< draft-dulaunoy-misp-object-template-format-02.txt   draft-dulaunoy-misp-object-template-format-03.txt >
Network Working Group A. Dulaunoy Network Working Group A. Dulaunoy
Internet-Draft A. Iklody Internet-Draft A. Iklody
Intended status: Informational CIRCL Intended status: Informational CIRCL
Expires: April 18, 2019 October 15, 2018 Expires: December 25, 2019 June 23, 2019
MISP object template format MISP object template format
draft-dulaunoy-misp-object-template-format-02 draft-dulaunoy-misp-object-template-format-03
Abstract Abstract
This document describes the MISP object template format which This document describes the MISP object template format which
describes a simple JSON format to represent the various templates describes a simple JSON format to represent the various templates
used to construct MISP objects. A public directory of common used to construct MISP objects. A public directory of common
vocabularies MISP object templates [MISP-O] is available and relies vocabularies MISP object templates [MISP-O] is available and relies
on the MISP object reference format. on the MISP object reference format.
Status of This Memo Status of This Memo
skipping to change at page 1, line 34 skipping to change at page 1, line 34
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 18, 2019. This Internet-Draft will expire on December 25, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 16 skipping to change at page 2, line 16
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2
2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1. Object Template . . . . . . . . . . . . . . . . . . . 3 2.1.1. Object Template . . . . . . . . . . . . . . . . . . . 3
2.1.2. attributes . . . . . . . . . . . . . . . . . . . . . 4 2.1.2. attributes . . . . . . . . . . . . . . . . . . . . . 4
2.1.3. Sample Object Template object . . . . . . . . . . . . 6 2.1.3. Sample Object Template object . . . . . . . . . . . . 6
2.1.4. Object Relationships . . . . . . . . . . . . . . . . 9 2.1.4. Object Relationships . . . . . . . . . . . . . . . . 9
3. Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 10 3. Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 10
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 10 3.1. Existing and public MISP object templates . . . . . . . . 10
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 10 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18
5.1. Normative References . . . . . . . . . . . . . . . . . . 10 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
5.2. Informative References . . . . . . . . . . . . . . . . . 10 5.1. Normative References . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 5.2. Informative References . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19
1. Introduction 1. Introduction
Due to the increased maturity of threat information sharing, the need Due to the increased maturity of threat information sharing, the need
arose for more complex and exhaustive data-points to be shared across arose for more complex and exhaustive data-points to be shared across
the various sharing communities. MISP's information sharing in the various sharing communities. MISP's information sharing in
general relied on a flat structure of attributes contained within an general relied on a flat structure of attributes contained within an
event, where attributes served as atomic secluded data-points with event, where attributes served as atomic secluded data-points with
some commonalities as defined by the encapsulating event. However, some commonalities as defined by the encapsulating event. However,
this flat structure restricted the use of more diverse and complex this flat structure restricted the use of more diverse and complex
skipping to change at page 10, line 21 skipping to change at page 10, line 21
3. Directory 3. Directory
The MISP object template directory is publicly available [MISP-O] in The MISP object template directory is publicly available [MISP-O] in
a git repository. The repository contains an objects directory, a git repository. The repository contains an objects directory,
which contains a directory per object type, containing a file named which contains a directory per object type, containing a file named
definition.json which contains the definition of the object template definition.json which contains the definition of the object template
in the above described format. in the above described format.
A relationships directory is also included, containing a A relationships directory is also included, containing a
definition.json file which contains a list of MISP object relation definition.json file which contains a list of MISP object relation
definitions. There are more than 90 existing templates object definitions. There are more than 125 existing templates object
documented in [MISP-O-DOC]. documented in [MISP-O-DOC].
3.1. Existing and public MISP object templates
o tsk-chats - An Object Template to gather information from
evidential or interesting exchange of messages identified during a
digital forensic investigation.
o tsk-web-bookmark - An Object Template to add evidential bookmarks
identified during a digital forensic investigation.
o tsk-web-cookie - An TSK-Autopsy Object Template to represent
cookies identified during a forensic investigation.
o tsk-web-downloads - An Object Template to add web-downloads.
o tsk-web-history - An Object Template to share web history
information.
o tsk-web-search-query - An Object Template to share web search
query information.
o ail-leak - An information leak as defined by the AIL Analysis
Information Leak framework.
o ais-info - Automated Indicator Sharing (AIS) Information Source
Markings.
o android-permission - A set of android permissions - one or more
permission(s) which can be linked to other objects (e.g. malware,
app).
o annotation - An annotation object allowing analysts to add
annotations, comments, executive summary to a MISP event, objects
or attributes.
o anonymisation - Anonymisation object describing an anonymisation
technique used to encode MISP attribute values. Reference:
<https://www.caida.org/tools/taxonomy/anonymization.xml>.
o asn - Autonomous system object describing an autonomous system
which can include one or more network operators management an
entity (e.g. ISP) along with their routing policy, routing
prefixes or alike.
o authenticode-signerinfo - Authenticode Signer Info.
o av-signature - Antivirus detection signature.
o bank-account - An object describing bank account information based
on account description from goAML 4.0.
o bgp-hijack - Object encapsulating BGP Hijack description as
specified, for example, by bgpstream.com.
o cap-alert - Common Alerting Protocol Version (CAP) alert object.
o cap-info - Common Alerting Protocol Version (CAP) info object.
o cap-resource - Common Alerting Protocol Version (CAP) resource
object.
o coin-address - An address used in a cryptocurrency.
o cookie - An HTTP cookie (web cookie, browser cookie) is a small
piece of data that a server sends to the user's web browser. The
browser may store it and send it back with the next request to the
same server. Typically, it's used to tell if two requests came
from the same browser -- keeping a user logged-in, for example.
