chg: [misp-standard] updated core-format, galaxy-format and sightingdb-format
parent
9c609a4d8a
commit
baaa6cc907
|
@ -421,9 +421,9 @@
|
||||||
|
|
||||||
<meta name="dct.creator" content="Dulaunoy, A. and A. Iklody" />
|
<meta name="dct.creator" content="Dulaunoy, A. and A. Iklody" />
|
||||||
<meta name="dct.identifier" content="urn:ietf:id:" />
|
<meta name="dct.identifier" content="urn:ietf:id:" />
|
||||||
<meta name="dct.issued" scheme="ISO8601" content="2020-01-22" />
|
<meta name="dct.issued" scheme="ISO8601" content="2020-05-26" />
|
||||||
<meta name="dct.abstract" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms." />
|
<meta name="dct.abstract" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms." />
|
||||||
<meta name="description" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms." />
|
<meta name="description" content="This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP software and other Threat Intelligence Platforms." />
|
||||||
|
|
||||||
</head>
|
</head>
|
||||||
|
|
||||||
|
@ -441,12 +441,12 @@
|
||||||
<td class="right">A. Iklody</td>
|
<td class="right">A. Iklody</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td class="left">Expires: July 25, 2020</td>
|
<td class="left">Expires: November 27, 2020</td>
|
||||||
<td class="right">CIRCL</td>
|
<td class="right">CIRCL</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td class="left"></td>
|
<td class="left"></td>
|
||||||
<td class="right">January 22, 2020</td>
|
<td class="right">May 26, 2020</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
@ -457,12 +457,12 @@
|
||||||
<span class="filename"></span></p>
|
<span class="filename"></span></p>
|
||||||
|
|
||||||
<h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
|
<h1 id="rfc.abstract"><a href="#rfc.abstract">Abstract</a></h1>
|
||||||
<p>This document describes the MISP core format used to exchange indicators and threat information between MISP (Malware Information and threat Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP <a href="#MISP-P" class="xref">[MISP-P]</a> software and other Threat Intelligence Platforms.</p>
|
<p>This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantic associated for each respective key. The format is described to support other implementations which reuse the format and ensuring an interoperability with existing MISP <a href="#MISP-P" class="xref">[MISP-P]</a> software and other Threat Intelligence Platforms.</p>
|
||||||
<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
|
<h1 id="rfc.status"><a href="#rfc.status">Status of This Memo</a></h1>
|
||||||
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
|
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
|
||||||
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
|
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
|
||||||
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
|
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
|
||||||
<p>This Internet-Draft will expire on July 25, 2020.</p>
|
<p>This Internet-Draft will expire on November 27, 2020.</p>
|
||||||
<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
|
<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
|
||||||
<p>Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
|
<p>Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
|
||||||
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
|
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
|
||||||
|
@ -804,7 +804,7 @@
|
||||||
<br>btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
|
<br>btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
|
||||||
<dt>Internal reference</dt>
|
<dt>Internal reference</dt>
|
||||||
<dd style="margin-left: 8">
|
<dd style="margin-left: 8">
|
||||||
<br>text, link, comment, other, hex, anonymised</dd>
|
<br>text, link, comment, other, hex, anonymised, git-commit-id</dd>
|
||||||
<dt>Network activity</dt>
|
<dt>Network activity</dt>
|
||||||
<dd style="margin-left: 8">
|
<dd style="margin-left: 8">
|
||||||
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
|
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
|
||||||
|
@ -1002,7 +1002,7 @@
|
||||||
<br>btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
|
<br>btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised</dd>
|
||||||
<dt>Internal reference</dt>
|
<dt>Internal reference</dt>
|
||||||
<dd style="margin-left: 8">
|
<dd style="margin-left: 8">
|
||||||
<br>text, link, comment, other, hex, anonymised</dd>
|
<br>text, link, comment, other, hex, anonymised, git-commit-id</dd>
|
||||||
<dt>Network activity</dt>
|
<dt>Network activity</dt>
|
||||||
<dd style="margin-left: 8">
|
<dd style="margin-left: 8">
|
||||||
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
|
<br>ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject</dd>
|
||||||
|
@ -2314,7 +2314,7 @@
|
||||||
<tr>
|
<tr>
|
||||||
<td class="reference"><b id="MISP-P">[MISP-P]</b></td>
|
<td class="reference"><b id="MISP-P">[MISP-P]</b></td>
|
||||||
<td class="top">
|
<td class="top">
|
||||||
<a>Community, M.</a>, "<a href="https://github.com/MISP">MISP Project - Malware Information Sharing Platform and Threat Sharing</a>"</td>
|
<a>Community, M.</a>, "<a href="https://github.com/MISP">MISP Project - Open Source Threat Intelligence Platform and Open Standards For Threat Information Sharing</a>"</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td class="reference"><b id="MISP-R">[MISP-R]</b></td>
|
<td class="reference"><b id="MISP-R">[MISP-R]</b></td>
|
||||||
|
|
|
@ -4,8 +4,8 @@
|
||||||
|
|
||||||
Network Working Group A. Dulaunoy
|
Network Working Group A. Dulaunoy
|
||||||
Internet-Draft A. Iklody
|
Internet-Draft A. Iklody
|
||||||
Expires: July 25, 2020 CIRCL
|
Expires: November 27, 2020 CIRCL
|
||||||
January 22, 2020
|
May 26, 2020
|
||||||
|
|
||||||
|
|
||||||
MISP core format
|
MISP core format
|
||||||
|
@ -13,13 +13,13 @@ Expires: July 25, 2020 CIRCL
|
||||||
Abstract
|
Abstract
|
||||||
|
|
||||||
This document describes the MISP core format used to exchange
|
This document describes the MISP core format used to exchange
|
||||||
indicators and threat information between MISP (Malware Information
|
indicators and threat information between MISP (Open Source Threat
|
||||||
and threat Sharing Platform) instances. The JSON format includes the
|
Intelligence Sharing Platform formerly known as Malware Information
|
||||||
overall structure along with the semantic associated for each
|
Sharing Platform) instances. The JSON format includes the overall
|
||||||
respective key. The format is described to support other
|
structure along with the semantic associated for each respective key.
