From b65bf7b8ecf2e58ba3a5b0fcf8368a4dfab3b05d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 1 Oct 2016 12:18:59 +0200
Subject: [PATCH] Initial skeleton for the MISP core format Internet-Draft
---
 README.md | 5 ++
 misp-core-format/Makefile | 8 ++
 misp-core-format/raw.md | 67 ++++++++++++++
 misp-core-format/raw.md.txt | 168 ++++++++++++++++++++++++++++++++++++
 4 files changed, 248 insertions(+)
 create mode 100644 README.md
 create mode 100644 misp-core-format/Makefile
 create mode 100644 misp-core-format/raw.md
 create mode 100644 misp-core-format/raw.md.txt
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0f9c6b1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# MISP formats
+
+This repository is the official source of the standard MISP formats.
+
+* [misp-core-format](misp-core-format/raw.md.txt) [markdown source](misp-core-format/raw.md) which describes the core JSON format of MISP.
diff --git a/misp-core-format/Makefile b/misp-core-format/Makefile
new file mode 100644
index 0000000..4c6cd06
--- /dev/null
+++ b/misp-core-format/Makefile
@@ -0,0 +1,8 @@
+MMARK:=/home/adulau/git/mmark/mmark/mmark -xml2 -page
+
+docs = $(wildcard *.md)
+
+all: $(docs)
+	$(MMARK) $< > $<.xml
+	xml2rfc --text $<.xml
+
diff --git a/misp-core-format/raw.md b/misp-core-format/raw.md
new file mode 100644
index 0000000..7e250cd
--- /dev/null
+++ b/misp-core-format/raw.md
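Review bot: `MMARK:=/home/adulau/git/mmark/mmark/mmark -xml2 -page` in the Makefile hunk hard-codes one developer's home directory, so the build fails for anyone else and cannot be overridden from the environment; prefer `MMARK ?= mmark` with the flags in a separate `MMARKFLAGS ?= -xml2 -page`, so the tool is resolved from PATH (or pointed at a pinned build via `make MMARK=...`) and the published draft is reproducible by other reviewers. The `all: $(docs)` rule also only ever builds the first `.md`, because `$<` expands to the first prerequisite alone, and `all` should be declared `.PHONY` since no file of that name is produced. A pattern rule per stage fixes both and lets make skip unchanged stages; note as well that `$(MMARK) $< > $@` leaves a truncated `$@` behind when mmark fails, which a later run then treats as up to date, so `.DELETE_ON_ERROR:` (or writing to a temp file and renaming) is worth adding.
```makefile
MMARK      ?= mmark
MMARKFLAGS ?= -xml2 -page

docs = $(wildcard *.md)

.PHONY: all
.DELETE_ON_ERROR:

all: $(docs:.md=.md.txt)

%.md.xml: %.md
	$(MMARK) $(MMARKFLAGS) $< > $@

%.md.txt: %.md.xml
	xml2rfc --text -o $@ $<
```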
@@ -0,0 +1,67 @@
+% Title = "MISP core format"
+% abbrev = "MISP core format"
+% category = "info"
+% docName = "draft-dulaunoy-misp-core-format"
+% ipr= "trust200902"
+% area = "Security"
+%
+% date = 2016-10-01T00:00:00Z
+%
+% [[author]]
+% initials="M."
+% surname="Dulaunoy"
+% fullname="Alexandre Dulaunoy"
+% abbrev="CIRCL"
+% organization = "Computer Incident Response Center Luxembourg"
+% [author.address]
+% email = "alexandre.dulaunoy@circl.lu"
+% phone = "+352 247 88444"
+% [author.address.postal]
+% street = "41, avenue de la gare"
+% city = "Luxembourg"
+% code = "L-1611"
+% country = "Luxembourg"
+
+.# Abstract
+
+This document describes the MISP core format used to exchange indicators and threat information between
+MISP (Malware Information and threat Sharing Platform) instances.
+The JSON format includes the overall structure along with the semantic associated for each
+respective key. The format is described to support other implementations which reuse the
+format and ensuring an interoperability with existing MISP [@?MISP-P] software and other Threat Intelligence Platform.
+
+{mainmatter}
+
+# Introduction
+
+Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat
+information can include indicators of compromise, malicious file indicators, financial fraud indicators
+or even detailed information about a threat actor. MISP started as an open source project in late 2011
+
+# Format
+
+## Overview
+
+The MISP core format is in the JSON [@!RFC4627] format. In MISP, an event is composed of a single JSON object.
+
+## Event
+
+An event is a simple meta structure scheme where attributes are embedded
+
+
+
+ MISP Project - Malware Information Sharing Platform and Threat Sharing
+
+
+
+
+
+{backmatter}
+
+# Acknowledgements
+
+The authors wish to thank all the MISP community to support the creation
+of open standards in threat intelligence sharing.
+
+
diff --git a/misp-core-format/raw.md.txt b/misp-core-format/raw.md.txt
new file mode 100644
index 0000000..d241402
--- /dev/null
+++ b/misp-core-format/raw.md.txt
@@ -0,0 +1,168 @@ + + + + +Network Working Group M. Dulaunoy +Internet-Draft CIRCL +Intended status: Informational October 1, 2016 +Expires: April 4, 2017 + + + MISP core format + draft-dulaunoy-misp-core-format + +Abstract + + This document describes the MISP core format used to exchange + indicators and threat information between MISP (Malware Information + and threat Sharing Platform) instances. The JSON format includes the + overall structure along with the semantic associated for each + respective key. The format is described to support other + implementations which reuse the format and ensuring an + interoperability with existing MISP [MISP-P] software and other + Threat Intelligence Platform. + +Status of This Memo + + This Internet-Draft is submitted in full conformance with the + provisions of BCP 78 and BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF). Note that other groups may also distribute + working documents as Internet-Drafts. The list of current Internet- + Drafts is at http://datatracker.ietf.org/drafts/current/. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + This Internet-Draft will expire on April 4, 2017. + +Copyright Notice + + Copyright (c) 2016 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + (http://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. 
Code Components extracted from this document must + + + +Dulaunoy Expires April 4, 2017 [Page 1] + +Internet-Draft MISP core format October 2016 + + + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 + 2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 + 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 2 + 2.2. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 2 + 3. References . . . . . . . . . . . . . . . . . . . . . . . . . 2 + 3.1. Normative References . . . . . . . . . . . . . . . . . . 2 + 3.2. Informative References . . . . . . . . . . . . . . . . . 3 + Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 3 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 3 + +1. Introduction + + Sharing threat information became a fundamental requirements in the + Internet, security and intelligence community at large. Threat + information can include indicators of compromise, malicious file + indicators, financial fraud indicators or even detailed information + about a threat actor. MISP started as an open source project in late + 2011 + +2. Format + +2.1. Overview + + The MISP core format is in the JSON [RFC4627] format. In MISP, an + event is composed of a single JSON object. + +2.2. Event + + An event is a simple meta structure scheme where attributes are + embedded + +3. References + +3.1. Normative References + + [RFC4627] Crockford, D., "The application/json Media Type for + JavaScript Object Notation (JSON)", RFC 4627, + DOI 10.17487/RFC4627, July 2006, + . + + + + + + +Dulaunoy Expires April 4, 2017 [Page 2] + +Internet-Draft MISP core format October 2016 + + +3.2. Informative References + + [MISP-P] MISP, , "MISP Project - Malware Information Sharing + Platform and Threat Sharing", . 
+ +Appendix A. Acknowledgements + + The authors wish to thank all the MISP community to support the + creation of open standards in threat intelligence sharing. + +Author's Address + + Alexandre Dulaunoy + Computer Incident Response Center Luxembourg + 41, avenue de la gare + Luxembourg L-1611 + Luxembourg + + Phone: +352 247 88444 + Email: alexandre.dulaunoy@circl.lu + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Dulaunoy Expires April 4, 2017 [Page 3]