From cee578dce19f5b4f87af3272e40772d752836c3d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 16 Mar 2018 11:35:15 +0100
Subject: [PATCH 01/19] add: Connected_To (old STIX 1.1 relationship)

---
 relationships/definition.json | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/relationships/definition.json b/relationships/definition.json
index 5e6083e..ae5f3db 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -25,6 +25,14 @@
 "stix-2.0"
 ]
 },
+ {
+ "name": "connected-to",
+ "description": "The referenced source is connected to the target object.",
+ "format": [
+ "misp",
+ "stix-1.1"
+ ]
+ },
 {
 "name": "attributed-to",
 "description": "This referenced source is attributed to the target object.",
From 982e2d8b7587f81d90f8f58e54aeaae9d89e44ee Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 16 Mar 2018 13:13:35 +0100
Subject: [PATCH 02/19] fix: raw whois is also accepted as single attribute in whois object

Required for importing STIX CybOX 1.1 object where just a raw whois entry is added in remarks.
---
 objects/whois/definition.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/objects/whois/definition.json b/objects/whois/definition.json
index 320873c..0215a41 100644
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@@ -4,7 +4,8 @@
 "registrant-phone",
 "creation-date",
 "registrant-name",
- "registrar"
+ "registrar",
+ "text"
 ],
 "required": [
 "domain"
@@ -77,7 +78,7 @@
 "misp-attribute": "domain"
 }
 },
- "version": 7,
+ "version": 8,
 "description": "Whois records information for a domain name.",
 "meta-category": "network",
 "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
From e7e387804297645064dcc3890b9d90c2cb63fb15 Mon Sep 17 00:00:00 2001
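Review bot: The description of the new `connected-to` entry does not record where the relationship comes from, although the subject line identifies it as the old STIX 1.1 Connected_To relationship and the `format` list is the only trace of that in the data. Consumers mapping relationships back to STIX would benefit from the description carrying it: `"description": "The referenced source is connected to the target object (STIX 1.1 Connected_To relationship)."`. The neighbouring entries visible in the hunk use the wording "This referenced source …", so the new entry's "The referenced source …" is also a small inconsistency.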
From: Alexandre Dulaunoy
Date: Fri, 16 Mar 2018 13:29:39 +0100
Subject: [PATCH 03/19] fix: whois record object updated to cover both cases: domain or IP address

---
 objects/whois/definition.json | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/objects/whois/definition.json b/objects/whois/definition.json
index 0215a41..0c4d5b0 100644
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@@ -5,10 +5,9 @@
 "creation-date",
 "registrant-name",
 "registrar",
- "text"
- ],
- "required": [
- "domain"
+ "text",
+ "domain",
+ "ip-address"
 ],
 "attributes": {
 "text": {
@@ -74,12 +73,22 @@
 "Network activity",
 "External analysis"
 ],
- "ui-priority": 1,
+ "ui-priority": 0,
 "misp-attribute": "domain"
+ },
+ "comment": {
+ "description": "Comment of the whois entry",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ip-address": {
+ "description": "IP address of the whois entry",
+ "ui-priority": 0,
+ "misp-attribute": "ip-src"
 }
 },
- "version": 8,
- "description": "Whois records information for a domain name.",
+ "version": 9,
+ "description": "Whois records information for a domain name or an IP address.",
 "meta-category": "network",
 "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
 "name": "whois"
From c92ee2e46179f2b30ff1011950f16af38e0f94fc Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 19 Mar 2018 17:33:45 +0100
Subject: [PATCH 04/19] fix: version field added if stix2-pattern has multiple version in the future

---
 objects/stix2-pattern/definition.json | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/objects/stix2-pattern/definition.json b/objects/stix2-pattern/definition.json
index 5abd6f0..ab49a22 100644
--- a/objects/stix2-pattern/definition.json
+++ b/objects/stix2-pattern/definition.json
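Review bot: The new `comment` attribute in the second whois hunk is mapped to the `text` MISP type, while the `comment` attributes added to the yara and suricata templates later in this series (patches 10 and 17) map to the `comment` type; one convention should be chosen so that the same attribute name does not land in different types across templates. The new `ip-address` attribute is typed `ip-src`, which asserts a traffic role that a whois lookup does not imply; if no role-neutral IP type is available, the description should at least say what the value is, e.g. `"description": "IP address the whois record was looked up for (stored as ip-src for lack of a neutral IP type)"`. The README entry for objects/whois, visible as context in patch 15, still reads "Whois records information for a domain name." and should be updated to match the description changed in this hunk.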
@@ -12,9 +12,17 @@
 "description": "STIX 2 pattern",
 "ui-priority": 0,
 "misp-attribute": "stix2-pattern"
+ },
+ "version": {
+ "description": "Version of STIX 2 pattern.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "stix 2.0"
+ ]
 }
 },
- "version": 1,
+ "version": 2,
 "description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
 "meta-category": "misc",
 "uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
From 1f8a26fa3ee7dac5e015d94d0b8f1280a55f3fa0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 26 Mar 2018 10:54:44 +0200
Subject: [PATCH 05/19] new: Fail2ban object

---
 objects/fail2ban/definition.json | 44 ++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100644 objects/fail2ban/definition.json

diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
new file mode 100644
index 0000000..cfd9757
--- /dev/null
+++ b/objects/fail2ban/definition.json
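Review bot: The new `version` attribute is a `text` attribute with correlation left enabled (no `disable_correlation` key), and its value is near-constant — the `sane_default` is `"stix 2.0"` — so every stix2-pattern object would correlate with every other object carrying that string, which is noise rather than a useful link. Patch 11 in this series uses `"disable_correlation": true` on exactly this kind of free-text attribute, so the same key should be added next to `"misp-attribute": "text"` here. The same point applies to the `version` attribute of the yara template (patch 10) and of the suricata template (patch 17); it is worth checking whether it also applies to the `self_signed` and `is_ca` booleans of the x509 template (patch 19), whose two possible values would otherwise link every certificate with every other. Naming the attribute `version` directly above the template-level `"version": 2` key is also easy to misread; a name such as `stix-version` would avoid that, although renaming is a separate decision.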
@@ -0,0 +1,44 @@
+{
+ "required":[
+ "banned-ip",
+ "processing-timestamp",
+ "attack-type"
+ ],
+ "attributes": {
+ "banned-ip": {
+ "description": "IP Address banned by fail2ban",
+ "ui-priority": 1,
+ "misp-attribute": "ipsrc"
+ },
+ "timestamp": {
+ "description": "Timestamp of the report",
+ "ui-priority": 1,
+ "misp-attribute": "datetime"
+ },
+ "attack-type": {
+ "description": "Type of the attack",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "failures": {
+ "description": "Amount of failures that lead to the ban.",
+ "ui-priority": 1,
+ "misp-attribute": "counter"
+ },
+ "sensor": {
+ "description": "Identifier of the sensor",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "victim": {
+ "description": "Identifier of the victim",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Fail2ban event",
+ "meta-category": "network",
+ "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
+ "name": "fail2ban"
+}
From aa30a49796eaca04e4e56631cdfe01b403770da8 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Mar 2018 11:28:32 +0200
Subject: [PATCH 06/19] fix: attribute type fixed

---
 objects/fail2ban/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index cfd9757..751833c 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -8,7 +8,7 @@
 "banned-ip": {
 "description": "IP Address banned by fail2ban",
 "ui-priority": 1,
- "misp-attribute": "ipsrc"
+ "misp-attribute": "ip-src"
 },
 "timestamp": {
 "description": "Timestamp of the report",
@@ -36,7 +36,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "Fail2ban event",
 "meta-category": "network",
 "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
From b0755e3ca858027b6510e2330b9a38ccc1eae2d0 Mon Sep 17 00:00:00 2001
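Review bot: The `uuid` value `8be2271-7326-41a5-a0dd-9b4bec88e1ba` in the new fail2ban template is not a well-formed UUID: its first group has seven hex digits where the 8-4-4-4-12 layout requires eight. The template uuid is what identifies the object template once it is published, so it should be replaced with a freshly generated UUID before release; the malformed value is still present unchanged as context in the later fail2ban patches on this page (6, 9, 11 and 14), so whichever patch corrects it also needs a `version` bump. The mismatch between `"processing-timestamp"` in `required` and the `"timestamp"` attribute, and the `ipsrc` type, are corrected later in the series (patches 9 and 6), so the uuid is the one defect that remains open.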
From: Alexandre Dulaunoy
Date: Mon, 26 Mar 2018 11:37:38 +0200
Subject: [PATCH 07/19] jq all

---
 objects/fail2ban/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index 751833c..dd4fc95 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -1,5 +1,5 @@
 {
- "required":[
+ "required": [
 "banned-ip",
 "processing-timestamp",
 "attack-type"
From 1f8fd57d69a1162a60532ac63f309458f69bec60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 26 Mar 2018 11:41:00 +0200
Subject: [PATCH 08/19] chg: Fix&update fail2ban def

---
 objects/fail2ban/definition.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index cfd9757..f28ecb1 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -8,7 +8,7 @@
 "banned-ip": {
 "description": "IP Address banned by fail2ban",
 "ui-priority": 1,
- "misp-attribute": "ipsrc"
+ "misp-attribute": "ip-src"
 },
 "timestamp": {
 "description": "Timestamp of the report",
@@ -34,6 +34,11 @@
 "description": "Identifier of the victim",
 "ui-priority": 1,
 "misp-attribute": "text"
+ },
+ "logline": {
+ "description": "Example log line that caused the ban.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
 }
 },
 "version": 1,
From 7c2e07a50b944d265f92cfba712d872091c1c199 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 26 Mar 2018 12:05:17 +0200
Subject: [PATCH 09/19] fix: wrong attribute name

---
 objects/fail2ban/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index a199f9e..3e5d68a 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
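Review bot: The second hunk of patch 8 adds the `logline` attribute but leaves the template-level `"version": 1,` (visible as trailing context) untouched, whereas every other attribute change in this series bumps the version; a MISP instance that has already loaded version 1 of the template would not pick up the new attribute. The `index cfd9757..f28ecb1` line shows the patch is based on the tree before patch 6, which is why its first hunk repeats the `ipsrc` → `ip-src` fix and why the version 2 bump from patch 6 is missing; patch 9 later bumps to 3, which appears to be where this gets resolved, but the commit is inconsistent on its own.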
@@ -10,7 +10,7 @@
 "ui-priority": 1,
 "misp-attribute": "ip-src"
 },
- "timestamp": {
+ "processing-timestamp": {
 "description": "Timestamp of the report",
 "ui-priority": 1,
 "misp-attribute": "datetime"
@@ -41,7 +41,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 2,
+ "version": 3,
 "description": "Fail2ban event",
 "meta-category": "network",
 "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
From 0a0778bb8643d2fbcb7a597f81e84021bd1e9089 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Mar 2018 14:26:15 +0200
Subject: [PATCH 10/19] add: new yara object added with a version number

---
 objects/yara/definition.json | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 objects/yara/definition.json

diff --git a/objects/yara/definition.json b/objects/yara/definition.json
new file mode 100644
index 0000000..ed5d310
--- /dev/null
+++ b/objects/yara/definition.json
@@ -0,0 +1,30 @@
+{
+ "requiredOneOf": [
+ "yara"
+ ],
+ "attributes": {
+ "comment": {
+ "description": "A description of the YARA rule.",
+ "ui-priority": 0,
+ "misp-attribute": "comment"
+ },
+ "yara": {
+ "description": "YARA rule.",
+ "ui-priority": 0,
+ "misp-attribute": "yara"
+ },
+ "version": {
+ "sane_default": [
+ "3.7.1"
+ ],
+ "description": "Version of the YARA rule depending where the yara rule is known to work as expected.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "An object describing a YARA rule along with its version.",
+ "meta-category": "misc",
+ "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
+ "name": "misc"
+}
From 3d0540a6712655b74babebeac5bc67ac7b6871db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 26 Mar 2018 17:27:55 +0200
Subject: [PATCH 11/19] chg: disable correlations in fail2ban

---
 objects/fail2ban/definition.json | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

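Review bot: The description of the yara template's `version` attribute, "Version of the YARA rule depending where the yara rule is known to work as expected.", is ambiguous about whether it means a revision of the rule or the version of the YARA engine; the `sane_default` of `"3.7.1"` looks like an engine version, so the description should say that explicitly, e.g. `"description": "Version of the YARA engine the rule is known to work with."`. The template's `meta-category` is `misc` while the equivalent suricata detection-rule template added in patch 17 uses `network`; if the two are meant as siblings, the same category would make them easier to find together.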
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index 3e5d68a..a7dfe3b 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -13,35 +13,41 @@
 "processing-timestamp": {
 "description": "Timestamp of the report",
 "ui-priority": 1,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime",
+ "disable_correlation": true
 },
 "attack-type": {
 "description": "Type of the attack",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "failures": {
 "description": "Amount of failures that lead to the ban.",
 "ui-priority": 1,
- "misp-attribute": "counter"
+ "misp-attribute": "counter",
+ "disable_correlation": true
 },
 "sensor": {
 "description": "Identifier of the sensor",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "victim": {
 "description": "Identifier of the victim",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "logline": {
 "description": "Example log line that caused the ban.",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 }
 },
- "version": 3,
+ "version": 4,
 "description": "Fail2ban event",
 "meta-category": "network",
 "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
From b3c348f4ab6f8bc937bc7c600d0ccf230674c64f Mon Sep 17 00:00:00 2001
From: Sheidan
Date: Mon, 26 Mar 2018 18:16:29 +0200
Subject: [PATCH 12/19] x509-add-required-one-of-serial-number

---
 objects/x509/definition.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/objects/x509/definition.json b/objects/x509/definition.json
index f87af6d..ad1d1de 100644
--- a/objects/x509/definition.json
+++ b/objects/x509/definition.json
@@ -2,7 +2,8 @@
 "requiredOneOf": [
 "x509-fingerprint-md5",
 "x509-fingerprint-sha1",
- "x509-fingerprint-sha256"
+ "x509-fingerprint-sha256",
+ "serial-number"
 ],
 "attributes": {
 "subject": {
From d87336b5c9488c099e9579d35c0584236c2cba14 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 27 Mar 2018 08:55:02 +0200
Subject: [PATCH 13/19] version fixed for X509 object

---
 objects/x509/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/objects/x509/definition.json b/objects/x509/definition.json
index ad1d1de..a7220b6 100644
--- a/objects/x509/definition.json
+++ b/objects/x509/definition.json
@@ -84,7 +84,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 5,
+ "version": 6,
 "description": "x509 object describing a X.509 certificate",
 "meta-category": "network",
 "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
From 206da3b10087516c37a895a48d3c2ac1ad25dc09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 27 Mar 2018 10:25:54 +0200
Subject: [PATCH 14/19] new: Attach logfile to fail2ban

---
 objects/fail2ban/definition.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index a7dfe3b..90b0151 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -45,9 +45,15 @@
 "ui-priority": 1,
 "misp-attribute": "text",
 "disable_correlation": true
+ },
+ "logfile": {
+ "description": "Full logfile related to the attack.",
+ "ui-priority": 1,
+ "misp-attribute": "attachment",
+ "disable_correlation": true
 }
 },
- "version": 4,
+ "version": 5,
 "description": "Fail2ban event",
 "meta-category": "network",
 "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
From 422a4c3e0ee927abab6032a249f1383b1ab5ac8d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 27 Mar 2018 11:54:04 +0200
Subject: [PATCH 15/19] fail2ban and yara object template added in list

---
 README.md | 2 ++
 1 file changed, 2 insertions(+)

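Review bot: Adding `serial-number` to `requiredOneOf` in the x509 template allows an object that carries only a serial number, which does not identify a certificate on its own: a serial is only required to be unique per issuing CA, so the same value can legitimately exist under different issuers and a correlation on it across events can be a false link. If serial-only objects are wanted, the `serial-number` attribute's description (outside this hunk) should state that the issuer must be recorded alongside it for the object to identify a certificate; otherwise the one-of list is better left to the fingerprints. The template `version` is not bumped in this hunk; patch 13 does that separately.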
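Review bot: The new `logfile` attachment in patch 14 is described as "Full logfile related to the attack.", which invites uploading an entire fail2ban or auth log rather than the lines about this ban; such logs routinely contain other clients' addresses, usernames and host names that have nothing to do with the event and would be distributed with it. The description should bound the content, e.g. `"description": "Log excerpt related to the ban (limit to the relevant time window and remove unrelated client data before sharing)."`. `"disable_correlation": true` is set on it, which is consistent with patch 11.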
diff --git a/README.md b/README.md
index 3de8efb..ab3a50a 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,7 @@ for a specific attribute.
 * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
 * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
 * [objects/email](objects/email/definition.json) - An email object.
+* [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
 * [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
 * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
 * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
@@ -110,6 +111,7 @@ for a specific attribute.
 * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
 * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
 * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
+* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported.
 
 ## MISP objects relationships
 
From 405d4e6bff5c9bc5ad8378dc8f0f1ba06d44e1e8 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Mar 2018 14:31:32 +0200
Subject: [PATCH 16/19] fix: name of the object template was incorrect

---
 objects/yara/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/objects/yara/definition.json b/objects/yara/definition.json
index ed5d310..4b4724d 100644
--- a/objects/yara/definition.json
+++ b/objects/yara/definition.json
@@ -22,9 +22,9 @@
 "misp-attribute": "text"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "An object describing a YARA rule along with its version.",
 "meta-category": "misc",
 "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
- "name": "misc"
+ "name": "yara"
 }
From 62e782b589713758b18bef8bc071c97c050de394 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Mar 2018 14:32:53 +0200
Subject: [PATCH 17/19] add: Suricata object added with context

---
 objects/suricata/definition.json | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 objects/suricata/definition.json

diff --git a/objects/suricata/definition.json b/objects/suricata/definition.json
new file mode 100644
index 0000000..ddbe458
--- /dev/null
+++ b/objects/suricata/definition.json
@@ -0,0 +1,32 @@
+{
+ "requiredOneOf": [
+ "suricata"
+ ],
+ "attributes": {
+ "comment": {
+ "description": "A description of the Suricata rule.",
+ "ui-priority": 0,
+ "misp-attribute": "comment"
+ },
+ "suricata": {
+ "description": "Suricata rule.",
+ "ui-priority": 0,
+ "misp-attribute": "suricata"
+ },
+ "version": {
+ "description": "Version of the Suricata rule depending where the suricata rule is known to work as expected.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ref": {
+ "description": "Reference to the Suricata rule such as origin of the rule or alike.",
+ "misp-attribute": "link",
+ "ui-priority": 0
+ }
+ },
+ "version": 1,
+ "description": "An object describing a Suricata rule along with its version and context",
+ "meta-category": "network",
+ "uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a",
+ "name": "suricata"
+}
From c1d266687da53e86f17ba7a73feb48ef11e0c2a0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Mar 2018 14:33:59 +0200
Subject: [PATCH 18/19] add: Suricata template object added

---
 README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/README.md b/README.md
index ab3a50a..1f2697e 100644
--- a/README.md
+++ b/README.md
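Review bot: The `ref` attribute of the new suricata template lists its keys in a different order (`misp-attribute` before `ui-priority`) from the other three attributes in the same file; `jq` reformatting as used in patch 7 does not reorder keys, so aligning it by hand keeps future diffs small: `"ui-priority": 0,` followed by `"misp-attribute": "link"`. The `dns_names` attribute added to x509 in patch 19 orders its keys differently again, so a single order across templates is worth agreeing on. The `version` attribute's description, "Version of the Suricata rule depending where the suricata rule is known to work as expected.", has the same ambiguity as the yara template's and, unlike yara, no `sane_default`; `"description": "Version of Suricata the rule is known to work with."` would say what is meant. The template-level description is also the only one on this page without a terminating period.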
@@ -103,6 +103,7 @@ for a specific attribute.
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
+* [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
 * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
From 1ff6cbf67abe0bd92e6b8a0165729dc743578817 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Mar 2018 15:26:35 +0200
Subject: [PATCH 19/19] fix: Feedback from @sheidan

---
 objects/x509/definition.json | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/objects/x509/definition.json b/objects/x509/definition.json
index a7220b6..106a90c 100644
--- a/objects/x509/definition.json
+++ b/objects/x509/definition.json
@@ -49,7 +49,12 @@
 "misp-attribute": "x509-fingerprint-sha256"
 },
 "raw-base64": {
- "description": "Raw certificate base64 encoded",
+ "description": "Raw certificate base64 encoded (DER format)",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "pem": {
+ "description": "Raw certificate in PEM formati (Unix-like newlines)",
 "ui-priority": 0,
 "misp-attribute": "text"
 },
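Review bot: The new `pem` attribute's description contains a typo, "PEM formati"; it should read `"description": "Raw certificate in PEM format (Unix-like newlines)"`. Both `raw-base64` and `pem` hold a complete certificate body as a `text` value with correlation left on; since identical certificates already correlate through the fingerprint attributes above, adding `"disable_correlation": true` to these two would avoid a second, very large-value correlation on the same certificate — worth confirming against how the deployment treats `text` correlation.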
@@ -82,9 +87,25 @@
 "description": "Version of the certificate",
 "ui-priority": 0,
 "misp-attribute": "text"
+ },
+ "self_signed": {
+ "description": "Self-signed certificate",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "is_ca": {
+ "description": "CA certificate",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "dns_names": {
+ "description": "DNS names",
+ "multiple": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
 }
 },
- "version": 6,
+ "version": 7,
 "description": "x509 object describing a X.509 certificate",
 "meta-category": "network",
 "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
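Review bot: The new attribute names `self_signed`, `is_ca` and `dns_names` use snake_case while the rest of the x509 template uses kebab-case (`raw-base64` and `serial-number` in the previous hunk and in patch 12, `x509-fingerprint-sha256`); attribute names become part of the template contract once version 7 is published, so `self-signed`, `is-ca` and `dns-names` should be chosen now rather than renamed later. `dns_names` is typed `text` although its values are domain names; typing it `"misp-attribute": "domain"` (or `hostname`) lets MISP validate the values and lets users filter and export them as network indicators alongside other domains. Its description, `"DNS names"`, should also say which names are meant — presumably the subjectAltName entries, which should be confirmed with the author — and the booleans' descriptions ("Self-signed certificate", "CA certificate") read as labels rather than as the predicate the boolean answers.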