add: [misp-query-format] WiP first introduction and general skeleton

pull/21/head
Alexandre Dulaunoy 2018-10-07 11:23:53 +02:00
parent b501364088
commit bc35cf0030
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
5 changed files with 1256 additions and 0 deletions

View File

@ -0,0 +1,9 @@
MMARK:=/home/adulau/git/mmark/mmark/mmark -xml2 -page
docs = $(wildcard *.md)
all: $(docs)
$(MMARK) $< > $<.xml
xml2rfc --text $<.xml
xml2rfc --html $<.xml

152
misp-query-format/raw.md Executable file
View File

@ -0,0 +1,152 @@
% Title = "MISP query format"
% abbrev = "MISP query format"
% category = "info"
% docName = "draft-dulaunoy-misp-core-format"
% ipr= "trust200902"
% area = "Security"
%
% date = 2018-10-08T00:00:00Z
%
% [[author]]
% initials="A."
% surname="Dulaunoy"
% fullname="Alexandre Dulaunoy"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "alexandre.dulaunoy@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1160"
% country = "Luxembourg"
% [[author]]
% initials="A."
% surname="Iklody"
% fullname="Andras Iklody"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "andras.iklody@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1160"
% country = "Luxembourg"
.# Abstract
This document describes the MISP query format used to search MISP (Malware Information and threat Sharing Platform) [@?MISP-P] threat intelligence instances.
MISP query format is a simple format used to query MISP instances over a REST (Representational State Transfer ) interface.
The query format includes the JSON format to describe the query and the minimal API access to perform the query. The JSON format includes the overall structure along with the semantic associated for each respective key. The goal of the format is to query MISP threat intelligence instances can feed and integrate with network security devices (such as firewall, network intrusion detection system, routers, SIEMs), endpoint security devices or monitoring devices.
{mainmatter}
# Introduction
Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat
information can include indicators of compromise, malicious file indicators, financial fraud indicators
or even detailed information about a threat actor. MISP [@?MISP-P] started as an open source project in late 2011 and
the MISP format started to be widely used as an exchange format within the community in the past years. The core format
is described in an Internet-Draft as misp-core-format [@?MISP-C] and contain the standard MISP JSON format used for threat
intelligence.
The aim of this document is to describe the specification of the MISP query format and how the query can be perform against a REST interface.
## Conventions and Terminology
The key words "**MUST**", "**MUST NOT**", "**REQUIRED**", "**SHALL**", "**SHALL NOT**",
"**SHOULD**", "**SHOULD NOT**", "**RECOMMENDED**", "**MAY**", and "**OPTIONAL**" in this
document are to be interpreted as described in RFC 2119 [@!RFC2119].
# Format
## Overview
The MISP query format is in the JSON [@!RFC4627] format.
## query format criteria
### returnFormat
returnFormat **MUST** be present. returnFormat sets the type of output format. MISP allows multiple format (depending of the configuration):
| value | Description |
|---------------|:-------------------------------------------------------------------------:|
| json | MISP JSON core format as described in [@?MISP-C] |
| xml | MISP XML format |
| openioc | OpenIOC format |
| suricata | Suricata NIDS format |
| snort | Snort NIDS format |
| csv | CSV format |
### limit
### page
### value
### type
### category
# Security Considerations
MISP threat intelligence instances might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the threat intelligence.
Adversaries might include malicious content in MISP queries. Implementation **MUST** consider the input of malicious inputs beside the
standard threat information that might already include malicious intended inputs.
# Acknowledgements
The authors wish to thank all the MISP community who are supporting the creation
of open standards in threat intelligence sharing. A special thank to all the committees which
triggered us to come with better and flexible format.
<reference anchor='MISP-P' target='https://github.com/MISP'>
<front>
<title>MISP Project - Malware Information Sharing Platform and Threat Sharing</title>
<author initials='' surname='MISP' fullname='MISP Community'></author>
<date></date>
</front>
</reference>
<reference anchor='MISP-C' target='https://tools.ietf.org/html/draft-dulaunoy-misp-core-format'>
<front>
<title>MISP core format</title>
<author initials='' surname='MISP' fullname='MISP Community'></author>
<date></date>
</front>
</reference>
<reference anchor='MISP-T' target='https://github.com/MISP/misp-taxonomies'>
<front>
<title>MISP Taxonomies - shared and common vocabularies of tags</title>
<author initials='' surname='MISP' fullname='MISP Community'></author>
<date></date>
</front>
</reference>
<reference anchor='MISP-R' target='https://github.com/MISP/misp-objects/tree/master/relationships'>
<front>
<title>MISP Object Relationship Types - common vocabulary of relationships</title>
<author initials='' surname='MISP' fullname='MISP Community'></author>
<date></date>
</front>
</reference>
<reference anchor='JSON-SCHEMA' target='https://tools.ietf.org/html/draft-wright-json-schema'>
<front>
<title>JSON Schema: A Media Type for Describing JSON Documents</title>
<author initials='' surname='' fullname='Austin Wright'></author>
<date year="2016"></date>
</front>
</reference>
{backmatter}

View File

@ -0,0 +1,652 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en" xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head profile="http://www.w3.org/2006/03/hcard http://dublincore.org/documents/2008/08/04/dc-html/">
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
<title>MISP query format</title>
<style type="text/css" title="Xml2Rfc (sans serif)">
/*<![CDATA[*/
a {
text-decoration: none;
}
/* info code from SantaKlauss at http://www.madaboutstyle.com/tooltip2.html */
a.info {
/* This is the key. */
position: relative;
z-index: 24;
text-decoration: none;
}
a.info:hover {
z-index: 25;
color: #FFF; background-color: #900;
}
a.info span { display: none; }
a.info:hover span.info {
/* The span will display just on :hover state. */
display: block;
position: absolute;
font-size: smaller;
top: 2em; left: -5em; width: 15em;
padding: 2px; border: 1px solid #333;
color: #900; background-color: #EEE;
text-align: left;
}
a.smpl {
color: black;
}
a:hover {
text-decoration: underline;
}
a:active {
text-decoration: underline;
}
address {
margin-top: 1em;
margin-left: 2em;
font-style: normal;
}
body {
color: black;
font-family: verdana, helvetica, arial, sans-serif;
font-size: 10pt;
max-width: 55em;
}
cite {
font-style: normal;
}
dd {
margin-right: 2em;
}
dl {
margin-left: 2em;
}
ul.empty {
list-style-type: none;
}
ul.empty li {
margin-top: .5em;
}
dl p {
margin-left: 0em;
}
dt {
margin-top: .5em;
}
h1 {
font-size: 14pt;
line-height: 21pt;
page-break-after: avoid;
}
h1.np {
page-break-before: always;
}
h1 a {
color: #333333;
}
h2 {
font-size: 12pt;
line-height: 15pt;
page-break-after: avoid;
}
h3, h4, h5, h6 {
font-size: 10pt;
page-break-after: avoid;
}
h2 a, h3 a, h4 a, h5 a, h6 a {
color: black;
}
img {
margin-left: 3em;
}
li {
margin-left: 2em;
margin-right: 2em;
}
ol {
margin-left: 2em;
margin-right: 2em;
}
ol p {
margin-left: 0em;
}
p {
margin-left: 2em;
margin-right: 2em;
}
pre {
margin-left: 3em;
background-color: lightyellow;
padding: .25em;
}
pre.text2 {
border-style: dotted;
border-width: 1px;
background-color: #f0f0f0;
width: 69em;
}
pre.inline {
background-color: white;
padding: 0em;
}
pre.text {
border-style: dotted;
border-width: 1px;
background-color: #f8f8f8;
width: 69em;
}
pre.drawing {
border-style: solid;
border-width: 1px;
background-color: #f8f8f8;
padding: 2em;
}
table {
margin-left: 2em;
}
table.tt {
vertical-align: top;
}
table.full {
border-style: outset;
border-width: 1px;
}
table.headers {
border-style: outset;
border-width: 1px;
}
table.tt td {
vertical-align: top;
}
table.full td {
border-style: inset;
border-width: 1px;
}
table.tt th {
vertical-align: top;
}
table.full th {
border-style: inset;
border-width: 1px;
}
table.headers th {
border-style: none none inset none;
