
MISP parser: added functionality to honor/filter the "to_ids" attribute of MISP #1649

Open
wants to merge 1 commit into base: develop
Conversation


@DK1MI DK1MI commented Nov 4, 2020

Added the following to honor the "to_ids" attribute of MISP:

  • added the new field "misp.to_ids" to harmonization.conf (Boolean)
  • added the new parameter "only_ids" to the MISP parser
  • MISP parser now inserts the MISP attribute "to_ids" into the resulting IntelMQ events
  • When parameter "only_ids" is set to "true", the MISP parser only processes and forwards MISP events if their "to_ids" attribute's value is true

@ghost ghost requested a review from Rafiot November 4, 2020 19:07
@ghost ghost self-assigned this Nov 4, 2020
@ghost ghost requested a review from aaronkaplan November 5, 2020 08:29

ghost commented Nov 5, 2020

This introduces a new field in the harmonization (internal data format) -> @aaronkaplan

@ghost ghost added this to the 2.3.0 milestone Nov 5, 2020
@ghost ghost added the labels component: bots, feature request, data-format Nov 5, 2020
Rafiot (Member) commented Nov 5, 2020

It seems fine to me.


ghost commented Nov 5, 2020

> It seems fine to me.

Thanks!


ghost commented Nov 6, 2020

@exitnode Can you please better explain what the to_ids field is for (the given explanation in harmonization.conf is way too generic) and why we need a separate field for it in IntelMQ?

DK1MI (Author) commented Nov 6, 2020

> @exitnode Can you please better explain what the to_ids field is for (the given explanation in harmonization.conf is way too generic) and why we need a separate field for it in IntelMQ?

This is from the MISP core format documentation:

> to_ids represents whether the attribute is meant to be actionable.
> Actionable defined attributes that can be used in automated processes
> as a pattern for detection in Local or Network Intrusion Detection
> System, log analysis tools or even filtering mechanisms

We use the "to_ids" flag inside of MISP to decide if an IOC will later on be included in a blocking list, e.g. for a proxy server. We use this to manually verify what will be blocked and what not while working on the MISP events.

Now we can filter inside IntelMQ if an event's property is meant for blocking or not and therefore put it in a pipeline that eventually generates the blocking list.

FYI: I'm working on additional enhancements to the MISP collector that will also include this property and some more functionality. As soon as it is stable enough, I will send a PR for it, too.
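To make the behaviour described in the PR description and in the comment above concrete, here is an added example (not IntelMQ's or the PR's own code) of a minimal MISP-attribute-to-event conversion that carries `misp.to_ids` on every event and drops non-actionable attributes when `only_ids` is set. The sample event, the `TYPE_MAP` mapping of MISP attribute types to IntelMQ fields and the function names are assumptions made for this example.

```python
import json

# Constructed sample MISP event (not real data): one attribute flagged
# to_ids=true (actionable), one flagged to_ids=false (context only).
SAMPLE_MISP_EVENT = json.dumps({"Event": {
    "uuid": "5f9c1e2a-0000-4000-8000-000000000001",
    "Attribute": [
        {"uuid": "5f9c1e2a-0000-4000-8000-000000000002",
         "type": "ip-dst", "value": "192.0.2.10", "to_ids": True},
        {"uuid": "5f9c1e2a-0000-4000-8000-000000000003",
         "type": "domain", "value": "example.invalid", "to_ids": False},
    ],
}})

# Assumed mapping from MISP attribute types to IntelMQ harmonization fields.
TYPE_MAP = {"ip-src": "source.ip", "ip-dst": "destination.ip",
            "domain": "source.fqdn", "url": "source.url"}


def _to_bool(value) -> bool:
    """MISP exports to_ids as a JSON boolean; tolerate "1"/"true" strings too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("1", "true")


def parse_misp_event(raw: str, only_ids: bool = False) -> list:
    """Convert each MISP attribute into an IntelMQ-style event dict.

    Every emitted event carries "misp.to_ids"; with only_ids=True, attributes
    whose to_ids flag is not true are dropped, so only actionable indicators
    reach a downstream blocking-list pipeline.
    """
    event = json.loads(raw)["Event"]
    events = []
    for attr in event.get("Attribute", []):
        to_ids = _to_bool(attr.get("to_ids", False))
        if only_ids and not to_ids:
            continue  # context-only attribute, not meant for detection/blocking
        field = TYPE_MAP.get(attr["type"])
        if field is None:
            continue  # attribute types outside the mapping are skipped here
        events.append({
            field: attr["value"],
            "misp.event_uuid": event["uuid"],
            "misp.attribute_uuid": attr["uuid"],
            "misp.to_ids": to_ids,
        })
    return events
```

Run with `only_ids=False` to see both attributes emitted with their flag, and with `only_ids=True` to see only the actionable indicator survive.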

@ghost ghost self-requested a review November 6, 2020 14:02

@ghost ghost left a comment

If I got the meaning of the to_ids field right, I think this is similar to the discussion #758. Both fields have equivalent meanings, i.e. that the IoC is actionable. IMHO we should only have one field, not one field per input/output as long as they do not conflict (I don't see this risk at the moment)

@@ -205,6 +205,10 @@
"regex": "^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[0-9a-z]{12}$",
"type": "LowercaseString"
},
"misp.to_ids": {
"description": "MISP - Malware Information Sharing Platform & Threat Sharing IDS flag",
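Review bot: The "description" for "misp.to_ids" names the platform but does not say what the flag means, which is exactly what harmonization.conf readers need; suggest stating the semantics from the PR description, along the lines of "MISP to_ids flag: true when the attribute is meant to be actionable (usable as a pattern for detection or blocking)". Also, the hunk header announces four added lines but only two are shown here, so the "type": "Boolean" entry the PR description promises is not visible in this excerpt; please confirm it is present in the full diff.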
For me, this is not descriptive enough. I can't understand the meaning of the field from this text.

@ghost ghost removed this from the 2.3.0 milestone Feb 5, 2021
@ghost ghost added the needs: feedback label Aug 20, 2021
@ghost ghost removed their assignment Aug 20, 2021