Merge branch 'MISP:main' into master

Author: Terrtia

README.md

@@ -0,0 +1,143 @@
+{
+  "attributes": {
+    "attack-type": {
+      "description": "Suspected attack or manipulation type affecting this ADS-B observation.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 30,
+      "values_list": [
+        "none",
+        "spoofing",
+        "replay",
+        "jamming",
+        "message-injection",
+        "ghost-aircraft",
+        "position-manipulation",
+        "identity-hijack",
+        "mlat-discrepancy",
+        "other"
+      ]
+    },
+    "barometric-altitude-ft": {
+      "description": "Barometric altitude in feet.",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 95
+    },
+    "callsign": {
+      "description": "Flight callsign observed in ADS-B messages.",
+      "misp-attribute": "text",
+      "ui-priority": 99
+    },
+    "detection-method": {
+      "description": "Method used to detect the anomaly (rule, multilateration, radar cross-check, etc.).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 28
+    },
+    "discrepancy-detail": {
+      "description": "Structured human-readable details explaining why this observation appears suspicious.",
+      "disable_correlation": true,
+      "misp-attribute": "comment",
+      "multiple": true,
+      "ui-priority": 27
+    },
+    "first-seen": {
+      "description": "First timestamp this observation was seen.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 88
+    },
+    "geometric-altitude-ft": {
+      "description": "Geometric (GNSS) altitude in feet.",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 94
+    },
+    "ground-speed-kt": {
+      "description": "Ground speed in knots.",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 93
+    },
+    "icao24": {
+      "description": "24-bit ICAO aircraft address represented as 6 hexadecimal characters.",
+      "misp-attribute": "text",
+      "ui-priority": 100
+    },
+    "last-seen": {
+      "description": "Last timestamp this observation was seen.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 87
+    },
+    "latitude": {
+      "description": "Observed latitude (WGS84).",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 97
+    },
+    "longitude": {
+      "description": "Observed longitude (WGS84).",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 96
+    },
+    "on-ground": {
+      "description": "True if the aircraft is reported as on ground.",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "ui-priority": 89
+    },
+    "raw-message": {
+      "description": "Raw ADS-B / Mode-S frame content when available.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 85
+    },
+    "receiver-id": {
+      "description": "Identifier of the receiver or sensor producing this observation.",
+      "misp-attribute": "text",
+      "ui-priority": 86
+    },
+    "registration": {
+      "description": "Aircraft registration (tail number).",
+      "misp-attribute": "text",
+      "ui-priority": 98
+    },
+    "squawk": {
+      "description": "4-digit transponder squawk code.",
+      "misp-attribute": "text",
+      "ui-priority": 90
+    },
+    "suspicion-score": {
+      "description": "Analyst or system confidence score (0-100) that the observation is malicious or manipulated.",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 29
+    },
+    "track-deg": {
+      "description": "Ground track in degrees (0-359).",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 92
+    },
+    "vertical-rate-ft-min": {
+      "description": "Vertical rate in feet per minute.",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 91
+    }
+  },
+  "description": "Observation object for ADS-B telemetry, including fields to flag spoofing and other ADS-B attacks.",
+  "meta-category": "transport",
+  "name": "ads-b-observation",
+  "requiredOneOf": [
+    "icao24"
+  ],
+  "uuid": "e8d9de0f-fb0d-44f4-8d83-7368fb64e9d6",
+  "version": 1
+}

objects/ads-b-observation/definition.json

@@ -41,7 +41,7 @@
       "ui-priority": 1
     }
   },
-  "description": "Automated Indicator Sharing (AIS) Information Source Markings.",
+  "description": "Automated Indicator Sharing (AIS) information source markings. This object complements ais or ais-observation by documenting sharing provenance/context and is not related to maritime Automatic Identification System protocol fields.",
   "meta-category": "misc",
   "name": "ais-info",
   "requiredOneOf": [
@@ -51,5 +51,5 @@
     "country"
   ],
   "uuid": "1f3f466d-465f-4c3a-8cce-933642c9ea83",
-  "version": 1
+  "version": 2
 }

objects/ais-info/definition.json

@@ -0,0 +1,162 @@
+{
+  "attributes": {
+    "ETA": {
+      "description": "Estimated time of arrival at destination.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 89
+    },
+    "IMO-number": {
+      "description": "IMO ship identification number.",
+      "misp-attribute": "text",
+      "ui-priority": 99
+    },
+    "MMSI": {
+      "description": "Maritime Mobile Service Identity (MMSI): unique 9-digit vessel identity.",
+      "misp-attribute": "text",
+      "ui-priority": 100
+    },
+    "attack-type": {
+      "description": "Suspected attack or manipulation type affecting this AIS observation.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 30,
+      "values_list": [
+        "none",
+        "spoofing",
+        "replay",
+        "jamming",
+        "message-injection",
+        "ghost-vessel",
+        "position-manipulation",
+        "identity-hijack",
+        "route-manipulation",
+        "other"
+      ]
+    },
+    "call-sign": {
+      "description": "International radio call-sign.",
+      "misp-attribute": "text",
+      "ui-priority": 97
+    },
+    "course-over-ground": {
+      "description": "Observed course over ground in degrees.",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 93
+    },
+    "destination": {
+      "description": "Destination declared in AIS static/voyage data.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 90
+    },
+    "detection-method": {
+      "description": "Method used to detect the anomaly (geofence, impossible movement, sensor fusion, etc.).",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 28
+    },
+    "discrepancy-detail": {
+      "description": "Structured human-readable details explaining why this observation appears suspicious.",
+      "disable_correlation": true,
+      "misp-attribute": "comment",
+      "multiple": true,
+      "ui-priority": 27
+    },
+    "first-seen": {
+      "description": "First timestamp this observation was seen.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 88
+    },
+    "last-seen": {
+      "description": "Last timestamp this observation was seen.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 87
+    },
+    "latitude": {
+      "description": "Observed latitude (WGS84).",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 96
+    },
+    "longitude": {
+      "description": "Observed longitude (WGS84).",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 95
+    },
+    "name": {
+      "description": "Vessel name as broadcast over AIS.",
+      "misp-attribute": "text",
+      "ui-priority": 98
+    },
+    "navigational-status": {
+      "description": "Navigational status transmitted by AIS.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 91
+    },
+    "observation-type": {
+      "description": "Classification of the shared record to distinguish routine telemetry from security-focused observations.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 84,
+      "values_list": [
+        "telemetry-snapshot",
+        "security-alert",
+        "correlation-result"
+      ]
+    },
+    "raw-message": {
+      "description": "Raw NMEA AIS message payload when available.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 85
+    },
+    "receiver-id": {
+      "description": "Identifier of the receiver or sensor producing this observation.",
+      "misp-attribute": "text",
+      "ui-priority": 86
+    },
+    "related-ais-object-uuid": {
+      "description": "UUID of a related ais object containing baseline vessel telemetry context for this observation.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 83
+    },
+    "speed-over-ground": {
+      "description": "Observed speed over ground in knots.",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 94
+    },
+    "suspicion-score": {
+      "description": "Analyst or system confidence score (0-100) that the observation is malicious or manipulated.",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 29
+    },
+    "true-heading": {
+      "description": "Observed true heading in degrees.",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 92
+    }
+  },
+  "description": "Observation object for AIS telemetry and security anomalies, including spoofing and other AIS attacks. This template complements ais (baseline vessel data) and ais-info (source/provenance markings).",
+  "meta-category": "marine",
+  "name": "ais-observation",
+  "requiredOneOf": [
+    "MMSI",
+    "IMO-number",
+    "raw-message"
+  ],
+  "uuid": "7aef2fc4-6d89-4293-94f2-f2010b7e3ad0",
+  "version": 2
+}

objects/ais-observation/definition.json

@@ -124,12 +124,12 @@
       "ui-priority": 91
     }
   },
-  "description": "Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships.",
+  "description": "Automatic Identification System (AIS) baseline vessel telemetry object (identity, voyage and navigation data). Use together with ais-observation when sharing suspicious/spoofed AIS observations.",
   "meta-category": "marine",
   "name": "ais",
   "requiredOneOf": [
     "MMSI"
   ],
   "uuid": "ef90551a-ff34-472c-9fba-c272c4435baa",
-  "version": 3
+  "version": 4
 }