From 3ec78c72e4f9bebcd7769566a4e56514cbcbe13b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Larinier?=
Date: Mon, 13 Mar 2017 17:23:42 +0100
Subject: [PATCH] add elf,elf-section and number of sections in a pe, and move pehash in pe
---
 objects/elf-section/definition.json | 77 +++++++++++++++++++++++++++++
 objects/elf/definition.json | 46 +++++++++++++++++
 objects/file/definition.json | 4 --
 objects/pe/definition.json | 8 +++
 4 files changed, 131 insertions(+), 4 deletions(-)
 create mode 100644 objects/elf-section/definition.json
 create mode 100644 objects/elf/definition.json
diff --git a/objects/elf-section/definition.json b/objects/elf-section/definition.json
new file mode 100644
index 0000000..19a8642
--- /dev/null
+++ b/objects/elf-section/definition.json
@@ -0,0 +1,77 @@
+{
+ "name": "elf-section",
+ "meta-category": "file",
+ "description": "Object describing a section of an Executable and Linkable Format",
+ "version": 1,
+ "attributes": {
+ "name": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 1,
+ "disable_correlation": true
+ },
+ "Flags": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "sane_default": [
+ "W (write)",
+ "A (alloc)",
+ "X (execute)",
+ "M (merge)",
+ "S (strings)",
+ "I (info)",
+ "L (link order)",
+ "O (extra OS processing required)",
+ "G (group)",
+ "T (TLS)",
+ "C (compressed)",
+ "x (unknown)",
+ "o (OS specific)",
+ "E (exclude)",
+ "l (large)",
+ "p (processor specific)"
+ ]
+ },
+ "text": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 1,
+ "disable_correlation": true
+ },
+ "size-in-bytes": {
+ "misp-attribute": "size-in-bytes",
+ "misp-usage-frequency": 1,
+ "disable_correlation": true
+ },
+ "entropy": {
+ "misp-attribute": "float",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
+ },
+ "md5": {
+ "misp-attribute": "md5",
+ "misp-usage-frequency": 1
+ },
+ "sha1": {
+ "misp-attribute": "sha1",
+ "misp-usage-frequency": 0
+ },
+ "sha256": {
+ "misp-attribute": "sha256",
+ "misp-usage-frequency": 0
+ },
+ "sha512": {
+ "misp-attribute": "sha512",
+ "misp-usage-frequency": 0
+ },
+ "ssdeep": {
+ "misp-attribute": "ssdeep",
+ "misp-usage-frequency": 0
+ }
+ },
+ "requiredOneOf": [
+ "text",
+ "name",
+ "sha1",
+ "sha256",
+ "sha512"
+ ]
+}
diff --git a/objects/elf/definition.json b/objects/elf/definition.json
new file mode 100644
index 0000000..7677c61
--- /dev/null
+++ b/objects/elf/definition.json
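Review bot: `requiredOneOf` at the end of the hunk lists `sha1`, `sha256` and `sha512` but omits `md5`, even though `md5` is the only hash in this template given `misp-usage-frequency: 1`; a section record carrying just `md5`, `size-in-bytes` and `entropy` (what a section parser typically emits) would not satisfy the template. Add `"md5"` (and arguably `"ssdeep"`) to the list, or restrict the requirement to `name`/`text` only. Separately, `Flags` is the only capitalised key in either new template — `name`, `text`, `size-in-bytes`, `entropy` and the hashes are all lowercase — so rename it `flags` before version 1 ships; the attribute key presumably becomes the object relation, and renaming it later would break objects already created against this template.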
@@ -0,0 +1,46 @@
+{
+ "name": "elf",
+ "meta-category": "file",
+ "description": "Object describing a Executable and Linkable Format",
+ "version": 1,
+ "attributes": {
+ "text": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 1,
+ "disable_correlation": true
+ },
+ "original-filename": {
+ "misp-attribute": "filename",
+ "misp-usage-frequency": 1
+ },
+ "internal-filename": {
+ "misp-attribute": "filename",
+ "misp-usage-frequency": 0
+ },
+ "entrypoint-address": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
+ },
+ "file-description": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
+ },
+ "file-version": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
+ },
+ "elf-type": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
+ }
+ },
+ "requiredOneOf": [
+ "text",
+ "original-filename",
+ "internal-filename"
+ ]
+}
diff --git a/objects/file/definition.json b/objects/file/definition.json
index 4ce11a3..d3be15e 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -27,10 +27,6 @@
 "misp-attribute": "ssdeep",
 "misp-usage-frequency": 0
 },
- "pehash": {
- "misp-attribute": "pehash",
- "misp-usage-frequency": 0
- },
 "sha224": {
 "misp-attribute": "sha224",
 "misp-usage-frequency": 0
diff --git a/objects/pe/definition.json b/objects/pe/definition.json
index 89c4b5d..594693b 100644
--- a/objects/pe/definition.json
+++ b/objects/pe/definition.json
@@ -8,11 +8,19 @@
 "misp-attribute": "imphash",
 "misp-usage-frequency": 0
 },
+ "pehash": {
+ "misp-attribute": "pehash",
+ "misp-usage-frequency": 0
+ },
 "text": {
 "misp-attribute": "text",
 "misp-usage-frequency": 1,
 "disable_correlation": true
 },
+ "number of sections": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
 "original-filename": {
 "misp-attribute": "filename",
 "misp-usage-frequency": 1
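Review bot: `elf-type` is declared as free `text` with no `sane_default`, although the sibling elf-section template added in this same commit gives its `Flags` attribute a closed value list; the ELF header's `e_type` is a small fixed enum, so offering `"sane_default": ["REL (relocatable)", "EXEC (executable)", "DYN (shared object)", "CORE (core file)"]` would keep values comparable across events instead of a mix of `2`, `EXEC` and `ET_EXEC`. The description string `"Object describing a Executable and Linkable Format"` should read `"Object describing an Executable and Linkable Format file"`. `file-description` and `file-version` look carried over from the PE template (VERSIONINFO fields), and ELF has no equivalent header field; either state what they are meant to hold for ELF or drop them from the template.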
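Review bot: The new `"number of sections"` attribute has no `disable_correlation`, while the neighbouring `text` entry (and `size-in-bytes`/`entropy` in the new elf-section template) disable it; a section count is a small integer shared by most binaries, so leaving correlation on would link unrelated PEs that merely happen to have, say, five sections. Add `"disable_correlation": true`, and rename the key to `number-of-sections` — it is the only key with spaces in the template, every sibling (`original-filename`, `pehash`, `imphash`) is kebab-case, and the key presumably becomes the object relation, which is awkward to change once objects exist. `text` is also a loose type for a count; if the target MISP version offers the `counter` attribute type, prefer it. The hunk starts at line 8, so the template's `version` field is not visible; if it was not bumped together with these additions, existing installs presumably will not pick up the new attributes.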