|
||||||
implementations which reuse the format and ensuring an
|
The format is described to support other implementations which reuse
|
||||||
interoperability with existing MISP [MISP-P] software and other
|
the format and ensuring an interoperability with existing MISP
|
||||||
Threat Intelligence Platforms.
|
[MISP-P] software and other Threat Intelligence Platforms.
|
||||||
|
|
||||||
Status of This Memo
|
Status of This Memo
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ Status of This Memo
|
||||||
time. It is inappropriate to use Internet-Drafts as reference
|
time. It is inappropriate to use Internet-Drafts as reference
|
||||||
material or to cite them other than as "work in progress."
|
material or to cite them other than as "work in progress."
|
||||||
|
|
||||||
This Internet-Draft will expire on July 25, 2020.
|
This Internet-Draft will expire on November 27, 2020.
|
||||||
|
|
||||||
Copyright Notice
|
Copyright Notice
|
||||||
|
|
||||||
|
@ -53,9 +53,9 @@ Copyright Notice
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 1]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 1]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
the Trust Legal Provisions and are provided without warranty as
|
the Trust Legal Provisions and are provided without warranty as
|
||||||
|
@ -109,9 +109,9 @@ Table of Contents
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 2]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 2]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
1. Introduction
|
1. Introduction
|
||||||
|
@ -165,9 +165,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 3]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 3]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.2.1.2. id
|
2.2.1.2. id
|
||||||
|
@ -221,9 +221,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 4]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 4]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.2.1.6. analysis
|
2.2.1.6. analysis
|
||||||
|
@ -277,9 +277,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 5]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 5]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.2.1.10. org_id
|
2.2.1.10. org_id
|
||||||
|
@ -333,9 +333,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 6]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 6]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
All Communities
|
All Communities
|
||||||
|
@ -389,9 +389,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 7]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 7]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"Org": {
|
"Org": {
|
||||||
|
@ -445,9 +445,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 8]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 8]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"Attribute": {
|
"Attribute": {
|
||||||
|
@ -501,9 +501,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 9]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 9]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
Antivirus detection
|
Antivirus detection
|
||||||
|
@ -546,7 +546,7 @@ Internet-Draft MISP core format January 2020
|
||||||
number, prtn, phone-number, comment, text, other, hex, anonymised
|
number, prtn, phone-number, comment, text, other, hex, anonymised
|
||||||
|
|
||||||
Internal reference
|
Internal reference
|
||||||
text, link, comment, other, hex, anonymised
|
text, link, comment, other, hex, anonymised, git-commit-id
|
||||||
|
|
||||||
Network activity
|
Network activity
|
||||||
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
|
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
|
||||||
|
@ -557,9 +557,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 10]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 10]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other,
|
sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other,
|
||||||
|
@ -613,9 +613,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 11]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 11]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
Person
|
Person
|
||||||
|
@ -669,9 +669,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 12]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 12]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.4.2.6. event_id
|
2.4.2.6. event_id
|
||||||
|
@ -725,9 +725,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 13]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 13]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.4.2.9. comment
|
2.4.2.9. comment
|
||||||
|
@ -781,9 +781,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 14]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 14]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.4.2.14. ShadowAttribute
|
2.4.2.14. ShadowAttribute
|
||||||
|
@ -837,9 +837,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 15]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 15]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.5.1. Sample Attribute Object
|
2.5.1. Sample Attribute Object
|
||||||
|
@ -893,9 +893,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 16]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 16]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
type is represented as a JSON string. type MUST be present and it
|
type is represented as a JSON string. type MUST be present and it
|
||||||
|
@ -942,16 +942,16 @@ Internet-Draft MISP core format January 2020
|
||||||
number, prtn, phone-number, comment, text, other, hex, anonymised
|
number, prtn, phone-number, comment, text, other, hex, anonymised
|
||||||
|
|
||||||
Internal reference
|
Internal reference
|
||||||
text, link, comment, other, hex, anonymised
|
text, link, comment, other, hex, anonymised, git-commit-id
|
||||||
|
|
||||||
Network activity
|
Network activity
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 17]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 17]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
|
ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain,
|
||||||
|
@ -1005,9 +1005,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 18]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 18]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
comment, text, other, anonymised
|
comment, text, other, anonymised
|
||||||
|
@ -1061,9 +1061,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 19]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 19]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
pattern for detection in Local or Network Intrusion Detection System,
|
pattern for detection in Local or Network Intrusion Detection System,
|
||||||
|
@ -1117,9 +1117,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 20]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 20]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.5.2.10. org_id
|
2.5.2.10. org_id
|
||||||
|
@ -1173,9 +1173,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 21]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 21]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
first_seen is represented as a JSON string. first_seen MAY be
|
first_seen is represented as a JSON string. first_seen MAY be
|
||||||
|
@ -1229,9 +1229,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 22]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 22]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
template used for its creation within. Objects belong to a meta-
|
template used for its creation within. Objects belong to a meta-
|
||||||
|
@ -1285,9 +1285,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 23]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 23]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"Object": {
|
"Object": {
|
||||||
|
@ -1341,9 +1341,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 24]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 24]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.6.2.1. uuid
|
2.6.2.1. uuid
|
||||||
|
@ -1397,9 +1397,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 25]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 25]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.6.2.7. template_version
|
2.6.2.7. template_version
|
||||||
|
@ -1453,9 +1453,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 26]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 26]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
Sharing Group
|
Sharing Group
|
||||||
|
@ -1509,9 +1509,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 27]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 27]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.6.2.16. last_seen
|
2.6.2.16. last_seen
|
||||||
|
@ -1565,9 +1565,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 28]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 28]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.7.2.2. id
|
2.7.2.2. id
|
||||||
|
@ -1621,9 +1621,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 29]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 29]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
2.7.2.8. relationship_type
|
2.7.2.8. relationship_type
|
||||||
|
@ -1677,9 +1677,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 30]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 30]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
exportable represents a setting if the tag is kept local or
|
exportable represents a setting if the tag is kept local or
|
||||||
|
@ -1733,9 +1733,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 31]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 31]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
can be a given piece of software (e.g. SIEM), device or a specific
|
can be a given piece of software (e.g. SIEM), device or a specific
|
||||||
|
@ -1789,9 +1789,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 32]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 32]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"Sighting": [
|
"Sighting": [
|
||||||
|
@ -1845,9 +1845,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 33]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 33]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"Galaxy": [ {
|
"Galaxy": [ {
|
||||||
|
@ -1901,9 +1901,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 34]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 34]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
3. JSON Schema
|
3. JSON Schema
|
||||||
|
@ -1957,9 +1957,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 35]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 35]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"type": "object",
|
"type": "object",
|
||||||
|
@ -2013,9 +2013,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 36]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 36]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"items": {
|
"items": {
|
||||||
|
@ -2069,9 +2069,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 37]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 37]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
@ -2125,9 +2125,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 38]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 38]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
@ -2181,9 +2181,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 39]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 39]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"properties": {
|
"properties": {
|
||||||
|
@ -2237,9 +2237,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 40]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 40]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"properties": {
|
"properties": {
|
||||||
|
@ -2293,9 +2293,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 41]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 41]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"properties": {
|
"properties": {
|
||||||
|
@ -2349,9 +2349,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 42]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 42]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
},
|
},
|
||||||
|
@ -2405,9 +2405,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 43]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 43]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
},
|
},
|
||||||
|
@ -2461,9 +2461,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 44]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 44]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"type": "string"
|
"type": "string"
|
||||||
|
@ -2517,9 +2517,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 45]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 45]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"uniqueItems": true,
|
"uniqueItems": true,
|
||||||
|
@ -2573,9 +2573,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 46]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 46]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"type": "boolean"
|
"type": "boolean"
|
||||||
|
@ -2629,9 +2629,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 47]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 47]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"type": "object",
|
"type": "object",
