diff --git a/rfc/misp-standard-core.html b/rfc/misp-standard-core.html index b0051a7..6a8b3fe 100644 --- a/rfc/misp-standard-core.html +++ b/rfc/misp-standard-core.html @@ -421,9 +421,9 @@ - - - + + + @@ -441,12 +441,12 @@ A. Iklody -Expires: July 25, 2020 +Expires: November 27, 2020 CIRCL -January 22, 2020 +May 26, 2020 @@ -457,12 +457,12 @@

Abstract

-

This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP [MISP-P] software and other Threat Intelligence Platforms.

+

This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP [MISP-P] software and other Threat Intelligence Platforms.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

-

This Internet-Draft will expire on July 25, 2020.

+

This Internet-Draft will expire on November 27, 2020.

Copyright Notice

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
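Review bot: the expansion of the MISP name in the new abstract, "Open Source Threat Intelligence Sharing Platform", does not match the title given to the same project in the updated [MISP-P] reference later in this diff, "Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing"; pick one wording and use it in both places. The added phrase also needs a comma before "formerly known as", and since these lines are being rewritten anyway, the pre-existing "the semantic associated for each respective key" (the semantics associated with each key) and "ensuring an interoperability" (ensuring interoperability) could be fixed in the same hunk.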

@@ -804,7 +804,7 @@
btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised
Internal reference
-
text, link, comment, other, hex, anonymised
+
text, link, comment, other, hex, anonymised, git-commit-id
Network activity

ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject
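Review bot: git-commit-id is added to the Internal reference category mapping here (and again in the duplicate table at @@ -1002 and in both rfc/misp-standard-core.txt hunks), but no hunk in this diff touches the per-type definitions or the JSON Schema in Section 3, so a consumer validating against the schema may still reject attributes of the new type if the schema constrains type. Check those sections and, next to the other type descriptions, document the expected value format for git-commit-id (for example whether only a full-length hash is accepted or an abbreviated one too).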
@@ -1002,7 +1002,7 @@
btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised
Internal reference
-
text, link, comment, other, hex, anonymised
+
text, link, comment, other, hex, anonymised, git-commit-id
Network activity

ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject
@@ -2314,7 +2314,7 @@ [MISP-P] -Community, M., "MISP Project - Malware Information Sharing Platform and Threat Sharing" +Community, M., "MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing" [MISP-R] diff --git a/rfc/misp-standard-core.txt b/rfc/misp-standard-core.txt index 4799a34..c45c571 100644 --- a/rfc/misp-standard-core.txt +++ b/rfc/misp-standard-core.txt @@ -4,8 +4,8 @@ Network Working Group A. Dulaunoy Internet-Draft A. Iklody -Expires: July 25, 2020 CIRCL - January 22, 2020 +Expires: November 27, 2020 CIRCL + May 26, 2020 MISP core format @@ -13,13 +13,13 @@ Expires: July 25, 2020 CIRCL Abstract This document describes the MISP core format used to exchange - indicators and threat information between MISP (Malware Information - and threat Sharing Platform) instances. The JSON format includes the - overall structure along with the semantic associated for each - respective key. The format is described to support other - implementations which reuse the format and ensuring an - interoperability with existing MISP [MISP-P] software and other - Threat Intelligence Platforms. + indicators and threat information between MISP (Open Source Threat + Intelligence Sharing Platform formerly known as Malware Information + Sharing Platform) instances. The JSON format includes the overall + structure along with the semantic associated for each respective key. + The format is described to support other implementations which reuse + the format and ensuring an interoperability with existing MISP + [MISP-P] software and other Threat Intelligence Platforms. Status of This Memo @@ -36,7 +36,7 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on July 25, 2020. + This Internet-Draft will expire on November 27, 2020. Copyright Notice 
@@ -53,9 +53,9 @@ Copyright Notice -Dulaunoy & Iklody Expires July 25, 2020 [Page 1] +Dulaunoy & Iklody Expires November 27, 2020 [Page 1] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 the Trust Legal Provisions and are provided without warranty as @@ -109,9 +109,9 @@ Table of Contents -Dulaunoy & Iklody Expires July 25, 2020 [Page 2] +Dulaunoy & Iklody Expires November 27, 2020 [Page 2] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 1. Introduction @@ -165,9 +165,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 3] +Dulaunoy & Iklody Expires November 27, 2020 [Page 3] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.2.1.2. id @@ -221,9 +221,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 4] +Dulaunoy & Iklody Expires November 27, 2020 [Page 4] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.2.1.6. analysis @@ -277,9 +277,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 5] +Dulaunoy & Iklody Expires November 27, 2020 [Page 5] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.2.1.10. org_id @@ -333,9 +333,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 6] +Dulaunoy & Iklody Expires November 27, 2020 [Page 6] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 All Communities @@ -389,9 +389,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 7] +Dulaunoy & Iklody Expires November 27, 2020 [Page 7] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "Org": { 
@@ -445,9 +445,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 8] +Dulaunoy & Iklody Expires November 27, 2020 [Page 8] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "Attribute": { @@ -501,9 +501,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 9] +Dulaunoy & Iklody Expires November 27, 2020 [Page 9] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 Antivirus detection @@ -546,7 +546,7 @@ Internet-Draft MISP core format January 2020 number, prtn, phone-number, comment, text, other, hex, anonymised Internal reference - text, link, comment, other, hex, anonymised + text, link, comment, other, hex, anonymised, git-commit-id Network activity ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, @@ -557,9 +557,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 10] +Dulaunoy & Iklody Expires November 27, 2020 [Page 10] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, @@ -613,9 +613,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 11] +Dulaunoy & Iklody Expires November 27, 2020 [Page 11] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 Person @@ -669,9 +669,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 12] +Dulaunoy & Iklody Expires November 27, 2020 [Page 12] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.4.2.6. event_id 
@@ -725,9 +725,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 13] +Dulaunoy & Iklody Expires November 27, 2020 [Page 13] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.4.2.9. comment @@ -781,9 +781,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 14] +Dulaunoy & Iklody Expires November 27, 2020 [Page 14] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.4.2.14. ShadowAttribute @@ -837,9 +837,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 15] +Dulaunoy & Iklody Expires November 27, 2020 [Page 15] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.5.1. Sample Attribute Object @@ -893,9 +893,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 16] +Dulaunoy & Iklody Expires November 27, 2020 [Page 16] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 type is represented as a JSON string. type MUST be present and it @@ -942,16 +942,16 @@ Internet-Draft MISP core format January 2020 number, prtn, phone-number, comment, text, other, hex, anonymised Internal reference - text, link, comment, other, hex, anonymised + text, link, comment, other, hex, anonymised, git-commit-id Network activity -Dulaunoy & Iklody Expires July 25, 2020 [Page 17] +Dulaunoy & Iklody Expires November 27, 2020 [Page 17] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, 
@@ -1005,9 +1005,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 18] +Dulaunoy & Iklody Expires November 27, 2020 [Page 18] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 comment, text, other, anonymised @@ -1061,9 +1061,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 19] +Dulaunoy & Iklody Expires November 27, 2020 [Page 19] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 pattern for detection in Local or Network Intrusion Detection System, @@ -1117,9 +1117,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 20] +Dulaunoy & Iklody Expires November 27, 2020 [Page 20] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.5.2.10. org_id @@ -1173,9 +1173,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 21] +Dulaunoy & Iklody Expires November 27, 2020 [Page 21] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 first_seen is represented as a JSON string. first_seen MAY be @@ -1229,9 +1229,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 22] +Dulaunoy & Iklody Expires November 27, 2020 [Page 22] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 template used for its creation within. Objects belong to a meta- @@ -1285,9 +1285,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 23] +Dulaunoy & Iklody Expires November 27, 2020 [Page 23] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "Object": { 
@@ -1341,9 +1341,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 24] +Dulaunoy & Iklody Expires November 27, 2020 [Page 24] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.6.2.1. uuid @@ -1397,9 +1397,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 25] +Dulaunoy & Iklody Expires November 27, 2020 [Page 25] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.6.2.7. template_version @@ -1453,9 +1453,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 26] +Dulaunoy & Iklody Expires November 27, 2020 [Page 26] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 Sharing Group @@ -1509,9 +1509,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 27] +Dulaunoy & Iklody Expires November 27, 2020 [Page 27] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.6.2.16. last_seen @@ -1565,9 +1565,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 28] +Dulaunoy & Iklody Expires November 27, 2020 [Page 28] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.7.2.2. id @@ -1621,9 +1621,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 29] +Dulaunoy & Iklody Expires November 27, 2020 [Page 29] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 2.7.2.8. relationship_type @@ -1677,9 +1677,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 30] +Dulaunoy & Iklody Expires November 27, 2020 [Page 30] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 exportable represents a setting if the tag is kept local or 
@@ -1733,9 +1733,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 31] +Dulaunoy & Iklody Expires November 27, 2020 [Page 31] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 can be a given piece of software (e.g. SIEM), device or a specific @@ -1789,9 +1789,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 32] +Dulaunoy & Iklody Expires November 27, 2020 [Page 32] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "Sighting": [ @@ -1845,9 +1845,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 33] +Dulaunoy & Iklody Expires November 27, 2020 [Page 33] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "Galaxy": [ { @@ -1901,9 +1901,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 34] +Dulaunoy & Iklody Expires November 27, 2020 [Page 34] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 3. JSON Schema @@ -1957,9 +1957,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 35] +Dulaunoy & Iklody Expires November 27, 2020 [Page 35] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "type": "object", @@ -2013,9 +2013,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 36] +Dulaunoy & Iklody Expires November 27, 2020 [Page 36] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "items": { @@ -2069,9 +2069,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 37] +Dulaunoy & Iklody Expires November 27, 2020 [Page 37] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "type": "string" 
@@ -2125,9 +2125,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 38] +Dulaunoy & Iklody Expires November 27, 2020 [Page 38] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "type": "string" @@ -2181,9 +2181,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 39] +Dulaunoy & Iklody Expires November 27, 2020 [Page 39] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "properties": { @@ -2237,9 +2237,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 40] +Dulaunoy & Iklody Expires November 27, 2020 [Page 40] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "properties": { @@ -2293,9 +2293,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 41] +Dulaunoy & Iklody Expires November 27, 2020 [Page 41] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "properties": { @@ -2349,9 +2349,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 42] +Dulaunoy & Iklody Expires November 27, 2020 [Page 42] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 }, @@ -2405,9 +2405,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 43] +Dulaunoy & Iklody Expires November 27, 2020 [Page 43] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 }, @@ -2461,9 +2461,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 44] +Dulaunoy & Iklody Expires November 27, 2020 [Page 44] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "type": "string" 
@@ -2517,9 +2517,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 45] +Dulaunoy & Iklody Expires November 27, 2020 [Page 45] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "uniqueItems": true, @@ -2573,9 +2573,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 46] +Dulaunoy & Iklody Expires November 27, 2020 [Page 46] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "type": "boolean" @@ -2629,9 +2629,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 47] +Dulaunoy & Iklody Expires November 27, 2020 [Page 47] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "type": "object", @@ -2685,9 +2685,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 48] +Dulaunoy & Iklody Expires November 27, 2020 [Page 48] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "Event": { @@ -2741,9 +2741,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 49] +Dulaunoy & Iklody Expires November 27, 2020 [Page 49] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 o integrity:pgp represents a detached PGP signature [RFC4880] of the @@ -2797,9 +2797,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 50] +Dulaunoy & Iklody Expires November 27, 2020 [Page 50] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 "name": "circl:incident-classification=\"malware\"" 
@@ -2853,9 +2853,9 @@ Internet-Draft MISP core format January 2020 -Dulaunoy & Iklody Expires July 25, 2020 [Page 51] +Dulaunoy & Iklody Expires November 27, 2020 [Page 51] -Internet-Draft MISP core format January 2020 +Internet-Draft MISP core format May 2020 9.1. Normative References @@ -2887,8 +2887,9 @@ Internet-Draft MISP core format January 2020 Documents", 2016, . - [MISP-P] Community, M., "MISP Project - Malware Information Sharing - Platform and Threat Sharing", . + [MISP-P] Community, M., "MISP Project - Open Source Threat + Intelligence Platform and Open Standards For Threat + Information Sharing", . [MISP-R] Community, M., "MISP Object Relationship Types - common vocabulary of relationships", 2.4. meta -

Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.

+

Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, suspected-victims, suspected-state-sponsor, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.

refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. official-refs is represented as an array containing one or more strings and SHALL be present.

date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.

colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.
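Review bot: the rewritten list of recommended meta keys now contains suspected-victims and suspected-state-sponsor twice: they already appear after ransomnotes-refs earlier in the same sentence, and the new text inserts them again after cfr-target-category (the rfc/misp-standard-galaxy-format.txt hunk in this diff carries the same duplication). Drop the second occurrence, or, if the intent was to add different keys, name them. While this paragraph is being edited, "informations" in the following sentence should be "information" and "an cluster" should be "a cluster".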

diff --git a/rfc/misp-standard-galaxy-format.txt b/rfc/misp-standard-galaxy-format.txt index 5562262..7a09ab0 100644 --- a/rfc/misp-standard-galaxy-format.txt +++ b/rfc/misp-standard-galaxy-format.txt @@ -195,10 +195,10 @@ Internet-Draft MISP galaxy format October 2019 filenames, ransomnotes-refs, suspected-victims, suspected-state- sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target- - category, attribution-confidence, payment-method, price, spoken- - language, official-refs wherever applicable. Additional meta field - MAY be added without the need to be referenced or registered in - advance. + category, suspected-victims, suspected-state-sponsor, attribution- + confidence, payment-method, price, spoken-language, official-refs + wherever applicable. Additional meta field MAY be added without the + need to be referenced or registered in advance. refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more diff --git a/rfc/sightingdb-format.html b/rfc/sightingdb-format.html index e4c67c1..4103933 100644 --- a/rfc/sightingdb-format.html +++ b/rfc/sightingdb-format.html @@ -385,7 +385,8 @@ - + + @@ -397,7 +398,7 @@ - + @@ -417,8 +418,8 @@ Devo Inc. -Expires: May 6, 2020 -November 3, 2019 +Expires: October 15, 2020 +April 13, 2020 @@ -434,9 +435,9 @@

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

-

This Internet-Draft will expire on May 6, 2020.

+

This Internet-Draft will expire on October 15, 2020.

Copyright Notice

-

Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.

+

Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

@@ -466,7 +467,9 @@
  • 2.4. Bulk
  • -
  • 3. Security Considerations
  • @@ -494,7 +497,7 @@

    2.1. Overview

    -

    The SightingDB format is in JSON [RFC8259] format and used to query a SightingDB compatible connector. In SightingDB, a Sighting Object is composed of a single JSON object. This object contains the following fields: value, firstseen, lastseen, count, tags, ttl and manifold.

    +

    The SightingDB format is in JSON [RFC8259] format and used to query a SightingDB compatible connector. In SightingDB, a Sighting Object is composed of a single JSON object. This object contains the following fields: value, firstseen, lastseen, count, tags, ttl and consensus.

    2.1.1. Attribute Storage
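Review bot: the field list in the updated overview still says firstseen and lastseen, while the one-attribute sample and the bulk response in this same document use first_seen and last_seen, and the .txt rendering of this very hunk (rfc/sightingdb-format.txt, @@ -98) already reads first_seen, last_seen; the HTML does not appear to have been regenerated from the same source. Align the overview on first_seen and last_seen so the prose matches the JSON keys a client has to parse.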

    @@ -507,10 +510,9 @@

    Reserved namespaces are:

    _expired/<namespace>: Which contains all the attributes that expired, preserving the origin namespace

    _shadow/<namespace>: When a value is searched and does not exists, it is stored there

    -

    _stats: Statistics

    -

    _config: Configuration

    -

    _all: All the Attributes in one place, used to retrieve the 'manifold' property.

    -

    The Attribute Key MUST always be the last part of the Namespace.

    +

    _config: Configuration

    +

    _all: All the Attributes in one place, used to retrieve the 'consensus' property.

    +

    The Attribute Key MUST always be the last part of the Namespace.

    2.1.2.1. Sample Namespaces
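Review bot: this hunk silently drops the reserved _stats namespace from the list; nothing in the diff says whether the statistics feature is gone, renamed, or merely no longer documented, and a connector that still writes to _stats would now be writing into what looks like an ordinary user namespace. Either keep the entry or add a sentence stating that _stats is no longer reserved. The "does not exists" in the _shadow line just above should also read "does not exist".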

    @@ -547,9 +549,9 @@

    When an Attribute has this field set to 0, it means it is not set to expired. This is the default behavior.

    When an Attribute has this field set to a number greater than 0, the expiration status is computed only at retrieval time.

    -2.1.3.7. manifold +2.1.3.7. consensus

    -

    When a given Attribute Value is stored in different namespaces, the manifold field keeps track of them so it returns in how many different places this attributes exists. This is a simple counter.

    +

    When a given Attribute Value is stored in different namespaces, the consensus field keeps track of them so it returns in how many different places this attributes exists. This is a simple counter.

    2.2. SightingDB Format - One Attribute
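Review bot: renaming manifold to consensus changes a key on the wire without any compatibility note, so an existing client that reads manifold will silently get nothing; state that the old key is no longer emitted (or, during a transition, that implementations MAY emit both). The new description also keeps the grammar slip "this attributes exists" (this attribute exists), and the word "consensus" suggests agreement rather than a count, so one sentence making clear that it is purely the number of distinct namespaces holding the value would save implementers a guess.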

    @@ -560,7 +562,7 @@ "count":578391, "tags":"", "ttl":0, - "manifold": 17 + "consensus": 17 }

    @@ -586,20 +588,36 @@

    When data must be sent and received in large amounts, it is preferable to embed in JSON all the objects at once. As such, for reading and writing, the format is the following:

    {
       "items": [
    -    { "/your/namespace": "127.0.0.1" },
    -    { "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db" }
    +    { "<namespace>": "<value>" },
    +    { "<namespace>": "<value>", "timestamp": <epoch> }
       ]
     }
     
    -

    Which will either store or retrieve the wanted data.

    +

    Where:

    +

    namespace: is the wanted namespace where to store the value

    +

    value: the value one want to track

    +

    timestamp: OPTIONAL epoch timestamp to set the value at.

    +

    The timestamp is how one can use SightingDB and use old datasets where the first seen and last seen is not relative to "right now".

    -2.4.1. Response +2.4.1. Request

    -

    The response when retrieving sightings also has the list of items, in order, one per line of the results:

    +

    A Proper request with two items is made like this:

    {
       "items": [
    -    { "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "manifold": 1 },
    -    { "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "manifold": 3 }
    +    { "/your/namespace": "127.0.0.1" },
    +    { "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db", "timestamp": 1586825229 }
    +  ]
    +}
    +
    +

    Which will either store or retrieve the wanted data.

    +

    +2.4.2. Response +

    +

    The response when retrieving sightings also has the list of items, in order, one per line of the results:

    +
    {
    +  "items": [
    +    {"value": "Octave_Hergebel", "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "consensus": 1},
    +    {"value": "127.0.0.1", "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "consensus": 3}
       ]
     }
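Review bot: the new response example does not correspond to the new request example: the request stores "127.0.0.1" and then a SHA-256 value, but the response lists "Octave_Hergebel" and then "127.0.0.1", while the text says items come back "in order, one per line"; use the same two values in the same order so readers can pair each request item with its response. The optional timestamp also needs a sentence on its effect: the text says it is used "to set the value at" the epoch but not whether it updates first_seen, last_seen, or both, nor what happens when it is older than the stored first_seen, which is exactly the case the "old datasets" paragraph describes. Minor: "A Proper request" should be "A proper request", and "Which will either store or retrieve the wanted data." is now a sentence fragment after the example and should be attached to the preceding sentence.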
     
    diff --git a/rfc/sightingdb-format.txt b/rfc/sightingdb-format.txt index 86f2576..3ffcb00 100644 --- a/rfc/sightingdb-format.txt +++ b/rfc/sightingdb-format.txt @@ -4,7 +4,7 @@ Network Working Group S. Tricaud Internet-Draft Devo Inc. -Expires: May 6, 2020 November 3, 2019 +Expires: October 15, 2020 April 13, 2020 SightingDB query format @@ -31,11 +31,11 @@ Status of This Memo time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 6, 2020. + This Internet-Draft will expire on October 15, 2020. Copyright Notice - Copyright (c) 2019 IETF Trust and the persons identified as the + Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal @@ -53,9 +53,9 @@ Copyright Notice -Tricaud Expires May 6, 2020 [Page 1] +Tricaud Expires October 15, 2020 [Page 1] -Internet-Draft SightingDB query format November 2019 +Internet-Draft SightingDB query format April 2020 Table of Contents @@ -71,11 +71,12 @@ Table of Contents 2.3. Value . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2.3.1. Configuring the value format for a Namespace . . . . 5 2.4. Bulk . . . . . . . . . . . . . . . . . . . . . . . . . . 5 - 2.4.1. Response . . . . . . . . . . . . . . . . . . . . . . 6 + 2.4.1. Request . . . . . . . . . . . . . . . . . . . . . . . 6 + 2.4.2. Response . . . . . . . . . . . . . . . . . . . . . . 6 3. Security Considerations . . . . . . . . . . . . . . . . . . . 6 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 - 5. Normative References . . . . . . . . . . . . . . . . . . . . 6 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 + 5. Normative References . . . . . . . . . . . . . . . . . . . . 7 + Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction 
@@ -98,22 +99,24 @@ Table of Contents The SightingDB format is in JSON [RFC8259] format and used to query a SightingDB compatible connector. In SightingDB, a Sighting Object is composed of a single JSON object. This object contains the following - fields: value, first_seen, last_seen, count, tags, ttl and manifold. + fields: value, first_seen, last_seen, count, tags, ttl and consensus. 2.1.1. Attribute Storage The fields described previously describe an Attribute and all the required characteristics. However they are stored in a Namespace. A + + + + +Tricaud Expires October 15, 2020 [Page 2] + +Internet-Draft SightingDB query format April 2020 + + Namespace is similar to a path in a file-system where the same file can be stored in multiple places. - - -Tricaud Expires May 6, 2020 [Page 2] - -Internet-Draft SightingDB query format November 2019 - - 2.1.2. Namespace A Namespace with multiple levels MUST be separated with the slash '/' @@ -132,12 +135,10 @@ Internet-Draft SightingDB query format November 2019 _shadow/: When a value is searched and does not exists, it is stored there - _stats: Statistics - _config: Configuration _all: All the Attributes in one place, used to retrieve the - 'manifold' property. + 'consensus' property. The Attribute Key MUST always be the last part of the Namespace. @@ -164,10 +165,9 @@ Internet-Draft SightingDB query format November 2019 - -Tricaud Expires May 6, 2020 [Page 3] +Tricaud Expires October 15, 2020 [Page 3] -Internet-Draft SightingDB query format November 2019 +Internet-Draft SightingDB query format April 2020 2.1.3.2. first_seen 
@@ -199,10 +199,10 @@ Internet-Draft SightingDB query format November 2019 When an Attribute has this field set to a number greater than 0, the expiration status is computed only at retrieval time. -2.1.3.7. manifold +2.1.3.7. consensus When a given Attribute Value is stored in different namespaces, the - manifold field keeps track of them so it returns in how many + consensus field keeps track of them so it returns in how many different places this attributes exists. This is a simple counter. 2.2. SightingDB Format - One Attribute @@ -214,16 +214,16 @@ Internet-Draft SightingDB query format November 2019 "count":578391, "tags":"", "ttl":0, - "manifold": 17 + "consensus": 17 } -Tricaud Expires May 6, 2020 [Page 4] +Tricaud Expires October 15, 2020 [Page 4] -Internet-Draft SightingDB query format November 2019 +Internet-Draft SightingDB query format April 2020 2.3. Value 
@@ -263,34 +263,54 @@ Internet-Draft SightingDB query format November 2019 preferable to embed in JSON all the objects at once. As such, for reading and writing, the format is the following: + { + "items": [ + { "": "" }, + { "": "", "timestamp": } + ] + } + + Where: + + namespace: is the wanted namespace where to store the value + + + + +Tricaud Expires October 15, 2020 [Page 5] + +Internet-Draft SightingDB query format April 2020 + + + value: the value one want to track + + timestamp: OPTIONAL epoch timestamp to set the value at. + + The timestamp is how one can use SightingDB and use old datasets + where the first seen and last seen is not relative to "right now". + +2.4.1. Request + + A Proper request with two items is made like this: + { "items": [ { "/your/namespace": "127.0.0.1" }, - { "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db" } + { "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db", "timestamp": 1586825229 } ] } Which will either store or retrieve the wanted data. - - - - - -Tricaud Expires May 6, 2020 [Page 5] - -Internet-Draft SightingDB query format November 2019 - - -2.4.1. Response +2.4.2. Response The response when retrieving sightings also has the list of items, in order, one per line of the results: { "items": [ - { "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "manifold": 1 }, - { "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "manifold": 3 } + {"value": "Octave_Hergebel", "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "consensus": 1}, + {"value": "127.0.0.1", "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "consensus": 3} ] } 
@@ -311,6 +331,13 @@ Internet-Draft SightingDB query format November 2019 well as amazing feedback gathered during the MISP Summit 2019 in Luxembourg, in particular with Alexandre Dulaunoy and Andras Iklody. + + +Tricaud Expires October 15, 2020 [Page 6] + +Internet-Draft SightingDB query format April 2020 + + 5. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate @@ -325,19 +352,6 @@ Internet-Draft SightingDB query format November 2019 Author's Address - - - - - - - - -Tricaud Expires May 6, 2020 [Page 6] - -Internet-Draft SightingDB query format November 2019 - - Sebastien Tricaud Devo Inc. 150 Cambridgepark Drive @@ -375,18 +389,4 @@ Internet-Draft SightingDB query format November 2019 - - - - - - - - - - - - - - -Tricaud Expires May 6, 2020 [Page 7] +Tricaud Expires October 15, 2020 [Page 7]
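Review bot: In the hunk at `@@ -132,12 +135,10 @@` (the reserved-namespace list), dropping `_stats` and `_config` removes two reserved names without any replacement text, so an implementer reading this revision no longer knows whether those names are free for user namespaces or still reserved by existing deployments; if they are intentionally retired, a sentence saying so would avoid collisions, and if they still exist they should stay in the list. While the surrounding lines are touched, the unchanged `_shadow/` entry "When a value is searched and does not exists" should read "does not exist".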
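Review bot: The `manifold` to `consensus` rename in the hunk at `@@ -199,10 +199,10 @@` changes a key in the wire format, yet nothing in the hunk says whether a reader MUST still accept `manifold` from older SightingDB producers or whether the change is a hard break; one sentence on compatibility here (or in Section 2.1.3.7) would settle it for implementers. The unchanged context line "in how many different places this attributes exists" should also be corrected to "this attribute exists".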
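Review bot: In the bulk-format hunk at `@@ -263,34 +263,54 @@`, the added template `{ "": "" }` and `{ "": "", "timestamp": }` carries no placeholder names, so the "Where:" list that follows (namespace, value, timestamp) has nothing to point at; the template should spell the placeholders out, for example `{ "<namespace>": "<value>" }` and `{ "<namespace>": "<value>", "timestamp": <epoch> }`, and the OPTIONAL `timestamp` needs its semantics stated: which of `first_seen` and `last_seen` it sets, whether `count` is incremented, and what happens when it is older than the stored `first_seen`. Because this field lets a client backdate a sighting, Section 3 (Security Considerations) should say that the timestamp is trusted as supplied. Minor wording in the added lines: "the value one want to track" should read "one wants", "A Proper request" should read "A proper request", and "where the first seen and last seen is not relative" should read "are not relative".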