From a69fe62363fd2c2376a5e05156b6c37b3dc7989d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 24 Nov 2017 09:22:03 +0100
Subject: [PATCH] MISP objects updated
---
objects.html | 3454 +-
objects.pdf | 123565 ++++++++++++++++++++++++------------------------
2 files changed, 64351 insertions(+), 62668 deletions(-)
diff --git a/objects.html b/objects.html
index 1e18531..4d1eed3 100755
--- a/objects.html
+++ b/objects.html
@@ -556,6 +556,16 @@ ail-leak is a MISP object available in JSON format at type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
duplicate_number
counter
duplicate
sensor
text
Duplicate of the existing leaks.
--
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
+The AIL sensor uuid where the leak was processed and analysed.
@@ -596,6 +596,16 @@ ail-leak is a MISP object available in JSON format at
duplicate
text
Duplicate of the existing leaks.
++
first-seen
datetime
original-date
datetime
text
text
When the information available in the leak was created. It’s usually before the first-seen.
+A description of the leak which could include the potential victim(s) or description of the leak.
sensor
text
The AIL sensor uuid where the leak was processed and analysed.
--
raw-data
text
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
text
-text
original-date
datetime
A description of the leak which could include the potential victim(s) or description of the leak.
+When the information available in the leak was created. It’s usually before the first-seen.
@@ -704,30 +704,10 @@ asn is a MISP object available in JSON format at
mp-export
export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
asn
AS
Autonomous System Number
+The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
@@ -754,6 +734,16 @@ asn is a MISP object available in JSON format at
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
++
last-seen
datetime
export
text
asn
AS
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
+Autonomous System Number
@@ -784,6 +774,16 @@ asn is a MISP object available in JSON format at
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
++
first-seen
datetime
software
text
Name of antivirus software
++
datetime
datetime
software
text
Name of antivirus software
--
cookie
-cookie
Full cookie
--
cookie-name
text
Name of the cookie (if splitted)
--
type
text
cookie-value
text
cookie
cookie
Value of the cookie (if splitted)
+Full cookie
cookie-name
text
Name of the cookie (if splitted)
++
cookie-value
text
Value of the cookie (if splitted)
++
format
-text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
--
notification
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
--
type
text
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
++
text
text
notification
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
++
origin
text
version
text
comment
comment
Version of the card.
+A description of the card.
++
issued
datetime
Initial date of validity or issued date.
@@ -1126,10 +1136,20 @@ credit-card is a MISP object available in JSON format at
comment
comment
version
text
A description of the card.
+Version of the card.
++
name
text
Name of the card owner.
issued
datetime
Initial date of validity or issued date.
--
name
text
Name of the card owner.
--
src-port
-port
Port originating the attack
--
ip-src
ip-src
IP address originating the attack
--
dst-port
port
Destination port of the attack
--
first-seen
datetime
Beginning of the attack
--
last-seen
datetime
End of the attack
--
total-bps
counter
ip-dst
ip-dst
domain-dst
domain
Destination ID (victim)
+Destination domain (victim)
@@ -1304,6 +1254,46 @@ ddos is a MISP object available in JSON format at
ip-src
ip-src
IP address originating the attack
++
first-seen
datetime
Beginning of the attack
++
ip-dst
ip-dst
Destination IP (victim)
++
last-seen
datetime
End of the attack
++
text
text
dst-port
port
Destination port of the attack
++
src-port
port
Port originating the attack
++
domain
-domain
Domain name
--
ip
ip-dst
last-seen
first-seen
datetime
Last time the tuple has been seen
+First time the tuple has been seen
++
domain
domain
Domain name
@@ -1392,10 +1402,10 @@ domain-ip is a MISP object available in JSON format at
first-seen
last-seen
datetime
First time the tuple has been seen
+Last time the tuple has been seen
@@ -1440,6 +1450,26 @@ elf is a MISP object available in JSON format at
number-sections
counter
Number of sections
++
arch
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
