diff --git a/lib/src/modules/protos/vt/analysis.proto b/lib/src/modules/protos/vt/analysis.proto new file mode 100644 index 00000000..f6a7b190 --- /dev/null +++ b/lib/src/modules/protos/vt/analysis.proto @@ -0,0 +1,17 @@ +// THIS FILE IS GENERATED AUTOMATICALLY. DO NOT EDIT. +// LINT: LEGACY_NAMES + +syntax = "proto3"; + +package vt.analysis; + +import "yara.proto"; + +message AnalysisStats { + int32 malicious = 1; + int32 suspicious = 2; + int32 undetected = 3; + int32 harmless = 4; + int32 failure = 5; + int32 type_unsupported = 6; +} diff --git a/lib/src/modules/protos/vt/filetypes.proto b/lib/src/modules/protos/vt/filetypes.proto new file mode 100644 index 00000000..de2c2158 --- /dev/null +++ b/lib/src/modules/protos/vt/filetypes.proto @@ -0,0 +1,191 @@ +// THIS FILE IS GENERATED AUTOMATICALLY. DO NOT EDIT. +// LINT: LEGACY_NAMES + +syntax = "proto3"; + +package vt.fileanalysis; + +enum FileType { + UNKNOWN = 0; + PE_EXE = 1; + PE_DLL = 2; + MSI = 3; + NE_EXE = 10; + NE_DLL = 11; + DOS_EXE = 20; + DOS_COM = 21; + COFF = 30; + ELF = 31; + LINUX_KERNEL = 32; + RPM = 33; + LINUX = 34; + MACH_O = 35; + JAVA_BYTECODE = 36; + DMG = 37; + DEB = 38; + PKG = 39; + PYC = 40; + LNK = 50; + DESKTOP_ENTRY = 51; + JPEG = 100; + TIFF = 101; + GIF = 102; + PNG = 103; + BMP = 104; + GIMP = 105; + IN_DESIGN = 106; + PSD = 107; + TARGA = 108; + XWD = 109; + DIB = 110; + JNG = 111; + ICO = 112; + FPX = 113; + EPS = 114; + SVG = 115; + EMF = 116; + WEBP = 117; + DWG = 118; + DXF = 119; + UNUSED_THREEDS = 120; + OGG = 150; + FLC = 151; + FLI = 152; + MP3 = 153; + FLAC = 154; + WAV = 155; + MIDI = 156; + AVI = 157; + MPEG = 158; + QUICKTIME = 159; + ASF = 160; + DIVX = 161; + FLV = 162; + WMA = 163; + WMV = 164; + RM = 165; + MOV = 166; + MP4 = 167; + T3GP = 168; + WEBM = 169; + MKV = 170; + PDF = 200; + PS = 201; + DOC = 202; + DOCX = 203; + PPT = 204; + PPTX = 205; + PPSX = 209; + XLS = 206; + XLSX = 207; + RTF = 208; + ODP = 250; + ODS = 251; + ODT = 252; + HWP = 253; + GUL = 254; + ODF = 255; + ODG = 256; + ONE_NOTE = 257; + UNUSED_OOXML = 258; + SLK = 259; + EBOOK = 260; + LATEX = 261; + TTF = 262; + EOT = 263; + WOFF = 264; + CHM = 265; + ZIP = 300; + GZIP = 301; + BZIP = 302; + RZIP = 303; + DZIP = 304; + SEVENZIP = 305; + CAB = 306; + JAR = 307; + RAR = 308; + MSCOMPRESS = 309; + ACE = 310; + ARC = 311; + ARJ = 312; + ASD = 313; + BLACKHOLE = 314; + KGB = 315; + ZLIB = 316; + TAR = 317; + ZST = 318; + LZFSE = 319; + PYTHON_WHL = 320; + PYTHON_PKG = 321; + MSIX = 322; + TEXT = 400; + SCRIPT = 401; + PHP = 402; + PYTHON = 403; + PERL = 404; + RUBY = 405; + C = 406; + CPP = 407; + JAVA = 408; + SHELLSCRIPT = 409; + PASCAL = 410; + AWK = 411; + DYALOG = 412; + FORTRAN = 413; + JAVASCRIPT = 414; + POWERSHELL = 415; + VBA = 416; + M4 = 417; + OBJETIVEC = 418; + JMOD = 419; + MAKEFILE = 420; + INI = 421; + UNUSED_CLJ = 422; + UNUSED_PDB = 425; + SQL = 426; + UNUSED_NEKO = 427; + UNUSED_WER = 428; + GOLANG = 429; + M3U = 430; + BAT = 431; + MSC = 432; + RDP = 433; + SYMBIAN = 500; + PALMOS = 501; + WINCE = 502; + ANDROID = 503; + IPHONE = 504; + HTML = 600; + XML = 601; + SWF = 602; + FLA = 603; + COOKIE = 