[IntelMQ-dev] RFC: scan_msrpc report
Kamil Mankowski
mankowski at cert.at
Tue Dec 3 09:30:18 CET 2024
Hi all,
thanks for the info.
From my side:
1. The link looks broken, should be
https://www.shadowserver.org/what-we-do/network-reporting/ms-rpc-endpoint-mapper-report/
2. As it doesn't assess any vulnerability, I'd suggest the
classification type "potentially-unwanted-accessible", what do you think?
The rest looks good to me, thanks for the new report!
Best regards
// Kamil Mańkowski <mankowski at cert.at> - T: +43 676 898 298 7204
// CERT Austria - https://www.cert.at/
// CERT.at GmbH, FB-Nr. 561772k, HG Wien
On 12/3/24 08:00, Mika Silander via IntelMQ-dev wrote:
> Hi Jason,
>
> Thank you for notifying us about this. One additional request though: could you please also enable access to the feed's web page? Accessing https://www.shadowserver.org/what-we-do/network-reporting/what-we-do/network-reporting/ms-rpc-endpoint-mapper-report now gives (at least to me) "404 page not found".
>
> Br, Mika
>
> ----- Original Message -----
> From: "elsif" <elsif at shadowserver.org>
> To: "intelmq-dev" <intelmq-dev at lists.cert.at>
> Sent: Monday, 2 December, 2024 21:36:48
> Subject: [IntelMQ-dev] RFC: scan_msrpc report
>
> Hello,
>
> A new report for accessible MS-RPC will begin distribution tonight.
>
> Please let me know if the sample schema mapping below is acceptable or
> if any changes are needed.
>
> Regards,
>
> Jason
>
>
> --
>
> "scan_msrpc" : {
> "constant_fields" : {
> "classification.identifier" : "accessible-msrpc",
> "classification.taxonomy" : "vulnerable",
> "classification.type" : "vulnerable-system"
> },
> "feed_name" : "Accessible-MS-RPC-Endpoint-Mapper",
> "file_name" : "scan_msrpc",
> "optional_fields" : [
> [
> "extra.",
> "packet_type_value",
> "convert_int"
> ],
> [
> "extra.",
> "fragment_length",
> "convert_int"
> ],
> [
> "extra.",
> "max_transmit",
> "convert_int"
> ],
> [
> "extra.",
> "max_receive",
> "convert_int"
> ],
> [
> "extra.",
> "severity",
> "validate_to_none"
> ],
> [
> "protocol.transport",
> "protocol"
> ],
> [
> "source.reverse_dns",
> "hostname"
> ],
> [
> "extra.",
> "tag",
> "validate_to_none"
> ],
> [
> "source.asn",
> "asn",
> "invalidate_zero"
> ],
> [
> "source.geolocation.cc",
> "geo"
> ],
> [
> "source.geolocation.region",
> "region"
> ],
> [
> "source.geolocation.city",
> "city"
> ],
> [
> "extra.source.naics",
> "naics",
> "invalidate_zero"
> ],
> [
> "extra.",
> "hostname_source",
> "validate_to_none"
> ],
> [
> "extra.source.sector",
> "sector",
> "validate_to_none"
> ],
> [
> "extra.",
> "version",
> "validate_to_none"
> ],
> [
> "extra.",
> "packet_type",
> "validate_to_none"
> ],
> [
> "extra.",
> "packet_flags",
> "validate_to_none"
> ],
> [
> "extra.",
> "data_representation",
> "validate_to_none"
> ],
> [
> "extra.",
> "auth_length",
> "validate_to_none"
> ],
> [
> "extra.",
> "call_id",
> "validate_to_none"
> ],
> [
> "extra.",
> "association_group",
> "validate_to_none"
> ],
> [
> "extra.",
> "raw_response",
> "validate_to_none"
> ]
> ],
> "required_fields" : [
> [
> "time.source",
> "timestamp",
> "add_UTC_to_timestamp"
> ],
> [
> "source.ip",
> "ip",
> "validate_ip"
> ],
> [
> "source.port",
> "port",
> "convert_int"
> ]
> ],
> "url" :
> "https://www.shadowserver.org/what-we-do/network-reporting/what-we-do/network-reporting/ms-rpc-endpoint-mapper-report"
> }
>
> _______________________________________________
> IntelMQ-dev mailing list
> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/
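The mapping Jason posted follows the IntelMQ Shadowserver-parser schema shape: each entry is `[intelmq_field, csv_column, converter]`, with `"extra."` meaning "store under `extra.<csv_column>`", and `constant_fields` supplying the classification. The block below is an added example, not IntelMQ's or Shadowserver's own code: it applies a trimmed copy of that mapping to a constructed CSV row and shows how the converter names in the schema shape the resulting event (empty or zero values dropped, port and integers typed, timestamp marked UTC, bad IPs rejected), and how the `classification.type` suggested by Kamil would be swapped in. The converter bodies are assumed approximations of the named IntelMQ helpers, and `apply_mapping` / `parse_report` are hypothetical names.

```python
"""Added example (not IntelMQ's or Shadowserver's code): apply a schema
mapping in the shape of the scan_msrpc entry above to a constructed CSV row,
producing a flat IntelMQ-style event dict.
The converter helpers are assumed approximations of the IntelMQ helper names
that the mapping references; they are not copied from IntelMQ."""
import csv
import io
import ipaddress
from typing import Callable, Dict, List, Optional

# Trimmed copy of the posted scan_msrpc mapping: [intelmq_field, csv_column, converter?]
SCAN_MSRPC = {
    "constant_fields": {
        "classification.identifier": "accessible-msrpc",
        "classification.taxonomy": "vulnerable",
        "classification.type": "vulnerable-system",
    },
    "required_fields": [
        ["time.source", "timestamp", "add_UTC_to_timestamp"],
        ["source.ip", "ip", "validate_ip"],
        ["source.port", "port", "convert_int"],
    ],
    "optional_fields": [
        ["protocol.transport", "protocol"],
        ["source.reverse_dns", "hostname"],
        ["source.asn", "asn", "invalidate_zero"],
        ["source.geolocation.cc", "geo"],
        ["extra.", "tag", "validate_to_none"],
        ["extra.", "max_transmit", "convert_int"],
        ["extra.", "version", "validate_to_none"],
        ["extra.", "raw_response", "validate_to_none"],
    ],
}


# Assumed converter semantics (hypothetical; IntelMQ's real helpers may differ).
def convert_int(v: str) -> Optional[int]:
    return int(v) if v.strip() else None


def validate_to_none(v: str) -> Optional[str]:
    return v if v.strip() and v != "-" else None  # empty or "-" means absent


def invalidate_zero(v: str) -> Optional[int]:
    n = convert_int(v)
    return n if n else None  # 0 is a placeholder, not a real ASN/NAICS


def validate_ip(v: str) -> str:
    return str(ipaddress.ip_address(v))  # raises ValueError on non-IPs


def add_UTC_to_timestamp(v: str) -> str:
    return f"{v} UTC"  # Shadowserver timestamps are UTC without a zone marker


CONVERTERS: Dict[str, Callable[[str], object]] = {
    f.__name__: f
    for f in (convert_int, validate_to_none, invalidate_zero, validate_ip, add_UTC_to_timestamp)
}


def apply_mapping(schema: dict, row: Dict[str, str],
                  classification_type: Optional[str] = None) -> dict:
    """Map one CSV row to an event; optionally override classification.type
    (e.g. 'potentially-unwanted-accessible' as suggested in the thread)."""
    event = dict(schema["constant_fields"])
    if classification_type:
        event["classification.type"] = classification_type
    for group, required in (("required_fields", True), ("optional_fields", False)):
        for entry in schema[group]:
            field, column = entry[0], entry[1]
            conv = CONVERTERS[entry[2]] if len(entry) > 2 else (lambda v: v or None)
            raw = row.get(column)
            if raw is None:
                if required:
                    raise KeyError(f"required column {column!r} missing")
                continue
            value = conv(raw)
            if value is None:
                if required:
                    raise ValueError(f"required column {column!r} is empty")
                continue
            if field == "extra.":  # "extra." prefix: key off the CSV column name
                field = "extra." + column
            event[field] = value
    return event


def parse_report(text: str, schema: dict = SCAN_MSRPC,
                 classification_type: Optional[str] = None) -> List[dict]:
    return [apply_mapping(schema, row, classification_type)
            for row in csv.DictReader(io.StringIO(text))]


# Constructed sample report (not real Shadowserver data).
SAMPLE = """timestamp,ip,port,protocol,hostname,asn,geo,tag,max_transmit,version,raw_response
2024-12-03 00:00:00,192.0.2.10,135,tcp,,0,AT,,4280,5,"05 00 0c 03"
"""

if __name__ == "__main__":
    for ev in parse_report(SAMPLE, classification_type="potentially-unwanted-accessible"):
        print(ev)
```

Running the module prints one event whose `source.asn`, `source.reverse_dns` and `extra.tag` are absent (zero or empty input), whose `source.port` and `extra.max_transmit` are integers, and whose `classification.type` carries the override; a row with a non-IP `ip` value is rejected by `validate_ip` instead of producing a malformed event.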