From 1a956d596b4252b4d34a03191c9d3054063cb381 Mon Sep 17 00:00:00 2001 From: Chris Clark Date: Thu, 12 Dec 2013 10:37:25 -0500 Subject: [PATCH 1/8] Capitalized Home ... it was killing my OCD. --- app/View/Elements/global_menu.ctp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/View/Elements/global_menu.ctp b/app/View/Elements/global_menu.ctp index e7a04c854..d64657eef 100755 --- a/app/View/Elements/global_menu.ctp +++ b/app/View/Elements/global_menu.ctp @@ -4,7 +4,7 @@ - \ No newline at end of file + From 7b1d054ea7db732b33eb6c7077b2fdf9ae226611 Mon Sep 17 00:00:00 2001 From: Chris Clark Date: Mon, 16 Dec 2013 10:19:25 -0500 Subject: [PATCH 2/8] Update to allow clean entry of Whitelist Items Added non alpha delimiters hardcoded so no preg_match errors and entries in whitelist can be human redable w/out extra leading and trailing chars. --- app/Model/Whitelist.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/app/Model/Whitelist.php b/app/Model/Whitelist.php index 5b1387545..da56672a7 100755 --- a/app/Model/Whitelist.php +++ b/app/Model/Whitelist.php @@ -67,7 +67,7 @@ class Whitelist extends AppModel { // regexp validation public function validateValue ($fields) { - if (preg_match($fields['name'], 'test') === false) return false; + if (preg_match("/".$fields['name']."/", 'test') === false) return false; return true; } @@ -104,7 +104,7 @@ class Whitelist extends AppModel { foreach ($data as $k => $attribute) { // loop through each whitelist item and run a preg match against the attribute value. If it matches, unset the attribute foreach ($whitelists as $wlitem) { - if (preg_match($wlitem, $attribute['Attribute']['value'])) { + if (preg_match("/".$wlitem."/", $attribute['Attribute']['value'])) { unset($data[$k]); } } 
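Review bot: Wrapping the stored value in a hard-coded `/` delimiter breaks as soon as a whitelist entry itself contains a `/` (a URL path, a file path), because the first `/` inside the value terminates the pattern and PCRE reports an unknown modifier; in `validateValue` that surfaces as a rejected entry plus a PHP warning, while in the two match loops below (hunks at -104 and -116) and in `NidsExportComponent::checkWhitelist` in the next patch `preg_match` returns false and the value is silently no longer whitelisted. Escape the delimiter before wrapping, `$pattern = '/' . str_replace('/', '\\/', $wlitem) . '/';`, and build it in one shared helper on the model so the four copies cannot drift. The entry is still evaluated as a user-supplied regular expression, so that helper is also the place to keep the `=== false` error check that `validateValue` performs and that the loops drop. `validateValue` and the enclosing methods of the two loops start outside their hunks.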
@@ -116,7 +116,7 @@ class Whitelist extends AppModel { foreach ($event['Attribute'] as $k => $attribute) { // loop through each whitelist item and run a preg match against the attribute value. If it matches, unset the attribute foreach ($whitelists as $wlitem) { - if (preg_match($wlitem, $attribute['value'])) { + if (preg_match("/".$wlitem."/", $attribute['value'])) { unset($data[$ke]['Attribute'][$k]); } } From 629ab272751208c3ab23b55c5c550e8138e5f8c4 Mon Sep 17 00:00:00 2001 From: Chris Clark Date: Mon, 16 Dec 2013 10:21:08 -0500 Subject: [PATCH 3/8] Update to allow clean entry of Whitelist Items Updated this along with whitelist.php to allow for simple entry of names in the whitelist, this file will allow proper application of those blocked names to exported NIDS sigs. --- app/Controller/Component/NidsExportComponent.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Controller/Component/NidsExportComponent.php b/app/Controller/Component/NidsExportComponent.php index 2beb4872c..b823e431a 100755 --- a/app/Controller/Component/NidsExportComponent.php +++ b/app/Controller/Component/NidsExportComponent.php @@ -444,7 +444,7 @@ class NidsExportComponent extends Component { public function checkWhitelist($value) { foreach ($this->whitelist as $wlitem) { - if (preg_match($wlitem, $value)) { + if (preg_match("/".$wlitem."/", $value)) { return true; } } From e0dd74a7ba4021b8aa0e08c8b07decfc42c6aa7d Mon Sep 17 00:00:00 2001 
From: iglocska Date: Wed, 18 Dec 2013 16:31:42 +0100 Subject: [PATCH 4/8] Update to the GFI import - fixed an issue where a blacklisted value added through uloadattachments would break the import - fixed the distribution level of attributes created by the GFI import always being your org only - removed registry attributes that do not contain a malware sample or a dropped file in the value - fixed a set of regular expressions dealing with the sanitisation of user names that would fail on user names consisting of more than one word - added a few regular expressions --- INSTALL/MYSQL.sql | 59 +++++++++++++++-------------- app/Controller/EventsController.php | 50 ++++++++++++------------ app/Model/Attribute.php | 13 +++---- 3 files changed, 60 insertions(+), 62 deletions(-) diff --git a/INSTALL/MYSQL.sql b/INSTALL/MYSQL.sql index 29fa27f4a..8fab01548 100755 --- a/INSTALL/MYSQL.sql +++ b/INSTALL/MYSQL.sql 
@@ -239,34 +239,37 @@ CREATE TABLE IF NOT EXISTS `whitelist` ( -- Default values for initial installation -- -INSERT INTO `regexp` - (`regexp`, `replacement`) -VALUES - ('/.:.ProgramData./i','%ALLUSERSPROFILE%\\\\'), - ('/.:.Documents and Settings.All Users./i','%ALLUSERSPROFILE%\\\\'), - ('/.:.Program Files.Common Files./i','%COMMONPROGRAMFILES%\\\\'), - ('/.:.Program Files \(x86\).Common Files./i','%COMMONPROGRAMFILES(x86)%\\\\'), - ('/.:.Users.(\\w+).AppData.Local.Temp./i','%TEMP%\\\\'), - ('/.:.ProgramData./i','%PROGRAMDATA%\\\\'), - ('/.:.Program Files./i','%PROGRAMFILES%\\\\'), - ('/.:.Program Files \(x86\)./i','%PROGRAMFILES(X86)%\\\\'), - ('/.:.Users.Public./i','%PUBLIC%\\\\'), - ('/.:.Documents and Settings.(\\w+).Local Settings.Temp./i','%TEMP%\\\\'), - ('/.:.Users.(\\w+).AppData.Local.Temp./i','%TEMP%\\\\'), - ('/.:.Users.(\\w+).AppData.Local./i','%LOCALAPPDATA%\\\\'), - ('/.:.Users.(\\w+).AppData.Roaming./i','%APPDATA%\\\\'), - ('/.:.Users.(\\w+).Application Data./i','%APPDATA%\\\\'), - ('/.:.Windows.(\\w+).Application Data./i','%APPDATA%\\\\'), - ('/.:.Users.(\\w+)./i','%USERPROFILE%\\\\'), - ('/.:.DOCUME~1.(\\w+)./i','%USERPROFILE%\\\\'), - ('/.:.Documents and Settings.(\\w+)./i','%USERPROFILE%\\\\'), - ('/.:.Windows./i','%WINDIR%\\\\'), - ('/.:.Windows./i','%WINDIR%\\\\'), - ('/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{9}){1}(-[0-9]{10}){1}-[0-9]{9}-[0-9]{4}/i','HKCU'), - ('/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){2}-[0-9]{9}-[0-9]{4}/i','HKCU'), - ('/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){3}-[0-9]{4}/i','HKCU'), - ('/.REGISTRY.MACHINE./i','HKLM\\\\'), - ('/.Registry.Machine./i','HKLM\\\\'); +INSERT INTO `regexp` (`id`, `regexp`, `replacement`, `type`) VALUES +(1, '/.:.ProgramData./i', '%ALLUSERSPROFILE%\\\\', 'ALL'), +(2, '/.:.Documents and Settings.All Users./i', '%ALLUSERSPROFILE%\\\\', 'ALL'), +(3, '/.:.Program Files.Common Files./i', '%COMMONPROGRAMFILES%\\\\', 'ALL'), +(4, '/.:.Program Files (x86).Common Files./i', 
'%COMMONPROGRAMFILES(x86)%\\\\', 'ALL'), +(5, '/.:.Users\\\\(.*?)\\\\AppData.Local.Temp./i', '%TEMP%\\\\', 'ALL'), +(6, '/.:.ProgramData./i', '%PROGRAMDATA%\\\\', 'ALL'), +(7, '/.:.Program Files./i', '%PROGRAMFILES%\\\\', 'ALL'), +(8, '/.:.Program Files (x86)./i', '%PROGRAMFILES(X86)%\\\\', 'ALL'), +(9, '/.:.Users.Public./i', '%PUBLIC%\\\\', 'ALL'), +(10, '/.:.Documents and Settings\\\\(.*?)\\\\Local Settings.Temp./i', '%TEMP%\\\\', 'ALL'), +(11, '/.:.Users\\\\(.*?)\\\\AppData.Local.Temp./i', '%TEMP%\\\\', 'ALL'), +(12, '/.:.Users\\\\(.*?)\\\\AppData.Local./i', '%LOCALAPPDATA%\\\\', 'ALL'), +(13, '/.:.Users\\\\(.*?)\\\\AppData.Roaming./i', '%APPDATA%\\\\', 'ALL'), +(14, '/.:.Users\\\\(.*?)\\\\Application Data./i', '%APPDATA%\\\\', 'ALL'), +(15, '/.:.Windows\\\\(.*?)\\\\Application Data./i', '%APPDATA%\\\\', 'ALL'), +(16, '/.:.Users\\\\(.*?)\\\\/i', '%USERPROFILE%\\\\', 'ALL'), +(17, '/.:.DOCUME~1.\\\\(.*?)\\\\/i', '%USERPROFILE%\\\\', 'ALL'), +(18, '/.:.Documents and Settings\\\\(.*?)\\\\/i', '%USERPROFILE%\\\\', 'ALL'), +(19, '/.:.Windows./i', '%WINDIR%\\\\', 'ALL'), +(20, '/.:.Windows./i', '%WINDIR%\\\\', 'ALL'), +(21, '/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{9}){1}(-[0-9]{10}){1}-[0-9]{9}-[0-9]{4}/i', 'HKCU', 'ALL'), +(22, '/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){2}-[0-9]{9}-[0-9]{4}/i', 'HKCU', 'ALL'), +(23, '/.REGISTRY.USER.S(-[0-9]{1}){2}-[0-9]{2}(-[0-9]{10}){3}-[0-9]{4}/i', 'HKCU', 'ALL'), +(24, '/.REGISTRY.MACHINE./i', 'HKLM\\\\', 'ALL'), +(25, '/.Registry.Machine./i', 'HKLM\\\\', 'ALL'), +(26, '/%USERPROFILE%.Application Data.Microsoft.UProof/i', '', 'ALL'), +(27, '/%USERPROFILE%.Local Settings.History/i', '', 'ALL'), +(28, '/%APPDATA%.Microsoft.UProof/i ', '', 'ALL'), +(29, '/%LOCALAPPDATA%.Microsoft.Windows.Temporary Internet Files/i', '', 'ALL'); + -- -------------------------------------------------------- diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php index dbdaaaa06..c32ce46db 100755 
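Review bot: Rows 4 and 8 still cannot match a literal `Program Files (x86)` directory: under MySQL's default string escaping the old `\(x86\)` was already stored as `(x86)` (a capture group around `x86`), and the new text writes that unescaped form directly, so a `C:\Program Files (x86)\...` path would presumably only be caught by row 7 and rewritten to `%PROGRAMFILES%\(x86)\...`; to match the parentheses literally the SQL needs `\\(x86\\)` (stored as `\(x86\)`), unless the script is loaded with NO_BACKSLASH_ESCAPES. Row 17, `/.:.DOCUME~1.\\\\(.*?)\\\\/i`, has an extra `.` between `DOCUME~1` and the escaped backslash that rows 16 and 18 do not, so it demands two characters before the user-name group and looks like a typo for `/.:.DOCUME~1\\\\(.*?)\\\\/i`. Row 28 carries a trailing space after the `/i` modifier; PHP tolerates it, but it is worth trimming. Rows 1/6 and 19/20 are duplicate patterns where only the first to be applied can ever fire, which predates this change but is easy to clean up now that rows carry explicit ids.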
--- a/app/Controller/EventsController.php +++ b/app/Controller/EventsController.php @@ -1995,14 +1995,22 @@ class EventsController extends AppController { public function _readGfiXML($data, $id) { $this->loadModel('Attribute'); - + $this->Event->recursive = -1; + $this->Event->read(array('id', 'uuid', 'distribution'), $id); // import XML class App::uses('Xml', 'Utility'); // now parse it $parsedXml = Xml::build($data, array('return' => 'simplexml')); - // xpath.. + if (Configure::read('MISP.default_attribute_distribution') != null) { + if (Configure::read('MISP.default_attribute_distribution') === 'event') { + $dist = $this->Event->data['Event']['distribution']; + } else { + $dist = ''; + $dist .= Configure::read('MISP.default_attribute_distribution'); + } + } //Payload delivery -- malware-sample $results = $parsedXml->xpath('/analysis'); foreach ($results as $result) { @@ -2013,13 +2021,13 @@ class EventsController extends AppController { $realMalware = $realFileName; $rootDir = APP . "files" . DS . $id . DS; $malware = $rootDir . DS . 'sample'; - $this->Event->Attribute->uploadAttachment($malware, $realFileName, true, $id); + $this->Event->Attribute->uploadAttachment($malware, $realFileName, true, $id, null, '', $this->Event->data['Event']['uuid'] . '-sample', $dist); //Network activity -- .pcap $realFileName = 'analysis.pcap'; $rootDir = APP . "files" . DS . $id . DS; $malware = $rootDir . DS . 'Analysis' . DS . 'analysis.pcap'; - $this->Event->Attribute->uploadAttachment($malware, $realFileName, false, $id, 'Network activity'); + $this->Event->Attribute->uploadAttachment($malware, $realFileName, false, $id, 'Network activity', '', $this->Event->data['Event']['uuid'] . '-analysis.pcap', $dist); //Artifacts dropped -- filename|md5 $files = array(); 
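Review bot: `$dist` is only assigned inside the `if (Configure::read('MISP.default_attribute_distribution') != null)` block, so when that setting is absent every later use in `_readGfiXML` — the `uploadAttachment` calls in the hunks at -2013 and -2068 and the `'distribution' => $dist` entries at -2093, -2103 and -2123 — reads an undefined variable and saves the attribute with a null distribution, leaving the level to whatever the database or model default happens to be. Initialise it before the block with a fail-closed value, `$dist = '0';` (the series' own IOCExportComponent treats `0` as not shareable), or fall back to the event's level once the read has succeeded. `$this->Event->read(...)` yields an empty result for an unknown `$id`, and the `$this->Event->data['Event']['distribution']` and `['uuid']` lookups that follow would then only emit notices, so the read result wants a check before it is used. The `$dist = ''; $dist .= ...` pair is a string cast in disguise; `$dist = (string) Configure::read('MISP.default_attribute_distribution');` reads more clearly. `_readGfiXML` continues past the hunk.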
@@ -2068,11 +2076,10 @@ class EventsController extends AppController { $extraPath = 'Analysis' . DS . 'proc_' . $index . DS . 'modified_files' . DS; $file = new File($actualFile); if ($file->exists()) { // TODO put in array for test later - $this->Event->Attribute->uploadAttachment($actualFile, $realFileName, true, $id, null, $extraPath, $keyName); // TODO was false + $this->Event->Attribute->uploadAttachment($actualFile, $realFileName, true, $id, null, $extraPath, $keyName, $dist); // TODO was false } else { } } - //Network activity -- ip-dst $ips = array(); $hostnames = array(); @@ -2093,6 +2100,7 @@ class EventsController extends AppController { 'category' => 'Network activity', 'type' => 'ip-dst', 'value' => $ip, + 'distribution' => $dist, 'to_ids' => false)); } foreach ($hostnames as $hostname) { @@ -2103,6 +2111,7 @@ class EventsController extends AppController { 'category' => 'Network activity', 'type' => 'hostname', 'value' => $hostname, + 'distribution' => $dist, 'to_ids' => false)); } // Persistence mechanism -- regkey|value 
@@ -2123,27 +2132,16 @@ class EventsController extends AppController { foreach ($regs as $key => $val) { // add attribute.. $this->Attribute->create(); - if ($val == '[binary_data]') { - $itsCategory = 'Artifacts dropped'; - $itsType = 'regkey'; - $itsValue = $key; - } else { - if ($this->strposarray($val,$actualFileNameArray)) { - $itsCategory = 'Persistence mechanism'; - $itsType = 'regkey|value'; - $itsValue = $key . '|' . $val; - } else { - $itsCategory = 'Artifacts dropped'; // Persistence mechanism - $itsType = 'regkey|value'; - $itsValue = $key . '|' . $val; - } - } - $this->Attribute->save(array( + if ($this->strposarray($val,$actualFileNameArray)) { + $this->Attribute->save(array( 'event_id' => $id, - 'category' => $itsCategory, // 'Persistence mechanism' - 'type' => $itsType, - 'value' => $itsValue, - 'to_ids' => false)); + 'category' => 'Persistence mechanism', // 'Persistence mechanism' + 'type' => 'regkey|value', + 'value' => $key . '|' . $val, + 'distribution' => $dist, + 'to_ids' => false + )); + } } } diff --git a/app/Model/Attribute.php b/app/Model/Attribute.php index 8c8b050ba..155bf9a6d 100755 --- a/app/Model/Attribute.php +++ b/app/Model/Attribute.php @@ -795,7 +795,7 @@ class Attribute extends AppModel { * * @return void */ - public function uploadAttachment($fileP, $realFileName, $malware, $eventId = null, $category = null, $extraPath = '', $fullFileName = '') { + public function uploadAttachment($fileP, $realFileName, $malware, $eventId = null, $category = null, $extraPath = '', $fullFileName = '', $dist) { // Check if there were problems with the file upload // only keep the last part of the filename, this should prevent directory attacks $filename = basename($fileP); 
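Review bot: The trailing comment `// 'Persistence mechanism'` now merely repeats the literal on the same line and should go, and with the `[binary_data]` and `Artifacts dropped` branches removed the `$this->Attribute->create()` call above the `if` runs for every registry entry even when nothing is saved, so it belongs inside the `if ($this->strposarray($val,$actualFileNameArray))` block. The decision to keep only registry keys whose value names a dropped file is recorded nowhere in the code; a one-line comment such as `// only keep registry entries whose value points at a file written by the sample` would save the next reader a trip to the commit log. The enclosing `foreach ($regs ...)` loop starts outside the hunk.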
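Review bot: `$dist` is declared as a required parameter after six optional ones, `$fullFileName = '', $dist`, which makes the earlier defaults unusable for positional callers and means any `uploadAttachment` caller not updated in this series now fails with a missing-argument error (PHP 8 additionally deprecates the declaration itself). Give it a fail-closed default, `$fullFileName = '', $dist = '0') {`, or move it ahead of the optional parameters if every caller can be updated. The docblock that ends just above the signature (`@return void`) does not describe the new parameter; add `@param string $dist distribution level stored on the new attribute`. The method body continues in the following hunks.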
@@ -804,12 +804,13 @@ class Attribute extends AppModel { // save the file-info in the database $this->create(); $this->data['Attribute']['event_id'] = $eventId; + $this->data['Attribute']['distribution'] = $dist; if ($malware) { $md5 = !$tmpfile->size() ? md5_file($fileP) : $tmpfile->md5(); $this->data['Attribute']['category'] = $category ? $category : "Payload delivery"; $this->data['Attribute']['type'] = "malware-sample"; $this->data['Attribute']['value'] = $fullFileName ? $fullFileName . '|' . $md5 : $filename . '|' . $md5; // TODO gives problems with bigger files - $this->data['Attribute']['to_ids'] = 1; // LATER let user choose to send this to IDS + $this->data['Attribute']['to_ids'] = 0; // LATER let user choose to send this to IDS } else { $this->data['Attribute']['category'] = $category ? $category : "Artifacts dropped"; $this->data['Attribute']['type'] = "attachment"; @@ -820,17 +821,13 @@ class Attribute extends AppModel { if ($this->save($this->data)) { // attribute saved correctly in the db } else { - // do some? + return; } // no errors in file upload, entry already in db, now move the file where needed and zip it if required. // no sanitization is required on the filename, path or type as we save // create directory structure - if (PHP_OS == 'WINNT') { - $rootDir = APP . "files" . DS . $eventId; - } else { - $rootDir = APP . "files" . DS . $eventId; - } + $rootDir = APP . "files" . DS . $eventId; $dir = new Folder($rootDir, true); // move the file to the correct location $destpath = $rootDir . DS . $this->getId(); // id of the new attribute in the database From 31477ac611acc68855b05e0a21dd35d4c674abcc Mon Sep 17 00:00:00 2001 From: iglocska Date: Wed, 18 Dec 2013 17:09:50 +0100 Subject: [PATCH 5/8] Few minor tweaks --- app/Controller/AttributesController.php | 2 +- app/Controller/UsersController.php | 2 +- app/View/Users/login.ctp | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) 
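Review bot: Flipping `to_ids` from `1` to `0` for malware-sample attributes is a behaviour change the patch description does not list: samples imported through this path will no longer be flagged for IDS export, which affects the NIDS output rather than the GFI distribution bug the series is about. If it is intentional, say so next to the line, e.g. `// malware samples are not pushed to IDS by default (see LATER note above)`, and mention it in the commit message; otherwise it looks like a stray edit. `$tmpfile` and the rest of the method are outside the hunk.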
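Review bot: Replacing the empty `else` with a bare `return;` still hides a failed save from the caller: the method is documented `@return void`, so `_readGfiXML` cannot tell that the attachment row was never created and continues as if the file had been stored. Return `false` here and log the model's validation errors, e.g. `CakeLog::write('error', 'Attachment save failed: ' . json_encode($this->validationErrors)); return false;`, with a matching `return true;` on the success path outside the hunk and `@return bool` in the docblock, so callers can check. Collapsing the two identical `PHP_OS` branches into one `$rootDir` assignment is fine. The method continues past the hunk.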
diff --git a/app/Controller/AttributesController.php b/app/Controller/AttributesController.php index f8ed7ed69..4d1edaf05 100755 --- a/app/Controller/AttributesController.php +++ b/app/Controller/AttributesController.php @@ -589,7 +589,7 @@ class AttributesController extends AppController { else $attribute['type'] = 'comment'; $attribute['value'] = $reference; - $attribute['distribution'] = 3; // 'All communities' + $attribute['distribution'] = '3'; // 'All communities' // add attribute to the array that will be saved $attributes[] = $attribute; } diff --git a/app/Controller/UsersController.php b/app/Controller/UsersController.php index abfd1a380..02b68c229 100755 --- a/app/Controller/UsersController.php +++ b/app/Controller/UsersController.php @@ -424,7 +424,7 @@ class UsersController extends AppController { $params = array('recursive' => 0, 'fields' => $fields, 'group' => array('User.org'), - 'order' => array('User.org'), + 'order' => array('UPPER(User.org)'), ); $orgs = $this->User->find('all', $params); $this->set('orgs', $orgs); diff --git a/app/View/Users/login.ctp b/app/View/Users/login.ctp index 6b0e6ea8f..18471aad2 100755 --- a/app/View/Users/login.ctp +++ b/app/View/Users/login.ctp @@ -2,7 +2,7 @@ Session->flash('auth'); ?> - +
- + Date: Thu, 19 Dec 2013 14:08:35 -0500 Subject: [PATCH 6/8] Error When Exporting as IOC if not Site Admin Fixed Syntax error if not site admin.. also fix in event component which was comparing wrong values to establish ownership of event --- app/Controller/Component/IOCExportComponent.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Controller/Component/IOCExportComponent.php b/app/Controller/Component/IOCExportComponent.php index a9576ce6a..1c4b8b9a5 100644 --- a/app/Controller/Component/IOCExportComponent.php +++ b/app/Controller/Component/IOCExportComponent.php @@ -7,7 +7,7 @@ class IOCExportComponent extends Component { public function buildAll($event, $isSiteAdmin, $isMyEvent) { $temp = array(); if (!$isSiteAdmin) { - if ($event['Event']['distribution'] == 1 && !$isMyEvent && !isSiteAdmin) { + if (!$isMyEvent) { throw new Exception('Nothing to see here (not authorised)'); } } From 6a4b4d2870d6d7063c3eeb1046732eac76cf6b05 Mon Sep 17 00:00:00 2001 From: Chris Clark Date: Thu, 19 Dec 2013 14:11:17 -0500 Subject: [PATCH 7/8] Error When Exporting as IOC if not Site Admin This was comparing the wrong value to the event org to determine org membership and thus $isMyEvent value for privileges for export of IOCs if not a site admin. --- app/Controller/EventsController.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/Controller/EventsController.php b/app/Controller/EventsController.php index c32ce46db..c2b4779b5 100755 --- a/app/Controller/EventsController.php +++ b/app/Controller/EventsController.php 
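Review bot: The new `if (!$isMyEvent)` check denies every event not owned by the caller's organisation, including events whose distribution level shares them beyond the owner; patch 8 in this series narrows it again, so the two commits are best squashed so no intermediate revision leaves shared events unexportable. The thrown type is a bare `Exception`, which CakePHP 2's error handler renders as a 500 rather than a 403; `throw new ForbiddenException('Nothing to see here (not authorised)');` keeps the message and gives the correct status. `buildAll` continues outside the hunk.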
@@ -2201,7 +2201,7 @@ class EventsController extends AppController { //$event['Attribute'] = $this->Whitelist->removeWhitelistedFromArray($event['Attribute'], false); // set up helper variables for the authorisation check in the component $isMyEvent = false; - if ($this->Auth->User == $event['Event']['org']) $isMyEvent = true; + if ($this->Auth->User('org') == $event['Event']['org']) $isMyEvent = true; $isSiteAdmin = $this->_isSiteAdmin(); // send the event and the vars needed to check authorisation to the Component From 8678103d5925bc29c203d8e81b6d5a33c64c4ebb Mon Sep 17 00:00:00 2001 From: Chris Clark Date: Thu, 19 Dec 2013 14:27:53 -0500 Subject: [PATCH 8/8] Tweak to allow IOC Export of events you don't own but are shared --- app/Controller/Component/IOCExportComponent.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/app/Controller/Component/IOCExportComponent.php b/app/Controller/Component/IOCExportComponent.php index 1c4b8b9a5..c056f0f1b 100644 --- a/app/Controller/Component/IOCExportComponent.php +++ b/app/Controller/Component/IOCExportComponent.php @@ -8,7 +8,9 @@ class IOCExportComponent extends Component { $temp = array(); if (!$isSiteAdmin) { if (!$isMyEvent) { + if ($event['Event']['distribution'] == 0) { throw new Exception('Nothing to see here (not authorised)'); + } } } $this->__buildTop($event);
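Review bot: The ownership test is a loose `==` between `$this->Auth->User('org')` and `$event['Event']['org']`; for a session without a user `User('org')` presumably returns null, and `null == ''` is true in PHP, so an event with an empty org would be treated as the caller's own. Use a strict comparison and drop the flag dance, `$isMyEvent = ($this->Auth->User('org') === $event['Event']['org']);`. Whether this action is reachable without a login depends on the controller's `beforeFilter`, which is outside the hunk.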
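Review bot: The authorisation now rests solely on the event-level `distribution`, while patch 4 in the same series adds a per-attribute `distribution`; whether `$event['Attribute']` has already been filtered by the viewer's organisation before `buildAll` is called is not visible on this page, and if it has not, an event shared at a level above `0` will still export attributes their owner marked `0`. Either document at the top of `buildAll` that the caller guarantees a pre-filtered attribute list, or drop org-only attributes on this non-admin, non-owner path before `__buildTop`, e.g. `$event['Attribute'] = array_filter($event['Attribute'], function ($a) { return $a['distribution'] != 0; });`. The comparison `$event['Event']['distribution'] == 0` is loose but fails closed when the value is missing, since `null == 0` holds; `(int) $event['Event']['distribution'] === 0` states that intent explicitly.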