[IntelMQ-dev] regarding IEP03
L. Aaron Kaplan
aaron at lo-res.org
Thu Apr 22 11:48:18 CEST 2021
Hi everyone,
I wanted to send back a better write-up of my stance on IEP03 ("multiple values" in the IntelMQ internal data format).
Alas, I was quite busy and I am sprinting to push out some code for our deadline at work.
However, let me summarise it:
I think the IEP03 is very well written, thank you a lot for this! Thinking this through was important and I think Sebastian Waldbauer did a great job.
Reading it, I realised that my initial proposal of having multiple values is really breaking the KISS principle of IntelMQ in a bad way. Worse than I had thought. So, I am thinking of retracting the proposal.
However, .... https://github.com/certtools/ieps/tree/main/003#alternatives has a good core in it.
If we have multiple values, instead of doing the n x m complexity explosion, we link different events (JSON rows) together via UUIDs; this gives us what we need:
* UUIDs help with deduplication! That's important when linking IntelMQ instances!
* lower complexity / keep the KISS principle
* consumers can ignore the UUID-linking if it's not relevant for them (e.g. enrichment processes/bots)
* we can still represent linked events.
I would like to add one little but important thing for the UUID linking idea: add a "link-type".
Examples for link-types:
* parent-child event
* grouping types (all of these events belong to the same report)
etc.
With this triplet information, we are close to RDF (left-side, type, right-side) and thus we can (future-proof) represent any type of relation.
A list of valid types needs to be documented in the IDF format page of course.
So, I think with that, we can go ahead.
Thanks,
a.
PS: and sorry that my feedback came a bit late, as said - code sprints.
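The UUID-linking-with-link-type scheme sketched in the message above, as an added illustration (this is not IntelMQ code and not what IEP03 or the IntelMQ data format specify): each event stays a flat JSON row carrying its own UUID, relations are separate (left-side, type, right-side) triples, a consumer that does not care about relations only ever sees the flat rows, and copies of the same row forwarded by two instances collapse on the UUID. The field name `event_id`, the link types `parent-child` and `same-report`, the sample event fields and the JSON-lines layout are all assumptions made for this example.

```python
"""Flat events linked by UUID triples (left-side, link-type, right-side).

Added illustration, not IntelMQ code. The field name "event_id", the link
types and the JSON-lines layout are assumptions made for this example.
"""
import json
import uuid

ID_FIELD = "event_id"                                    # assumed field name
LINK_TYPES = frozenset({"parent-child", "same-report"})  # assumed documented types


def new_event(fields, event_id=None):
    """Return a flat event row (a plain dict) that carries its own UUID."""
    event = dict(fields)
    event[ID_FIELD] = event_id or str(uuid.uuid4())
    return event


def make_link(left, link_type, right):
    """Build one (left-side, type, right-side) triple between two identifiers.

    Only documented link types are accepted: an unknown type is a producer
    bug, so fail loudly instead of emitting a relation nobody can interpret.
    """
    if link_type not in LINK_TYPES:
        raise ValueError("undocumented link-type: %r" % (link_type,))
    return (left, link_type, right)


def expand_multi_value(base, key, values, report_id):
    """Turn one logical event with several values for `key` into linked flat rows.

    Instead of a list-valued field or n x m combined rows, a parent row keeps
    the shared fields and each child row carries exactly one value. The
    relation lives in the triples, not in the rows, so consumers that do not
    care about it still see ordinary single-valued events.
    """
    parent = new_event(base)
    events = [parent]
    triples = [make_link(parent[ID_FIELD], "same-report", report_id)]
    for value in values:
        child = new_event({**base, key: value})
        events.append(child)
        triples.append(make_link(parent[ID_FIELD], "parent-child", child[ID_FIELD]))
        triples.append(make_link(child[ID_FIELD], "same-report", report_id))
    return events, triples


def deduplicate(events):
    """Drop repeated copies of an event by UUID, keeping the first one seen.

    This is what makes forwarding between instances safe: the same row
    arriving via two paths collapses to one.
    """
    seen = set()
    unique = []
    for event in events:
        if event[ID_FIELD] not in seen:
            seen.add(event[ID_FIELD])
            unique.append(event)
    return unique


def related(triples, event_id, link_type):
    """Right-hand sides of every triple `event_id -[link_type]-> x`."""
    return [right for left, kind, right in triples
            if left == event_id and kind == link_type]


def enrich(event):
    """A link-agnostic consumer: it only sees the flat row, never the triples."""
    enriched = dict(event)
    enriched["feed.accuracy"] = 100.0  # constructed sample enrichment value
    return enriched


def to_json_lines(events, triples):
    """Serialize rows and triples as JSON lines (assumed wire layout)."""
    lines = [json.dumps(event, sort_keys=True) for event in events]
    lines += [json.dumps({"left": l, "type": t, "right": r}) for l, t, r in triples]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: one scanner hitting three ports, reported once.
    report_id = str(uuid.uuid4())
    rows, links = expand_multi_value(
        {"source.ip": "192.0.2.10", "classification.type": "scanner"},
        "destination.port", [22, 80, 443], report_id)
    # Two instances forward overlapping copies; the UUIDs collapse them again.
    from_instance_a, from_instance_b = rows[:3], rows[1:]
    merged = deduplicate(from_instance_a + from_instance_b)
    print(len(merged), "unique rows out of", len(from_instance_a) + len(from_instance_b))
    print("children of parent:", related(links, rows[0][ID_FIELD], "parent-child"))
    print(to_json_lines(merged, links))
```

Rejecting an undocumented link-type in `make_link` is the practical counterpart of the "list of valid types" the message asks for: the set of types is the contract between producers and consumers, so a producer emitting a type outside it should fail at the source rather than hand downstream bots a relation they cannot interpret.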