chg: [release] add the NIDS decaying model, clarify license and add some documentation.
parent
3dc7aa9efa
commit
f38d1604f1
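--- /dev/null
+++ b/LICENSE.md
@@ -0,0 +1,32 @@
+The MISP decaying models (JSON files) are dual-licensed under:
+
+- [CC0 1.0 Universal](https://creativecommons.org/publicdomain/zero/1.0/legalcode) (CC0 1.0) - Public Domain Dedication.
+
+or
+
+~~~~
+Copyright (c) 2019 CIRCL - Computer Incident Response Center Luxembourg
+Copyright (c) 2019 Sami Mokaddem
+Copyright (c) 2019 Alexandre Dulaunoy - a@foo.be
+Copyright (c) 2019 Various contributors to MISP Project
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+OF THE POSSIBILITY OF SUCH DAMAGE.
+~~~~~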
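--- a/README.md
+++ b/README.md
@@ -1,3 +1,17 @@
-# misp-decaying-models
+# MISP Decaying Models
 
-Test model for DEV and experimentation.
+Starting from MISP 2.4.114, a decaying feature is available to apply decaying on attributes in your MISP instance. MISP comes with a set of default decaying models which
+can be customised by the users. This repository contains all the default models.
+
+## Models
+
+- [nids-simple-model](./models/nids-simple-model.json) - Simple decaying model for Network Intrusion Detection System (NIDS).
+- [phishing-model](./models/phishing-model.json) - Simple model to rapidly decay phishing website.
+
+## How to contribute your decaying model?
+
+It's very easy. Fork the repository, create a new JSON file with your model and make a pull-request.
+
+## License
+
+The MISP decaying models are [dual-licensed](./LICENSE.md) under CC-0 and a simple 2-clause BSD license.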
@ -0,0 +1,22 @@
#!/bin/bash
#Validate all Jsons first
for dir in `find . -name "*.json"`
do
echo validating ${dir}
# python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();"
cat ${dir} | jq . >/dev/null
rc=$?
if [[ $rc != 0 ]]; then exit $rc; fi
done
set -e
set -x
# Seeds sponge, from moreutils
for dir in ./models/*.json
do
cat ${dir} | jq . | sponge ${dir}
done
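Review bot: The validation loop word-splits the unquoted output of `` `find . -name "*.json"` `` and then uses `${dir}` unquoted in `cat ${dir} | jq . >/dev/null`, so a JSON path containing whitespace or a glob character is split or expanded before `jq` ever sees it, and the rewrite loop passes `${dir}` unquoted to `cat` and `sponge` in the same way. Because `set -e` is only switched on after validation and `pipefail` never is, a `jq` failure inside `cat ${dir} | jq . | sponge ${dir}` is hidden behind `sponge`'s exit status while `sponge` still writes whatever it received over the model file, so the script can report success after truncating a model; the earlier validation pass is the only thing preventing that, and it walks a different file set (`find .` versus `./models/*.json`). I would enable `set -euo pipefail` at the top, stream `find -print0` into a `read -d ''` loop, hand the file to `jq` directly instead of through `cat`, and quote every `"${dir}"`; the explicit `rc` check becomes redundant under `-e` but is harmless if kept.
```shell
#!/bin/bash
set -euo pipefail

# Validate all JSON files first; -e aborts with jq's status on the first file it rejects.
while IFS= read -r -d '' dir; do
  echo "validating ${dir}"
  jq . "${dir}" >/dev/null
done < <(find . -name '*.json' -print0)

set -x

# … unchanged: sponge (moreutils) comment …

for dir in ./models/*.json; do
  jq . "${dir}" | sponge "${dir}"
done
```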
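--- /dev/null
+++ b/models/nids-simple-model.json
@@ -0,0 +1,42 @@
+{
+"uuid": "073fae4a-2377-4cfa-bd34-2516830d33c3",
+"name": "NIDS Simple Decaying Model",
+"formula": "Polynomial",
+"ref": [
+"https://arxiv.org/abs/1902.03914",
+"https://arxiv.org/abs/1803.11052"
+],
+"authors": [
+"MISP Project"
+],
+"parameters": {
+"lifetime": 120,
+"decay_speed": 2,
+"threshold": 30,
+"default_base_score": 80,
+"base_score_config": {
+"estimative-language": 0.25,
+"priority-level": 0.25,
+"retention": 0.25,
+"targeted-threat-index": 0.125,
+"false-positive": 0.125
+}
+},
+"description": "Simple decaying model for Network Intrusion Detection System (NIDS). ",
+"attribute_types": [
+"domain",
+"domain|ip",
+"hostname",
+"hostname|port",
+"ip-dst",
+"ip-dst|port",
+"ip-src",
+"ip-src|port",
+"url",
+"snort",
+"suricata",
+"zeek",
+"bro"
+],
+"version": 1
+}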
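Review bot: The `description` value ends with a trailing space (`"... (NIDS). "`), which the `jq .` normalisation pass in this commit preserves and which the phishing model's description does not have; trim it to `"Simple decaying model for Network Intrusion Detection System (NIDS)."` so the README entry and the model text match exactly. This file also orders `ref` before `authors`, whereas phishing-model.json in the same commit puts `authors` first; plain `jq .` keeps key order, so the two default models will not settle on one layout unless the keys are ordered the same way by hand or sorted with `jq -S`. I cannot tell from this page what units `lifetime` and `threshold` are expressed in, so a short note on the parameter semantics in the README would help contributors who customise these models.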
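--- a/models/phishing-model.json
+++ b/models/phishing-model.json
@@ -1,32 +1,35 @@
 {
-"uuid":"dbbd7ba7-6559-48fc-ab58-cc499d1b1143",
-"name":"Phishing model",
+"uuid": "dbbd7ba7-6559-48fc-ab58-cc499d1b1143",
+"name": "Phishing model",
 "formula": "Polynomial",
-"ref":[
+"authors": [
+"MISP Project"
+],
+"ref": [
 "https://arxiv.org/abs/1902.03914",
 "https://arxiv.org/abs/1803.11052"
 ],
 "parameters": {
 "lifetime": 3,
 "decay_speed": 2.3,
-"threshold":30,
+"threshold": 30,
 "default_base_score": 80,
-"base_score_config":{
+"base_score_config": {
 "estimative-language": 0.5,
 "phishing": 0.5
 }
 },
-"description":"Simple model to rapidly decay phishing website.",
+"description": "Simple model to rapidly decay phishing website.",
 "attribute_types": [
 "domain",
 "domain|ip",
 "hostname",
 "hostname|port",
 "ip-dst",
 "ip-dst|port",
 "ip-src",
 "ip-src|port",
 "url"
 ],
-"version":1
+"version": 1
 }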