[IntelMQ-dev] classification attributes in IntelMQ Shadowserver parser schema
Thomas Hungenberg
th at cert-bund.de
Fri Feb 2 11:48:06 CET 2024
Hi,
thanks a lot for your prompt response and sorry for the delay on my side.
The changes look good!
However, I have made a few additional changes:
1)
Make classification.identifier for honeypot_ics_scan consistent
with other honeypot scans:
=====================
"event_honeypot_ics_scan" : {
"constant_fields" : {
- "classification.identifier" : "ics",
+ "classification.identifier" : "honeypot-ics-scan",
=====================
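Review bot: the new value for event_honeypot_ics_scan replaces an identifier, "ics", that existing deployments may already match on, so the completed-changes.md entry should name both the old and the new value. The rename itself brings the entry in line with the "honeypot-adb-scan" form used for event_honeypot_adb_scan in the attached schema.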
This change should be documented here:
https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
2)
Change classification.taxonomy and classification.type from
"classification.taxonomy" : "other",
"classification.type" : "other",
to
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
for accessible-bgp and accessible-msmq.
Not included in old _config.py, so no need to document.
3)
Change classification.taxonomy and classification.type from
"classification.taxonomy" : "other",
"classification.type" : "other",
to
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
for open-mysql, open-postgres, open-couchdb, open-epmd.
This change should be documented here:
https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
4)
Correct classification.identifier for vulnerable-http:
=====================
"scan_http_vulnerable" : {
"constant_fields" : {
- "classification.identifier" : "accessible-http",
+ "classification.identifier" : "vulnerable-http",
"scan6_http_vulnerable" : {
"constant_fields" : {
- "classification.identifier" : "accessible-http",
+ "classification.identifier" : "vulnerable-http",
=====================
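Review bot: in scan_http_vulnerable and scan6_http_vulnerable only classification.identifier is visible; the classification.taxonomy and classification.type lines of these two entries are outside the hunk, so it is worth confirming they were not left at "other" as in items 2 and 3. Both entries now carry the same identifier, which keeps the IPv4 and IPv6 reports consistent.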
This change should be documented here:
https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
Please find the updated intelmq.json attached.
Kind regards
Thomas
On 31.01.24 16:42, elsif wrote:
> Hello,
>
> Proposed changes are attached. Please let me know if you agree with the changes or have any alterations.
>
> Regards
>
> On 1/31/24 7:05 AM, Thomas Hungenberg wrote:
>> Hi,
>>
>> Sebastian (sebix) told me it was agreed that with the translation
>> from the current parser _config.py (included with IntelMQ 3.2.1)
>> to the new schema, no classification.* attributes will be changed.
>>
>> This is very important as our setup (and most probably others as well)
>> heavily depends on known classification identifiers like "open-rdp"
>> and classification types from the initial parsing of events up to
>> notification_rules and formats/templates for mailgen.
>> So with a change of a classification attribute lots of scripts and
>> configs would need to be changed as well.
>>
>> Looking at the current schema, I see the classification identifiers
>> are still correct for some feeds for both IPv4 and IPv6 like here:
>>
>> "scan_dns" : {
>> "constant_fields" : {
>> "classification.identifier" : "dns-open-resolver",
>>
>> "scan6_dns" : {
>> "constant_fields" : {
>> "classification.identifier" : "dns-open-resolver",
>>
>>
>> However, for other feeds the classification identifier has been kept
>> correctly for IPv4 like here:
>>
>> "scan_rdp" : {
>> "constant_fields" : {
>> "classification.identifier" : "open-rdp",
>>
>> "compromised_website" : {
>> "constant_fields" : {
>> "classification.identifier" : "compromised-website",
>>
>>
>> but for IPv6 it has changed to the name of the feed:
>>
>> "scan6_rdp" : {
>> "constant_fields" : {
>> "classification.identifier" : "scan6-rdp", <- should be "open-rdp"
>>
>> "compromised_website6" : {
>> "constant_fields" : {
>> "classification.identifier" : "compromised-website6", <- should be "compromised-website"
>>
>>
>> The classification.identifier should describe the incident (like "open-rdp")
>> and not the source (like "scan6-rdp").
>>
>> May I ask you to check and adjust all classification identifiers and types
>> in the schema so they are consistent with the ones generated by the current
>> _config.py?
>>
>>
>> Thanks a lot for all your work on the new schema based parser!
>>
>>
>> Kind regards
>> Thomas
>>
--
- Thomas
CERT-Bund Incident Response & Malware Analysis Team
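
An added example (not IntelMQ or Shadowserver code): a Python check for the two consistency properties discussed in this thread, namely that an IPv6 report carries the same classification.* constants as its IPv4 counterpart, and that no constant drifts from a known baseline unnoticed. The pairing rule (scan6_/population6_ prefix or a trailing 6), the baseline format and the sample data are assumptions constructed from the names quoted in the thread.

```python
import re

# Constructed sample: a cut-down schema that mixes values quoted at different
# points in the thread (only the keys the checks need).
SAMPLE_SCHEMA = {
    "_meta": {"date_created": "constructed-sample"},
    "scan_dns": {"constant_fields": {"classification.identifier": "dns-open-resolver"}},
    "scan6_dns": {"constant_fields": {"classification.identifier": "dns-open-resolver"}},
    "scan_rdp": {"constant_fields": {"classification.identifier": "open-rdp"}},
    "scan6_rdp": {"constant_fields": {"classification.identifier": "scan6-rdp"}},
    "compromised_website": {"constant_fields": {
        "classification.identifier": "compromised-website",
        "classification.taxonomy": "intrusions",
        "classification.type": "system-compromise"}},
    "compromised_website6": {"constant_fields": {
        "classification.identifier": "compromised-website6",
        "classification.taxonomy": "intrusions",
        "classification.type": "system-compromise"}},
    "event_honeypot_ics_scan": {"constant_fields": {
        "classification.identifier": "honeypot-ics-scan"}},
}

# Constructed baseline: report key -> classification.* values a deployment
# currently relies on (hypothetical format, e.g. exported from the old parser).
SAMPLE_BASELINE = {
    "scan_rdp": {"classification.identifier": "open-rdp"},
    "event_honeypot_ics_scan": {"classification.identifier": "ics"},
}


def ipv4_counterpart(name):
    """Return the IPv4 report key for an IPv6 key, or None (assumed naming rule)."""
    match = re.match(r"^(scan|population)6_(.+)$", name)
    if match:
        return f"{match.group(1)}_{match.group(2)}"
    if name.endswith("6") and len(name) > 1:
        return name[:-1]
    return None


def classification(entry):
    """Extract the constant classification.* fields of one report entry."""
    constants = entry.get("constant_fields", {})
    return {k: v for k, v in constants.items() if k.startswith("classification.")}


def diff_fields(expected, actual):
    """Map each differing key to (expected, actual); a missing key counts as None."""
    keys = sorted(set(expected) | set(actual))
    return {k: (expected.get(k), actual.get(k))
            for k in keys if expected.get(k) != actual.get(k)}


def ipv6_mismatches(schema):
    """IPv6 reports whose classification.* constants differ from the IPv4 report."""
    findings = {}
    for name, entry in schema.items():
        if name.startswith("_") or not isinstance(entry, dict):
            continue  # skip "_meta" and anything that is not a report entry
        v4_name = ipv4_counterpart(name)
        if v4_name is None or v4_name not in schema:
            continue  # not an IPv6 report, or no IPv4 report to compare with
        diff = diff_fields(classification(schema[v4_name]), classification(entry))
        if diff:
            findings[name] = diff
    return findings


def baseline_drift(schema, baseline):
    """Reports whose classification.* constants differ from the baseline."""
    findings = {}
    for name, expected in baseline.items():
        if name not in schema:
            continue
        diff = diff_fields(expected, classification(schema[name]))
        if diff:
            findings[name] = diff
    return findings


if __name__ == "__main__":
    for name, diff in sorted(ipv6_mismatches(SAMPLE_SCHEMA).items()):
        for key, (v4_value, v6_value) in diff.items():
            print(f"{name}: {key} is {v6_value!r}, IPv4 report has {v4_value!r}")
    for name, diff in sorted(baseline_drift(SAMPLE_SCHEMA, SAMPLE_BASELINE).items()):
        for key, (old, new) in diff.items():
            print(f"{name}: {key} changed from {old!r} to {new!r}")
```

Reports that take classification.identifier from a report column (listed under optional_fields) have no constant identifier and are compared only on the constants they do set.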
-------------- next part --------------
{
"_meta" : {
"change_log" : [
"The 'classification.identifier' has been updated to describe the incident for the compromised_website6, population6_bgp, population6_msmq, population_bgp, population_msmq, scan6_activemq, scan6_bgp, scan6_cwmp, scan6_elasticsearch, scan6_ipp, scan6_mqtt, scan6_mqtt_anon, scan6_mysql, scan6_postgres, scan6_rdp, scan6_slp, scan6_smb, scan6_smtp, scan6_smtp_vulnerable, scan6_snmp, scan6_ssh, scan6_ssl, scan6_ssl_freak, scan6_ssl_poodle, scan6_stun, scan6_telnet, and scan6_vnc reports."
],
"date_created" : "2024-01-31T15:37:08Z"
},
"blocklist" : {
"constant_fields" : {
"classification.identifier" : "blacklisted-ip",
"classification.taxonomy" : "other",
"classification.type" : "blacklist"
},
"feed_name" : "Blocklist",
"file_name" : "blocklist",
"optional_fields" : [
[
"source.network",
"ip",
"validate_network"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"source",
"validate_to_none"
],
[
"extra.",
"reason",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/blocklist-report/"
},
"compromised_account" : {
"constant_fields" : {
"classification.identifier" : "compromised-account",
"classification.taxonomy" : "information-content-security",
"classification.type" : "data-leak"
},
"feed_name" : "Compromised-Account",
"file_name" : "compromised_account",
"optional_fields" : [
[
"source.account",
"username",
"validate_to_none"
],
[
"event_description.text",
"detail",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"email",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"source_url",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"status",
"status"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"extra.",
"service",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/compromised-account-report/"
},
"compromised_website" : {
"constant_fields" : {
"classification.identifier" : "compromised-website",
"classification.taxonomy" : "intrusions",
"classification.type" : "system-compromise"
},
"feed_name" : "Compromised-Website",
"file_name" : "compromised_website",
"optional_fields" : [
[
"protocol.application",
"application",
"validate_to_none"
],
[
"source.url",
"url",
"convert_http_host_and_url",
true
],
[
"source.fqdn",
"http_host",
"validate_fqdn"
],
[
"event_description.text",
"category",
"category_or_detail",
true
],
[
"malware.name",
"family",
"validate_to_none"
],
[
"source.account",
"account",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"system",
"validate_to_none"
],
[
"extra.",
"detected_since",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"redirect_target",
"validate_to_none"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"cc_url",
"validate_to_none"
],
[
"status",
"status"
],
[
"extra.",
"detail",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/"
},
"compromised_website6" : {
"constant_fields" : {
"classification.identifier" : "compromised-website",
"classification.taxonomy" : "intrusions",
"classification.type" : "system-compromise"
},
"feed_name" : "IPv6-Compromised-Website",
"file_name" : "compromised_website6",
"optional_fields" : [
[
"protocol.application",
"application",
"validate_to_none"
],
[
"source.url",
"url",
"convert_http_host_and_url",
true
],
[
"source.fqdn",
"http_host",
"validate_fqdn"
],
[
"event_description.text",
"category",
"category_or_detail",
true
],
[
"malware.name",
"family",
"validate_to_none"
],
[
"source.account",
"account",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"system",
"validate_to_none"
],
[
"extra.",
"detected_since",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"redirect_target",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"cc_url",
"validate_to_none"
],
[
"status",
"status"
],
[
"extra.",
"detail",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/compromised-website-report/"
},
"device_id" : {
"constant_fields" : {
"classification.identifier" : "device-id",
"classification.taxonomy" : "other",
"classification.type" : "undetermined"
},
"feed_name" : "Device-Identification IPv4",
"file_name" : "device_id",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/"
},
"device_id6" : {
"constant_fields" : {
"classification.identifier" : "device-id",
"classification.taxonomy" : "other",
"classification.type" : "undetermined"
},
"feed_name" : "Device-Identification IPv6",
"file_name" : "device_id6",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"event4_microsoft_sinkhole" : {
"constant_fields" : {
"classification.taxonomy" : "malicious-code",
"classification.type" : "infected-system"
},
"feed_name" : "Microsoft-Sinkhole-Events IPv4",
"file_name" : "event4_microsoft_sinkhole",
"optional_fields" : [
[
"classification.identifier",
"infection",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"ssl_cipher",
"validate_to_none"
],
[
"extra.",
"ssl_servername",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
]
},
"event4_microsoft_sinkhole_http" : {
"constant_fields" : {
"classification.taxonomy" : "malicious-code",
"classification.type" : "infected-system",
"protocol.application" : "http"
},
"feed_name" : "Microsoft-Sinkhole-Events-HTTP IPv4",
"file_name" : "event4_microsoft_sinkhole_http",
"optional_fields" : [
[
"classification.identifier",
"infection",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"destination.url",
"http_url",
"convert_http_host_and_url",
true
],
[
"destination.fqdn",
"http_host",
"validate_fqdn"
],
[
"extra.",
"http_agent",
"validate_to_none"
],
[
"extra.",
"forwarded_by",
"validate_to_none"
],
[
"extra.",
"ssl_cipher",
"validate_to_none"
],
[
"extra.",
"http_referer",
"validate_to_none"
],
[
"extra.",
"ssl_servername",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
]
},
"event6_sinkhole" : {
"constant_fields" : {
"classification.taxonomy" : "malicious-code",
"classification.type" : "infected-system"
},
"feed_name" : "Sinkhole-Events IPv6",
"file_name" : "event6_sinkhole",
"optional_fields" : [
[
"classification.identifier",
"infection",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"ssl_cipher",
"validate_to_none"
],
[
"extra.",
"ssl_servername",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
]
},
"event6_sinkhole_http" : {
"constant_fields" : {
"classification.taxonomy" : "malicious-code",
"classification.type" : "infected-system",
"protocol.application" : "http"
},
"feed_name" : "Sinkhole-Events-HTTP IPv6",
"file_name" : "event6_sinkhole_http",
"optional_fields" : [
[
"classification.identifier",
"infection",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"destination.url",
"http_url",
"convert_http_host_and_url",
true
],
[
"destination.fqdn",
"http_host",
"validate_fqdn"
],
[
"extra.",
"http_agent",
"validate_to_none"
],
[
"extra.",
"forwarded_by",
"validate_to_none"
],
[
"extra.",
"ssl_cipher",
"validate_to_none"
],
[
"extra.",
"http_referer",
"validate_to_none"
],
[
"extra.",
"ssl_servername",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
]
},
"event6_sinkhole_http_referer" : {
"constant_fields" : {
"classification.taxonomy" : "malicious-code",
"classification.type" : "infected-system",
"protocol.application" : "http"
},
"feed_name" : "Sinkhole-Events-HTTP-Referer IPv6",
"file_name" : "event6_sinkhole_http_referer",
"optional_fields" : [
[
"classification.identifier",
"infection",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"extra.",
"http_referer_ip",
"validate_ip"
],
[
"extra.",
"http_referer_port",
"convert_int"
],
[
"extra.",
"http_referer_asn",
"invalidate_zero"
],
[
"extra.",
"http_referer_geo",
"validate_to_none"
],
[
"extra.",
"http_referer_region",
"validate_to_none"
],
[
"extra.",
"http_referer_city",
"validate_to_none"
],
[
"extra.",
"http_referer_hostname",
"validate_to_none"
],
[
"extra.",
"http_referer_naics",
"invalidate_zero"
],
[
"extra.",
"http_referer_sector",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"destination.url",
"http_url",
"convert_http_host_and_url",
true
],
[
"destination.fqdn",
"http_host",
"validate_fqdn"
],
[
"extra.",
"http_referer",
"validate_to_none"
],
[
"extra.",
"ssl_servername",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
]
]
},
"event_ddos_participant" : {
"constant_fields" : {
"classification.identifier" : "ddos-participant",
"classification.taxonomy" : "availability",
"classification.type" : "ddos"
},
"feed_name" : "DDoS-Participant",
"file_name" : "event4_ddos_participant",
"optional_fields" : [
[
"extra.",
"duration",
"convert_int"
],
[
"extra.",
"attack_src_port",
"convert_int"
],
[
"extra.",
"http_usessl",
"convert_bool"
],
[
"extra.",
"ip_header_seqnum",
"convert_int"
],
[
"extra.",
"ip_header_ttl",
"convert_int"
],
[
"extra.",
"number_of_connections",
"convert_int"
],
[
"extra.",
"packet_length",
"convert_int"
],
[
"extra.",
"packet_randomized",
"convert_bool"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"domain_source",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"dst_network",
"validate_to_none"
],
[
"extra.",
"dst_netmask",
"validate_to_none"
],
[
"extra.",
"attack",
"validate_to_none"
],
[
"extra.",
"attack_src_ip",
"validate_to_none"
],
[
"extra.",
"domain",
"validate_to_none"
],
[
"extra.",
"domain_transaction_id",
"validate_to_none"
],
[
"extra.",
"gcip",
"validate_to_none"
],
[
"extra.",
"http_method",
"validate_to_none"
],
[
"extra.",
"http_path",
"validate_to_none"
],
[
"extra.",
"http_postdata",
"validate_to_none"
],
[
"extra.",
"ip_header_ack",
"validate_to_none"
],
[
"extra.",
"ip_header_acknum",
"validate_to_none"
],
[
"extra.",
"ip_header_dont_fragment",
"validate_to_none"
],
[
"extra.",
"ip_header_fin",
"validate_to_none"
],
[
"extra.",
"ip_header_identity",
"validate_to_none"
],
[
"extra.",
"ip_header_psh",
"validate_to_none"
],
[
"extra.",
"ip_header_rst",
"validate_to_none"
],
[
"extra.",
"ip_header_syn",
"validate_to_none"
],
[
"extra.",
"ip_header_tos",
"validate_to_none"
],
[
"extra.",
"ip_header_urg",
"validate_to_none"
],
[
"extra.",
"http_agent",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/ddos-participant-report/"
},
"event_honeypot_adb_scan" : {
"constant_fields" : {
"classification.identifier" : "honeypot-adb-scan",
"classification.taxonomy" : "information-gathering",
"classification.type" : "scanner",
"protocol.application" : "adb"
},
"feed_name" : "Honeypot-ADB-Scanner",
"file_name" : "event4_honeypot_adb_scan",
"optional_fields" : [
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_enum",
"validate_to_none"
],
[
"extra.",
"vulnerability_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_class",
"validate_to_none"
],
[
"extra.",
"vulnerability_score",
"convert_float"
],
[
"extra.",
"vulnerability_severity",
"validate_to_none"
],
[
"extra.",
"vulnerability_version",
"validate_to_none"
],
[
"extra.",
"threat_framework",
"validate_to_none"
],
[
"extra.",
"threat_tactic_id",
"validate_to_none"
],
[
"extra.",
"threat_technique_id",
"validate_to_none"
],
[
"extra.",
"target_vendor",
"validate_to_none"
],
[
"extra.",
"target_product",
"validate_to_none"
],
[
"extra.",
"target_class",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.",
"commands",
"validate_to_none"
],
[
"extra.",
"maxdata",
"validate_to_none"
],
[
"extra.",
"system_type",
"validate_to_none"
],
[
"extra.",
"opened",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-adb-scanner-events-report/"
},
"event_honeypot_brute_force" : {
"constant_fields" : {
"classification.taxonomy" : "intrusion-attempts",
"classification.type" : "brute-force"
},
"feed_name" : "Honeypot-Brute-Force-Events",
"file_name" : "event4_honeypot_brute_force",
"optional_fields" : [
[
"classification.identifier",
"application"
],
[
"destination.account",
"username",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"service",
"validate_to_none"
],
[
"extra.",
"start_time",
"convert_date_utc"
],
[
"extra.",
"end_time",
"convert_date_utc"
],
[
"extra.",
"client_version",
"validate_to_none"
],
[
"extra.",
"password",
"validate_to_none"
],
[
"extra.",
"payload_url",
"validate_to_none"
],
[
"extra.",
"payload_md5",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-brute-force-events-report/"
},
"event_honeypot_darknet" : {
"constant_fields" : {
"classification.taxonomy" : "other",
"classification.type" : "other"
},
"feed_name" : "Honeypot-Darknet",
"file_name" : "event4_honeypot_darknet",
"optional_fields" : [
[
"classification.identifier",
"tag",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"count",
"convert_int"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-darknet-events-report/"
},
"event_honeypot_ddos" : {
"constant_fields" : {
"classification.identifier" : "honeypot-ddos",
"classification.taxonomy" : "availability",
"classification.type" : "ddos"
},
"feed_name" : "Honeypot-DDoS",
"file_name" : "event4_honeypot_ddos",
"optional_fields" : [
[
"extra.",
"duration",
"convert_int"
],
[
"extra.",
"attack_src_port",
"convert_int"
],
[
"extra.",
"http_usessl",
"convert_bool"
],
[
"extra.",
"ip_header_seqnum",
"convert_int"
],
[
"extra.",
"ip_header_ttl",
"convert_int"
],
[
"extra.",
"number_of_connections",
"convert_int"
],
[
"extra.",
"packet_length",
"convert_int"
],
[
"extra.",
"packet_randomized",
"convert_bool"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"domain_source",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"dst_network",
"validate_to_none"
],
[
"extra.",
"dst_netmask",
"validate_to_none"
],
[
"extra.",
"attack",
"validate_to_none"
],
[
"extra.",
"attack_src_ip",
"validate_to_none"
],
[
"extra.",
"domain",
"validate_to_none"
],
[
"extra.",
"domain_transaction_id",
"validate_to_none"
],
[
"extra.",
"gcip",
"validate_to_none"
],
[
"extra.",
"http_method",
"validate_to_none"
],
[
"extra.",
"http_path",
"validate_to_none"
],
[
"extra.",
"http_postdata",
"validate_to_none"
],
[
"extra.",
"ip_header_ack",
"validate_to_none"
],
[
"extra.",
"ip_header_acknum",
"validate_to_none"
],
[
"extra.",
"ip_header_dont_fragment",
"validate_to_none"
],
[
"extra.",
"ip_header_fin",
"validate_to_none"
],
[
"extra.",
"ip_header_identity",
"validate_to_none"
],
[
"extra.",
"ip_header_psh",
"validate_to_none"
],
[
"extra.",
"ip_header_rst",
"validate_to_none"
],
[
"extra.",
"ip_header_syn",
"validate_to_none"
],
[
"extra.",
"ip_header_tos",
"validate_to_none"
],
[
"extra.",
"ip_header_urg",
"validate_to_none"
],
[
"extra.",
"http_agent",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ddos-events/"
},
"event_honeypot_ddos_amp" : {
"constant_fields" : {
"classification.identifier" : "amplification-ddos-victim",
"classification.taxonomy" : "availability",
"classification.type" : "ddos"
},
"feed_name" : "Honeypot-Amplification-DDoS-Events",
"file_name" : "event4_honeypot_ddos_amp",
"optional_fields" : [
[
"extra.",
"avg_pps",
"convert_float"
],
[
"extra.",
"max_pps",
"convert_float"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"request",
"validate_to_none"
],
[
"extra.",
"count",
"convert_int"
],
[
"extra.",
"bytes",
"convert_int"
],
[
"extra.",
"end_time",
"convert_date_utc"
],
[
"extra.",
"duration",
"convert_int"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-amplification-ddos-events-report/"
},
"event_honeypot_ddos_target" : {
"constant_fields" : {
"classification.identifier" : "honeypot-ddos-target",
"classification.taxonomy" : "availability",
"classification.type" : "ddos"
},
"feed_name" : "Honeypot-DDoS-Target",
"file_name" : "event4_honeypot_ddos_target",
"optional_fields" : [
[
"extra.",
"attack_src_port",
"convert_int"
],
[
"extra.",
"http_usessl",
"convert_bool"
],
[
"extra.",
"ip_header_seqnum",
"convert_int"
],
[
"extra.",
"ip_header_ttl",
"convert_int"
],
[
"extra.",
"number_of_connections",
"convert_int"
],
[
"extra.",
"packet_length",
"convert_int"
],
[
"extra.",
"packet_randomized",
"convert_bool"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"domain_source",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"dst_network",
"validate_to_none"
],
[
"extra.",
"dst_netmask",
"validate_to_none"
],
[
"extra.",
"attack",
"validate_to_none"
],
[
"extra.",
"duration",
"convert_int"
],
[
"extra.",
"attack_src_ip",
"validate_to_none"
],
[
"extra.",
"domain",
"validate_to_none"
],
[
"extra.",
"domain_transaction_id",
"validate_to_none"
],
[
"extra.",
"gcip",
"validate_to_none"
],
[
"extra.",
"http_method",
"validate_to_none"
],
[
"extra.",
"http_path",
"validate_to_none"
],
[
"extra.",
"http_postdata",
"validate_to_none"
],
[
"extra.",
"ip_header_ack",
"validate_to_none"
],
[
"extra.",
"ip_header_acknum",
"validate_to_none"
],
[
"extra.",
"ip_header_dont_fragment",
"validate_to_none"
],
[
"extra.",
"ip_header_fin",
"validate_to_none"
],
[
"extra.",
"ip_header_identity",
"validate_to_none"
],
[
"extra.",
"ip_header_psh",
"validate_to_none"
],
[
"extra.",
"ip_header_rst",
"validate_to_none"
],
[
"extra.",
"ip_header_syn",
"validate_to_none"
],
[
"extra.",
"ip_header_tos",
"validate_to_none"
],
[
"extra.",
"ip_header_urg",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ddos-target-events-report/"
},
"event_honeypot_http_scan" : {
"constant_fields" : {
"classification.identifier" : "honeypot-http-scan",
"classification.taxonomy" : "information-gathering",
"classification.type" : "scanner",
"protocol.application" : "http"
},
"feed_name" : "Honeypot-HTTP-Scan",
"file_name" : "event4_honeypot_http_scan",
"optional_fields" : [
[
"user_agent",
"http_agent",
"validate_to_none"
],
[
"extra.method",
"http_request_method",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"pattern",
"validate_to_none"
],
[
"destination.url",
"http_url",
"convert_http_host_and_url",
true
],
[
"extra.",
"url_scheme",
"validate_to_none"
],
[
"extra.",
"session_tags",
"validate_to_none"
],
[
"extra.",
"vulnerability_enum",
"validate_to_none"
],
[
"extra.",
"vulnerability_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_class",
"validate_to_none"
],
[
"extra.",
"vulnerability_score",
"convert_float"
],
[
"extra.",
"vulnerability_severity",
"validate_to_none"
],
[
"extra.",
"vulnerability_version",
"validate_to_none"
],
[
"extra.",
"threat_framework",
"validate_to_none"
],
[
"extra.",
"threat_tactic_id",
"validate_to_none"
],
[
"extra.",
"threat_technique_id",
"validate_to_none"
],
[
"extra.",
"target_vendor",
"validate_to_none"
],
[
"extra.",
"target_product",
"validate_to_none"
],
[
"extra.",
"target_class",
"validate_to_none"
],
[
"extra.",
"file_md5",
"validate_to_none"
],
[
"extra.",
"file_sha256",
"validate_to_none"
],
[
"extra.",
"request_raw",
"force_base64"
],
[
"extra.",
"body_raw",
"force_base64"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-http-scanner-events/"
},
"event_honeypot_ics_scan" : {
"constant_fields" : {
"classification.identifier" : "honeypot-ics-scan",
"classification.taxonomy" : "information-gathering",
"classification.type" : "scanner"
},
"feed_name" : "Honeypot-ICS-Scanner",
"file_name" : "event4_honeypot_ics_scan",
"optional_fields" : [
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"state",
"validate_to_none"
],
[
"extra.",
"sensor_id",
"validate_to_none"
],
[
"extra.",
"slave_id",
"validate_to_none"
],
[
"extra.",
"function_code",
"validate_to_none"
],
[
"extra.",
"request",
"validate_to_none"
],
[
"extra.",
"response",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ics-scanner-events-report/"
},
"event_honeypot_ikev2_scan" : {
"constant_fields" : {
"classification.identifier" : "honeypot-ikev2-scan",
"classification.taxonomy" : "information-gathering",
"classification.type" : "scanner",
"protocol.application" : "ikev2"
},
"feed_name" : "Honeypot-IKEv2-Scanner",
"file_name" : "event4_honeypot_ikev2_scan",
"optional_fields" : [
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_enum",
"validate_to_none"
],
[
"extra.",
"vulnerability_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_class",
"validate_to_none"
],
[
"extra.",
"vulnerability_score",
"convert_float"
],
[
"extra.",
"vulnerability_severity",
"validate_to_none"
],
[
"extra.",
"vulnerability_version",
"validate_to_none"
],
[
"extra.",
"threat_framework",
"validate_to_none"
],
[
"extra.",
"threat_tactic_id",
"validate_to_none"
],
[
"extra.",
"threat_technique_id",
"validate_to_none"
],
[
"extra.",
"target_vendor",
"validate_to_none"
],
[
"extra.",
"target_product",
"validate_to_none"
],
[
"extra.",
"target_class",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-ikev2-scanner-events-report/"
},
"event_honeypot_rdp_scan" : {
"constant_fields" : {
"classification.identifier" : "honeypot-rdp-scan",
"classification.taxonomy" : "information-gathering",
"classification.type" : "scanner",
"protocol.application" : "rdp"
},
"feed_name" : "Honeypot-RDP-Scanner",
"file_name" : "event4_honeypot_rdp_scan",
"optional_fields" : [
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_enum",
"validate_to_none"
],
[
"extra.",
"vulnerability_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_class",
"validate_to_none"
],
[
"extra.",
"vulnerability_score",
"convert_float"
],
[
"extra.",
"vulnerability_severity",
"validate_to_none"
],
[
"extra.",
"vulnerability_version",
"validate_to_none"
],
[
"extra.",
"threat_framework",
"validate_to_none"
],
[
"extra.",
"threat_tactic_id",
"validate_to_none"
],
[
"extra.",
"threat_technique_id",
"validate_to_none"
],
[
"extra.",
"target_vendor",
"validate_to_none"
],
[
"extra.",
"target_product",
"validate_to_none"
],
[
"extra.",
"target_class",
"validate_to_none"
],
[
"extra.",
"cookie",
"validate_to_none"
],
[
"extra.",
"session_tags",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-rdp-scanner-events-report/"
},
"event_honeypot_rocketmq_scan" : {
"constant_fields" : {
"classification.identifier" : "honeypot-rocketmq-scan",
"classification.taxonomy" : "information-gathering",
"classification.type" : "scanner",
"protocol.application" : "rocketmq"
},
"feed_name" : "Honeypot-RocketMQ-Scanner",
"file_name" : "event4_honeypot_rocketmq_scan",
"optional_fields" : [
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_enum",
"validate_to_none"
],
[
"extra.",
"vulnerability_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_class",
"validate_to_none"
],
[
"extra.",
"vulnerability_score",
"convert_float"
],
[
"extra.",
"vulnerability_severity",
"validate_to_none"
],
[
"extra.",
"vulnerability_version",
"validate_to_none"
],
[
"extra.",
"threat_framework",
"validate_to_none"
],
[
"extra.",
"threat_tactic_id",
"validate_to_none"
],
[
"extra.",
"threat_technique_id",
"validate_to_none"
],
[
"extra.",
"target_vendor",
"validate_to_none"
],
[
"extra.",
"target_product",
"validate_to_none"
],
[
"extra.",
"target_class",
"validate_to_none"
],
[
"extra.",
"code",
"validate_to_none"
],
[
"extra.",
"flag",
"validate_to_none"
],
[
"extra.",
"language",
"validate_to_none"
],
[
"extra.",
"opaque",
"validate_to_none"
],
[
"extra.",
"serialize_type",
"validate_to_none"
],
[
"extra.",
"body",
"validate_to_none"
],
[
"extra.",
"body_base64",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-rocketmq-scanner-events-report/"
},
"event_honeypot_smb_scan" : {
"constant_fields" : {
"classification.identifier" : "honeypot-smb-scan",
"classification.taxonomy" : "information-gathering",
"classification.type" : "scanner",
"protocol.application" : "smb"
},
"feed_name" : "Honeypot-SMB-Scanner",
"file_name" : "event4_honeypot_smb_scan",
"optional_fields" : [
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_enum",
"validate_to_none"
],
[
"extra.",
"vulnerability_id",
"validate_to_none"
],
[
"extra.",
"vulnerability_class",
"validate_to_none"
],
[
"extra.",
"vulnerability_score",
"convert_float"
],
[
"extra.",
"vulnerability_severity",
"validate_to_none"
],
[
"extra.",
"vulnerability_version",
"validate_to_none"
],
[
"extra.",
"threat_framework",
"validate_to_none"
],
[
"extra.",
"threat_tactic_id",
"validate_to_none"
],
[
"extra.",
"threat_technique_id",
"validate_to_none"
],
[
"extra.",
"target_vendor",
"validate_to_none"
],
[
"extra.",
"target_product",
"validate_to_none"
],
[
"extra.",
"target_class",
"validate_to_none"
],
[
"extra.",
"command",
"validate_to_none"
],
[
"extra.",
"flags",
"validate_to_none"
],
[
"extra.",
"supported_protocols",
"validate_to_none"
],
[
"extra.",
"session_tags",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/honeypot-smb-scanner-events-report/"
},
"event_ip_spoofer" : {
"constant_fields" : {
"classification.identifier" : "ip-spoofer",
"classification.taxonomy" : "fraud",
"classification.type" : "masquerade"
},
"feed_name" : "IP-Spoofer-Events",
"file_name" : "event4_ip_spoofer",
"optional_fields" : [
[
"extra.",
"infection",
"validate_to_none"
],
[
"source.network",
"network",
"validate_network"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"routedspoof",
"validate_to_none"
],
[
"extra.",
"session",
"validate_to_none"
],
[
"extra.",
"nat",
"convert_bool"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/ip-spoofer-events-report/"
},
"event_sinkhole" : {
"constant_fields" : {
"classification.taxonomy" : "malicious-code",
"classification.type" : "infected-system"
},
"feed_name" : "Sinkhole-Events IPv4",
"file_name" : "event4_sinkhole",
"optional_fields" : [
[
"classification.identifier",
"infection",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"extra.",
"ssl_cipher",
"validate_to_none"
],
[
"extra.",
"ssl_servername",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-events-report/"
},
"event_sinkhole_dns" : {
"constant_fields" : {
"classification.identifier" : "sinkholedns",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "dns"
},
"feed_name" : "Sinkhole-DNS",
"file_name" : "event4_sinkhole_dns",
"optional_fields" : [
[
"extra.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.sector",
"src_sector",
"validate_to_none"
],
[
"extra.dns_query_type",
"query_type"
],
[
"extra.dns_query",
"query"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"extra.",
"count",
"convert_int"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-dns-events-report/"
},
"event_sinkhole_http" : {
"constant_fields" : {
"classification.taxonomy" : "malicious-code",
"classification.type" : "infected-system",
"protocol.application" : "http"
},
"feed_name" : "Sinkhole-Events-HTTP IPv4",
"file_name" : "event4_sinkhole_http",
"optional_fields" : [
[
"classification.identifier",
"infection",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"src_asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"src_geo"
],
[
"source.geolocation.region",
"src_region"
],
[
"source.geolocation.city",
"src_city"
],
[
"source.reverse_dns",
"src_hostname"
],
[
"extra.source.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.source.sector",
"src_sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"destination.url",
"http_url",
"convert_http_host_and_url",
true
],
[
"destination.fqdn",
"http_host",
"validate_fqdn"
],
[
"extra.",
"http_agent",
"validate_to_none"
],
[
"extra.",
"forwarded_by",
"validate_to_none"
],
[
"extra.",
"ssl_cipher",
"validate_to_none"
],
[
"extra.",
"http_referer",
"validate_to_none"
],
[
"extra.",
"ssl_servername",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"src_ip",
"validate_ip"
],
[
"source.port",
"src_port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-http-events-report/"
},
"event_sinkhole_http_referer" : {
"constant_fields" : {
"classification.taxonomy" : "malicious-code",
"classification.type" : "infected-system",
"protocol.application" : "http"
},
"feed_name" : "Sinkhole-Events-HTTP-Referer IPv4",
"file_name" : "event4_sinkhole_http_referer",
"optional_fields" : [
[
"classification.identifier",
"infection",
"validate_to_none"
],
[
"malware.name",
"infection",
"validate_to_none"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"family",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"extra.",
"http_referer_ip",
"validate_ip"
],
[
"extra.",
"http_referer_port",
"convert_int"
],
[
"extra.",
"http_referer_asn",
"invalidate_zero"
],
[
"extra.",
"http_referer_geo",
"validate_to_none"
],
[
"extra.",
"http_referer_region",
"validate_to_none"
],
[
"extra.",
"http_referer_city",
"validate_to_none"
],
[
"extra.",
"http_referer_hostname",
"validate_to_none"
],
[
"extra.",
"http_referer_naics",
"invalidate_zero"
],
[
"extra.",
"http_referer_sector",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"destination.ip",
"dst_ip",
"validate_ip"
],
[
"destination.port",
"dst_port",
"convert_int"
],
[
"destination.asn",
"dst_asn",
"invalidate_zero"
],
[
"destination.geolocation.cc",
"dst_geo"
],
[
"destination.geolocation.region",
"dst_region"
],
[
"destination.geolocation.city",
"dst_city"
],
[
"destination.reverse_dns",
"dst_hostname",
"validate_to_none"
],
[
"extra.destination.naics",
"dst_naics",
"invalidate_zero"
],
[
"extra.destination.sector",
"dst_sector",
"validate_to_none"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"event_id",
"validate_to_none"
],
[
"destination.url",
"http_url",
"convert_http_host_and_url",
true
],
[
"destination.fqdn",
"http_host",
"validate_fqdn"
],
[
"extra.",
"http_referer",
"validate_to_none"
],
[
"extra.",
"ssl_servername",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-http-referer-events-report/"
},
"malware_url" : {
"constant_fields" : {
"classification.identifier" : "malware-url",
"classification.taxonomy" : "malicious-code",
"classification.type" : "malware-distribution"
},
"feed_name" : "Malware-URL",
"file_name" : "malware_url",
"optional_fields" : [
[
"source.url",
"url",
"convert_http_host_and_url",
true
],
[
"source.fqdn",
"hostname",
"validate_fqdn"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"extra.",
"tag"
],
[
"extra.",
"source",
"validate_to_none"
],
[
"malware.hash.sha256",
"sha256",
"validate_to_none"
],
[
"extra.",
"application",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/"
},
"phish_url" : {
"constant_fields" : {
"classification.identifier" : "phish-url",
"classification.taxonomy" : "fraud",
"classification.type" : "phishing"
},
"feed_name" : "Phish-URL",
"file_name" : "phish_url",
"optional_fields" : [
[
"source.url",
"url",
"convert_http_host_and_url",
true
],
[
"source.fqdn",
"hostname",
"validate_fqdn"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"extra.",
"tag"
],
[
"extra.",
"source",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"population6_bgp" : {
"constant_fields" : {
"classification.identifier" : "accessible-bgp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "bgp"
},
"feed_name" : "IPv6-Accessible-BGP",
"file_name" : "population6_bgp",
"optional_fields" : [
[
"extra.",
"message_type_int",
"convert_int"
],
[
"extra.",
"message2_type_int",
"convert_int"
],
[
"extra.",
"major_error_code_int",
"convert_int"
],
[
"extra.",
"minor_error_code_int",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"message_length",
"convert_int"
],
[
"extra.",
"message_type",
"validate_to_none"
],
[
"extra.",
"bgp_version",
"validate_to_none"
],
[
"extra.",
"sender_asn",
"validate_to_none"
],
[
"extra.",
"hold_time",
"validate_to_none"
],
[
"extra.",
"bgp_identifier",
"validate_to_none"
],
[
"extra.",
"message2_type",
"validate_to_none"
],
[
"extra.",
"major_error_code",
"validate_to_none"
],
[
"extra.",
"minor_error_code",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"population6_http_proxy" : {
"constant_fields" : {
"classification.identifier" : "accessible-http-proxy",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "http"
},
"feed_name" : "IPv6-Accessible-HTTP-Proxy",
"file_name" : "population6_http_proxy",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"connection",
"validate_to_none"
],
[
"extra.",
"proxy_authenticate",
"validate_to_none"
],
[
"extra.",
"via",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"population6_msmq" : {
"constant_fields" : {
"classification.identifier" : "accessible-msmq",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "msmq"
},
"feed_name" : "IPv6-Accessible-MSMQ",
"file_name" : "population6_msmq",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"population_bgp" : {
"constant_fields" : {
"classification.identifier" : "accessible-bgp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "bgp"
},
"feed_name" : "Accessible-BGP",
"file_name" : "population_bgp",
"optional_fields" : [
[
"extra.",
"message_type_int",
"convert_int"
],
[
"extra.",
"message2_type_int",
"convert_int"
],
[
"extra.",
"major_error_code_int",
"convert_int"
],
[
"extra.",
"minor_error_code_int",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"message_length",
"convert_int"
],
[
"extra.",
"message_type",
"validate_to_none"
],
[
"extra.",
"bgp_version",
"validate_to_none"
],
[
"extra.",
"sender_asn",
"validate_to_none"
],
[
"extra.",
"hold_time",
"validate_to_none"
],
[
"extra.",
"bgp_identifier",
"validate_to_none"
],
[
"extra.",
"message2_type",
"validate_to_none"
],
[
"extra.",
"major_error_code",
"validate_to_none"
],
[
"extra.",
"minor_error_code",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-bgp-service-report/"
},
"population_http_proxy" : {
"constant_fields" : {
"classification.identifier" : "accessible-http-proxy",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "http"
},
"feed_name" : "Accessible-HTTP-Proxy",
"file_name" : "population_http_proxy",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"connection",
"validate_to_none"
],
[
"extra.",
"proxy_authenticate",
"validate_to_none"
],
[
"extra.",
"via",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-http-proxy-report/"
},
"population_msmq" : {
"constant_fields" : {
"classification.identifier" : "accessible-msmq",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "msmq"
},
"feed_name" : "Accessible-MSMQ",
"file_name" : "population_msmq",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-msmq-service-report/"
},
"ransomware_victim" : {
"constant_fields" : {
"classification.identifier" : "ransomware-victim",
"classification.taxonomy" : "intrusions",
"classification.type" : "system-compromise"
},
"feed_name" : "Ransomware-victim",
"file_name" : "ransomware_victim",
"optional_fields" : [
[
"extra.",
"entity_name",
"validate_to_none"
],
[
"extra.",
"website",
"validate_to_none"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"date_published",
"validate_to_none"
],
[
"extra.",
"ransomware",
"validate_to_none"
],
[
"extra.",
"leak_site_url",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"extra.",
"actor_geo_stats_30d",
"validate_to_none"
],
[
"extra.",
"actor_total_stats_30d",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/ransomware-victim-report/"
},
"sandbox_conn" : {
"constant_fields" : {
"classification.identifier" : "sandbox-conn",
"classification.taxonomy" : "malicious-code",
"classification.type" : "malware-distribution"
},
"feed_name" : "Sandbox-Connections",
"file_name" : "sandbox_conn",
"optional_fields" : [
[
"source.fqdn",
"hostname",
"validate_fqdn"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"malware.hash.md5",
"md5",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"extra.",
"bytes_in",
"validate_to_none"
],
[
"extra.",
"bytes_out",
"validate_to_none"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"malware.hash.sha1",
"sha1",
"validate_to_none"
],
[
"malware.hash.sha256",
"sha256",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/sandbox-connection-report/"
},
"sandbox_dns" : {
"constant_fields" : {
"classification.identifier" : "sandbox-dns",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "dns"
},
"feed_name" : "Sandbox-DNS",
"file_name" : "sandbox_dns",
"optional_fields" : [
[
"extra.dns_query_type",
"request_type",
"validate_to_none"
],
[
"malware.hash.md5",
"md5",
"validate_to_none"
],
[
"extra.",
"request",
"validate_to_none"
],
[
"extra.",
"response",
"validate_to_none"
],
[
"malware.name",
"family",
"validate_to_none"
],
[
"extra.",
"tag"
],
[
"extra.",
"source",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"malware.hash.sha1",
"sha1",
"validate_to_none"
],
[
"malware.hash.sha256",
"sha256",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
]
]
},
"sandbox_url" : {
"constant_fields" : {
"classification.identifier" : "sandbox-url",
"classification.taxonomy" : "malicious-code",
"classification.type" : "malware-distribution"
},
"feed_name" : "Sandbox-URL",
"file_name" : "sandbox_url",
"optional_fields" : [
[
"source.fqdn",
"hostname",
"validate_fqdn"
],
[
"extra.http_request_method",
"method",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"malware.hash.md5",
"md5",
"validate_to_none"
],
[
"destination.url",
"url",
"convert_http_host_and_url",
true
],
[
"user_agent",
"user_agent",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"malware.hash.sha1",
"sha1",
"validate_to_none"
],
[
"malware.hash.sha256",
"sha256",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/sandbox-url-report/"
},
"scan6_activemq" : {
"constant_fields" : {
"classification.identifier" : "open-activemq",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "activemq"
},
"feed_name" : "IPv6-Accessible-ActiveMQ",
"file_name" : "scan6_activemq",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"command",
"validate_to_none"
],
[
"extra.",
"vendor",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_bgp" : {
"constant_fields" : {
"classification.identifier" : "open-bgp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "bgp"
},
"feed_name" : "IPv6-Open-BGP",
"file_name" : "scan6_bgp",
"optional_fields" : [
[
"extra.",
"message_type_int",
"convert_int"
],
[
"extra.",
"message2_type_int",
"convert_int"
],
[
"extra.",
"major_error_code_int",
"convert_int"
],
[
"extra.",
"minor_error_code_int",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"message_length",
"convert_int"
],
[
"extra.",
"message_type",
"validate_to_none"
],
[
"extra.",
"bgp_version",
"validate_to_none"
],
[
"extra.",
"sender_asn",
"validate_to_none"
],
[
"extra.",
"hold_time",
"validate_to_none"
],
[
"extra.",
"bgp_identifier",
"validate_to_none"
],
[
"extra.",
"message2_type",
"validate_to_none"
],
[
"extra.",
"major_error_code",
"validate_to_none"
],
[
"extra.",
"minor_error_code",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_cwmp" : {
"constant_fields" : {
"classification.identifier" : "open-cwmp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "cwmp"
},
"feed_name" : "IPv6-Accessible-CWMP",
"file_name" : "scan6_cwmp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"date",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_dns" : {
"constant_fields" : {
"classification.identifier" : "dns-open-resolver",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "dns"
},
"feed_name" : "IPv6-DNS-Open-Resolvers",
"file_name" : "scan6_dns",
"optional_fields" : [
[
"extra.",
"min_amplification",
"convert_float"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.",
"dns_version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_elasticsearch" : {
"constant_fields" : {
"classification.identifier" : "open-elasticsearch",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "elasticsearch"
},
"feed_name" : "IPv6-Open-Elasticsearch",
"file_name" : "scan6_elasticsearch",
"optional_fields" : [
[
"extra.",
"build_snapshot",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"ok",
"convert_bool"
],
[
"extra.",
"name",
"validate_to_none"
],
[
"extra.",
"cluster_name",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"build_hash",
"validate_to_none"
],
[
"extra.",
"build_timestamp",
"validate_to_none"
],
[
"extra.",
"lucene_version",
"validate_to_none"
],
[
"extra.",
"tagline",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_exchange" : {
"constant_fields" : {
"protocol.application" : "exchange"
},
"feed_name" : "IPv6-Vulnerable-Exchange",
"file_name" : "scan6_exchange",
"optional_fields" : [
[
"classification.taxonomy",
"tag",
"scan_exchange_taxonomy"
],
[
"classification.type",
"tag",
"scan_exchange_type"
],
[
"classification.identifier",
"tag",
"scan_exchange_identifier"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"servername",
"validate_to_none"
],
[
"destination.url",
"url",
"convert_http_host_and_url",
true
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_ftp" : {
"constant_fields" : {
"classification.identifier" : "accessible-ftp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ftp"
},
"feed_name" : "IPv6-Accessible-FTP",
"file_name" : "scan6_ftp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"auth_tls_response",
"validate_to_none"
],
[
"extra.",
"auth_ssl_response",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_http" : {
"constant_fields" : {
"classification.identifier" : "accessible-http",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "http"
},
"feed_name" : "IPv6-Accessible-HTTP",
"file_name" : "scan6_http",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_http_proxy" : {
"constant_fields" : {
"classification.identifier" : "open-http-proxy",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "http"
},
"feed_name" : "IPv6-Open-HTTP-Proxy",
"file_name" : "scan6_http_proxy",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"connection",
"validate_to_none"
],
[
"extra.",
"proxy_authenticate",
"validate_to_none"
],
[
"extra.",
"via",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_http_vulnerable" : {
"constant_fields" : {
"classification.identifier" : "vulnerable-http",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "http"
},
"feed_name" : "IPv6-Vulnerable-HTTP",
"file_name" : "scan6_http_vulnerable",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"build_date",
"validate_to_none"
],
[
"extra.",
"detail",
"validate_to_none"
],
[
"extra.",
"build_branch",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_ipp" : {
"constant_fields" : {
"classification.identifier" : "open-ipp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ipp"
},
"feed_name" : "IPv6-Open-IPP",
"file_name" : "scan6_ipp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"ipp_version",
"validate_to_none"
],
[
"extra.",
"cups_version",
"validate_to_none"
],
[
"extra.",
"printer_uris",
"validate_to_none"
],
[
"extra.",
"printer_name",
"validate_to_none"
],
[
"extra.",
"printer_info",
"validate_to_none"
],
[
"extra.",
"printer_more_info",
"validate_to_none"
],
[
"extra.",
"printer_make_and_model",
"validate_to_none"
],
[
"extra.",
"printer_firmware_name",
"validate_to_none"
],
[
"extra.",
"printer_firmware_string_version",
"validate_to_none"
],
[
"extra.",
"printer_firmware_version",
"validate_to_none"
],
[
"extra.",
"printer_organization",
"validate_to_none"
],
[
"extra.",
"printer_organization_unit",
"validate_to_none"
],
[
"extra.",
"printer_uuid",
"validate_to_none"
],
[
"extra.",
"printer_wifi_ssid",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_isakmp" : {
"constant_fields" : {
"classification.identifier" : "open-ike",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ipsec"
},
"feed_name" : "IPv6-Vulnerable-ISAKMP",
"file_name" : "scan6_isakmp",
"optional_fields" : [
[
"extra.",
"spi_size",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"initiator_spi",
"validate_to_none"
],
[
"extra.",
"responder_spi",
"validate_to_none"
],
[
"extra.",
"next_payload",
"validate_to_none"
],
[
"extra.",
"exchange_type",
"validate_to_none"
],
[
"extra.",
"flags",
"validate_to_none"
],
[
"extra.",
"message_id",
"validate_to_none"
],
[
"extra.",
"next_payload2",
"validate_to_none"
],
[
"extra.",
"domain_of_interpretation",
"validate_to_none"
],
[
"extra.",
"protocol_id",
"validate_to_none"
],
[
"extra.",
"notify_message_type",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_ldap_tcp" : {
"constant_fields" : {
"classification.identifier" : "open-ldap",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ldap"
},
"feed_name" : "IPv6-Open-LDAP-TCP",
"file_name" : "scan6_ldap_tcp",
"optional_fields" : [
[
"source.local_hostname",
"dns_host_name",
"validate_to_none"
],
[
"extra.",
"domain_controller_functionality",
"convert_int"
],
[
"extra.",
"domain_functionality",
"convert_int"
],
[
"extra.",
"forest_functionality",
"convert_int"
],
[
"extra.",
"highest_committed_usn",
"convert_int"
],
[
"extra.",
"is_global_catalog_ready",
"convert_bool"
],
[
"extra.",
"is_synchronized",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"configuration_naming_context",
"validate_to_none"
],
[
"extra.",
"current_time",
"validate_to_none"
],
[
"extra.",
"default_naming_context",
"validate_to_none"
],
[
"extra.",
"ds_service_name",
"validate_to_none"
],
[
"extra.",
"ldap_service_name",
"validate_to_none"
],
[
"extra.",
"naming_contexts",
"validate_to_none"
],
[
"extra.",
"root_domain_naming_context",
"validate_to_none"
],
[
"extra.",
"schema_naming_context",
"validate_to_none"
],
[
"extra.",
"server_name",
"validate_to_none"
],
[
"extra.",
"subschema_subentry",
"validate_to_none"
],
[
"extra.",
"supported_capabilities",
"validate_to_none"
],
[
"extra.",
"supported_control",
"validate_to_none"
],
[
"extra.",
"supported_ldap_policies",
"validate_to_none"
],
[
"extra.",
"supported_ldap_version",
"validate_to_none"
],
[
"extra.",
"supported_sasl_mechanisms",
"validate_to_none"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"auth_tls_response",
"validate_to_none"
],
[
"extra.",
"auth_ssl_response",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_mqtt" : {
"constant_fields" : {
"classification.identifier" : "open-mqtt",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "mqtt"
},
"feed_name" : "IPv6-Open-MQTT",
"file_name" : "scan6_mqtt",
"optional_fields" : [
[
"extra.",
"anonymous_access",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"raw_response",
"validate_to_none"
],
[
"extra.",
"hex_code",
"validate_to_none"
],
[
"extra.",
"code",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_mqtt_anon" : {
"constant_fields" : {
"classification.identifier" : "open-mqtt-anon",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "mqtt"
},
"feed_name" : "IPv6-Open-Anonymous-MQTT",
"file_name" : "scan6_mqtt_anon",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"raw_response",
"validate_to_none"
],
[
"extra.",
"hex_code",
"validate_to_none"
],
[
"extra.",
"code",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_mysql" : {
"constant_fields" : {
"classification.identifier" : "open-mysql",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "mysql"
},
"feed_name" : "IPv6-Accessible-MySQL",
"file_name" : "scan6_mysql",
"optional_fields" : [
[
"extra.",
"client_can_handle_expired_passwords",
"convert_bool"
],
[
"extra.",
"client_compress",
"convert_bool"
],
[
"extra.",
"client_connect_attrs",
"convert_bool"
],
[
"extra.",
"client_connect_with_db",
"convert_bool"
],
[
"extra.",
"client_deprecated_eof",
"convert_bool"
],
[
"extra.",
"client_found_rows",
"convert_bool"
],
[
"extra.",
"client_ignore_sigpipe",
"convert_bool"
],
[
"extra.",
"client_ignore_space",
"convert_bool"
],
[
"extra.",
"client_interactive",
"convert_bool"
],
[
"extra.",
"client_local_files",
"convert_bool"
],
[
"extra.",
"client_long_flag",
"convert_bool"
],
[
"extra.",
"client_long_password",
"convert_bool"
],
[
"extra.",
"client_multi_results",
"convert_bool"
],
[
"extra.",
"client_multi_statements",
"convert_bool"
],
[
"extra.",
"client_no_schema",
"convert_bool"
],
[
"extra.",
"client_odbc",
"convert_bool"
],
[
"extra.",
"client_plugin_auth",
"convert_bool"
],
[
"extra.",
"client_plugin_auth_len_enc_client_data",
"convert_bool"
],
[
"extra.",
"client_protocol_41",
"convert_bool"
],
[
"extra.",
"client_ps_multi_results",
"convert_bool"
],
[
"extra.",
"client_reserved",
"convert_bool"
],
[
"extra.",
"client_secure_connection",
"convert_bool"
],
[
"extra.",
"client_session_track",
"convert_bool"
],
[
"extra.",
"client_ssl",
"convert_bool"
],
[
"extra.",
"client_transactions",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"mysql_protocol_version",
"validate_to_none"
],
[
"extra.",
"server_version",
"validate_to_none"
],
[
"extra.",
"error_code",
"validate_to_none"
],
[
"extra.",
"error_id",
"validate_to_none"
],
[
"extra.",
"error_message",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_ntp" : {
"constant_fields" : {
"classification.identifier" : "ntp-version",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ntp"
},
"feed_name" : "IPv6-NTP-Version",
"file_name" : "scan6_ntp",
"optional_fields" : [
[
"extra.",
"clk_wander",
"convert_float"
],
[
"extra.",
"frequency",
"convert_float"
],
[
"extra.",
"jitter",
"convert_float"
],
[
"extra.",
"leap",
"convert_float"
],
[
"extra.",
"offset",
"convert_float"
],
[
"extra.",
"peer",
"convert_int"
],
[
"extra.",
"poll",
"convert_int"
],
[
"extra.",
"precision",
"convert_int"
],
[
"extra.",
"rootdelay",
"convert_float"
],
[
"extra.",
"rootdispersion",
"convert_float"
],
[
"extra.",
"stratum",
"convert_int"
],
[
"extra.",
"tc",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"clock",
"validate_to_none"
],
[
"extra.",
"error",
"validate_to_none"
],
[
"extra.",
"mintc",
"validate_to_none"
],
[
"extra.",
"noise",
"validate_to_none"
],
[
"extra.",
"phase",
"validate_to_none"
],
[
"extra.",
"processor",
"validate_to_none"
],
[
"extra.",
"refid",
"validate_to_none"
],
[
"extra.",
"reftime",
"validate_to_none"
],
[
"extra.",
"stability",
"validate_to_none"
],
[
"extra.",
"state",
"validate_to_none"
],
[
"extra.",
"system",
"validate_to_none"
],
[
"extra.",
"tai",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_ntpmonitor" : {
"constant_fields" : {
"classification.identifier" : "ntp-monitor",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ntp"
},
"feed_name" : "IPv6-NTP-Monitor",
"file_name" : "scan6_ntpmonitor",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"packets",
"convert_int"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_postgres" : {
"constant_fields" : {
"classification.identifier" : "open-postgres",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "postgres"
},
"feed_name" : "IPv6-Accessible-PostgreSQL",
"file_name" : "scan6_postgres",
"optional_fields" : [
[
"extra.",
"startup_error_line",
"convert_int"
],
[
"extra.",
"client_ssl",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"supported_protocols",
"validate_to_none"
],
[
"extra.",
"protocol_error_code",
"validate_to_none"
],
[
"extra.",
"protocol_error_file",
"validate_to_none"
],
[
"extra.",
"protocol_error_line",
"validate_to_none"
],
[
"extra.",
"protocol_error_message",
"validate_to_none"
],
[
"extra.",
"protocol_error_routine",
"validate_to_none"
],
[
"extra.",
"protocol_error_severity",
"validate_to_none"
],
[
"extra.",
"protocol_error_severity_v",
"validate_to_none"
],
[
"extra.",
"startup_error_code",
"validate_to_none"
],
[
"extra.",
"startup_error_file",
"validate_to_none"
],
[
"extra.",
"startup_error_message",
"validate_to_none"
],
[
"extra.",
"startup_error_routine",
"validate_to_none"
],
[
"extra.",
"startup_error_severity",
"validate_to_none"
],
[
"extra.",
"startup_error_severity_v",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_rdp" : {
"constant_fields" : {
"classification.identifier" : "open-rdp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "rdp",
"protocol.transport" : "tcp"
},
"feed_name" : "IPv6-Accessible-RDP",
"file_name" : "scan6_rdp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"rdp_protocol",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_slp" : {
"constant_fields" : {
"classification.identifier" : "open-slp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "slp"
},
"feed_name" : "IPv6-Accessible-SLP",
"file_name" : "scan6_slp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"function",
"validate_to_none"
],
[
"extra.",
"function_text",
"validate_to_none"
],
[
"extra.",
"flags",
"validate_to_none"
],
[
"extra.",
"next_extension_offset",
"validate_to_none"
],
[
"extra.",
"xid",
"validate_to_none"
],
[
"extra.",
"language_tag_length",
"validate_to_none"
],
[
"extra.",
"language_tag",
"validate_to_none"
],
[
"extra.",
"error_code",
"validate_to_none"
],
[
"extra.",
"error_code_text",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"raw_response",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_smb" : {
"constant_fields" : {
"classification.identifier" : "open-smb",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "smb",
"protocol.transport" : "tcp"
},
"feed_name" : "IPv6-Accessible-SMB",
"file_name" : "scan6_smb",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"arch",
"validate_to_none"
],
[
"extra.",
"key",
"validate_to_none"
],
[
"extra.",
"smb_major_number",
"validate_to_none"
],
[
"extra.",
"smb_minor_number",
"validate_to_none"
],
[
"extra.",
"smb_revision",
"validate_to_none"
],
[
"extra.",
"smb_version_string",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_smtp" : {
"constant_fields" : {
"classification.identifier" : "open-smtp",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "smtp"
},
"feed_name" : "IPv6-Accessible-SMTP",
"file_name" : "scan6_smtp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"auth_ssl_response",
"validate_to_none"
],
[
"extra.",
"auth_tls_response",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"freak_cipher_suite",
"validate_to_none"
],
[
"extra.",
"freak_vulnerable",
"convert_bool"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"sslv3_supported",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"validation_level",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_smtp_vulnerable" : {
"constant_fields" : {
"classification.identifier" : "vulnerable-smtp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "smtp"
},
"feed_name" : "IPv6-Vulnerable-SMTP",
"file_name" : "scan6_smtp_vulnerable",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"auth_ssl_response",
"validate_to_none"
],
[
"extra.",
"auth_tls_response",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"freak_cipher_suite",
"validate_to_none"
],
[
"extra.",
"freak_vulnerable",
"convert_bool"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"sslv3_supported",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"validation_level",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_snmp" : {
"constant_fields" : {
"classification.identifier" : "open-snmp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "snmp"
},
"feed_name" : "IPv6-Open-SNMP",
"file_name" : "scan6_snmp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.",
"sysname",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.",
"sysdesc",
"validate_to_none"
],
[
"extra.",
"community",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"uptime",
"convert_int"
],
[
"extra.",
"mac_address",
"validate_to_none"
],
[
"extra.",
"vendor_id",
"validate_to_none"
],
[
"extra.",
"vendor",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_ssh" : {
"constant_fields" : {
"classification.identifier" : "open-ssh",
"classification.taxonomy" : "other",
"classification.type" : "other"
},
"feed_name" : "IPv6-Accessible-SSH",
"file_name" : "scan6_ssh",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"serverid_raw",
"validate_to_none"
],
[
"extra.",
"serverid_version",
"validate_to_none"
],
[
"extra.",
"serverid_software",
"validate_to_none"
],
[
"extra.",
"serverid_comment",
"validate_to_none"
],
[
"extra.",
"server_cookie",
"validate_to_none"
],
[
"extra.",
"available_kex",
"validate_to_none"
],
[
"extra.",
"available_ciphers",
"validate_to_none"
],
[
"extra.",
"available_mac",
"validate_to_none"
],
[
"extra.",
"available_compression",
"validate_to_none"
],
[
"extra.",
"selected_kex",
"validate_to_none"
],
[
"extra.",
"algorithm",
"validate_to_none"
],
[
"extra.",
"selected_cipher",
"validate_to_none"
],
[
"extra.",
"selected_mac",
"validate_to_none"
],
[
"extra.",
"selected_compression",
"validate_to_none"
],
[
"extra.",
"server_signature_value",
"validate_to_none"
],
[
"extra.",
"server_signature_raw",
"validate_to_none"
],
[
"extra.",
"server_host_key",
"validate_to_none"
],
[
"extra.",
"server_host_key_sha256",
"validate_to_none"
],
[
"extra.",
"rsa_prime",
"validate_to_none"
],
[
"extra.",
"rsa_prime_length",
"validate_to_none"
],
[
"extra.",
"rsa_generator",
"validate_to_none"
],
[
"extra.",
"rsa_generator_length",
"validate_to_none"
],
[
"extra.",
"rsa_public_key",
"validate_to_none"
],
[
"extra.",
"rsa_public_key_length",
"validate_to_none"
],
[
"extra.",
"rsa_exponent",
"validate_to_none"
],
[
"extra.",
"rsa_modulus",
"validate_to_none"
],
[
"extra.",
"rsa_length",
"validate_to_none"
],
[
"extra.",
"dss_prime",
"validate_to_none"
],
[
"extra.",
"dss_prime_length",
"validate_to_none"
],
[
"extra.",
"dss_generator",
"validate_to_none"
],
[
"extra.",
"dss_generator_length",
"validate_to_none"
],
[
"extra.",
"dss_public_key",
"validate_to_none"
],
[
"extra.",
"dss_public_key_length",
"validate_to_none"
],
[
"extra.",
"dss_dsa_public_g",
"validate_to_none"
],
[
"extra.",
"dss_dsa_public_p",
"validate_to_none"
],
[
"extra.",
"dss_dsa_public_q",
"validate_to_none"
],
[
"extra.",
"dss_dsa_public_y",
"validate_to_none"
],
[
"extra.",
"ecdsa_curve25519",
"validate_to_none"
],
[
"extra.",
"ecdsa_curve",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_length",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_b",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_gx",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_gy",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_n",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_p",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_x",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_y",
"validate_to_none"
],
[
"extra.",
"ed25519_curve25519",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_nonce",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_bytes",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_raw",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sha256",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_serial",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_type_id",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_type_name",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_keyid",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_principles",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_valid_after",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_valid_before",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_duration",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sigkey_bytes",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sigkey_raw",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sigkey_sha256",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sigkey_value",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sig_raw",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.",
"userauth_methods",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_ssl" : {
"constant_fields" : {
"classification.identifier" : "open-ssl",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "https"
},
"feed_name" : "IPv6-Accessible-SSL",
"file_name" : "scan6_ssl",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"ssl_poodle",
"convert_bool"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"freak_vulnerable",
"convert_bool"
],
[
"extra.",
"freak_cipher_suite",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"http_response_type",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"http_connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server_type",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_ssl_freak" : {
"constant_fields" : {
"classification.identifier" : "ssl-freak",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "https"
},
"feed_name" : "SSL-FREAK-Vulnerable-Servers IPv6",
"file_name" : "scan6_ssl_freak",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"freak_vulnerable",
"convert_bool"
],
[
"extra.",
"freak_cipher_suite",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"http_response_type",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"http_connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server_type",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.",
"page_sha256fp",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_ssl_poodle" : {
"constant_fields" : {
"classification.identifier" : "ssl-poodle",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "https"
},
"feed_name" : "SSL-POODLE-Vulnerable-Servers IPv6",
"file_name" : "scan6_ssl_poodle",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"ssl_poodle",
"convert_bool"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"http_response_type",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"http_connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server_type",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.",
"page_sha256fp",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_stun" : {
"constant_fields" : {
"classification.identifier" : "open-stun",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "Session Traversal Utilities for NAT"
},
"feed_name" : "IPv6-Accessible-Session-Traversal-Utilities-for-NAT",
"file_name" : "scan6_stun",
"optional_fields" : [
[
"extra.",
"mapped_port",
"convert_int"
],
[
"extra.",
"xor_mapped_port",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"transaction_id",
"validate_to_none"
],
[
"extra.",
"magic_cookie",
"validate_to_none"
],
[
"extra.",
"message_length",
"convert_int"
],
[
"extra.",
"message_type",
"validate_to_none"
],
[
"extra.",
"mapped_family",
"validate_to_none"
],
[
"extra.",
"mapped_address",
"validate_to_none"
],
[
"extra.",
"xor_mapped_family",
"validate_to_none"
],
[
"extra.",
"xor_mapped_address",
"validate_to_none"
],
[
"extra.",
"software",
"validate_to_none"
],
[
"extra.",
"fingerprint",
"validate_to_none"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"response_size",
"convert_int"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_telnet" : {
"constant_fields" : {
"classification.identifier" : "open-telnet",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "telnet"
},
"feed_name" : "IPv6-Accessible-Telnet",
"file_name" : "scan6_telnet",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan6_vnc" : {
"constant_fields" : {
"classification.identifier" : "open-vnc",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "vnc",
"protocol.transport" : "tcp"
},
"feed_name" : "IPv6-Accessible-VNC",
"file_name" : "scan6_vnc",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"product",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
},
"scan_activemq" : {
"constant_fields" : {
"classification.identifier" : "open-activemq",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "activemq"
},
"feed_name" : "Accessible-ActiveMQ",
"file_name" : "scan_activemq",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"command",
"validate_to_none"
],
[
"extra.",
"vendor",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-activemq-service-report/"
},
"scan_adb" : {
"constant_fields" : {
"classification.identifier" : "accessible-adb",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "adb"
},
"feed_name" : "Accessible-ADB",
"file_name" : "scan_adb",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"name",
"validate_to_none"
],
[
"extra.",
"model",
"validate_to_none"
],
[
"extra.",
"device",
"validate_to_none"
],
[
"extra.",
"features",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-adb-report/"
},
"scan_afp" : {
"constant_fields" : {
"classification.identifier" : "accessible-afp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "afp"
},
"feed_name" : "Accessible-AFP",
"file_name" : "scan_afp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"machine_type",
"validate_to_none"
],
[
"extra.",
"afp_versions",
"validate_to_none"
],
[
"extra.",
"uams",
"validate_to_none"
],
[
"extra.",
"flags",
"validate_to_none"
],
[
"extra.",
"server_name",
"validate_to_none"
],
[
"extra.",
"signature",
"validate_to_none"
],
[
"extra.",
"directory_service",
"validate_to_none"
],
[
"extra.",
"utf8_servername",
"validate_to_none"
],
[
"extra.",
"network_address",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-afp-report/"
},
"scan_amqp" : {
"constant_fields" : {
"classification.identifier" : "accessible-amqp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "amqp"
},
"feed_name" : "Accessible-AMQP",
"file_name" : "scan_amqp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"channel",
"validate_to_none"
],
[
"extra.",
"message_length",
"convert_int"
],
[
"extra.",
"class",
"validate_to_none"
],
[
"extra.",
"method",
"validate_to_none"
],
[
"extra.",
"version_major",
"validate_to_none"
],
[
"extra.",
"version_minor",
"validate_to_none"
],
[
"extra.",
"capabilities",
"validate_to_none"
],
[
"extra.",
"cluster_name",
"validate_to_none"
],
[
"extra.",
"platform",
"validate_to_none"
],
[
"extra.",
"product",
"validate_to_none"
],
[
"extra.",
"product_version",
"validate_to_none"
],
[
"extra.",
"mechanisms",
"validate_to_none"
],
[
"extra.",
"locales",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-amqp-report/"
},
"scan_ard" : {
"constant_fields" : {
"classification.identifier" : "accessible-ard",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system"
},
"feed_name" : "Accessible-ARD",
"file_name" : "scan_ard",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"machine_name",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-apple-remote-desktop-ard-report/"
},
"scan_bgp" : {
"constant_fields" : {
"classification.identifier" : "open-bgp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "bgp"
},
"feed_name" : "Open-BGP",
"file_name" : "scan_bgp",
"optional_fields" : [
[
"extra.",
"message_type_int",
"convert_int"
],
[
"extra.",
"message2_type_int",
"convert_int"
],
[
"extra.",
"major_error_code_int",
"convert_int"
],
[
"extra.",
"minor_error_code_int",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"message_length",
"convert_int"
],
[
"extra.",
"message_type",
"validate_to_none"
],
[
"extra.",
"bgp_version",
"validate_to_none"
],
[
"extra.",
"sender_asn",
"validate_to_none"
],
[
"extra.",
"hold_time",
"validate_to_none"
],
[
"extra.",
"bgp_identifier",
"validate_to_none"
],
[
"extra.",
"message2_type",
"validate_to_none"
],
[
"extra.",
"major_error_code",
"validate_to_none"
],
[
"extra.",
"minor_error_code",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-bgp-service-report/"
},
"scan_chargen" : {
"constant_fields" : {
"classification.identifier" : "open-chargen",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "chargen"
},
"feed_name" : "Open-Chargen",
"file_name" : "scan_chargen",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-chargen-report/"
},
"scan_cisco_smart_install" : {
"constant_fields" : {
"classification.identifier" : "accessible-cisco-smart-install",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "cisco-smart-install"
},
"feed_name" : "Accessible-Cisco-Smart-Install",
"file_name" : "scan_cisco_smart_install",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-cisco-smart-install-report/"
},
"scan_coap" : {
"constant_fields" : {
"classification.identifier" : "accessible-coap",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "coap"
},
"feed_name" : "Accessible-CoAP",
"file_name" : "scan_coap",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"response",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-coap-report/"
},
"scan_couchdb" : {
"constant_fields" : {
"classification.identifier" : "open-couchdb",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "CouchDB"
},
"feed_name" : "Accessible-CouchDB",
"file_name" : "scan_couchdb",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"server_version",
"validate_to_none"
],
[
"extra.",
"couchdb_message",
"validate_to_none"
],
[
"extra.",
"couchdb_version",
"validate_to_none"
],
[
"extra.",
"git_sha",
"validate_to_none"
],
[
"extra.",
"features",
"validate_to_none"
],
[
"extra.",
"vendor",
"validate_to_none"
],
[
"extra.",
"visible_databases",
"validate_to_none"
],
[
"extra.",
"error",
"validate_to_none"
],
[
"extra.",
"error_reason",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-couchdb-report/"
},
"scan_cwmp" : {
"constant_fields" : {
"classification.identifier" : "open-cwmp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "cwmp"
},
"feed_name" : "Accessible-CWMP",
"file_name" : "scan_cwmp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"date",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-cwmp-report/"
},
"scan_db2" : {
"constant_fields" : {
"classification.identifier" : "open-db2-discovery-service",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "db2"
},
"feed_name" : "Open-DB2-Discovery-Service",
"file_name" : "scan_db2",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"db2_hostname",
"validate_to_none"
],
[
"extra.",
"servername",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-db2-discovery-service-report/"
},
"scan_ddos_middlebox" : {
"constant_fields" : {
"classification.identifier" : "open-ddos-middlebox",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system"
},
"feed_name" : "Vulnerable-DDoS-Middlebox",
"file_name" : "scan_ddos_middlebox",
"optional_fields" : [
[
"protocol.application",
"tag"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"source_port",
"validate_to_none"
],
[
"extra.",
"bytes",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"method",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-ddos-middlebox-report/"
},
"scan_dns" : {
"constant_fields" : {
"classification.identifier" : "dns-open-resolver",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "dns"
},
"feed_name" : "DNS-Open-Resolvers",
"file_name" : "scan_dns",
"optional_fields" : [
[
"extra.",
"min_amplification",
"convert_float"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"dns_version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/dns-open-resolvers-report/"
},
"scan_docker" : {
"constant_fields" : {
"classification.identifier" : "open-docker",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "docker"
},
"feed_name" : "Accessible-Docker",
"file_name" : "scan_docker",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"date",
"validate_to_none"
],
[
"extra.",
"experimental",
"validate_to_none"
],
[
"extra.",
"api_version",
"validate_to_none"
],
[
"extra.",
"arch",
"validate_to_none"
],
[
"extra.",
"go_version",
"validate_to_none"
],
[
"extra.os.name",
"os",
"validate_to_none"
],
[
"extra.",
"kernel_version",
"validate_to_none"
],
[
"extra.",
"git_commit",
"validate_to_none"
],
[
"extra.",
"min_api_version",
"validate_to_none"
],
[
"extra.",
"build_time",
"validate_to_none"
],
[
"extra.",
"pkg_version",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-docker-service-report/"
},
"scan_dvr_dhcpdiscover" : {
"constant_fields" : {
"classification.identifier" : "open-dvr-dhcpdiscover",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system"
},
"feed_name" : "Accessible-DVR-DHCPDiscover",
"file_name" : "scan_dvr_dhcpdiscover",
"optional_fields" : [
[
"protocol.application",
"tag"
],
[
"extra.",
"video_input_channels",
"convert_int"
],
[
"extra.",
"alarm_input_channels",
"convert_int"
],
[
"extra.",
"video_output_channels",
"convert_int"
],
[
"extra.",
"alarm_output_channels",
"convert_int"
],
[
"extra.",
"remote_video_input_channels",
"convert_int"
],
[
"extra.",
"ipv4_dhcp_enable",
"convert_bool"
],
[
"extra.",
"ipv6_dhcp_enable",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_id",
"validate_to_none"
],
[
"extra.",
"device_serial",
"validate_to_none"
],
[
"extra.",
"machine_name",
"validate_to_none"
],
[
"extra.",
"manufacturer",
"validate_to_none"
],
[
"extra.",
"method",
"validate_to_none"
],
[
"extra.",
"http_port",
"convert_int"
],
[
"extra.",
"internal_port",
"convert_int"
],
[
"extra.",
"mac_address",
"validate_to_none"
],
[
"extra.",
"ipv4_address",
"validate_to_none"
],
[
"extra.",
"ipv4_gateway",
"validate_to_none"
],
[
"extra.",
"ipv4_subnet_mask",
"validate_to_none"
],
[
"extra.",
"ipv6_address",
"validate_to_none"
],
[
"extra.",
"ipv6_link_local",
"validate_to_none"
],
[
"extra.",
"ipv6_gateway",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-dvr-dhcpdiscover-report/"
},
"scan_elasticsearch" : {
"constant_fields" : {
"classification.identifier" : "open-elasticsearch",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "elasticsearch"
},
"feed_name" : "Open-Elasticsearch",
"file_name" : "scan_elasticsearch",
"optional_fields" : [
[
"extra.",
"build_snapshot",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"ok",
"convert_bool"
],
[
"extra.",
"name",
"validate_to_none"
],
[
"extra.",
"cluster_name",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"build_hash",
"validate_to_none"
],
[
"extra.",
"build_timestamp",
"validate_to_none"
],
[
"extra.",
"lucene_version",
"validate_to_none"
],
[
"extra.",
"tagline",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-elasticsearch-report/"
},
"scan_epmd" : {
"constant_fields" : {
"classification.identifier" : "open-epmd",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "Erlang Port Mapper Daemon"
},
"feed_name" : "Accessible-Erlang-Port-Mapper-Daemon",
"file_name" : "scan_epmd",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"nodes",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-erlang-port-mapper-report-daemon/"
},
"scan_exchange" : {
"constant_fields" : {
"protocol.application" : "exchange"
},
"feed_name" : "Vulnerable-Exchange-Server",
"file_name" : "scan_exchange",
"optional_fields" : [
[
"classification.taxonomy",
"tag",
"scan_exchange_taxonomy"
],
[
"classification.type",
"tag",
"scan_exchange_type"
],
[
"classification.identifier",
"tag",
"scan_exchange_identifier"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"servername",
"validate_to_none"
],
[
"destination.url",
"url",
"convert_http_host_and_url",
true
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-exchange-server-report/"
},
"scan_ftp" : {
"constant_fields" : {
"classification.identifier" : "accessible-ftp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ftp"
},
"feed_name" : "Accessible-FTP",
"file_name" : "scan_ftp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"auth_tls_response",
"validate_to_none"
],
[
"extra.",
"auth_ssl_response",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ftp-report/"
},
"scan_hadoop" : {
"constant_fields" : {
"classification.identifier" : "accessible-hadoop",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "hadoop",
"protocol.transport" : "tcp"
},
"feed_name" : "Accessible-Hadoop",
"file_name" : "scan_hadoop",
"optional_fields" : [
[
"extra.",
"total_disk",
"convert_int"
],
[
"extra.",
"used_disk",
"convert_int"
],
[
"extra.",
"free_disk",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"server_type",
"validate_to_none"
],
[
"extra.",
"clusterid",
"validate_to_none"
],
[
"extra.",
"livenodes",
"validate_to_none"
],
[
"extra.",
"namenodeaddress",
"validate_to_none"
],
[
"extra.",
"volumeinfo",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-hadoop-report/"
},
"scan_http" : {
"constant_fields" : {
"classification.identifier" : "accessible-http",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "http"
},
"feed_name" : "Accessible-HTTP",
"file_name" : "scan_http",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-http-report/"
},
"scan_http_proxy" : {
"constant_fields" : {
"classification.identifier" : "open-http-proxy",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "http"
},
"feed_name" : "Open-HTTP-Proxy",
"file_name" : "scan_http_proxy",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"connection",
"validate_to_none"
],
[
"extra.",
"proxy_authenticate",
"validate_to_none"
],
[
"extra.",
"via",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-http-proxy-report/"
},
"scan_http_vulnerable" : {
"constant_fields" : {
"classification.identifier" : "vulnerable-http",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "http"
},
"feed_name" : "Vulnerable-HTTP",
"file_name" : "scan_http_vulnerable",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"build_date",
"validate_to_none"
],
[
"extra.",
"detail",
"validate_to_none"
],
[
"extra.",
"build_branch",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-http-report/"
},
"scan_ics" : {
"constant_fields" : {
"classification.identifier" : "open-ics",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system"
},
"feed_name" : "Accessible-ICS",
"file_name" : "scan_ics",
"optional_fields" : [
[
"protocol.application",
"tag"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_id",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"raw_response",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ics-report/"
},
"scan_ipmi" : {
"constant_fields" : {
"classification.identifier" : "open-ipmi",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ipmi",
"protocol.transport" : "udp"
},
"feed_name" : "Open-IPMI",
"file_name" : "scan_ipmi",
"optional_fields" : [
[
"extra.",
"none_auth",
"convert_bool"
],
[
"extra.",
"md2_auth",
"convert_bool"
],
[
"extra.",
"md5_auth",
"convert_bool"
],
[
"extra.",
"passkey_auth",
"convert_bool"
],
[
"extra.",
"oem_auth",
"convert_bool"
],
[
"extra.",
"permessage_auth",
"convert_bool"
],
[
"extra.",
"userlevel_auth",
"convert_bool"
],
[
"extra.",
"usernames",
"convert_bool"
],
[
"extra.",
"nulluser",
"convert_bool"
],
[
"extra.",
"anon_login",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"ipmi_version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"defaultkg",
"validate_to_none"
],
[
"extra.",
"error",
"validate_to_none"
],
[
"extra.",
"deviceid",
"validate_to_none"
],
[
"extra.",
"devicerev",
"validate_to_none"
],
[
"extra.",
"firmwarerev",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"manufacturerid",
"validate_to_none"
],
[
"extra.",
"manufacturername",
"validate_to_none"
],
[
"extra.",
"productid",
"validate_to_none"
],
[
"extra.",
"productname",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ipmi-report/"
},
"scan_ipp" : {
"constant_fields" : {
"classification.identifier" : "open-ipp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ipp"
},
"feed_name" : "Open-IPP",
"file_name" : "scan_ipp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"ipp_version",
"validate_to_none"
],
[
"extra.",
"cups_version",
"validate_to_none"
],
[
"extra.",
"printer_uris",
"validate_to_none"
],
[
"extra.",
"printer_name",
"validate_to_none"
],
[
"extra.",
"printer_info",
"validate_to_none"
],
[
"extra.",
"printer_more_info",
"validate_to_none"
],
[
"extra.",
"printer_make_and_model",
"validate_to_none"
],
[
"extra.",
"printer_firmware_name",
"validate_to_none"
],
[
"extra.",
"printer_firmware_string_version",
"validate_to_none"
],
[
"extra.",
"printer_firmware_version",
"validate_to_none"
],
[
"extra.",
"printer_organization",
"validate_to_none"
],
[
"extra.",
"printer_organization_unit",
"validate_to_none"
],
[
"extra.",
"printer_uuid",
"validate_to_none"
],
[
"extra.",
"printer_wifi_ssid",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ipp-report/"
},
"scan_isakmp" : {
"constant_fields" : {
"classification.identifier" : "open-ike",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ipsec"
},
"feed_name" : "Vulnerable-ISAKMP",
"file_name" : "scan_isakmp",
"optional_fields" : [
[
"extra.",
"spi_size",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"initiator_spi",
"validate_to_none"
],
[
"extra.",
"responder_spi",
"validate_to_none"
],
[
"extra.",
"next_payload",
"validate_to_none"
],
[
"extra.",
"exchange_type",
"validate_to_none"
],
[
"extra.",
"flags",
"validate_to_none"
],
[
"extra.",
"message_id",
"validate_to_none"
],
[
"extra.",
"next_payload2",
"validate_to_none"
],
[
"extra.",
"domain_of_interpretation",
"validate_to_none"
],
[
"extra.",
"protocol_id",
"validate_to_none"
],
[
"extra.",
"notify_message_type",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-isakmp-report/"
},
"scan_kubernetes" : {
"constant_fields" : {
"classification.identifier" : "open-kubernetes",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "kubernetes"
},
"feed_name" : "Accessible-Kubernetes-API",
"file_name" : "scan_kubernetes",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"date",
"validate_to_none"
],
[
"extra.",
"major",
"validate_to_none"
],
[
"extra.",
"minor",
"validate_to_none"
],
[
"extra.",
"git_version",
"validate_to_none"
],
[
"extra.",
"git_commit",
"validate_to_none"
],
[
"extra.",
"git_tree_state",
"validate_to_none"
],
[
"extra.",
"build_date",
"validate_to_none"
],
[
"extra.",
"go_version",
"validate_to_none"
],
[
"extra.",
"compiler",
"validate_to_none"
],
[
"extra.",
"platform",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-kubernetes-api-server-report/"
},
"scan_ldap_tcp" : {
"constant_fields" : {
"classification.identifier" : "open-ldap",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ldap"
},
"feed_name" : "Open-LDAP-TCP",
"file_name" : "scan_ldap_tcp",
"optional_fields" : [
[
"source.local_hostname",
"dns_host_name",
"validate_to_none"
],
[
"extra.",
"domain_controller_functionality",
"convert_int"
],
[
"extra.",
"domain_functionality",
"convert_int"
],
[
"extra.",
"forest_functionality",
"convert_int"
],
[
"extra.",
"highest_committed_usn",
"convert_int"
],
[
"extra.",
"is_global_catalog_ready",
"convert_bool"
],
[
"extra.",
"is_synchronized",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"configuration_naming_context",
"validate_to_none"
],
[
"extra.",
"current_time",
"validate_to_none"
],
[
"extra.",
"default_naming_context",
"validate_to_none"
],
[
"extra.",
"ds_service_name",
"validate_to_none"
],
[
"extra.",
"ldap_service_name",
"validate_to_none"
],
[
"extra.",
"naming_contexts",
"validate_to_none"
],
[
"extra.",
"root_domain_naming_context",
"validate_to_none"
],
[
"extra.",
"schema_naming_context",
"validate_to_none"
],
[
"extra.",
"server_name",
"validate_to_none"
],
[
"extra.",
"subschema_subentry",
"validate_to_none"
],
[
"extra.",
"supported_capabilities",
"validate_to_none"
],
[
"extra.",
"supported_control",
"validate_to_none"
],
[
"extra.",
"supported_ldap_policies",
"validate_to_none"
],
[
"extra.",
"supported_ldap_version",
"validate_to_none"
],
[
"extra.",
"supported_sasl_mechanisms",
"validate_to_none"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"auth_tls_response",
"validate_to_none"
],
[
"extra.",
"auth_ssl_response",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ldap-tcp-report/"
},
"scan_ldap_udp" : {
"constant_fields" : {
"classification.identifier" : "open-ldap",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ldap"
},
"feed_name" : "Open-LDAP",
"file_name" : "scan_ldap_udp",
"optional_fields" : [
[
"source.local_hostname",
"dns_host_name",
"validate_to_none"
],
[
"extra.",
"domain_controller_functionality",
"convert_int"
],
[
"extra.",
"domain_functionality",
"convert_int"
],
[
"extra.",
"forest_functionality",
"convert_int"
],
[
"extra.",
"highest_committed_usn",
"convert_int"
],
[
"extra.",
"is_global_catalog_ready",
"convert_bool"
],
[
"extra.",
"is_synchronized",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"configuration_naming_context",
"validate_to_none"
],
[
"extra.",
"current_time",
"validate_to_none"
],
[
"extra.",
"default_naming_context",
"validate_to_none"
],
[
"extra.",
"ds_service_name",
"validate_to_none"
],
[
"extra.",
"ldap_service_name",
"validate_to_none"
],
[
"extra.",
"naming_contexts",
"validate_to_none"
],
[
"extra.",
"root_domain_naming_context",
"validate_to_none"
],
[
"extra.",
"schema_naming_context",
"validate_to_none"
],
[
"extra.",
"server_name",
"validate_to_none"
],
[
"extra.",
"subschema_subentry",
"validate_to_none"
],
[
"extra.",
"supported_capabilities",
"validate_to_none"
],
[
"extra.",
"supported_control",
"validate_to_none"
],
[
"extra.",
"supported_ldap_policies",
"validate_to_none"
],
[
"extra.",
"supported_ldap_version",
"validate_to_none"
],
[
"extra.",
"supported_sasl_mechanisms",
"validate_to_none"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ldap-report/"
},
"scan_mdns" : {
"constant_fields" : {
"classification.identifier" : "open-mdns",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "mdns"
},
"feed_name" : "Open-mDNS",
"file_name" : "scan_mdns",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"mdns_name",
"validate_to_none"
],
[
"extra.",
"mdns_ipv4",
"validate_to_none"
],
[
"extra.",
"mdns_ipv6",
"validate_to_none"
],
[
"extra.",
"services",
"validate_to_none"
],
[
"extra.",
"workstation_name",
"validate_to_none"
],
[
"extra.",
"workstation_ipv4",
"validate_to_none"
],
[
"extra.",
"workstation_ipv6",
"validate_to_none"
],
[
"extra.",
"workstation_info",
"validate_to_none"
],
[
"extra.",
"http_name",
"validate_to_none"
],
[
"extra.",
"http_ipv4",
"validate_to_none"
],
[
"extra.",
"http_ipv6",
"validate_to_none"
],
[
"extra.",
"http_ptr",
"validate_to_none"
],
[
"extra.",
"http_info",
"validate_to_none"
],
[
"extra.",
"http_target",
"validate_to_none"
],
[
"extra.",
"http_port",
"convert_int"
],
[
"extra.",
"spotify_name",
"validate_to_none"
],
[
"extra.",
"spotify_ipv4",
"validate_to_none"
],
[
"extra.",
"spotify_ipv6",
"validate_to_none"
],
[
"extra.",
"opc_ua_discovery",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-mdns-report/"
},
"scan_memcached" : {
"constant_fields" : {
"classification.identifier" : "open-memcached",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "memcached"
},
"feed_name" : "Open-Memcached",
"file_name" : "scan_memcached",
"optional_fields" : [
[
"extra.",
"pid",
"convert_int"
],
[
"extra.",
"pointer_size",
"convert_int"
],
[
"extra.",
"uptime",
"convert_int"
],
[
"extra.",
"curr_connections",
"convert_int"
],
[
"extra.",
"total_connections",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"time",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-memcached-report/"
},
"scan_mongodb" : {
"constant_fields" : {
"classification.identifier" : "open-mongodb",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "mongodb"
},
"feed_name" : "Open-MongoDB",
"file_name" : "scan_mongodb",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"gitversion",
"validate_to_none"
],
[
"extra.",
"sysinfo",
"validate_to_none"
],
[
"extra.",
"opensslversion",
"validate_to_none"
],
[
"extra.",
"allocator",
"validate_to_none"
],
[
"extra.",
"javascriptengine",
"validate_to_none"
],
[
"extra.",
"bits",
"validate_to_none"
],
[
"extra.",
"maxbsonobjectsize",
"validate_to_none"
],
[
"extra.",
"ok",
"convert_bool"
],
[
"extra.",
"visible_databases",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-mongodb-report/"
},
"scan_mqtt" : {
"constant_fields" : {
"classification.identifier" : "open-mqtt",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "mqtt"
},
"feed_name" : "Open-MQTT",
"file_name" : "scan_mqtt",
"optional_fields" : [
[
"extra.",
"anonymous_access",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"raw_response",
"validate_to_none"
],
[
"extra.",
"hex_code",
"validate_to_none"
],
[
"extra.",
"code",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-mqtt-report/"
},
"scan_mqtt_anon" : {
"constant_fields" : {
"classification.identifier" : "open-mqtt-anon",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "mqtt"
},
"feed_name" : "Open-Anonymous-MQTT",
"file_name" : "scan_mqtt_anon",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"raw_response",
"validate_to_none"
],
[
"extra.",
"hex_code",
"validate_to_none"
],
[
"extra.",
"code",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-mqtt-report/"
},
"scan_mssql" : {
"constant_fields" : {
"classification.identifier" : "open-mssql",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "mssql"
},
"feed_name" : "Open-MSSQL",
"file_name" : "scan_mssql",
"optional_fields" : [
[
"source.local_hostname",
"server_name",
"validate_to_none"
],
[
"extra.",
"tcp_port",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"instance_name",
"validate_to_none"
],
[
"extra.",
"named_pipe",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ms-sql-server-resolution-service-report/"
},
"scan_mysql" : {
"constant_fields" : {
"classification.identifier" : "open-mysql",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "mysql"
},
"feed_name" : "Accessible-MySQL",
"file_name" : "scan_mysql",
"optional_fields" : [
[
"extra.",
"client_can_handle_expired_passwords",
"convert_bool"
],
[
"extra.",
"client_compress",
"convert_bool"
],
[
"extra.",
"client_connect_attrs",
"convert_bool"
],
[
"extra.",
"client_connect_with_db",
"convert_bool"
],
[
"extra.",
"client_deprecated_eof",
"convert_bool"
],
[
"extra.",
"client_found_rows",
"convert_bool"
],
[
"extra.",
"client_ignore_sigpipe",
"convert_bool"
],
[
"extra.",
"client_ignore_space",
"convert_bool"
],
[
"extra.",
"client_interactive",
"convert_bool"
],
[
"extra.",
"client_local_files",
"convert_bool"
],
[
"extra.",
"client_long_flag",
"convert_bool"
],
[
"extra.",
"client_long_password",
"convert_bool"
],
[
"extra.",
"client_multi_results",
"convert_bool"
],
[
"extra.",
"client_multi_statements",
"convert_bool"
],
[
"extra.",
"client_no_schema",
"convert_bool"
],
[
"extra.",
"client_odbc",
"convert_bool"
],
[
"extra.",
"client_plugin_auth",
"convert_bool"
],
[
"extra.",
"client_plugin_auth_len_enc_client_data",
"convert_bool"
],
[
"extra.",
"client_protocol_41",
"convert_bool"
],
[
"extra.",
"client_ps_multi_results",
"convert_bool"
],
[
"extra.",
"client_reserved",
"convert_bool"
],
[
"extra.",
"client_secure_connection",
"convert_bool"
],
[
"extra.",
"client_session_track",
"convert_bool"
],
[
"extra.",
"client_ssl",
"convert_bool"
],
[
"extra.",
"client_transactions",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"mysql_protocol_version",
"validate_to_none"
],
[
"extra.",
"server_version",
"validate_to_none"
],
[
"extra.",
"error_code",
"validate_to_none"
],
[
"extra.",
"error_id",
"validate_to_none"
],
[
"extra.",
"error_message",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-mysql-server-report/"
},
"scan_nat_pmp" : {
"constant_fields" : {
"classification.identifier" : "open-natpmp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "natpmp"
},
"feed_name" : "Open-NATPMP",
"file_name" : "scan_nat_pmp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"opcode",
"validate_to_none"
],
[
"extra.",
"uptime",
"convert_int"
],
[
"extra.",
"external_ip",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-nat-pmp-report/"
},
"scan_netbios" : {
"constant_fields" : {
"classification.identifier" : "open-netbios-nameservice",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "netbios-nameservice"
},
"feed_name" : "Open-NetBIOS-Nameservice",
"file_name" : "scan_netbios",
"optional_fields" : [
[
"source.account",
"username"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"mac_address",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"workgroup",
"validate_to_none"
],
[
"extra.",
"machine_name",
"validate_to_none"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-netbios-report/"
},
"scan_netis_router" : {
"constant_fields" : {
"classification.identifier" : "open-netis",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.transport" : "udp"
},
"feed_name" : "Open-Netis",
"file_name" : "scan_netis_router",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"response",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/netcore-netis-router-vulnerability-scan-report/"
},
"scan_ntp" : {
"constant_fields" : {
"classification.identifier" : "ntp-version",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ntp"
},
"feed_name" : "NTP-Version",
"file_name" : "scan_ntp",
"optional_fields" : [
[
"extra.",
"clk_wander",
"convert_float"
],
[
"extra.",
"frequency",
"convert_float"
],
[
"extra.",
"jitter",
"convert_float"
],
[
"extra.",
"leap",
"convert_float"
],
[
"extra.",
"offset",
"convert_float"
],
[
"extra.",
"peer",
"convert_int"
],
[
"extra.",
"poll",
"convert_int"
],
[
"extra.",
"precision",
"convert_int"
],
[
"extra.",
"rootdelay",
"convert_float"
],
[
"extra.",
"rootdispersion",
"convert_float"
],
[
"extra.",
"stratum",
"convert_int"
],
[
"extra.",
"tc",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"clock",
"validate_to_none"
],
[
"extra.",
"error",
"validate_to_none"
],
[
"extra.",
"mintc",
"validate_to_none"
],
[
"extra.",
"noise",
"validate_to_none"
],
[
"extra.",
"phase",
"validate_to_none"
],
[
"extra.",
"processor",
"validate_to_none"
],
[
"extra.",
"refid",
"validate_to_none"
],
[
"extra.",
"reftime",
"validate_to_none"
],
[
"extra.",
"stability",
"validate_to_none"
],
[
"extra.",
"state",
"validate_to_none"
],
[
"extra.",
"system",
"validate_to_none"
],
[
"extra.",
"tai",
"validate_to_none"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/ntp-version-report/"
},
"scan_ntpmonitor" : {
"constant_fields" : {
"classification.identifier" : "ntp-monitor",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ntp"
},
"feed_name" : "NTP-Monitor",
"file_name" : "scan_ntpmonitor",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"packets",
"convert_int"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/ntp-monitor-report/"
},
"scan_portmapper" : {
"constant_fields" : {
"classification.identifier" : "open-portmapper",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "portmapper"
},
"feed_name" : "Open-Portmapper",
"file_name" : "scan_portmapper",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"programs",
"validate_to_none"
],
[
"extra.",
"mountd_port",
"validate_to_none"
],
[
"extra.",
"exports",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-portmapper-report/"
},
"scan_post_exploitation_framework" : {
"constant_fields" : {
"classification.identifier" : "c2-beacon",
"classification.taxonomy" : "malicious-code",
"classification.type" : "infected-system"
},
"feed_name" : "Post-Exploitation-Framework",
"file_name" : "scan_post_exploitation_framework",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"http",
"validate_to_none"
],
[
"destination.url",
"http_url",
"convert_http_host_and_url",
true
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"architecture",
"validate_to_none"
],
[
"extra.",
"beacon_type",
"validate_to_none"
],
[
"extra.",
"beacon_host",
"validate_to_none"
],
[
"extra.",
"beacon_port",
"validate_to_none"
],
[
"extra.",
"beacon_http_get",
"validate_to_none"
],
[
"extra.",
"beacon_http_post",
"validate_to_none"
],
[
"extra.",
"license_id",
"validate_to_none"
],
[
"extra.",
"config_md5",
"validate_to_none"
],
[
"extra.",
"config_sha1",
"validate_to_none"
],
[
"extra.",
"config_sha256",
"validate_to_none"
],
[
"extra.",
"config_sha512",
"validate_to_none"
],
[
"extra.",
"binary_md5",
"validate_to_none"
],
[
"extra.",
"binary_sha1",
"validate_to_none"
],
[
"extra.",
"binary_sha256",
"validate_to_none"
],
[
"extra.",
"binary_sha512",
"validate_to_none"
],
[
"extra.",
"encoded_length",
"validate_to_none"
],
[
"extra.",
"encoded_data",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/post-exploitation-framework/"
},
"scan_postgres" : {
"constant_fields" : {
"classification.identifier" : "open-postgres",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "postgres"
},
"feed_name" : "Accessible-PostgreSQL",
"file_name" : "scan_postgres",
"optional_fields" : [
[
"extra.",
"startup_error_line",
"convert_int"
],
[
"extra.",
"client_ssl",
"convert_bool"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"supported_protocols",
"validate_to_none"
],
[
"extra.",
"protocol_error_code",
"validate_to_none"
],
[
"extra.",
"protocol_error_file",
"validate_to_none"
],
[
"extra.",
"protocol_error_line",
"validate_to_none"
],
[
"extra.",
"protocol_error_message",
"validate_to_none"
],
[
"extra.",
"protocol_error_routine",
"validate_to_none"
],
[
"extra.",
"protocol_error_severity",
"validate_to_none"
],
[
"extra.",
"protocol_error_severity_v",
"validate_to_none"
],
[
"extra.",
"startup_error_code",
"validate_to_none"
],
[
"extra.",
"startup_error_file",
"validate_to_none"
],
[
"extra.",
"startup_error_message",
"validate_to_none"
],
[
"extra.",
"startup_error_routine",
"validate_to_none"
],
[
"extra.",
"startup_error_severity",
"validate_to_none"
],
[
"extra.",
"startup_error_severity_v",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-postgresql-server-report/"
},
"scan_qotd" : {
"constant_fields" : {
"classification.identifier" : "open-qotd",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "qotd"
},
"feed_name" : "Open-QOTD",
"file_name" : "scan_qotd",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"quote",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-qotd-report/"
},
"scan_quic" : {
"constant_fields" : {
"classification.identifier" : "open-quic",
"classification.taxonomy" : "other",
"classification.type" : "other"
},
"feed_name" : "Accessible-QUIC",
"file_name" : "scan_quic",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"version_field_1",
"validate_to_none"
],
[
"extra.",
"version_field_2",
"validate_to_none"
],
[
"extra.",
"version_field_3",
"validate_to_none"
],
[
"extra.",
"version_field_4",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-quic-report/"
},
"scan_radmin" : {
"constant_fields" : {
"classification.identifier" : "accessible-radmin",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system"
},
"feed_name" : "Accessible-Radmin",
"file_name" : "scan_radmin",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-radmin-report/"
},
"scan_rdp" : {
"constant_fields" : {
"classification.identifier" : "open-rdp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "rdp",
"protocol.transport" : "tcp"
},
"feed_name" : "Accessible-RDP",
"file_name" : "scan_rdp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"rdp_protocol",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-rdp-report/"
},
"scan_rdpeudp" : {
"constant_fields" : {
"classification.identifier" : "accessible-msrdpeudp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system"
},
"feed_name" : "Accessible-MS-RDPEUDP",
"file_name" : "scan_rdpeudp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sessionid",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ms-rdpeudp/"
},
"scan_redis" : {
"constant_fields" : {
"classification.identifier" : "open-redis",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "redis"
},
"feed_name" : "Open-Redis",
"file_name" : "scan_redis",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"git_sha1",
"validate_to_none"
],
[
"extra.",
"git_dirty_flag",
"validate_to_none"
],
[
"extra.",
"build_id",
"validate_to_none"
],
[
"extra.",
"mode",
"validate_to_none"
],
[
"extra.os.name",
"os",
"validate_to_none"
],
[
"extra.",
"architecture",
"validate_to_none"
],
[
"extra.",
"multiplexing_api",
"validate_to_none"
],
[
"extra.",
"gcc_version",
"validate_to_none"
],
[
"extra.",
"process_id",
"validate_to_none"
],
[
"extra.",
"run_id",
"validate_to_none"
],
[
"extra.",
"uptime",
"convert_int"
],
[
"extra.",
"connected_clients",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-redis-report/"
},
"scan_rsync" : {
"constant_fields" : {
"classification.identifier" : "accessible-rsync",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "rsync"
},
"feed_name" : "Accessible-Rsync",
"file_name" : "scan_rsync",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"module",
"validate_to_none"
],
[
"extra.",
"motd",
"validate_to_none"
],
[
"extra.",
"has_password",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-rsync-report/"
},
"scan_sip" : {
"constant_fields" : {
"classification.identifier" : "open-sip",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "sip"
},
"feed_name" : "Accessible-SIP",
"file_name" : "scan_sip",
"optional_fields" : [
[
"extra.sip_server",
"server",
"validate_to_none"
],
[
"extra.sip_contact",
"contact",
"validate_to_none"
],
[
"extra.sip_cseq",
"cseq",
"validate_to_none"
],
[
"extra.sip_call_id",
"call_id",
"validate_to_none"
],
[
"extra.sip_allow",
"allow",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"sip",
"validate_to_none"
],
[
"extra.",
"sip_code",
"validate_to_none"
],
[
"extra.",
"sip_reason",
"validate_to_none"
],
[
"user_agent",
"user_agent",
"validate_to_none"
],
[
"extra.",
"sip_via",
"validate_to_none"
],
[
"extra.",
"sip_to",
"validate_to_none"
],
[
"extra.",
"sip_from",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-sip-report/"
},
"scan_slp" : {
"constant_fields" : {
"classification.identifier" : "open-slp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "slp"
},
"feed_name" : "Accessible-SLP",
"file_name" : "scan_slp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"function",
"validate_to_none"
],
[
"extra.",
"function_text",
"validate_to_none"
],
[
"extra.",
"flags",
"validate_to_none"
],
[
"extra.",
"next_extension_offset",
"validate_to_none"
],
[
"extra.",
"xid",
"validate_to_none"
],
[
"extra.",
"language_tag_length",
"validate_to_none"
],
[
"extra.",
"language_tag",
"validate_to_none"
],
[
"extra.",
"error_code",
"validate_to_none"
],
[
"extra.",
"error_code_text",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"raw_response",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-slp-service-report/"
},
"scan_smb" : {
"constant_fields" : {
"classification.identifier" : "open-smb",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "smb",
"protocol.transport" : "tcp"
},
"feed_name" : "Accessible-SMB",
"file_name" : "scan_smb",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"arch",
"validate_to_none"
],
[
"extra.",
"key",
"validate_to_none"
],
[
"extra.",
"smb_major_number",
"validate_to_none"
],
[
"extra.",
"smb_minor_number",
"validate_to_none"
],
[
"extra.",
"smb_revision",
"validate_to_none"
],
[
"extra.",
"smb_version_string",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-smb-report/"
},
"scan_smtp" : {
"constant_fields" : {
"classification.identifier" : "open-smtp",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "smtp"
},
"feed_name" : "Accessible-SMTP",
"file_name" : "scan_smtp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"auth_ssl_response",
"validate_to_none"
],
[
"extra.",
"auth_tls_response",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"freak_cipher_suite",
"validate_to_none"
],
[
"extra.",
"freak_vulnerable",
"convert_bool"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"sslv3_supported",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"validation_level",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-smtp-report/"
},
"scan_smtp_vulnerable" : {
"constant_fields" : {
"classification.identifier" : "vulnerable-smtp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "smtp"
},
"feed_name" : "Vulnerable-SMTP",
"file_name" : "scan_smtp_vulnerable",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"auth_ssl_response",
"validate_to_none"
],
[
"extra.",
"auth_tls_response",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"freak_cipher_suite",
"validate_to_none"
],
[
"extra.",
"freak_vulnerable",
"convert_bool"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"sslv3_supported",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"validation_level",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-smtp-report/"
},
"scan_snmp" : {
"constant_fields" : {
"classification.identifier" : "open-snmp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "snmp"
},
"feed_name" : "Open-SNMP",
"file_name" : "scan_snmp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"sysname",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.",
"sysdesc",
"validate_to_none"
],
[
"extra.",
"community",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"uptime",
"convert_int"
],
[
"extra.",
"mac_address",
"validate_to_none"
],
[
"extra.",
"vendor_id",
"validate_to_none"
],
[
"extra.",
"vendor",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-snmp-report/"
},
"scan_socks" : {
"constant_fields" : {
"classification.identifier" : "open-socks",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system"
},
"feed_name" : "Accessible-SOCKS4/5-Proxy",
"file_name" : "scan_socks",
"optional_fields" : [
[
"protocol.application",
"tag"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-socks4-5-proxy-report/"
},
"scan_ssdp" : {
"constant_fields" : {
"classification.identifier" : "open-ssdp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ssdp"
},
"feed_name" : "Open-SSDP",
"file_name" : "scan_ssdp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"header",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"systime",
"validate_to_none"
],
[
"extra.",
"cache_control",
"validate_to_none"
],
[
"extra.",
"location",
"validate_to_none"
],
[
"extra.",
"server",
"validate_to_none"
],
[
"extra.",
"search_target",
"validate_to_none"
],
[
"extra.",
"unique_service_name",
"validate_to_none"
],
[
"extra.",
"host",
"validate_to_none"
],
[
"extra.",
"nts",
"validate_to_none"
],
[
"extra.",
"nt",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"server_port",
"validate_to_none"
],
[
"extra.",
"instance",
"validate_to_none"
],
[
"extra.",
"version",
"validate_to_none"
],
[
"extra.",
"updated_at",
"validate_to_none"
],
[
"extra.",
"resource_identifier",
"validate_to_none"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"response_size",
"convert_int"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ssdp-report/"
},
"scan_ssh" : {
"constant_fields" : {
"classification.identifier" : "open-ssh",
"classification.taxonomy" : "other",
"classification.type" : "other"
},
"feed_name" : "Accessible-SSH",
"file_name" : "scan_ssh",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"serverid_raw",
"validate_to_none"
],
[
"extra.",
"serverid_version",
"validate_to_none"
],
[
"extra.",
"serverid_software",
"validate_to_none"
],
[
"extra.",
"serverid_comment",
"validate_to_none"
],
[
"extra.",
"server_cookie",
"validate_to_none"
],
[
"extra.",
"available_kex",
"validate_to_none"
],
[
"extra.",
"available_ciphers",
"validate_to_none"
],
[
"extra.",
"available_mac",
"validate_to_none"
],
[
"extra.",
"available_compression",
"validate_to_none"
],
[
"extra.",
"selected_kex",
"validate_to_none"
],
[
"extra.",
"algorithm",
"validate_to_none"
],
[
"extra.",
"selected_cipher",
"validate_to_none"
],
[
"extra.",
"selected_mac",
"validate_to_none"
],
[
"extra.",
"selected_compression",
"validate_to_none"
],
[
"extra.",
"server_signature_value",
"validate_to_none"
],
[
"extra.",
"server_signature_raw",
"validate_to_none"
],
[
"extra.",
"server_host_key",
"validate_to_none"
],
[
"extra.",
"server_host_key_sha256",
"validate_to_none"
],
[
"extra.",
"rsa_prime",
"validate_to_none"
],
[
"extra.",
"rsa_prime_length",
"validate_to_none"
],
[
"extra.",
"rsa_generator",
"validate_to_none"
],
[
"extra.",
"rsa_generator_length",
"validate_to_none"
],
[
"extra.",
"rsa_public_key",
"validate_to_none"
],
[
"extra.",
"rsa_public_key_length",
"validate_to_none"
],
[
"extra.",
"rsa_exponent",
"validate_to_none"
],
[
"extra.",
"rsa_modulus",
"validate_to_none"
],
[
"extra.",
"rsa_length",
"validate_to_none"
],
[
"extra.",
"dss_prime",
"validate_to_none"
],
[
"extra.",
"dss_prime_length",
"validate_to_none"
],
[
"extra.",
"dss_generator",
"validate_to_none"
],
[
"extra.",
"dss_generator_length",
"validate_to_none"
],
[
"extra.",
"dss_public_key",
"validate_to_none"
],
[
"extra.",
"dss_public_key_length",
"validate_to_none"
],
[
"extra.",
"dss_dsa_public_g",
"validate_to_none"
],
[
"extra.",
"dss_dsa_public_p",
"validate_to_none"
],
[
"extra.",
"dss_dsa_public_q",
"validate_to_none"
],
[
"extra.",
"dss_dsa_public_y",
"validate_to_none"
],
[
"extra.",
"ecdsa_curve25519",
"validate_to_none"
],
[
"extra.",
"ecdsa_curve",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_length",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_b",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_gx",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_gy",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_n",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_p",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_x",
"validate_to_none"
],
[
"extra.",
"ecdsa_public_key_y",
"validate_to_none"
],
[
"extra.",
"ed25519_curve25519",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_nonce",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_bytes",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_raw",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sha256",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_serial",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_type_id",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_type_name",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_keyid",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_principles",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_valid_after",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_valid_before",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_duration",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sigkey_bytes",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sigkey_raw",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sigkey_sha256",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sigkey_value",
"validate_to_none"
],
[
"extra.",
"ed25519_cert_public_key_sig_raw",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.",
"userauth_methods",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ssh-report/"
},
"scan_ssl" : {
"constant_fields" : {
"classification.identifier" : "open-ssl",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "https"
},
"feed_name" : "Accessible-SSL",
"file_name" : "scan_ssl",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"ssl_poodle",
"convert_bool"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"freak_vulnerable",
"convert_bool"
],
[
"extra.",
"freak_cipher_suite",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"http_response_type",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"http_connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server_type",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ssl-report/"
},
"scan_ssl_freak" : {
"constant_fields" : {
"classification.identifier" : "ssl-freak",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "https"
},
"feed_name" : "SSL-FREAK-Vulnerable-Servers",
"file_name" : "scan_ssl_freak",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"freak_vulnerable",
"convert_bool"
],
[
"extra.",
"freak_cipher_suite",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"http_response_type",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"http_connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server_type",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.",
"page_sha256fp",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/ssl-freak-report/"
},
"scan_ssl_poodle" : {
"constant_fields" : {
"classification.identifier" : "ssl-poodle",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "https"
},
"feed_name" : "SSL-POODLE-Vulnerable-Servers IPv4",
"file_name" : "scan_ssl_poodle",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"extra.",
"handshake",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"cipher_suite",
"validate_to_none"
],
[
"extra.",
"ssl_poodle",
"convert_bool"
],
[
"extra.",
"cert_length",
"convert_int"
],
[
"extra.",
"subject_common_name",
"validate_to_none"
],
[
"extra.",
"issuer_common_name",
"validate_to_none"
],
[
"extra.",
"cert_issue_date",
"validate_to_none"
],
[
"extra.",
"cert_expiration_date",
"validate_to_none"
],
[
"extra.",
"sha1_fingerprint",
"validate_to_none"
],
[
"extra.",
"cert_serial_number",
"validate_to_none"
],
[
"extra.",
"ssl_version",
"convert_int"
],
[
"extra.",
"signature_algorithm",
"validate_to_none"
],
[
"extra.",
"key_algorithm",
"validate_to_none"
],
[
"extra.",
"subject_organization_name",
"validate_to_none"
],
[
"extra.",
"subject_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"subject_country",
"validate_to_none"
],
[
"extra.",
"subject_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"subject_locality_name",
"validate_to_none"
],
[
"extra.",
"subject_street_address",
"validate_to_none"
],
[
"extra.",
"subject_postal_code",
"validate_to_none"
],
[
"extra.",
"subject_surname",
"validate_to_none"
],
[
"extra.",
"subject_given_name",
"validate_to_none"
],
[
"extra.",
"subject_email_address",
"validate_to_none"
],
[
"extra.",
"subject_business_category",
"validate_to_none"
],
[
"extra.",
"subject_serial_number",
"validate_to_none"
],
[
"extra.",
"issuer_organization_name",
"validate_to_none"
],
[
"extra.",
"issuer_organization_unit_name",
"validate_to_none"
],
[
"extra.",
"issuer_country",
"validate_to_none"
],
[
"extra.",
"issuer_state_or_province_name",
"validate_to_none"
],
[
"extra.",
"issuer_locality_name",
"validate_to_none"
],
[
"extra.",
"issuer_street_address",
"validate_to_none"
],
[
"extra.",
"issuer_postal_code",
"validate_to_none"
],
[
"extra.",
"issuer_surname",
"validate_to_none"
],
[
"extra.",
"issuer_given_name",
"validate_to_none"
],
[
"extra.",
"issuer_email_address",
"validate_to_none"
],
[
"extra.",
"issuer_business_category",
"validate_to_none"
],
[
"extra.",
"issuer_serial_number",
"validate_to_none"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"sha256_fingerprint",
"validate_to_none"
],
[
"extra.",
"sha512_fingerprint",
"validate_to_none"
],
[
"extra.",
"md5_fingerprint",
"validate_to_none"
],
[
"extra.",
"http_response_type",
"validate_to_none"
],
[
"extra.",
"http_code",
"convert_int"
],
[
"extra.",
"http_reason",
"validate_to_none"
],
[
"extra.",
"content_type",
"validate_to_none"
],
[
"extra.",
"http_connection",
"validate_to_none"
],
[
"extra.",
"www_authenticate",
"validate_to_none"
],
[
"extra.",
"set_cookie",
"validate_to_none"
],
[
"extra.",
"server_type",
"validate_to_none"
],
[
"extra.",
"content_length",
"convert_int"
],
[
"extra.",
"transfer_encoding",
"validate_to_none"
],
[
"extra.",
"http_date",
"convert_date"
],
[
"extra.",
"cert_valid",
"convert_bool"
],
[
"extra.",
"self_signed",
"convert_bool"
],
[
"extra.",
"cert_expired",
"convert_bool"
],
[
"extra.",
"browser_trusted",
"convert_bool"
],
[
"extra.",
"validation_level",
"validate_to_none"
],
[
"extra.",
"browser_error",
"validate_to_none"
],
[
"extra.",
"tlsv13_support",
"validate_to_none"
],
[
"extra.",
"tlsv13_cipher",
"validate_to_none"
],
[
"extra.",
"raw_cert",
"validate_to_none"
],
[
"extra.",
"raw_cert_chain",
"validate_to_none"
],
[
"extra.",
"jarm",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"device_type",
"validate_to_none"
],
[
"extra.",
"device_model",
"validate_to_none"
],
[
"extra.",
"device_version",
"validate_to_none"
],
[
"extra.",
"device_sector",
"validate_to_none"
],
[
"extra.",
"page_sha256fp",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/ssl-poodle-report/"
},
"scan_stun" : {
"constant_fields" : {
"classification.identifier" : "open-stun",
"classification.taxonomy" : "other",
"classification.type" : "other",
"protocol.application" : "Session Traversal Utilities for NAT"
},
"feed_name" : "Accessible-Session-Traversal-Utilities-for-NAT",
"file_name" : "scan_stun",
"optional_fields" : [
[
"extra.",
"mapped_port",
"convert_int"
],
[
"extra.",
"xor_mapped_port",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"transaction_id",
"validate_to_none"
],
[
"extra.",
"magic_cookie",
"validate_to_none"
],
[
"extra.",
"message_length",
"convert_int"
],
[
"extra.",
"message_type",
"validate_to_none"
],
[
"extra.",
"mapped_family",
"validate_to_none"
],
[
"extra.",
"mapped_address",
"validate_to_none"
],
[
"extra.",
"xor_mapped_family",
"validate_to_none"
],
[
"extra.",
"xor_mapped_address",
"validate_to_none"
],
[
"extra.",
"software",
"validate_to_none"
],
[
"extra.",
"fingerprint",
"validate_to_none"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"response_size",
"convert_int"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-stun-service-report/"
},
"scan_synfulknock" : {
"constant_fields" : {
"classification.identifier" : "open-synfulknock",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system"
},
"feed_name" : "SYNful-Knock",
"file_name" : "scan_synfulknock",
"optional_fields" : [
[
"extra.",
"ack_number",
"convert_int"
],
[
"extra.",
"window_size",
"convert_int"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"sequence_number",
"validate_to_none"
],
[
"extra.",
"urgent_pointer",
"validate_to_none"
],
[
"extra.",
"tcp_flags",
"validate_to_none"
],
[
"extra.",
"raw_packet",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/synful-scan-report/"
},
"scan_telnet" : {
"constant_fields" : {
"classification.identifier" : "open-telnet",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "telnet"
},
"feed_name" : "Accessible-Telnet",
"file_name" : "scan_telnet",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-telnet-report/"
},
"scan_tftp" : {
"constant_fields" : {
"classification.identifier" : "open-tftp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "tftp"
},
"feed_name" : "Open-TFTP",
"file_name" : "scan_tftp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"opcode",
"validate_to_none"
],
[
"extra.",
"errorcode",
"validate_to_none"
],
[
"extra.",
"error",
"validate_to_none"
],
[
"extra.",
"errormessage",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-accessible-tftp-report/"
},
"scan_ubiquiti" : {
"constant_fields" : {
"classification.identifier" : "accessible-ubiquiti-discovery-service",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system"
},
"feed_name" : "Accessible-Ubiquiti-Discovery-Service",
"file_name" : "scan_ubiquiti",
"optional_fields" : [
[
"extra.mac_address",
"mac",
"validate_to_none"
],
[
"extra.radio_name",
"radioname",
"validate_to_none"
],
[
"extra.model",
"modelshort",
"validate_to_none"
],
[
"extra.model_full",
"modelfull",
"validate_to_none"
],
[
"extra.firmwarerev",
"firmware",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"essid",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/open-ubiquiti-report/"
},
"scan_vnc" : {
"constant_fields" : {
"classification.identifier" : "open-vnc",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "vnc",
"protocol.transport" : "tcp"
},
"feed_name" : "Accessible-VNC",
"file_name" : "scan_vnc",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"product",
"validate_to_none"
],
[
"extra.",
"banner",
"validate_to_none"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-vnc-report/"
},
"scan_ws_discovery" : {
"constant_fields" : {
"classification.identifier" : "open-ws-discovery",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "ws-discovery"
},
"feed_name" : "Accessible-WS-Discovery-Service",
"file_name" : "scan_ws_discovery",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"error",
"validate_to_none"
],
[
"extra.",
"raw_response",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-ws-discovery-service-report/"
},
"scan_xdmcp" : {
"constant_fields" : {
"classification.identifier" : "open-xdmcp",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system",
"protocol.application" : "xdmcp"
},
"feed_name" : "Open-XDMCP",
"file_name" : "scan_xdmcp",
"optional_fields" : [
[
"extra.",
"severity",
"validate_to_none"
],
[
"protocol.transport",
"protocol"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.",
"tag",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"hostname_source",
"validate_to_none"
],
[
"extra.",
"opcode",
"validate_to_none"
],
[
"extra.",
"reported_hostname",
"validate_to_none"
],
[
"status",
"status"
],
[
"extra.",
"response_size",
"convert_int"
],
[
"extra.",
"amplification",
"convert_float"
],
[
"extra.",
"sector",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/accessible-xdmcp-service-report/"
},
"spam_url" : {
"constant_fields" : {
"classification.identifier" : "spam-url",
"classification.taxonomy" : "abusive-content",
"classification.type" : "spam"
},
"feed_name" : "Spam-URL",
"file_name" : "spam_url",
"optional_fields" : [
[
"source.url",
"url",
"convert_http_host_and_url",
true
],
[
"source.fqdn",
"hostname",
"validate_fqdn"
],
[
"extra.relay.ip",
"src_ip",
"validate_ip"
],
[
"extra.relay.asn",
"src_asn",
"invalidate_zero"
],
[
"extra.relay.geolocation.cc",
"src_geo",
"validate_to_none"
],
[
"extra.relay.geolocation.region",
"src_region",
"validate_to_none"
],
[
"extra.relay.geolocation.city",
"src_city",
"validate_to_none"
],
[
"extra.relay.naics",
"src_naics",
"invalidate_zero"
],
[
"extra.relay.sector",
"src_sector",
"validate_to_none"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"extra.",
"naics",
"invalidate_zero"
],
[
"extra.",
"sector",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"extra.",
"tag"
],
[
"extra.",
"source",
"validate_to_none"
],
[
"extra.",
"sender",
"validate_to_none"
],
[
"extra.",
"subject",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
],
"url" : "https://www.shadowserver.org/what-we-do/network-reporting/spam-url-report/"
},
"special" : {
"constant_fields" : {
"classification.identifier" : "special",
"classification.taxonomy" : "vulnerable",
"classification.type" : "vulnerable-system"
},
"feed_name" : "Special",
"file_name" : "special",
"optional_fields" : [
[
"event_description.text",
"detail"
],
[
"protocol.transport",
"protocol"
],
[
"source.asn",
"asn",
"invalidate_zero"
],
[
"source.geolocation.cc",
"geo"
],
[
"source.geolocation.region",
"region"
],
[
"source.geolocation.city",
"city"
],
[
"source.reverse_dns",
"hostname"
],
[
"extra.source.naics",
"naics",
"invalidate_zero"
],
[
"extra.source.sector",
"sector",
"validate_to_none"
],
[
"extra.",
"tag"
],
[
"extra.",
"public_source",
"validate_to_none"
],
[
"status",
"status"
],
[
"extra.",
"method",
"validate_to_none"
],
[
"extra.",
"device_vendor",
"validate_to_none"
],
[
"extra.",
"severity",
"validate_to_none"
],
[
"extra.",
"hostname_source",
"validate_to_none"
]
],
"required_fields" : [
[
"time.source",
"timestamp",
"add_UTC_to_timestamp"
],
[
"source.ip",
"ip",
"validate_ip"
],
[
"source.port",
"port",
"convert_int"
]
]
}
}