border-width: 1px;
}
table.left {
margin-right: auto;
}
table.right {
margin-left: auto;
}
table.center {
margin-left: auto;
margin-right: auto;
}
caption {
caption-side: bottom;
font-weight: bold;
font-size: 9pt;
margin-top: .5em;
}
table.header {
border-spacing: 1px;
width: 95%;
font-size: 10pt;
color: white;
}
td.top {
vertical-align: top;
}
td.topnowrap {
vertical-align: top;
white-space: nowrap;
}
table.header td {
background-color: gray;
width: 50%;
}
table.header a {
color: white;
}
td.reference {
vertical-align: top;
white-space: nowrap;
padding-right: 1em;
}
thead {
display:table-header-group;
}
ul.toc, ul.toc ul {
list-style: none;
margin-left: 1.5em;
margin-right: 0em;
padding-left: 0em;
}
ul.toc li {
line-height: 150%;
font-weight: bold;
font-size: 10pt;
margin-left: 0em;
margin-right: 0em;
}
ul.toc li li {
line-height: normal;
font-weight: normal;
font-size: 9pt;
margin-left: 0em;
margin-right: 0em;
}
li.excluded {
font-size: 0pt;
}
ul p {
margin-left: 0em;
}
.comment {
background-color: yellow;
}
.center {
text-align: center;
}
.error {
color: red;
font-style: italic;
font-weight: bold;
}
.figure {
font-weight: bold;
text-align: center;
font-size: 9pt;
}
.filename {
color: #333333;
font-weight: bold;
font-size: 12pt;
line-height: 21pt;
text-align: center;
}
.fn {
font-weight: bold;
}
.hidden {
display: none;
}
.left {
text-align: left;
}
.right {
text-align: right;
}
.title {
color: #990000;
font-size: 18pt;
line-height: 18pt;
font-weight: bold;
text-align: center;
margin-top: 36pt;
}
.vcardline {
display: block;
}
.warning {
font-size: 14pt;
background-color: yellow;
}
@media print {
.noprint {
display: none;
}
a {
color: black;
text-decoration: none;
}
table.header {
width: 90%;
}
td.header {
width: 50%;
color: black;
background-color: white;
vertical-align: top;
font-size: 12pt;
}
ul.toc a::after {
content: leader('.') target-counter(attr(href), page);
}
ul.ind li li a {
content: target-counter(attr(href), page);
}
.print2col {
column-count: 2;
-moz-column-count: 2;
column-fill: auto;
}
}
@page {
@top-left {
content: "Internet-Draft";
}
@top-right {
content: "December 2010";
}
@top-center {
content: "Abbreviated Title";
}
@bottom-left {
content: "Doe";
}
@bottom-center {
content: "Expires June 2011";
}
@bottom-right {
content: "[Page " counter(page) "]";
}
}
@page:first {
@top-left {
content: normal;
}
@top-right {
content: normal;
}
@top-center {
content: normal;
}
}
/*]]>*/
</style>
<link href="#rfc.toc" rel="Contents">
<link href="#rfc.section.1" rel="Chapter" title="1 Introduction">
<link href="#rfc.section.1.1" rel="Chapter" title="1.1 Conventions and Terminology">
<link href="#rfc.section.2" rel="Chapter" title="2 Format">
<link href="#rfc.section.2.1" rel="Chapter" title="2.1 Overview">
<link href="#rfc.section.2.2" rel="Chapter" title="2.2 query format criteria">
<link href="#rfc.section.2.2.1" rel="Chapter" title="2.2.1 returnFormat">
<link href="#rfc.section.2.2.2" rel="Chapter" title="2.2.2 limit">
<link href="#rfc.section.2.2.3" rel="Chapter" title="2.2.3 page">
<link href="#rfc.section.2.2.4" rel="Chapter" title="2.2.4 value">
<link href="#rfc.section.2.2.5" rel="Chapter" title="2.2.5 type">
<link href="#rfc.section.2.2.6" rel="Chapter" title="2.2.6 category">
<link href="#rfc.section.3" rel="Chapter" title="3 Security Considerations">
<link href="#rfc.section.4" rel="Chapter" title="4 Acknowledgements">
<link href="#rfc.references" rel="Chapter" title="5 References">
<link href="#rfc.references.1" rel="Chapter" title="5.1 Normative References">
<link href="#rfc.references.2" rel="Chapter" title="5.2 Informative References">
<link href="#rfc.authors" rel="Chapter">
<meta name="generator" content="xml2rfc version 2.9.6 - https://tools.ietf.org/tools/xml2rfc" />
<link rel="schema.dct" href="http://purl.org/dc/terms/" />
<meta name="dct.creator" content="Dulaunoy, A. and A. Iklody" />
<meta name="dct.identifier" content="urn:ietf:id:draft-dulaunoy-misp-core-format" />
<meta name="dct.issued" scheme="ISO8601" content="2018-10-08" />
<meta name="dct.abstract" content="This document describes the MISP query format used to search MISP (Malware Information and threat Sharing Platform) " />
