JQ all the things

pull/7/head
Raphaël Vinot 2017-02-13 11:18:42 +01:00
parent 1f2633c6f1
commit a68e678f50
11 changed files with 595 additions and 475 deletions


@ -5,7 +5,7 @@ set -x
# Seeds sponge, from moreutils # Seeds sponge, from moreutils
for dir in objects/*/list.json for dir in objects/*/definition.json
do do
cat ${dir} | jq . | sponge ${dir} cat ${dir} | jq . | sponge ${dir}
done done
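Review bot: The new `cat ${dir} | jq . | sponge ${dir}` line overwrites the definition even when jq fails: jq prints nothing on a parse error, sponge then writes the empty input back, and the pipeline's status is sponge's, so a malformed definition is silently truncated. Only `set -x` is visible in the hunk header, so whether `set -e` or `pipefail` is enabled earlier cannot be confirmed from here. Format into a variable first and quote the path, e.g. `formatted=$(jq . "${dir}") || exit 1` followed by `printf '%s\n' "${formatted}" > "${dir}"`. The loop variable now holds a file path, so `file` would read better than `dir`.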


@ -3,17 +3,22 @@
"meta-category": "network", "meta-category": "network",
"description": "A domain and IP address seen as a tuple in a specific time frame.", "description": "A domain and IP address seen as a tuple in a specific time frame.",
"version": 1, "version": 1,
"attributes" : "attributes": {
{
"ip": { "ip": {
"misp-attribute": "ip-dst", "misp-attribute": "ip-dst",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Network activity","External analysis"] "categories": [
"Network activity",
"External analysis"
]
}, },
"domain": { "domain": {
"misp-attribute": "domain", "misp-attribute": "domain",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Network activity","External analysis"] "categories": [
"Network activity",
"External analysis"
]
}, },
"first-seen": { "first-seen": {
"misp-attribute": "datetime", "misp-attribute": "datetime",
@ -27,7 +32,9 @@
"misp-attribute": "text", "misp-attribute": "text",
"misp-usage-frequency": 1 "misp-usage-frequency": 1
} }
}, },
"required": ["ip","domain"] "required": [
"ip",
"domain"
]
} }


@ -3,84 +3,125 @@
"meta-category": "email", "meta-category": "email",
"description": "Email object describing an email with meta-information", "description": "Email object describing an email with meta-information",
"version": 1, "version": 1,
"attributes" : "attributes": {
{
"from": { "from": {
"misp-attribute": "email-src", "misp-attribute": "email-src",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Payload delivery"] "categories": [
"Payload delivery"
]
}, },
"from-display-name": { "from-display-name": {
"misp-attribute": "email-src-display-name", "misp-attribute": "email-src-display-name",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Payload delivery"] "categories": [
"Payload delivery"
]
}, },
"to": { "to": {
"misp-attribute": "email-dst", "misp-attribute": "email-dst",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Payload delivery"], "categories": [
"Payload delivery"
],
"multiple": true "multiple": true
}, },
"to-display-name": { "to-display-name": {
"misp-attribute": "email-dst-display-name", "misp-attribute": "email-dst-display-name",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Payload delivery"], "categories": [
"Payload delivery"
],
"multiple": true "multiple": true
}, },
"subject": { "subject": {
"misp-attribute": "email-subject", "misp-attribute": "email-subject",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Payload delivery"] "categories": [
"Payload delivery"
]
}, },
"attachment": { "attachment": {
"misp-attribute": "email-attachment", "misp-attribute": "email-attachment",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Payload delivery"], "categories": [
"Payload delivery"
],
"multiple": true "multiple": true
}, },
"message-id": { "message-id": {
"misp-attribute": "email-message-id", "misp-attribute": "email-message-id",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Payload delivery"] "categories": [
"Payload delivery"
]
}, },
"reply-to": { "reply-to": {
"misp-attribute": "email-reply-to", "misp-attribute": "email-reply-to",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Payload delivery"] "categories": [
"Payload delivery"
]
}, },
"send-date": { "send-date": {
"misp-attribute": "datetime", "misp-attribute": "datetime",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Other"] "categories": [
"Other"
]
}, },
"url": { "url": {
"misp-attribute": "url", "misp-attribute": "url",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Payload delivery"], "categories": [
"Payload delivery"
],
"multiple": true "multiple": true
}, },
"mime-boundary": { "mime-boundary": {
"misp-attribute": "email-mime-boundary", "misp-attribute": "email-mime-boundary",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Payload delivery"] "categories": [
"Payload delivery"
]
}, },
"thread-index": { "thread-index": {
"misp-attribute": "email-thread-index", "misp-attribute": "email-thread-index",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Payload delivery"] "categories": [
"Payload delivery"
]
}, },
"header": { "header": {
"misp-attribute": "email-header", "misp-attribute": "email-header",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Payload delivery"], "categories": [
"Payload delivery"
],
"multiple": true "multiple": true
}, },
"x-mailer": { "x-mailer": {
"misp-attribute": "email-xmailer", "misp-attribute": "email-xmailer",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Payload delivery"] "categories": [
"Payload delivery"
]
} }
}, },
"requiredOneOf": ["email-src", "email-src-display-name", "email-dst", "email-dst-display-name", "email-subject", "email-attachment", "email-message-id", "email-reply-to", "send-date", "url", "email-mime-boundary", "email-thread-index", "email-header", "x-mailer"] "requiredOneOf": [
"email-src",
"email-src-display-name",
"email-dst",
"email-dst-display-name",
"email-subject",
"email-attachment",
"email-message-id",
"email-reply-to",
"send-date",
"url",
"email-mime-boundary",
"email-thread-index",
"email-header",
"x-mailer"
]
} }


@ -3,12 +3,16 @@
"meta-category": "file", "meta-category": "file",
"description": "File object describing a file with meta-information", "description": "File object describing a file with meta-information",
"version": 1, "version": 1,
"attributes" : "attributes": {
{
"filename": { "filename": {
"misp-attribute": "filename", "misp-attribute": "filename",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Payload delivery","Artifacts dropped","Payload installation","External analysis"] "categories": [
"Payload delivery",
"Artifacts dropped",
"Payload installation",
"External analysis"
]
}, },
"size-in-bytes": { "size-in-bytes": {
"misp-attribute": "size-in-bytes", "misp-attribute": "size-in-bytes",
@ -69,7 +73,11 @@
"pattern-in-file": { "pattern-in-file": {
"misp-attribute": "pattern-in-file", "misp-attribute": "pattern-in-file",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Artifacts dropped","Payload installation","External analysis"] "categories": [
"Artifacts dropped",
"Payload installation",
"External analysis"
]
}, },
"text": { "text": {
"misp-attribute": "text", "misp-attribute": "text",
@ -83,7 +91,23 @@
"misp-attribute": "compilation-timestamp", "misp-attribute": "compilation-timestamp",
"misp-usage-frequency": 0 "misp-usage-frequency": 0
} }
}, },
"requiredOneOf": ["filename", "size-in-bytes", "authentihash", "ssdeep", "imphash", "pehash", "sha-224", "sha-384", "sha-512", "sha-512/224", "sha-512/256", "tlsh", "md5", "sha1", "sha256", "pattern-in-file"] "requiredOneOf": [
"filename",
"size-in-bytes",
"authentihash",
"ssdeep",
"imphash",
"pehash",
"sha-224",
"sha-384",
"sha-512",
"sha-512/224",
"sha-512/256",
"tlsh",
"md5",
"sha1",
"sha256",
"pattern-in-file"
]
} }


@ -3,22 +3,30 @@
"meta-category": "network", "meta-category": "network",
"description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.",
"version": 1, "version": 1,
"attributes" : "attributes": {
{
"ip": { "ip": {
"misp-attribute": "ip-dst", "misp-attribute": "ip-dst",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Network activity","External analysis"] "categories": [
"Network activity",
"External analysis"
]
}, },
"dst-port": { "dst-port": {
"misp-attribute": "text", "misp-attribute": "text",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Network activity","External analysis"] "categories": [
"Network activity",
"External analysis"
]
}, },
"src-port": { "src-port": {
"misp-attribute": "text", "misp-attribute": "text",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Network activity","External analysis"] "categories": [
"Network activity",
"External analysis"
]
}, },
"first-seen": { "first-seen": {
"misp-attribute": "datetime", "misp-attribute": "datetime",
@ -32,8 +40,12 @@
"misp-attribute": "text", "misp-attribute": "text",
"misp-usage-frequency": 0 "misp-usage-frequency": 0
} }
}, },
"required": ["ip"], "required": [
"requiredOneOf": ["dst-port", "src-port"] "ip"
],
"requiredOneOf": [
"dst-port",
"src-port"
]
} }


@ -3,17 +3,22 @@
"meta-category": "network", "meta-category": "network",
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01", "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
"version": 1, "version": 1,
"attributes" : "attributes": {
{
"rrtype": { "rrtype": {
"misp-attribute": "text", "misp-attribute": "text",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Network activity","External analysis"] "categories": [
"Network activity",
"External analysis"
]
}, },
"rrname": { "rrname": {
"misp-attribute": "hostname", "misp-attribute": "hostname",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Network activity","External analysis"] "categories": [
"Network activity",
"External analysis"
]
}, },
"time_first": { "time_first": {
"misp-attribute": "datetime", "misp-attribute": "datetime",
@ -52,5 +57,8 @@
"misp-usage-frequency": 0 "misp-usage-frequency": 0
} }
}, },
"required": ["rrtype","rrname"] "required": [
"rrtype",
"rrname"
]
} }


@ -3,38 +3,52 @@
"meta-category": "file", "meta-category": "file",
"description": "Registry key object describing a Windows registry key with value and last-modified timestamp", "description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
"version": 1, "version": 1,
"attributes" : "attributes": {
{
"hive": { "hive": {
"misp-attribute": "reg-hive", "misp-attribute": "reg-hive",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Persistence mechanism"] "categories": [
"Persistence mechanism"
]
}, },
"key": { "key": {
"misp-attribute": "reg-key", "misp-attribute": "reg-key",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Persistence mechanism"] "categories": [
"Persistence mechanism"
]
}, },
"name": { "name": {
"misp-attribute": "reg-name", "misp-attribute": "reg-name",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Persistence mechanism"] "categories": [
"Persistence mechanism"
]
}, },
"data": { "data": {
"misp-attribute": "reg-data", "misp-attribute": "reg-data",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Persistence mechanism"] "categories": [
"Persistence mechanism"
]
}, },
"data-type": { "data-type": {
"misp-attribute": "reg-datatype", "misp-attribute": "reg-datatype",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Persistence mechanism"] "categories": [
"Persistence mechanism"
]
}, },
"last-modified": { "last-modified": {
"misp-attribute": "datetime", "misp-attribute": "datetime",
"misp-usage-frequency": 0, "misp-usage-frequency": 0,
"categories": ["Other"] "categories": [
"Other"
]
} }
}, },
"required": ["key", "name"] "required": [
"key",
"name"
]
} }


@ -3,8 +3,7 @@
"meta-category": "network", "meta-category": "network",
"description": "Vulnerability object describing common vulnerability enumeration", "description": "Vulnerability object describing common vulnerability enumeration",
"version": 1, "version": 1,
"attributes" : "attributes": {
{
"references": { "references": {
"misp-attribute": "link", "misp-attribute": "link",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
@ -36,7 +35,14 @@
"misp-attribute": "vulnerability", "misp-attribute": "vulnerability",
"misp-usage-frequency": 1 "misp-usage-frequency": 1
} }
}, },
"requiredOneOf": ["published", "modified", "references", "vulnerable_configuration", "summary", "text", "id"] "requiredOneOf": [
"published",
"modified",
"references",
"vulnerable_configuration",
"summary",
"text",
"id"
]
} }


@ -3,12 +3,14 @@
"meta-category": "network", "meta-category": "network",
"description": "Whois records information for a domain name.", "description": "Whois records information for a domain name.",
"version": 1, "version": 1,
"attributes" : "attributes": {
{
"domain": { "domain": {
"misp-attribute": "domain", "misp-attribute": "domain",
"misp-usage-frequency": 1, "misp-usage-frequency": 1,
"categories": ["Network activity","External analysis"] "categories": [
"Network activity",
"External analysis"
]
}, },
"creation-date": { "creation-date": {
"misp-attribute": "datetime", "misp-attribute": "datetime",
@ -34,9 +36,15 @@
"misp-attribute": "text", "misp-attribute": "text",
"misp-usage-frequency": 1 "misp-usage-frequency": 1
} }
}, },
"required": ["domain"], "required": [
"requiredOneOf": ["registrant-email", "registrant-phone", "creation-date", "registrant-name", "registar"] "domain"
],
"requiredOneOf": [
"registrant-email",
"registrant-phone",
"creation-date",
"registrant-name",
"registar"
]
} }


@ -3,8 +3,7 @@
"meta-category": "network", "meta-category": "network",
"description": "x509 object describing a X.509 certificate", "description": "x509 object describing a X.509 certificate",
"version": 1, "version": 1,
"attributes" : "attributes": {
{
"version": { "version": {
"misp-attribute": "text", "misp-attribute": "text",
"misp-usage-frequency": 0 "misp-usage-frequency": 0
@ -57,7 +56,8 @@
"misp-attribute": "text", "misp-attribute": "text",
"misp-usage-frequency": 1 "misp-usage-frequency": 1
} }
}, },
"required": ["x509-fingerprint-sha1"] "required": [
"x509-fingerprint-sha1"
]
} }


@ -12,7 +12,7 @@ if ![ $diffs -eq 0 ]; then
exit 1 exit 1
fi fi
for dir in objects/*/list.json for dir in objects/*/definition.json
do do
echo -n "${dir}: " echo -n "${dir}: "
jsonschema -i ${dir} schema.json jsonschema -i ${dir} schema.json
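Review bot: After the switch to `objects/*/definition.json`, an object directory that still ships only `list.json`, or has no definition at all, is never passed to `jsonschema` and nothing reports it, so an unvalidated template can pass this check. A guard before the loop would close that gap, for example `for d in objects/*/; do [ -f "${d}definition.json" ] || { echo "missing ${d}definition.json" >&2; exit 1; }; done`. `${dir}` in the `jsonschema -i` call should also be quoted. The hunk header renders the earlier test as `if ![ $diffs -eq 0 ]`; if the file really lacks a space after `!`, that check would not behave as intended, which is worth confirming. The loop body continues outside the hunk.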