From dd5ebbadd8dd04fb5aa032d59d6ccd7604e4e887 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 6 Sep 2017 09:39:25 +0200
Subject: [PATCH] Objects updated
---
objects.html | 2598 +-
objects.pdf | 68782 ++++++++++++++++++++++++-------------------------
2 files changed, 35370 insertions(+), 36010 deletions(-)
diff --git a/objects.html b/objects.html
index c74ba36..d491366 100755
--- a/objects.html
+++ b/objects.html
@@ -511,6 +511,26 @@ ail-leak is a MISP object available in JSON format at last-seen
datetime
When the leak has been accessible or seen for the last time.
++
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
++
original-date
datetime
first-seen
datetime
When the leak has been accessible or seen for the first time.
++
origin
url
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
--
type
text
first-seen
datetime
When the leak has been accessible or seen for the first time.
--
sensor
text
last-seen
datetime
When the leak has been accessible or seen for the last time.
--
cookie-name
+text
Name of the cookie (if splitted)
++
type
text
cookie-name
text
cookie
cookie
Name of the cookie (if splitted)
+Full cookie
cookie
cookie
Full cookie
--
total-pps
-counter
ip-dst
ip-dst
Packets per second
--
text
text
Description of the DDoS
--
dst-port
port
Destination port of the attack
--
src-port
port
Port originating the attack
--
protocol
text
Protocol used for the attack
+Destination ID (victim)
@@ -767,10 +727,40 @@ ddos is a MISP object available in JSON format at
first-seen
datetime
total-bps
counter
Beginning of the attack
+Bits per second
++
dst-port
port
Destination port of the attack
++
text
text
Description of the DDoS
++
protocol
text
Protocol used for the attack
@@ -787,20 +777,30 @@ ddos is a MISP object available in JSON format at
total-bps
counter
first-seen
datetime
Bits per second
+Beginning of the attack
ip-dst
ip-dst
total-pps
counter
Destination ID (victim)
+Packets per second
++
src-port
port
Port originating the attack
@@ -845,16 +845,6 @@ domain|ip is a MISP object available in JSON format at
domain
domain
Domain name
--
first-seen
datetime
ip
ip-dst
domain
domain
IP Address
+Domain name
++
last-seen
datetime
Last time the tuple has been seen
@@ -885,10 +885,10 @@ domain|ip is a MISP object available in JSON format at
last-seen
datetime
ip
ip-dst
Last time the tuple has been seen
+IP Address
@@ -963,16 +963,6 @@ elf is a MISP object available in JSON format at
type
text
Type of ELF
--
entrypoint-address
text
type
text
Type of ELF
++
sha384
-sha384
md5
md5
Secure Hash Algorithm 2 (384 bits)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
name
text
Name of the section
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
type
text
Type of the section
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
entropy
float
Entropy of the whole section
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+[Insecure] MD5 hash (128 bits)
@@ -1131,16 +1051,6 @@ elf-section is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
text
text
md5
md5
sha1
sha1
[Insecure] MD5 hash (128 bits)
+[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole section
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
@@ -1171,6 +1121,46 @@ elf-section is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
name
text
Name of the section
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
type
text
Type of the section
++
flag
text
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
x-mailer
-email-x-mailer
attachment
email-attachment
X-Mailer generally tells the program that was used to draft and send the original email
+Attachment
message-id
email-message-id
from
email-src
Message ID
+Sender email address
++
reply-to
email-reply-to
Email address the reply will be sent to
@@ -1249,6 +1259,26 @@ email is a MISP object available in JSON format at
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
++
header
email-header
Full headers
++
thread-index
email-thread-index
subject
email-subject
Subject
--
to
email-dst
reply-to
email-reply-to
to-display-name
email-dst-display-name
Email address the reply will be sent to
+Display name of the receiver
header
email-header
message-id
email-message-id
Full headers
+Message ID
attachment
email-attachment
subject
email-subject
Attachment
+Subject
from
email-src
Sender email address
--
to-display-name
email-dst-display-name
Display name of the receiver
--
sha384
-sha384
md5
md5
Secure Hash Algorithm 2 (384 bits)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
entropy
float
Entropy of the whole file
--
pattern-in-file
pattern-in-file
Pattern that can be found in the file
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
malware-sample
malware-sample
The file itself (binary)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+[Insecure] MD5 hash (128 bits)
@@ -1497,10 +1407,10 @@ file is a MISP object available in JSON format at
sha512/256
sha512/256
authentihash
authentihash
Secure Hash Algorithm 2 (256 bits)
+Authenticode executable signature hash
@@ -1517,10 +1427,60 @@ file is a MISP object available in JSON format at
md5
md5
entropy
float
[Insecure] MD5 hash (128 bits)
+Entropy of the whole file
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
malware-sample
malware-sample
The file itself (binary)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
@@ -1537,20 +1497,30 @@ file is a MISP object available in JSON format at
filename
filename
pattern-in-file
pattern-in-file
Filename on disk
+Pattern that can be found in the file
authentihash
authentihash
tlsh
tlsh
Authenticode executable signature hash
+Fuzzy hash by Trend Micro: Locality Sensitive Hash
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
filename
filename
Filename on disk
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
longitude
-float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
--
region
city
text
Region.
