Morning!
I'd like to pick up this thread again.
We had always kept the original field names (for "version" and others) from the Shadowserver reports when writing to extra so there was a 1:1 mapping.
Now we broke this convention by writing "version" to "extra.msrpc_version" which makes things prone to errors when referencing fields.
So I'd like to suggest changing this from
"extra.msrpc_version", "version", "convert_float"
to
"extra.version", "version", "convert_float"
again.
For the classification type, I'm fine with keeping this set to "potentially-unwanted-accessible" if we change the classification type for other events like accessible-postgresql from "vulnerable-system" to "potentially-unwanted-accessible" in a timely manner as well.
What do you think?
Regards Thomas
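To make the naming question concrete, here is an added illustration (not code from this thread and not IntelMQ's own parser): a minimal re-creation of how a schema entry's "optional_fields" triples [intelmq_field, report_column, conversion] turn a report row into event fields, together with a small lint for the 1:1 convention "column" -> "extra.column" that Thomas describes. The convert_float helper, the CSV handling and the sample rows are assumptions constructed for the example; the two schema variants are the published entry quoted below and the proposed change.

```python
"""Added illustration, not IntelMQ's own code: apply a Shadowserver-style
schema entry to report rows and lint the extra.* naming convention."""
import csv
import io
from typing import Callable, Dict, List, Optional


# Assumed behaviour of the "convert_float" conversion named in the schema
# (hypothetical; IntelMQ's real helper may differ): empty cells yield None.
def convert_float(value: str) -> Optional[float]:
    value = value.strip()
    return float(value) if value else None


CONVERSIONS: Dict[str, Callable[[str], object]] = {"convert_float": convert_float}

# The published scan_msrpc entry (as quoted in the thread) and the proposed
# variant; only the optional_fields target name differs.
SCHEMA_PUBLISHED = {
    "constant_fields": {
        "classification.identifier": "accessible-msrpc",
        "classification.taxonomy": "vulnerable",
        "classification.type": "potentially-unwanted-accessible",
    },
    "optional_fields": [["extra.msrpc_version", "version", "convert_float"]],
}
SCHEMA_PROPOSED = {
    **SCHEMA_PUBLISHED,
    "optional_fields": [["extra.version", "version", "convert_float"]],
}


def map_row(row: Dict[str, str], schema: dict) -> Dict[str, object]:
    """Build an event dict from one report row using the schema's mapping."""
    event: Dict[str, object] = dict(schema["constant_fields"])
    for target, source, conversion in schema["optional_fields"]:
        raw = row.get(source) or ""
        if raw == "":
            continue  # optional column absent or empty: no field is set
        event[target] = CONVERSIONS[conversion](raw) if conversion else raw
    return event


def parse_report(text: str, schema: dict) -> List[Dict[str, object]]:
    """Parse a CSV report (header row first) into one event per row."""
    return [map_row(row, schema) for row in csv.DictReader(io.StringIO(text))]


def extra_one_to_one_violations(schema: dict) -> List[str]:
    """Lint for the convention discussed in the thread: every extra.* target
    must be named "extra." + the original report column. Returns offenders."""
    return [
        target
        for target, source, _ in schema["optional_fields"]
        if target.startswith("extra.") and target != f"extra.{source}"
    ]


def versions_seen(events: List[Dict[str, object]]) -> List[object]:
    """A downstream consumer written against the convention: it reads
    extra.version, as it would for open-elasticsearch or accessible-mysql."""
    return [e["extra.version"] for e in events if "extra.version" in e]


# Constructed sample report (not real Shadowserver data): one row with a
# version value, one with the column left empty.
SAMPLE_REPORT = "ip,version\n192.0.2.10,5.0\n192.0.2.11,\n"

if __name__ == "__main__":
    for name, schema in (("published", SCHEMA_PUBLISHED), ("proposed", SCHEMA_PROPOSED)):
        events = parse_report(SAMPLE_REPORT, schema)
        print(name, "convention violations:", extra_one_to_one_violations(schema))
        print(name, "versions a consumer reading extra.version sees:", versions_seen(events))
```

Running it shows the practical effect: with the published entry the lint flags "extra.msrpc_version" and a consumer that reads "extra.version" across reports sees nothing for scan_msrpc, while the proposed entry passes the lint and the same consumer sees the parsed value; rows with an empty version column set no field in either case.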
On 09.12.24 15:43, Thomas Hungenberg via IntelMQ-dev wrote:
Hi all,
sorry for jumping in late... I was out of office last week.
Kamil Mankowski wrote:
- As it doesn't assess any vulnerability, I'd suggest the classification type "potentially-unwanted-accessible", what do you think?
This is true for many other open-* and accessible-* reports as well. We discussed this with the first version of the schema and decided to stay with "vulnerable-service" and change the classification type to "potentially-unwanted-accessible" where appropriate for all reports at once at some time later to not mix up things.
scan_msrpc now is the only report with classification.type "potentially-unwanted-accessible".
I'd suggest setting the classification type to "vulnerable-service" here for now and changing it to "potentially-unwanted-accessible" at some time later along with all other reports where appropriate.
Sebix wrote:
If I'd read just "extra.version" in the event data either as data receiver or operator, I'd have no idea what version is meant here.
We have "extra.version" with many other reports like open-elasticsearch, accessible-activemq or accessible-mysql as well.
I think that in a "scan_msrpc" report, it's intuitive that "version" is the msrpc version.
We usually map all extra fields from the reports using their original name (like "version" -> "extra.version" or "tag" -> "extra.tag").
What we IMHO should NOT do is break this convention by mapping "version" to "extra.msrpc_version".
So I'd suggest keeping "extra.version" like with other reports.
Regards Thomas
On 05.12.24 17:27, elsif wrote:
Thank you. The schema update has been published.
Regards,
Jason
On 12/5/24 4:42 AM, Kamil Mankowski via IntelMQ-dev wrote:
It looks good to me :)
Best regards
// Kamil Mańkowski mankowski@cert.at - T: +43 676 898 298 7204
// CERT Austria - https://www.cert.at/
// CERT.at GmbH, FB-Nr. 561772k, HG Wien
On 12/3/24 17:25, elsif wrote:
Thank you for your comments.
Here are the changes based on your feedback:
"scan_msrpc" : {
  "constant_fields" : {
    "classification.identifier" : "accessible-msrpc",
    "classification.taxonomy" : "vulnerable",
    "classification.type" : "potentially-unwanted-accessible"
  },
  "feed_name" : "Accessible-MS-RPC-Endpoint-Mapper",
  "file_name" : "scan_msrpc",
  "optional_fields" : [
    [ "extra.msrpc_version", "version", "convert_float" ],
    ...
  "url" : "https://www.shadowserver.org/what-we-do/network-reporting/ms-rpc-endpoint-ma..."
}
Please let me know if any changes are needed or if it is ready to publish.
Regards,
Jason
IntelMQ-dev mailing list https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/