chg: [misp-core] standard updated regarding first_seen/last_seen added at attribute and object level

pull/2/head
Alexandre Dulaunoy 2020-01-22 10:44:09 +01:00
parent 55f6d63494
commit bcac386ce1
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
2 changed files with 182 additions and 114 deletions


@ -813,10 +813,10 @@
<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised</dd>
<dt>Payload delivery</dt>
<dd style="margin-left: 8">
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised</dd>
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
<dt>Payload installation</dt>
<dd style="margin-left: 8">
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised</dd>
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
<dt>Payload type</dt>
<dd style="margin-left: 8">
<br>comment, text, other, anonymised</dd>
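Review bot: the commit message only describes the first_seen/last_seen addition, but this hunk (and the matching HTML hunk at 1011, plus the text-rendering hunks at 588, 601, 985 and 998) also introduces a new attribute type `chrome-extension-id` in the Payload delivery and Payload installation categories, which the message does not mention. Either split the type addition into its own commit or extend the message so the changelog reflects both changes.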
@ -1011,10 +1011,10 @@
<br>comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised</dd>
<dt>Payload delivery</dt>
<dd style="margin-left: 8">
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, whois-registrant-email, anonymised</dd>
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised</dd>
<dt>Payload installation</dt>
<dd style="margin-left: 8">
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, other, mime-type, anonymised</dd>
<br>md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, ssdeep, imphash, impfuzzy, authentihash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|authentihash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, stix2-pattern, yara, sigma, vulnerability, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other, mime-type, anonymised</dd>
<dt>Payload type</dt>
<dd style="margin-left: 8">
<br>comment, text, other, anonymised</dd>
@ -1701,6 +1701,12 @@
"timestamp": {
"type": "string"
},
"first_seen": {
"type": "string"
},
"last_seen": {
"type": "string"
},
"distribution": {
"type": "string"
},
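Review bot: `first_seen` and `last_seen` are added as bare `"type": "string"` with no `format` keyword and no statement of the expected encoding, so a consumer cannot tell from the schema whether the value is an ISO 8601 date-time or an epoch value like the neighbouring `timestamp`. Consider adding `"format": "date-time"` (or documenting the chosen encoding in the descriptive prose, which no hunk in this commit touches) so that malformed values and a `first_seen` later than `last_seen` can be rejected on import; the same applies to the object-level hunk at 1868.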
@ -1868,6 +1874,12 @@
"timestamp": {
"type": "string"
},
"first_seen": {
"type": "string"
},
"last_seen": {
"type": "string"
},
"comment": {
"type": "string"
},


@ -100,7 +100,7 @@ Table of Contents
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 51
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 51
9.1. Normative References . . . . . . . . . . . . . . . . . . 51
9.1. Normative References . . . . . . . . . . . . . . . . . . 52
9.2. Informative References . . . . . . . . . . . . . . . . . 52
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52
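Review bot: after this change the visible table-of-contents context reads `7. Acknowledgements` followed directly by `9. References`, so the entry for section 8 is missing from the ToC (the body hunk at 2837 already carries `9. References`). Regenerate the ToC from the source rather than editing it by hand, or add the section 8 entry and check its page number alongside the 51 to 52 shift applied to 9.1.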
@ -588,7 +588,7 @@ Internet-Draft MISP core format August 2018
hostname|port, email-dst-display-name, email-src-display-name,
email-header, email-reply-to, email-x-mailer, email-mime-boundary,
email-thread-index, email-message-id, mobile-application-id,
whois-registrant-email, anonymised
chrome-extension-id, whois-registrant-email, anonymised
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
@ -601,8 +601,8 @@ Internet-Draft MISP core format August 2018
traffic, pattern-in-memory, stix2-pattern, yara, sigma,
vulnerability, weakness, attachment, malware-sample, malware-type,
comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5,
x509-fingerprint-sha256, mobile-application-id, other, mime-type,
anonymised
x509-fingerprint-sha256, mobile-application-id, chrome-extension-
id, other, mime-type, anonymised
Payload type
comment, text, other, anonymised
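Review bot: the reflowed line in this hunk splits the new type name across lines as `chrome-extension-` / `id`. In plain-text RFC output a break at a hyphen is ambiguous, so a reader or a script scraping the type list may take it as two tokens `chrome-extension-` and `id`. Move the identifier to the start of the following line so it appears as `chrome-extension-id` in one piece; the hunk at 998 has the same break.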
@ -985,7 +985,7 @@ Internet-Draft MISP core format August 2018
hostname|port, email-dst-display-name, email-src-display-name,
email-header, email-reply-to, email-x-mailer, email-mime-boundary,
email-thread-index, email-message-id, mobile-application-id,
whois-registrant-email, anonymised
chrome-extension-id, whois-registrant-email, anonymised
Payload installation
md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256,
@ -998,8 +998,8 @@ Internet-Draft MISP core format August 2018
traffic, pattern-in-memory, stix2-pattern, yara, sigma,
vulnerability, weakness, attachment, malware-sample, malware-type,
comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5,
x509-fingerprint-sha256, mobile-application-id, other, mime-type,
anonymised
x509-fingerprint-sha256, mobile-application-id, chrome-extension-
id, other, mime-type, anonymised
Payload type
@ -2144,6 +2144,12 @@ Internet-Draft MISP core format August 2018
"timestamp": {
"type": "string"
},
"first_seen": {
"type": "string"
},
"last_seen": {
"type": "string"
},
"distribution": {
"type": "string"
},
@ -2172,12 +2178,6 @@ Internet-Draft MISP core format August 2018
"sighthing": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"attribute_id": {
"type": "string"
@ -2186,6 +2186,12 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 39]
Internet-Draft MISP core format August 2018
"properties": {
"id": {
"type": "string"
},
"attribute_id": {
"type": "string"
},
"event_id": {
"type": "string"
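Review bot: the regenerated text still carries the header `Internet-Draft MISP core format August 2018` and the footer `Expires February 9, 2019` throughout these hunks, while the commit is dated 2020-01-22, so the draft being committed has already expired and its date does not reflect this revision. Regenerate with the current document date (and a bumped draft version) so the expiry and page footers are valid; this is also why the remaining hunks are almost entirely page-break reflow.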
@ -2228,12 +2234,6 @@ Internet-Draft MISP core format August 2018
"objectreference": {
"type": "object",
"additionalProperties": false,
"properties": {
"deleted": {
"type": "boolean"
},
"object_id": {
"type": "string"
@ -2242,6 +2242,12 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 40]
Internet-Draft MISP core format August 2018
"properties": {
"deleted": {
"type": "boolean"
},
"object_id": {
"type": "string"
},
"event_id": {
"type": "string"
@ -2284,12 +2290,6 @@ Internet-Draft MISP core format August 2018
"attribute": {
"type": "object",
"additionalProperties": false,
"properties": {
"id": {
"type": "string"
},
"old_id": {
"type": "string"
@ -2298,6 +2298,12 @@ Dulaunoy & Iklody Expires February 9, 2019 [Page 41]
Internet-Draft MISP core format August 2018
"properties": {
"id": {
"type": "string"
},
"old_id": {
"type": "string"
},
"type": {
"type": "string"
@ -2334,6 +2340,20 @@ Internet-Draft MISP core format August 2018
},
"timestamp": {
"type": "string"
},
"first_seen": {
"type": "string"
},
"last_seen": {
"type": "string"
Dulaunoy & Iklody Expires February 9, 2019 [Page 42]
Internet-Draft MISP core format August 2018
},
"comment": {
"type": "string"
@ -2346,14 +2366,6 @@ Internet-Draft MISP core format August 2018
},
"disable_correlation": {
"type": "boolean"
Dulaunoy & Iklody Expires February 9, 2019 [Page 42]
Internet-Draft MISP core format August 2018
},
"value": {
"type": "string"
@ -2390,6 +2402,14 @@ Internet-Draft MISP core format August 2018
"items": {
"$ref": "#/defs/galaxy"
}
Dulaunoy & Iklody Expires February 9, 2019 [Page 43]
Internet-Draft MISP core format August 2018
},
"Tag": {
"uniqueItems": true,
@ -2402,14 +2422,6 @@ Internet-Draft MISP core format August 2018
},
"event": {
"type": "object",
Dulaunoy & Iklody Expires February 9, 2019 [Page 43]
Internet-Draft MISP core format August 2018
"additionalProperties": false,
"properties": {
"id": {
@ -2446,6 +2458,14 @@ Internet-Draft MISP core format August 2018
"type": "string"
},
"timestamp": {
Dulaunoy & Iklody Expires February 9, 2019 [Page 44]
Internet-Draft MISP core format August 2018
"type": "string"
},
"distribution": {
@ -2458,14 +2478,6 @@ Internet-Draft MISP core format August 2018
"type": "boolean"
},
"publish_timestamp": {
Dulaunoy & Iklody Expires February 9, 2019 [Page 44]
Internet-Draft MISP core format August 2018
"type": "string"
},
"sharing_group_id": {
@ -2502,6 +2514,14 @@ Internet-Draft MISP core format August 2018
},
"RelatedEvent": {
"type": "array",
Dulaunoy & Iklody Expires February 9, 2019 [Page 45]
Internet-Draft MISP core format August 2018
"uniqueItems": true,
"items": {
"type": "object",
@ -2514,14 +2534,6 @@ Internet-Draft MISP core format August 2018
}
},
"Galaxy": {
Dulaunoy & Iklody Expires February 9, 2019 [Page 45]
Internet-Draft MISP core format August 2018
"type": "array",
"uniqueItems": true,
"items": {
@ -2558,6 +2570,14 @@ Internet-Draft MISP core format August 2018
"type": "string"
},
"exportable": {
Dulaunoy & Iklody Expires February 9, 2019 [Page 46]
Internet-Draft MISP core format August 2018
"type": "boolean"
},
"hide_tag": {
@ -2570,14 +2590,6 @@ Internet-Draft MISP core format August 2018
},
"galaxy": {
"type": "object",
Dulaunoy & Iklody Expires February 9, 2019 [Page 46]
Internet-Draft MISP core format August 2018
"additionalProperties": false,
"properties": {
"id": {
@ -2614,6 +2626,14 @@ Internet-Draft MISP core format August 2018
}
},
"galaxy_cluster": {
Dulaunoy & Iklody Expires February 9, 2019 [Page 47]
Internet-Draft MISP core format August 2018
"type": "object",
"additionalProperties": false,
"properties": {
@ -2626,14 +2646,6 @@ Internet-Draft MISP core format August 2018
"type": {
"type": "string"
},
Dulaunoy & Iklody Expires February 9, 2019 [Page 47]
Internet-Draft MISP core format August 2018
"value": {
"type": "string"
},
@ -2670,6 +2682,14 @@ Internet-Draft MISP core format August 2018
},
"type": "object",
"properties": {
Dulaunoy & Iklody Expires February 9, 2019 [Page 48]
Internet-Draft MISP core format August 2018
"Event": {
"$ref": "#/defs/event"
}
@ -2679,17 +2699,6 @@ Internet-Draft MISP core format August 2018
]
}
Dulaunoy & Iklody Expires February 9, 2019 [Page 48]
Internet-Draft MISP core format August 2018
4. Manifest
MISP events can be shared over an HTTP repository, a file package or
@ -2729,6 +2738,14 @@ Internet-Draft MISP core format August 2018
representation of the associated MISP event file to ensure
integrity of the file. (SHOULD)
Dulaunoy & Iklody Expires February 9, 2019 [Page 49]
Internet-Draft MISP core format August 2018
o integrity:pgp represents a detached PGP signature [RFC4880] of the
associated MISP event file to ensure integrity of the file.
(SHOULD)
@ -2738,14 +2755,6 @@ Internet-Draft MISP core format August 2018
detached PGP signature for a manifest file is a manifest.json.asc
file containing the PGP signature.
Dulaunoy & Iklody Expires February 9, 2019 [Page 49]
Internet-Draft MISP core format August 2018
4.1.1. Sample Manifest
{
@ -2785,6 +2794,14 @@ Internet-Draft MISP core format August 2018
},
{
"colour": "#3d7a00",
Dulaunoy & Iklody Expires February 9, 2019 [Page 50]
Internet-Draft MISP core format August 2018
"name": "circl:incident-classification=\"malware\""
},
{
@ -2794,14 +2811,6 @@ Internet-Draft MISP core format August 2018
],
"timestamp": "1461764231",
"date": "2016-04-27",
Dulaunoy & Iklody Expires February 9, 2019 [Page 50]
Internet-Draft MISP core format August 2018
"threat_level_id": "3"
}
}
@ -2837,6 +2846,18 @@ Internet-Draft MISP core format August 2018
9. References
Dulaunoy & Iklody Expires February 9, 2019 [Page 51]
Internet-Draft MISP core format August 2018
9.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
@ -2849,15 +2870,6 @@ Internet-Draft MISP core format August 2018
DOI 10.17487/RFC4122, July 2005,
<https://www.rfc-editor.org/info/rfc4122>.
Dulaunoy & Iklody Expires February 9, 2019 [Page 51]
Internet-Draft MISP core format August 2018
[RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
Thayer, "OpenPGP Message Format", RFC 4880,
DOI 10.17487/RFC4880, November 2007,
@ -2888,6 +2900,20 @@ Internet-Draft MISP core format August 2018
Authors' Addresses
Dulaunoy & Iklody Expires February 9, 2019 [Page 52]
Internet-Draft MISP core format August 2018
Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
16, bd d'Avranches
@ -2909,4 +2935,34 @@ Authors' Addresses
Dulaunoy & Iklody Expires February 9, 2019 [Page 52]
Dulaunoy & Iklody Expires February 9, 2019 [Page 53]