mirror of https://github.com/MISP/MISP
improved documentation
Christophe Vandeplas
parent
24e7139e45
commit
f35c311651
|
|
@ -71,17 +71,56 @@ class Attribute extends AppModel {
|
|||
|
||||
// definitions of categories
|
||||
public $category_definitions = array(
|
||||
'Internal reference' => array('desc' => 'Reference used by the publishing party (e.g. ticket number)'),
|
||||
'Antivirus detection' => array('desc' => 'All the info about how the malware is detected by the antivirus products', 'formdesc' => 'List of anti-virus vendors detecting the malware or information on detection performance (e.g. 13/43 or 67%).<br/>Attachment with list of detection or link to VirusTotal could be placed here as well.'),
|
||||
'Payload delivery' => array('desc' => 'Information about how the malware is delivered', 'formdesc' => 'Information about the way the malware payload is initially delivered, <br/>for example information about the email or web-site, vulnerability used, originating IP etc. <br/>Malware sample itself should be attached here.'),
|
||||
'Artifacts dropped' => array('desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system'),
|
||||
'Payload installation' => array('desc' => 'Info on where the malware gets installed in the system', 'formdesc' => 'Location where the payload was placed in the system and the way it was installed.<br/>For example, a filename|md5 type attribute can be added here like this:<br/>c:\\windows\\system32\\malicious.exe|41d8cd98f00b204e9800998ecf8427e.'),
|
||||
'Persistence mechanism' => array('desc' => 'Mechanisms used by the malware to start at boot', 'formdesc' => 'Mechanisms used by the malware to start at boot.<br/>This could be a registry key, legitimate driver modification, LNK file in startup'),
|
||||
'Network activity' => array('desc' => 'Information about network traffic generated by the malware'),
|
||||
'Payload type' => array('desc' => 'Information about the final payload(s)', 'formdesc' => 'Information about the final payload(s).<br/>Can contain a function of the payload, e.g. keylogger, RAT, or a name if identified, such as Poison Ivy.'),
|
||||
'Attribution' => array('desc' => 'Identification of the group, organisation, or coountry behind the attack'),
|
||||
'External analysis' => array('desc' => 'Any other result from additional analysis of the malware like tools output', 'formdesc' => 'Any other result from additional analysis of the malware like tools output<br/>Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.'),
|
||||
'Other' => array('desc' => 'Attributes that are not part of any other category')
|
||||
'Internal reference' => array(
|
||||
'desc' => 'Reference used by the publishing party (e.g. ticket number)',
|
||||
'types' => array('link', 'comment', 'text', 'other')
|
||||
),
|
||||
'Antivirus detection' => array(
|
||||
'desc' => 'All the info about how the malware is detected by the antivirus products',
|
||||
'formdesc' => 'List of anti-virus vendors detecting the malware or information on detection performance (e.g. 13/43 or 67%).<br/>Attachment with list of detection or link to VirusTotal could be placed here as well.',
|
||||
'types' => array('link', 'comment', 'text', 'other')
|
||||
),
|
||||
'Payload delivery' => array(
|
||||
'desc' => 'Information about how the malware is delivered',
|
||||
'formdesc' => 'Information about the way the malware payload is initially delivered, <br/>for example information about the email or web-site, vulnerability used, originating IP etc. <br/>Malware sample itself should be attached here.',
|
||||
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'ip-src', 'ip-dst', 'hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'email-attachment', 'url', 'user-agent', 'AS', 'pattern-in-file', 'pattern-in-traffic', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'other')
|
||||
),
|
||||
'Artifacts dropped' => array(
|
||||
'desc' => 'Any artifact (files, registry keys etc.) dropped by the malware or other modifications to the system',
|
||||
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'regkey', 'regkey|value', 'pattern-in-file', 'pattern-in-memory', 'attachment', 'malware-sample', 'comment', 'text', 'other')
|
||||
),
|
||||
'Payload installation' => array(
|
||||
'desc' => 'Info on where the malware gets installed in the system',
|
||||
'formdesc' => 'Location where the payload was placed in the system and the way it was installed.<br/>For example, a filename|md5 type attribute can be added here like this:<br/>c:\\windows\\system32\\malicious.exe|41d8cd98f00b204e9800998ecf8427e.',
|
||||
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'comment', 'text', 'other')
|
||||
),
|
||||
'Persistence mechanism' => array(
