From cd528865bbc6c3a2997a8e3c4bf0b3d940aaf492 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 22 Jan 2018 13:34:33 +0100 Subject: [PATCH 01/98] add: Object to describe mutual exclusion locks (mutex) as seen in memory or computer program --- objects/mutex/definition.json | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 objects/mutex/definition.json diff --git a/objects/mutex/definition.json b/objects/mutex/definition.json new file mode 100644 index 0000000..f9d23aa --- /dev/null +++ b/objects/mutex/definition.json @@ -0,0 +1,31 @@ +{ + "requiredOneOf": [ + "name" + ], + "attributes": { + "description": { + "description": "Description", + "ui-priority": 0, + "misp-attribute": "text" + }, + "operating-system": { + "description": "Operating system where the mutex has been seen", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Windows", + "Unix" + ] + }, + "name": { + "description": "name of the mutex", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Object to describe mutual exclusion locks (mutex) as seen in memory or computer program", + "meta-category": "misc", + "uuid": "9f5c1a68-2021-4faa-b409-61c899c86466", + "name": "mutex" +} From 90e72d58953896a6a63f8200607c012f9aa40733 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 22 Jan 2018 14:16:46 +0100 Subject: [PATCH 02/98] fix: person object updated to match AML client record + various fixes --- objects/person/definition.json | 45 ++++++++++++++++++++++++++++------ 1 file changed, 37 insertions(+), 8 deletions(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 5f7f5ca..484cc99 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json 
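Review bot: The free-text `description` attribute of the new mutex object has no `disable_correlation`, so whatever analysts type there becomes a correlating value across events, and the two-value `operating-system` enum has the same problem; add `"disable_correlation": true` to both, as the other objects touched in this series do for descriptive text. `name` is typed as a generic `text` attribute even though MISP ships a dedicated `mutex` attribute type; using `"misp-attribute": "mutex"` keeps the type-specific validation and export mappings, so confirm the type is available in the target MISP version and switch to it. A short note in the `name` description on the expected form (for example whether the `Global\` or `\BaseNamedObjects\` prefix is kept) would also make values comparable between contributors.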
@@ -16,14 +16,32 @@
 "misp-attribute": "last-name"
 },
 "middle-name": {
- "description": "Middle name of a natural person",
+ "description": "Middle name of a natural person.",
 "ui-priority": 0,
 "misp-attribute": "middle-name"
 },
 "first-name": {
 "description": "First name of a natural person.",
 "ui-priority": 0,
- "misp-attribute": "first-name"
+ "misp-attribute": "first-name",
+ "disable_correlation": true
+ },
+ "mothers-name": {
+ "description": "Mother name, father, second name or other names following country's regulation.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "title": {
+ "description": "Title of the natural person such as Dr. or equivalent.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "alias": {
+ "description": "Alias name or known as.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
 },
 "date-of-birth": {
 "description": "Date of birth of a natural person (in YYYY-MM-DD format).",
@@ -33,7 +51,8 @@
 "place-of-birth": {
 "description": "Place of birth of a natural person.",
 "ui-priority": 0,
- "misp-attribute": "place-of-birth"
+ "misp-attribute": "place-of-birth",
+ "disable_correlation": true
 },
 "gender": {
 "description": "The gender of a natural person.",
@@ -44,7 +63,8 @@
 "Female",
 "Other",
 "Prefer not to say"
- ]
+ ],
+ "disable_correlation": true
 },
 "passport-number": {
 "description": "The passport number of a natural person.",
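Review bot: `middle-name` keeps correlation enabled while `first-name`, `title`, `place-of-birth` and `gender` are switched off in these same hunks; a middle name on its own is as weak a correlator as a first name, so add `"disable_correlation": true` to it as well. The new `mothers-name` description, "Mother name, father, second name or other names following country's regulation.", does not say what the field actually holds; suggest `"description": "Mother's name, father's name, second surname or other family names, as required by the relevant country's regulations."`. The enclosing `attributes` object starts and ends outside these hunks.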
@@ -54,25 +74,34 @@ "passport-country": { "description": "The country in which the passport was issued.", "ui-priority": 0, - "misp-attribute": "passport-country" + "misp-attribute": "passport-country", + "disable_correlation": true }, "passport-expiration": { "description": "The expiration date of a passport.", "ui-priority": 0, - "misp-attribute": "passport-expiration" + "misp-attribute": "passport-expiration", + "disable_correlation": true }, "redress-number": { "description": "The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.", "ui-priority": 0, "misp-attribute": "redress-number" }, + "social-security-number": { + "description": "Social security number", + "ui-priority": 0, + "misp-attribute": "text" + }, "nationality": { "description": "The nationality of a natural person.", "ui-priority": 0, - "misp-attribute": "nationality" + "misp-attribute": "nationality", + "multiple": true, + "disable_correlation": true } }, - "version": 2, + "version": 3, "description": "An person which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", From 0f3b8195f5d483812d28d91f6911428f3fbbb826 Mon Sep 17 00:00:00 2001 From: garanews Date: Tue, 23 Jan 2018 10:12:07 +0100 Subject: [PATCH 03/98] sandbox-signature Added object sb-signature --- objects/sb-signature/definition.json | 50 ++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 objects/sb-signature/definition.json diff --git a/objects/sb-signature/definition.json b/objects/sb-signature/definition.json new file mode 100644 index 0000000..5d8874c --- /dev/null +++ b/objects/sb-signature/definition.json 
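Review bot: `social-security-number` is added as a bare `text` attribute with correlation on, but a social security number is only meaningful together with the issuing country, and purely numeric identifiers issued by different countries can collide and correlate falsely. The object already models the same problem for passports with `passport-number` plus `passport-country`, so either add a matching `social-security-country` attribute or state the country requirement in the description, e.g. `"description": "Social security number of a natural person; record the issuing country as well, since numbers are only unique per country."`. Since this is high-sensitivity PII, the description could also remind contributors to check the event distribution before sharing it. The `attributes` object continues outside this hunk.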
@@ -0,0 +1,50 @@ +{ + "required": [ + "software", + "signature" + ], + "attributes": { + "software": { + "description": "Name of Sandbox software", + "disable_correlation": true, + "categories": [ + "Sandbox detection" + ], + "ui-priority": 1, + "misp-attribute": "text" + }, + "signature": { + "description": "Name of detection signature", + "comment": "Description of detection signature", + "categories": [ + "Sandbox detection" + ], + "ui-priority": 2, + "misp-attribute": "text", + "multiple": true + }, + "text": { + "description": "Additional signature description", + "disable_correlation": true, + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "datetime": { + "description": "Datetime", + "disable_correlation": true, + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "Sandbox detection signature", + "meta-category": "misc", + "uuid": "984c5c39-be7f-4e1e-b034-d3213bac51cb", + "name": "sb-signature" +} \ No newline at end of file From 8c178fd837b91b62065264bd540c249ebaf164f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 23 Jan 2018 10:43:36 +0100 Subject: [PATCH 04/98] fix: Make JQ happy. --- objects/sb-signature/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/sb-signature/definition.json b/objects/sb-signature/definition.json index 5d8874c..2635704 100644 --- a/objects/sb-signature/definition.json +++ b/objects/sb-signature/definition.json @@ -15,7 +15,7 @@ }, "signature": { "description": "Name of detection signature", - "comment": "Description of detection signature", + "comment": "Description of detection signature", "categories": [ "Sandbox detection" ], @@ -47,4 +47,4 @@ "meta-category": "misc", "uuid": "984c5c39-be7f-4e1e-b034-d3213bac51cb", "name": "sb-signature" -} \ No newline at end of file +} From 333f9a46e4bcc96cd2e5f276bff26c9dd9b1524f Mon Sep 17 00:00:00 2001 
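Review bot: `signature` on the new side correlates by default, but sandbox signature names (anti-VM checks, debugger detection and the like) are generic labels shared by nearly every analysed sample, so correlating on them links unrelated events and inflates the correlation graph; add `"disable_correlation": true` to `signature`, or document in its description why cross-event correlation is wanted. The `datetime` description is just "Datetime" and does not say which moment it records; suggest `"description": "Date and time of the sandbox run in which the signature matched."`. The `software` attribute could likewise state whether the version is expected in the value, since signature names change between sandbox releases.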
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 23 Jan 2018 10:46:15 +0100 Subject: [PATCH 05/98] fix: Make the schema happy. --- objects/sb-signature/definition.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/objects/sb-signature/definition.json b/objects/sb-signature/definition.json index 2635704..481d02d 100644 --- a/objects/sb-signature/definition.json +++ b/objects/sb-signature/definition.json @@ -14,8 +14,7 @@ "misp-attribute": "text" }, "signature": { - "description": "Name of detection signature", - "comment": "Description of detection signature", + "description": "Name of detection signature - set the description of the detection signature as a comment", "categories": [ "Sandbox detection" ], From bd508a3455d017ac3976eef3d6fbfe91e736dea6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 25 Jan 2018 15:07:19 +0100 Subject: [PATCH 06/98] fix: Passive DNS records especially on the disabled_correlation fields --- objects/passive-dns/definition.json | 42 ++++++++++++++++++----------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/objects/passive-dns/definition.json b/objects/passive-dns/definition.json index b832c40..38994ee 100644 --- a/objects/passive-dns/definition.json +++ b/objects/passive-dns/definition.json 
@@ -6,22 +6,25 @@
 ],
 "attributes": {
 "zone_time_last": {
- "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",
+ "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.",
 "ui-priority": 0,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime",
+ "disable_correlation": true
 },
 "text": {
- "description": "",
+ "description": "Description of the passive DNS record.",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true
 },
 "count": {
- "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers",
+ "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",
 "ui-priority": 0,
- "misp-attribute": "counter"
+ "misp-attribute": "counter",
+ "disable_correlation": true
 },
 "rrname": {
- "description": "Resource Record name of the queried resource",
+ "description": "Resource Record name of the queried resource.",
 "categories": [
 "Network activity",
 "External analysis"
@@ -30,7 +33,7 @@
 "misp-attribute": "text"
 },
 "rrtype": {
- "description": "Resource Record type as seen by the passive DNS",
+ "description": "Resource Record type as seen by the passive DNS.",
 "categories": [
 "Network activity",
 "External analysis"
@@ -51,7 +54,8 @@
 "NAPTR",
 "HINFO",
 "A6"
- ]
+ ],
+ "disable_correlation": true
 },
 "rdata": {
 "description": "Resource records of the queried resource",
@@ -61,35 +65,41 @@ "zone_time_first": { "description": "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "origin": { "description": "Origin of the Passive DNS response", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "time_last": { "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "time_first": { "description": "First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "bailiwick": { "description": "Best estimate of the apex of the zone where this data is authoritative", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "sensor_id": { "description": "Sensor information where the record was seen", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true } }, - "version": 2, + "version": 3, "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01", "meta-category": "network", "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c", From f91929738b2e50c4c79447fc23c96d6d2af6d70c Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Mon, 29 Jan 2018 07:33:25 +0100 Subject: [PATCH 07/98] add: an object describing bank account information based on account description from goAML 4.0. A generic bank account partially based on the goAML 4.0 standard. The bank account alone can convey information regarding the type of transactions seen or suspected which allow to use the object alone without the need to describe the full list of transactions. Additional objects could be created like report, transactions and like to fully support AML. The existing person in MISP objects was previously updated to include the field missing from AML. A potential evolution is based on the transaction status which can be described as a simple relationship between MISP objects like: Bought, Sold, Let, Hired, Exchanged, Donated, Destroyed and Other --- objects/bank-account/definition.json | 159 +++++++++++++++++++++++++++ 1 file changed, 159 insertions(+) create mode 100644 objects/bank-account/definition.json diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json new file mode 100644 index 0000000..46466e9 --- /dev/null +++ b/objects/bank-account/definition.json 
@@ -0,0 +1,159 @@ +{ + "requiredOneOf": [ + "account" + ], + "attributes": { + "text": { + "description": "A description of the bank account.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "institution-code": { + "description": "Name of the bank or financial organisation.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "swift": { + "description": "SWIFT or BIC as defined in ISO 9362.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "bic" + }, + "branch": { + "description": "Branch code or name", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "non-banking-institution": { + "description": "A flag to define if this account belong to a non-banking organisation. If set to true, it's a non-banking organisation.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "account": { + "description": "Account number", + "ui-priority": 0, + "misp-attribute": "bank-account-nr" + }, + "currency-code": { + "description": "Currency of the account.", + "ui-priority": 0, + "sane_default": [ + "USD", + "EUR" + ], + "disable_correlation": true, + "misp-attribute": "text" + }, + "account-name": { + "description": "A field to freely describe the bank account details.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "iban": { + "description": "IBAN of the bank account.", + "ui-priority": 0, + "misp-attribute": "iban" + }, + "client-_number": { + "description": "Client number as seen by the bank.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "personal-account-type": { + "description": "Account type.", + "ui-priority": 0, + "sane_default": [ + "A - Business", + "B - Personal Current", + "C - Savings", + "D - Trust Account", + "E - Trading Account", + "O - Other" + ], + "disable_correlation": true, + "misp-attribute": "text" + }, + "opened": { + "description": "When the account was opened.", + 
"ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "closed": { + "description": "When the account was closed.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "balance": { + "description": "The balance of the account after the suspicious transaction was processed.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "date-balance": { + "description": "When the balance was reported.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "status-code": { + "description": "Account status at the time of the transaction processed.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "A - Active", + "B - Inactive", + "C - Dormant" + ] + }, + "beneficiary": { + "description": "Final beneficiary of the bank account.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "beneficiary-comment": { + "description": "Comment about the final beneficiary.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "comments": { + "description": "Comments about the bank account.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "report-code": { + "description": "Report code of the bank account.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "CTR Cash Transaction Report", + "STR Suspicious Transaction Report", + "EFT Electronic Funds Transfer", + "IFT International Funds Transfer", + "TFR Terror Financing Report", + "BCR Border Cash Report", + "UTR Unusual Transaction Report", + "AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.", + "IRI Incoming Request for Information – International", + "ORI Outgoing Request for Information 
– International", + "IRD Incoming Request for Information – Domestic", + "ORD Outgoing Request for Information – Domestic" + ] + } + }, + "version": 1, + "description": "An object describing bank account information based on account description from goAML 4.0.", + "meta-category": "financial", + "uuid": "b4712203-95a8-4883-80e9-b566f5df11c9", + "name": "bank-account" +} From 16f01d62a8293797266e9cd076c9a6c6fb846efd Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 29 Jan 2018 07:44:37 +0100 Subject: [PATCH 08/98] add: bank-account added in the list --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ae6bb52..7ab6f58 100644 --- a/README.md +++ b/README.md @@ -70,6 +70,7 @@ for a specific attribute. * [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file). * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. +* [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0. * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency. * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases. * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. From 2f53450e49aaef7169d98bccfe571410f52f1161 Mon Sep 17 00:00:00 2001 
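Review bot: The attribute key `client-_number` in the new bank-account object contains a stray underscore; the key is the object-relation every consumer and importer will match on, so renaming it after the template ships is a breaking change — fix it to `"client-number"` before release. `account-name` is described as "A field to freely describe the bank account details." yet it correlates, whereas the other free-text fields (`text`, `comments`, `beneficiary-comment`) are set to `disable_correlation`; add `"disable_correlation": true` to it. The `report-code` `sane_default` entries embed whole explanatory sentences in the selectable value (for example the `AIF` entry), which makes the stored value unwieldy and hard to match; keep each value to the code and short label and move the explanations into the attribute description.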
From: Alexandre Dulaunoy Date: Mon, 29 Jan 2018 07:46:13 +0100 Subject: [PATCH 09/98] fix: sandbox report object added in the list --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7ab6f58..857869c 100644 --- a/README.md +++ b/README.md @@ -95,6 +95,7 @@ for a specific attribute. * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object. * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml. * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. +* [objects/sandbox](objects/sandbox/definition.json) - Sandbox report object. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. From cab597afb2a45c7bdbc8c99000919f999e6cb5bf Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 29 Jan 2018 07:47:19 +0100 Subject: [PATCH 10/98] fix: sandbox signature added. --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 857869c..9dcb503 100644 --- a/README.md +++ b/README.md 
@@ -96,6 +96,7 @@ for a specific attribute. * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml. * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. * [objects/sandbox](objects/sandbox/definition.json) - Sandbox report object. +* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. From 619c35ea0f6c618c78d8206bfb658ad39f864566 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 29 Jan 2018 08:24:40 +0100 Subject: [PATCH 11/98] fix: sandbox report --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9dcb503..19ca64a 100644 --- a/README.md +++ b/README.md 
@@ -95,7 +95,7 @@ for a specific attribute. * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object. * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml. * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. -* [objects/sandbox](objects/sandbox/definition.json) - Sandbox report object. +* [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. From 8d7e3b34a731d81d32fae7329e932bb4742cd689 Mon Sep 17 00:00:00 2001 From: David Lord Date: Tue, 30 Jan 2018 10:12:53 +1000 Subject: [PATCH 12/98] Add email-body to the email object definition --- objects/email/definition.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/objects/email/definition.json b/objects/email/definition.json index 7b7f45d..10fbc38 100644 --- a/objects/email/definition.json +++ b/objects/email/definition.json @@ -138,6 +138,14 @@ "categories": [ "Payload delivery" ] + }, + "email-body": { + "description": "Body of the email", + "misp-attribute": "email-body", + "ui-priority": 1, + "categories": [ + "Payload delivery" + ] } }, "requiredOneOf": [ From c57b9b867c8d4a0c789269dfe02ea3d80cb0c074 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 30 Jan 2018 08:59:41 +0100 Subject: [PATCH 13/98] fix: increment version of the MISP email object --- objects/email/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/email/definition.json b/objects/email/definition.json index 10fbc38..770850f 100644 --- a/objects/email/definition.json 
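Review bot: `email-body` is added with correlation left on, so the full message body becomes a correlating value; bodies are long, often templated (newsletters, auto-replies, phishing kits reused verbatim) and frequently contain personal data, so body-level correlation is mostly noise and the match is expensive on large instances. Add `"disable_correlation": true` to the new attribute unless correlation on identical bodies is deliberately wanted, in which case say so in its description. The `attributes` object continues outside this hunk.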
+++ b/objects/email/definition.json @@ -3,7 +3,7 @@ "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "meta-category": "network", "description": "Email object describing an email with meta-information", - "version": 7, + "version": 8, "attributes": { "reply-to": { "description": "Email address the reply will be sent to", From 41b0d33ab354334051ebc784e44449b7930d23df Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 31 Jan 2018 15:05:55 +0100 Subject: [PATCH 14/98] fix: improve ip-port object to add domain instead of IP address --- objects/ip-port/definition.json | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json index 528ab7c..b7be390 100644 --- a/objects/ip-port/definition.json +++ b/objects/ip-port/definition.json @@ -1,9 +1,8 @@ { "requiredOneOf": [ "dst-port", - "src-port" - ], - "required": [ + "src-port", + "domain", "ip" ], "attributes": { @@ -43,6 +42,15 @@ "ui-priority": 1, "misp-attribute": "port" }, + "domain": { + "description": "Domain", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "domain" + }, "ip": { "description": "IP Address", "categories": [ @@ -53,8 +61,8 @@ "misp-attribute": "ip-dst" } }, - "version": 5, - "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", + "version": 6, + "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "name": "ip-port" From b09f0453abc1c1c4735b3ec05c0faa61fdfea8a4 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 5 Feb 2018 09:26:50 +0100 Subject: [PATCH 15/98] chg: Added identity card number --- objects/person/definition.json | 5 +++++ 1 file changed, 5 insertions(+) 
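Review bot: Moving `ip` from `required` into the same `requiredOneOf` list as `dst-port` and `src-port` loosens validation more than the description suggests: an object containing only `dst-port` now satisfies the template with neither an IP address nor a domain, which contradicts "An IP address (or domain) and a port". If the template format can only express one `required` and one `requiredOneOf` list, the closest encoding of "(ip or domain) and a port" is `"requiredOneOf": ["ip", "domain"]` with the port expectation stated in the description; otherwise the description should say that a port-only object is accepted. Whichever is chosen, document in the `domain` description that it is an alternative to `ip`, not a complement, so importers do not fill both with unrelated values.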
diff --git a/objects/person/definition.json b/objects/person/definition.json index 484cc99..6e25459 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -66,6 +66,11 @@ ], "disable_correlation": true }, + "id-card-number": { + "description": "The identity card number of a natural person.", + "ui-priority": 0, + "misp-attribute": "id-card-number" + }, "passport-number": { "description": "The passport number of a natural person.", "ui-priority": 0, From f169fbee36050e51056313235c8e07100ae7998d Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 5 Feb 2018 14:18:21 +0100 Subject: [PATCH 16/98] chg: updated name of the new attribute --- objects/person/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 6e25459..a882dc8 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -66,10 +66,10 @@ ], "disable_correlation": true }, - "id-card-number": { + "identity-card-number": { "description": "The identity card number of a natural person.", "ui-priority": 0, - "misp-attribute": "id-card-number" + "misp-attribute": "identity-card-number" }, "passport-number": { "description": "The passport number of a natural person.", From c11c4a28ab1c6bbe666b4f80be34d21a3a472332 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 5 Feb 2018 14:19:58 +0100 Subject: [PATCH 17/98] chg: Added address and zip code attributes --- objects/geolocation/definition.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json index ab6ee46..7a4902b 100644 --- a/objects/geolocation/definition.json +++ b/objects/geolocation/definition.json 
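Review bot: The new `id-card-number` attribute is added without incrementing the object's `version` (the later patch in this series still shows `"version": 3` for the person object), and as far as I know MISP only refreshes an installed template when the incoming version is higher, so instances that already loaded version 3 will never see the new attribute; bump to `"version": 4` in the same change, as patch 13 does for the email object. The `version` field is outside this hunk.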
@@ -42,6 +42,16 @@ "ui-priority": 0, "misp-attribute": "float" }, + "address": { + "description": "Address.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "zipcode": { + "description": "Zip Code.", + "misp-attribute": "text", + "ui-priority": 1 + }, "city": { "description": "City.", "misp-attribute": "text", From b92d92764b897bf40ccc83a750b9199679d81c8d Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 5 Feb 2018 16:10:23 +0100 Subject: [PATCH 18/98] description typo --- objects/person/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index a882dc8..a041ede 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -107,7 +107,7 @@ } }, "version": 3, - "description": "An person which describes a person or an identity.", + "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", "name": "person" From 573873db3b19e7086b8541a0341743a9fa5800cc Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 5 Feb 2018 17:20:39 +0100 Subject: [PATCH 19/98] First version of the legal-entity object --- objects/legal-entity/definition.json | 38 ++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 objects/legal-entity/definition.json diff --git a/objects/legal-entity/definition.json b/objects/legal-entity/definition.json new file mode 100644 index 0000000..ae37089 --- /dev/null +++ b/objects/legal-entity/definition.json 
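Review bot: `address` and `zipcode` are added as plain `text` attributes with correlation left on; a postal code is a short, low-cardinality string shared by every entity in an area, so it will correlate across unrelated events and can also collide with unrelated numeric values elsewhere in the instance — set `"disable_correlation": true` on `zipcode`, and consider it for `address` too unless street-level correlation is wanted. The object's `version` is outside this hunk; confirm it is bumped alongside the new attributes so already-installed templates pick them up.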
@@ -0,0 +1,38 @@ +{ + "requiredOneOf": [ + "name" + ], + "attributes": { + "text": { + "description": "A description of the entity.", + "disable-correlation": "true", + "ui-priority": 1, + "misp-attribute": "text" + }, + "name": { + "description": "Name of an entity.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "commercial-name": { + "description": "Commercial name of an entity.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "legal-form": { + "description": "Legal form of an entity.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "business": { + "description": "Business area of an entity", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "An object to describe a legal entity.", + "meta-category": "misc", + "uuid": "", + "name": "legal-entity" +} From 6b98de1c8600d68ac669de101130dcc289911568 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 5 Feb 2018 17:26:13 +0100 Subject: [PATCH 20/98] Updated readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 19ca64a..6a5de0a 100644 --- a/README.md +++ b/README.md 
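Review bot: `legal-form` correlates on the new side, but its values are a small set of company types (SA, Ltd, GmbH and so on) shared by a very large number of entities, so it will link unrelated events; add `"disable_correlation": true` to it. `business` (a business area or sector label) has the same low-cardinality problem and should also be switched off, while `name` and `commercial-name` are reasonable correlators and can stay. Descriptions of the form "Name of an entity." repeat the key; one sentence on what distinguishes `name` from `commercial-name` (registered name versus trading name, if that is the intent) would help contributors fill them consistently.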
@@ -82,6 +82,7 @@ for a specific attribute. * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location. * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame. * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way. +* [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation. * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format. * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format. * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook. From d250e6254655f1bd5a42d736a53aa8151a566e19 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 6 Feb 2018 14:19:04 +0100 Subject: [PATCH 21/98] Added additional attributes --- objects/legal-entity/definition.json | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/objects/legal-entity/definition.json b/objects/legal-entity/definition.json index ae37089..dcac487 100644 --- a/objects/legal-entity/definition.json +++ b/objects/legal-entity/definition.json @@ -24,10 +24,20 @@ "ui-priority": 0, "misp-attribute": "text" }, - "business": { - "description": "Business area of an entity", + "registration-number": { + "description": "Registration number of an entity in the relevant authority.", "ui-priority": 0, "misp-attribute": "text" + }, + "business": { + "description": "Business area of an entity.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "phone-number": { + "description": "Phone number of an entity.", + "ui-priority": 0, + "misp-attribute": "phone-number" } }, "version": 1, From 7966c58db9bcecc6b8baec7729874da78b99c3d2 Mon Sep 17 00:00:00 2001 
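Review bot: `business` is re-added here as a correlating `text` attribute; a business area is a sector label shared by many entities, so correlation on it produces spurious links — add `"disable_correlation": true`. `registration-number` is only unique within the issuing registry, so its description should ask for the authority or country to be recorded as well, e.g. `"description": "Registration number of the entity in the relevant authority; record the authority or country too, since numbers are only unique per registry."`. The trailing context still shows `"version": 1` although attributes are being added after the object was first committed; if version 1 has already been published, bump it in this change.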
From: chrisr3d Date: Tue, 6 Feb 2018 15:06:20 +0100 Subject: [PATCH 22/98] typo --- objects/legal-entity/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/legal-entity/definition.json b/objects/legal-entity/definition.json index dcac487..24feeaf 100644 --- a/objects/legal-entity/definition.json +++ b/objects/legal-entity/definition.json @@ -5,7 +5,7 @@ "attributes": { "text": { "description": "A description of the entity.", - "disable-correlation": "true", + "disable_correlation": "true", "ui-priority": 1, "misp-attribute": "text" }, From fd74fac62b2a7f05cf0500bb3fb4aeb07d94eb3b Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Tue, 6 Feb 2018 15:36:57 +0100 Subject: [PATCH 23/98] Fixed disable_correlation variable type --- objects/legal-entity/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/legal-entity/definition.json b/objects/legal-entity/definition.json index 24feeaf..29f89c5 100644 --- a/objects/legal-entity/definition.json +++ b/objects/legal-entity/definition.json @@ -5,7 +5,7 @@ "attributes": { "text": { "description": "A description of the entity.", - "disable_correlation": "true", + "disable_correlation": true, "ui-priority": 1, "misp-attribute": "text" }, @@ -43,6 +43,6 @@ "version": 1, "description": "An object to describe a legal entity.", "meta-category": "misc", - "uuid": "", + "uuid": "14f5688f-d89c-469f-9878-c48bf6c41c65", "name": "legal-entity" } From e1258cd2f72e266526e6fcd7bf8e5e2e0d86f56d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 7 Feb 2018 14:46:09 +0100 Subject: [PATCH 24/98] Common Alerting Protocol Version (CAP) alert object --- objects/cap-alert/definition.json | 108 ++++++++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 objects/cap-alert/definition.json diff --git a/objects/cap-alert/definition.json b/objects/cap-alert/definition.json new file mode 100644 index 0000000..90017dc --- /dev/null 
+++ b/objects/cap-alert/definition.json 
@@ -0,0 +1,108 @@ +{ + "requiredOneOf": [ + "msgType" + ], + "attributes": { + "identifier": { + "description": "The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "sender": { + "description": "The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "sent": { + "description": "The time and date of the origination of the alert message.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "status": { + "description": "The code denoting the appropriate handling of the alert message.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Actual", + "Exercise", + "System", + "Test", + "Draft" + ] + }, + "msgType": { + "description": "The code denoting the nature of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Alert", + "Update", + "Cancel", + "Ack", + "Error" + ] + }, + "source": { + "description": "The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "scope": { + "description": "The code denoting the intended distribution of the alert message. 
", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "Public", + "Restricted", + "Private" + ] + }, + "restriction": { + "description": "The text describing the rule for limiting distribution of the restricted alert message.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "addresses": { + "description": "The group listing of intended recipients of the alert message. (1) Required when is “Private”, optional when is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes. ", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "code": { + "description": "The code denoting the special handling of the alert message.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "note": { + "description": "The text describing the purpose or significance of the alert message.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "references": { + "description": "The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "incident": { + "description": "The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. 
Incident names including whitespace SHALL be surrounded by double-quotes.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + } + }, + "version": 1, + "description": "Common Alerting Protocol Version (CAP) alert object.", + "meta-category": "misc", + "uuid": "03b107bb-133d-4180-87ff-e3dbe731f828", + "name": "cap-alert" +} From 31615336926a3d24a7e258e7e2661a57a20af839 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 7 Feb 2018 14:54:15 +0100 Subject: [PATCH 25/98] fix: trailing dot removed --- objects/cap-alert/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/cap-alert/definition.json b/objects/cap-alert/definition.json index 90017dc..c9fe3ac 100644 --- a/objects/cap-alert/definition.json +++ b/objects/cap-alert/definition.json @@ -101,7 +101,7 @@ } }, "version": 1, - "description": "Common Alerting Protocol Version (CAP) alert object.", + "description": "Common Alerting Protocol Version (CAP) alert object", "meta-category": "misc", "uuid": "03b107bb-133d-4180-87ff-e3dbe731f828", "name": "cap-alert" From ad8e01d4c5d6898ebe6f64483e98b3252308519d Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Wed, 7 Feb 2018 15:36:37 +0100 Subject: [PATCH 26/98] Transaction object --- objects/transaction/definition.json | 56 +++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 objects/transaction/definition.json diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json new file mode 100644 index 0000000..46fd9e4 --- /dev/null +++ b/objects/transaction/definition.json 
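Review bot: `status` is the only attribute in this template without `"disable_correlation": true`, and its values come from a five-entry `sane_default` list (Actual, Exercise, System, Test, Draft), so every CAP alert with the same status will correlate with every other one in the instance; add `"disable_correlation": true` to `status` as the other enum-valued attributes (`msgType`, `scope`) already have. The `addresses` description has lost the element name from the CAP specification text it quotes — "Required when is “Private”, optional when is “Public” or “Restricted”" — and should read `Required when scope is “Private”, optional when scope is “Public” or “Restricted”.` The `scope` and `incident` descriptions also appear to be split across a line break inside the JSON string; if that break is literal in the file it is an unescaped control character that strict parsers such as jq reject, so it should become a space or `\n`.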
@@ -0,0 +1,56 @@
+{
+ "requiredOneOf": [
+ "transaction-number",
+ "date",
+ "amount",
+ "transmode-code"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the transaction.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "transaction-number": {
+ "description": "A unique number identifying a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "location": {
+ "description": "Location where the transaction took place.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "transmode-code": {
+ "description": "How the transaction was conducted.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "transmode-comment": {
+ "description": "Comment describing transmode-code, if needed.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "date": {
+ "description": "Date and time of the transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "amount": {
+ "description": "The value of the transaction in local currency.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "date-posting": {
+ "description": "Date of posting, if different from date of transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "An object to describe a transaction.",
+ "meta-category": "misc",
+ "uuid": "a47fa26a-01b6-4747-a394-5144e34456dc",
+ "name": "transaction"
+}
From 9ad2b50895f7cafdb3051eff21d607a82a0f2414 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Wed, 7 Feb 2018 17:26:09 +0100
Subject: [PATCH 27/98] Updated description and readme
---
 README.md | 1 +
 objects/transaction/definition.json | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 6a5de0a..d60eb4b 100644
--- a/README.md
+++ b/README.md
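Review bot: `amount` is documented as "The value of the transaction in local currency", but no attribute records which currency that is, so amounts from different jurisdictions cannot be compared or aggregated once the object is shared beyond its origin. Consider a companion attribute such as `"currency-code": { "description": "ISO 4217 code of the currency the amount is expressed in.", "ui-priority": 0, "misp-attribute": "text", "disable_correlation": true }`. `transmode-code` ("How the transaction was conducted.") is presumably a fixed code list like the funds codes added later in this series, and would benefit from a `sane_default` list so values stay comparable across contributors.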
@@ -99,6 +99,7 @@ for a specific attribute. * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. +* [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata. diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json index 46fd9e4..11f703e 100644 --- a/objects/transaction/definition.json +++ b/objects/transaction/definition.json @@ -49,7 +49,7 @@ } }, "version": 1, - "description": "An object to describe a transaction.", + "description": "An object to describe a financial transaction.", "meta-category": "misc", "uuid": "a47fa26a-01b6-4747-a394-5144e34456dc", "name": "transaction" From 49f78f067d304536fc057840c67a8f5f8782ce96 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 8 Feb 2018 07:45:41 +0100 Subject: [PATCH 28/98] add: Common Alerting Protocol Version (CAP) info object --- objects/cap-info/definition.json | 171 +++++++++++++++++++++++++++++++ 1 file changed, 171 insertions(+) create mode 100644 objects/cap-info/definition.json diff --git a/objects/cap-info/definition.json b/objects/cap-info/definition.json new file mode 100644 index 0000000..9645f13 --- /dev/null +++ b/objects/cap-info/definition.json 
@@ -0,0 +1,171 @@ +{ + "requiredOneOf": [ + "category" + ], + "attributes": { + "language": { + "description": "The code denoting the language of the info sub-element of the alert message. ", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "category": { + "description": "The code denoting the category of the subject event of the alert message.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "Geo", + "Met", + "Safety", + "Security", + "Rescue", + "Fire", + "Health", + "Env", + "Transport", + "Infra", + "CBRNE", + "Other" + ], + "disable_correlation": true + }, + "event": { + "description": "The text denoting the type of the subject event of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "responseType": { + "description": "The code denoting the type of action recommended for the target audience.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Shelter", + "Evacuate", + "Prepare", + "Execute", + "Avoid", + "Monitor", + "Assess", + "AllClear", + "None" + ] + }, + "urgency": { + "description": "The code denoting the urgency of the subject event of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Immediate", + "Expected", + "Future", + "Past", + "Unknown" + ] + }, + "severity": { + "description": "The code denoting the severity of the subject event of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Extreme", + "Severe", + "Moderate", + "Minor", + "Unknown" + ] + }, + "certainty": { + "description": "The code denoting the certainty of the subject event of the alert message. 
For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Likely", + "Possible", + "Unlikely", + "Unknown" + ] + }, + "audience": { + "description": "The text describing the intended audience of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "eventCode": { + "description": "A system-specific code identifying the event type of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "effective": { + "description": "The effective time of the information of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "datetime" + }, + "onset": { + "description": "The expected time of the beginning of the subject event of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "datetime" + }, + "expires": { + "description": "The expiry time of the information of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "datetime" + }, + "senderName": { + "description": "The text naming the originator of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "headline": { + "description": "The text headline of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "description": { + "description": "The text describing the subject event of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "instruction": { + "description": "The text describing the recommended action to be taken by recipients of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "web": { + "description": "The identifier of 
the hyperlink associating additional information with the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "link" + }, + "contact": { + "description": "The text describing the contact for follow-up and confirmation of the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "parameter": { + "description": "A system-specific additional parameter associated with the alert message.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Common Alerting Protocol Version (CAP) info object", + "meta-category": "misc", + "uuid": "826c25e6-fdd5-4e4a-b081-be5ba3ac2c3d", + "name": "cap-info" +} From b4d433a845872a20b888b9ba913d6b131c0394d2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 8 Feb 2018 11:53:05 +0100 Subject: [PATCH 29/98] add: Common Alerting Protocol Version (CAP) resource object --- objects/cap-resource/definition.json | 46 ++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 objects/cap-resource/definition.json diff --git a/objects/cap-resource/definition.json b/objects/cap-resource/definition.json new file mode 100644 index 0000000..92502a2 --- /dev/null +++ b/objects/cap-resource/definition.json 
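Review bot: CAP allows `category`, `responseType`, `eventCode` and `parameter` to occur more than once within a single info block, but none of the four carries `"multiple": true` (the flag other templates in this series use for repeatable values, e.g. the cowrie template's `password`), so one object instance can hold only a single category or response type per alert; add `"multiple": true` to those four attribute definitions. The `certainty` and `web` descriptions appear to be split across a line break inside the JSON string (`certainty` after "alert message." and `web` after "The identifier of"); if those breaks are literal in the file they are unescaped control characters that strict parsers reject. The `language` description also ends with a trailing space.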
@@ -0,0 +1,46 @@
+{
+ "requiredOneOf": [
+ "resourceDesc"
+ ],
+ "attributes": {
+ "resourceDesc": {
+ "description": "The text describing the type and content of the resource file.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "mimeType": {
+ "description": "The identifier of the MIME content type and sub-type describing the resource file.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "mime-type"
+ },
+ "size": {
+ "description": "The integer indicating the size of the resource file.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "uri": {
+ "description": "The identifier of the hyperlink for the resource file.",
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "derefUri": {
+ "description": "The base-64 encoded data content of the resource file.",
+ "ui-priority": 0,
+ "misp-attribute": "attachment",
+ "disable_correlation": true
+ },
+ "digest": {
+ "description": "The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL).",
+ "ui-priority": 0,
+ "misp-attribute": "sha1"
+ }
+ },
+ "version": 1,
+ "description": "Common Alerting Protocol Version (CAP) resource object",
+ "meta-category": "misc",
+ "uuid": "6fddc76b-59fc-49f6-a673-52f8d15149c4",
+ "name": "cap-resource"
+}
From 3d2091b33ca8a998673d98c5a28ff10ab08f51dd Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 9 Feb 2018 07:34:58 +0100
Subject: [PATCH 30/98] fix: use new attribute type mime-type instead of text
---
 objects/file/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index f0f7fe0..7749f45 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
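Review bot: `size` is described as "The integer indicating the size of the resource file" but typed as free `text`; MISP has a dedicated `size-in-bytes` attribute type, so `"misp-attribute": "size-in-bytes"` would let the value be validated and compared numerically instead of as a string. `derefUri` carries base64 file content supplied by the alert sender as an `attachment`, and its description should say so, since that is the one attribute here whose value a consumer may open or render rather than merely display.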
@@ -138,7 +138,7 @@
 "description": "Mime type",
 "disable_correlation": true,
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "mime-type"
 },
 "state": {
 "misp-attribute": "text",
@@ -156,7 +156,7 @@
 ]
 }
 },
- "version": 9,
+ "version": 10,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
From 061c0ae2223fdfb4fb0563b704f15821fd72347d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 9 Feb 2018 07:38:41 +0100
Subject: [PATCH 31/98] add: Common Alerting Protocol Version (CAP) object templates
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index d60eb4b..9ba5f70 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,9 @@ for a specific attribute. * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. * [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0. +* [objects/cap-alert](objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object. +* [objects/cap-info](objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object. +* [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object. * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency. * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases. * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. From eef4aab989606c4a9717040bf3048f116f904846 Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Fri, 9 Feb 2018 09:43:39 +0100 Subject: [PATCH 32/98] Changed http request object template require either uri or url, http method is no longer required. --- objects/http-request/definition.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/objects/http-request/definition.json b/objects/http-request/definition.json index 67f7809..76bb081 100644 --- a/objects/http-request/definition.json +++ b/objects/http-request/definition.json @@ -1,6 +1,6 @@ { - "required": [ - "method", + "requiredOneOf": [ + "url", "uri" ], "attributes": { 
@@ -111,7 +111,7 @@
 "misp-attribute": "user-agent"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "A single HTTP request header",
 "meta-category": "network",
 "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",
From 594bf5dcc01282564ab14d09233516a170c48807 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 13 Feb 2018 17:53:37 +0100
Subject: [PATCH 33/98] Added attributes for the teller and the authorizer of a transaction
---
 objects/transaction/definition.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json
index 11f703e..184ff55 100644
--- a/objects/transaction/definition.json
+++ b/objects/transaction/definition.json
@@ -32,6 +32,16 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "teller": {
+ "description": "Person who conducted the transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "authorized": {
+ "description": "Person who autorized the transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "date": {
 "description": "Date and time of the transaction.",
 "ui-priority": 0,
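Review bot: the two added attributes change the transaction template's schema, yet `"version": 1` is left untouched here and again in the next three transaction patches (the hunks of patches 34, 35 and 36, which add the funds-code and country attributes, their `sane_default` lists and the meta-category change); the file, http-request, cowrie and url patches in this series each bump `version` when the template changes, and MISP relies on that number to pick up an updated template. Bump it at least once the series is complete. The `authorized` description also has a typo, `"description": "Person who authorized the transaction."`, and the key would read better as `authorizer`, since it names a person rather than a state.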
@@ -56,6 +56,26 @@
 "description": "Date of posting, if different from date of transaction.",
 "ui-priority": 0,
 "misp-attribute": "datetime"
+ },
+ "from-funds-code": {
+ "description": "Type of funds used to initiate a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "to-funds-code": {
+ "description": "Type of funds used to finalize a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "from-country": {
+ "description": "Origin country of a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "to-country": {
+ "description": "Target country of a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
 }
 },
 "version": 1,
From 71fa0f66fa48fc6641a6ef3d51387a974f794434 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Wed, 14 Feb 2018 14:11:42 +0100
Subject: [PATCH 35/98] Added default values of funds code
---
 objects/transaction/definition.json | 34 +++++++++++++++++++++++++++--
 1 file changed, 32 insertions(+), 2 deletions(-)
diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json
index 4aab1f3..3cf4beb 100644
--- a/objects/transaction/definition.json
+++ b/objects/transaction/definition.json
@@ -60,12 +60,42 @@
 "from-funds-code": {
 "description": "Type of funds used to initiate a transaction.",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "A Deposit",
+ "C Currency exchange",
+ "D Casino chips",
+ "E Bank draft",
+ "F Money order",
+ "G Traveler’s cheques",
+ "H Life insurance policy",
+ "I Real estate",
+ "J Securities",
+ "K Cash",
+ "O Other",
+ "P Cheque"
+ ]
 },
 "to-funds-code": {
 "description": "Type of funds used to finalize a transaction.",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "A Deposit",
+ "C Currency exchange",
+ "D Casino chips",
+ "E Bank draft",
+ "F Money order",
+ "G Traveler’s cheques",
+ "H Life insurance policy",
+ "I Real estate",
+ "J Securities",
+ "K Cash",
+ "O Other",
+ "P Cheque"
+ ]
 },
 "from-country": {
 "description": "Origin country of a transaction.",
From 4cccea8828c3004add34e5acfc3204cf20ceaf53 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 20 Feb 2018 15:44:02 +0100
Subject: [PATCH 36/98] Fixed the bank-account meta-category ... which is actually "financial"
---
 objects/transaction/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json
index 3cf4beb..5dc404e 100644
--- a/objects/transaction/definition.json
+++ b/objects/transaction/definition.json
@@ -110,7 +110,7 @@
 },
 "version": 1,
 "description": "An object to describe a financial transaction.",
- "meta-category": "misc",
+ "meta-category": "financial",
 "uuid": "a47fa26a-01b6-4747-a394-5144e34456dc",
 "name": "transaction"
 }
From 271c789f9747491d3194258fa1a73297245fc2dd Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Thu, 22 Feb 2018 01:18:15 +0100
Subject: [PATCH 37/98] fix: Fixed somme bank-account fields
---
 objects/bank-account/definition.json | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json
index 46466e9..763cec7 100644
--- a/objects/bank-account/definition.json
+++ b/objects/bank-account/definition.json
@@ -9,12 +9,18 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
- "institution-code": {
+ "institution-name": {
 "description": "Name of the bank or financial organisation.",
 "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "institution-code": {
+ "description": "Institution code of the bank.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "swift": {
 "description": "SWIFT or BIC as defined in ISO 9362.",
 "disable_correlation": true,
@@ -58,7 +64,7 @@
 "ui-priority": 0,
 "misp-attribute": "iban"
 },
- "client-_number": {
+ "client-number": {
 "description": "Client number as seen by the bank.",
 "ui-priority": 0,
 "misp-attribute": "text"
From 8b1aff81355f345b8fdc30325577dbeb13a9ca4d Mon Sep 17 00:00:00 2001
From: zoomequipd
Date: Thu, 22 Feb 2018 16:36:19 -0600
Subject: [PATCH 38/98] add aba-rtn to bank-account object
---
 objects/bank-account/definition.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json
index 763cec7..528a1a6 100644
--- a/objects/bank-account/definition.json
+++ b/objects/bank-account/definition.json
@@ -54,6 +54,11 @@
 "disable_correlation": true,
 "misp-attribute": "text"
 },
+ "aba-rbn": {
+ "description": " ABA routing transit number",
+ "ui-priority": 0,
+ "misp-attribute": "aba-rbn"
+ },
 "account-name": {
 "description": "A field to freely describe the bank account details.",
 "ui-priority": 0,
From 0d31f27efc3dbb866d2163a328348f4ad1e532f9 Mon Sep 17 00:00:00 2001
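Review bot: renaming the existing key `institution-code` to `institution-name` and re-adding `institution-code` with a different meaning changes what the old key denotes for objects already created from this template: an existing object's `institution-code` value, which the old description says is a bank name, will now be read as an institution code, and no `version` bump accompanies the change so the two template revisions cannot be told apart. The safer shape is to leave `institution-code` as it was, add `institution-name` as a new attribute, and bump `version`; if the rename is kept because the old key was simply misnamed, the version bump is still needed. The same missing bump applies to the `aba-rbn` addition in the following hunk.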
From: zoomequipd
Date: Thu, 22 Feb 2018 16:37:12 -0600
Subject: [PATCH 39/98] correct rbn --> rtn
---
 objects/bank-account/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json
index 528a1a6..3c7ecee 100644
--- a/objects/bank-account/definition.json
+++ b/objects/bank-account/definition.json
@@ -54,10 +54,10 @@
 "disable_correlation": true,
 "misp-attribute": "text"
 },
- "aba-rbn": {
+ "aba-rtn": {
 "description": " ABA routing transit number",
 "ui-priority": 0,
- "misp-attribute": "aba-rbn"
+ "misp-attribute": "aba-rtn"
 },
 "account-name": {
 "description": "A field to freely describe the bank account details.",
From 73a2b411033dccec3487d50436a73b1d2c154bb7 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 23 Feb 2018 08:25:35 +0100
Subject: [PATCH 40/98] fix: jq all the things
---
 objects/bank-account/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json
index 3c7ecee..4952a7e 100644
--- a/objects/bank-account/definition.json
+++ b/objects/bank-account/definition.json
@@ -58,7 +58,7 @@
 "description": " ABA routing transit number",
 "ui-priority": 0,
 "misp-attribute": "aba-rtn"
- },
+ },
 "account-name": {
 "description": "A field to freely describe the bank account details.",
 "ui-priority": 0,
From bdaee9e1c7ba5ba53aeca11d32734f23ad8254f1 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 28 Feb 2018 17:41:29 +0100
Subject: [PATCH 41/98] add: Cowrie honeypot object template
---
 objects/cowrie/definition.json | 81 ++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 objects/cowrie/definition.json
diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json
new file mode 100644
index 0000000..6f8501f
--- /dev/null
+++ b/objects/cowrie/definition.json
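Review bot: the `aba-rtn` description still begins with a stray space, `" ABA routing transit number"`, which survives this rename and the whitespace-only follow-up hunk; it shows in the UI with a leading blank and differs from every other description in the file, so it should be `"description": "ABA routing transit number"`. Neither this hunk nor the one that introduced the attribute bumps the template's `version`, which the file, http-request and url patches in this series do for comparable changes.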
@@ -0,0 +1,81 @@
+{
+ "requiredOneOf": [
+ "session"
+ ],
+ "attributes": {
+ "eventid": {
+ "description": "Eventid of the session in the cowrie honeypot",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "system": {
+ "description": "System origin in cowrie honeypot",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "username": {
+ "description": "Username related to the password(s)",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "passsword": {
+ "description": "Password",
+ "multiple": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "session": {
+ "description": "Session id",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "timestamp": {
+ "description": "When the event happened",
+ "ui-priority": 1,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "message": {
+ "description": "Message of the cowrie honeypot",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "protocol": {
+ "description": "Protocol used in the cowrie honeypot",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "sensor": {
+ "description": "Cowrie sensor name",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "src_ip": {
+ "description": "Source IP address of the session",
+ "ui-priority": 1,
+ "misp-attribute": "ip-src"
+ },
+ "dst_ip": {
+ "description": "Destionation IP address of the session",
+ "ui-priority": 1,
+ "misp-attribute": "ip-dst",
+ "disable_correlation": true
+ },
+ "isError": {
+ "description": "isError",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Cowrie honeypot object template",
+ "meta-category": "network",
+ "uuid": "ae085d32-6534-4d52-b3eb-063fccb753e7",
+ "name": "cowrie"
+}
From 2f433a5e5c952b74bc60e82629b82c8f63e50da4 Mon Sep 17 00:00:00 2001
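Review bot: `isError` is documented only by its own name, `"description": "isError"`, which tells a reader nothing about what the value means or how to set it; if it is the Twisted log-event flag that cowrie copies into its JSON output, say so, e.g. `"description": "isError flag of the cowrie log event (set when the event records a failure)"`, and confirm against cowrie's output before publishing. Key naming also mixes `snake_case` (`src_ip`, `dst_ip`) with `camelCase` (`isError`) while the other templates in this series use kebab-case keys; settle on one style now, since keys cannot be renamed later without a breaking template change. `session` is the only required attribute but its description, `"Session id"`, does not say whose identifier it is (the cowrie session id from the log record, presumably), which matters because it is also the attribute other objects will correlate on.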
From: Alexandre Dulaunoy Date: Wed, 28 Feb 2018 17:42:56 +0100 Subject: [PATCH 42/98] add: Cowrie object template added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9ba5f70..3de8efb 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,7 @@ for a specific attribute. * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object. * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency. * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases. +* [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions. * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame. * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF). From 1fe3e79a0563f6895d2b27541eef205dfc541a57 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 28 Feb 2018 17:47:02 +0100 Subject: [PATCH 43/98] fix: add missing destination and source port --- objects/cowrie/definition.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json index 6f8501f..609cdee 100644 --- a/objects/cowrie/definition.json +++ b/objects/cowrie/definition.json 
@@ -61,11 +61,23 @@
 "misp-attribute": "ip-src"
 },
 "dst_ip": {
- "description": "Destionation IP address of the session",
+ "description": "Destination IP address of the session",
 "ui-priority": 1,
 "misp-attribute": "ip-dst",
 "disable_correlation": true
 },
+ "src_port": {
+ "description": "Source port of the session",
+ "ui-priority": 1,
+ "misp-attribute": "port",
+ "disable_correlation": true
+ },
+ "dst_port": {
+ "description": "Destination port of the session",
+ "ui-priority": 1,
+ "misp-attribute": "port",
+ "disable_correlation": true
+ },
 "isError": {
 "description": "isError",
 "ui-priority": 1,
From 73aa339ddd5e71cac425f8ad4e1892c4fabd42b9 Mon Sep 17 00:00:00 2001
From: Sami Mokaddem
Date: Thu, 1 Mar 2018 16:20:58 +0100
Subject: [PATCH 44/98] typo: passsword -> password
---
 objects/cowrie/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json
index 609cdee..815712a 100644
--- a/objects/cowrie/definition.json
+++ b/objects/cowrie/definition.json
@@ -20,7 +20,7 @@
 "ui-priority": 1,
 "misp-attribute": "text"
 },
- "passsword": {
+ "password": {
 "description": "Password",
 "multiple": true,
 "ui-priority": 1,
From a93a2851320f0df5cabd2f1309d50b24ec7f41c0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 1 Mar 2018 21:08:16 +0100
Subject: [PATCH 45/98] fix: Cowrie object - SSH attributes added
---
 objects/cowrie/definition.json | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json
index 815712a..2016b7b 100644
--- a/objects/cowrie/definition.json
+++ b/objects/cowrie/definition.json
@@ -83,9 +83,41 @@ "ui-priority": 1, "misp-attribute": "text", "disable_correlation": true + }, + "input": { + "description": "Input of the session", + "ui-priority": 1, + "misp-attribute": "text" + }, + "macCS": { + "description": "SSH MAC supported in the sesssion", + "multiple": true, + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "keyAlgs": { + "description": "SSH public-key algorithm supported in the session", + "multiple": true, + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "encCS": { + "description": "SSH symmetric encryption algorithm supported in the session", + "multiple": true, + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "compCS": { + "description": "SSH compression algorithm supported in the session", + "multiple": true, + "ui-priority": 1, + "misp-attribute": "text" } }, - "version": 1, + "version": 2, "description": "Cowrie honeypot object template", "meta-category": "network", "uuid": "ae085d32-6534-4d52-b3eb-063fccb753e7", From 4ed961f5e65607bdcbf4696a15aa945fc8e471b3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 1 Mar 2018 21:09:04 +0100 Subject: [PATCH 46/98] fix: disable correlation for compression algorithms --- objects/cowrie/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json index 2016b7b..d3926d1 100644 --- a/objects/cowrie/definition.json +++ b/objects/cowrie/definition.json @@ -114,7 +114,8 @@ "description": "SSH compression algorithm supported in the session", "multiple": true, "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true } }, "version": 2, From f7f0a88838e417c7c55451e31cf9ff7967be7b00 Mon Sep 17 00:00:00 2001 
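Review bot: The `macCS` description misspells session: `"description": "SSH MAC supported in the sesssion",` should read `"description": "SSH MAC algorithm supported in the session",`, matching the wording of `keyAlgs`, `encCS` and `compCS`. `input` is the only new attribute that carries neither `multiple` nor `disable_correlation`; a shell session normally yields several command lines, so `"multiple": true` probably belongs on it too, which is worth confirming against how the cowrie exporter populates the object. The `attributes` object opens outside the hunk.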
From: Alexandre Dulaunoy Date: Thu, 15 Mar 2018 09:38:53 +0100 Subject: [PATCH 47/98] fix: some parts of the URL can be repeated such as resource path, anchor... multiple flag added to the potential part to be repeated. following a discussion in Gitter with @makflwana --- objects/url/definition.json | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/objects/url/definition.json b/objects/url/definition.json index 368e8f7..10729f9 100644 --- a/objects/url/definition.json +++ b/objects/url/definition.json @@ -6,7 +6,8 @@ "fragment": { "description": "Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "multiple": true }, "tld": { "description": "Top-Level Domain", @@ -42,12 +43,14 @@ "resource_path": { "description": "Path (between hostname:port and query)", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "multiple": true }, "query_string": { "description": "Query (after path, preceded by '?')", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "multiple": true }, "url": { "description": "Full URL", @@ -92,7 +95,7 @@ "misp-attribute": "hostname" } }, - "version": 5, + "version": 6, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", From cee578dce19f5b4f87af3272e40772d752836c3d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 16 Mar 2018 11:35:15 +0100 Subject: [PATCH 48/98] add: Connected_To (old STIX 1.1 relationship) --- relationships/definition.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index 5e6083e..ae5f3db 100644 --- a/relationships/definition.json 
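Review bot: The template-level `description` still speaks of `an url` in the singular while `fragment`, `resource_path` and `query_string` now accept several values, so a reader cannot tell whether one object may carry several observed URL variants or whether the repeated parts belong to one URL. Since `version` is bumped in this hunk anyway, the sentence could say so, e.g. `"description": "url object describes an url (or several observed variants of it) along with its normalized fields (like extracted using faup parsing library) and its metadata.",`. Which of the two readings is intended is inferred from the commit message, so confirm before wording it.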
+++ b/relationships/definition.json @@ -25,6 +25,14 @@ "stix-2.0" ] }, + { + "name": "connected-to", + "description": "The referenced source is connected to the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, { "name": "attributed-to", "description": "This referenced source is attributed to the target object.", From 982e2d8b7587f81d90f8f58e54aeaae9d89e44ee Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 16 Mar 2018 13:13:35 +0100 Subject: [PATCH 49/98] fix: raw whois is also accepted as single attribute in whois object Required for importing STIX CybOX 1.1 object where just a raw whois entry is added in remarks. --- objects/whois/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/whois/definition.json b/objects/whois/definition.json index 320873c..0215a41 100644 --- a/objects/whois/definition.json +++ b/objects/whois/definition.json @@ -4,7 +4,8 @@ "registrant-phone", "creation-date", "registrant-name", - "registrar" + "registrar", + "text" ], "required": [ "domain" @@ -77,7 +78,7 @@ "misp-attribute": "domain" } }, - "version": 7, + "version": 8, "description": "Whois records information for a domain name.", "meta-category": "network", "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a", From e7e387804297645064dcc3890b9d90c2cb63fb15 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 16 Mar 2018 13:29:39 +0100 Subject: [PATCH 50/98] fix: whois record object updated to cover both cases: domain or IP address --- objects/whois/definition.json | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/objects/whois/definition.json b/objects/whois/definition.json index 0215a41..0c4d5b0 100644 --- a/objects/whois/definition.json +++ b/objects/whois/definition.json @@ -5,10 +5,9 @@ "creation-date", "registrant-name", "registrar", - "text" - ], - "required": [ - "domain" + "text", + "domain", + "ip-address" ], "attributes": { "text": { 
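Review bot: Dropping the `required` list and moving `domain` into `requiredOneOf` makes a whois object valid when its only attribute is, for example, `registrar` or `creation-date`, since those were already in `requiredOneOf`; such an object names no subject at all (no domain, no address, no raw record). Before this hunk `domain` was mandatory, so a subject was always present. If the intent is only to admit raw-text and IP records, a `requiredOneOf` limited to `"text"`, `"domain"` and `"ip-address"` would preserve that guarantee; otherwise the template `description` (outside this hunk) should state that a subject-less record is acceptable. The `attributes` object continues outside the hunk.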
@@ -74,12 +73,22 @@ "Network activity", "External analysis" ], - "ui-priority": 1, + "ui-priority": 0, "misp-attribute": "domain" + }, + "comment": { + "description": "Comment of the whois entry", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ip-address": { + "description": "IP address of the whois entry", + "ui-priority": 0, + "misp-attribute": "ip-src" } }, - "version": 8, - "description": "Whois records information for a domain name.", + "version": 9, + "description": "Whois records information for a domain name or an IP address.", "meta-category": "network", "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a", "name": "whois" From c92ee2e46179f2b30ff1011950f16af38e0f94fc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 19 Mar 2018 17:33:45 +0100 Subject: [PATCH 51/98] fix: version field added if stix2-pattern has multiple version in the future --- objects/stix2-pattern/definition.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/objects/stix2-pattern/definition.json b/objects/stix2-pattern/definition.json index 5abd6f0..ab49a22 100644 --- a/objects/stix2-pattern/definition.json +++ b/objects/stix2-pattern/definition.json @@ -12,9 +12,17 @@ "description": "STIX 2 pattern", "ui-priority": 0, "misp-attribute": "stix2-pattern" + }, + "version": { + "description": "Version of STIX 2 pattern.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "stix 2.0" + ] } }, - "version": 1, + "version": 2, "description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.", "meta-category": "misc", "uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9", From 1f8a26fa3ee7dac5e015d94d0b8f1280a55f3fa0 Mon Sep 17 00:00:00 2001 
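Review bot: `ip-address` is typed `ip-src`, so a whois subject address will be treated as a network source and, with correlation left on, will correlate with every `ip-src` sighting of that address in unrelated network-activity events, although a registrant's address is neither source nor destination of any flow. If that pivot is wanted, say so in the description, e.g. `"description": "IP address the whois record was queried for (typed ip-src so it correlates with source-IP sightings)",`; if not, `"disable_correlation": true` as used on the cowrie port attributes above would silence it. The new `comment` attribute is typed `text`, whereas the yara and suricata templates added later on this page (patches 57 and 64) type their `comment` attribute as `comment`; one convention avoids two attribute types for the same concept.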
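Review bot: The new `version` attribute of the stix2-pattern template is free text with a `sane_default` of `stix 2.0` and no `disable_correlation`, so nearly every stix2-pattern object will carry the same value and correlate with every other one, which is pure noise. Adding `"disable_correlation": true` to it, as the cowrie and fail2ban templates do for their enumerated text fields, avoids that. The same applies to the `version` attributes introduced in the yara (patch 57) and suricata (patch 64) templates later on this page. An attribute named `version` inside `attributes` next to the template's own `version` key is legal but easy to confuse in tooling that flattens both.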
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 26 Mar 2018 10:54:44 +0200 Subject: [PATCH 52/98] new: Fail2ban object --- objects/fail2ban/definition.json | 44 ++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 objects/fail2ban/definition.json diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json new file mode 100644 index 0000000..cfd9757 --- /dev/null +++ b/objects/fail2ban/definition.json @@ -0,0 +1,44 @@ +{ + "required":[ + "banned-ip", + "processing-timestamp", + "attack-type" + ], + "attributes": { + "banned-ip": { + "description": "IP Address banned by fail2ban", + "ui-priority": 1, + "misp-attribute": "ipsrc" + }, + "timestamp": { + "description": "Timestamp of the report", + "ui-priority": 1, + "misp-attribute": "datetime" + }, + "attack-type": { + "description": "Type of the attack", + "ui-priority": 1, + "misp-attribute": "text" + }, + "failures": { + "description": "Amount of failures that lead to the ban.", + "ui-priority": 1, + "misp-attribute": "counter" + }, + "sensor": { + "description": "Identifier of the sensor", + "ui-priority": 1, + "misp-attribute": "text" + }, + "victim": { + "description": "Identifier of the victim", + "ui-priority": 1, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Fail2ban event", + "meta-category": "network", + "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba", + "name": "fail2ban" +} From aa30a49796eaca04e4e56631cdfe01b403770da8 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 26 Mar 2018 11:28:32 +0200 Subject: [PATCH 53/98] fix: attribute type fixed --- objects/fail2ban/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json index cfd9757..751833c 100644 --- a/objects/fail2ban/definition.json +++ b/objects/fail2ban/definition.json 
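Review bot: The template `uuid` `8be2271-7326-41a5-a0dd-9b4bec88e1ba` has only seven hex digits in its first group, so it is not a valid RFC 4122 UUID; consumers that validate or canonicalise template UUIDs may reject the template or fail to match objects back to it. The value is carried unchanged through patches 53, 56, 58 and 61 on this page, so none of the follow-ups catch it. Replace it with a freshly generated UUIDv4, e.g. `"uuid": "<new-uuid4>"`, before the template ships.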
@@ -8,7 +8,7 @@ "banned-ip": { "description": "IP Address banned by fail2ban", "ui-priority": 1, - "misp-attribute": "ipsrc" + "misp-attribute": "ip-src" }, "timestamp": { "description": "Timestamp of the report", @@ -36,7 +36,7 @@ "misp-attribute": "text" } }, - "version": 1, + "version": 2, "description": "Fail2ban event", "meta-category": "network", "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba", From b0755e3ca858027b6510e2330b9a38ccc1eae2d0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 26 Mar 2018 11:37:38 +0200 Subject: [PATCH 54/98] jq all --- objects/fail2ban/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json index 751833c..dd4fc95 100644 --- a/objects/fail2ban/definition.json +++ b/objects/fail2ban/definition.json @@ -1,5 +1,5 @@ { - "required":[ + "required": [ "banned-ip", "processing-timestamp", "attack-type" From 1f8fd57d69a1162a60532ac63f309458f69bec60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 26 Mar 2018 11:41:00 +0200 Subject: [PATCH 55/98] chg: Fix&update fail2ban def --- objects/fail2ban/definition.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json index cfd9757..f28ecb1 100644 --- a/objects/fail2ban/definition.json +++ b/objects/fail2ban/definition.json @@ -8,7 +8,7 @@ "banned-ip": { "description": "IP Address banned by fail2ban", "ui-priority": 1, - "misp-attribute": "ipsrc" + "misp-attribute": "ip-src" }, "timestamp": { "description": "Timestamp of the report", @@ -34,6 +34,11 @@ "description": "Identifier of the victim", "ui-priority": 1, "misp-attribute": "text" + }, + "logline": { + "description": "Example log line that caused the ban.", + "ui-priority": 1, + "misp-attribute": "text" } }, "version": 1, From 7c2e07a50b944d265f92cfba712d872091c1c199 Mon Sep 17 00:00:00 2001 
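Review bot: The `index cfd9757..f28ecb1` line shows patch 55 was generated against the original fail2ban file rather than the `dd4fc95` left by patch 54, so it re-applies the `ipsrc` to `ip-src` fix already made in patch 53 and its trailing context still reads `"version": 1` although patch 53 moved it to 2. Applied in series this hunk is likely to fail or need manual resolution, and the `logline` addition arrives without a version bump of its own. Rebasing on `dd4fc95` so the patch only adds `logline` and bumps `version` to 3 would make it apply cleanly; patch 56's `index a199f9e..3e5d68a` suggests a merge already happened in between, so check which version the merged file ended on.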
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 26 Mar 2018 12:05:17 +0200 Subject: [PATCH 56/98] fix: wrong attribute name --- objects/fail2ban/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json index a199f9e..3e5d68a 100644 --- a/objects/fail2ban/definition.json +++ b/objects/fail2ban/definition.json @@ -10,7 +10,7 @@ "ui-priority": 1, "misp-attribute": "ip-src" }, - "timestamp": { + "processing-timestamp": { "description": "Timestamp of the report", "ui-priority": 1, "misp-attribute": "datetime" @@ -41,7 +41,7 @@ "misp-attribute": "text" } }, - "version": 2, + "version": 3, "description": "Fail2ban event", "meta-category": "network", "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba", From 0a0778bb8643d2fbcb7a597f81e84021bd1e9089 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 26 Mar 2018 14:26:15 +0200 Subject: [PATCH 57/98] add: new yara object added with a version number --- objects/yara/definition.json | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 objects/yara/definition.json diff --git a/objects/yara/definition.json b/objects/yara/definition.json new file mode 100644 index 0000000..ed5d310 --- /dev/null +++ b/objects/yara/definition.json 
@@ -0,0 +1,30 @@ +{ + "requiredOneOf": [ + "yara" + ], + "attributes": { + "comment": { + "description": "A description of the YARA rule.", + "ui-priority": 0, + "misp-attribute": "comment" + }, + "yara": { + "description": "YARA rule.", + "ui-priority": 0, + "misp-attribute": "yara" + }, + "version": { + "sane_default": [ + "3.7.1" + ], + "description": "Version of the YARA rule depending where the yara rule is known to work as expected.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "An object describing a YARA rule along with its version.", + "meta-category": "misc", + "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", + "name": "misc" +} From 3d0540a6712655b74babebeac5bc67ac7b6871db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 26 Mar 2018 17:27:55 +0200 Subject: [PATCH 58/98] chg: disable correlations in fail2ban --- objects/fail2ban/definition.json | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json index 3e5d68a..a7dfe3b 100644 --- a/objects/fail2ban/definition.json +++ b/objects/fail2ban/definition.json 
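Review bot: The `version` attribute's description, `Version of the YARA rule depending where the yara rule is known to work as expected.`, reads as the rule's own version, while its `sane_default` `3.7.1` looks like a YARA engine release, so the two disagree about what the field holds. If the engine version is meant, `"description": "Version of the YARA engine with which the rule is known to work as expected.",` says so, and the template-level `description` (`...along with its version`) should be made equally precise. Whether `3.7.1` refers to the engine is inferred from the value, so confirm with the author.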
@@ -13,35 +13,41 @@ "processing-timestamp": { "description": "Timestamp of the report", "ui-priority": 1, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "attack-type": { "description": "Type of the attack", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "failures": { "description": "Amount of failures that lead to the ban.", "ui-priority": 1, - "misp-attribute": "counter" + "misp-attribute": "counter", + "disable_correlation": true }, "sensor": { "description": "Identifier of the sensor", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "victim": { "description": "Identifier of the victim", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "logline": { "description": "Example log line that caused the ban.", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true } }, - "version": 3, + "version": 4, "description": "Fail2ban event", "meta-category": "network", "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba", From b3c348f4ab6f8bc937bc7c600d0ccf230674c64f Mon Sep 17 00:00:00 2001 From: Sheidan Date: Mon, 26 Mar 2018 18:16:29 +0200 Subject: [PATCH 59/98] x509-add-required-one-of-serial-number --- objects/x509/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/x509/definition.json b/objects/x509/definition.json index f87af6d..ad1d1de 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json @@ -2,7 +2,8 @@ "requiredOneOf": [ "x509-fingerprint-md5", "x509-fingerprint-sha1", - "x509-fingerprint-sha256" + "x509-fingerprint-sha256", + "serial-number" ], "attributes": { "subject": { From d87336b5c9488c099e9579d35c0584236c2cba14 Mon Sep 17 00:00:00 2001 
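Review bot: Adding `serial-number` to `requiredOneOf` allows an x509 object whose only attribute is a serial number, but a serial is unique only per issuer, so such an object does not identify a certificate on its own and, with correlation enabled, low-entropy or vendor-default serials would correlate across unrelated CAs. `requiredOneOf` cannot express "serial plus issuer", so the `serial-number` description (outside this hunk) should state that `issuer` is expected alongside it, e.g. `"description": "Serial number of the certificate; only unique per issuer, so provide issuer as well.",`. Whether `disable_correlation` is set on `serial-number` is not visible here.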
From: Alexandre Dulaunoy Date: Tue, 27 Mar 2018 08:55:02 +0200 Subject: [PATCH 60/98] version fixed for X509 object --- objects/x509/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/x509/definition.json b/objects/x509/definition.json index ad1d1de..a7220b6 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json @@ -84,7 +84,7 @@ "misp-attribute": "text" } }, - "version": 5, + "version": 6, "description": "x509 object describing a X.509 certificate", "meta-category": "network", "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", From 206da3b10087516c37a895a48d3c2ac1ad25dc09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 27 Mar 2018 10:25:54 +0200 Subject: [PATCH 61/98] new: Attach logfile to fail2ban --- objects/fail2ban/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json index a7dfe3b..90b0151 100644 --- a/objects/fail2ban/definition.json +++ b/objects/fail2ban/definition.json @@ -45,9 +45,15 @@ "ui-priority": 1, "misp-attribute": "text", "disable_correlation": true + }, + "logfile": { + "description": "Full logfile related to the attack.", + "ui-priority": 1, + "misp-attribute": "attachment", + "disable_correlation": true } }, - "version": 4, + "version": 5, "description": "Fail2ban event", "meta-category": "network", "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba", From 422a4c3e0ee927abab6032a249f1383b1ab5ac8d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 27 Mar 2018 11:54:04 +0200 Subject: [PATCH 62/98] fail2ban and yara object template added in list --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 3de8efb..ab3a50a 100644 --- a/README.md +++ b/README.md 
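Review bot: The `logfile` description, `Full logfile related to the attack.`, does not say whether the attachment is the whole sensor log or only the entries tied to `banned-ip`; a complete fail2ban log usually holds other clients' addresses and usernames unrelated to the ban, which matters once the object is shared beyond the originating organisation. Spelling out the expected content, e.g. `"description": "Log file (or excerpt) that led to the ban; may contain entries unrelated to banned-ip, review before sharing.",`, sets the data-handling expectation for contributors. The rest of the template is outside the hunk.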
@@ -82,6 +82,7 @@ for a specific attribute. * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF). * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF). * [objects/email](objects/email/definition.json) - An email object. +* [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object. * [objects/file](objects/file/definition.json) - File object describing a file with meta-information. * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location. * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame. @@ -110,6 +111,7 @@ for a specific attribute. * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused. * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name. * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate. +* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported. ## MISP objects relationships From 405d4e6bff5c9bc5ad8378dc8f0f1ba06d44e1e8 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 28 Mar 2018 14:31:32 +0200 Subject: [PATCH 63/98] fix: name of the object template was incorrect --- objects/yara/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/yara/definition.json b/objects/yara/definition.json index ed5d310..4b4724d 100644 --- a/objects/yara/definition.json +++ b/objects/yara/definition.json 
@@ -22,9 +22,9 @@ "misp-attribute": "text" } }, - "version": 1, + "version": 2, "description": "An object describing a YARA rule along with its version.", "meta-category": "misc", "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", - "name": "misc" + "name": "yara" } From 62e782b589713758b18bef8bc071c97c050de394 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 28 Mar 2018 14:32:53 +0200 Subject: [PATCH 64/98] add: Suricata object added with context --- objects/suricata/definition.json | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 objects/suricata/definition.json diff --git a/objects/suricata/definition.json b/objects/suricata/definition.json new file mode 100644 index 0000000..ddbe458 --- /dev/null +++ b/objects/suricata/definition.json @@ -0,0 +1,32 @@ +{ + "requiredOneOf": [ + "suricata" + ], + "attributes": { + "comment": { + "description": "A description of the Suricata rule.", + "ui-priority": 0, + "misp-attribute": "comment" + }, + "suricata": { + "description": "Suricata rule.", + "ui-priority": 0, + "misp-attribute": "suricata" + }, + "version": { + "description": "Version of the Suricata rule depending where the suricata rule is known to work as expected.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ref": { + "description": "Reference to the Suricata rule such as origin of the rule or alike.", + "misp-attribute": "link", + "ui-priority": 0 + } + }, + "version": 1, + "description": "An object describing a Suricata rule along with its version and context", + "meta-category": "network", + "uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a", + "name": "suricata" +} From c1d266687da53e86f17ba7a73feb48ef11e0c2a0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 28 Mar 2018 14:33:59 +0200 Subject: [PATCH 65/98] add: Suricata template object added --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ab3a50a..1f2697e 100644 --- a/README.md +++ b/README.md 
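Review bot: The `ref` attribute lists `misp-attribute` before `ui-priority`, the reverse of every other attribute in this template and of the yara template it mirrors; ordering it `"ui-priority": 0,` then `"misp-attribute": "link"` keeps the entries scannable. The `version` attribute repeats the garbled clause from the yara template (`depending where the suricata rule is known to work as expected`) and, unlike yara's, has no `sane_default`, so nothing hints whether a Suricata engine version or a ruleset revision is meant; `"description": "Version of the Suricata engine (or ruleset revision) with which the rule is known to work as expected.",` would settle it once the author confirms which.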
@@ -103,6 +103,7 @@ for a specific attribute. * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. +* [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. From 1ff6cbf67abe0bd92e6b8a0165729dc743578817 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 28 Mar 2018 15:26:35 +0200 Subject: [PATCH 66/98] fix: Feedback from @sheidan --- objects/x509/definition.json | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/objects/x509/definition.json b/objects/x509/definition.json index a7220b6..106a90c 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json @@ -49,7 +49,12 @@ "misp-attribute": "x509-fingerprint-sha256" }, "raw-base64": { - "description": "Raw certificate base64 encoded", + "description": "Raw certificate base64 encoded (DER format)", + "ui-priority": 0, + "misp-attribute": "text" + }, + "pem": { + "description": "Raw certificate in PEM formati (Unix-like newlines)", "ui-priority": 0, "misp-attribute": "text" }, 
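Review bot: The new `pem` attribute's description has a typo: `"description": "Raw certificate in PEM formati (Unix-like newlines)",` should read `"description": "Raw certificate in PEM format (Unix-like newlines)",`. It would also help to state that the value is expected to include the `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` lines, so that `pem` and the now DER-labelled `raw-base64` do not end up holding the same base64 body under two names.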
@@ -82,9 +87,25 @@ "description": "Version of the certificate", "ui-priority": 0, "misp-attribute": "text" + }, + "self_signed": { + "description": "Self-signed certificate", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "is_ca": { + "description": "CA certificate", + "ui-priority": 0, + "misp-attribute": "boolean" + }, + "dns_names": { + "description": "DNS names", + "multiple": true, + "misp-attribute": "text", + "ui-priority": 0 } }, - "version": 6, + "version": 7, "description": "x509 object describing a X.509 certificate", "meta-category": "network", "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", From bd89d1cd0119de08a1d28242b1e4875160abbbff Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 9 Apr 2018 15:56:39 +0200 Subject: [PATCH 67/98] fix: file path added in file object --- objects/file/definition.json | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 7749f45..4c65a73 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -17,7 +17,8 @@ "tlsh", "pattern-in-file", "x509-fingerprint-sha1", - "malware-sample" + "malware-sample", + "path" ], "attributes": { "md5": { @@ -124,6 +125,13 @@ "ui-priority": 1, "misp-attribute": "filename" }, + "path": { + "description": "Path of the filename complete or partial", + "disable_correlation": true, + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, "tlsh": { "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash", "ui-priority": 0, @@ -156,7 +164,7 @@ ] } }, - "version": 10, + "version": 11, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From c8e9155a3eba26696219127d09bcbedf95014416 Mon Sep 17 00:00:00 2001 
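Review bot: The new keys `self_signed`, `is_ca` and `dns_names` use snake_case while the rest of this template (`raw-base64`, `serial-number`, `x509-fingerprint-sha256`) and the other templates on this page use kebab-case; `self-signed`, `is-ca` and `dns-names` would match, and renaming later would cost another version bump. `dns_names` is typed `text`, so Subject Alternative Name entries will not correlate with `hostname` or `domain` attributes elsewhere (the ip-port template below uses `"misp-attribute": "hostname"`); if that pivot is wanted, `hostname` is the closer type. The two boolean attributes carry no `disable_correlation`; unless the `boolean` type is non-correlating by default, a value shared by half of all certificates is noise and `"disable_correlation": true` is advisable. The `attributes` object opens outside the hunk.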
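Review bot: The `path` description in the file template, `Path of the filename complete or partial`, is hard to parse; `"description": "Full or partial path of the file",` says the same thing plainly. Because `path` is also added to `requiredOneOf`, a file object may now consist of a path alone, which the template `description` (`File object describing a file with meta-information`) does not suggest; a short clause there, or in the `path` description, that a bare path is acceptable would document that. The enclosing `attributes` object begins outside the hunk.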
From: Alexandre Dulaunoy Date: Tue, 10 Apr 2018 14:46:36 +0200 Subject: [PATCH 68/98] fix: add hostname to ip-port template and make attributes multiple --- objects/ip-port/definition.json | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json index b7be390..a91ed90 100644 --- a/objects/ip-port/definition.json +++ b/objects/ip-port/definition.json @@ -3,6 +3,7 @@ "dst-port", "src-port", "domain", + "hostname", "ip" ], "attributes": { @@ -40,7 +41,9 @@ "External analysis" ], "ui-priority": 1, - "misp-attribute": "port" + "misp-attribute": "port", + "disable_correlation": true, + "multiple": true }, "domain": { "description": "Domain", @@ -49,7 +52,18 @@ "External analysis" ], "ui-priority": 1, - "misp-attribute": "domain" + "misp-attribute": "domain", + "multiple": true + }, + "hostname": { + "description": "Hostname", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "hostname", + "multiple": true }, "ip": { "description": "IP Address", @@ -58,11 +72,12 @@ "External analysis" ], "ui-priority": 1, - "misp-attribute": "ip-dst" + "misp-attribute": "ip-dst", + "multiple": true } }, - "version": 6, - "description": "An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame.", + "version": 7, + "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "name": "ip-port" From c8e7cea45be5a4f2e1e85142670e9dc5e4d81bc9 Mon Sep 17 00:00:00 2001 From: Dennis Rand Date: Tue, 10 Apr 2018 16:03:05 +0000 Subject: [PATCH 69/98] Added target-system as object --- objects/target-system/definition.json | 39 +++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 objects/target-system/definition.json 
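Review bot: With `"multiple": true` now on `ip` and on the port attribute preceding `domain` (its key is outside the hunk), one object can hold several addresses and several ports, but nothing records which port was seen with which address, while the updated `description` still promises `a tuple (or as a triple)`. Either the description should state that every listed port applies to every listed address, or the pairing should stay one object per tuple and `multiple` be limited to `domain` and `hostname`. `hostname` is added to `requiredOneOf`, so an object holding only a hostname and no address now validates, which the new description does cover.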
diff --git a/objects/target-system/definition.json b/objects/target-system/definition.json new file mode 100644 index 0000000..8b9a681 --- /dev/null +++ b/objects/target-system/definition.json @@ -0,0 +1,39 @@ +{ + "name": "target-system", + "uuid": "3110944f-eca0-4c94-9d61-a84d022228a4", + "meta-category": "Targeting data", + "description": "Description about an targeted system, this could potentially be a compromissed internal system", + "version": 1, + "attributes": { + "targeted_machine": { + "description": "Targeted system", + "ui-priority": 1, + "misp-attribute": "target-machine", + "disable_correlation": true, + "categories": [ + "Targeting data" + ] + }, + "targeted_ip_of_system": { + "description": "Targeted system IP address", + "ui-priority": 1, + "misp-attribute": "ip-src", + "disable_correlation": true, + "categories": [ + "Network activity" + ] + }, + "timestamp_seen": { + "description": "Registered date and time", + "ui-priority": 1, + "misp-attribute": "datetime", + "disable_correlation": true, + "categories": [ + "Other" + ] + } + }, + "requiredOneOf": [ + "targeted_machine" + ] +} From 8744ff50a3a7ffa5a9995683cb8cd83d281cb324 Mon Sep 17 00:00:00 2001 From: Dennis Rand Date: Tue, 10 Apr 2018 16:08:04 +0000 Subject: [PATCH 70/98] moved object into internal --- objects/target-system/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/target-system/definition.json b/objects/target-system/definition.json index 8b9a681..6ed6cc0 100644 --- a/objects/target-system/definition.json +++ b/objects/target-system/definition.json @@ -1,7 +1,7 @@ { "name": "target-system", "uuid": "3110944f-eca0-4c94-9d61-a84d022228a4", - "meta-category": "Targeting data", + "meta-category": "internal", "description": "Description about an targeted system, this could potentially be a compromissed internal system", "version": 1, "attributes": { From 05873aefaf4bb9bca363164856b190a775995841 Mon Sep 17 00:00:00 2001 
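Review bot: The template `description` has two spelling errors and a comma splice: `Description about an targeted system, this could potentially be a compromissed internal system` should read `Description of a targeted system; this could potentially be a compromised internal system`, and patch 70 on this same line changes only `meta-category`, leaving it in place. `targeted_ip_of_system` is typed `ip-src` although it denotes the target of the activity, so it will correlate with attacker source-IP sightings rather than with `ip-dst` attributes; `ip-dst` looks like the closer fit unless the author wants compromised internal hosts to match later source-IP sightings. The attribute keys (`targeted_machine`, `timestamp_seen`) use snake_case where the other templates on this page use kebab-case.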
From: chrisr3d Date: Wed, 11 Apr 2018 16:48:05 +0200 Subject: [PATCH 71/98] Course of Action object --- objects/course-of-action/definition.json | 104 +++++++++++++++++++++++ 1 file changed, 104 insertions(+) create mode 100644 objects/course-of-action/definition.json diff --git a/objects/course-of-action/definition.json b/objects/course-of-action/definition.json new file mode 100644 index 0000000..ee5b157 --- /dev/null +++ b/objects/course-of-action/definition.json 
@@ -0,0 +1,104 @@
+{
+ "requiredOneOf": [
+ "name",
+ "type"
+ ],
+ "attributes": {
+ "name": {
+ "description": "The name used to identify the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "type": {
+ "description": "The type of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "Perimeter Blocking",
+ "Internal Blocking",
+ "Redirection",
+ "Redirection (Honey Pot)",
+ "Hardening",
+ "Patching",
+ "Eradication",
+ "Rebuilding",
+ "Training",
+ "Monitoring",
+ "Physical Access Restrictions",
+ "Logical Access Restrictions",
+ "Public Disclosure",
+ "Diplomatic Actions",
+ "Policy Actions",
+ "Other"
+ ]
+ },
+ "description": {
+ "description": "A description of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "objective": {
+ "description": "The objective of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "stage": {
+ "description": "The stage of the threat management lifecycle that the course of action is applicable to.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "Remedy",
+ "Response"
+ ]
+ },
+ "cost": {
+ "description": "The estimated cost of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ },
+ "impact": {
+ "description": "The estimated impact of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ },
+ "efficacy": {
+ "description": "The estimated efficacy of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ 
"sane_default": [ + "High", + "Medium", + "Low", + "None", + "Unknown" + ] + } + }, + "version": 1, + "description": "An object describing a specific measure taken to prevent or respond to an attack.", + "meta-category": "misc", + "uuid": "3d1c2c06-68a9-4394-8c8d-258d115f796f", + "name": "course-of-action" +} From aa9574cfa90d95e32d7b0abbe6e1ac6c4ad12e3f Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Wed, 11 Apr 2018 16:53:15 +0200 Subject: [PATCH 72/98] add: Course of action description added in readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 1f2697e..7452306 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,7 @@ for a specific attribute. * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object. * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency. * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases. +* [objects/course-of-action](objects/course-of-action/definition.json) - An object describing a Course of Action. * [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions. * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame. From 55a5508a767c4634e846638f4088c7ba8209c4c1 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 13 Apr 2018 10:54:28 +0200 Subject: [PATCH 73/98] regexp object - disable correlation on type --- objects/regexp/definition.json | 1 + 1 file changed, 1 insertion(+) diff --git a/objects/regexp/definition.json b/objects/regexp/definition.json index 5f3534c..1baf7a6 100644 --- a/objects/regexp/definition.json +++ b/objects/regexp/definition.json 
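Review bot: The `sane_default` lists for `type`, `stage` and `cost`/`impact`/`efficacy` appear to be taken from the STIX 1.x vocabularies (CourseOfActionTypeVocab, COAStageVocab and HighMediumLowVocab), but nothing in the template records that; a clause in each description such as `(values follow the STIX 1.x CourseOfActionTypeVocab)` would keep future edits aligned with the source vocabulary and tell importers which mapping applies. `requiredOneOf` accepts `type` alone, so an object consisting only of `"type": "Other"` validates; if a course of action without a name is not meaningful, `"required": ["name"]` would be stricter. The hunk begins on the previous line.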
@@ -42,6 +42,7 @@ "windows-scheduled-task" ], "description": "Specify which type corresponds to this regex.", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text" } From a3f8b1a0ba287647de2acc5e83df96f7cdb5ebe6 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 13 Apr 2018 10:56:56 +0200 Subject: [PATCH 74/98] regexp object - change version --- objects/regexp/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/regexp/definition.json b/objects/regexp/definition.json index 1baf7a6..5322b71 100644 --- a/objects/regexp/definition.json +++ b/objects/regexp/definition.json @@ -47,7 +47,7 @@ "misp-attribute": "text" } }, - "version": 3, + "version": 4, "description": "An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.", "meta-category": "misc", "uuid": "ceffad66-71e5-4e20-9370-1b3fb694c648", From da216650d748b03f7c16afbf3d291e99c76dd967 Mon Sep 17 00:00:00 2001 From: ater49 Date: Mon, 23 Apr 2018 11:09:43 +0200 Subject: [PATCH 75/98] dding comment fields in VT report objects --- objects/virustotal-report/definition.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/objects/virustotal-report/definition.json b/objects/virustotal-report/definition.json index 5dee6ab..b1c8f41 100644 --- a/objects/virustotal-report/definition.json +++ b/objects/virustotal-report/definition.json @@ -44,6 +44,14 @@ ], "ui-priority": 2, "misp-attribute": "link" + }, + "comment": { + "description": "Comment related to this hash", + "categories": [ + "Exernal analysis" + ], + "misp-attribute": "text", + "multiple": "true" } }, "version": 1, From 24c4a68acdb4387fb0fdbac09cc516e00b48d12b Mon Sep 17 00:00:00 2001 
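Review bot: The `categories` value `"Exernal analysis"` in the new `comment` attribute of the virustotal-report hunk is misspelled; the MISP category is `"External analysis"` (spelled that way in the whois template later in this series), and a category name that does not match the category list will not be recognised by consumers validating against it. The follow-up patches 77/98 and 78/98 edit the same block and keep the typo, so the fix `"External analysis"` applies to their context too. The string-valued `"multiple": "true"` is already corrected in PATCH 77/98 and is not re-raised.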
From: ater49 Date: Mon, 23 Apr 2018 11:11:29 +0200 Subject: [PATCH 76/98] Modifying version number --- objects/virustotal-report/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/virustotal-report/definition.json b/objects/virustotal-report/definition.json index b1c8f41..d8af407 100644 --- a/objects/virustotal-report/definition.json +++ b/objects/virustotal-report/definition.json @@ -54,7 +54,7 @@ "multiple": "true" } }, - "version": 1, + "version": 2, "description": "VirusTotal report", "meta-category": "misc", "uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", From df38573a3ec7495fa4eee68e0f9f8954161d8b71 Mon Sep 17 00:00:00 2001 From: ater49 Date: Mon, 23 Apr 2018 11:17:41 +0200 Subject: [PATCH 77/98] Correction for multiple parameter --- objects/virustotal-report/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/virustotal-report/definition.json b/objects/virustotal-report/definition.json index d8af407..9fd302f 100644 --- a/objects/virustotal-report/definition.json +++ b/objects/virustotal-report/definition.json @@ -51,7 +51,7 @@ "Exernal analysis" ], "misp-attribute": "text", - "multiple": "true" + "multiple": true } }, "version": 2, From 2991d58b0b1a5bc14f37688d171d27fcce90cb4f Mon Sep 17 00:00:00 2001 From: ater49 Date: Mon, 23 Apr 2018 11:22:39 +0200 Subject: [PATCH 78/98] Adding ui-priority fields --- objects/virustotal-report/definition.json | 1 + 1 file changed, 1 insertion(+) diff --git a/objects/virustotal-report/definition.json b/objects/virustotal-report/definition.json index 9fd302f..be0dc3e 100644 --- a/objects/virustotal-report/definition.json +++ b/objects/virustotal-report/definition.json @@ -51,6 +51,7 @@ "Exernal analysis" ], "misp-attribute": "text", + "ui-priority": 2, "multiple": true } }, From 3b5db95174a13e20db15eecb7837a4447a08e0dd Mon Sep 17 00:00:00 2001 
From: chrisr3d Date: Tue, 24 Apr 2018 15:50:53 +0200 Subject: [PATCH 79/98] add: Added 2 relationships seen on stix --- relationships/definition.json | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/relationships/definition.json b/relationships/definition.json index ae5f3db..d238116 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -33,6 +33,22 @@ "stix-1.1" ] }, + { + "name": "contains", + "description": "The references source is containing the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, + { + "name": "resolved-to", + "description": "The referenced source is resolved to the target object.", + "format": [ + "misp", + "stix-1.1" + ] + }, { "name": "attributed-to", "description": "This referenced source is attributed to the target object.", From 3d75d48051910aa208ca410faa35add6cd06d36b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Thu, 26 Apr 2018 15:05:19 +0200 Subject: [PATCH 80/98] chg: [email] add email-body in requiredOneOf --- objects/email/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/email/definition.json b/objects/email/definition.json index 770850f..c549f1e 100644 --- a/objects/email/definition.json +++ b/objects/email/definition.json @@ -163,6 +163,7 @@ "thread-index", "header", "x-mailer", - "return-path" + "return-path", + "email-body" ] } From 196991c73fd35fef76822102424c2f65f95443f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Thu, 26 Apr 2018 15:07:12 +0200 Subject: [PATCH 81/98] fix: Bump email template version --- objects/email/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/email/definition.json b/objects/email/definition.json index c549f1e..946954d 100644 --- a/objects/email/definition.json +++ b/objects/email/definition.json 
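Review bot: The description of the new `contains` relationship, `"The references source is containing the target object."`, has a typo and a tense that differ from its siblings (`resolved-to` and the existing `attributed-to` both say "referenced source"); `"The referenced source contains the target object."` reads consistently. Whether both new entries really map onto a `stix-1.1` relationship cannot be checked from the diff, so that is left to the author.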
@@ -3,7 +3,7 @@ "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "meta-category": "network", "description": "Email object describing an email with meta-information", - "version": 8, + "version": 9, "attributes": { "reply-to": { "description": "Email address the reply will be sent to", From ef1bcc7067f20b0b0db4a658a80ec0f2c82d4135 Mon Sep 17 00:00:00 2001 From: StefanKelm Date: Thu, 26 Apr 2018 16:50:25 +0200 Subject: [PATCH 82/98] Allow multiple domains and/or IP addresses per object --- objects/whois/definition.json | 2 ++ 1 file changed, 2 insertions(+) diff --git a/objects/whois/definition.json b/objects/whois/definition.json index 0c4d5b0..9e684a9 100644 --- a/objects/whois/definition.json +++ b/objects/whois/definition.json @@ -74,6 +74,7 @@ "External analysis" ], "ui-priority": 0, + "multiple": true, "misp-attribute": "domain" }, "comment": { @@ -84,6 +85,7 @@ "ip-address": { "description": "IP address of the whois entry", "ui-priority": 0, + "multiple": true, "misp-attribute": "ip-src" } }, From f7b17ab62afdde642810605d2789e537c3c37f8f Mon Sep 17 00:00:00 2001 From: StefanKelm Date: Thu, 26 Apr 2018 16:53:24 +0200 Subject: [PATCH 83/98] Update definition.json --- objects/whois/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/whois/definition.json b/objects/whois/definition.json index 9e684a9..ed91c86 100644 --- a/objects/whois/definition.json +++ b/objects/whois/definition.json @@ -89,7 +89,7 @@ "misp-attribute": "ip-src" } }, - "version": 9, + "version": 10, "description": "Whois records information for a domain name or an IP address.", "meta-category": "network", "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a", From 1fe1f12026c556f6bd184d439a06d1923cb03d5a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Fri, 27 Apr 2018 14:20:10 +0200 Subject: [PATCH 84/98] new: Add EML to the email template --- objects/email/definition.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) 
diff --git a/objects/email/definition.json b/objects/email/definition.json index 946954d..7551d0c 100644 --- a/objects/email/definition.json +++ b/objects/email/definition.json @@ -3,7 +3,7 @@ "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "meta-category": "network", "description": "Email object describing an email with meta-information", - "version": 9, + "version": 10, "attributes": { "reply-to": { "description": "Email address the reply will be sent to", @@ -146,6 +146,11 @@ "categories": [ "Payload delivery" ] + }, + "eml": { + "description": "Full EML", + "misp-attribute": "attachment", + "ui-priority": 1 } }, "requiredOneOf": [ @@ -164,6 +169,7 @@ "header", "x-mailer", "return-path", - "email-body" + "email-body", + "eml" ] } From 3382e18393781c2802b4fecde9662c87a78e47de Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 30 Apr 2018 16:27:17 +0200 Subject: [PATCH 85/98] add: new timestamp object --- objects/timestamp/definition.json | 45 +++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 objects/timestamp/definition.json diff --git a/objects/timestamp/definition.json b/objects/timestamp/definition.json new file mode 100644 index 0000000..c1a8da0 --- /dev/null +++ b/objects/timestamp/definition.json 
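Review bot: The new `eml` attribute declares no `categories`, while the sibling attribute just above it in the same hunk carries `"categories": ["Payload delivery"]`; adding the same list keeps the template uniform with the rest of the email object. `disable_correlation` is added to this attribute in PATCH 91/98, so only the categories remain outstanding.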
@@ -0,0 +1,45 @@
+{
+ "requiredOneOf": [
+ "first-seen",
+ "last-seen"
+ ],
+ "attributes": {
+ "text": {
+ "description": "Description of the time object.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "precision": {
+ "description": "Timestamp precision represents the precision given to first_seen and/or last_seen in this object.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "year",
+ "month",
+ "day",
+ "hour",
+ "minute",
+ "full"
+ ],
+ "disable_correlation": true
+ },
+ "first-seen": {
+ "description": "First time that the linked object or attribute has been seen.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "last-seen": {
+ "description": "First time that the linked object or attribute has been seen.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.",
+ "meta-category": "misc",
+ "uuid": "c8c91e23-4221-4533-8bf7-64e12b05f265",
+ "name": "timestamp"
+}
From e9e1bdd56cd1fba09a525b1c27434d6ec2b3b9fd Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 1 May 2018 11:21:05 +0200
Subject: [PATCH 86/98] add: Context where the YARA rule can be applied
---
 objects/yara/definition.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/objects/yara/definition.json b/objects/yara/definition.json
index 4b4724d..370bfdb 100644
--- a/objects/yara/definition.json
+++ b/objects/yara/definition.json
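Review bot: The description of `last-seen` is a copy of `first-seen`'s ("First time that the linked object or attribute has been seen."), so both datetime fields show the same help text; it should read `"description": "Last time that the linked object or attribute has been seen."`. The `precision` description refers to `first_seen` and `last_seen` with underscores, but the attributes are named `first-seen` and `last-seen`; using the hyphenated names avoids pointing users at attributes that do not exist.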
@@ -20,9 +20,20 @@ "description": "Version of the YARA rule depending where the yara rule is known to work as expected.", "ui-priority": 0, "misp-attribute": "text" + }, + "context": { + "description": "Context where the YARA rule can be applied", + "sane_default": [ + "all", + "disk", + "memory", + "network" + ], + "misp-attribute": "text", + "ui-priority": 0 } }, - "version": 2, + "version": 3, "description": "An object describing a YARA rule along with its version.", "meta-category": "misc", "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", From e07f2d5c621ef99289b50518e23b01ed27146ab2 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 3 May 2018 14:11:14 +0200 Subject: [PATCH 87/98] Network connection object --- objects/network-connection/definition.json | 86 ++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 objects/network-connection/definition.json diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json new file mode 100644 index 0000000..ba2aa8f --- /dev/null +++ b/objects/network-connection/definition.json 
@@ -0,0 +1,86 @@
+{
+ "name": "network-connection",
+ "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
+ "meta-category": "network",
+ "description": "",
+ "version": 1,
+ "attributes":{
+ "ip-src": {
+ "description": "Source IP address of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-src"
+ },
+ "ip-dst": {
+ "description": "Destination IP address of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-dst"
+ },
+ "src-port": {
+ "description": "Source port of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "dst-port": {
+ "description": "Destination port of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "layer3-protocol": {
+ "description": "Layer 3 protocol of the network connection.",
+ "ui-priority": 0,
+ "sane_default": [
+ "IP",
+ "ICMP",
+ "ARP"
+ ],
+ "misp-attribute": "text"
+ },
+ "layer4-protocol": {
+ "description": "Layer 4 protocol of the network connection.",
+ "ui-priority": 0,
+ "sane_default": [
+ "TCP",
+ "UDP"
+ ],
+ "misp-attribute": "text"
+ },
+ "layer7-protocol": {
+ "description": "Layer 7 protocol of the network connection.",
+ "ui-priority": 0,
+ "sane_default": [
+ "HTTP",
+ "HTTPS",
+ "FTP"
+ ],
+ "misp-attribute": "text"
+ },
+ "first-packet-seen": {
+ "misp-attribute": "datetime",
+ "ui-priority": 1,
+ "description": "Datetime of the first packet seen."
+ }
+ },
+ "requireOneOf": [
+ "first-packet-seen",
+ "ip-src",
+ "ip-dst",
+ "src-port",
+ "dst-port"
+ ]
+}
From 453fd31797318f3dd48390333cc89ef5be683ff7 Mon Sep 17 00:00:00 2001
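Review bot: The descriptions of `ip-src`, `ip-dst`, `src-port` and `dst-port` all misspell "network" as "nework", and none of the three follow-up commits that touch this file (PATCH 88–90/98) corrects it; the four lines should read, e.g., `"description": "Source IP address of the network connection."`. In `layer3-protocol`, `ARP` is listed in `sane_default` next to `IP` and `ICMP`, although ARP is usually placed at the link layer rather than layer 3 — worth confirming that grouping is intended. The `requireOneOf` key and the `"attributes":{` spacing are already fixed in PATCH 90/98 and 88/98 respectively.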
From: Alexandre Dulaunoy Date: Thu, 3 May 2018 14:18:15 +0200 Subject: [PATCH 88/98] fix: jq all --- objects/network-connection/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json index ba2aa8f..e81d72e 100644 --- a/objects/network-connection/definition.json +++ b/objects/network-connection/definition.json @@ -4,7 +4,7 @@ "meta-category": "network", "description": "", "version": 1, - "attributes":{ + "attributes": { "ip-src": { "description": "Source IP address of the nework connection.", "ui-priority": 1, From 554cfe29fe99ab58cb58098325130179dec3dea7 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 3 May 2018 14:21:36 +0200 Subject: [PATCH 89/98] Added definition --- objects/network-connection/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json index ba2aa8f..62f72ef 100644 --- a/objects/network-connection/definition.json +++ b/objects/network-connection/definition.json @@ -2,7 +2,7 @@ "name": "network-connection", "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b", "meta-category": "network", - "description": "", + "description": "A local or remote network connection.", "version": 1, "attributes":{ "ip-src": { From 4cdfd7b0a019f5cd106d09cc6e63e46b817f4b7d Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 3 May 2018 14:28:46 +0200 Subject: [PATCH 90/98] fix: RequiredOneOf field Sorry, ate too much ananas in my pizza --- objects/network-connection/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json index 26961d3..481c04c 100644 --- a/objects/network-connection/definition.json +++ b/objects/network-connection/definition.json 
@@ -76,7 +76,7 @@ "description": "Datetime of the first packet seen." } }, - "requireOneOf": [ + "requiredOneOf": [ "first-packet-seen", "ip-src", "ip-dst", From 956e6493158565426c228bf1dadb3c60a738288e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Thu, 3 May 2018 20:49:48 +0200 Subject: [PATCH 91/98] chg: Update email template --- objects/email/definition.json | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/objects/email/definition.json b/objects/email/definition.json index 7551d0c..84c1465 100644 --- a/objects/email/definition.json +++ b/objects/email/definition.json @@ -3,7 +3,7 @@ "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "meta-category": "network", "description": "Email object describing an email with meta-information", - "version": 10, + "version": 11, "attributes": { "reply-to": { "description": "Email address the reply will be sent to", @@ -16,6 +16,7 @@ "message-id": { "description": "Message ID", "misp-attribute": "email-message-id", + "disable_correlation": true, "ui-priority": 0, "categories": [ "Payload delivery" @@ -24,6 +25,7 @@ "to": { "description": "Destination email address", "misp-attribute": "email-dst", + "disable_correlation": true, "ui-priority": 1, "categories": [ "Payload delivery" @@ -33,6 +35,7 @@ "cc": { "description": "Carbon copy", "misp-attribute": "email-dst", + "disable_correlation": true, "ui-priority": 1, "categories": [ "Payload delivery" @@ -59,6 +62,7 @@ "screenshot": { "description": "Screenshot of email", "misp-attribute": "attachment", + "disable_correlation": true, "ui-priority": 1, "categories": [ "External analysis" @@ -76,6 +80,7 @@ "x-mailer": { "description": "X-Mailer generally tells the program that was used to draft and send the original email", "misp-attribute": "email-x-mailer", + "disable_correlation": true, "ui-priority": 0, "categories": [ "Payload delivery" 
@@ -84,6 +89,7 @@ "header": { "description": "Full headers", "misp-attribute": "email-header", + "disable_correlation": true, "ui-priority": 0, "categories": [ "Payload delivery" @@ -102,6 +108,7 @@ "mime-boundary": { "description": "MIME Boundary", "misp-attribute": "email-mime-boundary", + "disable_correlation": true, "ui-priority": 0, "categories": [ "Payload delivery" @@ -110,6 +117,7 @@ "thread-index": { "description": "Identifies a particular conversation thread", "misp-attribute": "email-thread-index", + "disable_correlation": true, "ui-priority": 0, "categories": [ "Payload delivery" @@ -125,7 +133,7 @@ }, "return-path": { "description": "Message return path", - "misp-attribute": "text", + "misp-attribute": "email-src", "ui-priority": 1, "categories": [ "Payload delivery" @@ -142,14 +150,22 @@ "email-body": { "description": "Body of the email", "misp-attribute": "email-body", + "disable_correlation": true, "ui-priority": 1, "categories": [ "Payload delivery" ] }, + "user-agent": { + "description": "User Agent of the sender", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, "eml": { "description": "Full EML", "misp-attribute": "attachment", + "disable_correlation": true, "ui-priority": 1 } }, From 6faf42cbd20b00e722671204d757ef89cc5b2f5c Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Fri, 4 May 2018 16:34:35 +0200 Subject: [PATCH 92/98] First version of process object - Potentially more attributes to come --- objects/process/definition.json | 52 +++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 objects/process/definition.json diff --git a/objects/process/definition.json b/objects/process/definition.json new file mode 100644 index 0000000..a213e0d --- /dev/null +++ b/objects/process/definition.json 
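Review bot: The new `user-agent` attribute in the last hunk declares no `categories`, unlike `email-body` and every other attribute visible in this change, which carry `"categories": ["Payload delivery"]`; adding the same list keeps the template uniform. The same change sets `"disable_correlation": true` on `message-id`, `to` and `cc` (hunks starting on the previous physical line), which turns off three fields analysts can pivot on between sightings of the same mailing; if that is deliberate, a sentence in the commit message would record the reasoning, since only the version bump currently does. Re-typing `return-path` from `text` to `email-src` changes the type of an existing attribute, which the version bump in the first hunk covers.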
@@ -0,0 +1,52 @@
+{
+ "name": "process",
+ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
+ "meta-category": "misc",
+ "description": "Object describing a system process.",
+ "version": 1,
+ "attributes": {
+ "creation-time": {
+ "description": "Local date/time at which the process was created.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "start-time": {
+ "description": "Local date/time at which the process was started.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "name": {
+ "description": "Name of the process",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "pid": {
+ "description": "Process ID of the process.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "parent_pid": {
+ "description": "Process ID of the parent process.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "child-pid": {
+ "description": "Process ID of the child(ren) process.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "port": {
+ "description": "Port(s) owned by the process.",
+ "ui-priority": 1,
+ "misp-attribute": "src-port",
+ "multiple": true
+ }
+ },
+ "requiredOneOf": [
+ "name",
+ "pid"
+ ]
+}
From 13ec6018204e7c224bec31e184b22e2c65365514 Mon Sep 17 00:00:00 2001
From: Alexandre De Oliveira
Date: Fri, 4 May 2018 19:09:54 +0200
Subject: [PATCH 93/98] Update definition.json
To avoid having multiple object for each similar attacks coming from the same source, we allow multiple attack source in the same attack.
---
 objects/ss7-attack/definition.json | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index 6354c5d..e86cb16 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
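Review bot: `parent_pid` uses an underscore while every other attribute key in the file (`creation-time`, `start-time`, `child-pid`) uses hyphens, and attribute names are what relationships and export mappings key on, so `"parent-pid": {` is the consistent spelling — better fixed before the template is published, since renaming later breaks existing objects. The `port` attribute maps to `"misp-attribute": "src-port"`, whereas the network-connection template in this same series uses `"misp-attribute": "port"` for ports; unless `src-port` is a registered MISP attribute type, `"port"` is the safer value. `creation-time` and `start-time` have near-identical descriptions ("created" vs "started"); a sentence on when the two differ would help users choose the right one.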
@@ -34,6 +34,7 @@ }, "SccpCgGT": { "description": "Signaling Connection Control Part (SCCP) CgGT - Phone number.", + "multiple": true, "ui-priority": 0, "misp-attribute": "text" }, @@ -44,6 +45,7 @@ }, "SccpCgPC": { "description": "Signaling Connection Control Part (SCCP) CgPC - Phone number.", + "multiple": true, "ui-priority": 0, "misp-attribute": "text" }, From 443cce07bcd6129faa447f0b700e5bea79dd0e20 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 5 May 2018 12:39:22 +0200 Subject: [PATCH 94/98] Missing objects added --- README.md | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 7452306..c6b11ce 100644 --- a/README.md +++ b/README.md 
@@ -76,9 +76,11 @@ for a specific attribute. * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object. * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency. * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases. -* [objects/course-of-action](objects/course-of-action/definition.json) - An object describing a Course of Action. +* [objects/course-of-action](objects/course-of-action/definition.json) - An object describing a Course of Action such as a specific measure taken to prevent or respond to an attack. * [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions. +* [objects/credential](objects/credential/definition.json) - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s). * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. +* [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network. * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame. * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF). * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF). 
@@ -86,25 +88,34 @@ for a specific attribute. * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object. * [objects/file](objects/file/definition.json) - File object describing a file with meta-information. * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location. +* [objects/gtp-attack](objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network. +* [objects/http-request](objects/http-request/definition.json) - A single HTTP request header object. * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame. * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way. * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation. * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format. * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format. * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook. +* [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition. +* [objects/network](objects/network/definition.json) - Network object describes a local or remote network connection. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). 
* [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. * [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description. * [objects/person](objects/person/definition.json) - A person object which describes a person or an identity. * [objects/phone](objects/phone/definition.json) - A phone or mobile phone object. +* [objects/process](objects/process/definition.json) - A process object. * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object. * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml. * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. +* [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. +* [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. +* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system. +* [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. 
* [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. @@ -113,7 +124,7 @@ for a specific attribute. * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused. * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name. * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate. -* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported. +* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported and context (such as memory, network, disk). ## MISP objects relationships From 8e831d682820bdc9656f4ceb4f132e304972a065 Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Mon, 7 May 2018 09:11:31 +0200 Subject: [PATCH 95/98] Fixed link --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c6b11ce..d4cbba3 100644 --- a/README.md +++ b/README.md 
@@ -98,7 +98,7 @@ for a specific attribute. * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook. * [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition. -* [objects/network](objects/network/definition.json) - Network object describes a local or remote network connection. +* [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. From 4d47c41f5ef805dcdd8c1a0799de8976e4c3d3a0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 8 May 2018 07:53:58 +0200 Subject: [PATCH 96/98] Network socket connection template object added --- objects/network-socket/definition.json | 183 +++++++++++++++++++++++++ 1 file changed, 183 insertions(+) create mode 100644 objects/network-socket/definition.json diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json new file mode 100644 index 0000000..b702ac7 --- /dev/null +++ b/objects/network-socket/definition.json 
@@ -0,0 +1,183 @@
+{
+ "name": "network-socket",
+ "uuid": "48bbfd72-ef8e-4649-b14d-41b4b5a0eba2",
+ "meta-category": "network",
+ "description": "Network socket object describes a local or remote network connections based on the socket data structure.",
+ "version": 1,
+ "attributes": {
+ "ip-src": {
+ "description": "Source (local) IP address of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-src"
+ },
+ "hostname-src": {
+ "description": "Source (local) hostname of the network socket connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "ip-dst": {
+ "description": "Destination IP address of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-dst"
+ },
+ "hostname-dst": {
+ "description": "Destination hostname of the network socket connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "src-port": {
+ "description": "Source (local) port of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "dst-port": {
+ "description": "Destination port of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "address-family": {
+ "description": "Address family who specifies the address family type (AF_*) of the socket connection.",
+ "ui-priority": 1,
+ "sane_default": [
+ "AF_UNSPEC",
+ "AF_LOCAL",
+ "AF_UNIX",
+ "AF_FILE",
+ "AF_INET",
+ "AF_AX25",
+ "AF_IPX",
+ "AF_APPLETALK",
+ "AF_NETROM",
+ "AF_BRIDGE",
+ "AF_ATMPVC",
+ "AF_X25",
+ "AF_INET6",
+ "AF_ROSE",
+ "AF_DECnet",
+ "AF_NETBEUI",
+ "AF_SECURITY",
+ "AF_KEY",
+ "AF_NETLINK",
+ "AF_ROUTE",
+ "AF_PACKET",
+ "AF_ASH",
+ "AF_ECONET",
+ "AF_ATMSVC",
+ "AF_RDS",
+ "AF_SNA",
+ "AF_IRDA",
+ "AF_PPPOX",
+ "AF_WANPIPE",
+ "AF_LLC",
+ "AF_IB",
+ "AF_MPLS",
+ "AF_CAN",
+ "AF_TIPC",
+ "AF_BLUETOOTH",
+ "AF_IUCV",
+ "AF_RXRPC",
+ "AF_ISDN",
+ "AF_PHONET",
+ "AF_IEEE802154",
+ "AF_CAIF",
+ "AF_ALG",
+ "AF_NFC",
+ "AF_VSOCK",
+ "AF_KCM",
+ "AF_MAX"
+ ],
+ "misp-attribute": "text"
+ },
+ "domain-family": {
+ "description": "Domain family who specifies the communication domain (PF_*) of the socket connection.",
+ "ui-priority": 1,
+ "sane_default": [
+ "PF_UNSPEC",
+ "PF_LOCAL",
+ "PF_UNIX",
+ "PF_FILE",
+ "PF_INET",
+ "PF_AX25",
+ "PF_IPX",
+ "PF_APPLETALK",
+ "PF_NETROM",
+ "PF_BRIDGE",
+ "PF_ATMPVC",
+ "PF_X25",
+ "PF_INET6",
+ "PF_ROSE",
+ "PF_DECnet",
+ "PF_NETBEUI",
+ "PF_SECURITY",
+ "PF_KEY",
+ "PF_NETLINK",
+ "PF_ROUTE",
+ "PF_PACKET",
+ "PF_ASH",
+ "PF_ECONET",
+ "PF_ATMSVC",
+ "PF_RDS",
+ "PF_SNA",
+ "PF_IRDA",
+ "PF_PPPOX",
+ "PF_WANPIPE",
+ "PF_LLC",
+ "PF_IB",
+ "PF_MPLS",
+ "PF_CAN",
+ "PF_TIPC",
+ "PF_BLUETOOTH",
+ "PF_IUCV",
+ "PF_RXRPC",
+ "PF_ISDN",
+ "PF_PHONET",
+ "PF_IEEE802154",
+ "PF_CAIF",
+ "PF_ALG",
+ "PF_NFC",
+ "PF_VSOCK",
+ "PF_KCM",
+ "PF_MAX"
+ ],
+ "misp-attribute": "text"
+ },
+ "state": {
+ "description": "State of the socket connection.",
+ "multiple": true,
+ "sane_default": [
+ "blocking",
+ "listening"
+ ],
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "option": {
+ "description": "Option on the socket connection.",
+ "multiple": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "requiredOneOf": [
+ "ip-src",
+ "ip-dst",
+ "src-port",
+ "dst-port"
+ ]
+}
From 536f6471356da25c917c39ad53da08c143d4b173 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 8 May 2018 09:03:57 +0200
Subject: [PATCH 97/98] add: Added hostname (src & dst) attributes
---
 objects/network-connection/definition.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index 481c04c..0aa9cba 100644
--- a/objects/network-connection/definition.json
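Review bot: `AF_MAX` and `PF_MAX` at the end of the two `sane_default` lists are the upper-bound sentinels from the socket headers, not address families, and should be dropped before they are offered as pick-list values. `address-family` and `domain-family` also store the same fact twice, since Linux and the BSDs define each `PF_*` constant equal to its `AF_*` counterpart, so the two attributes will drift apart in analyst-entered data; if both stay, the `domain-family` description should say that it mirrors `address-family`. The `state` defaults mix a socket mode (`blocking`) with a connection state (`listening`); if the state column of `netstat`/`ss` output is what is meant, `LISTEN`, `ESTABLISHED`, `CLOSE_WAIT` and the other TCP states are the expected set. Two wording fixes: `"description": "Network socket object describes a local or remote network connection based on the socket data structure."` and `"Address family which specifies the address family type (AF_*) of the socket connection."` (the `PF_*` description needs the same "which").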
+++ b/objects/network-connection/definition.json
@@ -41,6 +41,16 @@
 ],
 "misp-attribute": "port"
 },
+ "hostname-src": {
+ "description": "Source hostname of the network connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "hostname-dst": {
+ "description": "Destination hostname of the network connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
 "layer3-protocol": {
 "description": "Layer 3 protocol of the network connection.",
 "ui-priority": 0,
From b5f352e8c219f41557609bd9a1dcccea59a7d89a Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Tue, 8 May 2018 09:26:24 +0200
Subject: [PATCH 98/98] add: Added protocol attribute in the network socket object
---
 objects/network-socket/definition.json | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json
index b702ac7..5bbd1ff 100644
--- a/objects/network-socket/definition.json
+++ b/objects/network-socket/definition.json
@@ -51,6 +51,17 @@
 ],
 "misp-attribute": "port"
 },
+ "protocol": {
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "values_list": [
+ "TCP",
+ "UDP",
+ "ICMP",
+ "IP"
+ ],
+ "description": "Protocol used by the network socket."
+ },
 "address-family": {
 "description": "Address family who specifies the address family type (AF_*) of the socket connection.",
 "ui-priority": 1,
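Review bot: The new `hostname-src` and `hostname-dst` entries carry no `categories` array, unlike the port entry whose array closes just above them (`],` followed by `"misp-attribute": "port"`, presumably its `categories`), so the hostname attributes will take whatever default the consumer applies while the sibling IP and port attributes of the same object are pinned; if that is deliberate it deserves a sentence in the commit message, otherwise add the same `categories` array the port entry uses. The `requiredOneOf` list of this template is outside the hunk; if it still names only IP and port attributes, a connection observed by hostname alone cannot be created. The enclosing `attributes` object starts and ends outside the hunk.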
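Review bot: `protocol` is declared with `values_list`, which in MISP object templates restricts the attribute to exactly the listed values, while every other enumeration in this file (`address-family`, `domain-family`, `state`) uses `sane_default`, which only pre-fills suggestions; the closed list `TCP`, `UDP`, `ICMP`, `IP` then leaves no way to record an SCTP, ICMPv6 or raw-protocol socket. Unless the restriction is intended, `"sane_default": [` is the consistent choice, and `IP` sits oddly next to three protocols carried on top of it. Key order in the new entry also differs from the rest of the file (`description` last rather than first); matching the surrounding entries keeps future diffs readable.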