misp-taxonomies/honeypot-basic/machinetag.json

175 lines
5.9 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

{
"namespace": "honeypot-basic",
"description": "Updated (CIRCL, Seamus Dowling and EURECOM) from Christian Seifert, Ian Welch, Peter Komisarczuk, Taxonomy of Honeypots, Technical Report CS-TR-06/12, VICTORIA UNIVERSITY OF WELLINGTON, School of Mathematical and Computing Sciences, June 2006, http://www.mcs.vuw.ac.nz/comp/Publications/archive/CS-TR-06/CS-TR-06-12.pdf",
"version": 4,
"predicates": [
{
"value": "interaction-level",
"expanded": "Interaction Level",
"description": "Describes whether the exposed functionality of a honeypot is limited in some way, which is usually the case for honeypots that simulate services."
},
{
"value": "data-capture",
"expanded": "Data Capture",
"description": "Describes the type of data a honeypot is able to capture"
},
{
"value": "containment",
"expanded": "Containment",
"description": "Classifies the measures a honeypot takes to defend against malicious activity spreading from itself."
},
{
"value": "distribution-appearance",
"expanded": "Distribution Appearance",
"description": "Describes whether the honeypot system appears to be confined to one system or multiple systems."
},
{
"value": "communication-interface",
"expanded": "Communication Interface",
"description": "Describes the interfaces one can use to interact directly with the honeypot."
},
{
"value": "role",
"expanded": "Role in Multi-tier Architecture",
"description": "Describes in what role the honeypot acts within a multi-tier architecture."
}
],
"values": [
{
"predicate": "interaction-level",
"entry": [
{
"value": "high",
"expanded": "High Interaction Level",
"description": "Exposed functionality of the honeypot is not limited."
},
{
"value": "medium",
"expanded": "Medium Interaction Level",
"description": "Exposed functionality of the honeypot is limited to the service without exposing the full operating system."
},
{
"value": "low",
"expanded": "low Interaction Level",
"description": "Exposed functionality being limited. For example, a simulated SSH server of a honeypot is not able to authenticate against a valid login/password combination."
},
{
"value": "none",
"expanded": "No interaction capabilities",
"description": "No exposed functionality in the honeypot."
},
{
"value": "adaptive",
"expanded": "Learns from attack interaction",
"description": "Learns from attack interaction"
}
]
},
{
"predicate": "data-capture",
"entry": [
{
"value": "network-capture",
"expanded": "Network capture",
"description": "The honeypot collects raw network capture."
},
{
"value": "events",
"expanded": "Events",
"description": "The honeypot collects data about something that has happened or took place, a change in state."
},
{
"value": "attacks",
"expanded": "Attacks",
"description": "The honeypot collects malicious activity."
},
{
"value": "intrusions",
"expanded": "Intrusions",
"description": "The honeypot collects malicious activity that leads to a security failure."
},
{
"value": "none",
"expanded": "None",
"description": "The honeypot does not collect events, attacks, or intrusions."
}
]
},
{
"predicate": "containment",
"entry": [
{
"value": "block",
"expanded": "Block",
"description": "Attackers actions are identified and blocked. The attack never reaches the target."
},
{
"value": "defuse",
"expanded": "Defuse",
"description": "The attack reaches the target, but is manipulated in a way that it fails against the target."
},
{
"value": "slow-down",
"expanded": "Slow Down",
"description": "Attacker is slowed down in his actions of spreading malicious activity."
},
{
"value": "none",
"expanded": "None",
"description": "No action is taken to limit the intruders spread of malicious activity against other systems."
}
]
},
{
"predicate": "distribution-appearance",
"entry": [
{
"value": "distributed",
"expanded": "Distributed",
"description": "The honeypot is or appears to be composed of multiple systems."
},
{
"value": "stand-alone",
"expanded": "Stand-Alone",
"description": "The honeypot is or appears to be one system."
}
]
},
{
"predicate": "communication-interface",
"entry": [
{
"value": "network-interface",
"expanded": "Network Interface",
"description": "The honeypot can be directly communicated with via a network interface."
},
{
"value": "hardware-interface",
"expanded": "Non-Network Hardware Interface",
"description": "Examples: Printer port, CDROM drives, USB connections."
},
{
"value": "software-api",
"expanded": "Software API",
"description": "The honeypot can be interacted with via a software API."
}
]
},
{
"predicate": "role",
"entry": [
{
"value": "server",
"expanded": "Server",
"description": "The honeypot is passively awaiting requests from clients."
},
{
"value": "client",
"expanded": "Client",
"description": "The honeypot is actively initiating requests to servers."
}
]
}
]
}