merging conflict

pull/20/head
Deborah Servili 2018-09-20 14:59:29 +02:00
commit bf497626db
No known key found for this signature in database
GPG Key ID: 7E3A832850D4D7D1
7 changed files with 1004 additions and 473 deletions


@ -11,7 +11,7 @@ All the formats can be freely reused by everyone.
* [misp-core-format](misp-core-format/raw.md.txt) ([markdown source](misp-core-format/raw.md)) which describes the core JSON format of MISP. Current Internet-Draft: [04](https://tools.ietf.org/html/draft-dulaunoy-misp-core-format)
* [misp-taxonomy-format](misp-taxonomy-format/raw.md.txt) ([markdown source](misp-taxonomy-format/raw.md)) which describes the taxonomy JSON format of MISP. Current Internet-Draft: [05](https://tools.ietf.org/html/draft-dulaunoy-misp-taxonomy-format)
* [misp-galaxy-format](misp-galaxy-format/raw.md.txt) which describes the [galaxy](https://github.com/MISP/misp-galaxy) template format used to expand the threat actor modelling of MISP. Current Internet-Draft: [02](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-galaxy-format/)
* [misp-galaxy-format](misp-galaxy-format/raw.md.txt) which describes the [galaxy](https://github.com/MISP/misp-galaxy) template format used to expand the threat actor modelling of MISP. Current Internet-Draft: [04](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-galaxy-format/)
* [misp-object-template-format](misp-object-template-format/raw.md.txt) which describes the [object](https://github.com/MISP/misp-objects) template format to add combinedand composite object to the MISP core format. Current Internet-Draft: [01](https://datatracker.ietf.org/doc/draft-dulaunoy-misp-object-template-format/)
## MISP Format in design phase and implemented in at least one software prototype
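Review bot: the context line for misp-object-template-format just above the changed galaxy line carries a typo this README edit should pick up while it is here: "to add combinedand composite object to the MISP core format" should read "to add combined and composite objects to the MISP core format".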


@ -5,7 +5,7 @@
% ipr= "trust200902"
% area = "Security"
%
% date = 2018-04-10T00:00:00Z
% date = 2018-08-08T00:00:00Z
%
% [[author]]
% initials="A."
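Review bot: the date bump to 2018-08-08 here is not reflected in the generated raw.txt committed alongside it: the unchanged context of the raw.txt hunks below still carries the page header "Internet-Draft MISP core format April 2018" and the footer "Dulaunoy & Iklody Expires October 12, 2018". Regenerate the text rendering from this source after the markdown edits so the draft date and expiry in both files agree.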
@ -305,53 +305,53 @@ type represents the means through which an attribute tries to describe the inten
type is represented as a JSON string. type **MUST** be present and it **MUST** be a valid selection for the chosen category. The list of valid category-type combinations is as follows:
**Internal reference**
: text, link, comment, other, hex
**Targeting data**
: target-user, target-email, target-machine, target-org, target-location, target-external, comment
**Antivirus detection**
: link, comment, text, hex, attachment, other
**Payload delivery**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, ip-src, ip-dst, hostname, domain, email-src, email-dst, email-subject, email-attachment, url, user-agent, AS, pattern-in-file, pattern-in-traffic, yara, attachment, malware-sample, link, malware-type, mime-type, comment, text, vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-src|port, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id
**Artifacts dropped**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, sigma, stix2-pattern, gene, attachment, malware-sample, mime-type, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, other
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type
**Payload installation**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|pehash, pattern-in-file, mime-type, pattern-in-traffic, pattern-in-memory, yara, stix2-pattern, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, mobile-application-id, other
**Attribution**
: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email
**Persistence mechanism**
: filename, regkey, regkey|value, comment, text, other, text
**External analysis**
: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, github-repository, other, cortex
**Financial fraud**
: btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex
**Internal reference**
: text, link, comment, other, hex
**Network activity**
: ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, pattern-in-traffic, stix2-pattern, attachment, comment, text, x509-fingerprint-sha1, other, hex, cookie
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-sha1, other, hex, cookie, hostname|port, bro
**Other**
: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean
**Payload delivery**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email
**Payload installation**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type
**Payload type**
: comment, text, other
**Attribution**
: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, other
**External analysis**
: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, github-repository, other
**Financial fraud**
: btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex
**Support tool**
: attachment, link, comment, text, other, hex
**Social network**
: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other
**Persistence mechanism**
: filename, regkey, regkey|value, comment, text, other, hex
**Person**
: first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number
**Other**
: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number
**Social network**
: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email
**Support Tool**
: link, text, attachment, comment, other, hex
**Targeting data**
: target-user, target-email, target-machine, target-org, target-location, target-external, comment
Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.
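Review bot: the new Persistence mechanism entry lists the same type twice, "filename, regkey, regkey|value, comment, text, other, text"; the removed line had "comment, text, other, hex" in that position, so the trailing "text" looks like it was meant to be "hex" and should be restored, otherwise dropped. The new heading "Support Tool" is also capitalised differently from the removed "Support tool" and from every other category heading in this list ("Targeting data", "Network activity", "Payload type"); keep the lower-case form so the rendered draft and any tooling that keys on the category name stay consistent.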
@ -501,53 +501,53 @@ type represents the means through which an attribute tries to describe the inten
type is represented as a JSON string. type **MUST** be present and it **MUST** be a valid selection for the chosen category. The list of valid category-type combinations is as follows:
**Internal reference**
: text, link, comment, other, hex
**Targeting data**
: target-user, target-email, target-machine, target-org, target-location, target-external, comment
**Antivirus detection**
: link, comment, text, hex, attachment, other
**Payload delivery**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, ip-src, ip-dst, hostname, domain, email-src, email-dst, email-subject, email-attachment, url, user-agent, AS, pattern-in-file, pattern-in-traffic, yara, attachment, malware-sample, link, malware-type, mime-type, comment, text, vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-src|port, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id
**Artifacts dropped**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, yara, sigma, gene, stix2-pattern, attachment, malware-sample, mime-type, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, other
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, mime-type
**Payload installation**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|pehash, mime-type, pattern-in-file, pattern-in-traffic, pattern-in-memory, yara, stix2-pattern, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, mobile-application-id, other
**Attribution**
: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email
**Persistence mechanism**
: filename, regkey, regkey|value, comment, text, other, text
**External analysis**
: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, github-repository, other, cortex
**Financial fraud**
: btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex
**Internal reference**
: text, link, comment, other, hex
**Network activity**
: ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, pattern-in-traffic, stix2-pattern, attachment, comment, text, x509-fingerprint-sha1, other, hex, cookie
: ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-sha1, other, hex, cookie, hostname|port, bro
**Other**
: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean
**Payload delivery**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email
**Payload installation**
: md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type
**Payload type**
: comment, text, other
**Attribution**
: threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, other
**External analysis**
: md5, sha1, sha256, filename, filename|md5, filename|sha1, filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, pattern-in-file, pattern-in-traffic, pattern-in-memory, vulnerability, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, github-repository, other
**Financial fraud**
: btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex
**Support tool**
: attachment, link, comment, text, other, hex
**Social network**
: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other
**Persistence mechanism**
: filename, regkey, regkey|value, comment, text, other, hex
**Person**
: first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number
**Other**
: comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number
**Social network**
: github-username, github-repository, github-organisation, jabber-id, twitter-id, email-src, email-dst, comment, text, other, whois-registrant-email
**Support Tool**
: link, text, attachment, comment, other, hex
**Targeting data**
: target-user, target-email, target-machine, target-org, target-location, target-external, comment
Attributes are based on the usage within their different communities. Attributes can be extended on a regular basis and this reference document is updated accordingly.
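Review bot: this hunk re-applies the same category/type list under the ShadowAttribute type, so the document now carries two hand-maintained copies, and the removed lines show they were already drifting: "yara, sigma, stix2-pattern, gene" in the Attribute copy versus "yara, sigma, gene, stix2-pattern" here, and an Attribution line that has "whois-registrant-org" here but not in the Attribute copy. Consider having the ShadowAttribute section reference the Attribute list instead of duplicating it, or generating both from one source; at minimum carry the same "other, text" correction into the Persistence mechanism line of this copy.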


@ -76,15 +76,15 @@ Table of Contents
2.4. Attribute . . . . . . . . . . . . . . . . . . . . . . . . 8
2.4.1. Sample Attribute Object . . . . . . . . . . . . . . . 8
2.4.2. Attribute Attributes . . . . . . . . . . . . . . . . 9
2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 14
2.5. ShadowAttribute . . . . . . . . . . . . . . . . . . . . . 15
2.5.1. Sample Attribute Object . . . . . . . . . . . . . . . 15
2.5.2. ShadowAttribute Attributes . . . . . . . . . . . . . 15
2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.5.3. Org . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.6. Object . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.6.1. Sample Object object . . . . . . . . . . . . . . . . 21
2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 22
2.6.1. Sample Object object . . . . . . . . . . . . . . . . 22
2.6.2. Object Attributes . . . . . . . . . . . . . . . . . . 23
2.7. Object References . . . . . . . . . . . . . . . . . . . . 25
2.7.1. Sample ObjectReference object . . . . . . . . . . . . 25
2.7.1. Sample ObjectReference object . . . . . . . . . . . . 26
2.7.2. ObjectReference Attributes . . . . . . . . . . . . . 26
2.8. Tag . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
2.8.1. Sample Tag . . . . . . . . . . . . . . . . . . . . . 28
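Review bot: while the ShadowAttribute page numbers are being shifted, the unchanged entry "2.5.1. Sample Attribute Object . . . 15" under 2.5 ShadowAttribute reads as a copy of 2.4.1 and should be "Sample ShadowAttribute Object"; since this table of contents is generated, the fix belongs in the section heading in raw.md rather than in raw.txt.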
@ -497,7 +497,7 @@ Internet-Draft MISP core format April 2018
MUST be a valid selection for the chosen category. The list of valid
category-type combinations is as follows:
Internal reference
Antivirus detection
@ -506,32 +506,8 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 9]
Internet-Draft MISP core format April 2018
text, link, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Antivirus detection
link, comment, text, hex, attachment, other
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, ip-src, ip-dst, hostname, domain, email-src,
email-dst, email-subject, email-attachment, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, yara, attachment, malware-
sample, link, malware-type, mime-type, comment, text,
vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-
src|port, hostname|port, email-dst-display-name, email-src-
display-name, email-header, email-reply-to, email-x-mailer, email-
mime-boundary, email-thread-index, email-message-id, mobile-
application-id
Artifacts dropped
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
@ -539,21 +515,45 @@ Internet-Draft MISP core format April 2018
filename|sha512, filename|sha512/224, filename|sha512/256,
filename|authentihash, filename|ssdeep, filename|tlsh,
filename|imphash, filename|impfuzzy, filename|pehash, regkey,
regkey|value, pattern-in-file, pattern-in-memory, pdb, yara,
sigma, stix2-pattern, gene, attachment, malware-sample, mime-type,
named pipe, mutex, windows-scheduled-task, windows-service-name,
regkey|value, pattern-in-file, pattern-in-memory, pdb,
stix2-pattern, yara, sigma, attachment, malware-sample, named
pipe, mutex, windows-scheduled-task, windows-service-name,
windows-service-displayname, comment, text, hex, x509-fingerprint-
sha1, other
sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other,
cookie, gene, mime-type
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|pehash, pattern-in-file,
mime-type, pattern-in-traffic, pattern-in-memory, yara,
stix2-pattern, vulnerability, attachment, malware-sample, malware-
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
whois-registrant-email, whois-registrant-name, whois-registrant-
org, whois-registrar, whois-creation-date, comment, text, x509-
fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
other, dns-soa-email
External analysis
md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-
address, mac-eui-64, hostname, domain, domain|ip, url, user-agent,
regkey, regkey|value, AS, snort, pattern-in-file, pattern-in-
traffic, pattern-in-memory, vulnerability, attachment, malware-
sample, link, comment, text, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, github-repository,
other, cortex
Financial fraud
btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number,
prtn, phone-number, comment, text, other, hex
Internal reference
text, link, comment, other, hex
Network activity
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-
agent, http-method, AS, snort, pattern-in-file, stix2-pattern,
pattern-in-traffic, attachment, comment, text, x509-fingerprint-
sha1, other, hex, cookie, hostname|port
Other
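Review bot: the regenerated Network activity list in raw.txt ends "sha1, other, hex, cookie, hostname|port", while the markdown source changed in this same commit ends "hostname|port, bro", so raw.txt was built from an earlier state of raw.md and the two renderings now disagree on which types are valid for the category. Rebuild the text rendering after the final markdown edit and commit both together.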
@ -562,44 +562,46 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 10]
Internet-Draft MISP core format April 2018
type, comment, text, hex, x509-fingerprint-sha1, mobile-
application-id, other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
float, hex, phone-number, boolean
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, text
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-
dst|port, ip-src|port, hostname, domain, email-src, email-dst,
email-subject, email-attachment, email-body, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma,
mime-type, attachment, malware-sample, link, malware-type,
comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, other, hostname|port,
email-dst-display-name, email-src-display-name, email-header,
email-reply-to, email-x-mailer, email-mime-boundary, email-thread-
index, email-message-id, mobile-application-id, whois-registrant-
email
Network activity
ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri,
user-agent, http-method, AS, snort, pattern-in-file, pattern-in-
traffic, stix2-pattern, attachment, comment, text, x509-
fingerprint-sha1, other, hex, cookie
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-
memory, stix2-pattern, yara, sigma, vulnerability, attachment,
malware-sample, malware-type, comment, text, hex, x509-
fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
mobile-application-id, other, mime-type
Payload type
comment, text, other
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
whois-registrant-email, whois-registrant-name, whois-registrar,
whois-creation-date, comment, text, x509-fingerprint-sha1, other
External analysis
md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
user-agent, regkey, regkey|value, AS, snort, pattern-in-file,
pattern-in-traffic, pattern-in-memory, vulnerability, attachment,
malware-sample, link, comment, text, x509-fingerprint-sha1,
github-repository, other
Financial fraud
btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn,
phone-number, comment, text, other, hex
Support tool
attachment, link, comment, text, other, hex
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, hex
Person
first-name, middle-name, last-name, date-of-birth, place-of-birth,
@ -608,8 +610,6 @@ Internet-Draft MISP core format April 2018
primary-residence, country-of-residence, special-service-request,
frequent-flyer-number, travel-details, payment-details, place-
port-of-original-embarkation, place-port-of-clearance, place-port-
of-onward-foreign-destination, passenger-name-record-locator-
number, comment, text, other, phone-number, identity-card-number
@ -618,9 +618,20 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 11]
Internet-Draft MISP core format April 2018
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
float, hex, phone-number
of-onward-foreign-destination, passenger-name-record-locator-
number, comment, text, other, phone-number, identity-card-number
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other, whois-
registrant-email
Support Tool
link, text, attachment, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Attributes are based on the usage within their different communities.
Attributes can be extended on a regular basis and this reference
@ -656,6 +667,13 @@ Internet-Draft MISP core format April 2018
event_id is represented as a JSON string. event_id MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 12]
Internet-Draft MISP core format April 2018
2.4.2.7. distribution
distribution represents the basic distribution rules of the
@ -666,14 +684,6 @@ Internet-Draft MISP core format April 2018
present and be one of the following options:
0
Dulaunoy & Iklody Expires October 12, 2018 [Page 12]
Internet-Draft MISP core format April 2018
Your Organisation Only
1
@ -712,6 +722,14 @@ Internet-Draft MISP core format April 2018
if distribution level "4" is set. A human-readable identifier MUST
be represented as an unsigned integer.
Dulaunoy & Iklody Expires October 12, 2018 [Page 13]
Internet-Draft MISP core format April 2018
sharing_group_id is represented by a JSON string and SHOULD be
present. If a distribution level other than "4" is chosen the
sharing_group_id MUST be set to "0".
@ -722,14 +740,6 @@ Internet-Draft MISP core format April 2018
Revoked attributes are not actionable and exist merely to inform
other instances of a revocation.
Dulaunoy & Iklody Expires October 12, 2018 [Page 13]
Internet-Draft MISP core format April 2018
deleted is represented by a JSON boolean. deleted MUST be present.
2.4.2.12. data
@ -766,6 +776,16 @@ Internet-Draft MISP core format April 2018
containing attribute's ID in the old_id field and the event's ID in
the event_id field.
Dulaunoy & Iklody Expires October 12, 2018 [Page 14]
Internet-Draft MISP core format April 2018
2.4.2.15. value
value represents the payload of an attribute. The format of the
@ -778,14 +798,6 @@ Internet-Draft MISP core format April 2018
ShadowAttributes are 3rd party created attributes that either propose
to add new information to an event or modify existing information.
They are not meant to be actionable until the event creator accepts
Dulaunoy & Iklody Expires October 12, 2018 [Page 14]
Internet-Draft MISP core format April 2018
them - at which point they will be converted into attributes or
modify an existing attribute.
@ -818,6 +830,18 @@ Internet-Draft MISP core format April 2018
2.5.2. ShadowAttribute Attributes
Dulaunoy & Iklody Expires October 12, 2018 [Page 15]
Internet-Draft MISP core format April 2018
2.5.2.1. uuid
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
@ -834,14 +858,6 @@ Internet-Draft MISP core format April 2018
represented as an unsigned integer. id is represented as a JSON
string. id SHALL be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 15]
Internet-Draft MISP core format April 2018
2.5.2.3. type
type represents the means through which an attribute tries to
@ -852,33 +868,9 @@ Internet-Draft MISP core format April 2018
MUST be a valid selection for the chosen category. The list of valid
category-type combinations is as follows:
Internal reference
text, link, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Antivirus detection
link, comment, text, hex, attachment, other
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, ip-src, ip-dst, hostname, domain, email-src,
email-dst, email-subject, email-attachment, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, yara, attachment, malware-
sample, link, malware-type, mime-type, comment, text,
vulnerability, x509-fingerprint-sha1, other, ip-dst|port, ip-
src|port, hostname|port, email-dst-display-name, email-src-
display-name, email-header, email-reply-to, email-x-mailer, email-
mime-boundary, email-thread-index, email-message-id, mobile-
application-id
Artifacts dropped
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, filename, filename|md5,
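Review bot: this removal is only the first half of an alphabetical reorder of the category list (the same categories reappear further down in the file), but it is mixed with real content changes: the new "Payload delivery" list, for instance, picks up mac-address, mac-eui-64, email-body, sigma, stix2-pattern, hostname|port and the md5/sha256 x509 fingerprints that the removed block lacks. A reader of the diff cannot separate moves from additions, so either land the reorder as its own commit or enumerate the newly added types in the commit message, which currently only says "merging conflict".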
@ -886,9 +878,17 @@ Internet-Draft MISP core format April 2018
filename|sha512, filename|sha512/224, filename|sha512/256,
filename|authentihash, filename|ssdeep, filename|tlsh,
filename|imphash, filename|impfuzzy, filename|pehash, regkey,
regkey|value, pattern-in-file, pattern-in-memory, pdb, yara,
sigma, gene, stix2-pattern, attachment, malware-sample, mime-type,
named pipe, mutex, windows-scheduled-task, windows-service-name,
regkey|value, pattern-in-file, pattern-in-memory, pdb,
stix2-pattern, yara, sigma, attachment, malware-sample, named
pipe, mutex, windows-scheduled-task, windows-service-name,
windows-service-displayname, comment, text, hex, x509-fingerprint-
sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other,
cookie, gene, mime-type
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
whois-registrant-email, whois-registrant-name, whois-registrant-
org, whois-registrar, whois-creation-date, comment, text, x509-
@ -898,53 +898,53 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 16]
Internet-Draft MISP core format April 2018
windows-service-displayname, comment, text, hex, x509-fingerprint-
sha1, other
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|pehash, mime-type,
pattern-in-file, pattern-in-traffic, pattern-in-memory, yara,
stix2-pattern, vulnerability, attachment, malware-sample, malware-
type, comment, text, hex, x509-fingerprint-sha1, mobile-
application-id, other
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, text
Network activity
ip-src, ip-dst, hostname, domain, domain|ip, email-dst, url, uri,
user-agent, http-method, AS, snort, pattern-in-file, pattern-in-
traffic, stix2-pattern, attachment, comment, text, x509-
fingerprint-sha1, other, hex, cookie
Payload type
comment, text, other
Attribution
threat-actor, campaign-name, campaign-id, whois-registrant-phone,
whois-registrant-email, whois-registrant-name, whois-registrant-
org, whois-registrar, whois-creation-date, comment, text, x509-
fingerprint-sha1, other
fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
other, dns-soa-email
External analysis
md5, sha1, sha256, filename, filename|md5, filename|sha1,
filename|sha256, ip-src, ip-dst, hostname, domain, domain|ip, url,
user-agent, regkey, regkey|value, AS, snort, pattern-in-file,
pattern-in-traffic, pattern-in-memory, vulnerability, attachment,
malware-sample, link, comment, text, x509-fingerprint-sha1,
github-repository, other
filename|sha256, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-
address, mac-eui-64, hostname, domain, domain|ip, url, user-agent,
regkey, regkey|value, AS, snort, pattern-in-file, pattern-in-
traffic, pattern-in-memory, vulnerability, attachment, malware-
sample, link, comment, text, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, github-repository,
other, cortex
Financial fraud
btc, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn,
phone-number, comment, text, other, hex
btc, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number,
prtn, phone-number, comment, text, other, hex
Support tool
attachment, link, comment, text, other, hex
Internal reference
text, link, comment, other, hex
Network activity
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
domain|ip, mac-address, mac-eui-64, email-dst, url, uri, user-
agent, http-method, AS, snort, pattern-in-file, stix2-pattern,
pattern-in-traffic, attachment, comment, text, x509-fingerprint-
sha1, other, hex, cookie, hostname|port
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
float, hex, phone-number, boolean
Payload delivery
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-
dst|port, ip-src|port, hostname, domain, email-src, email-dst,
email-subject, email-attachment, email-body, url, user-agent, AS,
pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma,
mime-type, attachment, malware-sample, link, malware-type,
comment, text, hex, vulnerability, x509-fingerprint-sha1, x509-
fingerprint-md5, x509-fingerprint-sha256, other, hostname|port,
email-dst-display-name, email-src-display-name, email-header,
email-reply-to, email-x-mailer, email-mime-boundary, email-thread-
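Review bot: several new types land silently inside the reorder in this hunk: "Attribution" gains x509-fingerprint-md5, x509-fingerprint-sha256 and dns-soa-email, "External analysis" gains ip-dst|port, ip-src|port, mac-address, mac-eui-64, the md5/sha256 x509 fingerprints and cortex, "Financial fraud" gains xmr, "Network activity" gains port, mac-address, mac-eui-64 and hostname|port, and "Other" gains boolean. Since the category-type table is normative (the type "MUST be a valid selection for the chosen category"), list these additions in the commit message or a changelog entry so implementers can see what changed.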
@ -954,9 +954,27 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 17]
Internet-Draft MISP core format April 2018
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other
index, email-message-id, mobile-application-id, whois-registrant-
email
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, filename,
filename|md5, filename|sha1, filename|sha224, filename|sha256,
filename|sha384, filename|sha512, filename|sha512/224,
filename|sha512/256, filename|authentihash, filename|ssdeep,
filename|tlsh, filename|imphash, filename|impfuzzy,
filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-
memory, stix2-pattern, yara, sigma, vulnerability, attachment,
malware-sample, malware-type, comment, text, hex, x509-
fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256,
mobile-application-id, other, mime-type
Payload type
comment, text, other
Persistence mechanism
filename, regkey, regkey|value, comment, text, other, hex
Person
first-name, middle-name, last-name, date-of-birth, place-of-birth,
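Review bot: the new "Persistence mechanism" line replaces the duplicated trailing "text" of the old list ("comment, text, other, text") with "hex"; confirm that hex is actually a valid type for this category in the implementation and not just a substitute chosen to remove the duplicate. In the same hunk the tail of the new "Payload delivery" list ends with whois-registrant-email, a WHOIS type that otherwise appears only under "Attribution" and "Social network"; confirm that placement is intentional.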
@ -968,14 +986,30 @@ Internet-Draft MISP core format April 2018
of-onward-foreign-destination, passenger-name-record-locator-
number, comment, text, other, phone-number, identity-card-number
Other
comment, text, other, size-in-bytes, counter, datetime, cpe, port,
float, hex, phone-number
Social network
github-username, github-repository, github-organisation, jabber-
id, twitter-id, email-src, email-dst, comment, text, other, whois-
registrant-email
Support Tool
link, text, attachment, comment, other, hex
Targeting data
target-user, target-email, target-machine, target-org, target-
location, target-external, comment
Attributes are based on the usage within their different communities.
Attributes can be extended on a regular basis and this reference
document is updated accordingly.
Dulaunoy & Iklody Expires October 12, 2018 [Page 18]
Internet-Draft MISP core format April 2018
2.5.2.4. category
category represents the intent of what the attribute is describing as
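Review bot: the category is renamed from "Support tool" (in the removed block) to "Support Tool" here and its types are reordered; category names are matched as strings, so the casing must be whatever the MISP implementation emits, and a change to a normative identifier deserves a line in the commit message. The closing sentence "Attributes are based on the usage within their different communities" would read more precisely as "The category-type combinations reflect usage within the different communities".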
@ -1001,15 +1035,6 @@ Internet-Draft MISP core format April 2018
event_id represents a human-readable identifier referencing the Event
object that the ShadowAttribute belongs to.
Dulaunoy & Iklody Expires October 12, 2018 [Page 18]
Internet-Draft MISP core format April 2018
The event_id SHOULD be updated when the event is imported to reflect
the newly created event's id on the instance.
@ -1031,6 +1056,16 @@ Internet-Draft MISP core format April 2018
old_id is represented as a JSON string. old_id MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 19]
Internet-Draft MISP core format April 2018
2.5.2.8. timestamp
timestamp represents a reference time when the attribute was created
@ -1057,15 +1092,6 @@ Internet-Draft MISP core format April 2018
org_id is represented by a JSON string and MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 19]
Internet-Draft MISP core format April 2018
2.5.2.11. proposal_to_delete
proposal_to_delete is a boolean flag that sets whether the shadow
@ -1086,6 +1112,16 @@ Internet-Draft MISP core format April 2018
deleted is represented by a JSON boolean. deleted SHOULD be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 20]
Internet-Draft MISP core format April 2018
2.5.2.13. data
data contains the base64 encoded contents of an attachment or a
@ -1112,16 +1148,6 @@ Internet-Draft MISP core format April 2018
uuid, name and id are represented as a JSON string. uuid, name and id
MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 20]
Internet-Draft MISP core format April 2018
2.5.3.1. Sample Org Object
"Org": {
@ -1143,6 +1169,15 @@ Internet-Draft MISP core format April 2018
within an event. Their main purpose is to describe more complex
structures than can be described by a single attribute Each object is
created using an Object Template and carries the meta-data of the
Dulaunoy & Iklody Expires October 12, 2018 [Page 21]
Internet-Draft MISP core format April 2018
template used for its creation within. Objects belong to a meta-
category and are defined by a name.
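Review bot: the context line "structures than can be described by a single attribute Each object is" is missing a full stop after "attribute"; since raw.md.txt is rendered from raw.md, fix it in the markdown source so the next regeneration carries the correction.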
@ -1155,29 +1190,6 @@ Internet-Draft MISP core format April 2018
2.6.1. Sample Object object
Dulaunoy & Iklody Expires October 12, 2018 [Page 21]
Internet-Draft MISP core format April 2018
"Object": {
"id": "588",
"name": "file",
@ -1215,6 +1227,13 @@ Internet-Draft MISP core format April 2018
]
}
Dulaunoy & Iklody Expires October 12, 2018 [Page 22]
Internet-Draft MISP core format April 2018
2.6.2. Object Attributes
2.6.2.1. uuid
@ -1224,16 +1243,6 @@ Internet-Draft MISP core format April 2018
of the same object. UUID version 4 is RECOMMENDED when assigning it
to a new object.
Dulaunoy & Iklody Expires October 12, 2018 [Page 22]
Internet-Draft MISP core format April 2018
2.6.2.2. id
id represents the human-readable identifier associated to the object
@ -1273,6 +1282,14 @@ Internet-Draft MISP core format April 2018
for creation. UUID version 4 is RECOMMENDED when assigning it to a
new object.
Dulaunoy & Iklody Expires October 12, 2018 [Page 23]
Internet-Draft MISP core format April 2018
2.6.2.7. template_version
template_version represents a numeric incrementing version of the
@ -1283,13 +1300,6 @@ Internet-Draft MISP core format April 2018
version is represented as a JSON string. version MUST be present.
Dulaunoy & Iklody Expires October 12, 2018 [Page 23]
Internet-Draft MISP core format April 2018
2.6.2.8. event_id
event_id represents the human-readable identifier of the event that
@ -1328,6 +1338,14 @@ Internet-Draft MISP core format April 2018
All Communities
4
Dulaunoy & Iklody Expires October 12, 2018 [Page 24]
Internet-Draft MISP core format April 2018
Sharing Group
2.6.2.11. sharing_group_id
@ -1337,15 +1355,6 @@ Internet-Draft MISP core format April 2018
distribution level "4" is set. A human-readable identifier MUST be
represented as an unsigned integer.
Dulaunoy & Iklody Expires October 12, 2018 [Page 24]
Internet-Draft MISP core format April 2018
sharing_group_id is represented by a JSON string and SHOULD be
present. If a distribution level other than "4" is chosen the
sharing_group_id MUST be set to "0".
@ -1385,15 +1394,6 @@ Internet-Draft MISP core format April 2018
All Object References MUST contain an object_uuid, a referenced_uuid
and a relationship type.
2.7.1. Sample ObjectReference object
@ -1402,6 +1402,8 @@ Dulaunoy & Iklody Expires October 12, 2018 [Page 25]
Internet-Draft MISP core format April 2018
2.7.1. Sample ObjectReference object
"ObjectReference": {
"id": "195",
"uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
@ -1451,8 +1453,6 @@ Internet-Draft MISP core format April 2018
Dulaunoy & Iklody Expires October 12, 2018 [Page 26]
Internet-Draft MISP core format April 2018
View File
@ -5,7 +5,7 @@
% ipr= "trust200902"
% area = "Security"
%
% date = 2018-04-01T00:00:00Z
% date = 2018-09-20T00:00:00Z
%
% [[author]]
% initials="A."
@ -54,7 +54,7 @@
.# Abstract
This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository [@?MISP-G] of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.
This document describes the MISP galaxy format which describes a simple JSON format to represent galaxies and clusters that can be attached to MISP events or attributes. A public directory of MISP galaxies is available and relies on the MISP galaxy format. MISP galaxies are used to add further informations on a MISP event. MISP galaxy is a public repository [@?MISP-G] [@?MISP-G-DOC] of known malware, threats actors and various other collections of data that can be used to mark, classify or label data in threat information sharing.
{mainmatter}
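Review bot: the rewritten abstract line keeps "further informations" and "threats actors"; since the line is being edited anyway to add [@?MISP-G-DOC], change them to "further information" and "threat actors".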
@ -90,9 +90,21 @@ The values array contains one or more JSON objects which represent all the possi
The value is represented as a string and **MUST** be present. The description is represented as a string and **SHOULD** be present. The meta or metadata is represented as a JSON list and **SHOULD** be present.
The uuid represents the Universally Unique IDentifier (UUID) [@!RFC4122] of the value reference. The uuid **SHOULD** can be present and **MUST** be preserved.
## related
Related contains a list of JSON key value pairs which describe the related values in this galaxy cluster or to other galaxy clusters. The JSON object contains three fields, dest-uuid, type and tags. The dest-uuid represents the target UUID which encompasses a relation of some type. The dest-uuid is represented as a string and **MUST** be present. The type is represented as a string and **MUST** be present and **SHOULD** be selected from the relationship types available in MISP objects [@?MISP-R]. The tags is a list of string which labels the related relationship such as the level of similarities, level of certainty, trust or confidence in the relationship, false-positive. A tag is represented in machine tag format which is a string an **SHOULD** be present.
~~~~
"related": [ {
"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
"type": "similar",
"tags": ["estimative-language:likelihood-probability=\"very-likely\""]
} ]
~~~~
## meta
Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category wherever applicable.
Meta contains a list of custom defined JSON key value pairs. Users **SHOULD** reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category wherever applicable.
refs, synonyms **SHALL** be used to give further informations. refs is represented as an array containing one or more strings and **SHALL** be present. synonyms is represented as an array containing one or more strings and **SHALL** be present.
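Review bot: in the new "related" paragraph, "The tags is a list of string which labels" should be "tags is a list of strings which label", and "which is a string an **SHOULD** be present" should read "and"; the unchanged context line "The uuid **SHOULD** can be present" also has a stray "can". The expanded meta line adds suspected-victims, suspected-state-sponsor, type-of-incident and target-category to the keys users **SHOULD** reuse, but only the cfr- prefixed variants are described later in the section; either describe the un-prefixed keys (and say whether they are aliases of the cfr- ones) or drop them from the list. "further informations" in the following line should be "further information".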
@ -191,7 +203,7 @@ Example use of the source-uuid, target-uuid fields in the mitre-enterprise-attac
}
~~~~
cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category **MAY** be used to report information gathered from CFR's (Council on Foreign Relations) Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and **SHALL** be present. cfr-suspected-state-sponsor is represented as a string and **SHALL** be present. cfr-type-of-incident is represented as a string and **SHALL** be present. cfr-target-category is represented as an array containing one or more strings ans **SHALL** be present.
cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident and cfr-target-category **MAY** be used to report information gathered from CFR's (Council on Foreign Relations) [@?CFR] Cyber Operations Tracker. cfr-suspected-victims is represented as an array containing one or more strings and **SHALL** be present. cfr-suspected-state-sponsor is represented as a string and **SHALL** be present. cfr-type-of-incident is represented as a string and **SHALL** be present. cfr-target-category is represented as an array containing one or more strings ans **SHALL** be present.
Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category fields in the threat-actor galaxy:
~~~~
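Review bot: the edited CFR sentence still ends with "containing one or more strings ans **SHALL** be present"; fix "ans" to "and" while touching the line.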
@ -217,6 +229,173 @@ Example use of the cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-
},
~~~~
# JSON Schema
The JSON Schema [@?JSON-SCHEMA] below defines the overall MISP galaxy formats. The main format is the MISP galaxy format used for the clusters.
## MISP galaxy format - clusters
~~~~
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Clusters",
"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"type": {
"type": "string"
},
"version": {
"type": "integer"
},
"name": {
"type": "string"
},
"uuid": {
"type": "string"
},
"source": {
"type": "string"
},
"values": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"value": {
"type": "string"
},
"uuid": {
"type": "string"
},
"related": {
"type": "array",
"additionalProperties": false,
"items": {
"type": "object"
},
"properties": {
"dest-uuid": {
"type": "string"
},
"type": {
"type": "string"
},
"tags": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
}
}
},
"meta": {
"type": "object",
"additionalProperties": true,
"properties": {
"type": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"complexity": {
"type": "string"
},
"effectiveness": {
"type": "string"
},
"country": {
"type": "string"
},
"possible_issues": {
"type": "string"
},
"colour": {
"type": "string"
},
"motive": {
"type": "string"
},
"impact": {
"type": "string"
},
"refs": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"synonyms": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"status": {
"type": "string"
},
"date": {
"type": "string"
},
"encryption": {
"type": "string"
},
"extensions": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"ransomnotes": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
}
}
}
},
"required": [
"value"
]
}
},
"authors": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
}
},
"required": [
"description",
"type",
"version",
"name",
"uuid",
"values",
"authors",
"source"
]
}
~~~~
# Acknowledgements
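Review bot: in the "related" entry of the schema, `"additionalProperties": false` and the `"properties"` block (dest-uuid, type, tags) sit on the array schema beside `"type": "array"`, where JSON Schema does not apply them, so the only constraint on a relation is `"items": { "type": "object" }` and a malformed entry passes validation; move both keys inside `"items"`, i.e. `"items": { "type": "object", "additionalProperties": false, "properties": { ... } }`. Related points: the cfr-* keys the text defines (array vs string) are not declared under "meta", so their shapes are never checked even though "meta" allows them via `"additionalProperties": true`; the schema `"id"` points at `.../MISP/misp-galaxies/schema_clusters.json` while the MISP-G reference and the repository name use `misp-galaxy`; and `"version"` is declared `"integer"` here although the draft text says the version "is represented as a decimal", so align the prose with the schema.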
@ -241,12 +420,21 @@ of open standards in threat intelligence sharing.
<reference anchor='MISP-G' target='https://github.com/MISP/misp-galaxy'>
<front>
<title>MISP Galaxy -</title>
<title>MISP Galaxy - Public Repository</title>
<author initials='' surname='MISP' fullname='MISP Community'></author>
<date></date>
</front>
</reference>
<reference anchor='MISP-G-DOC' target='https://www.misp-project.org/galaxy.html'>
<front>
<title>MISP Galaxy - Documentation of the Public Repository</title>
<author initials='' surname='MISP' fullname='MISP Community'></author>
<date></date>
</front>
</reference>
<reference anchor='MISP-R' target='https://github.com/MISP/misp-objects/tree/master/relationships'>
<front>
<title>MISP Object Relationship Types - common vocabulary of relationships</title>
@ -263,5 +451,12 @@ of open standards in threat intelligence sharing.
</front>
</reference>
<reference anchor='CFR' target='https://www.cfr.org/interactive/cyber-operations'>
<front>
<title>Cyber Operations Tracker - Council on Foreign Relations</title>
<author initials='' surname='CFR' fullname='Council on Foreign Relations'></author>
<date year="2018"></date>
</front>
</reference>
{backmatter}
View File
@ -19,9 +19,9 @@ Abstract
attached to MISP events or attributes. A public directory of MISP
galaxies is available and relies on the MISP galaxy format. MISP
galaxies are used to add further informations on a MISP event. MISP
galaxy is a public repository [MISP-G] of known malware, threats
actors and various other collections of data that can be used to
mark, classify or label data in threat information sharing.
galaxy is a public repository [MISP-G] [MISP-G-DOC] of known malware,
threats actors and various other collections of data that can be used
to mark, classify or label data in threat information sharing.
Status of This Memo
@ -31,7 +31,7 @@ Status of This Memo
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
@ -47,7 +47,7 @@ Copyright Notice
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
@ -67,15 +67,18 @@ Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2
2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. values . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.3. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 4
4. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.1. Normative References . . . . . . . . . . . . . . . . . . 4
4.2. Informative References . . . . . . . . . . . . . . . . . 5
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 5
2.3. related . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.4. meta . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. JSON Schema . . . . . . . . . . . . . . . . . . . . . . . . . 7
3.1. MISP galaxy format - clusters . . . . . . . . . . . . . . 7
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 11
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
5.1. Normative References . . . . . . . . . . . . . . . . . . 11
5.2. Informative References . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
@ -101,10 +104,7 @@ Table of Contents
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Format
A cluster is composed of a value (MUST), a description (OPTIONAL) and
metadata (OPTIONAL).
@ -114,6 +114,11 @@ Dulaunoy, et al. Expires October 3, 2018 [Page 2]
Internet-Draft MISP galaxy format April 2018
2. Format
A cluster is composed of a value (MUST), a description (OPTIONAL) and
metadata (OPTIONAL).
Clusters are represented as a JSON [RFC4627] dictionary.
2.1. Overview
@ -131,16 +136,17 @@ Internet-Draft MISP galaxy format April 2018
object reference and MUST be present. The description is represented
as a string and MUST be present. The uuid is represented as a string
and MUST be present. The version is represented as a decimal and
MUST be present. The source is represented as a string and MUST be
present. Authors are represented as an array containing one or more
authors and MUST be present.
MUST be present. The type is represented as a string and MUST be
present and MUST match the name of the galaxy file. The source is
represented as a string and MUST be present. Authors are represented
as an array containing one or more authors and MUST be present.
Values are represented as an array containing one or more values and
MUST be present. Values defines all values available in the galaxy.
2.2. values
The values array contains one or more JSON objects which represents
The values array contains one or more JSON objects which represent
all the possible values in the galaxy. The JSON object contains four
fields: value, description, uuid and meta. The value is represented
as a string and MUST be present. The description is represented as a
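Review bot: with the new "related" section the value objects carry five fields, but the unchanged context line still says "The JSON object contains four fields: value, description, uuid and meta"; update it (and the corresponding sentence in raw.md) to include related. The new requirement that type "MUST match the name of the galaxy file" is a useful addition; state whether the comparison is against the file name with or without its extension.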
@ -149,19 +155,13 @@ Internet-Draft MISP galaxy format April 2018
Universally Unique IDentifier (UUID) [RFC4122] of the value
reference. The uuid SHOULD can be present and MUST be preserved.
2.3. meta
Meta contains a list of custom defined JSON key value pairs. Users
SHOULD reuse commonly used keys such as 'properties, complexity,
effectiveness, country, possible_issues, colour, motive, impact,
refs, synonyms, derivated_from, status, date, encryption, extensions,
ransomnotes' wherever applicable.
properties is used to provide clusters with additional properties.
Properties are represented as an array containing one or more strings
ans MAY be present.
2.3. related
Related contains a list of JSON key value pairs which describe the
related values in this galaxy cluster or to other galaxy clusters.
The JSON object contains three fields, dest-uuid, type and tags. The
dest-uuid represents the target UUID which encompasses a relation of
some type. The dest-uuid is represented as a string and MUST be
@ -170,6 +170,44 @@ Dulaunoy, et al. Expires October 3, 2018 [Page 3]
Internet-Draft MISP galaxy format April 2018
present. The type is represented as a string and MUST be present and
SHOULD be selected from the relationship types available in MISP
objects [MISP-R]. The tags is a list of string which labels the
related relationship such as the level of similarities, level of
certainty, trust or confidence in the relationship, false-positive.
A tag is represented in machine tag format which is a string an
SHOULD be present.
"related": [ {
"dest-uuid": "f873db71-3d53-41d5-b141-530675ade27a",
"type": "similar",
"tags": ["estimative-language:likelihood-probability=\"very-likely\""]
} ]
2.4. meta
Meta contains a list of custom defined JSON key value pairs. Users
SHOULD reuse commonly used keys such as properties, complexity,
effectiveness, country, possible_issues, colour, motive, impact,
refs, synonyms, status, date, encryption, extensions, ransomnotes,
cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-
incident, cfr-target-category wherever applicable.
properties is used to provide clusters with additional properties.
Properties are represented as an array containing one or more strings
ans MAY be present.
date, status MAY be used to give time information about an cluster.
date is represented as a string describing a time or period and SHALL
be present. status is represented as a string describing the current
status of the clusters. It MAY also describe a time or period and
SHALL be present.
colour fields MAY be used at predicates or values level to set a
specify colour that MAY be used by the implementation. The colour
field is described as an RGB colour fill in hexadecimal
representation.
complexity, effectiveness, impact, possible_issues MAY be used to
give further information in preventive-measure galaxy. complexity is
represented by an enumerated value from a fixed vocabulary and SHALL
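Review bot: the rendered text is out of step with raw.md in this same commit: the meta key list here still includes "properties" and lacks the suspected-victims, suspected-state-sponsor, type-of-incident and target-category keys that the raw.md hunk above adds, and the page header still reads "April 2018" while raw.md's date is now 2018-09-20; rerun the rendering after the markdown changes. Also in the new lines: "about an cluster" should be "about a cluster", "set a specify colour" should be "set a specific colour", and "ans MAY be present" should be "and".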
@ -178,46 +216,8 @@ Internet-Draft MISP galaxy format April 2018
enumerated value from a fixed vocabulary and SHALL be present.
possible_issues is represented as a string and SHOULD be present.
country, motive MAY be used to give further information in threat-
actor galaxy. country is represented as a string and SHOULD be
present. motive is represented as a string and SHOULD be present.
colour fields MAY be used at predicates or values level to set a
specify colour that MAY be used by the implementation. The colour
field is described as an RGB colour fill in hexadecimal
representation.
encryption, extensions, ransomnotes MAY be used to give further
information in ransomware galaxy. encryption is represented as a
string and SHALL be present. extensions is represented as an array
containing one or more strings and SHALL be present. ransomnotes is
represented as an array containing one or more strings ans SHALL be
present.
date, status MAY be used to give time information about an cluster.
date is represented as a string describing a time or period and SHALL
be present. status is represented as a string describing the current
status of the clusters. It MAY also describe a time or period and
SHALL be present.
derivated_from, refs, synonyms SHALL be used to give further
informations. refs is represented as an containing one or ore string
and SHALL be present. synonyms is represented as an containing one or
ore string and SHALL be present. derivated_from is represented as an
containing one or ore string and SHALL be present.
3. Acknowledgements
The authors wish to thank all the MISP community who are supporting
the creation of open standards in threat intelligence sharing.
4. References
4.1. Normative References
Example use of the complexity, effectiveness, impact, possible_issues
fields in the preventive-measure galaxy:
@ -226,28 +226,408 @@ Dulaunoy, et al. Expires October 3, 2018 [Page 4]
Internet-Draft MISP galaxy format April 2018
{
"meta": {
"refs": [
"http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html"
],
"complexity": "Low",
"effectiveness": "Medium",
"impact": "Medium",
"type": [
"GPO"
],
"possible_issues": "Administrative VBS scripts on Workstations"
},
"value": "Disable WSH",
"description": "Disable Windows Script Host",
"uuid": "e6df1619-f8b3-476c-b5cf-22b4c9e9dd7f"
}
country, motive MAY be used to give further information in threat-
actor galaxy. country is represented as a string and SHOULD be
present. motive is represented as a string and SHOULD be present.
Example use of the country, motive fields in the threat-actor galaxy:
{
"meta": {
"country": "CN",
"synonyms": [
"APT14",
"APT 14",
"QAZTeam",
"ALUMINUM"
],
"refs": [
"http://www.crowdstrike.com/blog/whois-anchor-panda/"
],
"motive": "Espionage"
},
"value": "Anchor Panda",
"description": "PLA Navy",
"uuid": "c82c904f-b3b4-40a2-bf0d-008912953104"
}
encryption, extensions, ransomnotes MAY be used to give further
information in ransomware galaxy. encryption is represented as a
string and SHALL be present. extensions is represented as an array
containing one or more strings and SHALL be present. ransomnotes is
Dulaunoy, et al. Expires October 3, 2018 [Page 5]
Internet-Draft MISP galaxy format April 2018
represented as an array containing one or more strings ans SHALL be
present.
Example use of the encryption, extensions, ransomnotes fields in the
ransomware galaxy:
{
"meta": {
"refs": [
"https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/",
"https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html"
],
"ransomnotes": [
"https://2.bp.blogspot.com/-KkPVDxjy8tk/WM7LtYHmuAI/AAAAAAAAEUw/kDJghaq-j1AZuqjzqk2Fkxpp4yr9Yeb5wCLcB/s1600/revenge-note-2.jpg",
"===ENGLISH=== All of your files were encrypted using REVENGE Ransomware. The action required to restore the files. Your files are not lost, they can be returned to their normal state by decoding them. The only way to do this is to get the software and your personal decryption key. Using any other software that claims to be able to recover your files will result in corrupted or destroyed files. You can purchase the software and the decryption key by sending us an email with your ID. And we send instructions for payment. After payment, you receive the software to return all files. For proof, we can decrypt one file for free. Attach it to an e-mail.",
"# !!!HELP_FILE!!! #.txt"
],
"encryption": "AES-256 + RSA-1024",
"extensions": [
".REVENGE"
],
"date": "March 2017"
},
"description": "This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. CryptoMix / CryptFile2 Variant",
"value": "Revenge Ransomware",
"uuid": "987d36d5-6ba8-484d-9e0b-7324cc886b0e"
}
source-uuid, target-uuid SHALL be used to describe relationships.
source-uuid and target-uuid represent the Universally Unique
IDentifier (UUID) [RFC4122] of the value reference. source-uuid and
target-uuid MUST be preserved.
Example use of the source-uuid, target-uuid fields in the mitre-
enterprise-attack-relationship galaxy:
{
"meta": {
"source-uuid": "222fbd21-fc4f-4b7e-9f85-0e6e3a76c33f",
"target-uuid": "2f1a9fd0-3b7c-4d77-a358-78db13adbe78"
},
"uuid": "cfc7da70-d7c5-4508-8f50-1c3107269633",
"value": "menuPass (G0045) uses EvilGrab (S0152)"
}
cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-
incident and cfr-target-category MAY be used to report information
gathered from CFR's (Council on Foreign Relations) [CFR] Cyber
Dulaunoy, et al. Expires October 3, 2018 [Page 6]
Internet-Draft MISP galaxy format April 2018
Operations Tracker. cfr-suspected-victims is represented as an array
containing one or more strings and SHALL be present. cfr-suspected-
state-sponsor is represented as a string and SHALL be present. cfr-
type-of-incident is represented as a string and SHALL be present.
cfr-target-category is represented as an array containing one or more
strings ans SHALL be present.
Example use of the cfr-suspected-victims, cfr-suspected-state-
sponsor, cfr-type-of-incident, cfr-target-category fields in the
threat-actor galaxy:
{
"meta": {
"country": "CN",
"refs": [
"https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html",
"https://www.cfr.org/interactive/cyber-operations/apt-16"
],
"cfr-suspected-victims": [
"Japan",
"Taiwan"
],
"cfr-suspected-state-sponsor": "China",
"cfr-type-of-incident": "Espionage",
"cfr-target-category": [
"Private sector"
]
},
"value": "APT 16",
"uuid": "1f73e14f-b882-4032-a565-26dc653b0daf"
},
3. JSON Schema
The JSON Schema [JSON-SCHEMA] below defines the overall MISP galaxy
formats. The main format is the MISP galaxy format used for the
clusters.
3.1. MISP galaxy format - clusters
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-galaxies - Clusters",
"id": "https://www.github.com/MISP/misp-galaxies/schema_clusters.json",
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
Dulaunoy, et al. Expires October 3, 2018 [Page 7]
Internet-Draft MISP galaxy format April 2018
"type": "string"
},
"type": {
"type": "string"
},
"version": {
"type": "integer"
},
"name": {
"type": "string"
},
"uuid": {
"type": "string"
},
"source": {
"type": "string"
},
"values": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "object",
"additionalProperties": false,
"properties": {
"description": {
"type": "string"
},
"value": {
"type": "string"
},
"uuid": {
"type": "string"
},
"related": {
"type": "array",
"additionalProperties": false,
"items": {
"type": "object"
},
"properties": {
"dest-uuid": {
"type": "string"
},
"type": {
"type": "string"
},
"tags": {
"type": "array",
Dulaunoy, et al. Expires October 3, 2018 [Page 8]
Internet-Draft MISP galaxy format April 2018
"uniqueItems": true,
"items": {
"type": "string"
}
}
}
},
"meta": {
"type": "object",
"additionalProperties": true,
"properties": {
"type": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"complexity": {
"type": "string"
},
"effectiveness": {
"type": "string"
},
"country": {
"type": "string"
},
"possible_issues": {
"type": "string"
},
"colour": {
"type": "string"
},
"motive": {
"type": "string"
},
"impact": {
"type": "string"
},
"refs": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"synonyms": {
"type": "array",
Dulaunoy, et al. Expires October 3, 2018 [Page 9]
Internet-Draft MISP galaxy format April 2018
"uniqueItems": true,
"items": {
"type": "string"
}
},
"status": {
"type": "string"
},
"date": {
"type": "string"
},
"encryption": {
"type": "string"
},
"extensions": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"ransomnotes": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
}
}
}
},
"required": [
"value"
]
}
},
"authors": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
}
},
"required": [
"description",
"type",
"version",
Dulaunoy, et al. Expires October 3, 2018 [Page 10]
Internet-Draft MISP galaxy format April 2018
"name",
"uuid",
"values",
"authors",
"source"
]
}
4. Acknowledgements
The authors wish to thank all the MISP community who are supporting
the creation of open standards in threat intelligence sharing.
5. References
5.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, <https://www.rfc-
editor.org/info/rfc2119>.
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122,
DOI 10.17487/RFC4122, July 2005, <https://www.rfc-
editor.org/info/rfc4122>.
DOI 10.17487/RFC4122, July 2005,
<https://www.rfc-editor.org/info/rfc4122>.
[RFC4627] Crockford, D., "The application/json Media Type for
JavaScript Object Notation (JSON)", RFC 4627,
DOI 10.17487/RFC4627, July 2006, <https://www.rfc-
editor.org/info/rfc4627>.
DOI 10.17487/RFC4627, July 2006,
<https://www.rfc-editor.org/info/rfc4627>.
4.2. Informative References
5.2. Informative References
[MISP-G] MISP, , "MISP Galaxy -", <https://github.com/MISP/misp-
galaxy>.
[CFR] CFR, "Cyber Operations Tracker - Council on Foreign
Relations", 2018,
<https://www.cfr.org/interactive/cyber-operations>.
[MISP-P] MISP, , "MISP Project - Malware Information Sharing
Platform and Threat Sharing", <https://github.com/MISP>.
[JSON-SCHEMA]
"JSON Schema: A Media Type for Describing JSON Documents",
2016,
<https://tools.ietf.org/html/draft-wright-json-schema>.
[MISP-G] MISP, "MISP Galaxy - Public Repository",
<https://github.com/MISP/misp-galaxy>.
Dulaunoy, et al. Expires October 3, 2018 [Page 11]
Internet-Draft MISP galaxy format April 2018
[MISP-G-DOC]
MISP, "MISP Galaxy - Documentation of the Public
Repository", <https://www.misp-project.org/galaxy.html>.
[MISP-P] MISP, "MISP Project - Malware Information Sharing Platform
and Threat Sharing", <https://github.com/MISP>.
[MISP-R] MISP, "MISP Object Relationship Types - common vocabulary
of relationships", <https://github.com/MISP/misp-
objects/tree/master/relationships>.
Authors' Addresses
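Review bot: the "related" definition in the 3.1 schema (the block starting with "related": { "type": "array") places "properties" (dest-uuid, type, tags) and "additionalProperties": false at the array level, where JSON Schema ignores them; "items" is only { "type": "object" }, so any object with any keys passes and the intended restriction is never enforced. Move "properties" and "additionalProperties" inside "items". Three smaller points in the same hunk: the APT 16 example ends with "}," (a trailing comma after the closing brace), which is not valid JSON for a standalone example; "ans SHALL be present" appears twice in the new text (ransomnotes and cfr-target-category paragraphs) and should be "and SHALL be present"; and the fields newly described here (source-uuid, target-uuid, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category) are not listed under meta in the schema, so they validate only because meta has "additionalProperties": true. Listing them with their stated types would let the schema catch a cfr-target-category supplied as a string instead of an array.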
@ -271,17 +651,6 @@ Authors' Addresses
Email: andras.iklody@circl.lu
Dulaunoy, et al. Expires October 3, 2018 [Page 5]
Internet-Draft MISP galaxy format April 2018
Deborah Servili
Computer Incident Response Center Luxembourg
16, bd d'Avranches
@ -300,37 +669,4 @@ Internet-Draft MISP galaxy format April 2018
Dulaunoy, et al. Expires October 3, 2018 [Page 6]
Dulaunoy, et al. Expires October 3, 2018 [Page 12]
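Review bot: the renumbered closing footer still reads "Expires October 3, 2018" and the page headers added throughout this file still say "April 2018". If the draft's date metadata was advanced for this revision, the .txt rendering should be regenerated so that the header date and the expiry date move with it; otherwise the new page 12 carries an expiry that predates the draft's own date.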

View File

@ -99,7 +99,7 @@ version is represented as a JSON string. version **MUST** be present.
meta-category represents the sub-category of objects that the given object template belongs to. meta-categories are not tied to a fixed list of options but can be created on the fly.
meta-category is represented as a JSON string. meta-category **MUST** be present
meta-category is represented as a JSON string. meta-category **MUST** be present.
#### name

View File

@ -1,5 +1,5 @@
% Title = "MISP galaxy format"
% abbrev = "MISP galaxy format"
% Title = "MISP warning lists format"
% abbrev = "MISP warning lists format"
% category = "info"
% docName = "draft-dulaunoy-misp-warninglists-format"
% ipr= "trust200902"