[IntelMQ-dev] classification attributes in IntelMQ Shadowserver parser schema

Thomas Hungenberg th at cert-bund.de
Thu Feb 8 11:32:12 CET 2024


Hi Aaron,

green light for the release from my side.

Thanks for delaying it for the recent discussions.


      - Thomas

On 08.02.24 11:11, L. Aaron Kaplan wrote:
> Hi all,
> 
> thanks for the lively discussion first of all, because it shows that these things matter :)
> 
> However, my question currently is:  green light for release or not?
> What do you feel Thomas? Do you feel we need more time to discover things which would create a lot of havoc at different installations ? Or do you feel that these changes are so minimal that it's just part of the regular attentive update cycle?
> We can put that into the CHANGELOG and NEWS file of course. Would that be enough?
> 
> 
> Because I have been delaying the release a bit for the discussion to settle and in order to make sure that there are as few surprises as possible for everyone with the dynamic schema update.
> 
> Best,
> Aaron.
> 
> 
> 
>> On 08.02.2024, at 10:59, Thomas Hungenberg via IntelMQ-dev <intelmq-dev at lists.cert.at> wrote:
>>
>> On 06.02.24 13:42, Kamil Mankowski wrote:
>>> When it comes to identifier changes, I would be very conservative.
>>> They can be used for filtering, and as such changing them is potentially dangerous.
>>> I second fixes about IPv6, those were more misleading than helping, but for the rest -
>>> we need to be careful and announce the change.
>>
>> Yes, our IntelMQ setup with mailgen etc. also heavily depends on the known
>> classification identifiers. That is why I asked not to change them with the
>> switch to the dynamic schema.
>>
>> However, Shadowserver renamed some "old" feeds from "open-*" to "accessible-*"
>> some years ago (e.g. "open-telnet" -> "accessible-telnet").
>> So far, we have not adopted those changes for the classification identifiers
>> but still use "open-telnet" etc. for "old" feeds.
>> On the other hand, for newer feeds like "accessible-ftp" we use the
>> classification identifier "accessible-ftp".
>> So we have "open-telnet" but "accessible-ftp" which is not consistent.
>>
>> We should probably discuss which services are "open" and which ones are
>> "accessible" and change the classification identifiers accordingly.
>>
>> Of course, all those changes need to be documented in the CHANGELOG and
>> we should provide SQL UPDATE statements in NEWS.md like for the changes
>> in version 3.0.0.
>>
>>
>>      - Thomas
>>
>> _______________________________________________
>> IntelMQ-dev mailing list
>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
>> https://intelmq.readthedocs.io/
> 
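A worked example of the kind of migration statement the quoted message asks for in NEWS.md, added here and not taken from IntelMQ's own NEWS.md or code. It assumes the default IntelMQ PostgreSQL output schema, in which events are stored in a table named events with a column "classification.identifier" (both assumed here), and it lists only the one rename the mail names explicitly, "open-telnet" to "accessible-telnet"; further renames would be added as extra rows in the mapping table once the open/accessible decision is settled.

```sql
-- Added example, not from IntelMQ's NEWS.md.
-- Assumes the default IntelMQ PostgreSQL output: table "events" with a
-- column "classification.identifier" (quoted because of the dot).

BEGIN;

-- Mapping of old to new classification identifiers. Only the rename
-- named in the thread is listed; add one row per further rename.
CREATE TEMP TABLE identifier_rename (
    old_identifier text PRIMARY KEY,
    new_identifier text NOT NULL
);
INSERT INTO identifier_rename VALUES
    ('open-telnet', 'accessible-telnet');

-- Check what the migration would touch before changing anything.
SELECT r.old_identifier,
       r.new_identifier,
       count(e."classification.identifier") AS affected_rows
  FROM identifier_rename r
  LEFT JOIN events e
         ON e."classification.identifier" = r.old_identifier
 GROUP BY r.old_identifier, r.new_identifier;

-- Apply the rename in one statement driven by the mapping table.
UPDATE events e
   SET "classification.identifier" = r.new_identifier
  FROM identifier_rename r
 WHERE e."classification.identifier" = r.old_identifier;

-- Afterwards no row should still carry an old identifier.
SELECT count(*) AS leftover
  FROM events
 WHERE "classification.identifier" IN
       (SELECT old_identifier FROM identifier_rename);

COMMIT;  -- use ROLLBACK instead if the counts above look wrong
```

Running the count query first and wrapping the whole thing in a transaction lets an operator see the blast radius before committing. The stored events are only half of the problem the thread raises: filters in expert bots and templates in tools such as mailgen match on the same identifier strings, so those configurations need to be updated in the same maintenance window as the database.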