MISP
/
misp-rfc
mirror of https://github.com/MISP/misp-rfc
2
0
Fork 0
Code Issues Releases Wiki Activity

chg: [misp-galaxy-format] JSON reference is now RFC 8259 - Comment from Carsten Bormann

pull/28/head
Alexandre Dulaunoy 2019-06-23 17:18:56 +02:00
parent 8885fa2f49
commit a11090c9be
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
2 changed files with 109 additions and 53 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
misp-galaxy-format/raw.md
View File

@ -74,11 +74,11 @@ document are to be interpreted as described in RFC 2119 [@!RFC2119].
A cluster is composed of a value (**MUST**), a description (**OPTIONAL**) and metadata (**OPTIONAL**). A cluster is composed of a value (**MUST**), a description (**OPTIONAL**) and metadata (**OPTIONAL**).
Clusters are represented as a JSON [@!RFC4627] dictionary. Clusters are represented as a JSON [@!RFC8259] dictionary.
## Overview ## Overview
The MISP galaxy format uses the JSON [@!RFC4627] format. Each galaxy is represented as a JSON object with meta information including the following fields: name, uuid, description, version, type, authors, source, values, category. The MISP galaxy format uses the JSON [@!RFC8259] format. Each galaxy is represented as a JSON object with meta information including the following fields: name, uuid, description, version, type, authors, source, values, category.
name defines the name of the galaxy. The name is represented as a string and **MUST** be present. The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object reference. The uuid **MUST** be preserved. For any updates or transfer of the same object reference. UUID version 4 is **RECOMMENDED** when assigning it to a new object reference and **MUST** be present. The description is represented as a string and **MUST** be present. The uuid is represented as a string and **MUST** be present. The version is represented as a decimal and **MUST** be present. The type is represented as a string and **MUST** be present and **MUST** match the name of the galaxy file. The source is represented as a string and **MUST** be present. Authors are represented as an array containing one or more authors and **MUST** be present. The category is represented as a string and **MUST** be present and describes the overall category of the galaxy such as tool or actor. name defines the name of the galaxy. The name is represented as a string and **MUST** be present. The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the object reference. The uuid **MUST** be preserved. For any updates or transfer of the same object reference. UUID version 4 is **RECOMMENDED** when assigning it to a new object reference and **MUST** be present. The description is represented as a string and **MUST** be present. The uuid is represented as a string and **MUST** be present. The version is represented as a decimal and **MUST** be present. The type is represented as a string and **MUST** be present and **MUST** match the name of the galaxy file. The source is represented as a string and **MUST** be present. Authors are represented as an array containing one or more authors and **MUST** be present. The category is represented as a string and **MUST** be present and describes the overall category of the galaxy such as tool or actor.

