chg: [ddos] Updated DDoS object template to include more details and clarification

- Clarify that the field of pps/bps are peak values;
- New fields for total number of packets or bytes;
- Type of DDoS added in the object;
- How the capture of the DDoS evidences were collected;
pull/347/head
Alexandre Dulaunoy 2022-02-17 07:38:35 +01:00
parent 363f90f789
commit b741142e2c
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 60 additions and 4 deletions

View File

@ -1,5 +1,17 @@
{ {
"attributes": { "attributes": {
"capture-origin": {
"description": "Origin of the (D)DoS evidences",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Direct network capture",
"Logs",
"Indirect network capture (e.g. backscatter)",
"Unknown"
],
"ui-priority": 0
},
"domain-dst": { "domain-dst": {
"categories": [ "categories": [
"Network activity", "Network activity",
@ -52,6 +64,7 @@
}, },
"protocol": { "protocol": {
"description": "Protocol used for the attack", "description": "Protocol used for the attack",
"disable_correlation": true,
"misp-attribute": "text", "misp-attribute": "text",
"ui-priority": 0, "ui-priority": 0,
"values_list": [ "values_list": [
@ -78,17 +91,60 @@
"ui-priority": 0 "ui-priority": 0
}, },
"total-bps": { "total-bps": {
"description": "Bits per second", "description": "Bits per second (maximum rate of bits per second measured)",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"total-bytes-sent": {
"description": "Total number of bytes sent by the sources mentioned",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"total-packets-sent": {
"description": "Total number of packets sent by the source mentioned",
"disable_correlation": true,
"misp-attribute": "counter", "misp-attribute": "counter",
"ui-priority": 0 "ui-priority": 0
}, },
"total-pps": { "total-pps": {
"description": "Packets per second", "description": "Packets per second (maximum rate of packets per second measured)",
"disable_correlation": true,
"misp-attribute": "counter", "misp-attribute": "counter",
"ui-priority": 0 "ui-priority": 0
},
"type": {
"description": "Type(s) or Technique(s) of Denial of Service",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"amplification-attack",
"reflected-spoofed-attack",
"slow-read-attack",
"flooding-attack",
"post-attack",
"chargen-amplification",
"dns",
"dns-amplification",
"ip-fragmentation",
"ip-private",
"icmp",
"memcached-amplification",
"ms-sql-rs-amplification",
"ntp-amplification",
"snmp-amplification",
"ssdp-amplification",
"tcp-null",
"tcp-rst",
"tcp-syn",
"udp"
],
"ui-priority": 0
} }
}, },
"description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy", "description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.",
"meta-category": "network", "meta-category": "network",
"name": "ddos", "name": "ddos",
"requiredOneOf": [ "requiredOneOf": [
@ -97,5 +153,5 @@
"domain-dst" "domain-dst"
], ],
"uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d", "uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
"version": 7 "version": 8
} }