Merge branch 'main' of github.com:MISP/misp-objects

2024-06-29 19:31:13 +02:00 · 2024-06-29 19:31:13 +02:00 · 7006ed94cc
parent 90cc2dfac2 76c334d84b
commit 7006ed94cc
3 changed files with 53 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -283,6 +283,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/irc](https://github.com/MISP/misp-objects/blob/main/objects/irc/definition.json) - An IRC object to describe an IRC server and the associated channels.
 - [objects/ja3](https://github.com/MISP/misp-objects/blob/main/objects/ja3/definition.json) - JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3.
 - [objects/ja3s](https://github.com/MISP/misp-objects/blob/main/objects/ja3s/definition.json) - JA3S is JA3 for the Server side of the SSL/TLS communication and fingerprints how servers respond to particular clients. JA3S fingerprints are composed of Server Hello packet; SSL Version, Cipher, SSLExtensions. https://github.com/salesforce/ja3.
+- [objects/ja4-plus](https://github.com/MISP/misp-objects/blob/main/objects/ja4-plus/definition.json) - JA4 is a technique for creating network fingerprints that are easy to produce and can be easily shared for threat intelligence. https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/README.md.
 - [objects/jarm](https://github.com/MISP/misp-objects/blob/main/objects/jarm/definition.json) - Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case.
 - [objects/keybase-account](https://github.com/MISP/misp-objects/blob/main/objects/keybase-account/definition.json) - Information related to a keybase account, from API Users Object.
 - [objects/language-content](https://github.com/MISP/misp-objects/blob/main/objects/language-content/definition.json) - The Language Content object represents text content for objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation. STIX 2.1 ref 7.1.
--- a/objects/ja4-plus/definition.json
+++ b/objects/ja4-plus/definition.json
@ -0,0 +1,45 @@
+{
+  "attributes": {
+    "description": {
+      "description": "Description of the JA4+ fingerprint including scope, collection or specific notes which could help an analyst to reproduce the calculation.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "ip-src": {
+      "description": "IP address related to this JA4+ fingerprint.",
+      "misp-attribute": "ip-src",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "ja4-fingerprint": {
+      "description": "A JA4+ fingerprint as defined by the JA4+ standard in textual format.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "ja4-type": {
+      "description": "One of the JA4+ type expressed as short name.",
+      "misp-attribute": "text",
+      "sane_default": [
+        "JA4",
+        "JA4S",
+        "JA4H",
+        "JA4L",
+        "JA4X",
+        "JA4SSH",
+        "JA4T",
+        "JA4TS",
+        "JA4TScan"
+      ],
+      "ui-priority": 1
+    }
+  },
+  "description": "JA4 is a technique for creating network fingerprints that are easy to produce and can be easily shared for threat intelligence. https://github.com/FoxIO-LLC/ja4/blob/main/technical_details/README.md",
+  "meta-category": "network",
+  "name": "ja4-plus",
+  "required": [
+    "ja4-fingerprint",
+    "ja4-type"
+  ],
+  "uuid": "2c15c75e-e7db-4b62-8d17-633e7571818f",
+  "version": 2
+}
--- a/objects/phishing/definition.json
+++ b/objects/phishing/definition.json
@ -14,6 +14,12 @@
      "misp-attribute": "text",
      "ui-priority": 1
    },
+    "ip": {
+      "description": "IP address of the phishing website",
+      "misp-attribute": "ip-dst",
+      "multiple": true,
+      "ui-priority": 1
+    },
    "online": {
      "description": "If the phishing is online and operational, by default is yes",
      "disable_correlation": true,
@ -113,5 +119,5 @@
    "url"
  ],
  "uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307",
-  "version": 6
+  "version": 7
 }