MISP
/
misp-objects
mirror of https://github.com/MISP/misp-objects
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge remote-tracking branch 'upstream/master'

pull/193/head
kx1499 2019-07-09 22:13:31 -04:00
parent e61344c981 0caf4a9edc
commit c8f6c97da0
35 changed files with 1365 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@ -70,6 +70,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/ais-info](objects/ais-info/definition.json) - Object describing Automated Indicator Sharing (AIS) information source markings.
* [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file).
* [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
* [objects/authenticode-signerinfo](objects/authenticode-signerinfo/definition.json) - Authenticode signer info.
* [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
* [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0.
* [objects/bgp-hijack](objects/bgp-hijack/definition.json) - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com
@ -82,6 +83,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions.
* [objects/credential](objects/credential/definition.json) - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s).
* [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
* [objects/device](objects/device/definition.json) - An object to describe a device such as a computer, laptop or alike.
* [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
* [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
* [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
@ -101,6 +103,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
* [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way.
* [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation.
* [objects/lnk](objects/lnk/definition.json) - Object describing a Windows LNK (Windows Shortcut) file.
* [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format.
* [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format.
* [objects/mactime-timeline-analysis](objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity.
@ -111,12 +114,14 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection.
* [objects/network-socket](objects/network-socket/definition.json) - Object to describe a local or remote network connections based on the socket data structure.
* [objects/original-imported-file](objects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP.
* [objects/organization](objects/organization/definition.json) - An object which describes an organization.
* [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
* [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts.
* [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
* [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
* [objects/person](objects/person/definition.json) - A person object which describes a person or an identity.
* [objects/phishing](objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis.
* [objects/phishing-kit](objects/phishing-kit/definition.json) - Object to describe a phishing kit.
* [objects/phone](objects/phone/definition.json) - A phone or mobile phone object.
* [objects/process](objects/process/definition.json) - A process object.
* [objects/regexp](objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.
@ -128,20 +133,24 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
* [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
* [objects/shell-commands](objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
* [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target.
* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s).
* [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
* [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
* [objects/ssh-authorized-keys](objects/ssh-authorized-keys/definition.json) - SSH authorized keys object to store keys and option from SSH authorized_keys file.
* [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system.
* [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object.
* [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
* [objects/timesketch-timeline](objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry.
* [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.
* [objects/tor-hiddenservice](objects/tor-hiddenservice/definition.json) - Tor hidden service (Onion Service) object to describe a Tor hidden service.
* [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
* [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform.
* [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
* [objects/user-account](objects/user-account/definition.json) - Object describing a user account (UNIX, Windows, etc).
* [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
* [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.

6
objects/annotation/definition.json
View File

@ -61,6 +61,12 @@
"description": "Last update of the annotation",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"attachment": {
"description": "An attachment to support the annotation",
"ui-priority": 0,
"misp-attribute": "attachment",
"multiple": true
}
},
"version": 2,

62
objects/authenticode-signerinfo/definition.json Normal file
View File

@ -0,0 +1,62 @@
{
"requiredOneOf": [
"url",
"program-name"
],
"attributes": {
"text": {
"description": "Free text description of the signer info",
"ui-priority": 1,
"misp-attribute": "text"
},
"issuer": {
"description": "Issuer of the certificate",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"version": {
"description": "Version of the certificate",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"url": {
"description": "Url",
"multiple": true,
"misp-attribute": "url",
"ui-priority": 0
},
"content-type": {
"description": "Content type",
"misp-attribute": "text",
"ui-priority": 0
},
"program-name": {
"description": "Program name",
"misp-attribute": "text",
"ui-priority": 0
},
"digest_algorithm": {
"description": "Digest algorithm",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"signature_algorithm": {
"description": "Signature algorithm",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true,
"sane_default": [
"SHA1_WITH_RSA_ENCRYPTION",
"SHA256_WITH_RSA_ENCRYPTION"
]
}
},
"version": 1,
"description": "Authenticode Signer Info",
"meta-category": "file",
"uuid": "965cb0aa-baf1-4cc6-9070-68f5c1698c1e",
"name": "authenticode-signerinfo"
}

3
objects/course-of-action/definition.json
View File

@ -53,7 +53,8 @@
"disable_correlation": true,
"sane_default": [
"Remedy",
"Response"
"Response",
"Further Analysis Required"
]
},
"cost": {

