<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<!--[if IE]><meta http-equiv="X-UA-Compatible" content="IE=edge"><![endif]-->
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 1.5.6.1">
<title>MISP Objects</title>
<!-- Google Fonts returns UA-specific CSS, so this stylesheet cannot be pinned with Subresource Integrity;
     each page view also discloses the visitor's IP and referrer to fonts.googleapis.com.
     Self-host the font files if third-party exposure matters for this site. -->
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400,700">
<!-- The default Asciidoctor stylesheet is inlined below. Under a Content-Security-Policy this block
     needs a style-src nonce or hash (or the weaker 'unsafe-inline'); moving it to an external file avoids that. -->
<style>
/* Asciidoctor default stylesheet | MIT License | http://asciidoctor.org */
/* Remove comment around @import statement below when using as a custom stylesheet */
/*@import "https://fonts.googleapis.com/css?family=Open+Sans:300,300italic,400,400italic,600,600italic%7CNoto+Serif:400,400italic,700,700italic%7CDroid+Sans+Mono:400,700";*/
article,aside,details,figcaption,figure,footer,header,hgroup,main,nav,section,summary{display:block}
audio,canvas,video{display:inline-block}
audio:not([controls]){display:none;height:0}
[hidden],template{display:none}
script{display:none!important}
html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}
a{background:transparent}
a:focus{outline:thin dotted}
a:active,a:hover{outline:0}
h1{font-size:2em;margin:.67em 0}
abbr[title]{border-bottom:1px dotted}
b,strong{font-weight:bold}
dfn{font-style:italic}
hr{-moz-box-sizing:content-box;box-sizing:content-box;height:0}
mark{background:#ff0;color:#000}
code,kbd,pre,samp{font-family:monospace;font-size:1em}
pre{white-space:pre-wrap}
q{quotes:"\201C" "\201D" "\2018" "\2019"}
small{font-size:80%}
sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}
sup{top:-.5em}
sub{bottom:-.25em}
img{border:0}
svg:not(:root){overflow:hidden}
figure{margin:0}
fieldset{border:1px solid silver;margin:0 2px;padding:.35em .625em .75em}
legend{border:0;padding:0}
button,input,select,textarea{font-family:inherit;font-size:100%;margin:0}
button,input{line-height:normal}
button,select{text-transform:none}
button,html input[type="button"],input[type="reset"],input[type="submit"]{-webkit-appearance:button;cursor:pointer}
button[disabled],html input[disabled]{cursor:default}
input[type="checkbox"],input[type="radio"]{box-sizing:border-box;padding:0}
input[type="search"]{-webkit-appearance:textfield;-moz-box-sizing:content-box;-webkit-box-sizing:content-box;box-sizing:content-box}
input[type="search"]::-webkit-search-cancel-button,input[type="search"]::-webkit-search-decoration{-webkit-appearance:none}
button::-moz-focus-inner,input::-moz-focus-inner{border:0;padding:0}
textarea{overflow:auto;vertical-align:top}
table{border-collapse:collapse;border-spacing:0}
*,*:before,*:after{-moz-box-sizing:border-box;-webkit-box-sizing:border-box;box-sizing:border-box}
html,body{font-size:100%}
body{background:#fff;color:rgba(0,0,0,.8);padding:0;margin:0;font-family:"Noto Serif","DejaVu Serif",serif;font-weight:400;font-style:normal;line-height:1;position:relative;cursor:auto;tab-size:4;-moz-osx-font-smoothing:grayscale;-webkit-font-smoothing:antialiased}
a:hover{cursor:pointer}
img,object,embed{max-width:100%;height:auto}
object,embed{height:100%}
img{-ms-interpolation-mode:bicubic}
.left{float:left!important}
.right{float:right!important}
.text-left{text-align:left!important}
.text-right{text-align:right!important}
.text-center{text-align:center!important}
.text-justify{text-align:justify!important}
.hide{display:none}
img,object,svg{display:inline-block;vertical-align:middle}
textarea{height:auto;min-height:50px}
select{width:100%}
.center{margin-left:auto;margin-right:auto}
.spread{width:100%}
p.lead,.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{font-size:1.21875em;line-height:1.6}
.subheader,.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{line-height:1.45;color:#7a2518;font-weight:400;margin-top:0;margin-bottom:.25em}
div,dl,dt,dd,ul,ol,li,h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6,pre,form,p,blockquote,th,td{margin:0;padding:0;direction:ltr}
a{color:#2156a5;text-decoration:underline;line-height:inherit}
a:hover,a:focus{color:#1d4b8f}
a img{border:none}
p{font-family:inherit;font-weight:400;font-size:1em;line-height:1.6;margin-bottom:1.25em;text-rendering:optimizeLegibility}
p aside{font-size:.875em;line-height:1.35;font-style:italic}
h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{font-family:"Open Sans","DejaVu Sans",sans-serif;font-weight:300;font-style:normal;color:#ba3925;text-rendering:optimizeLegibility;margin-top:1em;margin-bottom:.5em;line-height:1.0125em}
h1 small,h2 small,h3 small,#toctitle small,.sidebarblock>.content>.title small,h4 small,h5 small,h6 small{font-size:60%;color:#e99b8f;line-height:0}
h1{font-size:2.125em}
h2{font-size:1.6875em}
h3,#toctitle,.sidebarblock>.content>.title{font-size:1.375em}
h4,h5{font-size:1.125em}
h6{font-size:1em}
hr{border:solid #ddddd8;border-width:1px 0 0;clear:both;margin:1.25em 0 1.1875em;height:0}
em,i{font-style:italic;line-height:inherit}
strong,b{font-weight:bold;line-height:inherit}
small{font-size:60%;line-height:inherit}
code{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;color:rgba(0,0,0,.9)}
ul,ol,dl{font-size:1em;line-height:1.6;margin-bottom:1.25em;list-style-position:outside;font-family:inherit}
ul,ol{margin-left:1.5em}
ul li ul,ul li ol{margin-left:1.25em;margin-bottom:0;font-size:1em}
ul.square li ul,ul.circle li ul,ul.disc li ul{list-style:inherit}
ul.square{list-style-type:square}
ul.circle{list-style-type:circle}
ul.disc{list-style-type:disc}
ol li ul,ol li ol{margin-left:1.25em;margin-bottom:0}
dl dt{margin-bottom:.3125em;font-weight:bold}
dl dd{margin-bottom:1.25em}
abbr,acronym{text-transform:uppercase;font-size:90%;color:rgba(0,0,0,.8);border-bottom:1px dotted #ddd;cursor:help}
abbr{text-transform:none}
blockquote{margin:0 0 1.25em;padding:.5625em 1.25em 0 1.1875em;border-left:1px solid #ddd}
blockquote cite{display:block;font-size:.9375em;color:rgba(0,0,0,.6)}
blockquote cite:before{content:"\2014 \0020"}
blockquote cite a,blockquote cite a:visited{color:rgba(0,0,0,.6)}
blockquote,blockquote p{line-height:1.6;color:rgba(0,0,0,.85)}
@media only screen and (min-width:768px){h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2}
h1{font-size:2.75em}
h2{font-size:2.3125em}
h3,#toctitle,.sidebarblock>.content>.title{font-size:1.6875em}
h4{font-size:1.4375em}}
table{background:#fff;margin-bottom:1.25em;border:solid 1px #dedede}
table thead,table tfoot{background:#f7f8f7;font-weight:bold}
table thead tr th,table thead tr td,table tfoot tr th,table tfoot tr td{padding:.5em .625em .625em;font-size:inherit;color:rgba(0,0,0,.8);text-align:left}
table tr th,table tr td{padding:.5625em .625em;font-size:inherit;color:rgba(0,0,0,.8)}
table tr.even,table tr.alt,table tr:nth-of-type(even){background:#f8f8f7}
table thead tr th,table tfoot tr th,table tbody tr td,table tr td,table tfoot tr td{display:table-cell;line-height:1.6}
h1,h2,h3,#toctitle,.sidebarblock>.content>.title,h4,h5,h6{line-height:1.2;word-spacing:-.05em}
h1 strong,h2 strong,h3 strong,#toctitle strong,.sidebarblock>.content>.title strong,h4 strong,h5 strong,h6 strong{font-weight:400}
.clearfix:before,.clearfix:after,.float-group:before,.float-group:after{content:" ";display:table}
.clearfix:after,.float-group:after{clear:both}
*:not(pre)>code{font-size:.9375em;font-style:normal!important;letter-spacing:0;padding:.1em .5ex;word-spacing:-.15em;background-color:#f7f7f8;-webkit-border-radius:4px;border-radius:4px;line-height:1.45;text-rendering:optimizeSpeed;word-wrap:break-word}
*:not(pre)>code.nobreak{word-wrap:normal}
*:not(pre)>code.nowrap{white-space:nowrap}
pre,pre>code{line-height:1.45;color:rgba(0,0,0,.9);font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;font-weight:400;text-rendering:optimizeSpeed}
em em{font-style:normal}
strong strong{font-weight:400}
.keyseq{color:rgba(51,51,51,.8)}
kbd{font-family:"Droid Sans Mono","DejaVu Sans Mono",monospace;display:inline-block;color:rgba(0,0,0,.8);font-size:.65em;line-height:1.45;background-color:#f7f7f7;border:1px solid #ccc;-webkit-border-radius:3px;border-radius:3px;-webkit-box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em white inset;box-shadow:0 1px 0 rgba(0,0,0,.2),0 0 0 .1em #fff inset;margin:0 .15em;padding:.2em .5em;vertical-align:middle;position:relative;top:-.1em;white-space:nowrap}
.keyseq kbd:first-child{margin-left:0}
