mirror of https://github.com/MISP/MISP
new: [API] NIDS exports now correctly support event and attribute level exports
- also, suricata/snort rules now include both the event and the attribute tags in the metadatapull/3626/head
iglocska
parent
ba5bafd13f
commit
7c3ddacd1e
|
|
@ -20,11 +20,8 @@ class NidsExport
|
|||
|
||||
public function handler($data, $options = array())
|
||||
{
|
||||
$continue = true;
|
||||
$continue = empty($format);
|
||||
$this->checkWhitelist = false;
|
||||
if (empty($this->rules)) {
|
||||
$continue = false;
|
||||
}
|
||||
if ($options['scope'] === 'Attribute') {
|
||||
$this->export(
|
||||
array($data),
|
||||
|
|
@ -32,12 +29,49 @@ class NidsExport
|
|||
$options['returnFormat'],
|
||||
$continue
|
||||
);
|
||||
} else if ($options['scope'] === 'Event') {
|
||||
if (!empty($data['EventTag'])) {
|
||||
$data['Event']['EventTag'] = $data['EventTag'];
|
||||
}
|
||||
if (!empty($data['Attribute'])) {
|
||||
$this->__convertFromEventFormat($data['Attribute'], $data, $options, $continue);
|
||||
}
|
||||
if (!empty($data['Object'])) {
|
||||
foreach ($data['Object'] as $object) {
|
||||
$this->__convertFromEventFormat($object['Attribute'], $data, $options, $continue);
|
||||
}
|
||||
}
|
||||
}
|
||||
return '';
|
||||
}
|
||||
|
||||
private function __convertFromEventFormat($attributes, $event, $options = array(), $continue = false) {
|
||||
$rearranged = array();
|
||||
foreach ($attributes as $attribute) {
|
||||
$attributeTag = array();
|
||||
if (!empty($attribute['AttributeTag'])) {
|
||||
$attributeTag = $attribute['AttributeTag'];
|
||||
unset($attribute['AttributeTag']);
|
||||
}
|
||||
$rearranged[] = array(
|
||||
'Attribute' => $attribute,
|
||||
'AttributeTag' => $attributeTag,
|
||||
'Event' => $event['Event']
|
||||
);
|
||||
}
|
||||
$this->export(
|
||||
$rearranged,
|
||||
$options['user']['nids_sid'],
|
||||
$options['returnFormat'],
|
||||
$continue
|
||||
);
|
||||
return true;
|
||||
|
||||
}
|
||||
|
||||
public function header($options = array())
|
||||
{
|
||||
$this->explain();
|
||||
return '';
|
||||
}
|
||||
|
||||
|
|
@ -84,11 +118,20 @@ class NidsExport
|
|||
foreach ($items as $item) {
|
||||
// retrieve all tags for this item to add them to the msg
|
||||
$tagsArray = [];
|
||||
foreach ($item['AttributeTag'] as $tag_attr) {
|
||||
if (array_key_exists('name', $tag_attr['Tag'])) {
|
||||
array_push($tagsArray, $tag_attr['Tag']['name']);
|
||||
}
|
||||
}
|
||||
if (!empty($item['AttributeTag'])) {
|
||||
foreach ($item['AttributeTag'] as $tag_attr) {
|
||||
if (array_key_exists('name', $tag_attr['Tag'])) {
|
||||
array_push($tagsArray, $tag_attr['Tag']['name']);
|
||||
}
|
||||
}
|
||||
}
|
||||
if (!empty($item['Event']['EventTag'])) {
|
||||
foreach ($item['Event']['EventTag'] as $tag_event) {
|
||||
if (array_key_exists('name', $tag_event['Tag'])) {
|
||||
array_push($tagsArray, $tag_event['Tag']['name']);
|
||||
}
|
||||
}
|
||||
}
|
||||
$ruleFormatMsgTags = implode(",", $tagsArray);
|
||||
|
||||
# proto src_ip src_port direction dst_ip dst_port msg rule_content tag sid rev
|
||||
|
|
|
|||
Loading…
Reference in New Issue