From 2d7fcb6ed201f2b2b767eafd1093733600dd42c6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 3 Dec 2017 11:37:30 +0100
Subject: [PATCH] Objects updated
---
objects.html | 3562 +-
objects.pdf | 136104 ++++++++++++++++++++++++------------------------
2 files changed, 69628 insertions(+), 70038 deletions(-)
diff --git a/objects.html b/objects.html
index 5b78642..e8d852f 100755
--- a/objects.html
+++ b/objects.html
@@ -557,46 +557,6 @@ ail-leak is a MISP object available in JSON format at sensor
text
The AIL sensor uuid where the leak was processed and analysed.
--
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
--
original-date
datetime
When the information available in the leak was created. It’s usually before the first-seen.
--
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
--
duplicate_number
counter
raw-data
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
--
last-seen
datetime
When the leak has been accessible or seen for the last time.
--
origin
text
The link where the leak is (or was) accessible at first-seen.
--
duplicate
text
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
++
last-seen
datetime
When the leak has been accessible or seen for the last time.
++
sensor
text
The AIL sensor uuid where the leak was processed and analysed.
++
original-date
datetime
When the information available in the leak was created. It’s usually before the first-seen.
++
raw-data
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
++
origin
text
The link where the leak is (or was) accessible at first-seen.
++
first-seen
datetime
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
country
-text
Country code of the main location of the autonomous system
--
last-seen
datetime
Last time the ASN was seen
--
subnet-announced
ip-src
first-seen
datetime
First time the ASN was seen
--
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
description
text
country
text
Country code of the main location of the autonomous system
++
mp-import
text
last-seen
datetime
Last time the ASN was seen
++
first-seen
datetime
First time the ASN was seen
++
asn
AS
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
++
signature
-text
datetime
datetime
Name of detection signature
+Datetime
+
datetime
-datetime
Datetime
--
text
text
signature
text
Name of detection signature
++
type
+text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
++
cookie
cookie
type
text
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
+A description of the cookie.
+
text
text
A description of the cookie.
--
text
-text
A description of the credential(s)
--
password
text
Password
--
notification
text
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
++
text
text
A description of the credential(s)
++
username
text
type
password
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
+Password
@@ -1117,10 +1117,10 @@ credential is a MISP object available in JSON format at
format
type
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
+Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
@@ -1165,6 +1165,16 @@ credit-card is a MISP object available in JSON format at
issued
datetime
Initial date of validity or issued date.
++
version
text
comment
comment
cc-number
cc-number
A description of the card.
+credit-card number as encoded on the card.
++
expiration
datetime
Maximum date of validity
@@ -1205,30 +1225,10 @@ credit-card is a MISP object available in JSON format at
expiration
datetime
comment
comment
Maximum date of validity
--
cc-number
cc-number
credit-card number as encoded on the card.
--
issued
datetime
Initial date of validity or issued date.
+A description of the card.
@@ -1273,70 +1273,10 @@ ddos is a MISP object available in JSON format at
ip-dst
ip-dst
Destination IP (victim)
--
total-bps
total-pps
counter
Bits per second
--
dst-port
port
Destination port of the attack
--
first-seen
datetime
Beginning of the attack
--
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
--
ip-src
ip-src
IP address originating the attack
--
src-port
port
Port originating the attack
+Packets per second
@@ -1353,6 +1293,16 @@ ddos is a MISP object available in JSON format at
total-bps
counter
Bits per second
++
text
text
dst-port
port
Destination port of the attack
++
domain-dst
domain
total-pps
counter
first-seen
datetime
Packets per second
+Beginning of the attack
++
ip-src
ip-src
IP address originating the attack
++
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
ip-dst
ip-dst
Destination IP (victim)
++
src-port
port
Port originating the attack
@@ -1421,20 +1421,10 @@ domain-ip is a MISP object available in JSON format at
text
text
last-seen
datetime
A description of the tuple
--
ip
ip-dst
IP Address
+Last time the tuple has been seen
@@ -1461,10 +1451,20 @@ domain-ip is a MISP object available in JSON format at
last-seen
datetime
text
text
Last time the tuple has been seen
+A description of the tuple
++
ip
ip-dst
