-
Notifications
You must be signed in to change notification settings - Fork 299
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MISP parser: added functionality to honor/filter the "to_ids" attribute of MISP #1649
base: develop
Are you sure you want to change the base?
Conversation
* added the new field "misp.to_ids" to harmonization.conf (Boolean) * added the new parameter "only_ids" to the MISP parser * MISP parser now inserts the MISP attribute "to_ids" into the resulting IntelMQ events * When parameter "only_ids" is set to "true", the MISP parser only processes and forwards MISP events if their "to_ids" attribute's value is true
This introduces a new field in the harmonization (internal data format) -> @aaronkaplan |
It seems fine to me. |
Thanks! |
@exitnode Can you please better explain what the |
This is from the MISP core format documentation:
We use the "to_ids" flag inside of MISP to decide if an IOC will be later on be included in a blocking list e.g. for a proxy server. We use this to manually verify what will be blocked and what not while working on the MISP events. Now we can filter inside IntelMQ if an event' property is meant for blocking or not and therefore put it in a pipeline that eventually generates the blocking list. FYI: I'm working on additional enhancements to the MISP collector that will also include this property and some more functionality. As soon as it is stable enough, I will send a PR for it, too. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I got the meaning of the to_ids
field right, I think this is similar to the discussion #758. Both fields have equivalent meanings, i.e. that the IoC is actionable. IMHO we should only have one field, not one field per input/output as long as they do not conflict (I don't see this risk at the moment)
@@ -205,6 +205,10 @@ | |||
"regex": "^[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[0-9a-z]{12}$", | |||
"type": "LowercaseString" | |||
}, | |||
"misp.to_ids": { | |||
"description": "MISP - Malware Information Sharing Platform & Threat Sharing IDS flag", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For me, this is not descriptive enough. I can't understand the meaning of the field from this text.
Added the following to honor the "to_ids" attribute of MISP: