[IntelMQ-dev] ShadowServer feeds vs. ShadowServer parser bot

Sebastian Wagner wagner at cert.at
Wed Mar 24 08:57:18 CET 2021


Hi list,

I just opened the issue https://github.com/certtools/intelmq/issues/1829
for tracking the support for these optional Shadowserver feeds.

Contributions are welcome.

kind regards
Sebastian

On 3/23/21 9:17 AM, Mika Silander wrote:
> Hi Sebastian,
>
>  True. It also seems ShadowServer recently started publishing some new reports tagged "special" related to Hafnium and vulnerable Exchange servers. It is not easy to keep up with new feeds.
>
>  I'd be happy to contribute with pull requests but our own project is top on the priority list so contributions have to wait still for a while :-). I'll send the list of feeds in a private message.
>
> Br, Mika
>
> ----- Original Message -----
> From: "Sebastian Wagner" <wagner at cert.at>
> To: "Mika Silander" <mika.silander at csc.fi>, "intelmq-dev" <intelmq-dev at lists.cert.at>
> Sent: Tuesday, 23 March, 2021 10:06:40
> Subject: Re: [IntelMQ-dev] ShadowServer feeds vs. ShadowServer parser bot
>
> Good Morning,
>
> I wasn't even aware of that feed. IntelMQ will always be running after
> Shadowserver as we don't know of feeds in advance either (and the data
> examples for the feeds given on Shadowserver's website are often not
> complete).
>
> If you can pass me on one example file (I can anonymize it myself as
> well) I can extend the Shadowserver parser for this new feed. We are
> also happily accepting pull requests :)
>
> kind regards
> Sebastian
>
> On 3/23/21 8:05 AM, Mika Silander wrote:
>> Hi.
>>
>>  After trying to match current ShadowServer feeds to their internal intelmq identifiers, I got stuck with a few that I cannot find a corresponding internal mapping for in intelmq/bots/parsers/shadowserver/config.py (intelmq 2.3.1). One example is the Click-Fraud Report (https://www.shadowserver.org/what-we-do/network-reporting/click-fraud-report/). Correct me if I'm wrong in assuming all ShadowServer feeds are perhaps not (yet?) supported by the ShadowServer parser bot. 
>>
>>  Are there plans for extending the parser bot in question? Don't take me wrong, this is no criticism, the bot does a fine job. I would just like to know what the situation is and then be able to decide how to continue with our own project.
>>
>> Cheers, Mika

-- 
// Sebastian Wagner <wagner at cert.at> - T: +43 1 5056416 7201
// CERT Austria - https://www.cert.at/
// An initiative of nic.at GmbH - https://www.nic.at/
// Company register number 172568b, Regional Court Salzburg

