Add descriptions in all the objects

pull/26/merge
Raphaël Vinot 2017-08-29 18:36:46 +02:00
parent b16cdaa137
commit 0445ebd350
15 changed files with 247 additions and 61 deletions


@ -4,14 +4,17 @@
],
"attributes": {
"cookie": {
"description": "Full cookie",
"ui-priority": 1,
"misp-attribute": "cookie"
},
"cookie-name": {
"description": "Name of the cookie (if splitted)",
"ui-priority": 0,
"misp-attribute": "text"
},
"cookie-value": {
"description": "Value of the cookie (if splitted)",
"ui-priority": 0,
"misp-attribute": "text"
},
@ -35,7 +38,7 @@
"misp-attribute": "text"
}
},
"version": 1,
"version": 2,
"description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.",
"meta-category": "network",
"uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8",
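Review bot: The new descriptions for `cookie-name` and `cookie-value` use "splitted", which is not a word, and these strings are shown to analysts when they fill in the object. They should read `"Name of the cookie (if split)"` and `"Value of the cookie (if split)"`. The `attributes` object continues outside the first hunk, so descriptions for the remaining attributes cannot be checked from here.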


@ -3,17 +3,20 @@
"uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
"meta-category": "network",
"description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
"version": 2,
"version": 3,
"attributes": {
"total-bps": {
"description": "Bits per second",
"misp-attribute": "counter",
"ui-priority": 0
},
"text": {
"description": "Description of the DDoS",
"misp-attribute": "text",
"ui-priority": 0
},
"ip-dst": {
"description": "Destination ID (victim)",
"misp-attribute": "ip-dst",
"ui-priority": 1,
"categories": [
@ -22,6 +25,7 @@
]
},
"ip-src": {
"description": "IP address originating the attack",
"misp-attribute": "ip-src",
"ui-priority": 1,
"categories": [
@ -30,6 +34,7 @@
]
},
"dst-port": {
"description": "Destination port of the attack",
"misp-attribute": "port",
"ui-priority": 0,
"categories": [
@ -38,6 +43,7 @@
]
},
"src-port": {
"description": "Port originating the attack",
"misp-attribute": "port",
"ui-priority": 0,
"categories": [
@ -46,10 +52,12 @@
]
},
"first-seen": {
"description": "Beginning of the attack",
"misp-attribute": "datetime",
"ui-priority": 0
},
"protocol": {
"description": "Protocol used for the attack",
"misp-attribute": "text",
"ui-priority": 0,
"required_value": [
@ -60,10 +68,12 @@
]
},
"total-pps": {
"description": "Packets per second",
"misp-attribute": "counter",
"ui-priority": 0
},
"last-seen": {
"description": "End of the attack",
"misp-attribute": "datetime",
"ui-priority": 0
}
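Review bot: The description added for `ip-dst` reads "Destination ID (victim)", but the attribute is typed `ip-dst` and its sibling `ip-src` is described as an IP address, so this looks like a typo for `"description": "Destination IP (victim)"`. The texts for `total-bps` and `total-pps` ("Bits per second", "Packets per second") also do not say whether the value is a peak or an average over the attack. Without that, counters from different reporters are hard to compare.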


@ -5,18 +5,23 @@
],
"attributes": {
"text": {
"description": "A description of the tuple",
"ui-priority": 1,
"misp-attribute": "text"
"misp-attribute": "text",
"recommended": false
},
"last-seen": {
"description": "Last time the tuple has been seen",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "First time the tuple has been seen",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"domain": {
"description": "Domain name",
"categories": [
"Network activity",
"External analysis"
@ -25,6 +30,7 @@
"misp-attribute": "domain"
},
"ip": {
"description": "IP Address",
"categories": [
"Network activity",
"External analysis"
@ -33,7 +39,7 @@
"misp-attribute": "ip-dst"
}
},
"version": 1,
"version": 2,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
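Review bot: The description added for `ip` is only "IP Address" although the attribute is typed `ip-dst`, so the text does not tell an analyst whether a source address belongs in this field. The same wording is added for `ip` in the later section that pairs an address with `src-port` and `dst-port`, where the direction matters even more. If the destination meaning is intended (inferred here from the `misp-attribute` value alone), state it: `"description": "IP address (destination)"`.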


@ -2,25 +2,94 @@
"requiredOneOf": [
"text",
"name",
"md5",
"sha1",
"sha224",
"sha256",
"sha512"
"sha384",
"sha512",
"sha512/224",
"sha512/256"
],
"attributes": {
"sha512": {
"md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"ui-priority": 1,
"misp-attribute": "md5",
"recommended": false
},
"sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"ui-priority": 1,
"misp-attribute": "sha1",
"recommended": false
},
"sha224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha224",
"recommended": false
},
"sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 1,
"misp-attribute": "sha256"
},
"sha384": {
"description": "Secure Hash Algorithm 2 (384 bits)",
"ui-priority": 0,
"misp-attribute": "sha384",
"recommended": false
},
"sha512": {
"description": "Secure Hash Algorithm 2 (512 bits)",
"ui-priority": 1,
"misp-attribute": "sha512"
},
"sha512/224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/224",
"recommended": false
},
"sha512/256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/256",
"recommended": false
},
"ssdeep": {
"description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"entropy": {
"description": "Entropy of the whole section",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "float"
},
"name": {
"description": "Name of the section",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"size-in-bytes": {
"description": "Size of the section, in bytes",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"text": {
"description": "Free text value to attach to the section",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"type": {
"description": "Type of the section",
"sane_default": [
"NULL",
"PROGBITS",
@ -61,26 +130,8 @@
"ui-priority": 0,
"misp-attribute": "text"
},
"name": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"sha256": {
"ui-priority": 0,
"misp-attribute": "sha256"
},
"size-in-bytes": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"text": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"flag": {
"description": "Flag of the section",
"sane_default": [
"ALLOC",
"EXCLUDE",
@ -108,17 +159,9 @@
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"sha1": {
"ui-priority": 0,
"misp-attribute": "sha1"
},
"md5": {
"ui-priority": 1,
"misp-attribute": "md5"
}
},
"version": 3,
"version": 4,
"description": "Object describing a section of an Executable and Linkable Format",
"meta-category": "file",
"uuid": "ca271f32-1234-4e87-b240-6b6e882de5de",
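Review bot: The descriptions added for `sha512/224` and `sha512/256` are word-for-word the same as those for `sha224` and `sha256` ("Secure Hash Algorithm 2 (224 bits)" / "(256 bits)"). The digests have the same length but are different functions, so a SHA-256 value entered in the `sha512/256` field would look valid and never match anything. Name the variant in the text, e.g. `"description": "SHA-512/224: SHA-512 truncated to 224 bits"` and `"description": "SHA-512/256: SHA-512 truncated to 256 bits"`. The `[Insecure]` prefix on `md5` and `sha1` is a helpful convention and worth keeping consistent across the other objects.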


@ -248,7 +248,7 @@
"recommended": false
}
},
"version": 2,
"version": 3,
"description": "Object describing a Executable and Linkable Format",
"meta-category": "file",
"uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa",


@ -3,9 +3,10 @@
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"meta-category": "network",
"description": "Email object describing an email with meta-information",
"version": 2,
"version": 3,
"attributes": {
"reply-to": {
"description": "Email address the reply will be sent to",
"misp-attribute": "email-reply-to",
"ui-priority": 1,
"categories": [
@ -13,6 +14,7 @@
]
},
"message-id": {
"description": "Message ID",
"misp-attribute": "email-message-id",
"ui-priority": 0,
"categories": [
@ -20,6 +22,7 @@
]
},
"to": {
"description": "Destination email address",
"misp-attribute": "email-dst",
"ui-priority": 1,
"categories": [
@ -28,6 +31,7 @@
"multiple": true
},
"to-display-name": {
"description": "Display name of the receiver",
"misp-attribute": "email-dst-display-name",
"ui-priority": 1,
"categories": [
@ -36,6 +40,7 @@
"multiple": true
},
"subject": {
"description": "Subject",
"misp-attribute": "email-subject",
"ui-priority": 1,
"categories": [
@ -43,6 +48,7 @@
]
},
"attachment": {
"description": "Attachment",
"misp-attribute": "email-attachment",
"ui-priority": 0,
"categories": [
@ -51,6 +57,7 @@
"multiple": true
},
"x-mailer": {
"description": "X-Mailer generally tells the program that was used to draft and send the original email",
"misp-attribute": "email-x-mailer",
"ui-priority": 0,
"categories": [
@ -58,6 +65,7 @@
]
},
"header": {
"description": "Full headers",
"misp-attribute": "email-header",
"ui-priority": 0,
"categories": [
@ -66,6 +74,7 @@
"multiple": true
},
"send-date": {
"description": "Date the email has been sent",
"misp-attribute": "datetime",
"ui-priority": 0,
"disable_correlation": true,
@ -73,15 +82,8 @@
"Other"
]
},
"url": {
"misp-attribute": "url",
"ui-priority": 0,
"categories": [
"Payload delivery"
],
"multiple": true
},
"mime-boundary": {
"description": "MIME Boundary",
"misp-attribute": "email-mime-boundary",
"ui-priority": 0,
"categories": [
@ -89,6 +91,7 @@
]
},
"thread-index": {
"description": "Identifies a particular conversation thread",
"misp-attribute": "email-thread-index",
"ui-priority": 0,
"categories": [
@ -96,6 +99,7 @@
]
},
"from": {
"description": "Sender email address",
"misp-attribute": "email-src",
"ui-priority": 1,
"categories": [
@ -103,6 +107,7 @@
]
},
"from-display-name": {
"description": "Display name of the sender",
"misp-attribute": "email-src-display-name",
"ui-priority": 1,
"categories": [
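Review bot: The `url` attribute block between `send-date` and `mime-boundary` is gone on the new side (that hunk shrinks from 15 to 8 lines), a schema change the commit title "Add descriptions in all the objects" does not announce. Producers that attach URLs from a message body to this object would no longer have a slot for them, which matters for phishing reports. If the removal is deliberate, for example because URLs should be modelled as separate linked objects, say so in the commit message. Otherwise keep the attribute and give it a description such as `"description": "URL found in the email"`. The last hunk ends inside the `from-display-name` entry, so the rest of the file is not visible here.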


@ -8,18 +8,22 @@
],
"attributes": {
"text": {
"description": "Description of the tuple",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
"description": "Last time the tuple has been seen",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "First time the tuple has been seen",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"src-port": {
"description": "Source port",
"categories": [
"Network activity",
"External analysis"
@ -28,6 +32,7 @@
"misp-attribute": "text"
},
"dst-port": {
"description": "Destination port",
"categories": [
"Network activity",
"External analysis"
@ -36,6 +41,7 @@
"misp-attribute": "text"
},
"ip": {
"description": "IP Address",
"categories": [
"Network activity",
"External analysis"
@ -44,7 +50,7 @@
"misp-attribute": "ip-dst"
}
},
"version": 1,
"version": 2,
"description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",


@ -49,7 +49,7 @@
"recommended": false
}
},
"version": 1,
"version": 2,
"description": "Object describing a file in Mach-O format.",
"meta-category": "file",
"uuid": "23fb8371-c7e3-45fe-b897-fdf074f95267",


@ -1,63 +1,95 @@
{
"required": [
"rrtype",
"rrname"
"rrname",
"rdata"
],
"attributes": {
"zone_time_last": {
"description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"text": {
"description": "",
"ui-priority": 0,
"misp-attribute": "text"
},
"count": {
"description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers",
"ui-priority": 0,
"misp-attribute": "counter"
},
"rrname": {
"description": "Resource Record name of the queried resource",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "hostname"
"misp-attribute": "text"
},
"rrtype": {
"description": "Resource Record type as seen by the passive DNS",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text",
"sane_default": [
"A",
"AAAA",
"CNAME",
"PTR",
"SOA",
"TXT",
"DNAME",
"NS",
"SRV",
"RP",
"NAPTR",
"HINFO",
"A6"
]
},
"rdata": {
"description": "Resource records of the queried resource",
"ui-priority": 1,
"misp-attribute": "text"
},
"zone_time_first": {
"description": "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"origin": {
"description": "Origin of the Passive DNS response",
"ui-priority": 0,
"misp-attribute": "text"
},
"time_last": {
"description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"time_first": {
"description": "First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"bailiwick": {
"description": "Best estimate of the apex of the zone where this data is authoritative",
"ui-priority": 0,
"misp-attribute": "text"
},
"sensor_id": {
"description": "Sensor information where the record was seen",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"version": 2,
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
"meta-category": "network",
"uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
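Review bot: The `text` attribute gets `"description": ""`, so the one free-text field of the object still has no guidance despite the commit's stated goal. Something like `"description": "Description of the passive DNS record"` would match the wording used for `text` in the other objects. In the same hunk `rrname` appears to move from `misp-attribute` `hostname` to `text` (the old and new lines are printed back to back). If that is intended, the reason belongs in the commit message, because consumers that select on the typed attribute will stop seeing these values.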


@ -85,6 +85,7 @@
"misp-attribute": "text"
},
"text": {
"description": "Description of the r2graphity object",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
@ -150,7 +151,7 @@
"misp-attribute": "float"
}
},
"version": 1,
"version": 2,
"description": "Indicators extracted from files using radare2 and graphml",
"meta-category": "file",
"uuid": "b6abe0e0-52ea-4424-ba42-761c2e027b76",


@ -1,10 +1,12 @@
{
"required": [
"requiredOneOf": [
"key",
"name"
"name",
"data"
],
"attributes": {
"last-modified": {
"description": "Last time the registry key has been modified",
"categories": [
"Other"
],
@ -12,13 +14,31 @@
"misp-attribute": "datetime"
},
"data-type": {
"description": "Registry value type",
"categories": [
"Persistence mechanism"
],
"sane_default": [
"REG_NONE",
"REG_SZ",
"REG_EXPAND_SZ",
"REG_BINARY",
"REG_DWORD",
"REG_DWORD_LITTLE_ENDIAN",
"REG_DWORD_BIG_ENDIAN",
"REG_LINK",
"REG_MULTI_SZ",
"REG_RESOURCE_LIST",
"REG_FULL_RESOURCE_DESCRIPTOR",
"REG_RESOURCE_REQUIREMENTS_LIST",
"REG_QWORD",
"REG_QWORD_LITTLE_ENDIAN"
],
"ui-priority": 0,
"misp-attribute": "reg-datatype"
},
"data": {
"description": "Data stored in the registry key",
"categories": [
"Persistence mechanism"
],
@ -26,6 +46,7 @@
"misp-attribute": "reg-data"
},
"name": {
"description": "Name of the registry key",
"categories": [
"Persistence mechanism"
],
@ -33,6 +54,7 @@
"misp-attribute": "reg-name"
},
"key": {
"description": "Full key path",
"categories": [
"Persistence mechanism"
],
@ -40,6 +62,7 @@
"misp-attribute": "reg-key"
},
"hive": {
"description": "Hive used to store the registry key (file on disk)",
"categories": [
"Persistence mechanism"
],
@ -47,7 +70,7 @@
"misp-attribute": "reg-hive"
}
},
"version": 1,
"version": 2,
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"meta-category": "file",
"uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
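Review bot: Replacing `required` (`key`, `name`) with `requiredOneOf` (`key`, `name`, `data`) means an object holding only `data`, or only `name`, now satisfies the template. A value without its key path is hard to act on for detection or hunting. If the template format allows both keys in one file, consider keeping `"required": ["key"]` next to the new `requiredOneOf`, or explain in the commit message why key-less objects are wanted. The description `"Name of the registry key"` for `name` also reads like a duplicate of `key` ("Full key path"). If the field is meant to hold the value name, which is an assumption, `"Name of the registry value"` would be clearer.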


@ -4,18 +4,22 @@
],
"attributes": {
"fragment": {
"description": "Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.",
"ui-priority": 0,
"misp-attribute": "text"
},
"tld": {
"description": "Top-Level Domain",
"ui-priority": 0,
"misp-attribute": "text"
},
"port": {
"description": "Port number",
"ui-priority": 0,
"misp-attribute": "text"
},
"scheme": {
"description": "Scheme",
"sane_default": [
"http",
"https",
@ -27,51 +31,62 @@
"misp-attribute": "text"
},
"first-seen": {
"description": "First time this URL has been seen",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"resource_path": {
"description": "Path (between hostname:port and query)",
"ui-priority": 0,
"misp-attribute": "text"
},
"query_string": {
"description": "Query (after path, preceded by '?')",
"ui-priority": 0,
"misp-attribute": "text"
},
"url": {
"description": "Full URL",
"ui-priority": 1,
"misp-attribute": "url"
},
"domain_without_tld": {
"description": "Domain without Top-Level Domain",
"ui-priority": 0,
"misp-attribute": "text"
},
"domain": {
"description": "Full domain",
"ui-priority": 0,
"misp-attribute": "domain"
},
"subdomain": {
"description": "Subdomain",
"ui-priority": 0,
"misp-attribute": "text"
},
"credential": {
"description": "Credential (username, password)",
"ui-priority": 0,
"misp-attribute": "text"
},
"text": {
"description": "Description of the URL ",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
"description": "Last time this URL has been seen",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"host": {
"description": "Full hostname",
"ui-priority": 0,
"misp-attribute": "hostname"
}
},
"version": 2,
"version": 3,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
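Review bot: The description added for `text` has a trailing space, `"Description of the URL "`, and should be `"Description of the URL"`. The text for `credential`, "Credential (username, password)", does not say that this is the userinfo part embedded in the URL itself. Wording such as `"Credential embedded in the URL (username, password)"` would make clear the field is not for credentials obtained elsewhere. Since the field can hold real secrets, a short note on how they should be shared would also help analysts.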


@ -10,14 +10,17 @@
],
"attributes": {
"id": {
"description": "Vulnerability ID (generally CVE, but not necessarely)",
"ui-priority": 1,
"misp-attribute": "vulnerability"
},
"text": {
"description": "Description of the vulnerability",
"ui-priority": 1,
"misp-attribute": "text"
},
"summary": {
"description": "Summary of the vulnerability",
"ui-priority": 1,
"misp-attribute": "text"
},
@ -28,20 +31,23 @@
"misp-attribute": "text"
},
"modified": {
"description": "Last modification date",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"published": {
"description": "Initial publication date",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"references": {
"description": "External references",
"multiple": true,
"ui-priority": 1,
"misp-attribute": "link"
}
},
"version": 1,
"version": 2,
"description": "Vulnerability object describing common vulnerability enumeration",
"meta-category": "network",
"uuid": "81650945-f186-437b-8945-9f31715d32da",
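Review bot: The description added for `id` misspells "necessarily"; it should read `"Vulnerability ID (generally CVE, but not necessarily)"`. Because the field accepts non-CVE identifiers, the text could also say which other schemes are expected, so that entries stay comparable across organisations. The attribute between `summary` and `modified` is only partly visible at the hunk boundary, so it is unclear whether it received a description.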


@ -11,30 +11,47 @@
],
"attributes": {
"text": {
"description": "Full whois entry",
"ui-priority": 1,
"misp-attribute": "text"
},
"registar": {
"description": "Registar of the whois entry",
"ui-priority": 0,
"misp-attribute": "whois-registar"
},
"registrant-name": {
"description": "Registrant name",
"ui-priority": 0,
"misp-attribute": "whois-registrant-name"
},
"registrant-phone": {
"description": "Registrant phone number",
"ui-priority": 0,
"misp-attribute": "whois-registrant-phone"
},
"registrant-email": {
"description": "Registrant email address",
"ui-priority": 1,
"misp-attribute": "whois-registrant-email"
},
"creation-date": {
"description": "Initial creation of the whois entry",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"modification-date": {
"description": "Last update of the whois entry",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"expiration-date": {
"description": "Expiration of the whois entry",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"domain": {
"description": "Domain of the whois entry",
"categories": [
"Network activity",
"External analysis"
@ -43,7 +60,7 @@
"misp-attribute": "domain"
}
},
"version": 1,
"version": 2,
"description": "Whois records information for a domain name.",
"meta-category": "network",
"uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
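Review bot: The new description `"Registar of the whois entry"` repeats the misspelling used in the existing key `registar` and attribute type `whois-registar`. Those identifiers cannot be renamed without breaking consumers, but the human-readable text can be correct: `"description": "Registrar of the whois entry"`.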


@ -1,70 +1,89 @@
{
"required": [
"x509-fingerprint-sha1"
"requiredOneOf": [
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256"
],
"attributes": {
"subject": {
"description": "Subject of the certificate",
"ui-priority": 1,
"misp-attribute": "text"
},
"pubkey-info-algorithm": {
"description": "Algorithm of the public key",
"ui-priority": 0,
"misp-attribute": "text"
},
"pubkey-info-size": {
"description": "Length of the public key (in bits)",
"ui-priority": 0,
"misp-attribute": "text"
},
"pubkey-info-exponent": {
"description": "Exponent of the public key",
"ui-priority": 0,
"misp-attribute": "text"
},
"pubkey-info-modulus": {
"description": "Modulus of the public key",
"ui-priority": 0,
"misp-attribute": "text"
},
"x509-fingerprint-md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"ui-priority": 1,
"misp-attribute": "md5"
"misp-attribute": "md5",
"recommended": false
},
"x509-fingerprint-sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"ui-priority": 1,
"misp-attribute": "sha1"
"misp-attribute": "sha1",
"recommended": false
},
"x509-fingerprint-sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 1,
"misp-attribute": "sha256"
},
"raw-base64": {
"description": "Raw certificate base64 encoded",
"ui-priority": 0,
"misp-attribute": "text"
},
"text": {
"description": "Free text description of hte certificate",
"ui-priority": 1,
"misp-attribute": "text"
},
"validity-not-before": {
"description": "Certificate invalid before that date",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"validity-not-after": {
"description": "Certificate invalid after that date",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"issuer": {
"description": "Issuer of the certificate",
"ui-priority": 0,
"misp-attribute": "text"
},
"serial-number": {
"description": "Serial number of the certificate",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": {
"description": "Version of the certificate",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 3,
"version": 4,
"description": "x509 object describing a X.509 certificate",
"meta-category": "network",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
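Review bot: With `requiredOneOf` now listing `x509-fingerprint-md5`, an object whose only identifier is an MD5 fingerprint satisfies the template, although the same hunk labels that field `[Insecure]` and sets `recommended: false`. MD5 no longer offers collision resistance, so it is a weak sole identifier for a certificate. If MD5-only feeds must stay supported, state that trade-off in the description. The fingerprint descriptions are also copied from the file-hash objects and never say what is hashed; `"[Insecure] MD5 fingerprint of the certificate (128 bits)"` would be clearer. Separately, the `text` description contains a typo and should be `"Free text description of the certificate"`.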