fir's People

Contributors

artiommocrenco, augustin-fl, benjimons, bitsofgrace86, burdenless, certsocietegenerale, er587, erturpin, gaelmuller, gcrahay, heat-miser, jbaptperez, jdubois, jipegit, juffardm, mbonino, p-l-, pandafosec, rafiot, shinichii, tomchop, tuantmb, udgover, vacmf, y9mo

fir's Issues

Searching on text in nuggets

Should it be possible to search on indicators such as IP addresses and domains using the search box at the top of the screen? This doesn't seem to work for me, although if I go to a case containing the indicator I can search by clicking on it.

The only field which appears to be searchable from the search box is the title field.

Aside from that I think it's a great system. Many thanks for making it available.

ImportError at /

I followed the instructions for a dev / test version. When I go to http://localhost:8000, though, I get the following. (A PR is incoming immediately following this issue!)

ImportError at /
No module named six
Request Method: GET
Request URL:    http://localhost:8000/
Django Version: 1.7.6
Exception Type: ImportError
Exception Value:    
No module named six
Exception Location: /home/kmaxwell/src/FIR/venv/local/lib/python2.7/site-packages/dateutil/relativedelta.py in <module>, line 5
Python Executable:  /home/kmaxwell/src/FIR/venv/bin/python
Python Version: 2.7.6
Python Path:    
['/home/kmaxwell/src/FIR',
 '/home/kmaxwell/src/FIR/venv/lib/python2.7',
 '/home/kmaxwell/src/FIR/venv/lib/python2.7/plat-x86_64-linux-gnu',
 '/home/kmaxwell/src/FIR/venv/lib/python2.7/lib-tk',
 '/home/kmaxwell/src/FIR/venv/lib/python2.7/lib-old',
 '/home/kmaxwell/src/FIR/venv/lib/python2.7/lib-dynload',
 '/usr/lib/python2.7',
 '/usr/lib/python2.7/plat-x86_64-linux-gnu',
 '/usr/lib/python2.7/lib-tk',
 '/home/kmaxwell/src/FIR/venv/local/lib/python2.7/site-packages']
Server time:    Thu, 12 Mar 2015 20:57:49 +0100
Traceback

/home/kmaxwell/src/FIR/venv/local/lib/python2.7/site-packages/django/core/handlers/base.py in get_response
    resolver_match = resolver.resolve(request.path_info)
/home/kmaxwell/src/FIR/venv/local/lib/python2.7/site-packages/django/core/urlresolvers.py in resolve
    for pattern in self.url_patterns:
/home/kmaxwell/src/FIR/venv/local/lib/python2.7/site-packages/django/core/urlresolvers.py in url_patterns
    patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
/home/kmaxwell/src/FIR/venv/local/lib/python2.7/site-packages/django/core/urlresolvers.py in urlconf_module
    self._urlconf_module = import_module(self.urlconf_name)
/usr/lib/python2.7/importlib/__init__.py in import_module
    __import__(name)
/home/kmaxwell/src/FIR/fir/urls.py in <module>
    url(r'^incidents/', include('incidents.urls', namespace='incidents')),
/home/kmaxwell/src/FIR/venv/local/lib/python2.7/site-packages/django/conf/urls/__init__.py in include
    urlconf_module = import_module(urlconf_module)
/usr/lib/python2.7/importlib/__init__.py in import_module
    __import__(name)
/home/kmaxwell/src/FIR/incidents/urls.py in <module>
    from incidents import views
/home/kmaxwell/src/FIR/incidents/views.py in <module>
    from dateutil.relativedelta import *
/home/kmaxwell/src/FIR/venv/local/lib/python2.7/site-packages/dateutil/relativedelta.py in <module>
    from six import integer_types
You're seeing this error because you have DEBUG = True in your Django settings file. Change that to False, and Django will display a standard 500 page.

Question: Incident ID

Hi,
Is there a way to display the ID of each incident on the "dashboard" page or "incident" page at least?

Feature request: Ability to export stats

Good morning,
It would be most useful if stats results (mainly the list of matching incidents) could be exported as an excel/csv/pdf or any other format file.
Also if this option would be available in the incidents/events tab.
If not possible/feasible I will try to implement it myself.
Thank you very much for this excellent solution.
Claudiu

User permissions

Hi,
I tried to create 2 users to check if I can manage their permissions. I would like that user2 can't modify incidents created by user1 (for example, user2 could add some comments, artefacts etc. but couldn't modify some important information like date / log / artefact etc. added by user1. Only user1 or the "super user" could).
It seems that a user with the "incident handler" permission can do everything: add, edit, delete all objects.
I checked permissions in the admin panel, but after having tried many configurations, I never succeeded in getting the behavior I expect.
Moreover, when a user does not have the "incident handler" permission but has other permissions like "add incident", he can't access the "Incident page".

Maybe it's not your intention to handle such a small granularity of permissions. Or maybe I have to check more information about Django / FIR code.

Feature Request: Restrict Business Line Access

Hi,

This tool is fantastic! We are looking at giving members of various business units access to FIR. But we don't want them to see everything, just the incidents for their Business Unit. A feature where we could restrict that access would be fantastic.

Thanks,
Ben

Bad Request (400) after installing FIR

I followed the instructions in the production installation part, and when I'm trying to access the webpage I'm getting a Bad Request (400) error. No clues in the Nginx log files.

Delete incident comments

When a user deletes all the incident comments, you can't load the incident list.
The graphical interface says: "loading...".

The user only needs to do it for 1 incident among all incidents to get this issue.

No errors are present in the logs.

If you need anything else don't hesitate to ask!

Issue running ./manage.py syncdb for Development Install

Running into an issue when I get to the step of ./manage.py syncdb: it would appear that syncdb is no longer an option based on what I'm seeing in the help. Also found an article on Stack Overflow stating that syncdb has gone away and to use migrate.

When I run ./manage.py migrate instead I get an error of:

File "./manage.py", line 8 in
from django.core.management import execute_from_command_line
ImportError: no module named django.core.management

then dumps me back to my virtual environment.

Question: requirements

Some requirements (/requirements.txt) seem unused, such as:

  • pymongo
  • argparse
  • lxml

Did I miss something?

EDIT: (It seems to be related to #3 )
EDIT2: pymongo is used for bson, my bad.

Install trouble

Well...I followed everything pretty much to the letter. I'm greeted with:

Bad Request (400)

When I try anything, so I think this is an nginx issue. Things I need clarification on:
production.py - ALLOWED_HOSTS = ['localhost'] <- what is this for?

This is the first time I've EVER used nginx, so I'm not sure what I need to do.
in file /etc/nginx/sites-available/fir

I have
server {
server_name ip.address;

This server is internal and will be accessed by IP. I'd like to ideally have:

http://server.ip.address/fir

As the link. I'm getting close, but right now all I get is the Bad Request (400) as above. Thanks for any help.
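
With DEBUG off, Django answers 400 to any request whose Host header matches no entry in `ALLOWED_HOSTS`, which is what the setting asked about above (and in the earlier "Bad Request (400)" report) controls. The sketch below is an added example, not FIR's or Django's own code: a simplified model of the documented matching rules, with a constructed IP address and hostnames.

```python
import re

# Accepts hostnames, IPv4 literals and bracketed IPv6 literals, with an
# optional port. Anything else (spaces, slashes, ...) is rejected outright.
_HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9:.]+\])(:[0-9]+)?$")


def split_host_port(host_header):
    """Return (host, port) from a Host header, or ('', '') if malformed."""
    host = host_header.lower()
    if not _HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):            # bare IPv6 literal, no port
        return host, ""
    name, sep, port = host.rpartition(":")
    if not sep:                       # no port present
        name, port = host, ""
    if name.endswith("."):            # a trailing dot (FQDN form) is ignored
        name = name[:-1]
    return name, port


def host_matches(host, pattern):
    """'*' matches anything, '.example.com' matches the domain and its
    subdomains, everything else must be an exact match."""
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def status_for(host_header, allowed_hosts):
    """HTTP status a production (DEBUG off) deployment would return, as far
    as host validation alone is concerned."""
    host, _port = split_host_port(host_header)
    if host and any(host_matches(host, p) for p in allowed_hosts):
        return 200
    return 400


if __name__ == "__main__":
    # Constructed cases: 192.0.2.10 stands in for the internal server's IP.
    cases = [
        ("192.0.2.10", ["localhost"]),                 # the situation in the post
        ("192.0.2.10", ["localhost", "192.0.2.10"]),   # IP added to the list
        ("localhost:8000", ["localhost"]),
        ("fir.example.com", [".example.com"]),
        ("other.example.net", [".example.com"]),
    ]
    for header, allowed in cases:
        print("%-20s %-32s -> %d" % (header, allowed, status_for(header, allowed)))
```

The value being checked is whatever Host header reaches Django, so a reverse proxy that rewrites or forwards the header determines which entry has to be listed.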

Error(s) on Setting up a development environment steps

  1. Under the step Fork the GitHub repo and clone it the instructions state to:

$ git clone https://github.com/<yourhandlehere>/FIR.git

which should read:

$ git clone https://github.com/certsocietegenerale/FIR.git

^ This is also how it's stated within https://github.com/certsocietegenerale/FIR/wiki/Installation-on-a-production-environment

  2. Under the step Create the tables in the database the instructions state to:

$ ./manage.py syncdb --noinput
$ ./manage.py migrate

however, running migrate prior to/without makemigrations resulted in the following error:

(env-FIR)hithere@yourhouse:~/Desktop/FIR# ./manage.py migrate
Operations to perform:
  Synchronize unmigrated apps: fir_alerting
  Apply all migrations: fir_nuggets, fir_artifacts, sessions, admin, sites, auth, fir_todos, contenttypes, incidents
Synchronizing apps without migrations:
  Creating tables...
  Installing custom SQL...
  Installing indexes...
Running migrations:
  No migrations to apply.
  Your models have changes that are not yet reflected in a migration, and so won't be applied.
  Run 'manage.py makemigrations' to make new migrations, and then re-run 'manage.py migrate' to apply them.

Feature Request: Create Events without logging in

Hi,

would it be possible to add the possibility for anyone to create Events (by filling in a basic form with certain mandatory fields) without having an account on the tool?
The idea is that anyone should be able to report security events, that after review, are escalated to incidents or not...

Production Install: Superuser Credentials

I have probably missed something obvious here, but when I get to the ...

"Point your web browser to http://fir.domain.com/admin/ and log in with the superuser credentials you specified during install."

... step, I don't remember specifying any credentials.

I looked back at the earlier steps and tried the admin:admin credentials that worked in the development install.

Can whatever I missed be better emphasized in the Production Install instructions?

Let me know.

Thanks.

Stored XSS in the comment field

Comment is vulnerable to XSS

PoC: submit the following as the POST request body:

csrfmiddlewaretoken=9zdYmbOteXVHKiJBezS05DT23diCYDwU&action=6&date=2015-12-18+13%3A41&comment=“><script>alert(1)</script>

A subsequent visit to the event will result in a popup.
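
The report above, reproduced offline as an added example (not FIR's code): the same comment value is written into markup unescaped, escaped, and through a strict allow-list for rich text, then each output is parsed to see whether active content survived. The renderers, the tag allow-list and the placeholder CSRF token are assumptions, and the comment's leading quote is written as a plain ASCII double quote.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed request body modelled on the report (placeholder token).
POST_BODY = ('csrfmiddlewaretoken=PLACEHOLDER&action=6&date=2015-12-18+13%3A41'
             '&comment="><script>alert(1)</script>')

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "code"}
VOID_TAGS = {"br"}
DROP_WITH_CONTENT = {"script", "style"}


def extract_comment(body):
    """Decode the form body the way a web framework would."""
    return parse_qs(body)["comment"][0]


def render_unescaped(comment):
    """Hypothetical vulnerable view: the stored value is emitted as markup."""
    return '<div class="comment">' + comment + "</div>"


def render_escaped(comment):
    """Same view with output encoding: the value can only ever be text."""
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


class _AllowListSanitizer(HTMLParser):
    """Re-serialises input, keeping ALLOWED_TAGS only and no attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip += 1
        elif tag in ALLOWED_TAGS and not self._skip:
            self.out.append("<%s>" % tag)   # attributes are never copied

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self._skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=True))


def sanitize_rich_text(comment):
    """For fields that must accept formatting: allow-list, then re-emit."""
    parser = _AllowListSanitizer()
    parser.feed(comment)
    parser.close()
    return "".join(parser.out)


class _ActiveContentFinder(HTMLParser):
    """Flags script elements and inline event handlers in rendered markup."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.findings.append("event handler %s on <%s>" % (name, tag))


def active_content(markup):
    finder = _ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    comment = extract_comment(POST_BODY)
    for label, rendered in (
        ("unescaped", render_unescaped(comment)),
        ("escaped", render_escaped(comment)),
        ("allow-list", sanitize_rich_text("<b>note</b> " + comment)),
    ):
        print("%-10s %-70s %s" % (label, rendered, active_content(rendered)))
```

The `active_content` check also works as a regression test: run it over the rendered page for a stored comment and fail the build if it returns anything.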

Questions and feature request

So....what's a "Blocked" incident? And is there a way to get Events to show up in the Dashboard and in the Stats page? I currently have added just a test Event only which is closed and I don't see it in either of the above. Thank you.

Timezone issues

When I create a new incident, it appears to get stored in the DB with the wrong TZ (UTC+1?). This throws off my dashboard and incident views by 6 hours (which will of course vary for anyone not in UTC+1).

Below are screenshots of incidents I just created in a test instance at about 1320 local time, not 1920 as the DB seems to have.


[Screenshot: fir-dashboard]

[Screenshot: fir-incident]

Question: Listening Interface

Question

Is there any way to have the Dev install listen on more than the 127.0.0.1:8000 interface? I installed the app on Ubuntu server but can't access it from outside of the server.

Firewall has been enabled to allow access to port 8000 from anywhere. Small lab environment.

@ubuntu:~$ sudo ufw status
Status: active

To                         Action      From
8000                       ALLOW       Anywhere
22                         ALLOW       Anywhere
8000 (v6)                  ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)

@ubuntu:~$ netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN

Feature Request: Template Tasks list by incident type

For each incident type, the list of tasks to be done and who should do it in a team are very similar from one incident to the next one.
Each incident type should have a template that contains the basic list of tasks that an organization follows to handle an incident (based on NIST maybe?)

Feature Request: Incident ID field

Hello, I notice in the URL that there is an incident/event ID. However this is not displayed on the ticket or the list of incidents/events. For deploying this in a SOC where there are lots of events and incidents it would be useful to search via an incident/event ID.

Thanks

Broken build using Dockerfile

Step 14 : RUN ./manage.py migrate && ./manage.py loaddata incidents/fixtures/seed_data.json && ./manage.py loaddata incidents/fixtures/dev_users.json && cp fir/urls.py.sample fir/urls.py
---> Running in 4c4f1d21688a

Traceback (most recent call last):
  File "./manage.py", line 10, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 353, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/__init__.py", line 345, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 348, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 398, in execute
    self.check()
  File "/usr/local/lib/python2.7/dist-packages/django/core/management/base.py", line 426, in check
    include_deployment_checks=include_deployment_checks,
  File "/usr/local/lib/python2.7/dist-packages/django/core/checks/registry.py", line 75, in run_checks
    new_errors = check(app_configs=app_configs)
  File "/usr/local/lib/python2.7/dist-packages/django/core/checks/urls.py", line 10, in check_url_config
    return check_resolver(resolver)
  File "/usr/local/lib/python2.7/dist-packages/django/core/checks/urls.py", line 19, in check_resolver
    for pattern in resolver.url_patterns:
  File "/usr/local/lib/python2.7/dist-packages/django/utils/functional.py", line 33, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
  File "/usr/local/lib/python2.7/dist-packages/django/core/urlresolvers.py", line 417, in url_patterns
    patterns = getattr(self.urlconf_module, "urlpatterns", self.urlconf_module)
  File "/usr/local/lib/python2.7/dist-packages/django/utils/functional.py", line 33, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
  File "/usr/local/lib/python2.7/dist-packages/django/core/urlresolvers.py", line 410, in urlconf_module
    return import_module(self.urlconf_name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/home/fir/fir/urls.py", line 6, in <module>
    from incidents import views
  File "/home/fir/incidents/views.py", line 39, in <module>
    from fir_todos.models import TodoListTemplate
  File "/home/fir/fir_todos/models.py", line 6, in <module>
    class TodoItem(models.Model):
  File "/usr/local/lib/python2.7/dist-packages/django/db/models/base.py", line 102, in __new__
    "INSTALLED_APPS." % (module, name)
RuntimeError: Model class fir_todos.models.TodoItem doesn't declare an explicit app_label and isn't in an application in INSTALLED_APPS.

Can't log in

I've got a very strange issue, since I just can't connect to the FIR dashboard... ("Wrong username/password combination" message).
I had a working install with Django 1.7 & the appropriate FIR git repository, thus I could make everything run fine before.

I re-installed Django, all Python modules, and FIR, and my database from scratch, in a virtual environment.
I am working with CentOS 7 + Nginx + Gunicorn + Django (forwarding communications from nginx to gunicorn through a unix socket, but I doubt this should have any consequence on my current issue).

When I migrated, everything worked fine:

(env-FIR)@:[env-FIR]: python manage.py migrate --settings fir.config.production
Operations to perform:
Apply all migrations: fir_nuggets, fir_alerting, fir_artifacts, sessions, admin, sites, auth, fir_todos, contenttypes, incidents
Running migrations:
Rendering model states... DONE
Applying contenttypes.0001_initial... OK
[…]
Applying sites.0002_alter_domain_unique... OK

I have loaded both incidents/fixtures/seed_data.json & incidents/fixtures/dev_users.json (the latter of which isn't mentioned in the production install, by the way^^).
I have created a superuser.

I can see users admin, dev, and my superuser when I connect manually to the database.

I do see the POST infos (with my credentials being posted, then), but nothing in the logs...

This is a good exercise to track aaall the way the credentials go... but a bit of help would be much appreciated :)

Thx to all, great FIR team!

SQLite backend does not support timezone-aware datetimes when USE_TZ is False

I was following the instructions in the Wiki to set up a dev environment. Everything went fine until I tried to create the dev test accounts:

$ ./manage.py loaddata incidents/fixtures/dev_users.json

  File "/home/j/.local/lib/python2.7/site-packages/django/db/backends/sqlite3/base.py", line 248, in value_to_db_datetime
    raise ValueError("SQLite backend does not support timezone-aware datetimes when USE_TZ is False.")
ValueError: Problem installing fixture '/home/j/src/FIR/incidents/fixtures/dev_users.json': SQLite backend does not support timezone-aware datetimes when USE_TZ is False.

Setting USE_TZ in fir/config/base.py obviously fixed it.

RelatedObjectDoesNotExist

After following the dev environment setup guide, the dashboard doesn't seem to properly show up.

Calls to /dashboard/blocked/ and /dashboard/open/ end up with a 500 return code:

Environment:


Request Method: GET
Request URL: http://REDACTED:8000/dashboard/blocked/?order_by=date&asc=false&page=1

Django Version: 1.7.6
Python Version: 2.7.9
Installed Applications:
('django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'incidents',
 'django.contrib.admin',
 'fir_plugins',
 'fir_artifacts')
Installed Middleware:
('django.middleware.common.CommonMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware')


Traceback:
File "/home/j/.local/lib/python2.7/site-packages/django/core/handlers/base.py" in get_response
  111.                     response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/home/j/.local/lib/python2.7/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  21.                 return view_func(request, *args, **kwargs)
File "/home/j/.local/lib/python2.7/site-packages/django/contrib/auth/decorators.py" in _wrapped_view
  21.                 return view_func(request, *args, **kwargs)
File "/home/j/src/FIR/incidents/views.py" in dashboard_blocked
  2029.     return incident_display(request, Q(status='B'))
File "/home/j/src/FIR/incidents/views.py" in incident_display
  1992.         incidents_per_page = request.user.profile.incident_number
File "/home/j/.local/lib/python2.7/site-packages/django/utils/functional.py" in inner
  225.         return func(self._wrapped, *args)
File "/home/j/.local/lib/python2.7/site-packages/django/db/models/fields/related.py" in __get__
  428.                     self.related.get_accessor_name()

Exception Type: RelatedObjectDoesNotExist at /dashboard/blocked/
Exception Value: User has no profile.

Issues Installing From Wiki Procedure (runfcgi is missing)

I am following the wiki installation guide, and when I get to the FCGI portion, I configure the fir.config file as per the instructions, but when I try to run FIR with "sudo start fir", the process starts but dies immediately.

I tried to troubleshoot by running the command manually and get this error:

admin@AJS-FIR:/opt/FIR$ sudo /opt/FIR/manage.py runfcgi --settings fir.config.production daemonize=false protocol=fcgi host=127.0.0.1 port=54584
Unknown command: 'runfcgi'

Suggesting that runfastcgi is not installed.

Scrolling back through my installation I see these errors which may be related after running: "sudo pip install -r requirements.txt"

Compiling /tmp/pip_build_root/django/django/conf/app_template/apps.py ...
  File "/tmp/pip_build_root/django/django/conf/app_template/apps.py", line 1
    {{ unicode_literals }}from django.apps import AppConfig
                             ^
SyntaxError: invalid syntax

Compiling /tmp/pip_build_root/django/django/conf/app_template/models.py ...
  File "/tmp/pip_build_root/django/django/conf/app_template/models.py", line 1
    {{ unicode_literals }}from django.db import models
                             ^
SyntaxError: invalid syntax

Other Info: Running clean Ubuntu 14.04 server

I'm excited to check this out and I am hoping to get this running to teach my students in my class. Is there a stable OVA floating around?

Feature Request: Event system for integration patterns

Hello,

It would be great to have an integration bus (a broker) or webhooks that broadcast events from the system, such as:

  • Incident created, updated, deleted, closed, etc.

I'm currently working on a wallboard for all the products we use, and integration is the key problem for all products.

Not necessarily a complex broker (RabbitMQ) but something light (Redis PUB/SUB, 0MQ, Webhooks).

Regards.

Sending alerts via mail

I'm having an issue with sending mails with FIR. I put my smtp server and port in the production.py but when I try to send a mail with the web interface it remains stuck at "Sending..." after I click the "Send email" button.

CSS problem

There is a little CSS problem in the "Incident Details" section. The "confidentiality" drop down list is not correctly aligned (#CSSHELL)

Good Luck :)
