[IntelMQ-dev] classification attributes in IntelMQ Shadowserver parser schema
Kamil Mankowski
mankowski at cert.at
Mon Feb 5 10:46:24 CET 2024
Or rather not fully - as @gethvi brought to my attention that most of
"Accessible" or "Open" feeds should be rather classified as
"potentially-unwanted-accessible" according to the taxonomy
(https://github.com/enisaeu/Reference-Security-Incident-Taxonomy-Task-Force/blob/master/working_copy/humanv1.md)
- instead of vulnerable-system or other.
For many cases we have our own classification enforced - I'm attaching
an extract from my configuration to compare with the original schema.
It's a YAML list used to generate the final configuration later.
Best regards
// Kamil Mańkowski <mankowski at cert.at> - T: +43 676 898 298 7204
// CERT Austria - https://www.cert.at/
// CERT.at GmbH, FB-Nr. 561772k, HG Wien
On 2/5/24 10:15, Kamil Mankowski wrote:
> Hi, thanks for the changes and reviews! They look good to me too!
>
> Best regards
>
> // Kamil Mańkowski <mankowski at cert.at> - T: +43 676 898 298 7204
> // CERT Austria - https://www.cert.at/
> // CERT.at GmbH, FB-Nr. 561772k, HG Wien
>
> On 2/2/24 11:48, Thomas Hungenberg via IntelMQ-dev wrote:
>> Hi,
>>
>> thanks a lot for your prompt response and sorry for the delay on my side.
>>
>> The changes look good!
>>
>> However, I have made a few additional changes:
>>
>> 1)
>> Make classification.identifier for honeypot_ics_scan consistent
>> with other honeypot scans:
>> =====================
>> "event_honeypot_ics_scan" : {
>> "constant_fields" : {
>> - "classification.identifier" : "ics",
>> + "classification.identifier" : "honeypot-ics-scan",
>> =====================
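Review bot: renaming classification.identifier from "ics" to "honeypot-ics-scan" is exactly the kind of downstream-visible change the 31.01 mail in this thread warns about, since notification_rules and mailgen templates match on identifiers; the completed-changes.md entry should list the old value "ics" next to the new one so operators can grep their configs for it, and any IPv6 twin of this feed in the schema should get the same identifier so IPv4 and IPv6 stay consistent.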
>>
>> This change should be documented here:
>> https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
>>
>>
>> 2)
>> Change classification.taxonomy and classification.type from
>>
>> "classification.taxonomy" : "other",
>> "classification.type" : "other",
>>
>> to
>> "classification.taxonomy" : "vulnerable",
>> "classification.type" : "vulnerable-system",
>>
>> for accessible-bgp and accessible-msmq.
>>
>> Not included in old _config.py, so no need to document.
>>
>>
>> 3)
>> Change classification.taxonomy and classification.type from
>>
>> "classification.taxonomy" : "other",
>> "classification.type" : "other",
>>
>> to
>> "classification.taxonomy" : "vulnerable",
>> "classification.type" : "vulnerable-system",
>>
>> for open-mysql, open-postgres, open-couchdb, open-epmd.
>>
>> This change should be documented here:
>> https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
>>
>>
>> 4)
>> Correct classification.identifier for vulnerable-http:
>> =====================
>> "scan_http_vulnerable" : {
>> "constant_fields" : {
>> - "classification.identifier" : "accessible-http",
>> + "classification.identifier" : "vulnerable-http",
>>
>> "scan6_http_vulnerable" : {
>> "constant_fields" : {
>> - "classification.identifier" : "accessible-http",
>> + "classification.identifier" : "vulnerable-http",
>> =====================
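Review bot: both scan_http_vulnerable and scan6_http_vulnerable now carry the same "vulnerable-http" identifier, which is the IPv4/IPv6 consistency the thread asks for; the hunk does not show classification.taxonomy/type for these two entries, so it is worth confirming they are "vulnerable"/"vulnerable-system" as set for the other vulnerable feeds in items 2 and 3, since the old "accessible-http" value suggests the entries were copied from an accessible feed. The remaining scan6_* and *6 entries deserve the same pass before merging, as the 31.01 mail found "scan6-rdp" and "compromised-website6" still naming the feed instead of the incident.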
>>
>> This change should be documented here:
>> https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/completed-changes.md
>>
>>
>> Please find the updated intelmq.json attached.
>>
>>
>> Kind regards
>> Thomas
>>
>>
>> On 31.01.24 16:42, elsif wrote:
>>> Hello,
>>>
>>> Proposed changes are attached. Please let me know if you agree with
>>> the changes or have any alterations.
>>>
>>> Regards
>>>
>>> On 1/31/24 7:05 AM, Thomas Hungenberg wrote:
>>>> Hi,
>>>>
>>>> Sebastian (sebix) told me it was agreed that with the translation
>>>> from the current parser _config.py (included with IntelMQ 3.2.1)
>>>> to the new schema, no classification.* attributes will be changed.
>>>>
>>>> This is very important as our setup (and most probably others as well)
>>>> heavily depends on known classification identifiers like "open-rdp"
>>>> and classification types from the initial parsing of events up to
>>>> notification_rules and formats/templates for mailgen.
>>>> So with a change of a classification attribute lots of scripts and
>>>> configs would need to be changed as well.
>>>>
>>>> Looking at the current schema, I see the classification identifiers
>>>> are still correct for some feeds for both IPv4 and IPv6 like here:
>>>>
>>>> "scan_dns" : {
>>>> "constant_fields" : {
>>>> "classification.identifier" : "dns-open-resolver",
>>>>
>>>> "scan6_dns" : {
>>>> "constant_fields" : {
>>>> "classification.identifier" : "dns-open-resolver",
>>>>
>>>>
>>>> However, for other feeds the classification identifier has been kept
>>>> correctly for IPv4 like here:
>>>>
>>>> "scan_rdp" : {
>>>> "constant_fields" : {
>>>> "classification.identifier" : "open-rdp",
>>>>
>>>> "compromised_website" : {
>>>> "constant_fields" : {
>>>> "classification.identifier" : "compromised-website",
>>>>
>>>>
>>>> but for IPv6 it has changed to the name of the feed:
>>>>
>>>> "scan6_rdp" : {
>>>> "constant_fields" : {
>>>> "classification.identifier" : "scan6-rdp", <- should be "open-rdp"
>>>>
>>>> "compromised_website6" : {
>>>> "constant_fields" : {
>>>> "classification.identifier" : "compromised-website6", <- should be "compromised-website"
>>>>
>>>>
>>>> The classification.identifier should describe the incident (like "open-rdp")
>>>> and not the source (like "scan6-rdp").
>>>>
>>>> May I ask you to check and adjust all classification identifiers and types
>>>> in the schema so they are consistent with the ones generated by the current
>>>> _config.py?
>>>>
>>>>
>>>> Thanks a lot for all your work on the new schema based parser!
>>>>
>>>>
>>>> Kind regards
>>>> Thomas
>>>>
>>
>>
>> _______________________________________________
>> IntelMQ-dev mailing list
>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
>> https://intelmq.readthedocs.io/
-------------- next part --------------
shadow_server_feeds:
  - code: shadowserver-accessible-mysql-server
    name: Shadowserver Accessible MySQL Server
    search_subject_like: Shadowserver % Accessible MySQL Server Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-mysql-server
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-openmemcached
    name: Shadowserver Open Memcached
    search_subject_like: Shadowserver % Open Memcached Server Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-memcached
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-openmssql
    name: Shadowserver Open MSSQL
    search_subject_like: Shadowserver % Open MS-SQL Server Resolution Service Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-mssql
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-opentftp
    name: Shadowserver Open TFTP
    search_subject_like: Shadowserver % Open TFTP Servers Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-tftp
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-accessible-rdp
    name: Shadowserver Accessible RDP
    search_subject_like: Shadowserver % Accessible RDP Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-rdp
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-accessible-docker-service
    name: Shadowserver Accessible Docker Service
    search_subject_like: Shadowserver % Accessible Docker Service Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-docker-service
    monitoring-ignore-no-data: Rarely contains any data
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-accessible-erlang-port-mapper-daemon-report
    name: Shadowserver Accessible Erlang Port Mapper Daemon Report
    search_subject_like: Shadowserver % Accessible Erlang Port Mapper Daemon Report
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-erlang-port-mapper-daemon
  - code: shadowserver-open-port-mapper
    name: Shadowserver Austria Open Portmapper Scan
    search_subject_like: Shadowserver % Open Portmapper Scan Report
    __taxonomy: ["vulnerable", "ddos-amplifier"]
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-portmapper
  - code: shadowserver-accessible-kubernetes-api
    name: Shadowserver Accessible Kubernetes API
    search_subject_like: Shadowserver % Accessible Kubernetes API Server Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-kubernetes-api
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-accessible-smb-service
    name: Shadowserver Accessible SMB Service
    search_subject_like: Shadowserver % Accessible SMB Service Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-smb
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-ntp-monitor
    name: Shadowserver NTP Monitor
    search_subject_like: Shadowserver % NTP Monitor Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#ntp-monitor
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-ntp-version
    name: Shadowserver NTP Version
    search_subject_like: Shadowserver % NTP Version Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#ntp-version
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-open-chargen
    name: Shadowserver Open Chargen
    search_subject_like: Shadowserver % Open Chargen Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-chargen
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-open-ipmi
    name: Shadowserver Open IPMI
    search_subject_like: Shadowserver % Open IPMI Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-ipmi
    __taxonomy: ["vulnerable", "vulnerable-system"]
  - code: shadowserver-open-mdns
    name: Shadowserver Open mDNS
    search_subject_like: Shadowserver % Open mDNS Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-mdns
    __taxonomy: ["vulnerable", "information-disclosure"]
  - code: shadowserver-open-mongodb-service
    name: Shadowserver Open MongoDB Service
    search_subject_like: Shadowserver % Open MongoDB Service Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-mongodb
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-open-netbios
    name: Shadowserver Open Netbios
    search_subject_like: Shadowserver % Open Netbios Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-netbios
    __taxonomy: ["vulnerable", "vulnerable-system"]
  - code: shadowserver-open-qotd
    name: Shadowserver Open QOTD
    search_subject_like: Shadowserver % Open QOTD Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-qotd
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-open-snmp
    name: Shadowserver Open SNMP
    search_subject_like: Shadowserver % Open SNMP Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-snmp
    __taxonomy: ["vulnerable", "vulnerable-system"]
  - code: shadowserver-open-ssdp
    name: Shadowserver Open SSDP
    search_subject_like: Shadowserver % Open SSDP Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-ssdp
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-vulnerable-http
    name: Shadowserver Vulnerable HTTP
    search_subject_like: Shadowserver % Vulnerable HTTP Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#vulnerable-http
    __taxonomy: ["vulnerable", "vulnerable-system"]
  - code: shadowserver-vulnerable-isakmp
    name: Shadowserver Vulnerable ISAKMP
    search_subject_like: Shadowserver % Vulnerable ISAKMP Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#vulnerable-isakmp
    monitoring-ignore-no-data: Rarely contains any data
  - code: shadowserver-ssl-freak
    name: Shadowserver SSL/FREAK
    search_subject_like: Shadowserver % SSL/Freak Vulnerable Servers Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#ssl-freak
  - code: shadowserver-vulnerable-exchange-server
    name: Shadowserver Vulnerable Exchange Server
    search_subject_like: Shadowserver % Vulnerable Exchange Server Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#vulnerable-exchange-server
    __taxonomy: ["vulnerable", "vulnerable-system"]
  - code: shadowserver-accessible-postgresql
    name: Shadowserver Accessible PostgreSQL Server
    search_subject_like: Shadowserver % Accessible PostgreSQL Server Report
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-postgresql-server
  - code: shadowserver-accessible-vnc
    name: Shadowserver Accessible VNC
    search_subject_like: Shadowserver % Accessible VNC Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-vnc
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
    monitoring-ignore-no-data: We have never got any data
  - code: shadowserver-accessible-afp
    name: ShadowServer Accessible Apple Filing Protocol
    search_subject_like: ShadowServer % Accessible Apple Filing Protocol
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-afp
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-accessible-amqp
    name: Shadowserver Accessible AMQP
    search_subject_like: Shadowserver % Accessible AMQP Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-amqp
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-accessible-apple-remote-desktop
    name: Shadowserver Accessible Apple Remote Desktop
    search_subject_like: Shadowserver % Accessible Apple Remote Desktop Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-ard
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-accessible-coap
    name: Shadowserver Accessible CoAP
    search_subject_like: Shadowserver % Accessible CoAP Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-coap
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-accessible-radmin
    name: Shadowserver Accessible Radmin
    search_subject_like: Shadowserver % Accessible Radmin Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-radmin
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-accessible-sip
    name: Shadowserver Accessible SIP
    search_subject_like: Shadowserver % Accessible SIP Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-sip
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-accessible-slp
    name: Shadowserver Accessible SLP Service
    search_subject_like: Shadowserver % Accessible SLP Service Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-slp
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-honeypot-ddos-amplification
    name: Shadowserver Honeypot DDoS Amplification Events
    search_subject_like: Shadowserver % Honeypot DDoS Amplification Events Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#honeypot-ddos-ampl
    __taxonomy: ["availability", "ddos"]
  - code: shadowserver-vulnerable-smtp
    name: Shadowserver Vulnerable SMTP
    search_subject_like: Shadowserver % Vulnerable SMTP Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#vulnerable-smtp
    __taxonomy: ["vulnerable", "vulnerable-system"]
  - code: shadowserver-accessible-xdmcp-service
    name: Shadowserver Accessible XDMCP Service
    search_subject_like: Shadowserver % Accessible XDMCP Service Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-xdmcp
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-accessible-ws-discovery-service
    name: Shadowserver Accessible WS-Discovery Service
    search_subject_like: Shadowserver % Accessible WS-Discovery Service Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-ws-discovery
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-accessible-stun-service
    name: Shadowserver Accessible Session Traversal Utilities for NAT Service
    search_subject_like: Shadowserver % Accessible Session Traversal Utilities for NAT Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-stun
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-accessible-rsync-service
    name: Shadowserver Accessible Rsync Service
    search_subject_like: Shadowserver % Accessible Rsync Service Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-rsync
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-open-mqtt
    name: Shadowserver Open MQTT
    search_subject_like: Shadowserver % Open MQTT Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-mqtt
    __taxonomy: ["vulnerable", "information-disclosure"]
  - code: shadowserver-accessible-dvr-dhcpdiscover
    name: Shadowserver Accessible DVR DHCPDiscover
    search_subject_like: Shadowserver % Accessible DVR DHCPDiscover Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-dvr-dhcp
    __taxonomy: ["vulnerable", "ddos-amplifier"]
  - code: shadowserver-accessible-couchdb-server
    name: Shadowserver Accessible CouchDB Server
    search_subject_like: Shadowserver % Accessible CouchDB Server Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-couchdb
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-honeypot-brutforce
    name: Shadowserver Honeypot Brute Force Events
    search_subject_like: Shadowserver % Honeypot Brute Force Events Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#honeypot-brutforce
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-hadoop
    name: Shadowserver Accessible Hadoop
    search_subject_like: Shadowserver % Accessible Hadoop Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-hadoop
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
    monitoring-ignore-no-data: "Rarely any data"
  - code: shadowserver-ddos-participant
    name: Shadowserver DDoS Participant
    search_subject_like: Shadowserver % DDoS Participant Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#ddos-participant
    __taxonomy: ["availability", "ddos"]
    monitoring-ignore-no-data: "Rarely any data"
  - code: shadowserver-netcore-netis
    name: Shadowserver Netcore/Netis Router Vulnerability Scan
    search_subject_like: Shadowserver % Netcore/Netis Router Vulnerability Scan Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#netcore-netis
    __taxonomy: ["vulnerable", "vulnerable-system"]
    monitoring-ignore-no-data: "Rarely any data"
  - code: shadowserver-synful-scan
    name: Shadowserver Synful Scan
    search_subject_like: Shadowserver % Synful Scan Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#synful-scan
    __taxonomy: ["vulnerable", "vulnerable-system"]
    monitoring-ignore-no-data: "Rarely any data"
  - code: shadowserver-accessible-adb
    name: Shadowserver Accessible Android Debug Bridge
    search_subject_like: Shadowserver % Accessible Android Debug Bridge Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable#accessible-adb
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: sinkhole-http-events
    name: Shadowserver Sinkhole HTTP Events
    search_subject_like: Shadowserver % Sinkhole HTTP Events Report
    documentation: https://cert.at/de/services/daten-feeds/malicious-code#sinkhole-events
    __taxonomy: ["malicious-code", "infected-system"]
  - code: sinkhole-events
    name: Shadowserver Sinkhole Events Report
    search_subject_like: Shadowserver % Sinkhole Events Report
    documentation: https://cert.at/de/services/daten-feeds/malicious-code#sinkhole-events
    __taxonomy: ["malicious-code", "infected-system"]
  - code: shadowserver-accessible-ftp
    name: Shadowserver Accessible FTP
    search_subject_like: Shadowserver % Accessible FTP Service Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-ftp
    __taxonomy: ["vulnerable", "vulnerable-system"] # We filter out non-CVE entries
  - code: shadowserver-accessible-socks
    name: ShadowServer Accessible SOCKS 4/5 Proxy
    search_subject_like: Shadowserver % Accessible SOCKS4/5 Proxy Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#accessible-socks45
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
  - code: shadowserver-open-http-proxy
    name: ShadowServer Open HTTP Proxy
    search_subject_like: Shadowserver % Open HTTP Proxy Report
    documentation: https://cert.at/de/services/daten-feeds/vulnerable/#open-http-proxy
    __taxonomy: ["vulnerable", "potentially-unwanted-accessible"]
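An added consistency check for the two points raised in this thread, IPv6 feed identifiers that diverge from their IPv4 twins and feeds left at other/other, written as example code that is not part of IntelMQ or the report_schema repository. The schema excerpt and its feed keys are constructed to mirror the entries quoted above, and RSIT_PAIRS holds only the subset of the taxonomy that appears in the thread:

```python
import copy

# RSIT taxonomy/type pairs that occur in this thread (a subset of the ENISA RSIT, not the full list).
RSIT_PAIRS = {("vulnerable", "vulnerable-system"), ("vulnerable", "potentially-unwanted-accessible"),
              ("vulnerable", "ddos-amplifier"), ("vulnerable", "information-disclosure"),
              ("availability", "ddos"), ("malicious-code", "infected-system"), ("other", "other")}

def _entry(identifier, taxonomy, typ):
    return {"constant_fields": {"classification.identifier": identifier,
                                "classification.taxonomy": taxonomy, "classification.type": typ}}

# Constructed schema excerpt modelled on the entries quoted in the thread
# (feed keys are assumed; this is not the real intelmq.json).
SAMPLE_SCHEMA = {
    "scan_dns":  _entry("dns-open-resolver", "vulnerable", "vulnerable-system"),
    "scan6_dns": _entry("dns-open-resolver", "vulnerable", "vulnerable-system"),
    "scan_rdp":  _entry("open-rdp", "vulnerable", "vulnerable-system"),
    "scan6_rdp": _entry("scan6-rdp", "vulnerable", "vulnerable-system"),  # feed name leaked in
    "scan_bgp":  _entry("accessible-bgp", "other", "other"),               # unclassified
}

def _ident(schema, key):
    return schema[key]["constant_fields"]["classification.identifier"]

def ipv4_twin(key):
    """IPv4 counterpart of an IPv6 feed key (scan6_x -> scan_x, x6 -> x), else None."""
    if key.startswith("scan6_"):
        return "scan_" + key[len("scan6_"):]
    return key[:-1] if key.endswith("6") else None

def check_identifiers(schema):
    """(feed, identifier, reason) for IPv6 feeds whose identifier differs from the IPv4
    twin's: the identifier should name the incident (open-rdp), not the feed (scan6-rdp)."""
    problems = []
    for key in schema:
        twin = ipv4_twin(key)
        if twin in schema and _ident(schema, key) != _ident(schema, twin):
            problems.append((key, _ident(schema, key), f"differs from {twin} ({_ident(schema, twin)})"))
    return problems

def check_taxonomy(schema):
    """(feed, pair, reason) for pairs outside RSIT_PAIRS or left at the other/other catch-all."""
    problems = []
    for key, entry in schema.items():
        cf = entry["constant_fields"]
        pair = (cf.get("classification.taxonomy"), cf.get("classification.type"))
        if pair not in RSIT_PAIRS:
            problems.append((key, pair, "not a known RSIT pair"))
        elif pair == ("other", "other"):
            problems.append((key, pair, "unclassified catch-all"))
    return problems

def align_ipv6_identifiers(schema):
    """Copy of schema in which every IPv6 feed takes its IPv4 twin's identifier."""
    fixed = copy.deepcopy(schema)
    for key in fixed:
        twin = ipv4_twin(key)
        if twin in fixed:
            fixed[key]["constant_fields"]["classification.identifier"] = _ident(fixed, twin)
    return fixed

if __name__ == "__main__":
    for problem in check_identifiers(SAMPLE_SCHEMA) + check_taxonomy(SAMPLE_SCHEMA):
        print(*problem)
```

Running it against a real intelmq.json only needs `json.load` in place of SAMPLE_SCHEMA; the output of check_identifiers is also the list of old/new values to record in completed-changes.md.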