[IntelMQ-dev] IEP04: The choice of the UUID-format
moto kawasaki
moto at kawasaki3.org
Tue Sep 7 02:40:28 CEST 2021
Dear Sebastian and all,
Thank you for your effort to provide better IntelMQ.
I am trying to catch up the discussion (but still behind a lot...)
Regarding IEP004, I'd second the current proposal and Variant
AIL. That is natural and easy to understand.
But don't we need to have a timestamp in the meta-data ?
I mean something like this;
{
"format": "intelmq",
"version": 1,
"type": "event",
"meta": {
"intelmq:uuid": "<event-uuid-1>",
"intelmq:uuid_org": "<org-uuid-1>",
"intelmq:timestamp": "<creation time of this message>", <== here
:
With this timestamp, we don't need to consider a time-sortable UUID
but just use UUID-whatever.
If you've already discussed and decided not to have it, please ignore
and receive my apology to rehash old discussion.
Thank you very much.
Best Regards,
--
moto kawasaki <moto at kawasaki3.org> +81-90-2464-8454
From: Sebastian Wagner <wagner at cert.at>
Subject: [IntelMQ-dev] IEP04: The choice of the UUID-format
Date: Mon, 6 Sep 2021 18:59:36 +0200
> Dear allies,
>
> The discussion around the IEP04 proposal, adding meta-information to
> IntelMQ messages, has stalled over the last months - first because of
> the time-intensive IntelMQ 3.0 release preparations and then because of
> the vacation season.
>
> Here is the current proposal:
> https://github.com/certtools/ieps/tree/main/004#readme
>
> Aaron, Sebastian Waldbauer and myself worked on it over the summer and
> also identified two open issues to be discussed:
> 1. The exact format of the meta-information and how to name and
> structure the fields. AIL made the first move and now uses a format
> similar to the previously proposed Variant "A". The IEP04 document
> contains the current proposal which is in line with the AIL format:
> https://github.com/certtools/ieps/tree/main/004#user-content-variant-ail
> If there are no other proposals, this will most probably the way to go.
> 2. The format of the UUID format which we want to uniquely identify
> IntelMQ events. We don't necessarily need to use the UUIDv4 format which
> represents pure randomness, but also other options which include the
> time and are even /time-sortable/. Sebastian Waldbauer analysed a couple
> of options and summarised his results in this document:
>
> https://github.com/certtools/ieps/blob/main/004/UUID.md
>
> Please let us know your opinion on the different UUID options.
>
> cheers
> Sebastian
>
> --
> // Sebastian Wagner <wagner at cert.at> - T: +43 676 898 298 7201
> // CERT Austria - https://www.cert.at/
> // Eine Initiative der nic.at GmbH - https://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
>
>
More information about the IntelMQ-dev
mailing list