From mika.silander at csc.fi Thu Oct 3 08:35:05 2024 From: mika.silander at csc.fi (Mika Silander) Date: Thu, 3 Oct 2024 09:35:05 +0300 (EEST) Subject: [IntelMQ-dev] About Shadowserver's generic Special report Message-ID: <183366838.5909478.1727937305713.JavaMail.zimbra@csc.fi> Hi, We received today a Shadowserver report that gets mapped into the feed "Special" by the Shadowserver parser bot. It's fine to try to inform about vulnerabilities asap, but as this report was unknown to our checker bot, it was put on hold. The corresponding email is named "Vulnerable CUPS Special Report" which already gives an idea of what the report speaks about. This report does not seem to be documented on Shadowserver's own pages under https://www.shadowserver.org/what-we-do/network-reporting (yet?). So, here's a request: could someone who is able to update https://interchange.shadowserver.org/intelmq/v1/schema/shadowserver-schema.json turn the special report into a more specific feed definition, e.g. the report file name could be "scan_cups" (and "scan6_cups" for IPv6) and the "feed.name" field could be e.g. "Vulnerable-CUPS-Server" or similar? Another option is to create a report of its own for vulnerable CUPS servers and leave "special" as the catch-all alongside. Thank you. Br, Mika P.S: The usual disclaimer: I hope I have not misunderstood anything in the the aforementioned specs. From mankowski at cert.at Thu Oct 3 10:24:23 2024 From: mankowski at cert.at (Kamil Mankowski) Date: Thu, 3 Oct 2024 10:24:23 +0200 Subject: [IntelMQ-dev] About Shadowserver's generic Special report In-Reply-To: <183366838.5909478.1727937305713.JavaMail.zimbra@csc.fi> References: <183366838.5909478.1727937305713.JavaMail.zimbra@csc.fi> Message-ID: Hey, just FYI - the ShadowServer documentation for that feed is already available: https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-cups-special-report/ Best regards // Kamil Mańkowski - T: +43 676 898 298 7204 // CERT Austria - https://www.cert.at/ // CERT.at GmbH, FB-Nr. 561772k, HG Wien On 10/3/24 08:35, Mika Silander via IntelMQ-dev wrote: > Hi, > > We received today a Shadowserver report that gets mapped into the feed "Special" by the Shadowserver parser bot. It's fine to try to inform about vulnerabilities asap, but as this report was unknown to our checker bot, it was put on hold. The corresponding email is named "Vulnerable CUPS Special Report" which already gives an idea of what the report speaks about. This report does not seem to be documented on Shadowserver's own pages under https://www.shadowserver.org/what-we-do/network-reporting (yet?). > > So, here's a request: could someone who is able to update > > https://interchange.shadowserver.org/intelmq/v1/schema/shadowserver-schema.json > > turn the special report into a more specific feed definition, e.g. the report file name could be "scan_cups" (and "scan6_cups" for IPv6) and the "feed.name" field could be e.g. "Vulnerable-CUPS-Server" or similar? Another option is to create a report of its own for vulnerable CUPS servers and leave "special" as the catch-all alongside. > > Thank you. > > Br, Mika > > P.S: The usual disclaimer: I hope I have not misunderstood anything in the the aforementioned specs. > > _______________________________________________ > IntelMQ-dev mailing list > https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From mika.silander at csc.fi Thu Oct 3 10:49:37 2024 From: mika.silander at csc.fi (Mika Silander) Date: Thu, 3 Oct 2024 11:49:37 +0300 (EEST) Subject: [IntelMQ-dev] About Shadowserver's generic Special report In-Reply-To: References: <183366838.5909478.1727937305713.JavaMail.zimbra@csc.fi> Message-ID: <308806860.6317998.1727945377065.JavaMail.zimbra@csc.fi> Hi, Yes, now it seems to be there however, earlier this morning I could not see it. Are special reports always one-time reports? If this is the case, we (our team) need to continue to stop them and curate the configuration before forwarding the events within to our clients. Br, Mika ----- Original Message ----- From: "Kamil Mankowski via IntelMQ-dev" To: "intelmq-dev" Sent: Thursday, 3 October, 2024 11:24:23 Subject: Re: [IntelMQ-dev] About Shadowserver's generic Special report Hey, just