From bd508a3455d017ac3976eef3d6fbfe91e736dea6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 25 Jan 2018 15:07:19 +0100
Subject: [PATCH 01/46] fix: Passive DNS records especially on the disabled_correlation fields
---
 objects/passive-dns/definition.json | 42 ++++++++++++++++++-----------
 1 file changed, 26 insertions(+), 16 deletions(-)
diff --git a/objects/passive-dns/definition.json b/objects/passive-dns/definition.json
index b832c40..38994ee 100644
--- a/objects/passive-dns/definition.json
+++ b/objects/passive-dns/definition.json
@@ -6,22 +6,25 @@
 ],
 "attributes": {
 "zone_time_last": {
- "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",
+ "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.",
 "ui-priority": 0,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime",
+ "disable_correlation": true
 },
 "text": {
- "description": "",
+ "description": "Description of the passive DNS record.",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "count": {
- "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers",
+ "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",
 "ui-priority": 0,
- "misp-attribute": "counter"
+ "misp-attribute": "counter",
+ "disable_correlation": true
 },
 "rrname": {
- "description": "Resource Record name of the queried resource",
+ "description": "Resource Record name of the queried resource.",
 "categories": [
 "Network activity",
 "External analysis"
@@ -30,7 +33,7 @@
 "misp-attribute": "text"
 },
 "rrtype": {
- "description": "Resource Record type as seen by the passive DNS",
+ "description": "Resource Record type as seen by the passive DNS.",
 "categories": [
 "Network activity",
 "External analysis"
@@ -51,7 +54,8 @@
 "NAPTR",
 "HINFO",
 "A6"
- ]
+ ],
+ "disable_correlation": true
 },
 "rdata": {
 "description": "Resource records of the queried resource",
@@ -61,35 +65,41 @@
 "zone_time_first": {
 "description": "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",
 "ui-priority": 0,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime",
+ "disable_correlation": true
 },
 "origin": {
 "description": "Origin of the Passive DNS response",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "time_last": {
 "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS",
 "ui-priority": 0,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime",
+ "disable_correlation": true
 },
 "time_first": {
 "description": "First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS",
 "ui-priority": 0,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime",
+ "disable_correlation": true
 },
 "bailiwick": {
 "description": "Best estimate of the apex of the zone where this data is authoritative",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "sensor_id": {
 "description": "Sensor information where the record was seen",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 }
 },
- "version": 2,
+ "version": 3,
 "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
 "meta-category": "network",
 "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
From f91929738b2e50c4c79447fc23c96d6d2af6d70c Mon Sep 17 00:00:00 2001
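Review bot: The trailing-period normalisation applied to the descriptions in the first hunk is not carried through the rest of this file: `zone_time_first`, `origin`, `time_last`, `time_first`, `bailiwick`, `sensor_id` (hunk `@@ -61,35 +65,41 @@`) and `rdata` (hunk `@@ -51,7 +54,8 @@`) keep descriptions without a final period while `zone_time_last`, `text`, `count`, `rrname` and `rrtype` now end with one. Since the commit already rewrites the neighbouring `misp-attribute` line of each of these attributes, the same hunks could finish the job, e.g. `"description": "Origin of the Passive DNS response.",`. Leaving `rrname` and `rdata` as the only attributes that still correlate looks intended given the commit subject; a one-line mention of that in the object `description` would spare the next reader the question.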
From: Alexandre Dulaunoy
Date: Mon, 29 Jan 2018 07:33:25 +0100
Subject: [PATCH 02/46] add: an object describing bank account information based on account description from goAML 4.0. A generic bank account partially based on the goAML 4.0 standard. The bank account alone can convey information regarding the type of transactions seen or suspected which allow to use the object alone without the need to describe the full list of transactions. Additional objects could be created like report, transactions and like to fully support AML. The existing person in MISP objects was previously updated to include the field missing from AML. A potential evolution is based on the transaction status which can be described as a simple relationship between MISP objects like: Bought, Sold, Let, Hired, Exchanged, Donated, Destroyed and Other
---
 objects/bank-account/definition.json | 159 +++++++++++++++++++++++++++
 1 file changed, 159 insertions(+)
 create mode 100644 objects/bank-account/definition.json
diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json
new file mode 100644
index 0000000..46466e9
--- /dev/null
+++ b/objects/bank-account/definition.json
@@ -0,0 +1,159 @@
+{
+ "requiredOneOf": [
+ "account"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the bank account.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "institution-code": {
+ "description": "Name of the bank or financial organisation.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "swift": {
+ "description": "SWIFT or BIC as defined in ISO 9362.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "bic"
+ },
+ "branch": {
+ "description": "Branch code or name",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "non-banking-institution": {
+ "description": "A flag to define if this account belong to a non-banking organisation. If set to true, it's a non-banking organisation.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "account": {
+ "description": "Account number",
+ "ui-priority": 0,
+ "misp-attribute": "bank-account-nr"
+ },
+ "currency-code": {
+ "description": "Currency of the account.",
+ "ui-priority": 0,
+ "sane_default": [
+ "USD",
+ "EUR"
+ ],
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "account-name": {
+ "description": "A field to freely describe the bank account details.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "iban": {
+ "description": "IBAN of the bank account.",
+ "ui-priority": 0,
+ "misp-attribute": "iban"
+ },
+ "client-_number": {
+ "description": "Client number as seen by the bank.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "personal-account-type": {
+ "description": "Account type.",
+ "ui-priority": 0,
+ "sane_default": [
+ "A - Business",
+ "B - Personal Current",
+ "C - Savings",
+ "D - Trust Account",
+ "E - Trading Account",
+ "O - Other"
+ ],
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "opened": {
+ "description": "When the account was opened.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "closed": {
+ "description": "When the account was closed.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "balance": {
+ "description": "The balance of the account after the suspicious transaction was processed.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "date-balance": {
+ "description": "When the balance was reported.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "status-code": {
+ "description": "Account status at the time of the transaction processed.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "A - Active",
+ "B - Inactive",
+ "C - Dormant"
+ ]
+ },
+ "beneficiary": {
+ "description": "Final beneficiary of the bank account.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "beneficiary-comment": {
+ "description": "Comment about the final beneficiary.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "comments": {
+ "description": "Comments about the bank account.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "report-code": {
+ "description": "Report code of the bank account.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "CTR Cash Transaction Report",
+ "STR Suspicious Transaction Report",
+ "EFT Electronic Funds Transfer",
+ "IFT International Funds Transfer",
+ "TFR Terror Financing Report",
+ "BCR Border Cash Report",
+ "UTR Unusual Transaction Report",
+ "AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.",
+ "IRI Incoming Request for Information – International",
+ "ORI Outgoing Request for Information – International",
+ "IRD Incoming Request for Information – Domestic",
+ "ORD Outgoing Request for Information – Domestic"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "An object describing bank account information based on account description from goAML 4.0.",
+ "meta-category": "financial",
+ "uuid": "b4712203-95a8-4883-80e9-b566f5df11c9",
+ "name": "bank-account"
+}
From 16f01d62a8293797266e9cd076c9a6c6fb846efd Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 29 Jan 2018 07:44:37 +0100
Subject: [PATCH 03/46] add: bank-account added in the list
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index ae6bb52..7ab6f58 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,7 @@ for a specific attribute.
 * [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file).
 * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
 * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
+* [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0.
 * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency.
 * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
 * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
From 2f53450e49aaef7169d98bccfe571410f52f1161 Mon Sep 17 00:00:00 2001
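Review bot: The attribute key `client-_number` carries a stray underscore and breaks the kebab-case used by every other key in this new template (`institution-code`, `account-name`, `currency-code`); attribute names become part of the data once objects are created from the template, so it should be fixed to `"client-number": {` before this version ships. The `report-code` sane_default entry `AIF Additional Information File – Can be used for example to get full disclosure ...` embeds a full explanatory sentence in a selectable value; the explanation belongs in the attribute `description` and the value should be as short as its siblings, e.g. `"AIF Additional Information File",`. Minor: the `non-banking-institution` description reads `belong` where `belongs` is meant, and `branch` and `account` are the only descriptions without the trailing period the others use.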
From: Alexandre Dulaunoy
Date: Mon, 29 Jan 2018 07:46:13 +0100
Subject: [PATCH 04/46] fix: sandbox report object added in the list
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 7ab6f58..857869c 100644
--- a/README.md
+++ b/README.md
@@ -95,6 +95,7 @@ for a specific attribute.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
+* [objects/sandbox](objects/sandbox/definition.json) - Sandbox report object.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
 * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
From cab597afb2a45c7bdbc8c99000919f999e6cb5bf Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 29 Jan 2018 07:47:19 +0100
Subject: [PATCH 05/46] fix: sandbox signature added.
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 857869c..9dcb503 100644
--- a/README.md
+++ b/README.md
@@ -96,6 +96,7 @@ for a specific attribute.
 * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox](objects/sandbox/definition.json) - Sandbox report object.
+* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
 * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
From 619c35ea0f6c618c78d8206bfb658ad39f864566 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 29 Jan 2018 08:24:40 +0100
Subject: [PATCH 06/46] fix: sandbox report
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9dcb503..19ca64a 100644
--- a/README.md
+++ b/README.md
@@ -95,7 +95,7 @@ for a specific attribute.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
-* [objects/sandbox](objects/sandbox/definition.json) - Sandbox report object.
+* [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
From 8d7e3b34a731d81d32fae7329e932bb4742cd689 Mon Sep 17 00:00:00 2001
From: David Lord
Date: Tue, 30 Jan 2018 10:12:53 +1000
Subject: [PATCH 07/46] Add email-body to the email object definition
---
 objects/email/definition.json | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 7b7f45d..10fbc38 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -138,6 +138,14 @@
 "categories": [
 "Payload delivery"
 ]
+ },
+ "email-body": {
+ "description": "Body of the email",
+ "misp-attribute": "email-body",
+ "ui-priority": 1,
+ "categories": [
+ "Payload delivery"
+ ]
 }
 },
 "requiredOneOf": [
From c57b9b867c8d4a0c789269dfe02ea3d80cb0c074 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 30 Jan 2018 08:59:41 +0100
Subject: [PATCH 08/46] fix: increment version of the MISP email object
---
 objects/email/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 10fbc38..770850f 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -3,7 +3,7 @@
 "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
 "meta-category": "network",
 "description": "Email object describing an email with meta-information",
- "version": 7,
+ "version": 8,
 "attributes": {
 "reply-to": {
 "description": "Email address the reply will be sent to",
From 41b0d33ab354334051ebc784e44449b7930d23df Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 31 Jan 2018 15:05:55 +0100
Subject: [PATCH 09/46] fix: improve ip-port object to add domain instead of IP address
---
 objects/ip-port/definition.json | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json
index 528ab7c..b7be390 100644
--- a/objects/ip-port/definition.json
+++ b/objects/ip-port/definition.json
@@ -1,9 +1,8 @@
 {
 "requiredOneOf": [
 "dst-port",
- "src-port"
- ],
- "required": [
+ "src-port",
+ "domain",
 "ip"
 ],
 "attributes": {
@@ -43,6 +42,15 @@
 "ui-priority": 1,
 "misp-attribute": "port"
 },
+ "domain": {
+ "description": "Domain",
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "domain"
+ },
 "ip": {
 "description": "IP Address",
 "categories": [
@@ -53,8 +61,8 @@
 "misp-attribute": "ip-dst"
 }
 },
- "version": 5,
- "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.",
+ "version": 6,
+ "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.",
 "meta-category": "network",
 "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
 "name": "ip-port"
From b09f0453abc1c1c4735b3ec05c0faa61fdfea8a4 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 5 Feb 2018 09:26:50 +0100
Subject: [PATCH 10/46] chg: Added identity card number
---
 objects/person/definition.json | 5 +++++
 1 file changed, 5 insertions(+)
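Review bot: Folding `ip` from `required` into the single `requiredOneOf` list (hunk `@@ -1,9 +1,8 @@`) weakens the template's validation rather than extending it: an object carrying only `dst-port` or only `src-port`, with neither `ip` nor `domain`, now satisfies the template, whereas before an `ip` plus at least one port was mandatory, and the new description still promises "An IP address (or domain) and a port". If the template format offers only `required` and `requiredOneOf`, the closest expression of the intent is `"requiredOneOf": ["ip", "domain"]`, which keeps the host-identifying attribute mandatory at the cost of no longer enforcing a port; if a second one-of group is expressible, both groups should be kept. The new `domain` attribute's description `"Domain"` is also thinner than its siblings, e.g. `"description": "Domain name seen with the port, as an alternative to the IP address",`.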
diff --git a/objects/person/definition.json b/objects/person/definition.json
index 484cc99..6e25459 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -66,6 +66,11 @@
 ],
 "disable_correlation": true
 },
+ "id-card-number": {
+ "description": "The identity card number of a natural person.",
+ "ui-priority": 0,
+ "misp-attribute": "id-card-number"
+ },
 "passport-number": {
 "description": "The passport number of a natural person.",
 "ui-priority": 0,
From f169fbee36050e51056313235c8e07100ae7998d Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 5 Feb 2018 14:18:21 +0100
Subject: [PATCH 11/46] chg: updated name of the new attribute
---
 objects/person/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index 6e25459..a882dc8 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -66,10 +66,10 @@
 ],
 "disable_correlation": true
 },
- "id-card-number": {
+ "identity-card-number": {
 "description": "The identity card number of a natural person.",
 "ui-priority": 0,
- "misp-attribute": "id-card-number"
+ "misp-attribute": "identity-card-number"
 },
 "passport-number": {
 "description": "The passport number of a natural person.",
From c11c4a28ab1c6bbe666b4f80be34d21a3a472332 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 5 Feb 2018 14:19:58 +0100
Subject: [PATCH 12/46] chg: Added address and zip code attributes
---
 objects/geolocation/definition.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json
index ab6ee46..7a4902b 100644
--- a/objects/geolocation/definition.json
+++ b/objects/geolocation/definition.json
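Review bot: Both person hunks (`@@ -66,6 +66,11 @@` and `@@ -66,10 +66,10 @@`) add and then rename an attribute without incrementing the object's `version`; the diffstats show only the attribute lines changing, and the later person hunk in this series still shows `"version": 3,` as context, whereas the passive-dns, email and ip-port commits bump their version whenever the attribute set changes. Consumers that refresh templates by comparing versions will therefore not pick up `identity-card-number`; the first hunk should carry `"version": 4,` alongside the new attribute. The rename from `id-card-number` to `identity-card-number` one commit later is only harmless because the first name was never released; if the two commits are kept separate, the second message should say it renames a not-yet-released attribute.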
@@ -42,6 +42,16 @@
 "ui-priority": 0,
 "misp-attribute": "float"
 },
+ "address": {
+ "description": "Address.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "zipcode": {
+ "description": "Zip Code.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
 "city": {
 "description": "City.",
 "misp-attribute": "text",
From b92d92764b897bf40ccc83a750b9199679d81c8d Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 5 Feb 2018 16:10:23 +0100
Subject: [PATCH 13/46] description typo
---
 objects/person/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index a882dc8..a041ede 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -107,7 +107,7 @@
 }
 },
 "version": 3,
- "description": "An person which describes a person or an identity.",
+ "description": "An object which describes a person or an identity.",
 "meta-category": "misc",
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
 "name": "person"
From 573873db3b19e7086b8541a0341743a9fa5800cc Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 5 Feb 2018 17:20:39 +0100
Subject: [PATCH 14/46] First version of the legal-entity object
---
 objects/legal-entity/definition.json | 38 ++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 objects/legal-entity/definition.json
diff --git a/objects/legal-entity/definition.json b/objects/legal-entity/definition.json
new file mode 100644
index 0000000..ae37089
--- /dev/null
+++ b/objects/legal-entity/definition.json
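Review bot: The new `address` and `zipcode` attributes in the geolocation hunk are plain `text` with correlation left enabled, unlike the descriptive fields elsewhere in this series that set `"disable_correlation": true`; a postal code is a short, low-entropy string, so a value such as a five-digit code will correlate with any unrelated text attribute holding the same digits across events and produce noise rather than a link. `zipcode` should get `"disable_correlation": true,`, and `address` probably too, though whether a full street address is a useful pivot depends on how the geolocation object is used, which this hunk does not show. The template `version` is also not bumped in this commit — the diffstat accounts for exactly the ten attribute lines — so consumers comparing versions will not see the new attributes.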
@@ -0,0 +1,38 @@
+{
+ "requiredOneOf": [
+ "name"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the entity.",
+ "disable-correlation": "true",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "name": {
+ "description": "Name of an entity.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "commercial-name": {
+ "description": "Commercial name of an entity.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "legal-form": {
+ "description": "Legal form of an entity.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "business": {
+ "description": "Business area of an entity",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "An object to describe a legal entity.",
+ "meta-category": "misc",
+ "uuid": "",
+ "name": "legal-entity"
+}
From 6b98de1c8600d68ac669de101130dcc289911568 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 5 Feb 2018 17:26:13 +0100
Subject: [PATCH 15/46] Updated readme
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 19ca64a..6a5de0a 100644
--- a/README.md
+++ b/README.md
@@ -82,6 +82,7 @@ for a specific attribute.
 * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
 * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
 * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way.
+* [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation.
 * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format.
 * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format.
 * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook.
From d250e6254655f1bd5a42d736a53aa8151a566e19 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 6 Feb 2018 14:19:04 +0100
Subject: [PATCH 16/46] Added additional attributes
---
 objects/legal-entity/definition.json | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/objects/legal-entity/definition.json b/objects/legal-entity/definition.json
index ae37089..dcac487 100644
--- a/objects/legal-entity/definition.json
+++ b/objects/legal-entity/definition.json
@@ -24,10 +24,20 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
- "business": {
- "description": "Business area of an entity",
+ "registration-number": {
+ "description": "Registration number of an entity in the relevant authority.",
 "ui-priority": 0,
 "misp-attribute": "text"
+ },
+ "business": {
+ "description": "Business area of an entity.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "phone-number": {
+ "description": "Phone number of an entity.",
+ "ui-priority": 0,
+ "misp-attribute": "phone-number"
 }
 },
 "version": 1,
From 7966c58db9bcecc6b8baec7729874da78b99c3d2 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 6 Feb 2018 15:06:20 +0100
Subject: [PATCH 17/46] typo
---
 objects/legal-entity/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/legal-entity/definition.json b/objects/legal-entity/definition.json
index dcac487..24feeaf 100644
--- a/objects/legal-entity/definition.json
+++ b/objects/legal-entity/definition.json
@@ -5,7 +5,7 @@
 "attributes": {
 "text": {
 "description": "A description of the entity.",
- "disable-correlation": "true",
+ "disable_correlation": "true",
 "ui-priority": 1,
 "misp-attribute": "text"
 },
From fd74fac62b2a7f05cf0500bb3fb4aeb07d94eb3b Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 6 Feb 2018 15:36:57 +0100
Subject: [PATCH 18/46] Fixed disable_correlation variable type
---
 objects/legal-entity/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/legal-entity/definition.json b/objects/legal-entity/definition.json
index 24feeaf..29f89c5 100644
--- a/objects/legal-entity/definition.json
+++ b/objects/legal-entity/definition.json
@@ -5,7 +5,7 @@
 "attributes": {
 "text": {
 "description": "A description of the entity.",
- "disable_correlation": "true",
+ "disable_correlation": true,
 "ui-priority": 1,
 "misp-attribute": "text"
 },
@@ -43,6 +43,6 @@
 "version": 1,
 "description": "An object to describe a legal entity.",
 "meta-category": "misc",
- "uuid": "",
+ "uuid": "14f5688f-d89c-469f-9878-c48bf6c41c65",
 "name": "legal-entity"
 }
From e1258cd2f72e266526e6fcd7bf8e5e2e0d86f56d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 7 Feb 2018 14:46:09 +0100
Subject: [PATCH 19/46] Common Alerting Protocol Version (CAP) alert object
---
 objects/cap-alert/definition.json | 108 ++++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 objects/cap-alert/definition.json
diff --git a/objects/cap-alert/definition.json b/objects/cap-alert/definition.json
new file mode 100644
index 0000000..90017dc
--- /dev/null
+++ b/objects/cap-alert/definition.json 
@@ -0,0 +1,108 @@
+{
+ "requiredOneOf": [
+ "msgType"
+ ],
+ "attributes": {
+ "identifier": {
+ "description": "The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "sender": {
+ "description": "The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "sent": {
+ "description": "The time and date of the origination of the alert message.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "status": {
+ "description": "The code denoting the appropriate handling of the alert message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Actual",
+ "Exercise",
+ "System",
+ "Test",
+ "Draft"
+ ]
+ },
+ "msgType": {
+ "description": "The code denoting the nature of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Alert",
+ "Update",
+ "Cancel",
+ "Ack",
+ "Error"
+ ]
+ },
+ "source": {
+ "description": "The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "scope": {
+ "description": "The code denoting the intended distribution of the alert message. 
",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "Public",
+ "Restricted",
+ "Private"
+ ]
+ },
+ "restriction": {
+ "description": "The text describing the rule for limiting distribution of the restricted alert message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "addresses": {
+ "description": "The group listing of intended recipients of the alert message. (1) Required when is “Private”, optional when is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes. ",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "code": {
+ "description": "The code denoting the special handling of the alert message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "note": {
+ "description": "The text describing the purpose or significance of the alert message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "incident": {
+ "description": "The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. 
Incident names including whitespace SHALL be surrounded by double-quotes.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Common Alerting Protocol Version (CAP) alert object.",
+ "meta-category": "misc",
+ "uuid": "03b107bb-133d-4180-87ff-e3dbe731f828",
+ "name": "cap-alert"
+}
From 31615336926a3d24a7e258e7e2661a57a20af839 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 7 Feb 2018 14:54:15 +0100
Subject: [PATCH 20/46] fix: trailing dot removed
---
 objects/cap-alert/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/cap-alert/definition.json b/objects/cap-alert/definition.json
index 90017dc..c9fe3ac 100644
--- a/objects/cap-alert/definition.json
+++ b/objects/cap-alert/definition.json
@@ -101,7 +101,7 @@
 }
 },
 "version": 1,
- "description": "Common Alerting Protocol Version (CAP) alert object.",
+ "description": "Common Alerting Protocol Version (CAP) alert object",
 "meta-category": "misc",
 "uuid": "03b107bb-133d-4180-87ff-e3dbe731f828",
 "name": "cap-alert"
From ad8e01d4c5d6898ebe6f64483e98b3252308519d Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Wed, 7 Feb 2018 15:36:37 +0100
Subject: [PATCH 21/46] Transaction object
---
 objects/transaction/definition.json | 56 +++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 objects/transaction/definition.json
diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json
new file mode 100644
index 0000000..46fd9e4
--- /dev/null
+++ b/objects/transaction/definition.json
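Review bot: The cap-alert hunk header counts 108 added lines but only 105 JSON lines are recoverable, and the chunk breaks fall inside the `scope` and `incident` description strings (`... of the alert message. ` / `",` and `... same incident. ` / `Incident names ...`), which suggests those values contain raw line breaks on top of the trailing spaces also visible in the `addresses` description; a raw line break inside a JSON string is rejected by strict parsers, so the `scope`, `addresses` and `incident` descriptions should be single-line with the trailing whitespace trimmed before this template is loaded anywhere. `status` is the only attribute in the file without `"disable_correlation": true`, although its values form a closed enum (`Actual`, `Exercise`, `System`, `Test`, `Draft`) that would correlate meaninglessly across every CAP alert, while `identifier` — the value that the `references` description says links messages as `sender,identifier,sent` — has correlation disabled; this looks inverted and is worth confirming against the intended use. `msgType` keeps the CAP element's camelCase while the other keys in this file and in the sibling templates of this series are lowercase or kebab-case; if mirroring the CAP element names is deliberate, a short note in the object `description` would save the next reader the question.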
@@ -0,0 +1,56 @@
+{
+ "requiredOneOf": [
+ "transaction-number",
+ "date",
+ "amount",
+ "transmode-code"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the transaction.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "transaction-number": {
+ "description": "A unique number identifying a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "location": {
+ "description": "Location where the transaction took place.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "transmode-code": {
+ "description": "How the transaction was conducted.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "transmode-comment": {
+ "description": "Comment describing transmode-code, if needed.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "date": {
+ "description": "Date and time of the transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "amount": {
+ "description": "The value of the transaction in local currency.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "date-posting": {
+ "description": "Date of posting, if different from date of transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "An object to describe a transaction.",
+ "meta-category": "misc",
+ "uuid": "a47fa26a-01b6-4747-a394-5144e34456dc",
+ "name": "transaction"
+}
From 9ad2b50895f7cafdb3051eff21d607a82a0f2414 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Wed, 7 Feb 2018 17:26:09 +0100
Subject: [PATCH 22/46] Updated description and readme
---
 README.md | 1 +
 objects/transaction/definition.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6a5de0a..d60eb4b 100644
--- a/README.md
+++ b/README.md
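Review bot: `amount` is a free-text value described as "in local currency" with no currency attribute beside it, and `location`, `transmode-code`, `transmode-comment`, `amount`, `date` and `date-posting` all leave correlation enabled, so an amount such as `100` or a transmode code will correlate with unrelated text attributes across events; the bank-account template added earlier in this series sets `"disable_correlation": true` on its descriptive fields and carries a `currency-code` attribute, and this object should follow the same pattern (`"disable_correlation": true,` on the descriptive attributes and a `currency-code` attribute next to `amount`). Listing `transmode-code` in `requiredOneOf` also means an object holding only a transmode code and nothing that identifies the transaction validates; `transaction-number`, `date` and `amount` are the identifying fields and `transmode-code` reads like an optional qualifier. Whether `amount` should use a numeric or monetary attribute type rather than `text` depends on the attribute types available, which this hunk does not show.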
@@ -99,6 +99,7 @@ for a specific attribute.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
+* [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
 * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
 * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json
index 46fd9e4..11f703e 100644
--- a/objects/transaction/definition.json
+++ b/objects/transaction/definition.json
@@ -49,7 +49,7 @@
 }
 },
 "version": 1,
- "description": "An object to describe a transaction.",
+ "description": "An object to describe a financial transaction.",
 "meta-category": "misc",
 "uuid": "a47fa26a-01b6-4747-a394-5144e34456dc",
 "name": "transaction"
From 49f78f067d304536fc057840c67a8f5f8782ce96 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 8 Feb 2018 07:45:41 +0100
Subject: [PATCH 23/46] add: Common Alerting Protocol Version (CAP) info object
---
 objects/cap-info/definition.json | 171 +++++++++++++++++++++++++++++++
 1 file changed, 171 insertions(+)
 create mode 100644 objects/cap-info/definition.json
diff --git a/objects/cap-info/definition.json b/objects/cap-info/definition.json
new file mode 100644
index 0000000..9645f13
--- /dev/null
+++ b/objects/cap-info/definition.json
@@ -0,0 +1,171 @@
+{
+ "requiredOneOf": [
+ "category"
+ ],
+ "attributes": {
+ "language": {
+ "description": "The code denoting the language of the info sub-element of the alert message. ",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "category": {
+ "description": "The code denoting the category of the subject event of the alert message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Geo",
+ "Met",
+ "Safety",
+ "Security",
+ "Rescue",
+ "Fire",
+ "Health",
+ "Env",
+ "Transport",
+ "Infra",
+ "CBRNE",
+ "Other"
+ ],
+ "disable_correlation": true
+ },
+ "event": {
+ "description": "The text denoting the type of the subject event of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "responseType": {
+ "description": "The code denoting the type of action recommended for the target audience.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Shelter",
+ "Evacuate",
+ "Prepare",
+ "Execute",
+ "Avoid",
+ "Monitor",
+ "Assess",
+ "AllClear",
+ "None"
+ ]
+ },
+ "urgency": {
+ "description": "The code denoting the urgency of the subject event of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Immediate",
+ "Expected",
+ "Future",
+ "Past",
+ "Unknown"
+ ]
+ },
+ "severity": {
+ "description": "The code denoting the severity of the subject event of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Extreme",
+ "Severe",
+ "Moderate",
+ "Minor",
+ "Unknown"
+ ]
+ },
+ "certainty": {
+ "description": "The code denoting the certainty of the subject event of the alert message. 
For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Likely",
+ "Possible",
+ "Unlikely",
+ "Unknown"
+ ]
+ },
+ "audience": {
+ "description": "The text describing the intended audience of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "eventCode": {
+ "description": "A system-specific code identifying the event type of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "effective": {
+ "description": "The effective time of the information of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "datetime"
+ },
+ "onset": {
+ "description": "The expected time of the beginning of the subject event of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "datetime"
+ },
+ "expires": {
+ "description": "The expiry time of the information of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "datetime"
+ },
+ "senderName": {
+ "description": "The text naming the originator of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "headline": {
+ "description": "The text headline of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "description": {
+ "description": "The text describing the subject event of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "instruction": {
+ "description": "The text describing the recommended action to be taken by recipients of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "web": {
+ "description": "The identifier of 
the hyperlink associating additional information with the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "link"
+ },
+ "contact": {
+ "description": "The text describing the contact for follow-up and confirmation of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "parameter": {
+ "description": "A system-specific additional parameter associated with the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Common Alerting Protocol Version (CAP) info object",
+ "meta-category": "misc",
+ "uuid": "826c25e6-fdd5-4e4a-b081-be5ba3ac2c3d",
+ "name": "cap-info"
+}
From b4d433a845872a20b888b9ba913d6b131c0394d2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 8 Feb 2018 11:53:05 +0100
Subject: [PATCH 24/46] add: Common Alerting Protocol Version (CAP) resource object
---
 objects/cap-resource/definition.json | 46 ++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 objects/cap-resource/definition.json
diff --git a/objects/cap-resource/definition.json b/objects/cap-resource/definition.json
new file mode 100644
index 0000000..92502a2
--- /dev/null
+++ b/objects/cap-resource/definition.json
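Review bot: The keys `responseType`, `eventCode` and `senderName` are camelCase while the other templates in this series use kebab-case (`transaction-number`, `date-posting`, `institution-code`), which looks like CAP element names carried over verbatim; if that is intended, say so in the object description so the names are not "normalised" by a later contributor. The `language` description ends in a trailing space (`"...alert message. "`) that should be trimmed. `requiredOneOf` lists only `category`, whereas CAP also treats `event`, `urgency`, `severity` and `certainty` as mandatory info elements, so a `required` list covering those five would reject incomplete imports earlier — hedged, since matching the CAP schema strictly may not be the goal of this template.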
@@ -0,0 +1,46 @@
+{
+ "requiredOneOf": [
+ "resourceDesc"
+ ],
+ "attributes": {
+ "resourceDesc": {
+ "description": "The text describing the type and content of the resource file.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "mimeType": {
+ "description": "The identifier of the MIME content type and sub-type describing the resource file.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "mime-type"
+ },
+ "size": {
+ "description": "The integer indicating the size of the resource file.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "uri": {
+ "description": "The identifier of the hyperlink for the resource file.",
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "derefUri": {
+ "description": "The base-64 encoded data content of the resource file.",
+ "ui-priority": 0,
+ "misp-attribute": "attachment",
+ "disable_correlation": true
+ },
+ "digest": {
+ "description": "The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL).",
+ "ui-priority": 0,
+ "misp-attribute": "sha1"
+ }
+ },
+ "version": 1,
+ "description": "Common Alerting Protocol Version (CAP) resource object",
+ "meta-category": "misc",
+ "uuid": "6fddc76b-59fc-49f6-a673-52f8d15149c4",
+ "name": "cap-resource"
+}
From 3d2091b33ca8a998673d98c5a28ff10ab08f51dd Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 9 Feb 2018 07:34:58 +0100
Subject: [PATCH 25/46] fix: use new attribute type mime-type instead of text
---
 objects/file/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index f0f7fe0..7749f45 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
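Review bot: `size` is described as "The integer indicating the size of the resource file" but typed `text`, so nothing constrains it to a number and it cannot be compared numerically; `"misp-attribute": "counter"`, the MISP type for integral values, fits the description. `derefUri` stores the base-64 body of a file supplied by the alert sender as an `attachment`, and nothing in its description signals that this is untrusted content from the sender; a sentence to that effect helps analysts who open it. The "(OPTIONAL)" suffix on the `digest` description is CAP-schema wording that carries no meaning in a template where everything outside `requiredOneOf` is already optional, so it can be dropped.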
@@ -138,7 +138,7 @@
 "description": "Mime type",
 "disable_correlation": true,
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "mime-type"
 },
 "state": {
 "misp-attribute": "text",
@@ -156,7 +156,7 @@
 ]
 }
 },
- "version": 9,
+ "version": 10,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
From 061c0ae2223fdfb4fb0563b704f15821fd72347d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 9 Feb 2018 07:38:41 +0100
Subject: [PATCH 26/46] add: Common Alerting Protocol Version (CAP) object templates
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index d60eb4b..9ba5f70 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,9 @@ for a specific attribute.
 * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
 * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
 * [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0.
+* [objects/cap-alert](objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
+* [objects/cap-info](objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
+* [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
 * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency.
 * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
 * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
From eef4aab989606c4a9717040bf3048f116f904846 Mon Sep 17 00:00:00 2001
From: Andras Iklody
Date: Fri, 9 Feb 2018 09:43:39 +0100
Subject: [PATCH 27/46] Changed http request object template require either uri or url, http method is no longer required.
---
 objects/http-request/definition.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/objects/http-request/definition.json b/objects/http-request/definition.json
index 67f7809..76bb081 100644
--- a/objects/http-request/definition.json
+++ b/objects/http-request/definition.json
@@ -1,6 +1,6 @@
 {
- "required": [
- "method",
+ "requiredOneOf": [
+ "url",
 "uri"
 ],
 "attributes": {
@@ -111,7 +111,7 @@
 "misp-attribute": "user-agent"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "A single HTTP request header",
 "meta-category": "network",
 "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",
From 594bf5dcc01282564ab14d09233516a170c48807 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 13 Feb 2018 17:53:37 +0100
Subject: [PATCH 28/46] Added attributes for the teller and the authorizer of a transaction
---
 objects/transaction/definition.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json
index 11f703e..184ff55 100644
--- a/objects/transaction/definition.json
+++ b/objects/transaction/definition.json
@@ -32,6 +32,16 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "teller": {
+ "description": "Person who conducted the transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "authorized": {
+ "description": "Person who autorized the transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "date": {
 "description": "Date and time of the transaction.",
 "ui-priority": 0,
From 0367068f925431eee9ed4ea981517473133129ce Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Wed, 14 Feb 2018 11:33:37 +0100
Subject: [PATCH 29/46] Added attributes to describe some origin and target fields of a transaction
---
 objects/transaction/definition.json | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json
index 184ff55..4aab1f3 100644
--- a/objects/transaction/definition.json
+++ b/objects/transaction/definition.json
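Review bot: `"version": 1` is left untouched while two attributes are added to an existing template (no version line appears in the hunk and the diffstat is insertions only), and the same omission recurs in the later transaction hunks adding funds codes, their sane defaults and countries, and in the bank-account hunks renaming `institution-code` and `client-_number` and adding `aba-rtn`; MISP template updates are keyed on `version`, so instances that already hold version 1 are unlikely to pick these changes up until it is bumped. Separately, `authorized` names a state while its description and the commit subject describe a person, and `autorized` is misspelt; `"authorizer": {` with `"description": "Person who authorized the transaction."` would parallel `teller`. The enclosing `attributes` object starts and ends outside this hunk.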
@@ -56,6 +56,26 @@
 "description": "Date of posting, if different from date of transaction.",
 "ui-priority": 0,
 "misp-attribute": "datetime"
+ },
+ "from-funds-code": {
+ "description": "Type of funds used to initiate a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "to-funds-code": {
+ "description": "Type of funds used to finalize a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "from-country": {
+ "description": "Origin country of a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "to-country": {
+ "description": "Target country of a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
 }
 },
 "version": 1,
From 71fa0f66fa48fc6641a6ef3d51387a974f794434 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Wed, 14 Feb 2018 14:11:42 +0100
Subject: [PATCH 30/46] Added default values of funds code
---
 objects/transaction/definition.json | 34 +++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json
index 4aab1f3..3cf4beb 100644
--- a/objects/transaction/definition.json
+++ b/objects/transaction/definition.json
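Review bot: `from-country` and `to-country` take values from a bounded set, so with correlation enabled every transaction touching the same country is linked to every other across unrelated events; `"disable_correlation": true`, which the next commit gives the funds codes, applies just as much here. The descriptions also leave the value format open (ISO 3166 code or free-text name), and because correlation and search are exact-match, stating the expected format would keep values comparable across contributors. The enclosing `attributes` object starts outside this hunk.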
@@ -60,12 +60,42 @@
 "from-funds-code": {
 "description": "Type of funds used to initiate a transaction.",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "A Deposit",
+ "C Currency exchange",
+ "D Casino chips",
+ "E Bank draft",
+ "F Money order",
+ "G Traveler’s cheques",
+ "H Life insurance policy",
+ "I Real estate",
+ "J Securities",
+ "K Cash",
+ "O Other",
+ "P Cheque"
+ ]
 },
 "to-funds-code": {
 "description": "Type of funds used to finalize a transaction.",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "A Deposit",
+ "C Currency exchange",
+ "D Casino chips",
+ "E Bank draft",
+ "F Money order",
+ "G Traveler’s cheques",
+ "H Life insurance policy",
+ "I Real estate",
+ "J Securities",
+ "K Cash",
+ "O Other",
+ "P Cheque"
+ ]
 },
 "from-country": {
 "description": "Origin country of a transaction.",
From 4cccea8828c3004add34e5acfc3204cf20ceaf53 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 20 Feb 2018 15:44:02 +0100
Subject: [PATCH 31/46] Fixed the bank-account meta-category ... which is actually "financial"
---
 objects/transaction/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json
index 3cf4beb..5dc404e 100644
--- a/objects/transaction/definition.json
+++ b/objects/transaction/definition.json
@@ -110,7 +110,7 @@
 },
 "version": 1,
 "description": "An object to describe a financial transaction.",
- "meta-category": "misc",
+ "meta-category": "financial",
 "uuid": "a47fa26a-01b6-4747-a394-5144e34456dc",
 "name": "transaction"
 }
From 271c789f9747491d3194258fa1a73297245fc2dd Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Thu, 22 Feb 2018 01:18:15 +0100
Subject: [PATCH 32/46] fix: Fixed somme bank-account fields
---
 objects/bank-account/definition.json | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json
index 46466e9..763cec7 100644
--- a/objects/bank-account/definition.json
+++ b/objects/bank-account/definition.json
@@ -9,12 +9,18 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
- "institution-code": {
+ "institution-name": {
 "description": "Name of the bank or financial organisation.",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "institution-code": {
+ "description": "Institution code of the bank.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "swift": {
 "description": "SWIFT or BIC as defined in ISO 9362.",
 "disable_correlation": true,
@@ -58,7 +64,7 @@
 "ui-priority": 0,
 "misp-attribute": "iban"
 },
- "client-_number": {
+ "client-number": {
 "description": "Client number as seen by the bank.",
 "ui-priority": 0,
 "misp-attribute": "text"
From 8b1aff81355f345b8fdc30325577dbeb13a9ca4d Mon Sep 17 00:00:00 2001
From: zoomequipd
Date: Thu, 22 Feb 2018 16:36:19 -0600
Subject: [PATCH 33/46] add aba-rtn to bank-account object
---
 objects/bank-account/definition.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json
index 763cec7..528a1a6 100644
--- a/objects/bank-account/definition.json
+++ b/objects/bank-account/definition.json
@@ -54,6 +54,11 @@
 "disable_correlation": true,
 "misp-attribute": "text"
 },
+ "aba-rbn": {
+ "description": " ABA routing transit number",
+ "ui-priority": 0,
+ "misp-attribute": "aba-rbn"
+ },
 "account-name": {
 "description": "A field to freely describe the bank account details.",
 "ui-priority": 0,
From 0d31f27efc3dbb866d2163a328348f4ad1e532f9 Mon Sep 17 00:00:00 2001
From: zoomequipd
Date: Thu, 22 Feb 2018 16:37:12 -0600
Subject: [PATCH 34/46] correct rbn --> rtn
---
 objects/bank-account/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json
index 528a1a6..3c7ecee 100644
--- a/objects/bank-account/definition.json
+++ b/objects/bank-account/definition.json
@@ -54,10 +54,10 @@
 "disable_correlation": true,
 "misp-attribute": "text"
 },
- "aba-rbn": {
+ "aba-rtn": {
 "description": " ABA routing transit number",
 "ui-priority": 0,
- "misp-attribute": "aba-rbn"
+ "misp-attribute": "aba-rtn"
 },
 "account-name": {
 "description": "A field to freely describe the bank account details.",
From 73a2b411033dccec3487d50436a73b1d2c154bb7 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 23 Feb 2018 08:25:35 +0100
Subject: [PATCH 35/46] fix: jq all the things
---
 objects/bank-account/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json
index 3c7ecee..4952a7e 100644
--- a/objects/bank-account/definition.json
+++ b/objects/bank-account/definition.json
@@ -58,7 +58,7 @@
 "description": " ABA routing transit number",
 "ui-priority": 0,
 "misp-attribute": "aba-rtn"
- },
+ },
 "account-name": {
 "description": "A field to freely describe the bank account details.",
 "ui-priority": 0,
From bdaee9e1c7ba5ba53aeca11d32734f23ad8254f1 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Feb 2018 17:41:29 +0100
Subject: [PATCH 36/46] add: Cowrie honeypot object template
---
 objects/cowrie/definition.json | 81 ++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 objects/cowrie/definition.json
diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json
new file mode 100644
index 0000000..6f8501f
--- /dev/null
+++ b/objects/cowrie/definition.json
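Review bot: The `aba-rtn` description still starts with a stray leading space (`" ABA routing transit number"`), which this rename keeps and the following whitespace-only commit does not touch either; it should read `"description": "ABA routing transit number"`. A routing transit number identifies an institution rather than an account, so with correlation left enabled every bank-account object at the same bank will be linked together; `"disable_correlation": true`, as the template already sets on `institution-name` and `institution-code`, seems the consistent choice. The enclosing `attributes` object starts and ends outside this hunk.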
@@ -0,0 +1,81 @@
+{
+ "requiredOneOf": [
+ "session"
+ ],
+ "attributes": {
+ "eventid": {
+ "description": "Eventid of the session in the cowrie honeypot",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "system": {
+ "description": "System origin in cowrie honeypot",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "username": {
+ "description": "Username related to the password(s)",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "passsword": {
+ "description": "Password",
+ "multiple": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "session": {
+ "description": "Session id",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "timestamp": {
+ "description": "When the event happened",
+ "ui-priority": 1,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "message": {
+ "description": "Message of the cowrie honeypot",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "protocol": {
+ "description": "Protocol used in the cowrie honeypot",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "sensor": {
+ "description": "Cowrie sensor name",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "src_ip": {
+ "description": "Source IP address of the session",
+ "ui-priority": 1,
+ "misp-attribute": "ip-src"
+ },
+ "dst_ip": {
+ "description": "Destionation IP address of the session",
+ "ui-priority": 1,
+ "misp-attribute": "ip-dst",
+ "disable_correlation": true
+ },
+ "isError": {
+ "description": "isError",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Cowrie honeypot object template",
+ "meta-category": "network",
+ "uuid": "ae085d32-6534-4d52-b3eb-063fccb753e7",
+ "name": "cowrie"
+}
From 2f433a5e5c952b74bc60e82629b82c8f63e50da4 Mon Sep 17 00:00:00 2001
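Review bot: `username` and `password` (spelt `passsword` here; corrected later in the series) keep correlation enabled, yet credentials tried against a honeypot cluster around a small set of common defaults, so these values will link nearly every cowrie object to every other and drown the useful pivots; `"disable_correlation": true` on both, leaving `src_ip` and `session` to correlate, is the safer default. `isError` is documented only as `"isError"`; the description should say what the value means, e.g. `"description": "Error flag of the event as reported by cowrie"` — hedged, since the cowrie semantics are not visible here. Disabling correlation on `dst_ip` while leaving `src_ip` enabled is the right split for a honeypot, where the destination is the sensor itself.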
From: Alexandre Dulaunoy
Date: Wed, 28 Feb 2018 17:42:56 +0100
Subject: [PATCH 37/46] add: Cowrie object template added
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 9ba5f70..3de8efb 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ for a specific attribute.
 * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
 * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency.
 * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
+* [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions.
 * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
 * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
 * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
From 1fe3e79a0563f6895d2b27541eef205dfc541a57 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Feb 2018 17:47:02 +0100
Subject: [PATCH 38/46] fix: add missing destination and source port
---
 objects/cowrie/definition.json | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json
index 6f8501f..609cdee 100644
--- a/objects/cowrie/definition.json
+++ b/objects/cowrie/definition.json
@@ -61,11 +61,23 @@
 "misp-attribute": "ip-src"
 },
 "dst_ip": {
- "description": "Destionation IP address of the session",
+ "description": "Destination IP address of the session",
 "ui-priority": 1,
 "misp-attribute": "ip-dst",
 "disable_correlation": true
 },
+ "src_port": {
+ "description": "Source port of the session",
+ "ui-priority": 1,
+ "misp-attribute": "port",
+ "disable_correlation": true
+ },
+ "dst_port": {
+ "description": "Destination port of the session",
+ "ui-priority": 1,
+ "misp-attribute": "port",
+ "disable_correlation": true
+ },
 "isError": {
 "description": "isError",
 "ui-priority": 1,
From 73aa339ddd5e71cac425f8ad4e1892c4fabd42b9 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Thu, 1 Mar 2018 16:20:58 +0100
Subject: [PATCH 39/46] typo: passsword -> password
---
 objects/cowrie/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json
index 609cdee..815712a 100644
--- a/objects/cowrie/definition.json
+++ b/objects/cowrie/definition.json
@@ -20,7 +20,7 @@
 "ui-priority": 1,
 "misp-attribute": "text"
 },
- "passsword": {
+ "password": {
 "description": "Password",
 "multiple": true,
 "ui-priority": 1,
From a93a2851320f0df5cabd2f1309d50b24ec7f41c0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 1 Mar 2018 21:08:16 +0100
Subject: [PATCH 40/46] fix: Cowrie object - SSH attributes added
---
 objects/cowrie/definition.json | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json
index 815712a..2016b7b 100644
--- a/objects/cowrie/definition.json
+++ b/objects/cowrie/definition.json
@@ -83,9 +83,41 @@
 "ui-priority": 1,
 "misp-attribute": "text",
 "disable_correlation": true
+ },
+ "input": {
+ "description": "Input of the session",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "macCS": {
+ "description": "SSH MAC supported in the sesssion",
+ "multiple": true,
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "keyAlgs": {
+ "description": "SSH public-key algorithm supported in the session",
+ "multiple": true,
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "encCS": {
+ "description": "SSH symmetric encryption algorithm supported in the session",
+ "multiple": true,
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "compCS": {
+ "description": "SSH compression algorithm supported in the session",
+ "multiple": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "Cowrie honeypot object template",
 "meta-category": "network",
 "uuid": "ae085d32-6534-4d52-b3eb-063fccb753e7",
From 4ed961f5e65607bdcbf4696a15aa945fc8e471b3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 1 Mar 2018 21:09:04 +0100
Subject: [PATCH 41/46] fix: disable correlation for compression algorithms
---
 objects/cowrie/definition.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json
index 2016b7b..d3926d1 100644
--- a/objects/cowrie/definition.json
+++ b/objects/cowrie/definition.json
@@ -114,7 +114,8 @@
 "description": "SSH compression algorithm supported in the session",
 "multiple": true,
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 }
 },
 "version": 2,
From f7f0a88838e417c7c55451e31cf9ff7967be7b00 Mon Sep 17 00:00:00 2001
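Review bot: `input` is the only new attribute without `"disable_correlation": true`; if it holds the command input recorded for the session, as the name suggests, such strings repeat heavily across unrelated sessions and will generate the same noisy cross-event links the other new fields avoid, so disable it unless correlating on identical commands is intended. `sesssion` in the `macCS` description is misspelt. The new keys `macCS`, `keyAlgs`, `encCS` and `compCS` are camelCase next to `src_ip`/`dst_ip` in the same template; if they mirror cowrie's own field names, a remark in the descriptions would explain the inconsistency. The enclosing `attributes` object starts outside this hunk.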
From: Alexandre Dulaunoy
Date: Thu, 15 Mar 2018 09:38:53 +0100
Subject: [PATCH 42/46] fix: some parts of the URL can be repeated such as resource path, anchor... multiple flag added to the potential part to be repeated. following a discussion in Gitter with @makflwana
---
 objects/url/definition.json | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/objects/url/definition.json b/objects/url/definition.json
index 368e8f7..10729f9 100644
--- a/objects/url/definition.json
+++ b/objects/url/definition.json
@@ -6,7 +6,8 @@
 "fragment": {
 "description": "Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "multiple": true
 },
 "tld": {
 "description": "Top-Level Domain",
@@ -42,12 +43,14 @@
 "resource_path": {
 "description": "Path (between hostname:port and query)",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "multiple": true
 },
 "query_string": {
 "description": "Query (after path, preceded by '?')",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "multiple": true
 },
 "url": {
 "description": "Full URL",
@@ -92,7 +95,7 @@
 "misp-attribute": "hostname"
 }
 },
- "version": 5,
+ "version": 6,
 "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
 "meta-category": "network",
 "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
From cee578dce19f5b4f87af3272e40772d752836c3d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 16 Mar 2018 11:35:15 +0100
Subject: [PATCH 43/46] add: Connected_To (old STIX 1.1 relationship)
---
 relationships/definition.json | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/relationships/definition.json b/relationships/definition.json
index 5e6083e..ae5f3db 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -25,6 +25,14 @@
 "stix-2.0"
 ]
 },
+ {
+ "name": "connected-to",
+ "description": "The referenced source is connected to the target object.",
+ "format": [
+ "misp",
+ "stix-1.1"
+ ]
+ },
 {
 "name": "attributed-to",
 "description": "This referenced source is attributed to the target object.",
From 982e2d8b7587f81d90f8f58e54aeaae9d89e44ee Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 16 Mar 2018 13:13:35 +0100
Subject: [PATCH 44/46] fix: raw whois is also accepted as single attribute in whois object Required for importing STIX CybOX 1.1 object where just a raw whois entry is added in remarks.
---
 objects/whois/definition.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/whois/definition.json b/objects/whois/definition.json
index 320873c..0215a41 100644
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@@ -4,7 +4,8 @@
 "registrant-phone",
 "creation-date",
 "registrant-name",
- "registrar"
+ "registrar",
+ "text"
 ],
 "required": [
 "domain"
@@ -77,7 +78,7 @@
 "misp-attribute": "domain"
 }
 },
- "version": 7,
+ "version": 8,
 "description": "Whois records information for a domain name.",
 "meta-category": "network",
 "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
From e7e387804297645064dcc3890b9d90c2cb63fb15 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 16 Mar 2018 13:29:39 +0100
Subject: [PATCH 45/46] fix: whois record object updated to cover both cases: domain or IP address
---
 objects/whois/definition.json | 23 ++++++++++++++++------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/objects/whois/definition.json b/objects/whois/definition.json
index 0215a41..0c4d5b0 100644
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@@ -5,10 +5,9 @@
 "creation-date",
 "registrant-name",
 "registrar",
- "text"
- ],
- "required": [
- "domain"
+ "text",
+ "domain",
+ "ip-address"
 ],
 "attributes": {
 "text": {
@@ -74,12 +73,22 @@
 "Network activity",
 "External analysis"
 ],
- "ui-priority": 1,
+ "ui-priority": 0,
 "misp-attribute": "domain"
+ },
+ "comment": {
+ "description": "Comment of the whois entry",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ip-address": {
+ "description": "IP address of the whois entry",
+ "ui-priority": 0,
+ "misp-attribute": "ip-src"
 }
 },
- "version": 8,
- "description": "Whois records information for a domain name.",
+ "version": 9,
+ "description": "Whois records information for a domain name or an IP address.",
 "meta-category": "network",
 "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
 "name": "whois"
From c92ee2e46179f2b30ff1011950f16af38e0f94fc Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 19 Mar 2018 17:33:45 +0100
Subject: [PATCH 46/46] fix: version field added if stix2-pattern has multiple version in the future
---
 objects/stix2-pattern/definition.json | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/objects/stix2-pattern/definition.json b/objects/stix2-pattern/definition.json
index 5abd6f0..ab49a22 100644
--- a/objects/stix2-pattern/definition.json
+++ b/objects/stix2-pattern/definition.json
@@ -12,9 +12,17 @@
 "description": "STIX 2 pattern",
 "ui-priority": 0,
 "misp-attribute": "stix2-pattern"
+ },
+ "version": {
+ "description": "Version of STIX 2 pattern.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "stix 2.0"
+ ]
 }
 },
- "version": 1,
+ "version": 2,
 "description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
 "meta-category": "misc",
 "uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
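Review bot: `ip-address` is typed `ip-src`, which attaches traffic-direction semantics to a value that is merely the subject of a whois lookup; the attribute will be presented, and presumably correlated, as a source address even when the analyst looked up a destination or a netblock. If no direction-neutral IP type is available, the description should at least say so, e.g. `"description": "IP address of the whois entry (stored as ip-src irrespective of traffic direction)"`. The new `comment` attribute also overlaps the per-attribute comment field MISP already provides on every attribute, so its purpose relative to `text` is worth spelling out in its description. The enclosing `attributes` object starts outside this hunk.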
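Review bot: The new attribute key `version` sits inside `attributes` beside the template's own top-level `"version"` key; that is valid JSON since they live in different objects, but it reads ambiguously and may confuse tooling that flattens templates, so a more specific key such as `stix-version` would be clearer, or failing that the description should state that it means the STIX pattern language version rather than the template version. The `sane_default` value `"stix 2.0"` mixes a product name into the version string; if more versions follow, as the commit subject anticipates, a bare version such as `"2.0"` compares and sorts more predictably. The enclosing `attributes` object starts outside this hunk.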