604; + TORRENT = 605; + EMAIL = 606; + OUTLOOK = 607; + SGML = 608; + JSON = 609; + CSV = 610; + HTA = 611; + INTERNET_SHORTCUT = 612; + CAP = 700; + ISOIMAGE = 800; + SQUASHFS = 801; + VHD = 802; + APPLE = 1000; + MACINTOSH = 1001; + APPLESINGLE = 1002; + APPLEDOUBLE = 1003; + MACINTOSH_HFS = 1004; + APPLE_PLIST = 1005; + MACINTOSH_LIB = 1006; + APPLESCRIPT = 1007; + APPLESCRIPT_COMPILED = 1008; + CRX = 1100; + XPI = 1101; + ROM = 1200; + IPS = 1201; + PEM = 1300; + PGP = 1301; + CRT = 1302; +} diff --git a/lib/src/modules/protos/vt/gti_score.proto b/lib/src/modules/protos/vt/gti_score.proto new file mode 100644 index 00000000..f0ea77b5 --- /dev/null +++ b/lib/src/modules/protos/vt/gti_score.proto @@ -0,0 +1,32 @@ +// THIS FILE IS GENERATED AUTOMATICALLY. DO NOT EDIT. +// LINT: LEGACY_NAMES + +syntax = "proto3"; + +package vt.gti_score; + +import "yara.proto"; + +enum Verdict { + option (yara.enum_options) = { + name: "GtiVerdict" + }; + + VERDICT_UNKNOWN = 0; + VERDICT_BENIGN = 4; + VERDICT_UNDETECTED = 8; + VERDICT_SUSPICIOUS = 12; + VERDICT_MALICIOUS = 16; +} + +enum Severity { + option (yara.enum_options) = { + name: "GtiSeverity" + }; + + SEVERITY_UNKNOWN = 0; + SEVERITY_NONE = 4; + SEVERITY_LOW = 8; + SEVERITY_MEDIUM = 12; + SEVERITY_HIGH = 16; +} diff --git a/lib/src/modules/protos/vt/hunting_gti_score.proto b/lib/src/modules/protos/vt/hunting_gti_score.proto new file mode 100644 index 00000000..74bfab9d --- /dev/null +++ b/lib/src/modules/protos/vt/hunting_gti_score.proto @@ -0,0 +1,26 @@ +// THIS FILE IS GENERATED AUTOMATICALLY. DO NOT EDIT. +// LINT: LEGACY_NAMES + +syntax = "proto3"; + +package vt.hunting_gti_score; + +import "gti_score.proto"; + +message HuntingGtiVerdict { + vt.gti_score.Verdict value = 1; +} + +message HuntingGtiThreatScore { + int32 value = 1; +} + +message HuntingGtiSeverity { + vt.gti_score.Severity value = 1; +} + +message HuntingGtiScore { + HuntingGtiVerdict verdict = 1; + HuntingGtiThreatScore threat_score = 2; + HuntingGtiSeverity severity = 3; +} diff --git a/lib/src/modules/protos/vt/sandbox.proto b/lib/src/modules/protos/vt/sandbox.proto new file mode 100644 index 00000000..b2cdb6ff --- /dev/null +++ b/lib/src/modules/protos/vt/sandbox.proto @@ -0,0 +1,350 @@ +// THIS FILE IS GENERATED AUTOMATICALLY. DO NOT EDIT. +// LINT: LEGACY_NAMES + +syntax = "proto3"; + +package vt.fileanalysis; + +import "filetypes.proto"; +import "sigma.proto"; +import "tools/net_analysis.proto"; +import "yara.proto"; + +enum BehaviourTag { + option (yara.enum_options) = { + name: "BehaviourTrait" + }; + + UNKNOWN_BEHAVIOUR = 0; + DETECT_DEBUG_ENVIRONMENT = 1; + DIRECT_CPU_CLOCK_ACCESS = 2; + LONG_SLEEPS = 3; + SELF_DELETE = 4; + HOSTS_MODIFIER = 5; + INSTALLS_BROWSER_EXTENSION = 6; + PASSWORD_DIALOG = 7; + SUDO = 8; + PERSISTENCE = 9; + SENDS_SMS = 10; + CHECKS_GPS = 11; + FTP_COMMUNICATION = 12; + SSH_COMMUNICATION = 13; + TELNET_COMMUNICATION = 14; + SMTP_COMMUNICATION = 15; + MYSQL_COMMUNICATION = 26; + IRC_COMMUNICATION = 17; + SUSPICIOUS_DNS = 18; + SUSPICIOUS_UDP = 19; + BIG_UPSTREAM = 20; + TUNNELING = 21; + CRYPTO = 22; + TELEPHONY = 23; + RUNTIME_MODULES = 