From 2c83e66d9f96bb898cb9895dfcd46f6a23902426 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 12 Dec 2017 17:25:44 +0100
Subject: [PATCH] Objects updated
---
objects.html | 3460 +-
objects.pdf | 141561 ++++++++++++++++++++++++------------------------
2 files changed, 72486 insertions(+), 72535 deletions(-)
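Review bot: the diffstat shows objects.pdf changing by 141561 lines (72486 insertions and 72535 deletions across both files), which means the regenerated PDF is being versioned as a text diff and dominates the commit; the commit message "Objects updated" also does not say which object definitions changed. Suggest keeping generated artefacts such as objects.pdf out of the commit (or building them at release time) and naming the updated objects in the message so the history stays reviewable.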
diff --git a/objects.html b/objects.html
index 3136a0b..9e591b9 100755
--- a/objects.html
+++ b/objects.html
@@ -558,26 +558,6 @@ ail-leak is a MISP object available in JSON format at type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
--
origin
text
The link where the leak is (or was) accessible at first-seen.
--
duplicate_number
counter
last-seen
datetime
raw-data
attachment
When the leak has been accessible or seen for the last time.
+Raw data as received by the AIL sensor compressed and encoded in Base64.
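Review bot: throughout this ail-leak hunk the attributes (type, origin, duplicate_number, last-seen, raw-data, first-seen) keep their descriptions and only change position, so the diff records ordering noise rather than a content change. Since objects.html mirrors the JSON object definitions, emitting the attribute tables in a stable order (for example sorted by attribute name) would make a real description change visible in future diffs.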
@@ -608,16 +588,6 @@ ail-leak is a MISP object available in JSON format at
first-seen
datetime
When the leak has been accessible or seen for the first time.
--
sensor
text
original-date
last-seen
datetime
When the information available in the leak was created. It’s usually before the first-seen.
+When the leak has been accessible or seen for the last time.
first-seen
datetime
When the leak has been accessible or seen for the first time.
++
origin
text
The link where the leak is (or was) accessible at first-seen.
++
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
duplicate
text
raw-data
attachment
original-date
datetime
Raw data as received by the AIL sensor compressed and encoded in Base64.
+When the information available in the leak was created. It’s usually before the first-seen.
@@ -754,80 +754,10 @@ asn is a MISP object available in JSON format at
country
mp-export
text
Country code of the main location of the autonomous system
--
subnet-announced
ip-src
Subnet announced
--
mp-import
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
export
text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
last-seen
datetime
Last time the ASN was seen
--
first-seen
datetime
First time the ASN was seen
--
description
text
Description of the autonomous system
--
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
+This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
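Review bot: the mp-export description at the end of this hunk ends with "The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format", which reads as a truncated sentence copied from the mp-import wording. Suggest "The policy is expressed in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5 format." and applying the fix in the asn object definition rather than in this generated file.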
@@ -844,10 +774,80 @@ asn is a MISP object available in JSON format at
mp-export
country
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
+Country code of the main location of the autonomous system
++
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
++
first-seen
datetime
First time the ASN was seen
++
last-seen
datetime
Last time the ASN was seen
++
mp-import
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
++
subnet-announced
ip-src
Subnet announced
++
description
text
Description of the autonomous system
++
export
text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
@@ -892,6 +892,16 @@ av-signature is a MISP object available in JSON format at
signature
text
Name of detection signature
++
software
text
signature
text
Name of detection signature
--
cookie
+cookie
Full cookie
++
type
text
text
text
A description of the cookie.
++
cookie-name
text
text
text
A description of the cookie.
--
cookie
cookie
Full cookie
--
format
-text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
--
notification
text
password
text
Password
--
text
text
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
++
origin
text
password
text
Password
++
name
-text
Name of the card owner.
--
comment
comment
version
text
Version of the card.
--
issued
datetime
Initial date of validity or issued date.
--
cc-number
cc-number
version
text
Version of the card.
++
name
text
Name of the card owner.
++
issued
datetime
Initial date of validity or issued date.
++
ip-src
-ip-src
IP address originating the attack
--
domain-dst
domain
Destination domain (victim)
--
text
protocol
text
Description of the DDoS
+Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
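Review bot: in the credential and cookie parts of this region the password attribute is described only as "Password" and the cookie attribute as "Full cookie", which restate the name without telling the reader what value is expected. Suggest tying password to the format attribute listed just above it (clear-text, hashed, encrypted, unknown) so that a consumer knows whether the stored value is a raw secret or a digest, and stating for cookie whether the value is the raw Set-Cookie string or only name=value.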
@@ -1412,12 +1392,42 @@ ddos is a MISP object available in JSON format at
src-port
port
Port originating the attack
++
last-seen
datetime
End of the attack
+
text
text
Description of the DDoS
++
domain-dst
domain
Destination domain (victim)
+
first-seen
-datetime
ip-src
ip-src
Beginning of the attack
--
src-port
port
Port originating the attack
+IP address originating the attack
@@ -1462,13 +1462,13 @@ ddos is a MISP object available in JSON format at
protocol
text
first-seen
datetime
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
+Beginning of the attack
+
domain
-domain
Domain name
--
last-seen
datetime
Last time the tuple has been seen
+
domain
domain
Domain name
+
+
+
os_abi
+number-sections
counter
Number of sections
++
arch
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
+Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
@@ -1638,20 +1648,10 @@ elf is a MISP object available in JSON format at
number-sections
counter
Number of sections
--
arch
os_abi
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
+Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
@@ -1696,60 +1696,10 @@ elf-section is a MISP object available in JSON format at
sha512/224
sha512/224
sha512/256
sha512/256
Secure Hash Algorithm 2 (224 bits)
--
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
entropy
float
Entropy of the whole section
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
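Review bot: in this elf-section hunk sha512/224 carries the same description as sha224, "Secure Hash Algorithm 2 (224 bits)", and sha512/256 the same as sha256, "Secure Hash Algorithm 2 (256 bits)", so the rendered table no longer distinguishes the truncated SHA-512 variants from SHA-224/SHA-256. Suggest wording such as "SHA-512/224 (SHA-512 truncated to 224 bits)"; the same duplicated descriptions appear in the file, macho-section and pe-section listings further down.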
@@ -1766,6 +1716,16 @@ elf-section is a MISP object available in JSON format at
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha512
sha512
md5
md5
[Insecure] MD5 hash (128 bits)
++
name
text
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
flag
text
ssdeep
ssdeep
sha224
sha224
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Secure Hash Algorithm 2 (224 bits)
@@ -1816,13 +1796,13 @@ elf-section is a MISP object available in JSON format at
sha512/256
sha512/256
entropy
float
Secure Hash Algorithm 2 (256 bits)
+Entropy of the whole section
+
type
+text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
sha384
sha384
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
mime-boundary
-email-mime-boundary
MIME Boundary
--
from
email-src
Sender email address
--
send-date
datetime
Date the email has been sent
--
to
email-dst
cc
email-dst
Carbon copy
++
from
email-src
Sender email address
++
to-display-name
email-dst-display-name
attachment
email-attachment
message-id
email-message-id
Attachment
+Message ID
screenshot
attachment
x-mailer
email-x-mailer
Screenshot of email
+X-Mailer generally tells the program that was used to draft and send the original email
@@ -1974,6 +1964,26 @@ email is a MISP object available in JSON format at
mime-boundary
email-mime-boundary
MIME Boundary
++
thread-index
email-thread-index
Identifies a particular conversation thread
++
reply-to
email-reply-to
message-id
email-message-id
screenshot
attachment
Message ID
+Screenshot of email
cc
email-dst
send-date
datetime
Carbon copy
+Date the email has been sent
-
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
--
thread-index
email-thread-index
Identifies a particular conversation thread
-+
attachment
email-attachment
Attachment
++
sha512/224
-sha512/224
tlsh
tlsh
Secure Hash Algorithm 2 (224 bits)
+Fuzzy hash by Trend Micro: Locality Sensitive Hash
@@ -2102,60 +2102,10 @@ file is a MISP object available in JSON format at
state
text
sha512/256
sha512/256
State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
--
filename
filename
Filename on disk
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
entropy
float
Entropy of the whole file
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
@@ -2172,80 +2122,10 @@ file is a MISP object available in JSON format at
sha384
sha384
sha512/224
sha512/224
Secure Hash Algorithm 2 (384 bits)
--
malware-sample
malware-sample
The file itself (binary)
--
size-in-bytes
size-in-bytes
Size of the file, in bytes
--
mimetype
text
Mime type
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
text
text
Free text value to attach to the file
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
+Secure Hash Algorithm 2 (224 bits)
@@ -2262,10 +2142,20 @@ file is a MISP object available in JSON format at
authentihash
authentihash
state
text
Authenticode executable signature hash
+State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
++
md5
md5
[Insecure] MD5 hash (128 bits)
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
text
text
Free text value to attach to the file
++
filename
filename
Filename on disk
++
entropy
float
Entropy of the whole file
++
authentihash
authentihash
Authenticode executable signature hash
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
malware-sample
malware-sample
The file itself (binary)
++
mimetype
text
Mime type
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
city
-text
City.
--
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
--
longitude
float
region
text
latitude
float
Region.
+The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
+
latitude
-float
first-seen
datetime
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
+When the location was seen for the first time.
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
country
text
first-seen
datetime
region
text
When the location was seen for the first time.
+Region.
+
+
city
text
City.
+
host
-hostname
content-type
other
The domain name of the server
+The MIME type of the body of the request
@@ -2468,20 +2468,20 @@ http-request is a MISP object available in JSON format at
proxy-password
basicauth-user
text
HTTP Proxy Password
+HTTP Basic Authentication Username
user-agent
user-agent
proxy-user
text
The user agent string of the user agent
+HTTP Proxy Username
@@ -2498,20 +2498,10 @@ http-request is a MISP object available in JSON format at
url
url
Full HTTP Request URL
--
basicauth-password
proxy-password
text
HTTP Basic Authentication Password
+HTTP Proxy Password
@@ -2528,10 +2518,20 @@ http-request is a MISP object available in JSON format at
basicauth-user
basicauth-password
text
HTTP Basic Authentication Username
+HTTP Basic Authentication Password
++
host
hostname
The domain name of the server
@@ -2548,20 +2548,10 @@ http-request is a MISP object available in JSON format at
proxy-user
text
user-agent
user-agent
HTTP Proxy Username
--
content-type
other
The MIME type of the body of the request
+The user agent string of the user agent
url
url
Full HTTP Request URL
++
+
+
+
ip-src
-ip-src
ip-dst
ip-dst
Source IP Address
+Destination IP address
@@ -2740,7 +2740,7 @@ ja3 is a MISP object available in JSON format at
+
+
ip-src
ip-src
Source IP Address
+
ip-dst
ip-dst
Destination IP address
--
name
-text
number-sections
counter
Binary’s name
--
entrypoint-address
text
Address of the entry point
+Number of sections
@@ -2842,20 +2832,30 @@ macho is a MISP object available in JSON format at
number-sections
counter
text
text
Number of sections
+Free text value to attach to the Mach-O file
text
name
text
Free text value to attach to the Mach-O file
+Binary’s name
++
entrypoint-address
text
Address of the entry point
@@ -2900,50 +2900,10 @@ macho-section is a MISP object available in JSON format at
sha512/224
sha512/224
sha512/256
sha512/256
Secure Hash Algorithm 2 (224 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
entropy
float
Entropy of the whole section
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
@@ -2960,6 +2920,16 @@ macho-section is a MISP object available in JSON format at
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha512
sha512
md5
md5
[Insecure] MD5 hash (128 bits)
++
name
text
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
text
text
sha512/256
sha512/256
entropy
float
Secure Hash Algorithm 2 (256 bits)
+Entropy of the whole section
+
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
username-quoted
-text
Username who are quoted into the microblog post
--
url
url
creation-date
datetime
Initial creation of the microblog post
--
modification-date
datetime
Last update of the microblog post
--
post
text
Raw post
--
username
text
type
username-quoted
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
+Username who are quoted into the microblog post
++
creation-date
datetime
Initial creation of the microblog post
@@ -3148,6 +3118,16 @@ microblog is a MISP object available in JSON format at
modification-date
datetime
Last update of the microblog post
++
removal-date
datetime
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
++
post
text
Raw post
++
byte-count
-counter
Bytes counted in this flow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
src-as
dst-as
AS
Source AS number for this flow
+Destination AS number for this flow
ip-src
ip-src
IP address source of the netflow
--
packet-count
ip_version
counter
Packets counted in this flow
+IP version of this flow
src-port
port
Source port of the netflow
--
ip-dst
ip-dst
dst-port
port
Destination port of the netflow
--
last-packet-seen
datetime
Last packet seen in this flow
--
first-packet-seen
datetime
First packet seen in this flow
--
protocol
icmp-type
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
--
flow-count
counter
Flows counted in this flow
+ICMP type of the flow (if the traffic is ICMP)
ip_version
byte-count
counter
IP version of this flow
+Bytes counted in this flow
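Review bot: ip_version in this netflow region is the only attribute written with an underscore while the rest of the object uses hyphens (ip-src, src-port, byte-count, icmp-type, first-packet-seen); suggest ip-version for consistency, or a remark in the definition if the underscore is intentional. The flow-count description "Flows counted in this flow" is also circular; "Number of flows aggregated into this record" would say what the counter holds.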
@@ -3336,16 +3256,6 @@ netflow is a MISP object available in JSON format at
direction
text
Direction of this flow ['Ingress', 'Egress']
--
tcp-flags
text
dst-as
direction
text
Direction of this flow ['Ingress', 'Egress']
++
flow-count
counter
Flows counted in this flow
++
src-as
AS
Destination AS number for this flow
+Source AS number for this flow
++
packet-count
counter
Packets counted in this flow
++
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
last-packet-seen
datetime
Last packet seen in this flow
++
ip-src
ip-src
IP address source of the netflow
++
dst-port
port
Destination port of the netflow
++
src-port
port
Source port of the netflow
++
first-packet-seen
datetime
First packet seen in this flow
@@ -3404,16 +3404,6 @@ passive-dns is a MISP object available in JSON format at
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
--
zone_time_first
datetime
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
--
origin
text
Origin of the Passive DNS response
--
rdata
text
Resource records of the queried resource
--
text
text
-
-
sensor_id
text
Sensor information where the record was seen
--
time_first
datetime
sensor_id
text
Sensor information where the record was seen
++
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
++
rdata
text
Resource records of the queried resource
++
rrname
text
count
counter
rrtype
text
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
+Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
++
text
text
+
+
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
@@ -3514,10 +3504,20 @@ passive-dns is a MISP object available in JSON format at
rrtype
origin
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
+Origin of the Passive DNS response
++
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
@@ -3562,20 +3562,10 @@ paste is a MISP object available in JSON format at
title
text
url
url
Title of the paste or post.
--
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
+Link to the original source of the paste or post.
@@ -3592,20 +3582,10 @@ paste is a MISP object available in JSON format at
first-seen
datetime
title
text
When the paste has been accessible or seen for the first time.
--
url
url
Link to the original source of the paste or post.
+Title of the paste or post.
first-seen
datetime
When the paste has been accessible or seen for the first time.
++
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
++
product-name
-text
number-sections
counter
ProductName in the resources
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
product-version
text
ProductVersion in the resources
--
file-description
text
FileDescription in the resources
--
internal-filename
filename
InternalFilename in the resources
--
entrypoint-address
text
Address of the entry point
--
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
--
imphash
imphash
Hash (md5) calculated from the import table
--
file-version
text
FileVersion in the resources
+Number of sections
@@ -3780,6 +3680,66 @@ pe is a MISP object available in JSON format at
internal-filename
filename
InternalFilename in the resources
++
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
++
entrypoint-address
text
Address of the entry point
++
lang-id
text
Lang ID in the resources
++
file-version
text
FileVersion in the resources
++
product-version
text
ProductVersion in the resources
++
pehash
pehash
file-description
text
FileDescription in the resources
++
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
++
text
text
original-filename
filename
OriginalFilename in the resources
--
lang-id
text
Lang ID in the resources
--
number-sections
counter
Number of sections
--
company-name
text
product-name
text
ProductName in the resources
++
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
++
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
imphash
imphash
Hash (md5) calculated from the import table
++
original-filename
filename
OriginalFilename in the resources
++
sha512/224
-sha512/224
sha512/256
sha512/256
Secure Hash Algorithm 2 (224 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
entropy
float
Entropy of the whole section
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
+Secure Hash Algorithm 2 (256 bits)
@@ -3948,6 +3898,16 @@ pe-section is a MISP object available in JSON format at
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha512
sha512
md5
md5
[Insecure] MD5 hash (128 bits)
++
name
text
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
++
text
text
sha512/256
sha512/256
entropy
float
Secure Hash Algorithm 2 (256 bits)
+Entropy of the whole section
+
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
passport-number
-passport-number
redress-number
redress-number
The passport number of a natural person.
+The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
redress-number
redress-number
passport-country
passport-country
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
+The country in which the passport was issued.
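Review bot: this person region lists passport-number, redress-number and passport-country with descriptions of their meaning but nothing indicating that they are personal data; suggest adding to the object description that events carrying these attributes should use a restricted distribution level and that the redress-number text should note it is an identifier tied to a DHS TRIP case rather than a travel document number.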
@@ -4096,16 +4096,6 @@ person is a MISP object available in JSON format at
nationality
nationality
The nationality of a natural person.
--
middle-name
middle-name
passport-expiration
passport-expiration
The expiration date of a passport.
--
text
text
A description of the person or identity.
--
first-name
first-name
First name of a natural person.
--
last-name
last-name
Last name of a natural person.
--
gender
gender
passport-country
passport-country
last-name
last-name
The country in which the passport was issued.
+Last name of a natural person.
++
nationality
nationality
The nationality of a natural person.
++
text
text
A description of the person or identity.
++
passport-expiration
passport-expiration
The expiration date of a passport.
++
first-name
first-name
First name of a natural person.
++
passport-number
passport-number
The passport number of a natural person.
@@ -4224,6 +4224,26 @@ phone is a MISP object available in JSON format at
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
++
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
++
last-seen
datetime
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
--
serial-number
text
imei
imsi
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
+A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
@@ -4294,16 +4304,6 @@ phone is a MISP object available in JSON format at
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
--
msisdn
text
dangling-strings
callback-average
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
--
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
--
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
--
get-proc-address
counter
Amount of calls to GetProcAddress
--
text
text
Description of the r2graphity object
--
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
total-functions
counter
Total amount of functions in the file.
--
create-thread
counter
Amount of calls to CreateThread
--
local-references
counter
Amount of API calls inside a code section
--
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
+Average size of a callback
@@ -4462,30 +4372,10 @@ r2graphity is a MISP object available in JSON format at
referenced-strings
miss-api
counter
Amount of referenced strings
--
total-api
counter
Total amount of API calls
--
callback-largest
counter
Largest callback
+Amount of API call reference that does not resolve to a function offset
@@ -4502,10 +4392,50 @@ r2graphity is a MISP object available in JSON format at
unknown-references
memory-allocations
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
+Amount of memory allocations
++
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
++
local-references
counter
Amount of API calls inside a code section
++
referenced-strings
counter
Amount of referenced strings
++
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
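Review bot: "probalby" in the unknown-references description at the top of this hunk ("Amount of API calls not ending in a function (Radare2 bug, probalby)") is a typo for "probably", and the same string recurs in the last r2graphity hunk. Fix it in the r2graphity object definition so the regenerated page picks it up in both places.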
@@ -4522,20 +4452,20 @@ r2graphity is a MISP object available in JSON format at
memory-allocations
total-functions
counter
Amount of memory allocations
+Total amount of functions in the file.
gml
attachment
total-api
counter
Graph export in G>raph Modelling Language format
+Total amount of API calls
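Review bot: the gml description in this hunk, "Graph export in G>raph Modelling Language format", contains a stray ">" and should read "Graph export in Graph Modelling Language format"; it appears again in the following r2graphity hunk, so correct the source definition rather than this file.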
@@ -4552,20 +4482,90 @@ r2graphity is a MISP object available in JSON format at
miss-api
get-proc-address
counter
Amount of API call reference that does not resolve to a function offset
+Amount of calls to GetProcAddress
callback-average
gml
attachment
Graph export in G>raph Modelling Language format
++
create-thread
counter
Average size of a callback
+Amount of calls to CreateThread
++
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
++
callback-largest
counter
Largest callback
++
text
text
Description of the r2graphity object
++
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
++
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
@@ -4620,16 +4620,6 @@ regexp is a MISP object available in JSON format at
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
--
regexp
text
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
++
data-type
+reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
++
data
reg-data
Data stored in the registry key
++
hive
reg-hive
Hive used to store the registry key (file on disk)
++
last-modified
datetime
data-type
reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
--
key
reg-key
hive
reg-hive
Hive used to store the registry key (file on disk)
--
data
reg-data
Data stored in the registry key
--
case-number
+summary
text
Case number
+Free text summary of the report
summary
case-number
text
Free text summary of the report
+Case number
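Review bot: this hunk's header names only the `regexp` object, yet the lines also cover registry-key attributes (`data-type`/`reg-datatype`, `hive`/`reg-hive`, `key`/`reg-key`) and report attributes (`case-number`, `summary`), so the rendered diff has lost its `@@` boundaries and a reviewer cannot tell which object each change belongs to. Within the registry-key part, no description appears for `key`/`reg-key` while `hive` and `data` have one; if the template really lacks it, add a description there.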
@@ -4834,16 +4834,6 @@ rtir is a MISP object available in JSON format at
ticket-number
text
ticket-number of the RTIR ticket
--
constituency
text
ip
ip-dst
IPs automatically extracted from the RTIR ticket
--
queue
ticket-number
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
--
classification
text
Classification of the RTIR ticket
+ticket-number of the RTIR ticket
ip
ip-dst
IPs automatically extracted from the RTIR ticket
++
classification
text
Classification of the RTIR ticket
++
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
++
version_line
+nickname
text
versioning information reported by the node.
+router’s nickname.
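Review bot: "ticket-number of the RTIR ticket" is tautological and starts in lowercase, unlike its siblings "Queue of the RTIR ticket" and "Classification of the RTIR ticket"; suggest "Ticket number of the RTIR ticket". Separately, `constituency` only appears among the removed lines of this hunk; confirm it is re-added elsewhere, or say in the commit message (currently just "Objects updated") that the attribute was dropped.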
@@ -4962,20 +4962,10 @@ tor-node is a MISP object available in JSON format at
version
flags
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
--
address
ip-src
IP address of the Tor node seen.
+list of flag associated with the node.
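Review bot: grammar in the `flags` description, "list of flag associated with the node" should be "list of flags associated with the node". The `version` description "this is None if the relay's using a new versioning scheme" leaks a Python value into user-facing docs; describe the MISP-level behaviour instead (attribute absent or empty) and capitalise "Tor".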
@@ -4992,16 +4982,36 @@ tor-node is a MISP object available in JSON format at
nickname
document
text
router’s nickname.
+Raw document from the consensus.
++
address
ip-src
IP address of the Tor node seen.
description
text
Tor node description.
++
last-seen
datetime
version_line
text
versioning information reported by the node.
++
text
text
description
version
text
Tor node description.
--
document
text
Raw document from the consensus.
--
flags
text
list of flag associated with the node.
+parsed version of tor, this is None if the relay’s using a new versioning scheme.
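Review bot: `version_line` is the one underscore-named attribute in the tor-node object while `last-seen` and `ip-src` are hyphenated; worth aligning before the object is widely used. The `text`/`text` attribute shows no description in this hunk whereas `description`, `document` and `flags` each have one; add it in the template if it is genuinely missing.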
@@ -5100,6 +5100,26 @@ url is a MISP object available in JSON format at
resource_path
text
Path (between hostname:port and query)
++
domain_without_tld
text
Domain without Top-Level Domain
++
tld
text
subdomain
credential
text
Subdomain
--
domain
domain
Full domain
--
query_string
text
Query (after path, preceded by '?')
--
resource_path
text
Path (between hostname:port and query)
+Credential (username, password)
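Review bot: the `credential` attribute of the url object is typed `text` and described only as "Credential (username, password)"; its documentation should say that it carries the userinfo part of the URL, i.e. a secret, so that anyone populating it considers distribution and sharing settings. Naming is also mixed here: `domain_without_tld`, `resource_path` and `query_string` use underscores while `last-seen` uses a hyphen.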
@@ -5160,36 +5150,6 @@ url is a MISP object available in JSON format at
port
port
Port number
--
domain_without_tld
text
Domain without Top-Level Domain
--
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
url
url
port
port
Port number
++
last-seen
datetime
Last time this URL has been seen
+
domain
domain
Full domain
+
+
+
subdomain
text
Subdomain
+
credential
+scheme
text
Credential (username, password)
+Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
++
query_string
text
Query (after path, preceded by '?')
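Review bot: several empty `+` lines appear between the `last-seen`, `domain`, `subdomain` and `credential` entries, i.e. blank rows added to the rendered table. That suggests trailing whitespace or empty descriptions in the url template; check the generator's handling of missing fields so the HTML does not accumulate blank rows.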
@@ -5288,50 +5288,10 @@ victim is a MISP object available in JSON format at
roles
text
external
target-external
The list of roles targeted within the victim.
--
name
target-org
The name of the department(s) or organisation(s) targeted.
--
ip-address
ip-dst
IP address(es) of the node targeted.
--
target-email
The email address(es) of the user targeted.
--
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
+External target organisations affected by this attack.
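Review bot: grammar in the `sectors` description, "The list of sectors that the victim belong to" should be "belongs to". The inline enum in that description is very long; if the generator supports it, rendering allowed values as a list rather than a bracketed string would make the table readable.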
@@ -5348,13 +5308,23 @@ victim is a MISP object available in JSON format at
classification
text
target-email
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
+The email address(es) of the user targeted.
+
+
user
target-user
The username(s) of the user targeted.
+
external
-target-external
roles
text
External target organisations affected by this attack.
+The list of roles targeted within the victim.
++
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
ip-address
ip-dst
IP address(es) of the node targeted.
++
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
name
target-org
The name of the department(s) or organisation(s) targeted.
user
target-user
The username(s) of the user targeted.
--
detection-ratio
-text
permalink
link
Detection Ratio
+Permalink Reference
+
permalink
-link
Permalink Reference
--
community-score
text
detection-ratio
text
Detection Ratio
++
last-submission
datetime
vulnerable_configuration
text
modified
datetime
The vulnerable configuration is described in CPE format
+Last modification date
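Review bot: like the regexp hunk above, this region runs victim, virustotal-report (`detection-ratio`, `permalink`, `community-score`, `last-submission`) and vulnerability attributes together without `@@` separators, and again contains empty `+` lines around `user`/`target-user`. Capitalisation is inconsistent between objects: "Detection Ratio" and "Permalink Reference" are title case while every other description here is sentence case; pick one convention in the templates.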
@@ -5554,20 +5554,10 @@ vulnerability is a MISP object available in JSON format at
summary
vulnerable_configuration
text
Summary of the vulnerability
--
modified
datetime
Last modification date
+The vulnerable configuration is described in CPE format
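Review bot: `vulnerable_configuration` is underscore-named while `creation-date` and `modified` in the same object are hyphenated; the same naming inconsistency already flagged for url and tor-node. Its description, "The vulnerable configuration is described in CPE format", would benefit from naming which CPE version is expected.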
@@ -5584,6 +5574,16 @@ vulnerability is a MISP object available in JSON format at
summary
text
Summary of the vulnerability
++
id
vulnerability
creation-date
datetime
text
text
Initial creation of the whois entry
--
registrant-phone
whois-registrant-phone
Registrant phone number
--
registrar
whois-registrar
Registrar of the whois entry
--
registrant-email
whois-registrant-email
Registrant email address
+Full whois entry
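Review bot: the vulnerability object's `id` attribute (MISP type `vulnerability`) shows no description in this hunk, whereas `summary`, `modified` and every whois attribute that follows has one; add it in the template. The hunk also spills from the vulnerability object into whois lines (`creation-date`, `registrant-phone`, `registrar`) without a header, so the rendered diff again hides the object boundary.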
@@ -5682,10 +5652,40 @@ whois is a MISP object available in JSON format at
text
text
creation-date
datetime
Full whois entry
+Initial creation of the whois entry
++
registrant-email
whois-registrant-email
Registrant email address
++
domain
domain
Domain of the whois entry
++
registrant-phone
whois-registrant-phone
Registrant phone number
@@ -5702,20 +5702,20 @@ whois is a MISP object available in JSON format at
expiration-date
datetime
registrar
whois-registrar
Expiration of the whois entry
+Registrar of the whois entry
domain
domain
expiration-date
datetime
Domain of the whois entry
+Expiration of the whois entry
@@ -5760,46 +5760,6 @@ x509 is a MISP object available in JSON format at
raw-base64
text
Raw certificate base64 encoded
--
validity-not-after
datetime
Certificate invalid after that date
--
pubkey-info-exponent
text
Exponent of the public key
--
version
text
Version of the certificate
--
x509-fingerprint-sha256
sha256
subject
text
Subject of the certificate
--
issuer
text
Issuer of the certificate
--
serial-number
text
Serial number of the certificate
--
pubkey-info-modulus
text
Modulus of the public key
--
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
--
validity-not-before
datetime
Certificate invalid before that date
--
text
text
Free text description of hte certificate
--
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
pubkey-info-size
text
subject
text
Subject of the certificate
++
pubkey-info-exponent
text
Exponent of the public key
++
serial-number
text
Serial number of the certificate
++
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
++
pubkey-info-algorithm
text
issuer
text
Issuer of the certificate
++
validity-not-before
datetime
Certificate invalid before that date
++
validity-not-after
datetime
Certificate invalid after that date
++
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
text
text
Free text description of hte certificate
++
raw-base64
text
Raw certificate base64 encoded
++
version
text
Version of the certificate
++
pubkey-info-modulus
text
Modulus of the public key
++
yara
-yara
Yara rule generated from -y.
--
comment
comment
yara
yara
Yara rule generated from -y.
++
yara-hunt
yara
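Review bot: typo in the x509 `text` description, "Free text description of hte certificate" should read "the certificate", and it appears on both the removed and the re-added side, so it must be fixed in the x509 template. In the visible lines `x509-fingerprint-sha256`, `pubkey-info-size` and `pubkey-info-algorithm` have no description while the MD5 and SHA-1 fingerprints do (and are usefully tagged "[Insecure]"); confirm the template has descriptions for them. The hunk then trails into the yara object (`yara`, `yara-hunt`) with no `@@` header.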