Part of the documentation added - docu written by Miguel Soria Machado

(CERT-EU)

app/View/Elements/actions_menu.ctp

@@ -9,8 +9,8 @@
 		<li><?php echo $this->Html->link(__('News', true), array('controller' => 'users', 'action' => 'news')); ?> </li>
 		<li><?php echo $this->Html->link(__('My Profile', true), array('controller' => 'users', 'action' => 'view', 'me')); ?> </li>
 		<li><?php echo $this->Html->link(__('Members List', true), array('controller' => 'users', 'action' => 'memberslist')); ?> </li>
+		<li><?php echo $this->Html->link(__('User Guide', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?> </li>
 		<li><?php echo $this->Html->link(__('Terms & Conditions', true), array('controller' => 'users', 'action' => 'terms')); ?> </li>
-		<li><?php echo $this->Html->link(__('Documentation', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?> </li>
 
 		<?php if ('true' == Configure::read('CyDefSIG.sync')): ?>
 		<li>&nbsp;</li>

app/View/Events/export.ctp

@@ -7,11 +7,12 @@ You can <?php echo $this->Html->link('reset', array('controller' => 'users', 'ac
 </p>
 
 <h3>XML Export</h3>
-<p>An automatic export of all events and attributes is available under a custom XML format.</p>
+<p>An automatic export of all events and attributes <small>(except file attachments)</small> is available under a custom XML format.</p>
 <p>You can configure your tools to automatically download the following file:</p>
 <pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/xml/<?php echo $me['authkey']; ?></pre>
 <p>If you only want to fetch a specific event append the eventid number:</p>
 <pre><?php echo Configure::read('CyDefSIG.baseurl');?>/events/xml/<?php echo $me['authkey']; ?>/1</pre>
+<p>Also check out the <?php echo $this->Html->link(__('User Guide', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?> to read about the REST API.</p>
 <p></p>
 
 <h3>NIDS Export</h3>

app/View/Pages/documentation.ctp

@@ -1,9 +1,153 @@
 <div class="index">
-<h2>Documentation</h2>
-<p>
-</p>
+<h2>Table of Content</h2>
+
+<hr/>
+<h2>Layout and features</h2>
+<h3>Main page:</h3>
+<p>The main page lists the events stored in the
+CyDefSIG site. See data structure section for further details.</p>
+<p>The <b>site PGP public key</b> and <b>log-out
+button</b> are at the bottom of the page and will be accessible in
+any page of the site.</p>
+<h3>Left Menu</h3>
+<p>The left menu allows the user navigating to the different features/pages of the site:</p>
+<ul>
+	<li><em>New Event:</em>
+	    <p>Allow user to create a new event. See How to share a malware signatures in CyDefSIG
+	    section for further details.</p></li>
+	<li><em>List Events: </em>
+    	<p>List all events and allows users to </p>
+    	<ul>
+    	    <li>display the details of the events</li>
+    	    <li>contact the publishing party of an even by clicking <b>Contact Reporter </b>button in the Event page.</li>
+    	    <li>Modify or delete an event and attributes you have imported.</li>
+    	</ul>
+    	<p></p></li>
+	<li><em>List Attributes:</em>
+	    <p>Lists all attributes cross events.</p></li>
+	<li><em>Search Attribute:</em>
+    	<p>You can search for attributes based on key words
+    	and apply a filtering based on the category and or attribute type.</p></li>
+	<li><em>Export:</em>
+    	<p>Different format are supported: XML (all or per
+    	event), text (all or per attribute type), and IDS format. Note that
+    	only the attributes that have been selected to be in the part of IDS
+    	will be included in this latter.</p></li>
+	<li><em>News:</em>
+	    <p>Provide the latest news regarding the site like last changes.</p></li>
+	<li><em>My Profile:</em>
+    	<p>Allows to setup the user profile:</p>
+    	<ul>
+    		<li>email address to which new events will be sent,</li>
+    		<li>the AuthKey used to automate the export of events/attributes from the application
+    		(see Export),</li>
+    		<li>NIDS starting SID,</li>
+    		<li>PGP public key used to encrypt the events sent by email</li>
+    	</ul>
+    	<p></p></li>
+	<li><em>Member List</em>
+	    <p>Provide statstics about the site.</p></li>
+</ul>
 