24; + REFLECTION = 25; + DECRYPTS_EXE = 27; + MACRO_ENVIRON = 28; + MACRO_OPEN_FILE = 29; + MACRO_WRITE_FILE = 30; + MACRO_HANDLE_FILE = 31; + MACRO_COPY_FILE = 32; + MACRO_CREATE_FILE = 33; + MACRO_RUN_FILE = 34; + MACRO_HIDE_APP = 35; + MACRO_POWERSHELL = 36; + MACRO_CREATE_DIR = 37; + MACRO_SAVE_WORKBOOK = 38; + MACRO_CREATE_OLE = 39; + MACRO_ENUM_WINDOWS = 40; + MACRO_RUN_DLL = 41; + MACRO_DOWNLOAD_URL = 42; + MACRO_SEND_KEYS = 43; + MACRO_REGISTRY = 44; + MACRO_ANTI_ANALYSIS = 45; + OBFUSCATED = 46; + CLIPBOARD = 47; + CHECKS_CPU_NAME = 48; + CHECKS_DISK_SPACE = 49; + CHECKS_MEMORY_AVAILABLE = 50; + CHECKS_HOSTNAME = 51; + CHECKS_NETWORK_ADAPTERS = 52; + CHECKS_BIOS = 53; + CHECKS_PCI_BUS = 54; + CHECKS_USB_BUS = 55; + EXECUTES_DROPPED_FILE = 56; + REPEATED_CLOCK_ACCESS = 57; + CHECKS_USER_INPUT = 58; + CALLS_WMI = 59; + EVAL_FUNCTION = 60; + IDLE = 61; + SERVICE_SCAN = 62; + LISTENS = 63; + SETS_PROCESS_NAME = 64; + QR_CODE = 65; +} + +enum VerdictTag { + option (yara.enum_options) = { + name: "BehaviourVerdict" + }; + + UNKNOWN_VERDICT = 0; + CLEAN = 1; + MALWARE = 2; + GREYWARE = 3; + RANSOM = 4; + PHISHING = 5; + BANKER = 6; + ADWARE = 7; + EXPLOIT = 8; + EVADER = 9; + RAT = 10; + TROJAN = 11; + SPREADER = 12; + STEALER = 13; +} + +enum ImpactSeverity { + IMPACT_SEVERITY_UNKNOWN = 0; + IMPACT_SEVERITY_INFO = 1; + IMPACT_SEVERITY_LOW = 2; + IMPACT_SEVERITY_MEDIUM = 3; + IMPACT_SEVERITY_HIGH = 4; +} + +message BehaviourSummary { + repeated string files_opened = 1; + repeated string files_written = 2; + repeated string files_deleted = 3; + repeated FileCopy files_copied = 4; + repeated string files_attribute_changed = 5; + repeated DroppedFile files_dropped = 6; + string hosts_file = 7; + repeated ProcessItem processes_list = 75; + repeated string processes_created = 9; + repeated string processes_terminated = 10; + repeated string processes_killed = 11; + repeated string processes_injected = 12; + repeated string command_executions = 13; + repeated string services_opened = 14; + repeated string services_created = 15; + repeated string services_started = 16; + repeated string services_stopped = 17; + repeated string services_deleted = 18; + repeated string services_bound = 19; + repeated string windows_searched = 20; + repeated string windows_hidden = 21; + repeated PermissionCheck permissions_checked = 22; + repeated string permissions_requested = 23; + repeated string mutexes_opened = 24; + repeated string mutexes_created = 25; + repeated string signals_observed = 26; + repeated string signals_hooked = 27; + repeated string modules_loaded = 28; + repeated string calls_highlighted = 29; + repeated string invokes = 30; + repeated string crypto_algorithms_observed = 31; + repeated string crypto_keys = 32; + repeated string crypto_plain_text = 33; + repeated string encoding_algorithms_observed = 34; + repeated string text_decoded = 35; + repeated string text_highlighted = 36; + repeated BehaviourTag tags = 37 [(yara.field_options) = { name: "traits" }]; + repeated string databases_opened = 55; + repeated string databases_deleted = 56; + repeated string registry_keys_opened = 38; + repeated