Merge branch 'main' of github.com:MISP/misp-objects

pull/434/head
Christian Studer 2024-06-29 19:31:13 +02:00
commit 7006ed94cc
No known key found for this signature in database
GPG Key ID: 6BBED1B63A6D639F
3 changed files with 53 additions and 1 deletions

View File

@ -283,6 +283,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/irc](https://github.com/MISP/misp-objects/blob/main/objects/irc/definition.json) - An IRC object to describe an IRC server and the associated channels.
- [objects/ja3](https://github.com/MISP/misp-objects/blob/main/objects/ja3/definition.json) - JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3.
- [objects/ja3s](https://github.com/MISP/misp-objects/blob/main/objects/ja3s/definition.json) - JA3S is JA3 for the Server side of the SSL/TLS communication and fingerprints how servers respond to particular clients. JA3S fingerprints are composed of Server Hello packet; SSL Version, Cipher, SSLExtensions. https://github.com/salesforce/ja3.
- [objects/ja4-plus](https://github.com/MISP/misp-objects/blob/main/objects/ja4-plus/definition.json) - JA4 is a technique for creating network fingerprints that are easy to produce and can be easily shared for threat intelligence. https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/README.md.
- [objects/jarm](https://github.com/MISP/misp-objects/blob/main/objects/jarm/definition.json) - Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.
- [objects/keybase-account](https://github.com/MISP/misp-objects/blob/main/objects/keybase-account/definition.json) - Information related to a keybase account, from API Users Object.
- [objects/language-content](https://github.com/MISP/misp-objects/blob/main/objects/language-content/definition.json) - The Language Content object represents text content for objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation. STIX 2.1 ref 7.1.

View File

@ -0,0 +1,45 @@
{
"attributes": {
"description": {
"description": "Description of the JA4+ fingerprint including scope, collection or specific notes which could help an analyst to reproduce the calculation.",
"misp-attribute": "text",
"ui-priority": 1
},
"ip-src": {
"description": "IP address related to this JA4+ fingerprint.",
"misp-attribute": "ip-src",
"multiple": true,
"ui-priority": 1
},
"ja4-fingerprint": {
"description": "A JA4+ fingerprint as defined by the JA4+ standard in textual format.",
"misp-attribute": "text",
"ui-priority": 1
},
"ja4-type": {
"description": "One of the JA4+ type expressed as short name.",
"misp-attribute": "text",
"sane_default": [
"JA4",
"JA4S",
"JA4H",
"JA4L",
"JA4X",
"JA4SSH",
"JA4T",
"JA4TS",
"JA4TScan"
],
"ui-priority": 1
}
},
"description": "JA4 is a technique for creating network fingerprints that are easy to produce and can be easily shared for threat intelligence. https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/README.md",
"meta-category": "network",
"name": "ja4-plus",
"required": [
"ja4-fingerprint",
"ja4-type"
],
"uuid": "2c15c75e-e7db-4b62-8d17-633e7571818f",
"version": 2
}

View File

@ -14,6 +14,12 @@
"misp-attribute": "text",
"ui-priority": 1
},
"ip": {
"description": "IP address of the phishing website",
"misp-attribute": "ip-dst",
"multiple": true,
"ui-priority": 1
},
"online": {
"description": "If the phishing is online and operational, by default is yes",
"disable_correlation": true,
@ -113,5 +119,5 @@
"url"
],
"uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307",
"version": 6
"version": 7
}