From f7da39c5575c237a1e10f194136b2658e77617d7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 10 Jul 2023 16:38:12 +0200 Subject: [PATCH 1/6] new: [hhhassh object] An object describing a HHHash object with the hash value along with the crawling parameters. For more information: https://www.foo.be/2023/07/HTTP-Headers-Hashing_HHHash --- objects/hhhash/definition.json | 48 ++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 objects/hhhash/definition.json diff --git a/objects/hhhash/definition.json b/objects/hhhash/definition.json new file mode 100644 index 0000000..2f6d976 --- /dev/null +++ b/objects/hhhash/definition.json 
@@ -0,0 +1,48 @@ +{ + "attributes": { + "comment": { + "description": "A description of the HHHash object.", + "misp-attribute": "comment", + "ui-priority": 0 + }, + "hhhash": { + "description": "HHHash hash in format hhh:version:hash_value", + "misp-attribute": "text", + "ui-priority": 0 + }, + "hhhash-headers": { + "description": "HHHash value before being hash in the format each header is separated by a :.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "hhhash-query-headers": { + "description": "Set of headers used for the query in the format where each header is separated by a : .", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "hhhash-tool": { + "description": "HHHash crawling infrastructure or tool used to produce the HHHash value. ", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "python-hhhash", + "c-hhhash", + "go-hhhash", + "r-hhhash", + "lacus", + "Common Crawl", + "other" + ], + "ui-priority": 0 + } + }, + "description": "An object describing a HHHash object with the hash value along with the crawling parameters. For more information: https://www.foo.be/2023/07/HTTP-Headers-Hashing_HHHash", + "meta-category": "misc", + "name": "hhhash", + "requiredOneOf": [ + "hhhash" + ], + "uuid": "4dbcde93-a4e0-4bee-913c-0988b5259d14", + "version": 1 +} From e6864eb745b0ec9aea6b3ac176aa93b7e6683bf8 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 10 Jul 2023 16:40:22 +0200 Subject: [PATCH 2/6] chg: [hhhash] newline fixed --- objects/hhhash/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/hhhash/definition.json b/objects/hhhash/definition.json index 2f6d976..777b20a 100644 --- a/objects/hhhash/definition.json +++ b/objects/hhhash/definition.json @@ -45,4 +45,4 @@ ], "uuid": "4dbcde93-a4e0-4bee-913c-0988b5259d14", "version": 1 -} +} \ No newline at end of file From 1374b0c7f0a468ab4a47575456159fa3ebdafd75 Mon Sep 17 00:00:00 2001 
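Review bot: The `hhhash` attribute description (`HHHash hash in format hhh:version:hash_value`) never says which hash function or encoding `hash_value` carries, and the `hhhash-headers` description is garbled ("before being hash"), so an analyst cannot validate a value or recompute it from the listed headers. I would write `"description": "HHHash in the form hhh:<version>:<hash_value>, where <version> is the HHHash algorithm revision and <hash_value> is its digest (name the hash function and encoding here, as defined in the linked post)"` and `"description": "The response header names that were hashed, in the order they were seen, separated by ':'"` — the ordering claim assumes order is significant for the hash, which the linked post presumably settles. Since the object description itself ties the value to the crawling parameters, it is also worth stating there that two HHHash values are only comparable when `hhhash-query-headers` and `hhhash-tool` match.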
From: Steph S Date: Mon, 10 Jul 2023 15:22:27 -0400 Subject: [PATCH 3/6] Added AbuseIPDB object template for the AbuseIPDB expansion module --- objects/abuseipdb/definition.json | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 objects/abuseipdb/definition.json diff --git a/objects/abuseipdb/definition.json b/objects/abuseipdb/definition.json new file mode 100644 index 0000000..da5030e --- /dev/null +++ b/objects/abuseipdb/definition.json @@ -0,0 +1,29 @@ +{ + "attributes": { + "abuse-confidence-score": { + "description": "Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious", + "misp-attribute": "counter", + "ui-priority": 0 + }, + "is-public": { + "description": "If an IP is public", + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "is-tor": { + "description": "If Tor (The Onion Router) was used", + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "is-whitelisted": { + "description": "If an IP is spotted in any of AbuseIPDB's whitelists", + "misp-attribute": "boolean", + "ui-priority": 0 + } + }, + "description": "AbuseIPDB checks an ip address, domain name, or subnet against a central blacklist", + "meta-category": "network", + "name": "abuseipdb", + "uuid": "cccdaaf6-c140-461c-8d1c-aa79bbd029e0", + "version": 1 +} \ No newline at end of file From c7bade5c8b88ce6705704851dedc5185db8be7d9 Mon Sep 17 00:00:00 2001 From: Steph S Date: Thu, 13 Jul 2023 09:25:26 -0400 Subject: [PATCH 4/6] Added a is-malicious attribute for abuseipdb and added a google-safe-browsing object for the google-safe-browsing expansion module --- objects/abuseipdb/definition.json | 5 ++++ objects/google-safe-browsing/definition.json | 24 ++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 objects/google-safe-browsing/definition.json diff --git a/objects/abuseipdb/definition.json b/objects/abuseipdb/definition.json index da5030e..d46536e 100644 --- a/objects/abuseipdb/definition.json 
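Review bot: The template has neither `required` nor `requiredOneOf`, so an `abuseipdb` object with no attributes at all is valid, and nothing in the object records which IP, domain or subnet the verdict is about even though the description says all three are checked. I would add `"requiredOneOf": ["abuse-confidence-score"]` next to `"name"` and an `"ip"` attribute (`"misp-attribute": "ip-dst"`, correlating) holding the queried address, so the verdict still resolves to an indicator if the object reference to the original attribute is lost; if the expansion module always attaches the object by reference, say so in the description instead. The `is-public`/`is-tor`/`is-whitelisted` booleans and the `counter` score would also benefit from an explicit `"disable_correlation": true`, as this series does for `hhhash-query-headers`, unless you are deliberately relying on MISP core suppressing correlation for those types.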
+++ b/objects/abuseipdb/definition.json @@ -1,5 +1,10 @@ { "attributes": { + "is-malicious": { + "description": "If the IP is malicious based on the abuse-confidence-score and threshold", + "misp-attribute": "boolean", + "ui-priority": 0 + }, "abuse-confidence-score": { "description": "Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious", "misp-attribute": "counter", diff --git a/objects/google-safe-browsing/definition.json b/objects/google-safe-browsing/definition.json new file mode 100644 index 0000000..2c39a38 --- /dev/null +++ b/objects/google-safe-browsing/definition.json @@ -0,0 +1,24 @@ +{ + "attributes": { + "malicious": { + "description": "If the URL comes back as malicious", + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "platforms": { + "description": "The platform identified (windows, linux, etc...)", + "misp-attribute": "text", + "ui-priority": 0 + }, + "threats": { + "description": "The threat type related to that URL (malware, social engineering, etc...)", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "Google Safe checks a URL against Google's constantly updated list of unsafe web resources.", + "meta-category": "network", + "name": "google-safe-browsing", + "uuid": "1f8af312-dfbb-4572-b894-dabe7c8798d8", + "version": 1 +} \ No newline at end of file From 32e21c880653b33c3be6beabc1f6affc99802c94 Mon Sep 17 00:00:00 2001 From: Steph S Date: Thu, 13 Jul 2023 09:48:12 -0400 Subject: [PATCH 5/6] Fixed json formatting --- objects/abuseipdb/definition.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/objects/abuseipdb/definition.json b/objects/abuseipdb/definition.json index d46536e..6f1b309 100644 --- a/objects/abuseipdb/definition.json +++ b/objects/abuseipdb/definition.json 
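Review bot: `is-malicious` is described as derived from `abuse-confidence-score` and a threshold, but the threshold is not captured anywhere in the object, so two objects with the same score can carry opposite verdicts and a consumer has no way to tell why. I would either add a `"threshold"` attribute (`"misp-attribute": "counter"`, `"disable_correlation": true`) filled in by the expansion module, or at least make the description precise: `"description": "True when abuse-confidence-score is at or above the threshold configured in the expansion module"` — assuming that is where the threshold lives, which this hunk does not show.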
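Review bot: `platforms` and `threats` are `text` attributes with correlation left enabled, and their values are a small closed vocabulary (the descriptions' own examples are windows/linux and malware/social engineering), so every Safe Browsing object carrying `"threats": "malware"` will correlate with every other one across all events — noise that buries real correlations. Add `"disable_correlation": true` to both, and since each name is plural, consider `"multiple": true` so several platforms or threat types become separate attributes rather than a joined string (assuming the module can return more than one). The object description reads `Google Safe checks a URL` and should be `Google Safe Browsing checks a URL`; like the AbuseIPDB template it also has no `requiredOneOf` and no attribute for the checked URL itself, so `"requiredOneOf": ["malicious"]` plus a `"url"` attribute (`"misp-attribute": "url"`) would make the verdict self-describing.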
@@ -1,15 +1,15 @@ { "attributes": { - "is-malicious": { - "description": "If the IP is malicious based on the abuse-confidence-score and threshold", - "misp-attribute": "boolean", - "ui-priority": 0 - }, "abuse-confidence-score": { "description": "Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious", "misp-attribute": "counter", "ui-priority": 0 }, + "is-malicious": { + "description": "If the IP is malicious based on the abuse-confidence-score and threshold", + "misp-attribute": "boolean", + "ui-priority": 0 + }, "is-public": { "description": "If an IP is public", "misp-attribute": "boolean", From ab1f97b881c8d3f0035fe93586053860cc12a33a Mon Sep 17 00:00:00 2001 From: 417190e5c48babc7 <417190e5c48babc7@proton.me> Date: Thu, 20 Jul 2023 10:24:42 +0300 Subject: [PATCH 6/6] chg: [ja3s] Add domain and hostname attributes --- objects/ja3s/definition.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/objects/ja3s/definition.json b/objects/ja3s/definition.json index e37b883..11c7654 100644 --- a/objects/ja3s/definition.json +++ b/objects/ja3s/definition.json @@ -5,12 +5,22 @@ "misp-attribute": "text", "ui-priority": 1 }, + "domain": { + "description": "Destination domain", + "misp-attribute": "domain", + "ui-priority": 1 + }, "first-seen": { "description": "First seen of the SSL/TLS handshake", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, + "hostname": { + "description": "Destination hostname", + "misp-attribute": "hostname", + "ui-priority": 1 + }, "ip-dst": { "description": "Destination IP address", "misp-attribute": "ip-dst", @@ -46,5 +56,5 @@ "ja3s-fingerprint-md5" ], "uuid": "7f377f66-d128-4b97-897f-592d06ba2ff7", - "version": 4 + "version": 5 } \ No newline at end of file
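Review bot: The new `domain` and `hostname` descriptions (`Destination domain`, `Destination hostname`) do not say where the name comes from, and for a server-side TLS fingerprint that matters: a name taken from the client's SNI and a name obtained by reverse-resolving `ip-dst` are different things, and a detection written against this field needs to know which one it is matching. I would state the source in each description, e.g. `"description": "Domain name of the server that produced this JA3S, as presented in the TLS SNI"`, or the reverse-DNS wording if that is what the producer actually fills in — the hunk does not show which. The enclosing object definition starts and ends outside this hunk.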