[IntelMQ-dev] Shadowserver parser: Bad mapping for malware events
Sebix
sebix at sebix.at
Fri Jan 26 15:30:16 CET 2024
Dear list,
On 1/26/24 11:01, Thomas Hungenberg via IntelMQ-dev wrote:
> I thought about this again in more detail.
> The classification attributes should describe the incident with
> getting more specific from taxonomy to identifier.
> So for feeds like Open-SNMP, it makes sense to set the
> classification.identifier to the feed's name like this:
>
> 'classification.taxonomy': 'vulnerable',
> 'classification.type': 'vulnerable-system',
> 'classification.identifier': 'open-snmp',
I agree.
> However, for malware events my proposal of setting the
> classification.identifier to the feed's name
> does not make sense as a feedname like "event4-microsoft-sinkhole" is
> not a specific description
> of the incident itself but rather the type of source of the information.
>
> So I think it is best to keep writing the malware name ("infection" or
> "tag") to classification.identifier
> as this is a specific description of the individual incident.
> However, the malware name ("infection" or "tag") also needs to be stored
> in malware.name for the malware name mapping to work.
> "family" should instead be stored in extra.
Originally, the intended use of classification.identifier and
malware.name was:
- malware.name contained the original (and unprocessed) malware name. It
was as specific as possible. It can have the malware variant. For
example, "b157-rL".
- The classification.* fields should be usable for aggregation,
de-duplication, statistics etc.
- For malware events, the parsers could write the malware family (e.g.
"zeus") or the malware name to the identifier.
- The family took precedence, but if not known, the more specific
malware.name could be used instead.
- It was always up to the user to replace the identifier with a more
generic malware family, e.g. using the public malware name mapping and
malpedia.
At least until 2022, IntelMQ and all its parsers fit this concept. It
may still be the case, given the recent significant changes.
https://docs.intelmq.org/latest/user/event/#meaning-of-source-and-destination-identities
still contains a short summary.
best regards
Sebastian
--
Institute for Common Good Technology
gemeinnütziger Kulturverein - nonprofit cultural society
https://commongoodtechnology.org/
ZVR 1510673578
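The field semantics described in the thread, as an added worked example (not IntelMQ's or the Shadowserver parser's own code): malware.name keeps the raw name, classification.identifier takes the family when known and otherwise falls back to the raw name, family goes to extra, and an optional user-side mapping later generalises the identifier. The sample rows, the family mapping and the taxonomy/type values are assumptions made for the example.

```python
"""Added example, not IntelMQ's parser code: map Shadowserver-style malware
rows to IntelMQ classification fields as described in the mail thread."""

# Constructed sample rows; the column names 'infection', 'tag' and
# 'family' come from the thread, the values are made up.
SAMPLE_ROWS = [
    {"infection": "zeus", "tag": "", "family": "zeus"},
    {"infection": "b157-rL", "tag": "", "family": ""},
    {"infection": "", "tag": "andromeda", "family": ""},
]

# Hypothetical local name-to-family table standing in for the public
# malware name mapping / Malpedia lookup the mail refers to.
FAMILY_MAPPING = {"andromeda": "gamarue"}


def raw_malware_name(row):
    """Unprocessed malware name: 'infection' if present, else 'tag'."""
    return row.get("infection") or row.get("tag") or None


def classify(row):
    """Fill the classification.* / malware.name fields for one row.
    Taxonomy and type values are assumed here, not taken from the thread."""
    event = {
        "classification.taxonomy": "malicious-code",
        "classification.type": "infected-system",
    }
    name = raw_malware_name(row)
    if name is None:
        return event
    event["malware.name"] = name  # original name, variant suffix included
    family = row.get("family") or ""
    # Family takes precedence for the aggregatable identifier; if unknown,
    # the more specific raw name is used instead.
    event["classification.identifier"] = family or name
    if family:
        event["extra.family"] = family
    return event


def generalise_identifier(event, mapping=FAMILY_MAPPING):
    """Optional user-side step: replace the identifier by a generic family."""
    ident = event.get("classification.identifier")
    if ident in mapping:
        return dict(event, **{"classification.identifier": mapping[ident]})
    return event


def process(rows=SAMPLE_ROWS):
    """Parser step followed by the user-side generalisation, per row."""
    return [generalise_identifier(classify(r)) for r in rows]
```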