The schema has been updated:


***************
*** 13,18 ****
--- 13,23 ----
           "validate_to_none"
        ],
        [
+          "source.ip",
+          "http_referer_ip",
+          "validate_ip"
+       ],
+       [
           "malware.name",
           "infection",
           "validate_to_none"
***************
*** 33,43 ****
        ],
        [
           "extra.",
-          "http_referer_ip",
-          "validate_ip"
-       ],
-       [
-          "extra.",
           "http_referer_port",
           "convert_int"
        ],

On 3/31/25 1:43 AM, Sebix wrote:

Hi Mika


I agree with you. As per IntelMQ's guidelines/documentation (https://docs.intelmq.org/latest/user/event/#meaning-of-source-and-destination-identities) the data we care about is always in the source part, and the IP address in source.ip.


Jason, can you please adapt the mapping?


best regards
Sebastian


On 3/31/25 10:08 AM, Mika Silander via IntelMQ-dev wrote:
Hi,

 We received one sinkhole http referer event that got flagged as not belonging to our constituency. At a closer look,  it turned out that intelmq's destination.ip field (see event4_sinkhole_http_referer in https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/intelmq.json)
contains the IP the malware tried to access (?) and then the IP of the machine possibly infected by the malware ended up in extra.http_referer_ip. Everything fine and coherent with the feed's documentation, no complaints.

 To deduce to whom in our constituency an event belongs, we have a bot that first looks at the source.ip field and if this does not match, then we try the destination.ip field. This heuristic works fine with all feeds but in the above case it fails.

 Is there a chance the report field http_referer_ip gets mapped one day in intelmq.json to intelmq's source.ip field (like in the majority of other feeds) instead of extra.http_referer_ip? Just asking since I'd like to keep things simpler and avoid work-arounds.

Br, Mika


The information in this email may be confidential and is intended solely for the use of the individual or entity to whom it is intended. If you are not the intended recipient of this message, please delete the message and notify the sender immediately.  For information on how we process personal data and our contact information, please see CSC's website: Privacy

Tämän sähköpostin tiedot voivat olla luottamuksellisia ja ne on tarkoitettu yksinomaan sen henkilön tai yhteisön käyttöön, jolle ne on osoitettu. Jos et ole viestissä tarkoitettu vastaanottaja, tuhoa viesti ja ilmoita asiasta välittömästi viestin lähettäjälle. Tietoja henkilötietojen ja yhteystietojen käsittelystä löydät CSC:n verkkosivuilta: Tietosuoja

_______________________________________________
IntelMQ-dev mailing list -- intelmq-dev@lists.cert.at
To unsubscribe send an email to intelmq-dev-leave@lists.cert.at
-- 
Institute for Common Good Technology
gemeinnütziger Kulturverein - nonprofit cultural society
https://commongoodtechnology.org/
ZVR 1510673578