MISP
/
misp-rfc
mirror of https://github.com/MISP/misp-rfc
2
0
Fork 0
Code Issues Releases Wiki Activity

misp-noticelist-format - first draft [WiP]

pull/16/head
Deborah Servili 2018-06-05 12:21:50 +02:00
parent 37c1c14ad3
commit 143648a54d
1 changed files with 89 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
misp-noticelist-format/raw.md Normal file
View File

@ -0,0 +1,89 @@
% Title = "MISP noticelist format"
% abbrev = "MISP noticelist format"
% category = "info"
% docName = "draft-dulaunoy-misp-noticelist-format"
% ipr= "trust200902"
% area = "Security"
%
% date = 2018-04-01T00:00:00Z
%
% [[author]]
% initials="A."
% surname="Dulaunoy"
% fullname="Alexandre Dulaunoy"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "alexandre.dulaunoy@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"
% [[author]]
% initials="A."
% surname="Iklody"
% fullname="Andras Iklody"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "andras.iklody@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = " 16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"
% [[author]]
% initials="D."
% surname="Servili"
% fullname="Deborah Servili"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "deborah.servili@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = " 16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"
.# Abstract
This document describes the MISP noticelist format which describes a simple JSON format to represent list of elements
represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository [@?MISP-G] of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.
{mainmatter}
# Introduction
Sharing threat information became a fundamental requirements on the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. Therefore, there are still information that can not be shared freely to everyone, for several reasons, and it is essential for the user to have a way to know about which information he have to be cautious, as well as an easy way for administrators to give user a reminder of it.
MISP noticelist is a public repository of list of notices to show to the user about the information he uses or share.
## Conventions and Terminology
The key words "**MUST**", "**MUST NOT**", "**REQUIRED**", "**SHALL**", "**SHALL NOT**",
"**SHOULD**", "**SHOULD NOT**", "**RECOMMENDED**", "**MAY**", and "**OPTIONAL**" in this
document are to be interpreted as described in RFC 2119 [@!RFC2119].
# Format
Noticelist are represented as a JSON [@!RFC4627] dictionary.
## Overview
The MISP noticelist format uses the JSON [@!RFC4627] format. Each noticelist is represented as a JSON object with meta information including the following fields: name, expended_name, ref, geographical_area and notice.
name defines the name of the noticelist. It **MUST** match the name of the folder containing the list. The name is represented as a string and **MUST** be present. expended_name defines the full name of the noticelist. The expended_name is represented by a string and **MUST** be present. ref defines the references used to create the notice list. ref is represented as an array containing one or more references and **MUST** pe present. Each reference is a string and **MUST** be present. geographical_area defines the geographical area affected by this noticelist. geographical_area is represented as an array containing one or more descriptions of geographical area ans **SHOULD** be present. Each geographical area is a string and **SHOULD** be present.
notice is represented as an array containing one or more values and **MUST** be present. notice defines all values available in the noticelist.
## notice
The notice array contains one or more JSON objects which represent all the possible values in the noticelist. The JSON object contains five fields: scope,
field, value, tags and message.
scope is represented as an array containing one or more scopes to apply the notice ans **MUST** be present. Each scope is a string and **MUST** be present. field is represented as an array containing one or more fields to apply the notice ans **MUST** be present. Each field is a string and **MUST** be present. value is represented as an array containing one or more values and **MUST** be present. Each value is a string and **MUST** be present. tags is represented as an array containing one or more values and **MUST** be present. Each tag is a string and **MUST** be present. message is represented as a JSON dictionary containing one or more messages translated in different languages and **MUST** be present. Each element in the message dictionary is a couple name/value where the name designate a language and the value contains a string representing a message to display to the user. These elements **MUST** be present.