From bc35cf0030cc0d161122db8b37deca001fbf0efd Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 7 Oct 2018 11:23:53 +0200 Subject: [PATCH] add: [misp-query-format] WiP first introduction and general skeleton --- misp-query-format/Makefile | 9 + misp-query-format/raw.md | 152 ++++++++ misp-query-format/raw.md.html | 652 ++++++++++++++++++++++++++++++++++ misp-query-format/raw.md.txt | 280 +++++++++++++++ misp-query-format/raw.md.xml | 163 +++++++++ 5 files changed, 1256 insertions(+) create mode 100644 misp-query-format/Makefile create mode 100755 misp-query-format/raw.md create mode 100644 misp-query-format/raw.md.html create mode 100644 misp-query-format/raw.md.txt create mode 100644 misp-query-format/raw.md.xml diff --git a/misp-query-format/Makefile b/misp-query-format/Makefile new file mode 100644 index 0000000..210eb88 --- /dev/null +++ b/misp-query-format/Makefile @@ -0,0 +1,9 @@ +MMARK:=/home/adulau/git/mmark/mmark/mmark -xml2 -page + +docs = $(wildcard *.md) + +all: $(docs) + $(MMARK) $< > $<.xml + xml2rfc --text $<.xml + xml2rfc --html $<.xml + diff --git a/misp-query-format/raw.md b/misp-query-format/raw.md new file mode 100755 index 0000000..7cfa0bc --- /dev/null +++ b/misp-query-format/raw.md @@ -0,0 +1,152 @@ +% Title = "MISP query format" +% abbrev = "MISP query format" +% category = "info" +% docName = "draft-dulaunoy-misp-core-format" +% ipr= "trust200902" +% area = "Security" +% +% date = 2018-10-08T00:00:00Z +% +% [[author]] +% initials="A." +% surname="Dulaunoy" +% fullname="Alexandre Dulaunoy" +% abbrev="CIRCL" +% organization = "Computer Incident Response Center Luxembourg" +% [author.address] +% email = "alexandre.dulaunoy@circl.lu" +% phone = "+352 247 88444" +% [author.address.postal] +% street = "16, bd d'Avranches" +% city = "Luxembourg" +% code = "L-1160" +% country = "Luxembourg" +% [[author]] +% initials="A." +% surname="Iklody" +% fullname="Andras Iklody" +% abbrev="CIRCL" +% organization = "Computer Incident Response Center Luxembourg" +% [author.address] +% email = "andras.iklody@circl.lu" +% phone = "+352 247 88444" +% [author.address.postal] +% street = "16, bd d'Avranches" +% city = "Luxembourg" +% code = "L-1160" +% country = "Luxembourg" + +.# Abstract + +This document describes the MISP query format used to search MISP (Malware Information and threat Sharing Platform) [@?MISP-P] threat intelligence instances. +MISP query format is a simple format used to query MISP instances over a REST (Representational State Transfer ) interface. +The query format includes the JSON format to describe the query and the minimal API access to perform the query. The JSON format includes the overall structure along with the semantic associated for each respective key. The goal of the format is to query MISP threat intelligence instances can feed and integrate with network security devices (such as firewall, network intrusion detection system, routers, SIEMs), endpoint security devices or monitoring devices. + +{mainmatter} + +# Introduction + +Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat +information can include indicators of compromise, malicious file indicators, financial fraud indicators +or even detailed information about a threat actor. MISP [@?MISP-P] started as an open source project in late 2011 and +the MISP format started to be widely used as an exchange format within the community in the past years. The core format +is described in an Internet-Draft as misp-core-format [@?MISP-C] and contain the standard MISP JSON format used for threat +intelligence. + +The aim of this document is to describe the specification of the MISP query format and how the query can be perform against a REST interface. + +## Conventions and Terminology + +The key words "**MUST**", "**MUST NOT**", "**REQUIRED**", "**SHALL**", "**SHALL NOT**", +"**SHOULD**", "**SHOULD NOT**", "**RECOMMENDED**", "**MAY**", and "**OPTIONAL**" in this +document are to be interpreted as described in RFC 2119 [@!RFC2119]. + +# Format + +## Overview + +The MISP query format is in the JSON [@!RFC4627] format. + + +## query format criteria + +### returnFormat + +returnFormat **MUST** be present. returnFormat sets the type of output format. MISP allows multiple format (depending of the configuration): + +| value | Description | +|---------------|:-------------------------------------------------------------------------:| +| json | MISP JSON core format as described in [@?MISP-C] | +| xml | MISP XML format | +| openioc | OpenIOC format | +| suricata | Suricata NIDS format | +| snort | Snort NIDS format | +| csv | CSV format | + +### limit + +### page + +### value + +### type + +### category + + +# Security Considerations + +MISP threat intelligence instances might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the threat intelligence. + +Adversaries might include malicious content in MISP queries. Implementation **MUST** consider the input of malicious inputs beside the +standard threat information that might already include malicious intended inputs. + +# Acknowledgements + +The authors wish to thank all the MISP community who are supporting the creation +of open standards in threat intelligence sharing. A special thank to all the committees which +triggered us to come with better and flexible format. + + + + + MISP Project - Malware Information Sharing Platform and Threat Sharing + + + + + + + + MISP core format + + + + + + + + MISP Taxonomies - shared and common vocabularies of tags + + + + + + + + MISP Object Relationship Types - common vocabulary of relationships + + + + + + + + JSON Schema: A Media Type for Describing JSON Documents + + + + + + +{backmatter} diff --git a/misp-query-format/raw.md.html b/misp-query-format/raw.md.html new file mode 100644 index 0000000..cbaa4d3 --- /dev/null +++ b/misp-query-format/raw.md.html @@ -0,0 +1,652 @@ + + + + + + + MISP query format + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network Working GroupA. Dulaunoy
Internet-DraftA. Iklody
Intended status: InformationalCIRCL
Expires: April 11, 2019October 8, 2018
+ +

