From 661c71e35e5453c77102cc21833a6bfbd7ac1ec0 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Wed, 10 Apr 2024 11:13:16 +0200
Subject: [PATCH 1/3] add: [network-traffic] Generic Network Traffic object - Following the STIX 2.1 spec
---
 objects/network-traffic/definition.json | 108 ++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 objects/network-traffic/definition.json
diff --git a/objects/network-traffic/definition.json b/objects/network-traffic/definition.json
new file mode 100644
index 0000000..b85d0c1
--- /dev/null
+++ b/objects/network-traffic/definition.json
@@ -0,0 +1,108 @@
+{
+ "attributes": {
+ "dst_bytes_count": {
+ "description": "Number of bytes sent from the destination to the source",
+ "misp-attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
+ "dst_hostname": {
+ "description": "Destination hostname of the network traffic",
+ "misp-attribute": "hostname",
+ "ui-priority": 1
+ },
+ "dst_ip": {
+ "description": "Destination IP address of the network traffic",
+ "misp-attribute": "ip-dst",
+ "ui-priority": 1
+ },
+ "dst_mac": {
+ "description": "Destination MAC address of the network traffic",
+ "misp-attribute": "mac-address",
+ "ui-priority": 1
+ },
+ "dst_packets": {
+ "description": "Number of packets sent from the destination to the source",
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "dst_port": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Destination port of the nework connection",
+ "misp-attribute": "port",
+ "ui-priority": 1
+ },
+ "end_time": {
+ "description": "Time the network traffic ended",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "is_active": {
+ "description": "Indicates whether the network traffic is still ongoing. 
Must be False if the end_time attribute is present",
+ "misp-attribute": "boolean",
+ "ui-priority": 0
+ },
+ "protocols": {
+ "description": "Protocols observed in the network traffic",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "src_bytes_count": {
+ "description": "Number of bytes sent from the source to the destination",
+ "misp-attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
+ "src_hostname": {
+ "description": "Destination hostname of the network traffic",
+ "misp-attribute": "hostname",
+ "ui-priority": 1
+ },
+ "src_ip": {
+ "description": "Source IP address of the network traffic",
+ "misp-attribute": "ip-dst",
+ "ui-priority": 1
+ },
+ "src_mac": {
+ "description": "Source MAC address of the network traffic",
+ "misp-attribute": "mac-address",
+ "ui-priority": 1
+ },
+ "src_packets": {
+ "description": "Number of packets sent from the source to the destination",
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "src_port": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Source port of the nework connection",
+ "misp-attribute": "port",
+ "ui-priority": 1
+ },
+ "start_time": {
+ "description": "Time the network traffic started",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ }
+ },
+ "description": "Generic network traffic that originates from a source and is addressed to a destination.",
+ "meta-category": "network",
+ "name": "network-traffic",
+ "requiredOneOf": [
+ "dst_hostname",
+ "dst_ip",
+ "dst_mac",
+ "dst_port",
+ "src_hostname",
+ "src_ip",
+ "src_mac",
+ "src_port"
+ ],
+ "uuid": "16290b18-9af5-4a43-b195-75fe1eef0c35",
+ "version": 1
+}
\ No newline at end of file
From 712ab7f10a6fe3e97f7a4ecff7ad8a8cf54e2aed Mon Sep 17 00:00:00 2001
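Review bot: `src_ip` is declared with `"misp-attribute": "ip-dst"`, so the source address of the traffic would be stored under the destination-IP attribute type and anything that keys on that type for direction (correlation, src/dst filtering on export to blocklists or firewall rules) would treat it as a destination; the line should read `"misp-attribute": "ip-src",`. The `src_hostname` description is a copy of the destination one and should be `"description": "Source hostname of the network traffic",`, and both port descriptions misspell "network" as "nework". The sibling network-connection template marks its byte counters `"disable_correlation": true` while the `counter` and `size-in-bytes` attributes here carry no such flag; byte and packet counts are poor correlation keys, so this is presumably an omission rather than a choice — worth confirming.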
From: Christian Studer
Date: Thu, 11 Apr 2024 09:42:06 +0200
Subject: [PATCH 2/3] fix: [network-connection] Using the `size-in-bytes` attribute type for information expressed in bytes
---
 objects/network-connection/definition.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index 75a6567..ff0205d 100644
--- a/objects/network-connection/definition.json
+++ b/objects/network-connection/definition.json
@@ -13,7 +13,7 @@
 "dst-bytes-count": {
 "description": "Number of bytes sent from the source to the destination.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "dst-packets-count": {
@@ -116,7 +116,7 @@
 "src-bytes-count": {
 "description": "Number of bytes sent from the destination to the source.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "src-packets-count": {
@@ -147,5 +147,5 @@
 "community-id"
 ],
 "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
- "version": 6
+ "version": 7
 }
\ No newline at end of file
From b2de8dd7c701756c4f4abf848a773ddd669f3ba1 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Thu, 11 Apr 2024 12:04:55 +0200
Subject: [PATCH 3/3] chg: [network-traffic] Going for the `protocol` attribute in singular
---
 objects/network-traffic/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/network-traffic/definition.json b/objects/network-traffic/definition.json
index b85d0c1..2865355 100644
--- a/objects/network-traffic/definition.json
+++ b/objects/network-traffic/definition.json
@@ -44,8 +44,8 @@
 "misp-attribute": "boolean",
 "ui-priority": 0
 },
- "protocols": {
- "description": "Protocols observed in the network traffic",
+ "protocol": {
+ "description": "Protocol observed in the network traffic",
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 0
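Review bot: While the `dst-bytes-count` and `src-bytes-count` attributes at lines 13 and 116 are being retyped to `size-in-bytes`, the unchanged descriptions next to them run opposite to the new network-traffic template in this series: here `dst-bytes-count` is "sent from the source to the destination", whereas network-traffic's `dst_bytes_count` is "sent from the destination to the source", and the two objects will inevitably be mapped onto each other. If the network-traffic wording (which follows the STIX 2.1 direction convention the series cites) is the intended one, swapping the two description strings here would fit under the same bump to version 7; otherwise the new template is the one to correct. The context lines are not part of this change, so this is a suggestion for the same commit rather than a defect it introduces.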
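Review bot: The renamed `protocol` key keeps `"multiple": true`, so the attribute still carries one value per observed protocol while its new description reads as a single value; `"description": "Protocol observed in the network traffic (one entry per protocol, e.g. ipv4, tcp)"` would make the multiplicity explicit, and mentioning that it maps to the STIX 2.1 `protocols` list would keep the spec link the first commit of the series claims despite the singular name. The template's `version` field lies outside this hunk; if the object was already published at version 1, a key rename needs a bump there too.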