Update ELF definitions, add MachO.

pull/26/merge
Raphaël Vinot 2017-08-25 15:20:18 +02:00
parent 96d7aeb072
commit 7c3aaa30c2
4 changed files with 388 additions and 98 deletions


@ -20,32 +20,48 @@
"ui-priority": 0,
"misp-attribute": "float"
},
"sh_type": {
"type": {
"sane_default": [
"SHT_NULL",
"SHT_PROGBITS",
"SHT_SYMTAB",
"SHT_STRTAB",
"SHT_RELA",
"SHT_HASH",
"SHT_DYNAMIC",
"SHT_NOTE",
"SHT_NOBITS",
"SHT_REL",
"SHT_SHLIB",
"SHT_DYNSYM",
"SHT_INIT_ARRAY",
"SHT_FINI_ARRAY",
"SHT_PREINIT_ARRAY",
"SHT_GROUP",
"SHT_SYMTAB_SHNDX",
"SHT_NUM",
"SHT_LOOS"
"NULL",
"PROGBITS",
"SYMTAB",
"STRTAB",
"RELA",
"HASH",
"DYNAMIC",
"NOTE",
"NOBITS",
"REL",
"SHLIB",
"DYNSYM",
"INIT_ARRAY",
"FINI_ARRAY",
"PREINIT_ARRAY",
"GROUP",
"SYMTAB_SHNDX",
"LOOS",
"GNU_ATTRIBUTES",
"GNU_HASH",
"GNU_VERDEF",
"GNU_VERNEED",
"GNU_VERSYM",
"HIOS",
"LOPROC",
"ARM_EXIDX",
"ARM_PREEMPTMAP",
"HEX_ORDERED",
"X86_64_UNWIND",
"MIPS_REGINFO",
"MIPS_OPTIONS",
"MIPS_ABIFLAGS",
"HIPROC",
"LOUSER",
"HIUSER"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"sh_name": {
"name": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
@ -54,7 +70,7 @@
"ui-priority": 0,
"misp-attribute": "sha256"
},
"sh_size": {
"size-in-bytes": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
@ -64,24 +80,30 @@
"ui-priority": 1,
"misp-attribute": "text"
},
"sh_flags": {
"flag": {
"sane_default": [
"W (write)",
"A (alloc)",
"X (execute)",
"M (merge)",
"S (strings)",
"I (info)",
"L (link order)",
"O (extra OS processing required)",
"G (group)",
"T (TLS)",
"C (compressed)",
"x (unknown)",
"o (OS specific)",
"E (exclude)",
"l (large)",
"p (processor specific)"
"ALLOC",
"EXCLUDE",
"EXECINSTR",
"GROUP",
"HEX_GPREL",
"INFO_LINK",
"LINK_ORDER",
"MASKOS",
"MASKPROC",
"MERGE",
"MIPS_ADDR",
"MIPS_LOCAL",
"MIPS_MERGE",
"MIPS_NAMES",
"MIPS_NODUPES",
"MIPS_NOSTRIP",
"NONE",
"OS_NONCONFORMING",
"STRINGS",
"TLS",
"WRITE",
"XCORE_SHF_CP_SECTION"
],
"ui-priority": 0,
"misp-attribute": "text"
@ -95,7 +117,7 @@
"misp-attribute": "md5"
}
},
"version": 1,
"version": 2,
"description": "Object describing a section of an Executable and Linkable Format",
"meta-category": "file",
"uuid": "ca271f32-1234-4e87-b240-6b6e882de5de",
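Review bot: The new `flag` sane_default (`ALLOC` … `XCORE_SHF_CP_SECTION`) offers no compressed-section value, while the list it replaces had `C (compressed)`; SHF_COMPRESSED is a real section flag and packed or obfuscated ELF samples are exactly where an analyst wants to record it, so add `"COMPRESSED",` to the list. The same list also carries `MASKOS`, `MASKPROC` and `NONE`, which are bit masks or the absence of a flag rather than values a section can be tagged with, and should be dropped or documented as such. A section routinely carries several flags at once (WRITE together with EXECINSTR being the combination that matters for detection), so `flag` only works as a single attribute if the template marks it `"multiple": true`; that key is not visible in this hunk, so please confirm it is set. The key renames (`sh_type`→`type`, `sh_flags`→`flag`, `sh_size`→`size-in-bytes`) are what the bump to `"version": 2` records; objects created against version 1 keep the old keys, so any consumer filtering on `sh_flags` needs updating.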


@ -1,86 +1,247 @@
{
"requiredOneOf": [
"text",
"original-filename",
"internal-filename"
"entrypoint-address"
],
"attributes": {
"e_machine": {
"entrypoint-address": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"type": {
"sane_default": [
"No specific instruction set",
"CORE",
"DYNAMIC",
"EXECUTABLE",
"HIPROC",
"LOPROC",
"NONE",
"RELOCATABLE"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"number-sections": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"arch": {
"sane_default": [
"None",
"M32",
"SPARC",
"X86",
"MISP",
"PowerPC",
"i386",
"ARCH_68K",
"ARCH_88K",
"IAMCU",
"ARCH_860",
"MIPS",
"S370",
"MIPS_RS3_LE",
"PARISC",
"VPP500",
"SPARC32PLUS",
"ARCH_960",
"PPC",
"PPC64",
"S390",
"SPU",
"V800",
"FR20",
"RH32",
"RCE",
"ARM",
"SuperH",
"IA-64",
"x86-64",
"AArch64",
"RISC-V"
"ALPHA",
"SH",
"SPARCV9",
"TRICORE",
"ARC",
"H8_300",
"H8_300H",
"H8S",
"H8_500",
"IA_64",
"MIPS_X",
"COLDFIRE",
"ARCH_68HC12",
"MMA",
"PCP",
"NCPU",
"NDR1",
"STARCORE",
"ME16",
"ST100",
"TINYJ",
"x86_64",
"PDSP",
"PDP10",
"PDP11",
"FX66",
"ST9PLUS",
"ST7",
"ARCH_68HC16",
"ARCH_68HC11",
"ARCH_68HC08",
"ARCH_68HC05",
"SVX",
"ST19",
"VAX",
"CRIS",
"JAVELIN",
"FIREPATH",
"ZSP",
"MMIX",
"HUANY",
"PRISM",
"AVR",
"FR30",
"D10V",
"D30V",
"V850",
"M32R",
"MN10300",
"MN10200",
"PJ",
"OPENRISC",
"ARC_COMPACT",
"XTENSA",
"VIDEOCORE",
"TMM_GPP",
"NS32K",
"TPC",
"SNP1K",
"ST200",
"IP2K",
"MAX",
"CR",
"F2MC16",
"MSP430",
"BLACKFIN",
"SE_C33",
"SEP",
"ARCA",
"UNICORE",
"EXCESS",
"DXP",
"ALTERA_NIOS2",
"CRX",
"XGATE",
"C166",
"M16C",
"DSPIC30F",
"CE",
"M32C",
"TSK3000",
"RS08",
"SHARC",
"ECOG2",
"SCORE7",
"DSP24",
"VIDEOCORE3",
"LATTICEMICO32",
"SE_C17",
"TI_C6000",
"TI_C2000",
"TI_C5500",
"MMDSP_PLUS",
"CYPRESS_M8C",
"R32C",
"TRIMEDIA",
"HEXAGON",
"ARCH_8051",
"STXP7X",
"NDS32",
"ECOG1",
"ECOG1X",
"MAXQ30",
"XIMO16",
"MANIK",
"CRAYNV2",
"RX",
"METAG",
"MCST_ELBRUS",
"ECOG16",
"CR16",
"ETPU",
"SLE9X",
"L10M",
"K10M",
"AARCH64",
"AVR32",
"STM8",
"TILE64",
"TILEPRO",
"CUDA",
"TILEGX",
"CLOUDSHIELD",
"COREA_1ST",
"COREA_2ND",
"ARC_COMPACT2",
"OPEN8",
"RL78",
"VIDEOCORE5",
"ARCH_78KOR",
"ARCH_56800EX",
"BA1",
"BA2",
"XCORE",
"MCHP_PIC",
"INTEL205",
"INTEL206",
"INTEL207",
"INTEL208",
"INTEL209",
"KM32",
"KMX32",
"KMX16",
"KMX8",
"KVARC",
"CDP",
"COGE",
"COOL",
"NORC",
"CSR_KALIMBA",
"AMDGPU"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"e_ident_abi": {
"os_abi": {
"sane_default": [
"System V",
"HP_UX",
"NetBSD",
"Linux",
"Solaris",
"AIX",
"IRIX",
"FreeBSD",
"True64",
"Novell Modesto",
"OpenBSD",
"OpenVMS",
"NonStop Kernel",
"ARM",
"AROS",
"Fenis OS",
"CloudABI",
"Sortix"
"C6000_ELFABI",
"C6000_LINUX",
"CLOUDABI",
"FENIXOS",
"FREEBSD",
"GNU",
"HPUX",
"HURD",
"IRIX",
"MODESTO",
"NETBSD",
"NSK",
"OPENBSD",
"OPENVMS",
"SOLARIS",
"STANDALONE",
"SYSTEMV",
"TRU64"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"e_type": {
"sane_default": [
"relocatable",
"executable",
"shared",
"core"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"e_version": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"file-description": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"e_entry": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"original-filename": {
"ui-priority": 1,
"misp-attribute": "filename"
},
"text": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
}
},
"version": 1,
"version": 2,
"description": "Object describing a Executable and Linkable Format",
"meta-category": "file",
"uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa",
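Review bot: With `requiredOneOf` reduced to `text` and `entrypoint-address`, an `elf` object can be satisfied by a single attribute that has `disable_correlation: true`, so such an object never correlates on its own; that is acceptable only if it is always attached to a `file` object by relationship, which the `description` should say explicitly. `entrypoint-address` is free `text` with no stated format, so values like `0x400080` and `4194432` for the same entry point will not match in searches; document the expected form in the description, e.g. "entrypoint-address: hexadecimal with 0x prefix". If `"No specific instruction set"` on the `type` list is on the new side rather than a leftover of the old `e_machine` list, it belongs to `arch`, not to ELF file types, and should be removed from `type`. The `arch` and `os_abi` value lists appear to mirror a binary-parsing library's enum names (spelling such as `ARCH_68K`, `x86_64`, `FENIXOS`), which is fine, but the description should name the source so the list can be kept in sync.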


@ -0,0 +1,56 @@
{
"requiredOneOf": [
"text",
"name",
"sha1",
"sha256",
"sha512"
],
"attributes": {
"sha512": {
"ui-priority": 0,
"misp-attribute": "sha512"
},
"ssdeep": {
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"entropy": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "float"
},
"name": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"sha256": {
"ui-priority": 0,
"misp-attribute": "sha256"
},
"size-in-bytes": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"text": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"sha1": {
"ui-priority": 0,
"misp-attribute": "sha1"
},
"md5": {
"ui-priority": 1,
"misp-attribute": "md5"
}
},
"version": 1,
"description": "Object describing a section of a file in Mach-O format.",
"meta-category": "file",
"uuid": "fca3c534-d188-4964-9c6e-9922e1dfe66e",
"name": "macho-section"
}
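Review bot: `md5` is declared as an attribute (`"md5": { "ui-priority": 1, … }`) but is missing from `requiredOneOf`, so a `macho-section` object carrying only an MD5 (the hash most sandbox reports emit per section) is rejected by validation; add `"md5"` to the `requiredOneOf` list. Mach-O section names are only meaningful together with their segment (`__TEXT,__text` vs `__DATA,__data` can share a name), and the template has no way to record the segment; consider a `segment-name` text attribute with `disable_correlation: true`, matching `name`. Keeping `name` non-correlating is right, since `__text` and `__cstring` appear in nearly every binary.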


@ -0,0 +1,51 @@
{
"requiredOneOf": [
"text",
"name",
"entrypoint-address"
],
"attributes": {
"entrypoint-address": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"type": {
"sane_default": [
"BUNDLE",
"CORE",
"DSYM",
"DYLIB",
"DYLIB_STUB",
"DYLINKER",
"EXECUTE",
"FVMLIB",
"KEXT_BUNDLE",
"OBJECT",
"PRELOAD"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"number-sections": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"name": {
"disable_correlation": false,
"ui-priority": 1,
"misp-attribute": "text"
},
"text": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Object describing a file in Mach-O format.",
"meta-category": "file",
"uuid": "23fb8371-c7e3-45fe-b897-fdf074f95267",
"name": "macho"
}
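Review bot: `name` has `"disable_correlation": false` here, whereas the `name` attribute of `macho-section` and of `elf-section` in this same commit is non-correlating; Mach-O file names are frequently generic (`main`, `update`, `installer`), so correlating on them will link unrelated events. Unless correlation on the file name is intended, change it to `"disable_correlation": true` for consistency with the other two templates. The `elf` object gained an `arch` attribute but `macho` has none, even though a Mach-O universal binary can carry several architecture slices; an `arch` attribute (ideally `"multiple": true`) would let the object describe that. As for `elf`, `entrypoint-address` is free text with no stated format, so the description should fix the expected representation.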