certsocietegenerale / fame

FAME Automates Malware Evaluation
https://certsocietegenerale.github.io/fame/
GNU General Public License v3.0

generic question regarding JSON output and misp-object #5

Closed adulau closed 7 years ago

adulau commented 7 years ago

We did a quick review of fame and we really like the approach, the overall design and the modularity. As we are working on the object model in MISP (to be released soon), we were wondering if the fame format json output as seen in this example.

Thank you very much

gaelmuller commented 7 years ago

At the moment, we do not have any plans that would involve modifications to the JSON output format, so I would expect it to remain stable.

The results field, however, stores results provided by the modules, which is more subject to changes / evolutions.

If I understand correctly, the point would be to be able to store / share the results of a FAME analysis directly in MISP?

adulau commented 7 years ago

@gaelmuller yep, this is the idea, and to benefit from the sharing, storing and correlation from the fame report. That's why I was wondering if the format will remain stable (to make it a misp-object) or if it is better to parse the JSON and make separate existing misp-objects directly (file, pe, pe-section, ...).