4.4.2 release

Author: toddbruner

etc/testlog.conf

@@ -3,5 +3,5 @@ log4perl.appender.FlairLog = Log::Log4perl::Appender::File
 log4perl.appender.FlairLog.mode = append
 log4perl.appender.FlairLog.filename = /var/log/flair/test.log
 log4perl.appender.FlairLog.layout = Log::Log4perl::Layout::PatternLayout
-log4perl.appender.FlairLog.layout.ConversionPattern = %d %7p %10F{1}:%4L %m%n
+log4perl.appender.FlairLog.layout.ConversionPattern = %d %7p %15F{1}:%4L %m%n
 

lib/Flair/Config.pm

@@ -89,7 +89,7 @@ log4perl.appender.FlairLog = Log::Log4perl::Appender::File
 log4perl.appender.FlairLog.mode = append 
 log4perl.appender.FlairLog.filename = $logfile
 log4perl.appender.FlairLog.layout = Log::Log4perl::Layout::PatternLayout
-log4perl.appender.FlairLog.layout.ConversionPattern = %d %5p [%12F:%4L] %m%n
+log4perl.appender.FlairLog.layout.ConversionPattern = %d %5p %15F{1}:%4L %m%n
             },
         },
         hypnotoad   => {

lib/Flair/Parser.pm

@@ -167,6 +167,7 @@ sub post_match_actions ($self, $match, $et, $edb, $falsepos) {
     return $self->domain_action($match, $edb, $falsepos)    if $et eq "domain";
     return $self->ipaddr_action($match, $edb, $falsepos)    if $et eq "ipaddr";
     return $self->ipv6_action($match, $edb, $falsepos)      if $et eq "ipv6";
+    return $self->ipv6mixed_action($match, $edb, $falsepos) if $et eq "ipv6mixed";
     return $self->email_action($match, $edb, $falsepos)     if $et eq "email";
     return $self->cve_action($match, $edb, $falsepos)       if $et eq "cve";
     return $self->internal_link($match, $edb, $falsepos)    if $et eq "internal_link";
@@ -344,6 +345,30 @@ sub ipv6_action ($self, $match, $edb, $falsepos) {
     return $self->create_span($standardized, 'ipv6');
 }
 
+sub ipv6mixed_action ($self, $match, $edb, $falsepos) {
+    # see if Net::IPv6Addr things this is a valid ipv6 address
+    $self->log->debug("Checking $match for IPv6-ness");
+    my $ipobj   = try {
+        return Net::IPv6Addr->new($match);
+    }
+    catch {
+        $self->log->warn("invalid IPv6");
+        return undef;
+    };
+
+    if (not defined $ipobj or ref($ipobj) ne "Net::IPv6Addr") {
+        $self->log->warn("failed to validate potential ipv6: $match: $_");
+        return undef;
+    }
+
+    # it is!
+    my $standardized = $ipobj->to_string_ipv4();
+    $self->log->debug("Standardized as $standardized");
+    $self->add_entity($edb, $standardized, 'ipv6');
+    return $self->create_span($standardized, 'ipv6');
+
+}
+
 sub suricata_ipv6_action ($self, $match, $edb, $falsepos) {
     # suricata puts a :portnum on the end of the ipv6 addr
     my @parts   = split(/:/, $match);
@@ -437,13 +462,19 @@ sub message_id_action ($self, $match, $edb,$falsepos) {
 sub create_span ($self, $match, $et) {
     # wrap match string in a span
     $self->log->debug("creating entity span for $match type $et");
+    my $text = $match;
+    if ($et eq "message_id") {
+        # scot4/scot4 issue #602: <[email protected]> needs to be &lt;[email protected]%gt;
+        $text =~ s/</&lt;/;
+        $text =~ s/>/&gt;/;
+    }
     my $element = HTML::Element->new(
         'span',
         'class'             => "entity $et",
         'data-entity-type'  => $et,
         'data-entity-value' => lc($match),
     );
-    $element->push_content($match);
+    $element->push_content($text);
     return $element;
 }
 

lib/Flair/Processor.pm

@@ -524,7 +524,7 @@ sub class_is ($self, $node, $match) {
 }
 
 sub is_flair_override_span ($self, $node) {
-    # ideas is to detect <span class="flairoverride" data-entity-type="type">sting</span>
+    # ideas is to detect <span class="flairoverride" data-entity-type="type">string</span>
     # and create an entity of type "type" without actually doing the parsing
     if ($self->node_is_span($node)) {
         my $class   = $node->attr('class');
@@ -544,6 +544,7 @@ sub extract_flair_override($self, $node, $edb) {
     my $text    = pop @content;
     # get type
     my $type = $node->attr('data-entity-type');
+    $self->log->debug("Detected Flair Override for $type = $text");
     # add it to edb
     $edb->{$type}->{$text}++;
     # rewrite <span> to be a standard flair span

