From c1a5a52155d565b734d857fe7907f3e3f3a5c556 Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Fri, 12 Jul 2019 14:33:51 +0900
Subject: [PATCH 1/5] chg: [process] Updated process object
---
 objects/process/definition.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/objects/process/definition.json b/objects/process/definition.json
index 9246a49..c56e00c 100644
--- a/objects/process/definition.json
+++ b/objects/process/definition.json
@@ -3,7 +3,7 @@
 "uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
 "meta-category": "misc",
 "description": "Object describing a system process.",
- "version": 5,
+ "version": 6,
 "attributes": {
 "creation-time": {
 "description": "Local date/time at which the process was created.",
@@ -41,6 +41,20 @@
 "multiple": true,
 "disable_correlation": true
 },
+ "process-state": {
+ "description": "State of process. (ps codes R/S/Z...)",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": false,
+ "disable_correlation": true
+ },
+ "fake-process-name": {
+ "description": "Is the process spawned under a false name.",
+ "ui-priority": 1,
+ "misp-attribute": "boolean",
+ "multiple": false,
+ "disable_correlation": true
+ },
 "port": {
 "description": "Port(s) owned by the process.",
 "ui-priority": 1,
From eaf0301fe3f31d4ce4a0033b54698be2f836c75a Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Fri, 12 Jul 2019 16:04:38 +0900
Subject: [PATCH 2/5] chg: [process] Added sane defaults.
---
 objects/process/definition.json | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/objects/process/definition.json b/objects/process/definition.json
index c56e00c..8a832fe 100644
--- a/objects/process/definition.json
+++ b/objects/process/definition.json
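Review bot: The description of the new `fake-process-name` attribute in the second hunk is phrased as a question and does not say which name is being judged false — whether the displayed name differs from the image on disk, mimics a legitimate system process, or something else — so two analysts may set the flag on different grounds and the value is hard to pivot on later. A declarative wording that names the comparison would make the boolean usable, e.g. `"description": "Set when the process name does not match its executable or imitates a legitimate process name (analyst assessment)."`, presumably with the exact criterion agreed with the object's maintainers. Keeping `"disable_correlation": true` on it is right, since a boolean would otherwise correlate every object that carries it.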
@@ -42,7 +42,23 @@
 "disable_correlation": true
 },
 "process-state": {
- "description": "State of process. (ps codes R/S/Z...)",
+ "description": "State of process.",
+ "sane_default": [
+ "D uninterruptible sleep (usually IO)",
+ "R running or runnable (on run queue)",
+ "S interruptible sleep (waiting for an event to complete)",
+ "T stopped by job control signal",
+ "t stopped by debugger during the tracing",
+ "W paging (not valid since the 2.6.xx kernel)",
+ "X dead (should never be seen)",
+ "Z defunct ('zombie') process, terminated but not reaped by its parent",
+ "< high-priority (not nice to other users)",
+ "N low-priority (nice to other users)",
+ "L has pages locked into memory (for real-time and custom IO)",
+ "s is a session leader",
+ "l is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)",
+ "+ is in the foreground process group"
+ ],
 "ui-priority": 1,
 "misp-attribute": "text",
 "multiple": false,
@@ -50,6 +66,10 @@
 },
 "fake-process-name": {
 "description": "Is the process spawned under a false name.",
+ "sane_default": [
+ "1",
+ "0"
+ ],
 "ui-priority": 1,
 "misp-attribute": "boolean",
 "multiple": false,
From e67b937f7323e01a36b99959a17bcbe2f523b4fd Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Sat, 13 Jul 2019 12:28:31 +0900
Subject: [PATCH 3/5] chg: [process] revert back to single char in light of the new process-attribute
---
 objects/process/definition.json | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/objects/process/definition.json b/objects/process/definition.json
index 8a832fe..b188c93 100644
--- a/objects/process/definition.json
+++ b/objects/process/definition.json
@@ -44,23 +44,23 @@
 "process-state": {
 "description": "State of process.",
 "sane_default": [
- "D uninterruptible sleep (usually IO)",
- "R running or runnable (on run queue)",
- "S interruptible sleep (waiting for an event to complete)",
- "T stopped by job control signal",
- "t stopped by debugger during the tracing",
- "W paging (not valid since the 2.6.xx kernel)",
- "X dead (should never be seen)",
- "Z defunct ('zombie') process, terminated but not reaped by its parent",
- "< high-priority (not nice to other users)",
- "N low-priority (nice to other users)",
- "L has pages locked into memory (for real-time and custom IO)",
- "s is a session leader",
- "l is multi-threaded (using CLONE_THREAD, like NPTL pthreads do)",
- "+ is in the foreground process group"
+ "D",
+ "R",
+ "S",
+ "T",
+ "t",
+ "W",
+ "X",
+ "Z",
+ "<",
+ "N",
+ "L",
+ "s",
+ "l",
+ "+"
 ],
 "ui-priority": 1,
- "misp-attribute": "text",
+ "misp-attribute": "process-state",
 "multiple": false,
 "disable_correlation": true
 },
From dd6ebe538555b51b327127bb761aeed945b5f0b1 Mon Sep 17 00:00:00 2001
From: Steve Clement
Date: Tue, 24 Nov 2020 14:55:47 +0900
Subject: [PATCH 4/5] new: [sh] Added process state
---
 objects/process/definition.json | 77 +++++++++++++++------------------
 1 file changed, 35 insertions(+), 42 deletions(-)
diff --git a/objects/process/definition.json b/objects/process/definition.json
index 1d95afe..7d19efb 100644
--- a/objects/process/definition.json
+++ b/objects/process/definition.json
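Review bot: Switching `"misp-attribute"` to `"process-state"` makes this template depend on an attribute type that, per the subject line, is new in MISP core; an instance without that type cannot instantiate the attribute, and nothing in the file records that requirement. Consider stating it where a template consumer will see it, e.g. `"description": "State of process as a single ps(1) STAT code (requires the process-state attribute type)."`. The object's `version` field (outside this hunk, bumped to 6 in the first patch of this series) is not bumped again although the attribute's type changed, so an instance that already imported version 6 with the `text` type would keep it; a further bump is warranted if the earlier commit can be deployed on its own. Note also that a real `ps` STAT column combines these flags (values such as `Ss` or `R+` are common), so a single-character `sane_default` list only covers the first character; whether the new attribute type accepts combined values is not visible here and should be confirmed with its validator.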
@@ -14,47 +14,6 @@
 "disable_correlation": true,
 "ui-priority": 1
 },
- "process-state": {
- "description": "State of process.",
- "sane_default": [
- "D",
- "R",
- "S",
- "T",
- "t",
- "W",
- "X",
- "Z",
- "<",
- "N",
- "L",
- "s",
- "l",
- "+"
- ],
- "ui-priority": 1,
- "misp-attribute": "process-state",
- "multiple": false,
- "disable_correlation": true
- },
- "fake-process-name": {
- "description": "Is the process spawned under a false name.",
- "sane_default": [
- "1",
- "0"
- ],
- "ui-priority": 1,
- "misp-attribute": "boolean",
- "multiple": false,
- "disable_correlation": true
- },
- "port": {
- "description": "Port(s) owned by the process",
- "misp-attribute": "port",
- "multiple": true,
- "disable_correlation": true,
- "ui-priority": 1
- },
 "command-line": {
 "description": "Command line of the process",
 "misp-attribute": "text",
@@ -72,6 +31,17 @@
 "misp-attribute": "text",
 "ui-priority": 2
 },
+ "fake-process-name": {
+ "description": "Is the process spawned under a false name.",
+ "sane_default": [
+ "1",
+ "0"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "boolean",
+ "multiple": false,
+ "disable_correlation": true
+ },
 "guid": {
 "description": "The globally unique identifier of the assigned by the vendor product",
 "misp-attribute": "text",
@@ -156,6 +126,29 @@
 "multiple": true,
 "ui-priority": 1
 },
+ "process-state": {
+ "description": "State of process.",
+ "disable_correlation": true,
+ "misp-attribute": "process-state",
+ "multiple": false,
+ "sane_default": [
+ "D",
+ "R",
+ "S",
+ "T",
+ "t",
+ "W",
+ "X",
+ "Z",
+ "<",
+ "N",
+ "L",
+ "s",
+ "l",
+ "+"
+ ],
+ "ui-priority": 1
+ },
 "start-time": {
 "description": "Local date/time at which the process was started",
 "disable_correlation": true,
@@ -180,5 +173,5 @@
 "current-directory"
 ],
 "uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
- "version": 7
+ "version": 8
 }
From 506116f0acb73d484dd3cd0b3a383d74bd2b8971 Mon Sep 17 00:00:00 2001
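Review bot: The first hunk deletes the `port` attribute along with the two blocks being relocated, but only `fake-process-name` and `process-state` are re-added (35 insertions against 42 deletions in the diffstat), and the subject line says nothing about `port`. The context just above the re-added `process-state` in the third hunk (`"multiple": true, "ui-priority": 1 },`) looks like a sorted `port` entry that already exists further down, in which case the deleted block was a duplicate key left over from rebasing onto an already-sorted file and removing it is correct; if that is not the case, the `port` attribute is silently lost from the template. Either way the commit message should state that a duplicate `port` entry was removed, so the deletion is not later mistaken for an intentional removal of the attribute.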
From: Steve Clement
Date: Tue, 24 Nov 2020 14:58:19 +0900
Subject: [PATCH 5/5] chg: [json] sort
---
 objects/process/definition.json | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/objects/process/definition.json b/objects/process/definition.json
index 7d19efb..4af8ab1 100644
--- a/objects/process/definition.json
+++ b/objects/process/definition.json
@@ -11,7 +11,6 @@
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "disable_correlation": true,
 "ui-priority": 1
 },
 "command-line": {
@@ -33,14 +32,14 @@
 },
 "fake-process-name": {
 "description": "Is the process spawned under a false name.",
+ "disable_correlation": true,
+ "misp-attribute": "boolean",
+ "multiple": false,
 "sane_default": [
 "1",
 "0"
 ],
- "ui-priority": 1,
- "misp-attribute": "boolean",
- "multiple": false,
+ "ui-priority": 1
 },
 "guid": {
 "description": "The globally unique identifier of the assigned by the vendor product",
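Review bot: The first hunk removes a duplicated `"disable_correlation": true,` key from the attribute above `command-line` (its name is outside the hunk), which is a validity fix rather than the re-sort the subject line describes: RFC 8259 only says names SHOULD be unique, I-JSON forbids duplicates, and strict loaders either reject the document or keep whichever occurrence they see last. It deserves a mention in the commit message so the fix is findable when someone asks why an older template revision failed to load. The second hunk's key reordering is behaviour-neutral, since key order carries no meaning in JSON.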