From e6fbcf9d53e4957edf10d05149cc268daf31e5c2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 22 Mar 2017 06:54:11 +0100
Subject: [PATCH 01/54] information leak object as defined by the AIL Analysis
Information Leak framework.
---
objects/ail-leak/definition.json | 66 ++++++++++++++++++++++++++++++++
1 file changed, 66 insertions(+)
create mode 100644 objects/ail-leak/definition.json
diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
new file mode 100644
index 0000000..f454e36
--- /dev/null
+++ b/objects/ail-leak/definition.json
@@ -0,0 +1,66 @@
+{
+ "name": "ail-leak",
+ "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
+ "meta-category": "information leak",
+ "description": "An information leak as defined by the AIL Analysis Information Leak framework.",
+ "version": 1,
+ "attributes": {
+ "first-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true,
+ "description": "When the leak has been accessible or seen for the first time."
+ },
+ "last-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true,
+ "description": "When the leak has been accessible or seen for the last time."
+ },
+ "type": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "description": "Type of information leak as discovered and classified by an AIL module.",
+ "sane_default": [
+ "Credential",
+ "CreditCards",
+ "Mail",
+ "Onion",
+ "Phone",
+ "Keys"
+ ]
+ },
+ "original-date": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true,
+ "description": "When the information available in the leak was created. It's usually before the first-seen."
+ },
+ "text": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 1,
+ "disable_correlation": true,
+ "description": "A description of the leak which could include the potential victim(s) or description of the leak."
+ },
+ "origin": {
+ "misp-attribute": "url",
+ "misp-usage-frequency": 1,
+ "description": "The link where the leak is (or was) accessible at first-seen."
+ },
+ "sensor": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "description": "The AIL sensor uuid where the leak was processed and analysed."
+ }
+ },
+ "required": [
+ "type"
+ ],
+ "requiredOneOf": [
+ "type",
+ "text",
+ "first-seen",
+ "last-seen",
+ "origin"
+ ]
+}
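Review bot: `"type"` appears in both `required` and `requiredOneOf`, so the mandatory attribute always satisfies the `requiredOneOf` list and that list constrains nothing. Either drop `"type"` from `requiredOneOf` or drop the `required` entry, depending on which rule is intended. The `type` attribute also holds a small fixed vocabulary (`Credential`, `Mail`, …) without `"disable_correlation": true`. Assuming text attributes correlate by default, every leak of the same class would correlate with every other and bury the meaningful links; adding `"disable_correlation": true` to `type` would match the datetime and `text` attributes.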
From d413434463f772057575b2c29b883f1bcc539d4c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 22 Mar 2017 06:55:15 +0100
Subject: [PATCH 02/54] jq of ail-leak
---
objects/ail-leak/definition.json | 92 ++++++++++++++++----------------
1 file changed, 46 insertions(+), 46 deletions(-)
diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index f454e36..61ed3ca 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
@@ -1,26 +1,38 @@
{
- "name": "ail-leak",
- "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
- "meta-category": "information leak",
- "description": "An information leak as defined by the AIL Analysis Information Leak framework.",
- "version": 1,
+ "requiredOneOf": [
+ "type",
+ "text",
+ "first-seen",
+ "last-seen",
+ "origin"
+ ],
+ "required": [
+ "type"
+ ],
"attributes": {
- "first-seen": {
- "misp-attribute": "datetime",
+ "sensor": {
+ "description": "The AIL sensor uuid where the leak was processed and analysed.",
"misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "When the leak has been accessible or seen for the first time."
+ "misp-attribute": "text"
},
- "last-seen": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0,
+ "origin": {
+ "description": "The link where the leak is (or was) accessible at first-seen.",
+ "misp-usage-frequency": 1,
+ "misp-attribute": "url"
+ },
+ "text": {
+ "description": "A description of the leak which could include the potential victim(s) or description of the leak.",
"disable_correlation": true,
- "description": "When the leak has been accessible or seen for the last time."
+ "misp-usage-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "original-date": {
+ "description": "When the information available in the leak was created. It's usually before the first-seen.",
+ "disable_correlation": true,
+ "misp-usage-frequency": 0,
+ "misp-attribute": "datetime"
},
"type": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "description": "Type of information leak as discovered and classified by an AIL module.",
"sane_default": [
"Credential",
"CreditCards",
@@ -28,39 +40,27 @@
"Onion",
"Phone",
"Keys"
- ]
- },
- "original-date": {
- "misp-attribute": "datetime",
+ ],
+ "description": "Type of information leak as discovered and classified by an AIL module.",
"misp-usage-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "last-seen": {
+ "description": "When the leak has been accessible or seen for the last time.",
"disable_correlation": true,
- "description": "When the information available in the leak was created. It's usually before the first-seen."
- },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "disable_correlation": true,
- "description": "A description of the leak which could include the potential victim(s) or description of the leak."
- },
- "origin": {
- "misp-attribute": "url",
- "misp-usage-frequency": 1,
- "description": "The link where the leak is (or was) accessible at first-seen."
- },
- "sensor": {
- "misp-attribute": "text",
"misp-usage-frequency": 0,
- "description": "The AIL sensor uuid where the leak was processed and analysed."
+ "misp-attribute": "datetime"
+ },
+ "first-seen": {
+ "description": "When the leak has been accessible or seen for the first time.",
+ "disable_correlation": true,
+ "misp-usage-frequency": 0,
+ "misp-attribute": "datetime"
}
},
- "required": [
- "type"
- ],
- "requiredOneOf": [
- "type",
- "text",
- "first-seen",
- "last-seen",
- "origin"
- ]
+ "version": 1,
+ "description": "An information leak as defined by the AIL Analysis Information Leak framework.",
+ "meta-category": "information leak",
+ "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
+ "name": "ail-leak"
}
From 49e3f3f54f373991c9889fc4ddbfdc6459294ee2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 22 Mar 2017 07:03:59 +0100
Subject: [PATCH 03/54] ail-leak, elf, self-section and r2graphity added to the
list of MISP objects
---
README.md | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/README.md b/README.md
index 666473c..f8d22e0 100644
--- a/README.md
+++ b/README.md
@@ -63,8 +63,11 @@ for a specific attribute.
## Existing MISP objects
+* [objects/ail-leak](objects/ail-leak/definition.json) - information leak object as defined by the [AIL Analysis Information Leak framework](https://www.github.com/CIRCL/AIL-framework).
* [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
* [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
+* [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
+* [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
* [objects/email](objects/email/definition.json) - An email object.
* [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
* [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
@@ -72,6 +75,7 @@ for a specific attribute.
* [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
* [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
* [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
+* [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
* [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
From ff8e9c0a36eda6922e762a11f26672e92a22fb38 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 22 Mar 2017 07:30:42 +0100
Subject: [PATCH 04/54] geolocation - an object to describe a geographic
location.
---
objects/geolocation/definition.json | 64 +++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 objects/geolocation/definition.json
diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json
new file mode 100644
index 0000000..020433b
--- /dev/null
+++ b/objects/geolocation/definition.json
@@ -0,0 +1,64 @@
+{
+ "requiredOneOf": [
+ "latitude",
+ "longitude",
+ "country"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A generic description of the location.",
+ "disable_correlation": true,
+ "misp-usage-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "latitude": {
+ "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.",
+ "disable_correlation": true,
+ "misp-usage-frequency": 1,
+ "misp-attribute": "float"
+ },
+ "longitude": {
+ "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference",
+ "disable_correlation": true,
+ "misp-usage-frequency": 1,
+ "misp-attribute": "float"
+ },
+ "altitude": {
+ "description": "The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.",
+ "misp-usage-frequency": 0,
+ "misp-attribute": "float"
+ },
+ "city": {
+ "description": "City.",
+ "misp-attribute": "text",
+ "misp-usage-frequency": 1
+ },
+ "region": {
+ "description": "Region.",
+ "misp-attribute": "text",
+ "misp-usage-frequency": 1
+ },
+ "country": {
+ "description": "Country.",
+ "misp-attribute": "text",
+ "misp-usage-frequency": 1
+ },
+ "first-seen": {
+ "description": "When the location was seen for the first time.",
+ "disable_correlation": true,
+ "misp-usage-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "last-seen": {
+ "description": "When the location was seen for the last time.",
+ "disable_correlation": true,
+ "misp-usage-frequency": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "An object to describe a geographic location.",
+ "meta-category": "location",
+ "uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3",
+ "name": "geolocation"
+}
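Review bot: The `uuid` value `fdd30d5f-6752-45ed-bef2-25e8ce4d8a3` is not a well-formed UUID, because its last group has 11 hexadecimal digits instead of 12. Consumers that parse, validate or key templates by UUID may reject or mishandle it, so generate a fresh valid UUID for this object rather than padding the existing string. The same value is carried unchanged as context in the geolocation hunks of patches 09 and 10. Separately, `altitude` is the only coordinate attribute without `"disable_correlation": true`; if that is not deliberate, it should match `latitude` and `longitude`.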
From 3e19326efa6fabf5c1730eb664da2161a4c0e1df Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 22 Mar 2017 07:32:07 +0100
Subject: [PATCH 05/54] jq of geolocation object
---
objects/geolocation/definition.json | 28 +++++++++++++++-------------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json
index 020433b..171eefe 100644
--- a/objects/geolocation/definition.json
+++ b/objects/geolocation/definition.json
@@ -2,9 +2,23 @@
"requiredOneOf": [
"latitude",
"longitude",
+ "city",
+ "region",
"country"
],
"attributes": {
+ "first-seen": {
+ "description": "When the location was seen for the first time.",
+ "disable_correlation": true,
+ "misp-usage-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "last-seen": {
+ "description": "When the location was seen for the last time.",
+ "disable_correlation": true,
+ "misp-usage-frequency": 0,
+ "misp-attribute": "datetime"
+ },
"text": {
"description": "A generic description of the location.",
"disable_correlation": true,
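Review bot: Adding `"city"` and `"region"` to `requiredOneOf` is a functional rule change inside a commit titled as a `jq` reformat, and `"version"` stays at 1 (visible as context in the second hunk). If consumers refresh templates by version number, they may keep applying the older three-entry rule. Bump `version` in the same commit and name the rule change in the subject so it is not read as whitespace-only. The `text` attribute continues outside this hunk.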
@@ -37,23 +51,11 @@
"description": "Region.",
"misp-attribute": "text",
"misp-usage-frequency": 1
- },
+ },
"country": {
"description": "Country.",
"misp-attribute": "text",
"misp-usage-frequency": 1
- },
- "first-seen": {
- "description": "When the location was seen for the first time.",
- "disable_correlation": true,
- "misp-usage-frequency": 0,
- "misp-attribute": "datetime"
- },
- "last-seen": {
- "description": "When the location was seen for the last time.",
- "disable_correlation": true,
- "misp-usage-frequency": 0,
- "misp-attribute": "datetime"
}
},
"version": 1,
From 72a7b2def065e36239067e1f52dd5030ae63e070 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 22 Mar 2017 07:33:44 +0100
Subject: [PATCH 06/54] geolocation object added
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index f8d22e0..0704e5b 100644
--- a/README.md
+++ b/README.md
@@ -70,6 +70,7 @@ for a specific attribute.
* [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
* [objects/email](objects/email/definition.json) - An email object.
* [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
+* [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
* [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
* [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
* [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
From 928f7af9533a0a1a16390a7578f45bbc01f0bfbe Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Jun 2017 11:10:48 +0200
Subject: [PATCH 07/54] The list of default meta-category: file, network,
financial, misc, internal has been updated
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 0704e5b..fa24131 100644
--- a/README.md
+++ b/README.md
@@ -45,7 +45,7 @@ Feel free to propose your own MISP objects to be included in MISP. The system is
A MISP object is described in a simple JSON file containing the following element.
* **name** is the name of the your object.
-* **meta-category** is the category where the object falls into. (file, network, financial)
+* **meta-category** is the category where the object falls into. (file, network, financial, misc, internal)
* **description** is a summary of the object description.
* **version** is the version number as a decimal value.
* **required** is an array containing the minimal required attributes to describe the object.
From c3186cbcb2c6d199a99bc1cbc04e59a7d396b4af Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Jun 2017 11:11:44 +0200
Subject: [PATCH 08/54] Now meta category for ail to misc
---
objects/ail-leak/definition.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index 61ed3ca..eaf83fb 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
@@ -60,7 +60,7 @@
},
"version": 1,
"description": "An information leak as defined by the AIL Analysis Information Leak framework.",
- "meta-category": "information leak",
+ "meta-category": "misc",
"uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
"name": "ail-leak"
}
From 16af9343866f09c0d699994a4b594412a6e8a175 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Wed, 28 Jun 2017 11:18:10 +0200
Subject: [PATCH 09/54] Enforce meta-category
---
objects/email/definition.json | 2 +-
objects/geolocation/definition.json | 2 +-
schema.json | 9 ++++++++-
3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index ca721c4..72af3a0 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -1,7 +1,7 @@
{
"name": "email",
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
- "meta-category": "email",
+ "meta-category": "network",
"description": "Email object describing an email with meta-information",
"version": 1,
"attributes": {
diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json
index 171eefe..9de4fa9 100644
--- a/objects/geolocation/definition.json
+++ b/objects/geolocation/definition.json
@@ -60,7 +60,7 @@
},
"version": 1,
"description": "An object to describe a geographic location.",
- "meta-category": "location",
+ "meta-category": "misc",
"uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3",
"name": "geolocation"
}
diff --git a/schema.json b/schema.json
index 9382fc5..ca25ba7 100644
--- a/schema.json
+++ b/schema.json
@@ -57,7 +57,14 @@
"additionalProperties": false,
"properties": {
"meta-category": {
- "type": "string"
+ "type": "string",
+ "enum": [
+ "file",
+ "network",
+ "financial",
+ "misc",
+ "internal"
+ ]
},
"name": {
"type": "string"
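Review bot: The `enum` makes `meta-category` a closed list, but the same five values are also spelled out in README.md, so the two can drift apart. A `"description"` on the property, for example `"description": "Allowed meta-categories; keep in sync with README.md"`, would record which file is authoritative. With enforcement on, any definition still carrying another value will fail validation. This commit updates only email and geolocation, so the remaining objects are worth checking (not visible here). The `properties` object continues outside the hunk.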
From 9186771eb762f803037cd3942dadef8d15a98701 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Wed, 28 Jun 2017 11:57:36 +0200
Subject: [PATCH 10/54] Update versions
---
objects/ail-leak/definition.json | 2 +-
objects/email/definition.json | 2 +-
objects/geolocation/definition.json | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index eaf83fb..e26e80c 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
@@ -58,7 +58,7 @@
"misp-attribute": "datetime"
}
},
- "version": 1,
+ "version": 2,
"description": "An information leak as defined by the AIL Analysis Information Leak framework.",
"meta-category": "misc",
"uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 72af3a0..aaa768d 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -3,7 +3,7 @@
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"meta-category": "network",
"description": "Email object describing an email with meta-information",
- "version": 1,
+ "version": 2,
"attributes": {
"reply-to": {
"misp-attribute": "email-reply-to",
diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json
index 9de4fa9..504dbbd 100644
--- a/objects/geolocation/definition.json
+++ b/objects/geolocation/definition.json
@@ -58,7 +58,7 @@
"misp-usage-frequency": 1
}
},
- "version": 1,
+ "version": 2,
"description": "An object to describe a geographic location.",
"meta-category": "misc",
"uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3",
From ef05cd5f06860ce3d8146bc66f7458b58c179878 Mon Sep 17 00:00:00 2001
From: Andras Iklody
Date: Mon, 3 Jul 2017 06:33:53 +0200
Subject: [PATCH 11/54] Changed DDOS port attributes to port type
---
objects/ddos/definition.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index 9956e9a..5556b8e 100644
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
@@ -3,7 +3,7 @@
"uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
"meta-category": "network",
"description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
- "version": 1,
+ "version": 2,
"attributes": {
"total-bps": {
"misp-attribute": "counter",
@@ -30,7 +30,7 @@
]
},
"dst-port": {
- "misp-attribute": "text",
+ "misp-attribute": "port",
"misp-usage-frequency": 0,
"categories": [
"Network activity",
@@ -38,7 +38,7 @@
]
},
"src-port": {
- "misp-attribute": "text",
+ "misp-attribute": "port",
"misp-usage-frequency": 0,
"categories": [
"Network activity",
From 45230db220714c0996edc24ab88881b57d81e94b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 11:59:25 +0200
Subject: [PATCH 12/54] Fix #14
---
objects/email/definition.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index aaa768d..53853b5 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -51,7 +51,7 @@
"multiple": true
},
"x-mailer": {
- "misp-attribute": "email-xmailer",
+ "misp-attribute": "email-x-mailer",
"misp-usage-frequency": 0,
"categories": [
"Payload delivery"
From aed89b835d244b0a389d9ac7bc41dd3a98183fd1 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:03:18 +0200
Subject: [PATCH 13/54] misp-usage-frequency -> ui-priority
---
objects/email/definition.json | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 53853b5..4eaa8f7 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -7,21 +7,21 @@
"attributes": {
"reply-to": {
"misp-attribute": "email-reply-to",
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"categories": [
"Payload delivery"
]
},
"message-id": {
"misp-attribute": "email-message-id",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"categories": [
"Payload delivery"
]
},
"to": {
"misp-attribute": "email-dst",
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"categories": [
"Payload delivery"
],
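Review bot: The key written here is `ui-frequency`, while the subject line announces `misp-usage-frequency -> ui-priority`; one of the two is wrong, and a consumer reading `ui-priority` would find neither the old nor the new key. Settle on one name and use it in every hunk of this patch and in patches 14–18, which apply the same rename to ail-leak, ddos, domain-ip, elf and elf-section. None of these commits touches schema.json; if the schema constrains attribute keys, it needs the new name in the same change. `version` is also left unchanged in each renamed file, so a consumer that refreshes by version may not pick up the new key.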
@@ -29,7 +29,7 @@
},
"to-display-name": {
"misp-attribute": "email-dst-display-name",
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"categories": [
"Payload delivery"
],
@@ -37,14 +37,14 @@
},
"subject": {
"misp-attribute": "email-subject",
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"categories": [
"Payload delivery"
]
},
"attachment": {
"misp-attribute": "email-attachment",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"categories": [
"Payload delivery"
],
@@ -52,14 +52,14 @@
},
"x-mailer": {
"misp-attribute": "email-x-mailer",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"categories": [
"Payload delivery"
]
},
"header": {
"misp-attribute": "email-header",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"categories": [
"Payload delivery"
],
@@ -67,7 +67,7 @@
},
"send-date": {
"misp-attribute": "datetime",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"disable_correlation": true,
"categories": [
"Other"
@@ -75,7 +75,7 @@
},
"url": {
"misp-attribute": "url",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"categories": [
"Payload delivery"
],
@@ -83,28 +83,28 @@
},
"mime-boundary": {
"misp-attribute": "email-mime-boundary",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"categories": [
"Payload delivery"
]
},
"thread-index": {
"misp-attribute": "email-thread-index",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"categories": [
"Payload delivery"
]
},
"from": {
"misp-attribute": "email-src",
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"categories": [
"Payload delivery"
]
},
"from-display-name": {
"misp-attribute": "email-src-display-name",
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"categories": [
"Payload delivery"
]
From b18eed04aef249b9a51dbcbe8e70429b3a5229cd Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:04:56 +0200
Subject: [PATCH 14/54] misp-usage-frequency
---
objects/ail-leak/definition.json | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index e26e80c..289e87f 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
@@ -12,24 +12,24 @@
"attributes": {
"sensor": {
"description": "The AIL sensor uuid where the leak was processed and analysed.",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"misp-attribute": "text"
},
"origin": {
"description": "The link where the leak is (or was) accessible at first-seen.",
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"misp-attribute": "url"
},
"text": {
"description": "A description of the leak which could include the potential victim(s) or description of the leak.",
"disable_correlation": true,
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"misp-attribute": "text"
},
"original-date": {
"description": "When the information available in the leak was created. It's usually before the first-seen.",
"disable_correlation": true,
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"misp-attribute": "datetime"
},
"type": {
@@ -42,19 +42,19 @@
"Keys"
],
"description": "Type of information leak as discovered and classified by an AIL module.",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"misp-attribute": "text"
},
"last-seen": {
"description": "When the leak has been accessible or seen for the last time.",
"disable_correlation": true,
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "When the leak has been accessible or seen for the first time.",
"disable_correlation": true,
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"misp-attribute": "datetime"
}
},
From a04174c1c11f87332b73cd714ef4098f7234276d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:06:11 +0200
Subject: [PATCH 15/54] misp-usage-frequency updated
---
objects/ddos/definition.json | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index 5556b8e..428fb8e 100644
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
@@ -7,15 +7,15 @@
"attributes": {
"total-bps": {
"misp-attribute": "counter",
- "misp-usage-frequency": 0
+ "ui-frequency": 0
},
"text": {
"misp-attribute": "text",
- "misp-usage-frequency": 0
+ "ui-frequency": 0
},
"ip-dst": {
"misp-attribute": "ip-dst",
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"categories": [
"Network activity",
"External analysis"
@@ -23,7 +23,7 @@
},
"ip-src": {
"misp-attribute": "ip-src",
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"categories": [
"Network activity",
"External analysis"
@@ -31,7 +31,7 @@
},
"dst-port": {
"misp-attribute": "port",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"categories": [
"Network activity",
"External analysis"
@@ -39,7 +39,7 @@
},
"src-port": {
"misp-attribute": "port",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"categories": [
"Network activity",
"External analysis"
@@ -47,11 +47,11 @@
},
"first-seen": {
"misp-attribute": "datetime",
- "misp-usage-frequency": 0
+ "ui-frequency": 0
},
"protocol": {
"misp-attribute": "text",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"required_value": [
"TCP",
"UDP",
@@ -61,11 +61,11 @@
},
"total-pps": {
"misp-attribute": "counter",
- "misp-usage-frequency": 0
+ "ui-frequency": 0
},
"last-seen": {
"misp-attribute": "datetime",
- "misp-usage-frequency": 0
+ "ui-frequency": 0
}
},
"requiredOneOf": [
From 0949bd47ca08ef1619d36452f3f54a8be1e3748e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:08:42 +0200
Subject: [PATCH 16/54] misp-usage-frequency updated
---
objects/domain-ip/definition.json | 72 +++++++++++++++----------------
1 file changed, 36 insertions(+), 36 deletions(-)
diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json
index 1581500..2c7d2ab 100644
--- a/objects/domain-ip/definition.json
+++ b/objects/domain-ip/definition.json
@@ -1,41 +1,41 @@
{
- "name": "domain|ip",
- "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
- "meta-category": "network",
- "description": "A domain and IP address seen as a tuple in a specific time frame.",
- "version": 1,
- "attributes": {
- "ip": {
- "misp-attribute": "ip-dst",
- "misp-usage-frequency": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
- },
- "domain": {
- "misp-attribute": "domain",
- "misp-usage-frequency": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
- },
- "first-seen": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "last-seen": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1
- }
- },
"required": [
"ip",
"domain"
- ]
+ ],
+ "attributes": {
+ "text": {
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "last-seen": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "first-seen": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "domain": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-frequency": 1,
+ "misp-attribute": "domain"
+ },
+ "ip": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-frequency": 1,
+ "misp-attribute": "ip-dst"
+ }
+ },
+ "version": 1,
+ "description": "A domain and IP address seen as a tuple in a specific time frame.",
+ "meta-category": "network",
+ "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
+ "name": "domain|ip"
}
From a8b1a0a51284889e512ae7b0c050b78bfb8846e7 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:09:46 +0200
Subject: [PATCH 17/54] misp-usage-frequency updated
---
objects/elf/definition.json | 120 ++++++++++++++++++------------------
1 file changed, 60 insertions(+), 60 deletions(-)
diff --git a/objects/elf/definition.json b/objects/elf/definition.json
index 2ca43b8..cab5a10 100644
--- a/objects/elf/definition.json
+++ b/objects/elf/definition.json
@@ -1,47 +1,28 @@
{
- "name": "elf",
- "uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa",
- "meta-category": "file",
- "description": "Object describing a Executable and Linkable Format",
- "version": 1,
+ "requiredOneOf": [
+ "text",
+ "original-filename",
+ "internal-filename"
+ ],
"attributes": {
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "disable_correlation": true
- },
- "original-filename": {
- "misp-attribute": "filename",
- "misp-usage-frequency": 1
- },
- "e_entry": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
- },
- "file-description": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
- },
- "e_version": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
- },
- "e_type": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
+ "e_machine": {
"sane_default": [
- "relocatable",
- "executable",
- "shared",
- "core"
- ]
+ "No specific instruction set",
+ "SPARC",
+ "X86",
+ "MISP",
+ "PowerPC",
+ "ARM",
+ "SuperH",
+ "IA-64",
+ "x86-64",
+ "AArch64",
+ "RISC-V"
+ ],
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"e_ident_abi": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
"sane_default": [
"System V",
"HP_UX",
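Review bot: `"MISP"` in the `e_machine` `sane_default` list looks like a typo for the MIPS architecture, since it sits between `X86` and `PowerPC` where MIPS would be expected; it should read `"MIPS"`. `requiredOneOf` also names `"internal-filename"`, but no attribute with that key is defined in the visible parts of either hunk of this file, so that entry can never be satisfied; remove it or add the attribute. Both lines are carried over from the old side, but a full rewrite of the file is the natural place to correct them. The `e_ident_abi` list continues outside the hunk.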
@@ -60,29 +41,48 @@
"Fenis OS",
"CloudABI",
"Sortix"
- ]
+ ],
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
- "e_machine": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
+ "e_type": {
"sane_default": [
- "No specific instruction set",
- "SPARC",
- "X86",
- "MISP",
- "PowerPC",
- "ARM",
- "SuperH",
- "IA-64",
- "x86-64",
- "AArch64",
- "RISC-V"
- ]
+ "relocatable",
+ "executable",
+ "shared",
+ "core"
+ ],
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "e_version": {
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "file-description": {
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "e_entry": {
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "original-filename": {
+ "ui-frequency": 1,
+ "misp-attribute": "filename"
+ },
+ "text": {
+ "disable_correlation": true,
+ "ui-frequency": 1,
+ "misp-attribute": "text"
}
},
- "requiredOneOf": [
- "text",
- "original-filename",
- "internal-filename"
- ]
+ "version": 1,
+ "description": "Object describing a Executable and Linkable Format",
+ "meta-category": "file",
+ "uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa",
+ "name": "elf"
}
From 5f0755859e103561ddde0ff6cbfeaebb9050f5e0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:11:54 +0200
Subject: [PATCH 18/54] misp-usage-frequency updated
---
objects/elf-section/definition.json | 108 ++++++++++++++--------------
1 file changed, 54 insertions(+), 54 deletions(-)
diff --git a/objects/elf-section/definition.json b/objects/elf-section/definition.json
index 6c7ed82..53662dd 100644
--- a/objects/elf-section/definition.json
+++ b/objects/elf-section/definition.json
@@ -1,18 +1,26 @@
{
- "name": "elf-section",
- "uuid": "ca271f32-1234-4e87-b240-6b6e882de5de",
- "meta-category": "file",
- "description": "Object describing a section of an Executable and Linkable Format",
- "version": 1,
+ "requiredOneOf": [
+ "text",
+ "name",
+ "sha1",
+ "sha256",
+ "sha512"
+ ],
"attributes": {
- "sh_name": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "disable_correlation": true
+ "sha512": {
+ "ui-frequency": 0,
+ "misp-attribute": "sha512"
+ },
+ "ssdeep": {
+ "ui-frequency": 0,
+ "misp-attribute": "ssdeep"
+ },
+ "entropy": {
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "float"
},
"sh_type": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
"sane_default": [
"SHT_NULL",
"SHT_PROGBITS",
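Review bot: The `requiredOneOf` list moved to the top of the file names `"name"`, but no attribute of that name is defined in this template; the section name is stored as `sh_name`, which the next hunk re-adds. As written that entry can never be satisfied, so an object carrying only the section name would presumably fail the requirement; the entry should read `"sh_name",`. The `attributes` object continues past the end of this hunk.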
@@ -33,11 +41,30 @@
"SHT_SYMTAB_SHNDX",
"SHT_NUM",
"SHT_LOOS"
- ]
+ ],
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "sh_name": {
+ "disable_correlation": true,
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "sha256": {
+ "ui-frequency": 0,
+ "misp-attribute": "sha256"
+ },
+ "sh_size": {
+ "disable_correlation": true,
+ "ui-frequency": 1,
+ "misp-attribute": "size-in-bytes"
+ },
+ "text": {
+ "disable_correlation": true,
+ "ui-frequency": 1,
+ "misp-attribute": "text"
},
"sh_flags": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
"sane_default": [
"W (write)",
"A (alloc)",
@@ -55,49 +82,22 @@
"E (exclude)",
"l (large)",
"p (processor specific)"
- ]
- },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "disable_correlation": true
- },
- "sh_size": {
- "misp-attribute": "size-in-bytes",
- "misp-usage-frequency": 1,
- "disable_correlation": true
- },
- "entropy": {
- "misp-attribute": "float",
- "misp-usage-frequency": 0,
- "disable_correlation": true
- },
- "md5": {
- "misp-attribute": "md5",
- "misp-usage-frequency": 1
+ ],
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"sha1": {
- "misp-attribute": "sha1",
- "misp-usage-frequency": 0
+ "ui-frequency": 0,
+ "misp-attribute": "sha1"
},
- "sha256": {
- "misp-attribute": "sha256",
- "misp-usage-frequency": 0
- },
- "sha512": {
- "misp-attribute": "sha512",
- "misp-usage-frequency": 0
- },
- "ssdeep": {
- "misp-attribute": "ssdeep",
- "misp-usage-frequency": 0
+ "md5": {
+ "ui-frequency": 1,
+ "misp-attribute": "md5"
}
},
- "requiredOneOf": [
- "text",
- "name",
- "sha1",
- "sha256",
- "sha512"
- ]
+ "version": 1,
+ "description": "Object describing a section of an Executable and Linkable Format",
+ "meta-category": "file",
+ "uuid": "ca271f32-1234-4e87-b240-6b6e882de5de",
+ "name": "elf-section"
}
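Review bot: `md5` is the only hash in this template given `"ui-frequency": 1`; `sha1`, `sha256` and `sha512` all get 0. If that value controls which fields the UI offers first, analysts are steered toward the one digest here with practical collision attacks, so a collision-resistant hash should be promoted as well, for example `"ui-frequency": 1,` under `sha256`. The pe-section patch later in the series has the same weighting under the old `misp-usage-frequency` key.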
From 82bdbbbd4f10e9de557c7896da3b73555bfa6e3e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:13:38 +0200
Subject: [PATCH 19/54] misp-usage-frequency updated
---
objects/file/definition.json | 180 +++++++++++++++++------------------
1 file changed, 90 insertions(+), 90 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index d91c8f9..d3dab39 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -1,93 +1,4 @@
{
- "name": "file",
- "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
- "meta-category": "file",
- "description": "File object describing a file with meta-information",
- "version": 1,
- "attributes": {
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "disable_correlation": true
- },
- "size-in-bytes": {
- "misp-attribute": "size-in-bytes",
- "misp-usage-frequency": 0,
- "disable_correlation": true
- },
- "authentihash": {
- "misp-attribute": "authentihash",
- "misp-usage-frequency": 0
- },
- "ssdeep": {
- "misp-attribute": "ssdeep",
- "misp-usage-frequency": 0
- },
- "sha224": {
- "misp-attribute": "sha224",
- "misp-usage-frequency": 0
- },
- "sha384": {
- "misp-attribute": "sha384",
- "misp-usage-frequency": 0
- },
- "sha512": {
- "misp-attribute": "sha512",
- "misp-usage-frequency": 0
- },
- "sha512/224": {
- "misp-attribute": "sha512/224",
- "misp-usage-frequency": 0
- },
- "malware-sample": {
- "misp-attribute": "malware-sample",
- "misp-usage-frequency": 1
- },
- "filename": {
- "misp-attribute": "filename",
- "misp-usage-frequency": 1,
- "categories": [
- "Payload delivery",
- "Artifacts dropped",
- "Payload installation",
- "External analysis"
- ]
- },
- "sha512/256": {
- "misp-attribute": "sha512/256",
- "misp-usage-frequency": 0
- },
- "tlsh": {
- "misp-attribute": "tlsh",
- "misp-usage-frequency": 0
- },
- "md5": {
- "misp-attribute": "md5",
- "misp-usage-frequency": 1
- },
- "sha1": {
- "misp-attribute": "sha1",
- "misp-usage-frequency": 1
- },
- "sha256": {
- "misp-attribute": "sha256",
- "misp-usage-frequency": 1
- },
- "entropy": {
- "misp-attribute": "float",
- "misp-usage-frequency": 1,
- "disable_correlation": true
- },
- "pattern-in-file": {
- "misp-attribute": "pattern-in-file",
- "misp-usage-frequency": 1,
- "categories": [
- "Artifacts dropped",
- "Payload installation",
- "External analysis"
- ]
- }
- },
"requiredOneOf": [
"filename",
"size-in-bytes",
@@ -105,5 +16,94 @@
"sha1",
"sha256",
"pattern-in-file"
- ]
+ ],
+ "attributes": {
+ "md5": {
+ "misp-usage-frequency": 1,
+ "misp-attribute": "md5"
+ },
+ "sha512/224": {
+ "misp-usage-frequency": 0,
+ "misp-attribute": "sha512/224"
+ },
+ "sha512": {
+ "misp-usage-frequency": 0,
+ "misp-attribute": "sha512"
+ },
+ "sha384": {
+ "misp-usage-frequency": 0,
+ "misp-attribute": "sha384"
+ },
+ "sha224": {
+ "misp-usage-frequency": 0,
+ "misp-attribute": "sha224"
+ },
+ "ssdeep": {
+ "misp-usage-frequency": 0,
+ "misp-attribute": "ssdeep"
+ },
+ "authentihash": {
+ "misp-usage-frequency": 0,
+ "misp-attribute": "authentihash"
+ },
+ "size-in-bytes": {
+ "disable_correlation": true,
+ "misp-usage-frequency": 0,
+ "misp-attribute": "size-in-bytes"
+ },
+ "sha1": {
+ "misp-usage-frequency": 1,
+ "misp-attribute": "sha1"
+ },
+ "sha256": {
+ "misp-usage-frequency": 1,
+ "misp-attribute": "sha256"
+ },
+ "entropy": {
+ "disable_correlation": true,
+ "misp-usage-frequency": 1,
+ "misp-attribute": "float"
+ },
+ "pattern-in-file": {
+ "categories": [
+ "Artifacts dropped",
+ "Payload installation",
+ "External analysis"
+ ],
+ "misp-usage-frequency": 1,
+ "misp-attribute": "pattern-in-file"
+ },
+ "text": {
+ "disable_correlation": true,
+ "misp-usage-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "malware-sample": {
+ "misp-usage-frequency": 1,
+ "misp-attribute": "malware-sample"
+ },
+ "filename": {
+ "categories": [
+ "Payload delivery",
+ "Artifacts dropped",
+ "Payload installation",
+ "External analysis"
+ ],
+ "misp-usage-frequency": 1,
+ "misp-attribute": "filename"
+ },
+ "sha512/256": {
+ "misp-usage-frequency": 0,
+ "misp-attribute": "sha512/256"
+ },
+ "tlsh": {
+ "misp-usage-frequency": 0,
+ "misp-attribute": "tlsh"
+ }
+ },
+ "version": 1,
+ "description": "File object describing a file with meta-information",
+ "meta-category": "file",
+ "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
+ "name": "file"
}
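Review bot: The re-added `attributes` block still uses `misp-usage-frequency` on every attribute, although the commit is titled as an update of that key and the neighbouring patches in this series (elf-section, geolocation, ip-port, passive-dns, pe, r2graphity) write `ui-frequency` instead. Only the key order changes here, so after the series the templates disagree on the key name and a consumer reading one name would presumably miss the weighting in the others. Each line such as `"misp-usage-frequency": 1,` should become `"ui-frequency": 1,`, or the rename should be reverted everywhere. The pe-section and registry-key patches have the same leftover.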
From eff1b8ba392d9fc7b8f8de86c5a813a4227d47b9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:14:13 +0200
Subject: [PATCH 20/54] misp-usage-frequency updated
---
objects/geolocation/definition.json | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json
index 504dbbd..460554a 100644
--- a/objects/geolocation/definition.json
+++ b/objects/geolocation/definition.json
@@ -10,52 +10,52 @@
"first-seen": {
"description": "When the location was seen for the first time.",
"disable_correlation": true,
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"misp-attribute": "datetime"
},
"last-seen": {
"description": "When the location was seen for the last time.",
"disable_correlation": true,
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"misp-attribute": "datetime"
},
"text": {
"description": "A generic description of the location.",
"disable_correlation": true,
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"misp-attribute": "text"
},
"latitude": {
"description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.",
"disable_correlation": true,
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"misp-attribute": "float"
},
"longitude": {
"description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference",
"disable_correlation": true,
- "misp-usage-frequency": 1,
+ "ui-frequency": 1,
"misp-attribute": "float"
},
"altitude": {
"description": "The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.",
- "misp-usage-frequency": 0,
+ "ui-frequency": 0,
"misp-attribute": "float"
},
"city": {
"description": "City.",
"misp-attribute": "text",
- "misp-usage-frequency": 1
+ "ui-frequency": 1
},
"region": {
"description": "Region.",
"misp-attribute": "text",
- "misp-usage-frequency": 1
+ "ui-frequency": 1
},
"country": {
"description": "Country.",
"misp-attribute": "text",
- "misp-usage-frequency": 1
+ "ui-frequency": 1
}
},
"version": 2,
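Review bot: `altitude` is the only coordinate without `"disable_correlation": true`; `latitude` and `longitude` directly above it set the flag. A bare float such as an altitude is unlikely to be a meaningful pivot and would link unrelated events if correlation runs on it, so add `"disable_correlation": true,` before its `ui-frequency` line. The object continues after this hunk.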
From edcf0d1a900fcd3697f52bc19c2dd08f6f9dfc70 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:14:48 +0200
Subject: [PATCH 21/54] misp-usage-frequency updated
---
objects/ip-port/definition.json | 94 ++++++++++++++++-----------------
1 file changed, 47 insertions(+), 47 deletions(-)
diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json
index af49c81..ad37ae2 100644
--- a/objects/ip-port/definition.json
+++ b/objects/ip-port/definition.json
@@ -1,52 +1,52 @@
{
- "name": "ip|port",
- "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
- "meta-category": "network",
- "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.",
- "version": 1,
- "attributes": {
- "ip": {
- "misp-attribute": "ip-dst",
- "misp-usage-frequency": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
- },
- "dst-port": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
- },
- "src-port": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "categories": [
- "Network activity",
- "External analysis"
- ]
- },
- "first-seen": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "last-seen": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- }
- },
- "required": [
- "ip"
- ],
"requiredOneOf": [
"dst-port",
"src-port"
- ]
+ ],
+ "required": [
+ "ip"
+ ],
+ "attributes": {
+ "text": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "last-seen": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "first-seen": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "src-port": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "dst-port": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "ip": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-frequency": 1,
+ "misp-attribute": "ip-dst"
+ }
+ },
+ "version": 1,
+ "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.",
+ "meta-category": "network",
+ "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
+ "name": "ip|port"
}
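Review bot: `text`, `first-seen` and `last-seen` are defined without `disable_correlation`, while the geolocation template in this series sets `"disable_correlation": true` on attributes with the same names and types. Free text and timestamps make poor pivots, and correlating on them would add noise around the `ip` value that actually matters, so each of the three should gain `"disable_correlation": true,`. The passive-dns patch has the same gap on `text`, `count` and its four time fields.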
From dc2b6524c1d0149213f090857f39ef58a1759fcb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:15:50 +0200
Subject: [PATCH 22/54] misp-usage-frequency updated
---
objects/passive-dns/definition.json | 120 ++++++++++++++--------------
1 file changed, 60 insertions(+), 60 deletions(-)
diff --git a/objects/passive-dns/definition.json b/objects/passive-dns/definition.json
index 1450b37..e53133e 100644
--- a/objects/passive-dns/definition.json
+++ b/objects/passive-dns/definition.json
@@ -1,65 +1,65 @@
{
- "name": "passive-dns",
- "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
- "meta-category": "network",
- "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
- "version": 1,
- "attributes": {
- "rrtype": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
- },
- "rrname": {
- "misp-attribute": "hostname",
- "misp-usage-frequency": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
- },
- "time_first": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "time_last": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "origin": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "count": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0
- },
- "sensor_id": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "bailiwick": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "zone_time_first": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "zone_time_last": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- }
- },
"required": [
"rrtype",
"rrname"
- ]
+ ],
+ "attributes": {
+ "zone_time_last": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "text": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "count": {
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "rrname": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-frequency": 1,
+ "misp-attribute": "hostname"
+ },
+ "rrtype": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "zone_time_first": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "origin": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "time_last": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "time_first": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "bailiwick": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "sensor_id": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
+ "meta-category": "network",
+ "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
+ "name": "passive-dns"
}
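Review bot: The template defines `rrname` and `rrtype` but no attribute for the record data, so an object built from it cannot say what the name resolved to. The passive DNS common output format cited in the description lists `rdata` next to those two fields, as far as I recall, and it is the value analysts usually pivot on. Consider adding `"rdata": { "ui-frequency": 1, "misp-attribute": "text" },` and, if it should be mandatory, listing it under `required`.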
From 405a5451cc7ebc048491ed607357c4d995f97a80 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:17:46 +0200
Subject: [PATCH 23/54] misp-usage-frequency updated
---
objects/pe/definition.json | 146 ++++++++++++++++++-------------------
1 file changed, 73 insertions(+), 73 deletions(-)
diff --git a/objects/pe/definition.json b/objects/pe/definition.json
index 9c9a93c..cfa1998 100644
--- a/objects/pe/definition.json
+++ b/objects/pe/definition.json
@@ -1,109 +1,109 @@
{
- "name": "pe",
- "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
- "meta-category": "file",
- "description": "Object describing a Portable Executable",
- "version": 1,
+ "requiredOneOf": [
+ "text",
+ "original-filename",
+ "internal-filename"
+ ],
"attributes": {
- "imphash": {
- "misp-attribute": "imphash",
- "misp-usage-frequency": 0
- },
"pehash": {
- "misp-attribute": "pehash",
- "misp-usage-frequency": 0
+ "ui-frequency": 0,
+ "misp-attribute": "pehash"
},
"impfuzzy": {
- "misp-attribute": "impfuzzy",
- "misp-usage-frequency": 0
+ "ui-frequency": 0,
+ "misp-attribute": "impfuzzy"
+ },
+ "pe-type": {
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "internal-filename": {
+ "ui-frequency": 0,
+ "misp-attribute": "filename"
+ },
+ "original-filename": {
+ "ui-frequency": 1,
+ "misp-attribute": "filename"
+ },
+ "number-sections": {
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "text": {
+ "disable_correlation": true,
+ "ui-frequency": 1,
+ "misp-attribute": "text"
},
"type": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "disable_correlation": true,
"sane_default": [
"exe",
"dll",
"driver",
"unknown"
- ]
+ ],
+ "disable_correlation": true,
+ "ui-frequency": 1,
+ "misp-attribute": "text"
},
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "disable_correlation": true
- },
- "number-sections": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true
- },
- "original-filename": {
- "misp-attribute": "filename",
- "misp-usage-frequency": 1
- },
- "internal-filename": {
- "misp-attribute": "filename",
- "misp-usage-frequency": 0
+ "imphash": {
+ "ui-frequency": 0,
+ "misp-attribute": "imphash"
},
"compilation-timestamp": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 1
+ "ui-frequency": 1,
+ "misp-attribute": "datetime"
},
"entrypoint-section|position": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"entrypoint-address": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"file-description": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"file-version": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"lang-id": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"product-name": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"product-version": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"company-name": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"legal-copyright": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
- },
- "pe-type": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
}
},
- "requiredOneOf": [
- "text",
- "original-filename",
- "internal-filename"
- ]
+ "version": 1,
+ "description": "Object describing a Portable Executable",
+ "meta-category": "file",
+ "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
+ "name": "pe"
}
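Review bot: `type` and `pe-type` are both free-text attributes with no `description`, and nothing in the template says how they differ; only `type` carries a `sane_default` list (`exe`, `dll`, `driver`, `unknown`). Two similarly named fields invite producers to fill them inconsistently, which weakens any search or comparison built on them. Add a `description` to each stating which property of the file it records, or drop one of them if they are duplicates.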
From 86f8ad974ad22c29ad802e1bac7bc3736c6a419a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:18:25 +0200
Subject: [PATCH 24/54] misp-usage-frequency updated
---
objects/pe-section/definition.json | 92 +++++++++++++++---------------
1 file changed, 46 insertions(+), 46 deletions(-)
diff --git a/objects/pe-section/definition.json b/objects/pe-section/definition.json
index 85fc90a..b653ac6 100644
--- a/objects/pe-section/definition.json
+++ b/objects/pe-section/definition.json
@@ -1,13 +1,23 @@
{
- "name": "pe-section",
- "uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
- "meta-category": "file",
- "description": "Object describing a section of a Portable Executable",
- "version": 1,
+ "requiredOneOf": [
+ "text",
+ "name",
+ "sha1",
+ "sha256",
+ "sha512"
+ ],
"attributes": {
+ "characteristics": {
+ "sane_default": [
+ "read",
+ "write",
+ "executable"
+ ],
+ "misp-usage-frequency": 0,
+ "misp-attribute": "text"
+ },
"name": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
+ "disable_correlation": true,
"sane_default": [
".rsrc",
".reloc",
@@ -15,58 +25,48 @@
".data",
".text"
],
- "disable_correlation": true
- },
- "characteristics": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "sane_default": [
- "read",
- "write",
- "executable"
- ]
- },
- "text": {
- "misp-attribute": "text",
"misp-usage-frequency": 1,
- "disable_correlation": true
+ "misp-attribute": "text"
},
"size-in-bytes": {
- "misp-attribute": "size-in-bytes",
+ "disable_correlation": true,
"misp-usage-frequency": 1,
- "disable_correlation": true
+ "misp-attribute": "size-in-bytes"
},
- "entropy": {
- "misp-attribute": "float",
- "misp-usage-frequency": 0,
- "disable_correlation": true
+ "text": {
+ "disable_correlation": true,
+ "misp-usage-frequency": 1,
+ "misp-attribute": "text"
},
"md5": {
- "misp-attribute": "md5",
- "misp-usage-frequency": 1
+ "misp-usage-frequency": 1,
+ "misp-attribute": "md5"
},
- "sha1": {
- "misp-attribute": "sha1",
- "misp-usage-frequency": 0
+ "entropy": {
+ "disable_correlation": true,
+ "misp-usage-frequency": 0,
+ "misp-attribute": "float"
},
"sha256": {
- "misp-attribute": "sha256",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "misp-attribute": "sha256"
},
- "sha512": {
- "misp-attribute": "sha512",
- "misp-usage-frequency": 0
+ "sha1": {
+ "misp-usage-frequency": 0,
+ "misp-attribute": "sha1"
},
"ssdeep": {
- "misp-attribute": "ssdeep",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "misp-attribute": "ssdeep"
+ },
+ "sha512": {
+ "misp-usage-frequency": 0,
+ "misp-attribute": "sha512"
}
},
- "requiredOneOf": [
- "text",
- "name",
- "sha1",
- "sha256",
- "sha512"
- ]
+ "version": 1,
+ "description": "Object describing a section of a Portable Executable",
+ "meta-category": "file",
+ "uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
+ "name": "pe-section"
}
From 1f0d512b7d0a2bcf216ede6e137103325eea15cd Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:18:47 +0200
Subject: [PATCH 25/54] misp-usage-frequency updated
---
objects/r2graphity/definition.json | 278 ++++++++++++++---------------
1 file changed, 139 insertions(+), 139 deletions(-)
diff --git a/objects/r2graphity/definition.json b/objects/r2graphity/definition.json
index bf59fe8..e3b0513 100644
--- a/objects/r2graphity/definition.json
+++ b/objects/r2graphity/definition.json
@@ -1,142 +1,4 @@
{
- "name": "r2graphity",
- "uuid": "b6abe0e0-52ea-4424-ba42-761c2e027b76",
- "meta-category": "file",
- "description": "Indicators extracted from files using radare2 and graphml",
- "version": 1,
- "attributes": {
- "total-functions": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Total amount of functions in the file."
- },
- "local-references": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of API calls inside a code section"
- },
- "refsglobalvar": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of API calls outside of code section (glob var, dynamic API)"
- },
- "unknown-references": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of API calls not ending in a function (Radare2 bug, probalby)"
- },
- "total-api": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Total amount of API calls"
- },
- "miss-api": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of API call reference that does not resolve to a function offset"
- },
- "referenced-strings": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of referenced strings"
- },
- "dangling-strings": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)"
- },
- "not-referenced-strings": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of not referenced strings"
- },
- "ratio-functions": {
- "misp-attribute": "float",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Ratio: amount of functions per kilobyte of code section"
- },
- "ratio-api": {
- "misp-attribute": "float",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Ratio: amount of API calls per kilobyte of code section"
- },
- "ratio-string": {
- "misp-attribute": "float",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Ratio: amount of referenced strings per kilobyte of code section"
- },
- "get-proc-address": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of calls to GetProcAddress"
- },
- "memory-allocations": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of memory allocations"
- },
- "create-thread": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of calls to CreateThread"
- },
- "shortest-path-to-create-thread": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Shortest path to the first time the binary calls CreateThread"
- },
- "callbacks": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Amount of callbacks (functions started as thread)"
- },
- "callback-average": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Average size of a callback"
- },
- "callback-largest": {
- "misp-attribute": "counter",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Largest callback"
- },
- "gml": {
- "misp-attribute": "attachment",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Graph export in G>raph Modelling Language format"
- },
- "r2-commit-version": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
- "disable_correlation": true,
- "description": "Radare2 commit ID used to generate this object"
- },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "disable_correlation": true
- }
- },
"requiredOneOf": [
"filename",
"size-in-bytes",
@@ -154,5 +16,143 @@
"sha1",
"sha256",
"pattern-in-file"
- ]
+ ],
+ "attributes": {
+ "callback-average": {
+ "description": "Average size of a callback",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "callbacks": {
+ "description": "Amount of callbacks (functions started as thread)",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "shortest-path-to-create-thread": {
+ "description": "Shortest path to the first time the binary calls CreateThread",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "create-thread": {
+ "description": "Amount of calls to CreateThread",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "memory-allocations": {
+ "description": "Amount of memory allocations",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "get-proc-address": {
+ "description": "Amount of calls to GetProcAddress",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "dangling-strings": {
+ "description": "Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "referenced-strings": {
+ "description": "Amount of referenced strings",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "callback-largest": {
+ "description": "Largest callback",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "gml": {
+ "description": "Graph export in G>raph Modelling Language format",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "attachment"
+ },
+ "r2-commit-version": {
+ "description": "Radare2 commit ID used to generate this object",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "text": {
+ "disable_correlation": true,
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "miss-api": {
+ "description": "Amount of API call reference that does not resolve to a function offset",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "total-api": {
+ "description": "Total amount of API calls",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "unknown-references": {
+ "description": "Amount of API calls not ending in a function (Radare2 bug, probalby)",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "refsglobalvar": {
+ "description": "Amount of API calls outside of code section (glob var, dynamic API)",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "local-references": {
+ "description": "Amount of API calls inside a code section",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "total-functions": {
+ "description": "Total amount of functions in the file.",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "not-referenced-strings": {
+ "description": "Amount of not referenced strings",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "counter"
+ },
+ "ratio-functions": {
+ "description": "Ratio: amount of functions per kilobyte of code section",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "float"
+ },
+ "ratio-api": {
+ "description": "Ratio: amount of API calls per kilobyte of code section",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "float"
+ },
+ "ratio-string": {
+ "description": "Ratio: amount of referenced strings per kilobyte of code section",
+ "disable_correlation": true,
+ "ui-frequency": 0,
+ "misp-attribute": "float"
+ }
+ },
+ "version": 1,
+ "description": "Indicators extracted from files using radare2 and graphml",
+ "meta-category": "file",
+ "uuid": "b6abe0e0-52ea-4424-ba42-761c2e027b76",
+ "name": "r2graphity"
}
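Review bot: The `requiredOneOf` list kept as context around this hunk names `filename`, `size-in-bytes`, `sha1`, `sha256` and `pattern-in-file`, none of which is defined in the `attributes` block added here; the list looks copied from the file template. Part of the list lies between the hunks and is not visible, but if no entry matches an attribute the requirement cannot be met by any r2graphity object. It should name attributes this template defines, for instance `"gml",` or `"r2-commit-version",`, or the missing attributes should be added. Two descriptions moved here also carry typos, `G>raph Modelling Language` and `probalby`.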
From ce9f50013c86a7e9b24ec7841f90430515f53285 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:19:04 +0200
Subject: [PATCH 26/54] misp-usage-frequency updated
---
objects/registry-key/definition.json | 100 +++++++++++++--------------
1 file changed, 50 insertions(+), 50 deletions(-)
diff --git a/objects/registry-key/definition.json b/objects/registry-key/definition.json
index 8e77664..bc9389c 100644
--- a/objects/registry-key/definition.json
+++ b/objects/registry-key/definition.json
@@ -1,55 +1,55 @@
{
- "name": "registry-key",
- "uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
- "meta-category": "file",
- "description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
- "version": 1,
- "attributes": {
- "hive": {
- "misp-attribute": "reg-hive",
- "misp-usage-frequency": 1,
- "categories": [
- "Persistence mechanism"
- ]
- },
- "key": {
- "misp-attribute": "reg-key",
- "misp-usage-frequency": 1,
- "categories": [
- "Persistence mechanism"
- ]
- },
- "name": {
- "misp-attribute": "reg-name",
- "misp-usage-frequency": 1,
- "categories": [
- "Persistence mechanism"
- ]
- },
- "data": {
- "misp-attribute": "reg-data",
- "misp-usage-frequency": 1,
- "categories": [
- "Persistence mechanism"
- ]
- },
- "data-type": {
- "misp-attribute": "reg-datatype",
- "misp-usage-frequency": 0,
- "categories": [
- "Persistence mechanism"
- ]
- },
- "last-modified": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0,
- "categories": [
- "Other"
- ]
- }
- },
"required": [
"key",
"name"
- ]
+ ],
+ "attributes": {
+ "last-modified": {
+ "categories": [
+ "Other"
+ ],
+ "misp-usage-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "data-type": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "misp-usage-frequency": 0,
+ "misp-attribute": "reg-datatype"
+ },
+ "data": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "misp-usage-frequency": 1,
+ "misp-attribute": "reg-data"
+ },
+ "name": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "misp-usage-frequency": 1,
+ "misp-attribute": "reg-name"
+ },
+ "key": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "misp-usage-frequency": 1,
+ "misp-attribute": "reg-key"
+ },
+ "hive": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "misp-usage-frequency": 1,
+ "misp-attribute": "reg-hive"
+ }
+ },
+ "version": 1,
+ "description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
+ "meta-category": "file",
+ "uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
+ "name": "registry-key"
}
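Review bot: The subject says `misp-usage-frequency` was updated, but every attribute on the new side still carries `"misp-usage-frequency"` with the same values; the hunk only reorders keys, and key order in a JSON object has no meaning to a parser. That leaves this file on the old key name while the following commits move other objects to `ui-frequency` and then `ui-priority`, so it will likely stop validating once schema.json requires `ui-priority`, unless a later patch outside this view renames it. If the rename was intended here, each attribute needs for example `"ui-priority": 1` in place of `"misp-usage-frequency": 1`; otherwise dropping the commit avoids a 100-line diff with no effect.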
From fb18a4ec2920a0f40971b62e9256059f52727b05 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:24:21 +0200
Subject: [PATCH 27/54] ui-priority is now the new frequency
---
objects/url/definition.json | 118 ++++++++++++++++++------------------
1 file changed, 59 insertions(+), 59 deletions(-)
diff --git a/objects/url/definition.json b/objects/url/definition.json
index 2c33b32..310d643 100644
--- a/objects/url/definition.json
+++ b/objects/url/definition.json
@@ -1,79 +1,79 @@
{
- "name": "url",
- "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
- "meta-category": "network",
- "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
- "version": 1,
+ "requiredOneOf": [
+ "url"
+ ],
"attributes": {
- "host": {
- "misp-attribute": "hostname",
- "misp-usage-frequency": 0
- },
- "domain_without_tld": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "domain": {
- "misp-attribute": "domain",
- "misp-usage-frequency": 0
- },
- "subdomain": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "credential": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "last-seen": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
"fragment": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
- "query_string": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "tld": {
+ "ui-frequency": 0,
+ "misp-attribute": "tld"
},
- "resource_path": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "first-seen": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
+ "port": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"scheme": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0,
"sane_default": [
"http",
"https",
"ftp",
"gopher",
"sip"
- ]
+ ],
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
- "port": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "first-seen": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
},
- "tld": {
- "misp-attribute": "tld",
- "misp-usage-frequency": 0
+ "resource_path": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "query_string": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
},
"url": {
- "misp-attribute": "url",
- "misp-usage-frequency": 1
+ "ui-frequency": 1,
+ "misp-attribute": "url"
+ },
+ "domain_without_tld": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "domain": {
+ "ui-frequency": 0,
+ "misp-attribute": "domain"
+ },
+ "subdomain": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "credential": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "text": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "last-seen": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "host": {
+ "ui-frequency": 0,
+ "misp-attribute": "hostname"
}
},
- "requiredOneOf": [
- "url"
- ]
+ "version": 1,
+ "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
+ "meta-category": "network",
+ "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",
+ "name": "url"
}
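Review bot: The new side names the key `ui-frequency`, while the subject announces `ui-priority` and the later schema.json change in this series makes `ui-priority` the required key, so this file would not validate unless a later patch outside this view renames it again; the same applies to vulnerability, whois and x509 in the next three commits. Writing `"ui-priority": 0` directly here would save the second pass. `"version": 1` is also left unchanged although the attribute keys changed; if consumers refresh object templates by uuid and version (not visible here, to be confirmed), the rename will not reach them without a bump.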
From 17d4fab43e4582bc3935e848ac7df605ba043f46 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:25:06 +0200
Subject: [PATCH 28/54] ui-priority is now the King!
---
objects/vulnerability/definition.json | 78 +++++++++++++--------------
1 file changed, 39 insertions(+), 39 deletions(-)
diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json
index 17d9fe1..e1e5e09 100644
--- a/objects/vulnerability/definition.json
+++ b/objects/vulnerability/definition.json
@@ -1,42 +1,4 @@
{
- "name": "vulnerability",
- "uuid": "81650945-f186-437b-8945-9f31715d32da",
- "meta-category": "network",
- "description": "Vulnerability object describing common vulnerability enumeration",
- "version": 1,
- "attributes": {
- "references": {
- "misp-attribute": "link",
- "misp-usage-frequency": 1,
- "multiple": true
- },
- "published": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "modified": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "vulnerable_configuration": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1,
- "multiple": true,
- "description": "The vulnerable configuration is described in CPE format"
- },
- "summary": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1
- },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1
- },
- "id": {
- "misp-attribute": "vulnerability",
- "misp-usage-frequency": 1
- }
- },
"requiredOneOf": [
"published",
"modified",
@@ -45,5 +7,43 @@
"summary",
"text",
"id"
- ]
+ ],
+ "attributes": {
+ "id": {
+ "ui-frequency": 1,
+ "misp-attribute": "vulnerability"
+ },
+ "text": {
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "summary": {
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "vulnerable_configuration": {
+ "description": "The vulnerable configuration is described in CPE format",
+ "multiple": true,
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "modified": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "published": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "references": {
+ "multiple": true,
+ "ui-frequency": 1,
+ "misp-attribute": "link"
+ }
+ },
+ "version": 1,
+ "description": "Vulnerability object describing common vulnerability enumeration",
+ "meta-category": "network",
+ "uuid": "81650945-f186-437b-8945-9f31715d32da",
+ "name": "vulnerability"
}
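Review bot: `id` appears only in `requiredOneOf` (the list spans this hunk and the previous one, with some entries not shown), so an object holding nothing but a `published` or `modified` timestamp is accepted as a vulnerability with no identifier to match or correlate on. Other objects in this series put their key field in a `required` list (registry-key, whois, x509); adding `"required": ["id"]` here would make the identifier mandatory. The remaining `requiredOneOf` entries can stay as they are.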
From 4915d6688d18f7eff93b69f200c742b8b42f2fb0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:26:40 +0200
Subject: [PATCH 29/54] ui-frequency is the one!
---
objects/whois/definition.json | 86 +++++++++++++++++------------------
1 file changed, 43 insertions(+), 43 deletions(-)
diff --git a/objects/whois/definition.json b/objects/whois/definition.json
index 93ea5d2..96cf730 100644
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@@ -1,51 +1,51 @@
{
- "name": "whois",
- "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
- "meta-category": "network",
- "description": "Whois records information for a domain name.",
- "version": 1,
- "attributes": {
- "domain": {
- "misp-attribute": "domain",
- "misp-usage-frequency": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
- },
- "creation-date": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "registrant-email": {
- "misp-attribute": "whois-registrant-email",
- "misp-usage-frequency": 1
- },
- "registrant-phone": {
- "misp-attribute": "whois-registrant-phone",
- "misp-usage-frequency": 0
- },
- "registrant-name": {
- "misp-attribute": "whois-registrant-name",
- "misp-usage-frequency": 0
- },
- "registar": {
- "misp-attribute": "whois-registar",
- "misp-usage-frequency": 0
- },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1
- }
- },
- "required": [
- "domain"
- ],
"requiredOneOf": [
"registrant-email",
"registrant-phone",
"creation-date",
"registrant-name",
"registar"
- ]
+ ],
+ "required": [
+ "domain"
+ ],
+ "attributes": {
+ "text": {
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "registar": {
+ "ui-frequency": 0,
+ "misp-attribute": "whois-registar"
+ },
+ "registrant-name": {
+ "ui-frequency": 0,
+ "misp-attribute": "whois-registrant-name"
+ },
+ "registrant-phone": {
+ "ui-frequency": 0,
+ "misp-attribute": "whois-registrant-phone"
+ },
+ "registrant-email": {
+ "ui-frequency": 1,
+ "misp-attribute": "whois-registrant-email"
+ },
+ "creation-date": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "domain": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-frequency": 1,
+ "misp-attribute": "domain"
+ }
+ },
+ "version": 1,
+ "description": "Whois records information for a domain name.",
+ "meta-category": "network",
+ "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
+ "name": "whois"
}
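Review bot: `"misp-attribute": "whois-registar"` and the attribute name `registar` look like a misspelling of "registrar"; if the core attribute type list spells it `whois-registrar`, this attribute points at a type that does not exist and its values may be rejected or lose their type. The commit carries the spelling over unchanged, so this is a good moment to check it against the type list and, if needed, write `"misp-attribute": "whois-registrar"`. Renaming the object attribute itself from `registar` to `registrar` would also touch the `requiredOneOf` list and would warrant a `version` bump.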
From e9859c4746509ceaba4164e0952ec165cbc5afb2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 12:27:16 +0200
Subject: [PATCH 30/54] ui-frequency updated
---
objects/x509/definition.json | 120 +++++++++++++++++------------------
1 file changed, 60 insertions(+), 60 deletions(-)
diff --git a/objects/x509/definition.json b/objects/x509/definition.json
index cd55db2..e9cbf54 100644
--- a/objects/x509/definition.json
+++ b/objects/x509/definition.json
@@ -1,64 +1,64 @@
{
- "name": "x509",
- "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
- "meta-category": "network",
- "description": "x509 object describing a X.509 certificate",
- "version": 1,
- "attributes": {
- "version": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "serial-number": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "issuer": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "validity-not-before": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "validity-not-after": {
- "misp-attribute": "datetime",
- "misp-usage-frequency": 0
- },
- "subject": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1
- },
- "pubkey-info-algorithm": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "pubkey-info-seize": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "pubkey-info-modulus": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "pubkey-info-exponent": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "x509-fingerprint-sha1": {
- "misp-attribute": "sha1",
- "misp-usage-frequency": 1
- },
- "raw-base64": {
- "misp-attribute": "text",
- "misp-usage-frequency": 0
- },
- "text": {
- "misp-attribute": "text",
- "misp-usage-frequency": 1
- }
- },
"required": [
"x509-fingerprint-sha1"
- ]
+ ],
+ "attributes": {
+ "subject": {
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "pubkey-info-algorithm": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "pubkey-info-seize": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "pubkey-info-exponent": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "pubkey-info-modulus": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "x509-fingerprint-sha1": {
+ "ui-frequency": 1,
+ "misp-attribute": "sha1"
+ },
+ "raw-base64": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "text": {
+ "ui-frequency": 1,
+ "misp-attribute": "text"
+ },
+ "validity-not-before": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "validity-not-after": {
+ "ui-frequency": 0,
+ "misp-attribute": "datetime"
+ },
+ "issuer": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "serial-number": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ },
+ "version": {
+ "ui-frequency": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "x509 object describing a X.509 certificate",
+ "meta-category": "network",
+ "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
+ "name": "x509"
}
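Review bot: The only required identifier is `x509-fingerprint-sha1`, and no other certificate digest is defined, so matching and correlation of certificates rests on SHA-1 alone. SHA-1 collisions are practical, so a second fingerprint attribute with `"misp-attribute": "sha256"` (that type is already used in elf-section) would give analysts a collision-resistant value to pivot on; the attribute name is for the maintainers to choose. Separately, `pubkey-info-seize` is carried over unchanged and is presumably meant to be `pubkey-info-size`.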
From 6626ae8360bc555d89a8e9bb4521f47b02548736 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:32:11 +0200
Subject: [PATCH 31/54] ui-priority updated
---
schema.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/schema.json b/schema.json
index ca25ba7..aa52400 100644
--- a/schema.json
+++ b/schema.json
@@ -10,7 +10,7 @@
"misp-attribute": {
"type": "string"
},
- "misp-usage-frequency": {
+ "ui-priority": {
"type": "number"
},
"categories": {
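Review bot: `ui-priority` keeps `"type": "number"`, which also accepts fractional and negative values, while every definition visible in this series sets it to 0 or 1. If it is meant as a small non-negative rank, `"type": "integer", "minimum": 0` would reject malformed templates at validation time instead of leaving the consumer to interpret them. The second hunk makes `ui-priority` required in the same commit, before the object definitions visible here have been renamed, so the intermediate commits of the series will not validate; folding the schema change into the object renames would keep each commit consistent.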
@@ -49,7 +49,7 @@
},
"required": [
"misp-attribute",
- "misp-usage-frequency"
+ "ui-priority"
]
}
},
From 7e2214f9e9753cfdcecc0d3f1a02a3e0814a5e94 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:40:42 +0200
Subject: [PATCH 32/54] ui-priority
---
objects/ail-leak/definition.json | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
index 289e87f..b7247ce 100644
--- a/objects/ail-leak/definition.json
+++ b/objects/ail-leak/definition.json
@@ -12,24 +12,24 @@
"attributes": {
"sensor": {
"description": "The AIL sensor uuid where the leak was processed and analysed.",
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"origin": {
"description": "The link where the leak is (or was) accessible at first-seen.",
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "url"
},
"text": {
"description": "A description of the leak which could include the potential victim(s) or description of the leak.",
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"original-date": {
"description": "When the information available in the leak was created. It's usually before the first-seen.",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"type": {
@@ -42,19 +42,19 @@
"Keys"
],
"description": "Type of information leak as discovered and classified by an AIL module.",
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
"description": "When the leak has been accessible or seen for the last time.",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "When the leak has been accessible or seen for the first time.",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
}
},
From c0a78b1b255777037f4f26dc2ac1448a2e85e0d0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:41:16 +0200
Subject: [PATCH 33/54] ui-priority
---
objects/ddos/definition.json | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index 428fb8e..6d9ac07 100644
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
@@ -7,15 +7,15 @@
"attributes": {
"total-bps": {
"misp-attribute": "counter",
- "ui-frequency": 0
+ "ui-priority": 0
},
"text": {
"misp-attribute": "text",
- "ui-frequency": 0
+ "ui-priority": 0
},
"ip-dst": {
"misp-attribute": "ip-dst",
- "ui-frequency": 1,
+ "ui-priority": 1,
"categories": [
"Network activity",
"External analysis"
@@ -23,7 +23,7 @@
},
"ip-src": {
"misp-attribute": "ip-src",
- "ui-frequency": 1,
+ "ui-priority": 1,
"categories": [
"Network activity",
"External analysis"
@@ -31,7 +31,7 @@
},
"dst-port": {
"misp-attribute": "port",
- "ui-frequency": 0,
+ "ui-priority": 0,
"categories": [
"Network activity",
"External analysis"
@@ -39,7 +39,7 @@
},
"src-port": {
"misp-attribute": "port",
- "ui-frequency": 0,
+ "ui-priority": 0,
"categories": [
"Network activity",
"External analysis"
@@ -47,11 +47,11 @@
},
"first-seen": {
"misp-attribute": "datetime",
- "ui-frequency": 0
+ "ui-priority": 0
},
"protocol": {
"misp-attribute": "text",
- "ui-frequency": 0,
+ "ui-priority": 0,
"required_value": [
"TCP",
"UDP",
@@ -61,11 +61,11 @@
},
"total-pps": {
"misp-attribute": "counter",
- "ui-frequency": 0
+ "ui-priority": 0
},
"last-seen": {
"misp-attribute": "datetime",
- "ui-frequency": 0
+ "ui-priority": 0
}
},
"requiredOneOf": [
From 48b17a11ed45fca8406eaaa136c96e07f4a14475 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:41:53 +0200
Subject: [PATCH 34/54] ui-priority
---
objects/domain-ip/definition.json | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json
index 2c7d2ab..59a04af 100644
--- a/objects/domain-ip/definition.json
+++ b/objects/domain-ip/definition.json
@@ -5,15 +5,15 @@
],
"attributes": {
"text": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"last-seen": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"domain": {
@@ -21,7 +21,7 @@
"Network activity",
"External analysis"
],
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "domain"
},
"ip": {
@@ -29,7 +29,7 @@
"Network activity",
"External analysis"
],
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "ip-dst"
}
},
From 5615f18767637f13b61600c23448eeb98086d816 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:42:07 +0200
Subject: [PATCH 35/54] ui-priority
---
objects/elf/definition.json | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/objects/elf/definition.json b/objects/elf/definition.json
index cab5a10..933414c 100644
--- a/objects/elf/definition.json
+++ b/objects/elf/definition.json
@@ -19,7 +19,7 @@
"AArch64",
"RISC-V"
],
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"e_ident_abi": {
@@ -42,7 +42,7 @@
"CloudABI",
"Sortix"
],
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"e_type": {
@@ -52,31 +52,31 @@
"shared",
"core"
],
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"e_version": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"file-description": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"e_entry": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"original-filename": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "filename"
},
"text": {
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
}
},
From 13c7d100d0de85f1fdc01b65b44d4fe3dbabd528 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:42:26 +0200
Subject: [PATCH 36/54] ui-priority
---
objects/elf-section/definition.json | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/objects/elf-section/definition.json b/objects/elf-section/definition.json
index 53662dd..e5e7c86 100644
--- a/objects/elf-section/definition.json
+++ b/objects/elf-section/definition.json
@@ -8,16 +8,16 @@
],
"attributes": {
"sha512": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha512"
},
"ssdeep": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "ssdeep"
},
"entropy": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "float"
},
"sh_type": {
@@ -42,26 +42,26 @@
"SHT_NUM",
"SHT_LOOS"
],
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"sh_name": {
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"sha256": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha256"
},
"sh_size": {
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"text": {
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"sh_flags": {
@@ -83,15 +83,15 @@
"l (large)",
"p (processor specific)"
],
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"sha1": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha1"
},
"md5": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "md5"
}
},
From 89858f8f72f417944929fa27d73a3ad70577e5bf Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:42:40 +0200
Subject: [PATCH 37/54] ui-priority
---
objects/email/definition.json | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 4eaa8f7..decc1e2 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -7,21 +7,21 @@
"attributes": {
"reply-to": {
"misp-attribute": "email-reply-to",
- "ui-frequency": 1,
+ "ui-priority": 1,
"categories": [
"Payload delivery"
]
},
"message-id": {
"misp-attribute": "email-message-id",
- "ui-frequency": 0,
+ "ui-priority": 0,
"categories": [
"Payload delivery"
]
},
"to": {
"misp-attribute": "email-dst",
- "ui-frequency": 1,
+ "ui-priority": 1,
"categories": [
"Payload delivery"
],
@@ -29,7 +29,7 @@
},
"to-display-name": {
"misp-attribute": "email-dst-display-name",
- "ui-frequency": 1,
+ "ui-priority": 1,
"categories": [
"Payload delivery"
],
@@ -37,14 +37,14 @@
},
"subject": {
"misp-attribute": "email-subject",
- "ui-frequency": 1,
+ "ui-priority": 1,
"categories": [
"Payload delivery"
]
},
"attachment": {
"misp-attribute": "email-attachment",
- "ui-frequency": 0,
+ "ui-priority": 0,
"categories": [
"Payload delivery"
],
@@ -52,14 +52,14 @@
},
"x-mailer": {
"misp-attribute": "email-x-mailer",
- "ui-frequency": 0,
+ "ui-priority": 0,
"categories": [
"Payload delivery"
]
},
"header": {
"misp-attribute": "email-header",
- "ui-frequency": 0,
+ "ui-priority": 0,
"categories": [
"Payload delivery"
],
@@ -67,7 +67,7 @@
},
"send-date": {
"misp-attribute": "datetime",
- "ui-frequency": 0,
+ "ui-priority": 0,
"disable_correlation": true,
"categories": [
"Other"
@@ -75,7 +75,7 @@
},
"url": {
"misp-attribute": "url",
- "ui-frequency": 0,
+ "ui-priority": 0,
"categories": [
"Payload delivery"
],
@@ -83,28 +83,28 @@
},
"mime-boundary": {
"misp-attribute": "email-mime-boundary",
- "ui-frequency": 0,
+ "ui-priority": 0,
"categories": [
"Payload delivery"
]
},
"thread-index": {
"misp-attribute": "email-thread-index",
- "ui-frequency": 0,
+ "ui-priority": 0,
"categories": [
"Payload delivery"
]
},
"from": {
"misp-attribute": "email-src",
- "ui-frequency": 1,
+ "ui-priority": 1,
"categories": [
"Payload delivery"
]
},
"from-display-name": {
"misp-attribute": "email-src-display-name",
- "ui-frequency": 1,
+ "ui-priority": 1,
"categories": [
"Payload delivery"
]
From 65ec7b18a7531882d1f2d1c5e5d4cb9c5184eef9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:43:12 +0200
Subject: [PATCH 38/54] ui-priority
---
objects/geolocation/definition.json | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json
index 460554a..ab6ee46 100644
--- a/objects/geolocation/definition.json
+++ b/objects/geolocation/definition.json
@@ -10,52 +10,52 @@
"first-seen": {
"description": "When the location was seen for the first time.",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"last-seen": {
"description": "When the location was seen for the last time.",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"text": {
"description": "A generic description of the location.",
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"latitude": {
"description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.",
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "float"
},
"longitude": {
"description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference",
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "float"
},
"altitude": {
"description": "The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.",
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "float"
},
"city": {
"description": "City.",
"misp-attribute": "text",
- "ui-frequency": 1
+ "ui-priority": 1
},
"region": {
"description": "Region.",
"misp-attribute": "text",
- "ui-frequency": 1
+ "ui-priority": 1
},
"country": {
"description": "Country.",
"misp-attribute": "text",
- "ui-frequency": 1
+ "ui-priority": 1
}
},
"version": 2,
From eab13ff63ce2c49100dd2d9a9a07d1164baa30f6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:43:25 +0200
Subject: [PATCH 39/54] ui-priority
---
objects/ip-port/definition.json | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json
index ad37ae2..9775575 100644
--- a/objects/ip-port/definition.json
+++ b/objects/ip-port/definition.json
@@ -8,15 +8,15 @@
],
"attributes": {
"text": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"src-port": {
@@ -24,7 +24,7 @@
"Network activity",
"External analysis"
],
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"dst-port": {
@@ -32,7 +32,7 @@
"Network activity",
"External analysis"
],
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"ip": {
@@ -40,7 +40,7 @@
"Network activity",
"External analysis"
],
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "ip-dst"
}
},
From c59ed7394a0952ddd05ee1322edbdf56b2a9261d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:43:57 +0200
Subject: [PATCH 40/54] ui-priority
---
objects/passive-dns/definition.json | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/objects/passive-dns/definition.json b/objects/passive-dns/definition.json
index e53133e..1249302 100644
--- a/objects/passive-dns/definition.json
+++ b/objects/passive-dns/definition.json
@@ -5,15 +5,15 @@
],
"attributes": {
"zone_time_last": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"text": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"count": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"rrname": {
@@ -21,7 +21,7 @@
"Network activity",
"External analysis"
],
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "hostname"
},
"rrtype": {
@@ -29,31 +29,31 @@
"Network activity",
"External analysis"
],
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"zone_time_first": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"origin": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"time_last": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"time_first": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"bailiwick": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"sensor_id": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
}
},
From a0a922ee61ffb85e89c7adeb4111e4603c83c9c2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:44:11 +0200
Subject: [PATCH 41/54] ui-priority
---
objects/pe/definition.json | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/objects/pe/definition.json b/objects/pe/definition.json
index cfa1998..a8235b2 100644
--- a/objects/pe/definition.json
+++ b/objects/pe/definition.json
@@ -6,34 +6,34 @@
],
"attributes": {
"pehash": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "pehash"
},
"impfuzzy": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "impfuzzy"
},
"pe-type": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"internal-filename": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "filename"
},
"original-filename": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "filename"
},
"number-sections": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"text": {
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"type": {
@@ -44,60 +44,60 @@
"unknown"
],
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"imphash": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "imphash"
},
"compilation-timestamp": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "datetime"
},
"entrypoint-section|position": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"entrypoint-address": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"file-description": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"file-version": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"lang-id": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"product-name": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"product-version": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"company-name": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"legal-copyright": {
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
}
},
From 60ebdfc3e7378527a18d1fe464c206135ca47086 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:44:39 +0200
Subject: [PATCH 42/54] ui-priority
---
objects/r2graphity/definition.json | 44 +++++++++++++++---------------
1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/objects/r2graphity/definition.json b/objects/r2graphity/definition.json
index e3b0513..b4c3eeb 100644
--- a/objects/r2graphity/definition.json
+++ b/objects/r2graphity/definition.json
@@ -21,132 +21,132 @@
"callback-average": {
"description": "Average size of a callback",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"callbacks": {
"description": "Amount of callbacks (functions started as thread)",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"shortest-path-to-create-thread": {
"description": "Shortest path to the first time the binary calls CreateThread",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"create-thread": {
"description": "Amount of calls to CreateThread",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"memory-allocations": {
"description": "Amount of memory allocations",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"get-proc-address": {
"description": "Amount of calls to GetProcAddress",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"dangling-strings": {
"description": "Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"referenced-strings": {
"description": "Amount of referenced strings",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"callback-largest": {
"description": "Largest callback",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"gml": {
"description": "Graph export in G>raph Modelling Language format",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "attachment"
},
"r2-commit-version": {
"description": "Radare2 commit ID used to generate this object",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"text": {
"disable_correlation": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"miss-api": {
"description": "Amount of API call reference that does not resolve to a function offset",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"total-api": {
"description": "Total amount of API calls",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"unknown-references": {
"description": "Amount of API calls not ending in a function (Radare2 bug, probalby)",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"refsglobalvar": {
"description": "Amount of API calls outside of code section (glob var, dynamic API)",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"local-references": {
"description": "Amount of API calls inside a code section",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"total-functions": {
"description": "Total amount of functions in the file.",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"not-referenced-strings": {
"description": "Amount of not referenced strings",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "counter"
},
"ratio-functions": {
"description": "Ratio: amount of functions per kilobyte of code section",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "float"
},
"ratio-api": {
"description": "Ratio: amount of API calls per kilobyte of code section",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "float"
},
"ratio-string": {
"description": "Ratio: amount of referenced strings per kilobyte of code section",
"disable_correlation": true,
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "float"
}
},
From 611c0b8f5518ed831510f895c8bfe943b3ccbcc3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:45:25 +0200
Subject: [PATCH 43/54] ui-priority
---
objects/vulnerability/definition.json | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json
index e1e5e09..0413b90 100644
--- a/objects/vulnerability/definition.json
+++ b/objects/vulnerability/definition.json
@@ -10,34 +10,34 @@
],
"attributes": {
"id": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "vulnerability"
},
"text": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"summary": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"vulnerable_configuration": {
"description": "The vulnerable configuration is described in CPE format",
"multiple": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"modified": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"published": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"references": {
"multiple": true,
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "link"
}
},
From d2568c922e1dbb19fe373a1e789323427d821975 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:45:41 +0200
Subject: [PATCH 44/54] ui-priority
---
objects/whois/definition.json | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/objects/whois/definition.json b/objects/whois/definition.json
index 96cf730..37eb806 100644
--- a/objects/whois/definition.json
+++ b/objects/whois/definition.json
@@ -11,27 +11,27 @@
],
"attributes": {
"text": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"registar": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "whois-registar"
},
"registrant-name": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "whois-registrant-name"
},
"registrant-phone": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "whois-registrant-phone"
},
"registrant-email": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "whois-registrant-email"
},
"creation-date": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"domain": {
@@ -39,7 +39,7 @@
"Network activity",
"External analysis"
],
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "domain"
}
},
From cb4af3ffce4bd3aabca4712c0432d8be4a7861d6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:45:54 +0200
Subject: [PATCH 45/54] ui-priority
---
objects/x509/definition.json | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/objects/x509/definition.json b/objects/x509/definition.json
index e9cbf54..263c90c 100644
--- a/objects/x509/definition.json
+++ b/objects/x509/definition.json
@@ -4,55 +4,55 @@
],
"attributes": {
"subject": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"pubkey-info-algorithm": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"pubkey-info-seize": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"pubkey-info-exponent": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"pubkey-info-modulus": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"x509-fingerprint-sha1": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "sha1"
},
"raw-base64": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"text": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"validity-not-before": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"validity-not-after": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"issuer": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"serial-number": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"version": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
}
},
From 17e57b4a59b4a971419e48bd8c583d5ba3acd007 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:49:43 +0200
Subject: [PATCH 46/54] ui-priority
---
objects/pe-section/definition.json | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/objects/pe-section/definition.json b/objects/pe-section/definition.json
index b653ac6..68b2e9e 100644
--- a/objects/pe-section/definition.json
+++ b/objects/pe-section/definition.json
@@ -13,7 +13,7 @@
"write",
"executable"
],
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"name": {
@@ -25,42 +25,42 @@
".data",
".text"
],
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"size-in-bytes": {
"disable_correlation": true,
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"text": {
"disable_correlation": true,
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"md5": {
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "md5"
},
"entropy": {
"disable_correlation": true,
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "float"
},
"sha256": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha256"
},
"sha1": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha1"
},
"ssdeep": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "ssdeep"
},
"sha512": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha512"
}
},
From ea8885f3174bcfe36e0deaaba620fc3fc0512edb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:50:00 +0200
Subject: [PATCH 47/54] ui-priority
---
objects/registry-key/definition.json | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/objects/registry-key/definition.json b/objects/registry-key/definition.json
index bc9389c..cdca57b 100644
--- a/objects/registry-key/definition.json
+++ b/objects/registry-key/definition.json
@@ -8,42 +8,42 @@
"categories": [
"Other"
],
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"data-type": {
"categories": [
"Persistence mechanism"
],
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "reg-datatype"
},
"data": {
"categories": [
"Persistence mechanism"
],
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "reg-data"
},
"name": {
"categories": [
"Persistence mechanism"
],
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "reg-name"
},
"key": {
"categories": [
"Persistence mechanism"
],
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "reg-key"
},
"hive": {
"categories": [
"Persistence mechanism"
],
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "reg-hive"
}
},
From e8c74fbccc33e726fd4e929260592f51609b135e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:50:13 +0200
Subject: [PATCH 48/54] ui-priority
---
objects/file/definition.json | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index d3dab39..766701b 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -19,49 +19,49 @@
],
"attributes": {
"md5": {
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "md5"
},
"sha512/224": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha512/224"
},
"sha512": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha512"
},
"sha384": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha384"
},
"sha224": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha224"
},
"ssdeep": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "ssdeep"
},
"authentihash": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "authentihash"
},
"size-in-bytes": {
"disable_correlation": true,
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "size-in-bytes"
},
"sha1": {
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "sha1"
},
"sha256": {
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "sha256"
},
"entropy": {
"disable_correlation": true,
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "float"
},
"pattern-in-file": {
@@ -70,16 +70,16 @@
"Payload installation",
"External analysis"
],
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "pattern-in-file"
},
"text": {
"disable_correlation": true,
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "text"
},
"malware-sample": {
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "malware-sample"
},
"filename": {
@@ -89,15 +89,15 @@
"Payload installation",
"External analysis"
],
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "filename"
},
"sha512/256": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "sha512/256"
},
"tlsh": {
- "misp-usage-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "tlsh"
}
},
From f700e9ea525e1c7ce9a776f93ef60763cf302a39 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:51:54 +0200
Subject: [PATCH 49/54] ui-priority
---
README.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index fa24131..ffec79e 100644
--- a/README.md
+++ b/README.md
@@ -20,21 +20,21 @@ Feel free to propose your own MISP objects to be included in MISP. The system is
{
"ip": {
"misp-attribute": "ip-dst",
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"categories": ["Network activity","External analysis"]
},
"domain": {
"misp-attribute": "domain",
- "misp-usage-frequency": 1,
+ "ui-priority": 1,
"categories": ["Network activity","External analysis"]
},
"first-seen": {
"misp-attribute": "datetime",
- "misp-usage-frequency": 0
+ "ui-priority": 0
},
"last-seen": {
"misp-attribute": "datetime",
- "misp-usage-frequency": 0
+ "ui-priority": 0
}
},
@@ -53,7 +53,7 @@ A MISP object is described in a simple JSON file containing the following elemen
* **attributes** contains another JSON object listing all the attributes composing the object.
Each attribute must contain a reference **misp-attribute** to reference an existing attribute definition in MISP.
-An array **categories** shall be used to described in which categories the attribute is. The **misp-usage-frequency**
+An array **categories** shall be used to described in which categories the attribute is. The **ui-priority**
describes the usage frequency of an attribute. This helps to only display the most frequently used attributes and
allowing advanced users to show all the attributes depending of their configuration. An optional **multiple** field
shall be set to true if multiple elements of the same key can be used in the object. An optional **required_value**
From 9a1c5511f46ccebbfedf245d101c2f4b518365d6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 3 Jul 2017 16:55:14 +0200
Subject: [PATCH 50/54] ui-priority
---
objects/url/definition.json | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/objects/url/definition.json b/objects/url/definition.json
index 310d643..8fcca69 100644
--- a/objects/url/definition.json
+++ b/objects/url/definition.json
@@ -4,15 +4,15 @@
],
"attributes": {
"fragment": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"tld": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "tld"
},
"port": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"scheme": {
@@ -23,51 +23,51 @@
"gopher",
"sip"
],
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"first-seen": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"resource_path": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"query_string": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"url": {
- "ui-frequency": 1,
+ "ui-priority": 1,
"misp-attribute": "url"
},
"domain_without_tld": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"domain": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "domain"
},
"subdomain": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"credential": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"text": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "datetime"
},
"host": {
- "ui-frequency": 0,
+ "ui-priority": 0,
"misp-attribute": "hostname"
}
},
From 30976be5919605045861a65d5631aa238c3271bb Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 5 Jul 2017 07:33:35 +0200
Subject: [PATCH 51/54] Tor node object template which are part of the Tor
network at a time.
---
README.md | 1 +
objects/tor-node/definition.json | 41 ++++++++++++++++++++++++++++++++
2 files changed, 42 insertions(+)
create mode 100644 objects/tor-node/definition.json
diff --git a/README.md b/README.md
index ffec79e..bdc74c2 100644
--- a/README.md
+++ b/README.md
@@ -77,6 +77,7 @@ for a specific attribute.
* [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
* [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
* [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
+* [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
* [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
diff --git a/objects/tor-node/definition.json b/objects/tor-node/definition.json
new file mode 100644
index 0000000..2e7d108
--- /dev/null
+++ b/objects/tor-node/definition.json
@@ -0,0 +1,41 @@
+{
+ "requiredOneOf": [
+ "address",
+ "first-seen",
+ "last-seen",
+ "text"
+ ],
+ "required": [
+ "address"
+ ],
+ "attributes": {
+ "text": {
+ "description": "Tor node description.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "address": {
+ "description": "IP address of the Tor node seen.",
+ "ui-priority": 1,
+ "misp-attribute": "ip-src"
+ },
+ "last-seen": {
+ "description": "When the Tor node designed by the IP address has been seen for the last time.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "first-seen": {
+ "description": "When the Tor node designed by the IP address has been seen for the first time.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "Tor node (which protects your privacy on the internet by hiding the connection between users Internet address and the services used by the users) description which are part of the Tor network at a time.",
+ "meta-category": "misc",
+ "uuid": "a5fde1c8-318e-4658-a3ea-85ea000bdd33",
+ "name": "tor-node"
+}
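Review bot: The `requiredOneOf` list at the top of the new template can never fail, because `address` appears both there and in `required`, so an object holding nothing but an IP address validates. Tor relay addresses are reassigned over time, and the template's own description says the node is part of the network "at a time", so an address with neither `first-seen` nor `last-seen` gives a consumer no way to age the indicator out. I would either drop the redundant list or make it carry the time bound, e.g. `"requiredOneOf": ["first-seen", "last-seen"]`, depending on how the MISP validator combines the two keys. The later patch that adds `"description"` to the same list inherits the redundancy.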
From afaf0d0e198726f633679380efae4202832174c8 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 5 Jul 2017 07:41:07 +0200
Subject: [PATCH 52/54] add a comment field
---
objects/tor-node/definition.json | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/objects/tor-node/definition.json b/objects/tor-node/definition.json
index 2e7d108..dea20c2 100644
--- a/objects/tor-node/definition.json
+++ b/objects/tor-node/definition.json
@@ -3,18 +3,25 @@
"address",
"first-seen",
"last-seen",
+ "description",
"text"
],
"required": [
"address"
],
"attributes": {
- "text": {
+ "description": {
"description": "Tor node description.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
+ "text": {
+ "description": "Tor node comment",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
"address": {
"description": "IP address of the Tor node seen.",
"ui-priority": 1,
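Review bot: The template `version` stays at 1 in this commit, although `text` changes meaning from node description to comment and a new `description` attribute is added. The diffstat shows only this one hunk, and it does not reach the `version` line. Objects built from the first revision would then share a version number with a different attribute layout; bumping to `"version": 2` in this commit would keep the two distinguishable. The new attribute key `description` also reads the same as the per-attribute `"description"` metadata key nested inside it, which is easy to misread when reviewing the JSON. The `attributes` object continues past the end of the hunk.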
From 92fbb386168f6dea9e1e885f5f1f585a11925b86 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 5 Jul 2017 07:41:48 +0200
Subject: [PATCH 53/54] Template definitions are not always distributed along
with the objects
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bdc74c2..7cf6b58 100644
--- a/README.md
+++ b/README.md
@@ -100,7 +100,7 @@ MISP objects are dynamically used objects that are contributed by users of MISP
The aim is to allow a dynamic update of objects definition in operational distributed sharing systems like MISP. Security threats and their related indicators are quite dynamic, standardized formats are quite static and new indicators require a significant time before being standardized.
-The MISP objects model allows to add new combined indicators format based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects is then propagated along with the indicators itself.
+The MISP objects model allows to add new combined indicators format based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects can be then propagated along with the indicators itself.
## License
From 6e88746a67aa5daa23e9ed620a2f2d6f3b3ad4af Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 6 Jul 2017 14:57:32 +0200
Subject: [PATCH 54/54] Improved Tor node object to include support of the new
Tor monitoring
---
objects/tor-node/definition.json | 43 ++++++++++++++++++++++++++++++--
1 file changed, 41 insertions(+), 2 deletions(-)
diff --git a/objects/tor-node/definition.json b/objects/tor-node/definition.json
index dea20c2..c5d218b 100644
--- a/objects/tor-node/definition.json
+++ b/objects/tor-node/definition.json
@@ -16,8 +16,20 @@
"ui-priority": 1,
"misp-attribute": "text"
},
+ "nickname": {
+ "description": "router's nickname.",
+ "disable_correlation": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "fingerprint": {
+ "description": "router's fingerprint.",
+ "disable_correlation": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
"text": {
- "description": "Tor node comment",
+ "description": "Tor node comment.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
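Review bot: `nickname` is added with `"disable_correlation": false`, but a relay nickname is chosen by the operator and is not guaranteed to be unique, so correlating on it as free `text` can link unrelated events. `fingerprint` is the identifier worth correlating on; for `nickname` I would set `"disable_correlation": true`. The same concern applies to `flags`, `version` and `version_line` in the next hunk, which omit the key and therefore presumably keep correlation enabled. The `attributes` object starts and ends outside this hunk.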
@@ -27,6 +39,27 @@
"ui-priority": 1,
"misp-attribute": "ip-src"
},
+ "flags": {
+ "description": "list of flag associated with the node.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "version": {
+ "description": "parsed version of tor, this is None if the relay's using a new versioning scheme.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "version_line": {
+ "description": "versioning information reported by the node.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "published": {
+ "description": "router's publication time. This can be different from first-seen and last-seen.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
"last-seen": {
"description": "When the Tor node designed by the IP address has been seen for the last time.",
"disable_correlation": true,
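Review bot: `flags` is described as a list but is declared without `"multiple": true`, the field that `vulnerable_configuration` and `references` in the vulnerability template use for repeatable attributes. Producers will presumably pack every flag into one text value. Adding `"multiple": true` to `flags` would let each flag be stored as its own attribute. `version_line` also uses an underscore where the neighbouring keys `first-seen` and `last-seen` use hyphens. The `version` description's "this is None" leaks a Python value into the template text; `"parsed version of tor, empty if the relay uses a new versioning scheme."` reads more neutrally. The enclosing `attributes` object extends beyond the hunk.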
@@ -38,9 +71,15 @@
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
+ },
+ "document": {
+ "description": "Raw document from the consensus.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
}
},
- "version": 1,
+ "version": 2,
"description": "Tor node (which protects your privacy on the internet by hiding the connection between users Internet address and the services used by the users) description which are part of the Tor network at a time.",
"meta-category": "misc",
"uuid": "a5fde1c8-318e-4658-a3ea-85ea000bdd33",