Updated version including JSON schema reviewed

pull/17/head
Alexandre Dulaunoy 2018-06-17 20:39:57 +02:00
parent f3ae6a7f1f
commit bbfe417dc6
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
1 changed files with 356 additions and 132 deletions


@ -30,7 +30,7 @@ Status of This Memo
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
@ -46,7 +46,7 @@ Copyright Notice
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
@ -93,17 +93,17 @@ Table of Contents
2.10. Galaxy . . . . . . . . . . . . . . . . . . . . . . . . . 30 2.10. Galaxy . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.10.1. Sample Galaxy . . . . . . . . . . . . . . . . . . . 30 2.10.1. Sample Galaxy . . . . . . . . . . . . . . . . . . . 30
3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 32 3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 32
4. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 41 4. Manifest . . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 41 4.1. Format . . . . . . . . . . . . . . . . . . . . . . . . . 46
4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 42 4.1.1. Sample Manifest . . . . . . . . . . . . . . . . . . . 47
5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 43 5. Implementation . . . . . . . . . . . . . . . . . . . . . . . 48
6. Security Considerations . . . . . . . . . . . . . . . . . . . 43 6. Security Considerations . . . . . . . . . . . . . . . . . . . 48
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 44 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 48
8. Sample MISP file . . . . . . . . . . . . . . . . . . . . . . 44 8. Sample MISP file . . . . . . . . . . . . . . . . . . . . . . 48
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 44 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 48
9.1. Normative References . . . . . . . . . . . . . . . . . . 44 9.1. Normative References . . . . . . . . . . . . . . . . . . 48
9.2. Informative References . . . . . . . . . . . . . . . . . 44 9.2. Informative References . . . . . . . . . . . . . . . . . 49
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 45 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 49
@ -1194,6 +1194,7 @@ Internet-Draft MISP core format April 2018
"deleted": false, "deleted": false,
"ObjectReference": [], "ObjectReference": [],
"Attribute": [ "Attribute": [
{
"id": "7822", "id": "7822",
"type": "filename", "type": "filename",
"category": "Payload delivery", "category": "Payload delivery",
@ -1210,7 +1211,8 @@ Internet-Draft MISP core format April 2018
"object_relation": "filename", "object_relation": "filename",
"value": "StarCraft.exe", "value": "StarCraft.exe",
"ShadowAttribute": [] "ShadowAttribute": []
] }
]
} }
2.6.2. Object Attributes 2.6.2. Object Attributes
@ -1227,8 +1229,6 @@ Internet-Draft MISP core format April 2018
Dulaunoy & Iklody Expires October 12, 2018 [Page 22] Dulaunoy & Iklody Expires October 12, 2018 [Page 22]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018
@ -1934,12 +1934,202 @@ Internet-Draft MISP core format April 2018
} }
} }
}, },
"object": {
"type": "object",
"additionalProperties": false,
"properties": {
"uuid": {
"type": "string"
},
"name": {
"type": "string"
},
"event_id": {
"type": "string"
},
"description": {
"type": "string"
},
"template_uuid": {
"type": "string"
},
"template_version": {
Dulaunoy & Iklody Expires October 12, 2018 [Page 35]
Internet-Draft MISP core format April 2018
"type": "string"
},
"id": {
"type": "string"
},
"meta-category": {
"type": "string"
},
"deleted": {
"type": "boolean"
},
"timestamp": {
"type": "string"
},
"distribution": {
"type": "string"
},
"sharing_group_id": {
"type": "string"
},
"comment": {
"type": "string"
},
"ObjectReference": {
"type": "array",
"uniqueItems": true,
"items": {
"$ref": "#/defs/objectreference"
}
},
"Attribute": {
"type": "array",
"uniqueItems": true,
"items": {
"$ref": "#/defs/attribute"
}
}
}
},
"sighthing": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"attribute_id": {
"type": "string"
Dulaunoy & Iklody Expires October 12, 2018 [Page 36]
Internet-Draft MISP core format April 2018
},
"event_id": {
"type": "string"
},
"source": {
"type": "string"
},
"type": {
"type": "string"
},
"org_id": {
"type": "string"
},
"date_sighting": {
"type": "string"
},
"uuid": {
"type": "string"
},
"Organisation": {
"$ref": "#/defs/organisation"
}
}
},
"organisation": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"uuid": {
"type": "string"
},
"name": {
"type": "string"
}
}
},
"objectreference": {
"type": "object",
"additionalProperties": false,
"properties": {
"deleted": {
"type": "boolean"
},
"object_id": {
"type": "string"
Dulaunoy & Iklody Expires October 12, 2018 [Page 37]
Internet-Draft MISP core format April 2018
},
"event_id": {
"type": "string"
},
"timestamp": {
"type": "string"
},
"id": {
"type": "string"
},
"uuid": {
"type": "string"
},
"type": {
"type": "string"
},
"referenced_id": {
"type": "string"
},
"referenced_uuid": {
"type": "string"
},
"referenced_type": {
"type": "string"
},
"relationship_type": {
"type": "string"
},
"object_uuid": {
"type": "string"
},
"comment": {
"type": "string"
},
"Object": {
"$ref": "#/defs/object"
}
}
},
"attribute": { "attribute": {
"type": "object", "type": "object",
"additionalProperties": false, "additionalProperties": false,
"properties": { "properties": {
"id": { "id": {
"type": "string" "type": "string"
},
"old_id": {
"type": "string"
Dulaunoy & Iklody Expires October 12, 2018 [Page 38]
Internet-Draft MISP core format April 2018
}, },
"type": { "type": {
"type": "string" "type": "string"
@ -1954,14 +2144,21 @@ Internet-Draft MISP core format April 2018
"type": "string" "type": "string"
}, },
"event_id": { "event_id": {
"type": "string"
},
"event_uuid": {
Dulaunoy & Iklody Expires October 12, 2018 [Page 35] "type": "string"
},
Internet-Draft MISP core format April 2018 "proposal_to_delete": {
"type": "boolean"
},
"validationIssue": {
"type": "boolean"
},
"Org": {
"$ref": "#/defs/organisation"
},
"org_id": {
"type": "string" "type": "string"
}, },
"distribution": { "distribution": {
@ -1981,6 +2178,14 @@ Internet-Draft MISP core format April 2018
}, },
"disable_correlation": { "disable_correlation": {
"type": "boolean" "type": "boolean"
Dulaunoy & Iklody Expires October 12, 2018 [Page 39]
Internet-Draft MISP core format April 2018
}, },
"value": { "value": {
"type": "string" "type": "string"
@ -1988,6 +2193,12 @@ Internet-Draft MISP core format April 2018
"data": { "data": {
"type": "string" "type": "string"
}, },
"object_relation": {
"type": ["string", "null"]
},
"object_id": {
"type": "string"
},
"SharingGroup": { "SharingGroup": {
"$ref": "#/defs/sharing_group" "$ref": "#/defs/sharing_group"
}, },
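Review bot: "object_id" is typed as "string" only, while "object_relation" directly above it accepts ["string", "null"]. An attribute that is not part of an object needs a defined value for both, so either allow null on "object_id" as well or state the placeholder value the format expects there.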
@ -1998,9 +2209,23 @@ Internet-Draft MISP core format April 2018
"$ref": "#/defs/attribute" "$ref": "#/defs/attribute"
} }
}, },
"Tag": { "Sighting": {
"type": "array",
"uniqueItems": true,
"items": {
"$ref": "#/defs/sighthing"
}
},
"Galaxy": {
"type": "array", "type": "array",
"uniqueItems": true, "uniqueItems": true,
"items": {
"$ref": "#/defs/galaxy"
}
},
"Tag": {
"uniqueItems": true,
"type": "array",
"items": { "items": {
"$ref": "#/defs/tag" "$ref": "#/defs/tag"
} }
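Review bot: the "$ref" under the new "Sighting" array points at "#/defs/sighthing", a misspelling of "sighting". It resolves only because the definition key carries the same typo, so rename both to "sighting" before the name is copied into validators built from this schema. In the same hunk "Tag" now lists "uniqueItems" before "type", unlike "Sighting" and "Galaxy"; keep one key order.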
@ -2009,15 +2234,15 @@ Internet-Draft MISP core format April 2018
}, },
"event": { "event": {
"type": "object", "type": "object",
"additionalProperties": false,
Dulaunoy & Iklody Expires October 12, 2018 [Page 36] Dulaunoy & Iklody Expires October 12, 2018 [Page 40]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018
"additionalProperties": false,
"properties": { "properties": {
"id": { "id": {
"type": "string" "type": "string"
@ -2031,6 +2256,9 @@ Internet-Draft MISP core format April 2018
"date": { "date": {
"type": "string" "type": "string"
}, },
"extends_uuid": {
"type": "string"
},
"threat_level_id": { "threat_level_id": {
"type": "string" "type": "string"
}, },
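Review bot: "extends_uuid" is declared as a bare "type": "string", so any text passes where the UUID of the extended event is expected. The draft already cites RFC 4122 as a normative reference; consider a "pattern" constraint for the UUID form here, and on the other uuid fields, so a malformed reference is rejected at validation time.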
@ -2062,18 +2290,18 @@ Internet-Draft MISP core format April 2018
"type": "boolean" "type": "boolean"
}, },
"publish_timestamp": { "publish_timestamp": {
"type": "string"
},
"sharing_group_id": {
"type": "string"
Dulaunoy & Iklody Expires October 12, 2018 [Page 37] Dulaunoy & Iklody Expires October 12, 2018 [Page 41]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018
"type": "string"
},
"sharing_group_id": {
"type": "string"
}, },
"disable_correlation": { "disable_correlation": {
"type": "boolean" "type": "boolean"
@ -2118,20 +2346,27 @@ Internet-Draft MISP core format April 2018
} }
}, },
"Galaxy": { "Galaxy": {
"type": "array",
"uniqueItems": true,
"items": {
"$ref": "#/defs/galaxy"
Dulaunoy & Iklody Expires October 12, 2018 [Page 38] Dulaunoy & Iklody Expires October 12, 2018 [Page 42]
Internet-Draft MISP core format April 2018 Internet-Draft MISP core format April 2018
"type": "array",
"uniqueItems": true,
"items": {
"$ref": "#/defs/galaxy"
} }
}, },
"Object": {
"type": "array",
"uniqueItems": true,
"items": {
"$ref": "#/defs/object"
}
},
"Tag": { "Tag": {
"type": "array", "type": "array",
"uniqueItems": true, "uniqueItems": true,
@ -2159,11 +2394,22 @@ Internet-Draft MISP core format April 2018
}, },
"hide_tag": { "hide_tag": {
"type": "boolean" "type": "boolean"
},
"user_id": {
"type": "string"
} }
} }
}, },
"galaxy": { "galaxy": {
"type": "object", "type": "object",
Dulaunoy & Iklody Expires October 12, 2018 [Page 43]
Internet-Draft MISP core format April 2018
"additionalProperties": false, "additionalProperties": false,
"properties": { "properties": {
"id": { "id": {
@ -2178,20 +2424,18 @@ Internet-Draft MISP core format April 2018
"type": { "type": {
"type": "string" "type": "string"
}, },
Dulaunoy & Iklody Expires October 12, 2018 [Page 39]
Internet-Draft MISP core format April 2018
"description": { "description": {
"type": "string" "type": "string"
}, },
"version": { "version": {
"type": "string" "type": "string"
}, },
"icon": {
"type": "string"
},
"namespace": {
"type": "string"
},
"GalaxyCluster": { "GalaxyCluster": {
"type": "array", "type": "array",
"uniqueItems": true, "uniqueItems": true,
@ -2214,6 +2458,14 @@ Internet-Draft MISP core format April 2018
"type": { "type": {
"type": "string" "type": "string"
}, },
Dulaunoy & Iklody Expires October 12, 2018 [Page 44]
Internet-Draft MISP core format April 2018
"value": { "value": {
"type": "string" "type": "string"
}, },
@ -2226,6 +2478,9 @@ Internet-Draft MISP core format April 2018
"galaxy_id": { "galaxy_id": {
"type": "string" "type": "string"
}, },
"version": {
"type": "string"
},
"source": { "source": {
"type": "string" "type": "string"
}, },
@ -2234,14 +2489,6 @@ Internet-Draft MISP core format April 2018
"uniqueItems": true, "uniqueItems": true,
"items": { "items": {
"type": "string" "type": "string"
Dulaunoy & Iklody Expires October 12, 2018 [Page 40]
Internet-Draft MISP core format April 2018
} }
}, },
"tag_id": { "tag_id": {
@ -2264,6 +2511,17 @@ Internet-Draft MISP core format April 2018
] ]
} }
Dulaunoy & Iklody Expires October 12, 2018 [Page 45]
Internet-Draft MISP core format April 2018
4. Manifest 4. Manifest
MISP events can be shared over an HTTP repository, a file package or MISP events can be shared over an HTTP repository, a file package or
@ -2290,14 +2548,6 @@ Internet-Draft MISP core format April 2018
o analysis (SHALL) o analysis (SHALL)
Dulaunoy & Iklody Expires October 12, 2018 [Page 41]
Internet-Draft MISP core format April 2018
o timestamp (MUST) o timestamp (MUST)
o date (MUST) o date (MUST)
@ -2320,6 +2570,14 @@ Internet-Draft MISP core format April 2018
detached PGP signature for a manifest file is a manifest.json.asc detached PGP signature for a manifest file is a manifest.json.asc
file containing the PGP signature. file containing the PGP signature.
Dulaunoy & Iklody Expires October 12, 2018 [Page 46]
Internet-Draft MISP core format April 2018
4.1.1. Sample Manifest 4.1.1. Sample Manifest
{ {
@ -2346,14 +2604,6 @@ Internet-Draft MISP core format April 2018
"threat_level_id": "3" "threat_level_id": "3"
}, },
"5720accd-dd28-45f8-80e5-4605950d210f": { "5720accd-dd28-45f8-80e5-4605950d210f": {
Dulaunoy & Iklody Expires October 12, 2018 [Page 42]
Internet-Draft MISP core format April 2018
"info": "Malspam 2016-04-27 - Locky", "info": "Malspam 2016-04-27 - Locky",
"Orgc": { "Orgc": {
"id": "2", "id": "2",
@ -2376,6 +2626,14 @@ Internet-Draft MISP core format April 2018
], ],
"timestamp": "1461764231", "timestamp": "1461764231",
"date": "2016-04-27", "date": "2016-04-27",
Dulaunoy & Iklody Expires October 12, 2018 [Page 47]
Internet-Draft MISP core format April 2018
"threat_level_id": "3" "threat_level_id": "3"
} }
} }
@ -2401,19 +2659,11 @@ Internet-Draft MISP core format April 2018
inputs beside the standard threat information that might already inputs beside the standard threat information that might already
include malicious intended inputs. include malicious intended inputs.
Dulaunoy & Iklody Expires October 12, 2018 [Page 43]
Internet-Draft MISP core format April 2018
7. Acknowledgements 7. Acknowledgements
The authors wish to thank all the MISP community who are supporting The authors wish to thank all the MISP community who are supporting
the creation of open standards in threat intelligence sharing. the creation of open standards in threat intelligence sharing. A
special thank to Nicolas Bareil for the review of the JSON Schema.
8. Sample MISP file 8. Sample MISP file
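Review bot: in the sentence added to section 7, "A special thank to Nicolas Bareil" should read "Special thanks to Nicolas Bareil".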
@ -2423,48 +2673,49 @@ Internet-Draft MISP core format April 2018
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc- DOI 10.17487/RFC2119, March 1997,
editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122, Unique IDentifier (UUID) URN Namespace", RFC 4122,
DOI 10.17487/RFC4122, July 2005, <https://www.rfc- DOI 10.17487/RFC4122, July 2005,
editor.org/info/rfc4122>. <https://www.rfc-editor.org/info/rfc4122>.
Dulaunoy & Iklody Expires October 12, 2018 [Page 48]
Internet-Draft MISP core format April 2018
[RFC4627] Crockford, D., "The application/json Media Type for [RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627, JavaScript Object Notation (JSON)", RFC 4627,
DOI 10.17487/RFC4627, July 2006, <https://www.rfc- DOI 10.17487/RFC4627, July 2006,
editor.org/info/rfc4627>. <https://www.rfc-editor.org/info/rfc4627>.
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R. [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
Thayer, "OpenPGP Message Format", RFC 4880, Thayer, "OpenPGP Message Format", RFC 4880,
DOI 10.17487/RFC4880, November 2007, <https://www.rfc- DOI 10.17487/RFC4880, November 2007,
editor.org/info/rfc4880>. <https://www.rfc-editor.org/info/rfc4880>.
9.2. Informative References 9.2. Informative References
[JSON-SCHEMA] [JSON-SCHEMA]
"JSON Schema: A Media Type for Describing JSON Documents", "JSON Schema: A Media Type for Describing JSON Documents",
2016, <https://tools.ietf.org/html/draft-wright-json- 2016,
schema>. <https://tools.ietf.org/html/draft-wright-json-schema>.
[MISP-P] MISP, , "MISP Project - Malware Information Sharing [MISP-P] MISP, "MISP Project - Malware Information Sharing Platform
Platform and Threat Sharing", <https://github.com/MISP>. and Threat Sharing", <https://github.com/MISP>.
[MISP-R] MISP, , "MISP Object Relationship Types - common [MISP-R] MISP, "MISP Object Relationship Types - common vocabulary
vocabulary of relationships", <https://github.com/MISP/ of relationships", <https://github.com/MISP/misp-
misp-objects/tree/master/relationships>. objects/tree/master/relationships>.
[MISP-T] MISP, , "MISP Taxonomies - shared and common vocabularies
of tags", <https://github.com/MISP/misp-taxonomies>.
Dulaunoy & Iklody Expires October 12, 2018 [Page 44]
Internet-Draft MISP core format April 2018
[MISP-T] MISP, "MISP Taxonomies - shared and common vocabularies of
tags", <https://github.com/MISP/misp-taxonomies>.
Authors' Addresses Authors' Addresses
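Review bot: the [MISP-R] entry still breaks its URL mid-word ("misp-" at the end of one line, "objects/tree/master/relationships>" on the next), while the other references in this hunk were reflowed to keep each URL on a single line. Apply the same reflow to [MISP-R] so the URL can be copied intact.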
@ -2490,31 +2741,4 @@ Authors' Addresses
Dulaunoy & Iklody Expires October 12, 2018 [Page 49]
Dulaunoy & Iklody Expires October 12, 2018 [Page 45]