mirror of https://github.com/MISP/MISP
Update to the GFI import
- fixed an issue where a blacklisted value added through uloadattachments would break the import - fixed the distribution level of attributes created by the GFI import always being your org only - removed registry attributes that do not contain a malware sample or a dropped file in the value - fixed a set of regular expressions dealing with the sanitisation of user names that would fail on user names consisting of more than one word - added a few regular expressionspull/198/head
iglocska
parent
9cc497bf06
commit
e0dd74a7ba
|
|
@ -239,34 +239,37 @@ CREATE TABLE IF NOT EXISTS `whitelist` (
|
|||
-- Default values for initial installation
|
||||
--
|
||||
|
||||
INSERT INTO `regexp`
|
||||
(`regexp`, `replacement`)
|
||||
VALUES
|
||||
('/.:.ProgramData./i','%ALLUSERSPROFILE%\\\\'),
|
||||
('/.:.Documents and Settings.All Users./i','%ALLUSERSPROFILE%\\\\'),
|
||||
('/.:.Program Files.Common Files./i','%COMMONPROGRAMFILES%\\\\'),
|
||||
('/.:.Program Files \(x86\).Common Files./i','%COMMONPROGRAMFILES(x86)%\\\\'),
|
||||
('/.:.Users.(\\w+).AppData.Local.Temp./i','%TEMP%\\\\'),
|
||||
('/.:.ProgramData./i','%PROGRAMDATA%\\\\'),
|
||||
('/.:.Program Files./i','%PROGRAMFILES%\\\\'),
|
||||
('/.:.Program Files \(x86\)./i','%PROGRAMFILES(X86)%\\\\'),
|
||||
('/.:.Users.Public./i','%PUBLIC%\\\\'),
|
||||
('/.:.Documents and Settings.(\\w+).Local Settings.Temp./i','%TEMP%\\\\'),
|
||||
('/.:.Users.(\\w+).AppData.Local.Temp./i','%TEMP%\\\\'),
|
||||
('/.:.Users.(\\w+).AppData.Local./i','%LOCALAPPDATA%\\\\'),
|
||||
('/.:.Users.(\\w+).AppData.Roaming./i','%APPDATA%\\\\'),
|
||||
('/.:.Users.(\\w+).Application Data./i','%APPDATA%\\\\'),
|
||||
('/.:.Windows.(\\w+).Application Data./i','%APPDATA%\\\\'),
|
||||
('/.:.Users.(\\w+)./i','%USERPROFILE%\\\\'),
|
||||
('/.:.DOCUME~1.(\\w+)./i','%USERPROFILE%\\\\'),
|
||||
('/.:.Documents and Settings.(\\w+)./i','%USERPROFILE%\\\\'),
|
||||
('/.:.Windows./i','%WINDIR%\\\\'),
|
||||
('/.:.Windows./i','%WINDIR%\\\\'),
|
||||
('/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{9}){1}(-[0-9]{10}){1}-[0-9]{9}-[0-9]{4}/i','HKCU'),
|
||||
('/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){2}-[0-9]{9}-[0-9]{4}/i','HKCU'),
|
||||
('/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){3}-[0-9]{4}/i','HKCU'),
|
||||
('/.REGISTRY.MACHINE./i','HKLM\\\\'),
|
||||
('/.Registry.Machine./i','HKLM\\\\');
|
||||
INSERT INTO `regexp` (`id`, `regexp`, `replacement`, `type`) VALUES
|
||||
(1, '/.:.ProgramData./i', '%ALLUSERSPROFILE%\\\\', 'ALL'),
|
||||
(2, '/.:.Documents and Settings.All Users./i', '%ALLUSERSPROFILE%\\\\', 'ALL'),
|
||||