+City.
@@ -1635,6 +1625,26 @@ geolocation is a MISP object available in JSON format at
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
last-seen
datetime
When the location was seen for the last time.
++
text
text
city
text
longitude
float
City.
+The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
+
altitude
float
region
text
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
+Region.
last-seen
datetime
When the location was seen for the last time.
--
user-agent
-user-agent
The user agent string of the user agent
--
host
hostname
The domain name of the server
--
proxy-user
text
HTTP Proxy Username
--
content-type
other
url
url
Full HTTP Request URL
--
proxy-password
text
HTTP Proxy Password
--
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
--
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
--
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
--
basicauth-password
text
HTTP Basic Authentication Password
--
uri
uri
Request URI
--
text
text
user-agent
user-agent
The user agent string of the user agent
++
proxy-user
text
HTTP Proxy Username
++
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
++
host
hostname
The domain name of the server
++
proxy-password
text
HTTP Proxy Password
++
basicauth-password
text
HTTP Basic Authentication Password
++
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
++
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
++
url
url
Full HTTP Request URL
++
uri
uri
Request URI
++
ip
+ip-dst
IP Address
++
text
text
dst-port
text
last-seen
datetime
Destination port
--
src-port
text
Source port
+Last time the tuple has been seen
@@ -1941,20 +1941,20 @@ ip|port is a MISP object available in JSON format at
ip
ip-dst
src-port
text
IP Address
+Source port
last-seen
datetime
dst-port
text
Last time the tuple has been seen
+Destination port
@@ -1999,16 +1999,6 @@ macho is a MISP object available in JSON format at
number-sections
counter
Number of sections
--
name
text
entrypoint-address
text
number-sections
counter
Address of the entry point
--
text
text
Free text value to attach to the Mach-O file
+Number of sections
text
text
Free text value to attach to the Mach-O file
++
entrypoint-address
text
Address of the entry point
++
sha384
-sha384
md5
md5
Secure Hash Algorithm 2 (384 bits)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
name
text
Name of the section
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
entropy
float
Entropy of the whole section
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+[Insecure] MD5 hash (128 bits)
@@ -2177,16 +2107,6 @@ macho-section is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
text
text
md5
md5
sha1
sha1
[Insecure] MD5 hash (128 bits)
+[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole section
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
name
text
Name of the section
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
time_last
+zone_time_first
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
--
rrtype
text
Resource Record type as seen by the passive DNS
--
origin
text
Origin of the Passive DNS response
+First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
@@ -2295,10 +2275,10 @@ passive-dns is a MISP object available in JSON format at
sensor_id
rrtype
text
Sensor information where the record was seen
+Resource Record type as seen by the passive DNS
@@ -2325,30 +2305,10 @@ passive-dns is a MISP object available in JSON format at
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
text
bailiwick
text
-
-
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
+Best estimate of the apex of the zone where this data is authoritative
@@ -2365,10 +2325,50 @@ passive-dns is a MISP object available in JSON format at
bailiwick
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
++
sensor_id
text
Best estimate of the apex of the zone where this data is authoritative
+Sensor information where the record was seen
++
origin
text
Origin of the Passive DNS response
++
text
text
+
+
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
@@ -2413,10 +2413,30 @@ pe is a MISP object available in JSON format at
company-name
imphash
imphash
Hash (md5) calculated from the import table
++
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
++
text
text
CompanyName in the resources
+Free text value to attach to the PE
@@ -2433,6 +2453,16 @@ pe is a MISP object available in JSON format at
original-filename
filename
OriginalFilename in the resources
++
internal-filename
filename
lang-id
company-name
text
Lang ID in the resources
--
type
