mirror of https://github.com/MISP/misp-rfc
misp-core format RFC ascii output generated
parent
5da925324a
commit
26e4fc9588
|
@ -96,13 +96,13 @@ Table of Contents
|
||||||
4. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 41
|
4. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 41
|
||||||
4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 41
|
4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 41
|
||||||
4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 42
|
4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 42
|
||||||
5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 44
|
5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 43
|
||||||
6. Security Considerations . . . . . . . . . . . . . . . . . . . 44
|
6. Security Considerations . . . . . . . . . . . . . . . . . . . 43
|
||||||
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 44
|
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 44
|
||||||
8. Sample MISP file . . . . . . . . . . . . . . . . . . . . . . 44
|
8. Sample MISP file . . . . . . . . . . . . . . . . . . . . . . 44
|
||||||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
|
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 44
|
||||||
9.1. Normative References . . . . . . . . . . . . . . . . . . 44
|
9.1. Normative References . . . . . . . . . . . . . . . . . . 44
|
||||||
9.2. Informative References . . . . . . . . . . . . . . . . . 45
|
9.2. Informative References . . . . . . . . . . . . . . . . . 44
|
||||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45
|
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45
|
||||||
|
|
||||||
|
|
||||||
|
@ -173,7 +173,8 @@ Internet-Draft MISP core format February 2018
|
||||||
2.2.1.2. id
|
2.2.1.2. id
|
||||||
|
|
||||||
id represents the human-readable identifier associated to the event
|
id represents the human-readable identifier associated to the event
|
||||||
for a specific MISP instance.
|
for a specific MISP instance. A human-readable identifier MUST be
|
||||||
|
represented as an unsigned integer.
|
||||||
|
|
||||||
id is represented as a JSON string. id SHALL be present.
|
id is represented as a JSON string. id SHALL be present.
|
||||||
|
|
||||||
|
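Review bot: the new sentence "A human-readable identifier MUST be represented as an unsigned integer." sits directly above the unchanged "id is represented as a JSON string. id SHALL be present.", and the two read as competing requirements on the same field. State the relationship explicitly, for example "id is an unsigned integer serialised as a JSON string (decimal digits only)", so an implementer knows whether a bare JSON number is acceptable. Since the same sentence is pasted verbatim into every id, org_id, event_id, object_id and sharing_group_id section in this commit, consider defining "human-readable identifier" once in the conventions section and referring to that definition from each field instead of repeating it.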
@ -220,7 +221,6 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 4]
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 4]
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
@ -248,7 +248,7 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
date represents a reference date to the event in ISO 8601 format
|
date represents a reference date to the event in ISO 8601 format
|
||||||
(date only: YYYY-MM-DD). This date corresponds to the date the event
|
(date only: YYYY-MM-DD). This date corresponds to the date the event
|
||||||
occured, which may be in the past.
|
occurred, which may be in the past.
|
||||||
|
|
||||||
date is represented as a JSON string. date MUST be present.
|
date is represented as a JSON string. date MUST be present.
|
||||||
|
|
||||||
|
@ -267,16 +267,16 @@ Internet-Draft MISP core format February 2018
|
||||||
published on the instance. published_timestamp is expressed in
|
published on the instance. published_timestamp is expressed in
|
||||||
seconds (decimal) since 1st of January 1970 (Unix timestamp). At
|
seconds (decimal) since 1st of January 1970 (Unix timestamp). At
|
||||||
each publication of an event, publish_timestamp MUST be updated. The
|
each publication of an event, publish_timestamp MUST be updated. The
|
||||||
time zone MUST be UTC.
|
time zone MUST be UTC. If the published_timestamp is present and the
|
||||||
|
published flag is set to false, the publish_timestamp represents the
|
||||||
|
previous publication timestamp. If the event was never published,
|
||||||
|
the published_timestamp MUST be set to 0.
|
||||||
|
|
||||||
publish_timestamp is represented as a JSON string. publish_timestamp
|
publish_timestamp is represented as a JSON string. publish_timestamp
|
||||||
MUST be present.
|
MUST be present.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 5]
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 5]
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
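Review bot: the added text uses two names for one field: the new lines say "published_timestamp" three times, while the unchanged lines of the same paragraph and the normative sentence "publish_timestamp is represented as a JSON string." say "publish_timestamp". Pick one (publish_timestamp is the name the section actually defines) before this lands, otherwise a reader cannot tell whether two distinct fields are meant. Also, "the published_timestamp MUST be set to 0." should use the quoted form "0", matching the JSON string representation stated two lines below and the convention already used for sharing_group_id.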
@ -285,7 +285,8 @@ Internet-Draft MISP core format February 2018
|
||||||
2.2.1.10. org_id
|
2.2.1.10. org_id
|
||||||
|
|
||||||
org_id represents a human-readable identifier referencing an Org
|
org_id represents a human-readable identifier referencing an Org
|
||||||
object of the organisation which generated the event.
|
object of the organisation which generated the event. A human-
|
||||||
|
readable identifier MUST be represented as an unsigned integer.
|
||||||
|
|
||||||
The org_id MUST be updated when the event is generated by a new
|
The org_id MUST be updated when the event is generated by a new
|
||||||
instance.
|
instance.
|
||||||
|
@ -297,7 +298,7 @@ Internet-Draft MISP core format February 2018
|
||||||
orgc_id represents a human-readable identifier referencing an Orgc
|
orgc_id represents a human-readable identifier referencing an Orgc
|
||||||
object of the organisation which created the event.
|
object of the organisation which created the event.
|
||||||
|
|
||||||
The orgc_id and Orc object MUST be preserved for any updates or
|
The orgc_id and Org object MUST be preserved for any updates or
|
||||||
transfer of the same event.
|
transfer of the same event.
|
||||||
|
|
||||||
orgc_id is represented as a JSON string. orgc_id MUST be present.
|
orgc_id is represented as a JSON string. orgc_id MUST be present.
|
||||||
|
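Review bot: the typo fix "Orc object" to "Org object" in the orgc_id section looks like the wrong correction. The paragraph above reads "referencing an Orgc object", so "Orc" was most likely a truncated "Orgc", and the rule concerns preserving the creator organisation, not the Org object. Suggest "The orgc_id and Orgc object MUST be preserved for any updates or transfer of the same event."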
@ -329,7 +330,6 @@ Internet-Draft MISP core format February 2018
|
||||||
Connected Communities
|
Connected Communities
|
||||||
|
|
||||||
3
|
3
|
||||||
All Communities
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -338,6 +338,8 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 6]
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
All Communities
|
||||||
|
|
||||||
4
|
4
|
||||||
Sharing Group
|
Sharing Group
|
||||||
|
|
||||||
|
@ -345,7 +347,8 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
sharing_group_id represents a human-readable identifier referencing a
|
sharing_group_id represents a human-readable identifier referencing a
|
||||||
Sharing Group object that defines the distribution of the event, if
|
Sharing Group object that defines the distribution of the event, if
|
||||||
distribution level "4" is set.
|
distribution level "4" is set. A human-readable identifier MUST be
|
||||||
|
represented as an unsigned integer.
|
||||||
|
|
||||||
sharing_group_id is represented by a JSON string and SHOULD be
|
sharing_group_id is represented by a JSON string and SHOULD be
|
||||||
present. If a distribution level other than "4" is chosen the
|
present. If a distribution level other than "4" is chosen the
|
||||||
|
@ -363,7 +366,8 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
The name is a readable description of the organisation and SHOULD be
|
The name is a readable description of the organisation and SHOULD be
|
||||||
present. The id is a human-readable identifier generated by the
|
present. The id is a human-readable identifier generated by the
|
||||||
instance and used as reference in the event.
|
instance and used as reference in the event. A human-readable
|
||||||
|
identifier MUST be represented as an unsigned integer.
|
||||||
|
|
||||||
uuid, name and id are represented as a JSON string. uuid, name and id
|
uuid, name and id are represented as a JSON string. uuid, name and id
|
||||||
MUST be present.
|
MUST be present.
|
||||||
|
@ -382,10 +386,6 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
The uuid MUST be preserved for any updates or transfer of the same
|
The uuid MUST be preserved for any updates or transfer of the same
|
||||||
event. UUID version 4 is RECOMMENDED when assigning it to a new
|
event. UUID version 4 is RECOMMENDED when assigning it to a new
|
||||||
event. The organisation UUID is globally assigned to an organisation
|
|
||||||
and SHALL be kept overtime.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -394,9 +394,13 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 7]
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
event. The organisation UUID is globally assigned to an organisation
|
||||||
|
and SHALL be kept overtime.
|
||||||
|
|
||||||
The name is a readable description of the organisation and SHOULD be
|
The name is a readable description of the organisation and SHOULD be
|
||||||
present. The id is a human-readable identifier generated by the
|
present. The id is a human-readable identifier generated by the
|
||||||
instance and used as reference in the event.
|
instance and used as reference in the event. A human-readable
|
||||||
|
identifier MUST be represented as an unsigned integer.
|
||||||
|
|
||||||
uuid, name and id are represented as a JSON string. uuid, name and id
|
uuid, name and id are represented as a JSON string. uuid, name and id
|
||||||
MUST be present.
|
MUST be present.
|
||||||
|
@ -434,6 +438,18 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
2.4.2. Attribute Attributes
|
2.4.2. Attribute Attributes
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 8]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
2.4.2.1. uuid
|
2.4.2.1. uuid
|
||||||
|
|
||||||
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
|
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
|
||||||
|
@ -443,17 +459,11 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
uuid is represented as a JSON string. uuid MUST be present.
|
uuid is represented as a JSON string. uuid MUST be present.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 8]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
|
||||||
|
|
||||||
|
|
||||||
2.4.2.2. id
|
2.4.2.2. id
|
||||||
|
|
||||||
id represents the human-readable identifier associated to the event
|
id represents the human-readable identifier associated to the event
|
||||||
for a specific MISP instance.
|
for a specific MISP instance. A human-readable identifier MUST be
|
||||||
|
represented as an unsigned integer.
|
||||||
|
|
||||||
id is represented as a JSON string. id SHALL be present.
|
id is represented as a JSON string. id SHALL be present.
|
||||||
|
|
||||||
|
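Review bot: in 2.4.2.2 the sentence "id represents the human-readable identifier associated to the event for a specific MISP instance." is copied from the Event section, but this is the Attribute object's id, so it should say "associated to the attribute"; the new unsigned-integer sentence is appended to a description that points at the wrong object. The 2.5.2.2 ShadowAttribute id section further down has the same copied wording.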
@ -488,6 +498,14 @@ Internet-Draft MISP core format February 2018
|
||||||
email-dst, email-subject, email-attachment, url, user-agent, AS,
|
email-dst, email-subject, email-attachment, url, user-agent, AS,
|
||||||
pattern-in-file, pattern-in-traffic, yara, attachment, malware-
|
pattern-in-file, pattern-in-traffic, yara, attachment, malware-
|
||||||
sample, link, malware-type, mime-type, comment, text,
|
sample, link, malware-type, mime-type, comment, text,
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 9]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-
|
vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-
|
||||||
src|port, hostname|port, email-dst-display-name, email-src-
|
src|port, hostname|port, email-dst-display-name, email-src-
|
||||||
display-name, email-header, email-reply-to, email-x-mailer, email-
|
display-name, email-header, email-reply-to, email-x-mailer, email-
|
||||||
|
@ -498,14 +516,6 @@ Internet-Draft MISP core format February 2018
|
||||||
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
|
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
|
||||||
ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
|
ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
|
||||||
filename|sha1, filename|sha224, filename|sha256, filename|sha384,
|
filename|sha1, filename|sha224, filename|sha256, filename|sha384,
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 9]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
|
||||||
|
|
||||||
|
|
||||||
filename|sha512, filename|sha512/224, filename|sha512/256,
|
filename|sha512, filename|sha512/224, filename|sha512/256,
|
||||||
filename|authentihash, filename|ssdeep, filename|tlsh,
|
filename|authentihash, filename|ssdeep, filename|tlsh,
|
||||||
filename|imphash, filename|impfuzzy, filename|pehash, regkey,
|
filename|imphash, filename|impfuzzy, filename|pehash, regkey,
|
||||||
|
@ -544,6 +554,14 @@ Internet-Draft MISP core format February 2018
|
||||||
whois-registrant-email, whois-registrant-name, whois-registrar,
|
whois-registrant-email, whois-registrant-name, whois-registrar,
|
||||||
whois-creation-date, comment, text, x509-fingerprint-sha1, other
|
whois-creation-date, comment, text, x509-fingerprint-sha1, other
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 10]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
External analysis
|
External analysis
|
||||||
md5, sha1, sha256, filename, filename|md5, filename|sha1,
|
md5, sha1, sha256, filename, filename|md5, filename|sha1,
|
||||||
filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
|
filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
|
||||||
|
@ -553,15 +571,6 @@ Internet-Draft MISP core format February 2018
|
||||||
github-repository, other
|
github-repository, other
|
||||||
|
|
||||||
Financial fraud
|
Financial fraud
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 10]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
|
||||||
|
|
||||||
|
|
||||||
btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn,
|
btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn,
|
||||||
phone-number, comment, text, other, hex
|
phone-number, comment, text, other, hex
|
||||||
|
|
||||||
|
@ -600,15 +609,6 @@ Internet-Draft MISP core format February 2018
|
||||||
and it MUST be a valid selection for the chosen type. The list of
|
and it MUST be a valid selection for the chosen type. The list of
|
||||||
valid category-type combinations is mentioned above.
|
valid category-type combinations is mentioned above.
|
||||||
|
|
||||||
2.4.2.5. to_ids
|
|
||||||
|
|
||||||
to_ids represents whether the attribute is meant to be actionable.
|
|
||||||
Actionable defined attributes that can be used in automated processes
|
|
||||||
as a pattern for detection in Local or Network Intrusion Detection
|
|
||||||
System, log analysis tools or even filtering mechanisms.
|
|
||||||
|
|
||||||
to_ids is represented as a JSON boolean. to_ids MUST be present.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -618,10 +618,20 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 11]
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
2.4.2.5. to_ids
|
||||||
|
|
||||||
|
to_ids represents whether the attribute is meant to be actionable.
|
||||||
|
Actionable defined attributes that can be used in automated processes
|
||||||
|
as a pattern for detection in Local or Network Intrusion Detection
|
||||||
|
System, log analysis tools or even filtering mechanisms.
|
||||||
|
|
||||||
|
to_ids is represented as a JSON boolean. to_ids MUST be present.
|
||||||
|
|
||||||
2.4.2.6. event_id
|
2.4.2.6. event_id
|
||||||
|
|
||||||
event_id represents a human-readable identifier referencing the Event
|
event_id represents a human-readable identifier referencing the Event
|
||||||
object that the attribute belongs to.
|
object that the attribute belongs to. A human-readable identifier
|
||||||
|
MUST be represented as an unsigned integer.
|
||||||
|
|
||||||
The event_id SHOULD be updated when the event is imported to reflect
|
The event_id SHOULD be updated when the event is imported to reflect
|
||||||
the newly created event's id on the instance.
|
the newly created event's id on the instance.
|
||||||
|
@ -655,16 +665,6 @@ Internet-Draft MISP core format February 2018
|
||||||
5
|
5
|
||||||
Inherit Event
|
Inherit Event
|
||||||
|
|
||||||
2.4.2.8. timestamp
|
|
||||||
|
|
||||||
timestamp represents a reference time when the attribute was created
|
|
||||||
or last modified. timestamp is expressed in seconds (decimal) since
|
|
||||||
1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
|
|
||||||
|
|
||||||
timestamp is represented as a JSON string. timestamp MUST be present.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -674,6 +674,14 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 12]
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
2.4.2.8. timestamp
|
||||||
|
|
||||||
|
timestamp represents a reference time when the attribute was created
|
||||||
|
or last modified. timestamp is expressed in seconds (decimal) since
|
||||||
|
1st of January 1970 (Unix timestamp). The time zone MUST be UTC.
|
||||||
|
|
||||||
|
timestamp is represented as a JSON string. timestamp MUST be present.
|
||||||
|
|
||||||
2.4.2.9. comment
|
2.4.2.9. comment
|
||||||
|
|
||||||
comment is a contextual comment field.
|
comment is a contextual comment field.
|
||||||
|
@ -684,7 +692,8 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
sharing_group_id represents a human-readable identifier referencing a
|
sharing_group_id represents a human-readable identifier referencing a
|
||||||
Sharing Group object that defines the distribution of the attribute,
|
Sharing Group object that defines the distribution of the attribute,
|
||||||
if distribution level "4" is set.
|
if distribution level "4" is set. A human-readable identifier MUST
|
||||||
|
be represented as an unsigned integer.
|
||||||
|
|
||||||
sharing_group_id is represented by a JSON string and SHOULD be
|
sharing_group_id is represented by a JSON string and SHOULD be
|
||||||
present. If a distribution level other than "4" is chosen the
|
present. If a distribution level other than "4" is chosen the
|
||||||
|
@ -713,15 +722,6 @@ Internet-Draft MISP core format February 2018
|
||||||
RelatedAttribute is an array of attributes correlating with the
|
RelatedAttribute is an array of attributes correlating with the
|
||||||
current attribute. Each element in the array represents an JSON
|
current attribute. Each element in the array represents an JSON
|
||||||
object which contains an Attribute dictionnary with the external
|
object which contains an Attribute dictionnary with the external
|
||||||
attributes who correlate. Each Attribute MUST include the id,
|
|
||||||
org_id, info and a value. Only the correlations found on the local
|
|
||||||
instance are shown in RelatedAttribute.
|
|
||||||
|
|
||||||
RelatedAttribute MAY be present.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -730,6 +730,12 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 13]
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
attributes who correlate. Each Attribute MUST include the id,
|
||||||
|
org_id, info and a value. Only the correlations found on the local
|
||||||
|
instance are shown in RelatedAttribute.
|
||||||
|
|
||||||
|
RelatedAttribute MAY be present.
|
||||||
|
|
||||||
2.4.2.14. ShadowAttribute
|
2.4.2.14. ShadowAttribute
|
||||||
|
|
||||||
ShadowAttribute is an array of shadow attributes that serve as
|
ShadowAttribute is an array of shadow attributes that serve as
|
||||||
|
@ -775,12 +781,6 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 14]
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 14]
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
@ -821,9 +821,9 @@ Internet-Draft MISP core format February 2018
|
||||||
2.5.2.2. id
|
2.5.2.2. id
|
||||||
|
|
||||||
id represents the human-readable identifier associated to the event
|
id represents the human-readable identifier associated to the event
|
||||||
for a specific MISP instance.
|
for a specific MISP instance. human-readable identifier MUST be
|
||||||
|
represented as an unsigned integer. id is represented as a JSON
|
||||||
id is represented as a JSON string. id SHALL be present.
|
string. id SHALL be present.
|
||||||
|
|
||||||
2.5.2.3. type
|
2.5.2.3. type
|
||||||
|
|
||||||
|
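Review bot: the sentence added in 2.5.2.2 drops its article: "for a specific MISP instance. human-readable identifier MUST be" should begin "A human-readable identifier MUST be", matching the wording this commit adds everywhere else. While here, the surrounding description says the shadow attribute's id is "associated to the event"; it should refer to the shadow attribute.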
@ -1037,7 +1037,8 @@ Internet-Draft MISP core format February 2018
|
||||||
2.5.2.10. org_id
|
2.5.2.10. org_id
|
||||||
|
|
||||||
org_id represents a human-readable identifier referencing the
|
org_id represents a human-readable identifier referencing the
|
||||||
proposal creator's Organisation object.
|
proposal creator's Organisation object. A human-readable identifier
|
||||||
|
MUST be represented as an unsigned integer.
|
||||||
|
|
||||||
Whilst attributes can only be created by the event creator
|
Whilst attributes can only be created by the event creator
|
||||||
organisation, shadow attributes can be created by third parties.
|
organisation, shadow attributes can be created by third parties.
|
||||||
|
@ -1060,7 +1061,6 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 19]
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 19]
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
@ -1094,7 +1094,8 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
The name is a readable description of the organization and SHOULD be
|
The name is a readable description of the organization and SHOULD be
|
||||||
present. The id is a human-readable identifier generated by the
|
present. The id is a human-readable identifier generated by the
|
||||||
instance and used as reference in the event.
|
instance and used as reference in the event. A human-readable
|
||||||
|
identifier MUST be represented as an unsigned integer.
|
||||||
|
|
||||||
uuid, name and id are represented as a JSON string. uuid, name and id
|
uuid, name and id are represented as a JSON string. uuid, name and id
|
||||||
MUST be present.
|
MUST be present.
|
||||||
|
@ -1116,7 +1117,6 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 20]
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 20]
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
@ -1237,7 +1237,8 @@ Internet-Draft MISP core format February 2018
|
||||||
2.6.2.2. id
|
2.6.2.2. id
|
||||||
|
|
||||||
id represents the human-readable identifier associated to the object
|
id represents the human-readable identifier associated to the object
|
||||||
for a specific MISP instance.
|
for a specific MISP instance. A human-readable identifier MUST be
|
||||||
|
represented as an unsigned integer.
|
||||||
|
|
||||||
id is represented as a JSON string. id SHALL be present.
|
id is represented as a JSON string. id SHALL be present.
|
||||||
|
|
||||||
|
@ -1284,7 +1285,6 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 23]
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 23]
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
@ -1293,7 +1293,8 @@ Internet-Draft MISP core format February 2018
|
||||||
2.6.2.8. event_id
|
2.6.2.8. event_id
|
||||||
|
|
||||||
event_id represents the human-readable identifier of the event that
|
event_id represents the human-readable identifier of the event that
|
||||||
the object belongs to on a specific MISP instance.
|
the object belongs to on a specific MISP instance. A human-readable
|
||||||
|
identifier MUST be represented as an unsigned integer.
|
||||||
|
|
||||||
event_id is represented as a JSON string. event_id SHALL be present.
|
event_id is represented as a JSON string. event_id SHALL be present.
|
||||||
|
|
||||||
|
@ -1333,11 +1334,10 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
sharing_group_id represents a human-readable identifier referencing a
|
sharing_group_id represents a human-readable identifier referencing a
|
||||||
Sharing Group object that defines the distribution of the object, if
|
Sharing Group object that defines the distribution of the object, if
|
||||||
distribution level "4" is set.
|
distribution level "4" is set. A human-readable identifier MUST be
|
||||||
|
represented as an unsigned integer.
|
||||||
|
|
||||||
|
|
||||||
sharing_group_id is represented by a JSON string and SHOULD be
|
|
||||||
present. If a distribution level other than "4" is chosen the
|
|
||||||
sharing_group_id MUST be set to "0".
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -1346,6 +1346,10 @@ Dulaunoy & Iklody Expires August 13, 2018 [Page 24]
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
sharing_group_id is represented by a JSON string and SHOULD be
|
||||||
|
present. If a distribution level other than "4" is chosen the
|
||||||
|
sharing_group_id MUST be set to "0".
|
||||||
|
|
||||||
2.6.2.12. comment
|
2.6.2.12. comment
|
||||||
|
|
||||||
comment is a contextual comment field.
|
comment is a contextual comment field.
|
||||||
|
@ -1393,10 +1397,6 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 25]
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 25]
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
@ -1444,7 +1444,8 @@ Internet-Draft MISP core format February 2018
|
||||||
2.7.2.4. object_id
|
2.7.2.4. object_id
|
||||||
|
|
||||||
object_id represents the human-readable identifier of the object that
|
object_id represents the human-readable identifier of the object that
|
||||||
the object reference belongs to on a specific MISP instance.
|
the object reference belongs to on a specific MISP instance. A
|
||||||
|
human-readable identifier MUST be represented as an unsigned integer.
|
||||||
|
|
||||||
event_id is represented as a JSON string. event_id SHALL be present.
|
event_id is represented as a JSON string. event_id SHALL be present.
|
||||||
|
|
||||||
|
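Review bot: while editing 2.7.2.4 object_id, note that the unchanged closing sentence "event_id is represented as a JSON string. event_id SHALL be present." names the wrong field; it should read "object_id is represented as a JSON string. object_id SHALL be present." The same sentence appears correctly in 2.7.2.5 event_id, which is where it was evidently copied from.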
@ -1452,7 +1453,6 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 26]
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 26]
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
@ -1461,7 +1461,8 @@ Internet-Draft MISP core format February 2018
|
||||||
2.7.2.5. event_id
|
2.7.2.5. event_id
|
||||||
|
|
||||||
event_id represents the human-readable identifier of the event that
|
event_id represents the human-readable identifier of the event that
|
||||||
the object reference belongs to on a specific MISP instance.
|
the object reference belongs to on a specific MISP instance. A
|
||||||
|
human-readable identifier MUST be represented as an unsigned integer.
|
||||||
|
|
||||||
event_id is represented as a JSON string. event_id SHALL be present.
|
event_id is represented as a JSON string. event_id SHALL be present.
|
||||||
|
|
||||||
|
@ -1508,7 +1509,6 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 27]
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 27]
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
Internet-Draft MISP core format February 2018
|
||||||
|
@ -1616,8 +1616,8 @@ Internet-Draft MISP core format February 2018
|
||||||
org_id represents the human-readable identifier of the organisation
|
org_id represents the human-readable identifier of the organisation
|
||||||
which did the sighting and belongs to a specific MISP instance.
|
which did the sighting and belongs to a specific MISP instance.
|
||||||
|
|
||||||
|
A human-readable identifier MUST be represented as an unsigned
|
||||||
|
integer.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
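Review bot: in the sighting org_id section the unsigned-integer requirement is inserted as a separate paragraph after a blank line, whereas every other section touched by this commit appends it to the description paragraph ("... on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer."). Join it to the preceding paragraph, or apply the separate-paragraph layout uniformly, so the rendered draft is consistent.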
@ -2317,49 +2317,18 @@ Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
If a detached PGP signature is used for each MISP event, a detached
|
If a detached PGP signature is used for each MISP event, a detached
|
||||||
PGP signature is a MUST to ensure integrity of the manifest file. A
|
PGP signature is a MUST to ensure integrity of the manifest file. A
|
||||||
detached PGP signature for a manifest file is a manifest.json.pgp
|
detached PGP signature for a manifest file is a manifest.json.asc
|
||||||
file containing the PGP signature.
|
file containing the PGP signature.
|
||||||
|
|
||||||
4.1.1. Sample Manifest
|
4.1.1. Sample Manifest
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 42]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
|
||||||
|
|
||||||
|
|
||||||
{
|
{
|
||||||
"57c6ac4c-c60c-4f79-a38f-b666950d210f": {
|
"57c6ac4c-c60c-4f79-a38f-b666950d210f": {
|
||||||
"info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
|
"info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
|
||||||
"Orgc": {
|
"Orgc": {
|
||||||
"id": "2",
|
"id": "2",
|
||||||
"name": "CIRCL"
|
"name": "CIRCL",
|
||||||
|
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||||||
},
|
},
|
||||||
"analysis": "0",
|
"analysis": "0",
|
||||||
"Tag": [
|
"Tag": [
|
||||||
|
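Review bot: renaming the detached signature from "manifest.json.pgp" to "manifest.json.asc" implies an ASCII-armored signature (the .asc convention), but the sentence still only says "file containing the PGP signature". State the encoding explicitly, e.g. "an ASCII-armored detached signature as defined in [RFC4880]" (already cited in the references), so producers and verifiers agree on armored versus binary output; otherwise a verifier that receives a binary signature under an .asc name will reject the manifest. Separately, the added "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" in the first event's Orgc brings the sample in line with the rule that uuid, name and id MUST be present; make sure the second event's Orgc block ("5720accd-dd28-45f8-80e5-4605950d210f") receives the same field so the sample manifest stays internally consistent.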
@ -2377,6 +2346,14 @@ Internet-Draft MISP core format February 2018
|
||||||
"threat_level_id": "3"
|
"threat_level_id": "3"
|
||||||
},
|
},
|
||||||
"5720accd-dd28-45f8-80e5-4605950d210f": {
|
"5720accd-dd28-45f8-80e5-4605950d210f": {
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 42]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
"info": "Malspam 2016-04-27 - Locky",
|
"info": "Malspam 2016-04-27 - Locky",
|
||||||
"Orgc": {
|
"Orgc": {
|
||||||
"id": "2",
|
"id": "2",
|
||||||
|
@ -2403,13 +2380,6 @@ Internet-Draft MISP core format February 2018
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 43]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
|
||||||
|
|
||||||
|
|
||||||
5. Implementation
|
5. Implementation
|
||||||
|
|
||||||
MISP format is implemented by different software including the MISP
|
MISP format is implemented by different software including the MISP
|
||||||
|
@ -2431,6 +2401,15 @@ Internet-Draft MISP core format February 2018
|
||||||
inputs beside the standard threat information that might already
|
inputs beside the standard threat information that might already
|
||||||
include malicious intended inputs.
|
include malicious intended inputs.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 43]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
7. Acknowledgements
|
7. Acknowledgements
|
||||||
|
|
||||||
The authors wish to thank all the MISP community who are supporting
|
The authors wish to thank all the MISP community who are supporting
|
||||||
|
@ -2457,15 +2436,6 @@ Internet-Draft MISP core format February 2018
|
||||||
DOI 10.17487/RFC4627, July 2006, <https://www.rfc-
|
DOI 10.17487/RFC4627, July 2006, <https://www.rfc-
|
||||||
editor.org/info/rfc4627>.
|
editor.org/info/rfc4627>.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 44]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format February 2018
|
|
||||||
|
|
||||||
|
|
||||||
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
|
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
|
||||||
Thayer, "OpenPGP Message Format", RFC 4880,
|
Thayer, "OpenPGP Message Format", RFC 4880,
|
||||||
DOI 10.17487/RFC4880, November 2007, <https://www.rfc-
|
DOI 10.17487/RFC4880, November 2007, <https://www.rfc-
|
||||||
|
@ -2488,6 +2458,14 @@ Internet-Draft MISP core format February 2018
|
||||||
[MISP-T] MISP, , "MISP Taxonomies - shared and common vocabularies
|
[MISP-T] MISP, , "MISP Taxonomies - shared and common vocabularies
|
||||||
of tags", <https://github.com/MISP/misp-taxonomies>.
|
of tags", <https://github.com/MISP/misp-taxonomies>.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 44]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format February 2018
|
||||||
|
|
||||||
|
|
||||||
Authors' Addresses
|
Authors' Addresses
|
||||||
|
|
||||||
Alexandre Dulaunoy
|
Alexandre Dulaunoy
|
||||||
|
@ -2517,4 +2495,26 @@ Authors' Addresses
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires August 13, 2018 [Page 45]
|
Dulaunoy & Iklody Expires August 13, 2018 [Page 45]
|
||||||
|
|