Hello,
Below is the proposed mapping for a new report as documented at https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp-....
Please let me know if you have any changes before September 11th.
Regards,
Jason
{
  "constant_fields" : {
    "classification.identifier" : "accessible-ike",
    "classification.taxonomy" : "other",
    "classification.type" : "other",
    "protocol.application" : "ipsec"
  },
  "feed_name" : "Accessible-ISAKMP",
  "file_name" : "population_isakmp",
  "optional_fields" : [
    [ "extra.", "spi_size", "convert_int" ],
    [ "extra.", "severity", "validate_to_none" ],
    [ "protocol.transport", "protocol" ],
    [ "source.reverse_dns", "hostname" ],
    [ "extra.", "tag" ],
    [ "source.asn", "asn", "invalidate_zero" ],
    [ "source.geolocation.cc", "geo" ],
    [ "source.geolocation.region", "region" ],
    [ "source.geolocation.city", "city" ],
    [ "extra.source.naics", "naics", "invalidate_zero" ],
    [ "extra.", "hostname_source", "validate_to_none" ],
    [ "extra.source.sector", "sector", "validate_to_none" ],
    [ "extra.", "initiator_spi", "validate_to_none" ],
    [ "extra.", "responder_spi", "validate_to_none" ],
    [ "extra.", "next_payload", "validate_to_none" ],
    [ "extra.", "exchange_type", "validate_to_none" ],
    [ "extra.", "flags", "validate_to_none" ],
    [ "extra.", "message_id", "validate_to_none" ],
    [ "extra.", "next_payload2", "validate_to_none" ],
    [ "extra.", "domain_of_interpretation", "validate_to_none" ],
    [ "extra.", "protocol_id", "validate_to_none" ],
    [ "extra.", "notify_message_type", "validate_to_none" ],
    [ "extra.", "response_size", "convert_int" ],
    [ "extra.", "amplification", "convert_float" ]
  ],
  "required_fields" : [
    [ "time.source", "timestamp", "add_UTC_to_timestamp" ],
    [ "source.ip", "ip", "validate_ip" ],
    [ "source.port", "port", "convert_int" ]
  ],
  "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp-..."
}
{
  "constant_fields" : {
    "classification.identifier" : "accessible-ike",
    "classification.taxonomy" : "other",
    "classification.type" : "other",
    "protocol.application" : "ipsec"
  },
  "feed_name" : "IPv6-Accessible-ISAKMP",
  "file_name" : "population6_isakmp",
  "optional_fields" : [
    [ "extra.", "spi_size", "convert_int" ],
    [ "extra.", "severity", "validate_to_none" ],
    [ "protocol.transport", "protocol" ],
    [ "source.reverse_dns", "hostname" ],
    [ "extra.", "tag" ],
    [ "source.asn", "asn", "invalidate_zero" ],
    [ "source.geolocation.cc", "geo" ],
    [ "source.geolocation.region", "region" ],
    [ "source.geolocation.city", "city" ],
    [ "extra.source.naics", "naics", "invalidate_zero" ],
    [ "extra.", "hostname_source", "validate_to_none" ],
    [ "extra.source.sector", "sector", "validate_to_none" ],
    [ "extra.", "initiator_spi", "validate_to_none" ],
    [ "extra.", "responder_spi", "validate_to_none" ],
    [ "extra.", "next_payload", "validate_to_none" ],
    [ "extra.", "exchange_type", "validate_to_none" ],
    [ "extra.", "flags", "validate_to_none" ],
    [ "extra.", "message_id", "validate_to_none" ],
    [ "extra.", "next_payload2", "validate_to_none" ],
    [ "extra.", "domain_of_interpretation", "validate_to_none" ],
    [ "extra.", "protocol_id", "validate_to_none" ],
    [ "extra.", "notify_message_type", "validate_to_none" ],
    [ "extra.", "response_size", "convert_int" ],
    [ "extra.", "amplification", "convert_float" ]
  ],
  "required_fields" : [
    [ "time.source", "timestamp", "add_UTC_to_timestamp" ],
    [ "source.ip", "ip", "validate_ip" ],
    [ "source.port", "port", "convert_int" ]
  ],
  "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp-..."
}
Hi!
On 04/09/2025 17:06, elsif via IntelMQ-dev wrote:
"optional_fields" : [ [ "extra.", "spi_size", "convert_int" ],
Is that the size of a serial interface?
[ "extra.", "exchange_type", "validate_to_none" ],
Does that indicate what type of trade that is?
These two could be given different names to be clearer and better reflect their actual meaning. Maybe adding a prefix `isakmp_`.
Best regards,
Sebastian
Please see the revised mapping below.
Regards,
Jason
--
{
  "constant_fields" : {
    "classification.identifier" : "accessible-ike",
    "classification.taxonomy" : "other",
    "classification.type" : "other",
    "protocol.application" : "ipsec"
  },
  "feed_name" : "IPv6-Accessible-ISAKMP",
  "file_name" : "population6_isakmp",
  "optional_fields" : [
    [ "extra.isakmp_exchange_type", "exchange_type" ],
    [ "extra.isakmp_spi_size", "spi_size", "convert_int" ],
    [ "extra.", "severity", "validate_to_none" ],
    [ "protocol.transport", "protocol" ],
    [ "source.reverse_dns", "hostname" ],
    [ "extra.", "tag" ],
    [ "source.asn", "asn", "invalidate_zero" ],
    [ "source.geolocation.cc", "geo" ],
    [ "source.geolocation.region", "region" ],
    [ "source.geolocation.city", "city" ],
    [ "extra.source.naics", "naics", "invalidate_zero" ],
    [ "extra.", "hostname_source", "validate_to_none" ],
    [ "extra.source.sector", "sector", "validate_to_none" ],
    [ "extra.", "initiator_spi", "validate_to_none" ],
    [ "extra.", "responder_spi", "validate_to_none" ],
    [ "extra.", "next_payload", "validate_to_none" ],
    [ "extra.", "flags", "validate_to_none" ],
    [ "extra.", "message_id", "validate_to_none" ],
    [ "extra.", "next_payload2", "validate_to_none" ],
    [ "extra.", "domain_of_interpretation", "validate_to_none" ],
    [ "extra.", "protocol_id", "validate_to_none" ],
    [ "extra.", "notify_message_type", "validate_to_none" ],
    [ "extra.", "response_size", "convert_int" ],
    [ "extra.", "amplification", "convert_float" ]
  ],
  "required_fields" : [
    [ "time.source", "timestamp", "add_UTC_to_timestamp" ],
    [ "source.ip", "ip", "validate_ip" ],
    [ "source.port", "port", "convert_int" ]
  ],
  "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp-..."
}
{
  "constant_fields" : {
    "classification.identifier" : "accessible-ike",
    "classification.taxonomy" : "other",
    "classification.type" : "other",
    "protocol.application" : "ipsec"
  },
  "feed_name" : "Accessible-ISAKMP",
  "file_name" : "population_isakmp",
  "optional_fields" : [
    [ "extra.isakmp_exchange_type", "exchange_type" ],
    [ "extra.isakmp_spi_size", "spi_size", "convert_int" ],
    [ "extra.", "severity", "validate_to_none" ],
    [ "protocol.transport", "protocol" ],
    [ "source.reverse_dns", "hostname" ],
    [ "extra.", "tag" ],
    [ "source.asn", "asn", "invalidate_zero" ],
    [ "source.geolocation.cc", "geo" ],
    [ "source.geolocation.region", "region" ],
    [ "source.geolocation.city", "city" ],
    [ "extra.source.naics", "naics", "invalidate_zero" ],
    [ "extra.", "hostname_source", "validate_to_none" ],
    [ "extra.source.sector", "sector", "validate_to_none" ],
    [ "extra.", "initiator_spi", "validate_to_none" ],
    [ "extra.", "responder_spi", "validate_to_none" ],
    [ "extra.", "next_payload", "validate_to_none" ],
    [ "extra.", "flags", "validate_to_none" ],
    [ "extra.", "message_id", "validate_to_none" ],
    [ "extra.", "next_payload2", "validate_to_none" ],
    [ "extra.", "domain_of_interpretation", "validate_to_none" ],
    [ "extra.", "protocol_id", "validate_to_none" ],
    [ "extra.", "notify_message_type", "validate_to_none" ],
    [ "extra.", "response_size", "convert_int" ],
    [ "extra.", "amplification", "convert_float" ]
  ],
  "required_fields" : [
    [ "time.source", "timestamp", "add_UTC_to_timestamp" ],
    [ "source.ip", "ip", "validate_ip" ],
    [ "source.port", "port", "convert_int" ]
  ],
  "url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-isakmp-..."
}
On 9/4/25 10:23 PM, Sebix wrote:
Hi!
On 04/09/2025 17:06, elsif via IntelMQ-dev wrote:
"optional_fields" : [ [ "extra.", "spi_size", "convert_int" ],
Is that the size of a serial interface?
[ "extra.", "exchange_type", "validate_to_none" ],
Does that indicate what type of trade that is?
These two could be given different names to be clearer and better reflect their actual meaning. Maybe adding a prefix `isakmp_`.
Best regards,
Sebastian
-- Institute for Common Good Technology gemeinnütziger Kulturverein - nonprofit cultural society https://commongoodtechnology.org/ ZVR 1510673578
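The following is an added example, not IntelMQ's or Shadowserver's own code: a simplified model of how a mapping like the revised one in this thread turns one report row into an IntelMQ-style event. It shows that a bare "extra." target takes the column name as its key suffix while the renamed "extra.isakmp_*" targets name the key explicitly, and how required and optional fields differ when a value is empty or fails validation. The converter semantics and the sample row are assumptions constructed for this example.

```python
# Added example (not IntelMQ's own code): minimal model of applying a
# Shadowserver mapping to one report row. Converter behaviour is an assumption.
import ipaddress

MAPPING = {  # constructed subset of the revised "Accessible-ISAKMP" mapping
    "constant_fields": {"classification.identifier": "accessible-ike",
                        "classification.taxonomy": "other",
                        "classification.type": "other",
                        "protocol.application": "ipsec"},
    "required_fields": [["time.source", "timestamp", "add_UTC_to_timestamp"],
                        ["source.ip", "ip", "validate_ip"],
                        ["source.port", "port", "convert_int"]],
    "optional_fields": [["extra.isakmp_exchange_type", "exchange_type"],
                        ["extra.isakmp_spi_size", "spi_size", "convert_int"],
                        ["extra.", "severity", "validate_to_none"],
                        ["protocol.transport", "protocol"],
                        ["source.asn", "asn", "invalidate_zero"],
                        ["extra.", "initiator_spi", "validate_to_none"],
                        ["extra.", "amplification", "convert_float"]],
}

# Simplified converters named after those the mapping references (assumption).
CONVERTERS = {
    "convert_int": lambda v: int(v),
    "convert_float": lambda v: float(v),
    "invalidate_zero": lambda v: int(v) or None,          # 0 means "unknown"
    "validate_to_none": lambda v: None if v in ("", "0", "none") else v,
    "validate_ip": lambda v: str(ipaddress.ip_address(v)),  # raises if invalid
    "add_UTC_to_timestamp": lambda v: v + " UTC",
}

def apply_mapping(row: dict, mapping: dict = MAPPING) -> dict:
    """Build an event dict from one CSV row given as column -> string."""
    event = dict(mapping["constant_fields"])
    for group in ("required_fields", "optional_fields"):
        for target, column, *conv in mapping[group]:
            # a target ending in "." gets the column name appended as the key
            key = target + column if target.endswith(".") else target
            value = row.get(column, "")
            if conv and value != "":
                try:
                    value = CONVERTERS[conv[0]](value)
                except ValueError:
                    value = None
            if value in ("", None):
                if group == "required_fields":
                    raise ValueError(f"required field {column!r} missing/invalid")
                continue  # optional: silently dropped from the event
            event[key] = value
    return event

# Constructed sample row resembling one line of the report (not real data)
SAMPLE_ROW = {"timestamp": "2025-09-04 10:00:00", "ip": "192.0.2.10", "port": "500",
              "protocol": "udp", "exchange_type": "2", "spi_size": "8",
              "severity": "", "asn": "0", "initiator_spi": "0", "amplification": "2.8"}
```

Running apply_mapping(SAMPLE_ROW) yields an event with extra.isakmp_spi_size as an int and drops source.asn, extra.severity and extra.initiator_spi because their values were zero or empty.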