From 3e3800a3d53fbb6372b88ab85415db48ba13598a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 24 Sep 2017 20:26:46 +0200
Subject: [PATCH] Objects updated
---
objects.html | 2717 ++++++++++++++++++++++++++------------------------
1 file changed, 1408 insertions(+), 1309 deletions(-)
diff --git a/objects.html b/objects.html
index faaf213..02d1efc 100755
--- a/objects.html
+++ b/objects.html
@@ -444,6 +444,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
origin
url
original-date
datetime
+
text
text
+
first-seen
datetime
+
+
last-seen
text
-text
-
-
original-date
datetime
-
-
type
text
origin
url
first-seen
-datetime
type
text
+
cookie-value
+text
+
+
text
text
cookie
cookie
-
-
cookie-name
text
cookie-value
text
cookie
cookie
comment
-comment
-
-
expiration
datetime
version
text
issued
+card-security-code
text
+
+
expiration
datetime
@@ -761,7 +762,7 @@ credit-card is a MISP object available in JSON format at
version
comment
comment
@@ -771,8 +772,8 @@ credit-card is a MISP object available in JSON format at
card-security-code
text
issued
datetime
text
-text
-
-
ip-dst
ip-dst
total-bps
counter
last-seen
+datetime
+
+
text
text
+
+
total-pps
counter
+
+
dst-port
port
+
+
ip-dst
ip-dst
+
+
protocol
text
total-pps
counter
-
-
total-bps
counter
-
-
last-seen
datetime
-
-
dst-port
port
-
-
first-seen
datetime
ip
ip-dst
+
+
domain
domain
ip
ip-dst
-
-
text
-text
number-sections
counter
os_abi
+arch
text
@@ -1075,17 +1076,7 @@ elf is a MISP object available in JSON format at
number-sections
counter
-
-
arch
os_abi
text
@@ -1095,6 +1086,16 @@ elf is a MISP object available in JSON format at
text
text
+
+
type
text
entropy
float
-
-
sha512/224
sha512/224
sha1
sha1
sha384
-sha384
-
-
sha512/256
sha512/256
-
-
type
name
text
@@ -1193,6 +1164,46 @@ elf-section is a MISP object available in JSON format at
text
text
+
+
sha384
sha384
+
+
sha512/224
sha512/224
+
+
size-in-bytes
size-in-bytes
+
+
ssdeep
ssdeep
sha512
sha512
+
+
sha256
sha256
md5
md5
sha512/256
sha512/256
name
-text
-
-
sha224
sha224
sha512
sha512
entropy
float
+
sha1
sha1
-
-
text
type
text
@@ -1283,13 +1284,13 @@ elf-section is a MISP object available in JSON format at
size-in-bytes
size-in-bytes
md5
md5
+
thread-index
-email-thread-index
x-mailer
email-x-mailer
header
+email-header
+
+
from-display-name
email-src-display-name
+
+
from
email-src
+
+
thread-index
email-thread-index
+
+
send-date
datetime
+
+
to
email-dst
+
+
reply-to
email-reply-to
mime-boundary
email-mime-boundary
-
-
from
email-src
-
-
from-display-name
email-src-display-name
-
-
message-id
email-message-id
to
email-dst
-
-
send-date
datetime
-
-
header
email-header
-
-
x-mailer
email-x-mailer
mime-boundary
email-mime-boundary
entropy
-float
sha1
sha1
+
+
text
text
authentihash
-authentihash
-
-
sha512/224
sha512/224
-
-
filename
filename
-
-
tlsh
tlsh
-
-
sha384
sha384
sha512/256
sha512/256
-
-
ssdeep
ssdeep
-
-
sha256
sha256
-
-
pattern-in-file
pattern-in-file
-
-
md5
md5
-
-
malware-sample
malware-sample
-
-
sha224
sha224
-
-
sha512
sha512
-
-
sha1
sha1
tlsh
tlsh
text
-text
sha512/224
sha512/224
+
+
authentihash
authentihash
+
ssdeep
ssdeep
+
+
sha512
sha512
+
+
pattern-in-file
pattern-in-file
+
+
sha256
sha256
+
+
malware-sample
malware-sample
+
+
sha512/256
sha512/256
+
+
sha224
sha224
+
+
filename
filename
+
+
entropy
float
+
+
md5
md5
+
+
region
-text
altitude
float
text
+text
+
+
first-seen
datetime
+
+
longitude
float
+
+
latitude
float
+
+
country
text
altitude
float
-
-
latitude
float
-
-
text
region
text
+
first-seen
datetime
-
-
longitude
float
-
-
user-agent
-user-agent
text
text
+
cookie
basicauth-user
text
@@ -1875,16 +1876,6 @@ http-request is a MISP object available in JSON format at
url
url
-
-
method
http-method
proxy-password
text
-
-
host
hostname
basicauth-user
cookie
text
@@ -1925,6 +1906,26 @@ http-request is a MISP object available in JSON format at
proxy-password
text
+
+
referer
referer
+
+
uri
uri
url
url
+
+
content-type
other
+
+
basicauth-password
text
text
text
-
-
content-type
other
-
-
referer
referer
user-agent
user-agent
dst-port
-port
text
text
text
+first-seen
datetime
+
+
dst-port
port
+
+
JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3.
