From 4e10e5501ed718127bd8de06551ec5b1a32cb0d4 Mon Sep 17 00:00:00 2001 From: Martin Waleczek Date: Tue, 19 Sep 2023 16:31:10 +0200 Subject: [PATCH 1/3] add definition.json for c2-list --- objects/c2-list/definition.json | 40 +++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 objects/c2-list/definition.json diff --git a/objects/c2-list/definition.json b/objects/c2-list/definition.json new file mode 100644 index 0000000..b47ea30 --- /dev/null +++ b/objects/c2-list/definition.json @@ -0,0 +1,40 @@ +{ + "attributes": { + "c2": { + "categories": [ + "Network activity" + ], + "description": "IP:Port of C2 server", + "misp-attribute": "ip-src|port", + "multiple": true, + "ui-priority": 1 + }, + "report-url": { + "description": "URL of source of information, e.g. blog post, ransomware analysis", + "disable_correlation": true, + "misp-attribute": "link", + "multiple": true, + "ui-priority": 1 + }, + "threat": { + "categories": [ + "Attribution", + "Payload type" + ], + "description": "threat actor or malware", + "misp-attribute": "text", + "ui-priority": 1 + } + }, + "description": "List of C2-servers with common ground, e.g. extracted from a blog post or ransomware analysis", + "meta-category": "network", + "name": "c2-list", + "required": [ + "threat" + ], + "requiredOneOf": [ + "c2" + ], + "uuid": "12456351-ceb7-4d43-9a7e-d2275d8b5785", + "version": 20230919 +} \ No newline at end of file From aa3bbd44faf137d3fd83afadca5b133f58151a90 Mon Sep 17 00:00:00 2001 From: Martin Waleczek Date: Tue, 19 Sep 2023 16:58:06 +0200 Subject: [PATCH 2/3] add c2-ip to definition.json --- objects/c2-list/definition.json | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/objects/c2-list/definition.json b/objects/c2-list/definition.json index b47ea30..bf6a19f 100644 --- a/objects/c2-list/definition.json +++ b/objects/c2-list/definition.json @@ -1,6 +1,6 @@ { "attributes": { - "c2": { + "c2-ipport": { "categories": [ "Network activity" ], @@ -9,6 +9,15 @@ "multiple": true, "ui-priority": 1 }, + "c2-ip": { + "categories": [ + "Network activity" + ], + "description": "IP of C2 server with unknown port", + "misp-attribute": "ip-src", + "multiple": true, + "ui-priority": 1 + }, "report-url": { "description": "URL of source of information, e.g. blog post, ransomware analysis", "disable_correlation": true, @@ -33,7 +42,8 @@ "threat" ], "requiredOneOf": [ - "c2" + "c2-ipport", + "c2-ip" ], "uuid": "12456351-ceb7-4d43-9a7e-d2275d8b5785", "version": 20230919 From 652f0f7120928eaae5a6567130c2d8151b20fcc8 Mon Sep 17 00:00:00 2001 From: Martin Waleczek Date: Tue, 19 Sep 2023 17:05:06 +0200 Subject: [PATCH 3/3] reorder elements --- objects/c2-list/definition.json | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/objects/c2-list/definition.json b/objects/c2-list/definition.json index bf6a19f..bc2e6ed 100644 --- a/objects/c2-list/definition.json +++ b/objects/c2-list/definition.json @@ -1,5 +1,14 @@ { "attributes": { + "c2-ip": { + "categories": [ + "Network activity" + ], + "description": "IP of C2 server with unknown port", + "misp-attribute": "ip-src", + "multiple": true, + "ui-priority": 1 + }, "c2-ipport": { "categories": [ "Network activity" @@ -9,15 +18,6 @@ "multiple": true, "ui-priority": 1 }, - "c2-ip": { - "categories": [ - "Network activity" - ], - "description": "IP of C2 server with unknown port", - "misp-attribute": "ip-src", - "multiple": true, - "ui-priority": 1 - }, "report-url": { "description": "URL of source of information, e.g. blog post, ransomware analysis", "disable_correlation": true,