From a755d50e92e94eff92e0de515854adb0caed562c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Sun, 12 Mar 2017 23:06:39 +0100
Subject: [PATCH] Update file and pe, add pe-section
---
 objects/file/definition.json | 46 ++++++++++++-----------------
 objects/pe-section/definition.json | 47 ++++++++++++++++++++++++++++++
 objects/pe/definition.json | 22 +++++++++-----
 3 files changed, 81 insertions(+), 34 deletions(-)
 create mode 100644 objects/pe-section/definition.json
diff --git a/objects/file/definition.json b/objects/file/definition.json
index 89dc5c0..f745adc 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -26,32 +26,28 @@
 "misp-attribute": "ssdeep",
 "misp-usage-frequency": 0
 },
- "imphash": {
- "misp-attribute": "imphash",
- "misp-usage-frequency": 0
- },
 "pehash": {
 "misp-attribute": "pehash",
 "misp-usage-frequency": 0
 },
- "sha-224": {
- "misp-attribute": "sha-224",
+ "sha224": {
+ "misp-attribute": "sha224",
 "misp-usage-frequency": 0
 },
- "sha-384": {
- "misp-attribute": "sha-384",
+ "sha384": {
+ "misp-attribute": "sha384",
 "misp-usage-frequency": 0
 },
- "sha-512": {
- "misp-attribute": "sha-512",
+ "sha512": {
+ "misp-attribute": "sha512",
 "misp-usage-frequency": 0
 },
- "sha-512/224": {
- "misp-attribute": "sha-512/224",
+ "sha512/224": {
+ "misp-attribute": "sha512/224",
 "misp-usage-frequency": 0
 },
- "sha-512/256": {
- "misp-attribute": "sha-512/256",
+ "sha512/256": {
+ "misp-attribute": "sha512/256",
 "misp-usage-frequency": 0
 },
 "tlsh": {
@@ -70,6 +66,10 @@
 "misp-attribute": "sha256",
 "misp-usage-frequency": 1
 },
+ "entropy": {
+ "misp-attribute": "float",
+ "misp-usage-frequency": 1
+ },
 "pattern-in-file": {
 "misp-attribute": "pattern-in-file",
 "misp-usage-frequency": 1,
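Review bot: The `file` template's `version` does not appear to be raised, although the -26,32 hunk renames five attribute keys (`sha-224` → `sha224` through `sha-512/256` → `sha512/256`) and removes `imphash`. No hunk of objects/file/definition.json touches the lines before 26, where the version field presumably sits (the new pe-section template carries `"version": 1` near its top). A consumer that caches or compares templates by version would keep the old key set and could drop or mislabel hashes shared under the new names. Bumping the version in this commit would make the key change visible; the same seems to apply to objects/pe/definition.json, whose -13,22 hunk renames `entrypoint-section` and removes `entropy`.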
@@ -82,14 +82,6 @@
 "text": {
 "misp-attribute": "text",
 "misp-usage-frequency": 1
- },
- "original-filename": {
- "misp-attribute": "original-filename",
- "misp-usage-frequency": 0
- },
- "compilation-timestamp": {
- "misp-attribute": "compilation-timestamp",
- "misp-usage-frequency": 0
 }
 },
 "requiredOneOf": [
@@ -99,11 +91,11 @@
 "ssdeep",
 "imphash",
 "pehash",
- "sha-224",
- "sha-384",
- "sha-512",
- "sha-512/224",
- "sha-512/256",
+ "sha224",
+ "sha384",
+ "sha512",
+ "sha512/224",
+ "sha512/256",
 "tlsh",
 "md5",
 "sha1",
diff --git a/objects/pe-section/definition.json b/objects/pe-section/definition.json
new file mode 100644
index 0000000..2dec02f
--- /dev/null
+++ b/objects/pe-section/definition.json
@@ -0,0 +1,47 @@
+{
+ "name": "pe-section",
+ "meta-category": "file",
+ "description": "Object describing a section of a Portable Executable",
+ "version": 1,
+ "attributes": {
+ "name": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 1
+ },
+ "text": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 1
+ },
+ "size-in-bytes": {
+ "misp-attribute": "size-in-bytes",
+ "misp-usage-frequency": 1
+ },
+ "entropy": {
+ "misp-attribute": "float",
+ "misp-usage-frequency": 0
+ },
+ "md5": {
+ "misp-attribute": "md5",
+ "misp-usage-frequency": 1
+ },
+ "sha1": {
+ "misp-attribute": "sha1",
+ "misp-usage-frequency": 0
+ },
+ "sha256": {
+ "misp-attribute": "sha256",
+ "misp-usage-frequency": 0
+ },
+ "sha512": {
+ "misp-attribute": "sha512",
+ "misp-usage-frequency": 0
+ }
+ },
+ "requiredOneOf": [
+ "text",
+ "name",
+ "sha1",
+ "sha256",
+ "sha512"
+ ]
+}
diff --git a/objects/pe/definition.json b/objects/pe/definition.json
index f015a64..47f2b62 100644
--- a/objects/pe/definition.json
+++ b/objects/pe/definition.json
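Review bot: `"imphash",` is still listed in `requiredOneOf` of objects/file/definition.json (a context line in the -99,11 hunk), but the -26,32 hunk of the same file removes the `imphash` entry from `attributes`. The list now names a key the template no longer defines, so a validator that checks `requiredOneOf` against `attributes` may reject the template, and a `file` object can no longer satisfy the requirement through an import hash. Either delete the `"imphash",` line from the list here or keep the attribute. The `requiredOneOf` array continues past the end of the hunk, so any entries for the removed `original-filename` and `compilation-timestamp` keys should be checked as well.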
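Review bot: `md5` is left out of `requiredOneOf` in the new objects/pe-section/definition.json, although it is the only hash attribute given `"misp-usage-frequency": 1` while `sha1`, `sha256` and `sha512` (all frequency 0) are listed. A section object that carries only the section's MD5 would therefore not satisfy the template. If that is an oversight, add `"md5",` to the list; if it is deliberate, for example to discourage MD5-only objects, the reason is worth recording in the `description`.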
@@ -13,22 +13,18 @@
 "misp-usage-frequency": 1
 },
 "original-filename": {
- "misp-attribute": "original-filename",
+ "misp-attribute": "text",
 "misp-usage-frequency": 1
 },
 "internal-filename": {
- "misp-attribute": "original-filename",
+ "misp-attribute": "text",
 "misp-usage-frequency": 0
 },
 "compilation-timestamp": {
 "misp-attribute": "datetime",
 "misp-usage-frequency": 1
 },
- "entropy": {
- "misp-attribute": "float",
- "misp-usage-frequency": 0
- },
- "entrypoint-section": {
+ "entrypoint-section|position": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0
 },
@@ -55,6 +51,18 @@
 "product-version": {
 "misp-attribute": "text",
 "misp-usage-frequency": 0
+ },
+ "company-name": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "legal-copyright": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
+ },
+ "pe-type": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0
 }
 },
 "requiredOneOf": [
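Review bot: The renamed key `"entrypoint-section|position"` in the -13,22 hunk of objects/pe/definition.json packs two values into one attribute whose type is plain `text`, and nothing in the template states the separator or the order of the two parts. Producers will have to guess the encoding and consumers cannot validate or correlate the section name and the position on their own. Keeping `"entrypoint-section"` and adding a separate attribute for the position would keep each value typed and searchable. Failing that, the expected `name|position` format should be documented in the template. The `attributes` object starts before and continues after this hunk.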
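Review bot: `pe-type` in the -55,6 hunk of objects/pe/definition.json is declared as free `text` with no indication of the values it should hold. Different producers can then record the same kind of binary under different strings, which weakens matching and filtering across shared events. If the template format offers a way to list or constrain the accepted values, use it here; otherwise name the intended vocabulary in the object's description. `company-name` and `legal-copyright` are naturally free text and need nothing more.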