FYI - the ShadowServer documentation for that feed is already available: https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-cups-special-report/ Best regards // Kamil Mańkowski - T: +43 676 898 298 7204 // CERT Austria - https://www.cert.at/ // CERT.at GmbH, FB-Nr. 561772k, HG Wien On 10/3/24 08:35, Mika Silander via IntelMQ-dev wrote: > Hi, > > We received today a Shadowserver report that gets mapped into the feed "Special" by the Shadowserver parser bot. It's fine to try to inform about vulnerabilities asap, but as this report was unknown to our checker bot, it was put on hold. The corresponding email is named "Vulnerable CUPS Special Report" which already gives an idea of what the report speaks about. This report does not seem to be documented on Shadowserver's own pages under https://www.shadowserver.org/what-we-do/network-reporting (yet?). > > So, here's a request: could someone who is able to update > > https://interchange.shadowserver.org/intelmq/v1/schema/shadowserver-schema.json > > turn the special report into a more specific feed definition, e.g. the report file name could be "scan_cups" (and "scan6_cups" for IPv6) and the "feed.name" field could be e.g. "Vulnerable-CUPS-Server" or similar? Another option is to create a report of its own for vulnerable CUPS servers and leave "special" as the catch-all alongside. > > Thank you. > > Br, Mika > > P.S: The usual disclaimer: I hope I have not misunderstood anything in the the aforementioned specs. > > _______________________________________________ > IntelMQ-dev mailing list > https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ _______________________________________________ IntelMQ-dev mailing list https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ From mankowski at cert.at Thu Oct 3 11:02:03 2024 From: mankowski at cert.at (Kamil Mankowski) Date: Thu, 3 Oct 2024 11:02:03 +0200 Subject: [IntelMQ-dev] About Shadowserver's generic Special report In-Reply-To: <308806860.6317998.1727945377065.JavaMail.zimbra@csc.fi> References: <183366838.5909478.1727937305713.JavaMail.zimbra@csc.fi> <308806860.6317998.1727945377065.JavaMail.zimbra@csc.fi> Message-ID: <2b2ea6ad-7fed-43ec-ab6d-d84de9d1d085@cert.at> Yes, according to what I see on their page: "About Special Reports Shadowserver Special Reports are unlike all of our other standard free daily network reports. Instead, we send out Special Reports in situations where we share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit, such as in cases where we have a critical new vulnerability being exploited against potentially high value targets. Note that the data shared across special reports may differ on a case by case basis hence the report formats for different Special Reports may be different." At CERT.at we don't process special reports automatically, instead, the team decided what to do every time, and usually issues a one-shot semi-manually (they upload them via CSV uploader & manually map fields we need, then it's handled by the IntelMQ). Best regards // Kamil Mańkowski - T: +43 676 898 298 7204 // CERT Austria - https://www.cert.at/ // CERT.at GmbH, FB-Nr. 561772k, HG Wien On 10/3/24 10:49, Mika Silander via IntelMQ-dev wrote: > Hi, > > Yes, now it seems to be there however, earlier this morning I could not see it. Are special reports always one-time reports? If this is the case, we (our team) need to continue to stop them and curate the configuration before forwarding the events within to our clients. > > Br, Mika > > ----- Original Message ----- > From: "Kamil Mankowski via IntelMQ-dev" > To: "intelmq-dev" > Sent: Thursday, 3 October, 2024 11:24:23 > Subject: Re: [IntelMQ-dev] About Shadowserver's generic Special report > > Hey, > > just FYI - the ShadowServer documentation for that feed is already > available: > https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-cups-special-report/ > > > Best regards > > // Kamil Mańkowski - T: +43 676 898 298 7204 > // CERT Austria - https://www.cert.at/ > // CERT.at GmbH, FB-Nr. 561772k, HG Wien > > On 10/3/24 08:35, Mika Silander via IntelMQ-dev wrote: >> Hi, >> >> We received today a Shadowserver report that gets mapped into the feed "Special" by the Shadowserver parser bot. It's fine to try to inform about vulnerabilities asap, but as this report was unknown to our checker bot, it was put on hold. The corresponding email is named "Vulnerable CUPS Special Report" which already gives an idea of what the report speaks about. This report does not seem to be documented on Shadowserver's own pages under https://www.shadowserver.org/what-we-do/network-reporting (yet?). >> >> So, here's a request: could someone who is able to update >> >> https://interchange.shadowserver.org/intelmq/v1/schema/shadowserver-schema.json >> >> turn the special report into a more specific feed definition, e.g. the report file name could be "scan_cups" (and "scan6_cups" for IPv6) and the "feed.name" field could be e.g. "Vulnerable-CUPS-Server" or similar? Another option is to create a report of its own for vulnerable CUPS servers and leave "special" as the catch-all alongside. >> >> Thank you. >> >> Br, Mika >> >> P.S: The usual disclaimer: I hope I have not misunderstood anything in the the aforementioned specs. >> >> _______________________________________________ >> IntelMQ-dev mailing list >> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ > > _______________________________________________ > IntelMQ-dev mailing list > https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ > _______________________________________________ > IntelMQ-dev mailing list > https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From mika.silander at csc.fi Thu Oct 3 11:10:15 2024 From: mika.silander at csc.fi (Mika Silander) Date: Thu, 3 Oct 2024 12:10:15 +0300 (EEST) Subject: [IntelMQ-dev] About Shadowserver's generic Special report In-Reply-To: <2b2ea6ad-7fed-43ec-ab6d-d84de9d1d085@cert.at> References: <183366838.5909478.1727937305713.JavaMail.zimbra@csc.fi> <308806860.6317998.1727945377065.JavaMail.zimbra@csc.fi> <2b2ea6ad-7fed-43ec-ab6d-d84de9d1d085@cert.at> Message-ID: <100872899.6378011.1727946615851.JavaMail.zimbra@csc.fi> Yes, I saw that. I was just wondering whether you as developers had had some direct exchange of info with Shadowserver representatives regarding the special report and its contents. Looks like the processing in this case will be semi-manual for us as well. Br, Mika ----- Original Message ----- From: "Kamil Mankowski via IntelMQ-dev" To: "intelmq-dev" Sent: Thursday, 3 October, 2024 12:02:03 Subject: Re: [IntelMQ-dev] About Shadowserver's generic Special report Yes, according to what I see on their page: "About Special Reports Shadowserver Special Reports are unlike all of our other standard free daily network reports. Instead, we send out Special Reports in situations where we share one-time, high value datasets that we feel should be reported responsibly for maximum public benefit, such as in cases where we have a critical new vulnerability being exploited against potentially high value targets. Note that the data shared across special reports may differ on a case by case basis hence the report formats for different Special Reports may be different." At CERT.at we don't process special reports automatically, instead, the team decided what to do every time, and usually issues a one-shot semi-manually (they upload them via CSV uploader & manually map fields we need, then it's handled by the IntelMQ). Best regards // Kamil Mańkowski - T: +43 676 898 298 7204 // CERT Austria - https://www.cert.at/ // CERT.at GmbH, FB-Nr. 561772k, HG Wien On 10/3/24 10:49, Mika Silander via IntelMQ-dev wrote: > Hi, > > Yes, now it seems to be there however, earlier this morning I could not see it. Are special reports always one-time reports? If this is the case, we (our team) need to continue to stop them and curate the configuration before forwarding the events within to our clients. > > Br, Mika > > ----- Original Message ----- > From: "Kamil Mankowski via IntelMQ-dev" > To: "intelmq-dev" > Sent: Thursday, 3 October, 2024 11:24:23 > Subject: Re: [IntelMQ-dev] About Shadowserver's generic Special report > > Hey, > > just FYI - the ShadowServer documentation for that feed is already > available: > https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-cups-special-report/ > > > Best regards > > // Kamil Mańkowski - T: +43 676 898 298 7204 > // CERT Austria - https://www.cert.at/ > // CERT.at GmbH, FB-Nr. 561772k, HG Wien > > On 10/3/24 08:35, Mika Silander via IntelMQ-dev wrote: >> Hi, >> >> We received today a Shadowserver report that gets mapped into the feed "Special" by the Shadowserver parser bot. It's fine to try to inform about vulnerabilities asap, but as this report was unknown to our checker bot, it was put on hold. The corresponding email is named "Vulnerable CUPS Special Report" which already gives an idea of what the report speaks about. This report does not seem to be documented on Shadowserver's own pages under https://www.shadowserver.org/what-we-do/network-reporting (yet?). >> >> So, here's a request: could someone who is able to update >> >> https://interchange.shadowserver.org/intelmq/v1/schema/shadowserver-schema.json >> >> turn the special report into a more specific feed definition, e.g. the report file name could be "scan_cups" (and "scan6_cups" for IPv6) and the "feed.name" field could be e.g. "Vulnerable-CUPS-Server" or similar? Another option is to create a report of its own for vulnerable CUPS servers and leave "special" as the catch-all alongside. >> >> Thank you. >> >> Br, Mika >> >> P.S: The usual disclaimer: I hope I have not misunderstood anything in the the aforementioned specs. >> >> _______________________________________________ >> IntelMQ-dev mailing list >> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ > > _______________________________________________ > IntelMQ-dev mailing list > https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ > _______________________________________________ > IntelMQ-dev mailing list > https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ _______________________________________________ IntelMQ-dev mailing list https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ From mankowski at cert.at Thu Oct 3 11:11:55 2024 From: mankowski at cert.at (Kamil Mankowski) Date: Thu, 3 Oct 2024 11:11:55 +0200 Subject: [IntelMQ-dev] About Shadowserver's generic Special report In-Reply-To: <100872899.6378011.1727946615851.JavaMail.zimbra@csc.fi> References: <183366838.5909478.1727937305713.JavaMail.zimbra@csc.fi> <308806860.6317998.1727945377065.JavaMail.zimbra@csc.fi> <2b2ea6ad-7fed-43ec-ab6d-d84de9d1d085@cert.at> <100872899.6378011.1727946615851.JavaMail.zimbra@csc.fi> Message-ID: <8532baf5-174e-4677-ba13-77a8eeb35564@cert.at> @elsif from ShadowServer is in the list, I think he could say more :) Best regards // Kamil Mańkowski - T: +43 676 898 298 7204 // CERT Austria - https://www.cert.at/ // CERT.at GmbH, FB-Nr. 561772k, HG Wien On 10/3/24 11:10, Mika Silander via IntelMQ-dev wrote: > Yes, I saw that. I was just wondering whether you as developers had had some direct exchange of info with Shadowserver representatives regarding the special report and its contents. Looks like the processing in this case will be semi-manual for us as well. > > Br, Mika > > ----- Original Message ----- > From: "Kamil Mankowski via IntelMQ-dev" > To: "intelmq-dev" > Sent: Thursday, 3 October, 2024 12:02:03 > Subject: Re: [IntelMQ-dev] About Shadowserver's generic Special report > > Yes, according to what I see on their page: > > "About Special Reports > > Shadowserver Special Reports are unlike all of our other standard free > daily network reports. > > Instead, we send out Special Reports in situations where we share > one-time, high value datasets that we feel should be reported > responsibly for maximum public benefit, such as in cases where we have a > critical new vulnerability being exploited against potentially high > value targets. > > Note that the data shared across special reports may differ on a case by > case basis hence the report formats for different Special Reports may be > different." > > At CERT.at we don't process special reports automatically, instead, the > team decided what to do every time, and usually issues a one-shot > semi-manually (they upload them via CSV uploader & manually map fields > we need, then it's handled by the IntelMQ). > > Best regards > > // Kamil Mańkowski - T: +43 676 898 298 7204 > // CERT Austria - https://www.cert.at/ > // CERT.at GmbH, FB-Nr. 561772k, HG Wien > > On 10/3/24 10:49, Mika