MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'hotfix-2.3.99'

pull/577/head
Iglocska 2015-07-20 16:28:28 +02:00
parent f628861f2c 684be69ed0
commit c6e4b2dc61
5 changed files with 80 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION.json
View File

@ -1 +1 @@
{"major":2, "minor":3, "hotfix":98}
{"major":2, "minor":3, "hotfix":99}

5
app/Lib/Export/HidsExport.php
View File

@ -15,7 +15,7 @@ class HidsExport {
array_unshift($this->rules, '# These HIDS export contains ' . $type . ' checksums.');
}
public function export($items, $type = 'MD5') {
public function export($items, $type = 'MD5', $continue = false) {
foreach ($items as &$item) {
# md5
$ruleFormat = '%s';
@ -39,8 +39,7 @@ class HidsExport {
}
}
sort($this->rules);
$this->explain($type);
if (!$continue) $this->explain($type);
return $this->rules;
}
}

16
app/Lib/Export/NidsExport.php
View File

@ -35,22 +35,6 @@ class NidsExport {
}
// generate the rules
foreach ($items as &$item) {
/*switch ($item['Event']['risk']) {
case 'Undefined':
$priority = '4';
break;
case 'Low':
$priority = '3';
break;
case 'Medium':
$priority = '2';
break;
case 'High':
$priority = '1';
break;
default:
$priority = '4';
}*/
# proto src_ip src_port direction dst_ip dst_port msg rule_content tag sid rev
$ruleFormatMsg = 'msg: "MISP e' . $item['Event']['id'] . ' %s"';