|
||||||
|
@ -2685,9 +2685,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 48]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 48]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"Event": {
|
"Event": {
|
||||||
|
@ -2741,9 +2741,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 49]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 49]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
o integrity:pgp represents a detached PGP signature [RFC4880] of the
|
o integrity:pgp represents a detached PGP signature [RFC4880] of the
|
||||||
|
@ -2797,9 +2797,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 50]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 50]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
"name": "circl:incident-classification=\"malware\""
|
"name": "circl:incident-classification=\"malware\""
|
||||||
|
@ -2853,9 +2853,9 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 51]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 51]
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
|
|
||||||
9.1. Normative References
|
9.1. Normative References
|
||||||
|
@ -2887,8 +2887,9 @@ Internet-Draft MISP core format January 2020
|
||||||
Documents", 2016,
|
Documents", 2016,
|
||||||
<https://tools.ietf.org/html/draft-wright-json-schema>.
|
<https://tools.ietf.org/html/draft-wright-json-schema>.
|
||||||
|
|
||||||
[MISP-P] Community, M., "MISP Project - Malware Information Sharing
|
[MISP-P] Community, M., "MISP Project - Open Source Threat
|
||||||
Platform and Threat Sharing", <https://github.com/MISP>.
|
Intelligence Platform and Open Standards For Threat
|
||||||
|
Information Sharing", <https://github.com/MISP>.
|
||||||
|
|
||||||
[MISP-R] Community, M., "MISP Object Relationship Types - common
|
[MISP-R] Community, M., "MISP Object Relationship Types - common
|
||||||
vocabulary of relationships", <https://github.com/MISP/
|
vocabulary of relationships", <https://github.com/MISP/
|
||||||
|
@ -2908,10 +2909,9 @@ Authors' Addresses
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 52]
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 52]
|
Internet-Draft MISP core format May 2020
|
||||||
|
|
||||||
Internet-Draft MISP core format January 2020
|
|
||||||
|
|
||||||
|
|
||||||
Alexandre Dulaunoy
|
Alexandre Dulaunoy
|
||||||
|
@ -2965,4 +2965,4 @@ Internet-Draft MISP core format January 2020
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Dulaunoy & Iklody Expires July 25, 2020 [Page 53]
|
Dulaunoy & Iklody Expires November 27, 2020 [Page 53]
|
||||||
|
|
|
@ -522,7 +522,7 @@
|
||||||
<h1 id="rfc.section.2.4">
|
<h1 id="rfc.section.2.4">
|
||||||
<a href="#rfc.section.2.4">2.4.</a> <a href="#meta" id="meta">meta</a>
|
<a href="#rfc.section.2.4">2.4.</a> <a href="#meta" id="meta">meta</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p id="rfc.section.2.4.p.1">Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.</p>
|
<p id="rfc.section.2.4.p.1">Meta contains a list of custom defined JSON key value pairs. Users SHOULD reuse commonly used keys such as complexity, effectiveness, country, possible_issues, colour, motive, impact, refs, synonyms, status, date, encryption, extensions, ransomnotes, ransomnotes-filenames, ransomnotes-refs, suspected-victims, suspected-state-sponsor, type-of-incident, target-category, cfr-suspected-victims, cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-category, suspected-victims, suspected-state-sponsor, attribution-confidence, payment-method, price, spoken-language, official-refs wherever applicable. Additional meta field MAY be added without the need to be referenced or registered in advance.</p>
|
||||||
<p id="rfc.section.2.4.p.2">refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. official-refs is represented as an array containing one or more strings and SHALL be present.</p>
|
<p id="rfc.section.2.4.p.2">refs, synonyms, official-refs SHALL be used to give further informations. refs is represented as an array containing one or more strings and SHALL be present. synonyms is represented as an array containing one or more strings and SHALL be present. official-refs is represented as an array containing one or more strings and SHALL be present.</p>
|
||||||
<p id="rfc.section.2.4.p.3">date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.</p>
|
<p id="rfc.section.2.4.p.3">date, status MAY be used to give time information about an cluster. date is represented as a string describing a time or period and SHALL be present. status is represented as a string describing the current status of the clusters. It MAY also describe a time or period and SHALL be present.</p>
|
||||||
<p id="rfc.section.2.4.p.4">colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.</p>
|
<p id="rfc.section.2.4.p.4">colour fields MAY be used at predicates or values level to set a specify colour that MAY be used by the implementation. The colour field is described as an RGB colour fill in hexadecimal representation.</p>
|
||||||
|
|
|
@ -195,10 +195,10 @@ Internet-Draft MISP galaxy format October 2019
|
||||||
filenames, ransomnotes-refs, suspected-victims, suspected-state-
|
filenames, ransomnotes-refs, suspected-victims, suspected-state-
|
||||||
sponsor, type-of-incident, target-category, cfr-suspected-victims,
|
sponsor, type-of-incident, target-category, cfr-suspected-victims,
|
||||||
cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
|
cfr-suspected-state-sponsor, cfr-type-of-incident, cfr-target-
|
||||||
category, attribution-confidence, payment-method, price, spoken-
|
category, suspected-victims, suspected-state-sponsor, attribution-
|
||||||
language, official-refs wherever applicable. Additional meta field
|
confidence, payment-method, price, spoken-language, official-refs
|
||||||
MAY be added without the need to be referenced or registered in
|
wherever applicable. Additional meta field MAY be added without the
|
||||||
advance.
|
need to be referenced or registered in advance.
|
||||||
|
|
||||||
refs, synonyms, official-refs SHALL be used to give further
|
refs, synonyms, official-refs SHALL be used to give further
|
||||||
informations. refs is represented as an array containing one or more
|
informations. refs is represented as an array containing one or more
|
||||||
|
|
|
@ -385,7 +385,8 @@
|
||||||
<link href="#rfc.section.2.3" rel="Chapter" title="2.3 Value">
|
<link href="#rfc.section.2.3" rel="Chapter" title="2.3 Value">
|
||||||
<link href="#rfc.section.2.3.1" rel="Chapter" title="2.3.1 Configuring the value format for a Namespace">
|
<link href="#rfc.section.2.3.1" rel="Chapter" title="2.3.1 Configuring the value format for a Namespace">
