From 4c661b774761abc6b5999daaf98ccc83ecff1b87 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 4 Apr 2024 16:45:33 +0200
Subject: [PATCH 1/3] new: [cert-pl-phishing] first draft of a template for the
CERT.PL phishing system
---
objects/cert-pl-phishing/definition.json | 42 ++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 objects/cert-pl-phishing/definition.json
diff --git a/objects/cert-pl-phishing/definition.json b/objects/cert-pl-phishing/definition.json
new file mode 100644
index 0000000..6f5c12a
--- /dev/null
+++ b/objects/cert-pl-phishing/definition.json
@@ -0,0 +1,42 @@
+{
+ "attributes": {
+ "favicon-mmh3": {
+ "description": "Favicon of the phishing url in Murmurhash3 format (base64).",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "html-structure": {
+ "description": "HTML tags defining the structure of the HTML page.",
+ "disable-correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "phash-dct-base64": {
+ "description": "pHash (DCT hash) - as described in https://github.com/thorn-oss/perception.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "truncated-hash-html-structure": {
+ "description": "Truncated hash value of the html-structure.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "url": {
+ "description": "Full URL of the phishing object.",
+ "misp-attribute": "url",
+ "ui-priority": 1
+ }
+ },
+ "description": "cert.pl phishing object template representing an url along with some metadata as such phash, html-structure or partial-hash",
+ "meta-category": "network",
+ "name": "cert-pl-phishing",
+ "requiredOneOf": [
+ "url",
+ "phash-dct-base64",
+ "html-structure",
+ "truncated-hash-html-structure",
+ "favicon-mmh3"
+ ],
+ "uuid": "4c37c9af-ca71-4365-bcfb-6393c22dd88e",
+ "version": 1
+}
\ No newline at end of file
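Review bot: `favicon-mmh3` is declared with `"misp-attribute": "text"` and a description that says "Murmurhash3 format (base64)", which leaves the stored encoding ambiguous. The commonly used favicon fingerprint is the signed 32-bit MurmurHash3 of the base64-encoded icon, written as an integer; if some producers submit that and others submit a base64 string, the values will never match or correlate. MISP has a dedicated `favicon-mmh3` attribute type, so `"misp-attribute": "favicon-mmh3"` looks like the better fit, assuming the CERT.PL system emits that integer form; otherwise the description should state the exact encoding. Separately, the template description reads "as such phash" where "such as phash" is meant.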
From ea4892144468cc5a61776d05157d3f09b4010f92 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 4 Apr 2024 16:48:33 +0200
Subject: [PATCH 2/3] chg: [cert-pl-phishing] fixed
---
objects/cert-pl-phishing/definition.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/cert-pl-phishing/definition.json b/objects/cert-pl-phishing/definition.json
index 6f5c12a..285d624 100644
--- a/objects/cert-pl-phishing/definition.json
+++ b/objects/cert-pl-phishing/definition.json
@@ -7,7 +7,7 @@
},
"html-structure": {
"description": "HTML tags defining the structure of the HTML page.",
- "disable-correlation": true,
+ "disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
@@ -39,4 +39,4 @@
],
"uuid": "4c37c9af-ca71-4365-bcfb-6393c22dd88e",
"version": 1
-}
\ No newline at end of file
+}
From dc52c10844cbed9e2f39f0429665b4f9b1caef3e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 4 Apr 2024 16:53:46 +0200
Subject: [PATCH 3/3] chg: [cert-pl-phishing] fixed
---
objects/cert-pl-phishing/definition.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/cert-pl-phishing/definition.json b/objects/cert-pl-phishing/definition.json
index 285d624..50d7023 100644
--- a/objects/cert-pl-phishing/definition.json
+++ b/objects/cert-pl-phishing/definition.json
@@ -39,4 +39,4 @@
],
"uuid": "4c37c9af-ca71-4365-bcfb-6393c22dd88e",
"version": 1
-}
+}
\ No newline at end of file