Hi Jason,
thanks for the update.
I noticed you changed
"feed_name" : "IPv6-Accessible-IMAP" to "feed_name" : "Accessible-IMAP IPv6",
and
"feed_name" : "IPv6-Accessible-POP3", to "feed_name" : "Accessible-POP3 IPv6",
but kept
"feed_name" : "IPv6-Vulnerable-IMAP" "feed_name" : "IPv6-Vulnerable-POP3"
This should be made consistent.
I'd suggest changing the latter to
"feed_name" : "Vulnerable-IMAP IPv6" "feed_name" : "Vulnerable-POP3 IPv6"
as well.
In the schema, most IPv6 feed names start with "IPv6-":
"feed_name" : "IPv6-Accessible-ActiveMQ" "feed_name" : "IPv6-Accessible-BGP" "feed_name" : "IPv6-Accessible-CWMP" "feed_name" : "IPv6-Accessible-FTP"
while others have an " IPv6" suffix:
"feed_name" : "Sinkhole-Events-HTTP IPv6" "feed_name" : "Sinkhole-Events-HTTP-Referer IPv6" "feed_name" : "Sinkhole-Events IPv6"
We should make this consistent with some future update as well. (I'd prefer the latter format for all feed names.)
You removed the mapping for the following fields:
freak_cipher_suite
freak_vulnerable
raw_cert
raw_cert_chain
Maybe there are additional fields that could/should be removed from the IMAP/POP3 reports? Piotr is looking into this now.
We should postpone the publication of the schema until the final format of the reports is set.
Thanks for all your work on this!
Regards,
Thomas
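As an added illustration of the two consistency points raised in this thread (the "IPv6-" prefix versus " IPv6" suffix in feed names, and older report names whose classification identifier still uses the "open-" form while the report is called "Accessible-*"), here is a small lint script. It is example code written for this thread, not part of IntelMQ or of the Shadowserver schema. The flat layout it reads (report key -> {"feed_name", "classification_identifier"}) and the sample entries are constructed for the example and do not reproduce the real schema file; adapt the two key names before running it against an actual schema.

```python
"""Lint a Shadowserver-style schema for the naming inconsistencies discussed in the thread.

Example code for this discussion, not IntelMQ's or Shadowserver's own code.
Assumed layout: {report_key: {"feed_name": ..., "classification_identifier": ...}}.
"""
import json
import re

# Constructed sample data modelled on the snippets quoted in the thread (not the real schema).
SAMPLE_SCHEMA_JSON = json.dumps({
    "scan6_imap": {"feed_name": "Accessible-IMAP IPv6", "classification_identifier": "open-imap"},
    "scan6_pop3": {"feed_name": "Accessible-POP3 IPv6", "classification_identifier": "open-pop3"},
    "scan6_imap_vulnerable": {"feed_name": "IPv6-Vulnerable-IMAP", "classification_identifier": "vulnerable-imap"},
    "scan6_pop3_vulnerable": {"feed_name": "IPv6-Vulnerable-POP3", "classification_identifier": "vulnerable-pop3"},
    "scan6_ftp": {"feed_name": "IPv6-Accessible-FTP", "classification_identifier": "accessible-ftp"},
    "sinkhole6_http": {"feed_name": "Sinkhole-Events-HTTP IPv6", "classification_identifier": "sinkhole-events-http"},
    "scan_rdp": {"feed_name": "Accessible-RDP", "classification_identifier": "open-rdp"},
    "scan_adb": {"feed_name": "Accessible-ADB", "classification_identifier": "accessible-adb"},
})

IPV6_PREFIX = re.compile(r"^IPv6-(.+)$")   # "IPv6-Accessible-FTP"
IPV6_SUFFIX = re.compile(r"^(.+) IPv6$")   # "Accessible-FTP IPv6"


def split_ipv6_marker(feed_name):
    """Return (base_name, style); style is 'prefix', 'suffix', or None when no IPv6 marker is present."""
    m = IPV6_PREFIX.match(feed_name)
    if m:
        return m.group(1), "prefix"
    m = IPV6_SUFFIX.match(feed_name)
    if m:
        return m.group(1), "suffix"
    return feed_name, None


def normalize_feed_name(feed_name):
    """Rewrite 'IPv6-<Name>' to '<Name> IPv6' (the suffix form preferred in the thread); others unchanged."""
    base, style = split_ipv6_marker(feed_name)
    return f"{base} IPv6" if style == "prefix" else feed_name


def expected_identifier(feed_name):
    """Identifier implied by the report name: the base name without the IPv6 marker, lowercased."""
    base, _ = split_ipv6_marker(feed_name)
    return base.lower()


def lint_schema(schema_json):
    """Report mixed IPv6 naming styles, proposed renames, and identifier/report-name mismatches."""
    schema = json.loads(schema_json)
    styles = {"prefix": [], "suffix": []}
    renames = {}
    identifier_mismatches = {}
    for report, entry in schema.items():
        feed_name = entry["feed_name"]
        _, style = split_ipv6_marker(feed_name)
        if style is not None:
            styles[style].append(feed_name)
        if style == "prefix":
            renames[feed_name] = normalize_feed_name(feed_name)
        actual = entry["classification_identifier"]
        wanted = expected_identifier(feed_name)
        if actual != wanted:
            identifier_mismatches[report] = (actual, wanted)
    return {
        "mixed_ipv6_styles": bool(styles["prefix"]) and bool(styles["suffix"]),
        "styles": styles,
        "renames": renames,
        "identifier_mismatches": identifier_mismatches,
    }


if __name__ == "__main__":
    print(json.dumps(lint_schema(SAMPLE_SCHEMA_JSON), indent=2))
```

On the sample data the script flags the schema as mixing both IPv6 styles, proposes "Vulnerable-IMAP IPv6", "Vulnerable-POP3 IPv6" and "Accessible-FTP IPv6" as renames, and lists the entries whose identifier is still "open-*" although the report is named "Accessible-*"; entries such as the sinkhole feeds, whose identifier already matches the report name, are not reported.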
On 02.01.25 16:18, elsif wrote:
Hello,
Attached is the revised schema with your suggestions.
Please let me know if any additional changes are needed or if the schema is ready to be published.
Regards,
Jason
On 1/2/25 4:56 AM, Thomas Hungenberg wrote:
Hi Jason,
thanks a lot for providing the schema update!
I'd like to propose changing the classification identifier "open-pop3" to "accessible-pop3" and "open-imap" to "accessible-imap".
For some (newer) reports like Accessible-ADB the report names already match the classification identifier. Several older reports have been renamed from Open-* to Accessible-* (like Accessible-RDP) but IntelMQ still uses the old open-* classification identifiers. This still needs to be adjusted along with some other inconsistencies at some point in the future.
I noticed the POP3/IMAP reports include several fields like "freak_cipher_suite", "freak_vulnerable", "raw_cert" and others not mentioned under "FIELDS" on the corresponding webpages. Looks like those fields are always empty and they are probably not of interest in this context as there are dedicated Accessible-SSL and SSL/FREAK reports.
Piotr is now looking into this.
So the mapping for some fields probably needs to be removed from the schema.
Regards,
Thomas
On 30.12.24 18:09, elsif wrote:
Hello,
We have new reports for POP3 and IMAP that will be available soon.
https://www.shadowserver.org/what-we-do/network-reporting/accessible-imap-re...
https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-imap-re...
https://www.shadowserver.org/what-we-do/network-reporting/accessible-pop3-re...
https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-pop3-re...
The draft schema is attached. Please let me know if any changes are needed or if the schema is ready to be published.
Regards,
Jason
IntelMQ-dev mailing list
https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
https://docs.intelmq.org/