|
||||||
<link href="#rfc.section.2.4" rel="Chapter" title="2.4 Bulk">
|
<link href="#rfc.section.2.4" rel="Chapter" title="2.4 Bulk">
|
||||||
<link href="#rfc.section.2.4.1" rel="Chapter" title="2.4.1 Response">
|
<link href="#rfc.section.2.4.1" rel="Chapter" title="2.4.1 Request">
|
||||||
|
<link href="#rfc.section.2.4.2" rel="Chapter" title="2.4.2 Response">
|
||||||
<link href="#rfc.section.3" rel="Chapter" title="3 Security Considerations">
|
<link href="#rfc.section.3" rel="Chapter" title="3 Security Considerations">
|
||||||
<link href="#rfc.section.4" rel="Chapter" title="4 Acknowledgements">
|
<link href="#rfc.section.4" rel="Chapter" title="4 Acknowledgements">
|
||||||
<link href="#rfc.references" rel="Chapter" title="5 Normative References">
|
<link href="#rfc.references" rel="Chapter" title="5 Normative References">
|
||||||
|
@ -397,7 +398,7 @@
|
||||||
|
|
||||||
<meta name="dct.creator" content="Tricaud, S." />
|
<meta name="dct.creator" content="Tricaud, S." />
|
||||||
<meta name="dct.identifier" content="urn:ietf:id:" />
|
<meta name="dct.identifier" content="urn:ietf:id:" />
|
||||||
<meta name="dct.issued" scheme="ISO8601" content="2019-11-03" />
|
<meta name="dct.issued" scheme="ISO8601" content="2020-04-13" />
|
||||||
<meta name="dct.abstract" content="This document describes the format used by SightingDB to give automated context to a given Attribute by counting occurrences and tracking times of observability. SightingDB was designed to provide to MISP a Scalable and Fast way to store and retrieve Attributes." />
|
<meta name="dct.abstract" content="This document describes the format used by SightingDB to give automated context to a given Attribute by counting occurrences and tracking times of observability. SightingDB was designed to provide to MISP a Scalable and Fast way to store and retrieve Attributes." />
|
||||||
<meta name="description" content="This document describes the format used by SightingDB to give automated context to a given Attribute by counting occurrences and tracking times of observability. SightingDB was designed to provide to MISP a Scalable and Fast way to store and retrieve Attributes." />
|
<meta name="description" content="This document describes the format used by SightingDB to give automated context to a given Attribute by counting occurrences and tracking times of observability. SightingDB was designed to provide to MISP a Scalable and Fast way to store and retrieve Attributes." />
|
||||||
|
|
||||||
|
@ -417,8 +418,8 @@
|
||||||
<td class="right">Devo Inc.</td>
|
<td class="right">Devo Inc.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
<tr>
|
||||||
<td class="left">Expires: May 6, 2020</td>
|
<td class="left">Expires: October 15, 2020</td>
|
||||||
<td class="right">November 3, 2019</td>
|
<td class="right">April 13, 2020</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
|
|
||||||
|
@ -434,9 +435,9 @@
|
||||||
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
|
<p>This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.</p>
|
||||||
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
|
<p>Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.</p>
|
||||||
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
|
<p>Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."</p>
|
||||||
<p>This Internet-Draft will expire on May 6, 2020.</p>
|
<p>This Internet-Draft will expire on October 15, 2020.</p>
|
||||||
<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
|
<h1 id="rfc.copyrightnotice"><a href="#rfc.copyrightnotice">Copyright Notice</a></h1>
|
||||||
<p>Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
|
<p>Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.</p>
|
||||||
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
|
<p>This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.</p>
|
||||||
|
|
||||||
|
|
||||||
|
@ -466,7 +467,9 @@
|
||||||
</li>
|
</li>
|
||||||
</ul><li>2.4. <a href="#rfc.section.2.4">Bulk</a>
|
</ul><li>2.4. <a href="#rfc.section.2.4">Bulk</a>
|
||||||
</li>
|
</li>
|
||||||
<ul><li>2.4.1. <a href="#rfc.section.2.4.1">Response</a>
|
<ul><li>2.4.1. <a href="#rfc.section.2.4.1">Request</a>
|
||||||
|
</li>
|
||||||
|
<li>2.4.2. <a href="#rfc.section.2.4.2">Response</a>
|
||||||
</li>
|
</li>
|
||||||
</ul></ul><li>3. <a href="#rfc.section.3">Security Considerations</a>
|
</ul></ul><li>3. <a href="#rfc.section.3">Security Considerations</a>
|
||||||
</li>
|
</li>
|
||||||
|
@ -494,7 +497,7 @@
|
||||||
<h1 id="rfc.section.2.1">
|
<h1 id="rfc.section.2.1">
|
||||||
<a href="#rfc.section.2.1">2.1.</a> <a href="#overview" id="overview">Overview</a>
|
<a href="#rfc.section.2.1">2.1.</a> <a href="#overview" id="overview">Overview</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p id="rfc.section.2.1.p.1">The SightingDB format is in JSON <a href="#RFC8259" class="xref">[RFC8259]</a> format and used to query a SightingDB compatible connector. In SightingDB, a Sighting Object is composed of a single JSON object. This object contains the following fields: value, first<em>seen, last</em>seen, count, tags, ttl and manifold.</p>
|
<p id="rfc.section.2.1.p.1">The SightingDB format is in JSON <a href="#RFC8259" class="xref">[RFC8259]</a> format and used to query a SightingDB compatible connector. In SightingDB, a Sighting Object is composed of a single JSON object. This object contains the following fields: value, first<em>seen, last</em>seen, count, tags, ttl and consensus.</p>
|
||||||
<h1 id="rfc.section.2.1.1">
|
<h1 id="rfc.section.2.1.1">
|
||||||
<a href="#rfc.section.2.1.1">2.1.1.</a> <a href="#attribute-storage" id="attribute-storage">Attribute Storage</a>
|
<a href="#rfc.section.2.1.1">2.1.1.</a> <a href="#attribute-storage" id="attribute-storage">Attribute Storage</a>
|
||||||
</h1>
|
</h1>
|
||||||
|
@ -507,10 +510,9 @@
|
||||||
<p id="rfc.section.2.1.2.p.3">Reserved namespaces are:</p>
|
<p id="rfc.section.2.1.2.p.3">Reserved namespaces are:</p>
|
||||||
<p id="rfc.section.2.1.2.p.4">_expired/<namespace>: Which contains all the attributes that expired, preserving the origin namespace</p>
|
<p id="rfc.section.2.1.2.p.4">_expired/<namespace>: Which contains all the attributes that expired, preserving the origin namespace</p>
|
||||||
<p id="rfc.section.2.1.2.p.5">_shadow/<namespace>: When a value is searched and does not exists, it is stored there</p>
|
<p id="rfc.section.2.1.2.p.5">_shadow/<namespace>: When a value is searched and does not exists, it is stored there</p>
|
||||||
<p id="rfc.section.2.1.2.p.6">_stats: Statistics</p>
|
<p id="rfc.section.2.1.2.p.6">_config: Configuration</p>
|
||||||
<p id="rfc.section.2.1.2.p.7">_config: Configuration</p>