Silander via IntelMQ-dev wrote: >> Hi, >> >> Yes, now it seems to be there however, earlier this morning I could not see it. Are special reports always one-time reports? If this is the case, we (our team) need to continue to stop them and curate the configuration before forwarding the events within to our clients. >> >> Br, Mika >> >> ----- Original Message ----- >> From: "Kamil Mankowski via IntelMQ-dev" >> To: "intelmq-dev" >> Sent: Thursday, 3 October, 2024 11:24:23 >> Subject: Re: [IntelMQ-dev] About Shadowserver's generic Special report >> >> Hey, >> >> just FYI - the ShadowServer documentation for that feed is already >> available: >> https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-cups-special-report/ >> >> >> Best regards >> >> // Kamil Mańkowski - T: +43 676 898 298 7204 >> // CERT Austria - https://www.cert.at/ >> // CERT.at GmbH, FB-Nr. 561772k, HG Wien >> >> On 10/3/24 08:35, Mika Silander via IntelMQ-dev wrote: >>> Hi, >>> >>> We received today a Shadowserver report that gets mapped into the feed "Special" by the Shadowserver parser bot. It's fine to try to inform about vulnerabilities asap, but as this report was unknown to our checker bot, it was put on hold. The corresponding email is named "Vulnerable CUPS Special Report" which already gives an idea of what the report speaks about. This report does not seem to be documented on Shadowserver's own pages under https://www.shadowserver.org/what-we-do/network-reporting (yet?). >>> >>> So, here's a request: could someone who is able to update >>> >>> https://interchange.shadowserver.org/intelmq/v1/schema/shadowserver-schema.json >>> >>> turn the special report into a more specific feed definition, e.g. the report file name could be "scan_cups" (and "scan6_cups" for IPv6) and the "feed.name" field could be e.g. "Vulnerable-CUPS-Server" or similar? Another option is to create a report of its own for vulnerable CUPS servers and leave "special" as the catch-all alongside. >>> >>> Thank you. >>> >>> Br, Mika >>> >>> P.S: The usual disclaimer: I hope I have not misunderstood anything in the the aforementioned specs. >>> >>> _______________________________________________ >>> IntelMQ-dev mailing list >>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ >> >> _______________________________________________ >> IntelMQ-dev mailing list >> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ >> _______________________________________________ >> IntelMQ-dev mailing list >> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ > > _______________________________________________ > IntelMQ-dev mailing list > https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ > _______________________________________________ > IntelMQ-dev mailing list > https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: OpenPGP_signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature URL: From aaron at lo-res.org Thu Oct 3 11:12:47 2024 From: aaron at lo-res.org (L. Aaron Kaplan) Date: Thu, 3 Oct 2024 11:12:47 +0200 Subject: [IntelMQ-dev] About Shadowserver's generic Special report In-Reply-To: <8532baf5-174e-4677-ba13-77a8eeb35564@cert.at> References: <183366838.5909478.1727937305713.JavaMail.zimbra@csc.fi> <308806860.6317998.1727945377065.JavaMail.zimbra@csc.fi> <2b2ea6ad-7fed-43ec-ab6d-d84de9d1d085@cert.at> <100872899.6378011.1727946615851.JavaMail.zimbra@csc.fi> <8532baf5-174e-4677-ba13-77a8eeb35564@cert.at> Message-ID: <8754E448-916A-4949-A1F2-ABCBE250185B@lo-res.org> Yes, please be patient :) Time zones etc... > On 03.10.2024, at 11:11, Kamil Mankowski via IntelMQ-dev wrote: > > Signed PGP part > @elsif from ShadowServer is in the list, I think he could say more :) > > Best regards > > // Kamil Mańkowski - T: +43 676 898 298 7204 > // CERT Austria - https://www.cert.at/ > // CERT.at GmbH, FB-Nr. 561772k, HG Wien > > On 10/3/24 11:10, Mika Silander via IntelMQ-dev wrote: >> Yes, I saw that. I was just wondering whether you as developers had had some direct exchange of info with Shadowserver representatives regarding the special report and its contents. Looks like the processing in this case will be semi-manual for us as well. >> Br, Mika >> ----- Original Message ----- >> From: "Kamil Mankowski