mirror of https://github.com/MISP/MISP
new: [training] Added nibbler export
parent
4f646d41c0
commit
bc3e6d34d1
|
@ -0,0 +1,110 @@
|
||||||
|
<?php
|
||||||
|
|
||||||
|
class NibblerExport
|
||||||
|
{
|
||||||
|
public $additional_params = array(
|
||||||
|
'flatten' => 1
|
||||||
|
);
|
||||||
|
|
||||||
|
private $__mapping = array(
|
||||||
|
'ip-dst' => 'IP',
|
||||||
|
'ip-src' => 'IP',
|
||||||
|
'domain' => 'Domain',
|
||||||
|
'domain|ip' => ['Domain', 'IP'],
|
||||||
|
'hostname' => 'Hostname',
|
||||||
|
'md5' => 'MD5',
|
||||||
|
'sha1' => 'SHA1',
|
||||||
|
'sha256' => 'SHA256',
|
||||||
|
'filename|md5' => array('Filename', 'MD5'),
|
||||||
|
'malware-sample' => array('Filename', 'MD5'),
|
||||||
|
'filename|sha1' => array('Filename', 'SHA1'),
|
||||||
|
'filename|sha256' => array('Filename', 'SHA256')
|
||||||
|
);
|
||||||
|
|
||||||
|
private function __escapeSpecialChars($value)
|
||||||
|
{
|
||||||
|
$value = preg_replace("/\r|\n/", "##LINEBREAK##", $value );
|
||||||
|
$value = preg_replace("/,/", "##COMMA##", $value );
|
||||||
|
$value = preg_replace("/\|/", "##PIPE##", $value );
|
||||||
|
return $value;
|
||||||
|
}
|
||||||
|
|
||||||
|
private function __convertAttribute($attribute, $event)
|
||||||
|
{
|
||||||
|
if (empty($this->__mapping[$attribute['type']])) {
|
||||||
|
return '';
|
||||||
|
}
|
||||||
|
$result = array();
|
||||||
|
$attributes = array();
|
||||||
|
if (is_array($this->__mapping[$attribute['type']])) {
|
||||||
|
$attribute['value'] = explode('|', $attribute['value']);
|
||||||
|
foreach (array(0,1) as $part) {
|
||||||
|
$result[] = sprintf(
|
||||||
|
'%s|%s|%s|%s|%s',
|
||||||
|
$this->__escapeSpecialChars($attribute['value'][$part]),
|
||||||
|
$this->__mapping[$attribute['type']][$part],
|
||||||
|
'/events/view/' . $event['uuid'],
|
||||||
|
$this->__escapeSpecialChars($event['info']),
|
||||||
|
$this->__decideOnAction($attribute['AttributeTag'])
|
||||||
|
);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$result[] = sprintf(
|
||||||
|
'%s|%s|%s|%s|%s',
|
||||||
|
$this->__escapeSpecialChars($attribute['value']),
|
||||||
|
$this->__mapping[$attribute['type']],
|
||||||
|
'/events/view/' . $event['uuid'],
|
||||||
|
$this->__escapeSpecialChars($event['info']),
|
||||||
|
$this->__decideOnAction($attribute['AttributeTag'])
|
||||||
|
);
|
||||||
|
}
|
||||||
|
return implode($this->separator(), $result);
|
||||||
|
}
|
||||||
|
|
||||||
|
private function __decideOnAction($attributeTags)
|
||||||
|
{
|
||||||
|
foreach($attributeTags as $attributeTag) {
|
||||||
|
if (
|
||||||
|
$attributeTag['Tag']['name'] === 'nibbler:block'
|
||||||
|
) {
|
||||||
|
return 'BLOCK';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return 'ALERT';
|
||||||
|
}
|
||||||
|
|
||||||
|
public function handler($data, $options = array())
|
||||||
|
{
|
||||||
|
if ($options['scope'] === 'Attribute') {
|
||||||
|
$data['Attribute']['AttributeTag'] = $data['AttributeTag'];
|
||||||
|
return $this->__convertAttribute($data['Attribute'], $data['Event']);
|
||||||
|
}
|
||||||
|
if ($options['scope'] === 'Event') {
|
||||||
|
$result = array();
|
||||||
|
foreach ($data['Attribute'] as $attribute) {
|
||||||
|
$temp = $this->__convertAttribute($attribute, $data['Event']);
|
||||||
|
if ($temp) $result[] = $temp;
|
||||||
|
}
|
||||||
|
return implode($this->separator(), $result);
|
||||||
|
}
|
||||||
|
return '';
|
||||||
|
}
|
||||||
|
|
||||||
|
public function header($options = array())
|
||||||
|
{
|
||||||
|
return sprintf(
|
||||||
|
"# Nibbler rules generated by MISP at %s\n",
|
||||||
|
date('Y-m-d H:i:s')
|
||||||
|
);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function footer()
|
||||||
|
{
|
||||||
|
return "\n";
|
||||||
|
}
|
||||||
|
|
||||||
|
public function separator()
|
||||||
|
{
|
||||||
|
return "\n";
|
||||||
|
}
|
||||||
|
}
|
|
@ -408,7 +408,8 @@ class Attribute extends AppModel
|
||||||
'csv' => array('csv', 'CsvExport', 'csv'),
|
'csv' => array('csv', 'CsvExport', 'csv'),
|
||||||
'cache' => array('txt', 'CacheExport', 'cache'),
|
'cache' => array('txt', 'CacheExport', 'cache'),
|
||||||
'attack-sightings' => array('json', 'AttackSightingsExport', 'json'),
|
'attack-sightings' => array('json', 'AttackSightingsExport', 'json'),
|
||||||
'netfilter' => array('txt', 'NetfilterExport', 'sh')
|
'netfilter' => array('txt', 'NetfilterExport', 'sh'),
|
||||||
|
'nibbler' => array('nibbler', 'NibblerExport', 'nibbler')
|
||||||
);
|
);
|
||||||
|
|
||||||
// FIXME we need a better way to list the defaultCategories knowing that new attribute types will continue to appear in the future. We should generate this dynamically or use a function using the default_category of the $typeDefinitions
|
// FIXME we need a better way to list the defaultCategories knowing that new attribute types will continue to appear in the future. We should generate this dynamically or use a function using the default_category of the $typeDefinitions
|
||||||
|
@ -4395,8 +4396,9 @@ class Attribute extends AppModel
|
||||||
$temp = '';
|
$temp = '';
|
||||||
foreach ($results as $attribute) {
|
foreach ($results as $attribute) {
|
||||||
$elementCounter++;
|
$elementCounter++;
|
||||||
$temp .= $exportTool->handler($attribute, $exportToolParams);
|
$handlerResult = $exportTool->handler($attribute, $exportToolParams);
|
||||||
if ($temp !== '') {
|
$temp .= $handlerResult;
|
||||||
|
if ($handlerResult !== '') {
|
||||||
if ($i != count($results) -1) {
|
if ($i != count($results) -1) {
|
||||||
$temp .= $exportTool->separator($exportToolParams);
|
$temp .= $exportTool->separator($exportToolParams);
|
||||||
}
|
}
|
||||||
|
|
|
@ -169,7 +169,7 @@ class Event extends AppModel
|
||||||
'requiresPublished' => 1,
|
'requiresPublished' => 1,
|
||||||
'params' => array('returnFormat' => 'yara-json'),
|
'params' => array('returnFormat' => 'yara-json'),
|
||||||
'description' => 'Click this to download Yara rules generated from all relevant attributes. Rules are returned in a JSON format with information about origin (generated or parsed) and validity.'
|
'description' => 'Click this to download Yara rules generated from all relevant attributes. Rules are returned in a JSON format with information about origin (generated or parsed) and validity.'
|
||||||
),
|
)
|
||||||
);
|
);
|
||||||
|
|
||||||
public $validFormats = array(
|
public $validFormats = array(
|
||||||
|
@ -190,7 +190,8 @@ class Event extends AppModel
|
||||||
'cache' => array('txt', 'CacheExport', 'cache'),
|
'cache' => array('txt', 'CacheExport', 'cache'),
|
||||||
'attack' => array('html', 'AttackExport', 'html'),
|
'attack' => array('html', 'AttackExport', 'html'),
|
||||||
'attack-sightings' => array('json', 'AttackSightingsExport', 'json'),
|
'attack-sightings' => array('json', 'AttackSightingsExport', 'json'),
|
||||||
'netfilter' => array('txt', 'NetfilterExport', 'sh')
|
'netfilter' => array('txt', 'NetfilterExport', 'sh'),
|
||||||
|
'nibbler' => array('nibbler', 'NibblerExport', 'nibbler')
|
||||||
);
|
);
|
||||||
|
|
||||||
public $csv_event_context_fields_to_fetch = array(
|
public $csv_event_context_fields_to_fetch = array(
|
||||||
|
|
Loading…
Reference in New Issue