diff --git a/app/View/Elements/actions_menu.ctp b/app/View/Elements/actions_menu.ctp
index 3e6e938ec..64b4dbf7b 100755
--- a/app/View/Elements/actions_menu.ctp
+++ b/app/View/Elements/actions_menu.ctp
@@ -9,8 +9,8 @@
Html->link(__('News', true), array('controller' => 'users', 'action' => 'news')); ?>
Html->link(__('My Profile', true), array('controller' => 'users', 'action' => 'view', 'me')); ?>
Html->link(__('Members List', true), array('controller' => 'users', 'action' => 'memberslist')); ?>
+ Html->link(__('User Guide', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?>
Html->link(__('Terms & Conditions', true), array('controller' => 'users', 'action' => 'terms')); ?>
- Html->link(__('Documentation', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?>
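Review bot: The label on the added line is now 'User Guide' while the route is still 'action' => 'display', 'documentation', and the same array is repeated in Events/export.ctp later in this patch, so the UI term and the page name disagree in two places. Either keep one term throughout or say in the commit message that only the label changes. Since the string goes through __(), the old 'Documentation' msgid is dropped and 'User Guide' needs an entry in any existing translation catalogues.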
diff --git a/app/View/Events/export.ctp b/app/View/Events/export.ctp
index 5e72fc0db..b57ef4659 100755
--- a/app/View/Events/export.ctp
+++ b/app/View/Events/export.ctp
@@ -7,11 +7,12 @@ You can Html->link('reset', array('controller' => 'users', 'ac
XML Export
-An automatic export of all events and attributes is available under a custom XML format.
+An automatic export of all events and attributes (except file attachments) is available under a custom XML format.
You can configure your tools to automatically download the following file:
/events/xml/
If you only want to fetch a specific event append the eventid number:
/events/xml//1
+Also check out the Html->link(__('User Guide', true), array('controller' => 'pages', 'action' => 'display', 'documentation')); ?> to read about the REST API.
NIDS Export
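Review bot: The added "Also check out the ... User Guide to read about the REST API" line links to the top of the documentation page, because the link array carries no fragment. The REST material sits under "Export and Import" near the end of a page that this patch makes much longer, so the link should point at that section directly. The new "(except file attachments)" wording is a useful clarification, but it leaves people who automate the export without a hint of where attachments can be fetched instead; one sentence on that would close the gap.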
diff --git a/app/View/Pages/documentation.ctp b/app/View/Pages/documentation.ctp
index 3a6eea5f9..b360446eb 100644
--- a/app/View/Pages/documentation.ctp
+++ b/app/View/Pages/documentation.ctp
@@ -1,9 +1,153 @@
-
Documentation
-
-
+
Table of Content
+
+
+
Layout and features
+
Main page:
+
The main page lists the events stored in the
+CyDefSIG site. See data structure section for further details.
+
The site PGP public key and log-out
+button are at the bottom of the page and will be accessible in
+any page of the site.
+
Left Menu
+
The left menu allows the user navigating to the different features/pages of the site:
+
+ - New Event:
+
Allow user to create a new event. See How to share a malware signatures in CyDefSIG
+ section for further details.
+ - List Events:
+
List all events and allows users to
+
+ - display the details of the events
+ - contact the publishing party of an even by clicking Contact Reporter button in the Event page.
+ - Modify or delete an event and attributes you have imported.
+
+
+ - List Attributes:
+
Lists all attributes cross events.
+ - Search Attribute:
+
You can search for attributes based on key words
+ and apply a filtering based on the category and or attribute type.
+ - Export:
+
Different format are supported: XML (all or per
+ event), text (all or per attribute type), and IDS format. Note that
+ only the attributes that have been selected to be in the part of IDS
+ will be included in this latter.
+ - News:
+
Provide the latest news regarding the site like last changes.
+ - My Profile:
+
Allows to setup the user profile:
+
+ - email address to which new events will be sent,
+ - the AuthKey used to automate the export of events/attributes from the application
+ (see Export),
+ - NIDS starting SID,
+ - PGP public key used to encrypt the events sent by email
+
+
+ - Member List
+
Provide statstics about the site.
+
+
How to share a malware/attack attributes in CyDefSIG
+
Data structure
+
The following diagram depicts the data structure to store malware signatures.
+
+
+
Note that it may happen that different events are
+related to a same malware or variants as the data may be imported by
+different groups. The application creates automatically links between
+events with same attributes.
+
+
Sharing malware/attack information steps by steps
+
+
Mandatory fields are marked with *
+
+ - Click on New Event (left menu)
+ - Fill-in the form:
+
+ - Date*: date of the malware was discovered
+ - Risk*: estimated risk level related to the malware.
+ Guideline for risk level:
+
+ - Undefined (default)
+ - Low - TBD
+ - Med - Advanced Persistent Threat
+ - High - Very sophisticated APT (e.g. including 0-day)
+
+
+ - Private*: is the event sharable with other CyDefSIG servers. (only in sync-mode)
+ - Info*: High level information that can help to understand the malware/attack,
+ like title and high level behavior.
+ This field should remain as short as possible (recommended max 50 words).
+ The full description of the malware behavior and its artifacts must
+ be defined as an attribute (other).
+
+
+ - Click Submit
+
+
Note that at this stage, the information is
+ shared on the site but no notification is sent to the other parties
+ yet.
+ - Click Add Attribute or Add Attachment
+
+
+ - Fill-in the form:
+ For Attribute:
+
+
+ - Category*: see Category section below
+ - Type*: see Type section below
+ - Private*: prevent upload of this specific Attribute to other CyDefSIG servers. (only in sync-mode)
+ - IDS Signature?: Check this box if you want
+ the attribute to be part of the IDS signature generated by the site.
+ Make sure that the information in value is usable in an IDS
+ signature, do not check if it is free text, Vulnerability.
+ - Value: enter the attribute value. Note
+ that the value format will be validated for some types like hash and
+ IP addresses.
+ - Batch Import: check this box to import
+ data in batch. Enter an attribute value per line, each entry will be
+ assigned the selected Category and Type.
+ - Click Submit
+
+ - For Attachment:
+
+
+ - Category: see Category section below
+ - Select the file to upload
+ - Malware: Check this box if the file to upload is
+ harmful. The system will then encrypt with zip before storing the
+ file with the default password, "infected". This will protect
+ other systems against accidental infection.
+ Note that a hash will be automatically computed
+ and added to the event as an attribute.
+ - Click Upload
+
+ - Redo steps 5-6 as many time as attributes you need to upload.
+ - Click Publish Event once all attributes are uploaded.
+ The application will then send the event with all uploaded information
+ to all users of the site.
+ In sync-mode the event will also be uploaded to other CyDefSIG servers users have configured in their profile.
+ You can modify, delete or add new attributes after publishing. In that case, any
+ change will be accessible by other users via the GUI and only
+ released by email to all users once you re-Publish the event.
+
+
+
+
+
+
Export and Import
CyDefSIG has full support for automated data export and import.
IDS and script export
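Review bot: In the Attachment steps, "The system will then encrypt with zip before storing the file with the default password, "infected"" presents a fixed, publicly documented password as encryption. It only prevents accidental execution or scanner quarantine, which the next sentence does say, so the text should call it a password-protected zip used for containment and state that it gives no confidentiality. Separately, the event-level "Private*: is the event sharable with other CyDefSIG servers" reads as the opposite of the attribute-level "Private*: prevent upload of this specific Attribute"; use the attribute wording for both so a contributor does not tick the wrong way and push an event to other servers. Minor: "Redo steps 5-6" omits the "Click Add Attribute or Add Attachment" step that has to be repeated as well, and "Table of Content", "statstics" and "publishing party of an even" need fixing.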
diff --git a/app/View/Users/terms.ctp b/app/View/Users/terms.ctp
index 27fea5c12..2602f8928 100644
--- a/app/View/Users/terms.ctp
+++ b/app/View/Users/terms.ctp
@@ -1,15 +1,16 @@