.keyseq kbd:last-child{margin-right:0}
.menuseq,.menuref{color:#000}
.menuseq b:not(.caret),.menuref{font-weight:inherit}
.menuseq{word-spacing:-.02em}
.menuseq b.caret{font-size:1.25em;line-height:.8}
.menuseq i.caret{font-weight:bold;text-align:center;width:.45em}
b.button:before,b.button:after{position:relative;top:-1px;font-weight:400}
b.button:before{content:"[";padding:0 3px 0 2px}
b.button:after{content:"]";padding:0 2px 0 3px}
p a>code:hover{color:rgba(0,0,0,.9)}
#header,#content,#footnotes,#footer{width:100%;margin-left:auto;margin-right:auto;margin-top:0;margin-bottom:0;max-width:62.5em;*zoom:1;position:relative;padding-left:.9375em;padding-right:.9375em}
#header:before,#header:after,#content:before,#content:after,#footnotes:before,#footnotes:after,#footer:before,#footer:after{content:" ";display:table}
#header:after,#content:after,#footnotes:after,#footer:after{clear:both}
#content{margin-top:1.25em}
#content:before{content:none}
#header>h1:first-child{color:rgba(0,0,0,.85);margin-top:2.25rem;margin-bottom:0}
#header>h1:first-child+#toc{margin-top:8px;border-top:1px solid #ddddd8}
#header>h1:only-child,body.toc2 #header>h1:nth-last-child(2){border-bottom:1px solid #ddddd8;padding-bottom:8px}
#header .details{border-bottom:1px solid #ddddd8;line-height:1.45;padding-top:.25em;padding-bottom:.25em;padding-left:.25em;color:rgba(0,0,0,.6);display:-ms-flexbox;display:-webkit-flex;display:flex;-ms-flex-flow:row wrap;-webkit-flex-flow:row wrap;flex-flow:row wrap}
#header .details span:first-child{margin-left:-.125em}
#header .details span.email a{color:rgba(0,0,0,.85)}
#header .details br{display:none}
#header .details br+span:before{content:"\00a0\2013\00a0"}
#header .details br+span.author:before{content:"\00a0\22c5\00a0";color:rgba(0,0,0,.85)}
#header .details br+span#revremark:before{content:"\00a0|\00a0"}
#header #revnumber{text-transform:capitalize}
#header #revnumber:after{content:"\00a0"}
#content>h1:first-child:not([class]){color:rgba(0,0,0,.85);border-bottom:1px solid #ddddd8;padding-bottom:8px;margin-top:0;padding-top:1rem;margin-bottom:1.25rem}
#toc{border-bottom:1px solid #efefed;padding-bottom:.5em}
#toc>ul{margin-left:.125em}
#toc ul.sectlevel0>li>a{font-style:italic}
#toc ul.sectlevel0 ul.sectlevel1{margin:.5em 0}
#toc ul{font-family:"Open Sans","DejaVu Sans",sans-serif;list-style-type:none}
#toc li{line-height:1.3334;margin-top:.3334em}
#toc a{text-decoration:none}
#toc a:active{text-decoration:underline}
#toctitle{color:#7a2518;font-size:1.2em}
@media only screen and (min-width:768px){#toctitle{font-size:1.375em}
body.toc2{padding-left:15em;padding-right:0}
#toc.toc2{margin-top:0!important;background-color:#f8f8f7;position:fixed;width:15em;left:0;top:0;border-right:1px solid #efefed;border-top-width:0!important;border-bottom-width:0!important;z-index:1000;padding:1.25em 1em;height:100%;overflow:auto}
#toc.toc2 #toctitle{margin-top:0;margin-bottom:.8rem;font-size:1.2em}
#toc.toc2>ul{font-size:.9em;margin-bottom:0}
#toc.toc2 ul ul{margin-left:0;padding-left:1em}
#toc.toc2 ul.sectlevel0 ul.sectlevel1{padding-left:0;margin-top:.5em;margin-bottom:.5em}
body.toc2.toc-right{padding-left:0;padding-right:15em}
body.toc2.toc-right #toc.toc2{border-right-width:0;border-left:1px solid #efefed;left:auto;right:0}}
@media only screen and (min-width:1280px){body.toc2{padding-left:20em;padding-right:0}
#toc.toc2{width:20em}
#toc.toc2 #toctitle{font-size:1.375em}
#toc.toc2>ul{font-size:.95em}
#toc.toc2 ul ul{padding-left:1.25em}
body.toc2.toc-right{padding-left:0;padding-right:20em}}
#content #toc{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px}
#content #toc>:first-child{margin-top:0}
#content #toc>:last-child{margin-bottom:0}
#footer{max-width:100%;background-color:rgba(0,0,0,.8);padding:1.25em}
#footer-text{color:rgba(255,255,255,.8);line-height:1.44}
.sect1{padding-bottom:.625em}
@media only screen and (min-width:768px){.sect1{padding-bottom:1.25em}}
.sect1+.sect1{border-top:1px solid #efefed}
#content h1>a.anchor,h2>a.anchor,h3>a.anchor,#toctitle>a.anchor,.sidebarblock>.content>.title>a.anchor,h4>a.anchor,h5>a.anchor,h6>a.anchor{position:absolute;z-index:1001;width:1.5ex;margin-left:-1.5ex;display:block;text-decoration:none!important;visibility:hidden;text-align:center;font-weight:400}
#content h1>a.anchor:before,h2>a.anchor:before,h3>a.anchor:before,#toctitle>a.anchor:before,.sidebarblock>.content>.title>a.anchor:before,h4>a.anchor:before,h5>a.anchor:before,h6>a.anchor:before{content:"\00A7";font-size:.85em;display:block;padding-top:.1em}
#content h1:hover>a.anchor,#content h1>a.anchor:hover,h2:hover>a.anchor,h2>a.anchor:hover,h3:hover>a.anchor,#toctitle:hover>a.anchor,.sidebarblock>.content>.title:hover>a.anchor,h3>a.anchor:hover,#toctitle>a.anchor:hover,.sidebarblock>.content>.title>a.anchor:hover,h4:hover>a.anchor,h4>a.anchor:hover,h5:hover>a.anchor,h5>a.anchor:hover,h6:hover>a.anchor,h6>a.anchor:hover{visibility:visible}
#content h1>a.link,h2>a.link,h3>a.link,#toctitle>a.link,.sidebarblock>.content>.title>a.link,h4>a.link,h5>a.link,h6>a.link{color:#ba3925;text-decoration:none}
#content h1>a.link:hover,h2>a.link:hover,h3>a.link:hover,#toctitle>a.link:hover,.sidebarblock>.content>.title>a.link:hover,h4>a.link:hover,h5>a.link:hover,h6>a.link:hover{color:#a53221}
.audioblock,.imageblock,.literalblock,.listingblock,.stemblock,.videoblock{margin-bottom:1.25em}
.admonitionblock td.content>.title,.audioblock>.title,.exampleblock>.title,.imageblock>.title,.listingblock>.title,.literalblock>.title,.stemblock>.title,.openblock>.title,.paragraph>.title,.quoteblock>.title,table.tableblock>.title,.verseblock>.title,.videoblock>.title,.dlist>.title,.olist>.title,.ulist>.title,.qlist>.title,.hdlist>.title{text-rendering:optimizeLegibility;text-align:left;font-family:"Noto Serif","DejaVu Serif",serif;font-size:1rem;font-style:italic}
table.tableblock>caption.title{white-space:nowrap;overflow:visible;max-width:0}
.paragraph.lead>p,#preamble>.sectionbody>.paragraph:first-of-type p{color:rgba(0,0,0,.85)}
table.tableblock #preamble>.sectionbody>.paragraph:first-of-type p{font-size:inherit}
.admonitionblock>table{border-collapse:separate;border:0;background:none;width:100%}
.admonitionblock>table td.icon{text-align:center;width:80px}
.admonitionblock>table td.icon img{max-width:initial}
.admonitionblock>table td.icon .title{font-weight:bold;font-family:"Open Sans","DejaVu Sans",sans-serif;text-transform:uppercase}
.admonitionblock>table td.content{padding-left:1.125em;padding-right:1.25em;border-left:1px solid #ddddd8;color:rgba(0,0,0,.6)}
.admonitionblock>table td.content>:last-child>:last-child{margin-bottom:0}
.exampleblock>.content{border-style:solid;border-width:1px;border-color:#e6e6e6;margin-bottom:1.25em;padding:1.25em;background:#fff;-webkit-border-radius:4px;border-radius:4px}
.exampleblock>.content>:first-child{margin-top:0}
.exampleblock>.content>:last-child{margin-bottom:0}
.sidebarblock{border-style:solid;border-width:1px;border-color:#e0e0dc;margin-bottom:1.25em;padding:1.25em;background:#f8f8f7;-webkit-border-radius:4px;border-radius:4px}
.sidebarblock>:first-child{margin-top:0}
.sidebarblock>:last-child{margin-bottom:0}
.sidebarblock>.content>.title{color:#7a2518;margin-top:0;text-align:center}
.exampleblock>.content>:last-child>:last-child,.exampleblock>.content .olist>ol>li:last-child>:last-child,.exampleblock>.content .ulist>ul>li:last-child>:last-child,.exampleblock>.content .qlist>ol>li:last-child>:last-child,.sidebarblock>.content>:last-child>:last-child,.sidebarblock>.content .olist>ol>li:last-child>:last-child,.sidebarblock>.content .ulist>ul>li:last-child>:last-child,.sidebarblock>.content .qlist>ol>li:last-child>:last-child{margin-bottom:0}
.literalblock pre,.listingblock pre:not(.highlight),.listingblock pre[class="highlight"],.listingblock pre[class^="highlight "],.listingblock pre.CodeRay,.listingblock pre.prettyprint{background:#f7f7f8}
.sidebarblock .literalblock pre,.sidebarblock .listingblock pre:not(.highlight),.sidebarblock .listingblock pre[class="highlight"],.sidebarblock .listingblock pre[class^="highlight "],.sidebarblock .listingblock pre.CodeRay,.sidebarblock .listingblock pre.prettyprint{background:#f2f1f1}
.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{-webkit-border-radius:4px;border-radius:4px;word-wrap:break-word;padding:1em;font-size:.8125em}
.literalblock pre.nowrap,.literalblock pre[class].nowrap,.listingblock pre.nowrap,.listingblock pre[class].nowrap{overflow-x:auto;white-space:pre;word-wrap:normal}
@media only screen and (min-width:768px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:.90625em}}
