mirror of https://github.com/MISP/MISP
New attribute type - yara sig
parent
899ef6300b
commit
0402c291a2
|
@ -79,6 +79,7 @@ IF (Attribute.category="External analysis", "j", "k"))))))))))'); // TODO hardc
|
|||
'pattern-in-file' => array('desc' => 'Pattern in file that identifies the malware'),
|
||||
'pattern-in-traffic' => array('desc' => 'Pattern in network traffic that identifies the malware'),
|
||||
'pattern-in-memory' => array('desc' => 'Pattern in memory dump that identifies the malware'),
|
||||
'yara' => array('desc' => 'Yara signature'),
|
||||
'vulnerability' => array('desc' => 'A reference to the vulnerability used in the exploit'),
|
||||
'attachment' => array('desc' => 'Attachment with external information', 'formdesc' => "Please upload files using the <em>Upload Attachment</em> button."),
|
||||
'malware-sample' => array('desc' => 'Attachment containing encrypted malware sample', 'formdesc' => "Please upload files using the <em>Upload Attachment</em> button."),
|
||||
|
@ -102,16 +103,16 @@ IF (Attribute.category="External analysis", "j", "k"))))))))))'); // TODO hardc
|
|||
'Payload delivery' => array(
|
||||
'desc' => 'Information about how the malware is delivered',
|
||||
'formdesc' => 'Information about the way the malware payload is initially delivered, <br/>for example information about the email or web-site, vulnerability used, originating IP etc. <br/>Malware sample itself should be attached here.',
|
||||
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'ip-src', 'ip-dst', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'url', 'ip-dst', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'vulnerability', 'other')
|
||||
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'ip-src', 'ip-dst', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'url', 'ip-dst', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'yara', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'vulnerability', 'other')
|
||||
),
|
||||
'Artifacts dropped' => array(
|
||||
'desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system',
|
||||
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'attachment', 'malware-sample', 'comment', 'text', 'other')
|
||||
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'yara', 'attachment', 'malware-sample', 'comment', 'text', 'other')
|
||||
),
|
||||
'Payload installation' => array(
|
||||
'desc' => 'Info on where the malware gets installed in the system',
|
||||
'formdesc' => 'Location where the payload was placed in the system and the way it was installed.<br/>For example, a filename|md5 type attribute can be added here like this:<br/>c:\\windows\\system32\\malicious.exe|41d8cd98f00b204e9800998ecf8427e.',
|
||||
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'comment', 'text', 'other')
|
||||
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'yara', 'vulnerability', 'attachment', 'malware-sample', 'comment', 'text', 'other')
|
||||
),
|
||||
'Persistence mechanism' => array(
|
||||
'desc' => 'Mechanisms used by the malware to start at boot',
|
||||
|
|
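Review bot: The `'yara'` entry added to the type definitions carries only `'desc' => 'Yara signature'`, so a contributor gets no hint whether a complete rule or a bare string is expected, and the visible lines show no matching validation for the new type. A YARA rule is multi-line text that recipients typically load into a scanner, so it is worth confirming that the validation and output-escaping code outside this section handles the type explicitly instead of falling through to a default. I would add a form hint along the lines of `'yara' => array('desc' => 'Yara signature', 'formdesc' => "Paste the complete rule, including the rule name and condition."),`. The edited `'Payload delivery'` list also still names `'ip-dst'` twice, and the duplicate could be dropped while that line is being changed. The enclosing array definitions start and end outside the hunks shown here.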