mirror of https://github.com/MISP/MISP
247 lines
13 KiB
SQL
247 lines
13 KiB
SQL
-- Copyright (c) 2009 www.cryer.co.uk
|
|
-- Script is free to use provided this copyright header is included.
|
|
drop procedure if exists AddColumnUnlessExists;
|
|
delimiter '//'
|
|
|
|
create procedure AddColumnUnlessExists(
|
|
IN dbName tinytext,
|
|
IN tableName tinytext,
|
|
IN fieldName tinytext,
|
|
IN fieldDef text)
|
|
begin
|
|
IF NOT EXISTS (
|
|
SELECT * FROM information_schema.COLUMNS
|
|
WHERE column_name=fieldName
|
|
and table_name=tableName
|
|
and table_schema=dbName
|
|
)
|
|
THEN
|
|
set @ddl=CONCAT('ALTER TABLE ',dbName,'.',tableName,
|
|
' ADD COLUMN ',fieldName,' ',fieldDef);
|
|
prepare stmt from @ddl;
|
|
execute stmt;
|
|
END IF;
|
|
end;
|
|
//
|
|
|
|
delimiter ';'
|
|
|
|
call AddColumnUnlessExists(Database(), 'roles', 'perm_template', 'TINYINT( 1 ) NOT NULL DEFAULT 0');
|
|
call AddColumnUnlessExists(Database(), 'shadow_attributes', 'deleted', 'TINYINT( 1 ) NOT NULL DEFAULT 0');
|
|
call AddColumnUnlessExists(Database(), 'shadow_attributes', 'timestamp', 'INT( 11 ) NOT NULL DEFAULT 0');
|
|
-- --------------------------------------------------------
|
|
|
|
--
|
|
-- Table structure for table `templates`
|
|
--
|
|
|
|
CREATE TABLE IF NOT EXISTS `templates` (
|
|
`id` int(11) NOT NULL AUTO_INCREMENT,
|
|
`name` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`description` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`org` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`share` tinyint(1) NOT NULL,
|
|
PRIMARY KEY (`id`)
|
|
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
|
|
|
|
-- --------------------------------------------------------
|
|
|
|
--
|
|
-- Table structure for table `template_elements`
|
|
--
|
|
|
|
CREATE TABLE IF NOT EXISTS `template_elements` (
|
|
`id` int(11) NOT NULL AUTO_INCREMENT,
|
|
`template_id` int(11) NOT NULL,
|
|
`position` int(11) NOT NULL,
|
|
`element_definition` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
PRIMARY KEY (`id`)
|
|
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
|
|
|
|
-- --------------------------------------------------------
|
|
|
|
--
|
|
-- Table structure for table `template_element_attributes`
|
|
--
|
|
|
|
CREATE TABLE IF NOT EXISTS `template_element_attributes` (
|
|
`id` int(11) NOT NULL AUTO_INCREMENT,
|
|
`template_element_id` int(11) NOT NULL,
|
|
`name` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`description` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`to_ids` tinyint(1) NOT NULL DEFAULT '1',
|
|
`category` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`complex` tinyint(1) NOT NULL,
|
|
`type` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`mandatory` tinyint(1) NOT NULL,
|
|
`batch` tinyint(1) NOT NULL,
|
|
PRIMARY KEY (`id`)
|
|
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
|
|
|
|
-- --------------------------------------------------------
|
|
|
|
--
|
|
-- Table structure for table `template_element_files`
|
|
--
|
|
|
|
CREATE TABLE IF NOT EXISTS `template_element_files` (
|
|
`id` int(11) NOT NULL AUTO_INCREMENT,
|
|
`template_element_id` int(11) NOT NULL,
|
|
`name` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`description` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`category` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`malware` tinyint(1) NOT NULL,
|
|
`mandatory` tinyint(1) NOT NULL,
|
|
`batch` tinyint(1) NOT NULL,
|
|
PRIMARY KEY (`id`)
|
|
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
|
|
|
|
-- --------------------------------------------------------
|
|
|
|
--
|
|
