Merge branch 'LDO-CERT-master'

pull/73/head
Raphaël Vinot 2018-01-23 10:43:52 +01:00
commit 338f7ac85e
20 changed files with 807 additions and 43 deletions


@ -139,9 +139,9 @@ The MISP objects model allows to add new combined indicators format based on the
~~~~
Copyright (C) 2016-2017 Andras Iklody
Copyright (C) 2016-2017 Alexandre Dulaunoy
Copyright (C) 2016-2017 CIRCL - Computer Incident Response Center Luxembourg
Copyright (C) 2016-2018 Andras Iklody
Copyright (C) 2016-2018 Alexandre Dulaunoy
Copyright (C) 2016-2018 CIRCL - Computer Incident Response Center Luxembourg
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by


@ -0,0 +1,71 @@
{
"requiredOneOf": [
"text"
],
"attributes": {
"text": {
"description": "Raw text of the annotation",
"ui-priority": 0,
"misp-attribute": "text"
},
"ref": {
"description": "Reference(s) to the annotation",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
},
"type": {
"description": "Type of the annotation",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Annotation",
"Executive Summary",
"Introduction",
"Conclusion",
"Disclaimer",
"Keywords",
"Acknowledgement",
"Other",
"Copyright",
"Authors",
"Logo"
]
},
"format": {
"description": "Format of the annotation",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"text",
"markdown",
"asciidoctor",
"MultiMarkdown",
"GFM",
"pandoc",
"Fountain",
"CommonWork",
"kramdown-rfc2629",
"rfc7328",
"Extra"
]
},
"creation-date": {
"description": "Initial creation of the annotation",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"modification-date": {
"description": "Last update of the annotation",
"ui-priority": 0,
"misp-attribute": "datetime"
}
},
"version": 2,
"description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
"meta-category": "misc",
"uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",
"name": "annotation"
}
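Review bot: In the `format` attribute's `sane_default` list, `"CommonWork"` looks like a misspelling of the CommonMark Markdown dialect. Analysts pick from this list, so a misspelled entry ends up stored in events and will not match what renderers or export scripts call the format. If CommonMark is what was meant, change the entry to `"CommonMark"` before the template is published, because values already stored from the list would not be updated by a later template fix.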


@ -0,0 +1,89 @@
{
"requiredOneOf": [
"text"
],
"attributes": {
"category": {
"description": "Category.",
"sane_default": [
"Cat0",
"Cat1",
"Cat2",
"Cat3",
"CatSMS"
],
"misp-attribute": "text",
"disable_correlation": true,
"ui-priority": 0
},
"ApplicationId": {
"description": "Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.",
"misp-attribute": "text",
"ui-priority": 0
},
"SessionId": {
"description": "Session-ID.",
"misp-attribute": "text",
"ui-priority": 0
},
"CmdCode": {
"description": "A decimal representation of the diameter Command Code.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"Origin-Host": {
"description": "Origin-Host.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"Destination-Host": {
"description": "Destination-Host.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"Origin-Realm": {
"description": "Origin-Realm.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"Destination-Realm": {
"description": "Destination-Realm.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"Username": {
"description": "Username (in this case, usually the IMSI).",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"IdrFlags": {
"description": "IDR-Flags.",
"misp-attribute": "text",
"disable_correlation": true,
"ui-priority": 0
},
"text": {
"description": "A description of the attack seen.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"first-seen": {
"description": "When the attack has been seen for the first time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
}
},
"version": 1,
"description": "Attack as seen on diameter authentication against a GSM, UMTS or LTE network",
"meta-category": "network",
"uuid": "a3fdce4c-8e21-4acc-ab8e-9976e9165a12",
"name": "diameter-attack"
}
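Review bot: The attribute keys in this new template mix several naming conventions (`category`, `ApplicationId`, `Origin-Host`, `first-seen`), and the sibling ss7-attack template added in the same commit spells the equivalent field `Category` with a different value list. These keys become the object relation names that queries and detection scripts match on, so renaming them after release breaks consumers. Settle on one convention for the three telecom objects now, for example `application-id`, `session-id` and `cmd-code` alongside the existing `first-seen`. Also note that `requiredOneOf` lists only `text`, so an object carrying a free-text description and no Diameter field at all is valid.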


@ -210,7 +210,8 @@
"AMDGPU"
],
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"os_abi": {
"description": "Header operating system application binary interface (ABI)",
@ -238,7 +239,8 @@
"TRU64"
],
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"text": {
"description": "Free text value to attach to the ELF",
@ -248,7 +250,7 @@
"recommended": false
}
},
"version": 3,
"version": 4,
"description": "Object describing a Executable and Linkable Format",
"meta-category": "file",
"uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa",


@ -113,6 +113,7 @@
},
"filename": {
"description": "Filename on disk",
"disable_correlation": true,
"multiple": true,
"categories": [
"Payload delivery",
@ -155,7 +156,7 @@
]
}
},
"version": 8,
"version": 9,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",


@ -0,0 +1,99 @@
{
"requiredOneOf": [
"text"
],
"attributes": {
"GtpServingNetwork": {
"description": "GTP Serving Network.",
"misp-attribute": "text",
"disable_correlation": true,
"ui-priority": 1
},
"GtpImei": {
"description": "GTP IMEI (International Mobile Equipment Identity).",
"misp-attribute": "text",
"ui-priority": 1
},
"GtpMsisdn": {
"description": "GTP MSISDN.",
"misp-attribute": "text",
"ui-priority": 1
},
"GtpImsi": {
"description": "GTP IMSI (International mobile subscriber identity).",
"misp-attribute": "text",
"ui-priority": 1
},
"GtpInterface": {
"description": "GTP interface.",
"sane_default": [
"S5",
"S11",
"S10",
"S8",
"Gn",
"Gp"
],
"misp-attribute": "text",
"disable_correlation": true,
"multiple": true,
"ui-priority": 1
},
"GtpMessageType": {
"description": "GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"PortDest": {
"description": "Destination port.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"PortSrc": {
"description": "Source port.",
"disable_correlation": true,
"misp-attribute": "port",
"ui-priority": 0
},
"ipDest": {
"description": "IP destination address.",
"misp-attribute": "ip-dst",
"ui-priority": 0
},
"ipSrc": {
"description": "IP source address.",
"misp-attribute": "ip-src",
"ui-priority": 0
},
"GtpVersion": {
"description": "GTP version",
"sane_default": [
"0",
"1",
"2"
],
"misp-attribute": "text",
"disable_correlation": true,
"ui-priority": 0
},
"text": {
"description": "A description of the GTP attack.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"first-seen": {
"description": "When the attack has been seen for the first time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
}
},
"version": 3,
"description": "GTP attack object as seen on a GSM, UMTS or LTE network",
"meta-category": "network",
"uuid": "6b3c48d2-0ca6-4608-9c36-455105439145",
"name": "gtp-attack"
}
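Review bot: `PortDest` is mapped to `"misp-attribute": "text"` while its counterpart `PortSrc` uses `"port"`, so the two ends of the same flow get different attribute types. Destination ports would then be missed by type-based searches and exports. Change the `PortDest` mapping to `"misp-attribute": "port"`. Minor: `"GTP version"` is the only description in the file without a trailing period.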


@ -17,6 +17,7 @@
"description": "Type of the microblog post",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Twitter",
"Facebook",
@ -61,7 +62,7 @@
"misp-attribute": "text"
}
},
"version": 3,
"version": 4,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",


@ -0,0 +1,31 @@
{
"requiredOneOf": [
"name"
],
"attributes": {
"description": {
"description": "Description",
"ui-priority": 0,
"misp-attribute": "text"
},
"operating-system": {
"description": "Operating system where the mutex has been seen",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"Windows",
"Unix"
]
},
"name": {
"description": "name of the mutex",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Object to describe mutual exclusion locks (mutex) as seen in memory or computer program",
"meta-category": "misc",
"uuid": "9f5c1a68-2021-4faa-b409-61c899c86466",
"name": "mutex"
}
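Review bot: `operating-system` is a two-value pick-list (`Windows`, `Unix`) with no `"disable_correlation": true`, so every mutex object would correlate with every other one on the OS value. Other enum-style fields in this commit set the flag; add `"disable_correlation": true` here too. Separately, `name` is mapped to the generic `text` type although MISP core has a dedicated `mutex` attribute type. Using `"misp-attribute": "mutex"` would let the value be searched and exported as a mutex indicator, provided the targeted core version accepts that type in object templates.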


@ -19,12 +19,14 @@
"internal-filename": {
"description": "InternalFilename in the resources",
"ui-priority": 0,
"misp-attribute": "filename"
"misp-attribute": "filename",
"disable_correlation": true
},
"original-filename": {
"description": "OriginalFilename in the resources",
"ui-priority": 1,
"misp-attribute": "filename"
"misp-attribute": "filename",
"disable_correlation": true
},
"number-sections": {
"description": "Number of sections",
@ -116,7 +118,7 @@
"misp-attribute": "text"
}
},
"version": 2,
"version": 3,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",


@ -16,14 +16,32 @@
"misp-attribute": "last-name"
},
"middle-name": {
"description": "Middle name of a natural person",
"description": "Middle name of a natural person.",
"ui-priority": 0,
"misp-attribute": "middle-name"
},
"first-name": {
"description": "First name of a natural person.",
"ui-priority": 0,
"misp-attribute": "first-name"
"misp-attribute": "first-name",
"disable_correlation": true
},
"mothers-name": {
"description": "Mother name, father, second name or other names following country's regulation.",
"ui-priority": 1,
"misp-attribute": "text"
},
"title": {
"description": "Title of the natural person such as Dr. or equivalent.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"alias": {
"description": "Alias name or known as.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"date-of-birth": {
"description": "Date of birth of a natural person (in YYYY-MM-DD format).",
@ -33,7 +51,8 @@
"place-of-birth": {
"description": "Place of birth of a natural person.",
"ui-priority": 0,
"misp-attribute": "place-of-birth"
"misp-attribute": "place-of-birth",
"disable_correlation": true
},
"gender": {
"description": "The gender of a natural person.",
@ -44,7 +63,8 @@
"Female",
"Other",
"Prefer not to say"
]
],
"disable_correlation": true
},
"passport-number": {
"description": "The passport number of a natural person.",
@ -54,25 +74,34 @@
"passport-country": {
"description": "The country in which the passport was issued.",
"ui-priority": 0,
"misp-attribute": "passport-country"
"misp-attribute": "passport-country",
"disable_correlation": true
},
"passport-expiration": {
"description": "The expiration date of a passport.",
"ui-priority": 0,
"misp-attribute": "passport-expiration"
"misp-attribute": "passport-expiration",
"disable_correlation": true
},
"redress-number": {
"description": "The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.",
"ui-priority": 0,
"misp-attribute": "redress-number"
},
"social-security-number": {
"description": "Social security number",
"ui-priority": 0,
"misp-attribute": "text"
},
"nationality": {
"description": "The nationality of a natural person.",
"ui-priority": 0,
"misp-attribute": "nationality"
"misp-attribute": "nationality",
"multiple": true,
"disable_correlation": true
}
},
"version": 2,
"version": 3,
"description": "An person which describes a person or an identity.",
"meta-category": "misc",
"uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",


@ -24,9 +24,29 @@
"description": "regexp",
"ui-priority": 0,
"misp-attribute": "text"
},
"type": {
"sane_default": [
"hostname",
"domain",
"email-src",
"email-dst",
"email-subject",
"url",
"user-agent",
"regkey",
"cookie",
"uri",
"filename",
"windows-service-name",
"windows-scheduled-task"
],
"description": "Specify which type corresponds to this regex.",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 2,
"version": 3,
"description": "An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.",
"meta-category": "misc",
"uuid": "ceffad66-71e5-4e20-9370-1b3fb694c648",


@ -35,7 +35,8 @@
"REG_QWORD_LITTLE_ENDIAN"
],
"ui-priority": 0,
"misp-attribute": "reg-datatype"
"disable_correlation": true,
"misp-attribute": "text"
},
"data": {
"description": "Data stored in the registry key",
@ -43,7 +44,7 @@
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-data"
"misp-attribute": "text"
},
"name": {
"description": "Name of the registry key",
@ -51,7 +52,7 @@
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-name"
"misp-attribute": "text"
},
"key": {
"description": "Full key path",
@ -59,7 +60,7 @@
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-key"
"misp-attribute": "regkey"
},
"hive": {
"description": "Hive used to store the registry key (file on disk)",
@ -67,10 +68,33 @@
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-hive"
"disable_correlation": true,
"misp-attribute": "text"
},
"root-keys": {
"description": "Root key of the Windows registry (extracted from the key)",
"sane_default": [
"HKCC",
"HKCR",
"HKCU",
"HKDD",
"HKEY_CLASSES_ROOT",
"HKEY_CURRENT_CONFIG",
"HKEY_CURRENT_USER",
"HKEY_DYN_DATA",
"HKEY_LOCAL_MACHINE",
"HKEY_PERFORMANCE_DATA",
"HKEY_USERS",
"HKLM",
"HKPD",
"HKU"
],
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 2,
"version": 4,
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"meta-category": "file",
"uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",


@ -0,0 +1,100 @@
{
"required": [
"sandbox-type"
],
"requiredOneOf": [
"web-sandbox",
"on-premise-sandbox",
"saas-sandbox"
],
"attributes": {
"permalink": {
"description": "Permalink reference",
"categories": [
"External analysis"
],
"ui-priority": 2,
"misp-attribute": "link"
},
"score": {
"description": "Score",
"disable_correlation": true,
"categories": [
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text"
},
"results": {
"description": "Freetext result values",
"disable_correlation": true,
"categories": [
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"raw-report": {
"description": "Raw report from sandbox",
"disable_correlation": true,
"categories": [
"External analysis"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"sandbox-type": {
"description": "The type of sandbox used",
"misp-attribute": "text",
"disable_correlation": true,
"ui-priority": 1,
"sane_default": [
"on-premise",
"web",
"saas"
]
},
"on-premise-sandbox": {
"description": "The on-premise sandbox used",
"misp-attribute": "text",
"disable_correlation": true,
"ui-priority": 1,
"sane_default": [
"cuckoo",
"symantec-cas-on-premise",
"bluecoat-maa",
"trendmicro-deep-discovery-analyzer",
"fireeye-ax",
"vmray",
"joe-sandbox-on-premise"
]
},
"web-sandbox": {
"description": "A web sandbox where results are publicly available via an URL",
"misp-attribute": "text",
"disable_correlation": true,
"ui-priority": 1,
"sane_default": [
"malwr",
"hybrid-analysis"
]
},
"saas-sandbox": {
"description": "A non-on-premise sandbox, also results are not publicly available",
"misp-attribute": "text",
"disable_correlation": true,
"ui-priority": 1,
"sane_default": [
"forticloud-sandbox",
"joe-sandbox-cloud",
"symantec-cas-cloud"
]
}
},
"version": 1,
"description": "Sandbox report",
"meta-category": "misc",
"uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
"name": "sandbox-report"
}
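Review bot: `sandbox-type` is required, and `requiredOneOf` separately demands one of `web-sandbox`, `on-premise-sandbox` or `saas-sandbox`, but nothing ties the two together. An object with `sandbox-type` set to `web` and only `saas-sandbox` filled in is valid, and the two fields can drift apart. The product attribute already implies the type, so either drop `sandbox-type` or state the expected pairing in its description, e.g. `"The type of sandbox used; must match the *-sandbox attribute that is filled in"`. The `score` description (`"Score"`) also gives no scale, although scores from different products are presumably not comparable.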


@ -0,0 +1,50 @@
{
"required": [
"software",
"signature"
],
"attributes": {
"software": {
"description": "Name of Sandbox software",
"disable_correlation": true,
"categories": [
"Sandbox detection"
],
"ui-priority": 1,
"misp-attribute": "text"
},
"signature": {
"description": "Name of detection signature",
"comment": "Description of detection signature",
"categories": [
"Sandbox detection"
],
"ui-priority": 2,
"misp-attribute": "text",
"multiple": true
},
"text": {
"description": "Additional signature description",
"disable_correlation": true,
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"datetime": {
"description": "Datetime",
"disable_correlation": true,
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "datetime"
}
},
"version": 1,
"description": "Sandbox detection signature",
"meta-category": "misc",
"uuid": "984c5c39-be7f-4e1e-b034-d3213bac51cb",
"name": "sb-signature"
}
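Review bot: `software` and `signature` declare `"categories": ["Sandbox detection"]`, which is not among the categories used elsewhere on this page (`External analysis`, `Payload delivery`, `Persistence mechanism`, `Other`). As far as I know it is also not a category MISP core defines, so attributes created from this template may be rejected or fall back to a default category. Verify against the core category list and use an existing one; `"External analysis"` is what the sandbox-report template in this commit uses. The `signature` attribute also has a `"comment"` key that no other attribute definition here uses and that the template loader presumably ignores, so fold its text into `description`.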


@ -0,0 +1,175 @@
{
"requiredOneOf": [
"text"
],
"attributes": {
"Category": {
"description": "Category",
"sane_default": [
"Cat0",
"Cat1",
"Cat2.1",
"Cat2.2",
"Cat3.1",
"Cat3.2",
"Cat3.3",
"CatSMS",
"CatSpoofing"
],
"misp-attribute": "text",
"disable_correlation": true,
"multiple": true,
"ui-priority": 1
},
"MapVersion": {
"description": "Map version.",
"sane_default": [
"1",
"2",
"3"
],
"misp-attribute": "text",
"disable_correlation": true,
"ui-priority": 0
},
"SccpCgGT": {
"description": "Signaling Connection Control Part (SCCP) CgGT - Phone number.",
"ui-priority": 0,
"misp-attribute": "text"
},
"SccpCdGT": {
"description": "Signaling Connection Control Part (SCCP) CdGT - Phone number.",
"ui-priority": 0,
"misp-attribute": "text"
},
"SccpCgPC": {
"description": "Signaling Connection Control Part (SCCP) CgPC - Phone number.",
"ui-priority": 0,
"misp-attribute": "text"
},
"SccpCdPC": {
"description": "Signaling Connection Control Part (SCCP) CdPC - Phone number.",
"ui-priority": 0,
"misp-attribute": "text"
},
"SccpCgSSN": {
"description": "Signaling Connection Control Part (SCCP) - Decimal value between 0-255.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"SccpCdSSN": {
"description": "Signaling Connection Control Part (SCCP) - Decimal value between 0-255.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"MapOpCode": {
"description": "MAP operation codes - Decimal value between 0-99.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"MapApplicationContext": {
"description": "MAP application context in OID format.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"MapImsi": {
"description": "MAP IMSI. Phone number starting with MCC/MNC.",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"MapMsisdn": {
"description": "MAP MSISDN. Phone number.",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"MapMscGT": {
"description": "MAP MSC GT. Phone number.",
"ui-priority": 0,
"misp-attribute": "text"
},
"MapGsmscfGT": {
"description": "MAP GSMSCF GT. Phone number.",
"ui-priority": 0,
"misp-attribute": "text"
},
"MapVlrGT": {
"description": "MAP VLR GT. Phone number.",
"ui-priority": 0,
"misp-attribute": "text"
},
"MapGmlc": {
"description": "MAP GMLC. Phone number.",
"ui-priority": 0,
"misp-attribute": "text"
},
"MapSmscGT": {
"description": "MAP SMSC. Phone number.",
"ui-priority": 0,
"multiple": true,
"misp-attribute": "text"
},
"MapSmsTP-OA": {
"description": "MAP SMS TP-OA. Phone number.",
"ui-priority": 0,
"misp-attribute": "text"
},
"MapSmsText": {
"description": "MAP SMS Text. Important indicators in SMS text.",
"ui-priority": 0,
"misp-attribute": "text"
},
"MapSmsTP-PID": {
"description": "MAP SMS TP-PID.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"MapSmsTP-DCS": {
"description": "MAP SMS TP-DCS.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"MapSmsTypeNumber": {
"description": "MAP SMS TypeNumber.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"MapUssdContent": {
"description": "MAP USSD Content.",
"ui-priority": 0,
"misp-attribute": "text"
},
"MapUssdCoding": {
"description": "MAP USSD Content.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"text": {
"description": "A description of the attack seen via SS7 logging.",
"disable_correlation": true,
"ui-priority": 0,
"multiple": true,
"misp-attribute": "text"
},
"first-seen": {
"description": "When the attack has been seen for the first time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
}
},
"version": 1,
"description": "SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.",
"meta-category": "network",
"uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782",
"name": "ss7-attack"
}
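Review bot: `MapUssdCoding` has the description `"MAP USSD Content."`, which duplicates the description of `MapUssdContent` just above it, so the UI shows two fields with the same label. Change it to something like `"MAP USSD coding."`. Also check `SccpCgPC` and `SccpCdPC`: they are described as `"Phone number"`, but PC in SCCP addressing normally denotes a point code, which is what analysts would enter. The two SSN descriptions omit the field name and could read `"SCCP calling/called party SSN - Decimal value between 0-255."`.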


@ -0,0 +1,22 @@
{
"requiredOneOf": [
"stix2-pattern"
],
"attributes": {
"comment": {
"description": "A description of the stix2-pattern.",
"ui-priority": 0,
"misp-attribute": "comment"
},
"stix2-pattern": {
"description": "STIX 2 pattern",
"ui-priority": 0,
"misp-attribute": "stix2-pattern"
}
},
"version": 1,
"description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
"meta-category": "misc",
"uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
"name": "stix2-pattern"
}


@ -10,45 +10,69 @@
],
"attributes": {
"id": {
"description": "Vulnerability ID (generally CVE, but not necessarely)",
"ui-priority": 1,
"misp-attribute": "vulnerability"
"description": "Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.",
"ui-priority": 0,
"misp-attribute": "vulnerability",
"multiple": true
},
"text": {
"description": "Description of the vulnerability",
"ui-priority": 1,
"ui-priority": 0,
"misp-attribute": "text"
},
"summary": {
"description": "Summary of the vulnerability",
"ui-priority": 1,
"ui-priority": 0,
"misp-attribute": "text"
},
"vulnerable_configuration": {
"description": "The vulnerable configuration is described in CPE format",
"multiple": true,
"ui-priority": 1,
"ui-priority": 0,
"misp-attribute": "text"
},
"modified": {
"description": "Last modification date",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"published": {
"description": "Initial publication date",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"created": {
"description": "First time when the vulnerability was discovered",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"references": {
"description": "External references",
"multiple": true,
"ui-priority": 1,
"ui-priority": 0,
"misp-attribute": "link"
},
"state": {
"description": "State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed.",
"multiple": true,
"ui-priority": 0,
"sane_default": [
"Published",
"Embargo",
"Reviewed",
"Vulnerability ID Assigned",
"Reported",
"Fixed"
],
"disable_correlation": true,
"misp-attribute": "text"
}
},
"version": 2,
"description": "Vulnerability object describing common vulnerability enumeration",
"version": 4,
"description": "Vulnerability object describing a common vulnerability enumeration which can describe unpublished, under review or embargo vulnerability for software, equipments or hardware.",
"meta-category": "network",
"uuid": "81650945-f186-437b-8945-9f31715d32da",
"name": "vulnerability"


@ -12,6 +12,7 @@
"attributes": {
"text": {
"description": "Full whois entry",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
@ -35,21 +36,37 @@
"ui-priority": 1,
"misp-attribute": "whois-registrant-email"
},
"registrant-org": {
"description": "Registrant organisation",
"ui-priority": 1,
"misp-attribute": "whois-registrant-org"
},
"creation-date": {
"description": "Initial creation of the whois entry",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"modification-date": {
"description": "Last update of the whois entry",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"expiration-date": {
"description": "Expiration of the whois entry",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"nameserver": {
"description": "Nameserver",
"ui-priority": 0,
"misp-attribute": "hostname",
"disable_correlation": true,
"multiple": true,
"to_ids": false
},
"domain": {
"description": "Domain of the whois entry",
"categories": [
@ -60,7 +77,7 @@
"misp-attribute": "domain"
}
},
"version": 5,
"version": 7,
"description": "Whois records information for a domain name.",
"meta-category": "network",
"uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",


@ -33,19 +33,19 @@
"x509-fingerprint-md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"ui-priority": 1,
"misp-attribute": "md5",
"misp-attribute": "x509-fingerprint-md5",
"recommended": false
},
"x509-fingerprint-sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"ui-priority": 1,
"misp-attribute": "sha1",
"misp-attribute": "x509-fingerprint-sha1",
"recommended": false
},
"x509-fingerprint-sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 1,
"misp-attribute": "sha256"
"misp-attribute": "x509-fingerprint-sha256"
},
"raw-base64": {
"description": "Raw certificate base64 encoded",
@ -83,7 +83,7 @@
"misp-attribute": "text"
}
},
"version": 4,
"version": 5,
"description": "x509 object describing a X.509 certificate",
"meta-category": "network",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",


@ -1,5 +1,5 @@
{
"version": 11,
"version": 12,
"values": [
{
"name": "derived-from",
@ -130,6 +130,13 @@
"misp"
]
},
{
"name": "drops",
"description": "This relationship describes an object which drops another object",
"format": [
"misp"
]
},
{
"name": "executed-by",
"description": "This relationship describes an object executed by another object.",