chg: [device] added hits, status and infection_type (from ShadowServer)

- request for VarIOT project
2021-10-25 15:52:34 +02:00 · 2021-10-25 15:52:34 +02:00 · dcc9e4c8be
parent 960a03be22
commit dcc9e4c8be
1 changed files with 285 additions and 1 deletions
--- a/objects/device/definition.json
+++ b/objects/device/definition.json
@ -57,6 +57,279 @@
      "multiple": true,
      "ui-priority": 0
    },
+    "hits": {
+      "description": "Number of hits for the device",
+      "disable_correlation": true,
+      "misp-attribute": "counter",
+      "ui-priority": 0
+    },
+    "infection_type": {
+      "description": "Type of infection if the device is in Infected status",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "android_spams",
+        "android.bakdoor.prizmes",
+        "android.bankbot",
+        "android.banker.anubis",
+        "android.bankspy",
+        "android.cliaid",
+        "android.darksilent",
+        "android.fakeav",
+        "android.fakebank",
+        "android.fakedoc",
+        "android.fakeinst",
+        "android.fakemart",
+        "android.faketoken",
+        "android.fobus",
+        "android.fungram",
+        "android.geost",
+        "android.gopl",
+        "android.hiddad",
+        "android.hqwar",
+        "android.hummer",
+        "android.infosteal",
+        "android.iop",
+        "android.lockdroid",
+        "android.milipnot",
+        "android.nitmo",
+        "android.opfake",
+        "android.premiumtext",
+        "android.provar",
+        "android.pwstealer",
+        "android.rootnik",
+        "android.skyfin",
+        "android.smsbot",
+        "android.smssilence",
+        "android.smsspy",
+        "android.smsspy.be24",
+        "android.sssaaa",
+        "android.teleplus",
+        "android.uupay",
+        "android.voxv",
+        "avalanche-andromeda",
+        "banatrix",
+        "bankpatch",
+        "bebloh",
+        "bedep",
+        "betabot",
+        "bitcoinminer",
+        "blackbeard",
+        "blakamba",
+        "boinberg",
+        "buhtrap",
+        "caphaw",
+        "carberp",
+        "chafer",
+        "changeup",
+        "chinad",
+        "citadel",
+        "cobint",
+        "coinminer",
+        "conficker",
+        "cryptowall",
+        "cutwail",
+        "cycbot",
+        "diaminer",
+        "dimnie",
+        "dipverdle",
+        "dircrypt",
+        "dirtjumper",
+        "disorderstatus",
+        "dmsniff",
+        "dofoil",
+        "domreg",
+        "dorkbot",
+        "dorkbot-ssl",
+        "dresscode",
+        "dybalom",
+        "ek.fallout",
+        "emoted",
+        "emotet",
+        "esfury",
+        "expiro",
+        "exploitkit.fallout",
+        "extenbro",
+        "fake_cs_updater",
+        "fakerean",
+        "fallout.exploitkit",
+        "fast-flux",
+        "fast-flux-double",
+        "fast-flux;fast-flux-double",
+        "fleercivet",
+        "fobber",
+        "foxbantrix",
+        "foxbantrix-unknown",
+        "generic.malware",
+        "geodo",
+        "gonderici",
+        "gootkit",
+        "gozi",
+        "gspy",
+        "gtfobot",
+        "hancitor",
+        "harnig",
+        "htm5player.vast",
+        "ibanking",
+        "icedid",
+        "infected",
+        "iotreaper",
+        "ip-spoofer",
+        "ircbot",
+        "isfb",
+        "jadtre",
+        "jdk-update-apt",
+        "js.worm.bondat",
+        "junk-domains",
+        "kasidet",
+        "kbot",
+        "kelihos",
+        "kelihos.e",
+        "keylogger",
+        "keylogger-ftp",
+        "keylogger-vbklip",
+        "kidminer",
+        "kingminer",
+        "koobface",
+        "kraken",
+        "kronos",
+        "kwampirs",
+        "lethic",
+        "linux.backdoor.setag",
+        "linux.ngioweb",
+        "litemanager",
+        "loader",
+        "locky",
+        "loki",
+        "lokibot",
+        "luminositylink",
+        "lurkbanker",
+        "madominer",
+        "magecart",
+        "maliciouswebsites",
+        "malvertising.doubleclick",
+        "malwaretom",
+        "marcher",
+        "matrix",
+        "matsnu",
+        "menupass",
+        "mewsspy",
+        "miner.monero",
+        "minr",
+        "mirai",
+        "mix2",
+        "mkero",
+        "monero",
+        "mozi",
+        "muddywater",
+        "murofet",
+        "mysafeproxymonitor",
+        "nametrick",
+        "necurs",
+        "netsupport",
+        "nettraveler",
+        "neurevt",
+        "nitol",
+        "nivdort",
+        "nukebot",
+        "null",
+        "nymaim",
+        "nymain",
+        "osx.fakeflash",
+        "palevo",
+        "pawnstorm",
+        "phishing",
+        "phishing.cobalt",
+        "phishing.cobalt_dickens",
+        "phorpiex",
+        "pitou",
+        "plasma-tomas",
+        "ponmocup",
+        "pony",
+        "poseidon",
+        "powerstats",
+        "proxyback",
+        "pushdo",
+        "pws.pony",
+        "pykspa",
+        "qadars",
+        "qakbot",
+        "qqblack",
+        "qrypter.rat",
+        "qsnatch",
+        "racoon",
+        "ramdo",
+        "ramnit",
+        "ranbyus",
+        "ransom.cerber",
+        "ransomware",
+        "ransomware.shade",
+        "rat.vermin",
+        "renocide",
+        "revil",
+        "rodecap",
+        "sality",
+        "sality-p2p",
+        "servhelper",
+        "sgminer",
+        "shifu",
+        "shiz",
+        "sinowal",
+        "sisron",
+        "sodinokibi",
+        "spam",
+        "sphinx",
+        "spyeye",
+        "ssh-brute-force",
+        "ssl",
+        "ssl-az7",
+        "ssl-unknown-bot-test",
+        "ssl-vmzeus",
+        "stantinko",
+        "tdss",
+        "teleru",
+        "telnet-brute-force",
+        "tinba",
+        "tinba-dga",
+        "trickbot",
+        "triton",
+        "trojan.click3",
+        "trojan.fakeav",
+        "trojan.includer",
+        "trojan.win32.razy.gen",
+        "unknown",
+        "unknown-bot-test",
+        "valak",
+        "vawtrak",
+        "vbklip",
+        "verst",
+        "victorygate.a",
+        "victorygate.b",
+        "victorygate.c",
+        "virut",
+        "vmzeus",
+        "vobfus",
+        "volatile_cedar",
+        "vpnfilter_stage3",
+        "wannacrypt",
+        "wauchos",
+        "webminer.cdn",
+        "win.neurevt",
+        "worm.kasidet",
+        "worm.phorpiex",
+        "wowlik",
+        "wrokni",
+        "xbash",
+        "xmrminer",
+        "xpaj",
+        "xshellghost",
+        "yoddos",
+        "zeus",
+        "zeus_gameover",
+        "zeus_panda",
+        "zloader"
+      ]
+    },
    "ip-address": {
      "description": "Device IP address",
      "misp-attribute": "ip-src",
@ -68,6 +341,17 @@
      "misp-attribute": "text",
      "ui-priority": 101
    },
+    "status": {
+      "description": "Status of the device",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "Infected",
+        "Exposed",
+        "Unknown",
+        "Clean"
+      ]
+    },
    "version": {
      "description": "Version of the device/ OS",
      "disable_correlation": true,
@ -83,5 +367,5 @@
    "alias"
  ],
  "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52",
-  "version": 7
+  "version": 9
 }