Skip to content

MISP parser: added functionality to honor/filter the "to_ids" attribute of MISP#1649

Open
DK1MI wants to merge 1 commit into
certtools:developfrom
DK1MI:misp_ids
Open

MISP parser: added functionality to honor/filter the "to_ids" attribute of MISP#1649
DK1MI wants to merge 1 commit into
certtools:developfrom
DK1MI:misp_ids

Conversation

@DK1MI
Copy link
Copy Markdown

@DK1MI DK1MI commented Nov 4, 2020

Added the following to honor the "to_ids" attribute of MISP:

  • added the new field "misp.to_ids" to harmonization.conf (Boolean)
  • added the new parameter "only_ids" to the MISP parser
  • MISP parser now inserts the MISP attribute "to_ids" into the resulting IntelMQ events
  • When parameter "only_ids" is set to "true", the MISP parser only processes and forwards MISP events if their "to_ids" attribute's value is true

@DK1MI
Added the following to honor the "to_ids" attribute of MISP:
19f7b1a 
* added the new field "misp.to_ids" to harmonization.conf (Boolean)
* added the new parameter "only_ids" to the MISP parser
* MISP parser now inserts the MISP attribute "to_ids" into the resulting IntelMQ events
* When parameter "only_ids" is set to "true", the MISP parser only processes and forwards MISP events if their "to_ids" attribute's value is true
@ghost ghost requested a review from Rafiot November 4, 2020 19:07
@ghost ghost self-assigned this Nov 4, 2020
@ghost ghost requested a review from aaronkaplan November 5, 2020 08:29
@ghost
Copy link
Copy Markdown

ghost commented Nov 5, 2020

This introduces a new field in the harmonization (internal data format) -> @aaronkaplan

@ghost ghost added this to the 2.3.0 milestone Nov 5, 2020
@ghost ghost added component: bots feature Indicates new feature requests or new features data-format labels Nov 5, 2020
@Rafiot
Copy link
Copy Markdown
Member

Rafiot commented Nov 5, 2020

It seems fine to me.

@ghost
Copy link
Copy Markdown

ghost commented Nov 5, 2020

It seems fine to me.

Thanks!

@ghost
Copy link
Copy Markdown

ghost commented Nov 6, 2020

@exitnode Can you please better explain what the to_ids field is for (the given explanation in harmonization.conf is way too generic`) and why we need a separate field for it in IntelMQ?

@DK1MI
Copy link
Copy Markdown
Author

DK1MI commented Nov 6, 2020

@exitnode Can you please better explain what the to_ids field is for (the given explanation in harmonization.conf is way too generic`) and why we need a separate field for it in IntelMQ?

This is from the MISP core format documentation:

to_ids represents whether the attribute is meant to be actionable.
Actionable defined attributes that can be used in automated processes
as a pattern for detection in Local or Network Intrusion Detection
System, log analysis tools or even filtering mechanisms

We use the "to_ids" flag inside of MISP to decide if an IOC will be later on be included in a blocking list e.g. for a proxy server. We use this to manually verify what will be blocked and what not while working on the MISP events.

Now we can filter inside IntelMQ if an event' property is meant for blocking or not and therefore put it in a pipeline that eventually generates the blocking list.

FYI: I'm working on additional enhancements to the MISP collector that will also include this property and some more functionality. As soon as it is stable enough, I will send a PR for it, too.

@ghost ghost self-requested a review November 6, 2020 14:02
ghost
ghost reviewed Nov 10, 2020
View reviewed changes
Copy link
Copy Markdown

@ghost ghost left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If I got the meaning of the to_ids field right, I think this is similar to the discussion #758. Both fields have equivalent meanings, i.e. that the IoC is actionable. IMHO we should only have one field, not one field per input/output as long as they do not conflict (I don't see this risk at the moment)

Comment thread intelmq/etc/harmonization.conf
"type": "LowercaseString"
},
"misp.to_ids": {
"description": "MISP - Malware Information Sharing Platform & Threat Sharing IDS flag",
Copy link
Copy Markdown

@ghost ghost Nov 10, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For me, this is not descriptive enough. I can't understand the meaning of the field from this text.

@ghost ghost removed this from the 2.3.0 milestone Feb 5, 2021
@ghost ghost added the needs: feedback label Aug 20, 2021
@ghost ghost removed their assignment Aug 20, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Rafiot Rafiot Awaiting requested review from Rafiot

@aaronkaplan aaronkaplan Awaiting requested review from aaronkaplan

1 more reviewer
Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

component: bots data-format feature Indicates new feature requests or new features needs: feedback

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@DK1MI @Rafiot