IP Address
@@ -1509,6 +1509,26 @@ elf is a MISP object available in JSON format at
os_abi
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
++
entrypoint-address
text
Address of the entry point
++
number-sections
counter
os_abi
arch
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
+Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
entrypoint-address
text
Address of the entry point
--
arch
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
--
entropy
+float
Entropy of the whole section
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
text
text
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha384
sha384
sha512/224
sha512/224
flag
text
Secure Hash Algorithm 2 (224 bits)
+Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
-
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
-+
type
-text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
entropy
float
Entropy of the whole section
--
md5
md5
ssdeep
ssdeep
sha512/256
sha512/256
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -1727,35 +1717,45 @@ elf-section is a MISP object available in JSON format at
flag
text
sha512
sha512
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
+Secure Hash Algorithm 2 (512 bits)
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
thread-index
-email-thread-index
Identifies a particular conversation thread
--
header
email-header
mime-boundary
email-mime-boundary
subject
email-subject
MIME Boundary
--
message-id
email-message-id
Message ID
+Subject
@@ -1845,23 +1825,13 @@ email is a MISP object available in JSON format at
cc
email-dst
send-date
datetime
Carbon copy
+Date the email has been sent
-
to
email-dst
Destination email address
-+
attachment
-email-attachment
Attachment
--
return-path
text
send-date
datetime
mime-boundary
email-mime-boundary
Date the email has been sent
+MIME Boundary
+
reply-to
email-reply-to
attachment
email-attachment
Email address the reply will be sent to
+Attachment
++
thread-index
email-thread-index
Identifies a particular conversation thread
++
cc
email-dst
Carbon copy
@@ -1925,10 +1905,10 @@ email is a MISP object available in JSON format at
from
email-src
reply-to
email-reply-to
Sender email address
+Email address the reply will be sent to
@@ -1945,10 +1925,30 @@ email is a MISP object available in JSON format at
subject
email-subject
message-id
email-message-id
Subject
+Message ID
++
to
email-dst
Destination email address
++
from
email-src
Sender email address
@@ -1993,106 +1993,6 @@ file is a MISP object available in JSON format at
text
text
Free text value to attach to the file
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
mimetype
text
Mime type
--
authentihash
authentihash
Authenticode executable signature hash
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
entropy
float
md5
md5
sha224
sha224
[Insecure] MD5 hash (128 bits)
--
pattern-in-file
pattern-in-file
Pattern that can be found in the file
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
malware-sample
malware-sample
The file itself (binary)
+Secure Hash Algorithm 2 (224 bits)
@@ -2153,6 +2023,46 @@ file is a MISP object available in JSON format at
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
++
mimetype
text
Mime type
++
text
text
Free text value to attach to the file
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
filename
filename
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
state
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted', 'Malicious']
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
authentihash
authentihash
Authenticode executable signature hash
++
sha512/256
sha512/256
state
text
sha1
sha1
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
+[Insecure] Secure Hash Algorithm 1 (160 bits)
++
malware-sample
malware-sample
The file itself (binary)
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
certificate
x509-fingerprint-sha1
Certificate value if the binary is signed with another authentication scheme than authenticode
++
pattern-in-file
pattern-in-file
Pattern that can be found in the file
@@ -2221,36 +2231,16 @@ geolocation is a MISP object available in JSON format at
country
text
latitude
float
Country.
--
last-seen
datetime
When the location was seen for the last time.
+The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
--
city
text
first-seen
datetime
text
text
When the location was seen for the first time.
--
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
+A generic description of the location.
@@ -2291,25 +2271,55 @@ geolocation is a MISP object available in JSON format at
latitude
float
last-seen
datetime
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
+When the location was seen for the last time.
text
text
first-seen
datetime
A generic description of the location.
+When the location was seen for the first time.
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
++
country
text
Country.
