Merge remote-tracking branch 'upstream/master'

pull/193/head
kx499 2018-05-08 14:42:00 -04:00
commit b5da300852
34 changed files with 1808 additions and 58 deletions


@ -70,37 +70,61 @@ for a specific attribute.
* [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file).
* [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
* [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
* [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0.
* [objects/cap-alert](objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
* [objects/cap-info](objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
* [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
* [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency.
* [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
* [objects/course-of-action](objects/course-of-action/definition.json) - An object describing a Course of Action such as a specific measure taken to prevent or respond to an attack.
* [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions.
* [objects/credential](objects/credential/definition.json) - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s).
* [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
* [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
* [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
* [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
* [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
* [objects/email](objects/email/definition.json) - An email object.
* [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
* [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
* [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
* [objects/gtp-attack](objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network.
* [objects/http-request](objects/http-request/definition.json) - A single HTTP request header object.
* [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
* [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way.
* [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation.
* [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format.
* [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format.
* [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook.
* [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
* [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.
* [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection.
* [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
* [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts.
* [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
* [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
* [objects/person](objects/person/definition.json) - A person object which describes a person or an identity.
* [objects/phone](objects/phone/definition.json) - A phone or mobile phone object.
* [objects/process](objects/process/definition.json) - A process object.
* [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
* [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
* [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
* [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
* [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
* [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
* [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system.
* [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.
* [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
* [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
* [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
* [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
* [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported and context (such as memory, network, disk).
## MISP objects relationships


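--- /dev/null
+++ b/objects/bank-account/definition.json
@@ -0,0 +1,170 @@
+{
+"requiredOneOf": [
+"account"
+],
+"attributes": {
+"text": {
+"description": "A description of the bank account.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"institution-name": {
+"description": "Name of the bank or financial organisation.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"institution-code": {
+"description": "Institution code of the bank.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"swift": {
+"description": "SWIFT or BIC as defined in ISO 9362.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "bic"
+},
+"branch": {
+"description": "Branch code or name",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"non-banking-institution": {
+"description": "A flag to define if this account belong to a non-banking organisation. If set to true, it's a non-banking organisation.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "boolean"
+},
+"account": {
+"description": "Account number",
+"ui-priority": 0,
+"misp-attribute": "bank-account-nr"
+},
+"currency-code": {
+"description": "Currency of the account.",
+"ui-priority": 0,
+"sane_default": [
+"USD",
+"EUR"
+],
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"aba-rtn": {
+"description": " ABA routing transit number",
+"ui-priority": 0,
+"misp-attribute": "aba-rtn"
+},
+"account-name": {
+"description": "A field to freely describe the bank account details.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"iban": {
+"description": "IBAN of the bank account.",
+"ui-priority": 0,
+"misp-attribute": "iban"
+},
+"client-number": {
+"description": "Client number as seen by the bank.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"personal-account-type": {
+"description": "Account type.",
+"ui-priority": 0,
+"sane_default": [
+"A - Business",
+"B - Personal Current",
+"C - Savings",
+"D - Trust Account",
+"E - Trading Account",
+"O - Other"
+],
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"opened": {
+"description": "When the account was opened.",
+"ui-priority": 0,
+"misp-attribute": "datetime",
+"disable_correlation": true
+},
+"closed": {
+"description": "When the account was closed.",
+"ui-priority": 0,
+"misp-attribute": "datetime",
+"disable_correlation": true
+},
+"balance": {
+"description": "The balance of the account after the suspicious transaction was processed.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"date-balance": {
+"description": "When the balance was reported.",
+"ui-priority": 0,
+"misp-attribute": "datetime",
+"disable_correlation": true
+},
+"status-code": {
+"description": "Account status at the time of the transaction processed.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true,
+"sane_default": [
+"A - Active",
+"B - Inactive",
+"C - Dormant"
+]
+},
+"beneficiary": {
+"description": "Final beneficiary of the bank account.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"beneficiary-comment": {
+"description": "Comment about the final beneficiary.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"comments": {
+"description": "Comments about the bank account.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"report-code": {
+"description": "Report code of the bank account.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true,
+"sane_default": [
+"CTR Cash Transaction Report",
+"STR Suspicious Transaction Report",
+"EFT Electronic Funds Transfer",
+"IFT International Funds Transfer",
+"TFR Terror Financing Report",
+"BCR Border Cash Report",
+"UTR Unusual Transaction Report",
+"AIF Additional Information File Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.",
+"IRI Incoming Request for Information International",
+"ORI Outgoing Request for Information International",
+"IRD Incoming Request for Information Domestic",
+"ORD Outgoing Request for Information Domestic"
+]
+}
+},
+"version": 1,
+"description": "An object describing bank account information based on account description from goAML 4.0.",
+"meta-category": "financial",
+"uuid": "b4712203-95a8-4883-80e9-b566f5df11c9",
+"name": "bank-account"
+}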
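Review bot: The `aba-rtn` description carries a leading space, `" ABA routing transit number"`, which is shown verbatim wherever the template is rendered; trim it and close it with a period like the surrounding descriptions, `"description": "ABA routing transit number."`. The `branch` description `"Branch code or name"` is the only other one in this file without the closing period. Leaving correlation enabled on `account`, `iban` and `aba-rtn` while disabling it on `swift` looks deliberate, since a BIC is shared by every account at the institution, but a one-line remark in the template description would save the next reader the guess.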


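--- /dev/null
+++ b/objects/cap-alert/definition.json
@@ -0,0 +1,108 @@
+{
+"requiredOneOf": [
+"msgType"
+],
+"attributes": {
+"identifier": {
+"description": "The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.",
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"sender": {
+"description": "The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"sent": {
+"description": "The time and date of the origination of the alert message.",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "datetime"
+},
+"status": {
+"description": "The code denoting the appropriate handling of the alert message.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"sane_default": [
+"Actual",
+"Exercise",
+"System",
+"Test",
+"Draft"
+]
+},
+"msgType": {
+"description": "The code denoting the nature of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text",
+"sane_default": [
+"Alert",
+"Update",
+"Cancel",
+"Ack",
+"Error"
+]
+},
+"source": {
+"description": "The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"scope": {
+"description": "The code denoting the intended distribution of the alert message. ",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true,
+"sane_default": [
+"Public",
+"Restricted",
+"Private"
+]
+},
+"restriction": {
+"description": "The text describing the rule for limiting distribution of the restricted alert message.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"addresses": {
+"description": "The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes. ",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"code": {
+"description": "The code denoting the special handling of the alert message.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"note": {
+"description": "The text describing the purpose or significance of the alert message.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"references": {
+"description": "The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"incident": {
+"description": "The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+}
+},
+"version": 1,
+"description": "Common Alerting Protocol Version (CAP) alert object",
+"meta-category": "misc",
+"uuid": "03b107bb-133d-4180-87ff-e3dbe731f828",
+"name": "cap-alert"
+}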
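Review bot: `status` is the only enumerated attribute in this template without `"disable_correlation": true`; its value is one of the five fixed codes in `sane_default`, so every alert marked `Actual` would correlate with every other alert and produce noise rather than a meaningful link. Add `"disable_correlation": true,` after `"ui-priority": 0,` as `msgType` and `scope` already do. The descriptions of `scope` and `addresses` end with a trailing space, and so does `language` in the cap-info template further down this commit; the quoted spec text does not need it. Mirroring CAP's camelCase element names (`msgType`, and `responseType`, `resourceDesc`, `derefUri` in the sibling templates) instead of the repository's kebab-case is defensible for a spec-derived object, but a sentence saying so in the template description would prevent a later "fix".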


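--- /dev/null
+++ b/objects/cap-info/definition.json
@@ -0,0 +1,171 @@
+{
+"requiredOneOf": [
+"category"
+],
+"attributes": {
+"language": {
+"description": "The code denoting the language of the info sub-element of the alert message. ",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"category": {
+"description": "The code denoting the category of the subject event of the alert message.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"sane_default": [
+"Geo",
+"Met",
+"Safety",
+"Security",
+"Rescue",
+"Fire",
+"Health",
+"Env",
+"Transport",
+"Infra",
+"CBRNE",
+"Other"
+],
+"disable_correlation": true
+},
+"event": {
+"description": "The text denoting the type of the subject event of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"responseType": {
+"description": "The code denoting the type of action recommended for the target audience.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text",
+"sane_default": [
+"Shelter",
+"Evacuate",
+"Prepare",
+"Execute",
+"Avoid",
+"Monitor",
+"Assess",
+"AllClear",
+"None"
+]
+},
+"urgency": {
+"description": "The code denoting the urgency of the subject event of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text",
+"sane_default": [
+"Immediate",
+"Expected",
+"Future",
+"Past",
+"Unknown"
+]
+},
+"severity": {
+"description": "The code denoting the severity of the subject event of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text",
+"sane_default": [
+"Extreme",
+"Severe",
+"Moderate",
+"Minor",
+"Unknown"
+]
+},
+"certainty": {
+"description": "The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text",
+"sane_default": [
+"Likely",
+"Possible",
+"Unlikely",
+"Unknown"
+]
+},
+"audience": {
+"description": "The text describing the intended audience of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"eventCode": {
+"description": "A system-specific code identifying the event type of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"effective": {
+"description": "The effective time of the information of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "datetime"
+},
+"onset": {
+"description": "The expected time of the beginning of the subject event of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "datetime"
+},
+"expires": {
+"description": "The expiry time of the information of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "datetime"
+},
+"senderName": {
+"description": "The text naming the originator of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"headline": {
+"description": "The text headline of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"description": {
+"description": "The text describing the subject event of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"instruction": {
+"description": "The text describing the recommended action to be taken by recipients of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"web": {
+"description": "The identifier of the hyperlink associating additional information with the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "link"
+},
+"contact": {
+"description": "The text describing the contact for follow-up and confirmation of the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"parameter": {
+"description": "A system-specific additional parameter associated with the alert message.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+}
+},
+"version": 1,
+"description": "Common Alerting Protocol Version (CAP) info object",
+"meta-category": "misc",
+"uuid": "826c25e6-fdd5-4e4a-b081-be5ba3ac2c3d",
+"name": "cap-info"
+}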
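Review bot: `parameter` and `eventCode` are declared as single values, but a CAP info block can carry several of each (they are valueName/value pairs in the spec), so a second occurrence has nowhere to go without creating another object. If repetition is intended, `"multiple": true` — the form the cowrie template in this commit uses for `password` — is the existing way to express it; otherwise the two descriptions should state that only one pair is retained. Either way the descriptions should say how the valueName and value are packed into the single `text` value, since that is what a producer and a consumer must agree on.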


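--- /dev/null
+++ b/objects/cap-resource/definition.json
@@ -0,0 +1,46 @@
+{
+"requiredOneOf": [
+"resourceDesc"
+],
+"attributes": {
+"resourceDesc": {
+"description": "The text describing the type and content of the resource file.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"mimeType": {
+"description": "The identifier of the MIME content type and sub-type describing the resource file.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "mime-type"
+},
+"size": {
+"description": "The integer indicating the size of the resource file.",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"uri": {
+"description": "The identifier of the hyperlink for the resource file.",
+"ui-priority": 0,
+"misp-attribute": "link"
+},
+"derefUri": {
+"description": "The base-64 encoded data content of the resource file.",
+"ui-priority": 0,
+"misp-attribute": "attachment",
+"disable_correlation": true
+},
+"digest": {
+"description": "The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL).",
+"ui-priority": 0,
+"misp-attribute": "sha1"
+}
+},
+"version": 1,
+"description": "Common Alerting Protocol Version (CAP) resource object",
+"meta-category": "misc",
+"uuid": "6fddc76b-59fc-49f6-a673-52f8d15149c4",
+"name": "cap-resource"
+}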
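Review bot: `size` is described as an integer but typed `text`, so the value is neither validated nor comparable as a number; the fail2ban template in this commit uses `counter` for a numeric field and MISP also has a `size-in-bytes` type, which fits here: `"misp-attribute": "size-in-bytes"`. The `derefUri` description says "base-64 encoded" while the attribute type is `attachment`; if the content is decoded before being stored the description should say the attachment holds the decoded file, otherwise a consumer will not know which form to expect. Keeping correlation on `uri` and `digest` while disabling it on the rest is sensible, since those are the two values that identify the same resource across alerts.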


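--- /dev/null
+++ b/objects/course-of-action/definition.json
@@ -0,0 +1,104 @@
+{
+"requiredOneOf": [
+"name",
+"type"
+],
+"attributes": {
+"name": {
+"description": "The name used to identify the course of action.",
+"misp-attribute": "text",
+"ui-priority": 0,
+"disable_correlation": true
+},
+"type": {
+"description": "The type of the course of action.",
+"misp-attribute": "text",
+"ui-priority": 0,
+"disable_correlation": true,
+"sane_default": [
+"Perimeter Blocking",
+"Internal Blocking",
+"Redirection",
+"Redirection (Honey Pot)",
+"Hardening",
+"Patching",
+"Eradication",
+"Rebuilding",
+"Training",
+"Monitoring",
+"Physical Access Restrictions",
+"Logical Access Restrictions",
+"Public Disclosure",
+"Diplomatic Actions",
+"Policy Actions",
+"Other"
+]
+},
+"description": {
+"description": "A description of the course of action.",
+"misp-attribute": "text",
+"ui-priority": 0,
+"disable_correlation": true
+},
+"objective": {
+"description": "The objective of the course of action.",
+"misp-attribute": "text",
+"ui-priority": 0,
+"disable_correlation": true
+},
+"stage": {
+"description": "The stage of the threat management lifecycle that the course of action is applicable to.",
+"misp-attribute": "text",
+"ui-priority": 0,
+"disable_correlation": true,
+"sane_default": [
+"Remedy",
+"Response"
+]
+},
+"cost": {
+"description": "The estimated cost of applying the course of action.",
+"misp-attribute": "text",
+"ui-priority": 0,
+"disable_correlation": true,
+"sane_default": [
+"High",
+"Medium",
+"Low",
+"None",
+"Unknown"
+]
+},
+"impact": {
+"description": "The estimated impact of applying the course of action.",
+"misp-attribute": "text",
+"ui-priority": 0,
+"disable_correlation": true,
+"sane_default": [
+"High",
+"Medium",
+"Low",
+"None",
+"Unknown"
+]
+},
+"efficacy": {
+"description": "The estimated efficacy of applying the course of action.",
+"misp-attribute": "text",
+"ui-priority": 0,
+"disable_correlation": true,
+"sane_default": [
+"High",
+"Medium",
+"Low",
+"None",
+"Unknown"
+]
+}
+},
+"version": 1,
+"description": "An object describing a specific measure taken to prevent or respond to an attack.",
+"meta-category": "misc",
+"uuid": "3d1c2c06-68a9-4394-8c8d-258d115f796f",
+"name": "course-of-action"
+}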


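--- /dev/null
+++ b/objects/cowrie/definition.json
@@ -0,0 +1,126 @@
+{
+"requiredOneOf": [
+"session"
+],
+"attributes": {
+"eventid": {
+"description": "Eventid of the session in the cowrie honeypot",
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"system": {
+"description": "System origin in cowrie honeypot",
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"username": {
+"description": "Username related to the password(s)",
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"password": {
+"description": "Password",
+"multiple": true,
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"session": {
+"description": "Session id",
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"timestamp": {
+"description": "When the event happened",
+"ui-priority": 1,
+"misp-attribute": "datetime",
+"disable_correlation": true
+},
+"message": {
+"description": "Message of the cowrie honeypot",
+"ui-priority": 1,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"protocol": {
+"description": "Protocol used in the cowrie honeypot",
+"ui-priority": 1,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"sensor": {
+"description": "Cowrie sensor name",
+"ui-priority": 1,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"src_ip": {
+"description": "Source IP address of the session",
+"ui-priority": 1,
+"misp-attribute": "ip-src"
+},
+"dst_ip": {
+"description": "Destination IP address of the session",
+"ui-priority": 1,
+"misp-attribute": "ip-dst",
+"disable_correlation": true
+},
+"src_port": {
+"description": "Source port of the session",
+"ui-priority": 1,
+"misp-attribute": "port",
+"disable_correlation": true
+},
+"dst_port": {
+"description": "Destination port of the session",
+"ui-priority": 1,
+"misp-attribute": "port",
+"disable_correlation": true
+},
+"isError": {
+"description": "isError",
+"ui-priority": 1,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"input": {
+"description": "Input of the session",
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"macCS": {
+"description": "SSH MAC supported in the sesssion",
+"multiple": true,
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"keyAlgs": {
+"description": "SSH public-key algorithm supported in the session",
+"multiple": true,
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"encCS": {
+"description": "SSH symmetric encryption algorithm supported in the session",
+"multiple": true,
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"compCS": {
+"description": "SSH compression algorithm supported in the session",
+"multiple": true,
+"ui-priority": 1,
+"misp-attribute": "text",
+"disable_correlation": true
+}
+},
+"version": 2,
+"description": "Cowrie honeypot object template",
+"meta-category": "network",
+"uuid": "ae085d32-6534-4d52-b3eb-063fccb753e7",
+"name": "cowrie"
+}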
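Review bot: The `isError` description is just the attribute's own name, `"description": "isError"`, so a user filling the template learns nothing about what goes in it; it should state what the flag records, something like `"description": "Whether cowrie flagged the command as having failed"` if that is what the source field carries — the exact cowrie semantics are not visible here, so confirm before wording it. `macCS` has a typo in its description, `sesssion` → `session`. `username`, `password`, `input` and `session` keep correlation enabled while `src_ip` is the only network value that correlates; that reads as intentional (the honeypot's own address is noise, the attacker's is signal), and a short line in the template description saying so would spare the next maintainer from toggling it.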


@ -3,7 +3,7 @@
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"meta-category": "network",
"description": "Email object describing an email with meta-information",
"version": 7,
"version": 11,
"attributes": {
"reply-to": {
"description": "Email address the reply will be sent to",
@ -16,6 +16,7 @@
"message-id": {
"description": "Message ID",
"misp-attribute": "email-message-id",
"disable_correlation": true,
"ui-priority": 0,
"categories": [
"Payload delivery"
@ -24,6 +25,7 @@
"to": {
"description": "Destination email address",
"misp-attribute": "email-dst",
"disable_correlation": true,
"ui-priority": 1,
"categories": [
"Payload delivery"
@ -33,6 +35,7 @@
"cc": {
"description": "Carbon copy",
"misp-attribute": "email-dst",
"disable_correlation": true,
"ui-priority": 1,
"categories": [
"Payload delivery"
@ -59,6 +62,7 @@
"screenshot": {
"description": "Screenshot of email",
"misp-attribute": "attachment",
"disable_correlation": true,
"ui-priority": 1,
"categories": [
"External analysis"
@ -76,6 +80,7 @@
"x-mailer": {
"description": "X-Mailer generally tells the program that was used to draft and send the original email",
"misp-attribute": "email-x-mailer",
"disable_correlation": true,
"ui-priority": 0,
"categories": [
"Payload delivery"
@ -84,6 +89,7 @@
"header": {
"description": "Full headers",
"misp-attribute": "email-header",
"disable_correlation": true,
"ui-priority": 0,
"categories": [
"Payload delivery"
@ -102,6 +108,7 @@
"mime-boundary": {
"description": "MIME Boundary",
"misp-attribute": "email-mime-boundary",
"disable_correlation": true,
"ui-priority": 0,
"categories": [
"Payload delivery"
@ -110,6 +117,7 @@
"thread-index": {
"description": "Identifies a particular conversation thread",
"misp-attribute": "email-thread-index",
"disable_correlation": true,
"ui-priority": 0,
"categories": [
"Payload delivery"
@ -125,7 +133,7 @@
},
"return-path": {
"description": "Message return path",
"misp-attribute": "text",
"misp-attribute": "email-src",
"ui-priority": 1,
"categories": [
"Payload delivery"
@ -138,6 +146,27 @@
"categories": [
"Payload delivery"
]
},
"email-body": {
"description": "Body of the email",
"misp-attribute": "email-body",
"disable_correlation": true,
"ui-priority": 1,
"categories": [
"Payload delivery"
]
},
"user-agent": {
"description": "User Agent of the sender",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"eml": {
"description": "Full EML",
"misp-attribute": "attachment",
"disable_correlation": true,
"ui-priority": 1
}
},
"requiredOneOf": [
@ -155,6 +184,8 @@
"thread-index",
"header",
"x-mailer",
"return-path"
"return-path",
"email-body",
"eml"
]
}
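Review bot: `return-path` changes type from `text` to `email-src` (the `"misp-attribute": "email-src"` line in the `-125,7 +133,7` hunk), but a Return-Path header value is routinely the empty `<>` on bounce messages or wrapped in angle brackets, and if MISP validates `email-src` as a bare address those raw values will be rejected at ingest; either keep `text` or state in the description that the bare address must be extracted first, `"description": "Message return path (bare address, without angle brackets)"`. The new `user-agent` attribute is typed `text`, while the http-request template in this same commit types its user agent as `user-agent`; using that type here keeps the two templates consistent unless the email header was deliberately kept free-form. The `attributes` object starts before the first hunk and the `requiredOneOf` list ends inside the last one.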


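--- /dev/null
+++ b/objects/fail2ban/definition.json
@@ -0,0 +1,61 @@
+{
+"required": [
+"banned-ip",
+"processing-timestamp",
+"attack-type"
+],
+"attributes": {
+"banned-ip": {
+"description": "IP Address banned by fail2ban",
+"ui-priority": 1,
+"misp-attribute": "ip-src"
+},
+"processing-timestamp": {
+"description": "Timestamp of the report",
+"ui-priority": 1,
+"misp-attribute": "datetime",
+"disable_correlation": true
+},
+"attack-type": {
+"description": "Type of the attack",
+"ui-priority": 1,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"failures": {
+"description": "Amount of failures that lead to the ban.",
+"ui-priority": 1,
+"misp-attribute": "counter",
+"disable_correlation": true
+},
+"sensor": {
+"description": "Identifier of the sensor",
+"ui-priority": 1,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"victim": {
+"description": "Identifier of the victim",
+"ui-priority": 1,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"logline": {
+"description": "Example log line that caused the ban.",
+"ui-priority": 1,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"logfile": {
+"description": "Full logfile related to the attack.",
+"ui-priority": 1,
+"misp-attribute": "attachment",
+"disable_correlation": true
+}
+},
+"version": 5,
+"description": "Fail2ban event",
+"meta-category": "network",
+"uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
+"name": "fail2ban"
+}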
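Review bot: The template `uuid` `8be2271-7326-41a5-a0dd-9b4bec88e1ba` is malformed — its first group has seven hex digits instead of eight, so it is not a valid UUID and any consumer that validates or canonicalises template identifiers will reject or mis-key this template (every other template on this page uses the 8-4-4-4-12 form). Replace it with a freshly generated version-4 UUID rather than padding the existing string, since a padded value could collide with whatever instance already used the broken one. `"version": 5` on a file that is new in this commit suggests earlier revisions lived in another branch; that is fine if the identifier was already published, otherwise the version should start at 1 alongside the new uuid. The `logfile` attachment and `logline` text may contain credentials or other sensitive material copied from the log; the descriptions could remind the submitter to redact before sharing.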


@ -17,7 +17,8 @@
"tlsh",
"pattern-in-file",
"x509-fingerprint-sha1",
"malware-sample"
"malware-sample",
"path"
],
"attributes": {
"md5": {
@ -124,6 +125,13 @@
"ui-priority": 1,
"misp-attribute": "filename"
},
"path": {
"description": "Path of the filename complete or partial",
"disable_correlation": true,
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"tlsh": {
"description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
"ui-priority": 0,
@ -138,7 +146,7 @@
"description": "Mime type",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "mime-type"
},
"state": {
"misp-attribute": "text",
@ -156,7 +164,7 @@
]
}
},
"version": 9,
"version": 11,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
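Review bot: The new `path` attribute's description, `"Path of the filename complete or partial"`, reads awkwardly; `"Full or partial path of the file"` says the same thing. Since `path` is also appended to `requiredOneOf`, a file object may now consist solely of a free-text, non-correlating path, which is a legitimate outcome but worth stating in the template description so consumers do not assume a hash is always present. The `attributes` object and the `requiredOneOf` list both start and end outside the hunks shown.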


@ -42,6 +42,16 @@
"ui-priority": 0,
"misp-attribute": "float"
},
"address": {
"description": "Address.",
"misp-attribute": "text",
"ui-priority": 1
},
"zipcode": {
"description": "Zip Code.",
"misp-attribute": "text",
"ui-priority": 1
},
"city": {
"description": "City.",
"misp-attribute": "text",
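Review bot: `zipcode` and `address` are added without `"disable_correlation": true`, so they correlate by default; a postal code is a low-cardinality value shared by many unrelated events, and a street address is personal data, so leaving both correlating silently links events across cases that have nothing in common. Add `"disable_correlation": true` to `zipcode` at least, and decide explicitly for `address`. The surrounding attributes are outside the hunk, so whether the rest of this template disables correlation cannot be confirmed from here; the enclosing `attributes` object starts and ends outside the hunk.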


@ -1,6 +1,6 @@
{
"required": [
"method",
"requiredOneOf": [
"url",
"uri"
],
"attributes": {
@ -111,7 +111,7 @@
"misp-attribute": "user-agent"
}
},
"version": 1,
"version": 2,
"description": "A single HTTP request header",
"meta-category": "network",
"uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",


@ -1,9 +1,9 @@
{
"requiredOneOf": [
"dst-port",
"src-port"
],
"required": [
"src-port",
"domain",
"hostname",
"ip"
],
"attributes": {
@ -41,7 +41,29 @@
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "port"
"misp-attribute": "port",
"disable_correlation": true,
"multiple": true
},
"domain": {
"description": "Domain",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain",
"multiple": true
},
"hostname": {
"description": "Hostname",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "hostname",
"multiple": true
},
"ip": {
"description": "IP Address",
@ -50,11 +72,12 @@
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst"
"misp-attribute": "ip-dst",
"multiple": true
}
},
"version": 5,
"description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.",
"version": 7,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
"name": "ip-port"
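Review bot: `ip`, `domain`, `hostname` and the port now all carry `"multiple": true`, so a single object can hold several endpoints and several ports with nothing recording which were observed together, while the description still promises "a tuple (or as a triple)". Either state the limitation in the description, e.g. append `" When several values are given, no pairing between them is implied."`, or leave `multiple` off the port. If I read the first hunk correctly, `required` is dropped and every attribute moves into `requiredOneOf`, which makes an object consisting of only a `dst-port` valid; keeping an endpoint (`ip`, `domain` or `hostname`) required seems preferable. The port attribute edited in the second hunk begins outside it.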


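--- /dev/null
+++ b/objects/legal-entity/definition.json
@@ -0,0 +1,48 @@
+{
+"requiredOneOf": [
+"name"
+],
+"attributes": {
+"text": {
+"description": "A description of the entity.",
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"name": {
+"description": "Name of an entity.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"commercial-name": {
+"description": "Commercial name of an entity.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"legal-form": {
+"description": "Legal form of an entity.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"registration-number": {
+"description": "Registration number of an entity in the relevant authority.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"business": {
+"description": "Business area of an entity.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"phone-number": {
+"description": "Phone number of an entity.",
+"ui-priority": 0,
+"misp-attribute": "phone-number"
+}
+},
+"version": 1,
+"description": "An object to describe a legal entity.",
+"meta-category": "misc",
+"uuid": "14f5688f-d89c-469f-9878-c48bf6c41c65",
+"name": "legal-entity"
+}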
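Review bot: `legal-form` and `business` keep correlation enabled, but their values ("GmbH", "LLC", "retail") are shared by thousands of unrelated entities and will link every event that mentions them; `text` in this same object already uses `"disable_correlation": true`, and the same flag belongs on these two. `registration-number` is only meaningful together with the issuing authority, so its description should say which authority or country the number is registered with, or a `registration-authority` attribute should accompany it. The `requiredOneOf` of just `name` is fine, but `registration-number` is the one value that actually identifies an entity uniquely and could be listed there too.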


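--- /dev/null
+++ b/objects/mutex/definition.json
@@ -0,0 +1,31 @@
+{
+"requiredOneOf": [
+"name"
+],
+"attributes": {
+"description": {
+"description": "Description",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"operating-system": {
+"description": "Operating system where the mutex has been seen",
+"ui-priority": 0,
+"misp-attribute": "text",
+"sane_default": [
+"Windows",
+"Unix"
+]
+},
+"name": {
+"description": "name of the mutex",
+"ui-priority": 0,
+"misp-attribute": "text"
+}
+},
+"version": 1,
+"description": "Object to describe mutual exclusion locks (mutex) as seen in memory or computer program",
+"meta-category": "misc",
+"uuid": "9f5c1a68-2021-4faa-b409-61c899c86466",
+"name": "mutex"
+}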
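Review bot: `operating-system` and `description` correlate by default, so every mutex object tagged "Windows" will correlate with every other one; both should carry `"disable_correlation": true`, as the `text` attribute of the legal-entity object in this commit does. The `name` attribute is typed `text`, whereas MISP has a dedicated `mutex` attribute type which keeps the indicator correlating with plain mutex attributes already in events; if the target MISP version provides it, `"misp-attribute": "mutex"` is the better choice. `"description": "name of the mutex"` is the only description in the object starting in lowercase.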


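--- /dev/null
+++ b/objects/network-connection/definition.json
@@ -0,0 +1,96 @@
+{
+"name": "network-connection",
+"uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
+"meta-category": "network",
+"description": "A local or remote network connection.",
+"version": 1,
+"attributes": {
+"ip-src": {
+"description": "Source IP address of the nework connection.",
+"ui-priority": 1,
+"categories": [
+"Network activity",
+"External analysis"
+],
+"misp-attribute": "ip-src"
+},
+"ip-dst": {
+"description": "Destination IP address of the nework connection.",
+"ui-priority": 1,
+"categories": [
+"Network activity",
+"External analysis"
+],
+"misp-attribute": "ip-dst"
+},
+"src-port": {
+"description": "Source port of the nework connection.",
+"ui-priority": 1,
+"categories": [
+"Network activity",
+"External analysis"
+],
+"misp-attribute": "port"
+},
+"dst-port": {
+"description": "Destination port of the nework connection.",
+"ui-priority": 1,
+"categories": [
+"Network activity",
+"External analysis"
+],
+"misp-attribute": "port"
+},
+"hostname-src": {
+"description": "Source hostname of the network connection.",
+"ui-priority": 1,
+"misp-attribute": "hostname"
+},
+"hostname-dst": {
+"description": "Destination hostname of the network connection.",
+"ui-priority": 1,
+"misp-attribute": "hostname"
+},
+"layer3-protocol": {
+"description": "Layer 3 protocol of the network connection.",
+"ui-priority": 0,
+"sane_default": [
+"IP",
+"ICMP",
+"ARP"
+],
+"misp-attribute": "text"
+},
+"layer4-protocol": {
+"description": "Layer 4 protocol of the network connection.",
+"ui-priority": 0,
+"sane_default": [
+"TCP",
+"UDP"
+],
+"misp-attribute": "text"
+},
+"layer7-protocol": {
+"description": "Layer 7 protocol of the network connection.",
+"ui-priority": 0,
+"sane_default": [
+"HTTP",
+"HTTPS",
+"FTP"
+],
+"misp-attribute": "text"
+},
+"first-packet-seen": {
+"misp-attribute": "datetime",
+"ui-priority": 1,
+"description": "Datetime of the first packet seen."
+}
+},
+"requiredOneOf": [
+"first-packet-seen",
+"ip-src",
+"ip-dst",
+"src-port",
+"dst-port"
+]
+}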
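Review bot: `first-packet-seen` in `requiredOneOf` makes an object that contains only a timestamp and no endpoint valid; it should be dropped from that list, and the three `layerN-protocol` attributes plus `first-packet-seen` should get `"disable_correlation": true`, since "TCP" or a timestamp correlating across events is pure noise. The descriptions of `ip-src`, `ip-dst`, `src-port` and `dst-port` all spell "nework" for "network". `hostname-src` and `hostname-dst` lack the `categories` the IP and port attributes carry, and the protocol lists use `sane_default` while the sibling network-socket object uses `values_list` for the same kind of field; pick one form for both objects.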


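--- /dev/null
+++ b/objects/network-socket/definition.json
@@ -0,0 +1,194 @@
+{
+"name": "network-socket",
+"uuid": "48bbfd72-ef8e-4649-b14d-41b4b5a0eba2",
+"meta-category": "network",
+"description": "Network socket object describes a local or remote network connections based on the socket data structure.",
+"version": 1,
+"attributes": {
+"ip-src": {
+"description": "Source (local) IP address of the network socket connection.",
+"ui-priority": 1,
+"categories": [
+"Network activity",
+"External analysis"
+],
+"misp-attribute": "ip-src"
+},
+"hostname-src": {
+"description": "Source (local) hostname of the network socket connection.",
+"ui-priority": 1,
+"misp-attribute": "hostname"
+},
+"ip-dst": {
+"description": "Destination IP address of the network socket connection.",
+"ui-priority": 1,
+"categories": [
+"Network activity",
+"External analysis"
+],
+"misp-attribute": "ip-dst"
+},
+"hostname-dst": {
+"description": "Destination hostname of the network socket connection.",
+"ui-priority": 1,
+"misp-attribute": "hostname"
+},
+"src-port": {
+"description": "Source (local) port of the network socket connection.",
+"ui-priority": 1,
+"categories": [
+"Network activity",
+"External analysis"
+],
+"misp-attribute": "port"
+},
+"dst-port": {
+"description": "Destination port of the network socket connection.",
+"ui-priority": 1,
+"categories": [
+"Network activity",
+"External analysis"
+],
+"misp-attribute": "port"
+},
+"protocol": {
+"misp-attribute": "text",
+"ui-priority": 0,
+"values_list": [
+"TCP",
+"UDP",
+"ICMP",
+"IP"
+],
+"description": "Protocol used by the network socket."
+},
+"address-family": {
+"description": "Address family who specifies the address family type (AF_*) of the socket connection.",
+"ui-priority": 1,
+"sane_default": [
+"AF_UNSPEC",
+"AF_LOCAL",
+"AF_UNIX",
+"AF_FILE",
+"AF_INET",
+"AF_AX25",
+"AF_IPX",
+"AF_APPLETALK",
+"AF_NETROM",
+"AF_BRIDGE",
+"AF_ATMPVC",
+"AF_X25",
+"AF_INET6",
+"AF_ROSE",
+"AF_DECnet",
+"AF_NETBEUI",
+"AF_SECURITY",
+"AF_KEY",
+"AF_NETLINK",
+"AF_ROUTE",
+"AF_PACKET",
+"AF_ASH",
+"AF_ECONET",
+"AF_ATMSVC",
+"AF_RDS",
+"AF_SNA",
+"AF_IRDA",
+"AF_PPPOX",
+"AF_WANPIPE",
+"AF_LLC",
+"AF_IB",
+"AF_MPLS",
+"AF_CAN",
+"AF_TIPC",
+"AF_BLUETOOTH",
+"AF_IUCV",
+"AF_RXRPC",
+"AF_ISDN",
+"AF_PHONET",
+"AF_IEEE802154",
+"AF_CAIF",
+"AF_ALG",
+"AF_NFC",
+"AF_VSOCK",
+"AF_KCM",
+"AF_MAX"
+],
+"misp-attribute": "text"
+},
+"domain-family": {
+"description": "Domain family who specifies the communication domain (PF_*) of the socket connection.",
+"ui-priority": 1,
+"sane_default": [
+"PF_UNSPEC",
+"PF_LOCAL",
+"PF_UNIX",
+"PF_FILE",
+"PF_INET",
+"PF_AX25",
+"PF_IPX",
+"PF_APPLETALK",
+"PF_NETROM",
+"PF_BRIDGE",
+"PF_ATMPVC",
+"PF_X25",
+"PF_INET6",
+"PF_ROSE",
+"PF_DECnet",
+"PF_NETBEUI",
+"PF_SECURITY",
+"PF_KEY",
+"PF_NETLINK",
+"PF_ROUTE",
+"PF_PACKET",
+"PF_ASH",
+"PF_ECONET",
+"PF_ATMSVC",
+"PF_RDS",
+"PF_SNA",
+"PF_IRDA",
+"PF_PPPOX",
+"PF_WANPIPE",
+"PF_LLC",
+"PF_IB",
+"PF_MPLS",
+"PF_CAN",
+"PF_TIPC",
+"PF_BLUETOOTH",
+"PF_IUCV",
+"PF_RXRPC",
+"PF_ISDN",
+"PF_PHONET",
+"PF_IEEE802154",
+"PF_CAIF",
+"PF_ALG",
+"PF_NFC",
+"PF_VSOCK",
+"PF_KCM",
+"PF_MAX"
+],
+"misp-attribute": "text"
+},
+"state": {
+"description": "State of the socket connection.",
+"multiple": true,
+"sane_default": [
+"blocking",
+"listening"
+],
+"misp-attribute": "text",
+"ui-priority": 1
+},
+"option": {
+"description": "Option on the socket connection.",
+"multiple": true,
+"misp-attribute": "text",
+"ui-priority": 1
+}
+},
+"requiredOneOf": [
+"ip-src",
+"ip-dst",
+"src-port",
+"dst-port"
+]
+}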
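Review bot: `address-family` and `domain-family` carry the same list twice under different prefixes, and on every mainstream platform the `PF_*` constants are defined as their `AF_*` counterparts, so the second attribute can only drift from the first; one attribute is enough, or the description should say when they are expected to differ. `AF_MAX`/`PF_MAX` are upper-bound sentinels, not families, and should not be offered as defaults. `protocol`, `address-family`, `domain-family`, `state` and `option` all describe the socket rather than identify it, so each should carry `"disable_correlation": true`; as written, every object with `"TCP"` correlates with every other. The `state` defaults mix a blocking mode with a connection state; if TCP states are meant, the usual names (`"LISTEN"`, `"ESTABLISHED"`, `"TIME_WAIT"`, ...) are more useful to analysts than `"blocking"`.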


@ -6,22 +6,25 @@
],
"attributes": {
"zone_time_last": {
"description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",
"description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"text": {
"description": "",
"description": "Description of the passive DNS record.",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"count": {
"description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers",
"description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",
"ui-priority": 0,
"misp-attribute": "counter"
"misp-attribute": "counter",
"disable_correlation": true
},
"rrname": {
"description": "Resource Record name of the queried resource",
"description": "Resource Record name of the queried resource.",
"categories": [
"Network activity",
"External analysis"
@ -30,7 +33,7 @@
"misp-attribute": "text"
},
"rrtype": {
"description": "Resource Record type as seen by the passive DNS",
"description": "Resource Record type as seen by the passive DNS.",
"categories": [
"Network activity",
"External analysis"
@ -51,7 +54,8 @@
"NAPTR",
"HINFO",
"A6"
]
],
"disable_correlation": true
},
"rdata": {
"description": "Resource records of the queried resource",
@ -61,35 +65,41 @@
"zone_time_first": {
"description": "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"origin": {
"description": "Origin of the Passive DNS response",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"time_last": {
"description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"time_first": {
"description": "First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"bailiwick": {
"description": "Best estimate of the apex of the zone where this data is authoritative",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"sensor_id": {
"description": "Sensor information where the record was seen",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 2,
"version": 3,
"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
"meta-category": "network",
"uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
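Review bot: The commit adds a trailing period to `zone_time_last`, `text`, `count`, `rrname` and `rrtype` but leaves `rdata`, `zone_time_first`, `origin`, `time_last`, `time_first`, `bailiwick` and `sensor_id` without one, so the descriptions are now inconsistent within the same object; since their lines are touched anyway for `disable_correlation`, finishing the sweep costs nothing. The `disable_correlation` choices themselves look right: `rrname` and `rdata` remain the only correlating values, and they are the ones analysts want to pivot on.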


@ -16,14 +16,32 @@
"misp-attribute": "last-name"
},
"middle-name": {
"description": "Middle name of a natural person",
"description": "Middle name of a natural person.",
"ui-priority": 0,
"misp-attribute": "middle-name"
},
"first-name": {
"description": "First name of a natural person.",
"ui-priority": 0,
"misp-attribute": "first-name"
"misp-attribute": "first-name",
"disable_correlation": true
},
"mothers-name": {
"description": "Mother name, father, second name or other names following country's regulation.",
"ui-priority": 1,
"misp-attribute": "text"
},
"title": {
"description": "Title of the natural person such as Dr. or equivalent.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"alias": {
"description": "Alias name or known as.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"date-of-birth": {
"description": "Date of birth of a natural person (in YYYY-MM-DD format).",
@ -33,7 +51,8 @@
"place-of-birth": {
"description": "Place of birth of a natural person.",
"ui-priority": 0,
"misp-attribute": "place-of-birth"
"misp-attribute": "place-of-birth",
"disable_correlation": true
},
"gender": {
"description": "The gender of a natural person.",
@ -44,7 +63,13 @@
"Female",
"Other",
"Prefer not to say"
]
],
"disable_correlation": true
},
"identity-card-number": {
"description": "The identity card number of a natural person.",
"ui-priority": 0,
"misp-attribute": "identity-card-number"
},
"passport-number": {
"description": "The passport number of a natural person.",
@ -54,26 +79,35 @@
"passport-country": {
"description": "The country in which the passport was issued.",
"ui-priority": 0,
"misp-attribute": "passport-country"
"misp-attribute": "passport-country",
"disable_correlation": true
},
"passport-expiration": {
"description": "The expiration date of a passport.",
"ui-priority": 0,
"misp-attribute": "passport-expiration"
"misp-attribute": "passport-expiration",
"disable_correlation": true
},
"redress-number": {
"description": "The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.",
"ui-priority": 0,
"misp-attribute": "redress-number"
},
"social-security-number": {
"description": "Social security number",
"ui-priority": 0,
"misp-attribute": "text"
},
"nationality": {
"description": "The nationality of a natural person.",
"ui-priority": 0,
"misp-attribute": "nationality"
"misp-attribute": "nationality",
"multiple": true,
"disable_correlation": true
}
},
"version": 2,
"description": "An person which describes a person or an identity.",
"version": 3,
"description": "An object which describes a person or an identity.",
"meta-category": "misc",
"uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
"name": "person"
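Review bot: The `mothers-name` description, `"Mother name, father, second name or other names following country's regulation."`, does not say what the attribute holds; if it is meant as the parent's name required by some civil registries, something like `"Name of a parent (mother or father) where the country's regulation records it."` is clearer, and the attribute name should then not say only "mothers". `first-name` gets `"disable_correlation": true` while `last-name` (context at the top of the hunk) and `mothers-name` apparently keep correlating, although common surnames correlate just as noisily as first names; the three should be treated the same way. `social-security-number` and `identity-card-number` are regulated personal identifiers; a short note in their descriptions that they are sensitive data helps analysts set the distribution of the object accordingly.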


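--- /dev/null
+++ b/objects/process/definition.json
@@ -0,0 +1,52 @@
+{
+"name": "process",
+"uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
+"meta-category": "misc",
+"description": "Object describing a system process.",
+"version": 1,
+"attributes": {
+"creation-time": {
+"description": "Local date/time at which the process was created.",
+"ui-priority": 0,
+"misp-attribute": "datetime",
+"disable_correlation": true
+},
+"start-time": {
+"description": "Local date/time at which the process was started.",
+"ui-priority": 0,
+"misp-attribute": "datetime",
+"disable_correlation": true
+},
+"name": {
+"description": "Name of the process",
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"pid": {
+"description": "Process ID of the process.",
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"parent_pid": {
+"description": "Process ID of the parent process.",
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"child-pid": {
+"description": "Process ID of the child(ren) process.",
+"ui-priority": 1,
+"misp-attribute": "text",
+"multiple": true
+},
+"port": {
+"description": "Port(s) owned by the process.",
+"ui-priority": 1,
+"misp-attribute": "src-port",
+"multiple": true
+}
+},
+"requiredOneOf": [
+"name",
+"pid"
+]
+}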
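Review bot: `port` is typed `"misp-attribute": "src-port"`, but every other object in this commit (ip-port, network-connection, network-socket) types ports as `"port"`, and I do not know `src-port` as a MISP attribute type; unless the target MISP version defines it, the template will fail validation, so `"misp-attribute": "port"` is the safe choice. `pid`, `parent_pid` and `child-pid` are small integers reused on every host, and `name` values such as `svchost.exe` appear in most Windows events, so leaving correlation on for them links unrelated events; `"disable_correlation": true` on the three PID attributes at least is advisable. `parent_pid` is the only attribute in this object (and in the commit's other new objects) named with an underscore instead of a hyphen; `parent-pid` keeps the convention.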


@ -42,11 +42,12 @@
"windows-scheduled-task"
],
"description": "Specify which type corresponds to this regex.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 3,
"version": 4,
"description": "An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.",
"meta-category": "misc",
"uuid": "ceffad66-71e5-4e20-9370-1b3fb694c648",


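--- /dev/null
+++ b/objects/sb-signature/definition.json
@@ -0,0 +1,49 @@
+{
+"required": [
+"software",
+"signature"
+],
+"attributes": {
+"software": {
+"description": "Name of Sandbox software",
+"disable_correlation": true,
+"categories": [
+"Sandbox detection"
+],
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"signature": {
+"description": "Name of detection signature - set the description of the detection signature as a comment",
+"categories": [
+"Sandbox detection"
+],
+"ui-priority": 2,
+"misp-attribute": "text",
+"multiple": true
+},
+"text": {
+"description": "Additional signature description",
+"disable_correlation": true,
+"categories": [
+"Other"
+],
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"datetime": {
+"description": "Datetime",
+"disable_correlation": true,
+"categories": [
+"Other"
+],
+"ui-priority": 0,
+"misp-attribute": "datetime"
+}
+},
+"version": 1,
+"description": "Sandbox detection signature",
+"meta-category": "misc",
+"uuid": "984c5c39-be7f-4e1e-b034-d3213bac51cb",
+"name": "sb-signature"
+}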
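Review bot: `software` and `signature` use the category `"Sandbox detection"`, which does not appear anywhere else in this commit (the other objects use `"Network activity"`, `"External analysis"`, `"Targeting data"`, `"Other"`) and which I do not recognise as a MISP attribute category; if it is not one, attributes created from this template will be rejected, and `"Antivirus detection"` or `"External analysis"` is probably what was intended. `datetime` is described only as `"Datetime"`; say what instant it records, e.g. `"Date and time at which the sandbox run produced the signature."`. The `signature` description tells the user to put the signature's description "as a comment" while the object already has a `text` attribute for exactly that, so one of the two instructions should go.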


@ -34,6 +34,7 @@
},
"SccpCgGT": {
"description": "Signaling Connection Control Part (SCCP) CgGT - Phone number.",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text"
},
@ -44,6 +45,7 @@
},
"SccpCgPC": {
"description": "Signaling Connection Control Part (SCCP) CgPC - Phone number.",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text"
},


@ -12,9 +12,17 @@
"description": "STIX 2 pattern",
"ui-priority": 0,
"misp-attribute": "stix2-pattern"
},
"version": {
"description": "Version of STIX 2 pattern.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"stix 2.0"
]
}
},
"version": 1,
"version": 2,
"description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.",
"meta-category": "misc",
"uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9",
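Review bot: The new `version` attribute will correlate by value, so every stix2-pattern object carrying `"stix 2.0"` will correlate with every other one; it needs `"disable_correlation": true` (the same applies to the `version` attribute of the new suricata object and to `version` and `context` of the new yara object later in this commit). Naming the attribute `version` next to the template's own top-level `"version": 2` key is legal but invites confusion in tooling that flattens templates; `pattern-version` would be unambiguous. The enclosing `attributes` object starts outside the hunk.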


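--- /dev/null
+++ b/objects/suricata/definition.json
@@ -0,0 +1,32 @@
+{
+"requiredOneOf": [
+"suricata"
+],
+"attributes": {
+"comment": {
+"description": "A description of the Suricata rule.",
+"ui-priority": 0,
+"misp-attribute": "comment"
+},
+"suricata": {
+"description": "Suricata rule.",
+"ui-priority": 0,
+"misp-attribute": "suricata"
+},
+"version": {
+"description": "Version of the Suricata rule depending where the suricata rule is known to work as expected.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"ref": {
+"description": "Reference to the Suricata rule such as origin of the rule or alike.",
+"misp-attribute": "link",
+"ui-priority": 0
+}
+},
+"version": 1,
+"description": "An object describing a Suricata rule along with its version and context",
+"meta-category": "network",
+"uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a",
+"name": "suricata"
+}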


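--- /dev/null
+++ b/objects/target-system/definition.json
@@ -0,0 +1,39 @@
+{
+"name": "target-system",
+"uuid": "3110944f-eca0-4c94-9d61-a84d022228a4",
+"meta-category": "internal",
+"description": "Description about an targeted system, this could potentially be a compromissed internal system",
+"version": 1,
+"attributes": {
+"targeted_machine": {
+"description": "Targeted system",
+"ui-priority": 1,
+"misp-attribute": "target-machine",
+"disable_correlation": true,
+"categories": [
+"Targeting data"
+]
+},
+"targeted_ip_of_system": {
+"description": "Targeted system IP address",
+"ui-priority": 1,
+"misp-attribute": "ip-src",
+"disable_correlation": true,
+"categories": [
+"Network activity"
+]
+},
+"timestamp_seen": {
+"description": "Registered date and time",
+"ui-priority": 1,
+"misp-attribute": "datetime",
+"disable_correlation": true,
+"categories": [
+"Other"
+]
+}
+},
+"requiredOneOf": [
+"targeted_machine"
+]
+}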
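Review bot: `targeted_ip_of_system` is typed `"ip-src"`, but the address of a system that is being targeted is the destination of the activity, so `"ip-dst"` matches how the rest of the corpus (ip-port, network-connection) reads direction; with `ip-src` the object will sit on the wrong side of any source/destination filtering. The three attribute names use underscores while every other new object in this commit hyphenates (`targeted-machine`, `targeted-ip`, `timestamp-seen`). The object description reads `"Description about an targeted system, this could potentially be a compromissed internal system"`; `"Describes a targeted system, which may be a compromised internal system."` fixes the article and the spelling, and `"Registered date and time"` on `timestamp_seen` should say what was registered, e.g. `"Date and time at which the targeting was observed."`.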


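--- /dev/null
+++ b/objects/timestamp/definition.json
@@ -0,0 +1,45 @@
+{
+"requiredOneOf": [
+"first-seen",
+"last-seen"
+],
+"attributes": {
+"text": {
+"description": "Description of the time object.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true
+},
+"precision": {
+"description": "Timestamp precision represents the precision given to first_seen and/or last_seen in this object.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"sane_default": [
+"year",
+"month",
+"day",
+"hour",
+"minute",
+"full"
+],
+"disable_correlation": true
+},
+"first-seen": {
+"description": "First time that the linked object or attribute has been seen.",
+"ui-priority": 0,
+"misp-attribute": "datetime",
+"disable_correlation": true
+},
+"last-seen": {
+"description": "First time that the linked object or attribute has been seen.",
+"ui-priority": 0,
+"misp-attribute": "datetime",
+"disable_correlation": true
+}
+},
+"version": 1,
+"description": "A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.",
+"meta-category": "misc",
+"uuid": "c8c91e23-4221-4533-8bf7-64e12b05f265",
+"name": "timestamp"
+}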
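Review bot: The `last-seen` description is a copy of `first-seen`'s and says `"First time that the linked object or attribute has been seen."`; it should read `"Last time that the linked object or attribute has been seen."`. The `precision` description refers to `first_seen` and `last_seen` with underscores while the attributes are named `first-seen` and `last-seen`, which will mislead anyone searching the template by name. `precision` is also silent about what `"full"` means (presumably seconds or the full datetime resolution); one clause saying so would settle it.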


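--- /dev/null
+++ b/objects/transaction/definition.json
@@ -0,0 +1,116 @@
+{
+"requiredOneOf": [
+"transaction-number",
+"date",
+"amount",
+"transmode-code"
+],
+"attributes": {
+"text": {
+"description": "A description of the transaction.",
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"transaction-number": {
+"description": "A unique number identifying a transaction.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"location": {
+"description": "Location where the transaction took place.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"transmode-code": {
+"description": "How the transaction was conducted.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"transmode-comment": {
+"description": "Comment describing transmode-code, if needed.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"teller": {
+"description": "Person who conducted the transaction.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"authorized": {
+"description": "Person who autorized the transaction.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"date": {
+"description": "Date and time of the transaction.",
+"ui-priority": 0,
+"misp-attribute": "datetime"
+},
+"amount": {
+"description": "The value of the transaction in local currency.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"date-posting": {
+"description": "Date of posting, if different from date of transaction.",
+"ui-priority": 0,
+"misp-attribute": "datetime"
+},
+"from-funds-code": {
+"description": "Type of funds used to initiate a transaction.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true,
+"sane_default": [
+"A Deposit",
+"C Currency exchange",
+"D Casino chips",
+"E Bank draft",
+"F Money order",
+"G Travelers cheques",
+"H Life insurance policy",
+"I Real estate",
+"J Securities",
+"K Cash",
+"O Other",
+"P Cheque"
+]
+},
+"to-funds-code": {
+"description": "Type of funds used to finalize a transaction.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"disable_correlation": true,
+"sane_default": [
+"A Deposit",
+"C Currency exchange",
+"D Casino chips",
+"E Bank draft",
+"F Money order",
+"G Travelers cheques",
+"H Life insurance policy",
+"I Real estate",
+"J Securities",
+"K Cash",
+"O Other",
+"P Cheque"
+]
+},
+"from-country": {
+"description": "Origin country of a transaction.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"to-country": {
+"description": "Target country of a transaction.",
+"ui-priority": 0,
+"misp-attribute": "text"
+}
+},
+"version": 1,
+"description": "An object to describe a financial transaction.",
+"meta-category": "financial",
+"uuid": "a47fa26a-01b6-4747-a394-5144e34456dc",
+"name": "transaction"
+}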
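Review bot: `amount` is described as "in local currency" but the object has no attribute saying which currency that is, so amounts from different countries (`from-country`/`to-country` are both present) cannot be compared once shared; add a `currency` attribute (ISO 4217 code) or state the currency in the description. `amount`, `transmode-code`, `location`, `from-country`, `to-country`, `date` and `date-posting` all correlate by value, and values such as `"100"` or `"US"` link unrelated transactions; only `transaction-number` identifies a transaction, so the others should carry `"disable_correlation": true` as `from-funds-code`/`to-funds-code` already do. `authorized` has a typo, `"Person who autorized the transaction."` → `"Person who authorized the transaction."`. `teller` and `authorized` hold personal names of bank staff; their descriptions could say so, since that affects how the object is distributed.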


@ -6,7 +6,8 @@
"fragment": {
"description": "Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"multiple": true
},
"tld": {
"description": "Top-Level Domain",
@ -42,12 +43,14 @@
"resource_path": {
"description": "Path (between hostname:port and query)",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"multiple": true
},
"query_string": {
"description": "Query (after path, preceded by '?')",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"multiple": true
},
"url": {
"description": "Full URL",
@ -92,7 +95,7 @@
"misp-attribute": "hostname"
}
},
"version": 5,
"version": 6,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",


@ -44,9 +44,18 @@
],
"ui-priority": 2,
"misp-attribute": "link"
},
"comment": {
"description": "Comment related to this hash",
"categories": [
"Exernal analysis"
],
"misp-attribute": "text",
"ui-priority": 2,
"multiple": true
}
},
"version": 1,
"version": 2,
"description": "VirusTotal report",
"meta-category": "misc",
"uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
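Review bot: The new `comment` attribute lists its category as `"Exernal analysis"`, a misspelling of `"External analysis"` as used on every other attribute in this commit; a category that is not in MISP's list will make the attribute fail validation, so this is a functional bug, not a typo: `"External analysis"`. `comment` is a free-text field and should also carry `"disable_correlation": true`, as the `text` attributes of the other objects here do. The enclosing `attributes` object starts outside the hunk.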


@ -4,10 +4,10 @@
"registrant-phone",
"creation-date",
"registrant-name",
"registrar"
],
"required": [
"domain"
"registrar",
"text",
"domain",
"ip-address"
],
"attributes": {
"text": {
@ -73,12 +73,24 @@
"Network activity",
"External analysis"
],
"ui-priority": 1,
"ui-priority": 0,
"multiple": true,
"misp-attribute": "domain"
},
"comment": {
"description": "Comment of the whois entry",
"ui-priority": 0,
"misp-attribute": "text"
},
"ip-address": {
"description": "IP address of the whois entry",
"ui-priority": 0,
"multiple": true,
"misp-attribute": "ip-src"
}
},
"version": 7,
"description": "Whois records information for a domain name.",
"version": 10,
"description": "Whois records information for a domain name or an IP address.",
"meta-category": "network",
"uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a",
"name": "whois"
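Review bot: The new `ip-address` attribute is typed `"ip-src"`, yet a whois record is about an address block, not about traffic direction; either type carries a directional meaning in MISP, and `ip-dst` is at least as defensible, so the choice deserves a comment in the description (e.g. `"IP address the whois entry was queried for; typed ip-src only because a neutral ip type is not available."`) so consumers do not read it as a connection source. `text` is now in `requiredOneOf`, which lets a whois object consist of free text only, and the new `comment` attribute overlaps it with no stated difference; keeping `text` out of `requiredOneOf` and describing how `comment` differs from `text` would tighten this. Both `comment` and `text` should be `"disable_correlation": true`. The `domain` attribute edited in the second hunk starts outside it.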


@ -2,7 +2,8 @@
"requiredOneOf": [
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256"
"x509-fingerprint-sha256",
"serial-number"
],
"attributes": {
"subject": {
@ -48,7 +49,12 @@
"misp-attribute": "x509-fingerprint-sha256"
},
"raw-base64": {
"description": "Raw certificate base64 encoded",
"description": "Raw certificate base64 encoded (DER format)",
"ui-priority": 0,
"misp-attribute": "text"
},
"pem": {
"description": "Raw certificate in PEM formati (Unix-like newlines)",
"ui-priority": 0,
"misp-attribute": "text"
},
@ -81,9 +87,25 @@
"description": "Version of the certificate",
"ui-priority": 0,
"misp-attribute": "text"
},
"self_signed": {
"description": "Self-signed certificate",
"ui-priority": 0,
"misp-attribute": "boolean"
},
"is_ca": {
"description": "CA certificate",
"ui-priority": 0,
"misp-attribute": "boolean"
},
"dns_names": {
"description": "DNS names",
"multiple": true,
"misp-attribute": "text",
"ui-priority": 0
}
},
"version": 5,
"version": 7,
"description": "x509 object describing a X.509 certificate",
"meta-category": "network",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
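Review bot: `dns_names` is typed `"text"`, so the subject alternative names of a certificate will not correlate with `domain`/`hostname` attributes recorded elsewhere, which is exactly the pivot an analyst wants from a certificate; `"misp-attribute": "hostname"` (or `domain`) is preferable, with the caveat that wildcard entries such as `*.example.com` may need the `text` fallback if the target MISP version rejects them under a hostname type. `self_signed`, `is_ca` and `dns_names` are the only underscore-named attributes in this object, beside `raw-base64`, `serial-number` and the fingerprint attributes; `self-signed`, `is-ca`, `dns-names` keeps the convention. The `pem` description has a typo, `"Raw certificate in PEM formati (Unix-like newlines)"` → `"Raw certificate in PEM format (Unix-like newlines)"`. The `attributes` object starts outside the hunks.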


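--- /dev/null
+++ b/objects/yara/definition.json
@@ -0,0 +1,41 @@
+{
+"requiredOneOf": [
+"yara"
+],
+"attributes": {
+"comment": {
+"description": "A description of the YARA rule.",
+"ui-priority": 0,
+"misp-attribute": "comment"
+},
+"yara": {
+"description": "YARA rule.",
+"ui-priority": 0,
+"misp-attribute": "yara"
+},
+"version": {
+"sane_default": [
+"3.7.1"
+],
+"description": "Version of the YARA rule depending where the yara rule is known to work as expected.",
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"context": {
+"description": "Context where the YARA rule can be applied",
+"sane_default": [
+"all",
+"disk",
+"memory",
+"network"
+],
+"misp-attribute": "text",
+"ui-priority": 0
+}
+},
+"version": 3,
+"description": "An object describing a YARA rule along with its version.",
+"meta-category": "misc",
+"uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
+"name": "yara"
+}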


@ -25,6 +25,30 @@
"stix-2.0"
]
},
{
"name": "connected-to",
"description": "The referenced source is connected to the target object.",
"format": [
"misp",
"stix-1.1"
]
},
{
"name": "contains",
"description": "The references source is containing the target object.",
"format": [
"misp",
"stix-1.1"
]
},
{
"name": "resolved-to",
"description": "The referenced source is resolved to the target object.",
"format": [
"misp",
"stix-1.1"
]
},
{
"name": "attributed-to",
"description": "This referenced source is attributed to the target object.",