-- Table structure for table `template_element_texts`
|
|
--
|
|
|
|
CREATE TABLE IF NOT EXISTS `template_element_texts` (
|
|
`id` int(11) NOT NULL AUTO_INCREMENT,
|
|
`name` varchar(255) CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
`template_element_id` int(11) NOT NULL,
|
|
`text` text CHARACTER SET utf8 COLLATE utf8_bin NOT NULL,
|
|
PRIMARY KEY (`id`)
|
|
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
|
|
|
|
-- --------------------------------------------------------
|
|
|
|
--
|
|
-- Table structure for table `template_tags`
|
|
--
|
|
|
|
CREATE TABLE IF NOT EXISTS `template_tags` (
|
|
`id` int(11) NOT NULL AUTO_INCREMENT,
|
|
`template_id` int(11) NOT NULL,
|
|
`tag_id` int(11) NOT NULL,
|
|
PRIMARY KEY (`id`)
|
|
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
|
|
|
|
-- --------------------------------------------------------
|
|
|
|
--
|
|
-- Change in the servers table and the logs table, addressing
|
|
-- hotfixes 2.3.57 and 2.3.78
|
|
--
|
|
|
|
ALTER TABLE `servers` MODIFY COLUMN `organization` varchar(255) NOT NULL;
|
|
ALTER TABLE `logs` MODIFY COLUMN `title` text, MODIFY COLUMN `change` text;
|
|
|
|
-- --------------------------------------------------------
|
|
|
|
--
|
|
-- Default templates
|
|
--
|
|
|
|
INSERT INTO `templates` (`id`, `name`, `description`, `org`, `share`) VALUES
|
|
(1, 'Phishing E-mail', 'Create a MISP event about a Phishing E-mail.', 'MISP', 1),
|
|
(2, 'Phishing E-mail with malicious attachment', 'A MISP event based on Spear-phishing containing a malicious attachment. This event can include anything from the description of the e-mail itself, the malicious attachment and its description as well as the results of the analysis done on the malicious f', 'MISP', 1),
|
|
(3, 'Malware Report', 'This is a template for a generic malware report. ', 'MISP', 1),
|
|
(4, 'Indicator List', 'A simple template for indicator lists.', 'MISP', 1);
|
|
|
|
INSERT INTO `template_elements` (`id`, `template_id`, `position`, `element_definition`) VALUES
|
|
(1, 1, 2, 'attribute'),
|
|
(2, 1, 3, 'attribute'),
|
|
(3, 1, 1, 'text'),
|
|
(4, 1, 4, 'attribute'),
|
|
(5, 1, 5, 'text'),
|
|
(6, 1, 6, 'attribute'),
|
|
(7, 1, 7, 'attribute'),
|
|
(8, 1, 8, 'attribute'),
|
|
(11, 2, 1, 'text'),
|
|
(12, 2, 2, 'attribute'),
|
|
(13, 2, 3, 'text'),
|
|
(14, 2, 4, 'file'),
|
|
(15, 2, 5, 'attribute'),
|
|
(16, 2, 10, 'text'),
|
|
(17, 2, 6, 'attribute'),
|
|
(18, 2, 7, 'attribute'),
|
|
(19, 2, 8, 'attribute'),
|
|
(20, 2, 9, 'attribute'),
|
|
(21, 2, 11, 'file'),
|
|
(22, 2, 12, 'attribute'),
|
|
(23, 2, 13, 'attribute'),
|
|
(24, 2, 14, 'attribute'),
|
|
(25, 2, 15, 'attribute'),
|
|
(26, 2, 16, 'attribute'),
|
|
(27, 2, 17, 'attribute'),
|
|
(28, 2, 18, 'attribute'),
|
|
(29, 3, 1, 'text'),
|
|
(30, 3, 2, 'file'),
|
|
(31, 3, 4, 'text'),
|
|
(32, 3, 9, 'text'),
|
|
(33, 3, 11, 'text'),
|
|
(34, 3, 10, 'attribute'),
|
|
(35, 3, 12, 'attribute'),
|
|
(36, 3, 3, 'attribute'),
|
|
(37, 3, 5, 'attribute'),
|
|
(38, 3, 6, 'attribute'),
|
|
(39, 3, 7, 'attribute'),
|
|
(40, 3, 8, 'file'),
|
|
(41, 3, 13, 'text'),
|
|
(42, 3, 14, 'attribute'),
|
|
(43, 3, 15, 'attribute'),
|
|
(44, 3, 16, 'attribute'),
|
|
(45, 4, 1, 'text'),
|
|
(46, 4, 2, 'attribute'),
|
|
(47, 4, 3, 'attribute');
|
|
|
|
INSERT INTO `template_element_attributes` (`id`, `template_element_id`, `name`, `description`, `to_ids`, `category`, `complex`, `type`, `mandatory`, `batch`) VALUES
|
|
(1, 1, 'From address', 'The source address from which the e-mail was sent.', 1, 'Payload delivery', 0, 'email-src', 1, 1),
|
|
(2, 2, 'Malicious url', 'The malicious url in the e-mail body.', 1, 'Payload delivery', 0, 'url', 1, 1),