It remembers stateful information for the stateless HTTP protocol.
(as defined by the Mozilla foundation.
o cortex - Cortex object describing a complete cortex analysis.
Observables would be attribute with a relationship from this
object.
o cortex-taxonomy - Cortex object describing an Cortex Taxonomy (or
mini report).
o course-of-action - An object describing a specific measure taken
to prevent or respond to an attack.
o cowrie - Cowrie honeypot object template.
o credential - Credential describes one or more credential(s)
including password(s), api key(s) or decryption key(s).
o credit-card - A payment card like credit card, debit card or any
similar cards which can be used for financial transactions.
o ddos - DDoS object describes a current DDoS activity from a
specific or/and to a specific target. Type of DDoS can be
attached to the object as a taxonomy.
o device - An object to define a device.
o diameter-attack - Attack as seen on diameter authentication
against a GSM, UMTS or LTE network.
o domain-ip - A domain and IP address seen as a tuple in a specific
time frame.
o elf - Object describing a Executable and Linkable Format.
o elf-section - Object describing a section of an Executable and
Linkable Format.
o email - Email object describing an email with meta-information.
o exploit-poc - Exploit-poc object describing a proof of concept or
exploit of a vulnerability. This object has often a relationship
with a vulnerability object.
o facial-composite - An object which describes a facial composite.
o fail2ban - Fail2ban event.
o file - File object describing a file with meta-information.
o forensic-case - An object template to describe a digital forensic
case.
o forensic-evidence - An object template to describe a digital
forensic evidence.
o geolocation - An object to describe a geographic location.
o gtp-attack - GTP attack object as seen on a GSM, UMTS or LTE
network.
o http-request - A single HTTP request header.
o ilr-impact - Institut Luxembourgeois de Regulation - Impact.
o ilr-notification-incident - Institut Luxembourgeois de Regulation
- Notification d'incident.
o internal-reference - Internal reference.
o interpol-notice - An object which describes a Interpol notice.
o ip-api-address - IP Address information. Useful if you are
pulling your ip information from ip-api.com.
o ip-port - An IP address (or domain or hostname) and a port seen as
a tuple (or as a triple) in a specific time frame.
o irc - An IRC object to describe an IRC server and the associated
channels.
o ja3 - JA3 is a new technique for creating SSL client fingerprints
that are easy to produce and can be easily shared for threat
intelligence. Fingerprints are composed of Client Hello packet;
SSL Version, Accepted Ciphers, List of Extensions, Elliptic
Curves, and Elliptic Curve Formats.
<https://github.com/salesforce/ja3>.
o legal-entity - An object to describe a legal entity.
o lnk - LNK object describing a Windows LNK binary file (aka Windows
shortcut).
o macho - Object describing a file in Mach-O format.
o macho-section - Object describing a section of a file in Mach-O
format.
o mactime-timeline-analysis - Mactime template, used in forensic
investigations to describe the timeline of a file activity.
o malware-config - Malware configuration recovered or extracted from
a malicious binary.
o microblog - Microblog post like a Twitter tweet or a post on a
Facebook wall.
o mutex - Object to describe mutual exclusion locks (mutex) as seen
in memory or computer program.
o netflow - Netflow object describes an network object based on the
Netflowv5/v9 minimal definition.
o network-connection - A local or remote network connection.
o network-socket - Network socket object describes a local or remote
network connections based on the socket data structure.
o misc - An object which describes an organization.
o original-imported-file - Object describing the original file used
to import data in MISP.
o passive-dns - Passive DNS records as expressed in draft-dulaunoy-
dnsop-passive-dns-cof-01.
o paste - Paste or similar post from a website allowing to share
privately or publicly posts.
o pcap-metadata - Network packet capture metadata.
o pe - Object describing a Portable Executable.
o pe-section - Object describing a section of a Portable Executable.
o person - An object which describes a person or an identity.
o phishing - Phishing template to describe a phishing website and
its analysis.
o phishing-kit - Object to describe a phishing-kit.
o phone - A phone or mobile phone object which describe a phone.
o process - Object describing a system process.
o python-etvx-event-log - Event log object template to share
information of the activities conducted on a system. .
o r2graphity - Indicators extracted from files using radare2 and
graphml.
o regexp - An object describing a regular expression (regex or
regexp). The object can be linked via a relationship to other
attributes or objects to describe how it can be represented as a
regular expression.
