mirror of https://github.com/MISP/misp-rfc
chg: [misp-core] updated to the latest version
parent
45fd0e0c94
commit
5c4002750b
|
@ -9,7 +9,7 @@ submissiontype = "independent"
|
|||
|
||||
[seriesInfo]
|
||||
name = "Internet-Draft"
|
||||
value = "draft-16"
|
||||
value = "draft-17"
|
||||
stream = "independent"
|
||||
status = "informational"
|
||||
|
||||
|
|
|
@ -15,7 +15,7 @@ respective key. The format is described to support other implementations which r
|
|||
format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms.
|
||||
" name="description">
|
||||
<meta content="xml2rfc 3.12.1" name="generator">
|
||||
<meta content="draft-00" name="ietf.draft">
|
||||
<meta content="draft-17" name="ietf.draft">
|
||||
<!-- Generator version information:
|
||||
xml2rfc 3.12.1
|
||||
Python 3.8.10
|
||||
|
@ -24,16 +24,16 @@ format and ensuring an interoperability with existing MISP software and other
|
|||
google-i18n-address 2.5.0
|
||||
html5lib 1.1
|
||||
intervaltree 3.1.0
|
||||
Jinja2 2.11.3
|
||||
Jinja2 3.1.2
|
||||
kitchen 1.2.6
|
||||
lxml 4.7.1
|
||||
lxml 4.9.2
|
||||
pycairo 1.16.2
|
||||
pycountry 22.1.10
|
||||
pycountry 22.3.5
|
||||
pyflakes 2.4.0
|
||||
PyYAML 5.4.1
|
||||
requests 2.24.0
|
||||
setuptools 45.2.0
|
||||
six 1.15.0
|
||||
PyYAML 6.0
|
||||
requests 2.31.0
|
||||
setuptools 68.1.2
|
||||
six 1.16.0
|
||||
-->
|
||||
<link href="raw.md.xml" rel="alternate" type="application/rfc+xml">
|
||||
<link href="#copyright" rel="license">
|
||||
|
@ -1190,11 +1190,11 @@ li > p:last-of-type {
|
|||
<thead><tr>
|
||||
<td class="left">Internet-Draft</td>
|
||||
<td class="center">MISP core format</td>
|
||||
<td class="right">February 2022</td>
|
||||
<td class="right">December 2023</td>
|
||||
</tr></thead>
|
||||
<tfoot><tr>
|
||||
<td class="left">Dulaunoy & Iklody</td>
|
||||
<td class="center">Expires 18 August 2022</td>
|
||||
<td class="center">Expires 26 June 2024</td>
|
||||
<td class="right">[Page]</td>
|
||||
</tr></tfoot>
|
||||
</table>
|
||||
|
@ -1204,15 +1204,15 @@ li > p:last-of-type {
|
|||
<dt class="label-workgroup">Workgroup:</dt>
|
||||
<dd class="workgroup">Network Working Group</dd>
|
||||
<dt class="label-internet-draft">Internet-Draft:</dt>
|
||||
<dd class="internet-draft">draft-00</dd>
|
||||
<dd class="internet-draft">draft-17</dd>
|
||||
<dt class="label-published">Published:</dt>
|
||||
<dd class="published">
|
||||
<time datetime="2022-02-14" class="published">14 February 2022</time>
|
||||
<time datetime="2023-12-24" class="published">24 December 2023</time>
|
||||
</dd>
|
||||
<dt class="label-intended-status">Intended Status:</dt>
|
||||
<dd class="intended-status">Informational</dd>
|
||||
<dt class="label-expires">Expires:</dt>
|
||||
<dd class="expires"><time datetime="2022-08-18">18 August 2022</time></dd>
|
||||
<dd class="expires"><time datetime="2024-06-26">26 June 2024</time></dd>
|
||||
<dt class="label-authors">Authors:</dt>
|
||||
<dd class="authors">
|
||||
<div class="author">
|
||||
|
@ -1254,7 +1254,7 @@ format and ensuring an interoperability with existing MISP <span>[<a href="#MISP
|
|||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
|
||||
<p id="section-boilerplate.1-4">
|
||||
This Internet-Draft will expire on 18 August 2022.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
|
||||
This Internet-Draft will expire on 26 June 2024.<a href="#section-boilerplate.1-4" class="pilcrow">¶</a></p>
|
||||
</section>
|
||||
</div>
|
||||
<div id="copyright">
|
||||
|
@ -1263,7 +1263,7 @@ format and ensuring an interoperability with existing MISP <span>[<a href="#MISP
|
|||
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
|
||||
</h2>
|
||||
<p id="section-boilerplate.2-1">
|
||||
Copyright (c) 2022 IETF Trust and the persons identified as the
|
||||
Copyright (c) 2023 IETF Trust and the persons identified as the
|
||||
document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
|
||||
<p id="section-boilerplate.2-2">
|
||||
This document is subject to BCP 78 and the IETF Trust's Legal
|
||||
|
@ -1856,11 +1856,11 @@ represented as an unsigned integer.<a href="#section-2.3.2.2-1" class="pilcrow">
|
|||
</dd>
|
||||
<dd class="break"></dd>
|
||||
<dt id="section-2.3.2.3-3.17">Payload delivery</dt>
|
||||
<dd style="margin-left: 1.5em" id="section-2.3.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.3.2.3-3.18" class="pilcrow">¶</a>
|
||||
<dd style="margin-left: 1.5em" id="section-2.3.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.3.2.3-3.18" class="pilcrow">¶</a>
|
||||
</dd>
|
||||
<dd class="break"></dd>
|
||||
<dt id="section-2.3.2.3-3.19">Payload installation</dt>
|
||||
<dd style="margin-left: 1.5em" id="section-2.3.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.3.2.3-3.20" class="pilcrow">¶</a>
|
||||
<dd style="margin-left: 1.5em" id="section-2.3.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.3.2.3-3.20" class="pilcrow">¶</a>
|
||||
</dd>
|
||||
<dd class="break"></dd>
|
||||
<dt id="section-2.3.2.3-3.21">Payload type</dt>
|
||||
|
@ -2155,11 +2155,11 @@ id is represented as a JSON string. id <span class="bcp14">SHALL</span> be prese
|
|||
</dd>
|
||||
<dd class="break"></dd>
|
||||
<dt id="section-2.4.2.3-3.17">Payload delivery</dt>
|
||||
<dd style="margin-left: 1.5em" id="section-2.4.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.4.2.3-3.18" class="pilcrow">¶</a>
|
||||
<dd style="margin-left: 1.5em" id="section-2.4.2.3-3.18">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised<a href="#section-2.4.2.3-3.18" class="pilcrow">¶</a>
|
||||
</dd>
|
||||
<dd class="break"></dd>
|
||||
<dt id="section-2.4.2.3-3.19">Payload installation</dt>
|
||||
<dd style="margin-left: 1.5em" id="section-2.4.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.4.2.3-3.20" class="pilcrow">¶</a>
|
||||
<dd style="margin-left: 1.5em" id="section-2.4.2.3-3.20">md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised<a href="#section-2.4.2.3-3.20" class="pilcrow">¶</a>
|
||||
</dd>
|
||||
<dd class="break"></dd>
|
||||
<dt id="section-2.4.2.3-3.21">Payload type</dt>
|
||||
|
@ -2918,6 +2918,10 @@ be anonymised. Sighting is composed of a JSON array in which each element descri
|
|||
<td class="text-left" rowspan="1" colspan="1">2</td>
|
||||
<td class="text-center" rowspan="1" colspan="1">denotes an attribute which will be expired at the time of the sighting</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="text-left" rowspan="1" colspan="1">3</td>
|
||||
<td class="text-center" rowspan="1" colspan="1">denotes an attribute which has been seen and confirmed as a true-positive</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p id="section-2.9-4">uuid <span class="bcp14">MUST</span> be present. uuid references the uuid of the sighted attribute.<a href="#section-2.9-4" class="pilcrow">¶</a></p>
|
||||
|
@ -3925,8 +3929,8 @@ for the review of the JSON Schema.<a href="#section-7-1" class="pilcrow">¶</a><
|
|||
<address class="vcard">
|
||||
<div dir="auto" class="left"><span class="fn nameRole">Alexandre Dulaunoy</span></div>
|
||||
<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
|
||||
<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
|
||||
<div dir="auto" class="left">L-<span class="postal-code">L-1160</span> <span class="locality">Luxembourg</span>
|
||||
<div dir="auto" class="left"><span class="street-address">122, rue Adolphe Fischer</span></div>
|
||||
<div dir="auto" class="left">L-<span class="postal-code">L-1521</span> <span class="locality">Luxembourg</span>
|
||||
</div>
|
||||
<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
|
||||
<div class="tel">
|
||||
|
@ -3941,8 +3945,8 @@ for the review of the JSON Schema.<a href="#section-7-1" class="pilcrow">¶</a><
|
|||
<address class="vcard">
|
||||
<div dir="auto" class="left"><span class="fn nameRole">Andras Iklody</span></div>
|
||||
<div dir="auto" class="left"><span class="org">Computer Incident Response Center Luxembourg</span></div>
|
||||
<div dir="auto" class="left"><span class="street-address">16, bd d'Avranches</span></div>
|
||||
<div dir="auto" class="left">L-<span class="postal-code">L-1160</span> <span class="locality">Luxembourg</span>
|
||||
<div dir="auto" class="left"><span class="street-address">122, rue Adolphe Fischer</span></div>
|
||||
<div dir="auto" class="left">L-<span class="postal-code">L-1521</span> <span class="locality">Luxembourg</span>
|
||||
</div>
|
||||
<div dir="auto" class="left"><span class="country-name">Luxembourg</span></div>
|
||||
<div class="tel">
|
||||
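Review bot: The regenerated "Payload installation" type list now carries `azure-application-id` twice, in both the `section-2.3.2.3-3.20` and the `section-2.4.2.3-3.20` definition, whereas the "Payload delivery" list gets it once; a duplicated type name in a normative category/type table is a defect implementations may copy into their validators. Since this file is xml2rfc output (the generator meta and version comment are in the head), the duplicate almost certainly originates in the markdown source or the category-type table it is rendered from and should be removed there and the HTML regenerated, not patched in this file. The same doubled entry appears in the plain-text rendering in this commit, which supports that reading. The draft-17, date and expiry updates elsewhere in the section are consistent with each other and need no change.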
|
|
|
@ -5,11 +5,11 @@
|
|||
Network Working Group A. Dulaunoy
|
||||
Internet-Draft A. Iklody
|
||||
Intended status: Informational CIRCL
|
||||
Expires: 18 August 2022 14 February 2022
|
||||
Expires: 26 June 2024 24 December 2023
|
||||
|
||||
|
||||
MISP core format
|
||||
draft-00
|
||||
draft-17
|
||||
|
||||
Abstract
|
||||
|
||||
|
@ -37,11 +37,11 @@ Status of This Memo
|
|||
time. It is inappropriate to use Internet-Drafts as reference
|
||||
material or to cite them other than as "work in progress."
|
||||
|
||||
This Internet-Draft will expire on 18 August 2022.
|
||||
This Internet-Draft will expire on 26 June 2024.
|
||||
|
||||
Copyright Notice
|
||||
|
||||
Copyright (c) 2022 IETF Trust and the persons identified as the
|
||||
Copyright (c) 2023 IETF Trust and the persons identified as the
|
||||
document authors. All rights reserved.
|
||||
|
||||
This document is subject to BCP 78 and the IETF Trust's Legal
|
||||
|
@ -53,9 +53,9 @@ Copyright Notice
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 1]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 1]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
Table of Contents
|
||||
|
@ -109,9 +109,9 @@ Table of Contents
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 2]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 2]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53
|
||||
|
@ -165,9 +165,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 3]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 3]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
uuid is represented as a JSON string. uuid MUST be present.
|
||||
|
@ -221,9 +221,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 4]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 4]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
1: Ongoing
|
||||
|
@ -277,9 +277,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 5]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 5]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
org_id is represented as a JSON string. org_id MUST be present.
|
||||
|
@ -333,9 +333,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 6]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 6]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.2.1.15. extends_uuid
|
||||
|
@ -389,9 +389,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 7]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 7]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
uuid, name and id are represented as a JSON string. uuid, name and id
|
||||
|
@ -445,9 +445,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 8]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 8]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.3.2.2. id
|
||||
|
@ -501,9 +501,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 9]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 9]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
pattern-in-traffic, pattern-in-memory, filename-pattern,
|
||||
|
@ -549,17 +549,17 @@ Internet-Draft MISP core format February 2022
|
|||
jarm-fingerprint, hassh-md5, hasshserver-md5, other,
|
||||
hostname|port, email-dst-display-name, email-src-display-name,
|
||||
email-header, email-reply-to, email-x-mailer, email-mime-boundary,
|
||||
email-thread-index, email-message-id, mobile-application-id,
|
||||
chrome-extension-id, whois-registrant-email, anonymised
|
||||
email-thread-index, email-message-id, azure-application-id,
|
||||
mobile-application-id, chrome-extension-id, whois-registrant-
|
||||
email, anonymised
|
||||
Payload installation md5, sha1, sha224, sha256, sha384, sha512,
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 10]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 10]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
|
||||
|
@ -574,8 +574,9 @@ Internet-Draft MISP core format February 2022
|
|||
traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara,
|
||||
sigma, vulnerability, cpe, weakness, attachment, malware-sample,
|
||||
malware-type, comment, text, hex, x509-fingerprint-sha1, x509-
|
||||
fingerprint-md5, x509-fingerprint-sha256, mobile-application-id,
|
||||
chrome-extension-id, other, mime-type, anonymised
|
||||
fingerprint-md5, x509-fingerprint-sha256, azure-application-id,
|
||||
azure-application-id, mobile-application-id, chrome-extension-id,
|
||||
other, mime-type, anonymised
|
||||
Payload type comment, text, other, anonymised
|
||||
Persistence mechanism filename, regkey, regkey|value, comment, text,
|
||||
other, hex, anonymised
|
||||
|
@ -607,17 +608,20 @@ Internet-Draft MISP core format February 2022
|
|||
selected by the attribute creator, using a list of pre-defined
|
||||
attribute categories.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 11]
|
||||
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
category is represented as a JSON string. category MUST be present
|
||||
and it MUST be a valid selection for the chosen type. The list of
|
||||
valid category-type combinations is mentioned above.
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 11]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
|
||||
|
||||
2.3.2.5. to_ids
|
||||
|
||||
to_ids represents whether the attribute is meant to be actionable.
|
||||
|
@ -662,18 +666,18 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
timestamp is represented as a JSON string. timestamp MUST be present.
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 12]
|
||||
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.3.2.9. comment
|
||||
|
||||
comment is a contextual comment field.
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 12]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
|
||||
|
||||
comment is represented by a JSON string. comment MAY be present.
|
||||
|
||||
2.3.2.10. sharing_group_id
|
||||
|
@ -721,13 +725,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 13]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 13]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.3.2.14. ShadowAttribute
|
||||
|
@ -781,9 +781,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 14]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 14]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.4.1. Sample Attribute Object
|
||||
|
@ -837,9 +837,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 15]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 15]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
type is represented as a JSON string. type MUST be present and it
|
||||
|
@ -893,9 +893,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 16]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 16]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
hostname, domain, domain|ip, mac-address, mac-eui-64, email,
|
||||
|
@ -929,9 +929,31 @@ Internet-Draft MISP core format February 2022
|
|||
jarm-fingerprint, hassh-md5, hasshserver-md5, other,
|
||||
hostname|port, email-dst-display-name, email-src-display-name,
|
||||
email-header, email-reply-to, email-x-mailer, email-mime-boundary,
|
||||
email-thread-index, email-message-id, mobile-application-id,
|
||||
chrome-extension-id, whois-registrant-email, anonymised
|
||||
email-thread-index, email-message-id, azure-application-id,
|
||||
mobile-application-id, chrome-extension-id, whois-registrant-
|
||||
email, anonymised
|
||||
Payload installation md5, sha1, sha224, sha256, sha384, sha512,
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 17]
|
||||
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512,
|
||||
ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash,
|
||||
tlsh, cdhash, filename, filename|md5, filename|sha1,
|
||||
|
@ -944,16 +966,9 @@ Internet-Draft MISP core format February 2022
|
|||
traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara,
|
||||
sigma, vulnerability, cpe, weakness, attachment, malware-sample,
|
||||
malware-type, comment, text, hex, x509-fingerprint-sha1, x509-
|
||||
fingerprint-md5, x509-fingerprint-sha256, mobile-application-id,
|
||||
chrome-extension-id, other, mime-type, anonymised
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 17]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
|
||||
|
||||
fingerprint-md5, x509-fingerprint-sha256, azure-application-id,
|
||||
azure-application-id, mobile-application-id, chrome-extension-id,
|
||||
other, mime-type, anonymised
|
||||
Payload type comment, text, other, anonymised
|
||||
Persistence mechanism filename, regkey, regkey|value, comment, text,
|
||||
other, hex, anonymised
|
||||
|
@ -985,6 +1000,16 @@ Internet-Draft MISP core format February 2022
|
|||
selected by the attribute creator, using a list of pre-defined
|
||||
attribute categories.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 18]
|
||||
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
category is represented as a JSON string. category MUST be present
|
||||
and it MUST be a valid selection for the chosen type. The list of
|
||||
valid category-type combinations is mentioned above.
|
||||
|
@ -999,17 +1024,6 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
to_ids is represented as a JSON boolean. to_ids MUST be present.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 18]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
|
||||
|
||||
2.4.2.6. event_id
|
||||
|
||||
event_id represents a human-readable identifier referencing the Event
|
||||
|
@ -1044,6 +1058,14 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
timestamp is represented as a JSON string. timestamp MUST be present.
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 19]
|
||||
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.4.2.9. comment
|
||||
|
||||
comment is a contextual comment field.
|
||||
|
@ -1056,16 +1078,6 @@ Internet-Draft MISP core format February 2022
|
|||
proposal creator's Organisation object. A human-readable identifier
|
||||
MUST be represented as an unsigned integer.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 19]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
|
||||
|
||||
Whilst attributes can only be created by the event creator
|
||||
organisation, shadow attributes can be created by third parties.
|
||||
org_id tracks the creator organisation.
|
||||
|
@ -1102,6 +1114,14 @@ Internet-Draft MISP core format February 2022
|
|||
data is represented by a JSON string in base64 encoding. data MUST be
|
||||
set for shadow attributes of type malware-sample and attachment.
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 20]
|
||||
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.4.2.14. first_seen
|
||||
|
||||
first_seen represents a reference time when the attribute was first
|
||||
|
@ -1111,17 +1131,6 @@ Internet-Draft MISP core format February 2022
|
|||
first_seen is represented as a JSON string. first_seen MAY be
|
||||
present.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 20]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
|
||||
|
||||
2.4.2.15. last_seen
|
||||
|
||||
last_seen represents a reference time when the attribute was last
|
||||
|
@ -1157,27 +1166,24 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
2.4.3.1.1. Sample Org Object
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 21]
|
||||
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"Org": {
|
||||
"id": "2",
|
||||
"name": "CIRCL",
|
||||
"uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 21]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
|
||||
|
||||
2.5. Object
|
||||
|
||||
Objects serve as a contextual bond between a list of attributes
|
||||
|
@ -1223,15 +1229,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 22]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 22]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"Object": {
|
||||
|
@ -1285,9 +1285,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 23]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 23]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.5.2.1. uuid
|
||||
|
@ -1341,9 +1341,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 24]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 24]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
template_uuid is represented as a JSON string. template_uuid MUST be
|
||||
|
@ -1397,9 +1397,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 25]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 25]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.5.2.11. sharing_group_id
|
||||
|
@ -1453,9 +1453,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 26]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 26]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
last_seen is represented as a JSON string. last_seen MAY be present.
|
||||
|
@ -1509,9 +1509,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 27]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 27]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.6.2.3. timestamp
|
||||
|
@ -1565,9 +1565,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 28]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 28]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
relationship_type is represented as a JSON string. relationship_type
|
||||
|
@ -1621,9 +1621,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 29]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 29]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.7.2. UUID
|
||||
|
@ -1677,9 +1677,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 30]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 30]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2 Connected Communities
|
||||
|
@ -1733,9 +1733,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 31]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 31]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
2.8.1. Sample Tag
|
||||
|
@ -1768,6 +1768,9 @@ Internet-Draft MISP core format February 2022
|
|||
+---------------+------------------------------------------+
|
||||
| 2 | denotes an attribute which will be |
|
||||
| | expired at the time of the sighting |
|
||||
+---------------+------------------------------------------+
|
||||
| 3 | denotes an attribute which has been seen |
|
||||
| | and confirmed as a true-positive |
|
||||
+---------------+------------------------------------------+
|
||||
|
||||
Table 1
|
||||
|
@ -1780,20 +1783,22 @@ Internet-Draft MISP core format February 2022
|
|||
date_sighting represents when the referenced attribute, designated by
|
||||
its uuid, is sighted.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 32]
|
||||
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
source MAY be present. source is represented as a JSON string and
|
||||
represents the human-readable version of the sighting source, which
|
||||
can be a given piece of software (e.g. SIEM), device or a specific
|
||||
analytical process.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 32]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
|
||||
|
||||
id, event_id and attribute_id are represented as a JSON string and
|
||||
MAY be present.
|
||||
|
||||
|
@ -1840,14 +1845,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 33]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 33]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"Sighting": [
|
||||
|
@ -1901,9 +1901,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 34]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 34]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"Galaxy": [ {
|
||||
|
@ -1957,9 +1957,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 35]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 35]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
3. JSON Schema
|
||||
|
@ -2013,9 +2013,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 36]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 36]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"type": "object",
|
||||
|
@ -2069,9 +2069,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 37]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 37]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"items": {
|
||||
|
@ -2125,9 +2125,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 38]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 38]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"type": "string"
|
||||
|
@ -2181,9 +2181,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 39]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 39]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"type": "string"
|
||||
|
@ -2237,9 +2237,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 40]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 40]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"properties": {
|
||||
|
@ -2293,9 +2293,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 41]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 41]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"properties": {
|
||||
|
@ -2349,9 +2349,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 42]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 42]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"properties": {
|
||||
|
@ -2405,9 +2405,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 43]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 43]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
},
|
||||
|
@ -2461,9 +2461,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 44]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 44]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
},
|
||||
|
@ -2517,9 +2517,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 45]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 45]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"type": "string"
|
||||
|
@ -2573,9 +2573,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 46]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 46]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"uniqueItems": true,
|
||||
|
@ -2629,9 +2629,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 47]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 47]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"type": "boolean"
|
||||
|
@ -2685,9 +2685,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 48]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 48]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"type": "object",
|
||||
|
@ -2741,9 +2741,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 49]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 49]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"Event": {
|
||||
|
@ -2797,9 +2797,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 50]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 50]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
If a detached PGP signature is used for each MISP event, a detached
|
||||
|
@ -2853,9 +2853,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 51]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 51]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
"name": "malware_classification:malware-category=\"Ransomware\""
|
||||
|
@ -2909,9 +2909,9 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 52]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 52]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
|
||||
|
@ -2952,8 +2952,8 @@ Authors' Addresses
|
|||
|
||||
Alexandre Dulaunoy
|
||||
Computer Incident Response Center Luxembourg
|
||||
16, bd d'Avranches
|
||||
L-L-1160 Luxembourg
|
||||
122, rue Adolphe Fischer
|
||||
L-L-1521 Luxembourg
|
||||
Luxembourg
|
||||
|
||||
Phone: +352 247 88444
|
||||
|
@ -2965,15 +2965,15 @@ Authors' Addresses
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 53]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 53]
|
||||
|
||||
Internet-Draft MISP core format February 2022
|
||||
Internet-Draft MISP core format December 2023
|
||||
|
||||
|
||||
Andras Iklody
|
||||
Computer Incident Response Center Luxembourg
|
||||
16, bd d'Avranches
|
||||
L-L-1160 Luxembourg
|
||||
122, rue Adolphe Fischer
|
||||
L-L-1521 Luxembourg
|
||||
Luxembourg
|
||||
|
||||
Phone: +352 247 88444
|
||||
|
@ -3021,4 +3021,4 @@ Internet-Draft MISP core format February 2022
|
|||
|
||||
|
||||
|
||||
Dulaunoy & Iklody Expires 18 August 2022 [Page 54]
|
||||
Dulaunoy & Iklody Expires 26 June 2024 [Page 54]
|
||||
|
|
|
@ -1,18 +1,18 @@
|
|||
<?xml version="1.0" encoding="utf-8"?>
|
||||
<!-- name="GENERATOR" content="github.com/mmarkdown/mmark Mmark Markdown Processor - mmark.miek.nl" -->
|
||||
<rfc version="3" ipr="trust200902" docName="draft-00" submissionType="independent" category="info" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XInclude" indexInclude="true">
|
||||
<rfc version="3" ipr="trust200902" docName="draft-17" submissionType="independent" category="info" xml:lang="en" xmlns:xi="http://www.w3.org/2001/XInclude" indexInclude="true">
|
||||
|
||||
<front>
|
||||
<title abbrev="MISP core format">MISP core format</title><seriesInfo value="draft-00" stream="independent" status="informational" name="Internet-Draft"></seriesInfo>
|
||||
<author initials="A." surname="Dulaunoy" fullname="Alexandre Dulaunoy"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>16, bd d'Avranches</street>
|
||||
<title abbrev="MISP core format">MISP core format</title><seriesInfo value="draft-17" stream="independent" status="informational" name="Internet-Draft"></seriesInfo>
|
||||
<author initials="A." surname="Dulaunoy" fullname="Alexandre Dulaunoy"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>122, rue Adolphe Fischer</street>
|
||||
<city>Luxembourg</city>
|
||||
<code>L-1160</code>
|
||||
<code>L-1521</code>
|
||||
<country>Luxembourg</country>
|
||||
</postal><phone>+352 247 88444</phone>
|
||||
<email>alexandre.dulaunoy@circl.lu</email>
|
||||
</address></author><author initials="A." surname="Iklody" fullname="Andras Iklody"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>16, bd d'Avranches</street>
|
||||
</address></author><author initials="A." surname="Iklody" fullname="Andras Iklody"><organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization><address><postal><street>122, rue Adolphe Fischer</street>
|
||||
<city>Luxembourg</city>
|
||||
<code>L-1160</code>
|
||||
<code>L-1521</code>
|
||||
<country>Luxembourg</country>
|
||||
</postal><phone>+352 247 88444</phone>
|
||||
<email>andras.iklody@circl.lu</email>
|
||||
|
@ -278,9 +278,9 @@ represented as an unsigned integer.</t>
|
|||
<dt>Other</dt>
|
||||
<dd>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</dd>
|
||||
<dt>Payload delivery</dt>
|
||||
<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
|
||||
<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
|
||||
<dt>Payload installation</dt>
|
||||
<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
|
||||
<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
|
||||
<dt>Payload type</dt>
|
||||
<dd>comment, text, other, anonymised</dd>
|
||||
<dt>Persistence mechanism</dt>
|
||||
|
@ -454,9 +454,9 @@ id is represented as a JSON string. id <bcp14>SHALL</bcp14> be present.</t>
|
|||
<dt>Other</dt>
|
||||
<dd>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key</dd>
|
||||
<dt>Payload delivery</dt>
|
||||
<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
|
||||
<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, jarm-fingerprint, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, azure-application-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
|
||||
<dt>Payload installation</dt>
|
||||
<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
|
||||
<dd>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
|
||||
<dt>Payload type</dt>
|
||||
<dd>comment, text, other, anonymised</dd>
|
||||
<dt>Persistence mechanism</dt>
|
||||
|
@ -923,6 +923,11 @@ be anonymised. Sighting is composed of a JSON array in which each element descri
|
|||
<td>2</td>
|
||||
<td align="center">denotes an attribute which will be expired at the time of the sighting</td>
|
||||
</tr>
|
||||
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td align="center">denotes an attribute which has been seen and confirmed as a true-positive</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table><t>uuid <bcp14>MUST</bcp14> be present. uuid references the uuid of the sighted attribute.</t>
|
||||
<t>date_sighting <bcp14>MUST</bcp14> be present. date_sighting is expressed in seconds (decimal) elapsed since 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.</t>
|
||||
|
|
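Review bot: The "Payload installation" `<dd>` on the new side lists `azure-application-id` twice in a row (`…x509-fingerprint-sha256, azure-application-id, azure-application-id, mobile-application-id…`), in both the hunk at `@ -278` and its copy at `@ -454`, whereas the "Payload delivery" lists add it once. The duplicate is only cosmetic in the rendered draft, but these category lists are what implementations and the JSON schema derive the permitted type/category pairs from, so one entry should be dropped: `…x509-fingerprint-sha256, azure-application-id, mobile-application-id, chrome-extension-id…`. The header comment says this XML is produced by mmark, so the fix presumably belongs in the Markdown source (and the regenerated .txt) rather than in this file alone. The two copies of the category table (attribute and the later section) are kept in sync by this change, which is good; the fix should be applied to both as well.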