rfcdiff: draft-dulaunoy-misp-core-format-06.txt versus draft-dulaunoy-misp-core-format-07.txt
(where the two revisions differ, both texts are given below, labelled -06 and -07)

Network Working Group                                        A. Dulaunoy
Internet-Draft                                                 A. Iklody
Intended status: Informational                                     CIRCL
Expires: July 3, 2019 (-06) / August 7, 2019 (-07)
Date: December 30, 2018 (-06) / February 3, 2019 (-07)

MISP core format
draft-dulaunoy-misp-core-format-06 (-06) / draft-dulaunoy-misp-core-format-07 (-07)
Abstract

This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances. The JSON format includes the overall structure along with the semantics associated with each respective key. The format is described to support other implementations which reuse the format and to ensure interoperability with existing MISP [MISP-P] software and other

skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on July 3, 2019 (-06) / August 7, 2019 (-07).

Copyright Notice

Copyright (c) 2018 (-06) / 2019 (-07) IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as

skipping to change at page 2, line 24
Table of Contents (continued; page numbers given as -06 / -07)

2.2. Event . . . 3 / 3
2.2.1. Event Attributes . . . 3 / 3
2.3. Objects . . . 7 / 7
2.3.1. Org . . . 7 / 7
2.3.2. Orgc . . . 8 / 8
2.4. Attribute . . . 8 / 8
2.4.1. Sample Attribute Object . . . 8 / 8
2.4.2. Attribute Attributes . . . 9 / 9
2.5. ShadowAttribute . . . 15 / 15
2.5.1. Sample Attribute Object . . . 15 / 15
2.5.2. ShadowAttribute Attributes . . . 15 / 16
2.5.3. Org . . . 21 / 21
2.6. Object . . . 21 / 22
2.6.1. Sample Object object . . . 22 / 22
2.6.2. Object Attributes . . . 23 / 23
2.7. Object References . . . 25 / 26
2.7.1. Sample ObjectReference object . . . 26 / 26
2.7.2. ObjectReference Attributes . . . 26 / 27
2.8. Tag . . . 28 / 29
2.8.1. Sample Tag . . . 28 / 29
2.9. Sighting . . . 28 / 29
2.9.1. Sample Sighting . . . 30 / 31
2.10. Galaxy . . . 30 / 31
2.10.1. Sample Galaxy . . . 30 / 31
3. JSON Schema . . . 32 / 33
4. Manifest . . . 46 / 47
4.1. Format . . . 46 / 47
4.1.1. Sample Manifest . . . 47 / 48
5. Implementation . . . 48 / 49
6. Security Considerations . . . 48 / 49
7. Acknowledgements . . . 48 / 49
8. References . . . 48 / 49
9. References . . . 48 / 49
9.1. Normative References . . . 48 / 49
9.2. Informative References . . . 49 / 50
Authors' Addresses . . . 49 / 50
1. Introduction

Sharing threat information has become a fundamental requirement in the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. MISP [MISP-P] started as an open source project in late 2011 and the MISP format has become widely used as an exchange format within the community in recent years. The aim

skipping to change at page 10, line 4
type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.

type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows (for each category, the -06 list is given in full and the -07 list is given as its changes relative to -06):

Antivirus detection
  -06: link, comment, text, hex, attachment, other
  -07: the -06 list plus anonymised

Artifacts dropped
  -06: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type
  -07: the -06 list plus anonymised

Attribution
  -06: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email
  -07: the -06 list plus anonymised

External analysis
  -06: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, github-repository, other, cortex
  -07: the -06 list with zeek added after bro, hassh-md5 and hasshserver-md5 added after ja3-fingerprint-md5, and anonymised appended

Financial fraud
  -06: btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex
  -07: the -06 list plus anonymised

Internal reference
  -06: text, link, comment, other, hex
  -07: the -06 list plus anonymised

Network activity
  -06: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, other, hex, cookie, hostname|port, bro
  -07: the -06 list with hassh-md5 and hasshserver-md5 added after ja3-fingerprint-md5, and zeek, anonymised appended after bro

Other
  -06: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean
  -07: the -06 list plus anonymised

Payload delivery
  -06: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email
  -07: the -06 list with hassh-md5 and hasshserver-md5 added after ja3-fingerprint-md5, and anonymised appended

Payload installation
  -06: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type
  -07: the -06 list plus anonymised

Payload type
  -06: comment, text, other
  -07: the -06 list plus anonymised

Persistence mechanism
  -06: filename, regkey, regkey|value, comment, text, other, hex
  -07: the -06 list plus anonymised

Person
  -06: first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number
  -07: the -06 list plus anonymised

Social network
  -06: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email
  -07: the -06 list plus anonymised

Support Tool
  -06: link, text, attachment, comment, other, hex
  -07: the -06 list plus anonymised

Targeting data
  -06: target-user, target-email, target-machine, target-org, target-location, target-external, comment
  -07: the -06 list plus anonymised

Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.
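The "type MUST be present and MUST be a valid selection for the chosen category" requirement above is the check a consumer of MISP JSON has to perform before trusting an attribute, and the -06 to -07 change shows why the table must be versioned: a validator built from the -06 table rejects every `anonymised` attribute and the new `zeek`, `hassh-md5` and `hasshserver-md5` types. The following is an added example, not code from the draft or from the MISP project. It embeds only an excerpt of the table (five categories, copied from the lists above; the other categories are omitted for length), assumes the Attribute objects carry `category` and `type` as JSON strings as the draft states, and assumes an Event document of the shape `{"Event": {"Attribute": [...]}}`; the sample event is constructed.

```python
"""Check MISP attribute category/type pairs against the category-type
table of draft-dulaunoy-misp-core-format, with the -06/-07 difference.

Added example, not code from the draft or the MISP project.  Only an
excerpt of the draft's table is embedded; the full table is in the draft.
"""
import json

# Excerpt of the -06 category-type table (copied from the draft's lists;
# the remaining categories are omitted to keep the example short).
CATEGORY_TYPES_06 = {
    "Antivirus detection": {"link", "comment", "text", "hex", "attachment", "other"},
    "Internal reference": {"text", "link", "comment", "other", "hex"},
    "Network activity": {
        "ip-src", "ip-dst", "ip-dst|port", "ip-src|port", "port", "hostname",
        "domain", "domain|ip", "mac-address", "mac-eui-64", "email-dst", "url",
        "uri", "user-agent", "http-method", "AS", "snort", "pattern-in-file",
        "stix2-pattern", "pattern-in-traffic", "attachment", "comment", "text",
        "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256",
        "ja3-fingerprint-md5", "other", "hex", "cookie", "hostname|port", "bro",
    },
    "Payload type": {"comment", "text", "other"},
    "Targeting data": {
        "target-user", "target-email", "target-machine", "target-org",
        "target-location", "target-external", "comment",
    },
}

# Types -07 adds on top of -06 for the embedded categories.  -07 adds
# "anonymised" to every category; the diff also adds zeek, hassh-md5 and
# hasshserver-md5 to External analysis and hassh-md5, hasshserver-md5 to
# Payload delivery, which this excerpt does not embed.
ADDED_IN_07 = {
    "Network activity": {"zeek", "hassh-md5", "hasshserver-md5"},
}


def category_types(revision):
    """Return a fresh {category: set(types)} table for draft revision 06 or 07."""
    if revision not in ("06", "07"):
        raise ValueError("unknown draft revision: %r" % (revision,))
    table = {cat: set(types) for cat, types in CATEGORY_TYPES_06.items()}
    if revision == "07":
        for cat, types in table.items():
            types.add("anonymised")
            types |= ADDED_IN_07.get(cat, set())
    return table


def validate_attribute(attr, revision="07"):
    """Return a list of violations of the draft's MUSTs (empty list = valid)."""
    table = category_types(revision)
    errors = []
    for key in ("category", "type"):
        if key not in attr:
            errors.append("%s MUST be present" % key)
        elif not isinstance(attr[key], str):
            errors.append("%s MUST be a JSON string" % key)
    if errors:
        return errors  # cannot check the combination without both strings
    allowed = table.get(attr["category"])
    if allowed is None:
        errors.append("unknown category %r" % (attr["category"],))
    elif attr["type"] not in allowed:
        errors.append("type %r is not valid for category %r in -%s"
                      % (attr["type"], attr["category"], revision))
    return errors


def validate_event_attributes(event_json, revision="07"):
    """Validate every Attribute of an Event document; returns {index: errors}.

    Assumes the Event JSON shape {"Event": {"Attribute": [...]}} (assumption).
    """
    event = json.loads(event_json)
    attrs = event.get("Event", {}).get("Attribute", [])
    result = {}
    for i, attr in enumerate(attrs):
        errs = validate_attribute(attr, revision)
        if errs:
            result[i] = errs
    return result


# Constructed sample event (RFC 5737 documentation address, no real IoCs).
SAMPLE_EVENT = json.dumps({"Event": {"info": "constructed sample", "Attribute": [
    {"category": "Network activity", "type": "ip-dst", "value": "203.0.113.10"},
    {"category": "Network activity", "type": "zeek", "value": "constructed zeek signature"},
    {"category": "Payload type", "type": "anonymised", "value": "constructed"},
    {"category": "Targeting data", "type": "ip-dst", "value": "203.0.113.10"},
    {"category": "Antivirus detection", "value": "missing type"},
]}})

if __name__ == "__main__":
    for rev in ("06", "07"):
        print("draft -%s:" % rev, validate_event_attributes(SAMPLE_EVENT, rev))
```

Against -07 only attributes 3 (ip-dst is not a Targeting data type) and 4 (no type) fail; against -06 the zeek and anonymised attributes fail as well, which is the practical effect of the table changes in this revision.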
2.4.2.4. category

category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.

skipping to change at page 16, line 31 (-06) / page 17, line 6 (-07)
type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.

type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows (for each category, the -06 list is given in full and the -07 list is given as its changes relative to -06):

Antivirus detection
  -06: link, comment, text, hex, attachment, other
  -07: the -06 list plus anonymised

Artifacts dropped
  -06: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type
  -07: the -06 list plus anonymised

Attribution
  -06: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email
  -07: the -06 list plus anonymised

External analysis
  -06: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, github-repository, other, cortex
  -07: the -06 list with zeek added after bro, hassh-md5 and hasshserver-md5 added after ja3-fingerprint-md5, and anonymised appended

Financial fraud
  -06: btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex
  -07: the -06 list plus anonymised

Internal reference
  -06: text, link, comment, other, hex
  -07: the -06 list plus anonymised

Network activity
  -06: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, other, hex, cookie, hostname|port, bro
  -07: the -06 list with hassh-md5 and hasshserver-md5 added after ja3-fingerprint-md5, and zeek, anonymised appended after bro

Other
  -06: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean
  -07: the -06 list plus anonymised

Payload delivery
  -06: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email
  -07: the -06 list with hassh-md5 and hasshserver-md5 added after ja3-fingerprint-md5, and anonymised appended

Payload installation
  -06: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type
  -07: the -06 list plus anonymised

Payload type
  -06: comment, text, other
  -07: the -06 list plus anonymised

Persistence mechanism
  -06: filename, regkey, regkey|value, comment, text, other, hex
  -07: the -06 list plus anonymised

Person
  -06: first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number
  -07: the -06 list plus anonymised

Social network
  -06: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email
  -07: the -06 list plus anonymised

Support Tool
  -06: link, text, attachment, comment, other, hex
  -07: the -06 list plus anonymised

Targeting data
  -06: target-user, target-email, target-machine, target-org, target-location, target-external, comment
  -07: the -06 list plus anonymised

Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.
2.5.2.4. category

category represents the intent of what the attribute is describing as selected by the attribute creator, using a list of pre-defined attribute categories.
End of changes. 42 change blocks. 70 lines changed or deleted, 82 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/