Merge remote-tracking branch 'upstream/master'

pull/193/head
kx499 2018-01-18 10:49:57 -05:00
commit 1f061ce2ed
27 changed files with 1058 additions and 61 deletions


@ -2,7 +2,7 @@
[![Build Status](https://travis-ci.org/MISP/misp-objects.svg?branch=master)](https://travis-ci.org/MISP/misp-objects)
MISP objects to be used in MISP (2.4.80) system and can be used by other information sharing tool. MISP objects
MISP objects used in MISP (starting from 2.4.80) system and can be used by other information sharing tool. MISP objects
are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects
and their associated attributes are based on real cyber security use-cases and existing practices in information sharing.
@ -31,10 +31,12 @@ Feel free to propose your own MISP objects to be included in MISP. The system is
},
"first-seen": {
"misp-attribute": "datetime",
"disable_correlation": true,
"ui-priority": 0
},
"last-seen": {
"misp-attribute": "datetime",
"disable_correlation": true,
"ui-priority": 0
}
@ -53,7 +55,7 @@ A MISP object is described in a simple JSON file containing the following elemen
* **requiredOneOf** is an array containing the attributes where at least one need to be present to describe the object.
* **attributes** contains another JSON object listing all the attributes composing the object.
Each attribute must contain a reference **misp-attribute** to reference an existing attribute definition in MISP.
Each attribute must contain a reference **misp-attribute** to reference an existing attribute definition in MISP (MISP attributes types are case-sensitive).
An array **categories** shall be used to described in which categories the attribute is. The **ui-priority**
describes the usage frequency of an attribute. This helps to only display the most frequently used attributes and
allowing advanced users to show all the attributes depending of their configuration. An optional **multiple** field
@ -65,7 +67,10 @@ for a specific attribute.
## Existing MISP objects
* [objects/ail-leak](objects/ail-leak/definition.json) - information leak object as defined by the [AIL Analysis Information Leak framework](https://www.github.com/CIRCL/AIL-framework).
* [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file).
* [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
* [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
* [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency.
* [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
* [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
* [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
@ -134,9 +139,9 @@ The MISP objects model allows to add new combined indicators format based on the
~~~~
Copyright (C) 2016-2017 Andras Iklody
Copyright (C) 2016-2017 Alexandre Dulaunoy
Copyright (C) 2016-2017 CIRCL - Computer Incident Response Center Luxembourg
Copyright (C) 2016-2018 Andras Iklody
Copyright (C) 2016-2018 Alexandre Dulaunoy
Copyright (C) 2016-2018 CIRCL - Computer Incident Response Center Luxembourg
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by


@ -14,10 +14,21 @@
"ui-priority": 0,
"misp-attribute": "text"
},
"duplicate": {
"description": "Duplicate of the existing leaks.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"duplicate_number": {
"description": "Number of known duplicates.",
"ui-priority": 0,
"misp-attribute": "counter"
},
"origin": {
"description": "The link where the leak is (or was) accessible at first-seen.",
"ui-priority": 1,
"misp-attribute": "link"
"misp-attribute": "text"
},
"text": {
"description": "A description of the leak which could include the potential victim(s) or description of the leak.",
@ -55,9 +66,15 @@
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"raw-data": {
"description": "Raw data as received by the AIL sensor compressed and encoded in Base64.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "attachment"
}
},
"version": 3,
"version": 7,
"description": "An information leak as defined by the AIL Analysis Information Leak framework.",
"meta-category": "misc",
"uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",


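--- /dev/null
+++ b/objects/android-permission/definition.json
@@ -0,0 +1,171 @@
+{
+"requiredOneOf": [
+"permission"
+],
+"attributes": {
+"permission": {
+"description": "Android permission",
+"ui-priority": 0,
+"misp-attribute": "text",
+"multiple": true,
+"sane_default": [
+"ACCESS_CHECKIN_PROPERTIES",
+"ACCESS_COARSE_LOCATION",
+"ACCESS_FINE_LOCATION",
+"ACCESS_LOCATION_EXTRA_COMMANDS",
+"ACCESS_NETWORK_STATE",
+"ACCESS_NOTIFICATION_POLICY",
+"ACCESS_WIFI_STATE",
+"ACCOUNT_MANAGER",
+"ADD_VOICEMAIL",
+"ANSWER_PHONE_CALLS",
+"BATTERY_STATS",
+"BIND_ACCESSIBILITY_SERVICE",
+"BIND_APPWIDGET",
+"BIND_AUTOFILL_SERVICE",
+"BIND_CARRIER_MESSAGING_SERVICE",
+"BIND_CHOOSER_TARGET_SERVICE",
+"BIND_CONDITION_PROVIDER_SERVICE",
+"BIND_DEVICE_ADMIN",
+"BIND_DREAM_SERVICE",
+"BIND_INCALL_SERVICE",
+"BIND_INPUT_METHOD",
+"BIND_MIDI_DEVICE_SERVICE",
+"BIND_NFC_SERVICE",
+"BIND_NOTIFICATION_LISTENER_SERVICE",
+"BIND_PRINT_SERVICE",
+"BIND_QUICK_SETTINGS_TILE",
+"BIND_REMOTEVIEWS",
+"BIND_SCREENING_SERVICE",
+"BIND_TELECOM_CONNECTION_SERVICE",
+"BIND_TEXT_SERVICE",
+"BIND_TV_INPUT",
+"BIND_VISUAL_VOICEMAIL_SERVICE",
+"BIND_VOICE_INTERACTION",
+"BIND_VPN_SERVICE",
+"BIND_VR_LISTENER_SERVICE",
+"BIND_WALLPAPER",
+"BLUETOOTH",
+"BLUETOOTH_ADMIN",
+"BLUETOOTH_PRIVILEGED",
+"BODY_SENSORS",
+"BROADCAST_PACKAGE_REMOVED",
+"BROADCAST_SMS",
+"BROADCAST_STICKY",
+"BROADCAST_WAP_PUSH",
+"CALL_PHONE",
+"CALL_PRIVILEGED",
+"CAMERA",
+"CAPTURE_AUDIO_OUTPUT",
+"CAPTURE_SECURE_VIDEO_OUTPUT",
+"CAPTURE_VIDEO_OUTPUT",
+"CHANGE_COMPONENT_ENABLED_STATE",
+"CHANGE_CONFIGURATION",
+"CHANGE_NETWORK_STATE",
+"CHANGE_WIFI_MULTICAST_STATE",
+"CHANGE_WIFI_STATE",
+"CLEAR_APP_CACHE",
+"CONTROL_LOCATION_UPDATES",
+"DELETE_CACHE_FILES",
+"DELETE_PACKAGES",
+"DIAGNOSTIC",
+"DISABLE_KEYGUARD",
+"DUMP",
+"EXPAND_STATUS_BAR",
+"FACTORY_TEST",
+"GET_ACCOUNTS",
+"GET_ACCOUNTS_PRIVILEGED",
+"GET_PACKAGE_SIZE",
+"GET_TASKS",
+"GLOBAL_SEARCH",
+"INSTALL_LOCATION_PROVIDER",
+"INSTALL_PACKAGES",
+"INSTALL_SHORTCUT",
+"INSTANT_APP_FOREGROUND_SERVICE",
+"INTERNET",
+"KILL_BACKGROUND_PROCESSES",
+"LOCATION_HARDWARE",
+"MANAGE_DOCUMENTS",
+"MANAGE_OWN_CALLS",
+"MASTER_CLEAR",
+"MEDIA_CONTENT_CONTROL",
+"MODIFY_AUDIO_SETTINGS",
+"MODIFY_PHONE_STATE",
+"MOUNT_FORMAT_FILESYSTEMS",
+"MOUNT_UNMOUNT_FILESYSTEMS",
+"NFC",
+"PACKAGE_USAGE_STATS",
+"PERSISTENT_ACTIVITY",
+"PROCESS_OUTGOING_CALLS",
+"READ_CALENDAR",
+"READ_CALL_LOG",
+"READ_CONTACTS",
+"READ_EXTERNAL_STORAGE",
+"READ_FRAME_BUFFER",
+"READ_INPUT_STATE",
+"READ_LOGS",
+"READ_PHONE_NUMBERS",
+"READ_PHONE_STATE",
+"READ_SMS",
+"READ_SYNC_SETTINGS",
+"READ_SYNC_STATS",
+"READ_VOICEMAIL",
+"REBOOT",
+"RECEIVE_BOOT_COMPLETED",
+"RECEIVE_MMS",
+"RECEIVE_SMS",
+"RECEIVE_WAP_PUSH",
+"RECORD_AUDIO",
+"REORDER_TASKS",
+"REQUEST_COMPANION_RUN_IN_BACKGROUND",
+"REQUEST_COMPANION_USE_DATA_IN_BACKGROUND",
+"REQUEST_DELETE_PACKAGES",
+"REQUEST_IGNORE_BATTERY_OPTIMIZATIONS",
+"REQUEST_INSTALL_PACKAGES",
+"RESTART_PACKAGES",
+"SEND_RESPOND_VIA_MESSAGE",
+"SEND_SMS",
+"SET_ALARM",
+"SET_ALWAYS_FINISH",
+"SET_ANIMATION_SCALE",
+"SET_DEBUG_APP",
+"SET_PREFERRED_APPLICATIONS",
+"SET_PROCESS_LIMIT",
+"SET_TIME",
+"SET_TIME_ZONE",
+"SET_WALLPAPER",
+"SET_WALLPAPER_HINTS",
+"SIGNAL_PERSISTENT_PROCESSES",
+"STATUS_BAR",
+"SYSTEM_ALERT_WINDOW",
+"TRANSMIT_IR",
+"UNINSTALL_SHORTCUT",
+"UPDATE_DEVICE_STATS",
+"USE_FINGERPRINT",
+"USE_SIP",
+"VIBRATE",
+"WAKE_LOCK",
+"WRITE_APN_SETTINGS",
+"WRITE_CALENDAR",
+"WRITE_CALL_LOG",
+"WRITE_CONTACTS",
+"WRITE_EXTERNAL_STORAGE",
+"WRITE_GSERVICES",
+"WRITE_SECURE_SETTINGS",
+"WRITE_SETTINGS",
+"WRITE_SYNC_SETTINGS",
+"WRITE_VOICEMAIL"
+]
+},
+"comment": {
+"description": "Comment about the set of android permission(s)",
+"ui-priority": 0,
+"misp-attribute": "comment"
+}
+},
+"version": 2,
+"description": "A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).",
+"meta-category": "misc",
+"uuid": "d81003b2-5c03-4d96-ae30-e6695de1aea2",
+"name": "android-permission"
+}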
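Review bot: `permission` leaves correlation enabled (no `disable_correlation`) although its values are a closed list of bare permission names such as `INTERNET` or `WAKE_LOCK` that a large share of Android apps request, so every event carrying this object will correlate with every other one on those values and produce noise rather than signal. The other enumerated `text` attributes added in this commit (`sandbox-type`, `GtpVersion`, `root-keys`) all set `"disable_correlation": true`; adding that line after `"multiple": true,` keeps this object consistent with them. The README entry says the set can be linked to "file" while the definition's description says "malware, app"; one wording should be used in both places.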


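--- /dev/null
+++ b/<PATH-PLACEHOLDER: annotation definition.json>
@@ -0,0 +1,71 @@
+{
+"requiredOneOf": [
+"text"
+],
+"attributes": {
+"text": {
+"description": "Raw text of the annotation",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"ref": {
+"description": "Reference(s) to the annotation",
+"ui-priority": 0,
+"misp-attribute": "link",
+"multiple": true
+},
+"type": {
+"description": "Type of the annotation",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true,
+"sane_default": [
+"Annotation",
+"Executive Summary",
+"Introduction",
+"Conclusion",
+"Disclaimer",
+"Keywords",
+"Acknowledgement",
+"Other",
+"Copyright",
+"Authors",
+"Logo"
+]
+},
+"format": {
+"description": "Format of the annotation",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true,
+"sane_default": [
+"text",
+"markdown",
+"asciidoctor",
+"MultiMarkdown",
+"GFM",
+"pandoc",
+"Fountain",
+"CommonWork",
+"kramdown-rfc2629",
+"rfc7328",
+"Extra"
+]
+},
+"creation-date": {
+"description": "Initial creation of the annotation",
+"ui-priority": 0,
+"misp-attribute": "datetime"
+},
+"modification-date": {
+"description": "Last update of the annotation",
+"ui-priority": 0,
+"misp-attribute": "datetime"
+}
+},
+"version": 2,
+"description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
+"meta-category": "misc",
+"uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",
+"name": "annotation"
+}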
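Review bot: `creation-date` and `modification-date` are the only `datetime` attributes in this commit without `"disable_correlation": true`, while every first-seen/last-seen attribute touched here gains it, so these two timestamps will correlate across events on coincidental equality; add the line to both. `"CommonWork"` in the `format` sane_default list looks like it may be a typo for CommonMark — please confirm before it ships, since sane_default values are shown to users as-is. `ref` is typed `link` with `multiple`, which reads well, but its description "Reference(s) to the annotation" does not say what the links point at (the material being annotated or external sources); one clause would settle that.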


@ -6,7 +6,7 @@
"asn": {
"description": "Autonomous System Number",
"ui-priority": 1,
"misp-attribute": "as"
"misp-attribute": "AS"
},
"description": {
"description": "Description of the autonomous system",
@ -26,11 +26,13 @@
},
"first-seen": {
"description": "First time the ASN was seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"last-seen": {
"description": "Last time the ASN was seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
@ -59,7 +61,7 @@
"multiple": true
}
},
"version": 2,
"version": 4,
"description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
"meta-category": "network",
"uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",


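--- /dev/null
+++ b/objects/coin-address/definition.json
@@ -0,0 +1,69 @@
+{
+"requiredOneOf": [
+"address"
+],
+"attributes": {
+"address": {
+"description": "Address used as a payment destination in a cryptocurrency",
+"ui-priority": 1,
+"misp-attribute": "btc"
+},
+"symbol": {
+"description": "The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/",
+"misp-attribute": "text",
+"disable_correlation": true,
+"ui-priority": 1,
+"sane_default": [
+"BTC",
+"ETH",
+"BCH",
+"XRP",
+"MIOTA",
+"DASH",
+"BTG",
+"LTC",
+"ADA",
+"XMR",
+"ETC",
+"NEO",
+"NEM",
+"EOS",
+"XLM",
+"BCC",
+"LSK",
+"OMG",
+"QTUM",
+"ZEC",
+"USDT",
+"HSR",
+"STRAT",
+"WAVES",
+"PPT"
+]
+},
+"last-seen": {
+"description": "Last time this payment destination address has been seen",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "datetime"
+},
+"first-seen": {
+"description": "First time this payment destination address has been seen",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "datetime"
+},
+"text": {
+"description": "Free text value",
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "text",
+"recommended": false
+}
+},
+"version": 2,
+"description": "An address used in a cryptocurrency",
+"meta-category": "financial",
+"uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46",
+"name": "coin-address"
+}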
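Review bot: `address` is typed `btc` while `symbol` offers 24 other currencies (ETH, XRP, XMR, …), so if MISP's `btc` type enforces Bitcoin address syntax — presumably it does, given the name — addresses of the other listed coins will either be rejected or stored under a misleading type; either restrict `symbol` to what `btc` accepts or document the limitation, e.g. `"description": "Address used as a payment destination in a cryptocurrency (stored with the btc type; non-Bitcoin address formats may not validate)",`. `BCC` and `BCH` both appear in `sane_default`; BCC has been used as an alternative ticker for Bitcoin Cash as well as for an unrelated coin, so the list should make clear which is meant or drop the duplicate. The `symbol` description asks for uppercase but nothing in the definition enforces it, so consumers matching on `symbol` should not assume case.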


@ -3,7 +3,7 @@
"uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
"meta-category": "network",
"description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
"version": 4,
"version": 6,
"attributes": {
"total-bps": {
"description": "Bits per second",
@ -12,11 +12,21 @@
},
"text": {
"description": "Description of the DDoS",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"domain-dst": {
"description": "Destination domain (victim)",
"misp-attribute": "domain",
"ui-priority": 1,
"categories": [
"Network activity",
"External analysis"
]
},
"ip-dst": {
"description": "Destination ID (victim)",
"description": "Destination IP (victim)",
"misp-attribute": "ip-dst",
"ui-priority": 1,
"categories": [
@ -53,6 +63,7 @@
},
"first-seen": {
"description": "Beginning of the attack",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
@ -74,12 +85,14 @@
},
"last-seen": {
"description": "End of the attack",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
}
},
"requiredOneOf": [
"ip-dst",
"ip-src"
"ip-src",
"domain-dst"
]
}


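--- /dev/null
+++ b/<PATH-PLACEHOLDER: diameter-attack definition.json>
@@ -0,0 +1,89 @@
+{
+"requiredOneOf": [
+"text"
+],
+"attributes": {
+"category": {
+"description": "Category.",
+"sane_default": [
+"Cat0",
+"Cat1",
+"Cat2",
+"Cat3",
+"CatSMS"
+],
+"misp-attribute": "text",
+"disable_correlation": true,
+"ui-priority": 0
+},
+"ApplicationId": {
+"description": "Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"SessionId": {
+"description": "Session-ID.",
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"CmdCode": {
+"description": "A decimal representation of the diameter Command Code.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"Origin-Host": {
+"description": "Origin-Host.",
+"misp-attribute": "text",
+"multiple": true,
+"ui-priority": 0
+},
+"Destination-Host": {
+"description": "Destination-Host.",
+"misp-attribute": "text",
+"multiple": true,
+"ui-priority": 0
+},
+"Origin-Realm": {
+"description": "Origin-Realm.",
+"misp-attribute": "text",
+"multiple": true,
+"ui-priority": 0
+},
+"Destination-Realm": {
+"description": "Destination-Realm.",
+"misp-attribute": "text",
+"multiple": true,
+"ui-priority": 0
+},
+"Username": {
+"description": "Username (in this case, usually the IMSI).",
+"misp-attribute": "text",
+"multiple": true,
+"ui-priority": 0
+},
+"IdrFlags": {
+"description": "IDR-Flags.",
+"misp-attribute": "text",
+"disable_correlation": true,
+"ui-priority": 0
+},
+"text": {
+"description": "A description of the attack seen.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"first-seen": {
+"description": "When the attack has been seen for the first time.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "datetime"
+}
+},
+"version": 1,
+"description": "Attack as seen on diameter authentication against a GSM, UMTS or LTE network",
+"meta-category": "network",
+"uuid": "a3fdce4c-8e21-4acc-ab8e-9976e9165a12",
+"name": "diameter-attack"
+}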
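Review bot: Attribute names mix three conventions in one object — `ApplicationId`, `SessionId`, `CmdCode`, `IdrFlags` (PascalCase), `Origin-Host`, `Destination-Realm` (kebab) and `category`, `text`, `first-seen` (lowercase) — and since attribute names are stable identifiers that templates and consumers key on, they should follow the lowercase-kebab form used by every other object in this repository (`first-seen`, `ip-dst`, `ui-priority`) before version 1 ships. `category` is described only as "Category." with values `Cat0`–`Cat3`, `CatSMS`, which tells a reader nothing about the classification; name the scheme those values come from in the description, and align it with `ss7-attack`, which spells the same attribute `Category` and extends the list. `Username` notes the value is usually the IMSI, i.e. a subscriber identifier; saying so in the object description would tell contributors that this object carries personal data when they choose its distribution.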


@ -6,17 +6,20 @@
"attributes": {
"text": {
"description": "A description of the tuple",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"last-seen": {
"description": "Last time the tuple has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "First time the tuple has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
@ -40,7 +43,7 @@
"multiple": true
}
},
"version": 4,
"version": 5,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",


@ -210,7 +210,8 @@
"AMDGPU"
],
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"os_abi": {
"description": "Header operating system application binary interface (ABI)",
@ -238,7 +239,8 @@
"TRU64"
],
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"text": {
"description": "Free text value to attach to the ELF",
@ -248,7 +250,7 @@
"recommended": false
}
},
"version": 3,
"version": 4,
"description": "Object describing a Executable and Linkable Format",
"meta-category": "file",
"uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa",


@ -15,7 +15,9 @@
"sha512/224",
"sha512/256",
"tlsh",
"pattern-in-file"
"pattern-in-file",
"x509-fingerprint-sha1",
"malware-sample"
],
"attributes": {
"md5": {
@ -111,6 +113,8 @@
},
"filename": {
"description": "Filename on disk",
"disable_correlation": true,
"multiple": true,
"categories": [
"Payload delivery",
"Artifacts dropped",
@ -125,6 +129,11 @@
"ui-priority": 0,
"misp-attribute": "tlsh"
},
"certificate": {
"description": "Certificate value if the binary is signed with another authentication scheme than authenticode",
"ui-priority": 0,
"misp-attribute": "x509-fingerprint-sha1"
},
"mimetype": {
"description": "Mime type",
"disable_correlation": true,
@ -136,7 +145,9 @@
"ui-priority": 0,
"description": "State of the file",
"multiple": true,
"disable_correlation": true,
"values_list": [
"Malicious",
"Harmless",
"Signed",
"Revoked",
@ -145,7 +156,7 @@
]
}
},
"version": 4,
"version": 9,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",


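--- /dev/null
+++ b/<PATH-PLACEHOLDER: gtp-attack definition.json>
@@ -0,0 +1,99 @@
+{
+"requiredOneOf": [
+"text"
+],
+"attributes": {
+"GtpServingNetwork": {
+"description": "GTP Serving Network.",
+"misp-attribute": "text",
+"disable_correlation": true,
+"ui-priority": 1
+},
+"GtpImei": {
+"description": "GTP IMEI (International Mobile Equipment Identity).",
+"misp-attribute": "text",
+"ui-priority": 1
+},
+"GtpMsisdn": {
+"description": "GTP MSISDN.",
+"misp-attribute": "text",
+"ui-priority": 1
+},
+"GtpImsi": {
+"description": "GTP IMSI (International mobile subscriber identity).",
+"misp-attribute": "text",
+"ui-priority": 1
+},
+"GtpInterface": {
+"description": "GTP interface.",
+"sane_default": [
+"S5",
+"S11",
+"S10",
+"S8",
+"Gn",
+"Gp"
+],
+"misp-attribute": "text",
+"disable_correlation": true,
+"multiple": true,
+"ui-priority": 1
+},
+"GtpMessageType": {
+"description": "GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"ui-priority": 1
+},
+"PortDest": {
+"description": "Destination port.",
+"disable_correlation": true,
+"misp-attribute": "text",
+"ui-priority": 0
+},
+"PortSrc": {
+"description": "Source port.",
+"disable_correlation": true,
+"misp-attribute": "port",
+"ui-priority": 0
+},
+"ipDest": {
+"description": "IP destination address.",
+"misp-attribute": "ip-dst",
+"ui-priority": 0
+},
+"ipSrc": {
+"description": "IP source address.",
+"misp-attribute": "ip-src",
+"ui-priority": 0
+},
+"GtpVersion": {
+"description": "GTP version",
+"sane_default": [
+"0",
+"1",
+"2"
+],
+"misp-attribute": "text",
+"disable_correlation": true,
+"ui-priority": 0
+},
+"text": {
+"description": "A description of the GTP attack.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"first-seen": {
+"description": "When the attack has been seen for the first time.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "datetime"
+}
+},
+"version": 3,
+"description": "GTP attack object as seen on a GSM, UMTS or LTE network",
+"meta-category": "network",
+"uuid": "6b3c48d2-0ca6-4608-9c36-455105439145",
+"name": "gtp-attack"
+}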
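Review bot: `PortDest` is typed `text` while the sibling `PortSrc` is typed `port`, so the destination port gets no port validation and will not line up with `port`-typed attributes elsewhere; change it to `"misp-attribute": "port",`. Naming is also inconsistent within the object (`GtpImsi`, `PortDest`, `ipDest`, `first-seen`), and attribute names are identifiers consumers key on, so the lowercase-kebab convention used across the repository (`ip-dst`, `first-seen`) should be applied before the object is released. `GtpImei`, `GtpImsi` and `GtpMsisdn` identify a subscriber's device and number; stating in the object description that these are personal identifiers would help contributors choose distribution settings for this object.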


@ -9,16 +9,19 @@
"attributes": {
"text": {
"description": "Description of the tuple",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
"description": "Last time the tuple has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "First time the tuple has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
@ -50,7 +53,7 @@
"misp-attribute": "ip-dst"
}
},
"version": 4,
"version": 5,
"description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",


@ -2,7 +2,7 @@
"name": "ja3",
"meta-category": "network",
"description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
"version": 1,
"version": 2,
"uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
"attributes": {
"ja3-fingerprint-md5": {
@ -43,11 +43,13 @@
},
"first-seen": {
"misp-attribute": "datetime",
"disable_correlation": true,
"ui-priority": 0,
"description": "First seen of the SSL/TLS handshake"
},
"last-seen": {
"misp-attribute": "datetime",
"disable_correlation": true,
"description": "Last seen of the SSL/TLS handshake",
"ui-priority": 0
}


@ -17,6 +17,7 @@
"description": "Type of the microblog post",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Twitter",
"Facebook",
@ -61,7 +62,7 @@
"misp-attribute": "text"
}
},
"version": 3,
"version": 4,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",


@ -19,12 +19,14 @@
"internal-filename": {
"description": "InternalFilename in the resources",
"ui-priority": 0,
"misp-attribute": "filename"
"misp-attribute": "filename",
"disable_correlation": true
},
"original-filename": {
"description": "OriginalFilename in the resources",
"ui-priority": 1,
"misp-attribute": "filename"
"misp-attribute": "filename",
"disable_correlation": true
},
"number-sections": {
"description": "Number of sections",
@ -116,7 +118,7 @@
"misp-attribute": "text"
}
},
"version": 2,
"version": 3,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",


@ -24,9 +24,29 @@
"description": "regexp",
"ui-priority": 0,
"misp-attribute": "text"
},
"type": {
"sane_default": [
"hostname",
"domain",
"email-src",
"email-dst",
"email-subject",
"url",
"user-agent",
"regkey",
"cookie",
"uri",
"filename",
"windows-service-name",
"windows-scheduled-task"
],
"description": "Specify which type corresponds to this regex.",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 2,
"version": 3,
"description": "An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.",
"meta-category": "misc",
"uuid": "ceffad66-71e5-4e20-9370-1b3fb694c648",


@ -35,7 +35,8 @@
"REG_QWORD_LITTLE_ENDIAN"
],
"ui-priority": 0,
"misp-attribute": "reg-datatype"
"disable_correlation": true,
"misp-attribute": "text"
},
"data": {
"description": "Data stored in the registry key",
@ -43,7 +44,7 @@
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-data"
"misp-attribute": "text"
},
"name": {
"description": "Name of the registry key",
@ -51,7 +52,7 @@
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-name"
"misp-attribute": "text"
},
"key": {
"description": "Full key path",
@ -59,7 +60,7 @@
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-key"
"misp-attribute": "regkey"
},
"hive": {
"description": "Hive used to store the registry key (file on disk)",
@ -67,10 +68,33 @@
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-hive"
"disable_correlation": true,
"misp-attribute": "text"
},
"root-keys": {
"description": "Root key of the Windows registry (extracted from the key)",
"sane_default": [
"HKCC",
"HKCR",
"HKCU",
"HKDD",
"HKEY_CLASSES_ROOT",
"HKEY_CURRENT_CONFIG",
"HKEY_CURRENT_USER",
"HKEY_DYN_DATA",
"HKEY_LOCAL_MACHINE",
"HKEY_PERFORMANCE_DATA",
"HKEY_USERS",
"HKLM",
"HKPD",
"HKU"
],
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 2,
"version": 4,
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"meta-category": "file",
"uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",


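--- /dev/null
+++ b/<PATH-PLACEHOLDER: sandbox-report definition.json>
@@ -0,0 +1,100 @@
+{
+"required": [
+"sandbox-type"
+],
+"requiredOneOf": [
+"web-sandbox",
+"on-premise-sandbox",
+"saas-sandbox"
+],
+"attributes": {
+"permalink": {
+"description": "Permalink reference",
+"categories": [
+"External analysis"
+],
+"ui-priority": 2,
+"misp-attribute": "link"
+},
+"score": {
+"description": "Score",
+"disable_correlation": true,
+"categories": [
+"External analysis"
+],
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"results": {
+"description": "Freetext result values",
+"disable_correlation": true,
+"categories": [
+"External analysis"
+],
+"ui-priority": 1,
+"misp-attribute": "text",
+"multiple": true
+},
+"raw-report": {
+"description": "Raw report from sandbox",
+"disable_correlation": true,
+"categories": [
+"External analysis"
+],
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"sandbox-type": {
+"description": "The type of sandbox used",
+"misp-attribute": "text",
+"disable_correlation": true,
+"ui-priority": 1,
+"sane_default": [
+"on-premise",
+"web",
+"saas"
+]
+},
+"on-premise-sandbox": {
+"description": "The on-premise sandbox used",
+"misp-attribute": "text",
+"disable_correlation": true,
+"ui-priority": 1,
+"sane_default": [
+"cuckoo",
+"symantec-cas-on-premise",
+"bluecoat-maa",
+"trendmicro-deep-discovery-analyzer",
+"fireeye-ax",
+"vmray",
+"joe-sandbox-on-premise"
+]
+},
+"web-sandbox": {
+"description": "A web sandbox where results are publicly available via an URL",
+"misp-attribute": "text",
+"disable_correlation": true,
+"ui-priority": 1,
+"sane_default": [
+"malwr",
+"hybrid-analysis"
+]
+},
+"saas-sandbox": {
+"description": "A non-on-premise sandbox, also results are not publicly available",
+"misp-attribute": "text",
+"disable_correlation": true,
+"ui-priority": 1,
+"sane_default": [
+"forticloud-sandbox",
+"joe-sandbox-cloud",
+"symantec-cas-cloud"
+]
+}
+},
+"version": 1,
+"description": "Sandbox report",
+"meta-category": "misc",
+"uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
+"name": "sandbox-report"
+}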
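Review bot: `sandbox-type` (required) and the `requiredOneOf` trio `web-sandbox`/`on-premise-sandbox`/`saas-sandbox` encode the same fact twice, and nothing in the definition ties them together, so a report can say `"sandbox-type": "web"` while only `on-premise-sandbox` is filled; either drop `sandbox-type` and let the filled attribute imply the type, or state the coupling in its description, e.g. `"description": "The type of sandbox used; must match whichever of web-sandbox, on-premise-sandbox or saas-sandbox is set",`. `score` is free text with no stated scale, so values from different sandboxes are not comparable; the description should say the score is vendor-specific or name the expected range. `web-sandbox` results are public by definition, so a `permalink` to them exposes the submitted sample and its analysis to anyone holding the link; a clause in the `permalink` description saying the link may point at a publicly readable report would help contributors decide what to share.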


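--- /dev/null
+++ b/<PATH-PLACEHOLDER: ss7-attack definition.json>
@@ -0,0 +1,175 @@
+{
+"requiredOneOf": [
+"text"
+],
+"attributes": {
+"Category": {
+"description": "Category",
+"sane_default": [
+"Cat0",
+"Cat1",
+"Cat2.1",
+"Cat2.2",
+"Cat3.1",
+"Cat3.2",
+"Cat3.3",
+"CatSMS",
+"CatSpoofing"
+],
+"misp-attribute": "text",
+"disable_correlation": true,
+"multiple": true,
+"ui-priority": 1
+},
+"MapVersion": {
+"description": "Map version.",
+"sane_default": [
+"1",
+"2",
+"3"
+],
+"misp-attribute": "text",
+"disable_correlation": true,
+"ui-priority": 0
+},
+"SccpCgGT": {
+"description": "Signaling Connection Control Part (SCCP) CgGT - Phone number.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"SccpCdGT": {
+"description": "Signaling Connection Control Part (SCCP) CdGT - Phone number.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"SccpCgPC": {
+"description": "Signaling Connection Control Part (SCCP) CgPC - Phone number.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"SccpCdPC": {
+"description": "Signaling Connection Control Part (SCCP) CdPC - Phone number.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"SccpCgSSN": {
+"description": "Signaling Connection Control Part (SCCP) - Decimal value between 0-255.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"SccpCdSSN": {
+"description": "Signaling Connection Control Part (SCCP) - Decimal value between 0-255.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"MapOpCode": {
+"description": "MAP operation codes - Decimal value between 0-99.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"MapApplicationContext": {
+"description": "MAP application context in OID format.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"MapImsi": {
+"description": "MAP IMSI. Phone number starting with MCC/MNC.",
+"multiple": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"MapMsisdn": {
+"description": "MAP MSISDN. Phone number.",
+"multiple": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"MapMscGT": {
+"description": "MAP MSC GT. Phone number.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"MapGsmscfGT": {
+"description": "MAP GSMSCF GT. Phone number.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"MapVlrGT": {
+"description": "MAP VLR GT. Phone number.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"MapGmlc": {
+"description": "MAP GMLC. Phone number.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"MapSmscGT": {
+"description": "MAP SMSC. Phone number.",
+"ui-priority": 0,
+"multiple": true,
+"misp-attribute": "text"
+},
+"MapSmsTP-OA": {
+"description": "MAP SMS TP-OA. Phone number.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"MapSmsText": {
+"description": "MAP SMS Text. Important indicators in SMS text.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"MapSmsTP-PID": {
+"description": "MAP SMS TP-PID.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"MapSmsTP-DCS": {
+"description": "MAP SMS TP-DCS.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"MapSmsTypeNumber": {
+"description": "MAP SMS TypeNumber.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"MapUssdContent": {
+"description": "MAP USSD Content.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"MapUssdCoding": {
+"description": "MAP USSD Content.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"text": {
+"description": "A description of the attack seen via SS7 logging.",
+"disable_correlation": true,
+"ui-priority": 0,
+"multiple": true,
+"misp-attribute": "text"
+},
+"first-seen": {
+"description": "When the attack has been seen for the first time.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "datetime"
+}
+},
+"version": 1,
+"description": "SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.",
+"meta-category": "network",
+"uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782",
+"name": "ss7-attack"
+}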
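Review bot: `MapUssdCoding` carries the description "MAP USSD Content.", copied from `MapUssdContent`; it should read `"description": "MAP USSD Coding.",` (the coding scheme of the USSD string, if that is what is meant). `SccpCgPC` and `SccpCdPC` are described as "Phone number" like the GT attributes, but SCCP point codes are signalling-point addresses rather than subscriber numbers — presumably a copy-paste from the GT entries; confirm and correct. `Category` is capitalised here and gains `multiple`, whereas the companion `diameter-attack` object spells it `category` and is single-valued; the two should agree since they describe the same classification, and the list here is wider (`Cat2.1`, `CatSpoofing`) without the scheme being named in either description. `MapImsi`, `MapMsisdn` and the GT attributes keep correlation on, which is the intended pivot, but the object description should say these are subscriber identifiers so the distribution level is chosen with that in mind.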


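--- /dev/null
+++ b/<PATH-PLACEHOLDER: stix2-pattern definition.json>
@@ -0,0 +1,22 @@
+{
+"requiredOneOf": [
+"stix2-pattern"
+],
+"attributes": {
+"comment": {
+"description": "A description of the stix2-pattern.",
+"ui-priority": 0,
+"misp-attribute": "comment"
+},
+"stix2-pattern": {
+"description": "STIX 2 pattern",
+"ui-priority": 0,
+"misp-attribute": "stix2-pattern"
+}
+},
+"version": 1,
+"description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
+"meta-category": "misc",
+"uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
+"name": "stix2-pattern"
+}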


@ -35,6 +35,7 @@
},
"first-seen": {
"description": "First time this URL has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
@ -81,6 +82,7 @@
},
"last-seen": {
"description": "Last time this URL has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
@ -90,7 +92,7 @@
"misp-attribute": "hostname"
}
},
"version": 4,
"version": 5,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",


@ -9,13 +9,21 @@
"misp-attribute": "text"
},
"name": {
"description": "The name of the victim targeted. The name can be an organisation or a group of organisations.",
"description": "The name of the department(s) or organisation(s) targeted.",
"ui-priority": 1,
"misp-attribute": "text"
"misp-attribute": "target-org",
"multiple": true
},
"external": {
"description": "External target organisations affected by this attack.",
"ui-priority": 1,
"misp-attribute": "target-external",
"multiple": true
},
"classification": {
"description": "The type of entity being targeted.",
"misp-attribute": "text",
"disable_correlation": true,
"ui-priority": 1,
"sane_default": [
"individual",
@ -47,18 +55,18 @@
"energy",
"engineering",
"entertainment",
"financial­services",
"government­national",
"government­regional",
"government­local",
"government­public­services",
"financial services",
"government national",
"government regional",
"government local",
"government public services",
"healthcare",
"hospitality­leisure",
"hospitality leisure",
"infrastructure",
"insurance",
"manufacturing",
"mining",
"non­profit",
"non profit",
"pharmaceuticals",
"retail",
"technology",
@ -70,11 +78,35 @@
"regions": {
"description": "The list of regions or locations from the victim targeted. ISO 3166 should be used.",
"multiple": true,
"misp-attribute": "text",
"misp-attribute": "target-location",
"ui-priority": 1
},
"user": {
"description": "The username(s) of the user targeted.",
"misp-attribute": "target-user",
"ui-priority": 1,
"multiple": true
},
"email": {
"description": "The email address(es) of the user targeted.",
"misp-attribute": "target-email",
"ui-priority": 1,
"multiple": true
},
"node": {
"description": "Name(s) of node that was targeted.",
"misp-attribute": "target-machine",
"ui-priority": 1,
"multiple": true
},
"ip-address": {
"description": "IP address(es) of the node targeted.",
"misp-attribute": "ip-dst",
"ui-priority": 1,
"multiple": true
}
},
"version": 1,
"version": 4,
"description": "Victim object describes the target of an attack or abuse.",
"meta-category": "misc",
"uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d",
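Review bot: The new `ip-address` attribute is typed `ip-dst` without a `to_ids` setting, so it presumably inherits that type's IDS default and a victim's own address would be exported as a detection indicator; the whois change in this same commit opts out for `nameserver` with `"to_ids": false`, and the same line belongs on `ip-address` (and arguably `disable_correlation` too, since a victim address correlating across unrelated events is rarely wanted). Retyping `name` from `text` to `target-org` and `regions` from `text` to `target-location` also changes the attribute type that existing version-1 victim objects were stored with; the bump to version 4 does not migrate them, so this deserves a sentence in the commit description or changelog. Replacing the soft hyphens in the `classification` sane_default with spaces is a genuine fix, since the old values were not typeable by users. The `attributes` object of this section starts and ends outside the visible hunks.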


@ -10,45 +10,69 @@
],
"attributes": {
"id": {
"description": "Vulnerability ID (generally CVE, but not necessarely)",
"ui-priority": 1,
"misp-attribute": "vulnerability"
"description": "Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.",
"ui-priority": 0,
"misp-attribute": "vulnerability",
"multiple": true
},
"text": {
"description": "Description of the vulnerability",
"ui-priority": 1,
"ui-priority": 0,
"misp-attribute": "text"
},
"summary": {
"description": "Summary of the vulnerability",
"ui-priority": 1,
"ui-priority": 0,
"misp-attribute": "text"
},
"vulnerable_configuration": {
"description": "The vulnerable configuration is described in CPE format",
"multiple": true,
"ui-priority": 1,
"ui-priority": 0,
"misp-attribute": "text"
},
"modified": {
"description": "Last modification date",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"published": {
"description": "Initial publication date",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"created": {
"description": "First time when the vulnerability was discovered",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"references": {
"description": "External references",
"multiple": true,
"ui-priority": 1,
"ui-priority": 0,
"misp-attribute": "link"
},
"state": {
"description": "State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed.",
"multiple": true,
"ui-priority": 0,
"sane_default": [
"Published",
"Embargo",
"Reviewed",
"Vulnerability ID Assigned",
"Reported",
"Fixed"
],
"disable_correlation": true,
"misp-attribute": "text"
}
},
"version": 2,
"description": "Vulnerability object describing common vulnerability enumeration",
"version": 4,
"description": "Vulnerability object describing a common vulnerability enumeration which can describe unpublished, under review or embargo vulnerability for software, equipments or hardware.",
"meta-category": "network",
"uuid": "81650945-f186-437b-8945-9f31715d32da",
"name": "vulnerability"
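Review bot: The rewritten `id` description keeps two wording errors, `necessarely` and `can updated`; suggested text: `"Vulnerability ID (generally CVE, but not necessarely) ..."` becomes `"Vulnerability ID (generally CVE, but not necessarily). The id is not required as the object itself has a UUID and the CVE id can be updated later."`. The new `state` sane_default values are Title Case with spaces (`"Vulnerability ID Assigned"`), whereas the other sane_default list touched in this commit, victim's `classification`, is lowercase; settling one convention before these values land in stored events avoids a later incompatible rename, and the `state` description's "depending of" should read "depending on". Making `id` `multiple` is sensible for vulnerabilities carrying several identifiers, but consumers that currently read a single `id` value may need to handle a list, which the description could state. The hunk starts after the `requiredOneOf` array, so that part of the object is not visible here.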


@ -12,10 +12,11 @@
"attributes": {
"text": {
"description": "Full whois entry",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"registar": {
"registrar": {
"description": "Registrar of the whois entry",
"ui-priority": 0,
"misp-attribute": "whois-registrar"
@ -35,21 +36,37 @@
"ui-priority": 1,
"misp-attribute": "whois-registrant-email"
},
"registrant-org": {
"description": "Registrant organisation",
"ui-priority": 1,
"misp-attribute": "whois-registrant-org"
},
"creation-date": {
"description": "Initial creation of the whois entry",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"modification-date": {
"description": "Last update of the whois entry",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"expiration-date": {
"description": "Expiration of the whois entry",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"nameserver": {
"description": "Nameserver",
"ui-priority": 0,
"misp-attribute": "hostname",
"disable_correlation": true,
"multiple": true,
"to_ids": false
},
"domain": {
"description": "Domain of the whois entry",
"categories": [
@ -60,7 +77,7 @@
"misp-attribute": "domain"
}
},
"version": 4,
"version": 7,
"description": "Whois records information for a domain name.",
"meta-category": "network",
"uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
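Review bot: Renaming the attribute key `registar` to `registrar` changes the object relation stored on whois objects created with earlier template versions, so filters, exports or correlation rules keyed on `registar` will presumably stop matching older objects; the typo fix is right, but it is a breaking rename that the commit description or changelog should call out. The new `nameserver` attribute sets both `"to_ids": false` and `"disable_correlation": true`, which fits shared infrastructure that would otherwise link many unrelated events; `registrant-org` has no such opt-out, and whether a registrant organisation is meant to correlate is worth stating in its description. The second hunk cuts the `attributes` object at both edges (`registrant-email` above, `domain` below), so those entries are only partly visible.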


@ -33,19 +33,19 @@
"x509-fingerprint-md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"ui-priority": 1,
"misp-attribute": "md5",
"misp-attribute": "x509-fingerprint-md5",
"recommended": false
},
"x509-fingerprint-sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"ui-priority": 1,
"misp-attribute": "sha1",
"misp-attribute": "x509-fingerprint-sha1",
"recommended": false
},
"x509-fingerprint-sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 1,
"misp-attribute": "sha256"
"misp-attribute": "x509-fingerprint-sha256"
},
"raw-base64": {
"description": "Raw certificate base64 encoded",
@ -83,7 +83,7 @@
"misp-attribute": "text"
}
},
"version": 4,
"version": 5,
"description": "x509 object describing a X.509 certificate",
"meta-category": "network",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",


@ -1,5 +1,5 @@
{
"version": 10,
"version": 12,
"values": [
{
"name": "derived-from",
@ -130,6 +130,13 @@
"misp"
]
},
{
"name": "drops",
"description": "This relationship describes an object which drops another object",
"format": [
"misp"
]
},
{
"name": "executed-by",
"description": "This relationship describes an object executed by another object.",
@ -193,6 +200,20 @@
"misp"
]
},
{
"name": "followed-by",
"description": "This relationship describes an object which is followed by another object. This can be used when a time reference is missing but a sequence is known.",
"format": [
"misp"
]
},
{
"name": "preceding-by",
"description": "This relationship describes an object which is preceded by another object. This can be used when a time reference is missing but a sequence is known.",
"format": [
"misp"
]
},
{
"name": "triggers",
"description": "This relationship describes an object which triggers another object.",