Dear list,
On 1/26/24 11:01, Thomas Hungenberg via IntelMQ-dev wrote:
> I thought about this again in more detail. The classification attributes should describe the incident, getting more specific from taxonomy to identifier. So for feeds like Open-SNMP, it makes sense to set the classification.identifier to the feed's name like this:
> 'classification.taxonomy': 'vulnerable', 'classification.type': 'vulnerable-system', 'classification.identifier': 'open-snmp',
I agree.
> However, for malware events my proposal of setting the classification.identifier to the feed's name does not make sense, as a feed name like "event4-microsoft-sinkhole" is not a specific description of the incident itself but rather the type of source of the information.
> So I think it is best to keep writing the malware name ("infection" or "tag") to classification.identifier as this is a specific description of the individual incident. However, the malware name ("infection" or "tag") also needs to be stored in malware.name for the malware name mapping to work. "family" should instead be stored in extra.
Originally, the intended use of classification.identifier and malware.name was:
- malware.name contained the original (and unprocessed) malware name. It was as specific as possible. It can have the malware variant. For example, "b157-rL".
- The classification.* fields should be usable for aggregation, de-duplication, statistics etc.
- For malware events, the parsers could write the malware family (e.g. "zeus") or the malware name to the identifier.
- The family took precedence, but if not known, the more specific malware.name could be used instead.
- It was always up to the user to replace the identifier with a more generic malware family, e.g. using the public malware name mapping and malpedia.
At least until 2022, IntelMQ and all its parsers fit this concept. It may still be the case, given the recent significant changes.
https://docs.intelmq.org/latest/user/event/#meaning-of-source-and-destinatio... still contains a short summary.
best regards
Sebastian
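The two field layouts discussed in this thread side by side, as an added example that is not part of the original mail and not IntelMQ's own parser code. The taxonomy/type pair used for malware events ('malicious-code' / 'infected-system'), the key name extra.family and the small allowed-types table are assumptions of this example; the feed rows are constructed.

```python
"""Added illustration of the classification conventions discussed above.
Not IntelMQ's own code: the taxonomy/type pair used for malware events
('malicious-code' / 'infected-system') and the key 'extra.family' are
assumptions of this example, and the records below are constructed."""

from collections import Counter

# Assumed taxonomy -> allowed types (a small subset, only for the check below).
ALLOWED_TYPES = {
    "vulnerable": {"vulnerable-system"},
    "malicious-code": {"infected-system"},
}

CLASSIFICATION_KEYS = (
    "classification.taxonomy",
    "classification.type",
    "classification.identifier",
)


def check_classification(event):
    """Reject events whose type does not belong to the given taxonomy."""
    taxonomy = event["classification.taxonomy"]
    ctype = event["classification.type"]
    if ctype not in ALLOWED_TYPES.get(taxonomy, set()):
        raise ValueError(f"type {ctype!r} does not belong to taxonomy {taxonomy!r}")
    return event


def classify_vulnerable(feed_name):
    """Open-SNMP style feeds: the feed name becomes the identifier (Thomas's proposal)."""
    return check_classification({
        "classification.taxonomy": "vulnerable",
        "classification.type": "vulnerable-system",
        "classification.identifier": feed_name,
    })


def classify_malware(record, family_to_identifier=False):
    """Malware (e.g. sinkhole) events.

    record: a parsed feed row carrying 'infection' or 'tag' and optionally 'family'.
    family_to_identifier=False follows Thomas's proposal: the malware name goes to
    both classification.identifier and malware.name, the family goes to extra.
    family_to_identifier=True follows the older convention Sebastian describes:
    the family, when known, takes precedence for the identifier, while malware.name
    keeps the unprocessed, more specific name either way.
    """
    name = record.get("infection") or record.get("tag")
    if not name:
        raise ValueError("record carries no malware name ('infection' or 'tag')")
    family = record.get("family")

    event = {
        "classification.taxonomy": "malicious-code",  # assumed pair, see docstring
        "classification.type": "infected-system",
        "classification.identifier": name,
        "malware.name": name,  # kept exactly as delivered by the feed
    }
    if family:
        event["extra.family"] = family  # assumed key name
        if family_to_identifier:
            event["classification.identifier"] = family
    return check_classification(event)


def aggregation_key(event):
    """The classification.* triple is what statistics and de-duplication group on."""
    return tuple(event[k] for k in CLASSIFICATION_KEYS)


def count_by_classification(events):
    return Counter(aggregation_key(e) for e in events)


# Constructed sample rows from a hypothetical sinkhole feed.
SAMPLE_ROWS = [
    {"tag": "b157-rL", "family": "zeus"},
    {"tag": "b157-rM", "family": "zeus"},
    {"infection": "unknown-bot"},  # no family known: the name is used as-is
]

if __name__ == "__main__":
    print(classify_vulnerable("open-snmp"))
    for flag in (False, True):
        events = [classify_malware(r, family_to_identifier=flag) for r in SAMPLE_ROWS]
        print(f"family_to_identifier={flag}:", dict(count_by_classification(events)))
```

Run stand-alone, the script shows the practical difference between the two conventions on the same rows: with the malware name as identifier, the two zeus variants end up in two separate aggregation buckets; with the family as identifier they collapse into one bucket, while malware.name still tells the variants apart. The row without a known family falls back to the name in both modes.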