From bbfe417dc6e8f43433ae182234e7a2815221456d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 17 Jun 2018 20:39:57 +0200 Subject: [PATCH] Updated version including JSON schema reviewed --- misp-core-format/raw.md.txt | 488 ++++++++++++++++++++++++++---------- 1 file changed, 356 insertions(+), 132 deletions(-) diff --git a/misp-core-format/raw.md.txt b/misp-core-format/raw.md.txt index faf7703..6618c89 100755 --- a/misp-core-format/raw.md.txt +++ b/misp-core-format/raw.md.txt @@ -30,7 +30,7 @@ Status of This Memo Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- - Drafts is at http://datatracker.ietf.org/drafts/current/. + Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any @@ -46,7 +46,7 @@ Copyright Notice This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents - (http://trustee.ietf.org/license-info) in effect on the date of + (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must 
@@ -93,17 +93,17 @@ Table of Contents 2.10. Galaxy . . . . . . . . . . . . . . . . . . . . . . . . . 30 2.10.1. Sample Galaxy . . . . . . . . . . . . . . . . . . . 30 3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 32 - 4. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 41 - 4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 41 - 4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 42 - 5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 43 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 43 - 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 44 - 8. Sample MISP file . . . . . . . . . . . . . . . . . . . . . . 44 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 44 - 9.2. Informative References . . . . . . . . . . . . . . . . . 44 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 + 4. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 46 + 4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 46 + 4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 47 + 5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 48 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 48 + 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 48 + 8. Sample MISP file . . . . . . . . . . . . . . . . . . . . . . 48 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 48 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 48 + 9.2. Informative References . . . . . . . . . . . . . . . . . 49 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49 @@ -1194,6 +1194,7 @@ Internet-Draft MISP core format April 2018 "deleted": false, "ObjectReference": [], "Attribute": [ + { "id": "7822", "type": "filename", "category": "Payload delivery", 
@@ -1210,7 +1211,8 @@ Internet-Draft MISP core format April 2018 "object_relation": "filename", "value": "StarCraft.exe", "ShadowAttribute": [] - ] + } + ] } 2.6.2. Object Attributes @@ -1227,8 +1229,6 @@ Internet-Draft MISP core format April 2018 - - Dulaunoy & Iklody Expires October 12, 2018 [Page 22] Internet-Draft MISP core format April 2018 
@@ -1934,12 +1934,202 @@ Internet-Draft MISP core format April 2018 } } }, + "object": { + "type": "object", + "additionalProperties": false, + "properties": { + "uuid": { + "type": "string" + }, + "name": { + "type": "string" + }, + "event_id": { + "type": "string" + }, + "description": { + "type": "string" + }, + "template_uuid": { + "type": "string" + }, + "template_version": { + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 35] + +Internet-Draft MISP core format April 2018 + + + "type": "string" + }, + "id": { + "type": "string" + }, + "meta-category": { + "type": "string" + }, + "deleted": { + "type": "boolean" + }, + "timestamp": { + "type": "string" + }, + "distribution": { + "type": "string" + }, + "sharing_group_id": { + "type": "string" + }, + "comment": { + "type": "string" + }, + "ObjectReference": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/defs/objectreference" + } + }, + "Attribute": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/defs/attribute" + } + } + } + }, + "sighthing": { + "type": "object", + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "attribute_id": { + "type": "string" + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 36] + +Internet-Draft MISP core format April 2018 + + + }, + "event_id": { + "type": "string" + }, + "source": { + "type": "string" + }, + "type": { + "type": "string" + }, + "org_id": { + "type": "string" + }, + "date_sighting": { + "type": "string" + }, + "uuid": { + "type": "string" + }, + "Organisation": { + "$ref": "#/defs/organisation" + } + } + }, + "organisation": { + "type": "object", + "additionalProperties": false, + "properties": { + "id": { + "type": "string" + }, + "uuid": { + "type": "string" + }, + "name": { + "type": "string" + } + } + }, + "objectreference": { + "type": "object", + "additionalProperties": false, + "properties": { + "deleted": { + "type": "boolean" + }, + "object_id": { + "type": "string" + 
+ + +Dulaunoy & Iklody Expires October 12, 2018 [Page 37] + +Internet-Draft MISP core format April 2018 + + + }, + "event_id": { + "type": "string" + }, + "timestamp": { + "type": "string" + }, + "id": { + "type": "string" + }, + "uuid": { + "type": "string" + }, + "type": { + "type": "string" + }, + "referenced_id": { + "type": "string" + }, + "referenced_uuid": { + "type": "string" + }, + "referenced_type": { + "type": "string" + }, + "relationship_type": { + "type": "string" + }, + "object_uuid": { + "type": "string" + }, + "comment": { + "type": "string" + }, + "Object": { + "$ref": "#/defs/object" + } + } + }, "attribute": { "type": "object", "additionalProperties": false, "properties": { "id": { "type": "string" + }, + "old_id": { + "type": "string" + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 38] + +Internet-Draft MISP core format April 2018 + + }, "type": { "type": "string" @@ -1954,14 +2144,21 @@ Internet-Draft MISP core format April 2018 "type": "string" }, "event_id": { - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 35] - -Internet-Draft MISP core format April 2018 - - + "type": "string" + }, + "event_uuid": { + "type": "string" + }, + "proposal_to_delete": { + "type": "boolean" + }, + "validationIssue": { + "type": "boolean" + }, + "Org": { + "$ref": "#/defs/organisation" + }, + "org_id": { "type": "string" }, "distribution": { @@ -1981,6 +2178,14 @@ Internet-Draft MISP core format April 2018 }, "disable_correlation": { "type": "boolean" + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 39] + +Internet-Draft MISP core format April 2018 + + }, "value": { "type": "string" @@ -1988,6 +2193,12 @@ Internet-Draft MISP core format April 2018 "data": { "type": "string" }, + "object_relation": { + "type": ["string", "null"] + }, + "object_id": { + "type": "string" + }, "SharingGroup": { "$ref": "#/defs/sharing_group" }, 
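Review bot: In the `@@ -1934,12 +1934,202 @@` hunk the new definition key `"sighthing"` is misspelled; the `@@ -1998,9 +2209,23 @@` hunk references it as `"#/defs/sighthing"`, so it resolves, but the typo becomes part of the published schema and should read `"sighting"` in both places, matching `"Sighting"` and `date_sighting`. None of the four added definitions (`object`, `sighthing`, `organisation`, `objectreference`) declares `"required"`, and every identifier is a bare `"type": "string"`, so an empty `{}` validates as any of them. If the schema is meant to vet events received from other parties, list the mandatory keys and constrain the `uuid` fields, for example `"pattern": "^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$"`. Also, `object.ObjectReference` points to `objectreference`, whose `Object` property points back to `object`, so the schema puts no bound on nesting depth. The Security Considerations section could state that implementations parsing untrusted input must enforce their own depth and size limits.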
@@ -1998,9 +2209,23 @@ Internet-Draft MISP core format April 2018 "$ref": "#/defs/attribute" } }, - "Tag": { + "Sighting": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/defs/sighthing" + } + }, + "Galaxy": { "type": "array", "uniqueItems": true, + "items": { + "$ref": "#/defs/galaxy" + } + }, + "Tag": { + "uniqueItems": true, + "type": "array", "items": { "$ref": "#/defs/tag" } @@ -2009,15 +2234,15 @@ Internet-Draft MISP core format April 2018 }, "event": { "type": "object", - "additionalProperties": false, -Dulaunoy & Iklody Expires October 12, 2018 [Page 36] +Dulaunoy & Iklody Expires October 12, 2018 [Page 40] Internet-Draft MISP core format April 2018 + "additionalProperties": false, "properties": { "id": { "type": "string" @@ -2031,6 +2256,9 @@ Internet-Draft MISP core format April 2018 "date": { "type": "string" }, + "extends_uuid": { + "type": "string" + }, "threat_level_id": { "type": "string" }, @@ -2062,18 +2290,18 @@ Internet-Draft MISP core format April 2018 "type": "boolean" }, "publish_timestamp": { - "type": "string" - }, - "sharing_group_id": { - "type": "string" -Dulaunoy & Iklody Expires October 12, 2018 [Page 37] +Dulaunoy & Iklody Expires October 12, 2018 [Page 41] Internet-Draft MISP core format April 2018 + "type": "string" + }, + "sharing_group_id": { + "type": "string" }, "disable_correlation": { "type": "boolean" @@ -2118,20 +2346,27 @@ Internet-Draft MISP core format April 2018 } }, "Galaxy": { - "type": "array", - "uniqueItems": true, - "items": { - "$ref": "#/defs/galaxy" -Dulaunoy & Iklody Expires October 12, 2018 [Page 38] +Dulaunoy & Iklody Expires October 12, 2018 [Page 42] Internet-Draft MISP core format April 2018 + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/defs/galaxy" } }, + "Object": { + "type": "array", + "uniqueItems": true, + "items": { + "$ref": "#/defs/object" + } + }, "Tag": { "type": "array", "uniqueItems": true, 
@@ -2159,11 +2394,22 @@ Internet-Draft MISP core format April 2018 }, "hide_tag": { "type": "boolean" + }, + "user_id": { + "type": "string" } } }, "galaxy": { "type": "object", + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 43] + +Internet-Draft MISP core format April 2018 + + "additionalProperties": false, "properties": { "id": { @@ -2178,20 +2424,18 @@ Internet-Draft MISP core format April 2018 "type": { "type": "string" }, - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 39] - -Internet-Draft MISP core format April 2018 - - "description": { "type": "string" }, "version": { "type": "string" }, + "icon": { + "type": "string" + }, + "namespace": { + "type": "string" + }, "GalaxyCluster": { "type": "array", "uniqueItems": true, @@ -2214,6 +2458,14 @@ Internet-Draft MISP core format April 2018 "type": { "type": "string" }, + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 44] + +Internet-Draft MISP core format April 2018 + + "value": { "type": "string" }, @@ -2226,6 +2478,9 @@ Internet-Draft MISP core format April 2018 "galaxy_id": { "type": "string" }, + "version": { + "type": "string" + }, "source": { "type": "string" }, @@ -2234,14 +2489,6 @@ Internet-Draft MISP core format April 2018 "uniqueItems": true, "items": { "type": "string" - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 40] - -Internet-Draft MISP core format April 2018 - - } }, "tag_id": { @@ -2264,6 +2511,17 @@ Internet-Draft MISP core format April 2018 ] } + + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 45] + +Internet-Draft MISP core format April 2018 + + 4. Manifest MISP events can be shared over an HTTP repository, a file package or @@ -2290,14 +2548,6 @@ Internet-Draft MISP core format April 2018 o analysis (SHALL) - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 41] - -Internet-Draft MISP core format April 2018 - - o timestamp (MUST) o date (MUST) 
@@ -2320,6 +2570,14 @@ Internet-Draft MISP core format April 2018 detached PGP signature for a manifest file is a manifest.json.asc file containing the PGP signature. + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 46] + +Internet-Draft MISP core format April 2018 + + 4.1.1. Sample Manifest { @@ -2346,14 +2604,6 @@ Internet-Draft MISP core format April 2018 "threat_level_id": "3" }, "5720accd-dd28-45f8-80e5-4605950d210f": { - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 42] - -Internet-Draft MISP core format April 2018 - - "info": "Malspam 2016-04-27 - Locky", "Orgc": { "id": "2", @@ -2376,6 +2626,14 @@ Internet-Draft MISP core format April 2018 ], "timestamp": "1461764231", "date": "2016-04-27", + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 47] + +Internet-Draft MISP core format April 2018 + + "threat_level_id": "3" } } @@ -2401,19 +2659,11 @@ Internet-Draft MISP core format April 2018 inputs beside the standard threat information that might already include malicious intended inputs. - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 43] - -Internet-Draft MISP core format April 2018 - - 7. Acknowledgements The authors wish to thank all the MISP community who are supporting - the creation of open standards in threat intelligence sharing. + the creation of open standards in threat intelligence sharing. A + special thank to Nicolas Bareil for the review of the JSON Schema. 8. Sample MISP file 
@@ -2423,48 +2673,49 @@ Internet-Draft MISP core format April 2018 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, - DOI 10.17487/RFC2119, March 1997, . + DOI 10.17487/RFC2119, March 1997, + . [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, - DOI 10.17487/RFC4122, July 2005, . + DOI 10.17487/RFC4122, July 2005, + . + + + + + +Dulaunoy & Iklody Expires October 12, 2018 [Page 48] + +Internet-Draft MISP core format April 2018 + [RFC4627] Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, - DOI 10.17487/RFC4627, July 2006, . + DOI 10.17487/RFC4627, July 2006, + . [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. Thayer, "OpenPGP Message Format", RFC 4880, - DOI 10.17487/RFC4880, November 2007, . + DOI 10.17487/RFC4880, November 2007, + . 9.2. Informative References [JSON-SCHEMA] "JSON Schema: A Media Type for Describing JSON Documents", - 2016, . + 2016, + . - [MISP-P] MISP, , "MISP Project - Malware Information Sharing - Platform and Threat Sharing", . + [MISP-P] MISP, "MISP Project - Malware Information Sharing Platform + and Threat Sharing", . - [MISP-R] MISP, , "MISP Object Relationship Types - common - vocabulary of relationships", . - - [MISP-T] MISP, , "MISP Taxonomies - shared and common vocabularies - of tags", . - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 44] - -Internet-Draft MISP core format April 2018 + [MISP-R] MISP, "MISP Object Relationship Types - common vocabulary + of relationships", . + [MISP-T] MISP, "MISP Taxonomies - shared and common vocabularies of + tags", . Authors' Addresses @@ -2490,31 +2741,4 @@ Authors' Addresses - - - - - - - - - - - - - - - - - - - - - - - - - - - -Dulaunoy & Iklody Expires October 12, 2018 [Page 45] +Dulaunoy & Iklody Expires October 12, 2018 [Page 49]