Named pipes and mutex

- added the 2 types under the artifacts dropped category
pull/195/head
iglocska 2013-05-29 16:53:01 +02:00
parent 5f476fa957
commit a5bbfeaaed
1 changed files with 14 additions and 2 deletions


@ -116,7 +116,9 @@ class Attribute extends AppModel {
'link' => array('desc' => 'Link to an external information'),
'comment' => array('desc' => 'Comment or description in a human language', 'formdesc' => 'Comment or description in a human language. <br/> This will not be correlated with other attributes (NOT IMPLEMENTED YET)'),
'text' => array('desc' => 'Name, ID or a reference'),
'other' => array('desc' => 'Other attribute')
'other' => array('desc' => 'Other attribute'),
'named pipe' => array('desc' => 'Named pipe, use the format \\.\pipe\<PipeName>'),
'mutex' => array('desc' => 'Mutex, use the format \BaseNamedObjects\<Mutex>'),
);
// definitions of categories
@ -137,7 +139,7 @@ class Attribute extends AppModel {
),
'Artifacts dropped' => array(
'desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system',
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'yara', 'attachment', 'malware-sample', 'comment', 'text', 'other')
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'yara', 'attachment', 'malware-sample', 'comment', 'text', 'other', 'named pipe', 'mutex')
),
'Payload installation' => array(
'desc' => 'Info on where the malware gets installed in the system',
@ -671,6 +673,16 @@ class Attribute extends AppModel {
$returnValue = 'Invalid format. Expected: CVE-xxxx-xxxx.';
}
break;
case 'named pipe':
if (preg_match('#^(\\\\\\\\.\\\\pipe\\\\)#', $value) && !preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'mutex':
if (preg_match('#^(\\\\BaseNamedObjects\\\\)#', $value) && !preg_match("#\n#", $value)) {
$returnValue = true;
}
break;
case 'AS':
case 'snort':
case 'pattern-in-file':
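Review bot: The `named pipe` pattern on the line `if (preg_match('#^(\\\\\\\\.\\\\pipe\\\\)#', $value) && !preg_match("#\n#", $value)) {` leaves the dot unescaped, so it accepts `\\` followed by any single character before `\pipe\`, and neither this check nor the `mutex` one requires anything after the trailing backslash, so the bare prefix alone passes as a valid value. Escaping the dot and requiring a non-empty name tightens both: `if (preg_match('#^\\\\\\\\\\.\\\\pipe\\\\.+#', $value) && !preg_match("#\n#", $value)) {` and `if (preg_match('#^\\\\BaseNamedObjects\\\\.+#', $value) && !preg_match("#\n#", $value)) {`. The two new cases also assign `$returnValue` only on success, whereas the sibling `cve` case visible just above stores an 'Invalid format' message on failure; presumably the pre-switch default carries an equivalent message, but that is outside the hunk and worth confirming so a rejected value gets an explanation. Relatedly, the description added in the first hunk is a single-quoted string, so `\\.\pipe\<PipeName>` is displayed as `\.\pipe\<PipeName>` with a single leading backslash, one fewer than this validator demands; `'Named pipe, use the format \\\\.\\pipe\\<PipeName>'` would show the format the check actually accepts. The enclosing switch and its function start and end outside this hunk.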