mirror of https://github.com/MISP/misp-rfc
Network Working Group                                        M. Dulaunoy
Internet-Draft                                                     CIRCL
Intended status: Informational                           October 1, 2016
Expires: April 4, 2017


                            MISP core format
                    draft-dulaunoy-misp-core-format

Abstract

   This document describes the MISP core format used to exchange
   indicators and threat information between MISP (Malware Information
   and threat Sharing Platform) instances.  The JSON format includes the
   overall structure along with the semantics associated with each
   respective key.  The format is described to support other
   implementations that reuse the format and to ensure interoperability
   with existing MISP [MISP-P] software and other Threat Intelligence
   Platforms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 4, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Format
     2.1.  Overview
     2.2.  Event
   3.  References
     3.1.  Normative References
     3.2.  Informative References
   Appendix A.  Acknowledgements
   Author's Address

1.  Introduction

   Sharing threat information has become a fundamental requirement in
   the Internet, security and intelligence community at large.  Threat
   information can include indicators of compromise, malicious file
   indicators, financial fraud indicators or even detailed information
   about a threat actor.  MISP started as an open source project in late
   2011

2.  Format

2.1.  Overview

   The MISP core format is in the JSON [RFC4627] format.  In MISP, an
   event is composed of a single JSON object.

2.2.  Event

   An event is a simple meta structure scheme where attributes are
   embedded

3.  References

3.1.  Normative References

   [RFC4627]  Crockford, D., "The application/json Media Type for
              JavaScript Object Notation (JSON)", RFC 4627,
              DOI 10.17487/RFC4627, July 2006,
              <http://www.rfc-editor.org/info/rfc4627>.

3.2.  Informative References

   [MISP-P]   MISP, "MISP Project - Malware Information Sharing
              Platform and Threat Sharing", <https://github.com/MISP>.

Appendix A.  Acknowledgements

   The authors wish to thank the whole MISP community for supporting
   the creation of open standards in threat intelligence sharing.

Author's Address

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   41, avenue de la gare
   Luxembourg  L-1611
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu