From b7a60d6b7126e67d34f9cbac78518ce88d632c7b Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Tue, 11 Jun 2013 00:23:01 +0200 Subject: [PATCH] minor improvements in documentation --- app/View/Pages/administration.ctp | 12 ++--- app/View/Pages/categories_and_types.ctp | 14 +++--- app/View/Pages/documentation.ctp | 63 ++++++++++++++++--------- app/View/Pages/user_management.ctp | 8 ++-- app/View/Pages/using_the_system.ctp | 22 ++++----- 5 files changed, 70 insertions(+), 49 deletions(-) diff --git a/app/View/Pages/administration.ctp b/app/View/Pages/administration.ctp index e8b05c1ec..0c92d1d88 100755 --- a/app/View/Pages/administration.ctp +++ b/app/View/Pages/administration.ctp @@ -18,12 +18,12 @@
-

Import Blacklist

+

Import Blacklist

It is possible to ban certain values from ever being entered into the system via an event info field or an attribute value. This is done by blacklisting the value in this section.

Adding and modifying entries

Administrators can add, edit or delete blacklisted items by using the appropriate functions in the list's action menu and the menu on the left.

-

Import Regexp

+

Import Regexp

The system allows administrators to set up rules for regular expressions that will automatically alter newly entered or imported events (from GFI Sandbox).

The purpose of Import Regexp entries

They can be used for several things, such as unifying the capitalisation of file paths for more accurate event correlation or to automatically censor the usernames and use system path variable names (changing C:\Users\UserName\Appdata\Roaming\file.exe to %APPDATA%\file.exe).
@@ -32,7 +32,7 @@ The second use is blocking, if a regular expression is entered with a blank repl Administrators can add, edit or delete regular expression rules, which are made up of a regex pattern that the system searches for and a replacement for the detected pattern.



-

Managing the Signature whitelist

+

Managing the Signature whitelist

The signature whitelist view, accessible through the administration menu on the left, allows administrators to create and maintain a list of addresses that are whitelisted from ever being added to the NIDS signatures. Addresses listed here will be commented out when exporting the NIDS list.

Whitelisting an address:

While in the whitelist view, click on New Whitelist on the left to bring up the add whitelist view to add a new address.
@@ -40,7 +40,7 @@ The signature whitelist view, accessible through the administration menu on the When viewing the list of whitelisted addresses, the following pieces of information are shown: The ID of the whitelist entry (assigned automatically when a new address is added), the address itself that is being whitelisted and a set of controls allowing you to delete the entry or edit the address.
Whitelist

-

Managing the users:

+

Managing the users:

As an admin, you can set up new accounts for users, edit the profiles of users, delete them, or just have a look at all the viewers' profiles. Organisation admins are restricted to executing the same actions on their organisation's users only.
Add user

Adding a new user:

@@ -100,7 +100,7 @@ Site admins can use the "Contact users" feature to send all or an individual use Keep in mind that all e-mails sent through this system will, in addition to your own message, will be signed in the name of the instance's host organisation's support team, will include the e-mail address of the instance's support (if the contact field is set in the bootstrap file), and will include the instance's PGP signature for users that have a PGP key set (and thus are eligible for an encrypted e-mail).
-

Managing the roles

+

Managing the roles

Privileges are assigned to users by assigning them to rule groups, which use one of four options determining what they can do with events and four additional privilege elevating settings. The four options for event manipulation are: Read Only, Manage My Own Events, Manage Organisation Events, Manage & Publish Organisation Events. The extra privileges are admin, sync, authentication key usage and audit permission
Read Only: This allows the user to browse events that his organisation has access to, but doesn't allow any changes to be made to the database.
Manage My Own Events: The second option, gives its users rights to create, modify or delete their own events, but they cannot publish them.
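Review bot: the context line carried in this hunk's header duplicates "will" ("all e-mails sent through this system will, in addition to your own message, will be signed"); since this commit already touches the surrounding markup, drop the second "will" so the sentence reads "will, in addition to your own message, be signed in the name of ...". In the same hunk the sentence listing the extra privileges ("admin, sync, authentication key usage and audit permission") is missing its full stop, and "that his organisation has access to" in the Read Only description would read better as "that their organisation has access to".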
@@ -116,7 +116,7 @@ When creating a new role, you will have to enter a name for the role to be creat By clicking on the List Roles button, you can view a list of all the currently registered roles and a list of the permission flags turned on for each. In addition, you can find buttons that allow you to edit and delete the roles. Keep in mind that you will need to first remove every member from a role before you can delete it.
List roles

-

Using the logs of MISP

+

Using the logs of MISP

Users with audit permissions are able to browse or search the logs that MISP automatically appends each time certain actions are taken (actions that modify data or if a user logs in and out).
Generally, the following actions are logged:
+ +
Input Filters
+ + +
Global Actions
- Sync Actions
+
  • Log out: Logs the current user out.
  • + + +
    Sync Actions
    - Input Filters
    - - Administration
    +
  • List Servers: Connect your MISP instance to other instances, or view and modify the currently established connections.
  • + + +
    Administration
    - Audit
    +
  • List Roles: List, modify or delete currently existing roles.
  • +
  • Contact Users: You can use this view to send messages to your current or future users or send them a temporary password.
  • + + +
    Audit
    +
  • Search Logs: Search the logs by various attributes.
  • + +

    The left bar

    +

    This bar changes based on each page-group. The blue selection shows you what page you are on.

    The main area

    - This is where all the views (navigated to via the menu buttons) will be displayed. In general, there are two main view types, information views (which list the currently stored data and allow you to modify it) and form views (allowing you to enter or alter data). All lists are organised in such a way that all the information columns are on the left and every line of data can be modified or viewed in more detail on the right-most column, titled "Actions". All lists display a certain set number of the most recent items, but page control buttons at the bottom allow you to browse older entries.
    +

    This is where all the views (navigated to via the menu buttons) will be displayed. + In general, there are two main view types, information views (which list the currently + stored data and allow you to modify it) and form views (allowing you to enter or alter data). + All lists are organised in such a way that all the information columns are on the left and every + line of data can be modified or viewed in more detail on the right-most column, titled "Actions". + All lists display a certain set number of the most recent items, but page control buttons at the + bottom allow you to browse older entries.

    The bottom bar

    - Contains a link to download the gpg key used for encrypting the e-mails sent through the system and the current version number - if you are logged in.
    -


    +

    Contains a link to download the gpg key used for encrypting the e-mails sent through the system and the current version number - if you are logged in.

    +

    diff --git a/app/View/Pages/user_management.ctp b/app/View/Pages/user_management.ctp index 708dfed9a..8a4c7061b 100644 --- a/app/View/Pages/user_management.ctp +++ b/app/View/Pages/user_management.ctp @@ -15,7 +15,7 @@

    User Management and Global Actions

    - +

    First run of the system:

    When first logging into MISP with the username and password provided by your administrator, there are a number of things that need to be done, before you can start using the system.


    -

    Managing your account:

    +

    Managing your account:

    To alter any details regarding your profile, use the "My Profile" menu button to bring up the profile overview and then click on "Edit Profile" in the right upper corner.

    -

    Staying up to date:

    +

    Staying up to date:

    MISP also provides its users with some information about itself and its users through the links provided in the Global Actions menu.

    -

    Inspecting the input filters:

    +

    Inspecting the input filters:

    All the events and attributes that get entered into MISP will be run through a series of input filters. These are defined by the site administrators, but every user can take a look at the currently active lists.

    Using the system:

    -

    Creating an event:

    +

    Creating an event:

    The process of entering an event can be split into 3 phases, the creation of the event itself, populating it with attributes and attachments and finally publishing it.

    During this first step, you will be create a basic event without any actual attributes, but storing general information such as a description, time and risk level of the incident. To start creating the event, click on the New Event button on the left and fill out the form you are presented with. The following fields need to be filled out:

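Review bot: the context line "During this first step, you will be create a basic event without any actual attributes" has a grammar slip ("will be create"); it should read "you will create a basic event". Since the heading anchor above it is being replaced in this hunk anyway, fix the sentence here too, and consider spelling out "split into three phases" in the preceding line to match the prose style of the rest of the page.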
    @@ -28,7 +28,7 @@ and attachments and finally publishing it.


    -

    Add attributes to the event:

    +

    Add attributes to the event:

    The second step of creating an event is to populate it with attributes and attachments. In addition to being able to import the attributes and attachments from GFI, it is also possible to manually add attributes and attachments to an event, by using the two appropriate buttons on the event's page. Let's look at adding attributes first.
    When clicking on the add attribute button, you will have to fill out a form with all the data about the attribute.

    Keep in mind that the system searches for regular expressions in the value field of all attributes when entered, replacing detected strings within it as set up by the server's administrator (for example to enforce standardised capitalisation in paths for event correlation or to bring exact paths to a standardised format). The following fields need to be filled out:
    @@ -108,7 +108,7 @@ You can also upload attachments, such as the malware itself, report files from e Once all the attributes and attachments that you want to include with the event are uploaded / set, it is time to finalise its creation by publishing the event (click on publish event in the event view). This will alert the eligible users of it (based on the private-controls of the event and its attributes/attachments and whether they have auto-alert turned on), push the event to instances that your instance connects to and propagate it further based on the distribution rules. It also readies the network related attributes for NIDS signature creation (through the NIDS signature export feature, for more information, go to the export section.).

    There is an alternate way of publishing an event without alerting any other users, by using the "publish (no email)" button. This should only be used for minor edits (such as correcting a typo).

    -

    Browsing past events:

    +

    Browsing past events:

    The MISP interface allows the user to have an overview over or to search for events and attributes of events that are already stored in the system in various ways.

    To list all events:

    On the left menu bar, the option "List events" will generate a list of the last 60 events. While the attributes themselves aren't shown in this view, the following pieces of information can be seen:

    @@ -168,18 +168,18 @@ This will bring up a form that lets you enter one or several search strings (sep The list generated by the search will look exactly the same as listing all attributes, except that only the attributes that matched the search criteria will be listed (to find out more about the list attributes view, Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>.). The search parameters will be shown above the produced list and the search terms will be highlighted.



    -

    Updating and modifying events and attributes:

    +

    Updating and modifying events and attributes:

    Every event and attribute can easily be edited. First of all it is important to find the event or attribute that is to be edited, using any of the methods mentioned in the section on browsing past events.

    Once it is found, the edit button (whether it be under actions when events/attributes get listed or simply on the event view) will bring up the same screen as what is used to create the entry of the same type (for an event it would be the event screen as seen here, for an attribute the attribute screen as described here).

    Keep in mind that editing any event (either directly or indirectly through an attribute) will unpublish it, meaning that you'll have to publish it (through the event view) again once you are done.


    -

    Contacting the reporter:

    +

    Contacting the reporter:

    To get in touch with the reporter of a previously registered event, just find the event for which you would like to contact the reporter by either finding it on the list of events, by finding it through one of its attributes or by finding it through a related event.

    Once the event is found and the event view opened, click the button titled "Contact Reporter". This will bring up a view where you can enter your message that is to be e-mailed to all members of the reporting organisation that subscribe to receiving such reports or the reporting user himself. Along with your message, the detailed information about the event in question will be included in the e-mail.




    By default, the message will be sent to every member of the organisation that posted the event in the first place, but if you tick the check-box below the message field before sending the mail, only the person that reported the event will get e-mailed.

    -

    Automation:

    +

    Automation:

    It is possible to quickly and conveniently export the data contained within the system using the automation features located in the main menu on the left (available to users with authentication key access only). There are various sets of data that can be exported, by using the authentication key provided by the system (also shown on the export page). If for whatever reason you would need to invalidate your current key and get a new one instead (for example due to the old one becoming compromised) just hit the reset link next to the authentication key in the export view or in your "my profile" view.

    The following types of export are possible:

    XML export:

    @@ -197,7 +197,7 @@ The following types of export are possible:

    <server>/events/text/<authentication_key>/<type>

    Type could be any valid type (as according to the list of Html->link(__('categories and types', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>), for example md5, ip-src or comment.

    -

    Exporting data:

    +

    Exporting data:

    For users that do not have authentication key access, an alternate export feature is available that relies on your interactive login to the site. To access these, just use the automation menu button to the left and you'll be presented with a list of export options. The results of the export will automatically be offered as a file download.




    Apart from that, it's also possible to export all events involved in a search attribute result table, by using the "Download results as XML" button on the left menu bar.

    @@ -205,9 +205,9 @@ Apart from that, it's also possible to export all events involved in a search at Each event's view has its own export feature, both as an XML export and as a .ioc file. To reach these features, just navigate to an event and use the appropriate buttons on the right side.





    -

    Connecting to other instances:

    +

    Connecting to other instances:

    Apart from being a self contained repository of attacks/malware, one of the main features of MISP is its ability to connect to other instances and share (parts of) its information. The following options allow you to set up and maintain such connections.

    -

    Setting up a connection to another server:

    +

    Setting up a connection to another server:

    In order to share data with a remote server via pushes and pulls, you need to request a valid authentication key from the hosting organisation of the remote instance. When clicking on List Servers and then on New Server, a form comes up that needs to be filled out in order for your instance to connect to it. The following fields need to be filled out:

    Add server



    -

    Rest API:

    +

    Rest API:

    The platform is also RESTfull, so this means that you can use structured format (XML) to access Events data.

    Requests

    Use any HTTP compliant library to perform requests. However to make clear you are doing a REST request you need to either specify the Accept type to application/xml, or append .xml to the url
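Review bot: several context lines in this final hunk carry spelling and casing errors that the heading rewrite could fix at the same time: "Rest API" should be "REST API", "RESTfull" should be "RESTful", "self contained repository" should be "self-contained repository", "HTTP compliant library" should be "HTTP-compliant library", and "append .xml to the url" should end with "URL" and a full stop. The sentence "so this means that you can use structured format (XML) to access Events data" would also read better as "which means you can use a structured format (XML) to access event data".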