 
+<h2><a name="how_to_share"></A>How to share a malware/attack attributes in CyDefSIG</h2>
+<h3>Data structure</h3>
+<p>The following diagram depicts the data structure to store malware signatures.</p>
+<p><img src="/img/doc/data-structure.gif"></p>
+<ul>
+	<li>An <em>Event</em> is a containers that hosts
+	one or more <em>attributes</em> of a malware. This is the main data
+	structure that host the signatures of a malware. An event is
+	identified by a unique id number automatically assigned by the
+	system.</li>
+	<li><p>An <em>Attribute</em> is a characteristic of
+	malware that can be used as a descriptor. Attributes are categorised
+	and always linked to an Event via the Event id.</p>
+</ul>
+<p>Note that it may happen that different events are
+related to a same malware or variants as the data may be imported by
+different groups. The application creates automatically links between
+events with same attributes.</p>
+
+<h3>Sharing malware/attack information steps by steps</h3>
+<img src="/img/doc/add-event.png" style="float:right;" />
+<p>Mandatory fields are marked with *</p>
+<ol>
+	<li>Click on <em>New Event</em> (left menu)</li>
+	<li>Fill-in the form:
+    	<ul>
+    	<li><em>Date*:</em> date of the malware was discovered</li>
+    	<li><em>Risk*:</em> estimated risk level related to the malware.<br/>
+	        Guideline for risk level:
+		    <ul>
+    			<li>Undefined (default)</li>
+    			<li>Low - TBD</li>
+    			<li>Med - Advanced Persistent Threat</li>
+    			<li>High - Very sophisticated APT (e.g. including 0-day)</li>
+		    </ul>
+		</li>
+		<li><em>Private*:</em> is the event sharable with other CyDefSIG servers. <small>(only in sync-mode)</small></li>
+        <li><em>Info*:</em> High level information that can help to understand the malware/attack,
+            like title and high level behavior.<br/>
+            This field should remain as short as possible (recommended max 50 words).
+            The full description of the malware behavior and its artifacts must
+            be defined as an attribute (other).</li>
+        </ul>
+    </li>
+	<li>Click <em>Submit</em>
+    	<img src="/img/doc/add-event-done.png" style="float:right;" />
+    	<p>Note that at this stage, the information is
+    	shared on the site but no notification is sent to the other parties
+    	yet.</p></li>
+	<li>Click <em>Add Attribute</em> or <em>Add Attachment</em>
+	</li>
+
+	<li>Fill-in the form:<br/>
+    	For Attribute:
+    	<img src="/img/doc/add-attribute.png" style="float:right;" />
+    	<ul>
+        	<li><em>Category*</em>: see Category section below</li>
+        	<li><em>Type*:</em> see Type section below</li>
+        	<li><em>Private*:</em> prevent upload of this specific Attribute to other CyDefSIG servers. <small>(only in sync-mode)</small></li>
+        	<li><em>IDS Signature?</em>: Check this box if you want
+        	the attribute to be part of the IDS signature generated by the site.
+        	Make sure that the information in value is usable in an IDS
+        	signature, do not check if it is free text, Vulnerability.</li>
+        	<li><em>Value:</em> enter the attribute value. Note
+        	that the value format will be validated for some types like hash and
+        	IP addresses.</li>
+        	<li><em>Batch Import:</em> check this box to import
+        	data in batch. Enter an attribute value per line, each entry will be
+        	assigned the selected Category and Type.</li>
+        	<li>Click <em>Submit</em></li>
+        </ul>
+    <li>For Attachment:
+        <img src="/img/doc/add-attachment.png" style="float:right;" />
+        <ul>
+        	<li><em>Category:</em> see Category section below</li>
+        	<li>Select the file to upload</li>
+        	<li><em>Malware:</em> Check this box if the file to upload is
+        	harmful. The system will then encrypt with zip before storing the
+        	file with the default password, <em>"infected"</em>. This will protect
+        	other systems against accidental infection.<br/>
+        	Note that a hash will be automatically computed
+        	and added to the event as an attribute.</li>
+        	<li>Click <em>Upload</em></li>
+        </ul>
+    <li>Redo steps 5-6 as many time as attributes you need to upload.</li>
+    <li>Click <em>Publish Event</em> once all attributes are uploaded.<br/>
+        <p>The application will then send the event with all uploaded information
+        to all users of the site.<br/>
+        In sync-mode the event will also be uploaded to other CyDefSIG servers users have configured in their profile.</p>
+        <p>You can modify, delete or add new attributes after publishing. In that case, any
+        change will be accessible by other users via the GUI and only
+        released by email to all users once you re-Publish the event.</p>
+</li>
+</ol>
+
+
+
+<hr/>
 <h2>Export and Import</h2>
 <p>CyDefSIG has full support for automated data export and import.</p>
 <h3>IDS and script export</h3>

