From 097ea8c76c098e2447cfed9673a633a1501a1a49 Mon Sep 17 00:00:00 2001
From: Emil Henry Flakk
Date: Sat, 15 Aug 2020 14:57:53 +0200
Subject: [PATCH 1/4] Add more rrtypes to dns-record
---
 objects/dns-record/definition.json | 89 ++++++++++++++++++++++++++++--
 1 file changed, 83 insertions(+), 6 deletions(-)
diff --git a/objects/dns-record/definition.json b/objects/dns-record/definition.json
index 12ef92a..0f94875 100644
--- a/objects/dns-record/definition.json
+++ b/objects/dns-record/definition.json
@@ -5,17 +5,37 @@
 "Network activity",
 "External analysis"
 ],
- "description": "IP Address sassociated with A Records",
+ "description": "IPv4 address associated with A record",
 "misp-attribute": "ip-dst",
 "multiple": true,
 "ui-priority": 1
 },
+ "aaaa-record": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "IPv6 address associated with AAAA record",
+ "misp-attribute": "ip-dst",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "cname-record": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Domain associated with CNAME record",
+ "misp-attribute": "domain",
+ "multiple": true,
+ "ui-priority": 1
+ },
 "mx-record": {
 "categories": [
 "Network activity",
 "External analysis"
 ],
- "description": "Domain associated with MX Record",
+ "description": "Domain associated with MX record",
 "misp-attribute": "domain",
 "multiple": true,
 "ui-priority": 1
@@ -25,7 +45,17 @@
 "Network activity",
 "External analysis"
 ],
- "description": "Domain associated with NS Records",
+ "description": "Domain associated with NS record",
+ "misp-attribute": "domain",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "ptr-record": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Domain associated with PTR record",
 "misp-attribute": "domain",
 "multiple": true,
 "ui-priority": 1
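Review bot: The `cname-record` description added in this hunk does not say which side of the CNAME the value holds, the alias (owner name) or the canonical target, and the `"misp-attribute": "domain"` mapping accepts either, so two producers can fill it with opposite meanings and cross-event correlation then silently mixes aliases with targets. Presumably the target is intended, as for mx/ns; suggest `"description": "Canonical (target) domain associated with CNAME record"`. The same ambiguity applies to `ptr-record` in the next hunk, where the natural value is the hostname the reverse record points to, and to the pre-existing mx/ns descriptions that this hunk only re-cases.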
@@ -39,14 +69,54 @@
 "misp-attribute": "domain",
 "ui-priority": 1
 },
+ "soa-record": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Domain associated with SOA record",
+ "misp-attribute": "domain",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "spf-record": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "IP addresses associated with SPF record",
+ "misp-attribute": "ip-dst",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "srv-record": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Domain associated with SRV record",
+ "misp-attribute": "domain",
+ "multiple": true,
+ "ui-priority": 1
+ },
 "text": {
 "description": "A description of the records",
 "misp-attribute": "text",
 "recommended": false,
 "ui-priority": 1
+ },
+ "txt-record": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Content associated with TXT record",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
 }
 },
- "description": "A set of dns records observed for a specific domain.",
+ "description": "A set of DNS records observed for a specific domain.",
 "meta-category": "network",
 "name": "dns-record",
 "required": [
@@ -54,9 +124,16 @@
 ],
 "requiredOneOf": [
 "a-record",
+ "aaaa-record",
+ "cname-record",
 "mx-record",
- "ns-record"
+ "ns-record",
+ "ptr-record",
+ "soa-record",
+ "spf-record",
+ "srv-record",
+ "txt-record"
 ],
 "uuid": "f023c8f0-81ab-41f3-9f5d-fa597a34a9b9",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
From 5bdc6c65926a53b67dbbfa5101ed367e58341154 Mon Sep 17 00:00:00 2001
From: rmkml
Date: Mon, 17 Aug 2020 17:35:58 +0200
Subject: [PATCH 2/4] add vhash (VirusTotal Hash) on definition.json
---
 objects/file/definition.json | 9 +++++++--
 schema_objects.json | 2 ++
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index eed1408..b2ec95a 100644
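Review bot: `spf-record` in this hunk maps to `"misp-attribute": "ip-dst"` although an SPF record is published as a TXT string built from mechanisms (ip4/ip6 with an optional CIDR suffix, include, a, mx, redirect), so only part of its content is an address at all, a network range does not fit a single-host `ip-dst` value, and once stored a sending-policy address is indistinguishable in correlation from an IP actually observed as a destination. Keeping the raw record as text alongside, or at least stating that the value is a single extracted address, preserves that provenance; suggest `"description": "Single IPv4/IPv6 address extracted from the SPF (TXT) record; keep the full record content in txt-record as well"`. `soa-record` and `srv-record` have the same flattening problem (SOA MNAME/RNAME/serial and SRV priority/weight/port/target all collapse into one `domain` value), and `"multiple": true` on `soa-record` is doubtful since a zone carries a single SOA.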
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -424,6 +424,11 @@
 "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
 "misp-attribute": "tlsh",
 "ui-priority": 0
+ },
+ "vhash": {
+ "description": "vhash by VirusTotal",
+ "misp-attribute": "vhash",
+ "ui-priority": 0
 }
 },
 "description": "File object describing a file with meta-information",
@@ -450,6 +455,6 @@
 "path",
 "fullpath"
 ],
- "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
- "version": 20
+ "uuid": "688c36fb-4edb-41a3-7273-1af8923e2215",
+ "version": 21
 }
\ No newline at end of file
diff --git a/schema_objects.json b/schema_objects.json
index 2d6300a..cd7a646 100644
--- a/schema_objects.json
+++ b/schema_objects.json
@@ -96,6 +96,7 @@
 "filename|sha512/256",
 "filename|ssdeep",
 "filename|tlsh",
+ "filename|vhash",
 "first-name",
 "float",
 "frequent-flyer-number",
@@ -180,6 +181,7 @@
 "text",
 "threat-actor",
 "tlsh",
+ "vhash",
 "travel-details",
 "twitter-id",
 "uri",
From 7fdfbd411084fdfa6531e240cb32ed443960ec00 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 18 Aug 2020 07:44:12 +0200
Subject: [PATCH 3/4] UUID must be the same
---
 objects/file/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index b2ec95a..03e9759 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -455,6 +455,6 @@
 "path",
 "fullpath"
 ],
- "uuid": "688c36fb-4edb-41a3-7273-1af8923e2215",
+ "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
 "version": 21
-}
\ No newline at end of file
+}
From bfec61d8b0692e2c722f48c7e26fb81e2aaa7faa Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 18 Aug 2020 07:54:42 +0200
Subject: [PATCH 4/4] chg: [file] jq
---
 objects/file/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index 03e9759..1f29876 100644
--- a/objects/file/definition.json
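Review bot: The new `vhash` entry's description `"vhash by VirusTotal"` only repeats the key and says nothing about what kind of hash it is, unlike the neighbouring tlsh entry in the same hunk, which names both vendor and algorithm class. vhash is VirusTotal's in-house similarity/clustering hash rather than a cryptographic digest, so a vhash match between two samples signals structural similarity, not identical content, and an analyst reading the template should not treat it as a unique file identifier or as a standalone blocking indicator. Suggest `"description": "Similarity hash (vhash) computed by VirusTotal; a match indicates related files, not identical content"`.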
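Review bot: In the second `schema_objects.json` hunk, `"vhash"` is inserted between `"tlsh"` and `"travel-details"`, which breaks the alphabetical order the surrounding enum entries follow (`text`, `threat-actor`, `tlsh`, `travel-details`, `twitter-id`, `uri`), whereas the first hunk keeps the order (`filename|tlsh`, `filename|vhash`, `first-name`). Placing the new line so that `"vhash",` follows `"uri",` keeps the list sorted and lowers the chance of a duplicate entry being added later at the sorted position. The enclosing array starts and ends outside the hunk.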
+++ b/objects/file/definition.json
@@ -457,4 +457,4 @@
 ],
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
 "version": 21
-}
+}
\ No newline at end of file