From 645b0dc5ed2bd7c7c9e1afb7e54e15b28fd614a8 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 13 Mar 2017 07:19:09 +0100
Subject: [PATCH 1/6] PE section added
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index e9b9a80..6129a44 100644
--- a/README.md
+++ b/README.md
@@ -69,6 +69,7 @@ potential a sane default for an attribute.
 * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
 * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
 * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
+* [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
 * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
From 1da88ddb99d6efad7a596be4bcb66ef5721319ff Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 13 Mar 2017 07:45:06 +0100
Subject: [PATCH 2/6] url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
---
 objects/url/definition.json | 78 +++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 objects/url/definition.json
diff --git a/objects/url/definition.json b/objects/url/definition.json
new file mode 100644
index 0000000..87eae51
--- /dev/null
+++ b/objects/url/definition.json
@@ -0,0 +1,78 @@
+{
+ "name": "url",
+ "meta-category": "network",
+ "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
+ "version": 1,
+ "attributes": {
+ "url": {
+ "misp-attribute": "url",
+ "misp-usage-frequency": 1
+ },
+ "last-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0
+ },
+ "text": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "credential": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "subdomain": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "domain": {
+ "misp-attribute": "domain",
+ "misp-usage-frequency": 0
+ },
+ "domain_without_tld": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "host": {
+ "misp-attribute": "hostname",
+ "misp-usage-frequency": 0
+ },
+ "tld": {
+ "misp-attribute": "tld",
+ "misp-usage-frequency": 0
+ },
+ "port": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "scheme": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "sane_default": [
+ "http",
+ "https",
+ "ftp",
+ "gopher",
+ "sip"
+ ]
+ },
+ "first-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0
+ },
+ "resource_path": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "query_string": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "fragment": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ }
+ },
+ "requiredOneOf": [
+ "url"
+ ]
+}
From 8685efd1362db517ee1793e258a66e6858b9726e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 13 Mar 2017 07:45:38 +0100
Subject: [PATCH 3/6] url object JQified
---
 objects/url/definition.json | 70 ++++++++++++++++++-------------------
 1 file changed, 35 insertions(+), 35 deletions(-)
diff --git a/objects/url/definition.json b/objects/url/definition.json
index 87eae51..7aaac1f 100644
--- a/objects/url/definition.json
+++ b/objects/url/definition.json
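Review bot: `port` is typed `"misp-attribute": "text"` while the sibling attributes use the specific MISP types (`domain`, `hostname`, `tld`, `url`), so a port number is stored as free text and cannot be validated or correlated as one; if the MISP `port` attribute type is available to this object's consumers, `"misp-attribute": "port"` is the better fit. The attribute keys also mix two naming styles in one document — `first-seen`/`last-seen` alongside `domain_without_tld`, `resource_path`, `query_string`, whereas the ddos object reordered in PATCH 5 hyphenates every key — and settling on one convention before the object is published avoids a breaking rename later. Finally, `credential` presumably carries the userinfo part of a parsed URL, which is sensitive when an object is shared; if the schema permits a per-attribute `description`, one stating what the attribute holds and that it may contain secrets would help consumers decide what to share.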
@@ -4,23 +4,11 @@
 "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
 "version": 1,
 "attributes": {
- "url": {
- "misp-attribute": "url",
- "misp-usage-frequency": 1
- },
- "last-seen": {
- "misp-attribute": "datetime",
+ "host": {
+ "misp-attribute": "hostname",
 "misp-usage-frequency": 0
 },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "credential": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "subdomain": {
+ "domain_without_tld": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0
 },
@@ -28,22 +16,38 @@
 "misp-attribute": "domain",
 "misp-usage-frequency": 0
 },
- "domain_without_tld": {
+ "subdomain": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0
 },
- "host": {
- "misp-attribute": "hostname",
- "misp-usage-frequency": 0
- },
- "tld": {
- "misp-attribute": "tld",
- "misp-usage-frequency": 0
- },
- "port": {
+ "credential": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0
 },
+ "text": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "last-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0
+ },
+ "fragment": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "query_string": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "resource_path": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "first-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0
+ },
 "scheme": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0,
@@ -55,21 +59,17 @@
 "sip"
 ]
 },
- "first-seen": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "resource_path": {
+ "port": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0
 },
- "query_string": {
- "misp-attribute": "text",
+ "tld": {
+ "misp-attribute": "tld",
 "misp-usage-frequency": 0
 },
- "fragment": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "url": {
+ "misp-attribute": "url",
+ "misp-usage-frequency": 1
 }
 },
 "requiredOneOf": [
From 92710e85ad5ff9a66311267c8d5f6abc36f273ff Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 13 Mar 2017 07:46:51 +0100
Subject: [PATCH 4/6] url object added
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 6129a44..a2a76c3 100644
--- a/README.md
+++ b/README.md
@@ -72,6 +72,7 @@ potential a sane default for an attribute.
 * [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
+* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
 * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
 * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
From 6185e68498c285862656d6bc1c27f60da96a69fa Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 13 Mar 2017 08:19:27 +0100
Subject: [PATCH 5/6] JQifized
---
 objects/ddos/definition.json | 42 ++++++++++++++++++------------------
 1 file changed, 21 insertions(+), 21 deletions(-)
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index 0e7cd4c..b72debd 100644
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
@@ -4,30 +4,14 @@
 "description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
 "version": 1,
 "attributes": {
- "total-pps": {
+ "total-bps": {
 "misp-attribute": "counter",
 "misp-usage-frequency": 0
 },
- "last-seen": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
 "text": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0
 },
- "total-bps": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0
- },
- "ip-src": {
- "misp-attribute": "ip-src",
- "misp-usage-frequency": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
- },
 "ip-dst": {
 "misp-attribute": "ip-dst",
 "misp-usage-frequency": 1,
@@ -36,9 +20,9 @@
 "External analysis"
 ]
 },
- "src-port": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
+ "ip-src": {
+ "misp-attribute": "ip-src",
+ "misp-usage-frequency": 1,
 "categories": [
 "Network activity",
 "External analysis"
@@ -52,6 +36,18 @@
 "External analysis"
 ]
 },
+ "src-port": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ]
+ },
+ "first-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0
+ },
 "protocol": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0,
@@ -62,7 +58,11 @@
 "IP"
 ]
 },
- "first-seen": {
+ "total-pps": {
+ "misp-attribute": "counter",
+ "misp-usage-frequency": 0
+ },
+ "last-seen": {
 "misp-attribute": "datetime",
 "misp-usage-frequency": 0
 }
From bd79ee42241f5b7eb7991fffb36b2887dd1374b0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 13 Mar 2017 08:22:28 +0100
Subject: [PATCH 6/6] Add sane_default to the schema
---
 schema.json | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/schema.json b/schema.json
index d5defa4..f3e1082 100644
--- a/schema.json
+++ b/schema.json
@@ -27,6 +27,13 @@
 "type": "string"
 }
 },
+ "sane_default": {
+ "type": "array",
+ "uniqueItems": true,
+ "items": {
+ "type": "string"
+ }
+ },
 "multiple": {
 "type": "boolean"
 },
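Review bot: The new `sane_default` schema accepts an empty array, which declares a default list that suggests nothing; adding `"minItems": 1` beside `"uniqueItems": true` rules that out and still matches the only use on this page, the five-entry `scheme` list in the url object of PATCH 2. A `"description"` on the keyword would also help, since the schema is the only place that says what `sane_default` means (the README context in PATCH 1 only calls it a sane default for an attribute); something like `"description": "Suggested values for this attribute, offered as defaults"` is enough. The enclosing per-attribute properties object starts and ends outside the hunk, so whether it is closed with `additionalProperties` cannot be judged from here.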