|
Protocol
|
The network communication protocol used, for example Transmission Control Protocol (TCP). Follow this link for a listing of protocols and their decimal equivalents (the IANA protocol numbers; TCP is 6, UDP is 17).
|
|
Port
|
The port number used by the application or noted during the network communications. Not all protocols use ports (ICMP, for instance, has none), so this field may be null. Keep in mind that a port can be
changed and that some programs use a range of ports. Where at all possible, enter the default port used by the application.
|
|
Application
|
The application that may have been used. For Remote Procedure Calls (RPC), the RPC program number is listed in this field.
|
|
Version
|
What version of the application or malware caused you to make this database entry? If it was the BioNET trojan, was it version 3.13 (Millenium Edition)?
|
|
Aliases
|
This field is used to identify another common name an application is known by. An example might be “Sub7” for the trojan “Sub Seven”.
|
|
Description
|
A description of the application or stimulus that caused the network traffic, and of the targeted application or operating system.
|
|
Files
|
Submit a list of the files found in the rootkit or application here, including file sizes and, where available, creation/modification dates.
|
|
Operating Systems
|
Enter the operating system affected; for instance, if the exploit only affects unpatched Solaris 2.6 distributions, note that here.
|
|
Dependencies
|
If the malware or application requires other software in order to run, enter it here. An example would be a worm that requires Perl in order to
propagate further after infecting the current host.
|
|
Registers
|
A largely Windows-specific field. What registry keys or values were created or modified by the application or malware?
|
|
Programmed In
|
What programming language was the application or malware written in, for example C or Pascal?
|
|
Source
|
Credit to the source of the database entry, or a contact that allows further follow-up on the topic. Common sources include individuals, the Internet Assigned Numbers Authority (IANA), trojan and malware lists maintained by other parties, and
lists of programs and their specifications from corporate entities and organizations. Information from major lists such as IANA's will be updated approximately every six months, as it does not
change drastically.
|
|
Source CVE
|
Correlation to the Common Vulnerabilities and Exposures (CVE) list maintained by MITRE. For example, CVE-1999-0009 would be entered if the entry related to the "Inverse query buffer overflow in BIND 4.9 and BIND 8 Releases".
|
|
Date of Entry
|
The date this entry was made into the database.
|
|
Log Type
|
Insert the name of the application that created this log, for instance "Apache web logs" or "Cisco PIX firewall logs".
|
|
Sample Logs
|
A sample of the traffic, or even the code that caused the network traffic. Traffic should be submitted in verbose mode; a hex and ASCII breakout (as produced by tcpdump -X, for instance) is the most useful. Higher
fidelity logs are more helpful. Only a sample is needed, so please submit only the relevant logs. Feel free to sanitize your logs prior to submission, for example by replacing your own IP addresses.
|
|
Country of Origin
|
If you have actually determined where the application was developed, or have a good guess, enter it here. For traffic-specific entries, the country of origin from a whois lookup on the source address is good
enough.
|
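The Protocol, Port, Source CVE and Sample Logs fields above each carry a rule that can be checked before an entry is submitted: the protocol maps to an IANA number, a port is only meaningful for port-based protocols (and may be a range), a CVE identifier has a fixed shape, and sample traffic should be sanitized and presented as a hex/ASCII breakout. The following is an added example of a pre-submission checker written for this page; it is not the database's own tooling. `PROTOCOL_NUMBERS` is a small constructed subset of the IANA protocol numbers, the `Entry` field names are assumptions, and the sample log line is constructed.

```python
"""Prepare and check a submission for the traffic/malware database fields above.

Added example, not the database's own tooling.  PROTOCOL_NUMBERS is a
constructed subset of the IANA protocol numbers; Entry field names and the
sample log line are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed subset of the IANA assigned Internet protocol numbers
# (the "decimal equivalent" the Protocol field asks for).
PROTOCOL_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17, "GRE": 47, "ESP": 50, "SCTP": 132}

# Only these transport protocols carry port numbers; any other protocol
# must have a null Port field.
PORT_BASED = {"TCP", "UDP", "SCTP"}

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def protocol_number(name: str) -> int:
    """Map a protocol name such as 'tcp' to its IANA protocol number."""
    try:
        return PROTOCOL_NUMBERS[name.strip().upper()]
    except KeyError:
        raise ValueError(f"unknown protocol {name!r}") from None


def parse_port(protocol: str, text: Optional[str]) -> Optional[Tuple[int, int]]:
    """Return (low, high) for a port or port range, or None for port-less protocols.

    A single port comes back as (port, port) so callers handle both shapes alike.
    """
    proto = protocol.strip().upper()
    if proto not in PORT_BASED:
        if text:
            raise ValueError(f"{proto} does not use ports; leave the Port field null")
        return None
    if not text:
        raise ValueError(f"{proto} entries need a port; use the application's default")
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"bad port specification {text!r}")
    low = int(m.group(1))
    high = int(m.group(2) or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port range {low}-{high} is out of bounds")
    return low, high


def check_cve(cve: Optional[str]) -> Optional[str]:
    """Normalise a CVE identifier (CVE-YYYY-NNNN...), or return None if absent."""
    if not cve:
        return None
    cve = cve.strip().upper()
    if not CVE_RE.fullmatch(cve):
        raise ValueError(f"malformed CVE identifier {cve!r}")
    return cve


def sanitize(text: str) -> str:
    """Replace IPv4 addresses with stable placeholders (<ip1>, <ip2>, ...).

    The same address always maps to the same placeholder, so a reader can still
    follow a conversation between hosts after sanitisation.
    """
    seen = {}

    def repl(m):
        ip = m.group(0)
        if ip not in seen:
            seen[ip] = f"<ip{len(seen) + 1}>"
        return seen[ip]

    return IPV4_RE.sub(repl, text)


def hexdump(data: bytes, width: int = 16) -> str:
    """Hex and ASCII breakout of raw bytes, one line per `width` bytes."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  {asc}")
    return "\n".join(lines)


@dataclass
class Entry:
    """The subset of the database fields that can be checked mechanically."""
    protocol: str
    port: Optional[str]
    application: str
    source_cve: Optional[str] = None
    sample_logs: str = ""

    def validated(self) -> dict:
        """Return the fields in submission form, raising ValueError on a bad entry."""
        clean_logs = sanitize(self.sample_logs)
        return {
            "protocol": self.protocol.strip().upper(),
            "protocol_number": protocol_number(self.protocol),
            "port": parse_port(self.protocol, self.port),
            "application": self.application,
            "source_cve": check_cve(self.source_cve),
            "sample_logs": clean_logs,
            "sample_hex": hexdump(clean_logs.encode()),
        }


if __name__ == "__main__":
    # Constructed sample log line, not real traffic.
    entry = Entry(protocol="udp", port="53", application="named",
                  source_cve="cve-1999-0009",
                  sample_logs="192.0.2.10 -> 198.51.100.5: inverse query, 512 bytes")
    for key, value in entry.validated().items():
        print(f"{key}:\n{value}" if key == "sample_hex" else f"{key}: {value}")
```

`parse_port` refuses a port on a port-less protocol rather than silently dropping it, because a port on an ICMP or GRE entry usually means the submitter confused the transport with the payload; `sanitize` keeps placeholders stable per address so the hex/ASCII breakout still shows which host said what.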