small changes

pull/11/head
iglocska 2019-12-05 09:10:16 +01:00
parent 16ec626dbb
commit 4b025889d5
No known key found for this signature in database
GPG Key ID: BEA224F1FEF113AC
1 changed files with 24 additions and 33 deletions


@ -8,12 +8,12 @@
\begin{frame} \begin{frame}
\frametitle{Building a native restSearch export} \frametitle{Building a native restSearch export}
\begin{itemize} \begin{itemize}
\item Similar in scope to an export module via MISP modules \item Similar in scope to an {\bf export module} of the MISP modules system
\item Pros: \item Pros:
\begin{itemize} \begin{itemize}
\item Can be used for composited data coming from a search \item Can be used for composited data coming from a {\bf filtered query}
\item Fast, native approach \item Fast, {\bf native approach}
\item Can be built to support several scopes (events, attributes, sightings) \item Can be built to support {\bf several scopes} (events, attributes, sightings)
\end{itemize} \end{itemize}
\item Cons... \item Cons...
\end{itemize} \end{itemize}
@ -22,12 +22,12 @@
\begin{frame} \begin{frame}
\frametitle{Building a native restSearch export} \frametitle{Building a native restSearch export}
\begin{itemize} \begin{itemize}
\item Similar in scope to an export module via MISP modules \item Similar in scope to an {\bf export module} of the MISP modules system
\item Pros: \item Pros:
\begin{itemize} \begin{itemize}
\item Can be used for composited data coming from a search \item Can be used for composited data coming from a {\bf filtered query}
\item Fast, native approach \item Fast, {\bf native approach}
\item Can be built to support several scopes (events, attributes, sightings) \item Can be built to support {\bf several scopes} (events, attributes, sightings)
\end{itemize} \end{itemize}
\item Cons... \item Cons...
\end{itemize} \end{itemize}
@ -39,10 +39,10 @@
\begin{frame} \begin{frame}
\frametitle{So how does restSearch work?} \frametitle{So how does restSearch work?}
\begin{itemize} \begin{itemize}
\item Standardised way of collecting parameters \item Standardised way of collecting {\bf parameters}
\item Using the parameters, a loop is started to chunk and gradually build our export data \item Using the parameters, a loop is started to {\bf chunk and gradually build} our export data
\item The chunk size depends on memory envelopes \item The chunk size depends on memory envelopes
\item Each chunk is converted piece by piece... \item Each chunk is {\bf converted piece by piece}...
\item ... and subsequently are concatenated into a temporary file \item ... and subsequently are concatenated into a temporary file
\item Once no more elements are left, the file is sent in the response \item Once no more elements are left, the file is sent in the response
\end{itemize} \end{itemize}
@ -53,11 +53,11 @@
\begin{itemize} \begin{itemize}
\item The export modules handle 5 tasks: \item The export modules handle 5 tasks:
\begin{itemize} \begin{itemize}
\item Pass meta-information back to restSearch on the export format itself \item Pass {\bf meta-information} back to restSearch on the export format itself
\item Add a start section to the exported data \item Add a {\bf start segment} to the exported data
\item Do the actual conversion from MISP's internal format to the desired export format \item Do the actual {\bf conversion} from MISP's internal format to the desired export format
\item Provide a separator for data chunks \item Provide a {\bf separator} for data chunks
\item Have a closing segment for the returned data, based on the format\'s conventions \item Have a {\bf closing segment} for the returned data, based on the format\'s conventions
\end{itemize} \end{itemize}
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -72,19 +72,10 @@
\begin{frame} \begin{frame}
\frametitle{Nibbler} \frametitle{Nibbler}
\begin{itemize} \begin{itemize}
\item Simplistic tool with its own proprietary format \item Simplistic tool with its {\bf own proprietary format}
\item Meant to mimic a typical in-house tool \item Meant to mimic a typical {\bf in-house tool}
\item Lightweight scope, for simplicity\'s sake \item Lightweight scope, for simplicity\'s sake
\end{itemize} \item {\bf pipe separated values}
\end{frame}
\begin{frame}
\frametitle{Nibbler format}
\begin{itemize}
\item Format
\item Meant to mimic a typical in-house tool
\item Lightweight scope, for simplicity\'s sake
\item pipe separated values
\item VALUE | TYPE | DESCRIPTION | REFERENCE | ACTION \item VALUE | TYPE | DESCRIPTION | REFERENCE | ACTION
\end{itemize} \end{itemize}
\end{frame} \end{frame}
@ -105,11 +96,11 @@
\begin{frame} \begin{frame}
\frametitle{Nibbler format} \frametitle{Nibbler format}
\begin{itemize} \begin{itemize}
\item Value: The actual indicator value \item {\bf Value}: The actual indicator value
\item Type: The format of the indicator \item {\bf Type}: The format of the indicator
\item Description: A quick description for analysts investigating the alert, why is this relevant \item {\bf Description}: A quick description for analysts investigating the alert, why is this relevant
\item Reference: A backreference that the analyst can use to find out more about the alert \item {\bf Reference}: A backreference that the analyst can use to find out more about the alert
\item Action: What should Nibbler do if it trips over the value? \item {\bf Action}: What should Nibbler do if it trips over the value?
\end{itemize} \end{itemize}
\end{frame} \end{frame}
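Review bot: `\'s` in `based on the format\'s conventions` (fourth hunk) and `for simplicity\'s sake` (fifth hunk) is the acute-accent command, so the new side still typesets "formatś" and "simplicityś" rather than a possessive; the apostrophe needs no escape, so these should read `based on the format's conventions` and `for simplicity's sake`. The `{\bf ...}` highlighting added throughout all six hunks is the obsolete plain-TeX font switch; in a beamer deck `\alert{...}` (or `\textbf{...}`) keeps the highlight semantic and adjustable from the preamble, e.g. `\item Similar in scope to an \alert{export module} of the MISP modules system`. The first two hunks (old lines 8 and 22) show byte-identical frames receiving the same edits; if that duplication is not deliberate, one copy should be dropped rather than maintained twice.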