(3, '/.:.Program Files.Common Files./i', '%COMMONPROGRAMFILES%\\\\', 'ALL'),
|
||||
(4, '/.:.Program Files (x86).Common Files./i', '%COMMONPROGRAMFILES(x86)%\\\\', 'ALL'),
|
||||
(5, '/.:.Users\\\\(.*?)\\\\AppData.Local.Temp./i', '%TEMP%\\\\', 'ALL'),
|
||||
(6, '/.:.ProgramData./i', '%PROGRAMDATA%\\\\', 'ALL'),
|
||||
(7, '/.:.Program Files./i', '%PROGRAMFILES%\\\\', 'ALL'),
|
||||
(8, '/.:.Program Files (x86)./i', '%PROGRAMFILES(X86)%\\\\', 'ALL'),
|
||||
(9, '/.:.Users.Public./i', '%PUBLIC%\\\\', 'ALL'),
|
||||
(10, '/.:.Documents and Settings\\\\(.*?)\\\\Local Settings.Temp./i', '%TEMP%\\\\', 'ALL'),
|
||||
(11, '/.:.Users\\\\(.*?)\\\\AppData.Local.Temp./i', '%TEMP%\\\\', 'ALL'),
|
||||
(12, '/.:.Users\\\\(.*?)\\\\AppData.Local./i', '%LOCALAPPDATA%\\\\', 'ALL'),
|
||||
(13, '/.:.Users\\\\(.*?)\\\\AppData.Roaming./i', '%APPDATA%\\\\', 'ALL'),
|
||||
(14, '/.:.Users\\\\(.*?)\\\\Application Data./i', '%APPDATA%\\\\', 'ALL'),
|
||||
(15, '/.:.Windows\\\\(.*?)\\\\Application Data./i', '%APPDATA%\\\\', 'ALL'),
|
||||
(16, '/.:.Users\\\\(.*?)\\\\/i', '%USERPROFILE%\\\\', 'ALL'),
|
||||
(17, '/.:.DOCUME~1.\\\\(.*?)\\\\/i', '%USERPROFILE%\\\\', 'ALL'),
|
||||
(18, '/.:.Documents and Settings\\\\(.*?)\\\\/i', '%USERPROFILE%\\\\', 'ALL'),
|
||||
(19, '/.:.Windows./i', '%WINDIR%\\\\', 'ALL'),
|
||||
(20, '/.:.Windows./i', '%WINDIR%\\\\', 'ALL'),
|
||||
(21, '/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{9}){1}(-[0-9]{10}){1}-[0-9]{9}-[0-9]{4}/i', 'HKCU', 'ALL'),
|
||||
(22, '/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){2}-[0-9]{9}-[0-9]{4}/i', 'HKCU', 'ALL'),
|
||||
(23, '/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){3}-[0-9]{4}/i', 'HKCU', 'ALL'),
|
||||
(24, '/.REGISTRY.MACHINE./i', 'HKLM\\\\', 'ALL'),
|
||||
(25, '/.Registry.Machine./i', 'HKLM\\\\', 'ALL'),
|
||||
(26, '/%USERPROFILE%.Application Data.Microsoft.UProof/i', '', 'ALL'),
|
||||
(27, '/%USERPROFILE%.Local Settings.History/i', '', 'ALL'),
|
||||
(28, '/%APPDATA%.Microsoft.UProof/i ', '', 'ALL'),
|
||||
(29, '/%LOCALAPPDATA%.Microsoft.Windows.Temporary Internet Files/i', '', 'ALL');
|
||||
|
||||
|
||||
-- --------------------------------------------------------
|
||||
|
||||
|
|
|
|||
|
|
@ -1995,14 +1995,22 @@ class EventsController extends AppController {
|
|||
|
||||
public function _readGfiXML($data, $id) {
|
||||
$this->loadModel('Attribute');
|
||||
|
||||
$this->Event->recursive = -1;
|
||||
$this->Event->read(array('id', 'uuid', 'distribution'), $id);
|
||||
// import XML class
|
||||
App::uses('Xml', 'Utility');
|
||||
// now parse it
|
||||
$parsedXml = Xml::build($data, array('return' => 'simplexml'));
|
||||
|
||||
// xpath..
