[Intelmq-dev] nested message representation

Sebastian Wagner wagner at cert.at
Fri Sep 9 12:55:17 CEST 2016


Hi,

IntelMQ uses dictionaries to represent messages (in python, json etc.).
We use a flat and unnested structure, which is one of the first design
goals made in the very beginning of IntelMQ AFAIK.
E.g. we have field names like "source.ip"

But there's also another possible representation, which is implemented
in IntelMQ: nested structures. E.g.:
flat:   {"classification.type": "unknown", "source.asn": 456, "source.ip": "127.0.0.1"}
nested: {"classification": {"type": "unknown"}, "source": {"ip": "127.0.0.1", "asn": 456}}

The first is used everywhere except:
The message's to_json and to_dict methods, which use the nested format by
default. These methods are used in these output bots: file, xmpp,
restapi, mongodb, intelmqmailer

I think that this is a wrong default. The default should be something
which can be directly interpreted by IntelMQ: the flat structure.

Proposal: make flat default and nested optional (for the function and
the bots)

Sebastian

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 50564167201 
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
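A round trip between the two representations discussed in the mail, as an added example in Python; this is not IntelMQ's own to_dict/to_json implementation. The two sample dicts are the ones from the mail, while the `nested=False` keyword and the rejection of ambiguous keys (a key that is both a leaf and a prefix) are assumptions made for this example.

```python
import json

# Sample messages copied from the mail, in both representations.
FLAT = {"classification.type": "unknown", "source.asn": 456, "source.ip": "127.0.0.1"}
NESTED = {"classification": {"type": "unknown"}, "source": {"ip": "127.0.0.1", "asn": 456}}


def nest(flat):
    """Turn dotted keys into nested dicts.

    A key that is both a leaf and a prefix (e.g. "source" and "source.ip")
    is rejected rather than silently overwritten (assumption of this example).
    """
    nested = {}
    for key, value in flat.items():
        parts = key.split(".")
        node = nested
        for part in parts[:-1]:
            child = node.setdefault(part, {})
            if not isinstance(child, dict):
                raise ValueError("key %r conflicts with a scalar at %r" % (key, part))
            node = child
        if isinstance(node.get(parts[-1]), dict):
            raise ValueError("key %r conflicts with nested keys below it" % key)
        node[parts[-1]] = value
    return nested


def flatten(nested, prefix=""):
    """Inverse of nest(): join the path with dots, leaving leaf values untouched."""
    flat = {}
    for key, value in nested.items():
        full = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, full + "."))
        else:
            flat[full] = value
    return flat


def to_json(flat, nested=False):
    """Serialise a flat message; nested output is opt-in, as the mail proposes."""
    return json.dumps(nest(flat) if nested else flat, sort_keys=True)


if __name__ == "__main__":
    print(to_json(FLAT))
    print(to_json(FLAT, nested=True))
```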



