[Intelmq-dev] Classification of malware events
Thomas Hungenberg
th at cert-bund.de
Fri Mar 2 13:12:50 CET 2018
I've created PR #1197 for this.
On 01.03.2018 15:41, Thomas Hungenberg wrote:
>
> The current classification scheme for malware events in shadowserver/parser/config.py is:
>
> 'constant_fields': {
> 'classification.taxonomy': 'malicious code',
> 'classification.type': 'botnet drone',
> 'classification.identifier': 'botnet',
> },
>
> The modify expert (if used) overwrites the classification.identifier
> with a malware name (either a "harmonized" name or the value of
> malware.name as default).
>
> Last year, we discussed dropping the term "botnet (drone)" and
> replacing it with "infected system" (as not all malware-infected
> systems are necessarily part of a botnet).
>
> The config.py in branch develop currently looks like:
>
> 'classification.taxonomy': 'malicious code',
> 'classification.type': 'botnet drone',
> 'classification.identifier': 'infected system',
>
> However, my intention was to set the *type* to 'infected system'
> and not the *identifier* (which will be overwritten by the modify expert).
>
> So I'd like to propose to change the classification scheme as follows:
>
> 'classification.taxonomy': 'malicious code',
> 'classification.type': 'infected system',
> 'classification.identifier': 'malware', # default name, will be overwritten by modify expert
>
> So the final classification of an event will look like:
>
> 'classification.taxonomy': 'malicious code',
> 'classification.type': 'infected system',
> 'classification.identifier': 'ramnit',
>
>
> Thoughts? Objections?
>
>
> - Thomas
>
> CERT-Bund Incident Response & Malware Analysis Team
>
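As an added illustration (not part of the original mail or of IntelMQ's code), a small Python model of how the parser's constant fields and a modify-expert-style overwrite combine into the final classification; the harmonization table and the sample event are constructed, and the field names other than those quoted in the mail are assumptions.

```python
# Added example, not IntelMQ's own code: models how the parser's constant
# fields and a modify-expert-style rule combine into the final classification.
from typing import Dict

# Proposed scheme from the mail: the type carries "infected system",
# the identifier is only a default that the modify expert overwrites.
PROPOSED_FIELDS = {
    'classification.taxonomy': 'malicious code',
    'classification.type': 'infected system',
    'classification.identifier': 'malware',
}

# Scheme currently in branch develop (quoted in the mail), for comparison.
DEVELOP_FIELDS = {
    'classification.taxonomy': 'malicious code',
    'classification.type': 'botnet drone',
    'classification.identifier': 'infected system',
}

# Constructed harmonization table (assumption; the real rules live in the
# modify expert's own configuration). Lookup is case-insensitive.
HARMONIZED_NAMES = {
    'win32/ramnit': 'ramnit',
    'b106-ramnit': 'ramnit',
}

def parse_event(raw: Dict[str, str], constant_fields: Dict[str, str]) -> Dict[str, str]:
    """Mimic the parser: keep the observed fields and add the constants."""
    event = dict(raw)
    event.update(constant_fields)
    return event

def modify_expert(event: Dict[str, str]) -> Dict[str, str]:
    """Overwrite classification.identifier with the harmonized malware name,
    falling back to malware.name itself; keep the default if no name is set."""
    name = event.get('malware.name')
    if name:
        event['classification.identifier'] = HARMONIZED_NAMES.get(name.lower(), name)
    return event

def classify(raw: Dict[str, str], constant_fields: Dict[str, str] = PROPOSED_FIELDS) -> Dict[str, str]:
    """Run one event through the parser constants and the modify expert."""
    return modify_expert(parse_event(raw, constant_fields))

# Constructed sample event: with the develop scheme the "infected system"
# label sits in the identifier and is lost once the modify expert runs;
# with the proposed scheme it survives in the type.
SAMPLE = {'source.ip': '192.0.2.10', 'malware.name': 'Win32/Ramnit'}
```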