158
misp-galaxy-format/raw.md.txt
View File

@ -72,14 +72,14 @@ Table of Contents
2.2. values . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.2. values . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.3. related . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.3. related . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.4. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2.4. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 8 3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 9
3.1. MISP galaxy format - galaxy . . . . . . . . . . . . . . . 9 3.1. MISP galaxy format - galaxy . . . . . . . . . . . . . . . 9
3.2. MISP galaxy format - clusters . . . . . . . . . . . . . . 9 3.2. MISP galaxy format - clusters . . . . . . . . . . . . . . 10
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
5.1. Normative References . . . . . . . . . . . . . . . . . . 13 5.1. Normative References . . . . . . . . . . . . . . . . . . 14
5.2. Informative References . . . . . . . . . . . . . . . . . 13 5.2. Informative References . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
1. Introduction 1. Introduction
@ -119,11 +119,11 @@ Internet-Draft MISP galaxy format September 2018
A cluster is composed of a value (MUST), a description (OPTIONAL) and A cluster is composed of a value (MUST), a description (OPTIONAL) and
metadata (OPTIONAL). metadata (OPTIONAL).
Clusters are represented as a JSON [RFC4627] dictionary. Clusters are represented as a JSON [RFC8259] dictionary.
2.1. Overview 2.1. Overview
The MISP galaxy format uses the JSON [RFC4627] format. Each galaxy The MISP galaxy format uses the JSON [RFC8259] format. Each galaxy
is represented as a JSON object with meta information including the is represented as a JSON object with meta information including the
following fields: name, uuid, description, version, type, authors, following fields: name, uuid, description, version, type, authors,
source, values, category. source, values, category.
@ -195,7 +195,8 @@ Internet-Draft MISP galaxy format September 2018
filenames, ransomnotes-refs, suspected-victims, suspected-state- filenames, ransomnotes-refs, suspected-victims, suspected-state-
sponsor, type-of-incident, target-category, cfr-suspected-victims, sponsor, type-of-incident, target-category, cfr-suspected-victims,
cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target- cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
category, attribution-confidence wherever applicable. category, attribution-confidence, payment-method, price wherever
applicable.
refs, synonyms SHALL be used to give further informations. refs is refs, synonyms SHALL be used to give further informations. refs is
represented as an array containing one or more strings and SHALL be represented as an array containing one or more strings and SHALL be
@ -217,7 +218,6 @@ Internet-Draft MISP galaxy format September 2018
give further information in preventive-measure galaxy. complexity is give further information in preventive-measure galaxy. complexity is
represented by an enumerated value from a fixed vocabulary and SHALL represented by an enumerated value from a fixed vocabulary and SHALL
be present. effectiveness is represented by an enumerated value from be present. effectiveness is represented by an enumerated value from
a fixed vocabulary and SHALL be present. impact is represented by an
@ -226,6 +226,7 @@ Dulaunoy, et al. Expires March 24, 2019 [Page 4]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
a fixed vocabulary and SHALL be present. impact is represented by an
enumerated value from a fixed vocabulary and SHALL be present. enumerated value from a fixed vocabulary and SHALL be present.
possible_issues is represented as a string and SHOULD be present. possible_issues is represented as a string and SHOULD be present.
@ -274,7 +275,6 @@ Internet-Draft MISP galaxy format September 2018
Dulaunoy, et al. Expires March 24, 2019 [Page 5] Dulaunoy, et al. Expires March 24, 2019 [Page 5]
@ -303,14 +303,16 @@ Internet-Draft MISP galaxy format September 2018
} }
encryption, extensions, ransomnotes, ransomnotes-filenames, encryption, extensions, ransomnotes, ransomnotes-filenames,
ransomnotes-refs MAY be used to give further information in ransomnotes-refs, payment-method, price MAY be used to give further
ransomware galaxy. encryption is represented as a string and SHALL be information in ransomware galaxy. encryption is represented as a
present. extensions is represented as an array containing one or more string and SHALL be present. extensions is represented as an array
strings and SHALL be present. ransomnotes is represented as an array containing one or more strings and SHALL be present. ransomnotes is
containing one or more strings ans SHALL be present. ransomnotes- represented as an array containing one or more strings ans SHALL be
filenames is represented as an array containing one or more strings present. ransomnotes-filenames is represented as an array containing
ans SHALL be present. ransomnotes-refs is represented as an array one or more strings ans SHALL be present. ransomnotes-refs is
containing one or more strings ans SHALL be present. represented as an array containing one or more strings ans SHALL be
present. payment-method is represented as a string and SHALL be
present. price is represented as a string and SHALL be present.
Example use of the encryption, extensions, ransomnotes fields in the Example use of the encryption, extensions, ransomnotes fields in the
ransomware galaxy: ransomware galaxy:
@ -331,8 +333,6 @@ Internet-Draft MISP galaxy format September 2018
Dulaunoy, et al. Expires March 24, 2019 [Page 6] Dulaunoy, et al. Expires March 24, 2019 [Page 6]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
@ -356,11 +356,44 @@ Internet-Draft MISP galaxy format September 2018
"value": "Ryuk ransomware" "value": "Ryuk ransomware"
} }
Example use of the payment-method, price fields in the ransomware
galaxy:
{
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..",
"meta": {
"date": "March 2017",
"encryption": "AES-128",
"extensions": [
".enc"
],
"payment-method": "Bitcoin",
