[IntelMQ-dev] Shift of focus, new fields in IDF needed for scanning results?

Otmar Lendl lendl at cert.at
Thu Aug 17 17:32:20 CEST 2023 

Folks,

I've been looking at some of the data that we recently processed with 
our IntelMQ setup (leading to 
https://cert.at/de/aktuelles/2023/8/verwundbare-webserver-status-in-osterreich), 
and I found that we need a few changes to IntelMQ to better process 
these kind of feeds.

What happened? Initially, our focus with IntelMQ was on botnet drones 
which were detected via sinkholing. That's why we have the source.*, 
destination.*, and malware.* parameters in the data model. A C2 
communication was the main inspiration.

These days, a majority of the data feeds we process are generated by 
scanning the Internet. That can be Shodan, that can be Shadowserver, 
that can be from our own local scans. This is fine and good, it gives us 
valuable telemetry on what's going on in our constituency.

But the fields needed to store the data in a consistent way are missing 
in the current iteration of the IDF. I don't want to pack that into 
extra.* or any non-standard field, I think we should come to an 
agreement what those elements are and how they should be handled.

Here are some of the data fields I'm missing:

What did the scanning find?

* vendor
* product
* software version

Are there any problems with it?

* Vulnerability identifier (CVE or other, potentially multi-valued, 
which is another can of worms)
* Severity information (e.g. associated CVSS score)
* CWE IDs (https://cwe.mitre.org/index.html)

Generic tagging

* I see e.g. "iot", "ics" or similar ones popping up.

As a minimum I think we need "vendor", "product" and "vulnerability".

What do you all think?

otmar

-----------

References:

https://datapedia.shodan.io/

There is e.g.:

os        string Operating system 	
platform  string 		
product   string Name of the software that powers the service. 	
vendor    string


https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/

info on the vendor and CVEs is stored in the tag field.

-- 
// Otmar Lendl <lendl at cert.at> - T: +43 1 5056416 711
// CERT Austria - https://www.cert.at/
// CERT.at GmbH, FB-Nr. 561772k, HG Wien
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cert.at/pipermail/intelmq-dev/attachments/20230817/a0749e14/attachment.sig>

More information about the IntelMQ-dev mailing list