Hi all, thanks for the info.
From my side:
1. The link looks broken, should be https://www.shadowserver.org/what-we-do/network-reporting/ms-rpc-endpoint-ma...
2. As it doesn't assess any vulnerability, I'd suggest the classification type "potentially-unwanted-accessible", what do you think?
The rest looks good to me, thanks for the new report!
Best regards
// Kamil Mańkowski mankowski@cert.at - T: +43 676 898 298 7204 // CERT Austria - https://www.cert.at/ // CERT.at GmbH, FB-Nr. 561772k, HG Wien
On 12/3/24 08:00, Mika Silander via IntelMQ-dev wrote:
Hi Jason,
Thank you for notifying us about this. One additional request though: could you please also enable access to the feed's web page? Accessing https://www.shadowserver.org/what-we-do/network-reporting/what-we-do/network... now gives (at least to me) "404 page not found".
Br, Mika
----- Original Message -----
From: "elsif" elsif@shadowserver.org
To: "intelmq-dev" intelmq-dev@lists.cert.at
Sent: Monday, 2 December, 2024 21:36:48
Subject: [IntelMQ-dev] RFC: scan_msrpc report
Hello,
A new report for accessible MS-RPC will begin distribution tonight.
Please let me know if the sample schema mapping below is acceptable or if any changes are needed.
Regards,
Jason
--
"scan_msrpc" : {
    "constant_fields" : {
        "classification.identifier" : "accessible-msrpc",
        "classification.taxonomy" : "vulnerable",
        "classification.type" : "vulnerable-system"
    },
    "feed_name" : "Accessible-MS-RPC-Endpoint-Mapper",
    "file_name" : "scan_msrpc",
    "optional_fields" : [
        [ "extra.", "packet_type_value", "convert_int" ],
        [ "extra.", "fragment_length", "convert_int" ],
        [ "extra.", "max_transmit", "convert_int" ],
        [ "extra.", "max_receive", "convert_int" ],
        [ "extra.", "severity", "validate_to_none" ],
        [ "protocol.transport", "protocol" ],
        [ "source.reverse_dns", "hostname" ],
        [ "extra.", "tag", "validate_to_none" ],
        [ "source.asn", "asn", "invalidate_zero" ],
        [ "source.geolocation.cc", "geo" ],
        [ "source.geolocation.region", "region" ],
        [ "source.geolocation.city", "city" ],
        [ "extra.source.naics", "naics", "invalidate_zero" ],
        [ "extra.", "hostname_source", "validate_to_none" ],
        [ "extra.source.sector", "sector", "validate_to_none" ],
        [ "extra.", "version", "validate_to_none" ],
        [ "extra.", "packet_type", "validate_to_none" ],
        [ "extra.", "packet_flags", "validate_to_none" ],
        [ "extra.", "data_representation", "validate_to_none" ],
        [ "extra.", "auth_length", "validate_to_none" ],
        [ "extra.", "call_id", "validate_to_none" ],
        [ "extra.", "association_group", "validate_to_none" ],
        [ "extra.", "raw_response", "validate_to_none" ]
    ],
    "required_fields" : [
        [ "time.source", "timestamp", "add_UTC_to_timestamp" ],
        [ "source.ip", "ip", "validate_ip" ],
        [ "source.port", "port", "convert_int" ]
    ],
    "url" : "https://www.shadowserver.org/what-we-do/network-reporting/what-we-do/network..."
}
_______________________________________________
IntelMQ-dev mailing list
https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
https://docs.intelmq.org/
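As an added example (not IntelMQ's own parser code and not part of the thread), a small Python function applies a trimmed copy of the scan_msrpc mapping above to a constructed CSV row, showing how the "extra." prefix, the named converters and empty columns end up in the resulting event. The converter behaviour is a simplified re-implementation assumed from the converter names; the sample row is constructed, and the classification shown is the one from the RFC, which is a one-entry change in constant_fields if the type discussed in the thread is adopted.

```python
import csv
import io
import ipaddress

# Trimmed copy of the scan_msrpc mapping posted in the RFC (same structure).
SCAN_MSRPC = {
    "constant_fields": {"classification.identifier": "accessible-msrpc",
                        "classification.taxonomy": "vulnerable",
                        "classification.type": "vulnerable-system"},
    "required_fields": [["time.source", "timestamp", "add_UTC_to_timestamp"],
                        ["source.ip", "ip", "validate_ip"],
                        ["source.port", "port", "convert_int"]],
    "optional_fields": [["extra.", "packet_type_value", "convert_int"],
                        ["protocol.transport", "protocol"],
                        ["source.reverse_dns", "hostname"],
                        ["source.asn", "asn", "invalidate_zero"],
                        ["extra.", "tag", "validate_to_none"]],
}

def _validate_ip(value):
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None  # unparsable address is dropped

# Simplified re-implementations assumed from the converter names (not IntelMQ's).
CONVERTERS = {
    "convert_int": int,
    "validate_ip": _validate_ip,
    "validate_to_none": lambda v: v or None,      # "" -> None
    "invalidate_zero": lambda v: int(v) or None,  # ASN 0 -> None
    "add_UTC_to_timestamp": lambda v: v + " UTC",
}

def map_row(row, config=SCAN_MSRPC):
    """Apply the mapping to one CSV row (dict) and return a flat event dict."""
    event = dict(config["constant_fields"])
    for section in ("required_fields", "optional_fields"):
        for key, column, *conv in config[section]:
            value = row.get(column, "")
            if conv:
                value = CONVERTERS[conv[0]](value)
            if value in (None, ""):
                if section == "required_fields":
                    raise ValueError(f"required column {column!r} missing/invalid")
                continue  # empty optional columns produce no field
            # an "extra." key keeps the Shadowserver column name as the sub-key
            event[key + column if key == "extra." else key] = value
    return event

SAMPLE_CSV = ("timestamp,ip,port,protocol,hostname,asn,tag,packet_type_value\n"
              "2024-12-02 00:00:00,192.0.2.10,135,tcp,,0,,12\n")  # constructed row

def parse_sample(text=SAMPLE_CSV):
    return [map_row(r) for r in csv.DictReader(io.StringIO(text))]
```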