From f38d1604f1fbd602d59d5a88fd906a2d7c21dfb3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 27 Aug 2019 08:37:32 +0200
Subject: [PATCH] chg: [release] add the NIDS decaying model, clarify license and add some documentation.

---
 LICENSE.md | 32 +++++++++++++++++
 README.md | 18 ++++++++--
 jq_all_the_things.sh | 22 ++++++++++++
 models/nids-simple-model.json | 42 ++++++++++++++++++++++
 models/phishing-model.json | 65 ++++++++++++++++++-----------------
 5 files changed, 146 insertions(+), 33 deletions(-)
 create mode 100644 LICENSE.md
 create mode 100755 jq_all_the_things.sh
 create mode 100644 models/nids-simple-model.json

diff --git a/LICENSE.md b/LICENSE.md
new file mode 100644
index 0000000..54e86e2
--- /dev/null
+++ b/LICENSE.md
@@ -0,0 +1,32 @@
+The MISP decaying models (JSON files) are dual-licensed under:
+
+- [CC0 1.0 Universal](https://creativecommons.org/publicdomain/zero/1.0/legalcode) (CC0 1.0) - Public Domain Dedication.
+
+or
+
+~~~~
+ Copyright (c) 2019 CIRCL - Computer Incident Response Center Luxembourg
+ Copyright (c) 2019 Sami Mokaddem
+ Copyright (c) 2019 Alexandre Dulaunoy - a@foo.be
+ Copyright (c) 2019 Various contributors to MISP Project
+
+ Redistribution and use in source and binary forms, with or without modification,
+ are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ OF THE POSSIBILITY OF SUCH DAMAGE.
+~~~~~
diff --git a/README.md b/README.md
index d288087..b8613d8 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,17 @@
-# misp-decaying-models
+# MISP Decaying Models
-Test model for DEV and experimentation.
+Starting from MISP 2.4.114, a decaying feature is available to apply decaying on attributes in your MISP instance. MISP comes with a set of default decaying models which
+can be customised by the users. This repository contains all the default models.
+
+## Models
+
+- [nids-simple-model](./models/nids-simple-model.json) - Simple decaying model for Network Intrusion Detection System (NIDS).
+- [phishing-model](./models/phishing-model.json) - Simple model to rapidly decay phishing website.
+
+## How to contribute your decaying model?
+
+It's very easy. Fork the repository, create a new JSON file with your model and make a pull-request.
+
+## License
+
+The MISP decaying models are [dual-licensed](./LICENSE.md) under CC-0 and a simple 2-clause BSD license.
diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh
new file mode 100755
index 0000000..3c58e71
--- /dev/null
+++ b/jq_all_the_things.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+#Validate all Jsons first
+for dir in `find . -name "*.json"`
+do
+ echo validating ${dir}
+ # python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();"
+ cat ${dir} | jq . >/dev/null
+ rc=$?
+ if [[ $rc != 0 ]]; then exit $rc; fi
+done
+
+set -e
+set -x
+
+# Seeds sponge, from moreutils
+
+for dir in ./models/*.json
+do
+ cat ${dir} | jq . | sponge ${dir}
+done
+
diff --git a/models/nids-simple-model.json b/models/nids-simple-model.json
new file mode 100644
index 0000000..fde595a
--- /dev/null
+++ b/models/nids-simple-model.json
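Review bot: A jq failure inside the rewrite loop can still truncate a model file, because `cat ${dir} | jq . | sponge ${dir}` reports sponge's exit status (no `set -o pipefail`), so `set -e` never fires and sponge writes whatever partial or empty output jq produced back over the file; the only thing preventing this today is the separate validation pass above it. The validation loop itself word-splits the backtick `find` output and expands `${dir}` unquoted, so any path containing whitespace is read as several non-existent files and the script exits before validating anything else. Enabling `set -euo pipefail` at the top, iterating over null-delimited `find` output, and quoting every expansion removes both problems and makes the explicit `rc=$?` check redundant.
```shell
#!/bin/bash
set -euo pipefail

# Validate every JSON file first; a parse error aborts the script
# before anything is rewritten in place below.
find . -name '*.json' -print0 | while IFS= read -r -d '' f; do
    echo "validating $f"
    jq . "$f" >/dev/null
done

set -x
# … unchanged: sponge comment …
for f in ./models/*.json; do
    jq . "$f" | sponge "$f"
done
```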
@@ -0,0 +1,42 @@
+{
+ "uuid": "073fae4a-2377-4cfa-bd34-2516830d33c3",
+ "name": "NIDS Simple Decaying Model",
+ "formula": "Polynomial",
+ "ref": [
+ "https://arxiv.org/abs/1902.03914",
+ "https://arxiv.org/abs/1803.11052"
+ ],
+ "authors": [
+ "MISP Project"
+ ],
+ "parameters": {
+ "lifetime": 120,
+ "decay_speed": 2,
+ "threshold": 30,
+ "default_base_score": 80,
+ "base_score_config": {
+ "estimative-language": 0.25,
+ "priority-level": 0.25,
+ "retention": 0.25,
+ "targeted-threat-index": 0.125,
+ "false-positive": 0.125
+ }
+ },
+ "description": "Simple decaying model for Network Intrusion Detection System (NIDS). ",
+ "attribute_types": [
+ "domain",
+ "domain|ip",
+ "hostname",
+ "hostname|port",
+ "ip-dst",
+ "ip-dst|port",
+ "ip-src",
+ "ip-src|port",
+ "url",
+ "snort",
+ "suricata",
+ "zeek",
+ "bro"
+ ],
+ "version": 1
+}
diff --git a/models/phishing-model.json b/models/phishing-model.json
index 194f6bb..4d93c52 100644
--- a/models/phishing-model.json
+++ b/models/phishing-model.json
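Review bot: The `description` value ends with a trailing space (`"(NIDS). "`), which the `jq .` reformatting pass preserves and which any consumer of the model will carry verbatim; it should be `"description": "Simple decaying model for Network Intrusion Detection System (NIDS)."`, matching the phishing model's description. Because JSON cannot carry comments, nothing in this file or the README says what unit `lifetime: 120` is in or which direction `threshold: 30` cuts (presumably days and a minimum score below which the indicator is no longer exported — verify against the MISP decaying implementation), so a sentence on these parameters in the README Models section would let contributors tune a NIDS model without guessing. The `base_score_config` weights sum to exactly 1.0 (3 × 0.25 + 2 × 0.125), consistent with the phishing model's 0.5 + 0.5.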
@@ -1,32 +1,35 @@
 {
- "uuid":"dbbd7ba7-6559-48fc-ab58-cc499d1b1143",
- "name":"Phishing model",
- "formula": "Polynomial",
- "ref":[
- "https://arxiv.org/abs/1902.03914",
- "https://arxiv.org/abs/1803.11052"
- ],
- "parameters": {
- "lifetime": 3,
- "decay_speed": 2.3,
- "threshold":30,
- "default_base_score": 80,
- "base_score_config":{
- "estimative-language": 0.5,
- "phishing": 0.5
- }
- },
- "description":"Simple model to rapidly decay phishing website.",
- "attribute_types": [
- "domain",
- "domain|ip",
- "hostname",
- "hostname|port",
- "ip-dst",
- "ip-dst|port",
- "ip-src",
- "ip-src|port",
- "url"
- ],
- "version":1
-}
\ No newline at end of file
+{
+ "uuid": "dbbd7ba7-6559-48fc-ab58-cc499d1b1143",
+ "name": "Phishing model",
+ "formula": "Polynomial",
+ "authors": [
+ "MISP Project"
+ ],
+ "ref": [
+ "https://arxiv.org/abs/1902.03914",
+ "https://arxiv.org/abs/1803.11052"
+ ],
+ "parameters": {
+ "lifetime": 3,
+ "decay_speed": 2.3,
+ "threshold": 30,
+ "default_base_score": 80,
+ "base_score_config": {
+ "estimative-language": 0.5,
+ "phishing": 0.5
+ }
+ },
+ "description": "Simple model to rapidly decay phishing website.",
+ "attribute_types": [
+ "domain",
+ "domain|ip",
+ "hostname",
+ "hostname|port",
+ "ip-dst",
+ "ip-dst|port",
+ "ip-src",
+ "ip-src|port",
+ "url"
+ ],
+ "version": 1
+}