misp / misp-taxonomies
Taxonomies used in the MISP taxonomy system; they can also be used by other information sharing tools.
Home Page: https://www.circl.lu/doc/misp-taxonomies/
License: Other
Documentation and presentation about misp-taxonomies
This gives the error "Could not update any of the taxonomy libraries" when updating the tags. This is caused by:
2016-10-28 12:57:18 Warning: Warning (2): file_get_contents(/var/www/MISP/app/files/taxonomies/mapping/machinetag.json): failed to open stream: No such file or directory in [/var/www/MISP/app/Lib/cakephp/lib/Cake/Utility/File.php, line 154]
It looks like there's another client focus (or item from an unrelated collection) mangled into the description text of the "Culture" item; I believe the line should read simply "The organization campaigns or acts to promote cultural events".
https://github.com/MISP/misp-taxonomies/blob/master/accessnow/machinetag.json#L19
Mapping IEP <-> PAP - @Delta-Sierra could you check to add PAP and IEP in the mapping?
Adding DML Detection Maturity Level model as taxonomy
http://ryanstillions.blogspot.com/2014/04/the-dml-model_21.html
Priority should indicate the need for urgent or immediate action, such as further distribution.
Maybe this would be a good start: https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System
Extend the MISP Taxonomy Library with a method to influence the behavior of remote instances.
E.g. the event creator publishes "without email notification". A remote instance would still publish to their users. This could be regarded, in the eyes of the creator, as disrespectful.
Adding a description field for each value
NATO classification to add
During the FIRST / TF-CSIRT meeting there was a question for a taxonomy to classify vulns. I would like to take that issue as an opportunity to collect papers covering classifications etc. as a baseline to start with a machine-readable vuln. taxonomy.
Hope it makes sense.
A
Hi folks,
are the following two taxonomy configurations possible (intended for a private taxonomy)?
a) Mixture of "predicate only" and "predicate and value" structure
I receive parsing errors if I omit the values on the "predicate only" level or set the value to "null". However, a uniform, non-mixed "predicate and value" != "null" structure works fine.
b) Tag colour configuration on the "value" level
Like on the "predicate" level, e.g. in https://github.com/MISP/misp-taxonomies/tree/master/tlp
Colours defined on the "value" level are not interpreted in my machinetag.json
Add a version in the JSON format as requested by @iglocska while doing an update.
Not sure if relevant for MISP, but it would be relatively easy to represent: https://unstats.un.org/unsd/cr/registry/regcst.asp?Cl=27
Note that it goes 4 levels depth: https://unstats.un.org/unsd/cr/registry/regcs.asp?Cl=27&Lg=1&Co=0111
Is it expected? Why do we have this empty string? Why not just remove it? It is not required by the schema.
https://github.com/MISP/misp-taxonomies/blob/master/ifx-vetting/machinetag.json#L62
action-taken:
informed ISP/Hosting Service Provider
informed Registrar
informed Registrant
informed abuse-contact (domain)
informed abuse-contact (IP)
informed legal department
100%                         Certainty
The General Area of Possibility
93% give or take about 6%    Almost certain
75% give or take about 12%   Probable
50% give or take about 10%   Chances about even
30% give or take about 10%   Probably not
7% give or take about 5%     Almost certainly not
0%                           Impossibility
As defined in ISO/IEC 27019: "The originator of an information exchange should indicate if the sensitivity of the information supplied will reduce after some external event, or the passage of time".
A taxonomy for sensitivity reduction should be created in order to cover such cases.
Same concept as the protocol names
In draft / Release requested / Finalized
It would be great if the veris taxonomy could be updated to the latest version from the veris project.
Hi! I've looked through this repo and I'm not sure how to propose the extension of existing taxonomies.
I think the circl:incident-classification set is very useful, but at AusCERT we've seen a lot of cryptocurrency-mining attacks and would like a standard tag for them.
Happy to make a pull request if that's the correct approach. Is the taxonomy defined elsewhere and would need some discussion?
Hi
I want to know who determines the tag values? For example, determining "Source Reliability tag" levels or likelihood-probability?
And can we do tagging automatically?
thanks
Binaries type might be:
The expanded key in the ifx-vetted taxonomy is empty. This is causing an error on the update taxonomies call. I am using Ubuntu 18.04 and PHP 7.2.
ifx-vetting could not be installed/updated. Error: {"TaxonomyPredicate":{"1":{"TaxonomyEntry":[{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]},{"expanded":["Expanded cannot be empty."]}]}}}
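The failures reported in these issues (entries whose "expanded" text is empty, stray empty-string values, and colour definitions that are not picked up) are all catchable before a machinetag.json is committed or pushed to an instance. The following is an added example of such a pre-commit lint, not code from the misp-taxonomies project or from MISP itself; it assumes only the key names seen in the repository's machinetag.json files (namespace, description, version, predicates, values/entry, expanded, colour), and the sample taxonomy embedded in it is constructed for the demonstration.

```python
"""Lint a MISP-style machinetag.json for the defects raised in these issues.

Added example; not the project's own validator. Assumes the key names used
in misp-taxonomies machinetag.json files. The sample taxonomy is constructed.
"""
import json
import re
import sys

# Constructed sample: one entry with an empty "expanded", one block that
# refers to a predicate which is never declared, and one bad colour string.
SAMPLE_MACHINETAG = json.loads("""
{
  "namespace": "example-vetting",
  "description": "Constructed sample taxonomy for linting",
  "version": 1,
  "predicates": [
    {"value": "action-taken", "expanded": "Action taken", "colour": "#0044cc"},
    {"value": "confidence", "expanded": "Confidence", "colour": "blue"}
  ],
  "values": [
    {"predicate": "action-taken",
     "entry": [
       {"value": "informed-registrar", "expanded": "Informed Registrar"},
       {"value": "informed-isp", "expanded": ""}
     ]},
    {"predicate": "missing-predicate",
     "entry": [{"value": "x", "expanded": "Orphan entry"}]}
  ]
}
""")

COLOUR_RE = re.compile(r"^#[0-9a-fA-F]{6}$")


def _check_node(node: dict, path: str, findings: list) -> None:
    """Checks shared by predicates and entries: non-empty value/expanded, valid colour."""
    if not node.get("value"):
        findings.append((path, "value is empty"))
    if not node.get("expanded"):
        # This is the condition MISP rejects with "Expanded cannot be empty."
        findings.append((path, "expanded cannot be empty"))
    colour = node.get("colour")
    if colour is not None and not COLOUR_RE.match(colour):
        findings.append((path, f"colour {colour!r} is not #RRGGBB"))


def lint_machinetag(taxonomy: dict) -> list:
    """Return a list of (json_path, message) findings; an empty list means clean."""
    findings = []
    for key in ("namespace", "description", "version", "predicates"):
        if key not in taxonomy:
            findings.append((key, "required top-level key missing"))

    declared = set()
    for i, pred in enumerate(taxonomy.get("predicates", [])):
        path = f"predicates[{i}]"
        _check_node(pred, path, findings)
        if pred.get("value") in declared:
            findings.append((path, f"duplicate predicate {pred['value']!r}"))
        declared.add(pred.get("value"))

    for i, block in enumerate(taxonomy.get("values", [])):
        path = f"values[{i}]"
        name = block.get("predicate")
        if name not in declared:
            findings.append((path, f"entries refer to undeclared predicate {name!r}"))
        seen = set()
        for j, entry in enumerate(block.get("entry", [])):
            epath = f"{path}.entry[{j}]"
            _check_node(entry, epath, findings)
            if entry.get("value") in seen:
                findings.append((epath, f"duplicate value {entry['value']!r}"))
            seen.add(entry.get("value"))
    return findings


if __name__ == "__main__":
    # Usage: python lint_machinetag.py [path/to/machinetag.json]; no argument lints the sample.
    data = SAMPLE_MACHINETAG if len(sys.argv) < 2 else json.load(open(sys.argv[1]))
    for where, msg in lint_machinetag(data):
        print(f"{where}: {msg}")
```

Running it against the sample reports three findings: the "blue" colour on predicates[1], the empty "expanded" on values[0].entry[1], and the undeclared predicate in values[1]. Run as a pre-commit hook over every machinetag.json, it turns the opaque server-side "Expanded cannot be empty." error into a pointer at the exact entry.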
That means: uppercase, match colours, etc. But more importantly: the updated definition of TLP:AMBER. See https://www.first.org/tlp/
Covering techniques and semantic
If anyone can find a list to start with, it would be very useful to create a "targeted technology" taxonomy. This would indicate what technology a piece of malware is targeting. Like OS (windows/linux/iOs/Android/etc), browsers (Chrome, IE, Firefox, etc), middleware (Java, ActiveX, etc), etc.
OK, so I know about RTFM, but I have read, re-read, re-re-read, et al. the documentation to determine if I was losing it, or not.
I added a new directory under the /var/www/MISP/app/files/taxonomies directory, and clicked on "Update Taxonomies": nothing. Nothing showed up.
Am I missing something here? I made it the same permissions as everything else. The taxonomy was duplicated using the TLP one as its "base" (so that should've worked). So... the question is: what did I do wrong?
workflow:todo="global"
workflow:todo="expansion"
workflow:todo="review"
workflow:todo="review-for-false-positive"
workflow:todo="review-for-publication"
https://www.gesetze-im-internet.de/bsi-kritisv/BJNR095800016.html
A new taxonomy might be required.
It would be nice to be able to say that some values are mutually exclusive. For example, it should not be possible to tag something as "TLP Red" and "TLP Green". This is something that would be good to be able to do for all taxonomies.
Would probably not use it a lot myself, but if someone feels like it, ETSI has a nomenclature for infosec indicators, including for incidents that could be easily ported to a taxonomy:
http://www.etsi.org/technologies-clusters/technologies/information-security-indicators
http://www.etsi.org/deliver/etsi_gs/ISI/001_099/00101/01.01.01_60/gs_ISI00101v010101p.pdf
HTH
MISP seems so close to implementing true Knowledge Graph technology as provided through the Semantic Web community. See the Google Knowledge Graph, Facebook Graph, and DBpedia as examples. MISP can help by pushing the OASIS CTI to develop a true ontology for STIX, CyBOX, MAEC, etc. The ontology principles, graph DBs, and inference engines seem to be a perfect match for MISP. MISP Galaxies could be federated Knowledge Graphs / SPARQL Endpoints. The taxonomies need to move to the next level--employing actual ontologies. What needs to be done to move MISP in this direction?
It would be great if the taxonomy definitions would allow for a color code field that would be picked up by MISP. Right now whenever I enable a taxonomy on multiple MISP instances I need to synchronize the tag colors by hand.
Improve NIS taxonomy following ENISA work
Look at the attached graphic. When I renamed the taxonomy from "cipsectors" to "uscipsectors", then refreshed the URL, 2 copies of the same taxonomy now show up. I've made the change within "./tools/machinetag.py", as well as the directory name, and the taxonomy name to "uscipsectors". It still shows 2 of the same thing.
Got any ideas of how to remove the erroneous taxonomy?
Add TLP classification as a taxonomy
But it will only be meaningful when tags can be added to attributes since they are specific for an IOC/observable:
Targeted Threat Index
(following this ticket MISP/MISP#317) it seems more appropriate to make a taxonomy out of it.
There's a typo in the MUST NOT value:
    "predicate": "unmodified-resale",
    "entry": [
        {
            "value": "MAY",
            "expanded": "Recipients MAY resell the information received."
        },
        {
            "value": "MUST NO",
            "expanded": "Recipients MUST NOT resell the information received unmodified or in a semantically equivalent format."
Should be:
    "predicate": "unmodified-resale",
    "entry": [
        {
            "value": "MAY",
            "expanded": "Recipients MAY resell the information received."
        },
        {
            "value": "MUST NOT",
            "expanded": "Recipients MUST NOT resell the information received unmodified or in a semantically equivalent format."