MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity

UI Logs, documentation, memberslist and fixed bug in highlight

pull/217/head
Christophe Vandeplas 2013-05-31 17:38:46 +02:00
parent e1296bad7e
commit d3db196699
11 changed files with 369 additions and 297 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
app/Controller/LogsController.php
View File

@ -50,8 +50,8 @@ class LogsController extends AppController {
$this->recursive = 0;
$this->paginate = array(
'limit' => 60,
'maxLimit' => 9999, // LATER we will bump here on a problem once we have more than 9999 logs(?)
'conditions' => $conditions
'conditions' => $conditions,
'order' => array('Log.id' => 'DESC')
);
$this->set('list', $this->paginate());
@ -113,12 +113,11 @@ class LogsController extends AppController {
if (isset($change)) {
$conditions['LOWER(Log.change) LIKE'] = '%' . strtolower($change) . '%';
}
//$conditions['COLLATE'] = 'utf_general_ci';
$this->{$this->defaultModel}->recursive = 0;
$this->paginate = array(
'limit' => 60,
'maxLimit' => 9999, // LATER we will bump here on a problem once we have more than 9999 logs(?)
'conditions' => $conditions
'conditions' => $conditions,
'order' => array('Log.id' => 'DESC')
);
$this->set('list', $this->paginate());

18
app/View/Attributes/index.ctp
View File

@ -39,15 +39,13 @@ if ($isSearch == 1) {
<?php
$currentCount = 0;
if ($isSearch == 1) {
// build the $replacePairs variable used to highlight the keywords
$replacementArray = array();
foreach ($keywordArray as &$keywordArrayElement) {
$keywordArrayElement = trim($keywordArrayElement);
if ("" == $keywordArrayElement) continue;
$replacementArray[] = '<span style="color:red">'.$keywordArrayElement.'</span>';
}
if (!empty($replacementArray))
$replacePairs = array_combine($keywordArray, $replacementArray);
// sanitize data
foreach ($keywordArray as &$keywordArrayElement) {
$keywordArrayElement = h($keywordArrayElement);
}
// build the $replacePairs variable used to highlight the keywords
$replacePairs = $this->Highlight->build_replace_pairs($keywordArray);
}
foreach ($attributes as $attribute):
@ -75,7 +73,7 @@ foreach ($attributes as $attribute):
$sigDisplay = nl2br(h($attribute['Attribute']['value']));
if ($isSearch == 1 && !empty($replacePairs)) {
// highlight the keywords if there are any
$sigDisplay = strtr($sigDisplay, $replacePairs);
$sigDisplay = nl2br($this->Highlight->highlighter($sigDisplay, $replacePairs));
}
if ('attachment' == $attribute['Attribute']['type'] || 'malware-sample' == $attribute['Attribute']['type']) {
echo $this->Html->link($sigDisplay, array('controller' => 'attributes', 'action' => 'download', $attribute['Attribute']['id']), array('escape' => FALSE));

32
app/View/Helper/HighlightHelper.php
View File

@ -6,17 +6,33 @@ App::uses('AppHelper', 'View/Helper');
// Used for things such as searches in the logs to highlight found terms
class HighlightHelper extends AppHelper {
public function highlighter($str, $keyWords) {
if (is_array($keyWords)) {
foreach ($keyWords as $keyword) {
$keyword = trim($keyword);
$str = preg_replace('%' . $keyword . '%i', '<span style="color:red">' . $keyword . '</span>', $str);
}
return $str;
/**
* Important: data needs to be sanitized using the h() function before entering this function
* @param unknown_type $keywordArray
*/
public function build_replace_pairs($keywordArray) {
// build the $replacePairs variable used to highlight the keywords
$replacementArray = array();
if (!is_array($keywordArray)) {
$keywordArray = array($keywordArray);
}
foreach ($keywordArray as &$keywordArrayElement) {
$keywordArrayElement = trim($keywordArrayElement);
if ("" == $keywordArrayElement) continue;
$replacementArray[] = '<span style="color:red">'.$keywordArrayElement.'</span>';
}
if (!empty($replacementArray))
return array_combine($keywordArray, $replacementArray);
}
public function highlighter($str, $replacePairs) {
if (is_array($replacePairs)) {
return strtr($str, $replacePairs);
} else {
$str = preg_replace('%' . $keyWords . '%i', '<span style="color:red">' . $keyWords . '</span>', $str);
return $str;
}
}
}
?>

137
app/View/Logs/admin_index.ctp
View File

@ -1,62 +1,109 @@
<div class="logs index">
<h2><?php echo __('Logs');?></h2>
<?php
if ($isSearch == 1) {
echo "<h4>Results for all log entries";
if ($emailSearch != null) echo " for user \"<b>" . h($emailSearch) . "\"</b>";
if ($orgSearch != null) echo " of the organisation \"<b>" . h($orgSearch) . "</b>\"";
if ($actionSearch != "ALL") echo " of type \"<b>" . h($actionSearch) . "</b>\"";
if ($titleSearch != null) echo " with the title \"<b>" . h($titleSearch) . "</b>\"";
if ($changeSearch != null) echo " including the change \"<b>" . h($changeSearch) . "</b>\"";
echo ":</h4>";
}
?>
<table cellpadding="0" cellspacing="0">
<tr>
<h2>Logs</h2>
<?php
if ($isSearch == 1) {
echo "<h4>Results for all log entries";
if ($emailSearch != null) {
echo " for user \"<b>" . h($emailSearch) . "\"</b>";
$emailSearchReplacePairs = $this->Highlight->build_replace_pairs(h($emailSearch));
}
if ($orgSearch != null) {
echo " of the organisation \"<b>" . h($orgSearch) . "</b>\"";
$orgSearchReplacePairs = $this->Highlight->build_replace_pairs(h($orgSearch));
}
if ($actionSearch != "ALL") {
echo " of type \"<b>" . h($actionSearch) . "</b>\"";
$actionSearchReplacePairs = $this->Highlight->build_replace_pairs(h($actionSearch));
}
if ($titleSearch != null) {
echo " with the title \"<b>" . h($titleSearch) . "</b>\"";
$titleSearchReplacePairs = $this->Highlight->build_replace_pairs(h($titleSearch));
}
if ($changeSearch != null) {
echo " including the change \"<b>" . h($changeSearch) . "</b>\"";
$changeSearchReplacePairs = $this->Highlight->build_replace_pairs(h($changeSearch));
}
echo ":</h4>";
}
?>
<div class="pagination">
<ul>
<?php
$this->Paginator->options(array(
'update' => '.span12',
'evalScripts' => true,
'before' => '$(".progress").show()',
'complete' => '$(".progress").hide()',
));
echo $this->Paginator->prev('&laquo; ' . __('previous'), array('tag' => 'li', 'escape' => false), null, array('tag' => 'li', 'class' => 'prev disabled', 'escape' => false, 'disabledTag' => 'span'));
echo $this->Paginator->numbers(array('modulus' => 20, 'separator' => '', 'tag' => 'li', 'currentClass' => 'active', 'currentTag' => 'span'));
echo $this->Paginator->next(__('next') . ' &raquo;', array('tag' => 'li', 'escape' => false), null, array('tag' => 'li', 'class' => 'next disabled', 'escape' => false, 'disabledTag' => 'span'));
?>
</ul>
</div>
<table class="table table-striped table-hover table-condensed">
<tr>
<th><?php echo $this->Paginator->sort('id');?></th>
<!--th><?php echo $this->Paginator->sort('user_id');?></th-->
<th><?php echo $this->Paginator->sort('email');?></th>
<th><?php echo $this->Paginator->sort('org');?></th>
<th><?php echo $this->Paginator->sort('created');?></th>
<th><?php echo $this->Paginator->sort('action');?></th>
<th><?php echo $this->Paginator->sort('title');?></th>
<th><?php echo $this->Paginator->sort('change');?></th>
</tr><?php
foreach ($list as $item): ?>
<tr>
<td class="short"><?php echo h($item['Log']['id']); ?>&nbsp;</td>
<td class="short"><?php
if (isset($emailSearch)) echo ($this->Highlight->highlighter(h($item['Log']['email']), h($emailSearch)));
else echo (h($item['Log']['email'])); ?>&nbsp;</td>
<td class="short"><?php
if (isset($emailSearch)) echo ($this->Highlight->highlighter(h($item['Log']['org']), h($orgSearch)));
else echo (h($item['Log']['org'])); ?>&nbsp;</td>
<td class="short"><?php echo h($item['Log']['created']); ?>&nbsp;</td>
<td class="short"><?php
if (isset($emailSearch)) echo ($this->Highlight->highlighter(h($item['Log']['action']), h($actionSearch)));
else echo (h($item['Log']['action'])); ?>&nbsp;</td>
<td class="short"><?php
if (isset($emailSearch)) echo ($this->Highlight->highlighter(h($item['Log']['title']), h($titleSearch)));
else echo (h($item['Log']['title'])); ?>&nbsp;</td>
<td class="short"><?php
if (isset($changeSearch)) echo $this->Highlight->highlighter(h($item['Log']['change']), h($changeSearch));
else echo h($item['Log']['change']);
?>&nbsp;</td>
</tr><?php
endforeach; ?>
</tr>
<?php foreach ($list as $item): ?>
<tr>
<td class="short"><?php echo h($item['Log']['id']); ?>&nbsp;</td>
<td class="short"><?php
if ($emailSearch != null) echo nl2br($this->Highlight->highlighter(h($item['Log']['email']), $emailSearchReplacePairs));
else echo (h($item['Log']['email'])); ?>&nbsp;</td>
<td class="short"><?php
if ($orgSearch != null) echo nl2br($this->Highlight->highlighter(h($item['Log']['org']), $orgSearchReplacePairs));
else echo (h($item['Log']['org'])); ?>&nbsp;</td>
<td class="short"><?php echo h($item['Log']['created']); ?>&nbsp;</td>
<td class="short"><?php
if ($actionSearch != "ALL") echo nl2br($this->Highlight->highlighter(h($item['Log']['action']), $actionSearchReplacePairs));
else echo (h($item['Log']['action'])); ?>&nbsp;</td>
<td class="short"><?php
if ($titleSearch != null) echo nl2br($this->Highlight->highlighter(h($item['Log']['title']), $titleSearchReplacePairs));
else echo nl2br(h($item['Log']['title'])); ?>&nbsp;</td>
<td class="short"><?php
if ($changeSearch != null) echo nl2br($this->Highlight->highlighter(h($item['Log']['change']), $changeSearchReplacePairs));
else echo nl2br(h($item['Log']['change']));
?>&nbsp;</td>
</tr>
<?php endforeach; ?>
</table>
<p>
<?php
echo $this->Paginator->counter(array(
'format' => __('Page {:page} of {:pages}, showing {:current} records out of {:count} total, starting on record {:start}, ending on {:end}')
));
?> </p>
<div class="paging">
<?php
echo $this->Paginator->prev('< ' . __('previous'), array(), null, array('class' => 'prev disabled'));
echo $this->Paginator->numbers(array('separator' => ''));
echo $this->Paginator->next(__('next') . ' >', array(), null, array('class' => 'next disabled'));
?>
</p>
<div class="pagination">
<ul>
<?php
echo $this->Paginator->prev('&laquo; ' . __('previous'), array('tag' => 'li', 'escape' => false), null, array('tag' => 'li', 'class' => 'prev disabled', 'escape' => false, 'disabledTag' => 'span'));
echo $this->Paginator->numbers(array('modulus' => 20, 'separator' => '', 'tag' => 'li', 'currentClass' => 'active', 'currentTag' => 'span'));
echo $this->Paginator->next(__('next') . ' &raquo;', array('tag' => 'li', 'escape' => false), null, array('tag' => 'li', 'class' => 'next disabled', 'escape' => false, 'disabledTag' => 'span'));
?>
</ul>
</div>
</div>
<div class="actions">
<ul class="nav nav-list">
<?php
if ($isSearch == 1){
$searchClass = 'class="active"';
$listClass = '';
} else {
$searchClass = '';
$listClass = 'class="active"';
}
?>
<li <?php echo $listClass;?>><?php echo $this->Html->link('List Logs', array('admin' => true, 'action' => 'index'));?></li>
<li <?php echo $searchClass;?>><?php echo $this->Html->link('Search Logs', array('admin' => true, 'action' => 'search'));?></li>
</ul>
</div>

25
app/View/Logs/admin_search.ctp
View File

@ -1,18 +1,25 @@
<div class="logs form">
<?php echo $this->Form->create('Log');?>
<fieldset>
<legend><?php echo __('Search Log'); ?></legend>
<legend>Search Logs</legend>
<?php
echo $this->Form->input('email', array( 'label' => 'Email'));
if ($orgRestriction == false) {
echo $this->Form->input('org', array( 'label' => 'Org'));
}
echo $this->Form->input('action', array('between' => $this->Html->div('forminfo', '', array('id' => 'LogActionDiv'))));
echo $this->Form->input('title', array( 'label' => 'Title'));
echo $this->Form->input('change', array( 'label' => 'Change'));
echo $this->Form->input('action', array(
'between' => $this->Html->div('forminfo', '', array('id' => 'LogActionDiv')),
'div' => 'input clear'));
echo $this->Form->input('title', array(
'label' => 'Title',
'div' => 'input clear'));
echo $this->Form->input('change', array('label' => 'Change'));
?>
</fieldset>
<?php echo $this->Form->end(__('Search', true));?>
<?php
echo $this->Form->button('Search', array('class' => 'btn btn-primary'));
echo $this->Form->end();
?>
</div>
<script type="text/javascript">
var formInfoValues = new Array();
@ -42,4 +49,10 @@ function showFormInfo(id) {
$('#LogActionDiv').hide();
</script>
<?php echo $this->Js->writeBuffer();
<?php echo $this->Js->writeBuffer(); ?>
<div class="actions">
<ul class="nav nav-list">
<li ><?php echo $this->Html->link('List Logs', array('admin' => true, 'action' => 'index'));?></li>
<li class="active"><?php echo $this->Html->link('Search Logs', array('admin' => true, 'action' => 'search'));?></li>
</ul>
</div>

220
app/View/Pages/administration.ctp
View File

@ -1,154 +1,158 @@
<div class="index">
<b>Table of contents</b><br />
1. <?php echo $this->Html->link(__('General Layout', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?><br />
2. <?php echo $this->Html->link(__('User Management and Global Actions', true), array('controller' => 'pages', 'action' => 'display', 'user_management')); ?><br />
3. <?php echo $this->Html->link(__('Using the system', true), array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?><br />
4. <?php echo $this->Html->link(__('Administration', true), array('controller' => 'pages', 'action' => 'display', 'administration')); ?><br />
<ul>
<li>a. <a href="#blacklist">Blacklist</a></li>
<li>b. <a href="#regexp">Import Regexp</a></li>
<li>c. <a href="#whitelist">Signature Whitelist</a></li>
<li>d. <a href="#user">User Management</a></li>
<li>e. <a href="#roles">Role Management</a></li>
<li>f. <a href="#logs">Logging</a></li>
</ul>
5. <?php echo $this->Html->link(__('Categories and Types', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>
<br /><br /><hr /><br />
<div class="actions" style="width:15%">
<ol class="nav nav-list">
<li><?php echo $this->Html->link('General Layout', array('controller' => 'pages', 'action' => 'display', 'documentation')); ?></li>
<li><?php echo $this->Html->link('User Management and Global actions', array('controller' => 'pages', 'action' => 'display', 'user_management')); ?></li>
<li><?php echo $this->Html->link('Using the system', array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?></li>
<li class="active"><?php echo $this->Html->link('Administration', array('controller' => 'pages', 'action' => 'display', 'administration')); ?>
<ul class="nav nav-list">
<li><a href="#blacklist">Blacklist</a></li>
<li><a href="#regexp">Import Regexp</a></li>
<li><a href="#whitelist">Signature Whitelist</a></li>
<li><a href="#user">User Management</a></li>
<li><a href="#roles">Role Management</a></li>
<li><a href="#logs">Logging</a></li>
</ul>
</li>
<li><?php echo $this->Html->link('Categories and Types', array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?></li>
</ol>
</div>
<div class="index" style="width:80%">
<h2><a name ="blacklist"></a>Import Blacklist</h2>
It is possible to ban certain values from ever being entered into the system via an event info field or an attribute value. This is done by blacklisting the value in this section.<br /><br />
It is possible to ban certain values from ever being entered into the system via an event info field or an attribute value. This is done by blacklisting the value in this section.<br />
<h3>Adding and modifying entries</h3>
Administrators can add, edit or delete blacklisted items by using the appropriate functions in the list's action menu and the menu on the left.<br />
<br /><hr /><br />
<hr />
<h2><a name ="regexp"></a>Import Regexp</h2>
The system allows administrators to set up rules for regular expressions that will automatically alter newly entered or imported events (from GFI Sandbox).<br /><br />
The system allows administrators to set up rules for regular expressions that will automatically alter newly entered or imported events (from GFI Sandbox).<br />
<h3>The purpose of Import Regexp entries</h3>
They can be used for several things, such as unifying the capitalisation of file paths for more accurate event correlation or to automatically censor the usernames and use system path variable names (changing C:\Users\UserName\Appdata\Roaming\file.exe to %APPDATA%\file.exe).<br />
The second use is blocking, if a regular expression is entered with a blank replacement, any event info or attribute value containing the expression will not be added. Please make sure the entered regexp expression follows the preg_replace pattern rules as described <a href="http://php.net/manual/en/function.preg-replace.php">here</a>.<br /><br />
The second use is blocking, if a regular expression is entered with a blank replacement, any event info or attribute value containing the expression will not be added. Please make sure the entered regexp expression follows the preg_replace pattern rules as described <a href="http://php.net/manual/en/function.preg-replace.php">here</a>.<br />
<h3>Adding and modifying entries</h3>
Administrators can add, edit or delete regular expression rules, which are made up of a regex pattern that the system searches for and a replacement for the detected pattern.<br /><br />
Administrators can add, edit or delete regular expression rules, which are made up of a regex pattern that the system searches for and a replacement for the detected pattern.<br />
<p><img src="/img/doc/regexp.png" alt = "" title = "Add, edit or remove Regexp entries that will affect all newly created attributes here."/></p><br />
<br /><hr /><br />
<hr />
<h2><a name ="whitelist"></a>Managing the Signature whitelist</h2>
The signature whitelist view, accessible through the administration menu on the left, allows administrators to create and maintain a list of addresses that are whitelisted from ever being added to the NIDS signatures. Addresses listed here will be commented out when exporting the NIDS list.<br /><br />
The signature whitelist view, accessible through the administration menu on the left, allows administrators to create and maintain a list of addresses that are whitelisted from ever being added to the NIDS signatures. Addresses listed here will be commented out when exporting the NIDS list.<br />
<h3>Whitelisting an address:</h3>
While in the whitelist view, click on New Whitelist on the left to bring up the add whitelist view to add a new address. <br /><br />
While in the whitelist view, click on New Whitelist on the left to bring up the add whitelist view to add a new address. <br />
<h3>Managing the list:</h3>
When viewing the list of whitelisted addresses, the following pieces of information are shown: The ID of the whitelist entry (assigned automatically when a new address is added), the address itself that is being whitelisted and a set of controls allowing you to delete the entry or edit the address.<br /><br />
<img src="/img/doc/whitelist.png" alt = "Whitelist" title = "You can edit or delete currently white-listed addresses using the action buttons on this list."/><br /><br />
<br /><hr /><br />
When viewing the list of whitelisted addresses, the following pieces of information are shown: The ID of the whitelist entry (assigned automatically when a new address is added), the address itself that is being whitelisted and a set of controls allowing you to delete the entry or edit the address.<br />
<img src="/img/doc/whitelist.png" alt = "Whitelist" title = "You can edit or delete currently white-listed addresses using the action buttons on this list."/><br />
<hr />
<h2><a name ="user"></a>Managing the users:</h2>
As an admin, you can set up new accounts for users, edit the profiles of users, delete them, or just have a look at all the viewers' profiles. Organisation admins are restricted to executing the same actions on their organisation's users only.<br /><br />
As an admin, you can set up new accounts for users, edit the profiles of users, delete them, or just have a look at all the viewers' profiles. Organisation admins are restricted to executing the same actions on their organisation's users only.<br />
<img src="/img/doc/add_user.png" alt = "Add user" style="float:right;" title = "Fill this form out to add a new user. Keep in mind that the drop-down menu titled Role controls the privileges the user will have."/>
<h3>Adding a new user:</h3>
To add a new user, click on the New User button in the administration menu to the left and fill out the following fields in the view that is loaded:<br /><br />
To add a new user, click on the New User button in the administration menu to the left and fill out the following fields in the view that is loaded:<br />
<ul>
<li><em>Email:</em> The user's e-mail address, this will be used as his/her login name and as an address to send all the automatic e-mails and e-mails sent by contacting the user as the reporter of an event.<br /><br /></li>
<li><em>Password:</em> A temporary password for the user that he/she should change after the first login. Make sure that it is at least 6 characters long, includes a digit or a special character and contains at least one upper-case and at least one lower-case character.<br /><br /></li>
<li><em>Confirm Password:</em> This should be an exact copy of the Password field.<br /><br /></li>
<li><em>Org:</em>The organisation of the user. Entering ADMIN into this field will give administrator privileges to the user. If you are an organisation admin, then this field will be unchangeable and be set to your own organisation.<br /><br /></li>
<li><em>Roles:</em> A drop-down list allows you to choose a role-group that the user should belong to. Roles define the privileges of the user. To learn more about roles, <a href=#roles>click here</a>.<br /><br /></li>
<li><em>Receive alerts when events are published:</em> This option will subscribe the new user to automatically generated e-mails whenever an event is published.<br /><br /></li>
<li><em>Receive alerts from "contact reporter" requests:</em> This option will subscribe the new user to e-mails that are generated when another user tries to get in touch with an event's reporting organisation that matches that of the new user.<br /><br /></li>
<li><em>Authkey:</em> This is assigned automatically and is the unique authentication key of the user (he/she will be able to reset this and receive a new key). It is used for exports and for connecting one server to another, but it requires the user to be assigned to a role that has auth permission enabled.<br /><br /></li>
<li><em>NIDS Sid:</em> Nids ID, not yet implemented.<br /><br /></li>
<li><em>Gpgkey:</em> The key used for encrypting e-mails sent through the system. <br /><br /></li>
<li><em>Email:</em> The user's e-mail address, this will be used as his/her login name and as an address to send all the automatic e-mails and e-mails sent by contacting the user as the reporter of an event.<br /></li>
<li><em>Password:</em> A temporary password for the user that he/she should change after the first login. Make sure that it is at least 6 characters long, includes a digit or a special character and contains at least one upper-case and at least one lower-case character.<br /></li>
<li><em>Confirm Password:</em> This should be an exact copy of the Password field.<br /></li>
<li><em>Org:</em>The organisation of the user. Entering ADMIN into this field will give administrator privileges to the user. If you are an organisation admin, then this field will be unchangeable and be set to your own organisation.<br /></li>
<li><em>Roles:</em> A drop-down list allows you to choose a role-group that the user should belong to. Roles define the privileges of the user. To learn more about roles, <a href=#roles>click here</a>.<br /></li>
<li><em>Receive alerts when events are published:</em> This option will subscribe the new user to automatically generated e-mails whenever an event is published.<br /></li>
<li><em>Receive alerts from "contact reporter" requests:</em> This option will subscribe the new user to e-mails that are generated when another user tries to get in touch with an event's reporting organisation that matches that of the new user.<br /></li>
<li><em>Authkey:</em> This is assigned automatically and is the unique authentication key of the user (he/she will be able to reset this and receive a new key). It is used for exports and for connecting one server to another, but it requires the user to be assigned to a role that has auth permission enabled.<br /></li>
<li><em>NIDS Sid:</em> Nids ID, not yet implemented.<br /></li>
<li><em>Gpgkey:</em> The key used for encrypting e-mails sent through the system. <br /></li>
</ul>
<h3>Listing all users:</h3>
To list all current users of the system, just click on List Users under the administration menu to the left. A view will be loaded with a list of all users and the following columns of information:<br /><br />
<img src="/img/doc/list_users.png" alt = "List users" title = "View, Edit or Delete a user using the action buttons to the right."/><br /><br />
To list all current users of the system, just click on List Users under the administration menu to the left. A view will be loaded with a list of all users and the following columns of information:<br />
<img src="/img/doc/list_users.png" alt = "List users" title = "View, Edit or Delete a user using the action buttons to the right."/><br />
<ul>
<li><em>Id:</em> The user's automatically assigned ID number.<br /><br /></li>
<li><em>Org:</em> The organisation that the user belongs to.<br /><br /></li>
<li><em>Email:</em> The e-mail address (and login name) of the user.<br /><br /></li>
<li><em>Autoalert:</em> Shows whether the user has subscribed to auto-alerts and is always receiving the mass-emails regarding newly published events that he/she is eligible for.<br /><br /></li>
<li><em>ontactalert:</em> Shows whether the user has the subscription to contact reporter e-mails directed at his/her organisation turned on or off.<br /><br /></li>
<li><em>Gpgkey:</em> Shows whether the user has entered a Gpgkey yet.<br /><br /></li>
<li><em>Nids Sid:</em> Shows the currently assigned NIDS ID.<br /><br /></li>
<li><em>Termsaccepted:</em> This flag indicates whether the user has accepted the terms of use or not.<br /><br /></li>
<li><em>Newsread:</em> The last point in time when the user has looked at the news section of the system.<br /><br /></li>
<li><em>Action Buttons:</em> Here you can view a detailed view of a user, edit the basic details of a user (same view as the one used for creating a new user, but all the fields come filled out by default) or remove a user completely. <br /><br /></li>
<li><em>Id:</em> The user's automatically assigned ID number.<br /></li>
<li><em>Org:</em> The organisation that the user belongs to.<br /></li>
<li><em>Email:</em> The e-mail address (and login name) of the user.<br /></li>
<li><em>Autoalert:</em> Shows whether the user has subscribed to auto-alerts and is always receiving the mass-emails regarding newly published events that he/she is eligible for.<br /></li>
<li><em>ontactalert:</em> Shows whether the user has the subscription to contact reporter e-mails directed at his/her organisation turned on or off.<br /></li>
<li><em>Gpgkey:</em> Shows whether the user has entered a Gpgkey yet.<br /></li>
<li><em>Nids Sid:</em> Shows the currently assigned NIDS ID.<br /></li>
<li><em>Termsaccepted:</em> This flag indicates whether the user has accepted the terms of use or not.<br /></li>
<li><em>Newsread:</em> The last point in time when the user has looked at the news section of the system.<br /></li>
<li><em>Action Buttons:</em> Here you can view a detailed view of a user, edit the basic details of a user (same view as the one used for creating a new user, but all the fields come filled out by default) or remove a user completely. <br /></li>
</ul>
<h3>Editing a user:</h3>
To add a new user, click on the New User button in the administration menu to the left and fill out the following fields in the view that is loaded:<br /><br />
To add a new user, click on the New User button in the administration menu to the left and fill out the following fields in the view that is loaded:<br />
<ul>
<li><em>Email:</em> The user's e-mail address, this will be used as his/her login name and as an address to send all the automatic e-mails and e-mails sent by contacting the user as the reporter of an event.<br /><br /></li>
<li><em>Password:</em> It is possible to assign a new password manually for a user. For example, in case that he/she forgot the old one a new temporary one can be assigned. Make sure to check the "Change password" field if you do give out a temporary password, so that the user will be forced to change it after login.<br /><br /></li>
<li><em>Confirm Password:</em> This should be an exact copy of the Password field.<br /><br /></li>
<li><em>Org:</em>The organisation of the user. Entering ADMIN into this field will give administrator privileges to the user. If you are an organisation admin, then this field will be unchangeable and be set to your own organisation.<br /><br /></li>
<li><em>Roles:</em> A drop-down list allows you to choose a role-group that the user should belong to. Roles define the privileges of the user. To learn more about roles, <a href=#roles>click here</a>.<br /><br /></li>
<li><em>Receive alerts when events are published:</em> This option will subscribe the user to automatically generated e-mails whenever an event is published.<br /><br /></li>
<li><em>Receive alerts from "contact reporter" requests:</em> This option will subscribe the user to e-mails that are generated when another user tries to get in touch with an event's reporting organisation that matches that of the user.<br /><br /></li>
<li><em>Authkey:</em> It is possible to request a new authentication key for the user. <br /><br /></li>
<li><em>NIDS Sid:</em> Nids ID, not yet implemented.<br /><br /></li>
<li><em>Termsaccepted:</em> Indicates whether the user has accepted the terms of use already or not.<br /><br /></li>
<li><em>Change Password:</em> Setting this flag will require the user to change password after the next login.<br /><br /></li>
<li><em>Gpgkey:</em> The key used for encrypting e-mails sent through the system. <br /><br /></li>
<li><em>Email:</em> The user's e-mail address, this will be used as his/her login name and as an address to send all the automatic e-mails and e-mails sent by contacting the user as the reporter of an event.<br /></li>
<li><em>Password:</em> It is possible to assign a new password manually for a user. For example, in case that he/she forgot the old one a new temporary one can be assigned. Make sure to check the "Change password" field if you do give out a temporary password, so that the user will be forced to change it after login.<br /></li>
<li><em>Confirm Password:</em> This should be an exact copy of the Password field.<br /></li>
<li><em>Org:</em>The organisation of the user. Entering ADMIN into this field will give administrator privileges to the user. If you are an organisation admin, then this field will be unchangeable and be set to your own organisation.<br /></li>
<li><em>Roles:</em> A drop-down list allows you to choose a role-group that the user should belong to. Roles define the privileges of the user. To learn more about roles, <a href=#roles>click here</a>.<br /></li>
<li><em>Receive alerts when events are published:</em> This option will subscribe the user to automatically generated e-mails whenever an event is published.<br /></li>
<li><em>Receive alerts from "contact reporter" requests:</em> This option will subscribe the user to e-mails that are generated when another user tries to get in touch with an event's reporting organisation that matches that of the user.<br /></li>
<li><em>Authkey:</em> It is possible to request a new authentication key for the user. <br /></li>
<li><em>NIDS Sid:</em> Nids ID, not yet implemented.<br /></li>
<li><em>Termsaccepted:</em> Indicates whether the user has accepted the terms of use already or not.<br /></li>
<li><em>Change Password:</em> Setting this flag will require the user to change password after the next login.<br /></li>
<li><em>Gpgkey:</em> The key used for encrypting e-mails sent through the system. <br /></li>
</ul>
<h3>Contacting a user:</h3>
Site admins can use the "Contact users" feature to send all or an individual user an e-mail. Users that have a PGP key set will receive their e-mails encrypted. When clicking this button on the left, you'll be presented with a form that allows you to specify the type of the e-mail, who it should reach and what the content is using the following options:<br /><br />
<img src="/img/doc/contact.png" alt = "Contact" title = "Contact your users here."/><br /><br />
Site admins can use the "Contact users" feature to send all or an individual user an e-mail. Users that have a PGP key set will receive their e-mails encrypted. When clicking this button on the left, you'll be presented with a form that allows you to specify the type of the e-mail, who it should reach and what the content is using the following options:<br />
<img src="/img/doc/contact.png" alt = "Contact" title = "Contact your users here."/><br />
<ul>
<li><em>Action:</em> This defines the type of the e-mail, which can be a custom message or a password reset. Password resets automatically include a new temporary password at the bottom of the message and will automatically change the user's password accordingly.<br /><br /></li>
<li><em>Recipient:</em> The recipient toggle lets you contact all your users, a single user (which creates a second drop-down list with all the e-mail addresses of the users) and potential future users (which opens up a text field for the e-mail address and a text area field for a PGP public key).<br /><br /></li>
<li><em>Subject:</em> In the case of a custom e-mail, you can enter a subject line here.<br /><br /></li>
<li><em>Subject:</em> In the case of a custom e-mail, you can enter a subject line here.<br /><br /></li>
<li><em>Custom message checkbox:</em> This is available for password resets, you can either write your own message (which will be appended with a temporary key and the signature), or let the system generate one automatically.<br /><br /></li>
<li><em>Action:</em> This defines the type of the e-mail, which can be a custom message or a password reset. Password resets automatically include a new temporary password at the bottom of the message and will automatically change the user's password accordingly.<br /></li>
<li><em>Recipient:</em> The recipient toggle lets you contact all your users, a single user (which creates a second drop-down list with all the e-mail addresses of the users) and potential future users (which opens up a text field for the e-mail address and a text area field for a PGP public key).<br /></li>
<li><em>Subject:</em> In the case of a custom e-mail, you can enter a subject line here.<br /></li>
<li><em>Subject:</em> In the case of a custom e-mail, you can enter a subject line here.<br /></li>
<li><em>Custom message checkbox:</em> This is available for password resets, you can either write your own message (which will be appended with a temporary key and the signature), or let the system generate one automatically.<br /></li>
</ul>
Keep in mind that all e-mails sent through this system will, in addition to your own message, will be signed in the name of the instance's host organisation's support team, will include the e-mail address of the instance's support (if the contact field is set in the bootstrap file), and will include the instance's PGP signature for users that have a PGP key set (and thus are eligible for an encrypted e-mail).
<br /><hr /><br />
<hr />
<h2><a name ="roles"></a>Managing the roles</h2>
Privileges are assigned to users by assigning them to rule groups, which use one of four options determining what they can do with events and four additional privilege elevating settings. The four options for event manipulation are: Read Only, Manage My Own Events, Manage Organisation Events, Manage &amp; Publish Organisation Events. The extra privileges are admin, sync, authentication key usage and audit permission<br /><br />
