mirror of https://github.com/MISP/misp-rfc
Output added
parent
081b8fffed
commit
a318742bfb
|
@ -71,18 +71,22 @@ Table of Contents
|
||||||
2.2. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
2.2. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 3
|
||||||
2.2.1. Event Attributes . . . . . . . . . . . . . . . . . . 3
|
2.2.1. Event Attributes . . . . . . . . . . . . . . . . . . 3
|
||||||
2.3. Objects . . . . . . . . . . . . . . . . . . . . . . . . . 6
|
2.3. Objects . . . . . . . . . . . . . . . . . . . . . . . . . 6
|
||||||
2.3.1. Org . . . . . . . . . . . . . . . . . . . . . . . . . 6
|
2.3.1. Org . . . . . . . . . . . . . . . . . . . . . . . . . 7
|
||||||
2.3.2. Orgc . . . . . . . . . . . . . . . . . . . . . . . . 7
|
2.3.2. Orgc . . . . . . . . . . . . . . . . . . . . . . . . 7
|
||||||
2.4. Attribute . . . . . . . . . . . . . . . . . . . . . . . . 7
|
2.4. Attribute . . . . . . . . . . . . . . . . . . . . . . . . 7
|
||||||
2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 7
|
2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 8
|
||||||
2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 8
|
2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 8
|
||||||
2.5. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
|
2.5. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
|
||||||
2.5.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 12
|
2.5.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 13
|
||||||
3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13
|
3. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 13
|
||||||
4. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
|
3.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 13
|
||||||
4.1. Normative References . . . . . . . . . . . . . . . . . . 13
|
3.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 14
|
||||||
4.2. Informative References . . . . . . . . . . . . . . . . . 13
|
4. Security Considerations . . . . . . . . . . . . . . . . . . . 16
|
||||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
|
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16
|
||||||
|
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
|
||||||
|
6.1. Normative References . . . . . . . . . . . . . . . . . . 16
|
||||||
|
6.2. Informative References . . . . . . . . . . . . . . . . . 16
|
||||||
|
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
|
||||||
|
|
||||||
1. Introduction
|
1. Introduction
|
||||||
|
|
||||||
|
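Review bot: The ToC entries for 2.3.1, 2.4.1 and 2.5.1 each move by one page while 2.2 through 2.2.1 stay on page 3, and the new 3 through 6 entries appear with their own page numbers; since the body is also re-paginated in the later hunks, confirm the whole txt output was regenerated from the XML source in one pass rather than patched by hand, so that no entry goes stale against the headings that follow.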
@ -105,10 +109,6 @@ Table of Contents
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires April 4, 2017 [Page 2]
|
Dulaunoy & Iklody Expires April 4, 2017 [Page 2]
|
||||||
|
|
||||||
Internet-Draft MISP core format October 2016
|
Internet-Draft MISP core format October 2016
|
||||||
|
@ -200,23 +200,23 @@ Internet-Draft MISP core format October 2016
|
||||||
threat_level_id is represented as a JSON string. threat_level_id
|
threat_level_id is represented as a JSON string. threat_level_id
|
||||||
SHALL be present.
|
SHALL be present.
|
||||||
|
|
||||||
2.2.1.6. date
|
2.2.1.6. analysis
|
||||||
|
|
||||||
date represents a reference date to the event in ISO 8601 format
|
analysis represents the analysis level.
|
||||||
(date only: YYYY-MM-DD). This date corresponds to the date the event
|
|
||||||
occured, which may be in the past.
|
|
||||||
|
|
||||||
date is represented as a JSON string.
|
0:
|
||||||
|
Initial
|
||||||
|
|
||||||
2.2.1.7. timestamp
|
1:
|
||||||
|
Ongoing
|
||||||
|
|
||||||
timestamp represents a reference time when the event, or one of the
|
2:
|
||||||
attributes within the event was created, or last updated/edited on
|
Complete
|
||||||
the instance. timestamp is expressed in seconds (decimal) since 1st
|
|
||||||
of January 1970 (Unix timestamp). The time zone MUST be UTC.
|
|
||||||
|
|
||||||
timestamp is represented as a JSON string. timestamp MUST be present.
|
If a higher granularity is required, a MISP taxonomy applied as a Tag
|
||||||
|
SHOULD be preferred.
|
||||||
|
|
||||||
|
analysis is represented as a JSON string. analysis SHALL be present.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
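Review bot: The new analysis section lists the allowed values as bare 0, 1 and 2 but then says analysis is represented as a JSON string; state explicitly that the string carries the decimal digit ("0", "1" or "2", which is what the sample manifest later in this change does with "analysis": "0"), and say what an implementation does with any other value, since there is neither a MUST-reject nor a default. The same section says "analysis SHALL be present" while the timestamp field in the next hunk says "timestamp MUST be present"; RFC 2119 treats the two as equivalent, but pick one keyword for presence requirements throughout the document.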
@ -226,7 +226,24 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 4]
|
||||||
Internet-Draft MISP core format October 2016
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
2.2.1.8. publish_timestamp
|
2.2.1.7. date
|
||||||
|
|
||||||
|
date represents a reference date to the event in ISO 8601 format
|
||||||
|
(date only: YYYY-MM-DD). This date corresponds to the date the event
|
||||||
|
occured, which may be in the past.
|
||||||
|
|
||||||
|
date is represented as a JSON string.
|
||||||
|
|
||||||
|
2.2.1.8. timestamp
|
||||||
|
|
||||||
|
timestamp represents a reference time when the event, or one of the
|
||||||
|
attributes within the event was created, or last updated/edited on
|
||||||
|
the instance. timestamp is expressed in seconds (decimal) since 1st
|
||||||
|
of January 1970 (Unix timestamp). The time zone MUST be UTC.
|
||||||
|
|
||||||
|
timestamp is represented as a JSON string. timestamp MUST be present.
|
||||||
|
|
||||||
|
2.2.1.9. publish_timestamp
|
||||||
|
|
||||||
publish_timestamp represents a reference time when the event was
|
publish_timestamp represents a reference time when the event was
|
||||||
published on the instance. published_timestamp is expressed in
|
published on the instance. published_timestamp is expressed in
|
||||||
|
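Review bot: In the moved date paragraph "occured" should read "occurred", and date is the only field in this block with no presence requirement; add "date MUST be present" (or SHALL, matching whichever keyword the document settles on) if it is mandatory, which the Manifest section added later in this change assumes by listing date as MUST. The unchanged context at the end of the hunk also calls the field "published_timestamp" in its second sentence while the heading and first sentence say "publish_timestamp"; worth fixing while the section is being renumbered.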
@ -237,7 +254,7 @@ Internet-Draft MISP core format October 2016
|
||||||
publish_timestamp is represented as a JSON string. publish_timestamp
|
publish_timestamp is represented as a JSON string. publish_timestamp
|
||||||
MUST be present.
|
MUST be present.
|
||||||
|
|
||||||
2.2.1.9. org_id
|
2.2.1.10. org_id
|
||||||
|
|
||||||
org_id represents a human-readable identifier referencing an Org
|
org_id represents a human-readable identifier referencing an Org
|
||||||
object of the organization which generated the event.
|
object of the organization which generated the event.
|
||||||
|
@ -247,7 +264,7 @@ Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
org_id is represented as a JSON string. org_id MUST be present.
|
org_id is represented as a JSON string. org_id MUST be present.
|
||||||
|
|
||||||
2.2.1.10. orgc_id
|
2.2.1.11. orgc_id
|
||||||
|
|
||||||
orgc_id represents a human-readable identifier referencing an Orgc
|
orgc_id represents a human-readable identifier referencing an Orgc
|
||||||
object of the organization which created the event.
|
object of the organization which created the event.
|
||||||
|
@ -257,23 +274,6 @@ Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
orgc_id is represented as a JSON string. orgc_id MUST be present.
|
orgc_id is represented as a JSON string. orgc_id MUST be present.
|
||||||
|
|
||||||
2.2.1.11. attribute_count
|
|
||||||
|
|
||||||
attribute_count represents the number of attributes in the event.
|
|
||||||
attribute_count is expressed in decimal.
|
|
||||||
|
|
||||||
attribute_count is represented as a JSON string. attribute_count
|
|
||||||
SHALL be present.
|
|
||||||
|
|
||||||
2.2.1.12. distribution
|
|
||||||
|
|
||||||
distribution represents the basic distribution rules of the event.
|
|
||||||
The system must adhere to the distribution setting for access control
|
|
||||||
and for dissemination of the event.
|
|
||||||
|
|
||||||
distribution is represented by a JSON string. distribution MUST be
|
|
||||||
present and be one of the following options:
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -282,6 +282,23 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 5]
|
||||||
Internet-Draft MISP core format October 2016
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
2.2.1.12. attribute_count
|
||||||
|
|
||||||
|
attribute_count represents the number of attributes in the event.
|
||||||
|
attribute_count is expressed in decimal.
|
||||||
|
|
||||||
|
attribute_count is represented as a JSON string. attribute_count
|
||||||
|
SHALL be present.
|
||||||
|
|
||||||
|
2.2.1.13. distribution
|
||||||
|
|
||||||
|
distribution represents the basic distribution rules of the event.
|
||||||
|
The system must adhere to the distribution setting for access control
|
||||||
|
and for dissemination of the event.
|
||||||
|
|
||||||
|
distribution is represented by a JSON string. distribution MUST be
|
||||||
|
present and be one of the following options:
|
||||||
|
|
||||||
0
|
0
|
||||||
Your Organisation Only
|
Your Organisation Only
|
||||||
|
|
||||||
|
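Review bot: In the re-added distribution text, "The system must adhere to the distribution setting for access control and for dissemination of the event" uses a lowercase "must"; in a document that invokes RFC 2119 this reads as non-normative, so write "MUST" if receiving instances are in fact required to enforce the setting, which the access-control consequences of ignoring it make worth stating unambiguously. The list of options that follows also switches from "Your Organisation Only" (value 0) straight to "Sharing Group" (value 4) in the visible context, so double-check that values 1 to 3 survived the move intact in the full text.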
@ -297,7 +314,7 @@ Internet-Draft MISP core format October 2016
|
||||||
4
|
4
|
||||||
Sharing Group
|
Sharing Group
|
||||||
|
|
||||||
2.2.1.13. sharing_group_id
|
2.2.1.14. sharing_group_id
|
||||||
|
|
||||||
sharing_group_id represents a human-readable identifier referencing a
|
sharing_group_id represents a human-readable identifier referencing a
|
||||||
Sharing Group object that defines the distribution of the event, if
|
Sharing Group object that defines the distribution of the event, if
|
||||||
|
@ -309,6 +326,18 @@ Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
2.3. Objects
|
2.3. Objects
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires April 4, 2017 [Page 6]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
2.3.1. Org
|
2.3.1. Org
|
||||||
|
|
||||||
An Org object is composed of an uuid, name and id.
|
An Org object is composed of an uuid, name and id.
|
||||||
|
@ -326,18 +355,6 @@ Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
2.3.1.1. Sample Org Object
|
2.3.1.1. Sample Org Object
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires April 4, 2017 [Page 6]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format October 2016
|
|
||||||
|
|
||||||
|
|
||||||
"Org": {
|
"Org": {
|
||||||
"id": "2",
|
"id": "2",
|
||||||
"name": "CIRCL",
|
"name": "CIRCL",
|
||||||
|
@ -368,23 +385,6 @@ Internet-Draft MISP core format October 2016
|
||||||
meaning and context to the value. Through the various category-type
|
meaning and context to the value. Through the various category-type
|
||||||
combinations a wide range of information can be conveyed.
|
combinations a wide range of information can be conveyed.
|
||||||
|
|
||||||
A MISP document MUST at least includes category-type-value triplet
|
|
||||||
described in section "Attribute Attributes".
|
|
||||||
|
|
||||||
2.4.1. Sample Attribute Object
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -394,6 +394,11 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 7]
|
||||||
Internet-Draft MISP core format October 2016
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
A MISP document MUST at least includes category-type-value triplet
|
||||||
|
described in section "Attribute Attributes".
|
||||||
|
|
||||||
|
2.4.1. Sample Attribute Object
|
||||||
|
|
||||||
"Attribute": {
|
"Attribute": {
|
||||||
"id": "346056",
|
"id": "346056",
|
||||||
"type": "comment",
|
"type": "comment",
|
||||||
|
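Review bot: The re-added sentence "A MISP document MUST at least includes category-type-value triplet described in section "Attribute Attributes"" has a verb-agreement slip and a missing article; suggest "A MISP document MUST at least include the category-type-value triplet described in section "Attribute Attributes"." It would also help to say that this requirement applies to each Attribute object, since the surrounding text defines category, type and value as properties of an Attribute rather than of the document as a whole.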
@ -408,7 +413,8 @@ Internet-Draft MISP core format October 2016
|
||||||
"deleted": false,
|
"deleted": false,
|
||||||
"value": "Hello world",
|
"value": "Hello world",
|
||||||
"SharingGroup": [],
|
"SharingGroup": [],
|
||||||
"ShadowAttribute": []
|
"ShadowAttribute": [],
|
||||||
|
"RelatedAttribute": []
|
||||||
}
|
}
|
||||||
|
|
||||||
2.4.2. Attribute Attributes
|
2.4.2. Attribute Attributes
|
||||||
|
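Review bot: The sample now carries "RelatedAttribute": [], but the new 2.4.2.12 text says each element is a JSON object holding an Attribute with id, org_id, info and value; an empty array shows none of that structure, so either populate this sample with one element or add a short second sample under 2.4.2.12. The comma added after "ShadowAttribute": [] is correct JSON now that another key follows it.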
@ -435,12 +441,6 @@ Internet-Draft MISP core format October 2016
|
||||||
describe the intent of the attribute creator, using a list of pre-
|
describe the intent of the attribute creator, using a list of pre-
|
||||||
defined attribute types.
|
defined attribute types.
|
||||||
|
|
||||||
type is represented as a JSON string. type MUST be present and it
|
|
||||||
MUST be a valid selection for the chosen category. The list of valid
|
|
||||||
category-type combinations is as follows:
|
|
||||||
|
|
||||||
Internal reference
|
|
||||||
text, link, comment, other
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -450,6 +450,13 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 8]
|
||||||
Internet-Draft MISP core format October 2016
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
type is represented as a JSON string. type MUST be present and it
|
||||||
|
MUST be a valid selection for the chosen category. The list of valid
|
||||||
|
category-type combinations is as follows:
|
||||||
|
|
||||||
|
Internal reference
|
||||||
|
text, link, comment, other
|
||||||
|
|
||||||
Targeting data
|
Targeting data
|
||||||
target-user, target-email, target-machine, target-org, target-
|
target-user, target-email, target-machine, target-org, target-
|
||||||
location, target-external, comment
|
location, target-external, comment
|
||||||
|
@ -492,13 +499,6 @@ Internet-Draft MISP core format October 2016
|
||||||
attachment, malware-sample, malware-type, comment, text, x509-
|
attachment, malware-sample, malware-type, comment, text, x509-
|
||||||
fingerprint-sha1, other
|
fingerprint-sha1, other
|
||||||
|
|
||||||
Persistence mechanism
|
|
||||||
filename, regkey, regkey|value, comment, text, other
|
|
||||||
|
|
||||||
Network activity
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires April 4, 2017 [Page 9]
|
Dulaunoy & Iklody Expires April 4, 2017 [Page 9]
|
||||||
|
@ -506,6 +506,10 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 9]
|
||||||
Internet-Draft MISP core format October 2016
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
Persistence mechanism
|
||||||
|
filename, regkey, regkey|value, comment, text, other
|
||||||
|
|
||||||
|
Network activity
|
||||||
ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri,
|
ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri,
|
||||||
user-agent, http-method, AS, snort, pattern-in-file, pattern-in-
|
user-agent, http-method, AS, snort, pattern-in-file, pattern-in-
|
||||||
traffic, attachment, comment, text, x509-fingerprint-sha1, other
|
traffic, attachment, comment, text, x509-fingerprint-sha1, other
|
||||||
|
@ -548,10 +552,6 @@ Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
to_ids is represented as a JSON boolean. to_ids MUST be present.
|
to_ids is represented as a JSON boolean. to_ids MUST be present.
|
||||||
|
|
||||||
2.4.2.6. event_id
|
|
||||||
|
|
||||||
event_id represents a human-readable identifier referencing the Event
|
|
||||||
object that the attribute belongs to.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -562,6 +562,11 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 10]
|
||||||
Internet-Draft MISP core format October 2016
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
2.4.2.6. event_id
|
||||||
|
|
||||||
|
event_id represents a human-readable identifier referencing the Event
|
||||||
|
object that the attribute belongs to.
|
||||||
|
|
||||||
The event_id SHOULD be updated when the event is imported to reflect
|
The event_id SHOULD be updated when the event is imported to reflect
|
||||||
the newly created event's id on the instance.
|
the newly created event's id on the instance.
|
||||||
|
|
||||||
|
@ -602,11 +607,6 @@ Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
timestamp is represented as a JSON string. timestamp MUST be present.
|
timestamp is represented as a JSON string. timestamp MUST be present.
|
||||||
|
|
||||||
2.4.2.9. comment
|
|
||||||
|
|
||||||
comment is a contextual comment field.
|
|
||||||
|
|
||||||
comment is represented by a JSON string. comment MAY be present.
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -618,6 +618,12 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 11]
|
||||||
Internet-Draft MISP core format October 2016
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
2.4.2.9. comment
|
||||||
|
|
||||||
|
comment is a contextual comment field.
|
||||||
|
|
||||||
|
comment is represented by a JSON string. comment MAY be present.
|
||||||
|
|
||||||
2.4.2.10. sharing_group_id
|
2.4.2.10. sharing_group_id
|
||||||
|
|
||||||
sharing_group_id represents a human-readable identifier referencing a
|
sharing_group_id represents a human-readable identifier referencing a
|
||||||
|
@ -636,7 +642,16 @@ Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
deleted is represented by a JSON boolean. deleted MUST be present.
|
deleted is represented by a JSON boolean. deleted MUST be present.
|
||||||
|
|
||||||
2.4.2.12. value
|
2.4.2.12. RelatedAttribute
|
||||||
|
|
||||||
|
RelatedAttribute is an array of attributes correlating with the
|
||||||
|
current attribute. Each element in the array represents an JSON
|
||||||
|
object which contains an Attribute dictionnary with the external
|
||||||
|
attributes correlating. Each Attribute MUST include the id, org_id,
|
||||||
|
info and a value. Only the correlations found on the local instance
|
||||||
|
are shown in RelatedAttribute.
|
||||||
|
|
||||||
|
2.4.2.13. value
|
||||||
|
|
||||||
value represents the payload of an attribute. The format of the
|
value represents the payload of an attribute. The format of the
|
||||||
value is dependent on the type of the attribute.
|
value is dependent on the type of the attribute.
|
||||||
|
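Review bot: Two spelling points in the new RelatedAttribute section: "an JSON object" should be "a JSON object" and "dictionnary" should be "dictionary". More substantively, the section never states how RelatedAttribute itself is represented or whether it may be absent, whereas every other field here ends with a "X is represented by ... X MUST/MAY be present" sentence; add the matching sentence, for example "RelatedAttribute is represented as a JSON array. RelatedAttribute MAY be present." Since the text says only correlations found on the local instance are shown, also say what an importing instance does with received RelatedAttribute entries (ignore and recompute them, the way event_id SHOULD be updated on import), so that correlation data computed by a remote instance is not presented as if it were local.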
@ -650,21 +665,6 @@ Internet-Draft MISP core format October 2016
|
||||||
from a fixed machine-tag vocabulary called MISP taxonomies[[MISP-T]].
|
from a fixed machine-tag vocabulary called MISP taxonomies[[MISP-T]].
|
||||||
A Tag is represented as a JSON array where each element describes
|
A Tag is represented as a JSON array where each element describes
|
||||||
each tag associated. A Tag array SHALL be, at least, at Event level.
|
each tag associated. A Tag array SHALL be, at least, at Event level.
|
||||||
A tag element is described with a name, id, colour, exportable flag
|
|
||||||
and org_id.
|
|
||||||
|
|
||||||
exportable represents a setting if the tag is kept local or
|
|
||||||
exportable to other MISP instances. exportable is represented by a
|
|
||||||
JSON boolean.
|
|
||||||
|
|
||||||
name MUST be present. exportable SHALL be present.
|
|
||||||
|
|
||||||
2.5.1. Sample Tag
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -674,21 +674,193 @@ Dulaunoy & Iklody Expires April 4, 2017 [Page 12]
|
||||||
Internet-Draft MISP core format October 2016
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
A tag element is described with a name, id, colour and exportable
|
||||||
|
flag.
|
||||||
|
|
||||||
|
exportable represents a setting if the tag is kept local or
|
||||||
|
exportable to other MISP instances. exportable is represented by a
|
||||||
|
JSON boolean. id is a human-readable identifier that references the
|
||||||
|
tag on the local instance. colour represents an RGB value of the tag.
|
||||||
|
|
||||||
|
name MUST be present. colour, id and exportable SHALL be present.
|
||||||
|
|
||||||
|
2.5.1. Sample Tag
|
||||||
|
|
||||||
"Tag": [{
|
"Tag": [{
|
||||||
"org_id": "0",
|
|
||||||
"exportable": true,
|
"exportable": true,
|
||||||
"colour": "#ffffff",
|
"colour": "#ffffff",
|
||||||
"name": "tlp:white",
|
"name": "tlp:white",
|
||||||
"id": "2" }]
|
"id": "2" }]
|
||||||
|
|
||||||
3. Acknowledgements
|
3. Manifest
|
||||||
|
|
||||||
|
MISP events can be shared over an HTTP repository, a file package or
|
||||||
|
USB key. A manifest file is used to provide an index of MISP events
|
||||||
|
allowing to only fetch the recently updated files without the need to
|
||||||
|
parse each json file.
|
||||||
|
|
||||||
|
3.1. Format
|
||||||
|
|
||||||
|
A manifest file is a simple JSON file named manifest.json in a
|
||||||
|
directory where the MISP events are located. Each MISP event is a
|
||||||
|
file located in the same directory with the event uuid as filename
|
||||||
|
with the json extension.
|
||||||
|
|
||||||
|
The manifest format is a JSON object composed of a dictionary where
|
||||||
|
the field is the uuid of the event.
|
||||||
|
|
||||||
|
Each uuid is composed of a JSON object with the following fields
|
||||||
|
which came from the original event referenced by the same uuid:
|
||||||
|
|
||||||
|
o info (MUST)
|
||||||
|
|
||||||
|
o Orgc object (MUST)
|
||||||
|
|
||||||
|
o analysis (SHALL)
|
||||||
|
|
||||||
|
o timestamp (MUST)
|
||||||
|
|
||||||
|
o date (MUST)
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires April 4, 2017 [Page 13]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
o threat_level_id (SHALL)
|
||||||
|
|
||||||
|
In addition to the fields originating from the event, the following
|
||||||
|
fields can be added:
|
||||||
|
|
||||||
|
o integrity:sha256 represents the SHA256 value in hexadecimal
|
||||||
|
representation of the associated MISP event file to ensure
|
||||||
|
integrity of the file. (SHOULD)
|
||||||
|
|
||||||
|
o integrity:pgp represents a detached PGP signature [RFC4880] of the
|
||||||
|
associated MISP event file to ensure integrity of the file.
|
||||||
|
(SHOULD)
|
||||||
|
|
||||||
|
If a detached PGP signature is used for each MISP event, a detached
|
||||||
|
PGP signature is a MUST to ensure integrity of the manifest file. A
|
||||||
|
detached PGP signature for a manifest file is a manifest.json.pgp
|
||||||
|
file containing the PGP signature.
|
||||||
|
|
||||||
|
3.1.1. Sample Manifest
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires April 4, 2017 [Page 14]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
{
|
||||||
|
"57c6ac4c-c60c-4f79-a38f-b666950d210f": {
|
||||||
|
"info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
|
||||||
|
"Orgc": {
|
||||||
|
"id": "2",
|
||||||
|
"name": "CIRCL"
|
||||||
|
},
|
||||||
|
"analysis": "0",
|
||||||
|
"Tag": [
|
||||||
|
{
|
||||||
|
"colour": "#3d7a00",
|
||||||
|
"name": "circl:incident-classification=\"malware\""
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"colour": "#ffffff",
|
||||||
|
"name": "tlp:white"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"timestamp": "1472638251",
|
||||||
|
"date": "2016-08-31",
|
||||||
|
"threat_level_id": "3"
|
||||||
|
},
|
||||||
|
"5720accd-dd28-45f8-80e5-4605950d210f": {
|
||||||
|
"info": "Malspam 2016-04-27 - Locky",
|
||||||
|
"Orgc": {
|
||||||
|
"id": "2",
|
||||||
|
"name": "CIRCL"
|
||||||
|
},
|
||||||
|
"analysis": "2",
|
||||||
|
"Tag": [
|
||||||
|
{
|
||||||
|
"colour": "#ffffff",
|
||||||
|
"name": "tlp:white"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"colour": "#3d7a00",
|
||||||
|
"name": "circl:incident-classification=\"malware\""
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"colour": "#2c4f00",
|
||||||
|
"name": "malware_classification:malware-category=\"Ransomware\""
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"timestamp": "1461764231",
|
||||||
|
"date": "2016-04-27",
|
||||||
|
"threat_level_id": "3"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires April 4, 2017 [Page 15]
|
||||||
|
|
||||||
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
4. Security Considerations
|
||||||
|
|
||||||
|
MISP events might contain sensitive or confidential information.
|
||||||
|
Adequate access control and encryption measures shall be implemented
|
||||||
|
to ensure the confidentiality of the MISP events.
|
||||||
|
|
||||||
|
Adversaries might include malicious content in MISP events and
|
||||||
|
attributes. Implementation MUST consider the input of malicious
|
||||||
|
inputs beside the standard threat information that might already
|
||||||
|
include malicious intended inputs.
|
||||||
|
|
||||||
|
5. Acknowledgements
|
||||||
|
|
||||||
The authors wish to thank all the MISP community to support the
|
The authors wish to thank all the MISP community to support the
|
||||||
creation of open standards in threat intelligence sharing.
|
creation of open standards in threat intelligence sharing.
|
||||||
|
|
||||||
4. References
|
6. References
|
||||||
|
|
||||||
4.1. Normative References
|
6.1. Normative References
|
||||||
|
|
||||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||||||
Requirement Levels", BCP 14, RFC 2119,
|
Requirement Levels", BCP 14, RFC 2119,
|
||||||
|
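Review bot: In the new Manifest section, integrity:sha256 is only a SHOULD and the manifest itself is only required to be signed when every event file carries a detached PGP signature; a SHA256 recorded in an unsigned manifest.json fetched from an HTTP repository or copied from a USB key detects corruption but not tampering, because whoever alters the event file can update the digest alongside it. Consider making manifest.json.pgp a SHOULD on its own, independent of per-event signatures, and state in Security Considerations that integrity:sha256 without a signed manifest provides no authenticity. Two consistency points in the same hunk: the sample manifest carries a "Tag" array per event, which the field list (info, Orgc, analysis, timestamp, date, threat_level_id) does not mention, and the sample omits the integrity:sha256 and integrity:pgp fields that the list introduces, so the list and the sample should be brought into line. In the Tag text, colour is described as "an RGB value" while both samples show "#ffffff" and "#3d7a00"; specify the hex "#rrggbb" string form. Finally, the Security Considerations sentence "Implementation MUST consider the input of malicious inputs beside the standard threat information that might already include malicious intended inputs" is hard to parse; suggest "Implementations MUST treat every field of an event and of its attributes as untrusted input and validate or sanitise it before storage, rendering or further processing, since threat information is by nature supplied by, or describes, adversaries."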
@ -705,7 +877,12 @@ Internet-Draft MISP core format October 2016
|
||||||
DOI 10.17487/RFC4627, July 2006,
|
DOI 10.17487/RFC4627, July 2006,
|
||||||
<http://www.rfc-editor.org/info/rfc4627>.
|
<http://www.rfc-editor.org/info/rfc4627>.
|
||||||
|
|
||||||
4.2. Informative References
|
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
|
||||||
|
Thayer, "OpenPGP Message Format", RFC 4880,
|
||||||
|
DOI 10.17487/RFC4880, November 2007,
|
||||||
|
<http://www.rfc-editor.org/info/rfc4880>.
|
||||||
|
|
||||||
|
6.2. Informative References
|
||||||
|
|
||||||
[MISP-P] MISP, , "MISP Project - Malware Information Sharing
|
[MISP-P] MISP, , "MISP Project - Malware Information Sharing
|
||||||
Platform and Threat Sharing", <https://github.com/MISP>.
|
Platform and Threat Sharing", <https://github.com/MISP>.
|
||||||
|
@ -713,23 +890,16 @@ Internet-Draft MISP core format October 2016
|
||||||
[MISP-T] MISP, , "MISP Taxonomies - shared and common vocabularies
|
[MISP-T] MISP, , "MISP Taxonomies - shared and common vocabularies
|
||||||
of tags", <https://github.com/MISP/misp-taxonomies>.
|
of tags", <https://github.com/MISP/misp-taxonomies>.
|
||||||
|
|
||||||
Authors' Addresses
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires April 4, 2017 [Page 16]
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires April 4, 2017 [Page 13]
|
|
||||||
|
|
||||||
Internet-Draft MISP core format October 2016
|
Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
Authors' Addresses
|
||||||
|
|
||||||
Alexandre Dulaunoy
|
Alexandre Dulaunoy
|
||||||
Computer Incident Response Center Luxembourg
|
Computer Incident Response Center Luxembourg
|
||||||
41, avenue de la gare
|
41, avenue de la gare
|
||||||
|
@ -779,6 +949,4 @@ Internet-Draft MISP core format October 2016
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires April 4, 2017 [Page 17]
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires April 4, 2017 [Page 14]
|
|
||||||
|
|