misp-objects/objects/shadowserver-scan-http-proxy/definition.json

{
  "attributes": {
    "asn": {
      "description": "ASN where the IP resides",
      "misp-attribute": "AS",
      "ui-priority": 0
    },
    "city": {
      "description": "City location of the IP in question",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "connection": {
      "description": "Control options for the current connection and list of hop-by-hop request fields",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "content_length": {
      "description": "The length of the response body in octets",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "content_type": {
      "description": "The MIME type of the body of the request",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "geo": {
      "description": "Country location of the IP",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "hostname": {
      "description": "Any of the capabilities identified for the malware instance or family.",
      "misp-attribute": "hostname",
      "multiple": true,
      "ui-priority": 0
    },
    "hostname_source": {
      "description": "Hostname source",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "http": {
      "description": "Hypertext Transfer Protocol Version",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "http_code": {
      "description": "HTTP Response code: e.g., 200, 401, 404",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "http_date": {
      "description": "The date and time that the message was sent",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "http_reason": {
      "description": "The text reason to go with the HTTP Code",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "ip": {
      "description": "The IP address of the device in question",
      "misp-attribute": "ip-src",
      "multiple": true,
      "ui-priority": 0
    },
    "naics": {
      "description": "North American Industry Classification System Code",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "port": {
      "description": "Port the response came from",
      "misp-attribute": "port",
      "multiple": true,
      "ui-priority": 0
    },
    "protocol": {
      "description": "Protocol observed in the network traffic",
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "proxy_authenticate": {
      "description": "The authentication method that should be used to gain access to a resource behind a proxy server",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "region": {
      "description": "Regional location of the IP in question",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 1
    },
    "sector": {
      "description": "Sector of the IP in question",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "server": {
      "description": "HTTP Server type",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "severity": {
      "description": "Severity leve",
      "disable_correlation": true,
      "misp-attribute": "text",
      "sane_default": [
        "critical",
        "high",
        "medium",
        "low",
        "info"
      ],
      "ui-priority": 0
    },
    "tag": {
      "description": "Array of tags associated with the URL if any. In this report typically it will be a CVE entry, for example CVE-2021-44228. This allows for better understanding of the URL context observed (ie. usage associated with a particular CVE).",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "timestamp": {
      "description": "Time that the IP was probed in UTC+0",
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "transfer_encoding": {
      "description": "The form of encoding used to safely transfer the entity to the user",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
    "via": {
      "description": "General header added by proxies",
      "disable_correlation": true,
      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    }
  },
  "description": "This report identifies open HTTP proxy servers on multiple ports. While HTTP proxies have legitimate uses, they are also used for attacks or other forms of abuse. https://www.shadowserver.org/what-we-do/network-reporting/open-http-proxy-report/",
  "meta-category": "misc",
  "name": "shadowserver-scan-http-proxy",
  "required": [
    "timestamp",
    "ip",
    "port",
    "tag"
  ],
  "uuid": "ad0c83d5-56bf-4300-8743-ed2b4caf6206",
  "version": 1
}