Merge pull request #200 from cvandeplas/master

adds validation on type/categories and fixes an incorrect one
pull/204/head
Christophe Vandeplas 2019-08-08 14:03:37 +02:00 committed by GitHub
commit 81c37aff51
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 248 additions and 66 deletions


@ -12,7 +12,7 @@
"timestamp": {
"description": "When the log entry was seen in microseconds since Unix epoch",
"ui-priority": 0,
"misp-attribute": "timestamp-microsec"
"misp-attribute": "text"
},
"timestamp_desc": {
"description": "Text explaining what type of timestamp is it",
@ -25,7 +25,7 @@
"misp-attribute": "datetime"
}
},
"version": 2,
"version": 3,
"description": "A timesketch timeline object based on mandatory field in timesketch to describe a log entry.",
"meta-category": "misc",
"uuid": "06db0221-cbc0-4ffc-ad98-7f34549310f1",
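Review bot: Switching `timestamp` to `text` lets the definition pass the new type enum (which has no `timestamp-microsec`), but the value is now unvalidated free text even though the description promises microseconds since the Unix epoch. Anything that builds a timeline from these objects has to parse and range-check the field itself rather than rely on the attribute type. I would state the expected form in the definition, e.g. `"description": "When the log entry was seen, as an integer number of microseconds since Unix epoch (digits only)"`. The object's other attributes lie outside this hunk.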


@ -48,14 +48,14 @@
"comment": {
"description": "Comment related to this hash",
"categories": [
"Exernal analysis"
"External analysis"
],
"misp-attribute": "text",
"ui-priority": 2,
"multiple": true
}
},
"version": 2,
"version": 3,
"description": "VirusTotal report",
"meta-category": "misc",
"uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",


@ -1,67 +1,254 @@
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-objects",
"id": "https://www.github.com/MISP/misp-objects/schema.json",
"additionalProperties": false,
"defs": {
"attribute": {
"type": "object",
"additionalProperties": false,
"properties": {
"misp-attribute": {
"type": "string"
},
"ui-priority": {
"type": "number"
},
"categories": {
"type": "array",
"uniqueItems": true,
"items": {
"enum": [
"Antivirus detection",
"Artifacts dropped",
"Attribution",
"External analysis",
"Financial fraud",
"Internal reference",
"Network activity",
"Other",
"Payload delivery",
"Payload installation",
"Payload type",
"Persistence mechanism",
"Person",
"Social network",
"Support Tool",
"Targeting data"
],
"type": "string"
}
},
"values_list": {
},
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
"uniqueItems": true
},
"sane_default": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"multiple": {
"type": "boolean"
"description": {
"type": "string"
},
"disable_correlation": {
"type": "boolean"
},
"to_ids": {
"misp-attribute": {
"enum": [
"AS",
"aba-rtn",
"anonymised",
"attachment",
"authentihash",
"bank-account-nr",
"bic",
"bin",
"boolean",
"bro",
"btc",
"campaign-id",
"campaign-name",
"cc-number",
"cdhash",
"comment",
"community-id",
"cookie",
"cortex",
"counter",
"country-of-residence",
"cpe",
"date-of-birth",
"datetime",
"dns-soa-email",
"domain",
"domain|ip",
"email-attachment",
"email-body",
"email-dst",
"email-dst-display-name",
"email-header",
"email-message-id",
"email-mime-boundary",
"email-reply-to",
"email-src",
"email-src-display-name",
"email-subject",
"email-thread-index",
"email-x-mailer",
"filename",
"filename|authentihash",
"filename|impfuzzy",
"filename|imphash",
"filename|md5",
"filename|pehash",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|ssdeep",
"filename|tlsh",
"first-name",
"float",
"frequent-flyer-number",
"gender",
"gene",
"github-organisation",
"github-repository",
"github-username",
"hassh-md5",
"hasshserver-md5",
"hex",
"hostname",
"hostname|port",
"http-method",
"iban",
"identity-card-number",
"impfuzzy",
"imphash",
"ip-dst",
"ip-dst|port",
"ip-src",
"ip-src|port",
"issue-date-of-the-visa",
"ja3-fingerprint-md5",
"jabber-id",
"last-name",
"link",
"mac-address",
"mac-eui-64",
"malware-sample",
"malware-type",
"md5",
"middle-name",
"mime-type",
"mobile-application-id",
"mutex",
"named pipe",
"nationality",
"other",
"passenger-name-record-locator-number",
"passport-country",
"passport-expiration",
"passport-number",
"pattern-in-file",
"pattern-in-memory",
"pattern-in-traffic",
"payment-details",
"pdb",
"pehash",
"phone-number",
"place-of-birth",
"place-port-of-clearance",
"place-port-of-onward-foreign-destination",
"place-port-of-original-embarkation",
"port",
"primary-residence",
"prtn",
"redress-number",
"regkey",
"regkey|value",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"sigma",
"size-in-bytes",
"snort",
"special-service-request",
"ssdeep",
"stix2-pattern",
"target-email",
"target-external",
"target-location",
"target-machine",
"target-org",
"target-user",
"text",
"threat-actor",
"tlsh",
"travel-details",
"twitter-id",
"uri",
"url",
"user-agent",
"visa-number",
"vulnerability",
"weakness",
"whois-creation-date",
"whois-registrant-email",
"whois-registrant-name",
"whois-registrant-org",
"whois-registrant-phone",
"whois-registrar",
"windows-scheduled-task",
"windows-service-displayname",
"windows-service-name",
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256",
"xmr",
"yara",
"zeek"
],
"type": "string"
},
"multiple": {
"type": "boolean"
},
"recommended": {
"type": "boolean"
},
"description": {
"type": "string"
"sane_default": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
},
"to_ids": {
"type": "boolean"
},
"ui-priority": {
"type": "number"
},
"values_list": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
}
},
"required": [
"misp-attribute",
"ui-priority",
"description"
]
],
"type": "object"
}
},
"type": "object",
"additionalProperties": false,
"id": "https://www.github.com/MISP/misp-objects/schema.json",
"properties": {
"attributes": {
"additionalProperties": {
"$ref": "#/defs/attribute",
"type": "object"
},
"type": "object"
},
"description": {
"type": "string"
},
"meta-category": {
"type": "string",
"enum": [
"file",
"network",
@ -70,40 +257,31 @@
"internal",
"vulnerability",
"climate"
]
],
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string"
"required": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
},
"version": {
"type": "integer"
"requiredOneOf": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
},
"uuid": {
"type": "string"
},
"attributes": {
"type": "object",
"additionalProperties": {
"type": "object",
"$ref": "#/defs/attribute"
}
},
"requiredOneOf": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"required": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
"version": {
"type": "integer"
}
},
"required": [
@ -113,5 +291,7 @@
"meta-category",
"name",
"uuid"
]
],
"title": "Validator for misp-objects",
"type": "object"
}
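Review bot: The new `categories` and `misp-attribute` enums are validated independently of each other, so an attribute that pairs a type with a category MISP does not accept for that type still passes this schema. Both lists also appear to be hand-copied, so they will drift as MISP core adds types; a stale list either rejects valid objects or pushes contributors toward `text`, which weakens the typing of shared indicators. I would record the source on the `misp-attribute` property, e.g. `"description": "Keep in sync with the attribute types in MISP core's describeTypes.json"`, and have CI diff the enums against that file. The type/category pairing check is awkward to express in this schema and probably belongs in a separate validation script.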


@ -8,7 +8,7 @@ set -x
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 0 ]; then
echo "Please make sure you run ./jq_all_the_things.sh before commiting."
echo "ERROR: Please make sure you run ./jq_all_the_things.sh before doing a PR."
exit 1
fi
@ -18,7 +18,7 @@ find -name "*.json" -exec chmod -x "{}" \;
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 0 ]; then
echo "Please make sure you run remove the executable flag on the json files before commiting: find -name "*.json" -exec chmod -x \"{}\" \\;"
echo "ERROR: Please make sure you run remove the executable flag on the json files before doing a PR: find -name "*.json" -exec chmod -x \"{}\" \\;"
exit 1
fi
@ -33,3 +33,5 @@ done
jsonschema -i relationships/definition.json schema_relationships.json
./unique_uuid.py
echo "Success: All is fine, please go ahead.".
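Review bot: In the second error message the inner `"*.json"` is not escaped the way `\"{}\"` is, so the quotes close and reopen the string and the printed hint reads `find -name *.json ...`. A contributor who pastes that hint gets a glob expanded by their shell before `find` sees it, and may clear the executable bit on fewer files than intended; writing `-name \"*.json\"` inside the message fixes it. The final line also has a stray `.` after the closing quote, so the success message ends in two periods. The top of the script is outside these hunks, so if it does not run under `set -e`, the success line would print even after `jsonschema` or `./unique_uuid.py` fails.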