[IntelMQ-dev] classification attributes in IntelMQ Shadowserver parser schema

Kamil Mankowski mankowski at cert.at
Mon Feb 5 10:15:57 CET 2024 

Hi, thanks for the changes and reviews! They looks good to me too!

Best regards

// Kamil Mańkowski <mankowski at cert.at> - T: +43 676 898 298 7204
// CERT Austria - https://www.cert.at/
// CERT.at GmbH, FB-Nr. 561772k, HG Wien

On 2/2/24 11:48, Thomas Hungenberg via IntelMQ-dev wrote:
> Hi,
> 
> thanks a lot for your prompt response and sorry for the delay on my side.
> 
> The changes look good!
> 
> However, I have made a few additional changes:
> 
> 1)
> Make classification.identifier for honeypot_ics_scan consistent
> with other honeypot scans:
> =====================
>      "event_honeypot_ics_scan" : {
>         "constant_fields" : {
> -         "classification.identifier" : "ics",
> +         "classification.identifier" : "honeypot-ics-scan",
> =====================
> 
> This change should be documented here:
> https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
> 
> 
> 2)
> Change classification.taxonomy and classification.type from
> 
>           "classification.taxonomy" : "other",
>           "classification.type" : "other",
> 
> to
>           "classification.taxonomy" : "vulnerable",
>           "classification.type" : "vulnerable-system",
> 
> for accessible-bgp and accessible-msmq.
> 
> Not included in old _config.py, so no need to document.
> 
> 
> 3)
> Change classification.taxonomy and classification.type from
> 
>           "classification.taxonomy" : "other",
>           "classification.type" : "other",
> 
> to
>           "classification.taxonomy" : "vulnerable",
>           "classification.type" : "vulnerable-system",
> 
> for open-mysql, open-postgres, open-couchdb, open-epmd.
> 
> This change should be documented here:
> https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
> 
> 
> 4)
> Correct classification.identifier for vulnerable-http:
> =====================
>     "scan_http_vulnerable" : {
>         "constant_fields" : {
> -         "classification.identifier" : "accessible-http",
> +         "classification.identifier" : "vulnerable-http",
> 
>      "scan6_http_vulnerable" : {
>         "constant_fields" : {
> -         "classification.identifier" : "accessible-http",
> +         "classification.identifier" : "vulnerable-http",
> =====================
> 
> This change should be documented here:
> https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
> 
> 
> Please find the updates intelmq.json attached.
> 
> 
> Kind regards
> Thomas
> 
> 
> On 31.01.24 16:42, elsif wrote:
>> Hello,
>>
>> Proposed changes are attached. Please let me know if you agree with 
>> the changes or have any alterations.
>>
>> Regards
>>
>> On 1/31/24 7:05 AM, Thomas Hungenberg wrote:
>>> Hi,
>>>
>>> Sebastian (sebix) told me it was agreed that with the translation
>>> from the current parser _config.py (included with IntelMQ 3.2.1)
>>> to the new schema, no classification.* attributes will be changed.
>>>
>>> This is very important as our setup (and most probably others as well)
>>> heavily depends on known classification identifiers like "open-rdp"
>>> and classification types from the initial parsing of events up to
>>> notification_rules and formats/templates for mailgen.
>>> So with a change of a classification attribute lots of scripts and
>>> configs would need to be changed as well.
>>>
>>> Looking at the current schema, I see the classification identifiers
>>> are still correct for some feeds for both IPv4 and IPv6 like here:
>>>
>>>    "scan_dns" : {
>>>       "constant_fields" : {
>>>          "classification.identifier" : "dns-open-resolver",
>>>
>>>    "scan6_dns" : {
>>>       "constant_fields" : {
>>>          "classification.identifier" : "dns-open-resolver",
>>>
>>>
>>> However, for other feeds the classification identifier has been kept
>>> correctly for IPv4 like here:
>>>
>>>    "scan_rdp" : {
>>>       "constant_fields" : {
>>>          "classification.identifier" : "open-rdp",
>>>
>>>    "compromised_website" : {
>>>       "constant_fields" : {
>>>          "classification.identifier" : "compromised-website",
>>>
>>>
>>> but for IPv6 it has changed to the name of the feed:
>>>
>>>    "scan6_rdp" : {
>>>       "constant_fields" : {
>>>          "classification.identifier" : "scan6-rdp",   <- should be 
>>> "open-rdp"
>>>
>>>    "compromised_website6" : {
>>>       "constant_fields" : {
>>>          "classification.identifier" : "compromised-website6", <- 
>>> should be "compromised-website"
>>>
>>>
>>> The classification.identifier should describe the incident (like 
>>> "open-rdp")
>>> and not the source (like "scan6-rdp").
>>>
>>> May I ask you to check and adjust all classification identifiers and 
>>> types
>>> in the schema so they are consistent with the ones generated by the 
>>> current
>>> _config.py?
>>>
>>>
>>> Thanks a lot for all your work on the new schema based parser!
>>>
>>>
>>> Kind regards
>>> Thomas
>>>
> 
> 
> _______________________________________________
> IntelMQ-dev mailing list
> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
> https://intelmq.readthedocs.io/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20240205/41c22c6c/attachment.sig>

More information about the IntelMQ-dev mailing list