From 8f9c7b1ae127703a7429401d1c5546a17d4323aa Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Fri, 5 Jan 2018 14:34:20 +0100
Subject: [PATCH] add: Diameter attack object targeting GSM, UMTS and 4G
 networks.

---
 objects/diameter-attack/definition.json | 89 +++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
 create mode 100644 objects/diameter-attack/definition.json

diff --git a/objects/diameter-attack/definition.json b/objects/diameter-attack/definition.json
new file mode 100644
index 0000000..71c2766
--- /dev/null
+++ b/objects/diameter-attack/definition.json
@@ -0,0 +1,89 @@
+{
+  "requiredOneOf": [
+    "text"
+  ],
+  "attributes": {
+    "category": {
+      "description": "Category.",
+      "sane_default": [
+        "Cat0",
+        "Cat1",
+        "Cat2",
+        "Cat3",
+        "CatSMS"
+      ],
+      "misp-attribute": "text",
+      "disable_correlation": true,
+      "ui-priority": 0
+    },
+    "ApplicationId": {
+      "description": "Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "SessionId": {
+      "description": "Session-ID.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "CmdCode": {
+      "description": "A decimal representation of the diameter Command Code.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "Origin-Host": {
+      "description": "Origin-Host.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "Destination-Host": {
+      "description": "Destination-Host.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "Origin-Realm": {
+      "description": "Origin-Realm.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "Destination-Realm": {
+      "description": "Destination-Realm.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "Username": {
+      "description": "Username (in this case, usually the IMSI).",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "IdrFlags": {
+      "description": "IDR-Flags.",
+      "misp-attribute": "text",
+      "disable_correlation": true,
+      "ui-priority": 0
+    },
+    "text": {
+      "description": "A description of the attack seen.",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "first-seen": {
+      "description": "When the attack has been seen for the first time.",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "misp-attribute": "datetime"
+    }
+  },
+  "version": 1,
+  "description": "Attack as seen on diameter authentication against a GSM, UMTS or LTE network",
+  "meta-category": "network",
+  "uuid": "a3fdce4c-8e21-4acc-ab8e-9976e9165a12",
+  "name": "diameter-attack"
+}