20 KiB
misp-objects
MISP objects used in MISP (starting from 2.4.80) system and can be used by other information sharing tool. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes are based on real cyber security use-cases and existing practices in information sharing.
Feel free to propose your own MISP objects to be included in MISP. The system is similar to the misp-taxonomies where anyone can contribute their own objects to be included in MISP without modifying software.
Format of MISP objects
{
"name": "domain|ip",
"meta-category": "network",
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"version": 1,
"uuid": "f47559d7-6c16-40e8-a6b0-eda4a008376f",
"attributes" :
{
"ip": {
"misp-attribute": "ip-dst",
"ui-priority": 1,
"categories": ["Network activity","External analysis"]
},
"domain": {
"misp-attribute": "domain",
"ui-priority": 1,
"categories": ["Network activity","External analysis"]
},
"first-seen": {
"misp-attribute": "datetime",
"disable_correlation": true,
"ui-priority": 0
},
"last-seen": {
"misp-attribute": "datetime",
"disable_correlation": true,
"ui-priority": 0
}
},
"required": ["ip","domain"]
}
A MISP object is described in a simple JSON file containing the following element.
- name is the name of the your object.
- meta-category is the category where the object falls into. (file, network, financial, misc, internal)
- description is a summary of the object description.
- version is the version number as a decimal value.
- required is an array containing the minimal required attributes to describe the object.
- requiredOneOf is an array containing the attributes where at least one need to be present to describe the object.
- attributes contains another JSON object listing all the attributes composing the object.
Each attribute must contain a reference misp-attribute to reference an existing attribute definition in MISP (MISP attributes types are case-sensitive). An array categories shall be used to described in which categories the attribute is. The ui-priority describes the usage frequency of an attribute. This helps to only display the most frequently used attributes and allowing advanced users to show all the attributes depending of their configuration. An optional multiple field shall be set to true if multiple elements of the same key can be used in the object. An optional values_list where this list of value can be selected as a value for an attribute. An optional sane_default where this list of value recommend potential a sane default for an attribute. An optional disable_correlation boolean field to suggest the disabling of correlation for a specific attribute. An optional to_ids boolean field to disable the IDS flag of an attribute.
Existing MISP objects
- objects/ail-leak - Information leak object as defined by the AIL Analysis Information Leak framework.
- objects/ais-info - Object describing Automated Indicator Sharing (AIS) information source markings.
- objects/android-permission - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file).
- objects/asn - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
- objects/attack-pattern - Attack Pattern object describing a common attack pattern enumeration and classification.
- objects/authenticode-signerinfo - Authenticode signer info.
- objects/av-signature - Antivirus detection signature.
- objects/bank-account - Object describing bank account information based on account description from goAML 4.0.
- objects/bgp-hijack - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com
- objects/btc-transaction - Object describing BTC transaction (often attached to a btc-wallet object.
- objects/btc-wallet - Object describing a BTC wallet.
- objects/cap-alert - Common Alerting Protocol Version (CAP) alert object.
- objects/cap-info - Common Alerting Protocol Version (CAP) info object.
- objects/cap-resource - Common Alerting Protocol Version (CAP) resource object.
- objects/coin-address - An address used in a cryptocurrency.
- objects/cookie - A cookie object describes an HTTP cookie including its use in malicious cases.
- objects/course-of-action - An object describing a Course of Action such as a specific measure taken to prevent or respond to an attack.
- objects/cowrie - A cowrie object describes cowrie honeypot sessions.
- objects/credential - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s).
- objects/ddos - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
- objects/device - An object to describe a device such as a computer, laptop or alike.
- objects/diameter-attack - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
- objects/dns-record - A DNS record object to describe the associated records for a domain.
- objects/domain-ip - A domain and IP address seen as a tuple in a specific time frame.
- objects/elf - Object describing an Executable and Linkable Format (ELF).
- objects/elf-section - Object describing a section of an Executable and Linkable Format (ELF).
- objects/email - An email object.
- objects/employee - An employee object.
- objects/exploit-poc - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
- objects/facial-composite A facial composite object.
- objects/fail2ban - A fail2ban object.
- objects/file - File object describing a file with meta-information.
- objects/forensic-case - An object template to describe a digital forensic case.
- objects/forensic-evidence - An object template to describe a digital forensic evidence.
- objects/geolocation - A geolocation object to describe a location.
- objects/gtp-attack - GTP attack object as seen on a GSM, UMTS or LTE network.
- objects/http-request - A single HTTP request header object.
- objects/imsi-catcher - Object describing IMSI catcher associated event.
- objects/interpol-notice - Object used to represent an Interpol notice
- objects/ip-api-address - Object describing IP Address information, as defined in ip-api.com.
- objects/ip-port - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
- objects/ja3 - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way.
- objects/legal-entity - Object describing a legal entity, such as an organisation.
- objects/lnk - Object describing a Windows LNK (Windows Shortcut) file.
- objects/macho - Object describing a Mach object file format.
