From 41a6d596ff2ca0605e719e8af054efb7d06dce06 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 18 Jun 2019 17:38:45 +0200
Subject: [PATCH] chg: [rogue-dns] new object template expressing rogue dns Thanks to CERT.br for the contribution
---
objects/rogue-dns/definition.json | 46 +++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 objects/rogue-dns/definition.json
diff --git a/objects/rogue-dns/definition.json b/objects/rogue-dns/definition.json
new file mode 100644
index 0000000..3e6e4a9
--- /dev/null
+++ b/objects/rogue-dns/definition.json
@@ -0,0 +1,46 @@
+{
+ "required": [
+ "rogue-dns"
+ ],
+ "attributes": {
+ "timestamp": {
+ "description": "Last time that the rogue DNS value was seen.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "rogue-dns": {
+ "description": "IP address of the rogue DNS",
+ "ui-priority": 0,
+ "misp-attribute": "ip-dst"
+ },
+ "status": {
+ "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "ROGUE DNS",
+ "Unknown"
+ ],
+ "disable_correlation": true
+ },
+ "hijacked-domain": {
+ "description": "Domain/hostname hijacked by the the rogue DNS",
+ "categories": [
+ "Network activity"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "phishing-ip": {
+ "description": "Resource records returns by the rogue DNS",
+ "ui-priority": 1,
+ "misp-attribute": "ip-dst"
+ }
+ },
+ "version": 1,
+ "description": "Rogue DNS as defined by CERT.br",
+ "meta-category": "network",
+ "uuid": "b7e7859b-6872-4fd2-ac49-f66ccb904505",
+ "name": "rogue-dns"
+}
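Review bot: The `status` attribute's description ("How many authoritative DNS answers were received at the Passive DNS Server's collectors…") describes an answer count and looks carried over from a passive-DNS template, while its `sane_default` values are `ROGUE DNS` and `Unknown`, so an analyst reading the field help cannot tell what to record. Something like `"description": "Classification of the DNS server when it was last observed."` would match those values, though the exact wording should follow CERT.br's definition. Two smaller wording fixes in the same file: `hijacked by the the rogue DNS` should read `hijacked by the rogue DNS`, and `Resource records returns by` should read `Resource records returned by`. It is also worth confirming that `ui-priority` 0 is intended for the required `rogue-dns` attribute when the optional `hijacked-domain` and `phishing-ip` carry 1.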