From 3f9aca8e27290cbb859427aeb228bba62adb71e0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 6 Feb 2020 11:03:33 +0100 Subject: [PATCH 01/23] chg: [email] ip-src added in the email object templated as requested by Norberto Chavez Ref: https://twitter.com/NORBERTOCHAVEZ/status/1225213457429127170 --- objects/email/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/email/definition.json b/objects/email/definition.json index fe3553e..d6d7142 100644 --- a/objects/email/definition.json +++ b/objects/email/definition.json @@ -3,7 +3,7 @@ "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "meta-category": "network", "description": "Email object describing an email with meta-information", - "version": 13, + "version": 14, "attributes": { "reply-to": { "description": "Email address the reply will be sent to", @@ -174,6 +174,12 @@ "ui-priority": 0, "disable_correlation": true }, + "ip-src": { + "description": "Source IP address of the email sender", + "misp-attribute": "ip-src", + "ui-priority": 0, + "multiple": true + }, "eml": { "description": "Full EML", "misp-attribute": "attachment", From c32c7f4155e96ed1dcd76e9734c1ce33af73a59d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 6 Feb 2020 11:36:13 +0100 Subject: [PATCH 02/23] chg: [sms] missing Cellebrite fields added --- objects/short-message-service/definition.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/objects/short-message-service/definition.json b/objects/short-message-service/definition.json index 6ad1a92..e065795 100644 --- a/objects/short-message-service/definition.json +++ b/objects/short-message-service/definition.json 
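Review bot: The new `ip-src` attribute's description does not say which IP it holds — the originating client, the first-hop MTA taken from the lowest `Received:` header, or an intermediate relay — and analysts correlating on it will mix those up, so a spoofable relay address ends up treated as the sender's origin. Suggest `"description": "Source IP address of the sending host as taken from the Received headers (may be a relay rather than the true origin)"`. The attribute also declares no `categories`, unlike the email attributes in the rest of the template that carry `"categories": ["Payload delivery"]`; if the template relies on the type default that is fine, otherwise `"Network activity"` would be the natural choice — hedged, since the rest of the attributes block is outside the hunk.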
@@ -37,9 +37,19 @@
 "ui-priority": 0,
 "misp-attribute": "datetime",
 "disable_correlation": true
+ },
+ "smsc": {
+ "description": "SMS Message Center",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "name": {
+ "description": "Sender name",
+ "ui-priority": 0,
+ "misp-attribute": "text"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.",
 "meta-category": "misc",
 "uuid": "4851a3dc-e1a6-43ac-9d97-f0d13a099fd2",
From 371788589cfca236da8984e1c2f4d2a23006e828 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 6 Feb 2020 11:55:27 +0100 Subject: [PATCH 03/23] chg: [rtir] disable correlation on incident state --- objects/rtir/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/rtir/definition.json b/objects/rtir/definition.json
index 900bd59..c705b47 100644
--- a/objects/rtir/definition.json
+++ b/objects/rtir/definition.json
@@ -47,7 +47,8 @@
 "resolved",
 "rejected",
 "deleted"
- ]
+ ],
+ "disable_correlation": true
 },
 "ticket-number": {
 "description": "ticket-number of the RTIR ticket",
@@ -55,7 +56,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 1,
+ "version": 2,
 "description": "RTIR - Request Tracker for Incident Response",
 "meta-category": "misc",
 "uuid": "7534ee19-0a1f-4f46-a197-e6e73e457943",
From 3ba77c9d2cfea5c27bc8935812d83be54c4f0fd4 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 6 Feb 2020 12:06:26 +0100 Subject: [PATCH 04/23] chg: [sms] the SMS center is a phone number --- objects/short-message-service/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/short-message-service/definition.json b/objects/short-message-service/definition.json
index e065795..1475aa3 100644
--- a/objects/short-message-service/definition.json
+++ b/objects/short-message-service/definition.json
@@ -41,7 +41,7 @@
 "smsc": {
 "description": "SMS Message Center",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "phone-number"
 },
 "name": {
 "description": "Sender name",
@@ -49,7 +49,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 2,
+ "version": 3,
 "description": "Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.",
 "meta-category": "misc",
 "uuid": "4851a3dc-e1a6-43ac-9d97-f0d13a099fd2",
From 1a40095f1ad58a515740038eee797d692d1cc8f5 Mon Sep 17 00:00:00 2001 From: VVX7 Date: Sun, 9 Feb 2020 11:39:36 -0500 Subject: [PATCH 05/23] new: [objects] add instant-message object. add instant-message-group object. --- objects/instant-message-group/definition.json | 80 +++++++++++++ objects/instant-message/definition.json | 113 ++++++++++++++++++ 2 files changed, 193 insertions(+) create mode 100644 objects/instant-message-group/definition.json create mode 100644 objects/instant-message/definition.json
diff --git a/objects/instant-message-group/definition.json b/objects/instant-message-group/definition.json
new file mode 100644
index 0000000..6232afb
--- /dev/null
+++ b/objects/instant-message-group/definition.json
@@ -0,0 +1,80 @@ +{ + "requiredOneOf": [ + "group-name", + "group-alias", + "archive", + "attachment" + ], + "attributes": { + "group-name": { + "description": "The name of the group, channel or community.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "group-alias": { + "description": "Aliases of group, channel or community.", + "ui-priority": 1, + "multiple": true, + "misp-attribute": "text" + }, + "app-used": { + "description": "The IM application used to send the message.", + "ui-priority": 1, + "misp-attribute": "text", + "disable_correlation": true, + "multiple": true, + "sane_default": [ + "WhatsApp", + "Google Hangouts", + "Facebook Messenger", + "Telegram", + "Signal", + "WeChat", + "BlackBerry Messenger", + "TeamSpeak", + "TorChat", + "RetroShare", + "Slack" + ] + }, + "username": { + "description": "A user account who is a member of the group.", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "person-name": { + "description": "A person who is a member of the group.", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "url": { + "description": "Original URL location of the group (potentially malicious).", + "ui-priority": 1, + "misp-attribute": "url" + }, + "link": { + "description": "Original link into the group (Supposed harmless).", + "ui-priority": 1, + "misp-attribute": "link" + }, + "archive": { + "description": "Archive of the original group (Internet Archive, Archive.is, etc).", + "ui-priority": 1, + "multiple": true, + "misp-attribute": "link" + }, + "attachment": { + "description": "A screen capture or exported list of contacts, group members, etc.", + "ui-priority": 1, + "multiple": true, + "misp-attribute": "attachment" + } + }, + "version": 1, + "description": "Instant Message (IM) group object template describing a public or private IM group, channel or conversation.", + "meta-category": "misc", + "uuid": "e26becca-2149-4bc0-b3fb-7090d43af28f", + "name": "instant-message-group" +} 
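Review bot: `username` and `person-name` are correlating `text` attributes, so a common display name shared by unrelated groups will link events that have nothing to do with each other; `"disable_correlation": true` on `person-name` (and arguably `username`, unless usernames are platform-unique) keeps correlation on the identifiers that actually discriminate (`group-name`, `url`, `archive`). `app-used` carries `"multiple": true` here while the same attribute in the sibling instant-message template added by this commit does not; the two templates should agree. The `link` description `(Supposed harmless)` reads oddly beside `url`'s `(potentially malicious)`; `"Original link into the group (assumed benign)"` says the same thing more clearly.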
diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json
new file mode 100644
index 0000000..ecddaa2
--- /dev/null
+++ b/objects/instant-message/definition.json
@@ -0,0 +1,113 @@ +{ + "requiredOneOf": [ + "body", + "from", + "from-user" + ], + "attributes": { + "body": { + "description": "Message body of the IM.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "from-number": { + "description": "Phone number used to send the message.", + "ui-priority": 1, + "misp-attribute": "phone-number", + "multiple": true + }, + "to-number": { + "description": "Phone number receiving the message.", + "ui-priority": 1, + "misp-attribute": "phone-number", + "multiple": true + }, + "from-user": { + "description": "User account that sent the message.", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "to-user": { + "description": "User account that received the message.", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "from-name": { + "description": "Name of the person that sent the message.", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "to-name": { + "description": "Name of the person that received the message.", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "subject": { + "description": "Subject of the message if any.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "app-used": { + "description": "The IM application used to send the message.", + "ui-priority": 1, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "WhatsApp", + "Google Hangouts", + "Facebook Messenger", + "Telegram", + "Signal", + "WeChat", + "BlackBerry Messenger", + "TeamSpeak", + "TorChat", + "RetroShare", + "Slack" + ] + }, + "url": { + "description": "Original URL location of the message (potentially malicious).", + "ui-priority": 1, + "misp-attribute": "url" + }, + "link": { + "description": "Original link into the message (Supposed harmless).", + "ui-priority": 1, + "misp-attribute": "link" + }, + "archive": { + "description": "Archive of the original message (Internet Archive, Archive.is, etc).", + "ui-priority": 
1, + "multiple": true, + "misp-attribute": "link" + }, + "attachment": { + "description": "The message file or screen capture.", + "ui-priority": 1, + "multiple": true, + "misp-attribute": "attachment" + }, + "sent-date": { + "description": "Initial sent date of the message.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "received-date": { + "description": "Received date of the message.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + } + }, + "version": 1, + "description": "Instant Message (IM) object template describing one or more IM message.", + "meta-category": "misc", + "uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc", + "name": "instant-message" +} From f43c2c2c6e41d8e8f82a1616958561487f3d6a15 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 10 Feb 2020 11:15:17 +0100 Subject: [PATCH 06/23] chg: [relationships] 'knows' relationship added Request: via Twitter DM message --- relationships/definition.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index fae3795..763274f 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1,5 +1,5 @@ { - "version": 17, + "version": 18, "values": [ { "name": "derived-from", @@ -991,6 +991,13 @@ "format": [ "misp" ] + }, + { + "name": "knows", + "description": "Represents an object having the knowledge of another object.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", From 2738648e813b8b5a3a155ce58389682de1abddf8 Mon Sep 17 00:00:00 2001 
From: ater49 Date: Mon, 10 Feb 2020 14:59:35 +0100 Subject: [PATCH 07/23] Adding some parts from HAR format description (http://www.softwareishard.com/blog/har-12-spec/) (More to come) --- objects/cookie/definition.json | 26 +++++++++++++++++++++++++- objects/http-request/definition.json | 14 ++++++++++++-- 2 files changed, 37 insertions(+), 3 deletions(-) diff --git a/objects/cookie/definition.json b/objects/cookie/definition.json index dab118f..450e605 100644 --- a/objects/cookie/definition.json +++ b/objects/cookie/definition.json @@ -18,6 +18,30 @@ "ui-priority": 0, "misp-attribute": "text" }, + "path": { + "description": "Path defined in the cookie", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "expires": { + "description": "Expiration date/time of the cookie", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "datetime" + }, + "http-only": { + "description": "True if send only through HTTP", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "boolean" + }, + "secure": { + "description": "True if cookie is sent over TLS", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "boolean" + }, "text": { "description": "A description of the cookie.", "disable_correlation": true, @@ -38,7 +62,7 @@ "misp-attribute": "text" } }, - "version": 2, + "version": 3, "description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.", "meta-category": "network", "uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8", 
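Review bot: The `http-only` description `"True if send only through HTTP"` misstates the flag — HttpOnly withholds the cookie from client-side script (`document.cookie`) and says nothing about the transport, so an analyst reading this would record the wrong property; suggest `"description": "True if the cookie carries the HttpOnly flag (not exposed to client-side script)"`. For symmetry `secure` could read `"True if the cookie carries the Secure flag (only sent over TLS)"`. HAR 1.2, which the commit message cites, also carries a `domain` field for each cookie; if the cookie template does not already define it outside this hunk, it is the remaining attribute worth importing alongside `path`.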
diff --git a/objects/http-request/definition.json b/objects/http-request/definition.json
index 04c4e6e..32c119d 100644
--- a/objects/http-request/definition.json
+++ b/objects/http-request/definition.json
@@ -40,7 +40,17 @@
 ],
 "description": "An HTTP cookie previously sent by the server with Set-Cookie",
 "ui-priority": 1,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "header": {
+ "categories": [
+ "Network activity"
+ ],
+ "description": "An HTTP header sent during HTTP request",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
 },
 "host": {
 "categories": [
@@ -120,7 +130,7 @@
 "misp-attribute": "user-agent"
 }
 },
- "version": 3,
+ "version": 4,
 "description": "A single HTTP request header",
 "meta-category": "network",
 "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",
From 6380007b10f7f2b146aca8a6e105b7df49a3db62 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Thu, 13 Feb 2020 12:28:47 +0100 Subject: [PATCH 08/23] allow several subjects or sender for email objects --- objects/email/definition.json | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index d6d7142..99122f4 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -57,7 +57,8 @@
 "ui-priority": 1,
 "categories": [
 "Payload delivery"
- ]
+ ],
+ "multiple": true
 },
 "screenshot": {
 "description": "Screenshot of email",
@@ -141,7 +142,8 @@
 "ui-priority": 1,
 "categories": [
 "Payload delivery"
- ]
+ ],
+ "multiple": true
 },
 "return-path": {
 "description": "Message return path",
@@ -157,7 +159,8 @@
 "ui-priority": 1,
 "categories": [
 "Payload delivery"
- ]
+ ],
+ "multiple": true
 },
 "email-body": {
 "description": "Body of the email",
From fdc24a8df893e135ebf677345aba871ea75fd347 Mon Sep 17 00:00:00 2001
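Review bot: `header` is a correlating free-text attribute holding whole header lines, so ubiquitous values such as `Accept: */*` or `Connection: keep-alive` will correlate every http-request object on the instance and bury the useful links; add `"disable_correlation": true` to `header` and leave correlation on the discriminating attributes (`host`, `user-agent`, `url`). The description should also fix the serialization, since HAR gives headers as name/value pairs and each producer will otherwise pick its own form: `"description": "An HTTP request header as a single 'Name: value' line"`. The `attributes` block this is inserted into extends beyond the hunk.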
From: Deborah Servili Date: Thu, 13 Feb 2020 12:30:08 +0100 Subject: [PATCH 09/23] update version --- objects/email/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/email/definition.json b/objects/email/definition.json index 99122f4..f984e0a 100644 --- a/objects/email/definition.json +++ b/objects/email/definition.json @@ -3,7 +3,7 @@ "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "meta-category": "network", "description": "Email object describing an email with meta-information", - "version": 14, + "version": 15, "attributes": { "reply-to": { "description": "Email address the reply will be sent to", From 5c46a3aad422ee3a64c884e4359846cb003e7320 Mon Sep 17 00:00:00 2001 From: Terrtia Date: Fri, 14 Feb 2020 17:08:37 +0100 Subject: [PATCH 10/23] chg: add domain crawled object --- objects/crawled/definition.json | 39 +++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 objects/crawled/definition.json diff --git a/objects/crawled/definition.json b/objects/crawled/definition.json new file mode 100644 index 0000000..9d255d0 --- /dev/null +++ b/objects/crawled/definition.json @@ -0,0 +1,39 @@ +{ + "required": [ + "domain" + ], + "attributes": { + "text": { + "description": "A description of the tuple", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false + }, + "domain": { + "description": "Domain name", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "domain", + "multiple": true + }, + "url": { + "description": "domain url", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "url", + "multiple": true + } + }, + "version": 1, + "description": "A domain crawled over time", + "meta-category": "network", + "uuid": "bad4888d-c44e-4612-b08f-3d97c1e0014a", + "name": "crawled" +} 
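Review bot: The `text` attribute description `"A description of the tuple"` is carried over from another template and does not fit a crawled domain; `"description": "A description of the crawled domain"` matches this object. The `url` description `"domain url"` is equally thin — `"URL crawled on this domain"` says what the multiple values are and why they are `Network activity`/`External analysis`.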
From 42df9d2e2f14543e297e9c041ad41d63edb2e707 Mon Sep 17 00:00:00 2001 From: Terrtia Date: Fri, 14 Feb 2020 17:11:42 +0100 Subject: [PATCH 11/23] chg: [crawled domain] rename object --- objects/{crawled => domain-crawled}/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename objects/{crawled => domain-crawled}/definition.json (96%)
diff --git a/objects/crawled/definition.json b/objects/domain-crawled/definition.json
similarity index 96%
rename from objects/crawled/definition.json
rename to objects/domain-crawled/definition.json
index 9d255d0..9118600 100644
--- a/objects/crawled/definition.json
+++ b/objects/domain-crawled/definition.json
@@ -35,5 +35,5 @@
 "description": "A domain crawled over time",
 "meta-category": "network",
 "uuid": "bad4888d-c44e-4612-b08f-3d97c1e0014a",
- "name": "crawled"
+ "name": "domain-crawled"
 }
From 1d0065e85255d6ebff5dd753d7e7ff3dfdd033a7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 17 Feb 2020 07:46:58 +0100 Subject: [PATCH 12/23] new: [iot] a first version of the IoT object Ref: based on the workshop discussion in https://github.com/C00kie-/workshop-materials The idea is to have this root object when a new IoT device is documented and further objects will be connected such as firmware or even file object --- objects/iot-device/definition.json | 129 +++++++++++++++++++++++++++++ 1 file changed, 129 insertions(+) create mode 100644 objects/iot-device/definition.json
diff --git a/objects/iot-device/definition.json b/objects/iot-device/definition.json
new file mode 100644
index 0000000..9a20484
--- /dev/null
+++ b/objects/iot-device/definition.json
@@ -0,0 +1,129 @@ +{ + "requiredOneOf": [ + "model", + "vendor", + "architecture", + "boot-log", + "picture-pcb", + "picture-device" + ], + "attributes": { + "picture-pcb": { + "description": "Picture of the IoT device PCB", + "ui-priority": 10, + "misp-attribute": "attachment", + "multiple": true + }, + "picture-device": { + "description": "Picture of the IoT device", + "ui-priority": 10, + "misp-attribute": "attachment", + "multiple": true + }, + "fcc-id": { + "description": "FCC-ID of the IoT device", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "boot-log": { + "description": "Boot log of the IoT device", + "ui-priority": 10, + "misp-attribute": "attachment", + "multiple": true + }, + "platform": { + "description": "Platform of of the IoT device", + "ui-priority": 10, + "misp-attribute": "text", + "sane_default": [ + "mach-aspeed", + "mach-at91", + "mach-bcm283x", + "mach-bcmstb", + "mach-cortina", + "mach-davinci", + "mach-exynos", + "mach-highbank", + "mach-imx", + "mach-integrator", + "mach-k3", + "mach-keystone", + "mach-kirkwood", + "mach-mediatek", + "mach-meson", + "mach-mvebu", + "mach-omap2", + "mach-orion5x", + "mach-owl", + "mach-qemu", + "mach-rmobile", + "mach-rockchip", + "mach-s5pc1xx", + "mach-snapdragon", + "mach-socfpga", + "mach-sti", + "mach-stm32", + "mach-stm32mp", + "mach-sunxi", + "mach-tegra", + "mach-u8500", + "mach-uniphier", + "mach-versal", + "mach-versatile", + "mach-zynq", + "mach-zynqmp", + "mach-zynqmp-r5", + "mcf5227x", + "mcf523x", + "mcf52x2", + "mcf530x", + "mcf532x", + "mcf5445x", + "mcf547x_8x", + "mach-ath79", + "mach-bmips", + "mach-jz47xx", + "mach-mscc", + "mach-mtmips", + "mach-pic32" + ] + }, + "architecture": { + "description": "architecture of the IoT device", + "ui-priority": 1, + "misp-attribute": "text", + "sane_default": [ + "ARC", + "ARM", + "M68000", + "MicroBlaze", + "MIPS", + "NSD32", + "Nios II", + "PowerPC", + "RISC-V", + "Sandbox", + "SH", + "x86", + "Xtensa" + ] + }, + 
"model": { + "description": "Model of the IoT device", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "vendor": { + "description": "Vendor of the IoT device", + "ui-priority": 1, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "An IoT device.", + "meta-category": "iot", + "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", + "name": "iot-device" +} From e45c2df33adf9e6e20b75971812d6eb0e42f5654 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 17 Feb 2020 08:28:58 +0100 Subject: [PATCH 13/23] chg: [schema] iot category added --- schema_objects.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/schema_objects.json b/schema_objects.json index 91d1d47..98da752 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -260,7 +260,8 @@ "misc", "internal", "vulnerability", - "climate" + "climate", + "iot" ], "type": "string" }, From cf30efabc6c3940dfe1c21cbef07e9bba9f9c946 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 17 Feb 2020 08:33:51 +0100 Subject: [PATCH 14/23] chg: [iot] because reusing UUID is bad --- objects/iot-device/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/iot-device/definition.json b/objects/iot-device/definition.json index 9a20484..1a9e9bd 100644 --- a/objects/iot-device/definition.json +++ b/objects/iot-device/definition.json @@ -124,6 +124,6 @@ "version": 1, "description": "An IoT device.", "meta-category": "iot", - "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", + "uuid": "3de3b92a-859b-431b-9c4f-1a81de1d9637", "name": "iot-device" } From 83073d8c65ba735208a64af13097be8ac07317db Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 17 Feb 2020 08:55:47 +0100 Subject: [PATCH 15/23] chg: [iot] add SPI, Serial and JTAG status --- objects/iot-device/definition.json | 38 +++++++++++++++++++++++++++++- 1 file changed, 37 insertions(+), 1 deletion(-) 
diff --git a/objects/iot-device/definition.json b/objects/iot-device/definition.json
index 1a9e9bd..defd997 100644
--- a/objects/iot-device/definition.json
+++ b/objects/iot-device/definition.json
@@ -119,9 +119,45 @@
 "description": "Vendor of the IoT device",
 "ui-priority": 1,
 "misp-attribute": "text"
+ },
+ "spi-interface": {
+ "description": "SPI interface of the IoT device",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "Yes",
+ "No",
+ "Unknown",
+ "Disabled"
+ ]
+ },
+ "serial-interface": {
+ "description": "Serial interface of the IoT device",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "Yes",
+ "No",
+ "Unknown",
+ "Disabled"
+ ]
+ },
+ "jtag-interface": {
+ "description": "JTAG interface of the IoT device",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "Yes",
+ "No",
+ "Unknown",
+ "Disabled"
+ ]
 }
 },
- "version": 1,
+ "version": 2,
 "description": "An IoT device.",
 "meta-category": "iot",
 "uuid": "3de3b92a-859b-431b-9c4f-1a81de1d9637",
From 566612302f2f17aaf0e4b67ee7502dcd00678965 Mon Sep 17 00:00:00 2001 From: Terrtia Date: Mon, 17 Feb 2020 10:00:21 +0100 Subject: [PATCH 16/23] chg: [domain-crawled] domain shouldn't be a multiple --- objects/domain-crawled/definition.json | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/objects/domain-crawled/definition.json b/objects/domain-crawled/definition.json
index 9118600..4c89e6e 100644
--- a/objects/domain-crawled/definition.json
+++ b/objects/domain-crawled/definition.json
@@ -17,8 +17,7 @@
 "External analysis"
 ],
 "ui-priority": 1,
- "misp-attribute": "domain",
- "multiple": true
+ "misp-attribute": "domain"
 },
 "url": {
 "description": "domain url",
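Review bot: The `spi-interface`/`serial-interface`/`jtag-interface` values `Yes`/`No`/`Unknown`/`Disabled` conflate whether the debug interface exists on the board with whether it is usable, and `Disabled` versus `No` will be recorded differently by different analysts, which matters because an exposed JTAG or UART is exactly the finding a hardware assessment needs to be unambiguous about; the descriptions should fix the semantics, e.g. `"description": "Whether a JTAG interface is present and accessible on the IoT device (Yes, No, Unknown, Disabled = present but fused/locked)"`, and likewise for SPI and serial. If the set is meant to be closed, `values_list` rather than `sane_default` keeps free-text variants such as `yes`/`true` out of a field that is deliberately non-correlating.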
@@ -31,7 +30,7 @@
 "multiple": true
 }
 },
- "version": 1,
+ "version": 2,
 "description": "A domain crawled over time",
 "meta-category": "network",
 "uuid": "bad4888d-c44e-4612-b08f-3d97c1e0014a",
From 36ae20bf02e1643f2fb2a7426017b0821ababab3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 17 Feb 2020 14:27:05 +0100 Subject: [PATCH 17/23] chg: [pe] imphash and impfuzzy can be as key attribute --- objects/pe/definition.json | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/objects/pe/definition.json b/objects/pe/definition.json
index 1188c48..5b0c0e4 100644
--- a/objects/pe/definition.json
+++ b/objects/pe/definition.json
@@ -4,7 +4,9 @@
 "type",
 "original-filename",
 "internal-filename",
- "entrypoint-address"
+ "entrypoint-address",
+ "imphash",
+ "impfuzzy"
 ],
 "attributes": {
 "pehash": {
@@ -119,7 +121,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 4,
+ "version": 5,
 "description": "Object describing a Portable Executable",
 "meta-category": "file",
 "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
From 8fa25f4f4705c566fcdf10e354af5b7f234be33d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 17 Feb 2020 14:29:30 +0100 Subject: [PATCH 18/23] chg: [file] imphash removed as it should be at PE level --- objects/file/definition.json | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index 937d407..07897ae 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -441,18 +441,13 @@
 "windows-874"
 ]
 },
- "imphash": {
- "description": "Hash (md5) calculated from the import table",
- "ui-priority": 0,
- "misp-attribute": "imphash"
- },
 "compilation-timestamp": {
 "description": "Compilation timestamp",
 "ui-priority": 0,
 "misp-attribute": "datetime"
 }
 },
- "version": 19,
+ "version": 20,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
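Review bot: `imphash` and `impfuzzy` are added to the pe template's `requiredOneOf`, but the hunk does not show either being defined under `attributes`, and the diffstat (4 insertions, 2 deletions) confirms nothing else was added; if the template does not already declare both — `impfuzzy` in particular — `requiredOneOf` will name an attribute that can never be supplied, the same class of mismatch the `vulnerable-configuration` fix later in this series corrects. Please confirm both keys exist in the `attributes` block outside the hunk.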
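Review bot: Dropping `imphash` from the file template outright, rather than first marking it `"recommended": false` with a description pointing at the pe object, breaks producers that still emit it on file objects: existing events keep their older template version, but any tool populating file objects from PE metadata will now fail validation against version 20 on an unknown attribute. A one-version deprecation window would let those generators move the hash to the pe object first; hedged, since I cannot see which generators reference it.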
From 6ed76f49481e22b880744cf39f361f4ef51f32e5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 17 Feb 2020 15:07:49 +0100 Subject: [PATCH 19/23] add: [iot-firmware] new object template to describe IoT firmware The relationship will be often between iot-device and iot-firmware. Ref: https://github.com/C00kie-/workshop-materials --- objects/iot-firmware/definition.json | 99 ++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 objects/iot-firmware/definition.json
diff --git a/objects/iot-firmware/definition.json b/objects/iot-firmware/definition.json
new file mode 100644
index 0000000..4ba6e67
--- /dev/null
+++ b/objects/iot-firmware/definition.json
@@ -0,0 +1,99 @@ +{ + "requiredOneOf": [ + "firmware", + "filename", + "binwalk-output" + ], + "attributes": { + "firmware": { + "description": "Firmware of the IoT device", + "ui-priority": 10, + "misp-attribute": "attachment", + "multiple": true + }, + "version": { + "description": "Version of the firmware", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "filename": { + "description": "Filename of the firmware", + "ui-priority": 10, + "misp-attribute": "text" + }, + "boot-log": { + "description": "Boot log of the IoT device for this firmware", + "ui-priority": 10, + "misp-attribute": "attachment", + "multiple": true + }, + "binwalk-output": { + "description": "Binwalk output of the firmware image", + "ui-priority": 10, + "misp-attribute": "attachment" + }, + "format": { + "description": "Format of the firmware", + "ui-priority": 10, + "misp-attribute": "text", + "sane_default": [ + "raw", + "Intel hex", + "Motorola S-Record", + "Unknown" + ] + }, + "md5": { + "description": "[Insecure] MD5 hash (128 bits)", + "ui-priority": 1, + "misp-attribute": "md5", + "recommended": false + }, + "sha1": { + "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)", + "ui-priority": 1, + "misp-attribute": "sha1", + "recommended": false + }, + "sha224": { + "description": "Secure Hash Algorithm 2 (224 bits)", + "ui-priority": 0, + "misp-attribute": "sha224", + "recommended": false + }, + "sha256": { + "description": "Secure Hash Algorithm 2 (256 bits)", + "ui-priority": 1, + "misp-attribute": "sha256" + }, + "sha384": { + "description": "Secure Hash Algorithm 2 (384 bits)", + "ui-priority": 0, + "misp-attribute": "sha384", + "recommended": false + }, + "sha512": { + "description": "Secure Hash Algorithm 2 (512 bits)", + "ui-priority": 1, + "misp-attribute": "sha512" + }, + "size-in-bytes": { + "description": "Size of the file, in bytes", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "size-in-bytes" + }, + 
"binwalk-entropy-graph": { + "description": "Entropy graph of the firmware", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "attachment" + } + }, + "version": 1, + "description": "A firmware for an IoT device.", + "meta-category": "iot", + "uuid": "8bafb8fc-d986-4a58-b22b-6b8c7c0e8b70", + "name": "iot-firmware" +} From 8de8d85979e3ecf3c426c660f58400a48695e42e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 17 Feb 2020 23:12:09 +0100 Subject: [PATCH 20/23] chg: [iot-device] reference added --- objects/iot-device/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/iot-device/definition.json b/objects/iot-device/definition.json index defd997..0aac22f 100644 --- a/objects/iot-device/definition.json +++ b/objects/iot-device/definition.json @@ -120,6 +120,12 @@ "ui-priority": 1, "misp-attribute": "text" }, + "reference": { + "description": "Reference of the IoT device", + "ui-priority": 1, + "misp-attribute": "link", + "multiple": true + }, "spi-interface": { "description": "SPI interface of the IoT device", "ui-priority": 1, @@ -157,7 +163,7 @@ ] } }, - "version": 2, + "version": 3, "description": "An IoT device.", "meta-category": "iot", "uuid": "3de3b92a-859b-431b-9c4f-1a81de1d9637", From d110657604615be05759b290f106677c3c8db1c9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 25 Feb 2020 10:53:17 +0100 Subject: [PATCH 21/23] chg: [vulnerability] remove underscore from the object --- objects/vulnerability/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json index bc5513e..0849928 100644 --- a/objects/vulnerability/definition.json +++ b/objects/vulnerability/definition.json 
@@ -25,7 +25,7 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
- "vulnerable_configuration": {
+ "vulnerable-configuration": {
 "description": "The vulnerable configuration is described in CPE format",
 "multiple": true,
 "ui-priority": 0,
@@ -90,7 +90,7 @@
 "multiple": true
 }
 },
- "version": 5,
+ "version": 6,
 "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.",
 "meta-category": "vulnerability",
 "uuid": "81650945-f186-437b-8945-9f31715d32da",
From d9226e0f5a535e253e1b7b5c3dc7b30441f819f4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Wed, 26 Feb 2020 14:49:59 +0100 Subject: [PATCH 22/23] fix: Typo in requiredOneOf --- objects/vulnerability/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json
index 0849928..d381ffd 100644
--- a/objects/vulnerability/definition.json
+++ b/objects/vulnerability/definition.json
@@ -3,7 +3,7 @@
 "published",
 "modified",
 "references",
- "vulnerable_configuration",
+ "vulnerable-configuration",
 "summary",
 "description",
 "id"
From 2f2315d4e23e7f66ea0faf1da02d4a7a4214ab1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Wed, 26 Feb 2020 14:52:06 +0100 Subject: [PATCH 23/23] fix: Typo in requiredOneOf --- objects/instant-message/definition.json | 1 - 1 file changed, 1 deletion(-)
diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json
index ecddaa2..802b0a8 100644
--- a/objects/instant-message/definition.json
+++ b/objects/instant-message/definition.json
@@ -1,7 +1,6 @@
 {
 "requiredOneOf": [
 "body",
- "from",
 "from-user"
 ],
 "attributes": {
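Review bot: Renaming the key `vulnerable_configuration` to `vulnerable-configuration` changes the attribute's object relation, so any producer still emitting the underscore form (a CVE enrichment feeding this template, for instance) will stop matching template version 6 while objects built from version 5 keep the old name; the `"version": 6` bump is right, but the commit message should name the rename so consumers can migrate rather than discover it as a validation failure. Hedged, since I cannot see which generators reference the old relation name.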