via IntelMQ-dev" >> To: "intelmq-dev" >> Sent: Thursday, 3 October, 2024 12:02:03 >> Subject: Re: [IntelMQ-dev] About Shadowserver's generic Special report >> Yes, according to what I see on their page: >> "About Special Reports >> Shadowserver Special Reports are unlike all of our other standard free >> daily network reports. >> Instead, we send out Special Reports in situations where we share >> one-time, high value datasets that we feel should be reported >> responsibly for maximum public benefit, such as in cases where we have a >> critical new vulnerability being exploited against potentially high >> value targets. >> Note that the data shared across special reports may differ on a case by >> case basis hence the report formats for different Special Reports may be >> different." >> At CERT.at we don't process special reports automatically, instead, the >> team decided what to do every time, and usually issues a one-shot >> semi-manually (they upload them via CSV uploader & manually map fields >> we need, then it's handled by the IntelMQ). >> Best regards >> // Kamil Mańkowski - T: +43 676 898 298 7204 >> // CERT Austria - https://www.cert.at/ >> // CERT.at GmbH, FB-Nr. 561772k, HG Wien >> On 10/3/24 10:49, Mika Silander via IntelMQ-dev wrote: >>> Hi, >>> >>> Yes, now it seems to be there however, earlier this morning I could not see it. Are special reports always one-time reports? If this is the case, we (our team) need to continue to stop them and curate the configuration before forwarding the events within to our clients. >>> >>> Br, Mika >>> >>> ----- Original Message ----- >>> From: "Kamil Mankowski via IntelMQ-dev" >>> To: "intelmq-dev" >>> Sent: Thursday, 3 October, 2024 11:24:23 >>> Subject: Re: [IntelMQ-dev] About Shadowserver's generic Special report >>> >>> Hey, >>> >>> just FYI - the ShadowServer documentation for that feed is already >>> available: >>> https://www.shadowserver.org/what-we-do/network-reporting/vulnerable-cups-special-report/ >>> >>> >>> Best regards >>> >>> // Kamil Mańkowski - T: +43 676 898 298 7204 >>> // CERT Austria - https://www.cert.at/ >>> // CERT.at GmbH, FB-Nr. 561772k, HG Wien >>> >>> On 10/3/24 08:35, Mika Silander via IntelMQ-dev wrote: >>>> Hi, >>>> >>>> We received today a Shadowserver report that gets mapped into the feed "Special" by the Shadowserver parser bot. It's fine to try to inform about vulnerabilities asap, but as this report was unknown to our checker bot, it was put on hold. The corresponding email is named "Vulnerable CUPS Special Report" which already gives an idea of what the report speaks about. This report does not seem to be documented on Shadowserver's own pages under https://www.shadowserver.org/what-we-do/network-reporting (yet?). >>>> >>>> So, here's a request: could someone who is able to update >>>> >>>> https://interchange.shadowserver.org/intelmq/v1/schema/shadowserver-schema.json >>>> >>>> turn the special report into a more specific feed definition, e.g. the report file name could be "scan_cups" (and "scan6_cups" for IPv6) and the "feed.name" field could be e.g. "Vulnerable-CUPS-Server" or similar? Another option is to create a report of its own for vulnerable CUPS servers and leave "special" as the catch-all alongside. >>>> >>>> Thank you. >>>> >>>> Br, Mika >>>> >>>> P.S: The usual disclaimer: I hope I have not misunderstood anything in the the aforementioned specs. >>>> >>>> _______________________________________________ >>>> IntelMQ-dev mailing list >>>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ >>> >>> _______________________________________________ >>> IntelMQ-dev mailing list >>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ >>> _______________________________________________ >>> IntelMQ-dev mailing list >>> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ >> _______________________________________________ >> IntelMQ-dev mailing list >> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ >> _______________________________________________ >> IntelMQ-dev mailing list >> https://lists.cert.at/cgi-bin/mailman/listinfo/intelmq-dev https://docs.intelmq.org/ > > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: Message signed with OpenPGP URL: