chg: [release] add the NIDS decaying model, clarify license and add some documentation.

main
Alexandre Dulaunoy 2019-08-27 08:37:32 +02:00
parent 3dc7aa9efa
commit f38d1604f1
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
5 changed files with 146 additions and 33 deletions

32
LICENSE.md Normal file
View File

@ -0,0 +1,32 @@
The MISP decaying models (JSON files) are dual-licensed under:
- [CC0 1.0 Universal](https://creativecommons.org/publicdomain/zero/1.0/legalcode) (CC0 1.0) - Public Domain Dedication.
or
~~~~
Copyright (c) 2019 CIRCL - Computer Incident Response Center Luxembourg
Copyright (c) 2019 Sami Mokaddem
Copyright (c) 2019 Alexandre Dulaunoy - a@foo.be
Copyright (c) 2019 Various contributors to MISP Project
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
OF THE POSSIBILITY OF SUCH DAMAGE.
~~~~~
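Review bot: the scope sentence "The MISP decaying models (JSON files) are dual-licensed under:" covers only the JSON files, yet this same commit adds jq_all_the_things.sh, which is then left without any stated license; either widen the sentence to the repository contents as a whole or state the script's license explicitly. The bare "or" between the CC0 bullet and the `~~~~` fenced block renders as a stray one-word paragraph; making the BSD text a second bullet (for example "- or the 2-clause BSD license below:") keeps the two alternatives parallel. Minor: the closing fence `~~~~~` is one tilde longer than the opening `~~~~`, which CommonMark accepts but is worth matching for consistency.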

View File

@ -1,3 +1,17 @@
# misp-decaying-models # MISP Decaying Models
Test model for DEV and experimentation. Starting from MISP 2.4.114, a decaying feature is available to apply decaying on attributes in your MISP instance. MISP comes with a set of default decaying models which
can be customised by the users. This repository contains all the default models.
## Models
- [nids-simple-model](./models/nids-simple-model.json) - Simple decaying model for Network Intrusion Detection System (NIDS).
- [phishing-model](./models/phishing-model.json) - Simple model to rapidly decay phishing website.
## How to contribute your decaying model?
It's very easy. Fork the repository, create a new JSON file with your model and make a pull-request.
## License
The MISP decaying models are [dual-licensed](./LICENSE.md) under CC-0 and a simple 2-clause BSD license.
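Review bot: the contribution section ("Fork the repository, create a new JSON file with your model and make a pull-request") does not mention jq_all_the_things.sh, added in this same commit, which is exactly what a contributor should run to validate and normalise the JSON before opening the pull request; one sentence pointing at it would save round trips on formatting. The README also documents neither the required keys of a model nor the meaning and units of the parameters (lifetime, decay_speed, threshold, default_base_score, base_score_config), so a contributor has to reverse-engineer them from the two existing models; a short "Model format" subsection would close that gap. Minor: "Simple model to rapidly decay phishing website" should read "websites", and the license line's "CC-0" is written "CC0 1.0" in LICENSE.md.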

22
jq_all_the_things.sh Executable file
View File

@ -0,0 +1,22 @@
#!/bin/bash
#Validate all Jsons first
for dir in `find . -name "*.json"`
do
echo validating ${dir}
# python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();"
cat ${dir} | jq . >/dev/null
rc=$?
if [[ $rc != 0 ]]; then exit $rc; fi
done
set -e
set -x
# Seeds sponge, from moreutils
for dir in ./models/*.json
do
cat ${dir} | jq . | sponge ${dir}
done
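Review bot: the validation loop iterates over the word-split output of `find` and uses unquoted expansions (`for dir in \`find . -name "*.json"\`` and `cat ${dir} | jq . >/dev/null`), so any path containing whitespace breaks it; use `find . -name '*.json' -print0 | while IFS= read -r -d '' f` (or the same `./models/*.json` glob the second loop already uses) and quote `"$f"`. The rewrite loop is the riskier part: `cat ${dir} | jq . | sponge ${dir}` runs under `set -e` but without `set -o pipefail`, so if jq fails part-way the pipeline's status is sponge's, and sponge overwrites the model with empty or truncated output; the first loop mitigates this for the files it has checked, but adding `set -o pipefail` (and moving `set -e` to the top of the script, which is safe because the first loop already handles `rc` explicitly) removes the dependency between the two loops. Smaller points: the first loop validates every *.json under `.` while the second rewrites only `./models/*.json`; the loop variable is named `dir` although it holds file paths; `cat file | jq .` is a useless use of cat, `jq . "$f"` reads the file directly; and the commented-out python3 line can go now that jq does the job. If the intent is also to normalise key order across models, `jq -S .` sorts keys, whereas plain `jq .` preserves input order, which is why the two models in this commit end up with `authors` and `ref` in different positions.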

View File

@ -0,0 +1,42 @@
{
"uuid": "073fae4a-2377-4cfa-bd34-2516830d33c3",
"name": "NIDS Simple Decaying Model",
"formula": "Polynomial",
"ref": [
"https://arxiv.org/abs/1902.03914",
"https://arxiv.org/abs/1803.11052"
],
"authors": [
"MISP Project"
],
"parameters": {
"lifetime": 120,
"decay_speed": 2,
"threshold": 30,
"default_base_score": 80,
"base_score_config": {
"estimative-language": 0.25,
"priority-level": 0.25,
"retention": 0.25,
"targeted-threat-index": 0.125,
"false-positive": 0.125
}
},
"description": "Simple decaying model for Network Intrusion Detection System (NIDS). ",
"attribute_types": [
"domain",
"domain|ip",
"hostname",
"hostname|port",
"ip-dst",
"ip-dst|port",
"ip-src",
"ip-src|port",
"url",
"snort",
"suricata",
"zeek",
"bro"
],
"version": 1
}
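Review bot: the `description` string carries a trailing space (`"Simple decaying model for Network Intrusion Detection System (NIDS). "`) that `jq .` will not strip and that will be shown verbatim wherever the model is listed; drop it. Key order differs from the phishing model in this same commit (`ref` before `authors` here, `authors` before `ref` there); pick one order, or have jq_all_the_things.sh sort keys. The `base_score_config` weights (0.25 + 0.25 + 0.25 + 0.125 + 0.125) sum to 1.0, which looks intentional for a weighted base score, but nothing in the README states that rule, so a sentence there or a check in the validation script would keep future contributions consistent. `attribute_types` lists both `zeek` and `bro`; if that is deliberate to cover instances still using the older type name, a note in the README would stop someone "cleaning it up" later.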

View File

@ -1,32 +1,35 @@
{ {
"uuid":"dbbd7ba7-6559-48fc-ab58-cc499d1b1143", "uuid": "dbbd7ba7-6559-48fc-ab58-cc499d1b1143",
"name":"Phishing model", "name": "Phishing model",
"formula": "Polynomial", "formula": "Polynomial",
"ref":[ "authors": [
"https://arxiv.org/abs/1902.03914", "MISP Project"
"https://arxiv.org/abs/1803.11052" ],
], "ref": [
"parameters": { "https://arxiv.org/abs/1902.03914",
"lifetime": 3, "https://arxiv.org/abs/1803.11052"
"decay_speed": 2.3, ],
"threshold":30, "parameters": {
"default_base_score": 80, "lifetime": 3,
"base_score_config":{ "decay_speed": 2.3,
"estimative-language": 0.5, "threshold": 30,
"phishing": 0.5 "default_base_score": 80,
} "base_score_config": {
}, "estimative-language": 0.5,
"description":"Simple model to rapidly decay phishing website.", "phishing": 0.5
"attribute_types": [ }
"domain", },
"domain|ip", "description": "Simple model to rapidly decay phishing website.",
"hostname", "attribute_types": [
"hostname|port", "domain",
"ip-dst", "domain|ip",
"ip-dst|port", "hostname",
"ip-src", "hostname|port",
"ip-src|port", "ip-dst",
"url" "ip-dst|port",
], "ip-src",
"version":1 "ip-src|port",
"url"
],
"version": 1
} }
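Review bot: `authors` is inserted before `ref` here but after `ref` in the NIDS model added in the same commit; align the key order in one of the two, or sort keys in jq_all_the_things.sh with `jq -S`. Apart from that insertion this hunk is whitespace-only reformatting: `lifetime` 3, `decay_speed` 2.3, `threshold` 30, `default_base_score` 80, the two 0.5 weights and the attribute type list are identical on both sides, so there is no behavioural change and leaving `version` at 1 is defensible, though if `version` is meant to track any edit to the file it should be bumped. "Simple model to rapidly decay phishing website." should read "websites", here and in the README entry that repeats it.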