[IntelMQ-dev] RFC: scan_msrpc report

Thomas Hungenberg th at cert-bund.de
Mon Dec 9 15:43:11 CET 2024


Hi all,

sorry for jumping in late... I was out of office last week.


Kamil Mankowski wrote:
> 2. As it doesn't assess any vulnerability, I'd suggest the classification type "potentially-unwanted-accessible", what do you think?

This is true for many other open-* and accessible-* reports as well.
We discussed this with the first version of the schema and decided to stay
with "vulnerable-service" and change the classification type to
"potentially-unwanted-accessible" where appropriate for all reports at once
at some time later to not mix up things.

scan_msrpc now is the only report with classification.type "potentially-unwanted-accessible".

I'd suggest setting the classification type to "vulnerable-service" here for now
and changing it to "potentially-unwanted-accessible" at some time later
along with all other reports where appropriate.


Sebix wrote:
> If I'd read just "extra.version" in the event data either as data receiver or operator, I'd have no idea what version is meant here.

We have "extra.version" with many other reports like open-elasticsearch,
accessible-activemq or accessible-mysql as well.

I think that in a "scan_msrpc" report, it's intuitive that "version" is the msrpc version.

We usually map all extra fields from the reports using their original name
(like "version" -> "extra.version" or "tag" -> "extra.tag").

What we IMHO should NOT do is break this convention by mapping "version" to "extra.msrpc_version".

So I'd suggest keeping "extra.version" like with other reports.


Regards
Thomas
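To make the mapping convention under discussion concrete, here is a small added illustration (not IntelMQ's parser code) of how a schema entry of the shape `[event_key, csv_column, converter]` turns one report row into event fields, built once with "extra.version" and once with "extra.msrpc_version" so the two results can be compared. The converter table, the `required_fields` list and the sample row are constructed assumptions; only the field names from the thread are taken from the schema snippet.

```python
from typing import Any, Callable, Dict

# Constructed stand-ins for the converters a schema entry can name
# (assumption: only the two used below, not IntelMQ's full converter table).
CONVERTERS: Dict[str, Callable[[str], Any]] = {
    "convert_int": int,
    "convert_float": float,
}

def scan_msrpc_schema(version_key: str = "extra.version") -> Dict[str, Any]:
    """Schema entry for scan_msrpc, parameterised on the key the 'version'
    column maps to, so both naming choices from the thread can be tried.
    The required_fields list is an assumption about the report's columns."""
    return {
        "constant_fields": {
            "classification.identifier": "accessible-msrpc",
            "classification.taxonomy": "vulnerable",
            "classification.type": "vulnerable-service",
        },
        "required_fields": [
            ["time.source", "timestamp"],
            ["source.ip", "ip"],
            ["source.port", "port", "convert_int"],
        ],
        "optional_fields": [
            [version_key, "version", "convert_float"],
            ["extra.tag", "tag"],
        ],
    }

def apply_schema(row: Dict[str, str], schema: Dict[str, Any]) -> Dict[str, Any]:
    """Map one CSV row to event fields; entries are [event_key, csv_column, converter?]."""
    event: Dict[str, Any] = dict(schema["constant_fields"])
    for entry in schema["required_fields"] + schema["optional_fields"]:
        key, column = entry[0], entry[1]
        raw = row.get(column, "")
        if raw == "":
            if entry in schema["required_fields"]:
                raise ValueError(f"missing required column {column!r}")
            continue  # empty optional cell: the field is simply absent
        convert = CONVERTERS[entry[2]] if len(entry) > 2 else (lambda v: v)
        event[key] = convert(raw)
    return event

# Constructed sample row, not real report data.
ROW = {"timestamp": "2024-12-05 00:00:00", "ip": "192.0.2.10",
       "port": "135", "version": "5.0", "tag": "msrpc"}

if __name__ == "__main__":
    for key in ("extra.version", "extra.msrpc_version"):
        print(apply_schema(ROW, scan_msrpc_schema(key)))
```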


On 05.12.24 17:27, elsif wrote:
> Thank you.  The schema update has been published.
> 
> Regards,
> 
> Jason
> 
> On 12/5/24 4:42 AM, Kamil Mankowski via IntelMQ-dev wrote:
>> It looks good to me :)
>>
>> Best regards
>>
>> // Kamil Mańkowski <mankowski at cert.at> - T: +43 676 898 298 7204
>> // CERT Austria - https://www.cert.at/
>> // CERT.at GmbH, FB-Nr. 561772k, HG Wien
>>
>> On 12/3/24 17:25, elsif wrote:
>>> Thank you for your comments.
>>>
>>> Here are the changes based on your feedback:
>>>
>>>     "scan_msrpc" : {
>>>        "constant_fields" : {
>>>           "classification.identifier" : "accessible-msrpc",
>>>           "classification.taxonomy" : "vulnerable",
>>>           "classification.type" : "potentially-unwanted-accessible"
>>>        },
>>>        "feed_name" : "Accessible-MS-RPC-Endpoint-Mapper",
>>>        "file_name" : "scan_msrpc",
>>>        "optional_fields" : [
>>>           [
>>>              "extra.msrpc_version",
>>>              "version",
>>>              "convert_float"
>>>           ],
>>>
>>>    ...
>>>
>>>        "url" : "https://www.shadowserver.org/what-we-do/network-reporting/ms-rpc-endpoint-mapper-report"
>>>
>>>    }
>>>
>>> Please let me know if any changes are needed or if it is ready to publish.
>>>
>>> Regards,
>>>
>>> Jason
>>>
>>>
>>> _______________________________________________
>>> IntelMQ-dev mailing list
>>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/
