This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP [MISP-P] software and other Threat Intelligence Platforms.
+
This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP [MISP-P] software and other Threat Intelligence Platforms.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
-
This Internet-Draft will expire on July 25, 2020.
+
This Internet-Draft will expire on November 27, 2020.
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
diff --git a/rfc/misp-standard-core.txt b/rfc/misp-standard-core.txt
index 4799a34..c45c571 100644
--- a/rfc/misp-standard-core.txt
+++ b/rfc/misp-standard-core.txt
@@ -4,8 +4,8 @@
Network Working Group A. Dulaunoy
Internet-Draft A. Iklody
-Expires: July 25, 2020 CIRCL
- January 22, 2020
+Expires: November 27, 2020 CIRCL
+ May 26, 2020
MISP core format
@@ -13,13 +13,13 @@ Expires: July 25, 2020 CIRCL
Abstract
This document describes the MISP core format used to exchange
- indicators and threat information between MISP (Malware Information
- and threat Sharing Platform) instances. The JSON format includes the
- overall structure along with the semantic associated for each
- respective key. The format is described to support other
- implementations which reuse the format and ensuring an
- interoperability with existing MISP [MISP-P] software and other
- Threat Intelligence Platforms.
+ indicators and threat information between MISP (Open Source Threat
+ Intelligence Sharing Platform formerly known as Malware Information
+ Sharing Platform) instances. The JSON format includes the overall
+ structure along with the semantic associated for each respective key.
+ The format is described to support other implementations which reuse
+ the format and ensuring an interoperability with existing MISP
+ [MISP-P] software and other Threat Intelligence Platforms.
Status of This Memo
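Review bot: The rewritten abstract carries over two grammar slips from the old text, in the added lines "structure along with the semantic associated for each respective key" and "the format and ensuring an interoperability with existing MISP". Since the paragraph is being reflowed anyway, consider "the semantics associated with each key" and "to ensure interoperability with existing MISP". Also note that the old expansion read "Malware Information and threat Sharing Platform" while the new "formerly known as" clause says "Malware Information Sharing Platform"; pick the form the project actually used.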
@@ -36,7 +36,7 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on July 25, 2020.
+ This Internet-Draft will expire on November 27, 2020.
Copyright Notice
@@ -53,9 +53,9 @@ Copyright Notice
-Dulaunoy & Iklody Expires July 25, 2020 [Page 1]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 1]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
the Trust Legal Provisions and are provided without warranty as
@@ -109,9 +109,9 @@ Table of Contents
-Dulaunoy & Iklody Expires July 25, 2020 [Page 2]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 2]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
1. Introduction
@@ -165,9 +165,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 3]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 3]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.2.1.2. id
@@ -221,9 +221,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 4]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 4]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.2.1.6. analysis
@@ -277,9 +277,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 5]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 5]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.2.1.10. org_id
@@ -333,9 +333,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 6]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 6]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
All Communities
@@ -389,9 +389,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 7]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 7]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"Org": {
@@ -445,9 +445,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 8]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 8]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"Attribute": {
@@ -501,9 +501,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 9]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 9]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
Antivirus detection
@@ -546,7 +546,7 @@ Internet-Draft MISP core format January 2020
number, prtn, phone-number, comment, text, other, hex, anonymised
Internal reference
- text, link, comment, other, hex, anonymised
+ text, link, comment, other, hex, anonymised, git-commit-id
Network activity
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
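Review bot: The new git-commit-id type on the "Internal reference" line is only added to the category listings (here and again in the @@ -942 hunk); none of the visible hunks in this file adds text saying what a valid value looks like, and the JSON Schema pages only show footer date changes. If the schema or any other section enumerates attribute types, it needs the same addition, and a one-line description of the expected value (full or abbreviated commit id) would help implementations that validate attribute values on ingest.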
@@ -557,9 +557,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 10]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 10]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other,
@@ -613,9 +613,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 11]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 11]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
Person
@@ -669,9 +669,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 12]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 12]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.4.2.6. event_id
@@ -725,9 +725,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 13]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 13]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.4.2.9. comment
@@ -781,9 +781,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 14]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 14]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.4.2.14. ShadowAttribute
@@ -837,9 +837,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 15]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 15]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.5.1. Sample Attribute Object
@@ -893,9 +893,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 16]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 16]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
type is represented as a JSON string. type MUST be present and it
@@ -942,16 +942,16 @@ Internet-Draft MISP core format January 2020
number, prtn, phone-number, comment, text, other, hex, anonymised
Internal reference
- text, link, comment, other, hex, anonymised
+ text, link, comment, other, hex, anonymised, git-commit-id
Network activity
-Dulaunoy & Iklody Expires July 25, 2020 [Page 17]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 17]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
@@ -1005,9 +1005,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 18]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 18]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
comment, text, other, anonymised
@@ -1061,9 +1061,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 19]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 19]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
pattern for detection in Local or Network Intrusion Detection System,
@@ -1117,9 +1117,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 20]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 20]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.5.2.10. org_id
@@ -1173,9 +1173,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 21]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 21]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
first_seen is represented as a JSON string. first_seen MAY be
@@ -1229,9 +1229,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 22]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 22]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
template used for its creation within. Objects belong to a meta-
@@ -1285,9 +1285,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 23]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 23]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"Object": {
@@ -1341,9 +1341,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 24]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 24]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.6.2.1. uuid
@@ -1397,9 +1397,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 25]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 25]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.6.2.7. template_version
@@ -1453,9 +1453,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 26]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 26]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
Sharing Group
@@ -1509,9 +1509,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 27]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 27]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.6.2.16. last_seen
@@ -1565,9 +1565,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 28]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 28]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.7.2.2. id
@@ -1621,9 +1621,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 29]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 29]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
2.7.2.8. relationship_type
@@ -1677,9 +1677,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 30]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 30]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
exportable represents a setting if the tag is kept local or
@@ -1733,9 +1733,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 31]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 31]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
can be a given piece of software (e.g. SIEM), device or a specific
@@ -1789,9 +1789,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 32]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 32]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"Sighting": [
@@ -1845,9 +1845,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 33]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 33]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"Galaxy": [ {
@@ -1901,9 +1901,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 34]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 34]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
3. JSON Schema
@@ -1957,9 +1957,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 35]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 35]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"type": "object",
@@ -2013,9 +2013,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 36]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 36]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"items": {
@@ -2069,9 +2069,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 37]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 37]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"type": "string"
@@ -2125,9 +2125,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 38]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 38]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"type": "string"
@@ -2181,9 +2181,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 39]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 39]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"properties": {
@@ -2237,9 +2237,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 40]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 40]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"properties": {
@@ -2293,9 +2293,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 41]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 41]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"properties": {
@@ -2349,9 +2349,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 42]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 42]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
},
@@ -2405,9 +2405,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 43]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 43]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
},
@@ -2461,9 +2461,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 44]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 44]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"type": "string"
@@ -2517,9 +2517,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 45]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 45]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"uniqueItems": true,
@@ -2573,9 +2573,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 46]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 46]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"type": "boolean"
@@ -2629,9 +2629,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 47]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 47]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"type": "object",
@@ -2685,9 +2685,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 48]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 48]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"Event": {
@@ -2741,9 +2741,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 49]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 49]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
o integrity:pgp represents a detached PGP signature [RFC4880] of the
@@ -2797,9 +2797,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 50]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 50]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
"name": "circl:incident-classification=\"malware\""
@@ -2853,9 +2853,9 @@ Internet-Draft MISP core format January 2020
-Dulaunoy & Iklody Expires July 25, 2020 [Page 51]
+Dulaunoy & Iklody Expires November 27, 2020 [Page 51]
-Internet-Draft MISP core format January 2020
+Internet-Draft MISP core format May 2020
9.1. Normative References
@@ -2887,8 +2887,9 @@ Internet-Draft MISP core format January 2020
Documents", 2016,
.
- [MISP-P] Community, M., "MISP Project - Malware Information Sharing
- Platform and Threat Sharing", .
+ [MISP-P] Community, M., "MISP Project - Open Source Threat
+ Intelligence Platform and Open Standards For Threat
+ Information Sharing", .
[MISP-R] Community, M., "MISP Object Relationship Types - common
vocabulary of relationships", 2.4.meta
-
Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.
+
Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, suspected-victims, suspected-state-sponsor, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.
refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. official-refs is represented as an array containing one or more strings and SHALL be present.
date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.
colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.
diff --git a/rfc/misp-standard-galaxy-format.txt b/rfc/misp-standard-galaxy-format.txt
index 5562262..7a09ab0 100644
--- a/rfc/misp-standard-galaxy-format.txt
+++ b/rfc/misp-standard-galaxy-format.txt
@@ -195,10 +195,10 @@ Internet-Draft MISP galaxy format October 2019
filenames, ransomnotes-refs, suspected-victims, suspected-state-
sponsor, type-of-incident, target-category, cfr-suspected-victims,
cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
- category, attribution-confidence, payment-method, price, spoken-
- language, official-refs wherever applicable. Additional meta field
- MAY be added without the need to be referenced or registered in
- advance.
+ category, suspected-victims, suspected-state-sponsor, attribution-
+ confidence, payment-method, price, spoken-language, official-refs
+ wherever applicable. Additional meta field MAY be added without the
+ need to be referenced or registered in advance.
refs, synonyms, official-refs SHALL be used to give further
informations. refs is represented as an array containing one or more
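Review bot: The added line "category, suspected-victims, suspected-state-sponsor, attribution-" repeats two keys that are already in the list two lines above ("ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident"), so the SHOULD-reuse list now names them twice. If new keys were intended, the names look like a copy error; otherwise drop the duplicates. The hunk header still reads "MISP galaxy format October 2019" and no hunk in this file touches the dates, so the draft text changes without a new date or expiry.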
diff --git a/rfc/sightingdb-format.html b/rfc/sightingdb-format.html
index e4c67c1..4103933 100644
--- a/rfc/sightingdb-format.html
+++ b/rfc/sightingdb-format.html
@@ -385,7 +385,8 @@
-
+
+
@@ -397,7 +398,7 @@
-
+
@@ -417,8 +418,8 @@
Devo Inc.
-
Expires: May 6, 2020
-
November 3, 2019
+
Expires: October 15, 2020
+
April 13, 2020
@@ -434,9 +435,9 @@
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
-
This Internet-Draft will expire on May 6, 2020.
+
This Internet-Draft will expire on October 15, 2020.
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
+
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The SightingDB format is in JSON [RFC8259] format and used to query a SightingDB compatible connector. In SightingDB, a Sighting Object is composed of a single JSON object. This object contains the following fields: value, firstseen, lastseen, count, tags, ttl and manifold.
+
The SightingDB format is in JSON [RFC8259] format and used to query a SightingDB compatible connector. In SightingDB, a Sighting Object is composed of a single JSON object. This object contains the following fields: value, firstseen, lastseen, count, tags, ttl and consensus.
When a given Attribute Value is stored in different namespaces, the manifold field keeps track of them so it returns in how many different places this attributes exists. This is a simple counter.
+
When a given Attribute Value is stored in different namespaces, the consensus field keeps track of them so it returns in how many different places this attributes exists. This is a simple counter.
When data must be sent and received in large amounts, it is preferable to embed in JSON all the objects at once. As such, for reading and writing, the format is the following:
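Review bot: The regenerated HTML lists the fields as "value, firstseen, lastseen, count, tags, ttl and consensus", while the .txt version of the same sentence has first_seen and last_seen. The underscores appear to be lost in the HTML rendering, which leaves the HTML draft naming keys that do not match the JSON examples. Escape the underscores in the source or mark the field names as literals before regenerating.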
diff --git a/rfc/sightingdb-format.txt b/rfc/sightingdb-format.txt
index 86f2576..3ffcb00 100644
--- a/rfc/sightingdb-format.txt
+++ b/rfc/sightingdb-format.txt
@@ -4,7 +4,7 @@
Network Working Group S. Tricaud
Internet-Draft Devo Inc.
-Expires: May 6, 2020 November 3, 2019
+Expires: October 15, 2020 April 13, 2020
SightingDB query format
@@ -31,11 +31,11 @@ Status of This Memo
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
- This Internet-Draft will expire on May 6, 2020.
+ This Internet-Draft will expire on October 15, 2020.
Copyright Notice
- Copyright (c) 2019 IETF Trust and the persons identified as the
+ Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
@@ -53,9 +53,9 @@ Copyright Notice
-Tricaud Expires May 6, 2020 [Page 1]
+Tricaud Expires October 15, 2020 [Page 1]
-Internet-Draft SightingDB query format November 2019
+Internet-Draft SightingDB query format April 2020
Table of Contents
@@ -71,11 +71,12 @@ Table of Contents
2.3. Value . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.3.1. Configuring the value format for a Namespace . . . . 5
2.4. Bulk . . . . . . . . . . . . . . . . . . . . . . . . . . 5
- 2.4.1. Response . . . . . . . . . . . . . . . . . . . . . . 6
+ 2.4.1. Request . . . . . . . . . . . . . . . . . . . . . . . 6
+ 2.4.2. Response . . . . . . . . . . . . . . . . . . . . . . 6
3. Security Considerations . . . . . . . . . . . . . . . . . . . 6
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
- 5. Normative References . . . . . . . . . . . . . . . . . . . . 6
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6
+ 5. Normative References . . . . . . . . . . . . . . . . . . . . 7
+ Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
@@ -98,22 +99,24 @@ Table of Contents
The SightingDB format is in JSON [RFC8259] format and used to query a
SightingDB compatible connector. In SightingDB, a Sighting Object is
composed of a single JSON object. This object contains the following
- fields: value, first_seen, last_seen, count, tags, ttl and manifold.
+ fields: value, first_seen, last_seen, count, tags, ttl and consensus.
2.1.1. Attribute Storage
The fields described previously describe an Attribute and all the
required characteristics. However they are stored in a Namespace. A
+
+
+
+
+Tricaud Expires October 15, 2020 [Page 2]
+
+Internet-Draft SightingDB query format April 2020
+
+
Namespace is similar to a path in a file-system where the same file
can be stored in multiple places.
-
-
-Tricaud Expires May 6, 2020 [Page 2]
-
-Internet-Draft SightingDB query format November 2019
-
-
2.1.2. Namespace
A Namespace with multiple levels MUST be separated with the slash '/'
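Review bot: Renaming the field from manifold to consensus in "fields: value, first_seen, last_seen, count, tags, ttl and consensus." changes a key in the JSON object that clients parse, and the draft gives no guidance for consumers built against the November 2019 text. Add a sentence stating that "manifold" was the earlier name and whether a reader SHOULD accept it, so that parsers do not silently treat the counter as missing.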
@@ -132,12 +135,10 @@ Internet-Draft SightingDB query format November 2019
_shadow/: When a value is searched and does not exists, it
is stored there
- _stats: Statistics
-
_config: Configuration
_all: All the Attributes in one place, used to retrieve the
- 'manifold' property.
+ 'consensus' property.
The Attribute Key MUST always be the last part of the Namespace.
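Review bot: The removed line "_stats: Statistics" drops an entry from the list of special namespaces without saying what happens to the name. State whether _stats remains reserved or becomes available for user data; otherwise an implementation following the older text and one following this text will disagree on whether a write to that namespace is allowed.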
@@ -164,10 +165,9 @@ Internet-Draft SightingDB query format November 2019
-
-Tricaud Expires May 6, 2020 [Page 3]
+Tricaud Expires October 15, 2020 [Page 3]
-Internet-Draft SightingDB query format November 2019
+Internet-Draft SightingDB query format April 2020
2.1.3.2. first_seen
@@ -199,10 +199,10 @@ Internet-Draft SightingDB query format November 2019
When an Attribute has this field set to a number greater than 0, the
expiration status is computed only at retrieval time.
-2.1.3.7. manifold
+2.1.3.7. consensus
When a given Attribute Value is stored in different namespaces, the
- manifold field keeps track of them so it returns in how many
+ consensus field keeps track of them so it returns in how many
different places this attributes exists. This is a simple counter.
2.2. SightingDB Format - One Attribute
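Review bot: Section 2.1.3.7 now calls the field consensus but the definition is unchanged: "This is a simple counter" of how many namespaces hold the value. The new name suggests a measure of agreement, so say explicitly that the value is a count of namespaces and not a score or ratio. The sentence "it returns in how many different places this attributes exists" also needs a grammar fix, for example "it returns the number of different namespaces in which the Attribute exists".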
@@ -214,16 +214,16 @@ Internet-Draft SightingDB query format November 2019
"count":578391,
"tags":"",
"ttl":0,
- "manifold": 17
+ "consensus": 17
}
-Tricaud Expires May 6, 2020 [Page 4]
+Tricaud Expires October 15, 2020 [Page 4]
-Internet-Draft SightingDB query format November 2019
+Internet-Draft SightingDB query format April 2020
2.3. Value
@@ -263,34 +263,54 @@ Internet-Draft SightingDB query format November 2019
preferable to embed in JSON all the objects at once. As such, for
reading and writing, the format is the following:
+ {
+ "items": [
+ { "": "" },
+ { "": "", "timestamp": }
+ ]
+ }
+
+ Where:
+
+ namespace: is the wanted namespace where to store the value
+
+
+
+
+Tricaud Expires October 15, 2020 [Page 5]
+
+Internet-Draft SightingDB query format April 2020
+
+
+ value: the value one want to track
+
+ timestamp: OPTIONAL epoch timestamp to set the value at.
+
+ The timestamp is how one can use SightingDB and use old datasets
+ where the first seen and last seen is not relative to "right now".
+
+2.4.1. Request
+
+ A Proper request with two items is made like this:
+
{
"items": [
{ "/your/namespace": "127.0.0.1" },
- { "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db" }
+ { "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db", "timestamp": 1586825229 }
]
}
Which will either store or retrieve the wanted data.
-
-
-
-
-
-Tricaud Expires May 6, 2020 [Page 5]
-
-Internet-Draft SightingDB query format November 2019
-
-
-2.4.1. Response
+2.4.2. Response
The response when retrieving sightings also has the list of items, in
order, one per line of the results:
{
"items": [
- { "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "manifold": 1 },
- { "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "manifold": 3 }
+ {"value": "Octave_Hergebel", "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "consensus": 1},
+ {"value": "127.0.0.1", "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "consensus": 3}
]
}
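Review bot: The response example in 2.4.2 does not match the request example in 2.4.1 although the text says the items come back "in order": the request sends "127.0.0.1" and a hash, while the response returns "Octave_Hergebel" first and "127.0.0.1" second. Make the two examples correspond so readers can see the ordering guarantee. The new "timestamp: OPTIONAL epoch timestamp to set the value at." line should also give the unit (the example 1586825229 looks like seconds) and say which of first_seen and last_seen it updates, and "A Proper request" should be lower-cased.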
@@ -311,6 +331,13 @@ Internet-Draft SightingDB query format November 2019
well as amazing feedback gathered during the MISP Summit 2019 in
Luxembourg, in particular with Alexandre Dulaunoy and Andras Iklody.
+
+
+Tricaud Expires October 15, 2020 [Page 6]
+
+Internet-Draft SightingDB query format April 2020
+
+
5. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
@@ -325,19 +352,6 @@ Internet-Draft SightingDB query format November 2019
Author's Address
-
-
-
-
-
-
-
-
-Tricaud Expires May 6, 2020 [Page 6]
-
-Internet-Draft SightingDB query format November 2019
-
-
Sebastien Tricaud
Devo Inc.
150 Cambridgepark Drive
@@ -375,18 +389,4 @@ Internet-Draft SightingDB query format November 2019
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Tricaud Expires May 6, 2020 [Page 7]
+Tricaud Expires October 15, 2020 [Page 7]