mirror of https://github.com/MISP/MISP
Attribute http-method added - issue #161 fixed
The HTTP method attribute was added. By default, values must match a known HTTP method from RFC2616, RFC2518, RFC3253, RFC3648, RFC3744, RFC5789, RFC5323. The method is case sensitive.
pull/217/head
parent
be316c80a2
commit
a524d95b34
|
@ -107,6 +107,7 @@ class Attribute extends AppModel {
|
|||
'email-subject' => array('desc' => "The subject of the email"),
|
||||
'email-attachment' => array('desc' => "File name of the email attachment."),
|
||||
'url' => array('desc' => 'url'),
|
||||
'http-method' => array('desc' => "HTTP method used by the malware (e.g. POST, GET, ...)."),
|
||||
'user-agent' => array('desc' => "The user-agent used by the malware in the HTTP request."),
|
||||
'regkey' => array('desc' => "Registry key or value"),
|
||||
'regkey|value' => array('desc' => "Registry value + data separated by |"),
|
||||
|
@ -159,7 +160,7 @@ class Attribute extends AppModel {
|
|||
),
|
||||
'Network activity' => array(
|
||||
'desc' => 'Information about network traffic generated by the malware',
|
||||
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'email-dst', 'url', 'user-agent', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'other')
|
||||
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'email-dst', 'url', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'other')
|
||||
),
|
||||
'Payload type' => array(
|
||||
'desc' => 'Information about the final payload(s)',
|
||||
|
@ -408,6 +409,13 @@ class Attribute extends AppModel {
|
|||
break;
|
||||
}
|
||||
|
||||
// uppercase the following types
|
||||
switch($this->data['Attribute']['type']) {
|
||||
case 'http-method':
|
||||
$this->data['Attribute']['value'] = strtoupper($this->data['Attribute']['value']);
|
||||
break;
|
||||
}
|
||||
|
||||
// set to_ids if it doesn't exist
|
||||
if (empty($this->data['Attribute']['to_ids'])) {
|
||||
$this->data['Attribute']['to_ids'] = 0;
|
||||
|
@ -495,6 +503,13 @@ class Attribute extends AppModel {
|
|||
$returnValue = 'Checksum has invalid length or format. Please double check the value or select "other" for a type.';
|
||||
}
|
||||
break;
|
||||
case 'http-method':
|
||||
if (preg_match("#(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT|PROPFIND|PROPPATCH|MKCOL|COPY|MOVE|LOCK|UNLOCK|VERSION-CONTROL|REPORT|CHECKOUT|CHECKIN|UNCHECKOUT|MKWORKSPACE|UPDATE|LABEL|MERGE|BASELINE-CONTROL|MKACTIVITY|ORDERPATCH|ACL|PATCH|SEARCH)#", $value)) {
|
||||
$returnValue = true;
|
||||
} else {
|
||||
$returnValue = 'Unknown HTTP method.';
|
||||
}
|
||||
break;
|
||||
case 'filename':
|
||||
// no newline
|
||||
if (!preg_match("#\n#", $value)) {
|
||||
|
|
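Review bot: The pattern in the new `case 'http-method':` validation branch is unanchored, so `preg_match` succeeds for any value that merely contains one of the listed names (for example `FORGET`, or a method followed by arbitrary text or a newline), and that value is stored as a valid HTTP method. Anchor the alternation and keep the list as it is, e.g. `#\A(?:OPTIONS|GET|…|SEARCH)\z#`, or replace the regex with `in_array($value, $methods, true)` over an array of the same names; `\z` rather than `$` also rejects a trailing newline. Separately, the description says the method is case sensitive while the third hunk applies `strtoupper` to the value. If that hunk sits in a save callback that runs after validation (the enclosing functions start outside the hunks, so this is inferred), lowercase input is rejected before it can be normalised. Either normalise before the check or state the intent in a comment such as `// http-method is stored upper-case; validation only accepts upper-case input`.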