Mapping looks good to me - I was considering usage of "weak-crypto" type, but the scan seems to be concentrated on misconfiguration (default secrets). Thus, the vulnerable-system works better.
Most weak cryptography is bad configuration, and to some extent every vulnerability is also bad configuration (reachability from the internet, no updates etc.).

IMHO this feed perfectly fits the definition of weak-crypto. Its description is: "Publicly accessible services offering weak cryptography, e.g., web servers susceptible to POODLE/FREAK attacks."
I'm wondering more if the term "badsecrets" (used as classification.identifier) is widely known in the industry or if it is otherwise self-explanatory. To me it seems to be very generic and nondescript.
Feedback on the field naming:
According to your website, this is the HTTP version used, so better: "http_version".

    [
        "extra.",
        "http",
        "validate_to_none"
    ],
    [
        "extra.",
        "server",
        "validate_to_none"
    ],
The website says "HTTP Server type", so the wording here is very ambiguous. What about http_server_version?
In the next IntelMQ version the correct field will be product.full_name (https://github.com/certtools/intelmq/pull/2574). So, we will need different schemas per IntelMQ version 🤔️
Other Shadowserver Feeds use http_path. Another common name is urlpath (parsers fireeye and ctip).

    [
        "extra.",
        "request_path",
        "validate_to_none"
    ],
-- 
Institute for Common Good Technology
gemeinnütziger Kulturverein - nonprofit cultural society
https://commongoodtechnology.org/
ZVR 1510673578