[IntelMQ-dev] Feedback on IEP04 exchange data format between IntelMQ instances

Bernhard Reiter bernhard at intevation.de
Thu Apr 22 16:56:47 CEST 2021


Hi,

thoughts about
  https://github.com/certtools/ieps/tree/main/004

== which events are equal?

As this is about an exchange format between IntelMQ instances,
someone could easily define how a hash of the event data is calculated (as
it is the identical code everywhere). This is the same as defining what
equality means.

This way no "universally unique identifier" needs to be invented or
transferred, thereby avoiding the danger that the same event gets several
fresh random IDs because of race conditions. (Example: two IntelMQ instances
have the same feed and both receive the same event before having talked about
it.)

(If you actually end up using a hash, don't call it UUID. :) )
BTW: The concept of hierarchy (like the hash trees in SCMs) is not entirely
clear to me. Is this about one instance stating that it has seen this part
of metadata from the other instance?


== Do instances trust each other fully?

Shouldn't a concept about event exchange include a consideration of the trust
between the instances? While I believe there are very good relations between
many CERT organisations, the trust in instances that they or others may run is
not endless. (Example: An IntelMQ server gets compromised, e.g. by a previously
unknown hardware defect, and the attackers want to obstruct the network. They
enter bad metadata and may want to achieve that some CERTs do not get some
events. Okay, far fetched.)

In my imagination it makes sense that each instance will have its own set
of sources, and these may hold different pieces of info than the others' (like a
restricted national feed), and an instance may only want to share a part of this info.

Regards,
Bernhard
ps.: Thanks for putting the IEPs up with markdown rendering, it reads much
better. :)

-- 
www.intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
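The content-derived event identity proposed above, worked through as an added example (not IntelMQ project code and not part of the original mail). It assumes events are flat JSON objects with IntelMQ's dotted field names and that fields stamped by the receiving instance (time.observation and the feed.* fields) are not part of the exchanged "event data"; which fields to exclude is a decision the IEP would have to fix, the exclusion set here is an assumption for illustration. The two "instance views" are constructed sample data showing the race Bernhard describes: both instances see the same feed line, random UUIDs diverge, the content hash does not.

```python
"""Content-derived identity for IntelMQ-style events (added example).

Equality is *defined* as "same canonical bytes" and the hash is just a
compact name for that equivalence class. Both instances run this identical
code, so they derive the same identifier independently without coordination.
"""
import hashlib
import json
import uuid

# Assumed set of instance-local fields: set by the receiving collector, not
# by the event's origin, so they must not influence identity. A real IEP
# would have to specify this list normatively.
INSTANCE_LOCAL_FIELDS = frozenset({"time.observation"})
INSTANCE_LOCAL_PREFIXES = ("feed.",)


def canonical_bytes(event: dict) -> bytes:
    """Deterministic serialization: drop instance-local fields, sort keys,
    no insignificant whitespace, UTF-8 without ASCII escaping."""
    payload = {
        key: value
        for key, value in event.items()
        if key not in INSTANCE_LOCAL_FIELDS
        and not key.startswith(INSTANCE_LOCAL_PREFIXES)
    }
    return json.dumps(
        payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def event_hash(event: dict) -> str:
    """Hex SHA-256 over the canonical form. Deliberately not called a UUID:
    it is a content hash, the same input always yields the same value."""
    return hashlib.sha256(canonical_bytes(event)).hexdigest()


def events_equal(a: dict, b: dict) -> bool:
    return event_hash(a) == event_hash(b)


class SeenEvents:
    """Minimal dedup store keyed by content hash. `add` returns True when the
    event is new to this instance, False when an equal event was seen before
    (e.g. received from a partner instance as well as from the shared feed)."""

    def __init__(self) -> None:
        self._seen: set[str] = set()

    def add(self, event: dict) -> bool:
        h = event_hash(event)
        if h in self._seen:
            return False
        self._seen.add(h)
        return True


# Constructed sample data: one feed line as observed by two instances.
# Observation time and locally configured feed name differ; key order differs.
INSTANCE_A_VIEW = {
    "source.ip": "198.51.100.7",
    "source.port": 23,
    "classification.type": "scanner",
    "time.source": "2021-04-22T10:00:00+00:00",
    "time.observation": "2021-04-22T10:05:01+00:00",
    "feed.name": "Shadowserver Scan (instance A)",
}
INSTANCE_B_VIEW = {
    "feed.name": "shadowserver-scan",
    "time.observation": "2021-04-22T10:06:44+00:00",
    "time.source": "2021-04-22T10:00:00+00:00",
    "classification.type": "scanner",
    "source.port": 23,
    "source.ip": "198.51.100.7",
}
# Same feed, different host: must NOT collapse into the above.
OTHER_EVENT = dict(INSTANCE_A_VIEW, **{"source.ip": "198.51.100.8"})


def race_demo() -> dict:
    """Each instance stamps a fresh uuid4 before talking to the other
    (the race in the mail) versus deriving the id from content."""
    return {
        "uuid_ids_agree": uuid.uuid4() == uuid.uuid4(),
        "hash_ids_agree": events_equal(INSTANCE_A_VIEW, INSTANCE_B_VIEW),
        "distinct_event_kept_distinct": not events_equal(INSTANCE_A_VIEW, OTHER_EVENT),
    }


if __name__ == "__main__":
    print(json.dumps(race_demo(), indent=2))
    store = SeenEvents()
    print(store.add(INSTANCE_A_VIEW), store.add(INSTANCE_B_VIEW))  # new, then duplicate
```

The choice of canonical form is the whole definition of "equal", so everything that feeds it must already be normalized on both sides (IP text form, timezone of time.source, Unicode normalization of free-text fields); a hash over un-normalized values silently splits one event into several. If the hash is ever used across a trust boundary, a plain content hash only proves "same bytes", not "from whom": authenticity of the exchanged metadata is a separate question and needs a signature or MAC keyed per partner instance.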