<meta name="description" content="This document describes the MISP query format used to search MISP (Malware Information and threat Sharing Platform) " />
</head>
<body>
<table class="header">
<tbody>
<tr>
<td class="left">Network Working Group</td>
<td class="right">A. Dulaunoy</td>
</tr>
<tr>
<td class="left">Internet-Draft</td>
<td class="right">A. Iklody</td>
</tr>
<tr>
<td class="left">Intended status: Informational</td>
<td class="right">CIRCL</td>
</tr>
<tr>
<td class="left">Expires: April 11, 2019</td>
<td class="right">October 8, 2018</td>
</tr>
</tbody>
</table>
<p class="title">MISP query format<br />
<span class="filename">draft-dulaunoy-misp-core-format</span></p>
<h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
<p>This document describes the MISP query format used to search MISP (Malware Information and threat Sharing Platform) <a href="#MISP-P" class="xref">[MISP-P]</a> threat intelligence instances. MISP query format is a simple format used to query MISP instances over a REST (Representational State Transfer ) interface. The query format includes the JSON format to describe the query and the minimal API access to perform the query. The JSON format includes the overall structure along with the semantic associated for each respective key. The goal of the format is to query MISP threat intelligence instances can feed and integrate with network security devices (such as firewall, network intrusion detection system, routers, SIEMs), endpoint security devices or monitoring devices. </p>
<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
<p>This Internet-Draft will expire on April 11, 2019.</p>
<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
<p>Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
<hr class="noprint" />
<h1 class="np" id="rfc.toc"><a href="#rfc.toc">Table of Contents</a></h1>
<ul class="toc">
<li>1. <a href="#rfc.section.1">Introduction</a>
</li>
<ul><li>1.1. <a href="#rfc.section.1.1">Conventions and Terminology</a>
</li>
</ul><li>2. <a href="#rfc.section.2">Format</a>
</li>
<ul><li>2.1. <a href="#rfc.section.2.1">Overview</a>
</li>
<li>2.2. <a href="#rfc.section.2.2">query format criteria</a>
</li>
<ul><li>2.2.1. <a href="#rfc.section.2.2.1">returnFormat</a>
</li>
<li>2.2.2. <a href="#rfc.section.2.2.2">limit</a>
</li>
<li>2.2.3. <a href="#rfc.section.2.2.3">page</a>
</li>
<li>2.2.4. <a href="#rfc.section.2.2.4">value</a>
</li>
<li>2.2.5. <a href="#rfc.section.2.2.5">type</a>
</li>
<li>2.2.6. <a href="#rfc.section.2.2.6">category</a>
</li>
</ul></ul><li>3. <a href="#rfc.section.3">Security Considerations</a>
</li>
<li>4. <a href="#rfc.section.4">Acknowledgements</a>
</li>
<li>5. <a href="#rfc.references">References</a>
</li>
<ul><li>5.1. <a href="#rfc.references.1">Normative References</a>
</li>
<li>5.2. <a href="#rfc.references.2">Informative References</a>
</li>
</ul><li><a href="#rfc.authors">Authors' Addresses</a>
</li>
</ul>
<h1 id="rfc.section.1">
<a href="#rfc.section.1">1.</a> <a href="#introduction" id="introduction">Introduction</a>
</h1>
<p id="rfc.section.1.p.1">Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. MISP <a href="#MISP-P" class="xref">[MISP-P]</a> started as an open source project in late 2011 and the MISP format started to be widely used as an exchange format within the community in the past years. The core format is described in an Internet-Draft as misp-core-format <a href="#MISP-C" class="xref">[MISP-C]</a> and contain the standard MISP JSON format used for threat intelligence. </p>
<p id="rfc.section.1.p.2">The aim of this document is to describe the specification of the MISP query format and how the query can be perform against a REST interface. </p>
<h1 id="rfc.section.1.1">
<a href="#rfc.section.1.1">1.1.</a> <a href="#conventions-and-terminology" id="conventions-and-terminology">Conventions and Terminology</a>
</h1>
<p id="rfc.section.1.1.p.1">The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 <a href="#RFC2119" class="xref">[RFC2119]</a>. </p>
<h1 id="rfc.section.2">
<a href="#rfc.section.2">2.</a> <a href="#format" id="format">Format</a>