@media only screen and (min-width:1280px){.literalblock pre,.literalblock pre[class],.listingblock pre,.listingblock pre[class]{font-size:1em}}
.literalblock.output pre{color:#f7f7f8;background-color:rgba(0,0,0,.9)}
.listingblock pre.highlightjs{padding:0}
.listingblock pre.highlightjs>code{padding:1em;-webkit-border-radius:4px;border-radius:4px}
.listingblock pre.prettyprint{border-width:0}
.listingblock>.content{position:relative}
.listingblock code[data-lang]:before{display:none;content:attr(data-lang);position:absolute;font-size:.75em;top:.425rem;right:.5rem;line-height:1;text-transform:uppercase;color:#999}
.listingblock:hover code[data-lang]:before{display:block}
.listingblock.terminal pre .command:before{content:attr(data-prompt);padding-right:.5em;color:#999}
.listingblock.terminal pre .command:not([data-prompt]):before{content:"$"}
table.pyhltable{border-collapse:separate;border:0;margin-bottom:0;background:none}
table.pyhltable td{vertical-align:top;padding-top:0;padding-bottom:0;line-height:1.45}
table.pyhltable td.code{padding-left:.75em;padding-right:0}
pre.pygments .lineno,table.pyhltable td:not(.code){color:#999;padding-left:0;padding-right:.5em;border-right:1px solid #ddddd8}
pre.pygments .lineno{display:inline-block;margin-right:.25em}
table.pyhltable .linenodiv{background:none!important;padding-right:0!important}
.quoteblock{margin:0 1em 1.25em 1.5em;display:table}
.quoteblock>.title{margin-left:-1.5em;margin-bottom:.75em}
.quoteblock blockquote,.quoteblock blockquote p{color:rgba(0,0,0,.85);font-size:1.15rem;line-height:1.75;word-spacing:.1em;letter-spacing:0;font-style:italic;text-align:justify}
.quoteblock blockquote{margin:0;padding:0;border:0}
.quoteblock blockquote:before{content:"\201c";float:left;font-size:2.75em;font-weight:bold;line-height:.6em;margin-left:-.6em;color:#7a2518;text-shadow:0 1px 2px rgba(0,0,0,.1)}
.quoteblock blockquote>.paragraph:last-child p{margin-bottom:0}
.quoteblock .attribution{margin-top:.5em;margin-right:.5ex;text-align:right}
.quoteblock .quoteblock{margin-left:0;margin-right:0;padding:.5em 0;border-left:3px solid rgba(0,0,0,.6)}
.quoteblock .quoteblock blockquote{padding:0 0 0 .75em}
.quoteblock .quoteblock blockquote:before{display:none}
.verseblock{margin:0 1em 1.25em 1em}
.verseblock pre{font-family:"Open Sans","DejaVu Sans",sans;font-size:1.15rem;color:rgba(0,0,0,.85);font-weight:300;text-rendering:optimizeLegibility}
.verseblock pre strong{font-weight:400}
.verseblock .attribution{margin-top:1.25rem;margin-left:.5ex}
.quoteblock .attribution,.verseblock .attribution{font-size:.9375em;line-height:1.45;font-style:italic}
.quoteblock .attribution br,.verseblock .attribution br{display:none}
.quoteblock .attribution cite,.verseblock .attribution cite{display:block;letter-spacing:-.025em;color:rgba(0,0,0,.6)}
.quoteblock.abstract{margin:0 0 1.25em 0;display:block}
.quoteblock.abstract blockquote,.quoteblock.abstract blockquote p{text-align:left;word-spacing:0}
.quoteblock.abstract blockquote:before,.quoteblock.abstract blockquote p:first-of-type:before{display:none}
table.tableblock{max-width:100%;border-collapse:separate}
table.tableblock td>.paragraph:last-child p>p:last-child,table.tableblock th>p:last-child,table.tableblock td>p:last-child{margin-bottom:0}
table.tableblock,th.tableblock,td.tableblock{border:0 solid #dedede}
table.grid-all>thead>tr>.tableblock,table.grid-all>tbody>tr>.tableblock{border-width:0 1px 1px 0}
table.grid-all>tfoot>tr>.tableblock{border-width:1px 1px 0 0}
table.grid-cols>*>tr>.tableblock{border-width:0 1px 0 0}
table.grid-rows>thead>tr>.tableblock,table.grid-rows>tbody>tr>.tableblock{border-width:0 0 1px 0}
table.grid-rows>tfoot>tr>.tableblock{border-width:1px 0 0 0}
table.grid-all>*>tr>.tableblock:last-child,table.grid-cols>*>tr>.tableblock:last-child{border-right-width:0}
table.grid-all>tbody>tr:last-child>.tableblock,table.grid-all>thead:last-child>tr>.tableblock,table.grid-rows>tbody>tr:last-child>.tableblock,table.grid-rows>thead:last-child>tr>.tableblock{border-bottom-width:0}
table.frame-all{border-width:1px}
table.frame-sides{border-width:0 1px}
table.frame-topbot{border-width:1px 0}
th.halign-left,td.halign-left{text-align:left}
th.halign-right,td.halign-right{text-align:right}
th.halign-center,td.halign-center{text-align:center}
th.valign-top,td.valign-top{vertical-align:top}
th.valign-bottom,td.valign-bottom{vertical-align:bottom}
th.valign-middle,td.valign-middle{vertical-align:middle}
table thead th,table tfoot th{font-weight:bold}
tbody tr th{display:table-cell;line-height:1.6;background:#f7f8f7}
tbody tr th,tbody tr th p,tfoot tr th,tfoot tr th p{color:rgba(0,0,0,.8);font-weight:bold}
p.tableblock>code:only-child{background:none;padding:0}
p.tableblock{font-size:1em}
td>div.verse{white-space:pre}
ol{margin-left:1.75em}
ul li ol{margin-left:1.5em}
dl dd{margin-left:1.125em}
dl dd:last-child,dl dd:last-child>:last-child{margin-bottom:0}
ol>li p,ul>li p,ul dd,ol dd,.olist .olist,.ulist .ulist,.ulist .olist,.olist .ulist{margin-bottom:.625em}
ul.checklist,ul.none,ol.none,ul.no-bullet,ol.no-bullet,ol.unnumbered,ul.unstyled,ol.unstyled{list-style-type:none}
ul.no-bullet,ol.no-bullet,ol.unnumbered{margin-left:.625em}
ul.unstyled,ol.unstyled{margin-left:0}
ul.checklist{margin-left:.625em}
ul.checklist li>p:first-child>.fa-square-o:first-child,ul.checklist li>p:first-child>.fa-check-square-o:first-child{width:1.25em;font-size:.8em;position:relative;bottom:.125em}
ul.checklist li>p:first-child>input[type="checkbox"]:first-child{margin-right:.25em}
ul.inline{margin:0 auto .625em auto;margin-left:-1.375em;margin-right:0;padding:0;list-style:none;overflow:hidden}
ul.inline>li{list-style:none;float:left;margin-left:1.375em;display:block}
ul.inline>li>*{display:block}
.unstyled dl dt{font-weight:400;font-style:normal}
ol.arabic{list-style-type:decimal}
ol.decimal{list-style-type:decimal-leading-zero}
ol.loweralpha{list-style-type:lower-alpha}
ol.upperalpha{list-style-type:upper-alpha}
ol.lowerroman{list-style-type:lower-roman}
ol.upperroman{list-style-type:upper-roman}
ol.lowergreek{list-style-type:lower-greek}
.hdlist>table,.colist>table{border:0;background:none}
.hdlist>table>tbody>tr,.colist>table>tbody>tr{background:none}
td.hdlist1,td.hdlist2{vertical-align:top;padding:0 .625em}
td.hdlist1{font-weight:bold;padding-bottom:1.25em}
.literalblock+.colist,.listingblock+.colist{margin-top:-.5em}
.colist>table tr>td:first-of-type{padding:.4em .75em 0 .75em;line-height:1;vertical-align:top}
.colist>table tr>td:first-of-type img{max-width:initial}
.colist>table tr>td:last-of-type{padding:.25em 0}
.thumb,.th{line-height:0;display:inline-block;border:solid 4px #fff;-webkit-box-shadow:0 0 0 1px #ddd;box-shadow:0 0 0 1px #ddd}
.imageblock.left,.imageblock[style*="float: left"]{margin:.25em .625em 1.25em 0}
.imageblock.right,.imageblock[style*="float: right"]{margin:.25em 0 1.25em .625em}
.imageblock>.title{margin-bottom:0}
.imageblock.thumb,.imageblock.th{border-width:6px}
.imageblock.thumb>.title,.imageblock.th>.title{padding:0 .125em}
.image.left,.image.right{margin-top:.25em;margin-bottom:.25em;display:inline-block;line-height:0}
.image.left{margin-right:.625em}
.image.right{margin-left:.625em}
a.image{text-decoration:none;display:inline-block}
a.image object{pointer-events:none}
sup.footnote,sup.footnoteref{font-size:.875em;position:static;vertical-align:super}
sup.footnote a,sup.footnoteref a{text-decoration:none}
sup.footnote a:active,sup.footnoteref a:active{text-decoration:underline}
#footnotes{padding-top:.75em;padding-bottom:.75em;margin-bottom:.625em}
#footnotes hr{width:20%;min-width:6.25em;margin:-.25em 0 .75em 0;border-width:1px 0 0 0}
#footnotes .footnote{padding:0 .375em 0 .225em;line-height:1.3334;font-size:.875em;margin-left:1.2em;text-indent:-1.05em;margin-bottom:.2em}
#footnotes .footnote a:first-of-type{font-weight:bold;text-decoration:none}
#footnotes .footnote:last-of-type{margin-bottom:0}
#content #footnotes{margin-top:-.625em;margin-bottom:0;padding:.75em 0}
.gist .file-data>table{border:0;background:#fff;width:100%;margin-bottom:0}
.gist .file-data>table td.line-data{width:99%}
div.unbreakable{page-break-inside:avoid}
.big{font-size:larger}
.small{font-size:smaller}
.underline{text-decoration:underline}
.overline{text-decoration:overline}
.line-through{text-decoration:line-through}
.aqua{color:#00bfbf}
.aqua-background{background-color:#00fafa}
.black{color:#000}
.black-background{background-color:#000}
.blue{color:#0000bf}
.blue-background{background-color:#0000fa}
.fuchsia{color:#bf00bf}
.fuchsia-background{background-color:#fa00fa}
.gray{color:#606060}
.gray-background{background-color:#7d7d7d}
.green{color:#006000}
