From 2220f14ca4f03b248efbe9b122bd6744f243bc56 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 18 Jul 2024 12:08:43 +0200
Subject: [PATCH 1/3] new: [ddos-config] generic ddos configuration from ddos related binaries
---
 objects/ddos-config/definition.json | 106 ++++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 objects/ddos-config/definition.json
diff --git a/objects/ddos-config/definition.json b/objects/ddos-config/definition.json
new file mode 100644
index 0000000..75de184
--- /dev/null
+++ b/objects/ddos-config/definition.json
@@ -0,0 +1,106 @@
+{
+ "attributes": {
+ "body": {
+ "description": "Payload used for the DDos",
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "ddos-tool": {
+ "description": "",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "DDoSia-go",
+ "unknown"
+ ],
+ "ui-priority": 0
+ },
+ "headers": {
+ "description": "Headers used in the DDoS requests",
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "host": {
+ "description": "Hostname used as target of the DDoS attack",
+ "disable_correlation": true,
+ "misp-attribute": "hostname",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "ip": {
+ "description": "IP address used as target of the DDoS attack",
+ "misp-attribute": "ip-dst",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "method": {
+ "description": "Method of DDoS attack used",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "ack",
+ "GET",
+ "method",
+ "PING",
+ "POST",
+ "syn",
+ "SYN",
+ "syn_ack",
+ "udp_flood"
+ ]
+ },
+ "path": {
+ "description": "URL path used for the DDoS attack (excluded hostname)",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "port": {
+ "description": "Port used for attack (when the type and method requires it)",
+ "disable_correlation": true,
+ "misp-attribute": "port"
+ },
+ "request-id": {
+ "description": "request id",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "target-id": {
+ "description": "target id",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "type": {
+ "description": "Type of network protocol used for the DDoS attack",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "http",
+ "http2",
+ "http3",
+ "nginx_loris",
+ "tcp",
+ "type",
+ "udp"
+ ]
+ },
+ "use-ssl": {
+ "description": "TLS/SSL used for the attack",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "true",
+ "false"
+ ]
+ }
+ },
+ "description": "DDoS-claim object describes a current claim of DDoS activity.",
+ "meta-category": "network",
+ "name": "ddos-config",
+ "requiredOneOf": [
+ "ddos-tool"
+ ],
+ "uuid": "e56d7f93-258e-4ba5-bd8a-463acd6d98c4",
+ "version": 1
+}
\ No newline at end of file
From 0833c40b05abf1a4855969a2d44cd3ee90e8ae38 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 18 Jul 2024 12:16:39 +0200
Subject: [PATCH 2/3] fix: [ddos-config] `ui-priority` added
---
 objects/ddos-config/definition.json | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/objects/ddos-config/definition.json b/objects/ddos-config/definition.json
index 75de184..4573d5a 100644
--- a/objects/ddos-config/definition.json
+++ b/objects/ddos-config/definition.json
@@ -3,7 +3,8 @@
 "body": {
 "description": "Payload used for the DDos",
 "misp-attribute": "text",
- "multiple": true
+ "multiple": true,
+ "ui-priority": 0
 },
 "ddos-tool": {
 "description": "",
@@ -18,7 +19,8 @@
 "headers": {
 "description": "Headers used in the DDoS requests",
 "misp-attribute": "text",
- "multiple": true
+ "multiple": true,
+ "ui-priority": 0
 },
 "host": {
 "description": "Hostname used as target of the DDoS attack",
@@ -47,7 +49,8 @@
 "SYN",
 "syn_ack",
 "udp_flood"
- ]
+ ],
+ "ui-priority": 0
 },
 "path": {
 "description": "URL path used for the DDoS attack (excluded hostname)",
@@ -58,7 +61,8 @@
 "port": {
 "description": "Port used for attack (when the type and method requires it)",
 "disable_correlation": true,
- "misp-attribute": "port"
+ "misp-attribute": "port",
+ "ui-priority": 0
 },
 "request-id": {
 "description": "request id",
@@ -83,7 +87,8 @@
 "tcp",
 "type",
 "udp"
- ]
+ ],
+ "ui-priority": 0
 },
 "use-ssl": {
 "description": "TLS/SSL used for the attack",
@@ -92,7 +97,8 @@
 "sane_default": [
 "true",
 "false"
- ]
+ ],
+ "ui-priority": 0
 }
 },
 "description": "DDoS-claim object describes a current claim of DDoS activity.",
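Review bot: `ddos-tool` is the only entry in `requiredOneOf`, yet its `description` is the empty string, so the one mandatory field of this template is the one giving analysts no guidance; something like `"description": "Name of the DDoS tool or binary the configuration was extracted from"` belongs there, and `request-id`/`target-id` ("request id", "target id") likewise only restate their names. The `sane_default` lists also carry the literal entries `"method"` under `method` and `"type"` under `type`, which read as leftover key names rather than values and would be offered as selectable defaults, and `method` lists both `"syn"` and `"SYN"`. `use-ssl` is modelled as free text with `"true"`/`"false"` strings; if the template format's boolean attribute type is acceptable here, `"misp-attribute": "boolean"` would stop mixed-case or yes/1 variants from being entered. The object `description`, "DDoS-claim object describes a current claim of DDoS activity.", looks copied from the ddos-claim template and does not describe a tool configuration; e.g. `"description": "DDoS configuration extracted from DDoS-related binaries or tools, describing the targets and attack parameters."`.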
@@ -102,5 +108,5 @@
 "ddos-tool"
 ],
 "uuid": "e56d7f93-258e-4ba5-bd8a-463acd6d98c4",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
From 454285fea5ad4557986355eea1157828b7dbdf2f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 18 Jul 2024 15:10:13 +0200
Subject: [PATCH 3/3] chg: [ddos-config] as the config is mainly describing targets to_ids and correlation don't make a lot of sense
---
 objects/ddos-config/definition.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/objects/ddos-config/definition.json b/objects/ddos-config/definition.json
index 4573d5a..03d4e11 100644
--- a/objects/ddos-config/definition.json
+++ b/objects/ddos-config/definition.json
@@ -2,8 +2,10 @@
 "attributes": {
 "body": {
 "description": "Payload used for the DDos",
+ "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
+ "to_ids": false,
 "ui-priority": 0
 },
 "ddos-tool": {
@@ -18,6 +20,7 @@
 },
 "headers": {
 "description": "Headers used in the DDoS requests",
+ "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 0
@@ -27,12 +30,15 @@
 "disable_correlation": true,
 "misp-attribute": "hostname",
 "multiple": true,
+ "to_ids": false,
 "ui-priority": 0
 },
 "ip": {
 "description": "IP address used as target of the DDoS attack",
+ "disable_correlation": true,
 "misp-attribute": "ip-dst",
 "multiple": true,
+ "to_ids": false,
 "ui-priority": 0
 },
 "method": {
@@ -54,8 +60,10 @@
 },
 "path": {
 "description": "URL path used for the DDoS attack (excluded hostname)",
+ "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
+ "to_ids": false,
 "ui-priority": 0
 },
 "port": {
@@ -66,6 +74,7 @@
 },
 "request-id": {
 "description": "request id",
+ "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 0
 },
@@ -108,5 +117,5 @@
 "ddos-tool"
 ],
 "uuid": "e56d7f93-258e-4ba5-bd8a-463acd6d98c4",
- "version": 2
+ "version": 3
 }
\ No newline at end of file
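Review bot: The `to_ids`/correlation change announced in the subject is applied unevenly: in the `@@ -18,6 +20,7 @@` and `@@ -66,6 +74,7 @@` hunks `headers` and `request-id` receive `"disable_correlation": true` but, unlike `body`, `host`, `ip` and `path`, no `"to_ids": false`, and `port`, `target-id`, `method`, `type`, `use-ssl` and `ddos-tool` are not touched at all in this patch. If the intent is that nothing in a target configuration is ever exported as an IDS indicator, `"to_ids": false` belongs on every attribute, at least on `port`, whose attribute type may default differently from `text`; otherwise a short rationale in the description of `headers`/`request-id` would make the asymmetry look deliberate rather than accidental. The file is also still committed with `\ No newline at end of file` across all three revisions; terminating it with a newline keeps future diffs clean.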