Folks,
I've been looking at some of the data that we recently processed with our IntelMQ setup (leading to https://cert.at/de/aktuelles/2023/8/verwundbare-webserver-status-in-osterrei...), and I found that we need a few changes to IntelMQ to better process these kind of feeds.
What happened? Initially, our focus with IntelMQ was on botnet drones which were detected via sinkholing. That's why we have the source.*, destination.*, and malware.* parameters in the data model. A C2 communication was the main inspiration.
These days, a majority of the data feeds we process are generated by scanning the Internet. That can be Shodan, that can be Shadowserver, that can be from our own local scans. This is fine and good, it gives us valuable telemetry on what's going on in our constituency.
But the fields needed to store the data in a consistent way are missing in the current iteration of the IDF. I don't want to pack that into extra.* or any non-standard field, I think we should come to an agreement what those elements are and how they should be handled.
Here are some of the data fields I'm missing:
What did the scanning find?
* vendor * product * software version
Are there any problems with it?
* Vulnerability identifier (CVE or other, potentially multi-valued, which is another can of worms) * Severity information (e.g. associated CVSS score) * CWE IDs (https://cwe.mitre.org/index.html)
Generic tagging
* I see e.g. "iot", "ics" or similar ones popping up.
As a minimum I think we need "vendor", "product" and "vulnerability".
What do you all think?
otmar
-----------
References:
There is e.g.:
os string Operating system platform string product string Name of the software that powers the service. vendor string
https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-re...
info on the vendor and CVEs is stored in the tag field.