diff --git a/README.md b/README.md
index 3de8efb..1f2697e 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,7 @@ for a specific attribute.
 * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
 * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
 * [objects/email](objects/email/definition.json) - An email object.
+* [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
 * [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
 * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
 * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
@@ -102,6 +103,7 @@ for a specific attribute.
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
+* [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
 * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
@@ -110,6 +112,7 @@ for a specific attribute.
 * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
 * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
 * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
+* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported.
 ## MISP objects relationships
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
new file mode 100644
index 0000000..90b0151
--- /dev/null
+++ b/objects/fail2ban/definition.json
@@ -0,0 +1,61 @@
+{
+ "required": [
+ "banned-ip",
+ "processing-timestamp",
+ "attack-type"
+ ],
+ "attributes": {
+ "banned-ip": {
+ "description": "IP Address banned by fail2ban",
+ "ui-priority": 1,
+ "misp-attribute": "ip-src"
+ },
+ "processing-timestamp": {
+ "description": "Timestamp of the report",
+ "ui-priority": 1,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "attack-type": {
+ "description": "Type of the attack",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "failures": {
+ "description": "Amount of failures that lead to the ban.",
+ "ui-priority": 1,
+ "misp-attribute": "counter",
+ "disable_correlation": true
+ },
+ "sensor": {
+ "description": "Identifier of the sensor",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "victim": {
+ "description": "Identifier of the victim",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "logline": {
+ "description": "Example log line that caused the ban.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "logfile": {
+ "description": "Full logfile related to the attack.",
+ "ui-priority": 1,
+ "misp-attribute": "attachment",
+ "disable_correlation": true
+ }
+ },
+ "version": 5,
+ "description": "Fail2ban event",
+ "meta-category": "network",
+ "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
+ "name": "fail2ban"
+}
diff --git a/objects/stix2-pattern/definition.json b/objects/stix2-pattern/definition.json
index 5abd6f0..ab49a22 100644
--- a/objects/stix2-pattern/definition.json
+++ b/objects/stix2-pattern/definition.json
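Review bot: The `uuid` of the new fail2ban template, `8be2271-7326-41a5-a0dd-9b4bec88e1ba`, is not a well-formed UUID — the first group has seven hex digits instead of eight — so any consumer that validates or parses template UUIDs is likely to reject or mis-key this object, and since MISP identifies object templates by UUID this is hard to change once published. Generate a fresh UUIDv4 before merging, e.g. `"uuid": "<GENERATED-UUIDV4>"`; the other new templates in this commit (suricata, yara) carry well-formed values. Starting a brand-new file at `"version": 5` also looks like a carried-over value; if this template had no prior public history, `1` would be the conventional starting point.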
@@ -12,9 +12,17 @@
 "description": "STIX 2 pattern",
 "ui-priority": 0,
 "misp-attribute": "stix2-pattern"
+ },
+ "version": {
+ "description": "Version of STIX 2 pattern.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "stix 2.0"
+ ]
 }
 },
- "version": 1,
+ "version": 2,
 "description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
 "meta-category": "misc",
 "uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
diff --git a/objects/suricata/definition.json b/objects/suricata/definition.json
new file mode 100644
index 0000000..ddbe458
--- /dev/null
+++ b/objects/suricata/definition.json
@@ -0,0 +1,32 @@
+{
+ "requiredOneOf": [
+ "suricata"
+ ],
+ "attributes": {
+ "comment": {
+ "description": "A description of the Suricata rule.",
+ "ui-priority": 0,
+ "misp-attribute": "comment"
+ },
+ "suricata": {
+ "description": "Suricata rule.",
+ "ui-priority": 0,
+ "misp-attribute": "suricata"
+ },
+ "version": {
+ "description": "Version of the Suricata rule depending where the suricata rule is known to work as expected.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ref": {
+ "description": "Reference to the Suricata rule such as origin of the rule or alike.",
+ "misp-attribute": "link",
+ "ui-priority": 0
+ }
+ },
+ "version": 1,
+ "description": "An object describing a Suricata rule along with its version and context",
+ "meta-category": "network",
+ "uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a",
+ "name": "suricata"
+}
diff --git a/objects/whois/definition.json b/objects/whois/definition.json
index 320873c..0c4d5b0 100644
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@@ -4,10 +4,10 @@
 "registrant-phone",
 "creation-date",
 "registrant-name",
- "registrar"
- ],
- "required": [
- "domain"
+ "registrar",
+ "text",
+ "domain",
+ "ip-address"
 ],
 "attributes": {
 "text": {
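Review bot: The `sane_default` for the new `version` attribute spells the STIX version as `"stix 2.0"`, while the relationships file touched later in this commit identifies the same format as `"stix-2.0"`; because `version` is a free `text` attribute, anyone filtering or correlating on it will have to handle both spellings. Consider aligning on one form, e.g. `"stix-2.0"`, and making the description say what the value denotes, e.g. `"description": "STIX specification version the pattern is written against."`. The `attributes` object this hunk edits opens before the hunk.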
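Review bot: The description of the suricata `version` attribute, `Version of the Suricata rule depending where the suricata rule is known to work as expected.`, is ungrammatical and leaves it unclear whether the value is the rule's own revision or the Suricata engine version the rule was validated against; the same sentence appears in the new objects/yara/definition.json later in this commit. If the engine version is meant, `"description": "Suricata engine version the rule is known to work with."` (and the analogous wording for yara) states it plainly. Two smaller inconsistencies: yara's `version` ships a `sane_default` while suricata's has none, and `ref` lists `misp-attribute` before `ui-priority`, unlike every other attribute in the file.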
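Review bot: Moving `domain` from `required` into `requiredOneOf` and adding `text` to that list means a whois object can now be created carrying only the raw `text` blob, with neither `domain` nor `ip-address`, so the guaranteed correlating key the old `"required": ["domain"]` provided is gone. If that is intentional for IP-based records it would be worth saying so in the object description; otherwise keeping `text` out of `requiredOneOf` (`"registrar", "domain", "ip-address"`) preserves the invariant. The `requiredOneOf` array opens before the hunk, so its remaining entries are not visible here.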
@@ -73,12 +73,22 @@
 "Network activity",
 "External analysis"
 ],
- "ui-priority": 1,
+ "ui-priority": 0,
 "misp-attribute": "domain"
+ },
+ "comment": {
+ "description": "Comment of the whois entry",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ip-address": {
+ "description": "IP address of the whois entry",
+ "ui-priority": 0,
+ "misp-attribute": "ip-src"
 }
 },
- "version": 7,
- "description": "Whois records information for a domain name.",
+ "version": 9,
+ "description": "Whois records information for a domain name or an IP address.",
 "meta-category": "network",
 "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
 "name": "whois"
diff --git a/objects/x509/definition.json b/objects/x509/definition.json
index f87af6d..106a90c 100644
--- a/objects/x509/definition.json
+++ b/objects/x509/definition.json
@@ -2,7 +2,8 @@
 "requiredOneOf": [
 "x509-fingerprint-md5",
 "x509-fingerprint-sha1",
- "x509-fingerprint-sha256"
+ "x509-fingerprint-sha256",
+ "serial-number"
 ],
 "attributes": {
 "subject": {
@@ -48,7 +49,12 @@
 "misp-attribute": "x509-fingerprint-sha256"
 },
 "raw-base64": {
- "description": "Raw certificate base64 encoded",
+ "description": "Raw certificate base64 encoded (DER format)",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "pem": {
+ "description": "Raw certificate in PEM formati (Unix-like newlines)",
 "ui-priority": 0,
 "misp-attribute": "text"
 },
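Review bot: The new whois `comment` attribute maps to `"misp-attribute": "text"`, whereas the `comment` attributes in the suricata and yara templates added in this same commit map to the `comment` attribute type; a correlating free-text `text` attribute named `comment` will behave differently from its namesakes. Unless correlation on comments is wanted here, `"misp-attribute": "comment"` keeps the templates consistent, and `"description": "Comment on the whois entry"` reads better. The `version` jumps from 7 to 9; if no intermediate version was published, that gap may be unintended.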
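Review bot: `serial-number` is added to `requiredOneOf` as a sufficient identifier, but a certificate serial number is unique only within one issuer, so an x509 object carrying just a serial number does not pin down a single certificate the way the fingerprint alternatives do and can correlate unrelated certificates from different CAs. If the template has an issuer attribute (not visible in this hunk), consider documenting that `serial-number` should be paired with it, e.g. `"description": "Certificate serial number; unique only per issuer, pair with the issuer attribute."`. The `attributes` object continues past the hunk.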
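Review bot: The new `pem` attribute's description contains a typo, `PEM formati`; it should read `"description": "Raw certificate in PEM format (Unix-like newlines)"`. The `raw-base64` description now asserts `(DER format)`, which is an assumption about what producers actually store there; if existing data could hold base64 of other encodings, phrasing it as the expected input (`"Raw DER certificate, base64 encoded"`) is safer than asserting it about stored values. The `attributes` object continues past the hunk.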
@@ -81,9 +87,25 @@
 "description": "Version of the certificate",
 "ui-priority": 0,
 "misp-attribute": "text"
+ },
+ "self_signed": {
+ "description": "Self-signed certificate",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "is_ca": {
+ "description": "CA certificate",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "dns_names": {
+ "description": "DNS names",
+ "multiple": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
 }
 },
- "version": 5,
+ "version": 7,
 "description": "x509 object describing a X.509 certificate",
 "meta-category": "network",
 "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
diff --git a/objects/yara/definition.json b/objects/yara/definition.json
new file mode 100644
index 0000000..4b4724d
--- /dev/null
+++ b/objects/yara/definition.json
@@ -0,0 +1,30 @@
+{
+ "requiredOneOf": [
+ "yara"
+ ],
+ "attributes": {
+ "comment": {
+ "description": "A description of the YARA rule.",
+ "ui-priority": 0,
+ "misp-attribute": "comment"
+ },
+ "yara": {
+ "description": "YARA rule.",
+ "ui-priority": 0,
+ "misp-attribute": "yara"
+ },
+ "version": {
+ "sane_default": [
+ "3.7.1"
+ ],
+ "description": "Version of the YARA rule depending where the yara rule is known to work as expected.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 2,
+ "description": "An object describing a YARA rule along with its version.",
+ "meta-category": "misc",
+ "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
+ "name": "yara"
+}
diff --git a/relationships/definition.json b/relationships/definition.json
index 5e6083e..ae5f3db 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -25,6 +25,14 @@
 "stix-2.0"
 ]
 },
+ {
+ "name": "connected-to",
+ "description": "The referenced source is connected to the target object.",
+ "format": [
+ "misp",
+ "stix-1.1"
+ ]
+ },
 {
 "name": "attributed-to",
 "description": "This referenced source is attributed to the target object.",
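Review bot: The three new attributes `self_signed`, `is_ca` and `dns_names` use snake_case, while every other attribute name in this template visible in the commit (`raw-base64`, `serial-number`, `x509-fingerprint-sha256`) and the other templates use kebab-case; attribute names are part of the template contract and are painful to rename once data exists, so this is the moment to settle on `self-signed`, `is-ca`, `dns-names`. The boolean descriptions also do not say what `true` means: `"description": "Whether the certificate is self-signed"` and `"description": "Whether the certificate is a CA certificate"` are unambiguous, and `dns_names` should name where the values come from (presumably the subjectAltName DNS entries — confirm) rather than just `DNS names`. The `attributes` object this hunk edits opens before the hunk.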