[IntelMQ-dev] classification attributes in IntelMQ Shadowserver parser schema
Filip Pokorný
filip.pokorny at csirt.cz
Mon Feb 5 10:45:27 CET 2024
Hi,
I agree with Thomas that the classification should describe content and
not the source (IPv4 vs IPv6).
Based on this I also noticed something else regarding the schema:
I believe all the Accessible-SERVICE feeds classified as
"vulnerable-system" should actually be classified as
"potentially-unwanted-accessible". They are not vulnerable per se; they
are just exposing a service to the internet, which is usually exposed by
mistake.
Best regards,
Filip Pokorný
CSIRT.CZ
On 1/31/24 16:05, Thomas Hungenberg via IntelMQ-dev wrote:
> Hi,
>
> Sebastian (sebix) told me it was agreed that with the translation
> from the current parser _config.py (included with IntelMQ 3.2.1)
> to the new schema, no classification.* attributes will be changed.
>
> This is very important as our setup (and most probably others as well)
> heavily depends on known classification identifiers like "open-rdp"
> and classification types from the initial parsing of events up to
> notification_rules and formats/templates for mailgen.
> So with a change of a classification attribute lots of scripts and
> configs would need to be changed as well.
>
> Looking at the current schema, I see the classification identifiers
> are still correct for some feeds for both IPv4 and IPv6 like here:
>
> "scan_dns" : {
> "constant_fields" : {
> "classification.identifier" : "dns-open-resolver",
>
> "scan6_dns" : {
> "constant_fields" : {
> "classification.identifier" : "dns-open-resolver",
>
>
> However, for other feeds the classification identifier has been kept
> correctly for IPv4 like here:
>
> "scan_rdp" : {
> "constant_fields" : {
> "classification.identifier" : "open-rdp",
>
> "compromised_website" : {
> "constant_fields" : {
> "classification.identifier" : "compromised-website",
>
>
> but for IPv6 it has changed to the name of the feed:
>
> "scan6_rdp" : {
> "constant_fields" : {
> "classification.identifier" : "scan6-rdp", <- should be "open-rdp"
>
> "compromised_website6" : {
> "constant_fields" : {
> "classification.identifier" : "compromised-website6", <- should be "compromised-website"
>
>
> The classification.identifier should describe the incident (like "open-rdp")
> and not the source (like "scan6-rdp").
>
> May I ask you to check and adjust all classification identifiers and types
> in the schema so they are consistent with the ones generated by the current
> _config.py?
>
>
> Thanks a lot for all your work on the new schema based parser!
>
>
> Kind regards
> Thomas
>
> _______________________________________________
> IntelMQ-dev mailing list
> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
> https://intelmq.readthedocs.io/
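A small consistency check for the problem Thomas describes, added here as an example and not part of IntelMQ or the schema work itself: it loads a schema excerpt (constructed to mirror the feeds quoted above, not the real schema file), maps each IPv6 feed (scan6_* / *6) to its IPv4 twin, and reports every classification.identifier that diverges between the two. The feed-name mapping rule and the helper names are assumptions.

```python
import json

# Constructed excerpt mirroring the feeds quoted in the thread; it is not the
# real IntelMQ Shadowserver schema file, only the keys the check needs.
SCHEMA_JSON = """
{
  "scan_dns": {"constant_fields": {"classification.identifier": "dns-open-resolver"}},
  "scan6_dns": {"constant_fields": {"classification.identifier": "dns-open-resolver"}},
  "scan_rdp": {"constant_fields": {"classification.identifier": "open-rdp"}},
  "scan6_rdp": {"constant_fields": {"classification.identifier": "scan6-rdp"}},
  "compromised_website": {"constant_fields": {"classification.identifier": "compromised-website"}},
  "compromised_website6": {"constant_fields": {"classification.identifier": "compromised-website6"}}
}
"""


def ipv4_counterpart(feed):
    """Map an IPv6 feed name to its IPv4 twin (assumed naming rule: scan6_X -> scan_X,
    X6 -> X); return None for feeds that are not IPv6 variants."""
    if feed.startswith("scan6_"):
        return "scan_" + feed[len("scan6_"):]
    if feed.endswith("6"):
        return feed[:-1]
    return None


def classification_mismatches(schema):
    """Return (ipv6_feed, ipv4_feed, ipv6_identifier, ipv4_identifier) for every
    IPv6 feed whose classification.identifier differs from its IPv4 counterpart."""
    findings = []
    for feed, entry in schema.items():
        twin = ipv4_counterpart(feed)
        if twin is None or twin not in schema:
            continue  # no IPv4 twin to compare against
        ident6 = entry.get("constant_fields", {}).get("classification.identifier")
        ident4 = schema[twin].get("constant_fields", {}).get("classification.identifier")
        if ident6 != ident4:
            findings.append((feed, twin, ident6, ident4))
    return findings


def check_schema_text(text):
    """Parse a schema JSON document and return its IPv4/IPv6 identifier mismatches."""
    return classification_mismatches(json.loads(text))


if __name__ == "__main__":
    for feed, twin, ident6, ident4 in check_schema_text(SCHEMA_JSON):
        print(f"{feed}: {ident6!r} should be {ident4!r} (as in {twin})")
```

Run against the full schema, the same function lists every feed whose identifier would change the downstream notification rules and templates Thomas mentions.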