Hello,
Attached is the revised schema with your suggestions.
Please let me know if any additional changes are needed or if the schema is ready to be published.
Regards,
Jason
On 1/2/25 4:56 AM, Thomas Hungenberg wrote:
Hi Jason,
thanks a lot for providing the schema update!
I'd like to propose changing the classification identifier "open-pop3" to "accessible-pop3" and "open-imap" to "accessible-imap".
For some (newer) reports like Accessible-ADB the report names already match the classification identifier. Several older reports have been renamed from Open-* to Accessible-* (like Accessible-RDP) but IntelMQ still uses the old open-* classification identifiers. This still needs to be adjusted along with some other inconsistencies at some point in the future.
I noticed the POP3/IMAP reports include several fields like "freak_cipher_suite", "freak_vulnerable", "raw_cert" and others not mentioned under "FIELDS" on the corresponding webpages. Looks like those fields are always empty and they are probably not of interest in this context as there are dedicated Accessible-SSL and SSL/FREAK reports.
Piotr is now looking into this.
So the mapping for some fields probably needs to be removed from the schema.
Regards,
Thomas
On 30.12.24 18:09, elsif wrote:
Hello,
We have new reports for POP3 and IMAP that will be available soon.
https://www.shadowserver.org/what-we-do/network-reporting/accessible-imap-re...
https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-imap-re...
https://www.shadowserver.org/what-we-do/network-reporting/accessible-pop3-re...
https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-pop3-re...
The draft schema is attached. Please let me know if any changes are needed or if the schema is ready to be published.
Regards,
Jason
IntelMQ-dev mailing list https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/