From d2b66e23892c46c9731a885083bba19c2cf9d102 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 27 Oct 2016 07:38:17 +0200
Subject: [PATCH] New mapping taxonomy library added

A simple JSON format where a vernacular/common name describes all the potential associated machine tags. The format is a simple JSON object with a key for the common name which references a list of potential associated machine tags. The usage (in a first step) in MISP will be the following:
- The replacement in the index UI of the corresponding list of machine tags by the vernacular/common name.
- The ability to add automatically associated machine tags when tagging with the vernacular/common name. Even if the machine tags is not enabled in MISP, the tag will be added.
---
mapping/mapping.json | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 mapping/mapping.json

diff --git a/mapping/mapping.json b/mapping/mapping.json
new file mode 100644
index 0000000..bf39f41
--- /dev/null
+++ b/mapping/mapping.json
@@ -0,0 +1,44 @@
+{
+ "ransomware": [
+ "veris:action:malware:variety=\"Ransomware\"",
+ "ecsirt:malicious-code=\"ransomware\"",
+ "enisa:nefarious-activity-abuse=\"ransomware\"",
+ "malware_classification:malware-category=\"Ransomware\"",
+ "ms-caro-malware:malware-type=\"Ransom\"",
+ "veris:action:malware:variety=\"Ransomware\""
+ ],
+ "Remote Access Tool": [
+ "enisa:nefarious-activity-abuse=\"remote-access-tool\"",
+ "ms-caro-malware:malware-type=\"RemoteAccess\""
+ ],
+ "malware": [
+ "ecsirt:malicious-code=\"malware\"",
+ "circl:incident-classification=\"malware\""
+ ],
+ "exploit": [
+ "veris:action:malware:variety=\"Exploit vuln\"",
+ "ecsirt:intrusion-attempts=\"exploit\"",
+ "europol-event:exploit",
+ "europol-incident:intrusion=\"exploitation-vulnerability\"",
+ "ms-caro-malware:malware-type=\"Exploit\""
+ ],
+ "rootkit": [
+ "veris:action:malware:variety=\"Rootkit\"",
+ "enisa:nefarious-activity-abuse=\"rootkits\"",
+ "malware_classification:malware-category=\"Rootkit\""
+ ],
+ "SQLi": [
+ "circl:incident-classification=\"sql-injection\"",
+ "veris:action:malware:variety=\"SQL injection\"",
+ "veris:action:hacking:variety=\"SQLi\"",
+ "enisa:nefarious-activity-abuse=\"web-application-attacks-injection-attacks-code-injection-SQL-XSS\"",
+ "europol-event:sql-injection"
+ ],
+ "DDoS": [
+ "ecsirt:availability=\"ddos\"",
+ "europol-incident:availability=\"dos-ddos\"",
+ "ms-caro-malware:malware-type=\"DDoS\"",
+ "circl:incident-classification=\"denial-of-service\"",
+ "enisa:nefarious-activity-abuse=\"denial-of-service\""
+ ]
+}
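Review bot: The `"ransomware"` list carries `veris:action:malware:variety="Ransomware"` twice (first and last entry), so a consumer that auto-adds every mapped machine tag, as the commit message says MISP will, would try to apply the same tag twice; drop the final entry and the trailing comma on `"ms-caro-malware:malware-type=\"Ransom\""`. Nothing in the format itself prevents this, so whatever validates the file should also enforce uniqueness within each list and across keys. The common-name keys mix conventions (`ransomware`, `Remote Access Tool`, `SQLi`, `DDoS`); if they serve as lookup keys for the UI replacement, a documented casing rule or an explicitly case-insensitive match would avoid silent misses. Two mappings are broader than their common name suggests — the `enisa:...code-injection-SQL-XSS` value under `"SQLi"` also covers XSS, and `ms-caro-malware:malware-type="DDoS"` under `"DDoS"` classifies malware rather than an availability incident — which is presumably intentional but deserves a README note, since automatic tagging applies these unconditionally and, per the description, even when the taxonomy is disabled.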