From fe594f98baffaa0f45783a25c8bd616954fe1fa3 Mon Sep 17 00:00:00 2001
From: truckydev
Date: Wed, 25 Oct 2017 10:39:39 +0200
Subject: [PATCH 01/51] regex addon

Add field to specify which type correspond to this regex.
---
 objects/regexp/definition.json | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/objects/regexp/definition.json b/objects/regexp/definition.json
index 0b95765..94db4ce 100644
--- a/objects/regexp/definition.json
+++ b/objects/regexp/definition.json
@@ -24,9 +24,29 @@
 "description": "regexp",
 "ui-priority": 0,
 "misp-attribute": "text"
+ },
+ "type": {
+ "sane_default": [
+ "hostname",
+ "domain",
+ "email-src",
+ "email-dst",
+ "email-subject",
+ "url",
+ "user-agent",
+ "regkey",
+ "cookie",
+ "uri",
+ "filename",
+ "windows-service-name",
+ "windows-scheduled-task"
+ ],
+ "description": "Specify which type corresponds to this regex.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
 }
 },
- "version": 2,
+ "version": 3,
 "description": "An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.",
 "meta-category": "misc",
 "uuid": "ceffad66-71e5-4e20-9370-1b3fb694c648",
From b046eb4ba77ac6f01f99e7c0b62a1d7e85a66e39 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 15 Nov 2017 07:32:49 +0100
Subject: [PATCH 02/51] fix: AIL leak object to include raw-data

---
 objects/ail-leak/definition.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index 2641efd..64b450e 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
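Review bot: The new `type` attribute will correlate across every regexp object that carries the same value, because it is a `text` attribute with correlation left enabled, and the sane_default shows the value space is a dozen MISP type names, so those correlations are noise rather than signal. Other templates in this series (the ail-leak `raw-data` attribute, the victim `classification` attribute) set `"disable_correlation": true` on exactly this kind of categorical field; add the same line next to `"ui-priority": 0` here. The description could also state what the value is, e.g. `"description": "MISP attribute type the regular expression is meant to match (e.g. url, domain)."`.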
@@ -55,9 +55,15 @@
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
+ },
+ "raw-data": {
+ "description": "Raw data as received by the AIL sensor compressed and encoded in Base64.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
 }
 },
- "version": 3,
+ "version": 4,
 "description": "An information leak as defined by the AIL Analysis Information Leak framework.",
 "meta-category": "misc",
 "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
From dd4e2d19776b9144e06dbf76016da6179cbe4137 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 19 Nov 2017 10:22:32 +0100
Subject: [PATCH 03/51] fix: MISP type are case-sensitive - fixing AS number type

---
 objects/asn/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/objects/asn/definition.json b/objects/asn/definition.json
index 22f7eeb..f38d35b 100644
--- a/objects/asn/definition.json
+++ b/objects/asn/definition.json
@@ -6,7 +6,7 @@
 "asn": {
 "description": "Autonomous System Number",
 "ui-priority": 1,
- "misp-attribute": "as"
+ "misp-attribute": "AS"
 },
 "description": {
 "description": "Description of the autonomous system",
@@ -59,7 +59,7 @@
 "multiple": true
 }
 },
- "version": 2,
+ "version": 3,
 "description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
 "meta-category": "network",
 "uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",
From 0f578a9993873c714c23725583980906d071554b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 19 Nov 2017 16:49:50 +0100
Subject: [PATCH 04/51] asn added in the default objects

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 4923c9d..a5bfb59 100644
--- a/README.md
+++ b/README.md
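Review bot: The description of the new `raw-data` attribute says the value is "compressed and encoded in Base64" but does not name the compression algorithm, so a consumer of the object cannot decode the blob from the template alone. State it in the description, e.g. `"description": "Raw data as received by the AIL sensor, compressed with <ALGORITHM> and then Base64-encoded."`, with the placeholder replaced by whatever the AIL sensor actually uses. Leaving `disable_correlation` on is the right call for an opaque blob of this kind.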
@@ -53,7 +53,7 @@ A MISP object is described in a simple JSON file containing the following elemen * **requiredOneOf** is an array containing the attributes where at least one need to be present to describe the object. * **attributes** contains another JSON object listing all the attributes composing the object. -Each attribute must contain a reference **misp-attribute** to reference an existing attribute definition in MISP. +Each attribute must contain a reference **misp-attribute** to reference an existing attribute definition in MISP (MISP attributes types are case-sensitive). An array **categories** shall be used to described in which categories the attribute is. The **ui-priority** describes the usage frequency of an attribute. This helps to only display the most frequently used attributes and allowing advanced users to show all the attributes depending of their configuration. An optional **multiple** field @@ -65,6 +65,7 @@ for a specific attribute. ## Existing MISP objects * [objects/ail-leak](objects/ail-leak/definition.json) - information leak object as defined by the [AIL Analysis Information Leak framework](https://www.github.com/CIRCL/AIL-framework). +* [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases. * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. From 10028fb521c8b7a64c8096479a2a7383f003b460 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy
Date: Sun, 19 Nov 2017 16:59:39 +0100
Subject: [PATCH 05/51] add: "followed-by" - "preceding-by" added as relationship type when the time is not known

---
 relationships/definition.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/relationships/definition.json b/relationships/definition.json
index f7f717f..f9391ca 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1,5 +1,5 @@
 {
- "version": 10,
+ "version": 11,
 "values": [
 {
 "name": "derived-from",
@@ -193,6 +193,20 @@
 "misp"
 ]
 },
+ {
+ "name": "followed-by",
+ "description": "This relationship describes an object which is followed by another object. This can be used when a time reference is missing but a sequence is known.",
+ "format": [
+ "misp"
+ ]
+ },
+ {
+ "name": "preceding-by",
+ "description": "This relationship describes an object which is preceded by another object. This can be used when a time reference is missing but a sequence is known.",
+ "format": [
+ "misp"
+ ]
+ },
 {
 "name": "triggers",
 "description": "This relationship describes an object which triggers another object.",
From 51e873760e6a7ebaf42c3af413e0a319410b9e27 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 22 Nov 2017 16:38:25 +0100
Subject: [PATCH 06/51] AIL leak template updated to include duplicate of leaks

---
 objects/ail-leak/definition.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index 64b450e..f1250f2 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
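Review bot: The relationship name `preceding-by` does not match its own description ("an object which is preceded by another object") nor the parallel `followed-by`; the grammatical counterpart is `preceded-by`. Relationship names are identifiers that other MISP instances and tools will store, so a rename after release costs far more than fixing it now; change `"name": "preceding-by",` to `"name": "preceded-by",`. If the intent was instead the active form ("this object precedes the other"), the description is the line that needs changing, not the name.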
@@ -14,6 +14,17 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "duplicate": {
+ "description": "Duplicate of the existing leaks.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "duplicate_number": {
+ "description": "Number of known duplicates.",
+ "ui-priority": 0,
+ "misp-attribute": "counter"
+ },
 "origin": {
 "description": "The link where the leak is (or was) accessible at first-seen.",
 "ui-priority": 1,
@@ -63,7 +74,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 4,
+ "version": 5,
 "description": "An information leak as defined by the AIL Analysis Information Leak framework.",
 "meta-category": "misc",
 "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
From b915869ab25403611d9d6a4683e4bccfb6372549 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 22 Nov 2017 17:08:56 +0100
Subject: [PATCH 07/51] being lax on origin to avoid rebuilding url path for unknown services

---
 objects/ail-leak/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index f1250f2..38cb75b 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
@@ -28,7 +28,7 @@
 "origin": {
 "description": "The link where the leak is (or was) accessible at first-seen.",
 "ui-priority": 1,
- "misp-attribute": "link"
+ "misp-attribute": "text"
 },
 "text": {
 "description": "A description of the leak which could include the potential victim(s) or description of the leak.",
@@ -74,7 +74,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 5,
+ "version": 6,
 "description": "An information leak as defined by the AIL Analysis Information Leak framework.",
 "meta-category": "misc",
 "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
From 59edaa978f92015e56efde291baedb8c0f74d888 Mon Sep 17 00:00:00 2001
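Review bot: The new key `duplicate_number` uses an underscore while every other attribute key in these templates is hyphenated (`raw-data`, `ip-dst`, `domain-dst`, `email-src`), so it becomes the one outlier consumers have to special-case; rename it to `duplicate-number`. The `duplicate` attribute's description ("Duplicate of the existing leaks.") also does not say what value is stored — an AIL paste identifier, a URL, or a MISP object UUID — and with correlation enabled on a `text` attribute that choice matters. Presumably it is a reference to another leak; spell that out, e.g. `"description": "Reference to an existing leak of which this one is a duplicate (one entry per duplicate)."`, and confirm the actual value format with the AIL exporter.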
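Review bot: With `origin` now a `text` attribute, its description still says "The link where the leak is (or was) accessible", which tells consumers to expect a URL that the type no longer guarantees; given the commit's stated reason, the value may be a partial path or a service-specific identifier. Update the description to say so, e.g. `"description": "Where the leak was accessible at first-seen: a URL when known, otherwise the raw path or identifier reported by the source service."`.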
From: Alexandre Dulaunoy
Date: Wed, 22 Nov 2017 20:52:26 +0100
Subject: [PATCH 08/51] raw data is now an attachment

---
 objects/ail-leak/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index 38cb75b..1243073 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
@@ -71,10 +71,10 @@
 "description": "Raw data as received by the AIL sensor compressed and encoded in Base64.",
 "disable_correlation": true,
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "attachment"
 }
 },
- "version": 6,
+ "version": 7,
 "description": "An information leak as defined by the AIL Analysis Information Leak framework.",
 "meta-category": "misc",
 "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
From 39319e1cd6fda50f5d569ecfa042caad25937b61 Mon Sep 17 00:00:00 2001
From: c-goes
Date: Thu, 23 Nov 2017 09:57:49 +0100
Subject: [PATCH 09/51] allow multiple filenames

---
 objects/file/definition.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/objects/file/definition.json b/objects/file/definition.json
index 6107fee..9eeac53 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -111,6 +111,7 @@
 },
 "filename": {
 "description": "Filename on disk",
+ "multiple": true,
 "categories": [
 "Payload delivery",
 "Artifacts dropped",
@@ -145,7 +146,7 @@
 ]
 }
 },
- "version": 4,
+ "version": 5,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
From 0051ad8167b8185f371b4c1618a5b14697006da9 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 23 Nov 2017 14:43:04 +0100
Subject: [PATCH 10/51] ddos v5 - add destination domain attribute

---
 objects/ddos/definition.json | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
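Review bot: Now that `raw-data` is an `attachment`, the description "compressed and encoded in Base64" is ambiguous: an attachment carries a file payload, so it is unclear whether the attached file is itself still a compressed archive (and with which algorithm) or whether the Base64 wording is a leftover from the `text` version. Rewrite it to describe the attached file, e.g. `"description": "Raw data as received by the AIL sensor, attached as a file compressed with <ALGORITHM>."`, or drop the encoding wording if the attachment is the uncompressed payload. `disable_correlation` stays appropriate either way.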
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index 901d10c..bcfa7a3 100644
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
@@ -3,7 +3,7 @@
 "uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
 "meta-category": "network",
 "description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
- "version": 4,
+ "version": 5,
 "attributes": {
 "total-bps": {
 "description": "Bits per second",
@@ -15,8 +15,17 @@
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "domain-dst": {
+ "description": "Destination domain (victim)",
+ "misp-attribute": "domain",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ]
+ },
 "ip-dst": {
- "description": "Destination ID (victim)",
+ "description": "Destination IP (victim)",
 "misp-attribute": "ip-dst",
 "ui-priority": 1,
 "categories": [
@@ -80,6 +89,7 @@
 },
 "requiredOneOf": [
 "ip-dst",
- "ip-src"
+ "ip-src",
+ "domain-dst"
 ]
 }
From 2baad824b07335b980668303f4d726d0c20342ba Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 28 Nov 2017 15:24:47 +0100
Subject: [PATCH 11/51] add: first version of an android permission(s) object

---
 objects/android-permission/definition.json | 349 +++++++++++++++++++++
 1 file changed, 349 insertions(+)
 create mode 100644 objects/android-permission/definition.json

diff --git a/objects/android-permission/definition.json b/objects/android-permission/definition.json
new file mode 100644
index 0000000..442a581
--- /dev/null
+++ b/objects/android-permission/definition.json
@@ -0,0 +1,349 @@ +{ + "requiredOneOf": [ + "permission" + ], + "attributes": { + "permission": { + "description": "Android permission", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "ACCESS_ALL_DOWNLOADS", + "ACCESS_BLUETOOTH_SHARE", + "ACCESS_CACHE_FILESYSTEM", + "ACCESS_CHECKIN_PROPERTIES", + "ACCESS_CONTENT_PROVIDERS_EXTERNALLY", + "ACCESS_DOWNLOAD_MANAGER", + "ACCESS_DOWNLOAD_MANAGER_ADVANCED", + "ACCESS_DRM_CERTIFICATES", + "ACCESS_EPHEMERAL_APPS", + "ACCESS_FM_RADIO", + "ACCESS_INPUT_FLINGER", + "ACCESS_KEYGUARD_SECURE_STORAGE", + "ACCESS_LOCATION_EXTRA_COMMANDS", + "ACCESS_MOCK_LOCATION", + "ACCESS_MTP", + "ACCESS_NETWORK_CONDITIONS", + "ACCESS_NETWORK_STATE", + "ACCESS_NOTIFICATIONS", + "ACCESS_NOTIFICATION_POLICY", + "ACCESS_PDB_STATE", + "ACCESS_SURFACE_FLINGER", + "ACCESS_VOICE_INTERACTION_SERVICE", + "ACCESS_VR_MANAGER", + "ACCESS_WIFI_STATE", + "ACCESS_WIMAX_STATE", + "ACCOUNT_MANAGER", + "ALLOW_ANY_CODEC_FOR_PLAYBACK", + "ASEC_ACCESS", + "ASEC_CREATE", + "ASEC_DESTROY", + "ASEC_MOUNT_UNMOUNT", + "ASEC_RENAME", + "AUTHENTICATE_ACCOUNTS", + "BACKUP", + "BATTERY_STATS", + "BIND_ACCESSIBILITY_SERVICE", + "BIND_APPWIDGET", + "BIND_CARRIER_MESSAGING_SERVICE", + "BIND_CARRIER_SERVICES", + "BIND_CHOOSER_TARGET_SERVICE", + "BIND_CONDITION_PROVIDER_SERVICE", + "BIND_CONNECTION_SERVICE", + "BIND_DEVICE_ADMIN", + "BIND_DIRECTORY_SEARCH", + "BIND_DREAM_SERVICE", + "BIND_INCALL_SERVICE", + "BIND_INPUT_METHOD", + "BIND_INTENT_FILTER_VERIFIER", + "BIND_JOB_SERVICE", + "BIND_KEYGUARD_APPWIDGET", + "BIND_MIDI_DEVICE_SERVICE", + "BIND_NFC_SERVICE", + "BIND_NOTIFICATION_LISTENER_SERVICE", + "BIND_NOTIFICATION_RANKER_SERVICE", + "BIND_PACKAGE_VERIFIER", + "BIND_PRINT_RECOMMENDATION_SERVICE", + "BIND_PRINT_SERVICE", + "BIND_PRINT_SPOOLER_SERVICE", + "BIND_QUICK_SETTINGS_TILE", + "BIND_REMOTEVIEWS", + "BIND_REMOTE_DISPLAY", + "BIND_ROUTE_PROVIDER", + "BIND_RUNTIME_PERMISSION_PRESENTER_SERVICE", + "BIND_SCREENING_SERVICE", + 
"BIND_TELECOM_CONNECTION_SERVICE", + "BIND_TEXT_SERVICE", + "BIND_TRUST_AGENT", + "BIND_TV_INPUT", + "BIND_TV_REMOTE_SERVICE", + "BIND_VOICE_INTERACTION", + "BIND_VPN_SERVICE", + "BIND_VR_LISTENER_SERVICE", + "BIND_WALLPAPER", + "BLUETOOTH", + "BLUETOOTH_ADMIN", + "BLUETOOTH_MAP", + "BLUETOOTH_PRIVILEGED", + "BLUETOOTH_STACK", + "BRICK", + "BROADCAST_CALLLOG_INFO", + "BROADCAST_NETWORK_PRIVILEGED", + "BROADCAST_PACKAGE_REMOVED", + "BROADCAST_PHONE_ACCOUNT_REGISTRATION", + "BROADCAST_SMS", + "BROADCAST_STICKY", + "BROADCAST_WAP_PUSH", + "CACHE_CONTENT", + "CALL_PRIVILEGED", + "CAMERA_DISABLE_TRANSMIT_LED", + "CAMERA_SEND_SYSTEM_EVENTS", + "CAPTURE_AUDIO_HOTWORD", + "CAPTURE_AUDIO_OUTPUT", + "CAPTURE_SECURE_VIDEO_OUTPUT", + "CAPTURE_TV_INPUT", + "CAPTURE_VIDEO_OUTPUT", + "CARRIER_FILTER_SMS", + "CHANGE_APP_IDLE_STATE", + "CHANGE_BACKGROUND_DATA_SETTING", + "CHANGE_COMPONENT_ENABLED_STATE", + "CHANGE_CONFIGURATION", + "CHANGE_DEVICE_IDLE_TEMP_WHITELIST", + "CHANGE_NETWORK_STATE", + "CHANGE_WIFI_MULTICAST_STATE", + "CHANGE_WIFI_STATE", + "CHANGE_WIMAX_STATE", + "CLEAR_APP_CACHE", + "CLEAR_APP_GRANTED_URI_PERMISSIONS", + "CLEAR_APP_USER_DATA", + "CONFIGURE_DISPLAY_COLOR_TRANSFORM", + "CONFIGURE_WIFI_DISPLAY", + "CONFIRM_FULL_BACKUP", + "CONNECTIVITY_INTERNAL", + "CONTROL_INCALL_EXPERIENCE", + "CONTROL_KEYGUARD", + "CONTROL_LOCATION_UPDATES", + "CONTROL_VPN", + "CONTROL_WIFI_DISPLAY", + "COPY_PROTECTED_DATA", + "CREATE_USERS", + "CRYPT_KEEPER", + "DELETE_CACHE_FILES", + "DELETE_PACKAGES", + "DEVICE_POWER", + "DIAGNOSTIC", + "DISABLE_KEYGUARD", + "DISPATCH_NFC_MESSAGE", + "DISPATCH_PROVISIONING_MESSAGE", + "DOWNLOAD_CACHE_NON_PURGEABLE", + "DUMP", + "DVB_DEVICE", + "EXPAND_STATUS_BAR", + "FACTORY_TEST", + "FILTER_EVENTS", + "FLASHLIGHT", + "FORCE_BACK", + "FORCE_STOP_PACKAGES", + "FRAME_STATS", + "FREEZE_SCREEN", + "GET_ACCOUNTS_PRIVILEGED", + "GET_APP_GRANTED_URI_PERMISSIONS", + "GET_APP_OPS_STATS", + "GET_DETAILED_TASKS", + "GET_INTENT_SENDER_INTENT", + 
"GET_PACKAGE_IMPORTANCE", + "GET_PACKAGE_SIZE", + "GET_PASSWORD", + "GET_PROCESS_STATE_AND_OOM_SCORE", + "GET_TASKS", + "GET_TOP_ACTIVITY_INFO", + "GLOBAL_SEARCH", + "GLOBAL_SEARCH_CONTROL", + "GRANT_RUNTIME_PERMISSIONS", + "HARDWARE_TEST", + "HDMI_CEC", + "INJECT_EVENTS", + "INSTALL_GRANT_RUNTIME_PERMISSIONS", + "INSTALL_LOCATION_PROVIDER", + "INSTALL_PACKAGES", + "INTENT_FILTER_VERIFICATION_AGENT", + "INTERACT_ACROSS_USERS", + "INTERACT_ACROSS_USERS_FULL", + "INTERNAL_SYSTEM_WINDOW", + "INTERNET", + "INVOKE_CARRIER_SETUP", + "KILL_BACKGROUND_PROCESSES", + "KILL_UID", + "LAUNCH_TRUST_AGENT_SETTINGS", + "LOCAL_MAC_ADDRESS", + "LOCATION_HARDWARE", + "LOOP_RADIO", + "MANAGE_ACCOUNTS", + "MANAGE_ACTIVITY_STACKS", + "MANAGE_APP_OPS_RESTRICTIONS", + "MANAGE_APP_TOKENS", + "MANAGE_CA_CERTIFICATES", + "MANAGE_DEVICE_ADMINS", + "MANAGE_DOCUMENTS", + "MANAGE_FINGERPRINT", + "MANAGE_MEDIA_PROJECTION", + "MANAGE_NETWORK_POLICY", + "MANAGE_NOTIFICATIONS", + "MANAGE_PROFILE_AND_DEVICE_OWNERS", + "MANAGE_SOUND_TRIGGER", + "MANAGE_USB", + "MANAGE_USERS", + "MANAGE_VOICE_KEYPHRASES", + "MASTER_CLEAR", + "MEDIA_CONTENT_CONTROL", + "MODIFY_APPWIDGET_BIND_PERMISSIONS", + "MODIFY_AUDIO_ROUTING", + "MODIFY_AUDIO_SETTINGS", + "MODIFY_CELL_BROADCASTS", + "MODIFY_DAY_NIGHT_MODE", + "MODIFY_NETWORK_ACCOUNTING", + "MODIFY_PARENTAL_CONTROLS", + "MODIFY_PHONE_STATE", + "MOUNT_FORMAT_FILESYSTEMS", + "MOUNT_UNMOUNT_FILESYSTEMS", + "MOVE_PACKAGE", + "NET_ADMIN", + "NET_TUNNELING", + "NFC", + "NFC_HANDOVER_STATUS", + "NOTIFY_PENDING_SYSTEM_UPDATE", + "OBSERVE_GRANT_REVOKE_PERMISSIONS", + "OEM_UNLOCK_STATE", + "OVERRIDE_WIFI_CONFIG", + "PACKAGE_USAGE_STATS", + "PACKAGE_VERIFICATION_AGENT", + "PACKET_KEEPALIVE_OFFLOAD", + "PEERS_MAC_ADDRESS", + "PERFORM_CDMA_PROVISIONING", + "PERFORM_SIM_ACTIVATION", + "PERSISTENT_ACTIVITY", + "PROCESS_CALLLOG_INFO", + "PROCESS_PHONE_ACCOUNT_REGISTRATION", + "PROVIDE_TRUST_AGENT", + "QUERY_DO_NOT_ASK_CREDENTIALS_ON_BOOT", + "READ_BLOCKED_NUMBERS", + 
"READ_DREAM_STATE", + "READ_FRAME_BUFFER", + "READ_INPUT_STATE", + "READ_INSTALL_SESSIONS", + "READ_LOGS", + "READ_NETWORK_USAGE_HISTORY", + "READ_OEM_UNLOCK_STATE", + "READ_PRECISE_PHONE_STATE", + "READ_PRIVILEGED_PHONE_STATE", + "READ_PROFILE", + "READ_SEARCH_INDEXABLES", + "READ_SOCIAL_STREAM", + "READ_SYNC_SETTINGS", + "READ_SYNC_STATS", + "READ_USER_DICTIONARY", + "READ_WIFI_CREDENTIAL", + "REAL_GET_TASKS", + "REBOOT", + "RECEIVE_BLUETOOTH_MAP", + "RECEIVE_BOOT_COMPLETED", + "RECEIVE_DATA_ACTIVITY_CHANGE", + "RECEIVE_EMERGENCY_BROADCAST", + "RECEIVE_MEDIA_RESOURCE_USAGE", + "RECEIVE_STK_COMMANDS", + "RECEIVE_WIFI_CREDENTIAL_CHANGE", + "RECOVERY", + "REGISTER_CALL_PROVIDER", + "REGISTER_CONNECTION_MANAGER", + "REGISTER_SIM_SUBSCRIPTION", + "REGISTER_WINDOW_MANAGER_LISTENERS", + "REMOTE_AUDIO_PLAYBACK", + "REMOVE_DRM_CERTIFICATES", + "REMOVE_TASKS", + "REORDER_TASKS", + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", + "REQUEST_INSTALL_PACKAGES", + "RESET_FINGERPRINT_LOCKOUT", + "RESET_SHORTCUT_MANAGER_THROTTLING", + "RESTART_PACKAGES", + "RETRIEVE_WINDOW_CONTENT", + "RETRIEVE_WINDOW_TOKEN", + "REVOKE_RUNTIME_PERMISSIONS", + "SCORE_NETWORKS", + "SEND_CALL_LOG_CHANGE", + "SEND_DOWNLOAD_COMPLETED_INTENTS", + "SEND_RESPOND_VIA_MESSAGE", + "SEND_SMS_NO_CONFIRMATION", + "SERIAL_PORT", + "SET_ACTIVITY_WATCHER", + "SET_ALWAYS_FINISH", + "SET_ANIMATION_SCALE", + "SET_DEBUG_APP", + "SET_INPUT_CALIBRATION", + "SET_KEYBOARD_LAYOUT", + "SET_ORIENTATION", + "SET_POINTER_SPEED", + "SET_PREFERRED_APPLICATIONS", + "SET_PROCESS_LIMIT", + "SET_SCREEN_COMPATIBILITY", + "SET_TIME", + "SET_TIME_ZONE", + "SET_WALLPAPER", + "SET_WALLPAPER_COMPONENT", + "SET_WALLPAPER_HINTS", + "SHUTDOWN", + "SIGNAL_PERSISTENT_PROCESSES", + "START_ANY_ACTIVITY", + "START_PRINT_SERVICE_CONFIG_ACTIVITY", + "START_TASKS_FROM_RECENTS", + "STATUS_BAR", + "STATUS_BAR_SERVICE", + "STOP_APP_SWITCHES", + "STORAGE_INTERNAL", + "SUBSCRIBED_FEEDS_READ", + "SUBSCRIBED_FEEDS_WRITE", + "SUBSTITUTE_NOTIFICATION_APP_NAME", + 
"SYSTEM_ALERT_WINDOW", + "TABLET_MODE", + "TEMPORARY_ENABLE_ACCESSIBILITY", + "TETHER_PRIVILEGED", + "TRANSMIT_IR", + "TRUST_LISTENER", + "TV_INPUT_HARDWARE", + "TV_VIRTUAL_REMOTE_CONTROLLER", + "UPDATE_APP_OPS_STATS", + "UPDATE_CONFIG", + "UPDATE_DEVICE_STATS", + "UPDATE_LOCK", + "UPDATE_LOCK_TASK_PACKAGES", + "USER_ACTIVITY", + "USE_CREDENTIALS", + "VIBRATE", + "WAKE_LOCK", + "WRITE_APN_SETTINGS", + "WRITE_BLOCKED_NUMBERS", + "WRITE_DREAM_STATE", + "WRITE_GSERVICES", + "WRITE_MEDIA_STORAGE", + "WRITE_PROFILE", + "WRITE_SECURE_SETTINGS", + "WRITE_SETTINGS", + "WRITE_SMS", + "WRITE_SOCIAL_STREAM", + "WRITE_SYNC_SETTINGS", + "WRITE_USER_DICTIONARY" + ] + }, + "comment": { + "description": "Comment about the set of android permission(s)", + "ui-priority": 0, + "misp-attribute": "comment" + } + }, + "version": 1, + "description": "A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).", + "meta-category": "misc", + "uuid": "d81003b2-5c03-4d96-ae30-e6695de1aea2", + "name": "android-permission" +} From 465251bf433d8b3d57e43ba7060eb14241fda49d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 28 Nov 2017 15:59:01 +0100 Subject: [PATCH 12/51] fix: update android permissions based on Google latest list --- objects/android-permission/definition.json | 258 ++++----------------- 1 file changed, 40 insertions(+), 218 deletions(-) diff --git a/objects/android-permission/definition.json b/objects/android-permission/definition.json index 442a581..0ecf198 100644 --- a/objects/android-permission/definition.json +++ b/objects/android-permission/definition.json 
@@ -9,330 +9,152 @@ "misp-attribute": "text", "multiple": true, "sane_default": [ - "ACCESS_ALL_DOWNLOADS", - "ACCESS_BLUETOOTH_SHARE", - "ACCESS_CACHE_FILESYSTEM", "ACCESS_CHECKIN_PROPERTIES", - "ACCESS_CONTENT_PROVIDERS_EXTERNALLY", - "ACCESS_DOWNLOAD_MANAGER", - "ACCESS_DOWNLOAD_MANAGER_ADVANCED", - "ACCESS_DRM_CERTIFICATES", - "ACCESS_EPHEMERAL_APPS", - "ACCESS_FM_RADIO", - "ACCESS_INPUT_FLINGER", - "ACCESS_KEYGUARD_SECURE_STORAGE", + "ACCESS_COARSE_LOCATION", + "ACCESS_FINE_LOCATION", "ACCESS_LOCATION_EXTRA_COMMANDS", - "ACCESS_MOCK_LOCATION", - "ACCESS_MTP", - "ACCESS_NETWORK_CONDITIONS", "ACCESS_NETWORK_STATE", - "ACCESS_NOTIFICATIONS", "ACCESS_NOTIFICATION_POLICY", - "ACCESS_PDB_STATE", - "ACCESS_SURFACE_FLINGER", - "ACCESS_VOICE_INTERACTION_SERVICE", - "ACCESS_VR_MANAGER", "ACCESS_WIFI_STATE", - "ACCESS_WIMAX_STATE", "ACCOUNT_MANAGER", - "ALLOW_ANY_CODEC_FOR_PLAYBACK", - "ASEC_ACCESS", - "ASEC_CREATE", - "ASEC_DESTROY", - "ASEC_MOUNT_UNMOUNT", - "ASEC_RENAME", - "AUTHENTICATE_ACCOUNTS", - "BACKUP", + "ADD_VOICEMAIL", + "ANSWER_PHONE_CALLS", "BATTERY_STATS", "BIND_ACCESSIBILITY_SERVICE", "BIND_APPWIDGET", + "BIND_AUTOFILL_SERVICE", "BIND_CARRIER_MESSAGING_SERVICE", - "BIND_CARRIER_SERVICES", "BIND_CHOOSER_TARGET_SERVICE", "BIND_CONDITION_PROVIDER_SERVICE", - "BIND_CONNECTION_SERVICE", "BIND_DEVICE_ADMIN", - "BIND_DIRECTORY_SEARCH", "BIND_DREAM_SERVICE", "BIND_INCALL_SERVICE", "BIND_INPUT_METHOD", - "BIND_INTENT_FILTER_VERIFIER", - "BIND_JOB_SERVICE", - "BIND_KEYGUARD_APPWIDGET", "BIND_MIDI_DEVICE_SERVICE", "BIND_NFC_SERVICE", "BIND_NOTIFICATION_LISTENER_SERVICE", - "BIND_NOTIFICATION_RANKER_SERVICE", - "BIND_PACKAGE_VERIFIER", - "BIND_PRINT_RECOMMENDATION_SERVICE", "BIND_PRINT_SERVICE", - "BIND_PRINT_SPOOLER_SERVICE", "BIND_QUICK_SETTINGS_TILE", "BIND_REMOTEVIEWS", - "BIND_REMOTE_DISPLAY", - "BIND_ROUTE_PROVIDER", - "BIND_RUNTIME_PERMISSION_PRESENTER_SERVICE", "BIND_SCREENING_SERVICE", "BIND_TELECOM_CONNECTION_SERVICE", "BIND_TEXT_SERVICE", - 
"BIND_TRUST_AGENT", "BIND_TV_INPUT", - "BIND_TV_REMOTE_SERVICE", + "BIND_VISUAL_VOICEMAIL_SERVICE", "BIND_VOICE_INTERACTION", "BIND_VPN_SERVICE", "BIND_VR_LISTENER_SERVICE", "BIND_WALLPAPER", "BLUETOOTH", "BLUETOOTH_ADMIN", - "BLUETOOTH_MAP", "BLUETOOTH_PRIVILEGED", - "BLUETOOTH_STACK", - "BRICK", - "BROADCAST_CALLLOG_INFO", - "BROADCAST_NETWORK_PRIVILEGED", + "BODY_SENSORS", "BROADCAST_PACKAGE_REMOVED", - "BROADCAST_PHONE_ACCOUNT_REGISTRATION", "BROADCAST_SMS", "BROADCAST_STICKY", "BROADCAST_WAP_PUSH", - "CACHE_CONTENT", + "CALL_PHONE", "CALL_PRIVILEGED", - "CAMERA_DISABLE_TRANSMIT_LED", - "CAMERA_SEND_SYSTEM_EVENTS", - "CAPTURE_AUDIO_HOTWORD", + "CAMERA", "CAPTURE_AUDIO_OUTPUT", "CAPTURE_SECURE_VIDEO_OUTPUT", - "CAPTURE_TV_INPUT", "CAPTURE_VIDEO_OUTPUT", - "CARRIER_FILTER_SMS", - "CHANGE_APP_IDLE_STATE", - "CHANGE_BACKGROUND_DATA_SETTING", "CHANGE_COMPONENT_ENABLED_STATE", "CHANGE_CONFIGURATION", - "CHANGE_DEVICE_IDLE_TEMP_WHITELIST", "CHANGE_NETWORK_STATE", "CHANGE_WIFI_MULTICAST_STATE", "CHANGE_WIFI_STATE", - "CHANGE_WIMAX_STATE", "CLEAR_APP_CACHE", - "CLEAR_APP_GRANTED_URI_PERMISSIONS", - "CLEAR_APP_USER_DATA", - "CONFIGURE_DISPLAY_COLOR_TRANSFORM", - "CONFIGURE_WIFI_DISPLAY", - "CONFIRM_FULL_BACKUP", - "CONNECTIVITY_INTERNAL", - "CONTROL_INCALL_EXPERIENCE", - "CONTROL_KEYGUARD", "CONTROL_LOCATION_UPDATES", - "CONTROL_VPN", - "CONTROL_WIFI_DISPLAY", - "COPY_PROTECTED_DATA", - "CREATE_USERS", - "CRYPT_KEEPER", "DELETE_CACHE_FILES", "DELETE_PACKAGES", - "DEVICE_POWER", "DIAGNOSTIC", "DISABLE_KEYGUARD", - "DISPATCH_NFC_MESSAGE", - "DISPATCH_PROVISIONING_MESSAGE", - "DOWNLOAD_CACHE_NON_PURGEABLE", "DUMP", - "DVB_DEVICE", "EXPAND_STATUS_BAR", "FACTORY_TEST", - "FILTER_EVENTS", - "FLASHLIGHT", - "FORCE_BACK", - "FORCE_STOP_PACKAGES", - "FRAME_STATS", - "FREEZE_SCREEN", + "GET_ACCOUNTS", "GET_ACCOUNTS_PRIVILEGED", - "GET_APP_GRANTED_URI_PERMISSIONS", - "GET_APP_OPS_STATS", - "GET_DETAILED_TASKS", - "GET_INTENT_SENDER_INTENT", - "GET_PACKAGE_IMPORTANCE", 
"GET_PACKAGE_SIZE", - "GET_PASSWORD", - "GET_PROCESS_STATE_AND_OOM_SCORE", "GET_TASKS", - "GET_TOP_ACTIVITY_INFO", "GLOBAL_SEARCH", - "GLOBAL_SEARCH_CONTROL", - "GRANT_RUNTIME_PERMISSIONS", - "HARDWARE_TEST", - "HDMI_CEC", - "INJECT_EVENTS", - "INSTALL_GRANT_RUNTIME_PERMISSIONS", "INSTALL_LOCATION_PROVIDER", "INSTALL_PACKAGES", - "INTENT_FILTER_VERIFICATION_AGENT", - "INTERACT_ACROSS_USERS", - "INTERACT_ACROSS_USERS_FULL", - "INTERNAL_SYSTEM_WINDOW", + "INSTALL_SHORTCUT", + "INSTANT_APP_FOREGROUND_SERVICE", "INTERNET", - "INVOKE_CARRIER_SETUP", "KILL_BACKGROUND_PROCESSES", - "KILL_UID", - "LAUNCH_TRUST_AGENT_SETTINGS", - "LOCAL_MAC_ADDRESS", "LOCATION_HARDWARE", - "LOOP_RADIO", - "MANAGE_ACCOUNTS", - "MANAGE_ACTIVITY_STACKS", - "MANAGE_APP_OPS_RESTRICTIONS", - "MANAGE_APP_TOKENS", - "MANAGE_CA_CERTIFICATES", - "MANAGE_DEVICE_ADMINS", "MANAGE_DOCUMENTS", - "MANAGE_FINGERPRINT", - "MANAGE_MEDIA_PROJECTION", - "MANAGE_NETWORK_POLICY", - "MANAGE_NOTIFICATIONS", - "MANAGE_PROFILE_AND_DEVICE_OWNERS", - "MANAGE_SOUND_TRIGGER", - "MANAGE_USB", - "MANAGE_USERS", - "MANAGE_VOICE_KEYPHRASES", + "MANAGE_OWN_CALLS", "MASTER_CLEAR", "MEDIA_CONTENT_CONTROL", - "MODIFY_APPWIDGET_BIND_PERMISSIONS", - "MODIFY_AUDIO_ROUTING", "MODIFY_AUDIO_SETTINGS", - "MODIFY_CELL_BROADCASTS", - "MODIFY_DAY_NIGHT_MODE", - "MODIFY_NETWORK_ACCOUNTING", - "MODIFY_PARENTAL_CONTROLS", "MODIFY_PHONE_STATE", "MOUNT_FORMAT_FILESYSTEMS", "MOUNT_UNMOUNT_FILESYSTEMS", - "MOVE_PACKAGE", - "NET_ADMIN", - "NET_TUNNELING", "NFC", - "NFC_HANDOVER_STATUS", - "NOTIFY_PENDING_SYSTEM_UPDATE", - "OBSERVE_GRANT_REVOKE_PERMISSIONS", - "OEM_UNLOCK_STATE", - "OVERRIDE_WIFI_CONFIG", "PACKAGE_USAGE_STATS", - "PACKAGE_VERIFICATION_AGENT", - "PACKET_KEEPALIVE_OFFLOAD", - "PEERS_MAC_ADDRESS", - "PERFORM_CDMA_PROVISIONING", - "PERFORM_SIM_ACTIVATION", "PERSISTENT_ACTIVITY", - "PROCESS_CALLLOG_INFO", - "PROCESS_PHONE_ACCOUNT_REGISTRATION", - "PROVIDE_TRUST_AGENT", - "QUERY_DO_NOT_ASK_CREDENTIALS_ON_BOOT", - "READ_BLOCKED_NUMBERS", 
- "READ_DREAM_STATE", + "PROCESS_OUTGOING_CALLS", + "READ_CALENDAR", + "READ_CALL_LOG", + "READ_CONTACTS", + "READ_EXTERNAL_STORAGE", "READ_FRAME_BUFFER", "READ_INPUT_STATE", - "READ_INSTALL_SESSIONS", "READ_LOGS", - "READ_NETWORK_USAGE_HISTORY", - "READ_OEM_UNLOCK_STATE", - "READ_PRECISE_PHONE_STATE", - "READ_PRIVILEGED_PHONE_STATE", - "READ_PROFILE", - "READ_SEARCH_INDEXABLES", - "READ_SOCIAL_STREAM", + "READ_PHONE_NUMBERS", + "READ_PHONE_STATE", + "READ_SMS", "READ_SYNC_SETTINGS", "READ_SYNC_STATS", - "READ_USER_DICTIONARY", - "READ_WIFI_CREDENTIAL", - "REAL_GET_TASKS", + "READ_VOICEMAIL", "REBOOT", - "RECEIVE_BLUETOOTH_MAP", "RECEIVE_BOOT_COMPLETED", - "RECEIVE_DATA_ACTIVITY_CHANGE", - "RECEIVE_EMERGENCY_BROADCAST", - "RECEIVE_MEDIA_RESOURCE_USAGE", - "RECEIVE_STK_COMMANDS", - "RECEIVE_WIFI_CREDENTIAL_CHANGE", - "RECOVERY", - "REGISTER_CALL_PROVIDER", - "REGISTER_CONNECTION_MANAGER", - "REGISTER_SIM_SUBSCRIPTION", - "REGISTER_WINDOW_MANAGER_LISTENERS", - "REMOTE_AUDIO_PLAYBACK", - "REMOVE_DRM_CERTIFICATES", - "REMOVE_TASKS", + "RECEIVE_MMS", + "RECEIVE_SMS", + "RECEIVE_WAP_PUSH", + "RECORD_AUDIO", "REORDER_TASKS", + "REQUEST_COMPANION_RUN_IN_BACKGROUND", + "REQUEST_COMPANION_USE_DATA_IN_BACKGROUND", + "REQUEST_DELETE_PACKAGES", "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS", "REQUEST_INSTALL_PACKAGES", - "RESET_FINGERPRINT_LOCKOUT", - "RESET_SHORTCUT_MANAGER_THROTTLING", "RESTART_PACKAGES", - "RETRIEVE_WINDOW_CONTENT", - "RETRIEVE_WINDOW_TOKEN", - "REVOKE_RUNTIME_PERMISSIONS", - "SCORE_NETWORKS", - "SEND_CALL_LOG_CHANGE", - "SEND_DOWNLOAD_COMPLETED_INTENTS", "SEND_RESPOND_VIA_MESSAGE", - "SEND_SMS_NO_CONFIRMATION", - "SERIAL_PORT", - "SET_ACTIVITY_WATCHER", + "SEND_SMS", + "SET_ALARM", "SET_ALWAYS_FINISH", "SET_ANIMATION_SCALE", "SET_DEBUG_APP", - "SET_INPUT_CALIBRATION", - "SET_KEYBOARD_LAYOUT", - "SET_ORIENTATION", - "SET_POINTER_SPEED", "SET_PREFERRED_APPLICATIONS", "SET_PROCESS_LIMIT", - "SET_SCREEN_COMPATIBILITY", "SET_TIME", "SET_TIME_ZONE", "SET_WALLPAPER", - 
"SET_WALLPAPER_COMPONENT", "SET_WALLPAPER_HINTS", - "SHUTDOWN", "SIGNAL_PERSISTENT_PROCESSES", - "START_ANY_ACTIVITY", - "START_PRINT_SERVICE_CONFIG_ACTIVITY", - "START_TASKS_FROM_RECENTS", "STATUS_BAR", - "STATUS_BAR_SERVICE", - "STOP_APP_SWITCHES", - "STORAGE_INTERNAL", - "SUBSCRIBED_FEEDS_READ", - "SUBSCRIBED_FEEDS_WRITE", - "SUBSTITUTE_NOTIFICATION_APP_NAME", "SYSTEM_ALERT_WINDOW", - "TABLET_MODE", - "TEMPORARY_ENABLE_ACCESSIBILITY", - "TETHER_PRIVILEGED", "TRANSMIT_IR", - "TRUST_LISTENER", - "TV_INPUT_HARDWARE", - "TV_VIRTUAL_REMOTE_CONTROLLER", - "UPDATE_APP_OPS_STATS", - "UPDATE_CONFIG", + "UNINSTALL_SHORTCUT", "UPDATE_DEVICE_STATS", - "UPDATE_LOCK", - "UPDATE_LOCK_TASK_PACKAGES", - "USER_ACTIVITY", - "USE_CREDENTIALS", + "USE_FINGERPRINT", + "USE_SIP", "VIBRATE", "WAKE_LOCK", "WRITE_APN_SETTINGS", - "WRITE_BLOCKED_NUMBERS", - "WRITE_DREAM_STATE", + "WRITE_CALENDAR", + "WRITE_CALL_LOG", + "WRITE_CONTACTS", + "WRITE_EXTERNAL_STORAGE", "WRITE_GSERVICES", - "WRITE_MEDIA_STORAGE", - "WRITE_PROFILE", "WRITE_SECURE_SETTINGS", "WRITE_SETTINGS", - "WRITE_SMS", - "WRITE_SOCIAL_STREAM", "WRITE_SYNC_SETTINGS", - "WRITE_USER_DICTIONARY" + "WRITE_VOICEMAIL" ] }, "comment": { @@ -341,7 +163,7 @@ "misp-attribute": "comment" } }, - "version": 1, + "version": 2, "description": "A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).", "meta-category": "misc", "uuid": "d81003b2-5c03-4d96-ae30-e6695de1aea2", From 04d38118d1626145ceabed5afbbc17313e5f8b27 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 2 Dec 2017 23:08:56 +0100 Subject: [PATCH 13/51] registar->registrar --- objects/whois/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/whois/definition.json b/objects/whois/definition.json index 9c5d522..7aa3ad4 100644 --- a/objects/whois/definition.json +++ b/objects/whois/definition.json 
@@ -15,7 +15,7 @@
 "ui-priority": 1,
 "misp-attribute": "text"
 },
- "registar": {
+ "registrar": {
 "description": "Registrar of the whois entry",
 "ui-priority": 0,
 "misp-attribute": "whois-registrar"
@@ -60,7 +60,7 @@
 "misp-attribute": "domain"
 }
 },
- "version": 4,
+ "version": 5,
 "description": "Whois records information for a domain name.",
 "meta-category": "network",
 "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
From e11e95415ae8c81a4724bd97a9cdeecf13ff185a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 3 Dec 2017 11:36:22 +0100
Subject: [PATCH 14/51] add: x509-fingerprint-sha1 added to file object description (e.g signed APK but not PE)
---
 objects/file/definition.json | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index 9eeac53..734d6ba 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -15,7 +15,8 @@
 "sha512/224",
 "sha512/256",
 "tlsh",
- "pattern-in-file"
+ "pattern-in-file",
+ "x509-fingerprint-sha1"
 ],
 "attributes": {
 "md5": {
@@ -126,6 +127,11 @@
 "ui-priority": 0,
 "misp-attribute": "tlsh"
 },
+ "certificate": {
+ "description": "Certificate value if the binary is signed with another authentication scheme than authenticode",
+ "ui-prioriety": 0,
+ "misp-attribute": "x509-fingerprint-sha1"
+ },
 "mimetype": {
 "description": "Mime type",
 "disable_correlation": true,
@@ -142,11 +148,12 @@
 "Signed",
 "Revoked",
 "Expired",
- "Trusted"
+ "Trusted",
+ "Malicious"
 ]
 }
 },
- "version": 5,
+ "version": 6,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
From a258d79fef50ffa6e28231b7f972994d09b4d948 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 3 Dec 2017 11:42:56 +0100
Subject: [PATCH 15/51] Typo fixed
---
 objects/file/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
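Review bot: The new `certificate` attribute's description says "Certificate value" while its type is `x509-fingerprint-sha1`, so what is actually stored is a SHA-1 fingerprint of the signing certificate, not the certificate itself; the description should say so, e.g. `"description": "SHA-1 fingerprint of the signing certificate when the binary is signed with another authentication scheme than authenticode"`. Only the SHA-1 form is offered here, whereas the x509 object later in this series (PATCH 27) labels its SHA-1 fingerprint `[Insecure]` and not recommended; offering a sibling attribute of type `x509-fingerprint-sha256` would let producers pivot on a fingerprint that is not collision-prone. The same fingerprint type is added to `requiredOneOf` in the first hunk, so a file object may consist of nothing but a certificate fingerprint — worth stating in the object description if that is intended.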
diff --git a/objects/file/definition.json b/objects/file/definition.json index 734d6ba..ae61f99 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -129,7 +129,7 @@ }, "certificate": { "description": "Certificate value if the binary is signed with another authentication scheme than authenticode", - "ui-prioriety": 0, + "ui-priority": 0, "misp-attribute": "x509-fingerprint-sha1" }, "mimetype": { From 82f440931ccd049411951cdcce467acc61f245c7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 3 Dec 2017 12:07:54 +0100 Subject: [PATCH 16/51] Disable correlation on classification on the victim object --- objects/victim/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/victim/definition.json b/objects/victim/definition.json index cea12ea..f9342a9 100644 --- a/objects/victim/definition.json +++ b/objects/victim/definition.json @@ -16,6 +16,7 @@ "classification": { "description": "The type of entity being targeted.", "misp-attribute": "text", + "disable_correlation": true, "ui-priority": 1, "sane_default": [ "individual", @@ -74,7 +75,7 @@ "ui-priority": 1 } }, - "version": 1, + "version": 2, "description": "Victim object describes the target of an attack or abuse.", "meta-category": "misc", "uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d", From 7fadc89ed87510e7a603e858509232dabfd17291 Mon Sep 17 00:00:00 2001 From: c-goes Date: Mon, 4 Dec 2017 10:48:01 +0100 Subject: [PATCH 17/51] victim object: changed attributes, added object relations --- objects/victim/definition.json | 38 ++++++++++++++++++++++++++++++---- 1 file changed, 34 insertions(+), 4 deletions(-) diff --git a/objects/victim/definition.json b/objects/victim/definition.json index f9342a9..5b776f0 100644 --- a/objects/victim/definition.json +++ b/objects/victim/definition.json 
@@ -9,9 +9,15 @@
 "misp-attribute": "text"
 },
 "name": {
- "description": "The name of the victim targeted. The name can be an organisation or a group of organisations.",
+ "description": "The name of the department(s) or organisation(s) targeted.",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "target-org",
+ "multiple": true
+ },
+ "external": {
+ "description": "External target organisations affected by this attack.",
+ "misp-attribute": "target-external",
+ "multiple": true
 },
 "classification": {
 "description": "The type of entity being targeted.",
@@ -71,11 +77,35 @@
 "regions": {
 "description": "The list of regions or locations from the victim targeted. ISO 3166 should be used.",
 "multiple": true,
- "misp-attribute": "text",
+ "misp-attribute": "target-location",
 "ui-priority": 1
+ },
+ "user": {
+ "description": "The username(s) of the user targeted.",
+ "misp-attribute": "target-user",
+ "ui-priority": 1,
+ "multiple": true
+ },
+ "email": {
+ "description": "The email address(es) of the user targeted.",
+ "misp-attribute": "target-email",
+ "ui-priority": 1,
+ "multiple": true
+ },
+ "node": {
+ "description": "Name(s) of node that was targeted.",
+ "misp-attribute": "target-machine",
+ "ui-priority": 1,
+ "multiple": true
+ },
+ "ip-address": {
+ "description": "IP address(es) of the node targeted.",
+ "misp-attribute": "ip-dst",
+ "ui-priority": 1,
+ "multiple": true
 }
 },
- "version": 2,
+ "version": 3,
 "description": "Victim object describes the target of an attack or abuse.",
 "meta-category": "misc",
 "uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d",
From 3fc7ce2f7d5bb5bb703158d71772835db160c4d0 Mon Sep 17 00:00:00 2001
From: c-goes
Date: Mon, 4 Dec 2017 10:49:44 +0100
Subject: [PATCH 18/51] victim object: changed attributes, added object relations(2)
---
 objects/victim/definition.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/objects/victim/definition.json b/objects/victim/definition.json
index 5b776f0..efbce16 100644
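Review bot: `ip-address` is the only new attribute in the second hunk typed outside the `target-*` family (`ip-dst`), and its description does not say the value is the victim-side address; since `ip-dst` correlates with every other `ip-dst` on the instance (C2 destinations, DDoS targets), the description should make the victim semantics explicit, e.g. `"description": "IP address(es) of the victim node targeted (typed ip-dst, so it correlates with other ip-dst values)."`. In the first hunk `name` changes type from `text` to `target-org` and becomes `multiple`, which is a type change on an existing object relation; objects already created under version 2 presumably keep their `text` attributes, so a sentence in the commit message or README stating what consumers should expect from the mixed versions would help. `"Name(s) of node that was targeted."` reads better as `"Name(s) of the node(s) targeted."` to match the sibling descriptions.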
--- a/objects/victim/definition.json +++ b/objects/victim/definition.json @@ -16,6 +16,7 @@ }, "external": { "description": "External target organisations affected by this attack.", + "ui-priority": 1, "misp-attribute": "target-external", "multiple": true }, From c3f88d6901085c651132d4f40274a219deca5250 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 4 Dec 2017 11:01:56 +0100 Subject: [PATCH 19/51] State of the file is no more correlated - and default state value is Malicious. --- objects/file/definition.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index ae61f99..a84a7a3 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -143,17 +143,18 @@ "ui-priority": 0, "description": "State of the file", "multiple": true, + "disable_correlation": true, "values_list": [ + "Malicious", "Harmless", "Signed", "Revoked", "Expired", - "Trusted", - "Malicious" + "Trusted" ] } }, - "version": 6, + "version": 7, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From b4cae643923f3a0811ee767f7067b80f67a51b92 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 4 Dec 2017 15:28:29 +0100 Subject: [PATCH 20/51] Never trust standards using Google docs to store list of machine parsable information. Another good reason, why all open vocabularies in OASIS should be in parsable and validated JSON files. And not *bloody* list of words in a Google doc. --- objects/victim/definition.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/objects/victim/definition.json b/objects/victim/definition.json index efbce16..346dc70 100644 --- a/objects/victim/definition.json +++ b/objects/victim/definition.json 
@@ -55,18 +55,18 @@ "energy", "engineering", "entertainment", - "financial­services", - "government­national", - "government­regional", - "government­local", - "government­public­services", + "financial services", + "government national", + "government regional", + "government local", + "government public services", "healthcare", - "hospitality­leisure", + "hospitality leisure", "infrastructure", "insurance", "manufacturing", "mining", - "non­profit", + "non profit", "pharmaceuticals", "retail", "technology", @@ -106,7 +106,7 @@ "multiple": true } }, - "version": 3, + "version": 4, "description": "Victim object describes the target of an attack or abuse.", "meta-category": "misc", "uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d", From bb0788e26705a12080af174f75e6251ba319299c Mon Sep 17 00:00:00 2001 From: c-goes Date: Mon, 4 Dec 2017 15:37:39 +0100 Subject: [PATCH 21/51] added coin-address object --- objects/coin-address/definition.json | 60 ++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 objects/coin-address/definition.json diff --git a/objects/coin-address/definition.json b/objects/coin-address/definition.json new file mode 100644 index 0000000..5493414 --- /dev/null +++ b/objects/coin-address/definition.json 
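Review bot: The removed values contain U+00AD (soft hyphen) between the words, which renders as nothing in most editors and is exactly why the breakage went unnoticed; replacing it with a space fixes the data, but nothing stops the next paste from the same source reintroducing it. If the Travis job referenced in the README runs a JSON validation step, a check that rejects non-printable or format code points (U+00AD, zero-width characters) inside `sane_default` and `values_list` strings would catch this class of error at review time. Also, `financial services`, `non profit` and `hospitality leisure` appear to be the hyphenated names of an external vocabulary; if the source list uses `financial-services`, `non-profit` and `hospitality-leisure`, keeping the hyphen would preserve a 1:1 mapping — worth confirming against the source before this version ships.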
@@ -0,0 +1,60 @@
+{
+ "requiredOneOf": [
+ "address"
+ ],
+ "attributes": {
+ "address": {
+ "description": "Address used as a payment destination in a cryptocurrency",
+ "ui-priority": 1,
+ "misp-attribute": "btc"
+ },
+ "symbol": {
+ "description": "The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "sane_default": [
+ "BTC",
+ "ETH",
+ "BCH",
+ "XRP",
+ "MIOTA",
+ "DASH",
+ "BTG",
+ "LTC",
+ "ADA",
+ "XMR",
+ "ETC",
+ "NEO",
+ "NEM",
+ "EOS",
+ "XLM",
+ "BCC",
+ "LSK",
+ "OMG",
+ "QTUM",
+ "ZEC",
+ "USDT",
+ "HSR",
+ "STRAT",
+ "WAVES",
+ "PPT"
+ ]
+ },
+ "last-seen": {
+ "description": "Last time this payment destination address has been seen",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "first-seen": {
+ "description": "First time this payment destination address has been seen",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "An address used in a cryptocurrency",
+ "meta-category": "financial",
+ "uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46",
+ "name": "coin-address"
+}
From bc01c0c4b84b26872d7aac1002dad9872485e46a Mon Sep 17 00:00:00 2001
From: c-goes
Date: Mon, 4 Dec 2017 15:43:49 +0100
Subject: [PATCH 22/51] added coin-address object(2)
---
 objects/coin-address/definition.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/objects/coin-address/definition.json b/objects/coin-address/definition.json
index 5493414..e87b884 100644
--- a/objects/coin-address/definition.json
+++ b/objects/coin-address/definition.json
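Review bot: `address` is typed `btc` for every currency in the `symbol` list (ETH, XMR, XRP, …); if MISP applies Bitcoin-specific validation or display to the `btc` type, non-Bitcoin addresses will be rejected or mislabelled, so either confirm the type accepts arbitrary address formats or say in the description that the type is used loosely, e.g. `"description": "Address used as a payment destination in a cryptocurrency (stored with the btc type whatever the symbol)"`. The `symbol` description ties the allowed set to a third-party URL whose content changes over time; stating the convention (exchange ticker, uppercase) is enough, and the URL can move to a comment in the commit message. `BCC` is a ticker that has been used for more than one coin, so a note on which one is meant would avoid ambiguous data.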
@@ -43,16 +43,25 @@ }, "last-seen": { "description": "Last time this payment destination address has been seen", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, "first-seen": { "description": "First time this payment destination address has been seen", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" + }, + "text": { + "description": "Free text value", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false } }, - "version": 1, + "version": 2, "description": "An address used in a cryptocurrency", "meta-category": "financial", "uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46", From 2caceee940f89e0a05e044ddddd2589dc62e23d6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 4 Dec 2017 16:15:07 +0100 Subject: [PATCH 23/51] android-permission and coin-address added --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index a5bfb59..3db35cc 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [![Build Status](https://travis-ci.org/MISP/misp-objects.svg?branch=master)](https://travis-ci.org/MISP/misp-objects) -MISP objects to be used in MISP (2.4.80) system and can be used by other information sharing tool. MISP objects +MISP objects used in MISP (starting from 2.4.80) system and can be used by other information sharing tool. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes are based on real cyber security use-cases and existing practices in information sharing. 
@@ -65,8 +65,10 @@ for a specific attribute. ## Existing MISP objects * [objects/ail-leak](objects/ail-leak/definition.json) - information leak object as defined by the [AIL Analysis Information Leak framework](https://www.github.com/CIRCL/AIL-framework). +* [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file). * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. +* [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency. * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases. * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame. From fbccdfef241c146de44407893a1a0aa4f13c0386 Mon Sep 17 00:00:00 2001 From: c-goes Date: Tue, 5 Dec 2017 11:05:56 +0100 Subject: [PATCH 24/51] disable correlation for last-seen/first-seen/text --- README.md | 2 ++ objects/asn/definition.json | 4 +++- objects/ddos/definition.json | 5 ++++- objects/domain-ip/definition.json | 5 ++++- objects/ip-port/definition.json | 5 ++++- objects/ja3/definition.json | 4 +++- objects/url/definition.json | 4 +++- 7 files changed, 23 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 3db35cc..bfde5d2 100644 --- a/README.md +++ b/README.md 
@@ -31,10 +31,12 @@ Feel free to propose your own MISP objects to be included in MISP. The system is }, "first-seen": { "misp-attribute": "datetime", + "disable_correlation": true, "ui-priority": 0 }, "last-seen": { "misp-attribute": "datetime", + "disable_correlation": true, "ui-priority": 0 } diff --git a/objects/asn/definition.json b/objects/asn/definition.json index f38d35b..9f8b1d6 100644 --- a/objects/asn/definition.json +++ b/objects/asn/definition.json @@ -26,11 +26,13 @@ }, "first-seen": { "description": "First time the ASN was seen", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, "last-seen": { "description": "Last time the ASN was seen", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, @@ -59,7 +61,7 @@ "multiple": true } }, - "version": 3, + "version": 4, "description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.", "meta-category": "network", "uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587", diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json index bcfa7a3..715150c 100644 --- a/objects/ddos/definition.json +++ b/objects/ddos/definition.json @@ -3,7 +3,7 @@ "uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d", "meta-category": "network", "description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy", - "version": 5, + "version": 6, "attributes": { "total-bps": { "description": "Bits per second", @@ -12,6 +12,7 @@ }, "text": { "description": "Description of the DDoS", + "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, @@ -62,6 +63,7 @@ }, "first-seen": { "description": "Beginning of the attack", + "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, 
@@ -83,6 +85,7 @@ }, "last-seen": { "description": "End of the attack", + "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 } diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json index 3d6ddc7..7cd4d8a 100644 --- a/objects/domain-ip/definition.json +++ b/objects/domain-ip/definition.json @@ -6,17 +6,20 @@ "attributes": { "text": { "description": "A description of the tuple", + "disable_correlation": true, "ui-priority": 1, "misp-attribute": "text", "recommended": false }, "last-seen": { "description": "Last time the tuple has been seen", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, "first-seen": { "description": "First time the tuple has been seen", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, @@ -40,7 +43,7 @@ "multiple": true } }, - "version": 4, + "version": 5, "description": "A domain and IP address seen as a tuple in a specific time frame.", "meta-category": "network", "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json index 8b827ea..528ab7c 100644 --- a/objects/ip-port/definition.json +++ b/objects/ip-port/definition.json @@ -9,16 +9,19 @@ "attributes": { "text": { "description": "Description of the tuple", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text" }, "last-seen": { "description": "Last time the tuple has been seen", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, "first-seen": { "description": "First time the tuple has been seen", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, @@ -50,7 +53,7 @@ "misp-attribute": "ip-dst" } }, - "version": 4, + "version": 5, "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", 
diff --git a/objects/ja3/definition.json b/objects/ja3/definition.json index 4a8c5fc..fb60f1c 100644 --- a/objects/ja3/definition.json +++ b/objects/ja3/definition.json @@ -2,7 +2,7 @@ "name": "ja3", "meta-category": "network", "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3", - "version": 1, + "version": 2, "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac", "attributes": { "ja3-fingerprint-md5": { @@ -43,11 +43,13 @@ }, "first-seen": { "misp-attribute": "datetime", + "disable_correlation": true, "ui-priority": 0, "description": "First seen of the SSL/TLS handshake" }, "last-seen": { "misp-attribute": "datetime", + "disable_correlation": true, "description": "Last seen of the SSL/TLS handshake", "ui-priority": 0 } diff --git a/objects/url/definition.json b/objects/url/definition.json index 7dc6f48..368e8f7 100644 --- a/objects/url/definition.json +++ b/objects/url/definition.json @@ -35,6 +35,7 @@ }, "first-seen": { "description": "First time this URL has been seen", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, @@ -81,6 +82,7 @@ }, "last-seen": { "description": "Last time this URL has been seen", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, @@ -90,7 +92,7 @@ "misp-attribute": "hostname" } }, - "version": 4, + "version": 5, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", From 4a7bb593540cd0a04c683700a8897698bb37302c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 12 Dec 2017 17:16:47 +0100 Subject: [PATCH 25/51] chg: Allow malware-sample as only attribute in file. --- objects/file/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index a84a7a3..9fd0d77 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -16,7 +16,8 @@ "sha512/256", "tlsh", "pattern-in-file", - "x509-fingerprint-sha1" + "x509-fingerprint-sha1", + "malware-sample" ], "attributes": { "md5": { @@ -154,7 +155,7 @@ ] } }, - "version": 7, + "version": 8, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From de36d3b735ad97bc6b03b87d9a1ecb3feec2a733 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 12 Dec 2017 21:57:45 +0100 Subject: [PATCH 26/51] jq all the things! --- objects/regexp/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/regexp/definition.json b/objects/regexp/definition.json index 94db4ce..5f3534c 100644 --- a/objects/regexp/definition.json +++ b/objects/regexp/definition.json @@ -39,7 +39,7 @@ "uri", "filename", "windows-service-name", - "windows-scheduled-task" + "windows-scheduled-task" ], "description": "Specify which type corresponds to this regex.", "ui-priority": 0, From b85438fc45b212a21b72d6d2e0df619758fa1444 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 13 Dec 2017 17:39:59 +0100 Subject: [PATCH 27/51] Fix: x509 object now uses the new and proper fp type --- objects/x509/definition.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/x509/definition.json b/objects/x509/definition.json index ae0a08e..f87af6d 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json 
@@ -33,19 +33,19 @@ "x509-fingerprint-md5": { "description": "[Insecure] MD5 hash (128 bits)", "ui-priority": 1, - "misp-attribute": "md5", + "misp-attribute": "x509-fingerprint-md5", "recommended": false }, "x509-fingerprint-sha1": { "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)", "ui-priority": 1, - "misp-attribute": "sha1", + "misp-attribute": "x509-fingerprint-sha1", "recommended": false }, "x509-fingerprint-sha256": { "description": "Secure Hash Algorithm 2 (256 bits)", "ui-priority": 1, - "misp-attribute": "sha256" + "misp-attribute": "x509-fingerprint-sha256" }, "raw-base64": { "description": "Raw certificate base64 encoded", @@ -83,7 +83,7 @@ "misp-attribute": "text" } }, - "version": 4, + "version": 5, "description": "x509 object describing a X.509 certificate", "meta-category": "network", "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", From cf7aa00f98e658aee04c233ca547e1881df0a5fb Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 18 Dec 2017 14:04:53 +0100 Subject: [PATCH 28/51] chg: whois object now includes registrant-org matching new MISP attributes type - whois-registrant-org --- objects/whois/definition.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/objects/whois/definition.json b/objects/whois/definition.json index 7aa3ad4..bd8d813 100644 --- a/objects/whois/definition.json +++ b/objects/whois/definition.json @@ -35,6 +35,11 @@ "ui-priority": 1, "misp-attribute": "whois-registrant-email" }, + "registrant-org": { + "description": "Registrant organisation", + "ui-priority": 1, + "misp-attribute": "whois-registrant-org" + }, "creation-date": { "description": "Initial creation of the whois entry", "ui-priority": 0, @@ -60,7 +65,7 @@ "misp-attribute": "domain" } }, - "version": 5, + "version": 6, "description": "Whois records information for a domain name.", "meta-category": "network", "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a", 
From 871b86e35fff0c465725e61d34462e0527d668bd Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 18 Dec 2017 14:16:36 +0100
Subject: [PATCH 29/51] fix: Update registry-key to match correct MISP attributes
---
 objects/registry-key/definition.json | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/objects/registry-key/definition.json b/objects/registry-key/definition.json
index f5ce2c7..d5a74ab 100644
--- a/objects/registry-key/definition.json
+++ b/objects/registry-key/definition.json
@@ -35,7 +35,8 @@
 "REG_QWORD_LITTLE_ENDIAN"
 ],
 "ui-priority": 0,
- "misp-attribute": "reg-datatype"
+ "disable_correlation": true,
+ "misp-attribute": "text"
 },
 "data": {
 "description": "Data stored in the registry key",
@@ -43,7 +44,7 @@
 "Persistence mechanism"
 ],
 "ui-priority": 1,
- "misp-attribute": "reg-data"
+ "misp-attribute": "text"
 },
 "name": {
 "description": "Name of the registry key",
@@ -51,7 +52,7 @@
 "Persistence mechanism"
 ],
 "ui-priority": 1,
- "misp-attribute": "reg-name"
+ "misp-attribute": "text"
 },
 "key": {
 "description": "Full key path",
@@ -59,7 +60,7 @@
 "Persistence mechanism"
 ],
 "ui-priority": 1,
- "misp-attribute": "reg-key"
+ "misp-attribute": "regkey"
 },
 "hive": {
 "description": "Hive used to store the registry key (file on disk)",
@@ -67,10 +68,11 @@
 "Persistence mechanism"
 ],
 "ui-priority": 1,
- "misp-attribute": "reg-hive"
+ "disable_correlation": true,
+ "misp-attribute": "text"
 }
 },
- "version": 2,
+ "version": 3,
 "description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
 "meta-category": "file",
 "uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
From 9de742350109112c85a82bd62a3ba9c2a3d282e2 Mon Sep 17 00:00:00 2001
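Review bot: `data` and `name` switch to plain `text` with correlation left enabled, while `datatype` and `hive` in the same patch get `disable_correlation`; registry value names and data values are among the most repeated short strings across events (`Run`, `Start`, `1`, `0`), so leaving them correlating will create noisy cross-event links that carry no signal. Either add `"disable_correlation": true,` to the `data` and `name` hunks as done for `hive`, or, if correlation on the value is wanted, consider typing `key` as `regkey|value` so the key+value pair rather than the bare value is the correlating unit. Each attribute object starts above its hunk (only the tail of `categories` is visible), so the `description` lines that would explain the correlation choice are outside the diff.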
From: Christophe Vandeplas
Date: Wed, 20 Dec 2017 15:22:45 +0100
Subject: [PATCH 30/51] whois - adds nameserver attributes adding nameserver attributes as a whois response contains those
---
 objects/whois/definition.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/objects/whois/definition.json b/objects/whois/definition.json
index bd8d813..320873c 100644
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@@ -12,6 +12,7 @@
 "attributes": {
 "text": {
 "description": "Full whois entry",
+ "disable_correlation": true,
 "ui-priority": 1,
 "misp-attribute": "text"
 },
@@ -42,19 +43,30 @@
 },
 "creation-date": {
 "description": "Initial creation of the whois entry",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
 "modification-date": {
 "description": "Last update of the whois entry",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
 "expiration-date": {
 "description": "Expiration of the whois entry",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
+ "nameserver": {
+ "description": "Nameserver",
+ "ui-priority": 0,
+ "misp-attribute": "hostname",
+ "disable_correlation": true,
+ "multiple": true,
+ "to_ids": false
+ },
 "domain": {
 "description": "Domain of the whois entry",
 "categories": [
@@ -65,7 +77,7 @@
 "misp-attribute": "domain"
 }
 },
- "version": 6,
+ "version": 7,
 "description": "Whois records information for a domain name.",
 "meta-category": "network",
 "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
From 1460d055a0207668cf1f0e99ff347411038f0113 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 21 Dec 2017 16:16:33 +0100
Subject: [PATCH 31/51] add: new stix2-pattern object to include STIX 2 patterning
---
 objects/stix2-pattern/definition.json | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 objects/stix2-pattern/definition.json
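Review bot: `nameserver` disables correlation and sets `to_ids` to false, which is sensible for the big public nameservers (they would otherwise link every domain parked on the same registrar), but it also silences correlation on bespoke attacker-run nameservers, a pivot analysts routinely use; if that trade-off is intended the one-word description should say so, e.g. `"description": "Nameserver(s) of the domain; correlation is disabled by default because shared public nameservers would link unrelated domains"`. The attribute also omits the `categories` list that the neighbouring `domain` attribute carries, so it will fall back to whatever default category the `hostname` type gets; adding an explicit category keeps the object self-describing. The `domain` attribute's body continues below the hunk.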
diff --git a/objects/stix2-pattern/definition.json b/objects/stix2-pattern/definition.json new file mode 100644 index 0000000..5abd6f0 --- /dev/null +++ b/objects/stix2-pattern/definition.json @@ -0,0 +1,22 @@ +{ + "requiredOneOf": [ + "stix2-pattern" + ], + "attributes": { + "comment": { + "description": "A description of the stix2-pattern.", + "ui-priority": 0, + "misp-attribute": "comment" + }, + "stix2-pattern": { + "description": "STIX 2 pattern", + "ui-priority": 0, + "misp-attribute": "stix2-pattern" + } + }, + "version": 1, + "description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.", + "meta-category": "misc", + "uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9", + "name": "stix2-pattern" +} From 3aea2f29508a9b0e6efc8bf2dd875e76dc31743f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 24 Dec 2017 15:02:47 +0100 Subject: [PATCH 32/51] fix: Disable correlation on filename by default --- objects/file/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 9fd0d77..f0f7fe0 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -113,6 +113,7 @@ }, "filename": { "description": "Filename on disk", + "disable_correlation": true, "multiple": true, "categories": [ "Payload delivery", @@ -155,7 +156,7 @@ ] } }, - "version": 8, + "version": 9, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From 5cd069acdda441aea62ba190d1b730b54c9ba766 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 24 Dec 2017 15:05:12 +0100 Subject: [PATCH 33/51] fix: disable correlation on all filename-* --- objects/pe/definition.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/objects/pe/definition.json b/objects/pe/definition.json index e53d7ea..86f37b5 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json @@ -19,12 +19,14 @@ "internal-filename": { "description": "InternalFilename in the resources", "ui-priority": 0, - "misp-attribute": "filename" + "misp-attribute": "filename", + "disable_correlation": true }, "original-filename": { "description": "OriginalFilename in the resources", "ui-priority": 1, - "misp-attribute": "filename" + "misp-attribute": "filename", + "disable_correlation": true }, "number-sections": { "description": "Number of sections", @@ -116,7 +118,7 @@ "misp-attribute": "text" } }, - "version": 2, + "version": 3, "description": "Object describing a Portable Executable", "meta-category": "file", "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07", From b4d30b1419fa45cd2766bb34acb30189a9d06d2f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 30 Dec 2017 19:26:48 +0100 Subject: [PATCH 34/51] fix: disable correlation on microblog type (Twitter or alike) --- objects/microblog/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json index 4f2b869..906a03c 100644 --- a/objects/microblog/definition.json +++ b/objects/microblog/definition.json @@ -17,6 +17,7 @@ "description": "Type of the microblog post", "ui-priority": 1, "misp-attribute": "text", + "disable_correlation": true, "sane_default": [ "Twitter", "Facebook", @@ -61,7 +62,7 @@ "misp-attribute": "text" } }, - "version": 3, + "version": 4, "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "meta-category": "misc", "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", From 7ebda41b4afd16110985eb277c2e678bccad9cf7 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy
Date: Sat, 30 Dec 2017 19:39:55 +0100
Subject: [PATCH 35/51] fix: disable correlation on fields where is not needed
---
 objects/elf/definition.json | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/objects/elf/definition.json b/objects/elf/definition.json
index 3fc090a..7fe59c3 100644
--- a/objects/elf/definition.json
+++ b/objects/elf/definition.json
@@ -210,7 +210,8 @@
 "AMDGPU"
 ],
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "os_abi": {
 "description": "Header operating system application binary interface (ABI)",
@@ -238,7 +239,8 @@
 "TRU64"
 ],
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "text": {
 "description": "Free text value to attach to the ELF",
@@ -248,7 +250,7 @@
 "recommended": false
 }
 },
- "version": 3,
+ "version": 4,
 "description": "Object describing a Executable and Linkable Format",
 "meta-category": "file",
 "uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa",
From 875f97dce128a94d53ad13ae85c3d5e413cf1dab Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 4 Jan 2018 14:41:40 +0100
Subject: [PATCH 36/51] add: new relationship "drops" - This relationship describes an object which drops another object
---
 relationships/definition.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index f9391ca..5e6083e 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1,5 +1,5 @@
 {
- "version": 11,
+ "version": 12,
 "values": [
 {
 "name": "derived-from",
@@ -130,6 +130,13 @@
 "misp"
 ]
 },
+ {
+ "name": "drops",
+ "description": "This relationship describes an object which drops another object",
+ "format": [
+ "misp"
+ ]
+ },
 {
 "name": "executed-by",
 "description": "This relationship describes an object executed by another object.",
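Review bot: The `drops` description lacks the terminal period that the neighbouring `executed-by` entry carries, so rendered lists of relationships will be inconsistent; `"description": "This relationship describes an object which drops another object.",`. The description also leaves the direction implicit, whereas `executed-by` encodes it in the name; stating it — `"This relationship describes a source object (e.g. a dropper) that drops the target object."` — removes the ambiguity for tools that render relationships as edges. The `values` array is cut at both edges of the hunk, so the entries before and after are outside the diff.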
From 60d5767e8b2ad5322b3c3a3ec0cab7fbcf8fc961 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Jan 2018 13:37:54 +0100 Subject: [PATCH 37/51] add: first version of a MISP object to describe GTP attack on GSM/UTMS/3G network. --- objects/gtp-attack/definition.json | 96 ++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 objects/gtp-attack/definition.json diff --git a/objects/gtp-attack/definition.json b/objects/gtp-attack/definition.json new file mode 100644 index 0000000..292974d --- /dev/null +++ b/objects/gtp-attack/definition.json 
@@ -0,0 +1,96 @@
+{
+ "requiredOneOf": [
+ "text"
+ ],
+ "attributes": {
+ "GtpServingNetwork": {
+ "description": "GTP Serving Network.",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1
+ },
+ "GtpImei": {
+ "description": "GTP IMEI (International Mobile Equipment Identity).",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "GtpMsisdn": {
+ "description": "GTP MSISDN.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "GtpImsi": {
+ "description": "GTP IMSI (International mobile subscriber identity).",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "GtpInterface": {
+ "description": "GTP interface.",
+ "sane_default": [
+ "S5",
+ "S11",
+ "S10",
+ "S8"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1
+ },
+ "GtpMessageType": {
+ "description": "GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "PortDest": {
+ "description": "Destination port.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "PortSrc": {
+ "description": "Source port.",
+ "disable_correlation": true,
+ "misp-attribute": "port",
+ "ui-priority": 0
+ },
+ "ipDest": {
+ "description": "IP destination address.",
+ "misp-attribute": "ip-dst",
+ "ui-priority": 0
+ },
+ "ipSrc": {
+ "description": "IP source address.",
+ "misp-attribute": "ip-src",
+ "ui-priority": 0
+ },
+ "GtpVersion": {
+ "description": "GTP version",
+ "sane_default": [
+ "0",
+ "1",
+ "2"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 0
+ },
+ "text": {
+ "description": "A description of the GTP attack.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "first-seen": {
+ "description": "When the attack has been seen for the first time.",
+ "disable_correlation": true,
+ "ui-priority": 
0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "GTP attack object as seen on a GSM, UMTS or LTE network",
+ "meta-category": "network",
+ "uuid": "6b3c48d2-0ca6-4608-9c36-455105439145",
+ "name": "gtp-attack"
+}
From 93f8c7e9d321820ef6b1bcac260e86b754b44813 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 5 Jan 2018 14:10:05 +0100
Subject: [PATCH 38/51] fix: GTP attack - multiple on GTP interface
---
objects/gtp-attack/definition.json | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/objects/gtp-attack/definition.json b/objects/gtp-attack/definition.json
index 292974d..62b3e7b 100644
--- a/objects/gtp-attack/definition.json
+++ b/objects/gtp-attack/definition.json
@@ -34,6 +34,7 @@
 ],
 "misp-attribute": "text",
 "disable_correlation": true,
+ "multiple": true,
 "ui-priority": 1
 },
 "GtpMessageType": {
@@ -88,7 +89,7 @@
 "misp-attribute": "datetime"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "GTP attack object as seen on a GSM, UMTS or LTE network",
 "meta-category": "network",
 "uuid": "6b3c48d2-0ca6-4608-9c36-455105439145",
From 17373f61302cab9e32da2f90473d62d18cbf6fdc Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 5 Jan 2018 14:26:28 +0100
Subject: [PATCH 39/51] fix: GTPInterface updated
---
objects/gtp-attack/definition.json | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/objects/gtp-attack/definition.json b/objects/gtp-attack/definition.json
index 62b3e7b..6f6cc78 100644
--- a/objects/gtp-attack/definition.json
+++ b/objects/gtp-attack/definition.json
@@ -30,7 +30,9 @@
 "S5",
 "S11",
 "S10",
- "S8"
+ "S8",
+ "Gn",
+ "Gp"
 ],
 "misp-attribute": "text",
 "disable_correlation": true,
@@ -89,7 +91,7 @@
 "misp-attribute": "datetime"
 }
 },
- "version": 2,
+ "version": 3,
 "description": "GTP attack object as seen on a GSM, UMTS or LTE network",
 "meta-category": "network",
 "uuid": "6b3c48d2-0ca6-4608-9c36-455105439145",
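Review bot: `PortDest` is typed `"misp-attribute": "text"` while its sibling `PortSrc` uses `"port"`, so the destination port gets none of the validation or typed export the source port gets; change the `PortDest` line to `"misp-attribute": "port",`. `GtpImei`, `GtpImsi` and `GtpMsisdn` are subscriber identifiers that correlate across events by default here (no `disable_correlation`), which is what you want for tracking a victim or an attacker's device, but their descriptions could say that they are personal data so analysts pick the distribution level deliberately, e.g. `"description": "GTP IMSI (International mobile subscriber identity). Subscriber identifier: consider the distribution level before sharing."`. The attribute names also mix `GtpImei`/`ipDest` CamelCase with the `first-seen`/`text` kebab-case used by every other object in this series; `gtp-imei`, `ip-dst` and so on would match them, though renaming after this version ships would need a new object version.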
From 8f9c7b1ae127703a7429401d1c5546a17d4323aa Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 5 Jan 2018 14:34:20 +0100
Subject: [PATCH 40/51] add: Diameter attack object targeting GSM, UMTS and 4G networks.
---
objects/diameter-attack/definition.json | 89 +++++++++++++++++++++++++
1 file changed, 89 insertions(+)
create mode 100644 objects/diameter-attack/definition.json
diff --git a/objects/diameter-attack/definition.json b/objects/diameter-attack/definition.json
new file mode 100644
index 0000000..71c2766
--- /dev/null
+++ b/objects/diameter-attack/definition.json
@@ -0,0 +1,89 @@
+{
+ "requiredOneOf": [
+ "text"
+ ],
+ "attributes": {
+ "category": {
+ "description": "Category.",
+ "sane_default": [
+ "Cat0",
+ "Cat1",
+ "Cat2",
+ "Cat3",
+ "CatSMS"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 0
+ },
+ "ApplicationId": {
+ "description": "Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "SessionId": {
+ "description": "Session-ID.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "CmdCode": {
+ "description": "A decimal representation of the diameter Command Code.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "Origin-Host": {
+ "description": "Origin-Host.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Destination-Host": {
+ "description": "Destination-Host.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Origin-Realm": {
+ "description": "Origin-Realm.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Destination-Realm": {
+ "description": "Destination-Realm.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Username": {
+ "description": "Username (in this case, usually the IMSI).",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "IdrFlags": {
+ "description": "IDR-Flags.",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 0
+ },
+ "text": {
+ "description": "A description of the attack seen.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "first-seen": {
+ "description": "When the attack has been seen for the first time.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "Attack as seen on diameter authentication against a 
GSM, UMTS or LTE network",
+ "meta-category": "network",
+ "uuid": "a3fdce4c-8e21-4acc-ab8e-9976e9165a12",
+ "name": "diameter-attack"
+}
From 60279184ddfaf07c37f7ea2e76b5b282a5c7d9c2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 5 Jan 2018 16:17:23 +0100
Subject: [PATCH 41/51] add: ss7-attack object for the attack against GSM/UMTS networks seen in SS7 logging.
---
objects/ss7-attack/definition.json | 168 +++++++++++++++++++++++++++++
1 file changed, 168 insertions(+)
create mode 100644 objects/ss7-attack/definition.json
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
new file mode 100644
index 0000000..c16d99b
--- /dev/null
+++ b/objects/ss7-attack/definition.json
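Review bot: `ApplicationId` keeps correlation enabled even though the hunk itself describes it as a decimal code identifying the Diameter application, the same kind of low-cardinality enumeration as `CmdCode` and `IdrFlags`, which do carry `"disable_correlation": true`; every event on the same application would correlate with every other one on that value, so add `"disable_correlation": true,` to `ApplicationId`. `SessionId` probably deserves the same, since a Diameter Session-Id is generated per session and rarely recurs across incidents, but correlating on it is at least harmless. The object description `"Attack as seen on diameter authentication against a GSM, UMTS or LTE network"` may overstate the scope: Diameter is the signalling protocol of the LTE/IMS core, whereas GSM and UMTS cores signal with MAP over SS7 (the ss7-attack object added in the next commit), so `"... against an LTE or IMS network"` would be more accurate unless interworking gateways are intended.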
@@ -0,0 +1,168 @@
+{
+ "requiredOneOf": [
+ "text"
+ ],
+ "attributes": {
+ "Category": {
+ "description": "Category",
+ "sane_default": [
+ "Cat0",
+ "Cat1",
+ "Cat2.1",
+ "Cat2.2",
+ "Cat3.1",
+ "Cat3.2",
+ "Cat3.3",
+ "CatSMS",
+ "CatSpoofing"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "MapVersion": {
+ "description": "Map version.",
+ "sane_default": [
+ "1",
+ "2",
+ "3"
+ ],
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 0
+ },
+ "SccpCgGT": {
+ "description": "Signaling Connection Control Part (SCCP) CgGT - Phone number.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "SccpCdGT": {
+ "description": "Signaling Connection Control Part (SCCP) CdGT - Phone number.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "SccpCgPC": {
+ "description": "Signaling Connection Control Part (SCCP) CgPC - Phone number.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "SccpCdPC": {
+ "description": "Signaling Connection Control Part (SCCP) CdPC - Phone number.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "SccpCgSSN": {
+ "description": "Signaling Connection Control Part (SCCP) - Decimal value between 0-255.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "SccpCdSSN": {
+ "description": "Signaling Connection Control Part (SCCP) - Decimal value between 0-255.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "MapOpCode": {
+ "description": "MAP operation codes - Decimal value between 0-99.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "MapApplicationContext": {
+ "description": "MAP application context in OID format.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "MapImsi": {
+ "description": "MAP IMSI. 
Phone number starting with MCC/MNC.",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "MapMsisdn": {
+ "description": "MAP MSISDN. Phone number.",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "MapMscGT": {
+ "description": "MAP MSC GT. Phone number.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "MapGsmscfGT": {
+ "description": "MAP GSMSCF GT. Phone number.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "MapVlrGT": {
+ "description": "MAP VLR GT. Phone number.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "MapGmlc": {
+ "description": "MAP GMLC. Phone number.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "MapSmscGT": {
+ "description": "MAP SMSC. Phone number.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "MapSmsTP-OA": {
+ "description": "MAP SMS TP-OA. Phone number.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "MapSmsTP-PID": {
+ "description": "MAP SMS TP-PID.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "MapSmsTP-DCS": {
+ "description": "MAP SMS TP-DCS.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "MapSmsTypeNumber": {
+ "description": "MAP SMS TypeNumber.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "MapUssdContent": {
+ "description": "MAP USSD Content.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "MapUssdCoding": {
+ "description": "MAP USSD Content.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "text": {
+ "description": "A description of the attack seen via SS7 logging.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "first-seen": {
+ "description": "When the attack has been seen for the first time.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "SS7 
object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.",
+ "meta-category": "network",
+ "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782",
+ "name": "ss7-attack"
+}
From 71c0ae1e6cc2de2698c2aeb1b3cd1043f28b6143 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 8 Jan 2018 07:48:32 +0100
Subject: [PATCH 42/51] fix: Vulnerability object improved to include the case of unpublished security vulnerability
---
objects/vulnerability/definition.json | 45 ++++++++++++++++++++-------
1 file changed, 34 insertions(+), 11 deletions(-)
diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json
index 338b78a..5630f2c 100644
--- a/objects/vulnerability/definition.json
+++ b/objects/vulnerability/definition.json
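Review bot: `SccpCgPC` and `SccpCdPC` are documented as `"... CgPC - Phone number."` and `"... CdPC - Phone number."`, but a calling/called Point Code is the numeric address of a signalling point in the SS7 network, not a phone number; the text was evidently copied from the GT entries and should read something like `"Signaling Connection Control Part (SCCP) calling party Point Code (CgPC) - numeric signalling point code."`. `MapUssdCoding` repeats the `"MAP USSD Content."` description of `MapUssdContent`; it should describe the coding scheme instead, e.g. `"MAP USSD Coding (data coding scheme)."`. `MapImsi`, `MapMsisdn` and the SMS/USSD content fields carry subscriber personal data and `MapUssdContent` correlates by default, so a sentence in the object description advising a restricted distribution level for such events would help analysts before they share.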
@@ -10,45 +10,68 @@
 ],
 "attributes": {
 "id": {
- "description": "Vulnerability ID (generally CVE, but not necessarely)",
- "ui-priority": 1,
- "misp-attribute": "vulnerability"
+ "description": "Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.",
+ "ui-priority": 0,
+ "misp-attribute": "vulnerability",
+ "multiple": true
 },
 "text": {
 "description": "Description of the vulnerability",
- "ui-priority": 1,
+ "ui-priority": 0,
 "misp-attribute": "text"
 },
 "summary": {
 "description": "Summary of the vulnerability",
- "ui-priority": 1,
+ "ui-priority": 0,
 "misp-attribute": "text"
 },
 "vulnerable_configuration": {
 "description": "The vulnerable configuration is described in CPE format",
 "multiple": true,
- "ui-priority": 1,
+ "ui-priority": 0,
 "misp-attribute": "text"
 },
 "modified": {
 "description": "Last modification date",
 "ui-priority": 0,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime",
+ "disable_correlation": true
 },
 "published": {
 "description": "Initial publication date",
 "ui-priority": 0,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "created": {
+ "description": "First time when the vulnerability was discovered",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
 },
 "references": {
 "description": "External references",
 "multiple": true,
- "ui-priority": 1,
+ "ui-priority": 0,
 "misp-attribute": "link"
+ },
+ "state": {
+ "description": "State of the vulnerability. 
A vulnerability can have multiple states depending of the current actions performed.",
+ "multiple": true,
+ "ui-priority": 0,
+ "sane_default": [
+ "Published",
+ "Embargo",
+ "Reviewed",
+ "Vulnerability ID Assigned",
+ "Reported",
+ "Fixed"
+ ],
+ "disable_correlation": true
 }
 },
- "version": 2,
- "description": "Vulnerability object describing common vulnerability enumeration",
+ "version": 3,
+ "description": "Vulnerability object describing a common vulnerability enumeration which can describe unpublished, under review or embargo vulnerability for software, equipments or hardware.",
 "meta-category": "network",
 "uuid": "81650945-f186-437b-8945-9f31715d32da",
 "name": "vulnerability"
From 100842847654cc5b3e8f51758b28b276b3316a90 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 8 Jan 2018 08:15:43 +0100
Subject: [PATCH 43/51] fix: add missing attribute type for the state
---
objects/vulnerability/definition.json | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json
index 5630f2c..88f0604 100644
--- a/objects/vulnerability/definition.json
+++ b/objects/vulnerability/definition.json
@@ -67,10 +67,11 @@
 "Reported",
 "Fixed"
 ],
- "disable_correlation": true
+ "disable_correlation": true,
+ "misp-attribute": "text"
 }
 },
- "version": 3,
+ "version": 4,
 "description": "Vulnerability object describing a common vulnerability enumeration which can describe unpublished, under review or embargo vulnerability for software, equipments or hardware.",
 "meta-category": "network",
 "uuid": "81650945-f186-437b-8945-9f31715d32da",
From eafb54fd0738aedb56323da67377f083d1a1e211 Mon Sep 17 00:00:00 2001
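Review bot: The rewritten `id` description carries two wording errors that every analyst will see in the form: `necessarely` and `can updated`; suggest `"description": "Vulnerability ID (generally CVE, but not necessarily). The id is not required as the object itself has a UUID and the CVE id can be updated later."`. The new `state` values `Embargo` and `Published` are mutually exclusive in practice, yet `state` is `"multiple": true` and nothing in the definition ties an embargoed state to a restricted distribution; since the commit's purpose is to hold unpublished vulnerabilities, the object description should warn that events in `Embargo` or `Reported` state must be shared only with an appropriately restricted distribution level or sharing group. Note also that every `ui-priority` in this hunk drops to 0, so the form no longer highlights `id` or `summary` over the dates; if that is deliberate a word in the commit message would help.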
From: Alexandre Dulaunoy
Date: Mon, 8 Jan 2018 11:28:11 +0100
Subject: [PATCH 44/51] add: An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.
---
objects/annotation/definition.json | 71 ++++++++++++++++++++++++++++++
1 file changed, 71 insertions(+)
create mode 100644 objects/annotation/definition.json
diff --git a/objects/annotation/definition.json b/objects/annotation/definition.json
new file mode 100644
index 0000000..9b5ab81
--- /dev/null
+++ b/objects/annotation/definition.json
@@ -0,0 +1,71 @@
+{
+ "requiredOneOf": [
+ "post"
+ ],
+ "attributes": {
+ "text": {
+ "description": "Raw text of the annotation",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ref": {
+ "description": "Reference(s) to the annotation",
+ "ui-priority": 0,
+ "misp-attribute": "link",
+ "multiple": true
+ },
+ "type": {
+ "description": "Type of the annotation",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "Annotation",
+ "Executive Summary",
+ "Introduction",
+ "Conclusion",
+ "Disclaimer",
+ "Keywords",
+ "Acknowledgement",
+ "Other",
+ "Copyright",
+ "Authors",
+ "Logo"
+ ]
+ },
+ "format": {
+ "description": "Format of the annotation",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "text",
+ "markdown",
+ "asciidoctor",
+ "MultiMarkdown",
+ "GFM",
+ "pandoc",
+ "Fountain",
+ "CommonWork",
+ "kramdown-rfc2629",
+ "rfc7328",
+ "Extra"
+ ]
+ },
+ "creation-date": {
+ "description": "Initial creation of the annotation",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "modification-date": {
+ "description": "Last update of the annotation",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
+ "meta-category": "misc",
+ "uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",
+ "name": "annotation"
+}
From 735ebf26bc59fb49e22a03f69d975cebe7482785 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 8 Jan 2018 11:47:19 +0100
Subject: [PATCH 45/51] fix: annotation object
---
objects/annotation/definition.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/annotation/definition.json b/objects/annotation/definition.json
index 9b5ab81..d062eca 100644
--- a/objects/annotation/definition.json
+++ b/objects/annotation/definition.json
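Review bot: `text`, `creation-date` and `modification-date` all correlate by default, unlike the free-text and datetime fields of the other objects in this series (`first-seen` in gtp-attack, `modified`/`published` in vulnerability), so two annotations created in the same second or sharing a boilerplate disclaimer would be linked as related events; add `"disable_correlation": true` to all three. The `format` default `"CommonWork"` looks like a typo for `"CommonMark"`, the markdown flavour, given that the neighbouring entries (`GFM`, `MultiMarkdown`, `kramdown-rfc2629`) are all real markup dialects. Because `format` tells a consumer to render `text` as markup, the object description could add that renderers must treat the content as untrusted analyst input and sanitize it, since this object is meant to travel with shared events.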
@@ -1,6 +1,6 @@
 {
 "requiredOneOf": [
- "post"
+ "text"
 ],
 "attributes": {
 "text": {
@@ -63,7 +63,7 @@
 "misp-attribute": "datetime"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
 "meta-category": "misc",
 "uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",
From f92eb6e1b7f4f02f69f7ac985a86a28ee0b51075 Mon Sep 17 00:00:00 2001
From: c-goes
Date: Mon, 8 Jan 2018 17:28:21 +0100
Subject: [PATCH 46/51] added sandbox-report object
---
objects/sandbox-report/definition.json | 100 +++++++++++++++++++++++++
1 file changed, 100 insertions(+)
create mode 100644 objects/sandbox-report/definition.json
diff --git a/objects/sandbox-report/definition.json b/objects/sandbox-report/definition.json
new file mode 100644
index 0000000..b294575
--- /dev/null
+++ b/objects/sandbox-report/definition.json
@@ -0,0 +1,100 @@
+{
+ "required": [
+ "sandbox-type"
+ ],
+ "requiredOneOf": [
+ "web-sandbox",
+ "on-premise-sandbox",
+ "saas-sandbox"
+ ],
+ "attributes": {
+ "permalink": {
+ "description": "Permalink reference",
+ "categories": [
+ "External analysis"
+ ],
+ "ui-priority": 2,
+ "misp-attribute": "link"
+ },
+ "score": {
+ "description": "Score",
+ "disable_correlation": true,
+ "categories": [
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "results": {
+ "description": "Freetext result values",
+ "disable_correlation": true,
+ "categories": [
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "raw-report": {
+ "description": "Raw report from sandbox",
+ "disable_correlation": true,
+ "categories": [
+ "External analysis"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "sandbox-type": {
+ "description": "The type of sandbox used",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "sane_default": [
+ "on-premise",
+ "web",
+ "saas"
+ ]
+ },
+ "on-premise-sandbox": {
+ "description": "The on-premise sandbox used",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "sane_default": [
+ "cuckoo",
+ "symantec-cas-on-premise",
+ "bluecoat-maa",
+ "trendmicro-deep-discovery-analyzer",
+ "fireeye-ax",
+ "vmray",
+ "joe-sandbox-on-premise"
+ ]
+ },
+ "web-sandbox": {
+ "description": "A web sandbox where results are publicly available via an URL",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "sane_default": [
+ "malwr",
+ "hybrid-analysis"
+ ]
+ },
+ "saas-sandbox": {
+ "description": "A non-on-premise sandbox, also results are not publicly available",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "sane_default": [
+ "forticloud-sandbox",
+ "joe-sandbox-cloud",
+ "symantec-cas-cloud"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "Sandbox report",
+ "meta-category": "misc",
+ "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
+ "name": "sandbox-report"
+}
From 1b42b02c99136da88252beb9c204e339ff3498ce Mon Sep 17 00:00:00 2001
From: Alexandre De Oliveira
Date: Thu, 11 Jan 2018 11:52:11 +0100
Subject: [PATCH 47/51] Update definition.json Adding the multiple possibility for SMSC GT to cover SMS Spaming case. Also text field for multiple details if needed. Adding "MapSmsText" attribute to help matching malicious URL, keywords or MSISDN inside SMS.
---
objects/ss7-attack/definition.json | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index c16d99b..6354c5d 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
@@ -111,6 +111,7 @@
 "MapSmscGT": {
 "description": "MAP SMSC. Phone number.",
 "ui-priority": 0,
+ "multiple": true,
 "misp-attribute": "text"
 },
 "MapSmsTP-OA": {
@@ -118,6 +119,11 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "MapSmsText": {
+ "description": "MAP SMS Text. Important indicators in SMS text.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "MapSmsTP-PID": {
 "description": "MAP SMS TP-PID.",
 "ui-priority": 0,
@@ -151,6 +157,7 @@
 "description": "A description of the attack seen via SS7 logging.",
 "disable_correlation": true,
 "ui-priority": 0,
+ "multiple": true,
 "misp-attribute": "text"
 },
 "first-seen": {
From 90475bcf9c818b967e35a1d0bb4709b3aab703ab Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 14 Jan 2018 23:40:32 +0100
Subject: [PATCH 48/51] fix: We are in 2018
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index bfde5d2..ae6bb52 100644
--- a/README.md
+++ b/README.md
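Review bot: `score` is documented only as `"Score"`, which tells an analyst neither the scale nor the direction, and the sandboxes listed in `sane_default` each use their own; suggest `"description": "Score as reported by the sandbox (vendor-specific scale; see sandbox-type)"`. The object `description` `"Sandbox report"` could likewise say what the object is meant to be linked to, e.g. `"Sandbox report for a submitted sample, to be linked to the file or malware-sample object it analyses"`. `web-sandbox` is defined in this hunk as a sandbox whose results are `"publicly available via an URL"`, so `permalink` may expose the sample and its analysis to anyone holding the link; a short caveat on `permalink` (`"Permalink reference (for web sandboxes this URL may be publicly reachable)"`) would help analysts decide on the distribution level.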
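Review bot: `MapSmsText` is added without `"multiple": true` although the commit message says it exists to hold the malicious URLs, keywords or MSISDNs found in an SMS, of which a message can contain several, and this same commit gives `MapSmscGT` and `text` the `multiple` flag; add `"multiple": true,` to `MapSmsText`. Its description `"MAP SMS Text. Important indicators in SMS text."` leaves open whether the field holds the full message body or extracted indicators, which matters because the field correlates by default; `"Indicators extracted from the SMS body (URL, keyword, MSISDN); avoid storing full message bodies containing personal data"` would make that default sensible.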
@@ -139,9 +139,9 @@ The MISP objects model allows to add new combined indicators format based on the ~~~~ -Copyright (C) 2016-2017 Andras Iklody -Copyright (C) 2016-2017 Alexandre Dulaunoy -Copyright (C) 2016-2017 CIRCL - Computer Incident Response Center Luxembourg +Copyright (C) 2016-2018 Andras Iklody +Copyright (C) 2016-2018 Alexandre Dulaunoy +Copyright (C) 2016-2018 CIRCL - Computer Incident Response Center Luxembourg This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by From 94cfc57e1667afe56590da1412dae16c1302cce5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 18 Jan 2018 12:54:01 +0100 Subject: [PATCH 49/51] add: registry-hive object describing a Windows registry hive including key, subkey and value (and associated data if any) --- objects/registry-hive/definition.json | 77 +++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 objects/registry-hive/definition.json diff --git a/objects/registry-hive/definition.json b/objects/registry-hive/definition.json new file mode 100644 index 0000000..45ada47 --- /dev/null +++ b/objects/registry-hive/definition.json 
@@ -0,0 +1,77 @@
+{
+ "requiredOneOf": [
+ "text",
+ "key",
+ "value",
+ "data"
+ ],
+ "attributes": {
+ "key": {
+ "description": "Key of the registry hive",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "value": {
+ "description": "Value of the registry hive",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "data-type": {
+ "sane_default": [
+ "REG_NONE",
+ "REG_SZ",
+ "REG_EXPAND_SZ",
+ "REG_BINARY",
+ "REG_DWORD",
+ "REG_DWORD_BIG_ENDIAN",
+ "REG_LINK",
+ "REG_MULTI_SZ",
+ "REG_RESOURCE_LIST",
+ "REG_FULL_RESOURCE_DESCRIPTOR",
+ "REG_RESOURCE_REQUIREMENTS_LIST",
+ "REG_QWORD"
+ ],
+ "description": "Type of the data in the registry hive",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "data": {
+ "ui-priority": 0,
+ "description": "Data in the registry hive",
+ "misp-attribute": "text"
+ },
+ "root-keys": {
+ "description": "Root key of the Windows registry (extracted from the key)",
+ "sane_default": [
+ "HKCC",
+ "HKCR",
+ "HKCU",
+ "HKDD",
+ "HKEY_CLASSES_ROOT",
+ "HKEY_CURRENT_CONFIG",
+ "HKEY_CURRENT_USER",
+ "HKEY_DYN_DATA",
+ "HKEY_LOCAL_MACHINE",
+ "HKEY_PERFORMANCE_DATA",
+ "HKEY_USERS",
+ "HKLM",
+ "HKPD",
+ "HKU"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "text": {
+ "description": "Free text value to attach to the registry hive",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Object describing a Windows registry hive including key, subkey and value (and associated data if any)",
+ "meta-category": "file",
+ "uuid": "9640285f-f9b9-4bab-92d0-353f97543655",
+ "name": "registry-hive"
+}
From c04d56d7cdb4c3a956418d7ccbeb76e5c354b4cb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 18 Jan 2018 13:47:57 +0100
Subject: [PATCH 50/51] remove registry hive because registry-key is enough
---
objects/registry-hive/definition.json | 77 --------------------------
1 file changed, 77 deletions(-)
delete mode 100644 objects/registry-hive/definition.json
diff --git a/objects/registry-hive/definition.json b/objects/registry-hive/definition.json
deleted file mode 100644
index 45ada47..0000000
--- a/objects/registry-hive/definition.json
+++ /dev/null
@@ -1,77 +0,0 @@
-{
- "requiredOneOf": [
- "text",
- "key",
- "value",
- "data"
- ],
- "attributes": {
- "key": {
- "description": "Key of the registry hive",
- "misp-attribute": "text",
- "ui-priority": 0
- },
- "value": {
- "description": "Value of the registry hive",
- "misp-attribute": "text",
- "ui-priority": 0
- },
- "data-type": {
- "sane_default": [
- "REG_NONE",
- "REG_SZ",
- "REG_EXPAND_SZ",
- "REG_BINARY",
- "REG_DWORD",
- "REG_DWORD_BIG_ENDIAN",
- "REG_LINK",
- "REG_MULTI_SZ",
- "REG_RESOURCE_LIST",
- "REG_FULL_RESOURCE_DESCRIPTOR",
- "REG_RESOURCE_REQUIREMENTS_LIST",
- "REG_QWORD"
- ],
- "description": "Type of the data in the registry hive",
- "misp-attribute": "text",
- "ui-priority": 0
- },
- "data": {
- "ui-priority": 0,
- "description": "Data in the registry hive",
- "misp-attribute": "text"
- },
- "root-keys": {
- "description": "Root key of the Windows registry (extracted from the key)",
- "sane_default": [
- "HKCC",
- "HKCR",
- "HKCU",
- "HKDD",
- "HKEY_CLASSES_ROOT",
- "HKEY_CURRENT_CONFIG",
- "HKEY_CURRENT_USER",
- "HKEY_DYN_DATA",
- "HKEY_LOCAL_MACHINE",
- "HKEY_PERFORMANCE_DATA",
- "HKEY_USERS",
- "HKLM",
- "HKPD",
- "HKU"
- ],
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
- },
- "text": {
- "description": "Free text value to attach to the registry hive",
- "disable_correlation": true,
- "ui-priority": 1,
- "misp-attribute": "text"
- }
- },
- "version": 1,
- "description": "Object describing a Windows registry hive including key, subkey and value (and associated data if any)",
- "meta-category": "file",
- "uuid": "9640285f-f9b9-4bab-92d0-353f97543655",
- "name": "registry-hive"
-}
From c75015e1a69303a4bb091ddb351ebb7156a28c7a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 18 Jan 2018 13:49:03 +0100
Subject: [PATCH 51/51] fix: registry-key updated
---
objects/registry-key/definition.json | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/objects/registry-key/definition.json b/objects/registry-key/definition.json
index d5a74ab..ce8ca1c 100644
--- a/objects/registry-key/definition.json
+++ b/objects/registry-key/definition.json
@@ -70,9 +70,31 @@
 "ui-priority": 1,
 "disable_correlation": true,
 "misp-attribute": "text"
+ },
+ "root-keys": {
+ "description": "Root key of the Windows registry (extracted from the key)",
+ "sane_default": [
+ "HKCC",
+ "HKCR",
+ "HKCU",
+ "HKDD",
+ "HKEY_CLASSES_ROOT",
+ "HKEY_CURRENT_CONFIG",
+ "HKEY_CURRENT_USER",
+ "HKEY_DYN_DATA",
+ "HKEY_LOCAL_MACHINE",
+ "HKEY_PERFORMANCE_DATA",
+ "HKEY_USERS",
+ "HKLM",
+ "HKPD",
+ "HKU"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
 }
 },
- "version": 3,
+ "version": 4,
 "description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
 "meta-category": "file",
 "uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
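Review bot: The `root-keys` default list mixes the abbreviated and long spellings of the same hive (`HKCU` and `HKEY_CURRENT_USER`, `HKLM` and `HKEY_LOCAL_MACHINE`, and so on), so a value "extracted from the key" will land in whichever form the source used and a search or filter on one spelling misses the other; pick one canonical form for `sane_default` (the long `HKEY_*` names are what Windows tooling emits) and say so in the description, e.g. `"Root key of the Windows registry, extracted from the key and normalised to the HKEY_* form"`. The attribute holds a single value (no `multiple`) yet is named in the plural `root-keys`; `root-key` would match the singular `key`/`value` siblings, though the name becomes part of the object's interface once version 4 ships. The object `description` on the trailing context lines still mentions only key, value and timestamp; appending "and root key" keeps it accurate.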