{
"attributes": {
"asn": {
"description": "ASN where the IP resides",
"misp-attribute": "AS",
"ui-priority": 0
},
"city": {
"description": "City location of the IP in question",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"connection": {
"description": "Control options for the current connection and list of hop-by-hop request fields",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"content_length": {
"description": "The length of the response body in octets",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"content_type": {
"description": "The MIME type of the body of the request",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"geo": {
"description": "Country location of the IP",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"hostname": {
"description": "Any of the capabilities identified for the malware instance or family.",
"misp-attribute": "hostname",
"multiple": true,
"ui-priority": 0
},
"hostname_source": {
"description": "Hostname source",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"http": {
"description": "Hypertext Transfer Protocol Version",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"http_code": {
"description": "HTTP Response code: e.g., 200, 401, 404",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"http_date": {
"description": "The date and time that the message was sent",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"http_reason": {
"description": "The text reason to go with the HTTP Code",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"ip": {
"description": "The IP address of the device in question",
"misp-attribute": "ip-src",
"multiple": true,
"ui-priority": 0
},
"naics": {
"description": "North American Industry Classification System Code",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"port": {
"description": "Port the response came from",
"misp-attribute": "port",
"multiple": true,
"ui-priority": 0
},
"protocol": {
"description": "Protocol observed in the network traffic",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"proxy_authenticate": {
"description": "The authentication method that should be used to gain access to a resource behind a proxy server",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"region": {
"description": "Regional location of the IP in question",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"sector": {
"description": "Sector of the IP in question",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"server": {
"description": "HTTP Server type",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"severity": {
"description": "Severity level",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"critical",
"high",
"medium",
"low",
"info"
],
"ui-priority": 0
},
"tag": {
"description": "Array of tags associated with the URL if any. In this report typically it will be a CVE entry, for example CVE-2021-44228. This allows for better understanding of the URL context observed (i.e. usage associated with a particular CVE).",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"timestamp": {
"description": "Time that the IP was probed in UTC+0",
"misp-attribute": "datetime",
"ui-priority": 0
},
"transfer_encoding": {
"description": "The form of encoding used to safely transfer the entity to the user",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"via": {
"description": "General header added by proxies",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
}
},
"description": "This report identifies open HTTP proxy servers on multiple ports. While HTTP proxies have legitimate uses, they are also used for attacks or other forms of abuse. https://www.shadowserver.org/what-we-do/network-reporting/open-http-proxy-report/",
"meta-category": "misc",
"name": "shadowserver-scan-http-proxy",
"required": [
"timestamp",
"ip",
"port",
"tag"
],
"uuid": "ad0c83d5-56bf-4300-8743-ed2b4caf6206",
"version": 1
}