Merge branch 'master' of github.com:MISP/misp-taxonomies
Conflicts: tools/machinetag.py
commit
33ed9b4e83
|
@ -18,6 +18,8 @@ The following taxonomies are described:
|
|||
- [eCSIRT](./ecsirt) and IntelMQ incident classification
|
||||
- [EU critical sectors](./eu-critical-sectors) - EU critical sectors
|
||||
- [EUCI](./euci) - EU classified information marking
|
||||
- [Europol Incident](./europol-incident) - Europol class of incident taxonomy
|
||||
- [Europol Events](./europol-events) - Europol type of events taxonomy
|
||||
- [FIRST CSIRT Case](./first_csirt_case_classification) classification
|
||||
- [Information Security Marking Metadata](./dni-ism) from DNI (Director of National Intelligence - US)
|
||||
- [Malware](./malware) classification based on a SANS document
|
||||
|
|
|
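--- /dev/null
+++ b/PATH_NOT_SHOWN_europol-events-taxonomy
@@ -0,0 +1,239 @@
+{
+"namespace": "europol-event",
+"expanded": "Europol type of events taxonomy",
+"description": "This taxonomy was designed to describe the type of events",
+"version": 1,
+"predicates": [
+{
+"value": "infected-by-known-malware",
+"expanded": "System(s) infected by known malware",
+"description": "The presence of any of the types of malware was detected in a system."
+},
+{
+"value": "dissemination-malware-email",
+"expanded": "Dissemination of malware by email",
+"description": "Malware attached to a message or email message containing link to malicious URL."
+},
+{
+"value": "hosting-malware-webpage",
+"expanded": "Hosting of malware on web page",
+"description": " Web page disseminating one or various types of malware."
+},
+{
+"value": "c&c-server-hosting",
+"expanded": "Hosting of malware on web page",
+"description": "Web page disseminating one or various types of malware."
+},
+{
+"value": "worm-spreading",
+"expanded": "Replication and spreading of a worm",
+"description": "System infected by a worm trying to infect other systems."
+},
+{
+"value": "connection-malware-port",
+"expanded": "Connection to (a) suspicious port(s) linked to specific malware",
+"description": "System attempting to gain access to a port normally linked to a specific type of malware."
+},
+{
+"value": "connection-malware-system",
+"expanded": "Connection to (a) suspicious system(s) linked to specific malware",
+"description": "System attempting to gain access to an IP address or URL normally linked to a specific type of malware, e.g. C&C or a distribution page for components linked to a specific botnet."
+},
+{
+"value": "flood",
+"expanded": "Flood of requests",
+"description": "Mass mailing of requests (network packets, emails, etc...) from one single source to a specific service, aimed at affecting its normal functioning."
+},
+{
+"value": "exploit-tool-exhausting-resources",
+"expanded": "Exploit or tool aimed at exhausting resources (network, processing capacity, sessions, etc...)",
+"description": "One single source using specially designed software to affect the normal functioning of a specific service, by exploiting a vulnerability."
+},
+{
+"value": "packet-flood",
+"expanded": "Packet flooding",
+"description": "Mass mailing of requests (network packets, emails, etc...) from various sources to a specific service, aimed at affecting its normal functioning."
+},
+{
+"value": "exploit-framework-exhausting-resources",
+"expanded": "Exploit or tool distribution aimed at exhausting resources",
+"description": "Various sources using specially designed software to affect the normal functioning of a specific service, by exploiting a vulnerability."
+},
+{
+"value": "vandalism",
+"expanded": "Vandalism",
+"description": "Logical and physical activities which – although they are not aimed at causing damage to information or at preventing its transmission among systems – have this effect."
+},
+{
+"value": "disruption-data-transmission",
+"expanded": "Intentional disruption of data transmission and processing mechanisms",
+"description": "Logical and physical activities aimed at causing damage to information or at preventing its transmission among systems."
+},
+{
+"value": "system-probe",
+"expanded": "System probe",
+"description": "Single system scan searching for open ports or services using these ports for responding."
+},
+{
+"value": "network-scanning",
+"expanded": "Network scanning",
+"description": "Scanning a network aimed at identifying systems which are active in the same network."
+},
+{
+"value": "dns-zone-transfer",
+"expanded": "DNS zone transfer",
+"description": "Transfer of a specific DNS zone."
+},
+{
+"value": "wiretapping",
+"expanded": "Wiretapping",
+"description": "Logical or physical interception of communications."
+},
+{
+"value": "dissemination-phishing-emails",
+"expanded": "Dissemination of phishing emails",
+"description": "Mass emailing aimed at collecting data for phishing purposes with regard to the victims."
+},
+{
+"value": "hosting-phishing-sites",
+"expanded": "Hosting phishing sites",
+"description": "Hosting web sites for phishing purposes."
+},
+{
+"value": "aggregation-information-phishing-schemes",
+"expanded": "Aggregation of information gathered through phishing schemes",
+"description": "Collecting data obtained through phishing attacks on web pages, email accounts, etc..."
+},
+{
+"value": "exploit-attempt",
+"expanded": "Exploit attempt",
+"description": "Unsuccessful use of a tool exploiting a specific vulnerability of the system."
+},
+{
+"value": "sql-injection-attempt",
+"expanded": "SQL injection attempt",
+"description": "Unsuccessful attempt to manipulate or read the information of a database by using the SQL injection technique."
+},
+{
+"value": "xss-attempt",
+"expanded": "XSS attempt",
+"description": "Unsuccessful attempts to perform attacks by using cross-site scripting techniques."
+},
+{
+"value": "file-inclusion-attempt",
+"expanded": "File inclusion attempt",
+"description": "Unsuccessful attempt to include files in the system under attack by using file inclusion techniques."
+},
+{
+"value": "brute-force-attempt",
+"expanded": "Brute force attempt",
+"description": "Unsuccessful login attempt by using sequential credentials for gaining access to the system."
+},
+{
+"value": "password-cracking-attempt",
+"expanded": "Password cracking attempt",
+"description": "Attempt to acquire access credentials by breaking the protective cryptographic keys."
+},
+{
+"value": "dictionary-attack-attempt",
+"expanded": "Dictionary attack attempt",
+"description": "Unsuccessful login attempt by using system access credentials previously loaded into a dictionary."
+},
+{
+"value": "exploit",
+"expanded": "Use of a local or remote exploit",
+"description": "Successful use of a tool exploiting a specific vulnerability of the system."
+},
+{
+"value": "sql-injection",
+"expanded": "SQL injection",
+"description": "Manipulation or reading of information contained in a database by using the SQL injection technique."
+},
+{
+"value": "xss",
+"expanded": "XSS",
+"description": "Attacks performed with the use of cross-site scripting techniques."
+},
+{
+"value": "file-inclusion",
+"expanded": "File inclusion",
+"description": "Inclusion of files into a system under attack with the use of file inclusion techniques."
+},
+{
+"value": "control-system-bypass",
+"expanded": "Control system bypass",
+"description": "Unauthorised access to a system or component by bypassing an access control system in place."
+},
+{
+"value": "theft-access-credentials",
+"expanded": "Theft of access credentials",
+"description": "Unauthorised access to a system or component by using stolen access credentials."
+},
+{
+"value": "unauthorized-access-system",
+"expanded": "Unauthorised access to a system",
+"description": "Unauthorised access to a system or component."
+},
+{
+"value": "unauthorized-access-information",
+"expanded": "Unauthorised access to information",
+"description": "Unauthorised access to a set of information."
+},
+{
+"value": "data-exfiltration",
+"expanded": "Data exfiltration",
+"description": "Unauthorised access to and sharing of a specific set of information."
+},
+{
+"value": "modification-information",
+"expanded": "Modification of information",
+"description": "Unauthorised changes to a specific set of information."
+},
+{
+"value": "deletion-information",
+"expanded": "Deletion of information",
+"description": "Unauthorised deleting of a specific set of information."
+},
+{
+"value": "illegitimate-use-resources",
+"expanded": "Misuse or unauthorised use of resources",
+"description": "Use of institutional resources for purposes other than those intended."
+},
+{
+"value": "illegitimate-use-name",
+"expanded": "Illegitimate use of the name of an institution or third party",
+"description": "Using the name of an institution without permission to do so."
+},
+{
+"value": "email-flooding",
+"expanded": "Email flooding",
+"description": "Sending an unusually large quantity of email messages."
+},
+{
+"value": "spam",
+"expanded": "Sending an unsolicited message",
+"description": "Sending an email message that was unsolicited or unwanted by the recipient."
+},
+{
+"value": "copyrighted-content",
+"expanded": "Distribution or sharing of copyright protected content",
+"description": "Distribution or sharing of content protected by copyright and related rights."
+},
+{
+"value": "content-forbidden-by-law",
+"expanded": "Dissemination of content forbidden by law (publicly prosecuted offences)",
+"description": "Distribution or sharing of illegal content such as child pornography, racism, xenophobia, etc..."
+},
+{
+"value": "unspecified",
+"expanded": "Other unspecified event",
+"description": "Other unlisted events."
+},
+{
+"value": "undetermined",
+"expanded": "Undetermined",
+"description": "Field aimed at the classification of unprocessed events, which have remained undetermined from the beginning."
+}
+],
+"values": null
+}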
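Review bot: The `c&c-server-hosting` predicate carries the `expanded` and `description` text of the preceding `hosting-malware-webpage` entry ("Hosting of malware on web page" / "Web page disseminating one or various types of malware."), so any tag built from it will display as a malware-hosting event rather than a C&C server; both fields need C&C-specific wording, for example `"expanded": "Hosting of a C&C server"`. The `namespace` is `europol-event` (singular) while the README link and the new `'europol-events'` entry in the tools/machinetag.py hunk use the plural; if the tool derives the tag prefix from the namespace — its loader is not visible here — generated tags and the documented name will disagree, so one of the two should be aligned before merge. The `hosting-malware-webpage` description also begins with a stray leading space. The `&` in the value `c&c-server-hosting` (and `c&c` in the europol-incident file) may need escaping wherever tags end up in URLs or query strings; worth confirming with the consuming tooling.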
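--- /dev/null
+++ b/PATH_NOT_SHOWN_europol-incident-taxonomy
@@ -0,0 +1,195 @@
+{
+"version": 1,
+"description": "This taxonomy was designed to describe the type of incidents by class.",
+"expanded": "Europol class of incidents taxonomy",
+"namespace": "europol-incident",
+"predicates": [
+{
+"value": "malware",
+"expanded": "Malware"
+},
+{
+"value": "availability",
+"expanded": "Availability"
+},
+{
+"value": "information-gathering",
+"expanded": "Gathering of information"
+},
+{
+"value": "intrusion-attempt",
+"expanded": "Intrusion attempt"
+},
+{
+"value": "intrusion",
+"expanded": "Intrusion"
+},
+{
+"value": "information-security",
+"expanded": "Information security"
+},
+{
+"value": "fraud",
+"expanded": "Fraud"
+},
+{
+"value": "abusive-content",
+"expanded": "Abusive content"
+},
+{
+"value": "other",
+"expanded": "Other"
+}
+],
+"values": [
+{
+"predicate": "malware",
+"entry": [
+{
+"value": "infection",
+"expanded": "Infection",
+"description": "Infecting one or various systems with a specific type of malware."
+},
+{
+"value": "distribution",
+"expanded": "Distribution",
+"description": "Infecting one or various systems with a specific type of malware."
+},
+{
+"value": "c&c",
+"expanded": "C&C",
+"description": "Infecting one or various systems with a specific type of malware."
+},
+{
+"value": "undetermined",
+"expanded": "Undetermined"
+}
+]
+},
+{
+"predicate": "availability",
+"entry": [
+{
+"value": "dos-ddos",
+"expanded": "DoS/DDoS",
+"description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative."
+},
+{
+"value": "sabotage",
+"expanded": "Sabotage",
+"description": "Premeditated action to damage a system, interrupt a process, change or delete information, etc."
+}
+]
+},
+{
+"predicate": "information-gathering",
+"entry": [
+{
+"value": "scanning",
+"expanded": "Scanning",
+"description": "Active and passive gathering of information on systems or networks."
+},
+{
+"value": "sniffing",
+"expanded": "Sniffing",
+"description": "Unauthorised monitoring and reading of network traffic."
+},
+{
+"value": "phishing",
+"expanded": "Phishing",
+"description": "Attempt to gather information on a user or a system through phishing methods."
+}
+]
+},
+{
+"predicate": "intrusion-attempt",
+"entry": [
+{
+"value": "exploitation-vulnerability",
+"expanded": "Exploitation of vulnerability",
+"description": "Attempt to intrude by exploiting a vulnerability in a system, component or network."
+},
+{
+"value": "login-attempt",
+"expanded": "Login attempt",
+"description": "Attempt to log in to services or authentication / access control mechanisms."
+}
+]
+},
+{
+"predicate": "intrusion",
+"entry": [
+{
+"value": "exploitation-vulnerability",
+"expanded": "Exploitation of vulnerability",
+"description": "Actual intrusion by exploiting a vulnerability in the system, component or network."
+},
+{
+"value": "compromising-account",
+"expanded": "Compromising an account",
+"description": "Actual intrusion in a system, component or network by compromising a user or administrator account."
+}
+]
+},
+{
+"predicate": "information-security",
+"entry": [
+{
+"value": "unauthorized-access",
+"expanded": "Unauthorised access",
+"description": "Unauthorised access to a particular set of information"
+},
+{
+"value": "unauthorized-modification",
+"expanded": "Unauthorised modification/deletion",
+"description": "Unauthorised change or elimination of a particular set of information"
+}
+]
+},
+{
+"predicate": "fraud",
+"entry": [
+{
+"value": "illegitimate-use-resources",
+"expanded": "Misuse or unauthorised use of resources",
+"description": "Use of institutional resources for purposes other than those intended."
+},
+{
+"value": "illegitimate-use-name",
+"expanded": "Illegitimate use of the name of a third party",
+"description": "Use of the name of an institution without permission to do so."
+}
+]
+},
+{
+"predicate": "abusive-content",
+"entry": [
+{
+"value": "spam",
+"expanded": "SPAM",
+"description": " Sending SPAM messages."
+},
+{
+"value": "copyright",
+"expanded": "Copyright",
+"description": "Distribution and sharing of copyright protected content."
+},
+{
+"value": "content-forbidden-by-law",
+"expanded": "Dissemination of content forbidden by law.",
+"description": "Child pornography, racism and apology of violence."
+}
+]
+},
+{
+"predicate": "other",
+"entry": [
+{
+"value": "other",
+"expanded": "Other",
+"description": " Other type of unspecified incident"
+}
+]
+}
+]
+}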
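Review bot: The `distribution` and `c&c` entries under the `malware` predicate repeat the `infection` description verbatim ("Infecting one or various systems with a specific type of malware."), so three distinct sub-classes are documented as the same thing; each needs its own text, for example `"description": "Distributing a specific type of malware to one or various systems."` for `distribution` and a C&C-specific sentence for `c&c`. The `spam` and `other` descriptions start with a stray leading space, and the two `information-security` descriptions lack the closing period every other description in the file carries. The value `exploitation-vulnerability` appears under both `intrusion-attempt` and `intrusion`, which is only safe if the consumer scopes entry values by predicate — the loader is not visible here, so worth confirming. Top-level key order also differs from the europol-events file (`version` first here, `namespace` first there); harmless for JSON, but aligning it makes the two files easier to compare.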
@ -30,7 +30,7 @@ import json
|
|||
import os.path
|
||||
import argparse
|
||||
|
||||
taxonomies = ['admiralty-scale', 'adversary', 'tlp', 'circl', 'veris', 'ecsirt', 'enisa', 'dni-ism', 'nato', 'euci', 'osint', 'first_csirt_case_classification', 'malware', 'de-vs', 'fr-classification','eu-critical-sectors','dhs-ciip-sectors']
|
||||
taxonomies = ['admiralty-scale', 'adversary', 'tlp', 'circl', 'veris', 'ecsirt', 'enisa', 'dni-ism', 'europol-events', 'europol-incident', 'nato', 'euci', 'osint', 'first_csirt_case_classification', 'malware', 'de-vs', 'fr-classification','eu-critical-sectors','dhs-ciip-sectors']
|
||||
argParser = argparse.ArgumentParser(description='Dump Machine Tags (Triple Tags) from MISP taxonomies', epilog='Available taxonomies are {0}'.format(taxonomies))
|
||||
argParser.add_argument('-e', action='store_true', help='Include expanded tags')
|
||||
argParser.add_argument('-a', action='store_true', help='Generate asciidoctor document from MISP taxonomies')
|
||||
|
|
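Review bot: The new `taxonomies` line is a single ~250-character literal holding nearly twenty quoted names with inconsistent spacing after the commas (`'fr-classification','eu-critical-sectors','dhs-ciip-sectors'` versus `', '` elsewhere), which is also why this merge conflicted on exactly this line. Writing the list as a multi-line literal with one entry per line and a trailing comma keeps each future taxonomy addition to a one-line diff that merges cleanly. The two new entries are inserted after `'dni-ism'` rather than appended, while the README lists them alphabetically; either order works, but the list should follow one convention. Because the commit message records a conflict in this file, it is worth running the script once after the merge to confirm no conflict markers survived outside this hunk.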