The current classification scheme for malware events in shadowserver/parser/config.py is:
    'constant_fields': {
        'classification.taxonomy': 'malicious code',
        'classification.type': 'botnet drone',
        'classification.identifier': 'botnet',
    },
The modify expert (if used) overwrites the classification.identifier
with a malware name (either a "harmonized" name or the value of
malware.name as default).
Last year, we discussed dropping the term "botnet (drone)" and
replacing it by "infected system" (as not all malware-infected
systems are necessarily part of a botnet).
The config.py in branch develop currently looks like:
    'classification.taxonomy': 'malicious code',
    'classification.type': 'botnet drone',
    'classification.identifier': 'infected system',
However, my intention was to set the *type* to 'infected system'
and not the *identifier* (which will be overwritten by the modify expert).
So I'd like to propose to change the classification scheme as follows:
    'classification.taxonomy': 'malicious code',
    'classification.type': 'infected system',
    'classification.identifier': 'malware',  # default name, will be overwritten by modify expert
So the final classification of an event will look like:
    'classification.taxonomy': 'malicious code',
    'classification.type': 'infected system',
    'classification.identifier': 'ramnit',
Thoughts? Objections?
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
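The following is an added illustration and not part of the message above nor IntelMQ's own code: it models the parser applying its constant fields and then a simplified stand-in for the modify expert overwriting classification.identifier with a harmonized name (or malware.name as the fallback). Running it against both the develop-branch constants and the proposed constants shows why the *type* has to carry "infected system": whatever is placed in the identifier is lost once the modify expert runs. The harmonization table, the helper names and the sample events are constructed for this example.

```python
import copy

# Constant fields as currently found in the develop branch (for comparison).
DEVELOP_CONSTANT_FIELDS = {
    'classification.taxonomy': 'malicious code',
    'classification.type': 'botnet drone',
    'classification.identifier': 'infected system',
}

# Constant fields as proposed in the message above.
PROPOSED_CONSTANT_FIELDS = {
    'classification.taxonomy': 'malicious code',
    'classification.type': 'infected system',
    'classification.identifier': 'malware',  # default, overwritten below
}

# Constructed "harmonized" name table (not IntelMQ's real mapping):
# raw feed names, lower-cased, mapped to a canonical family name.
HARMONIZED_NAMES = {
    'ramnit': 'ramnit',
    'example-alias': 'example-family',  # constructed alias -> family
}


def parse_event(raw_malware_name, constant_fields):
    """Mimic the parser: an event carrying the feed's malware name plus the
    configured constant classification fields."""
    event = {'malware.name': raw_malware_name}
    event.update(copy.deepcopy(constant_fields))
    return event


def modify_expert(event):
    """Simplified stand-in for the modify expert: overwrite the identifier
    with the harmonized name when one is known, else with malware.name.
    Events without malware.name are passed through unchanged."""
    name = event.get('malware.name')
    if not name:
        return dict(event)
    modified = dict(event)
    modified['classification.identifier'] = HARMONIZED_NAMES.get(name.lower(), name)
    return modified


def classify(raw_malware_name, constant_fields):
    """Full pipeline for one event: parser constants, then modify expert."""
    return modify_expert(parse_event(raw_malware_name, constant_fields))


if __name__ == '__main__':
    for label, fields in (('develop', DEVELOP_CONSTANT_FIELDS),
                          ('proposed', PROPOSED_CONSTANT_FIELDS)):
        print(label, classify('ramnit', fields))
```

With the develop-branch constants the final event still reads type 'botnet drone' and identifier 'ramnit', so the "infected system" wording never reaches the consumer; with the proposed constants the final event is exactly the one shown in the message.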