Hi Thomas,
On 1/7/25 10:37 AM, Thomas Hungenberg wrote:
> We had always kept the original field names (for "version" and others) from the Shadowserver reports when writing to extra so there was a 1:1 mapping.
Not always, but mostly. In most cases, the data field names of Shadowserver are good enough and appropriate to use them 1:1. I don't know of any convention that we must use them.
> Now we broke this convention by writing "version" to "extra.msrpc_version" which makes things prone to errors when referencing fields.
As I wrote before, "version" is ambiguous for me; it's unclear what the version field refers to.
It could be the version of the IntelMQ data format. It could be the version of the IntelMQ software. It could be the version of the data feed. It could be the version of the server software. And it could be the version of an application protocol, as it is in this case.
just my 2 cents
Sebastian