
dfir-iris / iris-web


Collaborative Incident Response platform

License: GNU Lesser General Public License v3.0

Dockerfile 0.03% Shell 0.03% Python 7.23% HTML 3.59% CSS 3.43% SCSS 1.94% JavaScript 83.74% Mako 0.01% Makefile 0.01% Smarty 0.01%
forensic incident-response csirt-tooling python digital-forensics digital-forensics-incident-response forensic-analysis forensic-tools

iris-web's People

Contributors: brianmer, c8y3, devjoost, ektoplasma, hekiri, juadde, lonewolf-96, lukyluke, manjularajamani, matthijsy, mikaelfangel, oikuda, pcdx75, s3lva-kumar, scriptception, sebastiandemmer, sprungknoedl, wagga40, weslambert, whikernel, zeik0s


iris-web's Issues

[BUG] IOCs are not matched when line-wrapping happens

Describe the bug
When an IOC is wrapped on multiple lines the IOC matching does not take place.

To Reproduce
Steps to reproduce the behavior:

  1. Add a timeline event with a line: |2021-02-17 17:48:39.000000|10.2.17.101:49729->131.253.33.254:443| [] | dst_ip= 131.253.33.254 src_ip= 10.2.17.101 |B7DJqn4B50m0jzjJbkvQ|
  2. In the output of the timeline events, this line is split into two lines. <span>|2021-02-17 17:48:39.000000|10.2.17.101:49729-&gt;131.253.33.254:443| [] | dst_ip= 131.25<div class="collapse show" id="collapseContent-3380" style=""> 3.33.254 src_ip= 10.2.17.101 |B7DJqn4B50m0jzjJbkvQ| </div> <a class="btn btn-link btn-sm" data-toggle="collapse" href="#collapseContent-3380" role="button" aria-expanded="true" aria-controls="collapseContent">&gt; See more</a></span>
  3. The IOC 131.253.33.254 is not matched because it's split over two lines.

Expected behavior
Have IOCs matched regardless of whether they are split over two lines.

Screenshots
image

Version

  • Version 1.3.0
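The report above shows the rendered timeline line with the "See more" collapse markup inserted in the middle of the IP address, so a plain substring search over the rendered HTML misses the IOC. The following is an added example (not IRIS code) of a defensive matcher: it extracts the text nodes from the rendered fragment with the standard-library HTML parser and then matches each case IOC with a pattern that tolerates whitespace inserted at a wrap point. The sample HTML and the IOC list are constructed from the values in this report; the function names are the example's own.

```python
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect only the text nodes of an HTML fragment; tags such as the
    collapse <div> and the 'See more' <a> that the timeline view inserts are
    dropped. Entities like &gt; are decoded by HTMLParser itself."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def extract_text(rendered):
    parser = _TextExtractor()
    parser.feed(rendered)
    parser.close()
    return "".join(parser.parts)


def wrap_tolerant_pattern(ioc):
    """Regex that allows optional whitespace between every character of the
    IOC, so a value the renderer split at a wrap point still matches. The
    look-arounds stop '1.2.3.4' from matching inside '1.2.3.45'."""
    body = r"\s*".join(re.escape(ch) for ch in ioc)
    return re.compile(r"(?<![\w.])" + body + r"(?![\w.])")


def naive_match(rendered, iocs):
    """Plain substring search on the extracted text: misses wrapped IOCs."""
    text = extract_text(rendered)
    return sorted(ioc for ioc in iocs if ioc in text)


def match_iocs(rendered, iocs):
    """Wrap-tolerant matching on the extracted text."""
    text = extract_text(rendered)
    return sorted(ioc for ioc in iocs if wrap_tolerant_pattern(ioc).search(text))


# Constructed sample: the rendered timeline line from the report above, where the
# collapse <div> splits 131.253.33.254 into '131.25' and '3.33.254'.
RENDERED_EVENT = (
    '<span>|2021-02-17 17:48:39.000000|10.2.17.101:49729-&gt;131.253.33.254:443| [] '
    '| dst_ip= 131.25<div class="collapse show" id="collapseContent-3380"> 3.33.254 '
    'src_ip= 10.2.17.101 |B7DJqn4B50m0jzjJbkvQ| </div> '
    '<a class="btn btn-link btn-sm" data-toggle="collapse" href="#collapseContent-3380" '
    'role="button">&gt; See more</a></span>'
)

# Constructed sample where the IOC appears only in wrapped form.
WRAPPED_ONLY = (
    'dst_ip= 131.25<div class="collapse show" id="collapseContent-1"> 3.33.254 '
    'src_ip= 10.2.17.101</div>'
)

# Constructed IOC list: two that occur in the sample, one that does not.
CASE_IOCS = ["131.253.33.254", "10.2.17.101", "192.0.2.1"]

if __name__ == "__main__":
    print("naive:   ", naive_match(WRAPPED_ONLY, CASE_IOCS))
    print("tolerant:", match_iocs(WRAPPED_ONLY, CASE_IOCS))
```

Matching on extracted text rather than on the HTML also means that the IOC is matched against what the analyst reads, not against the markup of one particular view. The whitespace tolerance is deliberately narrow (whitespace only, and never across word characters), because allowing arbitrary characters between the pieces would start joining unrelated tokens into false matches.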

[FR] Have unique UUID for case ID

Is your feature request related to a problem? Please describe.
Instead of only having an ID ("case id"), use a UUID. This makes cases transportable across multiple instances of IRIS. This should not replace the ID displayed in the UI, but underneath (i.e. export, API) the UUID can be used as reference.

[FR] Upload screenshots to notes

Is your feature request related to a problem? Please describe.
Screenshots are often used as a form of evidence. It would be great if you could add screenshots to notes. Currently you have to reference another (external) file in the MD. The ideal solution allows uploading an image/screenshot to a note and then having it displayed within the note.

Describe the solution you'd like

  • Upload screenshot in note
    • From file on disk
    • Or from clipboard (similar to Github issues)
  • Include screenshot in the notes in a generated report

[Request] Additional ways to log in

This is just a request for the TODO list: OAUTH2 and LDAP would be nice features in the future.

Thanks and look forward to this project in the future.

[BUG] docker-compose build has failed

Describe the bug
I am following your steps as documented, however, it seems like there is a cross-dependency mismatch within your libraries.

I may not be entirely familiar with this process, however, the pip installation has failed because:

ERROR: Cannot install -r requirements.txt (line 11) and -r requirements.txt (line 28) because these package versions have conflicting dependencies.

The conflict is caused by:
    gunicorn 20.1.0 depends on setuptools>=3.0
    evtx2splunk 2.0.1 depends on setuptools~=47.1.3

To fix this you could try to:
1. loosen the range of package versions you've specified
2. remove package versions to allow pip attempt to solve the dependency conflict

ERROR: ResolutionImpossible: for help visit https://pip.pypa.io/en/latest/topics/dependency-resolution/#dealing-with-dependency-conflicts
The command '/bin/sh -c pip3 install -r requirements.txt' returned a non-zero code: 1
ERROR: Service 'app' failed to build : Build failed

To Reproduce
Steps to reproduce the behavior:

  1. git clone https://github.com/dfir-iris/iris-web.git
  2. cd iris-web
  3. sudo docker-compose build
  4. See error

Expected behavior
I was not expecting a build error from pip installation.

Screenshots
If applicable, add screenshots to help explain your problem.
image

Desktop (please complete the following information):

  • Linux user 5.4.0-89-generic #100-Ubuntu SMP Fri Sep 24 14:50:10 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • REMnux VM

Additional context
I suspect that this error might have occurred because the wheel dependencies (evtx2splunk*.whl) are hardcoded/fixed and it might have failed to recognize the changes in some of the current libraries that are required to be installed from pip.

I am not entirely sure if my suspicion holds any water or not, but I do hope that I am not the only one facing this problem right now, and if I am the only one facing this problem, I wish someone would point me in the right direction to fix the issue. Thank you! :)

Possibility to "fork" a case

Instead of creating a new case, create a fork of an existing case.

Use: sometimes during IR you encounter cases where you discover there are two incidents taking place at the same time. Have an option where you create a fork (or a duplicate) of a case. Optionally, there should be a link from the fork to the "parent" case (and maybe in the parent links to all the 'children').

Missing CSRF Token deleting Template

When you try to delete a template it does not work, because the form is missing the CSRF token:
2022-01-04 12:24:25 :: INFO :: csrf :: validate_csrf_token :: The CSRF token is missing.
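To show what the log line above is telling the reader, here is an added example (not IRIS code, which uses Flask's CSRF protection) of the check in pure Python: the server keeps a random token in the session, every state-changing form carries it as a hidden field, and the handler refuses the request when the field is missing or does not match. The template names, the session and form dictionaries, and the handler are constructed for the example.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Create (or reuse) the per-session CSRF token. It lives server-side in
    the session and is copied into every state-changing form as a hidden field."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def validate_csrf(session, form):
    """Return (ok, message). The messages mirror the log line from the report."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False, "The CSRF token is missing."
    if not hmac.compare_digest(expected, submitted):  # constant-time comparison
        return False, "The CSRF token is invalid."
    return True, ""


def delete_template(session, form, templates):
    """Handler for the delete form: refuses the request unless the CSRF check
    passes, then removes the template by id. Returns (status, message)."""
    ok, message = validate_csrf(session, form)
    if not ok:
        return 403, message
    template_id = form.get("template_id")
    if template_id not in templates:
        return 404, "Template not found."
    del templates[template_id]
    return 200, "Template deleted."


def build_delete_form(session, template_id, include_token=True):
    """Simulate the POST body the HTML form produces. include_token=False
    reproduces the bug: a form without the hidden csrf_token field."""
    form = {"template_id": template_id}
    if include_token:
        form["csrf_token"] = issue_csrf_token(session)
    return form


def demo():
    session = {}
    issue_csrf_token(session)  # happens when the page is rendered
    templates = {"report-default": "..."}  # constructed stand-in for stored templates
    missing = delete_template(
        session, build_delete_form(session, "report-default", include_token=False), templates)
    forged = delete_template(
        session, {"template_id": "report-default", "csrf_token": "guess"}, templates)
    good = delete_template(session, build_delete_form(session, "report-default"), templates)
    return missing, forged, good, templates


if __name__ == "__main__":
    for outcome in demo()[:3]:
        print(outcome)
```

The first call is exactly the situation in the report: the handler is correct, the template that renders the form simply forgot the hidden field, so every delete is rejected as a missing token.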

Wrong Configuration on Module shown in Docs [BUG]

Describe the bug
The docs show a wrong configuration:
image

You should change
EVTXDump Configuration file : /dependencies/evtxdump_binaries/event_bind.json
to
EVTXDump Configuration file : /iriswebapp/dependencies/evtxdump_binaries/event_bind.json

The first path is not the full path of the directory in the docker container.

[BUG] "Switch case" button stays grey

Describe the bug
When you abort the "Switch context" screen, the icon stays grey.

To Reproduce
Steps to reproduce the behavior:

  1. Click on the "Switch case" button
  2. In the pop-up, click "close"
  3. See error

Expected behavior
The icon should not stay grey ;).

Screenshots
image

Desktop

  • OS: Windows 11
  • Browser: Firefox
  • Version: 97.0.2

Additional context
Not related to the bug itself, but it is very confusing to have the "abort" operation on the right side. Also, its style is more visually noticeable than the "save" operation. I think it should be the other way around.

Oh, and the template is missing the colons after "Browser" and "Version" in the Desktop and Smartphone sections.

Duplicate API endpoints

Adding a customer in the dashboard uses client/add, while the manage customers section uses manage/clients/add.
Both endpoints do not return the same data, while doing the same thing.

Proposition:
Dashboard page should use the manage endpoint.

Add file type in evidences

Add a field for file type and use the file command to process it automatically.
It's common to have a file with the wrong extension, so this could be useful.

User's task overview

Hi,

It would be great to have some sort of dashboard to keep track of the tasks that are assigned to an analyst.
As an example, as an analyst working in a CSIRT that manages multiple cases at a time, I could receive different tasks coming from different cases.
At the moment, if I want to know what my tasks are, I need to browse to every case (even if there is no task for me in that case).

Thanks !

[FR] Include user/analyst ID in timeline event export (CSV)

Is your feature request related to a problem? Please describe.
The CSV export of the events in the timeline does not contain the user/analyst who added the event. The data can be found via the activity log but it would be great if this is also included in the export.

Describe the solution you'd like
Add "username" to the CSV export in event timeline

Add screenshot as supporting evidence

Hi,
do you plan to add the possibility to upload a screenshot into a note/comment (Case Notes)? I usually upload screenshots with various comments, so it would be very useful.

Thanks
Ondrej

[BUG] Default report template does not add case summary

Describe the bug
When I use the default investigation report template the placeholder {{ case.description|markdown }} is replaced with "Empty description", although there is a case description added.

Not sure if it's related, but when I remove the MD part in the template

##BEGIN STYLE default##
•	##ul##
1.	##ol##
##table_header##
##table_cell##

##paragraph##
##code##
##strong##
##italic##
##END STYLE##
...

there is an error

app_1 | 2022-01-26 16:59:39 :: ERROR :: rendering_error :: __init__ :: An error occurred during rendering. Style default not defined (fsvmxdlmztkdqejiib)

User or Customer-Role Authorization

Can you add user authorization for cases? When we create a customer for cases, different customers can show other cases. You could create role-based cases, so we can separate our customers and cases.

[FR] Add custom fields to cases

Is your feature request related to a problem? Please describe.
Currently you can only add a title, description or SOC ticket number. It would be great if there were a feature to add custom fields. These custom fields can for example be used for filtering or statistics (e.g. 'type of case/investigation').

Describe the solution you'd like

  • Add one or more custom fields
    • fieldname
    • fieldtype (string, integer, list)
      • list comes from a predefined list (can for example be added when the user defines/adds the custom field); lists are represented in a dropdown list
    • mandatory yes/no

[FR] Implement possibility to map TTPs to MITRE ATT&CK

Is your feature request related to a problem? Please describe.
It's hard to track which methods and TTPs an attacker used in an incident. Defenders need to have a clear understanding of the used TTPs in order to choose proper remediation techniques.

Describe the solution you'd like
I'd like to see a MITRE ATT&CK implementation for the case, where analysts can note all used TTPs according to the matrix.
An editor should show the analyst all possible TTPs, the analyst should be able to click on the used ones and the case page should show only the selected TTPs.

Describe alternatives you've considered
Another possibility would be that the analysts could select a TTP for every timeline event and IRIS could render a matrix for the whole case instead of the "free editor" described above.

Additional context
I suspect that this feature needs huge implementation effort. Not sure, but it could be possible to leverage https://github.com/mitre-attack/attack-navigator/ or the Python lib https://github.com/mitre-attack/attack-scripts/.
I'd love to see an offline version, which would not be dependent on an internet API of MITRE.

Loss free update of the database container

Hey guys,

I was just wondering what happens to the database during a container update. As far as I can see, it is not planned to ever update the database container in a pain-free manner?
So if I want to update the database container (because of security fixes or so), I should make a pg_dump and then import it back?

Wouldn't it be a bit nicer to create a dedicated volume for the database?

I think the database schema migrations between IRIS updates are handled in the web app, right? So this shouldn't create any issues?

Not sure if this is a feature request in the proper sense or just me overlooking something obvious. Not sure as well if this would qualify as an FR, so I didn't use the template.

Cheers,
Matthias

Case assets data validation

Pushing a new asset through API with description set to null breaks the GUI as the JS does not expect this field to be null.

Proposition:
Add a JS side verification to not parse the data description if null.

Adding Tags to Assets

Adding tags to assets would enable the user to filter for them.
This could be useful to tag whether a system has EDR etc.

[FR] [Request] Link to IOC

In the same way as it is possible to indicate linked assets, it could be interesting to be able to add linked IOCs (ideally with a visible link in the graph mode).
(screenshot attached: Capture d’écran du 2022-01-14 19-56-37)

Locked Account to Deleted Case [BUG]

Describe the bug
When a case is created and a user switches context to that case, if the case is then deleted and the user attempts to log back in under the deleted case context, the account attempts to query non-existent data in the app. This usually causes a 500 error at login and makes the browser throw a "Too Many Redirects" error until the cache is cleared and the user attempts to log in again, which repeats the process. The workaround is to change the URI on the 500 error page at /login to dashboard?cid=1, which is the default case and has to exist.

To Reproduce
Steps to reproduce the behavior:

  1. Create a case
  2. Have user switch context to that case and exit the app
  3. Have admin delete case
  4. User will attempt to login and run into errors.

Expected behavior
User is redirected to either the default case or the last known valid case if the app fails to load the current case context during login. While you can work around it by either knowing or fuzzing cids, it will not be intuitive for less technical users.

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Chrome/Firefox
  • Version 98.0.4758.81 (Official Build) (64-bit)

Specify a custom temporary directory for IRIS

In the .env file and docker-compose, add the possibility for admins to specify the TMPDIR environment variable.

Use case: the tempfile package is used (either in IRIS source code or its dependencies), and some filesystem configurations may have a short /tmp partition which can raise a "No space left on device" issue.

According to tempfile documentation, TMPDIR env variable is the first way to get the temporary directory: https://docs.python.org/2/library/tempfile.html#tempfile.tempdir

With this customization, admins could specify a better-fitting temporary directory for their systems, like /var/tmp, /opt/iris/tmp, or whatever.

[FR] Differentiate in task logs between activities via UI and API

Describe the solution you'd like
Have a flag in the overview task logs that differentiates between actions done via the web user interface and via the API.
Maybe the "user input" column is supposed to cover this? But in the latest version this is always set to false, regardless of actions via UI or API.

Add a time converter in event modal

Following feedback: add a time converter in the event modal (timeline page), so that time formats can be quickly input in an event (e.g. timestamps, weird formats, etc.) without having to manually convert them.

[BUG] Row compatibility issue on some sql queries

Describe the bug

From branch develop, the upgrade to Python 3.9 and the sqlalchemy package leads to some compatibility bugs related to the Row type.

To Reproduce

    ur.role_id = Role.query.with_entities(Role.id).filter(Role.name == 'administrator').first()
    db.session.add(ur)

==> sqlalchemy.exc.ProgrammingError: (psycopg2.ProgrammingError) can't adapt type 'Row'

Branch
develop
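The error in this report comes from assigning a whole result row to a single-column attribute: `.first()` on a `with_entities(Role.id)` query returns a `Row`, and the DB driver cannot bind a row as a parameter (in SQLAlchemy the fix is `.scalar()`, or indexing the row, instead of `.first()`). Here is an added example (not the project's code) that reproduces the same defect and its fix with the standard-library sqlite3 driver, where a fetched row is a plain tuple; the table layout, user id and role name are constructed for the example.

```python
import sqlite3


def setup_roles():
    """In-memory stand-in for the Role / UserRole tables (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE role (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE)")
    con.execute("CREATE TABLE user_role (user_id INTEGER NOT NULL, role_id INTEGER NOT NULL)")
    con.execute("INSERT INTO role (id, name) VALUES (1, 'administrator')")
    con.commit()
    return con


def assign_role(con, user_id, role_name, unwrap_row):
    """Look up the role id and link it to the user.

    unwrap_row=False reproduces the defect from the report: fetchone() returns a
    row (a tuple here, a sqlalchemy Row in IRIS), and the driver cannot bind a
    row as a parameter. unwrap_row=True takes the single column out first.
    """
    row = con.execute("SELECT id FROM role WHERE name = ?", (role_name,)).fetchone()
    if row is None:
        raise LookupError("role %r does not exist" % role_name)
    role_id = row[0] if unwrap_row else row
    con.execute("INSERT INTO user_role (user_id, role_id) VALUES (?, ?)", (user_id, role_id))
    con.commit()


def demo():
    con = setup_roles()
    buggy_failed = False
    try:
        assign_role(con, 42, "administrator", unwrap_row=False)
    except sqlite3.Error:  # InterfaceError or ProgrammingError depending on Python version
        buggy_failed = True
    assign_role(con, 42, "administrator", unwrap_row=True)
    linked = con.execute("SELECT role_id FROM user_role WHERE user_id = ?", (42,)).fetchall()
    return buggy_failed, linked


if __name__ == "__main__":
    print(demo())
```

The explicit `row is None` check is the other half of the fix: a missing role must fail loudly at the lookup rather than turn into a NULL or a binding error deeper in the request.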

[BUG] Adding timeline event via API results in HTTP/500 message; event are added despite error message

Describe the bug
If you post an event to the timeline (/case/timeline/event/add) and set the event_category to 0 there's an HTTP/500 error message.

The container log gives this output:

app_1       |   File "/opt/venv/lib/python3.7/site-packages/sqlalchemy/engine/default.py", line 608, in do_execute
app_1       |     cursor.execute(statement, parameters)
app_1       | sqlalchemy.exc.IntegrityError: (psycopg2.errors.ForeignKeyViolation) insert or update on table "case_events_category" violates foreign key constraint "case_events_category_category_id_fkey"
app_1       | DETAIL:  Key (category_id)=(0) is not present in table "event_category".

The event is, however, added to the database!

To Reproduce
Code to reproduce:

import json
import requests

# iris_host, iris_headers, iris_verify, cid and the event_* values are defined earlier in the calling script
event_category = 0
iris_data = json.dumps({"event_color": default_event_colour, "event_title": event_title, "event_content": line, "event_raw": line, "event_source": label, "event_assets": [], "event_category": event_category, "event_date": event_date, "event_time": event_time, "event_tz": event_tz, "event_in_graph": True, "event_in_summary": True, "event_tags": "timesketch", "cid": cid})
result = requests.post("{}/case/timeline/event/add".format(iris_host), headers=iris_headers, data=iris_data, verify=iris_verify)
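The two halves of this report, the HTTP/500 and the event that is stored anyway, are one defect: the event row and its category link are written as separate steps, and the foreign-key failure on the second does not undo the first. The following added example (not IRIS code) shows the defensive shape with the standard-library sqlite3 module: validate the payload against the known categories before writing, and write both rows in a single transaction so a failure leaves nothing behind. The table names follow those in the container log; their columns, the request body and the helper names are constructed for the example.

```python
import json
import sqlite3


def setup_db():
    """Minimal stand-in for the tables named in the container log (constructed;
    the real IRIS schema has more columns)."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE event_category (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE case_events (
            id INTEGER PRIMARY KEY AUTOINCREMENT, case_id INTEGER NOT NULL, title TEXT NOT NULL);
        CREATE TABLE case_events_category (
            event_id INTEGER NOT NULL REFERENCES case_events(id),
            category_id INTEGER NOT NULL REFERENCES event_category(id));
        INSERT INTO event_category (id, name) VALUES (1, 'Unspecified'), (2, 'Execution');
    """)
    return con


def add_event_buggy(con, payload):
    """Each INSERT committed on its own: when the category link violates the
    foreign key, the event row is already persisted (the behaviour reported)."""
    cur = con.execute("INSERT INTO case_events (case_id, title) VALUES (?, ?)",
                      (payload["cid"], payload["event_title"]))
    con.commit()
    con.execute("INSERT INTO case_events_category (event_id, category_id) VALUES (?, ?)",
                (cur.lastrowid, payload["event_category"]))
    con.commit()


def validate_event(con, payload):
    """Reject bad input before touching the database; returns a list of errors."""
    errors = []
    for key in ("cid", "event_title", "event_category"):
        if key not in payload:
            errors.append("missing field: %s" % key)
    if errors:
        return errors
    category = payload["event_category"]
    if not isinstance(category, int) or isinstance(category, bool):
        errors.append("event_category must be an integer")
    elif con.execute("SELECT 1 FROM event_category WHERE id = ?", (category,)).fetchone() is None:
        errors.append("unknown event_category: %d" % category)
    if not str(payload["event_title"]).strip():
        errors.append("event_title must not be empty")
    return errors


def add_event_safe(con, payload):
    """Validate, then write event and category link in one transaction so a
    failure leaves nothing behind. Returns (http_status, response_body)."""
    errors = validate_event(con, payload)
    if errors:
        return 400, {"status": "error", "errors": errors}
    try:
        with con:  # commit on success, rollback on any exception
            cur = con.execute("INSERT INTO case_events (case_id, title) VALUES (?, ?)",
                              (payload["cid"], payload["event_title"]))
            con.execute("INSERT INTO case_events_category (event_id, category_id) VALUES (?, ?)",
                        (cur.lastrowid, payload["event_category"]))
    except sqlite3.IntegrityError as exc:
        return 500, {"status": "error", "errors": [str(exc)]}
    return 200, {"status": "success", "event_id": cur.lastrowid}


# Constructed request body modelled on the reproduction script above (event_category 0).
CONSTRUCTED_REQUEST = json.dumps({
    "event_title": "timesketch import", "event_content": "...", "event_category": 0,
    "event_date": "2022-01-26", "event_time": "16:59:39", "event_tz": "+00:00", "cid": 1,
})


def demo():
    payload = json.loads(CONSTRUCTED_REQUEST)
    con = setup_db()
    try:
        add_event_buggy(con, payload)
    except sqlite3.IntegrityError:
        pass  # the API layer turns this into the HTTP/500 from the report
    orphaned = con.execute("SELECT COUNT(*) FROM case_events").fetchone()[0]

    con = setup_db()
    rejected_status, _ = add_event_safe(con, payload)
    after_reject = con.execute("SELECT COUNT(*) FROM case_events").fetchone()[0]
    ok_status, body = add_event_safe(con, dict(payload, event_category=2))
    linked = con.execute("SELECT category_id FROM case_events_category WHERE event_id = ?",
                         (body["event_id"],)).fetchone()[0]
    return orphaned, rejected_status, after_reject, ok_status, linked


if __name__ == "__main__":
    print(demo())
```

The validation step turns the request into a 400 with a message the API client can act on, while the transaction is the safety net for anything the validation did not foresee (for example a category deleted between the check and the write); with `with con:` the event row is rolled back together with the failed link.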

FR: make timeline exportable

Hey guys,

maybe I just missed it, but it would be really awesome, if the timeline would be exportable to CSV like the asset list.

Thanks,
Matthias

docker-compose build: make: pg_config: Operation not permitted

Hi,
I'm having the following issue when I try to build the db:

Building db
Sending build context to Docker daemon 4.096kB
Step 1/5 : FROM postgres:12-alpine
---> 71f18539f112
Step 2/5 : RUN apk add --update --no-cache clang clang-dev llvm
---> Using cache
---> 1fad64366555
Step 3/5 : RUN apk add --update --no-cache clang-extra-tools
---> Using cache
---> 2f5aeee954fd
Step 4/5 : RUN apk add --update --no-cache git build-base && git clone https://github.com/eulerto/pg_similarity.git && cd pg_similarity && USE_PGXS=1 make && USE_PGXS=1 make install && apk del git build-base && rm -rf /var/cache/apk/*
---> Running in 4165589e2fc2
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
(1/25) Installing binutils (2.37-r3)
(2/25) Installing libmagic (5.41-r0)
(3/25) Installing file (5.41-r0)
(4/25) Installing libgomp (10.3.1_git20211027-r0)
(5/25) Installing libatomic (10.3.1_git20211027-r0)
(6/25) Installing libgphobos (10.3.1_git20211027-r0)
(7/25) Installing gmp (6.2.1-r0)
(8/25) Installing isl22 (0.22-r0)
(9/25) Installing mpfr4 (4.1.0-r0)
(10/25) Installing mpc1 (1.2.1-r0)
(11/25) Installing gcc (10.3.1_git20211027-r0)
(12/25) Installing musl-dev (1.2.2-r7)
(13/25) Installing libc-dev (0.7.2-r3)
(14/25) Installing g++ (10.3.1_git20211027-r0)
(15/25) Installing make (4.3-r0)
(16/25) Installing fortify-headers (1.1-r1)
(17/25) Installing patch (2.7.6-r7)
(18/25) Installing build-base (0.5-r2)
(19/25) Installing ca-certificates (20191127-r7)
(20/25) Installing brotli-libs (1.0.9-r5)
(21/25) Installing nghttp2-libs (1.46.0-r0)
(22/25) Installing libcurl (7.80.0-r0)
(23/25) Installing expat (2.4.1-r0)
(24/25) Installing pcre2 (10.39-r0)
(25/25) Installing git (2.34.1-r0)
Executing busybox-1.34.1-r3.trigger
Executing ca-certificates-20191127-r7.trigger
OK: 560 MiB in 71 packages
Cloning into 'pg_similarity'...
make: pg_config: Operation not permitted
make: *** No targets. Stop.
The command '/bin/sh -c apk add --update --no-cache git build-base && git clone https://github.com/eulerto/pg_similarity.git && cd pg_similarity && USE_PGXS=1 make && USE_PGXS=1 make install && apk del git build-base && rm -rf /var/cache/apk/*' returned a non-zero code: 2
ERROR: Service 'db' failed to build : Build failed

Thanks!

Quick start but the .env file is needed

Hi, by default the repo doesn't have a .env file but a .env.model file. The docs basically just say that we can :

  • clone the repo
  • move to the repo directory
  • execute docker-compose

But, if we do just that, the services won't start correctly because of the missing .env file.
I know it is not very hard to understand what is going on :) I can see two solutions:

  • edit the docs
  • add a default .env file to make life easier (but less secure) for first timers.

Improve IOC management

For now IOCs are very basic. Management and taxonomies need improvement for further integration with existing tools

Hooks on object creations / updates

Create the possibility to add hooks upon creation or updates of case objects. For example, this would allow to:

  • Automatically enhance an IOC with third-party sources (VT, MISP, etc)
  • Automatically push an object (IOC, assets, event, notes, etc) to a third party platform
  • And much more

[BUG] Documentation add_ioc mentions ioc_type instead of ioc_type_id

Describe the bug
The API documentation at https://dfir-iris.github.io/_static/iris_api_reference_v1.0.1.html#operation/post-case-ioc-add mentions to use ioc_type. This returns an error. The correct field is ioc_type_id

The example in the documentation is correct, it's only the list of parameters (middle section of the page) that is incorrect.

To Reproduce
Documentation at https://dfir-iris.github.io/_static/iris_api_reference_v1.0.1.html#operation/post-case-ioc-add

[FR] Import and export case details

Is your feature request related to a problem? Please describe.
Have an option to export and import all case details.

Describe the solution you'd like

  • Export all case details in JSON file
    • ID, summary, notes, events, assets, ...
    • In structured JSON format
    • Also see #66 for export
  • Import case details from a JSON file

FR: Icons for custom assets

Hey guys,

first of all let me say "thank you" for your work! I think IRIS will become a great and handy tool and I appreciate the fresh start.

I have a feature request: custom asset types will get an empty icon on the Graph. On the creation of the custom asset type, I want to upload an icon for it.

As a side note: is it on purpose that the type "Windows - DC" does not have an icon as well?

Thanks once again,
Matthias
