From 7b4c9cd6df1c10cc44aa3ef18e5d5a1902ff9d9b Mon Sep 17 00:00:00 2001
From: aaronkaplan
Date: Sun, 2 May 2021 15:57:54 +0200
Subject: [PATCH 1/3] As discussed with @rafiot, we can't simply add rdata and rrname as text only into MISP objects. Why? Because otherwise we can't use MISP's correlation engine to correlate attributes (rrname, rdata) inside these MISP objects with other events. Because "text" would not correlate with other "ip-src" or "domain" types in other objects/attributes. Kind of sucks to duplicate the rrname and rdata entries, but that's the only solution we came up with. The COF2MISP module will populate both the rrname,rdata as well as the rrname_{domain,ip} and rdata_{domain,ip} attributes. Checked with jq_all_the_things.sh. Thanks for your consideration.
---
 objects/passive-dns/definition.json | 44 ++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 4 deletions(-)
diff --git a/objects/passive-dns/definition.json b/objects/passive-dns/definition.json
index ba3d000..7f03bba 100644
--- a/objects/passive-dns/definition.json
+++ b/objects/passive-dns/definition.json
@@ -3,7 +3,7 @@
 "bailiwick": {
 "description": "Best estimate of the apex of the zone where this data is authoritative",
 "disable_correlation": true,
- "misp-attribute": "text",
+ "misp-attribute": "domain",
 "ui-priority": 0
 },
 "count": {
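Review bot: Switching `bailiwick` from `text` to `domain` (the `+ "misp-attribute": "domain",` line) puts the value under MISP's domain-type validation, and passive-DNS COF feeds commonly emit the bailiwick as an absolute name with a trailing dot (`example.com.`), which such a validator may reject. Unless the COF2MISP module already normalizes the name (strips the trailing dot, lower-cases it), an object carrying an unnormalized bailiwick could fail to import, so either normalize in the module or state the expected form in the definition, e.g. `"description": "Best estimate of the apex of the zone where this data is authoritative (FQDN without trailing dot)",`. Keeping `disable_correlation` true alongside the type change is sensible, since a zone apex shared by many records would otherwise correlate very noisily.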
@@ -19,15 +19,33 @@
 "ui-priority": 0
 },
 "raw_rdata": {
- "description": "Resource records of the queried resource, in hexadecimal",
+ "description": "Resource records of the queried resource, in hexadecimal. *All* rdata entries at once.",
 "misp-attribute": "text",
 "ui-priority": 0
 },
 "rdata": {
- "description": "Resource records of the queried resource",
+ "description": "Resource records of the queried resource. Note that this field is added for *each* rdata entry in the rrset.",
 "misp-attribute": "text",
 "ui-priority": 1
 },
+ "rdata_ip": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Resource records of the queried resource. Mapped to MISP 'ip' address type. Valid for rrtypes (A, AAAA, A6, ...).",
+ "misp-attribute": "ip-src",
+ "ui-priority": 1
+ },
+ "rdata_domain": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Resource records of the queried resource. Mapped to MISP 'domain' address type. Valid for rrtypes (CNAME, etc.).",
+ "misp-attribute": "domain",
+ "ui-priority": 1
+ },
 "rrname": {
 "categories": [
 "Network activity",
@@ -37,6 +55,24 @@
 "misp-attribute": "text",
 "ui-priority": 1
 },
+ "rrname_domain": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Resource Record name of the queried resource. Same as the field 'rrname', however already mapped to the MISP 'domain' type so that we can correlate.",
+ "misp-attribute": "domain",
+ "ui-priority": 1
+ },
+ "rrname_ip": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Resource Record name of the queried resource. Same as the field 'rrname', however already mapped to the MISP 'ip' type so that we can correlate. Note that this is only valid if 'rrtype' is 'PTR'.",
+ "misp-attribute": "ip-src",
+ "ui-priority": 1
+ },
 "rrtype": {
 "categories": [
 "Network activity",
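Review bot: `rdata_ip` is typed `ip-src` although the rdata of an A/AAAA answer is the address the queried name resolves to, i.e. the endpoint a client would be directed to, which MISP conventionally models as `ip-dst` (the `domain-ip` object uses `ip-dst` for the resolved address, if I recall correctly); `+ "misp-attribute": "ip-dst",` would follow that convention. The description "Mapped to MISP 'ip' address type" also does not name the actual type chosen, so whichever type stays should be spelled out there. These attributes are dropped again in PATCH 2/3, so this only matters if the typed duplicates are reintroduced.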
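Review bot: `rrname_ip` is typed `ip-src` and documented as valid when `rrtype` is `PTR`, but the owner name of a PTR record is a reverse-mapping name under `in-addr.arpa` or `ip6.arpa`, not an IP address, so populating this attribute straight from `rrname` would hand MISP's IP validation a domain-like string. Either the COF2MISP module must convert the reverse name to the corresponding address before filling `rrname_ip`, or the description should say so, e.g. `"…Note that this is only valid if 'rrtype' is 'PTR' and the in-addr.arpa/ip6.arpa name has been converted to the address it encodes."`. This attribute is removed again in PATCH 2/3, which is consistent with how hard the typed duplicate is to get right.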
@@ -109,4 +145,4 @@
 ],
 "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
 "version": 3
-}
\ No newline at end of file
+}
From b728ed3e29907fc9d3b306b6410de9c870481c81 Mon Sep 17 00:00:00 2001
From: aaronkaplan
Date: Mon, 3 May 2021 00:57:14 +0200
Subject: [PATCH 2/3] Re-Do the definition.json, according to the results of the discussion in https://github.com/MISP/misp-objects/pull/314 Removing *_ip and *_domain Keeping bailiwick a domain type
---
 objects/passive-dns/definition.json | 36 -----------------------------
 1 file changed, 36 deletions(-)
diff --git a/objects/passive-dns/definition.json b/objects/passive-dns/definition.json
index 52fa46a..f2cf7d8 100644
--- a/objects/passive-dns/definition.json
+++ b/objects/passive-dns/definition.json
@@ -28,24 +28,6 @@
 "misp-attribute": "text",
 "ui-priority": 1
 },
- "rdata_ip": {
- "categories": [
- "Network activity",
- "External analysis"
- ],
- "description": "Resource records of the queried resource. Mapped to MISP 'ip' address type. Valid for rrtypes (A, AAAA, A6, ...).",
- "misp-attribute": "ip-src",
- "ui-priority": 1
- },
- "rdata_domain": {
- "categories": [
- "Network activity",
- "External analysis"
- ],
- "description": "Resource records of the queried resource. Mapped to MISP 'domain' address type. Valid for rrtypes (CNAME, etc.).",
- "misp-attribute": "domain",
- "ui-priority": 1
- },
 "rrname": {
 "categories": [
 "Network activity",
@@ -55,24 +37,6 @@
 "misp-attribute": "text",
 "ui-priority": 1
 },
- "rrname_domain": {
- "categories": [
- "Network activity",
- "External analysis"
- ],
- "description": "Resource Record name of the queried resource. Same as the field 'rrname', however already mapped to the MISP 'domain' type so that we can correlate.",
- "misp-attribute": "domain",
- "ui-priority": 1
- },
- "rrname_ip": {
- "categories": [
- "Network activity",
- "External analysis"
- ],
- "description": "Resource Record name of the queried resource. Same as the field 'rrname', however already mapped to the MISP 'ip' type so that we can correlate. Note that this is only valid if 'rrtype' is 'PTR'.",
- "misp-attribute": "ip-src",
- "ui-priority": 1
- },
 "rrtype": {
 "categories": [
 "Network activity",
From 7a476ec4efda4819d5e6fd437685d70253f75a1a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 May 2021 07:20:51 +0200
Subject: [PATCH 3/3] chg: [passive-dns] jq
---
 objects/passive-dns/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/passive-dns/definition.json b/objects/passive-dns/definition.json
index f2cf7d8..fc5878a 100644
--- a/objects/passive-dns/definition.json
+++ b/objects/passive-dns/definition.json
@@ -121,4 +121,4 @@
 ],
 "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
 "version": 5
-}
+}
\ No newline at end of file