++
type
text
number-sections
counter
Number of sections
--
entrypoint-address
text
arch
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
--
sha512
-sha512
Secure Hash Algorithm 2 (512 bits)
--
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
sha512/256
sha512/256
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
sha224
-sha224
md5
md5
Secure Hash Algorithm 2 (224 bits)
+[Insecure] MD5 hash (128 bits)
@@ -1598,6 +1578,46 @@ elf-section is a MISP object available in JSON format at
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
md5
md5
flag
text
[Insecure] MD5 hash (128 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
+Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
@@ -1658,30 +1668,30 @@ elf-section is a MISP object available in JSON format at
ssdeep
ssdeep
size-in-bytes
size-in-bytes
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Size of the section, in bytes
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
sha256
sha256
sha384
sha384
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Secure Hash Algorithm 2 (384 bits)
@@ -1726,6 +1736,36 @@ email is a MISP object available in JSON format at
send-date
datetime
Date the email has been sent
++
header
email-header
Full headers
++
attachment
email-attachment
Attachment
++
thread-index
email-thread-index
to-display-name
email-dst-display-name
to
email-dst
Display name of the receiver
--
reply-to
email-reply-to
Email address the reply will be sent to
+Destination email address
@@ -1766,40 +1796,30 @@ email is a MISP object available in JSON format at
send-date
datetime
mime-boundary
email-mime-boundary
Date the email has been sent
--
attachment
email-attachment
Attachment
+MIME Boundary
x-mailer
email-x-mailer
reply-to
email-reply-to
X-Mailer generally tells the program that was used to draft and send the original email
+Email address the reply will be sent to
from-display-name
email-src-display-name
from
email-src
Display name of the sender
+Sender email address
@@ -1826,20 +1846,20 @@ email is a MISP object available in JSON format at
return-path
text
from-display-name
email-src-display-name
Message return path
+Display name of the sender
to
email-dst
to-display-name
email-dst-display-name
Destination email address
+Display name of the receiver
@@ -1856,30 +1876,20 @@ email is a MISP object available in JSON format at
from
email-src
return-path
text
Sender email address
+Message return path
header
email-header
x-mailer
email-x-mailer
Full headers
--
mime-boundary
email-mime-boundary
MIME Boundary
+X-Mailer generally tells the program that was used to draft and send the original email
@@ -1924,80 +1934,10 @@ file is a MISP object available in JSON format at
sha512
sha512
size-in-bytes
size-in-bytes
Secure Hash Algorithm 2 (512 bits)
--
mimetype
text
Mime type
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
malware-sample
malware-sample
The file itself (binary)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
entropy
float
Entropy of the whole file
+Size of the file, in bytes
@@ -2014,23 +1954,103 @@ file is a MISP object available in JSON format at
size-in-bytes
size-in-bytes
malware-sample
malware-sample
Size of the file, in bytes
+The file itself (binary)
++
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
filename
filename
Filename on disk
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole file
state
mimetype
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
+Mime type
+
authentihash
-authentihash
Authenticode executable signature hash
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha256
sha256
filename
filename
sha224
sha224
Filename on disk
+Secure Hash Algorithm 2 (224 bits)
sha1
sha1
authentihash
authentihash
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Authenticode executable signature hash
state
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
++
region
-text
altitude
float
Region.
+The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
first-seen
datetime
longitude
float
When the location was seen for the first time.
+The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
country
text
Country.
++
last-seen
datetime
altitude
float
first-seen
datetime
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
+When the location was seen for the first time.
++
region
text
Region.
country
text
text
Country.
+A generic description of the location.
+
text
text
A generic description of the location.
