2016-10-01 12:18:59 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Network Working Group M. Dulaunoy
|
|
|
|
|
Internet-Draft CIRCL
|
|
|
|
|
Intended status: Informational October 1, 2016
|
|
|
|
|
Expires: April 4, 2017
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
MISP core format
|
|
|
|
|
draft-dulaunoy-misp-core-format
|
|
|
|
|
|
|
|
|
|
Abstract
|
|
|
|
|
|
|
|
|
|
This document describes the MISP core format used to exchange
|
|
|
|
|
indicators and threat information between MISP (Malware Information
|
|
|
|
|
and threat Sharing Platform) instances. The JSON format includes the
|
|
|
|
|
overall structure along with the semantic associated for each
|
|
|
|
|
respective key. The format is described to support other
|
|
|
|
|
implementations which reuse the format and ensuring an
|
|
|
|
|
interoperability with existing MISP [MISP-P] software and other
|
2016-10-01 12:47:20 +02:00
|
|
|
|
Threat Intelligence Platforms.
|
2016-10-01 12:18:59 +02:00
|
|
|
|
|
|
|
|
|
Status of This Memo
|
|
|
|
|
|
|
|
|
|
This Internet-Draft is submitted in full conformance with the
|
|
|
|
|
provisions of BCP 78 and BCP 79.
|
|
|
|
|
|
|
|
|
|
Internet-Drafts are working documents of the Internet Engineering
|
|
|
|
|
Task Force (IETF). Note that other groups may also distribute
|
|
|
|
|
working documents as Internet-Drafts. The list of current Internet-
|
|
|
|
|
Drafts is at http://datatracker.ietf.org/drafts/current/.
|
|
|
|
|
|
|
|
|
|
Internet-Drafts are draft documents valid for a maximum of six months
|
|
|
|
|
and may be updated, replaced, or obsoleted by other documents at any
|
|
|
|
|
time. It is inappropriate to use Internet-Drafts as reference
|
|
|
|
|
material or to cite them other than as "work in progress."
|
|
|
|
|
|
|
|
|
|
This Internet-Draft will expire on April 4, 2017.
|
|
|
|
|
|
|
|
|
|
Copyright Notice
|
|
|
|
|
|
|
|
|
|
Copyright (c) 2016 IETF Trust and the persons identified as the
|
|
|
|
|
document authors. All rights reserved.
|
|
|
|
|
|
|
|
|
|
This document is subject to BCP 78 and the IETF Trust's Legal
|
|
|
|
|
Provisions Relating to IETF Documents
|
|
|
|
|
(http://trustee.ietf.org/license-info) in effect on the date of
|
|
|
|
|
publication of this document. Please review these documents
|
|
|
|
|
carefully, as they describe your rights and restrictions with respect
|
|
|
|
|
to this document. Code Components extracted from this document must
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Dulaunoy Expires April 4, 2017 [Page 1]
|
|
|
|
|
|
|
|
|
|
Internet-Draft MISP core format October 2016
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
include Simplified BSD License text as described in Section 4.e of
|
|
|
|
|
the Trust Legal Provisions and are provided without warranty as
|
|
|
|
|
described in the Simplified BSD License.
|
|
|
|
|
|
|
|
|
|
Table of Contents
|
|
|
|
|
|
|
|
|
|
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
|
|
|
|
|
2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
|
|
|
|
|
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 2
|
|
|
|
|
2.2. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 2
|
|
|
|
|
3. References . . . . . . . . . . . . . . . . . . . . . . . . . 2
|
2016-10-01 12:47:20 +02:00
|
|
|
|
3.1. Normative References . . . . . . . . . . . . . . . . . . 3
|
2016-10-01 12:18:59 +02:00
|
|
|
|
3.2. Informative References . . . . . . . . . . . . . . . . . 3
|
|
|
|
|
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 3
|
|
|
|
|
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 3
|
|
|
|
|
|
|
|
|
|
1. Introduction
|
|
|
|
|
|
|
|
|
|
Sharing threat information became a fundamental requirements in the
|
|
|
|
|
Internet, security and intelligence community at large. Threat
|
|
|
|
|
information can include indicators of compromise, malicious file
|
|
|
|
|
indicators, financial fraud indicators or even detailed information
|
|
|
|
|
about a threat actor. MISP started as an open source project in late
|
2016-10-01 12:47:20 +02:00
|
|
|
|
2011 and the MISP format started to be widely used as an exchange
|
|
|
|
|
format within the community in the past years. The aim of this
|
|
|
|
|
document is to describe the specification and the MISP core format.
|
2016-10-01 12:18:59 +02:00
|
|
|
|
|
|
|
|
|
2. Format
|
|
|
|
|
|
|
|
|
|
2.1. Overview
|
|
|
|
|
|
|
|
|
|
The MISP core format is in the JSON [RFC4627] format. In MISP, an
|
|
|
|
|
event is composed of a single JSON object.
|
|
|
|
|
|
|
|
|
|
2.2. Event
|
|
|
|
|
|
2016-10-01 12:47:20 +02:00
|
|
|
|
An event is a simple meta structure scheme where attributes and meta-
|
|
|
|
|
data are embedded to compose a coherent set of indicators. An event
|
|
|
|
|
can be composed from an incident, a security analysis report or a
|
|
|
|
|
specific threat actor analysis. The meaning of an event only depends
|
|
|
|
|
of the information embedded in the event.
|
2016-10-01 12:18:59 +02:00
|
|
|
|
|
|
|
|
|
3. References
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Dulaunoy Expires April 4, 2017 [Page 2]
|
|
|
|
|
|
|
|
|
|
Internet-Draft MISP core format October 2016
|
|
|
|
|
|
|
|
|
|
|
2016-10-01 12:47:20 +02:00
|
|
|
|
3.1. Normative References
|
|
|
|
|
|
|
|
|
|
[RFC4627] Crockford, D., "The application/json Media Type for
|
|
|
|
|
JavaScript Object Notation (JSON)", RFC 4627,
|
|
|
|
|
DOI 10.17487/RFC4627, July 2006,
|
|
|
|
|
<http://www.rfc-editor.org/info/rfc4627>.
|
|
|
|
|
|
2016-10-01 12:18:59 +02:00
|
|
|
|
3.2. Informative References
|
|
|
|
|
|
|
|
|
|
[MISP-P] MISP, , "MISP Project - Malware Information Sharing
|
|
|
|
|
Platform and Threat Sharing", <https://github.com/MISP>.
|
|
|
|
|
|
|
|
|
|
Appendix A. Acknowledgements
|
|
|
|
|
|
|
|
|
|
The authors wish to thank all the MISP community to support the
|
|
|
|
|
creation of open standards in threat intelligence sharing.
|
|
|
|
|
|
|
|
|
|
Author's Address
|
|
|
|
|
|
|
|
|
|
Alexandre Dulaunoy
|
|
|
|
|
Computer Incident Response Center Luxembourg
|
|
|
|
|
41, avenue de la gare
|
|
|
|
|
Luxembourg L-1611
|
|
|
|
|
Luxembourg
|
|
|
|
|
|
|
|
|
|
Phone: +352 247 88444
|
|
|
|
|
Email: alexandre.dulaunoy@circl.lu
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Dulaunoy Expires April 4, 2017 [Page 3]
|