On 08/09/2025 10:03, Kamil Mankowski via IntelMQ-dev wrote:
Mapping looks good to me - I was considering usage of "weak-crypto" type, but the scan seems to be concentrated on misconfiguration (default secrets). Thus, the vulnerable-system works better.
Most weak cryptography is bad configuration and to some extent every vulnerability is also bad configuration (reach-ability from the internet, no updates etc.). IMHO this feed perfectly fits the definition of weak-crypto. Its description is: "Publicly accessible services offering weak cryptography, e.g., web servers susceptible to POODLE/FREAK attacks."
I'm wondering more if the term "badsecrets" (used as classification.identifier) is widely known in the industry or if it is otherwise self-explanatory. To me it seems to be very generic and nondescript.
Feedback on the field naming:
On 08/09/2025 17:01, elsif via IntelMQ-dev wrote:
[ "extra.", "http", "validate_to_none" ],
According to your website this is the HTTP version used, so better: "http_version"
[ "extra.", "server", "validate_to_none" ],
The website says "HTTP Server type", so the wording here is very ambiguous. What about http_server_version?
In the next IntelMQ version the correct field will be product.full_name (https://github.com/certtools/intelmq/pull/2574). So, we will need different schemas per IntelMQ version 🤔️
[ "extra.", "request_path", "validate_to_none" ],
Other Shadowserver Feeds use http_path. Another common name is urlpath (parsers fireeye and ctip).