Initial skeleton for the MISP core format Internet-Draft

5 years ago · b65bf7b8ec
4 changed files with 248 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,5 @@
+# MISP formats
+
+This repository is the official source of the standard MISP formats.
+
+* [misp-core-format](misp-core-format/raw.md.txt) [markdown source](misp-core-format/raw.md) which describes the core JSON format of MISP.
--- a/misp-core-format/Makefile
+++ b/misp-core-format/Makefile
@ -0,0 +1,8 @@
+MMARK:=/home/adulau/git/mmark/mmark/mmark -xml2 -page
+
+docs = $(wildcard *.md)
+
+all: $(docs)
+		$(MMARK) $< > $<.xml
+		xml2rfc --text $<.xml
+
--- a/misp-core-format/raw.md
+++ b/misp-core-format/raw.md
@ -0,0 +1,67 @@
+% Title = "MISP core format"
+% abbrev = "MISP core format"
+% category = "info"
+% docName = "draft-dulaunoy-misp-core-format"
+% ipr= "trust200902"
+% area = "Security"
+%
+% date = 2016-10-01T00:00:00Z
+%
+% [[author]]
+% initials="M."
+% surname="Dulaunoy"
+% fullname="Alexandre Dulaunoy"
+% abbrev="CIRCL"
+% organization = "Computer Incident Response Center Luxembourg"
+%  [author.address]
+%  email = "alexandre.dulaunoy@circl.lu"
+%  phone = "+352 247 88444"
+%   [author.address.postal]
+%   street = "41, avenue de la gare"
+%   city = "Luxembourg"
+%   code = "L-1611"
+%   country = "Luxembourg"
+
+.# Abstract
+
+This document describes the MISP core format used to exchange indicators and threat information between
+MISP (Malware Information and threat Sharing Platform) instances.
+The JSON format includes the overall structure along with the semantic associated for each
+respective key. The format is described to support other implementations which reuse the
+format and ensuring an interoperability with existing MISP [@?MISP-P] software and other Threat Intelligence Platform.
+
+{mainmatter}
+
+# Introduction
+
+Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat
+information can include indicators of compromise, malicious file indicators, financial fraud indicators
+or even detailed information about a threat actor. MISP started as an open source project in late 2011
+
+# Format
+
+## Overview
+
+The MISP core format is in the JSON [@!RFC4627] format. In MISP, an event is composed of a single JSON object.
+
+## Event
+
+An event is a simple meta structure scheme where attributes are embedded 
+
+
+<reference anchor='MISP-P' target='https://github.com/MISP'>
+  <front>
+   <title>MISP Project - Malware Information Sharing Platform and Threat Sharing</title>
+   <author initials='' surname='MISP' fullname='MISP Community'></author>
+   <date></date>
+  </front>
+</reference>
+
+{backmatter}
+
+# Acknowledgements
+
+The authors wish to thank all the MISP community to support the creation
+of open standards in threat intelligence sharing.
+
+
--- a/misp-core-format/raw.md.txt
+++ b/misp-core-format/raw.md.txt
@ -0,0 +1,168 @@
+
+
+
+
+Network Working Group                                        M. Dulaunoy
+Internet-Draft                                                     CIRCL
+Intended status: Informational                           October 1, 2016
+Expires: April 4, 2017
+
+
+                            MISP core format
+                    draft-dulaunoy-misp-core-format
+
+Abstract
+
+   This document describes the MISP core format used to exchange
+   indicators and threat information between MISP (Malware Information
+   and threat Sharing Platform) instances.  The JSON format includes the
+   overall structure along with the semantic associated for each
+   respective key.  The format is described to support other
+   implementations which reuse the format and ensuring an
+   interoperability with existing MISP [MISP-P] software and other
+   Threat Intelligence Platform.
+
+Status of This Memo
+
+   This Internet-Draft is submitted in full conformance with the
+   provisions of BCP 78 and BCP 79.
+
+   Internet-Drafts are working documents of the Internet Engineering
+   Task Force (IETF).  Note that other groups may also distribute
+   working documents as Internet-Drafts.  The list of current Internet-
+   Drafts is at http://datatracker.ietf.org/drafts/current/.
+
+   Internet-Drafts are draft documents valid for a maximum of six months
+   and may be updated, replaced, or obsoleted by other documents at any
+   time.  It is inappropriate to use Internet-Drafts as reference
+   material or to cite them other than as "work in progress."
+
+   This Internet-Draft will expire on April 4, 2017.
+
+Copyright Notice
+
+   Copyright (c) 2016 IETF Trust and the persons identified as the
+   document authors.  All rights reserved.
+
+   This document is subject to BCP 78 and the IETF Trust's Legal
+   Provisions Relating to IETF Documents
+   (http://trustee.ietf.org/license-info) in effect on the date of
+   publication of this document.  Please review these documents
+   carefully, as they describe your rights and restrictions with respect
+   to this document.  Code Components extracted from this document must
+
+
+
+Dulaunoy                  Expires April 4, 2017                 [Page 1]
+
+Internet-Draft              MISP core format                October 2016
+
+
+   include Simplified BSD License text as described in Section 4.e of
+   the Trust Legal Provisions and are provided without warranty as
+   described in the Simplified BSD License.
+
+Table of Contents
+
+   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
+   2.  Format  . . . . . . . . . . . . . . . . . . . . . . . . . . .   2
+     2.1.  Overview  . . . . . . . . . . . . . . . . . . . . . . . .   2
+     2.2.  Event . . . . . . . . . . . . . . . . . . . . . . . . . .   2
+   3.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   2
+     3.1.  Normative References  . . . . . . . . . . . . . . . . . .   2
+     3.2.  Informative References  . . . . . . . . . . . . . . . . .   3
+   Appendix A.  Acknowledgements . . . . . . . . . . . . . . . . . .   3
+   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   3
+
+1.  Introduction
+
+   Sharing threat information became a fundamental requirements in the
+   Internet, security and intelligence community at large.  Threat
+   information can include indicators of compromise, malicious file
+   indicators, financial fraud indicators or even detailed information
+   about a threat actor.  MISP started as an open source project in late
+   2011
+
+2.  Format
+
+2.1.  Overview
+
+   The MISP core format is in the JSON [RFC4627] format.  In MISP, an
+   event is composed of a single JSON object.
+
+2.2.  Event
+
+   An event is a simple meta structure scheme where attributes are
+   embedded
+
+3.  References
+
+3.1.  Normative References
+
+   [RFC4627]  Crockford, D., "The application/json Media Type for
+              JavaScript Object Notation (JSON)", RFC 4627,
+              DOI 10.17487/RFC4627, July 2006,
+              <http://www.rfc-editor.org/info/rfc4627>.
+
+
+
+
+
+
+Dulaunoy                  Expires April 4, 2017                 [Page 2]
+
+Internet-Draft              MISP core format                October 2016
+
+
+3.2.  Informative References
+
+   [MISP-P]   MISP, , "MISP Project - Malware Information Sharing
+              Platform and Threat Sharing", <https://github.com/MISP>.
+
+Appendix A.  Acknowledgements
+
+   The authors wish to thank all the MISP community to support the
+   creation of open standards in threat intelligence sharing.
+
+Author's Address
+
+   Alexandre Dulaunoy
+   Computer Incident Response Center Luxembourg
+   41, avenue de la gare
+   Luxembourg  L-1611
+   Luxembourg
+
+   Phone: +352 247 88444
+   Email: alexandre.dulaunoy@circl.lu
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Dulaunoy                  Expires April 4, 2017                 [Page 3]