<em>Read Only:</em> This allows the user to browse events that his organisation has access to, but doesn't allow any changes to be made to the database. <br /><br />
<em>Manage My Own Events:</em> The second option, gives its users rights to create, modify or delete their own events, but they cannot publish them. <br /><br />
<em>Manage Organization Events:</em> allows users to create events or modify and delete events created by a member of their organisation. <br /><br />
<em>Manage &amp; Publish Organisation Events:</em> This last setting, gives users the right to do all of the above and also to publish the events of their organisation.<br /><br />
<em>Perm sync:</em> This setting allows the users of the role to be used as a synchronisation user. The authentication key of this user can be handed out to the administrator of a remote MISP instance to allow the synchronisation features to work.<br /><br />
<em>Perm admin:</em> Gives the user administrator privileges, this setting is used for the organisation admins. <br /><br />
<em>Perm audit:</em> Grants access to the logs. With the exception of site admins, only logs generated by the user's own org are visible. <br /><br />
<em>Perm auth:</em> This setting enables the authentication key of the role's users to be used for rest requests. <br /><br />
Privileges are assigned to users by assigning them to rule groups, which use one of four options determining what they can do with events and four additional privilege elevating settings. The four options for event manipulation are: Read Only, Manage My Own Events, Manage Organisation Events, Manage &amp; Publish Organisation Events. The extra privileges are admin, sync, authentication key usage and audit permission<br />
<em>Read Only:</em> This allows the user to browse events that his organisation has access to, but doesn't allow any changes to be made to the database. <br />
<em>Manage My Own Events:</em> The second option, gives its users rights to create, modify or delete their own events, but they cannot publish them. <br />
<em>Manage Organization Events:</em> allows users to create events or modify and delete events created by a member of their organisation. <br />
<em>Manage &amp; Publish Organisation Events:</em> This last setting, gives users the right to do all of the above and also to publish the events of their organisation.<br />
<em>Perm sync:</em> This setting allows the users of the role to be used as a synchronisation user. The authentication key of this user can be handed out to the administrator of a remote MISP instance to allow the synchronisation features to work.<br />
<em>Perm admin:</em> Gives the user administrator privileges, this setting is used for the organisation admins. <br />
<em>Perm audit:</em> Grants access to the logs. With the exception of site admins, only logs generated by the user's own org are visible. <br />
<em>Perm auth:</em> This setting enables the authentication key of the role's users to be used for rest requests. <br />
<h3>Creating roles:</h3>
When creating a new role, you will have to enter a name for the role to be created and set up the permissions (as described above) using the radio toggle and the four check-boxes.<br /><br />
When creating a new role, you will have to enter a name for the role to be created and set up the permissions (as described above) using the radio toggle and the four check-boxes.<br />
<h3>Listing roles:</h3>
By clicking on the List Roles button, you can view a list of all the currently registered roles and a list of the permission flags turned on for each. In addition, you can find buttons that allow you to edit and delete the roles. Keep in mind that you will need to first remove every member from a role before you can delete it.<br /><br />
<img src="/img/doc/list_groups.png" alt = "List roles" title = "You can View, Edit or Delete roles using the action buttons to the right in each row. Keep in mind that a role has to be devoid of members before it can be deleted."/><br /><br />
<br /><hr /><br />
By clicking on the List Roles button, you can view a list of all the currently registered roles and a list of the permission flags turned on for each. In addition, you can find buttons that allow you to edit and delete the roles. Keep in mind that you will need to first remove every member from a role before you can delete it.<br />
<img src="/img/doc/list_groups.png" alt = "List roles" title = "You can View, Edit or Delete roles using the action buttons to the right in each row. Keep in mind that a role has to be devoid of members before it can be deleted."/><br />
<hr />
<h2><a name ="logs"></a>Using the logs of MISP</h2>
Users with audit permissions are able to browse or search the logs that MISP automatically appends each time certain actions are taken (actions that modify data or if a user logs in and out).<br /><br />
Generally, the following actions are logged:<br /><br />
Users with audit permissions are able to browse or search the logs that MISP automatically appends each time certain actions are taken (actions that modify data or if a user logs in and out).<br />
Generally, the following actions are logged:<br />
<ul>
<li><em>User:</em> Creation, deletion, modification, Login / Logout<br /><br /></li>
<li><em>Event:</em>Creation, deletion, modification, publishing<br /><br /></li>
<li><em>Attribute:</em> Creation, deletion, modification<br /><br /></li>
<li><em>Roles:</em> Creation, deletion, modification<br /><br /></li>
<li><em>Blacklist:</em> Creation, deletion, modification<br /><br /></li>
<li><em>Whitelist:</em> Creation, deletion, modification<br /><br /></li>
<li><em>User:</em> Creation, deletion, modification, Login / Logout<br /></li>
<li><em>Event:</em>Creation, deletion, modification, publishing<br /></li>
<li><em>Attribute:</em> Creation, deletion, modification<br /></li>
<li><em>Roles:</em> Creation, deletion, modification<br /></li>
<li><em>Blacklist:</em> Creation, deletion, modification<br /></li>
<li><em>Whitelist:</em> Creation, deletion, modification<br /></li>
<li><em>Regexp:</em> Creation, deletion, modification</li>
</ul>
<br />
<h3>Browsing the logs:</h3>
Listing all the log entries will show the following columns generated by the users of your organisation (or all organisations in the case of site admins):<br /><br />
<img src="/img/doc/list_logs.png" alt = "List logs" title = "Here you can view a list of all logged actions."/><br /><br />
Listing all the log entries will show the following columns generated by the users of your organisation (or all organisations in the case of site admins):<br />
<img src="/img/doc/list_logs.png" alt = "List logs" title = "Here you can view a list of all logged actions."/><br />
<ul>
<li><em>Id:</em> The automatically assigned ID number of the entry.<br /><br /></li>
<li><em>Email:</em> The e-mail address of the user whose actions triggered the entry.<br /><br /></li>
<li><em>Org:</em> The organisation of the above mentioned user.<br /><br /></li>
<li><em>Created:</em> The date and time when the entry originated.<br /><br /></li>
<li><em>Action:</em> The action's type. This can include: login/logout for users, add, edit, delete for events, attributes, users and servers.<br /><br /></li>
<li><em>Title:</em> The title of an event always includes the target type (Event, User, Attribute, Server), the target's ID and the target's name (for example: e-mail address for users, event description for events).<br /><br /></li>
<li><em>Id:</em> The automatically assigned ID number of the entry.<br /></li>
<li><em>Email:</em> The e-mail address of the user whose actions triggered the entry.<br /></li>
<li><em>Org:</em> The organisation of the above mentioned user.<br /></li>
<li><em>Created:</em> The date and time when the entry originated.<br /></li>
<li><em>Action:</em> The action's type. This can include: login/logout for users, add, edit, delete for events, attributes, users and servers.<br /></li>
<li><em>Title:</em> The title of an event always includes the target type (Event, User, Attribute, Server), the target's ID and the target's name (for example: e-mail address for users, event description for events).<br /></li>
<li><em>Change:</em> This field is only filled out for entries with the action being add or edit. The changes are detailed in the following format:<br />
<i>variable (initial_value)</i> =&gt; <i>(new_value)</i>,...<br />
When the entry is about the creation of a new item (such as adding a new event) then the change will look like this for example:<br />
<i>org()</i> =&gt; <i>(ADMIN)</i>, <i>date()</i> =&gt; <i>(20012-10-19)</i>,... <br /><br />
<i>org()</i> =&gt; <i>(ADMIN)</i>, <i>date()</i> =&gt; <i>(20012-10-19)</i>,... <br />
</ul>
<img src="/img/doc/search_log.png" alt = "Search log" style="float:right;" title = "You can search the logs using this form, narrow down your search by filling out several fields."/>
<h3>Searching the Logs:</h3>
Another way to browse the logs is to search it by filtering the results according to the following fields (the search is a sub-string search, the sub-string has to be an exact match for the entry in the field that is being searched for):<br /><br />
Another way to browse the logs is to search it by filtering the results according to the following fields (the search is a sub-string search, the sub-string has to be an exact match for the entry in the field that is being searched for):<br />
<ul>
<li><em>Email:</em> By searching by Email, it is possible to view the log entries of a single user.<br /><br /></li>
<li><em>Org:</em> Searching for an organisation allows you to see all actions taken by any member of the organisation.<br /><br /></li>
<li><em>Action:</em> With the help of this drop down menu, you can search for various types of actions taken (such as logins, deletions, etc).<br /><br /></li>
<li><em>Title:</em> There are several ways in which to use this field, since the title fields contain several bits of information and the search searches for any substrings contained within the field, it is possible to just search for the ID number of a logged event, the username / server's name / event's name / attribute's name of the event target.<br /><br /></li>
<li><em>Change:</em> With the help of this field, you can search for various specific changes or changes to certain variables (such as published will find all the log entries where an event has gotten published, ip-src will find all attributes where a source IP address has been entered / edited, etc).<br /><br /></li>
<li><em>Email:</em> By searching by Email, it is possible to view the log entries of a single user.<br /></li>
<li><em>Org:</em> Searching for an organisation allows you to see all actions taken by any member of the organisation.<br /></li>
<li><em>Action:</em> With the help of this drop down menu, you can search for various types of actions taken (such as logins, deletions, etc).<br /></li>
<li><em>Title:</em> There are several ways in which to use this field, since the title fields contain several bits of information and the search searches for any substrings contained within the field, it is possible to just search for the ID number of a logged event, the username / server's name / event's name / attribute's name of the event target.<br /></li>
<li><em>Change:</em> With the help of this field, you can search for various specific changes or changes to certain variables (such as published will find all the log entries where an event has gotten published, ip-src will find all attributes where a source IP address has been entered / edited, etc).<br /></li>
</ul>
</div>

