Merge pull request #2 from MISP/master

Updated from master
2018-04-05 18:07:52 +02:00 · 2018-04-05 18:07:52 +02:00 · 448867f298
parent 08fc36c8d0 1ff6cbf67a
commit 448867f298
8 changed files with 185 additions and 11 deletions
--- a/README.md
+++ b/README.md
@ -82,6 +82,7 @@ for a specific attribute.
 * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
 * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
 * [objects/email](objects/email/definition.json) - An email object.
+* [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
 * [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
 * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
 * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
@ -102,6 +103,7 @@ for a specific attribute.
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
+* [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
 * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
@ -110,6 +112,7 @@ for a specific attribute.
 * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
 * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
 * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
+* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported.

 ## MISP objects relationships

--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@ -0,0 +1,61 @@
+{
+  "required": [
+    "banned-ip",
+    "processing-timestamp",
+    "attack-type"
+  ],
+  "attributes": {
+    "banned-ip": {
+      "description": "IP Address banned by fail2ban",
+      "ui-priority": 1,
+      "misp-attribute": "ip-src"
+    },
+    "processing-timestamp": {
+      "description": "Timestamp of the report",
+      "ui-priority": 1,
+      "misp-attribute": "datetime",
+      "disable_correlation": true
+    },
+    "attack-type": {
+      "description": "Type of the attack",
+      "ui-priority": 1,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "failures": {
+      "description": "Amount of failures that lead to the ban.",
+      "ui-priority": 1,
+      "misp-attribute": "counter",
+      "disable_correlation": true
+    },
+    "sensor": {
+      "description": "Identifier of the sensor",
+      "ui-priority": 1,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "victim": {
+      "description": "Identifier of the victim",
+      "ui-priority": 1,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "logline": {
+      "description": "Example log line that caused the ban.",
+      "ui-priority": 1,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "logfile": {
+      "description": "Full logfile related to the attack.",
+      "ui-priority": 1,
+      "misp-attribute": "attachment",
+      "disable_correlation": true
+    }
+  },
+  "version": 5,
+  "description": "Fail2ban event",
+  "meta-category": "network",
+  "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
+  "name": "fail2ban"
+}
--- a/objects/stix2-pattern/definition.json
+++ b/objects/stix2-pattern/definition.json
@ -12,9 +12,17 @@
      "description": "STIX 2 pattern",
      "ui-priority": 0,
      "misp-attribute": "stix2-pattern"
+    },
+    "version": {
+      "description": "Version of STIX 2 pattern.",
+      "ui-priority": 0,
+      "misp-attribute": "text",
+      "sane_default": [
+        "stix 2.0"
+      ]
    }
  },
-  "version": 1,
+  "version": 2,
  "description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
  "meta-category": "misc",
  "uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
--- a/objects/suricata/definition.json
+++ b/objects/suricata/definition.json
@ -0,0 +1,32 @@
+{
+  "requiredOneOf": [
+    "suricata"
+  ],
+  "attributes": {
+    "comment": {
+      "description": "A description of the Suricata rule.",
+      "ui-priority": 0,
+      "misp-attribute": "comment"
+    },
+    "suricata": {
+      "description": "Suricata rule.",
+      "ui-priority": 0,
+      "misp-attribute": "suricata"
+    },
+    "version": {
+      "description": "Version of the Suricata rule depending where the suricata rule is known to work as expected.",
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "ref": {
+      "description": "Reference to the Suricata rule such as origin of the rule or alike.",
+      "misp-attribute": "link",
+      "ui-priority": 0
+    }
+  },
+  "version": 1,
+  "description": "An object describing a Suricata rule along with its version and context",
+  "meta-category": "network",
+  "uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a",
+  "name": "suricata"
+}
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@ -4,10 +4,10 @@
    "registrant-phone",
    "creation-date",
    "registrant-name",
-    "registrar"
-  ],
-  "required": [
-    "domain"
+    "registrar",
+    "text",
+    "domain",
+    "ip-address"
  ],
  "attributes": {
    "text": {
@ -73,12 +73,22 @@
        "Network activity",
        "External analysis"
      ],
-      "ui-priority": 1,
+      "ui-priority": 0,
      "misp-attribute": "domain"
+    },
+    "comment": {
+      "description": "Comment of the whois entry",
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "ip-address": {
+      "description": "IP address of the whois entry",
+      "ui-priority": 0,
+      "misp-attribute": "ip-src"
    }
  },
-  "version": 7,
-  "description": "Whois records information for a domain name.",
+  "version": 9,
+  "description": "Whois records information for a domain name or an IP address.",
  "meta-category": "network",
  "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
  "name": "whois"
--- a/objects/x509/definition.json
+++ b/objects/x509/definition.json
@ -2,7 +2,8 @@
  "requiredOneOf": [
    "x509-fingerprint-md5",
    "x509-fingerprint-sha1",
-    "x509-fingerprint-sha256"
+    "x509-fingerprint-sha256",
+    "serial-number"
  ],
  "attributes": {
    "subject": {
@ -48,7 +49,12 @@
      "misp-attribute": "x509-fingerprint-sha256"
    },
    "raw-base64": {
-      "description": "Raw certificate base64 encoded",
+      "description": "Raw certificate base64 encoded (DER format)",
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "pem": {
+      "description": "Raw certificate in PEM formati (Unix-like newlines)",
      "ui-priority": 0,
      "misp-attribute": "text"
    },
@ -81,9 +87,25 @@
      "description": "Version of the certificate",
      "ui-priority": 0,
      "misp-attribute": "text"
+    },
+    "self_signed": {
+      "description": "Self-signed certificate",
+      "ui-priority": 0,
+      "misp-attribute": "boolean"
+    },
+    "is_ca": {
+      "description": "CA certificate",
+      "ui-priority": 0,
+      "misp-attribute": "boolean"
+    },
+    "dns_names": {
+      "description": "DNS names",
+      "multiple": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
    }
  },
-  "version": 5,
+  "version": 7,
  "description": "x509 object describing a X.509 certificate",
  "meta-category": "network",
  "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
--- a/objects/yara/definition.json
+++ b/objects/yara/definition.json
@ -0,0 +1,30 @@
+{
+  "requiredOneOf": [
+    "yara"
+  ],
+  "attributes": {
+    "comment": {
+      "description": "A description of the YARA rule.",
+      "ui-priority": 0,
+      "misp-attribute": "comment"
+    },
+    "yara": {
+      "description": "YARA rule.",
+      "ui-priority": 0,
+      "misp-attribute": "yara"
+    },
+    "version": {
+      "sane_default": [
+        "3.7.1"
+      ],
+      "description": "Version of the YARA rule depending where the yara rule is known to work as expected.",
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    }
+  },
+  "version": 2,
+  "description": "An object describing a YARA rule along with its version.",
+  "meta-category": "misc",
+  "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
+  "name": "yara"
+}
--- a/relationships/definition.json
+++ b/relationships/definition.json
@ -25,6 +25,14 @@
        "stix-2.0"
      ]
    },
+    {
+      "name": "connected-to",
+      "description": "The referenced source is connected to the target object.",
+      "format": [
+        "misp",
+        "stix-1.1"
+      ]
+    },
    {
      "name": "attributed-to",
      "description": "This referenced source is attributed to the target object.",