++
referer
+referer
This is the address of the previous web page from which a link to the currently requested page was followed
++
text
text
basicauth-password
text
HTTP Basic Authentication Password
--
user-agent
user-agent
The user agent string of the user agent
--
host
hostname
The domain name of the server
--
content-type
other
proxy-password
text
method
http-method
HTTP Proxy Password
+HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
-
uri
uri
Request URI
-+
url
-url
Full HTTP Request URL
--
proxy-user
text
host
hostname
The domain name of the server
++
url
url
Full HTTP Request URL
++
user-agent
user-agent
The user agent string of the user agent
++
cookie
text
referer
referer
uri
uri
This is the address of the previous web page from which a link to the currently requested page was followed
+Request URI
method
http-method
proxy-password
text
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
+HTTP Proxy Password
+
+
basicauth-password
text
HTTP Basic Authentication Password
+
src-port
+port
Source port
++
text
text
first-seen
datetime
First time the tuple has been seen
--
last-seen
datetime
src-port
port
first-seen
datetime
Source port
+First time the tuple has been seen
@@ -2615,20 +2625,20 @@ ja3 is a MISP object available in JSON format at
ip-dst
ip-dst
description
text
Destination IP address
+Type of detected software ie software, malware
ip-src
ip-src
ja3-fingerprint-md5
md5
Source IP Address
+Hash identifying source
@@ -2655,20 +2665,20 @@ ja3 is a MISP object available in JSON format at
ja3-fingerprint-md5
md5
ip-src
ip-src
Hash identifying source
+Source IP Address
description
text
ip-dst
ip-dst
Type of detected software ie software, malware
+Destination IP address
@@ -2713,6 +2723,16 @@ macho is a MISP object available in JSON format at
name
text
Binary’s name
++
entrypoint-address
text
number-sections
counter
Number of sections
--
text
text
name
text
number-sections
counter
Binary’s name
+Number of sections
+
entropy
+float
Entropy of the whole section
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
text
text
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha384
sha384
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
entropy
float
Entropy of the whole section
--
md5
md5
ssdeep
ssdeep
sha512/256
sha512/256
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -2911,20 +2911,30 @@ macho-section is a MISP object available in JSON format at
size-in-bytes
size-in-bytes
sha512
sha512
Size of the section, in bytes
+Secure Hash Algorithm 2 (512 bits)
+
sha512/256
sha512/256
sha512/224
sha512/224
Secure Hash Algorithm 2 (256 bits)
+Secure Hash Algorithm 2 (224 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
@@ -2969,60 +2979,10 @@ microblog is a MISP object available in JSON format at
link
url
Link into the microblog post
--
username
text
Username who posted the microblog post
--
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
--
post
text
Raw post
--
url
url
Original URL location of the microblog post
--
modification-date
creation-date
datetime
Last update of the microblog post
+Initial creation of the microblog post
@@ -3039,10 +2999,20 @@ microblog is a MISP object available in JSON format at
creation-date
link
url
Link into the microblog post
++
modification-date
datetime
Initial creation of the microblog post
+Last update of the microblog post
username
text
Username who posted the microblog post
++
post
text
Raw post
++
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
++
url
url
Original URL location of the microblog post
++
ip-src
-ip-src
first-packet-seen
datetime
IP address source of the netflow
+First packet seen in this flow
++
tcp-flags
text
TCP flags of the flow
++
src-port
port
Source port of the netflow
++
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
++
last-packet-seen
datetime
Last packet seen in this flow
++
direction
text
Direction of this flow ['Ingress', 'Egress']
++
ip-dst
ip-dst
IP address destination of the netflow
++
flow-count
counter
Flows counted in this flow
++
packet-count
counter
Packets counted in this flow
++
src-as
AS
Source AS number for this flow
++
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
dst-as
AS
Destination AS number for this flow
@@ -3127,116 +3247,16 @@ netflow is a MISP object available in JSON format at
flow-count
counter
ip-src
ip-src
Flows counted in this flow
--
ip-protocol-number
size-in-bytes
IP protocol number of this flow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
first-packet-seen
datetime
First packet seen in this flow
+IP address source of the netflow
src-as
AS
Source AS number for this flow
--
ip-dst
ip-dst
IP address destination of the netflow
--
src-port
port
Source port of the netflow
--
direction
text
Direction of this flow ['Ingress', 'Egress']
--
dst-as
AS
Destination AS number for this flow
--
last-packet-seen
datetime
Last packet seen in this flow
--
ip_version
counter
IP version of this flow
--
byte-count
counter
tcp-flags
text
TCP flags of the flow
--
packet-count
ip_version
counter
Packets counted in this flow
+IP version of this flow
@@ -3315,6 +3325,16 @@ passive-dns is a MISP object available in JSON format at
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
++
text
text
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
origin
text
Origin of the Passive DNS response
--
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
--
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
time_first
datetime
rrtype
text
zone_time_last
datetime
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
+Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
rdata
sensor_id
text
Resource records of the queried resource
+Sensor information where the record was seen
rrname
text
zone_time_first
datetime
Resource Record name of the queried resource
+First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
@@ -3415,10 +3405,30 @@ passive-dns is a MISP object available in JSON format at
sensor_id
origin
text
Sensor information where the record was seen
+Origin of the Passive DNS response
++
rrname
text
Resource Record name of the queried resource
++
rdata
text
Resource records of the queried resource
@@ -3463,46 +3473,16 @@ paste is a MISP object available in JSON format at
title
paste
text
Title of the paste or post.
