Please see the revised mapping below.
Regards,
Jason
--
{
"constant_fields" : {
"classification.identifier" : "accessible-ike",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "ipsec"
},
"feed_name" : "IPv6-Accessible-ISAKMP",
"file_name" : "population6_isakmp",
"optional_fields" : [
[
"extra.isakmp_exchange_type",
"exchange_type"
],
[
"extra.isakmp_spi_size",
"spi_size",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"initiator_spi",
"validate_to_none"
],
[
"extra.",
"responder_spi",
"validate_to_none"
],
[
"extra.",
"next_payload",
"validate_to_none"
],
[
"extra.",
"flags",
"validate_to_none"
],
[
"extra.",
"message_id",
"validate_to_none"
],
[
"extra.",
"next_payload2",
"validate_to_none"
],
[
"extra.",
"domain_of_interpretation",
"validate_to_none"
],
[
"extra.",
"protocol_id",
"validate_to_none"
],
[
"extra.",
"notify_message_type",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" :
"https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp-report/"
}
{
"constant_fields" : {
"classification.identifier" : "accessible-ike",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "ipsec"
},
"feed_name" : "Accessible-ISAKMP",
"file_name" : "population_isakmp",
"optional_fields" : [
[
"extra.isakmp_exchange_type",
"exchange_type"
],
[
"extra.isakmp_spi_size",
"spi_size",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"initiator_spi",
"validate_to_none"
],
[
"extra.",
"responder_spi",
"validate_to_none"
],
[
"extra.",
"next_payload",
"validate_to_none"
],
[
"extra.",
"flags",
"validate_to_none"
],
[
"extra.",
"message_id",
"validate_to_none"
],
[
"extra.",
"next_payload2",
"validate_to_none"
],
[
"extra.",
"domain_of_interpretation",
"validate_to_none"
],
[
"extra.",
"protocol_id",
"validate_to_none"
],
[
"extra.",
"notify_message_type",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" :
"https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp-report/"
}
Hi!
On 04/09/2025 17:06, elsif via IntelMQ-dev wrote:
"optional_fields" : [
Is that the size of a serial interface?
[
"extra.",
"spi_size",
"convert_int"
],
[
"extra.",
"exchange_type",
"validate_to_none"
],
Does that indicate what type of trade that is?
These two could be given different names to be clearer and better reflect their actual meaning, for example by adding an `isakmp_` prefix.
Best regards
Sebastian
-- Institute for Common Good Technology gemeinnütziger Kulturverein - nonprofit cultural society https://commongoodtechnology.org/ ZVR 1510673578