--
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
--
content-type
-other
proxy-user
text
The MIME type of the body of the request
+HTTP Proxy Username
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
++
host
hostname
text
text
HTTP Request comment
++
basicauth-password
text
user-agent
user-agent
The user agent string of the user agent
++
basicauth-user
text
HTTP Basic Authentication Username
++
content-type
other
The MIME type of the body of the request
++
uri
uri
Request URI
++
url
url
Full HTTP Request URL
++
cookie
text
uri
uri
Request URI
--
user-agent
user-agent
The user agent string of the user agent
--
proxy-password
text
url
url
Full HTTP Request URL
--
basicauth-user
text
HTTP Basic Authentication Username
--
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
--
text
text
HTTP Request comment
--
proxy-user
text
HTTP Proxy Username
--
src-port
-port
ip
ip-dst
Source port
--
dst-port
port
Destination port
--
first-seen
datetime
First time the tuple has been seen
+IP Address
@@ -2488,20 +2478,40 @@ ip-port is a MISP object available in JSON format at
ip
ip-dst
text
text
IP Address
+Description of the tuple
text
text
first-seen
datetime
Description of the tuple
+First time the tuple has been seen
++
dst-port
port
Destination port
++
src-port
port
Source port
@@ -2556,26 +2566,6 @@ ja3 is a MISP object available in JSON format at
ja3-fingerprint-md5
md5
Hash identifying source
--
first-seen
datetime
First seen of the SSL/TLS handshake
--
last-seen
datetime
first-seen
datetime
First seen of the SSL/TLS handshake
++
ja3-fingerprint-md5
md5
Hash identifying source
++
entrypoint-address
-text
number-sections
counter
Address of the entry point
+Number of sections
name
text
Binary’s name
++
type
text
name
entrypoint-address
text
Binary’s name
--
number-sections
counter
Number of sections
+Address of the entry point
@@ -2732,28 +2742,8 @@ macho-section is a MISP object available in JSON format at
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
sha512/256
sha512/256
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
sha224
-sha224
md5
md5
Secure Hash Algorithm 2 (224 bits)
+[Insecure] MD5 hash (128 bits)
@@ -2782,30 +2772,50 @@ macho-section is a MISP object available in JSON format at
entropy
float
sha1
sha1
Entropy of the whole section
--
md5
md5
[Insecure] MD5 hash (128 bits)
+[Insecure] Secure Hash Algorithm 1 (160 bits)
size-in-bytes
size-in-bytes
sha512
sha512
Size of the section, in bytes
+Secure Hash Algorithm 2 (512 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole section
@@ -2832,30 +2842,30 @@ macho-section is a MISP object available in JSON format at
ssdeep
ssdeep
size-in-bytes
size-in-bytes
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Size of the section, in bytes
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
sha256
sha256
sha384
sha384
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Secure Hash Algorithm 2 (384 bits)
@@ -2900,6 +2910,26 @@ microblog is a MISP object available in JSON format at
link
url
Link into the microblog post
++
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
++
post
text
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
--
username
text
removal-date
datetime
When the microblog post was removed
--
link
url
Link into the microblog post
--
url
url
removal-date
datetime
When the microblog post was removed
++
username-quoted
text
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
last-packet-seen
datetime
Last packet seen in this flow
++
tcp-flags
text
dst-port
port
dst-as
AS
Destination port of the netflow
+Destination AS number for this flow
packet-count
byte-count
counter
Packets counted in this flow
+Bytes counted in this flow
@@ -3068,6 +3108,66 @@ netflow is a MISP object available in JSON format at
dst-port
port
Destination port of the netflow
++
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
++
src-port
port
Source port of the netflow
++
direction
text
Direction of this flow ['Ingress', 'Egress']
++
first-packet-seen
datetime
First packet seen in this flow
++
packet-count
counter
Packets counted in this flow
++
ip_version
counter
direction
text
ip-dst
ip-dst
Direction of this flow ['Ingress', 'Egress']
--
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
+IP address destination of the netflow
src-port
port
Source port of the netflow
--
ip-protocol-number
size-in-bytes
IP protocol number of this flow
--
last-packet-seen
datetime
Last packet seen in this flow
--
dst-as
AS
Destination AS number for this flow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
byte-count
counter
Bytes counted in this flow
--
ip-dst
ip-dst
IP address destination of the netflow
--
first-packet-seen
datetime
First packet seen in this flow
--
rrtype
-text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
--
zone_time_last
zone_time_first
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
+First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
@@ -3266,30 +3266,20 @@ passive-dns is a MISP object available in JSON format at
bailiwick
rrname
text
Best estimate of the apex of the zone where this data is authoritative
+Resource Record name of the queried resource
sensor_id
rrtype
text
Sensor information where the record was seen
--
origin
text
Origin of the Passive DNS response
+Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
@@ -3306,10 +3296,20 @@ passive-dns is a MISP object available in JSON format at
time_last
datetime
text
text
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
++
+
sensor_id
text
Sensor information where the record was seen
@@ -3326,30 +3326,40 @@ passive-dns is a MISP object available in JSON format at
rrname
text
Resource Record name of the queried resource
--
text
text
-
-
zone_time_first
time_last
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
+Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
++
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
++
origin
text
Origin of the Passive DNS response
@@ -3394,23 +3404,23 @@ paste is a MISP object available in JSON format at
paste
title
text
Raw text of the paste or post
+Title of the paste or post.
