From 5f7f4b8e50eb5325ba6f681d562a7b561c25acf9 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Thu, 8 Aug 2019 11:30:47 +0200
Subject: [PATCH 1/5] sort schema_objects
---
schema_objects.json | 120 ++++++++++++++++++++++----------------------
1 file changed, 60 insertions(+), 60 deletions(-)
diff --git a/schema_objects.json b/schema_objects.json
index 9c1e073..0df52de 100644
--- a/schema_objects.json
+++ b/schema_objects.json
@@ -1,67 +1,74 @@ { "$schema": "http://json-schema.org/schema#", - "title": "Validator for misp-objects", - "id": "https://www.github.com/MISP/misp-objects/schema.json", + "additionalProperties": false, "defs": { "attribute": { - "type": "object", "additionalProperties": false, "properties": { - "misp-attribute": { - "type": "string" - }, - "ui-priority": { - "type": "number" - }, "categories": { - "type": "array", - "uniqueItems": true, "items": { "type": "string" - } - }, - "values_list": { + }, "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } + "uniqueItems": true }, - "sane_default": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "multiple": { - "type": "boolean" + "description": { + "type": "string" }, "disable_correlation": { "type": "boolean" }, - "to_ids": { + "misp-attribute": { + "type": "string" + }, + "multiple": { "type": "boolean" }, "recommended": { "type": "boolean" }, - "description": { - "type": "string" + "sane_default": { + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": true + }, + "to_ids": { + "type": "boolean" + }, + "ui-priority": { + "type": "number" + }, + "values_list": { + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": true } }, "required": [ "misp-attribute", "ui-priority", "description" - ] + ], + "type": "object" } }, - "type": "object", - "additionalProperties": false, + "id": "https://www.github.com/MISP/misp-objects/schema.json", "properties": { + "attributes": { + "additionalProperties": { + "$ref": "#/defs/attribute", + "type": "object" + }, + "type": "object" + }, + "description": { + "type": "string" + }, "meta-category": { - "type": "string", "enum": [ "file", "network", 
@@ -70,40 +77,31 @@ "internal", "vulnerability", "climate" - ] + ], + "type": "string" }, "name": { "type": "string" }, - "description": { - "type": "string" + "required": { + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": true }, - "version": { - "type": "integer" + "requiredOneOf": { + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": true }, "uuid": { "type": "string" }, - "attributes": { - "type": "object", - "additionalProperties": { - "type": "object", - "$ref": "#/defs/attribute" - } - }, - "requiredOneOf": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } - }, - "required": { - "type": "array", - "uniqueItems": true, - "items": { - "type": "string" - } + "version": { + "type": "integer" } }, "required": [ @@ -113,5 +111,7 @@ "meta-category", "name", "uuid" - ] + ], + "title": "Validator for misp-objects", + "type": "object" } From 6a852e49e8d35c2f5723b0d3cdafb747421dcc17 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Thu, 8 Aug 2019 11:45:29 +0200 Subject: [PATCH 2/5] chg: [validation] improve validation script --- validate_all.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/validate_all.sh b/validate_all.sh index 1ed700c..0d8b9d1 100755 --- a/validate_all.sh +++ b/validate_all.sh @@ -8,7 +8,7 @@ set -x diffs=`git status --porcelain | wc -l` if ! [ $diffs -eq 0 ]; then - echo "Please make sure you run ./jq_all_the_things.sh before commiting." + echo "ERROR: Please make sure you run ./jq_all_the_things.sh before doing a PR." exit 1 fi 
@@ -18,7 +18,7 @@ find -name "*.json" -exec chmod -x "{}" \; diffs=`git status --porcelain | wc -l` if ! [ $diffs -eq 0 ]; then - echo "Please make sure you run remove the executable flag on the json files before commiting: find -name "*.json" -exec chmod -x \"{}\" \\;" + echo "ERROR: Please make sure you run remove the executable flag on the json files before doing a PR: find -name "*.json" -exec chmod -x \"{}\" \\;" exit 1 fi @@ -33,3 +33,5 @@ done jsonschema -i relationships/definition.json schema_relationships.json ./unique_uuid.py + +echo "Success: All is fine, please go ahead.". From 7dc65e5fe07100dec815d7c15c3ad3a0068f7ddb Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Thu, 8 Aug 2019 11:46:54 +0200 Subject: [PATCH 3/5] chg: [validation] complement schema with categories/types --- schema_objects.json | 180 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 180 insertions(+) diff --git a/schema_objects.json b/schema_objects.json index 0df52de..916bc58 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -7,6 +7,24 @@ "properties": { "categories": { "items": { + "enum": [ + "Antivirus detection", + "Artifacts dropped", + "Attribution", + "External analysis", + "Financial fraud", + "Internal reference", + "Network activity", + "Other", + "Payload delivery", + "Payload installation", + "Payload type", + "Persistence mechanism", + "Person", + "Social network", + "Support Tool", + "Targeting data" + ], "type": "string" }, "type": "array", 
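Review bot: The rewritten error message in the second `if` block still closes its double-quoted string at `"*.json"`, so `*.json` reaches `echo` unquoted and the shell may glob-expand it against the current directory, printing a different command than the one the contributor is meant to run. Escape the inner quotes the same way the braces already are: `find -name \"*.json\" -exec chmod -x \"{}\" \\;`. While the line is being touched, "make sure you run remove the executable flag" reads better as "make sure you remove the executable flag". The script begins and ends outside this hunk.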
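Review bot: The success line added at the end of the script is printed unconditionally, so a failing `jsonschema` run or `./unique_uuid.py` would still be followed by "Success" unless `set -e` or an explicit exit-status check is in effect earlier in the file, which this hunk does not show. For a gate that decides whether object definitions are accepted, tie the message to the checks, e.g. `jsonschema -i relationships/definition.json schema_relationships.json && ./unique_uuid.py && echo "Success: All is fine, please go ahead."`, or confirm that `set -e` sits next to the existing `set -x`. The `.` after the closing quote, if it is really part of the added line, is appended to the output and looks unintended.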
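Review bot: The `enum` added under `categories.items` here, and the much longer one added under `misp-attribute` in the next hunk, are hand-copied lists with no record of their source, so they will drift from MISP core. Every type or category added upstream will then fail validation until someone edits this file by hand. JSON has no comments, so record the source of truth in the schema itself with a sibling keyword next to each `enum`, e.g. `"description": "Allowed MISP attribute categories; keep in sync with the MISP core list"`, and ideally regenerate both lists from that source in the validation script. `enum` matching is exact and case-sensitive, which is what catches misspelled categories, but it also means entries such as `Support Tool` and `named pipe` must match the upstream spelling byte for byte.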
@@ -19,6 +37,168 @@ "type": "boolean" }, "misp-attribute": { + "enum": [ + "AS", + "aba-rtn", + "anonymised", + "attachment", + "authentihash", + "bank-account-nr", + "bic", + "bin", + "boolean", + "bro", + "btc", + "campaign-id", + "campaign-name", + "cc-number", + "cdhash", + "comment", + "community-id", + "cookie", + "cortex", + "counter", + "country-of-residence", + "cpe", + "date-of-birth", + "datetime", + "dns-soa-email", + "domain", + "domain|ip", + "email-attachment", + "email-body", + "email-dst", + "email-dst-display-name", + "email-header", + "email-message-id", + "email-mime-boundary", + "email-reply-to", + "email-src", + "email-src-display-name", + "email-subject", + "email-thread-index", + "email-x-mailer", + "filename", + "filename|authentihash", + "filename|impfuzzy", + "filename|imphash", + "filename|md5", + "filename|pehash", + "filename|sha1", + "filename|sha224", + "filename|sha256", + "filename|sha384", + "filename|sha512", + "filename|sha512/224", + "filename|sha512/256", + "filename|ssdeep", + "filename|tlsh", + "first-name", + "float", + "frequent-flyer-number", + "gender", + "gene", + "github-organisation", + "github-repository", + "github-username", + "hassh-md5", + "hasshserver-md5", + "hex", + "hostname", + "hostname|port", + "http-method", + "iban", + "identity-card-number", + "impfuzzy", + "imphash", + "ip-dst", + "ip-dst|port", + "ip-src", + "ip-src|port", + "issue-date-of-the-visa", + "ja3-fingerprint-md5", + "jabber-id", + "last-name", + "link", + "mac-address", + "mac-eui-64", + "malware-sample", + "malware-type", + "md5", + "middle-name", + "mime-type", + "mobile-application-id", + "mutex", + "named pipe", + "nationality", + "other", + "passenger-name-record-locator-number", + "passport-country", + "passport-expiration", + "passport-number", + "pattern-in-file", + "pattern-in-memory", + "pattern-in-traffic", + "payment-details", + "pdb", + "pehash", + "phone-number", + "place-of-birth", + "place-port-of-clearance", + 
"place-port-of-onward-foreign-destination", + "place-port-of-original-embarkation", + "port", + "primary-residence", + "prtn", + "redress-number", + "regkey", + "regkey|value", + "sha1", + "sha224", + "sha256", + "sha384", + "sha512", + "sha512/224", + "sha512/256", + "sigma", + "size-in-bytes", + "snort", + "special-service-request", + "ssdeep", + "stix2-pattern", + "target-email", + "target-external", + "target-location", + "target-machine", + "target-org", + "target-user", + "text", + "threat-actor", + "tlsh", + "travel-details", + "twitter-id", + "uri", + "url", + "user-agent", + "visa-number", + "vulnerability", + "weakness", + "whois-creation-date", + "whois-registrant-email", + "whois-registrant-name", + "whois-registrant-org", + "whois-registrant-phone", + "whois-registrar", + "windows-scheduled-task", + "windows-service-displayname", + "windows-service-name", + "x509-fingerprint-md5", + "x509-fingerprint-sha1", + "x509-fingerprint-sha256", + "xmr", + "yara", + "zeek" + ], "type": "string" }, "multiple": { From 7c3ee740fa95b7f378ac5fb4b7930df42a47d242 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Thu, 8 Aug 2019 12:11:13 +0200 Subject: [PATCH 4/5] fix: [timesketch] fix incorrect attribute type --- objects/timesketch-timeline/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/timesketch-timeline/definition.json b/objects/timesketch-timeline/definition.json index 994015f..02d76bd 100644 --- a/objects/timesketch-timeline/definition.json +++ b/objects/timesketch-timeline/definition.json @@ -12,7 +12,7 @@ "timestamp": { "description": "When the log entry was seen in microseconds since Unix epoch", "ui-priority": 0, - "misp-attribute": "timestamp-microsec" + "misp-attribute": "text" }, "timestamp_desc": { "description": "Text explaining what type of timestamp is it", 
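Review bot: Switching `timestamp` to `"misp-attribute": "text"` lets the definition pass the new enum, but `text` carries no format validation, so a field the description defines as microseconds since the Unix epoch now accepts any string. The attribute block shown sets neither `to_ids` nor `disable_correlation`, so I would add `"disable_correlation": true` to keep identical timestamp strings from linking unrelated events (this assumes `text` attributes correlate by default; confirm against MISP). I would also state the expected encoding in the description, e.g. `"description": "When the log entry was seen, as integer microseconds since Unix epoch"`. The rest of the object definition lies outside the hunk.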
@@ -25,7 +25,7 @@ "misp-attribute": "datetime" } }, - "version": 2, + "version": 3, "description": "A timesketch timeline object based on mandatory field in timesketch to describe a log entry.", "meta-category": "misc", "uuid": "06db0221-cbc0-4ffc-ad98-7f34549310f1", From a347aa78fea21c70f6679ad67c0a5a62774de2cb Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Thu, 8 Aug 2019 14:01:09 +0200 Subject: [PATCH 5/5] fix: [virustotal] corrected typo in category --- objects/virustotal-report/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/virustotal-report/definition.json b/objects/virustotal-report/definition.json index be0dc3e..bc07cca 100644 --- a/objects/virustotal-report/definition.json +++ b/objects/virustotal-report/definition.json @@ -48,14 +48,14 @@ "comment": { "description": "Comment related to this hash", "categories": [ - "Exernal analysis" + "External analysis" ], "misp-attribute": "text", "ui-priority": 2, "multiple": true } }, - "version": 2, + "version": 3, "description": "VirusTotal report", "meta-category": "misc", "uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",