5
objects/credential/definition.json
View File

@ -1,6 +1,7 @@
{
"requiredOneOf": [
"password"
"password",
"username"
],
"attributes": {
"text": {
@ -67,7 +68,7 @@
]
}
},
"version": 2,
"version": 3,
"description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
"meta-category": "misc",
"uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",

12
objects/credit-card/definition.json
View File

@ -3,6 +3,16 @@
"cc-number"
],
"attributes": {
"iin": {
"description": "International Issuer Number (First eight digits of the credit card number",
"ui-priority": 0,
"misp-attribute": "text"
},
"bank_name": {
"description": "Name of the bank which have issued the card",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": {
"description": "Version of the card.",
"ui-priority": 0,
@ -39,7 +49,7 @@
"misp-attribute": "cc-number"
}
},
"version": 2,
"version": 3,
"description": "A payment card like credit card, debit card or any similar cards which can be used for financial transactions.",
"meta-category": "financial",
"uuid": "2b9c57aa-daba-4330-a738-56f18743b0c7",

87
objects/device/definition.json Normal file
View File

@ -0,0 +1,87 @@
{
"requiredOneOf": [
"name",
"alias"
],
"attributes": {
"description": {
"description": "Description of the Device",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"name": {
"description": "Name of the Device",
"ui-priority": 101,
"misp-attribute": "text"
},
"alias": {
"description": "Alias of the Device",
"ui-priority": 100,
"misp-attribute": "text",
"multiple": true
},
"device-type": {
"description": "Type of the device",
"ui-priority": 99,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"PC",
"Mobile",
"Laptop",
"HID",
"TV",
"IoT",
"Hardware",
"Other"
]
},
"OS": {
"description": "OS of the device",
"ui-priority": 98,
"misp-attribute": "text",
"disable_correlation": true,
"multiple": true
},
"version": {
"description": "Version of the device/ OS",
"ui-priority": 97,
"misp-attribute": "text",
"disable_correlation": true
},
"ip-address": {
"description": "Device IP address",
"ui-priority": 0,
"misp-attribute": "ip-src",
"multiple": true
},
"dns-name": {
"description": "Device DNS Name",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"MAC-address": {
"description": "Device MAC address",
"ui-priority": 0,
"misp-attribute": "mac-address"
},
"analysis-date": {
"description": "Date of device analysis",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"attachment": {
"description": "An attachment",
"ui-priority": 0,
"misp-attribute": "attachment",
"multiple": true
}
},
"version": 7,
"description": "An object to define a device",
"meta-category": "misc",
"uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52",
"name": "device"
}

6
objects/domain-ip/definition.json
View File

@ -23,6 +23,12 @@
"ui-priority": 0,
"misp-attribute": "datetime"
},
"registration-date": {
"description": "Registration date of domain",
"disable_correlation": false,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"domain": {
"description": "Domain name",
"categories": [

10
objects/file/definition.json
View File

@ -14,8 +14,9 @@
"sha512/256",
"tlsh",
"pattern-in-file",
"x509-fingerprint-sha1",
"certificate",
"malware-sample",
"attachment",
"path",
"fullpath"
],
@ -112,6 +113,11 @@
"ui-priority": 1,
"misp-attribute": "malware-sample"
},
"attachment": {
"description": "A non-malicious file.",
"ui-priority": 1,
"misp-attribute": "attachment"
},
"filename": {
"description": "Filename on disk",
"disable_correlation": true,
@ -436,7 +442,7 @@
]
}
},
"version": 16,
"version": 17,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",

89
objects/imsi-catcher/definition.json Normal file
View File

@ -0,0 +1,89 @@
{
"requiredOneOf": [
"text",
"first-seen",
"imsi"
],
"attributes": {
"imsi": {
"description": "A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.",
"misp-attribute": "text",
"ui-priority": 1
},
"tmsi-1": {
"description": "Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.",
"misp-attribute": "text",
"ui-priority": 0
},
"tmsi-2": {
"description": "Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.",
"misp-attribute": "text",
"ui-priority": 0
},
"country": {
"description": "Country where the IMSI is registered.",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"brand": {
"description": "Brand associated with the IMSI registration.",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"operator": {
"description": "Operator associated with the IMSI registration.",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"mcc": {
"description": "MCC - Mobile Country Code",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"mnc": {
"description": "MNC - Mobile Network Code",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"lac": {
"description": "LAC - Location Area Code",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"cellid": {
"description": "CellID",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"text": {
"description": "A description of the IMSI record.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"first-seen": {
"description": "When the IMSI has been accessible or seen for the first time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"seq": {
"description": "A sequence number for the collection",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
}
},
"version": 1,
"description": "IMSI Catcher entry object based on the open source IMSI cather",
"meta-category": "misc",
"uuid": "a64f21b1-2f1b-4298-8243-c45db2c4aa7c",
"name": "imsi-catcher"
}