MISP query format
+ draft-dulaunoy-misp-core-format

+ +

Abstract

+

This document describes the MISP query format used to search MISP (Malware Information and threat Sharing Platform) [MISP-P] threat intelligence instances. MISP query format is a simple format used to query MISP instances over a REST (Representational State Transfer ) interface. The query format includes the JSON format to describe the query and the minimal API access to perform the query. The JSON format includes the overall structure along with the semantic associated for each respective key. The goal of the format is to query MISP threat intelligence instances can feed and integrate with network security devices (such as firewall, network intrusion detection system, routers, SIEMs), endpoint security devices or monitoring devices.

+

Status of This Memo

+

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

+

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

+

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

+

This Internet-Draft will expire on April 11, 2019.

+

Copyright Notice

+

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

+

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

+ + +
+

Table of Contents

+ + +

+1. Introduction +

+

Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. MISP [MISP-P] started as an open source project in late 2011 and the MISP format started to be widely used as an exchange format within the community in the past years. The core format is described in an Internet-Draft as misp-core-format [MISP-C] and contain the standard MISP JSON format used for threat intelligence.

+

The aim of this document is to describe the specification of the MISP query format and how the query can be perform against a REST interface.

+

+1.1. Conventions and Terminology +

+

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

+

+2. Format +

+

+2.1. Overview +

+

The MISP query format is in the JSON [RFC4627] format.

+

+2.2. query format criteria +

+

+2.2.1. returnFormat +

+

returnFormat MUST be present. returnFormat sets the type of output format. MISP allows multiple format (depending of the configuration):

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
valueDescription
jsonMISP JSON core format as described in [MISP-C] +
xmlMISP XML format
openiocOpenIOC format
suricataSuricata NIDS format
snortSnort NIDS format
csvCSV format
+

+2.2.2. limit +

+

+2.2.3. page +

+

+2.2.4. value +

+

+2.2.5. type +

+

+2.2.6. category +

+

+3. Security Considerations +

+

MISP threat intelligence instances might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the threat intelligence.

+

Adversaries might include malicious content in MISP queries. Implementation MUST consider the input of malicious inputs beside the standard threat information that might already include malicious intended inputs.

+

+4. Acknowledgements +

+

The authors wish to thank all the MISP community who are supporting the creation of open standards in threat intelligence sharing. A special thank to all the committees which triggered us to come with better and flexible format.

+

+5. References

+

+5.1. Normative References

+ + + + + + + + + +
[RFC2119] +Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997.
[RFC4627] +Crockford, D., "The application/json Media Type for JavaScript Object Notation (JSON)", RFC 4627, DOI 10.17487/RFC4627, July 2006.
+

+5.2. Informative References

+ + + + + + + + + +
[MISP-C] +MISP, "MISP core format"
[MISP-P] +MISP, "MISP Project - Malware Information Sharing Platform and Threat Sharing"
+

