Merge pull request #8 from sebdraven/master

add elf,elf-section and number of sections in a pe, and move pehash in pe object

objects/elf-section/definition.json

@@ -0,0 +1,77 @@
+{
+  "name": "elf-section",
+  "meta-category": "file",
+  "description": "Object describing a section of an Executable and Linkable Format",
+  "version": 1,
+  "attributes": {
+    "name": {
+      "misp-attribute": "text",
+      "misp-usage-frequency": 1,
+      "disable_correlation": true
+    },
+    "Flags": {
+      "misp-attribute": "text",
+      "misp-usage-frequency": 0,
+      "sane_default": [
+        "W (write)",
+        "A (alloc)",
+        "X (execute)",
+        "M (merge)",
+        "S (strings)",
+        "I (info)",
+        "L (link order)",
+        "O (extra OS processing required)",
+        "G (group)",
+        "T (TLS)",
+        "C (compressed)",
+        "x (unknown)",
+        "o (OS specific)",
+        "E (exclude)",
+        "l (large)",
+        "p (processor specific)"
+      ]
+    },
+    "text": {
+      "misp-attribute": "text",
+      "misp-usage-frequency": 1,
+      "disable_correlation": true
+    },
+    "size-in-bytes": {
+      "misp-attribute": "size-in-bytes",
+      "misp-usage-frequency": 1,
+      "disable_correlation": true
+    },
+    "entropy": {
+      "misp-attribute": "float",
+      "misp-usage-frequency": 0,
+      "disable_correlation": true
+    },
+    "md5": {
+      "misp-attribute": "md5",
+      "misp-usage-frequency": 1
+    },
+    "sha1": {
+      "misp-attribute": "sha1",
+      "misp-usage-frequency": 0
+    },
+    "sha256": {
+      "misp-attribute": "sha256",
+      "misp-usage-frequency": 0
+    },
+    "sha512": {
+      "misp-attribute": "sha512",
+      "misp-usage-frequency": 0
+    },
+    "ssdeep": {
+      "misp-attribute": "ssdeep",
+      "misp-usage-frequency": 0
+    }
+  },
+  "requiredOneOf": [
+    "text",
+    "name",
+    "sha1",
+    "sha256",
+    "sha512"
+  ]
+}

objects/elf/definition.json

@@ -0,0 +1,46 @@
+{
+  "name": "elf",
+  "meta-category": "file",
+  "description": "Object describing a Executable and Linkable Format",
+  "version": 1,
+  "attributes": {
+    "text": {
+      "misp-attribute": "text",
+      "misp-usage-frequency": 1,
+      "disable_correlation": true
+    },
+    "original-filename": {
+      "misp-attribute": "filename",
+      "misp-usage-frequency": 1
+    },
+    "internal-filename": {
+      "misp-attribute": "filename",
+      "misp-usage-frequency": 0
+    },
+    "entrypoint-address": {
+      "misp-attribute": "text",
+      "misp-usage-frequency": 0,
+      "disable_correlation": true
+    },
+    "file-description": {
+      "misp-attribute": "text",
+      "misp-usage-frequency": 0,
+      "disable_correlation": true
+    },
+    "file-version": {
+      "misp-attribute": "text",
+      "misp-usage-frequency": 0,
+      "disable_correlation": true
+    },
+    "elf-type": {
+      "misp-attribute": "text",
+      "misp-usage-frequency": 0,
+      "disable_correlation": true
+    }
+  },
+  "requiredOneOf": [
+    "text",
+    "original-filename",
+    "internal-filename"
+  ]
+}

objects/file/definition.json

@@ -27,10 +27,6 @@
       "misp-attribute": "ssdeep",
       "misp-usage-frequency": 0
     },
-    "pehash": {
-      "misp-attribute": "pehash",
-      "misp-usage-frequency": 0
-    },
     "sha224": {
       "misp-attribute": "sha224",
       "misp-usage-frequency": 0

objects/pe/definition.json

@@ -8,11 +8,19 @@
       "misp-attribute": "imphash",
       "misp-usage-frequency": 0
     },
+    "pehash": {
+      "misp-attribute": "pehash",
+      "misp-usage-frequency": 0
+    },
     "text": {
       "misp-attribute": "text",
       "misp-usage-frequency": 1,
       "disable_correlation": true
     },
+    "number of sections": {
+      "misp-attribute": "text",
+      "misp-usage-frequency": 0
+    },
     "original-filename": {
       "misp-attribute": "filename",
       "misp-usage-frequency": 1