</h1>
<h1 id="rfc.section.2.1">
<a href="#rfc.section.2.1">2.1.</a> <a href="#overview" id="overview">Overview</a>
</h1>
<p id="rfc.section.2.1.p.1">The MISP query format is in the JSON <a href="#RFC4627" class="xref">[RFC4627]</a> format. </p>
<h1 id="rfc.section.2.2">
<a href="#rfc.section.2.2">2.2.</a> <a href="#query-format-criteria" id="query-format-criteria">query format criteria</a>
</h1>
<h1 id="rfc.section.2.2.1">
<a href="#rfc.section.2.2.1">2.2.1.</a> <a href="#returnformat" id="returnformat">returnFormat</a>
</h1>
<p id="rfc.section.2.2.1.p.1">returnFormat MUST be present. returnFormat sets the type of output format. MISP allows multiple format (depending of the configuration): </p>
<table cellpadding="3" cellspacing="0" class="tt full center">
<thead><tr>
<th class="center">value</th>
<th class="center">Description</th>
</tr></thead>
<tbody>
<tr>
<td class="center">json</td>
<td class="center">MISP JSON core format as described in <a href="#MISP-C" class="xref">[MISP-C]</a>
</td>
</tr>
<tr>
<td class="center">xml</td>
<td class="center">MISP XML format</td>
</tr>
<tr>
<td class="center">openioc</td>
<td class="center">OpenIOC format</td>
</tr>
<tr>
<td class="center">suricata</td>
<td class="center">Suricata NIDS format</td>
</tr>
<tr>
<td class="center">snort</td>
<td class="center">Snort NIDS format</td>
</tr>
<tr>
<td class="center">csv</td>
<td class="center">CSV format</td>
</tr>
</tbody>
</table>
<h1 id="rfc.section.2.2.2">
<a href="#rfc.section.2.2.2">2.2.2.</a> <a href="#limit" id="limit">limit</a>
</h1>
<h1 id="rfc.section.2.2.3">
<a href="#rfc.section.2.2.3">2.2.3.</a> <a href="#page" id="page">page</a>
</h1>
<h1 id="rfc.section.2.2.4">
<a href="#rfc.section.2.2.4">2.2.4.</a> <a href="#value" id="value">value</a>
</h1>
<h1 id="rfc.section.2.2.5">
<a href="#rfc.section.2.2.5">2.2.5.</a> <a href="#type" id="type">type</a>
</h1>
<h1 id="rfc.section.2.2.6">
<a href="#rfc.section.2.2.6">2.2.6.</a> <a href="#category" id="category">category</a>
</h1>
<h1 id="rfc.section.3">
<a href="#rfc.section.3">3.</a> <a href="#security-considerations" id="security-considerations">Security Considerations</a>
</h1>
<p id="rfc.section.3.p.1">MISP threat intelligence instances might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the threat intelligence. </p>
<p id="rfc.section.3.p.2">Adversaries might include malicious content in MISP queries. Implementation MUST consider the input of malicious inputs beside the standard threat information that might already include malicious intended inputs. </p>
<h1 id="rfc.section.4">
<a href="#rfc.section.4">4.</a> <a href="#acknowledgements" id="acknowledgements">Acknowledgements</a>
</h1>
<p id="rfc.section.4.p.1">The authors wish to thank all the MISP community who are supporting the creation of open standards in threat intelligence sharing. A special thank to all the committees which triggered us to come with better and flexible format. </p>
<h1 id="rfc.references">
<a href="#rfc.references">5.</a> References</h1>
<h1 id="rfc.references.1">
<a href="#rfc.references.1">5.1.</a> Normative References</h1>
<table><tbody>
<tr>
<td class="reference"><b id="RFC2119">[RFC2119]</b></td>
<td class="top">
<a>Bradner, S.</a>, "<a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.</td>
</tr>
<tr>
<td class="reference"><b id="RFC4627">[RFC4627]</b></td>
<td class="top">
<a>Crockford, D.</a>, "<a href="https://tools.ietf.org/html/rfc4627">The application/json Media Type for JavaScript Object Notation (JSON)</a>", RFC 4627, DOI 10.17487/RFC4627, July 2006.</td>
</tr>
</tbody></table>
<h1 id="rfc.references.2">
<a href="#rfc.references.2">5.2.</a> Informative References</h1>
<table><tbody>
<tr>
<td class="reference"><b id="MISP-C">[MISP-C]</b></td>
<td class="top">
<a>MISP</a>, "<a href="https://tools.ietf.org/html/draft-dulaunoy-misp-core-format">MISP core format</a>"</td>
</tr>
<tr>
<td class="reference"><b id="MISP-P">[MISP-P]</b></td>
<td class="top">
<a>MISP</a>, "<a href="https://github.com/MISP">MISP Project - Malware Information Sharing Platform and Threat Sharing</a>"</td>
</tr>
</tbody></table>
