{
"title": "Attack",
"description": "A host performing an attack.",
"properties": {
"Report-Type": {
"title": "Report type: attack",
"description": "The type of the report: an attack on a system.",
"type": "string",
"enum": ["eu.acdc.attack"]
},
"Report-Description": {
"title": "Report description",
"description": "The description of the report. This is a free text field characterising the report that should be used for a human readable description rather than for automatic processing. As a rule of thumb this should not be longer than one sentence.",
"type": "string"
},
"Date": {
"title": "Time of the attack observation",
"description": "The timestamp when the attack took place.",
"type": "string",
"format": "date-time"
},
"Source-Type": {
"title": "Type of the reported object: IP",
"description": "The type of the reported object: an IP.",
"type": "string",
"enum": ["ipv4", "ipv6"]
},
"Source": {
"title": "Attacking IP",
"description": "The IP address of the system performing the attack. Its address family (IPv4 or IPv6) is given by Source-Type.",
"type": "string"
},
"Confidence-Level": {
"title": "Confidence level of the report",
"description": "The level of confidence put into the accuracy of the report. A number between 0.0 and 1.0 with 0.0 being unreliable and 1.0 being verified to be accurate.",
"type": "number",
"minimum": 0.0,
"maximum": 1.0
},
"Report-Subcategory": {
"title": "Attack category",
"description": "The type of attack performed.",
"type": "string",
"enum": ["abuse", "compromise", "data", "dos", "dos.dns", "dos.http", "dos.tcp", "dos.udp", "login", "malware", "other"]
},
"Ip-Protocol-Number": {
"title": "IP protocol number",
"description": "The IANA-assigned decimal Internet protocol number of the attack connection.",
"type": "integer",
"minimum": 0,
"maximum": 255
},
"Ip-Version": {
"title": "IP version number",
"description": "The IP version of the attack connection.",
"type": "integer",
"enum": [4, 6]
},
"Report-ID": {
"title": "Report ID",
"description": "The ID of the report. This is the report ID in the CCH with the suffix @acdc-project.eu.",
"type": "string"
},
"Duration": {
"title": "The duration of the attack",
"description": "The duration of the attack in seconds.",
"type": "integer",
"minimum": 0,
"optional": true
},
"Reported-At": {
"title": "Time of the report's submission",
"description": "The timestamp when the report was submitted to the CCH.",
"type": "string",
"format": "date-time"
},
"Botnet": {
"title": "Botnet responsible for attack",
"description": "The botnet this attack can be attributed to.",
"type": "string",
"optional": true
},
"Additional-Data": {
"title": "Additional data",
"description": "Additional data for the observation. This allows putting more specific information into a report on a case by case basis in a structured manner. The usage of this field is at the data provider's discretion; this schema does not constrain the object's contents.",
"type": "object",
"optional": true
},
"Alternate-Format-Type": {
"title": "Type of the alternate format",
"description": "The type of the alternate format description of the observation.",
"type": "string",
"enum": ["IDMEF", "STIX"],
"optional": true
},
"Alternate-Format": {
"title": "Alternate format description of the observation",
"description": "A description of the observation in an alternate format.",
"type": "string",
"optional": true,
"requires": "Alternate-Format-Type"
},
"Src-Ip-V4": {
"title": "Source IPv4 of the attack",
"description": "The source IPv4 of the attack connection. This is always the IP of the attacking system (i.e., the one identified by Source). If set, this field equals Source.",
"type": "string",
"format": "ipv4",
"optional": true,
"requires": "Src-Mode"
},
"Src-Ip-V6": {
"title": "Source IPv6 of the attack",
"description": "The source IPv6 of the attack connection. This is always the IP of the attacking system (i.e., the one identified by Source). If set, this field equals Source.",
"type": "string",
"format": "ipv6",
"optional": true,
"requires": "Src-Mode"
},
"Src-Mode": {
"title": "Source IP mode",
"description": "The mode of the source IP. This can be plain for unaltered IPs, anon for anonymised IPs, or pseudo for pseudonymised IPs.",
"type": "string",
"enum": ["plain", "anon", "pseudo"],
"optional": true
},
"Dst-Ip-V4": {
"title": "Destination IPv4 of the attack",
"description": "The destination IPv4 of the attack connection. This is always the IP of the attacked system.",
"type": "string",
"format": "ipv4",
"optional": true,
"requires": "Dst-Mode"
},
"Dst-Ip-V6": {
"title": "Destination IPv6 of the attack",
"description": "The destination IPv6 of the attack connection. This is always the IP of the attacked system.",
"type": "string",
"format": "ipv6",
"optional": true,
"requires": "Dst-Mode"
},
"Dst-Mode": {
"title": "Destination IP mode",
"description": "The mode of the destination IP. This can be plain for unaltered IPs, anon for anonymised IPs, or pseudo for pseudonymised IPs.",
"type": "string",
"enum": ["plain", "anon", "pseudo"],
"optional": true
},
"Src-Port": {
"title": "Source port of the attack",
"description": "The source port of the attack connection. This is always the port on the attacking system (i.e., the one identified by Source).",
"type": "integer",
"optional": true
},
"Dst-Port": {
"title": "Destination port of the attack",
"description": "The destination port of the attack connection. This is always the port on the attacked system.",
"type": "integer",
"optional": true
},
"Sample-Filename": {
"title": "Filename of the payload",
"description": "The filename used for the payload that the attack tried to install or run on the attacked system. This should only be used if the payload is uploaded to the attacked system directly. Otherwise, Malicious-Uri should be used to link this report to an eu.acdc.malicious_uri report that in turn contains the SHA256 hash.",
"type": "string",
"optional": true
},
"Sample-Sha256": {
"title": "Hash of the payload",
"description": "The SHA256 hash of the payload that the attack tried to install or run on the attacked system.",
"type": "string",
"optional": true
},
"Malicious-Uri": {
"title": "URI of the payload",
"description": "The URI of the payload in the wild that the attack tried to install or run on the attacked system. This can for example be the location of a malware offered as a download or a webshell offered as a remote include during an attack. Consumers should treat this URI as hostile and should not fetch it automatically.",
"type": "string",
"format": "uri",
"optional": true
},
"Subject-Text": {
"title": "Subject of spam email",
"description": "The subject line of the spam email. This field is only meaningful in reports of subcategory abuse.",
"type": "string",
"optional": true
},
"Reported-From": {
"title": "Sending email address",
"type": "string"
},
"Category": {
"title": "The X-ARF category",
"type": "string",
"enum": ["abuse"]
},
"User-Agent": {
"title": "Name and version of the generating software",
"type": "string"
},
"Attachment": {
"title": "Attachment present",
"type": "string"
},
"Schema-URL": {
"title": "URI to the JSON-schema",
"type": "string",
"format": "uri"
},
"Version": {
"title": "Version of the X-ARF specification: 0.2",
"type": "number",
"enum": [0.2],
"optional": true
},
"Occurences": {
"title": "Number of attacks",
"type": "integer",
"optional": true
},
"TLP": {
"title": "Sensitivity of the report in TLP",
"type": "string",
"optional": true
}
},
"additionalProperties": false
}