|
<p id="rfc.section.2.1.2.p.7">_all: All the Attributes in one place, used to retrieve the 'consensus' property.</p>
|
||||||
<p id="rfc.section.2.1.2.p.8">_all: All the Attributes in one place, used to retrieve the 'manifold' property.</p>
|
<p id="rfc.section.2.1.2.p.8">The Attribute Key MUST always be the last part of the Namespace.</p>
|
||||||
<p id="rfc.section.2.1.2.p.9">The Attribute Key MUST always be the last part of the Namespace.</p>
|
|
||||||
<h1 id="rfc.section.2.1.2.1">
|
<h1 id="rfc.section.2.1.2.1">
|
||||||
<a href="#rfc.section.2.1.2.1">2.1.2.1.</a> <a href="#sample-namespaces" id="sample-namespaces">Sample Namespaces</a>
|
<a href="#rfc.section.2.1.2.1">2.1.2.1.</a> <a href="#sample-namespaces" id="sample-namespaces">Sample Namespaces</a>
|
||||||
</h1>
|
</h1>
|
||||||
|
@ -547,9 +549,9 @@
|
||||||
<p id="rfc.section.2.1.3.6.p.2">When an Attribute has this field set to 0, it means it is not set to expired. This is the default behavior.</p>
|
<p id="rfc.section.2.1.3.6.p.2">When an Attribute has this field set to 0, it means it is not set to expired. This is the default behavior.</p>
|
||||||
<p id="rfc.section.2.1.3.6.p.3">When an Attribute has this field set to a number greater than 0, the expiration status is computed only at retrieval time.</p>
|
<p id="rfc.section.2.1.3.6.p.3">When an Attribute has this field set to a number greater than 0, the expiration status is computed only at retrieval time.</p>
|
||||||
<h1 id="rfc.section.2.1.3.7">
|
<h1 id="rfc.section.2.1.3.7">
|
||||||
<a href="#rfc.section.2.1.3.7">2.1.3.7.</a> <a href="#manifold" id="manifold">manifold</a>
|
<a href="#rfc.section.2.1.3.7">2.1.3.7.</a> <a href="#consensus" id="consensus">consensus</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p id="rfc.section.2.1.3.7.p.1">When a given Attribute Value is stored in different namespaces, the manifold field keeps track of them so it returns in how many different places this attributes exists. This is a simple counter.</p>
|
<p id="rfc.section.2.1.3.7.p.1">When a given Attribute Value is stored in different namespaces, the consensus field keeps track of them so it returns in how many different places this attributes exists. This is a simple counter.</p>
|
||||||
<h1 id="rfc.section.2.2">
|
<h1 id="rfc.section.2.2">
|
||||||
<a href="#rfc.section.2.2">2.2.</a> <a href="#sightingdb-format-one-attribute" id="sightingdb-format-one-attribute">SightingDB Format - One Attribute</a>
|
<a href="#rfc.section.2.2">2.2.</a> <a href="#sightingdb-format-one-attribute" id="sightingdb-format-one-attribute">SightingDB Format - One Attribute</a>
|
||||||
</h1>
|
</h1>
|
||||||
|
@ -560,7 +562,7 @@
|
||||||
"count":578391,
|
"count":578391,
|
||||||
"tags":"",
|
"tags":"",
|
||||||
"ttl":0,
|
"ttl":0,
|
||||||
"manifold": 17
|
"consensus": 17
|
||||||
}
|
}
|
||||||
</pre>
|
</pre>
|
||||||
<h1 id="rfc.section.2.3">
|
<h1 id="rfc.section.2.3">
|
||||||
|
@ -586,20 +588,36 @@
|
||||||
<p id="rfc.section.2.4.p.1">When data must be sent and received in large amounts, it is preferable to embed in JSON all the objects at once. As such, for reading and writing, the format is the following:</p>
|
<p id="rfc.section.2.4.p.1">When data must be sent and received in large amounts, it is preferable to embed in JSON all the objects at once. As such, for reading and writing, the format is the following:</p>
|
||||||
<pre>{
|
<pre>{
|
||||||
"items": [
|
"items": [
|
||||||
{ "/your/namespace": "127.0.0.1" },
|
{ "<namespace>": "<value>" },
|
||||||
{ "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db" }
|
{ "<namespace>": "<value>", "timestamp": <epoch> }
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
</pre>
|
</pre>
|
||||||
<p id="rfc.section.2.4.p.2">Which will either store or retrieve the wanted data.</p>
|
<p id="rfc.section.2.4.p.2">Where:</p>
|
||||||
|
<p id="rfc.section.2.4.p.3">namespace: is the wanted namespace where to store the value</p>
|
||||||
|
<p id="rfc.section.2.4.p.4">value: the value one want to track</p>
|
||||||
|
<p id="rfc.section.2.4.p.5">timestamp: OPTIONAL epoch timestamp to set the value at.</p>
|
||||||
|
<p id="rfc.section.2.4.p.6">The timestamp is how one can use SightingDB and use old datasets where the first seen and last seen is not relative to "right now".</p>
|
||||||
<h1 id="rfc.section.2.4.1">
|
<h1 id="rfc.section.2.4.1">
|
||||||
<a href="#rfc.section.2.4.1">2.4.1.</a> <a href="#response" id="response">Response</a>
|
<a href="#rfc.section.2.4.1">2.4.1.</a> <a href="#request" id="request">Request</a>
|
||||||
</h1>
|
</h1>
|
||||||
<p id="rfc.section.2.4.1.p.1">The response when retrieving sightings also has the list of items, in order, one per line of the results:</p>
|
<p id="rfc.section.2.4.1.p.1">A Proper request with two items is made like this:</p>
|
||||||
<pre>{
|
<pre>{
|
||||||
"items": [
|
"items": [
|
||||||
{ "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "manifold": 1 },
|
{ "/your/namespace": "127.0.0.1" },
|
||||||
{ "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "manifold": 3 }
|
{ "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db", "timestamp": 1586825229 }
|
||||||
|
]
|
||||||
|
}
|
||||||
|
</pre>
|
||||||
|
<p id="rfc.section.2.4.1.p.2">Which will either store or retrieve the wanted data.</p>
|
||||||
|
<h1 id="rfc.section.2.4.2">
|
||||||
|
<a href="#rfc.section.2.4.2">2.4.2.</a> <a href="#response" id="response">Response</a>
|
||||||
|
</h1>
|
||||||
|
<p id="rfc.section.2.4.2.p.1">The response when retrieving sightings also has the list of items, in order, one per line of the results:</p>
|
||||||
|
<pre>{
|
||||||
|
"items": [
|
||||||
|
{"value": "Octave_Hergebel", "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "consensus": 1},
|
||||||
|
{"value": "127.0.0.1", "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "consensus": 3}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
</pre>
|
</pre>
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
Network Working Group S. Tricaud
|
Network Working Group S. Tricaud
|
||||||
Internet-Draft Devo Inc.
|
Internet-Draft Devo Inc.
|
||||||
Expires: May 6, 2020 November 3, 2019
|
Expires: October 15, 2020 April 13, 2020
|
||||||
|
|
||||||
|
|
||||||
SightingDB query format
|
SightingDB query format
|
||||||
|
@ -31,11 +31,11 @@ Status of This Memo
|
||||||
time. It is inappropriate to use Internet-Drafts as reference
|
time. It is inappropriate to use Internet-Drafts as reference
|
||||||
material or to cite them other than as "work in progress."
|
material or to cite them other than as "work in progress."
|
||||||
|
|
||||||
This Internet-Draft will expire on May 6, 2020.
