new: [3.3] misp object template added
|
@ -0,0 +1,173 @@
|
||||||
|
% DO NOT COMPILE THIS FILE DIRECTLY!
|
||||||
|
% This is included by the other .tex files.
|
||||||
|
|
||||||
|
\begin{frame}[t,plain]
|
||||||
|
\titlepage
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Objects - or How We Learned to Stop Worrying and Love the Templates}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Attributes are a simple but powerful tool to describe data
|
||||||
|
\item Lacking the capability to create containers around attributes describing a common concept
|
||||||
|
\item The goal was to develop something semi-standardised, with the option to {\bf dynamically build templates}
|
||||||
|
\item We have considered a list of different solutions such as simple boolean operators, but found that the current implementation was superior.
|
||||||
|
\item The result is a simple template that uses the basic attriubte types as building blocks along with some meta data
|
||||||
|
\item The template does {\bf not have to be known} in order to use the constructed objects
|
||||||
|
\item What we maintain now is a set of common objects, but similarly to our other JSON formats, users can extend it with their own ideas.
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{MISP Object Templates}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Using a similar JSON format as the taxonomies, galaxies, warninglists.
|
||||||
|
\item You can find the default set of object templates in the git repository\footnote{\url{https://www.github.com/MISP/misp-objects/}}.
|
||||||
|
\item Some of the object templates capture objects from other standards or mimic the output of tools
|
||||||
|
\item We tried to capture the most common use-cases coming from our own use-case as well as those of various partners that got involved
|
||||||
|
\item Improvements or pull requests for new object templates are of course always welcome
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Existing Object examples}
|
||||||
|
\begin{itemize}
|
||||||
|
\item AIL-leak - {\bf AIL object, an example for an object catering to the output of another tool}
|
||||||
|
\item Android permission - {\bf An object used to further contextualise another object}
|
||||||
|
\item Bank account
|
||||||
|
\item File {\bf Generic object to describe a file}
|
||||||
|
\item Passive DNS
|
||||||
|
\item Regex
|
||||||
|
\item Sandbox report
|
||||||
|
\item Vulnerability {\bf Enabling new use-cases such as pre-sharing of vulnerability information}
|
||||||
|
\item x509
|
||||||
|
\item Yara {\bf Verbatim sharing of rule sets along with meta-data}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\colorlet{punct}{red!60!black}
|
||||||
|
\definecolor{background}{HTML}{EEEEEE}
|
||||||
|
\definecolor{delim}{RGB}{20,105,176}
|
||||||
|
\colorlet{numb}{magenta!60!black}
|
||||||
|
\lstdefinelanguage{json}{
|
||||||
|
basicstyle=\scriptsize,
|
||||||
|
numbers=left,
|
||||||
|
numberstyle=\scriptsize,
|
||||||
|
stepnumber=1,
|
||||||
|
numbersep=5pt,
|
||||||
|
showstringspaces=false,
|
||||||
|
breaklines=true,
|
||||||
|
frame=lines,
|
||||||
|
backgroundcolor=\color{background},
|
||||||
|
literate=
|
||||||
|
*{0}{{{\color{numb}0}}}{1}
|
||||||
|
{1}{{{\color{numb}1}}}{1}
|
||||||
|
{2}{{{\color{numb}2}}}{1}
|
||||||
|
{3}{{{\color{numb}3}}}{1}
|
||||||
|
{4}{{{\color{numb}4}}}{1}
|
||||||
|
{5}{{{\color{numb}5}}}{1}
|
||||||
|
{6}{{{\color{numb}6}}}{1}
|
||||||
|
{7}{{{\color{numb}7}}}{1}
|
||||||
|
{8}{{{\color{numb}8}}}{1}
|
||||||
|
{9}{{{\color{numb}9}}}{1}
|
||||||
|
{:}{{{\color{punct}{:}}}}{1}
|
||||||
|
{,}{{{\color{punct}{,}}}}{1}
|
||||||
|
{\{}{{{\color{delim}{\{}}}}{1}
|
||||||
|
{\}}{{{\color{delim}{\}}}}}{1}
|
||||||
|
{[}{{{\color{delim}{[}}}}{1}
|
||||||
|
{]}{{{\color{delim}{]}}}}{1},
|
||||||
|
}
|
||||||
|
|
||||||
|
\begin{frame}[fragile]
|
||||||
|
\frametitle{Object Template skeleton}
|
||||||
|
\begin{lstlisting}[language=json,firstnumber=1]
|
||||||
|
{
|
||||||
|
"requiredOneOf": [],
|
||||||
|
"required": [],
|
||||||
|
"attributes": {},
|
||||||
|
"version": 1,
|
||||||
|
"description": "My description",
|
||||||
|
"meta-category": "Chosen meta category",
|
||||||
|
"uuid": "Object template uuid",
|
||||||
|
"name": "Object template name"
|
||||||
|
}
|
||||||
|
\end{lstlisting}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}[fragile]
|
||||||
|
\frametitle{Adding elements to an object template}
|
||||||
|
\begin{lstlisting}[language=json,firstnumber=1]
|
||||||
|
"regexp-type": {
|
||||||
|
"description": "Type of the regular expression syntax.",
|
||||||
|
"disable_correlation": true,
|
||||||
|
"ui-priority": 0,
|
||||||
|
"misp-attribute": "text",
|
||||||
|
"values_list": [
|
||||||
|
"PCRE",
|
||||||
|
"PCRE2",
|
||||||
|
"POSIX BRE",
|
||||||
|
"POSIX ERE"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
\end{lstlisting}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Attribute keys}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Primary key: Object relation