+Raw text of the paste or post
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
--
url
url
Link to the original source of the paste or post.
--
first-seen
datetime
When the paste has been accessible or seen for the first time.
--
last-seen
datetime
paste
first-seen
datetime
When the paste has been accessible or seen for the first time.
++
origin
text
Raw text of the paste or post
+Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
++
title
text
Title of the paste or post.
++
url
url
Link to the original source of the paste or post.
@@ -3561,50 +3571,20 @@ pe is a MISP object available in JSON format at
lang-id
legal-copyright
text
Lang ID in the resources
+LegalCopyright in the resources
text
entrypoint-address
text
Free text value to attach to the PE
--
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
original-filename
filename
OriginalFilename in the resources
--
file-description
text
FileDescription in the resources
+Address of the entry point
@@ -3621,46 +3601,6 @@ pe is a MISP object available in JSON format at
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
imphash
imphash
Hash (md5) calculated from the import table
--
product-version
text
ProductVersion in the resources
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
number-sections
counter
legal-copyright
text
text
LegalCopyright in the resources
--
company-name
text
CompanyName in the resources
+Free text value to attach to the PE
@@ -3701,6 +3631,76 @@ pe is a MISP object available in JSON format at
lang-id
text
Lang ID in the resources
++
product-name
text
ProductName in the resources
++
company-name
text
CompanyName in the resources
++
imphash
imphash
Hash (md5) calculated from the import table
++
original-filename
filename
OriginalFilename in the resources
++
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
++
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
++
impfuzzy
impfuzzy
entrypoint-address
product-version
text
Address of the entry point
+ProductVersion in the resources
@@ -3731,10 +3731,20 @@ pe is a MISP object available in JSON format at
product-name
file-description
text
ProductName in the resources
+FileDescription in the resources
++
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
@@ -3779,6 +3789,36 @@ pe-section is a MISP object available in JSON format at
entropy
float
Entropy of the whole section
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
text
text
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha384
sha384
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
entropy
float
Entropy of the whole section
--
md5
md5
ssdeep
ssdeep
sha512/256
sha512/256
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -3899,20 +3889,40 @@ pe-section is a MISP object available in JSON format at
size-in-bytes
size-in-bytes
sha512
sha512
Size of the section, in bytes
+Secure Hash Algorithm 2 (512 bits)
+
sha512/256
sha512/256
sha512/224
sha512/224
Secure Hash Algorithm 2 (256 bits)
+Secure Hash Algorithm 2 (224 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
@@ -3957,10 +3967,10 @@ person is a MISP object available in JSON format at
date-of-birth
date-of-birth
middle-name
middle-name
Date of birth of a natural person (in YYYY-MM-DD format).
+Middle name of a natural person
@@ -3997,30 +4007,10 @@ person is a MISP object available in JSON format at
passport-expiration
passport-expiration
last-name
last-name
The expiration date of a passport.
--
nationality
nationality
The nationality of a natural person.
--
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
+Last name of a natural person.
