From 5a54cf6505cd588f7ef559382d1ac1a750cf9c58 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 25 Jun 2024 09:11:17 +0200
Subject: [PATCH 1/6] chg: [phishing] add an IP field for phishing website
hosted on IP address or where the IP is important for the analytics
---
objects/phishing/definition.json | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/objects/phishing/definition.json b/objects/phishing/definition.json
index d8b565e..f870b06 100644
--- a/objects/phishing/definition.json
+++ b/objects/phishing/definition.json
@@ -14,6 +14,12 @@
"misp-attribute": "text",
"ui-priority": 1
},
+ "ip": {
+ "description": "IP address of the phishing website",
+ "misp-attribute": "ip-dst",
+ "multiple": true,
+ "ui-priority": 1
+ },
"online": {
"description": "If the phishing is online and operational, by default is yes",
"disable_correlation": true,
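Review bot: The new `ip` attribute's description does not say which IP is meant, even though the commit message distinguishes a site hosted directly on an IP from one whose resolved IP matters for analytics; an analyst filling the template cannot tell whether to record the literal IP from the URL or the A record resolved at observation time. Suggest `"description": "IP address hosting the phishing website, either used directly in the URL in place of a hostname or resolved from the phishing domain at the time of analysis"`. Since `ip-dst` correlates by default, shared-hosting and CDN addresses will link unrelated phishing events, so the description could also advise recording the resolution time in the object's comment. The enclosing `attributes` object starts and ends outside this hunk.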
@@ -113,5 +119,5 @@
"url"
],
"uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307",
- "version": 6
+ "version": 7
}
\ No newline at end of file
From 467c9b43edc877d3d1a3ca31da8dd7a7c3ac89a6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 26 Jun 2024 18:04:30 +0200
Subject: [PATCH 2/6] new: [ja4-plus] new MISP object template to describe JA4+
fingerprints
fix: https://github.com/MISP/MISP/issues/9759
---
objects/ja4-plus/definition.json | 45 ++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 objects/ja4-plus/definition.json
diff --git a/objects/ja4-plus/definition.json b/objects/ja4-plus/definition.json
new file mode 100644
index 0000000..08ce89c
--- /dev/null
+++ b/objects/ja4-plus/definition.json
@@ -0,0 +1,45 @@
+{
+ "attributes": {
+ "description": {
+ "description": "Description of the JA4+ fingerprint including scope, collection or specific notes which could help an analyst to reproduce the calculation.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "ip-src": {
+ "description": "IP address related to this JA4+ fingerprint.",
+ "misp-attribute": "ip-src",
+ "ui-priority": 1,
+ "multiple": true
+ },
+ "ja4-type": {
+ "description": "One of the JA4+ type expressed as short name.",
+ "misp-attribute": "text",
+ "ui-priority": 1,
+ "sane_default": [
+ "JA4",
+ "JA4S",
+ "JA4H",
+ "JA4L",
+ "JA4X",
+ "JA4SSH",
+ "JA4T",
+ "JA4TS",
+ "JA4TScan"
+ ]
+ },
+ "ja4-fingerprint": {
+ "description": "A JA4+ fingerprint as defined by the JA4+ standard in textual format.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "JA4 is a technique for creating network fingerprints that are easy to produce and can be easily shared for threat intelligence. https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/README.md",
+ "meta-category": "network",
+ "name": "ja3",
+ "required": [
+ "ja4-fingerprint",
+ "ja4-type"
+ ],
+ "uuid": "2c15c75e-e7db-4b62-8d17-633e7571818f",
+ "version": 1
+}
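Review bot: The `ja4-type` attribute is a plain `text` value drawn from a nine-entry list, so with default correlation every object carrying `"JA4"` will correlate with every other JA4 object across all events, which is pure noise; the same holds for the free-text `description` attribute. Add `"disable_correlation": true` to both, as the phishing template already does for its `online` attribute. Separately, the only address attribute offered is `ip-src`, yet the type list includes server-side fingerprints such as `JA4S`, where the relevant address is the server the client connected to; either clarify the description to `"description": "IP address of the host that produced this JA4+ fingerprint (the client for JA4/JA4H, the server for JA4S/JA4X)."` or add an `ip-dst` counterpart. The `"name": "ja3"` value is corrected by the following patch in this series.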
From 610d5abe348014003008c00ea02ef9ee308f15da Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 26 Jun 2024 18:08:14 +0200
Subject: [PATCH 3/6] chg: [ja4-plus] template name fixed
---
objects/ja4-plus/definition.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ja4-plus/definition.json b/objects/ja4-plus/definition.json
index 08ce89c..af48326 100644
--- a/objects/ja4-plus/definition.json
+++ b/objects/ja4-plus/definition.json
@@ -35,7 +35,7 @@
},
"description": "JA4 is a technique for creating network fingerprints that are easy to produce and can be easily shared for threat intelligence. https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/README.md",
"meta-category": "network",
- "name": "ja3",
+ "name": "ja4-plus",
"required": [
"ja4-fingerprint",
"ja4-type"
From f93466cb3ceea71e352eb0fbd1b162e43910107b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 26 Jun 2024 18:08:59 +0200
Subject: [PATCH 4/6] chg: [ja4-plus] version fixed
---
objects/ja4-plus/definition.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ja4-plus/definition.json b/objects/ja4-plus/definition.json
index af48326..16f59a6 100644
--- a/objects/ja4-plus/definition.json
+++ b/objects/ja4-plus/definition.json
@@ -41,5 +41,5 @@
"ja4-type"
],
"uuid": "2c15c75e-e7db-4b62-8d17-633e7571818f",
- "version": 1
+ "version": 2
}
From 5c534d3701b207826fceaba8e7e622345140457a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 26 Jun 2024 18:15:04 +0200
Subject: [PATCH 5/6] chg: [ja4-plus] jq all the things
---
objects/ja4-plus/definition.json | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/objects/ja4-plus/definition.json b/objects/ja4-plus/definition.json
index 16f59a6..44e89d4 100644
--- a/objects/ja4-plus/definition.json
+++ b/objects/ja4-plus/definition.json
@@ -8,13 +8,17 @@
"ip-src": {
"description": "IP address related to this JA4+ fingerprint.",
"misp-attribute": "ip-src",
- "ui-priority": 1,
- "multiple": true
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "ja4-fingerprint": {
+ "description": "A JA4+ fingerprint as defined by the JA4+ standard in textual format.",
+ "misp-attribute": "text",
+ "ui-priority": 1
},
"ja4-type": {
"description": "One of the JA4+ type expressed as short name.",
"misp-attribute": "text",
- "ui-priority": 1,
"sane_default": [
"JA4",
"JA4S",
@@ -25,11 +29,7 @@
"JA4T",
"JA4TS",
"JA4TScan"
- ]
- },
- "ja4-fingerprint": {
- "description": "A JA4+ fingerprint as defined by the JA4+ standard in textual format.",
- "misp-attribute": "text",
+ ],
"ui-priority": 1
}
},
@@ -42,4 +42,4 @@
],
"uuid": "2c15c75e-e7db-4b62-8d17-633e7571818f",
"version": 2
-}
+}
\ No newline at end of file
From 76c334d84bb13369efe6646086944701ebe7a335 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 26 Jun 2024 18:16:51 +0200
Subject: [PATCH 6/6] chg: [README] list updated
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index a904b53..1ad9682 100644
--- a/README.md
+++ b/README.md
@@ -283,6 +283,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/irc](https://github.com/MISP/misp-objects/blob/main/objects/irc/definition.json) - An IRC object to describe an IRC server and the associated channels.
- [objects/ja3](https://github.com/MISP/misp-objects/blob/main/objects/ja3/definition.json) - JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3.
- [objects/ja3s](https://github.com/MISP/misp-objects/blob/main/objects/ja3s/definition.json) - JA3S is JA3 for the Server side of the SSL/TLS communication and fingerprints how servers respond to particular clients. JA3S fingerprints are composed of Server Hello packet; SSL Version, Cipher, SSLExtensions. https://github.com/salesforce/ja3.
+- [objects/ja4-plus](https://github.com/MISP/misp-objects/blob/main/objects/ja4-plus/definition.json) - JA4 is a technique for creating network fingerprints that are easy to produce and can be easily shared for threat intelligence. https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/README.md.
- [objects/jarm](https://github.com/MISP/misp-objects/blob/main/objects/jarm/definition.json) - Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.
- [objects/keybase-account](https://github.com/MISP/misp-objects/blob/main/objects/keybase-account/definition.json) - Information related to a keybase account, from API Users Object.
- [objects/language-content](https://github.com/MISP/misp-objects/blob/main/objects/language-content/definition.json) - The Language Content object represents text content for objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation. STIX 2.1 ref 7.1.