[IntelMQ-dev] RFC: scan_msrpc report

Mika Silander mika.silander at csc.fi
Tue Dec 3 08:00:43 CET 2024


Hi Jason,

 Thank you for notifying us about this. One additional request though: could you please also enable access to the feed's web page? Accessing https://www.shadowserver.org/what-we-do/network-reporting/what-we-do/network-reporting/ms-rpc-endpoint-mapper-report now gives (at least to me) "404 page not found".

Br, Mika

----- Original Message -----
From: "elsif" <elsif at shadowserver.org>
To: "intelmq-dev" <intelmq-dev at lists.cert.at>
Sent: Monday, 2 December, 2024 21:36:48
Subject: [IntelMQ-dev] RFC: scan_msrpc report

Hello,

A new report for accessible MS-RPC will begin distribution tonight.

Please let me know if the sample schema mapping below is acceptable or 
if any changes are needed.

Regards,

Jason


--

    "scan_msrpc" : {
       "constant_fields" : {
          "classification.identifier" : "accessible-msrpc",
          "classification.taxonomy" : "vulnerable",
          "classification.type" : "vulnerable-system"
       },
       "feed_name" : "Accessible-MS-RPC-Endpoint-Mapper",
       "file_name" : "scan_msrpc",
       "optional_fields" : [
          [
             "extra.",
             "packet_type_value",
             "convert_int"
          ],
          [
             "extra.",
             "fragment_length",
             "convert_int"
          ],
          [
             "extra.",
             "max_transmit",
             "convert_int"
          ],
          [
             "extra.",
             "max_receive",
             "convert_int"
          ],
          [
             "extra.",
             "severity",
             "validate_to_none"
          ],
          [
             "protocol.transport",
             "protocol"
          ],
          [
             "source.reverse_dns",
             "hostname"
          ],
          [
             "extra.",
             "tag",
             "validate_to_none"
          ],
          [
             "source.asn",
             "asn",
             "invalidate_zero"
          ],
          [
             "source.geolocation.cc",
             "geo"
          ],
          [
             "source.geolocation.region",
             "region"
          ],
          [
             "source.geolocation.city",
             "city"
          ],
          [
             "extra.source.naics",
             "naics",
             "invalidate_zero"
          ],
          [
             "extra.",
             "hostname_source",
             "validate_to_none"
          ],
          [
             "extra.source.sector",
             "sector",
             "validate_to_none"
          ],
          [
             "extra.",
             "version",
             "validate_to_none"
          ],
          [
             "extra.",
             "packet_type",
             "validate_to_none"
          ],
          [
             "extra.",
             "packet_flags",
             "validate_to_none"
          ],
          [
             "extra.",
             "data_representation",
             "validate_to_none"
          ],
          [
             "extra.",
             "auth_length",
             "validate_to_none"
          ],
          [
             "extra.",
             "call_id",
             "validate_to_none"
          ],
          [
             "extra.",
             "association_group",
             "validate_to_none"
          ],
          [
             "extra.",
             "raw_response",
             "validate_to_none"
          ]
       ],
       "required_fields" : [
          [
             "time.source",
             "timestamp",
             "add_UTC_to_timestamp"
          ],
          [
             "source.ip",
             "ip",
             "validate_ip"
          ],
          [
             "source.port",
             "port",
             "convert_int"
          ]
       ],
       "url" : "https://www.shadowserver.org/what-we-do/network-reporting/what-we-do/network-reporting/ms-rpc-endpoint-mapper-report"
    }

_______________________________________________
IntelMQ-dev mailing list
https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
https://docs.intelmq.org/
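The mapping above is a table of (IntelMQ field, Shadowserver CSV column, converter) entries. To show what the table actually does to a report row, here is an added, self-contained Python example; it is not code from this thread or from the IntelMQ project. The converter functions (convert_int, validate_to_none, invalidate_zero, add_UTC_to_timestamp, validate_ip) are this example's own approximations of what their names imply, and the handling of the "extra." prefix (append the column name) is likewise an assumption; IntelMQ's real shadowserver parser may differ in detail. The CSV rows are constructed sample data using documentation address ranges, not real report content.

```python
"""Apply the scan_msrpc field mapping to Shadowserver-style CSV rows.

Added example, not code from the mail or from IntelMQ. Converter
semantics and the "extra." prefix rule are assumptions (see lead-in).
"""
import csv
import io
import ipaddress
from typing import Callable, Dict, List, Optional


# --- converters (assumed semantics) ----------------------------------------

def convert_int(value: str) -> Optional[int]:
    """Empty string -> None, otherwise int(); non-numeric input raises."""
    return int(value) if value.strip() else None


def validate_to_none(value: str) -> Optional[str]:
    """Treat empty or placeholder values ('-') as absent."""
    return None if value.strip() in ("", "-") else value


def invalidate_zero(value: str) -> Optional[int]:
    """Like convert_int, but 0 (unknown ASN / NAICS) also counts as absent."""
    number = convert_int(value)
    return None if number in (None, 0) else number


def add_UTC_to_timestamp(value: str) -> str:
    """Shadowserver timestamps carry no zone marker; make UTC explicit."""
    return f"{value} UTC"


def validate_ip(value: str) -> str:
    """Normalise the address; anything that is not an IP literal raises."""
    return str(ipaddress.ip_address(value))


CONVERTERS: Dict[str, Callable[[str], object]] = {
    f.__name__: f for f in (convert_int, validate_to_none, invalidate_zero,
                            add_UTC_to_timestamp, validate_ip)
}

# --- the mapping from the mail, as (intelmq_field, csv_column[, converter]) -
SCAN_MSRPC = {
    "constant_fields": {
        "classification.identifier": "accessible-msrpc",
        "classification.taxonomy": "vulnerable",
        "classification.type": "vulnerable-system",
    },
    "required_fields": [
        ("time.source", "timestamp", "add_UTC_to_timestamp"),
        ("source.ip", "ip", "validate_ip"),
        ("source.port", "port", "convert_int"),
    ],
    "optional_fields": [
        ("extra.", "packet_type_value", "convert_int"),
        ("extra.", "fragment_length", "convert_int"),
        ("extra.", "max_transmit", "convert_int"),
        ("extra.", "max_receive", "convert_int"),
        ("extra.", "severity", "validate_to_none"),
        ("protocol.transport", "protocol"),
        ("source.reverse_dns", "hostname"),
        ("extra.", "tag", "validate_to_none"),
        ("source.asn", "asn", "invalidate_zero"),
        ("source.geolocation.cc", "geo"),
        ("source.geolocation.region", "region"),
        ("source.geolocation.city", "city"),
        ("extra.source.naics", "naics", "invalidate_zero"),
        ("extra.", "hostname_source", "validate_to_none"),
        ("extra.source.sector", "sector", "validate_to_none"),
        ("extra.", "version", "validate_to_none"),
        ("extra.", "packet_type", "validate_to_none"),
        ("extra.", "packet_flags", "validate_to_none"),
        ("extra.", "data_representation", "validate_to_none"),
        ("extra.", "auth_length", "validate_to_none"),
        ("extra.", "call_id", "validate_to_none"),
        ("extra.", "association_group", "validate_to_none"),
        ("extra.", "raw_response", "validate_to_none"),
    ],
}


def _convert(spec, raw: str):
    """Run the spec's converter if it names one, else pass the string through."""
    return CONVERTERS[spec[2]](raw) if len(spec) > 2 else raw


def map_row(row: Dict[str, str], mapping=SCAN_MSRPC) -> Dict[str, object]:
    """Turn one CSV row into a flat IntelMQ-style event dict."""
    event: Dict[str, object] = dict(mapping["constant_fields"])
    for spec in mapping["required_fields"]:
        target, column = spec[0], spec[1]
        raw = row.get(column, "")
        if raw == "":
            raise ValueError(f"required column {column!r} is missing or empty")
        event[target] = _convert(spec, raw)
    for spec in mapping["optional_fields"]:
        target, column = spec[0], spec[1]
        raw = row.get(column, "")
        if raw == "":
            continue
        value = _convert(spec, raw)
        if value is None:
            continue  # converter decided the value is absent or invalid
        if target.endswith("."):
            target += column  # assumed: "extra." keeps the column name
        event[target] = value
    return event


def parse_report(text: str, mapping=SCAN_MSRPC) -> List[Dict[str, object]]:
    """Parse a whole CSV report into a list of events."""
    return [map_row(row, mapping) for row in csv.DictReader(io.StringIO(text))]


# Constructed sample rows (not real Shadowserver data; RFC 5737 addresses).
SAMPLE_REPORT = """timestamp,ip,protocol,port,hostname,tag,asn,geo,region,city,naics,sector,severity,version,packet_type,packet_type_value,packet_flags,fragment_length,max_transmit,max_receive,call_id
2024-12-02 20:00:00,192.0.2.10,tcp,135,host.example.net,msrpc,64496,NL,NOORD-HOLLAND,AMSTERDAM,0,,-,5,bind_ack,12,3,68,5840,5840,1
2024-12-02 20:00:01,198.51.100.7,tcp,135,,msrpc,0,DE,,,,,,5,bind_ack,12,3,68,5840,5840,1
"""

if __name__ == "__main__":
    for event in parse_report(SAMPLE_REPORT):
        print(event)
```

Running it prints two events: the first carries source.asn and source.reverse_dns, the second drops both (ASN 0 is invalidated, the hostname column is empty), and in both the naics value 0 and the "-" severity disappear rather than being stored as misleading literals. A row without an ip or timestamp column raises instead of producing a half-populated event.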