++ + | ++ja3 is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
description |
text |
||
ip-dst |
+ip-dst |
+
+ + |
+
+ + |
+
ja3-fingerprint-md5 |
+md5 |
+
+ + |
+
+ + |
+
ip-src |
+ip-src |
+
+ + |
+
+ + |
+
last-seen |
+datetime |
+
+ + |
+
+ + |
+
number-sections
+counter
+
+
text
text
+
+
entrypoint-address
text
text
text
-
-
number-sections
counter
-
-
entropy
-float
-
-
sha512/224
sha512/224
-
-
sha384
sha384
-
-
sha512/256
sha512/256
-
-
ssdeep
ssdeep
-
-
sha256
sha256
-
-
md5
md5
sha1
sha1
sha224
-sha224
text
text
+
+
sha384
sha384
+
+
sha512/224
sha512/224
+
+
size-in-bytes
size-in-bytes
+
+
ssdeep
ssdeep
sha1
-sha1
sha256
sha256
text
-text
sha512/256
sha512/256
+
+
sha224
sha224
+
+
entropy
float
size-in-bytes
-size-in-bytes
md5
md5
+
time_first
-datetime
rrname
text
+
+
text
text
rrname
+rdata
text
@@ -2397,17 +2506,7 @@ passive-dns is a MISP object available in JSON format at
rrtype
text
-
-
zone_time_first
time_first
datetime
@@ -2417,7 +2516,27 @@ passive-dns is a MISP object available in JSON format at
rdata
time_last
datetime
+
+
zone_time_last
datetime
+
+
rrtype
text
@@ -2437,8 +2556,8 @@ passive-dns is a MISP object available in JSON format at
bailiwick
text
zone_time_first
datetime
text
+bailiwick
text
zone_time_last
datetime
-
-
time_last
datetime
-
-
company-name
+legal-copyright
text
@@ -2535,7 +2634,7 @@ pe is a MISP object available in JSON format at
entrypoint-section-at-position
product-version
text
@@ -2545,23 +2644,23 @@ pe is a MISP object available in JSON format at
compilation-timestamp
datetime
number-sections
counter
+
impfuzzy
impfuzzy
text
text
+
company-name
+text
+
+
pehash
pehash
+
+
entrypoint-section-at-position
text
+
+
original-filename
filename
imphash
imphash
+
+
type
text
pehash
pehash
compilation-timestamp
datetime
file-version
-text
-
-
legal-copyright
text
-
-
entrypoint-address
text
lang-id
file-version
text
@@ -2655,7 +2774,17 @@ pe is a MISP object available in JSON format at
text
impfuzzy
impfuzzy
+
+
lang-id
text
number-sections
counter
-
-
imphash
imphash
-
-
product-version
text
-
-
entropy
-float
-
-
sha512/224
sha512/224
-
-
characteristic
text
-
-
sha384
sha384
-
-
sha512/256
sha512/256
-
-
ssdeep
ssdeep
-
-
sha256
sha256
-
-
md5
md5
sha1
sha1
sha224
-sha224
text
text
+
+
sha384
sha384
+
+
sha512/224
sha512/224
+
+
size-in-bytes
size-in-bytes
+
+
ssdeep
ssdeep
sha1
-sha1
sha256
sha256
sha512/256
+sha512/256
+
+
sha224
sha224
+
+
characteristic
text
text
+
+
entropy
float
size-in-bytes
-size-in-bytes
md5
md5
+
passport-country
-passport-country
text
text
-
nationality
nationality
-
+
first-name
-first-name
place-of-birth
place-of-birth
redress-number
-redress-number
-
-
date-of-birth
date-of-birth
first-name
first-name
place-of-birth
-place-of-birth
-
-
text
text
-
-
passport-expiration
passport-expiration
date-of-birth
date-of-birth
+
+
passport-number
passport-number
nationality
nationality
+
+
redress-number
redress-number
+
+
passport-country
passport-country
+
+
imsi
+gummei
text
@@ -3089,7 +3188,7 @@ phone is a MISP object available in JSON format at
msisdn
guti
text
@@ -3119,7 +3218,27 @@ phone is a MISP object available in JSON format at
gummei
serial-number
text
+
+
first-seen
datetime
+
+
imsi
text
@@ -3139,7 +3258,7 @@ phone is a MISP object available in JSON format at
serial-number
msisdn
text
first-seen
datetime
-
-
guti
text
-
-
ratio-api
+float
+
+
callback-average
counter
callbacks
counter
+
+
memory-allocations
counter
get-proc-address
not-referenced-strings
counter
@@ -3257,26 +3376,6 @@ r2graphity is a MISP object available in JSON format at
total-api
counter
-
-
refsglobalvar
counter
-
-
referenced-strings
counter
ratio-string
float
-
-
text
text
-
-
callbacks
get-proc-address
counter
@@ -3327,17 +3406,7 @@ r2graphity is a MISP object available in JSON format at
ratio-api
float
-
-
unknown-references
dangling-strings
counter
@@ -3357,7 +3426,67 @@ r2graphity is a MISP object available in JSON format at
not-referenced-strings
text
text
+
+
ratio-functions
float
+
+
shortest-path-to-create-thread
counter
+
+
unknown-references
counter
+
+
ratio-string
float
+
+
gml
attachment
+
+
refsglobalvar
counter
@@ -3377,47 +3506,7 @@ r2graphity is a MISP object available in JSON format at
gml
attachment
-
-
total-functions
counter
-
-
shortest-path-to-create-thread
counter
-
-
ratio-functions
float
-
-
dangling-strings
total-api
counter
total-functions
counter
+
+
regexp-type
+text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
++
comment
comment
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
--
data
-reg-data
-
-
last-modified
datetime
-
-
hive
reg-hive
-
-
name
reg-name
data
reg-data
+
+
hive
reg-hive
+
+
last-modified
datetime
+
+
description
-text
-
-
flags
text
-
-
version
text
-
-
document
text
-
-
first-seen
datetime
-
-
address
ip-src
text
text
+
+
version_line
text
fingerprint
first-seen
datetime
+
+
published
datetime
+
+
document
text
+
+
version
text
@@ -3721,7 +3810,7 @@ tor-node is a MISP object available in JSON format at
text
description
text
@@ -3731,6 +3820,16 @@ tor-node is a MISP object available in JSON format at
fingerprint
text
+
+
nickname
text
last-seen
datetime
flags
text
+
published
last-seen
datetime
@@ -3799,86 +3898,6 @@ url is a MISP object available in JSON format at
domain
domain
-
-
url
url
-
-
port
port
-
-
tld
text
-
-
first-seen
datetime
-
-
host
hostname
-
-
scheme
text
-
-
resource_path
text
-
-
credential
text
domain_without_tld
text
-
-
subdomain
text
-
-
fragment
text
-
-
text
text
first-seen
datetime
+
+
fragment
text
+
+
host
hostname
+
+
subdomain
text
+
+
resource_path
text
+
+
tld
text
+
+
domain
domain
+
+
url
url
+
+
port
port
+
+
scheme
text
+
+
domain_without_tld
text
+
+
query_string
text
modified
datetime
-
-
id
vulnerability
references
link
-
-
vulnerable_configuration
text
-
-
summary
text
references
link
+
+
published
datetime
modified
datetime
+
+
vulnerable_configuration
text
+
+
expiration-date
-datetime
-
-
modification-date
datetime
-
-
registrant-name
whois-registrant-name
-
-
registrant-phone
whois-registrant-phone
-
-
creation-date
datetime
registar
whois-registrar
+
+
expiration-date
datetime
+
+
registrant-phone
whois-registrant-phone
+
+
registrant-email
whois-registrant-email
registar
whois-registar
modification-date
datetime
+
+
registrant-name
whois-registrant-name
issuer
-text
-
-
x509-fingerprint-md5
md5
-
-
raw-base64
text
-
-
subject
text
x509-fingerprint-sha1
sha1
-
-
x509-fingerprint-sha256
sha256
-
-
pubkey-info-exponent
text
-
-
validity-not-before
datetime
-
-
version
text
-
-
pubkey-info-modulus
text
-
-
pubkey-info-size
text
pubkey-info-algorithm
x509-fingerprint-sha256
sha256
+
+
validity-not-after
datetime
+
+
version
text
@@ -4343,7 +4372,17 @@ x509 is a MISP object available in JSON format at
text
x509-fingerprint-sha1
sha1
+
+
pubkey-info-exponent
text
@@ -4363,7 +4402,57 @@ x509 is a MISP object available in JSON format at
validity-not-after
raw-base64
text
+
+
pubkey-info-modulus
text
+
+
issuer
text
+
+
text
text
+
+
pubkey-info-algorithm
text
+
+
validity-not-before
datetime
x509-fingerprint-md5
md5
+
+
comment
+version
comment
@@ -4421,7 +4520,27 @@ yabin is a MISP object available in JSON format at
version
yara
yara
+
+
yara-hunt
yara
+
+
comment
comment
yara-hunt
yara
-
-
yara
yara
-
-