26
objects/ip-port/definition.json
View File

@ -4,7 +4,9 @@
"src-port",
"domain",
"hostname",
"ip"
"ip",
"ip-src",
"ip-dst"
],
"attributes": {
"text": {
@ -74,9 +76,29 @@
"ui-priority": 1,
"misp-attribute": "ip-dst",
"multiple": true
},
"ip-src": {
"description": "source IP address",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-src",
"multiple": true
},
"ip-dst": {
"description": "destination IP address",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst",
"multiple": true
}
},
"version": 7,
"version": 8,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",

76
objects/irc/definition.json Normal file
View File

@ -0,0 +1,76 @@
{
"requiredOneOf": [
"ip",
"hostname",
"channel",
"nickname"
],
"attributes": {
"text": {
"description": "Description of the IRC server",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
"description": "Last time the IRC server with the associated channels has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "First time the IRC server with the associated channels has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"dst-port": {
"description": "Destination port to reach the IRC server",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "port",
"disable_correlation": true,
"multiple": true
},
"channel": {
"description": "IRC channel associated to the IRC server",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"nickname": {
"description": "IRC nickname used to connect to the associated IRC server and channels",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"hostname": {
"description": "Hostname of the IRC server",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "hostname",
"multiple": true
},
"ip": {
"description": "IP address of the IRC server",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst",
"multiple": true
}
},
"version": 2,
"description": "An IRC object to describe an IRC server and the associated channels.",
"meta-category": "network",
"uuid": "4bbbc004-c344-4b20-8672-b41102177fc7",
"name": "irc"
}

279
objects/lnk/definition.json Normal file
View File

@ -0,0 +1,279 @@
{
"requiredOneOf": [
"filename",
"ssdeep",
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256"
],
"attributes": {
"md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"ui-priority": 1,
"misp-attribute": "md5",
"recommended": false
},
"sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"ui-priority": 1,
"misp-attribute": "sha1",
"recommended": false
},
"sha224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha224",
"recommended": false
},
"sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 1,
"misp-attribute": "sha256"
},
"sha384": {
"description": "Secure Hash Algorithm 2 (384 bits)",
"ui-priority": 0,
"misp-attribute": "sha384",
"recommended": false
},
"sha512": {
"description": "Secure Hash Algorithm 2 (512 bits)",
"ui-priority": 1,
"misp-attribute": "sha512"
},
"sha512/224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/224",
"recommended": false
},
"sha512/256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/256",
"recommended": false
},
"ssdeep": {
"description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"size-in-bytes": {
"description": "Size of the LNK file, in bytes",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "size-in-bytes"
},
"entropy": {
"description": "Entropy of the whole file",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "float"
},
"pattern-in-file": {
"description": "Pattern that can be found in the file",
"categories": [
"Artifacts dropped",
"Payload installation",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "pattern-in-file",
"multiple": true
},
"text": {
"description": "Free text value to attach to the file",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"malware-sample": {
"description": "The LNK file itself (binary)",
"ui-priority": 1,
"misp-attribute": "malware-sample"
},
"filename": {
"description": "Filename on disk",
"disable_correlation": true,
"multiple": true,
"categories": [
"Payload delivery",
"Artifacts dropped",
"Payload installation",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "filename"
},
"path": {
"description": "Path of the LNK filename complete or partial",
"disable_correlation": true,
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"fullpath": {
"description": "Complete path of the LNK filename including the filename",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"tlsh": {
"description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
"ui-priority": 0,
"misp-attribute": "tlsh"
},
"state": {
"misp-attribute": "text",
"ui-priority": 0,
"description": "State of the LNK file",
"multiple": true,
"disable_correlation": true,
"values_list": [
"Malicious",
"Harmless",
"Trusted"
]
},
"lnk-creation-time": {
"description": "Creation time of the LNK",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"lnk-modification-time": {
"description": "Modification time of the LNK",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"lnk-access-time": {
"description": "Access time of the LNK",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"lnk-file-size": {
"description": "Size of the target file, in bytes",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "size-in-bytes"
},
"lnk-icon-index": {
"description": "Icon index",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-show-window-value": {
"description": "Show Window value",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-hot-key-value": {
"description": "Hot Key value",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-file-attribute-flags": {
"description": "File attribute flags",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-drive-type": {
"description": "Drive type",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-drive-serial-number": {
"description": "Drive serial number",
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-volume-label": {
"description": "Volume label",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-local-path": {
"description": "Local path",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-description": {
"description": "LNK description",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-relative-path": {
"description": "Relative path",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-working-directory": {
"description": "LNK working path",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-command-line-arguments": {
"description": "LNK command line arguments",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"machine-identifier": {
"description": "Machine identifier",
"ui-priority": 0,
"misp-attribute": "text"
},
"droid-volume-identifier": {
"description": "Droid volume identifier",
"ui-priority": 0,
"misp-attribute": "text"
},
"droid-file-identifier": {
"description": "Droid file identifier (UUIDv1 where MAC can be extracted)",
"ui-priority": 0,
"misp-attribute": "text"
},
"birth-droid-volume-identifier": {
"description": "Droid volume identifier",
"ui-priority": 0,
"misp-attribute": "text"
},
"birth-droid-file-identifier": {
"description": "Birth droid volume identifier (UUIDv1 where MAC can be extracted)",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"description": "LNK object describing a Windows LNK binary file (aka Windows shortcut)",
"meta-category": "file",
"uuid": "ad13533e-1853-4da0-a111-33a7ce7e6c09",
"name": "lnk"
}

