The revised mapping is attached below.
The 'badsecret_secret' was added late in the day yesterday, so it was only partially populated.
Regards,
Jason
--
{
  "constant_fields": {
    "classification.identifier": "badsecret",
    "classification.taxonomy": "vulnerable",
    "classification.type": "weak-crypto",
    "protocol.application": "http"
  },
  "feed_name": "IPv6-Badsecrets",
  "file_name": "scan6_badsecrets",
  "optional_fields": [
    ["extra.badsecret_value", "badsecret_product", "validate_to_none"],
    ["extra.http_version", "http", "validate_to_none"],
    ["extra.http_server", "server", "validate_to_none"],
    ["extra.http_path", "request_path", "validate_to_none"],
    ["extra.", "severity", "validate_to_none"],
    ["protocol.transport", "protocol"],
    ["source.reverse_dns", "hostname"],
    ["extra.", "tag"],
    ["source.asn", "asn", "invalidate_zero"],
    ["source.geolocation.cc", "geo"],
    ["source.geolocation.region", "region"],
    ["source.geolocation.city", "city"],
    ["extra.source.naics", "naics", "invalidate_zero"],
    ["extra.", "hostname_source", "validate_to_none"],
    ["extra.source.sector", "sector", "validate_to_none"],
    ["extra.", "badsecret_location", "validate_to_none"],
    ["extra.", "badsecret_module", "validate_to_none"],
    ["extra.", "badsecret_type", "validate_to_none"],
    ["extra.", "http_code", "convert_int"],
    ["extra.", "cert_serial_number", "validate_to_none"],
    ["extra.", "subject_common_name", "validate_to_none"],
    ["extra.", "issuer_common_name", "validate_to_none"],
    ["extra.", "subject_organization_name", "validate_to_none"],
    ["extra.", "issuer_organization_name", "validate_to_none"],
    ["extra.", "sha1_fingerprint", "validate_to_none"],
    ["extra.", "sha256_fingerprint", "validate_to_none"],
    ["extra.", "badsecret_secret", "validate_to_none"]
  ],
  "required_fields": [
    ["time.source", "timestamp", "add_UTC_to_timestamp"],
    ["source.ip", "ip", "validate_ip"],
    ["source.port", "port", "convert_int"]
  ],
  "url": "https://www.shadowserver.org/what-we-do/network-reporting/badsecrets-report/"
}
{
  "constant_fields": {
    "classification.identifier": "badsecret",
    "classification.taxonomy": "vulnerable",
    "classification.type": "weak-crypto",
    "protocol.application": "http"
  },
  "feed_name": "Badsecrets",
  "file_name": "scan_badsecrets",
  "optional_fields": [
    ["extra.badsecret_value", "badsecret_product", "validate_to_none"],
    ["extra.http_version", "http", "validate_to_none"],
    ["extra.http_server", "server", "validate_to_none"],
    ["extra.http_path", "request_path", "validate_to_none"],
    ["extra.", "severity", "validate_to_none"],
    ["protocol.transport", "protocol"],
    ["source.reverse_dns", "hostname"],
    ["extra.", "tag", "validate_to_none"],
    ["source.asn", "asn", "invalidate_zero"],
    ["source.geolocation.cc", "geo"],
    ["source.geolocation.region", "region"],
    ["source.geolocation.city", "city"],
    ["extra.source.naics", "naics", "invalidate_zero"],
    ["extra.", "hostname_source", "validate_to_none"],
    ["extra.source.sector", "sector", "validate_to_none"],
    ["extra.", "badsecret_location", "validate_to_none"],
    ["extra.", "badsecret_module", "validate_to_none"],
    ["extra.", "badsecret_type", "validate_to_none"],
    ["extra.", "http_code", "convert_int"],
    ["extra.", "cert_serial_number", "validate_to_none"],
    ["extra.", "subject_common_name", "validate_to_none"],
    ["extra.", "issuer_common_name", "validate_to_none"],
    ["extra.", "subject_organization_name", "validate_to_none"],
    ["extra.", "issuer_organization_name", "validate_to_none"],
    ["extra.", "sha1_fingerprint", "validate_to_none"],
    ["extra.", "sha256_fingerprint", "validate_to_none"],
    ["extra.", "badsecret_secret", "validate_to_none"]
  ],
  "required_fields": [
    ["time.source", "timestamp", "add_UTC_to_timestamp"],
    ["source.ip", "ip", "validate_ip"],
    ["source.port", "port", "convert_int"]
  ],
  "url": "https://www.shadowserver.org/what-we-do/network-reporting/badsecrets-report/"
}
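To make the mapping above concrete, here is an added example (not IntelMQ's own parser code, and not part of the thread) that applies a subset of the "Badsecrets" mapping to one constructed report row. It shows the three sections at work: constant_fields are copied as-is, required_fields must be present and non-empty, and optional_fields are converted by the named function and silently dropped when the converter yields None. That last point is what makes a partially populated column such as badsecret_secret simply disappear from the event rather than appear as an empty string. The converter functions are simplified re-implementations written from their names; the real IntelMQ converters may differ in detail, and the "extra." prefix rule (a target ending in "." keeps the report's column name) is assumed from the mapping's shape.

```python
"""Apply a Shadowserver-to-IntelMQ field mapping to a report row.

Added example, not IntelMQ's own parser. Converter behaviour is a
simplified assumption based on the converter names in the mapping.
"""
import csv
import io
import ipaddress

# Subset of the "Badsecrets" mapping posted in the thread.
BADSECRETS_MAPPING = {
    "constant_fields": {
        "classification.identifier": "badsecret",
        "classification.taxonomy": "vulnerable",
        "classification.type": "weak-crypto",
        "protocol.application": "http",
    },
    "required_fields": [
        ["time.source", "timestamp", "add_UTC_to_timestamp"],
        ["source.ip", "ip", "validate_ip"],
        ["source.port", "port", "convert_int"],
    ],
    "optional_fields": [
        ["extra.badsecret_value", "badsecret_product", "validate_to_none"],
        ["extra.http_server", "server", "validate_to_none"],
        ["protocol.transport", "protocol"],
        ["source.reverse_dns", "hostname"],
        ["extra.", "tag", "validate_to_none"],
        ["source.asn", "asn", "invalidate_zero"],
        ["source.geolocation.cc", "geo"],
        ["extra.", "badsecret_type", "validate_to_none"],
        ["extra.", "http_code", "convert_int"],
        ["extra.", "badsecret_secret", "validate_to_none"],
    ],
}

# Constructed sample report: column names follow the mapping, values are made
# up. Note asn is 0 and badsecret_secret is empty, mirroring a partial row.
SAMPLE_CSV = (
    "timestamp,ip,port,protocol,hostname,tag,asn,geo,server,"
    "badsecret_product,badsecret_type,http_code,badsecret_secret\n"
    "2025-09-09 00:00:00,192.0.2.10,443,tcp,www.example.net,badsecrets,0,US,"
    "nginx/1.24.0,Django,cookie,200,\n"
)


def validate_to_none(value):
    """Empty or placeholder values ('0', '-') become None (assumed rule)."""
    return None if value in ("", "0", "-") else value


def invalidate_zero(value):
    """Numeric field where 0 means 'unknown' (e.g. ASN) becomes None."""
    return int(value) if value not in ("", "0") else None


def convert_int(value):
    return int(value) if value != "" else None


def validate_ip(value):
    """Raise ValueError on anything that is not a valid IPv4/IPv6 address."""
    return str(ipaddress.ip_address(value))


def add_UTC_to_timestamp(value):
    return value + " UTC" if value else None


CONVERTERS = {f.__name__: f for f in (
    validate_to_none, invalidate_zero, convert_int, validate_ip,
    add_UTC_to_timestamp)}


def apply_mapping(mapping, row):
    """Turn one CSV row (dict) into an IntelMQ-style flat event dict."""
    event = dict(mapping["constant_fields"])
    sections = ((True, mapping["required_fields"]),
                (False, mapping["optional_fields"]))
    for required, fields in sections:
        for target, column, *conv in fields:
            if column not in row:
                if required:
                    raise ValueError(f"required column {column!r} missing")
                continue
            value = row[column]
            if conv:
                value = CONVERTERS[conv[0]](value)
            if value is None:
                if required:
                    raise ValueError(f"required column {column!r} is empty")
                continue  # optional field with no usable value is omitted
            # A target ending in '.' keeps the report's own column name.
            key = target + column if target.endswith(".") else target
            event[key] = value
    return event


def parse_report(text, mapping=BADSECRETS_MAPPING):
    """Parse a whole CSV report into a list of events."""
    return [apply_mapping(mapping, row) for row in csv.DictReader(io.StringIO(text))]


if __name__ == "__main__":
    for ev in parse_report(SAMPLE_CSV):
        for key in sorted(ev):
            print(f"{key}: {ev[key]}")
```

Running it on the sample row yields an event with classification.type "weak-crypto", source.port as the integer 443, extra.badsecret_value "Django" and extra.http_code 200, while source.asn and extra.badsecret_secret are absent because their converters returned None.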
On 9/9/25 2:44 AM, Thomas Hungenberg via IntelMQ-dev wrote:
> On 09.09.25 09:25, Kamil Mankowski via IntelMQ-dev wrote:
>> I believe it could match both categories, so the question to others - what suits better from the operators' perspective?
> I think "weak-crypto" perfectly fits here and the classification.type should also be changed to "weak-crypto" for ssl-poodle and ssl-freak.
>> "extra.http_server_version", "server", "validate_to_none"
> The value of "server" is not only a version number but also includes the product name (like Apache or nginx). So how about writing this to "extra.http_server" (without "_version")?
> Btw, I think the term "product" is quite confusing here. While the authors of the badsecrets library use it for "cryptographic product" I think most people will associate the name of an affected product like "Django" or "Rails" with "product".
> So I wonder if something like "extra.badsecret_value" would be a better place to store the value of "badsecret_product" to avoid confusion?
> I also wonder why the value of "badsecret_secret" is empty in most cases in the reports. Shouldn't this value always be available if a known secret has been detected?
> - Thomas
IntelMQ-dev mailing list -- intelmq-dev@lists.cert.at To unsubscribe send an email to intelmq-dev-leave@lists.cert.at