Hello,
Below is the proposed mapping for a new report as documented at https://www.shadowserver.org/what-we-do/network-reporting/accessible-gprs-tu....
Please let me know if you have any changes before August 26th.
Regards,
Jason
{
  "constant_fields" : {
    "classification.identifier" : "accessible-gtp",
    "classification.taxonomy" : "vulnerable",
    "classification.type" : "vulnerable-system"
  },
  "feed_name" : "Accessible-GPRS-Tunneling-Protocol-GTP",
  "file_name" : "scan_gtp",
  "optional_fields" : [
    [ "extra.", "teid", "convert_int" ],
    [ "extra.", "sequence", "convert_int" ],
    [ "extra.", "severity", "validate_to_none" ],
    [ "protocol.transport", "protocol" ],
    [ "source.reverse_dns", "hostname" ],
    [ "extra.", "tag", "validate_to_none" ],
    [ "source.asn", "asn", "invalidate_zero" ],
    [ "source.geolocation.cc", "geo" ],
    [ "source.geolocation.region", "region" ],
    [ "source.geolocation.city", "city" ],
    [ "extra.source.naics", "naics", "invalidate_zero" ],
    [ "extra.", "hostname_source", "validate_to_none" ],
    [ "extra.source.sector", "sector", "validate_to_none" ],
    [ "extra.", "flags", "validate_to_none" ],
    [ "extra.", "message_type", "validate_to_none" ],
    [ "extra.", "message_type_text", "validate_to_none" ],
    [ "extra.", "message_length", "convert_int" ],
    [ "extra.", "recovery", "validate_to_none" ],
    [ "extra.", "response_size", "convert_int" ],
    [ "extra.", "raw_response", "validate_to_none" ]
  ],
  "required_fields" : [
    [ "time.source", "timestamp", "add_UTC_to_timestamp" ],
    [ "source.ip", "ip", "validate_ip" ],
    [ "source.port", "port", "convert_int" ]
  ],
  "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-gprs-tu..."
}
Looks good to me +1
Best regards
// Kamil Mańkowski mankowski@cert.at - T: +43 676 898 298 7204
// CERT Austria - https://www.cert.at/
// CERT.at GmbH, FB-Nr. 561772k, HG Wien
On 8/19/25 19:11, elsif via IntelMQ-dev wrote:
Hello,
Below is the proposed mapping for a new report as documented at https://www.shadowserver.org/what-we-do/network-reporting/accessible-gprs-tunneling-protocol-gtp-report/.
Please let me know if you have any changes before August 26th.
Regards,
Jason
{
  "constant_fields" : {
    "classification.identifier" : "accessible-gtp",
    "classification.taxonomy" : "vulnerable",
    "classification.type" : "vulnerable-system"
  },
  "feed_name" : "Accessible-GPRS-Tunneling-Protocol-GTP",
  "file_name" : "scan_gtp",
  "optional_fields" : [
    [ "extra.", "teid", "convert_int" ],
    [ "extra.", "sequence", "convert_int" ],
    [ "extra.", "severity", "validate_to_none" ],
    [ "protocol.transport", "protocol" ],
    [ "source.reverse_dns", "hostname" ],
    [ "extra.", "tag", "validate_to_none" ],
    [ "source.asn", "asn", "invalidate_zero" ],
    [ "source.geolocation.cc", "geo" ],
    [ "source.geolocation.region", "region" ],
    [ "source.geolocation.city", "city" ],
    [ "extra.source.naics", "naics", "invalidate_zero" ],
    [ "extra.", "hostname_source", "validate_to_none" ],
    [ "extra.source.sector", "sector", "validate_to_none" ],
    [ "extra.", "flags", "validate_to_none" ],
    [ "extra.", "message_type", "validate_to_none" ],
    [ "extra.", "message_type_text", "validate_to_none" ],
    [ "extra.", "message_length", "convert_int" ],
    [ "extra.", "recovery", "validate_to_none" ],
    [ "extra.", "response_size", "convert_int" ],
    [ "extra.", "raw_response", "validate_to_none" ]
  ],
  "required_fields" : [
    [ "time.source", "timestamp", "add_UTC_to_timestamp" ],
    [ "source.ip", "ip", "validate_ip" ],
    [ "source.port", "port", "convert_int" ]
  ],
  "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-gprs-tunneling-protocol-gtp-report/"
}