forked from macar-cm/xarf-schemata
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy patheu.acdc.malicious_uri_1.0.0.json
197 lines (197 loc) · 7.7 KB
/
eu.acdc.malicious_uri_1.0.0.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
{
"title": "Malicious URI",
"description": "A URI pointing to malicious content.",
"properties": {
"Report-Type": {
"title": "Report type: malicious URI",
"description": "The type of the report: a malicious URI.",
"type": "string",
"enum": ["eu.acdc.malicious_uri"]
},
"Report-Description": {
"title": "Report description",
"description": "The description of the report. This is a free text field characterising the report that should be used for a human readable description rather than for automatic processing. As a rule of thumb this should not be longer than one sentence.",
"type": "string"
},
"Date": {
"title": "Time of the reported observation",
"description": "The timestamp when the malicious URI was observed.",
"type": "string",
"format": "date-time"
},
"Source-Type": {
"title": "Type of the reported object: URI",
"description": "The type of the reported object: a URI.",
"type": "string",
"enum": ["uri"]
},
"Source": {
"title": "Malicious URI",
"description": "The URI to the malicious content.",
"type": "string",
"format": "uri"
},
"Confidence-Level": {
"title": "Confidence level of the report",
"description": "The level of confidence put into the accuracy of the report. A number between 0.0 and 1.0 with 0.0 being unreliable and 1.0 being verified to be accurate.",
"type": "number",
"minimum": 0.0,
"maximum": 1.0
},
"Report-ID": {
"title": "Report ID",
"description": "The ID of the report. This is the report ID in the CCH with the suffix @acdc-project.eu.",
"type": "string"
},
"Report-Subcategory": {
"title": "Malicious category",
"description": "The type of the malicious content at the URI.",
"type": "string",
"enum": ["exploit", "malware", "phishing", "other"]
},
"Duration": {
"title": "Duration of the reported observation",
"description": "The duration in seconds during which the malicious URI was observed.",
"type": "integer",
"minimum": 0,
"optional": true
},
"Reported-At": {
"title": "Time of the report's submission",
"description": "The timestamp when the report was submitted to the CCH.",
"type": "string",
"format": "date-time"
},
"Botnet": {
"title": "Botnet of the malicious URI",
"description": "The botnet this malicious URI can be attributed to.",
"type": "string",
"optional": true
},
"Additional-Data": {
"title": "Additional data",
"description": "Additional data for the observation. This allows putting more specific information into a report on a case by case basis in a structured manner. The usage of this field is at the data providers discretion.",
"type": "object",
"optional": true
},
"Alternate-Format-Type": {
"title": "Type of the alternate format",
"description": "The type of the alternate format description of the observation.",
"type": "string",
"enum": ["IDMEF", "STIX"],
"optional": true
},
"Alternate-Format": {
"title": "Alternate format description of the observation",
"description": "A description of the observation in an alternate format.",
"type": "string",
"optional": true,
"requires": "Alternate-Format-Type"
},
"Ip-Version": {
"title": "IP version number",
"description": "The IP version of the IP address belonging to the malicious URI.",
"type": "integer",
"enum": [4, 6],
"optional": true
},
"Src-Ip-V4": {
"title": "Source IPv4 of the URI",
"description": "The source IPv4 associated with the malicious URI.",
"type": "string",
"format": "ipv4",
"optional": true,
"requires": "Src-Mode"
},
"Src-Ip-V6": {
"title": "Source IPv6 of the URI",
"description": "The source IPv6 associated with the malicious URI.",
"type": "string",
"format": "ipv6",
"optional": true,
"requires": "Src-Mode"
},
"Src-Mode": {
"title": "Source IP mode",
"description": "The mode of the source IP. This can be plain for unaltered IPs, anon for anonymised IPs, or pseudo for pseudonymised IPs.",
"type": "string",
"enum": ["plain", "anon", "pseudo"],
"optional": true
},
"Sample-Filename": {
"title": "Malicious content file name",
"description": "The file name of the malicious content if applicable.",
"type": "string",
"optional": true
},
"Sample-Sha256": {
"title": "Hash of the malicious content",
"description": "The SHA256 hash of the malicious content if applicable.",
"type": "string",
"optional": true
},
"Exploits": {
"title": "Exploits in the URI",
"description": "Exploits discovered in the analysed URI. This is an array of objects, each giving an identifier scheme like CVE and an identifier for the actual exploit found.",
"type": "array",
"items": {
"title": "Exploit",
"description": "Indicator for the type and identifier of the given exploit",
"type": "object",
"properties": {
"Type": {
"title": "Identifier scheme",
"description": "Indicate whether a CVE was matched or a heuristic identified the exploit",
"type": "string",
"enum": ["cve", "other"]
},
"Value": {
"title": "Exploit identifier",
"description": "An indicator for the specific CVE or heuristic that was triggered by the file",
"type": "string"
}
}
},
"optional": true
},
"Reported-From": {
"title": "Sending email address",
"type": "string"
},
"Category": {
"title": "The X-ARF category",
"type": "string",
"enum": ["abuse"]
},
"User-Agent": {
"title": "Name and version of the generating software",
"type": "string"
},
"Attachment": {
"title": "Attachment present",
"type": "string"
},
"Schema-URL": {
"title": "URI to the JSON-schema",
"type": "string",
"format": "uri"
},
"Version": {
"title": "Version of the X-ARF specification: 0.2",
"type": "number",
"enum": [0.2],
"optional": true
},
"Occurences": {
"title": "Number of attacks",
"type": "integer",
"optional": true
},
"TLP": {
"title": "Sensitivity of the report in TLP",
"type": "string",
"optional": true
}
},
"additionalProperties": false
}