73
app/View/Pages/categories_and_types.ctp
View File

@ -1,11 +1,13 @@
<div class="index">
<b>Table of contents</b><br />
1. <?php echo $this->Html->link(__('General Layout', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?><br />
2. <?php echo $this->Html->link(__('User Management and Global Actions', true), array('controller' => 'pages', 'action' => 'display', 'user_management')); ?><br />
3. <?php echo $this->Html->link(__('Using the system', true), array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?><br />
4. <?php echo $this->Html->link(__('Administration', true), array('controller' => 'pages', 'action' => 'display', 'administration')); ?><br />
5. <?php echo $this->Html->link(__('Categories and Types', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>
<br /><br /><hr /><br />
<div class="actions" style="width:15%">
<ol class="nav nav-list">
<li><?php echo $this->Html->link('General Layout', array('controller' => 'pages', 'action' => 'display', 'documentation')); ?></li>
<li><?php echo $this->Html->link('User Management and Global actions', array('controller' => 'pages', 'action' => 'display', 'user_management')); ?></li>
<li><?php echo $this->Html->link('Using the system', array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?></li>
<li><?php echo $this->Html->link('Administration', array('controller' => 'pages', 'action' => 'display', 'administration')); ?></li>
<li class="active"><?php echo $this->Html->link('Categories and Types', array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?></li>
</ol>
</div>
<div class="index" style="width:80%">
<?php
// Load the Attribute model to extract the documentation from the defintions
App::import('Model', 'Attribute');
@ -13,83 +15,68 @@ $attr = new Attribute();
?>
<h2>Attribute Categories and Types</h2>
<h3>Attribute Categories vs Types</h3>
<table summary = "">
<table class="table table-striped table-hover table-condensed table-bordered">
<tr>
<th>
Category
</th>
<th>Category</th>
<?php foreach ($attr->categoryDefinitions as $cat => $catDef): ?>
<th style="width:5%; text-align:center; white-space:normal">
<?php echo $cat; ?>
</th>
<?php
endforeach;
?>
<?php endforeach; ?>
<th>Category</th>
</tr>
<?php foreach ($attr->typeDefinitions as $type => $def): ?>
<tr>
<td>
<?php echo $type; ?>
</td>
<?php
foreach ($attr->categoryDefinitions as $cat => $catDef):
?>
<th><?php echo $type; ?></th>
<?php foreach ($attr->categoryDefinitions as $cat => $catDef): ?>
<td style="text-align:center">
<?php echo in_array($type, $catDef['types'])? 'X' : ''; ?>
</td>
<?php
endforeach;
?>
<?php
endforeach;
?>
<?php endforeach; ?>
<th><?php echo $type; ?></th>
<?php endforeach; ?>
</tr>
<tr>
<th>Category</th>
<?php foreach ($attr->categoryDefinitions as $cat => $catDef): ?>
<th style="width:5%; text-align:center; white-space:normal"><?php echo $cat; ?></th>
<?php
endforeach;
?>
<?php endforeach; ?>
<th>Category</th>
</tr>
</table>
<h3>Categories</h3>
<table summary = "">
<table class="table table-striped table-condensed table-bordered">
<tr>
<th>Category</th>
<th>Description</th>
</tr>
<?php foreach ($attr->categoryDefinitions as $cat => $def): ?>
<tr>
<td>
<th>
<?php echo $cat; ?>
</td>
</th>
<td>
<?php echo isset($def['formdesc'])? $def['formdesc'] : $def['desc']; ?>
</td>
</td>
</tr>
<?php
endforeach;
?>
<?php endforeach; ?>
</table>
<h3>Types</h3>
<table summary = "">
<table class="table table-striped table-condensed table-bordered">
<tr>
<th>Type</th>
<th>Description</th>
</tr>
<?php foreach ($attr->typeDefinitions as $type => $def): ?>
<tr>
<td>
<th>
<?php echo $type; ?>
</td>
</th>
<td>
<?php echo isset($def['formdesc'])? $def['formdesc'] : $def['desc']; ?>
</td>
<?php
endforeach;
?>
</tr>
<?php endforeach;?>
</table>

51
app/View/Pages/documentation.ctp
View File

@ -1,54 +1,57 @@
<div class="index">
<b>Table of contents</b><br />
1. <?php echo $this->Html->link(__('General Layout', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?><br />
2. <?php echo $this->Html->link(__('User Management and Global actions', true), array('controller' => 'pages', 'action' => 'display', 'user_management')); ?><br />
3. <?php echo $this->Html->link(__('Using the system', true), array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?><br />
4. <?php echo $this->Html->link(__('Administration', true), array('controller' => 'pages', 'action' => 'display', 'administration')); ?><br />
5. <?php echo $this->Html->link(__('Categories and Types', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?><br />
<br /><hr /><br />
<h2>General Layout</h2><br />
<div class="actions" style="width:15%">
<ol class="nav nav-list">
<li class="active"><?php echo $this->Html->link('General Layout', array('controller' => 'pages', 'action' => 'display', 'documentation')); ?></li>
<li><?php echo $this->Html->link('User Management and Global actions', array('controller' => 'pages', 'action' => 'display', 'user_management')); ?></li>
<li><?php echo $this->Html->link('Using the system', array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?></li>
<li><?php echo $this->Html->link('Administration', array('controller' => 'pages', 'action' => 'display', 'administration')); ?></li>
<li><?php echo $this->Html->link('Categories and Types', array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?></li>
</ol>
</div>
<div class="index" style="width:80%">
<h2>General Layout</h2>
<h3>The top bar</h3>
The top bar's only interactive part is a link to the MISP system itself - this will redirect the user to the default view of the site, which is the List Events view.<br /><br />
The top bar's only interactive part is a link to the MISP system itself - this will redirect the user to the default view of the site, which is the List Events view.<br />
<h3>The left menu</h3>
This menu contains all of the main functions of the site as a series of buttons.<br /><br />
This menu contains all of the main functions of the site as a series of buttons.<br />
<p><img src="/img/doc/menu_image.png" alt = "" style="float:right;" title = "This is the main menu that will be accessible from all of the views. In some instances, some additional buttons that will appear on top of these when a view provides it."/></p>
<ul>
<li><em>New Event:</em> Allows you to create a new event.</li>
<li><em>List Events:</em> You can browse all the currently stored events here.</li>
<li><em>List Attributes:</em> You can browse all the currently stored attributes of events here.</li>
<li><em>Search Attributes:</em> Search for and filter a list of attributes.</li>
<li><em>Export:</em> Export various types of data from the system for NIDSs or other uses.<br /><br /></li></ul>
<i><u>Global Actions</u></i><br /><br />
<li><em>Export:</em> Export various types of data from the system for NIDSs or other uses.<br /></li></ul>
<i><u>Global Actions</u></i><br />
<ul>
<li><em>News:</em> Read about the latest news regarding the MISP system</li>
<li><em>My Profile:</em> Manage your user account.</li>
<li><em>Members List:</em> View the number of users per organisation and get some statistics about the currently stored attributes.</li>
<li><em>User Guide:</em> A link to this user guide.</li>
<li><em>Terms &amp; Conditions:</em> View the terms &amp; conditions again.</li>
<li><em>Log out:</em> Logs the current user out.<br /><br /></li></ul>
<i><u>Sync Actions</u></i><br /><br />
<li><em>Log out:</em> Logs the current user out.<br /></li></ul>
<i><u>Sync Actions</u></i><br />
<ul>
<li><em>List Servers:</em> Connect your MISP instance to other instances, or view and modify the currently established connections.<br /><br /></li></ul>
<i><u>Input Filters</u></i><br /><br />
<li><em>List Servers:</em> Connect your MISP instance to other instances, or view and modify the currently established connections.<br /></li></ul>
<i><u>Input Filters</u></i><br />
<ul>
<li><em>Import Blacklist:</em> Create, modify or delete blacklisted strings. These will stop any matching events/attributes from being entered into the system.</li>
<li><em>Import Regexp:</em> Create, modify or delete regular expressions and their replacements. Each time an event / attribute is created or modified, they will be parsed and found expressions will be replaced.</li>
<li><em>Signature Whitelist:</em> View and manage the list of whitelisted addresses. These, if contained in attributes, will be blocked from the NIDS signature exports.<br /><br /></li></ul>
<i><u>Administration</u></i><br /><br />
<li><em>Signature Whitelist:</em> View and manage the list of whitelisted addresses. These, if contained in attributes, will be blocked from the NIDS signature exports.<br /></li></ul>
<i><u>Administration</u></i><br />
<ul>
<li><em>New User:</em> Create an account for a new user.</li>
<li><em>List Users:</em> View, modify or delete the currently registered users.</li>
<li><em>New Role:</em> Create a new role group for the users of this instance, controlling their privileges to create, modify, delete and to publish events.</li>
<li><em>List Roles:</em> List, modify or delete currently existing roles.<br /><br /></li></ul>
<i><u>Audit</u></i><br /><br />
<li><em>List Roles:</em> List, modify or delete currently existing roles.<br /></li></ul>
<i><u>Audit</u></i><br />
<ul>
<li><em>List Logs:</em> View the logs of the instance.</li>
<li><em>Search Logs:</em> Search the logs by various attributes.<br /><br /></li></ul>
<li><em>Search Logs:</em> Search the logs by various attributes.<br /></li></ul>
<h3>The main area</h3>
This is where all the views (navigated to via the menu buttons) will be displayed. In general, there are two main view types, information views (which list the currently stored data and allow you to modify it) and form views (allowing you to enter or alter data). All lists are organised in such a way that all the information columns are on the left and every line of data can be modified or viewed in more detail on the right-most column, titled "Actions". All lists display a certain set number of the most recent items, but page control buttons at the bottom allow you to browse older entries.<br /><br />
This is where all the views (navigated to via the menu buttons) will be displayed. In general, there are two main view types, information views (which list the currently stored data and allow you to modify it) and form views (allowing you to enter or alter data). All lists are organised in such a way that all the information columns are on the left and every line of data can be modified or viewed in more detail on the right-most column, titled "Actions". All lists display a certain set number of the most recent items, but page control buttons at the bottom allow you to browse older entries.<br />
<h3>The bottom bar</h3>
Contains a link to download the gpg key used for encrypting the e-mails sent through the system and the current version number - if you are logged in.<br /><br />
Contains a link to download the gpg key used for encrypting the e-mails sent through the system and the current version number - if you are logged in.<br />
<p><img src="/img/doc/bottom_bar.png" alt = "" style="float:left;" title = "Download your PGP/GPG key using the link on the bottom bar or log out."/></p><br />
</div>