<h1 id="rfc.authors"><a href="#rfc.authors">Authors' Addresses</a></h1>
<div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">Alexandre Dulaunoy</span>
<span class="n hidden">
<span class="family-name">Dulaunoy</span>
</span>
</span>
<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
<span class="adr">
<span class="vcardline">16, bd d'Avranches</span>
<span class="vcardline">
<span class="locality">Luxembourg</span>,
<span class="region"></span>
<span class="code">L-1160</span>
</span>
<span class="country-name vcardline">Luxembourg</span>
</span>
<span class="vcardline">Phone: +352 247 88444</span>
<span class="vcardline">EMail: <a href="mailto:alexandre.dulaunoy@circl.lu">alexandre.dulaunoy@circl.lu</a></span>
</address>
</div><div class="avoidbreak">
<address class="vcard">
<span class="vcardline">
<span class="fn">Andras Iklody</span>
<span class="n hidden">
<span class="family-name">Iklody</span>
</span>
</span>
<span class="org vcardline">Computer Incident Response Center Luxembourg</span>
<span class="adr">
<span class="vcardline">16, bd d'Avranches</span>
<span class="vcardline">
<span class="locality">Luxembourg</span>,
<span class="region"></span>
<span class="code">L-1160</span>
</span>
<span class="country-name vcardline">Luxembourg</span>
</span>
<span class="vcardline">Phone: +352 247 88444</span>
<span class="vcardline">EMail: <a href="mailto:andras.iklody@circl.lu">andras.iklody@circl.lu</a></span>
</address>
</div>
</body>
</html>

View File

@ -0,0 +1,280 @@
Network Working Group A. Dulaunoy
Internet-Draft A. Iklody
Intended status: Informational CIRCL
Expires: April 11, 2019 October 8, 2018
MISP query format
draft-dulaunoy-misp-core-format
Abstract
This document describes the MISP query format used to search MISP
(Malware Information and threat Sharing Platform) [MISP-P] threat
intelligence instances. MISP query format is a simple format used to
query MISP instances over a REST (Representational State Transfer )
interface. The query format includes the JSON format to describe the
query and the minimal API access to perform the query. The JSON
format includes the overall structure along with the semantic
associated for each respective key. The goal of the format is to
query MISP threat intelligence instances can feed and integrate with
network security devices (such as firewall, network intrusion
detection system, routers, SIEMs), endpoint security devices or
monitoring devices.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 11, 2019.
Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Dulaunoy & Iklody Expires April 11, 2019 [Page 1]
Internet-Draft MISP query format October 2018
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3
2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. query format criteria . . . . . . . . . . . . . . . . . . 3
2.2.1. returnFormat . . . . . . . . . . . . . . . . . . . . 3
2.2.2. limit . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.3. page . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.4. value . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.5. type . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2.6. category . . . . . . . . . . . . . . . . . . . . . . 3
3. Security Considerations . . . . . . . . . . . . . . . . . . . 3
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
5.1. Normative References . . . . . . . . . . . . . . . . . . 4
5.2. Informative References . . . . . . . . . . . . . . . . . 4
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4
1. Introduction
Sharing threat information became a fundamental requirements in the
Internet, security and intelligence community at large. Threat
information can include indicators of compromise, malicious file
indicators, financial fraud indicators or even detailed information
about a threat actor. MISP [MISP-P] started as an open source
project in late 2011 and the MISP format started to be widely used as
an exchange format within the community in the past years. The core
format is described in an Internet-Draft as misp-core-format [MISP-C]
and contain the standard MISP JSON format used for threat
intelligence.