KeyValue registry_keys_set = 39; + repeated string registry_keys_deleted = 40; + repeated string system_property_lookups = 41; + repeated KeyValue system_property_sets = 42; + repeated string shared_preferences_lookups = 43; + repeated KeyValue shared_preferences_sets = 44; + repeated string content_model_observers = 45; + repeated KeyValue content_model_sets = 46; + repeated string activities_started = 47; + repeated HttpConversation http_conversations = 48; + repeated DnsLookup dns_lookups = 49; + repeated IpTraffic ip_traffic = 50; + repeated Sms sms_sent = 51; + repeated VerdictTag verdicts = 52; + int32 verdict_confidence = 61; + repeated string verdict_labels = 65; + repeated string ja3_digests = 57; + repeated string memory_pattern_ips = 58; + repeated string memory_pattern_domains = 59; + repeated string memory_pattern_urls = 60; + repeated SmtpConversation smtp_conversations = 64; + repeated vt.tools.net_analysis.CrowdSourcedIdsResults ids_alerts = 68; + repeated TLS tls = 69; + repeated MitreAttackTechnique mitre_attack_techniques = 70; + repeated vt.sigma.SigmaMatch sigma_analysis_results = 71; + repeated SignatureMatch signature_matches = 72; + repeated MalwareBehaviorCatalog mbc = 74; +} + +message TLS { + map subject = 1; + map issuer = 2; + string serial_number = 3; + string thumbprint = 4; + string version = 5; + string sni = 6; + string ja3 = 7; + string ja3s = 8; + string ja4 = 10; +} + +message FileCopy { + string source = 1; + string destination = 2; +} + +message DroppedFile { + string path = 1; + string sha256 = 2; + vt.fileanalysis.FileType type = 3; + string download_url = 5; + string process_name = 6; + string process_id = 7; +} + +message PermissionCheck { + string permission = 1; + string owner = 2; +} + +message KeyValue { + string key = 1; + string value = 2; +} + +message HttpConversation { + enum RequestMethod { + option (yara.enum_options) = { + name: "Method" + }; + + UNKNOWN = 0; + GET = 1; + HEAD = 2; + POST = 3; + PUT = 4; + DELETE = 5; + TRACE = 6; + OPTIONS = 7; + CONNECT = 8; + PATCH = 9; + PROPFIND = 10; + SETUP = 11; + UNLOCK = 12; + } + + string url = 1; + vt.fileanalysis.HttpConversation.RequestMethod request_method = 2; + map request_headers = 3; + map response_headers = 4; + int32 response_status_code = 5; + vt.fileanalysis.FileType response_body_filetype = 6; + bytes response_body_first_ten_bytes = 7; +} + +message DnsLookup { + string hostname = 1; + repeated string resolved_ips = 2; + repeated string txt_records = 3; +} + +message IpTraffic { + enum TransportLayerProtocol { + option (yara.enum_options) = { + name: "Protocol" + }; + + UNKNOWN = 0; + ICMP = 1; + IGMP = 2; + TCP = 6; + UDP = 17; + ESP = 50; + AH = 51; + L2TP = 115; + SCTP = 132; + } + + string destination_ip = 1; + int32 destination_port = 2; + vt.fileanalysis.IpTraffic.TransportLayerProtocol transport_layer_protocol = 3; + int64 destination_ip_asn = 4; + int64 destination_ip_as_int = 5; +} + +message SmtpConversation { + string hostname = 1; + string destination_ip = 2; + uint32 destination_port = 3; + string smtp_from = 4; + repeated string smtp_to = 5; + repeated string