misp-core format RFC ascii output generated

pull/10/head
Alexandre Dulaunoy 2018-03-09 08:09:18 +01:00
parent 5da925324a
commit 26e4fc9588
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 155 additions and 155 deletions


@ -96,13 +96,13 @@ Table of Contents
4. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 41
4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 42
5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 44
6. Security Considerations . . . . . . . . . . . . . . . . . . . 44
5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 43
6. Security Considerations . . . . . . . . . . . . . . . . . . . 43
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 44
8. Sample MISP file . . . . . . . . . . . . . . . . . . . . . . 44
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
9.1. Normative References . . . . . . . . . . . . . . . . . . 44
9.2. Informative References . . . . . . . . . . . . . . . . . 45
9.2. Informative References . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45
@ -173,7 +173,8 @@ Internet-Draft MISP core format February 2018
2.2.1.2. id
id represents the human-readable identifier associated to the event
for a specific MISP instance.
for a specific MISP instance. A human-readable identifier MUST be
represented as an unsigned integer.
id is represented as a JSON string. id SHALL be present.
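Review bot: the added sentence "A human-readable identifier MUST be represented as an unsigned integer" sits directly above "id is represented as a JSON string", and the two requirements read as contradictory. Suggest stating the relationship explicitly, e.g. "id is represented as a JSON string containing the decimal representation of an unsigned integer", so implementers know whether to accept a JSON number, a string, or both; the same wording applies to every other identifier field this commit amends.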
@ -220,7 +221,6 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 4]
Internet-Draft MISP core format February 2018
@ -248,7 +248,7 @@ Internet-Draft MISP core format February 2018
date represents a reference date to the event in ISO 8601 format
(date only: YYYY-MM-DD). This date corresponds to the date the event
occured, which may be in the past.
occurred, which may be in the past.
date is represented as a JSON string. date MUST be present.
@ -267,16 +267,16 @@ Internet-Draft MISP core format February 2018
published on the instance. published_timestamp is expressed in
seconds (decimal) since 1st of January 1970 (Unix timestamp). At
each publication of an event, publish_timestamp MUST be updated. The
time zone MUST be UTC.
time zone MUST be UTC. If the published_timestamp is present and the
published flag is set to false, the publish_timestamp represents the
previous publication timestamp. If the event was never published,
the published_timestamp MUST be set to 0.
publish_timestamp is represented as a JSON string. publish_timestamp
MUST be present.
Dulaunoy & Iklody Expires August 13, 2018 [Page 5]
Internet-Draft MISP core format February 2018
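Review bot: the field name alternates between publish_timestamp and published_timestamp within one paragraph (the added sentences use published_timestamp twice and publish_timestamp once, while the closing "publish_timestamp is represented as a JSON string" uses publish_timestamp). Pick the one that matches the section heading and the JSON key and use it throughout; a validator written from this text would otherwise look for a key that does not exist.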
@ -285,7 +285,8 @@ Internet-Draft MISP core format February 2018
2.2.1.10. org_id
org_id represents a human-readable identifier referencing an Org
object of the organisation which generated the event.
object of the organisation which generated the event. A human-
readable identifier MUST be represented as an unsigned integer.
The org_id MUST be updated when the event is generated by a new
instance.
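Review bot: the sentence "A human-readable identifier MUST be represented as an unsigned integer" is being pasted into every identifier section in this commit; consider defining "human-readable identifier" once in the conventions section and having each field refer to it, so a later change (for example widening the type or requiring a minimum value) is made in one place. It is also worth stating the width: "unsigned integer" with no range leaves 32-bit versus 64-bit open to implementations.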
@ -297,7 +298,7 @@ Internet-Draft MISP core format February 2018
orgc_id represents a human-readable identifier referencing an Orgc
object of the organisation which created the event.
The orgc_id and Orc object MUST be preserved for any updates or
The orgc_id and Org object MUST be preserved for any updates or
transfer of the same event.
orgc_id is represented as a JSON string. orgc_id MUST be present.
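Review bot: the fix changes "Orc object" to "Org object", but the preceding sentence says orgc_id references an "Orgc object", while org_id in 2.2.1.10 is the field that references the "Org object". If the intent is that the creator organisation is preserved across updates and transfers, this should read "Orgc object"; otherwise the two sentences point at different objects.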
@ -329,7 +330,6 @@ Internet-Draft MISP core format February 2018
Connected Communities
3
All Communities
@ -338,6 +338,8 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 6]
Internet-Draft MISP core format February 2018
All Communities
4
Sharing Group
@ -345,7 +347,8 @@ Internet-Draft MISP core format February 2018
sharing_group_id represents a human-readable identifier referencing a
Sharing Group object that defines the distribution of the event, if
distribution level "4" is set.
distribution level "4" is set. A human-readable identifier MUST be
represented as an unsigned integer.
sharing_group_id is represented by a JSON string and SHOULD be
present. If a distribution level other than "4" is chosen the
@ -363,7 +366,8 @@ Internet-Draft MISP core format February 2018
The name is a readable description of the organisation and SHOULD be
present. The id is a human-readable identifier generated by the
instance and used as reference in the event.
instance and used as reference in the event. A human-readable
identifier MUST be represented as an unsigned integer.
uuid, name and id are represented as a JSON string. uuid, name and id
MUST be present.
@ -382,10 +386,6 @@ Internet-Draft MISP core format February 2018
The uuid MUST be preserved for any updates or transfer of the same
event. UUID version 4 is RECOMMENDED when assigning it to a new
event. The organisation UUID is globally assigned to an organisation
and SHALL be kept overtime.
@ -394,9 +394,13 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 7]
Internet-Draft MISP core format February 2018
event. The organisation UUID is globally assigned to an organisation
and SHALL be kept overtime.
The name is a readable description of the organisation and SHOULD be
present. The id is a human-readable identifier generated by the
instance and used as reference in the event.
instance and used as reference in the event. A human-readable
identifier MUST be represented as an unsigned integer.
uuid, name and id are represented as a JSON string. uuid, name and id
MUST be present.
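Review bot: the context line "and SHALL be kept overtime" should read "kept over time"; "overtime" means extra working hours. Since this hunk already rewraps the paragraph, the correction can ride along with it.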
@ -434,6 +438,18 @@ Internet-Draft MISP core format February 2018
2.4.2. Attribute Attributes
Dulaunoy & Iklody Expires August 13, 2018 [Page 8]
Internet-Draft MISP core format February 2018
2.4.2.1. uuid
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
@ -443,17 +459,11 @@ Internet-Draft MISP core format February 2018
uuid is represented as a JSON string. uuid MUST be present.
Dulaunoy & Iklody Expires August 13, 2018 [Page 8]
Internet-Draft MISP core format February 2018
2.4.2.2. id
id represents the human-readable identifier associated to the event
for a specific MISP instance.
for a specific MISP instance. A human-readable identifier MUST be
represented as an unsigned integer.
id is represented as a JSON string. id SHALL be present.
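Review bot: section 2.4.2.2 describes the Attribute id, but the text still says "identifier associated to the event"; this was copied from 2.2.1.2 and should say "associated to the attribute". The same "unsigned integer" versus "JSON string" tension noted for 2.2.1.2 applies here.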
@ -488,6 +498,14 @@ Internet-Draft MISP core format February 2018
email-dst, email-subject, email-attachment, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, yara, attachment, malware-
sample, link, malware-type, mime-type, comment, text,
Dulaunoy & Iklody Expires August 13, 2018 [Page 9]
Internet-Draft MISP core format February 2018
vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-
src|port, hostname|port, email-dst-display-name, email-src-
display-name, email-header, email-reply-to, email-x-mailer, email-
@ -498,14 +516,6 @@ Internet-Draft MISP core format February 2018
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
filename|sha1, filename|sha224, filename|sha256, filename|sha384,
Dulaunoy & Iklody Expires August 13, 2018 [Page 9]
Internet-Draft MISP core format February 2018
filename|sha512, filename|sha512/224, filename|sha512/256,
filename|authentihash, filename|ssdeep, filename|tlsh,
filename|imphash, filename|impfuzzy, filename|pehash, regkey,
@ -544,6 +554,14 @@ Internet-Draft MISP core format February 2018
whois-registrant-email, whois-registrant-name, whois-registrar,
whois-creation-date, comment, text, x509-fingerprint-sha1, other
Dulaunoy & Iklody Expires August 13, 2018 [Page 10]
Internet-Draft MISP core format February 2018
External analysis
md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
@ -553,15 +571,6 @@ Internet-Draft MISP core format February 2018
github-repository, other
Financial fraud
Dulaunoy & Iklody Expires August 13, 2018 [Page 10]
Internet-Draft MISP core format February 2018
btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn,
phone-number, comment, text, other, hex
@ -600,15 +609,6 @@ Internet-Draft MISP core format February 2018
and it MUST be a valid selection for the chosen type. The list of
valid category-type combinations is mentioned above.
2.4.2.5. to_ids
to_ids represents whether the attribute is meant to be actionable.
Actionable defined attributes that can be used in automated processes
as a pattern for detection in Local or Network Intrusion Detection
System, log analysis tools or even filtering mechanisms.
to_ids is represented as a JSON boolean. to_ids MUST be present.
@ -618,10 +618,20 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 11]
Internet-Draft MISP core format February 2018
2.4.2.5. to_ids
to_ids represents whether the attribute is meant to be actionable.
Actionable defined attributes that can be used in automated processes
as a pattern for detection in Local or Network Intrusion Detection
System, log analysis tools or even filtering mechanisms.
to_ids is represented as a JSON boolean. to_ids MUST be present.
2.4.2.6. event_id
event_id represents a human-readable identifier referencing the Event
object that the attribute belongs to.
object that the attribute belongs to. A human-readable identifier
MUST be represented as an unsigned integer.
The event_id SHOULD be updated when the event is imported to reflect
the newly created event's id on the instance.
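Review bot: the moved to_ids paragraph carries a sentence with no main verb, "Actionable defined attributes that can be used in automated processes ...". Suggest "Actionable attributes are defined as attributes that can be used in automated processes as a pattern for detection in host or network intrusion detection systems, log analysis tools or filtering mechanisms." Separately, "event_id SHOULD be updated when the event is imported" describes receiver behaviour; consider either making it a MUST or stating when a receiver may keep the foreign id, since a stale event_id breaks the attribute-to-event link on the importing instance.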
@ -655,16 +665,6 @@ Internet-Draft MISP core format February 2018
5
Inherit Event
2.4.2.8. timestamp
timestamp represents a reference time when the attribute was created
or last modified. timestamp is expressed in seconds (decimal) since
1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
timestamp is represented as a JSON string. timestamp MUST be present.
@ -674,6 +674,14 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 12]
Internet-Draft MISP core format February 2018
2.4.2.8. timestamp
timestamp represents a reference time when the attribute was created
or last modified. timestamp is expressed in seconds (decimal) since
1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
timestamp is represented as a JSON string. timestamp MUST be present.
2.4.2.9. comment
comment is a contextual comment field.
@ -684,7 +692,8 @@ Internet-Draft MISP core format February 2018
sharing_group_id represents a human-readable identifier referencing a
Sharing Group object that defines the distribution of the attribute,
if distribution level "4" is set.
if distribution level "4" is set. A human-readable identifier MUST
be represented as an unsigned integer.
sharing_group_id is represented by a JSON string and SHOULD be
present. If a distribution level other than "4" is chosen the
@ -713,15 +722,6 @@ Internet-Draft MISP core format February 2018
RelatedAttribute is an array of attributes correlating with the
current attribute. Each element in the array represents an JSON
object which contains an Attribute dictionnary with the external
attributes who correlate. Each Attribute MUST include the id,
org_id, info and a value. Only the correlations found on the local
instance are shown in RelatedAttribute.
RelatedAttribute MAY be present.
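Review bot: the moved RelatedAttribute text has three wording errors: "an JSON object" should be "a JSON object", "dictionnary" should be "dictionary", and "the external attributes who correlate" should be "the external attributes that correlate". The sentence "Only the correlations found on the local instance are shown in RelatedAttribute" is the important caveat for consumers; consider placing it at the start of the paragraph so RelatedAttribute is not read as authoritative across instances.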
@ -730,6 +730,12 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 13]
Internet-Draft MISP core format February 2018
attributes who correlate. Each Attribute MUST include the id,
org_id, info and a value. Only the correlations found on the local
instance are shown in RelatedAttribute.
RelatedAttribute MAY be present.
2.4.2.14. ShadowAttribute
ShadowAttribute is an array of shadow attributes that serve as
@ -775,12 +781,6 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 14]
Internet-Draft MISP core format February 2018
@ -821,9 +821,9 @@ Internet-Draft MISP core format February 2018
2.5.2.2. id
id represents the human-readable identifier associated to the event
for a specific MISP instance.
id is represented as a JSON string. id SHALL be present.
for a specific MISP instance. human-readable identifier MUST be
represented as an unsigned integer. id is represented as a JSON
string. id SHALL be present.
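Review bot: two problems in 2.5.2.2. First, the added sentence drops the article: "human-readable identifier MUST be" should be "A human-readable identifier MUST be", matching every other section. Second, the hunk merges "id is represented as a JSON string. id SHALL be present." into the description paragraph, whereas every other section keeps the representation statement as a separate paragraph; keep it separate for consistency. The description also still says "associated to the event" although this is the ShadowAttribute id.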
2.5.2.3. type
@ -1037,7 +1037,8 @@ Internet-Draft MISP core format February 2018
2.5.2.10. org_id
org_id represents a human-readable identifier referencing the
proposal creator's Organisation object.
proposal creator's Organisation object. A human-readable identifier
MUST be represented as an unsigned integer.
Whilst attributes can only be created by the event creator
organisation, shadow attributes can be created by third parties.
@ -1060,7 +1061,6 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 19]
Internet-Draft MISP core format February 2018
@ -1094,7 +1094,8 @@ Internet-Draft MISP core format February 2018
The name is a readable description of the organization and SHOULD be
present. The id is a human-readable identifier generated by the
instance and used as reference in the event.
instance and used as reference in the event. A human-readable
identifier MUST be represented as an unsigned integer.
uuid, name and id are represented as a JSON string. uuid, name and id
MUST be present.
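Review bot: "readable description of the organization" uses the American spelling while the rest of the document (for example 2.2.1.10 and 2.2.1.11) uses "organisation"; pick one spelling and apply it throughout.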
@ -1116,7 +1117,6 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 20]
Internet-Draft MISP core format February 2018
@ -1237,7 +1237,8 @@ Internet-Draft MISP core format February 2018
2.6.2.2. id
id represents the human-readable identifier associated to the object
for a specific MISP instance.
for a specific MISP instance. A human-readable identifier MUST be
represented as an unsigned integer.
id is represented as a JSON string. id SHALL be present.
@ -1284,7 +1285,6 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 23]
Internet-Draft MISP core format February 2018
@ -1293,7 +1293,8 @@ Internet-Draft MISP core format February 2018
2.6.2.8. event_id
event_id represents the human-readable identifier of the event that
the object belongs to on a specific MISP instance.
the object belongs to on a specific MISP instance. A human-readable
identifier MUST be represented as an unsigned integer.
event_id is represented as a JSON string. event_id SHALL be present.
@ -1333,11 +1334,10 @@ Internet-Draft MISP core format February 2018
sharing_group_id represents a human-readable identifier referencing a
Sharing Group object that defines the distribution of the object, if
distribution level "4" is set.
distribution level "4" is set. A human-readable identifier MUST be
represented as an unsigned integer.
sharing_group_id is represented by a JSON string and SHOULD be
present. If a distribution level other than "4" is chosen the
sharing_group_id MUST be set to "0".
@ -1346,6 +1346,10 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 24]
Internet-Draft MISP core format February 2018
sharing_group_id is represented by a JSON string and SHOULD be
present. If a distribution level other than "4" is chosen the
sharing_group_id MUST be set to "0".
2.6.2.12. comment
comment is a contextual comment field.
@ -1393,10 +1397,6 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 25]
Internet-Draft MISP core format February 2018
@ -1444,7 +1444,8 @@ Internet-Draft MISP core format February 2018
2.7.2.4. object_id
object_id represents the human-readable identifier of the object that
the object reference belongs to on a specific MISP instance.
the object reference belongs to on a specific MISP instance. A
human-readable identifier MUST be represented as an unsigned integer.
event_id is represented as a JSON string. event_id SHALL be present.
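Review bot: section 2.7.2.4 defines object_id, but the closing sentence reads "event_id is represented as a JSON string. event_id SHALL be present." This is a copy of 2.7.2.5 and should say object_id in both places; as written the text never states that object_id is mandatory or how it is represented.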
@ -1452,7 +1453,6 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 26]
Internet-Draft MISP core format February 2018
@ -1461,7 +1461,8 @@ Internet-Draft MISP core format February 2018
2.7.2.5. event_id
event_id represents the human-readable identifier of the event that
the object reference belongs to on a specific MISP instance.
the object reference belongs to on a specific MISP instance. A
human-readable identifier MUST be represented as an unsigned integer.
event_id is represented as a JSON string. event_id SHALL be present.
@ -1508,7 +1509,6 @@ Internet-Draft MISP core format February 2018
Dulaunoy & Iklody Expires August 13, 2018 [Page 27]
Internet-Draft MISP core format February 2018
@ -1616,8 +1616,8 @@ Internet-Draft MISP core format February 2018
org_id represents the human-readable identifier of the organisation
which did the sighting and belongs to a specific MISP instance.
A human-readable identifier MUST be represented as an unsigned
integer.
@ -2317,49 +2317,18 @@ Internet-Draft MISP core format February 2018
If a detached PGP signature is used for each MISP event, a detached
PGP signature is a MUST to ensure integrity of the manifest file. A
detached PGP signature for a manifest file is a manifest.json.pgp
detached PGP signature for a manifest file is a manifest.json.asc
file containing the PGP signature.
4.1.1. Sample Manifest
Dulaunoy & Iklody Expires August 13, 2018 [Page 42]
Internet-Draft MISP core format February 2018
{
"57c6ac4c-c60c-4f79-a38f-b666950d210f": {
"info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
"Orgc": {
"id": "2",
"name": "CIRCL"
"name": "CIRCL",
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
},
"analysis": "0",
"Tag": [
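Review bot: renaming the detached signature from manifest.json.pgp to manifest.json.asc is the right choice for an ASCII-armored signature, but the sentence should say so ("an ASCII-armored detached PGP signature"), since .asc and .pgp differ in encoding and a verifier needs to know which to expect. "a detached PGP signature is a MUST to ensure integrity" reads better as "a detached PGP signature MUST be provided to ensure integrity". The added comma after "name": "CIRCL" fixes what was invalid JSON in the sample manifest; worth running the whole sample through a JSON parser before publishing so the rest of it is checked the same way.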
@ -2377,6 +2346,14 @@ Internet-Draft MISP core format February 2018
"threat_level_id": "3"
},
"5720accd-dd28-45f8-80e5-4605950d210f": {
Dulaunoy & Iklody Expires August 13, 2018 [Page 42]
Internet-Draft MISP core format February 2018
"info": "Malspam 2016-04-27 - Locky",
"Orgc": {
"id": "2",
@ -2403,13 +2380,6 @@ Internet-Draft MISP core format February 2018
}
}
Dulaunoy & Iklody Expires August 13, 2018 [Page 43]
Internet-Draft MISP core format February 2018
5. Implementation
MISP format is implemented by different software including the MISP
@ -2431,6 +2401,15 @@ Internet-Draft MISP core format February 2018
inputs beside the standard threat information that might already
include malicious intended inputs.
Dulaunoy & Iklody Expires August 13, 2018 [Page 43]
Internet-Draft MISP core format February 2018
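Review bot: "malicious intended inputs" in the Security Considerations should read "maliciously crafted inputs" or "inputs with malicious intent"; as it stands the phrase is ungrammatical in the paragraph implementers are most likely to quote.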
7. Acknowledgements
The authors wish to thank all the MISP community who are supporting
@ -2457,15 +2436,6 @@ Internet-Draft MISP core format February 2018
DOI 10.17487/RFC4627, July 2006, <https://www.rfc-
editor.org/info/rfc4627>.
Dulaunoy & Iklody Expires August 13, 2018 [Page 44]
Internet-Draft MISP core format February 2018
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
Thayer, "OpenPGP Message Format", RFC 4880,
DOI 10.17487/RFC4880, November 2007, <https://www.rfc-
@ -2488,6 +2458,14 @@ Internet-Draft MISP core format February 2018
[MISP-T] MISP, , "MISP Taxonomies - shared and common vocabularies
of tags", <https://github.com/MISP/misp-taxonomies>.
Dulaunoy & Iklody Expires August 13, 2018 [Page 44]
Internet-Draft MISP core format February 2018
Authors' Addresses
Alexandre Dulaunoy
@ -2517,4 +2495,26 @@ Authors' Addresses
Dulaunoy & Iklody Expires August 13, 2018 [Page 45]