Hello,
Below are the proposed mappings (one for the IPv4 feed, one for the IPv6 feed) for a new report as documented at https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp-....
Please let me know before September 11th if you would like any changes.
Regards,
Jason
{ "constant_fields" : { "classification.identifier" : "accessible-ike", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "ipsec" }, "feed_name" : "Accessible-ISAKMP", "file_name" : "population_isakmp", "optional_fields" : [ [ "extra.", "spi_size", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "initiator_spi", "validate_to_none" ], [ "extra.", "responder_spi", "validate_to_none" ], [ "extra.", "next_payload", "validate_to_none" ], [ "extra.", "exchange_type", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "message_id", "validate_to_none" ], [ "extra.", "next_payload2", "validate_to_none" ], [ "extra.", "domain_of_interpretation", "validate_to_none" ], [ "extra.", "protocol_id", "validate_to_none" ], [ "extra.", "notify_message_type", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp-..." }
{ "constant_fields" : { "classification.identifier" : "accessible-ike", "classification.taxonomy" : "other", "classification.type" : "other", "protocol.application" : "ipsec" }, "feed_name" : "IPv6-Accessible-ISAKMP", "file_name" : "population6_isakmp", "optional_fields" : [ [ "extra.", "spi_size", "convert_int" ], [ "extra.", "severity", "validate_to_none" ], [ "protocol.transport", "protocol" ], [ "source.reverse_dns", "hostname" ], [ "extra.", "tag" ], [ "source.asn", "asn", "invalidate_zero" ], [ "source.geolocation.cc", "geo" ], [ "source.geolocation.region", "region" ], [ "source.geolocation.city", "city" ], [ "extra.source.naics", "naics", "invalidate_zero" ], [ "extra.", "hostname_source", "validate_to_none" ], [ "extra.source.sector", "sector", "validate_to_none" ], [ "extra.", "initiator_spi", "validate_to_none" ], [ "extra.", "responder_spi", "validate_to_none" ], [ "extra.", "next_payload", "validate_to_none" ], [ "extra.", "exchange_type", "validate_to_none" ], [ "extra.", "flags", "validate_to_none" ], [ "extra.", "message_id", "validate_to_none" ], [ "extra.", "next_payload2", "validate_to_none" ], [ "extra.", "domain_of_interpretation", "validate_to_none" ], [ "extra.", "protocol_id", "validate_to_none" ], [ "extra.", "notify_message_type", "validate_to_none" ], [ "extra.", "response_size", "convert_int" ], [ "extra.", "amplification", "convert_float" ] ], "required_fields" : [ [ "time.source", "timestamp", "add_UTC_to_timestamp" ], [ "source.ip", "ip", "validate_ip" ], [ "source.port", "port", "convert_int" ] ], "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp-..." }