Merge branch 'master' of github.com:MISP/misp-objects

pull/17/head
Raphaël Vinot 2017-07-11 13:12:42 +02:00
commit 9256d6e8f8
21 changed files with 1130 additions and 901 deletions


@ -20,21 +20,21 @@ Feel free to propose your own MISP objects to be included in MISP. The system is
{
"ip": {
"misp-attribute": "ip-dst",
"misp-usage-frequency": 1,
"ui-priority": 1,
"categories": ["Network activity","External analysis"]
},
"domain": {
"misp-attribute": "domain",
"misp-usage-frequency": 1,
"ui-priority": 1,
"categories": ["Network activity","External analysis"]
},
"first-seen": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
"ui-priority": 0
},
"last-seen": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
"ui-priority": 0
}
},
@ -45,7 +45,7 @@ Feel free to propose your own MISP objects to be included in MISP. The system is
A MISP object is described in a simple JSON file containing the following element.
* **name** is the name of the your object.
* **meta-category** is the category where the object falls into. (file, network, financial)
* **meta-category** is the category where the object falls into. (file, network, financial, misc, internal)
* **description** is a summary of the object description.
* **version** is the version number as a decimal value.
* **required** is an array containing the minimal required attributes to describe the object.
@ -53,7 +53,7 @@ A MISP object is described in a simple JSON file containing the following elemen
* **attributes** contains another JSON object listing all the attributes composing the object.
Each attribute must contain a reference **misp-attribute** to reference an existing attribute definition in MISP.
An array **categories** shall be used to described in which categories the attribute is. The **misp-usage-frequency**
An array **categories** shall be used to described in which categories the attribute is. The **ui-priority**
describes the usage frequency of an attribute. This helps to only display the most frequently used attributes and
allowing advanced users to show all the attributes depending of their configuration. An optional **multiple** field
shall be set to true if multiple elements of the same key can be used in the object. An optional **required_value**
@ -63,15 +63,21 @@ for a specific attribute.
## Existing MISP objects
* [objects/ail-leak](objects/ail-leak/definition.json) - information leak object as defined by the [AIL Analysis Information Leak framework](https://www.github.com/CIRCL/AIL-framework).
* [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
* [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
* [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
* [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
* [objects/email](objects/email/definition.json) - An email object.
* [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
* [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
* [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
* [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
* [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
* [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
* [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
* [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
* [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
* [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
@ -94,7 +100,7 @@ MISP objects are dynamically used objects that are contributed by users of MISP
The aim is to allow a dynamic update of objects definition in operational distributed sharing systems like MISP. Security threats and their related indicators are quite dynamic, standardized formats are quite static and new indicators require a significant time before being standardized.
The MISP objects model allows to add new combined indicators format based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects is then propagated along with the indicators itself.
The MISP objects model allows to add new combined indicators format based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects can be then propagated along with the indicators itself.
## License


@ -0,0 +1,66 @@
{
"requiredOneOf": [
"type",
"text",
"first-seen",
"last-seen",
"origin"
],
"required": [
"type"
],
"attributes": {
"sensor": {
"description": "The AIL sensor uuid where the leak was processed and analysed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"origin": {
"description": "The link where the leak is (or was) accessible at first-seen.",
"ui-priority": 1,
"misp-attribute": "url"
},
"text": {
"description": "A description of the leak which could include the potential victim(s) or description of the leak.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"original-date": {
"description": "When the information available in the leak was created. It's usually before the first-seen.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"type": {
"sane_default": [
"Credential",
"CreditCards",
"Mail",
"Onion",
"Phone",
"Keys"
],
"description": "Type of information leak as discovered and classified by an AIL module.",
"ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
"description": "When the leak has been accessible or seen for the last time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "When the leak has been accessible or seen for the first time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
}
},
"version": 2,
"description": "An information leak as defined by the AIL Analysis Information Leak framework.",
"meta-category": "misc",
"uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
"name": "ail-leak"
}
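Review bot: `type` appears in both `required` and `requiredOneOf`, so the `requiredOneOf` list can never reject anything on its own, assuming it means "at least one of these attributes must be present". Either drop `"type"` from `requiredOneOf` so that one of `text`, `origin`, `first-seen` or `last-seen` is actually demanded, or remove the list. Separately, `type` and `sensor` are `text` attributes without `"disable_correlation": true`, unlike `text` and the datetime fields in this file. An enumerated value such as `Credential` would then presumably correlate every leak of that type and add noise for analysts.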


@ -3,19 +3,19 @@
"uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
"meta-category": "network",
"description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
"version": 1,
"version": 2,
"attributes": {
"total-bps": {
"misp-attribute": "counter",
"misp-usage-frequency": 0
"ui-priority": 0
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 0
"ui-priority": 0
},
"ip-dst": {
"misp-attribute": "ip-dst",
"misp-usage-frequency": 1,
"ui-priority": 1,
"categories": [
"Network activity",
"External analysis"
@ -23,23 +23,23 @@
},
"ip-src": {
"misp-attribute": "ip-src",
"misp-usage-frequency": 1,
"ui-priority": 1,
"categories": [
"Network activity",
"External analysis"
]
},
"dst-port": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"misp-attribute": "port",
"ui-priority": 0,
"categories": [
"Network activity",
"External analysis"
]
},
"src-port": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"misp-attribute": "port",
"ui-priority": 0,
"categories": [
"Network activity",
"External analysis"
@ -47,11 +47,11 @@
},
"first-seen": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
"ui-priority": 0
},
"protocol": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"ui-priority": 0,
"required_value": [
"TCP",
"UDP",
@ -61,11 +61,11 @@
},
"total-pps": {
"misp-attribute": "counter",
"misp-usage-frequency": 0
"ui-priority": 0
},
"last-seen": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
"ui-priority": 0
}
},
"requiredOneOf": [
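Review bot: The counter and datetime attributes here (`total-bps`, `total-pps`, `first-seen`, `last-seen`) carry no `"disable_correlation": true`, while the new ail-leak and geolocation definitions in this commit set it on their datetime fields and pe sets it on `number-sections`. If correlation is enabled by default for these attribute types, identical counters or timestamps would link unrelated DDoS events, so consider adding `"disable_correlation": true` to them. The same gap shows on `first-seen`/`last-seen` in the domain-ip and ip-port sections and on `count` and the `time_*` fields in passive-dns. The object continues outside the visible hunks.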


@ -1,41 +1,41 @@
{
"name": "domain|ip",
"uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"meta-category": "network",
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"version": 1,
"attributes": {
"ip": {
"misp-attribute": "ip-dst",
"misp-usage-frequency": 1,
"categories": [
"Network activity",
"External analysis"
]
},
"domain": {
"misp-attribute": "domain",
"misp-usage-frequency": 1,
"categories": [
"Network activity",
"External analysis"
]
},
"first-seen": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"last-seen": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1
}
},
"required": [
"ip",
"domain"
]
],
"attributes": {
"text": {
"ui-priority": 1,
"misp-attribute": "text"
},
"last-seen": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"domain": {
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain"
},
"ip": {
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst"
}
},
"version": 1,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
"name": "domain|ip"
}
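Review bot: `version` stays at `1` although every attribute's `misp-usage-frequency` key is renamed to `ui-priority`, whereas ddos and email are bumped to `2` for the same rename in this commit. If consumers decide whether to refresh a stored template by comparing `version`, which is the likely use of the field, an instance already holding version 1 would keep the old key name. Consider `"version": 2` here and in the elf-section, elf, file, ip-port, passive-dns, pe-section and pe sections, which show the same gap.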


@ -1,18 +1,26 @@
{
"name": "elf-section",
"uuid": "ca271f32-1234-4e87-b240-6b6e882de5de",
"meta-category": "file",
"description": "Object describing a section of an Executable and Linkable Format",
"version": 1,
"requiredOneOf": [
"text",
"name",
"sha1",
"sha256",
"sha512"
],
"attributes": {
"sh_name": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true
"sha512": {
"ui-priority": 0,
"misp-attribute": "sha512"
},
"ssdeep": {
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"entropy": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "float"
},
"sh_type": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"sane_default": [
"SHT_NULL",
"SHT_PROGBITS",
@ -33,11 +41,30 @@
"SHT_SYMTAB_SHNDX",
"SHT_NUM",
"SHT_LOOS"
]
],
"ui-priority": 0,
"misp-attribute": "text"
},
"sh_name": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"sha256": {
"ui-priority": 0,
"misp-attribute": "sha256"
},
"sh_size": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"text": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"sh_flags": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"sane_default": [
"W (write)",
"A (alloc)",
@ -55,49 +82,22 @@
"E (exclude)",
"l (large)",
"p (processor specific)"
]
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true
},
"sh_size": {
"misp-attribute": "size-in-bytes",
"misp-usage-frequency": 1,
"disable_correlation": true
},
"entropy": {
"misp-attribute": "float",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"md5": {
"misp-attribute": "md5",
"misp-usage-frequency": 1
],
"ui-priority": 0,
"misp-attribute": "text"
},
"sha1": {
"misp-attribute": "sha1",
"misp-usage-frequency": 0
"ui-priority": 0,
"misp-attribute": "sha1"
},
"sha256": {
"misp-attribute": "sha256",
"misp-usage-frequency": 0
},
"sha512": {
"misp-attribute": "sha512",
"misp-usage-frequency": 0
},
"ssdeep": {
"misp-attribute": "ssdeep",
"misp-usage-frequency": 0
"md5": {
"ui-priority": 1,
"misp-attribute": "md5"
}
},
"requiredOneOf": [
"text",
"name",
"sha1",
"sha256",
"sha512"
]
"version": 1,
"description": "Object describing a section of an Executable and Linkable Format",
"meta-category": "file",
"uuid": "ca271f32-1234-4e87-b240-6b6e882de5de",
"name": "elf-section"
}
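Review bot: `requiredOneOf` lists `"name"`, but none of the visible attributes is called `name`; the section name is defined as `sh_name`. The lines hidden between hunks fall inside the `sane_default` lists, so a `name` attribute is unlikely to be defined there. As written, that entry can never be satisfied, and an object carrying only `sh_name` would not meet the constraint. Replacing it with `"sh_name"` would match the attribute keys.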


@ -1,47 +1,28 @@
{
"name": "elf",
"uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa",
"meta-category": "file",
"description": "Object describing a Executable and Linkable Format",
"version": 1,
"requiredOneOf": [
"text",
"original-filename",
"internal-filename"
],
"attributes": {
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true
},
"original-filename": {
"misp-attribute": "filename",
"misp-usage-frequency": 1
},
"e_entry": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"file-description": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"e_version": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"e_type": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"e_machine": {
"sane_default": [
"relocatable",
"executable",
"shared",
"core"
]
"No specific instruction set",
"SPARC",
"X86",
"MISP",
"PowerPC",
"ARM",
"SuperH",
"IA-64",
"x86-64",
"AArch64",
"RISC-V"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"e_ident_abi": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"sane_default": [
"System V",
"HP_UX",
@ -60,29 +41,48 @@
"Fenis OS",
"CloudABI",
"Sortix"
]
],
"ui-priority": 0,
"misp-attribute": "text"
},
"e_machine": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"e_type": {
"sane_default": [
"No specific instruction set",
"SPARC",
"X86",
"MISP",
"PowerPC",
"ARM",
"SuperH",
"IA-64",
"x86-64",
"AArch64",
"RISC-V"
]
"relocatable",
"executable",
"shared",
"core"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"e_version": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"file-description": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"e_entry": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"original-filename": {
"ui-priority": 1,
"misp-attribute": "filename"
},
"text": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
}
},
"requiredOneOf": [
"text",
"original-filename",
"internal-filename"
]
"version": 1,
"description": "Object describing a Executable and Linkable Format",
"meta-category": "file",
"uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa",
"name": "elf"
}
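Review bot: The `e_machine` `sane_default` list contains `"MISP"`, which looks like a typo for the MIPS architecture and is carried over unchanged by the re-serialization; `"MIPS"` is presumably intended. In addition, `requiredOneOf` names `"internal-filename"`, but no such attribute is defined in the visible `attributes` (only `original-filename` and `text` from that list exist), so that entry can never be satisfied. Either define the attribute or drop it from `requiredOneOf`.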


@ -1,27 +1,27 @@
{
"name": "email",
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"meta-category": "email",
"meta-category": "network",
"description": "Email object describing an email with meta-information",
"version": 1,
"version": 2,
"attributes": {
"reply-to": {
"misp-attribute": "email-reply-to",
"misp-usage-frequency": 1,
"ui-priority": 1,
"categories": [
"Payload delivery"
]
},
"message-id": {
"misp-attribute": "email-message-id",
"misp-usage-frequency": 0,
"ui-priority": 0,
"categories": [
"Payload delivery"
]
},
"to": {
"misp-attribute": "email-dst",
"misp-usage-frequency": 1,
"ui-priority": 1,
"categories": [
"Payload delivery"
],
@ -29,7 +29,7 @@
},
"to-display-name": {
"misp-attribute": "email-dst-display-name",
"misp-usage-frequency": 1,
"ui-priority": 1,
"categories": [
"Payload delivery"
],
@ -37,29 +37,29 @@
},
"subject": {
"misp-attribute": "email-subject",
"misp-usage-frequency": 1,
"ui-priority": 1,
"categories": [
"Payload delivery"
]
},
"attachment": {
"misp-attribute": "email-attachment",
"misp-usage-frequency": 0,
"ui-priority": 0,
"categories": [
"Payload delivery"
],
"multiple": true
},
"x-mailer": {
"misp-attribute": "email-xmailer",
"misp-usage-frequency": 0,
"misp-attribute": "email-x-mailer",
"ui-priority": 0,
"categories": [
"Payload delivery"
]
},
"header": {
"misp-attribute": "email-header",
"misp-usage-frequency": 0,
"ui-priority": 0,
"categories": [
"Payload delivery"
],
@ -67,7 +67,7 @@
},
"send-date": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0,
"ui-priority": 0,
"disable_correlation": true,
"categories": [
"Other"
@ -75,7 +75,7 @@
},
"url": {
"misp-attribute": "url",
"misp-usage-frequency": 0,
"ui-priority": 0,
"categories": [
"Payload delivery"
],
@ -83,28 +83,28 @@
},
"mime-boundary": {
"misp-attribute": "email-mime-boundary",
"misp-usage-frequency": 0,
"ui-priority": 0,
"categories": [
"Payload delivery"
]
},
"thread-index": {
"misp-attribute": "email-thread-index",
"misp-usage-frequency": 0,
"ui-priority": 0,
"categories": [
"Payload delivery"
]
},
"from": {
"misp-attribute": "email-src",
"misp-usage-frequency": 1,
"ui-priority": 1,
"categories": [
"Payload delivery"
]
},
"from-display-name": {
"misp-attribute": "email-src-display-name",
"misp-usage-frequency": 1,
"ui-priority": 1,
"categories": [
"Payload delivery"
]


@ -1,93 +1,4 @@
{
"name": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"meta-category": "file",
"description": "File object describing a file with meta-information",
"version": 1,
"attributes": {
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true
},
"size-in-bytes": {
"misp-attribute": "size-in-bytes",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"authentihash": {
"misp-attribute": "authentihash",
"misp-usage-frequency": 0
},
"ssdeep": {
"misp-attribute": "ssdeep",
"misp-usage-frequency": 0
},
"sha224": {
"misp-attribute": "sha224",
"misp-usage-frequency": 0
},
"sha384": {
"misp-attribute": "sha384",
"misp-usage-frequency": 0
},
"sha512": {
"misp-attribute": "sha512",
"misp-usage-frequency": 0
},
"sha512/224": {
"misp-attribute": "sha512/224",
"misp-usage-frequency": 0
},
"malware-sample": {
"misp-attribute": "malware-sample",
"misp-usage-frequency": 1
},
"filename": {
"misp-attribute": "filename",
"misp-usage-frequency": 1,
"categories": [
"Payload delivery",
"Artifacts dropped",
"Payload installation",
"External analysis"
]
},
"sha512/256": {
"misp-attribute": "sha512/256",
"misp-usage-frequency": 0
},
"tlsh": {
"misp-attribute": "tlsh",
"misp-usage-frequency": 0
},
"md5": {
"misp-attribute": "md5",
"misp-usage-frequency": 1
},
"sha1": {
"misp-attribute": "sha1",
"misp-usage-frequency": 1
},
"sha256": {
"misp-attribute": "sha256",
"misp-usage-frequency": 1
},
"entropy": {
"misp-attribute": "float",
"misp-usage-frequency": 1,
"disable_correlation": true
},
"pattern-in-file": {
"misp-attribute": "pattern-in-file",
"misp-usage-frequency": 1,
"categories": [
"Artifacts dropped",
"Payload installation",
"External analysis"
]
}
},
"requiredOneOf": [
"filename",
"size-in-bytes",
@ -105,5 +16,94 @@
"sha1",
"sha256",
"pattern-in-file"
]
],
"attributes": {
"md5": {
"ui-priority": 1,
"misp-attribute": "md5"
},
"sha512/224": {
"ui-priority": 0,
"misp-attribute": "sha512/224"
},
"sha512": {
"ui-priority": 0,
"misp-attribute": "sha512"
},
"sha384": {
"ui-priority": 0,
"misp-attribute": "sha384"
},
"sha224": {
"ui-priority": 0,
"misp-attribute": "sha224"
},
"ssdeep": {
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"authentihash": {
"ui-priority": 0,
"misp-attribute": "authentihash"
},
"size-in-bytes": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "size-in-bytes"
},
"sha1": {
"ui-priority": 1,
"misp-attribute": "sha1"
},
"sha256": {
"ui-priority": 1,
"misp-attribute": "sha256"
},
"entropy": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "float"
},
"pattern-in-file": {
"categories": [
"Artifacts dropped",
"Payload installation",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "pattern-in-file"
},
"text": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"malware-sample": {
"ui-priority": 1,
"misp-attribute": "malware-sample"
},
"filename": {
"categories": [
"Payload delivery",
"Artifacts dropped",
"Payload installation",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "filename"
},
"sha512/256": {
"ui-priority": 0,
"misp-attribute": "sha512/256"
},
"tlsh": {
"ui-priority": 0,
"misp-attribute": "tlsh"
}
},
"version": 1,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
"name": "file"
}


@ -0,0 +1,66 @@
{
"requiredOneOf": [
"latitude",
"longitude",
"city",
"region",
"country"
],
"attributes": {
"first-seen": {
"description": "When the location was seen for the first time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"last-seen": {
"description": "When the location was seen for the last time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"text": {
"description": "A generic description of the location.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"latitude": {
"description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "float"
},
"longitude": {
"description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "float"
},
"altitude": {
"description": "The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.",
"ui-priority": 0,
"misp-attribute": "float"
},
"city": {
"description": "City.",
"misp-attribute": "text",
"ui-priority": 1
},
"region": {
"description": "Region.",
"misp-attribute": "text",
"ui-priority": 1
},
"country": {
"description": "Country.",
"misp-attribute": "text",
"ui-priority": 1
}
},
"version": 2,
"description": "An object to describe a geographic location.",
"meta-category": "misc",
"uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3",
"name": "geolocation"
}
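Review bot: The `uuid` value `fdd30d5f-6752-45ed-bef2-25e8ce4d8a3` is malformed: its last group has 11 hex digits instead of 12, so it is not a valid UUID. Any consumer that validates or indexes templates by UUID may reject or mis-key this object, so a correctly formed UUID should be generated before release. Also, `altitude` lacks the `"disable_correlation": true` that `latitude` and `longitude` carry.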


@ -1,52 +1,52 @@
{
"name": "ip|port",
"uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"meta-category": "network",
"description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.",
"version": 1,
"attributes": {
"ip": {
"misp-attribute": "ip-dst",
"misp-usage-frequency": 1,
"categories": [
"Network activity",
"External analysis"
]
},
"dst-port": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"categories": [
"Network activity",
"External analysis"
]
},
"src-port": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"categories": [
"Network activity",
"External analysis"
]
},
"first-seen": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"last-seen": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 0
}
},
"required": [
"ip"
],
"requiredOneOf": [
"dst-port",
"src-port"
]
],
"required": [
"ip"
],
"attributes": {
"text": {
"ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"src-port": {
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"dst-port": {
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text"
},
"ip": {
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst"
}
},
"version": 1,
"description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"name": "ip|port"
}
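Review bot: `dst-port` and `src-port` still use `"misp-attribute": "text"`, while the ddos definition in this same commit moves its port fields to `"misp-attribute": "port"`. Keeping ports as free text here means the same kind of value has two different types across objects, and it loses whatever validation the `port` type provides. Consider `"misp-attribute": "port"` for both attributes, together with a `version` bump.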


@ -1,65 +1,65 @@
{
"name": "passive-dns",
"uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
"meta-category": "network",
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
"version": 1,
"attributes": {
"rrtype": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"categories": [
"Network activity",
"External analysis"
]
},
"rrname": {
"misp-attribute": "hostname",
"misp-usage-frequency": 1,
"categories": [
"Network activity",
"External analysis"
]
},
"time_first": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"time_last": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"origin": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"count": {
"misp-attribute": "counter",
"misp-usage-frequency": 0
},
"sensor_id": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"bailiwick": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"zone_time_first": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"zone_time_last": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 0
}
},
"required": [
"rrtype",
"rrname"
]
],
"attributes": {
"zone_time_last": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"text": {
"ui-priority": 0,
"misp-attribute": "text"
},
"count": {
"ui-priority": 0,
"misp-attribute": "counter"
},
"rrname": {
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "hostname"
},
"rrtype": {
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text"
},
"zone_time_first": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"origin": {
"ui-priority": 0,
"misp-attribute": "text"
},
"time_last": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"time_first": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"bailiwick": {
"ui-priority": 0,
"misp-attribute": "text"
},
"sensor_id": {
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
"meta-category": "network",
"uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
"name": "passive-dns"
}


@ -1,13 +1,23 @@
{
"name": "pe-section",
"uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"meta-category": "file",
"description": "Object describing a section of a Portable Executable",
"version": 1,
"requiredOneOf": [
"text",
"name",
"sha1",
"sha256",
"sha512"
],
"attributes": {
"characteristics": {
"sane_default": [
"read",
"write",
"executable"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"name": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true,
"sane_default": [
".rsrc",
".reloc",
@ -15,58 +25,48 @@
".data",
".text"
],
"disable_correlation": true
},
"characteristics": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"sane_default": [
"read",
"write",
"executable"
]
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true
"ui-priority": 1,
"misp-attribute": "text"
},
"size-in-bytes": {
"misp-attribute": "size-in-bytes",
"misp-usage-frequency": 1,
"disable_correlation": true
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"entropy": {
"misp-attribute": "float",
"misp-usage-frequency": 0,
"disable_correlation": true
"text": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"md5": {
"misp-attribute": "md5",
"misp-usage-frequency": 1
"ui-priority": 1,
"misp-attribute": "md5"
},
"sha1": {
"misp-attribute": "sha1",
"misp-usage-frequency": 0
"entropy": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "float"
},
"sha256": {
"misp-attribute": "sha256",
"misp-usage-frequency": 0
"ui-priority": 0,
"misp-attribute": "sha256"
},
"sha512": {
"misp-attribute": "sha512",
"misp-usage-frequency": 0
"sha1": {
"ui-priority": 0,
"misp-attribute": "sha1"
},
"ssdeep": {
"misp-attribute": "ssdeep",
"misp-usage-frequency": 0
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"sha512": {
"ui-priority": 0,
"misp-attribute": "sha512"
}
},
"requiredOneOf": [
"text",
"name",
"sha1",
"sha256",
"sha512"
]
"version": 1,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
"name": "pe-section"
}


@ -1,112 +1,109 @@
{
"name": "pe",
"uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"meta-category": "file",
"description": "Object describing a Portable Executable",
"version": 1,
"requiredOneOf": [
"text",
"original-filename",
"internal-filename"
],
"attributes": {
"imphash": {
"misp-attribute": "imphash",
"misp-usage-frequency": 0
},
"pehash": {
"misp-attribute": "pehash",
"misp-usage-frequency": 0
"ui-priority": 0,
"misp-attribute": "pehash"
},
"impfuzzy": {
"misp-attribute": "impfuzzy",
"misp-usage-frequency": 0
"ui-priority": 0,
"misp-attribute": "impfuzzy"
},
"pe-type": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"internal-filename": {
"ui-priority": 0,
"misp-attribute": "filename"
},
"original-filename": {
"ui-priority": 1,
"misp-attribute": "filename"
},
"number-sections": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"text": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"type": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true,
"sane_default": [
"exe",
"dll",
"driver",
"unknown"
]
],
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true
},
"number-sections": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"original-filename": {
"misp-attribute": "filename",
"misp-usage-frequency": 1
},
"internal-filename": {
"misp-attribute": "filename",
"misp-usage-frequency": 0
"imphash": {
"ui-priority": 0,
"misp-attribute": "imphash"
},
"compilation-timestamp": {
"misp-attribute": "datetime",
"misp-usage-frequency": 1
"ui-priority": 1,
"misp-attribute": "datetime"
},
"entrypoint-section|position": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"entrypoint-address": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"file-description": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"file-version": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lang-id": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"product-name": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"product-version": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"company-name": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"legal-copyright": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
},
"pe-type": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
}
},
"requiredOneOf": [
"text",
"original-filename",
"internal-filename",
"imphash",
"pehash",
"impfuzzy"
]
"version": 1,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"name": "pe"
}
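Review bot: The new `requiredOneOf` appears to drop `imphash`, `pehash` and `impfuzzy`, leaving only `text`, `original-filename` and `internal-filename`. This is inferred from the hunk counts (112 lines before, 109 after) and from the key order used by the other re-serialized files. If so, a PE object described only by one of those hashes no longer satisfies the constraint, which looks like an accidental loss in the merge rather than an intended change, since the three attributes are still defined. Consider restoring `"imphash"`, `"pehash"` and `"impfuzzy"` in the list.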


@ -1,142 +1,4 @@
{
"name": "r2graphity",
"uuid": "b6abe0e0-52ea-4424-ba42-761c2e027b76",
"meta-category": "file",
"description": "Indicators extracted from files using radare2 and graphml",
"version": 1,
"attributes": {
"total-functions": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Total amount of functions in the file."
},
"local-references": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of API calls inside a code section"
},
"refsglobalvar": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of API calls outside of code section (glob var, dynamic API)"
},
"unknown-references": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of API calls not ending in a function (Radare2 bug, probalby)"
},
"total-api": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Total amount of API calls"
},
"miss-api": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of API call reference that does not resolve to a function offset"
},
"referenced-strings": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of referenced strings"
},
"dangling-strings": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)"
},
"not-referenced-strings": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of not referenced strings"
},
"ratio-functions": {
"misp-attribute": "float",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Ratio: amount of functions per kilobyte of code section"
},
"ratio-api": {
"misp-attribute": "float",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Ratio: amount of API calls per kilobyte of code section"
},
"ratio-string": {
"misp-attribute": "float",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Ratio: amount of referenced strings per kilobyte of code section"
},
"get-proc-address": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of calls to GetProcAddress"
},
"memory-allocations": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of memory allocations"
},
"create-thread": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of calls to CreateThread"
},
"shortest-path-to-create-thread": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Shortest path to the first time the binary calls CreateThread"
},
"callbacks": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Amount of callbacks (functions started as thread)"
},
"callback-average": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Average size of a callback"
},
"callback-largest": {
"misp-attribute": "counter",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Largest callback"
},
"gml": {
"misp-attribute": "attachment",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Graph export in G>raph Modelling Language format"
},
"r2-commit-version": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"disable_correlation": true,
"description": "Radare2 commit ID used to generate this object"
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"disable_correlation": true
}
},
"requiredOneOf": [
"filename",
"size-in-bytes",
@ -154,5 +16,143 @@
"sha1",
"sha256",
"pattern-in-file"
]
],
"attributes": {
"callback-average": {
"description": "Average size of a callback",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"callbacks": {
"description": "Amount of callbacks (functions started as thread)",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"shortest-path-to-create-thread": {
"description": "Shortest path to the first time the binary calls CreateThread",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"create-thread": {
"description": "Amount of calls to CreateThread",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"memory-allocations": {
"description": "Amount of memory allocations",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"get-proc-address": {
"description": "Amount of calls to GetProcAddress",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"dangling-strings": {
"description": "Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"referenced-strings": {
"description": "Amount of referenced strings",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"callback-largest": {
"description": "Largest callback",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"gml": {
"description": "Graph export in G>raph Modelling Language format",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "attachment"
},
"r2-commit-version": {
"description": "Radare2 commit ID used to generate this object",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"text": {
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"miss-api": {
"description": "Amount of API call reference that does not resolve to a function offset",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"total-api": {
"description": "Total amount of API calls",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"unknown-references": {
"description": "Amount of API calls not ending in a function (Radare2 bug, probalby)",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"refsglobalvar": {
"description": "Amount of API calls outside of code section (glob var, dynamic API)",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"local-references": {
"description": "Amount of API calls inside a code section",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"total-functions": {
"description": "Total amount of functions in the file.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"not-referenced-strings": {
"description": "Amount of not referenced strings",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"ratio-functions": {
"description": "Ratio: amount of functions per kilobyte of code section",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "float"
},
"ratio-api": {
"description": "Ratio: amount of API calls per kilobyte of code section",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "float"
},
"ratio-string": {
"description": "Ratio: amount of referenced strings per kilobyte of code section",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "float"
}
},
"version": 1,
"description": "Indicators extracted from files using radare2 and graphml",
"meta-category": "file",
"uuid": "b6abe0e0-52ea-4424-ba42-761c2e027b76",
"name": "r2graphity"
}
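Review bot: `"version": 1` is left unchanged in this definition although every attribute's `misp-usage-frequency` key is renamed to `ui-priority`, which the schema hunk at the end of this commit lists under `required`. A consumer that refreshes a stored template only when its version number rises would presumably keep the copy with the old key and then fail validation or lose the priority value; how the importer compares versions should be confirmed. Bumping to `"version": 2` here would make the format change visible, and the same applies to the registry-key, url, vulnerability, whois and x509 definitions changed the same way in this commit.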


@ -1,55 +1,55 @@
{
"name": "registry-key",
"uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
"meta-category": "file",
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"version": 1,
"attributes": {
"hive": {
"misp-attribute": "reg-hive",
"misp-usage-frequency": 1,
"categories": [
"Persistence mechanism"
]
},
"key": {
"misp-attribute": "reg-key",
"misp-usage-frequency": 1,
"categories": [
"Persistence mechanism"
]
},
"name": {
"misp-attribute": "reg-name",
"misp-usage-frequency": 1,
"categories": [
"Persistence mechanism"
]
},
"data": {
"misp-attribute": "reg-data",
"misp-usage-frequency": 1,
"categories": [
"Persistence mechanism"
]
},
"data-type": {
"misp-attribute": "reg-datatype",
"misp-usage-frequency": 0,
"categories": [
"Persistence mechanism"
]
},
"last-modified": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0,
"categories": [
"Other"
]
}
},
"required": [
"key",
"name"
]
],
"attributes": {
"last-modified": {
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "datetime"
},
"data-type": {
"categories": [
"Persistence mechanism"
],
"ui-priority": 0,
"misp-attribute": "reg-datatype"
},
"data": {
"categories": [
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-data"
},
"name": {
"categories": [
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-name"
},
"key": {
"categories": [
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-key"
},
"hive": {
"categories": [
"Persistence mechanism"
],
"ui-priority": 1,
"misp-attribute": "reg-hive"
}
},
"version": 1,
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"meta-category": "file",
"uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
"name": "registry-key"
}


@ -0,0 +1,87 @@
{
"requiredOneOf": [
"address",
"first-seen",
"last-seen",
"description",
"text"
],
"required": [
"address"
],
"attributes": {
"description": {
"description": "Tor node description.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"nickname": {
"description": "router's nickname.",
"disable_correlation": false,
"ui-priority": 0,
"misp-attribute": "text"
},
"fingerprint": {
"description": "router's fingerprint.",
"disable_correlation": false,
"ui-priority": 0,
"misp-attribute": "text"
},
"text": {
"description": "Tor node comment.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"address": {
"description": "IP address of the Tor node seen.",
"ui-priority": 1,
"misp-attribute": "ip-src"
},
"flags": {
"description": "list of flag associated with the node.",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": {
"description": "parsed version of tor, this is None if the relay's using a new versioning scheme.",
"ui-priority": 0,
"misp-attribute": "text"
},
"version_line": {
"description": "versioning information reported by the node.",
"ui-priority": 0,
"misp-attribute": "text"
},
"published": {
"description": "router's publication time. This can be different from first-seen and last-seen.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"last-seen": {
"description": "When the Tor node designed by the IP address has been seen for the last time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "When the Tor node designed by the IP address has been seen for the first time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"document": {
"description": "Raw document from the consensus.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 2,
"description": "Tor node (which protects your privacy on the internet by hiding the connection between users Internet address and the services used by the users) description which are part of the Tor network at a time.",
"meta-category": "misc",
"uuid": "a5fde1c8-318e-4658-a3ea-85ea000bdd33",
"name": "tor-node"
}
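Review bot: `requiredOneOf` lists `address`, which is also the only entry in `required`, so every valid object already satisfies the one-of constraint and it never forces `first-seen`, `last-seen`, `description` or `text` to be present. Either drop `address` from `requiredOneOf` or remove the array if the address alone is meant to be sufficient. Separately, `flags`, `version` and `version_line` carry no `disable_correlation` key while the other free-text fields set it explicitly; if an omitted key leaves correlation enabled (to be confirmed against the consumer), values shared by most relays would link unrelated events and bury the useful matches on `address` and `fingerprint`. Adding `"disable_correlation": true` to those three attributes would make the intent explicit.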


@ -1,79 +1,79 @@
{
"name": "url",
"uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"meta-category": "network",
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"version": 1,
"requiredOneOf": [
"url"
],
"attributes": {
"host": {
"misp-attribute": "hostname",
"misp-usage-frequency": 0
},
"domain_without_tld": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"domain": {
"misp-attribute": "domain",
"misp-usage-frequency": 0
},
"subdomain": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"credential": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"last-seen": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"fragment": {
"misp-attribute": "text",
"misp-usage-frequency": 0
"ui-priority": 0,
"misp-attribute": "text"
},
"query_string": {
"misp-attribute": "text",
"misp-usage-frequency": 0
"tld": {
"ui-priority": 0,
"misp-attribute": "tld"
},
"resource_path": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"first-seen": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
"port": {
"ui-priority": 0,
"misp-attribute": "text"
},
"scheme": {
"misp-attribute": "text",
"misp-usage-frequency": 0,
"sane_default": [
"http",
"https",
"ftp",
"gopher",
"sip"
]
],
"ui-priority": 0,
"misp-attribute": "text"
},
"port": {
"misp-attribute": "text",
"misp-usage-frequency": 0
"first-seen": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"tld": {
"misp-attribute": "tld",
"misp-usage-frequency": 0
"resource_path": {
"ui-priority": 0,
"misp-attribute": "text"
},
"query_string": {
"ui-priority": 0,
"misp-attribute": "text"
},
"url": {
"misp-attribute": "url",
"misp-usage-frequency": 1
"ui-priority": 1,
"misp-attribute": "url"
},
"domain_without_tld": {
"ui-priority": 0,
"misp-attribute": "text"
},
"domain": {
"ui-priority": 0,
"misp-attribute": "domain"
},
"subdomain": {
"ui-priority": 0,
"misp-attribute": "text"
},
"credential": {
"ui-priority": 0,
"misp-attribute": "text"
},
"text": {
"ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"host": {
"ui-priority": 0,
"misp-attribute": "hostname"
}
},
"requiredOneOf": [
"url"
]
"version": 1,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
"name": "url"
}


@ -1,42 +1,4 @@
{
"name": "vulnerability",
"uuid": "81650945-f186-437b-8945-9f31715d32da",
"meta-category": "network",
"description": "Vulnerability object describing common vulnerability enumeration",
"version": 1,
"attributes": {
"references": {
"misp-attribute": "link",
"misp-usage-frequency": 1,
"multiple": true
},
"published": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"modified": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"vulnerable_configuration": {
"misp-attribute": "text",
"misp-usage-frequency": 1,
"multiple": true,
"description": "The vulnerable configuration is described in CPE format"
},
"summary": {
"misp-attribute": "text",
"misp-usage-frequency": 1
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1
},
"id": {
"misp-attribute": "vulnerability",
"misp-usage-frequency": 1
}
},
"requiredOneOf": [
"published",
"modified",
@ -45,5 +7,43 @@
"summary",
"text",
"id"
]
],
"attributes": {
"id": {
"ui-priority": 1,
"misp-attribute": "vulnerability"
},
"text": {
"ui-priority": 1,
"misp-attribute": "text"
},
"summary": {
"ui-priority": 1,
"misp-attribute": "text"
},
"vulnerable_configuration": {
"description": "The vulnerable configuration is described in CPE format",
"multiple": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"modified": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"published": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"references": {
"multiple": true,
"ui-priority": 1,
"misp-attribute": "link"
}
},
"version": 1,
"description": "Vulnerability object describing common vulnerability enumeration",
"meta-category": "network",
"uuid": "81650945-f186-437b-8945-9f31715d32da",
"name": "vulnerability"
}


@ -1,51 +1,51 @@
{
"name": "whois",
"uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
"meta-category": "network",
"description": "Whois records information for a domain name.",
"version": 1,
"attributes": {
"domain": {
"misp-attribute": "domain",
"misp-usage-frequency": 1,
"categories": [
"Network activity",
"External analysis"
]
},
"creation-date": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"registrant-email": {
"misp-attribute": "whois-registrant-email",
"misp-usage-frequency": 1
},
"registrant-phone": {
"misp-attribute": "whois-registrant-phone",
"misp-usage-frequency": 0
},
"registrant-name": {
"misp-attribute": "whois-registrant-name",
"misp-usage-frequency": 0
},
"registar": {
"misp-attribute": "whois-registar",
"misp-usage-frequency": 0
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1
}
},
"required": [
"domain"
],
"requiredOneOf": [
"registrant-email",
"registrant-phone",
"creation-date",
"registrant-name",
"registar"
]
],
"required": [
"domain"
],
"attributes": {
"text": {
"ui-priority": 1,
"misp-attribute": "text"
},
"registar": {
"ui-priority": 0,
"misp-attribute": "whois-registar"
},
"registrant-name": {
"ui-priority": 0,
"misp-attribute": "whois-registrant-name"
},
"registrant-phone": {
"ui-priority": 0,
"misp-attribute": "whois-registrant-phone"
},
"registrant-email": {
"ui-priority": 1,
"misp-attribute": "whois-registrant-email"
},
"creation-date": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"domain": {
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain"
}
},
"version": 1,
"description": "Whois records information for a domain name.",
"meta-category": "network",
"uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
"name": "whois"
}


@ -1,64 +1,64 @@
{
"name": "x509",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
"meta-category": "network",
"description": "x509 object describing a X.509 certificate",
"version": 1,
"attributes": {
"version": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"serial-number": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"issuer": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"validity-not-before": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"validity-not-after": {
"misp-attribute": "datetime",
"misp-usage-frequency": 0
},
"subject": {
"misp-attribute": "text",
"misp-usage-frequency": 1
},
"pubkey-info-algorithm": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"pubkey-info-seize": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"pubkey-info-modulus": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"pubkey-info-exponent": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"x509-fingerprint-sha1": {
"misp-attribute": "sha1",
"misp-usage-frequency": 1
},
"raw-base64": {
"misp-attribute": "text",
"misp-usage-frequency": 0
},
"text": {
"misp-attribute": "text",
"misp-usage-frequency": 1
}
},
"required": [
"x509-fingerprint-sha1"
]
],
"attributes": {
"subject": {
"ui-priority": 1,
"misp-attribute": "text"
},
"pubkey-info-algorithm": {
"ui-priority": 0,
"misp-attribute": "text"
},
"pubkey-info-seize": {
"ui-priority": 0,
"misp-attribute": "text"
},
"pubkey-info-exponent": {
"ui-priority": 0,
"misp-attribute": "text"
},
"pubkey-info-modulus": {
"ui-priority": 0,
"misp-attribute": "text"
},
"x509-fingerprint-sha1": {
"ui-priority": 1,
"misp-attribute": "sha1"
},
"raw-base64": {
"ui-priority": 0,
"misp-attribute": "text"
},
"text": {
"ui-priority": 1,
"misp-attribute": "text"
},
"validity-not-before": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"validity-not-after": {
"ui-priority": 0,
"misp-attribute": "datetime"
},
"issuer": {
"ui-priority": 0,
"misp-attribute": "text"
},
"serial-number": {
"ui-priority": 0,
"misp-attribute": "text"
},
"version": {
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"description": "x509 object describing a X.509 certificate",
"meta-category": "network",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
"name": "x509"
}


@ -10,7 +10,7 @@
"misp-attribute": {
"type": "string"
},
"misp-usage-frequency": {
"ui-priority": {
"type": "number"
},
"categories": {
@ -49,7 +49,7 @@
},
"required": [
"misp-attribute",
"misp-usage-frequency"
"ui-priority"
]
}
},
@ -57,7 +57,14 @@
"additionalProperties": false,
"properties": {
"meta-category": {
"type": "string"
"type": "string",
"enum": [
"file",
"network",
"financial",
"misc",
"internal"
]
},
"name": {
"type": "string"