[IntelMQ-dev] classification attributes in IntelMQ Shadowserver parser schema
Thomas Hungenberg
th at cert-bund.de
Thu Feb 8 10:59:59 CET 2024
On 06.02.24 13:42, Kamil Mankowski wrote:
> When it comes to identifiers changes, I would be very conservative.
> They can be used for filtering, and as so - changing them is potentially dangerous.
> I second fixes about IPv6, those were more misleading than helping, but for the rest -
> we need to be careful and announce the change.
Yes, our IntelMQ setup with mailgen etc. also heavily depends on the known
classification identifiers. That is why I asked not to change them with the
switch to the dynamic schema.
However, Shadowserver renamed some "old" feeds from "open-*" to "accessible-*"
some years ago (e.g. "open-telnet" -> "accessible-telnet").
So far, we have not adopted those changes for the classification identifiers
but still use "open-telnet" etc. for "old" feeds.
On the other hand, for newer feeds like "accessible-ftp" we use the
classification identifier "accessible-ftp".
So we have "open-telnet" but "accessible-ftp" which is not consistent.
We should probably discuss which services are "open" and which ones are
"accessible" and change the classification identifiers accordingly.
Of course, all those changes need to be documented in the CHANGELOG and
we should provide SQL UPDATE statements in NEWS.md like for the changes
in version 3.0.0.
- Thomas
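As an added illustration (not part of the post and not IntelMQ's own code), this is the shape a NEWS.md migration statement could take if an identifier were renamed as the post describes, using the "open-telnet" -> "accessible-telnet" case from the post as a hypothetical. It assumes the table and column naming of IntelMQ's PostgreSQL output (table `events`, dotted column names such as `"classification.identifier"` and `"feed.provider"` quoted as identifiers) and that Shadowserver events carry `feed.provider = 'Shadowserver'`; both are assumptions to verify against the actual schema before running anything.

```sql
-- Added example, not from the post or the IntelMQ project.
-- Hypothetical rename: classification.identifier open-telnet -> accessible-telnet.
-- Assumed naming from IntelMQ's PostgreSQL output: table events, quoted dotted columns.
BEGIN;

-- Count the rows the rename would touch before changing anything,
-- so the impact on filters (mailgen rules etc.) can be judged first.
SELECT "classification.identifier", count(*) AS rows_affected
  FROM events
 WHERE "classification.identifier" IN ('open-telnet', 'accessible-telnet')
 GROUP BY "classification.identifier";

-- Restrict the rewrite to Shadowserver events (assumed feed.provider value)
-- so other bots that happen to use the same identifier string are untouched.
UPDATE events
   SET "classification.identifier" = 'accessible-telnet'
 WHERE "classification.identifier" = 'open-telnet'
   AND "feed.provider" = 'Shadowserver';

-- Roll back instead of committing if the counts above were not what was expected.
COMMIT;
```

Running the SELECT inside the same transaction as the UPDATE lets an operator compare the before and after counts and ROLLBACK if downstream filters were not yet adjusted to the new identifier.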