{ "_meta" : { "change_log" : [ "The 'classification.identifier' has been updated to describe the incident for the compromised_website6, population6_bgp, population6_msmq, population_bgp, population_msmq, scan6_activemq, scan6_bgp, scan6_cwmp, scan6_elasticsearch, scan6_ipp, scan6_mqtt, scan6_mqtt_anon, scan6_mysql, scan6_postgres, scan6_rdp, scan6_slp, scan6_smb, scan6_smtp, scan6_smtp_vulnerable, scan6_snmp, scan6_ssh, scan6_ssl, scan6_ssl_freak, scan6_ssl_poodle, scan6_stun, scan6_telnet, and scan6_vnc reports." ], "date_created" : "2024-01-31T15:37:08Z" }, "blocklist" : { "constant_fields" : { "classification.identifier" : "blacklisted-ip", "classification.taxonomy" : "other", "classification.type" : "blacklist" }, "feed_name" : "Blocklist", "file_name" : "blocklist", "optional_fields" : [ [ "source.network", "ip", "validate_network" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "source", "validate_to_none" ], [ "extra.", "reason", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/blocklist-report/" }, "compromised_account" : { "constant_fields" : { "classification.identifier" : "compromised-account", "classification.taxonomy" : "information-content-security", "classification.type" : "data-leak" }, "feed_name" : "Compromised-Account", "file_name" : "compromised_account", "optional_fields" : [ [ "source.account", "username", "validate_to_none" ], [ "event_description.text", "detail", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "email", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "source_url", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "status", "status" ], [ "extra.", "severity", "validate_to_none" ], [ "extra.", "service", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/compromised-account-report/" }, "compromised_website" : { "constant_fields" : { "classification.identifier" : "compromised-website", "classification.taxonomy" : "intrusions", "classification.type" : "system-compromise" }, "feed_name" : "Compromised-Website", "file_name" : "compromised_website", "optional_fields" : [ [ "protocol.application", "application", "validate_to_none" ], [ "source.url", "url", "convert_http_host_and_url", true ], [ "source.fqdn", "http_host", "validate_fqdn" ], [ "event_description.text", "category", "category_or_detail", true ], [ "malware.name", "family", "validate_to_none" ], [ "source.account", "account", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "system", "validate_to_none" ], [ "extra.", "detected_since", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "redirect_target", "validate_to_none" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "cc_url", "validate_to_none" ], [ "status", "status" ], [ "extra.", "detail", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/" }, "compromised_website6" : { "constant_fields" : { "classification.identifier" : "compromised-website", "classification.taxonomy" : "intrusions", "classification.type" : "system-compromise" }, "feed_name" : "IPv6-Compromised-Website", "file_name" : "compromised_website6", "optional_fields" : [ [ "protocol.application", "application", "validate_to_none" ], [ "source.url", "url", "convert_http_host_and_url", true ], [ "source.fqdn", "http_host", "validate_fqdn" ], [ "event_description.text", "category", "category_or_detail", true ], [ "malware.name", "family", "validate_to_none" ], [ "source.account", "account", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "system", "validate_to_none" ], [ "extra.", "detected_since", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "redirect_target", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "cc_url", "validate_to_none" ], [ "status", "status" ], [ "extra.", "detail", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/" }, "device_id" : { "constant_fields" : { "classification.identifier" : "device-id", "classification.taxonomy" : "other", "classification.type" : "undetermined" }, "feed_name" : "Device-Identification IPv4", "file_name" : "device_id", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/" }, "device_id6" : { "constant_fields" : { "classification.identifier" : "device-id", "classification.taxonomy" : "other", "classification.type" : "undetermined" }, "feed_name" : "Device-Identification IPv6", "file_name" : "device_id6", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "event4_microsoft_sinkhole" : { "constant_fields" : { "classification.taxonomy" : "malicious-code", "classification.type" : "infected-system" }, "feed_name" : "Microsoft-Sinkhole-Events IPv4", "file_name" : "event4_microsoft_sinkhole", "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "ssl_cipher", "validate_to_none" ], [ "extra.", "ssl_servername", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ] }, "event4_microsoft_sinkhole_http" : { "constant_fields" : { "classification.taxonomy" : "malicious-code", "classification.type" : "infected-system", "protocol.application" : "http" }, "feed_name" : "Microsoft-Sinkhole-Events-HTTP IPv4", "file_name" : "event4_microsoft_sinkhole_http", "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "destination.url", "http_url", "convert_http_host_and_url", true ], [ "destination.fqdn", "http_host", "validate_fqdn" ], [ "extra.", "http_agent", "validate_to_none" ], [ "extra.", "forwarded_by", "validate_to_none" ], [ "extra.", "ssl_cipher", "validate_to_none" ], [ "extra.", "http_referer", "validate_to_none" ], [ "extra.", "ssl_servername", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ] }, "event6_sinkhole" : { "constant_fields" : { "classification.taxonomy" : "malicious-code", "classification.type" : "infected-system" }, "feed_name" : "Sinkhole-Events IPv6", "file_name" : "event6_sinkhole", "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "ssl_cipher", "validate_to_none" ], [ "extra.", "ssl_servername", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ] }, "event6_sinkhole_http" : { "constant_fields" : { "classification.taxonomy" : "malicious-code", "classification.type" : "infected-system", "protocol.application" : "http" }, "feed_name" : "Sinkhole-Events-HTTP IPv6", "file_name" : "event6_sinkhole_http", "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "destination.url", "http_url", "convert_http_host_and_url", true ], [ "destination.fqdn", "http_host", "validate_fqdn" ], [ "extra.", "http_agent", "validate_to_none" ], [ "extra.", "forwarded_by", "validate_to_none" ], [ "extra.", "ssl_cipher", "validate_to_none" ], [ "extra.", "http_referer", "validate_to_none" ], [ "extra.", "ssl_servername", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ] }, "event6_sinkhole_http_referer" : { "constant_fields" : { "classification.taxonomy" : "malicious-code", "classification.type" : "infected-system", "protocol.application" : "http" }, "feed_name" : "Sinkhole-Events-HTTP-Referer IPv6", "file_name" : "event6_sinkhole_http_referer", "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "extra.", "http_referer_ip", "validate_ip" ], [ "extra.", "http_referer_port", "convert_int" ], [ "extra.", "http_referer_asn", "invalidate_zero" ], [ "extra.", "http_referer_geo", "validate_to_none" ], [ "extra.", "http_referer_region", "validate_to_none" ], [ "extra.", "http_referer_city", "validate_to_none" ], [ "extra.", "http_referer_hostname", "validate_to_none" ], [ "extra.", "http_referer_naics", "invalidate_zero" ], [ "extra.", "http_referer_sector", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "destination.url", "http_url", "convert_http_host_and_url", true ], [ "destination.fqdn", "http_host", "validate_fqdn" ], [ "extra.", "http_referer", "validate_to_none" ], [ "extra.", "ssl_servername", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ] ] }, "event_ddos_participant" : { "constant_fields" : { "classification.identifier" : "ddos-participant", "classification.taxonomy" : "availability", "classification.type" : "ddos" }, "feed_name" : "DDoS-Participant", "file_name" : "event4_ddos_participant", "optional_fields" : [ [ "extra.", "duration", "convert_int" ], [ "extra.", "attack_src_port", "convert_int" ], [ "extra.", "http_usessl", "convert_bool" ], [ "extra.", "ip_header_seqnum", "convert_int" ], [ "extra.", "ip_header_ttl", "convert_int" ], [ "extra.", "number_of_connections", "convert_int" ], [ "extra.", "packet_length", "convert_int" ], [ "extra.", "packet_randomized", "convert_bool" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "domain_source", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "dst_network", "validate_to_none" ], [ "extra.", "dst_netmask", "validate_to_none" ], [ "extra.", "attack", "validate_to_none" ], [ "extra.", "attack_src_ip", "validate_to_none" ], [ "extra.", "domain", "validate_to_none" ], [ "extra.", "domain_transaction_id", "validate_to_none" ], [ "extra.", "gcip", "validate_to_none" ], [ "extra.", "http_method", "validate_to_none" ], [ "extra.", "http_path", "validate_to_none" ], [ "extra.", "http_postdata", "validate_to_none" ], [ "extra.", "ip_header_ack", "validate_to_none" ], [ "extra.", "ip_header_acknum", "validate_to_none" ], [ "extra.", "ip_header_dont_fragment", "validate_to_none" ], [ "extra.", "ip_header_fin", "validate_to_none" ], [ "extra.", "ip_header_identity", "validate_to_none" ], [ "extra.", "ip_header_psh", "validate_to_none" ], [ "extra.", "ip_header_rst", "validate_to_none" ], [ "extra.", "ip_header_syn", "validate_to_none" ], [ "extra.", "ip_header_tos", "validate_to_none" ], [ "extra.", "ip_header_urg", "validate_to_none" ], [ "extra.", "http_agent", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/ddos-participant-report/" }, "event_honeypot_adb_scan" : { "constant_fields" : { "classification.identifier" : "honeypot-adb-scan", "classification.taxonomy" : "information-gathering", "classification.type" : "scanner", "protocol.application" : "adb" }, "feed_name" : "Honeypot-ADB-Scanner", "file_name" : "event4_honeypot_adb_scan", "optional_fields" : [ [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "vulnerability_enum", "validate_to_none" ], [ "extra.", "vulnerability_id", "validate_to_none" ], [ "extra.", "vulnerability_class", "validate_to_none" ], [ "extra.", "vulnerability_score", "convert_float" ], [ "extra.", "vulnerability_severity", "validate_to_none" ], [ "extra.", "vulnerability_version", "validate_to_none" ], [ "extra.", "threat_framework", "validate_to_none" ], [ "extra.", "threat_tactic_id", "validate_to_none" ], [ "extra.", "threat_technique_id", "validate_to_none" ], [ "extra.", "target_vendor", "validate_to_none" ], [ "extra.", "target_product", "validate_to_none" ], [ "extra.", "target_class", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.", "commands", "validate_to_none" ], [ "extra.", "maxdata", "validate_to_none" ], [ "extra.", "system_type", "validate_to_none" ], [ "extra.", "opened", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-adb-scanner-events-report/" }, "event_honeypot_brute_force" : { "constant_fields" : { "classification.taxonomy" : "intrusion-attempts", "classification.type" : "brute-force" }, "feed_name" : "Honeypot-Brute-Force-Events", "file_name" : "event4_honeypot_brute_force", "optional_fields" : [ [ "classification.identifier", "application" ], [ "destination.account", "username", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "service", "validate_to_none" ], [ "extra.", "start_time", "convert_date_utc" ], [ "extra.", "end_time", "convert_date_utc" ], [ "extra.", "client_version", "validate_to_none" ], [ "extra.", "password", "validate_to_none" ], [ "extra.", "payload_url", "validate_to_none" ], [ "extra.", "payload_md5", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-brute-force-events-report/" }, "event_honeypot_darknet" : { "constant_fields" : { "classification.taxonomy" : "other", "classification.type" : "other" }, "feed_name" : "Honeypot-Darknet", "file_name" : "event4_honeypot_darknet", "optional_fields" : [ [ "classification.identifier", "tag", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "count", "convert_int" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-darknet-events-report/" }, "event_honeypot_ddos" : { "constant_fields" : { "classification.identifier" : "honeypot-ddos", "classification.taxonomy" : "availability", "classification.type" : "ddos" }, "feed_name" : "Honeypot-DDoS", "file_name" : "event4_honeypot_ddos", "optional_fields" : [ [ "extra.", "duration", "convert_int" ], [ "extra.", "attack_src_port", "convert_int" ], [ "extra.", "http_usessl", "convert_bool" ], [ "extra.", "ip_header_seqnum", "convert_int" ], [ "extra.", "ip_header_ttl", "convert_int" ], [ "extra.", "number_of_connections", "convert_int" ], [ "extra.", "packet_length", "convert_int" ], [ "extra.", "packet_randomized", "convert_bool" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "domain_source", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "dst_network", "validate_to_none" ], [ "extra.", "dst_netmask", "validate_to_none" ], [ "extra.", "attack", "validate_to_none" ], [ "extra.", "attack_src_ip", "validate_to_none" ], [ "extra.", "domain", "validate_to_none" ], [ "extra.", "domain_transaction_id", "validate_to_none" ], [ "extra.", "gcip", "validate_to_none" ], [ "extra.", "http_method", "validate_to_none" ], [ "extra.", "http_path", "validate_to_none" ], [ "extra.", "http_postdata", "validate_to_none" ], [ "extra.", "ip_header_ack", "validate_to_none" ], [ "extra.", "ip_header_acknum", "validate_to_none" ], [ "extra.", "ip_header_dont_fragment", "validate_to_none" ], [ "extra.", "ip_header_fin", "validate_to_none" ], [ "extra.", "ip_header_identity", "validate_to_none" ], [ "extra.", "ip_header_psh", "validate_to_none" ], [ "extra.", "ip_header_rst", "validate_to_none" ], [ "extra.", "ip_header_syn", "validate_to_none" ], [ "extra.", "ip_header_tos", "validate_to_none" ], [ "extra.", "ip_header_urg", "validate_to_none" ], [ "extra.", "http_agent", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ddos-events/" }, "event_honeypot_ddos_amp" : { "constant_fields" : { "classification.identifier" : "amplification-ddos-victim", "classification.taxonomy" : "availability", "classification.type" : "ddos" }, "feed_name" : "Honeypot-Amplification-DDoS-Events", "file_name" : "event4_honeypot_ddos_amp", "optional_fields" : [ [ "extra.", "avg_pps", "convert_float" ], [ "extra.", "max_pps", "convert_float" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "request", "validate_to_none" ], [ "extra.", "count", "convert_int" ], [ "extra.", "bytes", "convert_int" ], [ "extra.", "end_time", "convert_date_utc" ], [ "extra.", "duration", "convert_int" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-amplification-ddos-events-report/" }, "event_honeypot_ddos_target" : { "constant_fields" : { "classification.identifier" : "honeypot-ddos-target", "classification.taxonomy" : "availability", "classification.type" : "ddos" }, "feed_name" : "Honeypot-DDoS-Target", "file_name" : "event4_honeypot_ddos_target", "optional_fields" : [ [ "extra.", "attack_src_port", "convert_int" ], [ "extra.", "http_usessl", "convert_bool" ], [ "extra.", "ip_header_seqnum", "convert_int" ], [ "extra.", "ip_header_ttl", "convert_int" ], [ "extra.", "number_of_connections", "convert_int" ], [ "extra.", "packet_length", "convert_int" ], [ "extra.", "packet_randomized", "convert_bool" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "domain_source", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "dst_network", "validate_to_none" ], [ "extra.", "dst_netmask", "validate_to_none" ], [ "extra.", "attack", "validate_to_none" ], [ "extra.", "duration", "convert_int" ], [ "extra.", "attack_src_ip", "validate_to_none" ], [ "extra.", "domain", "validate_to_none" ], [ "extra.", "domain_transaction_id", "validate_to_none" ], [ "extra.", "gcip", "validate_to_none" ], [ "extra.", "http_method", "validate_to_none" ], [ "extra.", "http_path", "validate_to_none" ], [ "extra.", "http_postdata", "validate_to_none" ], [ "extra.", "ip_header_ack", "validate_to_none" ], [ "extra.", "ip_header_acknum", "validate_to_none" ], [ "extra.", "ip_header_dont_fragment", "validate_to_none" ], [ "extra.", "ip_header_fin", "validate_to_none" ], [ "extra.", "ip_header_identity", "validate_to_none" ], [ "extra.", "ip_header_psh", "validate_to_none" ], [ "extra.", "ip_header_rst", "validate_to_none" ], [ "extra.", "ip_header_syn", "validate_to_none" ], [ "extra.", "ip_header_tos", "validate_to_none" ], [ "extra.", "ip_header_urg", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ddos-target-events-report/" }, "event_honeypot_http_scan" : { "constant_fields" : { "classification.identifier" : "honeypot-http-scan", "classification.taxonomy" : "information-gathering", "classification.type" : "scanner", "protocol.application" : "http" }, "feed_name" : "Honeypot-HTTP-Scan", "file_name" : "event4_honeypot_http_scan", "optional_fields" : [ [ "user_agent", "http_agent", "validate_to_none" ], [ "extra.method", "http_request_method", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "pattern", "validate_to_none" ], [ "destination.url", "http_url", "convert_http_host_and_url", true ], [ "extra.", "url_scheme", "validate_to_none" ], [ "extra.", "session_tags", "validate_to_none" ], [ "extra.", "vulnerability_enum", "validate_to_none" ], [ "extra.", "vulnerability_id", "validate_to_none" ], [ "extra.", "vulnerability_class", "validate_to_none" ], [ "extra.", "vulnerability_score", "convert_float" ], [ "extra.", "vulnerability_severity", "validate_to_none" ], [ "extra.", "vulnerability_version", "validate_to_none" ], [ "extra.", "threat_framework", "validate_to_none" ], [ "extra.", "threat_tactic_id", "validate_to_none" ], [ "extra.", "threat_technique_id", "validate_to_none" ], [ "extra.", "target_vendor", "validate_to_none" ], [ "extra.", "target_product", "validate_to_none" ], [ "extra.", "target_class", "validate_to_none" ], [ "extra.", "file_md5", "validate_to_none" ], [ "extra.", "file_sha256", "validate_to_none" ], [ "extra.", "request_raw", "force_base64" ], [ "extra.", "body_raw", "force_base64" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-http-scanner-events/" }, "event_honeypot_ics_scan" : { "constant_fields" : { "classification.identifier" : "honeypot-ics-scan", "classification.taxonomy" : "information-gathering", "classification.type" : "scanner" }, "feed_name" : "Honeypot-ICS-Scanner", "file_name" : "event4_honeypot_ics_scan", "optional_fields" : [ [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "state", "validate_to_none" ], [ "extra.", "sensor_id", "validate_to_none" ], [ "extra.", "slave_id", "validate_to_none" ], [ "extra.", "function_code", "validate_to_none" ], [ "extra.", "request", "validate_to_none" ], [ "extra.", "response", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ics-scanner-events-report/" }, "event_honeypot_ikev2_scan" : { "constant_fields" : { "classification.identifier" : "honeypot-ikev2-scan", "classification.taxonomy" : "information-gathering", "classification.type" : "scanner", "protocol.application" : "ikev2" }, "feed_name" : "Honeypot-IKEv2-Scanner", "file_name" : "event4_honeypot_ikev2_scan", "optional_fields" : [ [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "vulnerability_enum", "validate_to_none" ], [ "extra.", "vulnerability_id", "validate_to_none" ], [ "extra.", "vulnerability_class", "validate_to_none" ], [ "extra.", "vulnerability_score", "convert_float" ], [ "extra.", "vulnerability_severity", "validate_to_none" ], [ "extra.", "vulnerability_version", "validate_to_none" ], [ "extra.", "threat_framework", "validate_to_none" ], [ "extra.", "threat_tactic_id", "validate_to_none" ], [ "extra.", "threat_technique_id", "validate_to_none" ], [ "extra.", "target_vendor", "validate_to_none" ], [ "extra.", "target_product", "validate_to_none" ], [ "extra.", "target_class", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ikev2-scanner-events-report/" }, "event_honeypot_rdp_scan" : { "constant_fields" : { "classification.identifier" : "honeypot-rdp-scan", "classification.taxonomy" : "information-gathering", "classification.type" : "scanner", "protocol.application" : "rdp" }, "feed_name" : "Honeypot-RDP-Scanner", "file_name" : "event4_honeypot_rdp_scan", "optional_fields" : [ [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "vulnerability_enum", "validate_to_none" ], [ "extra.", "vulnerability_id", "validate_to_none" ], [ "extra.", "vulnerability_class", "validate_to_none" ], [ "extra.", "vulnerability_score", "convert_float" ], [ "extra.", "vulnerability_severity", "validate_to_none" ], [ "extra.", "vulnerability_version", "validate_to_none" ], [ "extra.", "threat_framework", "validate_to_none" ], [ "extra.", "threat_tactic_id", "validate_to_none" ], [ "extra.", "threat_technique_id", "validate_to_none" ], [ "extra.", "target_vendor", "validate_to_none" ], [ "extra.", "target_product", "validate_to_none" ], [ "extra.", "target_class", "validate_to_none" ], [ "extra.", "cookie", "validate_to_none" ], [ "extra.", "session_tags", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-rdp-scanner-events-report/" }, "event_honeypot_rocketmq_scan" : { "constant_fields" : { "classification.identifier" : "honeypot-rocketmq-scan", "classification.taxonomy" : "information-gathering", "classification.type" : "scanner", "protocol.application" : "rocketmq" }, "feed_name" : "Honeypot-RocketMQ-Scanner", "file_name" : "event4_honeypot_rocketmq_scan", "optional_fields" : [ [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "vulnerability_enum", "validate_to_none" ], [ "extra.", "vulnerability_id", "validate_to_none" ], [ "extra.", "vulnerability_class", "validate_to_none" ], [ "extra.", "vulnerability_score", "convert_float" ], [ "extra.", "vulnerability_severity", "validate_to_none" ], [ "extra.", "vulnerability_version", "validate_to_none" ], [ "extra.", "threat_framework", "validate_to_none" ], [ "extra.", "threat_tactic_id", "validate_to_none" ], [ "extra.", "threat_technique_id", "validate_to_none" ], [ "extra.", "target_vendor", "validate_to_none" ], [ "extra.", "target_product", "validate_to_none" ], [ "extra.", "target_class", "validate_to_none" ], [ "extra.", "code", "validate_to_none" ], [ "extra.", "flag", "validate_to_none" ], [ "extra.", "language", "validate_to_none" ], [ "extra.", "opaque", "validate_to_none" ], [ "extra.", "serialize_type", "validate_to_none" ], [ "extra.", "body", "validate_to_none" ], [ "extra.", "body_base64", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-rocketmq-scanner-events-report/" }, "event_honeypot_smb_scan" : { "constant_fields" : { "classification.identifier" : "honeypot-smb-scan", "classification.taxonomy" : "information-gathering", "classification.type" : "scanner", "protocol.application" : "smb" }, "feed_name" : "Honeypot-SMB-Scanner", "file_name" : "event4_honeypot_smb_scan", "optional_fields" : [ [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "vulnerability_enum", "validate_to_none" ], [ "extra.", "vulnerability_id", "validate_to_none" ], [ "extra.", "vulnerability_class", "validate_to_none" ], [ "extra.", "vulnerability_score", "convert_float" ], [ "extra.", "vulnerability_severity", "validate_to_none" ], [ "extra.", "vulnerability_version", "validate_to_none" ], [ "extra.", "threat_framework", "validate_to_none" ], [ "extra.", "threat_tactic_id", "validate_to_none" ], [ "extra.", "threat_technique_id", "validate_to_none" ], [ "extra.", "target_vendor", "validate_to_none" ], [ "extra.", "target_product", "validate_to_none" ], [ "extra.", "target_class", "validate_to_none" ], [ "extra.", "command", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "supported_protocols", "validate_to_none" ], [ "extra.", "session_tags", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-smb-scanner-events-report/" }, "event_ip_spoofer" : { "constant_fields" : { "classification.identifier" : "ip-spoofer", "classification.taxonomy" : "fraud", "classification.type" : "masquerade" }, "feed_name" : "IP-Spoofer-Events", "file_name" : "event4_ip_spoofer", "optional_fields" : [ [ "extra.", "infection", "validate_to_none" ], [ "source.network", "network", "validate_network" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "routedspoof", "validate_to_none" ], [ "extra.", "session", "validate_to_none" ], [ "extra.", "nat", "convert_bool" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/ip-spoofer-events-report/" }, "event_sinkhole" : { "constant_fields" : { "classification.taxonomy" : "malicious-code", "classification.type" : "infected-system" }, "feed_name" : "Sinkhole-Events IPv4", "file_name" : "event4_sinkhole", "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "extra.", "ssl_cipher", "validate_to_none" ], [ "extra.", "ssl_servername", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-events-report/" }, "event_sinkhole_dns" : { "constant_fields" : { "classification.identifier" : "sinkholedns", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "dns" }, "feed_name" : "Sinkhole-DNS", "file_name" : "event4_sinkhole_dns", "optional_fields" : [ [ "extra.naics", "src_naics", "invalidate_zero" ], [ "extra.sector", "src_sector", "validate_to_none" ], [ "extra.dns_query_type", "query_type" ], [ "extra.dns_query", "query" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "extra.", "count", "convert_int" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-dns-events-report/" }, "event_sinkhole_http" : { "constant_fields" : { "classification.taxonomy" : "malicious-code", "classification.type" : "infected-system", "protocol.application" : "http" }, "feed_name" : "Sinkhole-Events-HTTP IPv4", "file_name" : "event4_sinkhole_http", "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.asn", "src_asn", "invalidate_zero" ], [ "source.geolocation.cc", "src_geo" ], [ "source.geolocation.region", "src_region" ], [ "source.geolocation.city", "src_city" ], [ "source.reverse_dns", "src_hostname" ], [ "extra.source.naics", "src_naics", "invalidate_zero" ], [ "extra.source.sector", "src_sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "destination.url", "http_url", "convert_http_host_and_url", true ], [ "destination.fqdn", "http_host", "validate_fqdn" ], [ "extra.", "http_agent", "validate_to_none" ], [ "extra.", "forwarded_by", "validate_to_none" ], [ "extra.", "ssl_cipher", "validate_to_none" ], [ "extra.", "http_referer", "validate_to_none" ], [ "extra.", "ssl_servername", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "src_ip", "validate_ip" ], [ "source.port", "src_port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-http-events-report/" }, "event_sinkhole_http_referer" : { "constant_fields" : { "classification.taxonomy" : "malicious-code", "classification.type" : "infected-system", "protocol.application" : "http" }, "feed_name" : "Sinkhole-Events-HTTP-Referer IPv4", "file_name" : "event4_sinkhole_http_referer", "optional_fields" : [ [ "classification.identifier", "infection", "validate_to_none" ], [ "malware.name", "infection", "validate_to_none" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "family", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "extra.", "http_referer_ip", "validate_ip" ], [ "extra.", "http_referer_port", "convert_int" ], [ "extra.", "http_referer_asn", "invalidate_zero" ], [ "extra.", "http_referer_geo", "validate_to_none" ], [ "extra.", "http_referer_region", "validate_to_none" ], [ "extra.", "http_referer_city", "validate_to_none" ], [ "extra.", "http_referer_hostname", "validate_to_none" ], [ "extra.", "http_referer_naics", "invalidate_zero" ], [ "extra.", "http_referer_sector", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "destination.ip", "dst_ip", "validate_ip" ], [ "destination.port", "dst_port", "convert_int" ], [ "destination.asn", "dst_asn", "invalidate_zero" ], [ "destination.geolocation.cc", "dst_geo" ], [ "destination.geolocation.region", "dst_region" ], [ "destination.geolocation.city", "dst_city" ], [ "destination.reverse_dns", "dst_hostname", "validate_to_none" ], [ "extra.destination.naics", "dst_naics", "invalidate_zero" ], [ "extra.destination.sector", "dst_sector", "validate_to_none" ], [ "extra.", "public_source", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "event_id", "validate_to_none" ], [ "destination.url", "http_url", "convert_http_host_and_url", true ], [ "destination.fqdn", "http_host", "validate_fqdn" ], [ "extra.", "http_referer", "validate_to_none" ], [ "extra.", "ssl_servername", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-http-referer-events-report/" }, "malware_url" : { "constant_fields" : { "classification.identifier" : "malware-url", "classification.taxonomy" : "malicious-code", "classification.type" : "malware-distribution" }, "feed_name" : "Malware-URL", "file_name" : "malware_url", "optional_fields" : [ [ "source.url", "url", "convert_http_host_and_url", true ], [ "source.fqdn", "hostname", "validate_fqdn" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "extra.", "tag" ], [ "extra.", "source", "validate_to_none" ], [ "malware.hash.sha256", "sha256", "validate_to_none" ], [ "extra.", "application", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/" }, "phish_url" : { "constant_fields" : { "classification.identifier" : "phish-url", "classification.taxonomy" : "fraud", "classification.type" : "phishing" }, "feed_name" : "Phish-URL", "file_name" : "phish_url", "optional_fields" : [ [ "source.url", "url", "convert_http_host_and_url", true ], [ "source.fqdn", "hostname", "validate_fqdn" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "extra.", "tag" ], [ "extra.", "source", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "population6_bgp" : { "constant_fields" : { "classification.identifier" : "accessible-bgp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "bgp" }, "feed_name" : "IPv6-Accessible-BGP", "file_name" : "population6_bgp", "optional_fields" : [ [ "extra.", "message_type_int", "convert_int" ], [ "extra.", "message2_type_int", "convert_int" ], [ "extra.", "major_error_code_int", "convert_int" ], [ "extra.", "minor_error_code_int", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "message_length", "convert_int" ], [ "extra.", "message_type", "validate_to_none" ], [ "extra.", "bgp_version", "validate_to_none" ], [ "extra.", "sender_asn", "validate_to_none" ], [ "extra.", "hold_time", "validate_to_none" ], [ "extra.", "bgp_identifier", "validate_to_none" ], [ "extra.", "message2_type", "validate_to_none" ], [ "extra.", "major_error_code", "validate_to_none" ], [ "extra.", "minor_error_code", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "population6_http_proxy" : { "constant_fields" : { "classification.identifier" : "accessible-http-proxy", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "http" }, "feed_name" : "IPv6-Accessible-HTTP-Proxy", "file_name" : "population6_http_proxy", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "proxy_authenticate", "validate_to_none" ], [ "extra.", "via", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "population6_msmq" : { "constant_fields" : { "classification.identifier" : "accessible-msmq", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "msmq" }, "feed_name" : "IPv6-Accessible-MSMQ", "file_name" : "population6_msmq", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "population_bgp" : { "constant_fields" : { "classification.identifier" : "accessible-bgp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "bgp" }, "feed_name" : "Accessible-BGP", "file_name" : "population_bgp", "optional_fields" : [ [ "extra.", "message_type_int", "convert_int" ], [ "extra.", "message2_type_int", "convert_int" ], [ "extra.", "major_error_code_int", "convert_int" ], [ "extra.", "minor_error_code_int", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "message_length", "convert_int" ], [ "extra.", "message_type", "validate_to_none" ], [ "extra.", "bgp_version", "validate_to_none" ], [ "extra.", "sender_asn", "validate_to_none" ], [ "extra.", "hold_time", "validate_to_none" ], [ "extra.", "bgp_identifier", "validate_to_none" ], [ "extra.", "message2_type", "validate_to_none" ], [ "extra.", "major_error_code", "validate_to_none" ], [ "extra.", "minor_error_code", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-bgp-service-report/" }, "population_http_proxy" : { "constant_fields" : { "classification.identifier" : "accessible-http-proxy", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "http" }, "feed_name" : "Accessible-HTTP-Proxy", "file_name" : "population_http_proxy", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "proxy_authenticate", "validate_to_none" ], [ "extra.", "via", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-http-proxy-report/" }, "population_msmq" : { "constant_fields" : { "classification.identifier" : "accessible-msmq", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "msmq" }, "feed_name" : "Accessible-MSMQ", "file_name" : "population_msmq", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-msmq-service-report/" }, "ransomware_victim" : { "constant_fields" : { "classification.identifier" : "ransomware-victim", "classification.taxonomy" : "intrusions", "classification.type" : "system-compromise" }, "feed_name" : "Ransomware-victim", "file_name" : "ransomware_victim", "optional_fields" : [ [ "extra.", "entity_name", "validate_to_none" ], [ "extra.", "website", "validate_to_none" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "date_published", "validate_to_none" ], [ "extra.", "ransomware", "validate_to_none" ], [ "extra.", "leak_site_url", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "extra.", "actor_geo_stats_30d", "validate_to_none" ], [ "extra.", "actor_total_stats_30d", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/ransomware-victim-report/" }, "sandbox_conn" : { "constant_fields" : { "classification.identifier" : "sandbox-conn", "classification.taxonomy" : "malicious-code", "classification.type" : "malware-distribution" }, "feed_name" : "Sandbox-Connections", "file_name" : "sandbox_conn", "optional_fields" : [ [ "source.fqdn", "hostname", "validate_fqdn" ], [ "extra.", "severity", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "malware.hash.md5", "md5", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "extra.", "bytes_in", "validate_to_none" ], [ "extra.", "bytes_out", "validate_to_none" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "malware.hash.sha1", "sha1", "validate_to_none" ], [ "malware.hash.sha256", "sha256", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/sandbox-connection-report/" }, "sandbox_dns" : { "constant_fields" : { "classification.identifier" : "sandbox-dns", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "dns" }, "feed_name" : "Sandbox-DNS", "file_name" : "sandbox_dns", "optional_fields" : [ [ "extra.dns_query_type", "request_type", "validate_to_none" ], [ "malware.hash.md5", "md5", "validate_to_none" ], [ "extra.", "request", "validate_to_none" ], [ "extra.", "response", "validate_to_none" ], [ "malware.name", "family", "validate_to_none" ], [ "extra.", "tag" ], [ "extra.", "source", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "malware.hash.sha1", "sha1", "validate_to_none" ], [ "malware.hash.sha256", "sha256", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ] ] }, "sandbox_url" : { "constant_fields" : { "classification.identifier" : "sandbox-url", "classification.taxonomy" : "malicious-code", "classification.type" : "malware-distribution" }, "feed_name" : "Sandbox-URL", "file_name" : "sandbox_url", "optional_fields" : [ [ "source.fqdn", "hostname", "validate_fqdn" ], [ "extra.http_request_method", "method", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "malware.hash.md5", "md5", "validate_to_none" ], [ "destination.url", "url", "convert_http_host_and_url", true ], [ "user_agent", "user_agent", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "malware.hash.sha1", "sha1", "validate_to_none" ], [ "malware.hash.sha256", "sha256", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/sandbox-url-report/" }, "scan6_activemq" : { "constant_fields" : { "classification.identifier" : "open-activemq", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "activemq" }, "feed_name" : "IPv6-Accessible-ActiveMQ", "file_name" : "scan6_activemq", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "command", "validate_to_none" ], [ "extra.", "vendor", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_bgp" : { "constant_fields" : { "classification.identifier" : "open-bgp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "bgp" }, "feed_name" : "IPv6-Open-BGP", "file_name" : "scan6_bgp", "optional_fields" : [ [ "extra.", "message_type_int", "convert_int" ], [ "extra.", "message2_type_int", "convert_int" ], [ "extra.", "major_error_code_int", "convert_int" ], [ "extra.", "minor_error_code_int", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "message_length", "convert_int" ], [ "extra.", "message_type", "validate_to_none" ], [ "extra.", "bgp_version", "validate_to_none" ], [ "extra.", "sender_asn", "validate_to_none" ], [ "extra.", "hold_time", "validate_to_none" ], [ "extra.", "bgp_identifier", "validate_to_none" ], [ "extra.", "message2_type", "validate_to_none" ], [ "extra.", "major_error_code", "validate_to_none" ], [ "extra.", "minor_error_code", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_cwmp" : { "constant_fields" : { "classification.identifier" : "open-cwmp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "cwmp" }, "feed_name" : "IPv6-Accessible-CWMP", "file_name" : "scan6_cwmp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "date", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_dns" : { "constant_fields" : { "classification.identifier" : "dns-open-resolver", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "dns" }, "feed_name" : "IPv6-DNS-Open-Resolvers", "file_name" : "scan6_dns", "optional_fields" : [ [ "extra.", "min_amplification", "convert_float" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.", "dns_version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_elasticsearch" : { "constant_fields" : { "classification.identifier" : "open-elasticsearch", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "elasticsearch" }, "feed_name" : "IPv6-Open-Elasticsearch", "file_name" : "scan6_elasticsearch", "optional_fields" : [ [ "extra.", "build_snapshot", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "ok", "convert_bool" ], [ "extra.", "name", "validate_to_none" ], [ "extra.", "cluster_name", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "build_hash", "validate_to_none" ], [ "extra.", "build_timestamp", "validate_to_none" ], [ "extra.", "lucene_version", "validate_to_none" ], [ "extra.", "tagline", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_exchange" : { "constant_fields" : { "protocol.application" : "exchange" }, "feed_name" : "IPv6-Vulnerable-Exchange", "file_name" : "scan6_exchange", "optional_fields" : [ [ "classification.taxonomy", "tag", "scan_exchange_taxonomy" ], [ "classification.type", "tag", "scan_exchange_type" ], [ "classification.identifier", "tag", "scan_exchange_identifier" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "servername", "validate_to_none" ], [ "destination.url", "url", "convert_http_host_and_url", true ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_ftp" : { "constant_fields" : { "classification.identifier" : "accessible-ftp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ftp" }, "feed_name" : "IPv6-Accessible-FTP", "file_name" : "scan6_ftp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "auth_tls_response", "validate_to_none" ], [ "extra.", "auth_ssl_response", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_http" : { "constant_fields" : { "classification.identifier" : "accessible-http", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "http" }, "feed_name" : "IPv6-Accessible-HTTP", "file_name" : "scan6_http", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_http_proxy" : { "constant_fields" : { "classification.identifier" : "open-http-proxy", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "http" }, "feed_name" : "IPv6-Open-HTTP-Proxy", "file_name" : "scan6_http_proxy", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "proxy_authenticate", "validate_to_none" ], [ "extra.", "via", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_http_vulnerable" : { "constant_fields" : { "classification.identifier" : "vulnerable-http", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "http" }, "feed_name" : "IPv6-Vulnerable-HTTP", "file_name" : "scan6_http_vulnerable", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "build_date", "validate_to_none" ], [ "extra.", "detail", "validate_to_none" ], [ "extra.", "build_branch", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_ipp" : { "constant_fields" : { "classification.identifier" : "open-ipp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ipp" }, "feed_name" : "IPv6-Open-IPP", "file_name" : "scan6_ipp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "ipp_version", "validate_to_none" ], [ "extra.", "cups_version", "validate_to_none" ], [ "extra.", "printer_uris", "validate_to_none" ], [ "extra.", "printer_name", "validate_to_none" ], [ "extra.", "printer_info", "validate_to_none" ], [ "extra.", "printer_more_info", "validate_to_none" ], [ "extra.", "printer_make_and_model", "validate_to_none" ], [ "extra.", "printer_firmware_name", "validate_to_none" ], [ "extra.", "printer_firmware_string_version", "validate_to_none" ], [ "extra.", "printer_firmware_version", "validate_to_none" ], [ "extra.", "printer_organization", "validate_to_none" ], [ "extra.", "printer_organization_unit", "validate_to_none" ], [ "extra.", "printer_uuid", "validate_to_none" ], [ "extra.", "printer_wifi_ssid", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_isakmp" : { "constant_fields" : { "classification.identifier" : "open-ike", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ipsec" }, "feed_name" : "IPv6-Vulnerable-ISAKMP", "file_name" : "scan6_isakmp", "optional_fields" : [ [ "extra.", "spi_size", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "initiator_spi", "validate_to_none" ], [ "extra.", "responder_spi", "validate_to_none" ], [ "extra.", "next_payload", "validate_to_none" ], [ "extra.", "exchange_type", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "message_id", "validate_to_none" ], [ "extra.", "next_payload2", "validate_to_none" ], [ "extra.", "domain_of_interpretation", "validate_to_none" ], [ "extra.", "protocol_id", "validate_to_none" ], [ "extra.", "notify_message_type", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_ldap_tcp" : { "constant_fields" : { "classification.identifier" : "open-ldap", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ldap" }, "feed_name" : "IPv6-Open-LDAP-TCP", "file_name" : "scan6_ldap_tcp", "optional_fields" : [ [ "source.local_hostname", "dns_host_name", "validate_to_none" ], [ "extra.", "domain_controller_functionality", "convert_int" ], [ "extra.", "domain_functionality", "convert_int" ], [ "extra.", "forest_functionality", "convert_int" ], [ "extra.", "highest_committed_usn", "convert_int" ], [ "extra.", "is_global_catalog_ready", "convert_bool" ], [ "extra.", "is_synchronized", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "configuration_naming_context", "validate_to_none" ], [ "extra.", "current_time", "validate_to_none" ], [ "extra.", "default_naming_context", "validate_to_none" ], [ "extra.", "ds_service_name", "validate_to_none" ], [ "extra.", "ldap_service_name", "validate_to_none" ], [ "extra.", "naming_contexts", "validate_to_none" ], [ "extra.", "root_domain_naming_context", "validate_to_none" ], [ "extra.", "schema_naming_context", "validate_to_none" ], [ "extra.", "server_name", "validate_to_none" ], [ "extra.", "subschema_subentry", "validate_to_none" ], [ "extra.", "supported_capabilities", "validate_to_none" ], [ "extra.", "supported_control", "validate_to_none" ], [ "extra.", "supported_ldap_policies", "validate_to_none" ], [ "extra.", "supported_ldap_version", "validate_to_none" ], [ "extra.", "supported_sasl_mechanisms", "validate_to_none" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "auth_tls_response", "validate_to_none" ], [ "extra.", "auth_ssl_response", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_mqtt" : { "constant_fields" : { "classification.identifier" : "open-mqtt", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "mqtt" }, "feed_name" : "IPv6-Open-MQTT", "file_name" : "scan6_mqtt", "optional_fields" : [ [ "extra.", "anonymous_access", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "raw_response", "validate_to_none" ], [ "extra.", "hex_code", "validate_to_none" ], [ "extra.", "code", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_mqtt_anon" : { "constant_fields" : { "classification.identifier" : "open-mqtt-anon", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "mqtt" }, "feed_name" : "IPv6-Open-Anonymous-MQTT", "file_name" : "scan6_mqtt_anon", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "raw_response", "validate_to_none" ], [ "extra.", "hex_code", "validate_to_none" ], [ "extra.", "code", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_mysql" : { "constant_fields" : { "classification.identifier" : "open-mysql", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "mysql" }, "feed_name" : "IPv6-Accessible-MySQL", "file_name" : "scan6_mysql", "optional_fields" : [ [ "extra.", "client_can_handle_expired_passwords", "convert_bool" ], [ "extra.", "client_compress", "convert_bool" ], [ "extra.", "client_connect_attrs", "convert_bool" ], [ "extra.", "client_connect_with_db", "convert_bool" ], [ "extra.", "client_deprecated_eof", "convert_bool" ], [ "extra.", "client_found_rows", "convert_bool" ], [ "extra.", "client_ignore_sigpipe", "convert_bool" ], [ "extra.", "client_ignore_space", "convert_bool" ], [ "extra.", "client_interactive", "convert_bool" ], [ "extra.", "client_local_files", "convert_bool" ], [ "extra.", "client_long_flag", "convert_bool" ], [ "extra.", "client_long_password", "convert_bool" ], [ "extra.", "client_multi_results", "convert_bool" ], [ "extra.", "client_multi_statements", "convert_bool" ], [ "extra.", "client_no_schema", "convert_bool" ], [ "extra.", "client_odbc", "convert_bool" ], [ "extra.", "client_plugin_auth", "convert_bool" ], [ "extra.", "client_plugin_auth_len_enc_client_data", "convert_bool" ], [ "extra.", "client_protocol_41", "convert_bool" ], [ "extra.", "client_ps_multi_results", "convert_bool" ], [ "extra.", "client_reserved", "convert_bool" ], [ "extra.", "client_secure_connection", "convert_bool" ], [ "extra.", "client_session_track", "convert_bool" ], [ "extra.", "client_ssl", "convert_bool" ], [ "extra.", "client_transactions", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "mysql_protocol_version", "validate_to_none" ], [ "extra.", "server_version", "validate_to_none" ], [ "extra.", "error_code", "validate_to_none" ], [ "extra.", "error_id", "validate_to_none" ], [ "extra.", "error_message", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_ntp" : { "constant_fields" : { "classification.identifier" : "ntp-version", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ntp" }, "feed_name" : "IPv6-NTP-Version", "file_name" : "scan6_ntp", "optional_fields" : [ [ "extra.", "clk_wander", "convert_float" ], [ "extra.", "frequency", "convert_float" ], [ "extra.", "jitter", "convert_float" ], [ "extra.", "leap", "convert_float" ], [ "extra.", "offset", "convert_float" ], [ "extra.", "peer", "convert_int" ], [ "extra.", "poll", "convert_int" ], [ "extra.", "precision", "convert_int" ], [ "extra.", "rootdelay", "convert_float" ], [ "extra.", "rootdispersion", "convert_float" ], [ "extra.", "stratum", "convert_int" ], [ "extra.", "tc", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "clock", "validate_to_none" ], [ "extra.", "error", "validate_to_none" ], [ "extra.", "mintc", "validate_to_none" ], [ "extra.", "noise", "validate_to_none" ], [ "extra.", "phase", "validate_to_none" ], [ "extra.", "processor", "validate_to_none" ], [ "extra.", "refid", "validate_to_none" ], [ "extra.", "reftime", "validate_to_none" ], [ "extra.", "stability", "validate_to_none" ], [ "extra.", "state", "validate_to_none" ], [ "extra.", "system", "validate_to_none" ], [ "extra.", "tai", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_ntpmonitor" : { "constant_fields" : { "classification.identifier" : "ntp-monitor", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ntp" }, "feed_name" : "IPv6-NTP-Monitor", "file_name" : "scan6_ntpmonitor", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "packets", "convert_int" ], [ "extra.", "response_size", "convert_int" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_postgres" : { "constant_fields" : { "classification.identifier" : "open-postgres", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "postgres" }, "feed_name" : "IPv6-Accessible-PostgreSQL", "file_name" : "scan6_postgres", "optional_fields" : [ [ "extra.", "startup_error_line", "convert_int" ], [ "extra.", "client_ssl", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "supported_protocols", "validate_to_none" ], [ "extra.", "protocol_error_code", "validate_to_none" ], [ "extra.", "protocol_error_file", "validate_to_none" ], [ "extra.", "protocol_error_line", "validate_to_none" ], [ "extra.", "protocol_error_message", "validate_to_none" ], [ "extra.", "protocol_error_routine", "validate_to_none" ], [ "extra.", "protocol_error_severity", "validate_to_none" ], [ "extra.", "protocol_error_severity_v", "validate_to_none" ], [ "extra.", "startup_error_code", "validate_to_none" ], [ "extra.", "startup_error_file", "validate_to_none" ], [ "extra.", "startup_error_message", "validate_to_none" ], [ "extra.", "startup_error_routine", "validate_to_none" ], [ "extra.", "startup_error_severity", "validate_to_none" ], [ "extra.", "startup_error_severity_v", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_rdp" : { "constant_fields" : { "classification.identifier" : "open-rdp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "rdp", "protocol.transport" : "tcp" }, "feed_name" : "IPv6-Accessible-RDP", "file_name" : "scan6_rdp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.", "handshake", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "rdp_protocol", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_slp" : { "constant_fields" : { "classification.identifier" : "open-slp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "slp" }, "feed_name" : "IPv6-Accessible-SLP", "file_name" : "scan6_slp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "function", "validate_to_none" ], [ "extra.", "function_text", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "next_extension_offset", "validate_to_none" ], [ "extra.", "xid", "validate_to_none" ], [ "extra.", "language_tag_length", "validate_to_none" ], [ "extra.", "language_tag", "validate_to_none" ], [ "extra.", "error_code", "validate_to_none" ], [ "extra.", "error_code_text", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "raw_response", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_smb" : { "constant_fields" : { "classification.identifier" : "open-smb", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "smb", "protocol.transport" : "tcp" }, "feed_name" : "IPv6-Accessible-SMB", "file_name" : "scan6_smb", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "arch", "validate_to_none" ], [ "extra.", "key", "validate_to_none" ], [ "extra.", "smb_major_number", "validate_to_none" ], [ "extra.", "smb_minor_number", "validate_to_none" ], [ "extra.", "smb_revision", "validate_to_none" ], [ "extra.", "smb_version_string", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_smtp" : { "constant_fields" : { "classification.identifier" : "open-smtp", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "smtp" }, "feed_name" : "IPv6-Accessible-SMTP", "file_name" : "scan6_smtp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "auth_ssl_response", "validate_to_none" ], [ "extra.", "auth_tls_response", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "freak_cipher_suite", "validate_to_none" ], [ "extra.", "freak_vulnerable", "convert_bool" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "sslv3_supported", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "validation_level", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_smtp_vulnerable" : { "constant_fields" : { "classification.identifier" : "vulnerable-smtp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "smtp" }, "feed_name" : "IPv6-Vulnerable-SMTP", "file_name" : "scan6_smtp_vulnerable", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "auth_ssl_response", "validate_to_none" ], [ "extra.", "auth_tls_response", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "freak_cipher_suite", "validate_to_none" ], [ "extra.", "freak_vulnerable", "convert_bool" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "sslv3_supported", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "validation_level", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_snmp" : { "constant_fields" : { "classification.identifier" : "open-snmp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "snmp" }, "feed_name" : "IPv6-Open-SNMP", "file_name" : "scan6_snmp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.", "sysname", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "version", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.", "sysdesc", "validate_to_none" ], [ "extra.", "community", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "uptime", "convert_int" ], [ "extra.", "mac_address", "validate_to_none" ], [ "extra.", "vendor_id", "validate_to_none" ], [ "extra.", "vendor", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_ssh" : { "constant_fields" : { "classification.identifier" : "open-ssh", "classification.taxonomy" : "other", "classification.type" : "other" }, "feed_name" : "IPv6-Accessible-SSH", "file_name" : "scan6_ssh", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "serverid_raw", "validate_to_none" ], [ "extra.", "serverid_version", "validate_to_none" ], [ "extra.", "serverid_software", "validate_to_none" ], [ "extra.", "serverid_comment", "validate_to_none" ], [ "extra.", "server_cookie", "validate_to_none" ], [ "extra.", "available_kex", "validate_to_none" ], [ "extra.", "available_ciphers", "validate_to_none" ], [ "extra.", "available_mac", "validate_to_none" ], [ "extra.", "available_compression", "validate_to_none" ], [ "extra.", "selected_kex", "validate_to_none" ], [ "extra.", "algorithm", "validate_to_none" ], [ "extra.", "selected_cipher", "validate_to_none" ], [ "extra.", "selected_mac", "validate_to_none" ], [ "extra.", "selected_compression", "validate_to_none" ], [ "extra.", "server_signature_value", "validate_to_none" ], [ "extra.", "server_signature_raw", "validate_to_none" ], [ "extra.", "server_host_key", "validate_to_none" ], [ "extra.", "server_host_key_sha256", "validate_to_none" ], [ "extra.", "rsa_prime", "validate_to_none" ], [ "extra.", "rsa_prime_length", "validate_to_none" ], [ "extra.", "rsa_generator", "validate_to_none" ], [ "extra.", "rsa_generator_length", "validate_to_none" ], [ "extra.", "rsa_public_key", "validate_to_none" ], [ "extra.", "rsa_public_key_length", "validate_to_none" ], [ "extra.", "rsa_exponent", "validate_to_none" ], [ "extra.", "rsa_modulus", "validate_to_none" ], [ "extra.", "rsa_length", "validate_to_none" ], [ "extra.", "dss_prime", "validate_to_none" ], [ "extra.", "dss_prime_length", "validate_to_none" ], [ "extra.", "dss_generator", "validate_to_none" ], [ "extra.", "dss_generator_length", "validate_to_none" ], [ "extra.", "dss_public_key", "validate_to_none" ], [ "extra.", "dss_public_key_length", "validate_to_none" ], [ "extra.", "dss_dsa_public_g", "validate_to_none" ], [ "extra.", "dss_dsa_public_p", "validate_to_none" ], [ "extra.", "dss_dsa_public_q", "validate_to_none" ], [ "extra.", "dss_dsa_public_y", "validate_to_none" ], [ "extra.", "ecdsa_curve25519", "validate_to_none" ], [ "extra.", "ecdsa_curve", "validate_to_none" ], [ "extra.", "ecdsa_public_key_length", "validate_to_none" ], [ "extra.", "ecdsa_public_key_b", "validate_to_none" ], [ "extra.", "ecdsa_public_key_gx", "validate_to_none" ], [ "extra.", "ecdsa_public_key_gy", "validate_to_none" ], [ "extra.", "ecdsa_public_key_n", "validate_to_none" ], [ "extra.", "ecdsa_public_key_p", "validate_to_none" ], [ "extra.", "ecdsa_public_key_x", "validate_to_none" ], [ "extra.", "ecdsa_public_key_y", "validate_to_none" ], [ "extra.", "ed25519_curve25519", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_nonce", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_bytes", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_raw", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sha256", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_serial", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_type_id", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_type_name", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_keyid", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_principles", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_valid_after", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_valid_before", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_duration", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sigkey_bytes", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sigkey_raw", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sigkey_sha256", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sigkey_value", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sig_raw", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.", "userauth_methods", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_ssl" : { "constant_fields" : { "classification.identifier" : "open-ssl", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "https" }, "feed_name" : "IPv6-Accessible-SSL", "file_name" : "scan6_ssl", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.", "handshake", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "ssl_poodle", "convert_bool" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "freak_vulnerable", "convert_bool" ], [ "extra.", "freak_cipher_suite", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "http_response_type", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "http_connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server_type", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_ssl_freak" : { "constant_fields" : { "classification.identifier" : "ssl-freak", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "https" }, "feed_name" : "SSL-FREAK-Vulnerable-Servers IPv6", "file_name" : "scan6_ssl_freak", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.", "handshake", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "freak_vulnerable", "convert_bool" ], [ "extra.", "freak_cipher_suite", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "http_response_type", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "http_connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server_type", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.", "page_sha256fp", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_ssl_poodle" : { "constant_fields" : { "classification.identifier" : "ssl-poodle", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "https" }, "feed_name" : "SSL-POODLE-Vulnerable-Servers IPv6", "file_name" : "scan6_ssl_poodle", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "extra.", "handshake", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "ssl_poodle", "convert_bool" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "http_response_type", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "http_connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server_type", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.", "page_sha256fp", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_stun" : { "constant_fields" : { "classification.identifier" : "open-stun", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "Session