add elf,elf-section and number of sections in a pe, and move pehash in pe

pull/8/head
Sébastien Larinier 2017-03-13 17:23:42 +01:00
parent 47725c5742
commit 3ec78c72e4
4 changed files with 131 additions and 4 deletions


@ -0,0 +1,77 @@
{
"name": "elf-section",
"meta-category": "file",
"description": "Object describing a section of an Executable and Linkable Format",
"version": 1,
"attributes": {
"name": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true
},
"Flags": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"sane_default": [
"W (write)",
"A (alloc)",
"X (execute)",
"M (merge)",
"S (strings)",
"I (info)",
"L (link order)",
"O (extra OS processing required)",
"G (group)",
"T (TLS)",
"C (compressed)",
"x (unknown)",
"o (OS specific)",
"E (exclude)",
"l (large)",
"p (processor specific)"
]
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true
},
"size-in-bytes": {
"misp-attribute": "size-in-bytes",
"misp-usage-frequency": 1,
"disable_correlation": true
},
"entropy": {
"misp-attribute": "float",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"md5": {
"misp-attribute": "md5",
"misp-usage-frequency": 1
},
"sha1": {
"misp-attribute": "sha1",
"misp-usage-frequency": 0
},
"sha256": {
"misp-attribute": "sha256",
"misp-usage-frequency": 0
},
"sha512": {
"misp-attribute": "sha512",
"misp-usage-frequency": 0
},
"ssdeep": {
"misp-attribute": "ssdeep",
"misp-usage-frequency": 0
}
},
"requiredOneOf": [
"text",
"name",
"sha1",
"sha256",
"sha512"
]
}
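Review bot: The `Flags` attribute is a `text` type without `disable_correlation`, so a value from its `sane_default` list such as `A (alloc)` would likely correlate across every ELF section object that carries the same flag. Adding `"disable_correlation": true` to that entry, as `name`, `text`, `size-in-bytes` and `entropy` already have, avoids that noise. `Flags` is also the only capitalised key in the template; `flag` would match the other lower-case keys. `requiredOneOf` is satisfied by `name` alone, so an object holding nothing but a section name passes validation; consider whether that is enough to make the object useful. A short `description` on each attribute would help analysts pick the right field.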


@ -0,0 +1,46 @@
{
"name": "elf",
"meta-category": "file",
"description": "Object describing a Executable and Linkable Format",
"version": 1,
"attributes": {
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true
},
"original-filename": {
"misp-attribute": "filename",
"misp-usage-frequency": 1
},
"internal-filename": {
"misp-attribute": "filename",
"misp-usage-frequency": 0
},
"entrypoint-address": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"file-description": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"file-version": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"elf-type": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
}
},
"requiredOneOf": [
"text",
"original-filename",
"internal-filename"
]
}
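Review bot: `original-filename`, `internal-filename`, `file-description` and `file-version` appear to be carried over from the PE template, where they correspond to version-resource fields. ELF has no equivalent resource, yet two of them make up most of `requiredOneOf`. Consider dropping them or documenting in a `description` where a producer is expected to take these values from. `elf-type` is free text with no `sane_default`, unlike `Flags` in the elf-section template; a list such as `ET_REL`, `ET_EXEC`, `ET_DYN`, `ET_CORE` would keep values consistent across producers. The template description should read `"Object describing an Executable and Linkable Format"`.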


@ -27,10 +27,6 @@
"misp-attribute": "ssdeep", "misp-attribute": "ssdeep",
"misp-usage-frequency": 0 "misp-usage-frequency": 0
}, },
"pehash": {
"misp-attribute": "pehash",
"misp-usage-frequency": 0
},
"sha224": { "sha224": {
"misp-attribute": "sha224", "misp-attribute": "sha224",
"misp-usage-frequency": 0 "misp-usage-frequency": 0


@ -8,11 +8,19 @@
"misp-attribute": "imphash", "misp-attribute": "imphash",
"misp-usage-frequency": 0 "misp-usage-frequency": 0
}, },
"pehash": {
"misp-attribute": "pehash",
"misp-usage-frequency": 0
},
"text": { "text": {
"misp-attribute": "text", "misp-attribute": "text",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"disable_correlation": true "disable_correlation": true
}, },
"number of sections": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"original-filename": { "original-filename": {
"misp-attribute": "filename", "misp-attribute": "filename",
"misp-usage-frequency": 1 "misp-usage-frequency": 1
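Review bot: The new `number of sections` key contains spaces, while the other keys in this hunk are lower-case and hyphenated (`original-filename`). As a `text` attribute without `disable_correlation`, a small count (for example a constructed value of `4`) would likely correlate across unrelated PE objects. Something like `"number-sections": { "misp-attribute": "counter", "misp-usage-frequency": 0, "disable_correlation": true }` would address both, assuming the `counter` type is available in the targeted MISP version. The `attributes` object starts and ends outside the hunk.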