mirror of https://github.com/MISP/misp-rfc
Initial skeleton for the MISP core format Internet-Draft
commit
b65bf7b8ec
@ -0,0 +1,5 @@
# MISP formats

This repository is the official source of the standard MISP formats.

* [misp-core-format](misp-core-format/raw.md.txt) [markdown source](misp-core-format/raw.md) which describes the core JSON format of MISP.
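Review bot: the README's list entry links the rendered `raw.md.txt` first and the markdown source second, but nothing tells a contributor that the text file is generated; add one line saying that `raw.md` is the file to edit and that running `make` (the Makefile in this commit drives mmark and `xml2rfc --text`) regenerates the rendered copy, so nobody patches the output by hand.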
@ -0,0 +1,8 @@
MMARK:=/home/adulau/git/mmark/mmark/mmark -xml2 -page

docs = $(wildcard *.md)

all: $(docs)
$(MMARK) $< > $<.xml
xml2rfc --text $<.xml

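Review bot: `MMARK` on the first line is hard-coded to an absolute path under `/home/adulau/`, so the build only works on one machine; make it overridable and default to the binary on PATH, e.g. `MMARK ?= mmark -xml2 -page`. Two smaller points in the `all` rule: the recipe uses `$<`, which expands to the first prerequisite only, so if `docs` ever matches more than one `.md` file only the first is rendered (a pattern rule such as `%.md.txt: %.md` run over `$(docs:.md=.md.txt)` handles all of them), and `all` should be declared `.PHONY` since no file of that name is ever produced.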
@ -0,0 +1,67 @@
% Title = "MISP core format"
% abbrev = "MISP core format"
% category = "info"
% docName = "draft-dulaunoy-misp-core-format"
% ipr= "trust200902"
% area = "Security"
%
% date = 2016-10-01T00:00:00Z
%
% [[author]]
% initials="M."
% surname="Dulaunoy"
% fullname="Alexandre Dulaunoy"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "alexandre.dulaunoy@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "41, avenue de la gare"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"

.# Abstract

This document describes the MISP core format used to exchange indicators and threat information between
MISP (Malware Information and threat Sharing Platform) instances.
The JSON format includes the overall structure along with the semantic associated for each
respective key. The format is described to support other implementations which reuse the
format and ensuring an interoperability with existing MISP [@?MISP-P] software and other Threat Intelligence Platform.

{mainmatter}

# Introduction

Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat
information can include indicators of compromise, malicious file indicators, financial fraud indicators
or even detailed information about a threat actor. MISP started as an open source project in late 2011

# Format

## Overview

The MISP core format is in the JSON [@!RFC4627] format. In MISP, an event is composed of a single JSON object.

## Event

An event is a simple meta structure scheme where attributes are embedded


<reference anchor='MISP-P' target='https://github.com/MISP'>
<front>
<title>MISP Project - Malware Information Sharing Platform and Threat Sharing</title>
<author initials='' surname='MISP' fullname='MISP Community'></author>
<date></date>
</front>
</reference>

{backmatter}

# Acknowledgements

The authors wish to thank all the MISP community to support the creation
of open standards in threat intelligence sharing.


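Review bot: the `<reference anchor='MISP-P'>` block near the end of the file leaves `initials=''` and `<date></date>` empty, which xml2rfc renders as the dangling `MISP, ,` seen in the generated text in this same commit; drop the empty attribute and element or fill them in. Two further points: `[@!RFC4627]` in the Overview is a normative citation of a document that RFC 7159 obsoleted in 2014, so the JSON reference should point at RFC 7159; and both the Introduction (`MISP started as an open source project in late 2011`) and the Event section (`where attributes are embedded`) stop mid-sentence without a full stop, which the rendered draft reproduces verbatim, while `a fundamental requirements` in the Introduction should be singular.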
@ -0,0 +1,168 @@




Network Working Group M. Dulaunoy
Internet-Draft CIRCL
Intended status: Informational October 1, 2016
Expires: April 4, 2017


MISP core format
draft-dulaunoy-misp-core-format

Abstract

This document describes the MISP core format used to exchange
indicators and threat information between MISP (Malware Information
and threat Sharing Platform) instances. The JSON format includes the
overall structure along with the semantic associated for each
respective key. The format is described to support other
implementations which reuse the format and ensuring an
interoperability with existing MISP [MISP-P] software and other
Threat Intelligence Platform.

Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 4, 2017.

Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must



Dulaunoy Expires April 4, 2017 [Page 1]

Internet-Draft MISP core format October 2016


include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 2
2.2. Event . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3. References . . . . . . . . . . . . . . . . . . . . . . . . . 2
3.1. Normative References . . . . . . . . . . . . . . . . . . 2
3.2. Informative References . . . . . . . . . . . . . . . . . 3
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 3
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 3

1. Introduction

Sharing threat information became a fundamental requirements in the
Internet, security and intelligence community at large. Threat
information can include indicators of compromise, malicious file
indicators, financial fraud indicators or even detailed information
about a threat actor. MISP started as an open source project in late
2011

2. Format

2.1. Overview

The MISP core format is in the JSON [RFC4627] format. In MISP, an
event is composed of a single JSON object.

2.2. Event

An event is a simple meta structure scheme where attributes are
embedded

3. References

3.1. Normative References

[RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627,
DOI 10.17487/RFC4627, July 2006,
<http://www.rfc-editor.org/info/rfc4627>.






Dulaunoy Expires April 4, 2017 [Page 2]

Internet-Draft MISP core format October 2016


3.2. Informative References

[MISP-P] MISP, , "MISP Project - Malware Information Sharing
Platform and Threat Sharing", <https://github.com/MISP>.

Appendix A. Acknowledgements

The authors wish to thank all the MISP community to support the
creation of open standards in threat intelligence sharing.

Author's Address

Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
41, avenue de la gare
Luxembourg L-1611
Luxembourg

Phone: +352 247 88444
Email: alexandre.dulaunoy@circl.lu
































Dulaunoy Expires April 4, 2017 [Page 3]
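Review bot: this whole file is build output (the Makefile's `xml2rfc --text` step produces it from `raw.md`), and committing it means every source edit needs a matching regeneration or the README's first link serves stale text; either regenerate it as part of each change to `raw.md` or leave it untracked and link the README to the source only. Note also that the `Expires: April 4, 2017` header is fixed by the `date = 2016-10-01` metadata in the source, so the tracked copy will read as expired unless the date is bumped on each revision.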