|
This Internet-Draft will expire on October 15, 2020.
|
||||||
|
|
||||||
Copyright Notice
|
Copyright Notice
|
||||||
|
|
||||||
Copyright (c) 2019 IETF Trust and the persons identified as the
|
Copyright (c) 2020 IETF Trust and the persons identified as the
|
||||||
document authors. All rights reserved.
|
document authors. All rights reserved.
|
||||||
|
|
||||||
This document is subject to BCP 78 and the IETF Trust's Legal
|
This document is subject to BCP 78 and the IETF Trust's Legal
|
||||||
|
@ -53,9 +53,9 @@ Copyright Notice
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Tricaud Expires May 6, 2020 [Page 1]
|
Tricaud Expires October 15, 2020 [Page 1]
|
||||||
|
|
||||||
Internet-Draft SightingDB query format November 2019
|
Internet-Draft SightingDB query format April 2020
|
||||||
|
|
||||||
|
|
||||||
Table of Contents
|
Table of Contents
|
||||||
|
@ -71,11 +71,12 @@ Table of Contents
|
||||||
2.3. Value . . . . . . . . . . . . . . . . . . . . . . . . . . 5
|
2.3. Value . . . . . . . . . . . . . . . . . . . . . . . . . . 5
|
||||||
2.3.1. Configuring the value format for a Namespace . . . . 5
|
2.3.1. Configuring the value format for a Namespace . . . . 5
|
||||||
2.4. Bulk . . . . . . . . . . . . . . . . . . . . . . . . . . 5
|
2.4. Bulk . . . . . . . . . . . . . . . . . . . . . . . . . . 5
|
||||||
2.4.1. Response . . . . . . . . . . . . . . . . . . . . . . 6
|
2.4.1. Request . . . . . . . . . . . . . . . . . . . . . . . 6
|
||||||
|
2.4.2. Response . . . . . . . . . . . . . . . . . . . . . . 6
|
||||||
3. Security Considerations . . . . . . . . . . . . . . . . . . . 6
|
3. Security Considerations . . . . . . . . . . . . . . . . . . . 6
|
||||||
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
|
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
|
||||||
5. Normative References . . . . . . . . . . . . . . . . . . . . 6
|
5. Normative References . . . . . . . . . . . . . . . . . . . . 7
|
||||||
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6
|
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7
|
||||||
|
|
||||||
1. Introduction
|
1. Introduction
|
||||||
|
|
||||||
|
@ -98,22 +99,24 @@ Table of Contents
|
||||||
The SightingDB format is in JSON [RFC8259] format and used to query a
|
The SightingDB format is in JSON [RFC8259] format and used to query a
|
||||||
SightingDB compatible connector. In SightingDB, a Sighting Object is
|
SightingDB compatible connector. In SightingDB, a Sighting Object is
|
||||||
composed of a single JSON object. This object contains the following
|
composed of a single JSON object. This object contains the following
|
||||||
fields: value, first_seen, last_seen, count, tags, ttl and manifold.
|
fields: value, first_seen, last_seen, count, tags, ttl and consensus.
|
||||||
|
|
||||||
2.1.1. Attribute Storage
|
2.1.1. Attribute Storage
|
||||||
|
|
||||||
The fields described previously describe an Attribute and all the
|
The fields described previously describe an Attribute and all the
|
||||||
required characteristics. However they are stored in a Namespace. A
|
required characteristics. However they are stored in a Namespace. A
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Tricaud Expires October 15, 2020 [Page 2]
|
||||||
|
|
||||||
|
Internet-Draft SightingDB query format April 2020
|
||||||
|
|
||||||
|
|
||||||
Namespace is similar to a path in a file-system where the same file
|
Namespace is similar to a path in a file-system where the same file
|
||||||
can be stored in multiple places.
|
can be stored in multiple places.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Tricaud Expires May 6, 2020 [Page 2]
|
|
||||||
|
|
||||||
Internet-Draft SightingDB query format November 2019
|
|
||||||
|
|
||||||
|
|
||||||
2.1.2. Namespace
|
2.1.2. Namespace
|
||||||
|
|
||||||
A Namespace with multiple levels MUST be separated with the slash '/'
|
A Namespace with multiple levels MUST be separated with the slash '/'
|
||||||
|
@ -132,12 +135,10 @@ Internet-Draft SightingDB query format November 2019
|
||||||
_shadow/<namespace>: When a value is searched and does not exists, it
|
_shadow/<namespace>: When a value is searched and does not exists, it
|
||||||
is stored there
|
is stored there
|
||||||
|
|
||||||
_stats: Statistics
|
|
||||||
|
|
||||||
_config: Configuration
|
_config: Configuration
|
||||||
|
|
||||||
_all: All the Attributes in one place, used to retrieve the
|
_all: All the Attributes in one place, used to retrieve the
|
||||||
'manifold' property.
|
'consensus' property.
|
||||||
|
|
||||||
The Attribute Key MUST always be the last part of the Namespace.
|
The Attribute Key MUST always be the last part of the Namespace.
|
||||||
|
|
||||||
|
@ -164,10 +165,9 @@ Internet-Draft SightingDB query format November 2019
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Tricaud Expires October 15, 2020 [Page 3]
|
||||||
|
|
||||||
Tricaud Expires May 6, 2020 [Page 3]
|
Internet-Draft SightingDB query format April 2020
|
||||||
|
|
||||||
Internet-Draft SightingDB query format November 2019
|
|
||||||
|
|
||||||
|
|
||||||
2.1.3.2. first_seen
|
2.1.3.2. first_seen
|
||||||
|
@ -199,10 +199,10 @@ Internet-Draft SightingDB query format November 2019
|
||||||
When an Attribute has this field set to a number greater than 0, the
|
When an Attribute has this field set to a number greater than 0, the
|
||||||
expiration status is computed only at retrieval time.