- objects/macho-section - Object describing a section of a Mach object file format.
- objects/mactime-timeline-analysis - Mactime template, used in forensic investigations to describe the timeline of a file activity.
- objects/malware-config - Object describing a malware configuration recovered or extracted from a malicious binary.
- objects/microblog - Object describing microblog post like Twitter or Facebook.
- objects/mutex - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
- objects/netflow - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.
- objects/network-connection - Network object describes a local or remote network connection.
- objects/network-socket - Object to describe a local or remote network connections based on the socket data structure.
- objects/original-imported-file - Object to describe the original files used to import data in MISP.
- objects/organization - An object which describes an organization.
- objects/passive-dns - Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01.
- objects/paste - Object describing a paste or similar post from a website allowing to share privately or publicly posts.
- objects/pe - Portable Executable (PE) object.
- objects/pe-section - Portable Executable (PE) object - section description.
- objects/person - A person object which describes a person or an identity.
- objects/phishing - Phishing template to describe a phishing website and its analysis.
- objects/phishing-kit - Object to describe a phishing kit.
- objects/phone - A phone or mobile phone object.
- objects/process - A process object.
- objects/regexp - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.
- objects/registry-key - A registry-key object.
- objects/r2graphity - Indicators extracted from binary files using radare2 and graphml.
- objects/report - Object to describe metadata used to generate an executive level report.
- objects/research-scanner - Information related to known scanning activity (e.g. from research projects)
- objects/rtir - RTIR - Request Tracker for Incident Response.
- objects/sandbox-report - Sandbox report object.
- objects/sb-signature - Sandbox detection signature object.
- objects/script - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
- objects/shell-commands - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
- objects/shodan - A shodan object to describe a shodan report.
- objects/shortened-link - Shortened link and its redirect target.
- objects/short-message-service - Short Message Service (SMS) object template describing one or more SMS message(s).
- objects/ss7-attack - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
- objects/stix2-pattern - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
- objects/ssh-authorized-keys - SSH authorized keys object to store keys and option from SSH authorized_keys file.
- objects/suricata - Suricata rule with context.
- objects/target-system - Description about an targeted system, this could potentially be a compromised internal system.
- objects/threatgrid-report - A threatgrid report object.
- objects/timecode - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
- objects/timesketch-timeline - A timesketch timeline object based on mandatory field in timesketch to describe a log entry.
- objects/timestamp - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.
- objects/tor-hiddenservice - Tor hidden service (Onion Service) object to describe a Tor hidden service.
- objects/tor-node - Tor node description which are part of the Tor network at a time.
- objects/tracking-id - Analytics and tracking ID such as used in Google Analytics or other analytic platform.
- objects/transaction - Object describing a financial transaction.
- objects/url - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
- objects/user-account - Object describing a user account (UNIX, Windows, etc).
- objects/vehicle - Vehicle object template to describe a vehicle information and registration.
- objects/victim - a victim object to describe the organisation being targeted or abused.
- objects/virustotal-graph - VirusTotal graph.
- objects/virustotal-report - VirusTotal report.
- objects/vulnerability - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
- objects/weakness - Weakness object as described in a CWE.
- objects/whois - Whois records information for a domain name.
- objects/x509 - x509 object describing a X.509 certificate.
- objects/yabin - yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: yabin.
- objects/yara - YARA object describing a YARA rule along with the version supported and context (such as memory, network, disk).
MISP objects relationships
The MISP object model is open and allows user to use their own relationships. MISP provides a list of default relationships that can be used if you plan to share your events with other MISP communities.
- relationships - list of predefined default relationships which can be used to link MISP objects together and explain the context of the relationship.
How to contribute MISP objects?
Fork the project, create a new directory in the objects directory matching your object name. Objects must be composed of existing MISP attributes. If you are missing a specific attributes, feel free to open an issue in the MISP project.
We recommend to add a text attribute in a object to allow users to add comments or correlating text.
If the unparsed object can be included, a raw-base64 attribute can be used in the object to import the whole object.
Every object needs a uuid which can be created using uuidgen -r on a linux command line.
When the object is created, pull a request on this project. We usually merge the objects if it fits existing use-cases.
MISP objects documentation
The MISP objects are documented at the following location in HTML and PDF.
The documentation is automatically generated from the MISP objects template expressed in JSON.
What are the advantages of MISP objects versus existing standards?
MISP objects are dynamically used objects that are contributed by users of MISP (the threat sharing platform) or other information sharing platforms.
The aim is to allow a dynamic update of objects definition in operational distributed sharing systems like MISP. Security threats and their related indicators are quite dynamic, standardized formats are quite static and new indicators require a significant time before being standardized.
The MISP objects model allows to add new combined indicators format based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects can be then propagated along with the indicators itself.
License
Copyright (C) 2016-2019 Andras Iklody
Copyright (C) 2016-2019 Alexandre Dulaunoy
Copyright (C) 2016-2019 CIRCL - Computer Incident Response Center Luxembourg
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.