first-seen
datetime
origin
text
When the paste has been accessible or seen for the first time.
+Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
+
title
+paste
text
Title of the paste or post.
+Raw text of the paste or post
origin
text
first-seen
datetime
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
+When the paste has been accessible or seen for the first time.
+
impfuzzy
-impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
product-version
legal-copyright
text
ProductVersion in the resources
--
number-sections
counter
Number of sections
--
imphash
imphash
Hash (md5) calculated from the import table
--
internal-filename
filename
InternalFilename in the resources
--
entrypoint-address
text
Address of the entry point
--
product-name
text
ProductName in the resources
--
file-version
text
FileVersion in the resources
+LegalCopyright in the resources
@@ -3582,16 +3522,126 @@ pe is a MISP object available in JSON format at
lang-id
file-description
text
Lang ID in the resources
+FileDescription in the resources
entrypoint-address
text
Address of the entry point
++
internal-filename
filename
InternalFilename in the resources
++
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
++
product-version
text
ProductVersion in the resources
++
text
text
Free text value to attach to the PE
++
file-version
text
FileVersion in the resources
++
original-filename
filename
OriginalFilename in the resources
++
number-sections
counter
Number of sections
++
product-name
text
ProductName in the resources
++
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
imphash
imphash
Hash (md5) calculated from the import table
++
compilation-timestamp
datetime
file-description
text
impfuzzy
impfuzzy
FileDescription in the resources
--
original-filename
filename
OriginalFilename in the resources
+Fuzzy Hash (ssdeep) calculated from the import table
type
lang-id
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
text
text
Free text value to attach to the PE
--
legal-copyright
text
LegalCopyright in the resources
+Lang ID in the resources
@@ -3710,28 +3720,8 @@ pe-section is a MISP object available in JSON format at
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
sha512/256
sha512/256
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
sha224
-sha224
md5
md5
Secure Hash Algorithm 2 (224 bits)
+[Insecure] MD5 hash (128 bits)
@@ -3770,30 +3760,50 @@ pe-section is a MISP object available in JSON format at
entropy
float
sha1
sha1
Entropy of the whole section
--
md5
md5
[Insecure] MD5 hash (128 bits)
+[Insecure] Secure Hash Algorithm 1 (160 bits)
size-in-bytes
size-in-bytes
sha512
sha512
Size of the section, in bytes
+Secure Hash Algorithm 2 (512 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole section
@@ -3820,30 +3830,30 @@ pe-section is a MISP object available in JSON format at
ssdeep
ssdeep
size-in-bytes
size-in-bytes
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Size of the section, in bytes
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
sha256
sha256
sha384
sha384
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Secure Hash Algorithm 2 (384 bits)
@@ -3898,46 +3908,6 @@ person is a MISP object available in JSON format at
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
--
passport-expiration
passport-expiration
The expiration date of a passport.
--
middle-name
middle-name
Middle name of a natural person
--
last-name
last-name
Last name of a natural person.
--
first-name
first-name
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
--
nationality
nationality
The nationality of a natural person.
--
passport-number
passport-number
The passport number of a natural person.
--
place-of-birth
place-of-birth
Place of birth of a natural person.
--
text
text
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
++
passport-country
passport-country
nationality
nationality
The nationality of a natural person.
++
middle-name
middle-name
Middle name of a natural person
++
place-of-birth
place-of-birth
Place of birth of a natural person.
