
TODO Attacker and victim objects

Open iglocska opened this issue 7 years ago • 4 comments

Attacker:

  • name
  • comment
  • ip
  • asn
  • asn-name
  • geo
  • uri
  • whois-text
  • //source-comment

Victim

  • ip
  • asn
  • asn-name
  • geo
  • uri
  • //comment

Mar 02 '17 10:03 iglocska

Depending on the attack type, we can also include the domain name in the victim. Application layer attacks normally target domains/services that can be hosted on the same IP address.

Mar 03 '17 20:03 dr0t

The attacker object can be quite complex. I would go for a very minimal one and use the other attributes or objects to link with the attacker object, like https://github.com/MISP/misp-objects/blob/master/objects/whois/definition.json, to avoid describing the same info again in the attacker object.

@iglocska the new proposed database model should work as the object can link to one or more objects or attributes. Correct?

Mar 05 '17 12:03 adulau

Victim also something like name, mail address, username, location, legal entity / department...

Sep 20 '17 14:09 jaegeral

First version of the victim object added https://github.com/MISP/misp-objects/commit/9d146207395d33542d9c8cb815cbf3bc45040af5

Sep 24 '17 19:09 adulau