[IntelMQ-dev] IEP04 use-cases (Was: Re: Decision on IEP04: IntelMQ Data Format - Meta-Information)

Sebastian Wagner wagner at cert.at
Mon May 3 09:55:32 CEST 2021


Dear Pavel,

Thank you very much for this great composition of possible use-cases.
May I integrate them into the current IEP04 text?

Sebastian

On 4/29/21 3:40 PM, Pavel Kácha wrote:
> Hello,
>
>    at the hackaton we decided to try to document some real use-cases that
> might be covered by IntelMQ. I guess this is still bit of a design phase and
> does not fit into one of the issues at GitHub, so I'll try to kick it off
> here for discussion (and decisions of what IntelMQ does and does not want to
> support, or what to consider and what to scratch).
>
>  1, Events with multiple target IPs/hostnames/ports
>
>   - Horizontal portscan (multiple machines, one port)
>   - SSH bruteforce (multiple machines, one port/service)
>   - Vertical portscan (one machine, multiple ports)
>
>  2, Events with multiple source IPs/hostames/ports
>
>   - Targeted DDoS (mutiple machines/reflectors shoot at one target)
>
>  3, Events with both multiple sources and targets
>
>   - Wider DDoS (multiple machines/reflectors shoot at mutiple machines,
>     whole subnet, etc.)
>
>  4, Events with one or more both sources and targets, where exact pattern is
>     not known
>
>   - Aka one of [1, 2, 3], but we do not have complete information about
>     specific connections made, possibly because the event/detection came
>     from the statistical detector or from some form of aggregation (where
>     original full information from for example netflow is already lost).
>
>
>    I guess these (1-4) initiated creation of IEP03 and IEP04 and probably
> are the only ones worth considering now.
>
>
>    Taking into account the possibility of linking of events, there might be
> other orthogonal use-cases:
>
>  5, Identification of identical events from possibly the same source to
>     avoid duplication/circles
>
>   - aka some form of stable identifier
>
>  6, When target organisation contacts source organisation for more info,
>     identification of where event came from internally
>
>   - aka possibility to put there the internal (opaque) identifier, like
>     CESNET-RT#2235 (Request tracker), or Idea:UUID (what Idea event was
>     converted into this IntelMQ event)
>
>  7, Meta-events
>
>   - event, linking together multiple completely different events as one
>     incident (email address of spammer from spam email, IPs of spamming
>     mailservers, phishing URL from spam email)
>
>  8, Correlated events
>
>   - aka different events, but identified as related/part of other events
>     (like ongoing attack)
>
>  9, Modification or deletion/withdrawal of information
>
>   - aka "this event replaces that event with new info", or "that event was
>     wrong, sent by error, forget it"
>
>
>    All above are ones we considered in Idea (see ID, AltNames, CorrelID,
> AggrID, PredID, RelID at [1], and not yet implemented GroupID), and I
> personally consider:
>
>   - 1-4, maybe 5 quite important, 
>   - 6 handy (nice to have)
>   - 7-9 - we incorporated possibility of these, but in fact never used
>
>
>    I believe pretty much all are solvable by linking of events (IEP04):
>
>  1, 2, 3 as bunch of linked events with source-target relation in each of them
>  4 as two linked events - one with all the sources, one with all the targets
>
>  5 as additional calculated identifier, hard part is not storage, but
>    standardization/calculation
>  6 as additional opaque (freehand, non UUID) identifiers
>  7, 8 as bunch of linked events, with possibility of some meta-event maybe
>  9 as additional type of link 
>
> -- Pavel
>
> [1] https://idea.cesnet.cz/en/definition
>
> _______________________________________________
> IntelMQ-dev mailing list
> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
> https://intelmq.readthedocs.io/

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 676 898 298 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20210503/376e0e5b/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20210503/376e0e5b/attachment.sig>


More information about the IntelMQ-dev mailing list