++
passport-expiration
passport-expiration
The expiration date of a passport.
++
last-name
last-name
Last name of a natural person.
++
passport-number
passport-number
The passport number of a natural person.
++
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
++
msisdn
+text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
++
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
++
serial-number
text
Serial Number.
++
text
text
A description of the phone.
++
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
++
last-seen
datetime
When the phone has been accessible or seen for the last time.
++
tmsi
text
last-seen
datetime
When the phone has been accessible or seen for the last time.
--
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
--
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
--
gummei
text
serial-number
text
Serial Number.
--
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
--
text
text
A description of the phone.
--
r2-commit-version
-text
Radare2 commit ID used to generate this object
--
callbacks
memory-allocations
counter
Amount of callbacks (functions started as thread)
--
create-thread
counter
Amount of calls to CreateThread
--
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
--
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
+Amount of memory allocations
@@ -4244,20 +4214,30 @@ r2graphity is a MISP object available in JSON format at
text
text
callback-largest
counter
Description of the r2graphity object
+Largest callback
ratio-functions
float
r2-commit-version
text
Ratio: amount of functions per kilobyte of code section
+Radare2 commit ID used to generate this object
++
text
text
Description of the r2graphity object
@@ -4274,30 +4254,30 @@ r2graphity is a MISP object available in JSON format at
callback-largest
referenced-strings
counter
Largest callback
+Amount of referenced strings
gml
attachment
total-functions
counter
Graph export in G>raph Modelling Language format
+Total amount of functions in the file.
local-references
get-proc-address
counter
Amount of API calls inside a code section
+Amount of calls to GetProcAddress
@@ -4324,60 +4304,10 @@ r2graphity is a MISP object available in JSON format at
dangling-strings
refsglobalvar
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
--
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
--
total-functions
counter
Total amount of functions in the file.
--
memory-allocations
counter
Amount of memory allocations
--
referenced-strings
counter
Amount of referenced strings
--
get-proc-address
counter
Amount of calls to GetProcAddress
+Amount of API calls outside of code section (glob var, dynamic API)
@@ -4394,6 +4324,36 @@ r2graphity is a MISP object available in JSON format at
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
++
gml
attachment
Graph export in G>raph Modelling Language format
++
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
++
total-api
counter
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
++
local-references
counter
Amount of API calls inside a code section
++
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
create-thread
counter
Amount of calls to CreateThread
++
callbacks
counter
Amount of callbacks (functions started as thread)
++
regexp-type
-text
comment
comment
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
+A description of the regular expression.
+
comment
-comment
regexp-type
text
A description of the regular expression.
+Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
+
data-type
+reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
++
name
reg-name
Name of the registry key
++
last-modified
datetime
data-type
reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
--
name
reg-name
Name of the registry key
--
case-number
+summary
text
Case number
+Free text summary of the report
summary
case-number
text
Free text summary of the report
+Case number
@@ -4666,16 +4676,6 @@ rtir is a MISP object available in JSON format at
classification
text
Classification of the RTIR ticket
--
ip
ip-dst
constituency
status
text
Constituency of the RTIR ticket
+Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
@@ -4706,10 +4706,20 @@ rtir is a MISP object available in JSON format at
subject
constituency
text
Subject of the RTIR ticket
+Constituency of the RTIR ticket
++
classification
text
Classification of the RTIR ticket
@@ -4726,10 +4736,10 @@ rtir is a MISP object available in JSON format at
status
subject
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
+Subject of the RTIR ticket
@@ -4774,6 +4784,16 @@ tor-node is a MISP object available in JSON format at
fingerprint
text
router’s fingerprint.
++
description
text
nickname
text
router’s nickname.
--
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
--
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
--
version_line
text
versioning information reported by the node.
--
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
--
flags
text
list of flag associated with the node.
--
address
ip-src
IP address of the Tor node seen.
--
document
text
Raw document from the consensus.
--
published
datetime
fingerprint
version_line
text
router’s fingerprint.
+versioning information reported by the node.
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
++
text
text
flags
text
list of flag associated with the node.
++
document
text
Raw document from the consensus.
