[IntelMQ-dev] Feedback on IEP04 exchange data format between IntelMQ instances

Sebastian Wagner wagner at cert.at
Thu Apr 22 17:53:21 CEST 2021


Hi,

On 4/22/21 4:56 PM, Bernhard Reiter wrote:
> == which events are equal?
>
> As this is about an exchange format between IntelMQ instances,
> someone could define how a hash about the event data is calculated easily (as 
> it is the identical code everywhere). This is the same as defining what 
> equality means.
>
> This way no "universally unique identifier" needs to be invented or 
> transferred. Thereby avoiding the danger that the same event gets several 
> fresh random ids, because of race conditions. (Example: two IntelMQ instances 
> have the same feed and both receive the same event before having talked about 
> it.)

I'm afraid that this may be hard to achieve, but it would definitely be
an advantage. What we agreed on is that having a static identifier (not
changing with the content) solves the use-case to represent inter-event
relations (links, also instead of IEP003).

IMO the development of such a hash is worth the effort, but as part of a
separate IEP.

> (If you actually end up using a hash, don't call it UUID. :) )
Of course :)
> BTW: The concept of hierarchy (like the hash trees in SCMs) is not entirely 
> clear to me. Is this about one instance stating that it has seen this part
> of meta data from the other instance?
For this part, participants of the hackathon presented several use-cases
and ideas, so I leave the floor to them to explain them with examples.
This is also the part which needs more discussion/specification now.
> == Do instances trust each other fully?
>
> Shouldn't a concept about event exchange include a consideration of trust of 
> the instances? While I believe there are very good relations between many CERT 
> organisations, the trust of instances they or others may run is not endless. 
> (Example: An IntelMQ server gets compromised, e.g. by a previously unknown 
> hardware defect and the attackers want to obstruct the network. They enter bad 
> metadata and may want to achieve that some CERTs do not get some events. Okay, 
> far-fetched.)
>
> In my imagination it makes sense that each instance will have their own set
> of sources and this may have a different piece of info than the others (like a 
> restricted national feed) and may only like to share a part of this info.

Sure. It's always up to the administrator to define what will be
collected and what will be shared with whom. IEP004 is *not* about sharing
data (un-)conditionally, it does not even define a transmission
layer/protocol. IEP004 is only one (small) part to make cross-instance
data sharing easier. The thoughts about trust are good, but I'd like to
not solve that problem in that IEP but rather keep the focus on the
meta-information.

You're like a never-ending spring of good ideas :)

kind regards
Sebastian

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Commercial register number 172568b, LG Salzburg
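As an added illustration of the content-hash idea discussed in the thread (this is example code, not code from the thread or from IntelMQ itself): equality is defined by a canonical serialisation of the identity-relevant fields, so two instances that receive the same event independently derive the same id without exchanging one, whereas fresh random ids diverge. The set of excluded volatile fields and the sample field values are assumptions made for the example.

```python
import hashlib
import json
import uuid

# Fields that legitimately differ between instances for the "same" event and are
# therefore left out of the equality definition. This list is an assumption for
# the example; a real IEP would have to specify it exactly, since it *is* the
# definition of equality.
VOLATILE_FIELDS = frozenset({"time.observation", "feed.name", "feed.url", "raw"})


def canonical_event_bytes(event: dict) -> bytes:
    """Serialise the identity-relevant fields of an IntelMQ-style event in a
    canonical form: sorted keys, no insignificant whitespace, UTF-8, no NaN."""
    stable = {k: v for k, v in event.items() if k not in VOLATILE_FIELDS}
    return json.dumps(stable, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False, allow_nan=False).encode("utf-8")


def content_id(event: dict) -> str:
    """Deterministic id: equal events yield the same id on every instance."""
    return hashlib.sha256(canonical_event_bytes(event)).hexdigest()


def events_equal(a: dict, b: dict) -> bool:
    """Equality as defined by the hash, exactly as the thread proposes."""
    return content_id(a) == content_id(b)


def random_id(event: dict) -> str:
    """The alternative the thread warns about: a fresh random id per instance,
    which makes the same event look like two different ones."""
    return str(uuid.uuid4())


# Constructed sample: one sighting received by two instances from the same feed,
# differing only in local observation time and feed label.
EVENT_INSTANCE_A = {
    "source.ip": "192.0.2.10",
    "classification.type": "infected-system",
    "malware.name": "example-family",
    "time.source": "2021-04-22T14:30:00+00:00",
    "time.observation": "2021-04-22T14:56:01+00:00",
    "feed.name": "Instance A feed",
}
EVENT_INSTANCE_B = dict(EVENT_INSTANCE_A, **{
    "time.observation": "2021-04-22T14:56:03+00:00",
    "feed.name": "Instance B feed",
})

if __name__ == "__main__":
    print(events_equal(EVENT_INSTANCE_A, EVENT_INSTANCE_B))              # True
    print(random_id(EVENT_INSTANCE_A) == random_id(EVENT_INSTANCE_B))   # False
```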