"price": "0.1",
"ransomnotes": [
"Blocked Your computer has been blocked All your files are encrypted. To access your PC, you need to send to Bitcoin at the address below loading Step 1: Go to xxxxs : //wvw.coinbase.com/ siqnup Step 2: Create an account and follow the instructions Step 3: Go to the \"Buy Bitcoins\" section and then buy Bitcoin Step 4: Go to the \"Send\" section, enter the address above and the amount (0.1 Bitcoin) Step 5: Click on the button below to verify the payment, your files will be decrypted and the virus will disappear 'Check' If you try to bypass the lock, all files will be published on the Internet, as well as your login for all sites."
],
"refs": [
"https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html"
]
},
"uuid": "4c76c845-c5eb-472c-93a1-4178f86c319b",
"value": "CryptoMeister Ransomware"
}
source-uuid, target-uuid SHALL be used to describe relationships. source-uuid, target-uuid SHALL be used to describe relationships.
source-uuid and target-uuid represent the Universally Unique source-uuid and target-uuid represent the Universally Unique
IDentifier (UUID) [RFC4122] of the value reference. source-uuid and IDentifier (UUID) [RFC4122] of the value reference. source-uuid and
target-uuid MUST be preserved. target-uuid MUST be preserved.
Dulaunoy, et al. Expires March 24, 2019 [Page 7]
Internet-Draft MISP galaxy format September 2018
Example use of the source-uuid, target-uuid fields in the mitre- Example use of the source-uuid, target-uuid fields in the mitre-
enterprise-attack-relationship galaxy: enterprise-attack-relationship galaxy:
@ -387,17 +420,36 @@ Internet-Draft MISP galaxy format September 2018
exhaustive list of possible values for cfr-target-category includes exhaustive list of possible values for cfr-target-category includes
"Private sector", "Government", "Civil society", "Military". "Private sector", "Government", "Civil society", "Military".
Dulaunoy, et al. Expires March 24, 2019 [Page 7]
Internet-Draft MISP galaxy format September 2018
Example use of the cfr-suspected-victims, cfr-suspected-state- Example use of the cfr-suspected-victims, cfr-suspected-state-
sponsor, cfr-type-of-incident, cfr-target-category fields in the sponsor, cfr-type-of-incident, cfr-target-category fields in the
threat-actor galaxy: threat-actor galaxy:
Dulaunoy, et al. Expires March 24, 2019 [Page 8]
Internet-Draft MISP galaxy format September 2018
{ {
"meta": { "meta": {
"country": "CN", "country": "CN",
@ -441,17 +493,19 @@ Internet-Draft MISP galaxy format September 2018
formats. The main format is the MISP galaxy format used for the formats. The main format is the MISP galaxy format used for the
clusters. clusters.
3.1. MISP galaxy format - galaxy
Dulaunoy, et al. Expires March 24, 2019 [Page 8]
Dulaunoy, et al. Expires March 24, 2019 [Page 9]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
3.1. MISP galaxy format - galaxy
{ {
"$schema": "http://json-schema.org/schema#", "$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Galaxies", "title": "Validator for misp-galaxies - Galaxies",
@ -498,16 +552,16 @@ Internet-Draft MISP galaxy format September 2018
{ {
"$schema": "http://json-schema.org/schema#", "$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Clusters", "title": "Validator for misp-galaxies - Clusters",
"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",
Dulaunoy, et al. Expires March 24, 2019 [Page 9] Dulaunoy, et al. Expires March 24, 2019 [Page 10]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",
"additionalProperties": false, "additionalProperties": false,
"properties": { "properties": {
"description": { "description": {
@ -554,16 +608,16 @@ Internet-Draft MISP galaxy format September 2018
"type": "object" "type": "object"
}, },
"properties": { "properties": {
"dest-uuid": {
"type": "string"
Dulaunoy, et al. Expires March 24, 2019 [Page 10] Dulaunoy, et al. Expires March 24, 2019 [Page 11]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
"dest-uuid": {
"type": "string"
}, },
"type": { "type": {
"type": "string" "type": "string"
@ -610,16 +664,16 @@ Internet-Draft MISP galaxy format September 2018
"type": "string" "type": "string"
}, },
"refs": { "refs": {
"type": "array",
"uniqueItems": true,
Dulaunoy, et al. Expires March 24, 2019 [Page 11] Dulaunoy, et al. Expires March 24, 2019 [Page 12]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
"type": "array",
"uniqueItems": true,
"items": { "items": {
"type": "string" "type": "string"
} }
@ -666,16 +720,16 @@ Internet-Draft MISP galaxy format September 2018
"type": "array", "type": "array",
"uniqueItems": true, "uniqueItems": true,
"items": { "items": {
"type": "string"
}
Dulaunoy, et al. Expires March 24, 2019 [Page 12] Dulaunoy, et al. Expires March 24, 2019 [Page 13]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
"type": "string"
}
} }
}, },
"required": [ "required": [
@ -710,10 +764,10 @@ Internet-Draft MISP galaxy format September 2018
DOI 10.17487/RFC4122, July 2005, DOI 10.17487/RFC4122, July 2005,
<https://www.rfc-editor.org/info/rfc4122>. <https://www.rfc-editor.org/info/rfc4122>.
[RFC4627] Crockford, D., "The application/json Media Type for [RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
JavaScript Object Notation (JSON)", RFC 4627, Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC4627, July 2006, DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc4627>. <https://www.rfc-editor.org/info/rfc8259>.
5.2. Informative References 5.2. Informative References
@ -725,7 +779,9 @@ Internet-Draft MISP galaxy format September 2018
Dulaunoy, et al. Expires March 24, 2019 [Page 13]
Dulaunoy, et al. Expires March 24, 2019 [Page 14]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
@ -781,7 +837,7 @@ Authors' Addresses
Dulaunoy, et al. Expires March 24, 2019 [Page 14] Dulaunoy, et al. Expires March 24, 2019 [Page 15]
Internet-Draft MISP galaxy format September 2018 Internet-Draft MISP galaxy format September 2018
@ -837,4 +893,4 @@ Internet-Draft MISP galaxy format September 2018
Dulaunoy, et al. Expires March 24, 2019 [Page 15] Dulaunoy, et al. Expires March 24, 2019 [Page 16]