Authors' Addresses

+
+
+ + Alexandre Dulaunoy + + + Computer Incident Response Center Luxembourg + + 16, bd d'Avranches + + + Luxembourg, + + L-1160 + + Luxembourg + + Phone: +352 247 88444 + +EMail: alexandre.dulaunoy@circl.lu + +
+
+
+ + Andras Iklody + + + Computer Incident Response Center Luxembourg + + 16, bd d'Avranches + + + Luxembourg, + + L-1160 + + Luxembourg + + Phone: +352 247 88444 + +EMail: andras.iklody@circl.lu + +
+
+ + + diff --git a/misp-query-format/raw.md.txt b/misp-query-format/raw.md.txt new file mode 100644 index 0000000..ddcb824 --- /dev/null +++ b/misp-query-format/raw.md.txt @@ -0,0 +1,280 @@ + + + + +Network Working Group A. Dulaunoy +Internet-Draft A. Iklody +Intended status: Informational CIRCL +Expires: April 11, 2019 October 8, 2018 + + + MISP query format + draft-dulaunoy-misp-core-format + +Abstract + + This document describes the MISP query format used to search MISP + (Malware Information and threat Sharing Platform) [MISP-P] threat + intelligence instances. MISP query format is a simple format used to + query MISP instances over a REST (Representational State Transfer ) + interface. The query format includes the JSON format to describe the + query and the minimal API access to perform the query. The JSON + format includes the overall structure along with the semantic + associated for each respective key. The goal of the format is to + query MISP threat intelligence instances can feed and integrate with + network security devices (such as firewall, network intrusion + detection system, routers, SIEMs), endpoint security devices or + monitoring devices. + +Status of This Memo + + This Internet-Draft is submitted in full conformance with the + provisions of BCP 78 and BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF). Note that other groups may also distribute + working documents as Internet-Drafts. The list of current Internet- + Drafts is at https://datatracker.ietf.org/drafts/current/. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + This Internet-Draft will expire on April 11, 2019. + +Copyright Notice + + Copyright (c) 2018 IETF Trust and the persons identified as the + document authors. All rights reserved. + + This document is subject to BCP 78 and the IETF Trust's Legal + Provisions Relating to IETF Documents + + + +Dulaunoy & Iklody Expires April 11, 2019 [Page 1] + +Internet-Draft MISP query format October 2018 + + + (https://trustee.ietf.org/license-info) in effect on the date of + publication of this document. Please review these documents + carefully, as they describe your rights and restrictions with respect + to this document. Code Components extracted from this document must + include Simplified BSD License text as described in Section 4.e of + the Trust Legal Provisions and are provided without warranty as + described in the Simplified BSD License. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 + 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3 + 2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.2. query format criteria . . . . . . . . . . . . . . . . . . 3 + 2.2.1. returnFormat . . . . . . . . . . . . . . . . . . . . 3 + 2.2.2. limit . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.2.3. page . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.2.4. value . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.2.5. type . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2.2.6. category . . . . . . . . . . . . . . . . . . . . . . 3 + 3. Security Considerations . . . . . . . . . . . . . . . . . . . 3 + 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4 + 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 5.1. Normative References . . . . . . . . . . . . . . . . . . 4 + 5.2. Informative References . . . . . . . . . . . . . . . . . 4 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 4 + +1. Introduction + + Sharing threat information became a fundamental requirements in the + Internet, security and intelligence community at large. Threat + information can include indicators of compromise, malicious file + indicators, financial fraud indicators or even detailed information + about a threat actor. MISP [MISP-P] started as an open source + project in late 2011 and the MISP format started to be widely used as + an exchange format within the community in the past years. The core + format is described in an Internet-Draft as misp-core-format [MISP-C] + and contain the standard MISP JSON format used for threat + intelligence. + + The aim of this document is to describe the specification of the MISP + query format and how the query can be perform against a REST + interface. + + + + + + + +Dulaunoy & Iklody Expires April 11, 2019 [Page 2] + +Internet-Draft MISP query format October 2018 + + +1.1. Conventions and Terminology + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [RFC2119]. + +2. Format + +2.1. Overview + + The MISP query format is in the JSON [RFC4627] format. + +2.2. query format criteria + +2.2.1. returnFormat + + returnFormat MUST be present. returnFormat sets the type of output + format. MISP allows multiple format (depending of the + configuration): + + +----------+------------------------------------------------+ + | value | Description | + +----------+------------------------------------------------+ + | json | MISP JSON core format as described in [MISP-C] | + | xml | MISP XML format | + | openioc | OpenIOC format | + | suricata | Suricata NIDS format | + | snort | Snort NIDS format | + | csv | CSV format | + +----------+------------------------------------------------+ + +2.2.2. limit + +2.2.3. page + +2.2.4. value + +2.2.5. type + +2.2.6. category + +3. Security Considerations + + MISP threat intelligence instances might contain sensitive or + confidential information. Adequate access control and encryption + measures shall be implemented to ensure the confidentiality of the + threat intelligence. + + + + +Dulaunoy & Iklody Expires April 11, 2019 [Page 3] + +Internet-Draft MISP query format October 2018 + + + Adversaries might include malicious content in MISP queries. + Implementation MUST consider the input of malicious inputs beside the + standard threat information that might already include malicious + intended inputs. + +4. Acknowledgements + + The authors wish to thank all the MISP community who are supporting + the creation of open standards in threat intelligence sharing. A + special thank to all the committees which triggered us to come with + better and flexible format. + +5. References + +5.1. Normative References + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, + DOI 10.17487/RFC2119, March 1997, + . + + [RFC4627] Crockford, D., "The application/json Media Type for + JavaScript Object Notation (JSON)", RFC 4627, + DOI 10.17487/RFC4627, July 2006, + . + +5.2. Informative References + + [MISP-C] MISP, "MISP core format", . + + [MISP-P] MISP, "MISP Project - Malware Information Sharing Platform + and Threat Sharing", . + +Authors' Addresses + + Alexandre Dulaunoy + Computer Incident Response Center Luxembourg + 16, bd d'Avranches + Luxembourg L-1160 + Luxembourg + + Phone: +352 247 88444 + Email: alexandre.dulaunoy@circl.lu + + + + + + + +Dulaunoy & Iklody Expires April 11, 2019 [Page 4] + +Internet-Draft MISP query format October 2018 + + + Andras Iklody + Computer Incident Response Center Luxembourg + 16, bd d'Avranches + Luxembourg L-1160 + Luxembourg + + Phone: +352 247 88444 + Email: andras.iklody@circl.lu + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Dulaunoy & Iklody Expires April 11, 2019 [Page 5] diff --git a/misp-query-format/raw.md.xml b/misp-query-format/raw.md.xml new file mode 100644 index 0000000..7761c11 --- /dev/null +++ b/misp-query-format/raw.md.xml @@ -0,0 +1,163 @@ + + + + + + + + + + + + +MISP query format + + +Computer Incident Response Center Luxembourg +
+ +16, bd d'Avranches +Luxembourg +L-1160 +Luxembourg + + ++352 247 88444 +alexandre.dulaunoy@circl.lu + +
+ + +Computer Incident Response Center Luxembourg +
+ +16, bd d'Avranches +Luxembourg +L-1160 +Luxembourg + + ++352 247 88444 +andras.iklody@circl.lu + +
+ + + +Security + + + + +This document describes the MISP query format used to search MISP (Malware Information and threat Sharing Platform) threat intelligence instances. +MISP query format is a simple format used to query MISP instances over a REST (Representational State Transfer ) interface. +The query format includes the JSON format to describe the query and the minimal API access to perform the query. The JSON format includes the overall structure along with the semantic associated for each respective key. The goal of the format is to query MISP threat intelligence instances can feed and integrate with network security devices (such as firewall, network intrusion detection system, routers, SIEMs), endpoint security devices or monitoring devices. + + + + + + + + +
+Sharing threat information became a fundamental requirements in the Internet, security and intelligence community at large. Threat +information can include indicators of compromise, malicious file indicators, financial fraud indicators +or even detailed information about a threat actor. MISP started as an open source project in late 2011 and +the MISP format started to be widely used as an exchange format within the community in the past years. The core format +is described in an Internet-Draft as misp-core-format and contain the standard MISP JSON format used for threat +intelligence. + +The aim of this document is to describe the specification of the MISP query format and how the query can be perform against a REST interface. + + +
+The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", +"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this +document are to be interpreted as described in RFC 2119 . + +
+
+ +
+ +
+The MISP query format is in the JSON format. + +
+ +
+ +
+returnFormat MUST be present. returnFormat sets the type of output format. MISP allows multiple format (depending of the configuration): + + +value +Description + +jsonMISP JSON core format as described in +xmlMISP XML format +openiocOpenIOC format +suricataSuricata NIDS format +snortSnort NIDS format +csvCSV format + +
+ +
+
+ +
+
+ +
+
+ +
+
+ +
+
+
+
+ +
+MISP threat intelligence instances might contain sensitive or confidential information. Adequate access control and encryption measures shall be implemented to ensure the confidentiality of the threat intelligence. + +Adversaries might include malicious content in MISP queries. Implementation MUST consider the input of malicious inputs beside the +standard threat information that might already include malicious intended inputs. + +
+ +
+The authors wish to thank all the MISP community who are supporting the creation +of open standards in threat intelligence sharing. A special thank to all the committees which +triggered us to come with better and flexible format. + +
+ + + + + + + + + + + MISP core format + + + + + + + MISP Project - Malware Information Sharing Platform and Threat Sharing + + + + + + + +