message_from = 6; + repeated string message_to = 7; + repeated string message_cc = 8; + repeated string message_bcc = 9; + string timestamp = 10; + string subject = 11; + string html_body = 12; + string txt_body = 13; + string auth_user = 14; + string auth_pass = 15; + repeated KeyValue headers = 16; + repeated DroppedFile attachments = 17; + string x_mailer = 18; +} + +message Sms { + string destination = 1; + string body = 2; +} + +message SignatureMatch { + enum SignatureFormat { + SIG_FORMAT_UNKNOWN = 0; + SIG_FORMAT_YARA = 1; + SIG_FORMAT_SIGMA = 2; + SIG_FORMAT_CAPA = 3; + SIG_FORMAT_OPENIOC = 4; + SIG_FORMAT_KEYWORD = 5; + } + + string id = 1; + vt.fileanalysis.SignatureMatch.SignatureFormat format = 2; + string name = 3; + string description = 4; + repeated string authors = 5; + repeated string events = 6; + repeated string match_data = 7; + string rule_src = 8; + ImpactSeverity severity = 9; +} + +message MitreAttackTechnique { + string id = 1; + ImpactSeverity severity = 2; + string signature_description = 3; +} + +message MalwareBehaviorCatalog { + string id = 1; + string objective = 2; + string behavior = 3; + string method = 4; +} + +message ProcessItem { + string process_id = 1; + string parent_process_id = 2; + string name = 3; + uint64 start_time = 4; + uint64 termination_time = 5; + repeated string files_opened = 6; + repeated string files_written = 7; + repeated string files_deleted = 8; + repeated FileCopy files_copied = 9; +} diff --git a/lib/src/modules/protos/vt/sigma.proto b/lib/src/modules/protos/vt/sigma.proto new file mode 100644 index 00000000..3423dfdc --- /dev/null +++ b/lib/src/modules/protos/vt/sigma.proto @@ -0,0 +1,59 @@ +// THIS FILE IS GENERATED AUTOMATICALLY. DO NOT EDIT. +// LINT: LEGACY_NAMES + +syntax = "proto3"; + +package vt.sigma; + +import "filetypes.proto"; + +message SigmaMatch { + repeated SigmaMatchContext match_context = 1; + vt.sigma.SigmaRule.Level rule_level = 2; + string rule_id = 3; + string rule_source = 4; + string rule_title = 5; + string rule_description = 6; + string rule_author = 7; +} + +message SigmaMatchContext { + map values = 1; +} + +message SigmaRule { + enum Level { + unknown = 0; + low = 1; + medium = 2; + high = 3; + critical = 4; + } + + string rule = 1; + string title = 2; + LogSource log_source = 3; + string status = 4; + string description = 5; + repeated string references = 6; + repeated string fields = 7; + repeated string false_positives = 8; + vt.sigma.SigmaRule.Level level = 9; + string source = 10; + repeated string tags = 11; + Detection detection = 12; + string author = 13; + string source_url = 14; +} + +message LogSource { + string category = 1; + string product = 2; + string service = 3; + string definition = 4; +} + +message Detection { + string condition = 1; + map details = 2; +} diff --git a/lib/src/modules/protos/vt/submitter.proto b/lib/src/modules/protos/vt/submitter.proto new file mode 100644 index 00000000..a468aff1 --- /dev/null +++ b/lib/src/modules/protos/vt/submitter.proto @@ -0,0 +1,13 @@ +// THIS FILE IS GENERATED AUTOMATICALLY. DO NOT EDIT. +// LINT: LEGACY_NAMES + +syntax = "proto3"; + +package