Merge branch 'master' of github.com:MISP/misp-objects

pull/241/head
chrisr3d 2018-09-04 16:16:07 +02:00
commit e04a9a570b
14 changed files with 278 additions and 40 deletions


@ -113,11 +113,13 @@ for a specific attribute.
* [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
* [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s).
* [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target.
* [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
* [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
* [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system.
* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system.
* [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object.
* [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
* [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.
* [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
@ -125,6 +127,7 @@ for a specific attribute.
* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
* [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
* [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
* [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
* [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.


@ -44,7 +44,8 @@
"HSR",
"STRAT",
"WAVES",
"PPT"
"PPT",
"ETN"
]
},
"last-seen": {
@ -67,7 +68,7 @@
"recommended": false
}
},
"version": 3,
"version": 4,
"description": "An address used in a cryptocurrency",
"meta-category": "financial",
"uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46",


@ -30,7 +30,8 @@
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain"
"misp-attribute": "domain",
"multiple": true
},
"ip": {
"description": "IP Address",
@ -43,7 +44,7 @@
"multiple": true
}
},
"version": 5,
"version": 6,
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"meta-category": "network",
"uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",


@ -3,7 +3,7 @@
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"meta-category": "network",
"description": "Email object describing an email with meta-information",
"version": 11,
"version": 12,
"attributes": {
"reply-to": {
"description": "Email address the reply will be sent to",
@ -179,7 +179,6 @@
"message-id",
"reply-to",
"send-date",
"url",
"mime-boundary",
"thread-index",
"header",


@ -4,8 +4,6 @@
"size-in-bytes",
"authentihash",
"ssdeep",
"imphash",
"pehash",
"md5",
"sha1",
"sha224",
@ -98,7 +96,8 @@
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "pattern-in-file"
"misp-attribute": "pattern-in-file",
"multiple": true
},
"text": {
"description": "Free text value to attach to the file",
@ -164,7 +163,7 @@
]
}
},
"version": 11,
"version": 13,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",


@ -0,0 +1,47 @@
{
"requiredOneOf": [
"case-number"
],
"attributes": {
"case-number": {
"description": "Any unique number assigned to the case for unique identification.",
"ui-priority": 0,
"misp-attribute": "text"
},
"case-name": {
"description": "Name to address the case.",
"ui-priority": 0,
"misp-attribute": "text"
},
"name-of-the-analyst": {
"description": "Name(s) of the analyst assigned to the case.",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"references": {
"description": "External references",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "link"
},
"analysis-start-date": {
"description": "Date when the analysis began.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"additional-comments": {
"description": "Comments.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"description": "An object template to describe a digital forensic case.",
"meta-category": "misc",
"uuid": "3ea36022-ae93-455e-88b1-d43aca789cac",
"name": "forensic-case"
}
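Review bot: `case-number` and `case-name` are stored as plain `text` with correlation left enabled, while the other organisation-local fields in this new template (`name-of-the-analyst`, `analysis-start-date`, `additional-comments`) set `"disable_correlation": true`; a case number is an internal identifier, so two organisations sharing events that happen to use the same short value (a constructed example: `2018-001`) would presumably correlate spuriously. Consider adding `"disable_correlation": true` to both, or stating in the description why correlation on them is wanted. Also, `"requiredOneOf": ["case-number"]` has a single entry, which is the same constraint as `"required": ["case-number"]` (the form used by the threatgrid-report template in this commit) and states the intent more directly.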


@ -41,7 +41,8 @@
"altitude": {
"description": "The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.",
"ui-priority": 0,
"misp-attribute": "float"
"misp-attribute": "float",
"disable_correlation": true
},
"address": {
"description": "Address.",
@ -63,6 +64,12 @@
"misp-attribute": "text",
"ui-priority": 1
},
"accuracy-radius": {
"description": "The approximate accuracy radius, in kilometers, around the latitude and longitude for the geographical entity (country, subdivision, city or postal code) associated with the related object. (based on geoip2 accuracy of maxmind)",
"misp-attribute": "float",
"ui-priority": 1,
"disable_correlation": true
},
"country": {
"description": "Country.",
"misp-attribute": "text",
@ -71,7 +78,8 @@
"epsg": {
"description": "EPSG Geodetic Parameter value. This is an integer value of the EPSG.",
"misp-attribute": "text",
"ui-priority": 70
"ui-priority": 70,
"disable_correlation": true
},
"spacial-reference": {
"description": "Default spacial or projection refence for this object.",
@ -84,7 +92,7 @@
]
}
},
"version": 3,
"version": 5,
"description": "An object to describe a geographic location.",
"meta-category": "misc",
"uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3",
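Review bot: The `uuid` on the context line after the version bump, `fdd30d5f-6752-45ed-bef2-25e8ce4d8a3`, has only 11 hex digits in its last group where an RFC 4122 UUID has 12, so it appears to be one character short; the template is identified by this value, so it is worth confirming against what is deployed before bumping the version again, since correcting it later changes the identity of the object. The version also moves from 3 to 5 within one hunk, presumably absorbing an intermediate bump from the merged branch; if not, 4 would be the expected value.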


@ -2,43 +2,27 @@
"name": "ja3",
"meta-category": "network",
"description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
"version": 2,
"version": 3,
"uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
"attributes": {
"ja3-fingerprint-md5": {
"description": "Hash identifying source",
"misp-attribute": "md5",
"ui-priority": 1,
"categories": [
"Network activity",
"External analysis"
]
"ui-priority": 1
},
"description": {
"description": "Type of detected software ie software, malware",
"misp-attribute": "text",
"ui-priority": 1,
"categories": [
"Network activity",
"External analysis"
]
"ui-priority": 1
},
"ip-src": {
"description": "Source IP Address",
"misp-attribute": "ip-src",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1
},
"ip-dst": {
"description": "Destination IP address",
"misp-attribute": "ip-dst",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1
},
"first-seen": {


@ -19,7 +19,9 @@
"codepad.org",
"safebin.net",
"hastebin.com",
"ghostbin.com"
"ghostbin.com",
"paste.ee",
"0bin.net"
],
"description": "Original source of the paste or post.",
"ui-priority": 0,
@ -39,7 +41,12 @@
"url": {
"misp-attribute": "url",
"ui-priority": 0,
"description": "Link to the original source of the paste or post."
"description": "Link to the original source of the paste or post (when used maliciously)."
},
"link": {
"misp-attribute": "link,",
"ui-priority": 0,
"description": "Link to the original source of the source or post (when used legitimately for OSINT source or alike)."
},
"last-seen": {
"description": "When the paste has been accessible or seen for the last time.",
@ -54,7 +61,7 @@
"misp-attribute": "datetime"
}
},
"version": 3,
"version": 4,
"description": "Paste or similar post from a website allowing to share privately or publicly posts.",
"meta-category": "misc",
"uuid": "cedc055c-78aa-49a4-bfd7-4cc30cecef12",
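Review bot: The new `link` attribute sets `"misp-attribute": "link,"` — the trailing comma is inside the string, so the attribute type is `link,` rather than `link` and would not match any MISP attribute type; it should read `"misp-attribute": "link",`. The description on the same attribute says `source of the source or post`, which by analogy with the `url` attribute just above should presumably be `source of the paste or post`.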


@ -0,0 +1,47 @@
{
"requiredOneOf": [
"body",
"from"
],
"attributes": {
"body": {
"description": "Message body of the SMS",
"ui-priority": 1,
"misp-attribute": "text"
},
"url-rfc5724": {
"description": "url representing SMS using RFC 5724 (not url contained in the SMS which should use an url object)",
"ui-priority": 6,
"misp-attribute": "url"
},
"from": {
"description": "Phone number used to send the SMS",
"ui-priority": 1,
"misp-attribute": "phone-number",
"multiple": true
},
"to": {
"description": "Phone number receiving the SMS",
"ui-priority": 1,
"misp-attribute": "phone-number",
"multiple": true
},
"sent-date": {
"description": "Initial sent date of the SMS",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"received-date": {
"description": "Received date of the SMS",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
}
},
"version": 1,
"description": "Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.",
"meta-category": "misc",
"uuid": "4851a3dc-e1a6-43ac-9d97-f0d13a099fd2",
"name": "short-message-service"
}


@ -0,0 +1,79 @@
{
"required": [
"threat_score"
],
"attributes": {
"threat_score": {
"description": "threat_score",
"disable_correlation": true,
"categories": [
"External analysis"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"heuristic_raw_score": {
"description": "heuristic_raw_score",
"disable_correlation": true,
"categories": [
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text"
},
"heuristic_score": {
"description": "heuristic_score",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"analysis_submitted_at": {
"description": "Submission date",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"original_filename": {
"description": "Original filename",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"permalink": {
"description": "permalink",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"id": {
"description": "ThreatGrid ID",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "text"
},
"iocs": {
"description": "iocs",
"categories": [
"Other"
],
"ui-priority": 0,
"multiple": true,
"misp-attribute": "text"
}
},
"version": 6,
"description": "ThreatGrid report",
"meta-category": "misc",
"uuid": "23b3576b-2e68-4a86-a103-68820daef1d5",
"name": "threatgrid-report"
}
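Review bot: Most attribute descriptions in this new template just repeat the key (`"threat_score"`, `"heuristic_raw_score"`, `"permalink"`, `"iocs"`), which tells a MISP user nothing about the value's meaning, range or units; each should say what the field holds, along the lines of `"description": "ThreatGrid threat score assigned to the sample"` (constructed wording, to be adjusted to the actual ThreatGrid semantics). The types also look coarse: `analysis_submitted_at` and `permalink` are `text` where the other templates in this commit use `datetime` and `link` for the same kinds of value, and `heuristic_score` correlates while the two neighbouring scores set `"disable_correlation": true`, so a numeric score would presumably link unrelated reports. The keys use underscores unlike the hyphenated names in the other templates touched here, and a brand-new file starting at `"version": 6` suggests it was carried over from elsewhere; if not, 1 is the convention the other new templates in this commit follow.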


@ -0,0 +1,52 @@
{
"requiredOneOf": [
"description",
"year",
"make",
"model",
"license-plate-number",
"vin"
],
"attributes": {
"description": {
"description": "Description of the vehicle",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"year": {
"description": "Year of manufacturing of the vehicle",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"make": {
"description": "Manufacturer of the vehicle",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"model": {
"description": "Model of the vehicle",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"vin": {
"description": "Vehicle identification number (VIN)",
"ui-priority": 0,
"misp-attribute": "text"
},
"license-plate-number": {
"description": "License plate number",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
}
},
"version": 1,
"description": "Vehicle object template to describe a vehicle information and registration",
"meta-category": "misc",
"uuid": "683c076c-f695-4ff2-8efa-e98a418049f4",
"name": "vehicle"
}


@ -1,5 +1,5 @@
{
"version": 12,
"version": 13,
"values": [
{
"name": "derived-from",
@ -615,6 +615,13 @@
"format": [
"misp"
]
},
{
"name": "signed-by",
"description": "This relationship describes an object signed by another object.",
"format": [
"misp"
]
}
],
"description": "Default type of relationships in MISP objects.",


@ -3,7 +3,7 @@
#
#
# A simple converter of MISP objects to asciidoctor format
# Copyright (C) 2017 Alexandre Dulaunoy
# Copyright (C) 2017-2018 Alexandre Dulaunoy
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
@ -84,14 +84,18 @@ def asciidoc(content=False, adoc=None, t='title',title=''):
#output = '\n{}\n'.format
#output = '[cols=\",a\"]\n'
output = output + '|===\n'
output = output + '|Object attribute | MISP attribute type | Description | Disable correlation\n'
output = output + '|Object attribute | MISP attribute type | Description | Disable correlation | Multiple\n'
adoc = adoc + output
for v in content['attributes']:
disableCorrelation = 'icon:minus[] '
description = 'icon:minus[] '
multiple = 'icon:minus[] '
if 'disable_correlation' in content['attributes'][v]:
if content['attributes'][v]['disable_correlation']:
disableCorrelation = 'icon:check[] '
if 'multiple' in content['attributes'][v]:
if content['attributes'][v]['multiple']:
multiple = 'icon:check[] '
if 'description' in content['attributes'][v]:
if content['attributes'][v]['description']:
description = '{}'.format(content['attributes'][v]['description'])
@ -101,7 +105,7 @@ def asciidoc(content=False, adoc=None, t='title',title=''):
if 'sane_default' in content['attributes'][v]:
values = content['attributes'][v]['sane_default']
description = '{} {}'.format(content['attributes'][v]['description'],values)
output = '\n| {} | {} a| {} a| {}\n'.format(v, content['attributes'][v]['misp-attribute'], description ,disableCorrelation)
output = '\n| {} | {} a| {} a| {} a| {}\n'.format(v, content['attributes'][v]['misp-attribute'], description ,disableCorrelation, multiple)
adoc = adoc + output
output = '\n|===\n'
adoc = adoc + output
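Review bot: The new `multiple` check copies the two-level `if 'multiple' in …: if …['multiple']:` pattern used for disable_correlation; a single `multiple = 'icon:check[] ' if content['attributes'][v].get('multiple') else 'icon:minus[] '` yields the same result, and binding `attr = content['attributes'][v]` once at the top of the loop would shorten every lookup in both hunks, including the widened format call in the second. Visible in the second hunk though not introduced by this change, the sane_default branch indexes `['description']` directly while the description column above guards it with `in`, so a template attribute with a sane_default but no description would presumably raise KeyError. The function asciidoc begins before the first hunk and continues after the second.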