@@ -4037,26 +4027,6 @@ person is a MISP object available in JSON format at
passport-country
passport-country
The country in which the passport was issued.
--
middle-name
middle-name
Middle name of a natural person
--
redress-number
redress-number
last-name
last-name
passport-country
passport-country
Last name of a natural person.
+The country in which the passport was issued.
++
nationality
nationality
The nationality of a natural person.
++
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
++
passport-expiration
passport-expiration
The expiration date of a passport.
++
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
@@ -4115,16 +4125,6 @@ phone is a MISP object available in JSON format at
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
--
guti
text
imsi
text
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
--
first-seen
datetime
When the phone has been accessible or seen for the first time.
+A description of the phone.
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
++
tmsi
text
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
++
first-seen
datetime
When the phone has been accessible or seen for the first time.
++
serial-number
text
text
text
A description of the phone.
--
text
-text
Description of the r2graphity object
--
referenced-strings
counter
Amount of referenced strings
--
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
--
callback-average
counter
Average size of a callback
--
callback-largest
counter
total-api
counter
Total amount of API calls
--
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
r2-commit-version
text
memory-allocations
counter
Amount of memory allocations
--
not-referenced-strings
counter
total-functions
counter
ratio-string
float
Total amount of functions in the file.
+Ratio: amount of referenced strings per kilobyte of code section
ratio-string
float
miss-api
counter
Ratio: amount of referenced strings per kilobyte of code section
+Amount of API call reference that does not resolve to a function offset
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
@@ -4393,10 +4363,30 @@ r2graphity is a MISP object available in JSON format at
miss-api
total-api
counter
Amount of API call reference that does not resolve to a function offset
+Total amount of API calls
++
memory-allocations
counter
Amount of memory allocations
++
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
@@ -4413,6 +4403,46 @@ r2graphity is a MISP object available in JSON format at
callback-average
counter
Average size of a callback
++
text
text
Description of the r2graphity object
++
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
++
total-functions
counter
Total amount of functions in the file.
++
gml
attachment
refsglobalvar
referenced-strings
counter
Amount of API calls outside of code section (glob var, dynamic API)
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
callbacks
counter
Amount of callbacks (functions started as thread)
--
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
+Amount of referenced strings
callbacks
counter
Amount of callbacks (functions started as thread)
++
data
-reg-data
last-modified
datetime
Data stored in the registry key
--
name
reg-name
Name of the registry key
+Last time the registry key has been modified
@@ -4629,10 +4629,20 @@ registry-key is a MISP object available in JSON format at
last-modified
datetime
data
reg-data
Last time the registry key has been modified
+Data stored in the registry key
++
name
reg-name
Name of the registry key
@@ -4677,20 +4687,20 @@ report is a MISP object available in JSON format at
case-number
summary
text
Case number
+Free text summary of the report
summary
case-number
text
Free text summary of the report
+Case number
@@ -4745,10 +4755,20 @@ rtir is a MISP object available in JSON format at
constituency
classification
text
Constituency of the RTIR ticket
+Classification of the RTIR ticket
++
subject
text
Subject of the RTIR ticket
@@ -4765,20 +4785,10 @@ rtir is a MISP object available in JSON format at
classification
constituency
text
Classification of the RTIR ticket
--
ip
ip-dst
IPs automatically extracted from the RTIR ticket
+Constituency of the RTIR ticket
@@ -4795,10 +4805,10 @@ rtir is a MISP object available in JSON format at
subject
text
ip
ip-dst
Subject of the RTIR ticket
+IPs automatically extracted from the RTIR ticket
@@ -4843,76 +4853,6 @@ tor-node is a MISP object available in JSON format at
text
text
Tor node comment.
--
address
ip-src
IP address of the Tor node seen.
--
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
--
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
--
flags
text
list of flag associated with the node.
--
version_line
text
versioning information reported by the node.
--
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
--
version
text
document
text
Raw document from the consensus.
--
nickname
text
text
text
Tor node comment.
++
description
text
document
text
Raw document from the consensus.
++
address
ip-src
IP address of the Tor node seen.
++
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
++
flags
text
list of flag associated with the node.
++
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
++
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
version_line
text
versioning information reported by the node.
