diff --git a/README.md b/README.md
index 7e5424b..dd87bb5 100644
--- a/README.md
+++ b/README.md
@@ -113,11 +113,13 @@ for a specific attribute.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
 * [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
+* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s).
 * [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target.
 * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
 * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
 * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
-* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system.
+* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system.
+* [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object.
 * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
 * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. 
Relationship will then define the kind of time relationship.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
@@ -125,6 +127,7 @@ for a specific attribute.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
 * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
 * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
+* [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
 * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
 * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
 * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
diff --git a/objects/coin-address/definition.json b/objects/coin-address/definition.json
index 343f337..51876e7 100644
--- a/objects/coin-address/definition.json
+++ b/objects/coin-address/definition.json
@@ -44,7 +44,8 @@
 "HSR",
 "STRAT",
 "WAVES",
- "PPT"
+ "PPT",
+ "ETN"
 ]
 },
 "last-seen": {
@@ -67,7 +68,7 @@
 "recommended": false
 }
 },
- "version": 3,
+ "version": 4,
 "description": "An address used in a cryptocurrency",
 "meta-category": "financial",
 "uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46",
diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json
index 7cd4d8a..8e56f07 100644
--- a/objects/domain-ip/definition.json
+++ b/objects/domain-ip/definition.json
@@ -30,7 +30,8 @@
 "External analysis"
 ],
 "ui-priority": 1,
- "misp-attribute": "domain"
+ "misp-attribute": "domain",
+ "multiple": true
 },
 "ip": {
 "description": "IP Address",
@@ -43,7 +44,7 @@
 "multiple": true
 }
 },
- "version": 5,
+ "version": 6,
 "description": "A domain and IP address seen as a tuple in a specific time frame.",
 "meta-category": "network",
 "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 84c1465..a5099a6 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -3,7 +3,7 @@
 "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
 "meta-category": "network",
 "description": "Email object describing an email with meta-information",
- "version": 11,
+ "version": 12,
 "attributes": {
 "reply-to": {
 "description": "Email address the reply will be sent to",
@@ -179,7 +179,6 @@
 "message-id",
 "reply-to",
 "send-date",
- "url",
 "mime-boundary",
 "thread-index",
 "header",
diff --git a/objects/file/definition.json b/objects/file/definition.json
index 4c65a73..49bbc28 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -4,8 +4,6 @@
 "size-in-bytes",
 "authentihash",
 "ssdeep",
- "imphash",
- "pehash",
 "md5",
 "sha1",
 "sha224",
@@ -98,7 +96,8 @@
 "External analysis"
 ],
 "ui-priority": 1,
- "misp-attribute": "pattern-in-file"
+ "misp-attribute": "pattern-in-file",
+ "multiple": true
 },
 "text": {
 "description": "Free text value to attach to the file",
@@ -164,7 +163,7 @@
 ]
 }
 },
- "version": 11,
+ "version": 13,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
diff --git a/objects/forensic-case/definition.json b/objects/forensic-case/definition.json
new file mode 100644
index 0000000..a15b7c2
--- /dev/null
+++ b/objects/forensic-case/definition.json
@@ -0,0 +1,47 @@
+{
+ "requiredOneOf": [
+ "case-number"
+ ],
+ "attributes": {
+ "case-number": {
+ "description": "Any unique number assigned to the case for unique identification.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "case-name": {
+ "description": "Name to address the case.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "name-of-the-analyst": {
+ "description": "Name(s) of the analyst assigned to the case.",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "External references",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "analysis-start-date": {
+ "description": "Date when the analysis began.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An object template to describe a digital forensic case.",
+ "meta-category": "misc",
+ "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac",
+ "name": "forensic-case"
+}
diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json
index 9a129c3..1189994 100644
--- a/objects/geolocation/definition.json
+++ b/objects/geolocation/definition.json
@@ -41,7 +41,8 @@
 "altitude": {
 "description": "The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.",
 "ui-priority": 0,
- "misp-attribute": "float"
+ "misp-attribute": "float",
+ "disable_correlation": true
 },
 "address": {
 "description": "Address.",
@@ -63,6 +64,12 @@
 "misp-attribute": "text",
 "ui-priority": 1
 },
+ "accuracy-radius": {
+ "description": "The approximate accuracy radius, in kilometers, around the latitude and longitude for the geographical entity (country, subdivision, city or postal code) associated with the related object. (based on geoip2 accuracy of maxmind)",
+ "misp-attribute": "float",
+ "ui-priority": 1,
+ "disable_correlation": true
+ },
 "country": {
 "description": "Country.",
 "misp-attribute": "text",
@@ -71,7 +78,8 @@
 "epsg": {
 "description": "EPSG Geodetic Parameter value. This is an integer value of the EPSG.",
 "misp-attribute": "text",
- "ui-priority": 70
+ "ui-priority": 70,
+ "disable_correlation": true
 },
 "spacial-reference": {
 "description": "Default spacial or projection refence for this object.",
@@ -84,7 +92,7 @@
 ]
 }
 },
- "version": 3,
+ "version": 5,
 "description": "An object to describe a geographic location.",
 "meta-category": "misc",
 "uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3",
diff --git a/objects/ja3/definition.json b/objects/ja3/definition.json
index fb60f1c..6dcee9f 100644
--- a/objects/ja3/definition.json
+++ b/objects/ja3/definition.json
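Review bot: The template `uuid` shown as context in the `@@ -84,7 +92,7 @@` version-bump hunk, `fdd30d5f-6752-45ed-bef2-25e8ce4d8a3`, has only 11 hex characters in its last group, so it is not a well-formed UUID and consumers that validate template identifiers will presumably reject or mis-key this object; bumping the template to version 5 without fixing it leaves the defect in place. A correct 8-4-4-4-12 value is needed and cannot be inferred from this page, so it has to be assigned by the maintainers. The new `accuracy-radius` attribute is otherwise consistent with `altitude` (float, `disable_correlation: true`), and disabling correlation on `epsg` is sensible since that value is shared by every object using the same projection.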
@@ -2,43 +2,27 @@
 "name": "ja3",
 "meta-category": "network",
 "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
- "version": 2,
+ "version": 3,
 "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
 "attributes": {
 "ja3-fingerprint-md5": {
 "description": "Hash identifying source",
 "misp-attribute": "md5",
- "ui-priority": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
+ "ui-priority": 1
 },
 "description": {
 "description": "Type of detected software ie software, malware",
 "misp-attribute": "text",
- "ui-priority": 1,
- "categories": [
- "Network activity",
- "External analysis"
- ]
+ "ui-priority": 1
 },
 "ip-src": {
 "description": "Source IP Address",
 "misp-attribute": "ip-src",
- "categories": [
- "Network activity",
- "External analysis"
- ],
 "ui-priority": 1
 },
 "ip-dst": {
 "description": "Destination IP address",
 "misp-attribute": "ip-dst",
- "categories": [
- "Network activity",
- "External analysis"
- ],
 "ui-priority": 1
 },
 "first-seen": {
diff --git a/objects/paste/definition.json b/objects/paste/definition.json
index a7c31b0..09c5adf 100644
--- a/objects/paste/definition.json
+++ b/objects/paste/definition.json
@@ -19,7 +19,9 @@
 "codepad.org",
 "safebin.net",
 "hastebin.com",
- "ghostbin.com"
+ "ghostbin.com",
+ "paste.ee",
+ "0bin.net"
 ],
 "description": "Original source of the paste or post.",
 "ui-priority": 0,
@@ -39,7 +41,12 @@
 "url": {
 "misp-attribute": "url",
 "ui-priority": 0,
- "description": "Link to the original source of the paste or post."
+ "description": "Link to the original source of the paste or post (when used maliciously)."
+ },
+ "link": {
+ "misp-attribute": "link,",
+ "ui-priority": 0,
+ "description": "Link to the original source of the source or post (when used legitimately for OSINT source or alike)."
 },
 "last-seen": {
 "description": "When the paste has been accessible or seen for the last time.",
@@ -54,7 +61,7 @@
 "misp-attribute": "datetime"
 }
 },
- "version": 3,
+ "version": 4,
 "description": "Paste or similar post from a website allowing to share privately or publicly posts.",
 "meta-category": "misc",
 "uuid": "cedc055c-78aa-49a4-bfd7-4cc30cecef12",
diff --git a/objects/short-message-service/definition.json b/objects/short-message-service/definition.json
new file mode 100644
index 0000000..6ad1a92
--- /dev/null
+++ b/objects/short-message-service/definition.json
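Review bot: The new `link` attribute in the `@@ -39,7 +41,12 @@` hunk declares `"misp-attribute": "link,"` with a stray comma inside the string, so it names a MISP attribute type that does not exist and the template will presumably fail validation or be unusable for that attribute; it should read `"misp-attribute": "link",`. Its description also says "source of the source or post", which looks like a copy of the `url` text that should say "paste or post". Splitting a malicious `url` from a legitimate OSINT `link` is a sound distinction, since it keeps benign source references from being treated as indicators.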
@@ -0,0 +1,47 @@
+{
+ "requiredOneOf": [
+ "body",
+ "from"
+ ],
+ "attributes": {
+ "body": {
+ "description": "Message body of the SMS",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "url-rfc5724": {
+ "description": "url representing SMS using RFC 5724 (not url contained in the SMS which should use an url object)",
+ "ui-priority": 6,
+ "misp-attribute": "url"
+ },
+ "from": {
+ "description": "Phone number used to send the SMS",
+ "ui-priority": 1,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "to": {
+ "description": "Phone number receiving the SMS",
+ "ui-priority": 1,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "sent-date": {
+ "description": "Initial sent date of the SMS",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "received-date": {
+ "description": "Received date of the SMS",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.",
+ "meta-category": "misc",
+ "uuid": "4851a3dc-e1a6-43ac-9d97-f0d13a099fd2",
+ "name": "short-message-service"
+}
diff --git a/objects/threatgrid-report/definition.json b/objects/threatgrid-report/definition.json
new file mode 100644
index 0000000..e98da6b
--- /dev/null
+++ b/objects/threatgrid-report/definition.json
@@ -0,0 +1,79 @@
+{
+ "required": [
+ "threat_score"
+ ],
+ "attributes": {
+ "threat_score": {
+ "description": "threat_score",
+ "disable_correlation": true,
+ "categories": [
+ "External analysis"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "heuristic_raw_score": {
+ "description": "heuristic_raw_score",
+ "disable_correlation": true,
+ "categories": [
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "heuristic_score": {
+ "description": "heuristic_score",
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "analysis_submitted_at": {
+ "description": "Submission date",
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "original_filename": {
+ "description": "Original filename",
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "permalink": {
+ "description": "permalink",
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "id": {
+ "description": "ThreatGrid ID",
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "iocs": {
+ "description": "iocs",
+ "categories": [
+ "Other"
+ ],
+ "ui-priority": 0,
+ "multiple": true,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 6,
+ "description": "ThreatGrid report",
+ "meta-category": "misc",
+ "uuid": "23b3576b-2e68-4a86-a103-68820daef1d5",
+ "name": "threatgrid-report"
+}
diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json
new file mode 100644
index 0000000..cc302f0
--- /dev/null
+++ b/objects/vehicle/definition.json
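Review bot: `heuristic_score` in this new template lacks the `"disable_correlation": true` that `threat_score` and `heuristic_raw_score` carry, so a small numeric score stored as `text` will correlate across every unrelated report that happens to share the same value; the same flag should be added to it, and likely to `analysis_submitted_at` as well. The template starts at `"version": 6` while the other templates introduced in this commit (forensic-case, short-message-service, vehicle) start at 1; unless there is prior history not shown here it should be `"version": 1,`. `analysis_submitted_at` is typed `text` although the `datetime` type used by `short-message-service` in this same commit fits, and `permalink` could use `link` rather than `text` so it is not treated as an indicator. The attribute names use underscores (`threat_score`) whereas every other template on this page uses hyphenated names, and the `description` fields that merely repeat the attribute name (`"threat_score"`, `"iocs"`) give the analyst no information.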
@@ -0,0 +1,52 @@
+{
+ "requiredOneOf": [
+ "description",
+ "year",
+ "make",
+ "model",
+ "license-plate-number",
+ "vin"
+ ],
+ "attributes": {
+ "description": {
+ "description": "Description of the vehicle",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "year": {
+ "description": "Year of manufacturing of the vehicle",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "make": {
+ "description": "Manufacturer of the vehicle",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "model": {
+ "description": "Model of the vehicle",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "vin": {
+ "description": "Vehicle identification number (VIN)",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "license-plate-number": {
+ "description": "License plate number",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "Vehicle object template to describe a vehicle information and registration",
+ "meta-category": "misc",
+ "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4",
+ "name": "vehicle"
+}
diff --git a/relationships/definition.json b/relationships/definition.json
index 2e35d42..f91926f 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1,5 +1,5 @@
 {
- "version": 12,
+ "version": 13,
 "values": [
 {
 "name": "derived-from",
@@ -615,6 +615,13 @@
 "format": [
 "misp"
 ]
+ },
+ {
+ "name": "signed-by",
+ "description": "This relationship describes an object signed by another object.",
+ "format": [
+ "misp"
+ ]
 }
 ],
 "description": "Default type of relationships in MISP objects.",
diff --git a/tools/adoc_objects.py b/tools/adoc_objects.py
index de43cd2..c75e282 100755
--- a/tools/adoc_objects.py
+++ b/tools/adoc_objects.py
@@ -3,7 +3,7 @@
 #
 #
 # A simple converter of MISP objects to asciidoctor format
-# Copyright (C) 2017 Alexandre Dulaunoy
+# Copyright (C) 2017-2018 Alexandre Dulaunoy
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as
@@ -84,14 +84,18 @@ def asciidoc(content=False, adoc=None, t='title',title=''):
 #output = '\n{}\n'.format
 #output = '[cols=\",a\"]\n'
 output = output + '|===\n'
- output = output + '|Object attribute | MISP attribute type | Description | Disable correlation\n'
+ output = output + '|Object attribute | MISP attribute type | Description | Disable correlation | Multiple\n'
 adoc = adoc + output
 for v in content['attributes']:
 disableCorrelation = 'icon:minus[] '
 description = 'icon:minus[] '
+ multiple = 'icon:minus[] '
 if 'disable_correlation' in content['attributes'][v]:
 if content['attributes'][v]['disable_correlation']:
 disableCorrelation = 'icon:check[] '
+ if 'multiple' in content['attributes'][v]:
+ if content['attributes'][v]['multiple']:
+ multiple = 'icon:check[] '
 if 'description' in content['attributes'][v]:
 if content['attributes'][v]['description']:
 description = '{}'.format(content['attributes'][v]['description'])
@@ -101,7 +105,7 @@ def asciidoc(content=False, adoc=None, t='title',title=''):
 if 'sane_default' in content['attributes'][v]:
 values = content['attributes'][v]['sane_default']
 description = '{} {}'.format(content['attributes'][v]['description'],values)
- output = '\n| {} | {} a| {} a| {}\n'.format(v, content['attributes'][v]['misp-attribute'], description ,disableCorrelation)
+ output = '\n| {} | {} a| {} a| {} a| {}\n'.format(v, content['attributes'][v]['misp-attribute'], description ,disableCorrelation, multiple)
 adoc = adoc + output
 output = '\n|===\n'
 adoc = adoc + output
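Review bot: The new `multiple` detection in the `@@ -84,14 +84,18 @@` hunk repeats the two-level `in` / truthiness test already used for `disable_correlation`, and both collapse to a single lookup: `multiple = 'icon:check[] ' if content['attributes'][v].get('multiple') else 'icon:minus[] '`, which also makes the per-attribute default obvious at the point of use. The added header cell `| Multiple` and the fifth `a| {}` placeholder in the row format string in the `@@ -101,7 +105,7 @@` hunk are consistent with each other, so the table shape is correct. A `|` inside an attribute `description` would still break the asciidoctor row since the value is interpolated unescaped; that predates this change but the new column makes the row longer and the breakage harder to spot. The enclosing `asciidoc` function starts before these hunks.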