Update definitions of binaries

pull/26/merge
Raphaël Vinot 2017-08-29 13:25:58 +02:00
parent d34dd5fb60
commit 9a3974f383
7 changed files with 232 additions and 92 deletions


@ -5,11 +5,13 @@
],
"attributes": {
"entrypoint-address": {
"description": "Address of the entry point",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"type": {
"description": "Type of ELF",
"sane_default": [
"CORE",
"DYNAMIC",
@ -23,11 +25,13 @@
"misp-attribute": "text"
},
"number-sections": {
"description": "Number of sections",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"arch": {
"description": "Architecture of the ELF file",
"sane_default": [
"None",
"M32",
@ -209,6 +213,7 @@
"misp-attribute": "text"
},
"os_abi": {
"description": "Header operating system application binary interface (ABI)",
"sane_default": [
"AIX",
"ARM",
@ -236,9 +241,11 @@
"misp-attribute": "text"
},
"text": {
"description": "Free text value to attach to the ELF",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
"misp-attribute": "text",
"recommended": false
}
},
"version": 2,
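Review bot: The `"version": 2,` line that closes this ELF definition is unchanged context, even though the hunks above add a `description` to several attributes and `"recommended": false` to `text`. The file, Mach-O section, PE section and PE definitions on this page all bump their version in the same commit. Consumers that decide whether to refresh a template by comparing version numbers would presumably miss the new ELF fields. I would bump it here (`"version": 3,`) and also in the Mach-O definition further down, which keeps `"version": 1,`. The object continues outside the hunk, so any versioning done elsewhere is not visible.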


@ -6,65 +6,89 @@
"ssdeep",
"imphash",
"pehash",
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"tlsh",
"md5",
"sha1",
"sha256",
"pattern-in-file"
],
"attributes": {
"md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"ui-priority": 1,
"misp-attribute": "md5"
"misp-attribute": "md5",
"recommended": false
},
"sha512/224": {
"ui-priority": 0,
"misp-attribute": "sha512/224"
},
"sha512": {
"ui-priority": 0,
"misp-attribute": "sha512"
},
"sha384": {
"ui-priority": 0,
"misp-attribute": "sha384"
"sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"ui-priority": 1,
"misp-attribute": "sha1",
"recommended": false
},
"sha224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha224"
"misp-attribute": "sha224",
"recommended": false
},
"sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 1,
"misp-attribute": "sha256"
},
"sha384": {
"description": "Secure Hash Algorithm 2 (384 bits)",
"ui-priority": 0,
"misp-attribute": "sha384",
"recommended": false
},
"sha512": {
"description": "Secure Hash Algorithm 2 (512 bits)",
"ui-priority": 1,
"misp-attribute": "sha512"
},
"sha512/224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/224",
"recommended": false
},
"sha512/256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/256",
"recommended": false
},
"ssdeep": {
"description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"authentihash": {
"description": "Authenticode executable signature hash",
"ui-priority": 0,
"misp-attribute": "authentihash"
"misp-attribute": "authentihash",
"recommended": false
},
"size-in-bytes": {
"description": "Size of the file, in bytes",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "size-in-bytes"
},
"sha1": {
"ui-priority": 1,
"misp-attribute": "sha1"
},
"sha256": {
"ui-priority": 1,
"misp-attribute": "sha256"
},
"entropy": {
"description": "Entropy of the whole file",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "float"
},
"pattern-in-file": {
"description": "Pattern that can be found in the file",
"categories": [
"Artifacts dropped",
"Payload installation",
@ -74,15 +98,19 @@
"misp-attribute": "pattern-in-file"
},
"text": {
"description": "Free text value to attach to the file",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
"misp-attribute": "text",
"recommended": false
},
"malware-sample": {
"description": "The file itself (binary)",
"ui-priority": 1,
"misp-attribute": "malware-sample"
},
"filename": {
"description": "Filename on disk",
"categories": [
"Payload delivery",
"Artifacts dropped",
@ -92,21 +120,19 @@
"ui-priority": 1,
"misp-attribute": "filename"
},
"sha512/256": {
"ui-priority": 0,
"misp-attribute": "sha512/256"
},
"tlsh": {
"description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
"ui-priority": 0,
"misp-attribute": "tlsh"
},
"mimetype": {
"description": "Mime type",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 2,
"version": 3,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
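Review bot: The new descriptions for `sha512/224` and `sha512/256` are word-for-word the same as those for `sha224` and `sha256` ("Secure Hash Algorithm 2 (224 bits)" and "(256 bits)"). An analyst choosing an attribute from the description alone cannot tell the two apart. The digests have the same length but come from different algorithms, so a value filed under the wrong key will never match on lookup or correlation. I would name the variant, e.g. `"description": "Secure Hash Algorithm 2, SHA-512/224 variant (224 bits)"`, and likewise for `sha512/256`. The same pair of descriptions appears in the Mach-O section and PE section definitions below.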


@ -2,53 +2,94 @@
"requiredOneOf": [
"text",
"name",
"md5",
"sha1",
"sha224",
"sha256",
"sha512"
"sha384",
"sha512",
"sha512/224",
"sha512/256"
],
"attributes": {
"sha512": {
"md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"ui-priority": 1,
"misp-attribute": "md5",
"recommended": false
},
"sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"ui-priority": 1,
"misp-attribute": "sha1",
"recommended": false
},
"sha224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha224",
"recommended": false
},
"sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 1,
"misp-attribute": "sha256"
},
"sha384": {
"description": "Secure Hash Algorithm 2 (384 bits)",
"ui-priority": 0,
"misp-attribute": "sha384",
"recommended": false
},
"sha512": {
"description": "Secure Hash Algorithm 2 (512 bits)",
"ui-priority": 1,
"misp-attribute": "sha512"
},
"sha512/224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/224",
"recommended": false
},
"sha512/256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/256",
"recommended": false
},
"ssdeep": {
"description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"entropy": {
"description": "Entropy of the whole section",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "float"
},
"name": {
"description": "Name of the section",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"sha256": {
"ui-priority": 0,
"misp-attribute": "sha256"
},
"size-in-bytes": {
"description": "Size of the section, in bytes",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"text": {
"description": "Free text value to attach to the section",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"sha1": {
"ui-priority": 0,
"misp-attribute": "sha1"
},
"md5": {
"ui-priority": 1,
"misp-attribute": "md5"
"misp-attribute": "text",
"recommended": false
}
},
"version": 1,
"version": 2,
"description": "Object describing a section of a file in Mach-O format.",
"meta-category": "file",
"uuid": "fca3c534-d188-4964-9c6e-9922e1dfe66e",
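Review bot: The new `sha1` entry is tagged `[Insecure]` and `"recommended": false`, yet its `ui-priority` appears to go from 0 to 1, and `md5` keeps priority 1. Both also stay in `requiredOneOf`, so an object carrying only an MD5 still satisfies the template. If priority controls how prominently the field is offered, that works against the `recommended` flag. I would either set `"ui-priority": 0,` on both or expand the description to say what is insecure, e.g. `"[Insecure] MD5 hash (128 bits); collisions are practical, do not rely on it as the only identifier"`. The PE section definition below has the same combination.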


@ -6,11 +6,13 @@
],
"attributes": {
"entrypoint-address": {
"description": "Address of the entry point",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"type": {
"description": "Type of Mach-O",
"sane_default": [
"BUNDLE",
"CORE",
@ -28,19 +30,23 @@
"misp-attribute": "text"
},
"number-sections": {
"description": "Number of sections",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"name": {
"description": "Binary's name",
"disable_correlation": false,
"ui-priority": 1,
"misp-attribute": "text"
},
"text": {
"description": "Free text value to attach to the ELF",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
"misp-attribute": "text",
"recommended": false
}
},
"version": 1,
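Review bot: The description added to `text` in this Mach-O definition reads "Free text value to attach to the ELF", which looks copied from the ELF template; the `type` attribute in the same file is described as "Type of Mach-O". It should be `"description": "Free text value to attach to the Mach-O",`. The version gap in this file is covered in the note on the ELF definition above.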


@ -2,21 +2,75 @@
"requiredOneOf": [
"text",
"name",
"md5",
"sha1",
"sha224",
"sha256",
"sha512"
"sha384",
"sha512",
"sha512/224",
"sha512/256"
],
"attributes": {
"characteristics": {
"sane_default": [
"read",
"write",
"executable"
],
"md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"ui-priority": 1,
"misp-attribute": "md5",
"recommended": false
},
"sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"ui-priority": 1,
"misp-attribute": "sha1",
"recommended": false
},
"sha224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "sha224",
"recommended": false
},
"sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 1,
"misp-attribute": "sha256"
},
"sha384": {
"description": "Secure Hash Algorithm 2 (384 bits)",
"ui-priority": 0,
"misp-attribute": "sha384",
"recommended": false
},
"sha512": {
"description": "Secure Hash Algorithm 2 (512 bits)",
"ui-priority": 1,
"misp-attribute": "sha512"
},
"sha512/224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/224",
"recommended": false
},
"sha512/256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/256",
"recommended": false
},
"ssdeep": {
"description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"entropy": {
"description": "Entropy of the whole section",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "float"
},
"name": {
"description": "Name of the section",
"disable_correlation": true,
"sane_default": [
".rsrc",
@ -29,42 +83,30 @@
"misp-attribute": "text"
},
"size-in-bytes": {
"description": "Size of the section, in bytes",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"text": {
"description": "Free text value to attach to the section",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"characteristic": {
"description": "Characteristic of the section",
"sane_default": [
"read",
"write",
"executable"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"md5": {
"ui-priority": 1,
"misp-attribute": "md5"
},
"entropy": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "float"
},
"sha256": {
"ui-priority": 0,
"misp-attribute": "sha256"
},
"sha1": {
"ui-priority": 0,
"misp-attribute": "sha1"
},
"ssdeep": {
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"sha512": {
"ui-priority": 0,
"misp-attribute": "sha512"
}
},
"version": 1,
"version": 2,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",
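Review bot: The attribute key `characteristics` becomes `characteristic` here, and in the PE definition below `entrypoint-section|position` becomes `entrypoint-section-at-position` while `pe-type` appears to be dropped in favour of `type`. These keys are what producers emit and what stored objects carry. Anything already written with the old names will presumably stop matching the template, and the version bump alone does not tell a consumer which keys moved. I would record the old-to-new mapping in the commit description or changelog so importers and detection content keyed on the old names can be updated.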


@ -7,37 +7,40 @@
],
"attributes": {
"pehash": {
"description": "Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/",
"ui-priority": 0,
"misp-attribute": "pehash"
},
"impfuzzy": {
"description": "Fuzzy Hash (ssdeep) calculated from the import table",
"ui-priority": 0,
"misp-attribute": "impfuzzy"
},
"pe-type": {
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"internal-filename": {
"description": "InternalFilename in the resources",
"ui-priority": 0,
"misp-attribute": "filename"
},
"original-filename": {
"description": "OriginalFilename in the resources",
"ui-priority": 1,
"misp-attribute": "filename"
},
"number-sections": {
"description": "Number of sections",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
},
"text": {
"description": "Free text value to attach to the PE",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
"misp-attribute": "text",
"recommended": false
},
"type": {
"description": "Type of PE",
"sane_default": [
"exe",
"dll",
@ -49,60 +52,71 @@
"misp-attribute": "text"
},
"imphash": {
"description": "Hash (md5) calculated from the import table",
"ui-priority": 0,
"misp-attribute": "imphash"
},
"compilation-timestamp": {
"description": "Compilation timestamp defined in the PE header",
"ui-priority": 1,
"misp-attribute": "datetime"
},
"entrypoint-section|position": {
"entrypoint-section-at-position": {
"description": "Name of the section and position of the section in the PE",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"entrypoint-address": {
"description": "Address of the entry point",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"file-description": {
"description": "FileDescription in the resources",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"file-version": {
"description": "FileVersion in the resources",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lang-id": {
"description": "Lang ID in the resources",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"product-name": {
"description": "ProductName in the resources",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"product-version": {
"description": "ProductVersion in the resources",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"company-name": {
"description": "CompanyName in the resources",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"legal-copyright": {
"description": "LegalCopyright in the resources",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"version": 2,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
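Review bot: `entrypoint-section-at-position` stores two values, a section name and a position, in one `text` attribute, and the new description ("Name of the section and position of the section in the PE") does not say how they are combined. The old key at least hinted at a `|` separator. Without a stated format, different producers will encode it differently and consumers cannot parse it reliably. I would extend the description to give the exact encoding and whether the position is zero-based, or split it into two attributes.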


@ -43,13 +43,17 @@
"to_ids": {
"type": "boolean"
},
"recommended": {
"type": "boolean"
},
"description": {
"type": "string"
}
},
"required": [
"misp-attribute",
"ui-priority"
"ui-priority",
"description"
]
}
},
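Review bot: Making `description` required only checks that the key is present; with `"type": "string"` alone, an empty string still validates. I would tighten it to `"description": { "type": "string", "minLength": 1 }`. The new `recommended` property also has no description of its own in the schema, so its meaning is left to each reader, for example whether an absent key counts as recommended. Object definitions not touched by this commit will fail validation if any attribute lacks a description, which is worth checking before merge. The schema continues outside the hunk.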