ATR Core Specification
The normative wire format, identifier scheme, evaluation semantics, conformance levels, and IANA media types for ATR rules. Written for implementers, not marketing — IETF RFC style, BCP 14 normative language, SemVer contract.
Specification Outline
Full specification authored in IETF RFC style with BCP 14 normative MUST/SHOULD/MAY.
| § | Section | Link |
|---|---|---|
| 1 | Abstract | Read |
| 3 | Conventions and Terminology (RFC 2119) | Read |
| 4 | Rule Identifier (ATR-YYYY-NNNNN) | Read |
| 5 | Rule Document Structure | Read |
| 6 | Detection Semantics | Read |
| 7 | Match Output | Read |
| 8 | Canonical Categories (10) | Read |
| 9 | Crosswalks (OWASP/NIST/ISO/MITRE) | Read |
| 10 | Versioning (SemVer) | Read |
| 11 | Conformance Levels L1/L2/L3 | Read |
| 12 | Conformance Test Suite | Read |
| 13 | Security and Privacy Considerations | Read |
| 14 | IANA Considerations | Read |
Conformance Levels
Any engine claiming "ATR-Compatible" must declare a conformance level with a reproducible test report.
L1: Loads the published Corpus without parse errors. Emits Match output per Section 7.
L2: 100% pass on Conformance Test Suite (100 TP + 100 TN fixtures) for the declared Spec version.
L3: Passes L2 AND emits output in ≥2 interchange formats (JSON + SARIF/STIX 2.1/MISP/OpenCTI). Publishes FP rate on the public benign corpus.
Related Artifacts
Spec, schema, and data artifacts
Note to standards-body reviewers
This specification uses BCP 14 normative language, defines a conformance test suite, commits to a SemVer contract, and requests IANA media-type registration. Submissions for formal adoption (IETF Internet-Draft, OASIS TC) are welcomed at [email protected].