The aim of this document is to describe the specification of the MISP
query format and how the query can be perform against a REST
interface.
Dulaunoy & Iklody Expires April 11, 2019 [Page 2]
Internet-Draft MISP query format October 2018
1.1. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Format
2.1. Overview
The MISP query format is in the JSON [RFC4627] format.
2.2. query format criteria
2.2.1. returnFormat
returnFormat MUST be present. returnFormat sets the type of output
format. MISP allows multiple format (depending of the
configuration):
+----------+------------------------------------------------+
| value | Description |
+----------+------------------------------------------------+
| json | MISP JSON core format as described in [MISP-C] |
| xml | MISP XML format |
| openioc | OpenIOC format |
| suricata | Suricata NIDS format |
| snort | Snort NIDS format |
| csv | CSV format |
+----------+------------------------------------------------+
2.2.2. limit
2.2.3. page
2.2.4. value
2.2.5. type
2.2.6. category
3. Security Considerations
MISP threat intelligence instances might contain sensitive or
confidential information. Adequate access control and encryption
measures shall be implemented to ensure the confidentiality of the
threat intelligence.
Dulaunoy & Iklody Expires April 11, 2019 [Page 3]
Internet-Draft MISP query format October 2018
Adversaries might include malicious content in MISP queries.
Implementation MUST consider the input of malicious inputs beside the
standard threat information that might already include malicious
intended inputs.
4. Acknowledgements
The authors wish to thank all the MISP community who are supporting
the creation of open standards in threat intelligence sharing. A
special thank to all the committees which triggered us to come with
better and flexible format.
5. References
5.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627,
DOI 10.17487/RFC4627, July 2006,
<https://www.rfc-editor.org/info/rfc4627>.
5.2. Informative References
[MISP-C] MISP, "MISP core format", <https://tools.ietf.org/html/
draft-dulaunoy-misp-core-format>.
[MISP-P] MISP, "MISP Project - Malware Information Sharing Platform
and Threat Sharing", <https://github.com/MISP>.
Authors' Addresses
Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
16, bd d'Avranches
Luxembourg L-1160
Luxembourg
Phone: +352 247 88444
Email: alexandre.dulaunoy@circl.lu
Dulaunoy & Iklody Expires April 11, 2019 [Page 4]
Internet-Draft MISP query format October 2018
Andras Iklody
Computer Incident Response Center Luxembourg
16, bd d'Avranches
Luxembourg L-1160
Luxembourg
Phone: +352 247 88444
Email: andras.iklody@circl.lu
Dulaunoy & Iklody Expires April 11, 2019 [Page 5]

View File

@ -0,0 +1,163 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM 'rfc2629.dtd' []>
<rfc ipr="trust200902" category="info" docName="draft-dulaunoy-misp-core-format">
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<?rfc private=""?>
<?rfc topblock="yes"?>
<?rfc comments="no"?>
<front>
<title abbrev="MISP query format">MISP query format</title>
<author initials="A." surname="Dulaunoy" fullname="Alexandre Dulaunoy">
<organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization>
<address>
<postal>
<street>16, bd d'Avranches</street>
<city>Luxembourg</city>
<code>L-1160</code>
<country>Luxembourg</country>
<region></region>
</postal>
<phone>+352 247 88444</phone>
<email>alexandre.dulaunoy@circl.lu</email>
<uri></uri>
</address>
</author>
<author initials="A." surname="Iklody" fullname="Andras Iklody">
<organization abbrev="CIRCL">Computer Incident Response Center Luxembourg</organization>
<address>
<postal>
<street>16, bd d'Avranches</street>
<city>Luxembourg</city>
<code>L-1160</code>
<country>Luxembourg</country>
<region></region>
</postal>
<phone>+352 247 88444</phone>
<email>andras.iklody@circl.lu</email>
<uri></uri>
</address>
</author>
<date year="2018" month="October" day="8"/>
<area>Security</area>
<workgroup></workgroup>
<abstract>
<t>This document describes the MISP query format used to search MISP (Malware Information and threat Sharing Platform) <xref target="MISP-P"/> threat intelligence instances.
