From cee578dce19f5b4f87af3272e40772d752836c3d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 16 Mar 2018 11:35:15 +0100
Subject: [PATCH 01/19] add: Connected_To (old STIX 1.1 relationship)
---
relationships/definition.json | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/relationships/definition.json b/relationships/definition.json
index 5e6083e..ae5f3db 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -25,6 +25,14 @@
"stix-2.0"
]
},
+ {
+ "name": "connected-to",
+ "description": "The referenced source is connected to the target object.",
+ "format": [
+ "misp",
+ "stix-1.1"
+ ]
+ },
{
"name": "attributed-to",
"description": "This referenced source is attributed to the target object.",
From 982e2d8b7587f81d90f8f58e54aeaae9d89e44ee Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 16 Mar 2018 13:13:35 +0100
Subject: [PATCH 02/19] fix: raw whois is also accepted as single attribute in
whois object
Required for importing STIX/CybOX 1.1 WHOIS objects in which only a raw whois record is supplied (in the remarks field), with no parsed domain.
---
objects/whois/definition.json | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/whois/definition.json b/objects/whois/definition.json
index 320873c..0215a41 100644
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@@ -4,7 +4,8 @@
"registrant-phone",
"creation-date",
"registrant-name",
- "registrar"
+ "registrar",
+ "text"
],
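Review bot: Adding `"text"` to this one-of list does not yet achieve what the commit message describes, because the `"required": ["domain"]` block visible just below the change still rejects an object that carries only a raw whois record. As written, a CybOX import with nothing but remarks text would still fail template validation on the missing domain. The next patch in this series (PATCH 03) drops that `required` block, so no separate fix is needed, but the two commits should probably be squashed so that the intermediate version 8 template never ships in an inconsistent state.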
"required": [
"domain"
@@ -77,7 +78,7 @@
"misp-attribute": "domain"
}
},
- "version": 7,
+ "version": 8,
"description": "Whois records information for a domain name.",
"meta-category": "network",
"uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
From e7e387804297645064dcc3890b9d90c2cb63fb15 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 16 Mar 2018 13:29:39 +0100
Subject: [PATCH 03/19] fix: whois record object updated to cover both cases:
domain or IP address
---
objects/whois/definition.json | 23 ++++++++++++++++-------
1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/objects/whois/definition.json b/objects/whois/definition.json
index 0215a41..0c4d5b0 100644
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@@ -5,10 +5,9 @@
"creation-date",
"registrant-name",
"registrar",
- "text"
- ],
- "required": [
- "domain"
+ "text",
+ "domain",
+ "ip-address"
],
"attributes": {
"text": {
@@ -74,12 +73,22 @@
"Network activity",
"External analysis"
],
- "ui-priority": 1,
+ "ui-priority": 0,
"misp-attribute": "domain"
+ },
+ "comment": {
+ "description": "Comment of the whois entry",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ip-address": {
+ "description": "IP address of the whois entry",
+ "ui-priority": 0,
+ "misp-attribute": "ip-src"
}
},
- "version": 8,
- "description": "Whois records information for a domain name.",
+ "version": 9,
+ "description": "Whois records information for a domain name or an IP address.",
"meta-category": "network",
"uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
"name": "whois"
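Review bot: The new `comment` attribute maps to `"misp-attribute": "text"`, whereas the yara and suricata templates added later in this same series map their `comment` attribute to the dedicated `comment` type; I would use `"misp-attribute": "comment"` here too so that free-form remarks are handled uniformly across objects. Separately, `ip-address` is typed as `ip-src`, which carries a source-role connotation that a whois registration record does not have; if that is a deliberate choice because no neutral IP type fits, the description should say so, e.g. `"description": "IP address (or network) the whois entry was retrieved for; stored as ip-src for correlation"`. The README entry for whois (unchanged in this series) still describes the object as domain-only and should follow this description change.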
From c92ee2e46179f2b30ff1011950f16af38e0f94fc Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 19 Mar 2018 17:33:45 +0100
Subject: [PATCH 04/19] fix: version field added if stix2-pattern has multiple
version in the future
---
objects/stix2-pattern/definition.json | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/objects/stix2-pattern/definition.json b/objects/stix2-pattern/definition.json
index 5abd6f0..ab49a22 100644
--- a/objects/stix2-pattern/definition.json
+++ b/objects/stix2-pattern/definition.json
@@ -12,9 +12,17 @@
"description": "STIX 2 pattern",
"ui-priority": 0,
"misp-attribute": "stix2-pattern"
+ },
+ "version": {
+ "description": "Version of STIX 2 pattern.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "stix 2.0"
+ ]
}
},
- "version": 1,
+ "version": 2,
"description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
"meta-category": "misc",
"uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
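Review bot: The new `version` attribute is a low-entropy text value with a sane default of `"stix 2.0"`, so presumably every stix2-pattern object will carry the identical string; without `"disable_correlation": true` on it, each such object will correlate with every other one on that value, which is noise rather than signal. Patch 11 in this series uses exactly that flag for the comparable low-entropy text fields of the fail2ban object, so adding `"disable_correlation": true` after the `misp-attribute` line here would be consistent. The description could also say what is versioned, e.g. `"description": "STIX 2.x specification version the pattern was written against."`.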
From 1f8a26fa3ee7dac5e015d94d0b8f1280a55f3fa0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 26 Mar 2018 10:54:44 +0200
Subject: [PATCH 05/19] new: Fail2ban object
---
objects/fail2ban/definition.json | 44 ++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 objects/fail2ban/definition.json
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
new file mode 100644
index 0000000..cfd9757
--- /dev/null
+++ b/objects/fail2ban/definition.json
@@ -0,0 +1,44 @@
+{
+ "required":[
+ "banned-ip",
+ "processing-timestamp",
+ "attack-type"
+ ],
+ "attributes": {
+ "banned-ip": {
+ "description": "IP Address banned by fail2ban",
+ "ui-priority": 1,
+ "misp-attribute": "ipsrc"
+ },
+ "timestamp": {
+ "description": "Timestamp of the report",
+ "ui-priority": 1,
+ "misp-attribute": "datetime"
+ },
+ "attack-type": {
+ "description": "Type of the attack",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "failures": {
+ "description": "Amount of failures that lead to the ban.",
+ "ui-priority": 1,
+ "misp-attribute": "counter"
+ },
+ "sensor": {
+ "description": "Identifier of the sensor",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "victim": {
+ "description": "Identifier of the victim",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Fail2ban event",
+ "meta-category": "network",
+ "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
+ "name": "fail2ban"
+}
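Review bot: The `uuid` value `8be2271-7326-41a5-a0dd-9b4bec88e1ba` is malformed: its first group has seven hex digits instead of eight, so it is not a valid RFC 4122 UUID and strict validators or the MISP template loader may reject or mis-key this template. None of the later fail2ban patches in this series corrects it, so a fresh, well-formed UUID should be generated before this object is published. Note also that `required` lists `processing-timestamp` while the attribute is declared as `timestamp`, and `banned-ip` uses the non-existent type `ipsrc`; both are fixed by later patches in the series but would ideally be squashed into this commit.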
From aa30a49796eaca04e4e56631cdfe01b403770da8 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Mar 2018 11:28:32 +0200
Subject: [PATCH 06/19] fix: attribute type fixed
---
objects/fail2ban/definition.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index cfd9757..751833c 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -8,7 +8,7 @@
"banned-ip": {
"description": "IP Address banned by fail2ban",
"ui-priority": 1,
- "misp-attribute": "ipsrc"
+ "misp-attribute": "ip-src"
},
"timestamp": {
"description": "Timestamp of the report",
@@ -36,7 +36,7 @@
"misp-attribute": "text"
}
},
- "version": 1,
+ "version": 2,
"description": "Fail2ban event",
"meta-category": "network",
"uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
From b0755e3ca858027b6510e2330b9a38ccc1eae2d0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Mar 2018 11:37:38 +0200
Subject: [PATCH 07/19] jq all
---
objects/fail2ban/definition.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index 751833c..dd4fc95 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -1,5 +1,5 @@
{
- "required":[
+ "required": [
"banned-ip",
"processing-timestamp",
"attack-type"
From 1f8fd57d69a1162a60532ac63f309458f69bec60 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 26 Mar 2018 11:41:00 +0200
Subject: [PATCH 08/19] chg: Fix&update fail2ban def
---
objects/fail2ban/definition.json | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index cfd9757..f28ecb1 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -8,7 +8,7 @@
"banned-ip": {
"description": "IP Address banned by fail2ban",
"ui-priority": 1,
- "misp-attribute": "ipsrc"
+ "misp-attribute": "ip-src"
},
"timestamp": {
"description": "Timestamp of the report",
@@ -34,6 +34,11 @@
"description": "Identifier of the victim",
"ui-priority": 1,
"misp-attribute": "text"
+ },
+ "logline": {
+ "description": "Example log line that caused the ban.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
}
},
"version": 1,
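Review bot: This hunk adds a new `logline` attribute but leaves the template `version` at 1, whereas every other attribute addition in this series (patches 03, 04, 14) bumps the version alongside the change. Presumably MISP uses that number to decide whether to refresh an already-installed template, so an instance that already loaded version 1 would not pick up `logline`. Bump to `"version": 2` in this commit (or rebase onto patch 06, which already took that number, and use 3).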
From 7c2e07a50b944d265f92cfba712d872091c1c199 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 26 Mar 2018 12:05:17 +0200
Subject: [PATCH 09/19] fix: wrong attribute name
---
objects/fail2ban/definition.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index a199f9e..3e5d68a 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -10,7 +10,7 @@
"ui-priority": 1,
"misp-attribute": "ip-src"
},
- "timestamp": {
+ "processing-timestamp": {
"description": "Timestamp of the report",
"ui-priority": 1,
"misp-attribute": "datetime"
@@ -41,7 +41,7 @@
"misp-attribute": "text"
}
},
- "version": 2,
+ "version": 3,
"description": "Fail2ban event",
"meta-category": "network",
"uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
From 0a0778bb8643d2fbcb7a597f81e84021bd1e9089 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Mar 2018 14:26:15 +0200
Subject: [PATCH 10/19] add: new yara object added with a version number
---
objects/yara/definition.json | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 objects/yara/definition.json
diff --git a/objects/yara/definition.json b/objects/yara/definition.json
new file mode 100644
index 0000000..ed5d310
--- /dev/null
+++ b/objects/yara/definition.json
@@ -0,0 +1,30 @@
+{
+ "requiredOneOf": [
+ "yara"
+ ],
+ "attributes": {
+ "comment": {
+ "description": "A description of the YARA rule.",
+ "ui-priority": 0,
+ "misp-attribute": "comment"
+ },
+ "yara": {
+ "description": "YARA rule.",
+ "ui-priority": 0,
+ "misp-attribute": "yara"
+ },
+ "version": {
+ "sane_default": [
+ "3.7.1"
+ ],
+ "description": "Version of the YARA rule depending where the yara rule is known to work as expected.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "An object describing a YARA rule along with its version.",
+ "meta-category": "misc",
+ "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
+ "name": "misc"
+}
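Review bot: The `version` attribute defaults to `"3.7.1"`, which reads as a YARA engine release rather than a version of the rule itself, so the description `"Version of the YARA rule depending where the yara rule is known to work as expected."` is misleading; I would write `"description": "YARA engine version the rule is known to work with."`. Because that value will be identical across most objects, it should also carry `"disable_correlation": true`, as patch 11 does for similar low-entropy text fields, to avoid correlating every YARA object with every other one. The `"name": "misc"` at the bottom looks like a copy-paste slip given the directory is objects/yara; a later patch in this series corrects it.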
From 3d0540a6712655b74babebeac5bc67ac7b6871db Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 26 Mar 2018 17:27:55 +0200
Subject: [PATCH 11/19] chg: disable correlations in fail2ban
---
objects/fail2ban/definition.json | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index 3e5d68a..a7dfe3b 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -13,35 +13,41 @@
"processing-timestamp": {
"description": "Timestamp of the report",
"ui-priority": 1,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime",
+ "disable_correlation": true
},
"attack-type": {
"description": "Type of the attack",
"ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
},
"failures": {
"description": "Amount of failures that lead to the ban.",
"ui-priority": 1,
- "misp-attribute": "counter"
+ "misp-attribute": "counter",
+ "disable_correlation": true
},
"sensor": {
"description": "Identifier of the sensor",
"ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
},
"victim": {
"description": "Identifier of the victim",
"ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
},
"logline": {
"description": "Example log line that caused the ban.",
"ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
}
},
- "version": 3,
+ "version": 4,
"description": "Fail2ban event",
"meta-category": "network",
"uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
From b3c348f4ab6f8bc937bc7c600d0ccf230674c64f Mon Sep 17 00:00:00 2001
From: Sheidan
Date: Mon, 26 Mar 2018 18:16:29 +0200
Subject: [PATCH 12/19] x509-add-required-one-of-serial-number
---
objects/x509/definition.json | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/objects/x509/definition.json b/objects/x509/definition.json
index f87af6d..ad1d1de 100644
--- a/objects/x509/definition.json
+++ b/objects/x509/definition.json
@@ -2,7 +2,8 @@
"requiredOneOf": [
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
- "x509-fingerprint-sha256"
+ "x509-fingerprint-sha256",
+ "serial-number"
],
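Review bot: Allowing `serial-number` alone to satisfy `requiredOneOf` weakens the object's identity: a serial number is only unique within a single issuer, and small serials (1, 2, 1000...) recur across countless unrelated self-signed certificates, so a serial-only x509 object will correlate with certificates that have nothing in common. The fingerprints already listed are globally unique, which is why they were the original minimum. If serial-only objects are genuinely needed for some import path, the `serial-number` attribute's description should state that it must be paired with `issuer` to be meaningful, e.g. `"description": "Serial number of the certificate (only unique per issuer; add the issuer attribute when no fingerprint is available)"`.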
"attributes": {
"subject": {
From d87336b5c9488c099e9579d35c0584236c2cba14 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 27 Mar 2018 08:55:02 +0200
Subject: [PATCH 13/19] version fixed for X509 object
---
objects/x509/definition.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/x509/definition.json b/objects/x509/definition.json
index ad1d1de..a7220b6 100644
--- a/objects/x509/definition.json
+++ b/objects/x509/definition.json
@@ -84,7 +84,7 @@
"misp-attribute": "text"
}
},
- "version": 5,
+ "version": 6,
"description": "x509 object describing a X.509 certificate",
"meta-category": "network",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
From 206da3b10087516c37a895a48d3c2ac1ad25dc09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 27 Mar 2018 10:25:54 +0200
Subject: [PATCH 14/19] new: Attach logfile to fail2ban
---
objects/fail2ban/definition.json | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index a7dfe3b..90b0151 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -45,9 +45,15 @@
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
+ },
+ "logfile": {
+ "description": "Full logfile related to the attack.",
+ "ui-priority": 1,
+ "misp-attribute": "attachment",
+ "disable_correlation": true
}
},
- "version": 4,
+ "version": 5,
"description": "Fail2ban event",
"meta-category": "network",
"uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
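Review bot: The new `logfile` attachment is described as `"Full logfile related to the attack."`, but a full log file will presumably contain entries unrelated to the ban, including other users' IP addresses and usernames, which matters when the event is shared beyond the originating organisation. The description should carry that caveat so contributors redact before attaching, e.g. `"description": "Full logfile related to the attack (may contain unrelated entries and third-party data; review before sharing)."`. Disabling correlation on an attachment is consistent with the rest of this template.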
From 422a4c3e0ee927abab6032a249f1383b1ab5ac8d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 27 Mar 2018 11:54:04 +0200
Subject: [PATCH 15/19] fail2ban and yara object template added in list
---
README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 3de8efb..ab3a50a 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,7 @@ for a specific attribute.
* [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
* [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
* [objects/email](objects/email/definition.json) - An email object.
+* [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
* [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
* [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
* [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
@@ -110,6 +111,7 @@ for a specific attribute.
* [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
* [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
* [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
+* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported.
## MISP objects relationships
From 405d4e6bff5c9bc5ad8378dc8f0f1ba06d44e1e8 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Mar 2018 14:31:32 +0200
Subject: [PATCH 16/19] fix: name of the object template was incorrect
---
objects/yara/definition.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/yara/definition.json b/objects/yara/definition.json
index ed5d310..4b4724d 100644
--- a/objects/yara/definition.json
+++ b/objects/yara/definition.json
@@ -22,9 +22,9 @@
"misp-attribute": "text"
}
},
- "version": 1,
+ "version": 2,
"description": "An object describing a YARA rule along with its version.",
"meta-category": "misc",
"uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
- "name": "misc"
+ "name": "yara"
}
From 62e782b589713758b18bef8bc071c97c050de394 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Mar 2018 14:32:53 +0200
Subject: [PATCH 17/19] add: Suricata object added with context
---
objects/suricata/definition.json | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 objects/suricata/definition.json
diff --git a/objects/suricata/definition.json b/objects/suricata/definition.json
new file mode 100644
index 0000000..ddbe458
--- /dev/null
+++ b/objects/suricata/definition.json
@@ -0,0 +1,32 @@
+{
+ "requiredOneOf": [
+ "suricata"
+ ],
+ "attributes": {
+ "comment": {
+ "description": "A description of the Suricata rule.",
+ "ui-priority": 0,
+ "misp-attribute": "comment"
+ },
+ "suricata": {
+ "description": "Suricata rule.",
+ "ui-priority": 0,
+ "misp-attribute": "suricata"
+ },
+ "version": {
+ "description": "Version of the Suricata rule depending where the suricata rule is known to work as expected.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ref": {
+ "description": "Reference to the Suricata rule such as origin of the rule or alike.",
+ "misp-attribute": "link",
+ "ui-priority": 0
+ }
+ },
+ "version": 1,
+ "description": "An object describing a Suricata rule along with its version and context",
+ "meta-category": "network",
+ "uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a",
+ "name": "suricata"
+}
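Review bot: The `version` attribute has no `"disable_correlation": true`, so its shared, low-entropy text value will correlate every Suricata object with every other one that declares the same engine version; patch 11 in this series uses that flag for comparable fields and the same treatment fits here. Its description, `"Version of the Suricata rule depending where the suricata rule is known to work as expected."`, is also ambiguous between rule revision and engine version; based on the parallel yara template I would write `"description": "Suricata engine version the rule is known to work with."`. Unlike the yara object, no `sane_default` is given here; if that asymmetry is unintentional, adding one would keep the two templates aligned.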
From c1d266687da53e86f17ba7a73feb48ef11e0c2a0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Mar 2018 14:33:59 +0200
Subject: [PATCH 18/19] add: Suricata template object added
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index ab3a50a..1f2697e 100644
--- a/README.md
+++ b/README.md
@@ -103,6 +103,7 @@ for a specific attribute.
* [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
* [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
+* [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
* [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
* [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
From 1ff6cbf67abe0bd92e6b8a0165729dc743578817 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Mar 2018 15:26:35 +0200
Subject: [PATCH 19/19] fix: Feedback from @sheidan
---
objects/x509/definition.json | 25 +++++++++++++++++++++++--
1 file changed, 23 insertions(+), 2 deletions(-)
diff --git a/objects/x509/definition.json b/objects/x509/definition.json
index a7220b6..106a90c 100644
--- a/objects/x509/definition.json
+++ b/objects/x509/definition.json
@@ -49,7 +49,12 @@
"misp-attribute": "x509-fingerprint-sha256"
},
"raw-base64": {
- "description": "Raw certificate base64 encoded",
+ "description": "Raw certificate base64 encoded (DER format)",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "pem": {
+ "description": "Raw certificate in PEM formati (Unix-like newlines)",
"ui-priority": 0,
"misp-attribute": "text"
},
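Review bot: The new `pem` attribute's description contains a typo, `formati`, and should read `"description": "Raw certificate in PEM format (Unix-like newlines)"`. Since both `raw-base64` and `pem` are stored as plain `text`, it may also be worth noting in the `raw-base64` description that the value is the base64 of the DER bytes without PEM armour, so the two fields are not confused by importers.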
@@ -82,9 +87,25 @@
"description": "Version of the certificate",
"ui-priority": 0,
"misp-attribute": "text"
+ },
+ "self_signed": {
+ "description": "Self-signed certificate",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "is_ca": {
+ "description": "CA certificate",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "dns_names": {
+ "description": "DNS names",
+ "multiple": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
}
},
- "version": 6,
+ "version": 7,
"description": "x509 object describing a X.509 certificate",
"meta-category": "network",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
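Review bot: The three new attribute names `self_signed`, `is_ca` and `dns_names` use underscores, while every other attribute in this template (`x509-fingerprint-md5`, `serial-number`, `raw-base64`, and the `pem` added in the same commit) uses hyphens; I would rename them to `self-signed`, `is-ca` and `dns-names` before this version ships, since attribute names become part of the stored object and are painful to change later. The `dns_names` description `"DNS names"` is also thin; assuming these are the dNSName entries of the subjectAltName extension, say so: `"description": "DNS names from the subjectAltName extension"`.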