4
objects/mactime-timeline-analysis/definition.json
View File

@ -1,7 +1,7 @@
{
"requiredOneOf": [
"filepath",
"file_activity",
"file-path",
"activityType",
"datetime"
],
"attributes": {

13
objects/microblog/definition.json
View File

@ -29,6 +29,17 @@
"Other"
]
},
"state": {
"misp-attribute": "text",
"ui-priority": 0,
"description": "State of the microblog post",
"disable_correlation": true,
"values_list": [
"Informative",
"Malicious",
"Unknown"
]
},
"username": {
"description": "Username who posted the microblog post (without the @ prefix)",
"ui-priority": 0,
@ -62,7 +73,7 @@
"misp-attribute": "text"
}
},
"version": 5,
"version": 6,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",

75
objects/organization/definition.json Normal file
View File

@ -0,0 +1,75 @@
{
"requiredOneOf": [
"name",
"alias"
],
"attributes": {
"name": {
"description": "Name of the organization",
"disable_correlation": false,
"ui-priority": 100,
"misp-attribute": "text"
},
"alias": {
"description": "Alias of the organization",
"ui-priority": 99,
"misp-attribute": "text",
"multiple": true
},
"type-of-organizarion": {
"description": "Type of the organization",
"ui-priority": 97,
"misp-attribute": "text"
},
"date-of-inception": {
"description": "Date of inception of the organization",
"ui-priority": 0,
"misp-attribute": "date-of-birth"
},
"phone-number": {
"description": "Phone number of the organization.",
"ui-priority": 10,
"misp-attribute": "phone-number",
"multiple": true
},
"fax-number": {
"description": "Fax number of the organization.",
"ui-priority": 10,
"misp-attribute": "phone-number",
"multiple": true
},
"address": {
"description": "Postal address of the organization.",
"ui-priority": 10,
"misp-attribute": "text",
"multiple": true
},
"e-mail": {
"description": "Email address of the organization.",
"ui-priority": 10,
"misp-attribute": "email-src",
"multiple": true
},
"role": {
"description": "The role of the organization.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true,
"values_list": [
"Suspect",
"Victim",
"Defendent",
"Accused",
"Culprit",
"Accomplice",
"Target"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An object which describes an organization.",
"meta-category": "misc",
"uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
"name": "misc"
}

2
objects/original-imported-file/definition.json
View File

@ -1,7 +1,7 @@
{
"requiredOneOf": [
"imported-sample",
"type"
"format"
],
"attributes": {
"imported-sample": {

20
objects/pe-section/definition.json
View File

@ -88,6 +88,24 @@
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"offset": {
"description": "Sections offset",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "hex"
},
"virtual_address": {
"description": "Sections virtual address",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "hex"
},
"virtual_size": {
"description": "Sections virtual size",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"text": {
"description": "Free text value to attach to the section",
"disable_correlation": true,
@ -106,7 +124,7 @@
"misp-attribute": "text"
}
},
"version": 2,
"version": 3,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",

36
objects/person/definition.json
View File

@ -13,17 +13,17 @@
},
"last-name": {
"description": "Last name of a natural person.",
"ui-priority": 0,
"ui-priority": 100,
"misp-attribute": "last-name"
},
"middle-name": {
"description": "Middle name of a natural person.",
"ui-priority": 0,
"ui-priority": 99,
"misp-attribute": "middle-name"
},
"first-name": {
"description": "First name of a natural person.",
"ui-priority": 0,
"ui-priority": 98,
"misp-attribute": "first-name",
"disable_correlation": true
},
@ -34,13 +34,13 @@
},
"title": {
"description": "Title of the natural person such as Dr. or equivalent.",
"ui-priority": 0,
"ui-priority": 101,
"misp-attribute": "text",
"disable_correlation": true
},
"alias": {
"description": "Alias name or known as.",
"ui-priority": 0,
"ui-priority": 97,
"misp-attribute": "text",
"multiple": true
},
@ -63,7 +63,8 @@
"Male",
"Female",
"Other",
"Prefer not to say"
"Prefer not to say",
"Unknown"
],
"disable_correlation": true
},
@ -140,6 +141,24 @@
"misp-attribute": "text",
"multiple": true
},
"dni": {
"description": "Spanish National ID",
"ui-priority": 10,
"misp-attribute": "text",
"multiple": true
},
"nie": {
"description": "Foreign National ID (Spain)",
"ui-priority": 10,
"misp-attribute": "text",
"multiple": true
},
"nif": {
"description": "Tax ID Number (Spain)",
"ui-priority": 10,
"misp-attribute": "text",
"multiple": true
},
"e-mail": {
"description": "Email address of the person.",
"ui-priority": 10,
@ -164,12 +183,13 @@
"Accused",
"Culprit",
"Accomplice",
"Witness"
"Witness",
"Target"
],
"disable_correlation": true
}
},
"version": 8,
"version": 10,
"description": "An object which describes a person or an identity.",
"meta-category": "misc",
"uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",

95
objects/phishing-kit/definition.json Normal file
View File

@ -0,0 +1,95 @@
{
"name": "phishing-kit",
"uuid": "f452c16b-12fa-4f87-84a2-15a9e8ca6e7c",
"meta-category": "network",
"description": "Object to describe a phishing-kit.",
"version": 3,
"attributes": {
"internal reference": {
"categories": [
"Internal reference"
],
"misp-attribute": "text",
"ui-priority": 1,
"description": "Internal reference such as ticket ID"
},
"date-found": {
"multiple": true,
"misp-attribute": "datetime",
"ui-priority": 0,
"description": "Date when the phishing kit was found",
"to_ids": false,
"disable_correlation": true
},
"reference-link": {
"to_ids": false,
"multiple": true,
"ui-priority": 1,
"misp-attribute": "link",
"description": "Link where the Phishing Kit was observed"
},
"threat-actor-email": {
"description": "Email of the Threat Actor",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "email-src"
},
"email-type": {
"description": "Type of the Email",
"multiple": false,
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"kit-mailer": {
"description": "Mailer Kit Used",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"target": {
"description": "What was targeted using this phishing kit",
"multiple": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"phishing-domain": {
"description": "Domain used for Phishing",
"multiple": true,
"ui-priority": 1,
"misp-attribute": "url"
},
"online": {
"disable_correlation": true,
"misp-attribute": "text",
"values_list": [
"Yes",
"No"
],
"ui-priority": 0,
"description": "If the phishing kit is online and operational, by default is yes"
},
"kit-url": {
"misp-attribute": "url",
"ui-priority": 1,
"description": "URL of Phishing Kit"
},
"threat-actor": {
"description": "Identified threat actor",
"ui-priority": 0,
"multiple": true,
"misp-attribute": "text"
},
"kit-name": {
"description": "Name of the Phishing Kit",
"ui-priority": 10,
"misp-attribute": "text"
}
},
"requiredOneOf": [
"kit-url",
"reference-link",
"kit-name"
]
}

7
objects/process/definition.json
View File

@ -3,7 +3,7 @@
"uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"meta-category": "misc",
"description": "Object describing a system process.",
"version": 3,
"version": 5,
"attributes": {
"creation-time": {
"description": "Local date/time at which the process was created.",
@ -56,7 +56,7 @@
"current-directory": {
"description": "Current working directory of the process",
"ui-priority": 2,
"misp-attribute": "filename",
"misp-attribute": "text",
"disable_correlation": true
},
"image": {
@ -91,6 +91,7 @@
"name",
"pid",
"image",
"command-line"
"command-line",
"current-directory"
]
}

2
objects/python-etvx-event-log/definition.json
View File

@ -1,7 +1,7 @@
{
"required": [
"source",
"type",
"event-type",
"name"
],
"attributes": {

4
objects/regripper-system-hive-general-configuration/definition.json
View File

@ -77,11 +77,11 @@
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"version": 2,
"description": "Regripper Object template designed to present general system properties extracted from the system-hive.",
"meta-category": "misc",
"uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4",

4
objects/regripper-system-hive-service-drivers/definition.json
View File

@ -86,11 +86,11 @@
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"version": 2,
"description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.",
"meta-category": "misc",
"uuid": "78cdae45-2061-4b49-b1d6-71f562094a73",

8
objects/report/definition.json
View File

@ -5,7 +5,7 @@
"attributes": {
"summary": {
"description": "Free text summary of the report",
"ui-priority": 1,
"ui-priority": 100,
"misp-attribute": "text",
"categories": [
"Other",
@ -21,6 +21,12 @@
"Internal reference",
"Other"
]
},
"report-file(s)": {
"description": "Attachment(s) that is related to the report",
"ui-priority": 99,
"misp-attribute": "attachment",
"multiple": true
}
},
"version": 1,

46
objects/rogue-dns/definition.json Normal file
View File

@ -0,0 +1,46 @@
{
"required": [
"rogue-dns"
],
"attributes": {
"timestamp": {
"description": "Last time that the rogue DNS value was seen.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"rogue-dns": {
"description": "IP address of the rogue DNS",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"status": {
"description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"ROGUE DNS",
"Unknown"
],
"disable_correlation": true
},
"hijacked-domain": {
"description": "Domain/hostname hijacked by the the rogue DNS",
"categories": [
"Network activity"
],
"ui-priority": 1,
"misp-attribute": "hostname"
},
"phishing-ip": {
"description": "Resource records returns by the rogue DNS",
"ui-priority": 1,
"misp-attribute": "ip-dst"
}
},
"version": 1,
"description": "Rogue DNS as defined by CERT.br",
"meta-category": "network",
"uuid": "b7e7859b-6872-4fd2-ac49-f66ccb904505",
"name": "rogue-dns"
}

7
objects/script/definition.json
View File

@ -1,6 +1,7 @@
{
"required": [
"script"
"requiredOneOf": [
"script",
"filename"
],
"attributes": {
"script": {
@ -55,7 +56,7 @@
]
}
},
"version": 2,
"version": 4,
"description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
"meta-category": "misc",
"uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",

62
objects/shell-commands/definition.json Normal file
View File

@ -0,0 +1,62 @@
{
"requiredOneOf": [
"shell-command"
],
"attributes": {
"script": {
"description": "Free text of the script if available which executed the shell commands.",
"ui-priority": 10,
"misp-attribute": "text"
},
"comment": {
"description": "Comment associated to the shell commands executed.",
"ui-priority": 1,
"misp-attribute": "text"
},
"language": {
"description": "Scripting language used for the shell commands executed.",
"ui-priority": 9,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"PowerShell",
"VBScript",
"Bash",
"Lua",
"JavaScript",
"AppleScript",
"AWK",
"Python",
"Perl",
"Ruby",
"Winbatch",
"AutoIt",
"PHP"
]
},
"shell-command": {
"description": "",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"state": {
"misp-attribute": "text",
"ui-priority": 0,
"description": "Known state of the script.",
"multiple": true,
"disable_correlation": true,
"values_list": [
"Malicious",
"Unknown",
"Harmless",
"Trusted"
]
}
},
"version": 1,
"description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.",
"meta-category": "misc",
"uuid": "fee65efa-eb64-4516-8611-1db76c589f79",
"name": "shell-commands"
}

72
objects/ssh-authorized-keys/definition.json Normal file
View File

@ -0,0 +1,72 @@
{
"requiredOneOf": [
"ip",
"hostname",
"full-line",
"key"
],
"attributes": {
"text": {
"description": "A description of the ssh authorized keys",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"last-seen": {
"description": "Last time the ssh authorized keys file has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "First time the ssh authorized keys file has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"full-line": {
"description": "One full-line of the authorized key file",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"key": {
"description": "Public key in base64 as found in the authorized key file",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"key-id": {
"description": "Key-id and option part of the public key line",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"hostname": {
"description": "hostname",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "hostname",
"multiple": true
},
"ip": {
"description": "IP Address",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst",
"multiple": true
}
},
"version": 1,
"description": "An object to store ssh authorized keys file.",
"meta-category": "network",
"uuid": "d1db3e4d-c932-4d8b-a915-4cff088cb678",
"name": "ssh-authorized-keys"
}

41
objects/tor-hiddenservice/definition.json Normal file
View File

@ -0,0 +1,41 @@
{
"requiredOneOf": [
"address",
"first-seen",
"last-seen",
"description"
],
"required": [
"address"
],
"attributes": {
"description": {
"description": "Tor onion service comment.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"address": {
"description": "onion address of the Tor node seen.",
"ui-priority": 1,
"misp-attribute": "text"
},
"last-seen": {
"description": "When the Tor hidden service was seen for the last time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "When the Tor hidden service was been seen for the first time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
}
},
"version": 1,
"description": "Tor hidden service (onion service) object.",
"meta-category": "misc",
"uuid": "cbac07d6-fbe9-43b8-8d91-d515812ce330",
"name": "tor-hiddenservice"
}

137
objects/user-account/definition.json Normal file
View File

@ -0,0 +1,137 @@
{
"name": "user-account",
"uuid": "49606b06-22f0-4ac8-8eee-2f12ad46f3d3",
"meta-category": "misc",
"description": "",
"version": 1,
"requiredOneOf": [
"password",
"username",
"user-id"
],
"attributes": {
"text": {
"description": "A description of the user account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"username": {
"description": "Username related to the password.",
"ui-priority": 1,
"misp-attribute": "text"
},
"user-id": {
"description": "Identifier of the account.",
"ui-priority": 1,
"misp-attribute": "text"
},
"password": {
"description": "Password related to the username.",
"ui-priority": 1,
"misp-attribute": "text"
},
"display-name": {
"description": "Display name of the account.",
"ui-priority": 1,
"misp-attribute": "text"
},
"account-type": {
"description": "Type of the account.",
"ui-priority": 1,
"misp-attribute": "text",
"sane_default": [
"facebook",
"ldap",
"nis",
"openid",
"radius",
"skype",
"tacacs",
"twitter",
"unix",
"windows-local",
"windows-domain"
]
},
"is_service_account": {
"description": "Specifies if the account is associated with a network service.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "boolean"
},
"privileged": {
"description": "Specifies if the account has privileges such as root rights.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "boolean"
},
"can_escalate_privs": {
"description": "Specifies if the account has the ability to escalate privileges.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "boolean"
},
"disabled": {
"description": "Specifies if the account is desabled.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "boolean"
},
"created": {
"description": "Creation time of the account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "datetime"
},
"expires": {
"description": "Expiration time of the account",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "datetime"
},
"first_login": {
"description": "First time someone logged in to the account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "datetime"
},
"last_login": {
"description": "Last time someone logged in to the account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "datetime"
},
"password_last_changed": {
"description": "Last time the password has been changed.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "datetime"
},
"group-id": {
"description": "Identifier of the primary group of the account, in case of a UNIX account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"group": {
"description": "UNIX group(s) the account is member of.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"home_dir": {
"description": "Home directory of the UNIX account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"shell": {
"description": "UNIX command shell of the account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
}
}
}

46
objects/vehicle/definition.json
View File

@ -1,11 +1,15 @@
{
"requiredOneOf": [
"description",
"year",
"make",
"model",
"license-plate-number",
"vin"
"vin",
"dyno-power",
"date-first-registration",
"image-url",
"gearbox",
"indicative-value"
],
"attributes": {
"description": {
@ -14,12 +18,6 @@
"misp-attribute": "text",
"disable_correlation": true
},
"year": {
"description": "Year of manufacturing of the vehicle",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"make": {
"description": "Manufacturer of the vehicle",
"ui-priority": 0,
@ -42,9 +40,39 @@
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"dyno-power": {
"description": "Dyno power output",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"date-first-registration": {
"description": "Date of first registration",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"image-url": {
"description": "Image URL",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"gearbox": {
"description": "Gearbox",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"indicative-value": {
"description": "Indicative value",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
}
},
"version": 1,
"version": 2,
"description": "Vehicle object template to describe a vehicle information and registration",
"meta-category": "misc",
"uuid": "683c076c-f695-4ff2-8efa-e98a418049f4",

41
objects/x509/definition.json
View File

@ -3,7 +3,8 @@
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256",
"serial-number"
"serial-number",
"issuer"
],
"attributes": {
"subject": {
@ -14,12 +15,14 @@
"pubkey-info-algorithm": {
"description": "Algorithm of the public key",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"pubkey-info-size": {
"description": "Length of the public key (in bits)",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"pubkey-info-exponent": {
"description": "Exponent of the public key",
@ -59,24 +62,27 @@
"misp-attribute": "text"
},
"text": {
"description": "Free text description of hte certificate",
"description": "Free text description of the certificate",
"ui-priority": 1,
"misp-attribute": "text"
},
"validity-not-before": {
"description": "Certificate invalid before that date",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"validity-not-after": {
"description": "Certificate invalid after that date",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"issuer": {
"description": "Issuer of the certificate",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"serial-number": {
"description": "Serial number of the certificate",
@ -86,26 +92,39 @@
"version": {
"description": "Version of the certificate",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"self_signed": {
"description": "Self-signed certificate",
"ui-priority": 0,
"misp-attribute": "boolean"
"misp-attribute": "boolean",
"disable_correlation": true
},
"is_ca": {
"description": "CA certificate",
"ui-priority": 0,
"misp-attribute": "boolean"
"misp-attribute": "boolean",
"disable_correlation": true
},
"dns_names": {
"description": "DNS names",
"multiple": true,
"misp-attribute": "text",
"ui-priority": 0
},
"signature_algorithm": {
"description": "Signature algorithm",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true,
"sane_default": [
"SHA1_WITH_RSA_ENCRYPTION",
"SHA256_WITH_RSA_ENCRYPTION"
]
}
},
"version": 7,
"version": 9,
"description": "x509 object describing a X.509 certificate",
"meta-category": "network",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",

24
relationships/definition.json
View File

@ -1,5 +1,5 @@
{
"version": 14,
"version": 15,
"values": [
{
"name": "derived-from",
@ -10,6 +10,13 @@
"alfred"
]
},
{
"name": "executes",
"description": "This relationship describes an object which executes another object",
"format": [
"misp"
]
},
{
"name": "duplicate-of",
"description": "The referenced source and target objects are semantically duplicates of each other.",
@ -934,6 +941,21 @@
"format": [
"misp"
]
},
{
"name": "creates",
"description": "Represents an object that creates something.",
"format": [
"misp",
"haxpak"
]
},
{
"name": "screenshot-of",
"description": "Represents an object being the screenshot of something.",
"format": [
"misp"
]
}
],
"description": "Default type of relationships in MISP objects.",

4
tools/adoc_objects.py
View File

@ -3,7 +3,7 @@
#
#
# A simple converter of MISP objects to asciidoctor format
# Copyright (C) 2017-2018 Alexandre Dulaunoy
# Copyright (C) 2017-2019 Alexandre Dulaunoy
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
@ -73,12 +73,14 @@ def asciidoc(content=False, adoc=None, t='title',title=''):
if t == 'title':
output = '== ' + content
elif t == 'info':
content = content.rstrip('\.')
output = "\n{}.\n\n{} {} {}{}/definition.json[*this location*] {}.\n".format(content, 'NOTE: ', title, 'is a MISP object available in JSON format at https://github.com/MISP/misp-objects/blob/master/objects/',title.lower(),' The JSON format can be freely reused in your application or automatically enabled in https://www.github.com/MISP/MISP[MISP]')
elif t == 'author':
output = '\nauthors:: {}\n'.format(' - '.join(content))
elif t == 'value':
output = '=== ' + content
elif t == 'description':
content = content.rstrip('\.')
output = '\n{}\n'.format(content)
elif t == 'attributes':
#output = '\n{}\n'.format