From fe594f98baffaa0f45783a25c8bd616954fe1fa3 Mon Sep 17 00:00:00 2001 From: truckydev Date: Wed, 25 Oct 2017 10:39:39 +0200 Subject: [PATCH 01/31] regex addon Add field to specify which type correspond to this regex. --- objects/regexp/definition.json | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/objects/regexp/definition.json b/objects/regexp/definition.json index 0b95765..94db4ce 100644 --- a/objects/regexp/definition.json +++ b/objects/regexp/definition.json @@ -24,9 +24,29 @@ "description": "regexp", "ui-priority": 0, "misp-attribute": "text" + }, + "type": { + "sane_default": [ + "hostname", + "domain", + "email-src", + "email-dst", + "email-subject", + "url", + "user-agent", + "regkey", + "cookie", + "uri", + "filename", + "windows-service-name", + "windows-scheduled-task" + ], + "description": "Specify which type corresponds to this regex.", + "ui-priority": 0, + "misp-attribute": "text" } }, - "version": 2, + "version": 3, "description": "An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.", "meta-category": "misc", "uuid": "ceffad66-71e5-4e20-9370-1b3fb694c648", From de36d3b735ad97bc6b03b87d9a1ecb3feec2a733 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 12 Dec 2017 21:57:45 +0100 Subject: [PATCH 02/31] jq all the things! --- objects/regexp/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/regexp/definition.json b/objects/regexp/definition.json index 94db4ce..5f3534c 100644 --- a/objects/regexp/definition.json +++ b/objects/regexp/definition.json @@ -39,7 +39,7 @@ "uri", "filename", "windows-service-name", - "windows-scheduled-task" + "windows-scheduled-task" ], "description": "Specify which type corresponds to this regex.", "ui-priority": 0, From b85438fc45b212a21b72d6d2e0df619758fa1444 Mon Sep 17 00:00:00 2001 
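Review bot: The new `type` attribute in the regexp hunk (`@@ -24,9 +24,29 @@`) is a closed label list stored as `text` and it is left correlating, so every regexp object that selects `hostname` or `url` will correlate with any other attribute anywhere that happens to hold that word. Add `"disable_correlation": true` to the `type` block, as the later commits in this series do for the other enumerated `text` fields (registry-key `datatype`/`hive`, microblog `type`). The description could also say what the value is, e.g. `"description": "MISP attribute type the regular expression is meant to match (e.g. hostname, url)."`.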
From: Alexandre Dulaunoy Date: Wed, 13 Dec 2017 17:39:59 +0100 Subject: [PATCH 03/31] Fix: x509 object now uses the new and proper fp type --- objects/x509/definition.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/x509/definition.json b/objects/x509/definition.json index ae0a08e..f87af6d 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json @@ -33,19 +33,19 @@ "x509-fingerprint-md5": { "description": "[Insecure] MD5 hash (128 bits)", "ui-priority": 1, - "misp-attribute": "md5", + "misp-attribute": "x509-fingerprint-md5", "recommended": false }, "x509-fingerprint-sha1": { "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)", "ui-priority": 1, - "misp-attribute": "sha1", + "misp-attribute": "x509-fingerprint-sha1", "recommended": false }, "x509-fingerprint-sha256": { "description": "Secure Hash Algorithm 2 (256 bits)", "ui-priority": 1, - "misp-attribute": "sha256" + "misp-attribute": "x509-fingerprint-sha256" }, "raw-base64": { "description": "Raw certificate base64 encoded", @@ -83,7 +83,7 @@ "misp-attribute": "text" } }, - "version": 4, + "version": 5, "description": "x509 object describing a X.509 certificate", "meta-category": "network", "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", From cf7aa00f98e658aee04c233ca547e1881df0a5fb Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 18 Dec 2017 14:04:53 +0100 Subject: [PATCH 04/31] chg: whois object now includes registrant-org matching new MISP attributes type - whois-registrant-org --- objects/whois/definition.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/objects/whois/definition.json b/objects/whois/definition.json index 7aa3ad4..bd8d813 100644 --- a/objects/whois/definition.json +++ b/objects/whois/definition.json 
@@ -35,6 +35,11 @@ "ui-priority": 1, "misp-attribute": "whois-registrant-email" }, + "registrant-org": { + "description": "Registrant organisation", + "ui-priority": 1, + "misp-attribute": "whois-registrant-org" + }, "creation-date": { "description": "Initial creation of the whois entry", "ui-priority": 0, @@ -60,7 +65,7 @@ "misp-attribute": "domain" } }, - "version": 5, + "version": 6, "description": "Whois records information for a domain name.", "meta-category": "network", "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a", From 871b86e35fff0c465725e61d34462e0527d668bd Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 18 Dec 2017 14:16:36 +0100 Subject: [PATCH 05/31] fix: Update registry-key to match correct MISP attributes --- objects/registry-key/definition.json | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/objects/registry-key/definition.json b/objects/registry-key/definition.json index f5ce2c7..d5a74ab 100644 --- a/objects/registry-key/definition.json +++ b/objects/registry-key/definition.json @@ -35,7 +35,8 @@ "REG_QWORD_LITTLE_ENDIAN" ], "ui-priority": 0, - "misp-attribute": "reg-datatype" + "disable_correlation": true, + "misp-attribute": "text" }, "data": { "description": "Data stored in the registry key", @@ -43,7 +44,7 @@ "Persistence mechanism" ], "ui-priority": 1, - "misp-attribute": "reg-data" + "misp-attribute": "text" }, "name": { "description": "Name of the registry key", @@ -51,7 +52,7 @@ "Persistence mechanism" ], "ui-priority": 1, - "misp-attribute": "reg-name" + "misp-attribute": "text" }, "key": { "description": "Full key path", @@ -59,7 +60,7 @@ "Persistence mechanism" ], "ui-priority": 1, - "misp-attribute": "reg-key" + "misp-attribute": "regkey" }, "hive": { "description": "Hive used to store the registry key (file on disk)", 
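Review bot: In the registry-key hunk `@@ -51,7 +52,7 @@`, `name` is remapped to the generic `text` type with correlation still enabled, while the sibling `datatype` and `hive` fields in the same commit get `"disable_correlation": true`. Registry value names are low-cardinality (constructed examples: "Start", "ImagePath", "(Default)"), so leaving them correlating links unrelated events through any free-text attribute carrying the same word; `key` (now `regkey`) and `data` are the fields that actually carry the persistence indicator. Suggest `"misp-attribute": "text",` followed by `"disable_correlation": true` in the `name` block, in the same order as the `hive` block.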
@@ -67,10 +68,11 @@ "Persistence mechanism" ], "ui-priority": 1, - "misp-attribute": "reg-hive" + "disable_correlation": true, + "misp-attribute": "text" } }, - "version": 2, + "version": 3, "description": "Registry key object describing a Windows registry key with value and last-modified timestamp", "meta-category": "file", "uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5", From 9de742350109112c85a82bd62a3ba9c2a3d282e2 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Wed, 20 Dec 2017 15:22:45 +0100 Subject: [PATCH 06/31] whois - adds nameserver attributes adding nameserver attributes as a whois response contains those --- objects/whois/definition.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/objects/whois/definition.json b/objects/whois/definition.json index bd8d813..320873c 100644 --- a/objects/whois/definition.json +++ b/objects/whois/definition.json @@ -12,6 +12,7 @@ "attributes": { "text": { "description": "Full whois entry", + "disable_correlation": true, "ui-priority": 1, "misp-attribute": "text" }, @@ -42,19 +43,30 @@ }, "creation-date": { "description": "Initial creation of the whois entry", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, "modification-date": { "description": "Last update of the whois entry", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, "expiration-date": { "description": "Expiration of the whois entry", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "datetime" }, + "nameserver": { + "description": "Nameserver", + "ui-priority": 0, + "misp-attribute": "hostname", + "disable_correlation": true, + "multiple": true, + "to_ids": false + }, "domain": { "description": "Domain of the whois entry", "categories": [ 
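Review bot: The new `nameserver` attribute in the whois hunk `@@ -42,19 +43,30 @@` sets `"disable_correlation": true`, which removes one of the more useful pivots a whois record offers: registrations sharing an uncommon nameserver are a standard way to cluster related infrastructure. Disabling it is defensible to avoid noise from the big shared DNS providers, but then the description should say so; otherwise drop the `disable_correlation` line and keep only `"to_ids": false` (the hostname is not itself something to block on). Either way `"description": "Nameserver"` is thin; `"description": "Nameserver (NS) listed in the whois record"` tells the analyst what the value is.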
@@ -65,7 +77,7 @@ "misp-attribute": "domain" } }, - "version": 6, + "version": 7, "description": "Whois records information for a domain name.", "meta-category": "network", "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a", From 1460d055a0207668cf1f0e99ff347411038f0113 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 21 Dec 2017 16:16:33 +0100 Subject: [PATCH 07/31] add: new stix2-pattern object to include STIX 2 patterning --- objects/stix2-pattern/definition.json | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 objects/stix2-pattern/definition.json diff --git a/objects/stix2-pattern/definition.json b/objects/stix2-pattern/definition.json new file mode 100644 index 0000000..5abd6f0 --- /dev/null +++ b/objects/stix2-pattern/definition.json @@ -0,0 +1,22 @@ +{ + "requiredOneOf": [ + "stix2-pattern" + ], + "attributes": { + "comment": { + "description": "A description of the stix2-pattern.", + "ui-priority": 0, + "misp-attribute": "comment" + }, + "stix2-pattern": { + "description": "STIX 2 pattern", + "ui-priority": 0, + "misp-attribute": "stix2-pattern" + } + }, + "version": 1, + "description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.", + "meta-category": "misc", + "uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9", + "name": "stix2-pattern" +} From 3aea2f29508a9b0e6efc8bf2dd875e76dc31743f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 24 Dec 2017 15:02:47 +0100 Subject: [PATCH 08/31] fix: Disable correlation on filename by default --- objects/file/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 9fd0d77..f0f7fe0 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json 
@@ -113,6 +113,7 @@ }, "filename": { "description": "Filename on disk", + "disable_correlation": true, "multiple": true, "categories": [ "Payload delivery", @@ -155,7 +156,7 @@ ] } }, - "version": 8, + "version": 9, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From 5cd069acdda441aea62ba190d1b730b54c9ba766 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 24 Dec 2017 15:05:12 +0100 Subject: [PATCH 09/31] fix: disable correlation on all filename-* --- objects/pe/definition.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/objects/pe/definition.json b/objects/pe/definition.json index e53d7ea..86f37b5 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json @@ -19,12 +19,14 @@ "internal-filename": { "description": "InternalFilename in the resources", "ui-priority": 0, - "misp-attribute": "filename" + "misp-attribute": "filename", + "disable_correlation": true }, "original-filename": { "description": "OriginalFilename in the resources", "ui-priority": 1, - "misp-attribute": "filename" + "misp-attribute": "filename", + "disable_correlation": true }, "number-sections": { "description": "Number of sections", @@ -116,7 +118,7 @@ "misp-attribute": "text" } }, - "version": 2, + "version": 3, "description": "Object describing a Portable Executable", "meta-category": "file", "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07", From b4d30b1419fa45cd2766bb34acb30189a9d06d2f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 30 Dec 2017 19:26:48 +0100 Subject: [PATCH 10/31] fix: disable correlation on microblog type (Twitter or alike) --- objects/microblog/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json index 4f2b869..906a03c 100644 --- a/objects/microblog/definition.json +++ b/objects/microblog/definition.json 
@@ -17,6 +17,7 @@ "description": "Type of the microblog post", "ui-priority": 1, "misp-attribute": "text", + "disable_correlation": true, "sane_default": [ "Twitter", "Facebook", @@ -61,7 +62,7 @@ "misp-attribute": "text" } }, - "version": 3, + "version": 4, "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "meta-category": "misc", "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", From 7ebda41b4afd16110985eb277c2e678bccad9cf7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 30 Dec 2017 19:39:55 +0100 Subject: [PATCH 11/31] fix: disable correlation on fields where is not needed --- objects/elf/definition.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/objects/elf/definition.json b/objects/elf/definition.json index 3fc090a..7fe59c3 100644 --- a/objects/elf/definition.json +++ b/objects/elf/definition.json @@ -210,7 +210,8 @@ "AMDGPU" ], "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "os_abi": { "description": "Header operating system application binary interface (ABI)", @@ -238,7 +239,8 @@ "TRU64" ], "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "text": { "description": "Free text value to attach to the ELF", @@ -248,7 +250,7 @@ "recommended": false } }, - "version": 3, + "version": 4, "description": "Object describing a Executable and Linkable Format", "meta-category": "file", "uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa", From 875f97dce128a94d53ad13ae85c3d5e413cf1dab Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 4 Jan 2018 14:41:40 +0100 Subject: [PATCH 12/31] add: new relationship "drops" - This relationship describes an object which drops another object --- relationships/definition.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index f9391ca..5e6083e 100644 
--- a/relationships/definition.json +++ b/relationships/definition.json @@ -1,5 +1,5 @@ { - "version": 11, + "version": 12, "values": [ { "name": "derived-from", @@ -130,6 +130,13 @@ "misp" ] }, + { + "name": "drops", + "description": "This relationship describes an object which drops another object", + "format": [ + "misp" + ] + }, { "name": "executed-by", "description": "This relationship describes an object executed by another object.", From 60d5767e8b2ad5322b3c3a3ec0cab7fbcf8fc961 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Jan 2018 13:37:54 +0100 Subject: [PATCH 13/31] add: first version of a MISP object to describe GTP attack on GSM/UTMS/3G network. --- objects/gtp-attack/definition.json | 96 ++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 objects/gtp-attack/definition.json diff --git a/objects/gtp-attack/definition.json b/objects/gtp-attack/definition.json new file mode 100644 index 0000000..292974d --- /dev/null +++ b/objects/gtp-attack/definition.json 
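Review bot: The new `drops` entry's description has no terminating period, while the neighbouring entries in the hunk (`executed-by`: "...executed by another object.") end with one; keep the file consistent with `"description": "This relationship describes an object which drops another object."`. "Drops" is also a loaded term in malware analysis (a dropper writing a payload to disk); one clarifying phrase in the description would fix its meaning for consumers that map these relationships to other formats.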
@@ -0,0 +1,96 @@ +{ + "requiredOneOf": [ + "text" + ], + "attributes": { + "GtpServingNetwork": { + "description": "GTP Serving Network.", + "misp-attribute": "text", + "disable_correlation": true, + "ui-priority": 1 + }, + "GtpImei": { + "description": "GTP IMEI (International Mobile Equipment Identity).", + "misp-attribute": "text", + "ui-priority": 1 + }, + "GtpMsisdn": { + "description": "GTP MSISDN.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "GtpImsi": { + "description": "GTP IMSI (International mobile subscriber identity).", + "misp-attribute": "text", + "ui-priority": 1 + }, + "GtpInterface": { + "description": "GTP interface.", + "sane_default": [ + "S5", + "S11", + "S10", + "S8" + ], + "misp-attribute": "text", + "disable_correlation": true, + "ui-priority": 1 + }, + "GtpMessageType": { + "description": "GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "PortDest": { + "description": "Destination port.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "PortSrc": { + "description": "Source port.", + "disable_correlation": true, + "misp-attribute": "port", + "ui-priority": 0 + }, + "ipDest": { + "description": "IP destination address.", + "misp-attribute": "ip-dst", + "ui-priority": 0 + }, + "ipSrc": { + "description": "IP source address.", + "misp-attribute": "ip-src", + "ui-priority": 0 + }, + "GtpVersion": { + "description": "GTP version", + "sane_default": [ + "0", + "1", + "2" + ], + "misp-attribute": "text", + "disable_correlation": true, + "ui-priority": 0 + }, + "text": { + "description": "A description of the GTP attack.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "first-seen": { + "description": "When the attack has been seen for the first time.", + "disable_correlation": true, + "ui-priority": 
0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "GTP attack object as seen on a GSM, UMTS or LTE network", + "meta-category": "network", + "uuid": "6b3c48d2-0ca6-4608-9c36-455105439145", + "name": "gtp-attack" +} From 93f8c7e9d321820ef6b1bcac260e86b754b44813 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Jan 2018 14:10:05 +0100 Subject: [PATCH 14/31] fix: GTP attack - multiple on GTP interface --- objects/gtp-attack/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/gtp-attack/definition.json b/objects/gtp-attack/definition.json index 292974d..62b3e7b 100644 --- a/objects/gtp-attack/definition.json +++ b/objects/gtp-attack/definition.json @@ -34,6 +34,7 @@ ], "misp-attribute": "text", "disable_correlation": true, + "multiple": true, "ui-priority": 1 }, "GtpMessageType": { @@ -88,7 +89,7 @@ "misp-attribute": "datetime" } }, - "version": 1, + "version": 2, "description": "GTP attack object as seen on a GSM, UMTS or LTE network", "meta-category": "network", "uuid": "6b3c48d2-0ca6-4608-9c36-455105439145", From 17373f61302cab9e32da2f90473d62d18cbf6fdc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Jan 2018 14:26:28 +0100 Subject: [PATCH 15/31] fix: GTPInterface updated --- objects/gtp-attack/definition.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/objects/gtp-attack/definition.json b/objects/gtp-attack/definition.json index 62b3e7b..6f6cc78 100644 --- a/objects/gtp-attack/definition.json +++ b/objects/gtp-attack/definition.json @@ -30,7 +30,9 @@ "S5", "S11", "S10", - "S8" + "S8", + "Gn", + "Gp" ], "misp-attribute": "text", "disable_correlation": true, @@ -89,7 +91,7 @@ "misp-attribute": "datetime" } }, - "version": 2, + "version": 3, "description": "GTP attack object as seen on a GSM, UMTS or LTE network", "meta-category": "network", "uuid": "6b3c48d2-0ca6-4608-9c36-455105439145", 
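Review bot: In the new gtp-attack object, `PortDest` is typed `"misp-attribute": "text"` while `PortSrc` directly below it uses `"port"`; both hold port numbers, so `PortDest` should be `"misp-attribute": "port"` too, otherwise destination ports get no type validation and differ in type from every other port attribute. Key naming mixes `GtpServingNetwork`, `ipDest`, `first-seen` and `text` in one object; the other objects in this repository use lowercase hyphenated keys such as `first-seen`, and the 96-line block would be easier to consume with one convention. `GtpImei`, `GtpMsisdn` and `GtpImsi` identify a specific device and subscriber; their descriptions should say so, so the analyst can make a sharing decision before the object leaves the instance.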
From 8f9c7b1ae127703a7429401d1c5546a17d4323aa Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Jan 2018 14:34:20 +0100 Subject: [PATCH 16/31] add: Diameter attack object targeting GSM, UMTS and 4G networks. --- objects/diameter-attack/definition.json | 89 +++++++++++++++++++++++++ 1 file changed, 89 insertions(+) create mode 100644 objects/diameter-attack/definition.json diff --git a/objects/diameter-attack/definition.json b/objects/diameter-attack/definition.json new file mode 100644 index 0000000..71c2766 --- /dev/null +++ b/objects/diameter-attack/definition.json 
@@ -0,0 +1,89 @@ +{ + "requiredOneOf": [ + "text" + ], + "attributes": { + "category": { + "description": "Category.", + "sane_default": [ + "Cat0", + "Cat1", + "Cat2", + "Cat3", + "CatSMS" + ], + "misp-attribute": "text", + "disable_correlation": true, + "ui-priority": 0 + }, + "ApplicationId": { + "description": "Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "SessionId": { + "description": "Session-ID.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "CmdCode": { + "description": "A decimal representation of the diameter Command Code.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "Origin-Host": { + "description": "Origin-Host.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "Destination-Host": { + "description": "Destination-Host.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "Origin-Realm": { + "description": "Origin-Realm.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "Destination-Realm": { + "description": "Destination-Realm.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "Username": { + "description": "Username (in this case, usually the IMSI).", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "IdrFlags": { + "description": "IDR-Flags.", + "misp-attribute": "text", + "disable_correlation": true, + "ui-priority": 0 + }, + "text": { + "description": "A description of the attack seen.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "first-seen": { + "description": "When the attack has been seen for the first time.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "Attack as seen on diameter authentication against a 
GSM, UMTS or LTE network", + "meta-category": "network", + "uuid": "a3fdce4c-8e21-4acc-ab8e-9976e9165a12", + "name": "diameter-attack" +} From 60279184ddfaf07c37f7ea2e76b5b282a5c7d9c2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 5 Jan 2018 16:17:23 +0100 Subject: [PATCH 17/31] add: ss7-attack object for the attack against GSM/UMTS networks seen in SS7 logging. --- objects/ss7-attack/definition.json | 168 +++++++++++++++++++++++++++++ 1 file changed, 168 insertions(+) create mode 100644 objects/ss7-attack/definition.json diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json new file mode 100644 index 0000000..c16d99b --- /dev/null +++ b/objects/ss7-attack/definition.json 
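Review bot: `ApplicationId` in the new diameter-attack object is described as a decimal protocol identifier yet is left correlating, while `CmdCode`, the same kind of protocol constant, gets `"disable_correlation": true`; the Application-ID is fixed per Diameter application, so correlating on it only links unrelated events. Add `"disable_correlation": true` to `ApplicationId`, and arguably to `SessionId`, which is unique per session and therefore never correlates usefully. The keys also mix `category`, `ApplicationId`, `Origin-Host` and `first-seen` styles in one object; the rest of the repository uses lowercase hyphenated keys.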
@@ -0,0 +1,168 @@ +{ + "requiredOneOf": [ + "text" + ], + "attributes": { + "Category": { + "description": "Category", + "sane_default": [ + "Cat0", + "Cat1", + "Cat2.1", + "Cat2.2", + "Cat3.1", + "Cat3.2", + "Cat3.3", + "CatSMS", + "CatSpoofing" + ], + "misp-attribute": "text", + "disable_correlation": true, + "multiple": true, + "ui-priority": 1 + }, + "MapVersion": { + "description": "Map version.", + "sane_default": [ + "1", + "2", + "3" + ], + "misp-attribute": "text", + "disable_correlation": true, + "ui-priority": 0 + }, + "SccpCgGT": { + "description": "Signaling Connection Control Part (SCCP) CgGT - Phone number.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "SccpCdGT": { + "description": "Signaling Connection Control Part (SCCP) CdGT - Phone number.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "SccpCgPC": { + "description": "Signaling Connection Control Part (SCCP) CgPC - Phone number.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "SccpCdPC": { + "description": "Signaling Connection Control Part (SCCP) CdPC - Phone number.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "SccpCgSSN": { + "description": "Signaling Connection Control Part (SCCP) - Decimal value between 0-255.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "SccpCdSSN": { + "description": "Signaling Connection Control Part (SCCP) - Decimal value between 0-255.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "MapOpCode": { + "description": "MAP operation codes - Decimal value between 0-99.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "MapApplicationContext": { + "description": "MAP application context in OID format.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "MapImsi": { + "description": "MAP IMSI. 
Phone number starting with MCC/MNC.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "MapMsisdn": { + "description": "MAP MSISDN. Phone number.", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "MapMscGT": { + "description": "MAP MSC GT. Phone number.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "MapGsmscfGT": { + "description": "MAP GSMSCF GT. Phone number.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "MapVlrGT": { + "description": "MAP VLR GT. Phone number.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "MapGmlc": { + "description": "MAP GMLC. Phone number.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "MapSmscGT": { + "description": "MAP SMSC. Phone number.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "MapSmsTP-OA": { + "description": "MAP SMS TP-OA. Phone number.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "MapSmsTP-PID": { + "description": "MAP SMS TP-PID.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "MapSmsTP-DCS": { + "description": "MAP SMS TP-DCS.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "MapSmsTypeNumber": { + "description": "MAP SMS TypeNumber.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "MapUssdContent": { + "description": "MAP USSD Content.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "MapUssdCoding": { + "description": "MAP USSD Content.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "text": { + "description": "A description of the attack seen via SS7 logging.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "first-seen": { + "description": "When the attack has been seen for the first time.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "SS7 
object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.", + "meta-category": "network", + "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782", + "name": "ss7-attack" +} From 71c0ae1e6cc2de2698c2aeb1b3cd1043f28b6143 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 8 Jan 2018 07:48:32 +0100 Subject: [PATCH 18/31] fix: Vulnerability object improved to include the case of unpublished security vulnerability --- objects/vulnerability/definition.json | 45 ++++++++++++++++++++------- 1 file changed, 34 insertions(+), 11 deletions(-) diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json index 338b78a..5630f2c 100644 --- a/objects/vulnerability/definition.json +++ b/objects/vulnerability/definition.json 
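Review bot: `MapUssdCoding` repeats the description of the attribute above it, `"description": "MAP USSD Content."`; it should read `"description": "MAP USSD Coding (data coding scheme)."` so the two fields can be told apart in the UI. The two point-code fields `SccpCgPC` and `SccpCdPC` are described as "Phone number" like the global-title fields, but calling/called party point codes are signalling addresses, not E.164 numbers; reword those two descriptions. `MapImsi` and `MapMsisdn` identify individual subscribers; keeping them correlating with `multiple: true` is the right choice for tracking an attacker's targets, but their descriptions should flag them as subscriber-identifying data for sharing decisions.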
@@ -10,45 +10,68 @@ ], "attributes": { "id": { - "description": "Vulnerability ID (generally CVE, but not necessarely)", - "ui-priority": 1, - "misp-attribute": "vulnerability" + "description": "Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.", + "ui-priority": 0, + "misp-attribute": "vulnerability", + "multiple": true }, "text": { "description": "Description of the vulnerability", - "ui-priority": 1, + "ui-priority": 0, "misp-attribute": "text" }, "summary": { "description": "Summary of the vulnerability", - "ui-priority": 1, + "ui-priority": 0, "misp-attribute": "text" }, "vulnerable_configuration": { "description": "The vulnerable configuration is described in CPE format", "multiple": true, - "ui-priority": 1, + "ui-priority": 0, "misp-attribute": "text" }, "modified": { "description": "Last modification date", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "published": { "description": "Initial publication date", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true + }, + "created": { + "description": "First time when the vulnerability was discovered", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true }, "references": { "description": "External references", "multiple": true, - "ui-priority": 1, + "ui-priority": 0, "misp-attribute": "link" + }, + "state": { + "description": "State of the vulnerability. 
A vulnerability can have multiple states depending of the current actions performed.", + "multiple": true, + "ui-priority": 0, + "sane_default": [ + "Published", + "Embargo", + "Reviewed", + "Vulnerability ID Assigned", + "Reported", + "Fixed" + ], + "disable_correlation": true } }, - "version": 2, - "description": "Vulnerability object describing common vulnerability enumeration", + "version": 3, + "description": "Vulnerability object describing a common vulnerability enumeration which can describe unpublished, under review or embargo vulnerability for software, equipments or hardware.", "meta-category": "network", "uuid": "81650945-f186-437b-8945-9f31715d32da", "name": "vulnerability" From 100842847654cc5b3e8f51758b28b276b3316a90 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 8 Jan 2018 08:15:43 +0100 Subject: [PATCH 19/31] fix: add missing attribute type for the state --- objects/vulnerability/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json index 5630f2c..88f0604 100644 --- a/objects/vulnerability/definition.json +++ b/objects/vulnerability/definition.json @@ -67,10 +67,11 @@ "Reported", "Fixed" ], - "disable_correlation": true + "disable_correlation": true, + "misp-attribute": "text" } }, - "version": 3, + "version": 4, "description": "Vulnerability object describing a common vulnerability enumeration which can describe unpublished, under review or embargo vulnerability for software, equipments or hardware.", "meta-category": "network", "uuid": "81650945-f186-437b-8945-9f31715d32da", From eafb54fd0738aedb56323da67377f083d1a1e211 Mon Sep 17 00:00:00 2001 
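Review bot: The rewritten `id` description carries two typos onto the new side ("necessarely", "can updated"); suggest `"description": "Vulnerability ID (generally CVE, but not necessarily). The id is not required as the object itself has a UUID and the CVE id can be updated later."`. In the new `state` block, "depending of the current actions performed" should be "depending on the current actions performed". The object-level description added at the end of the hunk should likewise read "software, equipment or hardware".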
From: Alexandre Dulaunoy Date: Mon, 8 Jan 2018 11:28:11 +0100 Subject: [PATCH 20/31] add: An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes. --- objects/annotation/definition.json | 71 ++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 objects/annotation/definition.json diff --git a/objects/annotation/definition.json b/objects/annotation/definition.json new file mode 100644 index 0000000..9b5ab81 --- /dev/null +++ b/objects/annotation/definition.json 
@@ -0,0 +1,71 @@ +{ + "requiredOneOf": [ + "post" + ], + "attributes": { + "text": { + "description": "Raw text of the annotation", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ref": { + "description": "Reference(s) to the annotation", + "ui-priority": 0, + "misp-attribute": "link", + "multiple": true + }, + "type": { + "description": "Type of the annotation", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "Annotation", + "Executive Summary", + "Introduction", + "Conclusion", + "Disclaimer", + "Keywords", + "Acknowledgement", + "Other", + "Copyright", + "Authors", + "Logo" + ] + }, + "format": { + "description": "Format of the annotation", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "text", + "markdown", + "asciidoctor", + "MultiMarkdown", + "GFM", + "pandoc", + "Fountain", + "CommonWork", + "kramdown-rfc2629", + "rfc7328", + "Extra" + ] + }, + "creation-date": { + "description": "Initial creation of the annotation", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "modification-date": { + "description": "Last update of the annotation", + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.", + "meta-category": "misc", + "uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487", + "name": "annotation" +} From 735ebf26bc59fb49e22a03f69d975cebe7482785 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 8 Jan 2018 11:47:19 +0100 Subject: [PATCH 21/31] fix: annotation object --- objects/annotation/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/annotation/definition.json b/objects/annotation/definition.json index 9b5ab81..d062eca 100644 --- a/objects/annotation/definition.json +++ b/objects/annotation/definition.json 
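Review bot: `creation-date` and `modification-date` in the new annotation object are left correlating, whereas the whois object earlier in this series marks its date fields `"disable_correlation": true`; two annotations written in the same second should not be linked, so add `"disable_correlation": true` to both date blocks here. In the `format` list, `CommonWork` does not look like a markup format name; if `CommonMark` was intended, fix the spelling before clients start storing the value, since `sane_default` strings become attribute values that are hard to rename later.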
@@ -1,6 +1,6 @@
 {
 "requiredOneOf": [
- "post"
+ "text"
 ],
 "attributes": {
 "text": {
@@ -63,7 +63,7 @@
 "misp-attribute": "datetime"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
 "meta-category": "misc",
 "uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",
From f92eb6e1b7f4f02f69f7ac985a86a28ee0b51075 Mon Sep 17 00:00:00 2001 From: c-goes Date: Mon, 8 Jan 2018 17:28:21 +0100 Subject: [PATCH 22/31] added sandbox-report object --- objects/sandbox-report/definition.json | 100 +++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 objects/sandbox-report/definition.json
diff --git a/objects/sandbox-report/definition.json b/objects/sandbox-report/definition.json
new file mode 100644
index 0000000..b294575
--- /dev/null
+++ b/objects/sandbox-report/definition.json
@@ -0,0 +1,100 @@
+{
+ "required": [
+ "sandbox-type"
+ ],
+ "requiredOneOf": [
+ "web-sandbox",
+ "on-premise-sandbox",
+ "saas-sandbox"
+ ],
+ "attributes": {
+ "permalink": {
+ "description": "Permalink reference",
+ "categories": [
+ "External analysis"
+ ],
+ "ui-priority": 2,
+ "misp-attribute": "link"
+ },
+ "score": {
+ "description": "Score",
+ "disable_correlation": true,
+ "categories": [
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "results": {
+ "description": "Freetext result values",
+ "disable_correlation": true,
+ "categories": [
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "raw-report": {
+ "description": "Raw report from sandbox",
+ "disable_correlation": true,
+ "categories": [
+ "External analysis"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "sandbox-type": {
+ "description": "The type of sandbox used",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "sane_default": [
+ "on-premise",
+ "web",
+ "saas"
+ ]
+ },
+ "on-premise-sandbox": {
+ "description": "The on-premise sandbox used",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "sane_default": [
+ "cuckoo",
+ "symantec-cas-on-premise",
+ "bluecoat-maa",
+ "trendmicro-deep-discovery-analyzer",
+ "fireeye-ax",
+ "vmray",
+ "joe-sandbox-on-premise"
+ ]
+ },
+ "web-sandbox": {
+ "description": "A web sandbox where results are publicly available via an URL",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "sane_default": [
+ "malwr",
+ "hybrid-analysis"
+ ]
+ },
+ "saas-sandbox": {
+ "description": "A non-on-premise sandbox, also results are not publicly available",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "sane_default": [
+ "forticloud-sandbox",
+ "joe-sandbox-cloud",
+ "symantec-cas-cloud"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "Sandbox report",
+ "meta-category": "misc",
+ "uuid": "4d3fffd2-cd07-4357-96e0-a51c988faaef",
+ "name": "sandbox-report"
+}
From 1b42b02c99136da88252beb9c204e339ff3498ce Mon Sep 17 00:00:00 2001 From: Alexandre De Oliveira Date: Thu, 11 Jan 2018 11:52:11 +0100 Subject: [PATCH 23/31] Update definition.json Adding the multiple possibility for SMSC GT to cover SMS Spaming case. Also text field for multiple details if needed. Adding "MapSmsText" attribute to help matching malicious URL, keywords or MSISDN inside SMS. --- objects/ss7-attack/definition.json | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index c16d99b..6354c5d 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
@@ -111,6 +111,7 @@
 "MapSmscGT": {
 "description": "MAP SMSC. Phone number.",
 "ui-priority": 0,
+ "multiple": true,
 "misp-attribute": "text"
 },
 "MapSmsTP-OA": {
@@ -118,6 +119,11 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "MapSmsText": {
+ "description": "MAP SMS Text. Important indicators in SMS text.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "MapSmsTP-PID": {
 "description": "MAP SMS TP-PID.",
 "ui-priority": 0,
@@ -151,6 +157,7 @@
 "description": "A description of the attack seen via SS7 logging.",
 "disable_correlation": true,
 "ui-priority": 0,
+ "multiple": true,
 "misp-attribute": "text"
 },
 "first-seen": {
From 90475bcf9c818b967e35a1d0bb4709b3aab703ab Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 14 Jan 2018 23:40:32 +0100 Subject: [PATCH 24/31] fix: We are in 2018 --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index bfde5d2..ae6bb52 100644
--- a/README.md
+++ b/README.md
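Review bot: `required: ["sandbox-type"]` plus `requiredOneOf` over the three name attributes cannot express that the two must agree, so an object with `"sandbox-type": "web"` and only `on-premise-sandbox` filled in validates; the type is already implied by which of `web-sandbox`/`on-premise-sandbox`/`saas-sandbox` is present, so either drop `sandbox-type` from `required` or state in its description that it must match the name attribute used. `score` is a `text` attribute whose description is just "Score", which leaves scores from different vendors incomparable — say that the scale is vendor-specific, e.g. `"Score as reported by the sandbox (vendor-specific scale; give the maximum in results if known)"`. The `web-sandbox` description says results are "publicly available via an URL" (grammar: "a URL"); the operational consequence worth spelling out in `permalink`'s description is that such a link exposes the submitted sample and report to anyone who obtains it, so the object's distribution level should be chosen with that in mind.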
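Review bot: `MapSmsText` is described as holding "Important indicators in SMS text" (the commit message names URLs, keywords and MSISDNs), yet it is a single-valued `text` attribute, while the same patch gives `MapSmscGT` and `description` `"multiple": true`; one SMS routinely carries several indicators, so add `"multiple": true` here and make the description say one indicator per value, e.g. `"MAP SMS Text. One indicator (URL, keyword or MSISDN) extracted from the SMS body per value."`. If the intent is instead to store the whole SMS body, that carries the subscriber's personal data into the event and would correlate whole message texts across events; in that case it belongs in a separate attribute with `"disable_correlation": true` rather than in this one. The enclosing `attributes` object starts and ends outside these hunks.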
@@ -139,9 +139,9 @@ The MISP objects model allows to add new combined indicators format based on the ~~~~ -Copyright (C) 2016-2017 Andras Iklody -Copyright (C) 2016-2017 Alexandre Dulaunoy -Copyright (C) 2016-2017 CIRCL - Computer Incident Response Center Luxembourg +Copyright (C) 2016-2018 Andras Iklody +Copyright (C) 2016-2018 Alexandre Dulaunoy +Copyright (C) 2016-2018 CIRCL - Computer Incident Response Center Luxembourg This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by From 94cfc57e1667afe56590da1412dae16c1302cce5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 18 Jan 2018 12:54:01 +0100 Subject: [PATCH 25/31] add: registry-hive object describing a Windows registry hive including key, subkey and value (and associated data if any) --- objects/registry-hive/definition.json | 77 +++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 objects/registry-hive/definition.json diff --git a/objects/registry-hive/definition.json b/objects/registry-hive/definition.json new file mode 100644 index 0000000..45ada47 --- /dev/null +++ b/objects/registry-hive/definition.json 
@@ -0,0 +1,77 @@ +{ + "requiredOneOf": [ + "text", + "key", + "value", + "data" + ], + "attributes": { + "key": { + "description": "Key of the registry hive", + "misp-attribute": "text", + "ui-priority": 0 + }, + "value": { + "description": "Value of the registry hive", + "misp-attribute": "text", + "ui-priority": 0 + }, + "data-type": { + "sane_default": [ + "REG_NONE", + "REG_SZ", + "REG_EXPAND_SZ", + "REG_BINARY", + "REG_DWORD", + "REG_DWORD_BIG_ENDIAN", + "REG_LINK", + "REG_MULTI_SZ", + "REG_RESOURCE_LIST", + "REG_FULL_RESOURCE_DESCRIPTOR", + "REG_RESOURCE_REQUIREMENTS_LIST", + "REG_QWORD" + ], + "description": "Type of the data in the registry hive", + "misp-attribute": "text", + "ui-priority": 0 + }, + "data": { + "ui-priority": 0, + "description": "Data in the registry hive", + "misp-attribute": "text" + }, + "root-keys": { + "description": "Root key of the Windows registry (extracted from the key)", + "sane_default": [ + "HKCC", + "HKCR", + "HKCU", + "HKDD", + "HKEY_CLASSES_ROOT", + "HKEY_CURRENT_CONFIG", + "HKEY_CURRENT_USER", + "HKEY_DYN_DATA", + "HKEY_LOCAL_MACHINE", + "HKEY_PERFORMANCE_DATA", + "HKEY_USERS", + "HKLM", + "HKPD", + "HKU" + ], + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "text": { + "description": "Free text value to attach to the registry hive", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Object describing a Windows registry hive including key, subkey and value (and associated data if any)", + "meta-category": "file", + "uuid": "9640285f-f9b9-4bab-92d0-353f97543655", + "name": "registry-hive" +} From c04d56d7cdb4c3a956418d7ccbeb76e5c354b4cb Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Thu, 18 Jan 2018 13:47:57 +0100 Subject: [PATCH 26/31] remove registry hive because registry-key is enough --- objects/registry-hive/definition.json | 77 --------------------------- 1 file changed, 77 deletions(-) delete mode 100644 objects/registry-hive/definition.json diff --git a/objects/registry-hive/definition.json b/objects/registry-hive/definition.json deleted file mode 100644 index 45ada47..0000000 --- a/objects/registry-hive/definition.json +++ /dev/null 
@@ -1,77 +0,0 @@ -{ - "requiredOneOf": [ - "text", - "key", - "value", - "data" - ], - "attributes": { - "key": { - "description": "Key of the registry hive", - "misp-attribute": "text", - "ui-priority": 0 - }, - "value": { - "description": "Value of the registry hive", - "misp-attribute": "text", - "ui-priority": 0 - }, - "data-type": { - "sane_default": [ - "REG_NONE", - "REG_SZ", - "REG_EXPAND_SZ", - "REG_BINARY", - "REG_DWORD", - "REG_DWORD_BIG_ENDIAN", - "REG_LINK", - "REG_MULTI_SZ", - "REG_RESOURCE_LIST", - "REG_FULL_RESOURCE_DESCRIPTOR", - "REG_RESOURCE_REQUIREMENTS_LIST", - "REG_QWORD" - ], - "description": "Type of the data in the registry hive", - "misp-attribute": "text", - "ui-priority": 0 - }, - "data": { - "ui-priority": 0, - "description": "Data in the registry hive", - "misp-attribute": "text" - }, - "root-keys": { - "description": "Root key of the Windows registry (extracted from the key)", - "sane_default": [ - "HKCC", - "HKCR", - "HKCU", - "HKDD", - "HKEY_CLASSES_ROOT", - "HKEY_CURRENT_CONFIG", - "HKEY_CURRENT_USER", - "HKEY_DYN_DATA", - "HKEY_LOCAL_MACHINE", - "HKEY_PERFORMANCE_DATA", - "HKEY_USERS", - "HKLM", - "HKPD", - "HKU" - ], - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, - "text": { - "description": "Free text value to attach to the registry hive", - "disable_correlation": true, - "ui-priority": 1, - "misp-attribute": "text" - } - }, - "version": 1, - "description": "Object describing a Windows registry hive including key, subkey and value (and associated data if any)", - "meta-category": "file", - "uuid": "9640285f-f9b9-4bab-92d0-353f97543655", - "name": "registry-hive" -} From c75015e1a69303a4bb091ddb351ebb7156a28c7a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 18 Jan 2018 13:49:03 +0100 Subject: [PATCH 27/31] fix: registry-key updated --- objects/registry-key/definition.json | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) 
diff --git a/objects/registry-key/definition.json b/objects/registry-key/definition.json
index d5a74ab..ce8ca1c 100644
--- a/objects/registry-key/definition.json
+++ b/objects/registry-key/definition.json
@@ -70,9 +70,31 @@
 "ui-priority": 1,
 "disable_correlation": true,
 "misp-attribute": "text"
+ },
+ "root-keys": {
+ "description": "Root key of the Windows registry (extracted from the key)",
+ "sane_default": [
+ "HKCC",
+ "HKCR",
+ "HKCU",
+ "HKDD",
+ "HKEY_CLASSES_ROOT",
+ "HKEY_CURRENT_CONFIG",
+ "HKEY_CURRENT_USER",
+ "HKEY_DYN_DATA",
+ "HKEY_LOCAL_MACHINE",
+ "HKEY_PERFORMANCE_DATA",
+ "HKEY_USERS",
+ "HKLM",
+ "HKPD",
+ "HKU"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
 }
 },
- "version": 3,
+ "version": 4,
 "description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
 "meta-category": "file",
 "uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
From cd528865bbc6c3a2997a8e3c4bf0b3d940aaf492 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 22 Jan 2018 13:34:33 +0100 Subject: [PATCH 28/31] add: Object to describe mutual exclusion locks (mutex) as seen in memory or computer program --- objects/mutex/definition.json | 31 +++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 objects/mutex/definition.json
diff --git a/objects/mutex/definition.json b/objects/mutex/definition.json
new file mode 100644
index 0000000..f9d23aa
--- /dev/null
+++ b/objects/mutex/definition.json
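Review bot: The `root-keys` `sane_default` lists both the abbreviated and the long spelling of the same hive (`HKLM` and `HKEY_LOCAL_MACHINE`, `HKCU` and `HKEY_CURRENT_USER`, `HKCR` and `HKEY_CLASSES_ROOT`, …), so the same root gets recorded two ways and a filter on either spelling misses the objects using the other; keep one canonical set (the `HKEY_*` form that appears in key paths is the natural choice) and drop the duplicates. The attribute name is plural but it takes a single value (no `"multiple": true`), so `root-key` would match the rest of the template. Because the value is "extracted from the key" it duplicates information already in `key` and can drift from it; the description should say it is derived for filtering and must agree with `key`. The enclosing `attributes` object starts before this hunk.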
@@ -0,0 +1,31 @@
+{
+ "requiredOneOf": [
+ "name"
+ ],
+ "attributes": {
+ "description": {
+ "description": "Description",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "operating-system": {
+ "description": "Operating system where the mutex has been seen",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Windows",
+ "Unix"
+ ]
+ },
+ "name": {
+ "description": "name of the mutex",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Object to describe mutual exclusion locks (mutex) as seen in memory or computer program",
+ "meta-category": "misc",
+ "uuid": "9f5c1a68-2021-4faa-b409-61c899c86466",
+ "name": "mutex"
+}
From 90e72d58953896a6a63f8200607c012f9aa40733 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 22 Jan 2018 14:16:46 +0100 Subject: [PATCH 29/31] fix: person object updated to match AML client record + various fixes --- objects/person/definition.json | 45 ++++++++++++++++++++++++++++------ 1 file changed, 37 insertions(+), 8 deletions(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index 5f7f5ca..484cc99 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
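Review bot: `operating-system` is an enumerated value (`Windows`/`Unix`) left with correlation enabled, so every mutex object seen on the same OS correlates with every other one, which is pure noise; the comparable enumerations in this series (`sandbox-type`, `root-keys`, annotation `type`) set `"disable_correlation": true`, and the free-text `description` here should get it for the same reason. Add `"disable_correlation": true` to both `operating-system` and `description`, leaving `name` as the only correlating attribute. The `name` description ("name of the mutex") also omits the one detail needed to match mutex names reliably — whether the value includes the namespace prefix — e.g. `"Name of the mutex as used by the program (include the Global\\ or Local\\ prefix when known)"`.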
@@ -16,14 +16,32 @@
 "misp-attribute": "last-name"
 },
 "middle-name": {
- "description": "Middle name of a natural person",
+ "description": "Middle name of a natural person.",
 "ui-priority": 0,
 "misp-attribute": "middle-name"
 },
 "first-name": {
 "description": "First name of a natural person.",
 "ui-priority": 0,
- "misp-attribute": "first-name"
+ "misp-attribute": "first-name",
+ "disable_correlation": true
+ },
+ "mothers-name": {
+ "description": "Mother name, father, second name or other names following country's regulation.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "title": {
+ "description": "Title of the natural person such as Dr. or equivalent.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "alias": {
+ "description": "Alias name or known as.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
 },
 "date-of-birth": {
 "description": "Date of birth of a natural person (in YYYY-MM-DD format).",
@@ -33,7 +51,8 @@
 "place-of-birth": {
 "description": "Place of birth of a natural person.",
 "ui-priority": 0,
- "misp-attribute": "place-of-birth"
+ "misp-attribute": "place-of-birth",
+ "disable_correlation": true
 },
 "gender": {
 "description": "The gender of a natural person.",
@@ -44,7 +63,8 @@
 "Female",
 "Other",
 "Prefer not to say"
- ]
+ ],
+ "disable_correlation": true
 },
 "passport-number": {
 "description": "The passport number of a natural person.",
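Review bot: The `mothers-name` description ("Mother name, father, second name or other names following country's regulation.") does not say what the value is, and the attribute name promises only a mother's name while the text covers a father's name and second surnames; either rename the attribute to what it holds (e.g. `parent-name`) or tighten the description, e.g. `"Mother's name, father's name, second surname or other name required for identification under the relevant country's regulation."`. It is also the only new attribute at `"ui-priority": 1` while every sibling added here is at 0, which looks accidental. The enclosing `attributes` object starts before this hunk.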
@@ -54,25 +74,34 @@
 "passport-country": {
 "description": "The country in which the passport was issued.",
 "ui-priority": 0,
- "misp-attribute": "passport-country"
+ "misp-attribute": "passport-country",
+ "disable_correlation": true
 },
 "passport-expiration": {
 "description": "The expiration date of a passport.",
 "ui-priority": 0,
- "misp-attribute": "passport-expiration"
+ "misp-attribute": "passport-expiration",
+ "disable_correlation": true
 },
 "redress-number": {
 "description": "The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.",
 "ui-priority": 0,
 "misp-attribute": "redress-number"
 },
+ "social-security-number": {
+ "description": "Social security number",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "nationality": {
 "description": "The nationality of a natural person.",
 "ui-priority": 0,
- "misp-attribute": "nationality"
+ "misp-attribute": "nationality",
+ "multiple": true,
+ "disable_correlation": true
 }
 },
- "version": 2,
+ "version": 3,
 "description": "An person which describes a person or an identity.",
 "meta-category": "misc",
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
From 0f3b8195f5d483812d28d91f6911428f3fbbb826 Mon Sep 17 00:00:00 2001 From: garanews Date: Tue, 23 Jan 2018 10:12:07 +0100 Subject: [PATCH 30/31] sandbox-signature Added object sb-signature --- objects/sb-signature/definition.json | 50 ++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 objects/sb-signature/definition.json
diff --git a/objects/sb-signature/definition.json b/objects/sb-signature/definition.json
new file mode 100644
index 0000000..5d8874c
--- /dev/null
+++ b/objects/sb-signature/definition.json
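Review bot: `social-security-number` is added as a plain `text` attribute with a one-word description and no indication of which country's scheme is meant, although the commit message ties the object to AML client records, where the number's format and even its name differ per jurisdiction; say so in the description, e.g. `"Social security or national identification number of a natural person (scheme depends on the issuing country; record the country in nationality or passport-country)."`. It is also the most sensitive field in the object, and unlike `passport-number` it has no dedicated MISP type, so nothing downstream can recognise it as personal data for masking or distribution rules; if a dedicated type cannot be added, the description should at least flag it as sensitive personal data to be shared only at an appropriate distribution level. The object's top-level description ("An person which describes a person or an identity.") is untouched by this patch but reads as "A person object describing a natural person or an identity." The enclosing `attributes` object starts before this hunk.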
@@ -0,0 +1,50 @@
+{
+ "required": [
+ "software",
+ "signature"
+ ],
+ "attributes": {
+ "software": {
+ "description": "Name of Sandbox software",
+ "disable_correlation": true,
+ "categories": [
+ "Sandbox detection"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "signature": {
+ "description": "Name of detection signature",
+ "comment": "Description of detection signature",
+ "categories": [
+ "Sandbox detection"
+ ],
+ "ui-priority": 2,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "text": {
+ "description": "Additional signature description",
+ "disable_correlation": true,
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "datetime": {
+ "description": "Datetime",
+ "disable_correlation": true,
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "Sandbox detection signature",
+ "meta-category": "misc",
+ "uuid": "984c5c39-be7f-4e1e-b034-d3213bac51cb",
+ "name": "sb-signature"
+}
\ No newline at end of file
From 8c178fd837b91b62065264bd540c249ebaf164f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 23 Jan 2018 10:43:36 +0100 Subject: [PATCH 31/31] fix: Make JQ happy. --- objects/sb-signature/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/sb-signature/definition.json b/objects/sb-signature/definition.json
index 5d8874c..2635704 100644
--- a/objects/sb-signature/definition.json
+++ b/objects/sb-signature/definition.json
@@ -15,7 +15,7 @@
 },
 "signature": {
 "description": "Name of detection signature",
- "comment": "Description of detection signature",
+ "comment": "Description of detection signature",
 "categories": [
 "Sandbox detection"
 ],
@@ -47,4 +47,4 @@
 "meta-category": "misc",
 "uuid": "984c5c39-be7f-4e1e-b034-d3213bac51cb",
 "name": "sb-signature"
-}
\ No newline at end of file
+}
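Review bot: The `signature` attribute carries a `"comment"` key that no other template in this series uses (every other attribute expresses this through `description`), so if the template loader does not recognise the key it is silently ignored — fold the wording into `description` or drop it. `categories` is set to `"Sandbox detection"`, a category that appears nowhere else in these templates; the closest object, sandbox-report, uses `"External analysis"`, and a category the MISP instance does not know will be rejected or ignored rather than applied, so this needs checking against the instance's category list before merging. The object is named `sb-signature` while its sibling is `sandbox-report` and the commit title itself says `sandbox-signature`; spelling it out keeps the two discoverable together. `datetime`'s description ("Datetime") says nothing about which moment is recorded — presumably when the signature fired during the analysis, e.g. `"Time at which the signature triggered in the sandbox run"` (confirm the intent).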