|
||||||
|
\item description: A description of the attribute in relation to the object
|
||||||
|
\item disable\_correlation: You can disable correlations for attributes in the resulting object
|
||||||
|
\item ui-priority: Not implemented yet, but the idea is to have a "quick view" of objects only showing certain prio levels
|
||||||
|
\item misp-attribute: The misp attribute type used as as the building block
|
||||||
|
\item values\_list: an optional list of values from which the user {\bf must} choose instead of entering a value manually
|
||||||
|
\item sane\_defaults: an optional list of values from which the user {\bf may} choose instead of entering a value
|
||||||
|
\item multiple: Allow the user to add {\bf more} than one of this attribute
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Enforcement of certain keys}
|
||||||
|
\begin{itemize}
|
||||||
|
\item The template also defines which of the added attributes are mandatory
|
||||||
|
\item Requirements are pointed to via their {\bf object relations names}
|
||||||
|
\item We differentiate between two types of rule sets:
|
||||||
|
\begin{itemize}
|
||||||
|
\item Required: Everything in this list has to be set in order for the object to validate
|
||||||
|
\item Required One Of: Any of the attributes in this list will satisfy the requirements
|
||||||
|
\end{itemize}
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{What will the the template actually do?}
|
||||||
|
\begin{itemize}
|
||||||
|
\item Templates create a form that can be used to populate an event
|
||||||
|
\item When using templates, MISP will enforce everything according to the template rules
|
||||||
|
\item However, these are only optional, users can avoid using the templates when creating events via the API
|
||||||
|
\item The reason for this is that you do not need to have the template in order to create an object
|
||||||
|
\item The limitation of this system: You {\bf cannot modify} objects that were created with unknown templates
|
||||||
|
\end{itemize}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Templates as rendered in the UI}
|
||||||
|
\includegraphics[scale=0.4]{template.png}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}
|
||||||
|
\frametitle{Templates as rendered in the UI}
|
||||||
|
\includegraphics[scale=0.21]{object.png}
|
||||||
|
\end{frame}
|
||||||
|
|
||||||
|
\begin{frame}[t,fragile] {Q\&A}
|
||||||
|
\includegraphics[scale=0.5]{misplogo.pdf}
|
||||||
|
\begin{itemize}
|
||||||
|
\item \url{https://github.com/MISP/MISP}
|
||||||
|
\item \url{https://github.com/MISP/misp-objects}
|
||||||
|
\item info@circl.lu (if you want to join one of the MISP community operated by CIRCL)
|
||||||
|
\item PGP key fingerprint: CA57 2205 C002 4E06 BA70 BE89 EAAD CFFC 22BD 4CD5
|
||||||
|
\end{itemize}
|
||||||
|
|
||||||
|
\end{frame}
|
||||||
|
|
After Width: | Height: | Size: 31 KiB |
After Width: | Height: | Size: 85 KiB |
|
@ -0,0 +1,28 @@
|
||||||
|
\documentclass{beamer}
|
||||||
|
\usetheme[numbering=progressbar]{focus}
|
||||||
|
\definecolor{main}{RGB}{47, 161, 219}
|
||||||
|
\definecolor{textcolor}{RGB}{128, 128, 128}
|
||||||
|
\definecolor{background}{RGB}{240, 247, 255}
|
||||||
|
|
||||||
|
|
||||||
|
\usepackage[utf8]{inputenc}
|
||||||
|
\usepackage{tikz}
|
||||||
|
\usepackage{listings}
|
||||||
|
\usetikzlibrary{positioning}
|
||||||
|
\usetikzlibrary{shapes,arrows}
|
||||||
|
%\usepackage[T1]{fontenc}
|
||||||
|
%\usepackage[scaled]{beramono}
|
||||||
|
|
||||||
|
\author{\small{\input{../includes/authors.txt}}}
|
||||||
|
|
||||||
|
\title{MISP Object Template}
|
||||||
|
\subtitle{Building custom and open data models}
|
||||||
|
\institute{\href{http://www.misp-project.org/}{http://www.misp-project.org/} \\ Twitter: \emph{\href{https://twitter.com/mispproject}{@MISPProject}}}
|
||||||
|
\date{\input{../includes/location.txt}}
|
||||||
|
\titlegraphic{\includegraphics[scale=0.85]{misp.pdf}}
|
||||||
|
|
||||||
|
|
||||||
|
\begin{document}
|
||||||
|
\include{content}
|
||||||
|
\end{document}
|
||||||
|
|
After Width: | Height: | Size: 337 KiB |
After Width: | Height: | Size: 102 KiB |
After Width: | Height: | Size: 41 KiB |
After Width: | Height: | Size: 57 KiB |
After Width: | Height: | Size: 35 KiB |
After Width: | Height: | Size: 93 KiB |
2
build.sh
|
@ -1,7 +1,7 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
#
|
#
|
||||||
|
|
||||||
slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy")
|
slidedecks=("0-misp-introduction-to-information-sharing" "1-misp-usage" "1.1-misp-viper-integration" "1.2.1-misp-integration-mail2misp" "2-misp-administration" "3-misp-taxonomy-tagging" "3.1-misp-modules" "3.2-misp-galaxy" "3.3-misp-object-template")
|
||||||
mkdir output
|
mkdir output
|
||||||
export TEXINPUTS=::`pwd`/themes/
|
export TEXINPUTS=::`pwd`/themes/
|
||||||
echo ${TEXINPUTS}
|
echo ${TEXINPUTS}
|
||||||
|
|