From c90ec416f09c13f8d60290db082e1e5fa914c269 Mon Sep 17 00:00:00 2001
From: Andrzej Dereszowski
Date: Tue, 9 Oct 2012 14:44:25 +0200
Subject: [PATCH 1/2] Configuration files renamed to better handle git merges on production systems. Please add new features with their default values. Their should contain only example values. renamed: app/Config/bootstrap.php -> app/Config/bootstrap.default.php renamed: app/Config/core.php -> app/Config/core.default.php renamed: app/Config/database.php -> app/Config/database.default.php
---
 app/Config/{bootstrap.php => bootstrap.default.php} | 0
 app/Config/{core.php => core.default.php} | 0
 app/Config/{database.php => database.default.php} | 0
 3 files changed, 0 insertions(+), 0 deletions(-)
 rename app/Config/{bootstrap.php => bootstrap.default.php} (100%)
 rename app/Config/{core.php => core.default.php} (100%)
 rename app/Config/{database.php => database.default.php} (100%)
diff --git a/app/Config/bootstrap.php b/app/Config/bootstrap.default.php
similarity index 100%
rename from app/Config/bootstrap.php
rename to app/Config/bootstrap.default.php
diff --git a/app/Config/core.php b/app/Config/core.default.php
similarity index 100%
rename from app/Config/core.php
rename to app/Config/core.default.php
diff --git a/app/Config/database.php b/app/Config/database.default.php
similarity index 100%
rename from app/Config/database.php
rename to app/Config/database.default.php
From 6698e4c05e280e300c69444ae93bb4862907adcb Mon Sep 17 00:00:00 2001
From: Andrzej Dereszowski
Date: Tue, 9 Oct 2012 16:08:38 +0200
Subject: [PATCH 2/2] Cosmetic changes Descriptions in the export functionality polished.
---
 app/Controller/EventsController.php | 2 +-
 app/View/Events/export.ctp | 16 +++++++++-------
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php
index 022be5dcc..fb65ced72 100644
--- a/app/Controller/EventsController.php
+++ b/app/Controller/EventsController.php 
@@ -923,7 +923,7 @@ class EventsController extends AppController {
 $items = $this->Attribute->find('all', $params);
 $rules = $this->NidsExport->suricataRules($items, $user['User']['nids_sid']);
- print ("#

This part is not finished and might be buggy. Please report any issues.

\n");
+ print ("#

This part might still contain bugs, use and your own risk and report any issues.

\n");
 print "#
 \n";
 		foreach ($rules as &$rule)
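Review bot: The replacement text on the added print line has a typo, `use and your own risk`, which should read `use at your own risk`; the rest of the line can stay as it is, e.g. `This part might still contain bugs, use at your own risk and report any issues.`. Since this string appears to be written straight into the rule file that clients download, the wording is what every consumer of the export will see. The leading `#` keeps the line a comment for the rule parser, which the following `print "#` line relies on as well. The enclosing method starts before this hunk, so the surrounding output statements are not visible here.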
diff --git a/app/View/Events/export.ctp b/app/View/Events/export.ctp
index 0d9b2203d..758f61ec0 100755
--- a/app/View/Events/export.ctp
+++ b/app/View/Events/export.ctp
@@ -1,6 +1,8 @@
 

Export

-

To make exports available for automated tools an authentication key is used. This makes it easier for your tools to access the data without further form-based-authentiation.
+

Export functionality is designed to automatically generate signatures for intrusion detection systems. To enable signature generation for a given attribute, Signature field of this attribute must be set to Yes.
+Note that not all attribute types are applicable for signature generation, currently we only support NIDS signature generation for IP, domains, host names, user agents etc., and hash list generation for MD5/SHA1 values of file artifacts. Support for more attribute types is planned.
+To to make this functionality available for automated tools an authentication key is used. This makes it easier for your tools to access the data without further form-based-authentiation.
Make sure you keep that key secret as it gives access to the entire database !

Your current key is: . You can Html->link('reset', array('controller' => 'users', 'action' => 'resetauthkey', 'me'));?> this key.
@@ -15,15 +17,15 @@ You can Html->link('reset', array('controller' => 'users', 'ac
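Review bot: The added line beginning `+To to make this functionality available` has a doubled word, `To to`, and carries the misspelling `form-based-authentiation` over from the line it replaces; as this is the sentence explaining how the authentication key is used, it should read `To make this functionality available for automated tools an authentication key is used. ... without further form-based authentication.`. The next added line also has a comma splice after `signature generation,` where a full stop or semicolon would read better. The markup of the template around these paragraphs is not visible in this hunk, so only the wording is reviewed here.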

Also check out the Html->link(__('User Guide', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?> to read about the REST API.

-

NIDS Export

-

An automatic export of all network related attributes is available under the Snort rule format. Only published events and attributes marked as IDS Signature are exported.

+

NIDS signatures export

+

Automatic export of all network related attributes is available under the Snort rule format. Only published events and attributes marked as IDS Signature are exported.

You can configure your tools to automatically download the following file:

/events/nids/

Administration is able to maintain a whitelist containing host, domain name and IP numbers to exclude from the NIDS export.

-

HIDS Export

-

An automatic export of all host related attributes is available, containing MD5 checksums. Only published events and attributes marked as IDS Signature are exported.

+

Hash datatabse export

+

Automatic export of MD5/SHA1 checksums contained in file-related attributes. This list can be used to feed forensic software when searching for susipicious files. Only published events and attributes marked as IDS Signature are exported.

You can configure your tools to automatically download the following files:

md5

/events/hids_md5/
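Review bot: Two of the added lines in this hunk carry spelling errors in user-facing text: the new heading `Hash datatabse export` should be `Hash database export`, and `susipicious files` in the paragraph below it should be `suspicious files`. The surrounding description of which events and attributes are exported is unchanged and reads consistently with the NIDS paragraph above it.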
@@ -31,7 +33,7 @@ You can Html->link('reset', array('controller' => 'users', 'ac
/events/hids_sha1/

-

Text Export

+

Text export

An automatic export of all attributes of a specific type to a plain text file.

You can configure your tools to automatically download the following files:

@@ -41,7 +43,7 @@ You can Html->link('reset', array('controller' => 'users', 'ac
 

-

Saved search XML Export

+

Saved search XML export

We plan to make it possible to export data using searchpatterns.
This would enable you to export: