release xarf v3

README.md

@@ -19,9 +19,9 @@ Find the latest schema release [on the releases page](https://github.com/abusix/
 
 ## Current Version
 
-`2`
+`3`
 
-[Up-To-Date Tested Sample XARF Reports](samples/positive/2)
+[Up-To-Date Tested Sample XARF Reports](samples/positive/3)
 
 ## Build status
 

samples/negative/3/harassment_sample_no_description.json

@@ -0,0 +1,18 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterType": "Person",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Harassed McPerson",
+    "ReporterContactPhone": "+ 01 555 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "Harassed",
+    "Date": "2022-09-09T14:17:10Z",
+    "SourceUrl": "192.168.0.11",
+    "Ongoing": true,
+    "Harasser": "x.X.Fl4m3r.X.x"
+  }
+}

samples/negative/3/harassment_sample_no_harasser.json

@@ -0,0 +1,18 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterType": "Person",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Harassed McPerson",
+    "ReporterContactPhone": "+ 01 555 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "Harassed",
+    "Date": "2022-09-09T14:17:10Z",
+    "SourceUrl": "192.168.0.11",
+    "Ongoing": true,
+    "HarassmentDescription": "The user called me a bunch of slurs."
+  }
+}

samples/negative/3/invalid_additional_fields.json

@@ -0,0 +1,26 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "Example",
+    "ReporterOrgDomain": "example.de",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Abuse-Desk"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "Malware",
+    "ReportSubType": "RPZ-Rewrite",
+    "Date": "2020-07-19T19:39:54Z",
+    "SourceIp": "2001:db8:1300:9:3949:9d93:bd2:9da5",
+    "SourcePort": 48107,
+    "RpzDomain": "example.net",
+    "Custom": {
+      "DNSResolver": "de-example-dnsres-07",
+      "MalwareName": "suppobox",
+      "NumberOfIncidents": [5],
+      "TimeframeSeconds": { "no": 600 }
+    }
+  }
+}

samples/negative/3/invalid_b64_flag.json

@@ -0,0 +1,31 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "Spam",
+    "ReportSubType": "Trap",
+    "Date": "2018-02-05T14:17:10Z",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "DestinationIp": "198.51.100.33",
+    "DestinationPort": 25,
+    "SmtpMailFromAddress": "[email protected]",
+    "Samples": [
+      {
+        "ContentType": "message/rfc822",
+        "Base64Encoded": "yes not I don't know",
+        "Description": "The spam mail",
+        "Payload": "bWFpbA=="
+      }
+    ]
+  }
+}

samples/negative/3/invalid_byte_count.json

@@ -0,0 +1,32 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "PortScan",
+    "Date": "2018-02-05T14:17:10Z",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "DestinationIp": "198.51.100.33",
+    "DestinationPort": 80,
+    "Ongoing": true,
+    "ByteCount": true,
+    "PacketCount": "stringy",
+    "Samples": [
+      {
+        "ContentType": "text/plain",
+        "Base64Encoded": false,
+        "Description": "Just a test sample",
+        "Payload": "bla bla bla bla"
+      }
+    ]
+  }
+}

samples/negative/3/invalid_date.json

@@ -0,0 +1,29 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Content",
+    "ReportType": "Phishing",
+    "Date": "This is not a date",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 80,
+    "SourceUrl": "http://phish.example.org/index.html",
+    "Ongoing": true,
+    "Samples": [
+      {
+        "ContentType": "text/html",
+        "Base64Encoded": false,
+        "Description": "Just a test sample",
+        "Payload": "<html>Phishy</html>"
+      }
+    ]
+  }
+}

samples/negative/3/invalid_destination.json

@@ -0,0 +1,31 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "Spam",
+    "ReportSubType": "Trap",
+    "Date": "2018-02-05T14:17:10Z",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "DestinationIp": "198",
+    "DestinationPort": 8000000,
+    "SmtpMailFromAddress": "[email protected]",
+    "Samples": [
+      {
+        "ContentType": "message/rfc822",
+        "Base64Encoded": true,
+        "Description": "The spam mail",
+        "Payload": "bWFpbA=="
+      }
+    ]
+  }
+}

samples/negative/3/invalid_destination2.json

@@ -0,0 +1,31 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "Spam",
+    "ReportSubType": "Trap",
+    "Date": "2018-02-05T14:17:10Z",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "DestinationIp": 45,
+    "DestinationPort": "mh",
+    "SmtpMailFromAddress": "[email protected]",
+    "Samples": [
+      {
+        "ContentType": "message/rfc822",
+        "Base64Encoded": true,
+        "Description": "The spam mail",
+        "Payload": "bWFpbA=="
+      }
+    ]
+  }
+}

samples/negative/3/invalid_email_as_identifier_potentially_compromised_account.json

@@ -0,0 +1,34 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "PotentiallyCompromisedAccount",
+    "Date": "2018-02-05T14:17:10Z",
+    "DestinationIp": "198.51.100.33",
+    "DestinationPort": 80,
+    "Ongoing": true,
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "Account": {
+      "AccountIdentifier": "[email protected]",
+      "AccountEmail": "[email protected]"
+    },
+    "Samples": [
+      {
+        "ContentType": "text/plain",
+        "Base64Encoded": false,
+        "Description": "Log entry",
+        "Payload": "User at 192.0.2.55:54321 tried to log in unsuccessfully 123 times."
+      }
+    ]
+  }
+}

samples/negative/3/invalid_emails.json

@@ -0,0 +1,32 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "Spam",
+    "ReportSubType": "Trap",
+    "Date": "2018-02-05T14:17:10Z",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "DestinationIp": "198.51.100.33",
+    "DestinationPort": 25,
+    "SmtpMailFromAddress": "spamexample.com",
+    "SmtpRcptToAddress": "0012345678",
+    "Samples": [
+      {
+        "ContentType": "message/rfc822",
+        "Base64Encoded": true,
+        "Description": "The spam mail",
+        "Payload": "bWFpbA=="
+      }
+    ]
+  }
+}

samples/negative/3/invalid_empty.json

@@ -0,0 +1,3 @@
+{
+  "Version": "3"
+}

samples/negative/3/invalid_empty_account.json

@@ -0,0 +1,29 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportClass": "Activity",
+    "ReportType": "PotentiallyCompromisedAccount",
+    "Date": "2018-02-05T14:17:10Z",
+    "DestinationIp": "198.51.100.33",
+    "DestinationPort": 80,
+    "Ongoing": true,
+    "Account": {},
+    "Samples": [
+      {
+        "ContentType": "text/plain",
+        "Base64Encoded": false,
+        "Description": "Log entry",
+        "Payload": "User at 192.0.2.55:54321 tried to log in unsuccessfully 123 times."
+      }
+    ]
+  }
+}

samples/negative/3/invalid_exploit_wrong_cve.json

@@ -0,0 +1,21 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportType": "Exploit",
+    "ReportClass": "Activity",
+    "FirstSeen": "2022-08-22T15:17:10Z",
+    "Date": "2022-08-24T11:21:10Z",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "CVE": "CVE-NOW-23112"
+  }
+}

samples/negative/3/invalid_exploit_wrong_vector.json

@@ -0,0 +1,24 @@
+{
+  "Version": "3",
+  "ReporterInfo": {
+    "ReporterOrg": "ExampleOrg",
+    "ReporterOrgDomain": "example.com",
+    "ReporterOrgEmail": "[email protected]",
+    "ReporterContactEmail": "[email protected]",
+    "ReporterContactName": "Mr. Example",
+    "ReporterContactPhone": "+ 01 000 1234567"
+  },
+  "Disclosure": true,
+  "Report": {
+    "ReportType": "Exploit",
+    "ReportClass": "Activity",
+    "FirstSeen": "2022-08-22T15:17:10Z",
+    "Date": "2022-08-24T11:21:10Z",
+    "SourceIp": "192.0.2.55",
+    "SourcePort": 54321,
+    "CVSS": {
+      "Version": "2",
+      "Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+    }
+  }
+}