mirror of https://github.com/MISP/MISP
Further work on the IOCImport
- Also, major performance fix for the event viewpull/64/merge
Iglocska
parent
60e4190b84
commit
9917179656
|
|
@ -18,30 +18,35 @@ class IOCImportComponent extends Component {
|
|||
$event = array();
|
||||
$attributes = array();
|
||||
$fails = array();
|
||||
|
||||
// import XML class
|
||||
App::uses('Xml', 'Utility');
|
||||
|
||||
// now parse it
|
||||
$xml = Xml::build($data);
|
||||
$xmlArray = Xml::toArray($xml);
|
||||
$event['info'] = $xmlArray['ioc']['short_description'] . PHP_EOL . $xmlArray['ioc']['description'] . PHP_EOL . PHP_EOL .'By ' . $xmlArray['ioc']['authored_by'];
|
||||
|
||||
// add an attribute that holds the full description of the imported report.
|
||||
$attributes[] = array(
|
||||
'event_id' => $id,
|
||||
'value' => $xmlArray['ioc']['description'],
|
||||
'to_ids' => false,
|
||||
'uuid' => String::uuid(),
|
||||
'category' => 'Other',
|
||||
'type' => 'comment'
|
||||
);
|
||||
$event['info'] = $xmlArray['ioc']['short_description'] . PHP_EOL .'By ' . $xmlArray['ioc']['authored_by'];
|
||||
$event['date'] = $xmlArray['ioc']['authored_date'];
|
||||
$event['uuid'] = $xmlArray['ioc']['@id'];
|
||||
|
||||
foreach ($xmlArray['ioc']['definition'] as $current) {
|
||||
if($current['@operator'] == 'OR') {
|
||||
foreach ($current['IndicatorItem'] as $ii) {
|
||||
$temp = $this->__analyseIndicator($ii, $id);
|
||||
// if temp!
|
||||
if (substr($temp['type'], 0, 3) == 'temp') {
|
||||
$temp = $this->__convertToOther($temp);
|
||||
}
|
||||
$attributes[] = $temp;
|
||||
}
|
||||
} else {
|
||||
//$this->recursiveGetFailedUuids($current);
|
||||
$fails[] = $current;
|
||||
}
|
||||
// remove the temporary attributes created for possible pairing such as tempRegValue and add it to the fails.
|
||||
}
|
||||
// Check the logical operators, if there are exactly 2 indicators within an AND operator, check if they can be built into an accepted composite attribute type
|
||||
foreach ($xmlArray['ioc']['definition'] as $current) {
|
||||
|
|
@ -60,10 +65,21 @@ class IOCImportComponent extends Component {
|
|||
}
|
||||
}
|
||||
}
|
||||
// remove all the temporary attribute types used for the pairing and turn them all into "other"
|
||||
foreach ($attributes as &$att) {
|
||||
if (substr($att['type'], 0, 3) == 'temp') {
|
||||
$temp = $this->__convertToOther($temp);
|
||||
}
|
||||
}
|
||||
|
||||
// Add the attributes to the event that will be returned
|
||||
$event['Attribute'] = $attributes;
|
||||
|
||||
// Add the failed indicators to the event that will be returned
|
||||
if (!empty($fails)) {
|
||||
$event['Fails'] = $this->__fetchFailedUuids($fails);
|
||||
}
|
||||
// return the event with the attributes and failed indicators
|
||||
return $event;
|
||||
}
|
||||
|
||||
|
|
@ -199,7 +215,9 @@ class IOCImportComponent extends Component {
|
|||
case 'RegistryItem/Text':
|
||||
return array('Persistence mechanism', 'tempRegValue');
|
||||
break;
|
||||
// We don't keep the following, they are often used with AND and a filename. We'll only keep the filename in those cases.
|
||||
case 'FileItem/PEInfo/DigitalSignature/CertificateSubject':
|
||||
case 'FileItem/PEInfo/DigitalSignature/SignatureExists':
|
||||
return array('Payload delivery', 'tempCertificateSubject');
|
||||
break;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -129,6 +129,7 @@ class EventsController extends AppController {
|
|||
*/
|
||||
public function view($id = null) {
|
||||
// If the length of the id provided is 36 then it is most likely a Uuid - find the id of the event, change $id to it and proceed to read the event as if the ID was entered.
|
||||
$perm_publish = $this->checkAction('perm_publish');
|
||||
if (strlen($id) == 36) {
|
||||
$this->Event->recursive = -1;
|
||||
$temp = $this->Event->findByUuid($id);
|
||||
|
|
@ -180,7 +181,7 @@ class EventsController extends AppController {
|
|||
if (!$this->_isRest()) {
|
||||
foreach ($this->Event->data['Attribute'] as &$attribute) {
|
||||
// if the user is of the same org as the event and has publishing rights, just show everything
|
||||
if (($this->Auth->user('org') != $this->Event->data['Event']['org'] || !$this->checkAction('perm_publish')) && !$this->_isSiteAdmin()) {
|
||||
if (($this->Auth->user('org') != $this->Event->data['Event']['org'] || !$perm_publish) && !$this->_isSiteAdmin()) {
|
||||
$counter = 0;
|
||||
foreach ($attribute['ShadowAttribute'] as &$shadow) {
|
||||
if ($shadow['org'] != $this->Auth->user('org')) unset($attribute['ShadowAttribute'][$counter]);
|
||||
|
|
@ -1483,10 +1484,20 @@ class EventsController extends AppController {
|
|||
$this->Attribute->create();
|
||||
$this->Attribute->save($attribute);
|
||||
}
|
||||
|
||||
$updateEvent = $this->Event->read(null, $id);
|
||||
// update the DB to set the published flag
|
||||
$fieldList = array('info', 'uuid');
|
||||
$updateEvent['Event']['uuid'] = $event['uuid'];
|
||||
//$updateEvent['Event']['date'] = $event['date'];
|
||||
$updateEvent['Event']['info'] = $event['info'];
|
||||
$this->Event->save($updateEvent, array('fieldList' => $fieldList));
|
||||
|
||||
//$this->Session->setFlash(__('Import complete. Indicators successfully added: ' . count($event['Attribute']) . '. Indicators that could not be added: ' . count($event['Fails']) . '. To see a of the Uuids of the failed indicators, click here.'));
|
||||
|
||||
$this->set('attributes', $event['Attribute']);
|
||||
$this->set('fails', $event['Fails']);
|
||||
//$this->set('eventId', $this->);
|
||||
$this->set('eventId', $id);
|
||||
$this->render('showIOCResults');
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue