From 8b5b5df77c8105152799dc6faf4d36fce6fbc158 Mon Sep 17 00:00:00 2001
From: Stefan Kelm
Date: Thu, 13 Sep 2018 14:05:45 +0200
Subject: [PATCH 1/3] bgp-hijack
---
objects/bgp-hijack/definition.json | 53 ++++++++++++++++++++++++++++++
1 file changed, 53 insertions(+)
create mode 100644 objects/bgp-hijack/definition.json
diff --git a/objects/bgp-hijack/definition.json b/objects/bgp-hijack/definition.json
new file mode 100644
index 0000000..952ade7
--- /dev/null
+++ b/objects/bgp-hijack/definition.json
@@ -0,0 +1,53 @@
+{
+ "required": [
+ "expected-asn",
+ "detected-asn",
+ "start",
+ "subnet-announced"
+ ],
+ "attributes": {
+ "expected-asn": {
+ "description": "Expected Autonomous System Number",
+ "ui-priority": 1,
+ "misp-attribute": "AS"
+ },
+ "detected-asn": {
+ "description": "Detected Autonomous System Number",
+ "ui-priority": 1,
+ "misp-attribute": "AS"
+ },
+ "description": {
+ "description": "BGP Hijack details",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "country": {
+ "description": "Country code of the main location of the attacking autonomous system",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "subnet-announced": {
+ "description": "Subnet announced",
+ "ui-priority": 0,
+ "misp-attribute": "ip-src",
+ "multiple": true
+ },
+ "start": {
+ "description": "First time the Prefix hijack was seen",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "end": {
+ "description": "Last time the Prefix hijack was seen",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 1,
+ "description": "Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com",
+ "meta-category": "network",
+ "uuid": "42355673-1fab-4908-8045-00bebd91c389",
+ "name": "bgp-hijack"
+}
From 76553f176c0421fe2d783e411bafb444fbef275e Mon Sep 17 00:00:00 2001
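Review bot: `subnet-announced` is typed `ip-src`, yet the value it carries is the hijacked prefix, i.e. address space that legitimately belongs to the expected ASN rather than attacker infrastructure; as an ip-src attribute it can correlate with, and be exported to IDS/blocklist feeds alongside, genuinely malicious source addresses, so downstream consumers risk blocking the victim. Make that explicit in the attribute description, e.g. `"description": "Prefix (CIDR notation) announced by the detected ASN; this is the victim's address space, not attacker infrastructure"`, and, if the template schema's per-attribute IDS default (`to_ids`) applies to this object, set it to `false` so the prefix is not exported as a blocking indicator by default. `country` is described as the country of the attacking AS but is a free-form `text` attribute; stating the expected format in its description, e.g. `"Country code (ISO 3166-1 alpha-2) of the main location of the detected autonomous system"`, would keep values comparable across events. The hunk is the complete new file, so no enclosing block is cut.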
From: Stefan Kelm
Date: Thu, 13 Sep 2018 14:10:52 +0200
Subject: [PATCH 2/3] bgp-hijack
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index f41ccdf..fe29188 100644
--- a/README.md
+++ b/README.md
@@ -71,6 +71,7 @@ for a specific attribute.
 * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
 * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
 * [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0.
+* [objects/bgp-hijack](objects/bgp-hijack/definition.json) - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com
 * [objects/cap-alert](objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
 * [objects/cap-info](objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
 * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
From 00184b6fc0b06f8c78d37e2fc7f9e8084c37209b Mon Sep 17 00:00:00 2001
From: Stefan Kelm
Date: Thu, 13 Sep 2018 14:13:33 +0200
Subject: [PATCH 3/3] bgp-hijack
---
objects/bgp-hijack/definition.json | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/objects/bgp-hijack/definition.json b/objects/bgp-hijack/definition.json
index 952ade7..1955f9a 100644
--- a/objects/bgp-hijack/definition.json
+++ b/objects/bgp-hijack/definition.json
@@ -1,9 +1,9 @@
 {
 "required": [
- "expected-asn",
- "detected-asn",
- "start",
- "subnet-announced"
+ "expected-asn",
+ "detected-asn",
+ "start",
+ "subnet-announced"
 ],
 "attributes": {
 "expected-asn": {
@@ -42,7 +42,7 @@
 "description": "Last time the Prefix hijack was seen",
 "disable_correlation": true,
 "ui-priority": 0,
- "misp-attribute": "datetime"
+ "misp-attribute": "datetime"
 }
 },
 "version": 1,