|
||||
'desc' => 'Mechanisms used by the malware to start at boot',
|
||||
'formdesc' => 'Mechanisms used by the malware to start at boot.<br/>This could be a registry key, legitimate driver modification, LNK file in startup',
|
||||
'types' => array('regkey', 'regkey|value', 'comment', 'text', 'other')
|
||||
),
|
||||
'Network activity' => array(
|
||||
'desc' => 'Information about network traffic generated by the malware',
|
||||
'types' => array('ip-src', 'ip-dst', 'hostname', 'domain', 'email-dst', 'url', 'user-agent', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'comment', 'text', 'other')
|
||||
),
|
||||
'Payload type' => array(
|
||||
'desc' => 'Information about the final payload(s)',
|
||||
'formdesc' => 'Information about the final payload(s).<br/>Can contain a function of the payload, e.g. keylogger, RAT, or a name if identified, such as Poison Ivy.',
|
||||
'types' => array('comment', 'text', 'other')
|
||||
),
|
||||
'Attribution' => array(
|
||||
'desc' => 'Identification of the group, organisation, or coountry behind the attack',
|
||||
'types' => array('comment', 'text', 'other')
|
||||
),
|
||||
'External analysis' => array(
|
||||
'desc' => 'Any other result from additional analysis of the malware like tools output',
|
||||
'formdesc' => 'Any other result from additional analysis of the malware like tools output<br/>Examples: pdf-parser output, automated sandbox analysis, reverse engineering report.',
|
||||
'types' => array('md5', 'sha1', 'filename', 'filename|md5', 'filename|sha1', 'ip-src', 'ip-dst', 'hostname', 'domain', 'url', 'user-agent', 'regkey', 'regkey|value', 'AS', 'snort', 'pattern-in-file', 'pattern-in-traffic', 'pattern-in-memory', 'vulnerability', 'attachment', 'malware-sample', 'link', 'comment', 'text', 'other')
|
||||
),
|
||||
'Other' => array(
|
||||
'desc' => 'Attributes that are not part of any other category',
|
||||
'types' => array('comment', 'text', 'other')
|
||||
)
|
||||
);
|
||||
|
||||
var $order = array("Attribute.event_id" => "DESC", "Attribute.type" => "ASC");
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
<div class="index">
|
||||
<h2>Table of Content</h2>
|
||||
<div class="toc"></div>
|
||||
|
||||
<hr/>
|
||||
<h2>Layout and features</h2>
|
||||
|
|
@ -152,19 +152,45 @@ App::import('Model', 'Attribute');
|
|||
$attr = new Attribute();
|
||||
//debug($attr);
|
||||
?>
|
||||
|
||||
<h2>Attribute Categories and Types</h2>
|
||||
<h3>Attribute Categories vs Types</h3>
|
||||
<table>
|
||||
<tr>
|
||||
<th>Category</th>
|
||||
<?php foreach ($attr->category_definitions as $cat => $cat_def ): ?>
|
||||
<th style="width:5%; text-align:center; white-space:normal"><?php echo $cat; ?></th>
|
||||
<?php endforeach;?>
|
||||
</tr>
|
||||
<?php foreach ($attr->type_definitions as $type => $def): ?>
|
||||
<tr>
|
||||
<td><?php echo $type; ?></td>
|
||||
<?php foreach ($attr->category_definitions as $cat => $cat_def ): ?>
|
||||
<td style="text-align:center"><?php echo in_array($type, $cat_def['types'])? 'X' : ''; ?></td>
|
||||
<?php endforeach;?>
|
||||
<?php endforeach;?>
|
||||
</tr>
|
||||
<tr>
|
||||
<th>Category</th>
|
||||
<?php foreach ($attr->category_definitions as $cat => $cat_def ): ?>
|
||||
<th style="width:5%; text-align:center; white-space:normal"><?php echo $cat; ?></th>
|
||||
<?php endforeach;?>
|
||||
</tr>
|
||||
</table>
|
||||
<h3>Categories</h3>
|
||||
<table>
|
||||
<tr>
|
||||
<th>Category</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
<?php foreach ($attr->category_definitions as $type => $def): ?>
|
||||
<?php foreach ($attr->category_definitions as $cat => $def): ?>
|
||||
<tr>
|
||||
<td><?php echo $type; ?></td>
|
||||
<td><?php echo (isset($def['formdesc']))? $def['formdesc'] : $def['desc']; ?></td>
|
||||
<td><?php echo $cat; ?></td>
|
||||
<td><?php echo isset($def['formdesc'])? $def['formdesc'] : $def['desc']; ?></td>
|
||||
<?php endforeach;?>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<h3>Types</h3>
|
||||
<table>
|
||||
<tr>
|
||||
|
|
@ -174,7 +200,7 @@ $attr = new Attribute();
|
|||
<?php foreach ($attr->type_definitions as $type => $def): ?>
|
||||
<tr>
|
||||
<td><?php echo $type; ?></td>
|
||||
<td><?php echo (isset($def['formdesc']))? $def['formdesc'] : $def['desc']; ?></td>
|
||||
<td><?php echo isset($def['formdesc'])? $def['formdesc'] : $def['desc']; ?></td>
|
||||
<?php endforeach;?>
|
||||
</tr>
|
||||
</table>
|
||||
|
|
@ -314,3 +340,6 @@ Authorization: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</pre>
|
|||
</ul>
|
||||
</div>
|
||||
|
||||
<script type="text/javascript" src="/js/jquery-toc.js">
|
||||
</script>
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue