From b90fd9ddc178767b203b4ee9867d9040e1c4299c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Mon, 13 Mar 2017 14:49:25 +0100
Subject: [PATCH] Update file/PE objects

* Add sane defaults
* Disable correlation when it doesn't make sense
---
 objects/file/definition.json | 9 +++++---
 objects/pe-section/definition.json | 19 +++++++++++----
 objects/pe/definition.json | 37 +++++++++++++++++++-----------
 3 files changed, 45 insertions(+), 20 deletions(-)

diff --git a/objects/file/definition.json b/objects/file/definition.json
index f745adc..4ce11a3 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -16,7 +16,8 @@
 },
 "size-in-bytes": {
 "misp-attribute": "size-in-bytes",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "authentihash": {
 "misp-attribute": "authentihash",
@@ -68,7 +69,8 @@
 },
 "entropy": {
 "misp-attribute": "float",
- "misp-usage-frequency": 1
+ "misp-usage-frequency": 1,
+ "disable_correlation": true
 },
 "pattern-in-file": {
 "misp-attribute": "pattern-in-file",
@@ -81,7 +83,8 @@
 },
 "text": {
 "misp-attribute": "text",
- "misp-usage-frequency": 1
+ "misp-usage-frequency": 1,
+ "disable_correlation": true
 }
 },
 "requiredOneOf": [
diff --git a/objects/pe-section/definition.json b/objects/pe-section/definition.json
index 2dec02f..2bd1ec6 100644
--- a/objects/pe-section/definition.json
+++ b/objects/pe-section/definition.json
@@ -6,19 +6,30 @@
 "attributes": {
 "name": {
 "misp-attribute": "text",
- "misp-usage-frequency": 1
+ "misp-usage-frequency": 1,
+ "sane_default": [
+ ".rsrc",
+ ".reloc",
+ ".rdata",
+ ".data",
+ ".text"
+ ],
+ "disable_correlation": true
 },
 "text": {
 "misp-attribute": "text",
- "misp-usage-frequency": 1
+ "misp-usage-frequency": 1,
+ "disable_correlation": true
 },
 "size-in-bytes": {
 "misp-attribute": "size-in-bytes",
- "misp-usage-frequency": 1
+ "misp-usage-frequency": 1,
+ "disable_correlation": true
 },
 "entropy": {
 "misp-attribute": "float",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "md5": {
 "misp-attribute": "md5",
diff --git a/objects/pe/definition.json b/objects/pe/definition.json
index 47f2b62..89c4b5d 100644
--- a/objects/pe/definition.json
+++ b/objects/pe/definition.json
@@ -10,14 +10,15 @@
 },
 "text": {
 "misp-attribute": "text",
- "misp-usage-frequency": 1
+ "misp-usage-frequency": 1,
+ "disable_correlation": true
 },
 "original-filename": {
- "misp-attribute": "text",
+ "misp-attribute": "filename",
 "misp-usage-frequency": 1
 },
 "internal-filename": {
- "misp-attribute": "text",
+ "misp-attribute": "filename",
 "misp-usage-frequency": 0
 },
 "compilation-timestamp": {
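Review bot: In the `@@ -10,14 +10,15 @@` hunk of objects/pe/definition.json, `original-filename` and `internal-filename` are retyped from `text` to `filename` but, unlike every other string field this commit touches, they get no `disable_correlation`, so they will now correlate by default. These values presumably come from the PE VERSIONINFO `OriginalFilename`/`InternalName` strings, which the binary's author sets freely and which are routinely generic or impersonate a system binary, so correlating on them links unrelated samples on an attacker-controlled string; either add `"disable_correlation": true` to both entries or state explicitly that this correlation is wanted. Retyping existing attributes is also a template-compatibility change, so if the template carries a `version` field (outside this hunk) it should be bumped alongside it.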
@@ -26,43 +27,53 @@
 },
 "entrypoint-section|position": {
 "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "entrypoint-address": {
 "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "file-description": {
 "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "file-version": {
 "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "lang-id": {
 "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "product-name": {
 "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "product-version": {
 "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "company-name": {
 "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "legal-copyright": {
 "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 },
 "pe-type": {
 "misp-attribute": "text",
- "misp-usage-frequency": 0
+ "misp-usage-frequency": 0,
+ "disable_correlation": true
 }
 },
 "requiredOneOf": [
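Review bot: Turning off correlation for the VERSIONINFO strings in this hunk (`file-description`, `file-version`, `product-name`, `product-version`, `company-name`, `legal-copyright`) removes a pivot analysts do use, because these author-controlled strings are often reused verbatim across a malware family even when they impersonate a legitimate vendor, and the template records no rationale for the trade-off. If the template format accepts a per-attribute `description`, a one-liner such as `"description": "Free-form VERSIONINFO string chosen by the binary author; correlation disabled because common vendor strings would link unrelated samples"` would let a maintainer understand why these were excluded without re-deriving it from the commit history. The enclosing `attributes` object opens before this hunk, so the fields that keep correlating (hashes, `compilation-timestamp`) are not visible here and I have not checked them.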