[IntelMQ-dev] IEP04: The choice of the UUID-format

moto kawasaki moto at kawasaki3.org
Tue Sep 7 02:40:28 CEST 2021


Dear Sebastian and all,

Thank you for your effort to provide better IntelMQ.
I am trying to catch up the discussion (but still behind a lot...)

Regarding IEP004, I'd second the current proposal and Variant
AIL. That is natural and easy to understand.

But don't we need to have a timestamp in the meta-data ?
I mean something like this;

{
    "format": "intelmq",
    "version": 1,
    "type": "event",
    "meta": {
        "intelmq:uuid": "<event-uuid-1>",
	"intelmq:uuid_org": "<org-uuid-1>",
	"intelmq:timestamp": "<creation time of this message>",  <== here
	:

With this timestamp, we don't need to consider a time-sortable UUID
but just use UUID-whatever.

If you've already discussed and decided not to have it, please ignore
and receive my apology to rehash old discussion.

Thank you very much.



Best Regards,



-- 
moto kawasaki <moto at kawasaki3.org> +81-90-2464-8454




From: Sebastian Wagner <wagner at cert.at>
Subject: [IntelMQ-dev] IEP04: The choice of the UUID-format
Date: Mon, 6 Sep 2021 18:59:36 +0200

> Dear allies,
> 
> The discussion around the IEP04 proposal, adding meta-information to
> IntelMQ messages, has stalled over the last months - first because of
> the time-intensive IntelMQ 3.0 release preparations and then because of
> the vacation season.
> 
> Here is the current proposal:
> https://github.com/certtools/ieps/tree/main/004#readme
> 
> Aaron, Sebastian Waldbauer and myself worked on it over the summer and
> also identified two open issues to be discussed:
> 1. The exact format of the meta-information and how to name and
> structure the fields. AIL made the first move and now uses a format
> similar to the previously proposed Variant "A". The IEP04 document
> contains the current proposal which is in line with the AIL format:
> https://github.com/certtools/ieps/tree/main/004#user-content-variant-ail
> If there are no other proposals, this will most probably the way to go.
> 2. The format of the UUID format which we want to uniquely identify
> IntelMQ events. We don't necessarily need to use the UUIDv4 format which
> represents pure randomness, but also other options which include the
> time and are even /time-sortable/. Sebastian Waldbauer analysed a couple
> of options and summarised his results in this document:
> 
> https://github.com/certtools/ieps/blob/main/004/UUID.md
> 
> Please let us know your opinion on the different UUID options.
> 
> cheers
> Sebastian
> 
> -- 
> // Sebastian Wagner <wagner at cert.at> - T: +43 676 898 298 7201
> // CERT Austria - https://www.cert.at/
> // Eine Initiative der nic.at GmbH - https://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
> 
> 


More information about the IntelMQ-dev mailing list