From b19e405b32e56e7e508a1fe09482c54a50ae4533 Mon Sep 17 00:00:00 2001
From: Daniel Roethlisberger
Date: Thu, 23 Aug 2018 18:35:21 +0200
Subject: [PATCH 1/8] Fix broken timestamps by using 24 hour clock and ISO 8601 date format
The event view shows a wrong "Last change", e.g. "2018/08/23 06:01:45" for "2018/08/23 18:01:45". The same problem affects the timestamp in the XML generated by IOCExportTool.php. Fix by correcting the PHP date() code "h" to "H". While here, also switch to a clearer ISO 8601 date representation for "Last change", using dashes instead of slashes for separation of year, month and day.
---
 app/Lib/Tools/IOCExportTool.php | 2 +-
 app/View/Events/view.ctp | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/Lib/Tools/IOCExportTool.php b/app/Lib/Tools/IOCExportTool.php
index 024dafab0..382438a91 100644
--- a/app/Lib/Tools/IOCExportTool.php
+++ b/app/Lib/Tools/IOCExportTool.php
@@ -55,7 +55,7 @@ class IOCExportTool {
 $temp = '';
 // We will start adding all the components that will be in the xml file here
- $date = date("Y-m-d\Th:i:s");
+ $date = date("Y-m-d\TH:i:s");
 $temp .= '' . PHP_EOL;
 $temp .= '' . PHP_EOL;
 $temp .= ' Filtered indicator list' . PHP_EOL;
diff --git a/app/View/Events/view.ctp b/app/View/Events/view.ctp
index e0bbdf150..0232e6f4f 100644
--- a/app/View/Events/view.ctp
+++ b/app/View/Events/view.ctp
@@ -170,7 +170,7 @@
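Review bot: The corrected `date("Y-m-d\TH:i:s")` still formats the server's default-timezone wall clock and emits no zone designator, so the timestamp written into the exported XML remains ambiguous for a consumer in another timezone even after the 12/24-hour fix. Emitting UTC with an explicit marker, `$date = gmdate("Y-m-d\TH:i:s\Z");`, would make the value unambiguous; if local time is intended, adding the `P` format code would at least carry the offset. The enclosing method of IOCExportTool starts and ends outside the hunk.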
- +  
From 1b7254efae1b0374ba79991fe4c8486039669e46 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 28 Aug 2018 14:42:52 +0200
Subject: [PATCH 2/8] chg: [misp-objects] updated to the latest version
---
 app/files/misp-objects | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/files/misp-objects b/app/files/misp-objects
index 3036ec875..e90b1ce45 160000
--- a/app/files/misp-objects
+++ b/app/files/misp-objects
@@ -1 +1 @@
-Subproject commit 3036ec875c3f82d2284dff8b858d2d6474f8a175
+Subproject commit e90b1ce4575c122d410f143d5205771614004d9f
From cc437a2a07a8be5d872a00ba7d01a19884488c5f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 28 Aug 2018 20:42:10 +0200
Subject: [PATCH 3/8] chg: [data-model] new bro attribute type to store rule in Bro rule-format
Fixed #3584
---
 app/Model/Attribute.php | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php
index 234826c49..bbabccf36 100644
--- a/app/Model/Attribute.php
+++ b/app/Model/Attribute.php
@@ -144,6 +144,7 @@ class Attribute extends AppModel
 'regkey|value' => array('desc' => "Registry value + data separated by |", 'default_category' => 'Persistence mechanism', 'to_ids' => 1),
 'AS' => array('desc' => 'Autonomous system', 'default_category' => 'Network activity', 'to_ids' => 0),
 'snort' => array('desc' => 'An IDS rule in Snort rule-format', 'formdesc' => "An IDS rule in Snort rule-format. This rule will be automatically rewritten in the NIDS exports.", 'default_category' => 'Network activity', 'to_ids' => 1),
+ 'bro' => array('desc' => 'An NIDS rule in the Bro rule-format', 'formdesc' => "An NIDS rule in the Bro rule-format.", 'default_category' => 'Network activity', 'to_ids' => 1),
 'pattern-in-file' => array('desc' => 'Pattern in file that identifies the malware', 'default_category' => 'Payload installation', 'to_ids' => 1),
 'pattern-in-traffic' => array('desc' => 'Pattern in network traffic that identifies the malware', 'default_category' => 'Network activity', 'to_ids' => 1),
 'pattern-in-memory' => array('desc' => 'Pattern in memory dump that identifies the malware', 'default_category' => 'Payload installation', 'to_ids' => 1),
@@ -318,7 +319,7 @@ class Attribute extends AppModel
 ),
 'Network activity' => array(
 'desc' => 'Information about network traffic generated by the malware',
- 'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-sha1', 'other', 'hex', 'cookie', 'hostname|port')
+ 'types' => array('ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-sha1', 'other', 'hex', 'cookie', 'hostname|port', 'bro')
 ),
 'Payload type' => array(
 'desc' => 'Information about the final payload(s)',
@@ -332,7 +333,7 @@ class Attribute extends AppModel
 'External analysis' => array(
 'desc' => 'Any other result from additional analysis of the malware like tools output',
 'formdesc' => 'Any other result from additional analysis of the malware like tools output Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
- 'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'mac-address', 'mac-eui-64', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'github-repository', 'other', 'cortex')
+ 'types' => array('md5', 'sha1', 'sha256','filename', 'filename|md5', 'filename|sha1', 'filename|sha256', 'ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'mac-address', 'mac-eui-64', 'hostname', 'domain', 'domain|ip', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'bro','pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'x509-fingerprint-sha1', 'x509-fingerprint-md5', 'x509-fingerprint-sha256', 'github-repository', 'other', 'cortex')
 ),
 'Financial fraud' => array(
 'desc' => 'Financial Fraud indicators',
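Review bot: The inserted `'bro','pattern-in-file'` in the `External analysis` types list drops the space after the comma that the surrounding elements use; `'snort', 'bro', 'pattern-in-file',` keeps the list readable and makes the new entry easy to spot in a later diff. The same slip recurs in the `typeGroupings` `network` list in the @@ -403 hunk (`'bro','pattern-in-traffic'`) and, inverted, in the @@ -1123 hunk where `case 'bro' :` carries a stray space before the colon unlike its sibling cases (`case 'bro':`). The enclosing array here and the switch in the later hunk both start and end outside their hunks.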
@@ -403,7 +404,7 @@ class Attribute extends AppModel
 // This helps generate quick filtering for the event view, but we may reuse this and enhance it in the future for other uses (such as the API?)
 public $typeGroupings = array(
 'file' => array('attachment', 'pattern-in-file', 'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512', 'sha512/224', 'sha512/256', 'ssdeep', 'imphash', 'impfuzzy','authentihash', 'pehash', 'tlsh', 'filename', 'filename|md5', 'filename|sha1', 'filename|sha224', 'filename|sha256', 'filename|sha384', 'filename|sha512', 'filename|sha512/224', 'filename|sha512/256', 'filename|authentihash', 'filename|ssdeep', 'filename|tlsh', 'filename|imphash', 'filename|pehash', 'malware-sample', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256', 'x509-fingerprint-md5'),
- 'network' => array('ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'mac-address', 'mac-eui-64', 'hostname', 'hostname|port', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-traffic', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256'),
+ 'network' => array('ip-src', 'ip-dst', 'ip-src|port', 'ip-dst|port', 'mac-address', 'mac-eui-64', 'hostname', 'hostname|port', 'domain', 'domain|ip', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'bro','pattern-in-traffic', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256'),
 'financial' => array('btc', 'xmr', 'iban', 'bic', 'bank-account-nr', 'aba-rtn', 'bin', 'cc-number', 'prtn', 'phone-number')
 );
@@ -1123,6 +1124,7 @@ class Attribute extends AppModel
 case 'mutex':
 case 'AS':
 case 'snort':
+ case 'bro' :
 case 'pattern-in-file':
 case 'pattern-in-traffic':
 case 'pattern-in-memory':
From 4eedf1dfd4c64deee5072f1fa59ba392510710e0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 28 Aug 2018 20:47:44 +0200
Subject: [PATCH 4/8] chg: [PyMISP] updated to the latest version
---
 PyMISP | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/PyMISP b/PyMISP
index 5d16c9717..926072369 160000
--- a/PyMISP
+++ b/PyMISP
@@ -1 +1 @@
-Subproject commit 5d16c97178453f2624ad0ffdccb06b16578401af
+Subproject commit 9260723696cee3f6caacfb5795422bbf98262589
From 4ff5f4d1abd4b8c03a35fb0233250b867c19c94d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 28 Aug 2018 21:08:44 +0200
Subject: [PATCH 5/8] chg: [PyMISP] updated to the latest version
---
 PyMISP | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/PyMISP b/PyMISP
index 926072369..7e0d91af2 160000
--- a/PyMISP
+++ b/PyMISP
@@ -1 +1 @@
-Subproject commit 9260723696cee3f6caacfb5795422bbf98262589
+Subproject commit 7e0d91af2ba3dd454d135a50e375eff7c328d097
From 923ab1bd4b9412818cb22dd19a4e5f32fe39e05a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 28 Aug 2018 16:31:33 -0400
Subject: [PATCH 6/8] fix: Old python crap.
---
 PyMISP | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/PyMISP b/PyMISP
index 7e0d91af2..f4c0b9230 160000
--- a/PyMISP
+++ b/PyMISP
@@ -1 +1 @@
-Subproject commit 7e0d91af2ba3dd454d135a50e375eff7c328d097
+Subproject commit f4c0b923054c275d405f9d5034124b0a3672e06c
From 0245d42549c8135075b8eb8a972fd088ce26ed29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 28 Aug 2018 17:34:01 -0400
Subject: [PATCH 7/8] chg: Bump PyMISP
---
 PyMISP | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/PyMISP b/PyMISP
index f4c0b9230..8b8459ce5 160000
--- a/PyMISP
+++ b/PyMISP
@@ -1 +1 @@
-Subproject commit f4c0b923054c275d405f9d5034124b0a3672e06c
+Subproject commit 8b8459ce5322a205454d87f0cf95ff042c9eb53a
From b34d99aa63a74c20582b44730e5f803a5f7995c1 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Wed, 29 Aug 2018 09:56:14 +0200
Subject: [PATCH 8/8] fix: [feeds] Custom headers / authorization broken on csv/freetext feeds, fixes #3581
---
 app/Model/Feed.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/Model/Feed.php b/app/Model/Feed.php
index 7d7f3394c..4e9676b53 100644
--- a/app/Model/Feed.php
+++ b/app/Model/Feed.php
@@ -229,7 +229,8 @@ class Feed extends AppModel
 if ($doFetch) {
 $fetchIssue = false;
 try {
- $response = $this->__getRecursive($feed['Feed']['url'], '', array());
+ $request = $this->__createFeedRequest($feed['Feed']['headers']);
+ $response = $this->__getRecursive($feed['Feed']['url'], '', $request);
 //$response = $HttpSocket->get($feed['Feed']['url'], '', array());
 } catch (Exception $e) {
 return $e->getMessage();
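Review bot: The commented-out `//$response = $HttpSocket->get($feed['Feed']['url'], '', array());` left directly under the new `__getRecursive` call is dead code, and it now documents exactly the header-less fetch this commit is fixing, so a future reader restoring it would reintroduce the bug; it should be deleted with the change. Separately, the new `$this->__createFeedRequest($feed['Feed']['headers'])` is called unconditionally; if feeds saved before the headers field existed can carry a null or absent `headers` entry, whether that is tolerated depends on `__createFeedRequest`, which is outside the hunk and worth confirming. The enclosing method starts and ends outside the hunk.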