app/View/Users/terms.ctp

@@ -1,15 +1,16 @@
 <div class="users form">
 <h2>CyDefSIG Terms and Conditions</h2>
+<?php
+if (!isset($termsaccepted)) {
+    echo $this->Form->create('User');
+    echo $this->Form->hidden('termsaccepted', array('default'=> '1'));
+    echo $this->Form->end(__('Accept Terms', true));
+}
+?>
 <p><i>CyDefSIG is a platform for a trusted official service to share Malware signatures with the Belgian Defence ADIV/SGRS.</i></p>
 <p>As a member of CyDefSIG you accept all the following:</p>
 <ul>
-<li>Members accept their commitment to share signature information <small>(about new/unknown malware and attacks they have detected)</small> into the CyDefSIG system.</li>
-<li>The Belgian Defense can't be held liable or responsible in any way for
-    <ul>
-    <li>the quality of information published in the CyDefSIG system or for the (in)proper functioning of the CyDefSIG system</li>
-    <li>accidental or fraudulent misuse of CyDefSIG</li>
-    </ul>
-<li>All systems that handle information from CyDefSIG must be properly secured using the best practices.</li>
+<li>Members accept their intention to share signature information <small>(about new/unknown malware and attacks they have detected)</small> into the CyDefSIG system.</li>
 <li>All information from CyDefSIG must be treated as Unclassified or Restricted <em>only releasable to the CyDefSIG registered parties</em> (comparable to TLP amber), and should thus <em>never be further distributed without prior approval by the publishing party</em>.</li>
 <li>Members are required to report any known security issue or vulnerability with the CyDefSIG system to the Belgian Defence ADIV/SGRS.</li>
 <li>CyDefSIG may be terminated by either Party by giving the other Party a seven (7) days notice. Shared information can never be reclaimed.</li>
@@ -17,27 +18,27 @@
 </ul>
 &nbsp;
 <h3>Disclaimer of Warranty.</h3>
-<ul><li>There is no warranty for the system, to the extent permitted by applicable law. 
+<ul><li>There is no warranty for the system, to the extent permitted by applicable law.
 The Belgian Defence and services provide the system "as is" without warranty of any kind,
- either expressed or implied, including, but not limited to, the implied warranties of 
- merchantability and fitness for a particular purpose. The entire risk as to the quality 
- and performance of the system is with you (any user of the system). 
- Should the system prove defective, you any user of the system, assume all your resulting 
+ either expressed or implied, including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose. The entire risk as to the quality
+ and performance of the system is with you (any user of the system).
+ Should the system prove defective, you any user of the system, assume all your resulting
  costs and consequences.</li></ul>
 &nbsp;
 <h3>Limitation of liability.</h3>
 <ul>
-<li>No Party or its affiliates, agents or representatives shall be liable to the other Party 
-or its affiliates agents or representatives for any indirect, incidental, consequential, 
-exemplary, punitive or special damages in connection with anything that is undertaken by the 
-parties under the use of this system, or anything arising out of this use. This Section 
-applies to the maximum extent permitted by applicable law and regardless of whether the liability 
+<li>No Party or its affiliates, agents or representatives shall be liable to the other Party
+or its affiliates agents or representatives for any indirect, incidental, consequential,
+exemplary, punitive or special damages in connection with anything that is undertaken by the
+parties under the use of this system, or anything arising out of this use. This Section
+applies to the maximum extent permitted by applicable law and regardless of whether the liability
 is based on breach of these terms, tort, or any other legal theory</li>
-<li>In no event will the Belgian Defence, or any other party providing the system, be liable 
-to you (any user of the system) for damages, including any general, special, incidental or 
-consequential damages arising out of the use or inability to use the system (including but 
-not limited to loss of data or data being rendered inaccurate or losses sustained by you or 
-third parties or a failure of the system to operate with any other systems), even if such 
+<li>In no event will the Belgian Defence, or any other party providing the system, be liable
+to you (any user of the system) for damages, including any general, special, incidental or
+consequential damages arising out of the use or inability to use the system (including but
+not limited to loss of data or data being rendered inaccurate or losses sustained by you or
+third parties or a failure of the system to operate with any other systems), even if such
 holder or other party has been advised of the possibility of such damages.</li>
 </ul>