
For discussion: define a recommended minimum requirements and (dis)allowed fields for each classification type

Open gethvi opened this issue 2 years ago • 0 comments

What?

I know there are general recommendations in the docs.

However I am proposing to create a definition of:

  • required fields for each classification type
  • disallowed fields for each classification type

It would be somewhat of an extension to this docs page.

The enforcement of such rules would be optional (perhaps via dedicated expert bot).

Why?

  • This would make it easier to interpret what the event is actually describing. Please let me know in the comments how you would understand the following event (because technically it is a valid IntelMQ Event):

```json
{
  "classification.type": "vulnerable-system",
  "time.source": "2021-06-21T06:34:53+00:00",
  "source.port": 1359,
  "protocol.transport": "tcp",
  "source.ip": "46.13.XXX.XXX",
  "destination.geolocation.cc": "US",
  "destination.port": 80,
  "source.geolocation.cc": "CZ",
  "destination.ip": "104.42.XXX.XXX",
  "classification.taxonomy": "vulnerable",
  "time.observation": "2021-06-22T16:31:31+00:00"
}
```
  • It would make it easier to interpret the event programmatically for other systems consuming IntelMQ events.
  • It would make sharing IntelMQ events more consistent across various IntelMQ instances of different organizations.
  • The implementation and usage of such an expert bot would prevent informationally incomplete or ambiguous events. It would also be useful as a notification that such an incomplete or ambiguous event has appeared in IntelMQ and would indicate that some kind of configuration adjustment might be needed.

Example

Events with classification type "vulnerable-system":

  • source.ip: must be present
  • destination.*: must not be present
  • etc.

Events with classification type "phishing":

  • source.url: must be present
  • destination.*: should not be present (or have a clear definition of what it means when "phishing" has some form of destination)
  • etc.

Events with classification type "dga-domain":

  • source.fqdn: must be present
  • etc.

Outcome

What would be the outcome of this issue:

  • rather long documentation page with the recommendations/rules
  • possibly an expert bot that could be optionally used to enforce such rules

None of it would be mandatory to use, but recommended for sharing and other processing of IntelMQ events.

I am most definitely willing to put together a draft of such recommendations/rules for discussion. But first I would like to know if it is something this community would accept at all.

gethvi · May 05 '22 16:05
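As an added illustration of the "optional expert bot" idea sketched in this issue (not code from IntelMQ or from the issue author), the following Python validator encodes the three draft rule sets from the Example section as a table of required fields and disallowed field globs, and checks a plain-dict event against it. The rule table, the `validate_event` function and the `RULES` name are all assumptions for this example; the sample event is the one quoted in the issue. Events whose `classification.type` has no rule pass untouched, so the check stays opt-in per type.

```python
import fnmatch

# Constructed rule table mirroring the draft in the issue (hypothetical, not
# part of IntelMQ).  "required" lists exact field names that must be present;
# "disallowed" lists fnmatch-style patterns that no field may match.
RULES = {
    "vulnerable-system": {"required": ["source.ip"], "disallowed": ["destination.*"]},
    "phishing":          {"required": ["source.url"], "disallowed": ["destination.*"]},
    "dga-domain":        {"required": ["source.fqdn"], "disallowed": []},
}


def validate_event(event, rules=RULES):
    """Return a list of human-readable problems; an empty list means the event passes.

    A classification type with no entry in ``rules`` is accepted unchanged,
    which matches the issue's point that enforcement should be optional.
    """
    ctype = event.get("classification.type")
    rule = rules.get(ctype)
    if rule is None:
        return []

    problems = []
    for field in rule["required"]:
        if field not in event:
            problems.append(f"missing required field {field!r} for {ctype}")

    # Sort so that the report order is deterministic regardless of dict order.
    for pattern in rule["disallowed"]:
        for field in sorted(event):
            if fnmatch.fnmatchcase(field, pattern):
                problems.append(f"disallowed field {field!r} (matches {pattern!r}) for {ctype}")
    return problems


# The ambiguous event quoted in the issue (IPs are masked there already).
AMBIGUOUS_EVENT = {
    "classification.type": "vulnerable-system",
    "time.source": "2021-06-21T06:34:53+00:00",
    "source.port": 1359,
    "protocol.transport": "tcp",
    "source.ip": "46.13.XXX.XXX",
    "destination.geolocation.cc": "US",
    "destination.port": 80,
    "source.geolocation.cc": "CZ",
    "destination.ip": "104.42.XXX.XXX",
    "classification.taxonomy": "vulnerable",
    "time.observation": "2021-06-22T16:31:31+00:00",
}

if __name__ == "__main__":
    for problem in validate_event(AMBIGUOUS_EVENT):
        print(problem)
```

Run as a script, this reports the three `destination.*` fields that make the quoted event ambiguous under the draft rule, while `source.ip` satisfies the required-field check. A real expert bot built on this idea would decide per deployment whether a non-empty problem list drops the event, annotates it, or only logs it, which is the configuration choice the issue leaves open.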