Added rrname_{ip,domain}, rdata_{ip,domain} fields

[aaronkaplan]

... as discussed with @Rafiot this is unfortuantely needed for allowing correlation with other ip addresses or domains in other objects. See the detailed comment in the previous commit please for an explanation.

@adulau, I'd appreciate a quick merge so that I can proceed. Thx :)

BTW: no idea why validate.sh complains in git status --porcelain. I did a jq_all_the_things.sh before, and that works. It's valid JSON.

[adulau]

But the approach is to create a second object (ip/domain) and add a relationship. @Rafiot not sure I understand the issue.

[aaronkaplan]

I’ll try to explain from my phone but I’ll be reachable later today via signal or mail. So the background problem is this: Rrname rrtype rdata Can be either of type: Ip PTR domain Or Domain CNAME/DName domain Or Domain A/AAAA/A6 IP Or Domain something text Or Domain SOA … Etc. you get the idea :) Now if we want to have the fields of the MISP object fields „rrname“ or „rdata“ correlated with the same fields in other MISP events which include these fields… then the types must match. Only having „text“ as type won’t allow for the correlation, right? So I see two solutions: 1) extend the passive-DNS cof MISP object as I did. in the PR or 2) create all kinds of combination MISP objects for every possible combination. Any better ideas? Did I miss something? Best, A.

…

--- Mobile

On 02.05.2021, at 20:07, Alexandre Dulaunoy ***@***.***> wrote:  But the approach is to create a second object (ip/domain) and add a relationship. @Rafiot not sure I understand the issue. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[Rafiot]

The issue is that the attribute type (on MISP) for rrname and rrdata is text. The correlation won't work if in an other event, we have the an attribute of type domain that would match an attribute of object_relation rrname in an object passive-dns.

[adulau]

Correlation works on the value. The type is disregarded.

[Rafiot]

Right. I thought it didn't. Never mind then, no need to change the template.

[aaronkaplan]

On 02.05.2021, at 22:39, Raphaël Vinot ***@***.***> wrote: Right. I thought it didn't. Never mind then, no need to change the template.

Oh man, okay. 3h of code rewriting goes down the drain :)

[Rafiot]

it doesn't go down the drain, finding the type can simply be done on the consumer side: the MISP objects are created with the currently existing template, and when you want to use the data from MISP, you figure out the type.

Advantage: you can also use the objects created by other people.

When we discussed that, I understood that the correlation wasn't possible across different types on MISP, but correlation works. and as the passive DNS reference format doesn't enforce a type for rrname or rrdata, it is just plain confusing to add all the possible types in the template, especially since there are many different other types.

And I didn't realize, but the format gives the type: https://github.com/MISP/misp-modules/pull/491/files#diff-fd991138ae0c6034d46face71f07a15e814015d7fa8cd0ec5da32a40cff0a730R84
So when you get a MISPObject passive-dns you know the type to expect.

[aaronkaplan]

On 02.05.2021, at 23:01, Raphaël Vinot ***@***.***> wrote: it doesn't go down the drain, finding the type can simply be done on the module side.

I see. So, then I suggest we do one single change: bailiwick is *always* a domain. So that would be the right type for it. And we leave the other fields in definition.json as text.

[aaronkaplan]

Okay, so that's adapted to NOT need the rrname_ip, rrname_domain and rdata_ip, rdata_domain fields.
Bailiwick was changed to domain however, since it's always a domain.

please review, @adulau and @Rafiot if that fits you now.
If so, please merge and I adapted the other code in the misp_module to fit these definitions now.

Thx!!

PS: no idea why validate.sh fails. Since jq_all_the_things.sh works.

[adulau]

Thanks a lot for the update!