Merge branch 'master' of github.com:MISP/misp-objects

pull/53/head
Raphaël Vinot 2017-11-10 13:29:03 -08:00
commit dade532c1f
7 changed files with 355 additions and 10 deletions


@ -65,6 +65,7 @@ for a specific attribute.
## Existing MISP objects
* [objects/ail-leak](objects/ail-leak/definition.json) - information leak object as defined by the [AIL Analysis Information Leak framework](https://www.github.com/CIRCL/AIL-framework).
* [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
* [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
* [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
* [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
@ -78,6 +79,7 @@ for a specific attribute.
* [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format.
* [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format.
* [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook.
* [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.
* [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
* [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts.
* [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
@ -88,6 +90,7 @@ for a specific attribute.
* [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
* [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
* [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
* [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.


@ -1,6 +1,5 @@
{
"requiredOneOf": [
"type",
"text",
"first-seen",
"last-seen",
@ -18,7 +17,7 @@
"origin": {
"description": "The link where the leak is (or was) accessible at first-seen.",
"ui-priority": 1,
"misp-attribute": "url"
"misp-attribute": "link"
},
"text": {
"description": "A description of the leak which could include the potential victim(s) or description of the leak.",
@ -58,7 +57,7 @@
"misp-attribute": "datetime"
}
},
"version": 2,
"version": 3,
"description": "An information leak as defined by the AIL Analysis Information Leak framework.",
"meta-category": "misc",
"uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
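Review bot: Switching `origin` from `url` to `link` at `"misp-attribute": "link"` changes how MISP treats the value, not just its label: `link` is a reference-type attribute that is by default not flagged `to_ids`, whereas a `url` attribute is exported as an indicator. That is the right choice for a pointer to where a leak was hosted, but it is a behaviour change for anyone consuming version-2 objects, so it is worth saying so in the attribute text, e.g. `"description": "The link where the leak is (or was) accessible at first-seen (reference only, not an indicator)."`. The first hunk also drops one entry from `requiredOneOf` (6 lines become 5, apparently `type`); the rest of that list is outside the hunk, so please double-check that an object carrying only the removed field is no longer expected to validate.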


@ -0,0 +1,75 @@
{
"requiredOneOf": [
"password"
],
"attributes": {
"text": {
"description": "A description of the credential(s)",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"username": {
"description": "Username related to the password(s)",
"ui-priority": 1,
"misp-attribute": "text"
},
"password": {
"description": "Password",
"multiple": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"type": {
"description": "Type of password(s)",
"ui-priority": 1,
"misp-attribute": "text",
"values_list": [
"password",
"api-key",
"encryption-key",
"unknown"
]
},
"origin": {
"description": "Origin of the credential(s)",
"ui-priority": 1,
"misp-attribute": "text",
"sane_default": [
"bruteforce-scanning",
"malware-analysis",
"memory-analysis",
"network-analysis",
"leak",
"unknown"
]
},
"format": {
"description": "Format of the password(s)",
"ui-priority": 1,
"misp-attribute": "text",
"values_list": [
"clear-text",
"hashed",
"encrypted",
"unknown"
]
},
"notification": {
"description": "Mention of any notification(s) towards the potential owner(s) of the credential(s)",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true,
"values_list": [
"victim-notified",
"service-notified",
"none"
]
}
},
"version": 2,
"description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
"meta-category": "misc",
"uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
"name": "credential"
}
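Review bot: `username` is a plain `text` attribute with correlation left enabled, while the sibling `text` attribute explicitly sets `"disable_correlation": true`; common values such as `admin` or `root` will then correlate unrelated events across an instance. I would add `"disable_correlation": true` to `username`, and make an explicit decision for `password` — correlation on reused passwords can be a useful pivot, but trivially weak clear-text values (`123456`) will generate the same noise. The object description says `decryption key(s)` while the `type` list offers `encryption-key`; align one with the other. Since `requiredOneOf` is only `password`, nothing obliges a sharer to set `format`; a sentence in the `password` description asking that `format` be set whenever clear-text secrets are shared would help recipients handle them appropriately.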


@ -36,10 +36,11 @@
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst"
"misp-attribute": "ip-dst",
"multiple": true
}
},
"version": 3,
"version": 4,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
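Review bot: With `"multiple": true` on `ip-dst`, one domain-ip object can now carry several IPs, but the description still reads `A domain and IP address seen as a tuple in a specific time frame`, and any time-frame attributes of the object (defined above this hunk) would now apply to all of those IPs at once. Either restate the description, e.g. `"description": "A domain and one or more IP addresses seen as a tuple in a specific time frame."`, or document that producers should keep one object per domain/IP pair when the observation windows differ. The attribute block that `multiple` is added to begins outside the hunk.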


@ -3,7 +3,7 @@
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"meta-category": "network",
"description": "Email object describing an email with meta-information",
"version": 6,
"version": 7,
"attributes": {
"reply-to": {
"description": "Email address the reply will be sent to",
@ -56,6 +56,14 @@
"Payload delivery"
]
},
"screenshot": {
"description": "Screenshot of email",
"misp-attribute": "attachment",
"ui-priority": 1,
"categories": [
"External analysis"
]
},
"attachment": {
"description": "Attachment",
"misp-attribute": "email-attachment",


@ -199,6 +199,258 @@
"format": [
"misp"
]
},
{
"name": "vulnerability-of",
"description": "This relationship describes an object which is a vulnerability of another object.",
"format": [
"cert-eu"
]
},
{
"name": "works-like",
"description": "This relationship describes an object which works like another object.",
"format": [
"cert-eu"
]
},
{
"name": "seller-of",
"description": "This relationship describes an object which is selling another object.",
"format": [
"cert-eu"
]
},
{
"name": "seller-on",
"description": "This relationship describes an object which is selling on another object.",
"format": [
"cert-eu"
]
},
{
"name": "trying-to-obtain-the-exploit",
"description": "This relationship describes an object which is trying to obtain the exploit described by another object",
"format": [
"cert-eu"
]
},
{
"name": "used-by",
"description": "This relationship describes an object which is used by another object.",
"format": [
"cert-eu"
]
},
{
"name": "affiliated",
"description": "This relationship describes an object which is affiliated with another object.",
"format": [
"cert-eu"
]
},
{
"name": "alleged-founder-of",
"description": "This relationship describes an object which is the alleged founder of another object.",
"format": [
"cert-eu"
]
},
{
"name": "attacking-other-group",
"description": "This relationship describes an object which attacks another object.",
"format": [
"cert-eu"
]
},
{
"name": "belongs-to",
"description": "This relationship describes an object which belongs to another object.",
"format": [
"cert-eu"
]
},
{
"name": "business-relations",
"description": "This relationship describes an object which has business relations with another object.",
"format": [
"cert-eu"
]
},
{
"name": "claims-to-be-the-founder-of",
"description": "This relationship describes an object which claims to be the founder of another object.",
"format": [
"cert-eu"
]
},
{
"name": "cooperates-with",
"description": "This relationship describes an object which cooperates with another object.",
"format": [
"cert-eu"
]
},
{
"name": "former-member-of",
"description": "This relationship describes an object which is a former member of another object.",
"format": [
"cert-eu"
]
},
{
"name": "successor-of",
"description": "This relationship describes an object which is a successor of another object.",
"format": [
"cert-eu"
]
},
{
"name": "has-joined",
"description": "This relationship describes an object which has joined another object.",
"format": [
"cert-eu"
]
},
{
"name": "member-of",
"description": "This relationship describes an object which is a member of another object.",
"format": [
"cert-eu"
]
},
{
"name": "primary-member-of",
"description": "This relationship describes an object which is a primary member of another object.",
"format": [
"cert-eu"
]
},
{
"name": "administrator-of",
"description": "This relationship describes an object which is an administrator of another object.",
"format": [
"cert-eu"
]
},
{
"name": "is-in-relation-with",
"description": "This relationship describes an object which is in relation with another object,",
"format": [
"cert-eu"
]
},
{
"name": "provide-support-to",
"description": "This relationship describes an object which provides support to another object.",
"format": [
"cert-eu"
]
},
{
"name": "regional-branch",
"description": "This relationship describes an object which is a regional branch of another object.",
"format": [
"cert-eu"
]
},
{
"name": "similar",
"description": "This relationship describes an object which is similar to another object.",
"format": [
"cert-eu"
]
},
{
"name": "subgroup",
"description": "This relationship describes an object which is a subgroup of another object.",
"format": [
"cert-eu"
]
},
{
"name": "suspected-link",
"description": "This relationship describes an object which is suspected to be linked with another object.",
"format": [
"misp"
]
},
{
"name": "same-as",
"description": "This relationship describes an object which is the same as another object.",
"format": [
"misp"
]
},
{
"name": "creator-of",
"description": "This relationship describes an object which is the creator of another object.",
"format": [
"cert-eu"
]
},
{
"name": "developer-of",
"description": "This relationship describes an object which is a developer of another object.",
"format": [
"cert-eu"
]
},
{
"name": "uses-for-recon",
"description": "This relationship describes an object which uses another object for recon.",
"format": [
"cert-eu"
]
},
{
"name": "operator-of",
"description": "This relationship describes an object which is an operator of another object.",
"format": [
"cert-eu"
]
},
{
"name": "overlaps",
"description": "This relationship describes an object which overlaps another object.",
"format": [
"cert-eu"
]
},
{
"name": "owner-of",
"description": "This relationship describes an object which owns another object.",
"format": [
"cert-eu"
]
},
{
"name": "publishes-method-for",
"description": "This relationship describes an object which publishes method for another object.",
"format": [
"cert-eu"
]
},
{
"name": "recommends-use-of",
"description": "This relationship describes an object which recommends the use of another object.",
"format": [
"cert-eu"
]
},
{
"name": "released-source-code",
"description": "This relationship describes an object which released source code of another object.",
"format": [
"cert-eu"
]
},
{
"name": "released",
"description": "This relationship describes an object which release another object.",
"format": [
"cert-eu"
]
}
],
"description": "Default type of relationships in MISP objects.",
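Review bot: Two of the new descriptions have wording slips: `is-in-relation-with` ends with a comma instead of a full stop (`...in relation with another object,`), and `released` reads `which release another object` — should be `releases`. The `format` tags are also mixed: `suspected-link` and `same-as` are tagged `misp` while every other entry added here is `cert-eu`; if that is deliberate it is fine, otherwise tag them consistently. Several new names (`used-by`, `belongs-to`, `similar`, `member-of`) are generic enough that they may duplicate relationships already defined earlier in this file, outside the hunk; worth a check for duplicates before merging.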


@ -43,20 +43,27 @@ def header(adoc=False):
if adoc is False:
return False
doc = adoc
dedication = "\n[dedication]\n== Funding and Support\nThe MISP project is financially and resource supported by https://www.circl.lu/[CIRCL Computer Incident Response Center Luxembourg ].\n\nimage:{images-misp}logo.png[CIRCL logo]\n\nA CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31th August 2019 as ***Improving MISP as building blocks for next-generation information sharing***.\n\nimage:{images-misp}en_cef.png[CEF funding]\n\nIf you are interested to co-fund projects around MISP, feel free to get in touch with us.\n\n"
doc = doc + ":toc: right\n"
# doc = doc + ":doctype: book\n"
doc = doc + ":toclevels: 1\n"
doc = doc + ":toc-title: MISP Objects\n"
doc = doc + ":icons: font\n"
doc = doc + ":sectanchors:\n"
doc = doc + ":sectlinks:\n"
doc = doc + ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/\n"
doc = doc + ":images-misp: https://www.misp-project.org/assets/images/\n"
doc = doc + "\n= MISP Objects\n\n"
doc = doc + "Generated from https://github.com/MISP/misp-objects.\n\n"
doc = doc + "= Introduction\n"
doc = doc + "\nimage::{images-cdn}misp-logo.png[MISP logo]\n"
doc = "{}{}".format(doc, "\nMISP MISP objects to be used in MISP (2.4.80) system and can be used by other information sharing tool. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes are based on real cyber security use-cases and existing practices in information sharing.\n")
doc = doc + "The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.\n\n"
doc = doc + ""
doc = "{}{}".format(doc, "\nMISP objects are used in MISP (starting from version 2.4.80) system and can be used by other information sharing tool. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes are based on real cyber security use-cases and existing practices in information sharing. The objects are just shared like any other attributes in MISP even if the other MISP instances don't have the template of the object.\n")
doc = doc + "The following document is generated from the machine-readable JSON describing the https://github.com/MISP/misp-objects[MISP objects]."
doc = doc + "\n\n"
doc = doc + "<<<\n"
doc = doc + dedication
doc = doc + "<<<\n"
doc = doc + "= MISP objects\n"
return doc
def asciidoc(content=False, adoc=None, t='title',title=''):
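Review bot: The new `dedication` string contains `31th August 2019`, which should be `31st August 2019`, and the rewritten intro paragraph says `can be used by other information sharing tool` where `tools` is meant; both are emitted verbatim into the generated document. On style, the body alternates `doc = doc + ...` with `doc = "{}{}".format(doc, ...)` for the same append; collecting the fragments in a list and ending with `return "".join(parts)` would read uniformly and avoid the repeated reassignment. The `def header(adoc=False):` line itself is above the hunk, so the early `return False` for the falsy-`adoc` case is only partly visible here.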