Hi,
On 4/22/21 4:56 PM, Bernhard Reiter wrote:
> == which events are equal?
> As this is about an exchange format between IntelMQ instances, someone could easily define how a hash of the event data is calculated (as it is the identical code everywhere). This is the same as defining what equality means.
> This way no "universally unique identifier" needs to be invented or transferred, thereby avoiding the danger that the same event gets several fresh random IDs because of race conditions. (Example: two IntelMQ instances have the same feed and both receive the same event before having talked about it.)
I'm afraid that this may be hard to achieve, but it would definitely be an advantage. What we agreed on is that having a static identifier (not changing with the content) solves the use-case of representing inter-event relations (links, also instead of IEP003).
IMO the development of such a hash is worth the effort, but as part of a separate IEP.
> (If you actually end up using a hash, don't call it UUID. :) )
Of course :)
> BTW: The concept of hierarchy (like the hash trees in SCMs) is not entirely clear to me. Is this about one instance stating that it has seen this part of metadata from the other instance?
For this part, participants of the hackathon presented several use-cases and ideas, so I leave the floor to them to explain them with examples. This is also the part which needs more discussion/specification now.
> == Do instances trust each other fully?
> Shouldn't a concept about event exchange include a consideration of trust of the instances? While I believe there are very good relations between many CERT organisations, the trust in instances they or others may run is not endless. (Example: an IntelMQ server gets compromised, e.g. by a previously unknown hardware defect, and the attackers want to obstruct the network. They enter bad metadata and may want to achieve that some CERTs do not get some events. Okay, far-fetched.)
> In my imagination it makes sense that each instance will have its own set of sources, which may contain different pieces of info than the others (like a restricted national feed), and it may only like to share a part of this info.
Sure. It's always up to the administrator to define what will be collected and what will be shared with whom. IEP004 is *not* about sharing data (un-)conditionally; it does not even define a transmission layer/protocol. IEP004 is only one (small) part of making cross-instance data sharing easier. The thoughts about trust are good, but I'd rather not solve that problem in this IEP and instead keep the focus on the meta-information.
You're like a never-ending spring of good ideas :)
Kind regards,
Sebastian
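Worked example of the content-hash idea Bernhard sketches above (equal events get the same identifier on every instance without any coordination, so two instances ingesting the same feed concurrently cannot produce two different fresh IDs). This is an added illustration, not code from the thread and not IntelMQ's own code: the dotted field names merely imitate IntelMQ's harmonisation style, the sample events are constructed, and the choice of which fields are excluded from the identity is an assumption made here for the example.

```python
"""Content-derived event identity: "defining what equality means" via a hash.

Added example, not IntelMQ code. The dotted field names imitate the IntelMQ
harmonisation style; which fields count towards identity and which are
excluded is an assumption made here for illustration.
"""
import hashlib
import json

# Assumption: per-instance bookkeeping that two instances receiving the same
# report will legitimately disagree on, so it must not influence the identity.
IDENTITY_EXCLUDED_FIELDS = frozenset({"time.observation", "feed.url"})


def canonical_bytes(event: dict) -> bytes:
    """Deterministic serialisation of the identity-relevant part of an event.

    sort_keys=True removes any dependence on insertion order, fixed
    separators remove whitespace variation, and ensure_ascii=False keeps the
    UTF-8 bytes of non-ASCII values instead of \\uXXXX escapes, so every
    instance running this same code produces byte-identical output for
    equal events.
    """
    identity = {k: v for k, v in event.items()
                if k not in IDENTITY_EXCLUDED_FIELDS}
    return json.dumps(identity, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def event_digest(event: dict) -> str:
    """Hex SHA-256 of the canonical bytes.

    This is a content hash, not a UUID: equal events always map to the same
    value, and changing any identity field changes it. No instance has to
    talk to another one before assigning it.
    """
    return hashlib.sha256(canonical_bytes(event)).hexdigest()


def same_event(a: dict, b: dict) -> bool:
    """Equality as defined by the hash, i.e. all identity fields agree."""
    return event_digest(a) == event_digest(b)


# Constructed sample data: one feed entry as seen by two different instances.
# Key order and observation time differ; the observed event does not.
EVENT_INSTANCE_A = {
    "classification.type": "c2-server",
    "source.ip": "192.0.2.10",
    "source.port": 443,
    "time.source": "2021-04-22T14:56:00+00:00",
    "time.observation": "2021-04-22T15:00:01+00:00",
    "feed.url": "https://feed.example/list.txt",
}
EVENT_INSTANCE_B = {
    "time.observation": "2021-04-22T15:00:07+00:00",
    "source.port": 443,
    "source.ip": "192.0.2.10",
    "time.source": "2021-04-22T14:56:00+00:00",
    "feed.url": "https://feed.example/list.txt",
    "classification.type": "c2-server",
}
# A genuinely different event: one identity field changed.
EVENT_OTHER_HOST = {**EVENT_INSTANCE_A, "source.ip": "192.0.2.11"}


if __name__ == "__main__":
    print("A:", event_digest(EVENT_INSTANCE_A))
    print("B:", event_digest(EVENT_INSTANCE_B))
    print("A and B are the same event:",
          same_event(EVENT_INSTANCE_A, EVENT_INSTANCE_B))
    print("A and other host are the same event:",
          same_event(EVENT_INSTANCE_A, EVENT_OTHER_HOST))
```

The excluded-field set is where the actual decision about equality lives, and it only works if every instance ships the identical list and the identical serialisation rules; value normalisation (one textual form per IP address, timestamps in one timezone) has to be pinned the same way, because the hash compares bytes, not meaning. As noted in the thread, the result should not be called a UUID.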