text
Type of PE
--
original-filename
filename
OriginalFilename in the resources
--
entrypoint-address
text
Address of the entry point
--
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
number-sections
counter
Number of sections
--
imphash
imphash
Hash (md5) calculated from the import table
--
legal-copyright
text
LegalCopyright in the resources
--
text
text
Free text value to attach to the PE
--
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
+CompanyName in the resources
@@ -2573,10 +2503,10 @@ pe is a MISP object available in JSON format at
file-version
lang-id
text
FileVersion in the resources
+Lang ID in the resources
number-sections
counter
Number of sections
++
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
++
entrypoint-address
text
Address of the entry point
++
file-version
text
FileVersion in the resources
++
type
text
Type of PE
++
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
++
legal-copyright
text
LegalCopyright in the resources
++
sha384
-sha384
md5
md5
Secure Hash Algorithm 2 (384 bits)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
name
text
Name of the section
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
characteristic
text
Characteristic of the section
--
entropy
float
Entropy of the whole section
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+[Insecure] MD5 hash (128 bits)
@@ -2731,16 +2651,6 @@ pe-section is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
text
text
md5
md5
sha1
sha1
[Insecure] MD5 hash (128 bits)
+[Insecure] Secure Hash Algorithm 1 (160 bits)
++
characteristic
text
Characteristic of the section
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
entropy
float
Entropy of the whole section
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
name
text
Name of the section
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
tmsi
-text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
--
text
text
A description of the phone.
--
first-seen
datetime
When the phone has been accessible or seen for the first time.
--
guti
text
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
--
gummei
text
serial-number
text
text
Serial Number.
+A description of the phone.
+
tmsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
++
serial-number
text
Serial Number.
++
first-seen
datetime
When the phone has been accessible or seen for the first time.
++
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
++
gml
-attachment
Graph export in G>raph Modelling Language format
--
shortest-path-to-create-thread
dangling-strings
counter
Shortest path to the first time the binary calls CreateThread
--
callbacks
counter
Amount of callbacks (functions started as thread)
--
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
referenced-strings
counter
Amount of referenced strings
--
total-api
counter
Total amount of API calls
--
not-referenced-strings
counter
Amount of not referenced strings
+Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
@@ -3037,10 +2977,10 @@ r2graphity is a MISP object available in JSON format at
get-proc-address
referenced-strings
counter
Amount of calls to GetProcAddress
+Amount of referenced strings
@@ -3057,20 +2997,20 @@ r2graphity is a MISP object available in JSON format at
create-thread
counter
ratio-api
float
Amount of calls to CreateThread
+Ratio: amount of API calls per kilobyte of code section
total-functions
get-proc-address
counter
Total amount of functions in the file.
+Amount of calls to GetProcAddress
@@ -3087,26 +3027,6 @@ r2graphity is a MISP object available in JSON format at
callback-average
counter
Average size of a callback
--
local-references
counter
Amount of API calls inside a code section
--
r2-commit-version
text
ratio-api
float
gml
attachment
Ratio: amount of API calls per kilobyte of code section
+Graph export in G>raph Modelling Language format
unknown-references
callback-average
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
+Average size of a callback
dangling-strings
create-thread
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
+Amount of calls to CreateThread
++
callbacks
counter
Amount of callbacks (functions started as thread)
++
not-referenced-strings
counter
Amount of not referenced strings
++
local-references
counter
Amount of API calls inside a code section
miss-api
counter
Amount of API call reference that does not resolve to a function offset
++
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
total-api
counter
Total amount of API calls
++
total-functions
counter
Total amount of functions in the file.
++
name
-reg-name
Name of the registry key
--
hive
reg-hive
last-modified
datetime
Last time the registry key has been modified
--
data-type
reg-datatype
key
reg-key
name
reg-name
Full key path
+Name of the registry key
key
reg-key
Full key path
++
last-modified
datetime
Last time the registry key has been modified
++
address
-ip-src
IP address of the Tor node seen.
--
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
--
published
datetime
fingerprint
text
text
router’s fingerprint.
--
description
text
Tor node description.
+Tor node comment.
@@ -3373,16 +3343,6 @@ tor-node is a MISP object available in JSON format at
text
text
Tor node comment.
--
first-seen
datetime
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
++
description
text
Tor node description.
++
address
ip-src
IP address of the Tor node seen.
++
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
++
fingerprint
text
router’s fingerprint.
++
version_line
text
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
--
domain
-domain
Full domain
--
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
--
query_string
text
url
url
Full URL
--
port
text
domain_without_tld
text
Domain without Top-Level Domain
--
subdomain
text
Subdomain
--
resource_path
text
Path (between hostname:port and query)
--
credential
text
Credential (username, password)
--
text
text
Description of the URL
--
first-seen
datetime
scheme
text
Scheme
--
last-seen
datetime
Last time this URL has been seen
--
host
hostname
credential
text
Credential (username, password)
++
domain_without_tld
text
Domain without Top-Level Domain
++
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
last-seen
datetime
Last time this URL has been seen
++
resource_path
text
Path (between hostname:port and query)
++
domain
domain
Full domain
++
text
text
Description of the URL
++
url
url
Full URL
++
subdomain
text
Subdomain
++
scheme
text
Scheme
++
summary
-text
published
datetime
Summary of the vulnerability
+Initial publication date
@@ -3679,10 +3679,10 @@ vulnerability is a MISP object available in JSON format at
references
link
vulnerable_configuration
text
External references
+The vulnerable configuration is described in CPE format
@@ -3699,20 +3699,20 @@ vulnerability is a MISP object available in JSON format at
vulnerable_configuration
summary
text
The vulnerable configuration is described in CPE format
+Summary of the vulnerability
published
datetime
references
link
Initial publication date
+External references
@@ -3757,6 +3757,26 @@ whois is a MISP object available in JSON format at
creation-date
datetime
Initial creation of the whois entry
++
expiration-date
datetime
Expiration of the whois entry
++
registar
whois-registar
creation-date
datetime
text
text
Initial creation of the whois entry
+Full whois entry
@@ -3797,26 +3817,6 @@ whois is a MISP object available in JSON format at
text
text
Full whois entry
--
registrant-phone
whois-registrant-phone
Registrant phone number
--
registrant-email
whois-registrant-email
expiration-date
datetime
registrant-phone
whois-registrant-phone
Expiration of the whois entry
+Registrant phone number
@@ -3885,40 +3885,10 @@ x509 is a MISP object available in JSON format at
pubkey-info-algorithm
text
validity-not-before
datetime
Algorithm of the public key
--
pubkey-info-exponent
text
Exponent of the public key
--
text
text
Free text description of hte certificate
--
pubkey-info-size
text
Length of the public key (in bits)
+Certificate invalid before that date
@@ -3935,50 +3905,20 @@ x509 is a MISP object available in JSON format at
subject
pubkey-info-algorithm
text
Subject of the certificate
+Algorithm of the public key
version
text
text
Version of the certificate
--
serial-number
text
Serial number of the certificate
--
issuer
text
Issuer of the certificate
--
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
+Free text description of hte certificate
@@ -3995,6 +3935,46 @@ x509 is a MISP object available in JSON format at
pubkey-info-size
text
Length of the public key (in bits)
++
issuer
text
Issuer of the certificate
++
serial-number
text
Serial number of the certificate
++
version
text
Version of the certificate
++
x509-fingerprint-md5
md5
validity-not-before
datetime
pubkey-info-exponent
text
Certificate invalid before that date
+Exponent of the public key
raw-base64
subject
text
Raw certificate base64 encoded
+Subject of the certificate
++
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
raw-base64
text
Raw certificate base64 encoded
++
Relationships are part of MISP object and available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
+Relationships are part of MISP object and available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.