From fbccdfef241c146de44407893a1a0aa4f13c0386 Mon Sep 17 00:00:00 2001
From: c-goes
Date: Tue, 5 Dec 2017 11:05:56 +0100
Subject: [PATCH] disable correlation for last-seen/first-seen/text
---
 README.md | 2 ++
 objects/asn/definition.json | 4 +++-
 objects/ddos/definition.json | 5 ++++-
 objects/domain-ip/definition.json | 5 ++++-
 objects/ip-port/definition.json | 5 ++++-
 objects/ja3/definition.json | 4 +++-
 objects/url/definition.json | 4 +++-
 7 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 3db35cc..bfde5d2 100644
--- a/README.md
+++ b/README.md
@@ -31,10 +31,12 @@ Feel free to propose your own MISP objects to be included in MISP. The system is
 },
 "first-seen": {
 "misp-attribute": "datetime",
+ "disable_correlation": true,
 "ui-priority": 0
 },
 "last-seen": {
 "misp-attribute": "datetime",
+ "disable_correlation": true,
 "ui-priority": 0
 }
diff --git a/objects/asn/definition.json b/objects/asn/definition.json
index f38d35b..9f8b1d6 100644
--- a/objects/asn/definition.json
+++ b/objects/asn/definition.json
@@ -26,11 +26,13 @@
 },
 "first-seen": {
 "description": "First time the ASN was seen",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
 "last-seen": {
 "description": "Last time the ASN was seen",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
@@ -59,7 +61,7 @@
 "multiple": true
 }
 },
- "version": 3,
+ "version": 4,
 "description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
 "meta-category": "network",
 "uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index bcfa7a3..715150c 100644
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
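Review bot: In objects/asn/definition.json only `first-seen` and `last-seen` receive `"disable_correlation": true`, although the subject line also names text; the ja3 and url sections are limited to the same two attributes. If any of these three templates defines a free-text attribute (`"misp-attribute": "text"`) outside the hunks shown, it would keep correlating and could still link unrelated events on shared wording. Worth checking each template and, where such an attribute exists, adding `"disable_correlation": true,` to it under the same version bump. The attribute maps extend beyond these hunks, so the diff alone cannot settle this.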
@@ -3,7 +3,7 @@
 "uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
 "meta-category": "network",
 "description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
- "version": 5,
+ "version": 6,
 "attributes": {
 "total-bps": {
 "description": "Bits per second",
@@ -12,6 +12,7 @@
 },
 "text": {
 "description": "Description of the DDoS",
+ "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 0
 },
@@ -62,6 +63,7 @@
 },
 "first-seen": {
 "description": "Beginning of the attack",
+ "disable_correlation": true,
 "misp-attribute": "datetime",
 "ui-priority": 0
 },
@@ -83,6 +85,7 @@
 },
 "last-seen": {
 "description": "End of the attack",
+ "disable_correlation": true,
 "misp-attribute": "datetime",
 "ui-priority": 0
 }
diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json
index 3d6ddc7..7cd4d8a 100644
--- a/objects/domain-ip/definition.json
+++ b/objects/domain-ip/definition.json
@@ -6,17 +6,20 @@
 "attributes": {
 "text": {
 "description": "A description of the tuple",
+ "disable_correlation": true,
 "ui-priority": 1,
 "misp-attribute": "text",
 "recommended": false
 },
 "last-seen": {
 "description": "Last time the tuple has been seen",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
 "first-seen": {
 "description": "First time the tuple has been seen",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
@@ -40,7 +43,7 @@
 "multiple": true
 }
 },
- "version": 4,
+ "version": 5,
 "description": "A domain and IP address seen as a tuple in a specific time frame.",
 "meta-category": "network",
 "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json
index 8b827ea..528ab7c 100644
--- a/objects/ip-port/definition.json
+++ b/objects/ip-port/definition.json
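Review bot: Nothing in the patch tells operators what happens to ddos objects already stored under version 5 once `text`, `first-seen` and `last-seen` stop correlating by default in objects/ddos/definition.json; the same gap applies to the other five bumped templates. Presumably the flag only sets the default for attributes created from the updated template, so timestamps and descriptions ingested earlier would keep their existing correlation links; that should be confirmed against the server's behaviour. A short line in the commit description or README would explain why older and newer events pivot differently, e.g. `Existing first-seen/last-seen/text attributes are not changed by this update; review their correlation setting separately.`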
@@ -9,16 +9,19 @@
 "attributes": {
 "text": {
 "description": "Description of the tuple",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "text"
 },
 "last-seen": {
 "description": "Last time the tuple has been seen",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
 "first-seen": {
 "description": "First time the tuple has been seen",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
@@ -50,7 +53,7 @@
 "misp-attribute": "ip-dst"
 }
 },
- "version": 4,
+ "version": 5,
 "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.",
 "meta-category": "network",
 "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
diff --git a/objects/ja3/definition.json b/objects/ja3/definition.json
index 4a8c5fc..fb60f1c 100644
--- a/objects/ja3/definition.json
+++ b/objects/ja3/definition.json
@@ -2,7 +2,7 @@
 "name": "ja3",
 "meta-category": "network",
 "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
- "version": 1,
+ "version": 2,
 "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
 "attributes": {
 "ja3-fingerprint-md5": {
@@ -43,11 +43,13 @@
 },
 "first-seen": {
 "misp-attribute": "datetime",
+ "disable_correlation": true,
 "ui-priority": 0,
 "description": "First seen of the SSL/TLS handshake"
 },
 "last-seen": {
 "misp-attribute": "datetime",
+ "disable_correlation": true,
 "description": "Last seen of the SSL/TLS handshake",
 "ui-priority": 0
 }
diff --git a/objects/url/definition.json b/objects/url/definition.json
index 7dc6f48..368e8f7 100644
--- a/objects/url/definition.json
+++ b/objects/url/definition.json
@@ -35,6 +35,7 @@
 },
 "first-seen": {
 "description": "First time this URL has been seen",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
@@ -81,6 +82,7 @@
 },
 "last-seen": {
 "description": "Last time this URL has been seen",
+ "disable_correlation": true,
 "ui-priority": 0,
 "misp-attribute": "datetime"
 },
@@ -90,7 +92,7 @@
 "misp-attribute": "hostname"
 }
 },
- "version": 4,
+ "version": 5,
 "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
 "meta-category": "network",
 "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",