|
expiration status is computed only at retrieval time.
|
||||||
|
|
||||||
2.1.3.7. manifold
|
2.1.3.7. consensus
|
||||||
|
|
||||||
When a given Attribute Value is stored in different namespaces, the
|
When a given Attribute Value is stored in different namespaces, the
|
||||||
manifold field keeps track of them so it returns in how many
|
consensus field keeps track of them so it returns in how many
|
||||||
different places this attributes exists. This is a simple counter.
|
different places this attributes exists. This is a simple counter.
|
||||||
|
|
||||||
2.2. SightingDB Format - One Attribute
|
2.2. SightingDB Format - One Attribute
|
||||||
|
@ -214,16 +214,16 @@ Internet-Draft SightingDB query format November 2019
|
||||||
"count":578391,
|
"count":578391,
|
||||||
"tags":"",
|
"tags":"",
|
||||||
"ttl":0,
|
"ttl":0,
|
||||||
"manifold": 17
|
"consensus": 17
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Tricaud Expires May 6, 2020 [Page 4]
|
Tricaud Expires October 15, 2020 [Page 4]
|
||||||
|
|
||||||
Internet-Draft SightingDB query format November 2019
|
Internet-Draft SightingDB query format April 2020
|
||||||
|
|
||||||
|
|
||||||
2.3. Value
|
2.3. Value
|
||||||
|
@ -263,34 +263,54 @@ Internet-Draft SightingDB query format November 2019
|
||||||
preferable to embed in JSON all the objects at once. As such, for
|
preferable to embed in JSON all the objects at once. As such, for
|
||||||
reading and writing, the format is the following:
|
reading and writing, the format is the following:
|
||||||
|
|
||||||
|
{
|
||||||
|
"items": [
|
||||||
|
{ "<namespace>": "<value>" },
|
||||||
|
{ "<namespace>": "<value>", "timestamp": <epoch> }
|
||||||
|
]
|
||||||
|
}
|
||||||
|
|
||||||
|
Where:
|
||||||
|
|
||||||
|
namespace: is the wanted namespace where to store the value
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Tricaud Expires October 15, 2020 [Page 5]
|
||||||
|
|
||||||
|
Internet-Draft SightingDB query format April 2020
|
||||||
|
|
||||||
|
|
||||||
|
value: the value one want to track
|
||||||
|
|
||||||
|
timestamp: OPTIONAL epoch timestamp to set the value at.
|
||||||
|
|
||||||
|
The timestamp is how one can use SightingDB and use old datasets
|
||||||
|
where the first seen and last seen is not relative to "right now".
|
||||||
|
|
||||||
|
2.4.1. Request
|
||||||
|
|
||||||
|
A Proper request with two items is made like this:
|
||||||
|
|
||||||
{
|
{
|
||||||
"items": [
|
"items": [
|
||||||
{ "/your/namespace": "127.0.0.1" },
|
{ "/your/namespace": "127.0.0.1" },
|
||||||
{ "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db" }
|
{ "/your/other/namespace": "110812f67fa1e1f0117f6f3d70241c1a42a7b07711a93c2477cc516d9042f9db", "timestamp": 1586825229 }
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
Which will either store or retrieve the wanted data.
|
Which will either store or retrieve the wanted data.
|
||||||
|
|
||||||
|
2.4.2. Response
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Tricaud Expires May 6, 2020 [Page 5]
|
|
||||||
|
|
||||||
Internet-Draft SightingDB query format November 2019
|
|
||||||
|
|
||||||
|
|
||||||
2.4.1. Response
|
|
||||||
|
|
||||||
The response when retrieving sightings also has the list of items, in
|
The response when retrieving sightings also has the list of items, in
|
||||||
order, one per line of the results:
|
order, one per line of the results:
|
||||||
|
|
||||||
{
|
{
|
||||||
"items": [
|
"items": [
|
||||||
{ "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "manifold": 1 },
|
{"value": "Octave_Hergebel", "first_seen":1530337182, "last_seen":1573110615, "count":93021, "tags":"", "ttl":0, "consensus": 1},
|
||||||
{ "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "manifold": 3 }
|
{"value": "127.0.0.1", "first_seen":1562930418, "last_seen":1573110404, "count":1020492, "tags":"", "ttl":8912, "consensus": 3}
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -311,6 +331,13 @@ Internet-Draft SightingDB query format November 2019
|
||||||
well as amazing feedback gathered during the MISP Summit 2019 in
|
well as amazing feedback gathered during the MISP Summit 2019 in
|
||||||
Luxembourg, in particular with Alexandre Dulaunoy and Andras Iklody.
|
Luxembourg, in particular with Alexandre Dulaunoy and Andras Iklody.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Tricaud Expires October 15, 2020 [Page 6]
|
||||||
|
|
||||||
|
Internet-Draft SightingDB query format April 2020
|
||||||
|
|
||||||
|
|
||||||
5. Normative References
|
5. Normative References
|
||||||
|
|
||||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
|
||||||
|
@ -325,19 +352,6 @@ Internet-Draft SightingDB query format November 2019
|
||||||
|
|
||||||
Author's Address
|
Author's Address
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Tricaud Expires May 6, 2020 [Page 6]
|
|
||||||
|
|
||||||
Internet-Draft SightingDB query format November 2019
|
|
||||||
|
|
||||||
|
|
||||||
Sebastien Tricaud
|
Sebastien Tricaud
|
||||||
Devo Inc.
|
Devo Inc.
|
||||||
150 Cambridgepark Drive
|
150 Cambridgepark Drive
|
||||||
|
@ -375,18 +389,4 @@ Internet-Draft SightingDB query format November 2019
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
Tricaud Expires October 15, 2020 [Page 7]
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Tricaud Expires May 6, 2020 [Page 7]
|
|
||||||
|
|
Loading…
Reference in New Issue