Traversal Utilities for NAT" }, "feed_name" : "IPv6-Accessible-Session-Traversal-Utilities-for-NAT", "file_name" : "scan6_stun", "optional_fields" : [ [ "extra.", "mapped_port", "convert_int" ], [ "extra.", "xor_mapped_port", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "transaction_id", "validate_to_none" ], [ "extra.", "magic_cookie", "validate_to_none" ], [ "extra.", "message_length", "convert_int" ], [ "extra.", "message_type", "validate_to_none" ], [ "extra.", "mapped_family", "validate_to_none" ], [ "extra.", "mapped_address", "validate_to_none" ], [ "extra.", "xor_mapped_family", "validate_to_none" ], [ "extra.", "xor_mapped_address", "validate_to_none" ], [ "extra.", "software", "validate_to_none" ], [ "extra.", "fingerprint", "validate_to_none" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "response_size", "convert_int" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_telnet" : { "constant_fields" : { "classification.identifier" : "open-telnet", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "telnet" }, "feed_name" : "IPv6-Accessible-Telnet", "file_name" : "scan6_telnet", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan6_vnc" : { "constant_fields" : { "classification.identifier" : "open-vnc", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "vnc", "protocol.transport" : "tcp" }, "feed_name" : "IPv6-Accessible-VNC", "file_name" : "scan6_vnc", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "product", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] }, "scan_activemq" : { "constant_fields" : { "classification.identifier" : "open-activemq", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "activemq" }, "feed_name" : "Accessible-ActiveMQ", "file_name" : "scan_activemq", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "command", "validate_to_none" ], [ "extra.", "vendor", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-activemq-service-report/" }, "scan_adb" : { "constant_fields" : { "classification.identifier" : "accessible-adb", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "adb" }, "feed_name" : "Accessible-ADB", "file_name" : "scan_adb", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "name", "validate_to_none" ], [ "extra.", "model", "validate_to_none" ], [ "extra.", "device", "validate_to_none" ], [ "extra.", "features", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-adb-report/" }, "scan_afp" : { "constant_fields" : { "classification.identifier" : "accessible-afp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "afp" }, "feed_name" : "Accessible-AFP", "file_name" : "scan_afp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "machine_type", "validate_to_none" ], [ "extra.", "afp_versions", "validate_to_none" ], [ "extra.", "uams", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "server_name", "validate_to_none" ], [ "extra.", "signature", "validate_to_none" ], [ "extra.", "directory_service", "validate_to_none" ], [ "extra.", "utf8_servername", "validate_to_none" ], [ "extra.", "network_address", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-afp-report/" }, "scan_amqp" : { "constant_fields" : { "classification.identifier" : "accessible-amqp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "amqp" }, "feed_name" : "Accessible-AMQP", "file_name" : "scan_amqp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "channel", "validate_to_none" ], [ "extra.", "message_length", "convert_int" ], [ "extra.", "class", "validate_to_none" ], [ "extra.", "method", "validate_to_none" ], [ "extra.", "version_major", "validate_to_none" ], [ "extra.", "version_minor", "validate_to_none" ], [ "extra.", "capabilities", "validate_to_none" ], [ "extra.", "cluster_name", "validate_to_none" ], [ "extra.", "platform", "validate_to_none" ], [ "extra.", "product", "validate_to_none" ], [ "extra.", "product_version", "validate_to_none" ], [ "extra.", "mechanisms", "validate_to_none" ], [ "extra.", "locales", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-amqp-report/" }, "scan_ard" : { "constant_fields" : { "classification.identifier" : "accessible-ard", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "Accessible-ARD", "file_name" : "scan_ard", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "machine_name", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-apple-remote-desktop-ard-report/" }, "scan_bgp" : { "constant_fields" : { "classification.identifier" : "open-bgp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "bgp" }, "feed_name" : "Open-BGP", "file_name" : "scan_bgp", "optional_fields" : [ [ "extra.", "message_type_int", "convert_int" ], [ "extra.", "message2_type_int", "convert_int" ], [ "extra.", "major_error_code_int", "convert_int" ], [ "extra.", "minor_error_code_int", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "message_length", "convert_int" ], [ "extra.", "message_type", "validate_to_none" ], [ "extra.", "bgp_version", "validate_to_none" ], [ "extra.", "sender_asn", "validate_to_none" ], [ "extra.", "hold_time", "validate_to_none" ], [ "extra.", "bgp_identifier", "validate_to_none" ], [ "extra.", "message2_type", "validate_to_none" ], [ "extra.", "major_error_code", "validate_to_none" ], [ "extra.", "minor_error_code", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-bgp-service-report/" }, "scan_chargen" : { "constant_fields" : { "classification.identifier" : "open-chargen", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "chargen" }, "feed_name" : "Open-Chargen", "file_name" : "scan_chargen", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-chargen-report/" }, "scan_cisco_smart_install" : { "constant_fields" : { "classification.identifier" : "accessible-cisco-smart-install", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "cisco-smart-install" }, "feed_name" : "Accessible-Cisco-Smart-Install", "file_name" : "scan_cisco_smart_install", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-cisco-smart-install-report/" }, "scan_coap" : { "constant_fields" : { "classification.identifier" : "accessible-coap", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "coap" }, "feed_name" : "Accessible-CoAP", "file_name" : "scan_coap", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "response", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-coap-report/" }, "scan_couchdb" : { "constant_fields" : { "classification.identifier" : "open-couchdb", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "CouchDB" }, "feed_name" : "Accessible-CouchDB", "file_name" : "scan_couchdb", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "server_version", "validate_to_none" ], [ "extra.", "couchdb_message", "validate_to_none" ], [ "extra.", "couchdb_version", "validate_to_none" ], [ "extra.", "git_sha", "validate_to_none" ], [ "extra.", "features", "validate_to_none" ], [ "extra.", "vendor", "validate_to_none" ], [ "extra.", "visible_databases", "validate_to_none" ], [ "extra.", "error", "validate_to_none" ], [ "extra.", "error_reason", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-couchdb-report/" }, "scan_cwmp" : { "constant_fields" : { "classification.identifier" : "open-cwmp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "cwmp" }, "feed_name" : "Accessible-CWMP", "file_name" : "scan_cwmp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "date", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-cwmp-report/" }, "scan_db2" : { "constant_fields" : { "classification.identifier" : "open-db2-discovery-service", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "db2" }, "feed_name" : "Open-DB2-Discovery-Service", "file_name" : "scan_db2", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "db2_hostname", "validate_to_none" ], [ "extra.", "servername", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-db2-discovery-service-report/" }, "scan_ddos_middlebox" : { "constant_fields" : { "classification.identifier" : "open-ddos-middlebox", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "Vulnerable-DDoS-Middlebox", "file_name" : "scan_ddos_middlebox", "optional_fields" : [ [ "protocol.application", "tag" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "source_port", "validate_to_none" ], [ "extra.", "bytes", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "method", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-ddos-middlebox-report/" }, "scan_dns" : { "constant_fields" : { "classification.identifier" : "dns-open-resolver", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "dns" }, "feed_name" : "DNS-Open-Resolvers", "file_name" : "scan_dns", "optional_fields" : [ [ "extra.", "min_amplification", "convert_float" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "dns_version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/dns-open-resolvers-report/" }, "scan_docker" : { "constant_fields" : { "classification.identifier" : "open-docker", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "docker" }, "feed_name" : "Accessible-Docker", "file_name" : "scan_docker", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "date", "validate_to_none" ], [ "extra.", "experimental", "validate_to_none" ], [ "extra.", "api_version", "validate_to_none" ], [ "extra.", "arch", "validate_to_none" ], [ "extra.", "go_version", "validate_to_none" ], [ "extra.os.name", "os", "validate_to_none" ], [ "extra.", "kernel_version", "validate_to_none" ], [ "extra.", "git_commit", "validate_to_none" ], [ "extra.", "min_api_version", "validate_to_none" ], [ "extra.", "build_time", "validate_to_none" ], [ "extra.", "pkg_version", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-docker-service-report/" }, "scan_dvr_dhcpdiscover" : { "constant_fields" : { "classification.identifier" : "open-dvr-dhcpdiscover", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "Accessible-DVR-DHCPDiscover", "file_name" : "scan_dvr_dhcpdiscover", "optional_fields" : [ [ "protocol.application", "tag" ], [ "extra.", "video_input_channels", "convert_int" ], [ "extra.", "alarm_input_channels", "convert_int" ], [ "extra.", "video_output_channels", "convert_int" ], [ "extra.", "alarm_output_channels", "convert_int" ], [ "extra.", "remote_video_input_channels", "convert_int" ], [ "extra.", "ipv4_dhcp_enable", "convert_bool" ], [ "extra.", "ipv6_dhcp_enable", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_id", "validate_to_none" ], [ "extra.", "device_serial", "validate_to_none" ], [ "extra.", "machine_name", "validate_to_none" ], [ "extra.", "manufacturer", "validate_to_none" ], [ "extra.", "method", "validate_to_none" ], [ "extra.", "http_port", "convert_int" ], [ "extra.", "internal_port", "convert_int" ], [ "extra.", "mac_address", "validate_to_none" ], [ "extra.", "ipv4_address", "validate_to_none" ], [ "extra.", "ipv4_gateway", "validate_to_none" ], [ "extra.", "ipv4_subnet_mask", "validate_to_none" ], [ "extra.", "ipv6_address", "validate_to_none" ], [ "extra.", "ipv6_link_local", "validate_to_none" ], [ "extra.", "ipv6_gateway", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-dvr-dhcpdiscover-report/" }, "scan_elasticsearch" : { "constant_fields" : { "classification.identifier" : "open-elasticsearch", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "elasticsearch" }, "feed_name" : "Open-Elasticsearch", "file_name" : "scan_elasticsearch", "optional_fields" : [ [ "extra.", "build_snapshot", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "ok", "convert_bool" ], [ "extra.", "name", "validate_to_none" ], [ "extra.", "cluster_name", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "build_hash", "validate_to_none" ], [ "extra.", "build_timestamp", "validate_to_none" ], [ "extra.", "lucene_version", "validate_to_none" ], [ "extra.", "tagline", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-elasticsearch-report/" }, "scan_epmd" : { "constant_fields" : { "classification.identifier" : "open-epmd", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "Erlang Port Mapper Daemon" }, "feed_name" : "Accessible-Erlang-Port-Mapper-Daemon", "file_name" : "scan_epmd", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "nodes", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-erlang-port-mapper-report-daemon/" }, "scan_exchange" : { "constant_fields" : { "protocol.application" : "exchange" }, "feed_name" : "Vulnerable-Exchange-Server", "file_name" : "scan_exchange", "optional_fields" : [ [ "classification.taxonomy", "tag", "scan_exchange_taxonomy" ], [ "classification.type", "tag", "scan_exchange_type" ], [ "classification.identifier", "tag", "scan_exchange_identifier" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "servername", "validate_to_none" ], [ "destination.url", "url", "convert_http_host_and_url", true ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-exchange-server-report/" }, "scan_ftp" : { "constant_fields" : { "classification.identifier" : "accessible-ftp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ftp" }, "feed_name" : "Accessible-FTP", "file_name" : "scan_ftp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "auth_tls_response", "validate_to_none" ], [ "extra.", "auth_ssl_response", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ftp-report/" }, "scan_hadoop" : { "constant_fields" : { "classification.identifier" : "accessible-hadoop", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "hadoop", "protocol.transport" : "tcp" }, "feed_name" : "Accessible-Hadoop", "file_name" : "scan_hadoop", "optional_fields" : [ [ "extra.", "total_disk", "convert_int" ], [ "extra.", "used_disk", "convert_int" ], [ "extra.", "free_disk", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "server_type", "validate_to_none" ], [ "extra.", "clusterid", "validate_to_none" ], [ "extra.", "livenodes", "validate_to_none" ], [ "extra.", "namenodeaddress", "validate_to_none" ], [ "extra.", "volumeinfo", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-hadoop-report/" }, "scan_http" : { "constant_fields" : { "classification.identifier" : "accessible-http", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "http" }, "feed_name" : "Accessible-HTTP", "file_name" : "scan_http", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-http-report/" }, "scan_http_proxy" : { "constant_fields" : { "classification.identifier" : "open-http-proxy", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "http" }, "feed_name" : "Open-HTTP-Proxy", "file_name" : "scan_http_proxy", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "proxy_authenticate", "validate_to_none" ], [ "extra.", "via", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-http-proxy-report/" }, "scan_http_vulnerable" : { "constant_fields" : { "classification.identifier" : "vulnerable-http", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "http" }, "feed_name" : "Vulnerable-HTTP", "file_name" : "scan_http_vulnerable", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "build_date", "validate_to_none" ], [ "extra.", "detail", "validate_to_none" ], [ "extra.", "build_branch", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/" }, "scan_ics" : { "constant_fields" : { "classification.identifier" : "open-ics", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "Accessible-ICS", "file_name" : "scan_ics", "optional_fields" : [ [ "protocol.application", "tag" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_id", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "raw_response", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ics-report/" }, "scan_ipmi" : { "constant_fields" : { "classification.identifier" : "open-ipmi", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ipmi", "protocol.transport" : "udp" }, "feed_name" : "Open-IPMI", "file_name" : "scan_ipmi", "optional_fields" : [ [ "extra.", "none_auth", "convert_bool" ], [ "extra.", "md2_auth", "convert_bool" ], [ "extra.", "md5_auth", "convert_bool" ], [ "extra.", "passkey_auth", "convert_bool" ], [ "extra.", "oem_auth", "convert_bool" ], [ "extra.", "permessage_auth", "convert_bool" ], [ "extra.", "userlevel_auth", "convert_bool" ], [ "extra.", "usernames", "convert_bool" ], [ "extra.", "nulluser", "convert_bool" ], [ "extra.", "anon_login", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "ipmi_version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "defaultkg", "validate_to_none" ], [ "extra.", "error", "validate_to_none" ], [ "extra.", "deviceid", "validate_to_none" ], [ "extra.", "devicerev", "validate_to_none" ], [ "extra.", "firmwarerev", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "manufacturerid", "validate_to_none" ], [ "extra.", "manufacturername", "validate_to_none" ], [ "extra.", "productid", "validate_to_none" ], [ "extra.", "productname", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ipmi-report/" }, "scan_ipp" : { "constant_fields" : { "classification.identifier" : "open-ipp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ipp" }, "feed_name" : "Open-IPP", "file_name" : "scan_ipp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "ipp_version", "validate_to_none" ], [ "extra.", "cups_version", "validate_to_none" ], [ "extra.", "printer_uris", "validate_to_none" ], [ "extra.", "printer_name", "validate_to_none" ], [ "extra.", "printer_info", "validate_to_none" ], [ "extra.", "printer_more_info", "validate_to_none" ], [ "extra.", "printer_make_and_model", "validate_to_none" ], [ "extra.", "printer_firmware_name", "validate_to_none" ], [ "extra.", "printer_firmware_string_version", "validate_to_none" ], [ "extra.", "printer_firmware_version", "validate_to_none" ], [ "extra.", "printer_organization", "validate_to_none" ], [ "extra.", "printer_organization_unit", "validate_to_none" ], [ "extra.", "printer_uuid", "validate_to_none" ], [ "extra.", "printer_wifi_ssid", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ipp-report/" }, "scan_isakmp" : { "constant_fields" : { "classification.identifier" : "open-ike", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ipsec" }, "feed_name" : "Vulnerable-ISAKMP", "file_name" : "scan_isakmp", "optional_fields" : [ [ "extra.", "spi_size", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "initiator_spi", "validate_to_none" ], [ "extra.", "responder_spi", "validate_to_none" ], [ "extra.", "next_payload", "validate_to_none" ], [ "extra.", "exchange_type", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "message_id", "validate_to_none" ], [ "extra.", "next_payload2", "validate_to_none" ], [ "extra.", "domain_of_interpretation", "validate_to_none" ], [ "extra.", "protocol_id", "validate_to_none" ], [ "extra.", "notify_message_type", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-isakmp-report/" }, "scan_kubernetes" : { "constant_fields" : { "classification.identifier" : "open-kubernetes", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "kubernetes" }, "feed_name" : "Accessible-Kubernetes-API", "file_name" : "scan_kubernetes", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "date", "validate_to_none" ], [ "extra.", "major", "validate_to_none" ], [ "extra.", "minor", "validate_to_none" ], [ "extra.", "git_version", "validate_to_none" ], [ "extra.", "git_commit", "validate_to_none" ], [ "extra.", "git_tree_state", "validate_to_none" ], [ "extra.", "build_date", "validate_to_none" ], [ "extra.", "go_version", "validate_to_none" ], [ "extra.", "compiler", "validate_to_none" ], [ "extra.", "platform", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-kubernetes-api-server-report/" }, "scan_ldap_tcp" : { "constant_fields" : { "classification.identifier" : "open-ldap", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ldap" }, "feed_name" : "Open-LDAP-TCP", "file_name" : "scan_ldap_tcp", "optional_fields" : [ [ "source.local_hostname", "dns_host_name", "validate_to_none" ], [ "extra.", "domain_controller_functionality", "convert_int" ], [ "extra.", "domain_functionality", "convert_int" ], [ "extra.", "forest_functionality", "convert_int" ], [ "extra.", "highest_committed_usn", "convert_int" ], [ "extra.", "is_global_catalog_ready", "convert_bool" ], [ "extra.", "is_synchronized", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "configuration_naming_context", "validate_to_none" ], [ "extra.", "current_time", "validate_to_none" ], [ "extra.", "default_naming_context", "validate_to_none" ], [ "extra.", "ds_service_name", "validate_to_none" ], [ "extra.", "ldap_service_name", "validate_to_none" ], [ "extra.", "naming_contexts", "validate_to_none" ], [ "extra.", "root_domain_naming_context", "validate_to_none" ], [ "extra.", "schema_naming_context", "validate_to_none" ], [ "extra.", "server_name", "validate_to_none" ], [ "extra.", "subschema_subentry", "validate_to_none" ], [ "extra.", "supported_capabilities", "validate_to_none" ], [ "extra.", "supported_control", "validate_to_none" ], [ "extra.", "supported_ldap_policies", "validate_to_none" ], [ "extra.", "supported_ldap_version", "validate_to_none" ], [ "extra.", "supported_sasl_mechanisms", "validate_to_none" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "auth_tls_response", "validate_to_none" ], [ "extra.", "auth_ssl_response", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ldap-tcp-report/" }, "scan_ldap_udp" : { "constant_fields" : { "classification.identifier" : "open-ldap", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ldap" }, "feed_name" : "Open-LDAP", "file_name" : "scan_ldap_udp", "optional_fields" : [ [ "source.local_hostname", "dns_host_name", "validate_to_none" ], [ "extra.", "domain_controller_functionality", "convert_int" ], [ "extra.", "domain_functionality", "convert_int" ], [ "extra.", "forest_functionality", "convert_int" ], [ "extra.", "highest_committed_usn", "convert_int" ], [ "extra.", "is_global_catalog_ready", "convert_bool" ], [ "extra.", "is_synchronized", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "configuration_naming_context", "validate_to_none" ], [ "extra.", "current_time", "validate_to_none" ], [ "extra.", "default_naming_context", "validate_to_none" ], [ "extra.", "ds_service_name", "validate_to_none" ], [ "extra.", "ldap_service_name", "validate_to_none" ], [ "extra.", "naming_contexts", "validate_to_none" ], [ "extra.", "root_domain_naming_context", "validate_to_none" ], [ "extra.", "schema_naming_context", "validate_to_none" ], [ "extra.", "server_name", "validate_to_none" ], [ "extra.", "subschema_subentry", "validate_to_none" ], [ "extra.", "supported_capabilities", "validate_to_none" ], [ "extra.", "supported_control", "validate_to_none" ], [ "extra.", "supported_ldap_policies", "validate_to_none" ], [ "extra.", "supported_ldap_version", "validate_to_none" ], [ "extra.", "supported_sasl_mechanisms", "validate_to_none" ], [ "extra.", "amplification", "convert_float" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ldap-report/" }, "scan_mdns" : { "constant_fields" : { "classification.identifier" : "open-mdns", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "mdns" }, "feed_name" : "Open-mDNS", "file_name" : "scan_mdns", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "mdns_name", "validate_to_none" ], [ "extra.", "mdns_ipv4", "validate_to_none" ], [ "extra.", "mdns_ipv6", "validate_to_none" ], [ "extra.", "services", "validate_to_none" ], [ "extra.", "workstation_name", "validate_to_none" ], [ "extra.", "workstation_ipv4", "validate_to_none" ], [ "extra.", "workstation_ipv6", "validate_to_none" ], [ "extra.", "workstation_info", "validate_to_none" ], [ "extra.", "http_name", "validate_to_none" ], [ "extra.", "http_ipv4", "validate_to_none" ], [ "extra.", "http_ipv6", "validate_to_none" ], [ "extra.", "http_ptr", "validate_to_none" ], [ "extra.", "http_info", "validate_to_none" ], [ "extra.", "http_target", "validate_to_none" ], [ "extra.", "http_port", "convert_int" ], [ "extra.", "spotify_name", "validate_to_none" ], [ "extra.", "spotify_ipv4", "validate_to_none" ], [ "extra.", "spotify_ipv6", "validate_to_none" ], [ "extra.", "opc_ua_discovery", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-mdns-report/" }, "scan_memcached" : { "constant_fields" : { "classification.identifier" : "open-memcached", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "memcached" }, "feed_name" : "Open-Memcached", "file_name" : "scan_memcached", "optional_fields" : [ [ "extra.", "pid", "convert_int" ], [ "extra.", "pointer_size", "convert_int" ], [ "extra.", "uptime", "convert_int" ], [ "extra.", "curr_connections", "convert_int" ], [ "extra.", "total_connections", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "time", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-memcached-report/" }, "scan_mongodb" : { "constant_fields" : { "classification.identifier" : "open-mongodb", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "mongodb" }, "feed_name" : "Open-MongoDB", "file_name" : "scan_mongodb", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "gitversion", "validate_to_none" ], [ "extra.", "sysinfo", "validate_to_none" ], [ "extra.", "opensslversion", "validate_to_none" ], [ "extra.", "allocator", "validate_to_none" ], [ "extra.", "javascriptengine", "validate_to_none" ], [ "extra.", "bits", "validate_to_none" ], [ "extra.", "maxbsonobjectsize", "validate_to_none" ], [ "extra.", "ok", "convert_bool" ], [ "extra.", "visible_databases", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-mongodb-report/" }, "scan_mqtt" : { "constant_fields" : { "classification.identifier" : "open-mqtt", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "mqtt" }, "feed_name" : "Open-MQTT", "file_name" : "scan_mqtt", "optional_fields" : [ [ "extra.", "anonymous_access", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "raw_response", "validate_to_none" ], [ "extra.", "hex_code", "validate_to_none" ], [ "extra.", "code", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-mqtt-report/" }, "scan_mqtt_anon" : { "constant_fields" : { "classification.identifier" : "open-mqtt-anon", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "mqtt" }, "feed_name" : "Open-Anonymous-MQTT", "file_name" : "scan_mqtt_anon", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "raw_response", "validate_to_none" ], [ "extra.", "hex_code", "validate_to_none" ], [ "extra.", "code", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-mqtt-report/" }, "scan_mssql" : { "constant_fields" : { "classification.identifier" : "open-mssql", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "mssql" }, "feed_name" : "Open-MSSQL", "file_name" : "scan_mssql", "optional_fields" : [ [ "source.local_hostname", "server_name", "validate_to_none" ], [ "extra.", "tcp_port", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "instance_name", "validate_to_none" ], [ "extra.", "named_pipe", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ms-sql-server-resolution-service-report/" }, "scan_mysql" : { "constant_fields" : { "classification.identifier" : "open-mysql", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "mysql" }, "feed_name" : "Accessible-MySQL", "file_name" : "scan_mysql", "optional_fields" : [ [ "extra.", "client_can_handle_expired_passwords", "convert_bool" ], [ "extra.", "client_compress", "convert_bool" ], [ "extra.", "client_connect_attrs", "convert_bool" ], [ "extra.", "client_connect_with_db", "convert_bool" ], [ "extra.", "client_deprecated_eof", "convert_bool" ], [ "extra.", "client_found_rows", "convert_bool" ], [ "extra.", "client_ignore_sigpipe", "convert_bool" ], [ "extra.", "client_ignore_space", "convert_bool" ], [ "extra.", "client_interactive", "convert_bool" ], [ "extra.", "client_local_files", "convert_bool" ], [ "extra.", "client_long_flag", "convert_bool" ], [ "extra.", "client_long_password", "convert_bool" ], [ "extra.", "client_multi_results", "convert_bool" ], [ "extra.", "client_multi_statements", "convert_bool" ], [ "extra.", "client_no_schema", "convert_bool" ], [ "extra.", "client_odbc", "convert_bool" ], [ "extra.", "client_plugin_auth", "convert_bool" ], [ "extra.", "client_plugin_auth_len_enc_client_data", "convert_bool" ], [ "extra.", "client_protocol_41", "convert_bool" ], [ "extra.", "client_ps_multi_results", "convert_bool" ], [ "extra.", "client_reserved", "convert_bool" ], [ "extra.", "client_secure_connection", "convert_bool" ], [ "extra.", "client_session_track", "convert_bool" ], [ "extra.", "client_ssl", "convert_bool" ], [ "extra.", "client_transactions", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "mysql_protocol_version", "validate_to_none" ], [ "extra.", "server_version", "validate_to_none" ], [ "extra.", "error_code", "validate_to_none" ], [ "extra.", "error_id", "validate_to_none" ], [ "extra.", "error_message", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-mysql-server-report/" }, "scan_nat_pmp" : { "constant_fields" : { "classification.identifier" : "open-natpmp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "natpmp" }, "feed_name" : "Open-NATPMP", "file_name" : "scan_nat_pmp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "opcode", "validate_to_none" ], [ "extra.", "uptime", "convert_int" ], [ "extra.", "external_ip", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-nat-pmp-report/" }, "scan_netbios" : { "constant_fields" : { "classification.identifier" : "open-netbios-nameservice", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "netbios-nameservice" }, "feed_name" : "Open-NetBIOS-Nameservice", "file_name" : "scan_netbios", "optional_fields" : [ [ "source.account", "username" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "mac_address", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "workgroup", "validate_to_none" ], [ "extra.", "machine_name", "validate_to_none" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-netbios-report/" }, "scan_netis_router" : { "constant_fields" : { "classification.identifier" : "open-netis", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.transport" : "udp" }, "feed_name" : "Open-Netis", "file_name" : "scan_netis_router", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "response", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/netcore-netis-router-vulnerability-scan-report/" }, "scan_ntp" : { "constant_fields" : { "classification.identifier" : "ntp-version", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ntp" }, "feed_name" : "NTP-Version", "file_name" : "scan_ntp", "optional_fields" : [ [ "extra.", "clk_wander", "convert_float" ], [ "extra.", "frequency", "convert_float" ], [ "extra.", "jitter", "convert_float" ], [ "extra.", "leap", "convert_float" ], [ "extra.", "offset", "convert_float" ], [ "extra.", "peer", "convert_int" ], [ "extra.", "poll", "convert_int" ], [ "extra.", "precision", "convert_int" ], [ "extra.", "rootdelay", "convert_float" ], [ "extra.", "rootdispersion", "convert_float" ], [ "extra.", "stratum", "convert_int" ], [ "extra.", "tc", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "clock", "validate_to_none" ], [ "extra.", "error", "validate_to_none" ], [ "extra.", "mintc", "validate_to_none" ], [ "extra.", "noise", "validate_to_none" ], [ "extra.", "phase", "validate_to_none" ], [ "extra.", "processor", "validate_to_none" ], [ "extra.", "refid", "validate_to_none" ], [ "extra.", "reftime", "validate_to_none" ], [ "extra.", "stability", "validate_to_none" ], [ "extra.", "state", "validate_to_none" ], [ "extra.", "system", "validate_to_none" ], [ "extra.", "tai", "validate_to_none" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/ntp-version-report/" }, "scan_ntpmonitor" : { "constant_fields" : { "classification.identifier" : "ntp-monitor", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ntp" }, "feed_name" : "NTP-Monitor", "file_name" : "scan_ntpmonitor", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "packets", "convert_int" ], [ "extra.", "response_size", "convert_int" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/ntp-monitor-report/" }, "scan_portmapper" : { "constant_fields" : { "classification.identifier" : "open-portmapper", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "portmapper" }, "feed_name" : "Open-Portmapper", "file_name" : "scan_portmapper", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "programs", "validate_to_none" ], [ "extra.", "mountd_port", "validate_to_none" ], [ "extra.", "exports", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-portmapper-report/" }, "scan_post_exploitation_framework" : { "constant_fields" : { "classification.identifier" : "c2-beacon", "classification.taxonomy" : "malicious-code", "classification.type" : "infected-system" }, "feed_name" : "Post-Exploitation-Framework", "file_name" : "scan_post_exploitation_framework", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "http", "validate_to_none" ], [ "destination.url", "http_url", "convert_http_host_and_url", true ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "architecture", "validate_to_none" ], [ "extra.", "beacon_type", "validate_to_none" ], [ "extra.", "beacon_host", "validate_to_none" ], [ "extra.", "beacon_port", "validate_to_none" ], [ "extra.", "beacon_http_get", "validate_to_none" ], [ "extra.", "beacon_http_post", "validate_to_none" ], [ "extra.", "license_id", "validate_to_none" ], [ "extra.", "config_md5", "validate_to_none" ], [ "extra.", "config_sha1", "validate_to_none" ], [ "extra.", "config_sha256", "validate_to_none" ], [ "extra.", "config_sha512", "validate_to_none" ], [ "extra.", "binary_md5", "validate_to_none" ], [ "extra.", "binary_sha1", "validate_to_none" ], [ "extra.", "binary_sha256", "validate_to_none" ], [ "extra.", "binary_sha512", "validate_to_none" ], [ "extra.", "encoded_length", "validate_to_none" ], [ "extra.", "encoded_data", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/post-exploitation-framework/" }, "scan_postgres" : { "constant_fields" : { "classification.identifier" : "open-postgres", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "postgres" }, "feed_name" : "Accessible-PostgreSQL", "file_name" : "scan_postgres", "optional_fields" : [ [ "extra.", "startup_error_line", "convert_int" ], [ "extra.", "client_ssl", "convert_bool" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "supported_protocols", "validate_to_none" ], [ "extra.", "protocol_error_code", "validate_to_none" ], [ "extra.", "protocol_error_file", "validate_to_none" ], [ "extra.", "protocol_error_line", "validate_to_none" ], [ "extra.", "protocol_error_message", "validate_to_none" ], [ "extra.", "protocol_error_routine", "validate_to_none" ], [ "extra.", "protocol_error_severity", "validate_to_none" ], [ "extra.", "protocol_error_severity_v", "validate_to_none" ], [ "extra.", "startup_error_code", "validate_to_none" ], [ "extra.", "startup_error_file", "validate_to_none" ], [ "extra.", "startup_error_message", "validate_to_none" ], [ "extra.", "startup_error_routine", "validate_to_none" ], [ "extra.", "startup_error_severity", "validate_to_none" ], [ "extra.", "startup_error_severity_v", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-postgresql-server-report/" }, "scan_qotd" : { "constant_fields" : { "classification.identifier" : "open-qotd", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "qotd" }, "feed_name" : "Open-QOTD", "file_name" : "scan_qotd", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "quote", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-qotd-report/" }, "scan_quic" : { "constant_fields" : { "classification.identifier" : "open-quic", "classification.taxonomy" : "other", "classification.type" : "other" }, "feed_name" : "Accessible-QUIC", "file_name" : "scan_quic", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "version_field_1", "validate_to_none" ], [ "extra.", "version_field_2", "validate_to_none" ], [ "extra.", "version_field_3", "validate_to_none" ], [ "extra.", "version_field_4", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-quic-report/" }, "scan_radmin" : { "constant_fields" : { "classification.identifier" : "accessible-radmin", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "Accessible-Radmin", "file_name" : "scan_radmin", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-radmin-report/" }, "scan_rdp" : { "constant_fields" : { "classification.identifier" : "open-rdp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "rdp", "protocol.transport" : "tcp" }, "feed_name" : "Accessible-RDP", "file_name" : "scan_rdp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "rdp_protocol", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-rdp-report/" }, "scan_rdpeudp" : { "constant_fields" : { "classification.identifier" : "accessible-msrdpeudp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "Accessible-MS-RDPEUDP", "file_name" : "scan_rdpeudp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sessionid", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ms-rdpeudp/" }, "scan_redis" : { "constant_fields" : { "classification.identifier" : "open-redis", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "redis" }, "feed_name" : "Open-Redis", "file_name" : "scan_redis", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "git_sha1", "validate_to_none" ], [ "extra.", "git_dirty_flag", "validate_to_none" ], [ "extra.", "build_id", "validate_to_none" ], [ "extra.", "mode", "validate_to_none" ], [ "extra.os.name", "os", "validate_to_none" ], [ "extra.", "architecture", "validate_to_none" ], [ "extra.", "multiplexing_api", "validate_to_none" ], [ "extra.", "gcc_version", "validate_to_none" ], [ "extra.", "process_id", "validate_to_none" ], [ "extra.", "run_id", "validate_to_none" ], [ "extra.", "uptime", "convert_int" ], [ "extra.", "connected_clients", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-redis-report/" }, "scan_rsync" : { "constant_fields" : { "classification.identifier" : "accessible-rsync", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "rsync" }, "feed_name" : "Accessible-Rsync", "file_name" : "scan_rsync", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "module", "validate_to_none" ], [ "extra.", "motd", "validate_to_none" ], [ "extra.", "has_password", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-rsync-report/" }, "scan_sip" : { "constant_fields" : { "classification.identifier" : "open-sip", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "sip" }, "feed_name" : "Accessible-SIP", "file_name" : "scan_sip", "optional_fields" : [ [ "extra.sip_server", "server", "validate_to_none" ], [ "extra.sip_contact", "contact", "validate_to_none" ], [ "extra.sip_cseq", "cseq", "validate_to_none" ], [ "extra.sip_call_id", "call_id", "validate_to_none" ], [ "extra.sip_allow", "allow", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "sip", "validate_to_none" ], [ "extra.", "sip_code", "validate_to_none" ], [ "extra.", "sip_reason", "validate_to_none" ], [ "user_agent", "user_agent", "validate_to_none" ], [ "extra.", "sip_via", "validate_to_none" ], [ "extra.", "sip_to", "validate_to_none" ], [ "extra.", "sip_from", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-sip-report/" }, "scan_slp" : { "constant_fields" : { "classification.identifier" : "open-slp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "slp" }, "feed_name" : "Accessible-SLP", "file_name" : "scan_slp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "function", "validate_to_none" ], [ "extra.", "function_text", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "next_extension_offset", "validate_to_none" ], [ "extra.", "xid", "validate_to_none" ], [ "extra.", "language_tag_length", "validate_to_none" ], [ "extra.", "language_tag", "validate_to_none" ], [ "extra.", "error_code", "validate_to_none" ], [ "extra.", "error_code_text", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "raw_response", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-slp-service-report/" }, "scan_smb" : { "constant_fields" : { "classification.identifier" : "open-smb", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "smb", "protocol.transport" : "tcp" }, "feed_name" : "Accessible-SMB", "file_name" : "scan_smb", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "arch", "validate_to_none" ], [ "extra.", "key", "validate_to_none" ], [ "extra.", "smb_major_number", "validate_to_none" ], [ "extra.", "smb_minor_number", "validate_to_none" ], [ "extra.", "smb_revision", "validate_to_none" ], [ "extra.", "smb_version_string", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-smb-report/" }, "scan_smtp" : { "constant_fields" : { "classification.identifier" : "open-smtp", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "smtp" }, "feed_name" : "Accessible-SMTP", "file_name" : "scan_smtp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "auth_ssl_response", "validate_to_none" ], [ "extra.", "auth_tls_response", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "freak_cipher_suite", "validate_to_none" ], [ "extra.", "freak_vulnerable", "convert_bool" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "sslv3_supported", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "validation_level", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-smtp-report/" }, "scan_smtp_vulnerable" : { "constant_fields" : { "classification.identifier" : "vulnerable-smtp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "smtp" }, "feed_name" : "Vulnerable-SMTP", "file_name" : "scan_smtp_vulnerable", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "auth_ssl_response", "validate_to_none" ], [ "extra.", "auth_tls_response", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "freak_cipher_suite", "validate_to_none" ], [ "extra.", "freak_vulnerable", "convert_bool" ], [ "extra.", "handshake", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "sslv3_supported", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "validation_level", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-smtp-report/" }, "scan_snmp" : { "constant_fields" : { "classification.identifier" : "open-snmp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "snmp" }, "feed_name" : "Open-SNMP", "file_name" : "scan_snmp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "sysname", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.", "sysdesc", "validate_to_none" ], [ "extra.", "community", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "uptime", "convert_int" ], [ "extra.", "mac_address", "validate_to_none" ], [ "extra.", "vendor_id", "validate_to_none" ], [ "extra.", "vendor", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-snmp-report/" }, "scan_socks" : { "constant_fields" : { "classification.identifier" : "open-socks", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "Accessible-SOCKS4/5-Proxy", "file_name" : "scan_socks", "optional_fields" : [ [ "protocol.application", "tag" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-socks4-5-proxy-report/" }, "scan_ssdp" : { "constant_fields" : { "classification.identifier" : "open-ssdp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ssdp" }, "feed_name" : "Open-SSDP", "file_name" : "scan_ssdp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "header", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "systime", "validate_to_none" ], [ "extra.", "cache_control", "validate_to_none" ], [ "extra.", "location", "validate_to_none" ], [ "extra.", "server", "validate_to_none" ], [ "extra.", "search_target", "validate_to_none" ], [ "extra.", "unique_service_name", "validate_to_none" ], [ "extra.", "host", "validate_to_none" ], [ "extra.", "nts", "validate_to_none" ], [ "extra.", "nt", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "server_port", "validate_to_none" ], [ "extra.", "instance", "validate_to_none" ], [ "extra.", "version", "validate_to_none" ], [ "extra.", "updated_at", "validate_to_none" ], [ "extra.", "resource_identifier", "validate_to_none" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "response_size", "convert_int" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ssdp-report/" }, "scan_ssh" : { "constant_fields" : { "classification.identifier" : "open-ssh", "classification.taxonomy" : "other", "classification.type" : "other" }, "feed_name" : "Accessible-SSH", "file_name" : "scan_ssh", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "serverid_raw", "validate_to_none" ], [ "extra.", "serverid_version", "validate_to_none" ], [ "extra.", "serverid_software", "validate_to_none" ], [ "extra.", "serverid_comment", "validate_to_none" ], [ "extra.", "server_cookie", "validate_to_none" ], [ "extra.", "available_kex", "validate_to_none" ], [ "extra.", "available_ciphers", "validate_to_none" ], [ "extra.", "available_mac", "validate_to_none" ], [ "extra.", "available_compression", "validate_to_none" ], [ "extra.", "selected_kex", "validate_to_none" ], [ "extra.", "algorithm", "validate_to_none" ], [ "extra.", "selected_cipher", "validate_to_none" ], [ "extra.", "selected_mac", "validate_to_none" ], [ "extra.", "selected_compression", "validate_to_none" ], [ "extra.", "server_signature_value", "validate_to_none" ], [ "extra.", "server_signature_raw", "validate_to_none" ], [ "extra.", "server_host_key", "validate_to_none" ], [ "extra.", "server_host_key_sha256", "validate_to_none" ], [ "extra.", "rsa_prime", "validate_to_none" ], [ "extra.", "rsa_prime_length", "validate_to_none" ], [ "extra.", "rsa_generator", "validate_to_none" ], [ "extra.", "rsa_generator_length", "validate_to_none" ], [ "extra.", "rsa_public_key", "validate_to_none" ], [ "extra.", "rsa_public_key_length", "validate_to_none" ], [ "extra.", "rsa_exponent", "validate_to_none" ], [ "extra.", "rsa_modulus", "validate_to_none" ], [ "extra.", "rsa_length", "validate_to_none" ], [ "extra.", "dss_prime", "validate_to_none" ], [ "extra.", "dss_prime_length", "validate_to_none" ], [ "extra.", "dss_generator", "validate_to_none" ], [ "extra.", "dss_generator_length", "validate_to_none" ], [ "extra.", "dss_public_key", "validate_to_none" ], [ "extra.", "dss_public_key_length", "validate_to_none" ], [ "extra.", "dss_dsa_public_g", "validate_to_none" ], [ "extra.", "dss_dsa_public_p", "validate_to_none" ], [ "extra.", "dss_dsa_public_q", "validate_to_none" ], [ "extra.", "dss_dsa_public_y", "validate_to_none" ], [ "extra.", "ecdsa_curve25519", "validate_to_none" ], [ "extra.", "ecdsa_curve", "validate_to_none" ], [ "extra.", "ecdsa_public_key_length", "validate_to_none" ], [ "extra.", "ecdsa_public_key_b", "validate_to_none" ], [ "extra.", "ecdsa_public_key_gx", "validate_to_none" ], [ "extra.", "ecdsa_public_key_gy", "validate_to_none" ], [ "extra.", "ecdsa_public_key_n", "validate_to_none" ], [ "extra.", "ecdsa_public_key_p", "validate_to_none" ], [ "extra.", "ecdsa_public_key_x", "validate_to_none" ], [ "extra.", "ecdsa_public_key_y", "validate_to_none" ], [ "extra.", "ed25519_curve25519", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_nonce", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_bytes", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_raw", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sha256", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_serial", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_type_id", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_type_name", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_keyid", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_principles", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_valid_after", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_valid_before", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_duration", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sigkey_bytes", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sigkey_raw", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sigkey_sha256", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sigkey_value", "validate_to_none" ], [ "extra.", "ed25519_cert_public_key_sig_raw", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.", "userauth_methods", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ssh-report/" }, "scan_ssl" : { "constant_fields" : { "classification.identifier" : "open-ssl", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "https" }, "feed_name" : "Accessible-SSL", "file_name" : "scan_ssl", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "ssl_poodle", "convert_bool" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "freak_vulnerable", "convert_bool" ], [ "extra.", "freak_cipher_suite", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "http_response_type", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "http_connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server_type", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ssl-report/" }, "scan_ssl_freak" : { "constant_fields" : { "classification.identifier" : "ssl-freak", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "https" }, "feed_name" : "SSL-FREAK-Vulnerable-Servers", "file_name" : "scan_ssl_freak", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "freak_vulnerable", "convert_bool" ], [ "extra.", "freak_cipher_suite", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "http_response_type", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "http_connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server_type", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.", "page_sha256fp", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/ssl-freak-report/" }, "scan_ssl_poodle" : { "constant_fields" : { "classification.identifier" : "ssl-poodle", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "https" }, "feed_name" : "SSL-POODLE-Vulnerable-Servers IPv4", "file_name" : "scan_ssl_poodle", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "extra.", "handshake", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "cipher_suite", "validate_to_none" ], [ "extra.", "ssl_poodle", "convert_bool" ], [ "extra.", "cert_length", "convert_int" ], [ "extra.", "subject_common_name", "validate_to_none" ], [ "extra.", "issuer_common_name", "validate_to_none" ], [ "extra.", "cert_issue_date", "validate_to_none" ], [ "extra.", "cert_expiration_date", "validate_to_none" ], [ "extra.", "sha1_fingerprint", "validate_to_none" ], [ "extra.", "cert_serial_number", "validate_to_none" ], [ "extra.", "ssl_version", "convert_int" ], [ "extra.", "signature_algorithm", "validate_to_none" ], [ "extra.", "key_algorithm", "validate_to_none" ], [ "extra.", "subject_organization_name", "validate_to_none" ], [ "extra.", "subject_organization_unit_name", "validate_to_none" ], [ "extra.", "subject_country", "validate_to_none" ], [ "extra.", "subject_state_or_province_name", "validate_to_none" ], [ "extra.", "subject_locality_name", "validate_to_none" ], [ "extra.", "subject_street_address", "validate_to_none" ], [ "extra.", "subject_postal_code", "validate_to_none" ], [ "extra.", "subject_surname", "validate_to_none" ], [ "extra.", "subject_given_name", "validate_to_none" ], [ "extra.", "subject_email_address", "validate_to_none" ], [ "extra.", "subject_business_category", "validate_to_none" ], [ "extra.", "subject_serial_number", "validate_to_none" ], [ "extra.", "issuer_organization_name", "validate_to_none" ], [ "extra.", "issuer_organization_unit_name", "validate_to_none" ], [ "extra.", "issuer_country", "validate_to_none" ], [ "extra.", "issuer_state_or_province_name", "validate_to_none" ], [ "extra.", "issuer_locality_name", "validate_to_none" ], [ "extra.", "issuer_street_address", "validate_to_none" ], [ "extra.", "issuer_postal_code", "validate_to_none" ], [ "extra.", "issuer_surname", "validate_to_none" ], [ "extra.", "issuer_given_name", "validate_to_none" ], [ "extra.", "issuer_email_address", "validate_to_none" ], [ "extra.", "issuer_business_category", "validate_to_none" ], [ "extra.", "issuer_serial_number", "validate_to_none" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "sha256_fingerprint", "validate_to_none" ], [ "extra.", "sha512_fingerprint", "validate_to_none" ], [ "extra.", "md5_fingerprint", "validate_to_none" ], [ "extra.", "http_response_type", "validate_to_none" ], [ "extra.", "http_code", "convert_int" ], [ "extra.", "http_reason", "validate_to_none" ], [ "extra.", "content_type", "validate_to_none" ], [ "extra.", "http_connection", "validate_to_none" ], [ "extra.", "www_authenticate", "validate_to_none" ], [ "extra.", "set_cookie", "validate_to_none" ], [ "extra.", "server_type", "validate_to_none" ], [ "extra.", "content_length", "convert_int" ], [ "extra.", "transfer_encoding", "validate_to_none" ], [ "extra.", "http_date", "convert_date" ], [ "extra.", "cert_valid", "convert_bool" ], [ "extra.", "self_signed", "convert_bool" ], [ "extra.", "cert_expired", "convert_bool" ], [ "extra.", "browser_trusted", "convert_bool" ], [ "extra.", "validation_level", "validate_to_none" ], [ "extra.", "browser_error", "validate_to_none" ], [ "extra.", "tlsv13_support", "validate_to_none" ], [ "extra.", "tlsv13_cipher", "validate_to_none" ], [ "extra.", "raw_cert", "validate_to_none" ], [ "extra.", "raw_cert_chain", "validate_to_none" ], [ "extra.", "jarm", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "device_type", "validate_to_none" ], [ "extra.", "device_model", "validate_to_none" ], [ "extra.", "device_version", "validate_to_none" ], [ "extra.", "device_sector", "validate_to_none" ], [ "extra.", "page_sha256fp", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/ssl-poodle-report/" }, "scan_stun" : { "constant_fields" : { "classification.identifier" : "open-stun", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "Session Traversal Utilities for NAT" }, "feed_name" : "Accessible-Session-Traversal-Utilities-for-NAT", "file_name" : "scan_stun", "optional_fields" : [ [ "extra.", "mapped_port", "convert_int" ], [ "extra.", "xor_mapped_port", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "transaction_id", "validate_to_none" ], [ "extra.", "magic_cookie", "validate_to_none" ], [ "extra.", "message_length", "convert_int" ], [ "extra.", "message_type", "validate_to_none" ], [ "extra.", "mapped_family", "validate_to_none" ], [ "extra.", "mapped_address", "validate_to_none" ], [ "extra.", "xor_mapped_family", "validate_to_none" ], [ "extra.", "xor_mapped_address", "validate_to_none" ], [ "extra.", "software", "validate_to_none" ], [ "extra.", "fingerprint", "validate_to_none" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "response_size", "convert_int" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-stun-service-report/" }, "scan_synfulknock" : { "constant_fields" : { "classification.identifier" : "open-synfulknock", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "SYNful-Knock", "file_name" : "scan_synfulknock", "optional_fields" : [ [ "extra.", "ack_number", "convert_int" ], [ "extra.", "window_size", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "sequence_number", "validate_to_none" ], [ "extra.", "urgent_pointer", "validate_to_none" ], [ "extra.", "tcp_flags", "validate_to_none" ], [ "extra.", "raw_packet", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/synful-scan-report/" }, "scan_telnet" : { "constant_fields" : { "classification.identifier" : "open-telnet", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "telnet" }, "feed_name" : "Accessible-Telnet", "file_name" : "scan_telnet", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-telnet-report/" }, "scan_tftp" : { "constant_fields" : { "classification.identifier" : "open-tftp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "tftp" }, "feed_name" : "Open-TFTP", "file_name" : "scan_tftp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "opcode", "validate_to_none" ], [ "extra.", "errorcode", "validate_to_none" ], [ "extra.", "error", "validate_to_none" ], [ "extra.", "errormessage", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-accessible-tftp-report/" }, "scan_ubiquiti" : { "constant_fields" : { "classification.identifier" : "accessible-ubiquiti-discovery-service", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "Accessible-Ubiquiti-Discovery-Service", "file_name" : "scan_ubiquiti", "optional_fields" : [ [ "extra.mac_address", "mac", "validate_to_none" ], [ "extra.radio_name", "radioname", "validate_to_none" ], [ "extra.model", "modelshort", "validate_to_none" ], [ "extra.model_full", "modelfull", "validate_to_none" ], [ "extra.firmwarerev", "firmware", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "essid", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ubiquiti-report/" }, "scan_vnc" : { "constant_fields" : { "classification.identifier" : "open-vnc", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "vnc", "protocol.transport" : "tcp" }, "feed_name" : "Accessible-VNC", "file_name" : "scan_vnc", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "product", "validate_to_none" ], [ "extra.", "banner", "validate_to_none" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-vnc-report/" }, "scan_ws_discovery" : { "constant_fields" : { "classification.identifier" : "open-ws-discovery", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "ws-discovery" }, "feed_name" : "Accessible-WS-Discovery-Service", "file_name" : "scan_ws_discovery", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "error", "validate_to_none" ], [ "extra.", "raw_response", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ws-discovery-service-report/" }, "scan_xdmcp" : { "constant_fields" : { "classification.identifier" : "open-xdmcp", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system", "protocol.application" : "xdmcp" }, "feed_name" : "Open-XDMCP", "file_name" : "scan_xdmcp", "optional_fields" : [ [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.", "opcode", "validate_to_none" ], [ "extra.", "reported_hostname", "validate_to_none" ], [ "status", "status" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ], [ "extra.", "sector", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-xdmcp-service-report/" }, "spam_url" : { "constant_fields" : { "classification.identifier" : "spam-url", "classification.taxonomy" : "abusive-content", "classification.type" : "spam" }, "feed_name" : "Spam-URL", "file_name" : "spam_url", "optional_fields" : [ [ "source.url", "url", "convert_http_host_and_url", true ], [ "source.fqdn", "hostname", "validate_fqdn" ], [ "extra.relay.ip", "src_ip", "validate_ip" ], [ "extra.relay.asn", "src_asn", "invalidate_zero" ], [ "extra.relay.geolocation.cc", "src_geo", "validate_to_none" ], [ "extra.relay.geolocation.region", "src_region", "validate_to_none" ], [ "extra.relay.geolocation.city", "src_city", "validate_to_none" ], [ "extra.relay.naics", "src_naics", "invalidate_zero" ], [ "extra.relay.sector", "src_sector", "validate_to_none" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.", "naics", "invalidate_zero" ], [ "extra.", "sector", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "extra.", "tag" ], [ "extra.", "source", "validate_to_none" ], [ "extra.", "sender", "validate_to_none" ], [ "extra.", "subject", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/spam-url-report/" }, "special" : { "constant_fields" : { "classification.identifier" : "special", "classification.taxonomy" : "vulnerable", "classification.type" : "vulnerable-system" }, "feed_name" : "Special", "file_name" : "special", "optional_fields" : [ [ "event_description.text", "detail" ], [ "protocol.transport", "protocol" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "source.reverse_dns", "hostname" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "tag" ], [ "extra.", "public_source", "validate_to_none" ], [ "status", "status" ], [ "extra.", "method", "validate_to_none" ], [ "extra.", "device_vendor", "validate_to_none" ], [ "extra.", "severity", "validate_to_none" ], [ "extra.", "hostname_source", "validate_to_none" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ] } }