152
app/Model/Attribute.php
View File

@ -1172,104 +1172,98 @@ class Attribute extends AppModel {
}
$typeArray = array($type, 'filename|' . $type);
if ($type == 'md5') $typeArray[] = 'malware-sample';
//restricting to non-private or same org if the user is not a site-admin.
$conditions['AND'] = array('Attribute.to_ids' => 1, 'Event.published' => 1, 'Attribute.type' => $typeArray);
if (!$isSiteAdmin) {
$temp = array();
$distribution = array();
array_push($temp, array('Attribute.distribution >' => 0));
array_push($temp, array('AND' => array('Attribute.distribution >' => 0, 'Event.distribution >' => 0)));
array_push($temp, array('(SELECT events.org FROM events WHERE events.id = Attribute.event_id) LIKE' => $org));
$conditions['OR'] = $temp;
}
// If we sent any tags along, load the associated tag names for each attribute
$rules = array();
$eventIds = $this->Event->fetchEventIds($org, $isSiteAdmin, $from, $to, $last);
if ($tags !== '') {
$tag = ClassRegistry::init('Tag');
$args = $this->dissectArgs($tags);
$tagArray = $tag->fetchEventTagIds($args[0], $args[1]);
$temp = array();
foreach ($tagArray[0] as $accepted) {
$temp['OR'][] = array('Event.id' => $accepted);
if (!empty($tagArray[0])) {
foreach ($eventIds as $k => $v) {
if (!in_array($v['Event']['id'], $tagArray[0])) unset($eventIds[$k]);
}
}
$conditions['AND'][] = $temp;
$temp = array();
foreach ($tagArray[1] as $rejected) {
$temp['AND'][] = array('Event.id !=' => $rejected);
if (!empty($tagArray[1])) {
foreach ($eventIds as $k => $v) {
if (in_array($v['Event']['id'], $tagArray[1])) unset($eventIds[$k]);
}
}
$conditions['AND'][] = $temp;
}
if ($last) $conditions['AND'][] = array('Event.publish_timestamp >=' => $last);
if ($from) $conditions['AND'][] = array('Event.date >=' => $from);
if ($to) $conditions['AND'][] = array('Event.date <=' => $to);
$params = array(
'conditions' => $conditions, //array of conditions
'recursive' => 0, //int
'fields' => array('Attribute.type', 'Attribute.value1', 'Attribute.value2'),
'group' => array('Attribute.type', 'Attribute.value1'), //fields to GROUP BY
);
$items = $this->find('all', $params);
App::uses('HidsExport', 'Export');
$export = new HidsExport();
$rules = $export->export($items, strtoupper($type));
$continue = false;
foreach ($eventIds as $event) {
//restricting to non-private or same org if the user is not a site-admin.
$conditions['AND'] = array('Attribute.to_ids' => 1, 'Event.published' => 1, 'Attribute.type' => $typeArray, 'Attribute.event_id' => $event['Event']['id']);
if (!$isSiteAdmin && ($org !== $event['Event']['org'])) $conditions['AND']['Attribute.distribution >'] = 0;
$params = array(
'conditions' => $conditions, //array of conditions
'recursive' => 0, //int
'fields' => array('Attribute.type', 'Attribute.value1', 'Attribute.value2'),
'group' => array('Attribute.type', 'Attribute.value1'), //fields to GROUP BY
);
$items = $this->find('all', $params);
App::uses('HidsExport', 'Export');
$export = new HidsExport();
$rules = array_merge($rules, $export->export($items, strtoupper($type), $continue));
$continue = true;
}
return $rules;
}
public function nids($isSiteAdmin, $org, $format, $sid, $id = false, $continue = false, $tags = false, $from = false, $to = false, $last = false) {
if (empty($org)) throw new MethodNotAllowedException('No org supplied.');
//restricting to non-private or same org if the user is not a site-admin.
$conditions['AND'] = array('Attribute.to_ids' => 1, "Event.published" => 1);
$valid_types = array('ip-dst', 'ip-src', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'domain', 'hostname', 'url', 'user-agent', 'snort');
$conditions['AND']['Attribute.type'] = $valid_types;
if (!$isSiteAdmin) {
$temp = array();
$distribution = array();
array_push($temp, array('AND' => array('Attribute.distribution >' => 0, 'Event.distribution >' => 0)));
array_push($temp, array('(SELECT events.org FROM events WHERE events.id = Attribute.event_id) LIKE' => $org));
$conditions['OR'] = $temp;
}
if ($id) array_push($conditions['AND'], array('Event.id' => $id));
if ($from) array_push($conditions['AND'], array('Event.date >=' => $from));
if ($to) array_push($conditions['AND'], array('Event.date <=' => $to));
if ($last) array_push($conditions['AND'], array('Event.publish_timestamp >=' => $last));
// If we sent any tags along, load the associated tag names for each attribute
if ($tags) {
$eventIds = $this->Event->fetchEventIds($org, $isSiteAdmin, $from, $to, $last);
if ($tags !== '') {
$tag = ClassRegistry::init('Tag');
$args = $this->dissectArgs($tags);
$tagArray = $tag->fetchEventTagIds($args[0], $args[1]);
$temp = array();
foreach ($tagArray[0] as $accepted) {
$temp['OR'][] = array('Event.id' => $accepted);
if ($id) {
foreach ($eventIds as $k => $v) {
//if ($)
}
}
$conditions['AND'][] = $temp;
$temp = array();
foreach ($tagArray[1] as $rejected) {
$temp['AND'][] = array('Event.id !=' => $rejected);
if (!empty($tagArray[0])) {
foreach ($eventIds as $k => $v) {
if (!in_array($v['Event']['id'], $tagArray[0])) unset($eventIds[$k]);
}
}
if (!empty($tagArray[1])) {
foreach ($eventIds as $k => $v) {
if (in_array($v['Event']['id'], $tagArray[1])) unset($eventIds[$k]);
}
}
$conditions['AND'][] = $temp;
}
$params = array(
'conditions' => $conditions, //array of conditions
'recursive' => 0, //int
'group' => array('Attribute.type', 'Attribute.value1'), //fields to GROUP BY
);
unset($this->virtualFields['category_order']); // not needed for IDS export and speeds things up
$items = $this->find('all', $params);
// export depending of the requested type
switch ($format) {
case 'suricata':
- App::uses('NidsSuricataExport', 'Export');
$export = new NidsSuricataExport();
break;
case 'snort':
App::uses('NidsSnortExport', 'Export');
$export = new NidsSnortExport();
break;
$rules = array();
foreach ($eventIds as $event) {
$conditions['AND'] = array('Attribute.to_ids' => 1, "Event.published" => 1, 'Attribute.event_id' => $event['Event']['id']);
$valid_types = array('ip-dst', 'ip-src', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'domain', 'hostname', 'url', 'user-agent', 'snort');
$conditions['AND']['Attribute.type'] = $valid_types;
if (!$isSiteAdmin && ($org !== $event['Event']['org'])) $conditions['AND']['Attribute.distribution >'] = 0;
$params = array(
'conditions' => $conditions, //array of conditions
'recursive' => 0, //int
'group' => array('Attribute.type', 'Attribute.value1'), //fields to GROUP BY
);
unset($this->virtualFields['category_order']); // not needed for IDS export and speeds things up
$items = $this->find('all', $params);
// export depending of the requested type
switch ($format) {
case 'suricata':
- App::uses('NidsSuricataExport', 'Export');
$export = new NidsSuricataExport();
break;
case 'snort':
App::uses('NidsSnortExport', 'Export');
$export = new NidsSnortExport();
break;
}
$rules = array_merge($rules, $export->export($items, $sid, $format, $continue));
// Only pre-pend the comments once
$continue = true;
}
$rules = $export->export($items, $sid, $format, $continue);
return $rules;
}

7
app/View/Events/export_alternate.ctp
View File

@ -28,10 +28,11 @@
</div>
<div class="row bottom-buffer">
<div class="span3">
<?php echo $this->Html->link('Download NIDS signatures', array('action' => 'nids', 'download'), array('class' => 'btn btn-block full-width')); ?>
<?php echo $this->Html->link('Download Suricata signatures', array('action' => 'nids', 'suricata', 'download'), array('class' => 'btn btn-block full-width')); ?>
<?php echo $this->Html->link('Download Snort signatures', array('action' => 'nids', 'snort', 'download'), array('class' => 'btn btn-block full-width')); ?>
</div>
<div class="span9">Click this to download all network related attributes that you
have access to under the Snort rule format. Only <em>published</em>
<div class="span9">Click these to download all network related attributes that you
have access to under the Suricata or Snort rule format. Only <em>published</em>
events and attributes marked as <em>IDS Signature</em> are exported.
Administration is able to maintain a whitelist containing host,
domain name and IP numbers to exclude from the NIDS export.