|
||||
|
||||
if (Configure::read('MISP.default_attribute_distribution') != null) {
|
||||
if (Configure::read('MISP.default_attribute_distribution') === 'event') {
|
||||
$dist = $this->Event->data['Event']['distribution'];
|
||||
} else {
|
||||
$dist = '';
|
||||
$dist .= Configure::read('MISP.default_attribute_distribution');
|
||||
}
|
||||
}
|
||||
//Payload delivery -- malware-sample
|
||||
$results = $parsedXml->xpath('/analysis');
|
||||
foreach ($results as $result) {
|
||||
|
|
@ -2013,13 +2021,13 @@ class EventsController extends AppController {
|
|||
$realMalware = $realFileName;
|
||||
$rootDir = APP . "files" . DS . $id . DS;
|
||||
$malware = $rootDir . DS . 'sample';
|
||||
$this->Event->Attribute->uploadAttachment($malware, $realFileName, true, $id);
|
||||
$this->Event->Attribute->uploadAttachment($malware, $realFileName, true, $id, null, '', $this->Event->data['Event']['uuid'] . '-sample', $dist);
|
||||
|
||||
//Network activity -- .pcap
|
||||
$realFileName = 'analysis.pcap';
|
||||
$rootDir = APP . "files" . DS . $id . DS;
|
||||
$malware = $rootDir . DS . 'Analysis' . DS . 'analysis.pcap';
|
||||
$this->Event->Attribute->uploadAttachment($malware, $realFileName, false, $id, 'Network activity');
|
||||
$this->Event->Attribute->uploadAttachment($malware, $realFileName, false, $id, 'Network activity', '', $this->Event->data['Event']['uuid'] . '-analysis.pcap', $dist);
|
||||
|
||||
//Artifacts dropped -- filename|md5
|
||||
$files = array();
|
||||
|
|
@ -2068,11 +2076,10 @@ class EventsController extends AppController {
|
|||
$extraPath = 'Analysis' . DS . 'proc_' . $index . DS . 'modified_files' . DS;
|
||||
$file = new File($actualFile);
|
||||
if ($file->exists()) { // TODO put in array for test later
|
||||
$this->Event->Attribute->uploadAttachment($actualFile, $realFileName, true, $id, null, $extraPath, $keyName); // TODO was false
|
||||
$this->Event->Attribute->uploadAttachment($actualFile, $realFileName, true, $id, null, $extraPath, $keyName, $dist); // TODO was false
|
||||
} else {
|
||||
}
|
||||
}
|
||||
|
||||
//Network activity -- ip-dst
|
||||
$ips = array();
|
||||
$hostnames = array();
|
||||
|
|
@ -2093,6 +2100,7 @@ class EventsController extends AppController {
|
|||
'category' => 'Network activity',
|
||||
'type' => 'ip-dst',
|
||||
'value' => $ip,
|
||||
'distribution' => $dist,
|
||||
'to_ids' => false));
|
||||
}
|
||||
foreach ($hostnames as $hostname) {
|
||||
|
|
@ -2103,6 +2111,7 @@ class EventsController extends AppController {
|
|||
'category' => 'Network activity',
|
||||
'type' => 'hostname',
|
||||
'value' => $hostname,
|
||||
'distribution' => $dist,
|
||||
'to_ids' => false));
|
||||
}
|
||||
// Persistence mechanism -- regkey|value
|
||||
|
|
@ -2123,27 +2132,16 @@ class EventsController extends AppController {
|
|||
foreach ($regs as $key => $val) {
|
||||
// add attribute..
