[IntelMQ-dev] classification attributes in IntelMQ Shadowserver parser schema

elsif elsif at shadowserver.org
Wed Jan 31 16:42:06 CET 2024


Hello,

Proposed changes are attached. Please let me know if you agree with the 
changes or have any alterations.

Regards

On 1/31/24 7:05 AM, Thomas Hungenberg wrote:
> Hi,
>
> Sebastian (sebix) told me it was agreed that with the translation
> from the current parser _config.py (included with IntelMQ 3.2.1)
> to the new schema, no classification.* attributes will be changed.
>
> This is very important as our setup (and most probably others as well)
> heavily depends on known classification identifiers like "open-rdp"
> and classification types from the initial parsing of events up to
> notification_rules and formats/templates for mailgen.
> So with a change of a classification attribute lots of scripts and
> configs would need to be changed as well.
>
> Looking at the current schema, I see the classification identifiers
> are still correct for some feeds for both IPv4 and IPv6 like here:
>
>    "scan_dns" : {
>       "constant_fields" : {
>          "classification.identifier" : "dns-open-resolver",
>
>    "scan6_dns" : {
>       "constant_fields" : {
>          "classification.identifier" : "dns-open-resolver",
>
>
> However, for other feeds the classification identifier has been kept
> correctly for IPv4 like here:
>
>    "scan_rdp" : {
>       "constant_fields" : {
>          "classification.identifier" : "open-rdp",
>
>    "compromised_website" : {
>       "constant_fields" : {
>          "classification.identifier" : "compromised-website",
>
>
> but for IPv6 it has changed to the name of the feed:
>
>    "scan6_rdp" : {
>       "constant_fields" : {
>          "classification.identifier" : "scan6-rdp",   <- should be "open-rdp"
>
>    "compromised_website6" : {
>       "constant_fields" : {
>          "classification.identifier" : "compromised-website6", <- should be "compromised-website"
>
>
> The classification.identifier should describe the incident (like "open-rdp")
> and not the source (like "scan6-rdp").
>
> May I ask you to check and adjust all classification identifiers and types
> in the schema so they are consistent with the ones generated by the current
> _config.py?
>
>
> Thanks a lot for all your work on the new schema based parser!
>
>
> Kind regards
> Thomas
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: intelmq.json
Type: application/json
Size: 586798 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20240131/80afd518/attachment-0001.json>
