From c18a240153cbe9ef68e46f05565d08653c2ad103 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 22 Nov 2023 09:20:56 +0100 Subject: [PATCH] new: [shadowserver-malware-url-report] first version Transposition of the `malware_url` from Shadowserver --- .../definition.json | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 objects/shadowserver-malware-url-report/definition.json diff --git a/objects/shadowserver-malware-url-report/definition.json b/objects/shadowserver-malware-url-report/definition.json new file mode 100644 index 0000000..cbe7d12 --- /dev/null +++ b/objects/shadowserver-malware-url-report/definition.json @@ -0,0 +1,97 @@ +{ + "attributes": { + "application": { + "description": "Application layer protocol where occurrence of the URL was observed. Examples: http, https, ssh, telnet. ", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "asn": { + "description": "ASN where the IP resides", + "misp-attribute": "AS", + "ui-priority": 0 + }, + "city": { + "description": "City location of the IP in question", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "geo": { + "description": "Country location of the IP", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "host": { + "description": "Any of the capabilities identified for the malware instance or family.", + "misp-attribute": "hostname", + "multiple": true, + "ui-priority": 0 + }, + "ip": { + "description": "IP of the of the URL", + "misp-attribute": "ip-src", + "multiple": true, + "ui-priority": 0 + }, + "naics": { + "description": "North American Industry Classification System Code", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "region": { + "description": "Regional location of the IP in question", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "sector": { + "description": "Sector of the IP in question", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "sha256": { + "description": "SHA256 of associated (potentially malicious) payload, if downloaded from the URL", + "misp-attribute": "sha256", + "ui-priority": 0 + }, + "source": { + "description": "Source of information, if public", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "tag": { + "description": "Array of tags associated with the URL if any. In this report typically it will be a CVE entry, for example CVE-2021-44228. This allows for better understanding of the URL context observed (ie. usage associated with a particular CVE).", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "timestamp": { + "description": "Timestamp of when the URL was seen (in the last 24 hours)", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "url": { + "description": "URL that was extracted from an observed exploitation attempt, assumed to be carrying a malware payload", + "misp-attribute": "url", + "multiple": true, + "ui-priority": 0 + } + }, + "description": "This report identifies URLs that were observed in exploitation attempts in the last 24 hours. They are assumed to contain a malware payload or serve as C2 controllers. If a payload was successfully downloaded in the last 24 hours, it’s SHA256 hash will also be published. The data is primarily sourced from honeypots (in which case they will often be IoT related), but other sources are possible. As always, you only receive information on IPs found on your network/constituency or in the case of a National CSIRT, your country. Ref: https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/", + "meta-category": "misc", + "name": "shadowserver-malware-url-report", + "required": [ + "url" + ], + "uuid": "0211496c-dbcf-465b-a147-3d965da016cc", + "version": 1 +} \ No newline at end of file