o registry-key - Registry key object describing a Windows registry
key with value and last-modified timestamp.
o regripper-NTUser - Regripper Object template designed to present
user specific configuration details extracted from the NTUSER.dat
hive.
o regripper-sam-hive-single-user - Regripper Object template
designed to present user profile details extracted from the SAM
hive.
o regripper-sam-hive-user-group - Regripper Object template designed
to present group profile details extracted from the SAM hive.
o regripper-software-hive-BHO - Regripper Object template designed
to gather information of the browser helper objects installed on
the system.
o regripper-software-hive-appInit-DLLS - Regripper Object template
designed to gather information of the DLL files installed on the
system.
o regripper-software-hive-application-paths - Regripper Object
template designed to gather information of the application paths.
o regripper-software-hive-applications-installed - Regripper Object
template designed to gather information of the applications
installed on the system.
o regripper-software-hive-command-shell - Regripper Object template
designed to gather information of the shell commands executed on
the system.
o regripper-software-hive-windows-general-info - Regripper Object
template designed to gather general windows information extracted
from the software-hive.
o regripper-software-hive-software-run - Regripper Object template
designed to gather information of the applications set to run on
the system.
o regripper-software-hive-userprofile-winlogon - Regripper Object
template designed to gather user profile information when the user
logs onto the system, gathered from the software hive.
o regripper-system-hive-firewall-configuration - Regripper Object
template designed to present firewall configuration information
extracted from the system-hive.
o regripper-system-hive-general-configuration - Regripper Object
template designed to present general system properties extracted
from the system-hive.
o regripper-system-hive-network-information. - Regripper object
template designed to gather network information from the system-
hive.
o regripper-system-hive-services-drivers - Regripper Object template
designed to gather information regarding the services/drivers from
the system-hive.
o report - Metadata used to generate an executive level report.
o research-scanner - Information related to known scanning activity
(e.g. from research projects).
o rogue-dns - Rogue DNS as defined by CERT.br.
o rtir - RTIR - Request Tracker for Incident Response.
o sandbox-report - Sandbox report.
o sb-signature - Sandbox detection signature.
o script - Object describing a computer program written to be run in
a special run-time environment. The script or shell script can be
used for malicious activities but also as support tools for threat
analysts.
o shell-commands - Object describing a series of shell commands
executed. This object can be linked with malicious files in order
to describe a specific execution of shell commands.
o short-message-service - Short Message Service (SMS) object
template describing one or more SMS message. Restriction of the
initial format 3GPP 23.038 GSM character set doesn't apply.
o shortened-link - Shortened link and its redirect target.
o splunk - Splunk / Splunk ES object.
o ss7-attack - SS7 object of an attack seen on a GSM, UMTS or LTE
network via SS7 logging.
o ssh-authorized-keys - An object to store ssh authorized keys file.
o stix2-pattern - An object describing a STIX pattern. The object
can be linked via a relationship to other attributes or objects to
describe how it can be represented as a STIX pattern.
o suricata - An object describing one or more Suricata rule(s) along
with version and contextual information.
o target-system - Description about an targeted system, this could
potentially be a compromissed internal system.
o threatgrid-report - ThreatGrid report.
o timecode - Timecode object to describe a start of video sequence
(e.g. CCTV evidence) and the end of the video sequence.
o timesketch-timeline - A timesketch timeline object based on
mandatory field in timesketch to describe a log entry.
o timesketch_message - A timesketch message entry.
o timestamp - A generic timestamp object to represent time including
first time and last time seen. Relationship will then define the
kind of time relationship.
o tor-hiddenservice - Tor hidden service (onion service) object.
o tor-node - Tor node (which protects your privacy on the internet
by hiding the connection between users Internet address and the
services used by the users) description which are part of the Tor
network at a time.
o tracking-id - Analytics and tracking ID such as used in Google
Analytics or other analytic platform.
o transaction - An object to describe a financial transaction.
o url - url object describes an url along with its normalized field
(like extracted using faup parsing library) and its metadata.
o vehicle - Vehicle object template to describe a vehicle
information and registration.
o victim - Victim object describes the target of an attack or abuse.
o virustotal-report - VirusTotal report.
o vulnerability - Vulnerability object describing a common
vulnerability enumeration which can describe published,
unpublished, under review or embargo vulnerability for software,
equipments or hardware.
o whois - Whois records information for a domain name or an IP
address.
o x509 - x509 object describing a X.509 certificate.
o yabin - yabin.py generates Yara rules from function prologs, for
matching and hunting binaries. ref: <https://github.com/
AlienVault-OTX/yabin>.
o yara - An object describing a YARA rule along with its version.
4. Acknowledgements 4. Acknowledgements
The authors wish to thank all the MISP community who are supporting The authors wish to thank all the MISP community who are supporting
the creation of open standards in threat intelligence sharing. the creation of open standards in threat intelligence sharing.
5. References 5. References
5.1. Normative References 5.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
 End of changes. 7 change blocks. 
10 lines changed or deleted 393 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/