(h($attribute['Attribute']['value']));
if ($isSearch == 1 && !empty($replacePairs)) {


@ -3,7 +3,7 @@
<div class="navbar-inner">
<?php if ($me != false ):?>
<div class="nav-collapse collapse">
<ul class="nav">
<ul class="nav" style="position:fixed; width:100%; background:black;">
<li class="active"><a href="/">home</a></li>


@ -221,7 +221,7 @@ if (!empty($event['Attribute'])):?>
echo $this->Html->link('', array('controller' => 'attributes', 'action' => 'edit', $attribute['id']), array('class' => 'icon-edit', 'title' => 'Edit'));
echo $this->Form->postLink('', array('controller' => 'attributes', 'action' => 'delete', $attribute['id']), array('class' => 'icon-trash', 'title' => 'Delete'), __('Are you sure you want to delete this attribute? Keep in mind that this will also delete this attribute on remote MISP instances.'));
} else {
echo $this->Html->link('', array('controller' => 'shadow_attributes', 'action' => 'add', $attribute['id']), array('class' => 'icon-edit', 'title' => 'Propose Edit'));
echo $this->Html->link('', array('controller' => 'shadow_attributes', 'action' => 'edit', $attribute['id']), array('class' => 'icon-edit', 'title' => 'Propose Edit'));
}
?>
</td>


@ -1,6 +1,7 @@
<div class="actions" style="width:15%">
<ol class="nav nav-list">
<li><?php echo $this->Html->link('General Layout', array('controller' => 'pages', 'action' => 'display', 'documentation')); ?></li>
<li><?php echo $this->Html->link('General Concepts', array('controller' => 'pages', 'action' => 'display', 'concepts')); ?></li>
<li><?php echo $this->Html->link('User Management and Global actions', array('controller' => 'pages', 'action' => 'display', 'user_management')); ?></li>
<li><?php echo $this->Html->link('Using the system', array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?></li>
<li class="active"><?php echo $this->Html->link('Administration', array('controller' => 'pages', 'action' => 'display', 'administration')); ?>


@ -1,6 +1,7 @@
<div class="actions" style="width:15%">
<ol class="nav nav-list">
<li><?php echo $this->Html->link('General Layout', array('controller' => 'pages', 'action' => 'display', 'documentation')); ?></li>
<li><?php echo $this->Html->link('General Concepts', array('controller' => 'pages', 'action' => 'display', 'concepts')); ?></li>
<li><?php echo $this->Html->link('User Management and Global actions', array('controller' => 'pages', 'action' => 'display', 'user_management')); ?></li>
<li><?php echo $this->Html->link('Using the system', array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?></li>
<li><?php echo $this->Html->link('Administration', array('controller' => 'pages', 'action' => 'display', 'administration')); ?></li>


@ -1,6 +1,7 @@
<div class="actions" style="width:15%">
<ol class="nav nav-list">
<li class="active"><?php echo $this->Html->link('General Layout', array('controller' => 'pages', 'action' => 'display', 'documentation')); ?></li>
<li><?php echo $this->Html->link('General Concepts', array('controller' => 'pages', 'action' => 'display', 'concepts')); ?></li>
<li><?php echo $this->Html->link('User Management and Global actions', array('controller' => 'pages', 'action' => 'display', 'user_management')); ?></li>
<li><?php echo $this->Html->link('Using the system', array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?></li>
<li><?php echo $this->Html->link('Administration', array('controller' => 'pages', 'action' => 'display', 'administration')); ?></li>
@ -11,46 +12,59 @@
<div class="index" style="width:80%">
<h2>General Layout</h2>
<h3>The top bar</h3>
<p>This menu contains all of the main functions of the site as a series of buttons.</p>
<p>This menu contains all of the main functions of the site as a series of dropdown menues. These contains all (from the current user's perspective) accessible functions sorted into several groups.</p>
<p><img src="/img/doc/menu_image.png" alt = "" style="float:right;" title = "This is the main menu that will be accessible from all of the views. In some instances, some additional buttons that will appear on top of these when a view provides it."/></p>
<ul>
<li><em>List Events:</em> You can browse all the currently stored events here.</li>
<li><em>Add Event:</em> Allows you to create a new event.</li>
<li><em>List Attributes:</em> You can browse all the currently stored attributes of events here.</li>
<li><em>Search Attributes:</em> Search for and filter a list of attributes.</li>
<li><em>Export:</em> Export various types of data from the system for NIDSs or other uses.</li>
<li><em>Automation:</em> Automation functionality is designed to let tools access the data. </li>
<li><b>Home button:</b> This button will return you to the start screen of the application, which is the event index page (more about this later).</li>
<li><b>Event Actions:</b> All the malware data entered into MISP is made up of an event object that is described by its connected attributes. The Event actions menu gives access to all the functionality that has to do with the creation, modification, deletion, publishing, searching and listing of events and attributes.</li>
<li><b>Input Filters:</b> Input filters alter what and how data can be entered into this instance. Apart from the basic validation of attribute entry by type, it is possible for the site administrators to define regular expression replacements and blacklists for certain values in addition to blocking certain values from being exportable. Users can view these replacement and blacklist rules here whilst administrator can alter them.</li>
<li><b>Global Actions:</b> This menu gives you access to information about MISP and this instance. You can view and edit your own profile, view the manual, read the news or the terms of use again, see a list of the active organisations on this instance and a histogram of their contributions by attribute type.</li>
<li><b>Sync Actions:</b> With administrator access rights, shows a list of the connected instances and allows the initiation of a push and a pull (more about the synchronisation mechanisms later).</li>
<li><b>Administrations:</b> Administrators can add, edit or remove user accounts and user roles. Roles define the access rights to certain features such as publishing of events, usage of the REST interface or synchronisation of any user belonging to the given role. Site administrators can also access a contact form, through which it is possible to reset the passwords of users, or to just get in touch with them via encrypted e-mails.</li>
<li><b>Audit:</b> If you have audit permissions, you can view the logs for your organisation (or for site admins for the entire system) here or even search the logs if you are interested in something specific.</li>
<li><b>Log out:</b> Logs you out of the system.</li>
</ul>
<h5>Input Filters</h5>
<h3>A list of the contents of each of the above drop-down menues</h3>
<h5>Event actions</h5>
<ul>
<li><em>Import Blacklist:</em> Create, modify or delete blacklisted strings. These will stop any matching events/attributes from being entered into the system.</li>
<li><em>Import Regexp:</em> Create, modify or delete regular expressions and their replacements. Each time an event / attribute is created or modified, they will be parsed and found expressions will be replaced.</li>
<li><em>Signature Whitelist:</em> View and manage the list of whitelisted addresses. These, if contained in attributes, will be blocked from the NIDS signature exports.</li>
<li><b>List Events:</b> Lists all the events in the system that are not private or belong to your organisation. You can add, modify, delete, publish or view individual events from this view.</li>
<li><b>Add Event:</b> Allows you to fill out an event creation form and create the event object, which you can start populating with attributes.</li>
<li><b>List Attributes:</b> Lists all the attributes in the system that are not private or belong to your organisation. You can modify, delete or view each individual attribute from this view.</li>
<li><b>Search Attributes:</b> You can set search terms for a filtered attribute index view here.</li>
<li><b>Export:</b> Export the data accessible to you in various formats.</li>
<li><b>Automation:</b> If you have authentication key access, you can view how to use your key to use the REST interface for automation here.</li>
</ul>
<h5>Input filters</h5>
<ul>
<li><b>Import Blacklist:</b> You can view the blacklist rules, which contain the values that are blocked from being entered as attribute values on this instance. As a site administrator you can also alter these rules.</li>
<li><b>Import Whitelist:</b> You can view the whitelist rules, which contain the values that are blocked from being used for exports and automation on this instance. As a site administrator you can also alter these rules.</li>
<li><b>Import Regexp:</b> You can view the Regular Expression rules, which modify the data that can be entered into the system. This can and should be used to help filter out personal information from automatic imports (such as removing the username from windows file paths), having unified representation for certain common values for easier correlation or simply standardising certain input. As a site administrator you can also edit these rules.</li>
</ul>
<h5>Global Actions</h5>
<ul>
<li><em>News:</em> Read about the latest news regarding the MISP system</li>
<li><em>My Profile:</em> Manage your user account.</li>
<li><em>Members List:</em> View the number of users per organisation and get some statistics about the currently stored attributes.</li>
<li><em>User Guide:</em> A link to this user guide.</li>
<li><em>Terms &amp; Conditions:</em> View the terms &amp; conditions again.</li>
<li><em>Log out:</em> Logs the current user out.</li>
<li><b>News:</b> Read about the latest news regarding the MISP system</li>
<li><b>My Profile:</b> Manage your user account.</li>
<li><b>Members List:</b> View the number of users per organisation and get some statistics about the currently stored attributes.</li>
<li><b>User Guide:</b> A link to this user guide.</li>
<li><b>Terms &amp; Conditions:</b> View the terms &amp; conditions again.</li>
<li><b>Log out:</b> Logs the current user out.</li>
</ul>
<h5>Sync Actions</h5>
<ul>
<li><em>List Servers:</em> Connect your MISP instance to other instances, or view and modify the currently established connections.</li></ul>
<li><em>List Servers:</em> Connect your MISP instance to other instances, or view and modify the currently established connections.</li>
</ul>
<h5>Administration</h5>
<ul>
<li><em>New User:</em> Create an account for a new user.</li>
<li><em>New User:</em> Create an account for a new user for your organisation. Site administrators can create users for any organisation.</li>
<li><em>List Users:</em> View, modify or delete the currently registered users.</li>
<li><em>New Role:</em> Create a new role group for the users of this instance, controlling their privileges to create, modify, delete and to publish events.</li>
<li><em>New Role:</em> Create a new role group for the users of this instance, controlling their privileges to create, modify, delete and to publish events and to access certain features such as the logs or automation.</li>
<li><em>List Roles:</em> List, modify or delete currently existing roles.</li>
<li><em>Contact Users:</em> You can use this view to send messages to your current or future users or send them a temporary password.</li>
<li><em>Contact Users:</em> You can use this view to send messages to your current or future users or send them a new temporary password.</li>
</ul>
<h5>Audit</h5>
@ -60,17 +74,4 @@
</ul>
<h3>The left bar</h3>
<p>This bar changes based on each page-group. The blue selection shows you what page you are on.</p>
<h3>The main area</h3>
<p>This is where all the views (navigated to via the menu buttons) will be displayed.
In general, there are two main view types, information views (which list the currently
stored data and allow you to modify it) and form views (allowing you to enter or alter data).
All lists are organised in such a way that all the information columns are on the left and every
line of data can be modified or viewed in more detail on the right-most column, titled "Actions".
All lists display a certain set number of the most recent items, but page control buttons at the
bottom allow you to browse older entries.</p>
<h3>The bottom bar</h3>
<p>Contains a link to download the gpg key used for encrypting the e-mails sent through the system and the current version number - if you are logged in.</p>
<p><img src="/img/doc/bottom_bar.png" alt = "" style="float:left;" title = "Download your PGP/GPG key using the link on the bottom bar or log out."/></p>
</div>


@ -1,6 +1,7 @@
<div class="actions" style="width:15%">
<ol class="nav nav-list">
<li><?php echo $this->Html->link('General Layout', array('controller' => 'pages', 'action' => 'display', 'documentation')); ?></li>
<li><?php echo $this->Html->link('General Concepts', array('controller' => 'pages', 'action' => 'display', 'concepts')); ?></li>
<li class="active"><?php echo $this->Html->link('User Management and Global actions', array('controller' => 'pages', 'action' => 'display', 'user_management')); ?>
<ul class="nav nav-list">
<li><a href="#first_run">First run of the system</a></li>
@ -19,44 +20,44 @@
<h3>First run of the system:</h3>
When first logging into MISP with the username and password provided by your administrator, there are a number of things that need to be done, before you can start using the system.<br><br>
<ul>
<li><em>Acceping the Terms of use:</em> The terms of use are shown immediately after logging in for the first time, make sure to read through this page before clicking "Accept Terms" at the bottom of the page.<br /><br /></li>
<li><em>Changing the password:</em> After accepting the ToU, you'll be prompted to change your password, but keep in mind that it has to be at least 6 characters long, it has to include at least one upper-case and one lower-case character in addition to a digit or a special character. Enter the same password into the confirm password field, before clicking submit to finalise the change.<br /><br />
<li><b>Acceping the Terms of use:</b> The terms of use are shown immediately after logging in for the first time, make sure to read through this page before clicking "Accept Terms" at the bottom of the page.<br /><br /></li>
<li><b>Changing the password:</b> After accepting the ToU, you'll be prompted to change your password, but keep in mind that it has to be at least 6 characters long, it has to include at least one upper-case and one lower-case character in addition to a digit or a special character. Enter the same password into the confirm password field, before clicking submit to finalise the change.<br /><br />
<p><img src="/img/doc/password.png" alt = "" title="Changing the password"></p><br /></li>
<li><em>Setting up the GPG Key:</em> In order for the system to be able to encrypt the messages that you send through it, it needs to know your GPG key. Navigate to the Edit profile view (My Profile on the left -&gt; Edit profile in the top right corner). Paste the key into the Gpgkey field and click submit.<br /><br />
<li><b>Setting up the GPG Key:</b> In order for the system to be able to encrypt the messages that you send through it, it needs to know your GPG key. Navigate to the Edit profile view (My Profile on the left -&gt; Edit profile in the top right corner). Paste the key into the Gpgkey field and click submit.<br /><br /></li>
<li><b>Subscribing to Auto-alerts:</b> Turning auto-alerts on will allow the system to send you e-mail notifications about any new public events entered into the system by other users and private events added by members of your organisation. To turn this on, navigate to the Edit profile view (My profile on the left navigation menu -&gt; Edit profile in the top right corner). Tick the auto-alert checkbox and click submit to enable this feature.<br /><br />
<p><img src="/img/doc/alerts.png" alt = "" title="Use these checkboxes to subscribe to auto-alerts and contact reporter e-mails."></p><br /></li>
<li><em>Subscribing to Auto-alerts:</em> Turning auto-alerts on will allow the system to send you e-mail notifications about any new public events entered into the system by other users and private events added by members of your organisation. To turn this on, navigate to the Edit profile view (My profile on the left navigation menu -&gt; Edit profile in the top right corner). Tick the auto-alert checkbox and click submit to enable this feature.<br /><br />
<li><em>Subscribing to e-mails sent via the "Contact Reporter" functionality:</em> This feature is turned on right below the autoalerts and will allow you to receive e-mails addressed to your organisation whenever a user tries to ask about an event that was posted by a user of your organisation. Keep in mind that you can still be addressed by such a request even when this setting is turned off, if someone tries to contact you as the event creator directly or your organisation for an event that you personally have created then you will be notified.<br /><br />
<li><em>Reviewing the Terms &amp; Conditions:</em> To review the Terms &amp; Conditions or to read the User Guide, use the appropriate button on the left navigation menu.<br /><br /></li>
<li><em>Making sure that compatibility mode is turned off (IE9&amp;IE10):</em>Compatibility mode can cause some elements to appear differently than intended or not appear at all. Make sure you have this option turned off.</li></ul>
<li><b>Subscribing to e-mails sent via the "Contact Reporter" functionality:</b> This feature is turned on right below the autoalerts and will allow you to receive e-mails addressed to your organisation whenever a user tries to ask about an event that was posted by a user of your organisation. Keep in mind that you can still be addressed by such a request even when this setting is turned off, if someone tries to contact you as the event creator directly or your organisation for an event that you personally have created then you will be notified.<br /><br />
<li><b>Reviewing the Terms &amp; Conditions:</b> To review the Terms &amp; Conditions or to read the User Guide, use the appropriate button on the left navigation menu.<br /><br /></li>
<li><b>Making sure that compatibility mode is turned off (IE9&amp;IE10):</b>Compatibility mode can cause some elements to appear differently than intended or not appear at all. Make sure you have this option turned off.</li></ul>
<hr />
<a id="manage"></a><h3>Managing your account:</h3>
To alter any details regarding your profile, use the "My Profile" menu button to bring up the profile overview and then click on "Edit Profile" in the right upper corner.<br>
<ul>
<li style="list-style: none">
<p><img src="/img/doc/edit_user.png" alt = "" style="float:right;" title="Change any of your profile settings here."></p><br>
<p><img src="/img/doc/edit_user.png" title="Change any of your profile settings here."></p><br>
</li>
<li><em>Changing your e-mail address:</em> Your e-mail address serves as both a login name and as a means of communication with other users of the MISP system via the contact reporter feature. To change your e-mail address, just enter the edit profile menu (My profile on the left navigation menu -&gt; Edit profile in the top right corner) and change the field titled Email.<br /><br /></li>
<li><em>Changing the password:</em> As a next step, change the password provided by your administrator to something of your own choosing. Click on My profile on the left navigation menu, under Global Actions, which will bring up the User view. Click on Edit User on the left navigation menu or Edit Profile in the top right corner. This next screen, allows you to edit your details, including your password, by filling out the password field. Keep in mind that the password has to be at least 6 characters long, has to include at least one upper-case and one lower-case character in addition to a digit or a special character. Enter the same password into the confirm password field, before clicking submit to finalise the change.<br /><br /></li>
<li><em>Subscribing to Auto-alerts:</em> Turning auto-alerts on will allow the system to send you e-mail notifications about any new public events entered into the system by other users and private events added by members of your organisation. To turn this on, navigate to the Edit profile view (My profile on the left navigation menu -&gt; Edit profile in the top right corner). Tick the auto-alert checkbox and click submit to enable this feature.<br /><br /></li>
<li><em>Subscribing to e-mails sent via the "Contact Reporter" functionality:</em> Turning this feature on will allow you to receive e-mails addressed to your organisation whenever a user tries to ask about an event that was posted by a user of your organisation. Keep in mind that you can still be addressed by such a request even when this setting is turned off, if someone tries to contact the person that reported an event that you yourself have created.<br /><br /></li>
<li><em>Setting up the GPG Key:</em> In order for the system to be able to encrypt the messages that you send through it, it needs to know your GPG key. You can acquire this by clicking on the PGP/GPG key link at the bottom left of the screen. Copy the entirety of the key and navigate to the Edit profile view (My Profile on the left -&gt; Edit profile in the top right corner). Paste the key into the Gpgkey field and click submit.<br /><br /></li>
<li><em>Requesting a new authentication key:</em> It is possible to make the system generate a new authentication key for you (for example if your previous one gets compromised. This can be accessed by clicking on the My Profile button and then clicking the reset key next to the currently active authentication code. The old key will become invalid when the new one is generated.<br /><br />
<li><b>Changing your e-mail address:</b> Your e-mail address serves as both a login name and as a means of communication with other users of the MISP system via the contact reporter feature. To change your e-mail address, just enter the edit profile menu (My profile on the left navigation menu -&gt; Edit profile in the top right corner) and change the field titled Email.<br /><br /></li>
<li><b>Changing the password:</b> As a next step, change the password provided by your administrator to something of your own choosing. Click on My profile on the left navigation menu, under Global Actions, which will bring up the User view. Click on Edit User on the left navigation menu or Edit Profile in the top right corner. This next screen, allows you to edit your details, including your password, by filling out the password field. Keep in mind that the password has to be at least 6 characters long, has to include at least one upper-case and one lower-case character in addition to a digit or a special character. Enter the same password into the confirm password field, before clicking submit to finalise the change.<br /><br /></li>
<li><b>Subscribing to Auto-alerts:</b> Turning auto-alerts on will allow the system to send you e-mail notifications about any new public events entered into the system by other users and private events added by members of your organisation. To turn this on, navigate to the Edit profile view (My profile on the left navigation menu -&gt; Edit profile in the top right corner). Tick the auto-alert checkbox and click submit to enable this feature.<br /><br /></li>
<li><b>Subscribing to e-mails sent via the "Contact Reporter" functionality:</b> Turning this feature on will allow you to receive e-mails addressed to your organisation whenever a user tries to ask about an event that was posted by a user of your organisation. Keep in mind that you can still be addressed by such a request even when this setting is turned off, if someone tries to contact the person that reported an event that you yourself have created.<br /><br /></li>
<li><b>Setting up the GPG Key:</b> In order for the system to be able to encrypt the messages that you send through it, it needs to know your GPG key. You can acquire this by clicking on the PGP/GPG key link at the bottom left of the screen. Copy the entirety of the key and navigate to the Edit profile view (My Profile on the left -&gt; Edit profile in the top right corner). Paste the key into the Gpgkey field and click submit.<br /><br /></li>
<li><b>Requesting a new authentication key:</b> It is possible to make the system generate a new authentication key for you (for example if your previous one gets compromised. This can be accessed by clicking on the My Profile button and then clicking the reset key next to the currently active authentication code. The old key will become invalid when the new one is generated.<br /><br />
<p><img src="/img/doc/reset.png" alt = "" title="Clicking on reset will generate a new key for you and invalidate the old one, blocking it from being used."></p></li></ul>
<hr />
<a id="uptodate"></a><h3>Staying up to date:</h3>
MISP also provides its users with some information about itself and its users through the links provided in the Global Actions menu.<br><br>
<ul>
<li><em>News:</em> To read about the news regarding the system itself, click on News on the left menu. This will bring up a list of news items concerning updates and changes to MISP itself.<br /><br /></li>
<li><em>Member statistics:</em> By using the Members List menu button on the left, you can get a quick overview over how many users each organisation has registered on your server, and a histogram, depicting the distribution of attribute types created by each organisation.<br /><br /></li>
<li><em>User Guide:</em> The user guide is also accessible via the Global Actions menu. You can find out more about how to use the system by reading this.<br /><br /></li>
<li><em>Terms &amp; Conditions:</em> It is possible to review the terms &amp; conditions that were shown during the first run of the system by clicking on the terms &amp; conditions link in the Global Actions menu.<br /><br /></li>
<li><b>News:</b> To read about the news regarding the system itself, click on News on the left menu. This will bring up a list of news items concerning updates and changes to MISP itself.<br /><br /></li>
<li><b>Member statistics:</b> By using the Members List menu button on the left, you can get a quick overview over how many users each organisation has registered on your server, and a histogram, depicting the distribution of attribute types created by each organisation.<br /><br /></li>
<li><b>User Guide:</b> The user guide is also accessible via the Global Actions menu. You can find out more about how to use the system by reading this.<br /><br /></li>
<li><b>Terms &amp; Conditions:</b> It is possible to review the terms &amp; conditions that were shown during the first run of the system by clicking on the terms &amp; conditions link in the Global Actions menu.<br /><br /></li>
</ul>
<a id="filters"></a><h3>Inspecting the input filters:</h3>
All the events and attributes that get entered into MISP will be run through a series of input filters. These are defined by the site administrators, but every user can take a look at the currently active lists.<br><br>
<ul>
<li><em>Import Blacklist:</em> Events with the info field containing or Attributes with a value containing any of the items listed in the Import Blacklist will be blocked from being entered.<br /><br /></li>
<li><em>Import Regexp:</em> All Attribute value and Event info fields will be parsed for a set of regular expressions and replaced based on the replacement values contained in this section. This has many uses, such as unifying similar data for better correlation, removing personal data from file-paths or simply for clarity.<br /><br /></li>
<li><em>Signature Whitelist:</em> This list (can) contain a set of addresses that are allowed to be entered as attribute values but will be blocked from being exported to NIDS-es.<br /><br /> </li>
<li><b>Import Blacklist:</b> Events with the info field containing or Attributes with a value containing any of the items listed in the Import Blacklist will be blocked from being entered.<br /><br /></li>
<li><b>Import Regexp:</b> All Attribute value and Event info fields will be parsed for a set of regular expressions and replaced based on the replacement values contained in this section. This has many uses, such as unifying similar data for better correlation, removing personal data from file-paths or simply for clarity.<br /><br /></li>
<li><b>Signature Whitelist:</b> This list (can) contain a set of addresses that are allowed to be entered as attribute values but will be blocked from being exported to NIDS-es.<br /><br /> </li>
</ul>
</div>


@ -1,6 +1,7 @@
<div class="actions" style="width:15%">
<ol class="nav nav-list">
<li><?php echo $this->Html->link('General Layout', array('controller' => 'pages', 'action' => 'display', 'documentation')); ?></li>
<li><?php echo $this->Html->link('General Concepts', array('controller' => 'pages', 'action' => 'display', 'concepts')); ?></li>
<li><?php echo $this->Html->link('User Management and Global actions', array('controller' => 'pages', 'action' => 'display', 'user_management')); ?></li>
<li class="active"><?php echo $this->Html->link('Using the system', array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?>
<ul class="nav nav-list">
@ -26,15 +27,15 @@ and attachments and finally publishing it.<br /><br />
During this first step, you will be create a basic event without any actual attributes, but storing general information such as a description, time and risk level of the incident. To start creating the event, click on the New Event button on the left and fill out the form you are presented with. The following fields need to be filled out:<br /><br />
<p><img src="/img/doc/add_event.png" alt = "" style="float:right;" title = "Fill this form out to create a skeleton event, before proceeding to populate it with attributes and attachments."/></p>
<ul>
<li><em>Date:</em> The date when the incident has happened.<br /><br /></li>
<li><em>Distribution:</em>
<a id="distribution"></a>This setting controls, who will be able to see this event once it becomes published.
<li><b>Date:</b> The date when the incident has happened.<br /><br /></li>
<li><b>Distribution:</b>
<a id="distribution"></a>This setting controls, who will be able to see this event once it becomes published and eventually when it becomes pulled.
Apart from being able to set which users on this server are allowed to see the event, this also controls whether
the event will be synchronised to other servers or not. The distribution is inherited by attributes: the most restrictive setting wins.
The following options are available:<br /><br /></li>
<li style="list-style: none;">
<ul>
<li><i>Your organization only:</i> This setting will only allow members of your organisation on this server to see it.
<li><i>Your organization only:</i> This setting will only allow members of your organisation to see this. It can be pulled to another instance by one of your organisation members where only your organisation will be able to see it.
Events with this setting will not be synchronised.<br />
Upon push: do not push. Upon pull : pull.
<br /><br /></li>
@ -58,20 +59,20 @@ and attachments and finally publishing it.<br /><br />
<br /><br /></li>
</ul>
</li>
<li><em>Risk:</em> This field indicates the risk level of the event. Incidents can be categorised into three different threat categories (low, medium, high). This field can alternatively be left as undefined. The 3 options are:</li>
<li><b>Risk:</b> This field indicates the risk level of the event. Incidents can be categorised into three different threat categories (low, medium, high). This field can alternatively be left as undefined. The 3 options are:</li>
<li style="list-style: none;"><ul>
<li><i>Low:</i> General mass malware.</li>
<li><i>Medium:</i> Advanced Persistent Threats (APT)</li>
<li><i>High:</i> Sophisticated APTs and 0day attacks.<br /><br /></li>
</ul></li>
<li><em>Analysis:</em> Indicates the current stage of the analysis for the event, with the following possible options:</li>
<li><b>Analysis:</b> Indicates the current stage of the analysis for the event, with the following possible options:</li>
<li style="list-style: none;"><ul>
<li><i>Initial:</i> The analysis is just beginning</li>
<li><i>Ongoing:</i> The analysis is in progress</li>
<li><i>Completed:</i> The analysis is complete<br /><br /></li>
</ul></li>
<li><em>Info:</em> The info field, where the malware/incident can get a brief description starting with the internal reference. This field should be as brief and concise as possible, the more detailed description happens through attributes in the next stage of the event's creation. Keep in mind that the system will automatically replace detected text strings that match a regular expression entry set up by your server's administrator(s). <br /><br /></li>
<li><em>GFI Sandbox:</em> It is possible to upload the exported .zip file from GFI sandbox with the help of this tool. These will be dissected by the MISP and a list of attributes and attachments will automatically be generated from the .zip file. Whilst this does most of the work needed to be done in the second step of the event's creation, it is important to manually look over all the data that is being entered. <br /><br /></li>
<li><b>Info:</b> The info field, where the malware/incident can get a brief description starting with the internal reference. This field should be as brief and concise as possible, the more detailed description happens through attributes in the next stage of the event's creation. Keep in mind that the system will automatically replace detected text strings that match a regular expression entry set up by your server's administrator(s). <br /><br /></li>
<li><b>GFI Sandbox:</b> It is possible to upload the exported .zip file from GFI sandbox with the help of this tool. These will be dissected by the MISP and a list of attributes and attachments will automatically be generated from the .zip file. Whilst this does most of the work needed to be done in the second step of the event's creation, it is important to manually look over all the data that is being entered. <br /><br /></li>
</ul>
<hr />
<a id="create_attribute"></a><h3>Add attributes to the event:</h3>
@ -80,29 +81,37 @@ When clicking on the add attribute button, you will have to fill out a form with
Keep in mind that the system searches for regular expressions in the value field of all attributes when entered, replacing detected strings within it as set up by the server's administrator (for example to enforce standardised capitalisation in paths for event correlation or to bring exact paths to a standardised format). The following fields need to be filled out:<br />
<p><img src="/img/doc/add_attribute.png" alt = "Add attribute" style="float:right;" title = "This form allows you to add attributes."/></p><br />
<ul>
<li><em>Category:</em> This drop-down menu explains the category of the attribute, meaning what aspect of the malware this attribute is describing. This could mean the persistence mechanisms of the malware or network activity, etc. For a list of valid categories, <?php echo $this->Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?><br /><br /></li>
<li><em>Type:</em> Whilst categories determine what aspect of an event they are describing, the Type explains by what means that aspect is being described. As an example, the source IP address of an attack, a source e-mail address or a file sent through an attachment can all describe the payload delivery of a malware. These would be the types of attributes with the category of payload deliver. For an explanation of what each of the types looks like together with the valid combinations of categories and types, <?php echo $this->Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>.<br /><br /></li>
<li><em>Distribution:</em> This drop-down list allows you to control who will be able to see this attribute.
<li><b>Category:</b> This drop-down menu explains the category of the attribute, meaning what aspect of the malware this attribute is describing. This could mean the persistence mechanisms of the malware or network activity, etc. For a list of valid categories, <?php echo $this->Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?><br /><br /></li>
<li><b>Type:</b> Whilst categories determine what aspect of an event they are describing, the Type explains by what means that aspect is being described. As an example, the source IP address of an attack, a source e-mail address or a file sent through an attachment can all describe the payload delivery of a malware. These would be the types of attributes with the category of payload deliver. For an explanation of what each of the types looks like together with the valid combinations of categories and types, <?php echo $this->Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>.<br /><br /></li>
<li><b>Distribution:</b> This drop-down list allows you to control who will be able to see this attribute.
The distribution is inherited by attributes: the most restrictive setting wins.
For more info <a href="#distribution">click here</a>.<br /><br /></li>
<li><em>IDS Signature:</em> This option allows the attribute to be used as an IDS signature when exporting the NIDS data, unless it is being overruled by the white-list. For more information about the whitelist, head over to the <?php echo $this->Html->link(__('administration', true), array('controller' => 'pages', 'action' => 'display', 'administration', '#' => 'whitelist')); ?> section.<br /><br /></li>
<li><em>Value:</em> The actual value of the attribute, enter data about the value based on what is valid for the chosen attribute type. For example, for an attribute of type ip-src (source IP address), 11.11.11.11 would be a valid value. For more information on types and values, <?php echo $this->Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>.<br /><br /></li>
<li><em>Batch import:</em> If there are several attributes of the same type to enter (such as a list of IP addresses, it is possible to enter them all into the same value-field, separated by a line break between each line. This will allow the system to create separate lines for the each attribute. <br /><br /></li>
<li><b>IDS Signature:</b> This option allows the attribute to be used as an IDS signature when exporting the NIDS data, unless it is being overruled by the white-list. For more information about the whitelist, head over to the <?php echo $this->Html->link(__('administration', true), array('controller' => 'pages', 'action' => 'display', 'administration', '#' => 'whitelist')); ?> section.<br /><br /></li>
<li><b>Value:</b> The actual value of the attribute, enter data about the value based on what is valid for the chosen attribute type. For example, for an attribute of type ip-src (source IP address), 11.11.11.11 would be a valid value. For more information on types and values, <?php echo $this->Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>.<br /><br /></li>
<li><b>Batch import:</b> If there are several attributes of the same type to enter (such as a list of IP addresses, it is possible to enter them all into the same value-field, separated by a line break between each line. This will allow the system to create separate lines for the each attribute. <br /><br /></li>
</ul>
<hr />
<h3>Propose a change to an event that belongs to another organisation</h3>
If you would like to propose a modification to an attribute, or to propose some additional attributes to the creating organisation, you can do this with the buttons that replace the add attribute field on the left and the edit icon on the right end of each listed attribute in the event view. The creating organisation of the event will be able to see any proposals and discard or accept the changes.
<p><img src="/img/doc/proposal.png" alt = "Propose attribute" title = "An attribute with a proposal attached will turn blue and the proposal itself will be grey. If there is a grey proposal without a blue attribute infront of it, it means that someone has proposed a new attribute"/></p><br />
<hr />
<h3>Add attachments to the event:</h3>
You can also upload attachments, such as the malware itself, report files from external analysis or simply artifacts dropped by the malware. Clicking on the add attachment button brings up a form that allows you to quickly attach a file to the event. The following fields need to be filled out:<br /><br />
<p><img src="/img/doc/add_attachment.png" alt = "Add attachment" title = "Point the uploader to the file you want to upload. Make sure to mark it as malware if the uploaded file is harmful, that way it will be neutralised."/></p><br />
<ul>
<li><em>Category:</em> The category is the same as with the attributes, it answers the question of what the uploaded file is meant to describe.<br /><br /></li>
<li><em>Upload field:</em> By hitting browse, you can browse your file system and point the uploader to the file that you want to attach to the attribute. This will then be uploaded when the upload button is pushed.<br /><br /></li>
<li><em>Malware:</em> This check-box marks the file as malware and as such it will be zipped and passworded, to protect the users of the system from accidentally downloading and executing the file. Make sure to tick this if you suspect that the filed is infected, before uploading it.<br /><br /></li>
<li><em>Distribution:</em> This drop-down list allows you to control who will be able to see this attachment.
<li><b>Category:</b> The category is the same as with the attributes, it answers the question of what the uploaded file is meant to describe.<br /><br /></li>
<li><b>Upload field:</b> By hitting browse, you can browse your file system and point the uploader to the file that you want to attach to the attribute. This will then be uploaded when the upload button is pushed.<br /><br /></li>
<li><b>Malware:</b> This check-box marks the file as malware and as such it will be zipped and passworded, to protect the users of the system from accidentally downloading and executing the file. Make sure to tick this if you suspect that the filed is infected, before uploading it.<br /><br /></li>
<li><b>Distribution:</b> This drop-down list allows you to control who will be able to see this attachment.
The distribution is inherited by attributes: the most restrictive setting wins.
For more info <a href="#distribution">click here</a>.<br /><br /></li>
</ul>
<hr />
<h3>Populate from IOC</h3>
It is also possible to attempt to import the data contained in a .ioc file, The import tool will attempt to gather as many IndicatorItems within nested logical operators as possible without breaking their validity. After the procedure is done, you'll be presented with a list of successfully created attributes and a list of failed IndicatorItems as well as a graph of the .ioc file.
<p><img src="/img/doc/ioc1.png" alt = "OpenIOC1" title = "The import tool will list the successful and failed entries after the process is done."/></p><br />
<p><img src="/img/doc/ioc2.png" alt = "OpenIOC2" title = "You'll also be able to see a graph of the imported .ioc file and how successful the import was."/></p><br />
<hr />
<h3>Publish an event:</h3>
<p><img src="/img/doc/publish.png" alt = "Publish" style="float:right;" title = "Only use publish (no email) for minor changes such as the correction of typos."/></p><br />
Once all the attributes and attachments that you want to include with the event are uploaded / set, it is time to finalise its creation by publishing the event (click on publish event in the event view). This will alert the eligible users of it (based on the private-controls of the event and its attributes/attachments and whether they have auto-alert turned on), push the event to instances that your instance connects to and propagate it further based on the distribution rules. It also readies the network related attributes for NIDS signature creation (through the NIDS signature export feature, for more information, go to the export section.).<br /><br />
@ -114,38 +123,40 @@ The MISP interface allows the user to have an overview over or to search for eve
On the left menu bar, the option "List events" will generate a list of the last 60 events. While the attributes themselves aren't shown in this view, the following pieces of information can be seen:<br /><br />
<img src="/img/doc/list_events2.png" alt = "List events" title = "This is the list of events in the system. Use the buttons to the right to alter or view any of the events."/><br /><br />
<ul>
<li><em>Valid.:</em> Validation, an event that has been published counts as validated, marked by a checkmark. Unpublished events are marked by a cross.<br /><br /></li>
<li><em>Org:</em> The organisation that created the event.<br /><br /></li>
<li><em>Owner Org:</em> The organisation that owns the event on this instance. This field is only visible to administrators. <br /><br /></li>
<li><em>ID:</em> The event's ID number, assigned by the system when the event was first entered (or in the case of an event that was synchronized, when it was first copied over - more on synchronisation in chapter xy)<br /><br /></li>
<li><em>#:</em> The number of attributes that the event has.<br /><br /></li>
<li><em>Email:</em> The e-mail address of the event's reporter.<br /><br /></li>
<li><em>Date:</em> The date of the attack.<br /><br /></li>
<li><em>Risk:</em> The risk level of the attack, the following levels are possible:<br /><br /></li>
<li><b>Valid.:</b> Validation, an event that has been published counts as validated, marked by a checkmark. Unpublished events are marked by a cross.<br /><br /></li>
<li><b>Org:</b> The organisation that created the event.<br /><br /></li>
<li><b>Owner Org:</b> The organisation that owns the event on this instance. This field is only visible to administrators. <br /><br /></li>
<li><b>ID:</b> The event's ID number, assigned by the system when the event was first entered (or in the case of an event that was synchronized, when it was first copied over - more on synchronisation in chapter xy)<br /><br /></li>
<li><b>#:</b> The number of attributes that the event has.<br /><br /></li>
<li><b>Email:</b> The e-mail address of the event's reporter.<br /><br /></li>
<li><b>Date:</b> The date of the attack.<br /><br /></li>
<li><b>Risk:</b> The risk level of the attack, the following levels are possible:<br /><br /></li>
<li style="list-style: none;"><ul>
<li><em>Low:</em> General Malware</li>
<li><em>Medium:</em> Advanced Persistent Threats (APTs)</li>
<li><em>High:</em> Sophisticated APTs and 0day exploits</li>
<li><em>Undefined:</em> This field can be left undefined and edited at a later date.<br /><br /></li>
<li><b>Low:</b> General Malware</li>
<li><b>Medium:</b> Advanced Persistent Threats (APTs)</li>
<li><b>High:</b> Sophisticated APTs and 0day exploits</li>
<li><b>Undefined:</b> This field can be left undefined and edited at a later date.<br /><br /></li>
</ul>
<li><em>Analysis:</em> Indicates the current stage of the analysis for the event, with the following possible options:<br /><br /></li>
<li><b>Analysis:</b> Indicates the current stage of the analysis for the event, with the following possible options:<br /><br /></li>
<li style="list-style: none;"><ul>
<li><em>Initial:</em> The analysis is just beginning</li>
<li><em>Ongoing:</em> The analysis is in progress</li>
<li><em>Completed:</em> The analysis is complete<br /><br /></li>
<li><b>Initial:</b> The analysis is just beginning</li>
<li><b>Ongoing:</b> The analysis is in progress</li>
<li><b>Completed:</b> The analysis is complete<br /><br /></li>
</ul></li>
<li><em>Info:</em> A short description of the event, starting with an internal reference number.<br /><br /></li>
<li><em>Distribution:</em> This field indicates what the sharing privileges of the event. The options are described <a href="#distribution">here</a>.<br /><br /></li>
<li><em>Actions:</em> The controls that the user has to view or modify the event. The possible actions that are available (depending on user privileges - <?php echo $this->Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'administration', '#' => 'roles')); ?> to find out more about privileges):<br /><br /></li>
<li><b>Info:</b> A short description of the event, starting with an internal reference number.<br /><br /></li>
<li><b>Distribution:</b> This field indicates what the sharing privileges of the event. The options are described <a href="#distribution">here</a>.<br /><br /></li>
<li><b>Actions:</b> The controls that the user has to view or modify the event. The possible actions that are available (depending on user privileges - <?php echo $this->Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'administration', '#' => 'roles')); ?> to find out more about privileges):<br /><br /></li>
<li style="list-style: none;"><ul>
<li><em>Publish:</em> Publishing an event will have several effects: The system will e-mail all eligible users that have auto-alert turned on (and having the needed privileges for the event, depending on its private classification) with a description of your newly published event, it will be flagged as published and it will be pushed to all eligible servers (to read more about synchronisation between servers, have a look at the <?php echo $this->Html->link(__('section on connecting servers', true), array('controller' => 'pages', 'action' => 'display', 'using_the_system', '#' => 'connect')); ?>).</li>
<li><em>Edit:</em> Clicking on the edit button will bring up the same same screen as the one used for creating new events, with the exception that all fields come filled out with the data of the event that is being edited. The distribution of an event can only be edited if you are a user of the creating organisation of the event. For more information on this view, refer to the section on <a href="#create">creating an event</a>.</li>
<li><em>Delete:</em> The system will prompt you before erasing the unwanted event.</li>
<li><em>View:</em> Will bring up the event view, which besides the basic information contained in the event list, will also include the following:<br /><br />
<img src="/img/doc/event_detail.png" alt = "Event" title = "This view includes the basic information about an event, a link to related events, all attributes and attachments with tools to modify or delete them and extra functions for publishing the event or getting in touch with the event's reporter."/><br /><br /></li>
<li><b>Publish:</b> Publishing an event will have several effects: The system will e-mail all eligible users that have auto-alert turned on (and having the needed privileges for the event, depending on its private classification) with a description of your newly published event, it will be flagged as published and it will be pushed to all eligible servers (to read more about synchronisation between servers, have a look at the <?php echo $this->Html->link(__('section on connecting servers', true), array('controller' => 'pages', 'action' => 'display', 'using_the_system', '#' => 'connect')); ?>).</li>
<li><b>Edit:</b> Clicking on the edit button will bring up the same same screen as the one used for creating new events, with the exception that all fields come filled out with the data of the event that is being edited. The distribution of an event can only be edited if you are a user of the creating organisation of the event. For more information on this view, refer to the section on <a href="#create">creating an event</a>.</li>
<li><b>Delete:</b> The system will prompt you before erasing the unwanted event.</li>
<li><b>View:</b> Will bring up the event view, which besides the basic information contained in the event list, will also include the following:<br /><br />
</ul></li>
<li><em>List of related events:</em> Events can be related by having one or more attributes that are exact matches. For example, if two events both contain a source IP attribute of 11.11.11.11 then they are related. The list of events that are related the currently shown one, are listed under "Related Events", as links (titled the related event's date and ID number) to the events themselves.<br /><br /></li>
<li><em>Attributes:</em> A list of all attributes attached to the event, including its category, type, value, whether the attribute in itself is related to another event, whether the flag signalling that the attribute can be turned into an IDS signature is on, and a field showing the current privacy setting of the attribute.Attributes can also be modified or deleted via the 3 buttons at the end of each line.<br /><br />
<h3>Filters</h3>It is also possible to filter the events shown by clicking on the small magnifying glass icons next to the field names and entering a filter term.<br /><br />
<h3>Event view</h3>
<img src="/img/doc/event_detail.png" alt = "Event" title = "This view includes the basic information about an event, a link to related events, all attributes and attachments with tools to modify or delete them and extra functions for publishing the event or getting in touch with the event's reporter."/><br /><br /></li>
<li><b>List of related events:</b> Events can be related by having one or more attributes that are exact matches. For example, if two events both contain a source IP attribute of 11.11.11.11 then they are related. The list of events that are related the currently shown one, are listed under "Related Events", as links (titled the related event's date and ID number) to the events themselves.<br /><br /></li>
<li><b>Attributes:</b> A list of all attributes attached to the event, including its category, type, value, whether the attribute in itself is related to another event, whether the flag signalling that the attribute can be turned into an IDS signature is on, and a field showing the current privacy setting of the attribute.Attributes can also be modified or deleted via the 3 buttons at the end of each line.<br /><br />
Using the modify button will bring up the attribute creation view, with all data filled out with the attribute's currently stored data.<br /><br /></li>
</ul>
<hr />
@ -153,12 +164,12 @@ On the left menu bar, the option "List events" will generate a list of the last
Apart from having a list of all the events, it is also possible to get a list of all the stored attributes in the system by clicking on the list attributes button. The produced list of attributes will include the followings fields:<br /><br />
<img src="/img/doc/list_attributes2.png" alt = "" title = "Use the buttons to the right to view the event that this attribute belongs to or to modify/delete the attribute."/><br /><br />
<ul>
<li><em>Event:</em> This is the ID number of the event that the attribute is tied to.<br /><br /></li>
<li><em>Category:</em> The category of the attribute, showing what the attribute describes (for example the malware's payload). For more information on categories, go to section xy<br /><br /></li>
<li><em>Type:</em> The type of the value contained in the attribute (for example a source IP address). For more information on types, go to section xy<br /><br /></li>
<li><em>Value:</em> The actual value of the attribute, describing an aspect, defined by the category and type fields of the malware (for example 11.11.11.11).<br /><br /></li>
<li><em>Signature:</em> Shows whether the attribute has been flagged for NIDS signature generation or not.<br /><br /></li>
<li><em>Actions:</em> A set of buttons that allow you to view the event that the attribute is tied to, to edit the attribute (using the same view as what is used to set up attributes, but filled out with the attribute's current data) and a delete button. <br /><br /></li>
<li><b>Event:</b> This is the ID number of the event that the attribute is tied to.<br /><br /></li>
<li><b>Category:</b> The category of the attribute, showing what the attribute describes (for example the malware's payload). For more information on categories, go to section xy<br /><br /></li>
<li><b>Type:</b> The type of the value contained in the attribute (for example a source IP address). For more information on types, go to section xy<br /><br /></li>
<li><b>Value:</b> The actual value of the attribute, describing an aspect, defined by the category and type fields of the malware (for example 11.11.11.11).<br /><br /></li>
<li><b>Signature:</b> Shows whether the attribute has been flagged for NIDS signature generation or not.<br /><br /></li>
<li><b>Actions:</b> A set of buttons that allow you to view the event that the attribute is tied to, to edit the attribute (using the same view as what is used to set up attributes, but filled out with the attribute's current data) and a delete button. <br /><br /></li>
</ul>
<hr />
<h3>Searching for attributes:</h3>
@ -211,13 +222,13 @@ Apart from being a self contained repository of attacks/malware, one of the main
In order to share data with a remote server via pushes and pulls, you need to request a valid authentication key from the hosting organisation of the remote instance. When clicking on List Servers and then on New Server, a form comes up that needs to be filled out in order for your instance to connect to it. The following fields need to be filled out:<br /><br />
<p><img src="/img/doc/add_server.png" alt ="Add server" title = "Make sure that you enter the authentication key that you have been given by the hosting organisation of the remote instance, instead of the one you have gotten from this one."/></p><br />
<ul>
<li><em>Base URL:</em> The URL of the remote server.<br /><br /></li>
<li><em>Organization:</em> The organisation that runs the remote server. It is very impoportant that this setting is filled out exactly as the organisation name set up in the bootstrap file of the remote instance.<br /><br /></li>
<li><em>Authkey:</em> The authentication key that you have received from the hosting organisation of the remote instance.<br /><br /></li>
<li><em>Push:</em> This check-box controls whether your server is allowed to push to the remote instance.<br /><br /></li>
<li><em>Pull:</em> This check-box controls whether your server can request to pull all data from the remote instance.<br /><br /></li>
<li><b>Base URL:</b> The URL of the remote server.<br /><br /></li>
<li><b>Organization:</b> The organisation that runs the remote server. It is very impoportant that this setting is filled out exactly as the organisation name set up in the bootstrap file of the remote instance.<br /><br /></li>
<li><b>Authkey:</b> The authentication key that you have received from the hosting organisation of the remote instance.<br /><br /></li>
<li><b>Push:</b> This check-box controls whether your server is allowed to push to the remote instance.<br /><br /></li>
<li><b>Pull:</b> This check-box controls whether your server can request to pull all data from the remote instance.<br /><br /></li>
</ul>
<em>If you are an administrator</em>, trying to allow another instance to connect to your own, it is vital that two rules are followed when setting up a synchronisation account: <br /><br />
<b>If you are an administrator</b>, trying to allow another instance to connect to your own, it is vital that two rules are followed when setting up a synchronisation account: <br /><br />
<ul>
<li>The synchronisation user has to have the sync permission and full read/write/publish privileges turned on<br /><br /></li>
<li>Both the sync user and the organisation setting in your instance's Config/bootstrap.php file have to match the organisation identifier of the hosting organisation.<br /><br /></li>
@ -226,10 +237,10 @@ In order to share data with a remote server via pushes and pulls, you need to re
If you ever need to change the data about the linked servers or remove any connections, you have the following options to view and manipulate the server connections, when clicking on List Servers: (you will be able to see a list of all servers that your server connects to, including the base address, the organisation running the server the last pushed and pulled event IDs and the control buttons.).<br /><br />
<p><img src="/img/doc/list_servers.png" alt = "" title = "Apart from editing / deleting the link to the remote server, you can issue a push all or pull all command from here."/></p><br />
<ul>
<li><em>Editing the connection to the:</em> By clicking edit a view, <a href=#new_server>that is identical to the new instance view</a>, is loaded, with all the current information of the instance pre-entered.<br /><br /></li>
<li><em>Deleting the connection to the instance:</em> Clicking the delete button will delete the link to the instance.<br /><br /></li>
<li><em>Push all:</em> By clicking this button, all events that are eligible to be pushed on the instance you are on will start to be pushed to the remote instance. Events and attributes that exist on the far end will be updated.<br /><br /></li>
<li><em>Pull all:</em> By clicking this button, all events that are set to be pull-able or full access on the remote server will be copied to this instance. Existing events will not be updated.<br /><br /></li>
<li><b>Editing the connection to the:</b> By clicking edit a view, <a href=#new_server>that is identical to the new instance view</a>, is loaded, with all the current information of the instance pre-entered.<br /><br /></li>
<li><b>Deleting the connection to the instance:</b> Clicking the delete button will delete the link to the instance.<br /><br /></li>
<li><b>Push all:</b> By clicking this button, all events that are eligible to be pushed on the instance you are on will start to be pushed to the remote instance. Events and attributes that exist on the far end will be updated.<br /><br /></li>
<li><b>Pull all:</b> By clicking this button, all events that are set to be pull-able or full access on the remote server will be copied to this instance. Existing events will not be updated.<br /><br /></li>
</ul>
<hr />
<a id="rest"></a><h2>Rest API:</h2>


@ -6,12 +6,10 @@
<?php
echo $this->Form->hidden('event_id');
echo $this->Form->input('category', array(
'after' => $this->Html->div('forminfo', '', array('id' => 'ShadowAttributeCategoryDiv')),
'empty' => '(choose one)',
'div' => 'input'
));
echo $this->Form->input('type', array(
'after' => $this->Html->div('forminfo', '', array('id' => 'ShadowAttributeTypeDiv')),
'empty' => '(first choose category)'
));
?>
@ -27,11 +25,9 @@
<?php
echo $this->Form->input('batch_import', array(
'type' => 'checkbox',
'after' => $this->Html->div('forminfo', 'Create multiple attributes one per line'),
));
echo $this->Form->input('to_ids', array(
'checked' => true,
'after' => $this->Html->div('forminfo', isset($attrDescriptions['signature']['formdesc']) ? $attrDescriptions['signature']['formdesc'] : $attrDescriptions['signature']['desc']),
'label' => 'IDS Signature?',
));
// link an onchange event to the form elements
@ -90,6 +86,51 @@ function formCategoryChanged(id) {
$('#ShadowAttributeType').prop('disabled', false);
}
$(document).ready(function() {
$("#ShadowAttributeType, #ShadowAttributeCategory, #ShadowAttribute, #ShadowAttributeDistribution").on('mouseleave', function(e) {
$('#'+e.currentTarget.id).popover('destroy');
});
$("#ShadowAttributeType, #ShadowAttributeCategory, #ShadowAttribute, #ShadowAttributeDistribution").on('mouseover', function(e) {
var $e = $(e.target);
if ($e.is('option')) {
$('#'+e.currentTarget.id).popover('destroy');
$('#'+e.currentTarget.id).popover({
trigger: 'manual',
placement: 'right',
content: formInfoValues[$e.val()],
}).popover('show');
}
});
$("input, label").on('mouseleave', function(e) {
$('#'+e.currentTarget.id).popover('destroy');
});
$("input, label").on('mouseover', function(e) {
var $e = $(e.target);
$('#'+e.currentTarget.id).popover('destroy');
$('#'+e.currentTarget.id).popover({
trigger: 'manual',
placement: 'right',
}).popover('show');
});
// workaround for browsers like IE and Chrome that do now have an onmouseover on the 'options' of a select.
// disadvangate is that user needs to click on the item to see the tooltip.
// no solutions exist, except to generate the select completely using html.
$("#ShadowAttributeType, #ShadowAttributeCategory, #ShadowAttribute, #ShadowAttributeDistribution").on('change', function(e) {
var $e = $(e.target);
$('#'+e.currentTarget.id).popover('destroy');
$('#'+e.currentTarget.id).popover({
trigger: 'manual',
placement: 'right',
content: formInfoValues[$e.val()],
}).popover('show');
});
});
//
// Generate tooltip information
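Review bot: In the `$("input, label")` mouseleave/mouseover handlers the target is looked up again as `$('#'+e.currentTarget.id)`, which becomes `$('#')` for any label or input that has no id attribute; depending on the jQuery version that either matches nothing or raises a selector error on every hover. Using the element itself, `$(e.currentTarget).popover('destroy');`, avoids the lookup, and the select handlers can be written the same way. The mouseover popover for inputs and labels is also created without a `content` option, so unless those elements carry a title or data-content attribute (not visible in this hunk) it will open empty. The trailing commas after `placement: 'right',` and `content: formInfoValues[$e.val()],` are rejected by older Internet Explorer versions, which the workaround comment in this block names as a target browser. The +/- markers are lost in this rendering, so it is inferred from the hunk header counts that the `$(document).ready` block is new in this commit.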

Binary file not shown.

Before

Width:  |  Height:  |  Size: 20 KiB

After

Width:  |  Height:  |  Size: 22 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 39 KiB

After

Width:  |  Height:  |  Size: 19 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 23 KiB

After

Width:  |  Height:  |  Size: 19 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 6.6 KiB

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 36 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 121 KiB

After

Width:  |  Height:  |  Size: 76 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 26 KiB

After

Width:  |  Height:  |  Size: 11 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 43 KiB

After

Width:  |  Height:  |  Size: 34 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 11 KiB

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 16 KiB

After

Width:  |  Height:  |  Size: 22 KiB