++
credential
+tld
text
Credential (username, password)
+Top-Level Domain
+
first-seen
-datetime
query_string
text
First time this URL has been seen
+Query (after path, preceded by '?')
++
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
credential
text
Credential (username, password)
++
host
hostname
Full hostname
++
domain
domain
Full domain
++
url
url
Full URL
@@ -5051,26 +5111,6 @@ url is a MISP object available in JSON format at
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
--
host
hostname
Full hostname
--
scheme
text
subdomain
text
Subdomain
--
tld
text
Top-Level Domain
--
port
port
url
url
first-seen
datetime
Full URL
+First time this URL has been seen
@@ -5131,23 +5151,13 @@ url is a MISP object available in JSON format at
domain
domain
Full domain
--
query_string
subdomain
text
Query (after path, preceded by '?')
+Subdomain
+
sectors
-text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
--
name
text
The name of the victim targeted. The name can be an organisation or a group of organisations.
--
roles
text
regions
text
The list of regions or locations from the victim targeted. ISO 3166 should be used.
--
description
text
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
name
text
The name of the victim targeted. The name can be an organisation or a group of organisations.
++
regions
text
The list of regions or locations from the victim targeted. ISO 3166 should be used.
++
permalink
-link
Permalink Reference
--
community-score
text
Community Score
--
detection-ratio
text
permalink
link
Permalink Reference
++
community-score
text
Community Score
++
id
-vulnerability
published
datetime
Vulnerability ID (generally CVE, but not necessarely)
+Initial publication date
++
summary
text
Summary of the vulnerability
@@ -5395,16 +5415,6 @@ vulnerability is a MISP object available in JSON format at
references
link
External references
--
modified
datetime
published
datetime
Initial publication date
--
vulnerable_configuration
text
summary
text
id
vulnerability
Summary of the vulnerability
+Vulnerability ID (generally CVE, but not necessarely)
++
references
link
External references
@@ -5483,40 +5493,20 @@ whois is a MISP object available in JSON format at
text
text
Full whois entry
--
modification-date
creation-date
datetime
Last update of the whois entry
+Initial creation of the whois entry
registrant-name
whois-registrant-name
domain
domain
Registrant name
--
expiration-date
datetime
Expiration of the whois entry
+Domain of the whois entry
@@ -5533,6 +5523,46 @@ whois is a MISP object available in JSON format at
modification-date
datetime
Last update of the whois entry
++
text
text
Full whois entry
++
expiration-date
datetime
Expiration of the whois entry
++
registrant-name
whois-registrant-name
Registrant name
++
registrant-email
whois-registrant-email
creation-date
datetime
Initial creation of the whois entry
--
registar
registrar
whois-registrar
domain
domain
Domain of the whois entry
--
text
-text
x509-fingerprint-sha1
sha1
Free text description of hte certificate
--
pubkey-info-algorithm
text
Algorithm of the public key
--
version
text
Version of the certificate
--
raw-base64
text
Raw certificate base64 encoded
--
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
--
issuer
text
Issuer of the certificate
--
pubkey-info-exponent
text
Exponent of the public key
+[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -5691,40 +5641,20 @@ x509 is a MISP object available in JSON format at
pubkey-info-modulus
subject
text
Modulus of the public key
+Subject of the certificate
serial-number
text
text
Serial number of the certificate
--
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Free text description of hte certificate
@@ -5741,6 +5671,26 @@ x509 is a MISP object available in JSON format at
issuer
text
Issuer of the certificate
++
raw-base64
text
Raw certificate base64 encoded
++
validity-not-after
datetime
subject
pubkey-info-modulus
text
Subject of the certificate
+Modulus of the public key
++
version
text
Version of the certificate
++
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
pubkey-info-algorithm
text
Algorithm of the public key
++
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
++
pubkey-info-exponent
text
Exponent of the public key
++
serial-number
text
Serial number of the certificate
@@ -5809,6 +5819,16 @@ yabin is a MISP object available in JSON format at
whitelist
comment
Whitelist name used to generate the rules.
++
comment
comment
whitelist
comment
Whitelist name used to generate the rules.
--