vt.submitter; + +import "yara.proto"; + +message Submitter { + string city = 6; + string country = 8; +} diff --git a/lib/src/modules/protos/vt/titan.proto b/lib/src/modules/protos/vt/titan.proto new file mode 100644 index 00000000..7f9a050d --- /dev/null +++ b/lib/src/modules/protos/vt/titan.proto @@ -0,0 +1,117 @@ +// THIS FILE IS GENERATED AUTOMATICALLY. DO NOT EDIT. +// LINT: LEGACY_NAMES + +syntax = "proto3"; + +package vt.titan; + +import "analysis.proto"; +import "filetypes.proto"; +import "hunting_gti_score.proto"; +import "sandbox.proto"; +import "submitter.proto"; +import "vtnet.proto"; +import "yara.proto"; + +option (yara.module_options) = { + name: "vt" + root_message: "vt.titan.LiveHuntData" + rust_module: "vt" +}; + +message LiveHuntData { + FileMetadata meta = 1 [(yara.field_options) = { + name: "metadata" + acl: [ { + error_title: "vt.metadata is supported only in rulesets matching against files" + error_label: "this field is supported for files only" + accept_if: [ "file" ] + } ] + }]; + vt.fileanalysis.BehaviourSummary behaviour = 2 [(yara.field_options) = { + acl: [ { + error_title: "vt.behaviour is supported only in rulesets matching against files" + error_label: "this field is supported for files only" + accept_if: [ "file" ] + } ] + }]; + vt.net.EnrichedNetloc net = 3 [(yara.field_options) = { + acl: [ { + error_title: "vt.net is not supported in rulesets matching against files" + error_label: "this field is not supported for files, consider using `vt.metadata.itw`" + accept_if: [ "url", "domain", "ip_address" ] + } ] + }]; +} + +message MainIcon { + string dhash = 1; + string raw_md5 = 2; +} + +message GoReSym { + message BuildInfo { + string path = 1; + map dependencies = 2; + map settings = 3; + } + + message Summary { + int64 num_user_functions = 1; + int64 num_std_functions = 2; + int64 num_interfaces = 3; + int64 num_types = 4; + int64 num_dependencies = 5; + } + + string version = 1; + string arch = 2; + string os = 3; + string build_id = 4; + vt.titan.GoReSym.BuildInfo build_info = 5; + vt.titan.GoReSym.Summary summary = 6; +} + +message FileMetadata { + string sha256 = 1; + string sha1 = 2; + string md5 = 3; + string ssdeep = 4; + string imphash = 5; + string vhash = 6; + string telfhash = 27; + string file_name = 7; + vt.fileanalysis.FileType file_type = 8; + int64 file_size = 9; + int32 times_submitted = 10; + bool new_file = 11; + repeated string tags = 12; + map signatures = 13; + vt.submitter.Submitter submitter = 15 [(yara.field_options) = { + acl: [ { + error_title: "vt.metadata.submitter is not supported in Retrohunt" + error_label: "this field is not supported in Retrohunt" + reject_if: [ "retrohunt" ] + } ] + }]; + bool subfile = 16; + int32 unique_sources = 17; + vt.analysis.AnalysisStats analysis_stats = 18; + string magic = 19; + repeated string file_type_tags = 20; + int64 first_submission_date = 22; + map exiftool = 25; + MainIcon main_icon = 26; + GoReSym goresym = 28; + repeated string malware_families = 30; + string tlsh = 31; + vt.net.EnrichedNetloc itw = 32; + vt.hunting_gti_score.HuntingGtiScore gti_assessment = 36 + [(yara.field_options) = { + acl: [ { + error_title: "unknown field or method `gti_assessment`" + error_label: "this field or method doesn't exist" + accept_if: [ "gti", "staff" ] + } ] + }]; +} diff --git a/lib/src/modules/protos/vt/vtnet.proto b/lib/src/modules/protos/vt/vtnet.proto new file mode 100644 index 00000000..dcea31c1 --- /dev/null +++ b/lib/src/modules/protos/vt/vtnet.proto @@ -0,0 +1,228 @@ +// THIS FILE IS GENERATED AUTOMATICALLY. DO NOT EDIT. +// LINT: LEGACY_NAMES + +syntax = "proto3"; + +package vt.net; + +import "analysis.proto"; +import "filetypes.proto"; +import "hunting_gti_score.proto"; +import "sandbox.proto"; +import "submitter.proto"; +import "yara.proto"; + +message Subject { + string common_name = 1; + string country = 2; + string organization = 3; + string organizational_unit = 4; + string locality = 5; + string state = 6; +} + +message Validity { + int64 not_after = 1; + int64 not_before = 2; +} + +message SSLCertificate { + string thumbprint = 1; + Subject subject = 2; + Validity validity = 3; + repeated string subject_alternative_name = 4; + string signature = 5; + string serial_number = 6; + Subject issuer = 7; +} + +message Tracker { + string name = 1; + string id = 2; + string url = 3; +} + +message DNSRecord { + string type = 2; + string dns_class = 3; + int64 ttl = 4; + string mname = 5; + string rname = 6; + int64 priority = 7; + int64 serial = 8; + int64 retry = 9; + int64 refresh = 10; + int64 expire = 11; + int64 minimum = 12; + string value = 13; +} + +message Favicon { + string raw_md5 = 1; + string dhash = 2; +} + +message KeyValue { + string key = 1; + repeated string values = 2; +} + +message FileMetadata { + string sha256 = 1; + bool new_for_vt = 3; + vt.analysis.AnalysisStats analysis_stats = 5; + vt.fileanalysis.FileType file_type = 6; + bool new_for_url = 7; + bool new_for_ip = 8; + bool new_for_domain = 9; + map signatures = 10; +} + +message ResourceFileMetadata { + string sha256 = 1; + vt.analysis.AnalysisStats analysis_stats = 2; + vt.fileanalysis.FileType file_type = 3; + bool new_for_url = 4; + map signatures = 5; +} + +message PopularityRank { + int64 position = 1; + int64 ingestion_time = 2; + string rank = 3; +} + +message EnrichedURL { + int64 port = 3; + repeated Tracker trackers = 4; + map response_headers = 5; + int64 number_of_response_headers = 33; + int64 response_code = 6; + map cookies = 7; + Favicon favicon = 8; + repeated string outgoing_links = 9; + repeated string redirects = 10; + string html_title = 11; + repeated KeyValue html_meta_tags = 12; + bool new_url = 17; + vt.analysis.AnalysisStats analysis_stats = 18; + int64 first_submission_date = 19; + map signatures = 20; + vt.submitter.Submitter submitter = 21; + repeated string tags = 24; + string query = 34; + map params = 25; + string path = 26; + string hostname = 27; + string raw = 28; + FileMetadata downloaded_file = 29; + FileMetadata communicating_file = 30; + repeated ResourceFileMetadata embedded_resources = 31; + map categories = 35; + vt.hunting_gti_score.HuntingGtiScore gti_assessment = 39 + [(yara.field_options) = { + acl: [ { + error_title: "unknown field or method `gti_assessment`" + error_label: "this field or method doesn't exist" + accept_if: [ "gti", "staff" ] + } ] + }]; +} + +message EnrichedIP { + map whois = 3; + string whois_raw = 22; + SSLCertificate https_certificate = 4; + string jarm = 5; + string ip_as_owner = 6; + int64 ip_asn = 7; + string ip_country = 8; + vt.analysis.AnalysisStats analysis_stats = 13; + map signatures = 14; + repeated string tags = 17; + string raw = 18; + FileMetadata downloaded_file = 19; + FileMetadata communicating_file = 20; + int64 ip_as_int = 23; + bool first_whois = 24 [(yara.field_options) = { + acl: [ { + error_title: "vt.net.ip.first_whois is supported in rulesets matching against IPs" + error_label: "this field is supported for IPs only" + accept_if: [ "ip_address" ] + } ] + }]; + bool new_whois = 25 [(yara.field_options) = { + acl: [ { + error_title: "vt.net.ip.new_whois is supported in rulesets matching against IPs" + error_label: "this field is supported for IPs only" + accept_if: [ "ip_address" ] + } ] + }]; + string reverse_lookup = 26; + vt.hunting_gti_score.HuntingGtiScore gti_assessment = 30 + [(yara.field_options) = { + acl: [ { + error_title: "unknown field or method `gti_assessment`" + error_label: "this field or method doesn't exist" + accept_if: [ "gti", "staff" ] + } ] + }]; +} + +message EnrichedDomain { + string raw = 18; + string root = 27; + map whois = 3; + string whois_raw = 26; + SSLCertificate https_certificate = 4; + string jarm = 5; + repeated DNSRecord dns_records = 6; + Favicon favicon = 7; + vt.analysis.AnalysisStats analysis_stats = 12; + map signatures = 13; + bool new_domain = 16; + repeated string tags = 17; + FileMetadata downloaded_file = 19; + FileMetadata communicating_file = 20; + bool first_whois = 21; + bool new_whois = 22; + bool first_resolution = 23; + bool new_resolution = 24; + map categories = 28; + repeated PopularityRank popularity_ranks = 30; + int64 number_of_popularity_ranks = 31; + repeated PopularityRank root_popularity_ranks = 32; + int64 number_of_root_popularity_ranks = 33; + vt.hunting_gti_score.HuntingGtiScore gti_assessment = 37 + [(yara.field_options) = { + acl: [ { + error_title: "unknown field or method `gti_assessment`" + error_label: "this field or method doesn't exist" + accept_if: [ "gti", "staff" ] + } ] + }]; +} + +message EnrichedNetloc { + EnrichedURL url = 1 [(yara.field_options) = { + acl: [ { + error_title: "vt.net.url is supported only in rulesets matching against URLs" + error_label: "this field is supported for URLs only" + accept_if: [ "url", "file" ] + } ] + }]; + EnrichedIP ip = 2 [(yara.field_options) = { + acl: [ { + error_title: "vt.net.ip is supported only in rulesets matching against URLs, domains or IPs" + error_label: "this field is supported for URLs, domains and IPs only" + accept_if: [ "url", "domain", "ip_address", "file" ] + } ] + }]; + EnrichedDomain domain = 3 [(yara.field_options) = { + acl: [ { + error_title: "vt.net.domain is supported only in rulesets matching against URLs or domains" + error_label: "this field is supported for URLs and domains only" + accept_if: [ "url", "domain", "file" ] + } ] + }]; +}