Properly fix manifest.

pull/75/head
Raphaël Vinot 2017-09-01 00:49:13 +02:00
parent 8d4bc5fc26
commit e89715212c
4 changed files with 51 additions and 138 deletions

View File

@ -5,6 +5,11 @@
"name": "accessnow", "name": "accessnow",
"description": "Access Now" "description": "Access Now"
}, },
{
"version": 1,
"name": "action-taken",
"description": "Action taken."
},
{ {
"version": 1, "version": 1,
"name": "admiralty-scale", "name": "admiralty-scale",
@ -40,6 +45,11 @@
"name": "cssa", "name": "cssa",
"description": "" "description": ""
}, },
{
"version": 1,
"name": "ddos",
"description": "Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too."
},
{ {
"version": 1, "version": 1,
"name": "de-vs", "name": "de-vs",
@ -55,6 +65,11 @@
"name": "diamond-model", "name": "diamond-model",
"description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack." "description": "The Diamond Model for Intrusion Analysis, a phase-based model developed by Lockheed Martin, aims to help categorise and identify the stage of an attack."
}, },
{
"version": 1,
"name": "DML",
"description": "The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program."
},
{ {
"version": 3, "version": 3,
"name": "dni-ism", "name": "dni-ism",
@ -100,6 +115,11 @@
"name": "europol-incident", "name": "europol-incident",
"description": "EUROPOL class of incident taxonomy." "description": "EUROPOL class of incident taxonomy."
}, },
{
"version": 1,
"name": "event-assessment",
"description": "A series of assessment predicates describing the event assessment performed to make judgement(s) under a certain level of uncertainty."
},
{ {
"version": 1, "version": 1,
"name": "fr-classif", "name": "fr-classif",
@ -160,85 +180,50 @@
"name": "PAP", "name": "PAP",
"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used." "description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used."
}, },
{
"version": 3,
"name": "tlp",
"description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. Extended with TLP:EX:CHR."
},
{
"version": 2,
"name": "veris",
"description": "Vocabulary for Event Recording and Incident Sharing (VERIS)."
},
{
"version": 1,
"name": "stealth_malware",
"description": "Classification based on malware stealth techniques."
},
{
"version": 1,
"name": "targeted-threat-index",
"description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
},
{
"version": 1,
"name": "stix-ttp",
"description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
},
{
"version": 1,
"name": "accessnow",
"description": "AccessNow Taxonomy"
},
{ {
"version": 1, "version": 1,
"name": "passivetotal", "name": "passivetotal",
"description": "Tags for RiskIQ's passivetotal service" "description": "Tags for RiskIQ's passivetotal service"
}, },
{
"version": 1,
"name": "vocabulaire-des-probabilites-estimatives",
"description": "Vocabulaire des probabilités estimatives"
},
{
"version": 1,
"name": "DML",
"description": "The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program."
},
{
"version": 1,
"name": "action-taken",
"description": "Action taken"
},
{
"version": 2,
"name": "analyst-assessment",
"description": "A series of assessment predicates describing the analyst capabilities to perform analysis. These assessment can be assigned by the analyst him/herself or by another party evaluating the analyst."
},
{
"version": 1,
"name": "binary-class",
"description": "Custom taxonomy for types of binary file."
},
{
"version": 1,
"name": "ddos",
"description": "Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too."
},
{
"version": 1,
"name": "event-assessment",
"description": "A series of assessment predicates describing the event assessment performed to make judgement(s) under a certain level of uncertainty."
},
{ {
"version": 1, "version": 1,
"name": "rt_event_status", "name": "rt_event_status",
"description": "Status of events used in Request Tracker." "description": "Status of events used in Request Tracker."
}, },
{
"version": 1,
"name": "stealth_malware",
"description": "Classification based on malware stealth techniques."
},
{
"version": 1,
"name": "stix-ttp",
"description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
},
{
"version": 1,
"name": "targeted-threat-index",
"description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
},
{
"version": 3,
"name": "tlp",
"description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. Extended with TLP:EX:CHR."
},
{ {
"version": 1, "version": 1,
"name": "tor", "name": "tor",
"description": "Taxonomy to describe Tor network infrastructure" "description": "Taxonomy to describe Tor network infrastructure"
},
{
"version": 2,
"name": "veris",
"description": "Vocabulary for Event Recording and Incident Sharing (VERIS)."
},
{
"version": 1,
"name": "vocabulaire-des-probabilites-estimatives",
"description": "Vocabulaire des probabilités estimatives"
} }
], ],
"path": "machinetag.json", "path": "machinetag.json",

View File

@ -1,35 +0,0 @@
# Stealth Malware Taxonomy
## Malware Types
All malware samples should be classified into one of the categories listed in the table below.
<dl>
<dt>Type 0</dt>
<dd>No OS or system compromise. The malware runs as a normal user process using only official API calls.<dd>
<dt>Type I</dt>
<dd>The malware modifies constant sections of the kernel and/or processes such as code sections.<dd>
<dt>Type II</dt>
<dd>The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections.<dd>
<dt>Type III</dt>
<dd>The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques.<dd>
</dl>
# Machine-parsable Stealth Malware Taxonomy
The repository contains a [JSON file including the machine-parsable tags](machinetag.json)
along with their human-readable description. The software can use both
representation on the user-interface and store the tag as machine-parsable.
~~~~
stealth_malware:type="II"
~~~~
Based on:
https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf

View File

@ -1,37 +0,0 @@
{
"namespace": "stealth_malware",
"description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
"version": 1,
"refs": [
"https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf"
],
"predicates": [
{
"value": "type",
"expanded": "Stealth technique type"
}
],
"values": [
{
"predicate": "type",
"entry": [
{
"value": "0",
"expanded": "No OS or system compromise. The malware runs as a normal user process using only official API calls."
},
{
"value": "I",
"expanded": "The malware modifies constant sections of the kernel and/or processes such as code sections."
},
{
"value": "II",
"expanded": "The malware does not modify constant sections but only the dynamic sections of the kernel and/or processes such as data sections."
},
{
"value": "III",
"expanded": "The malware does not modify any sections of the kernel and/or processes but influences the system without modifying the OS. For example using hardware virtualization techniques."
}
]
}
]
}

View File

@ -15,7 +15,7 @@ fi
directories=`ls -d */ | wc -w` directories=`ls -d */ | wc -w`
manifest_entries=`cat MANIFEST.json | jq '.taxonomies | length'` manifest_entries=`cat MANIFEST.json | jq '.taxonomies | length'`
if ! [ $directories -eq $manifest_entries ]; then if ! [ $((directories-2)) -eq $manifest_entries ]; then
echo "MANIFEST isn't up-to-date." echo "MANIFEST isn't up-to-date."
exit 1 exit 1
fi fi