[IntelMQ-dev] classification attributes in IntelMQ Shadowserver parser schema
L. Aaron Kaplan
aaron at lo-res.org
Thu Feb 8 11:45:49 CET 2024
Super! Thanks :)
I think it's important that we do this in a coordinated fashion. Thanks :)
Best,
Aaron.
> On 08.02.2024, at 11:32, Thomas Hungenberg <th at cert-bund.de> wrote:
>
> Hi Aaron,
>
> green light for the release from my side.
>
> Thanks for delaying it for the recent discussions.
>
>
> - Thomas
>
> On 08.02.24 11:11, L. Aaron Kaplan wrote:
>> Hi all,
>> thanks for the lively discussion first of all, because it shows that these things matter :)
>> However, my question currently is: green light for release or not?
>> What do you feel, Thomas? Do you feel we need more time to discover things which would create a lot of havoc at different installations? Or do you feel that these changes are so minimal that it's just part of the regular attentive update cycle?
>> We can put that into the CHANGELOG and NEWS file of course. Would that be enough?
>> Because I have been delaying the release a bit for the discussion to settle and in order to make sure that there are as few surprises as possible for everyone with the dynamic schema update.
>> Best,
>> Aaron.
>>> On 08.02.2024, at 10:59, Thomas Hungenberg via IntelMQ-dev <intelmq-dev at lists.cert.at> wrote:
>>>
>>> On 06.02.24 13:42, Kamil Mankowski wrote:
>>>> When it comes to identifier changes, I would be very conservative.
>>>> They can be used for filtering, and as so - changing them is potentially dangerous.
>>>> I second fixes about IPv6, those were more misleading than helping, but for the rest -
>>>> we need to be careful and announce the change.
>>>
>>> Yes, our IntelMQ setup with mailgen etc. also heavily depends on the known
>>> classification identifiers. That is why I asked not to change them with the
>>> switch to the dynamic schema.
>>>
>>> However, Shadowserver renamed some "old" feeds from "open-*" to "accessible-*"
>>> some years ago (e.g. "open-telnet" -> "accessible-telnet").
>>> So far, we have not adopted those changes for the classification identifiers
>>> but still use "open-telnet" etc. for "old" feeds.
>>> On the other hand, for newer feeds like "accessible-ftp" we use the
>>> classification identifier "accessible-ftp".
>>> So we have "open-telnet" but "accessible-ftp" which is not consistent.
>>>
>>> We should probably discuss which services are "open" and which ones are
>>> "accessible" and change the classification identifiers accordingly.
>>>
>>> Of course, all those changes need to be documented in the CHANGELOG and
>>> we should provide SQL UPDATE statements in NEWS.md like for the changes
>>> in version 3.0.0.
>>>
>>>
>>> - Thomas
>>>
>>> _______________________________________________
>>> IntelMQ-dev mailing list
>>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev
>>> https://intelmq.readthedocs.io/
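A NEWS.md-style migration of the kind Thomas mentions, as an added example that is not from the thread or the IntelMQ project. It assumes the IntelMQ PostgreSQL output's `events` table with columns named after the IntelMQ fields (`"classification.identifier"`, `"feed.name"`), that the Shadowserver feeds are named with a `Shadowserver` prefix, and that only the `open-telnet` -> `accessible-telnet` pair (the one named in the thread) is real; any further pairs are placeholders to be filled in once the list agrees which feeds are "accessible".

```sql
-- Added example, not from the IntelMQ project: rename Shadowserver
-- classification identifiers in an IntelMQ PostgreSQL "events" table.
-- Assumptions: table "events", columns "feed.name" and
-- "classification.identifier"; Shadowserver feed names start with
-- 'Shadowserver'. Only the telnet pair comes from the thread.
BEGIN;

-- Mapping of old -> new identifiers; dropped again at COMMIT/ROLLBACK.
CREATE TEMPORARY TABLE identifier_rename (
    old_identifier TEXT PRIMARY KEY,
    new_identifier TEXT NOT NULL
) ON COMMIT DROP;

INSERT INTO identifier_rename (old_identifier, new_identifier) VALUES
    ('open-telnet', 'accessible-telnet');
    -- placeholder: add ('open-<service>', 'accessible-<service>') rows
    -- once the open/accessible list has been agreed.

-- Preview: rows each rename would touch. Restricting to Shadowserver
-- feeds keeps identically named identifiers from other feeds untouched.
SELECT r.old_identifier,
       r.new_identifier,
       count(e."classification.identifier") AS affected_rows
  FROM identifier_rename r
  LEFT JOIN events e
         ON e."classification.identifier" = r.old_identifier
        AND e."feed.name" LIKE 'Shadowserver%'
 GROUP BY r.old_identifier, r.new_identifier
 ORDER BY r.old_identifier;

-- The rename itself; ROLLBACK instead of COMMIT if the preview surprises you.
UPDATE events e
   SET "classification.identifier" = r.new_identifier
  FROM identifier_rename r
 WHERE e."classification.identifier" = r.old_identifier
   AND e."feed.name" LIKE 'Shadowserver%';

-- Sanity check: must return 0 before committing.
SELECT count(*) AS leftover
  FROM events e
  JOIN identifier_rename r
    ON e."classification.identifier" = r.old_identifier
 WHERE e."feed.name" LIKE 'Shadowserver%';

COMMIT;
```

Any filter expressions in downstream tooling (mailgen rules, SQL views, bot filters) that match on the old identifier strings need the same mapping applied by hand, since the UPDATE only touches stored events.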