lib/Flair/Regex.pm

@@ -11,11 +11,11 @@ sub core_regex_names ($self) {
     my @list    = (qw(
         cve 
         cidr 
+        ipv6_mixed 
         ipv6_suricata 
         ipv6_standard 
         ipv6_compressed 
         ipv6_cmp8colons 
-        ipv6_mixed 
         ipv4 
         uuid1 
         clsid 
@@ -37,6 +37,9 @@ sub core_regex_names ($self) {
         sid
         useragent
         snumber
+        suser
+        snlserver1
+        snlserver2
     ));
     # omitted uri on purpose, not ready for prime time
     return wantarray ? @list : \@list;
@@ -151,7 +154,7 @@ sub ipv6_compressed ($self) {
         }xims,
         entity_type => 'ipv6',
         regex_type  => 'core',
-        re_order    => 33,
+        re_order    => 34,
         multiword   => 0,
     };
 }
@@ -165,7 +168,7 @@ sub ipv6_cmp8colons ($self ) {
         }xims,
         entity_type => 'ipv6',
         regex_type  => 'core',
-        re_order    => 33,
+        re_order    => 35,
         multiword   => 0,
     };
 }
@@ -193,7 +196,7 @@ sub ipv6_mixed ($self ) {
           # 255
           (?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])
         }xims,
-        entity_type => 'ipv6',
+        entity_type => 'ipv6mixed',
         regex_type  => 'core',
         re_order    => 33,
         multiword   => 0,
@@ -593,6 +596,54 @@ sub snumber ($self) {
     };
 }
 
+sub suser ($self) {
+    return {
+        name    => 'suser',
+        description => 'Sandia Username',
+        regex       => qr{
+            \b
+            SANDIA\\\S+
+            \b
+        }xims,
+        entity_type => 'suser',
+        regex_type  => 'core',
+        re_order    => 210,
+        multiword   => 1,
+    };
+}
+
+sub snlserver1 ($self) {
+    return {
+        name    => 'snlserver1',
+        description => 'Sandia Server Name',
+        regex   => qr{
+            \b
+            as\d+snllx
+            \b
+        }xims,
+        entity_type => 'sandiaserver',
+        regex_type  => 'core',
+        re_order    => 300,
+        multiword   => 0,
+    };
+}
+
+sub snlserver2 ($self) {
+    return {
+        name    => 'snlserver2',
+        description => 'Sandia Server Name',
+        regex   => qr{
+            \b
+            as\d+mcslx
+            \b
+        }xims,
+        entity_type => 'sandiaserver',
+        regex_type  => 'core',
+        re_order    => 300,
+        multiword   => 0,
+    };
+}
+
 # RE{URI} from REGEX::COMMON can not handle URI's with # in them
 # which renders it kind of useless.
 #sub uri ($self) {

lib/Flair/Util/HTML.pm

@@ -37,9 +37,23 @@ sub build_html_tree ($text) {
        $tree    ->ignore_unknown(0);     # allow stuff like <figure/>
        $tree    ->parse_content($text);
        $tree    ->elementify;
+    ##
+    ## when dumping the tree as plain text, any tables will have cells 
+    ## smashed together.  This function will add some spaces to tree 
+    ## and will fix this
+    insert_table_element_spaces($tree);
     return $tree;
 }
 
+sub insert_table_element_spaces ($tree) {
+    foreach my $td ($tree->look_down('_tag', 'td')) {
+        $td->preinsert(" ");
+    }
+    foreach my $th ($tree->look_down('_tag', 'th')) {
+        $th->preinsert(" ");
+    }
+}
+
 sub output_tree_html ($tree) {
     # a $tree is full document, we really only want body
     my $body    = $tree->look_down('_tag', 'body');

t/parser.t

@@ -50,7 +50,7 @@ ok ($db->dbh->migrations->from_file($migfile)->migrate(0)->migrate,
 
 # need to populate flair table
 # only if we want to test user defined flair
-# $db->regex->populate_regex_table($config->{database}->{udef_file});
+$db->regex->populate_regex_table($config->{database}->{udef_file});
 
 my $parser  = Flair::Parser->new(log => $log, db => $db, scot_external_hostname => 'scot.watermelon.com');
 ok(defined $parser, "Parser instantiated") or die "Failed to instantiate parser";
@@ -83,7 +83,7 @@ foreach my $df (@data_files) {
     delete $edb->{cache};
 
     is ($result, $test->{expect}, "Flaired Text Correctly in $df")
-    or hdiff($result, $test->{expect});
+    or xdiff($result, $test->{expect});
 
     cmp_deeply($edb, $test->{entities}, "EDB Correct in $df")
     or die "EDB Differs: ".Dumper($edb, $test);
@@ -108,6 +108,28 @@ sub hdiff {
     die "Produced HTML differs";
 }
 
