[IntelMQ-dev] [IntelMQ-users] IEP03: IntelMQ Data Format - Multiple Values

Pavel Kácha ph at cesnet.cz
Tue Apr 6 17:50:14 CEST 2021


Hello Sebastian,

> From: Sebastian Waldbauer <waldbauer at cert.at>, Date: dub 06, 2021
>
> IMHO, I wouldn't use multiple values in source fields as intelmq data gets
> more complex and will break the KISS principle. Using the parent uuid would
> solve this problem of nesting, as you can use uuids to connect similar
> events to each other. I'd propose to use multiple values in fields where it
> doenst get too complex like `tags`. Tags can be used to add specified tags
> like campaigns.

   Sure, then you'll have to embrace IEP04, however with its own set of
problems (M:N alias difficult to describe DDoS, data completeness problem
alias "how long should I wait to be reasonably sure I have complete set of
events?").
   We wanted to take the analysis/assembly/complexity burden out of readers
(cause we have our experience with IDMEF, IODEF and MISP, which seem to me
as writer friendly, not reader friendly :) ), so we went for (hopefully
reasonably) increased complexity and against dropping (too much) features -
and trying to solve most of the problems on our side. Real world is usually
not KISS. :)

> > > ### Classification
> > ...
> > > ## Format
> > > {"classification.taxonomy": ["information-content-security", "fraud"],
> > > "classification.type": ["unauthorised-modification-of-information",
> > > "phishing"]
> >     I believe (feel free to correct me) that RSIT does not preclude usage of
> > just first level category in cases where second level is ambiguous or
> > unknown, so in two array format you could solve it for example like:
> > 
> >     {
> >        "classification.taxonomy": ["information-content-security", "fraud"],
> >        "classification.type": [null, "phishing"]
> > 
> >     In Idea we went for "merged" field, here it might look like:
> > 
> >     classification: [
> >        "information-content-security.unauthorised-modification-of-information",
> >        "fraud.phishing"
> >     ]
> > 
> >     or considering missing second level:
> > 
> >     classification: [
> >        "information-content-security",
> >        "fraud.phishing"
> >     ]
> 
> Agree with the "tagging" style, as it can contain a lot of information & can
> be set per event.

   Just a note that came to my mind - on RSIT, second level implies first
level (all second level labels are unique and belong to exactly one first
level labels), so (as for completeness of information, not necessarily for
clarity) "unauthorised-modification-of-information" is in fact enough,
instead of "information-content-security.unauthorised-modification-of-information".
   However, explicit is usually better than implicit. :)

-- Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20210406/64595bca/attachment.sig>


More information about the IntelMQ-dev mailing list