
Commit bfcdbad

committed
Merge remote-tracking branch 'upstream/pr/2134' into develop
2 parents 9501b33 + 747100f commit bfcdbad


1 file changed

+74
-3
lines changed


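--- a/intelmq/bots/parsers/shadowserver/_config.py
+++ b/intelmq/bots/parsers/shadowserver/_config.py
@@ -1015,8 +1015,8 @@ def force_base64(value: Optional[str]) -> Optional[str]:
 },
 }
 
-# https://www.shadowserver.org/wiki/pmwiki.php/Services/Ssl-Scan
-ssl_poodle_vulnerable_servers = {
+# https://www.shadowserver.org/what-we-do/network-reporting/ssl-poodle-report/
+ssl_poodle46_vulnerable_servers = {
 'required_fields': [
 ('time.source', 'timestamp', add_UTC_to_timestamp),
 ('source.ip', 'ip'),
@@ -2903,10 +2903,78 @@ def scan_exchange_identifier(field):
 }
 }
 
+# https://www.shadowserver.org/what-we-do/network-reporting/accessible-amqp-report/
+accessible_amqp = {
+'required_fields': [
+('time.source', 'timestamp', add_UTC_to_timestamp),
+('source.ip', 'ip'),
+('source.port', 'port')
+],
+'optional_fields': [
+('protocol.transport', 'protocol'),
+('source.reverse_dns', 'hostname'),
+('source.asn', 'asn', invalidate_zero),
+('source.geolocation.cc', 'geo'),
+('source.geolocation.region', 'region'),
+('source.geolocation.city', 'city'),
+('extra.', 'tag'),
+('extra.', 'naics', invalidate_zero),
+('extra.', 'sic', invalidate_zero),
+('extra.', 'channel', convert_int),
+('extra.', 'message_length', convert_int),
+('extra.', 'class', convert_int),
+('extra.', 'method', convert_int),
+('extra.', 'version_major', validate_to_none),
+('extra.', 'version_minor', validate_to_none),
+('extra.', 'capabilities', validate_to_none),
+('extra.', 'cluster_name', validate_to_none),
+('extra.', 'platform', validate_to_none),
+('extra.', 'product', validate_to_none),
+('extra.', 'product_version', validate_to_none),
+('extra.', 'mechanisms', validate_to_none),
+('extra.', 'locales', validate_to_none),
+],
+'constant_fields': {
+'classification.taxonomy': 'vulnerable',
+'classification.type': 'vulnerable-system',
+'classification.identifier': 'accessible-amqp',
+}
+}
+
+# https://www.shadowserver.org/what-we-do/network-reporting/device-identification-report/
+device_id = {
+'required_fields': [
+('time.source', 'timestamp', add_UTC_to_timestamp),
+('source.ip', 'ip'),
+('source.port', 'port')
+],
+'optional_fields': [
+('protocol.transport', 'protocol'),
+('source.reverse_dns', 'hostname'),
+('source.asn', 'asn', invalidate_zero),
+('source.geolocation.cc', 'geo'),
+('source.geolocation.region', 'region'),
+('source.geolocation.city', 'city'),
+('extra.', 'tag'),
+('extra.', 'naics', invalidate_zero),
+('extra.', 'sic', invalidate_zero),
+('extra.', 'sector', validate_to_none),
+('extra.', 'device_vendor', validate_to_none),
+('extra.', 'device_type', validate_to_none),
+('extra.', 'device_model', validate_to_none),
+],
+'constant_fields': {
+'classification.taxonomy': 'other',
+'classification.type': 'undetermined',
+'classification.identifier': 'device-id',
+}
+}
+
 mapping = (
 # feed name, file name, function
 ('Accessible-ADB', 'scan_adb', accessible_adb),
 ('Accessible-AFP', 'scan_afp', accessible_afp),
+('Accessible-AMQP', 'scan_amqp', accessible_amqp),
 ('Accessible-ARD', 'scan_ard', accessible_ard),
 ('Accessible-CoAP', 'scan_coap', accessible_coap),
 ('Accessible-CWMP', 'scan_cwmp', accessible_cwmp),
@@ -2930,6 +2998,8 @@ def scan_exchange_identifier(field):
 ('Compromised-Website', 'compromised_website', compromised_website),
 ('DNS-Open-Resolvers', 'scan_dns', dns_open_resolvers),
 ('Darknet', 'darknet', darknet), # legacy (replaced by event4_honeypot_darknet)
+('Device-Identification IPv4', 'device_id', device_id),
+('Device-Identification IPv6', 'device_id6', device_id),
 ('Drone', 'botnet_drone', drone), # legacy (replaced by event4_sinkhole, event4_honeypot_darknet and event46_sinkhole_http)
 ('Drone-Brute-Force', 'drone_brute_force', drone_brute_force), # legacy (replaced by honeypot_brute_force)
 ('HTTP-Scanners', 'hp_http_scan', http_scanners),
@@ -2970,7 +3040,8 @@ def scan_exchange_identifier(field):
 ('Outdated-DNSSEC-Key', 'outdated_dnssec_key', outdated_dnssec_key),
 ('Outdated-DNSSEC-Key-IPv6', 'outdated_dnssec_key_v6', outdated_dnssec_key),
 ('SSL-FREAK-Vulnerable-Servers', 'scan_ssl_freak', ssl_freak_vulnerable_servers),
-('SSL-POODLE-Vulnerable-Servers', 'scan_ssl_poodle', ssl_poodle_vulnerable_servers),
+('SSL-POODLE-Vulnerable-Servers IPv4', 'scan_ssl_poodle', ssl_poodle46_vulnerable_servers),
+('SSL-POODLE-Vulnerable-Servers IPv6', 'scan6_ssl_poodle', ssl_poodle46_vulnerable_servers),
 ('Sandbox-URL', 'cwsandbox_url', sandbox_url),
 ('Sinkhole-DNS', 'sinkhole_dns', sinkhole_dns),
 ('Sinkhole-Events', 'event4_sinkhole', event46_sinkhole),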
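Review bot: Replacing the `'SSL-POODLE-Vulnerable-Servers'` mapping entry with `'SSL-POODLE-Vulnerable-Servers IPv4'` in the last hunk removes the only entry matching the old feed name, so any deployment that selects this report by feed name (which is how the `feedname` lookup over `mapping` presumably works) will silently stop parsing it after upgrade; the same table already keeps `'Darknet'` and `'Drone'` as marked legacy entries for exactly this case. I would keep `('SSL-POODLE-Vulnerable-Servers', 'scan_ssl_poodle', ssl_poodle46_vulnerable_servers),  # legacy (replaced by SSL-POODLE-Vulnerable-Servers IPv4)` next to the two new entries and call the rename out in the changelog; the `mapping` tuple itself continues past the last hunk. Separately, in `accessible_amqp` the `version_major` and `version_minor` columns go through `validate_to_none` while every other numeric AMQP column in the same block (`channel`, `message_length`, `class`, `method`) uses `convert_int`; the helper is outside this hunk, but if `validate_to_none` treats the literal `'0'` as empty, the major version `0` of AMQP 0-9-1 would be dropped from every event, so `('extra.', 'version_major', convert_int)` and `('extra.', 'version_minor', convert_int)` look like the intended mapping.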
