% Title = "MISP noticelist format"
% abbrev = "MISP noticelist format"
% category = "info"
% docName = "draft-dulaunoy-misp-noticelist-format"
% ipr= "trust200902"
% area = "Security"
%
% date = 2018-04-01T00:00:00Z
%
% [[author]]
% initials="A."
% surname="Dulaunoy"
% fullname="Alexandre Dulaunoy"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "alexandre.dulaunoy@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = "16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"
% [[author]]
% initials="A."
% surname="Iklody"
% fullname="Andras Iklody"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "andras.iklody@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = " 16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"
% [[author]]
% initials="D."
% surname="Servili"
% fullname="Deborah Servili"
% abbrev="CIRCL"
% organization = "Computer Incident Response Center Luxembourg"
% [author.address]
% email = "deborah.servili@circl.lu"
% phone = "+352 247 88444"
% [author.address.postal]
% street = " 16, bd d'Avranches"
% city = "Luxembourg"
% code = "L-1611"
% country = "Luxembourg"

.# Abstract

This document describes the MISP noticelist format, a simple JSON format to represent lists of notices to show to the user about the information they use or share in MISP. A public directory of MISP noticelists is available and relies on this format.

{mainmatter}

# Introduction

Sharing threat information has become a fundamental requirement for the Internet, security and intelligence communities at large. Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. However, some information still cannot be shared freely with everyone, for several reasons, and it is essential for users to have a way to know which information they have to be cautious with, as well as an easy way for administrators to remind users of it.

MISP noticelist is a public repository of lists of notices to show to users about the information they use or share.

# Conventions and Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [@!RFC2119].

# Format

Noticelists are represented as a JSON [@!RFC4627] dictionary.

## Overview

The MISP noticelist format uses the JSON [@!RFC4627] format. Each noticelist is represented as a JSON object with meta information including the following fields: name, expended_name, ref, geographical_area and notice.

name defines the name of the noticelist. It MUST match the name of the folder containing the list. The name is represented as a string and MUST be present.

expended_name defines the full name of the noticelist. The expended_name is represented by a string and MUST be present.

ref defines the references used to create the noticelist. ref is represented as an array containing one or more references and MUST be present. Each reference is a string and MUST be present.

geographical_area defines the geographical area affected by this noticelist. geographical_area is represented as an array containing one or more descriptions of geographical areas and SHOULD be present. Each geographical area is a string and SHOULD be present.

notice is represented as an array containing one or more values and MUST be present. notice defines all values available in the noticelist.

## notice

The notice array contains one or more JSON objects which represent all the possible values in the noticelist. The JSON object contains five fields: scope, field, value, tags and message.

scope is represented as an array containing one or more scopes to which the notice applies and MUST be present. Each scope is a string and MUST be present.

field is represented as an array containing one or more fields to which the notice applies and MUST be present. Each field is a string and MUST be present.

value is represented as an array containing one or more values and MUST be present. Each value is a string and MUST be present.

tags is represented as an array containing one or more tags and MUST be present. Each tag is a string and MUST be present.

message is represented as a JSON dictionary containing one or more messages translated into different languages and MUST be present. Each element in the message dictionary is a name/value pair where the name designates a language and the value is a string containing the message to display to the user. These elements MUST be present.
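As an added illustration, not part of this draft nor of the MISP project's own code, the following Python validator applies the MUST/SHOULD rules from the Overview and notice sections to a constructed sample noticelist (field names taken exactly as written above, including expended_name) and shows how a notice's scope, field and value select the message to display. The folder-name check takes the folder name as a parameter, and the fallback to the "en" message when the requested language is absent is an assumption of this example, not a rule of the format.

```python
import json

# Constructed sample noticelist (not a real MISP list); field names follow the text above.
SAMPLE = json.loads("""{
  "name": "example-list", "expended_name": "Example notice list",
  "ref": ["https://example.org/policy"], "geographical_area": ["EU"],
  "notice": [{
    "scope": ["attribute"], "field": ["type"], "value": ["ip-dst", "ip-src"],
    "tags": ["tlp:amber"],
    "message": {"en": "IP addresses may be personal data.", "fr": "Donnees personnelles possibles."}
  }]
}""")

def _string_array(obj, key, out):
    """Append a violation to out unless obj[key] is an array of one or more strings."""
    val = obj.get(key)
    if not isinstance(val, list) or not val or not all(isinstance(v, str) for v in val):
        out.append(f"'{key}' must be an array of one or more strings")

def validate_noticelist(nl, folder_name=None):
    """Return {'errors': [...], 'warnings': [...]}; empty errors means the list is valid."""
    errors, warnings = [], []
    for key in ("name", "expended_name"):
        if not isinstance(nl.get(key), str) or not nl[key]:
            errors.append(f"'{key}' must be a present, non-empty string")
    # name MUST match the folder containing the list, when the caller knows it
    if folder_name is not None and nl.get("name") != folder_name:
        errors.append(f"name {nl.get('name')!r} does not match folder {folder_name!r}")
    _string_array(nl, "ref", errors)                  # MUST be present
    _string_array(nl, "geographical_area", warnings)  # SHOULD: report, do not reject
    notices = nl.get("notice")
    if not isinstance(notices, list) or not notices:
        errors.append("'notice' must be an array of one or more objects")
        return {"errors": errors, "warnings": warnings}
    for i, n in enumerate(notices):
        for key in ("scope", "field", "value", "tags"):
            _string_array(n, key, errors)
        msg = n.get("message")  # language -> message string, one or more entries
        if not isinstance(msg, dict) or not msg or not all(
                isinstance(k, str) and isinstance(v, str) for k, v in msg.items()):
            errors.append(f"notice[{i}].message must map language codes to strings")
    return {"errors": errors, "warnings": warnings}

def applicable_messages(nl, scope, field, value, lang="en"):
    """Messages to show for an item of scope whose field has value; falls back to 'en' (assumption)."""
    return [n["message"].get(lang, n["message"].get("en"))
            for n in nl["notice"]
            if scope in n["scope"] and field in n["field"] and value in n["value"]]
```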