[IntelMQ-dev] classification attributes in IntelMQ Shadowserver parser schema

Thomas Hungenberg th at cert-bund.de
Wed Jan 31 16:05:53 CET 2024


Hi,

Sebastian (sebix) told me it was agreed that with the translation
from the current parser _config.py (included with IntelMQ 3.2.1)
to the new schema, no classification.* attributes will be changed.

This is very important as our setup (and most probably others as well)
heavily depends on known classification identifiers like "open-rdp"
and classification types from the initial parsing of events up to
notification_rules and formats/templates for mailgen.
So with a change of a classification attribute lots of scripts and
configs would need to be changed as well.

Looking at the current schema, I see the classification identifiers
are still correct for some feeds for both IPv4 and IPv6 like here:

    "scan_dns" : {
       "constant_fields" : {
          "classification.identifier" : "dns-open-resolver",

    "scan6_dns" : {
       "constant_fields" : {
          "classification.identifier" : "dns-open-resolver",


However, for other feeds the classification identifier has been kept
correctly for IPv4 like here:

    "scan_rdp" : {
       "constant_fields" : {
          "classification.identifier" : "open-rdp",

    "compromised_website" : {
       "constant_fields" : {
          "classification.identifier" : "compromised-website",


but for IPv6 it has changed to the name of the feed:

    "scan6_rdp" : {
       "constant_fields" : {
          "classification.identifier" : "scan6-rdp",   <- should be "open-rdp"

    "compromised_website6" : {
       "constant_fields" : {
          "classification.identifier" : "compromised-website6",   <- should be "compromised-website"


The classification.identifier should describe the incident (like "open-rdp")
and not the source (like "scan6-rdp").

May I ask you to check and adjust all classification identifiers and types
in the schema so they are consistent with the ones generated by the current
_config.py?


Thanks a lot for all your work on the new schema based parser!


Kind regards
Thomas
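
The consistency check requested above, as an added example that is not part of the mail or of IntelMQ itself: it pairs each IPv6 feed in the schema with its IPv4 counterpart (assuming the two naming patterns visible in the quoted excerpts, `scan6_<x>` next to `scan_<x>` and `<name>6` next to `<name>`) and reports every IPv6 entry whose `classification.identifier` differs from the IPv4 one. The schema shown is a constructed sample mirroring the quoted excerpts; the same check against the identifiers produced by the old `_config.py` would use that mapping as the reference instead.

```python
import json
import re

# Constructed sample mirroring the excerpts quoted in the mail, not the real schema file.
SAMPLE_SCHEMA = json.loads("""
{
  "scan_dns": {"constant_fields": {"classification.identifier": "dns-open-resolver"}},
  "scan6_dns": {"constant_fields": {"classification.identifier": "dns-open-resolver"}},
  "scan_rdp": {"constant_fields": {"classification.identifier": "open-rdp"}},
  "scan6_rdp": {"constant_fields": {"classification.identifier": "scan6-rdp"}},
  "compromised_website": {"constant_fields": {"classification.identifier": "compromised-website"}},
  "compromised_website6": {"constant_fields": {"classification.identifier": "compromised-website6"}}
}
""")


def ipv4_counterpart(feed):
    """Map an IPv6 feed name to its IPv4 twin (assumed naming patterns:
    'scan6_<x>' -> 'scan_<x>', '<name>6' -> '<name>'). Returns None for IPv4 feeds."""
    match = re.fullmatch(r"scan6_(.+)", feed)
    if match:
        return "scan_" + match.group(1)
    if feed.endswith("6"):
        return feed[:-1]
    return None


def identifier_of(schema, feed):
    """classification.identifier of a feed, or None if the feed has no constant field for it."""
    return schema.get(feed, {}).get("constant_fields", {}).get("classification.identifier")


def find_mismatches(schema):
    """Return [(ipv6_feed, ipv6_identifier, ipv4_identifier)] for every IPv6 feed whose
    classification.identifier differs from that of its IPv4 counterpart. The identifier
    should describe the incident, so both address families must carry the same value."""
    problems = []
    for feed in schema:
        twin = ipv4_counterpart(feed)
        if twin is None or twin not in schema:
            continue  # IPv4 feed, or IPv6 feed without a counterpart to compare against
        ident, expected = identifier_of(schema, feed), identifier_of(schema, twin)
        if ident != expected:
            problems.append((feed, ident, expected))
    return problems


if __name__ == "__main__":
    for feed, ident, expected in find_mismatches(SAMPLE_SCHEMA):
        print(f'{feed}: "{ident}" should be "{expected}"')
```

Run against the real schema file by replacing `SAMPLE_SCHEMA` with `json.load(open(path))`; an empty result means every IPv6 feed carries the same identifier as its IPv4 twin.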