|
|
(3, 4, 'E-mail subject', 'The subject line of the e-mail.', 0, 'Payload delivery', 0, 'email-subject', 1, 0),
|
|
(4, 6, 'Spoofed source address', 'If an e-mail address was spoofed, specify which.', 1, 'Payload delivery', 0, 'email-src', 0, 0),
|
|
(5, 7, 'Source IP', 'The source IP from which the e-mail was sent', 1, 'Payload delivery', 0, 'ip-src', 0, 1),
|
|
(6, 8, 'X-mailer header', 'It could be useful to capture which application and which version thereof was used to send the message, as described by the X-mailer header.', 1, 'Payload delivery', 0, 'text', 0, 1),
|
|
(7, 12, 'From address', 'The source address from which the e-mail was sent', 1, 'Payload delivery', 0, 'email-src', 1, 1),
|
|
(8, 15, 'Spoofed From Address', 'The spoofed source address from which the e-mail appears to be sent.', 1, 'Payload delivery', 0, 'email-src', 0, 1),
|
|
(9, 17, 'E-mail Source IP', 'The IP address from which the e-mail was sent.', 1, 'Payload delivery', 0, 'ip-src', 0, 1),
|
|
(10, 18, 'X-mailer header', 'It could be useful to capture which application and which version thereof was used to send the message, as described by the X-mailer header.', 1, 'Payload delivery', 0, 'text', 0, 0),
|
|
(11, 19, 'Malicious URL in the e-mail', 'If there was a malicious URL (or several), please specify it here', 1, 'Payload delivery', 0, 'ip-dst', 0, 1),
|
|
(12, 20, 'Exploited vulnerablity', 'The vulnerabilities exploited during the payload delivery.', 0, 'Payload delivery', 0, 'vulnerability', 0, 1),
|
|
(13, 22, 'C2 information', 'Command and Control information detected during the analysis.', 1, 'Network activity', 1, 'CnC', 0, 1),
|
|
(14, 23, 'Artifacts dropped (File)', 'Any information about the files dropped during the analysis', 1, 'Artifacts dropped', 1, 'File', 0, 1),
|
|
(15, 24, 'Artifacts dropped (Registry key)', 'Any registry keys touched during the analysis', 1, 'Artifacts dropped', 0, 'regkey', 0, 1),
|
|
(16, 25, 'Artifacts dropped (Registry key + value)', 'Any registry keys created or altered together with the value.', 1, 'Artifacts dropped', 0, 'regkey|value', 0, 1),
|
|
(17, 26, 'Persistance mechanism (filename)', 'Filenames (or filenames with filepaths) used as a persistence mechanism', 1, 'Persistence mechanism', 0, 'regkey|value', 0, 1),
|
|
(18, 27, 'Persistence mechanism (Registry key)', 'Any registry keys touched as part of the persistence mechanism during the analysis ', 1, 'Persistence mechanism', 0, 'regkey', 0, 1),
|
|
(19, 28, 'Persistence mechanism (Registry key + value)', 'Any registry keys created or modified together with their values used by the persistence mechanism', 1, 'Persistence mechanism', 0, 'regkey|value', 0, 1),
|
|
(20, 34, 'C2 Information', 'You can drop any urls, domains, hostnames or IP addresses that were detected as the Command and Control during the analysis here. ', 1, 'Network activity', 1, 'CnC', 0, 1),
|
|
(21, 35, 'Other Network Activity', 'Drop any applicable information about other network activity here. The attributes created here will NOT be marked for IDS exports.', 0, 'Network activity', 1, 'CnC', 0, 1),
|
|
(22, 36, 'Vulnerability', 'The vulnerability or vulnerabilities that the sample exploits', 0, 'Payload delivery', 0, 'vulnerability', 0, 1),
|
|
(23, 37, 'Artifacts Dropped (File)', 'Insert any data you have on dropped files here.', 1, 'Artifacts dropped', 1, 'File', 0, 1),
|
|
(24, 38, 'Artifacts dropped (Registry key)', 'Any registry keys touched during the analysis', 1, 'Artifacts dropped', 0, 'regkey', 0, 1),
|
|
