Merge branch 'master' of github.com:MISP/misp-objects

pull/86/head
Raphaël Vinot 2018-03-26 10:54:52 +02:00
commit 61fd6728d9
19 changed files with 904 additions and 40 deletions

View File

@ -70,8 +70,13 @@ for a specific attribute.
* [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file). * [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file).
* [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
* [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
* [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0.
* [objects/cap-alert](objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
* [objects/cap-info](objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
* [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
* [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency. * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency.
* [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases. * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
* [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions.
* [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
* [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame. * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
* [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF). * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
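Review bot: the three new cap-* entries read "Common Alerting Protocol Version (CAP)", which leaves "Version" dangling; the OASIS standard is named "Common Alerting Protocol (CAP)", optionally followed by a version number, so either drop "Version" or write "Common Alerting Protocol (CAP) Version 1.2". The same wording is in the description field of the three cap-* definition.json files and should be fixed in both places so README and template descriptions stay identical. The cowrie entry also differs from its template description ("Cowrie honeypot object template"); keep the two in sync.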
@ -81,6 +86,7 @@ for a specific attribute.
* [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location. * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
* [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame. * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
* [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way. * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way.
* [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation.
* [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format. * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format.
* [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format. * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format.
* [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook. * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook.
@ -94,7 +100,10 @@ for a specific attribute.
* [objects/registry-key](objects/registry-key/definition.json) - A registry-key object. * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
* [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml. * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
* [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
* [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
* [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
* [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata. * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
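Review bot: "Sandbox report object." and "Sandbox detection signature object." say nothing about what the templates hold, unlike the neighbouring av-signature and virustotal-report entries; name the kind of data captured (for instance the analysed sample and the sandbox verdict) so readers can tell sandbox-report apart from virustotal-report, and spell out the abbreviation in the sb-signature entry ("Sandbox (sb) detection signature").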

View File

@ -0,0 +1,170 @@
{
"requiredOneOf": [
"account"
],
"attributes": {
"text": {
"description": "A description of the bank account.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"institution-name": {
"description": "Name of the bank or financial organisation.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"institution-code": {
"description": "Institution code of the bank.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"swift": {
"description": "SWIFT or BIC as defined in ISO 9362.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "bic"
},
"branch": {
"description": "Branch code or name",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"non-banking-institution": {
"description": "A flag to define if this account belong to a non-banking organisation. If set to true, it's a non-banking organisation.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "boolean"
},
"account": {
"description": "Account number",
"ui-priority": 0,
"misp-attribute": "bank-account-nr"
},
"currency-code": {
"description": "Currency of the account.",
"ui-priority": 0,
"sane_default": [
"USD",
"EUR"
],
"disable_correlation": true,
"misp-attribute": "text"
},
"aba-rtn": {
"description": " ABA routing transit number",
"ui-priority": 0,
"misp-attribute": "aba-rtn"
},
"account-name": {
"description": "A field to freely describe the bank account details.",
"ui-priority": 0,
"misp-attribute": "text"
},
"iban": {
"description": "IBAN of the bank account.",
"ui-priority": 0,
"misp-attribute": "iban"
},
"client-number": {
"description": "Client number as seen by the bank.",
"ui-priority": 0,
"misp-attribute": "text"
},
"personal-account-type": {
"description": "Account type.",
"ui-priority": 0,
"sane_default": [
"A - Business",
"B - Personal Current",
"C - Savings",
"D - Trust Account",
"E - Trading Account",
"O - Other"
],
"disable_correlation": true,
"misp-attribute": "text"
},
"opened": {
"description": "When the account was opened.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"closed": {
"description": "When the account was closed.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"balance": {
"description": "The balance of the account after the suspicious transaction was processed.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"date-balance": {
"description": "When the balance was reported.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"status-code": {
"description": "Account status at the time of the transaction processed.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"A - Active",
"B - Inactive",
"C - Dormant"
]
},
"beneficiary": {
"description": "Final beneficiary of the bank account.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"beneficiary-comment": {
"description": "Comment about the final beneficiary.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"comments": {
"description": "Comments about the bank account.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"report-code": {
"description": "Report code of the bank account.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"CTR Cash Transaction Report",
"STR Suspicious Transaction Report",
"EFT Electronic Funds Transfer",
"IFT International Funds Transfer",
"TFR Terror Financing Report",
"BCR Border Cash Report",
"UTR Unusual Transaction Report",
"AIF Additional Information File Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.",
"IRI Incoming Request for Information International",
"ORI Outgoing Request for Information International",
"IRD Incoming Request for Information Domestic",
"ORD Outgoing Request for Information Domestic"
]
}
},
"version": 1,
"description": "An object describing bank account information based on account description from goAML 4.0.",
"meta-category": "financial",
"uuid": "b4712203-95a8-4883-80e9-b566f5df11c9",
"name": "bank-account"
}
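Review bot: requiredOneOf lists only account, so a bank account known only by its IBAN (or by SWIFT/BIC plus client-number) cannot be created even though iban is a first-class attribute of this template; make it "requiredOneOf": ["account", "iban"]. Smaller points in the same file: the aba-rtn description starts with a stray space (" ABA routing transit number"); the account-name description ("A field to freely describe the bank account details.") duplicates text and comments, so if the field is meant to hold the account holder's name, say so; and in the report-code sane_default the AIF entry embeds a sentence of explanation ("Can be used for example to get full disclosure ...") in the selectable value itself. Move that explanation into the attribute description and keep the value to "AIF Additional Information File" like the other entries.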

View File

@ -0,0 +1,108 @@
{
"requiredOneOf": [
"msgType"
],
"attributes": {
"identifier": {
"description": "The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"sender": {
"description": "The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"sent": {
"description": "The time and date of the origination of the alert message.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"status": {
"description": "The code denoting the appropriate handling of the alert message.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"Actual",
"Exercise",
"System",
"Test",
"Draft"
]
},
"msgType": {
"description": "The code denoting the nature of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Alert",
"Update",
"Cancel",
"Ack",
"Error"
]
},
"source": {
"description": "The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"scope": {
"description": "The code denoting the intended distribution of the alert message. ",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Public",
"Restricted",
"Private"
]
},
"restriction": {
"description": "The text describing the rule for limiting distribution of the restricted alert message.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"addresses": {
"description": "The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes. ",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"code": {
"description": "The code denoting the special handling of the alert message.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"note": {
"description": "The text describing the purpose or significance of the alert message.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"incident": {
"description": "The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "Common Alerting Protocol Version (CAP) alert object",
"meta-category": "misc",
"uuid": "03b107bb-133d-4180-87ff-e3dbe731f828",
"name": "cap-alert"
}
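Review bot: status has a fixed five-value vocabulary (Actual, Exercise, System, Test, Draft) but is the only attribute in this template without "disable_correlation": true, so every cap-alert object with status Actual would correlate with every other one; add the flag as is done for msgType and scope. Also reconsider requiredOneOf: a CAP alert block always carries identifier, sender, sent, status, msgType and scope, so requiring only msgType lets an alert object exist without identifier or sender; at minimum add identifier to the list. The scope and addresses descriptions end with a trailing space.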

View File

@ -0,0 +1,171 @@
{
"requiredOneOf": [
"category"
],
"attributes": {
"language": {
"description": "The code denoting the language of the info sub-element of the alert message. ",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"category": {
"description": "The code denoting the category of the subject event of the alert message.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"Geo",
"Met",
"Safety",
"Security",
"Rescue",
"Fire",
"Health",
"Env",
"Transport",
"Infra",
"CBRNE",
"Other"
],
"disable_correlation": true
},
"event": {
"description": "The text denoting the type of the subject event of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"responseType": {
"description": "The code denoting the type of action recommended for the target audience.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Shelter",
"Evacuate",
"Prepare",
"Execute",
"Avoid",
"Monitor",
"Assess",
"AllClear",
"None"
]
},
"urgency": {
"description": "The code denoting the urgency of the subject event of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Immediate",
"Expected",
"Future",
"Past",
"Unknown"
]
},
"severity": {
"description": "The code denoting the severity of the subject event of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Extreme",
"Severe",
"Moderate",
"Minor",
"Unknown"
]
},
"certainty": {
"description": "The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Likely",
"Possible",
"Unlikely",
"Unknown"
]
},
"audience": {
"description": "The text describing the intended audience of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"eventCode": {
"description": "A system-specific code identifying the event type of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"effective": {
"description": "The effective time of the information of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "datetime"
},
"onset": {
"description": "The expected time of the beginning of the subject event of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "datetime"
},
"expires": {
"description": "The expiry time of the information of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "datetime"
},
"senderName": {
"description": "The text naming the originator of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"headline": {
"description": "The text headline of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"description": {
"description": "The text describing the subject event of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"instruction": {
"description": "The text describing the recommended action to be taken by recipients of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"web": {
"description": "The identifier of the hyperlink associating additional information with the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "link"
},
"contact": {
"description": "The text describing the contact for follow-up and confirmation of the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"parameter": {
"description": "A system-specific additional parameter associated with the alert message.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Common Alerting Protocol Version (CAP) info object",
"meta-category": "misc",
"uuid": "826c25e6-fdd5-4e4a-b081-be5ba3ac2c3d",
"name": "cap-info"
}
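Review bot: certainty's sane_default omits Observed, the first value of the CAP 1.2 certainty vocabulary (Observed, Likely, Possible, Unlikely, Unknown) that the description itself refers to when it mentions the deprecated "Very Likely". Separately, category, responseType, eventCode and parameter may each occur more than once in a CAP info block, so they need "multiple": true (as cowrie does for password), otherwise only one value per object can be recorded. The language description has a trailing space.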

View File

@ -0,0 +1,46 @@
{
"requiredOneOf": [
"resourceDesc"
],
"attributes": {
"resourceDesc": {
"description": "The text describing the type and content of the resource file.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"mimeType": {
"description": "The identifier of the MIME content type and sub-type describing the resource file.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "mime-type"
},
"size": {
"description": "The integer indicating the size of the resource file.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"uri": {
"description": "The identifier of the hyperlink for the resource file.",
"ui-priority": 0,
"misp-attribute": "link"
},
"derefUri": {
"description": "The base-64 encoded data content of the resource file.",
"ui-priority": 0,
"misp-attribute": "attachment",
"disable_correlation": true
},
"digest": {
"description": "The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL).",
"ui-priority": 0,
"misp-attribute": "sha1"
}
},
"version": 1,
"description": "Common Alerting Protocol Version (CAP) resource object",
"meta-category": "misc",
"uuid": "6fddc76b-59fc-49f6-a673-52f8d15149c4",
"name": "cap-resource"
}
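Review bot: size is described as "The integer indicating the size" but typed text; the counter type used by passive-dns for count fits and keeps the value numeric. derefUri is typed attachment, whose value in MISP is a file name with the content carried separately, while the description says the value is "The base-64 encoded data content of the resource file"; reword it to say the resource file itself is attached and state where the file name comes from (e.g. the last path segment of uri). digest pinned to sha1 matches the CAP specification, which mandates SHA-1 for this element.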

View File

@ -0,0 +1,126 @@
{
"requiredOneOf": [
"session"
],
"attributes": {
"eventid": {
"description": "Eventid of the session in the cowrie honeypot",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"system": {
"description": "System origin in cowrie honeypot",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"username": {
"description": "Username related to the password(s)",
"ui-priority": 1,
"misp-attribute": "text"
},
"password": {
"description": "Password",
"multiple": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"session": {
"description": "Session id",
"ui-priority": 1,
"misp-attribute": "text"
},
"timestamp": {
"description": "When the event happened",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"message": {
"description": "Message of the cowrie honeypot",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"protocol": {
"description": "Protocol used in the cowrie honeypot",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"sensor": {
"description": "Cowrie sensor name",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"src_ip": {
"description": "Source IP address of the session",
"ui-priority": 1,
"misp-attribute": "ip-src"
},
"dst_ip": {
"description": "Destination IP address of the session",
"ui-priority": 1,
"misp-attribute": "ip-dst",
"disable_correlation": true
},
"src_port": {
"description": "Source port of the session",
"ui-priority": 1,
"misp-attribute": "port",
"disable_correlation": true
},
"dst_port": {
"description": "Destination port of the session",
"ui-priority": 1,
"misp-attribute": "port",
"disable_correlation": true
},
"isError": {
"description": "isError",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"input": {
"description": "Input of the session",
"ui-priority": 1,
"misp-attribute": "text"
},
"macCS": {
"description": "SSH MAC supported in the sesssion",
"multiple": true,
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"keyAlgs": {
"description": "SSH public-key algorithm supported in the session",
"multiple": true,
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"encCS": {
"description": "SSH symmetric encryption algorithm supported in the session",
"multiple": true,
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"compCS": {
"description": "SSH compression algorithm supported in the session",
"multiple": true,
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 2,
"description": "Cowrie honeypot object template",
"meta-category": "network",
"uuid": "ae085d32-6534-4d52-b3eb-063fccb753e7",
"name": "cowrie"
}
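Review bot: username, password and input correlate by default (no "disable_correlation"), so common honeypot credentials such as root/123456 and commands such as uname -a will correlate every cowrie object on an instance with every other; add "disable_correlation": true to those three and let src_ip carry the correlation (the template already gets this right by correlating src_ip while disabling dst_ip). isError has the description "isError" and type text; it is a flag, so use the boolean type already used by bank-account (non-banking-institution) and describe what it flags. Typo in the macCS description: "sesssion".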

View File

@ -3,7 +3,7 @@
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"meta-category": "network", "meta-category": "network",
"description": "Email object describing an email with meta-information", "description": "Email object describing an email with meta-information",
"version": 7, "version": 8,
"attributes": { "attributes": {
"reply-to": { "reply-to": {
"description": "Email address the reply will be sent to", "description": "Email address the reply will be sent to",
@ -138,6 +138,14 @@
"categories": [ "categories": [
"Payload delivery" "Payload delivery"
] ]
},
"email-body": {
"description": "Body of the email",
"misp-attribute": "email-body",
"ui-priority": 1,
"categories": [
"Payload delivery"
]
} }
}, },
"requiredOneOf": [ "requiredOneOf": [
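Review bot: email-body is added without "disable_correlation": true; full message bodies are long, expensive to correlate and either unique per message or, when a phishing kit reuses a body, correlate every recipient's sample into one large cluster. Consider disabling correlation on email-body and relying on the subject and attachment attributes of this object for correlation.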

View File

@ -138,7 +138,7 @@
"description": "Mime type", "description": "Mime type",
"disable_correlation": true, "disable_correlation": true,
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "text" "misp-attribute": "mime-type"
}, },
"state": { "state": {
"misp-attribute": "text", "misp-attribute": "text",
@ -156,7 +156,7 @@
] ]
} }
}, },
"version": 9, "version": 10,
"description": "File object describing a file with meta-information", "description": "File object describing a file with meta-information",
"meta-category": "file", "meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",

View File

@ -42,6 +42,16 @@
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "float" "misp-attribute": "float"
}, },
"address": {
"description": "Address.",
"misp-attribute": "text",
"ui-priority": 1
},
"zipcode": {
"description": "Zip Code.",
"misp-attribute": "text",
"ui-priority": 1
},
"city": { "city": {
"description": "City.", "description": "City.",
"misp-attribute": "text", "misp-attribute": "text",
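Review bot: zipcode is added with correlation enabled; a postal code is shared by many locations and will correlate unrelated geolocation objects, so add "disable_correlation": true to it (address is specific enough to keep correlating). "zipcode" is also US terminology; postal-code would read better for non-US users, and the description "Zip Code." should say the value is free-form and not tied to one country's format.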

View File

@ -1,6 +1,6 @@
{ {
"required": [ "requiredOneOf": [
"method", "url",
"uri" "uri"
], ],
"attributes": { "attributes": {
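Review bot: switching from "required": ["method", "uri"] to "requiredOneOf": ["url", "uri"] drops method from the required set, so an HTTP request object can now be created with no HTTP method; if that is intended (URL-only sightings), say so in the template description, which still reads "A single HTTP request header". Also confirm that url is defined in the attributes block: only uri and user-agent are visible in this hunk's context, and a requiredOneOf entry without a matching attribute can never be satisfied.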
@ -111,7 +111,7 @@
"misp-attribute": "user-agent" "misp-attribute": "user-agent"
} }
}, },
"version": 1, "version": 2,
"description": "A single HTTP request header", "description": "A single HTTP request header",
"meta-category": "network", "meta-category": "network",
"uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b", "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",

View File

@ -1,9 +1,8 @@
{ {
"requiredOneOf": [ "requiredOneOf": [
"dst-port", "dst-port",
"src-port" "src-port",
], "domain",
"required": [
"ip" "ip"
], ],
"attributes": { "attributes": {
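Review bot: folding "required": ["ip"] into requiredOneOf means an ip-port object containing only a src-port or only a dst-port now validates, which is not a usable indicator. A single requiredOneOf cannot express "(ip or domain) and a port", so either keep ip and domain as the identifying attributes in requiredOneOf and leave the ports optional, or state in the template description which combinations are meaningful so producers do not emit port-only objects.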
@ -43,6 +42,15 @@
"ui-priority": 1, "ui-priority": 1,
"misp-attribute": "port" "misp-attribute": "port"
}, },
"domain": {
"description": "Domain",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain"
},
"ip": { "ip": {
"description": "IP Address", "description": "IP Address",
"categories": [ "categories": [
@ -53,8 +61,8 @@
"misp-attribute": "ip-dst" "misp-attribute": "ip-dst"
} }
}, },
"version": 5, "version": 6,
"description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network", "meta-category": "network",
"uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"name": "ip-port" "name": "ip-port"

View File

@ -0,0 +1,48 @@
{
"requiredOneOf": [
"name"
],
"attributes": {
"text": {
"description": "A description of the entity.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"name": {
"description": "Name of an entity.",
"ui-priority": 0,
"misp-attribute": "text"
},
"commercial-name": {
"description": "Commercial name of an entity.",
"ui-priority": 0,
"misp-attribute": "text"
},
"legal-form": {
"description": "Legal form of an entity.",
"ui-priority": 0,
"misp-attribute": "text"
},
"registration-number": {
"description": "Registration number of an entity in the relevant authority.",
"ui-priority": 0,
"misp-attribute": "text"
},
"business": {
"description": "Business area of an entity.",
"ui-priority": 0,
"misp-attribute": "text"
},
"phone-number": {
"description": "Phone number of an entity.",
"ui-priority": 0,
"misp-attribute": "phone-number"
}
},
"version": 1,
"description": "An object to describe a legal entity.",
"meta-category": "misc",
"uuid": "14f5688f-d89c-469f-9878-c48bf6c41c65",
"name": "legal-entity"
}

View File

@ -6,22 +6,25 @@
], ],
"attributes": { "attributes": {
"zone_time_last": { "zone_time_last": {
"description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import", "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "datetime" "misp-attribute": "datetime",
"disable_correlation": true
}, },
"text": { "text": {
"description": "", "description": "Description of the passive DNS record.",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "text" "misp-attribute": "text",
"disable_correlation": true
}, },
"count": { "count": {
"description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers", "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "counter" "misp-attribute": "counter",
"disable_correlation": true
}, },
"rrname": { "rrname": {
"description": "Resource Record name of the queried resource", "description": "Resource Record name of the queried resource.",
"categories": [ "categories": [
"Network activity", "Network activity",
"External analysis" "External analysis"
@ -30,7 +33,7 @@
"misp-attribute": "text" "misp-attribute": "text"
}, },
"rrtype": { "rrtype": {
"description": "Resource Record type as seen by the passive DNS", "description": "Resource Record type as seen by the passive DNS.",
"categories": [ "categories": [
"Network activity", "Network activity",
"External analysis" "External analysis"
@ -51,7 +54,8 @@
"NAPTR", "NAPTR",
"HINFO", "HINFO",
"A6" "A6"
] ],
"disable_correlation": true
}, },
"rdata": { "rdata": {
"description": "Resource records of the queried resource", "description": "Resource records of the queried resource",
@ -61,35 +65,41 @@
"zone_time_first": { "zone_time_first": {
"description": "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import", "description": "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "datetime" "misp-attribute": "datetime",
"disable_correlation": true
}, },
"origin": { "origin": {
"description": "Origin of the Passive DNS response", "description": "Origin of the Passive DNS response",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "text" "misp-attribute": "text",
"disable_correlation": true
}, },
"time_last": { "time_last": {
"description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS", "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "datetime" "misp-attribute": "datetime",
"disable_correlation": true
}, },
"time_first": { "time_first": {
"description": "First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS", "description": "First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "datetime" "misp-attribute": "datetime",
"disable_correlation": true
}, },
"bailiwick": { "bailiwick": {
"description": "Best estimate of the apex of the zone where this data is authoritative", "description": "Best estimate of the apex of the zone where this data is authoritative",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "text" "misp-attribute": "text",
"disable_correlation": true
}, },
"sensor_id": { "sensor_id": {
"description": "Sensor information where the record was seen", "description": "Sensor information where the record was seen",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "text" "misp-attribute": "text",
"disable_correlation": true
} }
}, },
"version": 2, "version": 3,
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01", "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
"meta-category": "network", "meta-category": "network",
"uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c", "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
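Review bot: descriptions are now inconsistently punctuated: zone_time_last, text, count, rrname and rrtype gain a trailing full stop in the earlier hunks, while rdata, zone_time_first, origin, time_last, time_first, bailiwick and sensor_id in this hunk do not; pick one convention across the file. The disable_correlation additions correctly leave rrname and rdata as the only correlating attributes, which is the right split for passive DNS records.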

View File

@ -66,6 +66,11 @@
], ],
"disable_correlation": true "disable_correlation": true
}, },
"identity-card-number": {
"description": "The identity card number of a natural person.",
"ui-priority": 0,
"misp-attribute": "identity-card-number"
},
"passport-number": { "passport-number": {
"description": "The passport number of a natural person.", "description": "The passport number of a natural person.",
"ui-priority": 0, "ui-priority": 0,
@ -102,7 +107,7 @@
} }
}, },
"version": 3, "version": 3,
"description": "An person which describes a person or an identity.", "description": "An object which describes a person or an identity.",
"meta-category": "misc", "meta-category": "misc",
"uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
"name": "person" "name": "person"

View File

@ -12,9 +12,17 @@
"description": "STIX 2 pattern", "description": "STIX 2 pattern",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "stix2-pattern" "misp-attribute": "stix2-pattern"
},
"version": {
"description": "Version of STIX 2 pattern.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"stix 2.0"
]
} }
}, },
"version": 1, "version": 2,
"description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.", "description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
"meta-category": "misc", "meta-category": "misc",
"uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9", "uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",

View File

@ -0,0 +1,116 @@
{
"requiredOneOf": [
"transaction-number",
"date",
"amount",
"transmode-code"
],
"attributes": {
"text": {
"description": "A description of the transaction.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"transaction-number": {
"description": "A unique number identifying a transaction.",
"ui-priority": 0,
"misp-attribute": "text"
},
"location": {
"description": "Location where the transaction took place.",
"ui-priority": 0,
"misp-attribute": "text"
},
"transmode-code": {
"description": "How the transaction was conducted.",
"ui-priority": 0,
"misp-attribute": "text"
},
"transmode-comment": {
"description": "Comment describing transmode-code, if needed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"teller": {
"description": "Person who conducted the transaction.",
"ui-priority": 0,
"misp-attribute": "text"
},
"authorized": {
"description": "Person who autorized the transaction.",
"ui-priority": 0,
"misp-attribute": "text"
},
"date": {
"description": "Date and time of the transaction.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"amount": {
"description": "The value of the transaction in local currency.",
"ui-priority": 0,
"misp-attribute": "text"
},
"date-posting": {
"description": "Date of posting, if different from date of transaction.",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"from-funds-code": {
"description": "Type of funds used to initiate a transaction.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"A Deposit",
"C Currency exchange",
"D Casino chips",
"E Bank draft",
"F Money order",
"G Travelers cheques",
"H Life insurance policy",
"I Real estate",
"J Securities",
"K Cash",
"O Other",
"P Cheque"
]
},
"to-funds-code": {
"description": "Type of funds used to finalize a transaction.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"A Deposit",
"C Currency exchange",
"D Casino chips",
"E Bank draft",
"F Money order",
"G Travelers cheques",
"H Life insurance policy",
"I Real estate",
"J Securities",
"K Cash",
"O Other",
"P Cheque"
]
},
"from-country": {
"description": "Origin country of a transaction.",
"ui-priority": 0,
"misp-attribute": "text"
},
"to-country": {
"description": "Target country of a transaction.",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"description": "An object to describe a financial transaction.",
"meta-category": "financial",
"uuid": "a47fa26a-01b6-4747-a394-5144e34456dc",
"name": "transaction"
}

View File

@ -6,7 +6,8 @@
"fragment": { "fragment": {
"description": "Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.", "description": "Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "text" "misp-attribute": "text",
"multiple": true
}, },
"tld": { "tld": {
"description": "Top-Level Domain", "description": "Top-Level Domain",
@ -42,12 +43,14 @@
"resource_path": { "resource_path": {
"description": "Path (between hostname:port and query)", "description": "Path (between hostname:port and query)",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "text" "misp-attribute": "text",
"multiple": true
}, },
"query_string": { "query_string": {
"description": "Query (after path, preceded by '?')", "description": "Query (after path, preceded by '?')",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "text" "misp-attribute": "text",
"multiple": true
}, },
"url": { "url": {
"description": "Full URL", "description": "Full URL",
@ -92,7 +95,7 @@
"misp-attribute": "hostname" "misp-attribute": "hostname"
} }
}, },
"version": 5, "version": 6,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network", "meta-category": "network",
"uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",

View File

@ -4,10 +4,10 @@
"registrant-phone", "registrant-phone",
"creation-date", "creation-date",
"registrant-name", "registrant-name",
"registrar" "registrar",
], "text",
"required": [ "domain",
"domain" "ip-address"
], ],
"attributes": { "attributes": {
"text": { "text": {
@ -73,12 +73,22 @@
"Network activity", "Network activity",
"External analysis" "External analysis"
], ],
"ui-priority": 1, "ui-priority": 0,
"misp-attribute": "domain" "misp-attribute": "domain"
},
"comment": {
"description": "Comment of the whois entry",
"ui-priority": 0,
"misp-attribute": "text"
},
"ip-address": {
"description": "IP address of the whois entry",
"ui-priority": 0,
"misp-attribute": "ip-src"
} }
}, },
"version": 7, "version": 9,
"description": "Whois records information for a domain name.", "description": "Whois records information for a domain name or an IP address.",
"meta-category": "network", "meta-category": "network",
"uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a", "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
"name": "whois" "name": "whois"

View File

@ -25,6 +25,14 @@
"stix-2.0" "stix-2.0"
] ]
}, },
{
"name": "connected-to",
"description": "The referenced source is connected to the target object.",
"format": [
"misp",
"stix-1.1"
]
},
{ {
"name": "attributed-to", "name": "attributed-to",
"description": "This referenced source is attributed to the target object.", "description": "This referenced source is attributed to the target object.",