MISP query format is a simple format used to query MISP instances over a REST (Representational State Transfer ) interface.
The query format includes the JSON format to describe the query and the minimal API access to perform the query. The JSON format includes the overall structure along with the semantic associated for each respective key. The goal of the format is to query MISP threat intelligence instances can feed and integrate with network security devices (such as firewall, network intrusion detection system, routers, SIEMs), endpoint security devices or monitoring devices.
</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat
information can include indicators of compromise, malicious file indicators, financial fraud indicators
or even detailed information about a threat actor. MISP <xref target="MISP-P"/> started as an open source project in late 2011 and
the MISP format started to be widely used as an exchange format within the community in the past years. The core format
is described in an Internet-Draft as misp-core-format <xref target="MISP-C"/> and contain the standard MISP JSON format used for threat
intelligence.
</t>
<t>The aim of this document is to describe the specification of the MISP query format and how the query can be perform against a REST interface.
</t>
<section anchor="conventions-and-terminology" title="Conventions and Terminology">
<t>The key words &quot;MUST&quot;, &quot;MUST NOT&quot;, &quot;REQUIRED&quot;, &quot;SHALL&quot;, &quot;SHALL NOT&quot;,
&quot;SHOULD&quot;, &quot;SHOULD NOT&quot;, &quot;RECOMMENDED&quot;, &quot;MAY&quot;, and &quot;OPTIONAL&quot; in this
document are to be interpreted as described in RFC 2119 <xref target="RFC2119"/>.
</t>
</section>
</section>
<section anchor="format" title="Format">
<section anchor="overview" title="Overview">
<t>The MISP query format is in the JSON <xref target="RFC4627"/> format.
</t>
</section>
<section anchor="query-format-criteria" title="query format criteria">
<section anchor="returnformat" title="returnFormat">
<t>returnFormat MUST be present. returnFormat sets the type of output format. MISP allows multiple format (depending of the configuration):
</t>
<texttable>
<ttcol align="center">value</ttcol>
<ttcol align="center">Description</ttcol>
<c>json</c><c>MISP JSON core format as described in <xref target="MISP-C"/></c>
<c>xml</c><c>MISP XML format</c>
<c>openioc</c><c>OpenIOC format</c>
<c>suricata</c><c>Suricata NIDS format</c>
<c>snort</c><c>Snort NIDS format</c>
<c>csv</c><c>CSV format</c>
</texttable>
</section>
<section anchor="limit" title="limit">
</section>
<section anchor="page" title="page">
</section>
<section anchor="value" title="value">
</section>
<section anchor="type" title="type">
</section>
<section anchor="category" title="category">
</section>
</section>
</section>
<section anchor="security-considerations" title="Security Considerations">
<t>MISP threat intelligence instances might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the threat intelligence.
</t>
<t>Adversaries might include malicious content in MISP queries. Implementation MUST consider the input of malicious inputs beside the
standard threat information that might already include malicious intended inputs.
</t>
</section>
<section anchor="acknowledgements" title="Acknowledgements">
<t>The authors wish to thank all the MISP community who are supporting the creation
of open standards in threat intelligence sharing. A special thank to all the committees which
triggered us to come with better and flexible format.
</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"?>
<?rfc include="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4627.xml"?>
</references>
<references title="Informative References">
<reference anchor='MISP-C' target='https://tools.ietf.org/html/draft-dulaunoy-misp-core-format'>
<front>
<title>MISP core format</title>
<author initials='' surname='MISP' fullname='MISP Community'></author>
<date></date>
</front>
</reference>
<reference anchor='MISP-P' target='https://github.com/MISP'>
<front>
<title>MISP Project - Malware Information Sharing Platform and Threat Sharing</title>
<author initials='' surname='MISP' fullname='MISP Community'></author>
<date></date>
</front>
</reference>
</references>
</back>
</rfc>