.green-background{background-color:#007d00}
.lime{color:#00bf00}
.lime-background{background-color:#00fa00}
.maroon{color:#600000}
.maroon-background{background-color:#7d0000}
.navy{color:#000060}
.navy-background{background-color:#00007d}
.olive{color:#606000}
.olive-background{background-color:#7d7d00}
.purple{color:#600060}
.purple-background{background-color:#7d007d}
.red{color:#bf0000}
.red-background{background-color:#fa0000}
.silver{color:#909090}
.silver-background{background-color:#bcbcbc}
.teal{color:#006060}
.teal-background{background-color:#007d7d}
.white{color:#bfbfbf}
.white-background{background-color:#fafafa}
.yellow{color:#bfbf00}
.yellow-background{background-color:#fafa00}
span.icon>.fa{cursor:default}
a span.icon>.fa{cursor:inherit}
.admonitionblock td.icon [class^="fa icon-"]{font-size:2.5em;text-shadow:1px 1px 2px rgba(0,0,0,.5);cursor:default}
.admonitionblock td.icon .icon-note:before{content:"\f05a";color:#19407c}
.admonitionblock td.icon .icon-tip:before{content:"\f0eb";text-shadow:1px 1px 2px rgba(155,155,0,.8);color:#111}
.admonitionblock td.icon .icon-warning:before{content:"\f071";color:#bf6900}
.admonitionblock td.icon .icon-caution:before{content:"\f06d";color:#bf3400}
.admonitionblock td.icon .icon-important:before{content:"\f06a";color:#bf0000}
.conum[data-value]{display:inline-block;color:#fff!important;background-color:rgba(0,0,0,.8);-webkit-border-radius:100px;border-radius:100px;text-align:center;font-size:.75em;width:1.67em;height:1.67em;line-height:1.67em;font-family:"Open Sans","DejaVu Sans",sans-serif;font-style:normal;font-weight:bold}
.conum[data-value] *{color:#fff!important}
.conum[data-value]+b{display:none}
.conum[data-value]:after{content:attr(data-value)}
pre .conum[data-value]{position:relative;top:-.125em}
b.conum *{color:inherit!important}
.conum:not([data-value]):empty{display:none}
dt,th.tableblock,td.content,div.footnote{text-rendering:optimizeLegibility}
h1,h2,p,td.content,span.alt{letter-spacing:-.01em}
p strong,td.content strong,div.footnote strong{letter-spacing:-.005em}
p,blockquote,dt,td.content,span.alt{font-size:1.0625rem}
p{margin-bottom:1.25rem}
.sidebarblock p,.sidebarblock dt,.sidebarblock td.content,p.tableblock{font-size:1em}
.exampleblock>.content{background-color:#fffef7;border-color:#e0e0dc;-webkit-box-shadow:0 1px 4px #e0e0dc;box-shadow:0 1px 4px #e0e0dc}
.print-only{display:none!important}
@media print{@page{margin:1.25cm .75cm}
*{-webkit-box-shadow:none!important;box-shadow:none!important;text-shadow:none!important}
a{color:inherit!important;text-decoration:underline!important}
a.bare,a[href^="#"],a[href^="mailto:"]{text-decoration:none!important}
a[href^="http:"]:not(.bare):after,a[href^="https:"]:not(.bare):after{content:"(" attr(href) ")";display:inline-block;font-size:.875em;padding-left:.25em}
abbr[title]:after{content:" (" attr(title) ")"}
pre,blockquote,tr,img,object,svg{page-break-inside:avoid}
thead{display:table-header-group}
svg{max-width:100%}
p,blockquote,dt,td.content{font-size:1em;orphans:3;widows:3}
h2,h3,#toctitle,.sidebarblock>.content>.title{page-break-after:avoid}
#toc,.sidebarblock,.exampleblock>.content{background:none!important}
#toc{border-bottom:1px solid #ddddd8!important;padding-bottom:0!important}
.sect1{padding-bottom:0!important}
.sect1+.sect1{border:0!important}
#header>h1:first-child{margin-top:1.25rem}
|
||
body.book #header{text-align:center}
|
||
body.book #header>h1:first-child{border:0!important;margin:2.5em 0 1em 0}
|
||
body.book #header .details{border:0!important;display:block;padding:0!important}
|
||
body.book #header .details span:first-child{margin-left:0!important}
|
||
body.book #header .details br{display:block}
|
||
body.book #header .details br+span:before{content:none!important}
|
||
body.book #toc{border:0!important;text-align:left!important;padding:0!important;margin:0!important}
|
||
body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-break-before:always}
|
||
.listingblock code[data-lang]:before{display:block}
|
||
#footer{background:none!important;padding:0 .9375em}
|
||
#footer-text{color:rgba(0,0,0,.6)!important;font-size:.9em}
|
||
.hide-on-print{display:none!important}
|
||
.print-only{display:block!important}
|
||
.hide-for-print{display:none!important}
|
||
.show-for-print{display:inherit!important}}
|
||
</style>
|
||
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.6.3/css/font-awesome.min.css"><!-- NOTE(review): third-party stylesheet loaded without Subresource Integrity; add integrity="sha384-…" crossorigin="anonymous" (pinned hash from the CDN) or self-host the asset so a CDN compromise cannot inject CSS into this page -->
|
||
</head>
|
||
<body class="article toc2 toc-right">
|
||
<div id="header">
|
||
<h1>MISP Objects</h1>
|
||
<div id="toc" class="toc2">
|
||
<div id="toctitle">MISP Objects</div>
|
||
<ul class="sectlevel0">
|
||
<li><a href="#_introduction">Introduction</a>
|
||
<ul class="sectlevel1">
|
||
<li><a href="#_funding_and_support">Funding and Support</a></li>
|
||
</ul>
|
||
</li>
|
||
<li><a href="#_misp_objects">MISP objects</a>
|
||
<ul class="sectlevel1">
|
||
<li><a href="#_ail_leak">ail-leak</a></li>
|
||
<li><a href="#_android_permission">android-permission</a></li>
|
||
<li><a href="#_annotation">annotation</a></li>
|
||
<li><a href="#_asn">asn</a></li>
|
||
<li><a href="#_av_signature">av-signature</a></li>
|
||
<li><a href="#_coin_address">coin-address</a></li>
|
||
<li><a href="#_cookie">cookie</a></li>
|
||
<li><a href="#_credential">credential</a></li>
|
||
<li><a href="#_credit_card">credit-card</a></li>
|
||
<li><a href="#_ddos">ddos</a></li>
|
||
<li><a href="#_diameter_attack">diameter-attack</a></li>
|
||
<li><a href="#_domain_ip">domain-ip</a></li>
|
||
<li><a href="#_elf">elf</a></li>
|
||
<li><a href="#_elf_section">elf-section</a></li>
|
||
<li><a href="#_email">email</a></li>
|
||
<li><a href="#_file">file</a></li>
|
||
<li><a href="#_geolocation">geolocation</a></li>
|
||
<li><a href="#_gtp_attack">gtp-attack</a></li>
|
||
<li><a href="#_http_request">http-request</a></li>
|
||
<li><a href="#_ip_port">ip-port</a></li>
|
||
<li><a href="#_ja3">ja3</a></li>
|
||
<li><a href="#_macho">macho</a></li>
|
||
<li><a href="#_macho_section">macho-section</a></li>
|
||
<li><a href="#_microblog">microblog</a></li>
|
||
<li><a href="#_netflow">netflow</a></li>
|
||
<li><a href="#_passive_dns">passive-dns</a></li>
|
||
<li><a href="#_paste">paste</a></li>
|
||
<li><a href="#_pe">pe</a></li>
|
||
<li><a href="#_pe_section">pe-section</a></li>
|
||
<li><a href="#_person">person</a></li>
|
||
<li><a href="#_phone">phone</a></li>
|
||
<li><a href="#_r2graphity">r2graphity</a></li>
|
||
<li><a href="#_regexp">regexp</a></li>
|
||
<li><a href="#_registry_key">registry-key</a></li>
|
||
<li><a href="#_report">report</a></li>
|
||
<li><a href="#_rtir">rtir</a></li>
|
||
<li><a href="#_sandbox_report">sandbox-report</a></li>
|
||
<li><a href="#_ss7_attack">ss7-attack</a></li>
|
||
<li><a href="#_stix2_pattern">stix2-pattern</a></li>
|
||
<li><a href="#_tor_node">tor-node</a></li>
|
||
<li><a href="#_url">url</a></li>
|
||
<li><a href="#_victim">victim</a></li>
|
||
<li><a href="#_virustotal_report">virustotal-report</a></li>
|
||
<li><a href="#_vulnerability">vulnerability</a></li>
|
||
<li><a href="#_whois">whois</a></li>
|
||
<li><a href="#_x509">x509</a></li>
|
||
<li><a href="#_yabin">yabin</a></li>
|
||
<li><a href="#_relationships">Relationships</a></li>
|
||
</ul>
|
||
</li>
|
||
</ul>
|
||
</div>
|
||
</div>
|
||
<div id="content">
|
||
<h1 id="_introduction" class="sect0"><a class="anchor" href="#_introduction"></a><a class="link" href="#_introduction">Introduction</a></h1>
|
||
<div class="imageblock">
|
||
<div class="content">
|
||
<img src="https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/misp-logo.png" alt="MISP logo">
|
||
</div>
|
||
</div>
|
||
<div class="paragraph">
|
||
<p>The MISP threat sharing platform is free and open source software that supports the sharing of threat intelligence, including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of the information shared.</p>
|
||
</div>
|
||
<div class="paragraph">
|
||
<p>MISP objects are used in MISP (starting from version 2.4.80) and can be used by other information sharing tools. MISP objects complement MISP attributes by allowing advanced combinations of attributes. The creation of these objects and their associated attributes is based on real cyber security use-cases and existing practices in information sharing. Objects are shared like any other attributes in MISP, even if the receiving MISP instances don’t have the template of the object.
