Merge pull request #36 from mausding/master

Domain name abuse taxonomy
pull/37/head
Alexandre Dulaunoy 2016-09-22 15:02:54 +02:00 committed by GitHub
commit 5c28042175
3 changed files with 91 additions and 0 deletions

@ -39,6 +39,11 @@
"description": "ISM (Information Security Marking Metadata) V13 as described by DNI.gov (Director of National Intelligence - US).",
"name": "dni-ism",
"version": 3
},
{
"description": "Taxonomy to tag domain names used for cybercrime.",
"name": "domain-abuse",
"version": 1
},
{
"description": "eCSIRT incident classification Appendix C of the eCSIRT EU project including IntelMQ updates.",
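Review bot: the MANIFEST description for `domain-abuse` ("Taxonomy to tag domain names used for cybercrime.") drops the europol-incident cross-reference that `domain-abuse/machinetag.json` carries in its own description ("Use europol-incident to tag abuse-activity"), so the two summaries of the same taxonomy now disagree; either use the same sentence in both places or keep the cross-reference only in machinetag.json and the README, where it is actionable.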

@ -16,6 +16,7 @@ The following taxonomies are described:
- [Cyber Kill Chain](./kill-chain) from Lockheed Martin
- DE German (DE) [Government classification markings (VS)](./de-vs)
- [DHS CIIP Sectors](./dhs-ciip-sectors)
- [Domain Name Abuse](./domain-abuse)
- [eCSIRT](./ecsirt) and IntelMQ incident classification
- [ENISA](./enisa) ENISA Threat Taxonomy
- [Estimative Language](./estimative-language) Estimative Language (ICD 203)
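Review bot: the new index entry `- [Domain Name Abuse](./domain-abuse)` carries no one-line summary, while neighbouring entries such as `- [eCSIRT](./ecsirt) and IntelMQ incident classification` and `- [ENISA](./enisa) ENISA Threat Taxonomy` do; consider `- [Domain Name Abuse](./domain-abuse) Taxonomy to tag domain names used for cybercrime` so the list is self-describing without scrolling to the section below.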
@ -60,6 +61,11 @@ Taxonomy for the handling of protectively marked information in MISP with German
DHS critical sectors as described in https://www.dhs.gov/critical-infrastructure-sectors.
### [Domain Name Abuse](./domain-abuse)
Taxonomy to tag domain names used for cybercrime.
We suggest to use europol-incident(./europol-incident) to tag abuse-activity.
### [eCSIRT](./ecsirt) and IntelMQ incident classification
eCSIRT incident classification Appendix C of the eCSIRT EU project including IntelMQ updates.
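Review bot: the cross-reference on the line `We suggest to use europol-incident(./europol-incident) to tag abuse-activity.` is missing its square brackets, so it renders as literal text with a stray parenthesised path instead of a link like every other taxonomy reference in this README; write it as `We suggest using [europol-incident](./europol-incident) to tag abuse-activity.` (which also fixes "suggest to use").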

@ -0,0 +1,80 @@
{
"namespace": "domain-abuse",
"expanded": "Domain Name Abuse",
"description": "Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity",
"version": 1,
"predicates": [
{
"value": "domain-access-method",
"description": "Domain Access - describes how the adversary has gained access to the domain name",
"expanded": "Domain access method"
},
{
"value": "domain-status",
"description": "Domain status - describes the registration status of the domain name",
"expanded": "Domain status"
}
],
"values": [
{
"predicate": "domain-status",
"entry": [
{
"value": "active",
"expanded": "Registered & active",
"description": "Domain name is registered and DNS is delegated"
},
{
"value": "inactive",
"expanded": "Registered & inactive",
"description": "Domain name is registered and DNS is not delegated"
},
{
"value": "suspended",
"expanded": "Registered & suspended",
"description": "Domain name is registered & DNS delegation is temporarily removed by the registry"
},
{
"value": "not-registered",
"expanded": "Not registered",
"description": "Domain name is not registered and open for registration"
},
{
"value": "not-registrable",
"expanded": "Not registrable",
"description": "Domain is not registered and cannot be registered"
},
{
"value": "grace-period",
"expanded": "Grace period",
"description": "Domain is deleted and still reserved for previous owner"
}
]
},
{
"predicate": "domain-access-method",
"entry": [
{
"value": "criminal-registration",
"expanded": "Criminal registration",
"description": "Domain name is registered for criminal purposes"
},
{
"value": "compromised-webserver",
"expanded": "Compromised webserver",
"description": "Webserver is compromised for criminal purposes"
},
{
"value": "compromised-dns",
"expanded": "Compromised DNS",
"description": "Compromised authoritative DNS or compromised delegation"
},
{
"value": "sinkhole",
"expanded": "Sinkhole",
"description": "Domain Name is sinkholed for research, detection, LE"
}
]
}
]
}
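Review bot: the `sinkhole` entry does not fit its predicate: `domain-access-method` is described as "how the adversary has gained access to the domain name", but a domain "sinkholed for research, detection, LE" is one that defenders or law enforcement have taken control of, not one the adversary accessed; either move it (for example under `domain-status`, next to `suspended`) or broaden the predicate description to cover who controls the domain rather than how the adversary got in. Two smaller points in the same file: the `domain-status` values (active, inactive, suspended, not-registered, not-registrable, grace-period) are mutually exclusive, so that predicate should carry `"exclusive": true` so MISP can treat a second status tag on the same object as a conflict; and the abbreviation "LE" in the `sinkhole` description should be spelled out as "law enforcement", since these descriptions are shown verbatim to analysts picking tags.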