34
app/View/Pages/user_management.ctp
View File

@ -1,18 +1,20 @@
<div class="index">
<b>Table of contents</b><br>
1. <?php echo $this->Html->link(__('General Layout', true),array('controller' => 'pages', 'action' => 'display','documentation')); ?><br>
2. <?php echo $this->Html->link(__('User Management and Global Actions', true), array('controller' => 'pages', 'action' => 'display', 'user_management')); ?><br>
<ul>
<li>a. <a href="#first_run">First run of the system</a></li>
<li>b. <a href="#manage">Managing your account</a></li>
<li>c. <a href="#uptodate">Staying up to date</a></li>
</ul>
3. <?php echo $this->Html->link(__('Using the system', true),array('controller' => 'pages', 'action' => 'display','using_the_system')); ?><br>
4. <?php echo $this->Html->link(__('Administration', true),array('controller' => 'pages', 'action' => 'display','administration')); ?><br>
5. <?php echo $this->Html->link(__('Categories and Types', true),array('controller' => 'pages', 'action' => 'display','categories_and_types')); ?><br>
<br /><hr /><br />
<div class="actions" style="width:15%">
<ol class="nav nav-list">
<li><?php echo $this->Html->link('General Layout', array('controller' => 'pages', 'action' => 'display', 'documentation')); ?></li>
<li class="active"><?php echo $this->Html->link('User Management and Global actions', array('controller' => 'pages', 'action' => 'display', 'user_management')); ?>
<ul class="nav nav-list">
<li><a href="#first_run">First run of the system</a></li>
<li><a href="#manage">Managing your account</a></li>
<li><a href="#uptodate">Staying up to date</a></li>
</ul>
</li>
<li><?php echo $this->Html->link('Using the system', array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?></li>
<li><?php echo $this->Html->link('Administration', array('controller' => 'pages', 'action' => 'display', 'administration')); ?></li>
<li><?php echo $this->Html->link('Categories and Types', array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?></li>
</ol>
</div>
<div class="index" style="width:80%">
<h2>User Management and Global Actions</h2>
<a name="first_run"></a>
<h3>First run of the system:</h3>
When first logging into MISP with the username and password provided by your administrator, there are a number of things that need to be done, before you can start using the system.<br><br>
@ -26,7 +28,7 @@
<li><em>Subscribing to e-mails sent via the "Contact Reporter" functionality:</em> This feature is turned on right below the autoalerts and will allow you to receive e-mails addressed to your organisation whenever a user tries to ask about an event that was posted by a user of your organisation. Keep in mind that you can still be addressed by such a request even when this setting is turned off, if someone tries to contact you as the event creator directly or your organisation for an event that you personally have created then you will be notified.<br /><br />
<li><em>Reviewing the Terms &amp; Conditions:</em> To review the Terms &amp; Conditions or to read the User Guide, use the appropriate button on the left navigation menu.<br /><br /></li>
<li><em>Making sure that compatibility mode is turned off (IE9&amp;IE10):</em>Compatibility mode can cause some elements to appear differently than intended or not appear at all. Make sure you have this option turned off.</li></ul>
<br /><hr /><br />
<hr />
<a name="manage"></a><h3>Managing your account:</h3>
To alter any details regarding your profile, use the "My Profile" menu button to bring up the profile overview and then click on "Edit Profile" in the right upper corner.<br>
<ul>
@ -40,7 +42,7 @@ To alter any details regarding your profile, use the "My Profile" menu button to
<li><em>Setting up the GPG Key:</em> In order for the system to be able to encrypt the messages that you send through it, it needs to know your GPG key. You can acquire this by clicking on the PGP/GPG key link at the bottom left of the screen. Copy the entirety of the key and navigate to the Edit profile view (My Profile on the left -&gt; Edit profile in the top right corner). Paste the key into the Gpgkey field and click submit.<br /><br /></li>
<li><em>Requesting a new authentication key:</em> It is possible to make the system generate a new authentication key for you (for example if your previous one gets compromised. This can be accessed by clicking on the My Profile button and then clicking the reset key next to the currently active authentication code. The old key will become invalid when the new one is generated.<br /><br />
<p><img src="/img/doc/reset.png" alt = "" title="Clicking on reset will generate a new key for you and invalidate the old one, blocking it from being used."></p></li></ul>
<br /><hr /><br />
<hr />
<a name="uptodate"></a><h3>Staying up to date:</h3>
MISP also provides its users with some information about itself and its users through the links provided in the Global Actions menu.<br><br>
<ul>

63
app/View/Pages/using_the_system.ctp
View File

@ -1,21 +1,24 @@
<div class="index">
<b>Table of contents</b><br />
1. <?php echo $this->Html->link(__('General Layout', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?><br />
2. <?php echo $this->Html->link(__('User Management and Global actions', true), array('controller' => 'pages', 'action' => 'display', 'user_management')); ?><br />
3. <?php echo $this->Html->link(__('Using the system', true), array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?><br />
<ul>
<li>a. <a href="#create">Creating an event</a></li>
<li>b. <a href="#browsing_events">Browsing past events</a></li>
<li>c. <a href="#update_events">Updating and modifying events</a></li>
<li>d. <a href="#contact">Contacting the publisher</a></li>
<li>e. <a href="#automation">Automation</a></li>
<li>f. <a href="#export">Exporting data</a></li>
<li>g. <a href="#connect">Connecting to other servers</a></li>
<li>h. <a href="#rest">Rest API</a></li>
</ul>
4. <?php echo $this->Html->link(__('Administration', true), array('controller' => 'pages', 'action' => 'display', 'administration')); ?><br />
5. <?php echo $this->Html->link(__('Categories and Types', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?><br />
<br /><hr /><br />
<div class="actions" style="width:15%">
<ol class="nav nav-list">
<li><?php echo $this->Html->link('General Layout', array('controller' => 'pages', 'action' => 'display', 'documentation')); ?></li>
<li><?php echo $this->Html->link('User Management and Global actions', array('controller' => 'pages', 'action' => 'display', 'user_management')); ?></li>
<li class="active"><?php echo $this->Html->link('Using the system', array('controller' => 'pages', 'action' => 'display', 'using_the_system')); ?>
<ul class="nav nav-list">
<li><a href="#create">Creating an event</a></li>
<li><a href="#browsing_events">Browsing past events</a></li>
<li><a href="#update_events">Updating and modifying events</a></li>
<li><a href="#contact">Contacting the publisher</a></li>
<li><a href="#automation">Automation</a></li>
<li><a href="#export">Exporting data</a></li>
<li><a href="#connect">Connecting to other servers</a></li>
<li><a href="#rest">Rest API</a></li>
</ul>
</li>
<li><?php echo $this->Html->link('Administration', array('controller' => 'pages', 'action' => 'display', 'administration')); ?></li>
<li><?php echo $this->Html->link('Categories and Types', array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?></li>
</ol>
</div>
<div class="index" style="width:80%">
<h2>Using the system:</h2>
<a name ="create"></a><h3>Creating an event:</h3>
The process of entering an event can be split into 3 phases, the creation of the event itself, populating it with attributes and attachments and finally publishing it.<br /><br />
@ -46,7 +49,7 @@ The process of entering an event can be split into 3 phases, the creation of the
<li><em>Info:</em> The info field, where the malware/incident can get a brief description starting with the internal reference. This field should be as brief and concise as possible, the more detailed description happens through attributes in the next stage of the event's creation. Keep in mind that the system will automatically replace detected text strings that match a regular expression entry set up by your server's administrator(s). <br /><br /></li>
<li><em>GFI Sandbox:</em> It is possible to upload the exported .zip file from GFI sandbox with the help of this tool. These will be dissected by the MISP and a list of attributes and attachments will automatically be generated from the .zip file. Whilst this does most of the work needed to be done in the second step of the event's creation, it is important to manually look over all the data that is being entered. <br /><br /></li>
</ul>
<br /><hr /><br />
<hr />
<a name ="create_attribute"></a><h3>Add attributes to the event:</h3>
The second step of creating an event is to populate it with attributes and attachments. In addition to being able to import the attributes and attachments from GFI, it is also possible to manually add attributes and attachments to an event, by using the two appropriate buttons on the event's page. Let's look at adding attributes first.<br />
When clicking on the add attribute button, you will have to fill out a form with all the data about the attribute.<br /><br />
@ -67,7 +70,7 @@ Keep in mind that the system searches for regular expressions in the value field
<li><em>Value:</em> The actual value of the attribute, enter data about the value based on what is valid for the chosen attribute type. For example, for an attribute of type ip-src (source IP address), 11.11.11.11 would be a valid value. For more information on types and values, <?php echo $this->Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>.<br /><br /></li>
<li><em>Batch import:</em> If there are several attributes of the same type to enter (such as a list of IP addresses, it is possible to enter them all into the same value-field, separated by a line break between each line. This will allow the system to create separate lines for the each attribute. <br /><br /></li>
</ul>
<br /><hr /><br />
<hr />
<h3>Add attachments to the event:</h3>
You can also upload attachments, such as the malware itself, report files from external analysis or simply artifacts dropped by the malware. Clicking on the add attachment button brings up a form that allows you to quickly attach a file to the event. The following fields need to be filled out:<br /><br />
<p><img src="/img/doc/add_attachment.png" alt = "Add attachment" title = "Point the uploader to the file you want to upload. Make sure to mark it as malware if the uploaded file is harmful, that way it will be neutralised."/></p><br />
@ -84,12 +87,12 @@ You can also upload attachments, such as the malware itself, report files from e
<li><i>All:</i> This will share the attachment with all MISP communities, allowing the attachment to be freely propagated from one server to the next.<br /><br /></li>
</ul></li>
</ul>
<br /><hr /><br />
<hr />
<h3>Publish an event:</h3>
<p><img src="/img/doc/publish.png" alt = "Publish" style="float:right;" title = "Only use publish (no email) for minor changes such as the correction of typos."/></p><br />
Once all the attributes and attachments that you want to include with the event are uploaded / set, it is time to finalise its creation by publishing the event (click on publish event in the event view). This will alert the eligible users of it (based on the private-controls of the event and its attributes/attachments and whether they have auto-alert turned on), push the event to instances that your instance connects to and propagate it further based on the distribution rules. It also readies the network related attributes for NIDS signature creation (through the NIDS signature export feature, for more information, go to the export section.).<br /><br />
There is an alternate way of publishing an event without alerting any other users, by using the "publish (no email)" button. This should only be used for minor edits (such as correcting a typo). <br />
<br /><hr /><br />
<hr />
<a name ="browsing_events"></a><h2>Browsing past events:</h2>
The MISP interface allows the user to have an overview over or to search for events and attributes of events that are already stored in the system in various ways.<br /><br />
<h3>To list all events:</h3>
@ -130,7 +133,7 @@ On the left menu bar, the option "List events" will generate a list of the last
<li><em>Attributes:</em> A list of all attributes attached to the event, including its category, type, value, whether the attribute in itself is related to another event, whether the flag signalling that the attribute can be turned into an IDS signature is on, and a field showing the current privacy setting of the attribute.Attributes can also be modified or deleted via the 3 buttons at the end of each line.<br /><br />
Using the modify button will bring up the attribute creation view, with all data filled out with the attribute's currently stored data.<br /><br /></li>
</ul>
<br /><hr /><br />
<hr />
<h3>Listing all attributes:</h3>
Apart from having a list of all the events, it is also possible to get a list of all the stored attributes in the system by clicking on the list attributes button. The produced list of attributes will include the followings fields:<br /><br />
<img src="/img/doc/list_attributes2.png" alt = "" title = "Use the buttons to the right to view the event that this attribute belongs to or to modify/delete the attribute."/><br /><br />
@ -142,25 +145,25 @@ On the left menu bar, the option "List events" will generate a list of the last
<li><em>Signature:</em> Shows whether the attribute has been flagged for NIDS signature generation or not.<br /><br /></li>
<li><em>Actions:</em> A set of buttons that allow you to view the event that the attribute is tied to, to edit the attribute (using the same view as what is used to set up attributes, but filled out with the attribute's current data) and a delete button. <br /><br /></li>
</ul>
<br /><hr /><br />
<hr />
<h3>Searching for attributes:</h3>
Apart from being able to list all events, it is also possible to search for data contained in the value field of an attribute, by clicking on the "Search Attributes" button.<br /><br />
<img src="/img/doc/search_attribute.png" alt = "Search attribute" title = "You can search for attributes by searching for a phrase contained in its value. Narrow your search down by selecting a type and/or a category which the event has to belong to."/><br /><br />
This will bring up a form that lets you enter one or several search strings (separate search strings with line breaks) that will be compared to the values of all attributes, along with options to narrow down the search based on category and type. The entered search string has to be an exact match with (the sub-string of) a value. A second text field makes it possible to enter event IDs for events that should be excluded from the search (again, each line represents an event ID to be excluded).<br /><br />
The list generated by the search will look exactly the same as listing all attributes, except that only the attributes that matched the search criteria will be listed (to find out more about the list attributes view, <?php echo $this->Html->link(__('click here', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>.). The search parameters will be shown above the produced list and the search terms will be highlighted.<br />
<br /><img src="/img/doc/search_attribute_result.png" alt = "" title = "You can view the event that an attribute belongs to with the view button, or you can edit/delete the attribute via the buttons on the right."/><br />
<br /><hr /><br />
<hr />
<a name ="update_events"></a><h2>Updating and modifying events and attributes:</h2>
Every event and attribute can easily be edited. First of all it is important to find the event or attribute that is to be edited, using any of the methods mentioned in the section on <a href="#browsing_events">browsing past events</a>.<br /><br />
Once it is found, the edit button (whether it be under actions when events/attributes get listed or simply on the event view) will bring up the same screen as what is used to create the entry of the same type (for an event it would be the event screen as <a href="#create">seen here</a>, for an attribute the attribute screen as <a href="#create_attribute">described here</a>).<br /><br />
Keep in mind that editing any event (either directly or indirectly through an attribute) will unpublish it, meaning that you'll have to publish it (through the event view) again once you are done.<br /><br />
<br /><hr /><br />
<hr />
<a name ="contact"></a><h2>Contacting the reporter:</h2>
To get in touch with the reporter of a previously registered event, just find the event for which you would like to contact the reporter by either finding it on the list of events, by finding it through one of its attributes or by finding it through a related event.<br /><br />
Once the event is found and the event view opened, click the button titled "Contact Reporter". This will bring up a view where you can enter your message that is to be e-mailed to all members of the reporting organisation that subscribe to receiving such reports or the reporting user himself. Along with your message, the detailed information about the event in question will be included in the e-mail.<br /><br />
<br /><img src="/img/doc/contact_reporter.png" alt = "" title = "Enter your message to the reporter and choose whether his/her entire organisation should get the message or not by ticking the check-box."/><br /><br />
By default, the message will be sent to every member of the organisation that posted the event in the first place, but if you tick the check-box below the message field before sending the mail, only the person that reported the event will get e-mailed. <br />
<br /><hr /><br />
<hr />
<a name ="automation"></a><h2>Automation:</h2>
It is possible to quickly and conveniently export the data contained within the system using the automation features located in the main menu on the left (available to users with authentication key access only). There are various sets of data that can be exported, by using the authentication key provided by the system (also shown on the export page). If for whatever reason you would need to invalidate your current key and get a new one instead (for example due to the old one becoming compromised) just hit the reset link next to the authentication key in the export view or in your "my profile" view.<br /><br />
The following types of export are possible:<br /><br />
@ -178,7 +181,7 @@ The following types of export are possible:<br /><br />
It is also possible to export a list of all eligible attributes that match a specific type into a plain text file. The format to do this is:<br /><br />
<i>&lt;server&gt;/events/text/&lt;authentication_key&gt;/&lt;type&gt;</i><br /><br />
Type could be any valid type (as according to the list of <?php echo $this->Html->link(__('categories and types', true), array('controller' => 'pages', 'action' => 'display', 'categories_and_types')); ?>), for example md5, ip-src or comment.<br />
<br /><hr /><br />
<hr />
<a name ="export"></a><h2>Exporting data:</h2>
For users that do not have authentication key access, an alternate export feature is available that relies on your interactive login to the site. To access these, just use the automation menu button to the left and you'll be presented with a list of export options. The results of the export will automatically be offered as a file download.<br /><br/>
<br /><img src="/img/doc/export.png" alt = "" title = "Use the export features here to quickly download data in various formats"/><br /><br />
@ -186,7 +189,7 @@ Apart from that, it's also possible to export all events involved in a search at
<br /><img src="/img/doc/export_search.png" alt = "" title = "Download a .xml from all the events that are shown through an attribute in the search results."/><br /><br />
Each event's view has its own export feature, both as an XML export and as a .ioc file. To reach these features, just navigate to an event and use the appropriate buttons on the right side.<br /><br />
<br /><img src="/img/doc/export_event.png" alt = "" title = "Download a .xml or a .ioc of the event."/><br /><br />
<br /><hr /><br />
<hr />
<h2><a name ="connect"></a>Connecting to other instances:</h2>
Apart from being a self contained repository of attacks/malware, one of the main features of MISP is its ability to connect to other instances and share (parts of) its information. The following options allow you to set up and maintain such connections.<br /><br />
<h3><a name ="new_server"></a>Setting up a connection to another server:</h3>
@ -213,7 +216,7 @@ If you ever need to change the data about the linked servers or remove any conne
<li><em>Push all:</em> By clicking this button, all events that are eligible to be pushed on the instance you are on will start to be pushed to the remote instance. Events and attributes that exist on the far end will be updated.<br /><br /></li>
<li><em>Pull all:</em> By clicking this button, all events that are set to be pull-able or full access on the remote server will be copied to this instance. Existing events will not be updated.<br /><br /></li>
</ul>
<br /><hr /><br />
<hr />
<a name ="rest"></a><h2>Rest API:</h2>
The platform is also <a href="http://en.wikipedia.org/wiki/Representational_state_transfer">RESTfull</a>, so this means that you can use structured format (XML) to access Events data.<br /><br />
<h3>Requests</h3>

4
app/View/Users/memberslist.ctp
View File

@ -1,6 +1,6 @@
<div class="users index">
<h2>Members</h2>
<table cellpadding="0" cellspacing="0" style="width:300px;">
<table class="table table-striped table-condensed table-bordered" style="width:300px;">
<tr>
<th>Organisation</th>
<th># of members</th>
@ -85,7 +85,7 @@ foreach ($graphData as $row) {
});
</script>
<!-- table cellpadding="0" cellspacing="0" style="width:400px;">
<!-- table class="table table-striped table-condensed table-bordered" style="width:400px;">
<tr>
<th>Org</th>
<th>Type</th>