|
||
The following document is generated from the machine-readable JSON describing the <a href="https://github.com/MISP/misp-objects">MISP objects</a>.</p>
|
||
</div>
|
||
<div style="page-break-after: always;"></div>
|
||
<div class="sect1">
|
||
<h2 id="_funding_and_support"><a class="anchor" href="#_funding_and_support"></a><a class="link" href="#_funding_and_support">Funding and Support</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>The MISP project is financially and resource supported by <a href="https://www.circl.lu/">CIRCL Computer Incident Response Center Luxembourg </a>.</p>
|
||
</div>
|
||
<div class="paragraph">
|
||
<p><span class="image"><img src="https://www.misp-project.org/assets/images/logo.png" alt="CIRCL logo"></span></p>
|
||
</div>
|
||
<div class="paragraph">
|
||
<p>A CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31st August 2019 as <strong>Improving MISP as building blocks for next-generation information sharing</strong>.</p>
|
||
</div>
|
||
<div class="paragraph">
|
||
<p><span class="image"><img src="https://www.misp-project.org/assets/images/en_cef.png" alt="CEF funding"></span></p>
|
||
</div>
|
||
<div class="paragraph">
|
||
<p>If you are interested to co-fund projects around MISP, feel free to get in touch with us.</p>
|
||
</div>
|
||
<div style="page-break-after: always;"></div>
|
||
</div>
|
||
</div>
|
||
<h1 id="_misp_objects" class="sect0"><a class="anchor" href="#_misp_objects"></a><a class="link" href="#_misp_objects">MISP objects</a></h1>
|
||
<div class="sect1">
|
||
<h2 id="_ail_leak"><a class="anchor" href="#_ail_leak"></a><a class="link" href="#_ail_leak">ail-leak</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>An information leak as defined by the AIL (Analysis Information Leak) framework.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
ail-leak is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/ail-leak/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the leak has been accessible or seen for the last time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the leak has been accessible or seen for the first time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">raw-data</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">attachment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Raw data as received by the AIL sensor, compressed and Base64-encoded. For leak types such as Credential or CreditCards this attachment carries the leaked content itself, so consider who should receive it before sharing the object.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">duplicate_number</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Number of known duplicates.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sensor</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The UUID of the AIL sensor where the leak was processed and analysed.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A free-text description of the leak, which may include the potential victim(s).</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">duplicate</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Reference to an existing leak of which this one is a duplicate.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">original-date</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the information available in the leak was created. It’s usually before the first-seen.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">origin</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The link where the leak is (or was) accessible at first-seen.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_android_permission"><a class="anchor" href="#_android_permission"></a><a class="link" href="#_android_permission">android-permission</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>A set of Android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
android-permission is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/android-permission/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">permission</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 
'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Comment about the set of android permission(s)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_annotation"><a class="anchor" href="#_annotation"></a><a class="link" href="#_annotation">annotation</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>An annotation object allowing analysts to add annotations, comments or an executive summary to a MISP event, object or attribute.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
annotation is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/annotation/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ref</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">link</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Reference(s) to the annotation</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">format</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Format of the annotation ['text', 'markdown', 'asciidoctor', 'MultiMarkdown', 'GFM', 'pandoc', 'Fountain', 'CommonWork', 'kramdown-rfc2629', 'rfc7328', 'Extra']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Raw text of the annotation</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">creation-date</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Initial creation of the annotation</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">modification-date</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last update of the annotation</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_asn"><a class="anchor" href="#_asn"></a><a class="link" href="#_asn">asn</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Autonomous system object describing an autonomous system, which can include one or more networks operated by a single entity (e.g. an ISP), along with its routing policy, announced prefixes or alike.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
asn is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/asn/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">export</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The outbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">mp-export</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>This attribute performs the same function as the export attribute above, but mp-export allows both IPv4 and IPv6 address families to be specified. The format is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last time the ASN was seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">subnet-announced</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-src</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Subnet announced</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First time the ASN was seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">asn</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">AS</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Autonomous System Number</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">import</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">mp-import</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The inbound IPv4 or IPv6 routing policy of the AS in the format described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">country</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Country code of the main location of the autonomous system</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">description</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Description of the autonomous system</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_av_signature"><a class="anchor" href="#_av_signature"></a><a class="link" href="#_av_signature">av-signature</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Antivirus detection signature.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
av-signature is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/av-signature/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">signature</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Name of detection signature</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">software</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Name of antivirus software</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text value to attach to the file</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Datetime</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_coin_address"><a class="anchor" href="#_coin_address"></a><a class="link" href="#_coin_address">coin-address</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>An address used in a cryptocurrency.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
coin-address is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/coin-address/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">symbol</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The (uppercase) symbol of the cryptocurrency used. Symbol should be from <a href="https://coinmarketcap.com/all/views/all/" class="bare">https://coinmarketcap.com/all/views/all/</a> ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last time this payment destination address has been seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">address</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">btc</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Address used as a payment destination in a cryptocurrency. It is stored with the <code>btc</code> MISP attribute type regardless of the coin, so the <code>symbol</code> attribute is what identifies which cryptocurrency the address belongs to.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First time this payment destination address has been seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text value</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_cookie"><a class="anchor" href="#_cookie"></a><a class="link" href="#_cookie">cookie</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol (as defined by the Mozilla Foundation). Note that a cookie of type <code>Session management</code> is effectively a bearer credential for that session, so treat its value with the same care as a password when sharing the object.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
cookie is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/cookie/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">cookie</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">cookie</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Full cookie</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">cookie-value</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Value of the cookie (when the cookie is split into its name and value)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the cookie.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">cookie-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Name of the cookie (when the cookie is split into its name and value)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_credential"><a class="anchor" href="#_credential"></a><a class="link" href="#_credential">credential</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Credential describes one or more credential(s), including password(s), API key(s) or decryption key(s). Because the object may carry clear-text secrets (see the <code>format</code> attribute), record whether the owner or service has been informed (<code>notification</code>) and share the object only as widely as that warrants.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
credential is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/credential/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of credential(s) ['password', 'api-key', 'encryption-key', 'unknown']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">username</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Username associated with the credential(s)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">password</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The credential value itself (password, API key or encryption key, as indicated by the <code>type</code> attribute), in the form described by the <code>format</code> attribute</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">format</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Format of the credential(s) ['clear-text', 'hashed', 'encrypted', 'unknown']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the credential(s)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">notification</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">origin</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_credit_card"><a class="anchor" href="#_credit_card"></a><a class="link" href="#_credit_card">credit-card</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>A payment card like a credit card, debit card or any similar card which can be used for financial transactions.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
credit-card is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/credit-card/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">card-security-code</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Name of the card owner.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">issued</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Initial date of validity or issued date.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the card.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">version</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Version of the card.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">cc-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">cc-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Credit-card number as encoded on the card.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">expiration</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Maximum date of validity</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_ddos"><a class="anchor" href="#_ddos"></a><a class="link" href="#_ddos">ddos</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>DDoS object describes a current DDoS activity from a specific source and/or to a specific target. The type of DDoS can be attached to the object as a taxonomy.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
ddos is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/ddos/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">src-port</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">port</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Source port of the attack</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">domain-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">domain</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination domain (victim)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination IP (victim)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Beginning of the attack</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">total-bps</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Attack volume in bits per second</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Description of the DDoS</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">total-pps</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Attack rate in packets per second</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>End of the attack</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">protocol</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-src</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-src</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IP address originating the attack</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">dst-port</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">port</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination port of the attack</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_diameter_attack"><a class="anchor" href="#_diameter_attack"></a><a class="link" href="#_diameter_attack">diameter-attack</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Attack as seen in Diameter authentication traffic against a GSM, UMTS or LTE network.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
diameter-attack is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/diameter-attack/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">Origin-Host</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Origin-Host of the Diameter message (the host that originated it).</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the attack has been seen for the first time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">Username</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Username (in this case, usually the IMSI).</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">CmdCode</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A decimal representation of the diameter Command Code.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the attack seen.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">Destination-Host</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination-Host.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ApplicationId</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">Destination-Realm</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination-Realm.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">IdrFlags</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IDR-Flags.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">SessionId</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Session-ID.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">Origin-Realm</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Origin-Realm.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">category</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_domain_ip"><a class="anchor" href="#_domain_ip"></a><a class="link" href="#_domain_ip">domain-ip</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>A domain and IP address seen as a tuple in a specific time frame.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
domain-ip is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/domain-ip/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IP Address</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">domain</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">domain</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Domain name</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the tuple</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last time the tuple has been seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First time the tuple has been seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_elf"><a class="anchor" href="#_elf"></a><a class="link" href="#_elf">elf</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Object describing an Executable and Linkable Format (ELF) file.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
elf is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/elf/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">arch</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">number-sections</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Number of sections</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">os_abi</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">entrypoint-address</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Address of the entry point</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text value to attach to the ELF</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_elf_section"><a class="anchor" href="#_elf_section"></a><a class="link" href="#_elf_section">elf-section</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Object describing a section of an Executable and Linkable Format (ELF) file.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
elf-section is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/elf-section/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>[Insecure] Secure Hash Algorithm 1 (160 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/256</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/256</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2, SHA-512/256 variant (256 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">entropy</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">float</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Entropy of the whole section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha256</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha256</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (256 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ssdeep</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ssdeep</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Fuzzy hash using context-triggered piecewise hashing (CTPH)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (512 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha384</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha384</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (384 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/224</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/224</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2, SHA-512/224 variant (224 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Name of the section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">size-in-bytes</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">size-in-bytes</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Size of the section, in bytes</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha224</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha224</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (224 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>[Insecure] MD5 hash (128 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">flag</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text value to attach to the section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_email"><a class="anchor" href="#_email"></a><a class="link" href="#_email">email</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Email object describing an email with meta-information.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
email is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/email/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">thread-index</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-thread-index</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Identifies a particular conversation thread</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">to-display-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-dst-display-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Display name of the receiver</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">to</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination email address</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">mime-boundary</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-mime-boundary</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MIME Boundary</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">return-path</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Message return path</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">send-date</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Date the email has been sent</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">screenshot</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">attachment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Screenshot of email</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">from-display-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-src-display-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Display name of the sender</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">message-id</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-message-id</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Message ID</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">cc</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Carbon copy</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">subject</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-subject</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Subject</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">x-mailer</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-x-mailer</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>X-Mailer header. It generally identifies the program that was used to draft and send the original email, but it is set by the sender and is trivially forged, so it is an attribution hint rather than a reliable indicator.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">reply-to</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-reply-to</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Email address the reply will be sent to (Reply-To header). A Reply-To that differs from the From address is worth flagging, as this is a common technique in phishing and business email compromise.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">attachment</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-attachment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Attachment</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">header</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-header</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Full raw headers of the email.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">from</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email-src</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Sender email address (From header). The From header is controlled by the sender and can be spoofed; the envelope sender seen by the receiving MTA may differ.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_file"><a class="anchor" href="#_file"></a><a class="link" href="#_file">file</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>File object describing a file with meta-information.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
file is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/file/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>[Insecure] Secure Hash Algorithm 1 (160 bits). SHA-1 is no longer collision resistant, so a SHA-1 match identifies a known sample but should not be relied on alone to verify integrity or authenticity; prefer a SHA-2 hash where available.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/256</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/256</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2, SHA-512/256 variant (SHA-512 truncated to 256 bits). Not interchangeable with sha256: the two produce different digests for the same file despite the identical output length.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">entropy</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">float</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Entropy of the whole file (typically Shannon entropy in bits per byte). Values close to the maximum of 8 usually indicate packed, compressed or encrypted content.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha256</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha256</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (256 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ssdeep</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ssdeep</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Fuzzy hash using context triggered piecewise hashes (CTPH)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (512 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">certificate</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">x509-fingerprint-sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>SHA-1 fingerprint of the signing certificate, used when the binary is signed with an authentication scheme other than Authenticode (Authenticode-signed binaries are covered by the authentihash attribute).</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">filename</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">filename</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Filename on disk</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">authentihash</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">authentihash</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Authenticode hash of the executable: the hash of the PE image computed over the parts covered by the code signature, i.e. excluding the embedded signature data itself.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha384</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha384</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (384 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">mimetype</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Mime type</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/224</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/224</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2, SHA-512/224 variant (SHA-512 truncated to 224 bits). Not interchangeable with sha224, which produces a different digest for the same file.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">pattern-in-file</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">pattern-in-file</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Pattern that can be found in the file</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">size-in-bytes</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">size-in-bytes</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Size of the file, in bytes</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">state</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']. This is an assessment attached to the file by an analyst or tool, not a property derived from the file content itself.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha224</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha224</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (224 bits), i.e. SHA-224. Distinct from sha512/224.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>[Insecure] MD5 hash (128 bits). MD5 collisions are practical, so an MD5 match identifies a known sample but must not be relied on to prove integrity or authenticity; prefer a SHA-2 hash where available.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">malware-sample</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">malware-sample</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The file itself (binary). Treat the content as potentially live malware: handle it only in an isolated analysis environment and never open or execute it on a production host.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text value to attach to the file</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">tlsh</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">tlsh</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Fuzzy hash by Trend Micro: TLSH (Trend Micro Locality Sensitive Hash), used to find similar files.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_geolocation"><a class="anchor" href="#_geolocation"></a><a class="link" href="#_geolocation">geolocation</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>An object to describe a geographic location.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
geolocation is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/geolocation/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">longitude</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">float</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">region</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Region.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the location was seen for the last time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">latitude</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">float</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A generic description of the location.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">city</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>City.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">country</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Country.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">altitude</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">float</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the location was seen for the first time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_gtp_attack"><a class="anchor" href="#_gtp_attack"></a><a class="link" href="#_gtp_attack">gtp-attack</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>GTP attack object as seen on a GSM, UMTS or LTE network.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
gtp-attack is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/gtp-attack/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">GtpVersion</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>GTP version ['0', '1', '2']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the attack has been seen for the first time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">PortSrc</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">port</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Source port.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">PortDest</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination port.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">GtpMsisdn</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>GTP MSISDN.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">GtpServingNetwork</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>GTP Serving Network.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">GtpImei</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>GTP IMEI (International Mobile Equipment Identity).</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ipDest</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IP destination address.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">GtpInterface</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">GtpImsi</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>GTP IMSI (International mobile subscriber identity).</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ipSrc</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-src</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IP source address.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the GTP attack.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">GtpMessageType</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_http_request"><a class="anchor" href="#_http_request"></a><a class="link" href="#_http_request">http-request</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>A single HTTP request, described by its request line and header fields.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
http-request is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/http-request/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">uri</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">uri</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Request URI</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">proxy-password</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>HTTP Proxy Password</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">host</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">hostname</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The domain name of the server</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Full HTTP Request URL</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>HTTP Request comment</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">user-agent</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">user-agent</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The User-Agent header string sent by the requesting client</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">content-type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">other</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The MIME type of the body of the request</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">basicauth-user</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>HTTP Basic Authentication Username</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">referer</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">referer</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Address of the previous web page from which a link to the currently requested page was followed</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">basicauth-password</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>HTTP Basic Authentication Password</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">cookie</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>An HTTP cookie previously sent by the server with Set-Cookie</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">method</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">http-method</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">proxy-user</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>HTTP Proxy Username</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_ip_port"><a class="anchor" href="#_ip_port"></a><a class="link" href="#_ip_port">ip-port</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>An IP address and a port seen as a tuple (or as a triple) in a specific time frame.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
ip-port is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/ip-port/definition.json"><strong>objects/ip-port/definition.json</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">src-port</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">port</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Source port</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last time the tuple has been seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First time the tuple has been seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IP Address</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Description of the tuple</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">dst-port</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">port</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination port</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_ja3"><a class="anchor" href="#_ja3"></a><a class="link" href="#_ja3">ja3</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>JA3 is a technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. A fingerprint is composed of fields taken from the Client Hello packet: SSL version, accepted ciphers, list of extensions, elliptic curves, and elliptic curve formats. <a href="https://github.com/salesforce/ja3" class="bare">https://github.com/salesforce/ja3</a>.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
ja3 is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/ja3/definition.json"><strong>objects/ja3/definition.json</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last seen of the SSL/TLS handshake</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination IP address</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">description</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of detected software, e.g. software or malware</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ja3-fingerprint-md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MD5 hash of the JA3 fingerprint, identifying the source client</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-src</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-src</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Source IP Address</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First seen of the SSL/TLS handshake</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_macho"><a class="anchor" href="#_macho"></a><a class="link" href="#_macho">macho</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Object describing a file in Mach-O format.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
macho is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/macho/definition.json"><strong>objects/macho/definition.json</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Binary’s name</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text value to attach to the Mach-O file</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">number-sections</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Number of sections</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">entrypoint-address</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Address of the entry point</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_macho_section"><a class="anchor" href="#_macho_section"></a><a class="link" href="#_macho_section">macho-section</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Object describing a section of a file in Mach-O format.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
macho-section is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/macho-section/definition.json"><strong>objects/macho-section/definition.json</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>[Insecure] Secure Hash Algorithm 1 (160 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/256</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/256</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2, SHA-512/256 variant (256 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">entropy</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">float</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Entropy of the whole section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha256</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha256</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (256 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ssdeep</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ssdeep</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Fuzzy hash using context triggered piecewise hashes (CTPH)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (512 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha384</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha384</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (384 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/224</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/224</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2, SHA-512/224 variant (224 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Name of the section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">size-in-bytes</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">size-in-bytes</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Size of the section, in bytes</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha224</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha224</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (224 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>[Insecure] MD5 hash (128 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text value to attach to the section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_microblog"><a class="anchor" href="#_microblog"></a><a class="link" href="#_microblog">microblog</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Microblog post, such as a Twitter tweet or a post on a Facebook wall.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
microblog is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/microblog/definition.json"><strong>objects/microblog/definition.json</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Original URL location of the microblog post</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">username</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Username who posted the microblog post</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">link</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Link into the microblog post</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">removal-date</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the microblog post was removed</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">creation-date</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Initial creation of the microblog post</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">username-quoted</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Username who is quoted in the microblog post</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">post</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Raw post</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">modification-date</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last update of the microblog post</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_netflow"><a class="anchor" href="#_netflow"></a><a class="link" href="#_netflow">netflow</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Netflow object describes a network object based on the NetFlow v5/v9 minimal definition.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
netflow is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/netflow/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">byte-count</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Bytes counted in this flow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">src-port</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">port</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Source port of the netflow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">icmp-type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>ICMP type of the flow (if the traffic is ICMP)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination IP address of the netflow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip_version</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IP version of this flow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">src-as</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">AS</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Source AS number for this flow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">packet-count</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Packets counted in this flow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-src</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-src</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Source IP address of the netflow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">dst-port</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">port</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination port of the netflow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">protocol</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">direction</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Direction of this flow ['Ingress', 'Egress']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-packet-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First packet seen in this flow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-protocol-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">size-in-bytes</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IP protocol number of this flow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">flow-count</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Flows counted in this flow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-packet-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last packet seen in this flow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">dst-as</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">AS</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Destination AS number for this flow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">tcp-flags</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>TCP flags of the flow</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_passive_dns"><a class="anchor" href="#_passive_dns"></a><a class="link" href="#_passive_dns">passive-dns</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
passive-dns is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/passive-dns/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sensor_id</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Sensor information where the record was seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">zone_time_first</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">time_first</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">count</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">bailiwick</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Best estimate of the apex of the zone where this data is authoritative</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">rdata</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Resource records of the queried resource</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">time_last</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">zone_time_last</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">rrtype</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">rrname</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Resource Record name of the queried resource</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">origin</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Origin of the Passive DNS response</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_paste"><a class="anchor" href="#_paste"></a><a class="link" href="#_paste">paste</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Paste or similar post from a website that allows posts to be shared privately or publicly.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
paste is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/paste/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the paste has been accessible or seen for the last time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">paste</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Raw text of the paste or post</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the paste has been accessible or seen for the first time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Link to the original source of the paste or post.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">title</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Title of the paste or post.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">origin</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_pe"><a class="anchor" href="#_pe"></a><a class="link" href="#_pe">pe</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Object describing a Portable Executable.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
pe is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/pe/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">product-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>ProductName in the resources</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">pehash</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">pehash</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Hash of the structural information about a sample. See <a href="https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/" class="bare">https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/</a></p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">internal-filename</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">filename</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>InternalFilename in the resources</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">number-sections</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Number of sections</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">imphash</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">imphash</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Hash (MD5) calculated from the import table</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">entrypoint-address</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Address of the entry point</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">compilation-timestamp</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Compilation timestamp defined in the PE header</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text value to attach to the PE</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">legal-copyright</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>LegalCopyright in the resources</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">entrypoint-section-at-position</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Name of the section and position of the section in the PE</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">impfuzzy</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">impfuzzy</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Fuzzy Hash (ssdeep) calculated from the import table</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of PE ['exe', 'dll', 'driver', 'unknown']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">company-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>CompanyName in the resources</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">original-filename</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">filename</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>OriginalFilename in the resources</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">file-version</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>FileVersion in the resources</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">product-version</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>ProductVersion in the resources</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">file-description</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>FileDescription in the resources</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">lang-id</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Lang ID in the resources</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_pe_section"><a class="anchor" href="#_pe_section"></a><a class="link" href="#_pe_section">pe-section</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Object describing a section of a Portable Executable.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
pe-section is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/pe-section/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>[Insecure] Secure Hash Algorithm 1 (160 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/256</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/256</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (256 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">entropy</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">float</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Entropy of the whole section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha256</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha256</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (256 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ssdeep</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ssdeep</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Fuzzy hash using context triggered piecewise hashes (CTPH)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (512 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha384</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha384</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (384 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">characteristic</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Characteristic of the section ['read', 'write', 'executable']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/224</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha512/224</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (224 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">size-in-bytes</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">size-in-bytes</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Size of the section, in bytes</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha224</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sha224</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (224 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>[Insecure] MD5 hash (128 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text value to attach to the section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_person"><a class="anchor" href="#_person"></a><a class="link" href="#_person">person</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>An object which describes a person or an identity.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
person is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/person/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">passport-country</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">passport-country</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The country in which the passport was issued.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">gender</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">gender</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">passport-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">passport-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The passport number of a natural person.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the person or identity.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last name of a natural person.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">passport-expiration</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">passport-expiration</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The expiration date of a passport.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">date-of-birth</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">date-of-birth</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Date of birth of a natural person (in YYYY-MM-DD format).</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">middle-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">middle-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Middle name of a natural person</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">nationality</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">nationality</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The nationality of a natural person.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">place-of-birth</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">place-of-birth</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Place of birth of a natural person.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First name of a natural person.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">redress-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">redress-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_phone"><a class="anchor" href="#_phone"></a><a class="link" href="#_phone">phone</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>A phone or mobile phone object which describes a phone.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
phone is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/phone/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">serial-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Serial Number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">msisdn</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has several interpretations, the most common one being Mobile Station International Subscriber Directory Number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the phone has been accessible or seen for the last time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">guti</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Globally Unique Temporary UE Identity (GUTI) is a temporary identifier, composed of the GUMMEI and the M-TMSI, used so that the phone (user equipment in 3GPP jargon) does not reveal its identity.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the phone has been accessible or seen for the first time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">gummei</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Globally Unique MME Identifier (GUMMEI) is composed of the MCC, the MNC and the MME Identifier (MMEI).</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">imei</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">imsi</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>An International Mobile Subscriber Identity (IMSI), usually unique, is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">tmsi</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Temporary Mobile Subscriber Identities (TMSI) can be allocated to visiting mobile subscribers.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the phone.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_r2graphity"><a class="anchor" href="#_r2graphity"></a><a class="link" href="#_r2graphity">r2graphity</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Indicators extracted from files using radare2 and graphml.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
r2graphity is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/r2graphity/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">local-references</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Number of API calls inside a code section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">r2-commit-version</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Radare2 commit ID used to generate this object</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">memory-allocations</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Number of memory allocations</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">gml</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">attachment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Graph export in Graph Modelling Language format</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">referenced-strings</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Amount of referenced strings</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">total-api</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Total amount of API calls</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">not-referenced-strings</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Amount of not referenced strings</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ratio-string</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">float</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Ratio: amount of referenced strings per kilobyte of code section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">shortest-path-to-create-thread</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Shortest path to the first time the binary calls CreateThread</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">miss-api</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Amount of API call references that do not resolve to a function offset</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">refsglobalvar</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Amount of API calls outside of the code section (global variable, dynamic API)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">total-functions</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Total amount of functions in the file.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">unknown-references</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Amount of API calls not ending in a function (probably a Radare2 bug)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ratio-api</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">float</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Ratio: amount of API calls per kilobyte of code section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">get-proc-address</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Amount of calls to GetProcAddress</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">create-thread</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Amount of calls to CreateThread</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">callbacks</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Amount of callbacks (functions started as threads)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ratio-functions</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">float</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Ratio: amount of functions per kilobyte of code section</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">dangling-strings</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Amount of dangling strings (strings with a code cross-reference that is not within a function; Radare2 failed to detect that function)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">callback-largest</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Largest callback</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">callback-average</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">counter</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Average size of a callback</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Description of the r2graphity object</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_regexp"><a class="anchor" href="#_regexp"></a><a class="link" href="#_regexp">regexp</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
regexp is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/regexp/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Specifies which type this regex corresponds to. ['hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'url', 'user-agent', 'regkey', 'cookie', 'uri', 'filename', 'windows-service-name', 'windows-scheduled-task']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">regexp</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>regexp</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the regular expression.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">regexp-type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_registry_key"><a class="anchor" href="#_registry_key"></a><a class="link" href="#_registry_key">registry-key</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Registry key object describing a Windows registry key with value and last-modified timestamp.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
registry-key is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/registry-key/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">data</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Data stored in the registry key</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">root-keys</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Name of the registry key</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">key</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">regkey</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Full key path</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">hive</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Hive used to store the registry key (file on disk)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">data-type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-modified</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last time the registry key has been modified</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_report"><a class="anchor" href="#_report"></a><a class="link" href="#_report">report</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Metadata used to generate an executive level report.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
report is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/report/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">summary</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text summary of the report</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">case-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Case number</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_rtir"><a class="anchor" href="#_rtir"></a><a class="link" href="#_rtir">rtir</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>RTIR - Request Tracker for Incident Response.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
rtir is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/rtir/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">constituency</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Constituency of the RTIR ticket</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">status</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">subject</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Subject of the RTIR ticket</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IPs automatically extracted from the RTIR ticket</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">queue</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">classification</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Classification of the RTIR ticket</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ticket-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Ticket number of the RTIR ticket</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_sandbox_report"><a class="anchor" href="#_sandbox_report"></a><a class="link" href="#_sandbox_report">sandbox-report</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Sandbox report.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
sandbox-report is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/sandbox-report/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">on-premise-sandbox</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">results</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free-text result values</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">raw-report</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Raw report from sandbox</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sandbox-type</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The type of sandbox used ['on-premise', 'web', 'saas']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">saas-sandbox</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A sandbox that is not on-premise and whose results are not publicly available ['forticloud-sandbox', 'joe-sandbox-cloud', 'symantec-cas-cloud']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">score</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Score</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">permalink</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">link</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Permalink reference</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">web-sandbox</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A web sandbox where results are publicly available via a URL ['malwr', 'hybrid-analysis']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_ss7_attack"><a class="anchor" href="#_ss7_attack"></a><a class="link" href="#_ss7_attack">ss7-attack</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>SS7 object describing an attack seen on a GSM, UMTS or LTE network via SS7 logging.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
ss7-attack is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/ss7-attack/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapVlrGT</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP VLR GT. Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapImsi</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP IMSI. Phone number starting with MCC/MNC.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapMscGT</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP MSC GT. Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapSmsText</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP SMS Text. Important indicators in SMS text.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">Category</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">SccpCgSSN</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Signaling Connection Control Part (SCCP) CgSSN - Decimal value between 0-255.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">SccpCgGT</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Signaling Connection Control Part (SCCP) CgGT - Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">SccpCdSSN</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Signaling Connection Control Part (SCCP) CdSSN - Decimal value between 0-255.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapUssdCoding</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP USSD Coding.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapMsisdn</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP MSISDN. Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">SccpCdPC</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Signaling Connection Control Part (SCCP) CdPC - Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapUssdContent</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP USSD Content.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapGmlc</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP GMLC. Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapGsmscfGT</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP GSMSCF GT. Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapVersion</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP version ['1', '2', '3']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">SccpCdGT</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Signaling Connection Control Part (SCCP) CdGT - Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapOpCode</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP operation codes - Decimal value between 0-99.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the attack was seen for the first time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapSmsTP-DCS</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP SMS TP-DCS.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the attack seen via SS7 logging.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapSmsTP-OA</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP SMS TP-OA. Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapSmscGT</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP SMSC GT. Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapApplicationContext</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP application context in OID format.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">SccpCgPC</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Signaling Connection Control Part (SCCP) CgPC - Phone number.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapSmsTypeNumber</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP SMS TypeNumber.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">MapSmsTP-PID</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>MAP SMS TP-PID.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_stix2_pattern"><a class="anchor" href="#_stix2_pattern"></a><a class="link" href="#_stix2_pattern">stix2-pattern</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how they can be represented as a STIX pattern.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
stix2-pattern is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/stix2-pattern/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the stix2-pattern.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">stix2-pattern</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">stix2-pattern</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>STIX 2 pattern</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_tor_node"><a class="anchor" href="#_tor_node"></a><a class="link" href="#_tor_node">tor-node</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Description of a Tor node (a relay that protects users' privacy on the Internet by hiding the link between a user's Internet address and the services they use) that is part of the Tor network at a given time.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
tor-node is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/tor-node/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">version</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Parsed version of Tor; this is None if the relay is using a new versioning scheme.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">address</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-src</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IP address of the Tor node seen.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the Tor node designated by the IP address was seen for the first time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">version_line</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Versioning information reported by the node.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Tor node comment.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">description</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Tor node description.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">published</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Router’s publication time. This can differ from first-seen and last-seen.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>When the Tor node designated by the IP address was seen for the last time.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">nickname</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Router’s nickname.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">fingerprint</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Router’s fingerprint.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">flags</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>List of flags associated with the node.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">document</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Raw document from the consensus.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_url"><a class="anchor" href="#_url"></a><a class="link" href="#_url">url</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>The url object describes a URL along with its normalized fields (as extracted using the faup parsing library) and its metadata.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
url is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/url/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">tld</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Top-Level Domain</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">query_string</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Query (after path, preceded by '?')</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First time this URL has been seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">url</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Full URL</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">credential</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Credential embedded in the URL (username, password)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">subdomain</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Subdomain</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Description of the URL</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">port</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">port</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Port number</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">scheme</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Scheme ['http', 'https', 'ftp', 'gopher', 'sip']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">domain</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">domain</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Full domain</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-seen</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last time this URL has been seen</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">host</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">hostname</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Full hostname</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">fragment</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">domain_without_tld</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Domain without Top-Level Domain</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">resource_path</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Path (between hostname:port and query)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_victim"><a class="anchor" href="#_victim"></a><a class="link" href="#_victim">victim</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Victim object describes the target of an attack or abuse.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
victim is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/victim/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">node</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">target-machine</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Name(s) of node that was targeted.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-address</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">ip-dst</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>IP address(es) of the node targeted.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">target-org</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The name of the department(s) or organisation(s) targeted.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">regions</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">target-location</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The list of regions or locations of the targeted victim. ISO 3166 should be used.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">classification</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">email</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">target-email</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The email address(es) of the user targeted.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">user</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">target-user</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The username(s) of the user targeted.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">sectors</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The list of sectors that the victim belongs to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">roles</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The list of roles targeted within the victim.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">description</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Description of the victim</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">external</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">target-external</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>External target organisations affected by this attack.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_virustotal_report"><a class="anchor" href="#_virustotal_report"></a><a class="link" href="#_virustotal_report">virustotal-report</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>VirusTotal report.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
virustotal-report is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/virustotal-report/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">last-submission</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last Submission</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">detection-ratio</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Detection Ratio</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">community-score</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Community Score</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">first-submission</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First Submission</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">permalink</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">link</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Permalink Reference</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_vulnerability"><a class="anchor" href="#_vulnerability"></a><a class="link" href="#_vulnerability">vulnerability</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Vulnerability object describing a common vulnerability enumeration, which can describe an unpublished, under-review or embargoed vulnerability in software, equipment or hardware.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
vulnerability is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/vulnerability/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">modified</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last modification date</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">published</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Initial publication date</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">references</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">link</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>External references</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">state</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>State of the vulnerability. A vulnerability can have multiple states depending on the actions currently performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">summary</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Summary of the vulnerability</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Description of the vulnerability</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">id</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">vulnerability</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Vulnerability ID (generally a CVE, but not necessarily). The id is not required, as the object itself has a UUID and the CVE id can be updated later.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">vulnerable_configuration</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>The vulnerable configuration is described in CPE format</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">created</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>First time when the vulnerability was discovered</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_whois"><a class="anchor" href="#_whois"></a><a class="link" href="#_whois">whois</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Whois records information for a domain name.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
whois is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/whois/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">expiration-date</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Expiration of the whois entry</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">registrant-email</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">whois-registrant-email</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Registrant email address</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">registrar</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">whois-registrar</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Registrar of the whois entry</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">creation-date</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Initial creation of the whois entry</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">registrant-org</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">whois-registrant-org</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Registrant organisation</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">domain</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">domain</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Domain of the whois entry</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">registrant-phone</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">whois-registrant-phone</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Registrant phone number</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Full whois entry</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">registrant-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">whois-registrant-name</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Registrant name</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">nameserver</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">hostname</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Nameserver</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">modification-date</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Last update of the whois entry</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_x509"><a class="anchor" href="#_x509"></a><a class="link" href="#_x509">x509</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>x509 object describing an X.509 certificate.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
x509 is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/x509/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">serial-number</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Serial number of the certificate</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">x509-fingerprint-sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">x509-fingerprint-sha1</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>[Insecure] Secure Hash Algorithm 1 (160 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">pubkey-info-algorithm</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Algorithm of the public key</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">pubkey-info-modulus</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Modulus of the public key</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">x509-fingerprint-md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">x509-fingerprint-md5</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>[Insecure] MD5 hash (128 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">raw-base64</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Raw certificate base64 encoded</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">validity-not-before</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Certificate is not valid before this date</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">pubkey-info-size</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Length of the public key (in bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">validity-not-after</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">datetime</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Certificate is not valid after this date</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">version</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Version of the certificate</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">x509-fingerprint-sha256</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">x509-fingerprint-sha256</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Secure Hash Algorithm 2 (256 bits)</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">issuer</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Issuer of the certificate</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">subject</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Subject of the certificate</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">pubkey-info-exponent</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Exponent of the public key</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">text</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Free text description of the certificate</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_yabin"><a class="anchor" href="#_yabin"></a><a class="link" href="#_yabin">yabin</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: <a href="https://github.com/AlienVault-OTX/yabin" class="bare">https://github.com/AlienVault-OTX/yabin</a>.</p>
|
||
</div>
|
||
<div class="admonitionblock note">
|
||
<table>
|
||
<tr>
|
||
<td class="icon">
|
||
<i class="fa icon-note" title="Note"></i>
|
||
</td>
|
||
<td class="content">
|
||
yabin is a MISP object available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/objects/yabin/definition.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
<col style="width: 25%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Object attribute</th>
|
||
<th class="tableblock halign-left valign-top">MISP attribute type</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Disable correlation</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">whitelist</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Whitelist name used to generate the rules.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">version</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>yabin.py and regex.txt version used for the generation of the yara rules.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">comment</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>A description of the generated Yara rule.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-minus"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">yara</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">yara</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Yara rule generated with the -y option.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">yara-hunt</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">yara</p></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p>Wide Yara rule generated with the -yh option.</p>
|
||
</div></div></td>
|
||
<td class="tableblock halign-left valign-top"><div><div class="paragraph">
|
||
<p><span class="icon"><i class="fa fa-check"></i></span></p>
|
||
</div></div></td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
</div>
|
||
</div>
|
||
<div class="sect1">
|
||
<h2 id="_relationships"><a class="anchor" href="#_relationships"></a><a class="link" href="#_relationships">Relationships</a></h2>
|
||
<div class="sectionbody">
|
||
<div class="paragraph">
|
||
<p>Default types of relationships between MISP objects.</p>
|
||
</div>
|
||
<div class="paragraph">
|
||
<p>Relationships are part of MISP objects and are available in JSON format at <a href="https://github.com/MISP/misp-objects/blob/master/relationships/definition.json">this location</a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a>.</p>
|
||
</div>
|
||
<table class="tableblock frame-all grid-all spread">
|
||
<colgroup>
|
||
<col style="width: 33.3333%;">
|
||
<col style="width: 33.3333%;">
|
||
<col style="width: 33.3334%;">
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th class="tableblock halign-left valign-top">Name of relationship</th>
|
||
<th class="tableblock halign-left valign-top">Description</th>
|
||
<th class="tableblock halign-left valign-top">Format</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">derived-from</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">The information in the target object is based on information from the source object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp', 'stix-2.0']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">duplicate-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">The referenced source and target objects are semantically duplicates of each other.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp', 'stix-2.0']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">related-to</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">The referenced source is related to the target object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp', 'stix-2.0']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">attributed-to</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">The referenced source is attributed to the target object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp', 'stix-2.0']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">targets</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes that the source object targets the target object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp', 'stix-2.0']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">uses</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes the use by the source object of the target object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp', 'stix-2.0']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">indicates</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes that the source object indicates the target object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp', 'stix-2.0']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">mitigates</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes a source object which mitigates the target object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp', 'stix-2.0']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">variant-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes a source object which is a variant of the target object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp', 'stix-2.0']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">impersonates</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes a source object which impersonates the target object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp', 'stix-2.0']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">authored-by</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes the author of a specific object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">located</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes the location (of any type) of a specific object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">included-in</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object included in another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">analysed-with</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object analysed by another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">claimed-by</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object claimed by another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">communicates-with</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object communicating with another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">dropped-by</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object dropped by another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">drops</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which drops another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">executed-by</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object executed by another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">affects</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object affected by another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">beacons-to</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object beaconing to another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">abuses</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which abuses another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">exfiltrates-to</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object exfiltrating to another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">identifies</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which identifies another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">intercepts</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which intercepts another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">calls</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which calls another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">detected-as</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is detected as another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">followed-by</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is followed by another object. This can be used when a time reference is missing but a sequence is known.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">preceding-by</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is preceded by another object. This can be used when a time reference is missing but a sequence is known.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">triggers</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which triggers another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">vulnerability-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is a vulnerability of another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">works-like</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which works like another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">seller-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is selling another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">seller-on</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is selling on another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">trying-to-obtain-the-exploit</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is trying to obtain the exploit described by another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">used-by</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is used by another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">affiliated</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is affiliated with another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">alleged-founder-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is the alleged founder of another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">attacking-other-group</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which attacks another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">belongs-to</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which belongs to another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">business-relations</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which has business relations with another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">claims-to-be-the-founder-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which claims to be the founder of another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">cooperates-with</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which cooperates with another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">former-member-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is a former member of another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">successor-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is a successor of another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">has-joined</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which has joined another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">member-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is a member of another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">primary-member-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is a primary member of another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">administrator-of</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is an administrator of another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">is-in-relation-with</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is in relation with another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">provide-support-to</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which provides support to another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">regional-branch</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is a regional branch of another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
|
||
</tr>
|
||
<tr>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">similar</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is similar to another object.</p></td>
|
||
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">subgroup</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is a subgroup of another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">suspected-link</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is suspected to be linked with another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">same-as</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is the same as another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['misp']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">creator-of</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is the creator of another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">developer-of</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is a developer of another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">uses-for-recon</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which uses another object for reconnaissance.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">operator-of</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which is an operator of another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">overlaps</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which overlaps with another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">owner-of</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which owns another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">publishes-method-for</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which publishes a method for another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">recommends-use-of</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which recommends the use of another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">released-source-code</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which released the source code of another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock">released</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">This relationship describes an object which released another object.</p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">['cert-eu']</p></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2018-01-18 14:18:54 CET
</div>
</div>
</body>
</html> |