
Threat level coding misleading #729

Closed
abulhol opened this issue Nov 24, 2015 · 8 comments
Labels
documentation This issue involves creating or refining documentation T: enhancement Type: enhancement. This issue requires improving an existing feature

Comments

@abulhol
Contributor

abulhol commented Nov 24, 2015

The threat level IDs to be used in the XML upload (web interface or API) seem to be:
1 = high
2 = medium
3 = low
4 = undefined
This is a) not documented anywhere and b) not intuitive.
The authors of PyMISP got it wrong right away, see upload_event.py:
"The threat level ID of the newly created event, if applicatble. [0-3]"
"0" actually lets the import fail.
Should be improved one way or the other. ;-)

@iglocska
Member

I agree, it's not too intuitive...

@adulau
Member

adulau commented Nov 24, 2015

Thank you for the notification.

Looking at the PyMISP library, it seems to be fine:

https://github.com/CIRCL/PyMISP/blob/master/pymisp/api.py#L234

But on the viper.li misp.py module, the threat id value is increased by one and from the upload.py it's indeed incorrect in the argument definition.

https://github.com/viper-framework/viper/blob/master/modules/misp.py

It's indeed quite confusing. I'll fix the upload.py script. And I'll update the misp-book to better describe what the threat id is ;-)

adulau added a commit to MISP/PyMISP that referenced this issue Nov 24, 2015
@adulau
Member

adulau commented Nov 24, 2015

There is another issue that we should fix in the MISP tool-tip concerning the threat id:

formInfoValues['EventThreatLevelId']['1'] = "Sophisticated APT malware or 0-day attack";
formInfoValues['EventThreatLevelId']['2'] = "APT malware";
formInfoValues['EventThreatLevelId']['3'] = "Mass-malware";
formInfoValues['EventThreatLevelId']['4'] = "No risk";

The level 4 which is Undefined mentions "No risk" in the tool-tip. I think there is a fundamental difference between not knowing the risk level versus "No risk". I would recommend to change it to "Risk level undefined/unknown".
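The two pitfalls raised in this thread, the 1-based and severity-inverted id scheme from the opening comment and the per-level descriptions from the tool-tip above, are easy to guard against client-side: validate the id before anything is sent, and reject the off-by-one value 0 with a message that explains the mapping. The following is an added example, not code from MISP, PyMISP or viper. It uses the mapping reported in the issue (1 = high, 2 = medium, 3 = low, 4 = undefined) and the quoted tool-tip strings, with level 4 reworded as proposed; the names ThreatLevel, parse_threat_level and build_event are the example's own, and the returned payload shape is illustrative rather than MISP's exact schema.

```python
"""Validate MISP threat_level_id values before building an upload.

Added example, not code from MISP, PyMISP or viper. The numeric mapping
(1 = high, 2 = medium, 3 = low, 4 = undefined) is the one reported in the
issue; the descriptions are the tool-tip strings quoted in the thread, with
level 4 reworded to "Risk level undefined/unknown" as proposed there. All
names here are the example's own; the payload shape is illustrative only.
"""
from enum import IntEnum


class ThreatLevel(IntEnum):
    """MISP threat_level_id values: 1-based, and 1 is the MOST severe."""
    HIGH = 1
    MEDIUM = 2
    LOW = 3
    UNDEFINED = 4


# Tool-tip text per level (level 4 uses the wording proposed in the issue).
DESCRIPTIONS = {
    ThreatLevel.HIGH: "Sophisticated APT malware or 0-day attack",
    ThreatLevel.MEDIUM: "APT malware",
    ThreatLevel.LOW: "Mass-malware",
    ThreatLevel.UNDEFINED: "Risk level undefined/unknown",
}


def parse_threat_level(value) -> ThreatLevel:
    """Accept an int, a numeric string or a level name; reject anything else.

    The common mistake is treating the field as 0-based ([0-3]); 0 is not a
    valid id and makes the MISP import fail, so it is rejected here with a
    message that says why instead of being silently passed on.
    """
    if isinstance(value, str):
        name = value.strip().upper()
        if name in ThreatLevel.__members__:
            return ThreatLevel[name]
        try:
            value = int(name)
        except ValueError:
            raise ValueError(
                f"unknown threat level {value!r}; use 1-4 or one of "
                f"{list(ThreatLevel.__members__)}"
            ) from None
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError(
            f"threat_level_id must be an int or str, got {type(value).__name__}"
        )
    try:
        return ThreatLevel(value)
    except ValueError:
        raise ValueError(
            f"threat_level_id must be 1-4 (1 = high ... 4 = undefined), got "
            f"{value}; 0 is not a valid id and is rejected by the MISP importer"
        ) from None


def build_event(info: str, threat_level, analysis: int = 0,
                distribution: int = 0) -> dict:
    """Build a minimal event dict with a validated threat_level_id.

    Illustrative payload shape only; the point is that the id is checked
    before anything is sent to a MISP instance.
    """
    level = parse_threat_level(threat_level)
    return {
        "Event": {
            "info": info,
            "threat_level_id": int(level),
            "threat_level_description": DESCRIPTIONS[level],
            "analysis": analysis,
            "distribution": distribution,
        }
    }


if __name__ == "__main__":
    # Constructed sample inputs.
    print(build_event("Example event (constructed)", "medium"))
    try:
        build_event("Off-by-one example (constructed)", 0)
    except ValueError as exc:
        print("rejected:", exc)
```

Accepting level names as well as ids means a caller never has to remember that "high" is 1 rather than 3, and rejecting 0 up front turns a silent import failure into an error at the point where the wrong assumption was made.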

@iglocska
Member

Good point, will change the description

@Rafiot Rafiot added T: enhancement Type: enhancement. This issue requires improving an existing feature documentation This issue involves creating or refining documentation labels Jan 11, 2016
@Rafiot
Member

Rafiot commented Jan 11, 2016

@iglocska Can we close the ticket?

@elhoim
Member

elhoim commented Feb 11, 2016

@iglocska ping

@Rafiot
Member

Rafiot commented Mar 23, 2016

Fixed.

@Rafiot Rafiot closed this as completed Mar 23, 2016
@packet-rat

Threat Level mapping still doesn't appear to be in the documentation(?). I've looked in the API and MISP Guide. Please advise where we should direct users for these types of questions.

6 participants