chg: [misp-standards] updated to the latest version

pull/2/head
Alexandre Dulaunoy 2019-12-30 11:52:34 +01:00
parent c1ba65cc2f
commit 55f6d63494
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
4 changed files with 65 additions and 65 deletions

View File

@ -792,7 +792,7 @@
<br>link, comment, text, hex, attachment, other, anonymised</dd>
<dt>Artifacts dropped</dt>
<dd style="margin-left: 8">
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised</dd>
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised</dd>
<dt>Attribution</dt>
<dd style="margin-left: 8">
<br>threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised</dd>
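Review bot: kusto-query is added to the Artifacts dropped category list, but this commit only touches category lists (4 files, category hunks throughout), not the attribute type enumeration that every category entry must reference; confirm the generated type section also declares kusto-query, otherwise the category now names a type the draft never defines. The same check applies to the eppn and email-src additions in the Network activity and Social network hunks of this file.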
@ -807,7 +807,7 @@
<br>text, link, comment, other, hex, anonymised</dd>
<dt>Network activity</dt>
<dd style="margin-left: 8">
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
<dt>Other</dt>
<dd style="margin-left: 8">
<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised</dd>
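Review bot: eppn is introduced here (and again in Social network) as a bare abbreviation with no expansion anywhere in the change; it is the only new type in this commit whose meaning is not obvious from its name, so the type definition section should spell it out as eduPersonPrincipalName, the federated-identity (SAML/Shibboleth) principal attribute, so that consumers can map it correctly. Inserting email-src and eppn right after email-dst rather than appending at the end is fine as long as the text rendering keeps the same order, which the later hunks show it does.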
@ -828,7 +828,7 @@
<br>first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised</dd>
<dt>Social network</dt>
<dd style="margin-left: 8">
<br>github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised</dd>
<br>github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised</dd>
<dt>Support Tool</dt>
<dd style="margin-left: 8">
<br>link, text, attachment, comment, other, hex, anonymised</dd>
@ -990,7 +990,7 @@
<br>link, comment, text, hex, attachment, other, anonymised</dd>
<dt>Artifacts dropped</dt>
<dd style="margin-left: 8">
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type, anonymised</dd>
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised</dd>
<dt>Attribution</dt>
<dd style="margin-left: 8">
<br>threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised</dd>
@ -1005,7 +1005,7 @@
<br>text, link, comment, other, hex, anonymised</dd>
<dt>Network activity</dt>
<dd style="margin-left: 8">
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
<dt>Other</dt>
<dd style="margin-left: 8">
<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised</dd>
@ -1026,7 +1026,7 @@
<br>first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised</dd>
<dt>Social network</dt>
<dd style="margin-left: 8">
<br>github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email, anonymised</dd>
<br>github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised</dd>
<dt>Support Tool</dt>
<dd style="margin-left: 8">
<br>link, text, attachment, comment, other, hex, anonymised</dd>

View File

@ -521,7 +521,7 @@ Internet-Draft MISP core format August 2018
sample, named pipe, mutex, windows-scheduled-task, windows-
service-name, windows-service-displayname, comment, text, hex,
x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-
sha256, other, cookie, gene, mime-type, anonymised
sha256, other, cookie, gene, kusto-query, mime-type, anonymised
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
@ -550,10 +550,10 @@ Internet-Draft MISP core format August 2018
Network activity
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-
agent, http-method, AS, snort, pattern-in-file, stix2-pattern,
pattern-in-traffic, attachment, comment, text, x509-fingerprint-
md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-
domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn,
url, uri, user-agent, http-method, AS, snort, pattern-in-file,
stix2-pattern, pattern-in-traffic, attachment, comment, text,
x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-
@ -562,8 +562,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 10]
Internet-Draft MISP core format August 2018
fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie,
hostname|port, bro, zeek, anonymised, community-id, email-subject
sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other,
hex, cookie, hostname|port, bro, zeek, anonymised, community-id,
email-subject
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
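Review bot: the regenerated core format text still carries the page footer "Expires February 9, 2019 [Page 10]" and the header "Internet-Draft MISP core format August 2018", yet this commit is dated 2019-12-30, so the draft is being republished with an expiry that has already passed. The galaxy format draft regenerated in this same commit shows "October 2019" and "Expires April 6, 2020"; bump the date in the core format source and regenerate so both drafts are current and consistent.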
@ -612,7 +613,6 @@ Internet-Draft MISP core format August 2018
Dulaunoy & Iklody Expires February 9, 2019 [Page 11]
Internet-Draft MISP core format August 2018
@ -631,8 +631,8 @@ Internet-Draft MISP core format August 2018
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other, whois-
registrant-email, anonymised
id, twitter-id, email-src, email-dst, eppn, comment, text, other,
whois-registrant-email, anonymised
Support Tool
link, text, attachment, comment, other, hex, anonymised
@ -917,7 +917,7 @@ Internet-Draft MISP core format August 2018
sample, named pipe, mutex, windows-scheduled-task, windows-
service-name, windows-service-displayname, comment, text, hex,
x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-
sha256, other, cookie, gene, mime-type, anonymised
sha256, other, cookie, gene, kusto-query, mime-type, anonymised
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
@ -955,12 +955,13 @@ Internet-Draft MISP core format August 2018
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-
agent, http-method, AS, snort, pattern-in-file, stix2-pattern,
pattern-in-traffic, attachment, comment, text, x509-fingerprint-
md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-
fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie,
hostname|port, bro, zeek, anonymised, community-id, email-subject
domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn,
url, uri, user-agent, http-method, AS, snort, pattern-in-file,
stix2-pattern, pattern-in-traffic, attachment, comment, text,
x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-
sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other,
hex, cookie, hostname|port, bro, zeek, anonymised, community-id,
email-subject
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
@ -1001,7 +1002,6 @@ Internet-Draft MISP core format August 2018
anonymised
Payload type
comment, text, other, anonymised
@ -1010,6 +1010,8 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 18]
Internet-Draft MISP core format August 2018
comment, text, other, anonymised
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, hex,
anonymised
@ -1027,8 +1029,8 @@ Internet-Draft MISP core format August 2018
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other, whois-
registrant-email, anonymised
id, twitter-id, email-src, email-dst, eppn, comment, text, other,
whois-registrant-email, anonymised
Support Tool
link, text, attachment, comment, other, hex, anonymised
@ -1056,8 +1058,6 @@ Internet-Draft MISP core format August 2018
to_ids represents whether the Attribute to be created if the
ShadowAttribute is accepted is meant to be actionable. Actionable
defined attributes that can be used in automated processes as a
pattern for detection in Local or Network Intrusion Detection System,
log analysis tools or even filtering mechanisms.
@ -1066,6 +1066,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 19]
Internet-Draft MISP core format August 2018
pattern for detection in Local or Network Intrusion Detection System,
log analysis tools or even filtering mechanisms.
to_ids is represented as a JSON boolean. to_ids MUST be present.
2.5.2.6. event_id
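Review bot: the sentence moved across the page break here, "Actionable defined attributes that can be used in automated processes as a pattern for detection ...", is missing its verb; since the lines are already being touched by the re-pagination, change it to "Actionable defines attributes that can be used in automated processes ...".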
@ -1108,11 +1111,8 @@ Internet-Draft MISP core format August 2018
comment is represented by a JSON string. comment MAY be present.
2.5.2.10. org_id
org_id represents a human-readable identifier referencing the
proposal creator's Organisation object. A human-readable identifier
MUST be represented as an unsigned integer.
@ -1122,6 +1122,12 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 20]
Internet-Draft MISP core format August 2018
2.5.2.10. org_id
org_id represents a human-readable identifier referencing the
proposal creator's Organisation object. A human-readable identifier
MUST be represented as an unsigned integer.
Whilst attributes can only be created by the event creator
organisation, shadow attributes can be created by third parties.
org_id tracks the creator organisation.
@ -1164,12 +1170,6 @@ Internet-Draft MISP core format August 2018
seen. first_seen as an ISO 8601 datetime up to the micro-second with
time zone support.
first_seen is represented as a JSON string. first_seen MAY be
present.
@ -1178,6 +1178,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 21]
Internet-Draft MISP core format August 2018
first_seen is represented as a JSON string. first_seen MAY be
present.
2.5.2.15. last_seen
last_seen represents a reference time when the attribute was last
@ -1223,9 +1226,6 @@ Internet-Draft MISP core format August 2018
within an event. Their main purpose is to describe more complex
structures than can be described by a single attribute Each object is
created using an Object Template and carries the meta-data of the
template used for its creation within. Objects belong to a meta-
category and are defined by a name.
@ -1234,6 +1234,9 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 22]
Internet-Draft MISP core format August 2018
template used for its creation within. Objects belong to a meta-
category and are defined by a name.
The schema used is described by the template_uuid and
template_version fields.
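Review bot: the moved text "structures than can be described by a single attribute Each object is created using an Object Template" lacks the full stop before "Each"; fix it while the paragraph is being re-paginated.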
@ -1262,9 +1265,6 @@ Internet-Draft MISP core format August 2018

View File

@ -522,8 +522,8 @@
<h1 id="rfc.section.2.4">
<a href="#rfc.section.2.4">2.4.</a> <a href="#meta" id="meta">meta</a>
</h1>
<p id="rfc.section.2.4.p.1">Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.</p>
<p id="rfc.section.2.4.p.2">refs, synonyms SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present.</p>
<p id="rfc.section.2.4.p.1">Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.</p>
<p id="rfc.section.2.4.p.2">refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. official-refs is represented as an array containing one or more strings and SHALL be present.</p>
<p id="rfc.section.2.4.p.3">date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.</p>
<p id="rfc.section.2.4.p.4">colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.</p>
<p id="rfc.section.2.4.p.5">complexity, effectiveness, impact, possible<em>issues MAY be used to give further information in preventive-measure galaxy. complexity is represented by an enumerated value from a fixed vocabulary and SHALL be present. effectiveness is represented by an enumerated value from a fixed vocabulary and SHALL be present. impact is represented by an enumerated value from a fixed vocabulary and SHALL be present. possible</em>issues is represented as a string and SHOULD be present.</p>
@ -546,7 +546,7 @@
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
}
</pre>
<p id="rfc.section.2.4.p.7">country, motive MAY be used to give further information in threat-actor galaxy. country is represented as a string and SHOULD be present. motive is represented as a string and SHOULD be present.</p>
<p id="rfc.section.2.4.p.7">country, motive, spoken-language MAY be used to give further information in threat-actor galaxy. country is represented as a string and SHOULD be present. motive is represented as a string and SHOULD be present. spoken-language is represented as an array containing one or more strings describing a language using ISO 639-2 code and SHALL be present.</p>
<p id="rfc.section.2.4.p.8">Example use of the country, motive fields in the threat-actor galaxy:</p>
<pre>{
"meta": {

View File

@ -195,14 +195,17 @@ Internet-Draft MISP galaxy format October 2019
filenames, ransomnotes-refs, suspected-victims, suspected-state-
sponsor, type-of-incident, target-category, cfr-suspected-victims,
cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
category, attribution-confidence, payment-method, price wherever
applicable. Additional meta field MAY be added without the need to
be referenced or registered in advance.
category, attribution-confidence, payment-method, price, spoken-
language, official-refs wherever applicable. Additional meta field
MAY be added without the need to be referenced or registered in
advance.
refs, synonyms SHALL be used to give further informations. refs is
refs, synonyms, official-refs SHALL be used to give further
informations. refs is represented as an array containing one or more
strings and SHALL be present. synonyms is represented as an array
containing one or more strings and SHALL be present. official-refs is
represented as an array containing one or more strings and SHALL be
present. synonyms is represented as an array containing one or more
strings and SHALL be present.
present.
date, status MAY be used to give time information about an cluster.
date is represented as a string describing a time or period and SHALL
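Review bot: the text rendering carries the same wording problems as the HTML one for this paragraph: "to give further informations" should be "to give further information", and the unchanged context line "time information about an cluster" should read "about a cluster". The SHALL-be-present requirement for official-refs also sits next to "Additional meta field MAY be added", so clarify that the requirement applies when the key is used.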
@ -215,9 +218,6 @@ Internet-Draft MISP galaxy format October 2019
field is described as an RGB colour fill in hexadecimal
representation.
complexity, effectiveness, impact, possible_issues MAY be used to
give further information in preventive-measure galaxy. complexity is
represented by an enumerated value from a fixed vocabulary and SHALL
@ -226,6 +226,9 @@ Dulaunoy, et al. Expires April 6, 2020 [Page 4]
Internet-Draft MISP galaxy format October 2019
complexity, effectiveness, impact, possible_issues MAY be used to
give further information in preventive-measure galaxy. complexity is
represented by an enumerated value from a fixed vocabulary and SHALL
be present. effectiveness is represented by an enumerated value from
a fixed vocabulary and SHALL be present. impact is represented by an
enumerated value from a fixed vocabulary and SHALL be present.
@ -252,9 +255,12 @@ Internet-Draft MISP galaxy format October 2019
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
}
country, motive MAY be used to give further information in threat-
actor galaxy. country is represented as a string and SHOULD be
present. motive is represented as a string and SHOULD be present.
country, motive, spoken-language MAY be used to give further
information in threat-actor galaxy. country is represented as a
string and SHOULD be present. motive is represented as a string and
SHOULD be present. spoken-language is represented as an array
containing one or more strings describing a language using ISO 639-2
code and SHALL be present.
Example use of the country, motive fields in the threat-actor galaxy:
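Review bot: "Example use of the country, motive fields in the threat-actor galaxy:" is unchanged context here, so the text rendering, like the HTML one, introduces spoken-language as a field that SHALL be present without showing it in the example that follows; extend the example and its lead-in to cover spoken-language, and clarify which ISO 639-2 code set (bibliographic or terminology) is meant.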
@ -271,12 +277,6 @@ Internet-Draft MISP galaxy format October 2019
Dulaunoy, et al. Expires April 6, 2020 [Page 5]
Internet-Draft MISP galaxy format October 2019