++
nickname
text
router’s nickname.
++
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
++
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
address
ip-src
IP address of the Tor node seen.
++
domain
-domain
scheme
text
Full domain
+Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
+
first-seen
datetime
domain_without_tld
text
First time this URL has been seen
+Domain without Top-Level Domain
@@ -4962,76 +4972,6 @@ url is a MISP object available in JSON format at
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
--
tld
text
Top-Level Domain
--
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
host
hostname
Full hostname
--
resource_path
text
Path (between hostname:port and query)
--
subdomain
text
Subdomain
--
credential
text
Credential (username, password)
--
text
text
port
port
Port number
--
url
url
Full URL
--
query_string
text
domain_without_tld
tld
text
Domain without Top-Level Domain
+Top-Level Domain
++
domain
domain
Full domain
port
port
Port number
++
credential
text
Credential (username, password)
++
resource_path
text
Path (between hostname:port and query)
++
url
url
Full URL
++
host
hostname
Full hostname
++
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
first-seen
datetime
First time this URL has been seen
++
subdomain
text
Subdomain
++
roles
+text
The list of roles targeted within the victim.
++
description
text
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
name
text
The name of the victim targeted. The name can be an organisation or a group of organisations.
++
classification
text
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
--
roles
text
The list of roles targeted within the victim.
--
name
text
The name of the victim targeted. The name can be an organisation or a group of organisations.
--
first-submission
+last-submission
datetime
First Submission
+Last Submission
last-submission
community-score
text
Community Score
++
first-submission
datetime
Last Submission
+First Submission
community-score
text
Community Score
--
id
-vulnerability
Vulnerability ID (generally CVE, but not necessarely)
--
summary
text
id
vulnerability
Vulnerability ID (generally CVE, but not necessarely)
++
modification-date
-datetime
registar
whois-registrar
Last update of the whois entry
--
registrant-phone
whois-registrant-phone
Registrant phone number
--
creation-date
datetime
Initial creation of the whois entry
+Registrar of the whois entry
@@ -5454,30 +5444,30 @@ whois is a MISP object available in JSON format at
registrant-name
whois-registrant-name
registrant-phone
whois-registrant-phone
Registrant name
+Registrant phone number
expiration-date
modification-date
datetime
Expiration of the whois entry
+Last update of the whois entry
registar
whois-registrar
creation-date
datetime
Registrar of the whois entry
+Initial creation of the whois entry
expiration-date
datetime
Expiration of the whois entry
++
registrant-name
whois-registrant-name
Registrant name
++
pubkey-info-exponent
-text
Exponent of the public key
--
subject
text
Subject of the certificate
--
validity-not-before
datetime
Certificate invalid before that date
--
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
x509-fingerprint-md5
md5
version
text
Version of the certificate
--
pubkey-info-size
text
Length of the public key (in bits)
--
raw-base64
text
Raw certificate base64 encoded
--
pubkey-info-modulus
text
Modulus of the public key
--
pubkey-info-algorithm
text
Algorithm of the public key
--
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
serial-number
text
subject
text
Subject of the certificate
++
issuer
text
validity-not-before
datetime
Certificate invalid before that date
++
pubkey-info-modulus
text
Modulus of the public key
++
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
pubkey-info-exponent
text
Exponent of the public key
++
raw-base64
text
Raw certificate base64 encoded
++
version
text
Version of the certificate
++
pubkey-info-size
text
Length of the public key (in bits)
++
pubkey-info-algorithm
text
Algorithm of the public key
++
yara
-yara
Yara rule generated from -y.
--
yara-hunt
yara
Wide yara rule generated from -yh.
--
whitelist
version
comment
Whitelist name used to generate the rules.
+yabin.py and regex.txt version used for the generation of the yara rules.
@@ -5770,15 +5760,35 @@ yabin is a MISP object available in JSON format at
version
whitelist
comment
yabin.py and regex.txt version used for the generation of the yara rules.
+Whitelist name used to generate the rules.
yara-hunt
yara
Wide yara rule generated from -yh.
++
yara
yara
Yara rule generated from -y.
++