chg: [misp-standard] updated core-format, galaxy-format and sightingdb-format

pull/2/head
Alexandre Dulaunoy 2020-05-27 14:20:36 +02:00
parent 9c609a4d8a
commit baaa6cc907
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
6 changed files with 244 additions and 226 deletions


@ -421,9 +421,9 @@
<meta name="dct.creator" content="Dulaunoy, A. and A. Iklody" />
<meta name="dct.identifier" content="urn:ietf:id:" />
<meta name="dct.issued" scheme="ISO8601" content="2020-01-22" />
<meta name="dct.abstract" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms." />
<meta name="description" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms." />
<meta name="dct.issued" scheme="ISO8601" content="2020-05-26" />
<meta name="dct.abstract" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms." />
<meta name="description" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms." />
</head>
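Review bot: the rewritten dct.abstract and description meta content carries two grammar problems over from the old text, and since the identical string is reused for the rendered Abstract and for the plain-text draft in this same commit, it is best fixed once in the source before regenerating: "ensuring an interoperability with existing MISP software" should read "ensure interoperability with existing MISP software", and "the semantic associated for each respective key" should read "the semantics associated with each key". The new parenthetical also needs a comma: "(Open Source Threat Intelligence Sharing Platform, formerly known as Malware Information Sharing Platform)". Unrelated to the change but visible in the context lines, the dct.identifier content "urn:ietf:id:" is still missing the draft name.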
@ -441,12 +441,12 @@
<td class="right">A. Iklody</td>
</tr>
<tr>
<td class="left">Expires: July 25, 2020</td>
<td class="left">Expires: November 27, 2020</td>
<td class="right">CIRCL</td>
</tr>
<tr>
<td class="left"></td>
<td class="right">January 22, 2020</td>
<td class="right">May 26, 2020</td>
</tr>
@ -457,12 +457,12 @@
<span class="filename"></span></p>
<h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
<p>This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP <a href="#MISP-P" class="xref">[MISP-P]</a> software and other Threat Intelligence Platforms.</p>
<p>This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP <a href="#MISP-P" class="xref">[MISP-P]</a> software and other Threat Intelligence Platforms.</p>
<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
<p>This Internet-Draft will expire on July 25, 2020.</p>
<p>This Internet-Draft will expire on November 27, 2020.</p>
<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
<p>Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
@ -804,7 +804,7 @@
<br>btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
<dt>Internal reference</dt>
<dd style="margin-left: 8">
<br>text, link, comment, other, hex, anonymised</dd>
<br>text, link, comment, other, hex, anonymised, git-commit-id</dd>
<dt>Network activity</dt>
<dd style="margin-left: 8">
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
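Review bot: git-commit-id is appended to the Internal reference type list, but the hunk gives no value format for the new type, unlike the neighbouring hash and hex types whose names make the expected value obvious. Consider documenting the expected value (a hexadecimal git object name, stating which lengths are accepted, since git object names are SHA-1 in existing repositories and SHA-256 in repositories created with the newer object format) in the place where the other type value formats are described, so that implementations can validate it. The same addition appears in the second HTML copy and in both plain-text copies of the list, so the four lists stay consistent with each other.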
@ -1002,7 +1002,7 @@
<br>btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
<dt>Internal reference</dt>
<dd style="margin-left: 8">
<br>text, link, comment, other, hex, anonymised</dd>
<br>text, link, comment, other, hex, anonymised, git-commit-id</dd>
<dt>Network activity</dt>
<dd style="margin-left: 8">
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
@ -2314,7 +2314,7 @@
<tr>
<td class="reference"><b id="MISP-P">[MISP-P]</b></td>
<td class="top">
<a>Community, M.</a>, "<a href="https://github.com/MISP">MISP Project - Malware Information Sharing Platform and Threat Sharing</a>"</td>
<a>Community, M.</a>, "<a href="https://github.com/MISP">MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing</a>"</td>
</tr>
<tr>
<td class="reference"><b id="MISP-R">[MISP-R]</b></td>


@ -4,8 +4,8 @@
Network Working Group A. Dulaunoy
Internet-Draft A. Iklody
Expires: July 25, 2020 CIRCL
January 22, 2020
Expires: November 27, 2020 CIRCL
May 26, 2020
MISP core format
@ -13,13 +13,13 @@ Expires: July 25, 2020 CIRCL
Abstract
This document describes the MISP core format used to exchange
indicators and threat information between MISP (Malware Information
and threat Sharing Platform) instances. The JSON format includes the
overall structure along with the semantic associated for each
respective key. The format is described to support other
implementations which reuse the format and ensuring an
interoperability with existing MISP [MISP-P] software and other
Threat Intelligence Platforms.
indicators and threat information between MISP (Open Source Threat
Intelligence Sharing Platform formerly known as Malware Information
Sharing Platform) instances. The JSON format includes the overall
structure along with the semantic associated for each respective key.
The format is described to support other implementations which reuse
the format and ensuring an interoperability with existing MISP
[MISP-P] software and other Threat Intelligence Platforms.
Status of This Memo
@ -36,7 +36,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 25, 2020.
This Internet-Draft will expire on November 27, 2020.
Copyright Notice
@ -53,9 +53,9 @@ Copyright Notice
Dulaunoy & Iklody Expires July 25, 2020 [Page 1]
Dulaunoy & Iklody Expires November 27, 2020 [Page 1]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
the Trust Legal Provisions and are provided without warranty as
@ -109,9 +109,9 @@ Table of Contents
Dulaunoy & Iklody Expires July 25, 2020 [Page 2]
Dulaunoy & Iklody Expires November 27, 2020 [Page 2]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
1. Introduction
@ -165,9 +165,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 3]
Dulaunoy & Iklody Expires November 27, 2020 [Page 3]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.2.1.2. id
@ -221,9 +221,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 4]
Dulaunoy & Iklody Expires November 27, 2020 [Page 4]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.2.1.6. analysis
@ -277,9 +277,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 5]
Dulaunoy & Iklody Expires November 27, 2020 [Page 5]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.2.1.10. org_id
@ -333,9 +333,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 6]
Dulaunoy & Iklody Expires November 27, 2020 [Page 6]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
All Communities
@ -389,9 +389,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 7]
Dulaunoy & Iklody Expires November 27, 2020 [Page 7]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"Org": {
@ -445,9 +445,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 8]
Dulaunoy & Iklody Expires November 27, 2020 [Page 8]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"Attribute": {
@ -501,9 +501,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 9]
Dulaunoy & Iklody Expires November 27, 2020 [Page 9]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
Antivirus detection
@ -546,7 +546,7 @@ Internet-Draft MISP core format January 2020
number, prtn, phone-number, comment, text, other, hex, anonymised
Internal reference
text, link, comment, other, hex, anonymised
text, link, comment, other, hex, anonymised, git-commit-id
Network activity
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
@ -557,9 +557,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 10]
Dulaunoy & Iklody Expires November 27, 2020 [Page 10]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other,
@ -613,9 +613,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 11]
Dulaunoy & Iklody Expires November 27, 2020 [Page 11]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
Person
@ -669,9 +669,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 12]
Dulaunoy & Iklody Expires November 27, 2020 [Page 12]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.4.2.6. event_id
@ -725,9 +725,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 13]
Dulaunoy & Iklody Expires November 27, 2020 [Page 13]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.4.2.9. comment
@ -781,9 +781,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 14]
Dulaunoy & Iklody Expires November 27, 2020 [Page 14]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.4.2.14. ShadowAttribute
@ -837,9 +837,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 15]
Dulaunoy & Iklody Expires November 27, 2020 [Page 15]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.5.1. Sample Attribute Object
@ -893,9 +893,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 16]
Dulaunoy & Iklody Expires November 27, 2020 [Page 16]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
type is represented as a JSON string. type MUST be present and it
@ -942,16 +942,16 @@ Internet-Draft MISP core format January 2020
number, prtn, phone-number, comment, text, other, hex, anonymised
Internal reference
text, link, comment, other, hex, anonymised
text, link, comment, other, hex, anonymised, git-commit-id
Network activity
Dulaunoy & Iklody Expires July 25, 2020 [Page 17]
Dulaunoy & Iklody Expires November 27, 2020 [Page 17]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
@ -1005,9 +1005,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 18]
Dulaunoy & Iklody Expires November 27, 2020 [Page 18]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
comment, text, other, anonymised
@ -1061,9 +1061,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 19]
Dulaunoy & Iklody Expires November 27, 2020 [Page 19]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
pattern for detection in Local or Network Intrusion Detection System,
@ -1117,9 +1117,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 20]
Dulaunoy & Iklody Expires November 27, 2020 [Page 20]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.5.2.10. org_id
@ -1173,9 +1173,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 21]
Dulaunoy & Iklody Expires November 27, 2020 [Page 21]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
first_seen is represented as a JSON string. first_seen MAY be
@ -1229,9 +1229,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 22]
Dulaunoy & Iklody Expires November 27, 2020 [Page 22]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
template used for its creation within. Objects belong to a meta-
@ -1285,9 +1285,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 23]
Dulaunoy & Iklody Expires November 27, 2020 [Page 23]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"Object": {
@ -1341,9 +1341,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 24]
Dulaunoy & Iklody Expires November 27, 2020 [Page 24]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.6.2.1. uuid
@ -1397,9 +1397,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 25]
Dulaunoy & Iklody Expires November 27, 2020 [Page 25]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.6.2.7. template_version
@ -1453,9 +1453,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 26]
Dulaunoy & Iklody Expires November 27, 2020 [Page 26]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
Sharing Group
@ -1509,9 +1509,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 27]
Dulaunoy & Iklody Expires November 27, 2020 [Page 27]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.6.2.16. last_seen
@ -1565,9 +1565,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 28]
Dulaunoy & Iklody Expires November 27, 2020 [Page 28]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.7.2.2. id
@ -1621,9 +1621,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 29]
Dulaunoy & Iklody Expires November 27, 2020 [Page 29]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
2.7.2.8. relationship_type
@ -1677,9 +1677,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 30]
Dulaunoy & Iklody Expires November 27, 2020 [Page 30]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
exportable represents a setting if the tag is kept local or
@ -1733,9 +1733,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 31]
Dulaunoy & Iklody Expires November 27, 2020 [Page 31]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
can be a given piece of software (e.g. SIEM), device or a specific
@ -1789,9 +1789,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 32]
Dulaunoy & Iklody Expires November 27, 2020 [Page 32]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"Sighting": [
@ -1845,9 +1845,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 33]
Dulaunoy & Iklody Expires November 27, 2020 [Page 33]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"Galaxy": [ {
@ -1901,9 +1901,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 34]
Dulaunoy & Iklody Expires November 27, 2020 [Page 34]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
3. JSON Schema
@ -1957,9 +1957,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 35]
Dulaunoy & Iklody Expires November 27, 2020 [Page 35]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"type": "object",
@ -2013,9 +2013,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 36]
Dulaunoy & Iklody Expires November 27, 2020 [Page 36]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"items": {
@ -2069,9 +2069,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 37]
Dulaunoy & Iklody Expires November 27, 2020 [Page 37]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"type": "string"
@ -2125,9 +2125,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 38]
Dulaunoy & Iklody Expires November 27, 2020 [Page 38]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"type": "string"
@ -2181,9 +2181,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 39]
Dulaunoy & Iklody Expires November 27, 2020 [Page 39]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"properties": {
@ -2237,9 +2237,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 40]
Dulaunoy & Iklody Expires November 27, 2020 [Page 40]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"properties": {
@ -2293,9 +2293,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 41]
Dulaunoy & Iklody Expires November 27, 2020 [Page 41]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"properties": {
@ -2349,9 +2349,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 42]
Dulaunoy & Iklody Expires November 27, 2020 [Page 42]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
},
@ -2405,9 +2405,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 43]
Dulaunoy & Iklody Expires November 27, 2020 [Page 43]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
},
@ -2461,9 +2461,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 44]
Dulaunoy & Iklody Expires November 27, 2020 [Page 44]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"type": "string"
@ -2517,9 +2517,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 45]
Dulaunoy & Iklody Expires November 27, 2020 [Page 45]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"uniqueItems": true,
@ -2573,9 +2573,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 46]
Dulaunoy & Iklody Expires November 27, 2020 [Page 46]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"type": "boolean"
@ -2629,9 +2629,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 47]
Dulaunoy & Iklody Expires November 27, 2020 [Page 47]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"type": "object",
@ -2685,9 +2685,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 48]
Dulaunoy & Iklody Expires November 27, 2020 [Page 48]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"Event": {
@ -2741,9 +2741,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 49]
Dulaunoy & Iklody Expires November 27, 2020 [Page 49]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
o integrity:pgp represents a detached PGP signature [RFC4880] of the
@ -2797,9 +2797,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 50]
Dulaunoy & Iklody Expires November 27, 2020 [Page 50]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
"name": "circl:incident-classification=\"malware\""
@ -2853,9 +2853,9 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 51]
Dulaunoy & Iklody Expires November 27, 2020 [Page 51]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
9.1. Normative References
@ -2887,8 +2887,9 @@ Internet-Draft MISP core format January 2020
Documents", 2016,
<https://tools.ietf.org/html/draft-wright-json-schema>.
[MISP-P] Community, M., "MISP Project - Malware Information Sharing
Platform and Threat Sharing", <https://github.com/MISP>.
[MISP-P] Community, M., "MISP Project - Open Source Threat
Intelligence Platform and Open Standards For Threat
Information Sharing", <https://github.com/MISP>.
[MISP-R] Community, M., "MISP Object Relationship Types - common
vocabulary of relationships", <https://github.com/MISP/
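Review bot: the new [MISP-P] reference title expands the project name as "Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing", while the abstract rewritten in this same commit calls it "Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform"; pick one expansion and use it in both places so the reference matches the text that cites it. Minor: "For" should be lowercase in the title.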
@ -2908,10 +2909,9 @@ Authors' Addresses
Dulaunoy & Iklody Expires July 25, 2020 [Page 52]
Dulaunoy & Iklody Expires November 27, 2020 [Page 52]
Internet-Draft MISP core format January 2020
Internet-Draft MISP core format May 2020
Alexandre Dulaunoy
@ -2965,4 +2965,4 @@ Internet-Draft MISP core format January 2020
Dulaunoy & Iklody Expires July 25, 2020 [Page 53]
Dulaunoy & Iklody Expires November 27, 2020 [Page 53]


@ -522,7 +522,7 @@
<h1 id="rfc.section.2.4">
<a href="#rfc.section.2.4">2.4.</a> <a href="#meta" id="meta">meta</a>
</h1>
<p id="rfc.section.2.4.p.1">Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.</p>
<p id="rfc.section.2.4.p.1">Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, suspected-victims, suspected-state-sponsor, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.</p>
<p id="rfc.section.2.4.p.2">refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. official-refs is represented as an array containing one or more strings and SHALL be present.</p>
<p id="rfc.section.2.4.p.3">date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.</p>
<p id="rfc.section.2.4.p.4">colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.</p>
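Review bot: the new key list duplicates suspected-victims and suspected-state-sponsor: both already appear earlier in the same sentence (right after ransomnotes-refs), and the change inserts them a second time after cfr-target-category. Drop the second occurrence, or, if the intent was to add further cfr- prefixed variants, fix the names. While this paragraph is being touched, the unchanged context has "give further informations" (should be "information") and "about an cluster" (should be "a cluster").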


@ -195,10 +195,10 @@ Internet-Draft MISP galaxy format October 2019
filenames, ransomnotes-refs, suspected-victims, suspected-state-
sponsor, type-of-incident, target-category, cfr-suspected-victims,
cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
category, attribution-confidence, payment-method, price, spoken-
language, official-refs wherever applicable. Additional meta field
MAY be added without the need to be referenced or registered in
advance.
category, suspected-victims, suspected-state-sponsor, attribution-
confidence, payment-method, price, spoken-language, official-refs
wherever applicable. Additional meta field MAY be added without the
need to be referenced or registered in advance.
refs, synonyms, official-refs SHALL be used to give further
informations. refs is represented as an array containing one or more
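Review bot: same duplication as in the HTML rendering: suspected-victims and suspected-state-sponsor are already listed a few lines above (after ransomnotes-refs), so the inserted "category, suspected-victims, suspected-state-sponsor, attribution-" repeats them. Remove the repeat in the source so that the text and HTML outputs are regenerated from one corrected list rather than patched separately.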


@ -385,7 +385,8 @@
<link href="#rfc.section.2.3" rel="Chapter" title="2.3 Value">
<link href="#rfc.section.2.3.1" rel="Chapter" title="2.3.1 Configuring the value format for a Namespace">
<link href="#rfc.section.2.4" rel="Chapter" title="2.4 Bulk">
<link href="#rfc.section.2.4.1" rel="Chapter" title="2.4.1 Response">
<link href="#rfc.section.2.4.1" rel="Chapter" title="2.4.1 Request">
<link href="#rfc.section.2.4.2" rel="Chapter" title="2.4.2 Response">
<link href="#rfc.section.3" rel="Chapter" title="3 Security Considerations">
<link href="#rfc.section.4" rel="Chapter" title="4 Acknowledgements">
<link href="#rfc.references" rel="Chapter" title="5 Normative References">
@ -397,7 +398,7 @@
<meta name="dct.creator" content="Tricaud, S." />
<meta name="dct.identifier" content="urn:ietf:id:" />
<meta name="dct.issued" scheme="ISO8601" content="2019-11-03" />
<meta name="dct.issued" scheme="ISO8601" content="2020-04-13" />
<meta name="dct.abstract" content="This document describes the format used by SightingDB to give automated context to a given Attribute by counting occurrences and tracking times of observability. SightingDB was designed to provide to MISP a Scalable and Fast way to store and retrieve Attributes." />
<meta name="description" content="This document describes the format used by SightingDB to give automated context to a given Attribute by counting occurrences and tracking times of observability. SightingDB was designed to provide to MISP a Scalable and Fast way to store and retrieve Attributes." />
@ -417,8 +418,8 @@
<td class="right">Devo Inc.</td>
</tr>
<tr>
<td class="left">Expires: May 6, 2020</td>
<td class="right">November 3, 2019</td>
<td class="left">Expires: October 15, 2020</td>
<td class="right">April 13, 2020</td>
</tr>
@ -434,9 +435,9 @@
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
<p>This Internet-Draft will expire on May 6, 2020.</p>
<p>This Internet-Draft will expire on October 15, 2020.</p>
<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
<p>Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
<p>Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
@ -466,7 +467,9 @@
</li>
</ul><li>2.4. <a href="#rfc.section.2.4">Bulk</a>
</li>
<ul><li>2.4.1. <a href="#rfc.section.2.4.1">Response</a>
<ul><li>2.4.1. <a href="#rfc.section.2.4.1">Request</a>
</li>
<li>2.4.2. <a href="#rfc.section.2.4.2">Response</a>
</li>
</ul></ul><li>3. <a href="#rfc.section.3">Security Considerations</a>
</li>
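Review bot: the two new table-of-contents entries are added in the same shape as the surrounding ones, where each nested `<ul>` is emitted as a sibling of the `<li>` it belongs to (`</li>` followed by `<ul><li>2.4.1. ...`) rather than inside it; `ul` only permits `li` children, so the generated TOC is not valid HTML. Browsers tolerate it, but this is worth raising with the generator configuration rather than patching by hand here.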
@ -494,7 +497,7 @@
<h1 id="rfc.section.2.1">
<a href="#rfc.section.2.1">2.1.</a> <a href="#overview" id="overview">Overview</a>
</h1>
<p id="rfc.section.2.1.p.1">The SightingDB format is in JSON <a href="#RFC8259" class="xref">[RFC8259]</a> format and used to query a SightingDB compatible connector. In SightingDB, a Sighting Object is composed of a single JSON object. This object contains the following fields: value, first<em>seen, last</em>seen, count, tags, ttl and manifold.</p>
<p id="rfc.section.2.1.p.1">The SightingDB format is in JSON <a href="#RFC8259" class="xref">[RFC8259]</a> format and used to query a SightingDB compatible connector. In SightingDB, a Sighting Object is composed of a single JSON object. This object contains the following fields: value, first<em>seen, last</em>seen, count, tags, ttl and consensus.</p>
<h1 id="rfc.section.2.1.1">
<a href="#rfc.section.2.1.1">2.1.1.</a> <a href="#attribute-storage" id="attribute-storage">Attribute Storage</a>
</h1>
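Review bot: the overview line being rewritten still renders the field names as `first<em>seen, last</em>seen`: the underscores in `first_seen, last_seen` were taken as emphasis markers by the markdown processor, so the HTML shows "first", then italic "seen, last", then "seen". The plain-text rendering of the same sentence in this commit shows `first_seen, last_seen` correctly, so this is a source escaping problem; since the sentence is being touched for the consensus rename anyway, escape the underscores (`first\_seen`, `last\_seen`) or put the field names in backticks so that the HTML and text outputs agree.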
@ -507,10 +510,9 @@
<p id="rfc.section.2.1.2.p.3">Reserved namespaces are:</p>
<p id="rfc.section.2.1.2.p.4">_expired/&lt;namespace&gt;: Which contains all the attributes that expired, preserving the origin namespace</p>
<p id="rfc.section.2.1.2.p.5">_shadow/&lt;namespace&gt;: When a value is searched and does not exists, it is stored there</p>
<p id="rfc.section.2.1.2.p.6">_stats: Statistics</p>
<p id="rfc.section.2.1.2.p.7">_config: Configuration</p>
<p id="rfc.section.2.1.2.p.8">_all: All the Attributes in one place, used to retrieve the 'manifold' property.</p>
<p id="rfc.section.2.1.2.p.9">The Attribute Key MUST always be the last part of the Namespace.</p>
<p id="rfc.section.2.1.2.p.6">_config: Configuration</p>
<p id="rfc.section.2.1.2.p.7">_all: All the Attributes in one place, used to retrieve the 'consensus' property.</p>
<p id="rfc.section.2.1.2.p.8">The Attribute Key MUST always be the last part of the Namespace.</p>
<h1 id="rfc.section.2.1.2.1">
<a href="#rfc.section.2.1.2.1">2.1.2.1.</a> <a href="#sample-namespaces" id="sample-namespaces">Sample Namespaces</a>
</h1>
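Review bot: dropping `_stats: Statistics` from the list of reserved namespaces is a behavioural change that nothing else in the hunk (the manifold-to-consensus rename) explains. Once the name is no longer reserved, a conforming implementation may accept a user namespace called `_stats`, and any deployment that already writes statistics there will collide with it. Either state explicitly that `_stats` is no longer reserved and why, or keep it in the list. Note also that the paragraph `id` attributes shift (`rfc.section.2.1.2.p.8` now points at the "Attribute Key MUST always be the last part" sentence instead of `_all`), so existing deep links into this section change meaning; that is the generator's doing, but worth knowing before publishing.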
@ -547,9 +549,9 @@
<p id="rfc.section.2.1.3.6.p.2">When an Attribute has this field set to 0, it means it is not set to expired. This is the default behavior.</p>
<p id="rfc.section.2.1.3.6.p.3">When an Attribute has this field set to a number greater than 0, the expiration status is computed only at retrieval time.</p>
<h1 id="rfc.section.2.1.3.7">
<a href="#rfc.section.2.1.3.7">2.1.3.7.</a> <a href="#manifold" id="manifold">manifold</a>
<a href="#rfc.section.2.1.3.7">2.1.3.7.</a> <a href="#consensus" id="consensus">consensus</a>
</h1>
<p id="rfc.section.2.1.3.7.p.1">When a given Attribute Value is stored in different namespaces, the manifold field keeps track of them so it returns in how many different places this attributes exists. This is a simple counter.</p>
<p id="rfc.section.2.1.3.7.p.1">When a given Attribute Value is stored in different namespaces, the consensus field keeps track of them so it returns in how many different places this attributes exists. This is a simple counter.</p>
<h1 id="rfc.section.2.2">
<a href="#rfc.section.2.2">2.2.</a> <a href="#sightingdb-format-one-attribute" id="sightingdb-format-one-attribute">SightingDB Format - One Attribute</a>
</h1>
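Review bot: this hunk renames the public field and the fragment anchor at the same time (`id="manifold"` becomes `id="consensus"`), and nothing in it says that `manifold` is still accepted or emitted. A client written against the previous draft that reads `manifold` from a response gets nothing back. Add a sentence recording that `manifold` is the former name of `consensus`, or have implementations emit both during a transition. The definition itself is unchanged and still reads "in how many different places this attributes exists"; fix to "this attribute exists" while the line is being rewritten.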
@ -560,7 +562,7 @@
"count":578391,
"tags":"",
"ttl":0,
"manifold": 17
"consensus": 17
}
</pre>
<h1 id="rfc.section.2.3">
@ -586,20 +588,36 @@
<p id="rfc.section.2.4.p.1">When data must be sent and received in large amounts, it is preferable to embed in JSON all the objects at once. As such, for reading and writing, the format is the following:</p>
<pre>{
"items": [
{ "/your/namespace": "127.0.0.1" },
{ "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db" }
{ "&lt;namespace&gt;": "&lt;value&gt;" },
{ "&lt;namespace&gt;": "&lt;value&gt;", "timestamp": &lt;epoch&gt; }
]
}
</pre>
<p id="rfc.section.2.4.p.2">Which will either store or retrieve the wanted data.</p>
<p id="rfc.section.2.4.p.2">Where:</p>
<p id="rfc.section.2.4.p.3">namespace: is the wanted namespace where to store the value</p>
<p id="rfc.section.2.4.p.4">value: the value one want to track</p>
<p id="rfc.section.2.4.p.5">timestamp: OPTIONAL epoch timestamp to set the value at.</p>
<p id="rfc.section.2.4.p.6">The timestamp is how one can use SightingDB and use old datasets where the first seen and last seen is not relative to "right now".</p>
<h1 id="rfc.section.2.4.1">
<a href="#rfc.section.2.4.1">2.4.1.</a> <a href="#response" id="response">Response</a>
<a href="#rfc.section.2.4.1">2.4.1.</a> <a href="#request" id="request">Request</a>
</h1>
<p id="rfc.section.2.4.1.p.1">The response when retrieving sightings also has the list of items, in order, one per line of the results:</p>
<p id="rfc.section.2.4.1.p.1">A Proper request with two items is made like this:</p>
<pre>{
"items": [
{ "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "manifold": 1 },
{ "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "manifold": 3 }
{ "/your/namespace": "127.0.0.1" },
{ "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db", "timestamp": 1586825229 }
]
}
</pre>
<p id="rfc.section.2.4.1.p.2">Which will either store or retrieve the wanted data.</p>
<h1 id="rfc.section.2.4.2">
<a href="#rfc.section.2.4.2">2.4.2.</a> <a href="#response" id="response">Response</a>
</h1>
<p id="rfc.section.2.4.2.p.1">The response when retrieving sightings also has the list of items, in order, one per line of the results:</p>
<pre>{
"items": [
{"value": "Octave_Hergebel", "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "consensus": 1},
{"value": "127.0.0.1", "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "consensus": 3}
]
}
</pre>
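Review bot: the bulk item schema introduced here, `{ "<namespace>": "<value>", "timestamp": <epoch> }`, puts a caller-chosen key (the namespace path) next to a fixed key in one object, so a consumer has to look for "the key that is not timestamp", and a namespace whose last component is literally `timestamp` cannot be expressed at all. A fixed shape such as `{ "namespace": "/your/namespace", "value": "127.0.0.1", "timestamp": 1586825229 }` avoids both problems. Three smaller points in the same hunk: the response section says items come back "in order", yet the request example lists `127.0.0.1` then the SHA-256 hash while the response example returns `Octave_Hergebel` then `127.0.0.1`, so the two examples do not illustrate each other; the semantics of `timestamp` are left open (does it set `first_seen`, `last_seen`, or both, and what happens when it is earlier than the stored `first_seen`), which the sentence about old datasets implies but does not state; and the same request body is said to "either store or retrieve" without saying how the two are distinguished. "A Proper request" should read "A proper request".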


@ -4,7 +4,7 @@
Network Working Group S. Tricaud
Internet-Draft Devo Inc.
Expires: May 6, 2020 November 3, 2019
Expires: October 15, 2020 April 13, 2020
SightingDB query format
@ -31,11 +31,11 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 6, 2020.
This Internet-Draft will expire on October 15, 2020.
Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
@ -53,9 +53,9 @@ Copyright Notice
Tricaud Expires May 6, 2020 [Page 1]
Tricaud Expires October 15, 2020 [Page 1]
Internet-Draft SightingDB query format November 2019
Internet-Draft SightingDB query format April 2020
Table of Contents
@ -71,11 +71,12 @@ Table of Contents
2.3. Value . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3.1. Configuring the value format for a Namespace . . . . 5
2.4. Bulk . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.4.1. Response . . . . . . . . . . . . . . . . . . . . . . 6
2.4.1. Request . . . . . . . . . . . . . . . . . . . . . . . 6
2.4.2. Response . . . . . . . . . . . . . . . . . . . . . . 6
3. Security Considerations . . . . . . . . . . . . . . . . . . . 6
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
5. Normative References . . . . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6
5. Normative References . . . . . . . . . . . . . . . . . . . . 7
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
@ -98,22 +99,24 @@ Table of Contents
The SightingDB format is in JSON [RFC8259] format and used to query a
SightingDB compatible connector. In SightingDB, a Sighting Object is
composed of a single JSON object. This object contains the following
fields: value, first_seen, last_seen, count, tags, ttl and manifold.
fields: value, first_seen, last_seen, count, tags, ttl and consensus.
2.1.1. Attribute Storage
The fields described previously describe an Attribute and all the
required characteristics. However they are stored in a Namespace. A
Tricaud Expires October 15, 2020 [Page 2]
Internet-Draft SightingDB query format April 2020
Namespace is similar to a path in a file-system where the same file
can be stored in multiple places.
Tricaud Expires May 6, 2020 [Page 2]
Internet-Draft SightingDB query format November 2019
2.1.2. Namespace
A Namespace with multiple levels MUST be separated with the slash '/'
@ -132,12 +135,10 @@ Internet-Draft SightingDB query format November 2019
_shadow/<namespace>: When a value is searched and does not exists, it
is stored there
_stats: Statistics
_config: Configuration
_all: All the Attributes in one place, used to retrieve the
'manifold' property.
'consensus' property.
The Attribute Key MUST always be the last part of the Namespace.
@ -164,10 +165,9 @@ Internet-Draft SightingDB query format November 2019
Tricaud Expires May 6, 2020 [Page 3]
Tricaud Expires October 15, 2020 [Page 3]
Internet-Draft SightingDB query format November 2019
Internet-Draft SightingDB query format April 2020
2.1.3.2. first_seen
@ -199,10 +199,10 @@ Internet-Draft SightingDB query format November 2019
When an Attribute has this field set to a number greater than 0, the
expiration status is computed only at retrieval time.
2.1.3.7. manifold
2.1.3.7. consensus
When a given Attribute Value is stored in different namespaces, the
manifold field keeps track of them so it returns in how many
consensus field keeps track of them so it returns in how many
different places this attributes exists. This is a simple counter.
2.2. SightingDB Format - One Attribute
@ -214,16 +214,16 @@ Internet-Draft SightingDB query format November 2019
"count":578391,
"tags":"",
"ttl":0,
"manifold": 17
"consensus": 17
}
Tricaud Expires May 6, 2020 [Page 4]
Tricaud Expires October 15, 2020 [Page 4]
Internet-Draft SightingDB query format November 2019
Internet-Draft SightingDB query format April 2020
2.3. Value
@ -263,34 +263,54 @@ Internet-Draft SightingDB query format November 2019
preferable to embed in JSON all the objects at once. As such, for
reading and writing, the format is the following:
{
"items": [
{ "<namespace>": "<value>" },
{ "<namespace>": "<value>", "timestamp": <epoch> }
]
}
Where:
namespace: is the wanted namespace where to store the value
Tricaud Expires October 15, 2020 [Page 5]
Internet-Draft SightingDB query format April 2020
value: the value one want to track
timestamp: OPTIONAL epoch timestamp to set the value at.
The timestamp is how one can use SightingDB and use old datasets
where the first seen and last seen is not relative to "right now".
2.4.1. Request
A Proper request with two items is made like this:
{
"items": [
{ "/your/namespace": "127.0.0.1" },
{ "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db" }
{ "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db", "timestamp": 1586825229 }
]
}
Which will either store or retrieve the wanted data.
Tricaud Expires May 6, 2020 [Page 5]
Internet-Draft SightingDB query format November 2019
2.4.1. Response
2.4.2. Response
The response when retrieving sightings also has the list of items, in
order, one per line of the results:
{
"items": [
{ "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "manifold": 1 },
{ "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "manifold": 3 }
{"value": "Octave_Hergebel", "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "consensus": 1},
{"value": "127.0.0.1", "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "consensus": 3}
]
}
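Review bot: the new request and response example lines (the SHA-256 item with `"timestamp": 1586825229` and the two response objects that now carry `"value"`) run well past the 72-column limit for Internet-Draft text, which idnits reports as an error; the previous lines already exceeded it and this change widens them further. Wrap each JSON object over several lines as the single-attribute example in section 2.2 already does. The schema concern raised on the HTML rendering applies equally here: each item keys the namespace dynamically next to a fixed `timestamp` key.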
@ -311,6 +331,13 @@ Internet-Draft SightingDB query format November 2019
well as amazing feedback gathered during the MISP Summit 2019 in
Luxembourg, in particular with Alexandre Dulaunoy and Andras Iklody.
Tricaud Expires October 15, 2020 [Page 6]
Internet-Draft SightingDB query format April 2020
5. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
@ -325,19 +352,6 @@ Internet-Draft SightingDB query format November 2019
Author's Address
Tricaud Expires May 6, 2020 [Page 6]
Internet-Draft SightingDB query format November 2019
Sebastien Tricaud
Devo Inc.
150 Cambridgepark Drive
@ -375,18 +389,4 @@ Internet-Draft SightingDB query format November 2019
Tricaud Expires May 6, 2020 [Page 7]
Tricaud Expires October 15, 2020 [Page 7]