[Intelmq-dev] Classification of malware events
Sebastian Wagner
wagner at cert.at
Tue Mar 6 16:57:46 CET 2018
Hi,
On 2018-03-01 15:41, Thomas Hungenberg wrote:
> However, my intention was to set the *type* to 'infected system'
> and not the *identifier*
Makes sense. But couldn't a c&c server also be an infected system? An
infected system could also be a hacked website which sends spam. The
term is very generic.
> (which will be overwritten by the modify expert).
BTW: I will soon publish a PR which adds a download&convert script for
the newly create malware family mappings, to use them for the modify
bot: http://github.com/certtools/malware_name_mapping
> So I'd like to propose to change the classification scheme as follows:
>
> 'classification.taxonomy': 'malicious code',
> 'classification.type': 'infected system',
> 'classification.identifier': 'malware', # default name, will be overwritten by modify expert
Sounds reasonable, because at this point we do not know for sure if we
do not know the malware or not. If the former would be so, I'd prefer
something like 'malware-generic' which indicates that it is some kind of
generic value.
Sebastian
--
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// Eine Initiative der nic.at GmbH - https://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20180306/6232e33e/attachment.sig>
More information about the Intelmq-dev
mailing list