Merge branch 'master' of github.com:MISP/misp-objects

pull/235/head
Raphaël Vinot 2020-02-27 10:50:58 +01:00
commit ef0c95bc9b
15 changed files with 582 additions and 23 deletions


@ -18,6 +18,30 @@
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "text" "misp-attribute": "text"
}, },
"path": {
"description": "Path defined in the cookie",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"expires": {
"description": "Expiration date/time of the cookie",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "datetime"
},
"http-only": {
"description": "True if send only through HTTP",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "boolean"
},
"secure": {
"description": "True if cookie is sent over TLS",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "boolean"
},
"text": { "text": {
"description": "A description of the cookie.", "description": "A description of the cookie.",
"disable_correlation": true, "disable_correlation": true,
@ -38,7 +62,7 @@
"misp-attribute": "text" "misp-attribute": "text"
} }
}, },
"version": 2, "version": 3,
"description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.", "description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.",
"meta-category": "network", "meta-category": "network",
"uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8", "uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8",
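Review bot: The `http-only` description, "True if send only through HTTP", misstates the flag: HttpOnly hides the cookie from client-side script, it does not restrict the transport. I would write `"description": "True if the cookie has the HttpOnly flag (not readable by client-side scripts)"`. For `secure`, `"description": "True if the cookie has the Secure flag (only sent over HTTPS)"` would make clear that the attribute records the flag rather than how one particular transfer happened. Analysts reading a shared cookie object to judge session-theft exposure rely on these two flags being recorded unambiguously.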


@ -0,0 +1,38 @@
{
"required": [
"domain"
],
"attributes": {
"text": {
"description": "A description of the tuple",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"domain": {
"description": "Domain name",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain"
},
"url": {
"description": "domain url",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "url",
"multiple": true
}
},
"version": 2,
"description": "A domain crawled over time",
"meta-category": "network",
"uuid": "bad4888d-c44e-4612-b08f-3d97c1e0014a",
"name": "domain-crawled"
}
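Review bot: The `text` description, "A description of the tuple", does not match this object, which describes a crawled domain rather than a tuple; it looks carried over from another template. I would change it to `"description": "A description of the crawled domain"`. The `url` description "domain url" is also too terse to tell a contributor which URLs belong here, for example `"description": "URL crawled on the domain"` if that is the intent.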


@ -3,7 +3,7 @@
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"meta-category": "network", "meta-category": "network",
"description": "Email object describing an email with meta-information", "description": "Email object describing an email with meta-information",
"version": 13, "version": 15,
"attributes": { "attributes": {
"reply-to": { "reply-to": {
"description": "Email address the reply will be sent to", "description": "Email address the reply will be sent to",
@ -57,7 +57,8 @@
"ui-priority": 1, "ui-priority": 1,
"categories": [ "categories": [
"Payload delivery" "Payload delivery"
] ],
"multiple": true
}, },
"screenshot": { "screenshot": {
"description": "Screenshot of email", "description": "Screenshot of email",
@ -141,7 +142,8 @@
"ui-priority": 1, "ui-priority": 1,
"categories": [ "categories": [
"Payload delivery" "Payload delivery"
] ],
"multiple": true
}, },
"return-path": { "return-path": {
"description": "Message return path", "description": "Message return path",
@ -157,7 +159,8 @@
"ui-priority": 1, "ui-priority": 1,
"categories": [ "categories": [
"Payload delivery" "Payload delivery"
] ],
"multiple": true
}, },
"email-body": { "email-body": {
"description": "Body of the email", "description": "Body of the email",
@ -174,6 +177,12 @@
"ui-priority": 0, "ui-priority": 0,
"disable_correlation": true "disable_correlation": true
}, },
"ip-src": {
"description": "Source IP address of the email sender",
"misp-attribute": "ip-src",
"ui-priority": 0,
"multiple": true
},
"eml": { "eml": {
"description": "Full EML", "description": "Full EML",
"misp-attribute": "attachment", "misp-attribute": "attachment",
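Review bot: The new `ip-src` description in the last hunk does not say where the address is taken from, and for email that decides how far it can be trusted, because `Received` lines below the first trusted relay are supplied by the sender. The attribute correlates (no `disable_correlation`) and is `multiple`, so forged hops could end up linking unrelated events. I would tighten the text, for example `"description": "Source IP address of the email sender, as recorded by a trusted receiving relay"`. It also has no `categories` list, unlike the attributes in the earlier hunks; presumably the type default applies, which is worth confirming.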


@ -441,18 +441,13 @@
"windows-874" "windows-874"
] ]
}, },
"imphash": {
"description": "Hash (md5) calculated from the import table",
"ui-priority": 0,
"misp-attribute": "imphash"
},
"compilation-timestamp": { "compilation-timestamp": {
"description": "Compilation timestamp", "description": "Compilation timestamp",
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "datetime" "misp-attribute": "datetime"
} }
}, },
"version": 19, "version": 20,
"description": "File object describing a file with meta-information", "description": "File object describing a file with meta-information",
"meta-category": "file", "meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",


@ -40,7 +40,17 @@
], ],
"description": "An HTTP cookie previously sent by the server with Set-Cookie", "description": "An HTTP cookie previously sent by the server with Set-Cookie",
"ui-priority": 1, "ui-priority": 1,
"misp-attribute": "text" "misp-attribute": "text",
"multiple": true
},
"header": {
"categories": [
"Network activity"
],
"description": "An HTTP header sent during HTTP request",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
}, },
"host": { "host": {
"categories": [ "categories": [
@ -120,7 +130,7 @@
"misp-attribute": "user-agent" "misp-attribute": "user-agent"
} }
}, },
"version": 3, "version": 4,
"description": "A single HTTP request header", "description": "A single HTTP request header",
"meta-category": "network", "meta-category": "network",
"uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b", "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",
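Review bot: The new `header` attribute in the first hunk is free `text` with correlation left on, so stock values shared by most clients will link unrelated events. I would either add `"disable_correlation": true` or state the expected form in the description, for example `"description": "An HTTP header sent during the HTTP request, as 'Name: value'"`. Both `cookie` and `header` are now `multiple` and can hold session or authorization values taken from captured traffic, so the descriptions could say whether such values are expected to be redacted before sharing. The object description in the second hunk still reads "A single HTTP request header", which no longer matches a template that accepts several headers.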


@ -0,0 +1,80 @@
{
"requiredOneOf": [
"group-name",
"group-alias",
"archive",
"attachment"
],
"attributes": {
"group-name": {
"description": "The name of the group, channel or community.",
"ui-priority": 1,
"misp-attribute": "text"
},
"group-alias": {
"description": "Aliases of group, channel or community.",
"ui-priority": 1,
"multiple": true,
"misp-attribute": "text"
},
"app-used": {
"description": "The IM application used to send the message.",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"multiple": true,
"sane_default": [
"WhatsApp",
"Google Hangouts",
"Facebook Messenger",
"Telegram",
"Signal",
"WeChat",
"BlackBerry Messenger",
"TeamSpeak",
"TorChat",
"RetroShare",
"Slack"
]
},
"username": {
"description": "A user account who is a member of the group.",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"person-name": {
"description": "A person who is a member of the group.",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"url": {
"description": "Original URL location of the group (potentially malicious).",
"ui-priority": 1,
"misp-attribute": "url"
},
"link": {
"description": "Original link into the group (Supposed harmless).",
"ui-priority": 1,
"misp-attribute": "link"
},
"archive": {
"description": "Archive of the original group (Internet Archive, Archive.is, etc).",
"ui-priority": 1,
"multiple": true,
"misp-attribute": "link"
},
"attachment": {
"description": "A screen capture or exported list of contacts, group members, etc.",
"ui-priority": 1,
"multiple": true,
"misp-attribute": "attachment"
}
},
"version": 1,
"description": "Instant Message (IM) group object template describing a public or private IM group, channel or conversation.",
"meta-category": "misc",
"uuid": "e26becca-2149-4bc0-b3fb-7090d43af28f",
"name": "instant-message-group"
}
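Review bot: The `app-used` description, "The IM application used to send the message.", is the same text as in the instant-message template and does not fit a group object. I would write `"description": "The IM application hosting the group, channel or community."`. Here `app-used` is also `multiple`, while the same attribute in the instant-message template added by this commit is not; if that difference is intended, a word in the description would save the next contributor from aligning them by mistake.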


@ -0,0 +1,112 @@
{
"requiredOneOf": [
"body",
"from-user"
],
"attributes": {
"body": {
"description": "Message body of the IM.",
"ui-priority": 1,
"misp-attribute": "text"
},
"from-number": {
"description": "Phone number used to send the message.",
"ui-priority": 1,
"misp-attribute": "phone-number",
"multiple": true
},
"to-number": {
"description": "Phone number receiving the message.",
"ui-priority": 1,
"misp-attribute": "phone-number",
"multiple": true
},
"from-user": {
"description": "User account that sent the message.",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"to-user": {
"description": "User account that received the message.",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"from-name": {
"description": "Name of the person that sent the message.",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"to-name": {
"description": "Name of the person that received the message.",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"subject": {
"description": "Subject of the message if any.",
"ui-priority": 0,
"misp-attribute": "text"
},
"app-used": {
"description": "The IM application used to send the message.",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"WhatsApp",
"Google Hangouts",
"Facebook Messenger",
"Telegram",
"Signal",
"WeChat",
"BlackBerry Messenger",
"TeamSpeak",
"TorChat",
"RetroShare",
"Slack"
]
},
"url": {
"description": "Original URL location of the message (potentially malicious).",
"ui-priority": 1,
"misp-attribute": "url"
},
"link": {
"description": "Original link into the message (Supposed harmless).",
"ui-priority": 1,
"misp-attribute": "link"
},
"archive": {
"description": "Archive of the original message (Internet Archive, Archive.is, etc).",
"ui-priority": 1,
"multiple": true,
"misp-attribute": "link"
},
"attachment": {
"description": "The message file or screen capture.",
"ui-priority": 1,
"multiple": true,
"misp-attribute": "attachment"
},
"sent-date": {
"description": "Initial sent date of the message.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"received-date": {
"description": "Received date of the message.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
}
},
"version": 1,
"description": "Instant Message (IM) object template describing one or more IM message.",
"meta-category": "misc",
"uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc",
"name": "instant-message"
}
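Review bot: `requiredOneOf` lists only `body` and `from-user`, so a message known solely by phone number cannot be recorded without adding a placeholder account or body. For messengers that identify users by number this looks like a gap; I would extend the list with `"from-number"`. The object description also reads "one or more IM message" while `body` is not `multiple`, so either the wording or the attribute should change, for example `"description": "Instant Message (IM) object template describing an IM message."`.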


@ -0,0 +1,171 @@
{
"requiredOneOf": [
"model",
"vendor",
"architecture",
"boot-log",
"picture-pcb",
"picture-device"
],
"attributes": {
"picture-pcb": {
"description": "Picture of the IoT device PCB",
"ui-priority": 10,
"misp-attribute": "attachment",
"multiple": true
},
"picture-device": {
"description": "Picture of the IoT device",
"ui-priority": 10,
"misp-attribute": "attachment",
"multiple": true
},
"fcc-id": {
"description": "FCC-ID of the IoT device",
"ui-priority": 10,
"misp-attribute": "text",
"multiple": true
},
"boot-log": {
"description": "Boot log of the IoT device",
"ui-priority": 10,
"misp-attribute": "attachment",
"multiple": true
},
"platform": {
"description": "Platform of of the IoT device",
"ui-priority": 10,
"misp-attribute": "text",
"sane_default": [
"mach-aspeed",
"mach-at91",
"mach-bcm283x",
"mach-bcmstb",
"mach-cortina",
"mach-davinci",
"mach-exynos",
"mach-highbank",
"mach-imx",
"mach-integrator",
"mach-k3",
"mach-keystone",
"mach-kirkwood",
"mach-mediatek",
"mach-meson",
"mach-mvebu",
"mach-omap2",
"mach-orion5x",
"mach-owl",
"mach-qemu",
"mach-rmobile",
"mach-rockchip",
"mach-s5pc1xx",
"mach-snapdragon",
"mach-socfpga",
"mach-sti",
"mach-stm32",
"mach-stm32mp",
"mach-sunxi",
"mach-tegra",
"mach-u8500",
"mach-uniphier",
"mach-versal",
"mach-versatile",
"mach-zynq",
"mach-zynqmp",
"mach-zynqmp-r5",
"mcf5227x",
"mcf523x",
"mcf52x2",
"mcf530x",
"mcf532x",
"mcf5445x",
"mcf547x_8x",
"mach-ath79",
"mach-bmips",
"mach-jz47xx",
"mach-mscc",
"mach-mtmips",
"mach-pic32"
]
},
"architecture": {
"description": "architecture of the IoT device",
"ui-priority": 1,
"misp-attribute": "text",
"sane_default": [
"ARC",
"ARM",
"M68000",
"MicroBlaze",
"MIPS",
"NSD32",
"Nios II",
"PowerPC",
"RISC-V",
"Sandbox",
"SH",
"x86",
"Xtensa"
]
},
"model": {
"description": "Model of the IoT device",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"vendor": {
"description": "Vendor of the IoT device",
"ui-priority": 1,
"misp-attribute": "text"
},
"reference": {
"description": "Reference of the IoT device",
"ui-priority": 1,
"misp-attribute": "link",
"multiple": true
},
"spi-interface": {
"description": "SPI interface of the IoT device",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Yes",
"No",
"Unknown",
"Disabled"
]
},
"serial-interface": {
"description": "Serial interface of the IoT device",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Yes",
"No",
"Unknown",
"Disabled"
]
},
"jtag-interface": {
"description": "JTAG interface of the IoT device",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Yes",
"No",
"Unknown",
"Disabled"
]
}
},
"version": 3,
"description": "An IoT device.",
"meta-category": "iot",
"uuid": "3de3b92a-859b-431b-9c4f-1a81de1d9637",
"name": "iot-device"
}
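Review bot: In the `architecture` list, `"NSD32"` appears to be a transposition of `"NDS32"`, the architecture name the rest of this list seems to follow. Because `sane_default` values are what users pick from, the misspelling would be written into every object that selects it and would not match the correctly spelled name in searches. The `platform` description has a doubled word, "Platform of of the IoT device", and `architecture` starts lowercase while its siblings are capitalised; I would change them to `"Platform of the IoT device"` and `"Architecture of the IoT device"`.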


@ -0,0 +1,99 @@
{
"requiredOneOf": [
"firmware",
"filename",
"binwalk-output"
],
"attributes": {
"firmware": {
"description": "Firmware of the IoT device",
"ui-priority": 10,
"misp-attribute": "attachment",
"multiple": true
},
"version": {
"description": "Version of the firmware",
"ui-priority": 10,
"misp-attribute": "text",
"multiple": true
},
"filename": {
"description": "Filename of the firmware",
"ui-priority": 10,
"misp-attribute": "text"
},
"boot-log": {
"description": "Boot log of the IoT device for this firmware",
"ui-priority": 10,
"misp-attribute": "attachment",
"multiple": true
},
"binwalk-output": {
"description": "Binwalk output of the firmware image",
"ui-priority": 10,
"misp-attribute": "attachment"
},
"format": {
"description": "Format of the firmware",
"ui-priority": 10,
"misp-attribute": "text",
"sane_default": [
"raw",
"Intel hex",
"Motorola S-Record",
"Unknown"
]
},
"md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"ui-priority": 1,
"misp-attribute": "md5",
"recommended": false
},
"sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"ui-priority": 1,
"misp-attribute": "sha1",
"recommended": false
},
"sha224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha224",
"recommended": false
},
"sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 1,
"misp-attribute": "sha256"
},
"sha384": {
"description": "Secure Hash Algorithm 2 (384 bits)",
"ui-priority": 0,
"misp-attribute": "sha384",
"recommended": false
},
"sha512": {
"description": "Secure Hash Algorithm 2 (512 bits)",
"ui-priority": 1,
"misp-attribute": "sha512"
},
"size-in-bytes": {
"description": "Size of the file, in bytes",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "size-in-bytes"
},
"binwalk-entropy-graph": {
"description": "Entropy graph of the firmware",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "attachment"
}
},
"version": 1,
"description": "A firmware for an IoT device.",
"meta-category": "iot",
"uuid": "8bafb8fc-d986-4a58-b22b-6b8c7c0e8b70",
"name": "iot-firmware"
}
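Review bot: The hash attributes (`md5` through `sha512`) and `size-in-bytes` do not say which artifact they describe, and this object can carry three different attachments: `firmware`, `boot-log` and `binwalk-output`. A hash computed over the wrong file would still correlate, so I would make the descriptions explicit, for example `"description": "Secure Hash Algorithm 2 (256 bits) of the firmware image"` and `"description": "Size of the firmware image, in bytes"`. The `firmware` attachment itself is `multiple`, so it is also worth stating how several images map to a single set of hashes.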


@ -4,7 +4,9 @@
"type", "type",
"original-filename", "original-filename",
"internal-filename", "internal-filename",
"entrypoint-address" "entrypoint-address",
"imphash",
"impfuzzy"
], ],
"attributes": { "attributes": {
"pehash": { "pehash": {
@ -119,7 +121,7 @@
"misp-attribute": "text" "misp-attribute": "text"
} }
}, },
"version": 4, "version": 5,
"description": "Object describing a Portable Executable", "description": "Object describing a Portable Executable",
"meta-category": "file", "meta-category": "file",
"uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07", "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
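Review bot: The first hunk adds `imphash` and `impfuzzy` to `requiredOneOf`, but neither attribute definition is visible in this section, whose `attributes` block continues outside the hunks. Please confirm both keys are defined under `attributes` in version 5, since a `requiredOneOf` entry with no matching attribute can never be satisfied. The same commit removes `imphash` from the file object, so existing file objects carrying that relation presumably need a migration note pointing to this template.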


@ -47,7 +47,8 @@
"resolved", "resolved",
"rejected", "rejected",
"deleted" "deleted"
] ],
"disable_correlation": true
}, },
"ticket-number": { "ticket-number": {
"description": "ticket-number of the RTIR ticket", "description": "ticket-number of the RTIR ticket",
@ -55,7 +56,7 @@
"misp-attribute": "text" "misp-attribute": "text"
} }
}, },
"version": 1, "version": 2,
"description": "RTIR - Request Tracker for Incident Response", "description": "RTIR - Request Tracker for Incident Response",
"meta-category": "misc", "meta-category": "misc",
"uuid": "7534ee19-0a1f-4f46-a197-e6e73e457943", "uuid": "7534ee19-0a1f-4f46-a197-e6e73e457943",


@ -37,9 +37,19 @@
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "datetime", "misp-attribute": "datetime",
"disable_correlation": true "disable_correlation": true
},
"smsc": {
"description": "SMS Message Center",
"ui-priority": 0,
"misp-attribute": "phone-number"
},
"name": {
"description": "Sender name",
"ui-priority": 0,
"misp-attribute": "text"
} }
}, },
"version": 1, "version": 3,
"description": "Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.", "description": "Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.",
"meta-category": "misc", "meta-category": "misc",
"uuid": "4851a3dc-e1a6-43ac-9d97-f0d13a099fd2", "uuid": "4851a3dc-e1a6-43ac-9d97-f0d13a099fd2",


@ -3,7 +3,7 @@
"published", "published",
"modified", "modified",
"references", "references",
"vulnerable_configuration", "vulnerable-configuration",
"summary", "summary",
"description", "description",
"id" "id"
@ -25,7 +25,7 @@
"ui-priority": 0, "ui-priority": 0,
"misp-attribute": "text" "misp-attribute": "text"
}, },
"vulnerable_configuration": { "vulnerable-configuration": {
"description": "The vulnerable configuration is described in CPE format", "description": "The vulnerable configuration is described in CPE format",
"multiple": true, "multiple": true,
"ui-priority": 0, "ui-priority": 0,
@ -90,7 +90,7 @@
"multiple": true "multiple": true
} }
}, },
"version": 5, "version": 6,
"description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.",
"meta-category": "vulnerability", "meta-category": "vulnerability",
"uuid": "81650945-f186-437b-8945-9f31715d32da", "uuid": "81650945-f186-437b-8945-9f31715d32da",


@ -1,5 +1,5 @@
{ {
"version": 17, "version": 18,
"values": [ "values": [
{ {
"name": "derived-from", "name": "derived-from",
@ -991,6 +991,13 @@
"format": [ "format": [
"misp" "misp"
] ]
},
{
"name": "knows",
"description": "Represents an object having the knowledge of another object.",
"format": [
"misp"
]
} }
], ],
"description": "Default type of relationships in MISP objects.", "description": "Default type of relationships in MISP objects.",


@ -260,7 +260,8 @@
"misc", "misc",
"internal", "internal",
"vulnerability", "vulnerability",
"climate" "climate",
"iot"
], ],
"type": "string" "type": "string"
}, },