+sub xdiff {
+    my $g   = shift;
+    my $e   = shift;
+
+    for (my $i = 0; $i < length($g); $i++) {
+        my $gchar = substr($g, $i, 1);
+        my $echar = substr($e, $i, 1);
+
+        if ($gchar eq $echar) {
+            print $gchar;
+            next;
+        }
+
+        print "\n at char $i, test output differs from expected output\n";
+        print "[test] = $gchar\n";
+        print "[exp ] = $echar\n";
+        last;
+    }
+    die "Produced HTML differs";
+}
+
+
 
 
 

t/parser_test_data/cap_1

@@ -0,0 +1,15 @@
+{
+    text    => <<~'EOF',
+        This APT5 looks weird.
+        EOF
+
+    expect  => <<~'EOF',
+        This <span class="entity threat-actor" data-entity-type="threat-actor" data-entity-value="apt5">APT5</span> looks weird.
+        EOF
+
+    entities    => {
+        "threat-actor"    => {
+            "apt5" => 1,
+        },
+    },
+}

t/parser_test_data/email_header_1

@@ -10,17 +10,17 @@
             <CC6PR09MB885690CE7881A6F17EDB745EBCB1A@CO6PR09MB8856.namprd0.prod.outlook.com>
         References:
         EOF
-    # note: these should be emails, but I'm doing message-ids because I have 
+    # note: these should be emails, but I'm doing message-ids because I have not
     # fixed this yet but need this test to pass
     expect  => <<~'EOF',
-        From: "Benz, Mercedes" <span class="entity message_id" data-entity-type="message_id" data-entity-value="<[email protected]>"><[email protected]></span>
-        To: "Qzzzz, Alll A." <span class="entity message_id" data-entity-type="message_id" data-entity-value="<[email protected]>"><[email protected]></span>, "Blue, Bird"
-            <span class="entity message_id" data-entity-type="message_id" data-entity-value="<[email protected]>"><[email protected]></span>
-        CC: HoneyBear <span class="entity message_id" data-entity-type="message_id" data-entity-value="<[email protected]>"><[email protected]></span>
+        From: "Benz, Mercedes" <span class="entity message_id" data-entity-type="message_id" data-entity-value="<[email protected]>">&lt;[email protected]&gt;</span>
+        To: "Qzzzz, Alll A." <span class="entity message_id" data-entity-type="message_id" data-entity-value="<[email protected]>">&lt;[email protected]&gt;</span>, "Blue, Bird"
+            <span class="entity message_id" data-entity-type="message_id" data-entity-value="<[email protected]>">&lt;[email protected]&gt;</span>
+        CC: HoneyBear <span class="entity message_id" data-entity-type="message_id" data-entity-value="<[email protected]>">&lt;[email protected]&gt;</span>
         Subject: Re: Cyber Incident Reported
         Thread-Topic: Cyber Incident Reported
         Message-ID:
-            <span class="entity message_id" data-entity-type="message_id" data-entity-value="<cc6pr09mb885690ce7881a6f17edb745ebcb1a@co6pr09mb8856.namprd0.prod.outlook.com>"><CC6PR09MB885690CE7881A6F17EDB745EBCB1A@CO6PR09MB8856.namprd0.prod.outlook.com></span>
+            <span class="entity message_id" data-entity-type="message_id" data-entity-value="<cc6pr09mb885690ce7881a6f17edb745ebcb1a@co6pr09mb8856.namprd0.prod.outlook.com>">&lt;CC6PR09MB885690CE7881A6F17EDB745EBCB1A@CO6PR09MB8856.namprd0.prod.outlook.com&gt;</span>
         References:
         EOF
 

t/parser_test_data/file_3

@@ -4,12 +4,15 @@
         EOF
 
     expect  => <<~'EOF',
-        Sep 10, 2018 07:33:38 AM Error [ajp-nio-8016-exec-6] - Error Executing Database Query.[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect syntax near '='. The specific sequence of files included or processed is: /mnt/gfs/cfdocs/eCATT/templates/<span class="entity file" data-entity-type="file" data-entity-value="pgas_rslts.cfm">pgas_rslts.cfm</span>, line: 235
+        Sep 10, 2018 07:33:38 AM Error [ajp-nio-8016-exec-6] - Error Executing Database Query.[Macromedia][SQLServer JDBC Driver][SQLServer]Incorrect syntax near '='. The specific sequence of files included or processed is: /mnt/gfs<span class="entity cf_site" data-entity-type="cf_site" data-entity-value="/cfdocs/ecatt/">/cfdocs/eCATT/</span>templates/<span class="entity file" data-entity-type="file" data-entity-value="pgas_rslts.cfm">pgas_rslts.cfm</span>, line: 235
         EOF
 
     entities    => {
         file    => {
             'pgas_rslts.cfm' => 1,
         },
+        cf_site => {
+            '/cfdocs/ecatt/' => 1,
+        },
     },
 }