From 4c661b774761abc6b5999daaf98ccc83ecff1b87 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 4 Apr 2024 16:45:33 +0200
Subject: [PATCH] new: [cert-pl-phishing] first draft of a template for the CERT.PL phishing system
---
objects/cert-pl-phishing/definition.json | 42 ++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 objects/cert-pl-phishing/definition.json
diff --git a/objects/cert-pl-phishing/definition.json b/objects/cert-pl-phishing/definition.json
new file mode 100644
index 0000000..6f5c12a
--- /dev/null
+++ b/objects/cert-pl-phishing/definition.json
@@ -0,0 +1,42 @@
+{
+ "attributes": {
+ "favicon-mmh3": {
+ "description": "Favicon of the phishing url in Murmurhash3 format (base64).",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "html-structure": {
+ "description": "HTML tags defining the structure of the HTML page.",
+ "disable-correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "phash-dct-base64": {
+ "description": "pHash (DCT hash) - as described in https://github.com/thorn-oss/perception.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "truncated-hash-html-structure": {
+ "description": "Truncated hash value of the html-structure.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "url": {
+ "description": "Full URL of the phishing object.",
+ "misp-attribute": "url",
+ "ui-priority": 1
+ }
+ },
+ "description": "cert.pl phishing object template representing an url along with some metadata as such phash, html-structure or partial-hash",
+ "meta-category": "network",
+ "name": "cert-pl-phishing",
+ "requiredOneOf": [
+ "url",
+ "phash-dct-base64",
+ "html-structure",
+ "truncated-hash-html-structure",
+ "favicon-mmh3"
+ ],
+ "uuid": "4c37c9af-ca71-4365-bcfb-6393c22dd88e",
+ "version": 1
+}
\ No newline at end of file
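Review bot: The `html-structure` attribute sets `"disable-correlation": true`, but as far as I know the MISP object template format spells this key `disable_correlation` (underscore), so the hyphenated form would either fail template validation or be ignored, leaving correlation enabled on a large free-text value; suggest `"disable_correlation": true,`. The `favicon-mmh3` description should also state whether the value is the integer MurmurHash3 computed over the base64-encoded favicon or a base64-encoded hash, since the two do not match each other when compared against other feeds. The top-level description mentions `partial-hash`, which is not an attribute name in this template (`truncated-hash-html-structure` is), and "as such" reads as a slip for "such as".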