(25, 39, 'Artifacts dropped (Registry key + value)', 'Any registry keys created or altered together with the value.', 1, 'Artifacts dropped', 0, 'regkey|value', 0, 1),
|
|
(26, 42, 'Persistence mechanism (filename)', 'Insert any filenames used by the persistence mechanism.', 1, 'Persistence mechanism', 0, 'filename', 0, 1),
|
|
(27, 43, 'Persistence Mechanism (Registry key)', 'Paste any registry keys that were created or modified as part of the persistence mechanism', 1, 'Persistence mechanism', 0, 'regkey', 0, 1),
|
|
(28, 44, 'Persistence Mechanism (Registry key and value)', 'Paste any registry keys together with the values contained within created or modified by the persistence mechanism', 1, 'Persistence mechanism', 0, 'regkey|value', 0, 1),
|
|
(29, 46, 'Network Indicators', 'Paste any combination of IP addresses, hostnames, domains or URL', 1, 'Network activity', 1, 'CnC', 0, 1),
|
|
(30, 47, 'File Indicators', 'Paste any file hashes that you have (MD5, SHA1, SHA256) or filenames below. You can also add filename and hash pairs by using the following syntax for each applicable column: filename|hash ', 1, 'Payload installation', 1, 'File', 0, 1);
|
|
|
|
INSERT INTO `template_element_files` (`id`, `template_element_id`, `name`, `description`, `category`, `malware`, `mandatory`, `batch`) VALUES
|
|
(1, 14, 'Malicious Attachment', 'The file (or files) that was (were) attached to the e-mail itself.', 'Payload delivery', 1, 0, 1),
|
|
(2, 21, 'Payload installation', 'Payload installation detected during the analysis', 'Payload installation', 1, 0, 1),
|
|
(3, 30, 'Malware sample', 'The sample that the report is based on', 'Payload delivery', 1, 0, 0),
|
|
(4, 40, 'Artifacts dropped (Sample)', 'Upload any files that were dropped during the analysis.', 'Artifacts dropped', 1, 0, 1);
|
|
|
|
INSERT INTO `template_element_texts` (`id`, `name`, `template_element_id`, `text`) VALUES
|
|
(1, 'Required fields', 3, 'The fields below are mandatory.'),
|
|
(2, 'Optional information', 5, 'All of the fields below are optional, please fill out anything that''s applicable.'),
|
|
(4, 'Required Fields', 11, 'The following fields are mandatory'),
|
|
(5, 'Optional information about the payload delivery', 13, 'All of the fields below are optional, please fill out anything that''s applicable. This section describes the payload delivery, including the e-mail itself, the attached file, the vulnerability it is exploiting and any malicious urls in the e-mail.'),
|
|
(6, 'Optional information obtained from analysing the malicious file', 16, 'Information about the analysis of the malware (if applicable). This can include C2 information, artifacts dropped during the analysis, persistance mechanism, etc.'),
|
|
(7, 'Malware Sample', 29, 'If you can, please upload the sample that the report revolves around.'),
|
|
(8, 'Dropped Artifacts', 31, 'Describe any dropped artifacts that you have encountered during your analysis'),
|
|
(9, 'C2 Information', 32, 'The following field deals with Command and Control information obtained during the analysis. All fields are optional.'),
|
|
(10, 'Other Network Activity', 33, 'If any other Network activity (such as an internet connection test) was detected during the analysis, please specify it using the following fields'),
|
|
(11, 'Persistence mechanism', 41, 'The following fields allow you to describe the persistence mechanism used by the malware'),
|
|
(12, 'Indicators', 45, 'Just paste your list of indicators based on type into the appropriate field. All of the fields are optional, so inputting a list of IP addresses into the Network indicator field for example is sufficient to complete this template.');
|
|
|
|
|