|
||||
$this->Attribute->create();
|
||||
if ($val == '[binary_data]') {
|
||||
$itsCategory = 'Artifacts dropped';
|
||||
$itsType = 'regkey';
|
||||
$itsValue = $key;
|
||||
} else {
|
||||
if ($this->strposarray($val,$actualFileNameArray)) {
|
||||
$itsCategory = 'Persistence mechanism';
|
||||
$itsType = 'regkey|value';
|
||||
$itsValue = $key . '|' . $val;
|
||||
} else {
|
||||
$itsCategory = 'Artifacts dropped'; // Persistence mechanism
|
||||
$itsType = 'regkey|value';
|
||||
$itsValue = $key . '|' . $val;
|
||||
}
|
||||
}
|
||||
$this->Attribute->save(array(
|
||||
if ($this->strposarray($val,$actualFileNameArray)) {
|
||||
$this->Attribute->save(array(
|
||||
'event_id' => $id,
|
||||
'category' => $itsCategory, // 'Persistence mechanism'
|
||||
'type' => $itsType,
|
||||
'value' => $itsValue,
|
||||
'to_ids' => false));
|
||||
'category' => 'Persistence mechanism', // 'Persistence mechanism'
|
||||
'type' => 'regkey|value',
|
||||
'value' => $key . '|' . $val,
|
||||
'distribution' => $dist,
|
||||
'to_ids' => false
|
||||
));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -795,7 +795,7 @@ class Attribute extends AppModel {
|
|||
*
|
||||
* @return void
|
||||
*/
|
||||
public function uploadAttachment($fileP, $realFileName, $malware, $eventId = null, $category = null, $extraPath = '', $fullFileName = '') {
|
||||
public function uploadAttachment($fileP, $realFileName, $malware, $eventId = null, $category = null, $extraPath = '', $fullFileName = '', $dist) {
|
||||
// Check if there were problems with the file upload
|
||||
// only keep the last part of the filename, this should prevent directory attacks
|
||||
$filename = basename($fileP);
|
||||
|
|
@ -804,12 +804,13 @@ class Attribute extends AppModel {
|
|||
// save the file-info in the database
|
||||
$this->create();
|
||||
$this->data['Attribute']['event_id'] = $eventId;
|
||||
$this->data['Attribute']['distribution'] = $dist;
|
||||
if ($malware) {
|
||||
$md5 = !$tmpfile->size() ? md5_file($fileP) : $tmpfile->md5();
|
||||
$this->data['Attribute']['category'] = $category ? $category : "Payload delivery";
|
||||
$this->data['Attribute']['type'] = "malware-sample";
|
||||
$this->data['Attribute']['value'] = $fullFileName ? $fullFileName . '|' . $md5 : $filename . '|' . $md5; // TODO gives problems with bigger files
|
||||
$this->data['Attribute']['to_ids'] = 1; // LATER let user choose to send this to IDS
|
||||
$this->data['Attribute']['to_ids'] = 0; // LATER let user choose to send this to IDS
|
||||
} else {
|
||||
$this->data['Attribute']['category'] = $category ? $category : "Artifacts dropped";
|
||||
$this->data['Attribute']['type'] = "attachment";
|
||||
|
|
@ -820,17 +821,13 @@ class Attribute extends AppModel {
|
|||
if ($this->save($this->data)) {
|
||||
// attribute saved correctly in the db
|
||||
} else {
|
||||
// do some?
|
||||
return;
|
||||
}
|
||||
|
||||
// no errors in file upload, entry already in db, now move the file where needed and zip it if required.
|
||||
// no sanitization is required on the filename, path or type as we save
|
||||
// create directory structure
|
||||
if (PHP_OS == 'WINNT') {
|
||||
$rootDir = APP . "files" . DS . $eventId;
|
||||
} else {
|
||||
$rootDir = APP . "files" . DS . $eventId;
|
||||
}
|
||||
$rootDir = APP . "files" . DS . $eventId;
|
||||
$dir = new Folder($rootDir, true);
|
||||
// move the file to the correct location
|
||||
$destpath = $rootDir . DS . $this->getId(); // id of the new attribute in the database
|
||||
|
|
|
|||
Loading…
Reference in New Issue